@authhero/multi-tenancy 13.6.0 → 13.7.0

package/dist/multi-tenancy.mjs

@@ -1,33 +1,34 @@
-var O = Object.defineProperty;
-var q = (e, n, s) => n in e ? O(e, n, { enumerable: !0, configurable: !0, writable: !0, value: s }) : e[n] = s;
-var z = (e, n, s) => q(e, typeof n != "symbol" ? n + "" : n, s);
-import { Hono as $ } from "hono";
-import { MANAGEMENT_API_SCOPES as D, init as F } from "authhero";
-import { MANAGEMENT_API_SCOPES as le, seed as ue } from "authhero";
-import { z as P } from "zod";
-import { auth0QuerySchema as U, tenantInsertSchema as I } from "@authhero/adapter-interfaces";
-function j(e) {
-  const { mainTenantId: n, requireOrganizationMatch: s = !0 } = e;
+var U = Object.defineProperty;
+var F = (a, n, s) => n in a ? U(a, n, { enumerable: !0, configurable: !0, writable: !0, value: s }) : a[n] = s;
+var j = (a, n, s) => F(a, typeof n != "symbol" ? n + "" : n, s);
+import { Hono as S } from "hono";
+import { getTenantAudience as P, MANAGEMENT_API_SCOPES as E, init as K } from "authhero";
+import { MANAGEMENT_API_SCOPES as he, seed as ye } from "authhero";
+import { z as N } from "zod";
+import { auth0QuerySchema as R, tenantInsertSchema as I, tenantSchema as q } from "@authhero/adapter-interfaces";
+import { OpenAPIHono as B, createRoute as O, z as b } from "@hono/zod-openapi";
+function V(a) {
+  const { mainTenantId: n, requireOrganizationMatch: s = !0 } = a;
   return {
-    async onTenantAccessValidation(t, a) {
-      if (a === n)
+    async onTenantAccessValidation(e, t) {
+      if (t === n)
         return !0;
       if (s) {
-        const o = t.var.organization_id;
-        return o ? o === a : !1;
+        const c = e.var.organization_id;
+        return c ? c === t : !1;
       }
       return !0;
     }
   };
 }
-function E(e, n, s) {
-  return n === s ? !0 : e ? e === n : !1;
+function W(a, n, s) {
+  return n === s ? !0 : a ? a === n : !1;
 }
-function K(e) {
+function L(a) {
   return {
     async resolveDataAdapters(n) {
       try {
-        return await e.getAdapters(n);
+        return await a.getAdapters(n);
       } catch (s) {
         console.error(
           `Failed to resolve data adapters for tenant ${n}:`,
@@ -38,72 +39,78 @@ function K(e) {
     }
   };
 }
-function N(e) {
+function Q(a) {
   return {
+    async beforeCreate(n, s) {
+      return !s.audience && s.id ? {
+        ...s,
+        audience: P(s.id)
+      } : s;
+    },
     async afterCreate(n, s) {
-      const { accessControl: t, databaseIsolation: a, settingsInheritance: o } = e;
-      t && n.ctx && await W(n, s, t), a != null && a.onProvision && await a.onProvision(s.id), (o == null ? void 0 : o.inheritFromMain) !== !1 && n.ctx && await Q(n, s, e);
+      const { accessControl: e, databaseIsolation: t, settingsInheritance: c } = a;
+      e && n.ctx && await G(n, s, e), t != null && t.onProvision && await t.onProvision(s.id), (c == null ? void 0 : c.inheritFromMain) !== !1 && n.ctx && await Z(n, s, a);
     },
     async beforeDelete(n, s) {
-      const { accessControl: t, databaseIsolation: a } = e;
-      if (t)
+      const { accessControl: e, databaseIsolation: t } = a;
+      if (e)
         try {
-          const d = (await n.adapters.organizations.list(
-            t.mainTenantId
+          const o = (await n.adapters.organizations.list(
+            e.mainTenantId
           )).organizations.find((i) => i.name === s);
-          d && await n.adapters.organizations.remove(
-            t.mainTenantId,
-            d.id
+          o && await n.adapters.organizations.remove(
+            e.mainTenantId,
+            o.id
           );
-        } catch (o) {
+        } catch (c) {
           console.warn(
             `Failed to remove organization for tenant ${s}:`,
-            o
+            c
           );
         }
-      if (a != null && a.onDeprovision)
+      if (t != null && t.onDeprovision)
         try {
-          await a.onDeprovision(s);
-        } catch (o) {
+          await t.onDeprovision(s);
+        } catch (c) {
           console.warn(
             `Failed to deprovision database for tenant ${s}:`,
-            o
+            c
           );
         }
     }
   };
 }
-async function W(e, n, s) {
+async function G(a, n, s) {
   const {
-    mainTenantId: t,
-    defaultPermissions: a,
-    defaultRoles: o,
-    issuer: d,
+    mainTenantId: e,
+    defaultPermissions: t,
+    defaultRoles: c,
+    issuer: o,
     adminRoleName: i = "Tenant Admin",
-    adminRoleDescription: c = "Full access to all tenant management operations",
+    adminRoleDescription: d = "Full access to all tenant management operations",
     addCreatorToOrganization: r = !0
   } = s;
-  await e.adapters.organizations.create(t, {
+  await a.adapters.organizations.create(e, {
     id: n.id,
     name: n.id,
     display_name: n.friendly_name || n.id
   });
   let l = null;
-  if (d && (l = await k(
+  if (o && (l = await Y(
+    a,
     e,
-    t,
-    d,
+    o,
     i,
-    c
-  )), r && e.ctx) {
-    const f = e.ctx.var.user;
+    d
+  )), r && a.ctx) {
+    const f = a.ctx.var.user;
     if (f != null && f.sub)
       try {
-        await e.adapters.userOrganizations.create(t, {
+        await a.adapters.userOrganizations.create(e, {
           user_id: f.sub,
           organization_id: n.id
-        }), l && await e.adapters.userRoles.create(
-          t,
+        }), l && await a.adapters.userRoles.create(
+          e,
           f.sub,
           l,
           n.id
@@ -116,34 +123,34 @@ async function W(e, n, s) {
         );
       }
   }
-  o && o.length > 0 && console.log(
-    `Would assign roles ${o.join(", ")} to organization ${n.id}`
-  ), a && a.length > 0 && console.log(
-    `Would grant permissions ${a.join(", ")} to organization ${n.id}`
+  c && c.length > 0 && console.log(
+    `Would assign roles ${c.join(", ")} to organization ${n.id}`
+  ), t && t.length > 0 && console.log(
+    `Would grant permissions ${t.join(", ")} to organization ${n.id}`
   );
 }
-async function k(e, n, s, t, a) {
-  const d = (await e.adapters.roles.list(n, {})).roles.find((l) => l.name === t);
-  if (d)
-    return d.id;
-  const i = await e.adapters.roles.create(n, {
-    name: t,
-    description: a
-  }), c = `${s}api/v2/`, r = D.map((l) => ({
+async function Y(a, n, s, e, t) {
+  const o = (await a.adapters.roles.list(n, {})).roles.find((l) => l.name === e);
+  if (o)
+    return o.id;
+  const i = await a.adapters.roles.create(n, {
+    name: e,
+    description: t
+  }), d = `${s}api/v2/`, r = E.map((l) => ({
     role_id: i.id,
-    resource_server_identifier: c,
+    resource_server_identifier: d,
     permission_name: l.value
   }));
-  return await e.adapters.rolePermissions.assign(n, i.id, r), i.id;
+  return await a.adapters.rolePermissions.assign(n, i.id, r), i.id;
 }
-async function Q(e, n, s) {
-  const { accessControl: t, settingsInheritance: a } = s;
-  if (!t)
+async function Z(a, n, s) {
+  const { accessControl: e, settingsInheritance: t } = s;
+  if (!e)
     return;
-  const o = await e.adapters.tenants.get(t.mainTenantId);
-  if (!o)
+  const c = await a.adapters.tenants.get(e.mainTenantId);
+  if (!c)
     return;
-  let d = { ...o };
+  let o = { ...c };
   const i = [
     "id",
     "created_at",
@@ -154,72 +161,72 @@ async function Q(e, n, s) {
     "sender_email",
     "sender_name"
   ];
-  for (const c of i)
-    delete d[c];
-  if (a != null && a.inheritedKeys) {
-    const c = {};
-    for (const r of a.inheritedKeys)
-      r in o && !i.includes(r) && (c[r] = o[r]);
-    d = c;
+  for (const d of i)
+    delete o[d];
+  if (t != null && t.inheritedKeys) {
+    const d = {};
+    for (const r of t.inheritedKeys)
+      r in c && !i.includes(r) && (d[r] = c[r]);
+    o = d;
   }
-  if (a != null && a.excludedKeys)
-    for (const c of a.excludedKeys)
-      delete d[c];
-  a != null && a.transformSettings && (d = a.transformSettings(
-    d,
+  if (t != null && t.excludedKeys)
+    for (const d of t.excludedKeys)
+      delete o[d];
+  t != null && t.transformSettings && (o = t.transformSettings(
+    o,
     n.id
-  )), Object.keys(d).length > 0 && await e.adapters.tenants.update(n.id, d);
+  )), Object.keys(o).length > 0 && await a.adapters.tenants.update(n.id, o);
 }
-async function R(e, n, s = {}) {
+async function z(a, n, s = {}) {
   const {
-    cursorField: t = "id",
-    sortOrder: a = "asc",
-    pageSize: o = 100,
-    maxItems: d = 1e4,
+    cursorField: e = "id",
+    sortOrder: t = "asc",
+    pageSize: c = 100,
+    maxItems: o = 1e4,
     q: i
-  } = s, c = [];
+  } = s, d = [];
   let r, l = !0;
   for (; l; ) {
     let f = i || "";
     if (r) {
-      const w = `${t}:${a === "asc" ? ">" : "<"}${r}`;
+      const w = `${e}:${t === "asc" ? ">" : "<"}${r}`;
       f = f ? `(${f}) AND ${w}` : w;
     }
     const u = {
-      per_page: o,
+      per_page: c,
       page: 0,
       // Always use page 0 since we're doing cursor-based pagination
       sort: {
-        sort_by: t,
-        sort_order: a
+        sort_by: e,
+        sort_order: t
       },
       ...f && { q: f }
-    }, _ = (await e(u))[n] || [];
-    if (_.length === 0)
+    }, v = (await a(u))[n] || [];
+    if (v.length === 0)
       l = !1;
     else {
-      c.push(..._);
-      const g = _[_.length - 1];
-      if (g && typeof g == "object") {
-        const w = g[t];
+      d.push(...v);
+      const h = v[v.length - 1];
+      if (h && typeof h == "object") {
+        const w = h[e];
         w != null && (r = String(w));
       }
-      _.length < o && (l = !1), d !== -1 && c.length >= d && (console.warn(
-        `fetchAll: Reached maxItems limit (${d}). There may be more items.`
+      v.length < c && (l = !1), o !== -1 && d.length >= o && (console.warn(
+        `fetchAll: Reached maxItems limit (${o}). There may be more items.`
       ), l = !1);
     }
   }
-  return c;
+  return d;
 }
-function V(e) {
+function H(a) {
   const {
     mainTenantId: n,
     getChildTenantIds: s,
-    getAdapters: t,
-    shouldSync: a = () => !0,
-    transformForSync: o
-  } = e;
-  async function d(r, l, f) {
+    getAdapters: e,
+    shouldSync: t = () => !0,
+    transformForSync: c
+  } = a;
+  async function o(r, l, f) {
     return (await r.resourceServers.list(l, {
       q: `identifier:${f}`,
       per_page: 1
@@ -230,7 +237,7 @@ function V(e) {
     await Promise.all(
       f.map(async (u) => {
         try {
-          const m = await t(u), g = { ...o ? o(r, u) : {
+          const m = await e(u), h = { ...c ? c(r, u) : {
             name: r.name,
             identifier: r.identifier,
             scopes: r.scopes,
@@ -244,7 +251,7 @@ function V(e) {
             options: r.options
           }, is_system: !0 };
           if (l === "create") {
-            const w = await d(
+            const w = await o(
               m,
               u,
               r.identifier
@@ -252,10 +259,10 @@ function V(e) {
             w && w.id ? await m.resourceServers.update(
               u,
               w.id,
-              g
-            ) : await m.resourceServers.create(u, g);
+              h
+            ) : await m.resourceServers.create(u, h);
           } else {
-            const w = await d(
+            const w = await o(
               m,
               u,
               r.identifier
@@ -263,7 +270,7 @@ function V(e) {
             w && w.id && await m.resourceServers.update(
               u,
               w.id,
-              g
+              h
             );
           }
         } catch (m) {
@@ -275,12 +282,12 @@ function V(e) {
       })
     );
   }
-  async function c(r) {
+  async function d(r) {
     const l = await s();
     await Promise.all(
       l.map(async (f) => {
         try {
-          const u = await t(f), m = await d(
+          const u = await e(f), m = await o(
             u,
             f,
             r
@@ -297,38 +304,38 @@ function V(e) {
   }
   return {
     afterCreate: async (r, l) => {
-      r.tenantId === n && a(l) && await i(l, "create");
+      r.tenantId === n && t(l) && await i(l, "create");
     },
     afterUpdate: async (r, l, f) => {
-      r.tenantId === n && a(f) && await i(f, "update");
+      r.tenantId === n && t(f) && await i(f, "update");
     },
     afterDelete: async (r, l) => {
-      r.tenantId === n && await c(l);
+      r.tenantId === n && await d(l);
     }
   };
 }
-function G(e) {
+function J(a) {
   const {
     mainTenantId: n,
     getMainTenantAdapters: s,
-    getAdapters: t,
-    shouldSync: a = () => !0,
-    transformForSync: o
-  } = e;
+    getAdapters: e,
+    shouldSync: t = () => !0,
+    transformForSync: c
+  } = a;
   return {
-    async afterCreate(d, i) {
+    async afterCreate(o, i) {
       if (i.id !== n)
         try {
-          const c = await s(), r = await t(i.id), l = await R(
-            (f) => c.resourceServers.list(n, f),
+          const d = await s(), r = await e(i.id), l = await z(
+            (f) => d.resourceServers.list(n, f),
             "resource_servers",
             { cursorField: "id", pageSize: 100 }
           );
           await Promise.all(
-            l.filter((f) => a(f)).map(async (f) => {
+            l.filter((f) => t(f)).map(async (f) => {
               const u = f;
               try {
-                const m = o ? o(u, i.id) : {
+                const m = c ? c(u, i.id) : {
                   name: u.name,
                   identifier: u.identifier,
                   scopes: u.scopes,
@@ -353,10 +360,10 @@ function G(e) {
               }
             })
           );
-        } catch (c) {
+        } catch (d) {
           console.error(
             `Failed to sync resource servers to new tenant "${i.id}":`,
-            c
+            d
           );
         }
     }
@@ -370,8 +377,8 @@ var p = class extends Error {
    */
   constructor(n = 500, s) {
     super(s == null ? void 0 : s.message, { cause: s == null ? void 0 : s.cause });
-    z(this, "res");
-    z(this, "status");
+    j(this, "res");
+    j(this, "status");
     this.res = s == null ? void 0 : s.res, this.status = n;
   }
   /**
@@ -388,162 +395,486 @@ var p = class extends Error {
     });
   }
 };
-function S(e, n) {
-  const s = new $();
-  return s.get("/", async (t) => {
+function D(a, n) {
+  const s = new S();
+  return s.get("/", async (e) => {
     var f, u;
-    const a = U.parse(t.req.query()), { page: o, per_page: d, include_totals: i, q: c } = a, r = t.var.user;
-    if (e.accessControl && (r != null && r.sub)) {
-      const m = e.accessControl.mainTenantId, g = (await t.env.data.userOrganizations.listUserOrganizations(
+    const t = R.parse(e.req.query()), { page: c, per_page: o, include_totals: i, q: d } = t, r = e.var.user;
+    if (a.accessControl && (r != null && r.sub)) {
+      const m = a.accessControl.mainTenantId, h = (await e.env.data.userOrganizations.listUserOrganizations(
         m,
         r.sub,
         {}
-      )).organizations.map((y) => y.id);
-      g.includes(m) || g.push(m);
-      const w = await t.env.data.tenants.list({
-        page: o,
-        per_page: d,
+      )).organizations.map((g) => g.id);
+      h.includes(m) || h.push(m);
+      const w = await e.env.data.tenants.list({
+        page: c,
+        per_page: o,
         include_totals: i,
-        q: c
-      }), C = w.tenants.filter(
-        (y) => g.includes(y.id)
+        q: d
+      }), T = w.tenants.filter(
+        (g) => h.includes(g.id)
       );
-      return i ? t.json({
-        tenants: C,
+      return i ? e.json({
+        tenants: T,
         start: ((f = w.totals) == null ? void 0 : f.start) ?? 0,
-        limit: ((u = w.totals) == null ? void 0 : u.limit) ?? d,
-        length: C.length
-      }) : t.json(C);
+        limit: ((u = w.totals) == null ? void 0 : u.limit) ?? o,
+        length: T.length
+      }) : e.json(T);
     }
-    const l = await t.env.data.tenants.list({
-      page: o,
-      per_page: d,
+    const l = await e.env.data.tenants.list({
+      page: c,
+      per_page: o,
       include_totals: i,
-      q: c
+      q: d
     });
-    return i ? t.json(l) : t.json(l.tenants);
-  }), s.get("/:id", async (t) => {
-    const a = t.req.param("id");
-    if (e.accessControl) {
-      const d = t.var.user, i = e.accessControl.mainTenantId;
-      if (a !== i) {
-        if (!(d != null && d.sub))
+    return i ? e.json(l) : e.json(l.tenants);
+  }), s.get("/:id", async (e) => {
+    const t = e.req.param("id");
+    if (a.accessControl) {
+      const o = e.var.user, i = a.accessControl.mainTenantId;
+      if (t !== i) {
+        if (!(o != null && o.sub))
           throw new p(401, {
             message: "Authentication required"
           });
-        if (!(await t.env.data.userOrganizations.listUserOrganizations(
+        if (!(await e.env.data.userOrganizations.listUserOrganizations(
           i,
-          d.sub,
+          o.sub,
           {}
-        )).organizations.some((l) => l.id === a))
+        )).organizations.some((l) => l.id === t))
           throw new p(403, {
             message: "Access denied to this tenant"
           });
       }
     }
-    const o = await t.env.data.tenants.get(a);
-    if (!o)
+    const c = await e.env.data.tenants.get(t);
+    if (!c)
       throw new p(404, {
         message: "Tenant not found"
       });
-    return t.json(o);
-  }), s.post("/", async (t) => {
-    var a, o, d;
+    return e.json(c);
+  }), s.post("/", async (e) => {
+    var t, c, o;
     try {
-      const i = t.var.user;
+      const i = e.var.user;
       if (!(i != null && i.sub))
         throw new p(401, {
           message: "Authentication required to create tenants"
         });
-      let c = I.parse(
-        await t.req.json()
+      let d = I.parse(
+        await e.req.json()
       );
       const r = {
-        adapters: t.env.data,
-        ctx: t
+        adapters: e.env.data,
+        ctx: e
       };
-      (a = n.tenants) != null && a.beforeCreate && (c = await n.tenants.beforeCreate(r, c));
-      const l = await t.env.data.tenants.create(c);
-      return (o = n.tenants) != null && o.afterCreate && await n.tenants.afterCreate(r, l), t.json(l, 201);
+      (t = n.tenants) != null && t.beforeCreate && (d = await n.tenants.beforeCreate(r, d));
+      const l = await e.env.data.tenants.create(d);
+      return (c = n.tenants) != null && c.afterCreate && await n.tenants.afterCreate(r, l), e.json(l, 201);
     } catch (i) {
-      throw i instanceof P.ZodError ? new p(400, {
+      throw i instanceof N.ZodError ? new p(400, {
         message: "Validation error",
         cause: i
-      }) : i instanceof Error && ("code" in i && i.code === "SQLITE_CONSTRAINT_PRIMARYKEY" || (d = i.message) != null && d.includes("UNIQUE constraint failed")) ? new p(409, {
+      }) : i instanceof Error && ("code" in i && i.code === "SQLITE_CONSTRAINT_PRIMARYKEY" || (o = i.message) != null && o.includes("UNIQUE constraint failed")) ? new p(409, {
         message: "Tenant with this ID already exists"
       }) : i;
     }
-  }), s.patch("/:id", async (t) => {
+  }), s.patch("/:id", async (e) => {
     var u, m;
-    const a = t.req.param("id");
-    if (e.accessControl) {
-      const _ = t.var.user;
-      if (!(_ != null && _.sub))
+    const t = e.req.param("id");
+    if (a.accessControl) {
+      const v = e.var.user;
+      if (!(v != null && v.sub))
         throw new p(401, {
           message: "Authentication required to update tenants"
         });
-      const g = e.accessControl.mainTenantId;
-      if (a !== g && !(await t.env.data.userOrganizations.listUserOrganizations(
-        g,
-        _.sub,
+      const h = a.accessControl.mainTenantId;
+      if (t !== h && !(await e.env.data.userOrganizations.listUserOrganizations(
+        h,
+        v.sub,
         {}
-      )).organizations.some((y) => y.id === a))
+      )).organizations.some((g) => g.id === t))
         throw new p(403, {
           message: "Access denied to update this tenant"
         });
     }
-    const o = I.partial().parse(await t.req.json()), { id: d, ...i } = o;
-    if (!await t.env.data.tenants.get(a))
+    const c = I.partial().parse(await e.req.json()), { id: o, ...i } = c;
+    if (!await e.env.data.tenants.get(t))
       throw new p(404, {
         message: "Tenant not found"
       });
     const r = {
-      adapters: t.env.data,
-      ctx: t
+      adapters: e.env.data,
+      ctx: e
     };
     let l = i;
-    (u = n.tenants) != null && u.beforeUpdate && (l = await n.tenants.beforeUpdate(r, a, i)), await t.env.data.tenants.update(a, l);
-    const f = await t.env.data.tenants.get(a);
+    (u = n.tenants) != null && u.beforeUpdate && (l = await n.tenants.beforeUpdate(r, t, i)), await e.env.data.tenants.update(t, l);
+    const f = await e.env.data.tenants.get(t);
     if (!f)
       throw new p(404, {
         message: "Tenant not found after update"
       });
-    return (m = n.tenants) != null && m.afterUpdate && await n.tenants.afterUpdate(r, f), t.json(f);
-  }), s.delete("/:id", async (t) => {
-    var i, c;
-    const a = t.req.param("id");
-    if (e.accessControl && a === e.accessControl.mainTenantId)
+    return (m = n.tenants) != null && m.afterUpdate && await n.tenants.afterUpdate(r, f), e.json(f);
+  }), s.delete("/:id", async (e) => {
+    var i, d;
+    const t = e.req.param("id");
+    if (a.accessControl && t === a.accessControl.mainTenantId)
       throw new p(400, {
         message: "Cannot delete the main tenant"
       });
-    if (e.accessControl) {
-      const r = t.var.user;
+    if (a.accessControl) {
+      const r = e.var.user;
       if (!(r != null && r.sub))
         throw new p(401, {
           message: "Authentication required to delete tenants"
         });
-      const l = e.accessControl.mainTenantId;
-      if (!(await t.env.data.userOrganizations.listUserOrganizations(
+      const l = a.accessControl.mainTenantId;
+      if (!(await e.env.data.userOrganizations.listUserOrganizations(
         l,
         r.sub,
         {}
-      )).organizations.some((m) => m.id === a))
+      )).organizations.some((m) => m.id === t))
         throw new p(403, {
           message: "Access denied to delete this tenant"
         });
     }
-    if (!await t.env.data.tenants.get(a))
+    if (!await e.env.data.tenants.get(t))
       throw new p(404, {
         message: "Tenant not found"
       });
-    const d = {
-      adapters: t.env.data,
-      ctx: t
+    const o = {
+      adapters: e.env.data,
+      ctx: e
     };
-    return (i = n.tenants) != null && i.beforeDelete && await n.tenants.beforeDelete(d, a), await t.env.data.tenants.remove(a), (c = n.tenants) != null && c.afterDelete && await n.tenants.afterDelete(d, a), t.body(null, 204);
+    return (i = n.tenants) != null && i.beforeDelete && await n.tenants.beforeDelete(o, t), await e.env.data.tenants.remove(t), (d = n.tenants) != null && d.afterDelete && await n.tenants.afterDelete(o, t), e.body(null, 204);
   }), s;
 }
-function L(e) {
+function X(a, n) {
+  const s = new B();
+  return s.openapi(
+    O({
+      tags: ["tenants"],
+      method: "get",
+      path: "/",
+      request: {
+        query: R
+      },
+      security: [
+        {
+          Bearer: ["auth:read"]
+        }
+      ],
+      responses: {
+        200: {
+          content: {
+            "application/json": {
+              schema: b.object({
+                tenants: b.array(q),
+                start: b.number().optional(),
+                limit: b.number().optional(),
+                length: b.number().optional()
+              })
+            }
+          },
+          description: "List of tenants"
+        }
+      }
+    }),
+    async (e) => {
+      var f, u, m, v;
+      const t = e.req.valid("query"), { page: c, per_page: o, include_totals: i, q: d } = t, r = e.var.user;
+      if (a.accessControl && (r != null && r.sub)) {
+        const h = a.accessControl.mainTenantId, T = (await z(
+          (_) => e.env.data.userOrganizations.listUserOrganizations(
+            h,
+            r.sub,
+            _
+          ),
+          "organizations"
+        )).map((_) => _.id);
+        T.includes(h) || T.push(h);
+        const g = await e.env.data.tenants.list({
+          page: c,
+          per_page: o,
+          include_totals: i,
+          q: d
+        }), y = g.tenants.filter(
+          (_) => T.includes(_.id)
+        );
+        return i ? e.json({
+          tenants: y,
+          start: ((f = g.totals) == null ? void 0 : f.start) ?? 0,
+          limit: ((u = g.totals) == null ? void 0 : u.limit) ?? o,
+          length: y.length
+        }) : e.json({ tenants: y });
+      }
+      const l = await e.env.data.tenants.list({
+        page: c,
+        per_page: o,
+        include_totals: i,
+        q: d
+      });
+      return i ? e.json({
+        tenants: l.tenants,
+        start: ((m = l.totals) == null ? void 0 : m.start) ?? 0,
+        limit: ((v = l.totals) == null ? void 0 : v.limit) ?? o,
+        length: l.tenants.length
+      }) : e.json({ tenants: l.tenants });
+    }
+  ), s.openapi(
+    O({
+      tags: ["tenants"],
+      method: "get",
+      path: "/{id}",
+      request: {
+        params: b.object({
+          id: b.string()
+        })
+      },
+      security: [
+        {
+          Bearer: ["auth:read"]
+        }
+      ],
+      responses: {
+        200: {
+          content: {
+            "application/json": {
+              schema: q
+            }
+          },
+          description: "Tenant details"
+        },
+        404: {
+          description: "Tenant not found"
+        }
+      }
+    }),
+    async (e) => {
+      const { id: t } = e.req.valid("param");
+      if (a.accessControl) {
+        const o = e.var.user, i = a.accessControl.mainTenantId;
+        if (t !== i) {
+          if (!(o != null && o.sub))
+            throw new p(401, {
+              message: "Authentication required"
+            });
+          if (!(await z(
+            (l) => e.env.data.userOrganizations.listUserOrganizations(
+              i,
+              o.sub,
+              l
+            ),
+            "organizations"
+          )).some((l) => l.id === t))
+            throw new p(403, {
+              message: "Access denied to this tenant"
+            });
+        }
+      }
+      const c = await e.env.data.tenants.get(t);
+      if (!c)
+        throw new p(404, {
+          message: "Tenant not found"
+        });
+      return e.json(c);
+    }
+  ), s.openapi(
+    O({
+      tags: ["tenants"],
+      method: "post",
+      path: "/",
+      request: {
+        body: {
+          content: {
+            "application/json": {
+              schema: I
+            }
+          }
+        }
+      },
+      security: [
+        {
+          Bearer: ["auth:write"]
+        }
+      ],
+      responses: {
+        201: {
+          content: {
+            "application/json": {
+              schema: q
+            }
+          },
+          description: "Tenant created"
+        },
+        400: {
+          description: "Validation error"
+        }
+      }
+    }),
+    async (e) => {
+      var d, r;
+      const t = e.var.user;
+      if (!(t != null && t.sub))
+        throw new p(401, {
+          message: "Authentication required to create tenants"
+        });
+      let c = e.req.valid("json");
+      const o = {
+        adapters: e.env.data,
+        ctx: e
+      };
+      (d = n.tenants) != null && d.beforeCreate && (c = await n.tenants.beforeCreate(o, c));
+      const i = await e.env.data.tenants.create(c);
+      return (r = n.tenants) != null && r.afterCreate && await n.tenants.afterCreate(o, i), e.json(i, 201);
+    }
+  ), s.openapi(
+    O({
+      tags: ["tenants"],
+      method: "patch",
+      path: "/{id}",
+      request: {
+        params: b.object({
+          id: b.string()
+        }),
+        body: {
+          content: {
+            "application/json": {
+              schema: b.object(I.shape).partial()
+            }
+          }
+        }
+      },
+      security: [
+        {
+          Bearer: ["auth:write"]
+        }
+      ],
+      responses: {
+        200: {
+          content: {
+            "application/json": {
+              schema: q
+            }
+          },
+          description: "Tenant updated"
+        },
+        403: {
+          description: "Access denied"
+        },
+        404: {
+          description: "Tenant not found"
+        }
+      }
+    }),
+    async (e) => {
+      var l, f;
+      const { id: t } = e.req.valid("param");
+      if (a.accessControl) {
+        const u = e.var.user, m = a.accessControl.mainTenantId;
+        if (!(u != null && u.sub))
+          throw new p(401, {
+            message: "Authentication required"
+          });
+        if (t !== m && !(await z(
+          (w) => e.env.data.userOrganizations.listUserOrganizations(
+            m,
+            u.sub,
+            w
+          ),
+          "organizations"
+        )).some((w) => w.id === t))
+          throw new p(403, {
+            message: "Access denied to this tenant"
+          });
+      }
+      if (!await e.env.data.tenants.get(t))
+        throw new p(404, {
+          message: "Tenant not found"
+        });
+      const o = e.req.valid("json"), i = {
+        adapters: e.env.data,
+        ctx: e
+      };
+      let d = o;
+      (l = n.tenants) != null && l.beforeUpdate && (d = await n.tenants.beforeUpdate(
+        i,
+        t,
+        o
+      )), await e.env.data.tenants.update(t, d);
+      const r = await e.env.data.tenants.get(t);
+      if (!r)
+        throw new p(500, {
+          message: "Failed to retrieve updated tenant"
+        });
+      return (f = n.tenants) != null && f.afterUpdate && await n.tenants.afterUpdate(i, r), e.json(r);
+    }
+  ), s.openapi(
+    O({
+      tags: ["tenants"],
+      method: "delete",
+      path: "/{id}",
+      request: {
+        params: b.object({
+          id: b.string()
+        })
+      },
+      security: [
+        {
+          Bearer: ["auth:write"]
+        }
+      ],
+      responses: {
+        204: {
+          description: "Tenant deleted"
+        },
+        403: {
+          description: "Access denied or cannot delete main tenant"
+        },
+        404: {
+          description: "Tenant not found"
+        }
+      }
+    }),
+    async (e) => {
+      var i, d;
+      const { id: t } = e.req.valid("param");
+      if (a.accessControl) {
+        const r = e.var.user, l = a.accessControl.mainTenantId;
+        if (!(r != null && r.sub))
+          throw new p(401, {
+            message: "Authentication required"
+          });
+        if (t === l)
+          throw new p(403, {
+            message: "Cannot delete the main tenant"
+          });
+        if (!(await z(
+          (m) => e.env.data.userOrganizations.listUserOrganizations(
+            l,
+            r.sub,
+            m
+          ),
+          "organizations"
+        )).some((m) => m.id === t))
+          throw new p(403, {
+            message: "Access denied to this tenant"
+          });
+      }
+      if (!await e.env.data.tenants.get(t))
+        throw new p(404, {
+          message: "Tenant not found"
+        });
+      const o = {
+        adapters: e.env.data,
+        ctx: e
+      };
+      return (i = n.tenants) != null && i.beforeDelete && await n.tenants.beforeDelete(o, t), await e.env.data.tenants.remove(t), (d = n.tenants) != null && d.afterDelete && await n.tenants.afterDelete(o, t), e.body(null, 204);
+    }
+  ), s;
+}
+function k(a) {
   const n = [
     {
       pattern: /\/api\/v2\/resource-servers\/([^/]+)$/,
@@ -552,27 +883,27 @@ function L(e) {
     { pattern: /\/api\/v2\/roles\/([^/]+)$/, type: "role" },
     { pattern: /\/api\/v2\/connections\/([^/]+)$/, type: "connection" }
   ];
-  for (const { pattern: s, type: t } of n) {
-    const a = e.match(s);
-    if (a && a[1])
-      return { type: t, id: a[1] };
+  for (const { pattern: s, type: e } of n) {
+    const t = a.match(s);
+    if (t && t[1])
+      return { type: e, id: t[1] };
   }
   return null;
 }
-async function Y(e, n, s) {
+async function x(a, n, s) {
   try {
     switch (s.type) {
       case "resource_server": {
-        const t = await e.resourceServers.get(n, s.id);
-        return (t == null ? void 0 : t.is_system) === !0;
+        const e = await a.resourceServers.get(n, s.id);
+        return (e == null ? void 0 : e.is_system) === !0;
       }
       case "role": {
-        const t = await e.roles.get(n, s.id);
-        return (t == null ? void 0 : t.is_system) === !0;
+        const e = await a.roles.get(n, s.id);
+        return (e == null ? void 0 : e.is_system) === !0;
       }
       case "connection": {
-        const t = await e.connections.get(n, s.id);
-        return (t == null ? void 0 : t.is_system) === !0;
+        const e = await a.connections.get(n, s.id);
+        return (e == null ? void 0 : e.is_system) === !0;
       }
       default:
         return !1;
@@ -581,101 +912,101 @@ async function Y(e, n, s) {
     return !1;
   }
 }
-function B(e) {
+function ee(a) {
   return {
     resource_server: "resource server",
     role: "role",
     connection: "connection"
-  }[e];
+  }[a];
 }
-function Z() {
-  return async (e, n) => {
-    if (!["PATCH", "PUT", "DELETE"].includes(e.req.method))
+function te() {
+  return async (a, n) => {
+    if (!["PATCH", "PUT", "DELETE"].includes(a.req.method))
       return n();
-    const s = L(e.req.path);
+    const s = k(a.req.path);
     if (!s)
       return n();
-    const t = e.var.tenant_id || e.req.header("x-tenant-id") || e.req.header("tenant-id");
-    if (!t)
+    const e = a.var.tenant_id || a.req.header("x-tenant-id") || a.req.header("tenant-id");
+    if (!e)
       return n();
-    if (await Y(e.env.data, t, s))
+    if (await x(a.env.data, e, s))
       throw new p(403, {
-        message: `This ${B(s.type)} is a system resource and cannot be modified. Make changes in the main tenant instead.`
+        message: `This ${ee(s.type)} is a system resource and cannot be modified. Make changes in the main tenant instead.`
       });
     return n();
   };
 }
-function J(e) {
+function ae(a) {
   return async (n, s) => {
-    if (!e.accessControl)
+    if (!a.accessControl)
       return s();
-    const t = n.var.tenant_id, a = n.var.organization_id;
-    if (!t)
+    const e = n.var.tenant_id, t = n.var.organization_id;
+    if (!e)
       throw new p(400, {
         message: "Tenant ID not found in request"
       });
-    if (!E(
-      a,
+    if (!W(
       t,
-      e.accessControl.mainTenantId
+      e,
+      a.accessControl.mainTenantId
     ))
       throw new p(403, {
-        message: `Access denied to tenant ${t}`
+        message: `Access denied to tenant ${e}`
       });
     return s();
   };
 }
-function X(e) {
+function ne(a) {
   return async (n, s) => {
-    if (!e.subdomainRouting)
+    if (!a.subdomainRouting)
       return s();
     const {
-      baseDomain: t,
-      reservedSubdomains: a = [],
-      resolveSubdomain: o
-    } = e.subdomainRouting, d = n.req.header("host") || "";
+      baseDomain: e,
+      reservedSubdomains: t = [],
+      resolveSubdomain: c
+    } = a.subdomainRouting, o = n.req.header("host") || "";
     let i = null;
-    if (d.endsWith(t)) {
-      const r = d.slice(0, -(t.length + 1));
+    if (o.endsWith(e)) {
+      const r = o.slice(0, -(e.length + 1));
       r && !r.includes(".") && (i = r);
     }
-    if (i && a.includes(i) && (i = null), !i)
-      return e.accessControl && n.set("tenant_id", e.accessControl.mainTenantId), s();
-    let c = null;
-    if (o)
-      c = await o(i);
-    else if (e.subdomainRouting.useOrganizations !== !1 && e.accessControl)
+    if (i && t.includes(i) && (i = null), !i)
+      return a.accessControl && n.set("tenant_id", a.accessControl.mainTenantId), s();
+    let d = null;
+    if (c)
+      d = await c(i);
+    else if (a.subdomainRouting.useOrganizations !== !1 && a.accessControl)
       try {
         const r = await n.env.data.organizations.get(
-          e.accessControl.mainTenantId,
+          a.accessControl.mainTenantId,
           i
         );
-        r && (c = r.id);
+        r && (d = r.id);
       } catch {
       }
-    if (!c)
+    if (!d)
       throw new p(404, {
         message: `Tenant not found for subdomain: ${i}`
       });
-    return n.set("tenant_id", c), s();
+    return n.set("tenant_id", d), s();
   };
 }
-function H(e) {
+function se(a) {
   return async (n, s) => {
-    if (!e.databaseIsolation)
+    if (!a.databaseIsolation)
       return s();
-    const t = n.var.tenant_id;
-    if (!t)
+    const e = n.var.tenant_id;
+    if (!e)
       throw new p(400, {
         message: "Tenant ID not found in request"
       });
     try {
-      const a = await e.databaseIsolation.getAdapters(t);
-      n.env.data = a;
-    } catch (a) {
+      const t = await a.databaseIsolation.getAdapters(e);
+      n.env.data = t;
+    } catch (t) {
       throw console.error(
-        `Failed to resolve database for tenant ${t}:`,
-        a
+        `Failed to resolve database for tenant ${e}:`,
+        t
       ), new p(500, {
         message: "Failed to resolve tenant database"
       });
@@ -683,190 +1014,194 @@ function H(e) {
     return s();
   };
 }
-function M(e) {
-  const n = X(e), s = J(e), t = H(e);
-  return async (a, o) => (await n(a, async () => {
-  }), await s(a, async () => {
-  }), await t(a, async () => {
-  }), o());
+function M(a) {
+  const n = ne(a), s = ae(a), e = se(a);
+  return async (t, c) => (await n(t, async () => {
+  }), await s(t, async () => {
+  }), await e(t, async () => {
+  }), c());
 }
-function re(e) {
-  const n = A(e);
+function fe(a) {
+  const n = $(a);
   return {
     name: "multi-tenancy",
     // Apply multi-tenancy middleware for subdomain routing, database resolution, etc.
-    middleware: M(e),
+    middleware: M(a),
     // Provide lifecycle hooks
     hooks: n,
     // Mount tenant management routes
     routes: [
       {
         path: "/management",
-        handler: S(e, n)
+        handler: D(a, n)
       }
     ],
     // Called when plugin is registered
     onRegister: async () => {
-      console.log("Multi-tenancy plugin registered"), e.accessControl && console.log(
-        `  - Access control enabled (main tenant: ${e.accessControl.mainTenantId})`
-      ), e.subdomainRouting && console.log(
-        `  - Subdomain routing enabled (base domain: ${e.subdomainRouting.baseDomain})`
-      ), e.databaseIsolation && console.log("  - Database isolation enabled");
+      console.log("Multi-tenancy plugin registered"), a.accessControl && console.log(
+        `  - Access control enabled (main tenant: ${a.accessControl.mainTenantId})`
+      ), a.subdomainRouting && console.log(
+        `  - Subdomain routing enabled (base domain: ${a.subdomainRouting.baseDomain})`
+      ), a.databaseIsolation && console.log("  - Database isolation enabled");
     }
   };
 }
-function A(e) {
-  const n = e.accessControl ? j(e.accessControl) : {}, s = e.databaseIsolation ? K(e.databaseIsolation) : {}, t = N(e);
+function $(a) {
+  const n = a.accessControl ? V(a.accessControl) : {}, s = a.databaseIsolation ? L(a.databaseIsolation) : {}, e = Q(a);
   return {
     ...n,
     ...s,
-    tenants: t
+    tenants: e
   };
 }
-function x(e) {
-  const n = new $(), s = A(e);
-  return n.route("/tenants", S(e, s)), n;
+function re(a) {
+  const n = new S(), s = $(a);
+  return n.route("/tenants", D(a, s)), n;
 }
-function ie(e) {
+function me(a) {
   return {
-    hooks: A(e),
-    middleware: M(e),
-    app: x(e),
-    config: e
+    hooks: $(a),
+    middleware: M(a),
+    app: re(a),
+    config: a
   };
 }
-function oe(e) {
+function pe(a) {
   const {
     mainTenantId: n = "main",
     syncResourceServers: s = !0,
-    multiTenancy: t,
-    entityHooks: a,
-    ...o
-  } = e, d = {
-    ...t,
+    multiTenancy: e,
+    entityHooks: t,
+    ...c
+  } = a, o = {
+    ...e,
     accessControl: {
       mainTenantId: n,
       requireOrganizationMatch: !1,
       defaultPermissions: ["tenant:admin"],
-      ...t == null ? void 0 : t.accessControl
+      ...e == null ? void 0 : e.accessControl
     }
-  }, i = A(d);
-  let c, r;
-  s && (c = V({
+  }, i = $(o);
+  let d, r;
+  s && (d = H({
     mainTenantId: n,
-    getChildTenantIds: async () => (await R(
-      (h) => e.dataAdapter.tenants.list(h),
+    getChildTenantIds: async () => (await z(
+      (y) => a.dataAdapter.tenants.list(y),
       "tenants",
       { cursorField: "id", pageSize: 100 }
-    )).filter((h) => h.id !== n).map((h) => h.id),
-    getAdapters: async (y) => e.dataAdapter
-  }), r = G({
+    )).filter((y) => y.id !== n).map((y) => y.id),
+    getAdapters: async (g) => a.dataAdapter
+  }), r = J({
     mainTenantId: n,
-    getMainTenantAdapters: async () => e.dataAdapter,
-    getAdapters: async (y) => e.dataAdapter
+    getMainTenantAdapters: async () => a.dataAdapter,
+    getAdapters: async (g) => a.dataAdapter
   }));
-  const l = async (y, h, ...v) => {
-    const T = [];
-    if (y)
+  const l = async (g, y, ..._) => {
+    const A = [];
+    if (g)
       try {
-        await y(...v);
-      } catch (b) {
-        T.push(b instanceof Error ? b : new Error(String(b)));
+        await g(..._);
+      } catch (C) {
+        A.push(C instanceof Error ? C : new Error(String(C)));
       }
-    if (h)
+    if (y)
       try {
-        await h(...v);
-      } catch (b) {
-        T.push(b instanceof Error ? b : new Error(String(b)));
+        await y(..._);
+      } catch (C) {
+        A.push(C instanceof Error ? C : new Error(String(C)));
       }
-    if (T.length === 1)
-      throw T[0];
-    if (T.length > 1)
+    if (A.length === 1)
+      throw A[0];
+    if (A.length > 1)
       throw new AggregateError(
-        T,
-        `Multiple hook errors: ${T.map((b) => b.message).join("; ")}`
+        A,
+        `Multiple hook errors: ${A.map((C) => C.message).join("; ")}`
       );
   }, f = {
-    ...a,
-    resourceServers: c ? {
-      ...a == null ? void 0 : a.resourceServers,
-      afterCreate: async (y, h) => {
-        var v;
+    ...t,
+    resourceServers: d ? {
+      ...t == null ? void 0 : t.resourceServers,
+      afterCreate: async (g, y) => {
+        var _;
         await l(
-          (v = a == null ? void 0 : a.resourceServers) == null ? void 0 : v.afterCreate,
-          c == null ? void 0 : c.afterCreate,
-          y,
-          h
+          (_ = t == null ? void 0 : t.resourceServers) == null ? void 0 : _.afterCreate,
+          d == null ? void 0 : d.afterCreate,
+          g,
+          y
         );
       },
-      afterUpdate: async (y, h, v) => {
-        var T;
+      afterUpdate: async (g, y, _) => {
+        var A;
         await l(
-          (T = a == null ? void 0 : a.resourceServers) == null ? void 0 : T.afterUpdate,
-          c == null ? void 0 : c.afterUpdate,
+          (A = t == null ? void 0 : t.resourceServers) == null ? void 0 : A.afterUpdate,
+          d == null ? void 0 : d.afterUpdate,
+          g,
           y,
-          h,
-          v
+          _
         );
       },
-      afterDelete: async (y, h) => {
-        var v;
+      afterDelete: async (g, y) => {
+        var _;
         await l(
-          (v = a == null ? void 0 : a.resourceServers) == null ? void 0 : v.afterDelete,
-          c == null ? void 0 : c.afterDelete,
-          y,
-          h
+          (_ = t == null ? void 0 : t.resourceServers) == null ? void 0 : _.afterDelete,
+          d == null ? void 0 : d.afterDelete,
+          g,
+          y
         );
       }
-    } : a == null ? void 0 : a.resourceServers,
+    } : t == null ? void 0 : t.resourceServers,
     tenants: r ? {
-      ...a == null ? void 0 : a.tenants,
-      afterCreate: async (y, h) => {
-        var v;
+      ...t == null ? void 0 : t.tenants,
+      afterCreate: async (g, y) => {
+        var _;
         await l(
-          (v = a == null ? void 0 : a.tenants) == null ? void 0 : v.afterCreate,
+          (_ = t == null ? void 0 : t.tenants) == null ? void 0 : _.afterCreate,
           r == null ? void 0 : r.afterCreate,
-          y,
-          h
+          g,
+          y
         );
       }
-    } : a == null ? void 0 : a.tenants
-  }, u = F({
-    ...o,
-    entityHooks: f
-  }), { app: m, managementApp: _, ...g } = u, w = new $();
-  w.use("/api/v2/*", Z()), w.route("/", m);
-  const C = S(
-    d,
+    } : t == null ? void 0 : t.tenants
+  }, u = X(
+    o,
     i
-  );
-  return w.route("/api/v2/tenants", C), {
-    app: w,
-    managementApp: _,
-    ...g,
-    multiTenancyConfig: d,
+  ), m = K({
+    ...c,
+    entityHooks: f,
+    // Register tenant routes via the extension mechanism
+    // This ensures they go through the full middleware chain (caching, tenant, auth, entity hooks)
+    managementApiExtensions: [
+      ...c.managementApiExtensions || [],
+      { path: "/tenants", router: u }
+    ]
+  }), { app: v, managementApp: h, ...w } = m, T = new S();
+  return T.use("/api/v2/*", te()), T.route("/", v), {
+    app: T,
+    managementApp: h,
+    ...w,
+    multiTenancyConfig: o,
     multiTenancyHooks: i
   };
 }
 export {
-  le as MANAGEMENT_API_SCOPES,
-  j as createAccessControlHooks,
-  J as createAccessControlMiddleware,
-  K as createDatabaseHooks,
-  H as createDatabaseMiddleware,
-  x as createMultiTenancy,
-  A as createMultiTenancyHooks,
+  he as MANAGEMENT_API_SCOPES,
+  V as createAccessControlHooks,
+  ae as createAccessControlMiddleware,
+  L as createDatabaseHooks,
+  se as createDatabaseMiddleware,
+  re as createMultiTenancy,
+  $ as createMultiTenancyHooks,
   M as createMultiTenancyMiddleware,
-  re as createMultiTenancyPlugin,
-  Z as createProtectSyncedMiddleware,
-  N as createProvisioningHooks,
-  V as createResourceServerSyncHooks,
-  X as createSubdomainMiddleware,
-  G as createTenantResourceServerSyncHooks,
-  S as createTenantsRouter,
-  R as fetchAll,
-  oe as init,
-  ue as seed,
-  ie as setupMultiTenancy,
-  E as validateTenantAccess
+  fe as createMultiTenancyPlugin,
+  te as createProtectSyncedMiddleware,
+  Q as createProvisioningHooks,
+  H as createResourceServerSyncHooks,
+  ne as createSubdomainMiddleware,
+  J as createTenantResourceServerSyncHooks,
+  D as createTenantsRouter,
+  z as fetchAll,
+  pe as init,
+  ye as seed,
+  me as setupMultiTenancy,
+  W as validateTenantAccess
 };