@authhero/multi-tenancy 14.20.2 → 14.21.0

@@ -1,27 +1,27 @@
1
1
  var ne = Object.defineProperty;
2
- var re = (e, t, n) => t in e ? ne(e, t, { enumerable: !0, configurable: !0, writable: !0, value: n }) : e[t] = n;
3
- var E = (e, t, n) => re(e, typeof t != "symbol" ? t + "" : t, n);
2
+ var re = (e, t, r) => t in e ? ne(e, t, { enumerable: !0, configurable: !0, writable: !0, value: r }) : e[t] = r;
3
+ var E = (e, t, r) => re(e, typeof t != "symbol" ? t + "" : t, r);
4
4
  import { Hono as ae } from "hono";
5
- import { MANAGEMENT_API_SCOPES as se, MANAGEMENT_API_AUDIENCE as Y, fetchAll as D, auth0QuerySchema as oe, tenantSchema as O, tenantInsertSchema as G, deepMergePatch as ie, connectionSchema as ce, connectionOptionsSchema as le, init as ue } from "authhero";
6
- import { OpenAPIHono as de, createRoute as k, z as A } from "@hono/zod-openapi";
5
+ import { MANAGEMENT_API_SCOPES as se, MANAGEMENT_API_AUDIENCE as X, fetchAll as q, auth0QuerySchema as oe, tenantSchema as D, tenantInsertSchema as G, deepMergePatch as ie, connectionSchema as ce, connectionOptionsSchema as le, init as ue } from "authhero";
6
+ import { OpenAPIHono as de, createRoute as M, z as S } from "@hono/zod-openapi";
7
7
  function fe(e) {
8
- const { controlPlaneTenantId: t, requireOrganizationMatch: n = !0 } = e;
8
+ const { controlPlaneTenantId: t, requireOrganizationMatch: r = !0 } = e;
9
9
  return {
10
- async onTenantAccessValidation(r, a) {
10
+ async onTenantAccessValidation(n, a) {
11
11
  if (a === t)
12
12
  return !0;
13
- if (n) {
14
- const s = r.var.org_name, i = r.var.organization_id, c = s || i;
15
- return c ? c.toLowerCase() === a.toLowerCase() : !1;
13
+ if (r) {
14
+ const o = n.var.org_name, c = n.var.organization_id, i = o || c;
15
+ return i ? i.toLowerCase() === a.toLowerCase() : !1;
16
16
  }
17
17
  return !0;
18
18
  }
19
19
  };
20
20
  }
21
- function me(e, t, n, r) {
22
- if (t === n)
21
+ function me(e, t, r, n) {
22
+ if (t === r)
23
23
  return !0;
24
- const a = r || e;
24
+ const a = n || e;
25
25
  return a ? a.toLowerCase() === t.toLowerCase() : !1;
26
26
  }
27
27
  function ge(e) {
@@ -29,10 +29,10 @@ function ge(e) {
29
29
  async resolveDataAdapters(t) {
30
30
  try {
31
31
  return await e.getAdapters(t);
32
- } catch (n) {
32
+ } catch (r) {
33
33
  console.error(
34
34
  `Failed to resolve data adapters for tenant ${t}:`,
35
- n
35
+ r
36
36
  );
37
37
  return;
38
38
  }
@@ -42,246 +42,246 @@ function ge(e) {
42
42
  function we(e) {
43
43
  return `urn:authhero:tenant:${e.toLowerCase()}`;
44
44
  }
45
- function Z(e) {
45
+ function Y(e) {
46
46
  return {
47
- async beforeCreate(t, n) {
48
- return !n.audience && n.id ? {
49
- ...n,
50
- audience: we(n.id)
51
- } : n;
47
+ async beforeCreate(t, r) {
48
+ return !r.audience && r.id ? {
49
+ ...r,
50
+ audience: we(r.id)
51
+ } : r;
52
52
  },
53
- async afterCreate(t, n) {
54
- const { accessControl: r, databaseIsolation: a } = e;
55
- r && t.ctx && await he(t, n, r), a != null && a.onProvision && await a.onProvision(n.id);
53
+ async afterCreate(t, r) {
54
+ const { accessControl: n, databaseIsolation: a } = e;
55
+ n && t.ctx && await pe(t, r, n), a != null && a.onProvision && await a.onProvision(r.id);
56
56
  },
57
- async beforeDelete(t, n) {
58
- const { accessControl: r, databaseIsolation: a } = e;
59
- if (r)
57
+ async beforeDelete(t, r) {
58
+ const { accessControl: n, databaseIsolation: a } = e;
59
+ if (n)
60
60
  try {
61
- const i = (await t.adapters.organizations.list(
62
- r.controlPlaneTenantId
63
- )).organizations.find((c) => c.name === n);
64
- i && await t.adapters.organizations.remove(
65
- r.controlPlaneTenantId,
66
- i.id
61
+ const c = (await t.adapters.organizations.list(
62
+ n.controlPlaneTenantId
63
+ )).organizations.find((i) => i.name === r);
64
+ c && await t.adapters.organizations.remove(
65
+ n.controlPlaneTenantId,
66
+ c.id
67
67
  );
68
- } catch (s) {
68
+ } catch (o) {
69
69
  console.warn(
70
- `Failed to remove organization for tenant ${n}:`,
71
- s
70
+ `Failed to remove organization for tenant ${r}:`,
71
+ o
72
72
  );
73
73
  }
74
74
  if (a != null && a.onDeprovision)
75
75
  try {
76
- await a.onDeprovision(n);
77
- } catch (s) {
76
+ await a.onDeprovision(r);
77
+ } catch (o) {
78
78
  console.warn(
79
- `Failed to deprovision database for tenant ${n}:`,
80
- s
79
+ `Failed to deprovision database for tenant ${r}:`,
80
+ o
81
81
  );
82
82
  }
83
83
  }
84
84
  };
85
85
  }
86
- async function he(e, t, n) {
86
+ async function pe(e, t, r) {
87
87
  const {
88
- controlPlaneTenantId: r,
88
+ controlPlaneTenantId: n,
89
89
  defaultPermissions: a,
90
- defaultRoles: s,
91
- issuer: i,
92
- adminRoleName: c = "Tenant Admin",
93
- adminRoleDescription: u = "Full access to all tenant management operations",
94
- addCreatorToOrganization: o = !0
95
- } = n, l = await e.adapters.organizations.create(
96
- r,
90
+ defaultRoles: o,
91
+ issuer: c,
92
+ adminRoleName: i = "Tenant Admin",
93
+ adminRoleDescription: l = "Full access to all tenant management operations",
94
+ addCreatorToOrganization: u = !0
95
+ } = r, s = await e.adapters.organizations.create(
96
+ n,
97
97
  {
98
98
  name: t.id,
99
99
  display_name: t.friendly_name || t.id
100
100
  }
101
101
  );
102
- let g;
103
- if (i && (g = await ye(
102
+ let d;
103
+ if (c && (d = await ye(
104
104
  e,
105
- r,
106
- c,
107
- u
108
- )), o && e.ctx) {
109
- const d = e.ctx.var.user;
110
- if (d != null && d.sub && !await pe(
105
+ n,
106
+ i,
107
+ l
108
+ )), u && e.ctx) {
109
+ const m = e.ctx.var.user;
110
+ if (m != null && m.sub && !await he(
111
111
  e,
112
- r,
113
- d.sub
112
+ n,
113
+ m.sub
114
114
  ))
115
115
  try {
116
- await e.adapters.userOrganizations.create(r, {
117
- user_id: d.sub,
118
- organization_id: l.id
119
- }), g && await e.adapters.userRoles.create(
120
- r,
121
- d.sub,
122
- g,
123
- l.id
116
+ await e.adapters.userOrganizations.create(n, {
117
+ user_id: m.sub,
118
+ organization_id: s.id
119
+ }), d && await e.adapters.userRoles.create(
120
+ n,
121
+ m.sub,
122
+ d,
123
+ s.id
124
124
  // organizationId
125
125
  );
126
126
  } catch (f) {
127
127
  console.warn(
128
- `Failed to add creator ${d.sub} to organization ${l.id}:`,
128
+ `Failed to add creator ${m.sub} to organization ${s.id}:`,
129
129
  f
130
130
  );
131
131
  }
132
132
  }
133
- s && s.length > 0 && console.log(
134
- `Would assign roles ${s.join(", ")} to organization ${l.id}`
133
+ o && o.length > 0 && console.log(
134
+ `Would assign roles ${o.join(", ")} to organization ${s.id}`
135
135
  ), a && a.length > 0 && console.log(
136
- `Would grant permissions ${a.join(", ")} to organization ${l.id}`
136
+ `Would grant permissions ${a.join(", ")} to organization ${s.id}`
137
137
  );
138
138
  }
139
- async function pe(e, t, n) {
140
- const r = await e.adapters.userRoles.list(
139
+ async function he(e, t, r) {
140
+ const n = await e.adapters.userRoles.list(
141
141
  t,
142
- n,
142
+ r,
143
143
  void 0,
144
144
  ""
145
145
  // Empty string for global roles
146
146
  );
147
- for (const a of r)
147
+ for (const a of n)
148
148
  if ((await e.adapters.rolePermissions.list(
149
149
  t,
150
150
  a.id,
151
151
  { per_page: 1e3 }
152
152
  )).some(
153
- (c) => c.permission_name === "admin:organizations"
153
+ (i) => i.permission_name === "admin:organizations"
154
154
  ))
155
155
  return !0;
156
156
  return !1;
157
157
  }
158
- async function ye(e, t, n, r) {
159
- const s = (await e.adapters.roles.list(t, {})).roles.find((o) => o.name === n);
160
- if (s)
161
- return s.id;
162
- const i = await e.adapters.roles.create(t, {
163
- name: n,
164
- description: r
165
- }), c = Y, u = se.map((o) => ({
166
- role_id: i.id,
167
- resource_server_identifier: c,
168
- permission_name: o.value
158
+ async function ye(e, t, r, n) {
159
+ const o = (await e.adapters.roles.list(t, {})).roles.find((u) => u.name === r);
160
+ if (o)
161
+ return o.id;
162
+ const c = await e.adapters.roles.create(t, {
163
+ name: r,
164
+ description: n
165
+ }), i = X, l = se.map((u) => ({
166
+ role_id: c.id,
167
+ resource_server_identifier: i,
168
+ permission_name: u.value
169
169
  }));
170
170
  return await e.adapters.rolePermissions.assign(
171
171
  t,
172
- i.id,
173
- u
174
- ), i.id;
172
+ c.id,
173
+ l
174
+ ), c.id;
175
175
  }
176
- function H(e, t, n = () => !0) {
177
- const { controlPlaneTenantId: r, getChildTenantIds: a, getAdapters: s } = e, i = /* @__PURE__ */ new Map();
178
- async function c(l, g, d) {
179
- return (await t(l).list(g, {
180
- q: `name:${d}`,
176
+ function H(e, t, r = () => !0) {
177
+ const { controlPlaneTenantId: n, getChildTenantIds: a, getAdapters: o } = e, c = /* @__PURE__ */ new Map();
178
+ async function i(s, d, m) {
179
+ return (await t(s).list(d, {
180
+ q: `name:${m}`,
181
181
  per_page: 1
182
182
  }))[0] ?? null;
183
183
  }
184
- async function u(l) {
185
- const g = await a(), d = t(await s(r));
184
+ async function l(s) {
185
+ const d = await a(), m = t(await o(n));
186
186
  await Promise.all(
187
- g.map(async (m) => {
187
+ d.map(async (w) => {
188
188
  try {
189
- const f = await s(m), w = t(f), y = {
190
- ...d.transform(l),
189
+ const f = await o(w), g = t(f), h = {
190
+ ...m.transform(s),
191
191
  is_system: !0
192
- }, _ = await c(f, m, l.name), b = _ ? w.getId(_) : void 0;
193
- if (_ && b) {
194
- const I = w.preserveOnUpdate ? w.preserveOnUpdate(_, y) : y;
195
- await w.update(m, b, I);
192
+ }, T = await i(f, w, s.name), b = T ? g.getId(T) : void 0;
193
+ if (T && b) {
194
+ const z = g.preserveOnUpdate ? g.preserveOnUpdate(T, h) : h;
195
+ await g.update(w, b, z);
196
196
  } else
197
- await w.create(m, y);
197
+ await g.create(w, h);
198
198
  } catch (f) {
199
199
  console.error(
200
- `Failed to sync ${d.listKey} "${l.name}" to tenant "${m}":`,
200
+ `Failed to sync ${m.listKey} "${s.name}" to tenant "${w}":`,
201
201
  f
202
202
  );
203
203
  }
204
204
  })
205
205
  );
206
206
  }
207
- async function o(l) {
208
- const g = await a();
207
+ async function u(s) {
208
+ const d = await a();
209
209
  await Promise.all(
210
- g.map(async (d) => {
210
+ d.map(async (m) => {
211
211
  try {
212
- const m = await s(d), f = t(m), w = await c(m, d, l), T = w ? f.getId(w) : void 0;
213
- w && T && await f.remove(d, T);
214
- } catch (m) {
212
+ const w = await o(m), f = t(w), g = await i(w, m, s), _ = g ? f.getId(g) : void 0;
213
+ g && _ && await f.remove(m, _);
214
+ } catch (w) {
215
215
  console.error(
216
- `Failed to delete entity "${l}" from tenant "${d}":`,
217
- m
216
+ `Failed to delete entity "${s}" from tenant "${m}":`,
217
+ w
218
218
  );
219
219
  }
220
220
  })
221
221
  );
222
222
  }
223
223
  return {
224
- afterCreate: async (l, g) => {
225
- l.tenantId === r && n(g) && await u(g);
224
+ afterCreate: async (s, d) => {
225
+ s.tenantId === n && r(d) && await l(d);
226
226
  },
227
- afterUpdate: async (l, g, d) => {
228
- l.tenantId === r && n(d) && await u(d);
227
+ afterUpdate: async (s, d, m) => {
228
+ s.tenantId === n && r(m) && await l(m);
229
229
  },
230
- beforeDelete: async (l, g) => {
231
- if (l.tenantId !== r) return;
232
- const m = await t(l.adapters).get(l.tenantId, g);
233
- m && n(m) && i.set(g, m);
230
+ beforeDelete: async (s, d) => {
231
+ if (s.tenantId !== n) return;
232
+ const w = await t(s.adapters).get(s.tenantId, d);
233
+ w && r(w) && c.set(d, w);
234
234
  },
235
- afterDelete: async (l, g) => {
236
- if (l.tenantId !== r) return;
237
- const d = i.get(g);
238
- d && (i.delete(g), await o(d.name));
235
+ afterDelete: async (s, d) => {
236
+ if (s.tenantId !== n) return;
237
+ const m = c.get(d);
238
+ m && (c.delete(d), await u(m.name));
239
239
  }
240
240
  };
241
241
  }
242
- function W(e, t, n = () => !0) {
243
- const { controlPlaneTenantId: r, getControlPlaneAdapters: a, getAdapters: s } = e;
242
+ function W(e, t, r = () => !0) {
243
+ const { controlPlaneTenantId: n, getControlPlaneAdapters: a, getAdapters: o } = e;
244
244
  return {
245
- async afterCreate(i, c) {
246
- if (c.id !== r)
245
+ async afterCreate(c, i) {
246
+ if (i.id !== n)
247
247
  try {
248
- const u = await a(), o = await s(c.id), l = t(u), g = t(o), d = await D(
249
- (m) => l.listPaginated(r, m),
250
- l.listKey,
248
+ const l = await a(), u = await o(i.id), s = t(l), d = t(u), m = await q(
249
+ (w) => s.listPaginated(n, w),
250
+ s.listKey,
251
251
  { cursorField: "id", pageSize: 100 }
252
252
  );
253
253
  await Promise.all(
254
- d.filter((m) => n(m)).map(async (m) => {
254
+ m.filter((w) => r(w)).map(async (w) => {
255
255
  try {
256
- const f = l.transform(m);
257
- await g.create(c.id, {
256
+ const f = s.transform(w);
257
+ await d.create(i.id, {
258
258
  ...f,
259
259
  is_system: !0
260
260
  });
261
261
  } catch (f) {
262
262
  console.error(
263
- `Failed to sync entity to new tenant "${c.id}":`,
263
+ `Failed to sync entity to new tenant "${i.id}":`,
264
264
  f
265
265
  );
266
266
  }
267
267
  })
268
268
  );
269
- } catch (u) {
269
+ } catch (l) {
270
270
  console.error(
271
- `Failed to sync entities to new tenant "${c.id}":`,
272
- u
271
+ `Failed to sync entities to new tenant "${i.id}":`,
272
+ l
273
273
  );
274
274
  }
275
275
  }
276
276
  };
277
277
  }
278
278
  const L = (e) => ({
279
- list: async (t, n) => (await e.resourceServers.list(t, n)).resource_servers,
280
- listPaginated: (t, n) => e.resourceServers.list(t, n),
281
- get: (t, n) => e.resourceServers.get(t, n),
282
- create: (t, n) => e.resourceServers.create(t, n),
283
- update: (t, n, r) => e.resourceServers.update(t, n, r),
284
- remove: (t, n) => e.resourceServers.remove(t, n),
279
+ list: async (t, r) => (await e.resourceServers.list(t, r)).resource_servers,
280
+ listPaginated: (t, r) => e.resourceServers.list(t, r),
281
+ get: (t, r) => e.resourceServers.get(t, r),
282
+ create: (t, r) => e.resourceServers.create(t, r),
283
+ update: (t, r, n) => e.resourceServers.update(t, r, n),
284
+ remove: (t, r) => e.resourceServers.remove(t, r),
285
285
  listKey: "resource_servers",
286
286
  getId: (t) => t.id,
287
287
  transform: (t) => ({
@@ -294,12 +294,12 @@ const L = (e) => ({
294
294
  token_lifetime_for_web: t.token_lifetime_for_web
295
295
  })
296
296
  }), K = (e) => ({
297
- list: async (t, n) => (await e.roles.list(t, n)).roles,
298
- listPaginated: (t, n) => e.roles.list(t, n),
299
- get: (t, n) => e.roles.get(t, n),
300
- create: (t, n) => e.roles.create(t, n),
301
- update: (t, n, r) => e.roles.update(t, n, r),
302
- remove: (t, n) => e.roles.remove(t, n),
297
+ list: async (t, r) => (await e.roles.list(t, r)).roles,
298
+ listPaginated: (t, r) => e.roles.list(t, r),
299
+ get: (t, r) => e.roles.get(t, r),
300
+ create: (t, r) => e.roles.create(t, r),
301
+ update: (t, r, n) => e.roles.update(t, r, n),
302
+ remove: (t, r) => e.roles.remove(t, r),
303
303
  listKey: "roles",
304
304
  getId: (t) => t.id,
305
305
  transform: (t) => ({
@@ -313,113 +313,113 @@ function Q(e) {
313
313
  return ((t = e.metadata) == null ? void 0 : t.sync) !== !1;
314
314
  }
315
315
  function ve(e) {
316
- const { sync: t = {}, filters: n = {} } = e, r = t.resourceServers ?? !0, a = t.roles ?? !0, s = (f) => Q(f) ? n.resourceServers ? n.resourceServers(f) : !0 : !1, i = (f) => Q(f) ? n.roles ? n.roles(f) : !0 : !1, c = r ? H(
316
+ const { sync: t = {}, filters: r = {} } = e, n = t.resourceServers ?? !0, a = t.roles ?? !0, o = (f) => Q(f) ? r.resourceServers ? r.resourceServers(f) : !0 : !1, c = (f) => Q(f) ? r.roles ? r.roles(f) : !0 : !1, i = n ? H(
317
317
  e,
318
318
  L,
319
- s
320
- ) : void 0, u = a ? H(e, K, i) : void 0, o = r ? W(
319
+ o
320
+ ) : void 0, l = a ? H(e, K, c) : void 0, u = n ? W(
321
321
  e,
322
322
  L,
323
- s
324
- ) : void 0, l = a ? W(
323
+ o
324
+ ) : void 0, s = a ? W(
325
325
  e,
326
326
  K,
327
- i
328
- ) : void 0, g = a ? {
329
- async afterCreate(f, w) {
330
- var T;
331
- if (w.id !== e.controlPlaneTenantId) {
332
- await ((T = l == null ? void 0 : l.afterCreate) == null ? void 0 : T.call(l, f, w));
327
+ c
328
+ ) : void 0, d = a ? {
329
+ async afterCreate(f, g) {
330
+ var _;
331
+ if (g.id !== e.controlPlaneTenantId) {
332
+ await ((_ = s == null ? void 0 : s.afterCreate) == null ? void 0 : _.call(s, f, g));
333
333
  try {
334
- const y = await e.getControlPlaneAdapters(), _ = await e.getAdapters(w.id), b = await D(
335
- (h) => y.roles.list(
334
+ const h = await e.getControlPlaneAdapters(), T = await e.getAdapters(g.id), b = await q(
335
+ (v) => h.roles.list(
336
336
  e.controlPlaneTenantId,
337
- h
337
+ v
338
338
  ),
339
339
  "roles",
340
340
  { cursorField: "id", pageSize: 100 }
341
- ), I = /* @__PURE__ */ new Map();
342
- for (const h of b.filter(
343
- (C) => {
344
- var p;
345
- return ((p = n.roles) == null ? void 0 : p.call(n, C)) ?? !0;
341
+ ), z = /* @__PURE__ */ new Map();
342
+ for (const v of b.filter(
343
+ (p) => {
344
+ var C;
345
+ return ((C = r.roles) == null ? void 0 : C.call(r, p)) ?? !0;
346
346
  }
347
347
  )) {
348
- const C = await d(
349
- _,
350
- w.id,
351
- h.name
348
+ const p = await m(
349
+ T,
350
+ g.id,
351
+ v.name
352
352
  );
353
- C && I.set(h.name, C.id);
353
+ p && z.set(v.name, p.id);
354
354
  }
355
- for (const h of b.filter(
356
- (C) => {
357
- var p;
358
- return ((p = n.roles) == null ? void 0 : p.call(n, C)) ?? !0;
355
+ for (const v of b.filter(
356
+ (p) => {
357
+ var C;
358
+ return ((C = r.roles) == null ? void 0 : C.call(r, p)) ?? !0;
359
359
  }
360
360
  )) {
361
- const C = I.get(h.name);
362
- if (C)
361
+ const p = z.get(v.name);
362
+ if (p)
363
363
  try {
364
- const p = await y.rolePermissions.list(
364
+ const C = await h.rolePermissions.list(
365
365
  e.controlPlaneTenantId,
366
- h.id,
366
+ v.id,
367
367
  {}
368
368
  );
369
- p.length > 0 && await _.rolePermissions.assign(
370
- w.id,
371
- C,
372
- p.map((F) => ({
373
- role_id: C,
374
- resource_server_identifier: F.resource_server_identifier,
375
- permission_name: F.permission_name
369
+ C.length > 0 && await T.rolePermissions.assign(
370
+ g.id,
371
+ p,
372
+ C.map((I) => ({
373
+ role_id: p,
374
+ resource_server_identifier: I.resource_server_identifier,
375
+ permission_name: I.permission_name
376
376
  }))
377
377
  );
378
- } catch (p) {
378
+ } catch (C) {
379
379
  console.error(
380
- `Failed to sync permissions for role "${h.name}" to tenant "${w.id}":`,
381
- p
380
+ `Failed to sync permissions for role "${v.name}" to tenant "${g.id}":`,
381
+ C
382
382
  );
383
383
  }
384
384
  }
385
- } catch (y) {
385
+ } catch (h) {
386
386
  console.error(
387
- `Failed to sync role permissions to tenant "${w.id}":`,
388
- y
387
+ `Failed to sync role permissions to tenant "${g.id}":`,
388
+ h
389
389
  );
390
390
  }
391
391
  }
392
392
  }
393
393
  } : void 0;
394
- async function d(f, w, T) {
395
- return (await f.roles.list(w, {
396
- q: `name:${T}`,
394
+ async function m(f, g, _) {
395
+ return (await f.roles.list(g, {
396
+ q: `name:${_}`,
397
397
  per_page: 1
398
398
  })).roles[0] ?? null;
399
399
  }
400
400
  return {
401
401
  entityHooks: {
402
- resourceServers: c,
403
- roles: u
402
+ resourceServers: i,
403
+ roles: l
404
404
  },
405
405
  tenantHooks: {
406
- async afterCreate(f, w) {
407
- const T = [
408
- o == null ? void 0 : o.afterCreate,
409
- (g == null ? void 0 : g.afterCreate) ?? (l == null ? void 0 : l.afterCreate)
410
- ], y = [];
411
- for (const _ of T)
412
- if (_)
406
+ async afterCreate(f, g) {
407
+ const _ = [
408
+ u == null ? void 0 : u.afterCreate,
409
+ (d == null ? void 0 : d.afterCreate) ?? (s == null ? void 0 : s.afterCreate)
410
+ ], h = [];
411
+ for (const T of _)
412
+ if (T)
413
413
  try {
414
- await _(f, w);
414
+ await T(f, g);
415
415
  } catch (b) {
416
- y.push(b instanceof Error ? b : new Error(String(b)));
416
+ h.push(b instanceof Error ? b : new Error(String(b)));
417
417
  }
418
- if (y.length === 1) throw y[0];
419
- if (y.length > 1)
418
+ if (h.length === 1) throw h[0];
419
+ if (h.length > 1)
420
420
  throw new AggregateError(
421
- y,
422
- y.map((_) => _.message).join("; ")
421
+ h,
422
+ h.map((T) => T.message).join("; ")
423
423
  );
424
424
  }
425
425
  }
@@ -431,11 +431,11 @@ var P = class extends Error {
431
431
  * @param status - HTTP status code for the exception. Defaults to 500.
432
432
  * @param options - Additional options for the exception.
433
433
  */
434
- constructor(t = 500, n) {
435
- super(n == null ? void 0 : n.message, { cause: n == null ? void 0 : n.cause });
434
+ constructor(t = 500, r) {
435
+ super(r == null ? void 0 : r.message, { cause: r == null ? void 0 : r.cause });
436
436
  E(this, "res");
437
437
  E(this, "status");
438
- this.res = n == null ? void 0 : n.res, this.status = t;
438
+ this.res = r == null ? void 0 : r.res, this.status = t;
439
439
  }
440
440
  /**
441
441
  * Returns the response object associated with the exception.
@@ -451,10 +451,10 @@ var P = class extends Error {
451
451
  });
452
452
  }
453
453
  };
454
- function N(e, t) {
455
- const n = new de();
456
- return n.openapi(
457
- k({
454
+ function B(e, t) {
455
+ const r = new de();
456
+ return r.openapi(
457
+ M({
458
458
  tags: ["tenants"],
459
459
  method: "get",
460
460
  path: "/",
@@ -463,18 +463,18 @@ function N(e, t) {
463
463
  },
464
464
  security: [
465
465
  {
466
- Bearer: ["read:tenants", "auth:read"]
466
+ Bearer: []
467
467
  }
468
468
  ],
469
469
  responses: {
470
470
  200: {
471
471
  content: {
472
472
  "application/json": {
473
- schema: A.object({
474
- tenants: A.array(O),
475
- start: A.number().optional(),
476
- limit: A.number().optional(),
477
- length: A.number().optional()
473
+ schema: S.object({
474
+ tenants: S.array(D),
475
+ start: S.number().optional(),
476
+ limit: S.number().optional(),
477
+ length: S.number().optional()
478
478
  })
479
479
  }
480
480
  },
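Review bot: The `security` entry for `GET /` now reads `Bearer: []`, so the route no longer declares `read:tenants` or `auth:read` as required scopes. If the authentication middleware takes its required permissions from this declaration (not visible on this page), any valid token now reaches the handler and every authorization decision has to be made there. The unbundled source should carry a comment beside the declaration that says so, for example `// scopes intentionally empty: access is decided in the handler by organization membership`. The route definition starts and ends outside this hunk.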
@@ -482,76 +482,80 @@ function N(e, t) {
482
482
  }
483
483
  }
484
484
  }),
485
- async (r) => {
486
- var w, T, y, _, b, I;
487
- const a = r.req.valid("query"), { page: s, per_page: i, include_totals: c, q: u } = a, o = r.var.user, l = (o == null ? void 0 : o.permissions) || [];
488
- if (!!!((o == null ? void 0 : o.org_id) ?? r.var.organization_id) && (l.includes("auth:read") || l.includes("admin:organizations"))) {
489
- const h = await r.env.data.tenants.list({
490
- page: s,
491
- per_page: i,
492
- include_totals: c,
493
- q: u
485
+ async (n) => {
486
+ var g, _, h, T, b, z;
487
+ const a = n.req.valid("query"), { page: o, per_page: c, include_totals: i, q: l } = a, u = n.var.user, s = (u == null ? void 0 : u.permissions) || [];
488
+ if (!!!((u == null ? void 0 : u.org_id) ?? n.var.organization_id) && s.includes("admin:organizations")) {
489
+ const v = await n.env.data.tenants.list({
490
+ page: o,
491
+ per_page: c,
492
+ include_totals: i,
493
+ q: l
494
494
  });
495
- return c ? r.json({
496
- tenants: h.tenants,
497
- start: ((w = h.totals) == null ? void 0 : w.start) ?? 0,
498
- limit: ((T = h.totals) == null ? void 0 : T.limit) ?? i,
499
- length: h.tenants.length
500
- }) : r.json({ tenants: h.tenants });
495
+ return i ? n.json({
496
+ tenants: v.tenants,
497
+ start: ((g = v.totals) == null ? void 0 : g.start) ?? 0,
498
+ limit: ((_ = v.totals) == null ? void 0 : _.limit) ?? c,
499
+ length: v.tenants.length
500
+ }) : n.json({ tenants: v.tenants });
501
501
  }
502
- const m = ((y = e.accessControl) == null ? void 0 : y.controlPlaneTenantId) ?? ((_ = r.env.data.multiTenancyConfig) == null ? void 0 : _.controlPlaneTenantId);
503
- if (m && (o != null && o.sub)) {
504
- const C = (await D(
505
- (M) => r.env.data.userOrganizations.listUserOrganizations(
506
- m,
507
- o.sub,
508
- M
502
+ const w = ((h = e.accessControl) == null ? void 0 : h.controlPlaneTenantId) ?? ((T = n.env.data.multiTenancyConfig) == null ? void 0 : T.controlPlaneTenantId);
503
+ if (w && !(u != null && u.sub))
504
+ throw new P(403, {
505
+ message: "Access denied: token has no subject"
506
+ });
507
+ if (w && (u != null && u.sub)) {
508
+ const p = (await q(
509
+ (R) => n.env.data.userOrganizations.listUserOrganizations(
510
+ w,
511
+ u.sub,
512
+ R
509
513
  ),
510
514
  "organizations"
511
- )).map((M) => M.name);
512
- if (C.length === 0)
513
- return c ? r.json({
515
+ )).map((R) => R.name);
516
+ if (p.length === 0)
517
+ return i ? n.json({
514
518
  tenants: [],
515
519
  start: 0,
516
- limit: i ?? 50,
520
+ limit: c ?? 50,
517
521
  length: 0
518
- }) : r.json({ tenants: [] });
519
- const p = C.length, F = s ?? 0, $ = i ?? 50, R = F * $, S = C.slice(R, R + $);
520
- if (S.length === 0)
521
- return c ? r.json({
522
+ }) : n.json({ tenants: [] });
523
+ const C = p.length, I = o ?? 0, j = c ?? 50, k = I * j, F = p.slice(k, k + j);
524
+ if (F.length === 0)
525
+ return i ? n.json({
522
526
  tenants: [],
523
- start: R,
524
- limit: $,
525
- length: p
526
- }) : r.json({ tenants: [] });
527
- const v = S.map((M) => `id:${M}`).join(" OR "), j = u ? `(${v}) AND (${u})` : v, z = await r.env.data.tenants.list({
528
- q: j,
529
- per_page: $,
527
+ start: k,
528
+ limit: j,
529
+ length: C
530
+ }) : n.json({ tenants: [] });
531
+ const A = F.map((R) => `id:${R}`).join(" OR "), y = l ? `(${A}) AND (${l})` : A, $ = await n.env.data.tenants.list({
532
+ q: y,
533
+ per_page: j,
530
534
  include_totals: !1
531
535
  // We calculate totals from accessibleTenantIds
532
536
  });
533
- return c ? r.json({
534
- tenants: z.tenants,
535
- start: R,
536
- limit: $,
537
- length: p
538
- }) : r.json({ tenants: z.tenants });
537
+ return i ? n.json({
538
+ tenants: $.tenants,
539
+ start: k,
540
+ limit: j,
541
+ length: C
542
+ }) : n.json({ tenants: $.tenants });
539
543
  }
540
- const f = await r.env.data.tenants.list({
541
- page: s,
542
- per_page: i,
543
- include_totals: c,
544
- q: u
544
+ const f = await n.env.data.tenants.list({
545
+ page: o,
546
+ per_page: c,
547
+ include_totals: i,
548
+ q: l
545
549
  });
546
- return c ? r.json({
550
+ return i ? n.json({
547
551
  tenants: f.tenants,
548
552
  start: ((b = f.totals) == null ? void 0 : b.start) ?? 0,
549
- limit: ((I = f.totals) == null ? void 0 : I.limit) ?? i,
553
+ limit: ((z = f.totals) == null ? void 0 : z.limit) ?? c,
550
554
  length: f.tenants.length
551
- }) : r.json({ tenants: f.tenants });
555
+ }) : n.json({ tenants: f.tenants });
552
556
  }
553
- ), n.openapi(
554
- k({
557
+ ), r.openapi(
558
+ M({
555
559
  tags: ["tenants"],
556
560
  method: "post",
557
561
  path: "/",
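Review bot: The last `n.env.data.tenants.list({ page: o, per_page: c, include_totals: i, q: l })` call is still reached with no membership or permission check when neither `e.accessControl` nor `multiTenancyConfig` supplies a `controlPlaneTenantId`; the added 403 only covers the case where `w` is set and the token has no `sub`. Because the route's `security` entry is emptied to `Bearer: []` in this same diff, that fallback appears to return the unfiltered tenant list to any authenticated caller, so it should check a permission explicitly before the call, e.g. `if (!s.includes("admin:organizations")) throw new P(403, { message: "Access denied" });`, or whichever permission a deployment without a control plane is meant to require. Separately, the caller's `q` is concatenated as text into the scoping filter, `(${A}) AND (${l})`, and that string is the only thing limiting results to the caller's organizations. The handler should also drop any returned tenant whose id is not in `F` instead of trusting the query text. The missing-subject case returns 403 here, while the POST and DELETE handlers return 401 for the same condition, which is worth aligning.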
@@ -573,7 +577,7 @@ function N(e, t) {
573
577
  201: {
574
578
  content: {
575
579
  "application/json": {
576
- schema: O
580
+ schema: D
577
581
  }
578
582
  },
579
583
  description: "Tenant created"
@@ -586,30 +590,30 @@ function N(e, t) {
586
590
  }
587
591
  }
588
592
  }),
589
- async (r) => {
590
- var u, o;
591
- const a = r.var.user;
593
+ async (n) => {
594
+ var l, u;
595
+ const a = n.var.user;
592
596
  if (!(a != null && a.sub))
593
597
  throw new P(401, {
594
598
  message: "Authentication required to create tenants"
595
599
  });
596
- let s = r.req.valid("json");
597
- const i = {
598
- adapters: r.env.data,
599
- ctx: r
600
+ let o = n.req.valid("json");
601
+ const c = {
602
+ adapters: n.env.data,
603
+ ctx: n
600
604
  };
601
- (u = t.tenants) != null && u.beforeCreate && (s = await t.tenants.beforeCreate(i, s));
602
- const c = await r.env.data.tenants.create(s);
603
- return (o = t.tenants) != null && o.afterCreate && await t.tenants.afterCreate(i, c), r.json(c, 201);
605
+ (l = t.tenants) != null && l.beforeCreate && (o = await t.tenants.beforeCreate(c, o));
606
+ const i = await n.env.data.tenants.create(o);
607
+ return (u = t.tenants) != null && u.afterCreate && await t.tenants.afterCreate(c, i), n.json(i, 201);
604
608
  }
605
- ), n.openapi(
606
- k({
609
+ ), r.openapi(
610
+ M({
607
611
  tags: ["tenants"],
608
612
  method: "delete",
609
613
  path: "/{id}",
610
614
  request: {
611
- params: A.object({
612
- id: A.string()
615
+ params: S.object({
616
+ id: S.string()
613
617
  })
614
618
  },
615
619
  security: [
@@ -629,49 +633,49 @@ function N(e, t) {
629
633
  }
630
634
  }
631
635
  }),
632
- async (r) => {
633
- var u, o, l, g;
634
- const { id: a } = r.req.valid("param"), s = ((u = e.accessControl) == null ? void 0 : u.controlPlaneTenantId) ?? ((o = r.env.data.multiTenancyConfig) == null ? void 0 : o.controlPlaneTenantId);
635
- if (s) {
636
- const d = r.var.user;
637
- if (!(d != null && d.sub))
636
+ async (n) => {
637
+ var l, u, s, d;
638
+ const { id: a } = n.req.valid("param"), o = ((l = e.accessControl) == null ? void 0 : l.controlPlaneTenantId) ?? ((u = n.env.data.multiTenancyConfig) == null ? void 0 : u.controlPlaneTenantId);
639
+ if (o) {
640
+ const m = n.var.user;
641
+ if (!(m != null && m.sub))
638
642
  throw new P(401, {
639
643
  message: "Authentication required"
640
644
  });
641
- if (a === s)
645
+ if (a === o)
642
646
  throw new P(403, {
643
647
  message: "Cannot delete the control plane"
644
648
  });
645
- if (!(await D(
646
- (w) => r.env.data.userOrganizations.listUserOrganizations(
647
- s,
648
- d.sub,
649
- w
649
+ if (!(await q(
650
+ (g) => n.env.data.userOrganizations.listUserOrganizations(
651
+ o,
652
+ m.sub,
653
+ g
650
654
  ),
651
655
  "organizations"
652
- )).some((w) => w.name === a))
656
+ )).some((g) => g.name === a))
653
657
  throw new P(403, {
654
658
  message: "Access denied to this tenant"
655
659
  });
656
660
  }
657
- if (!await r.env.data.tenants.get(a))
661
+ if (!await n.env.data.tenants.get(a))
658
662
  throw new P(404, {
659
663
  message: "Tenant not found"
660
664
  });
661
- const c = {
662
- adapters: r.env.data,
663
- ctx: r
665
+ const i = {
666
+ adapters: n.env.data,
667
+ ctx: n
664
668
  };
665
- return (l = t.tenants) != null && l.beforeDelete && await t.tenants.beforeDelete(c, a), await r.env.data.tenants.remove(a), (g = t.tenants) != null && g.afterDelete && await t.tenants.afterDelete(c, a), r.body(null, 204);
669
+ return (s = t.tenants) != null && s.beforeDelete && await t.tenants.beforeDelete(i, a), await n.env.data.tenants.remove(a), (d = t.tenants) != null && d.afterDelete && await t.tenants.afterDelete(i, a), n.body(null, 204);
666
670
  }
667
- ), n.openapi(
668
- k({
671
+ ), r.openapi(
672
+ M({
669
673
  tags: ["tenants", "settings"],
670
674
  method: "get",
671
675
  path: "/settings",
672
676
  request: {
673
- headers: A.object({
674
- "tenant-id": A.string().optional()
677
+ headers: S.object({
678
+ "tenant-id": S.string().optional()
675
679
  })
676
680
  },
677
681
  security: [
@@ -683,34 +687,34 @@ function N(e, t) {
683
687
  200: {
684
688
  content: {
685
689
  "application/json": {
686
- schema: O
690
+ schema: D
687
691
  }
688
692
  },
689
693
  description: "Current tenant settings"
690
694
  }
691
695
  }
692
696
  }),
693
- async (r) => {
694
- const a = await r.env.data.tenants.get(r.var.tenant_id);
697
+ async (n) => {
698
+ const a = await n.env.data.tenants.get(n.var.tenant_id);
695
699
  if (!a)
696
700
  throw new P(404, {
697
701
  message: "Tenant not found"
698
702
  });
699
- return r.json(a);
703
+ return n.json(a);
700
704
  }
701
- ), n.openapi(
702
- k({
705
+ ), r.openapi(
706
+ M({
703
707
  tags: ["tenants", "settings"],
704
708
  method: "patch",
705
709
  path: "/settings",
706
710
  request: {
707
- headers: A.object({
708
- "tenant-id": A.string().optional()
711
+ headers: S.object({
712
+ "tenant-id": S.string().optional()
709
713
  }),
710
714
  body: {
711
715
  content: {
712
716
  "application/json": {
713
- schema: A.object(G.shape).partial()
717
+ schema: S.object(G.shape).partial()
714
718
  }
715
719
  }
716
720
  }
@@ -724,29 +728,29 @@ function N(e, t) {
724
728
  200: {
725
729
  content: {
726
730
  "application/json": {
727
- schema: O
731
+ schema: D
728
732
  }
729
733
  },
730
734
  description: "Updated tenant settings"
731
735
  }
732
736
  }
733
737
  }),
734
- async (r) => {
735
- const a = r.req.valid("json"), { id: s, ...i } = a, c = await r.env.data.tenants.get(r.var.tenant_id);
736
- if (!c)
738
+ async (n) => {
739
+ const a = n.req.valid("json"), { id: o, ...c } = a, i = await n.env.data.tenants.get(n.var.tenant_id);
740
+ if (!i)
737
741
  throw new P(404, {
738
742
  message: "Tenant not found"
739
743
  });
740
- const u = ie(c, i);
741
- await r.env.data.tenants.update(r.var.tenant_id, u);
742
- const o = await r.env.data.tenants.get(r.var.tenant_id);
743
- if (!o)
744
+ const l = ie(i, c);
745
+ await n.env.data.tenants.update(n.var.tenant_id, l);
746
+ const u = await n.env.data.tenants.get(n.var.tenant_id);
747
+ if (!u)
744
748
  throw new P(500, {
745
749
  message: "Failed to retrieve updated tenant"
746
750
  });
747
- return r.json(o);
751
+ return n.json(u);
748
752
  }
749
- ), n;
753
+ ), r;
750
754
  }
751
755
  function _e(e) {
752
756
  const t = [
@@ -757,27 +761,27 @@ function _e(e) {
757
761
  { pattern: /\/api\/v2\/roles\/([^/]+)$/, type: "role" },
758
762
  { pattern: /\/api\/v2\/connections\/([^/]+)$/, type: "connection" }
759
763
  ];
760
- for (const { pattern: n, type: r } of t) {
761
- const a = e.match(n);
764
+ for (const { pattern: r, type: n } of t) {
765
+ const a = e.match(r);
762
766
  if (a && a[1])
763
- return { type: r, id: a[1] };
767
+ return { type: n, id: a[1] };
764
768
  }
765
769
  return null;
766
770
  }
767
- async function Ce(e, t, n) {
771
+ async function Te(e, t, r) {
768
772
  try {
769
- switch (n.type) {
773
+ switch (r.type) {
770
774
  case "resource_server": {
771
- const r = await e.resourceServers.get(t, n.id);
772
- return (r == null ? void 0 : r.is_system) === !0;
775
+ const n = await e.resourceServers.get(t, r.id);
776
+ return (n == null ? void 0 : n.is_system) === !0;
773
777
  }
774
778
  case "role": {
775
- const r = await e.roles.get(t, n.id);
776
- return (r == null ? void 0 : r.is_system) === !0;
779
+ const n = await e.roles.get(t, r.id);
780
+ return (n == null ? void 0 : n.is_system) === !0;
777
781
  }
778
782
  case "connection": {
779
- const r = await e.connections.get(t, n.id);
780
- return (r == null ? void 0 : r.is_system) === !0;
783
+ const n = await e.connections.get(t, r.id);
784
+ return (n == null ? void 0 : n.is_system) === !0;
781
785
  }
782
786
  default:
783
787
  return !1;
@@ -786,128 +790,144 @@ async function Ce(e, t, n) {
786
790
  return !1;
787
791
  }
788
792
  }
789
- function Te(e) {
793
+ function Ce(e) {
790
794
  return {
791
795
  resource_server: "resource server",
792
796
  role: "role",
793
797
  connection: "connection"
794
798
  }[e];
795
799
  }
796
- function be() {
800
+ function Pe() {
797
801
  return async (e, t) => {
798
802
  if (!["PATCH", "PUT", "DELETE"].includes(e.req.method))
799
803
  return t();
800
- const n = _e(e.req.path);
801
- if (!n)
802
- return t();
803
- const r = e.var.tenant_id || e.req.header("x-tenant-id") || e.req.header("tenant-id");
804
+ const r = _e(e.req.path);
804
805
  if (!r)
805
806
  return t();
806
- if (await Ce(e.env.data, r, n))
807
+ const n = e.var.tenant_id || e.req.header("x-tenant-id") || e.req.header("tenant-id");
808
+ if (!n)
809
+ return t();
810
+ if (await Te(e.env.data, n, r))
807
811
  throw new P(403, {
808
- message: `This ${Te(n.type)} is a system resource and cannot be modified. Make changes in the control plane instead.`
812
+ message: `This ${Ce(r.type)} is a system resource and cannot be modified. Make changes in the control plane instead.`
809
813
  });
810
814
  return t();
811
815
  };
812
816
  }
813
- function B(e, t) {
814
- const n = t.find(
817
+ function N(e, t) {
818
+ const r = t.find(
815
819
  (a) => a.strategy === e.strategy
816
820
  );
817
- if (!(n != null && n.options))
821
+ if (!(r != null && r.options))
818
822
  return e;
819
- const r = ce.passthrough().parse({
820
- ...n,
823
+ const n = ce.passthrough().parse({
824
+ ...r,
821
825
  ...e
822
826
  });
823
- return r.options = le.passthrough().parse({
824
- ...n.options || {},
827
+ return n.options = le.passthrough().parse({
828
+ ...r.options || {},
825
829
  ...e.options
826
- }), r;
830
+ }), n;
827
831
  }
828
- function q(e, t) {
829
- const n = [...t || [], ...e || []];
830
- return [...new Set(n)];
832
+ function O(e, t) {
833
+ const r = [...t || [], ...e || []];
834
+ return [...new Set(r)];
831
835
  }
832
- function Pe(e, t) {
836
+ function be(e, t) {
833
837
  if (!(t != null && t.length))
834
838
  return e || [];
835
839
  if (!(e != null && e.length))
836
840
  return t;
837
- const n = /* @__PURE__ */ new Map();
838
- for (const r of t)
839
- n.set(r.value, r);
840
- for (const r of e)
841
- n.set(r.value, r);
842
- return Array.from(n.values());
841
+ const r = /* @__PURE__ */ new Map();
842
+ for (const n of t)
843
+ r.set(n.value, n);
844
+ for (const n of e)
845
+ r.set(n.value, n);
846
+ return Array.from(r.values());
843
847
  }
844
848
  function V(e, t) {
845
849
  return t ? {
846
850
  ...e,
847
- scopes: Pe(
851
+ scopes: be(
848
852
  e.scopes,
849
853
  t.scopes
850
854
  )
851
855
  } : e;
852
856
  }
853
- function J(e, t) {
857
+ function Oe(e, t) {
854
858
  return t ? {
855
859
  ...e,
856
- callbacks: q(e.callbacks, t.callbacks),
857
- web_origins: q(
860
+ callbacks: O(e.callbacks, t.callbacks),
861
+ web_origins: O(
858
862
  e.web_origins,
859
863
  t.web_origins
860
864
  ),
861
- allowed_logout_urls: q(
865
+ allowed_logout_urls: O(
862
866
  e.allowed_logout_urls,
863
867
  t.allowed_logout_urls
864
868
  ),
865
- allowed_origins: q(
869
+ allowed_origins: O(
866
870
  e.allowed_origins,
867
871
  t.allowed_origins
868
872
  )
869
873
  } : e;
870
874
  }
875
+ function Z(e) {
876
+ const { controlPlaneTenantId: t, controlPlaneClientId: r, resolveControlPlane: n } = e;
877
+ if (n)
878
+ return async (o) => n({ tenant_id: o });
879
+ if (!t)
880
+ return async () => {
881
+ };
882
+ const a = {
883
+ tenantId: t,
884
+ clientId: r
885
+ };
886
+ return async () => a;
887
+ }
871
888
  function x(e, t) {
872
889
  return {
873
890
  ...e.resourceServers,
874
- get: async (n, r) => {
891
+ get: async (r, n) => {
875
892
  const a = await e.resourceServers.get(
876
- n,
877
- r
893
+ r,
894
+ n
878
895
  );
879
- if (!a || !t || n === t || !a.is_system)
896
+ if (!a)
880
897
  return a;
881
- const s = await e.resourceServers.get(
882
- t,
883
- r
898
+ const o = await t(r);
899
+ if (!o || r === o.tenantId || !a.is_system)
900
+ return a;
901
+ const c = await e.resourceServers.get(
902
+ o.tenantId,
903
+ n
884
904
  );
885
905
  return V(
886
906
  a,
887
- s
907
+ c
888
908
  );
889
909
  },
890
- list: async (n, r) => {
891
- const a = await e.resourceServers.list(n, r);
892
- if (!t || n === t)
910
+ list: async (r, n) => {
911
+ const a = await e.resourceServers.list(r, n), o = await t(r);
912
+ if (!o || r === o.tenantId)
893
913
  return a;
894
- const s = t, i = a.resource_servers.filter(
895
- (o) => !!(o.is_system && o.id)
896
- ).map((o) => o.id);
914
+ const c = o.tenantId, i = a.resource_servers.filter(
915
+ (s) => !!(s.is_system && s.id)
916
+ ).map((s) => s.id);
897
917
  if (i.length === 0)
898
918
  return a;
899
- const c = /* @__PURE__ */ new Map();
919
+ const l = /* @__PURE__ */ new Map();
900
920
  await Promise.all(
901
- i.map(async (o) => {
902
- const l = await e.resourceServers.get(s, o);
903
- l && c.set(o, l);
921
+ i.map(async (s) => {
922
+ const d = await e.resourceServers.get(c, s);
923
+ d && l.set(s, d);
904
924
  })
905
925
  );
906
926
  const u = a.resource_servers.map(
907
- (o) => o.is_system && o.id ? V(
908
- o,
909
- c.get(o.id) ?? null
910
- ) : o
927
+ (s) => s.is_system && s.id ? V(
928
+ s,
929
+ l.get(s.id) ?? null
930
+ ) : s
911
931
  );
912
932
  return {
913
933
  ...a,
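Review bot: In the new resolver factory `Z`, the value returned by the caller-supplied `resolveControlPlane` is passed through unchecked, and `x.get` / `x.list` only test `!o` before reading `o.tenantId`. A resolver that returns an object without a `tenantId` therefore reaches `e.resourceServers.get(o.tenantId, n)` with an undefined tenant, and the same pattern repeats in the `connections`, `clientConnections`, `emailProviders` and `hooks` wrappers in the following hunk. Because this id selects which other tenant's records are merged into the caller's result, I would normalise it once in `Z`, e.g. `return async (o) => { const c = await n({ tenant_id: o }); return c && typeof c.tenantId == "string" && c.tenantId ? c : void 0; };`. A short comment on `Z` stating that the resolver must return only trusted control-plane tenant ids would also help. `x` continues past the end of this hunk.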
@@ -916,156 +936,160 @@ function x(e, t) {
916
936
  }
917
937
  };
918
938
  }
919
- function Se(e, t) {
939
+ function Ie(e, t) {
940
+ const r = Z({
941
+ controlPlaneTenantId: t.controlPlaneTenantId,
942
+ resolveControlPlane: t.resolveControlPlane
943
+ });
920
944
  return {
921
945
  ...e,
922
946
  resourceServers: x(
923
947
  e,
924
- t.controlPlaneTenantId
948
+ r
925
949
  )
926
950
  };
927
951
  }
928
952
  function Ae(e, t) {
929
- const { controlPlaneTenantId: n, controlPlaneClientId: r } = t;
953
+ const { controlPlaneTenantId: r, controlPlaneClientId: n, resolveControlPlane: a } = t, o = Z({
954
+ controlPlaneTenantId: r,
955
+ controlPlaneClientId: n,
956
+ resolveControlPlane: a
957
+ });
930
958
  return {
931
959
  ...e,
932
- // Store config for use by tenants route access control
960
+ // Store the static config for use by tenants route access control.
961
+ // Per-tenant inheritance overrides do NOT affect access-control values —
962
+ // those intentionally use a single global control plane id. The resolver
963
+ // is exposed here so runtime helpers (e.g. `getEnrichedClient`) can
964
+ // consult it before merging control-plane URLs.
933
965
  multiTenancyConfig: {
934
- controlPlaneTenantId: n,
935
- controlPlaneClientId: r
966
+ controlPlaneTenantId: r,
967
+ controlPlaneClientId: n,
968
+ resolveControlPlane: a
936
969
  },
937
970
  connections: {
938
971
  ...e.connections,
939
- get: async (a, s) => {
940
- const i = await e.connections.get(
941
- a,
942
- s
972
+ get: async (c, i) => {
973
+ const l = await e.connections.get(
974
+ c,
975
+ i
943
976
  );
944
- if (!i || !n || a === n)
945
- return i;
946
- const c = await e.connections.list(n);
947
- return B(
948
- i,
949
- c.connections || []
977
+ if (!l)
978
+ return l;
979
+ const u = await o(c);
980
+ if (!u || c === u.tenantId)
981
+ return l;
982
+ const s = await e.connections.list(
983
+ u.tenantId
984
+ );
985
+ return N(
986
+ l,
987
+ s.connections || []
950
988
  );
951
989
  },
952
- list: async (a, s) => {
953
- const i = await e.connections.list(a, s);
954
- if (!n || a === n)
955
- return i;
956
- const c = await e.connections.list(n), u = i.connections.map(
957
- (o) => B(
958
- o,
959
- c.connections || []
990
+ list: async (c, i) => {
991
+ const l = await e.connections.list(c, i), u = await o(c);
992
+ if (!u || c === u.tenantId)
993
+ return l;
994
+ const s = await e.connections.list(
995
+ u.tenantId
996
+ ), d = l.connections.map(
997
+ (m) => N(
998
+ m,
999
+ s.connections || []
960
1000
  )
961
1001
  );
962
1002
  return {
963
- ...i,
964
- connections: u
1003
+ ...l,
1004
+ connections: d
965
1005
  };
966
1006
  }
967
1007
  },
968
1008
  clientConnections: {
969
1009
  ...e.clientConnections,
970
- listByClient: async (a, s) => {
971
- let i = await e.clientConnections.listByClient(
972
- a,
973
- s
1010
+ listByClient: async (c, i) => {
1011
+ let l = await e.clientConnections.listByClient(
1012
+ c,
1013
+ i
974
1014
  );
975
- if (i.length === 0 && (i = (await e.connections.list(a)).connections || []), !n || a === n)
976
- return i;
977
- const c = await e.connections.list(n);
978
- return i.map(
979
- (u) => B(
980
- u,
981
- c.connections || []
982
- )
1015
+ l.length === 0 && (l = (await e.connections.list(c)).connections || []);
1016
+ const u = await o(c);
1017
+ if (!u || c === u.tenantId)
1018
+ return l;
1019
+ const s = await e.connections.list(
1020
+ u.tenantId
983
1021
  );
984
- }
985
- },
986
- clients: {
987
- ...e.clients,
988
- get: async (a, s) => {
989
- const i = await e.clients.get(a, s);
990
- if (!i)
991
- return null;
992
- if (!n || !r || a === n && s === r)
993
- return i;
994
- const c = await e.clients.get(
995
- n,
996
- r
997
- );
998
- return J(i, c);
999
- },
1000
- getByClientId: async (a) => {
1001
- const s = await e.clients.getByClientId(a);
1002
- if (!s)
1003
- return null;
1004
- if (!n || !r || s.tenant_id === n && s.client_id === r)
1005
- return s;
1006
- const i = await e.clients.get(
1007
- n,
1008
- r
1022
+ return l.map(
1023
+ (d) => N(
1024
+ d,
1025
+ s.connections || []
1026
+ )
1009
1027
  );
1010
- return {
1011
- ...J(s, i),
1012
- tenant_id: s.tenant_id
1013
- };
1014
1028
  }
1015
1029
  },
1030
+ // Note: clients.get / getByClientId are intentionally NOT wrapped here.
1031
+ // Storage reads must return the tenant's own stored URLs so that the
1032
+ // management API and DCR don't echo control-plane callbacks back on
1033
+ // update. Runtime URL merging for auth flows happens in
1034
+ // `getEnrichedClient` (packages/authhero/src/helpers/client.ts).
1016
1035
  emailProviders: {
1017
1036
  ...e.emailProviders,
1018
- get: async (a) => {
1019
- const s = await e.emailProviders.get(a);
1020
- return s || (!n || a === n ? null : e.emailProviders.get(n));
1037
+ get: async (c) => {
1038
+ const i = await e.emailProviders.get(c);
1039
+ if (i)
1040
+ return i;
1041
+ const l = await o(c);
1042
+ return !l || c === l.tenantId ? null : e.emailProviders.get(l.tenantId);
1021
1043
  }
1022
1044
  },
1023
1045
  resourceServers: x(
1024
1046
  e,
1025
- n
1047
+ o
1026
1048
  ),
1027
- hooks: Ie(e, n)
1049
+ hooks: Se(e, o)
1028
1050
  // Note: Additional adapters can be extended here for runtime fallback:
1029
1051
  // - promptSettings: Fall back to control plane prompts
1030
1052
  // - branding: Fall back to control plane branding/themes
1031
1053
  };
1032
1054
  }
1033
- function X(e) {
1055
+ function J(e) {
1034
1056
  if (!e || typeof e != "object") return !1;
1035
1057
  const t = e.metadata;
1036
1058
  return !t || typeof t != "object" ? !1 : t.inheritable === !0;
1037
1059
  }
1038
- function Ie(e, t) {
1060
+ function Se(e, t) {
1039
1061
  return {
1040
1062
  ...e.hooks,
1041
- list: async (n, r) => {
1042
- const a = await e.hooks.list(n, r);
1043
- if (!t || n === t)
1063
+ list: async (r, n) => {
1064
+ const a = await e.hooks.list(r, n), o = await t(r);
1065
+ if (!o || r === o.tenantId)
1044
1066
  return a;
1045
1067
  const i = ((await e.hooks.list(
1046
- t,
1047
- r
1068
+ o.tenantId,
1069
+ n
1048
1070
  )).hooks || []).filter(
1049
- X
1071
+ J
1050
1072
  );
1051
1073
  if (i.length === 0)
1052
1074
  return a;
1053
- const c = new Set((a.hooks || []).map((o) => o.hook_id)), u = i.filter((o) => !c.has(o.hook_id));
1075
+ const l = new Set((a.hooks || []).map((s) => s.hook_id)), u = i.filter((s) => !l.has(s.hook_id));
1054
1076
  return {
1055
1077
  ...a,
1056
1078
  hooks: [...a.hooks || [], ...u],
1057
1079
  length: typeof a.length == "number" ? a.length + u.length : a.length
1058
1080
  };
1059
1081
  },
1060
- get: async (n, r) => {
1061
- const a = await e.hooks.get(n, r);
1062
- if (a || !t || n === t)
1082
+ get: async (r, n) => {
1083
+ const a = await e.hooks.get(r, n);
1084
+ if (a) return a;
1085
+ const o = await t(r);
1086
+ if (!o || r === o.tenantId)
1063
1087
  return a;
1064
- const s = await e.hooks.get(
1065
- t,
1066
- r
1088
+ const c = await e.hooks.get(
1089
+ o.tenantId,
1090
+ n
1067
1091
  );
1068
- return s && X(s) ? s : null;
1092
+ return c && J(c) ? c : null;
1069
1093
  }
1070
1094
  };
1071
1095
  }
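Review bot: Removing the `clients.get` / `getByClientId` wrappers means this adapter now returns only the tenant's own `callbacks`, `web_origins`, `allowed_logout_urls` and `allowed_origins`, so any caller that checked redirect or logout URLs against the adapter result no longer sees the control-plane entries. The in-code note names `getEnrichedClient` but does not spell out that consequence for other consumers of the exported `createRuntimeFallbackAdapter` / `withRuntimeFallback`. I would add one line to it, such as `// Callers that check redirect/logout URLs must merge via mergeClientWithFallback (or getEnrichedClient) first; this adapter no longer does it.` What `getEnrichedClient` actually merges is not visible on this page, so that part rests on the existing comment.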
@@ -1073,194 +1097,202 @@ function ee(e, t) {
1073
1097
  return Ae(e, t);
1074
1098
  }
1075
1099
  function Re(e) {
1076
- return async (t, n) => {
1077
- const r = t.var.user;
1078
- return (r == null ? void 0 : r.tenant_id) === e && r.org_name && t.set("tenant_id", r.org_name), n();
1100
+ return async (t, r) => {
1101
+ const n = t.var.user;
1102
+ return (n == null ? void 0 : n.tenant_id) === e && n.org_name && t.set("tenant_id", n.org_name), r();
1079
1103
  };
1080
1104
  }
1081
1105
  function ze(e) {
1082
- return async (t, n) => {
1106
+ return async (t, r) => {
1083
1107
  if (!e.accessControl)
1084
- return n();
1085
- const { controlPlaneTenantId: r } = e.accessControl, a = t.var.org_name, s = t.var.organization_id, i = a || s;
1086
- let c = t.var.tenant_id;
1087
- const u = t.var.user, l = (u != null && u.aud ? Array.isArray(u.aud) ? u.aud : [u.aud] : []).includes(Y);
1088
- if (!c && i && l && (t.set("tenant_id", i), c = i), !c)
1108
+ return r();
1109
+ const { controlPlaneTenantId: n } = e.accessControl, a = t.var.org_name, o = t.var.organization_id, c = a || o;
1110
+ let i = t.var.tenant_id;
1111
+ const l = t.var.user, s = (l != null && l.aud ? Array.isArray(l.aud) ? l.aud : [l.aud] : []).includes(X);
1112
+ if (!i && c && s && (t.set("tenant_id", c), i = c), !i)
1089
1113
  throw new P(400, {
1090
1114
  message: "Tenant ID not found in request"
1091
1115
  });
1092
1116
  if (!me(
1093
- s,
1094
- c,
1095
- r,
1117
+ o,
1118
+ i,
1119
+ n,
1096
1120
  a
1097
1121
  ))
1098
1122
  throw new P(403, {
1099
- message: `Access denied to tenant ${c}`
1123
+ message: `Access denied to tenant ${i}`
1100
1124
  });
1101
- return n();
1125
+ return r();
1102
1126
  };
1103
1127
  }
1104
1128
  function $e(e) {
1105
- return async (t, n) => {
1129
+ return async (t, r) => {
1106
1130
  if (!e.subdomainRouting)
1107
- return n();
1131
+ return r();
1108
1132
  const {
1109
- baseDomain: r,
1133
+ baseDomain: n,
1110
1134
  reservedSubdomains: a = [],
1111
- resolveSubdomain: s
1112
- } = e.subdomainRouting, i = t.req.header("x-forwarded-host") || t.req.header("host") || "";
1113
- let c = null;
1114
- if (i.endsWith(r)) {
1115
- const o = i.slice(0, -(r.length + 1));
1116
- o && !o.includes(".") && (c = o);
1135
+ resolveSubdomain: o
1136
+ } = e.subdomainRouting, c = t.req.header("x-forwarded-host") || t.req.header("host") || "";
1137
+ let i = null;
1138
+ if (c.endsWith(n)) {
1139
+ const u = c.slice(0, -(n.length + 1));
1140
+ u && !u.includes(".") && (i = u);
1117
1141
  }
1118
- if (c && a.includes(c) && (c = null), !c)
1119
- return e.accessControl && t.set("tenant_id", e.accessControl.controlPlaneTenantId), n();
1120
- let u = null;
1121
- if (s)
1122
- u = await s(c);
1142
+ if (i && a.includes(i) && (i = null), !i)
1143
+ return e.accessControl && t.set("tenant_id", e.accessControl.controlPlaneTenantId), r();
1144
+ let l = null;
1145
+ if (o)
1146
+ l = await o(i);
1123
1147
  else if (e.subdomainRouting.useOrganizations !== !1 && e.accessControl)
1124
1148
  try {
1125
- const o = await t.env.data.organizations.get(
1149
+ const u = await t.env.data.organizations.get(
1126
1150
  e.accessControl.controlPlaneTenantId,
1127
- c
1151
+ i
1128
1152
  );
1129
- o && (u = o.id);
1153
+ u && (l = u.id);
1130
1154
  } catch {
1131
1155
  }
1132
- if (!u)
1156
+ if (!l)
1133
1157
  throw new P(404, {
1134
- message: `Tenant not found for subdomain: ${c}`
1158
+ message: `Tenant not found for subdomain: ${i}`
1135
1159
  });
1136
- return t.set("tenant_id", u), n();
1160
+ return t.set("tenant_id", l), r();
1137
1161
  };
1138
1162
  }
1139
1163
  function je(e) {
1140
- return async (t, n) => {
1164
+ return async (t, r) => {
1141
1165
  if (!e.databaseIsolation)
1142
- return n();
1143
- const r = t.var.tenant_id;
1144
- if (!r)
1166
+ return r();
1167
+ const n = t.var.tenant_id;
1168
+ if (!n)
1145
1169
  throw new P(400, {
1146
1170
  message: "Tenant ID not found in request"
1147
1171
  });
1148
1172
  try {
1149
- const a = await e.databaseIsolation.getAdapters(r);
1173
+ const a = await e.databaseIsolation.getAdapters(n);
1150
1174
  t.env.data = a;
1151
1175
  } catch (a) {
1152
1176
  throw console.error(
1153
- `Failed to resolve database for tenant ${r}:`,
1177
+ `Failed to resolve database for tenant ${n}:`,
1154
1178
  a
1155
1179
  ), new P(500, {
1156
1180
  message: "Failed to resolve tenant database"
1157
1181
  });
1158
1182
  }
1159
- return n();
1183
+ return r();
1160
1184
  };
1161
1185
  }
1162
1186
  function te(e) {
1163
- const t = $e(e), n = ze(e), r = je(e);
1164
- return async (a, s) => (await t(a, async () => {
1165
- }), await n(a, async () => {
1187
+ const t = $e(e), r = ze(e), n = je(e);
1188
+ return async (a, o) => (await t(a, async () => {
1166
1189
  }), await r(a, async () => {
1167
- }), s());
1190
+ }), await n(a, async () => {
1191
+ }), o());
1168
1192
  }
1169
- function qe(e) {
1193
+ function Ee(e) {
1170
1194
  const {
1171
1195
  dataAdapter: t,
1172
- controlPlane: n,
1196
+ controlPlane: r,
1173
1197
  controlPlane: {
1174
- tenantId: r = "control_plane",
1198
+ tenantId: n = "control_plane",
1175
1199
  clientId: a
1176
1200
  } = {},
1177
- sync: s = { resourceServers: !0, roles: !0 },
1201
+ resolveControlPlane: o,
1202
+ sync: c = { resourceServers: !0, roles: !0 },
1178
1203
  defaultPermissions: i = ["tenant:admin"],
1179
- requireOrganizationMatch: c = !1,
1204
+ requireOrganizationMatch: l = !1,
1180
1205
  managementApiExtensions: u = [],
1181
- entityHooks: o,
1182
- getChildTenantIds: l,
1183
- getAdapters: g,
1184
- ...d
1206
+ entityHooks: s,
1207
+ getChildTenantIds: d,
1208
+ getAdapters: m,
1209
+ ...w
1185
1210
  } = e;
1186
- let m = t, f = t;
1187
- n && (m = ee(t, {
1188
- controlPlaneTenantId: r,
1189
- controlPlaneClientId: a
1190
- }), f = {
1191
- ...Se(t, {
1192
- controlPlaneTenantId: r
1211
+ if (o && !r)
1212
+ throw new Error(
1213
+ "initMultiTenant: `resolveControlPlane` requires `controlPlane` to be set. The static `controlPlane.tenantId` is used for access control, sync direction, and tenant management routing; the resolver only overrides per-tenant runtime inheritance lookups on top of it."
1214
+ );
1215
+ let f = t, g = t;
1216
+ r && (f = ee(t, {
1217
+ controlPlaneTenantId: n,
1218
+ controlPlaneClientId: a,
1219
+ resolveControlPlane: o
1220
+ }), g = {
1221
+ ...Ie(t, {
1222
+ controlPlaneTenantId: n,
1223
+ resolveControlPlane: o
1193
1224
  }),
1194
1225
  multiTenancyConfig: {
1195
- controlPlaneTenantId: r,
1196
- controlPlaneClientId: a
1226
+ controlPlaneTenantId: n,
1227
+ controlPlaneClientId: a,
1228
+ resolveControlPlane: o
1197
1229
  }
1198
1230
  });
1199
- const w = s !== !1, T = w ? {
1200
- resourceServers: s.resourceServers ?? !0,
1201
- roles: s.roles ?? !0
1202
- } : { resourceServers: !1, roles: !1 }, b = {
1203
- controlPlaneTenantId: r,
1204
- getChildTenantIds: l ?? (async () => (await D(
1205
- (v) => m.tenants.list(v),
1231
+ const _ = c !== !1, h = _ ? {
1232
+ resourceServers: c.resourceServers ?? !0,
1233
+ roles: c.roles ?? !0
1234
+ } : { resourceServers: !1, roles: !1 }, z = {
1235
+ controlPlaneTenantId: n,
1236
+ getChildTenantIds: d ?? (async () => (await q(
1237
+ (y) => f.tenants.list(y),
1206
1238
  "tenants",
1207
1239
  { cursorField: "id", pageSize: 100 }
1208
- )).filter((v) => v.id !== r).map((v) => v.id)),
1209
- getAdapters: g ?? (async () => m),
1210
- getControlPlaneAdapters: async () => m,
1211
- sync: T
1212
- }, { entityHooks: I, tenantHooks: h } = ve(b), C = {
1240
+ )).filter((y) => y.id !== n).map((y) => y.id)),
1241
+ getAdapters: m ?? (async () => f),
1242
+ getControlPlaneAdapters: async () => f,
1243
+ sync: h
1244
+ }, { entityHooks: v, tenantHooks: p } = ve(z), C = {
1213
1245
  resourceServers: [
1214
- I.resourceServers,
1215
- ...(o == null ? void 0 : o.resourceServers) ?? []
1246
+ v.resourceServers,
1247
+ ...(s == null ? void 0 : s.resourceServers) ?? []
1216
1248
  ],
1217
- roles: [I.roles, ...(o == null ? void 0 : o.roles) ?? []],
1218
- connections: (o == null ? void 0 : o.connections) ?? [],
1219
- tenants: (o == null ? void 0 : o.tenants) ?? [],
1220
- rolePermissions: (o == null ? void 0 : o.rolePermissions) ?? []
1221
- }, p = Z({
1249
+ roles: [v.roles, ...(s == null ? void 0 : s.roles) ?? []],
1250
+ connections: (s == null ? void 0 : s.connections) ?? [],
1251
+ tenants: (s == null ? void 0 : s.tenants) ?? [],
1252
+ rolePermissions: (s == null ? void 0 : s.rolePermissions) ?? []
1253
+ }, I = Y({
1222
1254
  accessControl: {
1223
- controlPlaneTenantId: r,
1224
- requireOrganizationMatch: c,
1255
+ controlPlaneTenantId: n,
1256
+ requireOrganizationMatch: l,
1225
1257
  defaultPermissions: i
1226
1258
  }
1227
- }), $ = N(
1259
+ }), k = B(
1228
1260
  {
1229
1261
  accessControl: {
1230
- controlPlaneTenantId: r,
1231
- requireOrganizationMatch: c,
1262
+ controlPlaneTenantId: n,
1263
+ requireOrganizationMatch: l,
1232
1264
  defaultPermissions: i
1233
1265
  }
1234
1266
  },
1235
1267
  { tenants: {
1236
- async beforeCreate(S, v) {
1237
- return p.beforeCreate && (v = await p.beforeCreate(S, v)), h.beforeCreate && (v = await h.beforeCreate(S, v)), v;
1268
+ async beforeCreate(A, y) {
1269
+ return I.beforeCreate && (y = await I.beforeCreate(A, y)), p.beforeCreate && (y = await p.beforeCreate(A, y)), y;
1238
1270
  },
1239
- async afterCreate(S, v) {
1240
- var j, z;
1241
- await ((j = p.afterCreate) == null ? void 0 : j.call(p, S, v)), await ((z = h.afterCreate) == null ? void 0 : z.call(h, S, v));
1271
+ async afterCreate(A, y) {
1272
+ var $, R;
1273
+ await (($ = I.afterCreate) == null ? void 0 : $.call(I, A, y)), await ((R = p.afterCreate) == null ? void 0 : R.call(p, A, y));
1242
1274
  },
1243
- async beforeDelete(S, v) {
1244
- var j, z;
1245
- await ((j = p.beforeDelete) == null ? void 0 : j.call(p, S, v)), await ((z = h.beforeDelete) == null ? void 0 : z.call(h, S, v));
1275
+ async beforeDelete(A, y) {
1276
+ var $, R;
1277
+ await (($ = I.beforeDelete) == null ? void 0 : $.call(I, A, y)), await ((R = p.beforeDelete) == null ? void 0 : R.call(p, A, y));
1246
1278
  }
1247
1279
  } }
1248
- ), { app: R } = ue({
1249
- dataAdapter: m,
1250
- managementDataAdapter: f,
1251
- ...d,
1280
+ ), { app: F } = ue({
1281
+ dataAdapter: f,
1282
+ managementDataAdapter: g,
1283
+ ...w,
1252
1284
  entityHooks: C,
1253
1285
  managementApiExtensions: [
1254
1286
  ...u,
1255
- { path: "/tenants", router: $ }
1287
+ { path: "/tenants", router: k }
1256
1288
  ]
1257
1289
  });
1258
- return R.use(
1290
+ return F.use(
1259
1291
  "/api/v2/*",
1260
- Re(r)
1261
- ), w && R.use("/api/v2/*", be()), { app: R, controlPlaneTenantId: r };
1292
+ Re(n)
1293
+ ), _ && F.use("/api/v2/*", Pe()), { app: F, controlPlaneTenantId: n };
1262
1294
  }
1263
- function Ee(e) {
1295
+ function Ne(e) {
1264
1296
  const t = U(e);
1265
1297
  return {
1266
1298
  name: "multi-tenancy",
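Review bot: In the subdomain middleware `$e`, the tenant is derived with `c.endsWith(n)` followed by `c.slice(0, -(n.length + 1))`, which never checks that the character before `baseDomain` is a dot, so a host that merely ends with the same characters is still treated as a subdomain of it. The host value is also read from `x-forwarded-host` before `host`, which is only safe when a trusted proxy sets or strips that header. I would tighten the test to `if (c.endsWith("." + n)) {` and document the proxy assumption next to the `subdomainRouting` options. These lines are only renamed in this release, so the behaviour is carried over rather than introduced here.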
@@ -1272,7 +1304,7 @@ function Ee(e) {
1272
1304
  routes: [
1273
1305
  {
1274
1306
  path: "/management",
1275
- handler: N(e, t)
1307
+ handler: B(e, t)
1276
1308
  }
1277
1309
  ],
1278
1310
  // Called when plugin is registered
@@ -1286,22 +1318,22 @@ function Ee(e) {
1286
1318
  };
1287
1319
  }
1288
1320
  function U(e) {
1289
- const t = e.accessControl ? fe(e.accessControl) : {}, n = e.databaseIsolation ? ge(e.databaseIsolation) : {}, r = Z(e);
1321
+ const t = e.accessControl ? fe(e.accessControl) : {}, r = e.databaseIsolation ? ge(e.databaseIsolation) : {}, n = Y(e);
1290
1322
  return {
1291
1323
  ...t,
1292
- ...n,
1293
- tenants: r
1324
+ ...r,
1325
+ tenants: n
1294
1326
  };
1295
1327
  }
1296
- function Fe(e) {
1297
- const t = new ae(), n = U(e);
1298
- return t.route("/tenants", N(e, n)), t;
1328
+ function ke(e) {
1329
+ const t = new ae(), r = U(e);
1330
+ return t.route("/tenants", B(e, r)), t;
1299
1331
  }
1300
1332
  function Be(e) {
1301
1333
  return {
1302
1334
  hooks: U(e),
1303
1335
  middleware: te(e),
1304
- app: Fe(e),
1336
+ app: ke(e),
1305
1337
  config: e,
1306
1338
  /**
1307
1339
  * Wraps data adapters with runtime fallback from the control plane.
@@ -1311,11 +1343,11 @@ function Be(e) {
1311
1343
  * @param additionalConfig - Additional config (controlPlaneClientId, etc.)
1312
1344
  * @returns Wrapped adapters with runtime fallback
1313
1345
  */
1314
- wrapAdapters: (t, n) => {
1315
- var r;
1346
+ wrapAdapters: (t, r) => {
1347
+ var n;
1316
1348
  return ee(t, {
1317
- controlPlaneTenantId: (r = e.accessControl) == null ? void 0 : r.controlPlaneTenantId,
1318
- controlPlaneClientId: n == null ? void 0 : n.controlPlaneClientId
1349
+ controlPlaneTenantId: (n = e.accessControl) == null ? void 0 : n.controlPlaneTenantId,
1350
+ controlPlaneClientId: r == null ? void 0 : r.controlPlaneClientId
1319
1351
  });
1320
1352
  }
1321
1353
  };
@@ -1326,19 +1358,20 @@ export {
1326
1358
  Re as createControlPlaneTenantMiddleware,
1327
1359
  ge as createDatabaseHooks,
1328
1360
  je as createDatabaseMiddleware,
1329
- Fe as createMultiTenancy,
1361
+ ke as createMultiTenancy,
1330
1362
  U as createMultiTenancyHooks,
1331
1363
  te as createMultiTenancyMiddleware,
1332
- Ee as createMultiTenancyPlugin,
1333
- be as createProtectSyncedMiddleware,
1334
- Z as createProvisioningHooks,
1364
+ Ne as createMultiTenancyPlugin,
1365
+ Pe as createProtectSyncedMiddleware,
1366
+ Y as createProvisioningHooks,
1335
1367
  Ae as createRuntimeFallbackAdapter,
1336
1368
  $e as createSubdomainMiddleware,
1337
1369
  ve as createSyncHooks,
1338
- N as createTenantsOpenAPIRouter,
1339
- qe as initMultiTenant,
1370
+ B as createTenantsOpenAPIRouter,
1371
+ Ee as initMultiTenant,
1372
+ Oe as mergeClientWithFallback,
1340
1373
  Be as setupMultiTenancy,
1341
1374
  me as validateTenantAccess,
1342
1375
  ee as withRuntimeFallback,
1343
- Se as withSystemResourceServerInheritance
1376
+ Ie as withSystemResourceServerInheritance
1344
1377
  };