@openhi/constructs 0.0.85 → 0.0.87

package/lib/rest-api-lambda.handler.mjs

@@ -142,6 +142,31 @@ var dynamoClient = new DynamoDBClient({
 
 // src/data/dynamo/entities/control/configuration-entity.ts
 import { Entity } from "electrodb";
+
+// src/data/dynamo/shard.ts
+var SHARD_COUNT = 4;
+function computeShard(id) {
+  let hash = 2166136261;
+  for (let i = 0; i < id.length; i++) {
+    hash ^= id.charCodeAt(i);
+    hash = Math.imul(hash, 16777619);
+  }
+  return (hash >>> 0) % SHARD_COUNT;
+}
+
+// src/data/dynamo/entities/control/control-entity-common.ts
+var gsi1ShardAttribute = {
+  type: "string",
+  watch: ["id"],
+  set: (_val, item) => {
+    if (typeof item?.id !== "string" || item.id.length === 0) {
+      return void 0;
+    }
+    return String(computeShard(item.id));
+  }
+};
+
+// src/data/dynamo/entities/control/configuration-entity.ts
 var ConfigurationEntity = new Entity({
   model: {
     entity: "configuration",
@@ -194,6 +219,14 @@ var ConfigurationEntity = new Entity({
       type: "string",
       required: true
     },
+    /**
+     * Summary projection (key display fields as JSON string: id, key, status).
+     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
+     */
+    summary: {
+      type: "string",
+      required: true
+    },
     /** Version id (e.g. ULID). Tracks current version; S3 history key. */
     vid: {
       type: "string",
@@ -203,6 +236,7 @@ var ConfigurationEntity = new Entity({
       type: "string",
       required: true
     },
+    gsi1Shard: gsi1ShardAttribute,
     deleted: {
       type: "boolean",
       required: false
@@ -230,19 +264,27 @@ var ConfigurationEntity = new Entity({
         template: "KEY#${key}#SK#${sk}"
       }
     },
-    /** GSI4 — Resource Type Index: list all Configuration in a tenant or workspace (no scan). Use for "list configs scoped to this tenant" (workspaceId = "-") or "list configs scoped to this workspace". Does not support hierarchical resolution in one query; use base table GetItem in fallback order (user → workspace → tenant → baseline) for that. */
-    gsi4: {
-      index: "GSI4",
-      condition: () => true,
+    /**
+     * GSI1 — Unified Sharded List per ADR-011: list all Configuration entries for a
+     * (tenant, workspace) across the four shards. Use for "list configs scoped to this tenant"
+     * (workspaceId = "-") or "list configs scoped to this workspace". Does not support
+     * hierarchical resolution in one query; use base table GetItem in fallback order
+     * (user → workspace → tenant → baseline) for that.
+     * SK is `<ISO-8601 lastUpdated>#<id>` (control-plane unlabeled per DR-004).
+     * `casing: "none"` on the SK preserves ISO-8601 `T`/`Z`.
+     */
+    gsi1: {
+      index: "GSI1",
       pk: {
-        field: "GSI4PK",
-        composite: ["tenantId", "workspaceId"],
-        template: "TID#${tenantId}#WID#${workspaceId}#RT#Configuration"
+        field: "GSI1PK",
+        composite: ["tenantId", "workspaceId", "gsi1Shard"],
+        template: "TID#${tenantId}#WID#${workspaceId}#RT#Configuration#SHARD#${gsi1Shard}"
       },
       sk: {
-        field: "GSI4SK",
-        composite: ["key", "sk"],
-        template: "KEY#${key}#SK#${sk}"
+        field: "GSI1SK",
+        casing: "none",
+        composite: ["lastUpdated", "id"],
+        template: "${lastUpdated}#${id}"
       }
     }
   }
@@ -278,6 +320,14 @@ var MembershipEntity = new Entity2({
       type: "string",
       required: true
     },
+    /**
+     * Summary projection (key display fields as JSON string: id, displayName, status).
+     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
+     */
+    summary: {
+      type: "string",
+      required: true
+    },
     /** Version id (e.g. ULID). */
     vid: {
       type: "string",
@@ -287,6 +337,7 @@ var MembershipEntity = new Entity2({
       type: "string",
       required: true
     },
+    gsi1Shard: gsi1ShardAttribute,
     deleted: {
       type: "boolean",
       required: false
@@ -314,19 +365,24 @@ var MembershipEntity = new Entity2({
         template: "${sk}"
       }
     },
-    /** GSI4 — Resource Type Index: list all Memberships for a tenant (no scan). */
-    gsi4: {
-      index: "GSI4",
-      condition: () => true,
+    /**
+     * GSI1 — Unified Sharded List per ADR-011: list all Memberships for a tenant across the
+     * four shards. Membership is tenant-scoped only, so `WID#-` is a sentinel.
+     * SK is `<ISO-8601 lastUpdated>#<id>` (control-plane unlabeled per DR-004).
+     * `casing: "none"` on the SK preserves ISO-8601 `T`/`Z`.
+     */
+    gsi1: {
+      index: "GSI1",
       pk: {
-        field: "GSI4PK",
-        composite: ["tenantId"],
-        template: "TID#${tenantId}#RT#Membership"
+        field: "GSI1PK",
+        composite: ["tenantId", "gsi1Shard"],
+        template: "TID#${tenantId}#WID#-#RT#Membership#SHARD#${gsi1Shard}"
       },
       sk: {
-        field: "GSI4SK",
-        composite: ["id"],
-        template: "ID#${id}"
+        field: "GSI1SK",
+        casing: "none",
+        composite: ["lastUpdated", "id"],
+        template: "${lastUpdated}#${id}"
       }
     }
   }
@@ -357,6 +413,14 @@ var RoleEntity = new Entity3({
       type: "string",
       required: true
     },
+    /**
+     * Summary projection (key display fields as JSON string: id, displayName, status).
+     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
+     */
+    summary: {
+      type: "string",
+      required: true
+    },
     /** Version id (e.g. ULID). */
     vid: {
       type: "string",
@@ -366,6 +430,7 @@ var RoleEntity = new Entity3({
       type: "string",
       required: true
     },
+    gsi1Shard: gsi1ShardAttribute,
     deleted: {
       type: "boolean",
       required: false
@@ -393,19 +458,24 @@ var RoleEntity = new Entity3({
         template: "${sk}"
       }
     },
-    /** GSI4 — Resource Type Index: list all Roles (no scan). */
-    gsi4: {
-      index: "GSI4",
-      condition: () => true,
+    /**
+     * GSI1 — Unified Sharded List per ADR-011: list all Roles across the four shards.
+     * Non-tenant-isolated, so `TID#-#WID#-` sentinels precede `RT#Role#SHARD#<n>`.
+     * SK is `<ISO-8601 lastUpdated>#<id>` (control-plane unlabeled per DR-004).
+     * `casing: "none"` on the SK preserves ISO-8601 `T`/`Z`.
+     */
+    gsi1: {
+      index: "GSI1",
       pk: {
-        field: "GSI4PK",
-        composite: [],
-        template: "RT#Role"
+        field: "GSI1PK",
+        composite: ["gsi1Shard"],
+        template: "TID#-#WID#-#RT#Role#SHARD#${gsi1Shard}"
       },
       sk: {
-        field: "GSI4SK",
-        composite: ["id"],
-        template: "ID#${id}"
+        field: "GSI1SK",
+        casing: "none",
+        composite: ["lastUpdated", "id"],
+        template: "${lastUpdated}#${id}"
       }
     }
   }
@@ -441,6 +511,14 @@ var RoleAssignmentEntity = new Entity4({
       type: "string",
       required: true
     },
+    /**
+     * Summary projection (key display fields as JSON string: id, displayName, status).
+     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
+     */
+    summary: {
+      type: "string",
+      required: true
+    },
     /** Version id (e.g. ULID). */
     vid: {
       type: "string",
@@ -450,6 +528,7 @@ var RoleAssignmentEntity = new Entity4({
       type: "string",
       required: true
     },
+    gsi1Shard: gsi1ShardAttribute,
     deleted: {
       type: "boolean",
       required: false
@@ -477,19 +556,24 @@ var RoleAssignmentEntity = new Entity4({
         template: "${sk}"
       }
     },
-    /** GSI4 — Resource Type Index: list all RoleAssignments for a tenant (no scan). */
-    gsi4: {
-      index: "GSI4",
-      condition: () => true,
+    /**
+     * GSI1 — Unified Sharded List per ADR-011: list all RoleAssignments for a tenant across the
+     * four shards. Tenant-scoped only, so `WID#-` is a sentinel.
+     * SK is `<ISO-8601 lastUpdated>#<id>` (control-plane unlabeled per DR-004).
+     * `casing: "none"` on the SK preserves ISO-8601 `T`/`Z`.
+     */
+    gsi1: {
+      index: "GSI1",
       pk: {
-        field: "GSI4PK",
-        composite: ["tenantId"],
-        template: "TID#${tenantId}#RT#RoleAssignment"
+        field: "GSI1PK",
+        composite: ["tenantId", "gsi1Shard"],
+        template: "TID#${tenantId}#WID#-#RT#RoleAssignment#SHARD#${gsi1Shard}"
       },
       sk: {
-        field: "GSI4SK",
-        composite: ["id"],
-        template: "ID#${id}"
+        field: "GSI1SK",
+        casing: "none",
+        composite: ["lastUpdated", "id"],
+        template: "${lastUpdated}#${id}"
       }
     }
   }
@@ -525,6 +609,14 @@ var TenantEntity = new Entity5({
       type: "string",
       required: true
     },
+    /**
+     * Summary projection (key display fields as JSON string: id, displayName, status).
+     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
+     */
+    summary: {
+      type: "string",
+      required: true
+    },
     /** Version id (e.g. ULID). */
     vid: {
       type: "string",
@@ -534,6 +626,7 @@ var TenantEntity = new Entity5({
       type: "string",
       required: true
     },
+    gsi1Shard: gsi1ShardAttribute,
     deleted: {
       type: "boolean",
       required: false
@@ -561,19 +654,24 @@ var TenantEntity = new Entity5({
         template: "${sk}"
       }
     },
-    /** GSI4 — Resource Type Index: list all Tenants (no scan). */
-    gsi4: {
-      index: "GSI4",
-      condition: () => true,
+    /**
+     * GSI1 — Unified Sharded List per ADR-011: list all Tenants across the four shards.
+     * Tenant lives at the platform tier (no parent tenant or workspace), so `TID#-#WID#-`
+     * sentinels precede `RT#Tenant#SHARD#<n>`. SK is `<ISO-8601 lastUpdated>#<id>` (control-plane
+     * unlabeled per DR-004). `casing: "none"` on the SK preserves ISO-8601 `T`/`Z`.
+     */
+    gsi1: {
+      index: "GSI1",
       pk: {
-        field: "GSI4PK",
-        composite: [],
-        template: "RT#Tenant"
+        field: "GSI1PK",
+        composite: ["gsi1Shard"],
+        template: "TID#-#WID#-#RT#Tenant#SHARD#${gsi1Shard}"
       },
       sk: {
-        field: "GSI4SK",
-        composite: ["tenantId"],
-        template: "ID#${tenantId}"
+        field: "GSI1SK",
+        casing: "none",
+        composite: ["lastUpdated", "id"],
+        template: "${lastUpdated}#${id}"
       }
     }
   }
@@ -604,6 +702,22 @@ var UserEntity = new Entity6({
       type: "string",
       required: true
     },
+    /**
+     * Summary projection (key display fields as JSON string: id, displayName, status).
+     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
+     */
+    summary: {
+      type: "string",
+      required: true
+    },
+    /**
+     * Immutable Cognito-issued `sub` claim. Drives GSI2 (sub-lookup). Optional until the
+     * Post Confirmation Lambda (#770) lands; required thereafter.
+     */
+    cognitoSub: {
+      type: "string",
+      required: false
+    },
     /** Version id (e.g. ULID). */
     vid: {
       type: "string",
@@ -613,6 +727,7 @@ var UserEntity = new Entity6({
       type: "string",
       required: true
     },
+    gsi1Shard: gsi1ShardAttribute,
     deleted: {
       type: "boolean",
       required: false
@@ -640,19 +755,45 @@ var UserEntity = new Entity6({
         template: "${sk}"
       }
     },
-    /** GSI4 — Resource Type Index: list all Users (no scan). */
-    gsi4: {
-      index: "GSI4",
-      condition: () => true,
+    /**
+     * GSI1 — Unified Sharded List per ADR-011: list all Users across the four shards.
+     * Non-tenant-isolated, so `TID#-#WID#-` sentinels precede `RT#User#SHARD#<n>`.
+     * SK is `<ISO-8601 lastUpdated>#<id>` (control-plane unlabeled per DR-004).
+     * `casing: "none"` on the SK preserves ISO-8601 `T`/`Z` characters.
+     */
+    gsi1: {
+      index: "GSI1",
       pk: {
-        field: "GSI4PK",
-        composite: [],
-        template: "RT#User"
+        field: "GSI1PK",
+        composite: ["gsi1Shard"],
+        template: "TID#-#WID#-#RT#User#SHARD#${gsi1Shard}"
       },
       sk: {
-        field: "GSI4SK",
-        composite: ["id"],
-        template: "ID#${id}"
+        field: "GSI1SK",
+        casing: "none",
+        composite: ["lastUpdated", "id"],
+        template: "${lastUpdated}#${id}"
+      }
+    },
+    /**
+     * GSI2 — Cognito sub-lookup per ADR-011: resolves the UserEntity from a Cognito `sub` claim.
+     * `condition` skips the index when `cognitoSub` is missing so legacy items without a sub are
+     * not indexed.
+     */
+    gsi2: {
+      index: "GSI2",
+      condition: (attrs) => typeof attrs.cognitoSub === "string" && attrs.cognitoSub.length > 0,
+      pk: {
+        field: "GSI2PK",
+        casing: "none",
+        composite: ["cognitoSub"],
+        template: "USER#SUB#${cognitoSub}"
+      },
+      sk: {
+        field: "GSI2SK",
+        casing: "none",
+        composite: [],
+        template: "CURRENT"
       }
     }
   }
@@ -688,6 +829,14 @@ var WorkspaceEntity = new Entity7({
       type: "string",
       required: true
     },
+    /**
+     * Summary projection (key display fields as JSON string: id, displayName, status).
+     * Populated on every write via extractSummary(resource); GSI1 INCLUDE surfaces it on lists.
+     */
+    summary: {
+      type: "string",
+      required: true
+    },
     /** Version id (e.g. ULID). */
     vid: {
       type: "string",
@@ -697,6 +846,7 @@ var WorkspaceEntity = new Entity7({
       type: "string",
       required: true
     },
+    gsi1Shard: gsi1ShardAttribute,
     deleted: {
       type: "boolean",
       required: false
@@ -724,19 +874,24 @@ var WorkspaceEntity = new Entity7({
         template: "${sk}"
       }
     },
-    /** GSI4 — Resource Type Index: list all Workspaces for a tenant (no scan). */
-    gsi4: {
-      index: "GSI4",
-      condition: () => true,
+    /**
+     * GSI1 — Unified Sharded List per ADR-011: list all Workspaces for a tenant across the
+     * four shards. Workspace is itself the workspace identity, so `WID#-` is a sentinel.
+     * SK is `<ISO-8601 lastUpdated>#<id>` (control-plane unlabeled per DR-004).
+     * `casing: "none"` on the SK preserves ISO-8601 `T`/`Z`.
+     */
+    gsi1: {
+      index: "GSI1",
       pk: {
-        field: "GSI4PK",
-        composite: ["tenantId"],
-        template: "TID#${tenantId}#RT#Workspace"
+        field: "GSI1PK",
+        composite: ["tenantId", "gsi1Shard"],
+        template: "TID#${tenantId}#WID#-#RT#Workspace#SHARD#${gsi1Shard}"
       },
       sk: {
-        field: "GSI4SK",
-        composite: ["id"],
-        template: "ID#${id}"
+        field: "GSI1SK",
+        casing: "none",
+        composite: ["lastUpdated", "id"],
+        template: "${lastUpdated}#${id}"
       }
     }
   }
@@ -790,6 +945,7 @@ async function createConfigurationOperation(params) {
   const roleId = body.roleId ?? context.roleId ?? "-";
   const lastUpdated = body.lastUpdated ?? date;
   const vid = body.vid ?? (date.replace(/[-:T.Z]/g, "").slice(0, 12) || Date.now().toString(36));
+  const summary = JSON.stringify({ resourceType: "Configuration", id, key });
   const service = getDynamoControlService(tableName);
   await service.entities.configuration.put({
     tenantId,
@@ -799,6 +955,7 @@ async function createConfigurationOperation(params) {
     key,
     id,
     resource: compressResource(resourceStr),
+    summary,
     vid,
     lastUpdated,
     sk: SK
@@ -1205,22 +1362,25 @@ async function listConfigurationsOperation(params) {
   const { context, tableName } = params;
   const { tenantId, workspaceId } = context;
   const service = getDynamoControlService(tableName);
-  const result = await service.entities.configuration.query.gsi4({ tenantId, workspaceId }).go();
-  const entries = (result.data ?? []).map(
-    (item) => {
-      const resource = JSON.parse(decompressResource(item.resource));
-      return {
+  const shardResults = await Promise.all(
+    Array.from(
+      { length: SHARD_COUNT },
+      (_, shard) => service.entities.configuration.query.gsi1({ tenantId, workspaceId, gsi1Shard: String(shard) }).go()
+    )
+  );
+  const entries = shardResults.flatMap((shardResult) => shardResult.data ?? []).map((item) => {
+    const resource = JSON.parse(decompressResource(item.resource));
+    return {
+      id: item.id,
+      key: item.key,
+      resource: {
+        resourceType: "Configuration",
         id: item.id,
         key: item.key,
-        resource: {
-          resourceType: "Configuration",
-          id: item.id,
-          key: item.key,
-          resource
-        }
-      };
-    }
-  );
+        resource
+      }
+    };
+  });
   return { entries };
 }
 
@@ -1394,8 +1554,14 @@ async function updateConfigurationOperation(params) {
   const resourceStr = typeof resourcePayload === "string" ? resourcePayload : JSON.stringify(resourcePayload ?? {});
   const lastUpdated = body.lastUpdated ?? date;
   const nextVid = existing.data.vid != null ? String(Number(existing.data.vid) + 1) : date.replace(/[-:T.Z]/g, "").slice(0, 12) || "2";
+  const summary = JSON.stringify({
+    resourceType: "Configuration",
+    id: existing.data.id,
+    key: existing.data.key
+  });
   await service.entities.configuration.patch({ tenantId, workspaceId, userId: actorId, roleId, key: id, sk: SK4 }).set({
     resource: compressResource(resourceStr),
+    summary,
     lastUpdated,
     vid: nextVid
   }).go();
@@ -1473,6 +1639,7 @@ router.delete("/:id", deleteConfigurationRoute);
 import express2 from "express";
 
 // src/data/operations/control/membership/membership-create-operation.ts
+import { extractSummary } from "@openhi/types";
 async function createMembershipOperation(params) {
   const { context, body, tableName } = params;
   const service = getDynamoControlService(tableName);
@@ -1480,20 +1647,19 @@ async function createMembershipOperation(params) {
   const parsedResource = typeof body.resource === "string" ? JSON.parse(body.resource) : body.resource ?? {};
   const lastUpdated = context.date ?? (/* @__PURE__ */ new Date()).toISOString();
   const vid = `1`;
+  const resource = { resourceType: "Membership", id, ...parsedResource };
+  const summary = JSON.stringify(extractSummary(resource));
   await service.entities.membership.put({
     tenantId: context.tenantId,
     id,
-    resource: JSON.stringify({
-      resourceType: "Membership",
-      id,
-      ...parsedResource
-    }),
+    resource: JSON.stringify(resource),
+    summary,
     vid,
     lastUpdated
   }).go();
   return {
     id,
-    resource: { resourceType: "Membership", id, ...parsedResource },
+    resource,
     meta: { lastUpdated, versionId: vid }
   };
 }
@@ -1601,12 +1767,21 @@ async function getMembershipByIdRoute(req, res) {
 async function listMembershipsOperation(params) {
   const { context, tableName } = params;
   const service = getDynamoControlService(tableName);
-  const response = await service.entities.membership.query.gsi4({ tenantId: context.tenantId }).go();
-  const entries = (response.data ?? []).map((item) => {
+  const shardResults = await Promise.all(
+    Array.from(
+      { length: SHARD_COUNT },
+      (_, shard) => service.entities.membership.query.gsi1({ tenantId: context.tenantId, gsi1Shard: String(shard) }).go()
+    )
+  );
+  const entries = shardResults.flatMap((shardResult) => shardResult.data ?? []).map((item) => {
     const parsedResource = JSON.parse(item.resource);
     return {
       id: item.id,
-      resource: { resourceType: "Membership", id: item.id, ...parsedResource }
+      resource: {
+        resourceType: "Membership",
+        id: item.id,
+        ...parsedResource
+      }
     };
   });
   return { entries };
@@ -1635,6 +1810,7 @@ async function listMembershipsRoute(req, res) {
 }
 
 // src/data/operations/control/membership/membership-update-operation.ts
+import { extractSummary as extractSummary2 } from "@openhi/types";
 async function updateMembershipOperation(params) {
   const { context, id, body, tableName } = params;
   const service = getDynamoControlService(tableName);
@@ -1645,20 +1821,19 @@ async function updateMembershipOperation(params) {
   const parsedResource = typeof body.resource === "string" ? JSON.parse(body.resource) : body.resource ?? {};
   const lastUpdated = context.date ?? (/* @__PURE__ */ new Date()).toISOString();
   const vid = `${Date.now()}`;
+  const resource = { resourceType: "Membership", id, ...parsedResource };
+  const summary = JSON.stringify(extractSummary2(resource));
   await service.entities.membership.put({
     tenantId: context.tenantId,
     id,
-    resource: JSON.stringify({
-      resourceType: "Membership",
-      id,
-      ...parsedResource
-    }),
+    resource: JSON.stringify(resource),
+    summary,
     vid,
     lastUpdated
   }).go();
   return {
     id,
-    resource: { resourceType: "Membership", id, ...parsedResource },
+    resource,
     meta: { lastUpdated, versionId: vid }
   };
 }
@@ -1715,6 +1890,7 @@ router2.delete("/:id", deleteMembershipRoute);
 import express3 from "express";
 
 // src/data/operations/control/role/role-create-operation.ts
+import { extractSummary as extractSummary3 } from "@openhi/types";
 async function createRoleOperation(params) {
   const { context, body, tableName } = params;
   const service = getDynamoControlService(tableName);
@@ -1722,15 +1898,18 @@ async function createRoleOperation(params) {
   const parsedResource = typeof body.resource === "string" ? JSON.parse(body.resource) : body.resource ?? {};
   const lastUpdated = context.date ?? (/* @__PURE__ */ new Date()).toISOString();
   const vid = `1`;
+  const resource = { resourceType: "Role", id, ...parsedResource };
+  const summary = JSON.stringify(extractSummary3(resource));
   await service.entities.role.put({
     id,
-    resource: JSON.stringify({ resourceType: "Role", id, ...parsedResource }),
+    resource: JSON.stringify(resource),
+    summary,
     vid,
     lastUpdated
   }).go();
   return {
     id,
-    resource: { resourceType: "Role", id, ...parsedResource },
+    resource,
     meta: { lastUpdated, versionId: vid }
   };
 }
@@ -1838,8 +2017,13 @@ async function getRoleByIdRoute(req, res) {
 async function listRolesOperation(params) {
   const { tableName } = params;
   const service = getDynamoControlService(tableName);
-  const response = await service.entities.role.query.gsi4({}).go();
-  const entries = (response.data ?? []).map((item) => {
+  const shardResults = await Promise.all(
+    Array.from(
+      { length: SHARD_COUNT },
+      (_, shard) => service.entities.role.query.gsi1({ gsi1Shard: String(shard) }).go()
+    )
+  );
+  const entries = shardResults.flatMap((shardResult) => shardResult.data ?? []).map((item) => {
     const parsedResource = JSON.parse(item.resource);
     return {
       id: item.id,
@@ -1872,6 +2056,7 @@ async function listRolesRoute(req, res) {
 }
 
 // src/data/operations/control/role/role-update-operation.ts
+import { extractSummary as extractSummary4 } from "@openhi/types";
 async function updateRoleOperation(params) {
   const { context, id, body, tableName } = params;
   const service = getDynamoControlService(tableName);
@@ -1882,15 +2067,18 @@ async function updateRoleOperation(params) {
   const parsedResource = typeof body.resource === "string" ? JSON.parse(body.resource) : body.resource ?? {};
   const lastUpdated = context.date ?? (/* @__PURE__ */ new Date()).toISOString();
   const vid = `${Date.now()}`;
+  const resource = { resourceType: "Role", id, ...parsedResource };
+  const summary = JSON.stringify(extractSummary4(resource));
   await service.entities.role.put({
     id,
-    resource: JSON.stringify({ resourceType: "Role", id, ...parsedResource }),
+    resource: JSON.stringify(resource),
+    summary,
     vid,
     lastUpdated
   }).go();
   return {
     id,
-    resource: { resourceType: "Role", id, ...parsedResource },
+    resource,
     meta: { lastUpdated, versionId: vid }
   };
 }
@@ -1947,6 +2135,7 @@ router3.delete("/:id", deleteRoleRoute);
 import express4 from "express";
 
 // src/data/operations/control/roleassignment/roleassignment-create-operation.ts
+import { extractSummary as extractSummary5 } from "@openhi/types";
 async function createRoleAssignmentOperation(params) {
   const { context, body, tableName } = params;
   const service = getDynamoControlService(tableName);
@@ -1954,20 +2143,19 @@ async function createRoleAssignmentOperation(params) {
   const parsedResource = typeof body.resource === "string" ? JSON.parse(body.resource) : body.resource ?? {};
   const lastUpdated = context.date ?? (/* @__PURE__ */ new Date()).toISOString();
   const vid = `1`;
+  const resource = { resourceType: "RoleAssignment", id, ...parsedResource };
+  const summary = JSON.stringify(extractSummary5(resource));
   await service.entities.roleAssignment.put({
     tenantId: context.tenantId,
     id,
-    resource: JSON.stringify({
-      resourceType: "RoleAssignment",
-      id,
-      ...parsedResource
-    }),
+    resource: JSON.stringify(resource),
+    summary,
     vid,
     lastUpdated
   }).go();
   return {
     id,
-    resource: { resourceType: "RoleAssignment", id, ...parsedResource },
+    resource,
     meta: { lastUpdated, versionId: vid }
   };
 }
@@ -2075,8 +2263,13 @@ async function getRoleAssignmentByIdRoute(req, res) {
 async function listRoleAssignmentsOperation(params) {
   const { context, tableName } = params;
   const service = getDynamoControlService(tableName);
-  const response = await service.entities.roleAssignment.query.gsi4({ tenantId: context.tenantId }).go();
-  const entries = (response.data ?? []).map((item) => {
+  const shardResults = await Promise.all(
+    Array.from(
+      { length: SHARD_COUNT },
+      (_, shard) => service.entities.roleAssignment.query.gsi1({ tenantId: context.tenantId, gsi1Shard: String(shard) }).go()
+    )
+  );
+  const entries = shardResults.flatMap((shardResult) => shardResult.data ?? []).map((item) => {
     const parsedResource = JSON.parse(item.resource);
     return {
       id: item.id,
@@ -2113,6 +2306,7 @@ async function listRoleAssignmentsRoute(req, res) {
 }
 
 // src/data/operations/control/roleassignment/roleassignment-update-operation.ts
+import { extractSummary as extractSummary6 } from "@openhi/types";
 async function updateRoleAssignmentOperation(params) {
   const { context, id, body, tableName } = params;
   const service = getDynamoControlService(tableName);
@@ -2123,20 +2317,19 @@ async function updateRoleAssignmentOperation(params) {
   const parsedResource = typeof body.resource === "string" ? JSON.parse(body.resource) : body.resource ?? {};
   const lastUpdated = context.date ?? (/* @__PURE__ */ new Date()).toISOString();
   const vid = `${Date.now()}`;
+  const resource = { resourceType: "RoleAssignment", id, ...parsedResource };
+  const summary = JSON.stringify(extractSummary6(resource));
   await service.entities.roleAssignment.put({
     tenantId: context.tenantId,
     id,
-    resource: JSON.stringify({
-      resourceType: "RoleAssignment",
-      id,
-      ...parsedResource
-    }),
+    resource: JSON.stringify(resource),
+    summary,
     vid,
     lastUpdated
   }).go();
   return {
     id,
-    resource: { resourceType: "RoleAssignment", id, ...parsedResource },
+    resource,
     meta: { lastUpdated, versionId: vid }
   };
 }
@@ -2193,6 +2386,7 @@ router4.delete("/:id", deleteRoleAssignmentRoute);
 import express5 from "express";
 
 // src/data/operations/control/tenant/tenant-create-operation.ts
+import { extractSummary as extractSummary7 } from "@openhi/types";
 async function createTenantOperation(params) {
   const { context, body, tableName } = params;
   const service = getDynamoControlService(tableName);
@@ -2201,10 +2395,12 @@ async function createTenantOperation(params) {
   const vid = lastUpdated.replace(/[-:T.Z]/g, "").slice(0, 12) || Date.now().toString(36);
   const parsedResource = typeof body.resource === "string" ? JSON.parse(body.resource) : body.resource ?? {};
   const resource = { resourceType: "Tenant", id, ...parsedResource };
+  const summary = JSON.stringify(extractSummary7(resource));
   await service.entities.tenant.put({
     tenantId: id,
     id,
     resource: JSON.stringify(resource),
+    summary,
     vid,
     lastUpdated
   }).go();
@@ -2313,8 +2509,13 @@ async function getTenantByIdRoute(req, res) {
 async function listTenantsOperation(params) {
   const { tableName } = params;
   const service = getDynamoControlService(tableName);
-  const { data: items } = await service.entities.tenant.query.gsi4({}).go();
-  const entries = items.map((item) => {
+  const shardResults = await Promise.all(
+    Array.from(
+      { length: SHARD_COUNT },
+      (_, shard) => service.entities.tenant.query.gsi1({ gsi1Shard: String(shard) }).go()
+    )
+  );
+  const entries = shardResults.flatMap((shardResult) => shardResult.data ?? []).map((item) => {
     const parsed = JSON.parse(item.resource);
     return {
       id: item.id,
@@ -2347,6 +2548,7 @@ async function listTenantsRoute(req, res) {
 }
 
 // src/data/operations/control/tenant/tenant-update-operation.ts
+import { extractSummary as extractSummary8 } from "@openhi/types";
 async function updateTenantOperation(params) {
   const { context, id, body, tableName } = params;
   const service = getDynamoControlService(tableName);
@@ -2364,7 +2566,8 @@ async function updateTenantOperation(params) {
     resourceType: "Tenant",
     id
   };
-  await service.entities.tenant.patch({ tenantId: id, sk: "CURRENT" }).set({ resource: JSON.stringify(updated), vid, lastUpdated }).go();
+  const summary = JSON.stringify(extractSummary8(updated));
+  await service.entities.tenant.patch({ tenantId: id, sk: "CURRENT" }).set({ resource: JSON.stringify(updated), summary, vid, lastUpdated }).go();
   return { id, resource: updated, meta: { lastUpdated, versionId: vid } };
 }
 
@@ -2420,6 +2623,7 @@ router5.delete("/:id", deleteTenantRoute);
 import express6 from "express";
 
 // src/data/operations/control/user/user-create-operation.ts
+import { extractSummary as extractSummary9 } from "@openhi/types";
 async function createUserOperation(params) {
   const { context, body, tableName } = params;
   const service = getDynamoControlService(tableName);
@@ -2427,15 +2631,18 @@ async function createUserOperation(params) {
   const parsedResource = typeof body.resource === "string" ? JSON.parse(body.resource) : body.resource ?? {};
   const lastUpdated = context.date ?? (/* @__PURE__ */ new Date()).toISOString();
   const vid = `1`;
+  const resource = { resourceType: "User", id, ...parsedResource };
+  const summary = JSON.stringify(extractSummary9(resource));
   await service.entities.user.put({
     id,
-    resource: JSON.stringify({ resourceType: "User", id, ...parsedResource }),
+    resource: JSON.stringify(resource),
+    summary,
     vid,
     lastUpdated
   }).go();
   return {
     id,
-    resource: { resourceType: "User", id, ...parsedResource },
+    resource,
     meta: { lastUpdated, versionId: vid }
   };
 }
@@ -2543,8 +2750,13 @@ async function getUserByIdRoute(req, res) {
 async function listUsersOperation(params) {
   const { tableName } = params;
   const service = getDynamoControlService(tableName);
-  const response = await service.entities.user.query.gsi4({}).go();
-  const entries = (response.data ?? []).map((item) => {
+  const shardResults = await Promise.all(
+    Array.from(
+      { length: SHARD_COUNT },
+      (_, shard) => service.entities.user.query.gsi1({ gsi1Shard: String(shard) }).go()
+    )
+  );
+  const entries = shardResults.flatMap((shardResult) => shardResult.data ?? []).map((item) => {
     const parsedResource = JSON.parse(item.resource);
     return {
       id: item.id,
@@ -2577,6 +2789,7 @@ async function listUsersRoute(req, res) {
 }
 
 // src/data/operations/control/user/user-update-operation.ts
+import { extractSummary as extractSummary10 } from "@openhi/types";
 async function updateUserOperation(params) {
   const { context, id, body, tableName } = params;
   const service = getDynamoControlService(tableName);
@@ -2587,15 +2800,18 @@ async function updateUserOperation(params) {
   const parsedResource = typeof body.resource === "string" ? JSON.parse(body.resource) : body.resource ?? {};
   const lastUpdated = context.date ?? (/* @__PURE__ */ new Date()).toISOString();
   const vid = `${Date.now()}`;
+  const resource = { resourceType: "User", id, ...parsedResource };
+  const summary = JSON.stringify(extractSummary10(resource));
   await service.entities.user.put({
     id,
-    resource: JSON.stringify({ resourceType: "User", id, ...parsedResource }),
+    resource: JSON.stringify(resource),
+    summary,
     vid,
     lastUpdated
   }).go();
   return {
     id,
-    resource: { resourceType: "User", id, ...parsedResource },
+    resource,
     meta: { lastUpdated, versionId: vid }
   };
 }
@@ -2652,6 +2868,7 @@ router6.delete("/:id", deleteUserRoute);
 import express7 from "express";
 
 // src/data/operations/control/workspace/workspace-create-operation.ts
+import { extractSummary as extractSummary11 } from "@openhi/types";
 async function createWorkspaceOperation(params) {
   const { context, body, tableName } = params;
   const { tenantId } = context;
@@ -2661,7 +2878,15 @@ async function createWorkspaceOperation(params) {
   const vid = lastUpdated.replace(/[-:T.Z]/g, "").slice(0, 12) || Date.now().toString(36);
   const parsedResource = typeof body.resource === "string" ? JSON.parse(body.resource) : body.resource ?? {};
   const resource = { resourceType: "Workspace", id, ...parsedResource };
-  await service.entities.workspace.put({ tenantId, id, resource: JSON.stringify(resource), vid, lastUpdated }).go();
+  const summary = JSON.stringify(extractSummary11(resource));
+  await service.entities.workspace.put({
+    tenantId,
+    id,
+    resource: JSON.stringify(resource),
+    summary,
+    vid,
+    lastUpdated
+  }).go();
   return { id, resource, meta: { lastUpdated, versionId: vid } };
 }
 
@@ -2770,8 +2995,13 @@ async function listWorkspacesOperation(params) {
   const { context, tableName } = params;
   const { tenantId } = context;
   const service = getDynamoControlService(tableName);
-  const { data: items } = await service.entities.workspace.query.gsi4({ tenantId }).go();
-  const entries = items.map((item) => {
+  const shardResults = await Promise.all(
+    Array.from(
+      { length: SHARD_COUNT },
+      (_, shard) => service.entities.workspace.query.gsi1({ tenantId, gsi1Shard: String(shard) }).go()
+    )
+  );
+  const entries = shardResults.flatMap((shardResult) => shardResult.data ?? []).map((item) => {
     const parsed = JSON.parse(item.resource);
     return {
       id: item.id,
@@ -2804,6 +3034,7 @@ async function listWorkspacesRoute(req, res) {
 }
 
 // src/data/operations/control/workspace/workspace-update-operation.ts
+import { extractSummary as extractSummary12 } from "@openhi/types";
 async function updateWorkspaceOperation(params) {
   const { context, id, body, tableName } = params;
   const { tenantId } = context;
@@ -2822,7 +3053,8 @@ async function updateWorkspaceOperation(params) {
     resourceType: "Workspace",
     id
   };
-  await service.entities.workspace.patch({ tenantId, id, sk: "CURRENT" }).set({ resource: JSON.stringify(updated), vid, lastUpdated }).go();
+  const summary = JSON.stringify(extractSummary12(updated));
+  await service.entities.workspace.patch({ tenantId, id, sk: "CURRENT" }).set({ resource: JSON.stringify(updated), summary, vid, lastUpdated }).go();
   return { id, resource: updated, meta: { lastUpdated, versionId: vid } };
 }
 
@@ -2934,6 +3166,18 @@ var dataEntityAttributes = {
     type: "string",
     required: true
   },
+  /**
+   * Summary projection of the FHIR resource as a JSON string (uncompressed). Populated on every
+   * write via `extractSummary(resource)` so GSI projections can surface list/lookup data without
+   * reading the compressed `resource` blob. Kept uncompressed because the summary is small and
+   * must be fast to retrieve without encode/decode overhead.
+   *
+   * @see sites/www-docs/content/architecture/adr/2026-04-17-02-fhir-summary-projection-for-gsi-access-patterns.md
+   */
+  summary: {
+    type: "string",
+    required: true
+  },
   /** Version id (e.g. ULID). Tracks current version; S3 history key. */
   vid: {
     type: "string",
@@ -2943,6 +3187,41 @@ var dataEntityAttributes = {
     type: "string",
     required: true
   },
+  /**
+   * Shard index segment for the GSI1 partition key. Computed deterministically from `id`
+   * via `computeShard` so updates always land on the same shard. Stored as a string because
+   * it appears as a literal segment in the GSI1 PK template; the underlying value is 0..3.
+   * Not `required` because the value is derived via `watch`/`set`; ElectroDB's required-field
+   * check runs before watch propagation, so callers must not fail validation on a derived field.
+   *
+   * @see sites/www-docs/content/packages/@openhi/constructs/data/dynamo/single-table-design.md — GSI1 (sharded)
+   */
+  gsi1Shard: {
+    type: "string",
+    watch: ["id"],
+    set: (_val, item) => {
+      if (typeof item?.id !== "string" || item.id.length === 0) {
+        return void 0;
+      }
+      return String(computeShard(item.id));
+    }
+  },
+  /**
+   * GSI1 sort key. Written as the index's SK verbatim so list endpoints can
+   * use `BEGINS_WITH` for prefix queries (e.g. `?name=Sm` against Patient).
+   * Computed at write time via `extractSortKey(resource)` per DR-004:
+   *   - Labeled types (LABEL_PATHS): `<normalizedLabel>#<id>`
+   *   - Unlabeled types: `<ISO-8601 lastUpdated>#<id>`
+   * The factory deliberately does not derive this from `lastUpdated`/`id`
+   * — that would lock every type into the unlabeled fallback and defeat
+   * label-based BEGINS_WITH on labeled types.
+   *
+   * @see openhi-planning DR-004
+   */
+  gsi1sk: {
+    type: "string",
+    required: true
+  },
   deleted: {
     type: "boolean",
     required: false
@@ -2977,18 +3256,26 @@ function createDataEntity(entity, resourceTypeLabel) {
           composite: ["sk"]
         }
       },
-      /** GSI4 — Resource Type Index: list all resources of this type in a workspace (no scan). Used by list operations (e.g. GET /Patient). */
-      gsi4: {
-        index: "GSI4",
+      /**
+       * GSI1 — Unified Sharded List: list all resources of this type in a workspace; reads fan
+       * out across the four shards and merge by SK. SK is the writer-supplied `gsi1sk` verbatim
+       * (per DR-004) so labeled types serve `BEGINS_WITH` prefix queries on the natural label.
+       * `casing: "none"` is required on the SK because the writer (`extractSortKey`) already
+       * applies DR-004 normalization — ElectroDB's default lowercasing would mangle the
+       * ISO-8601 unlabeled fallback (`T`/`Z` → `t`/`z`).
+       */
+      gsi1: {
+        index: "GSI1",
         pk: {
-          field: "GSI4PK",
-          composite: ["tenantId", "workspaceId"],
-          template: `TID#\${tenantId}#WID#\${workspaceId}#RT#${resourceTypeLabel}`
+          field: "GSI1PK",
+          composite: ["tenantId", "workspaceId", "gsi1Shard"],
+          template: `TID#\${tenantId}#WID#\${workspaceId}#RT#${resourceTypeLabel}#SHARD#\${gsi1Shard}`
         },
         sk: {
-          field: "GSI4SK",
-          composite: ["id"],
-          template: `ID#\${id}`
+          field: "GSI1SK",
+          casing: "none",
+          composite: ["gsi1sk"],
+          template: `\${gsi1sk}`
         }
       }
     }
@@ -3882,6 +4169,7 @@ function getDynamoDataService(tableName) {
 }
 
 // src/data/operations/data-operations-common.ts
+import { extractSortKey, extractSummary as extractSummary13 } from "@openhi/types";
 var DATA_ENTITY_SK = "CURRENT";
 async function getDataEntityById(entity, tenantId, workspaceId, id, resourceLabel) {
   const result = await entity.get({
@@ -3910,28 +4198,40 @@ async function deleteDataEntityById(entity, tenantId, workspaceId, id) {
   }).go();
 }
 async function listDataEntitiesByWorkspace(entity, tenantId, workspaceId) {
-  const result = await entity.query.gsi4({ tenantId, workspaceId }).go();
-  const items = result.data ?? [];
-  const entries = items.map((item) => {
-    const parsed = JSON.parse(decompressResource(item.resource));
-    return {
-      id: item.id,
-      resource: { ...parsed, id: item.id }
-    };
-  });
+  const shardResults = await Promise.all(
+    Array.from(
+      { length: SHARD_COUNT },
+      (_, shard) => entity.query.gsi1({ tenantId, workspaceId, gsi1Shard: String(shard) }).go()
+    )
+  );
+  const entries = [];
+  for (const shardResult of shardResults) {
+    for (const item of shardResult.data ?? []) {
+      const parsed = JSON.parse(decompressResource(item.resource));
+      entries.push({
+        id: item.id,
+        resource: { ...parsed, id: item.id }
+      });
+    }
+  }
   return { entries };
 }
 async function createDataEntityRecord(entity, tenantId, workspaceId, id, resourceWithAudit, fallbackDate) {
   const lastUpdated = resourceWithAudit.meta?.lastUpdated ?? fallbackDate ?? (/* @__PURE__ */ new Date()).toISOString();
   const vid = lastUpdated.replace(/[-:T.Z]/g, "").slice(0, 12) || Date.now().toString(36);
+  const resourceLike = resourceWithAudit;
+  const summary = JSON.stringify(extractSummary13(resourceLike));
+  const gsi1sk = extractSortKey(resourceLike);
   await entity.put({
     sk: DATA_ENTITY_SK,
     tenantId,
     workspaceId,
     id,
     resource: compressResource(JSON.stringify(resourceWithAudit)),
+    summary,
     vid,
-    lastUpdated
+    lastUpdated,
+    gsi1sk
   }).go();
   return {
     id,
@@ -3978,6 +4278,9 @@ async function updateDataEntityById(entity, tenantId, workspaceId, id, resourceL
   }
   const existingStr = decompressResource(existing.data.resource);
   const { resource, lastUpdated } = buildPatched(existingStr);
+  const resourceLike = resource;
+  const summary = JSON.stringify(extractSummary13(resourceLike));
+  const gsi1sk = extractSortKey(resourceLike);
   await entity.patch({
     tenantId,
     workspaceId,
@@ -3985,7 +4288,9 @@ async function updateDataEntityById(entity, tenantId, workspaceId, id, resourceL
     sk: DATA_ENTITY_SK
   }).set({
     resource: compressResource(JSON.stringify(resource)),
-    lastUpdated
+    summary,
+    lastUpdated,
+    gsi1sk
   }).go();
   return {
     id,
@@ -12629,9 +12934,168 @@ async function listEncountersOperation(params) {
   );
 }
 
+// src/data/postgres/data-api-postgres-query-runner.ts
+import {
+  ExecuteStatementCommand,
+  RDSDataClient
+} from "@aws-sdk/client-rds-data";
+var DataApiPostgresQueryRunner = class {
+  constructor(options) {
+    this.client = options.client ?? new RDSDataClient({});
+    this.clusterArn = options.clusterArn;
+    this.secretArn = options.secretArn;
+    this.database = options.database;
+    this.schema = options.schema;
+  }
+  async query(sql, params) {
+    const out = await this.client.send(
+      new ExecuteStatementCommand({
+        resourceArn: this.clusterArn,
+        secretArn: this.secretArn,
+        database: this.database,
+        schema: this.schema,
+        sql,
+        parameters: params.map(toSqlParameter),
+        // Results as named columns so we can map them back to JS objects.
+        includeResultMetadata: true,
+        // Encode JSONB results as strings, then parse client-side. Without
+        // this, Data API returns JSON values inline as their underlying types
+        // and complex JSONB columns get clipped.
+        formatRecordsAs: "JSON"
+      })
+    );
+    if (!out.formattedRecords) {
+      return [];
+    }
+    return JSON.parse(out.formattedRecords);
+  }
+};
+function toSqlParameter(param) {
+  if (param.value === null) {
+    return { name: param.name, value: { isNull: true } };
+  }
+  const v = param.value;
+  let field;
+  if (typeof v === "string") {
+    field = { stringValue: v };
+  } else if (typeof v === "boolean") {
+    field = { booleanValue: v };
+  } else if (Number.isInteger(v)) {
+    field = { longValue: v };
+  } else {
+    field = { doubleValue: v };
+  }
+  return { name: param.name, value: field };
+}
+
+// src/data/postgres/default-postgres-query-runner.ts
+var cached;
+function readEnv(name) {
+  const v = process.env[name]?.trim();
+  if (!v) {
+    throw new Error(
+      `Missing required env var for default PostgresQueryRunner: ${name}`
+    );
+  }
+  return v;
+}
+function getDefaultPostgresQueryRunner() {
+  if (!cached) {
+    cached = new DataApiPostgresQueryRunner({
+      clusterArn: readEnv("OPENHI_PG_CLUSTER_ARN"),
+      secretArn: readEnv("OPENHI_PG_SECRET_ARN"),
+      database: readEnv("OPENHI_PG_DATABASE"),
+      schema: readEnv("OPENHI_PG_SCHEMA")
+    });
+  }
+  return cached;
+}
+
+// src/data/operations/data/encounter/encounter-search-by-patient-operation.ts
+var DEFAULT_LIMIT = 100;
+function buildOpenHiResourceUrn(opts) {
+  return `urn:ohi:${opts.tenantId}:${opts.workspaceId}:${opts.resourceType}:${opts.resourceId}`;
+}
+function buildSearchEncountersByPatientSql() {
+  return [
+    "SELECT resource_id AS id, resource",
+    "FROM resources",
+    "WHERE tenant_id = :tenantId",
+    "  AND workspace_id = :workspaceId",
+    "  AND resource_type = 'Encounter'",
+    "  AND deleted_at IS NULL",
+    "  AND (resource @> :containmentRelative::jsonb",
+    "    OR resource @> :containmentUrn::jsonb)",
+    "ORDER BY last_updated DESC",
+    "LIMIT :limit;"
+  ].join("\n");
+}
+async function searchEncountersByPatientOperation(params) {
+  const { context, patientId } = params;
+  const { tenantId, workspaceId } = context;
+  const runner = params.runner ?? getDefaultPostgresQueryRunner();
+  const limit = params.limit ?? DEFAULT_LIMIT;
+  const containmentRelative = JSON.stringify({
+    subject: { reference: `Patient/${patientId}` }
+  });
+  const containmentUrn = JSON.stringify({
+    subject: {
+      reference: buildOpenHiResourceUrn({
+        tenantId,
+        workspaceId,
+        resourceType: "Patient",
+        resourceId: patientId
+      })
+    }
+  });
+  const rows = await runner.query(
+    buildSearchEncountersByPatientSql(),
+    [
+      { name: "tenantId", value: tenantId },
+      { name: "workspaceId", value: workspaceId },
+      { name: "containmentRelative", value: containmentRelative },
+      { name: "containmentUrn", value: containmentUrn },
+      { name: "limit", value: limit }
+    ]
+  );
+  const entries = rows.map((row) => ({
+    id: row.id,
+    resource: {
+      ...row.resource,
+      id: row.id
+    }
+  }));
+  return { entries };
+}
+
 // src/data/rest-api/routes/data/encounter/encounter-list-route.ts
+function singleStringQueryParam(req, name) {
+  const v = req.query[name];
+  if (typeof v !== "string") {
+    return void 0;
+  }
+  const trimmed = v.trim();
+  return trimmed === "" ? void 0 : trimmed;
+}
 async function listEncountersRoute(req, res) {
   const ctx = req.openhiContext;
+  const patientId = singleStringQueryParam(req, "patient");
+  if (patientId) {
+    try {
+      const result = await searchEncountersByPatientOperation({
+        context: ctx,
+        patientId
+      });
+      const bundle = buildSearchsetBundle(BASE_PATH.ENCOUNTER, result.entries);
+      return res.json(bundle);
+    } catch (err) {
+      return sendOperationOutcome500(
+        res,
+        err,
+        "GET /Encounter?patient= search error:"
+      );
+    }
+  }
   try {
     const result = await listEncountersOperation({ context: ctx });
     const bundle = buildSearchsetBundle(BASE_PATH.ENCOUNTER, result.entries);
@@ -24548,6 +25012,7 @@ import { ulid as ulid99 } from "ulid";
 // src/data/import-patient.ts
 import { readFileSync } from "fs";
 import { resolve } from "path";
+import { extractSummary as extractSummary14 } from "@openhi/types";
 function extractPatient(parsed) {
   if (parsed && typeof parsed === "object" && "resourceType" in parsed) {
     const root = parsed;
@@ -24613,6 +25078,9 @@ function patientToPutAttrs(patient, options) {
     workspaceId,
     id: patient.id,
     resource: compressResource(JSON.stringify(patientWithMeta)),
+    summary: JSON.stringify(
+      extractSummary14(patientWithMeta)
+    ),
     vid: lastUpdated.replace(/[-:T.Z]/g, "").slice(0, 12) || Date.now().toString(36),
     lastUpdated,
     identifierSystem: "",
@@ -33933,6 +34401,7 @@ app.use(
     "/MedicinalProductPackaged",
     "/MedicinalProductPharmaceutical",
     "/MedicinalProductUndesirableEffect",
+    "/Membership",
     "/MessageDefinition",
     "/MessageHeader",
     "/MolecularSequence",
@@ -33962,6 +34431,8 @@ app.use(
     "/ResearchSubject",
     "/RiskAssessment",
     "/RiskEvidenceSynthesis",
+    "/Role",
+    "/RoleAssignment",
     "/Schedule",
     "/ServiceRequest",
     "/SearchParameter",
@@ -33981,12 +34452,15 @@ app.use(
     "/SupplyDelivery",
     "/SupplyRequest",
     "/Task",
+    "/Tenant",
     "/TerminologyCapabilities",
     "/TestReport",
     "/TestScript",
+    "/User",
     "/ValueSet",
     "/VerificationResult",
-    "/VisionPrescription"
+    "/VisionPrescription",
+    "/Workspace"
   ],
   openHiContextMiddleware
 );
@@ -34148,6 +34622,18 @@ app.use("/RoleAssignment", router4);
 app.use("/Tenant", router5);
 app.use("/User", router6);
 app.use("/Workspace", router7);
+app.use((_req, res) => {
+  res.status(404).json({
+    resourceType: "OperationOutcome",
+    issue: [
+      {
+        severity: "error",
+        code: "not-supported",
+        diagnostics: "The requested endpoint or resource type is not supported by this server."
+      }
+    ]
+  });
+});
 
 // src/data/lambda/rest-api-lambda.handler.ts
 var handler = serverlessExpress({ app });