fhirsmith 0.9.5 → 0.9.7

package/tx/operation-context.js

@@ -204,6 +204,10 @@ class ExpansionCache {
     this.cache = new Map();
     this.maxSize = maxSize;
     this.memoryThresholdBytes = memoryThresholdMB * 1024 * 1024;
+    // When true, every expansion is cached regardless of how long it took
+    // (bypasses MIN_CACHE_TIME_MS). Used by the test runner to force the cache
+    // path so cache correctness (e.g. language in the key) is exercised.
+    this.forceCaching = false;
   }
 
   /**
@@ -284,8 +288,9 @@ class ExpansionCache {
    * @returns {boolean} True if cached, false if duration too short
    */
   set(key, expansion, durationMs) {
-    // Only cache if expansion took significant time
-    if (durationMs < ExpansionCache.MIN_CACHE_TIME_MS) {
+    // Only cache if expansion took significant time, unless forceCaching is on
+    // (in which case everything is cached regardless of duration).
+    if (!this.forceCaching && durationMs < ExpansionCache.MIN_CACHE_TIME_MS) {
       return false;
     }
 
@@ -357,21 +362,6 @@ class ExpansionCache {
     return false;
   }
 
-  /**
-   * Force-store an expansion regardless of duration (for testing)
-   * @param {string} key - Hash key
-   * @param {Object} expansion - The expanded ValueSet
-   */
-  forceSet(key, expansion) {
-    this.cache.set(key, {
-      expansion: expansion,
-      createdAt: Date.now(),
-      lastUsed: Date.now(),
-      durationMs: 0,
-      hitCount: 0
-    });
-  }
-
   /**
    * Clear a specific entry
    * @param {string} key - Hash key
@@ -388,22 +378,22 @@ class ExpansionCache {
   }
 
   /**
-   * Get cache statistics
+   * Get cache statistics.
+   * NB: named getStats(), not stats() — the `stats` field (the ServerStats
+   * passed to the constructor) would shadow a method called `stats`, making it
+   * unreachable.
    * @returns {Object} Stats object
    */
-  stats() {
+  getStats() {
     let totalHits = 0;
-    let totalDuration = 0;
     for (const entry of this.cache.values()) {
       totalHits += entry.hitCount;
-      totalDuration += entry.durationMs;
     }
     return {
       size: this.cache.size,
       maxSize: this.maxSize,
       memoryThresholdMB: this.memoryThresholdBytes > 0 ? this.memoryThresholdBytes / (1024 * 1024) : 0,
-      totalHits,
-      totalDurationSaved: totalHits > 0 ? totalDuration * totalHits : 0
+      totalHits
     };
   }
 
@@ -448,6 +438,11 @@ class OperationContext {
     this.resourceCache = resourceCache;
     this.expansionCache = expansionCache;
     this.debugging = isDebugging();
+    // Providers opened during this operation that need their underlying
+    // resources (sqlite connections, etc.) released when the operation ends.
+    // Shared by reference with copy()'d contexts so a sub-operation's
+    // providers are cleaned up by the parent request's closeProviders().
+    this._openProviders = [];
 
     this.timeTracker.step('tx-op');
   }
@@ -476,6 +471,9 @@ class OperationContext {
     newContext.logEntries = [...this.logEntries];
     newContext.debugging = this.debugging;
     newContext.usageTracker = this.usageTracker;
+    // Share the same provider-cleanup list so providers opened by the copy
+    // are released when the parent operation ends.
+    newContext._openProviders = this._openProviders;
     return newContext;
   }
 
@@ -624,6 +622,37 @@ class OperationContext {
     return this.id;
   }
 
+  /**
+   * Register a code-system provider whose resources (typically a sqlite
+   * connection opened by factory.build()) should be released when the
+   * operation ends. Providers without a close() method are ignored.
+   * @param {Object} provider - The provider returned from factory.build()
+   */
+  registerProvider(provider) {
+    if (provider && typeof provider.close === 'function') {
+      this._openProviders.push(provider);
+    }
+  }
+
+  /**
+   * Close every provider registered during this operation. Safe to call
+   * multiple times — the list is cleared after the first call. Errors
+   * from individual close() calls are swallowed so one bad provider can't
+   * prevent the others from releasing their resources.
+   */
+  async closeProviders() {
+    if (!this._openProviders || this._openProviders.length === 0) return;
+    const providers = this._openProviders;
+    this._openProviders = [];
+    for (const p of providers) {
+      try {
+        await p.close();
+      } catch (_e) {
+        // Swallow — provider cleanup is best-effort.
+      }
+    }
+  }
+
   /**
    * @type {Languages} languages specified in request
    */

package/tx/params.js

@@ -53,6 +53,11 @@ class TxParameters {
 
     this.FHTTPLanguages = null;
     this.FDisplayLanguages = null;
+    // Whether languages were explicitly supplied by the request (vs a
+    // synthesised default). Consumed by hasHTTPLanguages/hasDisplayLanguages so
+    // the requested language folds into the expansion cache key.
+    this.FHasHTTPLanguages = false;
+    this.FHasDisplayLanguages = false;
     this.FValueSetVersionRules = null;
     this.FUid = '';
 
@@ -87,11 +92,15 @@ class TxParameters {
     if (!params.parameter) {
       return;
     }
-    if (!this.hasHTTPLanguages && this.hasParam(params, "__Content-Language")) {
-      this.HTTPLanguages = Languages.fromAcceptLanguage(this.paramstr(params, "__Content-Language"), this.languageDefinitions, !this.validating);
+    if (this.hasParam(params, "__Content-Language")) {
+      const lang = this.paramstr(params, "__Content-Language");
+      this.HTTPLanguages = Languages.fromAcceptLanguage(lang, this.languageDefinitions, !this.validating);
+      if (lang) this.FHasHTTPLanguages = true;
     }
-    if (!this.hasHTTPLanguages && this.hasParam(params, "__Accept-Language")) {
-      this.HTTPLanguages = Languages.fromAcceptLanguage(this.paramstr(params, "__Accept-Language"), this.languageDefinitions, !this.validating);
+    if (this.hasParam(params, "__Accept-Language")) {
+      const lang = this.paramstr(params, "__Accept-Language");
+      this.HTTPLanguages = Languages.fromAcceptLanguage(lang, this.languageDefinitions, !this.validating);
+      if (lang) this.FHasHTTPLanguages = true;
     }
 
     for (let p of params.parameter) {
@@ -124,7 +133,9 @@ class TxParameters {
 
         case 'displayLanguage': {
           try {
-            this.DisplayLanguages = Languages.fromAcceptLanguage(getValuePrimitive(p), this.languageDefinitions, !this.validating);
+            const lang = getValuePrimitive(p);
+            this.DisplayLanguages = Languages.fromAcceptLanguage(lang, this.languageDefinitions, !this.validating);
+            if (lang) this.FHasDisplayLanguages = true;
           } catch (error) {
             throw new Issue("error", "processing", null, 'INVALID_DISPLAY_NAME', this.i18n.translate('INVALID_DISPLAY_NAME', this.HTTPLanguages, [getValuePrimitive(p)]), "invalid-display").handleAsOO(400);
           }
@@ -139,7 +150,10 @@ class TxParameters {
           break;
         }
         case 'no-cache': {
-          if (getValuePrimitive(p) === 'true') this.uid = crypto.randomUUID();
+          // Write FUid (the field the cache key reads via hashSource); writing
+          // `this.uid` was a no-op so no-cache=true never busted the cache.
+          // Accept both the string ('true') and boolean (valueBoolean) forms.
+          if (strToBool(getValuePrimitive(p), false)) this.FUid = crypto.randomUUID();
           break;
         }
         case '_incomplete':
@@ -292,11 +306,11 @@ class TxParameters {
   }
 
   get hasHTTPLanguages() {
-    return this.FHTTPLanguages && this.FHTTPLanguages.source;
+    return this.FHasHTTPLanguages;
   }
 
   get hasDisplayLanguages() {
-    return this.FDisplayLanguages && this.FDisplayLanguages.source;
+    return this.FHasDisplayLanguages;
   }
 
   get hasDesignations() {
@@ -422,6 +436,7 @@ e
     if (value) {
       if (name === 'displayLanguage' && (!this.FDisplayLanguages || overwrite)) {
         this.DisplayLanguages = Languages.fromAcceptLanguage(getValuePrimitive(value), this.languageDefinitions, !this.validating)
+        if (getValuePrimitive(value)) this.FHasDisplayLanguages = true;
       }
 
       if (name === 'designation') {
@@ -561,6 +576,17 @@ e
     if (this.hasDesignations) {
       s = s + this.FDesignations.join(',') + '|';
     }
+    if (this.supplements && this.supplements.size > 0) {
+      // useSupplement changes the expansion result (and a bad supplement must
+      // error), so it must be part of the cache key. Sort for determinism.
+      s = s + '$' + [...this.supplements].sort().join(',') + '|';
+    }
+    // Further result-affecting parameters that were previously omitted from the
+    // key: the text filter (changes which codes expand), limited/incomplete
+    // expansion handling, whether abstract codes are included, and diagnostics.
+    // filter is free text, so JSON.stringify it to avoid delimiter collisions.
+    s = s + 'f:' + JSON.stringify(this.filter || '') + '|' +
+      b(this.limitedExpansion) + b(this.incompleteOK) + b(this.abstractOk) + b(this.diagnostics);
     for (let t of this.FVersionRules) {
       s = s + t.asString() + '|';
     }
@@ -623,9 +649,11 @@ e
 
     if (other.FHTTPLanguages) {
       this.FHTTPLanguages = other.FHTTPLanguages;
+      this.FHasHTTPLanguages = this.FHasHTTPLanguages || other.FHasHTTPLanguages;
     }
     if (other.FDisplayLanguages) {
       this.FDisplayLanguages = other.FDisplayLanguages;
+      this.FHasDisplayLanguages = this.FHasDisplayLanguages || other.FHasDisplayLanguages;
     }
   }
 

package/tx/problems.js

@@ -2,10 +2,6 @@ const escape = require('escape-html');
 
 class ProblemFinder {
 
-  constructor() {
-    this.map = new Map();
-  }
-
   async scanValueSets(provider) {
     let unknownVersions = {};  // system -> Set of versions not known to the server
     for (let vsp of provider.valueSetProviders) {

package/tx/provider.js

@@ -1,7 +1,8 @@
 const { CodeSystem } = require("./library/codesystem");
 const {VersionUtilities} = require("../library/version-utilities");
 const { FhirCodeSystemProvider} = require("./cs/cs-cs");
-const {OperationContext, TerminologyError} = require("./operation-context");
+const {OperationContext} = require("./operation-context");
+const {TerminologyError} = require("./library/errors");
 const {validateParameter, validateOptionalParameter, validateArrayParameter} = require("../library/utilities");
 const path = require("path");
 const {PackageContentLoader} = require("../library/package-manager");
@@ -419,6 +420,7 @@ class Provider {
     }
     if (factory != null) {
       const csp = await factory.build(opContext, []);
+      opContext.registerProvider(csp);
       const c = csp ? csp.locate(code) : null;
       if (c) {
         if (factory.iteratable()) {
@@ -497,14 +499,16 @@ class Provider {
   deleteCodeSystem(cs) {
     this.codeSystems.delete(cs.vurl);
     this.codeSystems.delete(cs.url);
+    // If other versions of the SAME url survive, re-point the unversioned [url]
+    // entry at the most-recent surviving version. Otherwise leave it deleted.
     let existing = null;
     for (let t of this.codeSystems.values()) {
-      if (!existing || t.isMoreRecent(existing)) {
+      if (t.url === cs.url && (!existing || t.isMoreRecent(existing))) {
         existing = t;
       }
     }
     if (existing) {
-      this.codeSystems.set(cs.url, cs);
+      this.codeSystems.set(existing.url, existing);
     }
   }
 

package/tx/tx-html.js

@@ -19,6 +19,7 @@ const {TerminologyCapabilitiesXML} = require("./xml/terminologycapabilities-xml"
 const {ParametersXML} = require("./xml/parameters-xml");
 const {OperationOutcomeXML} = require("./xml/operationoutcome-xml");
 const {debugLog} = require("./operation-context");
+const {InvalidError} = require("./library/errors");
 
 const txHtmlLog = Logger.getInstance().child({ module: 'tx-html' });
 
@@ -311,6 +312,12 @@ class TxHtmlRenderer {
       return await this.buildHomePage(req);
     } else {
       try {
+        if (json === null || json === undefined || typeof json !== 'object' || Array.isArray(json)) {
+          throw new InvalidError(`Cannot render: expected a FHIR resource object but got ${json === null ? 'null' : (Array.isArray(json) ? 'an array' : typeof json)}`);
+        }
+        if (json.resourceType === undefined || json.resourceType === null || typeof json.resourceType !== 'string' || json.resourceType === '') {
+          throw new InvalidError(`Cannot render: resource has no resourceType (got ${json.resourceType === undefined ? 'undefined' : JSON.stringify(json.resourceType)})`);
+        }
         const _fmt = req?.query?._format || req?.query?.format || req?.body?._format;
         const op = req ? req.path.includes("$") : false;
         const resourceType = json.resourceType;

package/tx/tx.js

@@ -306,6 +306,18 @@ class TXModule {
       req.txI18n = this.i18n;
       req.txLog = this.log;
 
+      // Release any code-system providers that opened sqlite connections
+      // during this request. closeProviders() is idempotent so it's safe
+      // for both events to fire. Listeners are sync; the close itself
+      // runs fire-and-forget on the event loop.
+      const releaseProviders = () => {
+        opContext.closeProviders().catch((err) => {
+          try { this.log.warn(`closeProviders failed: ${err && err.message}`); } catch (_) { /* ignore */ }
+        });
+      };
+      res.on('finish', releaseProviders);
+      res.on('close', releaseProviders);
+
       // Add X-Request-Id header to response
       res.setHeader('X-Request-Id', requestId);
 
@@ -370,16 +382,10 @@ class TXModule {
       next();
     });
 
-    // CORS headers
-    router.use((req, res, next) => {
-      res.header('Access-Control-Allow-Origin', '*');
-      res.header('Access-Control-Allow-Headers', 'Origin, X-Requested-With, Content-Type, Accept');
-      res.header('Access-Control-Allow-Methods', 'GET, POST, OPTIONS');
-      if (req.method === 'OPTIONS') {
-        return res.sendStatus(200);
-      }
-      next();
-    });
+    // CORS is handled once at the app level (server.js, from config.server.cors).
+    // Do not set Access-Control-* headers here - doing so stacks a second
+    // CORS layer and produces duplicate, conflicting headers that browsers
+    // reject.
 
     // JSON body parsing - accept both application/json and application/fhir+json
     // Handle body that may already be read as a Buffer by app-level middleware
@@ -968,7 +974,9 @@ class TXModule {
     });
 
     // External source info pages
-    router.get('/info/:id', async (req, res) => {
+    // GET renders the info page; POST lets a source's info() handle a form
+    // submission (e.g. VSAC on-demand resync) and re-renders the same page.
+    const infoHandler = async (req, res) => {
       const start = Date.now();
       try {
         const source = req.txEndpoint.provider.externalSources.find(s => s.id() === req.params.id);
@@ -988,7 +996,9 @@ class TXModule {
       } finally {
         this.countRequest('info', Date.now() - start);
       }
-    });
+    };
+    router.get('/info/:id', infoHandler);
+    router.post('/info/:id', infoHandler);
   }
 
   /**
@@ -1119,8 +1129,9 @@ class TXModule {
 
   convertResourceToXml(res) {
     switch (res.resourceType) {
-      case "CodeSystem" : return CodeSystemXML._jsonToXml(res);
+      case "CodeSystem" : return CodeSystemXML.toXml(res);
       case "ValueSet" : return ValueSetXML.toXml(res);
+      case "ConceptMap" : return ConceptMapXML.toXml(res);
       case "Bundle" : return BundleXML.toXml(res, this.fhirVersion);
       case "CapabilityStatement" : return CapabilityStatementXML.toXml(res, "R5");
       case "TerminologyCapabilities" : return TerminologyCapabilitiesXML.toXml(res, "R5");

package/tx/vs/vs-vsac.js

@@ -7,6 +7,12 @@ const { VersionUtilities } = require('../../library/version-utilities');
 const folders = require('../../library/folder-setup');
 const {debugLog} = require("../operation-context");
 
+// Persisted watermark for the phase-1b _lastUpdated scan.
+const VSAC_LAST_UPDATED_KEY = 'vsac_last_updated_date';
+
+// Canonical URL prefix for VSAC value sets, so operators can enter a bare OID.
+const VSAC_VALUESET_URL_PREFIX = 'http://cts.nlm.nih.gov/fhir/ValueSet/';
+
 /**
  * VSAC (Value Set Authority Center) ValueSet provider
  * Fetches and caches ValueSets from the NLM VSAC FHIR server
@@ -21,6 +27,8 @@ class VSACValueSetProvider extends AbstractValueSetProvider {
    * @param {number} [config.refreshIntervalHours=24] - Hours between refresh scans
    * @param {string} [config.baseUrl='http://cts.nlm.nih.gov/fhir'] - Base URL for VSAC FHIR server
    * @param {number} [config.timeoutMs=120000] - HTTP request timeout in milliseconds
+   * @param {string} [config.resyncPassword] - If set, enables the operator "resync a ValueSet"
+   *   form on the /info page, gated by this password. If unset, the form is not offered.
    */
   constructor(config, stats) {
     super();
@@ -31,6 +39,8 @@ class VSACValueSetProvider extends AbstractValueSetProvider {
     }
 
     this.apiKey = config.apiKey;
+    // Optional operator password for the on-demand resync form (see info()).
+    this.resyncPassword = config.resyncPassword || null;
     this.cacheFolder = folders.ensureFilePath("terminology-cache/vsac");
     this.baseUrl = config.baseUrl || 'http://cts.nlm.nih.gov/fhir';
     this.refreshIntervalHours = config.refreshIntervalHours || 24;
@@ -127,6 +137,7 @@ class VSACValueSetProvider extends AbstractValueSetProvider {
       return;
     }
     this.queue = [];
+    this._pendingLastUpdated = null;
 
     this.isRefreshing = true;
     const runId = await this.database.startRun();
@@ -185,6 +196,9 @@ class VSACValueSetProvider extends AbstractValueSetProvider {
       this.queue = [...new Set(this.queue)];
 
       let tracking = { totalFetched: 0, totalNew: 0, totalUpdated: 0, count: 0, newCount : 0 };
+      // URLs that fail even after a requeue are permanently dropped this run; we
+      // hold the watermark back when this is non-zero so they get re-scanned.
+      let permanentFailures = 0;
       // phase 2: query for history & content
       this.requeue = [];
       for (let q of this.queue) {
@@ -204,6 +218,7 @@ class VSACValueSetProvider extends AbstractValueSetProvider {
         try {
           await this.processContentAndHistory(q, tracking, this.requeue.length);
         } catch (error) {
+          permanentFailures++;
           debugLog(error);
           this.stats.task('VSAC Sync', error.message);
         }
@@ -212,6 +227,20 @@ class VSACValueSetProvider extends AbstractValueSetProvider {
 
       // Reload map with fresh data
       await this._reloadMap();
+
+      // Commit the _lastUpdated watermark only now that phase 2 has durably
+      // written everything. Hold it back if any URL was permanently dropped, so
+      // those URLs are re-scanned next run (never advance past un-applied
+      // changes). If the run threw or the process restarted before this point,
+      // the watermark is left untouched and the window is re-scanned.
+      if (this._pendingLastUpdated && permanentFailures === 0) {
+        await this.database.setSetting(VSAC_LAST_UPDATED_KEY, this._pendingLastUpdated);
+      } else if (permanentFailures > 0) {
+        const holdMsg = `Holding _lastUpdated watermark: ${permanentFailures} URL(s) failed after retry; will re-scan next run`;
+        console.log(holdMsg);
+        this.stats.task('VSAC Sync', holdMsg);
+      }
+
       let msg = `VSAC refresh completed. Total: ${tracking.totalFetched} ValueSets, New: ${tracking.totalNew}, Updated: ${tracking.totalUpdated}`;
       this.stats.taskDone('VSAC Sync', msg);
       console.log(msg);
@@ -579,9 +608,7 @@ class VSACValueSetProvider extends AbstractValueSetProvider {
    * @private
    */
   async _scanLastUpdated() {
-    const SETTING_KEY = 'vsac_last_updated_date';
-
-    let sinceDate = await this.database.getSetting(SETTING_KEY);
+    let sinceDate = await this.database.getSetting(VSAC_LAST_UPDATED_KEY);
     if (!sinceDate) {
       // No stored date — default to 10 days ago
       const d = new Date();
@@ -615,10 +642,13 @@ class VSACValueSetProvider extends AbstractValueSetProvider {
       url = this._getNextUrl(bundle);
     }
 
-    // Store the server date for next run
-    if (serverDate) {
-      await this.database.setSetting(SETTING_KEY, serverDate);
-    }
+    // Capture the server's date but do NOT commit the watermark here. It must
+    // only advance once phase 2 has durably upserted the queued URLs; committing
+    // it now (before phase 2) means a phase-2 failure or a process restart would
+    // move the watermark past URLs that were never written, stranding them
+    // permanently. refreshValueSets() commits this._pendingLastUpdated after
+    // phase 2 completes with no dropped URLs.
+    this._pendingLastUpdated = serverDate;
 
     return count;
   }
@@ -631,8 +661,123 @@ class VSACValueSetProvider extends AbstractValueSetProvider {
     return "history";
   }
 
-  async info() {
+  /**
+   * Whether the on-demand resync form is enabled (a resyncPassword is configured).
+   */
+  _resyncEnabled() {
+    return !!this.resyncPassword;
+  }
+
+  /**
+   * Timing-safe comparison of a provided password against the configured one.
+   * @private
+   */
+  _passwordMatches(provided) {
+    if (!this.resyncPassword) {
+      return false;
+    }
+    const a = Buffer.from(String(provided == null ? '' : provided));
+    const b = Buffer.from(String(this.resyncPassword));
+    if (a.length !== b.length) {
+      return false;
+    }
+    return crypto.timingSafeEqual(a, b);
+  }
+
+  /**
+   * Immediately resync a single ValueSet URL (all versions): fetch from VSAC,
+   * upsert, and reload the in-memory map.
+   * @param {string} url - the ValueSet canonical url
+   * @returns {Promise<number>} number of versions fetched
+   */
+  async resyncValueSet(url) {
+    const tracking = { totalFetched: 0, totalNew: 0, totalUpdated: 0, count: 0, newCount: 0 };
+    await this.processContentAndHistory(url, tracking, 1);
+    await this._reloadMap();
+    return tracking.totalFetched;
+  }
+
+  /**
+   * Handle a POST from the resync form. Validates the password (timing-safe) and,
+   * if a full sync isn't already running, resyncs the requested URL. Returns an
+   * HTML notice. Never echoes or logs the password.
+   * @private
+   */
+  async _handleResyncRequest(req) {
+    const escape = require('escape-html');
+    if (!this._resyncEnabled()) {
+      return '';
+    }
+    const body = req.body || {};
+    const url = this._expandOidOrUrl(body.url);
+
+    if (!this._passwordMatches(body.password)) {
+      // Small delay to blunt brute-forcing; reveal nothing else.
+      await new Promise(r => setTimeout(r, 1000));
+      return '<p style="color:#a00"><strong>Incorrect password &mdash; no action taken.</strong></p>';
+    }
+    if (!url) {
+      return '<p style="color:#a00">Enter a ValueSet URL to resync.</p>';
+    }
+    if (this.isRefreshing) {
+      return '<p style="color:#a60">A full sync is currently running; please retry in a few minutes.</p>';
+    }
+    try {
+      const n = await this.resyncValueSet(url);
+      console.log(`Manual resync of ${url}: ${n} version(s)`);
+      this.stats.task('VSAC Sync', `Manual resync of ${url}: ${n} version(s)`);
+      return `<p style="color:#070"><strong>Resynced ${escape(url)}: ${n} version(s).</strong></p>`;
+    } catch (error) {
+      debugLog(error);
+      return `<p style="color:#a00">Resync of ${escape(url)} failed: ${escape(error.message)}</p>`;
+    }
+  }
+
+  /**
+   * Accept either a full canonical URL or a bare VSAC OID. A dotted-decimal OID
+   * (optionally with a urn:oid: prefix) is expanded to the VSAC ValueSet URL.
+   * @private
+   */
+  _expandOidOrUrl(input) {
+    let s = (input == null ? '' : String(input)).trim();
+    if (s.toLowerCase().startsWith('urn:oid:')) {
+      s = s.substring('urn:oid:'.length);
+    }
+    if (/^[0-9]+(\.[0-9]+)+$/.test(s)) {
+      return VSAC_VALUESET_URL_PREFIX + s;
+    }
+    return s;
+  }
+
+  /**
+   * The resync form HTML, or '' when the feature is disabled (no password set).
+   * @private
+   */
+  _resyncFormHtml() {
+    if (!this._resyncEnabled()) {
+      return '';
+    }
+    return `<form method="post" autocomplete="off" style="margin:0 0 1em 0; padding:0.75em; border:1px solid #ccc; background:#f7f7f7">
+  <strong>Resync a ValueSet</strong>
+  <div style="margin-top:0.5em">
+    <label>ValueSet URL or OID: <input type="text" name="url" size="70" autocomplete="off"></label>
+  </div>
+  <div style="margin-top:0.5em">
+    <label>Password: <input type="password" name="password" autocomplete="off"></label>
+    <button type="submit">Resync</button>
+  </div>
+</form>`;
+  }
+
+  async info(req) {
     const escape = require('escape-html');
+
+    // Operator action: resync a specific ValueSet (POST from the form below).
+    let resyncNotice = '';
+    if (req && req.method === 'POST') {
+      resyncNotice = await this._handleResyncRequest(req);
+    }
+
     const db = await this.database._getReadConnection();
 
     const rows = await new Promise((resolve, reject) => {
@@ -689,7 +834,10 @@ class VSACValueSetProvider extends AbstractValueSetProvider {
         ? new Date(ts * 1000).toISOString().replace('T', ' ').substring(0, 19) + ' UTC'
         : '—';
 
-    let html = '<h3>VSAC Sync History</h3>';
+    let html = '';
+    html += this._resyncFormHtml();
+    html += resyncNotice;
+    html += '<h3>VSAC Sync History</h3>';
     html += '<table class="grid">';
     html += '<thead><tr><th>Time</th><th>Event</th><th>Detail</th></tr></thead>';
     html += '<tbody>';