@de-otio/trellis 0.6.1 → 0.7.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/env.d.ts +21 -0
- package/dist/env.d.ts.map +1 -1
- package/dist/env.js +12 -0
- package/dist/env.js.map +1 -1
- package/dist/lambda/nightly-cron.d.ts.map +1 -1
- package/dist/lambda/nightly-cron.js +5 -2
- package/dist/lambda/nightly-cron.js.map +1 -1
- package/dist/lambda/post-confirmation.d.ts +30 -0
- package/dist/lambda/post-confirmation.d.ts.map +1 -1
- package/dist/lambda/post-confirmation.js +333 -29
- package/dist/lambda/post-confirmation.js.map +1 -1
- package/dist/lambda/pre-token-generation.d.ts +20 -0
- package/dist/lambda/pre-token-generation.d.ts.map +1 -1
- package/dist/lambda/pre-token-generation.js +233 -48
- package/dist/lambda/pre-token-generation.js.map +1 -1
- package/dist/lib/activitypub/activity-processor.d.ts.map +1 -1
- package/dist/lib/activitypub/activity-processor.js +2 -1
- package/dist/lib/activitypub/activity-processor.js.map +1 -1
- package/dist/lib/activitypub/group-service.d.ts +2 -2
- package/dist/lib/activitypub/group-service.d.ts.map +1 -1
- package/dist/lib/activitypub/group-service.js +5 -2
- package/dist/lib/activitypub/group-service.js.map +1 -1
- package/dist/lib/age-tier-transition.d.ts.map +1 -1
- package/dist/lib/age-tier-transition.js +19 -10
- package/dist/lib/age-tier-transition.js.map +1 -1
- package/dist/lib/audit/csv-export.d.ts +25 -0
- package/dist/lib/audit/csv-export.d.ts.map +1 -0
- package/dist/lib/audit/csv-export.js +54 -0
- package/dist/lib/audit/csv-export.js.map +1 -0
- package/dist/lib/audit/emit.d.ts +56 -0
- package/dist/lib/audit/emit.d.ts.map +1 -0
- package/dist/lib/audit/emit.js +124 -0
- package/dist/lib/audit/emit.js.map +1 -0
- package/dist/lib/audit/event-types.d.ts +36 -0
- package/dist/lib/audit/event-types.d.ts.map +1 -0
- package/dist/lib/audit/event-types.js +69 -0
- package/dist/lib/audit/event-types.js.map +1 -0
- package/dist/lib/audit/pii-filter.d.ts +22 -0
- package/dist/lib/audit/pii-filter.d.ts.map +1 -0
- package/dist/lib/audit/pii-filter.js +51 -0
- package/dist/lib/audit/pii-filter.js.map +1 -0
- package/dist/lib/audit-logger.js +1 -1
- package/dist/lib/audit-logger.js.map +1 -1
- package/dist/lib/auth/auth-context.d.ts +34 -0
- package/dist/lib/auth/auth-context.d.ts.map +1 -0
- package/dist/lib/auth/auth-context.js +10 -0
- package/dist/lib/auth/auth-context.js.map +1 -0
- package/dist/lib/auth/auth-middleware.d.ts +50 -0
- package/dist/lib/auth/auth-middleware.d.ts.map +1 -0
- package/dist/lib/auth/auth-middleware.js +153 -0
- package/dist/lib/auth/auth-middleware.js.map +1 -0
- package/dist/lib/auth/capabilities.d.ts +40 -0
- package/dist/lib/auth/capabilities.d.ts.map +1 -0
- package/dist/lib/auth/capabilities.js +44 -0
- package/dist/lib/auth/capabilities.js.map +1 -0
- package/dist/lib/auth/claims-cache.d.ts +70 -0
- package/dist/lib/auth/claims-cache.d.ts.map +1 -0
- package/dist/lib/auth/claims-cache.js +139 -0
- package/dist/lib/auth/claims-cache.js.map +1 -0
- package/dist/lib/auth/cognito-jwt.d.ts +6 -0
- package/dist/lib/auth/cognito-jwt.d.ts.map +1 -1
- package/dist/lib/auth/cognito-jwt.js.map +1 -1
- package/dist/lib/auth/idp-redirect-builder.d.ts +43 -0
- package/dist/lib/auth/idp-redirect-builder.d.ts.map +1 -0
- package/dist/lib/auth/idp-redirect-builder.js +48 -0
- package/dist/lib/auth/idp-redirect-builder.js.map +1 -0
- package/dist/lib/auth/require.d.ts +51 -0
- package/dist/lib/auth/require.d.ts.map +1 -0
- package/dist/lib/auth/require.js +99 -0
- package/dist/lib/auth/require.js.map +1 -0
- package/dist/lib/auth/role-grants.d.ts +18 -0
- package/dist/lib/auth/role-grants.d.ts.map +1 -0
- package/dist/lib/auth/role-grants.js +62 -0
- package/dist/lib/auth/role-grants.js.map +1 -0
- package/dist/lib/cognito/idp-sdk.d.ts +80 -0
- package/dist/lib/cognito/idp-sdk.d.ts.map +1 -0
- package/dist/lib/cognito/idp-sdk.js +186 -0
- package/dist/lib/cognito/idp-sdk.js.map +1 -0
- package/dist/lib/cognito/issuer-probe.d.ts +47 -0
- package/dist/lib/cognito/issuer-probe.d.ts.map +1 -0
- package/dist/lib/cognito/issuer-probe.js +319 -0
- package/dist/lib/cognito/issuer-probe.js.map +1 -0
- package/dist/lib/comment-handler.d.ts +7 -7
- package/dist/lib/comment-handler.d.ts.map +1 -1
- package/dist/lib/comment-handler.js +23 -20
- package/dist/lib/comment-handler.js.map +1 -1
- package/dist/lib/compliance/baseline.d.ts +15 -0
- package/dist/lib/compliance/baseline.d.ts.map +1 -0
- package/dist/lib/compliance/baseline.js +205 -0
- package/dist/lib/compliance/baseline.js.map +1 -0
- package/dist/lib/compliance/tenant-merge.d.ts +35 -0
- package/dist/lib/compliance/tenant-merge.d.ts.map +1 -0
- package/dist/lib/compliance/tenant-merge.js +80 -0
- package/dist/lib/compliance/tenant-merge.js.map +1 -0
- package/dist/lib/compliance/types.d.ts +135 -0
- package/dist/lib/compliance/types.d.ts.map +1 -0
- package/dist/lib/compliance/types.js +9 -0
- package/dist/lib/compliance/types.js.map +1 -0
- package/dist/lib/connection-code-handler.d.ts +4 -4
- package/dist/lib/connection-code-handler.d.ts.map +1 -1
- package/dist/lib/connection-code-handler.js +21 -11
- package/dist/lib/connection-code-handler.js.map +1 -1
- package/dist/lib/feed-handler.d.ts +2 -2
- package/dist/lib/feed-handler.d.ts.map +1 -1
- package/dist/lib/feed-handler.js +5 -9
- package/dist/lib/feed-handler.js.map +1 -1
- package/dist/lib/middleware/idempotency-store.d.ts +86 -0
- package/dist/lib/middleware/idempotency-store.d.ts.map +1 -0
- package/dist/lib/middleware/idempotency-store.js +109 -0
- package/dist/lib/middleware/idempotency-store.js.map +1 -0
- package/dist/lib/middleware/idempotency.d.ts +37 -0
- package/dist/lib/middleware/idempotency.d.ts.map +1 -0
- package/dist/lib/middleware/idempotency.js +358 -0
- package/dist/lib/middleware/idempotency.js.map +1 -0
- package/dist/lib/net/trusted-client-ip.d.ts +39 -0
- package/dist/lib/net/trusted-client-ip.d.ts.map +1 -0
- package/dist/lib/net/trusted-client-ip.js +100 -0
- package/dist/lib/net/trusted-client-ip.js.map +1 -0
- package/dist/lib/notification-handler.d.ts +5 -5
- package/dist/lib/notification-handler.d.ts.map +1 -1
- package/dist/lib/notification-handler.js +11 -9
- package/dist/lib/notification-handler.js.map +1 -1
- package/dist/lib/oauth/cognito-issuer.d.ts +34 -0
- package/dist/lib/oauth/cognito-issuer.d.ts.map +1 -0
- package/dist/lib/oauth/cognito-issuer.js +53 -0
- package/dist/lib/oauth/cognito-issuer.js.map +1 -0
- package/dist/lib/oauth/device-authorization.d.ts +145 -0
- package/dist/lib/oauth/device-authorization.d.ts.map +1 -0
- package/dist/lib/oauth/device-authorization.js +312 -0
- package/dist/lib/oauth/device-authorization.js.map +1 -0
- package/dist/lib/oauth/envelope-crypto.d.ts +101 -0
- package/dist/lib/oauth/envelope-crypto.d.ts.map +1 -0
- package/dist/lib/oauth/envelope-crypto.js +223 -0
- package/dist/lib/oauth/envelope-crypto.js.map +1 -0
- package/dist/lib/oauth/refresh-detection.d.ts +126 -0
- package/dist/lib/oauth/refresh-detection.d.ts.map +1 -0
- package/dist/lib/oauth/refresh-detection.js +248 -0
- package/dist/lib/oauth/refresh-detection.js.map +1 -0
- package/dist/lib/openapi/generator.d.ts +78 -0
- package/dist/lib/openapi/generator.d.ts.map +1 -0
- package/dist/lib/openapi/generator.js +201 -0
- package/dist/lib/openapi/generator.js.map +1 -0
- package/dist/lib/post-handler.d.ts +1 -1
- package/dist/lib/post-handler.d.ts.map +1 -1
- package/dist/lib/post-handler.js +4 -15
- package/dist/lib/post-handler.js.map +1 -1
- package/dist/lib/rate-limit.d.ts.map +1 -1
- package/dist/lib/rate-limit.js +11 -3
- package/dist/lib/rate-limit.js.map +1 -1
- package/dist/lib/routes/agent-authorize.d.ts +32 -0
- package/dist/lib/routes/agent-authorize.d.ts.map +1 -0
- package/dist/lib/routes/agent-authorize.js +479 -0
- package/dist/lib/routes/agent-authorize.js.map +1 -0
- package/dist/lib/routes/agent-sessions.d.ts +20 -0
- package/dist/lib/routes/agent-sessions.d.ts.map +1 -0
- package/dist/lib/routes/agent-sessions.js +124 -0
- package/dist/lib/routes/agent-sessions.js.map +1 -0
- package/dist/lib/routes/agent-surface.d.ts +37 -0
- package/dist/lib/routes/agent-surface.d.ts.map +1 -0
- package/dist/lib/routes/agent-surface.js +208 -0
- package/dist/lib/routes/agent-surface.js.map +1 -0
- package/dist/lib/routes/auth-discover.d.ts +18 -0
- package/dist/lib/routes/auth-discover.d.ts.map +1 -0
- package/dist/lib/routes/auth-discover.js +177 -0
- package/dist/lib/routes/auth-discover.js.map +1 -0
- package/dist/lib/routes/comments.d.ts.map +1 -1
- package/dist/lib/routes/comments.js +36 -7
- package/dist/lib/routes/comments.js.map +1 -1
- package/dist/lib/routes/connection-codes.d.ts.map +1 -1
- package/dist/lib/routes/connection-codes.js +21 -4
- package/dist/lib/routes/connection-codes.js.map +1 -1
- package/dist/lib/routes/content-discovery.d.ts.map +1 -1
- package/dist/lib/routes/content-discovery.js +18 -13
- package/dist/lib/routes/content-discovery.js.map +1 -1
- package/dist/lib/routes/dashboard.js +1 -1
- package/dist/lib/routes/dashboard.js.map +1 -1
- package/dist/lib/routes/employees.d.ts.map +1 -1
- package/dist/lib/routes/employees.js +57 -15
- package/dist/lib/routes/employees.js.map +1 -1
- package/dist/lib/routes/entities.d.ts.map +1 -1
- package/dist/lib/routes/entities.js +35 -19
- package/dist/lib/routes/entities.js.map +1 -1
- package/dist/lib/routes/errors.d.ts +34 -0
- package/dist/lib/routes/errors.d.ts.map +1 -0
- package/dist/lib/routes/errors.js +57 -0
- package/dist/lib/routes/errors.js.map +1 -0
- package/dist/lib/routes/feeds.d.ts.map +1 -1
- package/dist/lib/routes/feeds.js +12 -2
- package/dist/lib/routes/feeds.js.map +1 -1
- package/dist/lib/routes/index.d.ts.map +1 -1
- package/dist/lib/routes/index.js +50 -0
- package/dist/lib/routes/index.js.map +1 -1
- package/dist/lib/routes/mfa.d.ts.map +1 -1
- package/dist/lib/routes/mfa.js +1 -0
- package/dist/lib/routes/mfa.js.map +1 -1
- package/dist/lib/routes/notifications.d.ts.map +1 -1
- package/dist/lib/routes/notifications.js +21 -4
- package/dist/lib/routes/notifications.js.map +1 -1
- package/dist/lib/routes/oauth.d.ts +15 -0
- package/dist/lib/routes/oauth.d.ts.map +1 -0
- package/dist/lib/routes/oauth.js +139 -0
- package/dist/lib/routes/oauth.js.map +1 -0
- package/dist/lib/routes/posts.d.ts.map +1 -1
- package/dist/lib/routes/posts.js +30 -19
- package/dist/lib/routes/posts.js.map +1 -1
- package/dist/lib/routes/products.d.ts.map +1 -1
- package/dist/lib/routes/products.js +19 -22
- package/dist/lib/routes/products.js.map +1 -1
- package/dist/lib/routes/setup-status.d.ts +34 -0
- package/dist/lib/routes/setup-status.d.ts.map +1 -0
- package/dist/lib/routes/setup-status.js +87 -0
- package/dist/lib/routes/setup-status.js.map +1 -0
- package/dist/lib/routes/taxonomy-analytics.d.ts.map +1 -1
- package/dist/lib/routes/taxonomy-analytics.js +15 -14
- package/dist/lib/routes/taxonomy-analytics.js.map +1 -1
- package/dist/lib/routes/taxonomy.d.ts.map +1 -1
- package/dist/lib/routes/taxonomy.js +19 -16
- package/dist/lib/routes/taxonomy.js.map +1 -1
- package/dist/lib/routes/tenant-audit.d.ts +19 -0
- package/dist/lib/routes/tenant-audit.d.ts.map +1 -0
- package/dist/lib/routes/tenant-audit.js +244 -0
- package/dist/lib/routes/tenant-audit.js.map +1 -0
- package/dist/lib/routes/tenant-compliance.d.ts +21 -0
- package/dist/lib/routes/tenant-compliance.d.ts.map +1 -0
- package/dist/lib/routes/tenant-compliance.js +122 -0
- package/dist/lib/routes/tenant-compliance.js.map +1 -0
- package/dist/lib/routes/tenant-domains.d.ts +11 -0
- package/dist/lib/routes/tenant-domains.d.ts.map +1 -0
- package/dist/lib/routes/tenant-domains.js +95 -0
- package/dist/lib/routes/tenant-domains.js.map +1 -0
- package/dist/lib/routes/tenant-idp.d.ts +3 -0
- package/dist/lib/routes/tenant-idp.d.ts.map +1 -0
- package/dist/lib/routes/tenant-idp.js +89 -0
- package/dist/lib/routes/tenant-idp.js.map +1 -0
- package/dist/lib/routes/tenant-members.d.ts +13 -0
- package/dist/lib/routes/tenant-members.d.ts.map +1 -0
- package/dist/lib/routes/tenant-members.js +75 -0
- package/dist/lib/routes/tenant-members.js.map +1 -0
- package/dist/lib/routes/tenant-role-mappings.d.ts +11 -0
- package/dist/lib/routes/tenant-role-mappings.d.ts.map +1 -0
- package/dist/lib/routes/tenant-role-mappings.js +90 -0
- package/dist/lib/routes/tenant-role-mappings.js.map +1 -0
- package/dist/lib/routes/tenants.d.ts +13 -0
- package/dist/lib/routes/tenants.d.ts.map +1 -0
- package/dist/lib/routes/tenants.js +121 -0
- package/dist/lib/routes/tenants.js.map +1 -0
- package/dist/lib/routes/types.d.ts +9 -0
- package/dist/lib/routes/types.d.ts.map +1 -1
- package/dist/lib/schemas.d.ts +2 -2
- package/dist/lib/secrets/idp-secrets.d.ts +51 -0
- package/dist/lib/secrets/idp-secrets.d.ts.map +1 -0
- package/dist/lib/secrets/idp-secrets.js +111 -0
- package/dist/lib/secrets/idp-secrets.js.map +1 -0
- package/dist/lib/security-monitor.d.ts.map +1 -1
- package/dist/lib/security-monitor.js +6 -1
- package/dist/lib/security-monitor.js.map +1 -1
- package/dist/lib/session-manager.d.ts +1 -0
- package/dist/lib/session-manager.d.ts.map +1 -1
- package/dist/lib/session-manager.js.map +1 -1
- package/dist/lib/taxonomy-handler-factory.d.ts +4 -2
- package/dist/lib/taxonomy-handler-factory.d.ts.map +1 -1
- package/dist/lib/taxonomy-handler-factory.js +8 -7
- package/dist/lib/taxonomy-handler-factory.js.map +1 -1
- package/dist/lib/tenant/audit-emit.d.ts +18 -0
- package/dist/lib/tenant/audit-emit.d.ts.map +1 -0
- package/dist/lib/tenant/audit-emit.js +16 -0
- package/dist/lib/tenant/audit-emit.js.map +1 -0
- package/dist/lib/tenant/derive-domain.d.ts +19 -0
- package/dist/lib/tenant/derive-domain.d.ts.map +1 -0
- package/dist/lib/tenant/derive-domain.js +38 -0
- package/dist/lib/tenant/derive-domain.js.map +1 -0
- package/dist/lib/tenant/domain-handler.d.ts +42 -0
- package/dist/lib/tenant/domain-handler.d.ts.map +1 -0
- package/dist/lib/tenant/domain-handler.js +344 -0
- package/dist/lib/tenant/domain-handler.js.map +1 -0
- package/dist/lib/tenant/domain-validator.d.ts +28 -0
- package/dist/lib/tenant/domain-validator.d.ts.map +1 -0
- package/dist/lib/tenant/domain-validator.js +145 -0
- package/dist/lib/tenant/domain-validator.js.map +1 -0
- package/dist/lib/tenant/domain-verifier.d.ts +30 -0
- package/dist/lib/tenant/domain-verifier.d.ts.map +1 -0
- package/dist/lib/tenant/domain-verifier.js +53 -0
- package/dist/lib/tenant/domain-verifier.js.map +1 -0
- package/dist/lib/tenant/idp-handler.d.ts +29 -0
- package/dist/lib/tenant/idp-handler.d.ts.map +1 -0
- package/dist/lib/tenant/idp-handler.js +693 -0
- package/dist/lib/tenant/idp-handler.js.map +1 -0
- package/dist/lib/tenant/idp-name.d.ts +2 -0
- package/dist/lib/tenant/idp-name.d.ts.map +1 -0
- package/dist/lib/tenant/idp-name.js +20 -0
- package/dist/lib/tenant/idp-name.js.map +1 -0
- package/dist/lib/tenant/member-handler.d.ts +31 -0
- package/dist/lib/tenant/member-handler.d.ts.map +1 -0
- package/dist/lib/tenant/member-handler.js +343 -0
- package/dist/lib/tenant/member-handler.js.map +1 -0
- package/dist/lib/tenant/reserved-slugs.d.ts +37 -0
- package/dist/lib/tenant/reserved-slugs.d.ts.map +1 -0
- package/dist/lib/tenant/reserved-slugs.js +116 -0
- package/dist/lib/tenant/reserved-slugs.js.map +1 -0
- package/dist/lib/tenant/resolve-role.d.ts +39 -0
- package/dist/lib/tenant/resolve-role.d.ts.map +1 -0
- package/dist/lib/tenant/resolve-role.js +60 -0
- package/dist/lib/tenant/resolve-role.js.map +1 -0
- package/dist/lib/tenant/role-mapping-handler.d.ts +26 -0
- package/dist/lib/tenant/role-mapping-handler.d.ts.map +1 -0
- package/dist/lib/tenant/role-mapping-handler.js +260 -0
- package/dist/lib/tenant/role-mapping-handler.js.map +1 -0
- package/dist/lib/tenant/setup-status.d.ts +83 -0
- package/dist/lib/tenant/setup-status.d.ts.map +1 -0
- package/dist/lib/tenant/setup-status.js +201 -0
- package/dist/lib/tenant/setup-status.js.map +1 -0
- package/dist/lib/tenant/slug-validator.d.ts +31 -0
- package/dist/lib/tenant/slug-validator.d.ts.map +1 -0
- package/dist/lib/tenant/slug-validator.js +42 -0
- package/dist/lib/tenant/slug-validator.js.map +1 -0
- package/dist/lib/tenant/tenant-handler.d.ts +49 -0
- package/dist/lib/tenant/tenant-handler.d.ts.map +1 -0
- package/dist/lib/tenant/tenant-handler.js +377 -0
- package/dist/lib/tenant/tenant-handler.js.map +1 -0
- package/dist/lib/tenant/transfer-ownership.d.ts +39 -0
- package/dist/lib/tenant/transfer-ownership.d.ts.map +1 -0
- package/dist/lib/tenant/transfer-ownership.js +66 -0
- package/dist/lib/tenant/transfer-ownership.js.map +1 -0
- package/dist/lib/user/derive-handle.d.ts +29 -0
- package/dist/lib/user/derive-handle.d.ts.map +1 -0
- package/dist/lib/user/derive-handle.js +65 -0
- package/dist/lib/user/derive-handle.js.map +1 -0
- package/dist/lib/user-deprovisioning.d.ts +11 -1
- package/dist/lib/user-deprovisioning.d.ts.map +1 -1
- package/dist/lib/user-deprovisioning.js +46 -2
- package/dist/lib/user-deprovisioning.js.map +1 -1
- package/dist/lib/validation/feature-toggle-schemas.d.ts +10 -10
- package/package.json +7 -5
- package/prisma/migrations/20260502094501_add_tenancy_model/migration.sql +334 -0
- package/prisma/migrations/20260503000000_add_tenant_region/migration.sql +4 -0
- package/prisma/schema.prisma +324 -74
- package/src/lambda/nightly-cron.ts +4 -1
- package/src/lambda/post-confirmation.ts +405 -29
- package/src/lambda/pre-token-generation.ts +300 -59
|
@@ -0,0 +1,201 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/**
|
|
3
|
+
* Setup-status: machine-friendly tenant onboarding progress.
|
|
4
|
+
*
|
|
5
|
+
* `computeSetupStatus` is a pure function — it does no I/O and can be tested
|
|
6
|
+
* without a database. `loadSetupStatus` performs the Prisma query and calls
|
|
7
|
+
* `computeSetupStatus` with the results.
|
|
8
|
+
*/
|
|
9
|
+
var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
|
|
10
|
+
if (k2 === undefined) k2 = k;
|
|
11
|
+
var desc = Object.getOwnPropertyDescriptor(m, k);
|
|
12
|
+
if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
|
|
13
|
+
desc = { enumerable: true, get: function() { return m[k]; } };
|
|
14
|
+
}
|
|
15
|
+
Object.defineProperty(o, k2, desc);
|
|
16
|
+
}) : (function(o, m, k, k2) {
|
|
17
|
+
if (k2 === undefined) k2 = k;
|
|
18
|
+
o[k2] = m[k];
|
|
19
|
+
}));
|
|
20
|
+
var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
|
|
21
|
+
Object.defineProperty(o, "default", { enumerable: true, value: v });
|
|
22
|
+
}) : function(o, v) {
|
|
23
|
+
o["default"] = v;
|
|
24
|
+
});
|
|
25
|
+
var __importStar = (this && this.__importStar) || (function () {
|
|
26
|
+
var ownKeys = function(o) {
|
|
27
|
+
ownKeys = Object.getOwnPropertyNames || function (o) {
|
|
28
|
+
var ar = [];
|
|
29
|
+
for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
|
|
30
|
+
return ar;
|
|
31
|
+
};
|
|
32
|
+
return ownKeys(o);
|
|
33
|
+
};
|
|
34
|
+
return function (mod) {
|
|
35
|
+
if (mod && mod.__esModule) return mod;
|
|
36
|
+
var result = {};
|
|
37
|
+
if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
|
|
38
|
+
__setModuleDefault(result, mod);
|
|
39
|
+
return result;
|
|
40
|
+
};
|
|
41
|
+
})();
|
|
42
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
43
|
+
exports.computeSetupStatus = computeSetupStatus;
|
|
44
|
+
exports.loadSetupStatus = loadSetupStatus;
|
|
45
|
+
// ── Pure computation ────────────────────────────────────────────────────────
|
|
46
|
+
/**
|
|
47
|
+
* Deterministically derive the setup-status object from snapshot data.
|
|
48
|
+
* No side effects; safe to call in unit tests without any database.
|
|
49
|
+
*/
|
|
50
|
+
function computeSetupStatus(input) {
|
|
51
|
+
const { tenantId, tenantExists, hasTestSignIn, domains, idp, roleMappings } = input;
|
|
52
|
+
// ── tenant section ────────────────────────────────────────────────────────
|
|
53
|
+
const tenantSection = {
|
|
54
|
+
status: tenantExists ? "ok" : "missing",
|
|
55
|
+
tenantId,
|
|
56
|
+
};
|
|
57
|
+
// ── domains section ───────────────────────────────────────────────────────
|
|
58
|
+
const domainItems = domains.map((d) => ({
|
|
59
|
+
domain: d.domain,
|
|
60
|
+
verifiedAt: d.verifiedAt ? d.verifiedAt.toISOString() : null,
|
|
61
|
+
status: d.verifiedAt ? "verified" : d.failedAt ? "failed" : "pending",
|
|
62
|
+
}));
|
|
63
|
+
// ── idp section ───────────────────────────────────────────────────────────
|
|
64
|
+
const idpSection = idp
|
|
65
|
+
? {
|
|
66
|
+
kind: idp.kind,
|
|
67
|
+
status: idp.status,
|
|
68
|
+
issuerUrl: idp.issuerUrl,
|
|
69
|
+
}
|
|
70
|
+
: null;
|
|
71
|
+
// ── roleMappings section ──────────────────────────────────────────────────
|
|
72
|
+
const roleMappingItems = roleMappings.map((r) => ({
|
|
73
|
+
id: r.id,
|
|
74
|
+
externalGroup: r.externalGroup,
|
|
75
|
+
tenantRole: r.tenantRole,
|
|
76
|
+
}));
|
|
77
|
+
// ── nextStep computation ──────────────────────────────────────────────────
|
|
78
|
+
const verifiedDomains = domainItems.filter((d) => d.status === "verified");
|
|
79
|
+
const unverifiedDomains = domainItems.filter((d) => d.status !== "verified");
|
|
80
|
+
const idpActive = idpSection !== null && idpSection.status === "ACTIVE";
|
|
81
|
+
let nextStep;
|
|
82
|
+
if (domainItems.length === 0) {
|
|
83
|
+
nextStep = {
|
|
84
|
+
code: "DOMAIN_REQUIRED",
|
|
85
|
+
message: "Add a domain to verify ownership before connecting an identity provider.",
|
|
86
|
+
endpoint: `POST /api/tenants/${tenantId}/domains`,
|
|
87
|
+
remediation: "Call POST /api/tenants/{id}/domains with { \"domain\": \"yourdomain.com\" } to claim your domain.",
|
|
88
|
+
};
|
|
89
|
+
}
|
|
90
|
+
else if (verifiedDomains.length === 0 && unverifiedDomains.length > 0) {
|
|
91
|
+
// Has domains claimed but none verified (includes pending and failed states).
|
|
92
|
+
nextStep = {
|
|
93
|
+
code: "DOMAIN_VERIFICATION_PENDING",
|
|
94
|
+
message: "At least one domain is claimed but not yet verified. Add the DNS TXT record and verify.",
|
|
95
|
+
endpoint: `POST /api/tenants/${tenantId}/domains/{domainId}/verify`,
|
|
96
|
+
remediation: "Add the TXT record to your DNS provider then call POST /api/tenants/{id}/domains/{domainId}/verify.",
|
|
97
|
+
};
|
|
98
|
+
}
|
|
99
|
+
else if (idpSection === null) {
|
|
100
|
+
nextStep = {
|
|
101
|
+
code: "IDP_REQUIRED",
|
|
102
|
+
message: "No identity provider is connected. Connect an OIDC IdP to enable federated sign-in.",
|
|
103
|
+
endpoint: `POST /api/tenants/${tenantId}/identity-provider`,
|
|
104
|
+
remediation: "Call POST /api/tenants/{id}/identity-provider with { \"kind\": \"OIDC\", \"issuerUrl\": \"...\", ... }.",
|
|
105
|
+
};
|
|
106
|
+
}
|
|
107
|
+
else if (!idpActive) {
|
|
108
|
+
// IdP exists but is DISABLED or PENDING
|
|
109
|
+
nextStep = {
|
|
110
|
+
code: "IDP_REQUIRED",
|
|
111
|
+
message: `Identity provider is not active (status: ${idpSection.status}). Enable it to allow federated sign-in.`,
|
|
112
|
+
endpoint: `PATCH /api/tenants/${tenantId}/identity-provider`,
|
|
113
|
+
remediation: "Call PATCH /api/tenants/{id}/identity-provider with { \"status\": \"ACTIVE\" }.",
|
|
114
|
+
};
|
|
115
|
+
}
|
|
116
|
+
else if (roleMappingItems.length === 0) {
|
|
117
|
+
nextStep = {
|
|
118
|
+
code: "ROLE_MAPPING_REQUIRED",
|
|
119
|
+
message: "No role mappings are configured. Add at least one mapping to assign roles to IdP groups.",
|
|
120
|
+
endpoint: `POST /api/tenants/${tenantId}/role-mappings`,
|
|
121
|
+
remediation: "Call POST /api/tenants/{id}/role-mappings with { \"externalGroup\": \"...\", \"tenantRole\": \"MEMBER\" }.",
|
|
122
|
+
};
|
|
123
|
+
}
|
|
124
|
+
else if (!hasTestSignIn) {
|
|
125
|
+
nextStep = {
|
|
126
|
+
code: "TEST_SIGN_IN",
|
|
127
|
+
message: "Setup looks complete. Perform a test federated sign-in to confirm the flow works end-to-end.",
|
|
128
|
+
endpoint: `GET /api/auth/discover`,
|
|
129
|
+
remediation: "Use a test account in your IdP to sign in via POST /api/auth/discover and verify the redirect flow.",
|
|
130
|
+
};
|
|
131
|
+
}
|
|
132
|
+
else {
|
|
133
|
+
nextStep = {
|
|
134
|
+
code: "COMPLETE",
|
|
135
|
+
message: "Tenant setup is complete. Federated sign-in is operational.",
|
|
136
|
+
endpoint: `GET /api/tenants/${tenantId}/setup-status`,
|
|
137
|
+
remediation: "No action required.",
|
|
138
|
+
};
|
|
139
|
+
}
|
|
140
|
+
return {
|
|
141
|
+
tenant: tenantSection,
|
|
142
|
+
domains: domainItems,
|
|
143
|
+
idp: idpSection,
|
|
144
|
+
roleMappings: roleMappingItems,
|
|
145
|
+
nextStep,
|
|
146
|
+
};
|
|
147
|
+
}
|
|
148
|
+
// ── Loader (Prisma I/O) ─────────────────────────────────────────────────────
|
|
149
|
+
/**
|
|
150
|
+
* Fetch all data needed to compute setup-status in a single read transaction,
|
|
151
|
+
* then return the computed status object.
|
|
152
|
+
*/
|
|
153
|
+
async function loadSetupStatus(tenantId, env) {
|
|
154
|
+
const { createPrisma } = await Promise.resolve().then(() => __importStar(require("../../db")));
|
|
155
|
+
const db = createPrisma(env);
|
|
156
|
+
// Single transaction to get a consistent snapshot.
|
|
157
|
+
const [tenant, domains, idpRow, roleMappings, testSignInEvent] = await db.$transaction([
|
|
158
|
+
db.tenant.findUnique({
|
|
159
|
+
where: { id: tenantId },
|
|
160
|
+
select: { id: true },
|
|
161
|
+
}),
|
|
162
|
+
db.tenantDomain.findMany({
|
|
163
|
+
where: { tenantId },
|
|
164
|
+
select: { domain: true, verifiedAt: true },
|
|
165
|
+
orderBy: { domain: "asc" },
|
|
166
|
+
}),
|
|
167
|
+
db.tenantIdentityProvider.findUnique({
|
|
168
|
+
where: { tenantId },
|
|
169
|
+
select: { kind: true, status: true, issuerUrl: true },
|
|
170
|
+
}),
|
|
171
|
+
db.tenantRoleMapping.findMany({
|
|
172
|
+
where: { tenantId },
|
|
173
|
+
select: { id: true, idpGroupName: true, tenantRole: true },
|
|
174
|
+
orderBy: { idpGroupName: "asc" },
|
|
175
|
+
}),
|
|
176
|
+
db.securityEvent.findFirst({
|
|
177
|
+
where: {
|
|
178
|
+
tenantId,
|
|
179
|
+
type: "tenant.federated_login.success",
|
|
180
|
+
},
|
|
181
|
+
select: { id: true },
|
|
182
|
+
}),
|
|
183
|
+
]);
|
|
184
|
+
if (!tenant)
|
|
185
|
+
return null;
|
|
186
|
+
return computeSetupStatus({
|
|
187
|
+
tenantId,
|
|
188
|
+
tenantExists: true,
|
|
189
|
+
hasTestSignIn: Boolean(testSignInEvent),
|
|
190
|
+
domains,
|
|
191
|
+
idp: idpRow
|
|
192
|
+
? { kind: String(idpRow.kind), status: String(idpRow.status), issuerUrl: idpRow.issuerUrl }
|
|
193
|
+
: null,
|
|
194
|
+
roleMappings: roleMappings.map((r) => ({
|
|
195
|
+
id: r.id,
|
|
196
|
+
externalGroup: r.idpGroupName,
|
|
197
|
+
tenantRole: String(r.tenantRole),
|
|
198
|
+
})),
|
|
199
|
+
});
|
|
200
|
+
}
|
|
201
|
+
//# sourceMappingURL=setup-status.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"setup-status.js","sourceRoot":"","sources":["../../../src/lib/tenant/setup-status.ts"],"names":[],"mappings":";AAAA;;;;;;GAMG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAkGH,gDAmGC;AAQD,0CAoDC;AArKD,+EAA+E;AAE/E;;;GAGG;AACH,SAAgB,kBAAkB,CAAC,KAAuB;IACxD,MAAM,EAAE,QAAQ,EAAE,YAAY,EAAE,aAAa,EAAE,OAAO,EAAE,GAAG,EAAE,YAAY,EAAE,GAAG,KAAK,CAAC;IAEpF,6EAA6E;IAC7E,MAAM,aAAa,GAAuB;QACxC,MAAM,EAAE,YAAY,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,SAAS;QACvC,QAAQ;KACT,CAAC;IAEF,6EAA6E;IAC7E,MAAM,WAAW,GAAkB,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACrD,MAAM,EAAE,CAAC,CAAC,MAAM;QAChB,UAAU,EAAE,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,WAAW,EAAE,CAAC,CAAC,CAAC,IAAI;QAC5D,MAAM,EAAE,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,SAAS;KACtE,CAAC,CAAC,CAAC;IAEJ,6EAA6E;IAC7E,MAAM,UAAU,GAAoB,GAAG;QACrC,CAAC,CAAC;YACE,IAAI,EAAE,GAAG,CAAC,IAAI;YACd,MAAM,EAAE,GAAG,CAAC,MAAmB;YAC/B,SAAS,EAAE,GAAG,CAAC,SAAS;SACzB;QACH,CAAC,CAAC,IAAI,CAAC;IAET,6EAA6E;IAC7E,MAAM,gBAAgB,GAAuB,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;QACpE,EAAE,EAAE,CAAC,CAAC,EAAE;QACR,aAAa,EAAE,CAAC,CAAC,aAAa;QAC9B,UAAU,EAAE,CAAC,CAAC,UAAU;KACzB,CAAC,CAAC,CAAC;IAEJ,6EAA6E;IAC7E,MAAM,eAAe,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,UAAU,CAAC,CAAC;IAC3E,MAAM,iBAAiB,GAAG,WAAW,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,KAAK,UAAU,CAAC,CAAC;IAC7E,MAAM,SAAS,GAAG,UAAU,KAAK,IAAI,IAAI,UAAU,CAAC,MAAM,KAAK,QAAQ,CAAC;IAExE,IAAI,QAAkB,CAAC;IAEvB,IAAI,WAAW,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QAC7B,QAAQ,GAAG;YACT,IAAI,EAAE,iBAAiB;YACvB,OAAO,EAAE,0EAA0E;YACnF,QAAQ,EAAE,qBAAqB,QAAQ,UAAU;YACjD,WAAW,EAAE,mGAAmG;SACjH,CAAC;IACJ,CAAC;SAAM,IAAI,eAAe,CAAC,MAAM,KAAK,CAAC,IAAI,iBAAiB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACxE,8EAA8E;QAC9E,QAAQ,GAAG;YACT,IAAI,EAAE,6BAA6B;YACnC,OAAO,EAAE,yFAAyF;YAClG,QAAQ,EAAE,qBAAqB,QAAQ,4BAA4B;YACnE,WAAW,EAAE,qGAAqG;SACnH,CAAC;IACJ,CAAC;SAAM,IAAI,UAAU,KAAK,IAAI,EAAE,CAAC;QAC/B,QAAQ,GAAG;YACT,IAAI,EAAE,cAAc;YACpB,OAAO,EAAE,qFAAqF;YAC9F,QAAQ,EAAE,qBAAqB,QAAQ,oBAAoB;YAC3D,WAAW,EAAE,yGAAyG;SACvH,CAAC;IACJ,CAAC;SAAM,IAAI,CAAC,SAAS,EAAE,CAAC;QACtB,wCAAwC;QACxC,QAAQ,GAAG;YACT,IAAI,EAAE,cAAc;YACpB,OAAO,EAAE,4CAA4C,UAAU,CAAC,MAAM,0CAA0C;YAChH,QAAQ,EAAE,sBAAsB,QAAQ,oBAAoB;YAC5D,WAAW,EAAE,iFAAiF;SAC/F,CAAC;IACJ,CAAC;SAAM,IAAI,gBAAgB,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;QACzC,QAAQ,GAAG;YACT,IAAI,EAAE,uBAAuB;YAC7B,OAAO,EAAE,0FAA0F;YACnG,QAAQ,EAAE,qBAAqB,QAAQ,gBAAgB;YACvD,WAAW,EAAE,4GAA4G;SAC1H,CAAC;IACJ,CAAC;SAAM,IAAI,CAAC,aAAa,EAAE,CAAC;QAC1B,QAAQ,GAAG;YACT,IAAI,EAAE,cAAc;YACpB,OAAO,EAAE,8FAA8F;YACvG,QAAQ,EAAE,wBAAwB;YAClC,WAAW,EAAE,qGAAqG;SACnH,CAAC;IACJ,CAAC;SAAM,CAAC;QACN,QAAQ,GAAG;YACT,IAAI,EAAE,UAAU;YAChB,OAAO,EAAE,6DAA6D;YACtE,QAAQ,EAAE,oBAAoB,QAAQ,eAAe;YACrD,WAAW,EAAE,qBAAqB;SACnC,CAAC;IACJ,CAAC;IAED,OAAO;QACL,MAAM,EAAE,aAAa;QACrB,OAAO,EAAE,WAAW;QACpB,GAAG,EAAE,UAAU;QACf,YAAY,EAAE,gBAAgB;QAC9B,QAAQ;KACT,CAAC;AACJ,CAAC;AAED,+EAA+E;AAE/E;;;GAGG;AACI,KAAK,UAAU,eAAe,CACnC,QAAgB,EAChB,GAAQ;IAER,MAAM,EAAE,YAAY,EAAE,GAAG,wDAAa,UAAU,GAAC,CAAC;IAClD,MAAM,EAAE,GAAG,YAAY,CAAC,GAAG,CAAC,CAAC;IAE7B,mDAAmD;IACnD,MAAM,CAAC,MAAM,EAAE,OAAO,EAAE,MAAM,EAAE,YAAY,EAAE,eAAe,CAAC,GAAG,MAAM,EAAE,CAAC,YAAY,CAAC;QACrF,EAAE,CAAC,MAAM,CAAC,UAAU,CAAC;YACnB,KAAK,EAAE,EAAE,EAAE,EAAE,QAAQ,EAAE;YACvB,MAAM,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE;SACrB,CAAC;QACF,EAAE,CAAC,YAAY,CAAC,QAAQ,CAAC;YACvB,KAAK,EAAE,EAAE,QAAQ,EAAE;YACnB,MAAM,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE;YAC1C,OAAO,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE;SAC3B,CAAC;QACF,EAAE,CAAC,sBAAsB,CAAC,UAAU,CAAC;YACnC,KAAK,EAAE,EAAE,QAAQ,EAAE;YACnB,MAAM,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,SAAS,EAAE,IAAI,EAAE;SACtD,CAAC;QACF,EAAE,CAAC,iBAAiB,CAAC,QAAQ,CAAC;YAC5B,KAAK,EAAE,EAAE,QAAQ,EAAE;YACnB,MAAM,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE;YAC1D,OAAO,EAAE,EAAE,YAAY,EAAE,KAAK,EAAE;SACjC,CAAC;QACF,EAAE,CAAC,aAAa,CAAC,SAAS,CAAC;YACzB,KAAK,EAAE;gBACL,QAAQ;gBACR,IAAI,EAAE,gCAAgC;aACvC;YACD,MAAM,EAAE,EAAE,EAAE,EAAE,IAAI,EAAE;SACrB,CAAC;KACH,CAAC,CAAC;IAEH,IAAI,CAAC,MAAM;QAAE,OAAO,IAAI,CAAC;IAEzB,OAAO,kBAAkB,CAAC;QACxB,QAAQ;QACR,YAAY,EAAE,IAAI;QAClB,aAAa,EAAE,OAAO,CAAC,eAAe,CAAC;QACvC,OAAO;QACP,GAAG,EAAE,MAAM;YACT,CAAC,CAAC,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,EAAE,MAAM,EAAE,MAAM,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,SAAS,EAAE,MAAM,CAAC,SAAS,EAAE;YAC3F,CAAC,CAAC,IAAI;QACR,YAAY,EAAE,YAAY,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC;YACrC,EAAE,EAAE,CAAC,CAAC,EAAE;YACR,aAAa,EAAE,CAAC,CAAC,YAAY;YAC7B,UAAU,EAAE,MAAM,CAAC,CAAC,CAAC,UAAU,CAAC;SACjC,CAAC,CAAC;KACJ,CAAC,CAAC;AACL,CAAC"}
|
|
@@ -0,0 +1,31 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Slug Validator
|
|
3
|
+
*
|
|
4
|
+
* Wraps the T1 slug regex and reserved-list into a typed result that
|
|
5
|
+
* route handlers can pattern-match on.
|
|
6
|
+
*/
|
|
7
|
+
export type SlugValidationResult = {
|
|
8
|
+
ok: true;
|
|
9
|
+
} | {
|
|
10
|
+
ok: false;
|
|
11
|
+
code: "INVALID_FORMAT";
|
|
12
|
+
message: string;
|
|
13
|
+
} | {
|
|
14
|
+
ok: false;
|
|
15
|
+
code: "RESERVED";
|
|
16
|
+
message: string;
|
|
17
|
+
};
|
|
18
|
+
/**
|
|
19
|
+
* Full admission check for a tenant slug: format + reserved-list.
|
|
20
|
+
*
|
|
21
|
+
* Negative test cases (must never pass):
|
|
22
|
+
* - Shell-escape attempts: "foo; rm -rf", "$(evil)", "`cmd`" → INVALID_FORMAT (non-[a-z0-9-])
|
|
23
|
+
* - URL-injection: "../admin", "//evil.com", "%2F" → INVALID_FORMAT
|
|
24
|
+
* - Leading/trailing hyphen: "-foo", "foo-" → INVALID_FORMAT
|
|
25
|
+
* - Double-hyphen: "foo--bar" → INVALID_FORMAT
|
|
26
|
+
* - Too short: "ab" (2 chars) → INVALID_FORMAT
|
|
27
|
+
* - Too long: 41+ chars → INVALID_FORMAT
|
|
28
|
+
* - Reserved word: "admin", "system" → RESERVED
|
|
29
|
+
*/
|
|
30
|
+
export declare function validateTenantSlug(slug: string): SlugValidationResult;
|
|
31
|
+
//# sourceMappingURL=slug-validator.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"slug-validator.d.ts","sourceRoot":"","sources":["../../../src/lib/tenant/slug-validator.ts"],"names":[],"mappings":"AAAA;;;;;GAKG;AAIH,MAAM,MAAM,oBAAoB,GAC5B;IAAE,EAAE,EAAE,IAAI,CAAA;CAAE,GACZ;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,IAAI,EAAE,gBAAgB,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,GACtD;IAAE,EAAE,EAAE,KAAK,CAAC;IAAC,IAAI,EAAE,UAAU,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AAErD;;;;;;;;;;;GAWG;AACH,wBAAgB,kBAAkB,CAAC,IAAI,EAAE,MAAM,GAAG,oBAAoB,CAmBrE"}
|
|
@@ -0,0 +1,42 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/**
|
|
3
|
+
* Slug Validator
|
|
4
|
+
*
|
|
5
|
+
* Wraps the T1 slug regex and reserved-list into a typed result that
|
|
6
|
+
* route handlers can pattern-match on.
|
|
7
|
+
*/
|
|
8
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
9
|
+
exports.validateTenantSlug = validateTenantSlug;
|
|
10
|
+
const reserved_slugs_1 = require("./reserved-slugs");
|
|
11
|
+
/**
|
|
12
|
+
* Full admission check for a tenant slug: format + reserved-list.
|
|
13
|
+
*
|
|
14
|
+
* Negative test cases (must never pass):
|
|
15
|
+
* - Shell-escape attempts: "foo; rm -rf", "$(evil)", "`cmd`" → INVALID_FORMAT (non-[a-z0-9-])
|
|
16
|
+
* - URL-injection: "../admin", "//evil.com", "%2F" → INVALID_FORMAT
|
|
17
|
+
* - Leading/trailing hyphen: "-foo", "foo-" → INVALID_FORMAT
|
|
18
|
+
* - Double-hyphen: "foo--bar" → INVALID_FORMAT
|
|
19
|
+
* - Too short: "ab" (2 chars) → INVALID_FORMAT
|
|
20
|
+
* - Too long: 41+ chars → INVALID_FORMAT
|
|
21
|
+
* - Reserved word: "admin", "system" → RESERVED
|
|
22
|
+
*/
|
|
23
|
+
function validateTenantSlug(slug) {
|
|
24
|
+
const code = (0, reserved_slugs_1.validateSlug)(slug);
|
|
25
|
+
if (code === "INVALID_FORMAT") {
|
|
26
|
+
return {
|
|
27
|
+
ok: false,
|
|
28
|
+
code: "INVALID_FORMAT",
|
|
29
|
+
message: "Slug must be 3–40 lowercase alphanumeric characters or hyphens, " +
|
|
30
|
+
"start and end with an alphanumeric character, and contain no consecutive hyphens.",
|
|
31
|
+
};
|
|
32
|
+
}
|
|
33
|
+
if (code === "RESERVED") {
|
|
34
|
+
return {
|
|
35
|
+
ok: false,
|
|
36
|
+
code: "RESERVED",
|
|
37
|
+
message: "This slug is reserved and cannot be used.",
|
|
38
|
+
};
|
|
39
|
+
}
|
|
40
|
+
return { ok: true };
|
|
41
|
+
}
|
|
42
|
+
//# sourceMappingURL=slug-validator.js.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"slug-validator.js","sourceRoot":"","sources":["../../../src/lib/tenant/slug-validator.ts"],"names":[],"mappings":";AAAA;;;;;GAKG;;AAqBH,gDAmBC;AAtCD,qDAAgD;AAOhD;;;;;;;;;;;GAWG;AACH,SAAgB,kBAAkB,CAAC,IAAY;IAC7C,MAAM,IAAI,GAAG,IAAA,6BAAY,EAAC,IAAI,CAAC,CAAC;IAChC,IAAI,IAAI,KAAK,gBAAgB,EAAE,CAAC;QAC9B,OAAO;YACL,EAAE,EAAE,KAAK;YACT,IAAI,EAAE,gBAAgB;YACtB,OAAO,EACL,kEAAkE;gBAClE,mFAAmF;SACtF,CAAC;IACJ,CAAC;IACD,IAAI,IAAI,KAAK,UAAU,EAAE,CAAC;QACxB,OAAO;YACL,EAAE,EAAE,KAAK;YACT,IAAI,EAAE,UAAU;YAChB,OAAO,EAAE,2CAA2C;SACrD,CAAC;IACJ,CAAC;IACD,OAAO,EAAE,EAAE,EAAE,IAAI,EAAE,CAAC;AACtB,CAAC"}
|
|
@@ -0,0 +1,49 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Tenant CRUD Handler
|
|
3
|
+
*
|
|
4
|
+
* Handlers for:
|
|
5
|
+
* - POST /api/tenants — create org tenant
|
|
6
|
+
* - GET /api/tenants/:id — read tenant
|
|
7
|
+
* - PATCH /api/tenants/:id — update displayName
|
|
8
|
+
* - GET /api/users/me/tenants — list caller's memberships
|
|
9
|
+
* - POST /api/auth/switch-tenant — change active tenant + invalidate cache
|
|
10
|
+
* - POST /api/tenants/:id/transfer-ownership — OWNER hand-off
|
|
11
|
+
*/
|
|
12
|
+
import type { Env } from "../../env";
|
|
13
|
+
import type { AuthContext } from "../auth/auth-context";
|
|
14
|
+
export declare class TenantHandler {
|
|
15
|
+
/**
|
|
16
|
+
* POST /api/tenants
|
|
17
|
+
* Creates an ORGANIZATION tenant. Caller becomes OWNER.
|
|
18
|
+
* If caller is END_USER their global role is bumped to B2B_PARTNER.
|
|
19
|
+
*/
|
|
20
|
+
handleCreate(request: Request, auth: AuthContext, env: Env): Promise<Response>;
|
|
21
|
+
/**
|
|
22
|
+
* GET /api/tenants/:id
|
|
23
|
+
* Returns the tenant. Caller must be an active member.
|
|
24
|
+
*/
|
|
25
|
+
handleGet(tenantId: string, auth: AuthContext, env: Env): Promise<Response>;
|
|
26
|
+
/**
|
|
27
|
+
* PATCH /api/tenants/:id
|
|
28
|
+
* Updates displayName. Requires OWNER or ADMIN.
|
|
29
|
+
*/
|
|
30
|
+
handleUpdate(tenantId: string, request: Request, auth: AuthContext, env: Env): Promise<Response>;
|
|
31
|
+
/**
|
|
32
|
+
* GET /api/users/me/tenants
|
|
33
|
+
* Lists all active tenant memberships for the caller.
|
|
34
|
+
*/
|
|
35
|
+
handleListMyTenants(auth: AuthContext, env: Env): Promise<Response>;
|
|
36
|
+
/**
|
|
37
|
+
* POST /api/auth/switch-tenant
|
|
38
|
+
* Changes the user's active tenant. Invalidates DynamoDB claim cache so
|
|
39
|
+
* the next token refresh picks up the new activeTenantId.
|
|
40
|
+
*/
|
|
41
|
+
handleSwitchTenant(request: Request, auth: AuthContext, env: Env): Promise<Response>;
|
|
42
|
+
/**
|
|
43
|
+
* POST /api/tenants/:id/transfer-ownership
|
|
44
|
+
* Current OWNER hands off ownership to another active member.
|
|
45
|
+
* Both users' cache entries are invalidated.
|
|
46
|
+
*/
|
|
47
|
+
handleTransferOwnership(tenantId: string, request: Request, auth: AuthContext, env: Env): Promise<Response>;
|
|
48
|
+
}
|
|
49
|
+
//# sourceMappingURL=tenant-handler.d.ts.map
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"tenant-handler.d.ts","sourceRoot":"","sources":["../../../src/lib/tenant/tenant-handler.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;GAUG;AAGH,OAAO,KAAK,EAAE,GAAG,EAAE,MAAM,WAAW,CAAC;AACrC,OAAO,KAAK,EAAE,WAAW,EAAE,MAAM,sBAAsB,CAAC;AAWxD,qBAAa,aAAa;IACxB;;;;OAIG;IACG,YAAY,CAChB,OAAO,EAAE,OAAO,EAChB,IAAI,EAAE,WAAW,EACjB,GAAG,EAAE,GAAG,GACP,OAAO,CAAC,QAAQ,CAAC;IAgGpB;;;OAGG;IACG,SAAS,CACb,QAAQ,EAAE,MAAM,EAChB,IAAI,EAAE,WAAW,EACjB,GAAG,EAAE,GAAG,GACP,OAAO,CAAC,QAAQ,CAAC;IAmCpB;;;OAGG;IACG,YAAY,CAChB,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,OAAO,EAChB,IAAI,EAAE,WAAW,EACjB,GAAG,EAAE,GAAG,GACP,OAAO,CAAC,QAAQ,CAAC;IAiEpB;;;OAGG;IACG,mBAAmB,CACvB,IAAI,EAAE,WAAW,EACjB,GAAG,EAAE,GAAG,GACP,OAAO,CAAC,QAAQ,CAAC;IAoCpB;;;;OAIG;IACG,kBAAkB,CACtB,OAAO,EAAE,OAAO,EAChB,IAAI,EAAE,WAAW,EACjB,GAAG,EAAE,GAAG,GACP,OAAO,CAAC,QAAQ,CAAC;IAuFpB;;;;OAIG;IACG,uBAAuB,CAC3B,QAAQ,EAAE,MAAM,EAChB,OAAO,EAAE,OAAO,EAChB,IAAI,EAAE,WAAW,EACjB,GAAG,EAAE,GAAG,GACP,OAAO,CAAC,QAAQ,CAAC;CAyFrB"}
|