@authhero/multi-tenancy 14.2.0 → 14.3.0

package/dist/types/hooks/sync.d.ts

@@ -0,0 +1,79 @@
+import { DataAdapters, Role, RoleInsert, ResourceServer, ResourceServerInsert, EntityHooks } from "authhero";
+import { TenantEntityHooks } from "../types";
+/**
+ * Configuration for entity synchronization
+ */
+export interface EntitySyncConfig {
+    /**
+     * The control plane tenant ID from which entities are synced
+     */
+    controlPlaneTenantId: string;
+    /**
+     * Function to get the list of all tenant IDs to sync to.
+     */
+    getChildTenantIds: () => Promise<string[]>;
+    /**
+     * Function to get adapters for a specific tenant.
+     */
+    getAdapters: (tenantId: string) => Promise<DataAdapters>;
+    /**
+     * Function to get adapters for the control plane (used for tenant creation sync).
+     */
+    getControlPlaneAdapters: () => Promise<DataAdapters>;
+    /**
+     * Which entities to sync. All default to true.
+     * Note: Connections are NOT synced - they use runtime fallback by strategy instead.
+     */
+    sync?: {
+        resourceServers?: boolean;
+        roles?: boolean;
+    };
+    /**
+     * Optional filters for each entity type
+     */
+    filters?: {
+        resourceServers?: (entity: ResourceServer) => boolean;
+        roles?: (entity: Role) => boolean;
+    };
+}
+/**
+ * Result from createSyncHooks containing all entity and tenant hooks
+ *
+ * Note: Connections are NOT synced - they use runtime fallback by strategy instead.
+ * Tenants can define a connection with a strategy (e.g., "google") and leave keys blank,
+ * and the system will fallback to the control plane's connection with the same strategy.
+ */
+export interface SyncHooksResult {
+    entityHooks: {
+        resourceServers?: EntityHooks<ResourceServer, ResourceServerInsert>;
+        roles?: EntityHooks<Role, RoleInsert>;
+    };
+    tenantHooks: TenantEntityHooks;
+}
+/**
+ * Creates all sync hooks for resource servers and roles.
+ *
+ * This is the main entry point for entity synchronization. It creates hooks that:
+ * - Sync changes from control plane to all child tenants (create, update, delete)
+ * - Copy entities to newly created tenants
+ *
+ * Note: Connections are NOT synced. Instead, they use runtime fallback by strategy.
+ * Tenants can define a connection with a strategy (e.g., "google") and leave keys blank,
+ * and the system will fallback to the control plane's connection with the same strategy.
+ *
+ * @param config - Sync configuration
+ * @returns Object with entityHooks and tenantHooks ready to use
+ *
+ * @example
+ * ```typescript
+ * const { entityHooks, tenantHooks } = createSyncHooks({
+ *   controlPlaneTenantId: "main",
+ *   getChildTenantIds: async () => ["tenant1", "tenant2"],
+ *   getAdapters: async () => dataAdapter,
+ *   getControlPlaneAdapters: async () => dataAdapter,
+ *   sync: { resourceServers: true, roles: true },
+ * });
+ * ```
+ */
+export declare function createSyncHooks(config: EntitySyncConfig): SyncHooksResult;
+//# sourceMappingURL=sync.d.ts.map

package/dist/types/hooks/sync.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sync.d.ts","sourceRoot":"","sources":["../../../src/hooks/sync.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,YAAY,EACZ,IAAI,EACJ,UAAU,EACV,cAAc,EACd,oBAAoB,EAGpB,WAAW,EAEZ,MAAM,UAAU,CAAC;AAClB,OAAO,EAAE,iBAAiB,EAAqB,MAAM,UAAU,CAAC;AAEhE;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B;;OAEG;IACH,oBAAoB,EAAE,MAAM,CAAC;IAE7B;;OAEG;IACH,iBAAiB,EAAE,MAAM,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IAE3C;;OAEG;IACH,WAAW,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,YAAY,CAAC,CAAC;IAEzD;;OAEG;IACH,uBAAuB,EAAE,MAAM,OAAO,CAAC,YAAY,CAAC,CAAC;IAErD;;;OAGG;IACH,IAAI,CAAC,EAAE;QACL,eAAe,CAAC,EAAE,OAAO,CAAC;QAC1B,KAAK,CAAC,EAAE,OAAO,CAAC;KACjB,CAAC;IAEF;;OAEG;IACH,OAAO,CAAC,EAAE;QACR,eAAe,CAAC,EAAE,CAAC,MAAM,EAAE,cAAc,KAAK,OAAO,CAAC;QACtD,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,IAAI,KAAK,OAAO,CAAC;KACnC,CAAC;CACH;AAoQD;;;;;;GAMG;AACH,MAAM,WAAW,eAAe;IAC9B,WAAW,EAAE;QACX,eAAe,CAAC,EAAE,WAAW,CAAC,cAAc,EAAE,oBAAoB,CAAC,CAAC;QACpE,KAAK,CAAC,EAAE,WAAW,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;KACvC,CAAC;IACF,WAAW,EAAE,iBAAiB,CAAC;CAChC;AAED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,wBAAgB,eAAe,CAAC,MAAM,EAAE,gBAAgB,GAAG,eAAe,CA6KzE"}

package/dist/types/index.d.ts

@@ -0,0 +1,117 @@
+import { Hono } from "hono";
+import { MultiTenancyConfig, MultiTenancyHooks, MultiTenancyBindings, MultiTenancyVariables } from "./types";
+export * from "./types";
+export { initMultiTenant } from "./init";
+export type { MultiTenantConfig, MultiTenantResult } from "./init";
+export { createSyncHooks } from "./hooks/sync";
+export type { EntitySyncConfig, SyncHooksResult } from "./hooks/sync";
+export { createTenantsOpenAPIRouter } from "./routes";
+export { createMultiTenancyMiddleware, createAccessControlMiddleware, createControlPlaneTenantMiddleware, createSubdomainMiddleware, createDatabaseMiddleware, createProtectSyncedMiddleware, createRuntimeFallbackAdapter, withRuntimeFallback, createSettingsInheritanceAdapter, withSettingsInheritance, } from "./middleware";
+export type { RuntimeFallbackConfig, SettingsInheritanceConfig, } from "./middleware";
+export { createMultiTenancyPlugin } from "./plugin";
+export type { AuthHeroPlugin } from "./plugin";
+export { createAccessControlHooks, createDatabaseHooks, createProvisioningHooks, } from "./hooks";
+export { validateTenantAccess } from "./hooks/access-control";
+export type { DatabaseFactory } from "./hooks/database";
+/**
+ * Creates multi-tenancy hooks from configuration.
+ *
+ * This combines access control, database resolution, and provisioning hooks
+ * into a single hooks object that can be passed to AuthHero.
+ *
+ * @param config - Multi-tenancy configuration
+ * @returns Combined hooks for multi-tenancy support
+ *
+ * @example
+ * ```typescript
+ * import { createMultiTenancyHooks } from "@authhero/multi-tenancy";
+ *
+ * const hooks = createMultiTenancyHooks({
+ *   accessControl: {
+ *     controlPlaneTenantId: "control_plane",
+ *     defaultPermissions: ["tenant:admin"],
+ *   },
+ *   databaseIsolation: {
+ *     getAdapters: async (tenantId) => getDatabase(tenantId),
+ *   },
+ * });
+ * ```
+ */
+export declare function createMultiTenancyHooks(config: MultiTenancyConfig): MultiTenancyHooks;
+/**
+ * Creates a complete multi-tenancy Hono app with routes and middleware.
+ *
+ * This creates a Hono app with:
+ * - Tenant management routes (CRUD for tenants)
+ * - Access control middleware
+ * - Subdomain routing (optional)
+ * - Database resolution (optional)
+ *
+ * @param config - Multi-tenancy configuration
+ * @returns Hono app with multi-tenancy routes
+ *
+ * @example
+ * ```typescript
+ * import { createMultiTenancy } from "@authhero/multi-tenancy";
+ *
+ * const multiTenancyApp = createMultiTenancy({
+ *   accessControl: {
+ *     controlPlaneTenantId: "main",
+ *   },
+ * });
+ *
+ * // Mount on your main app
+ * app.route("/management", multiTenancyApp);
+ * ```
+ */
+export declare function createMultiTenancy(config: MultiTenancyConfig): Hono<{
+    Bindings: MultiTenancyBindings;
+    Variables: MultiTenancyVariables;
+}, import("hono/types").BlankSchema, "/">;
+/**
+ * Creates a multi-tenancy setup with both hooks and middleware.
+ *
+ * This is a convenience function that returns everything needed to
+ * integrate multi-tenancy into an AuthHero application.
+ *
+ * @param config - Multi-tenancy configuration
+ * @returns Object with hooks, middleware, and routes
+ *
+ * @example
+ * ```typescript
+ * import { setupMultiTenancy } from "@authhero/multi-tenancy";
+ *
+ * const multiTenancy = setupMultiTenancy({
+ *   accessControl: {
+ *     controlPlaneTenantId: "main",
+ *   },
+ *   subdomainRouting: {
+ *     baseDomain: "auth.example.com",
+ *   },
+ * });
+ *
+ * // Use the middleware
+ * app.use("*", multiTenancy.middleware);
+ *
+ * // Mount the routes
+ * app.route("/management", multiTenancy.app);
+ *
+ * // Pass hooks to AuthHero
+ * const authhero = createAuthhero({
+ *   hooks: multiTenancy.hooks,
+ * });
+ * ```
+ */
+export declare function setupMultiTenancy(config: MultiTenancyConfig): {
+    hooks: MultiTenancyHooks;
+    middleware: import("hono").MiddlewareHandler<{
+        Bindings: MultiTenancyBindings;
+        Variables: MultiTenancyVariables;
+    }>;
+    app: Hono<{
+        Bindings: MultiTenancyBindings;
+        Variables: MultiTenancyVariables;
+    }, import("hono/types").BlankSchema, "/">;
+    config: MultiTenancyConfig;
+};
+//# sourceMappingURL=index.d.ts.map

package/dist/types/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,EACL,kBAAkB,EAClB,iBAAiB,EACjB,oBAAoB,EACpB,qBAAqB,EACtB,MAAM,SAAS,CAAC;AAUjB,cAAc,SAAS,CAAC;AAGxB,OAAO,EAAE,eAAe,EAAE,MAAM,QAAQ,CAAC;AACzC,YAAY,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,MAAM,QAAQ,CAAC;AAGnE,OAAO,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAC/C,YAAY,EAAE,gBAAgB,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAEtE,OAAO,EAAE,0BAA0B,EAAE,MAAM,UAAU,CAAC;AAEtD,OAAO,EACL,4BAA4B,EAC5B,6BAA6B,EAC7B,kCAAkC,EAClC,yBAAyB,EACzB,wBAAwB,EACxB,6BAA6B,EAC7B,4BAA4B,EAC5B,mBAAmB,EAEnB,gCAAgC,EAChC,uBAAuB,GACxB,MAAM,cAAc,CAAC;AACtB,YAAY,EACV,qBAAqB,EACrB,yBAAyB,GAC1B,MAAM,cAAc,CAAC;AAEtB,OAAO,EAAE,wBAAwB,EAAE,MAAM,UAAU,CAAC;AACpD,YAAY,EAAE,cAAc,EAAE,MAAM,UAAU,CAAC;AAG/C,OAAO,EACL,wBAAwB,EACxB,mBAAmB,EACnB,uBAAuB,GACxB,MAAM,SAAS,CAAC;AACjB,OAAO,EAAE,oBAAoB,EAAE,MAAM,wBAAwB,CAAC;AAC9D,YAAY,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAExD;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,wBAAgB,uBAAuB,CACrC,MAAM,EAAE,kBAAkB,GACzB,iBAAiB,CAgBnB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,kBAAkB;cAE/C,oBAAoB;eACnB,qBAAqB;0CASnC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,kBAAkB;;;;;;;kBA9C9C,oBAAoB;mBACnB,qBAAqB;;;EAoDnC"}

package/dist/types/init.d.ts

@@ -0,0 +1,110 @@
+import { init, AuthHeroConfig, DataAdapters } from "authhero";
+/**
+ * Configuration for multi-tenant AuthHero initialization.
+ */
+export interface MultiTenantConfig extends Omit<AuthHeroConfig, "entityHooks" | "managementApiExtensions"> {
+    /**
+     * The control plane tenant ID - the tenant that manages all other tenants.
+     * @default "control_plane"
+     */
+    controlPlaneTenantId?: string;
+    /**
+     * Control which entities to sync from control plane to child tenants.
+     * Set to `false` to disable all syncing.
+     * @default { resourceServers: true, roles: true }
+     */
+    sync?: {
+        resourceServers?: boolean;
+        roles?: boolean;
+    } | false;
+    /**
+     * Default permissions to grant when creating a tenant organization.
+     * @default ["tenant:admin"]
+     */
+    defaultPermissions?: string[];
+    /**
+     * Whether to require organization match for tenant access.
+     * @default false
+     */
+    requireOrganizationMatch?: boolean;
+    /**
+     * Additional management API extensions to mount.
+     * The tenants router is automatically added.
+     */
+    managementApiExtensions?: AuthHeroConfig["managementApiExtensions"];
+    /**
+     * Additional entity hooks to merge with sync hooks.
+     * Sync hooks will be called first, then your custom hooks.
+     */
+    entityHooks?: AuthHeroConfig["entityHooks"];
+    /**
+     * Custom function to get child tenant IDs.
+     * By default, queries all tenants except the control plane.
+     */
+    getChildTenantIds?: () => Promise<string[]>;
+    /**
+     * Custom function to get adapters for a specific tenant.
+     * By default, returns the main dataAdapter for all tenants.
+     * Override this for per-tenant database isolation.
+     */
+    getAdapters?: (tenantId: string) => Promise<DataAdapters>;
+}
+/**
+ * Result from initMultiTenant
+ */
+export interface MultiTenantResult {
+    /** The configured Hono app */
+    app: ReturnType<typeof init>["app"];
+    /** The control plane tenant ID */
+    controlPlaneTenantId: string;
+}
+/**
+ * Initialize a multi-tenant AuthHero application with sensible defaults.
+ *
+ * This is the easiest way to set up multi-tenancy. It automatically:
+ * - Creates sync hooks for resource servers and roles
+ * - Mounts the tenants management API at `/tenants`
+ * - Adds middleware to protect synced entities on child tenants
+ * - Sets up organization-based access control
+ *
+ * @param config - Multi-tenant configuration
+ * @returns The configured app and control plane tenant ID
+ *
+ * @example
+ * ```typescript
+ * import { initMultiTenant } from "@authhero/multi-tenancy";
+ * import createAdapters from "@authhero/kysely-adapter";
+ *
+ * const dataAdapter = createAdapters(db);
+ *
+ * const { app } = initMultiTenant({
+ *   dataAdapter,
+ *   // That's it! Everything else has sensible defaults.
+ * });
+ *
+ * export default app;
+ * ```
+ *
+ * @example With customization
+ * ```typescript
+ * const { app } = initMultiTenant({
+ *   dataAdapter,
+ *   controlPlaneTenantId: "main",
+ *   sync: {
+ *     resourceServers: true,
+ *     roles: false, // Don't sync roles
+ *   },
+ *   defaultPermissions: ["tenant:admin", "tenant:read"],
+ * });
+ * ```
+ *
+ * @example Disable syncing entirely
+ * ```typescript
+ * const { app } = initMultiTenant({
+ *   dataAdapter,
+ *   sync: false, // Each tenant manages their own entities
+ * });
+ * ```
+ */
+export declare function initMultiTenant(config: MultiTenantConfig): MultiTenantResult;
+//# sourceMappingURL=init.d.ts.map

package/dist/types/init.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"init.d.ts","sourceRoot":"","sources":["../../src/init.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,cAAc,EAAY,YAAY,EAAU,MAAM,UAAU,CAAC;AAQhF;;GAEG;AACH,MAAM,WAAW,iBAAkB,SAAQ,IAAI,CAC7C,cAAc,EACd,aAAa,GAAG,yBAAyB,CAC1C;IACC;;;OAGG;IACH,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAE9B;;;;OAIG;IACH,IAAI,CAAC,EACD;QACE,eAAe,CAAC,EAAE,OAAO,CAAC;QAC1B,KAAK,CAAC,EAAE,OAAO,CAAC;KACjB,GACD,KAAK,CAAC;IAEV;;;OAGG;IACH,kBAAkB,CAAC,EAAE,MAAM,EAAE,CAAC;IAE9B;;;OAGG;IACH,wBAAwB,CAAC,EAAE,OAAO,CAAC;IAEnC;;;OAGG;IACH,uBAAuB,CAAC,EAAE,cAAc,CAAC,yBAAyB,CAAC,CAAC;IAEpE;;;OAGG;IACH,WAAW,CAAC,EAAE,cAAc,CAAC,aAAa,CAAC,CAAC;IAE5C;;;OAGG;IACH,iBAAiB,CAAC,EAAE,MAAM,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IAE5C;;;;OAIG;IACH,WAAW,CAAC,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,YAAY,CAAC,CAAC;CAC3D;AAED;;GAEG;AACH,MAAM,WAAW,iBAAiB;IAChC,8BAA8B;IAC9B,GAAG,EAAE,UAAU,CAAC,OAAO,IAAI,CAAC,CAAC,KAAK,CAAC,CAAC;IACpC,kCAAkC;IAClC,oBAAoB,EAAE,MAAM,CAAC;CAC9B;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA+CG;AACH,wBAAgB,eAAe,CAAC,MAAM,EAAE,iBAAiB,GAAG,iBAAiB,CAkG5E"}

package/dist/types/middleware/index.d.ts

@@ -0,0 +1,114 @@
+import { MiddlewareHandler } from "hono";
+import { MultiTenancyBindings, MultiTenancyVariables, MultiTenancyConfig } from "../types";
+/**
+ * Creates middleware that resolves tenant_id from org_name for control plane users.
+ *
+ * When a user authenticates to the control plane tenant and has an org_name claim,
+ * this middleware sets the tenant_id to the org_name, allowing them to access
+ * that child tenant's resources.
+ *
+ * @param controlPlaneTenantId - The ID of the control plane tenant
+ * @returns Hono middleware handler
+ *
+ * @example
+ * ```typescript
+ * import { createControlPlaneTenantMiddleware } from "@authhero/multi-tenancy";
+ *
+ * const middleware = createControlPlaneTenantMiddleware("control_plane");
+ *
+ * app.use("/api/*", middleware);
+ * ```
+ */
+export declare function createControlPlaneTenantMiddleware(controlPlaneTenantId: string): MiddlewareHandler<{
+    Bindings: MultiTenancyBindings;
+    Variables: MultiTenancyVariables;
+}>;
+/**
+ * Creates middleware for validating organization-based tenant access.
+ *
+ * This middleware checks that the token's organization claim matches
+ * the target tenant ID, implementing the access control model where:
+ *
+ * - Control plane: Accessible without an organization claim
+ * - Child tenants: Require an organization claim matching the tenant ID
+ *
+ * @param config - Multi-tenancy configuration
+ * @returns Hono middleware handler
+ *
+ * @example
+ * ```typescript
+ * import { createAccessControlMiddleware } from "@authhero/multi-tenancy";
+ *
+ * const middleware = createAccessControlMiddleware({
+ *   accessControl: {
+ *     controlPlaneTenantId: "main",
+ *   },
+ * });
+ *
+ * app.use("/api/*", middleware);
+ * ```
+ */
+export declare function createAccessControlMiddleware(config: MultiTenancyConfig): MiddlewareHandler<{
+    Bindings: MultiTenancyBindings;
+    Variables: MultiTenancyVariables;
+}>;
+/**
+ * Creates middleware for resolving tenants from subdomains.
+ *
+ * This middleware extracts the subdomain from the request host and
+ * resolves it to a tenant ID using organizations on the control plane.
+ *
+ * @param config - Multi-tenancy configuration
+ * @returns Hono middleware handler
+ *
+ * @example
+ * ```typescript
+ * import { createSubdomainMiddleware } from "@authhero/multi-tenancy";
+ *
+ * const middleware = createSubdomainMiddleware({
+ *   subdomainRouting: {
+ *     baseDomain: "auth.example.com",
+ *     reservedSubdomains: ["www", "api", "admin"],
+ *   },
+ *   accessControl: {
+ *     controlPlaneTenantId: "main",
+ *   },
+ * });
+ *
+ * app.use("*", middleware);
+ * ```
+ */
+export declare function createSubdomainMiddleware(config: MultiTenancyConfig): MiddlewareHandler<{
+    Bindings: MultiTenancyBindings;
+    Variables: MultiTenancyVariables;
+}>;
+/**
+ * Creates middleware for resolving data adapters per tenant.
+ *
+ * This middleware resolves the data adapters for the target tenant,
+ * enabling per-tenant database isolation.
+ *
+ * @param config - Multi-tenancy configuration
+ * @returns Hono middleware handler
+ */
+export declare function createDatabaseMiddleware(config: MultiTenancyConfig): MiddlewareHandler<{
+    Bindings: MultiTenancyBindings;
+    Variables: MultiTenancyVariables;
+}>;
+/**
+ * Creates a combined middleware stack for multi-tenancy.
+ *
+ * This combines subdomain routing, access control, and database resolution
+ * into a single middleware chain.
+ *
+ * @param config - Multi-tenancy configuration
+ * @returns Hono middleware handler
+ */
+export declare function createMultiTenancyMiddleware(config: MultiTenancyConfig): MiddlewareHandler<{
+    Bindings: MultiTenancyBindings;
+    Variables: MultiTenancyVariables;
+}>;
+export { createProtectSyncedMiddleware } from "./protect-synced";
+export { createRuntimeFallbackAdapter, withRuntimeFallback, createSettingsInheritanceAdapter, withSettingsInheritance, } from "./settings-inheritance";
+export type { RuntimeFallbackConfig, SettingsInheritanceConfig, } from "./settings-inheritance";
+//# sourceMappingURL=index.d.ts.map

package/dist/types/middleware/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/middleware/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,MAAM,CAAC;AAGzC,OAAO,EACL,oBAAoB,EACpB,qBAAqB,EACrB,kBAAkB,EACnB,MAAM,UAAU,CAAC;AAGlB;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,kCAAkC,CAChD,oBAAoB,EAAE,MAAM,GAC3B,iBAAiB,CAAC;IACnB,QAAQ,EAAE,oBAAoB,CAAC;IAC/B,SAAS,EAAE,qBAAqB,CAAC;CAClC,CAAC,CAUD;AAED;;;;;;;;;;;;;;;;;;;;;;;;GAwBG;AACH,wBAAgB,6BAA6B,CAC3C,MAAM,EAAE,kBAAkB,GACzB,iBAAiB,CAAC;IACnB,QAAQ,EAAE,oBAAoB,CAAC;IAC/B,SAAS,EAAE,qBAAqB,CAAC;CAClC,CAAC,CAsDD;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,wBAAgB,yBAAyB,CACvC,MAAM,EAAE,kBAAkB,GACzB,iBAAiB,CAAC;IACnB,QAAQ,EAAE,oBAAoB,CAAC;IAC/B,SAAS,EAAE,qBAAqB,CAAC;CAClC,CAAC,CAqED;AAED;;;;;;;;GAQG;AACH,wBAAgB,wBAAwB,CACtC,MAAM,EAAE,kBAAkB,GACzB,iBAAiB,CAAC;IACnB,QAAQ,EAAE,oBAAoB,CAAC;IAC/B,SAAS,EAAE,qBAAqB,CAAC;CAClC,CAAC,CA6BD;AAED;;;;;;;;GAQG;AACH,wBAAgB,4BAA4B,CAC1C,MAAM,EAAE,kBAAkB,GACzB,iBAAiB,CAAC;IACnB,QAAQ,EAAE,oBAAoB,CAAC;IAC/B,SAAS,EAAE,qBAAqB,CAAC;CAClC,CAAC,CAiBD;AAGD,OAAO,EAAE,6BAA6B,EAAE,MAAM,kBAAkB,CAAC;AAGjE,OAAO,EACL,4BAA4B,EAC5B,mBAAmB,EAEnB,gCAAgC,EAChC,uBAAuB,GACxB,MAAM,wBAAwB,CAAC;AAChC,YAAY,EACV,qBAAqB,EAErB,yBAAyB,GAC1B,MAAM,wBAAwB,CAAC"}

package/dist/types/middleware/protect-synced.d.ts

@@ -0,0 +1,40 @@
+import { MiddlewareHandler } from "hono";
+import type { DataAdapters } from "authhero";
+/**
+ * Bindings for the protect system middleware
+ */
+interface ProtectSystemBindings {
+    data: DataAdapters;
+}
+/**
+ * Variables expected to be set by earlier middleware
+ */
+interface ProtectSystemVariables {
+    tenant_id?: string;
+}
+/**
+ * Creates middleware to protect system resources from modification.
+ *
+ * This middleware intercepts write operations (PATCH, PUT, DELETE) on
+ * entities that are marked as system entities from the control plane and returns a 403
+ * error if modification is attempted.
+ *
+ * System resources can only be modified in the control plane, and changes
+ * will be propagated to child tenants automatically.
+ *
+ * @returns Hono middleware handler
+ *
+ * @example
+ * ```typescript
+ * import { createProtectSyncedMiddleware } from "@authhero/multi-tenancy";
+ *
+ * // Apply to management API routes
+ * app.use("/api/v2/*", createProtectSyncedMiddleware());
+ * ```
+ */
+export declare function createProtectSyncedMiddleware(): MiddlewareHandler<{
+    Bindings: ProtectSystemBindings;
+    Variables: ProtectSystemVariables;
+}>;
+export {};
+//# sourceMappingURL=protect-synced.d.ts.map

package/dist/types/middleware/protect-synced.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"protect-synced.d.ts","sourceRoot":"","sources":["../../../src/middleware/protect-synced.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,iBAAiB,EAAE,MAAM,MAAM,CAAC;AAEzC,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AAE7C;;GAEG;AACH,UAAU,qBAAqB;IAC7B,IAAI,EAAE,YAAY,CAAC;CACpB;AAED;;GAEG;AACH,UAAU,sBAAsB;IAC9B,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AA4FD;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,6BAA6B,IAAI,iBAAiB,CAAC;IACjE,QAAQ,EAAE,qBAAqB,CAAC;IAChC,SAAS,EAAE,sBAAsB,CAAC;CACnC,CAAC,CA+BD"}

package/dist/types/middleware/settings-inheritance.d.ts

@@ -0,0 +1,89 @@
+import { DataAdapters } from "authhero";
+/**
+ * Configuration for runtime settings fallback from a control plane tenant.
+ *
+ * Runtime fallback provides default values at query time without copying sensitive data.
+ */
+export interface RuntimeFallbackConfig {
+    /**
+     * The control plane tenant ID from which settings are inherited at runtime.
+     * Child tenants will fall back to this tenant's configuration for
+     * missing or default values (e.g., connection secrets, SMTP settings).
+     */
+    controlPlaneTenantId?: string;
+    /**
+     * The control plane client ID used for fallback client settings.
+     * This client's configuration (web_origins, callbacks, etc.) will
+     * be merged with child tenant clients at runtime.
+     */
+    controlPlaneClientId?: string;
+}
+/**
+ * Creates a data adapter wrapper that provides runtime settings fallback from a control plane tenant.
+ *
+ * This adapter wraps the base adapters to provide fallback functionality where child tenants
+ * can inherit default configurations from a control plane (main) tenant **at runtime**.
+ * This is useful for:
+ *
+ * - **Default connection settings**: Inherit OAuth secrets, SMTP API keys, etc. without copying them
+ * - **Client URL fallbacks**: Add control plane URLs to allowed origins, callbacks, etc.
+ * - **Tenant property defaults**: Fall back to control plane values for missing tenant settings
+ *
+ * **Connection fallback by strategy:**
+ * Connections are matched by **strategy** (e.g., "google", "facebook", "email") rather than by name.
+ * This allows tenants to create a connection with a strategy like "google" and leave keys blank,
+ * and the system will automatically merge in the OAuth credentials from the control plane's
+ * google connection. This is the recommended approach for sharing social auth across tenants.
+ *
+ * @param baseAdapters - The base data adapters to wrap
+ * @param config - Configuration for runtime settings fallback
+ * @returns Wrapped data adapters with runtime fallback functionality
+ *
+ * @example
+ * ```typescript
+ * import { createRuntimeFallbackAdapter } from "@authhero/multi-tenancy";
+ * import createAdapters from "@authhero/kysely";
+ *
+ * const db = // ... your database connection
+ * const baseAdapters = createAdapters(db);
+ *
+ * const adapters = createRuntimeFallbackAdapter(baseAdapters, {
+ *   controlPlaneTenantId: "main",
+ *   controlPlaneClientId: "main-client"
+ * });
+ * ```
+ */
+export declare function createRuntimeFallbackAdapter(baseAdapters: DataAdapters, config: RuntimeFallbackConfig): DataAdapters;
+/**
+ * Helper function to wrap data adapters with runtime fallback from control plane.
+ *
+ * This is a convenience wrapper around `createRuntimeFallbackAdapter`.
+ *
+ * @param baseAdapters - The base data adapters to wrap
+ * @param config - Configuration for runtime fallback
+ * @returns Wrapped data adapters with runtime fallback functionality
+ *
+ * @example
+ * ```typescript
+ * import { withRuntimeFallback } from "@authhero/multi-tenancy";
+ *
+ * const adapters = withRuntimeFallback(baseAdapters, {
+ *   controlPlaneTenantId: "main",
+ *   controlPlaneClientId: "main-client"
+ * });
+ * ```
+ */
+export declare function withRuntimeFallback(baseAdapters: DataAdapters, config: RuntimeFallbackConfig): DataAdapters;
+/**
+ * @deprecated Use `RuntimeFallbackConfig` instead
+ */
+export type SettingsInheritanceConfig = RuntimeFallbackConfig;
+/**
+ * @deprecated Use `createRuntimeFallbackAdapter` instead
+ */
+export declare const createSettingsInheritanceAdapter: typeof createRuntimeFallbackAdapter;
+/**
+ * @deprecated Use `withRuntimeFallback` instead
+ */
+export declare const withSettingsInheritance: typeof withRuntimeFallback;
+//# sourceMappingURL=settings-inheritance.d.ts.map

package/dist/types/middleware/settings-inheritance.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"settings-inheritance.d.ts","sourceRoot":"","sources":["../../../src/middleware/settings-inheritance.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,YAAY,EAKb,MAAM,UAAU,CAAC;AAElB;;;;GAIG;AACH,MAAM,WAAW,qBAAqB;IACpC;;;;OAIG;IACH,oBAAoB,CAAC,EAAE,MAAM,CAAC;IAE9B;;;;OAIG;IACH,oBAAoB,CAAC,EAAE,MAAM,CAAC;CAC/B;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAkCG;AACH,wBAAgB,4BAA4B,CAC1C,YAAY,EAAE,YAAY,EAC1B,MAAM,EAAE,qBAAqB,GAC5B,YAAY,CA6Ld;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,mBAAmB,CACjC,YAAY,EAAE,YAAY,EAC1B,MAAM,EAAE,qBAAqB,GAC5B,YAAY,CAEd;AAGD;;GAEG;AACH,MAAM,MAAM,yBAAyB,GAAG,qBAAqB,CAAC;AAE9D;;GAEG;AACH,eAAO,MAAM,gCAAgC,qCAA+B,CAAC;AAE7E;;GAEG;AACH,eAAO,MAAM,uBAAuB,4BAAsB,CAAC"}

package/dist/types/plugin.d.ts

@@ -0,0 +1,66 @@
+import { Hono, MiddlewareHandler } from "hono";
+import { MultiTenancyConfig, MultiTenancyHooks, MultiTenancyBindings, MultiTenancyVariables } from "./types";
+type MultiTenancyEnv = {
+    Bindings: MultiTenancyBindings;
+    Variables: MultiTenancyVariables;
+};
+/**
+ * Plugin interface for AuthHero extensions
+ */
+export interface AuthHeroPlugin {
+    /**
+     * Plugin name for identification
+     */
+    name: string;
+    /**
+     * Middleware to run before AuthHero routes
+     */
+    middleware?: MiddlewareHandler<MultiTenancyEnv>;
+    /**
+     * Lifecycle hooks
+     */
+    hooks?: MultiTenancyHooks;
+    /**
+     * Additional routes to mount
+     */
+    routes?: Array<{
+        path: string;
+        handler: Hono<MultiTenancyEnv>;
+    }>;
+    /**
+     * Called when plugin is registered
+     */
+    onRegister?: (app: Hono) => void | Promise<void>;
+}
+/**
+ * Creates a multi-tenancy plugin for AuthHero.
+ *
+ * This packages all multi-tenancy functionality (middleware, hooks, and routes)
+ * into a single plugin that can be registered with AuthHero.
+ *
+ * @param config - Multi-tenancy configuration
+ * @returns AuthHero plugin for multi-tenancy support
+ *
+ * @example
+ * ```typescript
+ * import { createAuthhero } from "@authhero/authhero";
+ * import { createMultiTenancyPlugin } from "@authhero/multi-tenancy";
+ *
+ * const app = createAuthhero({
+ *   plugins: [
+ *     createMultiTenancyPlugin({
+ *       accessControl: {
+ *         controlPlaneTenantId: "main",
+ *         defaultPermissions: ["tenant:admin"],
+ *       },
+ *       subdomainRouting: {
+ *         baseDomain: "auth.example.com",
+ *       },
+ *     }),
+ *   ],
+ * });
+ * ```
+ */
+export declare function createMultiTenancyPlugin(config: MultiTenancyConfig): AuthHeroPlugin;
+export {};
+//# sourceMappingURL=plugin.d.ts.map

package/dist/types/plugin.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"plugin.d.ts","sourceRoot":"","sources":["../../src/plugin.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,iBAAiB,EAAE,MAAM,MAAM,CAAC;AAC/C,OAAO,EACL,kBAAkB,EAClB,iBAAiB,EACjB,oBAAoB,EACpB,qBAAqB,EACtB,MAAM,SAAS,CAAC;AAKjB,KAAK,eAAe,GAAG;IACrB,QAAQ,EAAE,oBAAoB,CAAC;IAC/B,SAAS,EAAE,qBAAqB,CAAC;CAClC,CAAC;AAEF;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B;;OAEG;IACH,IAAI,EAAE,MAAM,CAAC;IAEb;;OAEG;IACH,UAAU,CAAC,EAAE,iBAAiB,CAAC,eAAe,CAAC,CAAC;IAEhD;;OAEG;IACH,KAAK,CAAC,EAAE,iBAAiB,CAAC;IAE1B;;OAEG;IACH,MAAM,CAAC,EAAE,KAAK,CAAC;QACb,IAAI,EAAE,MAAM,CAAC;QACb,OAAO,EAAE,IAAI,CAAC,eAAe,CAAC,CAAC;KAChC,CAAC,CAAC;IAEH;;OAEG;IACH,UAAU,CAAC,EAAE,CAAC,GAAG,EAAE,IAAI,KAAK,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CAClD;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;GA4BG;AACH,wBAAgB,wBAAwB,CACtC,MAAM,EAAE,kBAAkB,GACzB,cAAc,CAsChB"}

package/dist/types/routes/index.d.ts

@@ -0,0 +1,2 @@
+export { createTenantsOpenAPIRouter } from "./tenants";
+//# sourceMappingURL=index.d.ts.map

package/dist/types/routes/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/routes/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,0BAA0B,EAAE,MAAM,WAAW,CAAC"}

package/dist/types/routes/tenants.d.ts

@@ -0,0 +1,18 @@
+import { OpenAPIHono } from "@hono/zod-openapi";
+import { MultiTenancyBindings, MultiTenancyVariables, MultiTenancyConfig, MultiTenancyHooks } from "../types";
+/**
+ * Creates OpenAPI-based tenant management routes.
+ *
+ * These routes handle CRUD operations for tenants and are designed to be
+ * mounted on authhero's management API so they get the same authentication
+ * middleware.
+ *
+ * @param config - Multi-tenancy configuration
+ * @param hooks - Multi-tenancy hooks for lifecycle events
+ * @returns OpenAPIHono router with tenant routes
+ */
+export declare function createTenantsOpenAPIRouter(config: MultiTenancyConfig, hooks: MultiTenancyHooks): OpenAPIHono<{
+    Bindings: MultiTenancyBindings;
+    Variables: MultiTenancyVariables;
+}, {}, "/">;
+//# sourceMappingURL=tenants.d.ts.map