@authhero/multi-tenancy 14.2.0 → 14.4.0

package/dist/types/hooks/access-control.d.ts

@@ -0,0 +1,25 @@
+import { AccessControlConfig, MultiTenancyHooks } from "../types";
+/**
+ * Creates hooks for organization-based tenant access control.
+ *
+ * This implements the following access model:
+ * - Control plane: Accessible without an organization claim
+ * - Child tenants: Require an organization claim matching the tenant ID
+ *   - org_name (organization name) takes precedence and should match tenant ID
+ *   - org_id (organization ID) is checked as fallback
+ *
+ * @param config - Access control configuration
+ * @returns Hooks for access validation
+ */
+export declare function createAccessControlHooks(config: AccessControlConfig): Pick<MultiTenancyHooks, "onTenantAccessValidation">;
+/**
+ * Validates that a token can access a specific tenant based on its organization claim.
+ *
+ * @param organizationId - The organization ID from the token (may be undefined)
+ * @param orgName - The organization name from the token (may be undefined, takes precedence)
+ * @param targetTenantId - The tenant ID being accessed
+ * @param controlPlaneTenantId - The control plane/management tenant ID
+ * @returns true if access is allowed
+ */
+export declare function validateTenantAccess(organizationId: string | undefined, targetTenantId: string, controlPlaneTenantId: string, orgName?: string): boolean;
+//# sourceMappingURL=access-control.d.ts.map

package/dist/types/hooks/access-control.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"access-control.d.ts","sourceRoot":"","sources":["../../../src/hooks/access-control.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,mBAAmB,EAEnB,iBAAiB,EAClB,MAAM,UAAU,CAAC;AAElB;;;;;;;;;;;GAWG;AACH,wBAAgB,wBAAwB,CACtC,MAAM,EAAE,mBAAmB,GAC1B,IAAI,CAAC,iBAAiB,EAAE,0BAA0B,CAAC,CAuCrD;AAED;;;;;;;;GAQG;AACH,wBAAgB,oBAAoB,CAClC,cAAc,EAAE,MAAM,GAAG,SAAS,EAClC,cAAc,EAAE,MAAM,EACtB,oBAAoB,EAAE,MAAM,EAC5B,OAAO,CAAC,EAAE,MAAM,GACf,OAAO,CAiBT"}

package/dist/types/hooks/database.d.ts

@@ -0,0 +1,35 @@
+import { DataAdapters } from "authhero";
+import { DatabaseIsolationConfig, MultiTenancyHooks } from "../types";
+/**
+ * Creates hooks for per-tenant database resolution.
+ *
+ * This enables scenarios where each tenant has its own database instance,
+ * providing complete data isolation.
+ *
+ * @param config - Database isolation configuration
+ * @returns Hooks for database resolution
+ */
+export declare function createDatabaseHooks(config: DatabaseIsolationConfig): Pick<MultiTenancyHooks, "resolveDataAdapters">;
+/**
+ * Database factory interface for creating tenant-specific database adapters.
+ *
+ * Implementations of this interface should live in the respective adapter packages:
+ * - D1: @authhero/cloudflare
+ * - Turso: @authhero/turso (or similar)
+ * - Custom: Implement your own
+ */
+export interface DatabaseFactory {
+    /**
+     * Get or create a database adapter for a tenant.
+     */
+    getAdapters(tenantId: string): Promise<DataAdapters>;
+    /**
+     * Provision a new database for a tenant.
+     */
+    provision(tenantId: string): Promise<void>;
+    /**
+     * Deprovision (delete) a tenant's database.
+     */
+    deprovision(tenantId: string): Promise<void>;
+}
+//# sourceMappingURL=database.d.ts.map

package/dist/types/hooks/database.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"database.d.ts","sourceRoot":"","sources":["../../../src/hooks/database.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,MAAM,UAAU,CAAC;AACxC,OAAO,EAAE,uBAAuB,EAAE,iBAAiB,EAAE,MAAM,UAAU,CAAC;AAEtE;;;;;;;;GAQG;AACH,wBAAgB,mBAAmB,CACjC,MAAM,EAAE,uBAAuB,GAC9B,IAAI,CAAC,iBAAiB,EAAE,qBAAqB,CAAC,CAgBhD;AAED;;;;;;;GAOG;AACH,MAAM,WAAW,eAAe;IAC9B;;OAEG;IACH,WAAW,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,YAAY,CAAC,CAAC;IAErD;;OAEG;IACH,SAAS,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IAE3C;;OAEG;IACH,WAAW,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;CAC9C"}

package/dist/types/hooks/index.d.ts

@@ -0,0 +1,5 @@
+export { createAccessControlHooks, validateTenantAccess, } from "./access-control";
+export { createDatabaseHooks, type DatabaseFactory } from "./database";
+export { createProvisioningHooks } from "./provisioning";
+export { createSyncHooks, type EntitySyncConfig, type SyncHooksResult, } from "./sync";
+//# sourceMappingURL=index.d.ts.map

package/dist/types/hooks/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../../src/hooks/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,wBAAwB,EACxB,oBAAoB,GACrB,MAAM,kBAAkB,CAAC;AAC1B,OAAO,EAAE,mBAAmB,EAAE,KAAK,eAAe,EAAE,MAAM,YAAY,CAAC;AACvE,OAAO,EAAE,uBAAuB,EAAE,MAAM,gBAAgB,CAAC;AACzD,OAAO,EACL,eAAe,EACf,KAAK,gBAAgB,EACrB,KAAK,eAAe,GACrB,MAAM,QAAQ,CAAC"}

package/dist/types/hooks/provisioning.d.ts

@@ -0,0 +1,15 @@
+import { MultiTenancyConfig, TenantEntityHooks } from "../types";
+/**
+ * Creates hooks for tenant provisioning and deprovisioning.
+ *
+ * This handles:
+ * - Setting the correct audience for new tenants (urn:authhero:tenant:{id})
+ * - Creating organizations on the control plane when a new tenant is created
+ * - Provisioning databases for new tenants
+ * - Cleaning up organizations and databases when tenants are deleted
+ *
+ * @param config - Multi-tenancy configuration
+ * @returns Tenant entity hooks for lifecycle events
+ */
+export declare function createProvisioningHooks(config: MultiTenancyConfig): TenantEntityHooks;
+//# sourceMappingURL=provisioning.d.ts.map

package/dist/types/hooks/provisioning.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"provisioning.d.ts","sourceRoot":"","sources":["../../../src/hooks/provisioning.ts"],"names":[],"mappings":"AAeA,OAAO,EACL,kBAAkB,EAClB,iBAAiB,EAElB,MAAM,UAAU,CAAC;AAElB;;;;;;;;;;;GAWG;AACH,wBAAgB,uBAAuB,CACrC,MAAM,EAAE,kBAAkB,GACzB,iBAAiB,CAyEnB"}

package/dist/types/hooks/resource-server-sync.d.ts

@@ -0,0 +1,140 @@
+import { DataAdapters, ResourceServer, ResourceServerInsert } from "authhero";
+import { TenantEntityHooks } from "../types";
+/**
+ * Configuration for resource server synchronization
+ */
+export interface ResourceServerSyncConfig {
+    /**
+     * The control plane tenant ID from which resource servers are synced
+     */
+    controlPlaneTenantId: string;
+    /**
+     * Function to get the list of all tenant IDs to sync to.
+     * Called when a resource server is created/updated/deleted on the control plane.
+     */
+    getChildTenantIds: () => Promise<string[]>;
+    /**
+     * Function to get adapters for a specific tenant.
+     * Used to write resource servers to child tenants.
+     */
+    getAdapters: (tenantId: string) => Promise<DataAdapters>;
+    /**
+     * Optional: Filter function to determine if a resource server should be synced.
+     * Return true to sync, false to skip.
+     * @default All resource servers are synced
+     */
+    shouldSync?: (resourceServer: ResourceServer) => boolean;
+    /**
+     * Optional: Transform the resource server before syncing to child tenants.
+     * Useful for modifying identifiers or removing sensitive data.
+     */
+    transformForSync?: (resourceServer: ResourceServer, targetTenantId: string) => ResourceServerInsert;
+}
+/**
+ * Context passed to entity hooks
+ */
+interface EntityHookContext {
+    tenantId: string;
+    adapters: DataAdapters;
+}
+/**
+ * Entity hooks for resource server CRUD operations
+ */
+export interface ResourceServerEntityHooks {
+    afterCreate?: (ctx: EntityHookContext, entity: ResourceServer) => Promise<void>;
+    afterUpdate?: (ctx: EntityHookContext, id: string, entity: ResourceServer) => Promise<void>;
+    afterDelete?: (ctx: EntityHookContext, id: string) => Promise<void>;
+}
+/**
+ * Creates entity hooks for syncing resource servers from the control plane to all child tenants.
+ *
+ * When a resource server is created, updated, or deleted on the control plane,
+ * the change is automatically propagated to all child tenants.
+ *
+ * @param config - Resource server sync configuration
+ * @returns Entity hooks for resource server synchronization
+ *
+ * @example
+ * ```typescript
+ * import { createResourceServerSyncHooks } from "@authhero/multi-tenancy";
+ *
+ * const resourceServerHooks = createResourceServerSyncHooks({
+ *   controlPlaneTenantId: "main",
+ *   getChildTenantIds: async () => {
+ *     const tenants = await db.tenants.list();
+ *     return tenants.filter(t => t.id !== "main").map(t => t.id);
+ *   },
+ *   getAdapters: async (tenantId) => {
+ *     return createAdaptersForTenant(tenantId);
+ *   },
+ * });
+ *
+ * // Use with AuthHero config
+ * const config: AuthHeroConfig = {
+ *   dataAdapter,
+ *   entityHooks: {
+ *     resourceServers: resourceServerHooks,
+ *   },
+ * };
+ * ```
+ */
+export declare function createResourceServerSyncHooks(config: ResourceServerSyncConfig): ResourceServerEntityHooks;
+/**
+ * Configuration for syncing resource servers to new tenants
+ */
+export interface TenantResourceServerSyncConfig {
+    /**
+     * The control plane tenant ID from which resource servers are copied
+     */
+    controlPlaneTenantId: string;
+    /**
+     * Function to get adapters for the control plane.
+     * Used to read existing resource servers.
+     */
+    getControlPlaneAdapters: () => Promise<DataAdapters>;
+    /**
+     * Function to get adapters for the new tenant.
+     * Used to write resource servers to the new tenant.
+     */
+    getAdapters: (tenantId: string) => Promise<DataAdapters>;
+    /**
+     * Optional: Filter function to determine if a resource server should be synced.
+     * Return true to sync, false to skip.
+     * @default All resource servers are synced
+     */
+    shouldSync?: (resourceServer: ResourceServer) => boolean;
+    /**
+     * Optional: Transform the resource server before syncing to the new tenant.
+     * Useful for modifying identifiers or removing sensitive data.
+     */
+    transformForSync?: (resourceServer: ResourceServer, targetTenantId: string) => ResourceServerInsert;
+}
+/**
+ * Creates a tenant afterCreate hook that copies all resource servers from the control plane
+ * to a newly created tenant.
+ *
+ * This should be used with the MultiTenancyHooks.tenants.afterCreate hook.
+ *
+ * @param config - Configuration for tenant resource server sync
+ * @returns A TenantEntityHooks object with afterCreate implemented
+ *
+ * @example
+ * ```typescript
+ * import { createTenantResourceServerSyncHooks } from "@authhero/multi-tenancy";
+ *
+ * const resourceServerSyncHooks = createTenantResourceServerSyncHooks({
+ *   controlPlaneTenantId: "main",
+ *   getControlPlaneAdapters: async () => controlPlaneAdapters,
+ *   getAdapters: async (tenantId) => createAdaptersForTenant(tenantId),
+ * });
+ *
+ * const multiTenancyHooks: MultiTenancyHooks = {
+ *   tenants: {
+ *     afterCreate: resourceServerSyncHooks.afterCreate,
+ *   },
+ * };
+ * ```
+ */
+export declare function createTenantResourceServerSyncHooks(config: TenantResourceServerSyncConfig): TenantEntityHooks;
+export {};
+//# sourceMappingURL=resource-server-sync.d.ts.map

package/dist/types/hooks/resource-server-sync.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"resource-server-sync.d.ts","sourceRoot":"","sources":["../../../src/hooks/resource-server-sync.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,YAAY,EACZ,cAAc,EACd,oBAAoB,EAErB,MAAM,UAAU,CAAC;AAClB,OAAO,EAAE,iBAAiB,EAAqB,MAAM,UAAU,CAAC;AAEhE;;GAEG;AACH,MAAM,WAAW,wBAAwB;IACvC;;OAEG;IACH,oBAAoB,EAAE,MAAM,CAAC;IAE7B;;;OAGG;IACH,iBAAiB,EAAE,MAAM,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IAE3C;;;OAGG;IACH,WAAW,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,YAAY,CAAC,CAAC;IAEzD;;;;OAIG;IACH,UAAU,CAAC,EAAE,CAAC,cAAc,EAAE,cAAc,KAAK,OAAO,CAAC;IAEzD;;;OAGG;IACH,gBAAgB,CAAC,EAAE,CACjB,cAAc,EAAE,cAAc,EAC9B,cAAc,EAAE,MAAM,KACnB,oBAAoB,CAAC;CAC3B;AAED;;GAEG;AACH,UAAU,iBAAiB;IACzB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,YAAY,CAAC;CACxB;AAED;;GAEG;AACH,MAAM,WAAW,yBAAyB;IACxC,WAAW,CAAC,EAAE,CACZ,GAAG,EAAE,iBAAiB,EACtB,MAAM,EAAE,cAAc,KACnB,OAAO,CAAC,IAAI,CAAC,CAAC;IACnB,WAAW,CAAC,EAAE,CACZ,GAAG,EAAE,iBAAiB,EACtB,EAAE,EAAE,MAAM,EACV,MAAM,EAAE,cAAc,KACnB,OAAO,CAAC,IAAI,CAAC,CAAC;IACnB,WAAW,CAAC,EAAE,CAAC,GAAG,EAAE,iBAAiB,EAAE,EAAE,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CACrE;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AACH,wBAAgB,6BAA6B,CAC3C,MAAM,EAAE,wBAAwB,GAC/B,yBAAyB,CA2L3B;AAED;;GAEG;AACH,MAAM,WAAW,8BAA8B;IAC7C;;OAEG;IACH,oBAAoB,EAAE,MAAM,CAAC;IAE7B;;;OAGG;IACH,uBAAuB,EAAE,MAAM,OAAO,CAAC,YAAY,CAAC,CAAC;IAErD;;;OAGG;IACH,WAAW,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,YAAY,CAAC,CAAC;IAEzD;;;;OAIG;IACH,UAAU,CAAC,EAAE,CAAC,cAAc,EAAE,cAAc,KAAK,OAAO,CAAC;IAEzD;;;OAGG;IACH,gBAAgB,CAAC,EAAE,CACjB,cAAc,EAAE,cAAc,EAC9B,cAAc,EAAE,MAAM,KACnB,oBAAoB,CAAC;CAC3B;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,wBAAgB,mCAAmC,CACjD,MAAM,EAAE,8BAA8B,GACrC,iBAAiB,CAiFnB"}

package/dist/types/hooks/role-sync.d.ts

@@ -0,0 +1,145 @@
+import { DataAdapters, Role, RoleInsert } from "authhero";
+import { TenantEntityHooks } from "../types";
+/**
+ * Configuration for role synchronization
+ */
+export interface RoleSyncConfig {
+    /**
+     * The control plane tenant ID from which roles are synced
+     */
+    controlPlaneTenantId: string;
+    /**
+     * Function to get the list of all tenant IDs to sync to.
+     * Called when a role is created/updated/deleted on the control plane.
+     */
+    getChildTenantIds: () => Promise<string[]>;
+    /**
+     * Function to get adapters for a specific tenant.
+     * Used to write roles to child tenants.
+     */
+    getAdapters: (tenantId: string) => Promise<DataAdapters>;
+    /**
+     * Optional: Filter function to determine if a role should be synced.
+     * Return true to sync, false to skip.
+     * @default All roles are synced
+     */
+    shouldSync?: (role: Role) => boolean;
+    /**
+     * Optional: Transform the role before syncing to child tenants.
+     * Useful for modifying names or removing sensitive data.
+     */
+    transformForSync?: (role: Role, targetTenantId: string) => RoleInsert;
+}
+/**
+ * Context passed to entity hooks
+ */
+interface EntityHookContext {
+    tenantId: string;
+    adapters: DataAdapters;
+}
+/**
+ * Entity hooks for role CRUD operations
+ */
+export interface RoleEntityHooks {
+    afterCreate?: (ctx: EntityHookContext, entity: Role) => Promise<void>;
+    afterUpdate?: (ctx: EntityHookContext, id: string, entity: Role) => Promise<void>;
+    afterDelete?: (ctx: EntityHookContext, id: string) => Promise<void>;
+}
+/**
+ * Creates entity hooks for syncing roles from the control plane to all child tenants.
+ *
+ * When a role is created, updated, or deleted on the control plane,
+ * the change is automatically propagated to all child tenants.
+ *
+ * @param config - Role sync configuration
+ * @returns Entity hooks for role synchronization
+ *
+ * @example
+ * ```typescript
+ * import { createRoleSyncHooks } from "@authhero/multi-tenancy";
+ *
+ * const roleHooks = createRoleSyncHooks({
+ *   controlPlaneTenantId: "main",
+ *   getChildTenantIds: async () => {
+ *     const tenants = await db.tenants.list();
+ *     return tenants.filter(t => t.id !== "main").map(t => t.id);
+ *   },
+ *   getAdapters: async (tenantId) => {
+ *     return createAdaptersForTenant(tenantId);
+ *   },
+ * });
+ *
+ * // Use with AuthHero config
+ * const config: AuthHeroConfig = {
+ *   dataAdapter,
+ *   entityHooks: {
+ *     roles: roleHooks,
+ *   },
+ * };
+ * ```
+ */
+export declare function createRoleSyncHooks(config: RoleSyncConfig): RoleEntityHooks;
+/**
+ * Configuration for syncing roles to new tenants
+ */
+export interface TenantRoleSyncConfig {
+    /**
+     * The control plane tenant ID from which roles are copied
+     */
+    controlPlaneTenantId: string;
+    /**
+     * Function to get adapters for the control plane.
+     * Used to read existing roles.
+     */
+    getControlPlaneAdapters: () => Promise<DataAdapters>;
+    /**
+     * Function to get adapters for the new tenant.
+     * Used to write roles to the new tenant.
+     */
+    getAdapters: (tenantId: string) => Promise<DataAdapters>;
+    /**
+     * Optional: Filter function to determine if a role should be synced.
+     * Return true to sync, false to skip.
+     * @default All roles are synced
+     */
+    shouldSync?: (role: Role) => boolean;
+    /**
+     * Optional: Transform the role before syncing to the new tenant.
+     * Useful for modifying names or removing sensitive data.
+     */
+    transformForSync?: (role: Role, targetTenantId: string) => RoleInsert;
+    /**
+     * Whether to also sync role permissions (scopes from resource servers).
+     * @default true
+     */
+    syncPermissions?: boolean;
+}
+/**
+ * Creates a tenant afterCreate hook that copies all roles from the control plane
+ * to a newly created tenant.
+ *
+ * This should be used with the MultiTenancyHooks.tenants.afterCreate hook.
+ *
+ * @param config - Configuration for tenant role sync
+ * @returns A TenantEntityHooks object with afterCreate implemented
+ *
+ * @example
+ * ```typescript
+ * import { createTenantRoleSyncHooks } from "@authhero/multi-tenancy";
+ *
+ * const roleSyncHooks = createTenantRoleSyncHooks({
+ *   controlPlaneTenantId: "main",
+ *   getControlPlaneAdapters: async () => controlPlaneAdapters,
+ *   getAdapters: async (tenantId) => createAdaptersForTenant(tenantId),
+ * });
+ *
+ * const multiTenancyHooks: MultiTenancyHooks = {
+ *   tenants: {
+ *     afterCreate: roleSyncHooks.afterCreate,
+ *   },
+ * };
+ * ```
+ */
+export declare function createTenantRoleSyncHooks(config: TenantRoleSyncConfig): TenantEntityHooks;
+export {};
+//# sourceMappingURL=role-sync.d.ts.map

package/dist/types/hooks/role-sync.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"role-sync.d.ts","sourceRoot":"","sources":["../../../src/hooks/role-sync.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,IAAI,EAAE,UAAU,EAAY,MAAM,UAAU,CAAC;AACpE,OAAO,EAAE,iBAAiB,EAAqB,MAAM,UAAU,CAAC;AAEhE;;GAEG;AACH,MAAM,WAAW,cAAc;IAC7B;;OAEG;IACH,oBAAoB,EAAE,MAAM,CAAC;IAE7B;;;OAGG;IACH,iBAAiB,EAAE,MAAM,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IAE3C;;;OAGG;IACH,WAAW,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,YAAY,CAAC,CAAC;IAEzD;;;;OAIG;IACH,UAAU,CAAC,EAAE,CAAC,IAAI,EAAE,IAAI,KAAK,OAAO,CAAC;IAErC;;;OAGG;IACH,gBAAgB,CAAC,EAAE,CAAC,IAAI,EAAE,IAAI,EAAE,cAAc,EAAE,MAAM,KAAK,UAAU,CAAC;CACvE;AAED;;GAEG;AACH,UAAU,iBAAiB;IACzB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,YAAY,CAAC;CACxB;AAED;;GAEG;AACH,MAAM,WAAW,eAAe;IAC9B,WAAW,CAAC,EAAE,CAAC,GAAG,EAAE,iBAAiB,EAAE,MAAM,EAAE,IAAI,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;IACtE,WAAW,CAAC,EAAE,CACZ,GAAG,EAAE,iBAAiB,EACtB,EAAE,EAAE,MAAM,EACV,MAAM,EAAE,IAAI,KACT,OAAO,CAAC,IAAI,CAAC,CAAC;IACnB,WAAW,CAAC,EAAE,CAAC,GAAG,EAAE,iBAAiB,EAAE,EAAE,EAAE,MAAM,KAAK,OAAO,CAAC,IAAI,CAAC,CAAC;CACrE;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAgCG;AACH,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,cAAc,GAAG,eAAe,CAwI3E;AAED;;GAEG;AACH,MAAM,WAAW,oBAAoB;IACnC;;OAEG;IACH,oBAAoB,EAAE,MAAM,CAAC;IAE7B;;;OAGG;IACH,uBAAuB,EAAE,MAAM,OAAO,CAAC,YAAY,CAAC,CAAC;IAErD;;;OAGG;IACH,WAAW,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,YAAY,CAAC,CAAC;IAEzD;;;;OAIG;IACH,UAAU,CAAC,EAAE,CAAC,IAAI,EAAE,IAAI,KAAK,OAAO,CAAC;IAErC;;;OAGG;IACH,gBAAgB,CAAC,EAAE,CAAC,IAAI,EAAE,IAAI,EAAE,cAAc,EAAE,MAAM,KAAK,UAAU,CAAC;IAEtE;;;OAGG;IACH,eAAe,CAAC,EAAE,OAAO,CAAC;CAC3B;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,wBAAgB,yBAAyB,CACvC,MAAM,EAAE,oBAAoB,GAC3B,iBAAiB,CA4GnB"}

package/dist/types/hooks/sync.d.ts

@@ -0,0 +1,54 @@
+import { DataAdapters, Role, RoleInsert, ResourceServer, ResourceServerInsert, EntityHooks } from "authhero";
+import { TenantEntityHooks } from "../types";
+/**
+ * Configuration for entity synchronization
+ */
+export interface EntitySyncConfig {
+    /**
+     * The control plane tenant ID from which entities are synced
+     */
+    controlPlaneTenantId: string;
+    /**
+     * Function to get the list of all tenant IDs to sync to.
+     */
+    getChildTenantIds: () => Promise<string[]>;
+    /**
+     * Function to get adapters for a specific tenant.
+     */
+    getAdapters: (tenantId: string) => Promise<DataAdapters>;
+    /**
+     * Function to get adapters for the control plane (used for tenant creation sync).
+     */
+    getControlPlaneAdapters: () => Promise<DataAdapters>;
+    /**
+     * Which entities to sync. All default to true.
+     * Note: Connections are NOT synced - they use runtime fallback by strategy instead.
+     */
+    sync?: {
+        resourceServers?: boolean;
+        roles?: boolean;
+    };
+    /**
+     * Optional filters for each entity type
+     */
+    filters?: {
+        resourceServers?: (entity: ResourceServer) => boolean;
+        roles?: (entity: Role) => boolean;
+    };
+}
+/**
+ * Result from createSyncHooks containing all entity and tenant hooks
+ *
+ * Note: Connections are NOT synced - they use runtime fallback by strategy instead.
+ * Tenants can define a connection with a strategy (e.g., "google") and leave keys blank,
+ * and the system will fallback to the control plane's connection with the same strategy.
+ */
+export interface SyncHooksResult {
+    entityHooks: {
+        resourceServers?: EntityHooks<ResourceServer, ResourceServerInsert>;
+        roles?: EntityHooks<Role, RoleInsert>;
+    };
+    tenantHooks: TenantEntityHooks;
+}
+export declare function createSyncHooks(config: EntitySyncConfig): SyncHooksResult;
+//# sourceMappingURL=sync.d.ts.map

package/dist/types/hooks/sync.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sync.d.ts","sourceRoot":"","sources":["../../../src/hooks/sync.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,YAAY,EACZ,IAAI,EACJ,UAAU,EACV,cAAc,EACd,oBAAoB,EAGpB,WAAW,EAEZ,MAAM,UAAU,CAAC;AAClB,OAAO,EAAE,iBAAiB,EAAqB,MAAM,UAAU,CAAC;AAEhE;;GAEG;AACH,MAAM,WAAW,gBAAgB;IAC/B;;OAEG;IACH,oBAAoB,EAAE,MAAM,CAAC;IAE7B;;OAEG;IACH,iBAAiB,EAAE,MAAM,OAAO,CAAC,MAAM,EAAE,CAAC,CAAC;IAE3C;;OAEG;IACH,WAAW,EAAE,CAAC,QAAQ,EAAE,MAAM,KAAK,OAAO,CAAC,YAAY,CAAC,CAAC;IAEzD;;OAEG;IACH,uBAAuB,EAAE,MAAM,OAAO,CAAC,YAAY,CAAC,CAAC;IAErD;;;OAGG;IACH,IAAI,CAAC,EAAE;QACL,eAAe,CAAC,EAAE,OAAO,CAAC;QAC1B,KAAK,CAAC,EAAE,OAAO,CAAC;KACjB,CAAC;IAEF;;OAEG;IACH,OAAO,CAAC,EAAE;QACR,eAAe,CAAC,EAAE,CAAC,MAAM,EAAE,cAAc,KAAK,OAAO,CAAC;QACtD,KAAK,CAAC,EAAE,CAAC,MAAM,EAAE,IAAI,KAAK,OAAO,CAAC;KACnC,CAAC;CACH;AAoQD;;;;;;GAMG;AACH,MAAM,WAAW,eAAe;IAC9B,WAAW,EAAE;QACX,eAAe,CAAC,EAAE,WAAW,CAAC,cAAc,EAAE,oBAAoB,CAAC,CAAC;QACpE,KAAK,CAAC,EAAE,WAAW,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;KACvC,CAAC;IACF,WAAW,EAAE,iBAAiB,CAAC;CAChC;AAqCD,wBAAgB,eAAe,CAAC,MAAM,EAAE,gBAAgB,GAAG,eAAe,CAwLzE"}

package/dist/types/index.d.ts

@@ -0,0 +1,117 @@
+import { Hono } from "hono";
+import { MultiTenancyConfig, MultiTenancyHooks, MultiTenancyBindings, MultiTenancyVariables } from "./types";
+export * from "./types";
+export { initMultiTenant } from "./init";
+export type { MultiTenantConfig, MultiTenantResult } from "./init";
+export { createSyncHooks } from "./hooks/sync";
+export type { EntitySyncConfig, SyncHooksResult } from "./hooks/sync";
+export { createTenantsOpenAPIRouter } from "./routes";
+export { createMultiTenancyMiddleware, createAccessControlMiddleware, createControlPlaneTenantMiddleware, createSubdomainMiddleware, createDatabaseMiddleware, createProtectSyncedMiddleware, createRuntimeFallbackAdapter, withRuntimeFallback, createSettingsInheritanceAdapter, withSettingsInheritance, } from "./middleware";
+export type { RuntimeFallbackConfig, SettingsInheritanceConfig, } from "./middleware";
+export { createMultiTenancyPlugin } from "./plugin";
+export type { AuthHeroPlugin } from "./plugin";
+export { createAccessControlHooks, createDatabaseHooks, createProvisioningHooks, } from "./hooks";
+export { validateTenantAccess } from "./hooks/access-control";
+export type { DatabaseFactory } from "./hooks/database";
+/**
+ * Creates multi-tenancy hooks from configuration.
+ *
+ * This combines access control, database resolution, and provisioning hooks
+ * into a single hooks object that can be passed to AuthHero.
+ *
+ * @param config - Multi-tenancy configuration
+ * @returns Combined hooks for multi-tenancy support
+ *
+ * @example
+ * ```typescript
+ * import { createMultiTenancyHooks } from "@authhero/multi-tenancy";
+ *
+ * const hooks = createMultiTenancyHooks({
+ *   accessControl: {
+ *     controlPlaneTenantId: "control_plane",
+ *     defaultPermissions: ["tenant:admin"],
+ *   },
+ *   databaseIsolation: {
+ *     getAdapters: async (tenantId) => getDatabase(tenantId),
+ *   },
+ * });
+ * ```
+ */
+export declare function createMultiTenancyHooks(config: MultiTenancyConfig): MultiTenancyHooks;
+/**
+ * Creates a complete multi-tenancy Hono app with routes and middleware.
+ *
+ * This creates a Hono app with:
+ * - Tenant management routes (CRUD for tenants)
+ * - Access control middleware
+ * - Subdomain routing (optional)
+ * - Database resolution (optional)
+ *
+ * @param config - Multi-tenancy configuration
+ * @returns Hono app with multi-tenancy routes
+ *
+ * @example
+ * ```typescript
+ * import { createMultiTenancy } from "@authhero/multi-tenancy";
+ *
+ * const multiTenancyApp = createMultiTenancy({
+ *   accessControl: {
+ *     controlPlaneTenantId: "main",
+ *   },
+ * });
+ *
+ * // Mount on your main app
+ * app.route("/management", multiTenancyApp);
+ * ```
+ */
+export declare function createMultiTenancy(config: MultiTenancyConfig): Hono<{
+    Bindings: MultiTenancyBindings;
+    Variables: MultiTenancyVariables;
+}, import("hono/types").BlankSchema, "/">;
+/**
+ * Creates a multi-tenancy setup with both hooks and middleware.
+ *
+ * This is a convenience function that returns everything needed to
+ * integrate multi-tenancy into an AuthHero application.
+ *
+ * @param config - Multi-tenancy configuration
+ * @returns Object with hooks, middleware, and routes
+ *
+ * @example
+ * ```typescript
+ * import { setupMultiTenancy } from "@authhero/multi-tenancy";
+ *
+ * const multiTenancy = setupMultiTenancy({
+ *   accessControl: {
+ *     controlPlaneTenantId: "main",
+ *   },
+ *   subdomainRouting: {
+ *     baseDomain: "auth.example.com",
+ *   },
+ * });
+ *
+ * // Use the middleware
+ * app.use("*", multiTenancy.middleware);
+ *
+ * // Mount the routes
+ * app.route("/management", multiTenancy.app);
+ *
+ * // Pass hooks to AuthHero
+ * const authhero = createAuthhero({
+ *   hooks: multiTenancy.hooks,
+ * });
+ * ```
+ */
+export declare function setupMultiTenancy(config: MultiTenancyConfig): {
+    hooks: MultiTenancyHooks;
+    middleware: import("hono").MiddlewareHandler<{
+        Bindings: MultiTenancyBindings;
+        Variables: MultiTenancyVariables;
+    }>;
+    app: Hono<{
+        Bindings: MultiTenancyBindings;
+        Variables: MultiTenancyVariables;
+    }, import("hono/types").BlankSchema, "/">;
+    config: MultiTenancyConfig;
+};
+//# sourceMappingURL=index.d.ts.map

package/dist/types/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,IAAI,EAAE,MAAM,MAAM,CAAC;AAC5B,OAAO,EACL,kBAAkB,EAClB,iBAAiB,EACjB,oBAAoB,EACpB,qBAAqB,EACtB,MAAM,SAAS,CAAC;AAUjB,cAAc,SAAS,CAAC;AAGxB,OAAO,EAAE,eAAe,EAAE,MAAM,QAAQ,CAAC;AACzC,YAAY,EAAE,iBAAiB,EAAE,iBAAiB,EAAE,MAAM,QAAQ,CAAC;AAGnE,OAAO,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAC/C,YAAY,EAAE,gBAAgB,EAAE,eAAe,EAAE,MAAM,cAAc,CAAC;AAEtE,OAAO,EAAE,0BAA0B,EAAE,MAAM,UAAU,CAAC;AAEtD,OAAO,EACL,4BAA4B,EAC5B,6BAA6B,EAC7B,kCAAkC,EAClC,yBAAyB,EACzB,wBAAwB,EACxB,6BAA6B,EAC7B,4BAA4B,EAC5B,mBAAmB,EAEnB,gCAAgC,EAChC,uBAAuB,GACxB,MAAM,cAAc,CAAC;AACtB,YAAY,EACV,qBAAqB,EACrB,yBAAyB,GAC1B,MAAM,cAAc,CAAC;AAEtB,OAAO,EAAE,wBAAwB,EAAE,MAAM,UAAU,CAAC;AACpD,YAAY,EAAE,cAAc,EAAE,MAAM,UAAU,CAAC;AAG/C,OAAO,EACL,wBAAwB,EACxB,mBAAmB,EACnB,uBAAuB,GACxB,MAAM,SAAS,CAAC;AACjB,OAAO,EAAE,oBAAoB,EAAE,MAAM,wBAAwB,CAAC;AAC9D,YAAY,EAAE,eAAe,EAAE,MAAM,kBAAkB,CAAC;AAExD;;;;;;;;;;;;;;;;;;;;;;;GAuBG;AACH,wBAAgB,uBAAuB,CACrC,MAAM,EAAE,kBAAkB,GACzB,iBAAiB,CAgBnB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,wBAAgB,kBAAkB,CAAC,MAAM,EAAE,kBAAkB;cAE/C,oBAAoB;eACnB,qBAAqB;0CASnC;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;AACH,wBAAgB,iBAAiB,CAAC,MAAM,EAAE,kBAAkB;;;;;;;kBA9C9C,oBAAoB;mBACnB,qBAAqB;;;EAoDnC"}