npm - @authhero/multi-tenancy - Versions diffs - 13.15.0 → 13.16.0 - Mend

@authhero/multi-tenancy 13.15.0 → 13.16.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/multi-tenancy.cjs +1 -1
package/dist/multi-tenancy.d.ts +346 -502
package/dist/multi-tenancy.mjs +312 -313
package/package.json +4 -4

package/dist/multi-tenancy.mjs CHANGED Viewed

@@ -1,11 +1,11 @@
-var se = Object.defineProperty;
-var oe = (t, e, n) => e in t ? se(t, e, { enumerable: !0, configurable: !0, writable: !0, value: n }) : t[e] = n;
-var U = (t, e, n) => oe(t, typeof e != "symbol" ? e + "" : e, n);
-import { Hono as te } from "hono";
-import { getTenantAudience as ie, MANAGEMENT_API_SCOPES as ce, MANAGEMENT_API_AUDIENCE as le, fetchAll as F, init as de } from "authhero";
+var ae = Object.defineProperty;
+var se = (t, e, n) => e in t ? ae(t, e, { enumerable: !0, configurable: !0, writable: !0, value: n }) : t[e] = n;
+var U = (t, e, n) => se(t, typeof e != "symbol" ? e + "" : e, n);
+import { Hono as ee } from "hono";
+import { getTenantAudience as oe, MANAGEMENT_API_SCOPES as ie, MANAGEMENT_API_AUDIENCE as ce, fetchAll as F, init as le } from "authhero";
 export * from "authhero";
-import { OpenAPIHono as ue, createRoute as B, z } from "@hono/zod-openapi";
-import { auth0QuerySchema as me, tenantSchema as k, tenantInsertSchema as pe, connectionSchema as G, connectionOptionsSchema as K } from "@authhero/adapter-interfaces";
+import { OpenAPIHono as de, createRoute as B, z } from "@hono/zod-openapi";
+import { auth0QuerySchema as ue, tenantSchema as E, tenantInsertSchema as me, connectionSchema as G, connectionOptionsSchema as K } from "@authhero/adapter-interfaces";
 var S = class extends Error {
   /**
    * Creates an instance of `HTTPException`.
@@ -32,27 +32,27 @@ var S = class extends Error {
     });
   }
 };
-function fe(t) {
+function pe(t) {
   const { controlPlaneTenantId: e, requireOrganizationMatch: n = !0 } = t;
   return {
-    async onTenantAccessValidation(a, r) {
-      if (r === e)
+    async onTenantAccessValidation(r, a) {
+      if (a === e)
         return !0;
       if (n) {
-        const l = a.var.org_name, s = a.var.organization_id, i = l || s;
-        return i ? i === r : !1;
+        const c = r.var.org_name, s = r.var.organization_id, i = c || s;
+        return i ? i === a : !1;
       }
       return !0;
     }
   };
 }
-function we(t, e, n, a) {
+function fe(t, e, n, r) {
   if (e === n)
     return !0;
-  const r = a || t;
-  return r ? r === e : !1;
+  const a = r || t;
+  return a ? a === e : !1;
 }
-function ge(t) {
+function we(t) {
   return {
     async resolveDataAdapters(e) {
       try {
@@ -67,112 +67,112 @@ function ge(t) {
     }
   };
 }
-function he(t) {
+function ge(t) {
   return {
     async beforeCreate(e, n) {
       return !n.audience && n.id ? {
         ...n,
-        audience: ie(n.id)
+        audience: oe(n.id)
       } : n;
     },
     async afterCreate(e, n) {
-      const { accessControl: a, databaseIsolation: r } = t;
-      a && e.ctx && await ve(e, n, a), r != null && r.onProvision && await r.onProvision(n.id);
+      const { accessControl: r, databaseIsolation: a } = t;
+      r && e.ctx && await he(e, n, r), a != null && a.onProvision && await a.onProvision(n.id);
     },
     async beforeDelete(e, n) {
-      const { accessControl: a, databaseIsolation: r } = t;
-      if (a)
+      const { accessControl: r, databaseIsolation: a } = t;
+      if (r)
         try {
           const s = (await e.adapters.organizations.list(
-            a.controlPlaneTenantId
+            r.controlPlaneTenantId
           )).organizations.find((i) => i.name === n);
           s && await e.adapters.organizations.remove(
-            a.controlPlaneTenantId,
+            r.controlPlaneTenantId,
             s.id
           );
-        } catch (l) {
+        } catch (c) {
           console.warn(
             `Failed to remove organization for tenant ${n}:`,
-            l
+            c
           );
         }
-      if (r != null && r.onDeprovision)
+      if (a != null && a.onDeprovision)
         try {
-          await r.onDeprovision(n);
-        } catch (l) {
+          await a.onDeprovision(n);
+        } catch (c) {
           console.warn(
             `Failed to deprovision database for tenant ${n}:`,
-            l
+            c
           );
         }
     }
   };
 }
-async function ve(t, e, n) {
+async function he(t, e, n) {
   const {
-    controlPlaneTenantId: a,
-    defaultPermissions: r,
-    defaultRoles: l,
+    controlPlaneTenantId: r,
+    defaultPermissions: a,
+    defaultRoles: c,
     issuer: s,
     adminRoleName: i = "Tenant Admin",
     adminRoleDescription: p = "Full access to all tenant management operations",
     addCreatorToOrganization: o = !0
-  } = n, c = await t.adapters.organizations.create(
-    a,
+  } = n, l = await t.adapters.organizations.create(
+    r,
     {
       name: e.id,
       display_name: e.friendly_name || e.id
     }
   );
   let u;
-  if (s && (u = await ye(
+  if (s && (u = await _e(
     t,
-    a,
+    r,
     i,
     p
   )), o && t.ctx) {
     const d = t.ctx.var.user;
-    if (d != null && d.sub && !await _e(
+    if (d != null && d.sub && !await ve(
       t,
-      a,
+      r,
       d.sub
     ))
       try {
-        await t.adapters.userOrganizations.create(a, {
+        await t.adapters.userOrganizations.create(r, {
           user_id: d.sub,
-          organization_id: c.id
+          organization_id: l.id
         }), u && await t.adapters.userRoles.create(
-          a,
+          r,
           d.sub,
           u,
-          c.id
+          l.id
           // organizationId
         );
       } catch (f) {
         console.warn(
-          `Failed to add creator ${d.sub} to organization ${c.id}:`,
+          `Failed to add creator ${d.sub} to organization ${l.id}:`,
           f
         );
       }
   }
-  l && l.length > 0 && console.log(
-    `Would assign roles ${l.join(", ")} to organization ${c.id}`
-  ), r && r.length > 0 && console.log(
-    `Would grant permissions ${r.join(", ")} to organization ${c.id}`
+  c && c.length > 0 && console.log(
+    `Would assign roles ${c.join(", ")} to organization ${l.id}`
+  ), a && a.length > 0 && console.log(
+    `Would grant permissions ${a.join(", ")} to organization ${l.id}`
   );
 }
-async function _e(t, e, n) {
-  const a = await t.adapters.userRoles.list(
+async function ve(t, e, n) {
+  const r = await t.adapters.userRoles.list(
     e,
     n,
     void 0,
     ""
     // Empty string for global roles
   );
-  for (const r of a)
+  for (const a of r)
     if ((await t.adapters.rolePermissions.list(
       e,
-      r.id,
+      a.id,
       { per_page: 1e3 }
     )).some(
       (i) => i.permission_name === "admin:organizations"
@@ -180,14 +180,14 @@ async function _e(t, e, n) {
       return !0;
   return !1;
 }
-async function ye(t, e, n, a) {
-  const l = (await t.adapters.roles.list(e, {})).roles.find((o) => o.name === n);
-  if (l)
-    return l.id;
+async function _e(t, e, n, r) {
+  const c = (await t.adapters.roles.list(e, {})).roles.find((o) => o.name === n);
+  if (c)
+    return c.id;
   const s = await t.adapters.roles.create(e, {
     name: n,
-    description: a
-  }), i = le, p = ce.map((o) => ({
+    description: r
+  }), i = ce, p = ie.map((o) => ({
     role_id: s.id,
     resource_server_identifier: i,
     permission_name: o.value
@@ -198,7 +198,7 @@ async function ye(t, e, n, a) {
     p
   ), s.id;
 }
-const be = [
+const ye = [
   "client_id",
   "client_secret",
   "app_secret",
@@ -208,22 +208,22 @@ const be = [
   "twilio_token"
 ];
 function L(t, e, n = () => !0) {
-  const { controlPlaneTenantId: a, getChildTenantIds: r, getAdapters: l } = t, s = /* @__PURE__ */ new Map();
-  async function i(c, u, d) {
-    return (await e(c).list(u, {
+  const { controlPlaneTenantId: r, getChildTenantIds: a, getAdapters: c } = t, s = /* @__PURE__ */ new Map();
+  async function i(l, u, d) {
+    return (await e(l).list(u, {
       q: `name:${d}`,
       per_page: 1
     }))[0] ?? null;
   }
-  async function p(c) {
-    const u = await r(), d = e(await l(a));
+  async function p(l) {
+    const u = await a(), d = e(await c(r));
     await Promise.all(
       u.map(async (m) => {
         try {
-          const f = await l(m), w = e(f), h = {
-            ...d.transform(c),
+          const f = await c(m), w = e(f), h = {
+            ...d.transform(l),
             is_system: !0
-          }, v = await i(f, m, c.name), _ = v ? w.getId(v) : void 0;
+          }, v = await i(f, m, l.name), _ = v ? w.getId(v) : void 0;
           if (v && _) {
             const A = w.preserveOnUpdate ? w.preserveOnUpdate(v, h) : h;
             await w.update(m, _, A);
@@ -231,23 +231,23 @@ function L(t, e, n = () => !0) {
             await w.create(m, h);
         } catch (f) {
           console.error(
-            `Failed to sync ${d.listKey} "${c.name}" to tenant "${m}":`,
+            `Failed to sync ${d.listKey} "${l.name}" to tenant "${m}":`,
             f
           );
         }
       })
     );
   }
-  async function o(c) {
-    const u = await r();
+  async function o(l) {
+    const u = await a();
     await Promise.all(
       u.map(async (d) => {
         try {
-          const m = await l(d), f = e(m), w = await i(m, d, c), g = w ? f.getId(w) : void 0;
+          const m = await c(d), f = e(m), w = await i(m, d, l), g = w ? f.getId(w) : void 0;
           w && g && await f.remove(d, g);
         } catch (m) {
           console.error(
-            `Failed to delete entity "${c}" from tenant "${d}":`,
+            `Failed to delete entity "${l}" from tenant "${d}":`,
             m
           );
         }
@@ -255,39 +255,39 @@ function L(t, e, n = () => !0) {
     );
   }
   return {
-    afterCreate: async (c, u) => {
-      c.tenantId === a && n(u) && await p(u);
+    afterCreate: async (l, u) => {
+      l.tenantId === r && n(u) && await p(u);
     },
-    afterUpdate: async (c, u, d) => {
-      c.tenantId === a && n(d) && await p(d);
+    afterUpdate: async (l, u, d) => {
+      l.tenantId === r && n(d) && await p(d);
     },
-    beforeDelete: async (c, u) => {
-      if (c.tenantId !== a) return;
-      const m = await e(c.adapters).get(c.tenantId, u);
+    beforeDelete: async (l, u) => {
+      if (l.tenantId !== r) return;
+      const m = await e(l.adapters).get(l.tenantId, u);
       m && n(m) && s.set(u, m);
     },
-    afterDelete: async (c, u) => {
-      if (c.tenantId !== a) return;
+    afterDelete: async (l, u) => {
+      if (l.tenantId !== r) return;
       const d = s.get(u);
       d && (s.delete(u), await o(d.name));
     }
   };
 }
 function V(t, e, n = () => !0) {
-  const { controlPlaneTenantId: a, getControlPlaneAdapters: r, getAdapters: l } = t;
+  const { controlPlaneTenantId: r, getControlPlaneAdapters: a, getAdapters: c } = t;
   return {
     async afterCreate(s, i) {
-      if (i.id !== a)
+      if (i.id !== r)
         try {
-          const p = await r(), o = await l(i.id), c = e(p), u = e(o), d = await F(
-            (m) => c.listPaginated(a, m),
-            c.listKey,
+          const p = await a(), o = await c(i.id), l = e(p), u = e(o), d = await F(
+            (m) => l.listPaginated(r, m),
+            l.listKey,
             { cursorField: "id", pageSize: 100 }
           );
           await Promise.all(
             d.filter((m) => n(m)).map(async (m) => {
               try {
-                const f = c.transform(m);
+                const f = l.transform(m);
                 await u.create(i.id, {
                   ...f,
                   is_system: !0
@@ -309,16 +309,17 @@ function V(t, e, n = () => !0) {
     }
   };
 }
-const H = (t) => ({
+const k = (t) => ({
   list: async (e, n) => (await t.resourceServers.list(e, n)).resource_servers,
   listPaginated: (e, n) => t.resourceServers.list(e, n),
   get: (e, n) => t.resourceServers.get(e, n),
   create: (e, n) => t.resourceServers.create(e, n),
-  update: (e, n, a) => t.resourceServers.update(e, n, a),
+  update: (e, n, r) => t.resourceServers.update(e, n, r),
   remove: (e, n) => t.resourceServers.remove(e, n),
   listKey: "resource_servers",
   getId: (e) => e.id,
   transform: (e) => ({
+    id: e.id,
     name: e.name,
     identifier: e.identifier,
     scopes: e.scopes,
@@ -326,33 +327,35 @@ const H = (t) => ({
     token_lifetime: e.token_lifetime,
     token_lifetime_for_web: e.token_lifetime_for_web
   })
-}), x = (t) => ({
+}), H = (t) => ({
   list: async (e, n) => (await t.roles.list(e, n)).roles,
   listPaginated: (e, n) => t.roles.list(e, n),
   get: (e, n) => t.roles.get(e, n),
   create: (e, n) => t.roles.create(e, n),
-  update: (e, n, a) => t.roles.update(e, n, a),
+  update: (e, n, r) => t.roles.update(e, n, r),
   remove: (e, n) => t.roles.remove(e, n),
   listKey: "roles",
   getId: (e) => e.id,
   transform: (e) => ({
+    id: e.id,
     name: e.name,
     description: e.description
   })
-}), ee = (t) => ({
+}), x = (t) => ({
   list: async (e, n) => (await t.connections.list(e, n)).connections,
   listPaginated: (e, n) => t.connections.list(e, n),
   get: (e, n) => t.connections.get(e, n),
   create: (e, n) => t.connections.create(e, n),
-  update: (e, n, a) => t.connections.update(e, n, a),
+  update: (e, n, r) => t.connections.update(e, n, r),
   remove: (e, n) => t.connections.remove(e, n),
   listKey: "connections",
   getId: (e) => e.id,
   transform: (e) => {
     const n = e.options ? { ...e.options } : {};
-    for (const a of be)
-      delete n[a];
+    for (const r of ye)
+      delete n[r];
     return {
+      id: e.id,
       name: e.name,
       display_name: e.display_name,
       strategy: e.strategy,
@@ -365,52 +368,52 @@ const H = (t) => ({
     };
   },
   preserveOnUpdate: (e, n) => {
-    const a = e.options || {};
+    const r = e.options || {};
     return {
       ...n,
       options: {
         ...n.options,
-        client_id: a.client_id,
-        client_secret: a.client_secret,
-        app_secret: a.app_secret,
-        kid: a.kid,
-        team_id: a.team_id,
-        twilio_sid: a.twilio_sid,
-        twilio_token: a.twilio_token
+        client_id: r.client_id,
+        client_secret: r.client_secret,
+        app_secret: r.app_secret,
+        kid: r.kid,
+        team_id: r.team_id,
+        twilio_sid: r.twilio_sid,
+        twilio_token: r.twilio_token
       }
     };
   }
 });
-function Ce(t) {
-  const { sync: e = {}, filters: n = {} } = t, a = e.resourceServers ?? !0, r = e.roles ?? !0, l = e.connections ?? !0, s = a ? L(
+function be(t) {
+  const { sync: e = {}, filters: n = {} } = t, r = e.resourceServers ?? !0, a = e.roles ?? !0, c = e.connections ?? !0, s = r ? L(
     t,
-    H,
+    k,
     n.resourceServers
-  ) : void 0, i = r ? L(
+  ) : void 0, i = a ? L(
     t,
-    x,
+    H,
     n.roles
-  ) : void 0, p = l ? L(
+  ) : void 0, p = c ? L(
     t,
-    ee,
+    x,
     n.connections
-  ) : void 0, o = a ? V(
+  ) : void 0, o = r ? V(
     t,
-    H,
+    k,
     n.resourceServers
-  ) : void 0, c = r ? V(
+  ) : void 0, l = a ? V(
     t,
-    x,
+    H,
     n.roles
-  ) : void 0, u = l ? V(
+  ) : void 0, u = c ? V(
     t,
-    ee,
+    x,
     n.connections
-  ) : void 0, d = r ? {
+  ) : void 0, d = a ? {
     async afterCreate(w, g) {
       var h;
       if (g.id !== t.controlPlaneTenantId) {
-        await ((h = c == null ? void 0 : c.afterCreate) == null ? void 0 : h.call(c, w, g));
+        await ((h = l == null ? void 0 : l.afterCreate) == null ? void 0 : h.call(l, w, g));
         try {
           const v = await t.getControlPlaneAdapters(), _ = await t.getAdapters(g.id), A = await F(
             (b) => v.roles.list(
@@ -488,7 +491,7 @@ function Ce(t) {
       async afterCreate(w, g) {
         const h = [
           o == null ? void 0 : o.afterCreate,
-          (d == null ? void 0 : d.afterCreate) ?? (c == null ? void 0 : c.afterCreate),
+          (d == null ? void 0 : d.afterCreate) ?? (l == null ? void 0 : l.afterCreate),
           u == null ? void 0 : u.afterCreate
         ], v = [];
         for (const _ of h)
@@ -509,14 +512,14 @@ function Ce(t) {
   };
 }
 function W(t, e) {
-  const n = new ue();
+  const n = new de();
   return n.openapi(
     B({
       tags: ["tenants"],
       method: "get",
       path: "/",
       request: {
-        query: me
+        query: ue
       },
       security: [
         {
@@ -528,7 +531,7 @@ function W(t, e) {
           content: {
             "application/json": {
               schema: z.object({
-                tenants: z.array(k),
+                tenants: z.array(E),
                 start: z.number().optional(),
                 limit: z.number().optional(),
                 length: z.number().optional()
@@ -539,26 +542,26 @@ function W(t, e) {
         }
       }
     }),
-    async (a) => {
+    async (r) => {
       var m, f, w, g;
-      const r = a.req.valid("query"), { page: l, per_page: s, include_totals: i, q: p } = r, o = a.var.user, c = (o == null ? void 0 : o.permissions) || [];
-      if (c.includes("auth:read") || c.includes("admin:organizations")) {
-        const h = await a.env.data.tenants.list({
-          page: l,
+      const a = r.req.valid("query"), { page: c, per_page: s, include_totals: i, q: p } = a, o = r.var.user, l = (o == null ? void 0 : o.permissions) || [];
+      if (l.includes("auth:read") || l.includes("admin:organizations")) {
+        const h = await r.env.data.tenants.list({
+          page: c,
           per_page: s,
           include_totals: i,
           q: p
         });
-        return i ? a.json({
+        return i ? r.json({
           tenants: h.tenants,
           start: ((m = h.totals) == null ? void 0 : m.start) ?? 0,
           limit: ((f = h.totals) == null ? void 0 : f.limit) ?? s,
           length: h.tenants.length
-        }) : a.json({ tenants: h.tenants });
+        }) : r.json({ tenants: h.tenants });
       }
       if (t.accessControl && (o != null && o.sub)) {
         const h = t.accessControl.controlPlaneTenantId, _ = (await F(
-          (D) => a.env.data.userOrganizations.listUserOrganizations(
+          (D) => r.env.data.userOrganizations.listUserOrganizations(
             h,
             o.sub,
             D
@@ -566,45 +569,45 @@ function W(t, e) {
           "organizations"
         )).map((D) => D.name);
         if (_.length === 0)
-          return i ? a.json({
+          return i ? r.json({
             tenants: [],
             start: 0,
             limit: s ?? 50,
             length: 0
-          }) : a.json({ tenants: [] });
-        const A = _.length, $ = l ?? 0, b = s ?? 50, y = $ * b, C = _.slice(y, y + b);
+          }) : r.json({ tenants: [] });
+        const A = _.length, $ = c ?? 0, b = s ?? 50, y = $ * b, C = _.slice(y, y + b);
         if (C.length === 0)
-          return i ? a.json({
+          return i ? r.json({
             tenants: [],
             start: y,
             limit: b,
             length: A
-          }) : a.json({ tenants: [] });
-        const P = C.map((D) => `id:${D}`).join(" OR "), q = p ? `(${P}) AND (${p})` : P, R = await a.env.data.tenants.list({
+          }) : r.json({ tenants: [] });
+        const P = C.map((D) => `id:${D}`).join(" OR "), q = p ? `(${P}) AND (${p})` : P, R = await r.env.data.tenants.list({
           q,
           per_page: b,
           include_totals: !1
           // We calculate totals from accessibleTenantIds
         });
-        return i ? a.json({
+        return i ? r.json({
           tenants: R.tenants,
           start: y,
           limit: b,
           length: A
-        }) : a.json({ tenants: R.tenants });
+        }) : r.json({ tenants: R.tenants });
       }
-      const d = await a.env.data.tenants.list({
-        page: l,
+      const d = await r.env.data.tenants.list({
+        page: c,
         per_page: s,
         include_totals: i,
         q: p
       });
-      return i ? a.json({
+      return i ? r.json({
         tenants: d.tenants,
         start: ((w = d.totals) == null ? void 0 : w.start) ?? 0,
         limit: ((g = d.totals) == null ? void 0 : g.limit) ?? s,
         length: d.tenants.length
-      }) : a.json({ tenants: d.tenants });
+      }) : r.json({ tenants: d.tenants });
     }
   ), n.openapi(
     B({
@@ -615,7 +618,7 @@ function W(t, e) {
         body: {
           content: {
             "application/json": {
-              schema: pe
+              schema: me
             }
           }
         }
@@ -629,7 +632,7 @@ function W(t, e) {
         201: {
           content: {
             "application/json": {
-              schema: k
+              schema: E
             }
           },
           description: "Tenant created"
@@ -642,21 +645,21 @@ function W(t, e) {
         }
       }
     }),
-    async (a) => {
+    async (r) => {
       var p, o;
-      const r = a.var.user;
-      if (!(r != null && r.sub))
+      const a = r.var.user;
+      if (!(a != null && a.sub))
         throw new S(401, {
           message: "Authentication required to create tenants"
         });
-      let l = a.req.valid("json");
+      let c = r.req.valid("json");
       const s = {
-        adapters: a.env.data,
-        ctx: a
+        adapters: r.env.data,
+        ctx: r
       };
-      (p = e.tenants) != null && p.beforeCreate && (l = await e.tenants.beforeCreate(s, l));
-      const i = await a.env.data.tenants.create(l);
-      return (o = e.tenants) != null && o.afterCreate && await e.tenants.afterCreate(s, i), a.json(i, 201);
+      (p = e.tenants) != null && p.beforeCreate && (c = await e.tenants.beforeCreate(s, c));
+      const i = await r.env.data.tenants.create(c);
+      return (o = e.tenants) != null && o.afterCreate && await e.tenants.afterCreate(s, i), r.json(i, 201);
     }
   ), n.openapi(
     B({
@@ -685,44 +688,44 @@ function W(t, e) {
         }
       }
     }),
-    async (a) => {
+    async (r) => {
       var i, p;
-      const { id: r } = a.req.valid("param");
+      const { id: a } = r.req.valid("param");
       if (t.accessControl) {
-        const o = a.var.user, c = t.accessControl.controlPlaneTenantId;
+        const o = r.var.user, l = t.accessControl.controlPlaneTenantId;
         if (!(o != null && o.sub))
           throw new S(401, {
             message: "Authentication required"
           });
-        if (r === c)
+        if (a === l)
           throw new S(403, {
             message: "Cannot delete the control plane"
           });
         if (!(await F(
-          (m) => a.env.data.userOrganizations.listUserOrganizations(
-            c,
+          (m) => r.env.data.userOrganizations.listUserOrganizations(
+            l,
             o.sub,
             m
           ),
           "organizations"
-        )).some((m) => m.name === r))
+        )).some((m) => m.name === a))
           throw new S(403, {
             message: "Access denied to this tenant"
           });
       }
-      if (!await a.env.data.tenants.get(r))
+      if (!await r.env.data.tenants.get(a))
         throw new S(404, {
           message: "Tenant not found"
         });
       const s = {
-        adapters: a.env.data,
-        ctx: a
+        adapters: r.env.data,
+        ctx: r
       };
-      return (i = e.tenants) != null && i.beforeDelete && await e.tenants.beforeDelete(s, r), await a.env.data.tenants.remove(r), (p = e.tenants) != null && p.afterDelete && await e.tenants.afterDelete(s, r), a.body(null, 204);
+      return (i = e.tenants) != null && i.beforeDelete && await e.tenants.beforeDelete(s, a), await r.env.data.tenants.remove(a), (p = e.tenants) != null && p.afterDelete && await e.tenants.afterDelete(s, a), r.body(null, 204);
     }
   ), n;
 }
-function Ae(t) {
+function Ce(t) {
   const e = [
     {
       pattern: /\/api\/v2\/resource-servers\/([^/]+)$/,
@@ -731,27 +734,27 @@ function Ae(t) {
     { pattern: /\/api\/v2\/roles\/([^/]+)$/, type: "role" },
     { pattern: /\/api\/v2\/connections\/([^/]+)$/, type: "connection" }
   ];
-  for (const { pattern: n, type: a } of e) {
-    const r = t.match(n);
-    if (r && r[1])
-      return { type: a, id: r[1] };
+  for (const { pattern: n, type: r } of e) {
+    const a = t.match(n);
+    if (a && a[1])
+      return { type: r, id: a[1] };
   }
   return null;
 }
-async function Te(t, e, n) {
+async function Ae(t, e, n) {
   try {
     switch (n.type) {
       case "resource_server": {
-        const a = await t.resourceServers.get(e, n.id);
-        return (a == null ? void 0 : a.is_system) === !0;
+        const r = await t.resourceServers.get(e, n.id);
+        return (r == null ? void 0 : r.is_system) === !0;
       }
       case "role": {
-        const a = await t.roles.get(e, n.id);
-        return (a == null ? void 0 : a.is_system) === !0;
+        const r = await t.roles.get(e, n.id);
+        return (r == null ? void 0 : r.is_system) === !0;
       }
       case "connection": {
-        const a = await t.connections.get(e, n.id);
-        return (a == null ? void 0 : a.is_system) === !0;
+        const r = await t.connections.get(e, n.id);
+        return (r == null ? void 0 : r.is_system) === !0;
       }
       default:
         return !1;
@@ -760,43 +763,43 @@ async function Te(t, e, n) {
     return !1;
   }
 }
-function Se(t) {
+function Te(t) {
   return {
     resource_server: "resource server",
     role: "role",
     connection: "connection"
   }[t];
 }
-function Ie() {
+function Se() {
   return async (t, e) => {
     if (!["PATCH", "PUT", "DELETE"].includes(t.req.method))
       return e();
-    const n = Ae(t.req.path);
+    const n = Ce(t.req.path);
     if (!n)
       return e();
-    const a = t.var.tenant_id || t.req.header("x-tenant-id") || t.req.header("tenant-id");
-    if (!a)
+    const r = t.var.tenant_id || t.req.header("x-tenant-id") || t.req.header("tenant-id");
+    if (!r)
       return e();
-    if (await Te(t.env.data, a, n))
+    if (await Ae(t.env.data, r, n))
       throw new S(403, {
-        message: `This ${Se(n.type)} is a system resource and cannot be modified. Make changes in the control plane instead.`
+        message: `This ${Te(n.type)} is a system resource and cannot be modified. Make changes in the control plane instead.`
       });
     return e();
   };
 }
-function ne(t, e) {
-  const { controlPlaneTenantId: n, controlPlaneClientId: a } = e;
+function te(t, e) {
+  const { controlPlaneTenantId: n, controlPlaneClientId: r } = e;
   return {
     ...t,
     legacyClients: {
       ...t.legacyClients,
-      get: async (r) => {
+      get: async (a) => {
         var u;
-        const l = await t.legacyClients.get(r);
-        if (!l)
+        const c = await t.legacyClients.get(a);
+        if (!c)
           return null;
-        const s = a ? await t.legacyClients.get(a) : void 0, i = await t.connections.list(
-          l.tenant.id
+        const s = r ? await t.legacyClients.get(r) : void 0, i = await t.connections.list(
+          c.tenant.id
         ), p = n ? await t.connections.list(n) : { connections: [] }, o = i.connections.map((d) => {
           var w;
           const m = (w = p.connections) == null ? void 0 : w.find(
@@ -812,41 +815,41 @@ function ne(t, e) {
             ...m.options || {},
             ...d.options
           }), f;
-        }).filter((d) => d), c = {
+        }).filter((d) => d), l = {
           ...(s == null ? void 0 : s.tenant) || {},
-          ...l.tenant
+          ...c.tenant
         };
-        return !l.tenant.audience && ((u = s == null ? void 0 : s.tenant) != null && u.audience) && (c.audience = s.tenant.audience), {
-          ...l,
+        return !c.tenant.audience && ((u = s == null ? void 0 : s.tenant) != null && u.audience) && (l.audience = s.tenant.audience), {
+          ...c,
           web_origins: [
             ...(s == null ? void 0 : s.web_origins) || [],
-            ...l.web_origins || []
+            ...c.web_origins || []
           ],
           allowed_logout_urls: [
             ...(s == null ? void 0 : s.allowed_logout_urls) || [],
-            ...l.allowed_logout_urls || []
+            ...c.allowed_logout_urls || []
           ],
           callbacks: [
             ...(s == null ? void 0 : s.callbacks) || [],
-            ...l.callbacks || []
+            ...c.callbacks || []
           ],
           connections: o,
-          tenant: c
+          tenant: l
         };
       }
     },
     connections: {
       ...t.connections,
-      get: async (r, l) => {
+      get: async (a, c) => {
         const s = await t.connections.get(
-          r,
-          l
+          a,
+          c
         );
         if (!s || !n)
           return s;
         const i = await t.connections.get(
           n,
-          l
+          c
         );
         if (!i)
           return s;
@@ -859,23 +862,23 @@ function ne(t, e) {
           ...s.options
         }), p;
       },
-      list: async (r, l) => {
-        const s = await t.connections.list(r, l);
-        if (!n || r === n)
+      list: async (a, c) => {
+        const s = await t.connections.list(a, c);
+        if (!n || a === n)
           return s;
         const i = await t.connections.list(n), p = s.connections.map((o) => {
           var d;
-          const c = (d = i.connections) == null ? void 0 : d.find(
+          const l = (d = i.connections) == null ? void 0 : d.find(
             (m) => m.name === o.name
           );
-          if (!(c != null && c.options))
+          if (!(l != null && l.options))
             return o;
           const u = G.parse({
-            ...c,
+            ...l,
             ...o
           });
           return u.options = K.parse({
-            ...c.options || {},
+            ...l.options || {},
             ...o.options
           }), u;
         });
@@ -894,49 +897,49 @@ function ne(t, e) {
     // They remain part of ...baseAdapters and can be properly wrapped by caching.
   };
 }
-function Pe(t, e) {
-  return ne(t, e);
+function Ie(t, e) {
+  return te(t, e);
 }
-const Ne = ne, Ue = Pe;
-function De(t) {
+const Me = te, Ne = Ie;
+function Pe(t) {
   return async (e, n) => {
     if (!t.accessControl)
       return n();
-    const a = e.var.tenant_id, r = e.var.organization_id;
-    if (!a)
+    const r = e.var.tenant_id, a = e.var.organization_id;
+    if (!r)
       throw new S(400, {
         message: "Tenant ID not found in request"
       });
-    if (!we(
-      r,
+    if (!fe(
       a,
+      r,
       t.accessControl.controlPlaneTenantId
     ))
       throw new S(403, {
-        message: `Access denied to tenant ${a}`
+        message: `Access denied to tenant ${r}`
       });
     return n();
   };
 }
-function $e(t) {
+function De(t) {
   return async (e, n) => {
     if (!t.subdomainRouting)
       return n();
     const {
-      baseDomain: a,
-      reservedSubdomains: r = [],
-      resolveSubdomain: l
+      baseDomain: r,
+      reservedSubdomains: a = [],
+      resolveSubdomain: c
     } = t.subdomainRouting, s = e.req.header("host") || "";
     let i = null;
-    if (s.endsWith(a)) {
-      const o = s.slice(0, -(a.length + 1));
+    if (s.endsWith(r)) {
+      const o = s.slice(0, -(r.length + 1));
       o && !o.includes(".") && (i = o);
     }
-    if (i && r.includes(i) && (i = null), !i)
+    if (i && a.includes(i) && (i = null), !i)
       return t.accessControl && e.set("tenant_id", t.accessControl.controlPlaneTenantId), n();
     let p = null;
-    if (l)
-      p = await l(i);
+    if (c)
+      p = await c(i);
     else if (t.subdomainRouting.useOrganizations !== !1 && t.accessControl)
       try {
         const o = await e.env.data.organizations.get(
@@ -953,22 +956,22 @@ function $e(t) {
     return e.set("tenant_id", p), n();
   };
 }
-function ze(t) {
+function $e(t) {
   return async (e, n) => {
     if (!t.databaseIsolation)
       return n();
-    const a = e.var.tenant_id;
-    if (!a)
+    const r = e.var.tenant_id;
+    if (!r)
       throw new S(400, {
         message: "Tenant ID not found in request"
       });
     try {
-      const r = await t.databaseIsolation.getAdapters(a);
-      e.env.data = r;
-    } catch (r) {
+      const a = await t.databaseIsolation.getAdapters(r);
+      e.env.data = a;
+    } catch (a) {
       throw console.error(
-        `Failed to resolve database for tenant ${a}:`,
-        r
+        `Failed to resolve database for tenant ${r}:`,
+        a
       ), new S(500, {
         message: "Failed to resolve tenant database"
       });
@@ -976,19 +979,19 @@ function ze(t) {
     return n();
   };
 }
-function re(t) {
-  const e = $e(t), n = De(t), a = ze(t);
-  return async (r, l) => (await e(r, async () => {
-  }), await n(r, async () => {
-  }), await a(r, async () => {
-  }), l());
+function ne(t) {
+  const e = De(t), n = Pe(t), r = $e(t);
+  return async (a, c) => (await e(a, async () => {
+  }), await n(a, async () => {
+  }), await r(a, async () => {
+  }), c());
 }
-function Be(t) {
+function Ue(t) {
   const e = j(t);
   return {
     name: "multi-tenancy",
     // Apply multi-tenancy middleware for subdomain routing, database resolution, etc.
-    middleware: re(t),
+    middleware: ne(t),
     // Provide lifecycle hooks
     hooks: e,
     // Mount tenant management routes
@@ -1009,42 +1012,42 @@ function Be(t) {
   };
 }
 function j(t) {
-  const e = t.accessControl ? fe(t.accessControl) : {}, n = t.databaseIsolation ? ge(t.databaseIsolation) : {}, a = he(t);
+  const e = t.accessControl ? pe(t.accessControl) : {}, n = t.databaseIsolation ? we(t.databaseIsolation) : {}, r = ge(t);
   return {
     ...e,
     ...n,
-    tenants: a
+    tenants: r
   };
 }
-function Oe(t) {
-  const e = new te(), n = j(t);
+function ze(t) {
+  const e = new ee(), n = j(t);
   return e.route("/tenants", W(t, n)), e;
 }
-function Ge(t) {
+function Be(t) {
   return {
     hooks: j(t),
-    middleware: re(t),
-    app: Oe(t),
+    middleware: ne(t),
+    app: ze(t),
     config: t
   };
 }
-function Ke(t) {
-  var A, $, b, y, C, P, q, R, D, Q, J, X, Y, Z, E;
+function Ge(t) {
+  var A, $, b, y, C, P, q, R, D, Q, J, X, Y, Z;
   const {
     controlPlaneTenantId: e = "control_plane",
     sync: n,
-    multiTenancy: a,
-    entityHooks: r,
-    ...l
+    multiTenancy: r,
+    entityHooks: a,
+    ...c
   } = t, s = {
-    ...a,
+    ...r,
     accessControl: {
       controlPlaneTenantId: e,
       requireOrganizationMatch: !1,
       defaultPermissions: ["tenant:admin"],
-      ...a == null ? void 0 : a.accessControl
+      ...r == null ? void 0 : r.accessControl
     }
-  }, i = j(s), p = ((A = a == null ? void 0 : a.databaseIsolation) == null ? void 0 : A.getAdapters) ?? (async () => t.dataAdapter), { entityHooks: o, tenantHooks: c } = Ce({
+  }, i = j(s), p = ((A = r == null ? void 0 : r.databaseIsolation) == null ? void 0 : A.getAdapters) ?? (async () => t.dataAdapter), { entityHooks: o, tenantHooks: l } = be({
     controlPlaneTenantId: e,
     getChildTenantIds: async () => (await F(
       (T) => t.dataAdapter.tenants.list(T),
@@ -1057,11 +1060,11 @@ function Ke(t) {
   });
   function u(I, T) {
     if (!(!I && !T))
-      return I ? T ? async (...ae) => {
+      return I ? T ? async (...re) => {
         const O = [];
         for (const M of [I, T])
           try {
-            await M(...ae);
+            await M(...re);
           } catch (N) {
             O.push(N instanceof Error ? N : new Error(String(N)));
           }
@@ -1074,92 +1077,88 @@ function Ke(t) {
       } : I : T;
   }
   const d = {
-    ...r,
+    ...a,
     resourceServers: o != null && o.resourceServers ? {
-      ...r == null ? void 0 : r.resourceServers,
+      ...a == null ? void 0 : a.resourceServers,
       afterCreate: u(
-        ($ = r == null ? void 0 : r.resourceServers) == null ? void 0 : $.afterCreate,
+        ($ = a == null ? void 0 : a.resourceServers) == null ? void 0 : $.afterCreate,
         o.resourceServers.afterCreate
       ),
       afterUpdate: u(
-        (b = r == null ? void 0 : r.resourceServers) == null ? void 0 : b.afterUpdate,
+        (b = a == null ? void 0 : a.resourceServers) == null ? void 0 : b.afterUpdate,
         o.resourceServers.afterUpdate
       ),
       beforeDelete: u(
-        (y = r == null ? void 0 : r.resourceServers) == null ? void 0 : y.beforeDelete,
+        (y = a == null ? void 0 : a.resourceServers) == null ? void 0 : y.beforeDelete,
         o.resourceServers.beforeDelete
       ),
       afterDelete: u(
-        (C = r == null ? void 0 : r.resourceServers) == null ? void 0 : C.afterDelete,
+        (C = a == null ? void 0 : a.resourceServers) == null ? void 0 : C.afterDelete,
         o.resourceServers.afterDelete
       )
-    } : r == null ? void 0 : r.resourceServers,
+    } : a == null ? void 0 : a.resourceServers,
     roles: o != null && o.roles ? {
-      ...r == null ? void 0 : r.roles,
+      ...a == null ? void 0 : a.roles,
       afterCreate: u(
-        (P = r == null ? void 0 : r.roles) == null ? void 0 : P.afterCreate,
+        (P = a == null ? void 0 : a.roles) == null ? void 0 : P.afterCreate,
         o.roles.afterCreate
       ),
       afterUpdate: u(
-        (q = r == null ? void 0 : r.roles) == null ? void 0 : q.afterUpdate,
+        (q = a == null ? void 0 : a.roles) == null ? void 0 : q.afterUpdate,
         o.roles.afterUpdate
       ),
       beforeDelete: u(
-        (R = r == null ? void 0 : r.roles) == null ? void 0 : R.beforeDelete,
+        (R = a == null ? void 0 : a.roles) == null ? void 0 : R.beforeDelete,
         o.roles.beforeDelete
       ),
       afterDelete: u(
-        (D = r == null ? void 0 : r.roles) == null ? void 0 : D.afterDelete,
+        (D = a == null ? void 0 : a.roles) == null ? void 0 : D.afterDelete,
         o.roles.afterDelete
       )
-    } : r == null ? void 0 : r.roles,
+    } : a == null ? void 0 : a.roles,
     connections: o != null && o.connections ? {
-      ...r == null ? void 0 : r.connections,
+      ...a == null ? void 0 : a.connections,
       afterCreate: u(
-        (Q = r == null ? void 0 : r.connections) == null ? void 0 : Q.afterCreate,
+        (Q = a == null ? void 0 : a.connections) == null ? void 0 : Q.afterCreate,
         o.connections.afterCreate
       ),
       afterUpdate: u(
-        (J = r == null ? void 0 : r.connections) == null ? void 0 : J.afterUpdate,
+        (J = a == null ? void 0 : a.connections) == null ? void 0 : J.afterUpdate,
         o.connections.afterUpdate
       ),
       beforeDelete: u(
-        (X = r == null ? void 0 : r.connections) == null ? void 0 : X.beforeDelete,
+        (X = a == null ? void 0 : a.connections) == null ? void 0 : X.beforeDelete,
         o.connections.beforeDelete
       ),
       afterDelete: u(
-        (Y = r == null ? void 0 : r.connections) == null ? void 0 : Y.afterDelete,
+        (Y = a == null ? void 0 : a.connections) == null ? void 0 : Y.afterDelete,
         o.connections.afterDelete
       )
-    } : r == null ? void 0 : r.connections,
-    tenants: c ? {
-      ...r == null ? void 0 : r.tenants,
-      afterCreate: u(
-        (Z = r == null ? void 0 : r.tenants) == null ? void 0 : Z.afterCreate,
-        c.afterCreate
-      )
-    } : r == null ? void 0 : r.tenants
+    } : a == null ? void 0 : a.connections,
+    // Note: tenant sync hooks are only attached to combinedTenantHooks (for router use)
+    // to avoid duplicate execution. The entityHooks.tenants doesn't need the sync hook.
+    tenants: a == null ? void 0 : a.tenants
   }, m = {
     ...i,
-    tenants: c ? {
+    tenants: l ? {
       ...i.tenants,
       afterCreate: u(
-        (E = i.tenants) == null ? void 0 : E.afterCreate,
-        c.afterCreate
+        (Z = i.tenants) == null ? void 0 : Z.afterCreate,
+        l.afterCreate
       )
     } : i.tenants
   }, f = W(
     s,
     m
-  ), w = de({
-    ...l,
+  ), w = le({
+    ...c,
     entityHooks: d,
     managementApiExtensions: [
-      ...l.managementApiExtensions || [],
+      ...c.managementApiExtensions || [],
       { path: "/tenants", router: f }
     ]
-  }), { app: g, managementApp: h, ...v } = w, _ = new te();
-  return _.onError((I, T) => I instanceof S ? I.getResponse() : (console.error(I), T.json({ message: "Internal Server Error" }, 500))), _.use("/api/v2/*", Ie()), _.route("/", g), {
+  }), { app: g, managementApp: h, ...v } = w, _ = new ee();
+  return _.onError((I, T) => I instanceof S ? I.getResponse() : (console.error(I), T.json({ message: "Internal Server Error" }, 500))), _.use("/api/v2/*", Se()), _.route("/", g), {
     app: _,
     managementApp: h,
     ...v,
@@ -1168,24 +1167,24 @@ function Ke(t) {
   };
 }
 export {
-  fe as createAccessControlHooks,
-  De as createAccessControlMiddleware,
-  ge as createDatabaseHooks,
-  ze as createDatabaseMiddleware,
-  Oe as createMultiTenancy,
+  pe as createAccessControlHooks,
+  Pe as createAccessControlMiddleware,
+  we as createDatabaseHooks,
+  $e as createDatabaseMiddleware,
+  ze as createMultiTenancy,
   j as createMultiTenancyHooks,
-  re as createMultiTenancyMiddleware,
-  Be as createMultiTenancyPlugin,
-  Ie as createProtectSyncedMiddleware,
-  he as createProvisioningHooks,
-  ne as createRuntimeFallbackAdapter,
-  Ne as createSettingsInheritanceAdapter,
-  $e as createSubdomainMiddleware,
-  Ce as createSyncHooks,
+  ne as createMultiTenancyMiddleware,
+  Ue as createMultiTenancyPlugin,
+  Se as createProtectSyncedMiddleware,
+  ge as createProvisioningHooks,
+  te as createRuntimeFallbackAdapter,
+  Me as createSettingsInheritanceAdapter,
+  De as createSubdomainMiddleware,
+  be as createSyncHooks,
   W as createTenantsOpenAPIRouter,
-  Ke as init,
-  Ge as setupMultiTenancy,
-  we as validateTenantAccess,
-  Pe as withRuntimeFallback,
-  Ue as withSettingsInheritance
+  Ge as init,
+  Be as setupMultiTenancy,
+  fe as validateTenantAccess,
+  Ie as withRuntimeFallback,
+  Ne as withSettingsInheritance
 };