@authhero/multi-tenancy 14.24.1 → 14.25.0

package/dist/multi-tenancy.mjs

@@ -1,9 +1,9 @@
 import { Hono as e } from "hono";
-import { MANAGEMENT_API_AUDIENCE as t, MANAGEMENT_API_SCOPES as n, auth0QuerySchema as r, connectionInsertSchema as i, connectionOptionsSchema as a, connectionSchema as o, deepMergePatch as s, fetchAll as c, hookInsertSchema as l, init as u, resourceServerInsertSchema as d, tenantInsertSchema as f, tenantSchema as p } from "authhero";
-import { OpenAPIHono as m, createRoute as h, z as g } from "@hono/zod-openapi";
-import { HTTPException as _ } from "hono/http-exception";
+import { MANAGEMENT_API_AUDIENCE as t, MANAGEMENT_API_SCOPES as n, auth0QuerySchema as r, brandingSchema as i, connectionInsertSchema as a, connectionOptionsSchema as o, connectionSchema as s, deepMergePatch as c, emailProviderSchema as l, fetchAll as u, hookInsertSchema as d, init as f, listControlPlaneKeys as p, promptSettingSchema as m, resourceServerInsertSchema as h, tenantInsertSchema as g, tenantSchema as _ } from "authhero";
+import { OpenAPIHono as v, createRoute as y, z as b } from "@hono/zod-openapi";
+import { HTTPException as x } from "hono/http-exception";
 //#region src/hooks/access-control.ts
-function v(e) {
+function S(e) {
 	let { controlPlaneTenantId: t, requireOrganizationMatch: n = !0 } = e;
 	return { async onTenantAccessValidation(e, r) {
 		if (r === t) return !0;
@@ -14,14 +14,14 @@ function v(e) {
 		return !0;
 	} };
 }
-function y(e, t, n, r) {
+function C(e, t, n, r) {
 	if (t === n) return !0;
 	let i = r || e;
 	return i ? i.toLowerCase() === t.toLowerCase() : !1;
 }
 //#endregion
 //#region src/hooks/database.ts
-function b(e) {
+function w(e) {
 	return { async resolveDataAdapters(t) {
 		try {
 			return await e.getAdapters(t);
@@ -33,20 +33,20 @@ function b(e) {
 }
 //#endregion
 //#region src/hooks/provisioning.ts
-function x(e) {
+function T(e) {
 	return `urn:authhero:tenant:${e.toLowerCase()}`;
 }
-function S(e) {
+function E(e) {
 	return {
 		async beforeCreate(e, t) {
 			return !t.audience && t.id ? {
 				...t,
-				audience: x(t.id)
+				audience: T(t.id)
 			} : t;
 		},
 		async afterCreate(t, n) {
 			let { accessControl: r, databaseIsolation: i } = e;
-			r && t.ctx && await C(t, n, r), i?.onProvision && await i.onProvision(n.id);
+			r && t.ctx && await ee(t, n, r), i?.onProvision && await i.onProvision(n.id);
 		},
 		async beforeDelete(t, n) {
 			let { accessControl: r, databaseIsolation: i } = e;
@@ -64,14 +64,14 @@ function S(e) {
 		}
 	};
 }
-async function C(e, t, n) {
+async function ee(e, t, n) {
 	let { controlPlaneTenantId: r, defaultPermissions: i, defaultRoles: a, issuer: o, adminRoleName: s = "Tenant Admin", adminRoleDescription: c = "Full access to all tenant management operations", addCreatorToOrganization: l = !0 } = n, u = await e.adapters.organizations.create(r, {
 		name: t.id,
 		display_name: t.friendly_name || t.id
 	}), d;
-	if (o && (d = await T(e, r, s, c)), l && e.ctx) {
+	if (o && (d = await ne(e, r, s, c)), l && e.ctx) {
 		let t = e.ctx.var.user;
-		if (t?.sub && !await w(e, r, t.sub)) try {
+		if (t?.sub && !await te(e, r, t.sub)) try {
 			await e.adapters.userOrganizations.create(r, {
 				user_id: t.sub,
 				organization_id: u.id
@@ -82,12 +82,12 @@ async function C(e, t, n) {
 	}
 	a && a.length > 0 && console.log(`Would assign roles ${a.join(", ")} to organization ${u.id}`), i && i.length > 0 && console.log(`Would grant permissions ${i.join(", ")} to organization ${u.id}`);
 }
-async function w(e, t, n) {
+async function te(e, t, n) {
 	let r = await e.adapters.userRoles.list(t, n, void 0, "");
 	for (let n of r) if ((await e.adapters.rolePermissions.list(t, n.id, { per_page: 1e3 })).some((e) => e.permission_name === "admin:organizations")) return !0;
 	return !1;
 }
-async function T(e, r, i, a) {
+async function ne(e, r, i, a) {
 	let o = (await e.adapters.roles.list(r, {})).roles.find((e) => e.name === i);
 	if (o) return o.id;
 	let s = await e.adapters.roles.create(r, {
@@ -102,7 +102,7 @@ async function T(e, r, i, a) {
 }
 //#endregion
 //#region src/hooks/sync.ts
-function E(e, t, n = () => !0) {
+function D(e, t, n = () => !0) {
 	let { controlPlaneTenantId: r, getChildTenantIds: i, getAdapters: a } = e, o = /* @__PURE__ */ new Map();
 	async function s(e, n, r) {
 		return (await t(e).list(n, {
@@ -157,18 +157,18 @@ function E(e, t, n = () => !0) {
 		}
 	};
 }
-function D(e, t, n = () => !0) {
+function O(e, t, n = () => !0) {
 	let { controlPlaneTenantId: r, getControlPlaneAdapters: i, getAdapters: a } = e;
 	return { async afterCreate(e, o) {
 		if (o.id !== r) try {
-			let e = await i(), s = await a(o.id), l = t(e), u = t(s), d = await c((e) => l.listPaginated(r, e), l.listKey, {
+			let e = await i(), s = await a(o.id), c = t(e), l = t(s), d = await u((e) => c.listPaginated(r, e), c.listKey, {
 				cursorField: "id",
 				pageSize: 100
 			});
 			await Promise.all(d.filter((e) => n(e)).map(async (e) => {
 				try {
-					let t = l.transform(e);
-					await u.create(o.id, {
+					let t = c.transform(e);
+					await l.create(o.id, {
 						...t,
 						is_system: !0
 					});
@@ -181,7 +181,7 @@ function D(e, t, n = () => !0) {
 		}
 	} };
 }
-var O = (e) => ({
+var k = (e) => ({
 	list: async (t, n) => (await e.resourceServers.list(t, n)).resource_servers,
 	listPaginated: (t, n) => e.resourceServers.list(t, n),
 	get: (t, n) => e.resourceServers.get(t, n),
@@ -199,7 +199,7 @@ var O = (e) => ({
 		token_lifetime: e.token_lifetime,
 		token_lifetime_for_web: e.token_lifetime_for_web
 	})
-}), k = (e) => ({
+}), A = (e) => ({
 	list: async (t, n) => (await e.roles.list(t, n)).roles,
 	listPaginated: (t, n) => e.roles.list(t, n),
 	get: (t, n) => e.roles.get(t, n),
@@ -214,15 +214,15 @@ var O = (e) => ({
 		description: e.description
 	})
 });
-function A(e) {
+function re(e) {
 	return e.metadata?.sync !== !1;
 }
-function j(e) {
-	let { sync: t = {}, filters: n = {} } = e, r = t.resourceServers ?? !0, i = t.roles ?? !0, a = (e) => A(e) ? n.resourceServers ? n.resourceServers(e) : !0 : !1, o = (e) => A(e) ? n.roles ? n.roles(e) : !0 : !1, s = r ? E(e, O, a) : void 0, l = i ? E(e, k, o) : void 0, u = r ? D(e, O, a) : void 0, d = i ? D(e, k, o) : void 0, f = i ? { async afterCreate(t, r) {
+function ie(e) {
+	let { sync: t = {}, filters: n = {} } = e, r = t.resourceServers ?? !0, i = t.roles ?? !0, a = (e) => re(e) ? n.resourceServers ? n.resourceServers(e) : !0 : !1, o = (e) => re(e) ? n.roles ? n.roles(e) : !0 : !1, s = r ? D(e, k, a) : void 0, c = i ? D(e, A, o) : void 0, l = r ? O(e, k, a) : void 0, d = i ? O(e, A, o) : void 0, f = i ? { async afterCreate(t, r) {
 		if (r.id !== e.controlPlaneTenantId) {
 			await d?.afterCreate?.(t, r);
 			try {
-				let t = await e.getControlPlaneAdapters(), i = await e.getAdapters(r.id), a = await c((n) => t.roles.list(e.controlPlaneTenantId, n), "roles", {
+				let t = await e.getControlPlaneAdapters(), i = await e.getAdapters(r.id), a = await u((n) => t.roles.list(e.controlPlaneTenantId, n), "roles", {
 					cursorField: "id",
 					pageSize: 100
 				}), o = /* @__PURE__ */ new Map();
@@ -257,10 +257,10 @@ function j(e) {
 	return {
 		entityHooks: {
 			resourceServers: s,
-			roles: l
+			roles: c
 		},
 		tenantHooks: { async afterCreate(e, t) {
-			let n = [u?.afterCreate, f?.afterCreate ?? d?.afterCreate], r = [];
+			let n = [l?.afterCreate, f?.afterCreate ?? d?.afterCreate], r = [];
 			for (let i of n) if (i) try {
 				await i(e, t);
 			} catch (e) {
@@ -273,35 +273,35 @@ function j(e) {
 }
 //#endregion
 //#region src/routes/tenants.ts
-var ee = g.object({
-	sub: g.string(),
-	tenant_id: g.string().optional(),
-	org_id: g.string().optional(),
-	scope: g.string().optional(),
-	permissions: g.array(g.string()).optional()
+var ae = b.object({
+	sub: b.string(),
+	tenant_id: b.string().optional(),
+	org_id: b.string().optional(),
+	scope: b.string().optional(),
+	permissions: b.array(b.string()).optional()
 }).passthrough();
-function te(e) {
-	let t = ee.safeParse(e);
+function oe(e) {
+	let t = ae.safeParse(e);
 	return t.success ? t.data : void 0;
 }
-function ne(e) {
+function se(e) {
 	let t = e.permissions ?? [], n = e.scope ? e.scope.split(" ").filter(Boolean) : [], r = new Set([...t, ...n]);
 	return r.has("delete:tenants") || r.has("admin:organizations");
 }
-function M(e, t) {
-	let n = new m();
-	return n.openapi(h({
+function j(e, t) {
+	let n = new v();
+	return n.openapi(y({
 		tags: ["tenants"],
 		method: "get",
 		path: "/",
 		request: { query: r },
 		security: [{ Bearer: [] }],
 		responses: { 200: {
-			content: { "application/json": { schema: g.object({
-				tenants: g.array(p),
-				start: g.number().optional(),
-				limit: g.number().optional(),
-				length: g.number().optional()
+			content: { "application/json": { schema: b.object({
+				tenants: b.array(_),
+				start: b.number().optional(),
+				limit: b.number().optional(),
+				length: b.number().optional()
 			}) } },
 			description: "List of tenants"
 		} }
@@ -321,17 +321,17 @@ function M(e, t) {
 				length: e.tenants.length
 			}) : t.json({ tenants: e.tenants });
 		}
-		let l = e.accessControl?.controlPlaneTenantId ?? t.env.data.multiTenancyConfig?.controlPlaneTenantId;
-		if (l && !o?.sub) throw new _(403, { message: "Access denied: token has no subject" });
-		if (l && o?.sub) {
-			let e = (await c((e) => t.env.data.userOrganizations.listUserOrganizations(l, o.sub, e), "organizations")).map((e) => e.name);
+		let c = e.accessControl?.controlPlaneTenantId ?? t.env.data.multiTenancyConfig?.controlPlaneTenantId;
+		if (c && !o?.sub) throw new x(403, { message: "Access denied: token has no subject" });
+		if (c && o?.sub) {
+			let e = (await u((e) => t.env.data.userOrganizations.listUserOrganizations(c, o.sub, e), "organizations")).map((e) => e.name);
 			if (e.length === 0) return i ? t.json({
 				tenants: [],
 				start: 0,
 				limit: r ?? 50,
 				length: 0
 			}) : t.json({ tenants: [] });
-			let s = e.length, u = n ?? 0, d = r ?? 50, f = u * d, p = e.slice(f, f + d);
+			let s = e.length, l = n ?? 0, d = r ?? 50, f = l * d, p = e.slice(f, f + d);
 			if (p.length === 0) return i ? t.json({
 				tenants: [],
 				start: f,
@@ -350,34 +350,34 @@ function M(e, t) {
 				length: s
 			}) : t.json({ tenants: g.tenants });
 		}
-		let u = await t.env.data.tenants.list({
+		let l = await t.env.data.tenants.list({
 			page: n,
 			per_page: r,
 			include_totals: i,
 			q: a
 		});
 		return i ? t.json({
-			tenants: u.tenants,
-			start: u.totals?.start ?? 0,
-			limit: u.totals?.limit ?? r,
-			length: u.tenants.length
-		}) : t.json({ tenants: u.tenants });
-	}), n.openapi(h({
+			tenants: l.tenants,
+			start: l.totals?.start ?? 0,
+			limit: l.totals?.limit ?? r,
+			length: l.tenants.length
+		}) : t.json({ tenants: l.tenants });
+	}), n.openapi(y({
 		tags: ["tenants"],
 		method: "post",
 		path: "/",
-		request: { body: { content: { "application/json": { schema: f } } } },
+		request: { body: { content: { "application/json": { schema: g } } } },
 		security: [{ Bearer: [] }],
 		responses: {
 			201: {
-				content: { "application/json": { schema: p } },
+				content: { "application/json": { schema: _ } },
 				description: "Tenant created"
 			},
 			400: { description: "Validation error" },
 			409: { description: "Tenant with this ID already exists" }
 		}
 	}), async (e) => {
-		if (!e.var.user?.sub) throw new _(401, { message: "Authentication required to create tenants" });
+		if (!e.var.user?.sub) throw new x(401, { message: "Authentication required to create tenants" });
 		let n = e.req.valid("json"), r = {
 			adapters: e.env.data,
 			ctx: e
@@ -385,11 +385,11 @@ function M(e, t) {
 		t.tenants?.beforeCreate && (n = await t.tenants.beforeCreate(r, n));
 		let i = await e.env.data.tenants.create(n);
 		return t.tenants?.afterCreate && await t.tenants.afterCreate(r, i), e.json(i, 201);
-	}), n.openapi(h({
+	}), n.openapi(y({
 		tags: ["tenants"],
 		method: "delete",
 		path: "/{id}",
-		request: { params: g.object({ id: g.string() }) },
+		request: { params: b.object({ id: b.string() }) },
 		security: [{ Bearer: ["delete:tenants"] }],
 		responses: {
 			204: { description: "Tenant deleted" },
@@ -399,62 +399,62 @@ function M(e, t) {
 	}), async (n) => {
 		let { id: r } = n.req.valid("param"), i = e.accessControl?.controlPlaneTenantId ?? n.env.data.multiTenancyConfig?.controlPlaneTenantId;
 		if (i) {
-			let e = te(n.var.user);
-			if (!e?.sub) throw new _(401, { message: "Authentication required" });
-			if (r === i) throw new _(403, { message: "Cannot delete the control plane" });
+			let e = oe(n.var.user);
+			if (!e?.sub) throw new x(401, { message: "Authentication required" });
+			if (r === i) throw new x(403, { message: "Cannot delete the control plane" });
 			let t = n.var.org_name, a = r.toLowerCase(), o = !!t && t.toLowerCase() === a;
 			if (!o) {
 				let r = !!(e.org_id ?? n.var.organization_id ?? t), a = !e.tenant_id || e.tenant_id === i;
-				!r && a && ne(e) && (o = !0);
+				!r && a && se(e) && (o = !0);
 			}
-			if (o ||= (await c((t) => n.env.data.userOrganizations.listUserOrganizations(i, e.sub, t), "organizations")).some((e) => e.name?.toLowerCase() === a), !o) throw new _(403, { message: "Access denied to this tenant" });
+			if (o ||= (await u((t) => n.env.data.userOrganizations.listUserOrganizations(i, e.sub, t), "organizations")).some((e) => e.name?.toLowerCase() === a), !o) throw new x(403, { message: "Access denied to this tenant" });
 		}
-		if (!await n.env.data.tenants.get(r)) throw new _(404, { message: "Tenant not found" });
+		if (!await n.env.data.tenants.get(r)) throw new x(404, { message: "Tenant not found" });
 		let a = {
 			adapters: n.env.data,
 			ctx: n
 		};
 		return t.tenants?.beforeDelete && await t.tenants.beforeDelete(a, r), await n.env.data.tenants.remove(r), t.tenants?.afterDelete && await t.tenants.afterDelete(a, r), n.body(null, 204);
-	}), n.openapi(h({
+	}), n.openapi(y({
 		tags: ["tenants", "settings"],
 		method: "get",
 		path: "/settings",
-		request: { headers: g.object({ "tenant-id": g.string().optional() }) },
+		request: { headers: b.object({ "tenant-id": b.string().optional() }) },
 		security: [{ Bearer: ["read:tenants"] }],
 		responses: { 200: {
-			content: { "application/json": { schema: p } },
+			content: { "application/json": { schema: _ } },
 			description: "Current tenant settings"
 		} }
 	}), async (e) => {
 		let t = await e.env.data.tenants.get(e.var.tenant_id);
-		if (!t) throw new _(404, { message: "Tenant not found" });
+		if (!t) throw new x(404, { message: "Tenant not found" });
 		return e.json(t);
-	}), n.openapi(h({
+	}), n.openapi(y({
 		tags: ["tenants", "settings"],
 		method: "patch",
 		path: "/settings",
 		request: {
-			headers: g.object({ "tenant-id": g.string().optional() }),
-			body: { content: { "application/json": { schema: g.object(f.shape).partial() } } }
+			headers: b.object({ "tenant-id": b.string().optional() }),
+			body: { content: { "application/json": { schema: b.object(g.shape).partial() } } }
 		},
 		security: [{ Bearer: ["update:tenants"] }],
 		responses: { 200: {
-			content: { "application/json": { schema: p } },
+			content: { "application/json": { schema: _ } },
 			description: "Updated tenant settings"
 		} }
 	}), async (e) => {
 		let { id: t, ...n } = e.req.valid("json"), r = await e.env.data.tenants.get(e.var.tenant_id);
-		if (!r) throw new _(404, { message: "Tenant not found" });
-		let i = s(r, n);
+		if (!r) throw new x(404, { message: "Tenant not found" });
+		let i = c(r, n);
 		await e.env.data.tenants.update(e.var.tenant_id, i);
 		let a = await e.env.data.tenants.get(e.var.tenant_id);
-		if (!a) throw new _(500, { message: "Failed to retrieve updated tenant" });
+		if (!a) throw new x(500, { message: "Failed to retrieve updated tenant" });
 		return e.json(a);
 	}), n;
 }
 //#endregion
 //#region src/middleware/protect-synced.ts
-function N(e) {
+function ce(e) {
 	for (let { pattern: t, type: n } of [
 		{
 			pattern: /\/api\/v2\/resource-servers\/([^/]+)$/,
@@ -477,7 +477,7 @@ function N(e) {
 	}
 	return null;
 }
-async function re(e, t, n) {
+async function le(e, t, n) {
 	try {
 		switch (n.type) {
 			case "resource_server": return (await e.resourceServers.get(t, n.id))?.is_system === !0;
@@ -489,47 +489,47 @@ async function re(e, t, n) {
 		return !1;
 	}
 }
-function ie(e) {
+function ue(e) {
 	return {
 		resource_server: "resource server",
 		role: "role",
 		connection: "connection"
 	}[e];
 }
-function P() {
+function M() {
 	return async (e, t) => {
 		if (![
 			"PATCH",
 			"PUT",
 			"DELETE"
 		].includes(e.req.method)) return t();
-		let n = N(e.req.path);
+		let n = ce(e.req.path);
 		if (!n) return t();
 		let r = e.var.tenant_id || e.req.header("x-tenant-id") || e.req.header("tenant-id");
 		if (!r) return t();
-		if (await re(e.env.data, r, n)) throw new _(403, { message: `This ${ie(n.type)} is a system resource and cannot be modified. Make changes in the control plane instead.` });
+		if (await le(e.env.data, r, n)) throw new x(403, { message: `This ${ue(n.type)} is a system resource and cannot be modified. Make changes in the control plane instead.` });
 		return t();
 	};
 }
 //#endregion
 //#region src/middleware/settings-inheritance.ts
-function F(e, t) {
+function N(e, t) {
 	let n = t.find((t) => t.strategy === e.strategy);
 	if (!n?.options) return e;
-	let r = o.passthrough().parse({
+	let r = s.passthrough().parse({
 		...n,
 		...e
 	});
-	return r.options = a.passthrough().parse({
+	return r.options = o.passthrough().parse({
 		...n.options || {},
 		...e.options
 	}), r;
 }
-function I(e, t) {
+function P(e, t) {
 	let n = [...t || [], ...e || []];
 	return [...new Set(n)];
 }
-function ae(e, t) {
+function de(e, t) {
 	if (!t?.length) return e || [];
 	if (!e?.length) return t;
 	let n = /* @__PURE__ */ new Map();
@@ -537,22 +537,22 @@ function ae(e, t) {
 	for (let t of e) n.set(t.value, t);
 	return Array.from(n.values());
 }
-function L(e, t) {
+function F(e, t) {
 	return t ? {
 		...e,
-		scopes: ae(e.scopes, t.scopes)
+		scopes: de(e.scopes, t.scopes)
 	} : e;
 }
-function oe(e, t) {
+function fe(e, t) {
 	return t ? {
 		...e,
-		callbacks: I(e.callbacks, t.callbacks),
-		web_origins: I(e.web_origins, t.web_origins),
-		allowed_logout_urls: I(e.allowed_logout_urls, t.allowed_logout_urls),
-		allowed_origins: I(e.allowed_origins, t.allowed_origins)
+		callbacks: P(e.callbacks, t.callbacks),
+		web_origins: P(e.web_origins, t.web_origins),
+		allowed_logout_urls: P(e.allowed_logout_urls, t.allowed_logout_urls),
+		allowed_origins: P(e.allowed_origins, t.allowed_origins)
 	} : e;
 }
-function R(e) {
+function I(e) {
 	let { controlPlaneTenantId: t, controlPlaneClientId: n, resolveControlPlane: r } = e;
 	if (r) return async (e) => r({ tenant_id: e });
 	if (!t) return async () => void 0;
@@ -562,14 +562,14 @@ function R(e) {
 	};
 	return async () => i;
 }
-function z(e, t) {
+function L(e, t) {
 	return {
 		...e.resourceServers,
 		get: async (n, r) => {
 			let i = await e.resourceServers.get(n, r);
 			if (!i) return i;
 			let a = await t(n);
-			return !a || n === a.tenantId || !i.is_system ? i : L(i, await e.resourceServers.get(a.tenantId, r));
+			return !a || n === a.tenantId || !i.is_system ? i : F(i, await e.resourceServers.get(a.tenantId, r));
 		},
 		list: async (n, r) => {
 			let i = await e.resourceServers.list(n, r), a = await t(n);
@@ -581,7 +581,7 @@ function z(e, t) {
 				let n = await e.resourceServers.get(o, t);
 				n && c.set(t, n);
 			}));
-			let l = i.resource_servers.map((e) => e.is_system && e.id ? L(e, c.get(e.id) ?? null) : e);
+			let l = i.resource_servers.map((e) => e.is_system && e.id ? F(e, c.get(e.id) ?? null) : e);
 			return {
 				...i,
 				resource_servers: l
@@ -589,18 +589,18 @@ function z(e, t) {
 		}
 	};
 }
-function B(e, t) {
-	let n = R({
+function R(e, t) {
+	let n = I({
 		controlPlaneTenantId: t.controlPlaneTenantId,
 		resolveControlPlane: t.resolveControlPlane
 	});
 	return {
 		...e,
-		resourceServers: z(e, n)
+		resourceServers: L(e, n)
 	};
 }
-function V(e, t) {
-	let { controlPlaneTenantId: n, controlPlaneClientId: r, resolveControlPlane: i } = t, a = R({
+function z(e, t) {
+	let { controlPlaneTenantId: n, controlPlaneClientId: r, resolveControlPlane: i } = t, a = I({
 		controlPlaneTenantId: n,
 		controlPlaneClientId: r,
 		resolveControlPlane: i
@@ -618,12 +618,12 @@ function V(e, t) {
 				let r = await e.connections.get(t, n);
 				if (!r) return r;
 				let i = await a(t);
-				return !i || t === i.tenantId ? r : F(r, (await e.connections.list(i.tenantId)).connections || []);
+				return !i || t === i.tenantId ? r : N(r, (await e.connections.list(i.tenantId)).connections || []);
 			},
 			list: async (t, n) => {
 				let r = await e.connections.list(t, n), i = await a(t);
 				if (!i || t === i.tenantId) return r;
-				let o = await e.connections.list(i.tenantId), s = r.connections.map((e) => F(e, o.connections || []));
+				let o = await e.connections.list(i.tenantId), s = r.connections.map((e) => N(e, o.connections || []));
 				return {
 					...r,
 					connections: s
@@ -638,7 +638,7 @@ function V(e, t) {
 				let i = await a(t);
 				if (!i || t === i.tenantId) return r;
 				let o = await e.connections.list(i.tenantId);
-				return r.map((e) => F(e, o.connections || []));
+				return r.map((e) => N(e, o.connections || []));
 			}
 		},
 		emailProviders: {
@@ -650,22 +650,22 @@ function V(e, t) {
 				return !r || t === r.tenantId ? null : e.emailProviders.get(r.tenantId);
 			}
 		},
-		resourceServers: z(e, a),
-		hooks: se(e, a)
+		resourceServers: L(e, a),
+		hooks: pe(e, a)
 	};
 }
-function H(e) {
+function B(e) {
 	if (!e || typeof e != "object") return !1;
 	let t = e.metadata;
 	return !t || typeof t != "object" ? !1 : t.inheritable === !0;
 }
-function se(e, t) {
+function pe(e, t) {
 	return {
 		...e.hooks,
 		list: async (n, r) => {
 			let i = await e.hooks.list(n, r), a = await t(n);
 			if (!a || n === a.tenantId) return i;
-			let o = ((await e.hooks.list(a.tenantId, r)).hooks || []).filter(H);
+			let o = ((await e.hooks.list(a.tenantId, r)).hooks || []).filter(B);
 			if (o.length === 0) return i;
 			let s = new Set((i.hooks || []).map((e) => e.hook_id)), c = o.filter((e) => !s.has(e.hook_id));
 			return {
@@ -680,31 +680,31 @@ function se(e, t) {
 			let a = await t(n);
 			if (!a || n === a.tenantId) return i;
 			let o = await e.hooks.get(a.tenantId, r);
-			return o && H(o) ? o : null;
+			return o && B(o) ? o : null;
 		}
 	};
 }
-function U(e, t) {
-	return V(e, t);
+function V(e, t) {
+	return z(e, t);
 }
 //#endregion
 //#region src/middleware/index.ts
-function W(e) {
+function H(e) {
 	return async (t, n) => {
 		let r = t.var.user;
 		return r?.tenant_id === e && r.org_name && t.set("tenant_id", r.org_name), n();
 	};
 }
-function G(e) {
+function U(e) {
 	return async (n, r) => {
 		if (!e.accessControl) return r();
 		let { controlPlaneTenantId: i } = e.accessControl, a = n.var.org_name, o = n.var.organization_id, s = a || o, c = n.var.tenant_id, l = n.var.user, u = (l?.aud ? Array.isArray(l.aud) ? l.aud : [l.aud] : []).includes(t);
-		if (!c && s && u && (n.set("tenant_id", s), c = s), !c) throw new _(400, { message: "Tenant ID not found in request" });
-		if (!y(o, c, i, a)) throw new _(403, { message: `Access denied to tenant ${c}` });
+		if (!c && s && u && (n.set("tenant_id", s), c = s), !c) throw new x(400, { message: "Tenant ID not found in request" });
+		if (!C(o, c, i, a)) throw new x(403, { message: `Access denied to tenant ${c}` });
 		return r();
 	};
 }
-function K(e) {
+function W(e) {
 	return async (t, n) => {
 		if (!e.subdomainRouting) return n();
 		let { baseDomain: r, reservedSubdomains: i = [], resolveSubdomain: a } = e.subdomainRouting, o = t.req.header("x-forwarded-host") || t.req.header("host") || "", s = null;
@@ -719,43 +719,43 @@ function K(e) {
 			let n = await t.env.data.organizations.get(e.accessControl.controlPlaneTenantId, s);
 			n && (c = n.id);
 		} catch {}
-		if (!c) throw new _(404, { message: `Tenant not found for subdomain: ${s}` });
+		if (!c) throw new x(404, { message: `Tenant not found for subdomain: ${s}` });
 		return t.set("tenant_id", c), n();
 	};
 }
-function q(e) {
+function G(e) {
 	return async (t, n) => {
 		if (!e.databaseIsolation) return n();
 		let r = t.var.tenant_id;
-		if (!r) throw new _(400, { message: "Tenant ID not found in request" });
+		if (!r) throw new x(400, { message: "Tenant ID not found in request" });
 		try {
 			let n = await e.databaseIsolation.getAdapters(r);
 			t.env.data = n;
 		} catch (e) {
-			throw console.error(`Failed to resolve database for tenant ${r}:`, e), new _(500, { message: "Failed to resolve tenant database" });
+			throw console.error(`Failed to resolve database for tenant ${r}:`, e), new x(500, { message: "Failed to resolve tenant database" });
 		}
 		return n();
 	};
 }
-function J(e) {
-	let t = K(e), n = G(e), r = q(e);
+function K(e) {
+	let t = W(e), n = U(e), r = G(e);
 	return async (e, i) => (await t(e, async () => {}), await n(e, async () => {}), await r(e, async () => {}), i());
 }
 //#endregion
 //#region src/init.ts
-function ce(e) {
+function me(e) {
 	let { dataAdapter: t, controlPlane: n, controlPlane: { tenantId: r = "control_plane", clientId: i } = {}, resolveControlPlane: a, sync: o = {
 		resourceServers: !0,
 		roles: !0
-	}, defaultPermissions: s = ["tenant:admin"], requireOrganizationMatch: l = !1, managementApiExtensions: d = [], entityHooks: f, getChildTenantIds: p, getAdapters: m, ...h } = e;
+	}, defaultPermissions: s = ["tenant:admin"], requireOrganizationMatch: c = !1, managementApiExtensions: l = [], entityHooks: d, getChildTenantIds: p, getAdapters: m, ...h } = e;
 	if (a && !n) throw Error("initMultiTenant: `resolveControlPlane` requires `controlPlane` to be set. The static `controlPlane.tenantId` is used for access control, sync direction, and tenant management routing; the resolver only overrides per-tenant runtime inheritance lookups on top of it.");
 	let g = t, _ = t;
-	n && (g = U(t, {
+	n && (g = V(t, {
 		controlPlaneTenantId: r,
 		controlPlaneClientId: i,
 		resolveControlPlane: a
 	}), _ = {
-		...B(t, {
+		...R(t, {
 			controlPlaneTenantId: r,
 			resolveControlPlane: a
 		}),
@@ -771,67 +771,88 @@ function ce(e) {
 	} : {
 		resourceServers: !1,
 		roles: !1
-	}, { entityHooks: b, tenantHooks: x } = j({
+	}, { entityHooks: b, tenantHooks: x } = ie({
 		controlPlaneTenantId: r,
-		getChildTenantIds: p ?? (async () => (await c((e) => g.tenants.list(e), "tenants", {
+		getChildTenantIds: p ?? (async () => (await u((e) => g.tenants.list(e), "tenants", {
 			cursorField: "id",
 			pageSize: 100
 		})).filter((e) => e.id !== r).map((e) => e.id)),
 		getAdapters: m ?? (async () => g),
 		getControlPlaneAdapters: async () => g,
 		sync: y
-	}), C = {
-		resourceServers: [b.resourceServers, ...f?.resourceServers ?? []],
-		roles: [b.roles, ...f?.roles ?? []],
-		connections: f?.connections ?? [],
-		tenants: f?.tenants ?? [],
-		rolePermissions: f?.rolePermissions ?? []
-	}, w = S({ accessControl: {
+	}), S = {
+		resourceServers: [b.resourceServers, ...d?.resourceServers ?? []],
+		roles: [b.roles, ...d?.roles ?? []],
+		connections: d?.connections ?? [],
+		tenants: d?.tenants ?? [],
+		rolePermissions: d?.rolePermissions ?? []
+	}, C = E({ accessControl: {
 		controlPlaneTenantId: r,
-		requireOrganizationMatch: l,
+		requireOrganizationMatch: c,
 		defaultPermissions: s
-	} }), T = M({ accessControl: {
+	} }), w = j({ accessControl: {
 		controlPlaneTenantId: r,
-		requireOrganizationMatch: l,
+		requireOrganizationMatch: c,
 		defaultPermissions: s
 	} }, { tenants: {
 		async beforeCreate(e, t) {
-			return w.beforeCreate && (t = await w.beforeCreate(e, t)), x.beforeCreate && (t = await x.beforeCreate(e, t)), t;
+			return C.beforeCreate && (t = await C.beforeCreate(e, t)), x.beforeCreate && (t = await x.beforeCreate(e, t)), t;
 		},
 		async afterCreate(e, t) {
-			await w.afterCreate?.(e, t), await x.afterCreate?.(e, t);
+			await C.afterCreate?.(e, t), await x.afterCreate?.(e, t);
 		},
 		async beforeDelete(e, t) {
-			await w.beforeDelete?.(e, t), await x.beforeDelete?.(e, t);
+			await C.beforeDelete?.(e, t), await x.beforeDelete?.(e, t);
 		}
-	} }), { app: E } = u({
+	} }), { app: T } = f({
 		dataAdapter: g,
 		managementDataAdapter: _,
 		...h,
-		entityHooks: C,
-		managementApiExtensions: [...d, {
+		entityHooks: S,
+		managementApiExtensions: [...l, {
 			path: "/tenants",
-			router: T
+			router: w
 		}]
 	});
-	return E.use("/api/v2/*", W(r)), v && E.use("/api/v2/*", P()), {
-		app: E,
+	return T.use("/api/v2/*", H(r)), v && T.use("/api/v2/*", M()), {
+		app: T,
 		controlPlaneTenantId: r
 	};
 }
 //#endregion
 //#region src/rollout/defaults-projection.ts
-function Y() {
+function q(e = {}) {
+	return {
+		connections: e.connections ?? !0,
+		resourceServers: e.resourceServers ?? !0,
+		hooks: e.hooks ?? !0,
+		emailProvider: e.emailProvider ?? !0,
+		branding: e.branding ?? !0,
+		promptSettings: e.promptSettings ?? !0
+	};
+}
+function J() {
 	return {
 		upserted: 0,
 		errors: []
 	};
 }
-function le(e) {
+function he(e) {
+	return {
+		tenantId: e,
+		connections: J(),
+		resourceServers: J(),
+		hooks: J(),
+		emailProvider: J(),
+		branding: J(),
+		promptSettings: J()
+	};
+}
+function ge(e) {
 	let t = e.metadata;
 	return !!(t && t.inheritable === !0);
 }
-async function X(e, t, n, r) {
+async function Y(e, t, n, r) {
 	try {
 		await r();
 	} catch (r) {
@@ -840,90 +861,121 @@ async function X(e, t, n, r) {
 		e.errors.push(i);
 	}
 }
-async function Z(e, t) {
-	let { controlPlaneTenantId: n, getControlPlaneAdapters: r, getAdapters: a, entities: o = {}, continueOnError: s = !1 } = e, u = {
-		connections: o.connections ?? !0,
-		resourceServers: o.resourceServers ?? !0,
-		hooks: o.hooks ?? !0,
-		emailProvider: o.emailProvider ?? !0,
-		branding: o.branding ?? !0,
-		promptSettings: o.promptSettings ?? !0
-	}, f = await r(), p = await a(t), m = {
-		tenantId: t,
-		connections: Y(),
-		resourceServers: Y(),
-		hooks: Y(),
-		emailProvider: Y(),
-		branding: Y(),
-		promptSettings: Y()
-	};
-	if (u.connections) {
-		let e = await c((e) => f.connections.list(n, e), "connections", {
+async function _e(e, t, n) {
+	return {
+		connections: n.connections ? await u((n) => e.connections.list(t, n), "connections", {
 			cursorField: "id",
 			pageSize: 100
-		});
-		for (let t of e) {
-			let e = t.id;
-			e && await X(m.connections, `connection ${e}`, s, async () => {
-				let r = i.parse(t);
-				await p.connections.get(n, e) ? await p.connections.update(n, e, r) : await p.connections.create(n, r), m.connections.upserted += 1;
-			});
-		}
-	}
-	if (u.resourceServers) {
-		let e = await c((e) => f.resourceServers.list(n, e), "resource_servers", {
+		}) : [],
+		resourceServers: n.resourceServers ? await u((n) => e.resourceServers.list(t, n), "resource_servers", {
 			cursorField: "id",
 			pageSize: 100
-		});
-		for (let t of e) !t.is_system || !t.id || await X(m.resourceServers, `resource_server ${t.id}`, s, async () => {
-			let e = d.parse(t);
-			await p.resourceServers.get(n, t.id) ? await p.resourceServers.update(n, t.id, e) : await p.resourceServers.create(n, e), m.resourceServers.upserted += 1;
-		});
-	}
-	if (u.hooks) {
-		let e = await c((e) => f.hooks.list(n, e), "hooks", {
+		}) : [],
+		hooks: n.hooks ? await u((n) => e.hooks.list(t, n), "hooks", {
 			cursorField: "hook_id",
 			pageSize: 100
-		});
-		for (let t of e) !le(t) || !t.hook_id || await X(m.hooks, `hook ${t.hook_id}`, s, async () => {
-			let e = l.parse(t);
-			await p.hooks.get(n, t.hook_id) ? await p.hooks.update(n, t.hook_id, e) : await p.hooks.create(n, e), m.hooks.upserted += 1;
+		}) : [],
+		emailProvider: n.emailProvider ? await e.emailProviders.get(t) ?? null : null,
+		branding: n.branding ? await e.branding.get(t) ?? null : null,
+		promptSettings: n.promptSettings ? await e.promptSettings.get(t) ?? null : null
+	};
+}
+async function ve(e, t, n, r, i, o) {
+	if (r.connections) for (let r of e.connections) {
+		let e = r.id;
+		e && await Y(o.connections, `connection ${e}`, i, async () => {
+			let i = a.parse(r);
+			await t.connections.get(n, e) ? await t.connections.update(n, e, i) : await t.connections.create(n, i), o.connections.upserted += 1;
 		});
 	}
-	return u.emailProvider && await X(m.emailProvider, "email_provider", s, async () => {
-		let e = await f.emailProviders.get(n);
-		e && (await p.emailProviders.get(n) ? await p.emailProviders.update(n, e) : await p.emailProviders.create(n, e), m.emailProvider.upserted += 1);
-	}), u.branding && await X(m.branding, "branding", s, async () => {
-		let e = await f.branding.get(n);
-		e && (await p.branding.set(n, e), m.branding.upserted += 1);
-	}), u.promptSettings && await X(m.promptSettings, "prompt_settings", s, async () => {
-		let e = await f.promptSettings.get(n);
-		e && (await p.promptSettings.set(n, e), m.promptSettings.upserted += 1);
-	}), m;
+	if (r.resourceServers) for (let r of e.resourceServers) !r.is_system || !r.id || await Y(o.resourceServers, `resource_server ${r.id}`, i, async () => {
+		let e = h.parse(r);
+		await t.resourceServers.get(n, r.id) ? await t.resourceServers.update(n, r.id, e) : await t.resourceServers.create(n, e), o.resourceServers.upserted += 1;
+	});
+	if (r.hooks) for (let r of e.hooks) !ge(r) || !r.hook_id || await Y(o.hooks, `hook ${r.hook_id}`, i, async () => {
+		let e = d.parse(r);
+		await t.hooks.get(n, r.hook_id) ? await t.hooks.update(n, r.hook_id, e) : await t.hooks.create(n, e), o.hooks.upserted += 1;
+	});
+	r.emailProvider && e.emailProvider && await Y(o.emailProvider, "email_provider", i, async () => {
+		let r = e.emailProvider;
+		await t.emailProviders.get(n) ? await t.emailProviders.update(n, r) : await t.emailProviders.create(n, r), o.emailProvider.upserted += 1;
+	}), r.branding && e.branding && await Y(o.branding, "branding", i, async () => {
+		await t.branding.set(n, e.branding), o.branding.upserted += 1;
+	}), r.promptSettings && e.promptSettings && await Y(o.promptSettings, "prompt_settings", i, async () => {
+		await t.promptSettings.set(n, e.promptSettings), o.promptSettings.upserted += 1;
+	});
+}
+async function X(e, t) {
+	let { controlPlaneTenantId: n, getControlPlaneAdapters: r, getAdapters: i, entities: a, continueOnError: o = !1 } = e, s = q(a), c = await _e(await r(), n, s), l = await i(t), u = he(t);
+	return await ve(c, l, n, s, o, u), u;
+}
+//#endregion
+//#region src/rollout/payload.ts
+function Z(e) {
+	let { pkcs7: t, tenant_id: n, ...r } = e;
+	return r;
+}
+async function ye(e, t, n = {}) {
+	let r = q(n), i = n.signingKeys ?? !0, a = await _e(e, t, r), o = i ? (await p(e.keys)).map(Z) : [];
+	return {
+		connections: a.connections,
+		resourceServers: a.resourceServers.filter((e) => e.is_system),
+		hooks: a.hooks.filter(ge),
+		emailProvider: a.emailProvider,
+		branding: a.branding,
+		promptSettings: a.promptSettings,
+		signingKeys: o
+	};
+}
+async function be(e, t, n) {
+	let r = J();
+	if (e.length === 0) return r;
+	let i = await p(t.keys), a = new Set(i.map((e) => e.kid));
+	for (let i of e) await Y(r, `signing_key ${i.kid}`, n, async () => {
+		let e = Z(i);
+		a.has(e.kid) || (await t.keys.create(e), a.add(e.kid), r.upserted += 1);
+	});
+	return r;
+}
+async function xe(e, t, n, r = {}) {
+	let a = r.continueOnError ?? !1, o = q(r.entities), s = r.entities?.signingKeys ?? !0, c = {
+		connections: e.connections,
+		resourceServers: e.resourceServers,
+		hooks: e.hooks,
+		emailProvider: e.emailProvider ? l.parse(e.emailProvider) : null,
+		branding: e.branding ? i.parse(e.branding) : null,
+		promptSettings: e.promptSettings ? m.parse(e.promptSettings) : null
+	}, u = he(n);
+	await ve(c, t, n, o, a, u);
+	let d = s ? await be(e.signingKeys, t, a) : J();
+	return {
+		...u,
+		signingKeys: d
+	};
 }
 //#endregion
 //#region src/rollout/index.ts
-function ue(e) {
+function Se(e) {
 	return {
-		syncDefaults: (t) => Z(e, t),
+		syncDefaults: (t) => X(e, t),
 		syncDefaultsToTenants: async (t) => {
 			let n = [];
-			for (let r of t) n.push(await Z(e, r));
+			for (let r of t) n.push(await X(e, r));
 			return n;
 		}
 	};
 }
 //#endregion
 //#region src/plugin.ts
-function de(e) {
+function Ce(e) {
 	let t = Q(e);
 	return {
 		name: "multi-tenancy",
-		middleware: J(e),
+		middleware: K(e),
 		hooks: t,
 		routes: [{
 			path: "/management",
-			handler: M(e, t)
+			handler: j(e, t)
 		}],
 		onRegister: async () => {
 			console.log("Multi-tenancy plugin registered"), e.accessControl && console.log(`  - Access control enabled (control plane: ${e.accessControl.controlPlaneTenantId})`), e.subdomainRouting && console.log(`  - Subdomain routing enabled (base domain: ${e.subdomainRouting.baseDomain})`), e.databaseIsolation && console.log("  - Database isolation enabled");
@@ -933,7 +985,7 @@ function de(e) {
 //#endregion
 //#region src/index.ts
 function Q(e) {
-	let t = e.accessControl ? v(e.accessControl) : {}, n = e.databaseIsolation ? b(e.databaseIsolation) : {}, r = S(e);
+	let t = e.accessControl ? S(e.accessControl) : {}, n = e.databaseIsolation ? w(e.databaseIsolation) : {}, r = E(e);
 	return {
 		...t,
 		...n,
@@ -942,19 +994,19 @@ function Q(e) {
 }
 function $(t) {
 	let n = new e(), r = Q(t);
-	return n.route("/tenants", M(t, r)), n;
+	return n.route("/tenants", j(t, r)), n;
 }
-function fe(e) {
+function we(e) {
 	return {
 		hooks: Q(e),
-		middleware: J(e),
+		middleware: K(e),
 		app: $(e),
 		config: e,
-		wrapAdapters: (t, n) => U(t, {
+		wrapAdapters: (t, n) => V(t, {
 			controlPlaneTenantId: e.accessControl?.controlPlaneTenantId,
 			controlPlaneClientId: n?.controlPlaneClientId
 		})
 	};
 }
 //#endregion
-export { v as createAccessControlHooks, G as createAccessControlMiddleware, W as createControlPlaneTenantMiddleware, b as createDatabaseHooks, q as createDatabaseMiddleware, ue as createDirectRolloutAdapter, $ as createMultiTenancy, Q as createMultiTenancyHooks, J as createMultiTenancyMiddleware, de as createMultiTenancyPlugin, P as createProtectSyncedMiddleware, S as createProvisioningHooks, V as createRuntimeFallbackAdapter, K as createSubdomainMiddleware, j as createSyncHooks, M as createTenantsOpenAPIRouter, ce as initMultiTenant, oe as mergeClientWithFallback, Z as projectControlPlaneDefaults, fe as setupMultiTenancy, y as validateTenantAccess, U as withRuntimeFallback, B as withSystemResourceServerInheritance };
+export { xe as applyControlPlaneDefaultsPayload, ye as buildControlPlaneDefaultsPayload, S as createAccessControlHooks, U as createAccessControlMiddleware, H as createControlPlaneTenantMiddleware, w as createDatabaseHooks, G as createDatabaseMiddleware, Se as createDirectRolloutAdapter, $ as createMultiTenancy, Q as createMultiTenancyHooks, K as createMultiTenancyMiddleware, Ce as createMultiTenancyPlugin, M as createProtectSyncedMiddleware, E as createProvisioningHooks, z as createRuntimeFallbackAdapter, W as createSubdomainMiddleware, ie as createSyncHooks, j as createTenantsOpenAPIRouter, me as initMultiTenant, fe as mergeClientWithFallback, X as projectControlPlaneDefaults, we as setupMultiTenancy, C as validateTenantAccess, V as withRuntimeFallback, R as withSystemResourceServerInheritance };