@authhero/multi-tenancy 13.6.0 → 13.8.0

package/dist/multi-tenancy.d.ts

@@ -1,6 +1,6 @@
 // Generated by dts-bundle-generator v9.5.1
 
-import { z } from '@hono/zod-openapi';
+import { OpenAPIHono, z } from '@hono/zod-openapi';
 import { Context, Hono, MiddlewareHandler } from 'hono';
 import { FC } from 'hono/jsx';
 import { CountryCode } from 'libphonenumber-js';
@@ -9262,6 +9262,8 @@ export type Variables = {
 		sub: string;
 		tenant_id: string;
 	};
+	organization_id?: string;
+	org_name?: string;
 	loginSession?: LoginSession;
 	auth0_client?: Auth0Client$1;
 	useragent?: string;
@@ -9543,6 +9545,22 @@ export interface EntityHooksConfig {
 	connections?: EntityHooks<Connection, ConnectionInsert>;
 	tenants?: EntityHooks<Tenant, CreateTenantParams>;
 }
+/**
+ * Route extension for the management API.
+ *
+ * Allows registering additional OpenAPI routes that go through the full
+ * middleware chain (caching, tenant resolution, auth, entity hooks).
+ */
+export interface ManagementApiExtension {
+	/** The path prefix for the routes (e.g., "/tenants") */
+	path: string;
+	/**
+	 * The OpenAPI router to mount at the path.
+	 * Use `any` to allow routers with extended Bindings/Variables types
+	 * (e.g., from multi-tenancy package).
+	 */
+	router: OpenAPIHono<any, any, any>;
+}
 export interface AuthHeroConfig {
 	dataAdapter: DataAdapters;
 	allowedOrigins?: string[];
@@ -9562,6 +9580,31 @@ export interface AuthHeroConfig {
 	 * Use these to implement cross-tenant sync, audit logging, webhooks, etc.
 	 */
 	entityHooks?: EntityHooksConfig;
+	/**
+	 * Additional routes to mount on the management API.
+	 *
+	 * These routes go through the full middleware chain:
+	 * - CORS
+	 * - Data hooks & caching
+	 * - Client info extraction
+	 * - Tenant resolution
+	 * - Authentication (reads OpenAPI security definitions)
+	 * - Entity hooks
+	 *
+	 * @example
+	 * ```typescript
+	 * import { init } from "authhero";
+	 * import { createTenantsOpenAPIRouter } from "@authhero/multi-tenancy";
+	 *
+	 * const { app } = init({
+	 *   dataAdapter,
+	 *   managementApiExtensions: [
+	 *     { path: "/tenants", router: createTenantsOpenAPIRouter(config, hooks) }
+	 *   ]
+	 * });
+	 * ```
+	 */
+	managementApiExtensions?: ManagementApiExtension[];
 }
 export type SendEmailParams = {
 	emailProvider: EmailProvider;
@@ -9684,9 +9727,17 @@ export interface SeedOptions {
 	 */
 	tenantName?: string;
 	/**
-	 * The audience URL for the tenant
+	 * The audience URL for the tenant.
+	 * For the main/management tenant, defaults to `urn:authhero:management`.
+	 * For child tenants, use `getTenantAudience(tenantId)` to generate `urn:authhero:tenant:{tenantId}`.
 	 */
 	audience?: string;
+	/**
+	 * Whether this is the main/management tenant.
+	 * If true, the audience will default to `urn:authhero:management`.
+	 * @default true
+	 */
+	isMainTenant?: boolean;
 	/**
 	 * The default client ID (defaults to "default")
 	 */
@@ -18964,6 +19015,7 @@ export interface MultiTenancyBindings {
 export interface MultiTenancyVariables {
 	tenant_id: string;
 	organization_id?: string;
+	org_name?: string;
 	user?: {
 		sub: string;
 		tenant_id: string;
@@ -18981,33 +19033,33 @@ export type MultiTenancyContext = Context<{
  * Configuration for organization-based tenant access control.
  *
  * This enables a model where:
- * - A "main" tenant manages all other tenants
- * - Organizations on the main tenant correspond to child tenants
+ * - A "control plane" tenant manages all other tenants
+ * - Organizations on the control plane correspond to child tenants
  * - Tokens with an org claim can access the matching tenant
- * - Tokens without an org claim can only access the main tenant
+ * - Tokens without an org claim can only access the control plane
  */
 export interface AccessControlConfig {
 	/**
-	 * The main/management tenant ID.
-	 * This is the "master" tenant that manages all other tenants.
+	 * The control plane tenant ID.
+	 * This is the tenant that manages all other tenants.
 	 * Tokens without an organization claim can access this tenant.
 	 */
-	mainTenantId: string;
+	controlPlaneTenantId: string;
 	/**
 	 * If true, tokens must have an organization claim matching the target tenant ID
-	 * (except for main tenant access where no org is required).
+	 * (except for control plane access where no org is required).
 	 * @default true
 	 */
 	requireOrganizationMatch?: boolean;
 	/**
 	 * Permissions to automatically grant when creating an organization
-	 * for a new tenant on the main tenant.
+	 * for a new tenant on the control plane.
 	 * @example ["tenant:admin", "tenant:read", "tenant:write"]
 	 */
 	defaultPermissions?: string[];
 	/**
 	 * Roles to automatically assign to the organization when created.
-	 * These roles should exist on the main tenant.
+	 * These roles should exist on the control plane.
 	 */
 	defaultRoles?: string[];
 	/**
@@ -19085,18 +19137,18 @@ export interface DatabaseIsolationConfig {
 /**
  * Configuration for tenant settings inheritance.
  *
- * This enables child tenants to inherit default settings from the main tenant,
+ * This enables child tenants to inherit default settings from the control plane,
  * reducing configuration overhead and ensuring consistency.
  */
 export interface SettingsInheritanceConfig {
 	/**
-	 * If true, new tenants will inherit settings from the main tenant
+	 * If true, new tenants will inherit settings from the control plane
 	 * as their default configuration.
 	 * @default true
 	 */
-	inheritFromMain?: boolean;
+	inheritFromControlPlane?: boolean;
 	/**
-	 * Specific settings keys to inherit from the main tenant.
+	 * Specific settings keys to inherit from the control plane.
 	 * If not provided, all settings are inherited.
 	 */
 	inheritedKeys?: (keyof Tenant$1)[];
@@ -19108,13 +19160,13 @@ export interface SettingsInheritanceConfig {
 	/**
 	 * Custom function to transform inherited settings before applying.
 	 */
-	transformSettings?: (mainTenantSettings: Partial<Tenant$1>, newTenantId: string) => Partial<Tenant$1>;
+	transformSettings?: (controlPlaneSettings: Partial<Tenant$1>, newTenantId: string) => Partial<Tenant$1>;
 }
 /**
  * Configuration for subdomain-based tenant routing.
  *
  * This enables using subdomains to route requests to different tenants,
- * where the subdomain matches an organization ID on the main tenant.
+ * where the subdomain matches an organization ID on the control plane.
  */
 export interface SubdomainRoutingConfig {
 	/**
@@ -19124,7 +19176,7 @@ export interface SubdomainRoutingConfig {
 	baseDomain: string;
 	/**
 	 * If true, use organizations to resolve subdomains to tenants.
-	 * The subdomain will be matched against organization IDs on the main tenant.
+	 * The subdomain will be matched against organization IDs on the control plane.
 	 * @default true
 	 */
 	useOrganizations?: boolean;
@@ -19146,13 +19198,13 @@ export interface SubdomainRoutingConfig {
  *
  * - **accessControl**: Organization-based tenant access validation
  * - **databaseIsolation**: Per-tenant database instances
- * - **settingsInheritance**: Inherit settings from main tenant
+ * - **settingsInheritance**: Inherit settings from control plane
  * - **subdomainRouting**: Route requests via subdomains
  */
 export interface MultiTenancyConfig {
 	/**
 	 * Organization-based access control configuration.
-	 * Links organizations on the main tenant to tenant access.
+	 * Links organizations on the control plane to tenant access.
 	 */
 	accessControl?: AccessControlConfig;
 	/**
@@ -19189,7 +19241,7 @@ export interface TenantHookContext {
  * ```typescript
  * const tenantHooks: TenantEntityHooks = {
  *   afterCreate: async (ctx, tenant) => {
- *     // Copy resource servers from main tenant
+ *     // Copy resource servers from the control plane
  *     await syncResourceServersToNewTenant(ctx, tenant);
  *   },
  *   beforeDelete: async (ctx, tenantId) => {
@@ -19279,8 +19331,10 @@ export interface TokenWithOrg {
  * Creates hooks for organization-based tenant access control.
  *
  * This implements the following access model:
- * - Main tenant: Accessible without an organization claim
+ * - Control plane: Accessible without an organization claim
  * - Child tenants: Require an organization claim matching the tenant ID
+ *   - org_name (organization name) takes precedence and should match tenant ID
+ *   - org_id (organization ID) is checked as fallback
  *
  * @param config - Access control configuration
  * @returns Hooks for access validation
@@ -19290,11 +19344,12 @@ export declare function createAccessControlHooks(config: AccessControlConfig): P
  * Validates that a token can access a specific tenant based on its organization claim.
  *
  * @param organizationId - The organization ID from the token (may be undefined)
+ * @param orgName - The organization name from the token (may be undefined, takes precedence)
  * @param targetTenantId - The tenant ID being accessed
- * @param mainTenantId - The main/management tenant ID
+ * @param controlPlaneTenantId - The control plane/management tenant ID
  * @returns true if access is allowed
  */
-export declare function validateTenantAccess(organizationId: string | undefined, targetTenantId: string, mainTenantId: string): boolean;
+export declare function validateTenantAccess(organizationId: string | undefined, targetTenantId: string, controlPlaneTenantId: string, orgName?: string): boolean;
 /**
  * Creates hooks for per-tenant database resolution.
  *
@@ -19331,7 +19386,8 @@ export interface DatabaseFactory {
  * Creates hooks for tenant provisioning and deprovisioning.
  *
  * This handles:
- * - Creating organizations on the main tenant when a new tenant is created
+ * - Setting the correct audience for new tenants (urn:authhero:tenant:{id})
+ * - Creating organizations on the control plane when a new tenant is created
  * - Provisioning databases for new tenants
  * - Cleaning up organizations and databases when tenants are deleted
  *
@@ -19344,12 +19400,12 @@ export declare function createProvisioningHooks(config: MultiTenancyConfig): Ten
  */
 export interface ResourceServerSyncConfig {
 	/**
-	 * The main tenant ID from which resource servers are synced
+	 * The control plane tenant ID from which resource servers are synced
 	 */
-	mainTenantId: string;
+	controlPlaneTenantId: string;
 	/**
 	 * Function to get the list of all tenant IDs to sync to.
-	 * Called when a resource server is created/updated/deleted on the main tenant.
+	 * Called when a resource server is created/updated/deleted on the control plane.
 	 */
 	getChildTenantIds: () => Promise<string[]>;
 	/**
@@ -19382,9 +19438,9 @@ export interface ResourceServerEntityHooks {
 	afterDelete?: (ctx: EntityHookContext$1, id: string) => Promise<void>;
 }
 /**
- * Creates entity hooks for syncing resource servers from the main tenant to all child tenants.
+ * Creates entity hooks for syncing resource servers from the control plane to all child tenants.
  *
- * When a resource server is created, updated, or deleted on the main tenant,
+ * When a resource server is created, updated, or deleted on the control plane,
  * the change is automatically propagated to all child tenants.
  *
  * @param config - Resource server sync configuration
@@ -19395,7 +19451,7 @@ export interface ResourceServerEntityHooks {
  * import { createResourceServerSyncHooks } from "@authhero/multi-tenancy";
  *
  * const resourceServerHooks = createResourceServerSyncHooks({
- *   mainTenantId: "main",
+ *   controlPlaneTenantId: "main",
  *   getChildTenantIds: async () => {
  *     const tenants = await db.tenants.list();
  *     return tenants.filter(t => t.id !== "main").map(t => t.id);
@@ -19420,14 +19476,14 @@ export declare function createResourceServerSyncHooks(config: ResourceServerSync
  */
 export interface TenantResourceServerSyncConfig {
 	/**
-	 * The main tenant ID from which resource servers are copied
+	 * The control plane tenant ID from which resource servers are copied
 	 */
-	mainTenantId: string;
+	controlPlaneTenantId: string;
 	/**
-	 * Function to get adapters for the main tenant.
+	 * Function to get adapters for the control plane.
 	 * Used to read existing resource servers.
 	 */
-	getMainTenantAdapters: () => Promise<DataAdapters$1>;
+	getControlPlaneAdapters: () => Promise<DataAdapters$1>;
 	/**
 	 * Function to get adapters for the new tenant.
 	 * Used to write resource servers to the new tenant.
@@ -19446,7 +19502,7 @@ export interface TenantResourceServerSyncConfig {
 	transformForSync?: (resourceServer: ResourceServer$1, targetTenantId: string) => ResourceServerInsert$1;
 }
 /**
- * Creates a tenant afterCreate hook that copies all resource servers from the main tenant
+ * Creates a tenant afterCreate hook that copies all resource servers from the control plane
  * to a newly created tenant.
  *
  * This should be used with the MultiTenancyHooks.tenants.afterCreate hook.
@@ -19459,8 +19515,8 @@ export interface TenantResourceServerSyncConfig {
  * import { createTenantResourceServerSyncHooks } from "@authhero/multi-tenancy";
  *
  * const resourceServerSyncHooks = createTenantResourceServerSyncHooks({
- *   mainTenantId: "main",
- *   getMainTenantAdapters: async () => mainAdapters,
+ *   controlPlaneTenantId: "main",
+ *   getControlPlaneAdapters: async () => controlPlaneAdapters,
  *   getAdapters: async (tenantId) => createAdaptersForTenant(tenantId),
  * });
  *
@@ -19472,13 +19528,151 @@ export interface TenantResourceServerSyncConfig {
  * ```
  */
 export declare function createTenantResourceServerSyncHooks(config: TenantResourceServerSyncConfig): TenantEntityHooks;
+/**
+ * Configuration for role synchronization
+ */
+export interface RoleSyncConfig {
+	/**
+	 * The control plane tenant ID from which roles are synced
+	 */
+	controlPlaneTenantId: string;
+	/**
+	 * Function to get the list of all tenant IDs to sync to.
+	 * Called when a role is created/updated/deleted on the control plane.
+	 */
+	getChildTenantIds: () => Promise<string[]>;
+	/**
+	 * Function to get adapters for a specific tenant.
+	 * Used to write roles to child tenants.
+	 */
+	getAdapters: (tenantId: string) => Promise<DataAdapters$1>;
+	/**
+	 * Optional: Filter function to determine if a role should be synced.
+	 * Return true to sync, false to skip.
+	 * @default All roles are synced
+	 */
+	shouldSync?: (role: Role$1) => boolean;
+	/**
+	 * Optional: Transform the role before syncing to child tenants.
+	 * Useful for modifying names or removing sensitive data.
+	 */
+	transformForSync?: (role: Role$1, targetTenantId: string) => RoleInsert$1;
+}
+interface EntityHookContext$2 {
+	tenantId: string;
+	adapters: DataAdapters$1;
+}
+/**
+ * Entity hooks for role CRUD operations
+ */
+export interface RoleEntityHooks {
+	afterCreate?: (ctx: EntityHookContext$2, entity: Role$1) => Promise<void>;
+	afterUpdate?: (ctx: EntityHookContext$2, id: string, entity: Role$1) => Promise<void>;
+	afterDelete?: (ctx: EntityHookContext$2, id: string) => Promise<void>;
+}
+/**
+ * Creates entity hooks for syncing roles from the control plane to all child tenants.
+ *
+ * When a role is created, updated, or deleted on the control plane,
+ * the change is automatically propagated to all child tenants.
+ *
+ * @param config - Role sync configuration
+ * @returns Entity hooks for role synchronization
+ *
+ * @example
+ * ```typescript
+ * import { createRoleSyncHooks } from "@authhero/multi-tenancy";
+ *
+ * const roleHooks = createRoleSyncHooks({
+ *   controlPlaneTenantId: "main",
+ *   getChildTenantIds: async () => {
+ *     const tenants = await db.tenants.list();
+ *     return tenants.filter(t => t.id !== "main").map(t => t.id);
+ *   },
+ *   getAdapters: async (tenantId) => {
+ *     return createAdaptersForTenant(tenantId);
+ *   },
+ * });
+ *
+ * // Use with AuthHero config
+ * const config: AuthHeroConfig = {
+ *   dataAdapter,
+ *   entityHooks: {
+ *     roles: roleHooks,
+ *   },
+ * };
+ * ```
+ */
+export declare function createRoleSyncHooks(config: RoleSyncConfig): RoleEntityHooks;
+/**
+ * Configuration for syncing roles to new tenants
+ */
+export interface TenantRoleSyncConfig {
+	/**
+	 * The control plane tenant ID from which roles are copied
+	 */
+	controlPlaneTenantId: string;
+	/**
+	 * Function to get adapters for the control plane.
+	 * Used to read existing roles.
+	 */
+	getControlPlaneAdapters: () => Promise<DataAdapters$1>;
+	/**
+	 * Function to get adapters for the new tenant.
+	 * Used to write roles to the new tenant.
+	 */
+	getAdapters: (tenantId: string) => Promise<DataAdapters$1>;
+	/**
+	 * Optional: Filter function to determine if a role should be synced.
+	 * Return true to sync, false to skip.
+	 * @default All roles are synced
+	 */
+	shouldSync?: (role: Role$1) => boolean;
+	/**
+	 * Optional: Transform the role before syncing to the new tenant.
+	 * Useful for modifying names or removing sensitive data.
+	 */
+	transformForSync?: (role: Role$1, targetTenantId: string) => RoleInsert$1;
+	/**
+	 * Whether to also sync role permissions (scopes from resource servers).
+	 * @default true
+	 */
+	syncPermissions?: boolean;
+}
+/**
+ * Creates a tenant afterCreate hook that copies all roles from the control plane
+ * to a newly created tenant.
+ *
+ * This should be used with the MultiTenancyHooks.tenants.afterCreate hook.
+ *
+ * @param config - Configuration for tenant role sync
+ * @returns A TenantEntityHooks object with afterCreate implemented
+ *
+ * @example
+ * ```typescript
+ * import { createTenantRoleSyncHooks } from "@authhero/multi-tenancy";
+ *
+ * const roleSyncHooks = createTenantRoleSyncHooks({
+ *   controlPlaneTenantId: "main",
+ *   getControlPlaneAdapters: async () => controlPlaneAdapters,
+ *   getAdapters: async (tenantId) => createAdaptersForTenant(tenantId),
+ * });
+ *
+ * const multiTenancyHooks: MultiTenancyHooks = {
+ *   tenants: {
+ *     afterCreate: roleSyncHooks.afterCreate,
+ *   },
+ * };
+ * ```
+ */
+export declare function createTenantRoleSyncHooks(config: TenantRoleSyncConfig): TenantEntityHooks;
 /**
  * Creates the tenant management routes.
  *
  * These routes handle CRUD operations for tenants and should be mounted
  * on a management API path (e.g., /management/tenants).
  *
- * Access to these routes should be restricted to the main tenant.
+ * Access to these routes should be restricted to the control plane.
  *
  * @param config - Multi-tenancy configuration
  * @param hooks - Multi-tenancy hooks for lifecycle events
@@ -19504,10 +19698,10 @@ export interface ProtectSystemVariables {
  * Creates middleware to protect system resources from modification.
  *
  * This middleware intercepts write operations (PATCH, PUT, DELETE) on
- * entities that are marked as system entities from the main tenant and returns a 403
+ * entities that are marked as system entities from the control plane and returns a 403
  * error if modification is attempted.
  *
- * System resources can only be modified in the main tenant, and changes
+ * System resources can only be modified in the control plane, and changes
  * will be propagated to child tenants automatically.
  *
  * @returns Hono middleware handler
@@ -19530,7 +19724,7 @@ export declare function createProtectSyncedMiddleware(): MiddlewareHandler<{
  * This middleware checks that the token's organization claim matches
  * the target tenant ID, implementing the access control model where:
  *
- * - Main tenant: Accessible without an organization claim
+ * - Control plane: Accessible without an organization claim
  * - Child tenants: Require an organization claim matching the tenant ID
  *
  * @param config - Multi-tenancy configuration
@@ -19542,7 +19736,7 @@ export declare function createProtectSyncedMiddleware(): MiddlewareHandler<{
  *
  * const middleware = createAccessControlMiddleware({
  *   accessControl: {
- *     mainTenantId: "main",
+ *     controlPlaneTenantId: "main",
  *   },
  * });
  *
@@ -19557,7 +19751,7 @@ export declare function createAccessControlMiddleware(config: MultiTenancyConfig
  * Creates middleware for resolving tenants from subdomains.
  *
  * This middleware extracts the subdomain from the request host and
- * resolves it to a tenant ID using organizations on the main tenant.
+ * resolves it to a tenant ID using organizations on the control plane.
  *
  * @param config - Multi-tenancy configuration
  * @returns Hono middleware handler
@@ -19572,7 +19766,7 @@ export declare function createAccessControlMiddleware(config: MultiTenancyConfig
  *     reservedSubdomains: ["www", "api", "admin"],
  *   },
  *   accessControl: {
- *     mainTenantId: "main",
+ *     controlPlaneTenantId: "main",
  *   },
  * });
  *
@@ -19718,7 +19912,7 @@ export interface AuthHeroPlugin {
  *   plugins: [
  *     createMultiTenancyPlugin({
  *       accessControl: {
- *         mainTenantId: "main",
+ *         controlPlaneTenantId: "main",
  *         defaultPermissions: ["tenant:admin"],
  *       },
  *       subdomainRouting: {
@@ -19745,7 +19939,7 @@ export declare function createMultiTenancyPlugin(config: MultiTenancyConfig): Au
  *
  * const hooks = createMultiTenancyHooks({
  *   accessControl: {
- *     mainTenantId: "main",
+ *     controlPlaneTenantId: "main",
  *     defaultPermissions: ["tenant:admin"],
  *   },
  *   databaseIsolation: {
@@ -19773,7 +19967,7 @@ export declare function createMultiTenancyHooks(config: MultiTenancyConfig): Mul
  *
  * const multiTenancyApp = createMultiTenancy({
  *   accessControl: {
- *     mainTenantId: "main",
+ *     controlPlaneTenantId: "main",
  *   },
  * });
  *
@@ -19800,7 +19994,7 @@ export declare function createMultiTenancy(config: MultiTenancyConfig): Hono<{
  *
  * const multiTenancy = setupMultiTenancy({
  *   accessControl: {
- *     mainTenantId: "main",
+ *     controlPlaneTenantId: "main",
  *   },
  *   subdomainRouting: {
  *     baseDomain: "auth.example.com",
@@ -19834,38 +20028,50 @@ export declare function setupMultiTenancy(config: MultiTenancyConfig): {
 /**
  * Configuration for multi-tenant AuthHero initialization.
  */
-export interface MultiTenantAuthHeroConfig extends Omit<AuthHeroConfig, "entityHooks"> {
+export interface MultiTenantAuthHeroConfig extends Omit<AuthHeroConfig, "entityHooks" | "managementApiExtensions"> {
 	/**
-	 * The main tenant ID that manages all other tenants.
+	 * The control plane tenant ID that manages all other tenants.
 	 * This tenant can create, update, and delete other tenants.
 	 * @default "main"
 	 */
-	mainTenantId?: string;
+	controlPlaneTenantId?: string;
 	/**
-	 * Whether to sync resource servers from the main tenant to child tenants.
-	 * When enabled, resource servers created on the main tenant are automatically
+	 * Whether to sync resource servers from the control plane to child tenants.
+	 * When enabled, resource servers created on the control plane are automatically
 	 * copied to all other tenants.
 	 * @default true
 	 */
 	syncResourceServers?: boolean;
+	/**
+	 * Whether to sync roles from the control plane to child tenants.
+	 * When enabled, roles created on the control plane are automatically
+	 * copied to all other tenants (including their permissions).
+	 * @default true
+	 */
+	syncRoles?: boolean;
 	/**
 	 * Additional multi-tenancy configuration options.
 	 */
 	multiTenancy?: Omit<MultiTenancyConfig, "accessControl"> & {
-		accessControl?: Omit<NonNullable<MultiTenancyConfig["accessControl"]>, "mainTenantId">;
+		accessControl?: Omit<NonNullable<MultiTenancyConfig["accessControl"]>, "controlPlaneTenantId">;
 	};
 	/**
 	 * Entity hooks configuration.
 	 * Resource server and tenant hooks will be merged with the sync hooks.
 	 */
 	entityHooks?: AuthHeroConfig["entityHooks"];
+	/**
+	 * Additional routes to mount on the management API.
+	 * Note: The tenant CRUD routes are automatically added by multi-tenancy.
+	 */
+	managementApiExtensions?: ManagementApiExtension[];
 }
 /**
  * Initializes a multi-tenant AuthHero server.
  *
  * This wraps the standard AuthHero `init()` function and adds:
  * - Tenant CRUD routes (list, create, update, delete) at /api/v2/tenants
- * - Resource server synchronization from main tenant to child tenants
+ * - Resource server synchronization from control plane to child tenants
  * - Tenant creation hooks to copy resource servers to new tenants
  *
  * @param config - Multi-tenant AuthHero configuration
@@ -19880,7 +20086,7 @@ export interface MultiTenantAuthHeroConfig extends Omit<AuthHeroConfig, "entityH
  *
  * const { app } = init({
  *   dataAdapter,
- *   mainTenantId: "main",
+ *   controlPlaneTenantId: "main",
  *   syncResourceServers: true,
  * });
  *
@@ -20385,6 +20591,7 @@ export declare function init(config: MultiTenantAuthHeroConfig): {
 						grant_type: "client_credentials";
 						scope?: string | undefined;
 						audience?: string | undefined;
+						organization?: string | undefined;
 						client_id?: string | undefined;
 						client_secret?: string | undefined;
 					} | {
@@ -20419,6 +20626,7 @@ export declare function init(config: MultiTenantAuthHeroConfig): {
 						grant_type: "client_credentials";
 						scope?: string | undefined;
 						audience?: string | undefined;
+						organization?: string | undefined;
 						client_id?: string | undefined;
 						client_secret?: string | undefined;
 					} | {
@@ -20458,6 +20666,7 @@ export declare function init(config: MultiTenantAuthHeroConfig): {
 						grant_type: "client_credentials";
 						scope?: string | undefined;
 						audience?: string | undefined;
+						organization?: string | undefined;
 						client_id?: string | undefined;
 						client_secret?: string | undefined;
 					} | {
@@ -20492,6 +20701,7 @@ export declare function init(config: MultiTenantAuthHeroConfig): {
 						grant_type: "client_credentials";
 						scope?: string | undefined;
 						audience?: string | undefined;
+						organization?: string | undefined;
 						client_id?: string | undefined;
 						client_secret?: string | undefined;
 					} | {
@@ -20539,6 +20749,7 @@ export declare function init(config: MultiTenantAuthHeroConfig): {
 						grant_type: "client_credentials";
 						scope?: string | undefined;
 						audience?: string | undefined;
+						organization?: string | undefined;
 						client_id?: string | undefined;
 						client_secret?: string | undefined;
 					} | {
@@ -20573,6 +20784,7 @@ export declare function init(config: MultiTenantAuthHeroConfig): {
 						grant_type: "client_credentials";
 						scope?: string | undefined;
 						audience?: string | undefined;
+						organization?: string | undefined;
 						client_id?: string | undefined;
 						client_secret?: string | undefined;
 					} | {
@@ -20615,6 +20827,7 @@ export declare function init(config: MultiTenantAuthHeroConfig): {
 						grant_type: "client_credentials";
 						scope?: string | undefined;
 						audience?: string | undefined;
+						organization?: string | undefined;
 						client_id?: string | undefined;
 						client_secret?: string | undefined;
 					} | {
@@ -20649,6 +20862,7 @@ export declare function init(config: MultiTenantAuthHeroConfig): {
 						grant_type: "client_credentials";
 						scope?: string | undefined;
 						audience?: string | undefined;
+						organization?: string | undefined;
 						client_id?: string | undefined;
 						client_secret?: string | undefined;
 					} | {
@@ -20691,6 +20905,7 @@ export declare function init(config: MultiTenantAuthHeroConfig): {
 						grant_type: "client_credentials";
 						scope?: string | undefined;
 						audience?: string | undefined;
+						organization?: string | undefined;
 						client_id?: string | undefined;
 						client_secret?: string | undefined;
 					} | {
@@ -20725,6 +20940,7 @@ export declare function init(config: MultiTenantAuthHeroConfig): {
 						grant_type: "client_credentials";
 						scope?: string | undefined;
 						audience?: string | undefined;
+						organization?: string | undefined;
 						client_id?: string | undefined;
 						client_secret?: string | undefined;
 					} | {
@@ -22663,7 +22879,7 @@ export declare function init(config: MultiTenantAuthHeroConfig): {
 					};
 				} & {
 					header: {
-						"tenant-id": string;
+						"tenant-id"?: string | undefined;
 					};
 				};
 				output: {
@@ -22699,7 +22915,7 @@ export declare function init(config: MultiTenantAuthHeroConfig): {
 					};
 				} & {
 					header: {
-						"tenant-id": string;
+						"tenant-id"?: string | undefined;
 					};
 				};
 				output: {
@@ -22719,7 +22935,7 @@ export declare function init(config: MultiTenantAuthHeroConfig): {
 			$post: {
 				input: {
 					header: {
-						"tenant-id": string;
+						"tenant-id"?: string | undefined;
 					};
 				} & {
 					json: {
@@ -22749,7 +22965,7 @@ export declare function init(config: MultiTenantAuthHeroConfig): {
 					};
 				} & {
 					header: {
-						"tenant-id": string;
+						"tenant-id"?: string | undefined;
 					};
 				} & {
 					json: {
@@ -22779,7 +22995,7 @@ export declare function init(config: MultiTenantAuthHeroConfig): {
 					};
 				} & {
 					header: {
-						"tenant-id": string;
+						"tenant-id"?: string | undefined;
 					};
 				};
 				output: {};
@@ -22804,7 +23020,7 @@ export declare function init(config: MultiTenantAuthHeroConfig): {
 					};
 				} & {
 					header: {
-						"tenant-id": string;
+						"tenant-id"?: string | undefined;
 					};
 				};
 				output: {
@@ -22826,7 +23042,7 @@ export declare function init(config: MultiTenantAuthHeroConfig): {
 					};
 				} & {
 					header: {
-						"tenant-id": string;
+						"tenant-id"?: string | undefined;
 					};
 				} & {
 					json: {
@@ -22850,7 +23066,7 @@ export declare function init(config: MultiTenantAuthHeroConfig): {
 					};
 				} & {
 					header: {
-						"tenant-id": string;
+						"tenant-id"?: string | undefined;
 					};
 				} & {
 					json: {