npm - @c15t/backend - Versions diffs - 2.0.0-rc.1 → 2.0.0-rc.10 - Mend

@c15t/backend 2.0.0-rc.1 → 2.0.0-rc.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (336) hide show

package/README.md +3 -3
package/dist/302.js +473 -0
package/dist/583.js +540 -0
package/dist/915.js +1771 -0
package/dist/cache.cjs +5 -5
package/dist/cache.js +4 -415
package/dist/core.cjs +1356 -120
package/dist/core.js +163 -1981
package/dist/db/adapters/drizzle.cjs +1 -1
package/dist/db/adapters/drizzle.js +1 -2
package/dist/db/adapters/kysely.cjs +1 -1
package/dist/db/adapters/kysely.js +1 -2
package/dist/db/adapters/mongo.cjs +1 -1
package/dist/db/adapters/mongo.js +1 -2
package/dist/db/adapters/prisma.cjs +1 -1
package/dist/db/adapters/prisma.js +1 -2
package/dist/db/adapters/typeorm.cjs +1 -1
package/dist/db/adapters/typeorm.js +1 -2
package/dist/db/adapters.cjs +1 -1
package/dist/db/migrator.cjs +1 -1
package/dist/db/schema.cjs +43 -3
package/dist/db/schema.js +35 -4
package/dist/define-config.cjs +1 -1
package/dist/edge.cjs +1106 -0
package/dist/edge.js +190 -0
package/dist/router.cjs +885 -123
package/dist/router.js +1 -1507
package/dist/{types.cjs → types/index.cjs} +1 -1
package/{dist → dist-types}/cache/adapters/cloudflare-kv.d.ts +0 -1
package/{dist → dist-types}/cache/adapters/index.d.ts +0 -1
package/{dist → dist-types}/cache/adapters/memory.d.ts +0 -1
package/{dist → dist-types}/cache/adapters/upstash-redis.d.ts +0 -1
package/{dist → dist-types}/cache/gvl-resolver.d.ts +0 -1
package/{dist → dist-types}/cache/index.d.ts +0 -1
package/{dist → dist-types}/cache/keys.d.ts +0 -1
package/{dist → dist-types}/cache/types.d.ts +0 -1
package/{dist → dist-types}/core.d.ts +8 -1
package/{dist → dist-types}/db/migrator/index.d.ts +0 -1
package/dist-types/db/registry/consent-policy.d.ts +78 -0
package/{dist → dist-types}/db/registry/consent-purpose.d.ts +0 -1
package/{dist → dist-types}/db/registry/domain.d.ts +0 -1
package/dist-types/db/registry/index.d.ts +118 -0
package/dist-types/db/registry/runtime-policy-decision.d.ts +60 -0
package/{dist → dist-types}/db/registry/subject.d.ts +0 -2
package/{dist → dist-types}/db/registry/types.d.ts +1 -1
package/{dist → dist-types}/db/registry/utils/generate-id.d.ts +0 -1
package/{dist → dist-types}/db/registry/utils.d.ts +0 -1
package/{dist → dist-types}/db/schema/1.0.0/audit-log.d.ts +0 -1
package/{dist → dist-types}/db/schema/1.0.0/consent-policy.d.ts +0 -1
package/{dist → dist-types}/db/schema/1.0.0/consent-purpose.d.ts +0 -1
package/{dist → dist-types}/db/schema/1.0.0/consent-record.d.ts +0 -1
package/{dist → dist-types}/db/schema/1.0.0/consent.d.ts +1 -2
package/{dist → dist-types}/db/schema/1.0.0/domain.d.ts +0 -1
package/{dist → dist-types}/db/schema/1.0.0/index.d.ts +0 -32
package/{dist → dist-types}/db/schema/1.0.0/subject.d.ts +0 -2
package/{dist → dist-types}/db/schema/2.0.0/audit-log.d.ts +1 -2
package/{dist → dist-types}/db/schema/2.0.0/consent-policy.d.ts +3 -3
package/{dist → dist-types}/db/schema/2.0.0/consent-purpose.d.ts +1 -2
package/{dist → dist-types}/db/schema/2.0.0/consent.d.ts +7 -2
package/{dist → dist-types}/db/schema/2.0.0/domain.d.ts +1 -2
package/{dist → dist-types}/db/schema/2.0.0/index.d.ts +455 -28
package/dist-types/db/schema/2.0.0/runtime-policy-decision.d.ts +23 -0
package/{dist → dist-types}/db/schema/2.0.0/subject.d.ts +1 -3
package/{dist → dist-types}/db/schema/index.d.ts +908 -86
package/{dist → dist-types}/db/tenant-scope.d.ts +0 -1
package/dist-types/define-config.d.ts +17 -0
package/dist-types/edge/index.d.ts +5 -0
package/dist-types/edge/init-handler.d.ts +40 -0
package/dist-types/edge/resolve-consent.d.ts +80 -0
package/dist-types/edge/types.d.ts +13 -0
package/{dist → dist-types}/handlers/consent/check.handler.d.ts +0 -1
package/{src/handlers/consent/index.ts → dist-types/handlers/consent/index.d.ts} +0 -1
package/{dist → dist-types}/handlers/init/geo.d.ts +2 -3
package/{dist → dist-types}/handlers/init/index.d.ts +2 -3
package/dist-types/handlers/init/policy.d.ts +26 -0
package/dist-types/handlers/init/resolve-init.d.ts +44 -0
package/dist-types/handlers/init/translations.d.ts +48 -0
package/dist-types/handlers/legal-document/current.handler.d.ts +11 -0
package/dist-types/handlers/legal-document/snapshot.d.ts +39 -0
package/dist-types/handlers/policy/snapshot.d.ts +99 -0
package/{src/handlers/status/index.ts → dist-types/handlers/status/index.d.ts} +0 -1
package/{dist → dist-types}/handlers/status/status.handler.d.ts +0 -1
package/{dist → dist-types}/handlers/subject/get.handler.d.ts +3 -2
package/{src/handlers/subject/index.ts → dist-types/handlers/subject/index.d.ts} +0 -1
package/{dist → dist-types}/handlers/subject/list.handler.d.ts +3 -2
package/{dist → dist-types}/handlers/subject/patch.handler.d.ts +0 -2
package/{dist → dist-types}/handlers/subject/post.handler.d.ts +12 -1
package/{dist → dist-types}/handlers/utils/consent-enrichment.d.ts +3 -1
package/{dist → dist-types}/init.d.ts +4 -7
package/{dist → dist-types}/middleware/auth/index.d.ts +0 -1
package/{dist → dist-types}/middleware/auth/validate-api-key.d.ts +0 -1
package/{dist → dist-types}/middleware/cors/cors.d.ts +0 -1
package/{src/middleware/cors/index.ts → dist-types/middleware/cors/index.d.ts} +0 -1
package/{dist → dist-types}/middleware/cors/is-origin-trusted.d.ts +0 -1
package/{dist → dist-types}/middleware/cors/process-cors.d.ts +0 -1
package/{dist → dist-types}/middleware/openapi/config.d.ts +0 -1
package/{dist → dist-types}/middleware/openapi/handlers.d.ts +0 -1
package/{src/middleware/openapi/index.ts → dist-types/middleware/openapi/index.d.ts} +0 -1
package/{dist → dist-types}/middleware/process-ip/index.d.ts +0 -1
package/dist-types/policies/builder.d.ts +127 -0
package/dist-types/policies/defaults.d.ts +2 -0
package/dist-types/policies/matchers.d.ts +3 -0
package/{dist → dist-types}/router.d.ts +0 -1
package/{dist → dist-types}/routes/consent.d.ts +0 -1
package/{dist → dist-types}/routes/index.d.ts +1 -1
package/{dist → dist-types}/routes/init.d.ts +0 -1
package/dist-types/routes/legal-document.d.ts +7 -0
package/{dist → dist-types}/routes/status.d.ts +0 -1
package/{dist → dist-types}/routes/subject.d.ts +0 -1
package/{dist → dist-types}/types/api.d.ts +0 -1
package/dist-types/types/index.d.ts +464 -0
package/dist-types/utils/background.d.ts +6 -0
package/{dist → dist-types}/utils/create-telemetry-options.d.ts +1 -2
package/{dist → dist-types}/utils/env.d.ts +0 -1
package/{dist → dist-types}/utils/extract-error-message.d.ts +0 -1
package/{dist → dist-types}/utils/instrumentation.d.ts +2 -3
package/{dist → dist-types}/utils/logger.d.ts +0 -1
package/{dist → dist-types}/utils/metrics.d.ts +0 -1
package/dist-types/version.d.ts +1 -0
package/docs/README.md +49 -0
package/docs/api/configuration.md +208 -0
package/docs/api/endpoints.md +211 -0
package/docs/guides/caching.md +85 -0
package/docs/guides/database-setup.md +128 -0
package/docs/guides/edge-deployment.md +251 -0
package/docs/guides/framework-integration.md +142 -0
package/docs/guides/iab-tcf.md +89 -0
package/docs/guides/observability.md +96 -0
package/docs/guides/policy-packs.md +396 -0
package/docs/quickstart.md +129 -0
package/package.json +51 -37
package/.turbo/turbo-build.log +0 -49
package/CHANGELOG.md +0 -99
package/dist/cache/adapters/cloudflare-kv.d.ts.map +0 -1
package/dist/cache/adapters/index.d.ts.map +0 -1
package/dist/cache/adapters/memory.d.ts.map +0 -1
package/dist/cache/adapters/upstash-redis.d.ts.map +0 -1
package/dist/cache/gvl-resolver.d.ts.map +0 -1
package/dist/cache/index.d.ts.map +0 -1
package/dist/cache/keys.d.ts.map +0 -1
package/dist/cache/types.d.ts.map +0 -1
package/dist/core.d.ts.map +0 -1
package/dist/db/adapters/drizzle.d.ts +0 -2
package/dist/db/adapters/drizzle.d.ts.map +0 -1
package/dist/db/adapters/index.d.ts +0 -2
package/dist/db/adapters/index.d.ts.map +0 -1
package/dist/db/adapters/kysely.d.ts +0 -2
package/dist/db/adapters/kysely.d.ts.map +0 -1
package/dist/db/adapters/mongo.d.ts +0 -2
package/dist/db/adapters/mongo.d.ts.map +0 -1
package/dist/db/adapters/prisma.d.ts +0 -2
package/dist/db/adapters/prisma.d.ts.map +0 -1
package/dist/db/adapters/typeorm.d.ts +0 -2
package/dist/db/adapters/typeorm.d.ts.map +0 -1
package/dist/db/migrator/index.d.ts.map +0 -1
package/dist/db/registry/consent-policy.d.ts +0 -23
package/dist/db/registry/consent-policy.d.ts.map +0 -1
package/dist/db/registry/consent-purpose.d.ts.map +0 -1
package/dist/db/registry/domain.d.ts.map +0 -1
package/dist/db/registry/index.d.ts +0 -57
package/dist/db/registry/index.d.ts.map +0 -1
package/dist/db/registry/subject.d.ts.map +0 -1
package/dist/db/registry/types.d.ts.map +0 -1
package/dist/db/registry/utils/generate-id.d.ts.map +0 -1
package/dist/db/registry/utils.d.ts.map +0 -1
package/dist/db/schema/1.0.0/audit-log.d.ts.map +0 -1
package/dist/db/schema/1.0.0/consent-policy.d.ts.map +0 -1
package/dist/db/schema/1.0.0/consent-purpose.d.ts.map +0 -1
package/dist/db/schema/1.0.0/consent-record.d.ts.map +0 -1
package/dist/db/schema/1.0.0/consent.d.ts.map +0 -1
package/dist/db/schema/1.0.0/domain.d.ts.map +0 -1
package/dist/db/schema/1.0.0/index.d.ts.map +0 -1
package/dist/db/schema/1.0.0/subject.d.ts.map +0 -1
package/dist/db/schema/2.0.0/audit-log.d.ts.map +0 -1
package/dist/db/schema/2.0.0/consent-policy.d.ts.map +0 -1
package/dist/db/schema/2.0.0/consent-purpose.d.ts.map +0 -1
package/dist/db/schema/2.0.0/consent.d.ts.map +0 -1
package/dist/db/schema/2.0.0/domain.d.ts.map +0 -1
package/dist/db/schema/2.0.0/index.d.ts.map +0 -1
package/dist/db/schema/2.0.0/subject.d.ts.map +0 -1
package/dist/db/schema/index.d.ts.map +0 -1
package/dist/db/tenant-scope.d.ts.map +0 -1
package/dist/define-config.d.ts +0 -5
package/dist/define-config.d.ts.map +0 -1
package/dist/handlers/consent/check.handler.d.ts.map +0 -1
package/dist/handlers/consent/index.d.ts +0 -12
package/dist/handlers/consent/index.d.ts.map +0 -1
package/dist/handlers/init/geo.d.ts.map +0 -1
package/dist/handlers/init/index.d.ts.map +0 -1
package/dist/handlers/init/translations.d.ts +0 -28
package/dist/handlers/init/translations.d.ts.map +0 -1
package/dist/handlers/status/index.d.ts +0 -7
package/dist/handlers/status/index.d.ts.map +0 -1
package/dist/handlers/status/status.handler.d.ts.map +0 -1
package/dist/handlers/subject/get.handler.d.ts.map +0 -1
package/dist/handlers/subject/index.d.ts +0 -10
package/dist/handlers/subject/index.d.ts.map +0 -1
package/dist/handlers/subject/list.handler.d.ts.map +0 -1
package/dist/handlers/subject/patch.handler.d.ts.map +0 -1
package/dist/handlers/subject/post.handler.d.ts.map +0 -1
package/dist/handlers/utils/consent-enrichment.d.ts.map +0 -1
package/dist/init.d.ts.map +0 -1
package/dist/middleware/auth/index.d.ts.map +0 -1
package/dist/middleware/auth/validate-api-key.d.ts.map +0 -1
package/dist/middleware/cors/cors.d.ts.map +0 -1
package/dist/middleware/cors/index.d.ts +0 -30
package/dist/middleware/cors/index.d.ts.map +0 -1
package/dist/middleware/cors/is-origin-trusted.d.ts.map +0 -1
package/dist/middleware/cors/process-cors.d.ts.map +0 -1
package/dist/middleware/openapi/config.d.ts.map +0 -1
package/dist/middleware/openapi/handlers.d.ts.map +0 -1
package/dist/middleware/openapi/index.d.ts +0 -12
package/dist/middleware/openapi/index.d.ts.map +0 -1
package/dist/middleware/process-ip/index.d.ts.map +0 -1
package/dist/router.d.ts.map +0 -1
package/dist/routes/consent.d.ts.map +0 -1
package/dist/routes/index.d.ts.map +0 -1
package/dist/routes/init.d.ts.map +0 -1
package/dist/routes/status.d.ts.map +0 -1
package/dist/routes/subject.d.ts.map +0 -1
package/dist/types/api.d.ts.map +0 -1
package/dist/types/index.d.ts +0 -255
package/dist/types/index.d.ts.map +0 -1
package/dist/utils/create-telemetry-options.d.ts.map +0 -1
package/dist/utils/env.d.ts.map +0 -1
package/dist/utils/extract-error-message.d.ts.map +0 -1
package/dist/utils/index.d.ts +0 -4
package/dist/utils/index.d.ts.map +0 -1
package/dist/utils/instrumentation.d.ts.map +0 -1
package/dist/utils/logger.d.ts.map +0 -1
package/dist/utils/metrics.d.ts.map +0 -1
package/dist/version.d.ts +0 -2
package/dist/version.d.ts.map +0 -1
package/knip.json +0 -31
package/rslib.config.ts +0 -93
package/src/cache/adapters/cloudflare-kv.ts +0 -71
package/src/cache/adapters/index.ts +0 -22
package/src/cache/adapters/memory.ts +0 -111
package/src/cache/adapters/upstash-redis.ts +0 -113
package/src/cache/gvl-resolver.ts +0 -289
package/src/cache/index.ts +0 -34
package/src/cache/keys.ts +0 -68
package/src/cache/types.ts +0 -66
package/src/core.ts +0 -368
package/src/db/migrator/index.ts +0 -80
package/src/db/registry/consent-policy.test.ts +0 -451
package/src/db/registry/consent-policy.ts +0 -82
package/src/db/registry/consent-purpose.test.ts +0 -428
package/src/db/registry/consent-purpose.ts +0 -61
package/src/db/registry/domain.test.ts +0 -445
package/src/db/registry/domain.ts +0 -91
package/src/db/registry/index.ts +0 -14
package/src/db/registry/subject.test.ts +0 -388
package/src/db/registry/subject.ts +0 -129
package/src/db/registry/types.ts +0 -10
package/src/db/registry/utils/generate-id.test.ts +0 -216
package/src/db/registry/utils/generate-id.ts +0 -133
package/src/db/registry/utils.ts +0 -133
package/src/db/schema/1.0.0/audit-log.ts +0 -15
package/src/db/schema/1.0.0/consent-policy.ts +0 -14
package/src/db/schema/1.0.0/consent-purpose.ts +0 -14
package/src/db/schema/1.0.0/consent-record.ts +0 -10
package/src/db/schema/1.0.0/consent.ts +0 -20
package/src/db/schema/1.0.0/domain.ts +0 -12
package/src/db/schema/1.0.0/index.ts +0 -48
package/src/db/schema/1.0.0/subject.ts +0 -12
package/src/db/schema/2.0.0/audit-log.ts +0 -18
package/src/db/schema/2.0.0/consent-policy.ts +0 -28
package/src/db/schema/2.0.0/consent-purpose.ts +0 -12
package/src/db/schema/2.0.0/consent.ts +0 -26
package/src/db/schema/2.0.0/domain.ts +0 -12
package/src/db/schema/2.0.0/index.ts +0 -47
package/src/db/schema/2.0.0/subject.ts +0 -14
package/src/db/schema/index.ts +0 -15
package/src/db/tenant-scope.test.ts +0 -750
package/src/db/tenant-scope.ts +0 -103
package/src/define-config.ts +0 -5
package/src/handlers/consent/check.handler.ts +0 -126
package/src/handlers/init/geo.test.ts +0 -317
package/src/handlers/init/geo.ts +0 -195
package/src/handlers/init/index.test.ts +0 -205
package/src/handlers/init/index.ts +0 -114
package/src/handlers/init/translations.test.ts +0 -121
package/src/handlers/init/translations.ts +0 -72
package/src/handlers/status/status.handler.test.ts +0 -155
package/src/handlers/status/status.handler.ts +0 -51
package/src/handlers/subject/get.handler.ts +0 -93
package/src/handlers/subject/list.handler.ts +0 -93
package/src/handlers/subject/patch.handler.ts +0 -122
package/src/handlers/subject/post.handler.test.ts +0 -294
package/src/handlers/subject/post.handler.ts +0 -254
package/src/handlers/utils/consent-enrichment.test.ts +0 -380
package/src/handlers/utils/consent-enrichment.ts +0 -218
package/src/init.test.ts +0 -126
package/src/init.ts +0 -87
package/src/middleware/auth/index.ts +0 -11
package/src/middleware/auth/validate-api-key.test.ts +0 -86
package/src/middleware/auth/validate-api-key.ts +0 -107
package/src/middleware/cors/cors.test.ts +0 -135
package/src/middleware/cors/cors.ts +0 -186
package/src/middleware/cors/is-origin-trusted.test.ts +0 -164
package/src/middleware/cors/is-origin-trusted.ts +0 -130
package/src/middleware/cors/process-cors.ts +0 -91
package/src/middleware/openapi/config.ts +0 -29
package/src/middleware/openapi/handlers.ts +0 -34
package/src/middleware/process-ip/index.test.ts +0 -195
package/src/middleware/process-ip/index.ts +0 -199
package/src/router.ts +0 -15
package/src/routes/consent.ts +0 -52
package/src/routes/index.ts +0 -10
package/src/routes/init.ts +0 -102
package/src/routes/status.ts +0 -46
package/src/routes/subject.ts +0 -152
package/src/types/api.ts +0 -48
package/src/types/index.ts +0 -288
package/src/utils/create-telemetry-options.test.ts +0 -302
package/src/utils/create-telemetry-options.ts +0 -229
package/src/utils/env.ts +0 -84
package/src/utils/extract-error-message.ts +0 -21
package/src/utils/instrumentation.test.ts +0 -185
package/src/utils/instrumentation.ts +0 -196
package/src/utils/logger.ts +0 -41
package/src/utils/metrics.test.ts +0 -323
package/src/utils/metrics.ts +0 -402
package/src/utils/telemetry-pii.test.ts +0 -325
package/src/version.ts +0 -2
package/tsconfig.json +0 -11
package/vitest.config.ts +0 -28
/package/dist/{types.js → types/index.js} +0 -0
/package/{src/db/adapters/drizzle.ts → dist-types/db/adapters/drizzle.d.ts} +0 -0
/package/{src/db/adapters/index.ts → dist-types/db/adapters/index.d.ts} +0 -0
/package/{src/db/adapters/kysely.ts → dist-types/db/adapters/kysely.d.ts} +0 -0
/package/{src/db/adapters/mongo.ts → dist-types/db/adapters/mongo.d.ts} +0 -0
/package/{src/db/adapters/prisma.ts → dist-types/db/adapters/prisma.d.ts} +0 -0
/package/{src/db/adapters/typeorm.ts → dist-types/db/adapters/typeorm.d.ts} +0 -0
/package/{src/utils/index.ts → dist-types/utils/index.d.ts} +0 -0

package/src/db/tenant-scope.test.ts DELETED Viewed

@@ -1,750 +0,0 @@
-import { describe, expect, it, vi } from 'vitest';
-import { withTenantScope } from './tenant-scope';
-/**
- * A minimal in-memory database that implements the ORM interface well enough
- * to prove real data isolation.  Records are stored in a flat Map<table, rows[]>
- * and the where-builder evaluates conditions against actual row data.
- */
-function createInMemoryOrm() {
-	const store = new Map<string, Record<string, any>[]>();
-	const getTable = (table: string) => {
-		if (!store.has(table)) store.set(table, []);
-		return store.get(table)!;
-	};
-	// Minimal where-builder that evaluates conditions against a row
-	const createBuilder = (row: Record<string, any>) => {
-		const b: any = (col: string, op: string, val: any) => {
-			if (op === '=') return row[col] === val;
-			if (op === '!=') return row[col] !== val;
-			return false;
-		};
-		b.and = (...conds: boolean[]) => conds.every(Boolean);
-		b.or = (...conds: boolean[]) => conds.some(Boolean);
-		return b;
-	};
-	const matchesWhere = (
-		row: Record<string, any>,
-		where?: (b: any) => boolean
-	) => {
-		if (!where) return true;
-		return where(createBuilder(row));
-	};
-	const orm: any = {
-		create: (table: string, data: any) => {
-			getTable(table).push({ ...data });
-			return Promise.resolve({ ...data });
-		},
-		createMany: (table: string, items: any[]) => {
-			const rows = items.map((d) => ({ ...d }));
-			getTable(table).push(...rows);
-			return Promise.resolve(rows);
-		},
-		findFirst: (table: string, opts?: any) => {
-			const rows = getTable(table);
-			const found = rows.find((r) => matchesWhere(r, opts?.where));
-			return Promise.resolve(found ?? null);
-		},
-		findMany: (table: string, opts?: any) => {
-			const rows = getTable(table);
-			return Promise.resolve(rows.filter((r) => matchesWhere(r, opts?.where)));
-		},
-		count: (table: string, opts?: any) => {
-			const rows = getTable(table);
-			return Promise.resolve(
-				rows.filter((r) => matchesWhere(r, opts?.where)).length
-			);
-		},
-		updateMany: (table: string, opts: any) => {
-			const rows = getTable(table);
-			let updated = 0;
-			for (const row of rows) {
-				if (matchesWhere(row, opts?.where)) {
-					Object.assign(row, opts.set);
-					updated++;
-				}
-			}
-			return Promise.resolve(updated);
-		},
-		deleteMany: (table: string, opts: any) => {
-			const rows = getTable(table);
-			const remaining = rows.filter((r) => !matchesWhere(r, opts?.where));
-			const deleted = rows.length - remaining.length;
-			store.set(table, remaining);
-			return Promise.resolve(deleted);
-		},
-		upsert: (table: string, opts: any) => {
-			const rows = getTable(table);
-			const existing = rows.find((r) => matchesWhere(r, opts?.where));
-			if (existing) {
-				Object.assign(existing, opts.update);
-				return Promise.resolve(existing);
-			}
-			const created = { ...opts.create };
-			rows.push(created);
-			return Promise.resolve(created);
-		},
-		transaction: (fn: any) => fn(orm),
-	};
-	return { orm, store };
-}
-function createMockOrm() {
-	return {
-		create: vi.fn().mockResolvedValue({ id: 'test_1' }),
-		createMany: vi.fn().mockResolvedValue([{ _id: 'test_1' }]),
-		findFirst: vi.fn().mockResolvedValue({ id: 'test_1' }),
-		findMany: vi.fn().mockResolvedValue([{ id: 'test_1' }]),
-		count: vi.fn().mockResolvedValue(1),
-		updateMany: vi.fn().mockResolvedValue(undefined),
-		deleteMany: vi.fn().mockResolvedValue(undefined),
-		upsert: vi.fn().mockResolvedValue(undefined),
-		transaction: vi.fn().mockImplementation((fn: any) => fn(createMockOrm())),
-	} as any;
-}
-// A minimal where builder mock that captures calls for assertion
-function createWhereBuilder() {
-	const builder: any = (col: string, op: string, val: any) => ({
-		_type: 'condition',
-		col,
-		op,
-		val,
-	});
-	builder.and = (...conditions: any[]) => ({
-		_type: 'and',
-		conditions,
-	});
-	builder.or = (...conditions: any[]) => ({
-		_type: 'or',
-		conditions,
-	});
-	builder.not = (v: any) => ({ _type: 'not', v });
-	builder.isNull = (a: string) => ({ _type: 'isNull', a });
-	builder.isNotNull = (a: string) => ({ _type: 'isNotNull', a });
-	return builder;
-}
-describe('withTenantScope', () => {
-	const tenantId = 'tenant_abc';
-	describe('create', () => {
-		it('should inject tenantId into created data', async () => {
-			const db = createMockOrm();
-			const scoped = withTenantScope(db, tenantId);
-			await scoped.create('subject', {
-				id: 'sub_1',
-				externalId: null,
-				identityProvider: 'anonymous',
-				isIdentified: false,
-			} as any);
-			expect(db.create).toHaveBeenCalledWith('subject', {
-				id: 'sub_1',
-				externalId: null,
-				identityProvider: 'anonymous',
-				isIdentified: false,
-				tenantId: 'tenant_abc',
-			});
-		});
-	});
-	describe('createMany', () => {
-		it('should inject tenantId into all items', async () => {
-			const db = createMockOrm();
-			const scoped = withTenantScope(db, tenantId);
-			await scoped.createMany('subject', [
-				{ id: 'sub_1', isIdentified: false } as any,
-				{ id: 'sub_2', isIdentified: true } as any,
-			]);
-			expect(db.createMany).toHaveBeenCalledWith('subject', [
-				{ id: 'sub_1', isIdentified: false, tenantId: 'tenant_abc' },
-				{ id: 'sub_2', isIdentified: true, tenantId: 'tenant_abc' },
-			]);
-		});
-	});
-	describe('findFirst', () => {
-		it('should add tenantId filter to where clause', async () => {
-			const db = createMockOrm();
-			const scoped = withTenantScope(db, tenantId);
-			const originalWhere = (b: any) => b('id', '=', 'sub_1');
-			await scoped.findFirst('subject', {
-				where: originalWhere,
-			});
-			expect(db.findFirst).toHaveBeenCalledTimes(1);
-			const passedOpts = db.findFirst.mock.calls[0][1];
-			// Verify the where clause includes tenantId
-			const b = createWhereBuilder();
-			const result = passedOpts.where(b);
-			expect(result).toEqual({
-				_type: 'and',
-				conditions: [
-					{ _type: 'condition', col: 'id', op: '=', val: 'sub_1' },
-					{
-						_type: 'condition',
-						col: 'tenantId',
-						op: '=',
-						val: 'tenant_abc',
-					},
-				],
-			});
-		});
-		it('should use only tenantId filter when no original where', async () => {
-			const db = createMockOrm();
-			const scoped = withTenantScope(db, tenantId);
-			await scoped.findFirst('subject', {} as any);
-			const passedOpts = db.findFirst.mock.calls[0][1];
-			const b = createWhereBuilder();
-			const result = passedOpts.where(b);
-			expect(result).toEqual({
-				_type: 'condition',
-				col: 'tenantId',
-				op: '=',
-				val: 'tenant_abc',
-			});
-		});
-	});
-	describe('findMany', () => {
-		it('should add tenantId filter to where clause', async () => {
-			const db = createMockOrm();
-			const scoped = withTenantScope(db, tenantId);
-			await scoped.findMany('consent', {
-				where: (b: any) => b('subjectId', '=', 'sub_1'),
-			});
-			const passedOpts = db.findMany.mock.calls[0][1];
-			const b = createWhereBuilder();
-			const result = passedOpts.where(b);
-			expect(result).toEqual({
-				_type: 'and',
-				conditions: [
-					{
-						_type: 'condition',
-						col: 'subjectId',
-						op: '=',
-						val: 'sub_1',
-					},
-					{
-						_type: 'condition',
-						col: 'tenantId',
-						op: '=',
-						val: 'tenant_abc',
-					},
-				],
-			});
-		});
-		it('should handle findMany with no options', async () => {
-			const db = createMockOrm();
-			const scoped = withTenantScope(db, tenantId);
-			await scoped.findMany('subject');
-			const passedOpts = db.findMany.mock.calls[0][1];
-			const b = createWhereBuilder();
-			const result = passedOpts.where(b);
-			expect(result).toEqual({
-				_type: 'condition',
-				col: 'tenantId',
-				op: '=',
-				val: 'tenant_abc',
-			});
-		});
-	});
-	describe('count', () => {
-		it('should add tenantId filter to where clause', async () => {
-			const db = createMockOrm();
-			const scoped = withTenantScope(db, tenantId);
-			await scoped.count('subject', {
-				where: (b: any) => b('isIdentified', '=', true),
-			});
-			const passedOpts = db.count.mock.calls[0][1];
-			const b = createWhereBuilder();
-			const result = passedOpts.where(b);
-			expect(result).toEqual({
-				_type: 'and',
-				conditions: [
-					{
-						_type: 'condition',
-						col: 'isIdentified',
-						op: '=',
-						val: true,
-					},
-					{
-						_type: 'condition',
-						col: 'tenantId',
-						op: '=',
-						val: 'tenant_abc',
-					},
-				],
-			});
-		});
-	});
-	describe('updateMany', () => {
-		it('should add tenantId filter to where clause', async () => {
-			const db = createMockOrm();
-			const scoped = withTenantScope(db, tenantId);
-			await scoped.updateMany('subject', {
-				where: (b: any) => b('id', '=', 'sub_1'),
-				set: { identityProvider: 'google' },
-			});
-			const passedOpts = db.updateMany.mock.calls[0][1];
-			// Verify set is preserved
-			expect(passedOpts.set).toEqual({ identityProvider: 'google' });
-			// Verify where includes tenantId
-			const b = createWhereBuilder();
-			const result = passedOpts.where(b);
-			expect(result).toEqual({
-				_type: 'and',
-				conditions: [
-					{ _type: 'condition', col: 'id', op: '=', val: 'sub_1' },
-					{
-						_type: 'condition',
-						col: 'tenantId',
-						op: '=',
-						val: 'tenant_abc',
-					},
-				],
-			});
-		});
-	});
-	describe('deleteMany', () => {
-		it('should add tenantId filter to where clause', async () => {
-			const db = createMockOrm();
-			const scoped = withTenantScope(db, tenantId);
-			await scoped.deleteMany('consent', {
-				where: (b: any) => b('id', '=', 'cns_1'),
-			});
-			const passedOpts = db.deleteMany.mock.calls[0][1];
-			const b = createWhereBuilder();
-			const result = passedOpts.where(b);
-			expect(result).toEqual({
-				_type: 'and',
-				conditions: [
-					{ _type: 'condition', col: 'id', op: '=', val: 'cns_1' },
-					{
-						_type: 'condition',
-						col: 'tenantId',
-						op: '=',
-						val: 'tenant_abc',
-					},
-				],
-			});
-		});
-	});
-	describe('upsert', () => {
-		it('should add tenantId to where clause and create data', async () => {
-			const db = createMockOrm();
-			const scoped = withTenantScope(db, tenantId);
-			await scoped.upsert('subject', {
-				where: (b: any) => b('externalId', '=', 'ext_1'),
-				create: {
-					id: 'sub_1',
-					externalId: 'ext_1',
-					isIdentified: true,
-				} as any,
-				update: { identityProvider: 'google' },
-			});
-			const passedOpts = db.upsert.mock.calls[0][1];
-			// Verify create includes tenantId
-			expect(passedOpts.create).toEqual({
-				id: 'sub_1',
-				externalId: 'ext_1',
-				isIdentified: true,
-				tenantId: 'tenant_abc',
-			});
-			// Verify update is preserved
-			expect(passedOpts.update).toEqual({ identityProvider: 'google' });
-			// Verify where includes tenantId
-			const b = createWhereBuilder();
-			const result = passedOpts.where(b);
-			expect(result).toEqual({
-				_type: 'and',
-				conditions: [
-					{
-						_type: 'condition',
-						col: 'externalId',
-						op: '=',
-						val: 'ext_1',
-					},
-					{
-						_type: 'condition',
-						col: 'tenantId',
-						op: '=',
-						val: 'tenant_abc',
-					},
-				],
-			});
-		});
-	});
-	describe('transaction', () => {
-		it('should provide a tenant-scoped ORM inside transaction', async () => {
-			const innerDb = createMockOrm();
-			const db = createMockOrm();
-			db.transaction.mockImplementation((fn: any) => fn(innerDb));
-			const scoped = withTenantScope(db, tenantId);
-			await scoped.transaction(async (tx) => {
-				await tx.create('subject', {
-					id: 'sub_1',
-					isIdentified: false,
-				} as any);
-				await tx.findFirst('subject', {
-					where: (b: any) => b('id', '=', 'sub_1'),
-				});
-			});
-			// The inner db should have tenantId injected
-			expect(innerDb.create).toHaveBeenCalledWith('subject', {
-				id: 'sub_1',
-				isIdentified: false,
-				tenantId: 'tenant_abc',
-			});
-			const findOpts = innerDb.findFirst.mock.calls[0][1];
-			const b = createWhereBuilder();
-			const result = findOpts.where(b);
-			expect(result).toEqual({
-				_type: 'and',
-				conditions: [
-					{ _type: 'condition', col: 'id', op: '=', val: 'sub_1' },
-					{
-						_type: 'condition',
-						col: 'tenantId',
-						op: '=',
-						val: 'tenant_abc',
-					},
-				],
-			});
-		});
-	});
-	describe('data isolation (mock)', () => {
-		it('should scope different tenants to their own data', async () => {
-			const db = createMockOrm();
-			const tenantA = withTenantScope(db, 'tenant_a');
-			const tenantB = withTenantScope(db, 'tenant_b');
-			await tenantA.create('subject', { id: 'sub_1' } as any);
-			await tenantB.create('subject', { id: 'sub_2' } as any);
-			expect(db.create).toHaveBeenCalledWith('subject', {
-				id: 'sub_1',
-				tenantId: 'tenant_a',
-			});
-			expect(db.create).toHaveBeenCalledWith('subject', {
-				id: 'sub_2',
-				tenantId: 'tenant_b',
-			});
-			// Each tenant's findMany should have its own tenantId filter
-			await tenantA.findMany('subject');
-			await tenantB.findMany('subject');
-			const b = createWhereBuilder();
-			const tenantAOpts = db.findMany.mock.calls[0][1];
-			expect(tenantAOpts.where(b)).toEqual({
-				_type: 'condition',
-				col: 'tenantId',
-				op: '=',
-				val: 'tenant_a',
-			});
-			const tenantBOpts = db.findMany.mock.calls[1][1];
-			expect(tenantBOpts.where(b)).toEqual({
-				_type: 'condition',
-				col: 'tenantId',
-				op: '=',
-				val: 'tenant_b',
-			});
-		});
-	});
-});
-// ===========================================================================
-// Integration tests — real in-memory store proving row-level isolation
-// ===========================================================================
-describe('withTenantScope – row-level isolation (integration)', () => {
-	it('tenant A cannot see subjects created by tenant B', async () => {
-		const { orm } = createInMemoryOrm();
-		const tenantA = withTenantScope(orm, 'tenant_a');
-		const tenantB = withTenantScope(orm, 'tenant_b');
-		await tenantA.create('subject', {
-			id: 'sub_1',
-			externalId: 'Alice',
-		} as any);
-		await tenantB.create('subject', { id: 'sub_2', externalId: 'Bob' } as any);
-		const aSubjects = await tenantA.findMany('subject');
-		const bSubjects = await tenantB.findMany('subject');
-		expect(aSubjects).toHaveLength(1);
-		expect(aSubjects[0]!.id).toBe('sub_1');
-		expect(aSubjects[0]!.externalId).toBe('Alice');
-		expect(bSubjects).toHaveLength(1);
-		expect(bSubjects[0]!.id).toBe('sub_2');
-		expect(bSubjects[0]!.externalId).toBe('Bob');
-	});
-	it('findFirst only returns records belonging to the querying tenant', async () => {
-		const { orm } = createInMemoryOrm();
-		const tenantA = withTenantScope(orm, 'tenant_a');
-		const tenantB = withTenantScope(orm, 'tenant_b');
-		await tenantA.create('consent', { id: 'cns_1', subjectId: 'sub_1' } as any);
-		const fromA = await tenantA.findFirst('consent', {
-			where: (b: any) => b('id', '=', 'cns_1'),
-		});
-		const fromB = await tenantB.findFirst('consent', {
-			where: (b: any) => b('id', '=', 'cns_1'),
-		});
-		expect(fromA).not.toBeNull();
-		expect(fromA!.id).toBe('cns_1');
-		expect(fromB).toBeNull();
-	});
-	it('count only counts records belonging to the querying tenant', async () => {
-		const { orm } = createInMemoryOrm();
-		const tenantA = withTenantScope(orm, 'tenant_a');
-		const tenantB = withTenantScope(orm, 'tenant_b');
-		await tenantA.create('subject', { id: 'sub_1' } as any);
-		await tenantA.create('subject', { id: 'sub_2' } as any);
-		await tenantB.create('subject', { id: 'sub_3' } as any);
-		expect(await tenantA.count('subject')).toBe(2);
-		expect(await tenantB.count('subject')).toBe(1);
-	});
-	it("updateMany only affects the calling tenant's rows", async () => {
-		const { orm } = createInMemoryOrm();
-		const tenantA = withTenantScope(orm, 'tenant_a');
-		const tenantB = withTenantScope(orm, 'tenant_b');
-		await tenantA.create('subject', {
-			id: 'sub_1',
-			identityProvider: '1.1.1.1',
-		} as any);
-		await tenantB.create('subject', {
-			id: 'sub_2',
-			identityProvider: '2.2.2.2',
-		} as any);
-		// Tenant A updates all their subjects
-		await tenantA.updateMany('subject', {
-			where: (b: any) => b('id', '=', 'sub_1'),
-			set: { identityProvider: '9.9.9.9' },
-		});
-		// Tenant A's row is updated
-		const aRow = await tenantA.findFirst('subject', {
-			where: (b: any) => b('id', '=', 'sub_1'),
-		});
-		expect(aRow!.identityProvider).toBe('9.9.9.9');
-		// Tenant B's row is untouched
-		const bRow = await tenantB.findFirst('subject', {
-			where: (b: any) => b('id', '=', 'sub_2'),
-		});
-		expect(bRow!.identityProvider).toBe('2.2.2.2');
-	});
-	it("deleteMany only deletes the calling tenant's rows", async () => {
-		const { orm } = createInMemoryOrm();
-		const tenantA = withTenantScope(orm, 'tenant_a');
-		const tenantB = withTenantScope(orm, 'tenant_b');
-		await tenantA.create('domain', { id: 'dom_1', name: 'a.com' } as any);
-		await tenantB.create('domain', { id: 'dom_2', name: 'b.com' } as any);
-		// Tenant A deletes their domain
-		await tenantA.deleteMany('domain', {
-			where: (b: any) => b('id', '=', 'dom_1'),
-		});
-		expect(await tenantA.findMany('domain')).toHaveLength(0);
-		expect(await tenantB.findMany('domain')).toHaveLength(1);
-	});
-	it('upsert creates with tenantId and only matches own rows', async () => {
-		const { orm } = createInMemoryOrm();
-		const tenantA = withTenantScope(orm, 'tenant_a');
-		const tenantB = withTenantScope(orm, 'tenant_b');
-		// Tenant A upserts — creates since row doesn't exist
-		await tenantA.upsert('subject', {
-			where: (b: any) => b('externalId', '=', 'ext_1'),
-			create: {
-				id: 'sub_1',
-				externalId: 'ext_1',
-				identityProvider: '1.1.1.1',
-			} as any,
-			update: { identityProvider: '9.9.9.9' },
-		});
-		// Tenant B upserts same externalId — should also CREATE (not update A's row)
-		await tenantB.upsert('subject', {
-			where: (b: any) => b('externalId', '=', 'ext_1'),
-			create: {
-				id: 'sub_2',
-				externalId: 'ext_1',
-				identityProvider: '2.2.2.2',
-			} as any,
-			update: { identityProvider: '8.8.8.8' },
-		});
-		const aRows = await tenantA.findMany('subject');
-		const bRows = await tenantB.findMany('subject');
-		// Each tenant has their own row, even though externalId is the same
-		expect(aRows).toHaveLength(1);
-		expect(aRows[0]!.id).toBe('sub_1');
-		expect(aRows[0]!.identityProvider).toBe('1.1.1.1'); // unchanged
-		expect(bRows).toHaveLength(1);
-		expect(bRows[0]!.id).toBe('sub_2');
-		expect(bRows[0]!.identityProvider).toBe('2.2.2.2'); // created, not updated from A
-	});
-	it("tenant A cannot update tenant B's row even with matching id", async () => {
-		const { orm } = createInMemoryOrm();
-		const tenantA = withTenantScope(orm, 'tenant_a');
-		const tenantB = withTenantScope(orm, 'tenant_b');
-		await tenantB.create('subject', {
-			id: 'sub_1',
-			identityProvider: '2.2.2.2',
-		} as any);
-		// Tenant A tries to update sub_1 which belongs to B
-		await tenantA.updateMany('subject', {
-			where: (b: any) => b('id', '=', 'sub_1'),
-			set: { identityProvider: 'hacked' },
-		});
-		// B's row is still untouched
-		const bRow = await tenantB.findFirst('subject', {
-			where: (b: any) => b('id', '=', 'sub_1'),
-		});
-		expect(bRow!.identityProvider).toBe('2.2.2.2');
-	});
-	it("tenant A cannot delete tenant B's row even with matching id", async () => {
-		const { orm } = createInMemoryOrm();
-		const tenantA = withTenantScope(orm, 'tenant_a');
-		const tenantB = withTenantScope(orm, 'tenant_b');
-		await tenantB.create('domain', { id: 'dom_1', name: 'b.com' } as any);
-		// Tenant A tries to delete dom_1 which belongs to B
-		await tenantA.deleteMany('domain', {
-			where: (b: any) => b('id', '=', 'dom_1'),
-		});
-		// B's row still exists
-		expect(await tenantB.findMany('domain')).toHaveLength(1);
-	});
-	it('transaction inherits tenant scope', async () => {
-		const { orm } = createInMemoryOrm();
-		const tenantA = withTenantScope(orm, 'tenant_a');
-		const tenantB = withTenantScope(orm, 'tenant_b');
-		await tenantA.transaction(async (tx) => {
-			await tx.create('subject', {
-				id: 'sub_tx',
-				externalId: 'TxAlice',
-			} as any);
-		});
-		// Visible to tenant A
-		const aResult = await tenantA.findFirst('subject', {
-			where: (b: any) => b('id', '=', 'sub_tx'),
-		});
-		expect(aResult).not.toBeNull();
-		expect(aResult!.externalId).toBe('TxAlice');
-		// Invisible to tenant B
-		const bResult = await tenantB.findFirst('subject', {
-			where: (b: any) => b('id', '=', 'sub_tx'),
-		});
-		expect(bResult).toBeNull();
-	});
-	it('three tenants sharing same database are fully isolated', async () => {
-		const { orm, store } = createInMemoryOrm();
-		const t1 = withTenantScope(orm, 'inst_001');
-		const t2 = withTenantScope(orm, 'inst_002');
-		const t3 = withTenantScope(orm, 'inst_003');
-		await t1.create('subject', { id: 'sub_1' } as any);
-		await t2.create('subject', { id: 'sub_2' } as any);
-		await t2.create('subject', { id: 'sub_3' } as any);
-		await t3.create('subject', { id: 'sub_4' } as any);
-		await t3.create('subject', { id: 'sub_5' } as any);
-		await t3.create('subject', { id: 'sub_6' } as any);
-		// Underlying store has all 6 rows
-		expect(store.get('subject')).toHaveLength(6);
-		// But each tenant only sees their own
-		expect(await t1.count('subject')).toBe(1);
-		expect(await t2.count('subject')).toBe(2);
-		expect(await t3.count('subject')).toBe(3);
-		expect(await t1.findMany('subject')).toHaveLength(1);
-		expect(await t2.findMany('subject')).toHaveLength(2);
-		expect(await t3.findMany('subject')).toHaveLength(3);
-	});
-});