npm - @authhero/multi-tenancy - Versions diffs - 14.13.0 → 14.15.0 - Mend

@authhero/multi-tenancy 14.13.0 → 14.15.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/multi-tenancy.cjs +1 -1
package/dist/multi-tenancy.mjs +330 -312
package/dist/types/init.d.ts.map +1 -1
package/package.json +4 -4

package/dist/multi-tenancy.mjs CHANGED Viewed

@@ -1,30 +1,30 @@
-var Y = Object.defineProperty;
-var Z = (e, t, n) => t in e ? Y(e, t, { enumerable: !0, configurable: !0, writable: !0, value: n }) : e[t] = n;
-var M = (e, t, n) => Z(e, typeof t != "symbol" ? t + "" : t, n);
-import { Hono as x } from "hono";
-import { MANAGEMENT_API_SCOPES as ee, MANAGEMENT_API_AUDIENCE as Q, fetchAll as z, auth0QuerySchema as te, tenantSchema as N, tenantInsertSchema as ne, connectionSchema as re, connectionOptionsSchema as se, init as ae } from "authhero";
-import { OpenAPIHono as oe, createRoute as O, z as S } from "@hono/zod-openapi";
-function ie(e) {
+var Z = Object.defineProperty;
+var x = (e, t, n) => t in e ? Z(e, t, { enumerable: !0, configurable: !0, writable: !0, value: n }) : e[t] = n;
+var q = (e, t, n) => x(e, typeof t != "symbol" ? t + "" : t, n);
+import { Hono as ee } from "hono";
+import { MANAGEMENT_API_SCOPES as te, MANAGEMENT_API_AUDIENCE as V, fetchAll as M, auth0QuerySchema as ne, tenantSchema as B, tenantInsertSchema as re, connectionSchema as ae, connectionOptionsSchema as se, init as oe } from "authhero";
+import { OpenAPIHono as ie, createRoute as j, z } from "@hono/zod-openapi";
+function ce(e) {
   const { controlPlaneTenantId: t, requireOrganizationMatch: n = !0 } = e;
   return {
-    async onTenantAccessValidation(r, s) {
-      if (s === t)
+    async onTenantAccessValidation(r, a) {
+      if (a === t)
         return !0;
       if (n) {
-        const a = r.var.org_name, o = r.var.organization_id, i = a || o;
-        return i ? i.toLowerCase() === s.toLowerCase() : !1;
+        const s = r.var.org_name, o = r.var.organization_id, i = s || o;
+        return i ? i.toLowerCase() === a.toLowerCase() : !1;
       }
       return !0;
     }
   };
 }
-function ce(e, t, n, r) {
+function le(e, t, n, r) {
   if (t === n)
     return !0;
-  const s = r || e;
-  return s ? s.toLowerCase() === t.toLowerCase() : !1;
+  const a = r || e;
+  return a ? a.toLowerCase() === t.toLowerCase() : !1;
 }
-function le(e) {
+function ue(e) {
   return {
     async resolveDataAdapters(t) {
       try {
@@ -39,23 +39,23 @@ function le(e) {
     }
   };
 }
-function ue(e) {
+function de(e) {
   return `urn:authhero:tenant:${e.toLowerCase()}`;
 }
-function de(e) {
+function J(e) {
   return {
     async beforeCreate(t, n) {
       return !n.audience && n.id ? {
         ...n,
-        audience: ue(n.id)
+        audience: de(n.id)
       } : n;
     },
     async afterCreate(t, n) {
-      const { accessControl: r, databaseIsolation: s } = e;
-      r && t.ctx && await fe(t, n, r), s != null && s.onProvision && await s.onProvision(n.id);
+      const { accessControl: r, databaseIsolation: a } = e;
+      r && t.ctx && await fe(t, n, r), a != null && a.onProvision && await a.onProvision(n.id);
     },
     async beforeDelete(t, n) {
-      const { accessControl: r, databaseIsolation: s } = e;
+      const { accessControl: r, databaseIsolation: a } = e;
       if (r)
         try {
           const o = (await t.adapters.organizations.list(
@@ -65,19 +65,19 @@ function de(e) {
             r.controlPlaneTenantId,
             o.id
           );
-        } catch (a) {
+        } catch (s) {
           console.warn(
             `Failed to remove organization for tenant ${n}:`,
-            a
+            s
           );
         }
-      if (s != null && s.onDeprovision)
+      if (a != null && a.onDeprovision)
         try {
-          await s.onDeprovision(n);
-        } catch (a) {
+          await a.onDeprovision(n);
+        } catch (s) {
           console.warn(
             `Failed to deprovision database for tenant ${n}:`,
-            a
+            s
           );
         }
     }
@@ -86,8 +86,8 @@ function de(e) {
 async function fe(e, t, n) {
   const {
     controlPlaneTenantId: r,
-    defaultPermissions: s,
-    defaultRoles: a,
+    defaultPermissions: a,
+    defaultRoles: s,
     issuer: o,
     adminRoleName: i = "Tenant Admin",
     adminRoleDescription: u = "Full access to all tenant management operations",
@@ -130,10 +130,10 @@ async function fe(e, t, n) {
         );
       }
   }
-  a && a.length > 0 && console.log(
-    `Would assign roles ${a.join(", ")} to organization ${l.id}`
-  ), s && s.length > 0 && console.log(
-    `Would grant permissions ${s.join(", ")} to organization ${l.id}`
+  s && s.length > 0 && console.log(
+    `Would assign roles ${s.join(", ")} to organization ${l.id}`
+  ), a && a.length > 0 && console.log(
+    `Would grant permissions ${a.join(", ")} to organization ${l.id}`
   );
 }
 async function me(e, t, n) {
@@ -144,10 +144,10 @@ async function me(e, t, n) {
     ""
     // Empty string for global roles
   );
-  for (const s of r)
+  for (const a of r)
     if ((await e.adapters.rolePermissions.list(
       t,
-      s.id,
+      a.id,
       { per_page: 1e3 }
     )).some(
       (i) => i.permission_name === "admin:organizations"
@@ -156,13 +156,13 @@ async function me(e, t, n) {
   return !1;
 }
 async function ge(e, t, n, r) {
-  const a = (await e.adapters.roles.list(t, {})).roles.find((c) => c.name === n);
-  if (a)
-    return a.id;
+  const s = (await e.adapters.roles.list(t, {})).roles.find((c) => c.name === n);
+  if (s)
+    return s.id;
   const o = await e.adapters.roles.create(t, {
     name: n,
     description: r
-  }), i = Q, u = ee.map((c) => ({
+  }), i = V, u = te.map((c) => ({
     role_id: o.id,
     resource_server_identifier: i,
     permission_name: c.value
@@ -173,8 +173,8 @@ async function ge(e, t, n, r) {
     u
   ), o.id;
 }
-function H(e, t, n = () => !0) {
-  const { controlPlaneTenantId: r, getChildTenantIds: s, getAdapters: a } = e, o = /* @__PURE__ */ new Map();
+function G(e, t, n = () => !0) {
+  const { controlPlaneTenantId: r, getChildTenantIds: a, getAdapters: s } = e, o = /* @__PURE__ */ new Map();
   async function i(l, g, d) {
     return (await t(l).list(g, {
       q: `name:${d}`,
@@ -182,19 +182,19 @@ function H(e, t, n = () => !0) {
     }))[0] ?? null;
   }
   async function u(l) {
-    const g = await s(), d = t(await a(r));
+    const g = await a(), d = t(await s(r));
     await Promise.all(
       g.map(async (f) => {
         try {
-          const m = await a(f), w = t(m), p = {
+          const m = await s(f), w = t(m), h = {
             ...d.transform(l),
             is_system: !0
-          }, y = await i(m, f, l.name), _ = y ? w.getId(y) : void 0;
-          if (y && _) {
-            const T = w.preserveOnUpdate ? w.preserveOnUpdate(y, p) : p;
-            await w.update(f, _, T);
+          }, _ = await i(m, f, l.name), P = _ ? w.getId(_) : void 0;
+          if (_ && P) {
+            const b = w.preserveOnUpdate ? w.preserveOnUpdate(_, h) : h;
+            await w.update(f, P, b);
           } else
-            await w.create(f, p);
+            await w.create(f, h);
         } catch (m) {
           console.error(
             `Failed to sync ${d.listKey} "${l.name}" to tenant "${f}":`,
@@ -205,12 +205,12 @@ function H(e, t, n = () => !0) {
     );
   }
   async function c(l) {
-    const g = await s();
+    const g = await a();
     await Promise.all(
       g.map(async (d) => {
         try {
-          const f = await a(d), m = t(f), w = await i(f, d, l), h = w ? m.getId(w) : void 0;
-          w && h && await m.remove(d, h);
+          const f = await s(d), m = t(f), w = await i(f, d, l), C = w ? m.getId(w) : void 0;
+          w && C && await m.remove(d, C);
         } catch (f) {
           console.error(
             `Failed to delete entity "${l}" from tenant "${d}":`,
@@ -239,13 +239,13 @@ function H(e, t, n = () => !0) {
     }
   };
 }
-function B(e, t, n = () => !0) {
-  const { controlPlaneTenantId: r, getControlPlaneAdapters: s, getAdapters: a } = e;
+function U(e, t, n = () => !0) {
+  const { controlPlaneTenantId: r, getControlPlaneAdapters: a, getAdapters: s } = e;
   return {
     async afterCreate(o, i) {
       if (i.id !== r)
         try {
-          const u = await s(), c = await a(i.id), l = t(u), g = t(c), d = await z(
+          const u = await a(), c = await s(i.id), l = t(u), g = t(c), d = await M(
             (f) => l.listPaginated(r, f),
             l.listKey,
             { cursorField: "id", pageSize: 100 }
@@ -275,7 +275,7 @@ function B(e, t, n = () => !0) {
     }
   };
 }
-const G = (e) => ({
+const L = (e) => ({
   list: async (t, n) => (await e.resourceServers.list(t, n)).resource_servers,
   listPaginated: (t, n) => e.resourceServers.list(t, n),
   get: (t, n) => e.resourceServers.get(t, n),
@@ -293,7 +293,7 @@ const G = (e) => ({
     token_lifetime: t.token_lifetime,
     token_lifetime_for_web: t.token_lifetime_for_web
   })
-}), U = (e) => ({
+}), H = (e) => ({
   list: async (t, n) => (await e.roles.list(t, n)).roles,
   listPaginated: (t, n) => e.roles.list(t, n),
   get: (t, n) => e.roles.get(t, n),
@@ -308,92 +308,92 @@ const G = (e) => ({
     description: t.description
   })
 });
-function L(e) {
+function W(e) {
   var t;
   return ((t = e.metadata) == null ? void 0 : t.sync) !== !1;
 }
 function we(e) {
-  const { sync: t = {}, filters: n = {} } = e, r = t.resourceServers ?? !0, s = t.roles ?? !0, a = (m) => L(m) ? n.resourceServers ? n.resourceServers(m) : !0 : !1, o = (m) => L(m) ? n.roles ? n.roles(m) : !0 : !1, i = r ? H(
+  const { sync: t = {}, filters: n = {} } = e, r = t.resourceServers ?? !0, a = t.roles ?? !0, s = (m) => W(m) ? n.resourceServers ? n.resourceServers(m) : !0 : !1, o = (m) => W(m) ? n.roles ? n.roles(m) : !0 : !1, i = r ? G(
     e,
-    G,
-    a
-  ) : void 0, u = s ? H(e, U, o) : void 0, c = r ? B(
+    L,
+    s
+  ) : void 0, u = a ? G(e, H, o) : void 0, c = r ? U(
     e,
-    G,
-    a
-  ) : void 0, l = s ? B(
+    L,
+    s
+  ) : void 0, l = a ? U(
     e,
-    U,
+    H,
     o
-  ) : void 0, g = s ? {
+  ) : void 0, g = a ? {
     async afterCreate(m, w) {
-      var h;
+      var C;
       if (w.id !== e.controlPlaneTenantId) {
-        await ((h = l == null ? void 0 : l.afterCreate) == null ? void 0 : h.call(l, m, w));
+        await ((C = l == null ? void 0 : l.afterCreate) == null ? void 0 : C.call(l, m, w));
         try {
-          const p = await e.getControlPlaneAdapters(), y = await e.getAdapters(w.id), _ = await z(
-            (C) => p.roles.list(
+          const h = await e.getControlPlaneAdapters(), _ = await e.getAdapters(w.id), P = await M(
+            (p) => h.roles.list(
               e.controlPlaneTenantId,
-              C
+              p
             ),
             "roles",
             { cursorField: "id", pageSize: 100 }
-          ), T = /* @__PURE__ */ new Map();
-          for (const C of _.filter(
-            (v) => {
-              var P;
-              return ((P = n.roles) == null ? void 0 : P.call(n, v)) ?? !0;
+          ), b = /* @__PURE__ */ new Map();
+          for (const p of P.filter(
+            (T) => {
+              var y;
+              return ((y = n.roles) == null ? void 0 : y.call(n, T)) ?? !0;
             }
           )) {
-            const v = await d(
-              y,
+            const T = await d(
+              _,
               w.id,
-              C.name
+              p.name
             );
-            v && T.set(C.name, v.id);
+            T && b.set(p.name, T.id);
           }
-          for (const C of _.filter(
-            (v) => {
-              var P;
-              return ((P = n.roles) == null ? void 0 : P.call(n, v)) ?? !0;
+          for (const p of P.filter(
+            (T) => {
+              var y;
+              return ((y = n.roles) == null ? void 0 : y.call(n, T)) ?? !0;
             }
           )) {
-            const v = T.get(C.name);
-            if (v)
+            const T = b.get(p.name);
+            if (T)
               try {
-                const P = await p.rolePermissions.list(
+                const y = await h.rolePermissions.list(
                   e.controlPlaneTenantId,
-                  C.id,
+                  p.id,
                   {}
                 );
-                P.length > 0 && await y.rolePermissions.assign(
+                y.length > 0 && await _.rolePermissions.assign(
                   w.id,
-                  v,
-                  P.map((A) => ({
-                    role_id: v,
-                    resource_server_identifier: A.resource_server_identifier,
-                    permission_name: A.permission_name
+                  T,
+                  y.map((R) => ({
+                    role_id: T,
+                    resource_server_identifier: R.resource_server_identifier,
+                    permission_name: R.permission_name
                   }))
                 );
-              } catch (P) {
+              } catch (y) {
                 console.error(
-                  `Failed to sync permissions for role "${C.name}" to tenant "${w.id}":`,
-                  P
+                  `Failed to sync permissions for role "${p.name}" to tenant "${w.id}":`,
+                  y
                 );
               }
           }
-        } catch (p) {
+        } catch (h) {
           console.error(
             `Failed to sync role permissions to tenant "${w.id}":`,
-            p
+            h
           );
         }
       }
     }
   } : void 0;
-  async function d(m, w, h) {
+  async function d(m, w, C) {
     return (await m.roles.list(w, {
-      q: `name:${h}`,
+      q: `name:${C}`,
       per_page: 1
     })).roles[0] ?? null;
   }
@@ -404,28 +404,28 @@ function we(e) {
     },
     tenantHooks: {
       async afterCreate(m, w) {
-        const h = [
+        const C = [
           c == null ? void 0 : c.afterCreate,
           (g == null ? void 0 : g.afterCreate) ?? (l == null ? void 0 : l.afterCreate)
-        ], p = [];
-        for (const y of h)
-          if (y)
+        ], h = [];
+        for (const _ of C)
+          if (_)
             try {
-              await y(m, w);
-            } catch (_) {
-              p.push(_ instanceof Error ? _ : new Error(String(_)));
+              await _(m, w);
+            } catch (P) {
+              h.push(P instanceof Error ? P : new Error(String(P)));
             }
-        if (p.length === 1) throw p[0];
-        if (p.length > 1)
+        if (h.length === 1) throw h[0];
+        if (h.length > 1)
           throw new AggregateError(
-            p,
-            p.map((y) => y.message).join("; ")
+            h,
+            h.map((_) => _.message).join("; ")
           );
       }
     }
   };
 }
-var b = class extends Error {
+var S = class extends Error {
   /**
    * Creates an instance of `HTTPException`.
    * @param status - HTTP status code for the exception. Defaults to 500.
@@ -433,8 +433,8 @@ var b = class extends Error {
    */
   constructor(t = 500, n) {
     super(n == null ? void 0 : n.message, { cause: n == null ? void 0 : n.cause });
-    M(this, "res");
-    M(this, "status");
+    q(this, "res");
+    q(this, "status");
     this.res = n == null ? void 0 : n.res, this.status = t;
   }
   /**
@@ -451,15 +451,15 @@ var b = class extends Error {
     });
   }
 };
-function q(e, t) {
-  const n = new oe();
+function k(e, t) {
+  const n = new ie();
   return n.openapi(
-    O({
+    j({
       tags: ["tenants"],
       method: "get",
       path: "/",
       request: {
-        query: te
+        query: ne
       },
       security: [
         {
@@ -470,11 +470,11 @@ function q(e, t) {
         200: {
           content: {
             "application/json": {
-              schema: S.object({
-                tenants: S.array(N),
-                start: S.number().optional(),
-                limit: S.number().optional(),
-                length: S.number().optional()
+              schema: z.object({
+                tenants: z.array(B),
+                start: z.number().optional(),
+                limit: z.number().optional(),
+                length: z.number().optional()
               })
             }
           },
@@ -483,75 +483,75 @@ function q(e, t) {
       }
     }),
     async (r) => {
-      var m, w, h, p, y, _;
-      const s = r.req.valid("query"), { page: a, per_page: o, include_totals: i, q: u } = s, c = r.var.user, l = (c == null ? void 0 : c.permissions) || [];
+      var m, w, C, h, _, P;
+      const a = r.req.valid("query"), { page: s, per_page: o, include_totals: i, q: u } = a, c = r.var.user, l = (c == null ? void 0 : c.permissions) || [];
       if (l.includes("auth:read") || l.includes("admin:organizations")) {
-        const T = await r.env.data.tenants.list({
-          page: a,
+        const b = await r.env.data.tenants.list({
+          page: s,
           per_page: o,
           include_totals: i,
           q: u
         });
         return i ? r.json({
-          tenants: T.tenants,
-          start: ((m = T.totals) == null ? void 0 : m.start) ?? 0,
-          limit: ((w = T.totals) == null ? void 0 : w.limit) ?? o,
-          length: T.tenants.length
-        }) : r.json({ tenants: T.tenants });
+          tenants: b.tenants,
+          start: ((m = b.totals) == null ? void 0 : m.start) ?? 0,
+          limit: ((w = b.totals) == null ? void 0 : w.limit) ?? o,
+          length: b.tenants.length
+        }) : r.json({ tenants: b.tenants });
       }
-      const d = ((h = e.accessControl) == null ? void 0 : h.controlPlaneTenantId) ?? ((p = r.env.data.multiTenancyConfig) == null ? void 0 : p.controlPlaneTenantId);
+      const d = ((C = e.accessControl) == null ? void 0 : C.controlPlaneTenantId) ?? ((h = r.env.data.multiTenancyConfig) == null ? void 0 : h.controlPlaneTenantId);
       if (d && (c != null && c.sub)) {
-        const C = (await z(
-          ($) => r.env.data.userOrganizations.listUserOrganizations(
+        const p = (await M(
+          (I) => r.env.data.userOrganizations.listUserOrganizations(
             d,
             c.sub,
-            $
+            I
           ),
           "organizations"
-        )).map(($) => $.name);
-        if (C.length === 0)
+        )).map((I) => I.name);
+        if (p.length === 0)
           return i ? r.json({
             tenants: [],
             start: 0,
             limit: o ?? 50,
             length: 0
           }) : r.json({ tenants: [] });
-        const v = C.length, P = a ?? 0, A = o ?? 50, R = P * A, I = C.slice(R, R + A);
-        if (I.length === 0)
+        const T = p.length, y = s ?? 0, R = o ?? 50, F = y * R, D = p.slice(F, F + R);
+        if (D.length === 0)
           return i ? r.json({
             tenants: [],
-            start: R,
-            limit: A,
-            length: v
+            start: F,
+            limit: R,
+            length: T
           }) : r.json({ tenants: [] });
-        const k = I.map(($) => `id:${$}`).join(" OR "), X = u ? `(${k}) AND (${u})` : k, E = await r.env.data.tenants.list({
-          q: X,
-          per_page: A,
+        const A = D.map((I) => `id:${I}`).join(" OR "), v = u ? `(${A}) AND (${u})` : A, $ = await r.env.data.tenants.list({
+          q: v,
+          per_page: R,
           include_totals: !1
           // We calculate totals from accessibleTenantIds
         });
         return i ? r.json({
-          tenants: E.tenants,
-          start: R,
-          limit: A,
-          length: v
-        }) : r.json({ tenants: E.tenants });
+          tenants: $.tenants,
+          start: F,
+          limit: R,
+          length: T
+        }) : r.json({ tenants: $.tenants });
       }
       const f = await r.env.data.tenants.list({
-        page: a,
+        page: s,
         per_page: o,
         include_totals: i,
         q: u
       });
       return i ? r.json({
         tenants: f.tenants,
-        start: ((y = f.totals) == null ? void 0 : y.start) ?? 0,
-        limit: ((_ = f.totals) == null ? void 0 : _.limit) ?? o,
+        start: ((_ = f.totals) == null ? void 0 : _.start) ?? 0,
+        limit: ((P = f.totals) == null ? void 0 : P.limit) ?? o,
         length: f.tenants.length
       }) : r.json({ tenants: f.tenants });
     }
   ), n.openapi(
-    O({
+    j({
       tags: ["tenants"],
       method: "post",
       path: "/",
@@ -559,7 +559,7 @@ function q(e, t) {
         body: {
           content: {
             "application/json": {
-              schema: ne
+              schema: re
             }
           }
         }
@@ -573,7 +573,7 @@ function q(e, t) {
         201: {
           content: {
             "application/json": {
-              schema: N
+              schema: B
             }
           },
           description: "Tenant created"
@@ -588,28 +588,28 @@ function q(e, t) {
     }),
     async (r) => {
       var u, c;
-      const s = r.var.user;
-      if (!(s != null && s.sub))
-        throw new b(401, {
+      const a = r.var.user;
+      if (!(a != null && a.sub))
+        throw new S(401, {
           message: "Authentication required to create tenants"
         });
-      let a = r.req.valid("json");
+      let s = r.req.valid("json");
       const o = {
         adapters: r.env.data,
         ctx: r
       };
-      (u = t.tenants) != null && u.beforeCreate && (a = await t.tenants.beforeCreate(o, a));
-      const i = await r.env.data.tenants.create(a);
+      (u = t.tenants) != null && u.beforeCreate && (s = await t.tenants.beforeCreate(o, s));
+      const i = await r.env.data.tenants.create(s);
       return (c = t.tenants) != null && c.afterCreate && await t.tenants.afterCreate(o, i), r.json(i, 201);
     }
   ), n.openapi(
-    O({
+    j({
       tags: ["tenants"],
       method: "delete",
       path: "/{id}",
       request: {
-        params: S.object({
-          id: S.string()
+        params: z.object({
+          id: z.string()
         })
       },
       security: [
@@ -631,38 +631,38 @@ function q(e, t) {
     }),
     async (r) => {
       var u, c, l, g;
-      const { id: s } = r.req.valid("param"), a = ((u = e.accessControl) == null ? void 0 : u.controlPlaneTenantId) ?? ((c = r.env.data.multiTenancyConfig) == null ? void 0 : c.controlPlaneTenantId);
-      if (a) {
+      const { id: a } = r.req.valid("param"), s = ((u = e.accessControl) == null ? void 0 : u.controlPlaneTenantId) ?? ((c = r.env.data.multiTenancyConfig) == null ? void 0 : c.controlPlaneTenantId);
+      if (s) {
         const d = r.var.user;
         if (!(d != null && d.sub))
-          throw new b(401, {
+          throw new S(401, {
             message: "Authentication required"
           });
-        if (s === a)
-          throw new b(403, {
+        if (a === s)
+          throw new S(403, {
             message: "Cannot delete the control plane"
           });
-        if (!(await z(
+        if (!(await M(
           (w) => r.env.data.userOrganizations.listUserOrganizations(
-            a,
+            s,
             d.sub,
             w
           ),
           "organizations"
-        )).some((w) => w.name === s))
-          throw new b(403, {
+        )).some((w) => w.name === a))
+          throw new S(403, {
             message: "Access denied to this tenant"
           });
       }
-      if (!await r.env.data.tenants.get(s))
-        throw new b(404, {
+      if (!await r.env.data.tenants.get(a))
+        throw new S(404, {
           message: "Tenant not found"
         });
       const i = {
         adapters: r.env.data,
         ctx: r
       };
-      return (l = t.tenants) != null && l.beforeDelete && await t.tenants.beforeDelete(i, s), await r.env.data.tenants.remove(s), (g = t.tenants) != null && g.afterDelete && await t.tenants.afterDelete(i, s), r.body(null, 204);
+      return (l = t.tenants) != null && l.beforeDelete && await t.tenants.beforeDelete(i, a), await r.env.data.tenants.remove(a), (g = t.tenants) != null && g.afterDelete && await t.tenants.afterDelete(i, a), r.body(null, 204);
     }
   ), n;
 }
@@ -676,9 +676,9 @@ function pe(e) {
     { pattern: /\/api\/v2\/connections\/([^/]+)$/, type: "connection" }
   ];
   for (const { pattern: n, type: r } of t) {
-    const s = e.match(n);
-    if (s && s[1])
-      return { type: r, id: s[1] };
+    const a = e.match(n);
+    if (a && a[1])
+      return { type: r, id: a[1] };
   }
   return null;
 }
@@ -722,19 +722,19 @@ function ve() {
     if (!r)
       return t();
     if (await ye(e.env.data, r, n))
-      throw new b(403, {
+      throw new S(403, {
         message: `This ${he(n.type)} is a system resource and cannot be modified. Make changes in the control plane instead.`
       });
     return t();
   };
 }
-function D(e, t) {
+function E(e, t) {
   const n = t.find(
-    (s) => s.strategy === e.strategy
+    (a) => a.strategy === e.strategy
   );
   if (!(n != null && n.options))
     return e;
-  const r = re.passthrough().parse({
+  const r = ae.passthrough().parse({
     ...n,
     ...e
   });
@@ -743,7 +743,7 @@ function D(e, t) {
     ...e.options
   }), r;
 }
-function F(e, t) {
+function O(e, t) {
   const n = [...t || [], ...e || []];
   return [...new Set(n)];
 }
@@ -759,7 +759,7 @@ function _e(e, t) {
     n.set(r.value, r);
   return Array.from(n.values());
 }
-function W(e, t) {
+function K(e, t) {
   return t ? {
     ...e,
     scopes: _e(
@@ -768,25 +768,25 @@ function W(e, t) {
     )
   } : e;
 }
-function K(e, t) {
+function Q(e, t) {
   return t ? {
     ...e,
-    callbacks: F(e.callbacks, t.callbacks),
-    web_origins: F(
+    callbacks: O(e.callbacks, t.callbacks),
+    web_origins: O(
       e.web_origins,
       t.web_origins
     ),
-    allowed_logout_urls: F(
+    allowed_logout_urls: O(
       e.allowed_logout_urls,
       t.allowed_logout_urls
     ),
-    allowed_origins: F(
+    allowed_origins: O(
       e.allowed_origins,
       t.allowed_origins
     )
   } : e;
 }
-function Te(e, t) {
+function Ce(e, t) {
   const { controlPlaneTenantId: n, controlPlaneClientId: r } = t;
   return {
     ...e,
@@ -797,25 +797,25 @@ function Te(e, t) {
     },
     connections: {
       ...e.connections,
-      get: async (s, a) => {
+      get: async (a, s) => {
         const o = await e.connections.get(
-          s,
-          a
+          a,
+          s
         );
-        if (!o || !n || s === n)
+        if (!o || !n || a === n)
           return o;
         const i = await e.connections.list(n);
-        return D(
+        return E(
           o,
           i.connections || []
         );
       },
-      list: async (s, a) => {
-        const o = await e.connections.list(s, a);
-        if (!n || s === n)
+      list: async (a, s) => {
+        const o = await e.connections.list(a, s);
+        if (!n || a === n)
           return o;
         const i = await e.connections.list(n), u = o.connections.map(
-          (c) => D(
+          (c) => E(
             c,
             i.connections || []
           )
@@ -828,16 +828,16 @@ function Te(e, t) {
     },
     clientConnections: {
       ...e.clientConnections,
-      listByClient: async (s, a) => {
+      listByClient: async (a, s) => {
         let o = await e.clientConnections.listByClient(
-          s,
-          a
+          a,
+          s
         );
-        if (o.length === 0 && (o = (await e.connections.list(s)).connections || []), !n || s === n)
+        if (o.length === 0 && (o = (await e.connections.list(a)).connections || []), !n || a === n)
           return o;
         const i = await e.connections.list(n);
         return o.map(
-          (u) => D(
+          (u) => E(
             u,
             i.connections || []
           )
@@ -846,70 +846,70 @@ function Te(e, t) {
     },
     clients: {
       ...e.clients,
-      get: async (s, a) => {
-        const o = await e.clients.get(s, a);
+      get: async (a, s) => {
+        const o = await e.clients.get(a, s);
         if (!o)
           return null;
-        if (!n || !r || s === n && a === r)
+        if (!n || !r || a === n && s === r)
           return o;
         const i = await e.clients.get(
           n,
           r
         );
-        return K(o, i);
+        return Q(o, i);
       },
-      getByClientId: async (s) => {
-        const a = await e.clients.getByClientId(s);
-        if (!a)
+      getByClientId: async (a) => {
+        const s = await e.clients.getByClientId(a);
+        if (!s)
           return null;
-        if (!n || !r || a.tenant_id === n && a.client_id === r)
-          return a;
+        if (!n || !r || s.tenant_id === n && s.client_id === r)
+          return s;
         const o = await e.clients.get(
           n,
           r
         );
         return {
-          ...K(a, o),
-          tenant_id: a.tenant_id
+          ...Q(s, o),
+          tenant_id: s.tenant_id
         };
       }
     },
     emailProviders: {
       ...e.emailProviders,
-      get: async (s) => {
-        const a = await e.emailProviders.get(s);
-        return a || (!n || s === n ? null : e.emailProviders.get(n));
+      get: async (a) => {
+        const s = await e.emailProviders.get(a);
+        return s || (!n || a === n ? null : e.emailProviders.get(n));
       }
     },
     resourceServers: {
       ...e.resourceServers,
-      get: async (s, a) => {
+      get: async (a, s) => {
         const o = await e.resourceServers.get(
-          s,
-          a
+          a,
+          s
         );
-        if (!o || !n || s === n)
+        if (!o || !n || a === n)
           return o;
         const u = (await e.resourceServers.list(
           n,
           { q: `identifier:${o.identifier}`, per_page: 1 }
         )).resource_servers[0] ?? null;
-        return W(
+        return K(
           o,
           u
         );
       },
-      list: async (s, a) => {
+      list: async (a, s) => {
         const o = await e.resourceServers.list(
-          s,
-          a
+          a,
+          s
         );
-        if (!n || s === n)
+        if (!n || a === n)
           return o;
         const i = await e.resourceServers.list(n), u = new Map(
           i.resource_servers.map((l) => [l.identifier, l])
         ), c = o.resource_servers.map(
-          (l) => W(
+          (l) => K(
             l,
             u.get(l.identifier) ?? null
           )
@@ -925,10 +925,10 @@ function Te(e, t) {
     // - branding: Fall back to control plane branding/themes
   };
 }
-function V(e, t) {
-  return Te(e, t);
+function X(e, t) {
+  return Ce(e, t);
 }
-function Ce(e) {
+function Te(e) {
   return async (t, n) => {
     const r = t.var.user;
     return (r == null ? void 0 : r.tenant_id) === e && r.org_name && t.set("tenant_id", r.org_name), n();
@@ -938,44 +938,44 @@ function Pe(e) {
   return async (t, n) => {
     if (!e.accessControl)
       return n();
-    const { controlPlaneTenantId: r } = e.accessControl, s = t.var.org_name, a = t.var.organization_id, o = s || a;
+    const { controlPlaneTenantId: r } = e.accessControl, a = t.var.org_name, s = t.var.organization_id, o = a || s;
     let i = t.var.tenant_id;
-    const u = t.var.user, l = (u != null && u.aud ? Array.isArray(u.aud) ? u.aud : [u.aud] : []).includes(Q);
+    const u = t.var.user, l = (u != null && u.aud ? Array.isArray(u.aud) ? u.aud : [u.aud] : []).includes(V);
     if (!i && o && l && (t.set("tenant_id", o), i = o), !i)
-      throw new b(400, {
+      throw new S(400, {
         message: "Tenant ID not found in request"
       });
-    if (!ce(
-      a,
+    if (!le(
+      s,
       i,
       r,
-      s
+      a
     ))
-      throw new b(403, {
+      throw new S(403, {
         message: `Access denied to tenant ${i}`
       });
     return n();
   };
 }
-function Ae(e) {
+function be(e) {
   return async (t, n) => {
     if (!e.subdomainRouting)
       return n();
     const {
       baseDomain: r,
-      reservedSubdomains: s = [],
-      resolveSubdomain: a
+      reservedSubdomains: a = [],
+      resolveSubdomain: s
     } = e.subdomainRouting, o = t.req.header("host") || "";
     let i = null;
     if (o.endsWith(r)) {
       const c = o.slice(0, -(r.length + 1));
       c && !c.includes(".") && (i = c);
     }
-    if (i && s.includes(i) && (i = null), !i)
+    if (i && a.includes(i) && (i = null), !i)
       return e.accessControl && t.set("tenant_id", e.accessControl.controlPlaneTenantId), n();
     let u = null;
-    if (a)
-      u = await a(i);
+    if (s)
+      u = await s(i);
     else if (e.subdomainRouting.useOrganizations !== !1 && e.accessControl)
       try {
         const c = await t.env.data.organizations.get(
@@ -986,41 +986,41 @@ function Ae(e) {
       } catch {
       }
     if (!u)
-      throw new b(404, {
+      throw new S(404, {
         message: `Tenant not found for subdomain: ${i}`
       });
     return t.set("tenant_id", u), n();
   };
 }
-function be(e) {
+function Ae(e) {
   return async (t, n) => {
     if (!e.databaseIsolation)
       return n();
     const r = t.var.tenant_id;
     if (!r)
-      throw new b(400, {
+      throw new S(400, {
         message: "Tenant ID not found in request"
       });
     try {
-      const s = await e.databaseIsolation.getAdapters(r);
-      t.env.data = s;
-    } catch (s) {
+      const a = await e.databaseIsolation.getAdapters(r);
+      t.env.data = a;
+    } catch (a) {
       throw console.error(
         `Failed to resolve database for tenant ${r}:`,
-        s
-      ), new b(500, {
+        a
+      ), new S(500, {
         message: "Failed to resolve tenant database"
       });
     }
     return n();
   };
 }
-function J(e) {
-  const t = Ae(e), n = Pe(e), r = be(e);
-  return async (s, a) => (await t(s, async () => {
-  }), await n(s, async () => {
-  }), await r(s, async () => {
-  }), a());
+function Y(e) {
+  const t = be(e), n = Pe(e), r = Ae(e);
+  return async (a, s) => (await t(a, async () => {
+  }), await n(a, async () => {
+  }), await r(a, async () => {
+  }), s());
 }
 function Fe(e) {
   const {
@@ -1028,9 +1028,9 @@ function Fe(e) {
     controlPlane: n,
     controlPlane: {
       tenantId: r = "control_plane",
-      clientId: s
+      clientId: a
     } = {},
-    sync: a = { resourceServers: !0, roles: !0 },
+    sync: s = { resourceServers: !0, roles: !0 },
     defaultPermissions: o = ["tenant:admin"],
     requireOrganizationMatch: i = !1,
     managementApiExtensions: u = [],
@@ -1040,39 +1040,45 @@ function Fe(e) {
     ...d
   } = e;
   let f = t, m = t;
-  n && (f = V(t, {
+  n && (f = X(t, {
     controlPlaneTenantId: r,
-    controlPlaneClientId: s
+    controlPlaneClientId: a
   }), m = {
     ...t,
     multiTenancyConfig: {
       controlPlaneTenantId: r,
-      controlPlaneClientId: s
+      controlPlaneClientId: a
     }
   });
-  const w = a !== !1, h = w ? {
-    resourceServers: a.resourceServers ?? !0,
-    roles: a.roles ?? !0
-  } : { resourceServers: !1, roles: !1 }, _ = {
+  const w = s !== !1, C = w ? {
+    resourceServers: s.resourceServers ?? !0,
+    roles: s.roles ?? !0
+  } : { resourceServers: !1, roles: !1 }, P = {
     controlPlaneTenantId: r,
-    getChildTenantIds: l ?? (async () => (await z(
-      (I) => f.tenants.list(I),
+    getChildTenantIds: l ?? (async () => (await M(
+      (v) => f.tenants.list(v),
       "tenants",
       { cursorField: "id", pageSize: 100 }
-    )).filter((I) => I.id !== r).map((I) => I.id)),
+    )).filter((v) => v.id !== r).map((v) => v.id)),
     getAdapters: g ?? (async () => f),
     getControlPlaneAdapters: async () => f,
-    sync: h
-  }, { entityHooks: T, tenantHooks: C } = we(_), v = {
+    sync: C
+  }, { entityHooks: b, tenantHooks: p } = we(P), T = {
     resourceServers: [
-      T.resourceServers,
+      b.resourceServers,
       ...(c == null ? void 0 : c.resourceServers) ?? []
     ],
-    roles: [T.roles, ...(c == null ? void 0 : c.roles) ?? []],
+    roles: [b.roles, ...(c == null ? void 0 : c.roles) ?? []],
     connections: (c == null ? void 0 : c.connections) ?? [],
     tenants: (c == null ? void 0 : c.tenants) ?? [],
     rolePermissions: (c == null ? void 0 : c.rolePermissions) ?? []
-  }, P = q(
+  }, y = J({
+    accessControl: {
+      controlPlaneTenantId: r,
+      requireOrganizationMatch: i,
+      defaultPermissions: o
+    }
+  }), F = k(
     {
       accessControl: {
         controlPlaneTenantId: r,
@@ -1080,35 +1086,47 @@ function Fe(e) {
         defaultPermissions: o
       }
     },
-    { tenants: C }
-  ), { app: A } = ae({
+    { tenants: {
+      async beforeCreate(A, v) {
+        return y.beforeCreate && (v = await y.beforeCreate(A, v)), p.beforeCreate && (v = await p.beforeCreate(A, v)), v;
+      },
+      async afterCreate(A, v) {
+        var $, I;
+        await (($ = y.afterCreate) == null ? void 0 : $.call(y, A, v)), await ((I = p.afterCreate) == null ? void 0 : I.call(p, A, v));
+      },
+      async beforeDelete(A, v) {
+        var $, I;
+        await (($ = y.beforeDelete) == null ? void 0 : $.call(y, A, v)), await ((I = p.beforeDelete) == null ? void 0 : I.call(p, A, v));
+      }
+    } }
+  ), { app: D } = oe({
     dataAdapter: f,
     managementDataAdapter: m,
     ...d,
-    entityHooks: v,
+    entityHooks: T,
     managementApiExtensions: [
       ...u,
-      { path: "/tenants", router: P }
+      { path: "/tenants", router: F }
     ]
   });
-  return A.use(
+  return D.use(
     "/api/v2/*",
-    Ce(r)
-  ), w && A.use("/api/v2/*", ve()), { app: A, controlPlaneTenantId: r };
+    Te(r)
+  ), w && D.use("/api/v2/*", ve()), { app: D, controlPlaneTenantId: r };
 }
-function Me(e) {
-  const t = j(e);
+function De(e) {
+  const t = N(e);
   return {
     name: "multi-tenancy",
     // Apply multi-tenancy middleware for subdomain routing, database resolution, etc.
-    middleware: J(e),
+    middleware: Y(e),
     // Provide lifecycle hooks
     hooks: t,
     // Mount tenant management routes
     routes: [
       {
         path: "/management",
-        handler: q(e, t)
+        handler: k(e, t)
       }
     ],
     // Called when plugin is registered
@@ -1121,8 +1139,8 @@ function Me(e) {
     }
   };
 }
-function j(e) {
-  const t = e.accessControl ? ie(e.accessControl) : {}, n = e.databaseIsolation ? le(e.databaseIsolation) : {}, r = de(e);
+function N(e) {
+  const t = e.accessControl ? ce(e.accessControl) : {}, n = e.databaseIsolation ? ue(e.databaseIsolation) : {}, r = J(e);
   return {
     ...t,
     ...n,
@@ -1130,13 +1148,13 @@ function j(e) {
   };
 }
 function Ie(e) {
-  const t = new x(), n = j(e);
-  return t.route("/tenants", q(e, n)), t;
+  const t = new ee(), n = N(e);
+  return t.route("/tenants", k(e, n)), t;
 }
-function Oe(e) {
+function Me(e) {
   return {
-    hooks: j(e),
-    middleware: J(e),
+    hooks: N(e),
+    middleware: Y(e),
     app: Ie(e),
     config: e,
     /**
@@ -1149,7 +1167,7 @@ function Oe(e) {
      */
     wrapAdapters: (t, n) => {
       var r;
-      return V(t, {
+      return X(t, {
         controlPlaneTenantId: (r = e.accessControl) == null ? void 0 : r.controlPlaneTenantId,
         controlPlaneClientId: n == null ? void 0 : n.controlPlaneClientId
       });
@@ -1157,23 +1175,23 @@ function Oe(e) {
   };
 }
 export {
-  ie as createAccessControlHooks,
+  ce as createAccessControlHooks,
   Pe as createAccessControlMiddleware,
-  Ce as createControlPlaneTenantMiddleware,
-  le as createDatabaseHooks,
-  be as createDatabaseMiddleware,
+  Te as createControlPlaneTenantMiddleware,
+  ue as createDatabaseHooks,
+  Ae as createDatabaseMiddleware,
   Ie as createMultiTenancy,
-  j as createMultiTenancyHooks,
-  J as createMultiTenancyMiddleware,
-  Me as createMultiTenancyPlugin,
+  N as createMultiTenancyHooks,
+  Y as createMultiTenancyMiddleware,
+  De as createMultiTenancyPlugin,
   ve as createProtectSyncedMiddleware,
-  de as createProvisioningHooks,
-  Te as createRuntimeFallbackAdapter,
-  Ae as createSubdomainMiddleware,
+  J as createProvisioningHooks,
+  Ce as createRuntimeFallbackAdapter,
+  be as createSubdomainMiddleware,
   we as createSyncHooks,
-  q as createTenantsOpenAPIRouter,
+  k as createTenantsOpenAPIRouter,
   Fe as initMultiTenant,
-  Oe as setupMultiTenancy,
-  ce as validateTenantAccess,
-  V as withRuntimeFallback
+  Me as setupMultiTenancy,
+  le as validateTenantAccess,
+  X as withRuntimeFallback
 };