npm - @authhero/multi-tenancy - Versions diffs - 14.20.0 → 14.20.2 - Mend

@authhero/multi-tenancy 14.20.0 → 14.20.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/dist/multi-tenancy.cjs +1 -1
package/dist/multi-tenancy.mjs +397 -357
package/dist/types/middleware/settings-inheritance.d.ts.map +1 -1
package/dist/types/routes/tenants.d.ts.map +1 -1
package/package.json +4 -4

package/dist/multi-tenancy.mjs CHANGED Viewed

@@ -1,30 +1,30 @@
-var ee = Object.defineProperty;
-var te = (e, t, n) => t in e ? ee(e, t, { enumerable: !0, configurable: !0, writable: !0, value: n }) : e[t] = n;
-var E = (e, t, n) => te(e, typeof t != "symbol" ? t + "" : t, n);
-import { Hono as ne } from "hono";
-import { MANAGEMENT_API_SCOPES as re, MANAGEMENT_API_AUDIENCE as J, fetchAll as D, auth0QuerySchema as ae, tenantSchema as q, tenantInsertSchema as U, deepMergePatch as se, connectionSchema as oe, connectionOptionsSchema as ie, init as ce } from "authhero";
-import { OpenAPIHono as le, createRoute as M, z as I } from "@hono/zod-openapi";
-function ue(e) {
+var ne = Object.defineProperty;
+var re = (e, t, n) => t in e ? ne(e, t, { enumerable: !0, configurable: !0, writable: !0, value: n }) : e[t] = n;
+var E = (e, t, n) => re(e, typeof t != "symbol" ? t + "" : t, n);
+import { Hono as ae } from "hono";
+import { MANAGEMENT_API_SCOPES as se, MANAGEMENT_API_AUDIENCE as Y, fetchAll as D, auth0QuerySchema as oe, tenantSchema as O, tenantInsertSchema as G, deepMergePatch as ie, connectionSchema as ce, connectionOptionsSchema as le, init as ue } from "authhero";
+import { OpenAPIHono as de, createRoute as k, z as A } from "@hono/zod-openapi";
+function fe(e) {
   const { controlPlaneTenantId: t, requireOrganizationMatch: n = !0 } = e;
   return {
     async onTenantAccessValidation(r, a) {
       if (a === t)
         return !0;
       if (n) {
-        const s = r.var.org_name, c = r.var.organization_id, i = s || c;
-        return i ? i.toLowerCase() === a.toLowerCase() : !1;
+        const s = r.var.org_name, i = r.var.organization_id, c = s || i;
+        return c ? c.toLowerCase() === a.toLowerCase() : !1;
       }
       return !0;
     }
   };
 }
-function de(e, t, n, r) {
+function me(e, t, n, r) {
   if (t === n)
     return !0;
   const a = r || e;
   return a ? a.toLowerCase() === t.toLowerCase() : !1;
 }
-function fe(e) {
+function ge(e) {
   return {
     async resolveDataAdapters(t) {
       try {
@@ -39,31 +39,31 @@ function fe(e) {
     }
   };
 }
-function me(e) {
+function we(e) {
   return `urn:authhero:tenant:${e.toLowerCase()}`;
 }
-function X(e) {
+function Z(e) {
   return {
     async beforeCreate(t, n) {
       return !n.audience && n.id ? {
         ...n,
-        audience: me(n.id)
+        audience: we(n.id)
       } : n;
     },
     async afterCreate(t, n) {
       const { accessControl: r, databaseIsolation: a } = e;
-      r && t.ctx && await ge(t, n, r), a != null && a.onProvision && await a.onProvision(n.id);
+      r && t.ctx && await he(t, n, r), a != null && a.onProvision && await a.onProvision(n.id);
     },
     async beforeDelete(t, n) {
       const { accessControl: r, databaseIsolation: a } = e;
       if (r)
         try {
-          const c = (await t.adapters.organizations.list(
+          const i = (await t.adapters.organizations.list(
             r.controlPlaneTenantId
-          )).organizations.find((i) => i.name === n);
-          c && await t.adapters.organizations.remove(
+          )).organizations.find((c) => c.name === n);
+          i && await t.adapters.organizations.remove(
             r.controlPlaneTenantId,
-            c.id
+            i.id
           );
         } catch (s) {
           console.warn(
@@ -83,13 +83,13 @@ function X(e) {
     }
   };
 }
-async function ge(e, t, n) {
+async function he(e, t, n) {
   const {
     controlPlaneTenantId: r,
     defaultPermissions: a,
     defaultRoles: s,
-    issuer: c,
-    adminRoleName: i = "Tenant Admin",
+    issuer: i,
+    adminRoleName: c = "Tenant Admin",
     adminRoleDescription: u = "Full access to all tenant management operations",
     addCreatorToOrganization: o = !0
   } = n, l = await e.adapters.organizations.create(
@@ -100,14 +100,14 @@ async function ge(e, t, n) {
     }
   );
   let g;
-  if (c && (g = await pe(
+  if (i && (g = await ye(
     e,
     r,
-    i,
+    c,
     u
   )), o && e.ctx) {
     const d = e.ctx.var.user;
-    if (d != null && d.sub && !await we(
+    if (d != null && d.sub && !await pe(
       e,
       r,
       d.sub
@@ -123,10 +123,10 @@ async function ge(e, t, n) {
           l.id
           // organizationId
         );
-      } catch (m) {
+      } catch (f) {
         console.warn(
           `Failed to add creator ${d.sub} to organization ${l.id}:`,
-          m
+          f
         );
       }
   }
@@ -136,7 +136,7 @@ async function ge(e, t, n) {
     `Would grant permissions ${a.join(", ")} to organization ${l.id}`
   );
 }
-async function we(e, t, n) {
+async function pe(e, t, n) {
   const r = await e.adapters.userRoles.list(
     t,
     n,
@@ -150,32 +150,32 @@ async function we(e, t, n) {
       a.id,
       { per_page: 1e3 }
     )).some(
-      (i) => i.permission_name === "admin:organizations"
+      (c) => c.permission_name === "admin:organizations"
     ))
       return !0;
   return !1;
 }
-async function pe(e, t, n, r) {
+async function ye(e, t, n, r) {
   const s = (await e.adapters.roles.list(t, {})).roles.find((o) => o.name === n);
   if (s)
     return s.id;
-  const c = await e.adapters.roles.create(t, {
+  const i = await e.adapters.roles.create(t, {
     name: n,
     description: r
-  }), i = J, u = re.map((o) => ({
-    role_id: c.id,
-    resource_server_identifier: i,
+  }), c = Y, u = se.map((o) => ({
+    role_id: i.id,
+    resource_server_identifier: c,
     permission_name: o.value
   }));
   return await e.adapters.rolePermissions.assign(
     t,
-    c.id,
+    i.id,
     u
-  ), c.id;
+  ), i.id;
 }
-function G(e, t, n = () => !0) {
-  const { controlPlaneTenantId: r, getChildTenantIds: a, getAdapters: s } = e, c = /* @__PURE__ */ new Map();
-  async function i(l, g, d) {
+function H(e, t, n = () => !0) {
+  const { controlPlaneTenantId: r, getChildTenantIds: a, getAdapters: s } = e, i = /* @__PURE__ */ new Map();
+  async function c(l, g, d) {
     return (await t(l).list(g, {
       q: `name:${d}`,
       per_page: 1
@@ -184,21 +184,21 @@ function G(e, t, n = () => !0) {
   async function u(l) {
     const g = await a(), d = t(await s(r));
     await Promise.all(
-      g.map(async (f) => {
+      g.map(async (m) => {
         try {
-          const m = await s(f), w = t(m), y = {
+          const f = await s(m), w = t(f), y = {
             ...d.transform(l),
             is_system: !0
-          }, _ = await i(m, f, l.name), b = _ ? w.getId(_) : void 0;
+          }, _ = await c(f, m, l.name), b = _ ? w.getId(_) : void 0;
           if (_ && b) {
-            const P = w.preserveOnUpdate ? w.preserveOnUpdate(_, y) : y;
-            await w.update(f, b, P);
+            const I = w.preserveOnUpdate ? w.preserveOnUpdate(_, y) : y;
+            await w.update(m, b, I);
           } else
-            await w.create(f, y);
-        } catch (m) {
+            await w.create(m, y);
+        } catch (f) {
           console.error(
-            `Failed to sync ${d.listKey} "${l.name}" to tenant "${f}":`,
-            m
+            `Failed to sync ${d.listKey} "${l.name}" to tenant "${m}":`,
+            f
           );
         }
       })
@@ -209,12 +209,12 @@ function G(e, t, n = () => !0) {
     await Promise.all(
       g.map(async (d) => {
         try {
-          const f = await s(d), m = t(f), w = await i(f, d, l), C = w ? m.getId(w) : void 0;
-          w && C && await m.remove(d, C);
-        } catch (f) {
+          const m = await s(d), f = t(m), w = await c(m, d, l), T = w ? f.getId(w) : void 0;
+          w && T && await f.remove(d, T);
+        } catch (m) {
           console.error(
             `Failed to delete entity "${l}" from tenant "${d}":`,
-            f
+            m
           );
         }
       })
@@ -229,53 +229,53 @@ function G(e, t, n = () => !0) {
     },
     beforeDelete: async (l, g) => {
       if (l.tenantId !== r) return;
-      const f = await t(l.adapters).get(l.tenantId, g);
-      f && n(f) && c.set(g, f);
+      const m = await t(l.adapters).get(l.tenantId, g);
+      m && n(m) && i.set(g, m);
     },
     afterDelete: async (l, g) => {
       if (l.tenantId !== r) return;
-      const d = c.get(g);
-      d && (c.delete(g), await o(d.name));
+      const d = i.get(g);
+      d && (i.delete(g), await o(d.name));
     }
   };
 }
-function L(e, t, n = () => !0) {
+function W(e, t, n = () => !0) {
   const { controlPlaneTenantId: r, getControlPlaneAdapters: a, getAdapters: s } = e;
   return {
-    async afterCreate(c, i) {
-      if (i.id !== r)
+    async afterCreate(i, c) {
+      if (c.id !== r)
         try {
-          const u = await a(), o = await s(i.id), l = t(u), g = t(o), d = await D(
-            (f) => l.listPaginated(r, f),
+          const u = await a(), o = await s(c.id), l = t(u), g = t(o), d = await D(
+            (m) => l.listPaginated(r, m),
             l.listKey,
             { cursorField: "id", pageSize: 100 }
           );
           await Promise.all(
-            d.filter((f) => n(f)).map(async (f) => {
+            d.filter((m) => n(m)).map(async (m) => {
               try {
-                const m = l.transform(f);
-                await g.create(i.id, {
-                  ...m,
+                const f = l.transform(m);
+                await g.create(c.id, {
+                  ...f,
                   is_system: !0
                 });
-              } catch (m) {
+              } catch (f) {
                 console.error(
-                  `Failed to sync entity to new tenant "${i.id}":`,
-                  m
+                  `Failed to sync entity to new tenant "${c.id}":`,
+                  f
                 );
               }
             })
           );
         } catch (u) {
           console.error(
-            `Failed to sync entities to new tenant "${i.id}":`,
+            `Failed to sync entities to new tenant "${c.id}":`,
             u
           );
         }
     }
   };
 }
-const W = (e) => ({
+const L = (e) => ({
   list: async (t, n) => (await e.resourceServers.list(t, n)).resource_servers,
   listPaginated: (t, n) => e.resourceServers.list(t, n),
   get: (t, n) => e.resourceServers.get(t, n),
@@ -293,7 +293,7 @@ const W = (e) => ({
     token_lifetime: t.token_lifetime,
     token_lifetime_for_web: t.token_lifetime_for_web
   })
-}), H = (e) => ({
+}), K = (e) => ({
   list: async (t, n) => (await e.roles.list(t, n)).roles,
   listPaginated: (t, n) => e.roles.list(t, n),
   get: (t, n) => e.roles.get(t, n),
@@ -308,77 +308,77 @@ const W = (e) => ({
     description: t.description
   })
 });
-function K(e) {
+function Q(e) {
   var t;
   return ((t = e.metadata) == null ? void 0 : t.sync) !== !1;
 }
-function he(e) {
-  const { sync: t = {}, filters: n = {} } = e, r = t.resourceServers ?? !0, a = t.roles ?? !0, s = (m) => K(m) ? n.resourceServers ? n.resourceServers(m) : !0 : !1, c = (m) => K(m) ? n.roles ? n.roles(m) : !0 : !1, i = r ? G(
+function ve(e) {
+  const { sync: t = {}, filters: n = {} } = e, r = t.resourceServers ?? !0, a = t.roles ?? !0, s = (f) => Q(f) ? n.resourceServers ? n.resourceServers(f) : !0 : !1, i = (f) => Q(f) ? n.roles ? n.roles(f) : !0 : !1, c = r ? H(
     e,
-    W,
+    L,
     s
-  ) : void 0, u = a ? G(e, H, c) : void 0, o = r ? L(
+  ) : void 0, u = a ? H(e, K, i) : void 0, o = r ? W(
     e,
-    W,
+    L,
     s
-  ) : void 0, l = a ? L(
+  ) : void 0, l = a ? W(
     e,
-    H,
-    c
+    K,
+    i
   ) : void 0, g = a ? {
-    async afterCreate(m, w) {
-      var C;
+    async afterCreate(f, w) {
+      var T;
       if (w.id !== e.controlPlaneTenantId) {
-        await ((C = l == null ? void 0 : l.afterCreate) == null ? void 0 : C.call(l, m, w));
+        await ((T = l == null ? void 0 : l.afterCreate) == null ? void 0 : T.call(l, f, w));
         try {
           const y = await e.getControlPlaneAdapters(), _ = await e.getAdapters(w.id), b = await D(
-            (p) => y.roles.list(
+            (h) => y.roles.list(
               e.controlPlaneTenantId,
-              p
+              h
             ),
             "roles",
             { cursorField: "id", pageSize: 100 }
-          ), P = /* @__PURE__ */ new Map();
-          for (const p of b.filter(
-            (T) => {
-              var h;
-              return ((h = n.roles) == null ? void 0 : h.call(n, T)) ?? !0;
+          ), I = /* @__PURE__ */ new Map();
+          for (const h of b.filter(
+            (C) => {
+              var p;
+              return ((p = n.roles) == null ? void 0 : p.call(n, C)) ?? !0;
             }
           )) {
-            const T = await d(
+            const C = await d(
               _,
               w.id,
-              p.name
+              h.name
             );
-            T && P.set(p.name, T.id);
+            C && I.set(h.name, C.id);
           }
-          for (const p of b.filter(
-            (T) => {
-              var h;
-              return ((h = n.roles) == null ? void 0 : h.call(n, T)) ?? !0;
+          for (const h of b.filter(
+            (C) => {
+              var p;
+              return ((p = n.roles) == null ? void 0 : p.call(n, C)) ?? !0;
             }
           )) {
-            const T = P.get(p.name);
-            if (T)
+            const C = I.get(h.name);
+            if (C)
               try {
-                const h = await y.rolePermissions.list(
+                const p = await y.rolePermissions.list(
                   e.controlPlaneTenantId,
-                  p.id,
+                  h.id,
                   {}
                 );
-                h.length > 0 && await _.rolePermissions.assign(
+                p.length > 0 && await _.rolePermissions.assign(
                   w.id,
-                  T,
-                  h.map((z) => ({
-                    role_id: T,
-                    resource_server_identifier: z.resource_server_identifier,
-                    permission_name: z.permission_name
+                  C,
+                  p.map((F) => ({
+                    role_id: C,
+                    resource_server_identifier: F.resource_server_identifier,
+                    permission_name: F.permission_name
                   }))
                 );
-              } catch (h) {
+              } catch (p) {
                 console.error(
-                  `Failed to sync permissions for role "${p.name}" to tenant "${w.id}":`,
-                  h
+                  `Failed to sync permissions for role "${h.name}" to tenant "${w.id}":`,
+                  p
                 );
               }
           }
@@ -391,27 +391,27 @@ function he(e) {
       }
     }
   } : void 0;
-  async function d(m, w, C) {
-    return (await m.roles.list(w, {
-      q: `name:${C}`,
+  async function d(f, w, T) {
+    return (await f.roles.list(w, {
+      q: `name:${T}`,
       per_page: 1
     })).roles[0] ?? null;
   }
   return {
     entityHooks: {
-      resourceServers: i,
+      resourceServers: c,
       roles: u
     },
     tenantHooks: {
-      async afterCreate(m, w) {
-        const C = [
+      async afterCreate(f, w) {
+        const T = [
           o == null ? void 0 : o.afterCreate,
           (g == null ? void 0 : g.afterCreate) ?? (l == null ? void 0 : l.afterCreate)
         ], y = [];
-        for (const _ of C)
+        for (const _ of T)
           if (_)
             try {
-              await _(m, w);
+              await _(f, w);
             } catch (b) {
               y.push(b instanceof Error ? b : new Error(String(b)));
             }
@@ -425,7 +425,7 @@ function he(e) {
     }
   };
 }
-var A = class extends Error {
+var P = class extends Error {
   /**
    * Creates an instance of `HTTPException`.
    * @param status - HTTP status code for the exception. Defaults to 500.
@@ -452,29 +452,29 @@ var A = class extends Error {
   }
 };
 function N(e, t) {
-  const n = new le();
+  const n = new de();
   return n.openapi(
-    M({
+    k({
       tags: ["tenants"],
       method: "get",
       path: "/",
       request: {
-        query: ae
+        query: oe
       },
       security: [
         {
-          Bearer: []
+          Bearer: ["read:tenants", "auth:read"]
         }
       ],
       responses: {
         200: {
           content: {
             "application/json": {
-              schema: I.object({
-                tenants: I.array(q),
-                start: I.number().optional(),
-                limit: I.number().optional(),
-                length: I.number().optional()
+              schema: A.object({
+                tenants: A.array(O),
+                start: A.number().optional(),
+                limit: A.number().optional(),
+                length: A.number().optional()
               })
             }
           },
@@ -483,75 +483,75 @@ function N(e, t) {
       }
     }),
     async (r) => {
-      var m, w, C, y, _, b;
-      const a = r.req.valid("query"), { page: s, per_page: c, include_totals: i, q: u } = a, o = r.var.user, l = (o == null ? void 0 : o.permissions) || [];
-      if (l.includes("auth:read") || l.includes("admin:organizations")) {
-        const P = await r.env.data.tenants.list({
+      var w, T, y, _, b, I;
+      const a = r.req.valid("query"), { page: s, per_page: i, include_totals: c, q: u } = a, o = r.var.user, l = (o == null ? void 0 : o.permissions) || [];
+      if (!!!((o == null ? void 0 : o.org_id) ?? r.var.organization_id) && (l.includes("auth:read") || l.includes("admin:organizations"))) {
+        const h = await r.env.data.tenants.list({
           page: s,
-          per_page: c,
-          include_totals: i,
+          per_page: i,
+          include_totals: c,
           q: u
         });
-        return i ? r.json({
-          tenants: P.tenants,
-          start: ((m = P.totals) == null ? void 0 : m.start) ?? 0,
-          limit: ((w = P.totals) == null ? void 0 : w.limit) ?? c,
-          length: P.tenants.length
-        }) : r.json({ tenants: P.tenants });
+        return c ? r.json({
+          tenants: h.tenants,
+          start: ((w = h.totals) == null ? void 0 : w.start) ?? 0,
+          limit: ((T = h.totals) == null ? void 0 : T.limit) ?? i,
+          length: h.tenants.length
+        }) : r.json({ tenants: h.tenants });
       }
-      const d = ((C = e.accessControl) == null ? void 0 : C.controlPlaneTenantId) ?? ((y = r.env.data.multiTenancyConfig) == null ? void 0 : y.controlPlaneTenantId);
-      if (d && (o != null && o.sub)) {
-        const p = (await D(
-          (R) => r.env.data.userOrganizations.listUserOrganizations(
-            d,
+      const m = ((y = e.accessControl) == null ? void 0 : y.controlPlaneTenantId) ?? ((_ = r.env.data.multiTenancyConfig) == null ? void 0 : _.controlPlaneTenantId);
+      if (m && (o != null && o.sub)) {
+        const C = (await D(
+          (M) => r.env.data.userOrganizations.listUserOrganizations(
+            m,
             o.sub,
-            R
+            M
           ),
           "organizations"
-        )).map((R) => R.name);
-        if (p.length === 0)
-          return i ? r.json({
+        )).map((M) => M.name);
+        if (C.length === 0)
+          return c ? r.json({
             tenants: [],
             start: 0,
-            limit: c ?? 50,
+            limit: i ?? 50,
             length: 0
           }) : r.json({ tenants: [] });
-        const T = p.length, h = s ?? 0, z = c ?? 50, F = h * z, j = p.slice(F, F + z);
-        if (j.length === 0)
-          return i ? r.json({
+        const p = C.length, F = s ?? 0, $ = i ?? 50, R = F * $, S = C.slice(R, R + $);
+        if (S.length === 0)
+          return c ? r.json({
             tenants: [],
-            start: F,
-            limit: z,
-            length: T
+            start: R,
+            limit: $,
+            length: p
           }) : r.json({ tenants: [] });
-        const S = j.map((R) => `id:${R}`).join(" OR "), v = u ? `(${S}) AND (${u})` : S, $ = await r.env.data.tenants.list({
-          q: v,
-          per_page: z,
+        const v = S.map((M) => `id:${M}`).join(" OR "), j = u ? `(${v}) AND (${u})` : v, z = await r.env.data.tenants.list({
+          q: j,
+          per_page: $,
           include_totals: !1
           // We calculate totals from accessibleTenantIds
         });
-        return i ? r.json({
-          tenants: $.tenants,
-          start: F,
-          limit: z,
-          length: T
-        }) : r.json({ tenants: $.tenants });
+        return c ? r.json({
+          tenants: z.tenants,
+          start: R,
+          limit: $,
+          length: p
+        }) : r.json({ tenants: z.tenants });
       }
       const f = await r.env.data.tenants.list({
         page: s,
-        per_page: c,
-        include_totals: i,
+        per_page: i,
+        include_totals: c,
         q: u
       });
-      return i ? r.json({
+      return c ? r.json({
         tenants: f.tenants,
-        start: ((_ = f.totals) == null ? void 0 : _.start) ?? 0,
-        limit: ((b = f.totals) == null ? void 0 : b.limit) ?? c,
+        start: ((b = f.totals) == null ? void 0 : b.start) ?? 0,
+        limit: ((I = f.totals) == null ? void 0 : I.limit) ?? i,
         length: f.tenants.length
       }) : r.json({ tenants: f.tenants });
     }
   ), n.openapi(
-    M({
+    k({
       tags: ["tenants"],
       method: "post",
       path: "/",
@@ -559,7 +559,7 @@ function N(e, t) {
         body: {
           content: {
             "application/json": {
-              schema: U
+              schema: G
             }
           }
         }
@@ -573,7 +573,7 @@ function N(e, t) {
         201: {
           content: {
             "application/json": {
-              schema: q
+              schema: O
             }
           },
           description: "Tenant created"
@@ -590,26 +590,26 @@ function N(e, t) {
       var u, o;
       const a = r.var.user;
       if (!(a != null && a.sub))
-        throw new A(401, {
+        throw new P(401, {
           message: "Authentication required to create tenants"
         });
       let s = r.req.valid("json");
-      const c = {
+      const i = {
         adapters: r.env.data,
         ctx: r
       };
-      (u = t.tenants) != null && u.beforeCreate && (s = await t.tenants.beforeCreate(c, s));
-      const i = await r.env.data.tenants.create(s);
-      return (o = t.tenants) != null && o.afterCreate && await t.tenants.afterCreate(c, i), r.json(i, 201);
+      (u = t.tenants) != null && u.beforeCreate && (s = await t.tenants.beforeCreate(i, s));
+      const c = await r.env.data.tenants.create(s);
+      return (o = t.tenants) != null && o.afterCreate && await t.tenants.afterCreate(i, c), r.json(c, 201);
     }
   ), n.openapi(
-    M({
+    k({
       tags: ["tenants"],
       method: "delete",
       path: "/{id}",
       request: {
-        params: I.object({
-          id: I.string()
+        params: A.object({
+          id: A.string()
         })
       },
       security: [
@@ -635,11 +635,11 @@ function N(e, t) {
       if (s) {
         const d = r.var.user;
         if (!(d != null && d.sub))
-          throw new A(401, {
+          throw new P(401, {
             message: "Authentication required"
           });
         if (a === s)
-          throw new A(403, {
+          throw new P(403, {
             message: "Cannot delete the control plane"
           });
         if (!(await D(
@@ -650,28 +650,28 @@ function N(e, t) {
           ),
           "organizations"
         )).some((w) => w.name === a))
-          throw new A(403, {
+          throw new P(403, {
             message: "Access denied to this tenant"
           });
       }
       if (!await r.env.data.tenants.get(a))
-        throw new A(404, {
+        throw new P(404, {
           message: "Tenant not found"
         });
-      const i = {
+      const c = {
         adapters: r.env.data,
         ctx: r
       };
-      return (l = t.tenants) != null && l.beforeDelete && await t.tenants.beforeDelete(i, a), await r.env.data.tenants.remove(a), (g = t.tenants) != null && g.afterDelete && await t.tenants.afterDelete(i, a), r.body(null, 204);
+      return (l = t.tenants) != null && l.beforeDelete && await t.tenants.beforeDelete(c, a), await r.env.data.tenants.remove(a), (g = t.tenants) != null && g.afterDelete && await t.tenants.afterDelete(c, a), r.body(null, 204);
     }
   ), n.openapi(
-    M({
+    k({
       tags: ["tenants", "settings"],
       method: "get",
       path: "/settings",
       request: {
-        headers: I.object({
-          "tenant-id": I.string().optional()
+        headers: A.object({
+          "tenant-id": A.string().optional()
         })
       },
       security: [
@@ -683,7 +683,7 @@ function N(e, t) {
         200: {
           content: {
             "application/json": {
-              schema: q
+              schema: O
             }
           },
           description: "Current tenant settings"
@@ -693,24 +693,24 @@ function N(e, t) {
     async (r) => {
       const a = await r.env.data.tenants.get(r.var.tenant_id);
       if (!a)
-        throw new A(404, {
+        throw new P(404, {
           message: "Tenant not found"
         });
       return r.json(a);
     }
   ), n.openapi(
-    M({
+    k({
       tags: ["tenants", "settings"],
       method: "patch",
       path: "/settings",
       request: {
-        headers: I.object({
-          "tenant-id": I.string().optional()
+        headers: A.object({
+          "tenant-id": A.string().optional()
         }),
         body: {
           content: {
             "application/json": {
-              schema: I.object(U.shape).partial()
+              schema: A.object(G.shape).partial()
             }
           }
         }
@@ -724,7 +724,7 @@ function N(e, t) {
         200: {
           content: {
             "application/json": {
-              schema: q
+              schema: O
             }
           },
           description: "Updated tenant settings"
@@ -732,23 +732,23 @@ function N(e, t) {
       }
     }),
     async (r) => {
-      const a = r.req.valid("json"), { id: s, ...c } = a, i = await r.env.data.tenants.get(r.var.tenant_id);
-      if (!i)
-        throw new A(404, {
+      const a = r.req.valid("json"), { id: s, ...i } = a, c = await r.env.data.tenants.get(r.var.tenant_id);
+      if (!c)
+        throw new P(404, {
           message: "Tenant not found"
         });
-      const u = se(i, c);
+      const u = ie(c, i);
       await r.env.data.tenants.update(r.var.tenant_id, u);
       const o = await r.env.data.tenants.get(r.var.tenant_id);
       if (!o)
-        throw new A(500, {
+        throw new P(500, {
           message: "Failed to retrieve updated tenant"
         });
       return r.json(o);
     }
   ), n;
 }
-function ye(e) {
+function _e(e) {
   const t = [
     {
       pattern: /\/api\/v2\/resource-servers\/([^/]+)$/,
@@ -764,7 +764,7 @@ function ye(e) {
   }
   return null;
 }
-async function ve(e, t, n) {
+async function Ce(e, t, n) {
   try {
     switch (n.type) {
       case "resource_server": {
@@ -786,50 +786,50 @@ async function ve(e, t, n) {
     return !1;
   }
 }
-function _e(e) {
+function Te(e) {
   return {
     resource_server: "resource server",
     role: "role",
     connection: "connection"
   }[e];
 }
-function Ce() {
+function be() {
   return async (e, t) => {
     if (!["PATCH", "PUT", "DELETE"].includes(e.req.method))
       return t();
-    const n = ye(e.req.path);
+    const n = _e(e.req.path);
     if (!n)
       return t();
     const r = e.var.tenant_id || e.req.header("x-tenant-id") || e.req.header("tenant-id");
     if (!r)
       return t();
-    if (await ve(e.env.data, r, n))
-      throw new A(403, {
-        message: `This ${_e(n.type)} is a system resource and cannot be modified. Make changes in the control plane instead.`
+    if (await Ce(e.env.data, r, n))
+      throw new P(403, {
+        message: `This ${Te(n.type)} is a system resource and cannot be modified. Make changes in the control plane instead.`
       });
     return t();
   };
 }
-function k(e, t) {
+function B(e, t) {
   const n = t.find(
     (a) => a.strategy === e.strategy
   );
   if (!(n != null && n.options))
     return e;
-  const r = oe.passthrough().parse({
+  const r = ce.passthrough().parse({
     ...n,
     ...e
   });
-  return r.options = ie.passthrough().parse({
+  return r.options = le.passthrough().parse({
     ...n.options || {},
     ...e.options
   }), r;
 }
-function O(e, t) {
+function q(e, t) {
   const n = [...t || [], ...e || []];
   return [...new Set(n)];
 }
-function Te(e, t) {
+function Pe(e, t) {
   if (!(t != null && t.length))
     return e || [];
   if (!(e != null && e.length))
@@ -841,34 +841,34 @@ function Te(e, t) {
     n.set(r.value, r);
   return Array.from(n.values());
 }
-function Q(e, t) {
+function V(e, t) {
   return t ? {
     ...e,
-    scopes: Te(
+    scopes: Pe(
       e.scopes,
       t.scopes
     )
   } : e;
 }
-function V(e, t) {
+function J(e, t) {
   return t ? {
     ...e,
-    callbacks: O(e.callbacks, t.callbacks),
-    web_origins: O(
+    callbacks: q(e.callbacks, t.callbacks),
+    web_origins: q(
       e.web_origins,
       t.web_origins
     ),
-    allowed_logout_urls: O(
+    allowed_logout_urls: q(
       e.allowed_logout_urls,
       t.allowed_logout_urls
     ),
-    allowed_origins: O(
+    allowed_origins: q(
       e.allowed_origins,
       t.allowed_origins
     )
   } : e;
 }
-function Y(e, t) {
+function x(e, t) {
   return {
     ...e.resourceServers,
     get: async (n, r) => {
@@ -882,7 +882,7 @@ function Y(e, t) {
         t,
         r
       );
-      return Q(
+      return V(
         a,
         s
       );
@@ -891,22 +891,22 @@ function Y(e, t) {
       const a = await e.resourceServers.list(n, r);
       if (!t || n === t)
         return a;
-      const s = t, c = a.resource_servers.filter(
+      const s = t, i = a.resource_servers.filter(
         (o) => !!(o.is_system && o.id)
       ).map((o) => o.id);
-      if (c.length === 0)
+      if (i.length === 0)
         return a;
-      const i = /* @__PURE__ */ new Map();
+      const c = /* @__PURE__ */ new Map();
       await Promise.all(
-        c.map(async (o) => {
+        i.map(async (o) => {
           const l = await e.resourceServers.get(s, o);
-          l && i.set(o, l);
+          l && c.set(o, l);
         })
       );
       const u = a.resource_servers.map(
-        (o) => o.is_system && o.id ? Q(
+        (o) => o.is_system && o.id ? V(
           o,
-          i.get(o.id) ?? null
+          c.get(o.id) ?? null
         ) : o
       );
       return {
@@ -916,16 +916,16 @@ function Y(e, t) {
     }
   };
 }
-function be(e, t) {
+function Se(e, t) {
   return {
     ...e,
-    resourceServers: Y(
+    resourceServers: x(
       e,
       t.controlPlaneTenantId
     )
   };
 }
-function Pe(e, t) {
+function Ae(e, t) {
   const { controlPlaneTenantId: n, controlPlaneClientId: r } = t;
   return {
     ...e,
@@ -937,30 +937,30 @@ function Pe(e, t) {
     connections: {
       ...e.connections,
       get: async (a, s) => {
-        const c = await e.connections.get(
+        const i = await e.connections.get(
           a,
           s
         );
-        if (!c || !n || a === n)
-          return c;
-        const i = await e.connections.list(n);
-        return k(
-          c,
-          i.connections || []
+        if (!i || !n || a === n)
+          return i;
+        const c = await e.connections.list(n);
+        return B(
+          i,
+          c.connections || []
         );
       },
       list: async (a, s) => {
-        const c = await e.connections.list(a, s);
+        const i = await e.connections.list(a, s);
         if (!n || a === n)
-          return c;
-        const i = await e.connections.list(n), u = c.connections.map(
-          (o) => k(
+          return i;
+        const c = await e.connections.list(n), u = i.connections.map(
+          (o) => B(
             o,
-            i.connections || []
+            c.connections || []
           )
         );
         return {
-          ...c,
+          ...i,
           connections: u
         };
       }
@@ -968,17 +968,17 @@ function Pe(e, t) {
     clientConnections: {
       ...e.clientConnections,
       listByClient: async (a, s) => {
-        let c = await e.clientConnections.listByClient(
+        let i = await e.clientConnections.listByClient(
           a,
           s
         );
-        if (c.length === 0 && (c = (await e.connections.list(a)).connections || []), !n || a === n)
-          return c;
-        const i = await e.connections.list(n);
-        return c.map(
-          (u) => k(
+        if (i.length === 0 && (i = (await e.connections.list(a)).connections || []), !n || a === n)
+          return i;
+        const c = await e.connections.list(n);
+        return i.map(
+          (u) => B(
             u,
-            i.connections || []
+            c.connections || []
           )
         );
       }
@@ -986,16 +986,16 @@ function Pe(e, t) {
     clients: {
       ...e.clients,
       get: async (a, s) => {
-        const c = await e.clients.get(a, s);
-        if (!c)
+        const i = await e.clients.get(a, s);
+        if (!i)
           return null;
         if (!n || !r || a === n && s === r)
-          return c;
-        const i = await e.clients.get(
+          return i;
+        const c = await e.clients.get(
           n,
           r
         );
-        return V(c, i);
+        return J(i, c);
       },
       getByClientId: async (a) => {
         const s = await e.clients.getByClientId(a);
@@ -1003,12 +1003,12 @@ function Pe(e, t) {
           return null;
         if (!n || !r || s.tenant_id === n && s.client_id === r)
           return s;
-        const c = await e.clients.get(
+        const i = await e.clients.get(
           n,
           r
         );
         return {
-          ...V(s, c),
+          ...J(s, i),
           tenant_id: s.tenant_id
         };
       }
@@ -1020,48 +1020,88 @@ function Pe(e, t) {
         return s || (!n || a === n ? null : e.emailProviders.get(n));
       }
     },
-    resourceServers: Y(
+    resourceServers: x(
       e,
       n
-    )
+    ),
+    hooks: Ie(e, n)
     // Note: Additional adapters can be extended here for runtime fallback:
     // - promptSettings: Fall back to control plane prompts
     // - branding: Fall back to control plane branding/themes
   };
 }
-function Z(e, t) {
-  return Pe(e, t);
+function X(e) {
+  if (!e || typeof e != "object") return !1;
+  const t = e.metadata;
+  return !t || typeof t != "object" ? !1 : t.inheritable === !0;
+}
+function Ie(e, t) {
+  return {
+    ...e.hooks,
+    list: async (n, r) => {
+      const a = await e.hooks.list(n, r);
+      if (!t || n === t)
+        return a;
+      const i = ((await e.hooks.list(
+        t,
+        r
+      )).hooks || []).filter(
+        X
+      );
+      if (i.length === 0)
+        return a;
+      const c = new Set((a.hooks || []).map((o) => o.hook_id)), u = i.filter((o) => !c.has(o.hook_id));
+      return {
+        ...a,
+        hooks: [...a.hooks || [], ...u],
+        length: typeof a.length == "number" ? a.length + u.length : a.length
+      };
+    },
+    get: async (n, r) => {
+      const a = await e.hooks.get(n, r);
+      if (a || !t || n === t)
+        return a;
+      const s = await e.hooks.get(
+        t,
+        r
+      );
+      return s && X(s) ? s : null;
+    }
+  };
 }
-function Ae(e) {
+function ee(e, t) {
+  return Ae(e, t);
+}
+function Re(e) {
   return async (t, n) => {
     const r = t.var.user;
     return (r == null ? void 0 : r.tenant_id) === e && r.org_name && t.set("tenant_id", r.org_name), n();
   };
 }
-function Se(e) {
+function ze(e) {
   return async (t, n) => {
     if (!e.accessControl)
       return n();
-    const { controlPlaneTenantId: r } = e.accessControl, a = t.var.org_name, s = t.var.organization_id, c = a || s;
-    let i = t.var.tenant_id;
-    const u = t.var.user, l = (u != null && u.aud ? Array.isArray(u.aud) ? u.aud : [u.aud] : []).includes(J);
-    if (!i && c && l && (t.set("tenant_id", c), i = c), !i)
-      throw new A(400, {
+    const { controlPlaneTenantId: r } = e.accessControl, a = t.var.org_name, s = t.var.organization_id, i = a || s;
+    let c = t.var.tenant_id;
+    const u = t.var.user, l = (u != null && u.aud ? Array.isArray(u.aud) ? u.aud : [u.aud] : []).includes(Y);
+    if (!c && i && l && (t.set("tenant_id", i), c = i), !c)
+      throw new P(400, {
         message: "Tenant ID not found in request"
       });
-    if (!de(
+    if (!me(
       s,
-      i,
+      c,
       r,
       a
     ))
-      throw new A(403, {
-        message: `Access denied to tenant ${i}`
+      throw new P(403, {
+        message: `Access denied to tenant ${c}`
       });
     return n();
   };
 }
-function Ie(e) {
+function $e(e) {
   return async (t, n) => {
     if (!e.subdomainRouting)
       return n();
@@ -1069,40 +1109,40 @@ function Ie(e) {
       baseDomain: r,
       reservedSubdomains: a = [],
       resolveSubdomain: s
-    } = e.subdomainRouting, c = t.req.header("x-forwarded-host") || t.req.header("host") || "";
-    let i = null;
-    if (c.endsWith(r)) {
-      const o = c.slice(0, -(r.length + 1));
-      o && !o.includes(".") && (i = o);
+    } = e.subdomainRouting, i = t.req.header("x-forwarded-host") || t.req.header("host") || "";
+    let c = null;
+    if (i.endsWith(r)) {
+      const o = i.slice(0, -(r.length + 1));
+      o && !o.includes(".") && (c = o);
     }
-    if (i && a.includes(i) && (i = null), !i)
+    if (c && a.includes(c) && (c = null), !c)
       return e.accessControl && t.set("tenant_id", e.accessControl.controlPlaneTenantId), n();
     let u = null;
     if (s)
-      u = await s(i);
+      u = await s(c);
     else if (e.subdomainRouting.useOrganizations !== !1 && e.accessControl)
       try {
         const o = await t.env.data.organizations.get(
           e.accessControl.controlPlaneTenantId,
-          i
+          c
         );
         o && (u = o.id);
       } catch {
       }
     if (!u)
-      throw new A(404, {
-        message: `Tenant not found for subdomain: ${i}`
+      throw new P(404, {
+        message: `Tenant not found for subdomain: ${c}`
       });
     return t.set("tenant_id", u), n();
   };
 }
-function Re(e) {
+function je(e) {
   return async (t, n) => {
     if (!e.databaseIsolation)
       return n();
     const r = t.var.tenant_id;
     if (!r)
-      throw new A(400, {
+      throw new P(400, {
         message: "Tenant ID not found in request"
       });
     try {
@@ -1112,21 +1152,21 @@ function Re(e) {
       throw console.error(
         `Failed to resolve database for tenant ${r}:`,
         a
-      ), new A(500, {
+      ), new P(500, {
         message: "Failed to resolve tenant database"
       });
     }
     return n();
   };
 }
-function x(e) {
-  const t = Ie(e), n = Se(e), r = Re(e);
+function te(e) {
+  const t = $e(e), n = ze(e), r = je(e);
   return async (a, s) => (await t(a, async () => {
   }), await n(a, async () => {
   }), await r(a, async () => {
   }), s());
 }
-function De(e) {
+function qe(e) {
   const {
     dataAdapter: t,
     controlPlane: n,
@@ -1135,20 +1175,20 @@ function De(e) {
       clientId: a
     } = {},
     sync: s = { resourceServers: !0, roles: !0 },
-    defaultPermissions: c = ["tenant:admin"],
-    requireOrganizationMatch: i = !1,
+    defaultPermissions: i = ["tenant:admin"],
+    requireOrganizationMatch: c = !1,
     managementApiExtensions: u = [],
     entityHooks: o,
     getChildTenantIds: l,
     getAdapters: g,
     ...d
   } = e;
-  let f = t, m = t;
-  n && (f = Z(t, {
+  let m = t, f = t;
+  n && (m = ee(t, {
     controlPlaneTenantId: r,
     controlPlaneClientId: a
-  }), m = {
-    ...be(t, {
+  }), f = {
+    ...Se(t, {
       controlPlaneTenantId: r
     }),
     multiTenancyConfig: {
@@ -1156,76 +1196,76 @@ function De(e) {
       controlPlaneClientId: a
     }
   });
-  const w = s !== !1, C = w ? {
+  const w = s !== !1, T = w ? {
     resourceServers: s.resourceServers ?? !0,
     roles: s.roles ?? !0
   } : { resourceServers: !1, roles: !1 }, b = {
     controlPlaneTenantId: r,
     getChildTenantIds: l ?? (async () => (await D(
-      (v) => f.tenants.list(v),
+      (v) => m.tenants.list(v),
       "tenants",
       { cursorField: "id", pageSize: 100 }
     )).filter((v) => v.id !== r).map((v) => v.id)),
-    getAdapters: g ?? (async () => f),
-    getControlPlaneAdapters: async () => f,
-    sync: C
-  }, { entityHooks: P, tenantHooks: p } = he(b), T = {
+    getAdapters: g ?? (async () => m),
+    getControlPlaneAdapters: async () => m,
+    sync: T
+  }, { entityHooks: I, tenantHooks: h } = ve(b), C = {
     resourceServers: [
-      P.resourceServers,
+      I.resourceServers,
       ...(o == null ? void 0 : o.resourceServers) ?? []
     ],
-    roles: [P.roles, ...(o == null ? void 0 : o.roles) ?? []],
+    roles: [I.roles, ...(o == null ? void 0 : o.roles) ?? []],
     connections: (o == null ? void 0 : o.connections) ?? [],
     tenants: (o == null ? void 0 : o.tenants) ?? [],
     rolePermissions: (o == null ? void 0 : o.rolePermissions) ?? []
-  }, h = X({
+  }, p = Z({
     accessControl: {
       controlPlaneTenantId: r,
-      requireOrganizationMatch: i,
-      defaultPermissions: c
+      requireOrganizationMatch: c,
+      defaultPermissions: i
     }
-  }), F = N(
+  }), $ = N(
     {
       accessControl: {
         controlPlaneTenantId: r,
-        requireOrganizationMatch: i,
-        defaultPermissions: c
+        requireOrganizationMatch: c,
+        defaultPermissions: i
       }
     },
     { tenants: {
       async beforeCreate(S, v) {
-        return h.beforeCreate && (v = await h.beforeCreate(S, v)), p.beforeCreate && (v = await p.beforeCreate(S, v)), v;
+        return p.beforeCreate && (v = await p.beforeCreate(S, v)), h.beforeCreate && (v = await h.beforeCreate(S, v)), v;
       },
       async afterCreate(S, v) {
-        var $, R;
-        await (($ = h.afterCreate) == null ? void 0 : $.call(h, S, v)), await ((R = p.afterCreate) == null ? void 0 : R.call(p, S, v));
+        var j, z;
+        await ((j = p.afterCreate) == null ? void 0 : j.call(p, S, v)), await ((z = h.afterCreate) == null ? void 0 : z.call(h, S, v));
       },
       async beforeDelete(S, v) {
-        var $, R;
-        await (($ = h.beforeDelete) == null ? void 0 : $.call(h, S, v)), await ((R = p.beforeDelete) == null ? void 0 : R.call(p, S, v));
+        var j, z;
+        await ((j = p.beforeDelete) == null ? void 0 : j.call(p, S, v)), await ((z = h.beforeDelete) == null ? void 0 : z.call(h, S, v));
       }
     } }
-  ), { app: j } = ce({
-    dataAdapter: f,
-    managementDataAdapter: m,
+  ), { app: R } = ue({
+    dataAdapter: m,
+    managementDataAdapter: f,
     ...d,
-    entityHooks: T,
+    entityHooks: C,
     managementApiExtensions: [
       ...u,
-      { path: "/tenants", router: F }
+      { path: "/tenants", router: $ }
     ]
   });
-  return j.use(
+  return R.use(
     "/api/v2/*",
-    Ae(r)
-  ), w && j.use("/api/v2/*", Ce()), { app: j, controlPlaneTenantId: r };
+    Re(r)
+  ), w && R.use("/api/v2/*", be()), { app: R, controlPlaneTenantId: r };
 }
-function qe(e) {
-  const t = B(e);
+function Ee(e) {
+  const t = U(e);
   return {
     name: "multi-tenancy",
     // Apply multi-tenancy middleware for subdomain routing, database resolution, etc.
-    middleware: x(e),
+    middleware: te(e),
     // Provide lifecycle hooks
     hooks: t,
     // Mount tenant management routes
@@ -1245,23 +1285,23 @@ function qe(e) {
     }
   };
 }
-function B(e) {
-  const t = e.accessControl ? ue(e.accessControl) : {}, n = e.databaseIsolation ? fe(e.databaseIsolation) : {}, r = X(e);
+function U(e) {
+  const t = e.accessControl ? fe(e.accessControl) : {}, n = e.databaseIsolation ? ge(e.databaseIsolation) : {}, r = Z(e);
   return {
     ...t,
     ...n,
     tenants: r
   };
 }
-function ze(e) {
-  const t = new ne(), n = B(e);
+function Fe(e) {
+  const t = new ae(), n = U(e);
   return t.route("/tenants", N(e, n)), t;
 }
-function Oe(e) {
+function Be(e) {
   return {
-    hooks: B(e),
-    middleware: x(e),
-    app: ze(e),
+    hooks: U(e),
+    middleware: te(e),
+    app: Fe(e),
     config: e,
     /**
      * Wraps data adapters with runtime fallback from the control plane.
@@ -1273,7 +1313,7 @@ function Oe(e) {
      */
     wrapAdapters: (t, n) => {
       var r;
-      return Z(t, {
+      return ee(t, {
         controlPlaneTenantId: (r = e.accessControl) == null ? void 0 : r.controlPlaneTenantId,
         controlPlaneClientId: n == null ? void 0 : n.controlPlaneClientId
       });
@@ -1281,24 +1321,24 @@ function Oe(e) {
   };
 }
 export {
-  ue as createAccessControlHooks,
-  Se as createAccessControlMiddleware,
-  Ae as createControlPlaneTenantMiddleware,
-  fe as createDatabaseHooks,
-  Re as createDatabaseMiddleware,
-  ze as createMultiTenancy,
-  B as createMultiTenancyHooks,
-  x as createMultiTenancyMiddleware,
-  qe as createMultiTenancyPlugin,
-  Ce as createProtectSyncedMiddleware,
-  X as createProvisioningHooks,
-  Pe as createRuntimeFallbackAdapter,
-  Ie as createSubdomainMiddleware,
-  he as createSyncHooks,
+  fe as createAccessControlHooks,
+  ze as createAccessControlMiddleware,
+  Re as createControlPlaneTenantMiddleware,
+  ge as createDatabaseHooks,
+  je as createDatabaseMiddleware,
+  Fe as createMultiTenancy,
+  U as createMultiTenancyHooks,
+  te as createMultiTenancyMiddleware,
+  Ee as createMultiTenancyPlugin,
+  be as createProtectSyncedMiddleware,
+  Z as createProvisioningHooks,
+  Ae as createRuntimeFallbackAdapter,
+  $e as createSubdomainMiddleware,
+  ve as createSyncHooks,
   N as createTenantsOpenAPIRouter,
-  De as initMultiTenant,
-  Oe as setupMultiTenancy,
-  de as validateTenantAccess,
-  Z as withRuntimeFallback,
-  be as withSystemResourceServerInheritance
+  qe as initMultiTenant,
+  Be as setupMultiTenancy,
+  me as validateTenantAccess,
+  ee as withRuntimeFallback,
+  Se as withSystemResourceServerInheritance
 };