@de-otio/trellis 0.6.1 → 0.7.0

Files changed (339) hide show
  1. package/dist/env.d.ts +21 -0
  2. package/dist/env.d.ts.map +1 -1
  3. package/dist/env.js +12 -0
  4. package/dist/env.js.map +1 -1
  5. package/dist/lambda/nightly-cron.d.ts.map +1 -1
  6. package/dist/lambda/nightly-cron.js +5 -2
  7. package/dist/lambda/nightly-cron.js.map +1 -1
  8. package/dist/lambda/post-confirmation.d.ts +30 -0
  9. package/dist/lambda/post-confirmation.d.ts.map +1 -1
  10. package/dist/lambda/post-confirmation.js +333 -29
  11. package/dist/lambda/post-confirmation.js.map +1 -1
  12. package/dist/lambda/pre-token-generation.d.ts +20 -0
  13. package/dist/lambda/pre-token-generation.d.ts.map +1 -1
  14. package/dist/lambda/pre-token-generation.js +233 -48
  15. package/dist/lambda/pre-token-generation.js.map +1 -1
  16. package/dist/lib/activitypub/activity-processor.d.ts.map +1 -1
  17. package/dist/lib/activitypub/activity-processor.js +2 -1
  18. package/dist/lib/activitypub/activity-processor.js.map +1 -1
  19. package/dist/lib/activitypub/group-service.d.ts +2 -2
  20. package/dist/lib/activitypub/group-service.d.ts.map +1 -1
  21. package/dist/lib/activitypub/group-service.js +5 -2
  22. package/dist/lib/activitypub/group-service.js.map +1 -1
  23. package/dist/lib/age-tier-transition.d.ts.map +1 -1
  24. package/dist/lib/age-tier-transition.js +19 -10
  25. package/dist/lib/age-tier-transition.js.map +1 -1
  26. package/dist/lib/audit/csv-export.d.ts +25 -0
  27. package/dist/lib/audit/csv-export.d.ts.map +1 -0
  28. package/dist/lib/audit/csv-export.js +54 -0
  29. package/dist/lib/audit/csv-export.js.map +1 -0
  30. package/dist/lib/audit/emit.d.ts +56 -0
  31. package/dist/lib/audit/emit.d.ts.map +1 -0
  32. package/dist/lib/audit/emit.js +124 -0
  33. package/dist/lib/audit/emit.js.map +1 -0
  34. package/dist/lib/audit/event-types.d.ts +36 -0
  35. package/dist/lib/audit/event-types.d.ts.map +1 -0
  36. package/dist/lib/audit/event-types.js +69 -0
  37. package/dist/lib/audit/event-types.js.map +1 -0
  38. package/dist/lib/audit/pii-filter.d.ts +22 -0
  39. package/dist/lib/audit/pii-filter.d.ts.map +1 -0
  40. package/dist/lib/audit/pii-filter.js +51 -0
  41. package/dist/lib/audit/pii-filter.js.map +1 -0
  42. package/dist/lib/audit-logger.js +1 -1
  43. package/dist/lib/audit-logger.js.map +1 -1
  44. package/dist/lib/auth/auth-context.d.ts +34 -0
  45. package/dist/lib/auth/auth-context.d.ts.map +1 -0
  46. package/dist/lib/auth/auth-context.js +10 -0
  47. package/dist/lib/auth/auth-context.js.map +1 -0
  48. package/dist/lib/auth/auth-middleware.d.ts +50 -0
  49. package/dist/lib/auth/auth-middleware.d.ts.map +1 -0
  50. package/dist/lib/auth/auth-middleware.js +153 -0
  51. package/dist/lib/auth/auth-middleware.js.map +1 -0
  52. package/dist/lib/auth/capabilities.d.ts +40 -0
  53. package/dist/lib/auth/capabilities.d.ts.map +1 -0
  54. package/dist/lib/auth/capabilities.js +44 -0
  55. package/dist/lib/auth/capabilities.js.map +1 -0
  56. package/dist/lib/auth/claims-cache.d.ts +70 -0
  57. package/dist/lib/auth/claims-cache.d.ts.map +1 -0
  58. package/dist/lib/auth/claims-cache.js +139 -0
  59. package/dist/lib/auth/claims-cache.js.map +1 -0
  60. package/dist/lib/auth/cognito-jwt.d.ts +6 -0
  61. package/dist/lib/auth/cognito-jwt.d.ts.map +1 -1
  62. package/dist/lib/auth/cognito-jwt.js.map +1 -1
  63. package/dist/lib/auth/idp-redirect-builder.d.ts +43 -0
  64. package/dist/lib/auth/idp-redirect-builder.d.ts.map +1 -0
  65. package/dist/lib/auth/idp-redirect-builder.js +48 -0
  66. package/dist/lib/auth/idp-redirect-builder.js.map +1 -0
  67. package/dist/lib/auth/require.d.ts +51 -0
  68. package/dist/lib/auth/require.d.ts.map +1 -0
  69. package/dist/lib/auth/require.js +99 -0
  70. package/dist/lib/auth/require.js.map +1 -0
  71. package/dist/lib/auth/role-grants.d.ts +18 -0
  72. package/dist/lib/auth/role-grants.d.ts.map +1 -0
  73. package/dist/lib/auth/role-grants.js +62 -0
  74. package/dist/lib/auth/role-grants.js.map +1 -0
  75. package/dist/lib/cognito/idp-sdk.d.ts +80 -0
  76. package/dist/lib/cognito/idp-sdk.d.ts.map +1 -0
  77. package/dist/lib/cognito/idp-sdk.js +186 -0
  78. package/dist/lib/cognito/idp-sdk.js.map +1 -0
  79. package/dist/lib/cognito/issuer-probe.d.ts +47 -0
  80. package/dist/lib/cognito/issuer-probe.d.ts.map +1 -0
  81. package/dist/lib/cognito/issuer-probe.js +319 -0
  82. package/dist/lib/cognito/issuer-probe.js.map +1 -0
  83. package/dist/lib/comment-handler.d.ts +7 -7
  84. package/dist/lib/comment-handler.d.ts.map +1 -1
  85. package/dist/lib/comment-handler.js +23 -20
  86. package/dist/lib/comment-handler.js.map +1 -1
  87. package/dist/lib/compliance/baseline.d.ts +15 -0
  88. package/dist/lib/compliance/baseline.d.ts.map +1 -0
  89. package/dist/lib/compliance/baseline.js +205 -0
  90. package/dist/lib/compliance/baseline.js.map +1 -0
  91. package/dist/lib/compliance/tenant-merge.d.ts +35 -0
  92. package/dist/lib/compliance/tenant-merge.d.ts.map +1 -0
  93. package/dist/lib/compliance/tenant-merge.js +80 -0
  94. package/dist/lib/compliance/tenant-merge.js.map +1 -0
  95. package/dist/lib/compliance/types.d.ts +135 -0
  96. package/dist/lib/compliance/types.d.ts.map +1 -0
  97. package/dist/lib/compliance/types.js +9 -0
  98. package/dist/lib/compliance/types.js.map +1 -0
  99. package/dist/lib/connection-code-handler.d.ts +4 -4
  100. package/dist/lib/connection-code-handler.d.ts.map +1 -1
  101. package/dist/lib/connection-code-handler.js +21 -11
  102. package/dist/lib/connection-code-handler.js.map +1 -1
  103. package/dist/lib/feed-handler.d.ts +2 -2
  104. package/dist/lib/feed-handler.d.ts.map +1 -1
  105. package/dist/lib/feed-handler.js +5 -9
  106. package/dist/lib/feed-handler.js.map +1 -1
  107. package/dist/lib/middleware/idempotency-store.d.ts +86 -0
  108. package/dist/lib/middleware/idempotency-store.d.ts.map +1 -0
  109. package/dist/lib/middleware/idempotency-store.js +109 -0
  110. package/dist/lib/middleware/idempotency-store.js.map +1 -0
  111. package/dist/lib/middleware/idempotency.d.ts +37 -0
  112. package/dist/lib/middleware/idempotency.d.ts.map +1 -0
  113. package/dist/lib/middleware/idempotency.js +358 -0
  114. package/dist/lib/middleware/idempotency.js.map +1 -0
  115. package/dist/lib/net/trusted-client-ip.d.ts +39 -0
  116. package/dist/lib/net/trusted-client-ip.d.ts.map +1 -0
  117. package/dist/lib/net/trusted-client-ip.js +100 -0
  118. package/dist/lib/net/trusted-client-ip.js.map +1 -0
  119. package/dist/lib/notification-handler.d.ts +5 -5
  120. package/dist/lib/notification-handler.d.ts.map +1 -1
  121. package/dist/lib/notification-handler.js +11 -9
  122. package/dist/lib/notification-handler.js.map +1 -1
  123. package/dist/lib/oauth/cognito-issuer.d.ts +34 -0
  124. package/dist/lib/oauth/cognito-issuer.d.ts.map +1 -0
  125. package/dist/lib/oauth/cognito-issuer.js +53 -0
  126. package/dist/lib/oauth/cognito-issuer.js.map +1 -0
  127. package/dist/lib/oauth/device-authorization.d.ts +145 -0
  128. package/dist/lib/oauth/device-authorization.d.ts.map +1 -0
  129. package/dist/lib/oauth/device-authorization.js +312 -0
  130. package/dist/lib/oauth/device-authorization.js.map +1 -0
  131. package/dist/lib/oauth/envelope-crypto.d.ts +101 -0
  132. package/dist/lib/oauth/envelope-crypto.d.ts.map +1 -0
  133. package/dist/lib/oauth/envelope-crypto.js +223 -0
  134. package/dist/lib/oauth/envelope-crypto.js.map +1 -0
  135. package/dist/lib/oauth/refresh-detection.d.ts +126 -0
  136. package/dist/lib/oauth/refresh-detection.d.ts.map +1 -0
  137. package/dist/lib/oauth/refresh-detection.js +248 -0
  138. package/dist/lib/oauth/refresh-detection.js.map +1 -0
  139. package/dist/lib/openapi/generator.d.ts +78 -0
  140. package/dist/lib/openapi/generator.d.ts.map +1 -0
  141. package/dist/lib/openapi/generator.js +201 -0
  142. package/dist/lib/openapi/generator.js.map +1 -0
  143. package/dist/lib/post-handler.d.ts +1 -1
  144. package/dist/lib/post-handler.d.ts.map +1 -1
  145. package/dist/lib/post-handler.js +4 -15
  146. package/dist/lib/post-handler.js.map +1 -1
  147. package/dist/lib/rate-limit.d.ts.map +1 -1
  148. package/dist/lib/rate-limit.js +11 -3
  149. package/dist/lib/rate-limit.js.map +1 -1
  150. package/dist/lib/routes/agent-authorize.d.ts +32 -0
  151. package/dist/lib/routes/agent-authorize.d.ts.map +1 -0
  152. package/dist/lib/routes/agent-authorize.js +479 -0
  153. package/dist/lib/routes/agent-authorize.js.map +1 -0
  154. package/dist/lib/routes/agent-sessions.d.ts +20 -0
  155. package/dist/lib/routes/agent-sessions.d.ts.map +1 -0
  156. package/dist/lib/routes/agent-sessions.js +124 -0
  157. package/dist/lib/routes/agent-sessions.js.map +1 -0
  158. package/dist/lib/routes/agent-surface.d.ts +37 -0
  159. package/dist/lib/routes/agent-surface.d.ts.map +1 -0
  160. package/dist/lib/routes/agent-surface.js +208 -0
  161. package/dist/lib/routes/agent-surface.js.map +1 -0
  162. package/dist/lib/routes/auth-discover.d.ts +18 -0
  163. package/dist/lib/routes/auth-discover.d.ts.map +1 -0
  164. package/dist/lib/routes/auth-discover.js +177 -0
  165. package/dist/lib/routes/auth-discover.js.map +1 -0
  166. package/dist/lib/routes/comments.d.ts.map +1 -1
  167. package/dist/lib/routes/comments.js +36 -7
  168. package/dist/lib/routes/comments.js.map +1 -1
  169. package/dist/lib/routes/connection-codes.d.ts.map +1 -1
  170. package/dist/lib/routes/connection-codes.js +21 -4
  171. package/dist/lib/routes/connection-codes.js.map +1 -1
  172. package/dist/lib/routes/content-discovery.d.ts.map +1 -1
  173. package/dist/lib/routes/content-discovery.js +18 -13
  174. package/dist/lib/routes/content-discovery.js.map +1 -1
  175. package/dist/lib/routes/dashboard.js +1 -1
  176. package/dist/lib/routes/dashboard.js.map +1 -1
  177. package/dist/lib/routes/employees.d.ts.map +1 -1
  178. package/dist/lib/routes/employees.js +57 -15
  179. package/dist/lib/routes/employees.js.map +1 -1
  180. package/dist/lib/routes/entities.d.ts.map +1 -1
  181. package/dist/lib/routes/entities.js +35 -19
  182. package/dist/lib/routes/entities.js.map +1 -1
  183. package/dist/lib/routes/errors.d.ts +34 -0
  184. package/dist/lib/routes/errors.d.ts.map +1 -0
  185. package/dist/lib/routes/errors.js +57 -0
  186. package/dist/lib/routes/errors.js.map +1 -0
  187. package/dist/lib/routes/feeds.d.ts.map +1 -1
  188. package/dist/lib/routes/feeds.js +12 -2
  189. package/dist/lib/routes/feeds.js.map +1 -1
  190. package/dist/lib/routes/index.d.ts.map +1 -1
  191. package/dist/lib/routes/index.js +50 -0
  192. package/dist/lib/routes/index.js.map +1 -1
  193. package/dist/lib/routes/mfa.d.ts.map +1 -1
  194. package/dist/lib/routes/mfa.js +1 -0
  195. package/dist/lib/routes/mfa.js.map +1 -1
  196. package/dist/lib/routes/notifications.d.ts.map +1 -1
  197. package/dist/lib/routes/notifications.js +21 -4
  198. package/dist/lib/routes/notifications.js.map +1 -1
  199. package/dist/lib/routes/oauth.d.ts +15 -0
  200. package/dist/lib/routes/oauth.d.ts.map +1 -0
  201. package/dist/lib/routes/oauth.js +139 -0
  202. package/dist/lib/routes/oauth.js.map +1 -0
  203. package/dist/lib/routes/posts.d.ts.map +1 -1
  204. package/dist/lib/routes/posts.js +30 -19
  205. package/dist/lib/routes/posts.js.map +1 -1
  206. package/dist/lib/routes/products.d.ts.map +1 -1
  207. package/dist/lib/routes/products.js +19 -22
  208. package/dist/lib/routes/products.js.map +1 -1
  209. package/dist/lib/routes/setup-status.d.ts +34 -0
  210. package/dist/lib/routes/setup-status.d.ts.map +1 -0
  211. package/dist/lib/routes/setup-status.js +87 -0
  212. package/dist/lib/routes/setup-status.js.map +1 -0
  213. package/dist/lib/routes/taxonomy-analytics.d.ts.map +1 -1
  214. package/dist/lib/routes/taxonomy-analytics.js +15 -14
  215. package/dist/lib/routes/taxonomy-analytics.js.map +1 -1
  216. package/dist/lib/routes/taxonomy.d.ts.map +1 -1
  217. package/dist/lib/routes/taxonomy.js +19 -16
  218. package/dist/lib/routes/taxonomy.js.map +1 -1
  219. package/dist/lib/routes/tenant-audit.d.ts +19 -0
  220. package/dist/lib/routes/tenant-audit.d.ts.map +1 -0
  221. package/dist/lib/routes/tenant-audit.js +244 -0
  222. package/dist/lib/routes/tenant-audit.js.map +1 -0
  223. package/dist/lib/routes/tenant-compliance.d.ts +21 -0
  224. package/dist/lib/routes/tenant-compliance.d.ts.map +1 -0
  225. package/dist/lib/routes/tenant-compliance.js +122 -0
  226. package/dist/lib/routes/tenant-compliance.js.map +1 -0
  227. package/dist/lib/routes/tenant-domains.d.ts +11 -0
  228. package/dist/lib/routes/tenant-domains.d.ts.map +1 -0
  229. package/dist/lib/routes/tenant-domains.js +95 -0
  230. package/dist/lib/routes/tenant-domains.js.map +1 -0
  231. package/dist/lib/routes/tenant-idp.d.ts +3 -0
  232. package/dist/lib/routes/tenant-idp.d.ts.map +1 -0
  233. package/dist/lib/routes/tenant-idp.js +89 -0
  234. package/dist/lib/routes/tenant-idp.js.map +1 -0
  235. package/dist/lib/routes/tenant-members.d.ts +13 -0
  236. package/dist/lib/routes/tenant-members.d.ts.map +1 -0
  237. package/dist/lib/routes/tenant-members.js +75 -0
  238. package/dist/lib/routes/tenant-members.js.map +1 -0
  239. package/dist/lib/routes/tenant-role-mappings.d.ts +11 -0
  240. package/dist/lib/routes/tenant-role-mappings.d.ts.map +1 -0
  241. package/dist/lib/routes/tenant-role-mappings.js +90 -0
  242. package/dist/lib/routes/tenant-role-mappings.js.map +1 -0
  243. package/dist/lib/routes/tenants.d.ts +13 -0
  244. package/dist/lib/routes/tenants.d.ts.map +1 -0
  245. package/dist/lib/routes/tenants.js +121 -0
  246. package/dist/lib/routes/tenants.js.map +1 -0
  247. package/dist/lib/routes/types.d.ts +9 -0
  248. package/dist/lib/routes/types.d.ts.map +1 -1
  249. package/dist/lib/schemas.d.ts +2 -2
  250. package/dist/lib/secrets/idp-secrets.d.ts +51 -0
  251. package/dist/lib/secrets/idp-secrets.d.ts.map +1 -0
  252. package/dist/lib/secrets/idp-secrets.js +111 -0
  253. package/dist/lib/secrets/idp-secrets.js.map +1 -0
  254. package/dist/lib/security-monitor.d.ts.map +1 -1
  255. package/dist/lib/security-monitor.js +6 -1
  256. package/dist/lib/security-monitor.js.map +1 -1
  257. package/dist/lib/session-manager.d.ts +1 -0
  258. package/dist/lib/session-manager.d.ts.map +1 -1
  259. package/dist/lib/session-manager.js.map +1 -1
  260. package/dist/lib/taxonomy-handler-factory.d.ts +4 -2
  261. package/dist/lib/taxonomy-handler-factory.d.ts.map +1 -1
  262. package/dist/lib/taxonomy-handler-factory.js +8 -7
  263. package/dist/lib/taxonomy-handler-factory.js.map +1 -1
  264. package/dist/lib/tenant/audit-emit.d.ts +18 -0
  265. package/dist/lib/tenant/audit-emit.d.ts.map +1 -0
  266. package/dist/lib/tenant/audit-emit.js +16 -0
  267. package/dist/lib/tenant/audit-emit.js.map +1 -0
  268. package/dist/lib/tenant/derive-domain.d.ts +19 -0
  269. package/dist/lib/tenant/derive-domain.d.ts.map +1 -0
  270. package/dist/lib/tenant/derive-domain.js +38 -0
  271. package/dist/lib/tenant/derive-domain.js.map +1 -0
  272. package/dist/lib/tenant/domain-handler.d.ts +42 -0
  273. package/dist/lib/tenant/domain-handler.d.ts.map +1 -0
  274. package/dist/lib/tenant/domain-handler.js +344 -0
  275. package/dist/lib/tenant/domain-handler.js.map +1 -0
  276. package/dist/lib/tenant/domain-validator.d.ts +28 -0
  277. package/dist/lib/tenant/domain-validator.d.ts.map +1 -0
  278. package/dist/lib/tenant/domain-validator.js +145 -0
  279. package/dist/lib/tenant/domain-validator.js.map +1 -0
  280. package/dist/lib/tenant/domain-verifier.d.ts +30 -0
  281. package/dist/lib/tenant/domain-verifier.d.ts.map +1 -0
  282. package/dist/lib/tenant/domain-verifier.js +53 -0
  283. package/dist/lib/tenant/domain-verifier.js.map +1 -0
  284. package/dist/lib/tenant/idp-handler.d.ts +29 -0
  285. package/dist/lib/tenant/idp-handler.d.ts.map +1 -0
  286. package/dist/lib/tenant/idp-handler.js +693 -0
  287. package/dist/lib/tenant/idp-handler.js.map +1 -0
  288. package/dist/lib/tenant/idp-name.d.ts +2 -0
  289. package/dist/lib/tenant/idp-name.d.ts.map +1 -0
  290. package/dist/lib/tenant/idp-name.js +20 -0
  291. package/dist/lib/tenant/idp-name.js.map +1 -0
  292. package/dist/lib/tenant/member-handler.d.ts +31 -0
  293. package/dist/lib/tenant/member-handler.d.ts.map +1 -0
  294. package/dist/lib/tenant/member-handler.js +343 -0
  295. package/dist/lib/tenant/member-handler.js.map +1 -0
  296. package/dist/lib/tenant/reserved-slugs.d.ts +37 -0
  297. package/dist/lib/tenant/reserved-slugs.d.ts.map +1 -0
  298. package/dist/lib/tenant/reserved-slugs.js +116 -0
  299. package/dist/lib/tenant/reserved-slugs.js.map +1 -0
  300. package/dist/lib/tenant/resolve-role.d.ts +39 -0
  301. package/dist/lib/tenant/resolve-role.d.ts.map +1 -0
  302. package/dist/lib/tenant/resolve-role.js +60 -0
  303. package/dist/lib/tenant/resolve-role.js.map +1 -0
  304. package/dist/lib/tenant/role-mapping-handler.d.ts +26 -0
  305. package/dist/lib/tenant/role-mapping-handler.d.ts.map +1 -0
  306. package/dist/lib/tenant/role-mapping-handler.js +260 -0
  307. package/dist/lib/tenant/role-mapping-handler.js.map +1 -0
  308. package/dist/lib/tenant/setup-status.d.ts +83 -0
  309. package/dist/lib/tenant/setup-status.d.ts.map +1 -0
  310. package/dist/lib/tenant/setup-status.js +201 -0
  311. package/dist/lib/tenant/setup-status.js.map +1 -0
  312. package/dist/lib/tenant/slug-validator.d.ts +31 -0
  313. package/dist/lib/tenant/slug-validator.d.ts.map +1 -0
  314. package/dist/lib/tenant/slug-validator.js +42 -0
  315. package/dist/lib/tenant/slug-validator.js.map +1 -0
  316. package/dist/lib/tenant/tenant-handler.d.ts +49 -0
  317. package/dist/lib/tenant/tenant-handler.d.ts.map +1 -0
  318. package/dist/lib/tenant/tenant-handler.js +377 -0
  319. package/dist/lib/tenant/tenant-handler.js.map +1 -0
  320. package/dist/lib/tenant/transfer-ownership.d.ts +39 -0
  321. package/dist/lib/tenant/transfer-ownership.d.ts.map +1 -0
  322. package/dist/lib/tenant/transfer-ownership.js +66 -0
  323. package/dist/lib/tenant/transfer-ownership.js.map +1 -0
  324. package/dist/lib/user/derive-handle.d.ts +29 -0
  325. package/dist/lib/user/derive-handle.d.ts.map +1 -0
  326. package/dist/lib/user/derive-handle.js +65 -0
  327. package/dist/lib/user/derive-handle.js.map +1 -0
  328. package/dist/lib/user-deprovisioning.d.ts +11 -1
  329. package/dist/lib/user-deprovisioning.d.ts.map +1 -1
  330. package/dist/lib/user-deprovisioning.js +46 -2
  331. package/dist/lib/user-deprovisioning.js.map +1 -1
  332. package/dist/lib/validation/feature-toggle-schemas.d.ts +10 -10
  333. package/package.json +5 -3
  334. package/prisma/migrations/20260502094501_add_tenancy_model/migration.sql +334 -0
  335. package/prisma/migrations/20260503000000_add_tenant_region/migration.sql +4 -0
  336. package/prisma/schema.prisma +324 -74
  337. package/src/lambda/nightly-cron.ts +4 -1
  338. package/src/lambda/post-confirmation.ts +405 -29
  339. package/src/lambda/pre-token-generation.ts +300 -59
@@ -0,0 +1,201 @@
1
+ "use strict";
2
+ /**
3
+ * Setup-status: machine-friendly tenant onboarding progress.
4
+ *
5
+ * `computeSetupStatus` is a pure function — it does no I/O and can be tested
6
+ * without a database. `loadSetupStatus` performs the Prisma query and calls
7
+ * `computeSetupStatus` with the results.
8
+ */
9
+ var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
10
+ if (k2 === undefined) k2 = k;
11
+ var desc = Object.getOwnPropertyDescriptor(m, k);
12
+ if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
13
+ desc = { enumerable: true, get: function() { return m[k]; } };
14
+ }
15
+ Object.defineProperty(o, k2, desc);
16
+ }) : (function(o, m, k, k2) {
17
+ if (k2 === undefined) k2 = k;
18
+ o[k2] = m[k];
19
+ }));
20
+ var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
21
+ Object.defineProperty(o, "default", { enumerable: true, value: v });
22
+ }) : function(o, v) {
23
+ o["default"] = v;
24
+ });
25
+ var __importStar = (this && this.__importStar) || (function () {
26
+ var ownKeys = function(o) {
27
+ ownKeys = Object.getOwnPropertyNames || function (o) {
28
+ var ar = [];
29
+ for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
30
+ return ar;
31
+ };
32
+ return ownKeys(o);
33
+ };
34
+ return function (mod) {
35
+ if (mod && mod.__esModule) return mod;
36
+ var result = {};
37
+ if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
38
+ __setModuleDefault(result, mod);
39
+ return result;
40
+ };
41
+ })();
42
+ Object.defineProperty(exports, "__esModule", { value: true });
43
+ exports.computeSetupStatus = computeSetupStatus;
44
+ exports.loadSetupStatus = loadSetupStatus;
45
+ // ── Pure computation ────────────────────────────────────────────────────────
46
+ /**
47
+ * Deterministically derive the setup-status object from snapshot data.
48
+ * No side effects; safe to call in unit tests without any database.
49
+ */
50
+ function computeSetupStatus(input) {
51
+ const { tenantId, tenantExists, hasTestSignIn, domains, idp, roleMappings } = input;
52
+ // ── tenant section ────────────────────────────────────────────────────────
53
+ const tenantSection = {
54
+ status: tenantExists ? "ok" : "missing",
55
+ tenantId,
56
+ };
57
+ // ── domains section ───────────────────────────────────────────────────────
58
+ const domainItems = domains.map((d) => ({
59
+ domain: d.domain,
60
+ verifiedAt: d.verifiedAt ? d.verifiedAt.toISOString() : null,
61
+ status: d.verifiedAt ? "verified" : d.failedAt ? "failed" : "pending",
62
+ }));
63
+ // ── idp section ───────────────────────────────────────────────────────────
64
+ const idpSection = idp
65
+ ? {
66
+ kind: idp.kind,
67
+ status: idp.status,
68
+ issuerUrl: idp.issuerUrl,
69
+ }
70
+ : null;
71
+ // ── roleMappings section ──────────────────────────────────────────────────
72
+ const roleMappingItems = roleMappings.map((r) => ({
73
+ id: r.id,
74
+ externalGroup: r.externalGroup,
75
+ tenantRole: r.tenantRole,
76
+ }));
77
+ // ── nextStep computation ──────────────────────────────────────────────────
78
+ const verifiedDomains = domainItems.filter((d) => d.status === "verified");
79
+ const unverifiedDomains = domainItems.filter((d) => d.status !== "verified");
80
+ const idpActive = idpSection !== null && idpSection.status === "ACTIVE";
81
+ let nextStep;
82
+ if (domainItems.length === 0) {
83
+ nextStep = {
84
+ code: "DOMAIN_REQUIRED",
85
+ message: "Add a domain to verify ownership before connecting an identity provider.",
86
+ endpoint: `POST /api/tenants/${tenantId}/domains`,
87
+ remediation: "Call POST /api/tenants/{id}/domains with { \"domain\": \"yourdomain.com\" } to claim your domain.",
88
+ };
89
+ }
90
+ else if (verifiedDomains.length === 0 && unverifiedDomains.length > 0) {
91
+ // Has domains claimed but none verified (includes pending and failed states).
92
+ nextStep = {
93
+ code: "DOMAIN_VERIFICATION_PENDING",
94
+ message: "At least one domain is claimed but not yet verified. Add the DNS TXT record and verify.",
95
+ endpoint: `POST /api/tenants/${tenantId}/domains/{domainId}/verify`,
96
+ remediation: "Add the TXT record to your DNS provider then call POST /api/tenants/{id}/domains/{domainId}/verify.",
97
+ };
98
+ }
99
+ else if (idpSection === null) {
100
+ nextStep = {
101
+ code: "IDP_REQUIRED",
102
+ message: "No identity provider is connected. Connect an OIDC IdP to enable federated sign-in.",
103
+ endpoint: `POST /api/tenants/${tenantId}/identity-provider`,
104
+ remediation: "Call POST /api/tenants/{id}/identity-provider with { \"kind\": \"OIDC\", \"issuerUrl\": \"...\", ... }.",
105
+ };
106
+ }
107
+ else if (!idpActive) {
108
+ // IdP exists but is DISABLED or PENDING
109
+ nextStep = {
110
+ code: "IDP_REQUIRED",
111
+ message: `Identity provider is not active (status: ${idpSection.status}). Enable it to allow federated sign-in.`,
112
+ endpoint: `PATCH /api/tenants/${tenantId}/identity-provider`,
113
+ remediation: "Call PATCH /api/tenants/{id}/identity-provider with { \"status\": \"ACTIVE\" }.",
114
+ };
115
+ }
116
+ else if (roleMappingItems.length === 0) {
117
+ nextStep = {
118
+ code: "ROLE_MAPPING_REQUIRED",
119
+ message: "No role mappings are configured. Add at least one mapping to assign roles to IdP groups.",
120
+ endpoint: `POST /api/tenants/${tenantId}/role-mappings`,
121
+ remediation: "Call POST /api/tenants/{id}/role-mappings with { \"externalGroup\": \"...\", \"tenantRole\": \"MEMBER\" }.",
122
+ };
123
+ }
124
+ else if (!hasTestSignIn) {
125
+ nextStep = {
126
+ code: "TEST_SIGN_IN",
127
+ message: "Setup looks complete. Perform a test federated sign-in to confirm the flow works end-to-end.",
128
+ endpoint: `GET /api/auth/discover`,
129
+ remediation: "Use a test account in your IdP to sign in via POST /api/auth/discover and verify the redirect flow.",
130
+ };
131
+ }
132
+ else {
133
+ nextStep = {
134
+ code: "COMPLETE",
135
+ message: "Tenant setup is complete. Federated sign-in is operational.",
136
+ endpoint: `GET /api/tenants/${tenantId}/setup-status`,
137
+ remediation: "No action required.",
138
+ };
139
+ }
140
+ return {
141
+ tenant: tenantSection,
142
+ domains: domainItems,
143
+ idp: idpSection,
144
+ roleMappings: roleMappingItems,
145
+ nextStep,
146
+ };
147
+ }
148
+ // ── Loader (Prisma I/O) ─────────────────────────────────────────────────────
149
+ /**
150
+ * Fetch all data needed to compute setup-status in a single read transaction,
151
+ * then return the computed status object.
152
+ */
153
+ async function loadSetupStatus(tenantId, env) {
154
+ const { createPrisma } = await Promise.resolve().then(() => __importStar(require("../../db")));
155
+ const db = createPrisma(env);
156
+ // Single transaction to get a consistent snapshot.
157
+ const [tenant, domains, idpRow, roleMappings, testSignInEvent] = await db.$transaction([
158
+ db.tenant.findUnique({
159
+ where: { id: tenantId },
160
+ select: { id: true },
161
+ }),
162
+ db.tenantDomain.findMany({
163
+ where: { tenantId },
164
+ select: { domain: true, verifiedAt: true },
165
+ orderBy: { domain: "asc" },
166
+ }),
167
+ db.tenantIdentityProvider.findUnique({
168
+ where: { tenantId },
169
+ select: { kind: true, status: true, issuerUrl: true },
170
+ }),
171
+ db.tenantRoleMapping.findMany({
172
+ where: { tenantId },
173
+ select: { id: true, idpGroupName: true, tenantRole: true },
174
+ orderBy: { idpGroupName: "asc" },
175
+ }),
176
+ db.securityEvent.findFirst({
177
+ where: {
178
+ tenantId,
179
+ type: "tenant.federated_login.success",
180
+ },
181
+ select: { id: true },
182
+ }),
183
+ ]);
184
+ if (!tenant)
185
+ return null;
186
+ return computeSetupStatus({
187
+ tenantId,
188
+ tenantExists: true,
189
+ hasTestSignIn: Boolean(testSignInEvent),
190
+ domains,
191
+ idp: idpRow
192
+ ? { kind: String(idpRow.kind), status: String(idpRow.status), issuerUrl: idpRow.issuerUrl }
193
+ : null,
194
+ roleMappings: roleMappings.map((r) => ({
195
+ id: r.id,
196
+ externalGroup: r.idpGroupName,
197
+ tenantRole: String(r.tenantRole),
198
+ })),
199
+ });
200
+ }
201
+ //# sourceMappingURL=setup-status.js.map
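Review bot: In `loadSetupStatus` the `tenantDomain.findMany` call selects only `domain` and `verifiedAt`, while `computeSetupStatus` derives the `"failed"` state from `d.failedAt`, so through this loader a domain whose verification failed is always reported as `"pending"`. If the model has that column (the schema is not visible here), the select should read `select: { domain: true, verifiedAt: true, failedAt: true }`. The `TEST_SIGN_IN` step also contradicts itself: `endpoint` says `GET /api/auth/discover` while `remediation` says `POST /api/auth/discover`. Separately, `loadSetupStatus` does no caller check of its own and returns the issuer URL and IdP group names, so a comment such as `// Caller must already have authorized the requester for tenantId` above it would make the contract explicit; presumably the route handler enforces this.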
@@ -0,0 +1 @@
1
+ {"version":3,"file":"setup-status.js","sourceRoot":"","sources":["../../../src/lib/tenant/setup-status.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAkGH,gDAmGC;AAQD,0CAoDC;AArKD,+EAA+E;AAE/E;;;GAGG;AACH,SAAgB,kBAAkB,CAAC,KAAuB;IACxD,MAAM,EAAE,QAAQ,EAAE,YAAY,EAAE,aAAa,EAAE,OAAO,EAAE,GAAG,EAAE,YAAY,EAAE,GAAG,KAAK,CAAC;IAEpF,6EAA6E;IAC7E,MAAM,aAAa,GAAuB;QACxC,MAAM,EAAE,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS;QACvC,QAAQ;KACT,CAAC;IAEF,6EAA6E;IAC7E,MAAM,WAAW,GAAkB,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACrD,MAAM,EAAE,CAAC,CAAC,MAAM;QAChB,UAAU,EAAE,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,IAAI;QAC5D,MAAM,EAAE,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS;KACtE,CAAC,CAAC,CAAC;IAEJ,6EAA6E;IAC7E,MAAM,UAAU,GAAoB,GAAG;QACrC,CAAC,CAAC;YACE,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,MAAM,EAAE,GAAG,CAAC,MAAmB;YAC/B,SAAS,EAAE,GAAG,CAAC,SAAS;SACzB;QACH,CAAC,CAAC,IAAI,CAAC;IAET,6EAA6E;IAC7E,MAAM,gBAAgB,GAAuB,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACpE,EAAE,EAAE,CAAC,CAAC,EAAE;QACR,aAAa,EAAE,CAAC,CAAC,aAAa;QAC9B,UAAU,EAAE,CAAC,CAAC,UAAU;KACzB,CAAC,CAAC,CAAC;IAEJ,6EAA6E;IAC7E,MAAM,eAAe,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,UAAU,CAAC,CAAC;IAC3E,MAAM,iBAAiB,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,UAAU,CAAC,CAAC;IAC7E,MAAM,SAAS,GAAG,UAAU,KAAK,IAAI,IAAI,UAAU,CAAC,MAAM,KAAK,QAAQ,CAAC;IAExE,IAAI,QAAkB,CAAC;IAEvB,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC7B,QAAQ,GAAG;YACT,IAAI,EAAE,iBAAiB;YACvB,OAAO,EAAE,0EAA0E;YACnF,QAAQ,EAAE,qBAAqB,QAAQ,UAAU;YACjD,WAAW,EAAE,mGAAmG;SACjH,CAAC;IACJ,CAAC;SAAM,IAAI,eAAe,CAAC,MAAM,KAAK,CAAC,IAAI,iBAAiB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxE,8EAA8E;QAC9E,QAAQ,GAAG;YACT,IAAI,EAAE,6BAA6B;YACnC,OAAO,EAAE,yFAAyF;YAClG,QAAQ,EAAE,qBAAqB,QAAQ,4BAA4B;YACnE,WAAW,EAAE,qGAAqG;SACnH,CAAC;IACJ,CAAC;SAAM,IAAI,UAAU,KAAK,IAAI,EAAE,CAAC;QAC/B,QAAQ,GAAG;YACT,IAAI,EAAE,cAAc;YACpB
,OAAO,EAAE,qFAAqF;YAC9F,QAAQ,EAAE,qBAAqB,QAAQ,oBAAoB;YAC3D,WAAW,EAAE,yGAAyG;SACvH,CAAC;IACJ,CAAC;SAAM,IAAI,CAAC,SAAS,EAAE,CAAC;QACtB,wCAAwC;QACxC,QAAQ,GAAG;YACT,IAAI,EAAE,cAAc;YACpB,OAAO,EAAE,4CAA4C,UAAU,CAAC,MAAM,0CAA0C;YAChH,QAAQ,EAAE,sBAAsB,QAAQ,oBAAoB;YAC5D,WAAW,EAAE,iFAAiF;SAC/F,CAAC;IACJ,CAAC;SAAM,IAAI,gBAAgB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzC,QAAQ,GAAG;YACT,IAAI,EAAE,uBAAuB;YAC7B,OAAO,EAAE,0FAA0F;YACnG,QAAQ,EAAE,qBAAqB,QAAQ,gBAAgB;YACvD,WAAW,EAAE,4GAA4G;SAC1H,CAAC;IACJ,CAAC;SAAM,IAAI,CAAC,aAAa,EAAE,CAAC;QAC1B,QAAQ,GAAG;YACT,IAAI,EAAE,cAAc;YACpB,OAAO,EAAE,8FAA8F;YACvG,QAAQ,EAAE,wBAAwB;YAClC,WAAW,EAAE,qGAAqG;SACnH,CAAC;IACJ,CAAC;SAAM,CAAC;QACN,QAAQ,GAAG;YACT,IAAI,EAAE,UAAU;YAChB,OAAO,EAAE,6DAA6D;YACtE,QAAQ,EAAE,oBAAoB,QAAQ,eAAe;YACrD,WAAW,EAAE,qBAAqB;SACnC,CAAC;IACJ,CAAC;IAED,OAAO;QACL,MAAM,EAAE,aAAa;QACrB,OAAO,EAAE,WAAW;QACpB,GAAG,EAAE,UAAU;QACf,YAAY,EAAE,gBAAgB;QAC9B,QAAQ;KACT,CAAC;AACJ,CAAC;AAED,+EAA+E;AAE/E;;;GAGG;AACI,KAAK,UAAU,eAAe,CACnC,QAAgB,EAChB,GAAQ;IAER,MAAM,EAAE,YAAY,EAAE,GAAG,wDAAa,UAAU,GAAC,CAAC;IAClD,MAAM,EAAE,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC;IAE7B,mDAAmD;IACnD,MAAM,CAAC,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,YAAY,EAAE,eAAe,CAAC,GAAG,MAAM,EAAE,CAAC,YAAY,CAAC;QACrF,EAAE,CAAC,MAAM,CAAC,UAAU,CAAC;YACnB,KAAK,EAAE,EAAE,EAAE,EAAE,QAAQ,EAAE;YACvB,MAAM,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE;SACrB,CAAC;QACF,EAAE,CAAC,YAAY,CAAC,QAAQ,CAAC;YACvB,KAAK,EAAE,EAAE,QAAQ,EAAE;YACnB,MAAM,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE;YAC1C,OAAO,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE;SAC3B,CAAC;QACF,EAAE,CAAC,sBAAsB,CAAC,UAAU,CAAC;YACnC,KAAK,EAAE,EAAE,QAAQ,EAAE;YACnB,MAAM,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE;SACtD,CAAC;QACF,EAAE,CAAC,iBAAiB,CAAC,QAAQ,CAAC;YAC5B,KAAK,EAAE,EAAE,QAAQ,EAAE;YACnB,MAAM,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE;YAC1D,OAAO,EAAE,EAAE,YAAY,EAAE,KAAK,EAAE;SACjC,CAAC;QACF,EAAE,CAAC,aAAa,CAAC,SAAS,CAAC;YACzB,KAAK,EAAE;gBACL,QAAQ;gBACR,IAAI,EAAE,gCAAgC;aACvC;YACD,MAAM,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE;SACrB,CAAC;KA
CH,CAAC,CAAC;IAEH,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IAEzB,OAAO,kBAAkB,CAAC;QACxB,QAAQ;QACR,YAAY,EAAE,IAAI;QAClB,aAAa,EAAE,OAAO,CAAC,eAAe,CAAC;QACvC,OAAO;QACP,GAAG,EAAE,MAAM;YACT,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,SAAS,EAAE,MAAM,CAAC,SAAS,EAAE;YAC3F,CAAC,CAAC,IAAI;QACR,YAAY,EAAE,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACrC,EAAE,EAAE,CAAC,CAAC,EAAE;YACR,aAAa,EAAE,CAAC,CAAC,YAAY;YAC7B,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,UAAU,CAAC;SACjC,CAAC,CAAC;KACJ,CAAC,CAAC;AACL,CAAC"}
@@ -0,0 +1,31 @@
1
+ /**
2
+ * Slug Validator
3
+ *
4
+ * Wraps the T1 slug regex and reserved-list into a typed result that
5
+ * route handlers can pattern-match on.
6
+ */
7
+ export type SlugValidationResult = {
8
+ ok: true;
9
+ } | {
10
+ ok: false;
11
+ code: "INVALID_FORMAT";
12
+ message: string;
13
+ } | {
14
+ ok: false;
15
+ code: "RESERVED";
16
+ message: string;
17
+ };
18
+ /**
19
+ * Full admission check for a tenant slug: format + reserved-list.
20
+ *
21
+ * Negative test cases (must never pass):
22
+ * - Shell-escape attempts: "foo; rm -rf", "$(evil)", "`cmd`" → INVALID_FORMAT (non-[a-z0-9-])
23
+ * - URL-injection: "../admin", "//evil.com", "%2F" → INVALID_FORMAT
24
+ * - Leading/trailing hyphen: "-foo", "foo-" → INVALID_FORMAT
25
+ * - Double-hyphen: "foo--bar" → INVALID_FORMAT
26
+ * - Too short: "ab" (2 chars) → INVALID_FORMAT
27
+ * - Too long: 41+ chars → INVALID_FORMAT
28
+ * - Reserved word: "admin", "system" → RESERVED
29
+ */
30
+ export declare function validateTenantSlug(slug: string): SlugValidationResult;
31
+ //# sourceMappingURL=slug-validator.d.ts.map
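Review bot: The doc comment on `validateTenantSlug` lists only inputs that must be rejected and never states the accepted shape, which appears only in the runtime error message of the .js build (3–40 characters, lowercase alphanumerics and hyphens, alphanumeric at both ends, no consecutive hyphens). It also does not say whether the input is normalised before the check, so a reader cannot tell whether `"Foo"` or `" foo "` is rejected or folded to `foo`. I would add a line such as `* Accepts: 3–40 chars of [a-z0-9-], alphanumeric at both ends, no "--"; input is checked as given, not trimmed or lower-cased.` The second half of that line needs confirming against `validateSlug`, which is not part of this hunk.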
@@ -0,0 +1 @@
1
+ {"version":3,"file":"slug-validator.d.ts","sourceRoot":"","sources":["../../../src/lib/tenant/slug-validator.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,MAAM,MAAM,oBAAoB,GAC5B;IAAE,EAAE,EAAE,IAAI,CAAA;CAAE,GACZ;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,IAAI,EAAE,gBAAgB,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GACtD;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,IAAI,EAAE,UAAU,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AAErD;;;;;;;;;;;GAWG;AACH,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,MAAM,GAAG,oBAAoB,CAmBrE"}
@@ -0,0 +1,42 @@
1
+ "use strict";
2
+ /**
3
+ * Slug Validator
4
+ *
5
+ * Wraps the T1 slug regex and reserved-list into a typed result that
6
+ * route handlers can pattern-match on.
7
+ */
8
+ Object.defineProperty(exports, "__esModule", { value: true });
9
+ exports.validateTenantSlug = validateTenantSlug;
10
+ const reserved_slugs_1 = require("./reserved-slugs");
11
+ /**
12
+ * Full admission check for a tenant slug: format + reserved-list.
13
+ *
14
+ * Negative test cases (must never pass):
15
+ * - Shell-escape attempts: "foo; rm -rf", "$(evil)", "`cmd`" → INVALID_FORMAT (non-[a-z0-9-])
16
+ * - URL-injection: "../admin", "//evil.com", "%2F" → INVALID_FORMAT
17
+ * - Leading/trailing hyphen: "-foo", "foo-" → INVALID_FORMAT
18
+ * - Double-hyphen: "foo--bar" → INVALID_FORMAT
19
+ * - Too short: "ab" (2 chars) → INVALID_FORMAT
20
+ * - Too long: 41+ chars → INVALID_FORMAT
21
+ * - Reserved word: "admin", "system" → RESERVED
22
+ */
23
+ function validateTenantSlug(slug) {
24
+ const code = (0, reserved_slugs_1.validateSlug)(slug);
25
+ if (code === "INVALID_FORMAT") {
26
+ return {
27
+ ok: false,
28
+ code: "INVALID_FORMAT",
29
+ message: "Slug must be 3–40 lowercase alphanumeric characters or hyphens, " +
30
+ "start and end with an alphanumeric character, and contain no consecutive hyphens.",
31
+ };
32
+ }
33
+ if (code === "RESERVED") {
34
+ return {
35
+ ok: false,
36
+ code: "RESERVED",
37
+ message: "This slug is reserved and cannot be used.",
38
+ };
39
+ }
40
+ return { ok: true };
41
+ }
42
+ //# sourceMappingURL=slug-validator.js.map
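Review bot: `validateTenantSlug` fails open, because the final `return { ok: true };` is reached for every value of `code` other than the two strings tested. A failure code added later to `validateSlug`, or an unexpected return for a non-string argument, would therefore admit the slug. Since this is the admission check for tenant slugs, the success case should be the one tested explicitly, with rejection as the fall-through; `validateSlug` lives in `./reserved-slugs` and is not shown here, so its success value has to be confirmed first. A guard at the top, `if (typeof slug !== "string") return { ok: false, code: "INVALID_FORMAT", message: "Slug must be a string." };`, would also cover callers that pass a parsed JSON field straight through.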
@@ -0,0 +1 @@
1
+ {"version":3,"file":"slug-validator.js","sourceRoot":"","sources":["../../../src/lib/tenant/slug-validator.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;AAqBH,gDAmBC;AAtCD,qDAAgD;AAOhD;;;;;;;;;;;GAWG;AACH,SAAgB,kBAAkB,CAAC,IAAY;IAC7C,MAAM,IAAI,GAAG,IAAA,6BAAY,EAAC,IAAI,CAAC,CAAC;IAChC,IAAI,IAAI,KAAK,gBAAgB,EAAE,CAAC;QAC9B,OAAO;YACL,EAAE,EAAE,KAAK;YACT,IAAI,EAAE,gBAAgB;YACtB,OAAO,EACL,kEAAkE;gBAClE,mFAAmF;SACtF,CAAC;IACJ,CAAC;IACD,IAAI,IAAI,KAAK,UAAU,EAAE,CAAC;QACxB,OAAO;YACL,EAAE,EAAE,KAAK;YACT,IAAI,EAAE,UAAU;YAChB,OAAO,EAAE,2CAA2C;SACrD,CAAC;IACJ,CAAC;IACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;AACtB,CAAC"}
@@ -0,0 +1,49 @@
1
+ /**
2
+ * Tenant CRUD Handler
3
+ *
4
+ * Handlers for:
5
+ * - POST /api/tenants — create org tenant
6
+ * - GET /api/tenants/:id — read tenant
7
+ * - PATCH /api/tenants/:id — update displayName
8
+ * - GET /api/users/me/tenants — list caller's memberships
9
+ * - POST /api/auth/switch-tenant — change active tenant + invalidate cache
10
+ * - POST /api/tenants/:id/transfer-ownership — OWNER hand-off
11
+ */
12
+ import type { Env } from "../../env";
13
+ import type { AuthContext } from "../auth/auth-context";
14
+ export declare class TenantHandler {
15
+ /**
16
+ * POST /api/tenants
17
+ * Creates an ORGANIZATION tenant. Caller becomes OWNER.
18
+ * If caller is END_USER their global role is bumped to B2B_PARTNER.
19
+ */
20
+ handleCreate(request: Request, auth: AuthContext, env: Env): Promise<Response>;
21
+ /**
22
+ * GET /api/tenants/:id
23
+ * Returns the tenant. Caller must be an active member.
24
+ */
25
+ handleGet(tenantId: string, auth: AuthContext, env: Env): Promise<Response>;
26
+ /**
27
+ * PATCH /api/tenants/:id
28
+ * Updates displayName. Requires OWNER or ADMIN.
29
+ */
30
+ handleUpdate(tenantId: string, request: Request, auth: AuthContext, env: Env): Promise<Response>;
31
+ /**
32
+ * GET /api/users/me/tenants
33
+ * Lists all active tenant memberships for the caller.
34
+ */
35
+ handleListMyTenants(auth: AuthContext, env: Env): Promise<Response>;
36
+ /**
37
+ * POST /api/auth/switch-tenant
38
+ * Changes the user's active tenant. Invalidates DynamoDB claim cache so
39
+ * the next token refresh picks up the new activeTenantId.
40
+ */
41
+ handleSwitchTenant(request: Request, auth: AuthContext, env: Env): Promise<Response>;
42
+ /**
43
+ * POST /api/tenants/:id/transfer-ownership
44
+ * Current OWNER hands off ownership to another active member.
45
+ * Both users' cache entries are invalidated.
46
+ */
47
+ handleTransferOwnership(tenantId: string, request: Request, auth: AuthContext, env: Env): Promise<Response>;
48
+ }
49
+ //# sourceMappingURL=tenant-handler.d.ts.map
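Review bot: The comment on `handleSwitchTenant` documents the cache invalidation but not the authorization precondition, while `handleGet`, `handleUpdate` and `handleTransferOwnership` each state theirs. Switching the active tenant decides which tenant later requests are scoped to, so the contract should say it: `* Caller must be an active member of the target tenant; otherwise the switch is refused.` The implementation is not part of this declaration file, so the wording needs confirming against it. Similarly, the `handleCreate` comment records the END_USER → B2B_PARTNER role bump but not whether the claim cache is invalidated afterwards, which `handleSwitchTenant` and `handleTransferOwnership` do mention.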
@@ -0,0 +1 @@
1
+ {"version":3,"file":"tenant-handler.d.ts","sourceRoot":"","sources":["../../../src/lib/tenant/tenant-handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAGH,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,WAAW,CAAC;AACrC,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAWxD,qBAAa,aAAa;IACxB;;;;OAIG;IACG,YAAY,CAChB,OAAO,EAAE,OAAO,EAChB,IAAI,EAAE,WAAW,EACjB,GAAG,EAAE,GAAG,GACP,OAAO,CAAC,QAAQ,CAAC;IAgGpB;;;OAGG;IACG,SAAS,CACb,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,WAAW,EACjB,GAAG,EAAE,GAAG,GACP,OAAO,CAAC,QAAQ,CAAC;IAmCpB;;;OAGG;IACG,YAAY,CAChB,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,OAAO,EAChB,IAAI,EAAE,WAAW,EACjB,GAAG,EAAE,GAAG,GACP,OAAO,CAAC,QAAQ,CAAC;IAiEpB;;;OAGG;IACG,mBAAmB,CACvB,IAAI,EAAE,WAAW,EACjB,GAAG,EAAE,GAAG,GACP,OAAO,CAAC,QAAQ,CAAC;IAoCpB;;;;OAIG;IACG,kBAAkB,CACtB,OAAO,EAAE,OAAO,EAChB,IAAI,EAAE,WAAW,EACjB,GAAG,EAAE,GAAG,GACP,OAAO,CAAC,QAAQ,CAAC;IAuFpB;;;;OAIG;IACG,uBAAuB,CAC3B,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,OAAO,EAChB,IAAI,EAAE,WAAW,EACjB,GAAG,EAAE,GAAG,GACP,OAAO,CAAC,QAAQ,CAAC;CAyFrB"}