@de-otio/trellis 0.6.1 → 0.7.0

Files changed (339) hide show
  1. package/dist/env.d.ts +21 -0
  2. package/dist/env.d.ts.map +1 -1
  3. package/dist/env.js +12 -0
  4. package/dist/env.js.map +1 -1
  5. package/dist/lambda/nightly-cron.d.ts.map +1 -1
  6. package/dist/lambda/nightly-cron.js +5 -2
  7. package/dist/lambda/nightly-cron.js.map +1 -1
  8. package/dist/lambda/post-confirmation.d.ts +30 -0
  9. package/dist/lambda/post-confirmation.d.ts.map +1 -1
  10. package/dist/lambda/post-confirmation.js +333 -29
  11. package/dist/lambda/post-confirmation.js.map +1 -1
  12. package/dist/lambda/pre-token-generation.d.ts +20 -0
  13. package/dist/lambda/pre-token-generation.d.ts.map +1 -1
  14. package/dist/lambda/pre-token-generation.js +233 -48
  15. package/dist/lambda/pre-token-generation.js.map +1 -1
  16. package/dist/lib/activitypub/activity-processor.d.ts.map +1 -1
  17. package/dist/lib/activitypub/activity-processor.js +2 -1
  18. package/dist/lib/activitypub/activity-processor.js.map +1 -1
  19. package/dist/lib/activitypub/group-service.d.ts +2 -2
  20. package/dist/lib/activitypub/group-service.d.ts.map +1 -1
  21. package/dist/lib/activitypub/group-service.js +5 -2
  22. package/dist/lib/activitypub/group-service.js.map +1 -1
  23. package/dist/lib/age-tier-transition.d.ts.map +1 -1
  24. package/dist/lib/age-tier-transition.js +19 -10
  25. package/dist/lib/age-tier-transition.js.map +1 -1
  26. package/dist/lib/audit/csv-export.d.ts +25 -0
  27. package/dist/lib/audit/csv-export.d.ts.map +1 -0
  28. package/dist/lib/audit/csv-export.js +54 -0
  29. package/dist/lib/audit/csv-export.js.map +1 -0
  30. package/dist/lib/audit/emit.d.ts +56 -0
  31. package/dist/lib/audit/emit.d.ts.map +1 -0
  32. package/dist/lib/audit/emit.js +124 -0
  33. package/dist/lib/audit/emit.js.map +1 -0
  34. package/dist/lib/audit/event-types.d.ts +36 -0
  35. package/dist/lib/audit/event-types.d.ts.map +1 -0
  36. package/dist/lib/audit/event-types.js +69 -0
  37. package/dist/lib/audit/event-types.js.map +1 -0
  38. package/dist/lib/audit/pii-filter.d.ts +22 -0
  39. package/dist/lib/audit/pii-filter.d.ts.map +1 -0
  40. package/dist/lib/audit/pii-filter.js +51 -0
  41. package/dist/lib/audit/pii-filter.js.map +1 -0
  42. package/dist/lib/audit-logger.js +1 -1
  43. package/dist/lib/audit-logger.js.map +1 -1
  44. package/dist/lib/auth/auth-context.d.ts +34 -0
  45. package/dist/lib/auth/auth-context.d.ts.map +1 -0
  46. package/dist/lib/auth/auth-context.js +10 -0
  47. package/dist/lib/auth/auth-context.js.map +1 -0
  48. package/dist/lib/auth/auth-middleware.d.ts +50 -0
  49. package/dist/lib/auth/auth-middleware.d.ts.map +1 -0
  50. package/dist/lib/auth/auth-middleware.js +153 -0
  51. package/dist/lib/auth/auth-middleware.js.map +1 -0
  52. package/dist/lib/auth/capabilities.d.ts +40 -0
  53. package/dist/lib/auth/capabilities.d.ts.map +1 -0
  54. package/dist/lib/auth/capabilities.js +44 -0
  55. package/dist/lib/auth/capabilities.js.map +1 -0
  56. package/dist/lib/auth/claims-cache.d.ts +70 -0
  57. package/dist/lib/auth/claims-cache.d.ts.map +1 -0
  58. package/dist/lib/auth/claims-cache.js +139 -0
  59. package/dist/lib/auth/claims-cache.js.map +1 -0
  60. package/dist/lib/auth/cognito-jwt.d.ts +6 -0
  61. package/dist/lib/auth/cognito-jwt.d.ts.map +1 -1
  62. package/dist/lib/auth/cognito-jwt.js.map +1 -1
  63. package/dist/lib/auth/idp-redirect-builder.d.ts +43 -0
  64. package/dist/lib/auth/idp-redirect-builder.d.ts.map +1 -0
  65. package/dist/lib/auth/idp-redirect-builder.js +48 -0
  66. package/dist/lib/auth/idp-redirect-builder.js.map +1 -0
  67. package/dist/lib/auth/require.d.ts +51 -0
  68. package/dist/lib/auth/require.d.ts.map +1 -0
  69. package/dist/lib/auth/require.js +99 -0
  70. package/dist/lib/auth/require.js.map +1 -0
  71. package/dist/lib/auth/role-grants.d.ts +18 -0
  72. package/dist/lib/auth/role-grants.d.ts.map +1 -0
  73. package/dist/lib/auth/role-grants.js +62 -0
  74. package/dist/lib/auth/role-grants.js.map +1 -0
  75. package/dist/lib/cognito/idp-sdk.d.ts +80 -0
  76. package/dist/lib/cognito/idp-sdk.d.ts.map +1 -0
  77. package/dist/lib/cognito/idp-sdk.js +186 -0
  78. package/dist/lib/cognito/idp-sdk.js.map +1 -0
  79. package/dist/lib/cognito/issuer-probe.d.ts +47 -0
  80. package/dist/lib/cognito/issuer-probe.d.ts.map +1 -0
  81. package/dist/lib/cognito/issuer-probe.js +319 -0
  82. package/dist/lib/cognito/issuer-probe.js.map +1 -0
  83. package/dist/lib/comment-handler.d.ts +7 -7
  84. package/dist/lib/comment-handler.d.ts.map +1 -1
  85. package/dist/lib/comment-handler.js +23 -20
  86. package/dist/lib/comment-handler.js.map +1 -1
  87. package/dist/lib/compliance/baseline.d.ts +15 -0
  88. package/dist/lib/compliance/baseline.d.ts.map +1 -0
  89. package/dist/lib/compliance/baseline.js +205 -0
  90. package/dist/lib/compliance/baseline.js.map +1 -0
  91. package/dist/lib/compliance/tenant-merge.d.ts +35 -0
  92. package/dist/lib/compliance/tenant-merge.d.ts.map +1 -0
  93. package/dist/lib/compliance/tenant-merge.js +80 -0
  94. package/dist/lib/compliance/tenant-merge.js.map +1 -0
  95. package/dist/lib/compliance/types.d.ts +135 -0
  96. package/dist/lib/compliance/types.d.ts.map +1 -0
  97. package/dist/lib/compliance/types.js +9 -0
  98. package/dist/lib/compliance/types.js.map +1 -0
  99. package/dist/lib/connection-code-handler.d.ts +4 -4
  100. package/dist/lib/connection-code-handler.d.ts.map +1 -1
  101. package/dist/lib/connection-code-handler.js +21 -11
  102. package/dist/lib/connection-code-handler.js.map +1 -1
  103. package/dist/lib/feed-handler.d.ts +2 -2
  104. package/dist/lib/feed-handler.d.ts.map +1 -1
  105. package/dist/lib/feed-handler.js +5 -9
  106. package/dist/lib/feed-handler.js.map +1 -1
  107. package/dist/lib/middleware/idempotency-store.d.ts +86 -0
  108. package/dist/lib/middleware/idempotency-store.d.ts.map +1 -0
  109. package/dist/lib/middleware/idempotency-store.js +109 -0
  110. package/dist/lib/middleware/idempotency-store.js.map +1 -0
  111. package/dist/lib/middleware/idempotency.d.ts +37 -0
  112. package/dist/lib/middleware/idempotency.d.ts.map +1 -0
  113. package/dist/lib/middleware/idempotency.js +358 -0
  114. package/dist/lib/middleware/idempotency.js.map +1 -0
  115. package/dist/lib/net/trusted-client-ip.d.ts +39 -0
  116. package/dist/lib/net/trusted-client-ip.d.ts.map +1 -0
  117. package/dist/lib/net/trusted-client-ip.js +100 -0
  118. package/dist/lib/net/trusted-client-ip.js.map +1 -0
  119. package/dist/lib/notification-handler.d.ts +5 -5
  120. package/dist/lib/notification-handler.d.ts.map +1 -1
  121. package/dist/lib/notification-handler.js +11 -9
  122. package/dist/lib/notification-handler.js.map +1 -1
  123. package/dist/lib/oauth/cognito-issuer.d.ts +34 -0
  124. package/dist/lib/oauth/cognito-issuer.d.ts.map +1 -0
  125. package/dist/lib/oauth/cognito-issuer.js +53 -0
  126. package/dist/lib/oauth/cognito-issuer.js.map +1 -0
  127. package/dist/lib/oauth/device-authorization.d.ts +145 -0
  128. package/dist/lib/oauth/device-authorization.d.ts.map +1 -0
  129. package/dist/lib/oauth/device-authorization.js +312 -0
  130. package/dist/lib/oauth/device-authorization.js.map +1 -0
  131. package/dist/lib/oauth/envelope-crypto.d.ts +101 -0
  132. package/dist/lib/oauth/envelope-crypto.d.ts.map +1 -0
  133. package/dist/lib/oauth/envelope-crypto.js +223 -0
  134. package/dist/lib/oauth/envelope-crypto.js.map +1 -0
  135. package/dist/lib/oauth/refresh-detection.d.ts +126 -0
  136. package/dist/lib/oauth/refresh-detection.d.ts.map +1 -0
  137. package/dist/lib/oauth/refresh-detection.js +248 -0
  138. package/dist/lib/oauth/refresh-detection.js.map +1 -0
  139. package/dist/lib/openapi/generator.d.ts +78 -0
  140. package/dist/lib/openapi/generator.d.ts.map +1 -0
  141. package/dist/lib/openapi/generator.js +201 -0
  142. package/dist/lib/openapi/generator.js.map +1 -0
  143. package/dist/lib/post-handler.d.ts +1 -1
  144. package/dist/lib/post-handler.d.ts.map +1 -1
  145. package/dist/lib/post-handler.js +4 -15
  146. package/dist/lib/post-handler.js.map +1 -1
  147. package/dist/lib/rate-limit.d.ts.map +1 -1
  148. package/dist/lib/rate-limit.js +11 -3
  149. package/dist/lib/rate-limit.js.map +1 -1
  150. package/dist/lib/routes/agent-authorize.d.ts +32 -0
  151. package/dist/lib/routes/agent-authorize.d.ts.map +1 -0
  152. package/dist/lib/routes/agent-authorize.js +479 -0
  153. package/dist/lib/routes/agent-authorize.js.map +1 -0
  154. package/dist/lib/routes/agent-sessions.d.ts +20 -0
  155. package/dist/lib/routes/agent-sessions.d.ts.map +1 -0
  156. package/dist/lib/routes/agent-sessions.js +124 -0
  157. package/dist/lib/routes/agent-sessions.js.map +1 -0
  158. package/dist/lib/routes/agent-surface.d.ts +37 -0
  159. package/dist/lib/routes/agent-surface.d.ts.map +1 -0
  160. package/dist/lib/routes/agent-surface.js +208 -0
  161. package/dist/lib/routes/agent-surface.js.map +1 -0
  162. package/dist/lib/routes/auth-discover.d.ts +18 -0
  163. package/dist/lib/routes/auth-discover.d.ts.map +1 -0
  164. package/dist/lib/routes/auth-discover.js +177 -0
  165. package/dist/lib/routes/auth-discover.js.map +1 -0
  166. package/dist/lib/routes/comments.d.ts.map +1 -1
  167. package/dist/lib/routes/comments.js +36 -7
  168. package/dist/lib/routes/comments.js.map +1 -1
  169. package/dist/lib/routes/connection-codes.d.ts.map +1 -1
  170. package/dist/lib/routes/connection-codes.js +21 -4
  171. package/dist/lib/routes/connection-codes.js.map +1 -1
  172. package/dist/lib/routes/content-discovery.d.ts.map +1 -1
  173. package/dist/lib/routes/content-discovery.js +18 -13
  174. package/dist/lib/routes/content-discovery.js.map +1 -1
  175. package/dist/lib/routes/dashboard.js +1 -1
  176. package/dist/lib/routes/dashboard.js.map +1 -1
  177. package/dist/lib/routes/employees.d.ts.map +1 -1
  178. package/dist/lib/routes/employees.js +57 -15
  179. package/dist/lib/routes/employees.js.map +1 -1
  180. package/dist/lib/routes/entities.d.ts.map +1 -1
  181. package/dist/lib/routes/entities.js +35 -19
  182. package/dist/lib/routes/entities.js.map +1 -1
  183. package/dist/lib/routes/errors.d.ts +34 -0
  184. package/dist/lib/routes/errors.d.ts.map +1 -0
  185. package/dist/lib/routes/errors.js +57 -0
  186. package/dist/lib/routes/errors.js.map +1 -0
  187. package/dist/lib/routes/feeds.d.ts.map +1 -1
  188. package/dist/lib/routes/feeds.js +12 -2
  189. package/dist/lib/routes/feeds.js.map +1 -1
  190. package/dist/lib/routes/index.d.ts.map +1 -1
  191. package/dist/lib/routes/index.js +50 -0
  192. package/dist/lib/routes/index.js.map +1 -1
  193. package/dist/lib/routes/mfa.d.ts.map +1 -1
  194. package/dist/lib/routes/mfa.js +1 -0
  195. package/dist/lib/routes/mfa.js.map +1 -1
  196. package/dist/lib/routes/notifications.d.ts.map +1 -1
  197. package/dist/lib/routes/notifications.js +21 -4
  198. package/dist/lib/routes/notifications.js.map +1 -1
  199. package/dist/lib/routes/oauth.d.ts +15 -0
  200. package/dist/lib/routes/oauth.d.ts.map +1 -0
  201. package/dist/lib/routes/oauth.js +139 -0
  202. package/dist/lib/routes/oauth.js.map +1 -0
  203. package/dist/lib/routes/posts.d.ts.map +1 -1
  204. package/dist/lib/routes/posts.js +30 -19
  205. package/dist/lib/routes/posts.js.map +1 -1
  206. package/dist/lib/routes/products.d.ts.map +1 -1
  207. package/dist/lib/routes/products.js +19 -22
  208. package/dist/lib/routes/products.js.map +1 -1
  209. package/dist/lib/routes/setup-status.d.ts +34 -0
  210. package/dist/lib/routes/setup-status.d.ts.map +1 -0
  211. package/dist/lib/routes/setup-status.js +87 -0
  212. package/dist/lib/routes/setup-status.js.map +1 -0
  213. package/dist/lib/routes/taxonomy-analytics.d.ts.map +1 -1
  214. package/dist/lib/routes/taxonomy-analytics.js +15 -14
  215. package/dist/lib/routes/taxonomy-analytics.js.map +1 -1
  216. package/dist/lib/routes/taxonomy.d.ts.map +1 -1
  217. package/dist/lib/routes/taxonomy.js +19 -16
  218. package/dist/lib/routes/taxonomy.js.map +1 -1
  219. package/dist/lib/routes/tenant-audit.d.ts +19 -0
  220. package/dist/lib/routes/tenant-audit.d.ts.map +1 -0
  221. package/dist/lib/routes/tenant-audit.js +244 -0
  222. package/dist/lib/routes/tenant-audit.js.map +1 -0
  223. package/dist/lib/routes/tenant-compliance.d.ts +21 -0
  224. package/dist/lib/routes/tenant-compliance.d.ts.map +1 -0
  225. package/dist/lib/routes/tenant-compliance.js +122 -0
  226. package/dist/lib/routes/tenant-compliance.js.map +1 -0
  227. package/dist/lib/routes/tenant-domains.d.ts +11 -0
  228. package/dist/lib/routes/tenant-domains.d.ts.map +1 -0
  229. package/dist/lib/routes/tenant-domains.js +95 -0
  230. package/dist/lib/routes/tenant-domains.js.map +1 -0
  231. package/dist/lib/routes/tenant-idp.d.ts +3 -0
  232. package/dist/lib/routes/tenant-idp.d.ts.map +1 -0
  233. package/dist/lib/routes/tenant-idp.js +89 -0
  234. package/dist/lib/routes/tenant-idp.js.map +1 -0
  235. package/dist/lib/routes/tenant-members.d.ts +13 -0
  236. package/dist/lib/routes/tenant-members.d.ts.map +1 -0
  237. package/dist/lib/routes/tenant-members.js +75 -0
  238. package/dist/lib/routes/tenant-members.js.map +1 -0
  239. package/dist/lib/routes/tenant-role-mappings.d.ts +11 -0
  240. package/dist/lib/routes/tenant-role-mappings.d.ts.map +1 -0
  241. package/dist/lib/routes/tenant-role-mappings.js +90 -0
  242. package/dist/lib/routes/tenant-role-mappings.js.map +1 -0
  243. package/dist/lib/routes/tenants.d.ts +13 -0
  244. package/dist/lib/routes/tenants.d.ts.map +1 -0
  245. package/dist/lib/routes/tenants.js +121 -0
  246. package/dist/lib/routes/tenants.js.map +1 -0
  247. package/dist/lib/routes/types.d.ts +9 -0
  248. package/dist/lib/routes/types.d.ts.map +1 -1
  249. package/dist/lib/schemas.d.ts +2 -2
  250. package/dist/lib/secrets/idp-secrets.d.ts +51 -0
  251. package/dist/lib/secrets/idp-secrets.d.ts.map +1 -0
  252. package/dist/lib/secrets/idp-secrets.js +111 -0
  253. package/dist/lib/secrets/idp-secrets.js.map +1 -0
  254. package/dist/lib/security-monitor.d.ts.map +1 -1
  255. package/dist/lib/security-monitor.js +6 -1
  256. package/dist/lib/security-monitor.js.map +1 -1
  257. package/dist/lib/session-manager.d.ts +1 -0
  258. package/dist/lib/session-manager.d.ts.map +1 -1
  259. package/dist/lib/session-manager.js.map +1 -1
  260. package/dist/lib/taxonomy-handler-factory.d.ts +4 -2
  261. package/dist/lib/taxonomy-handler-factory.d.ts.map +1 -1
  262. package/dist/lib/taxonomy-handler-factory.js +8 -7
  263. package/dist/lib/taxonomy-handler-factory.js.map +1 -1
  264. package/dist/lib/tenant/audit-emit.d.ts +18 -0
  265. package/dist/lib/tenant/audit-emit.d.ts.map +1 -0
  266. package/dist/lib/tenant/audit-emit.js +16 -0
  267. package/dist/lib/tenant/audit-emit.js.map +1 -0
  268. package/dist/lib/tenant/derive-domain.d.ts +19 -0
  269. package/dist/lib/tenant/derive-domain.d.ts.map +1 -0
  270. package/dist/lib/tenant/derive-domain.js +38 -0
  271. package/dist/lib/tenant/derive-domain.js.map +1 -0
  272. package/dist/lib/tenant/domain-handler.d.ts +42 -0
  273. package/dist/lib/tenant/domain-handler.d.ts.map +1 -0
  274. package/dist/lib/tenant/domain-handler.js +344 -0
  275. package/dist/lib/tenant/domain-handler.js.map +1 -0
  276. package/dist/lib/tenant/domain-validator.d.ts +28 -0
  277. package/dist/lib/tenant/domain-validator.d.ts.map +1 -0
  278. package/dist/lib/tenant/domain-validator.js +145 -0
  279. package/dist/lib/tenant/domain-validator.js.map +1 -0
  280. package/dist/lib/tenant/domain-verifier.d.ts +30 -0
  281. package/dist/lib/tenant/domain-verifier.d.ts.map +1 -0
  282. package/dist/lib/tenant/domain-verifier.js +53 -0
  283. package/dist/lib/tenant/domain-verifier.js.map +1 -0
  284. package/dist/lib/tenant/idp-handler.d.ts +29 -0
  285. package/dist/lib/tenant/idp-handler.d.ts.map +1 -0
  286. package/dist/lib/tenant/idp-handler.js +693 -0
  287. package/dist/lib/tenant/idp-handler.js.map +1 -0
  288. package/dist/lib/tenant/idp-name.d.ts +2 -0
  289. package/dist/lib/tenant/idp-name.d.ts.map +1 -0
  290. package/dist/lib/tenant/idp-name.js +20 -0
  291. package/dist/lib/tenant/idp-name.js.map +1 -0
  292. package/dist/lib/tenant/member-handler.d.ts +31 -0
  293. package/dist/lib/tenant/member-handler.d.ts.map +1 -0
  294. package/dist/lib/tenant/member-handler.js +343 -0
  295. package/dist/lib/tenant/member-handler.js.map +1 -0
  296. package/dist/lib/tenant/reserved-slugs.d.ts +37 -0
  297. package/dist/lib/tenant/reserved-slugs.d.ts.map +1 -0
  298. package/dist/lib/tenant/reserved-slugs.js +116 -0
  299. package/dist/lib/tenant/reserved-slugs.js.map +1 -0
  300. package/dist/lib/tenant/resolve-role.d.ts +39 -0
  301. package/dist/lib/tenant/resolve-role.d.ts.map +1 -0
  302. package/dist/lib/tenant/resolve-role.js +60 -0
  303. package/dist/lib/tenant/resolve-role.js.map +1 -0
  304. package/dist/lib/tenant/role-mapping-handler.d.ts +26 -0
  305. package/dist/lib/tenant/role-mapping-handler.d.ts.map +1 -0
  306. package/dist/lib/tenant/role-mapping-handler.js +260 -0
  307. package/dist/lib/tenant/role-mapping-handler.js.map +1 -0
  308. package/dist/lib/tenant/setup-status.d.ts +83 -0
  309. package/dist/lib/tenant/setup-status.d.ts.map +1 -0
  310. package/dist/lib/tenant/setup-status.js +201 -0
  311. package/dist/lib/tenant/setup-status.js.map +1 -0
  312. package/dist/lib/tenant/slug-validator.d.ts +31 -0
  313. package/dist/lib/tenant/slug-validator.d.ts.map +1 -0
  314. package/dist/lib/tenant/slug-validator.js +42 -0
  315. package/dist/lib/tenant/slug-validator.js.map +1 -0
  316. package/dist/lib/tenant/tenant-handler.d.ts +49 -0
  317. package/dist/lib/tenant/tenant-handler.d.ts.map +1 -0
  318. package/dist/lib/tenant/tenant-handler.js +377 -0
  319. package/dist/lib/tenant/tenant-handler.js.map +1 -0
  320. package/dist/lib/tenant/transfer-ownership.d.ts +39 -0
  321. package/dist/lib/tenant/transfer-ownership.d.ts.map +1 -0
  322. package/dist/lib/tenant/transfer-ownership.js +66 -0
  323. package/dist/lib/tenant/transfer-ownership.js.map +1 -0
  324. package/dist/lib/user/derive-handle.d.ts +29 -0
  325. package/dist/lib/user/derive-handle.d.ts.map +1 -0
  326. package/dist/lib/user/derive-handle.js +65 -0
  327. package/dist/lib/user/derive-handle.js.map +1 -0
  328. package/dist/lib/user-deprovisioning.d.ts +11 -1
  329. package/dist/lib/user-deprovisioning.d.ts.map +1 -1
  330. package/dist/lib/user-deprovisioning.js +46 -2
  331. package/dist/lib/user-deprovisioning.js.map +1 -1
  332. package/dist/lib/validation/feature-toggle-schemas.d.ts +10 -10
  333. package/package.json +5 -3
  334. package/prisma/migrations/20260502094501_add_tenancy_model/migration.sql +334 -0
  335. package/prisma/migrations/20260503000000_add_tenant_region/migration.sql +4 -0
  336. package/prisma/schema.prisma +324 -74
  337. package/src/lambda/nightly-cron.ts +4 -1
  338. package/src/lambda/post-confirmation.ts +405 -29
  339. package/src/lambda/pre-token-generation.ts +300 -59
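--- a/package/dist/lib/cognito/issuer-probe.js
+++ b/package/dist/lib/cognito/issuer-probe.js
@@ -0,0 +1,319 @@
+ "use strict";
+ Object.defineProperty(exports, "__esModule", { value: true });
+ exports.isPrivateIPv4 = isPrivateIPv4;
+ exports.isPrivateIPv6 = isPrivateIPv6;
+ exports.probeOidcIssuer = probeOidcIssuer;
+ /**
+ * OIDC issuer probe.
+ *
+ * Before registering an OIDC IdP with Cognito, GET the issuer's well-known
+ * configuration to confirm the URL points at a working OIDC provider.
+ *
+ * Security constraints (T5 — issuer probe is the trellis HTTP egress surface
+ * most exposed to admin-supplied URLs):
+ * - HTTPS only.
+ * - Hostname must resolve to a non-private, non-loopback, non-link-local IP
+ * (RFC 6890). Both IPv4 and IPv6 are checked.
+ * - HTTP redirects are rejected (`redirect: "manual"`); we never follow.
+ * - Response body is capped at 1 MiB.
+ * - Timeout 5 s.
+ * - Body must be JSON with the required OIDC discovery fields.
+ */
+ const node_dns_1 = require("node:dns");
+ const node_net_1 = require("node:net");
+ const undici_1 = require("undici");
+ const PROBE_TIMEOUT_MS = 5000;
+ const MAX_BODY_BYTES = 1024 * 1024;
+ const MAX_ISSUER_URL_LENGTH = 2048;
+ const WELL_KNOWN_PATH = "/.well-known/openid-configuration";
+ function fail(reason, message) {
+ return { ok: false, reason, message };
+ }
+ function defaultResolve(hostname) {
+ return node_dns_1.promises.lookup(hostname, { all: true, verbatim: true })
+ .then((addrs) => addrs.map((a) => a.address));
+ }
+ /**
+ * Returns true if the IPv4 address is in any RFC 6890 special-purpose range
+ * we want to refuse: loopback, private, link-local, broadcast, etc.
+ */
+ function isPrivateIPv4(ip) {
+ const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
+ if (!m)
+ return false;
+ const o = m.slice(1, 5).map((s) => Number(s));
+ if (o.some((x) => x < 0 || x > 255))
+ return true;
+ const [a, b] = [o[0], o[1]];
+ if (a === 0)
+ return true;
+ if (a === 10)
+ return true;
+ if (a === 127)
+ return true;
+ if (a === 169 && b === 254)
+ return true;
+ if (a === 172 && b >= 16 && b <= 31)
+ return true;
+ if (a === 192 && b === 0)
+ return true;
+ if (a === 192 && b === 168)
+ return true;
+ if (a === 198 && (b === 18 || b === 19))
+ return true;
+ if (a === 100 && b >= 64 && b <= 127)
+ return true;
+ if (a >= 224)
+ return true;
+ return false;
+ }
+ /**
+ * Returns true if the IPv6 address is in a private/loopback/link-local/etc.
+ * range. Performs a normalized prefix comparison; we expand `::` and ignore
+ * zone identifiers.
+ */
+ function isPrivateIPv6(ip) {
+ if (!ip.includes(":"))
+ return false;
+ const stripped = ip.split("%")[0].toLowerCase();
+ if (stripped === "::1" || stripped === "::")
+ return true;
+ const segs = expandIPv6(stripped);
+ if (!segs)
+ return true;
+ if (segs[0] === 0 && segs.slice(0, 7).every((s) => s === 0) && segs[7] === 1)
+ return true;
+ if ((segs[0] & 0xfe00) === 0xfc00)
+ return true;
+ if ((segs[0] & 0xffc0) === 0xfe80)
+ return true;
+ if ((segs[0] & 0xff00) === 0xff00)
+ return true;
+ // 2001:db8::/32 — RFC 3849 documentation prefix; not routable, must not
+ // be reachable from the issuer probe.
+ if (segs[0] === 0x2001 && segs[1] === 0x0db8)
+ return true;
+ if (segs[0] === 0 &&
+ segs[1] === 0 &&
+ segs[2] === 0 &&
+ segs[3] === 0 &&
+ segs[4] === 0 &&
+ segs[5] === 0xffff) {
+ const v4 = `${(segs[6] >> 8) & 0xff}.${segs[6] & 0xff}.${(segs[7] >> 8) & 0xff}.${segs[7] & 0xff}`;
+ return isPrivateIPv4(v4);
+ }
+ return false;
+ }
+ function expandIPv6(ip) {
+ let work = ip;
+ let v4Tail = null;
+ const v4Match = /([0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3})$/.exec(work);
+ if (v4Match) {
+ const o = v4Match[1].split(".").map((s) => Number(s));
+ if (o.some((x) => Number.isNaN(x) || x < 0 || x > 255))
+ return null;
+ v4Tail = [(o[0] << 8) | o[1], (o[2] << 8) | o[3]];
+ work = work.slice(0, work.length - v4Match[1].length).replace(/:$/, "");
+ }
+ const parts = work.split("::");
+ if (parts.length > 2)
+ return null;
+ const head = parts[0] ? parts[0].split(":") : [];
+ const tail = parts.length === 2 && parts[1] ? parts[1].split(":") : [];
+ const totalAfterHeadTail = head.length + tail.length + (v4Tail ? 2 : 0);
+ const missing = 8 - totalAfterHeadTail;
+ if (parts.length === 2) {
+ if (missing < 0)
+ return null;
+ }
+ else if (missing !== 0) {
+ return null;
+ }
+ const fill = parts.length === 2 ? new Array(missing).fill("0") : [];
+ const filled = [...head, ...fill, ...tail];
+ const out = [];
+ for (const s of filled) {
+ if (!/^[0-9a-f]{0,4}$/.test(s))
+ return null;
+ out.push(parseInt(s || "0", 16));
+ }
+ if (v4Tail)
+ out.push(v4Tail[0], v4Tail[1]);
+ if (out.length !== 8)
+ return null;
+ return out;
+ }
+ /**
+ * Probe an OIDC issuer's well-known configuration. Returns a discriminated
+ * result; callers map failures onto 422 with a remediation message.
+ */
+ async function probeOidcIssuer(issuerUrl, options = {}) {
+ const timeoutMs = options.timeoutMs ?? PROBE_TIMEOUT_MS;
+ if (issuerUrl.length > MAX_ISSUER_URL_LENGTH) {
+ return fail("INVALID_URL", "issuerUrl exceeds maximum length");
+ }
+ let url;
+ try {
+ url = new URL(issuerUrl);
+ }
+ catch {
+ return fail("INVALID_URL", "issuerUrl must be a valid absolute URL");
+ }
+ if (url.protocol !== "https:") {
+ return fail("INSECURE_SCHEME", "issuerUrl must use https://");
+ }
+ if (url.username || url.password) {
+ return fail("INVALID_URL", "issuerUrl must not include credentials");
+ }
+ const hostname = url.hostname.replace(/^\[|\]$/g, "");
+ const resolve = options.resolveHostname ?? defaultResolve;
+ let addresses;
+ try {
+ addresses = await resolve(hostname);
+ }
+ catch {
+ return fail("DNS_ERROR", "Could not resolve issuerUrl hostname");
+ }
+ if (addresses.length === 0) {
+ return fail("DNS_ERROR", "Could not resolve issuerUrl hostname");
+ }
+ for (const addr of addresses) {
+ if (addr.includes(":")) {
+ if (isPrivateIPv6(addr)) {
+ return fail("PRIVATE_HOST", "issuerUrl resolves to a private or loopback IP");
+ }
+ }
+ else {
+ if (isPrivateIPv4(addr)) {
+ return fail("PRIVATE_HOST", "issuerUrl resolves to a private or loopback IP");
+ }
+ }
+ }
+ // Pin the connect step to the IP we just validated. Without this, Node's
+ // fetch performs its own DNS lookup at request time, which lets a TTL=0
+ // attacker swap the public IP for a private one between validate and
+ // connect (DNS-rebinding TOCTOU).
+ const validatedIp = addresses[0];
+ const validatedFamily = (0, node_net_1.isIP)(validatedIp);
+ const baseHref = url.toString().endsWith("/") ? url.toString() : url.toString() + "/";
+ const probeUrl = baseHref + ".well-known/openid-configuration";
+ const fetchImpl = options.fetchImpl ?? fetch;
+ const controller = new AbortController();
+ const timer = setTimeout(() => controller.abort(), timeoutMs);
+ const factory = options.dispatcherFactory ?? defaultPinnedDispatcher;
+ let pinnedDispatcher;
+ if (validatedFamily === 4 || validatedFamily === 6) {
+ pinnedDispatcher = factory(validatedIp, validatedFamily);
+ }
+ try {
+ return await runProbe(probeUrl, fetchImpl, controller, timer, pinnedDispatcher);
+ }
+ finally {
+ if (pinnedDispatcher && typeof pinnedDispatcher.close === "function") {
+ await pinnedDispatcher
+ .close()
+ .catch(() => undefined);
+ }
+ }
+ }
+ function defaultPinnedDispatcher(validatedIp, family) {
+ return new undici_1.Agent({
+ connect: {
+ lookup: (_hostname, _opts, cb) => cb(null, validatedIp, family),
+ },
+ });
+ }
+ async function runProbe(probeUrl, fetchImpl, controller, timer, pinnedDispatcher) {
+ let response;
+ try {
+ const init = {
+ method: "GET",
+ redirect: "manual",
+ headers: { accept: "application/json" },
+ signal: controller.signal,
+ };
+ if (pinnedDispatcher) {
+ init.dispatcher = pinnedDispatcher;
+ }
+ response = await fetchImpl(probeUrl, init);
+ }
+ catch (err) {
+ clearTimeout(timer);
+ if (err.name === "AbortError") {
+ return fail("TIMEOUT", "Probe timed out");
+ }
+ return fail("NETWORK_ERROR", "Could not reach issuerUrl");
+ }
+ clearTimeout(timer);
+ if (response.status >= 300 && response.status < 400) {
+ return fail("REDIRECT_BLOCKED", "issuerUrl responded with a redirect; redirects are not followed");
+ }
+ if (!response.ok) {
+ return fail("HTTP_ERROR", `Issuer returned HTTP ${response.status}`);
+ }
+ const reader = response.body?.getReader();
+ if (!reader) {
+ return fail("NETWORK_ERROR", "Empty response body");
+ }
+ const chunks = [];
+ let total = 0;
+ try {
+ for (;;) {
+ const { value, done } = await reader.read();
+ if (done)
+ break;
+ if (value) {
+ total += value.length;
+ if (total > MAX_BODY_BYTES) {
+ await reader.cancel().catch(() => { });
+ return fail("BODY_TOO_LARGE", "Issuer response exceeded 1 MiB");
+ }
+ chunks.push(value);
+ }
+ }
+ }
+ catch {
+ return fail("NETWORK_ERROR", "Failed reading issuer response");
+ }
+ const body = new TextDecoder("utf-8").decode(concat(chunks));
+ let json;
+ try {
+ json = JSON.parse(body);
+ }
+ catch {
+ return fail("INVALID_JSON", "Issuer response was not valid JSON");
+ }
+ if (typeof json !== "object" || json === null || Array.isArray(json)) {
+ return fail("INVALID_JSON", "Issuer response was not a JSON object");
+ }
+ const conf = json;
+ const issuer = typeof conf.issuer === "string" ? conf.issuer : "";
+ const authorizationEndpoint = typeof conf.authorization_endpoint === "string" ? conf.authorization_endpoint : "";
+ const tokenEndpoint = typeof conf.token_endpoint === "string" ? conf.token_endpoint : "";
+ const jwksUri = typeof conf.jwks_uri === "string" ? conf.jwks_uri : "";
+ const userinfoEndpoint = typeof conf.userinfo_endpoint === "string" ? conf.userinfo_endpoint : undefined;
+ if (!issuer || !authorizationEndpoint || !tokenEndpoint || !jwksUri) {
+ return fail("MISSING_ENDPOINTS", "Issuer well-known is missing one of: issuer, authorization_endpoint, token_endpoint, jwks_uri");
+ }
+ return {
+ ok: true,
+ issuer,
+ authorizationEndpoint,
+ tokenEndpoint,
+ jwksUri,
+ ...(userinfoEndpoint ? { userinfoEndpoint } : {}),
+ };
+ }
+ function concat(chunks) {
+ let total = 0;
+ for (const c of chunks)
+ total += c.length;
+ const out = new Uint8Array(total);
+ let off = 0;
+ for (const c of chunks) {
+ out.set(c, off);
+ off += c.length;
+ }
+ return out;
+ }
+ //# sourceMappingURL=issuer-probe.js.map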
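Review bot: The pinning step in `probeOidcIssuer` fails open: if `isIP(validatedIp)` returns 0 (possible when an injected `options.resolveHostname` returns something that is not an IP literal, which `isPrivateIPv4` also passes because a regex miss returns `false`), `pinnedDispatcher` stays undefined and `runProbe` fetches with an ordinary lookup, reopening the rebinding window the comment above the pin describes. Rejecting instead of falling through closes it, e.g. `if (validatedFamily === 0) return fail("DNS_ERROR", "Could not resolve issuerUrl hostname");` before the dispatcher is built. Separately, `runProbe` calls `clearTimeout(timer)` as soon as the response headers arrive, so the body read loop is not covered by the 5 s limit the header comment promises; clearing the timer in a `finally` after the read loop would bound a slow-drip response. `isPrivateIPv6` unwraps only the `::ffff:0:0/96` mapped form, so whether other IPv4-embedding prefixes (for example NAT64 `64:ff9b::/96`) need the same `isPrivateIPv4` check depends on the deployment's egress path and is worth confirming.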
@@ -0,0 +1 @@
1
+ {"version":3,"file":"issuer-probe.js","sourceRoot":"","sources":["../../../src/lib/cognito/issuer-probe.ts"],"names":[],"mappings":";;AAoFA,sCAiBC;AAOD,sCAkCC;AAuCD,0CA8EC;AAnQD;;;;;;;;;;;;;;;GAeG;AACH,uCAA2C;AAC3C,uCAAgC;AAChC,mCAA+B;AAE/B,MAAM,gBAAgB,GAAG,IAAI,CAAC;AAC9B,MAAM,cAAc,GAAG,IAAI,GAAG,IAAI,CAAC;AACnC,MAAM,qBAAqB,GAAG,IAAI,CAAC;AACnC,MAAM,eAAe,GAAG,mCAAmC,CAAC;AAgD5D,SAAS,IAAI,CAAC,MAAgC,EAAE,OAAe;IAC7D,OAAO,EAAE,EAAE,EAAE,KAAK,EAAE,MAAM,EAAE,OAAO,EAAE,CAAC;AACxC,CAAC;AAED,SAAS,cAAc,CAAC,QAAgB;IACtC,OAAO,mBAAG,CAAC,MAAM,CAAC,QAAQ,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;SACvD,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC;AAClD,CAAC;AAED;;;GAGG;AACH,SAAgB,aAAa,CAAC,EAAU;IACtC,MAAM,CAAC,GAAG,8CAA8C,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC;IAClE,IAAI,CAAC,CAAC;QAAE,OAAO,KAAK,CAAC;IACrB,MAAM,CAAC,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;IAC9C,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IACjD,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAE,EAAE,CAAC,CAAC,CAAC,CAAE,CAAC,CAAC;IAC9B,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACzB,IAAI,CAAC,KAAK,EAAE;QAAE,OAAO,IAAI,CAAC;IAC1B,IAAI,CAAC,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IAC3B,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IACxC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,EAAE;QAAE,OAAO,IAAI,CAAC;IACjD,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACtC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,KAAK,GAAG;QAAE,OAAO,IAAI,CAAC;IACxC,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,CAAC,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,CAAC;QAAE,OAAO,IAAI,CAAC;IACrD,IAAI,CAAC,KAAK,GAAG,IAAI,CAAC,IAAI,EAAE,IAAI,CAAC,IAAI,GAAG;QAAE,OAAO,IAAI,CAAC;IAClD,IAAI,CAAC,IAAI,GAAG;QAAE,OAAO,IAAI,CAAC;IAC1B,OAAO,KAAK,CAAC;AACf,CAAC;AAED;;;;GAIG;AACH,SAAgB,aAAa,CAAC,EAAU;IACtC,IAAI,CAAC,EAAE,CAAC,QAAQ,CAAC,GAAG,CAAC;QAAE,OAAO,KAAK,CA
AC;IACpC,MAAM,QAAQ,GAAG,EAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAE,CAAC,WAAW,EAAE,CAAC;IAEjD,IAAI,QAAQ,KAAK,KAAK,IAAI,QAAQ,KAAK,IAAI;QAAE,OAAO,IAAI,CAAC;IAEzD,MAAM,IAAI,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAC;IAClC,IAAI,CAAC,IAAI;QAAE,OAAO,IAAI,CAAC;IAEvB,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAE1F,IAAI,CAAC,IAAI,CAAC,CAAC,CAAE,GAAG,MAAM,CAAC,KAAK,MAAM;QAAE,OAAO,IAAI,CAAC;IAEhD,IAAI,CAAC,IAAI,CAAC,CAAC,CAAE,GAAG,MAAM,CAAC,KAAK,MAAM;QAAE,OAAO,IAAI,CAAC;IAEhD,IAAI,CAAC,IAAI,CAAC,CAAC,CAAE,GAAG,MAAM,CAAC,KAAK,MAAM;QAAE,OAAO,IAAI,CAAC;IAEhD,wEAAwE;IACxE,sCAAsC;IACtC,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,MAAM,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,MAAM;QAAE,OAAO,IAAI,CAAC;IAE1D,IACE,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC;QACb,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC;QACb,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC;QACb,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC;QACb,IAAI,CAAC,CAAC,CAAC,KAAK,CAAC;QACb,IAAI,CAAC,CAAC,CAAC,KAAK,MAAM,EAClB,CAAC;QACD,MAAM,EAAE,GAAG,GAAG,CAAC,IAAI,CAAC,CAAC,CAAE,IAAI,CAAC,CAAC,GAAG,IAAI,IAAI,IAAI,CAAC,CAAC,CAAE,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,CAAC,CAAE,IAAI,CAAC,CAAC,GAAG,IAAI,IAAI,IAAI,CAAC,CAAC,CAAE,GAAG,IAAI,EAAE,CAAC;QACvG,OAAO,aAAa,CAAC,EAAE,CAAC,CAAC;IAC3B,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,UAAU,CAAC,EAAU;IAC5B,IAAI,IAAI,GAAG,EAAE,CAAC;IACd,IAAI,MAAM,GAA4B,IAAI,CAAC;IAC3C,MAAM,OAAO,GAAG,mDAAmD,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC/E,IAAI,OAAO,EAAE,CAAC;QACZ,MAAM,CAAC,GAAG,OAAO,CAAC,CAAC,CAAE,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;QACvD,IAAI,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;QACpE,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAE,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAE,EAAE,CAAC,CAAC,CAAC,CAAC,CAAE,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,CAAE,CAAC,CAAC;QACtD,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,EAAE,IAAI,CAAC
,MAAM,GAAG,OAAO,CAAC,CAAC,CAAE,CAAC,MAAM,CAAC,CAAC,OAAO,CAAC,IAAI,EAAE,EAAE,CAAC,CAAC;IAC3E,CAAC;IACD,MAAM,KAAK,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC/B,IAAI,KAAK,CAAC,MAAM,GAAG,CAAC;QAAE,OAAO,IAAI,CAAC;IAClC,MAAM,IAAI,GAAG,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IACjD,MAAM,IAAI,GAAG,KAAK,CAAC,MAAM,KAAK,CAAC,IAAI,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IACvE,MAAM,kBAAkB,GAAG,IAAI,CAAC,MAAM,GAAG,IAAI,CAAC,MAAM,GAAG,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;IACxE,MAAM,OAAO,GAAG,CAAC,GAAG,kBAAkB,CAAC;IACvC,IAAI,KAAK,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACvB,IAAI,OAAO,GAAG,CAAC;YAAE,OAAO,IAAI,CAAC;IAC/B,CAAC;SAAM,IAAI,OAAO,KAAK,CAAC,EAAE,CAAC;QACzB,OAAO,IAAI,CAAC;IACd,CAAC;IACD,MAAM,IAAI,GAAG,KAAK,CAAC,MAAM,KAAK,CAAC,CAAC,CAAC,CAAC,IAAI,KAAK,CAAS,OAAO,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;IAC5E,MAAM,MAAM,GAAG,CAAC,GAAG,IAAI,EAAE,GAAG,IAAI,EAAE,GAAG,IAAI,CAAC,CAAC;IAC3C,MAAM,GAAG,GAAa,EAAE,CAAC;IACzB,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;QACvB,IAAI,CAAC,iBAAiB,CAAC,IAAI,CAAC,CAAC,CAAC;YAAE,OAAO,IAAI,CAAC;QAC5C,GAAG,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,IAAI,GAAG,EAAE,EAAE,CAAC,CAAC,CAAC;IACnC,CAAC;IACD,IAAI,MAAM;QAAE,GAAG,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,MAAM,CAAC,CAAC,CAAC,CAAC,CAAC;IAC3C,IAAI,GAAG,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAClC,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;GAGG;AACI,KAAK,UAAU,eAAe,CACnC,SAAiB,EACjB,UAA8B,EAAE;IAEhC,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,gBAAgB,CAAC;IAExD,IAAI,SAAS,CAAC,MAAM,GAAG,qBAAqB,EAAE,CAAC;QAC7C,OAAO,IAAI,CAAC,aAAa,EAAE,kCAAkC,CAAC,CAAC;IACjE,CAAC;IAED,IAAI,GAAQ,CAAC;IACb,IAAI,CAAC;QACH,GAAG,GAAG,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC;IAC3B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC,aAAa,EAAE,wCAAwC,CAAC,CAAC;IACvE,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ,EAAE,CAAC;QAC9B,OAAO,IAAI,CAAC,iBAAiB,EAAE,6BAA6B,CAAC,CAAC;IAChE,CAAC;IAED,IAAI,GAAG,CAAC,QAAQ,IAAI,GAAG,CAAC,QAAQ,EAAE,CAAC;QACjC,OAA
O,IAAI,CAAC,aAAa,EAAE,wCAAwC,CAAC,CAAC;IACvE,CAAC;IAED,MAAM,QAAQ,GAAG,GAAG,CAAC,QAAQ,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,CAAC,CAAC;IACtD,MAAM,OAAO,GAAG,OAAO,CAAC,eAAe,IAAI,cAAc,CAAC;IAE1D,IAAI,SAAmB,CAAC;IACxB,IAAI,CAAC;QACH,SAAS,GAAG,MAAM,OAAO,CAAC,QAAQ,CAAC,CAAC;IACtC,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC,WAAW,EAAE,sCAAsC,CAAC,CAAC;IACnE,CAAC;IACD,IAAI,SAAS,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC3B,OAAO,IAAI,CAAC,WAAW,EAAE,sCAAsC,CAAC,CAAC;IACnE,CAAC;IACD,KAAK,MAAM,IAAI,IAAI,SAAS,EAAE,CAAC;QAC7B,IAAI,IAAI,CAAC,QAAQ,CAAC,GAAG,CAAC,EAAE,CAAC;YACvB,IAAI,aAAa,CAAC,IAAI,CAAC,EAAE,CAAC;gBACxB,OAAO,IAAI,CAAC,cAAc,EAAE,gDAAgD,CAAC,CAAC;YAChF,CAAC;QACH,CAAC;aAAM,CAAC;YACN,IAAI,aAAa,CAAC,IAAI,CAAC,EAAE,CAAC;gBACxB,OAAO,IAAI,CAAC,cAAc,EAAE,gDAAgD,CAAC,CAAC;YAChF,CAAC;QACH,CAAC;IACH,CAAC;IAED,yEAAyE;IACzE,wEAAwE;IACxE,qEAAqE;IACrE,kCAAkC;IAClC,MAAM,WAAW,GAAG,SAAS,CAAC,CAAC,CAAE,CAAC;IAClC,MAAM,eAAe,GAAG,IAAA,eAAI,EAAC,WAAW,CAAC,CAAC;IAE1C,MAAM,QAAQ,GAAG,GAAG,CAAC,QAAQ,EAAE,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,GAAG,GAAG,CAAC;IACtF,MAAM,QAAQ,GAAG,QAAQ,GAAG,kCAAkC,CAAC;IAE/D,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,KAAK,CAAC;IAC7C,MAAM,UAAU,GAAG,IAAI,eAAe,EAAE,CAAC;IACzC,MAAM,KAAK,GAAG,UAAU,CAAC,GAAG,EAAE,CAAC,UAAU,CAAC,KAAK,EAAE,EAAE,SAAS,CAAC,CAAC;IAE9D,MAAM,OAAO,GAAG,OAAO,CAAC,iBAAiB,IAAI,uBAAuB,CAAC;IACrE,IAAI,gBAAyB,CAAC;IAC9B,IAAI,eAAe,KAAK,CAAC,IAAI,eAAe,KAAK,CAAC,EAAE,CAAC;QACnD,gBAAgB,GAAG,OAAO,CAAC,WAAW,EAAE,eAAe,CAAC,CAAC;IAC3D,CAAC;IAED,IAAI,CAAC;QACH,OAAO,MAAM,QAAQ,CAAC,QAAQ,EAAE,SAAS,EAAE,UAAU,EAAE,KAAK,EAAE,gBAAgB,CAAC,CAAC;IAClF,CAAC;YAAS,CAAC;QACT,IAAI,gBAAgB,IAAI,OAAQ,gBAAoD,CAAC,KAAK,KAAK,UAAU,EAAE,CAAC;YAC1G,MAAO,gBAAmD;iBACvD,KAAK,EAAE;iBACP,KAAK,CAAC,GAAG,EAAE,CAAC,SAAS,CAAC,CAAC;QAC5B,CAAC;IACH,CAAC;AACH,CAAC;AAED,SAAS,uBAAuB,CAAC,WAAmB,EAAE,MAAa;IACjE,OAAO,IAAI,cAAK,CAAC;QACf,OAAO,EAAE;YACP,MAAM,EAAE,CACN,SAAiB,EACjB,KAAc,EACd,EAAgF,EAChF,EAAE,CAAC,EAAE,CAAC,IAAI,EAAE,WAAW,EAAE,MAAM,CAAC;SACnC;KACF,CAAC,CAAC;AACL,
CAAC;AAED,KAAK,UAAU,QAAQ,CACrB,QAAgB,EAChB,SAAuB,EACvB,UAA2B,EAC3B,KAAqB,EACrB,gBAAyB;IAEzB,IAAI,QAAkB,CAAC;IACvB,IAAI,CAAC;QACH,MAAM,IAAI,GAA2C;YACnD,MAAM,EAAE,KAAK;YACb,QAAQ,EAAE,QAAQ;YAClB,OAAO,EAAE,EAAE,MAAM,EAAE,kBAAkB,EAAE;YACvC,MAAM,EAAE,UAAU,CAAC,MAAM;SAC1B,CAAC;QACF,IAAI,gBAAgB,EAAE,CAAC;YACrB,IAAI,CAAC,UAAU,GAAG,gBAAgB,CAAC;QACrC,CAAC;QACD,QAAQ,GAAG,MAAM,SAAS,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAC;IAC7C,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,YAAY,CAAC,KAAK,CAAC,CAAC;QACpB,IAAK,GAAyB,CAAC,IAAI,KAAK,YAAY,EAAE,CAAC;YACrD,OAAO,IAAI,CAAC,SAAS,EAAE,iBAAiB,CAAC,CAAC;QAC5C,CAAC;QACD,OAAO,IAAI,CAAC,eAAe,EAAE,2BAA2B,CAAC,CAAC;IAC5D,CAAC;IACD,YAAY,CAAC,KAAK,CAAC,CAAC;IAEpB,IAAI,QAAQ,CAAC,MAAM,IAAI,GAAG,IAAI,QAAQ,CAAC,MAAM,GAAG,GAAG,EAAE,CAAC;QACpD,OAAO,IAAI,CAAC,kBAAkB,EAAE,iEAAiE,CAAC,CAAC;IACrG,CAAC;IACD,IAAI,CAAC,QAAQ,CAAC,EAAE,EAAE,CAAC;QACjB,OAAO,IAAI,CAAC,YAAY,EAAE,wBAAwB,QAAQ,CAAC,MAAM,EAAE,CAAC,CAAC;IACvE,CAAC;IAED,MAAM,MAAM,GAAG,QAAQ,CAAC,IAAI,EAAE,SAAS,EAAE,CAAC;IAC1C,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,IAAI,CAAC,eAAe,EAAE,qBAAqB,CAAC,CAAC;IACtD,CAAC;IACD,MAAM,MAAM,GAAiB,EAAE,CAAC;IAChC,IAAI,KAAK,GAAG,CAAC,CAAC;IACd,IAAI,CAAC;QACH,SAAS,CAAC;YACR,MAAM,EAAE,KAAK,EAAE,IAAI,EAAE,GAAG,MAAM,MAAM,CAAC,IAAI,EAAE,CAAC;YAC5C,IAAI,IAAI;gBAAE,MAAM;YAChB,IAAI,KAAK,EAAE,CAAC;gBACV,KAAK,IAAI,KAAK,CAAC,MAAM,CAAC;gBACtB,IAAI,KAAK,GAAG,cAAc,EAAE,CAAC;oBAC3B,MAAM,MAAM,CAAC,MAAM,EAAE,CAAC,KAAK,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;oBACtC,OAAO,IAAI,CAAC,gBAAgB,EAAE,gCAAgC,CAAC,CAAC;gBAClE,CAAC;gBACD,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACrB,CAAC;QACH,CAAC;IACH,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC,eAAe,EAAE,gCAAgC,CAAC,CAAC;IACjE,CAAC;IAED,MAAM,IAAI,GAAG,IAAI,WAAW,CAAC,OAAO,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC;IAC7D,IAAI,IAAa,CAAC;IAClB,IAAI,CAAC;QACH,IAAI,GAAG,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC;IAC1B,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,IAAI,CAAC,cAAc,EAAE,oCAAoC,CAAC,CAAC;IACpE,CAAC;IACD,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,IAAI,KAAK,IAAI,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QACrE,OAA
O,IAAI,CAAC,cAAc,EAAE,uCAAuC,CAAC,CAAC;IACvE,CAAC;IAED,MAAM,IAAI,GAAG,IAA+B,CAAC;IAC7C,MAAM,MAAM,GAAG,OAAO,IAAI,CAAC,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,CAAC;IAClE,MAAM,qBAAqB,GACzB,OAAO,IAAI,CAAC,sBAAsB,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,sBAAsB,CAAC,CAAC,CAAC,EAAE,CAAC;IACrF,MAAM,aAAa,GAAG,OAAO,IAAI,CAAC,cAAc,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC,CAAC,EAAE,CAAC;IACzF,MAAM,OAAO,GAAG,OAAO,IAAI,CAAC,QAAQ,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC,CAAC,EAAE,CAAC;IACvE,MAAM,gBAAgB,GACpB,OAAO,IAAI,CAAC,iBAAiB,KAAK,QAAQ,CAAC,CAAC,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC,CAAC,SAAS,CAAC;IAElF,IAAI,CAAC,MAAM,IAAI,CAAC,qBAAqB,IAAI,CAAC,aAAa,IAAI,CAAC,OAAO,EAAE,CAAC;QACpE,OAAO,IAAI,CACT,mBAAmB,EACnB,+FAA+F,CAChG,CAAC;IACJ,CAAC;IAED,OAAO;QACL,EAAE,EAAE,IAAI;QACR,MAAM;QACN,qBAAqB;QACrB,aAAa;QACb,OAAO;QACP,GAAG,CAAC,gBAAgB,CAAC,CAAC,CAAC,EAAE,gBAAgB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KAClD,CAAC;AACJ,CAAC;AAED,SAAS,MAAM,CAAC,MAAoB;IAClC,IAAI,KAAK,GAAG,CAAC,CAAC;IACd,KAAK,MAAM,CAAC,IAAI,MAAM;QAAE,KAAK,IAAI,CAAC,CAAC,MAAM,CAAC;IAC1C,MAAM,GAAG,GAAG,IAAI,UAAU,CAAC,KAAK,CAAC,CAAC;IAClC,IAAI,GAAG,GAAG,CAAC,CAAC;IACZ,KAAK,MAAM,CAAC,IAAI,MAAM,EAAE,CAAC;QACvB,GAAG,CAAC,GAAG,CAAC,CAAC,EAAE,GAAG,CAAC,CAAC;QAChB,GAAG,IAAI,CAAC,CAAC,MAAM,CAAC;IAClB,CAAC;IACD,OAAO,GAAG,CAAC;AACb,CAAC"}
@@ -29,12 +29,12 @@ export declare class CommentHandler {
29
29
  *
30
30
  * PREPARATORY: Uses DataRouter for region-aware operations.
31
31
  */
32
- createComment(postId: string, request: Request, session: Session, env: Env, requestContext: RequestContext, parentCommentId?: string): Promise<Response>;
32
+ createComment(postId: string, request: Request, session: Session, env: Env, requestContext: RequestContext, activeTenantId: string, parentCommentId?: string): Promise<Response>;
33
33
  /**
34
34
  * Create a reply to an existing comment
35
35
  * Uses the existing createComment() logic with parentCommentId
36
36
  */
37
- createReply(parentCommentId: string, request: Request, session: Session, env: Env, requestContext: RequestContext): Promise<Response>;
37
+ createReply(parentCommentId: string, request: Request, session: Session, env: Env, requestContext: RequestContext, activeTenantId: string): Promise<Response>;
38
38
  /**
39
39
  * Get comments for a post
40
40
  *
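Review bot: `activeTenantId: string` is inserted ahead of `parentCommentId?: string` in `createComment`, so a call written against 0.6.1 that passes the parent comment id as the sixth argument still type-checks, because both parameters are plain `string`, and now binds that id as the tenant. The implementation hunks further down use this value as a query filter and as the `tenantId` stored on the new row, so a stale caller may not fail in an obvious way. Keeping the sixth slot stable would avoid the silent rebinding, for example `createComment(postId: string, request: Request, session: Session, env: Env, requestContext: RequestContext, parentCommentId: string | undefined, activeTenantId: string): Promise<Response>;`. The class declaration starts and continues outside this hunk.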
@@ -43,32 +43,32 @@ export declare class CommentHandler {
43
43
  getComments(postId: string, request: Request, session: Session, options: {
44
44
  limit?: number;
45
45
  cursor?: string;
46
- }, env: Env, requestContext: RequestContext): Promise<Response>;
46
+ }, env: Env, requestContext: RequestContext, activeTenantId: string): Promise<Response>;
47
47
  /**
48
48
  * Hide a comment
49
49
  *
50
50
  * PREPARATORY: Uses DataRouter for region-aware operations.
51
51
  */
52
- hideComment(commentId: string, request: Request, session: Session, env: Env, requestContext: RequestContext): Promise<Response>;
52
+ hideComment(commentId: string, request: Request, session: Session, env: Env, requestContext: RequestContext, activeTenantId: string): Promise<Response>;
53
53
  /**
54
54
  * Unhide a comment
55
55
  *
56
56
  * PREPARATORY: Uses DataRouter for region-aware operations.
57
57
  */
58
- unhideComment(commentId: string, request: Request, session: Session, env: Env, requestContext: RequestContext): Promise<Response>;
58
+ unhideComment(commentId: string, request: Request, session: Session, env: Env, requestContext: RequestContext, activeTenantId: string): Promise<Response>;
59
59
  /**
60
60
  * Edit a comment (15-minute window)
61
61
  *
62
62
  * PREPARATORY: Uses DataRouter for region-aware operations.
63
63
  */
64
- editComment(commentId: string, request: Request, session: Session, env: Env, requestContext: RequestContext): Promise<Response>;
64
+ editComment(commentId: string, request: Request, session: Session, env: Env, requestContext: RequestContext, activeTenantId: string): Promise<Response>;
65
65
  /**
66
66
  * Delete a comment (soft delete)
67
67
  *
68
68
  * Author or post owner can delete.
69
69
  * PREPARATORY: Uses DataRouter for region-aware operations.
70
70
  */
71
- deleteComment(commentId: string, request: Request, session: Session, env: Env, requestContext: RequestContext): Promise<Response>;
71
+ deleteComment(commentId: string, request: Request, session: Session, env: Env, requestContext: RequestContext, activeTenantId: string): Promise<Response>;
72
72
  /**
73
73
  * Invalidate comment cache
74
74
  */
@@ -1 +1 @@
1
- {"version":3,"file":"comment-handler.d.ts","sourceRoot":"","sources":["../../src/lib/comment-handler.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAA6B,MAAM,4BAA4B,CAAC;AAczF,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACxD,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAC;AAEjD,MAAM,WAAW,GAAG;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,mBAAmB,CAAC,EAAE,WAAW,CAAC;IAClC,aAAa,CAAC,EAAE,WAAW,CAAC;IAC5B,WAAW,CAAC,EAAE,WAAW,CAAC;IAC1B,gBAAgB,CAAC,EAAE,GAAG,CAAC;IACvB,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,WAAW,oBAAoB;IACnC,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,CAAC,EAAE,KAAK,CAAC;QACZ,IAAI,EAAE,IAAI,GAAG,IAAI,CAAC;QAClB,GAAG,CAAC,EAAE,MAAM,CAAC;QACb,QAAQ,EAAE,MAAM,CAAC;KAClB,CAAC,CAAC;CACJ;AAED,qBAAa,cAAc;IACzB,OAAO,CAAC,iBAAiB,CAAoB;;IAO7C;;;;OAIG;IACG,aAAa,CACjB,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,OAAO,EAChB,OAAO,EAAE,OAAO,EAChB,GAAG,EAAE,GAAG,EACR,cAAc,EAAE,cAAc,EAC9B,eAAe,CAAC,EAAE,MAAM,GACvB,OAAO,CAAC,QAAQ,CAAC;IAqepB;;;OAGG;IACG,WAAW,CACf,eAAe,EAAE,MAAM,EACvB,OAAO,EAAE,OAAO,EAChB,OAAO,EAAE,OAAO,EAChB,GAAG,EAAE,GAAG,EACR,cAAc,EAAE,cAAc,GAC7B,OAAO,CAAC,QAAQ,CAAC;IAkEpB;;;;OAIG;IACG,WAAW,CACf,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,OAAO,EAChB,OAAO,EAAE,OAAO,EAChB,OAAO,EAAE;QAAE,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE,EAC5C,GAAG,EAAE,GAAG,EACR,cAAc,EAAE,cAAc,GAC7B,OAAO,CAAC,QAAQ,CAAC;IAyLpB;;;;OAIG;IACG,WAAW,CACf,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,OAAO,EAChB,OAAO,EAAE,OAAO,EAChB,GAAG,EAAE,GAAG,EACR,cAAc,EAAE,cAAc,GAC7B,OAAO,CAAC,QAAQ,CAAC;IAoGpB;;;;OAIG;IACG,aAAa,CACjB,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,OAAO,EAChB,OAAO,EAAE,OAAO,EAChB,GAAG,EAAE,GAAG,EACR,cAAc,EAAE,cAAc,GAC7B,OAAO,CAAC,QAAQ,CAAC;IAoGpB;;;;OAIG;IACG,WAAW,CACf,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,OAAO,EAChB,OAAO,EAAE,OAAO,EAChB,GAAG,EAAE,GAAG,EACR,cAAc,EAAE,cAAc,GAC7B,OAAO,CAAC,QAAQ,CAAC;IAqKpB;;;;;OAKG;IACG,aAAa,CACjB,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,OAAO,EAChB,OAAO,EAAE,OAAO,EAChB,GAAG,EAAE,GAAG,EACR,cAAc,EAAE
,cAAc,GAC7B,OAAO,CAAC,QAAQ,CAAC;IA4GpB;;OAEG;YACW,sBAAsB;CAgBrC"}
1
+ {"version":3,"file":"comment-handler.d.ts","sourceRoot":"","sources":["../../src/lib/comment-handler.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,WAAW,EAA6B,MAAM,4BAA4B,CAAC;AAczF,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,mBAAmB,CAAC;AACxD,OAAO,KAAK,EAAE,OAAO,EAAE,MAAM,mBAAmB,CAAC;AAEjD,MAAM,WAAW,GAAG;IAClB,YAAY,EAAE,MAAM,CAAC;IACrB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,cAAc,CAAC,EAAE,MAAM,CAAC;IACxB,mBAAmB,CAAC,EAAE,WAAW,CAAC;IAClC,aAAa,CAAC,EAAE,WAAW,CAAC;IAC5B,WAAW,CAAC,EAAE,WAAW,CAAC;IAC1B,gBAAgB,CAAC,EAAE,GAAG,CAAC;IACvB,cAAc,CAAC,EAAE,MAAM,CAAC;CACzB;AAED,MAAM,WAAW,oBAAoB;IACnC,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,CAAC,EAAE,KAAK,CAAC;QACZ,IAAI,EAAE,IAAI,GAAG,IAAI,CAAC;QAClB,GAAG,CAAC,EAAE,MAAM,CAAC;QACb,QAAQ,EAAE,MAAM,CAAC;KAClB,CAAC,CAAC;CACJ;AAED,qBAAa,cAAc;IACzB,OAAO,CAAC,iBAAiB,CAAoB;;IAO7C;;;;OAIG;IACG,aAAa,CACjB,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,OAAO,EAChB,OAAO,EAAE,OAAO,EAChB,GAAG,EAAE,GAAG,EACR,cAAc,EAAE,cAAc,EAC9B,cAAc,EAAE,MAAM,EACtB,eAAe,CAAC,EAAE,MAAM,GACvB,OAAO,CAAC,QAAQ,CAAC;IAuepB;;;OAGG;IACG,WAAW,CACf,eAAe,EAAE,MAAM,EACvB,OAAO,EAAE,OAAO,EAChB,OAAO,EAAE,OAAO,EAChB,GAAG,EAAE,GAAG,EACR,cAAc,EAAE,cAAc,EAC9B,cAAc,EAAE,MAAM,GACrB,OAAO,CAAC,QAAQ,CAAC;IAmEpB;;;;OAIG;IACG,WAAW,CACf,MAAM,EAAE,MAAM,EACd,OAAO,EAAE,OAAO,EAChB,OAAO,EAAE,OAAO,EAChB,OAAO,EAAE;QAAE,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE,EAC5C,GAAG,EAAE,GAAG,EACR,cAAc,EAAE,cAAc,EAC9B,cAAc,EAAE,MAAM,GACrB,OAAO,CAAC,QAAQ,CAAC;IA0LpB;;;;OAIG;IACG,WAAW,CACf,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,OAAO,EAChB,OAAO,EAAE,OAAO,EAChB,GAAG,EAAE,GAAG,EACR,cAAc,EAAE,cAAc,EAC9B,cAAc,EAAE,MAAM,GACrB,OAAO,CAAC,QAAQ,CAAC;IAoGpB;;;;OAIG;IACG,aAAa,CACjB,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,OAAO,EAChB,OAAO,EAAE,OAAO,EAChB,GAAG,EAAE,GAAG,EACR,cAAc,EAAE,cAAc,EAC9B,cAAc,EAAE,MAAM,GACrB,OAAO,CAAC,QAAQ,CAAC;IAoGpB;;;;OAIG;IACG,WAAW,CACf,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,OAAO,EAChB,OAAO,EAAE,OAAO,EAChB,GAAG,EAAE,GAAG,EACR,cAAc,EAAE,cAAc,EAC9B,cAAc,EAAE,MAAM,GACrB,OAAO,CAAC,QAAQ,CAA
C;IAqKpB;;;;;OAKG;IACG,aAAa,CACjB,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,OAAO,EAChB,OAAO,EAAE,OAAO,EAChB,GAAG,EAAE,GAAG,EACR,cAAc,EAAE,cAAc,EAC9B,cAAc,EAAE,MAAM,GACrB,OAAO,CAAC,QAAQ,CAAC;IA4GpB;;OAEG;YACW,sBAAsB;CAgBrC"}
@@ -56,7 +56,7 @@ class CommentHandler {
56
56
  *
57
57
  * PREPARATORY: Uses DataRouter for region-aware operations.
58
58
  */
59
- async createComment(postId, request, session, env, requestContext, parentCommentId) {
59
+ async createComment(postId, request, session, env, requestContext, activeTenantId, parentCommentId) {
60
60
  try {
61
61
  // Validate request body with Zod schema
62
62
  const { validateRequest } = await Promise.resolve().then(() => __importStar(require("./validate-request")));
@@ -179,8 +179,8 @@ class CommentHandler {
179
179
  if (parentCommentId) {
180
180
  // Fetch parent comment to get thread context
181
181
  const parentComment = await withQueryTimeoutAndRetry(sharedDatabaseConnectionManager, region, env, async (db) => {
182
- return await db.postComment.findUnique({
183
- where: { id: parentCommentId },
182
+ return await db.postComment.findFirst({
183
+ where: { id: parentCommentId, tenantId: activeTenantId },
184
184
  select: {
185
185
  id: true,
186
186
  postId: true,
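Review bot: The new `where: { id: parentCommentId, tenantId: activeTenantId }` only isolates tenants when `activeTenantId` is actually set, and nothing in this hunk checks that. If `db` is a Prisma-style client (the page does not say), a key whose value is `undefined` is left out of the filter, so a caller that omits the new argument would get the old unscoped lookup back without any error. The same applies to the other lookups changed in this file: the duplicate check and `create` in `createComment`, and the queries in `createReply`, `getComments`, `hideComment`, `unhideComment`, `editComment` and `deleteComment`. A fail-closed check at the start of each method would cover it: `if (typeof activeTenantId !== "string" || activeTenantId.length === 0) throw new TypeError("activeTenantId is required");`. The enclosing `createComment` body starts and ends outside this hunk.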
@@ -226,6 +226,7 @@ class CommentHandler {
226
226
  return await db.postComment.findFirst({
227
227
  where: {
228
228
  postId: post.id,
229
+ tenantId: activeTenantId,
229
230
  authorId: session.userId,
230
231
  text: sanitizedText.trim(),
231
232
  createdAt: { gte: fiveMinutesAgo },
@@ -278,6 +279,7 @@ class CommentHandler {
278
279
  hasBlockedLinks: hasBlockedLinks,
279
280
  rootUri: rootUri,
280
281
  replyToUri: replyToUri,
282
+ tenantId: activeTenantId,
281
283
  },
282
284
  });
283
285
  }, {
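Review bot: The row is created with `tenantId: activeTenantId`, but none of the `createComment` hunks shows the post itself being checked against that tenant. The post lookup lies between the hunks and appears unchanged, so this may already be handled there; if it is still fetched by id alone, a comment could be stored under one tenant while attached to a post that belongs to another. Assuming the post row carries a `tenantId`, a check before the insert would close that gap: `if (post.tenantId !== activeTenantId) return new Response(JSON.stringify({ error: "Post not found" }), { status: 404, headers: { "content-type": "application/json" } });`. The surrounding function starts and ends outside this hunk.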
@@ -404,15 +406,15 @@ class CommentHandler {
404
406
  * Create a reply to an existing comment
405
407
  * Uses the existing createComment() logic with parentCommentId
406
408
  */
407
- async createReply(parentCommentId, request, session, env, requestContext) {
409
+ async createReply(parentCommentId, request, session, env, requestContext, activeTenantId) {
408
410
  try {
409
411
  // Fetch parent comment to get postId and validate it exists
410
412
  const { sharedDatabaseConnectionManager } = await Promise.resolve().then(() => __importStar(require("./database-connection-manager")));
411
413
  const { withQueryTimeoutAndRetry, QueryTimeoutPresets } = await Promise.resolve().then(() => __importStar(require("./db-query-helper")));
412
414
  const region = requestContext.region;
413
415
  const parentComment = await withQueryTimeoutAndRetry(sharedDatabaseConnectionManager, region, env, async (db) => {
414
- return await db.postComment.findUnique({
415
- where: { id: parentCommentId },
416
+ return await db.postComment.findFirst({
417
+ where: { id: parentCommentId, tenantId: activeTenantId },
416
418
  select: { postId: true, deletedAt: true },
417
419
  });
418
420
  }, {
@@ -432,7 +434,7 @@ class CommentHandler {
432
434
  return new Response(JSON.stringify({ error: "Cannot reply to deleted comment" }), { status: 400, headers: { "content-type": "application/json" } });
433
435
  }
434
436
  // Delegate to createComment() with parentCommentId
435
- return this.createComment(parentComment.postId, request, session, env, requestContext, parentCommentId);
437
+ return this.createComment(parentComment.postId, request, session, env, requestContext, activeTenantId, parentCommentId);
436
438
  }
437
439
  catch (error) {
438
440
  const { Logger } = await Promise.resolve().then(() => __importStar(require("./logger")));
@@ -445,7 +447,7 @@ class CommentHandler {
445
447
  *
446
448
  * PREPARATORY: Uses DataRouter for region-aware operations.
447
449
  */
448
- async getComments(postId, request, session, options, env, requestContext) {
450
+ async getComments(postId, request, session, options, env, requestContext, activeTenantId) {
449
451
  try {
450
452
  // PREPARATORY: Use DataRouter to get region-specific database
451
453
  const region = requestContext.region;
@@ -468,6 +470,7 @@ class CommentHandler {
468
470
  return await db.postComment.findMany({
469
471
  where: {
470
472
  postId,
473
+ tenantId: activeTenantId,
471
474
  hiddenByPostOwner: false,
472
475
  deletedAt: null, // Filter out soft-deleted comments
473
476
  ...(cursor && { createdAt: { lt: cursor } }),
@@ -585,7 +588,7 @@ class CommentHandler {
585
588
  *
586
589
  * PREPARATORY: Uses DataRouter for region-aware operations.
587
590
  */
588
- async hideComment(commentId, request, session, env, requestContext) {
591
+ async hideComment(commentId, request, session, env, requestContext, activeTenantId) {
589
592
  try {
590
593
  // PREPARATORY: Use DataRouter to get region-specific database
591
594
  const region = requestContext.region;
@@ -593,8 +596,8 @@ class CommentHandler {
593
596
  const { sharedDatabaseConnectionManager } = await Promise.resolve().then(() => __importStar(require("./database-connection-manager")));
594
597
  const { withQueryTimeoutAndRetry, QueryTimeoutPresets } = await Promise.resolve().then(() => __importStar(require("./db-query-helper")));
595
598
  const comment = await withQueryTimeoutAndRetry(sharedDatabaseConnectionManager, region, env, async (db) => {
596
- return await db.postComment.findUnique({
597
- where: { id: commentId },
599
+ return await db.postComment.findFirst({
600
+ where: { id: commentId, tenantId: activeTenantId },
598
601
  include: { post: true },
599
602
  });
600
603
  }, {
@@ -662,7 +665,7 @@ class CommentHandler {
662
665
  *
663
666
  * PREPARATORY: Uses DataRouter for region-aware operations.
664
667
  */
665
- async unhideComment(commentId, request, session, env, requestContext) {
668
+ async unhideComment(commentId, request, session, env, requestContext, activeTenantId) {
666
669
  try {
667
670
  // PREPARATORY: Use DataRouter to get region-specific database
668
671
  const region = requestContext.region;
@@ -670,8 +673,8 @@ class CommentHandler {
670
673
  const { sharedDatabaseConnectionManager } = await Promise.resolve().then(() => __importStar(require("./database-connection-manager")));
671
674
  const { withQueryTimeoutAndRetry, QueryTimeoutPresets } = await Promise.resolve().then(() => __importStar(require("./db-query-helper")));
672
675
  const comment = await withQueryTimeoutAndRetry(sharedDatabaseConnectionManager, region, env, async (db) => {
673
- return await db.postComment.findUnique({
674
- where: { id: commentId },
676
+ return await db.postComment.findFirst({
677
+ where: { id: commentId, tenantId: activeTenantId },
675
678
  include: { post: true },
676
679
  });
677
680
  }, {
@@ -736,7 +739,7 @@ class CommentHandler {
736
739
  *
737
740
  * PREPARATORY: Uses DataRouter for region-aware operations.
738
741
  */
739
- async editComment(commentId, request, session, env, requestContext) {
742
+ async editComment(commentId, request, session, env, requestContext, activeTenantId) {
740
743
  try {
741
744
  // Validate request body
742
745
  const { validateRequest } = await Promise.resolve().then(() => __importStar(require("./validate-request")));
@@ -754,8 +757,8 @@ class CommentHandler {
754
757
  const { withQueryTimeoutAndRetry, QueryTimeoutPresets } = await Promise.resolve().then(() => __importStar(require("./db-query-helper")));
755
758
  // Get comment with post info
756
759
  const comment = await withQueryTimeoutAndRetry(sharedDatabaseConnectionManager, region, env, async (db) => {
757
- return await db.postComment.findUnique({
758
- where: { id: commentId },
760
+ return await db.postComment.findFirst({
761
+ where: { id: commentId, tenantId: activeTenantId },
759
762
  include: { post: { select: { id: true, authorId: true } } },
760
763
  });
761
764
  }, {
@@ -859,15 +862,15 @@ class CommentHandler {
859
862
  * Author or post owner can delete.
860
863
  * PREPARATORY: Uses DataRouter for region-aware operations.
861
864
  */
862
- async deleteComment(commentId, request, session, env, requestContext) {
865
+ async deleteComment(commentId, request, session, env, requestContext, activeTenantId) {
863
866
  try {
864
867
  const region = requestContext.region;
865
868
  const { sharedDatabaseConnectionManager } = await Promise.resolve().then(() => __importStar(require("./database-connection-manager")));
866
869
  const { withQueryTimeoutAndRetry, QueryTimeoutPresets } = await Promise.resolve().then(() => __importStar(require("./db-query-helper")));
867
870
  // Get comment with post info
868
871
  const comment = await withQueryTimeoutAndRetry(sharedDatabaseConnectionManager, region, env, async (db) => {
869
- return await db.postComment.findUnique({
870
- where: { id: commentId },
872
+ return await db.postComment.findFirst({
873
+ where: { id: commentId, tenantId: activeTenantId },
871
874
  include: {
872
875
  post: { select: { id: true, authorId: true } },
873
876
  },