npm - @authhero/multi-tenancy - Versions diffs - 14.24.0 → 14.25.0 - Mend

@authhero/multi-tenancy 14.24.0 → 14.25.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/dist/multi-tenancy.cjs +1 -1
package/dist/multi-tenancy.mjs +281 -224
package/dist/types/index.d.ts +2 -2
package/dist/types/index.d.ts.map +1 -1
package/dist/types/rollout/defaults-projection.d.ts +47 -1
package/dist/types/rollout/defaults-projection.d.ts.map +1 -1
package/dist/types/rollout/index.d.ts +3 -1
package/dist/types/rollout/index.d.ts.map +1 -1
package/dist/types/rollout/payload.d.ts +57 -0
package/dist/types/rollout/payload.d.ts.map +1 -0
package/dist/types/routes/tenants.d.ts.map +1 -1
package/package.json +3 -3

package/dist/multi-tenancy.mjs CHANGED Viewed

@@ -1,8 +1,9 @@
 import { Hono as e } from "hono";
-import { MANAGEMENT_API_AUDIENCE as t, MANAGEMENT_API_SCOPES as n, auth0QuerySchema as r, connectionInsertSchema as i, connectionOptionsSchema as a, connectionSchema as o, deepMergePatch as s, fetchAll as c, hookInsertSchema as l, init as u, resourceServerInsertSchema as d, tenantInsertSchema as f, tenantSchema as p } from "authhero";
-import { OpenAPIHono as m, createRoute as h, z as g } from "@hono/zod-openapi";
+import { MANAGEMENT_API_AUDIENCE as t, MANAGEMENT_API_SCOPES as n, auth0QuerySchema as r, brandingSchema as i, connectionInsertSchema as a, connectionOptionsSchema as o, connectionSchema as s, deepMergePatch as c, emailProviderSchema as l, fetchAll as u, hookInsertSchema as d, init as f, listControlPlaneKeys as p, promptSettingSchema as m, resourceServerInsertSchema as h, tenantInsertSchema as g, tenantSchema as _ } from "authhero";
+import { OpenAPIHono as v, createRoute as y, z as b } from "@hono/zod-openapi";
+import { HTTPException as x } from "hono/http-exception";
 //#region src/hooks/access-control.ts
-function _(e) {
+function S(e) {
 	let { controlPlaneTenantId: t, requireOrganizationMatch: n = !0 } = e;
 	return { async onTenantAccessValidation(e, r) {
 		if (r === t) return !0;
@@ -13,14 +14,14 @@ function _(e) {
 		return !0;
 	} };
 }
-function v(e, t, n, r) {
+function C(e, t, n, r) {
 	if (t === n) return !0;
 	let i = r || e;
 	return i ? i.toLowerCase() === t.toLowerCase() : !1;
 }
 //#endregion
 //#region src/hooks/database.ts
-function y(e) {
+function w(e) {
 	return { async resolveDataAdapters(t) {
 		try {
 			return await e.getAdapters(t);
@@ -32,20 +33,20 @@ function y(e) {
 }
 //#endregion
 //#region src/hooks/provisioning.ts
-function b(e) {
+function T(e) {
 	return `urn:authhero:tenant:${e.toLowerCase()}`;
 }
-function x(e) {
+function E(e) {
 	return {
 		async beforeCreate(e, t) {
 			return !t.audience && t.id ? {
 				...t,
-				audience: b(t.id)
+				audience: T(t.id)
 			} : t;
 		},
 		async afterCreate(t, n) {
 			let { accessControl: r, databaseIsolation: i } = e;
-			r && t.ctx && await S(t, n, r), i?.onProvision && await i.onProvision(n.id);
+			r && t.ctx && await ee(t, n, r), i?.onProvision && await i.onProvision(n.id);
 		},
 		async beforeDelete(t, n) {
 			let { accessControl: r, databaseIsolation: i } = e;
@@ -63,14 +64,14 @@ function x(e) {
 		}
 	};
 }
-async function S(e, t, n) {
+async function ee(e, t, n) {
 	let { controlPlaneTenantId: r, defaultPermissions: i, defaultRoles: a, issuer: o, adminRoleName: s = "Tenant Admin", adminRoleDescription: c = "Full access to all tenant management operations", addCreatorToOrganization: l = !0 } = n, u = await e.adapters.organizations.create(r, {
 		name: t.id,
 		display_name: t.friendly_name || t.id
 	}), d;
-	if (o && (d = await w(e, r, s, c)), l && e.ctx) {
+	if (o && (d = await ne(e, r, s, c)), l && e.ctx) {
 		let t = e.ctx.var.user;
-		if (t?.sub && !await C(e, r, t.sub)) try {
+		if (t?.sub && !await te(e, r, t.sub)) try {
 			await e.adapters.userOrganizations.create(r, {
 				user_id: t.sub,
 				organization_id: u.id
@@ -81,12 +82,12 @@ async function S(e, t, n) {
 	}
 	a && a.length > 0 && console.log(`Would assign roles ${a.join(", ")} to organization ${u.id}`), i && i.length > 0 && console.log(`Would grant permissions ${i.join(", ")} to organization ${u.id}`);
 }
-async function C(e, t, n) {
+async function te(e, t, n) {
 	let r = await e.adapters.userRoles.list(t, n, void 0, "");
 	for (let n of r) if ((await e.adapters.rolePermissions.list(t, n.id, { per_page: 1e3 })).some((e) => e.permission_name === "admin:organizations")) return !0;
 	return !1;
 }
-async function w(e, r, i, a) {
+async function ne(e, r, i, a) {
 	let o = (await e.adapters.roles.list(r, {})).roles.find((e) => e.name === i);
 	if (o) return o.id;
 	let s = await e.adapters.roles.create(r, {
@@ -101,7 +102,7 @@ async function w(e, r, i, a) {
 }
 //#endregion
 //#region src/hooks/sync.ts
-function T(e, t, n = () => !0) {
+function D(e, t, n = () => !0) {
 	let { controlPlaneTenantId: r, getChildTenantIds: i, getAdapters: a } = e, o = /* @__PURE__ */ new Map();
 	async function s(e, n, r) {
 		return (await t(e).list(n, {
@@ -156,18 +157,18 @@ function T(e, t, n = () => !0) {
 		}
 	};
 }
-function E(e, t, n = () => !0) {
+function O(e, t, n = () => !0) {
 	let { controlPlaneTenantId: r, getControlPlaneAdapters: i, getAdapters: a } = e;
 	return { async afterCreate(e, o) {
 		if (o.id !== r) try {
-			let e = await i(), s = await a(o.id), l = t(e), u = t(s), d = await c((e) => l.listPaginated(r, e), l.listKey, {
+			let e = await i(), s = await a(o.id), c = t(e), l = t(s), d = await u((e) => c.listPaginated(r, e), c.listKey, {
 				cursorField: "id",
 				pageSize: 100
 			});
 			await Promise.all(d.filter((e) => n(e)).map(async (e) => {
 				try {
-					let t = l.transform(e);
-					await u.create(o.id, {
+					let t = c.transform(e);
+					await l.create(o.id, {
 						...t,
 						is_system: !0
 					});
@@ -180,7 +181,7 @@ function E(e, t, n = () => !0) {
 		}
 	} };
 }
-var D = (e) => ({
+var k = (e) => ({
 	list: async (t, n) => (await e.resourceServers.list(t, n)).resource_servers,
 	listPaginated: (t, n) => e.resourceServers.list(t, n),
 	get: (t, n) => e.resourceServers.get(t, n),
@@ -198,7 +199,7 @@ var D = (e) => ({
 		token_lifetime: e.token_lifetime,
 		token_lifetime_for_web: e.token_lifetime_for_web
 	})
-}), O = (e) => ({
+}), A = (e) => ({
 	list: async (t, n) => (await e.roles.list(t, n)).roles,
 	listPaginated: (t, n) => e.roles.list(t, n),
 	get: (t, n) => e.roles.get(t, n),
@@ -213,15 +214,15 @@ var D = (e) => ({
 		description: e.description
 	})
 });
-function k(e) {
+function re(e) {
 	return e.metadata?.sync !== !1;
 }
-function A(e) {
-	let { sync: t = {}, filters: n = {} } = e, r = t.resourceServers ?? !0, i = t.roles ?? !0, a = (e) => k(e) ? n.resourceServers ? n.resourceServers(e) : !0 : !1, o = (e) => k(e) ? n.roles ? n.roles(e) : !0 : !1, s = r ? T(e, D, a) : void 0, l = i ? T(e, O, o) : void 0, u = r ? E(e, D, a) : void 0, d = i ? E(e, O, o) : void 0, f = i ? { async afterCreate(t, r) {
+function ie(e) {
+	let { sync: t = {}, filters: n = {} } = e, r = t.resourceServers ?? !0, i = t.roles ?? !0, a = (e) => re(e) ? n.resourceServers ? n.resourceServers(e) : !0 : !1, o = (e) => re(e) ? n.roles ? n.roles(e) : !0 : !1, s = r ? D(e, k, a) : void 0, c = i ? D(e, A, o) : void 0, l = r ? O(e, k, a) : void 0, d = i ? O(e, A, o) : void 0, f = i ? { async afterCreate(t, r) {
 		if (r.id !== e.controlPlaneTenantId) {
 			await d?.afterCreate?.(t, r);
 			try {
-				let t = await e.getControlPlaneAdapters(), i = await e.getAdapters(r.id), a = await c((n) => t.roles.list(e.controlPlaneTenantId, n), "roles", {
+				let t = await e.getControlPlaneAdapters(), i = await e.getAdapters(r.id), a = await u((n) => t.roles.list(e.controlPlaneTenantId, n), "roles", {
 					cursorField: "id",
 					pageSize: 100
 				}), o = /* @__PURE__ */ new Map();
@@ -256,10 +257,10 @@ function A(e) {
 	return {
 		entityHooks: {
 			resourceServers: s,
-			roles: l
+			roles: c
 		},
 		tenantHooks: { async afterCreate(e, t) {
-			let n = [u?.afterCreate, f?.afterCreate ?? d?.afterCreate], r = [];
+			let n = [l?.afterCreate, f?.afterCreate ?? d?.afterCreate], r = [];
 			for (let i of n) if (i) try {
 				await i(e, t);
 			} catch (e) {
@@ -271,36 +272,36 @@ function A(e) {
 	};
 }
 //#endregion
-//#region ../../node_modules/.pnpm/hono@4.12.25/node_modules/hono/dist/http-exception.js
-var j = class extends Error {
-	res;
-	status;
-	constructor(e = 500, t) {
-		super(t?.message, { cause: t?.cause }), this.res = t?.res, this.status = e;
-	}
-	getResponse() {
-		return this.res ? new Response(this.res.body, {
-			status: this.status,
-			headers: this.res.headers
-		}) : new Response(this.message, { status: this.status });
-	}
-};
-//#endregion
 //#region src/routes/tenants.ts
-function M(e, t) {
-	let n = new m();
-	return n.openapi(h({
+var ae = b.object({
+	sub: b.string(),
+	tenant_id: b.string().optional(),
+	org_id: b.string().optional(),
+	scope: b.string().optional(),
+	permissions: b.array(b.string()).optional()
+}).passthrough();
+function oe(e) {
+	let t = ae.safeParse(e);
+	return t.success ? t.data : void 0;
+}
+function se(e) {
+	let t = e.permissions ?? [], n = e.scope ? e.scope.split(" ").filter(Boolean) : [], r = new Set([...t, ...n]);
+	return r.has("delete:tenants") || r.has("admin:organizations");
+}
+function j(e, t) {
+	let n = new v();
+	return n.openapi(y({
 		tags: ["tenants"],
 		method: "get",
 		path: "/",
 		request: { query: r },
 		security: [{ Bearer: [] }],
 		responses: { 200: {
-			content: { "application/json": { schema: g.object({
-				tenants: g.array(p),
-				start: g.number().optional(),
-				limit: g.number().optional(),
-				length: g.number().optional()
+			content: { "application/json": { schema: b.object({
+				tenants: b.array(_),
+				start: b.number().optional(),
+				limit: b.number().optional(),
+				length: b.number().optional()
 			}) } },
 			description: "List of tenants"
 		} }
@@ -320,17 +321,17 @@ function M(e, t) {
 				length: e.tenants.length
 			}) : t.json({ tenants: e.tenants });
 		}
-		let l = e.accessControl?.controlPlaneTenantId ?? t.env.data.multiTenancyConfig?.controlPlaneTenantId;
-		if (l && !o?.sub) throw new j(403, { message: "Access denied: token has no subject" });
-		if (l && o?.sub) {
-			let e = (await c((e) => t.env.data.userOrganizations.listUserOrganizations(l, o.sub, e), "organizations")).map((e) => e.name);
+		let c = e.accessControl?.controlPlaneTenantId ?? t.env.data.multiTenancyConfig?.controlPlaneTenantId;
+		if (c && !o?.sub) throw new x(403, { message: "Access denied: token has no subject" });
+		if (c && o?.sub) {
+			let e = (await u((e) => t.env.data.userOrganizations.listUserOrganizations(c, o.sub, e), "organizations")).map((e) => e.name);
 			if (e.length === 0) return i ? t.json({
 				tenants: [],
 				start: 0,
 				limit: r ?? 50,
 				length: 0
 			}) : t.json({ tenants: [] });
-			let s = e.length, u = n ?? 0, d = r ?? 50, f = u * d, p = e.slice(f, f + d);
+			let s = e.length, l = n ?? 0, d = r ?? 50, f = l * d, p = e.slice(f, f + d);
 			if (p.length === 0) return i ? t.json({
 				tenants: [],
 				start: f,
@@ -349,34 +350,34 @@ function M(e, t) {
 				length: s
 			}) : t.json({ tenants: g.tenants });
 		}
-		let u = await t.env.data.tenants.list({
+		let l = await t.env.data.tenants.list({
 			page: n,
 			per_page: r,
 			include_totals: i,
 			q: a
 		});
 		return i ? t.json({
-			tenants: u.tenants,
-			start: u.totals?.start ?? 0,
-			limit: u.totals?.limit ?? r,
-			length: u.tenants.length
-		}) : t.json({ tenants: u.tenants });
-	}), n.openapi(h({
+			tenants: l.tenants,
+			start: l.totals?.start ?? 0,
+			limit: l.totals?.limit ?? r,
+			length: l.tenants.length
+		}) : t.json({ tenants: l.tenants });
+	}), n.openapi(y({
 		tags: ["tenants"],
 		method: "post",
 		path: "/",
-		request: { body: { content: { "application/json": { schema: f } } } },
+		request: { body: { content: { "application/json": { schema: g } } } },
 		security: [{ Bearer: [] }],
 		responses: {
 			201: {
-				content: { "application/json": { schema: p } },
+				content: { "application/json": { schema: _ } },
 				description: "Tenant created"
 			},
 			400: { description: "Validation error" },
 			409: { description: "Tenant with this ID already exists" }
 		}
 	}), async (e) => {
-		if (!e.var.user?.sub) throw new j(401, { message: "Authentication required to create tenants" });
+		if (!e.var.user?.sub) throw new x(401, { message: "Authentication required to create tenants" });
 		let n = e.req.valid("json"), r = {
 			adapters: e.env.data,
 			ctx: e
@@ -384,11 +385,11 @@ function M(e, t) {
 		t.tenants?.beforeCreate && (n = await t.tenants.beforeCreate(r, n));
 		let i = await e.env.data.tenants.create(n);
 		return t.tenants?.afterCreate && await t.tenants.afterCreate(r, i), e.json(i, 201);
-	}), n.openapi(h({
+	}), n.openapi(y({
 		tags: ["tenants"],
 		method: "delete",
 		path: "/{id}",
-		request: { params: g.object({ id: g.string() }) },
+		request: { params: b.object({ id: b.string() }) },
 		security: [{ Bearer: ["delete:tenants"] }],
 		responses: {
 			204: { description: "Tenant deleted" },
@@ -398,58 +399,62 @@ function M(e, t) {
 	}), async (n) => {
 		let { id: r } = n.req.valid("param"), i = e.accessControl?.controlPlaneTenantId ?? n.env.data.multiTenancyConfig?.controlPlaneTenantId;
 		if (i) {
-			let e = n.var.user;
-			if (!e?.sub) throw new j(401, { message: "Authentication required" });
-			if (r === i) throw new j(403, { message: "Cannot delete the control plane" });
+			let e = oe(n.var.user);
+			if (!e?.sub) throw new x(401, { message: "Authentication required" });
+			if (r === i) throw new x(403, { message: "Cannot delete the control plane" });
 			let t = n.var.org_name, a = r.toLowerCase(), o = !!t && t.toLowerCase() === a;
-			if (o ||= (await c((t) => n.env.data.userOrganizations.listUserOrganizations(i, e.sub, t), "organizations")).some((e) => e.name?.toLowerCase() === a), !o) throw new j(403, { message: "Access denied to this tenant" });
+			if (!o) {
+				let r = !!(e.org_id ?? n.var.organization_id ?? t), a = !e.tenant_id || e.tenant_id === i;
+				!r && a && se(e) && (o = !0);
+			}
+			if (o ||= (await u((t) => n.env.data.userOrganizations.listUserOrganizations(i, e.sub, t), "organizations")).some((e) => e.name?.toLowerCase() === a), !o) throw new x(403, { message: "Access denied to this tenant" });
 		}
-		if (!await n.env.data.tenants.get(r)) throw new j(404, { message: "Tenant not found" });
+		if (!await n.env.data.tenants.get(r)) throw new x(404, { message: "Tenant not found" });
 		let a = {
 			adapters: n.env.data,
 			ctx: n
 		};
 		return t.tenants?.beforeDelete && await t.tenants.beforeDelete(a, r), await n.env.data.tenants.remove(r), t.tenants?.afterDelete && await t.tenants.afterDelete(a, r), n.body(null, 204);
-	}), n.openapi(h({
+	}), n.openapi(y({
 		tags: ["tenants", "settings"],
 		method: "get",
 		path: "/settings",
-		request: { headers: g.object({ "tenant-id": g.string().optional() }) },
+		request: { headers: b.object({ "tenant-id": b.string().optional() }) },
 		security: [{ Bearer: ["read:tenants"] }],
 		responses: { 200: {
-			content: { "application/json": { schema: p } },
+			content: { "application/json": { schema: _ } },
 			description: "Current tenant settings"
 		} }
 	}), async (e) => {
 		let t = await e.env.data.tenants.get(e.var.tenant_id);
-		if (!t) throw new j(404, { message: "Tenant not found" });
+		if (!t) throw new x(404, { message: "Tenant not found" });
 		return e.json(t);
-	}), n.openapi(h({
+	}), n.openapi(y({
 		tags: ["tenants", "settings"],
 		method: "patch",
 		path: "/settings",
 		request: {
-			headers: g.object({ "tenant-id": g.string().optional() }),
-			body: { content: { "application/json": { schema: g.object(f.shape).partial() } } }
+			headers: b.object({ "tenant-id": b.string().optional() }),
+			body: { content: { "application/json": { schema: b.object(g.shape).partial() } } }
 		},
 		security: [{ Bearer: ["update:tenants"] }],
 		responses: { 200: {
-			content: { "application/json": { schema: p } },
+			content: { "application/json": { schema: _ } },
 			description: "Updated tenant settings"
 		} }
 	}), async (e) => {
 		let { id: t, ...n } = e.req.valid("json"), r = await e.env.data.tenants.get(e.var.tenant_id);
-		if (!r) throw new j(404, { message: "Tenant not found" });
-		let i = s(r, n);
+		if (!r) throw new x(404, { message: "Tenant not found" });
+		let i = c(r, n);
 		await e.env.data.tenants.update(e.var.tenant_id, i);
 		let a = await e.env.data.tenants.get(e.var.tenant_id);
-		if (!a) throw new j(500, { message: "Failed to retrieve updated tenant" });
+		if (!a) throw new x(500, { message: "Failed to retrieve updated tenant" });
 		return e.json(a);
 	}), n;
 }
 //#endregion
 //#region src/middleware/protect-synced.ts
-function ee(e) {
+function ce(e) {
 	for (let { pattern: t, type: n } of [
 		{
 			pattern: /\/api\/v2\/resource-servers\/([^/]+)$/,
@@ -472,7 +477,7 @@ function ee(e) {
 	}
 	return null;
 }
-async function te(e, t, n) {
+async function le(e, t, n) {
 	try {
 		switch (n.type) {
 			case "resource_server": return (await e.resourceServers.get(t, n.id))?.is_system === !0;
@@ -484,47 +489,47 @@ async function te(e, t, n) {
 		return !1;
 	}
 }
-function ne(e) {
+function ue(e) {
 	return {
 		resource_server: "resource server",
 		role: "role",
 		connection: "connection"
 	}[e];
 }
-function N() {
+function M() {
 	return async (e, t) => {
 		if (![
 			"PATCH",
 			"PUT",
 			"DELETE"
 		].includes(e.req.method)) return t();
-		let n = ee(e.req.path);
+		let n = ce(e.req.path);
 		if (!n) return t();
 		let r = e.var.tenant_id || e.req.header("x-tenant-id") || e.req.header("tenant-id");
 		if (!r) return t();
-		if (await te(e.env.data, r, n)) throw new j(403, { message: `This ${ne(n.type)} is a system resource and cannot be modified. Make changes in the control plane instead.` });
+		if (await le(e.env.data, r, n)) throw new x(403, { message: `This ${ue(n.type)} is a system resource and cannot be modified. Make changes in the control plane instead.` });
 		return t();
 	};
 }
 //#endregion
 //#region src/middleware/settings-inheritance.ts
-function P(e, t) {
+function N(e, t) {
 	let n = t.find((t) => t.strategy === e.strategy);
 	if (!n?.options) return e;
-	let r = o.passthrough().parse({
+	let r = s.passthrough().parse({
 		...n,
 		...e
 	});
-	return r.options = a.passthrough().parse({
+	return r.options = o.passthrough().parse({
 		...n.options || {},
 		...e.options
 	}), r;
 }
-function F(e, t) {
+function P(e, t) {
 	let n = [...t || [], ...e || []];
 	return [...new Set(n)];
 }
-function I(e, t) {
+function de(e, t) {
 	if (!t?.length) return e || [];
 	if (!e?.length) return t;
 	let n = /* @__PURE__ */ new Map();
@@ -532,22 +537,22 @@ function I(e, t) {
 	for (let t of e) n.set(t.value, t);
 	return Array.from(n.values());
 }
-function L(e, t) {
+function F(e, t) {
 	return t ? {
 		...e,
-		scopes: I(e.scopes, t.scopes)
+		scopes: de(e.scopes, t.scopes)
 	} : e;
 }
-function re(e, t) {
+function fe(e, t) {
 	return t ? {
 		...e,
-		callbacks: F(e.callbacks, t.callbacks),
-		web_origins: F(e.web_origins, t.web_origins),
-		allowed_logout_urls: F(e.allowed_logout_urls, t.allowed_logout_urls),
-		allowed_origins: F(e.allowed_origins, t.allowed_origins)
+		callbacks: P(e.callbacks, t.callbacks),
+		web_origins: P(e.web_origins, t.web_origins),
+		allowed_logout_urls: P(e.allowed_logout_urls, t.allowed_logout_urls),
+		allowed_origins: P(e.allowed_origins, t.allowed_origins)
 	} : e;
 }
-function R(e) {
+function I(e) {
 	let { controlPlaneTenantId: t, controlPlaneClientId: n, resolveControlPlane: r } = e;
 	if (r) return async (e) => r({ tenant_id: e });
 	if (!t) return async () => void 0;
@@ -557,14 +562,14 @@ function R(e) {
 	};
 	return async () => i;
 }
-function z(e, t) {
+function L(e, t) {
 	return {
 		...e.resourceServers,
 		get: async (n, r) => {
 			let i = await e.resourceServers.get(n, r);
 			if (!i) return i;
 			let a = await t(n);
-			return !a || n === a.tenantId || !i.is_system ? i : L(i, await e.resourceServers.get(a.tenantId, r));
+			return !a || n === a.tenantId || !i.is_system ? i : F(i, await e.resourceServers.get(a.tenantId, r));
 		},
 		list: async (n, r) => {
 			let i = await e.resourceServers.list(n, r), a = await t(n);
@@ -576,7 +581,7 @@ function z(e, t) {
 				let n = await e.resourceServers.get(o, t);
 				n && c.set(t, n);
 			}));
-			let l = i.resource_servers.map((e) => e.is_system && e.id ? L(e, c.get(e.id) ?? null) : e);
+			let l = i.resource_servers.map((e) => e.is_system && e.id ? F(e, c.get(e.id) ?? null) : e);
 			return {
 				...i,
 				resource_servers: l
@@ -584,18 +589,18 @@ function z(e, t) {
 		}
 	};
 }
-function B(e, t) {
-	let n = R({
+function R(e, t) {
+	let n = I({
 		controlPlaneTenantId: t.controlPlaneTenantId,
 		resolveControlPlane: t.resolveControlPlane
 	});
 	return {
 		...e,
-		resourceServers: z(e, n)
+		resourceServers: L(e, n)
 	};
 }
-function V(e, t) {
-	let { controlPlaneTenantId: n, controlPlaneClientId: r, resolveControlPlane: i } = t, a = R({
+function z(e, t) {
+	let { controlPlaneTenantId: n, controlPlaneClientId: r, resolveControlPlane: i } = t, a = I({
 		controlPlaneTenantId: n,
 		controlPlaneClientId: r,
 		resolveControlPlane: i
@@ -613,12 +618,12 @@ function V(e, t) {
 				let r = await e.connections.get(t, n);
 				if (!r) return r;
 				let i = await a(t);
-				return !i || t === i.tenantId ? r : P(r, (await e.connections.list(i.tenantId)).connections || []);
+				return !i || t === i.tenantId ? r : N(r, (await e.connections.list(i.tenantId)).connections || []);
 			},
 			list: async (t, n) => {
 				let r = await e.connections.list(t, n), i = await a(t);
 				if (!i || t === i.tenantId) return r;
-				let o = await e.connections.list(i.tenantId), s = r.connections.map((e) => P(e, o.connections || []));
+				let o = await e.connections.list(i.tenantId), s = r.connections.map((e) => N(e, o.connections || []));
 				return {
 					...r,
 					connections: s
@@ -633,7 +638,7 @@ function V(e, t) {
 				let i = await a(t);
 				if (!i || t === i.tenantId) return r;
 				let o = await e.connections.list(i.tenantId);
-				return r.map((e) => P(e, o.connections || []));
+				return r.map((e) => N(e, o.connections || []));
 			}
 		},
 		emailProviders: {
@@ -645,22 +650,22 @@ function V(e, t) {
 				return !r || t === r.tenantId ? null : e.emailProviders.get(r.tenantId);
 			}
 		},
-		resourceServers: z(e, a),
-		hooks: ie(e, a)
+		resourceServers: L(e, a),
+		hooks: pe(e, a)
 	};
 }
-function H(e) {
+function B(e) {
 	if (!e || typeof e != "object") return !1;
 	let t = e.metadata;
 	return !t || typeof t != "object" ? !1 : t.inheritable === !0;
 }
-function ie(e, t) {
+function pe(e, t) {
 	return {
 		...e.hooks,
 		list: async (n, r) => {
 			let i = await e.hooks.list(n, r), a = await t(n);
 			if (!a || n === a.tenantId) return i;
-			let o = ((await e.hooks.list(a.tenantId, r)).hooks || []).filter(H);
+			let o = ((await e.hooks.list(a.tenantId, r)).hooks || []).filter(B);
 			if (o.length === 0) return i;
 			let s = new Set((i.hooks || []).map((e) => e.hook_id)), c = o.filter((e) => !s.has(e.hook_id));
 			return {
@@ -675,31 +680,31 @@ function ie(e, t) {
 			let a = await t(n);
 			if (!a || n === a.tenantId) return i;
 			let o = await e.hooks.get(a.tenantId, r);
-			return o && H(o) ? o : null;
+			return o && B(o) ? o : null;
 		}
 	};
 }
-function U(e, t) {
-	return V(e, t);
+function V(e, t) {
+	return z(e, t);
 }
 //#endregion
 //#region src/middleware/index.ts
-function W(e) {
+function H(e) {
 	return async (t, n) => {
 		let r = t.var.user;
 		return r?.tenant_id === e && r.org_name && t.set("tenant_id", r.org_name), n();
 	};
 }
-function G(e) {
+function U(e) {
 	return async (n, r) => {
 		if (!e.accessControl) return r();
 		let { controlPlaneTenantId: i } = e.accessControl, a = n.var.org_name, o = n.var.organization_id, s = a || o, c = n.var.tenant_id, l = n.var.user, u = (l?.aud ? Array.isArray(l.aud) ? l.aud : [l.aud] : []).includes(t);
-		if (!c && s && u && (n.set("tenant_id", s), c = s), !c) throw new j(400, { message: "Tenant ID not found in request" });
-		if (!v(o, c, i, a)) throw new j(403, { message: `Access denied to tenant ${c}` });
+		if (!c && s && u && (n.set("tenant_id", s), c = s), !c) throw new x(400, { message: "Tenant ID not found in request" });
+		if (!C(o, c, i, a)) throw new x(403, { message: `Access denied to tenant ${c}` });
 		return r();
 	};
 }
-function K(e) {
+function W(e) {
 	return async (t, n) => {
 		if (!e.subdomainRouting) return n();
 		let { baseDomain: r, reservedSubdomains: i = [], resolveSubdomain: a } = e.subdomainRouting, o = t.req.header("x-forwarded-host") || t.req.header("host") || "", s = null;
@@ -714,43 +719,43 @@ function K(e) {
 			let n = await t.env.data.organizations.get(e.accessControl.controlPlaneTenantId, s);
 			n && (c = n.id);
 		} catch {}
-		if (!c) throw new j(404, { message: `Tenant not found for subdomain: ${s}` });
+		if (!c) throw new x(404, { message: `Tenant not found for subdomain: ${s}` });
 		return t.set("tenant_id", c), n();
 	};
 }
-function q(e) {
+function G(e) {
 	return async (t, n) => {
 		if (!e.databaseIsolation) return n();
 		let r = t.var.tenant_id;
-		if (!r) throw new j(400, { message: "Tenant ID not found in request" });
+		if (!r) throw new x(400, { message: "Tenant ID not found in request" });
 		try {
 			let n = await e.databaseIsolation.getAdapters(r);
 			t.env.data = n;
 		} catch (e) {
-			throw console.error(`Failed to resolve database for tenant ${r}:`, e), new j(500, { message: "Failed to resolve tenant database" });
+			throw console.error(`Failed to resolve database for tenant ${r}:`, e), new x(500, { message: "Failed to resolve tenant database" });
 		}
 		return n();
 	};
 }
-function J(e) {
-	let t = K(e), n = G(e), r = q(e);
+function K(e) {
+	let t = W(e), n = U(e), r = G(e);
 	return async (e, i) => (await t(e, async () => {}), await n(e, async () => {}), await r(e, async () => {}), i());
 }
 //#endregion
 //#region src/init.ts
-function ae(e) {
+function me(e) {
 	let { dataAdapter: t, controlPlane: n, controlPlane: { tenantId: r = "control_plane", clientId: i } = {}, resolveControlPlane: a, sync: o = {
 		resourceServers: !0,
 		roles: !0
-	}, defaultPermissions: s = ["tenant:admin"], requireOrganizationMatch: l = !1, managementApiExtensions: d = [], entityHooks: f, getChildTenantIds: p, getAdapters: m, ...h } = e;
+	}, defaultPermissions: s = ["tenant:admin"], requireOrganizationMatch: c = !1, managementApiExtensions: l = [], entityHooks: d, getChildTenantIds: p, getAdapters: m, ...h } = e;
 	if (a && !n) throw Error("initMultiTenant: `resolveControlPlane` requires `controlPlane` to be set. The static `controlPlane.tenantId` is used for access control, sync direction, and tenant management routing; the resolver only overrides per-tenant runtime inheritance lookups on top of it.");
 	let g = t, _ = t;
-	n && (g = U(t, {
+	n && (g = V(t, {
 		controlPlaneTenantId: r,
 		controlPlaneClientId: i,
 		resolveControlPlane: a
 	}), _ = {
-		...B(t, {
+		...R(t, {
 			controlPlaneTenantId: r,
 			resolveControlPlane: a
 		}),
@@ -766,67 +771,88 @@ function ae(e) {
 	} : {
 		resourceServers: !1,
 		roles: !1
-	}, { entityHooks: b, tenantHooks: S } = A({
+	}, { entityHooks: b, tenantHooks: x } = ie({
 		controlPlaneTenantId: r,
-		getChildTenantIds: p ?? (async () => (await c((e) => g.tenants.list(e), "tenants", {
+		getChildTenantIds: p ?? (async () => (await u((e) => g.tenants.list(e), "tenants", {
 			cursorField: "id",
 			pageSize: 100
 		})).filter((e) => e.id !== r).map((e) => e.id)),
 		getAdapters: m ?? (async () => g),
 		getControlPlaneAdapters: async () => g,
 		sync: y
-	}), C = {
-		resourceServers: [b.resourceServers, ...f?.resourceServers ?? []],
-		roles: [b.roles, ...f?.roles ?? []],
-		connections: f?.connections ?? [],
-		tenants: f?.tenants ?? [],
-		rolePermissions: f?.rolePermissions ?? []
-	}, w = x({ accessControl: {
+	}), S = {
+		resourceServers: [b.resourceServers, ...d?.resourceServers ?? []],
+		roles: [b.roles, ...d?.roles ?? []],
+		connections: d?.connections ?? [],
+		tenants: d?.tenants ?? [],
+		rolePermissions: d?.rolePermissions ?? []
+	}, C = E({ accessControl: {
 		controlPlaneTenantId: r,
-		requireOrganizationMatch: l,
+		requireOrganizationMatch: c,
 		defaultPermissions: s
-	} }), T = M({ accessControl: {
+	} }), w = j({ accessControl: {
 		controlPlaneTenantId: r,
-		requireOrganizationMatch: l,
+		requireOrganizationMatch: c,
 		defaultPermissions: s
 	} }, { tenants: {
 		async beforeCreate(e, t) {
-			return w.beforeCreate && (t = await w.beforeCreate(e, t)), S.beforeCreate && (t = await S.beforeCreate(e, t)), t;
+			return C.beforeCreate && (t = await C.beforeCreate(e, t)), x.beforeCreate && (t = await x.beforeCreate(e, t)), t;
 		},
 		async afterCreate(e, t) {
-			await w.afterCreate?.(e, t), await S.afterCreate?.(e, t);
+			await C.afterCreate?.(e, t), await x.afterCreate?.(e, t);
 		},
 		async beforeDelete(e, t) {
-			await w.beforeDelete?.(e, t), await S.beforeDelete?.(e, t);
+			await C.beforeDelete?.(e, t), await x.beforeDelete?.(e, t);
 		}
-	} }), { app: E } = u({
+	} }), { app: T } = f({
 		dataAdapter: g,
 		managementDataAdapter: _,
 		...h,
-		entityHooks: C,
-		managementApiExtensions: [...d, {
+		entityHooks: S,
+		managementApiExtensions: [...l, {
 			path: "/tenants",
-			router: T
+			router: w
 		}]
 	});
-	return E.use("/api/v2/*", W(r)), v && E.use("/api/v2/*", N()), {
-		app: E,
+	return T.use("/api/v2/*", H(r)), v && T.use("/api/v2/*", M()), {
+		app: T,
 		controlPlaneTenantId: r
 	};
 }
 //#endregion
 //#region src/rollout/defaults-projection.ts
-function Y() {
+function q(e = {}) {
+	return {
+		connections: e.connections ?? !0,
+		resourceServers: e.resourceServers ?? !0,
+		hooks: e.hooks ?? !0,
+		emailProvider: e.emailProvider ?? !0,
+		branding: e.branding ?? !0,
+		promptSettings: e.promptSettings ?? !0
+	};
+}
+function J() {
 	return {
 		upserted: 0,
 		errors: []
 	};
 }
-function oe(e) {
+function he(e) {
+	return {
+		tenantId: e,
+		connections: J(),
+		resourceServers: J(),
+		hooks: J(),
+		emailProvider: J(),
+		branding: J(),
+		promptSettings: J()
+	};
+}
+function ge(e) {
 	let t = e.metadata;
 	return !!(t && t.inheritable === !0);
 }
-async function X(e, t, n, r) {
+async function Y(e, t, n, r) {
 	try {
 		await r();
 	} catch (r) {
@@ -835,90 +861,121 @@ async function X(e, t, n, r) {
 		e.errors.push(i);
 	}
 }
-async function Z(e, t) {
-	let { controlPlaneTenantId: n, getControlPlaneAdapters: r, getAdapters: a, entities: o = {}, continueOnError: s = !1 } = e, u = {
-		connections: o.connections ?? !0,
-		resourceServers: o.resourceServers ?? !0,
-		hooks: o.hooks ?? !0,
-		emailProvider: o.emailProvider ?? !0,
-		branding: o.branding ?? !0,
-		promptSettings: o.promptSettings ?? !0
-	}, f = await r(), p = await a(t), m = {
-		tenantId: t,
-		connections: Y(),
-		resourceServers: Y(),
-		hooks: Y(),
-		emailProvider: Y(),
-		branding: Y(),
-		promptSettings: Y()
-	};
-	if (u.connections) {
-		let e = await c((e) => f.connections.list(n, e), "connections", {
+async function _e(e, t, n) {
+	return {
+		connections: n.connections ? await u((n) => e.connections.list(t, n), "connections", {
 			cursorField: "id",
 			pageSize: 100
-		});
-		for (let t of e) {
-			let e = t.id;
-			e && await X(m.connections, `connection ${e}`, s, async () => {
-				let r = i.parse(t);
-				await p.connections.get(n, e) ? await p.connections.update(n, e, r) : await p.connections.create(n, r), m.connections.upserted += 1;
-			});
-		}
-	}
-	if (u.resourceServers) {
-		let e = await c((e) => f.resourceServers.list(n, e), "resource_servers", {
+		}) : [],
+		resourceServers: n.resourceServers ? await u((n) => e.resourceServers.list(t, n), "resource_servers", {
 			cursorField: "id",
 			pageSize: 100
-		});
-		for (let t of e) !t.is_system || !t.id || await X(m.resourceServers, `resource_server ${t.id}`, s, async () => {
-			let e = d.parse(t);
-			await p.resourceServers.get(n, t.id) ? await p.resourceServers.update(n, t.id, e) : await p.resourceServers.create(n, e), m.resourceServers.upserted += 1;
-		});
-	}
-	if (u.hooks) {
-		let e = await c((e) => f.hooks.list(n, e), "hooks", {
+		}) : [],
+		hooks: n.hooks ? await u((n) => e.hooks.list(t, n), "hooks", {
 			cursorField: "hook_id",
 			pageSize: 100
-		});
-		for (let t of e) !oe(t) || !t.hook_id || await X(m.hooks, `hook ${t.hook_id}`, s, async () => {
-			let e = l.parse(t);
-			await p.hooks.get(n, t.hook_id) ? await p.hooks.update(n, t.hook_id, e) : await p.hooks.create(n, e), m.hooks.upserted += 1;
+		}) : [],
+		emailProvider: n.emailProvider ? await e.emailProviders.get(t) ?? null : null,
+		branding: n.branding ? await e.branding.get(t) ?? null : null,
+		promptSettings: n.promptSettings ? await e.promptSettings.get(t) ?? null : null
+	};
+}
+async function ve(e, t, n, r, i, o) {
+	if (r.connections) for (let r of e.connections) {
+		let e = r.id;
+		e && await Y(o.connections, `connection ${e}`, i, async () => {
+			let i = a.parse(r);
+			await t.connections.get(n, e) ? await t.connections.update(n, e, i) : await t.connections.create(n, i), o.connections.upserted += 1;
 		});
 	}
-	return u.emailProvider && await X(m.emailProvider, "email_provider", s, async () => {
-		let e = await f.emailProviders.get(n);
-		e && (await p.emailProviders.get(n) ? await p.emailProviders.update(n, e) : await p.emailProviders.create(n, e), m.emailProvider.upserted += 1);
-	}), u.branding && await X(m.branding, "branding", s, async () => {
-		let e = await f.branding.get(n);
-		e && (await p.branding.set(n, e), m.branding.upserted += 1);
-	}), u.promptSettings && await X(m.promptSettings, "prompt_settings", s, async () => {
-		let e = await f.promptSettings.get(n);
-		e && (await p.promptSettings.set(n, e), m.promptSettings.upserted += 1);
-	}), m;
+	if (r.resourceServers) for (let r of e.resourceServers) !r.is_system || !r.id || await Y(o.resourceServers, `resource_server ${r.id}`, i, async () => {
+		let e = h.parse(r);
+		await t.resourceServers.get(n, r.id) ? await t.resourceServers.update(n, r.id, e) : await t.resourceServers.create(n, e), o.resourceServers.upserted += 1;
+	});
+	if (r.hooks) for (let r of e.hooks) !ge(r) || !r.hook_id || await Y(o.hooks, `hook ${r.hook_id}`, i, async () => {
+		let e = d.parse(r);
+		await t.hooks.get(n, r.hook_id) ? await t.hooks.update(n, r.hook_id, e) : await t.hooks.create(n, e), o.hooks.upserted += 1;
+	});
+	r.emailProvider && e.emailProvider && await Y(o.emailProvider, "email_provider", i, async () => {
+		let r = e.emailProvider;
+		await t.emailProviders.get(n) ? await t.emailProviders.update(n, r) : await t.emailProviders.create(n, r), o.emailProvider.upserted += 1;
+	}), r.branding && e.branding && await Y(o.branding, "branding", i, async () => {
+		await t.branding.set(n, e.branding), o.branding.upserted += 1;
+	}), r.promptSettings && e.promptSettings && await Y(o.promptSettings, "prompt_settings", i, async () => {
+		await t.promptSettings.set(n, e.promptSettings), o.promptSettings.upserted += 1;
+	});
+}
+async function X(e, t) {
+	let { controlPlaneTenantId: n, getControlPlaneAdapters: r, getAdapters: i, entities: a, continueOnError: o = !1 } = e, s = q(a), c = await _e(await r(), n, s), l = await i(t), u = he(t);
+	return await ve(c, l, n, s, o, u), u;
+}
+//#endregion
+//#region src/rollout/payload.ts
+function Z(e) {
+	let { pkcs7: t, tenant_id: n, ...r } = e;
+	return r;
+}
+async function ye(e, t, n = {}) {
+	let r = q(n), i = n.signingKeys ?? !0, a = await _e(e, t, r), o = i ? (await p(e.keys)).map(Z) : [];
+	return {
+		connections: a.connections,
+		resourceServers: a.resourceServers.filter((e) => e.is_system),
+		hooks: a.hooks.filter(ge),
+		emailProvider: a.emailProvider,
+		branding: a.branding,
+		promptSettings: a.promptSettings,
+		signingKeys: o
+	};
+}
+async function be(e, t, n) {
+	let r = J();
+	if (e.length === 0) return r;
+	let i = await p(t.keys), a = new Set(i.map((e) => e.kid));
+	for (let i of e) await Y(r, `signing_key ${i.kid}`, n, async () => {
+		let e = Z(i);
+		a.has(e.kid) || (await t.keys.create(e), a.add(e.kid), r.upserted += 1);
+	});
+	return r;
+}
+async function xe(e, t, n, r = {}) {
+	let a = r.continueOnError ?? !1, o = q(r.entities), s = r.entities?.signingKeys ?? !0, c = {
+		connections: e.connections,
+		resourceServers: e.resourceServers,
+		hooks: e.hooks,
+		emailProvider: e.emailProvider ? l.parse(e.emailProvider) : null,
+		branding: e.branding ? i.parse(e.branding) : null,
+		promptSettings: e.promptSettings ? m.parse(e.promptSettings) : null
+	}, u = he(n);
+	await ve(c, t, n, o, a, u);
+	let d = s ? await be(e.signingKeys, t, a) : J();
+	return {
+		...u,
+		signingKeys: d
+	};
 }
 //#endregion
 //#region src/rollout/index.ts
-function se(e) {
+function Se(e) {
 	return {
-		syncDefaults: (t) => Z(e, t),
+		syncDefaults: (t) => X(e, t),
 		syncDefaultsToTenants: async (t) => {
 			let n = [];
-			for (let r of t) n.push(await Z(e, r));
+			for (let r of t) n.push(await X(e, r));
 			return n;
 		}
 	};
 }
 //#endregion
 //#region src/plugin.ts
-function ce(e) {
+function Ce(e) {
 	let t = Q(e);
 	return {
 		name: "multi-tenancy",
-		middleware: J(e),
+		middleware: K(e),
 		hooks: t,
 		routes: [{
 			path: "/management",
-			handler: M(e, t)
+			handler: j(e, t)
 		}],
 		onRegister: async () => {
 			console.log("Multi-tenancy plugin registered"), e.accessControl && console.log(`  - Access control enabled (control plane: ${e.accessControl.controlPlaneTenantId})`), e.subdomainRouting && console.log(`  - Subdomain routing enabled (base domain: ${e.subdomainRouting.baseDomain})`), e.databaseIsolation && console.log("  - Database isolation enabled");
@@ -928,7 +985,7 @@ function ce(e) {
 //#endregion
 //#region src/index.ts
 function Q(e) {
-	let t = e.accessControl ? _(e.accessControl) : {}, n = e.databaseIsolation ? y(e.databaseIsolation) : {}, r = x(e);
+	let t = e.accessControl ? S(e.accessControl) : {}, n = e.databaseIsolation ? w(e.databaseIsolation) : {}, r = E(e);
 	return {
 		...t,
 		...n,
@@ -937,19 +994,19 @@ function Q(e) {
 }
 function $(t) {
 	let n = new e(), r = Q(t);
-	return n.route("/tenants", M(t, r)), n;
+	return n.route("/tenants", j(t, r)), n;
 }
-function le(e) {
+function we(e) {
 	return {
 		hooks: Q(e),
-		middleware: J(e),
+		middleware: K(e),
 		app: $(e),
 		config: e,
-		wrapAdapters: (t, n) => U(t, {
+		wrapAdapters: (t, n) => V(t, {
 			controlPlaneTenantId: e.accessControl?.controlPlaneTenantId,
 			controlPlaneClientId: n?.controlPlaneClientId
 		})
 	};
 }
 //#endregion
-export { _ as createAccessControlHooks, G as createAccessControlMiddleware, W as createControlPlaneTenantMiddleware, y as createDatabaseHooks, q as createDatabaseMiddleware, se as createDirectRolloutAdapter, $ as createMultiTenancy, Q as createMultiTenancyHooks, J as createMultiTenancyMiddleware, ce as createMultiTenancyPlugin, N as createProtectSyncedMiddleware, x as createProvisioningHooks, V as createRuntimeFallbackAdapter, K as createSubdomainMiddleware, A as createSyncHooks, M as createTenantsOpenAPIRouter, ae as initMultiTenant, re as mergeClientWithFallback, Z as projectControlPlaneDefaults, le as setupMultiTenancy, v as validateTenantAccess, U as withRuntimeFallback, B as withSystemResourceServerInheritance };
+export { xe as applyControlPlaneDefaultsPayload, ye as buildControlPlaneDefaultsPayload, S as createAccessControlHooks, U as createAccessControlMiddleware, H as createControlPlaneTenantMiddleware, w as createDatabaseHooks, G as createDatabaseMiddleware, Se as createDirectRolloutAdapter, $ as createMultiTenancy, Q as createMultiTenancyHooks, K as createMultiTenancyMiddleware, Ce as createMultiTenancyPlugin, M as createProtectSyncedMiddleware, E as createProvisioningHooks, z as createRuntimeFallbackAdapter, W as createSubdomainMiddleware, ie as createSyncHooks, j as createTenantsOpenAPIRouter, me as initMultiTenant, fe as mergeClientWithFallback, X as projectControlPlaneDefaults, we as setupMultiTenancy, C as validateTenantAccess, V as withRuntimeFallback, R as withSystemResourceServerInheritance };