npm - @authhero/multi-tenancy - Versions diffs - 13.20.0 → 14.0.0 - Mend

@authhero/multi-tenancy 13.20.0 → 14.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/multi-tenancy.cjs +1 -1
package/dist/multi-tenancy.mjs +327 -321
package/package.json +3 -3

package/dist/multi-tenancy.mjs CHANGED Viewed

@@ -1,17 +1,17 @@
-var V = Object.defineProperty;
-var W = (n, e, t) => e in n ? V(n, e, { enumerable: !0, configurable: !0, writable: !0, value: t }) : n[e] = t;
-var O = (n, e, t) => W(n, typeof e != "symbol" ? e + "" : e, t);
-import { Hono as Q } from "hono";
-import { getTenantAudience as J, MANAGEMENT_API_SCOPES as X, MANAGEMENT_API_AUDIENCE as Y, fetchAll as $, init as Z } from "authhero";
-import { OpenAPIHono as x, createRoute as R, z as I } from "@hono/zod-openapi";
-import { auth0QuerySchema as ee, tenantSchema as N, tenantInsertSchema as te, connectionSchema as D, connectionOptionsSchema as F } from "@authhero/adapter-interfaces";
-function ne(n) {
-  const { controlPlaneTenantId: e, requireOrganizationMatch: t = !0 } = n;
+var W = Object.defineProperty;
+var Q = (t, e, n) => e in t ? W(t, e, { enumerable: !0, configurable: !0, writable: !0, value: n }) : t[e] = n;
+var O = (t, e, n) => Q(t, typeof e != "symbol" ? e + "" : e, n);
+import { Hono as J } from "hono";
+import { MANAGEMENT_API_SCOPES as X, MANAGEMENT_API_AUDIENCE as U, fetchAll as z, init as Y } from "authhero";
+import { OpenAPIHono as Z, createRoute as R, z as I } from "@hono/zod-openapi";
+import { auth0QuerySchema as x, tenantSchema as N, tenantInsertSchema as ee, connectionSchema as D, connectionOptionsSchema as F } from "@authhero/adapter-interfaces";
+function te(t) {
+  const { controlPlaneTenantId: e, requireOrganizationMatch: n = !0 } = t;
   return {
     async onTenantAccessValidation(s, r) {
       if (r === e)
         return !0;
-      if (t) {
+      if (n) {
         const i = s.var.org_name, o = s.var.organization_id, a = i || o;
         return a ? a.toLowerCase() === r.toLowerCase() : !1;
       }
@@ -19,105 +19,108 @@ function ne(n) {
     }
   };
 }
-function se(n, e, t, s) {
-  if (e === t)
+function ne(t, e, n, s) {
+  if (e === n)
     return !0;
-  const r = s || n;
+  const r = s || t;
   return r ? r.toLowerCase() === e.toLowerCase() : !1;
 }
-function re(n) {
+function se(t) {
   return {
     async resolveDataAdapters(e) {
       try {
-        return await n.getAdapters(e);
-      } catch (t) {
+        return await t.getAdapters(e);
+      } catch (n) {
         console.error(
           `Failed to resolve data adapters for tenant ${e}:`,
-          t
+          n
         );
         return;
       }
     }
   };
 }
-function ae(n) {
+function ae(t) {
+  return `urn:authhero:tenant:${t.toLowerCase()}`;
+}
+function re(t) {
   return {
-    async beforeCreate(e, t) {
-      return !t.audience && t.id ? {
-        ...t,
-        audience: J(t.id)
-      } : t;
+    async beforeCreate(e, n) {
+      return !n.audience && n.id ? {
+        ...n,
+        audience: ae(n.id)
+      } : n;
     },
-    async afterCreate(e, t) {
-      const { accessControl: s, databaseIsolation: r } = n;
-      s && e.ctx && await oe(e, t, s), r != null && r.onProvision && await r.onProvision(t.id);
+    async afterCreate(e, n) {
+      const { accessControl: s, databaseIsolation: r } = t;
+      s && e.ctx && await oe(e, n, s), r != null && r.onProvision && await r.onProvision(n.id);
     },
-    async beforeDelete(e, t) {
-      const { accessControl: s, databaseIsolation: r } = n;
+    async beforeDelete(e, n) {
+      const { accessControl: s, databaseIsolation: r } = t;
       if (s)
         try {
           const o = (await e.adapters.organizations.list(
             s.controlPlaneTenantId
-          )).organizations.find((a) => a.name === t);
+          )).organizations.find((a) => a.name === n);
           o && await e.adapters.organizations.remove(
             s.controlPlaneTenantId,
             o.id
           );
         } catch (i) {
           console.warn(
-            `Failed to remove organization for tenant ${t}:`,
+            `Failed to remove organization for tenant ${n}:`,
             i
           );
         }
       if (r != null && r.onDeprovision)
         try {
-          await r.onDeprovision(t);
+          await r.onDeprovision(n);
         } catch (i) {
           console.warn(
-            `Failed to deprovision database for tenant ${t}:`,
+            `Failed to deprovision database for tenant ${n}:`,
             i
           );
         }
     }
   };
 }
-async function oe(n, e, t) {
+async function oe(t, e, n) {
   const {
     controlPlaneTenantId: s,
     defaultPermissions: r,
     defaultRoles: i,
     issuer: o,
     adminRoleName: a = "Tenant Admin",
-    adminRoleDescription: m = "Full access to all tenant management operations",
+    adminRoleDescription: u = "Full access to all tenant management operations",
     addCreatorToOrganization: d = !0
-  } = t, c = await n.adapters.organizations.create(
+  } = n, c = await t.adapters.organizations.create(
     s,
     {
       name: e.id,
       display_name: e.friendly_name || e.id
     }
   );
-  let p;
-  if (o && (p = await ce(
-    n,
+  let f;
+  if (o && (f = await ce(
+    t,
     s,
     a,
-    m
-  )), d && n.ctx) {
-    const l = n.ctx.var.user;
+    u
+  )), d && t.ctx) {
+    const l = t.ctx.var.user;
     if (l != null && l.sub && !await ie(
-      n,
+      t,
       s,
       l.sub
     ))
       try {
-        await n.adapters.userOrganizations.create(s, {
+        await t.adapters.userOrganizations.create(s, {
           user_id: l.sub,
           organization_id: c.id
-        }), p && await n.adapters.userRoles.create(
+        }), f && await t.adapters.userRoles.create(
           s,
           l.sub,
-          p,
+          f,
           c.id
           // organizationId
         );
@@ -134,16 +137,16 @@ async function oe(n, e, t) {
     `Would grant permissions ${r.join(", ")} to organization ${c.id}`
   );
 }
-async function ie(n, e, t) {
-  const s = await n.adapters.userRoles.list(
+async function ie(t, e, n) {
+  const s = await t.adapters.userRoles.list(
     e,
-    t,
+    n,
     void 0,
     ""
     // Empty string for global roles
   );
   for (const r of s)
-    if ((await n.adapters.rolePermissions.list(
+    if ((await t.adapters.rolePermissions.list(
       e,
       r.id,
       { per_page: 1e3 }
@@ -153,22 +156,22 @@ async function ie(n, e, t) {
       return !0;
   return !1;
 }
-async function ce(n, e, t, s) {
-  const i = (await n.adapters.roles.list(e, {})).roles.find((d) => d.name === t);
+async function ce(t, e, n, s) {
+  const i = (await t.adapters.roles.list(e, {})).roles.find((d) => d.name === n);
   if (i)
     return i.id;
-  const o = await n.adapters.roles.create(e, {
-    name: t,
+  const o = await t.adapters.roles.create(e, {
+    name: n,
     description: s
-  }), a = Y, m = X.map((d) => ({
+  }), a = U, u = X.map((d) => ({
     role_id: o.id,
     resource_server_identifier: a,
     permission_name: d.value
   }));
-  return await n.adapters.rolePermissions.assign(
+  return await t.adapters.rolePermissions.assign(
     e,
     o.id,
-    m
+    u
   ), o.id;
 }
 const le = [
@@ -180,31 +183,31 @@ const le = [
   "twilio_sid",
   "twilio_token"
 ];
-function q(n, e, t = () => !0) {
-  const { controlPlaneTenantId: s, getChildTenantIds: r, getAdapters: i } = n, o = /* @__PURE__ */ new Map();
-  async function a(c, p, l) {
-    return (await e(c).list(p, {
+function M(t, e, n = () => !0) {
+  const { controlPlaneTenantId: s, getChildTenantIds: r, getAdapters: i } = t, o = /* @__PURE__ */ new Map();
+  async function a(c, f, l) {
+    return (await e(c).list(f, {
       q: `name:${l}`,
       per_page: 1
     }))[0] ?? null;
   }
-  async function m(c) {
-    const p = await r(), l = e(await i(s));
+  async function u(c) {
+    const f = await r(), l = e(await i(s));
     await Promise.all(
-      p.map(async (u) => {
+      f.map(async (m) => {
         try {
-          const w = await i(u), g = e(w), h = {
+          const w = await i(m), g = e(w), h = {
             ...l.transform(c),
             is_system: !0
-          }, y = await a(w, u, c.name), v = y ? g.getId(y) : void 0;
+          }, y = await a(w, m, c.name), v = y ? g.getId(y) : void 0;
           if (y && v) {
             const b = g.preserveOnUpdate ? g.preserveOnUpdate(y, h) : h;
-            await g.update(u, v, b);
+            await g.update(m, v, b);
           } else
-            await g.create(u, h);
+            await g.create(m, h);
         } catch (w) {
           console.error(
-            `Failed to sync ${l.listKey} "${c.name}" to tenant "${u}":`,
+            `Failed to sync ${l.listKey} "${c.name}" to tenant "${m}":`,
             w
           );
         }
@@ -212,56 +215,56 @@ function q(n, e, t = () => !0) {
     );
   }
   async function d(c) {
-    const p = await r();
+    const f = await r();
     await Promise.all(
-      p.map(async (l) => {
+      f.map(async (l) => {
         try {
-          const u = await i(l), w = e(u), g = await a(u, l, c), f = g ? w.getId(g) : void 0;
-          g && f && await w.remove(l, f);
-        } catch (u) {
+          const m = await i(l), w = e(m), g = await a(m, l, c), p = g ? w.getId(g) : void 0;
+          g && p && await w.remove(l, p);
+        } catch (m) {
           console.error(
             `Failed to delete entity "${c}" from tenant "${l}":`,
-            u
+            m
           );
         }
       })
     );
   }
   return {
-    afterCreate: async (c, p) => {
-      c.tenantId === s && t(p) && await m(p);
+    afterCreate: async (c, f) => {
+      c.tenantId === s && n(f) && await u(f);
     },
-    afterUpdate: async (c, p, l) => {
-      c.tenantId === s && t(l) && await m(l);
+    afterUpdate: async (c, f, l) => {
+      c.tenantId === s && n(l) && await u(l);
     },
-    beforeDelete: async (c, p) => {
+    beforeDelete: async (c, f) => {
       if (c.tenantId !== s) return;
-      const u = await e(c.adapters).get(c.tenantId, p);
-      u && t(u) && o.set(p, u);
+      const m = await e(c.adapters).get(c.tenantId, f);
+      m && n(m) && o.set(f, m);
     },
-    afterDelete: async (c, p) => {
+    afterDelete: async (c, f) => {
       if (c.tenantId !== s) return;
-      const l = o.get(p);
-      l && (o.delete(p), await d(l.name));
+      const l = o.get(f);
+      l && (o.delete(f), await d(l.name));
     }
   };
 }
-function M(n, e, t = () => !0) {
-  const { controlPlaneTenantId: s, getControlPlaneAdapters: r, getAdapters: i } = n;
+function q(t, e, n = () => !0) {
+  const { controlPlaneTenantId: s, getControlPlaneAdapters: r, getAdapters: i } = t;
   return {
     async afterCreate(o, a) {
       if (a.id !== s)
         try {
-          const m = await r(), d = await i(a.id), c = e(m), p = e(d), l = await $(
-            (u) => c.listPaginated(s, u),
+          const u = await r(), d = await i(a.id), c = e(u), f = e(d), l = await z(
+            (m) => c.listPaginated(s, m),
             c.listKey,
             { cursorField: "id", pageSize: 100 }
           );
           await Promise.all(
-            l.filter((u) => t(u)).map(async (u) => {
+            l.filter((m) => n(m)).map(async (m) => {
               try {
-                const w = c.transform(u);
-                await p.create(a.id, {
+                const w = c.transform(m);
+                await f.create(a.id, {
                   ...w,
                   is_system: !0
                 });
@@ -273,22 +276,22 @@ function M(n, e, t = () => !0) {
               }
             })
           );
-        } catch (m) {
+        } catch (u) {
           console.error(
             `Failed to sync entities to new tenant "${a.id}":`,
-            m
+            u
           );
         }
     }
   };
 }
-const H = (n) => ({
-  list: async (e, t) => (await n.resourceServers.list(e, t)).resource_servers,
-  listPaginated: (e, t) => n.resourceServers.list(e, t),
-  get: (e, t) => n.resourceServers.get(e, t),
-  create: (e, t) => n.resourceServers.create(e, t),
-  update: (e, t, s) => n.resourceServers.update(e, t, s),
-  remove: (e, t) => n.resourceServers.remove(e, t),
+const H = (t) => ({
+  list: async (e, n) => (await t.resourceServers.list(e, n)).resource_servers,
+  listPaginated: (e, n) => t.resourceServers.list(e, n),
+  get: (e, n) => t.resourceServers.get(e, n),
+  create: (e, n) => t.resourceServers.create(e, n),
+  update: (e, n, s) => t.resourceServers.update(e, n, s),
+  remove: (e, n) => t.resourceServers.remove(e, n),
   listKey: "resource_servers",
   getId: (e) => e.id,
   transform: (e) => ({
@@ -300,13 +303,13 @@ const H = (n) => ({
     token_lifetime: e.token_lifetime,
     token_lifetime_for_web: e.token_lifetime_for_web
   })
-}), G = (n) => ({
-  list: async (e, t) => (await n.roles.list(e, t)).roles,
-  listPaginated: (e, t) => n.roles.list(e, t),
-  get: (e, t) => n.roles.get(e, t),
-  create: (e, t) => n.roles.create(e, t),
-  update: (e, t, s) => n.roles.update(e, t, s),
-  remove: (e, t) => n.roles.remove(e, t),
+}), G = (t) => ({
+  list: async (e, n) => (await t.roles.list(e, n)).roles,
+  listPaginated: (e, n) => t.roles.list(e, n),
+  get: (e, n) => t.roles.get(e, n),
+  create: (e, n) => t.roles.create(e, n),
+  update: (e, n, s) => t.roles.update(e, n, s),
+  remove: (e, n) => t.roles.remove(e, n),
   listKey: "roles",
   getId: (e) => e.id,
   transform: (e) => ({
@@ -314,25 +317,25 @@ const H = (n) => ({
     name: e.name,
     description: e.description
   })
-}), U = (n) => ({
-  list: async (e, t) => (await n.connections.list(e, t)).connections,
-  listPaginated: (e, t) => n.connections.list(e, t),
-  get: (e, t) => n.connections.get(e, t),
-  create: (e, t) => n.connections.create(e, t),
-  update: (e, t, s) => n.connections.update(e, t, s),
-  remove: (e, t) => n.connections.remove(e, t),
+}), L = (t) => ({
+  list: async (e, n) => (await t.connections.list(e, n)).connections,
+  listPaginated: (e, n) => t.connections.list(e, n),
+  get: (e, n) => t.connections.get(e, n),
+  create: (e, n) => t.connections.create(e, n),
+  update: (e, n, s) => t.connections.update(e, n, s),
+  remove: (e, n) => t.connections.remove(e, n),
   listKey: "connections",
   getId: (e) => e.id,
   transform: (e) => {
-    const t = e.options ? { ...e.options } : {};
+    const n = e.options ? { ...e.options } : {};
     for (const s of le)
-      delete t[s];
+      delete n[s];
     return {
       id: e.id,
       name: e.name,
       display_name: e.display_name,
       strategy: e.strategy,
-      options: t,
+      options: n,
       response_type: e.response_type,
       response_mode: e.response_mode,
       is_domain_connection: e.is_domain_connection,
@@ -340,12 +343,12 @@ const H = (n) => ({
       metadata: e.metadata
     };
   },
-  preserveOnUpdate: (e, t) => {
+  preserveOnUpdate: (e, n) => {
     const s = e.options || {};
     return {
-      ...t,
+      ...n,
       options: {
-        ...t.options,
+        ...n.options,
         client_id: s.client_id,
         client_secret: s.client_secret,
         app_secret: s.app_secret,
@@ -357,40 +360,40 @@ const H = (n) => ({
     };
   }
 });
-function de(n) {
-  const { sync: e = {}, filters: t = {} } = n, s = e.resourceServers ?? !0, r = e.roles ?? !0, i = e.connections ?? !0, o = s ? q(
-    n,
+function de(t) {
+  const { sync: e = {}, filters: n = {} } = t, s = e.resourceServers ?? !0, r = e.roles ?? !0, i = e.connections ?? !0, o = s ? M(
+    t,
     H,
-    t.resourceServers
-  ) : void 0, a = r ? q(
-    n,
+    n.resourceServers
+  ) : void 0, a = r ? M(
+    t,
     G,
-    t.roles
-  ) : void 0, m = i ? q(
-    n,
-    U,
-    t.connections
-  ) : void 0, d = s ? M(
-    n,
+    n.roles
+  ) : void 0, u = i ? M(
+    t,
+    L,
+    n.connections
+  ) : void 0, d = s ? q(
+    t,
     H,
-    t.resourceServers
-  ) : void 0, c = r ? M(
-    n,
+    n.resourceServers
+  ) : void 0, c = r ? q(
+    t,
     G,
-    t.roles
-  ) : void 0, p = i ? M(
-    n,
-    U,
-    t.connections
+    n.roles
+  ) : void 0, f = i ? q(
+    t,
+    L,
+    n.connections
   ) : void 0, l = r ? {
-    async afterCreate(g, f) {
+    async afterCreate(g, p) {
       var h;
-      if (f.id !== n.controlPlaneTenantId) {
-        await ((h = c == null ? void 0 : c.afterCreate) == null ? void 0 : h.call(c, g, f));
+      if (p.id !== t.controlPlaneTenantId) {
+        await ((h = c == null ? void 0 : c.afterCreate) == null ? void 0 : h.call(c, g, p));
         try {
-          const y = await n.getControlPlaneAdapters(), v = await n.getAdapters(f.id), b = await $(
+          const y = await t.getControlPlaneAdapters(), v = await t.getAdapters(p.id), b = await z(
             (_) => y.roles.list(
-              n.controlPlaneTenantId,
+              t.controlPlaneTenantId,
               _
             ),
             "roles",
@@ -399,12 +402,12 @@ function de(n) {
           for (const _ of b.filter(
             (T) => {
               var A;
-              return ((A = t.roles) == null ? void 0 : A.call(t, T)) ?? !0;
+              return ((A = n.roles) == null ? void 0 : A.call(n, T)) ?? !0;
             }
           )) {
-            const T = await u(
+            const T = await m(
               v,
-              f.id,
+              p.id,
               _.name
             );
             T && S.set(_.name, T.id);
@@ -412,19 +415,19 @@ function de(n) {
           for (const _ of b.filter(
             (T) => {
               var A;
-              return ((A = t.roles) == null ? void 0 : A.call(t, T)) ?? !0;
+              return ((A = n.roles) == null ? void 0 : A.call(n, T)) ?? !0;
             }
           )) {
             const T = S.get(_.name);
             if (T)
               try {
                 const A = await y.rolePermissions.list(
-                  n.controlPlaneTenantId,
+                  t.controlPlaneTenantId,
                   _.id,
                   {}
                 );
                 A.length > 0 && await v.rolePermissions.assign(
-                  f.id,
+                  p.id,
                   T,
                   A.map((P) => ({
                     role_id: T,
@@ -434,22 +437,22 @@ function de(n) {
                 );
               } catch (A) {
                 console.error(
-                  `Failed to sync permissions for role "${_.name}" to tenant "${f.id}":`,
+                  `Failed to sync permissions for role "${_.name}" to tenant "${p.id}":`,
                   A
                 );
               }
           }
         } catch (y) {
           console.error(
-            `Failed to sync role permissions to tenant "${f.id}":`,
+            `Failed to sync role permissions to tenant "${p.id}":`,
             y
           );
         }
       }
     }
   } : void 0;
-  async function u(g, f, h) {
-    return (await g.roles.list(f, {
+  async function m(g, p, h) {
+    return (await g.roles.list(p, {
       q: `name:${h}`,
       per_page: 1
     })).roles[0] ?? null;
@@ -458,19 +461,19 @@ function de(n) {
     entityHooks: {
       resourceServers: o,
       roles: a,
-      connections: m
+      connections: u
     },
     tenantHooks: {
-      async afterCreate(g, f) {
+      async afterCreate(g, p) {
         const h = [
           d == null ? void 0 : d.afterCreate,
           (l == null ? void 0 : l.afterCreate) ?? (c == null ? void 0 : c.afterCreate),
-          p == null ? void 0 : p.afterCreate
+          f == null ? void 0 : f.afterCreate
         ], y = [];
         for (const v of h)
           if (v)
             try {
-              await v(g, f);
+              await v(g, p);
             } catch (b) {
               y.push(b instanceof Error ? b : new Error(String(b)));
             }
@@ -490,11 +493,11 @@ var C = class extends Error {
    * @param status - HTTP status code for the exception. Defaults to 500.
    * @param options - Additional options for the exception.
    */
-  constructor(e = 500, t) {
-    super(t == null ? void 0 : t.message, { cause: t == null ? void 0 : t.cause });
+  constructor(e = 500, n) {
+    super(n == null ? void 0 : n.message, { cause: n == null ? void 0 : n.cause });
     O(this, "res");
     O(this, "status");
-    this.res = t == null ? void 0 : t.res, this.status = e;
+    this.res = n == null ? void 0 : n.res, this.status = e;
   }
   /**
    * Returns the response object associated with the exception.
@@ -510,15 +513,15 @@ var C = class extends Error {
     });
   }
 };
-function k(n, e) {
-  const t = new x();
-  return t.openapi(
+function k(t, e) {
+  const n = new Z();
+  return n.openapi(
     R({
       tags: ["tenants"],
       method: "get",
       path: "/",
       request: {
-        query: ee
+        query: x
       },
       security: [
         {
@@ -542,31 +545,31 @@ function k(n, e) {
       }
     }),
     async (s) => {
-      var u, w, g, f;
-      const r = s.req.valid("query"), { page: i, per_page: o, include_totals: a, q: m } = r, d = s.var.user, c = (d == null ? void 0 : d.permissions) || [];
+      var m, w, g, p;
+      const r = s.req.valid("query"), { page: i, per_page: o, include_totals: a, q: u } = r, d = s.var.user, c = (d == null ? void 0 : d.permissions) || [];
       if (c.includes("auth:read") || c.includes("admin:organizations")) {
         const h = await s.env.data.tenants.list({
           page: i,
           per_page: o,
           include_totals: a,
-          q: m
+          q: u
         });
         return a ? s.json({
           tenants: h.tenants,
-          start: ((u = h.totals) == null ? void 0 : u.start) ?? 0,
+          start: ((m = h.totals) == null ? void 0 : m.start) ?? 0,
           limit: ((w = h.totals) == null ? void 0 : w.limit) ?? o,
           length: h.tenants.length
         }) : s.json({ tenants: h.tenants });
       }
-      if (n.accessControl && (d != null && d.sub)) {
-        const h = n.accessControl.controlPlaneTenantId, v = (await $(
-          (z) => s.env.data.userOrganizations.listUserOrganizations(
+      if (t.accessControl && (d != null && d.sub)) {
+        const h = t.accessControl.controlPlaneTenantId, v = (await z(
+          ($) => s.env.data.userOrganizations.listUserOrganizations(
             h,
             d.sub,
-            z
+            $
           ),
           "organizations"
-        )).map((z) => z.name);
+        )).map(($) => $.name);
         if (v.length === 0)
           return a ? s.json({
             tenants: [],
@@ -582,8 +585,8 @@ function k(n, e) {
             limit: _,
             length: b
           }) : s.json({ tenants: [] });
-        const P = A.map((z) => `id:${z}`).join(" OR "), K = m ? `(${P}) AND (${m})` : P, E = await s.env.data.tenants.list({
-          q: K,
+        const P = A.map(($) => `id:${$}`).join(" OR "), V = u ? `(${P}) AND (${u})` : P, E = await s.env.data.tenants.list({
+          q: V,
           per_page: _,
           include_totals: !1
           // We calculate totals from accessibleTenantIds
@@ -599,16 +602,16 @@ function k(n, e) {
         page: i,
         per_page: o,
         include_totals: a,
-        q: m
+        q: u
       });
       return a ? s.json({
         tenants: l.tenants,
         start: ((g = l.totals) == null ? void 0 : g.start) ?? 0,
-        limit: ((f = l.totals) == null ? void 0 : f.limit) ?? o,
+        limit: ((p = l.totals) == null ? void 0 : p.limit) ?? o,
         length: l.tenants.length
       }) : s.json({ tenants: l.tenants });
     }
-  ), t.openapi(
+  ), n.openapi(
     R({
       tags: ["tenants"],
       method: "post",
@@ -617,7 +620,7 @@ function k(n, e) {
         body: {
           content: {
             "application/json": {
-              schema: te
+              schema: ee
             }
           }
         }
@@ -645,7 +648,7 @@ function k(n, e) {
       }
     }),
     async (s) => {
-      var m, d;
+      var u, d;
       const r = s.var.user;
       if (!(r != null && r.sub))
         throw new C(401, {
@@ -656,11 +659,11 @@ function k(n, e) {
         adapters: s.env.data,
         ctx: s
       };
-      (m = e.tenants) != null && m.beforeCreate && (i = await e.tenants.beforeCreate(o, i));
+      (u = e.tenants) != null && u.beforeCreate && (i = await e.tenants.beforeCreate(o, i));
       const a = await s.env.data.tenants.create(i);
       return (d = e.tenants) != null && d.afterCreate && await e.tenants.afterCreate(o, a), s.json(a, 201);
     }
-  ), t.openapi(
+  ), n.openapi(
     R({
       tags: ["tenants"],
       method: "delete",
@@ -688,10 +691,10 @@ function k(n, e) {
       }
     }),
     async (s) => {
-      var a, m;
+      var a, u;
       const { id: r } = s.req.valid("param");
-      if (n.accessControl) {
-        const d = s.var.user, c = n.accessControl.controlPlaneTenantId;
+      if (t.accessControl) {
+        const d = s.var.user, c = t.accessControl.controlPlaneTenantId;
         if (!(d != null && d.sub))
           throw new C(401, {
             message: "Authentication required"
@@ -700,14 +703,14 @@ function k(n, e) {
           throw new C(403, {
             message: "Cannot delete the control plane"
           });
-        if (!(await $(
-          (u) => s.env.data.userOrganizations.listUserOrganizations(
+        if (!(await z(
+          (m) => s.env.data.userOrganizations.listUserOrganizations(
             c,
             d.sub,
-            u
+            m
           ),
           "organizations"
-        )).some((u) => u.name === r))
+        )).some((m) => m.name === r))
           throw new C(403, {
             message: "Access denied to this tenant"
           });
@@ -720,11 +723,11 @@ function k(n, e) {
         adapters: s.env.data,
         ctx: s
       };
-      return (a = e.tenants) != null && a.beforeDelete && await e.tenants.beforeDelete(o, r), await s.env.data.tenants.remove(r), (m = e.tenants) != null && m.afterDelete && await e.tenants.afterDelete(o, r), s.body(null, 204);
+      return (a = e.tenants) != null && a.beforeDelete && await e.tenants.beforeDelete(o, r), await s.env.data.tenants.remove(r), (u = e.tenants) != null && u.afterDelete && await e.tenants.afterDelete(o, r), s.body(null, 204);
     }
-  ), t;
+  ), n;
 }
-function ue(n) {
+function ue(t) {
   const e = [
     {
       pattern: /\/api\/v2\/resource-servers\/([^/]+)$/,
@@ -733,26 +736,26 @@ function ue(n) {
     { pattern: /\/api\/v2\/roles\/([^/]+)$/, type: "role" },
     { pattern: /\/api\/v2\/connections\/([^/]+)$/, type: "connection" }
   ];
-  for (const { pattern: t, type: s } of e) {
-    const r = n.match(t);
+  for (const { pattern: n, type: s } of e) {
+    const r = t.match(n);
     if (r && r[1])
       return { type: s, id: r[1] };
   }
   return null;
 }
-async function me(n, e, t) {
+async function me(t, e, n) {
   try {
-    switch (t.type) {
+    switch (n.type) {
       case "resource_server": {
-        const s = await n.resourceServers.get(e, t.id);
+        const s = await t.resourceServers.get(e, n.id);
         return (s == null ? void 0 : s.is_system) === !0;
       }
       case "role": {
-        const s = await n.roles.get(e, t.id);
+        const s = await t.roles.get(e, n.id);
         return (s == null ? void 0 : s.is_system) === !0;
       }
       case "connection": {
-        const s = await n.connections.get(e, t.id);
+        const s = await t.connections.get(e, n.id);
         return (s == null ? void 0 : s.is_system) === !0;
       }
       default:
@@ -762,63 +765,63 @@ async function me(n, e, t) {
     return !1;
   }
 }
-function pe(n) {
+function fe(t) {
   return {
     resource_server: "resource server",
     role: "role",
     connection: "connection"
-  }[n];
+  }[t];
 }
-function fe() {
-  return async (n, e) => {
-    if (!["PATCH", "PUT", "DELETE"].includes(n.req.method))
+function pe() {
+  return async (t, e) => {
+    if (!["PATCH", "PUT", "DELETE"].includes(t.req.method))
       return e();
-    const t = ue(n.req.path);
-    if (!t)
+    const n = ue(t.req.path);
+    if (!n)
       return e();
-    const s = n.var.tenant_id || n.req.header("x-tenant-id") || n.req.header("tenant-id");
+    const s = t.var.tenant_id || t.req.header("x-tenant-id") || t.req.header("tenant-id");
     if (!s)
       return e();
-    if (await me(n.env.data, s, t))
+    if (await me(t.env.data, s, n))
       throw new C(403, {
-        message: `This ${pe(t.type)} is a system resource and cannot be modified. Make changes in the control plane instead.`
+        message: `This ${fe(n.type)} is a system resource and cannot be modified. Make changes in the control plane instead.`
       });
     return e();
   };
 }
-function L(n, e) {
-  const { controlPlaneTenantId: t, controlPlaneClientId: s } = e;
+function B(t, e) {
+  const { controlPlaneTenantId: n, controlPlaneClientId: s } = e;
   return {
-    ...n,
+    ...t,
     legacyClients: {
-      ...n.legacyClients,
+      ...t.legacyClients,
       get: async (r) => {
-        var p;
-        const i = await n.legacyClients.get(r);
+        var f;
+        const i = await t.legacyClients.get(r);
         if (!i)
           return null;
-        const o = s ? await n.legacyClients.get(s) : void 0, a = await n.connections.list(
+        const o = s ? await t.legacyClients.get(s) : void 0, a = await t.connections.list(
           i.tenant.id
-        ), m = t ? await n.connections.list(t) : { connections: [] }, d = a.connections.map((l) => {
+        ), u = n ? await t.connections.list(n) : { connections: [] }, d = a.connections.map((l) => {
           var g;
-          const u = (g = m.connections) == null ? void 0 : g.find(
-            (f) => f.name === l.name
+          const m = (g = u.connections) == null ? void 0 : g.find(
+            (p) => p.name === l.name
           );
-          if (!(u != null && u.options))
+          if (!(m != null && m.options))
             return l;
           const w = D.parse({
-            ...u || {},
+            ...m || {},
             ...l
           });
           return w.options = F.parse({
-            ...u.options || {},
+            ...m.options || {},
             ...l.options
           }), w;
         }).filter((l) => l), c = {
           ...(o == null ? void 0 : o.tenant) || {},
           ...i.tenant
         };
-        return !i.tenant.audience && ((p = o == null ? void 0 : o.tenant) != null && p.audience) && (c.audience = o.tenant.audience), {
+        return !i.tenant.audience && ((f = o == null ? void 0 : o.tenant) != null && f.audience) && (c.audience = o.tenant.audience), {
           ...i,
           web_origins: [
             ...(o == null ? void 0 : o.web_origins) || [],
@@ -838,52 +841,52 @@ function L(n, e) {
       }
     },
     connections: {
-      ...n.connections,
+      ...t.connections,
       get: async (r, i) => {
-        const o = await n.connections.get(
+        const o = await t.connections.get(
           r,
           i
         );
-        if (!o || !t)
+        if (!o || !n)
           return o;
-        const a = await n.connections.get(
-          t,
+        const a = await t.connections.get(
+          n,
           i
         );
         if (!a)
           return o;
-        const m = D.parse({
+        const u = D.parse({
           ...a,
           ...o
         });
-        return m.options = F.parse({
+        return u.options = F.parse({
           ...a.options || {},
           ...o.options
-        }), m;
+        }), u;
       },
       list: async (r, i) => {
-        const o = await n.connections.list(r, i);
-        if (!t || r === t)
+        const o = await t.connections.list(r, i);
+        if (!n || r === n)
           return o;
-        const a = await n.connections.list(t), m = o.connections.map((d) => {
+        const a = await t.connections.list(n), u = o.connections.map((d) => {
           var l;
           const c = (l = a.connections) == null ? void 0 : l.find(
-            (u) => u.name === d.name
+            (m) => m.name === d.name
           );
           if (!(c != null && c.options))
             return d;
-          const p = D.parse({
+          const f = D.parse({
             ...c,
             ...d
           });
-          return p.options = F.parse({
+          return f.options = F.parse({
             ...c.options || {},
             ...d.options
-          }), p;
+          }), f;
         });
         return {
           ...o,
-          connections: m
+          connections: u
         };
       }
     }
@@ -896,76 +899,79 @@ function L(n, e) {
     // They remain part of ...baseAdapters and can be properly wrapped by caching.
   };
 }
-function ge(n, e) {
-  return L(n, e);
+function ge(t, e) {
+  return B(t, e);
 }
-const Ie = L, Se = ge;
-function we(n) {
-  return async (e, t) => {
-    if (!n.accessControl)
-      return t();
-    const s = e.var.tenant_id, r = e.var.organization_id;
-    if (!s)
+const Ie = B, Se = ge;
+function we(t) {
+  return async (e, n) => {
+    if (!t.accessControl)
+      return n();
+    const { controlPlaneTenantId: s } = t.accessControl, r = e.var.org_name, i = e.var.organization_id, o = r || i;
+    let a = e.var.tenant_id;
+    const u = e.var.user, c = (u != null && u.aud ? Array.isArray(u.aud) ? u.aud : [u.aud] : []).includes(U);
+    if (!a && o && c && (e.set("tenant_id", o), a = o), !a)
       throw new C(400, {
         message: "Tenant ID not found in request"
       });
-    if (!se(
-      r,
+    if (!ne(
+      i,
+      a,
       s,
-      n.accessControl.controlPlaneTenantId
+      r
     ))
       throw new C(403, {
-        message: `Access denied to tenant ${s}`
+        message: `Access denied to tenant ${a}`
       });
-    return t();
+    return n();
   };
 }
-function he(n) {
-  return async (e, t) => {
-    if (!n.subdomainRouting)
-      return t();
+function he(t) {
+  return async (e, n) => {
+    if (!t.subdomainRouting)
+      return n();
     const {
       baseDomain: s,
       reservedSubdomains: r = [],
       resolveSubdomain: i
-    } = n.subdomainRouting, o = e.req.header("host") || "";
+    } = t.subdomainRouting, o = e.req.header("host") || "";
     let a = null;
     if (o.endsWith(s)) {
       const d = o.slice(0, -(s.length + 1));
       d && !d.includes(".") && (a = d);
     }
     if (a && r.includes(a) && (a = null), !a)
-      return n.accessControl && e.set("tenant_id", n.accessControl.controlPlaneTenantId), t();
-    let m = null;
+      return t.accessControl && e.set("tenant_id", t.accessControl.controlPlaneTenantId), n();
+    let u = null;
     if (i)
-      m = await i(a);
-    else if (n.subdomainRouting.useOrganizations !== !1 && n.accessControl)
+      u = await i(a);
+    else if (t.subdomainRouting.useOrganizations !== !1 && t.accessControl)
       try {
         const d = await e.env.data.organizations.get(
-          n.accessControl.controlPlaneTenantId,
+          t.accessControl.controlPlaneTenantId,
           a
         );
-        d && (m = d.id);
+        d && (u = d.id);
       } catch {
       }
-    if (!m)
+    if (!u)
       throw new C(404, {
         message: `Tenant not found for subdomain: ${a}`
       });
-    return e.set("tenant_id", m), t();
+    return e.set("tenant_id", u), n();
   };
 }
-function ye(n) {
-  return async (e, t) => {
-    if (!n.databaseIsolation)
-      return t();
+function ye(t) {
+  return async (e, n) => {
+    if (!t.databaseIsolation)
+      return n();
     const s = e.var.tenant_id;
     if (!s)
       throw new C(400, {
         message: "Tenant ID not found in request"
       });
     try {
-      const r = await n.databaseIsolation.getAdapters(s);
+      const r = await t.databaseIsolation.getAdapters(s);
       e.env.data = r;
     } catch (r) {
       throw console.error(
@@ -975,50 +981,50 @@ function ye(n) {
         message: "Failed to resolve tenant database"
       });
     }
-    return t();
+    return n();
   };
 }
-function B(n) {
-  const e = he(n), t = we(n), s = ye(n);
+function K(t) {
+  const e = he(t), n = we(t), s = ye(t);
   return async (r, i) => (await e(r, async () => {
-  }), await t(r, async () => {
+  }), await n(r, async () => {
   }), await s(r, async () => {
   }), i());
 }
-function Pe(n) {
+function Pe(t) {
   const {
     dataAdapter: e,
-    controlPlaneTenantId: t = "control_plane",
+    controlPlaneTenantId: n = "control_plane",
     sync: s = { resourceServers: !0, roles: !0, connections: !0 },
     defaultPermissions: r = ["tenant:admin"],
     requireOrganizationMatch: i = !1,
     managementApiExtensions: o = [],
     entityHooks: a,
-    getChildTenantIds: m,
+    getChildTenantIds: u,
     getAdapters: d,
     ...c
-  } = n, p = s !== !1, l = p ? {
+  } = t, f = s !== !1, l = f ? {
     resourceServers: s.resourceServers ?? !0,
     roles: s.roles ?? !0,
     connections: s.connections ?? !0
   } : { resourceServers: !1, roles: !1, connections: !1 }, g = {
-    controlPlaneTenantId: t,
-    getChildTenantIds: m ?? (async () => (await $(
+    controlPlaneTenantId: n,
+    getChildTenantIds: u ?? (async () => (await z(
       (_) => e.tenants.list(_),
       "tenants",
       { cursorField: "id", pageSize: 100 }
-    )).filter((_) => _.id !== t).map((_) => _.id)),
+    )).filter((_) => _.id !== n).map((_) => _.id)),
     getAdapters: d ?? (async () => e),
     getControlPlaneAdapters: async () => e,
     sync: l
-  }, { entityHooks: f, tenantHooks: h } = de(g), y = {
+  }, { entityHooks: p, tenantHooks: h } = de(g), y = {
     resourceServers: [
-      f.resourceServers,
+      p.resourceServers,
       ...(a == null ? void 0 : a.resourceServers) ?? []
     ],
-    roles: [f.roles, ...(a == null ? void 0 : a.roles) ?? []],
+    roles: [p.roles, ...(a == null ? void 0 : a.roles) ?? []],
     connections: [
-      f.connections,
+      p.connections,
       ...(a == null ? void 0 : a.connections) ?? []
     ],
     tenants: (a == null ? void 0 : a.tenants) ?? [],
@@ -1026,13 +1032,13 @@ function Pe(n) {
   }, v = k(
     {
       accessControl: {
-        controlPlaneTenantId: t,
+        controlPlaneTenantId: n,
         requireOrganizationMatch: i,
         defaultPermissions: r
       }
     },
     { tenants: h }
-  ), { app: b } = Z({
+  ), { app: b } = Y({
     dataAdapter: e,
     ...c,
     entityHooks: y,
@@ -1041,72 +1047,72 @@ function Pe(n) {
       { path: "/tenants", router: v }
     ]
   });
-  return p && b.use("/api/v2/*", fe()), { app: b, controlPlaneTenantId: t };
+  return f && b.use("/api/v2/*", pe()), { app: b, controlPlaneTenantId: n };
 }
-function ze(n) {
-  const e = j(n);
+function $e(t) {
+  const e = j(t);
   return {
     name: "multi-tenancy",
     // Apply multi-tenancy middleware for subdomain routing, database resolution, etc.
-    middleware: B(n),
+    middleware: K(t),
     // Provide lifecycle hooks
     hooks: e,
     // Mount tenant management routes
     routes: [
       {
         path: "/management",
-        handler: k(n, e)
+        handler: k(t, e)
       }
     ],
     // Called when plugin is registered
     onRegister: async () => {
-      console.log("Multi-tenancy plugin registered"), n.accessControl && console.log(
-        `  - Access control enabled (control plane: ${n.accessControl.controlPlaneTenantId})`
-      ), n.subdomainRouting && console.log(
-        `  - Subdomain routing enabled (base domain: ${n.subdomainRouting.baseDomain})`
-      ), n.databaseIsolation && console.log("  - Database isolation enabled");
+      console.log("Multi-tenancy plugin registered"), t.accessControl && console.log(
+        `  - Access control enabled (control plane: ${t.accessControl.controlPlaneTenantId})`
+      ), t.subdomainRouting && console.log(
+        `  - Subdomain routing enabled (base domain: ${t.subdomainRouting.baseDomain})`
+      ), t.databaseIsolation && console.log("  - Database isolation enabled");
     }
   };
 }
-function j(n) {
-  const e = n.accessControl ? ne(n.accessControl) : {}, t = n.databaseIsolation ? re(n.databaseIsolation) : {}, s = ae(n);
+function j(t) {
+  const e = t.accessControl ? te(t.accessControl) : {}, n = t.databaseIsolation ? se(t.databaseIsolation) : {}, s = re(t);
   return {
     ...e,
-    ...t,
+    ...n,
     tenants: s
   };
 }
-function _e(n) {
-  const e = new Q(), t = j(n);
-  return e.route("/tenants", k(n, t)), e;
+function _e(t) {
+  const e = new J(), n = j(t);
+  return e.route("/tenants", k(t, n)), e;
 }
-function $e(n) {
+function ze(t) {
   return {
-    hooks: j(n),
-    middleware: B(n),
-    app: _e(n),
-    config: n
+    hooks: j(t),
+    middleware: K(t),
+    app: _e(t),
+    config: t
   };
 }
 export {
-  ne as createAccessControlHooks,
+  te as createAccessControlHooks,
   we as createAccessControlMiddleware,
-  re as createDatabaseHooks,
+  se as createDatabaseHooks,
   ye as createDatabaseMiddleware,
   _e as createMultiTenancy,
   j as createMultiTenancyHooks,
-  B as createMultiTenancyMiddleware,
-  ze as createMultiTenancyPlugin,
-  fe as createProtectSyncedMiddleware,
-  ae as createProvisioningHooks,
-  L as createRuntimeFallbackAdapter,
+  K as createMultiTenancyMiddleware,
+  $e as createMultiTenancyPlugin,
+  pe as createProtectSyncedMiddleware,
+  re as createProvisioningHooks,
+  B as createRuntimeFallbackAdapter,
   Ie as createSettingsInheritanceAdapter,
   he as createSubdomainMiddleware,
   de as createSyncHooks,
   k as createTenantsOpenAPIRouter,
   Pe as initMultiTenant,
-  $e as setupMultiTenancy,
-  se as validateTenantAccess,
+  ze as setupMultiTenancy,
+  ne as validateTenantAccess,
   ge as withRuntimeFallback,
   Se as withSettingsInheritance
 };