npm - @authhero/multi-tenancy - Versions diffs - 13.4.0 → 13.5.0 - Mend

@authhero/multi-tenancy 13.4.0 → 13.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/multi-tenancy.cjs +1 -1
package/dist/multi-tenancy.d.ts +35 -0
package/dist/multi-tenancy.mjs +332 -280
package/package.json +2 -2

package/dist/multi-tenancy.cjs CHANGED Viewed

	@@ -1 +1 @@
1	- "use strict";var W=Object.defineProperty;var Q=(a,e,s)=>e in a?W(a,e,{enumerable:!0,configurable:!0,writable:!0,value:s}):a[e]=s;var S=(a,e,s)=>Q(a,typeof e!="symbol"?e+"":e,s);Object.defineProperty(exports,Symbol.toStringTag,{value:"Module"});const $=require("hono"),D=require("authhero"),L=require("zod"),M=require("@authhero/adapter-interfaces");function I(a){const{mainTenantId:e,requireOrganizationMatch:s=!0}=a;return{async onTenantAccessValidation(n,t){if(t===e)return!0;if(s){const o=n.var.organization_id;return o?o===t:!1}return!0}}}function z(a,e,s){return e===s?!0:a?a===e:!1}function F(a){return{async resolveDataAdapters(e){try{return await a.getAdapters(e)}catch(s){console.error(`Failed to resolve data adapters for tenant ${e}:`,s);return}}}}function P(a){return{async afterCreate(e,s){const{accessControl:n,databaseIsolation:t,settingsInheritance:o}=a;n&&e.ctx&&await Y(e,s,n),t!=null&&t.onProvision&&await t.onProvision(s.id),(o==null?void 0:o.inheritFromMain)!==!1&&e.ctx&&await B(e,s,a)},async beforeDelete(e,s){const{accessControl:n,databaseIsolation:t}=a;if(n)try{const d=(await e.adapters.organizations.list(n.mainTenantId)).organizations.find(c=>c.name===s);d&&await e.adapters.organizations.remove(n.mainTenantId,d.id)}catch(o){console.warn(`Failed to remove organization for tenant ${s}:`,o)}if(t!=null&&t.onDeprovision)try{await t.onDeprovision(s)}catch(o){console.warn(`Failed to deprovision database for tenant ${s}:`,o)}}}}async function Y(a,e,s){const{mainTenantId:n,defaultPermissions:t,defaultRoles:o}=s;await a.adapters.organizations.create(n,{id:e.id,name:e.id,display_name:e.friendly_name\|\|e.id}),o&&o.length>0&&console.log(`Would assign roles ${o.join(", ")} to organization ${e.id}`),t&&t.length>0&&console.log(`Would grant permissions ${t.join(", ")} to organization ${e.id}`)}async function B(a,e,s){const{accessControl:n,settingsInheritance:t}=s;if(!n)return;const o=await a.adapters.tenants.get(n.mainTenantId);if(!o)return;let d={...o};const c=["id","created_at","updated_at","friendly_name","audience","sender_email","sender_name"];for(const i of c)delete d[i];if(t!=null&&t.inheritedKeys){const i={};for(const r of t.inheritedKeys)r in o&&!c.includes(r)&&(i[r]=o[r]);d=i}if(t!=null&&t.excludedKeys)for(const i of t.excludedKeys)delete d[i];t!=null&&t.transformSettings&&(d=t.transformSettings(d,e.id)),Object.keys(d).length>0&&await a.adapters.tenants.update(e.id,d)}async function q(a,e,s={}){const{cursorField:n="id",sortOrder:t="asc",pageSize:o=100,maxItems:d=1e4,q:c}=s,i=[];let r,u=!0;for(;u;){let f=c\|\|"";if(r){const w=`${n}:${t==="asc"?">":"<"}${r}`;f=f?`(${f}) AND ${w}`:w}const l={per_page:o,page:0,sort:{sort_by:n,sort_order:t},...f&&{q:f}},h=(await a(l))[e]\|\|[];if(h.length===0)u=!1;else{i.push(...h);const _=h[h.length-1];if(_&&typeof _=="object"){const w=_[n];w!=null&&(r=String(w))}h.length<o&&(u=!1),d!==-1&&i.length>=d&&(console.warn(`fetchAll: Reached maxItems limit (${d}). There may be more items.`),u=!1)}}return i}function j(a){const{mainTenantId:e,getChildTenantIds:s,getAdapters:n,shouldSync:t=()=>!0,transformForSync:o}=a;async function d(r,u,f){return(await r.resourceServers.list(u,{q:`identifier:${f}`,per_page:1})).resource_servers[0]??null}async function c(r,u){const f=await s();await Promise.all(f.map(async l=>{try{const m=await n(l),_={...o?o(r,l):{name:r.name,identifier:r.identifier,scopes:r.scopes,signing_alg:r.signing_alg,signing_secret:r.signing_secret,token_lifetime:r.token_lifetime,token_lifetime_for_web:r.token_lifetime_for_web,skip_consent_for_verifiable_first_party_clients:r.skip_consent_for_verifiable_first_party_clients,allow_offline_access:r.allow_offline_access,verificationKey:r.verificationKey,options:r.options},is_system:!0};if(u==="create"){const w=await d(m,l,r.identifier);w&&w.id?await m.resourceServers.update(l,w.id,_):await m.resourceServers.create(l,_)}else{const w=await d(m,l,r.identifier);w&&w.id&&await m.resourceServers.update(l,w.id,_)}}catch(m){console.error(`Failed to sync resource server "${r.identifier}" to tenant "${l}":`,m)}}))}async function i(r){const u=await s();await Promise.all(u.map(async f=>{try{const l=await n(f),m=await d(l,f,r);m&&m.id&&await l.resourceServers.remove(f,m.id)}catch(l){console.error(`Failed to delete resource server "${r}" from tenant "${f}":`,l)}}))}return{afterCreate:async(r,u)=>{r.tenantId===e&&t(u)&&await c(u,"create")},afterUpdate:async(r,u,f)=>{r.tenantId===e&&t(f)&&await c(f,"update")},afterDelete:async(r,u)=>{r.tenantId===e&&await i(u)}}}function U(a){const{mainTenantId:e,getMainTenantAdapters:s,getAdapters:n,shouldSync:t=()=>!0,transformForSync:o}=a;return{async afterCreate(d,c){if(c.id!==e)try{const i=await s(),r=await n(c.id),u=await q(f=>i.resourceServers.list(e,f),"resource_servers",{cursorField:"id",pageSize:100});await Promise.all(u.filter(f=>t(f)).map(async f=>{const l=f;try{const m=o?o(l,c.id):{name:l.name,identifier:l.identifier,scopes:l.scopes,signing_alg:l.signing_alg,signing_secret:l.signing_secret,token_lifetime:l.token_lifetime,token_lifetime_for_web:l.token_lifetime_for_web,skip_consent_for_verifiable_first_party_clients:l.skip_consent_for_verifiable_first_party_clients,allow_offline_access:l.allow_offline_access,verificationKey:l.verificationKey,options:l.options};await r.resourceServers.create(c.id,{...m,is_system:!0})}catch(m){console.error(`Failed to sync resource server "${l.identifier}" to new tenant "${c.id}":`,m)}}))}catch(i){console.error(`Failed to sync resource servers to new tenant "${c.id}":`,i)}}}}var p=class extends Error{constructor(e=500,s){super(s==null?void 0:s.message,{cause:s==null?void 0:s.cause});S(this,"res");S(this,"status");this.res=s==null?void 0:s.res,this.status=e}getResponse(){return this.res?new Response(this.res.body,{status:this.status,headers:this.res.headers}):new Response(this.message,{status:this.status})}};function C(a,e){const s=new $.Hono;return s.get("/",async n=>{var u;if(a.accessControl&&await((u=e.onTenantAccessValidation)==null?void 0:u.call(e,n,a.accessControl.mainTenantId))===!1)throw new p(403,{message:"Access denied to tenant management"});const t=M.auth0QuerySchema.parse(n.req.query()),{page:o,per_page:d,include_totals:c,q:i}=t,r=await n.env.data.tenants.list({page:o,per_page:d,include_totals:c,q:i});return c?n.json(r):n.json(r.tenants)}),s.get("/:id",async n=>{var c;const t=n.req.param("id");if(await((c=e.onTenantAccessValidation)==null?void 0:c.call(e,n,t))===!1)throw new p(403,{message:"Access denied to this tenant"});const d=await n.env.data.tenants.get(t);if(!d)throw new p(404,{message:"Tenant not found"});return n.json(d)}),s.post("/",async n=>{var t,o,d,c;try{if(a.accessControl&&await((t=e.onTenantAccessValidation)==null?void 0:t.call(e,n,a.accessControl.mainTenantId))===!1)throw new p(403,{message:"Access denied to create tenants"});let i=M.tenantInsertSchema.parse(await n.req.json());const r={adapters:n.env.data,ctx:n};(o=e.tenants)!=null&&o.beforeCreate&&(i=await e.tenants.beforeCreate(r,i));const u=await n.env.data.tenants.create(i);return(d=e.tenants)!=null&&d.afterCreate&&await e.tenants.afterCreate(r,u),n.json(u,201)}catch(i){throw i instanceof L.z.ZodError?new p(400,{message:"Validation error",cause:i}):i instanceof Error&&("code"in i&&i.code==="SQLITE_CONSTRAINT_PRIMARYKEY"\|\|(c=i.message)!=null&&c.includes("UNIQUE constraint failed"))?new p(409,{message:"Tenant with this ID already exists"}):i}}),s.patch("/:id",async n=>{var m,h,_;const t=n.req.param("id");if(await((m=e.onTenantAccessValidation)==null?void 0:m.call(e,n,t))===!1)throw new p(403,{message:"Access denied to update this tenant"});const d=M.tenantInsertSchema.partial().parse(await n.req.json()),{id:c,...i}=d;if(!await n.env.data.tenants.get(t))throw new p(404,{message:"Tenant not found"});const u={adapters:n.env.data,ctx:n};let f=i;(h=e.tenants)!=null&&h.beforeUpdate&&(f=await e.tenants.beforeUpdate(u,t,i)),await n.env.data.tenants.update(t,f);const l=await n.env.data.tenants.get(t);if(!l)throw new p(404,{message:"Tenant not found after update"});return(_=e.tenants)!=null&&_.afterUpdate&&await e.tenants.afterUpdate(u,l),n.json(l)}),s.delete("/:id",async n=>{var c,i,r;const t=n.req.param("id");if(a.accessControl&&t===a.accessControl.mainTenantId)throw new p(400,{message:"Cannot delete the main tenant"});if(a.accessControl&&await((c=e.onTenantAccessValidation)==null?void 0:c.call(e,n,a.accessControl.mainTenantId))===!1)throw new p(403,{message:"Access denied to delete tenants"});if(!await n.env.data.tenants.get(t))throw new p(404,{message:"Tenant not found"});const d={adapters:n.env.data,ctx:n};return(i=e.tenants)!=null&&i.beforeDelete&&await e.tenants.beforeDelete(d,t),await n.env.data.tenants.remove(t),(r=e.tenants)!=null&&r.afterDelete&&await e.tenants.afterDelete(d,t),n.body(null,204)}),s}function Z(a){const e=[{pattern:/\/api\/v2\/resource-servers\/([^/]+)$/,type:"resource_server"},{pattern:/\/api\/v2\/roles\/([^/]+)$/,type:"role"},{pattern:/\/api\/v2\/connections\/([^/]+)$/,type:"connection"}];for(const{pattern:s,type:n}of e){const t=a.match(s);if(t&&t[1])return{type:n,id:t[1]}}return null}async function G(a,e,s){try{switch(s.type){case"resource_server":{const n=await a.resourceServers.get(e,s.id);return(n==null?void 0:n.is_system)===!0}case"role":{const n=await a.roles.get(e,s.id);return(n==null?void 0:n.is_system)===!0}case"connection":{const n=await a.connections.get(e,s.id);return(n==null?void 0:n.is_system)===!0}default:return!1}}catch{return!1}}function J(a){return{resource_server:"resource server",role:"role",connection:"connection"}[a]}function K(){return async(a,e)=>{if(!["PATCH","PUT","DELETE"].includes(a.req.method))return e();const s=Z(a.req.path);if(!s)return e();const n=a.var.tenant_id\|\|a.req.header("x-tenant-id")\|\|a.req.header("tenant-id");if(!n)return e();if(await G(a.env.data,n,s))throw new p(403,{message:`This ${J(s.type)} is a system resource and cannot be modified. Make changes in the main tenant instead.`});return e()}}function O(a){return async(e,s)=>{if(!a.accessControl)return s();const n=e.var.tenant_id,t=e.var.organization_id;if(!n)throw new p(400,{message:"Tenant ID not found in request"});if(!z(t,n,a.accessControl.mainTenantId))throw new p(403,{message:`Access denied to tenant ${n}`});return s()}}function V(a){return async(e,s)=>{if(!a.subdomainRouting)return s();const{baseDomain:n,reservedSubdomains:t=[],resolveSubdomain:o}=a.subdomainRouting,d=e.req.header("host")\|\|"";let c=null;if(d.endsWith(n)){const r=d.slice(0,-(n.length+1));r&&!r.includes(".")&&(c=r)}if(c&&t.includes(c)&&(c=null),!c)return a.accessControl&&e.set("tenant_id",a.accessControl.mainTenantId),s();let i=null;if(o)i=await o(c);else if(a.subdomainRouting.useOrganizations!==!1&&a.accessControl)try{const r=await e.env.data.organizations.get(a.accessControl.mainTenantId,c);r&&(i=r.id)}catch{}if(!i)throw new p(404,{message:`Tenant not found for subdomain: ${c}`});return e.set("tenant_id",i),s()}}function H(a){return async(e,s)=>{if(!a.databaseIsolation)return s();const n=e.var.tenant_id;if(!n)throw new p(400,{message:"Tenant ID not found in request"});try{const t=await a.databaseIsolation.getAdapters(n);e.env.data=t}catch(t){throw console.error(`Failed to resolve database for tenant ${n}:`,t),new p(500,{message:"Failed to resolve tenant database"})}return s()}}function R(a){const e=V(a),s=O(a),n=H(a);return async(t,o)=>(await e(t,async()=>{}),await s(t,async()=>{}),await n(t,async()=>{}),o())}function X(a){const e=A(a);return{name:"multi-tenancy",middleware:R(a),hooks:e,routes:[{path:"/management",handler:C(a,e)}],onRegister:async()=>{console.log("Multi-tenancy plugin registered"),a.accessControl&&console.log(` - Access control enabled (main tenant: ${a.accessControl.mainTenantId})`),a.subdomainRouting&&console.log(` - Subdomain routing enabled (base domain: ${a.subdomainRouting.baseDomain})`),a.databaseIsolation&&console.log(" - Database isolation enabled")}}}function A(a){const e=a.accessControl?I(a.accessControl):{},s=a.databaseIsolation?F(a.databaseIsolation):{},n=P(a);return{...e,...s,tenants:n}}function N(a){const e=new $.Hono,s=A(a);return e.route("/tenants",C(a,s)),e}function k(a){return{hooks:A(a),middleware:R(a),app:N(a),config:a}}function x(a){const{mainTenantId:e="main",syncResourceServers:s=!0,multiTenancy:n,entityHooks:t,...o}=a,d={...n,accessControl:{mainTenantId:e,requireOrganizationMatch:!1,defaultPermissions:["tenant:admin"],...n==null?void 0:n.accessControl}},c=A(d);let i,r;s&&(i=j({mainTenantId:e,getChildTenantIds:async()=>(await q(y=>a.dataAdapter.tenants.list(y),"tenants",{cursorField:"id",pageSize:100})).filter(y=>y.id!==e).map(y=>y.id),getAdapters:async g=>a.dataAdapter}),r=U({mainTenantId:e,getMainTenantAdapters:async()=>a.dataAdapter,getAdapters:async g=>a.dataAdapter}));const u=async(g,y,...T)=>{const v=[];if(g)try{await g(...T)}catch(b){v.push(b instanceof Error?b:new Error(String(b)))}if(y)try{await y(...T)}catch(b){v.push(b instanceof Error?b:new Error(String(b)))}if(v.length===1)throw v[0];if(v.length>1)throw new AggregateError(v,`Multiple hook errors: ${v.map(b=>b.message).join("; ")}`)},f={...t,resourceServers:i?{...t==null?void 0:t.resourceServers,afterCreate:async(g,y)=>{var T;await u((T=t==null?void 0:t.resourceServers)==null?void 0:T.afterCreate,i==null?void 0:i.afterCreate,g,y)},afterUpdate:async(g,y,T)=>{var v;await u((v=t==null?void 0:t.resourceServers)==null?void 0:v.afterUpdate,i==null?void 0:i.afterUpdate,g,y,T)},afterDelete:async(g,y)=>{var T;await u((T=t==null?void 0:t.resourceServers)==null?void 0:T.afterDelete,i==null?void 0:i.afterDelete,g,y)}}:t==null?void 0:t.resourceServers,tenants:r?{...t==null?void 0:t.tenants,afterCreate:async(g,y)=>{var T;await u((T=t==null?void 0:t.tenants)==null?void 0:T.afterCreate,r==null?void 0:r.afterCreate,g,y)}}:t==null?void 0:t.tenants},l=D.init({...o,entityHooks:f}),{app:m,managementApp:h,..._}=l,w=new $.Hono;w.use("/api/v2/*",K()),w.route("/",m);const E=C(d,c);return w.route("/api/v2/tenants",E),{app:w,managementApp:h,..._,multiTenancyConfig:d,multiTenancyHooks:c}}Object.defineProperty(exports,"seed",{enumerable:!0,get:()=>D.seed});exports.createAccessControlHooks=I;exports.createAccessControlMiddleware=O;exports.createDatabaseHooks=F;exports.createDatabaseMiddleware=H;exports.createMultiTenancy=N;exports.createMultiTenancyHooks=A;exports.createMultiTenancyMiddleware=R;exports.createMultiTenancyPlugin=X;exports.createProtectSyncedMiddleware=K;exports.createProvisioningHooks=P;exports.createResourceServerSyncHooks=j;exports.createSubdomainMiddleware=V;exports.createTenantResourceServerSyncHooks=U;exports.createTenantsRouter=C;exports.fetchAll=q;exports.init=x;exports.setupMultiTenancy=k;exports.validateTenantAccess=z;
1	+ "use strict";var W=Object.defineProperty;var G=(t,e,s)=>e in t?W(t,e,{enumerable:!0,configurable:!0,writable:!0,value:s}):t[e]=s;var M=(t,e,s)=>G(t,typeof e!="symbol"?e+"":e,s);Object.defineProperty(exports,Symbol.toStringTag,{value:"Module"});const R=require("hono"),C=require("authhero"),Q=require("zod"),$=require("@authhero/adapter-interfaces");function q(t){const{mainTenantId:e,requireOrganizationMatch:s=!0}=t;return{async onTenantAccessValidation(n,a){if(a===e)return!0;if(s){const c=n.var.organization_id;return c?c===a:!1}return!0}}}function D(t,e,s){return e===s?!0:t?t===e:!1}function z(t){return{async resolveDataAdapters(e){try{return await t.getAdapters(e)}catch(s){console.error(`Failed to resolve data adapters for tenant ${e}:`,s);return}}}}function F(t){return{async afterCreate(e,s){const{accessControl:n,databaseIsolation:a,settingsInheritance:c}=t;n&&e.ctx&&await L(e,s,n),a!=null&&a.onProvision&&await a.onProvision(s.id),(c==null?void 0:c.inheritFromMain)!==!1&&e.ctx&&await B(e,s,t)},async beforeDelete(e,s){const{accessControl:n,databaseIsolation:a}=t;if(n)try{const d=(await e.adapters.organizations.list(n.mainTenantId)).organizations.find(o=>o.name===s);d&&await e.adapters.organizations.remove(n.mainTenantId,d.id)}catch(c){console.warn(`Failed to remove organization for tenant ${s}:`,c)}if(a!=null&&a.onDeprovision)try{await a.onDeprovision(s)}catch(c){console.warn(`Failed to deprovision database for tenant ${s}:`,c)}}}}async function L(t,e,s){const{mainTenantId:n,defaultPermissions:a,defaultRoles:c,issuer:d,adminRoleName:o="Tenant Admin",adminRoleDescription:i="Full access to all tenant management operations",addCreatorToOrganization:r=!0}=s;await t.adapters.organizations.create(n,{id:e.id,name:e.id,display_name:e.friendly_name\|\|e.id});let l=null;if(d&&(l=await Y(t,n,d,o,i)),r&&t.ctx){const f=t.ctx.var.user;if(f!=null&&f.sub)try{await t.adapters.userOrganizations.create(n,{user_id:f.sub,organization_id:e.id}),l&&await t.adapters.userRoles.create(n,f.sub,l,e.id)}catch(u){console.warn(`Failed to add creator ${f.sub} to organization ${e.id}:`,u)}}c&&c.length>0&&console.log(`Would assign roles ${c.join(", ")} to organization ${e.id}`),a&&a.length>0&&console.log(`Would grant permissions ${a.join(", ")} to organization ${e.id}`)}async function Y(t,e,s,n,a){const d=(await t.adapters.roles.list(e,{})).roles.find(l=>l.name===n);if(d)return d.id;const o=await t.adapters.roles.create(e,{name:n,description:a}),i=`${s}api/v2/`,r=C.MANAGEMENT_API_SCOPES.map(l=>({role_id:o.id,resource_server_identifier:i,permission_name:l.value}));return await t.adapters.rolePermissions.assign(e,o.id,r),o.id}async function B(t,e,s){const{accessControl:n,settingsInheritance:a}=s;if(!n)return;const c=await t.adapters.tenants.get(n.mainTenantId);if(!c)return;let d={...c};const o=["id","created_at","updated_at","friendly_name","audience","sender_email","sender_name"];for(const i of o)delete d[i];if(a!=null&&a.inheritedKeys){const i={};for(const r of a.inheritedKeys)r in c&&!o.includes(r)&&(i[r]=c[r]);d=i}if(a!=null&&a.excludedKeys)for(const i of a.excludedKeys)delete d[i];a!=null&&a.transformSettings&&(d=a.transformSettings(d,e.id)),Object.keys(d).length>0&&await t.adapters.tenants.update(e.id,d)}async function P(t,e,s={}){const{cursorField:n="id",sortOrder:a="asc",pageSize:c=100,maxItems:d=1e4,q:o}=s,i=[];let r,l=!0;for(;l;){let f=o\|\|"";if(r){const w=`${n}:${a==="asc"?">":"<"}${r}`;f=f?`(${f}) AND ${w}`:w}const u={per_page:c,page:0,sort:{sort_by:n,sort_order:a},...f&&{q:f}},h=(await t(u))[e]\|\|[];if(h.length===0)l=!1;else{i.push(...h);const _=h[h.length-1];if(_&&typeof _=="object"){const w=_[n];w!=null&&(r=String(w))}h.length<c&&(l=!1),d!==-1&&i.length>=d&&(console.warn(`fetchAll: Reached maxItems limit (${d}). There may be more items.`),l=!1)}}return i}function j(t){const{mainTenantId:e,getChildTenantIds:s,getAdapters:n,shouldSync:a=()=>!0,transformForSync:c}=t;async function d(r,l,f){return(await r.resourceServers.list(l,{q:`identifier:${f}`,per_page:1})).resource_servers[0]??null}async function o(r,l){const f=await s();await Promise.all(f.map(async u=>{try{const m=await n(u),_={...c?c(r,u):{name:r.name,identifier:r.identifier,scopes:r.scopes,signing_alg:r.signing_alg,signing_secret:r.signing_secret,token_lifetime:r.token_lifetime,token_lifetime_for_web:r.token_lifetime_for_web,skip_consent_for_verifiable_first_party_clients:r.skip_consent_for_verifiable_first_party_clients,allow_offline_access:r.allow_offline_access,verificationKey:r.verificationKey,options:r.options},is_system:!0};if(l==="create"){const w=await d(m,u,r.identifier);w&&w.id?await m.resourceServers.update(u,w.id,_):await m.resourceServers.create(u,_)}else{const w=await d(m,u,r.identifier);w&&w.id&&await m.resourceServers.update(u,w.id,_)}}catch(m){console.error(`Failed to sync resource server "${r.identifier}" to tenant "${u}":`,m)}}))}async function i(r){const l=await s();await Promise.all(l.map(async f=>{try{const u=await n(f),m=await d(u,f,r);m&&m.id&&await u.resourceServers.remove(f,m.id)}catch(u){console.error(`Failed to delete resource server "${r}" from tenant "${f}":`,u)}}))}return{afterCreate:async(r,l)=>{r.tenantId===e&&a(l)&&await o(l,"create")},afterUpdate:async(r,l,f)=>{r.tenantId===e&&a(f)&&await o(f,"update")},afterDelete:async(r,l)=>{r.tenantId===e&&await i(l)}}}function O(t){const{mainTenantId:e,getMainTenantAdapters:s,getAdapters:n,shouldSync:a=()=>!0,transformForSync:c}=t;return{async afterCreate(d,o){if(o.id!==e)try{const i=await s(),r=await n(o.id),l=await P(f=>i.resourceServers.list(e,f),"resource_servers",{cursorField:"id",pageSize:100});await Promise.all(l.filter(f=>a(f)).map(async f=>{const u=f;try{const m=c?c(u,o.id):{name:u.name,identifier:u.identifier,scopes:u.scopes,signing_alg:u.signing_alg,signing_secret:u.signing_secret,token_lifetime:u.token_lifetime,token_lifetime_for_web:u.token_lifetime_for_web,skip_consent_for_verifiable_first_party_clients:u.skip_consent_for_verifiable_first_party_clients,allow_offline_access:u.allow_offline_access,verificationKey:u.verificationKey,options:u.options};await r.resourceServers.create(o.id,{...m,is_system:!0})}catch(m){console.error(`Failed to sync resource server "${u.identifier}" to new tenant "${o.id}":`,m)}}))}catch(i){console.error(`Failed to sync resource servers to new tenant "${o.id}":`,i)}}}}var p=class extends Error{constructor(e=500,s){super(s==null?void 0:s.message,{cause:s==null?void 0:s.cause});M(this,"res");M(this,"status");this.res=s==null?void 0:s.res,this.status=e}getResponse(){return this.res?new Response(this.res.body,{status:this.status,headers:this.res.headers}):new Response(this.message,{status:this.status})}};function S(t,e){const s=new R.Hono;return s.get("/",async n=>{var l;if(t.accessControl&&await((l=e.onTenantAccessValidation)==null?void 0:l.call(e,n,t.accessControl.mainTenantId))===!1)throw new p(403,{message:"Access denied to tenant management"});const a=$.auth0QuerySchema.parse(n.req.query()),{page:c,per_page:d,include_totals:o,q:i}=a,r=await n.env.data.tenants.list({page:c,per_page:d,include_totals:o,q:i});return o?n.json(r):n.json(r.tenants)}),s.get("/:id",async n=>{var o;const a=n.req.param("id");if(await((o=e.onTenantAccessValidation)==null?void 0:o.call(e,n,a))===!1)throw new p(403,{message:"Access denied to this tenant"});const d=await n.env.data.tenants.get(a);if(!d)throw new p(404,{message:"Tenant not found"});return n.json(d)}),s.post("/",async n=>{var a,c,d,o;try{if(t.accessControl&&await((a=e.onTenantAccessValidation)==null?void 0:a.call(e,n,t.accessControl.mainTenantId))===!1)throw new p(403,{message:"Access denied to create tenants"});let i=$.tenantInsertSchema.parse(await n.req.json());const r={adapters:n.env.data,ctx:n};(c=e.tenants)!=null&&c.beforeCreate&&(i=await e.tenants.beforeCreate(r,i));const l=await n.env.data.tenants.create(i);return(d=e.tenants)!=null&&d.afterCreate&&await e.tenants.afterCreate(r,l),n.json(l,201)}catch(i){throw i instanceof Q.z.ZodError?new p(400,{message:"Validation error",cause:i}):i instanceof Error&&("code"in i&&i.code==="SQLITE_CONSTRAINT_PRIMARYKEY"\|\|(o=i.message)!=null&&o.includes("UNIQUE constraint failed"))?new p(409,{message:"Tenant with this ID already exists"}):i}}),s.patch("/:id",async n=>{var m,h,_;const a=n.req.param("id");if(await((m=e.onTenantAccessValidation)==null?void 0:m.call(e,n,a))===!1)throw new p(403,{message:"Access denied to update this tenant"});const d=$.tenantInsertSchema.partial().parse(await n.req.json()),{id:o,...i}=d;if(!await n.env.data.tenants.get(a))throw new p(404,{message:"Tenant not found"});const l={adapters:n.env.data,ctx:n};let f=i;(h=e.tenants)!=null&&h.beforeUpdate&&(f=await e.tenants.beforeUpdate(l,a,i)),await n.env.data.tenants.update(a,f);const u=await n.env.data.tenants.get(a);if(!u)throw new p(404,{message:"Tenant not found after update"});return(_=e.tenants)!=null&&_.afterUpdate&&await e.tenants.afterUpdate(l,u),n.json(u)}),s.delete("/:id",async n=>{var o,i,r;const a=n.req.param("id");if(t.accessControl&&a===t.accessControl.mainTenantId)throw new p(400,{message:"Cannot delete the main tenant"});if(t.accessControl&&await((o=e.onTenantAccessValidation)==null?void 0:o.call(e,n,t.accessControl.mainTenantId))===!1)throw new p(403,{message:"Access denied to delete tenants"});if(!await n.env.data.tenants.get(a))throw new p(404,{message:"Tenant not found"});const d={adapters:n.env.data,ctx:n};return(i=e.tenants)!=null&&i.beforeDelete&&await e.tenants.beforeDelete(d,a),await n.env.data.tenants.remove(a),(r=e.tenants)!=null&&r.afterDelete&&await e.tenants.afterDelete(d,a),n.body(null,204)}),s}function Z(t){const e=[{pattern:/\/api\/v2\/resource-servers\/([^/]+)$/,type:"resource_server"},{pattern:/\/api\/v2\/roles\/([^/]+)$/,type:"role"},{pattern:/\/api\/v2\/connections\/([^/]+)$/,type:"connection"}];for(const{pattern:s,type:n}of e){const a=t.match(s);if(a&&a[1])return{type:n,id:a[1]}}return null}async function J(t,e,s){try{switch(s.type){case"resource_server":{const n=await t.resourceServers.get(e,s.id);return(n==null?void 0:n.is_system)===!0}case"role":{const n=await t.roles.get(e,s.id);return(n==null?void 0:n.is_system)===!0}case"connection":{const n=await t.connections.get(e,s.id);return(n==null?void 0:n.is_system)===!0}default:return!1}}catch{return!1}}function X(t){return{resource_server:"resource server",role:"role",connection:"connection"}[t]}function E(){return async(t,e)=>{if(!["PATCH","PUT","DELETE"].includes(t.req.method))return e();const s=Z(t.req.path);if(!s)return e();const n=t.var.tenant_id\|\|t.req.header("x-tenant-id")\|\|t.req.header("tenant-id");if(!n)return e();if(await J(t.env.data,n,s))throw new p(403,{message:`This ${X(s.type)} is a system resource and cannot be modified. Make changes in the main tenant instead.`});return e()}}function U(t){return async(e,s)=>{if(!t.accessControl)return s();const n=e.var.tenant_id,a=e.var.organization_id;if(!n)throw new p(400,{message:"Tenant ID not found in request"});if(!D(a,n,t.accessControl.mainTenantId))throw new p(403,{message:`Access denied to tenant ${n}`});return s()}}function N(t){return async(e,s)=>{if(!t.subdomainRouting)return s();const{baseDomain:n,reservedSubdomains:a=[],resolveSubdomain:c}=t.subdomainRouting,d=e.req.header("host")\|\|"";let o=null;if(d.endsWith(n)){const r=d.slice(0,-(n.length+1));r&&!r.includes(".")&&(o=r)}if(o&&a.includes(o)&&(o=null),!o)return t.accessControl&&e.set("tenant_id",t.accessControl.mainTenantId),s();let i=null;if(c)i=await c(o);else if(t.subdomainRouting.useOrganizations!==!1&&t.accessControl)try{const r=await e.env.data.organizations.get(t.accessControl.mainTenantId,o);r&&(i=r.id)}catch{}if(!i)throw new p(404,{message:`Tenant not found for subdomain: ${o}`});return e.set("tenant_id",i),s()}}function K(t){return async(e,s)=>{if(!t.databaseIsolation)return s();const n=e.var.tenant_id;if(!n)throw new p(400,{message:"Tenant ID not found in request"});try{const a=await t.databaseIsolation.getAdapters(n);e.env.data=a}catch(a){throw console.error(`Failed to resolve database for tenant ${n}:`,a),new p(500,{message:"Failed to resolve tenant database"})}return s()}}function I(t){const e=N(t),s=U(t),n=K(t);return async(a,c)=>(await e(a,async()=>{}),await s(a,async()=>{}),await n(a,async()=>{}),c())}function k(t){const e=b(t);return{name:"multi-tenancy",middleware:I(t),hooks:e,routes:[{path:"/management",handler:S(t,e)}],onRegister:async()=>{console.log("Multi-tenancy plugin registered"),t.accessControl&&console.log(` - Access control enabled (main tenant: ${t.accessControl.mainTenantId})`),t.subdomainRouting&&console.log(` - Subdomain routing enabled (base domain: ${t.subdomainRouting.baseDomain})`),t.databaseIsolation&&console.log(" - Database isolation enabled")}}}function b(t){const e=t.accessControl?q(t.accessControl):{},s=t.databaseIsolation?z(t.databaseIsolation):{},n=F(t);return{...e,...s,tenants:n}}function V(t){const e=new R.Hono,s=b(t);return e.route("/tenants",S(t,s)),e}function x(t){return{hooks:b(t),middleware:I(t),app:V(t),config:t}}function ee(t){const{mainTenantId:e="main",syncResourceServers:s=!0,multiTenancy:n,entityHooks:a,...c}=t,d={...n,accessControl:{mainTenantId:e,requireOrganizationMatch:!1,defaultPermissions:["tenant:admin"],...n==null?void 0:n.accessControl}},o=b(d);let i,r;s&&(i=j({mainTenantId:e,getChildTenantIds:async()=>(await P(y=>t.dataAdapter.tenants.list(y),"tenants",{cursorField:"id",pageSize:100})).filter(y=>y.id!==e).map(y=>y.id),getAdapters:async g=>t.dataAdapter}),r=O({mainTenantId:e,getMainTenantAdapters:async()=>t.dataAdapter,getAdapters:async g=>t.dataAdapter}));const l=async(g,y,...T)=>{const v=[];if(g)try{await g(...T)}catch(A){v.push(A instanceof Error?A:new Error(String(A)))}if(y)try{await y(...T)}catch(A){v.push(A instanceof Error?A:new Error(String(A)))}if(v.length===1)throw v[0];if(v.length>1)throw new AggregateError(v,`Multiple hook errors: ${v.map(A=>A.message).join("; ")}`)},f={...a,resourceServers:i?{...a==null?void 0:a.resourceServers,afterCreate:async(g,y)=>{var T;await l((T=a==null?void 0:a.resourceServers)==null?void 0:T.afterCreate,i==null?void 0:i.afterCreate,g,y)},afterUpdate:async(g,y,T)=>{var v;await l((v=a==null?void 0:a.resourceServers)==null?void 0:v.afterUpdate,i==null?void 0:i.afterUpdate,g,y,T)},afterDelete:async(g,y)=>{var T;await l((T=a==null?void 0:a.resourceServers)==null?void 0:T.afterDelete,i==null?void 0:i.afterDelete,g,y)}}:a==null?void 0:a.resourceServers,tenants:r?{...a==null?void 0:a.tenants,afterCreate:async(g,y)=>{var T;await l((T=a==null?void 0:a.tenants)==null?void 0:T.afterCreate,r==null?void 0:r.afterCreate,g,y)}}:a==null?void 0:a.tenants},u=C.init({...c,entityHooks:f}),{app:m,managementApp:h,..._}=u,w=new R.Hono;w.use("/api/v2/*",E()),w.route("/",m);const H=S(d,o);return w.route("/api/v2/tenants",H),{app:w,managementApp:h,..._,multiTenancyConfig:d,multiTenancyHooks:o}}Object.defineProperty(exports,"MANAGEMENT_API_SCOPES",{enumerable:!0,get:()=>C.MANAGEMENT_API_SCOPES});Object.defineProperty(exports,"seed",{enumerable:!0,get:()=>C.seed});exports.createAccessControlHooks=q;exports.createAccessControlMiddleware=U;exports.createDatabaseHooks=z;exports.createDatabaseMiddleware=K;exports.createMultiTenancy=V;exports.createMultiTenancyHooks=b;exports.createMultiTenancyMiddleware=I;exports.createMultiTenancyPlugin=k;exports.createProtectSyncedMiddleware=E;exports.createProvisioningHooks=F;exports.createResourceServerSyncHooks=j;exports.createSubdomainMiddleware=N;exports.createTenantResourceServerSyncHooks=O;exports.createTenantsRouter=S;exports.fetchAll=P;exports.init=ee;exports.setupMultiTenancy=x;exports.validateTenantAccess=D;

package/dist/multi-tenancy.d.ts CHANGED Viewed

@@ -9659,6 +9659,13 @@ export type Bindings = {
 export interface CreateX509CertificateParams {
 	name: string;
 }
+/**
+ * Management API scopes for the AuthHero Management API
+ */
+export declare const MANAGEMENT_API_SCOPES: {
+	description: string;
+	value: string;
+}[];
 export interface SeedOptions {
 	/**
 	 * The admin user's email address
@@ -9696,6 +9703,10 @@ export interface SeedOptions {
 	 * Whether to log progress (defaults to true)
 	 */
 	debug?: boolean;
+	/**
+	 * The issuer URL (used to construct the Management API identifier)
+	 */
+	issuer?: string;
 }
 export interface SeedResult {
 	tenantId: string;
@@ -18998,6 +19009,30 @@ export interface AccessControlConfig {
 	 * These roles should exist on the main tenant.
 	 */
 	defaultRoles?: string[];
+	/**
+	 * The issuer URL used to construct the Management API identifier.
+	 * If provided, a "Tenant Admin" role will be created with all Management API
+	 * permissions, and the user creating a new tenant will be assigned this role.
+	 * @example "https://auth.example.com/"
+	 */
+	issuer?: string;
+	/**
+	 * The name of the admin role to create/use for tenant administrators.
+	 * This role will have full Management API permissions.
+	 * @default "Tenant Admin"
+	 */
+	adminRoleName?: string;
+	/**
+	 * Description for the admin role.
+	 * @default "Full access to all tenant management operations"
+	 */
+	adminRoleDescription?: string;
+	/**
+	 * If true, the user creating a tenant will be added to the organization
+	 * and assigned the admin role.
+	 * @default true
+	 */
+	addCreatorToOrganization?: boolean;
 }
 /**
  * Configuration for per-tenant database isolation.

package/dist/multi-tenancy.mjs CHANGED Viewed

@@ -1,33 +1,33 @@
-var R = Object.defineProperty;
-var F = (a, e, s) => e in a ? R(a, e, { enumerable: !0, configurable: !0, writable: !0, value: s }) : a[e] = s;
-var C = (a, e, s) => F(a, typeof e != "symbol" ? e + "" : e, s);
+var D = Object.defineProperty;
+var q = (t, e, s) => e in t ? D(t, e, { enumerable: !0, configurable: !0, writable: !0, value: s }) : t[e] = s;
+var C = (t, e, s) => q(t, typeof e != "symbol" ? e + "" : e, s);
 import { Hono as $ } from "hono";
-import { init as z } from "authhero";
-import { seed as ce } from "authhero";
-import { z as P } from "zod";
-import { auth0QuerySchema as j, tenantInsertSchema as M } from "@authhero/adapter-interfaces";
-function U(a) {
-  const { mainTenantId: e, requireOrganizationMatch: s = !0 } = a;
+import { MANAGEMENT_API_SCOPES as F, init as P } from "authhero";
+import { MANAGEMENT_API_SCOPES as le, seed as ue } from "authhero";
+import { z as j } from "zod";
+import { auth0QuerySchema as U, tenantInsertSchema as R } from "@authhero/adapter-interfaces";
+function O(t) {
+  const { mainTenantId: e, requireOrganizationMatch: s = !0 } = t;
   return {
-    async onTenantAccessValidation(n, t) {
-      if (t === e)
+    async onTenantAccessValidation(n, a) {
+      if (a === e)
         return !0;
       if (s) {
-        const o = n.var.organization_id;
-        return o ? o === t : !1;
+        const c = n.var.organization_id;
+        return c ? c === a : !1;
       }
       return !0;
     }
   };
 }
-function K(a, e, s) {
-  return e === s ? !0 : a ? a === e : !1;
+function E(t, e, s) {
+  return e === s ? !0 : t ? t === e : !1;
 }
-function V(a) {
+function K(t) {
   return {
     async resolveDataAdapters(e) {
       try {
-        return await a.getAdapters(e);
+        return await t.getAdapters(e);
       } catch (s) {
         console.error(
           `Failed to resolve data adapters for tenant ${e}:`,
@@ -38,62 +38,113 @@ function V(a) {
     }
   };
 }
-function O(a) {
+function N(t) {
   return {
     async afterCreate(e, s) {
-      const { accessControl: n, databaseIsolation: t, settingsInheritance: o } = a;
-      n && e.ctx && await N(e, s, n), t != null && t.onProvision && await t.onProvision(s.id), (o == null ? void 0 : o.inheritFromMain) !== !1 && e.ctx && await E(e, s, a);
+      const { accessControl: n, databaseIsolation: a, settingsInheritance: c } = t;
+      n && e.ctx && await V(e, s, n), a != null && a.onProvision && await a.onProvision(s.id), (c == null ? void 0 : c.inheritFromMain) !== !1 && e.ctx && await Q(e, s, t);
     },
     async beforeDelete(e, s) {
-      const { accessControl: n, databaseIsolation: t } = a;
+      const { accessControl: n, databaseIsolation: a } = t;
       if (n)
         try {
           const d = (await e.adapters.organizations.list(
             n.mainTenantId
-          )).organizations.find((c) => c.name === s);
+          )).organizations.find((o) => o.name === s);
           d && await e.adapters.organizations.remove(
             n.mainTenantId,
             d.id
           );
-        } catch (o) {
+        } catch (c) {
           console.warn(
             `Failed to remove organization for tenant ${s}:`,
-            o
+            c
           );
         }
-      if (t != null && t.onDeprovision)
+      if (a != null && a.onDeprovision)
         try {
-          await t.onDeprovision(s);
-        } catch (o) {
+          await a.onDeprovision(s);
+        } catch (c) {
           console.warn(
             `Failed to deprovision database for tenant ${s}:`,
-            o
+            c
           );
         }
     }
   };
 }
-async function N(a, e, s) {
-  const { mainTenantId: n, defaultPermissions: t, defaultRoles: o } = s;
-  await a.adapters.organizations.create(n, {
+async function V(t, e, s) {
+  const {
+    mainTenantId: n,
+    defaultPermissions: a,
+    defaultRoles: c,
+    issuer: d,
+    adminRoleName: o = "Tenant Admin",
+    adminRoleDescription: i = "Full access to all tenant management operations",
+    addCreatorToOrganization: r = !0
+  } = s;
+  await t.adapters.organizations.create(n, {
     id: e.id,
     name: e.id,
     display_name: e.friendly_name || e.id
-  }), o && o.length > 0 && console.log(
-    `Would assign roles ${o.join(", ")} to organization ${e.id}`
-  ), t && t.length > 0 && console.log(
-    `Would grant permissions ${t.join(", ")} to organization ${e.id}`
+  });
+  let l = null;
+  if (d && (l = await W(
+    t,
+    n,
+    d,
+    o,
+    i
+  )), r && t.ctx) {
+    const f = t.ctx.var.user;
+    if (f != null && f.sub)
+      try {
+        await t.adapters.userOrganizations.create(n, {
+          user_id: f.sub,
+          organization_id: e.id
+        }), l && await t.adapters.userRoles.create(
+          n,
+          f.sub,
+          l,
+          e.id
+          // organizationId
+        );
+      } catch (u) {
+        console.warn(
+          `Failed to add creator ${f.sub} to organization ${e.id}:`,
+          u
+        );
+      }
+  }
+  c && c.length > 0 && console.log(
+    `Would assign roles ${c.join(", ")} to organization ${e.id}`
+  ), a && a.length > 0 && console.log(
+    `Would grant permissions ${a.join(", ")} to organization ${e.id}`
   );
 }
-async function E(a, e, s) {
-  const { accessControl: n, settingsInheritance: t } = s;
+async function W(t, e, s, n, a) {
+  const d = (await t.adapters.roles.list(e, {})).roles.find((l) => l.name === n);
+  if (d)
+    return d.id;
+  const o = await t.adapters.roles.create(e, {
+    name: n,
+    description: a
+  }), i = `${s}api/v2/`, r = F.map((l) => ({
+    role_id: o.id,
+    resource_server_identifier: i,
+    permission_name: l.value
+  }));
+  return await t.adapters.rolePermissions.assign(e, o.id, r), o.id;
+}
+async function Q(t, e, s) {
+  const { accessControl: n, settingsInheritance: a } = s;
   if (!n)
     return;
-  const o = await a.adapters.tenants.get(n.mainTenantId);
-  if (!o)
+  const c = await t.adapters.tenants.get(n.mainTenantId);
+  if (!c)
     return;
-  let d = { ...o };
-  const c = [
+  let d = { ...c };
+  const o = [
     "id",
     "created_at",
     "updated_at",
@@ -103,49 +154,49 @@ async function E(a, e, s) {
     "sender_email",
     "sender_name"
   ];
-  for (const i of c)
+  for (const i of o)
     delete d[i];
-  if (t != null && t.inheritedKeys) {
+  if (a != null && a.inheritedKeys) {
     const i = {};
-    for (const r of t.inheritedKeys)
-      r in o && !c.includes(r) && (i[r] = o[r]);
+    for (const r of a.inheritedKeys)
+      r in c && !o.includes(r) && (i[r] = c[r]);
     d = i;
   }
-  if (t != null && t.excludedKeys)
-    for (const i of t.excludedKeys)
+  if (a != null && a.excludedKeys)
+    for (const i of a.excludedKeys)
       delete d[i];
-  t != null && t.transformSettings && (d = t.transformSettings(
+  a != null && a.transformSettings && (d = a.transformSettings(
     d,
     e.id
-  )), Object.keys(d).length > 0 && await a.adapters.tenants.update(e.id, d);
+  )), Object.keys(d).length > 0 && await t.adapters.tenants.update(e.id, d);
 }
-async function q(a, e, s = {}) {
+async function M(t, e, s = {}) {
   const {
     cursorField: n = "id",
-    sortOrder: t = "asc",
-    pageSize: o = 100,
+    sortOrder: a = "asc",
+    pageSize: c = 100,
     maxItems: d = 1e4,
-    q: c
+    q: o
   } = s, i = [];
-  let r, u = !0;
-  for (; u; ) {
-    let f = c || "";
+  let r, l = !0;
+  for (; l; ) {
+    let f = o || "";
     if (r) {
-      const w = `${n}:${t === "asc" ? ">" : "<"}${r}`;
+      const w = `${n}:${a === "asc" ? ">" : "<"}${r}`;
       f = f ? `(${f}) AND ${w}` : w;
     }
-    const l = {
-      per_page: o,
+    const u = {
+      per_page: c,
       page: 0,
       // Always use page 0 since we're doing cursor-based pagination
       sort: {
         sort_by: n,
-        sort_order: t
+        sort_order: a
       },
       ...f && { q: f }
-    }, T = (await a(l))[e] || [];
+    }, T = (await t(u))[e] || [];
     if (T.length === 0)
-      u = !1;
+      l = !1;
     else {
       i.push(...T);
       const _ = T[T.length - 1];
@@ -153,33 +204,33 @@ async function q(a, e, s = {}) {
         const w = _[n];
         w != null && (r = String(w));
       }
-      T.length < o && (u = !1), d !== -1 && i.length >= d && (console.warn(
+      T.length < c && (l = !1), d !== -1 && i.length >= d && (console.warn(
         `fetchAll: Reached maxItems limit (${d}). There may be more items.`
-      ), u = !1);
+      ), l = !1);
     }
   }
   return i;
 }
-function W(a) {
+function G(t) {
   const {
     mainTenantId: e,
     getChildTenantIds: s,
     getAdapters: n,
-    shouldSync: t = () => !0,
-    transformForSync: o
-  } = a;
-  async function d(r, u, f) {
-    return (await r.resourceServers.list(u, {
+    shouldSync: a = () => !0,
+    transformForSync: c
+  } = t;
+  async function d(r, l, f) {
+    return (await r.resourceServers.list(l, {
       q: `identifier:${f}`,
       per_page: 1
     })).resource_servers[0] ?? null;
   }
-  async function c(r, u) {
+  async function o(r, l) {
     const f = await s();
     await Promise.all(
-      f.map(async (l) => {
+      f.map(async (u) => {
         try {
-          const m = await n(l), _ = { ...o ? o(r, l) : {
+          const m = await n(u), _ = { ...c ? c(r, u) : {
             name: r.name,
             identifier: r.identifier,
             scopes: r.scopes,
@@ -192,32 +243,32 @@ function W(a) {
             verificationKey: r.verificationKey,
             options: r.options
           }, is_system: !0 };
-          if (u === "create") {
+          if (l === "create") {
             const w = await d(
               m,
-              l,
+              u,
               r.identifier
             );
             w && w.id ? await m.resourceServers.update(
-              l,
+              u,
               w.id,
               _
-            ) : await m.resourceServers.create(l, _);
+            ) : await m.resourceServers.create(u, _);
           } else {
             const w = await d(
               m,
-              l,
+              u,
               r.identifier
             );
             w && w.id && await m.resourceServers.update(
-              l,
+              u,
               w.id,
               _
             );
           }
         } catch (m) {
           console.error(
-            `Failed to sync resource server "${r.identifier}" to tenant "${l}":`,
+            `Failed to sync resource server "${r.identifier}" to tenant "${u}":`,
             m
           );
         }
@@ -225,78 +276,78 @@ function W(a) {
     );
   }
   async function i(r) {
-    const u = await s();
+    const l = await s();
     await Promise.all(
-      u.map(async (f) => {
+      l.map(async (f) => {
         try {
-          const l = await n(f), m = await d(
-            l,
+          const u = await n(f), m = await d(
+            u,
             f,
             r
           );
-          m && m.id && await l.resourceServers.remove(f, m.id);
-        } catch (l) {
+          m && m.id && await u.resourceServers.remove(f, m.id);
+        } catch (u) {
           console.error(
             `Failed to delete resource server "${r}" from tenant "${f}":`,
-            l
+            u
           );
         }
       })
     );
   }
   return {
-    afterCreate: async (r, u) => {
-      r.tenantId === e && t(u) && await c(u, "create");
+    afterCreate: async (r, l) => {
+      r.tenantId === e && a(l) && await o(l, "create");
     },
-    afterUpdate: async (r, u, f) => {
-      r.tenantId === e && t(f) && await c(f, "update");
+    afterUpdate: async (r, l, f) => {
+      r.tenantId === e && a(f) && await o(f, "update");
     },
-    afterDelete: async (r, u) => {
-      r.tenantId === e && await i(u);
+    afterDelete: async (r, l) => {
+      r.tenantId === e && await i(l);
     }
   };
 }
-function Q(a) {
+function L(t) {
   const {
     mainTenantId: e,
     getMainTenantAdapters: s,
     getAdapters: n,
-    shouldSync: t = () => !0,
-    transformForSync: o
-  } = a;
+    shouldSync: a = () => !0,
+    transformForSync: c
+  } = t;
   return {
-    async afterCreate(d, c) {
-      if (c.id !== e)
+    async afterCreate(d, o) {
+      if (o.id !== e)
         try {
-          const i = await s(), r = await n(c.id), u = await q(
+          const i = await s(), r = await n(o.id), l = await M(
             (f) => i.resourceServers.list(e, f),
             "resource_servers",
             { cursorField: "id", pageSize: 100 }
           );
           await Promise.all(
-            u.filter((f) => t(f)).map(async (f) => {
-              const l = f;
+            l.filter((f) => a(f)).map(async (f) => {
+              const u = f;
               try {
-                const m = o ? o(l, c.id) : {
-                  name: l.name,
-                  identifier: l.identifier,
-                  scopes: l.scopes,
-                  signing_alg: l.signing_alg,
-                  signing_secret: l.signing_secret,
-                  token_lifetime: l.token_lifetime,
-                  token_lifetime_for_web: l.token_lifetime_for_web,
-                  skip_consent_for_verifiable_first_party_clients: l.skip_consent_for_verifiable_first_party_clients,
-                  allow_offline_access: l.allow_offline_access,
-                  verificationKey: l.verificationKey,
-                  options: l.options
+                const m = c ? c(u, o.id) : {
+                  name: u.name,
+                  identifier: u.identifier,
+                  scopes: u.scopes,
+                  signing_alg: u.signing_alg,
+                  signing_secret: u.signing_secret,
+                  token_lifetime: u.token_lifetime,
+                  token_lifetime_for_web: u.token_lifetime_for_web,
+                  skip_consent_for_verifiable_first_party_clients: u.skip_consent_for_verifiable_first_party_clients,
+                  allow_offline_access: u.allow_offline_access,
+                  verificationKey: u.verificationKey,
+                  options: u.options
                 };
-                await r.resourceServers.create(c.id, {
+                await r.resourceServers.create(o.id, {
                   ...m,
                   is_system: !0
                 });
               } catch (m) {
                 console.error(
-                  `Failed to sync resource server "${l.identifier}" to new tenant "${c.id}":`,
+                  `Failed to sync resource server "${u.identifier}" to new tenant "${o.id}":`,
                   m
                 );
               }
@@ -304,7 +355,7 @@ function Q(a) {
           );
         } catch (i) {
           console.error(
-            `Failed to sync resource servers to new tenant "${c.id}":`,
+            `Failed to sync resource servers to new tenant "${o.id}":`,
             i
           );
         }
@@ -337,107 +388,107 @@ var p = class extends Error {
     });
   }
 };
-function S(a, e) {
+function S(t, e) {
   const s = new $();
   return s.get("/", async (n) => {
-    var u;
-    if (a.accessControl && await ((u = e.onTenantAccessValidation) == null ? void 0 : u.call(
+    var l;
+    if (t.accessControl && await ((l = e.onTenantAccessValidation) == null ? void 0 : l.call(
       e,
       n,
-      a.accessControl.mainTenantId
+      t.accessControl.mainTenantId
     )) === !1)
       throw new p(403, {
         message: "Access denied to tenant management"
       });
-    const t = j.parse(n.req.query()), { page: o, per_page: d, include_totals: c, q: i } = t, r = await n.env.data.tenants.list({
-      page: o,
+    const a = U.parse(n.req.query()), { page: c, per_page: d, include_totals: o, q: i } = a, r = await n.env.data.tenants.list({
+      page: c,
       per_page: d,
-      include_totals: c,
+      include_totals: o,
       q: i
     });
-    return c ? n.json(r) : n.json(r.tenants);
+    return o ? n.json(r) : n.json(r.tenants);
   }), s.get("/:id", async (n) => {
-    var c;
-    const t = n.req.param("id");
-    if (await ((c = e.onTenantAccessValidation) == null ? void 0 : c.call(e, n, t)) === !1)
+    var o;
+    const a = n.req.param("id");
+    if (await ((o = e.onTenantAccessValidation) == null ? void 0 : o.call(e, n, a)) === !1)
       throw new p(403, {
         message: "Access denied to this tenant"
       });
-    const d = await n.env.data.tenants.get(t);
+    const d = await n.env.data.tenants.get(a);
     if (!d)
       throw new p(404, {
         message: "Tenant not found"
       });
     return n.json(d);
   }), s.post("/", async (n) => {
-    var t, o, d, c;
+    var a, c, d, o;
     try {
-      if (a.accessControl && await ((t = e.onTenantAccessValidation) == null ? void 0 : t.call(
+      if (t.accessControl && await ((a = e.onTenantAccessValidation) == null ? void 0 : a.call(
         e,
         n,
-        a.accessControl.mainTenantId
+        t.accessControl.mainTenantId
       )) === !1)
         throw new p(403, {
           message: "Access denied to create tenants"
         });
-      let i = M.parse(
+      let i = R.parse(
         await n.req.json()
       );
       const r = {
         adapters: n.env.data,
         ctx: n
       };
-      (o = e.tenants) != null && o.beforeCreate && (i = await e.tenants.beforeCreate(r, i));
-      const u = await n.env.data.tenants.create(i);
-      return (d = e.tenants) != null && d.afterCreate && await e.tenants.afterCreate(r, u), n.json(u, 201);
+      (c = e.tenants) != null && c.beforeCreate && (i = await e.tenants.beforeCreate(r, i));
+      const l = await n.env.data.tenants.create(i);
+      return (d = e.tenants) != null && d.afterCreate && await e.tenants.afterCreate(r, l), n.json(l, 201);
     } catch (i) {
-      throw i instanceof P.ZodError ? new p(400, {
+      throw i instanceof j.ZodError ? new p(400, {
         message: "Validation error",
         cause: i
-      }) : i instanceof Error && ("code" in i && i.code === "SQLITE_CONSTRAINT_PRIMARYKEY" || (c = i.message) != null && c.includes("UNIQUE constraint failed")) ? new p(409, {
+      }) : i instanceof Error && ("code" in i && i.code === "SQLITE_CONSTRAINT_PRIMARYKEY" || (o = i.message) != null && o.includes("UNIQUE constraint failed")) ? new p(409, {
         message: "Tenant with this ID already exists"
       }) : i;
     }
   }), s.patch("/:id", async (n) => {
     var m, T, _;
-    const t = n.req.param("id");
-    if (await ((m = e.onTenantAccessValidation) == null ? void 0 : m.call(e, n, t)) === !1)
+    const a = n.req.param("id");
+    if (await ((m = e.onTenantAccessValidation) == null ? void 0 : m.call(e, n, a)) === !1)
       throw new p(403, {
         message: "Access denied to update this tenant"
       });
-    const d = M.partial().parse(await n.req.json()), { id: c, ...i } = d;
-    if (!await n.env.data.tenants.get(t))
+    const d = R.partial().parse(await n.req.json()), { id: o, ...i } = d;
+    if (!await n.env.data.tenants.get(a))
       throw new p(404, {
         message: "Tenant not found"
       });
-    const u = {
+    const l = {
       adapters: n.env.data,
       ctx: n
     };
     let f = i;
-    (T = e.tenants) != null && T.beforeUpdate && (f = await e.tenants.beforeUpdate(u, t, i)), await n.env.data.tenants.update(t, f);
-    const l = await n.env.data.tenants.get(t);
-    if (!l)
+    (T = e.tenants) != null && T.beforeUpdate && (f = await e.tenants.beforeUpdate(l, a, i)), await n.env.data.tenants.update(a, f);
+    const u = await n.env.data.tenants.get(a);
+    if (!u)
       throw new p(404, {
         message: "Tenant not found after update"
       });
-    return (_ = e.tenants) != null && _.afterUpdate && await e.tenants.afterUpdate(u, l), n.json(l);
+    return (_ = e.tenants) != null && _.afterUpdate && await e.tenants.afterUpdate(l, u), n.json(u);
   }), s.delete("/:id", async (n) => {
-    var c, i, r;
-    const t = n.req.param("id");
-    if (a.accessControl && t === a.accessControl.mainTenantId)
+    var o, i, r;
+    const a = n.req.param("id");
+    if (t.accessControl && a === t.accessControl.mainTenantId)
       throw new p(400, {
         message: "Cannot delete the main tenant"
       });
-    if (a.accessControl && await ((c = e.onTenantAccessValidation) == null ? void 0 : c.call(
+    if (t.accessControl && await ((o = e.onTenantAccessValidation) == null ? void 0 : o.call(
       e,
       n,
-      a.accessControl.mainTenantId
+      t.accessControl.mainTenantId
     )) === !1)
       throw new p(403, {
         message: "Access denied to delete tenants"
       });
-    if (!await n.env.data.tenants.get(t))
+    if (!await n.env.data.tenants.get(a))
       throw new p(404, {
         message: "Tenant not found"
       });
@@ -445,10 +496,10 @@ function S(a, e) {
       adapters: n.env.data,
       ctx: n
     };
-    return (i = e.tenants) != null && i.beforeDelete && await e.tenants.beforeDelete(d, t), await n.env.data.tenants.remove(t), (r = e.tenants) != null && r.afterDelete && await e.tenants.afterDelete(d, t), n.body(null, 204);
+    return (i = e.tenants) != null && i.beforeDelete && await e.tenants.beforeDelete(d, a), await n.env.data.tenants.remove(a), (r = e.tenants) != null && r.afterDelete && await e.tenants.afterDelete(d, a), n.body(null, 204);
   }), s;
 }
-function L(a) {
+function Y(t) {
   const e = [
     {
       pattern: /\/api\/v2\/resource-servers\/([^/]+)$/,
@@ -458,25 +509,25 @@ function L(a) {
     { pattern: /\/api\/v2\/connections\/([^/]+)$/, type: "connection" }
   ];
   for (const { pattern: s, type: n } of e) {
-    const t = a.match(s);
-    if (t && t[1])
-      return { type: n, id: t[1] };
+    const a = t.match(s);
+    if (a && a[1])
+      return { type: n, id: a[1] };
   }
   return null;
 }
-async function Y(a, e, s) {
+async function B(t, e, s) {
   try {
     switch (s.type) {
       case "resource_server": {
-        const n = await a.resourceServers.get(e, s.id);
+        const n = await t.resourceServers.get(e, s.id);
         return (n == null ? void 0 : n.is_system) === !0;
       }
       case "role": {
-        const n = await a.roles.get(e, s.id);
+        const n = await t.roles.get(e, s.id);
         return (n == null ? void 0 : n.is_system) === !0;
       }
       case "connection": {
-        const n = await a.connections.get(e, s.id);
+        const n = await t.connections.get(e, s.id);
         return (n == null ? void 0 : n.is_system) === !0;
       }
       default:
@@ -486,43 +537,43 @@ async function Y(a, e, s) {
     return !1;
   }
 }
-function B(a) {
+function Z(t) {
   return {
     resource_server: "resource server",
     role: "role",
     connection: "connection"
-  }[a];
+  }[t];
 }
-function Z() {
-  return async (a, e) => {
-    if (!["PATCH", "PUT", "DELETE"].includes(a.req.method))
+function J() {
+  return async (t, e) => {
+    if (!["PATCH", "PUT", "DELETE"].includes(t.req.method))
       return e();
-    const s = L(a.req.path);
+    const s = Y(t.req.path);
     if (!s)
       return e();
-    const n = a.var.tenant_id || a.req.header("x-tenant-id") || a.req.header("tenant-id");
+    const n = t.var.tenant_id || t.req.header("x-tenant-id") || t.req.header("tenant-id");
     if (!n)
       return e();
-    if (await Y(a.env.data, n, s))
+    if (await B(t.env.data, n, s))
       throw new p(403, {
-        message: `This ${B(s.type)} is a system resource and cannot be modified. Make changes in the main tenant instead.`
+        message: `This ${Z(s.type)} is a system resource and cannot be modified. Make changes in the main tenant instead.`
       });
     return e();
   };
 }
-function G(a) {
+function X(t) {
   return async (e, s) => {
-    if (!a.accessControl)
+    if (!t.accessControl)
       return s();
-    const n = e.var.tenant_id, t = e.var.organization_id;
+    const n = e.var.tenant_id, a = e.var.organization_id;
     if (!n)
       throw new p(400, {
         message: "Tenant ID not found in request"
       });
-    if (!K(
-      t,
+    if (!E(
+      a,
       n,
-      a.accessControl.mainTenantId
+      t.accessControl.mainTenantId
     ))
       throw new p(403, {
         message: `Access denied to tenant ${n}`
@@ -530,44 +581,44 @@ function G(a) {
     return s();
   };
 }
-function J(a) {
+function H(t) {
   return async (e, s) => {
-    if (!a.subdomainRouting)
+    if (!t.subdomainRouting)
       return s();
     const {
       baseDomain: n,
-      reservedSubdomains: t = [],
-      resolveSubdomain: o
-    } = a.subdomainRouting, d = e.req.header("host") || "";
-    let c = null;
+      reservedSubdomains: a = [],
+      resolveSubdomain: c
+    } = t.subdomainRouting, d = e.req.header("host") || "";
+    let o = null;
     if (d.endsWith(n)) {
       const r = d.slice(0, -(n.length + 1));
-      r && !r.includes(".") && (c = r);
+      r && !r.includes(".") && (o = r);
     }
-    if (c && t.includes(c) && (c = null), !c)
-      return a.accessControl && e.set("tenant_id", a.accessControl.mainTenantId), s();
+    if (o && a.includes(o) && (o = null), !o)
+      return t.accessControl && e.set("tenant_id", t.accessControl.mainTenantId), s();
     let i = null;
-    if (o)
-      i = await o(c);
-    else if (a.subdomainRouting.useOrganizations !== !1 && a.accessControl)
+    if (c)
+      i = await c(o);
+    else if (t.subdomainRouting.useOrganizations !== !1 && t.accessControl)
       try {
         const r = await e.env.data.organizations.get(
-          a.accessControl.mainTenantId,
-          c
+          t.accessControl.mainTenantId,
+          o
         );
         r && (i = r.id);
       } catch {
       }
     if (!i)
       throw new p(404, {
-        message: `Tenant not found for subdomain: ${c}`
+        message: `Tenant not found for subdomain: ${o}`
       });
     return e.set("tenant_id", i), s();
   };
 }
-function X(a) {
+function k(t) {
   return async (e, s) => {
-    if (!a.databaseIsolation)
+    if (!t.databaseIsolation)
       return s();
     const n = e.var.tenant_id;
     if (!n)
@@ -575,12 +626,12 @@ function X(a) {
         message: "Tenant ID not found in request"
       });
     try {
-      const t = await a.databaseIsolation.getAdapters(n);
-      e.env.data = t;
-    } catch (t) {
+      const a = await t.databaseIsolation.getAdapters(n);
+      e.env.data = a;
+    } catch (a) {
       throw console.error(
         `Failed to resolve database for tenant ${n}:`,
-        t
+        a
       ), new p(500, {
         message: "Failed to resolve tenant database"
       });
@@ -588,66 +639,66 @@ function X(a) {
     return s();
   };
 }
-function D(a) {
-  const e = J(a), s = G(a), n = X(a);
-  return async (t, o) => (await e(t, async () => {
-  }), await s(t, async () => {
-  }), await n(t, async () => {
-  }), o());
+function I(t) {
+  const e = H(t), s = X(t), n = k(t);
+  return async (a, c) => (await e(a, async () => {
+  }), await s(a, async () => {
+  }), await n(a, async () => {
+  }), c());
 }
-function ne(a) {
-  const e = A(a);
+function re(t) {
+  const e = b(t);
   return {
     name: "multi-tenancy",
     // Apply multi-tenancy middleware for subdomain routing, database resolution, etc.
-    middleware: D(a),
+    middleware: I(t),
     // Provide lifecycle hooks
     hooks: e,
     // Mount tenant management routes
     routes: [
       {
         path: "/management",
-        handler: S(a, e)
+        handler: S(t, e)
       }
     ],
     // Called when plugin is registered
     onRegister: async () => {
-      console.log("Multi-tenancy plugin registered"), a.accessControl && console.log(
-        `  - Access control enabled (main tenant: ${a.accessControl.mainTenantId})`
-      ), a.subdomainRouting && console.log(
-        `  - Subdomain routing enabled (base domain: ${a.subdomainRouting.baseDomain})`
-      ), a.databaseIsolation && console.log("  - Database isolation enabled");
+      console.log("Multi-tenancy plugin registered"), t.accessControl && console.log(
+        `  - Access control enabled (main tenant: ${t.accessControl.mainTenantId})`
+      ), t.subdomainRouting && console.log(
+        `  - Subdomain routing enabled (base domain: ${t.subdomainRouting.baseDomain})`
+      ), t.databaseIsolation && console.log("  - Database isolation enabled");
     }
   };
 }
-function A(a) {
-  const e = a.accessControl ? U(a.accessControl) : {}, s = a.databaseIsolation ? V(a.databaseIsolation) : {}, n = O(a);
+function b(t) {
+  const e = t.accessControl ? O(t.accessControl) : {}, s = t.databaseIsolation ? K(t.databaseIsolation) : {}, n = N(t);
   return {
     ...e,
     ...s,
     tenants: n
   };
 }
-function H(a) {
-  const e = new $(), s = A(a);
-  return e.route("/tenants", S(a, s)), e;
+function x(t) {
+  const e = new $(), s = b(t);
+  return e.route("/tenants", S(t, s)), e;
 }
-function se(a) {
+function ie(t) {
   return {
-    hooks: A(a),
-    middleware: D(a),
-    app: H(a),
-    config: a
+    hooks: b(t),
+    middleware: I(t),
+    app: x(t),
+    config: t
   };
 }
-function re(a) {
+function oe(t) {
   const {
     mainTenantId: e = "main",
     syncResourceServers: s = !0,
     multiTenancy: n,
-    entityHooks: t,
-    ...o
-  } = a, d = {
+    entityHooks: a,
+    ...c
+  } = t, d = {
     ...n,
     accessControl: {
       mainTenantId: e,
@@ -655,50 +706,50 @@ function re(a) {
       defaultPermissions: ["tenant:admin"],
       ...n == null ? void 0 : n.accessControl
     }
-  }, c = A(d);
+  }, o = b(d);
   let i, r;
-  s && (i = W({
+  s && (i = G({
     mainTenantId: e,
-    getChildTenantIds: async () => (await q(
-      (y) => a.dataAdapter.tenants.list(y),
+    getChildTenantIds: async () => (await M(
+      (y) => t.dataAdapter.tenants.list(y),
       "tenants",
       { cursorField: "id", pageSize: 100 }
     )).filter((y) => y.id !== e).map((y) => y.id),
-    getAdapters: async (g) => a.dataAdapter
-  }), r = Q({
+    getAdapters: async (g) => t.dataAdapter
+  }), r = L({
     mainTenantId: e,
-    getMainTenantAdapters: async () => a.dataAdapter,
-    getAdapters: async (g) => a.dataAdapter
+    getMainTenantAdapters: async () => t.dataAdapter,
+    getAdapters: async (g) => t.dataAdapter
   }));
-  const u = async (g, y, ...h) => {
+  const l = async (g, y, ...h) => {
     const v = [];
     if (g)
       try {
         await g(...h);
-      } catch (b) {
-        v.push(b instanceof Error ? b : new Error(String(b)));
+      } catch (A) {
+        v.push(A instanceof Error ? A : new Error(String(A)));
       }
     if (y)
       try {
         await y(...h);
-      } catch (b) {
-        v.push(b instanceof Error ? b : new Error(String(b)));
+      } catch (A) {
+        v.push(A instanceof Error ? A : new Error(String(A)));
       }
     if (v.length === 1)
       throw v[0];
     if (v.length > 1)
       throw new AggregateError(
         v,
-        `Multiple hook errors: ${v.map((b) => b.message).join("; ")}`
+        `Multiple hook errors: ${v.map((A) => A.message).join("; ")}`
       );
   }, f = {
-    ...t,
+    ...a,
     resourceServers: i ? {
-      ...t == null ? void 0 : t.resourceServers,
+      ...a == null ? void 0 : a.resourceServers,
       afterCreate: async (g, y) => {
         var h;
-        await u(
-          (h = t == null ? void 0 : t.resourceServers) == null ? void 0 : h.afterCreate,
+        await l(
+          (h = a == null ? void 0 : a.resourceServers) == null ? void 0 : h.afterCreate,
           i == null ? void 0 : i.afterCreate,
           g,
           y
@@ -706,8 +757,8 @@ function re(a) {
       },
       afterUpdate: async (g, y, h) => {
         var v;
-        await u(
-          (v = t == null ? void 0 : t.resourceServers) == null ? void 0 : v.afterUpdate,
+        await l(
+          (v = a == null ? void 0 : a.resourceServers) == null ? void 0 : v.afterUpdate,
           i == null ? void 0 : i.afterUpdate,
           g,
           y,
@@ -716,61 +767,62 @@ function re(a) {
       },
       afterDelete: async (g, y) => {
         var h;
-        await u(
-          (h = t == null ? void 0 : t.resourceServers) == null ? void 0 : h.afterDelete,
+        await l(
+          (h = a == null ? void 0 : a.resourceServers) == null ? void 0 : h.afterDelete,
           i == null ? void 0 : i.afterDelete,
           g,
           y
         );
       }
-    } : t == null ? void 0 : t.resourceServers,
+    } : a == null ? void 0 : a.resourceServers,
     tenants: r ? {
-      ...t == null ? void 0 : t.tenants,
+      ...a == null ? void 0 : a.tenants,
       afterCreate: async (g, y) => {
         var h;
-        await u(
-          (h = t == null ? void 0 : t.tenants) == null ? void 0 : h.afterCreate,
+        await l(
+          (h = a == null ? void 0 : a.tenants) == null ? void 0 : h.afterCreate,
           r == null ? void 0 : r.afterCreate,
           g,
           y
         );
       }
-    } : t == null ? void 0 : t.tenants
-  }, l = z({
-    ...o,
+    } : a == null ? void 0 : a.tenants
+  }, u = P({
+    ...c,
     entityHooks: f
-  }), { app: m, managementApp: T, ..._ } = l, w = new $();
-  w.use("/api/v2/*", Z()), w.route("/", m);
-  const I = S(
+  }), { app: m, managementApp: T, ..._ } = u, w = new $();
+  w.use("/api/v2/*", J()), w.route("/", m);
+  const z = S(
     d,
-    c
+    o
   );
-  return w.route("/api/v2/tenants", I), {
+  return w.route("/api/v2/tenants", z), {
     app: w,
     managementApp: T,
     ..._,
     multiTenancyConfig: d,
-    multiTenancyHooks: c
+    multiTenancyHooks: o
   };
 }
 export {
-  U as createAccessControlHooks,
-  G as createAccessControlMiddleware,
-  V as createDatabaseHooks,
-  X as createDatabaseMiddleware,
-  H as createMultiTenancy,
-  A as createMultiTenancyHooks,
-  D as createMultiTenancyMiddleware,
-  ne as createMultiTenancyPlugin,
-  Z as createProtectSyncedMiddleware,
-  O as createProvisioningHooks,
-  W as createResourceServerSyncHooks,
-  J as createSubdomainMiddleware,
-  Q as createTenantResourceServerSyncHooks,
+  le as MANAGEMENT_API_SCOPES,
+  O as createAccessControlHooks,
+  X as createAccessControlMiddleware,
+  K as createDatabaseHooks,
+  k as createDatabaseMiddleware,
+  x as createMultiTenancy,
+  b as createMultiTenancyHooks,
+  I as createMultiTenancyMiddleware,
+  re as createMultiTenancyPlugin,
+  J as createProtectSyncedMiddleware,
+  N as createProvisioningHooks,
+  G as createResourceServerSyncHooks,
+  H as createSubdomainMiddleware,
+  L as createTenantResourceServerSyncHooks,
   S as createTenantsRouter,
-  q as fetchAll,
-  re as init,
-  ce as seed,
-  se as setupMultiTenancy,
-  K as validateTenantAccess
+  M as fetchAll,
+  oe as init,
+  ue as seed,
+  ie as setupMultiTenancy,
+  E as validateTenantAccess
 };

package/package.json CHANGED Viewed

@@ -11,7 +11,7 @@
     "type": "git",
     "url": "https://github.com/markusahlstrand/authhero"
   },
-  "version": "13.4.0",
+  "version": "13.5.0",
   "description": "Multi-tenancy support for AuthHero with organization-based access control and per-tenant database isolation",
   "files": [
     "dist"
@@ -42,7 +42,7 @@
   "dependencies": {
     "zod": "^3.24.0",
     "@authhero/adapter-interfaces": "0.112.0",
-    "authhero": "0.302.0"
+    "authhero": "0.303.0"
   },
   "peerDependencies": {
     "@hono/zod-openapi": "^0.19.10",