@authhero/multi-tenancy 14.9.0 → 14.11.0

package/dist/multi-tenancy.mjs

@@ -1,30 +1,30 @@
-var X = Object.defineProperty;
-var Y = (e, t, n) => t in e ? X(e, t, { enumerable: !0, configurable: !0, writable: !0, value: n }) : e[t] = n;
-var R = (e, t, n) => Y(e, typeof t != "symbol" ? t + "" : t, n);
-import { Hono as Z } from "hono";
-import { MANAGEMENT_API_SCOPES as x, MANAGEMENT_API_AUDIENCE as V, fetchAll as F, auth0QuerySchema as ee, tenantSchema as H, tenantInsertSchema as te, connectionSchema as ne, connectionOptionsSchema as re, init as ae } from "authhero";
-import { OpenAPIHono as se, createRoute as D, z as S } from "@hono/zod-openapi";
-function oe(e) {
+var Y = Object.defineProperty;
+var Z = (e, t, n) => t in e ? Y(e, t, { enumerable: !0, configurable: !0, writable: !0, value: n }) : e[t] = n;
+var M = (e, t, n) => Z(e, typeof t != "symbol" ? t + "" : t, n);
+import { Hono as x } from "hono";
+import { MANAGEMENT_API_SCOPES as ee, MANAGEMENT_API_AUDIENCE as Q, fetchAll as z, auth0QuerySchema as te, tenantSchema as N, tenantInsertSchema as ne, connectionSchema as re, connectionOptionsSchema as se, init as ae } from "authhero";
+import { OpenAPIHono as oe, createRoute as O, z as S } from "@hono/zod-openapi";
+function ie(e) {
   const { controlPlaneTenantId: t, requireOrganizationMatch: n = !0 } = e;
   return {
     async onTenantAccessValidation(r, s) {
       if (s === t)
         return !0;
       if (n) {
-        const o = r.var.org_name, i = r.var.organization_id, a = o || i;
-        return a ? a.toLowerCase() === s.toLowerCase() : !1;
+        const a = r.var.org_name, o = r.var.organization_id, i = a || o;
+        return i ? i.toLowerCase() === s.toLowerCase() : !1;
       }
       return !0;
     }
   };
 }
-function ie(e, t, n, r) {
+function ce(e, t, n, r) {
   if (t === n)
     return !0;
   const s = r || e;
   return s ? s.toLowerCase() === t.toLowerCase() : !1;
 }
-function ce(e) {
+function le(e) {
   return {
     async resolveDataAdapters(t) {
       try {
@@ -39,57 +39,57 @@ function ce(e) {
     }
   };
 }
-function le(e) {
+function ue(e) {
   return `urn:authhero:tenant:${e.toLowerCase()}`;
 }
-function ue(e) {
+function de(e) {
   return {
     async beforeCreate(t, n) {
       return !n.audience && n.id ? {
         ...n,
-        audience: le(n.id)
+        audience: ue(n.id)
       } : n;
     },
     async afterCreate(t, n) {
       const { accessControl: r, databaseIsolation: s } = e;
-      r && t.ctx && await de(t, n, r), s != null && s.onProvision && await s.onProvision(n.id);
+      r && t.ctx && await fe(t, n, r), s != null && s.onProvision && await s.onProvision(n.id);
     },
     async beforeDelete(t, n) {
       const { accessControl: r, databaseIsolation: s } = e;
       if (r)
         try {
-          const i = (await t.adapters.organizations.list(
+          const o = (await t.adapters.organizations.list(
             r.controlPlaneTenantId
-          )).organizations.find((a) => a.name === n);
-          i && await t.adapters.organizations.remove(
+          )).organizations.find((i) => i.name === n);
+          o && await t.adapters.organizations.remove(
             r.controlPlaneTenantId,
-            i.id
+            o.id
           );
-        } catch (o) {
+        } catch (a) {
           console.warn(
             `Failed to remove organization for tenant ${n}:`,
-            o
+            a
           );
         }
       if (s != null && s.onDeprovision)
         try {
           await s.onDeprovision(n);
-        } catch (o) {
+        } catch (a) {
           console.warn(
             `Failed to deprovision database for tenant ${n}:`,
-            o
+            a
           );
         }
     }
   };
 }
-async function de(e, t, n) {
+async function fe(e, t, n) {
   const {
     controlPlaneTenantId: r,
     defaultPermissions: s,
-    defaultRoles: o,
-    issuer: i,
-    adminRoleName: a = "Tenant Admin",
+    defaultRoles: a,
+    issuer: o,
+    adminRoleName: i = "Tenant Admin",
     adminRoleDescription: u = "Full access to all tenant management operations",
     addCreatorToOrganization: c = !0
   } = n, l = await e.adapters.organizations.create(
@@ -100,14 +100,14 @@ async function de(e, t, n) {
     }
   );
   let g;
-  if (i && (g = await me(
+  if (o && (g = await ge(
     e,
     r,
-    a,
+    i,
     u
   )), c && e.ctx) {
     const d = e.ctx.var.user;
-    if (d != null && d.sub && !await fe(
+    if (d != null && d.sub && !await me(
       e,
       r,
       d.sub
@@ -130,13 +130,13 @@ async function de(e, t, n) {
         );
       }
   }
-  o && o.length > 0 && console.log(
-    `Would assign roles ${o.join(", ")} to organization ${l.id}`
+  a && a.length > 0 && console.log(
+    `Would assign roles ${a.join(", ")} to organization ${l.id}`
   ), s && s.length > 0 && console.log(
     `Would grant permissions ${s.join(", ")} to organization ${l.id}`
   );
 }
-async function fe(e, t, n) {
+async function me(e, t, n) {
   const r = await e.adapters.userRoles.list(
     t,
     n,
@@ -150,46 +150,46 @@ async function fe(e, t, n) {
       s.id,
       { per_page: 1e3 }
     )).some(
-      (a) => a.permission_name === "admin:organizations"
+      (i) => i.permission_name === "admin:organizations"
     ))
       return !0;
   return !1;
 }
-async function me(e, t, n, r) {
-  const o = (await e.adapters.roles.list(t, {})).roles.find((c) => c.name === n);
-  if (o)
-    return o.id;
-  const i = await e.adapters.roles.create(t, {
+async function ge(e, t, n, r) {
+  const a = (await e.adapters.roles.list(t, {})).roles.find((c) => c.name === n);
+  if (a)
+    return a.id;
+  const o = await e.adapters.roles.create(t, {
     name: n,
     description: r
-  }), a = V, u = x.map((c) => ({
-    role_id: i.id,
-    resource_server_identifier: a,
+  }), i = Q, u = ee.map((c) => ({
+    role_id: o.id,
+    resource_server_identifier: i,
     permission_name: c.value
   }));
   return await e.adapters.rolePermissions.assign(
     t,
-    i.id,
+    o.id,
     u
-  ), i.id;
+  ), o.id;
 }
-function B(e, t, n = () => !0) {
-  const { controlPlaneTenantId: r, getChildTenantIds: s, getAdapters: o } = e, i = /* @__PURE__ */ new Map();
-  async function a(l, g, d) {
+function H(e, t, n = () => !0) {
+  const { controlPlaneTenantId: r, getChildTenantIds: s, getAdapters: a } = e, o = /* @__PURE__ */ new Map();
+  async function i(l, g, d) {
     return (await t(l).list(g, {
       q: `name:${d}`,
       per_page: 1
     }))[0] ?? null;
   }
   async function u(l) {
-    const g = await s(), d = t(await o(r));
+    const g = await s(), d = t(await a(r));
     await Promise.all(
       g.map(async (f) => {
         try {
-          const m = await o(f), w = t(m), p = {
+          const m = await a(f), w = t(m), p = {
             ...d.transform(l),
             is_system: !0
-          }, y = await a(m, f, l.name), _ = y ? w.getId(y) : void 0;
+          }, y = await i(m, f, l.name), _ = y ? w.getId(y) : void 0;
           if (y && _) {
             const T = w.preserveOnUpdate ? w.preserveOnUpdate(y, p) : p;
             await w.update(f, _, T);
@@ -209,7 +209,7 @@ function B(e, t, n = () => !0) {
     await Promise.all(
       g.map(async (d) => {
         try {
-          const f = await o(d), m = t(f), w = await a(f, d, l), h = w ? m.getId(w) : void 0;
+          const f = await a(d), m = t(f), w = await i(f, d, l), h = w ? m.getId(w) : void 0;
           w && h && await m.remove(d, h);
         } catch (f) {
           console.error(
@@ -230,22 +230,22 @@ function B(e, t, n = () => !0) {
     beforeDelete: async (l, g) => {
       if (l.tenantId !== r) return;
       const f = await t(l.adapters).get(l.tenantId, g);
-      f && n(f) && i.set(g, f);
+      f && n(f) && o.set(g, f);
     },
     afterDelete: async (l, g) => {
       if (l.tenantId !== r) return;
-      const d = i.get(g);
-      d && (i.delete(g), await c(d.name));
+      const d = o.get(g);
+      d && (o.delete(g), await c(d.name));
     }
   };
 }
-function G(e, t, n = () => !0) {
-  const { controlPlaneTenantId: r, getControlPlaneAdapters: s, getAdapters: o } = e;
+function B(e, t, n = () => !0) {
+  const { controlPlaneTenantId: r, getControlPlaneAdapters: s, getAdapters: a } = e;
   return {
-    async afterCreate(i, a) {
-      if (a.id !== r)
+    async afterCreate(o, i) {
+      if (i.id !== r)
         try {
-          const u = await s(), c = await o(a.id), l = t(u), g = t(c), d = await F(
+          const u = await s(), c = await a(i.id), l = t(u), g = t(c), d = await z(
             (f) => l.listPaginated(r, f),
             l.listKey,
             { cursorField: "id", pageSize: 100 }
@@ -254,13 +254,13 @@ function G(e, t, n = () => !0) {
             d.filter((f) => n(f)).map(async (f) => {
               try {
                 const m = l.transform(f);
-                await g.create(a.id, {
+                await g.create(i.id, {
                   ...m,
                   is_system: !0
                 });
               } catch (m) {
                 console.error(
-                  `Failed to sync entity to new tenant "${a.id}":`,
+                  `Failed to sync entity to new tenant "${i.id}":`,
                   m
                 );
               }
@@ -268,14 +268,14 @@ function G(e, t, n = () => !0) {
           );
         } catch (u) {
           console.error(
-            `Failed to sync entities to new tenant "${a.id}":`,
+            `Failed to sync entities to new tenant "${i.id}":`,
             u
           );
         }
     }
   };
 }
-const L = (e) => ({
+const G = (e) => ({
   list: async (t, n) => (await e.resourceServers.list(t, n)).resource_servers,
   listPaginated: (t, n) => e.resourceServers.list(t, n),
   get: (t, n) => e.resourceServers.get(t, n),
@@ -308,34 +308,34 @@ const L = (e) => ({
     description: t.description
   })
 });
-function W(e) {
+function L(e) {
   var t;
   return ((t = e.metadata) == null ? void 0 : t.sync) !== !1;
 }
-function ge(e) {
-  const { sync: t = {}, filters: n = {} } = e, r = t.resourceServers ?? !0, s = t.roles ?? !0, o = (m) => W(m) ? n.resourceServers ? n.resourceServers(m) : !0 : !1, i = (m) => W(m) ? n.roles ? n.roles(m) : !0 : !1, a = r ? B(
+function we(e) {
+  const { sync: t = {}, filters: n = {} } = e, r = t.resourceServers ?? !0, s = t.roles ?? !0, a = (m) => L(m) ? n.resourceServers ? n.resourceServers(m) : !0 : !1, o = (m) => L(m) ? n.roles ? n.roles(m) : !0 : !1, i = r ? H(
     e,
-    L,
-    o
-  ) : void 0, u = s ? B(
+    G,
+    a
+  ) : void 0, u = s ? H(
     e,
     U,
-    i
-  ) : void 0, c = r ? G(
-    e,
-    L,
     o
-  ) : void 0, l = s ? G(
+  ) : void 0, c = r ? B(
+    e,
+    G,
+    a
+  ) : void 0, l = s ? B(
     e,
     U,
-    i
+    o
   ) : void 0, g = s ? {
     async afterCreate(m, w) {
       var h;
       if (w.id !== e.controlPlaneTenantId) {
         await ((h = l == null ? void 0 : l.afterCreate) == null ? void 0 : h.call(l, m, w));
         try {
-          const p = await e.getControlPlaneAdapters(), y = await e.getAdapters(w.id), _ = await F(
+          const p = await e.getControlPlaneAdapters(), y = await e.getAdapters(w.id), _ = await z(
             (C) => p.roles.list(
               e.controlPlaneTenantId,
               C
@@ -403,7 +403,7 @@ function ge(e) {
   }
   return {
     entityHooks: {
-      resourceServers: a,
+      resourceServers: i,
       roles: u
     },
     tenantHooks: {
@@ -437,8 +437,8 @@ var b = class extends Error {
    */
   constructor(t = 500, n) {
     super(n == null ? void 0 : n.message, { cause: n == null ? void 0 : n.cause });
-    R(this, "res");
-    R(this, "status");
+    M(this, "res");
+    M(this, "status");
     this.res = n == null ? void 0 : n.res, this.status = t;
   }
   /**
@@ -455,15 +455,15 @@ var b = class extends Error {
     });
   }
 };
-function j(e, t) {
-  const n = new se();
+function q(e, t) {
+  const n = new oe();
   return n.openapi(
-    D({
+    O({
       tags: ["tenants"],
       method: "get",
       path: "/",
       request: {
-        query: ee
+        query: te
       },
       security: [
         {
@@ -475,7 +475,7 @@ function j(e, t) {
           content: {
             "application/json": {
               schema: S.object({
-                tenants: S.array(H),
+                tenants: S.array(N),
                 start: S.number().optional(),
                 limit: S.number().optional(),
                 length: S.number().optional()
@@ -488,74 +488,74 @@ function j(e, t) {
     }),
     async (r) => {
       var m, w, h, p, y, _;
-      const s = r.req.valid("query"), { page: o, per_page: i, include_totals: a, q: u } = s, c = r.var.user, l = (c == null ? void 0 : c.permissions) || [];
+      const s = r.req.valid("query"), { page: a, per_page: o, include_totals: i, q: u } = s, c = r.var.user, l = (c == null ? void 0 : c.permissions) || [];
       if (l.includes("auth:read") || l.includes("admin:organizations")) {
         const T = await r.env.data.tenants.list({
-          page: o,
-          per_page: i,
-          include_totals: a,
+          page: a,
+          per_page: o,
+          include_totals: i,
           q: u
         });
-        return a ? r.json({
+        return i ? r.json({
           tenants: T.tenants,
           start: ((m = T.totals) == null ? void 0 : m.start) ?? 0,
-          limit: ((w = T.totals) == null ? void 0 : w.limit) ?? i,
+          limit: ((w = T.totals) == null ? void 0 : w.limit) ?? o,
           length: T.tenants.length
         }) : r.json({ tenants: T.tenants });
       }
       const d = ((h = e.accessControl) == null ? void 0 : h.controlPlaneTenantId) ?? ((p = r.env.data.multiTenancyConfig) == null ? void 0 : p.controlPlaneTenantId);
       if (d && (c != null && c.sub)) {
-        const C = (await F(
-          (z) => r.env.data.userOrganizations.listUserOrganizations(
+        const C = (await z(
+          ($) => r.env.data.userOrganizations.listUserOrganizations(
             d,
             c.sub,
-            z
+            $
           ),
           "organizations"
-        )).map((z) => z.name);
+        )).map(($) => $.name);
         if (C.length === 0)
-          return a ? r.json({
+          return i ? r.json({
             tenants: [],
             start: 0,
-            limit: i ?? 50,
+            limit: o ?? 50,
             length: 0
           }) : r.json({ tenants: [] });
-        const v = C.length, P = o ?? 0, A = i ?? 50, $ = P * A, I = C.slice($, $ + A);
+        const v = C.length, P = a ?? 0, A = o ?? 50, R = P * A, I = C.slice(R, R + A);
         if (I.length === 0)
-          return a ? r.json({
+          return i ? r.json({
             tenants: [],
-            start: $,
+            start: R,
             limit: A,
             length: v
           }) : r.json({ tenants: [] });
-        const E = I.map((z) => `id:${z}`).join(" OR "), J = u ? `(${E}) AND (${u})` : E, N = await r.env.data.tenants.list({
-          q: J,
+        const k = I.map(($) => `id:${$}`).join(" OR "), X = u ? `(${k}) AND (${u})` : k, E = await r.env.data.tenants.list({
+          q: X,
           per_page: A,
           include_totals: !1
           // We calculate totals from accessibleTenantIds
         });
-        return a ? r.json({
-          tenants: N.tenants,
-          start: $,
+        return i ? r.json({
+          tenants: E.tenants,
+          start: R,
           limit: A,
           length: v
-        }) : r.json({ tenants: N.tenants });
+        }) : r.json({ tenants: E.tenants });
       }
       const f = await r.env.data.tenants.list({
-        page: o,
-        per_page: i,
-        include_totals: a,
+        page: a,
+        per_page: o,
+        include_totals: i,
         q: u
       });
-      return a ? r.json({
+      return i ? r.json({
         tenants: f.tenants,
         start: ((y = f.totals) == null ? void 0 : y.start) ?? 0,
-        limit: ((_ = f.totals) == null ? void 0 : _.limit) ?? i,
+        limit: ((_ = f.totals) == null ? void 0 : _.limit) ?? o,
         length: f.tenants.length
       }) : r.json({ tenants: f.tenants });
     }
   ), n.openapi(
-    D({
+    O({
       tags: ["tenants"],
       method: "post",
       path: "/",
@@ -563,7 +563,7 @@ function j(e, t) {
         body: {
           content: {
             "application/json": {
-              schema: te
+              schema: ne
             }
           }
         }
@@ -577,7 +577,7 @@ function j(e, t) {
         201: {
           content: {
             "application/json": {
-              schema: H
+              schema: N
             }
           },
           description: "Tenant created"
@@ -597,17 +597,17 @@ function j(e, t) {
         throw new b(401, {
           message: "Authentication required to create tenants"
         });
-      let o = r.req.valid("json");
-      const i = {
+      let a = r.req.valid("json");
+      const o = {
         adapters: r.env.data,
         ctx: r
       };
-      (u = t.tenants) != null && u.beforeCreate && (o = await t.tenants.beforeCreate(i, o));
-      const a = await r.env.data.tenants.create(o);
-      return (c = t.tenants) != null && c.afterCreate && await t.tenants.afterCreate(i, a), r.json(a, 201);
+      (u = t.tenants) != null && u.beforeCreate && (a = await t.tenants.beforeCreate(o, a));
+      const i = await r.env.data.tenants.create(a);
+      return (c = t.tenants) != null && c.afterCreate && await t.tenants.afterCreate(o, i), r.json(i, 201);
     }
   ), n.openapi(
-    D({
+    O({
       tags: ["tenants"],
       method: "delete",
       path: "/{id}",
@@ -635,20 +635,20 @@ function j(e, t) {
     }),
     async (r) => {
       var u, c, l, g;
-      const { id: s } = r.req.valid("param"), o = ((u = e.accessControl) == null ? void 0 : u.controlPlaneTenantId) ?? ((c = r.env.data.multiTenancyConfig) == null ? void 0 : c.controlPlaneTenantId);
-      if (o) {
+      const { id: s } = r.req.valid("param"), a = ((u = e.accessControl) == null ? void 0 : u.controlPlaneTenantId) ?? ((c = r.env.data.multiTenancyConfig) == null ? void 0 : c.controlPlaneTenantId);
+      if (a) {
         const d = r.var.user;
         if (!(d != null && d.sub))
           throw new b(401, {
             message: "Authentication required"
           });
-        if (s === o)
+        if (s === a)
           throw new b(403, {
             message: "Cannot delete the control plane"
           });
-        if (!(await F(
+        if (!(await z(
           (w) => r.env.data.userOrganizations.listUserOrganizations(
-            o,
+            a,
             d.sub,
             w
           ),
@@ -662,15 +662,15 @@ function j(e, t) {
         throw new b(404, {
           message: "Tenant not found"
         });
-      const a = {
+      const i = {
         adapters: r.env.data,
         ctx: r
       };
-      return (l = t.tenants) != null && l.beforeDelete && await t.tenants.beforeDelete(a, s), await r.env.data.tenants.remove(s), (g = t.tenants) != null && g.afterDelete && await t.tenants.afterDelete(a, s), r.body(null, 204);
+      return (l = t.tenants) != null && l.beforeDelete && await t.tenants.beforeDelete(i, s), await r.env.data.tenants.remove(s), (g = t.tenants) != null && g.afterDelete && await t.tenants.afterDelete(i, s), r.body(null, 204);
     }
   ), n;
 }
-function we(e) {
+function pe(e) {
   const t = [
     {
       pattern: /\/api\/v2\/resource-servers\/([^/]+)$/,
@@ -686,7 +686,7 @@ function we(e) {
   }
   return null;
 }
-async function pe(e, t, n) {
+async function ye(e, t, n) {
   try {
     switch (n.type) {
       case "resource_server": {
@@ -708,88 +708,93 @@ async function pe(e, t, n) {
     return !1;
   }
 }
-function ye(e) {
+function he(e) {
   return {
     resource_server: "resource server",
     role: "role",
     connection: "connection"
   }[e];
 }
-function he() {
+function ve() {
   return async (e, t) => {
     if (!["PATCH", "PUT", "DELETE"].includes(e.req.method))
       return t();
-    const n = we(e.req.path);
+    const n = pe(e.req.path);
     if (!n)
       return t();
     const r = e.var.tenant_id || e.req.header("x-tenant-id") || e.req.header("tenant-id");
     if (!r)
       return t();
-    if (await pe(e.env.data, r, n))
+    if (await ye(e.env.data, r, n))
       throw new b(403, {
-        message: `This ${ye(n.type)} is a system resource and cannot be modified. Make changes in the control plane instead.`
+        message: `This ${he(n.type)} is a system resource and cannot be modified. Make changes in the control plane instead.`
       });
     return t();
   };
 }
-const ve = [
-  "client_secret",
-  "app_secret",
-  "twilio_token"
-];
-function _e(e) {
-  if (!e) return e;
-  const t = { ...e };
-  for (const n of ve)
-    delete t[n];
-  return t;
-}
-function M(e, t, n) {
-  const r = t.find(
-    (i) => i.strategy === e.strategy
+function D(e, t) {
+  const n = t.find(
+    (s) => s.strategy === e.strategy
   );
-  if (!(r != null && r.options))
+  if (!(n != null && n.options))
     return e;
-  const s = ne.passthrough().parse({
-    ...r,
+  const r = re.passthrough().parse({
+    ...n,
     ...e
-  }), o = n ? _e(r.options) : r.options;
-  return s.options = re.passthrough().parse({
-    ...o || {},
+  });
+  return r.options = se.passthrough().parse({
+    ...n.options || {},
     ...e.options
-  }), s;
+  }), r;
 }
-function O(e, t) {
+function F(e, t) {
   const n = [
     ...t || [],
     ...e || []
   ];
   return [...new Set(n)];
 }
+function _e(e, t) {
+  if (!(t != null && t.length))
+    return e || [];
+  if (!(e != null && e.length))
+    return t;
+  const n = /* @__PURE__ */ new Map();
+  for (const r of t)
+    n.set(r.value, r);
+  for (const r of e)
+    n.set(r.value, r);
+  return Array.from(n.values());
+}
+function W(e, t) {
+  return t ? {
+    ...e,
+    scopes: _e(
+      e.scopes,
+      t.scopes
+    )
+  } : e;
+}
 function K(e, t) {
   return t ? {
     ...e,
-    callbacks: O(e.callbacks, t.callbacks),
-    web_origins: O(
+    callbacks: F(e.callbacks, t.callbacks),
+    web_origins: F(
       e.web_origins,
       t.web_origins
     ),
-    allowed_logout_urls: O(
+    allowed_logout_urls: F(
       e.allowed_logout_urls,
       t.allowed_logout_urls
     ),
-    allowed_origins: O(
+    allowed_origins: F(
       e.allowed_origins,
       t.allowed_origins
     )
   } : e;
 }
 function Te(e, t) {
-  const {
-    controlPlaneTenantId: n,
-    controlPlaneClientId: r,
-    excludeSensitiveFields: s = !1
-  } = t;
+  const { controlPlaneTenantId: n, controlPlaneClientId: r } = t;
   return {
     ...e,
     // Store config for use by tenants route access control
@@ -799,91 +804,126 @@ function Te(e, t) {
     },
     connections: {
       ...e.connections,
-      get: async (o, i) => {
-        const a = await e.connections.get(
-          o,
-          i
+      get: async (s, a) => {
+        const o = await e.connections.get(
+          s,
+          a
         );
-        if (!a || !n || o === n)
-          return a;
-        const u = await e.connections.list(n);
-        return M(
-          a,
-          u.connections || [],
-          s
+        if (!o || !n || s === n)
+          return o;
+        const i = await e.connections.list(n);
+        return D(
+          o,
+          i.connections || []
         );
       },
-      list: async (o, i) => {
-        const a = await e.connections.list(o, i);
-        if (!n || o === n)
-          return a;
-        const u = await e.connections.list(n), c = a.connections.map(
-          (l) => M(
-            l,
-            u.connections || [],
-            s
+      list: async (s, a) => {
+        const o = await e.connections.list(s, a);
+        if (!n || s === n)
+          return o;
+        const i = await e.connections.list(n), u = o.connections.map(
+          (c) => D(
+            c,
+            i.connections || []
           )
         );
         return {
-          ...a,
-          connections: c
+          ...o,
+          connections: u
         };
       }
     },
     clientConnections: {
       ...e.clientConnections,
-      listByClient: async (o, i) => {
-        let a = await e.clientConnections.listByClient(
-          o,
-          i
+      listByClient: async (s, a) => {
+        let o = await e.clientConnections.listByClient(
+          s,
+          a
         );
-        if (a.length === 0 && (a = (await e.connections.list(o)).connections || []), !n || o === n)
-          return a;
-        const u = await e.connections.list(n);
-        return a.map(
-          (c) => M(
-            c,
-            u.connections || [],
-            s
+        if (o.length === 0 && (o = (await e.connections.list(s)).connections || []), !n || s === n)
+          return o;
+        const i = await e.connections.list(n);
+        return o.map(
+          (u) => D(
+            u,
+            i.connections || []
           )
         );
       }
     },
     clients: {
       ...e.clients,
-      get: async (o, i) => {
-        const a = await e.clients.get(o, i);
-        if (!a)
+      get: async (s, a) => {
+        const o = await e.clients.get(s, a);
+        if (!o)
           return null;
-        if (!n || !r || o === n && i === r)
-          return a;
-        const u = await e.clients.get(
+        if (!n || !r || s === n && a === r)
+          return o;
+        const i = await e.clients.get(
           n,
           r
         );
-        return K(a, u);
+        return K(o, i);
       },
-      getByClientId: async (o) => {
-        const i = await e.clients.getByClientId(o);
-        if (!i)
+      getByClientId: async (s) => {
+        const a = await e.clients.getByClientId(s);
+        if (!a)
           return null;
-        if (!n || !r || i.tenant_id === n && i.client_id === r)
-          return i;
-        const a = await e.clients.get(
+        if (!n || !r || a.tenant_id === n && a.client_id === r)
+          return a;
+        const o = await e.clients.get(
           n,
           r
         );
         return {
-          ...K(i, a),
-          tenant_id: i.tenant_id
+          ...K(a, o),
+          tenant_id: a.tenant_id
         };
       }
     },
     emailProviders: {
       ...e.emailProviders,
-      get: async (o) => {
-        const i = await e.emailProviders.get(o);
-        return i || (!n || o === n ? null : e.emailProviders.get(n));
+      get: async (s) => {
+        const a = await e.emailProviders.get(s);
+        return a || (!n || s === n ? null : e.emailProviders.get(n));
+      }
+    },
+    resourceServers: {
+      ...e.resourceServers,
+      get: async (s, a) => {
+        const o = await e.resourceServers.get(
+          s,
+          a
+        );
+        if (!o || !n || s === n)
+          return o;
+        const u = (await e.resourceServers.list(
+          n,
+          { q: `identifier:${o.identifier}`, per_page: 1 }
+        )).resource_servers[0] ?? null;
+        return W(
+          o,
+          u
+        );
+      },
+      list: async (s, a) => {
+        const o = await e.resourceServers.list(s, a);
+        if (!n || s === n)
+          return o;
+        const i = await e.resourceServers.list(
+          n
+        ), u = new Map(
+          i.resource_servers.map((l) => [l.identifier, l])
+        ), c = o.resource_servers.map(
+          (l) => W(
+            l,
+            u.get(l.identifier) ?? null
+          )
+        );
+        return {
+          ...o,
+          resource_servers: c
+        };
       }
     }
     // Note: Additional adapters can be extended here for runtime fallback:
@@ -891,7 +931,7 @@ function Te(e, t) {
     // - branding: Fall back to control plane branding/themes
   };
 }
-function q(e, t) {
+function V(e, t) {
   return Te(e, t);
 }
 function Ce(e) {
@@ -904,21 +944,21 @@ function Pe(e) {
   return async (t, n) => {
     if (!e.accessControl)
       return n();
-    const { controlPlaneTenantId: r } = e.accessControl, s = t.var.org_name, o = t.var.organization_id, i = s || o;
-    let a = t.var.tenant_id;
-    const u = t.var.user, l = (u != null && u.aud ? Array.isArray(u.aud) ? u.aud : [u.aud] : []).includes(V);
-    if (!a && i && l && (t.set("tenant_id", i), a = i), !a)
+    const { controlPlaneTenantId: r } = e.accessControl, s = t.var.org_name, a = t.var.organization_id, o = s || a;
+    let i = t.var.tenant_id;
+    const u = t.var.user, l = (u != null && u.aud ? Array.isArray(u.aud) ? u.aud : [u.aud] : []).includes(Q);
+    if (!i && o && l && (t.set("tenant_id", o), i = o), !i)
       throw new b(400, {
         message: "Tenant ID not found in request"
       });
-    if (!ie(
-      o,
+    if (!ce(
       a,
+      i,
       r,
       s
     ))
       throw new b(403, {
-        message: `Access denied to tenant ${a}`
+        message: `Access denied to tenant ${i}`
       });
     return n();
   };
@@ -930,30 +970,30 @@ function Ae(e) {
     const {
       baseDomain: r,
       reservedSubdomains: s = [],
-      resolveSubdomain: o
-    } = e.subdomainRouting, i = t.req.header("host") || "";
-    let a = null;
-    if (i.endsWith(r)) {
-      const c = i.slice(0, -(r.length + 1));
-      c && !c.includes(".") && (a = c);
+      resolveSubdomain: a
+    } = e.subdomainRouting, o = t.req.header("host") || "";
+    let i = null;
+    if (o.endsWith(r)) {
+      const c = o.slice(0, -(r.length + 1));
+      c && !c.includes(".") && (i = c);
     }
-    if (a && s.includes(a) && (a = null), !a)
+    if (i && s.includes(i) && (i = null), !i)
       return e.accessControl && t.set("tenant_id", e.accessControl.controlPlaneTenantId), n();
     let u = null;
-    if (o)
-      u = await o(a);
+    if (a)
+      u = await a(i);
     else if (e.subdomainRouting.useOrganizations !== !1 && e.accessControl)
       try {
         const c = await t.env.data.organizations.get(
           e.accessControl.controlPlaneTenantId,
-          a
+          i
         );
         c && (u = c.id);
       } catch {
       }
     if (!u)
       throw new b(404, {
-        message: `Tenant not found for subdomain: ${a}`
+        message: `Tenant not found for subdomain: ${i}`
       });
     return t.set("tenant_id", u), n();
   };
@@ -981,14 +1021,14 @@ function be(e) {
     return n();
   };
 }
-function Q(e) {
+function J(e) {
   const t = Ae(e), n = Pe(e), r = be(e);
-  return async (s, o) => (await t(s, async () => {
+  return async (s, a) => (await t(s, async () => {
   }), await n(s, async () => {
   }), await r(s, async () => {
-  }), o());
+  }), a());
 }
-function Oe(e) {
+function Fe(e) {
   const {
     dataAdapter: t,
     controlPlane: n,
@@ -996,9 +1036,9 @@ function Oe(e) {
       tenantId: r = "control_plane",
       clientId: s
     } = {},
-    sync: o = { resourceServers: !0, roles: !0 },
-    defaultPermissions: i = ["tenant:admin"],
-    requireOrganizationMatch: a = !1,
+    sync: a = { resourceServers: !0, roles: !0 },
+    defaultPermissions: o = ["tenant:admin"],
+    requireOrganizationMatch: i = !1,
     managementApiExtensions: u = [],
     entityHooks: c,
     getChildTenantIds: l,
@@ -1006,20 +1046,22 @@ function Oe(e) {
     ...d
   } = e;
   let f = t, m = t;
-  n && (f = q(t, {
+  n && (f = V(t, {
     controlPlaneTenantId: r,
     controlPlaneClientId: s
-  }), m = q(t, {
-    controlPlaneTenantId: r,
-    controlPlaneClientId: s,
-    excludeSensitiveFields: !0
-  }));
-  const w = o !== !1, h = w ? {
-    resourceServers: o.resourceServers ?? !0,
-    roles: o.roles ?? !0
+  }), m = {
+    ...t,
+    multiTenancyConfig: {
+      controlPlaneTenantId: r,
+      controlPlaneClientId: s
+    }
+  });
+  const w = a !== !1, h = w ? {
+    resourceServers: a.resourceServers ?? !0,
+    roles: a.roles ?? !0
   } : { resourceServers: !1, roles: !1 }, _ = {
     controlPlaneTenantId: r,
-    getChildTenantIds: l ?? (async () => (await F(
+    getChildTenantIds: l ?? (async () => (await z(
       (I) => f.tenants.list(I),
       "tenants",
       { cursorField: "id", pageSize: 100 }
@@ -1027,7 +1069,7 @@ function Oe(e) {
     getAdapters: g ?? (async () => f),
     getControlPlaneAdapters: async () => f,
     sync: h
-  }, { entityHooks: T, tenantHooks: C } = ge(_), v = {
+  }, { entityHooks: T, tenantHooks: C } = we(_), v = {
     resourceServers: [
       T.resourceServers,
       ...(c == null ? void 0 : c.resourceServers) ?? []
@@ -1036,12 +1078,12 @@ function Oe(e) {
     connections: (c == null ? void 0 : c.connections) ?? [],
     tenants: (c == null ? void 0 : c.tenants) ?? [],
     rolePermissions: (c == null ? void 0 : c.rolePermissions) ?? []
-  }, P = j(
+  }, P = q(
     {
       accessControl: {
         controlPlaneTenantId: r,
-        requireOrganizationMatch: a,
-        defaultPermissions: i
+        requireOrganizationMatch: i,
+        defaultPermissions: o
       }
     },
     { tenants: C }
@@ -1055,21 +1097,21 @@ function Oe(e) {
       { path: "/tenants", router: P }
     ]
   });
-  return A.use("/api/v2/*", Ce(r)), w && A.use("/api/v2/*", he()), { app: A, controlPlaneTenantId: r };
+  return A.use("/api/v2/*", Ce(r)), w && A.use("/api/v2/*", ve()), { app: A, controlPlaneTenantId: r };
 }
-function Re(e) {
-  const t = k(e);
+function Me(e) {
+  const t = j(e);
   return {
     name: "multi-tenancy",
     // Apply multi-tenancy middleware for subdomain routing, database resolution, etc.
-    middleware: Q(e),
+    middleware: J(e),
     // Provide lifecycle hooks
     hooks: t,
     // Mount tenant management routes
     routes: [
       {
         path: "/management",
-        handler: j(e, t)
+        handler: q(e, t)
       }
     ],
     // Called when plugin is registered
@@ -1082,8 +1124,8 @@ function Re(e) {
     }
   };
 }
-function k(e) {
-  const t = e.accessControl ? oe(e.accessControl) : {}, n = e.databaseIsolation ? ce(e.databaseIsolation) : {}, r = ue(e);
+function j(e) {
+  const t = e.accessControl ? ie(e.accessControl) : {}, n = e.databaseIsolation ? le(e.databaseIsolation) : {}, r = de(e);
   return {
     ...t,
     ...n,
@@ -1091,13 +1133,13 @@ function k(e) {
   };
 }
 function Ie(e) {
-  const t = new Z(), n = k(e);
-  return t.route("/tenants", j(e, n)), t;
+  const t = new x(), n = j(e);
+  return t.route("/tenants", q(e, n)), t;
 }
-function De(e) {
+function Oe(e) {
   return {
-    hooks: k(e),
-    middleware: Q(e),
+    hooks: j(e),
+    middleware: J(e),
     app: Ie(e),
     config: e,
     /**
@@ -1110,7 +1152,7 @@ function De(e) {
      */
     wrapAdapters: (t, n) => {
       var r;
-      return q(t, {
+      return V(t, {
         controlPlaneTenantId: (r = e.accessControl) == null ? void 0 : r.controlPlaneTenantId,
         controlPlaneClientId: n == null ? void 0 : n.controlPlaneClientId
       });
@@ -1118,23 +1160,23 @@ function De(e) {
   };
 }
 export {
-  oe as createAccessControlHooks,
+  ie as createAccessControlHooks,
   Pe as createAccessControlMiddleware,
   Ce as createControlPlaneTenantMiddleware,
-  ce as createDatabaseHooks,
+  le as createDatabaseHooks,
   be as createDatabaseMiddleware,
   Ie as createMultiTenancy,
-  k as createMultiTenancyHooks,
-  Q as createMultiTenancyMiddleware,
-  Re as createMultiTenancyPlugin,
-  he as createProtectSyncedMiddleware,
-  ue as createProvisioningHooks,
+  j as createMultiTenancyHooks,
+  J as createMultiTenancyMiddleware,
+  Me as createMultiTenancyPlugin,
+  ve as createProtectSyncedMiddleware,
+  de as createProvisioningHooks,
   Te as createRuntimeFallbackAdapter,
   Ae as createSubdomainMiddleware,
-  ge as createSyncHooks,
-  j as createTenantsOpenAPIRouter,
-  Oe as initMultiTenant,
-  De as setupMultiTenancy,
-  ie as validateTenantAccess,
-  q as withRuntimeFallback
+  we as createSyncHooks,
+  q as createTenantsOpenAPIRouter,
+  Fe as initMultiTenant,
+  Oe as setupMultiTenancy,
+  ce as validateTenantAccess,
+  V as withRuntimeFallback
 };