npm - @authhero/multi-tenancy - Versions diffs - 14.15.0 → 14.16.0 - Mend

@authhero/multi-tenancy 14.15.0 → 14.16.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/multi-tenancy.cjs +1 -1
package/dist/multi-tenancy.mjs +384 -302
package/dist/types/routes/tenants.d.ts.map +1 -1
package/package.json +4 -4

package/dist/multi-tenancy.mjs CHANGED Viewed

@@ -1,30 +1,30 @@
-var Z = Object.defineProperty;
-var x = (e, t, n) => t in e ? Z(e, t, { enumerable: !0, configurable: !0, writable: !0, value: n }) : e[t] = n;
-var q = (e, t, n) => x(e, typeof t != "symbol" ? t + "" : t, n);
-import { Hono as ee } from "hono";
-import { MANAGEMENT_API_SCOPES as te, MANAGEMENT_API_AUDIENCE as V, fetchAll as M, auth0QuerySchema as ne, tenantSchema as B, tenantInsertSchema as re, connectionSchema as ae, connectionOptionsSchema as se, init as oe } from "authhero";
-import { OpenAPIHono as ie, createRoute as j, z } from "@hono/zod-openapi";
-function ce(e) {
+var x = Object.defineProperty;
+var ee = (e, t, n) => t in e ? x(e, t, { enumerable: !0, configurable: !0, writable: !0, value: n }) : e[t] = n;
+var E = (e, t, n) => ee(e, typeof t != "symbol" ? t + "" : t, n);
+import { Hono as te } from "hono";
+import { MANAGEMENT_API_SCOPES as ne, MANAGEMENT_API_AUDIENCE as J, fetchAll as D, auth0QuerySchema as re, tenantSchema as q, tenantInsertSchema as U, deepMergePatch as ae, connectionSchema as se, connectionOptionsSchema as oe, init as ie } from "authhero";
+import { OpenAPIHono as ce, createRoute as M, z as S } from "@hono/zod-openapi";
+function le(e) {
   const { controlPlaneTenantId: t, requireOrganizationMatch: n = !0 } = e;
   return {
     async onTenantAccessValidation(r, a) {
       if (a === t)
         return !0;
       if (n) {
-        const s = r.var.org_name, o = r.var.organization_id, i = s || o;
+        const o = r.var.org_name, s = r.var.organization_id, i = o || s;
         return i ? i.toLowerCase() === a.toLowerCase() : !1;
       }
       return !0;
     }
   };
 }
-function le(e, t, n, r) {
+function ue(e, t, n, r) {
   if (t === n)
     return !0;
   const a = r || e;
   return a ? a.toLowerCase() === t.toLowerCase() : !1;
 }
-function ue(e) {
+function de(e) {
   return {
     async resolveDataAdapters(t) {
       try {
@@ -39,56 +39,56 @@ function ue(e) {
     }
   };
 }
-function de(e) {
+function fe(e) {
   return `urn:authhero:tenant:${e.toLowerCase()}`;
 }
-function J(e) {
+function X(e) {
   return {
     async beforeCreate(t, n) {
       return !n.audience && n.id ? {
         ...n,
-        audience: de(n.id)
+        audience: fe(n.id)
       } : n;
     },
     async afterCreate(t, n) {
       const { accessControl: r, databaseIsolation: a } = e;
-      r && t.ctx && await fe(t, n, r), a != null && a.onProvision && await a.onProvision(n.id);
+      r && t.ctx && await me(t, n, r), a != null && a.onProvision && await a.onProvision(n.id);
     },
     async beforeDelete(t, n) {
       const { accessControl: r, databaseIsolation: a } = e;
       if (r)
         try {
-          const o = (await t.adapters.organizations.list(
+          const s = (await t.adapters.organizations.list(
             r.controlPlaneTenantId
           )).organizations.find((i) => i.name === n);
-          o && await t.adapters.organizations.remove(
+          s && await t.adapters.organizations.remove(
             r.controlPlaneTenantId,
-            o.id
+            s.id
           );
-        } catch (s) {
+        } catch (o) {
           console.warn(
             `Failed to remove organization for tenant ${n}:`,
-            s
+            o
           );
         }
       if (a != null && a.onDeprovision)
         try {
           await a.onDeprovision(n);
-        } catch (s) {
+        } catch (o) {
           console.warn(
             `Failed to deprovision database for tenant ${n}:`,
-            s
+            o
           );
         }
     }
   };
 }
-async function fe(e, t, n) {
+async function me(e, t, n) {
   const {
     controlPlaneTenantId: r,
     defaultPermissions: a,
-    defaultRoles: s,
-    issuer: o,
+    defaultRoles: o,
+    issuer: s,
     adminRoleName: i = "Tenant Admin",
     adminRoleDescription: u = "Full access to all tenant management operations",
     addCreatorToOrganization: c = !0
@@ -100,14 +100,14 @@ async function fe(e, t, n) {
     }
   );
   let g;
-  if (o && (g = await ge(
+  if (s && (g = await we(
     e,
     r,
     i,
     u
   )), c && e.ctx) {
     const d = e.ctx.var.user;
-    if (d != null && d.sub && !await me(
+    if (d != null && d.sub && !await ge(
       e,
       r,
       d.sub
@@ -130,13 +130,13 @@ async function fe(e, t, n) {
         );
       }
   }
-  s && s.length > 0 && console.log(
-    `Would assign roles ${s.join(", ")} to organization ${l.id}`
+  o && o.length > 0 && console.log(
+    `Would assign roles ${o.join(", ")} to organization ${l.id}`
   ), a && a.length > 0 && console.log(
     `Would grant permissions ${a.join(", ")} to organization ${l.id}`
   );
 }
-async function me(e, t, n) {
+async function ge(e, t, n) {
   const r = await e.adapters.userRoles.list(
     t,
     n,
@@ -155,26 +155,26 @@ async function me(e, t, n) {
       return !0;
   return !1;
 }
-async function ge(e, t, n, r) {
-  const s = (await e.adapters.roles.list(t, {})).roles.find((c) => c.name === n);
-  if (s)
-    return s.id;
-  const o = await e.adapters.roles.create(t, {
+async function we(e, t, n, r) {
+  const o = (await e.adapters.roles.list(t, {})).roles.find((c) => c.name === n);
+  if (o)
+    return o.id;
+  const s = await e.adapters.roles.create(t, {
     name: n,
     description: r
-  }), i = V, u = te.map((c) => ({
-    role_id: o.id,
+  }), i = J, u = ne.map((c) => ({
+    role_id: s.id,
     resource_server_identifier: i,
     permission_name: c.value
   }));
   return await e.adapters.rolePermissions.assign(
     t,
-    o.id,
+    s.id,
     u
-  ), o.id;
+  ), s.id;
 }
 function G(e, t, n = () => !0) {
-  const { controlPlaneTenantId: r, getChildTenantIds: a, getAdapters: s } = e, o = /* @__PURE__ */ new Map();
+  const { controlPlaneTenantId: r, getChildTenantIds: a, getAdapters: o } = e, s = /* @__PURE__ */ new Map();
   async function i(l, g, d) {
     return (await t(l).list(g, {
       q: `name:${d}`,
@@ -182,19 +182,19 @@ function G(e, t, n = () => !0) {
     }))[0] ?? null;
   }
   async function u(l) {
-    const g = await a(), d = t(await s(r));
+    const g = await a(), d = t(await o(r));
     await Promise.all(
       g.map(async (f) => {
         try {
-          const m = await s(f), w = t(m), h = {
+          const m = await o(f), w = t(m), y = {
             ...d.transform(l),
             is_system: !0
-          }, _ = await i(m, f, l.name), P = _ ? w.getId(_) : void 0;
-          if (_ && P) {
-            const b = w.preserveOnUpdate ? w.preserveOnUpdate(_, h) : h;
-            await w.update(f, P, b);
+          }, _ = await i(m, f, l.name), b = _ ? w.getId(_) : void 0;
+          if (_ && b) {
+            const P = w.preserveOnUpdate ? w.preserveOnUpdate(_, y) : y;
+            await w.update(f, b, P);
           } else
-            await w.create(f, h);
+            await w.create(f, y);
         } catch (m) {
           console.error(
             `Failed to sync ${d.listKey} "${l.name}" to tenant "${f}":`,
@@ -209,7 +209,7 @@ function G(e, t, n = () => !0) {
     await Promise.all(
       g.map(async (d) => {
         try {
-          const f = await s(d), m = t(f), w = await i(f, d, l), C = w ? m.getId(w) : void 0;
+          const f = await o(d), m = t(f), w = await i(f, d, l), C = w ? m.getId(w) : void 0;
           w && C && await m.remove(d, C);
         } catch (f) {
           console.error(
@@ -230,22 +230,22 @@ function G(e, t, n = () => !0) {
     beforeDelete: async (l, g) => {
       if (l.tenantId !== r) return;
       const f = await t(l.adapters).get(l.tenantId, g);
-      f && n(f) && o.set(g, f);
+      f && n(f) && s.set(g, f);
     },
     afterDelete: async (l, g) => {
       if (l.tenantId !== r) return;
-      const d = o.get(g);
-      d && (o.delete(g), await c(d.name));
+      const d = s.get(g);
+      d && (s.delete(g), await c(d.name));
     }
   };
 }
-function U(e, t, n = () => !0) {
-  const { controlPlaneTenantId: r, getControlPlaneAdapters: a, getAdapters: s } = e;
+function L(e, t, n = () => !0) {
+  const { controlPlaneTenantId: r, getControlPlaneAdapters: a, getAdapters: o } = e;
   return {
-    async afterCreate(o, i) {
+    async afterCreate(s, i) {
       if (i.id !== r)
         try {
-          const u = await a(), c = await s(i.id), l = t(u), g = t(c), d = await M(
+          const u = await a(), c = await o(i.id), l = t(u), g = t(c), d = await D(
             (f) => l.listPaginated(r, f),
             l.listKey,
             { cursorField: "id", pageSize: 100 }
@@ -275,7 +275,7 @@ function U(e, t, n = () => !0) {
     }
   };
 }
-const L = (e) => ({
+const H = (e) => ({
   list: async (t, n) => (await e.resourceServers.list(t, n)).resource_servers,
   listPaginated: (t, n) => e.resourceServers.list(t, n),
   get: (t, n) => e.resourceServers.get(t, n),
@@ -293,7 +293,7 @@ const L = (e) => ({
     token_lifetime: t.token_lifetime,
     token_lifetime_for_web: t.token_lifetime_for_web
   })
-}), H = (e) => ({
+}), W = (e) => ({
   list: async (t, n) => (await e.roles.list(t, n)).roles,
   listPaginated: (t, n) => e.roles.list(t, n),
   get: (t, n) => e.roles.get(t, n),
@@ -308,41 +308,41 @@ const L = (e) => ({
     description: t.description
   })
 });
-function W(e) {
+function K(e) {
   var t;
   return ((t = e.metadata) == null ? void 0 : t.sync) !== !1;
 }
-function we(e) {
-  const { sync: t = {}, filters: n = {} } = e, r = t.resourceServers ?? !0, a = t.roles ?? !0, s = (m) => W(m) ? n.resourceServers ? n.resourceServers(m) : !0 : !1, o = (m) => W(m) ? n.roles ? n.roles(m) : !0 : !1, i = r ? G(
-    e,
-    L,
-    s
-  ) : void 0, u = a ? G(e, H, o) : void 0, c = r ? U(
+function pe(e) {
+  const { sync: t = {}, filters: n = {} } = e, r = t.resourceServers ?? !0, a = t.roles ?? !0, o = (m) => K(m) ? n.resourceServers ? n.resourceServers(m) : !0 : !1, s = (m) => K(m) ? n.roles ? n.roles(m) : !0 : !1, i = r ? G(
     e,
-    L,
-    s
-  ) : void 0, l = a ? U(
+    H,
+    o
+  ) : void 0, u = a ? G(e, W, s) : void 0, c = r ? L(
     e,
     H,
     o
+  ) : void 0, l = a ? L(
+    e,
+    W,
+    s
   ) : void 0, g = a ? {
     async afterCreate(m, w) {
       var C;
       if (w.id !== e.controlPlaneTenantId) {
         await ((C = l == null ? void 0 : l.afterCreate) == null ? void 0 : C.call(l, m, w));
         try {
-          const h = await e.getControlPlaneAdapters(), _ = await e.getAdapters(w.id), P = await M(
-            (p) => h.roles.list(
+          const y = await e.getControlPlaneAdapters(), _ = await e.getAdapters(w.id), b = await D(
+            (p) => y.roles.list(
               e.controlPlaneTenantId,
               p
             ),
             "roles",
             { cursorField: "id", pageSize: 100 }
-          ), b = /* @__PURE__ */ new Map();
-          for (const p of P.filter(
+          ), P = /* @__PURE__ */ new Map();
+          for (const p of b.filter(
             (T) => {
-              var y;
-              return ((y = n.roles) == null ? void 0 : y.call(n, T)) ?? !0;
+              var h;
+              return ((h = n.roles) == null ? void 0 : h.call(n, T)) ?? !0;
             }
           )) {
             const T = await d(
@@ -350,42 +350,42 @@ function we(e) {
               w.id,
               p.name
             );
-            T && b.set(p.name, T.id);
+            T && P.set(p.name, T.id);
           }
-          for (const p of P.filter(
+          for (const p of b.filter(
             (T) => {
-              var y;
-              return ((y = n.roles) == null ? void 0 : y.call(n, T)) ?? !0;
+              var h;
+              return ((h = n.roles) == null ? void 0 : h.call(n, T)) ?? !0;
             }
           )) {
-            const T = b.get(p.name);
+            const T = P.get(p.name);
             if (T)
               try {
-                const y = await h.rolePermissions.list(
+                const h = await y.rolePermissions.list(
                   e.controlPlaneTenantId,
                   p.id,
                   {}
                 );
-                y.length > 0 && await _.rolePermissions.assign(
+                h.length > 0 && await _.rolePermissions.assign(
                   w.id,
                   T,
-                  y.map((R) => ({
+                  h.map(($) => ({
                     role_id: T,
-                    resource_server_identifier: R.resource_server_identifier,
-                    permission_name: R.permission_name
+                    resource_server_identifier: $.resource_server_identifier,
+                    permission_name: $.permission_name
                   }))
                 );
-              } catch (y) {
+              } catch (h) {
                 console.error(
                   `Failed to sync permissions for role "${p.name}" to tenant "${w.id}":`,
-                  y
+                  h
                 );
               }
           }
-        } catch (h) {
+        } catch (y) {
           console.error(
             `Failed to sync role permissions to tenant "${w.id}":`,
-            h
+            y
           );
         }
       }
@@ -407,25 +407,25 @@ function we(e) {
         const C = [
           c == null ? void 0 : c.afterCreate,
           (g == null ? void 0 : g.afterCreate) ?? (l == null ? void 0 : l.afterCreate)
-        ], h = [];
+        ], y = [];
         for (const _ of C)
           if (_)
             try {
               await _(m, w);
-            } catch (P) {
-              h.push(P instanceof Error ? P : new Error(String(P)));
+            } catch (b) {
+              y.push(b instanceof Error ? b : new Error(String(b)));
             }
-        if (h.length === 1) throw h[0];
-        if (h.length > 1)
+        if (y.length === 1) throw y[0];
+        if (y.length > 1)
           throw new AggregateError(
-            h,
-            h.map((_) => _.message).join("; ")
+            y,
+            y.map((_) => _.message).join("; ")
           );
       }
     }
   };
 }
-var S = class extends Error {
+var A = class extends Error {
   /**
    * Creates an instance of `HTTPException`.
    * @param status - HTTP status code for the exception. Defaults to 500.
@@ -433,8 +433,8 @@ var S = class extends Error {
    */
   constructor(t = 500, n) {
     super(n == null ? void 0 : n.message, { cause: n == null ? void 0 : n.cause });
-    q(this, "res");
-    q(this, "status");
+    E(this, "res");
+    E(this, "status");
     this.res = n == null ? void 0 : n.res, this.status = t;
   }
   /**
@@ -451,15 +451,15 @@ var S = class extends Error {
     });
   }
 };
-function k(e, t) {
-  const n = new ie();
+function N(e, t) {
+  const n = new ce();
   return n.openapi(
-    j({
+    M({
       tags: ["tenants"],
       method: "get",
       path: "/",
       request: {
-        query: ne
+        query: re
       },
       security: [
         {
@@ -470,11 +470,11 @@ function k(e, t) {
         200: {
           content: {
             "application/json": {
-              schema: z.object({
-                tenants: z.array(B),
-                start: z.number().optional(),
-                limit: z.number().optional(),
-                length: z.number().optional()
+              schema: S.object({
+                tenants: S.array(q),
+                start: S.number().optional(),
+                limit: S.number().optional(),
+                length: S.number().optional()
               })
             }
           },
@@ -483,75 +483,75 @@ function k(e, t) {
       }
     }),
     async (r) => {
-      var m, w, C, h, _, P;
-      const a = r.req.valid("query"), { page: s, per_page: o, include_totals: i, q: u } = a, c = r.var.user, l = (c == null ? void 0 : c.permissions) || [];
+      var m, w, C, y, _, b;
+      const a = r.req.valid("query"), { page: o, per_page: s, include_totals: i, q: u } = a, c = r.var.user, l = (c == null ? void 0 : c.permissions) || [];
       if (l.includes("auth:read") || l.includes("admin:organizations")) {
-        const b = await r.env.data.tenants.list({
-          page: s,
-          per_page: o,
+        const P = await r.env.data.tenants.list({
+          page: o,
+          per_page: s,
           include_totals: i,
           q: u
         });
         return i ? r.json({
-          tenants: b.tenants,
-          start: ((m = b.totals) == null ? void 0 : m.start) ?? 0,
-          limit: ((w = b.totals) == null ? void 0 : w.limit) ?? o,
-          length: b.tenants.length
-        }) : r.json({ tenants: b.tenants });
+          tenants: P.tenants,
+          start: ((m = P.totals) == null ? void 0 : m.start) ?? 0,
+          limit: ((w = P.totals) == null ? void 0 : w.limit) ?? s,
+          length: P.tenants.length
+        }) : r.json({ tenants: P.tenants });
       }
-      const d = ((C = e.accessControl) == null ? void 0 : C.controlPlaneTenantId) ?? ((h = r.env.data.multiTenancyConfig) == null ? void 0 : h.controlPlaneTenantId);
+      const d = ((C = e.accessControl) == null ? void 0 : C.controlPlaneTenantId) ?? ((y = r.env.data.multiTenancyConfig) == null ? void 0 : y.controlPlaneTenantId);
       if (d && (c != null && c.sub)) {
-        const p = (await M(
-          (I) => r.env.data.userOrganizations.listUserOrganizations(
+        const p = (await D(
+          (R) => r.env.data.userOrganizations.listUserOrganizations(
             d,
             c.sub,
-            I
+            R
           ),
           "organizations"
-        )).map((I) => I.name);
+        )).map((R) => R.name);
         if (p.length === 0)
           return i ? r.json({
             tenants: [],
             start: 0,
-            limit: o ?? 50,
+            limit: s ?? 50,
             length: 0
           }) : r.json({ tenants: [] });
-        const T = p.length, y = s ?? 0, R = o ?? 50, F = y * R, D = p.slice(F, F + R);
-        if (D.length === 0)
+        const T = p.length, h = o ?? 0, $ = s ?? 50, F = h * $, j = p.slice(F, F + $);
+        if (j.length === 0)
           return i ? r.json({
             tenants: [],
             start: F,
-            limit: R,
+            limit: $,
             length: T
           }) : r.json({ tenants: [] });
-        const A = D.map((I) => `id:${I}`).join(" OR "), v = u ? `(${A}) AND (${u})` : A, $ = await r.env.data.tenants.list({
+        const I = j.map((R) => `id:${R}`).join(" OR "), v = u ? `(${I}) AND (${u})` : I, z = await r.env.data.tenants.list({
           q: v,
-          per_page: R,
+          per_page: $,
           include_totals: !1
           // We calculate totals from accessibleTenantIds
         });
         return i ? r.json({
-          tenants: $.tenants,
+          tenants: z.tenants,
           start: F,
-          limit: R,
+          limit: $,
           length: T
-        }) : r.json({ tenants: $.tenants });
+        }) : r.json({ tenants: z.tenants });
       }
       const f = await r.env.data.tenants.list({
-        page: s,
-        per_page: o,
+        page: o,
+        per_page: s,
         include_totals: i,
         q: u
       });
       return i ? r.json({
         tenants: f.tenants,
         start: ((_ = f.totals) == null ? void 0 : _.start) ?? 0,
-        limit: ((P = f.totals) == null ? void 0 : P.limit) ?? o,
+        limit: ((b = f.totals) == null ? void 0 : b.limit) ?? s,
         length: f.tenants.length
       }) : r.json({ tenants: f.tenants });
     }
   ), n.openapi(
-    j({
+    M({
       tags: ["tenants"],
       method: "post",
       path: "/",
@@ -559,7 +559,7 @@ function k(e, t) {
         body: {
           content: {
             "application/json": {
-              schema: re
+              schema: U
             }
           }
         }
@@ -573,7 +573,7 @@ function k(e, t) {
         201: {
           content: {
             "application/json": {
-              schema: B
+              schema: q
             }
           },
           description: "Tenant created"
@@ -590,26 +590,26 @@ function k(e, t) {
       var u, c;
       const a = r.var.user;
       if (!(a != null && a.sub))
-        throw new S(401, {
+        throw new A(401, {
           message: "Authentication required to create tenants"
         });
-      let s = r.req.valid("json");
-      const o = {
+      let o = r.req.valid("json");
+      const s = {
         adapters: r.env.data,
         ctx: r
       };
-      (u = t.tenants) != null && u.beforeCreate && (s = await t.tenants.beforeCreate(o, s));
-      const i = await r.env.data.tenants.create(s);
-      return (c = t.tenants) != null && c.afterCreate && await t.tenants.afterCreate(o, i), r.json(i, 201);
+      (u = t.tenants) != null && u.beforeCreate && (o = await t.tenants.beforeCreate(s, o));
+      const i = await r.env.data.tenants.create(o);
+      return (c = t.tenants) != null && c.afterCreate && await t.tenants.afterCreate(s, i), r.json(i, 201);
     }
   ), n.openapi(
-    j({
+    M({
       tags: ["tenants"],
       method: "delete",
       path: "/{id}",
       request: {
-        params: z.object({
-          id: z.string()
+        params: S.object({
+          id: S.string()
         })
       },
       security: [
@@ -631,31 +631,31 @@ function k(e, t) {
     }),
     async (r) => {
       var u, c, l, g;
-      const { id: a } = r.req.valid("param"), s = ((u = e.accessControl) == null ? void 0 : u.controlPlaneTenantId) ?? ((c = r.env.data.multiTenancyConfig) == null ? void 0 : c.controlPlaneTenantId);
-      if (s) {
+      const { id: a } = r.req.valid("param"), o = ((u = e.accessControl) == null ? void 0 : u.controlPlaneTenantId) ?? ((c = r.env.data.multiTenancyConfig) == null ? void 0 : c.controlPlaneTenantId);
+      if (o) {
         const d = r.var.user;
         if (!(d != null && d.sub))
-          throw new S(401, {
+          throw new A(401, {
             message: "Authentication required"
           });
-        if (a === s)
-          throw new S(403, {
+        if (a === o)
+          throw new A(403, {
             message: "Cannot delete the control plane"
           });
-        if (!(await M(
+        if (!(await D(
           (w) => r.env.data.userOrganizations.listUserOrganizations(
-            s,
+            o,
             d.sub,
             w
           ),
           "organizations"
         )).some((w) => w.name === a))
-          throw new S(403, {
+          throw new A(403, {
             message: "Access denied to this tenant"
           });
       }
       if (!await r.env.data.tenants.get(a))
-        throw new S(404, {
+        throw new A(404, {
           message: "Tenant not found"
         });
       const i = {
@@ -664,9 +664,91 @@ function k(e, t) {
       };
       return (l = t.tenants) != null && l.beforeDelete && await t.tenants.beforeDelete(i, a), await r.env.data.tenants.remove(a), (g = t.tenants) != null && g.afterDelete && await t.tenants.afterDelete(i, a), r.body(null, 204);
     }
+  ), n.openapi(
+    M({
+      tags: ["tenants", "settings"],
+      method: "get",
+      path: "/settings",
+      request: {
+        headers: S.object({
+          "tenant-id": S.string().optional()
+        })
+      },
+      security: [
+        {
+          Bearer: ["read:tenants", "auth:read"]
+        }
+      ],
+      responses: {
+        200: {
+          content: {
+            "application/json": {
+              schema: q
+            }
+          },
+          description: "Current tenant settings"
+        }
+      }
+    }),
+    async (r) => {
+      const a = await r.env.data.tenants.get(r.var.tenant_id);
+      if (!a)
+        throw new A(404, {
+          message: "Tenant not found"
+        });
+      return r.json(a);
+    }
+  ), n.openapi(
+    M({
+      tags: ["tenants", "settings"],
+      method: "patch",
+      path: "/settings",
+      request: {
+        headers: S.object({
+          "tenant-id": S.string().optional()
+        }),
+        body: {
+          content: {
+            "application/json": {
+              schema: S.object(U.shape).partial()
+            }
+          }
+        }
+      },
+      security: [
+        {
+          Bearer: ["update:tenants", "auth:write"]
+        }
+      ],
+      responses: {
+        200: {
+          content: {
+            "application/json": {
+              schema: q
+            }
+          },
+          description: "Updated tenant settings"
+        }
+      }
+    }),
+    async (r) => {
+      const a = r.req.valid("json"), { id: o, ...s } = a, i = await r.env.data.tenants.get(r.var.tenant_id);
+      if (!i)
+        throw new A(404, {
+          message: "Tenant not found"
+        });
+      const u = ae(i, s);
+      await r.env.data.tenants.update(r.var.tenant_id, u);
+      const c = await r.env.data.tenants.get(r.var.tenant_id);
+      if (!c)
+        throw new A(500, {
+          message: "Failed to retrieve updated tenant"
+        });
+      return r.json(c);
+    }
   ), n;
 }
-function pe(e) {
+function he(e) {
   const t = [
     {
       pattern: /\/api\/v2\/resource-servers\/([^/]+)$/,
@@ -704,41 +786,41 @@ async function ye(e, t, n) {
     return !1;
   }
 }
-function he(e) {
+function ve(e) {
   return {
     resource_server: "resource server",
     role: "role",
     connection: "connection"
   }[e];
 }
-function ve() {
+function _e() {
   return async (e, t) => {
     if (!["PATCH", "PUT", "DELETE"].includes(e.req.method))
       return t();
-    const n = pe(e.req.path);
+    const n = he(e.req.path);
     if (!n)
       return t();
     const r = e.var.tenant_id || e.req.header("x-tenant-id") || e.req.header("tenant-id");
     if (!r)
       return t();
     if (await ye(e.env.data, r, n))
-      throw new S(403, {
-        message: `This ${he(n.type)} is a system resource and cannot be modified. Make changes in the control plane instead.`
+      throw new A(403, {
+        message: `This ${ve(n.type)} is a system resource and cannot be modified. Make changes in the control plane instead.`
       });
     return t();
   };
 }
-function E(e, t) {
+function k(e, t) {
   const n = t.find(
     (a) => a.strategy === e.strategy
   );
   if (!(n != null && n.options))
     return e;
-  const r = ae.passthrough().parse({
+  const r = se.passthrough().parse({
     ...n,
     ...e
   });
-  return r.options = se.passthrough().parse({
+  return r.options = oe.passthrough().parse({
     ...n.options || {},
     ...e.options
   }), r;
@@ -747,7 +829,7 @@ function O(e, t) {
   const n = [...t || [], ...e || []];
   return [...new Set(n)];
 }
-function _e(e, t) {
+function Ce(e, t) {
   if (!(t != null && t.length))
     return e || [];
   if (!(e != null && e.length))
@@ -759,16 +841,16 @@ function _e(e, t) {
     n.set(r.value, r);
   return Array.from(n.values());
 }
-function K(e, t) {
+function Q(e, t) {
   return t ? {
     ...e,
-    scopes: _e(
+    scopes: Ce(
       e.scopes,
       t.scopes
     )
   } : e;
 }
-function Q(e, t) {
+function V(e, t) {
   return t ? {
     ...e,
     callbacks: O(e.callbacks, t.callbacks),
@@ -786,7 +868,7 @@ function Q(e, t) {
     )
   } : e;
 }
-function Ce(e, t) {
+function Te(e, t) {
   const { controlPlaneTenantId: n, controlPlaneClientId: r } = t;
   return {
     ...e,
@@ -797,47 +879,47 @@ function Ce(e, t) {
     },
     connections: {
       ...e.connections,
-      get: async (a, s) => {
-        const o = await e.connections.get(
+      get: async (a, o) => {
+        const s = await e.connections.get(
           a,
-          s
+          o
         );
-        if (!o || !n || a === n)
-          return o;
+        if (!s || !n || a === n)
+          return s;
         const i = await e.connections.list(n);
-        return E(
-          o,
+        return k(
+          s,
           i.connections || []
         );
       },
-      list: async (a, s) => {
-        const o = await e.connections.list(a, s);
+      list: async (a, o) => {
+        const s = await e.connections.list(a, o);
         if (!n || a === n)
-          return o;
-        const i = await e.connections.list(n), u = o.connections.map(
-          (c) => E(
+          return s;
+        const i = await e.connections.list(n), u = s.connections.map(
+          (c) => k(
             c,
             i.connections || []
           )
         );
         return {
-          ...o,
+          ...s,
           connections: u
         };
       }
     },
     clientConnections: {
       ...e.clientConnections,
-      listByClient: async (a, s) => {
-        let o = await e.clientConnections.listByClient(
+      listByClient: async (a, o) => {
+        let s = await e.clientConnections.listByClient(
           a,
-          s
+          o
         );
-        if (o.length === 0 && (o = (await e.connections.list(a)).connections || []), !n || a === n)
-          return o;
+        if (s.length === 0 && (s = (await e.connections.list(a)).connections || []), !n || a === n)
+          return s;
         const i = await e.connections.list(n);
-        return o.map(
-          (u) => E(
+        return s.map(
+          (u) => k(
             u,
             i.connections || []
           )
@@ -846,76 +928,76 @@ function Ce(e, t) {
     },
     clients: {
       ...e.clients,
-      get: async (a, s) => {
-        const o = await e.clients.get(a, s);
-        if (!o)
+      get: async (a, o) => {
+        const s = await e.clients.get(a, o);
+        if (!s)
           return null;
-        if (!n || !r || a === n && s === r)
-          return o;
+        if (!n || !r || a === n && o === r)
+          return s;
         const i = await e.clients.get(
           n,
           r
         );
-        return Q(o, i);
+        return V(s, i);
       },
       getByClientId: async (a) => {
-        const s = await e.clients.getByClientId(a);
-        if (!s)
+        const o = await e.clients.getByClientId(a);
+        if (!o)
           return null;
-        if (!n || !r || s.tenant_id === n && s.client_id === r)
-          return s;
-        const o = await e.clients.get(
+        if (!n || !r || o.tenant_id === n && o.client_id === r)
+          return o;
+        const s = await e.clients.get(
           n,
           r
         );
         return {
-          ...Q(s, o),
-          tenant_id: s.tenant_id
+          ...V(o, s),
+          tenant_id: o.tenant_id
         };
       }
     },
     emailProviders: {
       ...e.emailProviders,
       get: async (a) => {
-        const s = await e.emailProviders.get(a);
-        return s || (!n || a === n ? null : e.emailProviders.get(n));
+        const o = await e.emailProviders.get(a);
+        return o || (!n || a === n ? null : e.emailProviders.get(n));
       }
     },
     resourceServers: {
       ...e.resourceServers,
-      get: async (a, s) => {
-        const o = await e.resourceServers.get(
+      get: async (a, o) => {
+        const s = await e.resourceServers.get(
           a,
-          s
+          o
         );
-        if (!o || !n || a === n)
-          return o;
+        if (!s || !n || a === n)
+          return s;
         const u = (await e.resourceServers.list(
           n,
-          { q: `identifier:${o.identifier}`, per_page: 1 }
+          { q: `identifier:${s.identifier}`, per_page: 1 }
         )).resource_servers[0] ?? null;
-        return K(
-          o,
+        return Q(
+          s,
           u
         );
       },
-      list: async (a, s) => {
-        const o = await e.resourceServers.list(
+      list: async (a, o) => {
+        const s = await e.resourceServers.list(
           a,
-          s
+          o
         );
         if (!n || a === n)
-          return o;
+          return s;
         const i = await e.resourceServers.list(n), u = new Map(
           i.resource_servers.map((l) => [l.identifier, l])
-        ), c = o.resource_servers.map(
-          (l) => K(
+        ), c = s.resource_servers.map(
+          (l) => Q(
             l,
             u.get(l.identifier) ?? null
           )
         );
         return {
-          ...o,
+          ...s,
           resource_servers: c
         };
       }
@@ -925,10 +1007,10 @@ function Ce(e, t) {
     // - branding: Fall back to control plane branding/themes
   };
 }
-function X(e, t) {
-  return Ce(e, t);
+function Y(e, t) {
+  return Te(e, t);
 }
-function Te(e) {
+function be(e) {
   return async (t, n) => {
     const r = t.var.user;
     return (r == null ? void 0 : r.tenant_id) === e && r.org_name && t.set("tenant_id", r.org_name), n();
@@ -938,44 +1020,44 @@ function Pe(e) {
   return async (t, n) => {
     if (!e.accessControl)
       return n();
-    const { controlPlaneTenantId: r } = e.accessControl, a = t.var.org_name, s = t.var.organization_id, o = a || s;
+    const { controlPlaneTenantId: r } = e.accessControl, a = t.var.org_name, o = t.var.organization_id, s = a || o;
     let i = t.var.tenant_id;
-    const u = t.var.user, l = (u != null && u.aud ? Array.isArray(u.aud) ? u.aud : [u.aud] : []).includes(V);
-    if (!i && o && l && (t.set("tenant_id", o), i = o), !i)
-      throw new S(400, {
+    const u = t.var.user, l = (u != null && u.aud ? Array.isArray(u.aud) ? u.aud : [u.aud] : []).includes(J);
+    if (!i && s && l && (t.set("tenant_id", s), i = s), !i)
+      throw new A(400, {
         message: "Tenant ID not found in request"
       });
-    if (!le(
-      s,
+    if (!ue(
+      o,
       i,
       r,
       a
     ))
-      throw new S(403, {
+      throw new A(403, {
         message: `Access denied to tenant ${i}`
       });
     return n();
   };
 }
-function be(e) {
+function Ae(e) {
   return async (t, n) => {
     if (!e.subdomainRouting)
       return n();
     const {
       baseDomain: r,
       reservedSubdomains: a = [],
-      resolveSubdomain: s
-    } = e.subdomainRouting, o = t.req.header("host") || "";
+      resolveSubdomain: o
+    } = e.subdomainRouting, s = t.req.header("host") || "";
     let i = null;
-    if (o.endsWith(r)) {
-      const c = o.slice(0, -(r.length + 1));
+    if (s.endsWith(r)) {
+      const c = s.slice(0, -(r.length + 1));
       c && !c.includes(".") && (i = c);
     }
     if (i && a.includes(i) && (i = null), !i)
       return e.accessControl && t.set("tenant_id", e.accessControl.controlPlaneTenantId), n();
     let u = null;
-    if (s)
-      u = await s(i);
+    if (o)
+      u = await o(i);
     else if (e.subdomainRouting.useOrganizations !== !1 && e.accessControl)
       try {
         const c = await t.env.data.organizations.get(
@@ -986,19 +1068,19 @@ function be(e) {
       } catch {
       }
     if (!u)
-      throw new S(404, {
+      throw new A(404, {
         message: `Tenant not found for subdomain: ${i}`
       });
     return t.set("tenant_id", u), n();
   };
 }
-function Ae(e) {
+function Ie(e) {
   return async (t, n) => {
     if (!e.databaseIsolation)
       return n();
     const r = t.var.tenant_id;
     if (!r)
-      throw new S(400, {
+      throw new A(400, {
         message: "Tenant ID not found in request"
       });
     try {
@@ -1008,21 +1090,21 @@ function Ae(e) {
       throw console.error(
         `Failed to resolve database for tenant ${r}:`,
         a
-      ), new S(500, {
+      ), new A(500, {
         message: "Failed to resolve tenant database"
       });
     }
     return n();
   };
 }
-function Y(e) {
-  const t = be(e), n = Pe(e), r = Ae(e);
-  return async (a, s) => (await t(a, async () => {
+function Z(e) {
+  const t = Ae(e), n = Pe(e), r = Ie(e);
+  return async (a, o) => (await t(a, async () => {
   }), await n(a, async () => {
   }), await r(a, async () => {
-  }), s());
+  }), o());
 }
-function Fe(e) {
+function je(e) {
   const {
     dataAdapter: t,
     controlPlane: n,
@@ -1030,8 +1112,8 @@ function Fe(e) {
       tenantId: r = "control_plane",
       clientId: a
     } = {},
-    sync: s = { resourceServers: !0, roles: !0 },
-    defaultPermissions: o = ["tenant:admin"],
+    sync: o = { resourceServers: !0, roles: !0 },
+    defaultPermissions: s = ["tenant:admin"],
     requireOrganizationMatch: i = !1,
     managementApiExtensions: u = [],
     entityHooks: c,
@@ -1040,7 +1122,7 @@ function Fe(e) {
     ...d
   } = e;
   let f = t, m = t;
-  n && (f = X(t, {
+  n && (f = Y(t, {
     controlPlaneTenantId: r,
     controlPlaneClientId: a
   }), m = {
@@ -1050,12 +1132,12 @@ function Fe(e) {
       controlPlaneClientId: a
     }
   });
-  const w = s !== !1, C = w ? {
-    resourceServers: s.resourceServers ?? !0,
-    roles: s.roles ?? !0
-  } : { resourceServers: !1, roles: !1 }, P = {
+  const w = o !== !1, C = w ? {
+    resourceServers: o.resourceServers ?? !0,
+    roles: o.roles ?? !0
+  } : { resourceServers: !1, roles: !1 }, b = {
     controlPlaneTenantId: r,
-    getChildTenantIds: l ?? (async () => (await M(
+    getChildTenantIds: l ?? (async () => (await D(
       (v) => f.tenants.list(v),
       "tenants",
       { cursorField: "id", pageSize: 100 }
@@ -1063,43 +1145,43 @@ function Fe(e) {
     getAdapters: g ?? (async () => f),
     getControlPlaneAdapters: async () => f,
     sync: C
-  }, { entityHooks: b, tenantHooks: p } = we(P), T = {
+  }, { entityHooks: P, tenantHooks: p } = pe(b), T = {
     resourceServers: [
-      b.resourceServers,
+      P.resourceServers,
       ...(c == null ? void 0 : c.resourceServers) ?? []
     ],
-    roles: [b.roles, ...(c == null ? void 0 : c.roles) ?? []],
+    roles: [P.roles, ...(c == null ? void 0 : c.roles) ?? []],
     connections: (c == null ? void 0 : c.connections) ?? [],
     tenants: (c == null ? void 0 : c.tenants) ?? [],
     rolePermissions: (c == null ? void 0 : c.rolePermissions) ?? []
-  }, y = J({
+  }, h = X({
     accessControl: {
       controlPlaneTenantId: r,
       requireOrganizationMatch: i,
-      defaultPermissions: o
+      defaultPermissions: s
     }
-  }), F = k(
+  }), F = N(
     {
       accessControl: {
         controlPlaneTenantId: r,
         requireOrganizationMatch: i,
-        defaultPermissions: o
+        defaultPermissions: s
       }
     },
     { tenants: {
-      async beforeCreate(A, v) {
-        return y.beforeCreate && (v = await y.beforeCreate(A, v)), p.beforeCreate && (v = await p.beforeCreate(A, v)), v;
+      async beforeCreate(I, v) {
+        return h.beforeCreate && (v = await h.beforeCreate(I, v)), p.beforeCreate && (v = await p.beforeCreate(I, v)), v;
       },
-      async afterCreate(A, v) {
-        var $, I;
-        await (($ = y.afterCreate) == null ? void 0 : $.call(y, A, v)), await ((I = p.afterCreate) == null ? void 0 : I.call(p, A, v));
+      async afterCreate(I, v) {
+        var z, R;
+        await ((z = h.afterCreate) == null ? void 0 : z.call(h, I, v)), await ((R = p.afterCreate) == null ? void 0 : R.call(p, I, v));
       },
-      async beforeDelete(A, v) {
-        var $, I;
-        await (($ = y.beforeDelete) == null ? void 0 : $.call(y, A, v)), await ((I = p.beforeDelete) == null ? void 0 : I.call(p, A, v));
+      async beforeDelete(I, v) {
+        var z, R;
+        await ((z = h.beforeDelete) == null ? void 0 : z.call(h, I, v)), await ((R = p.beforeDelete) == null ? void 0 : R.call(p, I, v));
       }
     } }
-  ), { app: D } = oe({
+  ), { app: j } = ie({
     dataAdapter: f,
     managementDataAdapter: m,
     ...d,
@@ -1109,24 +1191,24 @@ function Fe(e) {
       { path: "/tenants", router: F }
     ]
   });
-  return D.use(
+  return j.use(
     "/api/v2/*",
-    Te(r)
-  ), w && D.use("/api/v2/*", ve()), { app: D, controlPlaneTenantId: r };
+    be(r)
+  ), w && j.use("/api/v2/*", _e()), { app: j, controlPlaneTenantId: r };
 }
-function De(e) {
-  const t = N(e);
+function Me(e) {
+  const t = B(e);
   return {
     name: "multi-tenancy",
     // Apply multi-tenancy middleware for subdomain routing, database resolution, etc.
-    middleware: Y(e),
+    middleware: Z(e),
     // Provide lifecycle hooks
     hooks: t,
     // Mount tenant management routes
     routes: [
       {
         path: "/management",
-        handler: k(e, t)
+        handler: N(e, t)
       }
     ],
     // Called when plugin is registered
@@ -1139,23 +1221,23 @@ function De(e) {
     }
   };
 }
-function N(e) {
-  const t = e.accessControl ? ce(e.accessControl) : {}, n = e.databaseIsolation ? ue(e.databaseIsolation) : {}, r = J(e);
+function B(e) {
+  const t = e.accessControl ? le(e.accessControl) : {}, n = e.databaseIsolation ? de(e.databaseIsolation) : {}, r = X(e);
   return {
     ...t,
     ...n,
     tenants: r
   };
 }
-function Ie(e) {
-  const t = new ee(), n = N(e);
-  return t.route("/tenants", k(e, n)), t;
+function Se(e) {
+  const t = new te(), n = B(e);
+  return t.route("/tenants", N(e, n)), t;
 }
-function Me(e) {
+function De(e) {
   return {
-    hooks: N(e),
-    middleware: Y(e),
-    app: Ie(e),
+    hooks: B(e),
+    middleware: Z(e),
+    app: Se(e),
     config: e,
     /**
      * Wraps data adapters with runtime fallback from the control plane.
@@ -1167,7 +1249,7 @@ function Me(e) {
      */
     wrapAdapters: (t, n) => {
       var r;
-      return X(t, {
+      return Y(t, {
         controlPlaneTenantId: (r = e.accessControl) == null ? void 0 : r.controlPlaneTenantId,
         controlPlaneClientId: n == null ? void 0 : n.controlPlaneClientId
       });
@@ -1175,23 +1257,23 @@ function Me(e) {
   };
 }
 export {
-  ce as createAccessControlHooks,
+  le as createAccessControlHooks,
   Pe as createAccessControlMiddleware,
-  Te as createControlPlaneTenantMiddleware,
-  ue as createDatabaseHooks,
-  Ae as createDatabaseMiddleware,
-  Ie as createMultiTenancy,
-  N as createMultiTenancyHooks,
-  Y as createMultiTenancyMiddleware,
-  De as createMultiTenancyPlugin,
-  ve as createProtectSyncedMiddleware,
-  J as createProvisioningHooks,
-  Ce as createRuntimeFallbackAdapter,
-  be as createSubdomainMiddleware,
-  we as createSyncHooks,
-  k as createTenantsOpenAPIRouter,
-  Fe as initMultiTenant,
-  Me as setupMultiTenancy,
-  le as validateTenantAccess,
-  X as withRuntimeFallback
+  be as createControlPlaneTenantMiddleware,
+  de as createDatabaseHooks,
+  Ie as createDatabaseMiddleware,
+  Se as createMultiTenancy,
+  B as createMultiTenancyHooks,
+  Z as createMultiTenancyMiddleware,
+  Me as createMultiTenancyPlugin,
+  _e as createProtectSyncedMiddleware,
+  X as createProvisioningHooks,
+  Te as createRuntimeFallbackAdapter,
+  Ae as createSubdomainMiddleware,
+  pe as createSyncHooks,
+  N as createTenantsOpenAPIRouter,
+  je as initMultiTenant,
+  De as setupMultiTenancy,
+  ue as validateTenantAccess,
+  Y as withRuntimeFallback
 };