@de-otio/trellis 0.6.1 → 0.7.0

Files changed (339) hide show
  1. package/dist/env.d.ts +21 -0
  2. package/dist/env.d.ts.map +1 -1
  3. package/dist/env.js +12 -0
  4. package/dist/env.js.map +1 -1
  5. package/dist/lambda/nightly-cron.d.ts.map +1 -1
  6. package/dist/lambda/nightly-cron.js +5 -2
  7. package/dist/lambda/nightly-cron.js.map +1 -1
  8. package/dist/lambda/post-confirmation.d.ts +30 -0
  9. package/dist/lambda/post-confirmation.d.ts.map +1 -1
  10. package/dist/lambda/post-confirmation.js +333 -29
  11. package/dist/lambda/post-confirmation.js.map +1 -1
  12. package/dist/lambda/pre-token-generation.d.ts +20 -0
  13. package/dist/lambda/pre-token-generation.d.ts.map +1 -1
  14. package/dist/lambda/pre-token-generation.js +233 -48
  15. package/dist/lambda/pre-token-generation.js.map +1 -1
  16. package/dist/lib/activitypub/activity-processor.d.ts.map +1 -1
  17. package/dist/lib/activitypub/activity-processor.js +2 -1
  18. package/dist/lib/activitypub/activity-processor.js.map +1 -1
  19. package/dist/lib/activitypub/group-service.d.ts +2 -2
  20. package/dist/lib/activitypub/group-service.d.ts.map +1 -1
  21. package/dist/lib/activitypub/group-service.js +5 -2
  22. package/dist/lib/activitypub/group-service.js.map +1 -1
  23. package/dist/lib/age-tier-transition.d.ts.map +1 -1
  24. package/dist/lib/age-tier-transition.js +19 -10
  25. package/dist/lib/age-tier-transition.js.map +1 -1
  26. package/dist/lib/audit/csv-export.d.ts +25 -0
  27. package/dist/lib/audit/csv-export.d.ts.map +1 -0
  28. package/dist/lib/audit/csv-export.js +54 -0
  29. package/dist/lib/audit/csv-export.js.map +1 -0
  30. package/dist/lib/audit/emit.d.ts +56 -0
  31. package/dist/lib/audit/emit.d.ts.map +1 -0
  32. package/dist/lib/audit/emit.js +124 -0
  33. package/dist/lib/audit/emit.js.map +1 -0
  34. package/dist/lib/audit/event-types.d.ts +36 -0
  35. package/dist/lib/audit/event-types.d.ts.map +1 -0
  36. package/dist/lib/audit/event-types.js +69 -0
  37. package/dist/lib/audit/event-types.js.map +1 -0
  38. package/dist/lib/audit/pii-filter.d.ts +22 -0
  39. package/dist/lib/audit/pii-filter.d.ts.map +1 -0
  40. package/dist/lib/audit/pii-filter.js +51 -0
  41. package/dist/lib/audit/pii-filter.js.map +1 -0
  42. package/dist/lib/audit-logger.js +1 -1
  43. package/dist/lib/audit-logger.js.map +1 -1
  44. package/dist/lib/auth/auth-context.d.ts +34 -0
  45. package/dist/lib/auth/auth-context.d.ts.map +1 -0
  46. package/dist/lib/auth/auth-context.js +10 -0
  47. package/dist/lib/auth/auth-context.js.map +1 -0
  48. package/dist/lib/auth/auth-middleware.d.ts +50 -0
  49. package/dist/lib/auth/auth-middleware.d.ts.map +1 -0
  50. package/dist/lib/auth/auth-middleware.js +153 -0
  51. package/dist/lib/auth/auth-middleware.js.map +1 -0
  52. package/dist/lib/auth/capabilities.d.ts +40 -0
  53. package/dist/lib/auth/capabilities.d.ts.map +1 -0
  54. package/dist/lib/auth/capabilities.js +44 -0
  55. package/dist/lib/auth/capabilities.js.map +1 -0
  56. package/dist/lib/auth/claims-cache.d.ts +70 -0
  57. package/dist/lib/auth/claims-cache.d.ts.map +1 -0
  58. package/dist/lib/auth/claims-cache.js +139 -0
  59. package/dist/lib/auth/claims-cache.js.map +1 -0
  60. package/dist/lib/auth/cognito-jwt.d.ts +6 -0
  61. package/dist/lib/auth/cognito-jwt.d.ts.map +1 -1
  62. package/dist/lib/auth/cognito-jwt.js.map +1 -1
  63. package/dist/lib/auth/idp-redirect-builder.d.ts +43 -0
  64. package/dist/lib/auth/idp-redirect-builder.d.ts.map +1 -0
  65. package/dist/lib/auth/idp-redirect-builder.js +48 -0
  66. package/dist/lib/auth/idp-redirect-builder.js.map +1 -0
  67. package/dist/lib/auth/require.d.ts +51 -0
  68. package/dist/lib/auth/require.d.ts.map +1 -0
  69. package/dist/lib/auth/require.js +99 -0
  70. package/dist/lib/auth/require.js.map +1 -0
  71. package/dist/lib/auth/role-grants.d.ts +18 -0
  72. package/dist/lib/auth/role-grants.d.ts.map +1 -0
  73. package/dist/lib/auth/role-grants.js +62 -0
  74. package/dist/lib/auth/role-grants.js.map +1 -0
  75. package/dist/lib/cognito/idp-sdk.d.ts +80 -0
  76. package/dist/lib/cognito/idp-sdk.d.ts.map +1 -0
  77. package/dist/lib/cognito/idp-sdk.js +186 -0
  78. package/dist/lib/cognito/idp-sdk.js.map +1 -0
  79. package/dist/lib/cognito/issuer-probe.d.ts +47 -0
  80. package/dist/lib/cognito/issuer-probe.d.ts.map +1 -0
  81. package/dist/lib/cognito/issuer-probe.js +319 -0
  82. package/dist/lib/cognito/issuer-probe.js.map +1 -0
  83. package/dist/lib/comment-handler.d.ts +7 -7
  84. package/dist/lib/comment-handler.d.ts.map +1 -1
  85. package/dist/lib/comment-handler.js +23 -20
  86. package/dist/lib/comment-handler.js.map +1 -1
  87. package/dist/lib/compliance/baseline.d.ts +15 -0
  88. package/dist/lib/compliance/baseline.d.ts.map +1 -0
  89. package/dist/lib/compliance/baseline.js +205 -0
  90. package/dist/lib/compliance/baseline.js.map +1 -0
  91. package/dist/lib/compliance/tenant-merge.d.ts +35 -0
  92. package/dist/lib/compliance/tenant-merge.d.ts.map +1 -0
  93. package/dist/lib/compliance/tenant-merge.js +80 -0
  94. package/dist/lib/compliance/tenant-merge.js.map +1 -0
  95. package/dist/lib/compliance/types.d.ts +135 -0
  96. package/dist/lib/compliance/types.d.ts.map +1 -0
  97. package/dist/lib/compliance/types.js +9 -0
  98. package/dist/lib/compliance/types.js.map +1 -0
  99. package/dist/lib/connection-code-handler.d.ts +4 -4
  100. package/dist/lib/connection-code-handler.d.ts.map +1 -1
  101. package/dist/lib/connection-code-handler.js +21 -11
  102. package/dist/lib/connection-code-handler.js.map +1 -1
  103. package/dist/lib/feed-handler.d.ts +2 -2
  104. package/dist/lib/feed-handler.d.ts.map +1 -1
  105. package/dist/lib/feed-handler.js +5 -9
  106. package/dist/lib/feed-handler.js.map +1 -1
  107. package/dist/lib/middleware/idempotency-store.d.ts +86 -0
  108. package/dist/lib/middleware/idempotency-store.d.ts.map +1 -0
  109. package/dist/lib/middleware/idempotency-store.js +109 -0
  110. package/dist/lib/middleware/idempotency-store.js.map +1 -0
  111. package/dist/lib/middleware/idempotency.d.ts +37 -0
  112. package/dist/lib/middleware/idempotency.d.ts.map +1 -0
  113. package/dist/lib/middleware/idempotency.js +358 -0
  114. package/dist/lib/middleware/idempotency.js.map +1 -0
  115. package/dist/lib/net/trusted-client-ip.d.ts +39 -0
  116. package/dist/lib/net/trusted-client-ip.d.ts.map +1 -0
  117. package/dist/lib/net/trusted-client-ip.js +100 -0
  118. package/dist/lib/net/trusted-client-ip.js.map +1 -0
  119. package/dist/lib/notification-handler.d.ts +5 -5
  120. package/dist/lib/notification-handler.d.ts.map +1 -1
  121. package/dist/lib/notification-handler.js +11 -9
  122. package/dist/lib/notification-handler.js.map +1 -1
  123. package/dist/lib/oauth/cognito-issuer.d.ts +34 -0
  124. package/dist/lib/oauth/cognito-issuer.d.ts.map +1 -0
  125. package/dist/lib/oauth/cognito-issuer.js +53 -0
  126. package/dist/lib/oauth/cognito-issuer.js.map +1 -0
  127. package/dist/lib/oauth/device-authorization.d.ts +145 -0
  128. package/dist/lib/oauth/device-authorization.d.ts.map +1 -0
  129. package/dist/lib/oauth/device-authorization.js +312 -0
  130. package/dist/lib/oauth/device-authorization.js.map +1 -0
  131. package/dist/lib/oauth/envelope-crypto.d.ts +101 -0
  132. package/dist/lib/oauth/envelope-crypto.d.ts.map +1 -0
  133. package/dist/lib/oauth/envelope-crypto.js +223 -0
  134. package/dist/lib/oauth/envelope-crypto.js.map +1 -0
  135. package/dist/lib/oauth/refresh-detection.d.ts +126 -0
  136. package/dist/lib/oauth/refresh-detection.d.ts.map +1 -0
  137. package/dist/lib/oauth/refresh-detection.js +248 -0
  138. package/dist/lib/oauth/refresh-detection.js.map +1 -0
  139. package/dist/lib/openapi/generator.d.ts +78 -0
  140. package/dist/lib/openapi/generator.d.ts.map +1 -0
  141. package/dist/lib/openapi/generator.js +201 -0
  142. package/dist/lib/openapi/generator.js.map +1 -0
  143. package/dist/lib/post-handler.d.ts +1 -1
  144. package/dist/lib/post-handler.d.ts.map +1 -1
  145. package/dist/lib/post-handler.js +4 -15
  146. package/dist/lib/post-handler.js.map +1 -1
  147. package/dist/lib/rate-limit.d.ts.map +1 -1
  148. package/dist/lib/rate-limit.js +11 -3
  149. package/dist/lib/rate-limit.js.map +1 -1
  150. package/dist/lib/routes/agent-authorize.d.ts +32 -0
  151. package/dist/lib/routes/agent-authorize.d.ts.map +1 -0
  152. package/dist/lib/routes/agent-authorize.js +479 -0
  153. package/dist/lib/routes/agent-authorize.js.map +1 -0
  154. package/dist/lib/routes/agent-sessions.d.ts +20 -0
  155. package/dist/lib/routes/agent-sessions.d.ts.map +1 -0
  156. package/dist/lib/routes/agent-sessions.js +124 -0
  157. package/dist/lib/routes/agent-sessions.js.map +1 -0
  158. package/dist/lib/routes/agent-surface.d.ts +37 -0
  159. package/dist/lib/routes/agent-surface.d.ts.map +1 -0
  160. package/dist/lib/routes/agent-surface.js +208 -0
  161. package/dist/lib/routes/agent-surface.js.map +1 -0
  162. package/dist/lib/routes/auth-discover.d.ts +18 -0
  163. package/dist/lib/routes/auth-discover.d.ts.map +1 -0
  164. package/dist/lib/routes/auth-discover.js +177 -0
  165. package/dist/lib/routes/auth-discover.js.map +1 -0
  166. package/dist/lib/routes/comments.d.ts.map +1 -1
  167. package/dist/lib/routes/comments.js +36 -7
  168. package/dist/lib/routes/comments.js.map +1 -1
  169. package/dist/lib/routes/connection-codes.d.ts.map +1 -1
  170. package/dist/lib/routes/connection-codes.js +21 -4
  171. package/dist/lib/routes/connection-codes.js.map +1 -1
  172. package/dist/lib/routes/content-discovery.d.ts.map +1 -1
  173. package/dist/lib/routes/content-discovery.js +18 -13
  174. package/dist/lib/routes/content-discovery.js.map +1 -1
  175. package/dist/lib/routes/dashboard.js +1 -1
  176. package/dist/lib/routes/dashboard.js.map +1 -1
  177. package/dist/lib/routes/employees.d.ts.map +1 -1
  178. package/dist/lib/routes/employees.js +57 -15
  179. package/dist/lib/routes/employees.js.map +1 -1
  180. package/dist/lib/routes/entities.d.ts.map +1 -1
  181. package/dist/lib/routes/entities.js +35 -19
  182. package/dist/lib/routes/entities.js.map +1 -1
  183. package/dist/lib/routes/errors.d.ts +34 -0
  184. package/dist/lib/routes/errors.d.ts.map +1 -0
  185. package/dist/lib/routes/errors.js +57 -0
  186. package/dist/lib/routes/errors.js.map +1 -0
  187. package/dist/lib/routes/feeds.d.ts.map +1 -1
  188. package/dist/lib/routes/feeds.js +12 -2
  189. package/dist/lib/routes/feeds.js.map +1 -1
  190. package/dist/lib/routes/index.d.ts.map +1 -1
  191. package/dist/lib/routes/index.js +50 -0
  192. package/dist/lib/routes/index.js.map +1 -1
  193. package/dist/lib/routes/mfa.d.ts.map +1 -1
  194. package/dist/lib/routes/mfa.js +1 -0
  195. package/dist/lib/routes/mfa.js.map +1 -1
  196. package/dist/lib/routes/notifications.d.ts.map +1 -1
  197. package/dist/lib/routes/notifications.js +21 -4
  198. package/dist/lib/routes/notifications.js.map +1 -1
  199. package/dist/lib/routes/oauth.d.ts +15 -0
  200. package/dist/lib/routes/oauth.d.ts.map +1 -0
  201. package/dist/lib/routes/oauth.js +139 -0
  202. package/dist/lib/routes/oauth.js.map +1 -0
  203. package/dist/lib/routes/posts.d.ts.map +1 -1
  204. package/dist/lib/routes/posts.js +30 -19
  205. package/dist/lib/routes/posts.js.map +1 -1
  206. package/dist/lib/routes/products.d.ts.map +1 -1
  207. package/dist/lib/routes/products.js +19 -22
  208. package/dist/lib/routes/products.js.map +1 -1
  209. package/dist/lib/routes/setup-status.d.ts +34 -0
  210. package/dist/lib/routes/setup-status.d.ts.map +1 -0
  211. package/dist/lib/routes/setup-status.js +87 -0
  212. package/dist/lib/routes/setup-status.js.map +1 -0
  213. package/dist/lib/routes/taxonomy-analytics.d.ts.map +1 -1
  214. package/dist/lib/routes/taxonomy-analytics.js +15 -14
  215. package/dist/lib/routes/taxonomy-analytics.js.map +1 -1
  216. package/dist/lib/routes/taxonomy.d.ts.map +1 -1
  217. package/dist/lib/routes/taxonomy.js +19 -16
  218. package/dist/lib/routes/taxonomy.js.map +1 -1
  219. package/dist/lib/routes/tenant-audit.d.ts +19 -0
  220. package/dist/lib/routes/tenant-audit.d.ts.map +1 -0
  221. package/dist/lib/routes/tenant-audit.js +244 -0
  222. package/dist/lib/routes/tenant-audit.js.map +1 -0
  223. package/dist/lib/routes/tenant-compliance.d.ts +21 -0
  224. package/dist/lib/routes/tenant-compliance.d.ts.map +1 -0
  225. package/dist/lib/routes/tenant-compliance.js +122 -0
  226. package/dist/lib/routes/tenant-compliance.js.map +1 -0
  227. package/dist/lib/routes/tenant-domains.d.ts +11 -0
  228. package/dist/lib/routes/tenant-domains.d.ts.map +1 -0
  229. package/dist/lib/routes/tenant-domains.js +95 -0
  230. package/dist/lib/routes/tenant-domains.js.map +1 -0
  231. package/dist/lib/routes/tenant-idp.d.ts +3 -0
  232. package/dist/lib/routes/tenant-idp.d.ts.map +1 -0
  233. package/dist/lib/routes/tenant-idp.js +89 -0
  234. package/dist/lib/routes/tenant-idp.js.map +1 -0
  235. package/dist/lib/routes/tenant-members.d.ts +13 -0
  236. package/dist/lib/routes/tenant-members.d.ts.map +1 -0
  237. package/dist/lib/routes/tenant-members.js +75 -0
  238. package/dist/lib/routes/tenant-members.js.map +1 -0
  239. package/dist/lib/routes/tenant-role-mappings.d.ts +11 -0
  240. package/dist/lib/routes/tenant-role-mappings.d.ts.map +1 -0
  241. package/dist/lib/routes/tenant-role-mappings.js +90 -0
  242. package/dist/lib/routes/tenant-role-mappings.js.map +1 -0
  243. package/dist/lib/routes/tenants.d.ts +13 -0
  244. package/dist/lib/routes/tenants.d.ts.map +1 -0
  245. package/dist/lib/routes/tenants.js +121 -0
  246. package/dist/lib/routes/tenants.js.map +1 -0
  247. package/dist/lib/routes/types.d.ts +9 -0
  248. package/dist/lib/routes/types.d.ts.map +1 -1
  249. package/dist/lib/schemas.d.ts +2 -2
  250. package/dist/lib/secrets/idp-secrets.d.ts +51 -0
  251. package/dist/lib/secrets/idp-secrets.d.ts.map +1 -0
  252. package/dist/lib/secrets/idp-secrets.js +111 -0
  253. package/dist/lib/secrets/idp-secrets.js.map +1 -0
  254. package/dist/lib/security-monitor.d.ts.map +1 -1
  255. package/dist/lib/security-monitor.js +6 -1
  256. package/dist/lib/security-monitor.js.map +1 -1
  257. package/dist/lib/session-manager.d.ts +1 -0
  258. package/dist/lib/session-manager.d.ts.map +1 -1
  259. package/dist/lib/session-manager.js.map +1 -1
  260. package/dist/lib/taxonomy-handler-factory.d.ts +4 -2
  261. package/dist/lib/taxonomy-handler-factory.d.ts.map +1 -1
  262. package/dist/lib/taxonomy-handler-factory.js +8 -7
  263. package/dist/lib/taxonomy-handler-factory.js.map +1 -1
  264. package/dist/lib/tenant/audit-emit.d.ts +18 -0
  265. package/dist/lib/tenant/audit-emit.d.ts.map +1 -0
  266. package/dist/lib/tenant/audit-emit.js +16 -0
  267. package/dist/lib/tenant/audit-emit.js.map +1 -0
  268. package/dist/lib/tenant/derive-domain.d.ts +19 -0
  269. package/dist/lib/tenant/derive-domain.d.ts.map +1 -0
  270. package/dist/lib/tenant/derive-domain.js +38 -0
  271. package/dist/lib/tenant/derive-domain.js.map +1 -0
  272. package/dist/lib/tenant/domain-handler.d.ts +42 -0
  273. package/dist/lib/tenant/domain-handler.d.ts.map +1 -0
  274. package/dist/lib/tenant/domain-handler.js +344 -0
  275. package/dist/lib/tenant/domain-handler.js.map +1 -0
  276. package/dist/lib/tenant/domain-validator.d.ts +28 -0
  277. package/dist/lib/tenant/domain-validator.d.ts.map +1 -0
  278. package/dist/lib/tenant/domain-validator.js +145 -0
  279. package/dist/lib/tenant/domain-validator.js.map +1 -0
  280. package/dist/lib/tenant/domain-verifier.d.ts +30 -0
  281. package/dist/lib/tenant/domain-verifier.d.ts.map +1 -0
  282. package/dist/lib/tenant/domain-verifier.js +53 -0
  283. package/dist/lib/tenant/domain-verifier.js.map +1 -0
  284. package/dist/lib/tenant/idp-handler.d.ts +29 -0
  285. package/dist/lib/tenant/idp-handler.d.ts.map +1 -0
  286. package/dist/lib/tenant/idp-handler.js +693 -0
  287. package/dist/lib/tenant/idp-handler.js.map +1 -0
  288. package/dist/lib/tenant/idp-name.d.ts +2 -0
  289. package/dist/lib/tenant/idp-name.d.ts.map +1 -0
  290. package/dist/lib/tenant/idp-name.js +20 -0
  291. package/dist/lib/tenant/idp-name.js.map +1 -0
  292. package/dist/lib/tenant/member-handler.d.ts +31 -0
  293. package/dist/lib/tenant/member-handler.d.ts.map +1 -0
  294. package/dist/lib/tenant/member-handler.js +343 -0
  295. package/dist/lib/tenant/member-handler.js.map +1 -0
  296. package/dist/lib/tenant/reserved-slugs.d.ts +37 -0
  297. package/dist/lib/tenant/reserved-slugs.d.ts.map +1 -0
  298. package/dist/lib/tenant/reserved-slugs.js +116 -0
  299. package/dist/lib/tenant/reserved-slugs.js.map +1 -0
  300. package/dist/lib/tenant/resolve-role.d.ts +39 -0
  301. package/dist/lib/tenant/resolve-role.d.ts.map +1 -0
  302. package/dist/lib/tenant/resolve-role.js +60 -0
  303. package/dist/lib/tenant/resolve-role.js.map +1 -0
  304. package/dist/lib/tenant/role-mapping-handler.d.ts +26 -0
  305. package/dist/lib/tenant/role-mapping-handler.d.ts.map +1 -0
  306. package/dist/lib/tenant/role-mapping-handler.js +260 -0
  307. package/dist/lib/tenant/role-mapping-handler.js.map +1 -0
  308. package/dist/lib/tenant/setup-status.d.ts +83 -0
  309. package/dist/lib/tenant/setup-status.d.ts.map +1 -0
  310. package/dist/lib/tenant/setup-status.js +201 -0
  311. package/dist/lib/tenant/setup-status.js.map +1 -0
  312. package/dist/lib/tenant/slug-validator.d.ts +31 -0
  313. package/dist/lib/tenant/slug-validator.d.ts.map +1 -0
  314. package/dist/lib/tenant/slug-validator.js +42 -0
  315. package/dist/lib/tenant/slug-validator.js.map +1 -0
  316. package/dist/lib/tenant/tenant-handler.d.ts +49 -0
  317. package/dist/lib/tenant/tenant-handler.d.ts.map +1 -0
  318. package/dist/lib/tenant/tenant-handler.js +377 -0
  319. package/dist/lib/tenant/tenant-handler.js.map +1 -0
  320. package/dist/lib/tenant/transfer-ownership.d.ts +39 -0
  321. package/dist/lib/tenant/transfer-ownership.d.ts.map +1 -0
  322. package/dist/lib/tenant/transfer-ownership.js +66 -0
  323. package/dist/lib/tenant/transfer-ownership.js.map +1 -0
  324. package/dist/lib/user/derive-handle.d.ts +29 -0
  325. package/dist/lib/user/derive-handle.d.ts.map +1 -0
  326. package/dist/lib/user/derive-handle.js +65 -0
  327. package/dist/lib/user/derive-handle.js.map +1 -0
  328. package/dist/lib/user-deprovisioning.d.ts +11 -1
  329. package/dist/lib/user-deprovisioning.d.ts.map +1 -1
  330. package/dist/lib/user-deprovisioning.js +46 -2
  331. package/dist/lib/user-deprovisioning.js.map +1 -1
  332. package/dist/lib/validation/feature-toggle-schemas.d.ts +10 -10
  333. package/package.json +5 -3
  334. package/prisma/migrations/20260502094501_add_tenancy_model/migration.sql +334 -0
  335. package/prisma/migrations/20260503000000_add_tenant_region/migration.sql +4 -0
  336. package/prisma/schema.prisma +324 -74
  337. package/src/lambda/nightly-cron.ts +4 -1
  338. package/src/lambda/post-confirmation.ts +405 -29
  339. package/src/lambda/pre-token-generation.ts +300 -59
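--- a/package/dist/lib/routes/tenant-idp.js
+++ b/package/dist/lib/routes/tenant-idp.js
@@ -0,0 +1,89 @@
+ "use strict";
+ Object.defineProperty(exports, "__esModule", { value: true });
+ exports.tenantIdpRoutes = void 0;
+ /**
+ * Tenant identity-provider routes (T5).
+ *
+ * POST /api/tenants/:id/identity-provider
+ * GET /api/tenants/:id/identity-provider
+ * PATCH /api/tenants/:id/identity-provider
+ * DELETE /api/tenants/:id/identity-provider?confirm=true
+ *
+ * The PATCH route serves both config edits (clientSecret rotation,
+ * attribute mapping, defaultRole, scopes) and status toggle
+ * (`{status: ACTIVE|DISABLED}`); the handler picks based on body shape.
+ */
+ const middleware_1 = require("../middleware");
+ const idempotency_1 = require("../middleware/idempotency");
+ const security_headers_1 = require("../security-headers");
+ const auth_middleware_1 = require("../auth/auth-middleware");
+ const idp_handler_1 = require("../tenant/idp-handler");
+ const errors_1 = require("./errors");
+ const IDP_RE = /^\/api\/tenants\/([^/]+)\/identity-provider$/;
+ exports.tenantIdpRoutes = [
+ {
+ path: IDP_RE,
+ method: "POST",
+ handler: async (request, env, { pathname }) => {
+ const securityHeaders = new security_headers_1.SecurityHeaders(env);
+ const auth = await (0, auth_middleware_1.authMiddleware)(request, env);
+ if (!auth)
+ return (0, errors_1.unauthorizedError)(securityHeaders);
+ const tenantId = pathname.match(IDP_RE)?.[1] ?? "";
+ const handler = new idp_handler_1.IdpHandler();
+ const response = await handler.handleCreate(tenantId, request, auth, env);
+ return securityHeaders.addSecurityHeaders(response);
+ },
+ middleware: [(0, middleware_1.corsMiddleware)(), (0, middleware_1.csrfMiddleware)(), (0, idempotency_1.idempotencyMiddleware)()],
+ description: "Connect a tenant identity provider (OIDC)",
+ },
+ {
+ path: IDP_RE,
+ method: "GET",
+ handler: async (request, env, { pathname }) => {
+ const securityHeaders = new security_headers_1.SecurityHeaders(env);
+ const auth = await (0, auth_middleware_1.authMiddleware)(request, env);
+ if (!auth)
+ return (0, errors_1.unauthorizedError)(securityHeaders);
+ const tenantId = pathname.match(IDP_RE)?.[1] ?? "";
+ const handler = new idp_handler_1.IdpHandler();
+ const response = await handler.handleGet(tenantId, auth, env);
+ return securityHeaders.addSecurityHeaders(response);
+ },
+ middleware: [(0, middleware_1.corsMiddleware)()],
+ description: "Read a tenant identity provider",
+ },
+ {
+ path: IDP_RE,
+ method: "PATCH",
+ handler: async (request, env, { pathname }) => {
+ const securityHeaders = new security_headers_1.SecurityHeaders(env);
+ const auth = await (0, auth_middleware_1.authMiddleware)(request, env);
+ if (!auth)
+ return (0, errors_1.unauthorizedError)(securityHeaders);
+ const tenantId = pathname.match(IDP_RE)?.[1] ?? "";
+ const handler = new idp_handler_1.IdpHandler();
+ const response = await handler.handlePatch(tenantId, request, auth, env);
+ return securityHeaders.addSecurityHeaders(response);
+ },
+ middleware: [(0, middleware_1.corsMiddleware)(), (0, middleware_1.csrfMiddleware)()],
+ description: "Update or toggle a tenant identity provider",
+ },
+ {
+ path: IDP_RE,
+ method: "DELETE",
+ handler: async (request, env, { pathname }) => {
+ const securityHeaders = new security_headers_1.SecurityHeaders(env);
+ const auth = await (0, auth_middleware_1.authMiddleware)(request, env);
+ if (!auth)
+ return (0, errors_1.unauthorizedError)(securityHeaders);
+ const tenantId = pathname.match(IDP_RE)?.[1] ?? "";
+ const handler = new idp_handler_1.IdpHandler();
+ const response = await handler.handleDelete(tenantId, new URL(request.url), auth, env);
+ return securityHeaders.addSecurityHeaders(response);
+ },
+ middleware: [(0, middleware_1.corsMiddleware)(), (0, middleware_1.csrfMiddleware)()],
+ description: "Disconnect a tenant identity provider",
+ },
+ ];
+ //# sourceMappingURL=tenant-idp.js.map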
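Review bot: On the POST route, `idempotencyMiddleware()` sits in the `middleware` array while `authMiddleware` is only called inside the handler, so if the router runs middleware before the handler (the usual arrangement, not visible here) the idempotency layer sees the request before the caller is authenticated. For an endpoint that connects an OIDC provider, a stored response must never be replayed to a different or unauthenticated caller, so the replay key should bind the authenticated principal and the tenant id as well as the client-supplied key; that needs confirming in `middleware/idempotency.js`, which is outside this section. I would record the contract on the route with a comment such as `// idempotencyMiddleware runs before authMiddleware: replay keys must be scoped to caller + tenant`. PATCH (which the file header says handles `clientSecret` rotation) and DELETE carry no idempotency middleware; if that is deliberate, the header comment should say so.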
@@ -0,0 +1 @@
1
+ {"version":3,"file":"tenant-idp.js","sourceRoot":"","sources":["../../../src/lib/routes/tenant-idp.ts"],"names":[],"mappings":";;;AAAA;;;;;;;;;;;GAWG;AACH,8CAA+D;AAC/D,2DAAkE;AAClE,0DAAsD;AACtD,6DAAyD;AACzD,uDAAmD;AACnD,qCAA6C;AAG7C,MAAM,MAAM,GAAG,8CAA8C,CAAC;AAEjD,QAAA,eAAe,GAAY;IACtC;QACE,IAAI,EAAE,MAAM;QACZ,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE;YAC5C,MAAM,eAAe,GAAG,IAAI,kCAAe,CAAC,GAAG,CAAC,CAAC;YACjD,MAAM,IAAI,GAAG,MAAM,IAAA,gCAAc,EAAC,OAAO,EAAE,GAAG,CAAC,CAAC;YAChD,IAAI,CAAC,IAAI;gBAAE,OAAO,IAAA,0BAAiB,EAAC,eAAe,CAAC,CAAC;YACrD,MAAM,QAAQ,GAAG,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YACnD,MAAM,OAAO,GAAG,IAAI,wBAAU,EAAE,CAAC;YACjC,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC;YAC1E,OAAO,eAAe,CAAC,kBAAkB,CAAC,QAAQ,CAAC,CAAC;QACtD,CAAC;QACD,UAAU,EAAE,CAAC,IAAA,2BAAc,GAAE,EAAE,IAAA,2BAAc,GAAE,EAAE,IAAA,mCAAqB,GAAE,CAAC;QACzE,WAAW,EAAE,2CAA2C;KACzD;IACD;QACE,IAAI,EAAE,MAAM;QACZ,MAAM,EAAE,KAAK;QACb,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE;YAC5C,MAAM,eAAe,GAAG,IAAI,kCAAe,CAAC,GAAG,CAAC,CAAC;YACjD,MAAM,IAAI,GAAG,MAAM,IAAA,gCAAc,EAAC,OAAO,EAAE,GAAG,CAAC,CAAC;YAChD,IAAI,CAAC,IAAI;gBAAE,OAAO,IAAA,0BAAiB,EAAC,eAAe,CAAC,CAAC;YACrD,MAAM,QAAQ,GAAG,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YACnD,MAAM,OAAO,GAAG,IAAI,wBAAU,EAAE,CAAC;YACjC,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC;YAC9D,OAAO,eAAe,CAAC,kBAAkB,CAAC,QAAQ,CAAC,CAAC;QACtD,CAAC;QACD,UAAU,EAAE,CAAC,IAAA,2BAAc,GAAE,CAAC;QAC9B,WAAW,EAAE,iCAAiC;KAC/C;IACD;QACE,IAAI,EAAE,MAAM;QACZ,MAAM,EAAE,OAAO;QACf,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE;YAC5C,MAAM,eAAe,GAAG,IAAI,kCAAe,CAAC,GAAG,CAAC,CAAC;YACjD,MAAM,IAAI,GAAG,MAAM,IAAA,gCAAc,EAAC,OAAO,EAAE,GAAG,CAAC,CAAC;YAChD,IAAI,CAAC,IAAI;gBAAE,OAAO,IAAA,0BAAiB,EAAC,eAAe,CAAC,CAAC;YACrD,MAAM,QAAQ,GAAG,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YACnD,M
AAM,OAAO,GAAG,IAAI,wBAAU,EAAE,CAAC;YACjC,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,WAAW,CAAC,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC;YACzE,OAAO,eAAe,CAAC,kBAAkB,CAAC,QAAQ,CAAC,CAAC;QACtD,CAAC;QACD,UAAU,EAAE,CAAC,IAAA,2BAAc,GAAE,EAAE,IAAA,2BAAc,GAAE,CAAC;QAChD,WAAW,EAAE,6CAA6C;KAC3D;IACD;QACE,IAAI,EAAE,MAAM;QACZ,MAAM,EAAE,QAAQ;QAChB,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE;YAC5C,MAAM,eAAe,GAAG,IAAI,kCAAe,CAAC,GAAG,CAAC,CAAC;YACjD,MAAM,IAAI,GAAG,MAAM,IAAA,gCAAc,EAAC,OAAO,EAAE,GAAG,CAAC,CAAC;YAChD,IAAI,CAAC,IAAI;gBAAE,OAAO,IAAA,0BAAiB,EAAC,eAAe,CAAC,CAAC;YACrD,MAAM,QAAQ,GAAG,QAAQ,CAAC,KAAK,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YACnD,MAAM,OAAO,GAAG,IAAI,wBAAU,EAAE,CAAC;YACjC,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,YAAY,CAAC,QAAQ,EAAE,IAAI,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC;YACvF,OAAO,eAAe,CAAC,kBAAkB,CAAC,QAAQ,CAAC,CAAC;QACtD,CAAC;QACD,UAAU,EAAE,CAAC,IAAA,2BAAc,GAAE,EAAE,IAAA,2BAAc,GAAE,CAAC;QAChD,WAAW,EAAE,uCAAuC;KACrD;CACF,CAAC"}
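--- a/package/dist/lib/routes/tenant-members.d.ts
+++ b/package/dist/lib/routes/tenant-members.d.ts
@@ -0,0 +1,13 @@
+ /**
+ * Tenant member routes.
+ *
+ * GET /api/tenants/:id/members
+ * PATCH /api/tenants/:id/members/:memberId
+ * DELETE /api/tenants/:id/members/:memberId
+ *
+ * `POST /api/tenants/:id/transfer-ownership` is wired in routes/tenants.ts
+ * and now backed by MemberHandler.handleTransferOwnership.
+ */
+ import type { Route } from "./types";
+ export declare const tenantMemberRoutes: Route[];
+ //# sourceMappingURL=tenant-members.d.ts.map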
@@ -0,0 +1 @@
1
+ {"version":3,"file":"tenant-members.d.ts","sourceRoot":"","sources":["../../../src/lib/routes/tenant-members.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAOH,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,SAAS,CAAC;AAKrC,eAAO,MAAM,kBAAkB,EAAE,KAAK,EAuDrC,CAAC"}
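--- a/package/dist/lib/routes/tenant-members.js
+++ b/package/dist/lib/routes/tenant-members.js
@@ -0,0 +1,75 @@
+ "use strict";
+ /**
+ * Tenant member routes.
+ *
+ * GET /api/tenants/:id/members
+ * PATCH /api/tenants/:id/members/:memberId
+ * DELETE /api/tenants/:id/members/:memberId
+ *
+ * `POST /api/tenants/:id/transfer-ownership` is wired in routes/tenants.ts
+ * and now backed by MemberHandler.handleTransferOwnership.
+ */
+ Object.defineProperty(exports, "__esModule", { value: true });
+ exports.tenantMemberRoutes = void 0;
+ const middleware_1 = require("../middleware");
+ const security_headers_1 = require("../security-headers");
+ const member_handler_1 = require("../tenant/member-handler");
+ const auth_middleware_1 = require("../auth/auth-middleware");
+ const errors_1 = require("./errors");
+ const MEMBERS_LIST = /^\/api\/tenants\/([^/]+)\/members$/;
+ const MEMBER_ITEM = /^\/api\/tenants\/([^/]+)\/members\/([^/]+)$/;
+ exports.tenantMemberRoutes = [
+ {
+ path: MEMBERS_LIST,
+ method: "GET",
+ handler: async (request, env, { pathname }) => {
+ const securityHeaders = new security_headers_1.SecurityHeaders(env);
+ const auth = await (0, auth_middleware_1.authMiddleware)(request, env);
+ if (!auth)
+ return (0, errors_1.unauthorizedError)(securityHeaders);
+ const tenantId = pathname.match(MEMBERS_LIST)?.[1] ?? "";
+ const handler = new member_handler_1.MemberHandler();
+ const response = await handler.handleList(tenantId, request, auth, env);
+ return securityHeaders.addSecurityHeaders(response);
+ },
+ middleware: [(0, middleware_1.corsMiddleware)()],
+ description: "List tenant members (paginated)",
+ },
+ {
+ path: MEMBER_ITEM,
+ method: "PATCH",
+ handler: async (request, env, { pathname }) => {
+ const securityHeaders = new security_headers_1.SecurityHeaders(env);
+ const auth = await (0, auth_middleware_1.authMiddleware)(request, env);
+ if (!auth)
+ return (0, errors_1.unauthorizedError)(securityHeaders);
+ const match = pathname.match(MEMBER_ITEM);
+ const tenantId = match?.[1] ?? "";
+ const memberId = match?.[2] ?? "";
+ const handler = new member_handler_1.MemberHandler();
+ const response = await handler.handlePatchRole(tenantId, memberId, request, auth, env);
+ return securityHeaders.addSecurityHeaders(response);
+ },
+ middleware: [(0, middleware_1.corsMiddleware)(), (0, middleware_1.csrfMiddleware)()],
+ description: "Change a member's role",
+ },
+ {
+ path: MEMBER_ITEM,
+ method: "DELETE",
+ handler: async (request, env, { pathname }) => {
+ const securityHeaders = new security_headers_1.SecurityHeaders(env);
+ const auth = await (0, auth_middleware_1.authMiddleware)(request, env);
+ if (!auth)
+ return (0, errors_1.unauthorizedError)(securityHeaders);
+ const match = pathname.match(MEMBER_ITEM);
+ const tenantId = match?.[1] ?? "";
+ const memberId = match?.[2] ?? "";
+ const handler = new member_handler_1.MemberHandler();
+ const response = await handler.handleRemove(tenantId, memberId, auth, env);
+ return securityHeaders.addSecurityHeaders(response);
+ },
+ middleware: [(0, middleware_1.corsMiddleware)(), (0, middleware_1.csrfMiddleware)()],
+ description: "Remove a member (soft-delete + global sign-out)",
+ },
+ ];
+ //# sourceMappingURL=tenant-members.js.map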
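Review bot: The PATCH and DELETE handlers pass `tenantId` and `memberId` straight from the URL to `MemberHandler.handlePatchRole` and `handleRemove`, and nothing at the route level ties the authenticated caller to that tenant or the member to that tenant; as far as this file shows, `authMiddleware` only establishes that a caller is signed in. The object-level check therefore has to live in `MemberHandler` (not visible in this section), and since these routes change roles and trigger a global sign-out it is worth stating on the route, e.g. `// authz: MemberHandler must verify the caller's role in tenantId and that memberId belongs to tenantId`. The `?? ""` fallbacks also let an empty id reach the handler if the regex ever fails to match; an early `if (!match) return` with the project's not-found response would fail closed, and the same fallback appears in the tenant-idp.js routes.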
@@ -0,0 +1 @@
1
+ {"version":3,"file":"tenant-members.js","sourceRoot":"","sources":["../../../src/lib/routes/tenant-members.ts"],"names":[],"mappings":";AAAA;;;;;;;;;GASG;;;AAEH,8CAA+D;AAC/D,0DAAsD;AACtD,6DAAyD;AACzD,6DAAyD;AACzD,qCAA6C;AAG7C,MAAM,YAAY,GAAG,oCAAoC,CAAC;AAC1D,MAAM,WAAW,GAAG,6CAA6C,CAAC;AAErD,QAAA,kBAAkB,GAAY;IACzC;QACE,IAAI,EAAE,YAAY;QAClB,MAAM,EAAE,KAAK;QACb,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE;YAC5C,MAAM,eAAe,GAAG,IAAI,kCAAe,CAAC,GAAG,CAAC,CAAC;YACjD,MAAM,IAAI,GAAG,MAAM,IAAA,gCAAc,EAAC,OAAO,EAAE,GAAG,CAAC,CAAC;YAChD,IAAI,CAAC,IAAI;gBAAE,OAAO,IAAA,0BAAiB,EAAC,eAAe,CAAC,CAAC;YAErD,MAAM,QAAQ,GAAG,QAAQ,CAAC,KAAK,CAAC,YAAY,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YACzD,MAAM,OAAO,GAAG,IAAI,8BAAa,EAAE,CAAC;YACpC,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,UAAU,CAAC,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC;YACxE,OAAO,eAAe,CAAC,kBAAkB,CAAC,QAAQ,CAAC,CAAC;QACtD,CAAC;QACD,UAAU,EAAE,CAAC,IAAA,2BAAc,GAAE,CAAC;QAC9B,WAAW,EAAE,iCAAiC;KAC/C;IAED;QACE,IAAI,EAAE,WAAW;QACjB,MAAM,EAAE,OAAO;QACf,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE;YAC5C,MAAM,eAAe,GAAG,IAAI,kCAAe,CAAC,GAAG,CAAC,CAAC;YACjD,MAAM,IAAI,GAAG,MAAM,IAAA,gCAAc,EAAC,OAAO,EAAE,GAAG,CAAC,CAAC;YAChD,IAAI,CAAC,IAAI;gBAAE,OAAO,IAAA,0BAAiB,EAAC,eAAe,CAAC,CAAC;YAErD,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;YAC1C,MAAM,QAAQ,GAAG,KAAK,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YAClC,MAAM,QAAQ,GAAG,KAAK,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YAClC,MAAM,OAAO,GAAG,IAAI,8BAAa,EAAE,CAAC;YACpC,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,eAAe,CAAC,QAAQ,EAAE,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC;YACvF,OAAO,eAAe,CAAC,kBAAkB,CAAC,QAAQ,CAAC,CAAC;QACtD,CAAC;QACD,UAAU,EAAE,CAAC,IAAA,2BAAc,GAAE,EAAE,IAAA,2BAAc,GAAE,CAAC;QAChD,WAAW,EAAE,wBAAwB;KACtC;IAED;QACE,IAAI,EAAE,WAAW;QACjB,MAAM,EAAE,QAAQ;QAChB,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE;YAC5C,MAAM,eAAe,GAAG,IAAI,kCAAe,CAAC,GAAG,CAAC,CAAC;YACjD,MAAM,IAAI,GAAG,MAAM,IAAA,gCAAc,EAAC,OAAO,EAAE,GAAG,CAAC,CAAC;YAChD,IAAI,CAAC,IAAI;gBAAE,OAAO,IAA
A,0BAAiB,EAAC,eAAe,CAAC,CAAC;YAErD,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,WAAW,CAAC,CAAC;YAC1C,MAAM,QAAQ,GAAG,KAAK,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YAClC,MAAM,QAAQ,GAAG,KAAK,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YAClC,MAAM,OAAO,GAAG,IAAI,8BAAa,EAAE,CAAC;YACpC,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,YAAY,CAAC,QAAQ,EAAE,QAAQ,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC;YAC3E,OAAO,eAAe,CAAC,kBAAkB,CAAC,QAAQ,CAAC,CAAC;QACtD,CAAC;QACD,UAAU,EAAE,CAAC,IAAA,2BAAc,GAAE,EAAE,IAAA,2BAAc,GAAE,CAAC;QAChD,WAAW,EAAE,iDAAiD;KAC/D;CACF,CAAC"}
@@ -0,0 +1,11 @@
1
+ /**
2
+ * Tenant role-mapping routes.
3
+ *
4
+ * GET /api/tenants/:id/role-mappings
5
+ * POST /api/tenants/:id/role-mappings
6
+ * PATCH /api/tenants/:id/role-mappings/:mappingId
7
+ * DELETE /api/tenants/:id/role-mappings/:mappingId
8
+ */
9
+ import type { Route } from "./types";
10
+ export declare const tenantRoleMappingRoutes: Route[];
11
+ //# sourceMappingURL=tenant-role-mappings.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"tenant-role-mappings.d.ts","sourceRoot":"","sources":["../../../src/lib/routes/tenant-role-mappings.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAQH,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,SAAS,CAAC;AAKrC,eAAO,MAAM,uBAAuB,EAAE,KAAK,EAwE1C,CAAC"}
@@ -0,0 +1,90 @@
1
+ "use strict";
2
+ /**
3
+ * Tenant role-mapping routes.
4
+ *
5
+ * GET /api/tenants/:id/role-mappings
6
+ * POST /api/tenants/:id/role-mappings
7
+ * PATCH /api/tenants/:id/role-mappings/:mappingId
8
+ * DELETE /api/tenants/:id/role-mappings/:mappingId
9
+ */
10
+ Object.defineProperty(exports, "__esModule", { value: true });
11
+ exports.tenantRoleMappingRoutes = void 0;
12
+ const middleware_1 = require("../middleware");
13
+ const idempotency_1 = require("../middleware/idempotency");
14
+ const security_headers_1 = require("../security-headers");
15
+ const role_mapping_handler_1 = require("../tenant/role-mapping-handler");
16
+ const auth_middleware_1 = require("../auth/auth-middleware");
17
+ const errors_1 = require("./errors");
18
+ const MAPPINGS_LIST = /^\/api\/tenants\/([^/]+)\/role-mappings$/;
19
+ const MAPPING_ITEM = /^\/api\/tenants\/([^/]+)\/role-mappings\/([^/]+)$/;
20
+ exports.tenantRoleMappingRoutes = [
21
+ {
22
+ path: MAPPINGS_LIST,
23
+ method: "GET",
24
+ handler: async (request, env, { pathname }) => {
25
+ const securityHeaders = new security_headers_1.SecurityHeaders(env);
26
+ const auth = await (0, auth_middleware_1.authMiddleware)(request, env);
27
+ if (!auth)
28
+ return (0, errors_1.unauthorizedError)(securityHeaders);
29
+ const tenantId = pathname.match(MAPPINGS_LIST)?.[1] ?? "";
30
+ const handler = new role_mapping_handler_1.RoleMappingHandler();
31
+ const response = await handler.handleList(tenantId, auth, env);
32
+ return securityHeaders.addSecurityHeaders(response);
33
+ },
34
+ middleware: [(0, middleware_1.corsMiddleware)()],
35
+ description: "List tenant role mappings",
36
+ },
37
+ {
38
+ path: MAPPINGS_LIST,
39
+ method: "POST",
40
+ handler: async (request, env, { pathname }) => {
41
+ const securityHeaders = new security_headers_1.SecurityHeaders(env);
42
+ const auth = await (0, auth_middleware_1.authMiddleware)(request, env);
43
+ if (!auth)
44
+ return (0, errors_1.unauthorizedError)(securityHeaders);
45
+ const tenantId = pathname.match(MAPPINGS_LIST)?.[1] ?? "";
46
+ const handler = new role_mapping_handler_1.RoleMappingHandler();
47
+ const response = await handler.handleCreate(tenantId, request, auth, env);
48
+ return securityHeaders.addSecurityHeaders(response);
49
+ },
50
+ middleware: [(0, middleware_1.corsMiddleware)(), (0, middleware_1.csrfMiddleware)(), (0, idempotency_1.idempotencyMiddleware)()],
51
+ description: "Create a tenant role mapping",
52
+ },
53
+ {
54
+ path: MAPPING_ITEM,
55
+ method: "PATCH",
56
+ handler: async (request, env, { pathname }) => {
57
+ const securityHeaders = new security_headers_1.SecurityHeaders(env);
58
+ const auth = await (0, auth_middleware_1.authMiddleware)(request, env);
59
+ if (!auth)
60
+ return (0, errors_1.unauthorizedError)(securityHeaders);
61
+ const match = pathname.match(MAPPING_ITEM);
62
+ const tenantId = match?.[1] ?? "";
63
+ const mappingId = match?.[2] ?? "";
64
+ const handler = new role_mapping_handler_1.RoleMappingHandler();
65
+ const response = await handler.handleUpdate(tenantId, mappingId, request, auth, env);
66
+ return securityHeaders.addSecurityHeaders(response);
67
+ },
68
+ middleware: [(0, middleware_1.corsMiddleware)(), (0, middleware_1.csrfMiddleware)()],
69
+ description: "Update a tenant role mapping",
70
+ },
71
+ {
72
+ path: MAPPING_ITEM,
73
+ method: "DELETE",
74
+ handler: async (request, env, { pathname }) => {
75
+ const securityHeaders = new security_headers_1.SecurityHeaders(env);
76
+ const auth = await (0, auth_middleware_1.authMiddleware)(request, env);
77
+ if (!auth)
78
+ return (0, errors_1.unauthorizedError)(securityHeaders);
79
+ const match = pathname.match(MAPPING_ITEM);
80
+ const tenantId = match?.[1] ?? "";
81
+ const mappingId = match?.[2] ?? "";
82
+ const handler = new role_mapping_handler_1.RoleMappingHandler();
83
+ const response = await handler.handleDelete(tenantId, mappingId, auth, env);
84
+ return securityHeaders.addSecurityHeaders(response);
85
+ },
86
+ middleware: [(0, middleware_1.corsMiddleware)(), (0, middleware_1.csrfMiddleware)()],
87
+ description: "Delete a tenant role mapping",
88
+ },
89
+ ];
90
+ //# sourceMappingURL=tenant-role-mappings.js.map
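Review bot: The 401 branch in all four handlers returns `unauthorizedError(securityHeaders)` as-is, while every other response in this file goes through `securityHeaders.addSecurityHeaders(...)`, and the new `tenants.js` routes in this same release wrap the 401 as well. `unauthorizedError` is not visible here, so it may already apply the headers itself; if it does not, unauthenticated responses on the role-mapping endpoints go out without them. I would make the two files agree in the TypeScript source, e.g. `if (!auth) return securityHeaders.addSecurityHeaders(unauthorizedError(securityHeaders));`. Separately, these routes only establish that the caller is authenticated; whether that caller may manage role mappings for the tenant named in the path is left to `RoleMappingHandler`, which is outside this diff and worth reading alongside it.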
@@ -0,0 +1 @@
1
+ {"version":3,"file":"tenant-role-mappings.js","sourceRoot":"","sources":["../../../src/lib/routes/tenant-role-mappings.ts"],"names":[],"mappings":";AAAA;;;;;;;GAOG;;;AAEH,8CAA+D;AAC/D,2DAAkE;AAClE,0DAAsD;AACtD,yEAAoE;AACpE,6DAAyD;AACzD,qCAA6C;AAG7C,MAAM,aAAa,GAAG,0CAA0C,CAAC;AACjE,MAAM,YAAY,GAAG,mDAAmD,CAAC;AAE5D,QAAA,uBAAuB,GAAY;IAC9C;QACE,IAAI,EAAE,aAAa;QACnB,MAAM,EAAE,KAAK;QACb,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE;YAC5C,MAAM,eAAe,GAAG,IAAI,kCAAe,CAAC,GAAG,CAAC,CAAC;YACjD,MAAM,IAAI,GAAG,MAAM,IAAA,gCAAc,EAAC,OAAO,EAAE,GAAG,CAAC,CAAC;YAChD,IAAI,CAAC,IAAI;gBAAE,OAAO,IAAA,0BAAiB,EAAC,eAAe,CAAC,CAAC;YAErD,MAAM,QAAQ,GAAG,QAAQ,CAAC,KAAK,CAAC,aAAa,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YAC1D,MAAM,OAAO,GAAG,IAAI,yCAAkB,EAAE,CAAC;YACzC,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,UAAU,CAAC,QAAQ,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC;YAC/D,OAAO,eAAe,CAAC,kBAAkB,CAAC,QAAQ,CAAC,CAAC;QACtD,CAAC;QACD,UAAU,EAAE,CAAC,IAAA,2BAAc,GAAE,CAAC;QAC9B,WAAW,EAAE,2BAA2B;KACzC;IAED;QACE,IAAI,EAAE,aAAa;QACnB,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE;YAC5C,MAAM,eAAe,GAAG,IAAI,kCAAe,CAAC,GAAG,CAAC,CAAC;YACjD,MAAM,IAAI,GAAG,MAAM,IAAA,gCAAc,EAAC,OAAO,EAAE,GAAG,CAAC,CAAC;YAChD,IAAI,CAAC,IAAI;gBAAE,OAAO,IAAA,0BAAiB,EAAC,eAAe,CAAC,CAAC;YAErD,MAAM,QAAQ,GAAG,QAAQ,CAAC,KAAK,CAAC,aAAa,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YAC1D,MAAM,OAAO,GAAG,IAAI,yCAAkB,EAAE,CAAC;YACzC,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC;YAC1E,OAAO,eAAe,CAAC,kBAAkB,CAAC,QAAQ,CAAC,CAAC;QACtD,CAAC;QACD,UAAU,EAAE,CAAC,IAAA,2BAAc,GAAE,EAAE,IAAA,2BAAc,GAAE,EAAE,IAAA,mCAAqB,GAAE,CAAC;QACzE,WAAW,EAAE,8BAA8B;KAC5C;IAED;QACE,IAAI,EAAE,YAAY;QAClB,MAAM,EAAE,OAAO;QACf,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE;YAC5C,MAAM,eAAe,GAAG,IAAI,kCAAe,CAAC,GAAG,CAAC,CAAC;YACjD,MAAM,IAAI,GAAG,MAAM,IAAA,gCAAc,EAAC,OAAO,EAAE,GAAG,CAAC,CAAC;YAChD,IAAI,CAAC,IAAI;gBAAE,OAAO,IAAA,0BAAiB,EAAC,eAAe,CAAC,CAAC;YAErD,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,C
AAC,YAAY,CAAC,CAAC;YAC3C,MAAM,QAAQ,GAAG,KAAK,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YAClC,MAAM,SAAS,GAAG,KAAK,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YACnC,MAAM,OAAO,GAAG,IAAI,yCAAkB,EAAE,CAAC;YACzC,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,YAAY,CAAC,QAAQ,EAAE,SAAS,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC;YACrF,OAAO,eAAe,CAAC,kBAAkB,CAAC,QAAQ,CAAC,CAAC;QACtD,CAAC;QACD,UAAU,EAAE,CAAC,IAAA,2BAAc,GAAE,EAAE,IAAA,2BAAc,GAAE,CAAC;QAChD,WAAW,EAAE,8BAA8B;KAC5C;IAED;QACE,IAAI,EAAE,YAAY;QAClB,MAAM,EAAE,QAAQ;QAChB,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE;YAC5C,MAAM,eAAe,GAAG,IAAI,kCAAe,CAAC,GAAG,CAAC,CAAC;YACjD,MAAM,IAAI,GAAG,MAAM,IAAA,gCAAc,EAAC,OAAO,EAAE,GAAG,CAAC,CAAC;YAChD,IAAI,CAAC,IAAI;gBAAE,OAAO,IAAA,0BAAiB,EAAC,eAAe,CAAC,CAAC;YAErD,MAAM,KAAK,GAAG,QAAQ,CAAC,KAAK,CAAC,YAAY,CAAC,CAAC;YAC3C,MAAM,QAAQ,GAAG,KAAK,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YAClC,MAAM,SAAS,GAAG,KAAK,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YACnC,MAAM,OAAO,GAAG,IAAI,yCAAkB,EAAE,CAAC;YACzC,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,YAAY,CAAC,QAAQ,EAAE,SAAS,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC;YAC5E,OAAO,eAAe,CAAC,kBAAkB,CAAC,QAAQ,CAAC,CAAC;QACtD,CAAC;QACD,UAAU,EAAE,CAAC,IAAA,2BAAc,GAAE,EAAE,IAAA,2BAAc,GAAE,CAAC;QAChD,WAAW,EAAE,8BAA8B;KAC5C;CACF,CAAC"}
@@ -0,0 +1,13 @@
1
+ /**
2
+ * Tenant Routes
3
+ *
4
+ * - POST /api/tenants
5
+ * - GET /api/tenants/:id
6
+ * - PATCH /api/tenants/:id
7
+ * - POST /api/tenants/:id/transfer-ownership
8
+ * - GET /api/users/me/tenants
9
+ * - POST /api/auth/switch-tenant
10
+ */
11
+ import type { Route } from "./types";
12
+ export declare const tenantRoutes: Route[];
13
+ //# sourceMappingURL=tenants.d.ts.map
@@ -0,0 +1 @@
1
+ {"version":3,"file":"tenants.d.ts","sourceRoot":"","sources":["../../../src/lib/routes/tenants.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAQH,OAAO,KAAK,EAAE,KAAK,EAAE,MAAM,SAAS,CAAC;AAErC,eAAO,MAAM,YAAY,EAAE,KAAK,EA0G/B,CAAC"}
@@ -0,0 +1,121 @@
1
+ "use strict";
2
+ /**
3
+ * Tenant Routes
4
+ *
5
+ * - POST /api/tenants
6
+ * - GET /api/tenants/:id
7
+ * - PATCH /api/tenants/:id
8
+ * - POST /api/tenants/:id/transfer-ownership
9
+ * - GET /api/users/me/tenants
10
+ * - POST /api/auth/switch-tenant
11
+ */
12
+ Object.defineProperty(exports, "__esModule", { value: true });
13
+ exports.tenantRoutes = void 0;
14
+ const middleware_1 = require("../middleware");
15
+ const idempotency_1 = require("../middleware/idempotency");
16
+ const security_headers_1 = require("../security-headers");
17
+ const tenant_handler_1 = require("../tenant/tenant-handler");
18
+ const auth_middleware_1 = require("../auth/auth-middleware");
19
+ const errors_1 = require("./errors");
20
+ exports.tenantRoutes = [
21
+ // ── POST /api/tenants ─────────────────────────────────────────────────────
22
+ {
23
+ path: "/api/tenants",
24
+ method: "POST",
25
+ handler: async (request, env) => {
26
+ const securityHeaders = new security_headers_1.SecurityHeaders(env);
27
+ const auth = await (0, auth_middleware_1.authMiddleware)(request, env);
28
+ if (!auth)
29
+ return securityHeaders.addSecurityHeaders((0, errors_1.unauthorizedError)(securityHeaders));
30
+ const handler = new tenant_handler_1.TenantHandler();
31
+ const response = await handler.handleCreate(request, auth, env);
32
+ return securityHeaders.addSecurityHeaders(response);
33
+ },
34
+ middleware: [(0, middleware_1.corsMiddleware)(), (0, middleware_1.csrfMiddleware)(), (0, idempotency_1.idempotencyMiddleware)()],
35
+ description: "Create organization tenant",
36
+ },
37
+ // ── GET /api/tenants/:id ──────────────────────────────────────────────────
38
+ {
39
+ path: /^\/api\/tenants\/([^/]+)$/,
40
+ method: "GET",
41
+ handler: async (request, env, { pathname }) => {
42
+ const securityHeaders = new security_headers_1.SecurityHeaders(env);
43
+ const auth = await (0, auth_middleware_1.authMiddleware)(request, env);
44
+ if (!auth)
45
+ return securityHeaders.addSecurityHeaders((0, errors_1.unauthorizedError)(securityHeaders));
46
+ const tenantId = pathname.match(/^\/api\/tenants\/([^/]+)$/)?.[1] ?? "";
47
+ const handler = new tenant_handler_1.TenantHandler();
48
+ const response = await handler.handleGet(tenantId, auth, env);
49
+ return securityHeaders.addSecurityHeaders(response);
50
+ },
51
+ middleware: [(0, middleware_1.corsMiddleware)()],
52
+ description: "Get tenant by ID",
53
+ },
54
+ // ── PATCH /api/tenants/:id ────────────────────────────────────────────────
55
+ {
56
+ path: /^\/api\/tenants\/([^/]+)$/,
57
+ method: "PATCH",
58
+ handler: async (request, env, { pathname }) => {
59
+ const securityHeaders = new security_headers_1.SecurityHeaders(env);
60
+ const auth = await (0, auth_middleware_1.authMiddleware)(request, env);
61
+ if (!auth)
62
+ return securityHeaders.addSecurityHeaders((0, errors_1.unauthorizedError)(securityHeaders));
63
+ const tenantId = pathname.match(/^\/api\/tenants\/([^/]+)$/)?.[1] ?? "";
64
+ const handler = new tenant_handler_1.TenantHandler();
65
+ const response = await handler.handleUpdate(tenantId, request, auth, env);
66
+ return securityHeaders.addSecurityHeaders(response);
67
+ },
68
+ middleware: [(0, middleware_1.corsMiddleware)(), (0, middleware_1.csrfMiddleware)()],
69
+ description: "Update tenant displayName",
70
+ },
71
+ // ── POST /api/tenants/:id/transfer-ownership ──────────────────────────────
72
+ {
73
+ path: /^\/api\/tenants\/([^/]+)\/transfer-ownership$/,
74
+ method: "POST",
75
+ handler: async (request, env, { pathname }) => {
76
+ const securityHeaders = new security_headers_1.SecurityHeaders(env);
77
+ const auth = await (0, auth_middleware_1.authMiddleware)(request, env);
78
+ if (!auth)
79
+ return securityHeaders.addSecurityHeaders((0, errors_1.unauthorizedError)(securityHeaders));
80
+ const tenantId = pathname.match(/^\/api\/tenants\/([^/]+)\/transfer-ownership$/)?.[1] ?? "";
81
+ const handler = new tenant_handler_1.TenantHandler();
82
+ const response = await handler.handleTransferOwnership(tenantId, request, auth, env);
83
+ return securityHeaders.addSecurityHeaders(response);
84
+ },
85
+ middleware: [(0, middleware_1.corsMiddleware)(), (0, middleware_1.csrfMiddleware)()],
86
+ description: "Transfer tenant ownership",
87
+ },
88
+ // ── GET /api/users/me/tenants ─────────────────────────────────────────────
89
+ {
90
+ path: "/api/users/me/tenants",
91
+ method: "GET",
92
+ handler: async (request, env) => {
93
+ const securityHeaders = new security_headers_1.SecurityHeaders(env);
94
+ const auth = await (0, auth_middleware_1.authMiddleware)(request, env);
95
+ if (!auth)
96
+ return securityHeaders.addSecurityHeaders((0, errors_1.unauthorizedError)(securityHeaders));
97
+ const handler = new tenant_handler_1.TenantHandler();
98
+ const response = await handler.handleListMyTenants(auth, env);
99
+ return securityHeaders.addSecurityHeaders(response);
100
+ },
101
+ middleware: [(0, middleware_1.corsMiddleware)()],
102
+ description: "List caller's tenant memberships",
103
+ },
104
+ // ── POST /api/auth/switch-tenant ──────────────────────────────────────────
105
+ {
106
+ path: "/api/auth/switch-tenant",
107
+ method: "POST",
108
+ handler: async (request, env) => {
109
+ const securityHeaders = new security_headers_1.SecurityHeaders(env);
110
+ const auth = await (0, auth_middleware_1.authMiddleware)(request, env);
111
+ if (!auth)
112
+ return securityHeaders.addSecurityHeaders((0, errors_1.unauthorizedError)(securityHeaders));
113
+ const handler = new tenant_handler_1.TenantHandler();
114
+ const response = await handler.handleSwitchTenant(request, auth, env);
115
+ return securityHeaders.addSecurityHeaders(response);
116
+ },
117
+ middleware: [(0, middleware_1.corsMiddleware)(), (0, middleware_1.csrfMiddleware)()],
118
+ description: "Switch active tenant",
119
+ },
120
+ ];
121
+ //# sourceMappingURL=tenants.js.map
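Review bot: Each parameterised route writes its path regex twice, once in `path` and again inside `pathname.match(...)`, and falls back to `""` when the second match fails (GET and PATCH `/api/tenants/:id`, and `transfer-ownership`). If the two literals ever drift apart, the handler is called with an empty `tenantId` instead of the request being rejected, and for `handleUpdate` and `handleTransferOwnership` that identifier feeds an ownership decision. Hoisting the pattern the way `tenant-role-mappings.js` does, `const TENANT_ITEM = /^\/api\/tenants\/([^/]+)$/;`, and returning an error response when the match is null rather than defaulting to `""`, would make these routes fail closed. How `TenantHandler` treats an empty id is not visible in this diff.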
@@ -0,0 +1 @@
1
+ {"version":3,"file":"tenants.js","sourceRoot":"","sources":["../../../src/lib/routes/tenants.ts"],"names":[],"mappings":";AAAA;;;;;;;;;GASG;;;AAEH,8CAA+D;AAC/D,2DAAkE;AAClE,0DAAsD;AACtD,6DAAyD;AACzD,6DAAyD;AACzD,qCAA6C;AAGhC,QAAA,YAAY,GAAY;IACnC,6EAA6E;IAC7E;QACE,IAAI,EAAE,cAAc;QACpB,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,EAAE,EAAE;YAC9B,MAAM,eAAe,GAAG,IAAI,kCAAe,CAAC,GAAG,CAAC,CAAC;YACjD,MAAM,IAAI,GAAG,MAAM,IAAA,gCAAc,EAAC,OAAO,EAAE,GAAG,CAAC,CAAC;YAChD,IAAI,CAAC,IAAI;gBAAE,OAAO,eAAe,CAAC,kBAAkB,CAAC,IAAA,0BAAiB,EAAC,eAAe,CAAC,CAAC,CAAC;YAEzF,MAAM,OAAO,GAAG,IAAI,8BAAa,EAAE,CAAC;YACpC,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,YAAY,CAAC,OAAO,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC;YAChE,OAAO,eAAe,CAAC,kBAAkB,CAAC,QAAQ,CAAC,CAAC;QACtD,CAAC;QACD,UAAU,EAAE,CAAC,IAAA,2BAAc,GAAE,EAAE,IAAA,2BAAc,GAAE,EAAE,IAAA,mCAAqB,GAAE,CAAC;QACzE,WAAW,EAAE,4BAA4B;KAC1C;IAED,6EAA6E;IAC7E;QACE,IAAI,EAAE,2BAA2B;QACjC,MAAM,EAAE,KAAK;QACb,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE;YAC5C,MAAM,eAAe,GAAG,IAAI,kCAAe,CAAC,GAAG,CAAC,CAAC;YACjD,MAAM,IAAI,GAAG,MAAM,IAAA,gCAAc,EAAC,OAAO,EAAE,GAAG,CAAC,CAAC;YAChD,IAAI,CAAC,IAAI;gBAAE,OAAO,eAAe,CAAC,kBAAkB,CAAC,IAAA,0BAAiB,EAAC,eAAe,CAAC,CAAC,CAAC;YAEzF,MAAM,QAAQ,GAAG,QAAQ,CAAC,KAAK,CAAC,2BAA2B,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YACxE,MAAM,OAAO,GAAG,IAAI,8BAAa,EAAE,CAAC;YACpC,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,SAAS,CAAC,QAAQ,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC;YAC9D,OAAO,eAAe,CAAC,kBAAkB,CAAC,QAAQ,CAAC,CAAC;QACtD,CAAC;QACD,UAAU,EAAE,CAAC,IAAA,2BAAc,GAAE,CAAC;QAC9B,WAAW,EAAE,kBAAkB;KAChC;IAED,6EAA6E;IAC7E;QACE,IAAI,EAAE,2BAA2B;QACjC,MAAM,EAAE,OAAO;QACf,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE;YAC5C,MAAM,eAAe,GAAG,IAAI,kCAAe,CAAC,GAAG,CAAC,CAAC;YACjD,MAAM,IAAI,GAAG,MAAM,IAAA,gCAAc,EAAC,OAAO,EAAE,GAAG,CAAC,CAAC;YAChD,IAAI,CAAC,IAAI;gBAAE,OAAO,eAAe,CAAC,kBAAkB,CAAC,IAAA,0BAAiB,EAAC,eAAe,CAAC,CAAC,CAAC;YAEzF,MAAM,QAAQ,GAAG,QAAQ,CAAC,KAAK,CAAC,2BAA2B,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YACxE,MAAM,OAAO,GAAG,IAAI,8BAAa,E
AAE,CAAC;YACpC,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,YAAY,CAAC,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC;YAC1E,OAAO,eAAe,CAAC,kBAAkB,CAAC,QAAQ,CAAC,CAAC;QACtD,CAAC;QACD,UAAU,EAAE,CAAC,IAAA,2BAAc,GAAE,EAAE,IAAA,2BAAc,GAAE,CAAC;QAChD,WAAW,EAAE,2BAA2B;KACzC;IAED,6EAA6E;IAC7E;QACE,IAAI,EAAE,+CAA+C;QACrD,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE;YAC5C,MAAM,eAAe,GAAG,IAAI,kCAAe,CAAC,GAAG,CAAC,CAAC;YACjD,MAAM,IAAI,GAAG,MAAM,IAAA,gCAAc,EAAC,OAAO,EAAE,GAAG,CAAC,CAAC;YAChD,IAAI,CAAC,IAAI;gBAAE,OAAO,eAAe,CAAC,kBAAkB,CAAC,IAAA,0BAAiB,EAAC,eAAe,CAAC,CAAC,CAAC;YAEzF,MAAM,QAAQ,GACZ,QAAQ,CAAC,KAAK,CAAC,+CAA+C,CAAC,EAAE,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;YAC7E,MAAM,OAAO,GAAG,IAAI,8BAAa,EAAE,CAAC;YACpC,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,uBAAuB,CAAC,QAAQ,EAAE,OAAO,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC;YACrF,OAAO,eAAe,CAAC,kBAAkB,CAAC,QAAQ,CAAC,CAAC;QACtD,CAAC;QACD,UAAU,EAAE,CAAC,IAAA,2BAAc,GAAE,EAAE,IAAA,2BAAc,GAAE,CAAC;QAChD,WAAW,EAAE,2BAA2B;KACzC;IAED,6EAA6E;IAC7E;QACE,IAAI,EAAE,uBAAuB;QAC7B,MAAM,EAAE,KAAK;QACb,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,EAAE,EAAE;YAC9B,MAAM,eAAe,GAAG,IAAI,kCAAe,CAAC,GAAG,CAAC,CAAC;YACjD,MAAM,IAAI,GAAG,MAAM,IAAA,gCAAc,EAAC,OAAO,EAAE,GAAG,CAAC,CAAC;YAChD,IAAI,CAAC,IAAI;gBAAE,OAAO,eAAe,CAAC,kBAAkB,CAAC,IAAA,0BAAiB,EAAC,eAAe,CAAC,CAAC,CAAC;YAEzF,MAAM,OAAO,GAAG,IAAI,8BAAa,EAAE,CAAC;YACpC,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,mBAAmB,CAAC,IAAI,EAAE,GAAG,CAAC,CAAC;YAC9D,OAAO,eAAe,CAAC,kBAAkB,CAAC,QAAQ,CAAC,CAAC;QACtD,CAAC;QACD,UAAU,EAAE,CAAC,IAAA,2BAAc,GAAE,CAAC;QAC9B,WAAW,EAAE,kCAAkC;KAChD;IAED,6EAA6E;IAC7E;QACE,IAAI,EAAE,yBAAyB;QAC/B,MAAM,EAAE,MAAM;QACd,OAAO,EAAE,KAAK,EAAE,OAAO,EAAE,GAAG,EAAE,EAAE;YAC9B,MAAM,eAAe,GAAG,IAAI,kCAAe,CAAC,GAAG,CAAC,CAAC;YACjD,MAAM,IAAI,GAAG,MAAM,IAAA,gCAAc,EAAC,OAAO,EAAE,GAAG,CAAC,CAAC;YAChD,IAAI,CAAC,IAAI;gBAAE,OAAO,eAAe,CAAC,kBAAkB,CAAC,IAAA,0BAAiB,EAAC,eAAe,CAAC,CAAC,CAAC;YAEzF,MAAM,OAAO,GAAG,IAAI,8BAAa,EAAE,CAAC;YACpC,MAAM,QAAQ,GAAG,MAAM,OAAO,CAAC,kBAAkB,CAAC,OAAO,EAAE,IAAI,EAAE,GAAG,CAAC,CAAC;YACtE,OAAO,eAAe,CAAC,kBAA
kB,CAAC,QAAQ,CAAC,CAAC;QACtD,CAAC;QACD,UAAU,EAAE,CAAC,IAAA,2BAAc,GAAE,EAAE,IAAA,2BAAc,GAAE,CAAC;QAChD,WAAW,EAAE,sBAAsB;KACpC;CACF,CAAC"}
@@ -42,5 +42,14 @@ export interface Route {
42
42
  * API version (for versioning support)
43
43
  */
44
44
  version?: string;
45
+ /**
46
+ * Opt-in flag for publication on the public OpenAPI spec
47
+ * (`/openapi.json`) (G4 MEDIUM-3). Default `false` — only routes
48
+ * explicitly marked `publicSpec: true` appear in the document. The
49
+ * agent-discovery surface and the federation management routes are
50
+ * expected to set this; non-federation routes (posts, comments,
51
+ * media, ActivityPub, etc.) are excluded from the public spec.
52
+ */
53
+ publicSpec?: boolean;
45
54
  }
46
55
  //# sourceMappingURL=types.d.ts.map
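Review bot: The comment on `publicSpec` promises a default of `false`, but the field is optional, so that default exists only if the code that builds `/openapi.json` includes a route solely when `publicSpec === true`; that generator is not part of this hunk. A test that registers a route without the flag and asserts it is absent from the published document would pin the allow-list behaviour. The reference `G4 MEDIUM-3` is also opaque to a reader of the published typings, and a short phrase saying what the finding was would help. The `Route` interface begins above this hunk.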
@@ -1 +1 @@
1
- {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/lib/routes/types.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,WAAW,CAAC;AACrC,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AACzD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAChD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAErD,MAAM,WAAW,KAAK;IACpB;;;;;;;OAOG;IACH,IAAI,EAAE,YAAY,CAAC;IAEnB;;OAEG;IACH,MAAM,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAE3B;;OAEG;IACH,OAAO,EAAE,CACP,OAAO,EAAE,OAAO,EAChB,GAAG,EAAE,GAAG,EACR,OAAO,EAAE;QACP,GAAG,EAAE,GAAG,CAAC;QACT,QAAQ,EAAE,MAAM,CAAC;QACjB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAC/B,cAAc,CAAC,EAAE,cAAc,CAAC;KACjC,KACE,OAAO,CAAC,QAAQ,CAAC,CAAC;IAEvB;;OAEG;IACH,UAAU,CAAC,EAAE,UAAU,EAAE,CAAC;IAE1B;;OAEG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB;;OAEG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;CAClB"}
1
+ {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../../../src/lib/routes/types.ts"],"names":[],"mappings":"AAAA;;;;GAIG;AAEH,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,WAAW,CAAC;AACrC,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,oBAAoB,CAAC;AACzD,OAAO,KAAK,EAAE,UAAU,EAAE,MAAM,eAAe,CAAC;AAChD,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,kBAAkB,CAAC;AAErD,MAAM,WAAW,KAAK;IACpB;;;;;;;OAOG;IACH,IAAI,EAAE,YAAY,CAAC;IAEnB;;OAEG;IACH,MAAM,CAAC,EAAE,MAAM,GAAG,MAAM,EAAE,CAAC;IAE3B;;OAEG;IACH,OAAO,EAAE,CACP,OAAO,EAAE,OAAO,EAChB,GAAG,EAAE,GAAG,EACR,OAAO,EAAE;QACP,GAAG,EAAE,GAAG,CAAC;QACT,QAAQ,EAAE,MAAM,CAAC;QACjB,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;QAC/B,cAAc,CAAC,EAAE,cAAc,CAAC;KACjC,KACE,OAAO,CAAC,QAAQ,CAAC,CAAC;IAEvB;;OAEG;IACH,UAAU,CAAC,EAAE,UAAU,EAAE,CAAC;IAE1B;;OAEG;IACH,WAAW,CAAC,EAAE,MAAM,CAAC;IAErB;;OAEG;IACH,OAAO,CAAC,EAAE,MAAM,CAAC;IAEjB;;;;;;;OAOG;IACH,UAAU,CAAC,EAAE,OAAO,CAAC;CACtB"}
@@ -275,16 +275,16 @@ export declare const feedQuerySchema: z.ZodObject<{
275
275
  }, "strip", z.ZodTypeAny, {
276
276
  limit: number;
277
277
  cursor?: string | undefined;
278
- entityRef?: string | undefined;
279
278
  taxonomyTags?: string[] | undefined;
279
+ entityRef?: string | undefined;
280
280
  entityRefs?: string[] | undefined;
281
281
  offset?: number | undefined;
282
282
  personalized?: boolean | undefined;
283
283
  personalizationEntityIds?: string[] | undefined;
284
284
  }, {
285
285
  cursor?: string | undefined;
286
- entityRef?: string | undefined;
287
286
  taxonomyTags?: string[] | undefined;
287
+ entityRef?: string | undefined;
288
288
  limit?: number | undefined;
289
289
  entityRefs?: string[] | undefined;
290
290
  offset?: number | undefined;
@@ -0,0 +1,51 @@
1
+ /**
2
+ * Secrets Manager wrapper for IdP client secrets.
3
+ *
4
+ * Naming convention: `tenant/{tenantId}/idp-client-secret`. The IAM policy
5
+ * grants Skybber's task role only `secretsmanager:CreateSecret`,
6
+ * `PutSecretValue`, `DeleteSecret`, `DescribeSecret`, `GetSecretValue` on
7
+ * `arn:aws:secretsmanager:{region}:{account}:secret:tenant/*` so a leak in
8
+ * the IdP CRUD path can never read or rewrite secrets outside that prefix.
9
+ *
10
+ * The plaintext secret enters via `createOrUpdate` and is forwarded straight
11
+ * to Secrets Manager. It is never logged here. Callers must not log it
12
+ * either.
13
+ */
14
+ import { SecretsManagerClient } from "@aws-sdk/client-secrets-manager";
15
+ export declare const IDP_SECRET_PREFIX = "tenant/";
16
+ export declare const IDP_SECRET_SUFFIX = "/idp-client-secret";
17
+ export declare function idpSecretName(tenantId: string): string;
18
+ export interface IdpSecretRecord {
19
+ arn: string;
20
+ versionId?: string;
21
+ }
22
+ export declare class IdpSecretsClient {
23
+ private readonly client;
24
+ constructor(client: SecretsManagerClient);
25
+ /**
26
+ * Create the secret on first IdP connect. Tagged with the tenantId so an
27
+ * audit (or per-tenant cleanup) can find the secret without a lookup table.
28
+ * Throws if a secret with the same name already exists — the route handler
29
+ * maps that into 409.
30
+ */
31
+ create(tenantId: string, plaintext: string): Promise<IdpSecretRecord>;
32
+ /**
33
+ * Rotate the secret in place. Returns the new version id so the caller
34
+ * can attach it to audit metadata.
35
+ */
36
+ rotate(tenantId: string, plaintext: string): Promise<IdpSecretRecord>;
37
+ /**
38
+ * Permanently delete with no recovery window. We never want to leave
39
+ * dangling client secrets in Secrets Manager, and the only call sites
40
+ * (rollback after Cognito create failure, IdP disconnect) are explicitly
41
+ * destructive. NotFound is silently swallowed for idempotency.
42
+ */
43
+ delete(tenantId: string): Promise<void>;
44
+ /**
45
+ * Existence + ARN lookup. Used at IdP create time to decide whether to
46
+ * call Create vs Put. Returns null if the secret does not exist.
47
+ */
48
+ describe(tenantId: string): Promise<IdpSecretRecord | null>;
49
+ }
50
+ export declare function createIdpSecretsClient(region?: string): IdpSecretsClient;
51
+ //# sourceMappingURL=idp-secrets.d.ts.map
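Review bot: The file header says the plaintext secret enters via `createOrUpdate`, but `IdpSecretsClient` declares no such method; plaintext is accepted by `create` and `rotate`, and the sentence should name those two instead. The IAM paragraph would also benefit from one more sentence: the `tenant/*` resource scope keeps the task role away from unrelated secrets, but it does not separate tenants from one another, so per-tenant isolation rests on the `tenantId` given to `idpSecretName` being the authorised caller's tenant and having a validated format. The implementation is not in this declaration file, so whether that validation exists cannot be confirmed from here. The wording change belongs in `src/lib/secrets/idp-secrets.ts`, from which this `.d.ts` is generated.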
@@ -0,0 +1 @@
1
+ {"version":3,"file":"idp-secrets.d.ts","sourceRoot":"","sources":["../../../src/lib/secrets/idp-secrets.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;GAYG;AACH,OAAO,EACL,oBAAoB,EAKrB,MAAM,iCAAiC,CAAC;AAEzC,eAAO,MAAM,iBAAiB,YAAY,CAAC;AAC3C,eAAO,MAAM,iBAAiB,uBAAuB,CAAC;AAEtD,wBAAgB,aAAa,CAAC,QAAQ,EAAE,MAAM,GAAG,MAAM,CAEtD;AAED,MAAM,WAAW,eAAe;IAC9B,GAAG,EAAE,MAAM,CAAC;IACZ,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,qBAAa,gBAAgB;IACf,OAAO,CAAC,QAAQ,CAAC,MAAM;gBAAN,MAAM,EAAE,oBAAoB;IAEzD;;;;;OAKG;IACG,MAAM,CAAC,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC;IAkB3E;;;OAGG;IACG,MAAM,CAAC,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC;IAc3E;;;;;OAKG;IACG,MAAM,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC;IAgB7C;;;OAGG;IACG,QAAQ,CAAC,QAAQ,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,GAAG,IAAI,CAAC;CAclE;AAED,wBAAgB,sBAAsB,CAAC,MAAM,CAAC,EAAE,MAAM,GAAG,gBAAgB,CAIxE"}