npm - @authhero/multi-tenancy - Versions diffs - 14.19.0 → 14.20.0 - Mend

@authhero/multi-tenancy 14.19.0 → 14.20.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

package/dist/multi-tenancy.cjs +1 -1
package/dist/multi-tenancy.mjs +306 -281
package/dist/types/index.d.ts +1 -1
package/dist/types/index.d.ts.map +1 -1
package/dist/types/init.d.ts.map +1 -1
package/dist/types/middleware/index.d.ts +1 -1
package/dist/types/middleware/index.d.ts.map +1 -1
package/dist/types/middleware/settings-inheritance.d.ts +12 -2
package/dist/types/middleware/settings-inheritance.d.ts.map +1 -1
package/package.json +4 -4

package/dist/multi-tenancy.mjs CHANGED Viewed

@@ -1,30 +1,30 @@
-var x = Object.defineProperty;
-var ee = (e, t, n) => t in e ? x(e, t, { enumerable: !0, configurable: !0, writable: !0, value: n }) : e[t] = n;
-var E = (e, t, n) => ee(e, typeof t != "symbol" ? t + "" : t, n);
-import { Hono as te } from "hono";
-import { MANAGEMENT_API_SCOPES as ne, MANAGEMENT_API_AUDIENCE as J, fetchAll as q, auth0QuerySchema as re, tenantSchema as D, tenantInsertSchema as U, deepMergePatch as ae, connectionSchema as se, connectionOptionsSchema as oe, init as ie } from "authhero";
-import { OpenAPIHono as ce, createRoute as M, z as S } from "@hono/zod-openapi";
-function le(e) {
+var ee = Object.defineProperty;
+var te = (e, t, n) => t in e ? ee(e, t, { enumerable: !0, configurable: !0, writable: !0, value: n }) : e[t] = n;
+var E = (e, t, n) => te(e, typeof t != "symbol" ? t + "" : t, n);
+import { Hono as ne } from "hono";
+import { MANAGEMENT_API_SCOPES as re, MANAGEMENT_API_AUDIENCE as J, fetchAll as D, auth0QuerySchema as ae, tenantSchema as q, tenantInsertSchema as U, deepMergePatch as se, connectionSchema as oe, connectionOptionsSchema as ie, init as ce } from "authhero";
+import { OpenAPIHono as le, createRoute as M, z as I } from "@hono/zod-openapi";
+function ue(e) {
   const { controlPlaneTenantId: t, requireOrganizationMatch: n = !0 } = e;
   return {
     async onTenantAccessValidation(r, a) {
       if (a === t)
         return !0;
       if (n) {
-        const o = r.var.org_name, s = r.var.organization_id, i = o || s;
+        const s = r.var.org_name, c = r.var.organization_id, i = s || c;
         return i ? i.toLowerCase() === a.toLowerCase() : !1;
       }
       return !0;
     }
   };
 }
-function ue(e, t, n, r) {
+function de(e, t, n, r) {
   if (t === n)
     return !0;
   const a = r || e;
   return a ? a.toLowerCase() === t.toLowerCase() : !1;
 }
-function de(e) {
+function fe(e) {
   return {
     async resolveDataAdapters(t) {
       try {
@@ -39,7 +39,7 @@ function de(e) {
     }
   };
 }
-function fe(e) {
+function me(e) {
   return `urn:authhero:tenant:${e.toLowerCase()}`;
 }
 function X(e) {
@@ -47,51 +47,51 @@ function X(e) {
     async beforeCreate(t, n) {
       return !n.audience && n.id ? {
         ...n,
-        audience: fe(n.id)
+        audience: me(n.id)
       } : n;
     },
     async afterCreate(t, n) {
       const { accessControl: r, databaseIsolation: a } = e;
-      r && t.ctx && await me(t, n, r), a != null && a.onProvision && await a.onProvision(n.id);
+      r && t.ctx && await ge(t, n, r), a != null && a.onProvision && await a.onProvision(n.id);
     },
     async beforeDelete(t, n) {
       const { accessControl: r, databaseIsolation: a } = e;
       if (r)
         try {
-          const s = (await t.adapters.organizations.list(
+          const c = (await t.adapters.organizations.list(
             r.controlPlaneTenantId
           )).organizations.find((i) => i.name === n);
-          s && await t.adapters.organizations.remove(
+          c && await t.adapters.organizations.remove(
             r.controlPlaneTenantId,
-            s.id
+            c.id
           );
-        } catch (o) {
+        } catch (s) {
           console.warn(
             `Failed to remove organization for tenant ${n}:`,
-            o
+            s
           );
         }
       if (a != null && a.onDeprovision)
         try {
           await a.onDeprovision(n);
-        } catch (o) {
+        } catch (s) {
           console.warn(
             `Failed to deprovision database for tenant ${n}:`,
-            o
+            s
           );
         }
     }
   };
 }
-async function me(e, t, n) {
+async function ge(e, t, n) {
   const {
     controlPlaneTenantId: r,
     defaultPermissions: a,
-    defaultRoles: o,
-    issuer: s,
+    defaultRoles: s,
+    issuer: c,
     adminRoleName: i = "Tenant Admin",
     adminRoleDescription: u = "Full access to all tenant management operations",
-    addCreatorToOrganization: c = !0
+    addCreatorToOrganization: o = !0
   } = n, l = await e.adapters.organizations.create(
     r,
     {
@@ -100,14 +100,14 @@ async function me(e, t, n) {
     }
   );
   let g;
-  if (s && (g = await we(
+  if (c && (g = await pe(
     e,
     r,
     i,
     u
-  )), c && e.ctx) {
+  )), o && e.ctx) {
     const d = e.ctx.var.user;
-    if (d != null && d.sub && !await ge(
+    if (d != null && d.sub && !await we(
       e,
       r,
       d.sub
@@ -130,13 +130,13 @@ async function me(e, t, n) {
         );
       }
   }
-  o && o.length > 0 && console.log(
-    `Would assign roles ${o.join(", ")} to organization ${l.id}`
+  s && s.length > 0 && console.log(
+    `Would assign roles ${s.join(", ")} to organization ${l.id}`
   ), a && a.length > 0 && console.log(
     `Would grant permissions ${a.join(", ")} to organization ${l.id}`
   );
 }
-async function ge(e, t, n) {
+async function we(e, t, n) {
   const r = await e.adapters.userRoles.list(
     t,
     n,
@@ -155,26 +155,26 @@ async function ge(e, t, n) {
       return !0;
   return !1;
 }
-async function we(e, t, n, r) {
-  const o = (await e.adapters.roles.list(t, {})).roles.find((c) => c.name === n);
-  if (o)
-    return o.id;
-  const s = await e.adapters.roles.create(t, {
+async function pe(e, t, n, r) {
+  const s = (await e.adapters.roles.list(t, {})).roles.find((o) => o.name === n);
+  if (s)
+    return s.id;
+  const c = await e.adapters.roles.create(t, {
     name: n,
     description: r
-  }), i = J, u = ne.map((c) => ({
-    role_id: s.id,
+  }), i = J, u = re.map((o) => ({
+    role_id: c.id,
     resource_server_identifier: i,
-    permission_name: c.value
+    permission_name: o.value
   }));
   return await e.adapters.rolePermissions.assign(
     t,
-    s.id,
+    c.id,
     u
-  ), s.id;
+  ), c.id;
 }
 function G(e, t, n = () => !0) {
-  const { controlPlaneTenantId: r, getChildTenantIds: a, getAdapters: o } = e, s = /* @__PURE__ */ new Map();
+  const { controlPlaneTenantId: r, getChildTenantIds: a, getAdapters: s } = e, c = /* @__PURE__ */ new Map();
   async function i(l, g, d) {
     return (await t(l).list(g, {
       q: `name:${d}`,
@@ -182,11 +182,11 @@ function G(e, t, n = () => !0) {
     }))[0] ?? null;
   }
   async function u(l) {
-    const g = await a(), d = t(await o(r));
+    const g = await a(), d = t(await s(r));
     await Promise.all(
       g.map(async (f) => {
         try {
-          const m = await o(f), w = t(m), y = {
+          const m = await s(f), w = t(m), y = {
             ...d.transform(l),
             is_system: !0
           }, _ = await i(m, f, l.name), b = _ ? w.getId(_) : void 0;
@@ -204,12 +204,12 @@ function G(e, t, n = () => !0) {
       })
     );
   }
-  async function c(l) {
+  async function o(l) {
     const g = await a();
     await Promise.all(
       g.map(async (d) => {
         try {
-          const f = await o(d), m = t(f), w = await i(f, d, l), C = w ? m.getId(w) : void 0;
+          const f = await s(d), m = t(f), w = await i(f, d, l), C = w ? m.getId(w) : void 0;
           w && C && await m.remove(d, C);
         } catch (f) {
           console.error(
@@ -230,22 +230,22 @@ function G(e, t, n = () => !0) {
     beforeDelete: async (l, g) => {
       if (l.tenantId !== r) return;
       const f = await t(l.adapters).get(l.tenantId, g);
-      f && n(f) && s.set(g, f);
+      f && n(f) && c.set(g, f);
     },
     afterDelete: async (l, g) => {
       if (l.tenantId !== r) return;
-      const d = s.get(g);
-      d && (s.delete(g), await c(d.name));
+      const d = c.get(g);
+      d && (c.delete(g), await o(d.name));
     }
   };
 }
 function L(e, t, n = () => !0) {
-  const { controlPlaneTenantId: r, getControlPlaneAdapters: a, getAdapters: o } = e;
+  const { controlPlaneTenantId: r, getControlPlaneAdapters: a, getAdapters: s } = e;
   return {
-    async afterCreate(s, i) {
+    async afterCreate(c, i) {
       if (i.id !== r)
         try {
-          const u = await a(), c = await o(i.id), l = t(u), g = t(c), d = await q(
+          const u = await a(), o = await s(i.id), l = t(u), g = t(o), d = await D(
             (f) => l.listPaginated(r, f),
             l.listKey,
             { cursorField: "id", pageSize: 100 }
@@ -275,7 +275,7 @@ function L(e, t, n = () => !0) {
     }
   };
 }
-const H = (e) => ({
+const W = (e) => ({
   list: async (t, n) => (await e.resourceServers.list(t, n)).resource_servers,
   listPaginated: (t, n) => e.resourceServers.list(t, n),
   get: (t, n) => e.resourceServers.get(t, n),
@@ -293,7 +293,7 @@ const H = (e) => ({
     token_lifetime: t.token_lifetime,
     token_lifetime_for_web: t.token_lifetime_for_web
   })
-}), W = (e) => ({
+}), H = (e) => ({
   list: async (t, n) => (await e.roles.list(t, n)).roles,
   listPaginated: (t, n) => e.roles.list(t, n),
   get: (t, n) => e.roles.get(t, n),
@@ -312,26 +312,26 @@ function K(e) {
   var t;
   return ((t = e.metadata) == null ? void 0 : t.sync) !== !1;
 }
-function pe(e) {
-  const { sync: t = {}, filters: n = {} } = e, r = t.resourceServers ?? !0, a = t.roles ?? !0, o = (m) => K(m) ? n.resourceServers ? n.resourceServers(m) : !0 : !1, s = (m) => K(m) ? n.roles ? n.roles(m) : !0 : !1, i = r ? G(
-    e,
-    H,
-    o
-  ) : void 0, u = a ? G(e, W, s) : void 0, c = r ? L(
+function he(e) {
+  const { sync: t = {}, filters: n = {} } = e, r = t.resourceServers ?? !0, a = t.roles ?? !0, s = (m) => K(m) ? n.resourceServers ? n.resourceServers(m) : !0 : !1, c = (m) => K(m) ? n.roles ? n.roles(m) : !0 : !1, i = r ? G(
     e,
-    H,
-    o
-  ) : void 0, l = a ? L(
+    W,
+    s
+  ) : void 0, u = a ? G(e, H, c) : void 0, o = r ? L(
     e,
     W,
     s
+  ) : void 0, l = a ? L(
+    e,
+    H,
+    c
   ) : void 0, g = a ? {
     async afterCreate(m, w) {
       var C;
       if (w.id !== e.controlPlaneTenantId) {
         await ((C = l == null ? void 0 : l.afterCreate) == null ? void 0 : C.call(l, m, w));
         try {
-          const y = await e.getControlPlaneAdapters(), _ = await e.getAdapters(w.id), b = await q(
+          const y = await e.getControlPlaneAdapters(), _ = await e.getAdapters(w.id), b = await D(
             (p) => y.roles.list(
               e.controlPlaneTenantId,
               p
@@ -369,10 +369,10 @@ function pe(e) {
                 h.length > 0 && await _.rolePermissions.assign(
                   w.id,
                   T,
-                  h.map(($) => ({
+                  h.map((z) => ({
                     role_id: T,
-                    resource_server_identifier: $.resource_server_identifier,
-                    permission_name: $.permission_name
+                    resource_server_identifier: z.resource_server_identifier,
+                    permission_name: z.permission_name
                   }))
                 );
               } catch (h) {
@@ -405,7 +405,7 @@ function pe(e) {
     tenantHooks: {
       async afterCreate(m, w) {
         const C = [
-          c == null ? void 0 : c.afterCreate,
+          o == null ? void 0 : o.afterCreate,
           (g == null ? void 0 : g.afterCreate) ?? (l == null ? void 0 : l.afterCreate)
         ], y = [];
         for (const _ of C)
@@ -452,14 +452,14 @@ var A = class extends Error {
   }
 };
 function N(e, t) {
-  const n = new ce();
+  const n = new le();
   return n.openapi(
     M({
       tags: ["tenants"],
       method: "get",
       path: "/",
       request: {
-        query: re
+        query: ae
       },
       security: [
         {
@@ -470,11 +470,11 @@ function N(e, t) {
         200: {
           content: {
             "application/json": {
-              schema: S.object({
-                tenants: S.array(D),
-                start: S.number().optional(),
-                limit: S.number().optional(),
-                length: S.number().optional()
+              schema: I.object({
+                tenants: I.array(q),
+                start: I.number().optional(),
+                limit: I.number().optional(),
+                length: I.number().optional()
               })
             }
           },
@@ -484,27 +484,27 @@ function N(e, t) {
     }),
     async (r) => {
       var m, w, C, y, _, b;
-      const a = r.req.valid("query"), { page: o, per_page: s, include_totals: i, q: u } = a, c = r.var.user, l = (c == null ? void 0 : c.permissions) || [];
+      const a = r.req.valid("query"), { page: s, per_page: c, include_totals: i, q: u } = a, o = r.var.user, l = (o == null ? void 0 : o.permissions) || [];
       if (l.includes("auth:read") || l.includes("admin:organizations")) {
         const P = await r.env.data.tenants.list({
-          page: o,
-          per_page: s,
+          page: s,
+          per_page: c,
           include_totals: i,
           q: u
         });
         return i ? r.json({
           tenants: P.tenants,
           start: ((m = P.totals) == null ? void 0 : m.start) ?? 0,
-          limit: ((w = P.totals) == null ? void 0 : w.limit) ?? s,
+          limit: ((w = P.totals) == null ? void 0 : w.limit) ?? c,
           length: P.tenants.length
         }) : r.json({ tenants: P.tenants });
       }
       const d = ((C = e.accessControl) == null ? void 0 : C.controlPlaneTenantId) ?? ((y = r.env.data.multiTenancyConfig) == null ? void 0 : y.controlPlaneTenantId);
-      if (d && (c != null && c.sub)) {
-        const p = (await q(
+      if (d && (o != null && o.sub)) {
+        const p = (await D(
           (R) => r.env.data.userOrganizations.listUserOrganizations(
             d,
-            c.sub,
+            o.sub,
             R
           ),
           "organizations"
@@ -513,40 +513,40 @@ function N(e, t) {
           return i ? r.json({
             tenants: [],
             start: 0,
-            limit: s ?? 50,
+            limit: c ?? 50,
             length: 0
           }) : r.json({ tenants: [] });
-        const T = p.length, h = o ?? 0, $ = s ?? 50, F = h * $, j = p.slice(F, F + $);
+        const T = p.length, h = s ?? 0, z = c ?? 50, F = h * z, j = p.slice(F, F + z);
         if (j.length === 0)
           return i ? r.json({
             tenants: [],
             start: F,
-            limit: $,
+            limit: z,
             length: T
           }) : r.json({ tenants: [] });
-        const I = j.map((R) => `id:${R}`).join(" OR "), v = u ? `(${I}) AND (${u})` : I, z = await r.env.data.tenants.list({
+        const S = j.map((R) => `id:${R}`).join(" OR "), v = u ? `(${S}) AND (${u})` : S, $ = await r.env.data.tenants.list({
           q: v,
-          per_page: $,
+          per_page: z,
           include_totals: !1
           // We calculate totals from accessibleTenantIds
         });
         return i ? r.json({
-          tenants: z.tenants,
+          tenants: $.tenants,
           start: F,
-          limit: $,
+          limit: z,
           length: T
-        }) : r.json({ tenants: z.tenants });
+        }) : r.json({ tenants: $.tenants });
       }
       const f = await r.env.data.tenants.list({
-        page: o,
-        per_page: s,
+        page: s,
+        per_page: c,
         include_totals: i,
         q: u
       });
       return i ? r.json({
         tenants: f.tenants,
         start: ((_ = f.totals) == null ? void 0 : _.start) ?? 0,
-        limit: ((b = f.totals) == null ? void 0 : b.limit) ?? s,
+        limit: ((b = f.totals) == null ? void 0 : b.limit) ?? c,
         length: f.tenants.length
       }) : r.json({ tenants: f.tenants });
     }
@@ -573,7 +573,7 @@ function N(e, t) {
         201: {
           content: {
             "application/json": {
-              schema: D
+              schema: q
             }
           },
           description: "Tenant created"
@@ -587,20 +587,20 @@ function N(e, t) {
       }
     }),
     async (r) => {
-      var u, c;
+      var u, o;
       const a = r.var.user;
       if (!(a != null && a.sub))
         throw new A(401, {
           message: "Authentication required to create tenants"
         });
-      let o = r.req.valid("json");
-      const s = {
+      let s = r.req.valid("json");
+      const c = {
         adapters: r.env.data,
         ctx: r
       };
-      (u = t.tenants) != null && u.beforeCreate && (o = await t.tenants.beforeCreate(s, o));
-      const i = await r.env.data.tenants.create(o);
-      return (c = t.tenants) != null && c.afterCreate && await t.tenants.afterCreate(s, i), r.json(i, 201);
+      (u = t.tenants) != null && u.beforeCreate && (s = await t.tenants.beforeCreate(c, s));
+      const i = await r.env.data.tenants.create(s);
+      return (o = t.tenants) != null && o.afterCreate && await t.tenants.afterCreate(c, i), r.json(i, 201);
     }
   ), n.openapi(
     M({
@@ -608,8 +608,8 @@ function N(e, t) {
       method: "delete",
       path: "/{id}",
       request: {
-        params: S.object({
-          id: S.string()
+        params: I.object({
+          id: I.string()
         })
       },
       security: [
@@ -630,21 +630,21 @@ function N(e, t) {
       }
     }),
     async (r) => {
-      var u, c, l, g;
-      const { id: a } = r.req.valid("param"), o = ((u = e.accessControl) == null ? void 0 : u.controlPlaneTenantId) ?? ((c = r.env.data.multiTenancyConfig) == null ? void 0 : c.controlPlaneTenantId);
-      if (o) {
+      var u, o, l, g;
+      const { id: a } = r.req.valid("param"), s = ((u = e.accessControl) == null ? void 0 : u.controlPlaneTenantId) ?? ((o = r.env.data.multiTenancyConfig) == null ? void 0 : o.controlPlaneTenantId);
+      if (s) {
         const d = r.var.user;
         if (!(d != null && d.sub))
           throw new A(401, {
             message: "Authentication required"
           });
-        if (a === o)
+        if (a === s)
           throw new A(403, {
             message: "Cannot delete the control plane"
           });
-        if (!(await q(
+        if (!(await D(
           (w) => r.env.data.userOrganizations.listUserOrganizations(
-            o,
+            s,
             d.sub,
             w
           ),
@@ -670,8 +670,8 @@ function N(e, t) {
       method: "get",
       path: "/settings",
       request: {
-        headers: S.object({
-          "tenant-id": S.string().optional()
+        headers: I.object({
+          "tenant-id": I.string().optional()
         })
       },
       security: [
@@ -683,7 +683,7 @@ function N(e, t) {
         200: {
           content: {
             "application/json": {
-              schema: D
+              schema: q
             }
           },
           description: "Current tenant settings"
@@ -704,13 +704,13 @@ function N(e, t) {
       method: "patch",
       path: "/settings",
       request: {
-        headers: S.object({
-          "tenant-id": S.string().optional()
+        headers: I.object({
+          "tenant-id": I.string().optional()
         }),
         body: {
           content: {
             "application/json": {
-              schema: S.object(U.shape).partial()
+              schema: I.object(U.shape).partial()
             }
           }
         }
@@ -724,7 +724,7 @@ function N(e, t) {
         200: {
           content: {
             "application/json": {
-              schema: D
+              schema: q
             }
           },
           description: "Updated tenant settings"
@@ -732,23 +732,23 @@ function N(e, t) {
       }
     }),
     async (r) => {
-      const a = r.req.valid("json"), { id: o, ...s } = a, i = await r.env.data.tenants.get(r.var.tenant_id);
+      const a = r.req.valid("json"), { id: s, ...c } = a, i = await r.env.data.tenants.get(r.var.tenant_id);
       if (!i)
         throw new A(404, {
           message: "Tenant not found"
         });
-      const u = ae(i, s);
+      const u = se(i, c);
       await r.env.data.tenants.update(r.var.tenant_id, u);
-      const c = await r.env.data.tenants.get(r.var.tenant_id);
-      if (!c)
+      const o = await r.env.data.tenants.get(r.var.tenant_id);
+      if (!o)
         throw new A(500, {
           message: "Failed to retrieve updated tenant"
         });
-      return r.json(c);
+      return r.json(o);
     }
   ), n;
 }
-function he(e) {
+function ye(e) {
   const t = [
     {
       pattern: /\/api\/v2\/resource-servers\/([^/]+)$/,
@@ -764,7 +764,7 @@ function he(e) {
   }
   return null;
 }
-async function ye(e, t, n) {
+async function ve(e, t, n) {
   try {
     switch (n.type) {
       case "resource_server": {
@@ -786,26 +786,26 @@ async function ye(e, t, n) {
     return !1;
   }
 }
-function ve(e) {
+function _e(e) {
   return {
     resource_server: "resource server",
     role: "role",
     connection: "connection"
   }[e];
 }
-function _e() {
+function Ce() {
   return async (e, t) => {
     if (!["PATCH", "PUT", "DELETE"].includes(e.req.method))
       return t();
-    const n = he(e.req.path);
+    const n = ye(e.req.path);
     if (!n)
       return t();
     const r = e.var.tenant_id || e.req.header("x-tenant-id") || e.req.header("tenant-id");
     if (!r)
       return t();
-    if (await ye(e.env.data, r, n))
+    if (await ve(e.env.data, r, n))
       throw new A(403, {
-        message: `This ${ve(n.type)} is a system resource and cannot be modified. Make changes in the control plane instead.`
+        message: `This ${_e(n.type)} is a system resource and cannot be modified. Make changes in the control plane instead.`
       });
     return t();
   };
@@ -816,11 +816,11 @@ function k(e, t) {
   );
   if (!(n != null && n.options))
     return e;
-  const r = se.passthrough().parse({
+  const r = oe.passthrough().parse({
     ...n,
     ...e
   });
-  return r.options = oe.passthrough().parse({
+  return r.options = ie.passthrough().parse({
     ...n.options || {},
     ...e.options
   }), r;
@@ -829,7 +829,7 @@ function O(e, t) {
   const n = [...t || [], ...e || []];
   return [...new Set(n)];
 }
-function Ce(e, t) {
+function Te(e, t) {
   if (!(t != null && t.length))
     return e || [];
   if (!(e != null && e.length))
@@ -844,7 +844,7 @@ function Ce(e, t) {
 function Q(e, t) {
   return t ? {
     ...e,
-    scopes: Ce(
+    scopes: Te(
       e.scopes,
       t.scopes
     )
@@ -868,7 +868,64 @@ function V(e, t) {
     )
   } : e;
 }
-function Te(e, t) {
+function Y(e, t) {
+  return {
+    ...e.resourceServers,
+    get: async (n, r) => {
+      const a = await e.resourceServers.get(
+        n,
+        r
+      );
+      if (!a || !t || n === t || !a.is_system)
+        return a;
+      const s = await e.resourceServers.get(
+        t,
+        r
+      );
+      return Q(
+        a,
+        s
+      );
+    },
+    list: async (n, r) => {
+      const a = await e.resourceServers.list(n, r);
+      if (!t || n === t)
+        return a;
+      const s = t, c = a.resource_servers.filter(
+        (o) => !!(o.is_system && o.id)
+      ).map((o) => o.id);
+      if (c.length === 0)
+        return a;
+      const i = /* @__PURE__ */ new Map();
+      await Promise.all(
+        c.map(async (o) => {
+          const l = await e.resourceServers.get(s, o);
+          l && i.set(o, l);
+        })
+      );
+      const u = a.resource_servers.map(
+        (o) => o.is_system && o.id ? Q(
+          o,
+          i.get(o.id) ?? null
+        ) : o
+      );
+      return {
+        ...a,
+        resource_servers: u
+      };
+    }
+  };
+}
+function be(e, t) {
+  return {
+    ...e,
+    resourceServers: Y(
+      e,
+      t.controlPlaneTenantId
+    )
+  };
+}
+function Pe(e, t) {
   const { controlPlaneTenantId: n, controlPlaneClientId: r } = t;
   return {
     ...e,
@@ -879,46 +936,46 @@ function Te(e, t) {
     },
     connections: {
       ...e.connections,
-      get: async (a, o) => {
-        const s = await e.connections.get(
+      get: async (a, s) => {
+        const c = await e.connections.get(
           a,
-          o
+          s
         );
-        if (!s || !n || a === n)
-          return s;
+        if (!c || !n || a === n)
+          return c;
         const i = await e.connections.list(n);
         return k(
-          s,
+          c,
           i.connections || []
         );
       },
-      list: async (a, o) => {
-        const s = await e.connections.list(a, o);
+      list: async (a, s) => {
+        const c = await e.connections.list(a, s);
         if (!n || a === n)
-          return s;
-        const i = await e.connections.list(n), u = s.connections.map(
-          (c) => k(
-            c,
+          return c;
+        const i = await e.connections.list(n), u = c.connections.map(
+          (o) => k(
+            o,
             i.connections || []
           )
         );
         return {
-          ...s,
+          ...c,
           connections: u
         };
       }
     },
     clientConnections: {
       ...e.clientConnections,
-      listByClient: async (a, o) => {
-        let s = await e.clientConnections.listByClient(
+      listByClient: async (a, s) => {
+        let c = await e.clientConnections.listByClient(
           a,
-          o
+          s
         );
-        if (s.length === 0 && (s = (await e.connections.list(a)).connections || []), !n || a === n)
-          return s;
+        if (c.length === 0 && (c = (await e.connections.list(a)).connections || []), !n || a === n)
+          return c;
         const i = await e.connections.list(n);
-        return s.map(
+        return c.map(
           (u) => k(
             u,
             i.connections || []
@@ -928,107 +985,72 @@ function Te(e, t) {
     },
     clients: {
       ...e.clients,
-      get: async (a, o) => {
-        const s = await e.clients.get(a, o);
-        if (!s)
+      get: async (a, s) => {
+        const c = await e.clients.get(a, s);
+        if (!c)
           return null;
-        if (!n || !r || a === n && o === r)
-          return s;
+        if (!n || !r || a === n && s === r)
+          return c;
         const i = await e.clients.get(
           n,
           r
         );
-        return V(s, i);
+        return V(c, i);
       },
       getByClientId: async (a) => {
-        const o = await e.clients.getByClientId(a);
-        if (!o)
+        const s = await e.clients.getByClientId(a);
+        if (!s)
           return null;
-        if (!n || !r || o.tenant_id === n && o.client_id === r)
-          return o;
-        const s = await e.clients.get(
+        if (!n || !r || s.tenant_id === n && s.client_id === r)
+          return s;
+        const c = await e.clients.get(
           n,
           r
         );
         return {
-          ...V(o, s),
-          tenant_id: o.tenant_id
+          ...V(s, c),
+          tenant_id: s.tenant_id
         };
       }
     },
     emailProviders: {
       ...e.emailProviders,
       get: async (a) => {
-        const o = await e.emailProviders.get(a);
-        return o || (!n || a === n ? null : e.emailProviders.get(n));
+        const s = await e.emailProviders.get(a);
+        return s || (!n || a === n ? null : e.emailProviders.get(n));
       }
     },
-    resourceServers: {
-      ...e.resourceServers,
-      get: async (a, o) => {
-        const s = await e.resourceServers.get(
-          a,
-          o
-        );
-        if (!s || !n || a === n)
-          return s;
-        const u = (await e.resourceServers.list(
-          n,
-          { q: `identifier:${s.identifier}`, per_page: 1 }
-        )).resource_servers[0] ?? null;
-        return Q(
-          s,
-          u
-        );
-      },
-      list: async (a, o) => {
-        const s = await e.resourceServers.list(
-          a,
-          o
-        );
-        if (!n || a === n)
-          return s;
-        const i = await e.resourceServers.list(n), u = new Map(
-          i.resource_servers.map((l) => [l.identifier, l])
-        ), c = s.resource_servers.map(
-          (l) => Q(
-            l,
-            u.get(l.identifier) ?? null
-          )
-        );
-        return {
-          ...s,
-          resource_servers: c
-        };
-      }
-    }
+    resourceServers: Y(
+      e,
+      n
+    )
     // Note: Additional adapters can be extended here for runtime fallback:
     // - promptSettings: Fall back to control plane prompts
     // - branding: Fall back to control plane branding/themes
   };
 }
-function Y(e, t) {
-  return Te(e, t);
+function Z(e, t) {
+  return Pe(e, t);
 }
-function be(e) {
+function Ae(e) {
   return async (t, n) => {
     const r = t.var.user;
     return (r == null ? void 0 : r.tenant_id) === e && r.org_name && t.set("tenant_id", r.org_name), n();
   };
 }
-function Pe(e) {
+function Se(e) {
   return async (t, n) => {
     if (!e.accessControl)
       return n();
-    const { controlPlaneTenantId: r } = e.accessControl, a = t.var.org_name, o = t.var.organization_id, s = a || o;
+    const { controlPlaneTenantId: r } = e.accessControl, a = t.var.org_name, s = t.var.organization_id, c = a || s;
     let i = t.var.tenant_id;
     const u = t.var.user, l = (u != null && u.aud ? Array.isArray(u.aud) ? u.aud : [u.aud] : []).includes(J);
-    if (!i && s && l && (t.set("tenant_id", s), i = s), !i)
+    if (!i && c && l && (t.set("tenant_id", c), i = c), !i)
       throw new A(400, {
         message: "Tenant ID not found in request"
       });
-    if (!ue(
-      o,
+    if (!de(
+      s,
       i,
       r,
       a
@@ -1039,32 +1061,32 @@ function Pe(e) {
     return n();
   };
 }
-function Ae(e) {
+function Ie(e) {
   return async (t, n) => {
     if (!e.subdomainRouting)
       return n();
     const {
       baseDomain: r,
       reservedSubdomains: a = [],
-      resolveSubdomain: o
-    } = e.subdomainRouting, s = t.req.header("x-forwarded-host") || t.req.header("host") || "";
+      resolveSubdomain: s
+    } = e.subdomainRouting, c = t.req.header("x-forwarded-host") || t.req.header("host") || "";
     let i = null;
-    if (s.endsWith(r)) {
-      const c = s.slice(0, -(r.length + 1));
-      c && !c.includes(".") && (i = c);
+    if (c.endsWith(r)) {
+      const o = c.slice(0, -(r.length + 1));
+      o && !o.includes(".") && (i = o);
     }
     if (i && a.includes(i) && (i = null), !i)
       return e.accessControl && t.set("tenant_id", e.accessControl.controlPlaneTenantId), n();
     let u = null;
-    if (o)
-      u = await o(i);
+    if (s)
+      u = await s(i);
     else if (e.subdomainRouting.useOrganizations !== !1 && e.accessControl)
       try {
-        const c = await t.env.data.organizations.get(
+        const o = await t.env.data.organizations.get(
           e.accessControl.controlPlaneTenantId,
           i
         );
-        c && (u = c.id);
+        o && (u = o.id);
       } catch {
       }
     if (!u)
@@ -1074,7 +1096,7 @@ function Ae(e) {
     return t.set("tenant_id", u), n();
   };
 }
-function Ie(e) {
+function Re(e) {
   return async (t, n) => {
     if (!e.databaseIsolation)
       return n();
@@ -1097,14 +1119,14 @@ function Ie(e) {
     return n();
   };
 }
-function Z(e) {
-  const t = Ae(e), n = Pe(e), r = Ie(e);
-  return async (a, o) => (await t(a, async () => {
+function x(e) {
+  const t = Ie(e), n = Se(e), r = Re(e);
+  return async (a, s) => (await t(a, async () => {
   }), await n(a, async () => {
   }), await r(a, async () => {
-  }), o());
+  }), s());
 }
-function je(e) {
+function De(e) {
   const {
     dataAdapter: t,
     controlPlane: n,
@@ -1112,32 +1134,34 @@ function je(e) {
       tenantId: r = "control_plane",
       clientId: a
     } = {},
-    sync: o = { resourceServers: !0, roles: !0 },
-    defaultPermissions: s = ["tenant:admin"],
+    sync: s = { resourceServers: !0, roles: !0 },
+    defaultPermissions: c = ["tenant:admin"],
     requireOrganizationMatch: i = !1,
     managementApiExtensions: u = [],
-    entityHooks: c,
+    entityHooks: o,
     getChildTenantIds: l,
     getAdapters: g,
     ...d
   } = e;
   let f = t, m = t;
-  n && (f = Y(t, {
+  n && (f = Z(t, {
     controlPlaneTenantId: r,
     controlPlaneClientId: a
   }), m = {
-    ...t,
+    ...be(t, {
+      controlPlaneTenantId: r
+    }),
     multiTenancyConfig: {
       controlPlaneTenantId: r,
       controlPlaneClientId: a
     }
   });
-  const w = o !== !1, C = w ? {
-    resourceServers: o.resourceServers ?? !0,
-    roles: o.roles ?? !0
+  const w = s !== !1, C = w ? {
+    resourceServers: s.resourceServers ?? !0,
+    roles: s.roles ?? !0
   } : { resourceServers: !1, roles: !1 }, b = {
     controlPlaneTenantId: r,
-    getChildTenantIds: l ?? (async () => (await q(
+    getChildTenantIds: l ?? (async () => (await D(
       (v) => f.tenants.list(v),
       "tenants",
       { cursorField: "id", pageSize: 100 }
@@ -1145,43 +1169,43 @@ function je(e) {
     getAdapters: g ?? (async () => f),
     getControlPlaneAdapters: async () => f,
     sync: C
-  }, { entityHooks: P, tenantHooks: p } = pe(b), T = {
+  }, { entityHooks: P, tenantHooks: p } = he(b), T = {
     resourceServers: [
       P.resourceServers,
-      ...(c == null ? void 0 : c.resourceServers) ?? []
+      ...(o == null ? void 0 : o.resourceServers) ?? []
     ],
-    roles: [P.roles, ...(c == null ? void 0 : c.roles) ?? []],
-    connections: (c == null ? void 0 : c.connections) ?? [],
-    tenants: (c == null ? void 0 : c.tenants) ?? [],
-    rolePermissions: (c == null ? void 0 : c.rolePermissions) ?? []
+    roles: [P.roles, ...(o == null ? void 0 : o.roles) ?? []],
+    connections: (o == null ? void 0 : o.connections) ?? [],
+    tenants: (o == null ? void 0 : o.tenants) ?? [],
+    rolePermissions: (o == null ? void 0 : o.rolePermissions) ?? []
   }, h = X({
     accessControl: {
       controlPlaneTenantId: r,
       requireOrganizationMatch: i,
-      defaultPermissions: s
+      defaultPermissions: c
     }
   }), F = N(
     {
       accessControl: {
         controlPlaneTenantId: r,
         requireOrganizationMatch: i,
-        defaultPermissions: s
+        defaultPermissions: c
       }
     },
     { tenants: {
-      async beforeCreate(I, v) {
-        return h.beforeCreate && (v = await h.beforeCreate(I, v)), p.beforeCreate && (v = await p.beforeCreate(I, v)), v;
+      async beforeCreate(S, v) {
+        return h.beforeCreate && (v = await h.beforeCreate(S, v)), p.beforeCreate && (v = await p.beforeCreate(S, v)), v;
       },
-      async afterCreate(I, v) {
-        var z, R;
-        await ((z = h.afterCreate) == null ? void 0 : z.call(h, I, v)), await ((R = p.afterCreate) == null ? void 0 : R.call(p, I, v));
+      async afterCreate(S, v) {
+        var $, R;
+        await (($ = h.afterCreate) == null ? void 0 : $.call(h, S, v)), await ((R = p.afterCreate) == null ? void 0 : R.call(p, S, v));
       },
-      async beforeDelete(I, v) {
-        var z, R;
-        await ((z = h.beforeDelete) == null ? void 0 : z.call(h, I, v)), await ((R = p.beforeDelete) == null ? void 0 : R.call(p, I, v));
+      async beforeDelete(S, v) {
+        var $, R;
+        await (($ = h.beforeDelete) == null ? void 0 : $.call(h, S, v)), await ((R = p.beforeDelete) == null ? void 0 : R.call(p, S, v));
       }
     } }
-  ), { app: j } = ie({
+  ), { app: j } = ce({
     dataAdapter: f,
     managementDataAdapter: m,
     ...d,
@@ -1193,15 +1217,15 @@ function je(e) {
   });
   return j.use(
     "/api/v2/*",
-    be(r)
-  ), w && j.use("/api/v2/*", _e()), { app: j, controlPlaneTenantId: r };
+    Ae(r)
+  ), w && j.use("/api/v2/*", Ce()), { app: j, controlPlaneTenantId: r };
 }
-function Me(e) {
+function qe(e) {
   const t = B(e);
   return {
     name: "multi-tenancy",
     // Apply multi-tenancy middleware for subdomain routing, database resolution, etc.
-    middleware: Z(e),
+    middleware: x(e),
     // Provide lifecycle hooks
     hooks: t,
     // Mount tenant management routes
@@ -1222,22 +1246,22 @@ function Me(e) {
   };
 }
 function B(e) {
-  const t = e.accessControl ? le(e.accessControl) : {}, n = e.databaseIsolation ? de(e.databaseIsolation) : {}, r = X(e);
+  const t = e.accessControl ? ue(e.accessControl) : {}, n = e.databaseIsolation ? fe(e.databaseIsolation) : {}, r = X(e);
   return {
     ...t,
     ...n,
     tenants: r
   };
 }
-function Se(e) {
-  const t = new te(), n = B(e);
+function ze(e) {
+  const t = new ne(), n = B(e);
   return t.route("/tenants", N(e, n)), t;
 }
-function qe(e) {
+function Oe(e) {
   return {
     hooks: B(e),
-    middleware: Z(e),
-    app: Se(e),
+    middleware: x(e),
+    app: ze(e),
     config: e,
     /**
      * Wraps data adapters with runtime fallback from the control plane.
@@ -1249,7 +1273,7 @@ function qe(e) {
      */
     wrapAdapters: (t, n) => {
       var r;
-      return Y(t, {
+      return Z(t, {
         controlPlaneTenantId: (r = e.accessControl) == null ? void 0 : r.controlPlaneTenantId,
         controlPlaneClientId: n == null ? void 0 : n.controlPlaneClientId
       });
@@ -1257,23 +1281,24 @@ function qe(e) {
   };
 }
 export {
-  le as createAccessControlHooks,
-  Pe as createAccessControlMiddleware,
-  be as createControlPlaneTenantMiddleware,
-  de as createDatabaseHooks,
-  Ie as createDatabaseMiddleware,
-  Se as createMultiTenancy,
+  ue as createAccessControlHooks,
+  Se as createAccessControlMiddleware,
+  Ae as createControlPlaneTenantMiddleware,
+  fe as createDatabaseHooks,
+  Re as createDatabaseMiddleware,
+  ze as createMultiTenancy,
   B as createMultiTenancyHooks,
-  Z as createMultiTenancyMiddleware,
-  Me as createMultiTenancyPlugin,
-  _e as createProtectSyncedMiddleware,
+  x as createMultiTenancyMiddleware,
+  qe as createMultiTenancyPlugin,
+  Ce as createProtectSyncedMiddleware,
   X as createProvisioningHooks,
-  Te as createRuntimeFallbackAdapter,
-  Ae as createSubdomainMiddleware,
-  pe as createSyncHooks,
+  Pe as createRuntimeFallbackAdapter,
+  Ie as createSubdomainMiddleware,
+  he as createSyncHooks,
   N as createTenantsOpenAPIRouter,
-  je as initMultiTenant,
-  qe as setupMultiTenancy,
-  ue as validateTenantAccess,
-  Y as withRuntimeFallback
+  De as initMultiTenant,
+  Oe as setupMultiTenancy,
+  de as validateTenantAccess,
+  Z as withRuntimeFallback,
+  be as withSystemResourceServerInheritance
 };