@de-otio/trellis 0.6.1 → 0.7.0

Files changed (339) hide show
  1. package/dist/env.d.ts +21 -0
  2. package/dist/env.d.ts.map +1 -1
  3. package/dist/env.js +12 -0
  4. package/dist/env.js.map +1 -1
  5. package/dist/lambda/nightly-cron.d.ts.map +1 -1
  6. package/dist/lambda/nightly-cron.js +5 -2
  7. package/dist/lambda/nightly-cron.js.map +1 -1
  8. package/dist/lambda/post-confirmation.d.ts +30 -0
  9. package/dist/lambda/post-confirmation.d.ts.map +1 -1
  10. package/dist/lambda/post-confirmation.js +333 -29
  11. package/dist/lambda/post-confirmation.js.map +1 -1
  12. package/dist/lambda/pre-token-generation.d.ts +20 -0
  13. package/dist/lambda/pre-token-generation.d.ts.map +1 -1
  14. package/dist/lambda/pre-token-generation.js +233 -48
  15. package/dist/lambda/pre-token-generation.js.map +1 -1
  16. package/dist/lib/activitypub/activity-processor.d.ts.map +1 -1
  17. package/dist/lib/activitypub/activity-processor.js +2 -1
  18. package/dist/lib/activitypub/activity-processor.js.map +1 -1
  19. package/dist/lib/activitypub/group-service.d.ts +2 -2
  20. package/dist/lib/activitypub/group-service.d.ts.map +1 -1
  21. package/dist/lib/activitypub/group-service.js +5 -2
  22. package/dist/lib/activitypub/group-service.js.map +1 -1
  23. package/dist/lib/age-tier-transition.d.ts.map +1 -1
  24. package/dist/lib/age-tier-transition.js +19 -10
  25. package/dist/lib/age-tier-transition.js.map +1 -1
  26. package/dist/lib/audit/csv-export.d.ts +25 -0
  27. package/dist/lib/audit/csv-export.d.ts.map +1 -0
  28. package/dist/lib/audit/csv-export.js +54 -0
  29. package/dist/lib/audit/csv-export.js.map +1 -0
  30. package/dist/lib/audit/emit.d.ts +56 -0
  31. package/dist/lib/audit/emit.d.ts.map +1 -0
  32. package/dist/lib/audit/emit.js +124 -0
  33. package/dist/lib/audit/emit.js.map +1 -0
  34. package/dist/lib/audit/event-types.d.ts +36 -0
  35. package/dist/lib/audit/event-types.d.ts.map +1 -0
  36. package/dist/lib/audit/event-types.js +69 -0
  37. package/dist/lib/audit/event-types.js.map +1 -0
  38. package/dist/lib/audit/pii-filter.d.ts +22 -0
  39. package/dist/lib/audit/pii-filter.d.ts.map +1 -0
  40. package/dist/lib/audit/pii-filter.js +51 -0
  41. package/dist/lib/audit/pii-filter.js.map +1 -0
  42. package/dist/lib/audit-logger.js +1 -1
  43. package/dist/lib/audit-logger.js.map +1 -1
  44. package/dist/lib/auth/auth-context.d.ts +34 -0
  45. package/dist/lib/auth/auth-context.d.ts.map +1 -0
  46. package/dist/lib/auth/auth-context.js +10 -0
  47. package/dist/lib/auth/auth-context.js.map +1 -0
  48. package/dist/lib/auth/auth-middleware.d.ts +50 -0
  49. package/dist/lib/auth/auth-middleware.d.ts.map +1 -0
  50. package/dist/lib/auth/auth-middleware.js +153 -0
  51. package/dist/lib/auth/auth-middleware.js.map +1 -0
  52. package/dist/lib/auth/capabilities.d.ts +40 -0
  53. package/dist/lib/auth/capabilities.d.ts.map +1 -0
  54. package/dist/lib/auth/capabilities.js +44 -0
  55. package/dist/lib/auth/capabilities.js.map +1 -0
  56. package/dist/lib/auth/claims-cache.d.ts +70 -0
  57. package/dist/lib/auth/claims-cache.d.ts.map +1 -0
  58. package/dist/lib/auth/claims-cache.js +139 -0
  59. package/dist/lib/auth/claims-cache.js.map +1 -0
  60. package/dist/lib/auth/cognito-jwt.d.ts +6 -0
  61. package/dist/lib/auth/cognito-jwt.d.ts.map +1 -1
  62. package/dist/lib/auth/cognito-jwt.js.map +1 -1
  63. package/dist/lib/auth/idp-redirect-builder.d.ts +43 -0
  64. package/dist/lib/auth/idp-redirect-builder.d.ts.map +1 -0
  65. package/dist/lib/auth/idp-redirect-builder.js +48 -0
  66. package/dist/lib/auth/idp-redirect-builder.js.map +1 -0
  67. package/dist/lib/auth/require.d.ts +51 -0
  68. package/dist/lib/auth/require.d.ts.map +1 -0
  69. package/dist/lib/auth/require.js +99 -0
  70. package/dist/lib/auth/require.js.map +1 -0
  71. package/dist/lib/auth/role-grants.d.ts +18 -0
  72. package/dist/lib/auth/role-grants.d.ts.map +1 -0
  73. package/dist/lib/auth/role-grants.js +62 -0
  74. package/dist/lib/auth/role-grants.js.map +1 -0
  75. package/dist/lib/cognito/idp-sdk.d.ts +80 -0
  76. package/dist/lib/cognito/idp-sdk.d.ts.map +1 -0
  77. package/dist/lib/cognito/idp-sdk.js +186 -0
  78. package/dist/lib/cognito/idp-sdk.js.map +1 -0
  79. package/dist/lib/cognito/issuer-probe.d.ts +47 -0
  80. package/dist/lib/cognito/issuer-probe.d.ts.map +1 -0
  81. package/dist/lib/cognito/issuer-probe.js +319 -0
  82. package/dist/lib/cognito/issuer-probe.js.map +1 -0
  83. package/dist/lib/comment-handler.d.ts +7 -7
  84. package/dist/lib/comment-handler.d.ts.map +1 -1
  85. package/dist/lib/comment-handler.js +23 -20
  86. package/dist/lib/comment-handler.js.map +1 -1
  87. package/dist/lib/compliance/baseline.d.ts +15 -0
  88. package/dist/lib/compliance/baseline.d.ts.map +1 -0
  89. package/dist/lib/compliance/baseline.js +205 -0
  90. package/dist/lib/compliance/baseline.js.map +1 -0
  91. package/dist/lib/compliance/tenant-merge.d.ts +35 -0
  92. package/dist/lib/compliance/tenant-merge.d.ts.map +1 -0
  93. package/dist/lib/compliance/tenant-merge.js +80 -0
  94. package/dist/lib/compliance/tenant-merge.js.map +1 -0
  95. package/dist/lib/compliance/types.d.ts +135 -0
  96. package/dist/lib/compliance/types.d.ts.map +1 -0
  97. package/dist/lib/compliance/types.js +9 -0
  98. package/dist/lib/compliance/types.js.map +1 -0
  99. package/dist/lib/connection-code-handler.d.ts +4 -4
  100. package/dist/lib/connection-code-handler.d.ts.map +1 -1
  101. package/dist/lib/connection-code-handler.js +21 -11
  102. package/dist/lib/connection-code-handler.js.map +1 -1
  103. package/dist/lib/feed-handler.d.ts +2 -2
  104. package/dist/lib/feed-handler.d.ts.map +1 -1
  105. package/dist/lib/feed-handler.js +5 -9
  106. package/dist/lib/feed-handler.js.map +1 -1
  107. package/dist/lib/middleware/idempotency-store.d.ts +86 -0
  108. package/dist/lib/middleware/idempotency-store.d.ts.map +1 -0
  109. package/dist/lib/middleware/idempotency-store.js +109 -0
  110. package/dist/lib/middleware/idempotency-store.js.map +1 -0
  111. package/dist/lib/middleware/idempotency.d.ts +37 -0
  112. package/dist/lib/middleware/idempotency.d.ts.map +1 -0
  113. package/dist/lib/middleware/idempotency.js +358 -0
  114. package/dist/lib/middleware/idempotency.js.map +1 -0
  115. package/dist/lib/net/trusted-client-ip.d.ts +39 -0
  116. package/dist/lib/net/trusted-client-ip.d.ts.map +1 -0
  117. package/dist/lib/net/trusted-client-ip.js +100 -0
  118. package/dist/lib/net/trusted-client-ip.js.map +1 -0
  119. package/dist/lib/notification-handler.d.ts +5 -5
  120. package/dist/lib/notification-handler.d.ts.map +1 -1
  121. package/dist/lib/notification-handler.js +11 -9
  122. package/dist/lib/notification-handler.js.map +1 -1
  123. package/dist/lib/oauth/cognito-issuer.d.ts +34 -0
  124. package/dist/lib/oauth/cognito-issuer.d.ts.map +1 -0
  125. package/dist/lib/oauth/cognito-issuer.js +53 -0
  126. package/dist/lib/oauth/cognito-issuer.js.map +1 -0
  127. package/dist/lib/oauth/device-authorization.d.ts +145 -0
  128. package/dist/lib/oauth/device-authorization.d.ts.map +1 -0
  129. package/dist/lib/oauth/device-authorization.js +312 -0
  130. package/dist/lib/oauth/device-authorization.js.map +1 -0
  131. package/dist/lib/oauth/envelope-crypto.d.ts +101 -0
  132. package/dist/lib/oauth/envelope-crypto.d.ts.map +1 -0
  133. package/dist/lib/oauth/envelope-crypto.js +223 -0
  134. package/dist/lib/oauth/envelope-crypto.js.map +1 -0
  135. package/dist/lib/oauth/refresh-detection.d.ts +126 -0
  136. package/dist/lib/oauth/refresh-detection.d.ts.map +1 -0
  137. package/dist/lib/oauth/refresh-detection.js +248 -0
  138. package/dist/lib/oauth/refresh-detection.js.map +1 -0
  139. package/dist/lib/openapi/generator.d.ts +78 -0
  140. package/dist/lib/openapi/generator.d.ts.map +1 -0
  141. package/dist/lib/openapi/generator.js +201 -0
  142. package/dist/lib/openapi/generator.js.map +1 -0
  143. package/dist/lib/post-handler.d.ts +1 -1
  144. package/dist/lib/post-handler.d.ts.map +1 -1
  145. package/dist/lib/post-handler.js +4 -15
  146. package/dist/lib/post-handler.js.map +1 -1
  147. package/dist/lib/rate-limit.d.ts.map +1 -1
  148. package/dist/lib/rate-limit.js +11 -3
  149. package/dist/lib/rate-limit.js.map +1 -1
  150. package/dist/lib/routes/agent-authorize.d.ts +32 -0
  151. package/dist/lib/routes/agent-authorize.d.ts.map +1 -0
  152. package/dist/lib/routes/agent-authorize.js +479 -0
  153. package/dist/lib/routes/agent-authorize.js.map +1 -0
  154. package/dist/lib/routes/agent-sessions.d.ts +20 -0
  155. package/dist/lib/routes/agent-sessions.d.ts.map +1 -0
  156. package/dist/lib/routes/agent-sessions.js +124 -0
  157. package/dist/lib/routes/agent-sessions.js.map +1 -0
  158. package/dist/lib/routes/agent-surface.d.ts +37 -0
  159. package/dist/lib/routes/agent-surface.d.ts.map +1 -0
  160. package/dist/lib/routes/agent-surface.js +208 -0
  161. package/dist/lib/routes/agent-surface.js.map +1 -0
  162. package/dist/lib/routes/auth-discover.d.ts +18 -0
  163. package/dist/lib/routes/auth-discover.d.ts.map +1 -0
  164. package/dist/lib/routes/auth-discover.js +177 -0
  165. package/dist/lib/routes/auth-discover.js.map +1 -0
  166. package/dist/lib/routes/comments.d.ts.map +1 -1
  167. package/dist/lib/routes/comments.js +36 -7
  168. package/dist/lib/routes/comments.js.map +1 -1
  169. package/dist/lib/routes/connection-codes.d.ts.map +1 -1
  170. package/dist/lib/routes/connection-codes.js +21 -4
  171. package/dist/lib/routes/connection-codes.js.map +1 -1
  172. package/dist/lib/routes/content-discovery.d.ts.map +1 -1
  173. package/dist/lib/routes/content-discovery.js +18 -13
  174. package/dist/lib/routes/content-discovery.js.map +1 -1
  175. package/dist/lib/routes/dashboard.js +1 -1
  176. package/dist/lib/routes/dashboard.js.map +1 -1
  177. package/dist/lib/routes/employees.d.ts.map +1 -1
  178. package/dist/lib/routes/employees.js +57 -15
  179. package/dist/lib/routes/employees.js.map +1 -1
  180. package/dist/lib/routes/entities.d.ts.map +1 -1
  181. package/dist/lib/routes/entities.js +35 -19
  182. package/dist/lib/routes/entities.js.map +1 -1
  183. package/dist/lib/routes/errors.d.ts +34 -0
  184. package/dist/lib/routes/errors.d.ts.map +1 -0
  185. package/dist/lib/routes/errors.js +57 -0
  186. package/dist/lib/routes/errors.js.map +1 -0
  187. package/dist/lib/routes/feeds.d.ts.map +1 -1
  188. package/dist/lib/routes/feeds.js +12 -2
  189. package/dist/lib/routes/feeds.js.map +1 -1
  190. package/dist/lib/routes/index.d.ts.map +1 -1
  191. package/dist/lib/routes/index.js +50 -0
  192. package/dist/lib/routes/index.js.map +1 -1
  193. package/dist/lib/routes/mfa.d.ts.map +1 -1
  194. package/dist/lib/routes/mfa.js +1 -0
  195. package/dist/lib/routes/mfa.js.map +1 -1
  196. package/dist/lib/routes/notifications.d.ts.map +1 -1
  197. package/dist/lib/routes/notifications.js +21 -4
  198. package/dist/lib/routes/notifications.js.map +1 -1
  199. package/dist/lib/routes/oauth.d.ts +15 -0
  200. package/dist/lib/routes/oauth.d.ts.map +1 -0
  201. package/dist/lib/routes/oauth.js +139 -0
  202. package/dist/lib/routes/oauth.js.map +1 -0
  203. package/dist/lib/routes/posts.d.ts.map +1 -1
  204. package/dist/lib/routes/posts.js +30 -19
  205. package/dist/lib/routes/posts.js.map +1 -1
  206. package/dist/lib/routes/products.d.ts.map +1 -1
  207. package/dist/lib/routes/products.js +19 -22
  208. package/dist/lib/routes/products.js.map +1 -1
  209. package/dist/lib/routes/setup-status.d.ts +34 -0
  210. package/dist/lib/routes/setup-status.d.ts.map +1 -0
  211. package/dist/lib/routes/setup-status.js +87 -0
  212. package/dist/lib/routes/setup-status.js.map +1 -0
  213. package/dist/lib/routes/taxonomy-analytics.d.ts.map +1 -1
  214. package/dist/lib/routes/taxonomy-analytics.js +15 -14
  215. package/dist/lib/routes/taxonomy-analytics.js.map +1 -1
  216. package/dist/lib/routes/taxonomy.d.ts.map +1 -1
  217. package/dist/lib/routes/taxonomy.js +19 -16
  218. package/dist/lib/routes/taxonomy.js.map +1 -1
  219. package/dist/lib/routes/tenant-audit.d.ts +19 -0
  220. package/dist/lib/routes/tenant-audit.d.ts.map +1 -0
  221. package/dist/lib/routes/tenant-audit.js +244 -0
  222. package/dist/lib/routes/tenant-audit.js.map +1 -0
  223. package/dist/lib/routes/tenant-compliance.d.ts +21 -0
  224. package/dist/lib/routes/tenant-compliance.d.ts.map +1 -0
  225. package/dist/lib/routes/tenant-compliance.js +122 -0
  226. package/dist/lib/routes/tenant-compliance.js.map +1 -0
  227. package/dist/lib/routes/tenant-domains.d.ts +11 -0
  228. package/dist/lib/routes/tenant-domains.d.ts.map +1 -0
  229. package/dist/lib/routes/tenant-domains.js +95 -0
  230. package/dist/lib/routes/tenant-domains.js.map +1 -0
  231. package/dist/lib/routes/tenant-idp.d.ts +3 -0
  232. package/dist/lib/routes/tenant-idp.d.ts.map +1 -0
  233. package/dist/lib/routes/tenant-idp.js +89 -0
  234. package/dist/lib/routes/tenant-idp.js.map +1 -0
  235. package/dist/lib/routes/tenant-members.d.ts +13 -0
  236. package/dist/lib/routes/tenant-members.d.ts.map +1 -0
  237. package/dist/lib/routes/tenant-members.js +75 -0
  238. package/dist/lib/routes/tenant-members.js.map +1 -0
  239. package/dist/lib/routes/tenant-role-mappings.d.ts +11 -0
  240. package/dist/lib/routes/tenant-role-mappings.d.ts.map +1 -0
  241. package/dist/lib/routes/tenant-role-mappings.js +90 -0
  242. package/dist/lib/routes/tenant-role-mappings.js.map +1 -0
  243. package/dist/lib/routes/tenants.d.ts +13 -0
  244. package/dist/lib/routes/tenants.d.ts.map +1 -0
  245. package/dist/lib/routes/tenants.js +121 -0
  246. package/dist/lib/routes/tenants.js.map +1 -0
  247. package/dist/lib/routes/types.d.ts +9 -0
  248. package/dist/lib/routes/types.d.ts.map +1 -1
  249. package/dist/lib/schemas.d.ts +2 -2
  250. package/dist/lib/secrets/idp-secrets.d.ts +51 -0
  251. package/dist/lib/secrets/idp-secrets.d.ts.map +1 -0
  252. package/dist/lib/secrets/idp-secrets.js +111 -0
  253. package/dist/lib/secrets/idp-secrets.js.map +1 -0
  254. package/dist/lib/security-monitor.d.ts.map +1 -1
  255. package/dist/lib/security-monitor.js +6 -1
  256. package/dist/lib/security-monitor.js.map +1 -1
  257. package/dist/lib/session-manager.d.ts +1 -0
  258. package/dist/lib/session-manager.d.ts.map +1 -1
  259. package/dist/lib/session-manager.js.map +1 -1
  260. package/dist/lib/taxonomy-handler-factory.d.ts +4 -2
  261. package/dist/lib/taxonomy-handler-factory.d.ts.map +1 -1
  262. package/dist/lib/taxonomy-handler-factory.js +8 -7
  263. package/dist/lib/taxonomy-handler-factory.js.map +1 -1
  264. package/dist/lib/tenant/audit-emit.d.ts +18 -0
  265. package/dist/lib/tenant/audit-emit.d.ts.map +1 -0
  266. package/dist/lib/tenant/audit-emit.js +16 -0
  267. package/dist/lib/tenant/audit-emit.js.map +1 -0
  268. package/dist/lib/tenant/derive-domain.d.ts +19 -0
  269. package/dist/lib/tenant/derive-domain.d.ts.map +1 -0
  270. package/dist/lib/tenant/derive-domain.js +38 -0
  271. package/dist/lib/tenant/derive-domain.js.map +1 -0
  272. package/dist/lib/tenant/domain-handler.d.ts +42 -0
  273. package/dist/lib/tenant/domain-handler.d.ts.map +1 -0
  274. package/dist/lib/tenant/domain-handler.js +344 -0
  275. package/dist/lib/tenant/domain-handler.js.map +1 -0
  276. package/dist/lib/tenant/domain-validator.d.ts +28 -0
  277. package/dist/lib/tenant/domain-validator.d.ts.map +1 -0
  278. package/dist/lib/tenant/domain-validator.js +145 -0
  279. package/dist/lib/tenant/domain-validator.js.map +1 -0
  280. package/dist/lib/tenant/domain-verifier.d.ts +30 -0
  281. package/dist/lib/tenant/domain-verifier.d.ts.map +1 -0
  282. package/dist/lib/tenant/domain-verifier.js +53 -0
  283. package/dist/lib/tenant/domain-verifier.js.map +1 -0
  284. package/dist/lib/tenant/idp-handler.d.ts +29 -0
  285. package/dist/lib/tenant/idp-handler.d.ts.map +1 -0
  286. package/dist/lib/tenant/idp-handler.js +693 -0
  287. package/dist/lib/tenant/idp-handler.js.map +1 -0
  288. package/dist/lib/tenant/idp-name.d.ts +2 -0
  289. package/dist/lib/tenant/idp-name.d.ts.map +1 -0
  290. package/dist/lib/tenant/idp-name.js +20 -0
  291. package/dist/lib/tenant/idp-name.js.map +1 -0
  292. package/dist/lib/tenant/member-handler.d.ts +31 -0
  293. package/dist/lib/tenant/member-handler.d.ts.map +1 -0
  294. package/dist/lib/tenant/member-handler.js +343 -0
  295. package/dist/lib/tenant/member-handler.js.map +1 -0
  296. package/dist/lib/tenant/reserved-slugs.d.ts +37 -0
  297. package/dist/lib/tenant/reserved-slugs.d.ts.map +1 -0
  298. package/dist/lib/tenant/reserved-slugs.js +116 -0
  299. package/dist/lib/tenant/reserved-slugs.js.map +1 -0
  300. package/dist/lib/tenant/resolve-role.d.ts +39 -0
  301. package/dist/lib/tenant/resolve-role.d.ts.map +1 -0
  302. package/dist/lib/tenant/resolve-role.js +60 -0
  303. package/dist/lib/tenant/resolve-role.js.map +1 -0
  304. package/dist/lib/tenant/role-mapping-handler.d.ts +26 -0
  305. package/dist/lib/tenant/role-mapping-handler.d.ts.map +1 -0
  306. package/dist/lib/tenant/role-mapping-handler.js +260 -0
  307. package/dist/lib/tenant/role-mapping-handler.js.map +1 -0
  308. package/dist/lib/tenant/setup-status.d.ts +83 -0
  309. package/dist/lib/tenant/setup-status.d.ts.map +1 -0
  310. package/dist/lib/tenant/setup-status.js +201 -0
  311. package/dist/lib/tenant/setup-status.js.map +1 -0
  312. package/dist/lib/tenant/slug-validator.d.ts +31 -0
  313. package/dist/lib/tenant/slug-validator.d.ts.map +1 -0
  314. package/dist/lib/tenant/slug-validator.js +42 -0
  315. package/dist/lib/tenant/slug-validator.js.map +1 -0
  316. package/dist/lib/tenant/tenant-handler.d.ts +49 -0
  317. package/dist/lib/tenant/tenant-handler.d.ts.map +1 -0
  318. package/dist/lib/tenant/tenant-handler.js +377 -0
  319. package/dist/lib/tenant/tenant-handler.js.map +1 -0
  320. package/dist/lib/tenant/transfer-ownership.d.ts +39 -0
  321. package/dist/lib/tenant/transfer-ownership.d.ts.map +1 -0
  322. package/dist/lib/tenant/transfer-ownership.js +66 -0
  323. package/dist/lib/tenant/transfer-ownership.js.map +1 -0
  324. package/dist/lib/user/derive-handle.d.ts +29 -0
  325. package/dist/lib/user/derive-handle.d.ts.map +1 -0
  326. package/dist/lib/user/derive-handle.js +65 -0
  327. package/dist/lib/user/derive-handle.js.map +1 -0
  328. package/dist/lib/user-deprovisioning.d.ts +11 -1
  329. package/dist/lib/user-deprovisioning.d.ts.map +1 -1
  330. package/dist/lib/user-deprovisioning.js +46 -2
  331. package/dist/lib/user-deprovisioning.js.map +1 -1
  332. package/dist/lib/validation/feature-toggle-schemas.d.ts +10 -10
  333. package/package.json +5 -3
  334. package/prisma/migrations/20260502094501_add_tenancy_model/migration.sql +334 -0
  335. package/prisma/migrations/20260503000000_add_tenant_region/migration.sql +4 -0
  336. package/prisma/schema.prisma +324 -74
  337. package/src/lambda/nightly-cron.ts +4 -1
  338. package/src/lambda/post-confirmation.ts +405 -29
  339. package/src/lambda/pre-token-generation.ts +300 -59
@@ -0,0 +1 @@
1
+ {"version":3,"file":"agent-sessions.js","sourceRoot":"","sources":["../../../src/lib/routes/agent-sessions.ts"],"names":[],"mappings":";AAAA;;;;;;;GAOG;;;AA6BH,kEAEC;AAED,sEAEC;AAjCD,kEAMoC;AACpC,6DAAyD;AACzD,wCAAkD;AAClD,gGAGmD;AACnD,iCAAwC;AACxC,8CAA+D;AAC/D,gEAA2D;AAC3D,0DAAsD;AACtD,qCAA8D;AAQ9D,IAAI,IAAI,GAAqB,EAAE,CAAC;AAEhC,SAAgB,2BAA2B,CAAC,CAAmB;IAC7D,IAAI,GAAG,CAAC,CAAC;AACX,CAAC;AAED,SAAgB,6BAA6B;IAC3C,IAAI,GAAG,EAAE,CAAC;AACZ,CAAC;AAED,SAAS,UAAU;IACjB,IAAI,IAAI,CAAC,OAAO;QAAE,OAAO,IAAI,CAAC,OAAO,CAAC;IACtC,MAAM,MAAM,GAAG,OAAO,CAAC,GAAG,CAAC,cAAc,IAAI,OAAO,CAAC,GAAG,CAAC,UAAU,IAAI,WAAW,CAAC;IACnF,MAAM,MAAM,GAAG,IAAI,gEAA6B,CAAC,EAAE,MAAM,EAAE,CAAC,CAAC;IAC7D,OAAO;QACL,KAAK,CAAC,aAAa,CAAC,KAAK;YACvB,MAAM,MAAM,CAAC,IAAI,CACf,IAAI,gEAA6B,CAAC;gBAChC,UAAU,EAAE,KAAK,CAAC,UAAU;gBAC5B,QAAQ,EAAE,KAAK,CAAC,eAAe;aAChC,CAAC,CACH,CAAC;QACJ,CAAC;KACF,CAAC;AACJ,CAAC;AAED,SAAS,QAAQ;IACf,OAAO,IAAI,CAAC,YAAY,IAAI,IAAI,wBAAiB,EAAE,CAAC;AACtD,CAAC;AAED,SAAS,WAAW,CAAC,GAAuB;IAC1C,OAAO;QACL,EAAE,EAAE,GAAG,CAAC,SAAS;QACjB,UAAU,EAAE,GAAG,CAAC,UAAU,IAAI,IAAI;QAClC,QAAQ,EAAE,GAAG,CAAC,QAAQ,IAAI,IAAI;QAC9B,SAAS,EAAE,IAAI,IAAI,CAAC,GAAG,CAAC,SAAS,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE;QACvD,UAAU,EAAE,IAAI,IAAI,CAAC,GAAG,CAAC,UAAU,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE;QACzD,MAAM,EAAE,GAAG,CAAC,MAAM;KACnB,CAAC;AACJ,CAAC;AAED,MAAM,SAAS,GAAG,qDAAqD,CAAC;AAE3D,QAAA,mBAAmB,GAAY;IAC1C;QACE,IAAI,EAAE,8BAA8B;QACpC,MAAM,EAAE,KAAK;QACb,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,EAAE,EAAE;YAC9B,MAAM,GAAG,GAAG,IAAI,kCAAe,CAAC,GAAG,CAAC,CAAC;YACrC,MAAM,IAAI,GAAG,MAAM,IAAA,gCAAc,EAAC,OAAO,EAAE,GAAG,CAAC,CAAC;YAChD,IAAI,CAAC,IAAI;gBAAE,OAAO,IAAA,0BAAiB,EAAC,GAAG,CAAC,CAAC;YAEzC,MAAM,QAAQ,GAAG,MAAM,IAAA,qCAAiB,EAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACtD,OAAO,GAAG,CAAC,oBAAoB,CAC7B,IAAI,CAAC,SAAS,CAAC,EAAE,QAAQ,EAAE,QAAQ,CAAC,GAAG,CAAC,WAAW,CAAC,EAAE,CAAC,EACvD,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,EAAE,CACjE,CAAC;QACJ,CAAC;QACD,UAAU,EAAE,CAAC,IAAA,2BAAc,GAAE,CAAC;QAC9B,WAAW,EAAE,iDAAiD;KAC/D;IAED;QACE,IAAI
,EAAE,SAAS;QACf,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE;YAC5C,MAAM,GAAG,GAAG,IAAI,kCAAe,CAAC,GAAG,CAAC,CAAC;YACrC,MAAM,IAAI,GAAG,MAAM,IAAA,gCAAc,EAAC,OAAO,EAAE,GAAG,CAAC,CAAC;YAChD,IAAI,CAAC,IAAI;gBAAE,OAAO,IAAA,0BAAiB,EAAC,GAAG,CAAC,CAAC;YAEzC,MAAM,SAAS,GAAG,QAAQ,CAAC,KAAK,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC;YACjD,IAAI,CAAC,SAAS,EAAE,CAAC;gBACf,OAAO,IAAA,wBAAe,EAAC,GAAG,EAAE;oBAC1B,KAAK,EAAE,iBAAiB;oBACxB,OAAO,EAAE,yBAAyB;oBAClC,WAAW,EAAE,oDAAoD;iBAClE,EAAE,GAAG,CAAC,CAAC;YACV,CAAC;YAED,MAAM,OAAO,GAAG,MAAM,IAAA,mCAAe,EAAC,SAAS,CAAC,CAAC;YACjD,IAAI,CAAC,OAAO,IAAI,OAAO,CAAC,MAAM,KAAK,IAAI,CAAC,MAAM,EAAE,CAAC;gBAC/C,2CAA2C;gBAC3C,OAAO,IAAA,wBAAe,EAAC,GAAG,EAAE;oBAC1B,KAAK,EAAE,WAAW;oBAClB,OAAO,EAAE,0BAA0B;oBACnC,WAAW,EAAE,8DAA8D;iBAC5E,EAAE,GAAG,CAAC,CAAC;YACV,CAAC;YAED,MAAM,UAAU,GAAG,GAAG,CAAC,oBAAoB,CAAC;YAC5C,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChB,OAAO,GAAG,CAAC,oBAAoB,CAC7B,IAAI,CAAC,SAAS,CAAC,EAAE,KAAK,EAAE,gBAAgB,EAAE,CAAC,EAC3C,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,EAAE,CACjE,CAAC;YACJ,CAAC;YAED,MAAM,OAAO,GAAG,UAAU,EAAE,CAAC;YAC7B,MAAM,KAAK,GAAG,QAAQ,EAAE,CAAC;YACzB,mEAAmE;YACnE,MAAM,MAAM,GAAG,IAAA,iBAAY,EAAC,GAAG,CAAC,CAAC;YAEjC,MAAM,IAAA,sCAAkB,EAAC;gBACvB,SAAS;gBACT,UAAU;gBACV,eAAe,EAAE,OAAO,CAAC,UAAU;gBACnC,OAAO;gBACP,KAAK,EAAE;oBACL,IAAI,EAAE,KAAK,EAAE,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,IAAI,CAAC,KAAc,EAAE,MAAe,CAAC;iBACnE;gBACD,QAAQ,EAAE,OAAO,CAAC,QAAQ;gBAC1B,WAAW,EAAE,IAAI,CAAC,MAAM;gBACxB,QAAQ,EAAE,IAAA,mCAAe,EAAC,OAAO,EAAE,GAAG,CAAC;aACxC,CAAC,CAAC;YAEH,OAAO,GAAG,CAAC,oBAAoB,CAC7B,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,SAAS,EAAE,CAAC,EACrC,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,EAAE,CACjE,CAAC;QACJ,CAAC;QACD,UAAU,EAAE,CAAC,IAAA,2BAAc,GAAE,EAAE,IAAA,2BAAc,GAAE,CAAC;QAChD,WAAW,EAAE,yBAAyB;KACvC;CACF,CAAC"}
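--- /dev/null
+++ b/package/dist/lib/routes/agent-surface.d.ts
@@ -0,0 +1,37 @@
+ /**
+ * Agent-Surface Routes (T9b-a)
+ *
+ * Public, unauthenticated discovery endpoints for AI agents and tooling:
+ *
+ * GET /llms.txt — setup contract for AI agents (llmstxt.org convention)
+ * GET /openapi.json — OpenAPI 3.1 document auto-generated from route registry
+ * GET /security.txt — RFC 9116 security contact
+ *
+ * All three are rate-limited at the API Gateway / WAF layer (120 req/min per IP).
+ * No session required.
+ */
+ import type { Route } from "./types";
+ /**
+ * Build the agent-surface routes, injecting the full route list so the
+ * OpenAPI generator can introspect the registry.
+ *
+ * Usage in routes/index.ts:
+ * import { buildAgentSurfaceRoutes } from "./agent-surface";
+ * // after all routes are collected:
+ * const agentSurface = buildAgentSurfaceRoutes(coreRoutes);
+ *
+ * Because we need the full route list for OpenAPI generation but the route
+ * list includes these routes themselves, we expose a plain `agentSurfaceRoutes`
+ * export that uses a deferred getter — the first HTTP request triggers
+ * generation using whatever has been registered by then.
+ */
+ export declare function buildAgentSurfaceRoutes(getAllRoutes: () => Route[]): Route[];
+ /**
+ * Static export for the route registry.
+ *
+ * These routes have no dependency on the full route list (llms.txt and
+ * security.txt are static; openapi.json generates lazily on first request).
+ * Import and spread into coreRoutes in routes/index.ts.
+ */
+ export declare const agentSurfaceRoutes: Route[];
+ //# sourceMappingURL=agent-surface.d.ts.map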
@@ -0,0 +1 @@
1
+ {"version":3,"file":"agent-surface.d.ts","sourceRoot":"","sources":["../../../src/lib/routes/agent-surface.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;GAWG;AAIH,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,SAAS,CAAC;AAgHrC;;;;;;;;;;;;;GAaG;AACH,wBAAgB,uBAAuB,CAAC,YAAY,EAAE,MAAM,KAAK,EAAE,GAAG,KAAK,EAAE,CAiE5E;AAED;;;;;;GAMG;AACH,eAAO,MAAM,kBAAkB,EAAE,KAAK,EAAsC,CAAC"}
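--- /dev/null
+++ b/package/dist/lib/routes/agent-surface.js
@@ -0,0 +1,208 @@
+ "use strict";
+ /**
+ * Agent-Surface Routes (T9b-a)
+ *
+ * Public, unauthenticated discovery endpoints for AI agents and tooling:
+ *
+ * GET /llms.txt — setup contract for AI agents (llmstxt.org convention)
+ * GET /openapi.json — OpenAPI 3.1 document auto-generated from route registry
+ * GET /security.txt — RFC 9116 security contact
+ *
+ * All three are rate-limited at the API Gateway / WAF layer (120 req/min per IP).
+ * No session required.
+ */
+ Object.defineProperty(exports, "__esModule", { value: true });
+ exports.agentSurfaceRoutes = void 0;
+ exports.buildAgentSurfaceRoutes = buildAgentSurfaceRoutes;
+ const middleware_1 = require("../middleware");
+ const generator_1 = require("../openapi/generator");
+ // ── Constants ─────────────────────────────────────────────────────────────────
+ const SECURITY_CONTACT = "security@skybber.com";
+ const SECURITY_POLICY_URL = "https://skybber.com/security/policy";
+ const SECURITY_CANONICAL_URL = "https://api.skybber.com/security.txt";
+ // ── llms.txt content ──────────────────────────────────────────────────────────
+ const LLMS_TXT_CONTENT = `# Trellis / Skybber — Agent Setup Contract
+
+ > Skybber is a social platform for dog fans with a B2B multi-tenant identity
+ > federation layer. This file tells an AI agent everything it needs to drive
+ > tenant onboarding end-to-end.
+
+ ## Persona scenario
+
+ An IT engineer at a customer org says: "Help me set up Skybber for my company."
+ The agent should be able to:
+ 1. Discover what Skybber is and what setup involves (this file).
+ 2. Ask the engineer for the few inputs only a human can supply (Entra admin
+ consent, role-mapping decisions).
+ 3. Drive every other step via HTTP API or tools the agent already has
+ (Microsoft Graph, Route53/Cloudflare DNS, etc.).
+ 4. Verify the result.
+ 5. Hand the engineer back a working tenant with a one-paragraph summary.
+
+ ## Authentication
+
+ Agents authenticate via OIDC — no static API tokens are issued.
+ Two flows are supported:
+
+ - **PKCE + localhost-listener** (interactive agent on engineer's machine):
+ Redirect to \`https://auth.skybber.com/oauth2/authorize\` with
+ \`response_type=code&client_id=skybber-agent-cli&code_challenge=...\`
+ and catch the code on \`http://127.0.0.1:{ephemeral-port}/cb\`.
+
+ - **Device authorization grant** (headless / CI agent):
+ POST /oauth2/device_authorization → get device_code + user_code →
+ engineer approves at https://app.skybber.com/agents/authorize →
+ agent polls POST /oauth2/token.
+
+ Tokens are short-lived (~1 h). Refresh tokens are single-use and rotated.
+ The engineer can revoke any agent session at any time via GET/POST
+ /api/users/me/agent-sessions.
+
+ ## Key endpoints
+
+ | Endpoint | Method | Purpose |
+ |---|---|---|
+ | /api/tenants/{id}/setup-status | GET | Current onboarding progress + nextStep hint |
+ | /api/tenants/{id}/domains | POST | Add a domain for verification |
+ | /api/tenants/{id}/domains/{domainId}/verify | POST | Trigger DNS TXT check |
+ | /api/tenants/{id}/identity-provider | POST | Connect OIDC/SAML IdP |
+ | /api/tenants/{id}/identity-provider/test-sign-in | POST | Validate IdP round-trip |
+ | /api/tenants/{id}/role-mappings | POST | Map IdP group → Skybber role |
+ | /api/tenants/{id}/audit | GET | Audit log of tenant events |
+ | /api/auth/discover | POST | Pre-login: resolve email → IdP redirect or password |
+ | /openapi.json | GET | Full OpenAPI 3.1 spec (this server) |
+ | /.well-known/compliance.json | GET | Tenant compliance bundle |
+
+ ## Error format
+
+ Every 4xx response from federation endpoints is JSON:
+ \`\`\`json
+ {
+ "error": "ERROR_CODE",
+ "message": "Human-readable description.",
+ "remediation": "Exact next step or 'ask the engineer X'.",
+ "field": "fieldName"
+ }
+ \`\`\`
+
+ ## Idempotency
+
+ Every federation POST accepts an \`Idempotency-Key\` header. Same key + same
+ body within 24 h returns the original 2xx response without side-effects.
+
+ ## Safety
+
+ - Client secrets are write-only. GET /api/tenants/{id}/identity-provider
+ returns \`null\` for \`clientSecret\`. Never echo secrets in conversation.
+ - Destructive operations require \`?confirm=true\`. A call without it returns
+ 400 with a remediation explaining the risk.
+ - Agents should request minimal scopes: domain.*, idp.*, role_mapping.*.
+
+ ## Further reading
+
+ - Full spec: GET /openapi.json
+ - Compliance bundle: GET /.well-known/compliance.json (per-tenant, auth required)
+ - Security contact: GET /security.txt
+ `;
+ // ── Route definitions ─────────────────────────────────────────────────────────
+ /**
+ * Build a lazy-caching OpenAPI JSON getter scoped to a specific route-list getter.
+ * The cache is per-getter closure so multiple `buildAgentSurfaceRoutes` calls
+ * (e.g. in tests) each get an independent cache.
+ */
+ function makeOpenApiGetter(getAllRoutes) {
+ let cached = null;
+ return () => {
+ if (cached === null) {
+ const doc = (0, generator_1.generateOpenApiDoc)(getAllRoutes());
+ cached = JSON.stringify(doc, null, 2);
+ }
+ return cached;
+ };
+ }
+ /**
+ * Build the agent-surface routes, injecting the full route list so the
+ * OpenAPI generator can introspect the registry.
+ *
+ * Usage in routes/index.ts:
+ * import { buildAgentSurfaceRoutes } from "./agent-surface";
+ * // after all routes are collected:
+ * const agentSurface = buildAgentSurfaceRoutes(coreRoutes);
+ *
+ * Because we need the full route list for OpenAPI generation but the route
+ * list includes these routes themselves, we expose a plain `agentSurfaceRoutes`
+ * export that uses a deferred getter — the first HTTP request triggers
+ * generation using whatever has been registered by then.
+ */
+ function buildAgentSurfaceRoutes(getAllRoutes) {
+ const getOpenApiJson = makeOpenApiGetter(getAllRoutes);
+ return [
+ // ── GET /llms.txt ────────────────────────────────────────────────────────
+ {
+ path: "/llms.txt",
+ method: "GET",
+ handler: async (_request, _env) => {
+ return new Response(LLMS_TXT_CONTENT, {
+ status: 200,
+ headers: {
+ "content-type": "text/plain; charset=utf-8",
+ "cache-control": "public, max-age=3600",
+ },
+ });
+ },
+ middleware: [(0, middleware_1.corsMiddleware)()],
+ description: "Agent setup contract (llmstxt.org convention)",
+ },
+ // ── GET /openapi.json ────────────────────────────────────────────────────
+ {
+ path: "/openapi.json",
+ method: "GET",
+ handler: async (_request, _env) => {
+ const json = getOpenApiJson();
+ return new Response(json, {
+ status: 200,
+ headers: {
+ "content-type": "application/json; charset=utf-8",
+ "cache-control": "public, max-age=300",
+ },
+ });
+ },
+ middleware: [(0, middleware_1.corsMiddleware)()],
+ description: "OpenAPI 3.1 document (auto-generated from route registry)",
+ },
+ // ── GET /security.txt ────────────────────────────────────────────────────
+ {
+ path: "/security.txt",
+ method: "GET",
+ handler: async (_request, _env) => {
+ const expires = new Date(Date.now() + 365 * 24 * 60 * 60 * 1000).toISOString();
+ const body = [
+ `Contact: mailto:${SECURITY_CONTACT}`,
+ `Expires: ${expires}`,
+ `Preferred-Languages: en`,
+ `Canonical: ${SECURITY_CANONICAL_URL}`,
+ `Policy: ${SECURITY_POLICY_URL}`,
+ "",
+ ].join("\n");
+ return new Response(body, {
+ status: 200,
+ headers: {
+ "content-type": "text/plain; charset=utf-8",
+ "cache-control": "public, max-age=86400",
+ },
+ });
+ },
+ middleware: [(0, middleware_1.corsMiddleware)()],
+ description: "RFC 9116 security contact",
+ },
+ ];
+ }
+ /**
+ * Static export for the route registry.
+ *
+ * These routes have no dependency on the full route list (llms.txt and
+ * security.txt are static; openapi.json generates lazily on first request).
+ * Import and spread into coreRoutes in routes/index.ts.
+ */
+ exports.agentSurfaceRoutes = buildAgentSurfaceRoutes(() => []);
+ //# sourceMappingURL=agent-surface.js.map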
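Review bot: The `Expires` field in the `/security.txt` handler is recomputed as `Date.now()` plus 365 days on every request, so the published file can never go stale — RFC 9116 intends that field to flag outdated contact data and recommends a fixed date less than a year out that someone renews deliberately. Replace the computation with a reviewed constant such as `const SECURITY_EXPIRES = "2027-05-01T00:00:00.000Z";` next to `SECURITY_CONTACT` and emit it via `Expires: ${SECURITY_EXPIRES}` in the template; while there, serve the route at `/.well-known/security.txt` (the location RFC 9116 requires; the top-level path is only a legacy fallback) and point `SECURITY_CANONICAL_URL` at that path so `Canonical` matches where the file is actually served. Separately, the static export `agentSurfaceRoutes = buildAgentSurfaceRoutes(() => [])` wires `/openapi.json` to an empty registry and `makeOpenApiGetter` caches the first result for the lifetime of the process, so spreading that export into `coreRoutes` as the header comment suggests publishes an OpenAPI document with no paths; either drop the static export or skip caching while `getAllRoutes()` returns an empty list. If `generateOpenApiDoc` does not filter the registry, the document also lists every authenticated tenant-admin route to anonymous callers — presumably intended for agent discovery, but worth stating explicitly in that route's `description`.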
@@ -0,0 +1 @@
1
+ {"version":3,"file":"agent-surface.js","sourceRoot":"","sources":["../../../src/lib/routes/agent-surface.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;GAWG;;;AAkIH,0DAiEC;AAjMD,8CAA+C;AAC/C,oDAA0D;AAG1D,iFAAiF;AAEjF,MAAM,gBAAgB,GAAG,sBAAsB,CAAC;AAChD,MAAM,mBAAmB,GAAG,qCAAqC,CAAC;AAClE,MAAM,sBAAsB,GAAG,sCAAsC,CAAC;AAEtE,iFAAiF;AAEjF,MAAM,gBAAgB,GAAG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;CAkFxB,CAAC;AAEF,iFAAiF;AAEjF;;;;GAIG;AACH,SAAS,iBAAiB,CAAC,YAA2B;IACpD,IAAI,MAAM,GAAkB,IAAI,CAAC;IACjC,OAAO,GAAG,EAAE;QACV,IAAI,MAAM,KAAK,IAAI,EAAE,CAAC;YACpB,MAAM,GAAG,GAAG,IAAA,8BAAkB,EAAC,YAAY,EAAE,CAAC,CAAC;YAC/C,MAAM,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;QACxC,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;GAaG;AACH,SAAgB,uBAAuB,CAAC,YAA2B;IACjE,MAAM,cAAc,GAAG,iBAAiB,CAAC,YAAY,CAAC,CAAC;IACvD,OAAO;QACL,4EAA4E;QAC5E;YACE,IAAI,EAAE,WAAW;YACjB,MAAM,EAAE,KAAK;YACb,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,EAAE;gBAChC,OAAO,IAAI,QAAQ,CAAC,gBAAgB,EAAE;oBACpC,MAAM,EAAE,GAAG;oBACX,OAAO,EAAE;wBACP,cAAc,EAAE,2BAA2B;wBAC3C,eAAe,EAAE,sBAAsB;qBACxC;iBACF,CAAC,CAAC;YACL,CAAC;YACD,UAAU,EAAE,CAAC,IAAA,2BAAc,GAAE,CAAC;YAC9B,WAAW,EAAE,+CAA+C;SAC7D;QAED,4EAA4E;QAC5E;YACE,IAAI,EAAE,eAAe;YACrB,MAAM,EAAE,KAAK;YACb,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,EAAE;gBAChC,MAAM,IAAI,GAAG,cAAc,EAAE,CAAC;gBAC9B,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE;oBACxB,MAAM,EAAE,GAAG;oBACX,OAAO,EAAE;wBACP,cAAc,EAAE,iCAAiC;wBACjD,eAAe,EAAE,qBAAqB;qBACvC;iBACF,CAAC,CAAC;YACL,CAAC;YACD,UAAU,EAAE,CAAC,IAAA,2BAAc,GAAE,CAAC;YAC9B,WAAW,EAAE,2DAA2D;SACzE;QAED,4EAA4E;QAC5E;YACE,IAAI,EAAE,eAAe;YACrB,MAAM,EAAE,KAAK;YACb,OAAO,EAAE,KAAK,EAAE,QAAQ,EAAE,IAAI,EAAE,EAAE;gBAChC,MAAM,OAAO,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,GAAG,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;gBAC/E,MAAM,IAAI,GAAG;oBACX,mBAAmB,gBAAgB,EAAE;oBACrC,YAAY,OAAO,EAAE;oBACrB,yBAAyB;oBACzB,cAAc,sBAAsB,EAAE;oBACtC,WAAW,mBAAmB,EAAE;oBAChC,EAAE;iBACH,CAAC,IAAI,CAAC,IAAI,C
AAC,CAAC;gBAEb,OAAO,IAAI,QAAQ,CAAC,IAAI,EAAE;oBACxB,MAAM,EAAE,GAAG;oBACX,OAAO,EAAE;wBACP,cAAc,EAAE,2BAA2B;wBAC3C,eAAe,EAAE,uBAAuB;qBACzC;iBACF,CAAC,CAAC;YACL,CAAC;YACD,UAAU,EAAE,CAAC,IAAA,2BAAc,GAAE,CAAC;YAC9B,WAAW,EAAE,2BAA2B;SACzC;KACF,CAAC;AACJ,CAAC;AAED;;;;;;GAMG;AACU,QAAA,kBAAkB,GAAY,uBAAuB,CAAC,GAAG,EAAE,CAAC,EAAE,CAAC,CAAC"}
@@ -0,0 +1,18 @@
1
+ /**
2
+ * POST /api/auth/discover
3
+ *
4
+ * Pre-login sign-in discovery. Accepts an email address and returns either:
5
+ * - { method: "idp", idpRedirect: "...", tenantSlug: "..." } — federated tenant
6
+ * - { method: "password" } — everything else
7
+ *
8
+ * Security properties:
9
+ * - No auth required (pre-login endpoint).
10
+ * - Never leaks whether a domain is claimed but with a disabled IdP.
11
+ * - Rate-limited 30 req/min per source IP (DynamoDB token bucket via RATE_LIMIT_KV).
12
+ * - Timing-safe: always performs the DB query; pads short-circuit paths to a
13
+ * fixed minimum elapsed time so response-time analysis cannot distinguish
14
+ * federated from non-federated domains.
15
+ */
16
+ import type { Route } from "./types";
17
+ export declare const authDiscoverRoutes: Route[];
18
+ //# sourceMappingURL=auth-discover.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"auth-discover.d.ts","sourceRoot":"","sources":["../../../src/lib/routes/auth-discover.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;GAcG;AAEH,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,SAAS,CAAC;AAqJrC,eAAO,MAAM,kBAAkB,EAAE,KAAK,EAYrC,CAAC"}
@@ -0,0 +1,177 @@
1
+ "use strict";
2
+ /**
3
+ * POST /api/auth/discover
4
+ *
5
+ * Pre-login sign-in discovery. Accepts an email address and returns either:
6
+ * - { method: "idp", idpRedirect: "...", tenantSlug: "..." } — federated tenant
7
+ * - { method: "password" } — everything else
8
+ *
9
+ * Security properties:
10
+ * - No auth required (pre-login endpoint).
11
+ * - Never leaks whether a domain is claimed but with a disabled IdP.
12
+ * - Rate-limited 30 req/min per source IP (DynamoDB token bucket via RATE_LIMIT_KV).
13
+ * - Timing-safe: always performs the DB query; pads short-circuit paths to a
14
+ * fixed minimum elapsed time so response-time analysis cannot distinguish
15
+ * federated from non-federated domains.
16
+ */
17
+ var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
18
+ if (k2 === undefined) k2 = k;
19
+ var desc = Object.getOwnPropertyDescriptor(m, k);
20
+ if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
21
+ desc = { enumerable: true, get: function() { return m[k]; } };
22
+ }
23
+ Object.defineProperty(o, k2, desc);
24
+ }) : (function(o, m, k, k2) {
25
+ if (k2 === undefined) k2 = k;
26
+ o[k2] = m[k];
27
+ }));
28
+ var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
29
+ Object.defineProperty(o, "default", { enumerable: true, value: v });
30
+ }) : function(o, v) {
31
+ o["default"] = v;
32
+ });
33
+ var __importStar = (this && this.__importStar) || (function () {
34
+ var ownKeys = function(o) {
35
+ ownKeys = Object.getOwnPropertyNames || function (o) {
36
+ var ar = [];
37
+ for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
38
+ return ar;
39
+ };
40
+ return ownKeys(o);
41
+ };
42
+ return function (mod) {
43
+ if (mod && mod.__esModule) return mod;
44
+ var result = {};
45
+ if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
46
+ __setModuleDefault(result, mod);
47
+ return result;
48
+ };
49
+ })();
50
+ Object.defineProperty(exports, "__esModule", { value: true });
51
+ exports.authDiscoverRoutes = void 0;
52
+ const middleware_1 = require("../middleware");
53
+ const security_headers_1 = require("../security-headers");
54
+ const derive_domain_1 = require("../tenant/derive-domain");
55
+ const idp_redirect_builder_1 = require("../auth/idp-redirect-builder");
56
+ const idp_name_1 = require("../tenant/idp-name");
57
+ const rate_limit_1 = require("../rate-limit");
58
+ const errors_1 = require("./errors");
59
+ const RATE_LIMIT_PER_MIN = 30;
60
+ const WINDOW_SECONDS = 60;
61
+ const MIN_RESPONSE_MS = 80;
62
+ function passwordResponse() {
63
+ return new Response(JSON.stringify({ method: "password" }), { status: 200, headers: { "content-type": "application/json" } });
64
+ }
65
+ function tooManyRequests(retryAfter) {
66
+ const r = (0, errors_1.structuredError)(429, {
67
+ error: "RATE_LIMIT_EXCEEDED",
68
+ message: "Too many sign-in discovery requests. Please slow down.",
69
+ remediation: `Wait ${retryAfter} seconds before retrying.`,
70
+ });
71
+ // Attach Retry-After without re-constructing the body.
72
+ const headers = new Headers(r.headers);
73
+ headers.set("Retry-After", String(retryAfter));
74
+ return new Response(r.body, { status: 429, headers });
75
+ }
76
+ async function padToMinimum(startMs) {
77
+ const elapsed = Date.now() - startMs;
78
+ if (elapsed < MIN_RESPONSE_MS) {
79
+ await new Promise((resolve) => setTimeout(resolve, MIN_RESPONSE_MS - elapsed));
80
+ }
81
+ }
82
+ async function discoverHandler(request, env) {
83
+ const startMs = Date.now();
84
+ const rateLimiter = new rate_limit_1.RateLimiter();
85
+ const ip = request.headers.get("CF-Connecting-IP") ||
86
+ request.headers.get("X-Forwarded-For")?.split(",")[0]?.trim() ||
87
+ "unknown";
88
+ const rateLimitResult = await rateLimiter.checkRateLimitKV(env, request, "auth-discover", RATE_LIMIT_PER_MIN, WINDOW_SECONDS);
89
+ if (!rateLimitResult.allowed) {
90
+ const retryAfter = Math.ceil((rateLimitResult.resetAt - Date.now()) / 1000);
91
+ await padToMinimum(startMs);
92
+ return tooManyRequests(retryAfter);
93
+ }
94
+ let body;
95
+ try {
96
+ body = await request.json();
97
+ }
98
+ catch {
99
+ await padToMinimum(startMs);
100
+ return (0, errors_1.structuredError)(400, {
101
+ error: "INVALID_JSON",
102
+ message: "Request body must be valid JSON.",
103
+ remediation: "Ensure the request body is well-formed JSON with an 'email' field.",
104
+ });
105
+ }
106
+ const { z } = await Promise.resolve().then(() => __importStar(require("zod")));
107
+ const schema = z.object({ email: z.string() });
108
+ const parsed = schema.safeParse(body);
109
+ const emailDomain = parsed.success ? (0, derive_domain_1.deriveEmailDomain)(parsed.data.email) : null;
110
+ if (!emailDomain) {
111
+ await padToMinimum(startMs);
112
+ return (0, errors_1.structuredError)(400, {
113
+ error: "INVALID_EMAIL",
114
+ message: "A valid email address is required.",
115
+ remediation: "Provide a well-formed email address in the 'email' field.",
116
+ field: "email",
117
+ });
118
+ }
119
+ const { createPrisma } = await Promise.resolve().then(() => __importStar(require("../../db")));
120
+ const db = createPrisma(env);
121
+ try {
122
+ const row = await db.tenantDomain.findFirst({
123
+ where: {
124
+ domain: emailDomain,
125
+ verifiedAt: { not: null },
126
+ tenant: {
127
+ identityProvider: {
128
+ status: "ACTIVE",
129
+ },
130
+ },
131
+ },
132
+ select: {
133
+ tenant: {
134
+ select: {
135
+ id: true,
136
+ slug: true,
137
+ identityProvider: {
138
+ select: {
139
+ cognitoIdpName: true,
140
+ },
141
+ },
142
+ },
143
+ },
144
+ },
145
+ });
146
+ await padToMinimum(startMs);
147
+ if (!row?.tenant?.identityProvider) {
148
+ return passwordResponse();
149
+ }
150
+ const { tenant } = row;
151
+ const idpName = tenant.identityProvider.cognitoIdpName ?? (0, idp_name_1.cognitoIdpName)(tenant.id);
152
+ const config = (0, idp_redirect_builder_1.getIdpRedirectConfig)(env);
153
+ const idpRedirect = (0, idp_redirect_builder_1.buildIdpRedirectUrl)(config, {
154
+ cognitoIdpName: idpName,
155
+ tenantSlug: tenant.slug,
156
+ });
157
+ return new Response(JSON.stringify({ method: "idp", idpRedirect, tenantSlug: tenant.slug }), { status: 200, headers: { "content-type": "application/json" } });
158
+ }
159
+ catch (err) {
160
+ await padToMinimum(startMs);
161
+ throw err;
162
+ }
163
+ }
164
+ exports.authDiscoverRoutes = [
165
+ {
166
+ path: "/api/auth/discover",
167
+ method: "POST",
168
+ handler: async (request, env) => {
169
+ const securityHeaders = new security_headers_1.SecurityHeaders(env);
170
+ const response = await discoverHandler(request, env);
171
+ return securityHeaders.addSecurityHeaders(response);
172
+ },
173
+ middleware: [(0, middleware_1.corsMiddleware)()],
174
+ description: "Sign-in discovery: returns idp redirect or password fallback",
175
+ },
176
+ ];
177
+ //# sourceMappingURL=auth-discover.js.map
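Review bot: The `ip` local built from `CF-Connecting-IP` / `X-Forwarded-For` in discoverHandler is never read — `checkRateLimitKV` is handed `request` and derives its own key — so those three lines are dead code and should be removed, or wired in if the bucket was meant to be keyed on them (in which case note that the first `X-Forwarded-For` element is client-supplied and only meaningful behind a proxy that rewrites it). The `MIN_RESPONSE_MS` floor in padToMinimum only equalizes paths that finish under 80 ms; once the `tenantDomain.findFirst` query itself takes longer than that, any timing difference between the matched and unmatched branches is no longer masked, which is worth stating next to the constant, e.g. `// Floor, not a fixed budget: paths slower than this are not equalized.`. The header comment's "always performs the DB query" is also slightly stronger than the code, since the invalid-JSON and invalid-email branches return before the query and rely on the pad alone; rewording it to "pads every early return to MIN_RESPONSE_MS" would match what is implemented.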
@@ -0,0 +1 @@
1
+ {"version":3,"file":"auth-discover.js","sourceRoot":"","sources":["../../../src/lib/routes/auth-discover.ts"],"names":[],"mappings":";AAAA;;;;;;;;;;;;;;GAcG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAGH,8CAA+C;AAC/C,0DAAsD;AACtD,2DAA4D;AAC5D,uEAGsC;AACtC,iDAAoD;AACpD,8CAA4C;AAC5C,qCAA2C;AAG3C,MAAM,kBAAkB,GAAG,EAAE,CAAC;AAC9B,MAAM,cAAc,GAAG,EAAE,CAAC;AAC1B,MAAM,eAAe,GAAG,EAAE,CAAC;AAE3B,SAAS,gBAAgB;IACvB,OAAO,IAAI,QAAQ,CACjB,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,UAAU,EAAE,CAAC,EACtC,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,EAAE,CACjE,CAAC;AACJ,CAAC;AAED,SAAS,eAAe,CAAC,UAAkB;IACzC,MAAM,CAAC,GAAG,IAAA,wBAAe,EAAC,GAAG,EAAE;QAC7B,KAAK,EAAE,qBAAqB;QAC5B,OAAO,EAAE,wDAAwD;QACjE,WAAW,EAAE,QAAQ,UAAU,2BAA2B;KAC3D,CAAC,CAAC;IACH,uDAAuD;IACvD,MAAM,OAAO,GAAG,IAAI,OAAO,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC;IACvC,OAAO,CAAC,GAAG,CAAC,aAAa,EAAE,MAAM,CAAC,UAAU,CAAC,CAAC,CAAC;IAC/C,OAAO,IAAI,QAAQ,CAAC,CAAC,CAAC,IAAI,EAAE,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,CAAC,CAAC;AACxD,CAAC;AAED,KAAK,UAAU,YAAY,CAAC,OAAe;IACzC,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,GAAG,OAAO,CAAC;IACrC,IAAI,OAAO,GAAG,eAAe,EAAE,CAAC;QAC9B,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,OAAO,EAAE,eAAe,GAAG,OAAO,CAAC,CAAC,CAAC;IACvF,CAAC;AACH,CAAC;AAED,KAAK,UAAU,eAAe,CAAC,OAAgB,EAAE,GAAQ;IACvD,MAAM,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;IAE3B,MAAM,WAAW,GAAG,IAAI,wBAAW,EAAE,CAAC;IACtC,MAAM,EAAE,GACN,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,kBAAkB,CAAC;QACvC,OAAO,CAAC,OAAO,CAAC,GAAG,CAAC,iBAAiB,CAAC,EAAE,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,IAAI,EAAE;QAC7D,SAAS,CAAC;IAEZ,MAAM,eAAe,GAAG,MAAM,WAAW,CAAC,gBAAgB,CACxD,GAAG,EACH,OAAO,EACP,eAAe,EACf,kBAAkB,EAClB,cAAc,CACf,CAAC;IAEF,IAAI,CAAC,eAAe,CAAC,OAAO,EAAE,CAAC;QAC7B,MAAM,UAAU,GAAG,IAAI,CAAC,IAAI,CAAC,CAAC,eAAe,CAAC,OAAO,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC,GAAG,IAAI,CAAC,CAAC;QAC5E,MAAM,YAAY,CAAC,OAAO,CAAC,CAAC;QAC5B,OAAO,eAAe,CAAC,UAAU,CAAC,CAAC;IACrC,CAAC;IAED,IAAI,IAAa,CAAC;IAClB,IAAI,CAAC;QACH,IAAI,GAAG,MAAM,OAAO,CAAC,IAAI,EAAE,CAAC;IAC9B,CAAC;IAAC,MAAM,CAAC;QACP,MAAM,YAAY,CAAC,O
AAO,CAAC,CAAC;QAC5B,OAAO,IAAA,wBAAe,EAAC,GAAG,EAAE;YAC1B,KAAK,EAAE,cAAc;YACrB,OAAO,EAAE,kCAAkC;YAC3C,WAAW,EAAE,oEAAoE;SAClF,CAAC,CAAC;IACL,CAAC;IAED,MAAM,EAAE,CAAC,EAAE,GAAG,wDAAa,KAAK,GAAC,CAAC;IAClC,MAAM,MAAM,GAAG,CAAC,CAAC,MAAM,CAAC,EAAE,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;IAC/C,MAAM,MAAM,GAAG,MAAM,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC;IAEtC,MAAM,WAAW,GAAG,MAAM,CAAC,OAAO,CAAC,CAAC,CAAC,IAAA,iCAAiB,EAAC,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;IAEjF,IAAI,CAAC,WAAW,EAAE,CAAC;QACjB,MAAM,YAAY,CAAC,OAAO,CAAC,CAAC;QAC5B,OAAO,IAAA,wBAAe,EAAC,GAAG,EAAE;YAC1B,KAAK,EAAE,eAAe;YACtB,OAAO,EAAE,oCAAoC;YAC7C,WAAW,EAAE,2DAA2D;YACxE,KAAK,EAAE,OAAO;SACf,CAAC,CAAC;IACL,CAAC;IAED,MAAM,EAAE,YAAY,EAAE,GAAG,wDAAa,UAAU,GAAC,CAAC;IAClD,MAAM,EAAE,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC;IAE7B,IAAI,CAAC;QACH,MAAM,GAAG,GAAG,MAAM,EAAE,CAAC,YAAY,CAAC,SAAS,CAAC;YAC1C,KAAK,EAAE;gBACL,MAAM,EAAE,WAAW;gBACnB,UAAU,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE;gBACzB,MAAM,EAAE;oBACN,gBAAgB,EAAE;wBAChB,MAAM,EAAE,QAAQ;qBACjB;iBACF;aACF;YACD,MAAM,EAAE;gBACN,MAAM,EAAE;oBACN,MAAM,EAAE;wBACN,EAAE,EAAE,IAAI;wBACR,IAAI,EAAE,IAAI;wBACV,gBAAgB,EAAE;4BAChB,MAAM,EAAE;gCACN,cAAc,EAAE,IAAI;6BACrB;yBACF;qBACF;iBACF;aACF;SACF,CAAC,CAAC;QAEH,MAAM,YAAY,CAAC,OAAO,CAAC,CAAC;QAE5B,IAAI,CAAC,GAAG,EAAE,MAAM,EAAE,gBAAgB,EAAE,CAAC;YACnC,OAAO,gBAAgB,EAAE,CAAC;QAC5B,CAAC;QAED,MAAM,EAAE,MAAM,EAAE,GAAG,GAAG,CAAC;QACvB,MAAM,OAAO,GACX,MAAM,CAAC,gBAAiB,CAAC,cAAc,IAAI,IAAA,yBAAc,EAAC,MAAM,CAAC,EAAE,CAAC,CAAC;QAEvE,MAAM,MAAM,GAAG,IAAA,2CAAoB,EAAC,GAAG,CAAC,CAAC;QACzC,MAAM,WAAW,GAAG,IAAA,0CAAmB,EAAC,MAAM,EAAE;YAC9C,cAAc,EAAE,OAAO;YACvB,UAAU,EAAE,MAAM,CAAC,IAAI;SACxB,CAAC,CAAC;QAEH,OAAO,IAAI,QAAQ,CACjB,IAAI,CAAC,SAAS,CAAC,EAAE,MAAM,EAAE,KAAK,EAAE,WAAW,EAAE,UAAU,EAAE,MAAM,CAAC,IAAI,EAAE,CAAC,EACvE,EAAE,MAAM,EAAE,GAAG,EAAE,OAAO,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,EAAE,CACjE,CAAC;IACJ,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,MAAM,YAAY,CAAC,OAAO,CAAC,CAAC;QAC5B,MAAM,GAAG,CAAC;IACZ,CAAC;AACH,CAAC;AAEY,QAAA,kBAAkB,GAAY;IACzC;QACE,IAAI,EAAE,oBAAoB;QAC1B,MAAM,EAAE
,MAAM;QACd,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,EAAE,EAAE;YAC9B,MAAM,eAAe,GAAG,IAAI,kCAAe,CAAC,GAAG,CAAC,CAAC;YACjD,MAAM,QAAQ,GAAG,MAAM,eAAe,CAAC,OAAO,EAAE,GAAG,CAAC,CAAC;YACrD,OAAO,eAAe,CAAC,kBAAkB,CAAC,QAAQ,CAAC,CAAC;QACtD,CAAC;QACD,UAAU,EAAE,CAAC,IAAA,2BAAc,GAAE,CAAC;QAC9B,WAAW,EAAE,8DAA8D;KAC5E;CACF,CAAC"}
@@ -1 +1 @@
1
- {"version":3,"file":"comments.d.ts","sourceRoot":"","sources":["../../../src/lib/routes/comments.ts"],"names":[],"mappings":"AAAA;;GAEG;AAWH,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,SAAS,CAAC;AAErC,eAAO,MAAM,cAAc,EAAE,KAAK,EA8WjC,CAAC"}
1
+ {"version":3,"file":"comments.d.ts","sourceRoot":"","sources":["../../../src/lib/routes/comments.ts"],"names":[],"mappings":"AAAA;;GAEG;AAYH,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,SAAS,CAAC;AAErC,eAAO,MAAM,cAAc,EAAE,KAAK,EA6ajC,CAAC"}
@@ -5,6 +5,7 @@
5
5
  Object.defineProperty(exports, "__esModule", { value: true });
6
6
  exports.commentsRoutes = void 0;
7
7
  const comment_handler_1 = require("../comment-handler");
8
+ const auth_middleware_1 = require("../auth/auth-middleware");
8
9
  const logger_1 = require("../logger");
9
10
  const middleware_1 = require("../middleware");
10
11
  const schemas_1 = require("../schemas");
@@ -27,12 +28,16 @@ exports.commentsRoutes = [
27
28
  if (!session) {
28
29
  return securityHeaders.createSecureResponse(JSON.stringify({ error: "Unauthorized" }), { status: 401, headers: { "content-type": "application/json" } });
29
30
  }
31
+ const auth = await (0, auth_middleware_1.authMiddleware)(request, env);
32
+ if (!auth || !auth.activeTenantId) {
33
+ return securityHeaders.createSecureResponse(JSON.stringify({ error: "Unauthorized" }), { status: 401, headers: { "content-type": "application/json" } });
34
+ }
30
35
  try {
31
36
  if (!requestContext) {
32
37
  return securityHeaders.createSecureResponse(JSON.stringify({ error: "Request context not available" }), { status: 500, headers: { "content-type": "application/json" } });
33
38
  }
34
39
  const postId = pathname.split("/api/posts/")[1].split("/comments")[0];
35
- const response = await commentHandler.createComment(postId, request, session, env, requestContext);
40
+ const response = await commentHandler.createComment(postId, request, session, env, requestContext, auth.activeTenantId);
36
41
  return securityHeaders.addSecurityHeaders(response);
37
42
  }
38
43
  catch (error) {
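Review bot: The four-line `authMiddleware` / `activeTenantId` guard added here is pasted verbatim into six more handlers in this file (the hunks at `@@ -56,6 +61,10 @@`, `@@ -90,12 +99,16 @@`, `@@ -119,6 +132,10 @@`, `@@ -150,12 +167,16 @@`, `@@ -179,12 +200,16 @@` and `@@ -208,12 +233,16 @@`), so a future change to the tenant check has seven places to miss; a small shared helper keeps the check in one spot. The route already rejects on `!session` just above, and whether `authMiddleware` re-validates the same credentials or only resolves the tenant cannot be seen from here — if it is the latter, a session that is valid but has no active tenant now gets the same `"Unauthorized"` 401 as a missing session, which is hard to diagnose from a client; a distinct message (or 403) would separate the two cases. The enclosing handler functions start and end outside these hunks.
```javascript
// Shared guard for the comments handlers: resolves the caller's active tenant
// or yields the same 401 the routes already return.
async function requireActiveTenant(request, env, securityHeaders) {
  const auth = await (0, auth_middleware_1.authMiddleware)(request, env);
  if (!auth || !auth.activeTenantId) {
    return { response: securityHeaders.createSecureResponse(JSON.stringify({ error: "Unauthorized" }), { status: 401, headers: { "content-type": "application/json" } }) };
  }
  return { tenantId: auth.activeTenantId };
}
// … at each call site, replacing the four added lines …
const tenant = await requireActiveTenant(request, env, securityHeaders);
if (tenant.response) return tenant.response;
// … unchanged: try / requestContext check / postId parsing …
const response = await commentHandler.createComment(postId, request, session, env, requestContext, tenant.tenantId);
```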
@@ -56,6 +61,10 @@ exports.commentsRoutes = [
56
61
  if (!session) {
57
62
  return securityHeaders.createSecureResponse(JSON.stringify({ error: "Unauthorized" }), { status: 401, headers: { "content-type": "application/json" } });
58
63
  }
64
+ const auth = await (0, auth_middleware_1.authMiddleware)(request, env);
65
+ if (!auth || !auth.activeTenantId) {
66
+ return securityHeaders.createSecureResponse(JSON.stringify({ error: "Unauthorized" }), { status: 401, headers: { "content-type": "application/json" } });
67
+ }
59
68
  try {
60
69
  if (!requestContext) {
61
70
  return securityHeaders.createSecureResponse(JSON.stringify({ error: "Request context not available" }), { status: 500, headers: { "content-type": "application/json" } });
@@ -66,7 +75,7 @@ exports.commentsRoutes = [
66
75
  return securityHeaders.addSecurityHeaders(queryValidation.error);
67
76
  }
68
77
  const { limit, cursor } = queryValidation.data;
69
- const response = await commentHandler.getComments(postId, request, session, { limit, cursor }, env, requestContext);
78
+ const response = await commentHandler.getComments(postId, request, session, { limit, cursor }, env, requestContext, auth.activeTenantId);
70
79
  return securityHeaders.addSecurityHeaders(response);
71
80
  }
72
81
  catch (error) {
@@ -90,12 +99,16 @@ exports.commentsRoutes = [
90
99
  if (!session) {
91
100
  return securityHeaders.createSecureResponse(JSON.stringify({ error: "Unauthorized" }), { status: 401, headers: { "content-type": "application/json" } });
92
101
  }
102
+ const auth = await (0, auth_middleware_1.authMiddleware)(request, env);
103
+ if (!auth || !auth.activeTenantId) {
104
+ return securityHeaders.createSecureResponse(JSON.stringify({ error: "Unauthorized" }), { status: 401, headers: { "content-type": "application/json" } });
105
+ }
93
106
  try {
94
107
  if (!requestContext) {
95
108
  return securityHeaders.createSecureResponse(JSON.stringify({ error: "Request context not available" }), { status: 500, headers: { "content-type": "application/json" } });
96
109
  }
97
110
  const commentId = pathname.split("/api/comments/")[1].split("/hide")[0];
98
- const response = await commentHandler.hideComment(commentId, request, session, env, requestContext);
111
+ const response = await commentHandler.hideComment(commentId, request, session, env, requestContext, auth.activeTenantId);
99
112
  return securityHeaders.addSecurityHeaders(response);
100
113
  }
101
114
  catch (error) {
@@ -119,6 +132,10 @@ exports.commentsRoutes = [
119
132
  if (!session) {
120
133
  return securityHeaders.createSecureResponse(JSON.stringify({ error: "Unauthorized" }), { status: 401, headers: { "content-type": "application/json" } });
121
134
  }
135
+ const auth = await (0, auth_middleware_1.authMiddleware)(request, env);
136
+ if (!auth || !auth.activeTenantId) {
137
+ return securityHeaders.createSecureResponse(JSON.stringify({ error: "Unauthorized" }), { status: 401, headers: { "content-type": "application/json" } });
138
+ }
122
139
  try {
123
140
  if (!requestContext) {
124
141
  return securityHeaders.createSecureResponse(JSON.stringify({ error: "Request context not available" }), { status: 500, headers: { "content-type": "application/json" } });
@@ -126,7 +143,7 @@ exports.commentsRoutes = [
126
143
  const commentId = pathname
127
144
  .split("/api/comments/")[1]
128
145
  .split("/unhide")[0];
129
- const response = await commentHandler.unhideComment(commentId, request, session, env, requestContext);
146
+ const response = await commentHandler.unhideComment(commentId, request, session, env, requestContext, auth.activeTenantId);
130
147
  return securityHeaders.addSecurityHeaders(response);
131
148
  }
132
149
  catch (error) {
@@ -150,12 +167,16 @@ exports.commentsRoutes = [
150
167
  if (!session) {
151
168
  return securityHeaders.createSecureResponse(JSON.stringify({ error: "Unauthorized" }), { status: 401, headers: { "content-type": "application/json" } });
152
169
  }
170
+ const auth = await (0, auth_middleware_1.authMiddleware)(request, env);
171
+ if (!auth || !auth.activeTenantId) {
172
+ return securityHeaders.createSecureResponse(JSON.stringify({ error: "Unauthorized" }), { status: 401, headers: { "content-type": "application/json" } });
173
+ }
153
174
  try {
154
175
  if (!requestContext) {
155
176
  return securityHeaders.createSecureResponse(JSON.stringify({ error: "Request context not available" }), { status: 500, headers: { "content-type": "application/json" } });
156
177
  }
157
178
  const commentId = pathname.split("/api/comments/")[1];
158
- const response = await commentHandler.editComment(commentId, request, session, env, requestContext);
179
+ const response = await commentHandler.editComment(commentId, request, session, env, requestContext, auth.activeTenantId);
159
180
  return securityHeaders.addSecurityHeaders(response);
160
181
  }
161
182
  catch (error) {
@@ -179,12 +200,16 @@ exports.commentsRoutes = [
179
200
  if (!session) {
180
201
  return securityHeaders.createSecureResponse(JSON.stringify({ error: "Unauthorized" }), { status: 401, headers: { "content-type": "application/json" } });
181
202
  }
203
+ const auth = await (0, auth_middleware_1.authMiddleware)(request, env);
204
+ if (!auth || !auth.activeTenantId) {
205
+ return securityHeaders.createSecureResponse(JSON.stringify({ error: "Unauthorized" }), { status: 401, headers: { "content-type": "application/json" } });
206
+ }
182
207
  try {
183
208
  if (!requestContext) {
184
209
  return securityHeaders.createSecureResponse(JSON.stringify({ error: "Request context not available" }), { status: 500, headers: { "content-type": "application/json" } });
185
210
  }
186
211
  const commentId = pathname.split("/api/comments/")[1];
187
- const response = await commentHandler.deleteComment(commentId, request, session, env, requestContext);
212
+ const response = await commentHandler.deleteComment(commentId, request, session, env, requestContext, auth.activeTenantId);
188
213
  return securityHeaders.addSecurityHeaders(response);
189
214
  }
190
215
  catch (error) {
@@ -208,12 +233,16 @@ exports.commentsRoutes = [
208
233
  if (!session) {
209
234
  return securityHeaders.createSecureResponse(JSON.stringify({ error: "Unauthorized" }), { status: 401, headers: { "content-type": "application/json" } });
210
235
  }
236
+ const auth = await (0, auth_middleware_1.authMiddleware)(request, env);
237
+ if (!auth || !auth.activeTenantId) {
238
+ return securityHeaders.createSecureResponse(JSON.stringify({ error: "Unauthorized" }), { status: 401, headers: { "content-type": "application/json" } });
239
+ }
211
240
  try {
212
241
  if (!requestContext) {
213
242
  return securityHeaders.createSecureResponse(JSON.stringify({ error: "Request context not available" }), { status: 500, headers: { "content-type": "application/json" } });
214
243
  }
215
244
  const parentCommentId = pathname.split("/api/comments/")[1].split("/replies")[0];
216
- const response = await commentHandler.createReply(parentCommentId, request, session, env, requestContext);
245
+ const response = await commentHandler.createReply(parentCommentId, request, session, env, requestContext, auth.activeTenantId);
217
246
  return securityHeaders.addSecurityHeaders(response);
218
247
  }
219
248
  catch (error) {