@happyvertical/smrt-tenancy 0.34.0 → 0.34.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (17) hide show
  1. package/dist/adapters/index.js +1 -1
  2. package/dist/chunks/{context-B5CKsmMi.js → context-DfTygamS.js} +10 -10
  3. package/dist/chunks/{context-B5CKsmMi.js.map → context-DfTygamS.js.map} +1 -1
  4. package/dist/chunks/{sveltekit-9eRH1RLw.js → sveltekit-C2HTOgcm.js} +2 -2
  5. package/dist/chunks/{sveltekit-9eRH1RLw.js.map → sveltekit-C2HTOgcm.js.map} +1 -1
  6. package/dist/chunks/{testing-xgmq8uDP.js → testing-DyAqaOBC.js} +2 -2
  7. package/dist/chunks/{testing-xgmq8uDP.js.map → testing-DyAqaOBC.js.map} +1 -1
  8. package/dist/index.d.ts +1 -0
  9. package/dist/index.d.ts.map +1 -1
  10. package/dist/index.js +51 -17
  11. package/dist/index.js.map +1 -1
  12. package/dist/manifest.json +2 -2
  13. package/dist/smrt-knowledge.json +4 -4
  14. package/dist/tenant-global-queries.d.ts +33 -0
  15. package/dist/tenant-global-queries.d.ts.map +1 -0
  16. package/dist/testing.js +2 -2
  17. package/package.json +5 -5
package/dist/adapters/index.js CHANGED
@@ -1,4 +1,4 @@
1
- import { c, a, b } from "../chunks/sveltekit-9eRH1RLw.js";
1
+ import { c, a, b } from "../chunks/sveltekit-C2HTOgcm.js";
2
2
  export {
3
3
  c as createCliContext,
4
4
  a as createExpressMiddleware,
package/dist/chunks/{context-B5CKsmMi.js → context-DfTygamS.js} RENAMED
@@ -171,20 +171,20 @@ class TenantIsolationError extends Error {
171
171
  }
172
172
  }
173
173
  export {
174
- TenantContext as T,
175
- TenantContextError as a,
176
- TenantIsolationError as b,
177
- getTenantId as c,
178
- isSystemContext as d,
174
+ TenantIsolationError as T,
175
+ withSystemContext as a,
176
+ TenantContext as b,
177
+ TenantContextError as c,
178
+ getTenantId as d,
179
179
  enterTenantContext as e,
180
- requireTenantId as f,
180
+ isSystemContext as f,
181
181
  getCurrentTenant as g,
182
182
  hasTenantContext as h,
183
183
  isSuperAdminBypass as i,
184
- withSystemContext as j,
185
- withTenant as k,
184
+ requireTenantId as j,
185
+ withSuperAdminBypass as k,
186
186
  withTenantSync as l,
187
187
  requireTenant as r,
188
- withSuperAdminBypass as w
188
+ withTenant as w
189
189
  };
190
- //# sourceMappingURL=context-B5CKsmMi.js.map
190
+ //# sourceMappingURL=context-DfTygamS.js.map
package/dist/chunks/{context-B5CKsmMi.js.map → context-DfTygamS.js.map} RENAMED
@@ -1 +1 @@
1
- {"version":3,"file":"context-B5CKsmMi.js","sources":["../../src/context.ts"],"sourcesContent":["/**\n * TenantContext - AsyncLocalStorage-based tenant context propagation\n *\n * Provides request-scoped tenant context that flows through async operations.\n * This is the core of the tenancy system - all tenant isolation depends on\n * having a valid context.\n *\n * @example Basic usage with middleware\n * ```typescript\n * import { withTenant, requireTenantId } from '@happyvertical/smrt-tenancy';\n *\n * // In middleware (SvelteKit, Express, etc.)\n * await withTenant({ tenantId: 'tenant-123' }, async () => {\n * // All code in this async tree has access to tenant context\n * const id = requireTenantId(); // 'tenant-123'\n * });\n * ```\n *\n * @example Background job binding\n * ```typescript\n * import { TenantContext } from '@happyvertical/smrt-tenancy';\n *\n * // Bind a callback to preserve context across async boundaries\n * setTimeout(TenantContext.bind(() => {\n * console.log(requireTenantId()); // Works!\n * }), 1000);\n * ```\n *\n * @see https://github.com/happyvertical/smrt/issues/675\n */\n\nimport { AsyncLocalStorage } from 'node:async_hooks';\nimport type { DatabaseInterface } from '@happyvertical/sql';\n\n/**\n * Full data stored in tenant context for the current async execution scope.\n *\n * Created by `withTenant()` / `enterTenantContext()` and read by `getCurrentTenant()`,\n * `getTenantId()`, and the interceptor hooks. All fields except `tenantId` and\n * `permissions` are optional and may be populated lazily by higher-level packages\n * (e.g., `smrt-users`).\n *\n * @see withTenant\n * @see MinimalTenantContext\n */\nexport interface TenantContextData {\n /** Current tenant ID (required) */\n tenantId: string;\n\n /** Current tenant object (lazy-loaded if smrt-users is available) */\n tenant?: unknown;\n\n /** Current user ID (optional) */\n userId?: string;\n\n /** Current user object (lazy-loaded if smrt-users is available) */\n user?: unknown;\n\n /** Resolved permissions for this user in this tenant */\n permissions: Set<string>;\n\n /** Database connection for this tenant (if database-per-tenant strategy) */\n database?: DatabaseInterface;\n\n /** Super admin bypass enabled - allows cross-tenant operations */\n superAdminBypass?: boolean;\n\n /** Custom metadata for application-specific data */\n metadata?: Record<string, unknown>;\n}\n\n/**\n * Minimal context accepted by `withTenant()` and `withTenantSync()` when only a\n * tenant ID is known.\n *\n * `permissions` defaults to an empty `Set` when omitted. Use `TenantContextData`\n * when you also need to carry user info, database handles, or resolved permissions.\n *\n * @see TenantContextData\n * @see withTenant\n */\nexport interface MinimalTenantContext {\n /** Tenant identifier. */\n tenantId: string;\n /** Resolved permissions; defaults to an empty Set when omitted. */\n permissions?: Set<string>;\n /** When `true`, tenant auto-filtering is skipped for classes that allow super admin bypass. */\n superAdminBypass?: boolean;\n /** Arbitrary application-specific metadata to carry through the context. */\n metadata?: Record<string, unknown>;\n}\n\n// Sentinel symbol to mark system context (distinct from \"no context\")\nconst SYSTEM_CONTEXT_MARKER = Symbol.for('smrt:system-context');\n\n// Storage type includes the marker for system context\ntype ContextStoreValue = TenantContextData | typeof SYSTEM_CONTEXT_MARKER;\n\n// AsyncLocalStorage instance for tenant context\nconst tenantStorage = new AsyncLocalStorage<ContextStoreValue>();\n\n/**\n * Get the current tenant context for this async execution scope.\n *\n * Returns `undefined` when called outside any tenant scope or inside a\n * `withSystemContext()` block (the system context marker is treated as \"no\n * tenant data\"). Prefer `requireTenant()` when a context is mandatory.\n *\n * @returns The active `TenantContextData`, or `undefined` if none is set.\n *\n * @example\n * ```typescript\n * const ctx = getCurrentTenant();\n * if (ctx) {\n * console.log('Current tenant:', ctx.tenantId);\n * }\n * ```\n *\n * @see requireTenant\n * @see hasTenantContext\n */\nexport function getCurrentTenant(): TenantContextData | undefined {\n const store = tenantStorage.getStore();\n // Return undefined for system context marker (no tenant data available)\n if (store === SYSTEM_CONTEXT_MARKER) {\n return undefined;\n }\n return store;\n}\n\n/**\n * Get the current tenant context or throw if one is not available.\n *\n * Use this in business-logic code that must run inside a tenant scope.\n * For a non-throwing alternative use `getCurrentTenant()`.\n *\n * @returns The active `TenantContextData`.\n * @throws {TenantContextError} When no tenant context is set (code is outside\n * any `withTenant()` call or the enclosing middleware has not run).\n *\n * @example\n * ```typescript\n * const { tenantId, permissions } = requireTenant();\n * ```\n *\n * @see getCurrentTenant\n * @see requireTenantId\n */\nexport function requireTenant(): TenantContextData {\n const ctx = tenantStorage.getStore();\n if (!ctx || ctx === SYSTEM_CONTEXT_MARKER) {\n throw new TenantContextError(\n 'No tenant context available. ' +\n 'Ensure request is wrapped in withTenant() or middleware is configured.',\n );\n }\n return ctx;\n}\n\n/**\n * Get the current tenant ID or throw if no tenant context is available.\n *\n * Shorthand for `requireTenant().tenantId`.\n *\n * @returns The active tenant ID string.\n * @throws {TenantContextError} When no tenant context is set.\n *\n * @example\n * ```typescript\n * const tenantId = requireTenantId();\n * const rows = await db.query(`SELECT * FROM docs WHERE tenant_id = ?`, [tenantId]);\n * ```\n *\n * @see getTenantId\n * @see requireTenant\n */\nexport function requireTenantId(): string {\n return requireTenant().tenantId;\n}\n\n/**\n * Get the current tenant ID without throwing.\n *\n * Returns `undefined` when called outside any tenant scope or inside a\n * `withSystemContext()` block. Use `requireTenantId()` when a missing context\n * should be treated as an error.\n *\n * @returns The active tenant ID, or `undefined` if none is set.\n *\n * @example\n * ```typescript\n * const tenantId = getTenantId();\n * if (tenantId) {\n * // Optional tenant-scoped logic\n * }\n * ```\n *\n * @see requireTenantId\n * @see hasTenantContext\n */\nexport function getTenantId(): string | undefined {\n const store = tenantStorage.getStore();\n if (store === SYSTEM_CONTEXT_MARKER) {\n return undefined;\n }\n return store?.tenantId;\n}\n\n/**\n * Check whether the current async execution scope has an active tenant context.\n *\n * Returns `false` both when there is no context at all and when code is running\n * inside `withSystemContext()` (the system marker is not a tenant context).\n *\n * @returns `true` if a `TenantContextData` is active, `false` otherwise.\n *\n * @example\n * ```typescript\n * if (hasTenantContext()) {\n * console.log('Tenant:', getTenantId());\n * }\n * ```\n *\n * @see getTenantId\n * @see isSystemContext\n */\nexport function hasTenantContext(): boolean {\n const store = tenantStorage.getStore();\n // System context marker means no tenant context (even though storage is set)\n return store !== undefined && store !== SYSTEM_CONTEXT_MARKER;\n}\n\n/**\n * Check whether the current async execution scope was entered via `withSystemContext()`.\n *\n * A system context is explicitly set to bypass all tenant checks; it is distinct\n * from \"no context\" (undefined store). When the store is undefined the\n * interceptor enforces tenant requirements; when it holds the system marker the\n * interceptor skips all checks.\n *\n * @returns `true` if inside a `withSystemContext()` call, `false` otherwise.\n *\n * @see withSystemContext\n * @see hasTenantContext\n */\nexport function isSystemContext(): boolean {\n return tenantStorage.getStore() === SYSTEM_CONTEXT_MARKER;\n}\n\n/**\n * Check whether the super admin bypass flag is set in the current tenant context.\n *\n * When `true`, the interceptor skips tenant auto-filtering for classes that have\n * `allowSuperAdminBypass: true` in their `@TenantScoped()` config. Returns\n * `false` inside a system context (no tenant data is available).\n *\n * @returns `true` if super admin bypass is active, `false` otherwise.\n *\n * @see withSuperAdminBypass\n * @see TenantScopedOptions.allowSuperAdminBypass\n */\nexport function isSuperAdminBypass(): boolean {\n const store = tenantStorage.getStore();\n if (store === SYSTEM_CONTEXT_MARKER) {\n return false;\n }\n return store?.superAdminBypass === true;\n}\n\n/**\n * Run code within a tenant context (async version)\n *\n * @param context - Tenant context data (at minimum, tenantId)\n * @param fn - Async function to run within the tenant context\n * @returns Promise resolving to the function's return value\n *\n * @example\n * ```typescript\n * await withTenant({ tenantId: 'tenant-123' }, async () => {\n * const id = requireTenantId(); // 'tenant-123'\n * await doSomething();\n * });\n * ```\n */\nexport async function withTenant<T>(\n context: TenantContextData | MinimalTenantContext,\n fn: () => Promise<T>,\n): Promise<T> {\n const fullContext: TenantContextData = {\n permissions: new Set(),\n ...context,\n };\n return tenantStorage.run(fullContext, fn);\n}\n\n/**\n * Run synchronous code within a tenant context.\n *\n * Prefer `withTenant()` for async code. Use this variant only when the\n * callback must be synchronous (e.g., initializing a module-level value that\n * is consumed synchronously downstream).\n *\n * @param context - Tenant context data (at minimum, `tenantId`).\n * @param fn - Synchronous function to run within the tenant context.\n * @returns The return value of `fn`.\n *\n * @example\n * ```typescript\n * const result = withTenantSync({ tenantId: 'tenant-123' }, () => {\n * return computeSomethingSync();\n * });\n * ```\n *\n * @see withTenant\n */\nexport function withTenantSync<T>(\n context: TenantContextData | MinimalTenantContext,\n fn: () => T,\n): T {\n const fullContext: TenantContextData = {\n permissions: new Set(),\n ...context,\n };\n return tenantStorage.run(fullContext, fn);\n}\n\n/**\n * Enter tenant context for the remainder of the current async execution\n *\n * This uses AsyncLocalStorage.enterWith() to establish context that persists\n * until the async resource completes. Useful for Express middleware where\n * the route handler executes after the middleware returns.\n *\n * @param context - Tenant context data\n *\n * @example Express middleware\n * ```typescript\n * app.use((req, res, next) => {\n * const tenantId = req.headers['x-tenant-id'] as string;\n * enterTenantContext({ tenantId });\n * next(); // Route handlers now have tenant context\n * });\n * ```\n */\nexport function enterTenantContext(\n context: TenantContextData | MinimalTenantContext,\n): void {\n const fullContext: TenantContextData = {\n permissions: new Set(),\n ...context,\n };\n tenantStorage.enterWith(fullContext);\n}\n\n/**\n * Run code in system context (bypasses tenant checks)\n *\n * Use this for:\n * - Migration scripts\n * - Admin tools that need cross-tenant access\n * - Background jobs that process multiple tenants\n *\n * System context is explicitly different from \"no context\" - it signals\n * that tenant checks should be bypassed, while no context means the\n * interceptor should enforce tenant requirements.\n *\n * @param fn - Async function to run without tenant context\n *\n * @example\n * ```typescript\n * await withSystemContext(async () => {\n * // No tenant context - can access all data\n * const allDocuments = await documentCollection.list({});\n * });\n * ```\n */\nexport async function withSystemContext<T>(fn: () => Promise<T>): Promise<T> {\n // Run with system context marker (distinct from undefined/no context)\n return tenantStorage.run(SYSTEM_CONTEXT_MARKER, fn);\n}\n\n/**\n * Run async code with the super admin bypass flag enabled on the current\n * tenant context.\n *\n * Unlike `withSystemContext()`, this does **not** remove the tenant context —\n * the caller's `tenantId` remains intact. The interceptor skips\n * auto-filtering only for classes that have `allowSuperAdminBypass: true` in\n * their `@TenantScoped()` config.\n *\n * A tenant context must already be active (i.e., this must be called from\n * within a `withTenant()` scope). Use `withSystemContext()` if no tenant\n * context is available at all.\n *\n * @param fn - Async function to run with super admin bypass enabled.\n * @returns Promise resolving to the return value of `fn`.\n * @throws {TenantContextError} If called outside any tenant context.\n *\n * @example\n * ```typescript\n * await withTenant({ tenantId: 'admin-tenant' }, async () => {\n * await withSuperAdminBypass(async () => {\n * // Can read any tenant's AuditLog (if allowSuperAdminBypass: true)\n * const logs = await auditLogCollection.list({});\n * });\n * });\n * ```\n *\n * @see withSystemContext\n * @see isSuperAdminBypass\n */\nexport async function withSuperAdminBypass<T>(\n fn: () => Promise<T>,\n): Promise<T> {\n const current = tenantStorage.getStore();\n if (!current || current === SYSTEM_CONTEXT_MARKER) {\n throw new TenantContextError(\n 'Cannot enable super admin bypass without a tenant context. ' +\n 'Use withTenant() first or withSystemContext() instead.',\n );\n }\n\n const bypassContext: TenantContextData = {\n ...current,\n superAdminBypass: true,\n };\n\n return tenantStorage.run(bypassContext, fn);\n}\n\n/**\n * Namespace object providing advanced tenant context utilities.\n *\n * Contains helpers for binding callbacks, inspecting context state, and\n * running code with the context stored in a queued job payload. These\n * utilities supplement the standalone exported functions for situations where\n * async context might otherwise be lost (e.g., `setTimeout`, event emitters,\n * message queue consumers).\n *\n * @example\n * ```typescript\n * import { TenantContext } from '@happyvertical/smrt-tenancy';\n *\n * // Preserve context across a setTimeout\n * setTimeout(TenantContext.bind(() => {\n * console.log(getTenantId()); // context is intact\n * }), 500);\n *\n * // Process a queued job\n * await TenantContext.runWithJobContext(job, async () => {\n * await processJob(job);\n * });\n * ```\n */\nexport const TenantContext = {\n /**\n * Bind a callback to the current tenant context\n *\n * Use this when passing callbacks to setTimeout, event emitters,\n * or other APIs that might lose the async context.\n *\n * @param fn - Function to bind to current context\n * @returns Wrapped function that will run in the original context\n *\n * @example\n * ```typescript\n * // Without bind - context is lost\n * setTimeout(() => {\n * console.log(getTenantId()); // undefined!\n * }, 1000);\n *\n * // With bind - context is preserved\n * setTimeout(TenantContext.bind(() => {\n * console.log(getTenantId()); // 'tenant-123'\n * }), 1000);\n * ```\n */\n bind<T extends (...args: unknown[]) => unknown>(fn: T): T {\n const store = tenantStorage.getStore();\n if (!store) {\n // No context to bind, return function as-is\n return fn;\n }\n\n // Preserve the context (including system context marker)\n return ((...args: unknown[]) => {\n return tenantStorage.run(store, () => fn(...args));\n }) as T;\n },\n\n /**\n * Get the current context data (or undefined for system/no context)\n */\n get current(): TenantContextData | undefined {\n return getCurrentTenant();\n },\n\n /**\n * Check if we're in system context\n */\n get isSystem(): boolean {\n return isSystemContext();\n },\n\n /**\n * Run code with context from a job/message payload\n *\n * Useful for processing queued jobs that include tenant metadata.\n *\n * @param job - Job object with tenantId in metadata\n * @param fn - Function to run in the job's tenant context\n *\n * @example\n * ```typescript\n * const job = await queue.pop();\n * await TenantContext.runWithJobContext(job, async () => {\n * await processJob(job);\n * });\n * ```\n */\n async runWithJobContext<T>(\n job: { metadata?: { tenantId?: string }; tenantId?: string },\n fn: () => Promise<T>,\n ): Promise<T> {\n const tenantId = job.metadata?.tenantId ?? job.tenantId;\n if (!tenantId) {\n throw new TenantContextError(\n 'Job does not contain tenant information. ' +\n 'Ensure jobs include tenantId in metadata or as a top-level field.',\n );\n }\n\n return withTenant({ tenantId }, fn);\n },\n};\n\n/**\n * Error thrown when a tenant context is required but not available.\n *\n * Raised by `requireTenant()`, `requireTenantId()`, and the tenant interceptor\n * when a `@TenantScoped({ mode: 'required' })` operation is attempted outside\n * any `withTenant()` scope.\n *\n * The `code` property is always `'TENANT_CONTEXT_REQUIRED'` and can be used for\n * programmatic error handling.\n *\n * @example\n * ```typescript\n * try {\n * const tenantId = requireTenantId();\n * } catch (err) {\n * if (err instanceof TenantContextError) {\n * // err.code === 'TENANT_CONTEXT_REQUIRED'\n * }\n * }\n * ```\n *\n * @see requireTenant\n * @see requireTenantId\n * @see TenantIsolationError\n */\nexport class TenantContextError extends Error {\n /** Stable error code; always `'TENANT_CONTEXT_REQUIRED'`. */\n readonly code = 'TENANT_CONTEXT_REQUIRED';\n\n constructor(message: string) {\n super(message);\n this.name = 'TenantContextError';\n }\n}\n\n/**\n * Error thrown when a tenant isolation boundary is crossed.\n *\n * Raised by the tenant interceptor when:\n * - A `list()` or `get()` query explicitly filters by a tenant ID that does not\n * match the current context tenant.\n * - A `save()` or `delete()` is attempted on an object whose `tenantId` field\n * belongs to a different tenant than the current context.\n * - A raw SQL query is executed against a tenant-scoped class without an\n * explicit bypass (when `rawQueryPolicy` is `'throw'`).\n *\n * The `code` property is always `'TENANT_ISOLATION_VIOLATION'`.\n *\n * @example\n * ```typescript\n * try {\n * await collection.list({ where: { tenantId: 'other-tenant' } });\n * } catch (err) {\n * if (err instanceof TenantIsolationError) {\n * // err.tenantId — context tenant\n * // err.attemptedTenantId — tenant that was attempted\n * }\n * }\n * ```\n *\n * @see TenantContextError\n * @see createTenantInterceptor\n */\nexport class TenantIsolationError extends Error {\n /** Stable error code; always `'TENANT_ISOLATION_VIOLATION'`. */\n readonly code = 'TENANT_ISOLATION_VIOLATION';\n /** The tenant ID that is active in the current context. */\n readonly tenantId?: string;\n /** The tenant ID that was attempted (and rejected). */\n readonly attemptedTenantId?: string;\n\n constructor(\n message: string,\n details?: { tenantId?: string; attemptedTenantId?: string },\n ) {\n super(message);\n this.name = 'TenantIsolationError';\n this.tenantId = details?.tenantId;\n this.attemptedTenantId = details?.attemptedTenantId;\n }\n}\n"],"names":[],"mappings":";AA6FA,MAAM,wBAAwB,uBAAO,IAAI,qBAAqB;AAM9D,MAAM,gBAAgB,IAAI,kBAAA;AAsBnB,SAAS,mBAAkD;AAChE,QAAM,QAAQ,cAAc,SAAA;AAE5B,MAAI,UAAU,uBAAuB;AACnC,WAAO;AAAA,EACT;AACA,SAAO;AACT;AAoBO,SAAS,gBAAmC;AACjD,QAAM,MAAM,cAAc,SAAA;AAC1B,MAAI,CAAC,OAAO,QAAQ,uBAAuB;AACzC,UAAM,IAAI;AAAA,MACR;AAAA,IAAA;AAAA,EAGJ;AACA,SAAO;AACT;AAmBO,SAAS,kBAA0B;AACxC,SAAO,gBAAgB;AACzB;AAsBO,SAAS,cAAkC;AAChD,QAAM,QAAQ,cAAc,SAAA;AAC5B,MAAI,UAAU,uBAAuB;AACnC,WAAO;AAAA,EACT;AACA,SAAO,OAAO;AAChB;AAoBO,SAAS,mBAA4B;AAC1C,QAAM,QAAQ,cAAc,SAAA;AAE5B,SAAO,UAAU,UAAa,UAAU;AAC1C;AAeO,SAAS,kBAA2B;AACzC,SAAO,cAAc,eAAe;AACtC;AAcO,SAAS,qBAA8B;AAC5C,QAAM,QAAQ,cAAc,SAAA;AAC5B,MAAI,UAAU,uBAAuB;AACnC,WAAO;AAAA,EACT;AACA,SAAO,OAAO,qBAAqB;AACrC;AAiBA,eAAsB,WACpB,SACA,IACY;AACZ,QAAM,cAAiC;AAAA,IACrC,iCAAiB,IAAA;AAAA,IACjB,GAAG;AAAA,EAAA;AAEL,SAAO,cAAc,IAAI,aAAa,EAAE;AAC1C;AAsBO,SAAS,eACd,SACA,IACG;AACH,QAAM,cAAiC;AAAA,IACrC,iCAAiB,IAAA;AAAA,IACjB,GAAG;AAAA,EAAA;AAEL,SAAO,cAAc,IAAI,aAAa,EAAE;AAC1C;AAoBO,SAAS,mBACd,SACM;AACN,QAAM,cAAiC;AAAA,IACrC,iCAAiB,IAAA;AAAA,IACjB,GAAG;AAAA,EAAA;AAEL,gBAAc,UAAU,WAAW;AACrC;AAwBA,eAAsB,kBAAqB,IAAkC;AAE3E,SAAO,cAAc,IAAI,uBAAuB,EAAE;AACpD;AAgCA,eAAsB,qBACpB,IACY;AACZ,QAAM,UAAU,cAAc,SAAA;AAC9B,MAAI,CAAC,WAAW,YAAY,uBAAuB;AACjD,UAAM,IAAI;AAAA,MACR;AAAA,IAAA;AAAA,EAGJ;AAEA,QAAM,gBAAmC;AAAA,IACvC,GAAG;AAAA,IACH,kBAAkB;AAAA,EAAA;AAGpB,SAAO,cAAc,IAAI,eAAe,EAAE;AAC5C;AA0BO,MAAM,gBAAgB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAuB3B,KAAgD,IAAU;AACxD,UAAM,QAAQ,cAAc,SAAA;AAC5B,QAAI,CAAC,OAAO;AAEV,aAAO;AAAA,IACT;AAGA,YAAQ,IAAI,SAAoB;AAC9B,aAAO,cAAc,IAAI,OAAO,MAAM,GAAG,GAAG,IAAI,CAAC;AAAA,IACnD;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,UAAyC;AAC3C,WAAO,iBAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,WAAoB;AACtB,WAAO,gBAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAkBA,MAAM,kBACJ,KACA,IACY;AACZ,UAAM,WAAW,IAAI,UAAU,YAAY,IAAI;AAC/C,QAAI,CAAC,UAAU;AACb,YAAM,IAAI;AAAA,QACR;AAAA,MAAA;AAAA,IAGJ;AAEA,WAAO,WAAW,EAAE,SAAA,GAAY,EAAE;AAAA,EACpC;AACF;AA2BO,MAAM,2BAA2B,MAAM;AAAA;AAAA,EAEnC,OAAO;AAAA,EAEhB,YAAY,SAAiB;AAC3B,UAAM,OAAO;AACb,SAAK,OAAO;AAAA,EACd;AACF;AA8BO,MAAM,6BAA6B,MAAM;AAAA;AAAA,EAErC,OAAO;AAAA;AAAA,EAEP;AAAA;AAAA,EAEA;AAAA,EAET,YACE,SACA,SACA;AACA,UAAM,OAAO;AACb,SAAK,OAAO;AACZ,SAAK,WAAW,SAAS;AACzB,SAAK,oBAAoB,SAAS;AAAA,EACpC;AACF;"}
1
+ {"version":3,"file":"context-DfTygamS.js","sources":["../../src/context.ts"],"sourcesContent":["/**\n * TenantContext - AsyncLocalStorage-based tenant context propagation\n *\n * Provides request-scoped tenant context that flows through async operations.\n * This is the core of the tenancy system - all tenant isolation depends on\n * having a valid context.\n *\n * @example Basic usage with middleware\n * ```typescript\n * import { withTenant, requireTenantId } from '@happyvertical/smrt-tenancy';\n *\n * // In middleware (SvelteKit, Express, etc.)\n * await withTenant({ tenantId: 'tenant-123' }, async () => {\n * // All code in this async tree has access to tenant context\n * const id = requireTenantId(); // 'tenant-123'\n * });\n * ```\n *\n * @example Background job binding\n * ```typescript\n * import { TenantContext } from '@happyvertical/smrt-tenancy';\n *\n * // Bind a callback to preserve context across async boundaries\n * setTimeout(TenantContext.bind(() => {\n * console.log(requireTenantId()); // Works!\n * }), 1000);\n * ```\n *\n * @see https://github.com/happyvertical/smrt/issues/675\n */\n\nimport { AsyncLocalStorage } from 'node:async_hooks';\nimport type { DatabaseInterface } from '@happyvertical/sql';\n\n/**\n * Full data stored in tenant context for the current async execution scope.\n *\n * Created by `withTenant()` / `enterTenantContext()` and read by `getCurrentTenant()`,\n * `getTenantId()`, and the interceptor hooks. All fields except `tenantId` and\n * `permissions` are optional and may be populated lazily by higher-level packages\n * (e.g., `smrt-users`).\n *\n * @see withTenant\n * @see MinimalTenantContext\n */\nexport interface TenantContextData {\n /** Current tenant ID (required) */\n tenantId: string;\n\n /** Current tenant object (lazy-loaded if smrt-users is available) */\n tenant?: unknown;\n\n /** Current user ID (optional) */\n userId?: string;\n\n /** Current user object (lazy-loaded if smrt-users is available) */\n user?: unknown;\n\n /** Resolved permissions for this user in this tenant */\n permissions: Set<string>;\n\n /** Database connection for this tenant (if database-per-tenant strategy) */\n database?: DatabaseInterface;\n\n /** Super admin bypass enabled - allows cross-tenant operations */\n superAdminBypass?: boolean;\n\n /** Custom metadata for application-specific data */\n metadata?: Record<string, unknown>;\n}\n\n/**\n * Minimal context accepted by `withTenant()` and `withTenantSync()` when only a\n * tenant ID is known.\n *\n * `permissions` defaults to an empty `Set` when omitted. Use `TenantContextData`\n * when you also need to carry user info, database handles, or resolved permissions.\n *\n * @see TenantContextData\n * @see withTenant\n */\nexport interface MinimalTenantContext {\n /** Tenant identifier. */\n tenantId: string;\n /** Resolved permissions; defaults to an empty Set when omitted. */\n permissions?: Set<string>;\n /** When `true`, tenant auto-filtering is skipped for classes that allow super admin bypass. */\n superAdminBypass?: boolean;\n /** Arbitrary application-specific metadata to carry through the context. */\n metadata?: Record<string, unknown>;\n}\n\n// Sentinel symbol to mark system context (distinct from \"no context\")\nconst SYSTEM_CONTEXT_MARKER = Symbol.for('smrt:system-context');\n\n// Storage type includes the marker for system context\ntype ContextStoreValue = TenantContextData | typeof SYSTEM_CONTEXT_MARKER;\n\n// AsyncLocalStorage instance for tenant context\nconst tenantStorage = new AsyncLocalStorage<ContextStoreValue>();\n\n/**\n * Get the current tenant context for this async execution scope.\n *\n * Returns `undefined` when called outside any tenant scope or inside a\n * `withSystemContext()` block (the system context marker is treated as \"no\n * tenant data\"). Prefer `requireTenant()` when a context is mandatory.\n *\n * @returns The active `TenantContextData`, or `undefined` if none is set.\n *\n * @example\n * ```typescript\n * const ctx = getCurrentTenant();\n * if (ctx) {\n * console.log('Current tenant:', ctx.tenantId);\n * }\n * ```\n *\n * @see requireTenant\n * @see hasTenantContext\n */\nexport function getCurrentTenant(): TenantContextData | undefined {\n const store = tenantStorage.getStore();\n // Return undefined for system context marker (no tenant data available)\n if (store === SYSTEM_CONTEXT_MARKER) {\n return undefined;\n }\n return store;\n}\n\n/**\n * Get the current tenant context or throw if one is not available.\n *\n * Use this in business-logic code that must run inside a tenant scope.\n * For a non-throwing alternative use `getCurrentTenant()`.\n *\n * @returns The active `TenantContextData`.\n * @throws {TenantContextError} When no tenant context is set (code is outside\n * any `withTenant()` call or the enclosing middleware has not run).\n *\n * @example\n * ```typescript\n * const { tenantId, permissions } = requireTenant();\n * ```\n *\n * @see getCurrentTenant\n * @see requireTenantId\n */\nexport function requireTenant(): TenantContextData {\n const ctx = tenantStorage.getStore();\n if (!ctx || ctx === SYSTEM_CONTEXT_MARKER) {\n throw new TenantContextError(\n 'No tenant context available. ' +\n 'Ensure request is wrapped in withTenant() or middleware is configured.',\n );\n }\n return ctx;\n}\n\n/**\n * Get the current tenant ID or throw if no tenant context is available.\n *\n * Shorthand for `requireTenant().tenantId`.\n *\n * @returns The active tenant ID string.\n * @throws {TenantContextError} When no tenant context is set.\n *\n * @example\n * ```typescript\n * const tenantId = requireTenantId();\n * const rows = await db.query(`SELECT * FROM docs WHERE tenant_id = ?`, [tenantId]);\n * ```\n *\n * @see getTenantId\n * @see requireTenant\n */\nexport function requireTenantId(): string {\n return requireTenant().tenantId;\n}\n\n/**\n * Get the current tenant ID without throwing.\n *\n * Returns `undefined` when called outside any tenant scope or inside a\n * `withSystemContext()` block. Use `requireTenantId()` when a missing context\n * should be treated as an error.\n *\n * @returns The active tenant ID, or `undefined` if none is set.\n *\n * @example\n * ```typescript\n * const tenantId = getTenantId();\n * if (tenantId) {\n * // Optional tenant-scoped logic\n * }\n * ```\n *\n * @see requireTenantId\n * @see hasTenantContext\n */\nexport function getTenantId(): string | undefined {\n const store = tenantStorage.getStore();\n if (store === SYSTEM_CONTEXT_MARKER) {\n return undefined;\n }\n return store?.tenantId;\n}\n\n/**\n * Check whether the current async execution scope has an active tenant context.\n *\n * Returns `false` both when there is no context at all and when code is running\n * inside `withSystemContext()` (the system marker is not a tenant context).\n *\n * @returns `true` if a `TenantContextData` is active, `false` otherwise.\n *\n * @example\n * ```typescript\n * if (hasTenantContext()) {\n * console.log('Tenant:', getTenantId());\n * }\n * ```\n *\n * @see getTenantId\n * @see isSystemContext\n */\nexport function hasTenantContext(): boolean {\n const store = tenantStorage.getStore();\n // System context marker means no tenant context (even though storage is set)\n return store !== undefined && store !== SYSTEM_CONTEXT_MARKER;\n}\n\n/**\n * Check whether the current async execution scope was entered via `withSystemContext()`.\n *\n * A system context is explicitly set to bypass all tenant checks; it is distinct\n * from \"no context\" (undefined store). When the store is undefined the\n * interceptor enforces tenant requirements; when it holds the system marker the\n * interceptor skips all checks.\n *\n * @returns `true` if inside a `withSystemContext()` call, `false` otherwise.\n *\n * @see withSystemContext\n * @see hasTenantContext\n */\nexport function isSystemContext(): boolean {\n return tenantStorage.getStore() === SYSTEM_CONTEXT_MARKER;\n}\n\n/**\n * Check whether the super admin bypass flag is set in the current tenant context.\n *\n * When `true`, the interceptor skips tenant auto-filtering for classes that have\n * `allowSuperAdminBypass: true` in their `@TenantScoped()` config. Returns\n * `false` inside a system context (no tenant data is available).\n *\n * @returns `true` if super admin bypass is active, `false` otherwise.\n *\n * @see withSuperAdminBypass\n * @see TenantScopedOptions.allowSuperAdminBypass\n */\nexport function isSuperAdminBypass(): boolean {\n const store = tenantStorage.getStore();\n if (store === SYSTEM_CONTEXT_MARKER) {\n return false;\n }\n return store?.superAdminBypass === true;\n}\n\n/**\n * Run code within a tenant context (async version)\n *\n * @param context - Tenant context data (at minimum, tenantId)\n * @param fn - Async function to run within the tenant context\n * @returns Promise resolving to the function's return value\n *\n * @example\n * ```typescript\n * await withTenant({ tenantId: 'tenant-123' }, async () => {\n * const id = requireTenantId(); // 'tenant-123'\n * await doSomething();\n * });\n * ```\n */\nexport async function withTenant<T>(\n context: TenantContextData | MinimalTenantContext,\n fn: () => Promise<T>,\n): Promise<T> {\n const fullContext: TenantContextData = {\n permissions: new Set(),\n ...context,\n };\n return tenantStorage.run(fullContext, fn);\n}\n\n/**\n * Run synchronous code within a tenant context.\n *\n * Prefer `withTenant()` for async code. Use this variant only when the\n * callback must be synchronous (e.g., initializing a module-level value that\n * is consumed synchronously downstream).\n *\n * @param context - Tenant context data (at minimum, `tenantId`).\n * @param fn - Synchronous function to run within the tenant context.\n * @returns The return value of `fn`.\n *\n * @example\n * ```typescript\n * const result = withTenantSync({ tenantId: 'tenant-123' }, () => {\n * return computeSomethingSync();\n * });\n * ```\n *\n * @see withTenant\n */\nexport function withTenantSync<T>(\n context: TenantContextData | MinimalTenantContext,\n fn: () => T,\n): T {\n const fullContext: TenantContextData = {\n permissions: new Set(),\n ...context,\n };\n return tenantStorage.run(fullContext, fn);\n}\n\n/**\n * Enter tenant context for the remainder of the current async execution\n *\n * This uses AsyncLocalStorage.enterWith() to establish context that persists\n * until the async resource completes. Useful for Express middleware where\n * the route handler executes after the middleware returns.\n *\n * @param context - Tenant context data\n *\n * @example Express middleware\n * ```typescript\n * app.use((req, res, next) => {\n * const tenantId = req.headers['x-tenant-id'] as string;\n * enterTenantContext({ tenantId });\n * next(); // Route handlers now have tenant context\n * });\n * ```\n */\nexport function enterTenantContext(\n context: TenantContextData | MinimalTenantContext,\n): void {\n const fullContext: TenantContextData = {\n permissions: new Set(),\n ...context,\n };\n tenantStorage.enterWith(fullContext);\n}\n\n/**\n * Run code in system context (bypasses tenant checks)\n *\n * Use this for:\n * - Migration scripts\n * - Admin tools that need cross-tenant access\n * - Background jobs that process multiple tenants\n *\n * System context is explicitly different from \"no context\" - it signals\n * that tenant checks should be bypassed, while no context means the\n * interceptor should enforce tenant requirements.\n *\n * @param fn - Async function to run without tenant context\n *\n * @example\n * ```typescript\n * await withSystemContext(async () => {\n * // No tenant context - can access all data\n * const allDocuments = await documentCollection.list({});\n * });\n * ```\n */\nexport async function withSystemContext<T>(fn: () => Promise<T>): Promise<T> {\n // Run with system context marker (distinct from undefined/no context)\n return tenantStorage.run(SYSTEM_CONTEXT_MARKER, fn);\n}\n\n/**\n * Run async code with the super admin bypass flag enabled on the current\n * tenant context.\n *\n * Unlike `withSystemContext()`, this does **not** remove the tenant context —\n * the caller's `tenantId` remains intact. The interceptor skips\n * auto-filtering only for classes that have `allowSuperAdminBypass: true` in\n * their `@TenantScoped()` config.\n *\n * A tenant context must already be active (i.e., this must be called from\n * within a `withTenant()` scope). Use `withSystemContext()` if no tenant\n * context is available at all.\n *\n * @param fn - Async function to run with super admin bypass enabled.\n * @returns Promise resolving to the return value of `fn`.\n * @throws {TenantContextError} If called outside any tenant context.\n *\n * @example\n * ```typescript\n * await withTenant({ tenantId: 'admin-tenant' }, async () => {\n * await withSuperAdminBypass(async () => {\n * // Can read any tenant's AuditLog (if allowSuperAdminBypass: true)\n * const logs = await auditLogCollection.list({});\n * });\n * });\n * ```\n *\n * @see withSystemContext\n * @see isSuperAdminBypass\n */\nexport async function withSuperAdminBypass<T>(\n fn: () => Promise<T>,\n): Promise<T> {\n const current = tenantStorage.getStore();\n if (!current || current === SYSTEM_CONTEXT_MARKER) {\n throw new TenantContextError(\n 'Cannot enable super admin bypass without a tenant context. ' +\n 'Use withTenant() first or withSystemContext() instead.',\n );\n }\n\n const bypassContext: TenantContextData = {\n ...current,\n superAdminBypass: true,\n };\n\n return tenantStorage.run(bypassContext, fn);\n}\n\n/**\n * Namespace object providing advanced tenant context utilities.\n *\n * Contains helpers for binding callbacks, inspecting context state, and\n * running code with the context stored in a queued job payload. These\n * utilities supplement the standalone exported functions for situations where\n * async context might otherwise be lost (e.g., `setTimeout`, event emitters,\n * message queue consumers).\n *\n * @example\n * ```typescript\n * import { TenantContext } from '@happyvertical/smrt-tenancy';\n *\n * // Preserve context across a setTimeout\n * setTimeout(TenantContext.bind(() => {\n * console.log(getTenantId()); // context is intact\n * }), 500);\n *\n * // Process a queued job\n * await TenantContext.runWithJobContext(job, async () => {\n * await processJob(job);\n * });\n * ```\n */\nexport const TenantContext = {\n /**\n * Bind a callback to the current tenant context\n *\n * Use this when passing callbacks to setTimeout, event emitters,\n * or other APIs that might lose the async context.\n *\n * @param fn - Function to bind to current context\n * @returns Wrapped function that will run in the original context\n *\n * @example\n * ```typescript\n * // Without bind - context is lost\n * setTimeout(() => {\n * console.log(getTenantId()); // undefined!\n * }, 1000);\n *\n * // With bind - context is preserved\n * setTimeout(TenantContext.bind(() => {\n * console.log(getTenantId()); // 'tenant-123'\n * }), 1000);\n * ```\n */\n bind<T extends (...args: unknown[]) => unknown>(fn: T): T {\n const store = tenantStorage.getStore();\n if (!store) {\n // No context to bind, return function as-is\n return fn;\n }\n\n // Preserve the context (including system context marker)\n return ((...args: unknown[]) => {\n return tenantStorage.run(store, () => fn(...args));\n }) as T;\n },\n\n /**\n * Get the current context data (or undefined for system/no context)\n */\n get current(): TenantContextData | undefined {\n return getCurrentTenant();\n },\n\n /**\n * Check if we're in system context\n */\n get isSystem(): boolean {\n return isSystemContext();\n },\n\n /**\n * Run code with context from a job/message payload\n *\n * Useful for processing queued jobs that include tenant metadata.\n *\n * @param job - Job object with tenantId in metadata\n * @param fn - Function to run in the job's tenant context\n *\n * @example\n * ```typescript\n * const job = await queue.pop();\n * await TenantContext.runWithJobContext(job, async () => {\n * await processJob(job);\n * });\n * ```\n */\n async runWithJobContext<T>(\n job: { metadata?: { tenantId?: string }; tenantId?: string },\n fn: () => Promise<T>,\n ): Promise<T> {\n const tenantId = job.metadata?.tenantId ?? job.tenantId;\n if (!tenantId) {\n throw new TenantContextError(\n 'Job does not contain tenant information. ' +\n 'Ensure jobs include tenantId in metadata or as a top-level field.',\n );\n }\n\n return withTenant({ tenantId }, fn);\n },\n};\n\n/**\n * Error thrown when a tenant context is required but not available.\n *\n * Raised by `requireTenant()`, `requireTenantId()`, and the tenant interceptor\n * when a `@TenantScoped({ mode: 'required' })` operation is attempted outside\n * any `withTenant()` scope.\n *\n * The `code` property is always `'TENANT_CONTEXT_REQUIRED'` and can be used for\n * programmatic error handling.\n *\n * @example\n * ```typescript\n * try {\n * const tenantId = requireTenantId();\n * } catch (err) {\n * if (err instanceof TenantContextError) {\n * // err.code === 'TENANT_CONTEXT_REQUIRED'\n * }\n * }\n * ```\n *\n * @see requireTenant\n * @see requireTenantId\n * @see TenantIsolationError\n */\nexport class TenantContextError extends Error {\n /** Stable error code; always `'TENANT_CONTEXT_REQUIRED'`. */\n readonly code = 'TENANT_CONTEXT_REQUIRED';\n\n constructor(message: string) {\n super(message);\n this.name = 'TenantContextError';\n }\n}\n\n/**\n * Error thrown when a tenant isolation boundary is crossed.\n *\n * Raised by the tenant interceptor when:\n * - A `list()` or `get()` query explicitly filters by a tenant ID that does not\n * match the current context tenant.\n * - A `save()` or `delete()` is attempted on an object whose `tenantId` field\n * belongs to a different tenant than the current context.\n * - A raw SQL query is executed against a tenant-scoped class without an\n * explicit bypass (when `rawQueryPolicy` is `'throw'`).\n *\n * The `code` property is always `'TENANT_ISOLATION_VIOLATION'`.\n *\n * @example\n * ```typescript\n * try {\n * await collection.list({ where: { tenantId: 'other-tenant' } });\n * } catch (err) {\n * if (err instanceof TenantIsolationError) {\n * // err.tenantId — context tenant\n * // err.attemptedTenantId — tenant that was attempted\n * }\n * }\n * ```\n *\n * @see TenantContextError\n * @see createTenantInterceptor\n */\nexport class TenantIsolationError extends Error {\n /** Stable error code; always `'TENANT_ISOLATION_VIOLATION'`. */\n readonly code = 'TENANT_ISOLATION_VIOLATION';\n /** The tenant ID that is active in the current context. */\n readonly tenantId?: string;\n /** The tenant ID that was attempted (and rejected). */\n readonly attemptedTenantId?: string;\n\n constructor(\n message: string,\n details?: { tenantId?: string; attemptedTenantId?: string },\n ) {\n super(message);\n this.name = 'TenantIsolationError';\n this.tenantId = details?.tenantId;\n this.attemptedTenantId = details?.attemptedTenantId;\n }\n}\n"],"names":[],"mappings":";AA6FA,MAAM,wBAAwB,uBAAO,IAAI,qBAAqB;AAM9D,MAAM,gBAAgB,IAAI,kBAAA;AAsBnB,SAAS,mBAAkD;AAChE,QAAM,QAAQ,cAAc,SAAA;AAE5B,MAAI,UAAU,uBAAuB;AACnC,WAAO;AAAA,EACT;AACA,SAAO;AACT;AAoBO,SAAS,gBAAmC;AACjD,QAAM,MAAM,cAAc,SAAA;AAC1B,MAAI,CAAC,OAAO,QAAQ,uBAAuB;AACzC,UAAM,IAAI;AAAA,MACR;AAAA,IAAA;AAAA,EAGJ;AACA,SAAO;AACT;AAmBO,SAAS,kBAA0B;AACxC,SAAO,gBAAgB;AACzB;AAsBO,SAAS,cAAkC;AAChD,QAAM,QAAQ,cAAc,SAAA;AAC5B,MAAI,UAAU,uBAAuB;AACnC,WAAO;AAAA,EACT;AACA,SAAO,OAAO;AAChB;AAoBO,SAAS,mBAA4B;AAC1C,QAAM,QAAQ,cAAc,SAAA;AAE5B,SAAO,UAAU,UAAa,UAAU;AAC1C;AAeO,SAAS,kBAA2B;AACzC,SAAO,cAAc,eAAe;AACtC;AAcO,SAAS,qBAA8B;AAC5C,QAAM,QAAQ,cAAc,SAAA;AAC5B,MAAI,UAAU,uBAAuB;AACnC,WAAO;AAAA,EACT;AACA,SAAO,OAAO,qBAAqB;AACrC;AAiBA,eAAsB,WACpB,SACA,IACY;AACZ,QAAM,cAAiC;AAAA,IACrC,iCAAiB,IAAA;AAAA,IACjB,GAAG;AAAA,EAAA;AAEL,SAAO,cAAc,IAAI,aAAa,EAAE;AAC1C;AAsBO,SAAS,eACd,SACA,IACG;AACH,QAAM,cAAiC;AAAA,IACrC,iCAAiB,IAAA;AAAA,IACjB,GAAG;AAAA,EAAA;AAEL,SAAO,cAAc,IAAI,aAAa,EAAE;AAC1C;AAoBO,SAAS,mBACd,SACM;AACN,QAAM,cAAiC;AAAA,IACrC,iCAAiB,IAAA;AAAA,IACjB,GAAG;AAAA,EAAA;AAEL,gBAAc,UAAU,WAAW;AACrC;AAwBA,eAAsB,kBAAqB,IAAkC;AAE3E,SAAO,cAAc,IAAI,uBAAuB,EAAE;AACpD;AAgCA,eAAsB,qBACpB,IACY;AACZ,QAAM,UAAU,cAAc,SAAA;AAC9B,MAAI,CAAC,WAAW,YAAY,uBAAuB;AACjD,UAAM,IAAI;AAAA,MACR;AAAA,IAAA;AAAA,EAGJ;AAEA,QAAM,gBAAmC;AAAA,IACvC,GAAG;AAAA,IACH,kBAAkB;AAAA,EAAA;AAGpB,SAAO,cAAc,IAAI,eAAe,EAAE;AAC5C;AA0BO,MAAM,gBAAgB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAuB3B,KAAgD,IAAU;AACxD,UAAM,QAAQ,cAAc,SAAA;AAC5B,QAAI,CAAC,OAAO;AAEV,aAAO;AAAA,IACT;AAGA,YAAQ,IAAI,SAAoB;AAC9B,aAAO,cAAc,IAAI,OAAO,MAAM,GAAG,GAAG,IAAI,CAAC;AAAA,IACnD;AAAA,EACF;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,UAAyC;AAC3C,WAAO,iBAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,IAAI,WAAoB;AACtB,WAAO,gBAAA;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAkBA,MAAM,kBACJ,KACA,IACY;AACZ,UAAM,WAAW,IAAI,UAAU,YAAY,IAAI;AAC/C,QAAI,CAAC,UAAU;AACb,YAAM,IAAI;AAAA,QACR;AAAA,MAAA;AAAA,IAGJ;AAEA,WAAO,WAAW,EAAE,SAAA,GAAY,EAAE;AAAA,EACpC;AACF;AA2BO,MAAM,2BAA2B,MAAM;AAAA;AAAA,EAEnC,OAAO;AAAA,EAEhB,YAAY,SAAiB;AAC3B,UAAM,OAAO;AACb,SAAK,OAAO;AAAA,EACd;AACF;AA8BO,MAAM,6BAA6B,MAAM;AAAA;AAAA,EAErC,OAAO;AAAA;AAAA,EAEP;AAAA;AAAA,EAEA;AAAA,EAET,YACE,SACA,SACA;AACA,UAAM,OAAO;AACb,SAAK,OAAO;AACZ,SAAK,WAAW,SAAS;AACzB,SAAK,oBAAoB,SAAS;AAAA,EACpC;AACF;"}
package/dist/chunks/{sveltekit-9eRH1RLw.js → sveltekit-C2HTOgcm.js} RENAMED
@@ -1,4 +1,4 @@
1
- import { k as withTenant, j as withSystemContext, e as enterTenantContext } from "./context-B5CKsmMi.js";
1
+ import { w as withTenant, a as withSystemContext, e as enterTenantContext } from "./context-DfTygamS.js";
2
2
  function createCliContext(options = {}) {
3
3
  const {
4
4
  resolveTenantId,
@@ -150,4 +150,4 @@ export {
150
150
  createSvelteKitHandle as b,
151
151
  createCliContext as c
152
152
  };
153
- //# sourceMappingURL=sveltekit-9eRH1RLw.js.map
153
+ //# sourceMappingURL=sveltekit-C2HTOgcm.js.map
package/dist/chunks/{sveltekit-9eRH1RLw.js.map → sveltekit-C2HTOgcm.js.map} RENAMED
@@ -1 +1 @@
1
- {"version":3,"file":"sveltekit-9eRH1RLw.js","sources":["../../src/adapters/cli.ts","../../src/adapters/express.ts","../../src/adapters/sveltekit.ts"],"sourcesContent":["/**\n * CLI Adapter for smrt-tenancy\n *\n * Provides utilities for setting up tenant context in CLI tools.\n *\n * @example\n * ```typescript\n * import { createCliContext } from '@happyvertical/smrt-tenancy/adapters';\n *\n * // Create context helper for CLI\n * const cliContext = createCliContext({\n * resolveTenantId: () => process.env.TENANT_ID,\n * });\n *\n * // Run command in tenant context\n * await cliContext.run(async () => {\n * await documentCollection.list({});\n * });\n * ```\n */\n\nimport {\n type TenantContextData,\n withSystemContext,\n withTenant,\n} from '../context.js';\n\n/**\n * Configuration for the CLI context runner created by `createCliContext()`.\n *\n * `resolveTenantId` is optional — when omitted (or when it returns\n * `null`/`undefined`) the `run()` method falls back to `withSystemContext()`.\n *\n * @see createCliContext\n * @see CliContextRunner\n */\nexport interface CliContextOptions {\n /**\n * Resolve tenant ID\n *\n * Common sources:\n * - Environment variable: () => process.env.TENANT_ID\n * - Command line argument: () => argv.tenant\n * - Config file: () => config.tenantId\n */\n resolveTenantId?: () =>\n | Promise<string | null | undefined>\n | string\n | null\n | undefined;\n\n /**\n * Resolve user ID (optional)\n */\n resolveUserId?: () =>\n | Promise<string | null | undefined>\n | string\n | null\n | undefined;\n\n /**\n * Default permissions for CLI operations\n */\n defaultPermissions?: Set<string>;\n\n /**\n * Run CLI as super admin by default\n * @default false\n */\n superAdminByDefault?: boolean;\n}\n\n/**\n * Context runner returned by `createCliContext()`.\n *\n * Provides four execution modes suitable for different CLI scenarios:\n * - `run()` — resolves the tenant from the configured options and runs code in\n * that context; falls back to system context if no tenant is available.\n * - `runWithTenant()` — explicitly specify a tenant ID for this invocation.\n * - `runAsSystem()` — bypass all tenant checks (migration scripts, admin tools).\n * - `runAsSuperAdmin()` — tenant context with bypass flag enabled.\n *\n * @see createCliContext\n */\nexport interface CliContextRunner {\n /**\n * Run `fn` inside the tenant context resolved from the `CliContextOptions`.\n *\n * Falls back to `withSystemContext()` when no tenant ID is available.\n *\n * @param fn - Async function to execute.\n * @returns Promise resolving to the return value of `fn`.\n */\n run<T>(fn: () => Promise<T>): Promise<T>;\n\n /**\n * Run `fn` inside the context of the specified tenant.\n *\n * @param tenantId - Tenant ID to set as context.\n * @param fn - Async function to execute.\n * @returns Promise resolving to the return value of `fn`.\n */\n runWithTenant<T>(tenantId: string, fn: () => Promise<T>): Promise<T>;\n\n /**\n * Run `fn` in system context, bypassing all tenant checks.\n *\n * @param fn - Async function to execute.\n * @returns Promise resolving to the return value of `fn`.\n */\n runAsSystem<T>(fn: () => Promise<T>): Promise<T>;\n\n /**\n * Run `fn` with a tenant context and super admin bypass enabled.\n *\n * @param tenantId - Tenant ID to set as context.\n * @param fn - Async function to execute.\n * @returns Promise resolving to the return value of `fn`.\n */\n runAsSuperAdmin<T>(tenantId: string, fn: () => Promise<T>): Promise<T>;\n}\n\n/**\n * Create a CLI context runner\n *\n * @param options - Configuration options\n * @returns CLI context runner with various execution modes\n *\n * @example\n * ```typescript\n * const cli = createCliContext({\n * resolveTenantId: () => process.env.TENANT_ID,\n * superAdminByDefault: true,\n * });\n *\n * // Use resolved tenant\n * await cli.run(async () => {\n * const docs = await collection.list({});\n * console.log(`Found ${docs.length} documents`);\n * });\n *\n * // Override tenant\n * await cli.runWithTenant('other-tenant', async () => {\n * // Operations in other-tenant context\n * });\n *\n * // System operations (no tenant)\n * await cli.runAsSystem(async () => {\n * // Can access all data\n * const allDocs = await collection.list({});\n * });\n * ```\n */\nexport function createCliContext(\n options: CliContextOptions = {},\n): CliContextRunner {\n const {\n resolveTenantId,\n resolveUserId,\n defaultPermissions = new Set<string>(),\n superAdminByDefault = false,\n } = options;\n\n return {\n async run<T>(fn: () => Promise<T>): Promise<T> {\n const tenantId = resolveTenantId ? await resolveTenantId() : null;\n\n if (!tenantId) {\n // No tenant configured - run in system context\n return withSystemContext(fn);\n }\n\n const userId = resolveUserId ? await resolveUserId() : undefined;\n\n const context: TenantContextData = {\n tenantId,\n userId: userId ?? undefined,\n permissions: defaultPermissions,\n superAdminBypass: superAdminByDefault,\n };\n\n return withTenant(context, fn);\n },\n\n async runWithTenant<T>(tenantId: string, fn: () => Promise<T>): Promise<T> {\n const userId = resolveUserId ? await resolveUserId() : undefined;\n\n const context: TenantContextData = {\n tenantId,\n userId: userId ?? undefined,\n permissions: defaultPermissions,\n superAdminBypass: superAdminByDefault,\n };\n\n return withTenant(context, fn);\n },\n\n async runAsSystem<T>(fn: () => Promise<T>): Promise<T> {\n return withSystemContext(fn);\n },\n\n async runAsSuperAdmin<T>(\n tenantId: string,\n fn: () => Promise<T>,\n ): Promise<T> {\n const userId = resolveUserId ? await resolveUserId() : undefined;\n\n const context: TenantContextData = {\n tenantId,\n userId: userId ?? undefined,\n permissions: defaultPermissions,\n superAdminBypass: true,\n };\n\n return withTenant(context, fn);\n },\n };\n}\n\n/**\n * Run an async function with a specific tenant ID set as context.\n *\n * Convenience wrapper around `withTenant()` for one-off CLI operations where\n * a full `CliContextRunner` is not needed.\n *\n * @param tenantId - Tenant ID to set as the active context.\n * @param fn - Async function to execute in the tenant context.\n * @returns Promise resolving to the return value of `fn`.\n *\n * @example\n * ```typescript\n * import { runWithTenant } from '@happyvertical/smrt-tenancy/adapters';\n *\n * await runWithTenant('tenant-123', async () => {\n * await collection.list({});\n * });\n * ```\n *\n * @see createCliContext\n * @see runAsSystem\n */\nexport async function runWithTenant<T>(\n tenantId: string,\n fn: () => Promise<T>,\n): Promise<T> {\n return withTenant({ tenantId }, fn);\n}\n\n/**\n * Run an async function in system context, bypassing all tenant checks.\n *\n * Convenience wrapper around `withSystemContext()` for one-off CLI operations\n * such as migration scripts or admin tooling that needs cross-tenant access.\n *\n * @param fn - Async function to execute in system context.\n * @returns Promise resolving to the return value of `fn`.\n *\n * @example\n * ```typescript\n * import { runAsSystem } from '@happyvertical/smrt-tenancy/adapters';\n *\n * await runAsSystem(async () => {\n * const all = await collection.list({});\n * console.log(`Total records: ${all.length}`);\n * });\n * ```\n *\n * @see runWithTenant\n * @see createCliContext\n */\nexport async function runAsSystem<T>(fn: () => Promise<T>): Promise<T> {\n return withSystemContext(fn);\n}\n","/**\n * Express Adapter for smrt-tenancy\n *\n * Provides Express middleware that sets up tenant context for each request.\n *\n * @example\n * ```typescript\n * import express from 'express';\n * import { createExpressMiddleware } from '@happyvertical/smrt-tenancy/adapters';\n *\n * const app = express();\n *\n * app.use(createExpressMiddleware({\n * resolveTenantId: (req) => req.headers['x-tenant-id'] as string,\n * }));\n * ```\n */\n\nimport { enterTenantContext, type TenantContextData } from '../context.js';\n\n/**\n * Express Request interface (minimal to avoid direct dependency)\n */\ninterface ExpressRequest {\n headers: Record<string, string | string[] | undefined>;\n url: string;\n path: string;\n query: Record<string, unknown>;\n cookies?: Record<string, string>;\n}\n\n/**\n * Express Response interface\n */\ninterface ExpressResponse {\n status(code: number): ExpressResponse;\n json(data: unknown): ExpressResponse;\n send(data: unknown): ExpressResponse;\n}\n\n/**\n * Express NextFunction\n */\ntype ExpressNext = (error?: unknown) => void;\n\n/**\n * Configuration options for the Express tenancy middleware created by\n * `createExpressMiddleware()`.\n *\n * Only `resolveTenantId` is required. All callback options receive the raw\n * Express `Request` object so you can extract tenant information from headers,\n * subdomains, cookies, or any other request property.\n *\n * @see createExpressMiddleware\n */\nexport interface ExpressMiddlewareOptions {\n /**\n * Resolve tenant ID from the request\n */\n resolveTenantId: (\n req: ExpressRequest,\n ) => Promise<string | null | undefined> | string | null | undefined;\n\n /**\n * Resolve user ID from the request (optional)\n */\n resolveUserId?: (\n req: ExpressRequest,\n ) => Promise<string | null | undefined> | string | null | undefined;\n\n /**\n * Resolve permissions (optional)\n */\n resolvePermissions?: (\n req: ExpressRequest,\n tenantId: string,\n userId?: string,\n ) => Promise<Set<string>> | Set<string>;\n\n /**\n * Check if user is super admin (optional)\n */\n isSuperAdmin?: (\n req: ExpressRequest,\n tenantId: string,\n userId?: string,\n ) => Promise<boolean> | boolean;\n\n /**\n * Called when no tenant ID could be resolved\n * Return true to continue, false to stop with 400 error.\n */\n onNoTenant?: (\n req: ExpressRequest,\n res: ExpressResponse,\n ) => Promise<boolean> | boolean;\n\n /**\n * Paths to exclude from tenant context\n */\n excludePaths?: string[];\n}\n\n/**\n * Create an Express middleware function that establishes tenant context for\n * every incoming request.\n *\n * Uses `enterTenantContext()` (rather than `withTenant()`) because Express\n * middleware returns before route handlers execute. `enterWith()` sets the\n * context on the current async resource so it propagates to handlers that run\n * after `next()` is called.\n *\n * The resolved context is also attached directly to the request object for\n * convenience:\n * - `req.tenantContext` — full `TenantContextData`\n * - `req.tenantId` — string tenant ID shortcut\n *\n * When no tenant ID can be resolved, the default behaviour returns a `400`\n * JSON response. Customise this with the `onNoTenant` option.\n *\n * @param options - Middleware configuration including the required\n * `resolveTenantId` callback.\n * @returns An Express-compatible middleware function `(req, res, next) => void`.\n *\n * @example\n * ```typescript\n * import express from 'express';\n * import { createExpressMiddleware } from '@happyvertical/smrt-tenancy/adapters';\n *\n * const app = express();\n * app.use(createExpressMiddleware({\n * resolveTenantId: (req) => req.headers['x-tenant-id'] as string,\n * excludePaths: ['/health', '/public/*'],\n * }));\n * ```\n *\n * @see ExpressMiddlewareOptions\n * @see createSvelteKitHandle\n */\nexport function createExpressMiddleware(options: ExpressMiddlewareOptions) {\n const {\n resolveTenantId,\n resolveUserId,\n resolvePermissions,\n isSuperAdmin,\n onNoTenant,\n excludePaths = [],\n } = options;\n\n return async function tenancyMiddleware(\n req: ExpressRequest,\n res: ExpressResponse,\n next: ExpressNext,\n ): Promise<void> {\n try {\n // Check excluded paths\n if (excludePaths.some((pattern) => matchPath(req.path, pattern))) {\n next();\n return;\n }\n\n // Resolve tenant ID\n const tenantId = await resolveTenantId(req);\n\n if (!tenantId) {\n if (onNoTenant) {\n const shouldContinue = await onNoTenant(req, res);\n if (shouldContinue) {\n next();\n return;\n }\n } else {\n res.status(400).json({\n error: 'Tenant ID required',\n message:\n 'Please provide a tenant ID via header, subdomain, or query parameter.',\n });\n return;\n }\n return;\n }\n\n // Resolve optional context\n const userId = resolveUserId ? await resolveUserId(req) : undefined;\n const permissions = resolvePermissions\n ? await resolvePermissions(req, tenantId, userId ?? undefined)\n : new Set<string>();\n const superAdminBypass = isSuperAdmin\n ? await isSuperAdmin(req, tenantId, userId ?? undefined)\n : false;\n\n // Build context\n const context: TenantContextData = {\n tenantId,\n userId: userId ?? undefined,\n permissions,\n superAdminBypass,\n };\n\n // Attach to request for access in route handlers\n (req as any).tenantContext = context;\n (req as any).tenantId = tenantId;\n\n // Use enterWith() to establish context that persists for the entire\n // request lifecycle. This ensures route handlers have access to\n // tenant context via AsyncLocalStorage.\n enterTenantContext(context);\n next();\n } catch (error) {\n next(error);\n }\n };\n}\n\n/**\n * Simple glob pattern matching for paths\n */\nfunction matchPath(path: string, pattern: string): boolean {\n const regexPattern = pattern\n .replace(/\\*/g, '.*')\n .replace(/\\//g, '\\\\/')\n .replace(/\\?/g, '.');\n\n return new RegExp(`^${regexPattern}$`).test(path);\n}\n","/**\n * SvelteKit Adapter for smrt-tenancy\n *\n * Provides a SvelteKit Handle that sets up tenant context for each request.\n *\n * @example\n * ```typescript\n * // hooks.server.ts\n * import { createSvelteKitHandle } from '@happyvertical/smrt-tenancy/adapters';\n *\n * export const handle = createSvelteKitHandle({\n * resolveTenantId: async (event) => {\n * // From subdomain\n * const host = event.request.headers.get('host');\n * const subdomain = host?.split('.')[0];\n * return subdomain;\n *\n * // Or from header\n * // return event.request.headers.get('x-tenant-id');\n *\n * // Or from cookie\n * // return event.cookies.get('tenant_id');\n * }\n * });\n * ```\n */\n\nimport { type TenantContextData, withTenant } from '../context.js';\n\n/**\n * SvelteKit RequestEvent (minimal interface to avoid direct dependency)\n */\ninterface SvelteKitEvent {\n request: Request;\n url: URL;\n cookies: {\n get(name: string): string | undefined;\n set(name: string, value: string, opts?: unknown): void;\n };\n locals: Record<string, unknown>;\n}\n\n/**\n * SvelteKit resolve function\n */\ntype SvelteKitResolve = (event: SvelteKitEvent) => Promise<Response>;\n\n/**\n * Configuration options for the SvelteKit tenancy handle created by\n * `createSvelteKitHandle()`.\n *\n * Only `resolveTenantId` is required; all other fields are optional callbacks\n * used to enrich the context or customise missing-tenant behaviour.\n *\n * @see createSvelteKitHandle\n */\nexport interface SvelteKitHandleOptions {\n /**\n * Resolve tenant ID from the request\n *\n * Return the tenant ID string, or null/undefined if no tenant context should be set.\n */\n resolveTenantId: (\n event: SvelteKitEvent,\n ) => Promise<string | null | undefined> | string | null | undefined;\n\n /**\n * Resolve user ID from the request (optional)\n */\n resolveUserId?: (\n event: SvelteKitEvent,\n ) => Promise<string | null | undefined> | string | null | undefined;\n\n /**\n * Resolve permissions for the user in this tenant (optional)\n */\n resolvePermissions?: (\n event: SvelteKitEvent,\n tenantId: string,\n userId?: string,\n ) => Promise<Set<string>> | Set<string>;\n\n /**\n * Check if user is a super admin (optional)\n * If true and super admin bypass is enabled on the class, tenant filtering is skipped.\n */\n isSuperAdmin?: (\n event: SvelteKitEvent,\n tenantId: string,\n userId?: string,\n ) => Promise<boolean> | boolean;\n\n /**\n * Called when no tenant ID could be resolved\n * Return a Response to short-circuit, or undefined to continue without tenant context.\n */\n onNoTenant?: (\n event: SvelteKitEvent,\n ) => Promise<Response | undefined> | Response | undefined;\n\n /**\n * Paths to exclude from tenant context (e.g., public APIs, health checks)\n * Supports glob patterns.\n */\n excludePaths?: string[];\n}\n\n/**\n * Create a SvelteKit `Handle` function that establishes tenant context for\n * every server-side request.\n *\n * The returned handle wraps the `resolve` call in `withTenant()` so that all\n * server-side load functions, API routes, and `+server.ts` handlers within the\n * request share the same tenant context via `AsyncLocalStorage`.\n *\n * The resolved context is also stored in `event.locals` under two keys:\n * - `event.locals.tenantContext` — full `TenantContextData`\n * - `event.locals.tenantId` — string tenant ID shortcut\n *\n * When no tenant ID can be resolved (and no custom `onNoTenant` handler\n * returns a `Response`), the request continues without any tenant context.\n *\n * @param options - Configuration options including the required\n * `resolveTenantId` callback.\n * @returns A SvelteKit `Handle` function suitable for use in `hooks.server.ts`.\n *\n * @example\n * ```typescript\n * // src/hooks.server.ts\n * import { createSvelteKitHandle } from '@happyvertical/smrt-tenancy/adapters';\n *\n * export const handle = createSvelteKitHandle({\n * resolveTenantId: (event) =>\n * event.request.headers.get('x-tenant-id'),\n * onNoTenant: () =>\n * new Response('Tenant required', { status: 400 }),\n * });\n * ```\n *\n * @see SvelteKitHandleOptions\n * @see createExpressMiddleware\n */\nexport function createSvelteKitHandle(options: SvelteKitHandleOptions) {\n const {\n resolveTenantId,\n resolveUserId,\n resolvePermissions,\n isSuperAdmin,\n onNoTenant,\n excludePaths = [],\n } = options;\n\n return async function handle({\n event,\n resolve,\n }: {\n event: SvelteKitEvent;\n resolve: SvelteKitResolve;\n }): Promise<Response> {\n // Check excluded paths\n const path = event.url.pathname;\n if (excludePaths.some((pattern) => matchPath(path, pattern))) {\n return resolve(event);\n }\n\n // Resolve tenant ID\n const tenantId = await resolveTenantId(event);\n\n if (!tenantId) {\n // No tenant ID - call handler or continue without context\n if (onNoTenant) {\n const response = await onNoTenant(event);\n if (response) {\n return response;\n }\n }\n return resolve(event);\n }\n\n // Resolve optional context data\n const userId = resolveUserId ? await resolveUserId(event) : undefined;\n const permissions = resolvePermissions\n ? await resolvePermissions(event, tenantId, userId ?? undefined)\n : new Set<string>();\n const superAdminBypass = isSuperAdmin\n ? await isSuperAdmin(event, tenantId, userId ?? undefined)\n : false;\n\n // Build context\n const context: TenantContextData = {\n tenantId,\n userId: userId ?? undefined,\n permissions,\n superAdminBypass,\n };\n\n // Store in locals for access in load functions\n event.locals.tenantContext = context;\n event.locals.tenantId = tenantId;\n\n // Run request in tenant context\n return withTenant(context, () => resolve(event));\n };\n}\n\n/**\n * Simple glob pattern matching for paths\n */\nfunction matchPath(path: string, pattern: string): boolean {\n // Convert glob to regex\n const regexPattern = pattern\n .replace(/\\*/g, '.*')\n .replace(/\\//g, '\\\\/')\n .replace(/\\?/g, '.');\n\n return new RegExp(`^${regexPattern}$`).test(path);\n}\n"],"names":["matchPath"],"mappings":";AAyJO,SAAS,iBACd,UAA6B,IACX;AAClB,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA,yCAAyB,IAAA;AAAA,IACzB,sBAAsB;AAAA,EAAA,IACpB;AAEJ,SAAO;AAAA,IACL,MAAM,IAAO,IAAkC;AAC7C,YAAM,WAAW,kBAAkB,MAAM,gBAAA,IAAoB;AAE7D,UAAI,CAAC,UAAU;AAEb,eAAO,kBAAkB,EAAE;AAAA,MAC7B;AAEA,YAAM,SAAS,gBAAgB,MAAM,cAAA,IAAkB;AAEvD,YAAM,UAA6B;AAAA,QACjC;AAAA,QACA,QAAQ,UAAU;AAAA,QAClB,aAAa;AAAA,QACb,kBAAkB;AAAA,MAAA;AAGpB,aAAO,WAAW,SAAS,EAAE;AAAA,IAC/B;AAAA,IAEA,MAAM,cAAiB,UAAkB,IAAkC;AACzE,YAAM,SAAS,gBAAgB,MAAM,cAAA,IAAkB;AAEvD,YAAM,UAA6B;AAAA,QACjC;AAAA,QACA,QAAQ,UAAU;AAAA,QAClB,aAAa;AAAA,QACb,kBAAkB;AAAA,MAAA;AAGpB,aAAO,WAAW,SAAS,EAAE;AAAA,IAC/B;AAAA,IAEA,MAAM,YAAe,IAAkC;AACrD,aAAO,kBAAkB,EAAE;AAAA,IAC7B;AAAA,IAEA,MAAM,gBACJ,UACA,IACY;AACZ,YAAM,SAAS,gBAAgB,MAAM,cAAA,IAAkB;AAEvD,YAAM,UAA6B;AAAA,QACjC;AAAA,QACA,QAAQ,UAAU;AAAA,QAClB,aAAa;AAAA,QACb,kBAAkB;AAAA,MAAA;AAGpB,aAAO,WAAW,SAAS,EAAE;AAAA,IAC/B;AAAA,EAAA;AAEJ;AC9EO,SAAS,wBAAwB,SAAmC;AACzE,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,eAAe,CAAA;AAAA,EAAC,IACd;AAEJ,SAAO,eAAe,kBACpB,KACA,KACA,MACe;AACf,QAAI;AAEF,UAAI,aAAa,KAAK,CAAC,YAAYA,YAAU,IAAI,MAAM,OAAO,CAAC,GAAG;AAChE,aAAA;AACA;AAAA,MACF;AAGA,YAAM,WAAW,MAAM,gBAAgB,GAAG;AAE1C,UAAI,CAAC,UAAU;AACb,YAAI,YAAY;AACd,gBAAM,iBAAiB,MAAM,WAAW,KAAK,GAAG;AAChD,cAAI,gBAAgB;AAClB,iBAAA;AACA;AAAA,UACF;AAAA,QACF,OAAO;AACL,cAAI,OAAO,GAAG,EAAE,KAAK;AAAA,YACnB,OAAO;AAAA,YACP,SACE;AAAA,UAAA,CACH;AACD;AAAA,QACF;AACA;AAAA,MACF;AAGA,YAAM,SAAS,gBAAgB,MAAM,cAAc,GAAG,IAAI;AAC1D,YAAM,cAAc,qBAChB,MAAM,mBAAmB,KAAK,UAAU,UAAU,MAAS,IAC3D,oBAAI,IAAA;AACR,YAAM,mBAAmB,eACrB,MAAM,aAAa,KAAK,UAAU,UAAU,MAAS,IACrD;AAGJ,YAAM,UAA6B;AAAA,QACjC;AAAA,QACA,QAAQ,UAAU;AAAA,QAClB;AAAA,QACA;AAAA,MAAA;AAID,UAAY,gBAAgB;AAC5B,UAAY,WAAW;AAKxB,yBAAmB,OAAO;AAC1B,WAAA;AAAA,IACF,SAAS,OAAO;AACd,WAAK,KAAK;AAAA,IACZ;AAAA,EACF;AACF;AAKA,SAASA,YAAU,MAAc,SAA0B;AACzD,QAAM,eAAe,QAClB,QAAQ,OAAO,IAAI,EACnB,QAAQ,OAAO,KAAK,EACpB,QAAQ,OAAO,GAAG;AAErB,SAAO,IAAI,OAAO,IAAI,YAAY,GAAG,EAAE,KAAK,IAAI;AAClD;AClFO,SAAS,sBAAsB,SAAiC;AACrE,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,eAAe,CAAA;AAAA,EAAC,IACd;AAEJ,SAAO,eAAe,OAAO;AAAA,IAC3B;AAAA,IACA;AAAA,EAAA,GAIoB;AAEpB,UAAM,OAAO,MAAM,IAAI;AACvB,QAAI,aAAa,KAAK,CAAC,YAAY,UAAU,MAAM,OAAO,CAAC,GAAG;AAC5D,aAAO,QAAQ,KAAK;AAAA,IACtB;AAGA,UAAM,WAAW,MAAM,gBAAgB,KAAK;AAE5C,QAAI,CAAC,UAAU;AAEb,UAAI,YAAY;AACd,cAAM,WAAW,MAAM,WAAW,KAAK;AACvC,YAAI,UAAU;AACZ,iBAAO;AAAA,QACT;AAAA,MACF;AACA,aAAO,QAAQ,KAAK;AAAA,IACtB;AAGA,UAAM,SAAS,gBAAgB,MAAM,cAAc,KAAK,IAAI;AAC5D,UAAM,cAAc,qBAChB,MAAM,mBAAmB,OAAO,UAAU,UAAU,MAAS,IAC7D,oBAAI,IAAA;AACR,UAAM,mBAAmB,eACrB,MAAM,aAAa,OAAO,UAAU,UAAU,MAAS,IACvD;AAGJ,UAAM,UAA6B;AAAA,MACjC;AAAA,MACA,QAAQ,UAAU;AAAA,MAClB;AAAA,MACA;AAAA,IAAA;AAIF,UAAM,OAAO,gBAAgB;AAC7B,UAAM,OAAO,WAAW;AAGxB,WAAO,WAAW,SAAS,MAAM,QAAQ,KAAK,CAAC;AAAA,EACjD;AACF;AAKA,SAAS,UAAU,MAAc,SAA0B;AAEzD,QAAM,eAAe,QAClB,QAAQ,OAAO,IAAI,EACnB,QAAQ,OAAO,KAAK,EACpB,QAAQ,OAAO,GAAG;AAErB,SAAO,IAAI,OAAO,IAAI,YAAY,GAAG,EAAE,KAAK,IAAI;AAClD;"}
1
+ {"version":3,"file":"sveltekit-C2HTOgcm.js","sources":["../../src/adapters/cli.ts","../../src/adapters/express.ts","../../src/adapters/sveltekit.ts"],"sourcesContent":["/**\n * CLI Adapter for smrt-tenancy\n *\n * Provides utilities for setting up tenant context in CLI tools.\n *\n * @example\n * ```typescript\n * import { createCliContext } from '@happyvertical/smrt-tenancy/adapters';\n *\n * // Create context helper for CLI\n * const cliContext = createCliContext({\n * resolveTenantId: () => process.env.TENANT_ID,\n * });\n *\n * // Run command in tenant context\n * await cliContext.run(async () => {\n * await documentCollection.list({});\n * });\n * ```\n */\n\nimport {\n type TenantContextData,\n withSystemContext,\n withTenant,\n} from '../context.js';\n\n/**\n * Configuration for the CLI context runner created by `createCliContext()`.\n *\n * `resolveTenantId` is optional — when omitted (or when it returns\n * `null`/`undefined`) the `run()` method falls back to `withSystemContext()`.\n *\n * @see createCliContext\n * @see CliContextRunner\n */\nexport interface CliContextOptions {\n /**\n * Resolve tenant ID\n *\n * Common sources:\n * - Environment variable: () => process.env.TENANT_ID\n * - Command line argument: () => argv.tenant\n * - Config file: () => config.tenantId\n */\n resolveTenantId?: () =>\n | Promise<string | null | undefined>\n | string\n | null\n | undefined;\n\n /**\n * Resolve user ID (optional)\n */\n resolveUserId?: () =>\n | Promise<string | null | undefined>\n | string\n | null\n | undefined;\n\n /**\n * Default permissions for CLI operations\n */\n defaultPermissions?: Set<string>;\n\n /**\n * Run CLI as super admin by default\n * @default false\n */\n superAdminByDefault?: boolean;\n}\n\n/**\n * Context runner returned by `createCliContext()`.\n *\n * Provides four execution modes suitable for different CLI scenarios:\n * - `run()` — resolves the tenant from the configured options and runs code in\n * that context; falls back to system context if no tenant is available.\n * - `runWithTenant()` — explicitly specify a tenant ID for this invocation.\n * - `runAsSystem()` — bypass all tenant checks (migration scripts, admin tools).\n * - `runAsSuperAdmin()` — tenant context with bypass flag enabled.\n *\n * @see createCliContext\n */\nexport interface CliContextRunner {\n /**\n * Run `fn` inside the tenant context resolved from the `CliContextOptions`.\n *\n * Falls back to `withSystemContext()` when no tenant ID is available.\n *\n * @param fn - Async function to execute.\n * @returns Promise resolving to the return value of `fn`.\n */\n run<T>(fn: () => Promise<T>): Promise<T>;\n\n /**\n * Run `fn` inside the context of the specified tenant.\n *\n * @param tenantId - Tenant ID to set as context.\n * @param fn - Async function to execute.\n * @returns Promise resolving to the return value of `fn`.\n */\n runWithTenant<T>(tenantId: string, fn: () => Promise<T>): Promise<T>;\n\n /**\n * Run `fn` in system context, bypassing all tenant checks.\n *\n * @param fn - Async function to execute.\n * @returns Promise resolving to the return value of `fn`.\n */\n runAsSystem<T>(fn: () => Promise<T>): Promise<T>;\n\n /**\n * Run `fn` with a tenant context and super admin bypass enabled.\n *\n * @param tenantId - Tenant ID to set as context.\n * @param fn - Async function to execute.\n * @returns Promise resolving to the return value of `fn`.\n */\n runAsSuperAdmin<T>(tenantId: string, fn: () => Promise<T>): Promise<T>;\n}\n\n/**\n * Create a CLI context runner\n *\n * @param options - Configuration options\n * @returns CLI context runner with various execution modes\n *\n * @example\n * ```typescript\n * const cli = createCliContext({\n * resolveTenantId: () => process.env.TENANT_ID,\n * superAdminByDefault: true,\n * });\n *\n * // Use resolved tenant\n * await cli.run(async () => {\n * const docs = await collection.list({});\n * console.log(`Found ${docs.length} documents`);\n * });\n *\n * // Override tenant\n * await cli.runWithTenant('other-tenant', async () => {\n * // Operations in other-tenant context\n * });\n *\n * // System operations (no tenant)\n * await cli.runAsSystem(async () => {\n * // Can access all data\n * const allDocs = await collection.list({});\n * });\n * ```\n */\nexport function createCliContext(\n options: CliContextOptions = {},\n): CliContextRunner {\n const {\n resolveTenantId,\n resolveUserId,\n defaultPermissions = new Set<string>(),\n superAdminByDefault = false,\n } = options;\n\n return {\n async run<T>(fn: () => Promise<T>): Promise<T> {\n const tenantId = resolveTenantId ? await resolveTenantId() : null;\n\n if (!tenantId) {\n // No tenant configured - run in system context\n return withSystemContext(fn);\n }\n\n const userId = resolveUserId ? await resolveUserId() : undefined;\n\n const context: TenantContextData = {\n tenantId,\n userId: userId ?? undefined,\n permissions: defaultPermissions,\n superAdminBypass: superAdminByDefault,\n };\n\n return withTenant(context, fn);\n },\n\n async runWithTenant<T>(tenantId: string, fn: () => Promise<T>): Promise<T> {\n const userId = resolveUserId ? await resolveUserId() : undefined;\n\n const context: TenantContextData = {\n tenantId,\n userId: userId ?? undefined,\n permissions: defaultPermissions,\n superAdminBypass: superAdminByDefault,\n };\n\n return withTenant(context, fn);\n },\n\n async runAsSystem<T>(fn: () => Promise<T>): Promise<T> {\n return withSystemContext(fn);\n },\n\n async runAsSuperAdmin<T>(\n tenantId: string,\n fn: () => Promise<T>,\n ): Promise<T> {\n const userId = resolveUserId ? await resolveUserId() : undefined;\n\n const context: TenantContextData = {\n tenantId,\n userId: userId ?? undefined,\n permissions: defaultPermissions,\n superAdminBypass: true,\n };\n\n return withTenant(context, fn);\n },\n };\n}\n\n/**\n * Run an async function with a specific tenant ID set as context.\n *\n * Convenience wrapper around `withTenant()` for one-off CLI operations where\n * a full `CliContextRunner` is not needed.\n *\n * @param tenantId - Tenant ID to set as the active context.\n * @param fn - Async function to execute in the tenant context.\n * @returns Promise resolving to the return value of `fn`.\n *\n * @example\n * ```typescript\n * import { runWithTenant } from '@happyvertical/smrt-tenancy/adapters';\n *\n * await runWithTenant('tenant-123', async () => {\n * await collection.list({});\n * });\n * ```\n *\n * @see createCliContext\n * @see runAsSystem\n */\nexport async function runWithTenant<T>(\n tenantId: string,\n fn: () => Promise<T>,\n): Promise<T> {\n return withTenant({ tenantId }, fn);\n}\n\n/**\n * Run an async function in system context, bypassing all tenant checks.\n *\n * Convenience wrapper around `withSystemContext()` for one-off CLI operations\n * such as migration scripts or admin tooling that needs cross-tenant access.\n *\n * @param fn - Async function to execute in system context.\n * @returns Promise resolving to the return value of `fn`.\n *\n * @example\n * ```typescript\n * import { runAsSystem } from '@happyvertical/smrt-tenancy/adapters';\n *\n * await runAsSystem(async () => {\n * const all = await collection.list({});\n * console.log(`Total records: ${all.length}`);\n * });\n * ```\n *\n * @see runWithTenant\n * @see createCliContext\n */\nexport async function runAsSystem<T>(fn: () => Promise<T>): Promise<T> {\n return withSystemContext(fn);\n}\n","/**\n * Express Adapter for smrt-tenancy\n *\n * Provides Express middleware that sets up tenant context for each request.\n *\n * @example\n * ```typescript\n * import express from 'express';\n * import { createExpressMiddleware } from '@happyvertical/smrt-tenancy/adapters';\n *\n * const app = express();\n *\n * app.use(createExpressMiddleware({\n * resolveTenantId: (req) => req.headers['x-tenant-id'] as string,\n * }));\n * ```\n */\n\nimport { enterTenantContext, type TenantContextData } from '../context.js';\n\n/**\n * Express Request interface (minimal to avoid direct dependency)\n */\ninterface ExpressRequest {\n headers: Record<string, string | string[] | undefined>;\n url: string;\n path: string;\n query: Record<string, unknown>;\n cookies?: Record<string, string>;\n}\n\n/**\n * Express Response interface\n */\ninterface ExpressResponse {\n status(code: number): ExpressResponse;\n json(data: unknown): ExpressResponse;\n send(data: unknown): ExpressResponse;\n}\n\n/**\n * Express NextFunction\n */\ntype ExpressNext = (error?: unknown) => void;\n\n/**\n * Configuration options for the Express tenancy middleware created by\n * `createExpressMiddleware()`.\n *\n * Only `resolveTenantId` is required. All callback options receive the raw\n * Express `Request` object so you can extract tenant information from headers,\n * subdomains, cookies, or any other request property.\n *\n * @see createExpressMiddleware\n */\nexport interface ExpressMiddlewareOptions {\n /**\n * Resolve tenant ID from the request\n */\n resolveTenantId: (\n req: ExpressRequest,\n ) => Promise<string | null | undefined> | string | null | undefined;\n\n /**\n * Resolve user ID from the request (optional)\n */\n resolveUserId?: (\n req: ExpressRequest,\n ) => Promise<string | null | undefined> | string | null | undefined;\n\n /**\n * Resolve permissions (optional)\n */\n resolvePermissions?: (\n req: ExpressRequest,\n tenantId: string,\n userId?: string,\n ) => Promise<Set<string>> | Set<string>;\n\n /**\n * Check if user is super admin (optional)\n */\n isSuperAdmin?: (\n req: ExpressRequest,\n tenantId: string,\n userId?: string,\n ) => Promise<boolean> | boolean;\n\n /**\n * Called when no tenant ID could be resolved\n * Return true to continue, false to stop with 400 error.\n */\n onNoTenant?: (\n req: ExpressRequest,\n res: ExpressResponse,\n ) => Promise<boolean> | boolean;\n\n /**\n * Paths to exclude from tenant context\n */\n excludePaths?: string[];\n}\n\n/**\n * Create an Express middleware function that establishes tenant context for\n * every incoming request.\n *\n * Uses `enterTenantContext()` (rather than `withTenant()`) because Express\n * middleware returns before route handlers execute. `enterWith()` sets the\n * context on the current async resource so it propagates to handlers that run\n * after `next()` is called.\n *\n * The resolved context is also attached directly to the request object for\n * convenience:\n * - `req.tenantContext` — full `TenantContextData`\n * - `req.tenantId` — string tenant ID shortcut\n *\n * When no tenant ID can be resolved, the default behaviour returns a `400`\n * JSON response. Customise this with the `onNoTenant` option.\n *\n * @param options - Middleware configuration including the required\n * `resolveTenantId` callback.\n * @returns An Express-compatible middleware function `(req, res, next) => void`.\n *\n * @example\n * ```typescript\n * import express from 'express';\n * import { createExpressMiddleware } from '@happyvertical/smrt-tenancy/adapters';\n *\n * const app = express();\n * app.use(createExpressMiddleware({\n * resolveTenantId: (req) => req.headers['x-tenant-id'] as string,\n * excludePaths: ['/health', '/public/*'],\n * }));\n * ```\n *\n * @see ExpressMiddlewareOptions\n * @see createSvelteKitHandle\n */\nexport function createExpressMiddleware(options: ExpressMiddlewareOptions) {\n const {\n resolveTenantId,\n resolveUserId,\n resolvePermissions,\n isSuperAdmin,\n onNoTenant,\n excludePaths = [],\n } = options;\n\n return async function tenancyMiddleware(\n req: ExpressRequest,\n res: ExpressResponse,\n next: ExpressNext,\n ): Promise<void> {\n try {\n // Check excluded paths\n if (excludePaths.some((pattern) => matchPath(req.path, pattern))) {\n next();\n return;\n }\n\n // Resolve tenant ID\n const tenantId = await resolveTenantId(req);\n\n if (!tenantId) {\n if (onNoTenant) {\n const shouldContinue = await onNoTenant(req, res);\n if (shouldContinue) {\n next();\n return;\n }\n } else {\n res.status(400).json({\n error: 'Tenant ID required',\n message:\n 'Please provide a tenant ID via header, subdomain, or query parameter.',\n });\n return;\n }\n return;\n }\n\n // Resolve optional context\n const userId = resolveUserId ? await resolveUserId(req) : undefined;\n const permissions = resolvePermissions\n ? await resolvePermissions(req, tenantId, userId ?? undefined)\n : new Set<string>();\n const superAdminBypass = isSuperAdmin\n ? await isSuperAdmin(req, tenantId, userId ?? undefined)\n : false;\n\n // Build context\n const context: TenantContextData = {\n tenantId,\n userId: userId ?? undefined,\n permissions,\n superAdminBypass,\n };\n\n // Attach to request for access in route handlers\n (req as any).tenantContext = context;\n (req as any).tenantId = tenantId;\n\n // Use enterWith() to establish context that persists for the entire\n // request lifecycle. This ensures route handlers have access to\n // tenant context via AsyncLocalStorage.\n enterTenantContext(context);\n next();\n } catch (error) {\n next(error);\n }\n };\n}\n\n/**\n * Simple glob pattern matching for paths\n */\nfunction matchPath(path: string, pattern: string): boolean {\n const regexPattern = pattern\n .replace(/\\*/g, '.*')\n .replace(/\\//g, '\\\\/')\n .replace(/\\?/g, '.');\n\n return new RegExp(`^${regexPattern}$`).test(path);\n}\n","/**\n * SvelteKit Adapter for smrt-tenancy\n *\n * Provides a SvelteKit Handle that sets up tenant context for each request.\n *\n * @example\n * ```typescript\n * // hooks.server.ts\n * import { createSvelteKitHandle } from '@happyvertical/smrt-tenancy/adapters';\n *\n * export const handle = createSvelteKitHandle({\n * resolveTenantId: async (event) => {\n * // From subdomain\n * const host = event.request.headers.get('host');\n * const subdomain = host?.split('.')[0];\n * return subdomain;\n *\n * // Or from header\n * // return event.request.headers.get('x-tenant-id');\n *\n * // Or from cookie\n * // return event.cookies.get('tenant_id');\n * }\n * });\n * ```\n */\n\nimport { type TenantContextData, withTenant } from '../context.js';\n\n/**\n * SvelteKit RequestEvent (minimal interface to avoid direct dependency)\n */\ninterface SvelteKitEvent {\n request: Request;\n url: URL;\n cookies: {\n get(name: string): string | undefined;\n set(name: string, value: string, opts?: unknown): void;\n };\n locals: Record<string, unknown>;\n}\n\n/**\n * SvelteKit resolve function\n */\ntype SvelteKitResolve = (event: SvelteKitEvent) => Promise<Response>;\n\n/**\n * Configuration options for the SvelteKit tenancy handle created by\n * `createSvelteKitHandle()`.\n *\n * Only `resolveTenantId` is required; all other fields are optional callbacks\n * used to enrich the context or customise missing-tenant behaviour.\n *\n * @see createSvelteKitHandle\n */\nexport interface SvelteKitHandleOptions {\n /**\n * Resolve tenant ID from the request\n *\n * Return the tenant ID string, or null/undefined if no tenant context should be set.\n */\n resolveTenantId: (\n event: SvelteKitEvent,\n ) => Promise<string | null | undefined> | string | null | undefined;\n\n /**\n * Resolve user ID from the request (optional)\n */\n resolveUserId?: (\n event: SvelteKitEvent,\n ) => Promise<string | null | undefined> | string | null | undefined;\n\n /**\n * Resolve permissions for the user in this tenant (optional)\n */\n resolvePermissions?: (\n event: SvelteKitEvent,\n tenantId: string,\n userId?: string,\n ) => Promise<Set<string>> | Set<string>;\n\n /**\n * Check if user is a super admin (optional)\n * If true and super admin bypass is enabled on the class, tenant filtering is skipped.\n */\n isSuperAdmin?: (\n event: SvelteKitEvent,\n tenantId: string,\n userId?: string,\n ) => Promise<boolean> | boolean;\n\n /**\n * Called when no tenant ID could be resolved\n * Return a Response to short-circuit, or undefined to continue without tenant context.\n */\n onNoTenant?: (\n event: SvelteKitEvent,\n ) => Promise<Response | undefined> | Response | undefined;\n\n /**\n * Paths to exclude from tenant context (e.g., public APIs, health checks)\n * Supports glob patterns.\n */\n excludePaths?: string[];\n}\n\n/**\n * Create a SvelteKit `Handle` function that establishes tenant context for\n * every server-side request.\n *\n * The returned handle wraps the `resolve` call in `withTenant()` so that all\n * server-side load functions, API routes, and `+server.ts` handlers within the\n * request share the same tenant context via `AsyncLocalStorage`.\n *\n * The resolved context is also stored in `event.locals` under two keys:\n * - `event.locals.tenantContext` — full `TenantContextData`\n * - `event.locals.tenantId` — string tenant ID shortcut\n *\n * When no tenant ID can be resolved (and no custom `onNoTenant` handler\n * returns a `Response`), the request continues without any tenant context.\n *\n * @param options - Configuration options including the required\n * `resolveTenantId` callback.\n * @returns A SvelteKit `Handle` function suitable for use in `hooks.server.ts`.\n *\n * @example\n * ```typescript\n * // src/hooks.server.ts\n * import { createSvelteKitHandle } from '@happyvertical/smrt-tenancy/adapters';\n *\n * export const handle = createSvelteKitHandle({\n * resolveTenantId: (event) =>\n * event.request.headers.get('x-tenant-id'),\n * onNoTenant: () =>\n * new Response('Tenant required', { status: 400 }),\n * });\n * ```\n *\n * @see SvelteKitHandleOptions\n * @see createExpressMiddleware\n */\nexport function createSvelteKitHandle(options: SvelteKitHandleOptions) {\n const {\n resolveTenantId,\n resolveUserId,\n resolvePermissions,\n isSuperAdmin,\n onNoTenant,\n excludePaths = [],\n } = options;\n\n return async function handle({\n event,\n resolve,\n }: {\n event: SvelteKitEvent;\n resolve: SvelteKitResolve;\n }): Promise<Response> {\n // Check excluded paths\n const path = event.url.pathname;\n if (excludePaths.some((pattern) => matchPath(path, pattern))) {\n return resolve(event);\n }\n\n // Resolve tenant ID\n const tenantId = await resolveTenantId(event);\n\n if (!tenantId) {\n // No tenant ID - call handler or continue without context\n if (onNoTenant) {\n const response = await onNoTenant(event);\n if (response) {\n return response;\n }\n }\n return resolve(event);\n }\n\n // Resolve optional context data\n const userId = resolveUserId ? await resolveUserId(event) : undefined;\n const permissions = resolvePermissions\n ? await resolvePermissions(event, tenantId, userId ?? undefined)\n : new Set<string>();\n const superAdminBypass = isSuperAdmin\n ? await isSuperAdmin(event, tenantId, userId ?? undefined)\n : false;\n\n // Build context\n const context: TenantContextData = {\n tenantId,\n userId: userId ?? undefined,\n permissions,\n superAdminBypass,\n };\n\n // Store in locals for access in load functions\n event.locals.tenantContext = context;\n event.locals.tenantId = tenantId;\n\n // Run request in tenant context\n return withTenant(context, () => resolve(event));\n };\n}\n\n/**\n * Simple glob pattern matching for paths\n */\nfunction matchPath(path: string, pattern: string): boolean {\n // Convert glob to regex\n const regexPattern = pattern\n .replace(/\\*/g, '.*')\n .replace(/\\//g, '\\\\/')\n .replace(/\\?/g, '.');\n\n return new RegExp(`^${regexPattern}$`).test(path);\n}\n"],"names":["matchPath"],"mappings":";AAyJO,SAAS,iBACd,UAA6B,IACX;AAClB,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA,yCAAyB,IAAA;AAAA,IACzB,sBAAsB;AAAA,EAAA,IACpB;AAEJ,SAAO;AAAA,IACL,MAAM,IAAO,IAAkC;AAC7C,YAAM,WAAW,kBAAkB,MAAM,gBAAA,IAAoB;AAE7D,UAAI,CAAC,UAAU;AAEb,eAAO,kBAAkB,EAAE;AAAA,MAC7B;AAEA,YAAM,SAAS,gBAAgB,MAAM,cAAA,IAAkB;AAEvD,YAAM,UAA6B;AAAA,QACjC;AAAA,QACA,QAAQ,UAAU;AAAA,QAClB,aAAa;AAAA,QACb,kBAAkB;AAAA,MAAA;AAGpB,aAAO,WAAW,SAAS,EAAE;AAAA,IAC/B;AAAA,IAEA,MAAM,cAAiB,UAAkB,IAAkC;AACzE,YAAM,SAAS,gBAAgB,MAAM,cAAA,IAAkB;AAEvD,YAAM,UAA6B;AAAA,QACjC;AAAA,QACA,QAAQ,UAAU;AAAA,QAClB,aAAa;AAAA,QACb,kBAAkB;AAAA,MAAA;AAGpB,aAAO,WAAW,SAAS,EAAE;AAAA,IAC/B;AAAA,IAEA,MAAM,YAAe,IAAkC;AACrD,aAAO,kBAAkB,EAAE;AAAA,IAC7B;AAAA,IAEA,MAAM,gBACJ,UACA,IACY;AACZ,YAAM,SAAS,gBAAgB,MAAM,cAAA,IAAkB;AAEvD,YAAM,UAA6B;AAAA,QACjC;AAAA,QACA,QAAQ,UAAU;AAAA,QAClB,aAAa;AAAA,QACb,kBAAkB;AAAA,MAAA;AAGpB,aAAO,WAAW,SAAS,EAAE;AAAA,IAC/B;AAAA,EAAA;AAEJ;AC9EO,SAAS,wBAAwB,SAAmC;AACzE,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,eAAe,CAAA;AAAA,EAAC,IACd;AAEJ,SAAO,eAAe,kBACpB,KACA,KACA,MACe;AACf,QAAI;AAEF,UAAI,aAAa,KAAK,CAAC,YAAYA,YAAU,IAAI,MAAM,OAAO,CAAC,GAAG;AAChE,aAAA;AACA;AAAA,MACF;AAGA,YAAM,WAAW,MAAM,gBAAgB,GAAG;AAE1C,UAAI,CAAC,UAAU;AACb,YAAI,YAAY;AACd,gBAAM,iBAAiB,MAAM,WAAW,KAAK,GAAG;AAChD,cAAI,gBAAgB;AAClB,iBAAA;AACA;AAAA,UACF;AAAA,QACF,OAAO;AACL,cAAI,OAAO,GAAG,EAAE,KAAK;AAAA,YACnB,OAAO;AAAA,YACP,SACE;AAAA,UAAA,CACH;AACD;AAAA,QACF;AACA;AAAA,MACF;AAGA,YAAM,SAAS,gBAAgB,MAAM,cAAc,GAAG,IAAI;AAC1D,YAAM,cAAc,qBAChB,MAAM,mBAAmB,KAAK,UAAU,UAAU,MAAS,IAC3D,oBAAI,IAAA;AACR,YAAM,mBAAmB,eACrB,MAAM,aAAa,KAAK,UAAU,UAAU,MAAS,IACrD;AAGJ,YAAM,UAA6B;AAAA,QACjC;AAAA,QACA,QAAQ,UAAU;AAAA,QAClB;AAAA,QACA;AAAA,MAAA;AAID,UAAY,gBAAgB;AAC5B,UAAY,WAAW;AAKxB,yBAAmB,OAAO;AAC1B,WAAA;AAAA,IACF,SAAS,OAAO;AACd,WAAK,KAAK;AAAA,IACZ;AAAA,EACF;AACF;AAKA,SAASA,YAAU,MAAc,SAA0B;AACzD,QAAM,eAAe,QAClB,QAAQ,OAAO,IAAI,EACnB,QAAQ,OAAO,KAAK,EACpB,QAAQ,OAAO,GAAG;AAErB,SAAO,IAAI,OAAO,IAAI,YAAY,GAAG,EAAE,KAAK,IAAI;AAClD;AClFO,SAAS,sBAAsB,SAAiC;AACrE,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,eAAe,CAAA;AAAA,EAAC,IACd;AAEJ,SAAO,eAAe,OAAO;AAAA,IAC3B;AAAA,IACA;AAAA,EAAA,GAIoB;AAEpB,UAAM,OAAO,MAAM,IAAI;AACvB,QAAI,aAAa,KAAK,CAAC,YAAY,UAAU,MAAM,OAAO,CAAC,GAAG;AAC5D,aAAO,QAAQ,KAAK;AAAA,IACtB;AAGA,UAAM,WAAW,MAAM,gBAAgB,KAAK;AAE5C,QAAI,CAAC,UAAU;AAEb,UAAI,YAAY;AACd,cAAM,WAAW,MAAM,WAAW,KAAK;AACvC,YAAI,UAAU;AACZ,iBAAO;AAAA,QACT;AAAA,MACF;AACA,aAAO,QAAQ,KAAK;AAAA,IACtB;AAGA,UAAM,SAAS,gBAAgB,MAAM,cAAc,KAAK,IAAI;AAC5D,UAAM,cAAc,qBAChB,MAAM,mBAAmB,OAAO,UAAU,UAAU,MAAS,IAC7D,oBAAI,IAAA;AACR,UAAM,mBAAmB,eACrB,MAAM,aAAa,OAAO,UAAU,UAAU,MAAS,IACvD;AAGJ,UAAM,UAA6B;AAAA,MACjC;AAAA,MACA,QAAQ,UAAU;AAAA,MAClB;AAAA,MACA;AAAA,IAAA;AAIF,UAAM,OAAO,gBAAgB;AAC7B,UAAM,OAAO,WAAW;AAGxB,WAAO,WAAW,SAAS,MAAM,QAAQ,KAAK,CAAC;AAAA,EACjD;AACF;AAKA,SAAS,UAAU,MAAc,SAA0B;AAEzD,QAAM,eAAe,QAClB,QAAQ,OAAO,IAAI,EACnB,QAAQ,OAAO,KAAK,EACpB,QAAQ,OAAO,GAAG;AAErB,SAAO,IAAI,OAAO,IAAI,YAAY,GAAG,EAAE,KAAK,IAAI;AAClD;"}
package/dist/chunks/{testing-xgmq8uDP.js → testing-DyAqaOBC.js} RENAMED
@@ -1,4 +1,4 @@
1
- import { h as hasTenantContext, d as isSystemContext, j as withSystemContext, k as withTenant, a as TenantContextError, i as isSuperAdminBypass, g as getCurrentTenant, b as TenantIsolationError, c as getTenantId } from "./context-B5CKsmMi.js";
1
+ import { h as hasTenantContext, f as isSystemContext, a as withSystemContext, w as withTenant, c as TenantContextError, i as isSuperAdminBypass, g as getCurrentTenant, T as TenantIsolationError, d as getTenantId } from "./context-DfTygamS.js";
2
2
  import { createLogger } from "@happyvertical/logger";
3
3
  import { ObjectRegistry, GlobalInterceptors, setDispatchTenantResolver, setTenantEntryPointRunner } from "@happyvertical/smrt-core";
4
4
  const DEFAULT_CONFIG = {
@@ -513,4 +513,4 @@ export {
513
513
  testTenantIsolation as t,
514
514
  unregisterTenantScopedClass as u
515
515
  };
516
- //# sourceMappingURL=testing-xgmq8uDP.js.map
516
+ //# sourceMappingURL=testing-DyAqaOBC.js.map
package/dist/chunks/{testing-xgmq8uDP.js.map → testing-DyAqaOBC.js.map} RENAMED
@@ -1 +1 @@
1
- {"version":3,"file":"testing-xgmq8uDP.js","sources":["../../src/registry.ts","../../src/enabled-state.ts","../../src/entry-point.ts","../../src/interceptor.ts","../../src/testing.ts"],"sourcesContent":["/**\n * Tenant-Scoped Class Registry\n *\n * Tracks which classes are tenant-scoped and their configuration.\n * Used by the interceptor to determine how to handle operations.\n *\n * This registry supports two patterns:\n * 1. @TenantScoped() decorator + tenantId field (original pattern)\n * 2. @smrt({ tenantScoped: true }) in smrt-core (Issue #688 pattern)\n *\n * Both patterns are automatically recognized by the interceptor.\n *\n * @see https://github.com/happyvertical/smrt/issues/675\n * @see https://github.com/happyvertical/smrt/issues/688\n */\n\nimport { ObjectRegistry } from '@happyvertical/smrt-core';\n\n/**\n * Resolved tenancy configuration for a single class, as stored in the registry.\n *\n * Every field has a concrete (non-optional) value — defaults are applied by\n * `registerTenantScopedClass()` when the class is registered via `@TenantScoped()`.\n *\n * @see TenantScopedOptions\n * @see registerTenantScopedClass\n */\nexport interface TenantScopedConfig {\n /**\n * Tenancy mode for this class\n * - 'required': Must have tenant context for all operations\n * - 'optional': Works with or without tenant context\n * @default 'required'\n */\n mode: 'required' | 'optional';\n\n /**\n * Field name containing tenant ID\n * @default 'tenantId'\n */\n field: string;\n\n /**\n * Auto-filter all queries by tenant\n * @default true\n */\n autoFilter: boolean;\n\n /**\n * Auto-populate tenant ID from context on create\n * @default true\n */\n autoPopulate: boolean;\n\n /**\n * Allow super admin bypass for this class\n * @default false\n */\n allowSuperAdminBypass: boolean;\n}\n\nconst DEFAULT_CONFIG: TenantScopedConfig = {\n mode: 'required',\n field: 'tenantId',\n autoFilter: true,\n autoPopulate: true,\n allowSuperAdminBypass: false,\n};\n\n// Registry storing tenant-scoped class configurations\nconst tenantScopedClasses = new Map<string, TenantScopedConfig>();\n\n/**\n * Register a class as tenant-scoped with the given configuration.\n *\n * Called automatically by the `@TenantScoped()` decorator. You can also call\n * this directly when you cannot use decorators (e.g., third-party classes or\n * plain objects in tests). Defaults from `DEFAULT_CONFIG` are merged over any\n * omitted options.\n *\n * Calling this again for the same `className` overwrites the previous entry.\n *\n * @param className - The class's `name` property (e.g., `'Document'`).\n * @param config - Partial tenancy configuration; omitted fields receive defaults.\n *\n * @example\n * ```typescript\n * // Manually register a class (e.g., for testing)\n * registerTenantScopedClass('Document', { mode: 'optional' });\n * ```\n *\n * @see TenantScoped\n * @see unregisterTenantScopedClass\n */\nexport function registerTenantScopedClass(\n className: string,\n config: Partial<TenantScopedConfig> = {},\n): void {\n tenantScopedClasses.set(className, {\n ...DEFAULT_CONFIG,\n ...config,\n });\n}\n\n/**\n * Remove a class from the tenant-scoped registry.\n *\n * Primarily intended for test teardown — use `clearTenantScopedRegistry()` to\n * reset the entire registry at once.\n *\n * @param className - The class name to remove (e.g., `'Document'`).\n *\n * @see clearTenantScopedRegistry\n * @see registerTenantScopedClass\n */\nexport function unregisterTenantScopedClass(className: string): void {\n tenantScopedClasses.delete(className);\n}\n\n/**\n * Strip a qualified `@scope/pkg:ClassName` name down to its bare class name.\n *\n * `@TenantScoped` registers classes by their simple name (`target.name`), but\n * `ObjectRegistry.getInheritanceChain()` emits **qualified** names where a\n * class has package context. The simple-name bridge this enables is confined to\n * the inheritance walk (`getInheritedTenantScopedConfig`) — never the direct\n * lookup — so a *direct* qualified lookup can't strip the namespace and\n * cross-match a same-simple-name class in another package.\n */\nfunction toSimpleClassName(className: string): string {\n const idx = className.lastIndexOf(':');\n return idx === -1 ? className : className.slice(idx + 1);\n}\n\n/**\n * Return a shallow copy of a config so callers can never mutate the stored\n * registration. The same backing object is shared by the base and every\n * inheriting descendant, so handing out the reference would let an accidental\n * caller mutation silently corrupt the base (and all children). (#1598 review)\n */\nfunction cloneConfig(config: TenantScopedConfig): TenantScopedConfig {\n return { ...config };\n}\n\n/**\n * Resolve a class's OWN tenancy configuration — no STI inheritance, EXACT name\n * match only.\n *\n * Checks the two registration mechanisms in order, with the local registry\n * taking precedence:\n * 1. The local registry populated by `@TenantScoped()` (keyed by simple name).\n * 2. The core `ObjectRegistry` populated by `@smrt({ tenantScoped: true })`.\n *\n * Lookups are by exact name only — no simple-name fallback — so a qualified\n * lookup (e.g. `@happyvertical/smrt-affiliates:Payout`, explicitly not scoped)\n * can never strip its namespace and match a same-simple-name scoped class in\n * another package (e.g. `@happyvertical/smrt-commerce:Payout`). The\n * namespace-stripping bridge lives only in the inheritance walk. (#1598 review)\n */\nfunction getDirectTenantScopedConfig(\n className: string,\n): TenantScopedConfig | undefined {\n // 1. Local registry (explicit @TenantScoped decorator).\n const localConfig = tenantScopedClasses.get(className);\n if (localConfig) {\n return cloneConfig(localConfig);\n }\n\n // 2. Core registry (@smrt({ tenantScoped: true }) pattern - Issue #688).\n // findClass() resolves qualified names package-safely, so this branch is\n // already disambiguated.\n const coreConfig = ObjectRegistry.getTenantScopedConfig(className);\n if (coreConfig) {\n // Convert core config to TenantScopedConfig format\n return {\n mode: coreConfig.mode,\n field: coreConfig.field,\n autoFilter: coreConfig.autoFilter,\n autoPopulate: coreConfig.autoPopulate,\n allowSuperAdminBypass: coreConfig.allowSuperAdminBypass,\n };\n }\n\n return undefined;\n}\n\n/**\n * Resolve tenancy configuration inherited from an STI/ancestor class.\n *\n * `@TenantScoped` (and `@smrt({ tenantScoped })`) register ONLY the exact class\n * decorated — recognition does NOT propagate to subclasses. Before #1596 this\n * meant an STI child with its own collection (the child is the collection's\n * `_itemClass`) was treated as non-tenant-scoped at runtime: the interceptor\n * skipped tenant filtering on its `list()`/`get()` (cross-tenant reads), skipped\n * tenant population in `beforeSave`, and skipped the raw-SQL policy. Manual\n * re-declaration on every child was the fragile pattern that already bit images\n * (#1407) and messages.\n *\n * We now walk the STI inheritance chain so any descendant of a tenant-scoped\n * base is recognized automatically and inherits the base's config. A subclass\n * of a tenant-scoped class is always itself tenant-scoped — there is no safe\n * reason for it to opt out — so the walk intentionally covers any inheritance\n * (the motivating leak is STI child collections, but this is correct for CTI\n * hierarchies too).\n *\n * Ancestors are walked from nearest-to-self toward the root, returning the\n * first tenant-scoped ancestor's config so a closer ancestor wins. The class's\n * OWN declaration is resolved by the direct lookup in `getTenantScopedConfig`\n * and always takes precedence over anything inherited here.\n */\nfunction getInheritedTenantScopedConfig(\n className: string,\n): TenantScopedConfig | undefined {\n // getInheritanceChain returns [root, ..., self] (qualified names where the\n // class has package context). It is cached by core and only reached here when\n // the direct lookup misses, so the per-call cost on non-tenant classes is a\n // cache hit plus this short loop. Returns [] for unregistered classes.\n const chain = ObjectRegistry.getInheritanceChain(className);\n // chain[length - 1] is the class itself (already covered by the direct\n // lookup); walk its ancestors from nearest to root.\n for (let i = chain.length - 2; i >= 0; i--) {\n const ancestor = chain[i];\n\n // Exact, package-safe match first — covers `@smrt({ tenantScoped })` bases\n // (resolved through the core registry by qualified name) and any class\n // whose @TenantScoped key matches the chain entry verbatim.\n const direct = getDirectTenantScopedConfig(ancestor);\n if (direct) {\n return direct;\n }\n\n // @TenantScoped registers by SIMPLE name (`target.name`), but the chain\n // emits QUALIFIED names. Bridge to the simple-keyed local registry here —\n // scoped to the inheritance walk only, so a direct qualified lookup never\n // strips the namespace (see getDirectTenantScopedConfig). The chain entry\n // is a verified ancestor of `className`, so matching its simple name is the\n // intended hop. (Residual: the @TenantScoped registry is simple-keyed, so\n // two DISTINCT same-simple-name classes that are BOTH @TenantScoped across\n // packages could cross-match here — a pre-existing decorator-keying limit,\n // not the direct-lookup hazard fixed above.)\n const simple = toSimpleClassName(ancestor);\n if (simple !== ancestor) {\n const bySimple = tenantScopedClasses.get(simple);\n if (bySimple) {\n return cloneConfig(bySimple);\n }\n }\n }\n return undefined;\n}\n\n/**\n * Retrieve the resolved tenancy configuration for a class.\n *\n * Resolution order:\n * 1. The class's OWN declaration — local `@TenantScoped()` registry first, then\n * the core `@smrt({ tenantScoped: true })` registry.\n * 2. STI inheritance — the nearest tenant-scoped ancestor's config (#1596).\n *\n * A class that declares its own tenancy never reaches step 2, so an explicit\n * child `@TenantScoped` always overrides the inherited base config.\n *\n * @param className - The class name to look up.\n * @returns The `TenantScopedConfig` if the class is tenant-scoped directly or\n * by inheritance, or `undefined` if it is not.\n *\n * @see isTenantScopedClass\n * @see getAllTenantScopedClasses\n */\nexport function getTenantScopedConfig(\n className: string,\n): TenantScopedConfig | undefined {\n // A class's own @TenantScoped / @smrt({ tenantScoped }) declaration wins.\n const direct = getDirectTenantScopedConfig(className);\n if (direct) {\n return direct;\n }\n // Otherwise inherit recognition from a tenant-scoped STI ancestor (#1596).\n return getInheritedTenantScopedConfig(className);\n}\n\n/**\n * Return `true` if the named class is tenant-scoped — directly (via\n * `@TenantScoped()` / `@smrt({ tenantScoped: true })`) or by inheriting from a\n * tenant-scoped STI ancestor (#1596).\n *\n * @param className - The class name to look up (e.g., `'Document'`).\n * @returns `true` if the class is tenant-scoped by any mechanism.\n *\n * @see getTenantScopedConfig\n * @see registerTenantScopedClass\n */\nexport function isTenantScopedClass(className: string): boolean {\n return getTenantScopedConfig(className) !== undefined;\n}\n\n/**\n * Return a snapshot of all classes registered via `@TenantScoped()`.\n *\n * Returns a new `Map` so mutations to the returned value do not affect the\n * internal registry. Note that classes registered only through the core\n * `ObjectRegistry` (`@smrt({ tenantScoped: true })`) are **not** included in\n * this map.\n *\n * @returns A copy of the local tenant-scoped class registry, keyed by class name.\n *\n * @see isTenantScopedClass\n * @see getTenantScopedConfig\n */\nexport function getAllTenantScopedClasses(): Map<string, TenantScopedConfig> {\n return new Map(tenantScopedClasses);\n}\n\n/**\n * Remove all entries from the local tenant-scoped class registry.\n *\n * Intended for test teardown via `resetTenancy()`. Does not affect\n * registrations held by the core `ObjectRegistry`.\n *\n * @see resetTenancy\n * @see unregisterTenantScopedClass\n */\nexport function clearTenantScopedRegistry(): void {\n tenantScopedClasses.clear();\n}\n","/**\n * Shared tenancy-enabled flag.\n *\n * Holds the single boolean toggled by `enableTenancy()` / `disableTenancy()`.\n * It lives in its own leaf module (importing nothing from the package) so that\n * both `interceptor.ts` and `entry-point.ts` can read it without forming a\n * circular import: `interceptor.ts` imports `runTenantScopedEntryPoint` from\n * `entry-point.ts`, and `entry-point.ts` needs the enabled flag — routing the\n * flag through here keeps that dependency one-directional.\n */\n\nlet enabled = false;\n\n/**\n * Set the global tenancy-enabled flag. Internal — called by `enableTenancy()` /\n * `disableTenancy()` in `interceptor.ts`.\n *\n * @param value - `true` to mark tenancy enabled, `false` to clear it.\n */\nexport function setTenancyEnabled(value: boolean): void {\n enabled = value;\n}\n\n/**\n * Return `true` if tenant enforcement is currently active.\n *\n * @returns Whether `enableTenancy()` has been called without a later\n * `disableTenancy()`.\n */\nexport function isTenancyEnabled(): boolean {\n return enabled;\n}\n","/**\n * Fail-closed tenant-context establishment for non-web entry points (#1554).\n *\n * The SvelteKit/Express adapters establish tenant context from the authenticated\n * request principal, so the web surface of a `@TenantScoped({ mode: 'optional' })`\n * model never reads across tenants without an active context. The generated\n * **CLI** and **MCP** entry points have no request principal, so an invocation\n * with no active context would fall through the interceptor's optional-mode\n * pass-through and return rows across **all** tenants.\n *\n * `runTenantScopedEntryPoint()` closes that gap. It is the single fail-closed\n * gate both generated surfaces wrap their per-command/per-tool execution in.\n *\n * @see createCliContext for the richer CLI runner (resolveTenantId, super-admin).\n */\n\nimport {\n hasTenantContext,\n isSystemContext,\n TenantContextError,\n withSystemContext,\n withTenant,\n} from './context.js';\nimport { isTenancyEnabled } from './enabled-state.js';\nimport { isTenantScopedClass } from './registry.js';\n\n/**\n * Inputs for {@link runTenantScopedEntryPoint}.\n *\n * Provide **either** `className` (the gate resolves tenant-scoping from the\n * authoritative tenancy registry — the same source the interceptor uses, so it\n * covers both `@TenantScoped` and `@smrt({ tenantScoped })` registrations) or an\n * explicit `tenantScoped` boolean (when the caller already resolved it, e.g. a\n * build-time generated surface). An explicit boolean wins when both are given.\n */\nexport interface TenantEntryPointOptions {\n /**\n * Class name of the target model. When provided, tenant-scoping is resolved\n * via `isTenantScopedClass(className)`.\n */\n className?: string;\n\n /**\n * Explicit tenant-scoping decision. Overrides `className` resolution when set.\n * Non-scoped models always pass through unchanged — the gate is a no-op.\n */\n tenantScoped?: boolean;\n\n /**\n * Explicit operator-provided tenant selector (CLI `--tenant <id>`, MCP\n * `context.tenantId`). When present (and no context is already active) the\n * function runs inside this tenant's context.\n */\n tenantId?: string | null;\n\n /**\n * Explicit operator opt-in to cross-tenant / system access (CLI\n * `--all-tenants`, an MCP host that trusts the caller as an operator). When\n * set the function runs in system context, bypassing tenant filtering.\n *\n * @default false\n */\n allowCrossTenant?: boolean;\n\n /**\n * Human-facing surface name used in the fail-closed error message, e.g.\n * `'CLI'` or `'MCP'`.\n *\n * @default 'entry point'\n */\n surface?: string;\n}\n\n/**\n * Run `fn` inside an appropriate tenant context for a generated CLI/MCP entry\n * point, failing closed for tenant-scoped models when no authorized context can\n * be established.\n *\n * Resolution order (tenant-scoped models only):\n * 1. A tenant context is already active, or an explicit `withSystemContext()`\n * bypass is in effect (e.g. `runAsSystem()`, migrations) → run as-is.\n * 2. `allowCrossTenant` was explicitly set → run in system context. Checked\n * before `tenantId` so an explicit cross-tenant opt-in wins over a default\n * principal/host tenant rather than being silently scoped.\n * 3. An explicit `tenantId` was provided → run inside that tenant.\n * 4. Tenancy is enabled but none of the above → **throw** `TenantContextError`\n * (the fail-closed branch — never silently read across tenants).\n * 5. Tenancy is disabled (single-/no-tenant deployment) → pass through.\n *\n * Non-tenant-scoped models always pass straight through.\n *\n * @param options - {@link TenantEntryPointOptions}.\n * @param fn - The command/tool body to execute.\n * @returns The resolved value of `fn`.\n * @throws {TenantContextError} When a tenant-scoped model is reached with\n * tenancy enabled and no tenant/cross-tenant selector.\n */\nexport async function runTenantScopedEntryPoint<T>(\n options: TenantEntryPointOptions,\n fn: () => Promise<T>,\n): Promise<T> {\n const {\n className,\n tenantScoped,\n tenantId,\n allowCrossTenant = false,\n surface = 'entry point',\n } = options;\n\n // Resolve tenant-scoping: an explicit boolean wins; otherwise consult the\n // authoritative tenancy registry by class name (matches the interceptor).\n const scoped =\n typeof tenantScoped === 'boolean'\n ? tenantScoped\n : className\n ? isTenantScopedClass(className)\n : false;\n\n // Non-scoped models run as-is. So do calls already inside a tenant context\n // (an upstream handle) or an explicit system-context bypass — the interceptor\n // honors `withSystemContext()` (migrations, `runAsSystem()`), so the gate must\n // not fail-close over it (hasTenantContext() is false for the system marker).\n if (!scoped) return fn();\n if (hasTenantContext() || isSystemContext()) return fn();\n\n // Explicit operator opt-in to cross-tenant access. Checked before the tenant\n // selector so a deliberate `--all-tenants` / `allowCrossTenant` overrides a\n // default host/principal tenant instead of being silently scoped to it.\n if (allowCrossTenant) {\n return withSystemContext(fn);\n }\n\n // Explicit tenant selector.\n if (typeof tenantId === 'string' && tenantId) {\n return withTenant({ tenantId }, fn);\n }\n\n // Fail closed: tenancy is on but the caller gave us nothing to scope by.\n if (isTenancyEnabled()) {\n throw new TenantContextError(\n `Tenant context required for tenant-scoped access via ${surface}. ` +\n 'Pass an explicit tenant (e.g. --tenant <id> / a tenantId) or opt into ' +\n 'cross-tenant access (e.g. --all-tenants) to read across all tenants.',\n );\n }\n\n // Tenancy disabled → single-tenant deployment, pass through.\n return fn();\n}\n","/**\n * Tenant Interceptor - Core enforcement mechanism\n *\n * Registers with GlobalInterceptors in smrt-core to automatically:\n * - Filter queries by tenant ID\n * - Validate tenant context on save/delete\n * - Block or audit raw SQL on tenant-scoped classes\n *\n * @see https://github.com/happyvertical/smrt/issues/675\n */\n\nimport { createLogger } from '@happyvertical/logger';\nimport type { SmrtObject } from '@happyvertical/smrt-core';\nimport {\n type CollectionInterceptor,\n type DispatchBus,\n GlobalInterceptors,\n type InterceptorContext,\n type ListOptions,\n type QueryInterceptResult,\n type QueryOptions,\n setDispatchTenantResolver,\n setTenantEntryPointRunner,\n} from '@happyvertical/smrt-core';\nimport {\n getCurrentTenant,\n getTenantId,\n isSuperAdminBypass,\n isSystemContext,\n TenantContextError,\n TenantIsolationError,\n} from './context.js';\nimport { isTenancyEnabled, setTenancyEnabled } from './enabled-state.js';\nimport { runTenantScopedEntryPoint } from './entry-point.js';\nimport { getTenantScopedConfig, isTenantScopedClass } from './registry.js';\n\nconst logger = createLogger({ level: 'info' });\n\n/**\n * Policy controlling what happens when raw SQL is executed against a\n * tenant-scoped class without an explicit bypass.\n *\n * - `'throw'` — Raises a `TenantIsolationError` (most secure; default).\n * - `'warn'` — Logs a `console.warn` but allows the query to proceed (useful\n * during migration periods).\n * - `'allow'` — Silently allows the query; not recommended for production.\n *\n * @see TenantInterceptorOptions.rawQueryPolicy\n * @see enableTenancy\n */\nexport type RawQueryPolicy = 'throw' | 'warn' | 'allow';\n\n/**\n * Configuration options accepted by `createTenantInterceptor()` and\n * `enableTenancy()`.\n *\n * All options are optional; reasonable defaults are applied. The callback\n * hooks (`onRawQuery`, `onMissingContext`, `onIsolationViolation`) are useful\n * for logging and alerting without altering the enforcement behaviour.\n *\n * @see createTenantInterceptor\n * @see enableTenancy\n */\nexport interface TenantInterceptorOptions {\n /**\n * Policy for raw SQL queries on tenant-scoped classes\n * - 'throw': Throw error (most secure, default)\n * - 'warn': Log warning but allow (for migration)\n * - 'allow': Silently allow (not recommended for production)\n * @default 'throw'\n */\n rawQueryPolicy?: RawQueryPolicy;\n\n /**\n * Called when a raw query is attempted on a tenant-scoped class\n * Useful for logging/auditing\n */\n onRawQuery?: (\n className: string,\n sql: string,\n context: InterceptorContext,\n ) => void;\n\n /**\n * Called when tenant context is missing for a tenant-scoped operation\n */\n onMissingContext?: (\n className: string,\n operation: string,\n context: InterceptorContext,\n ) => void;\n\n /**\n * Called when an isolation violation is detected\n */\n onIsolationViolation?: (\n className: string,\n expectedTenantId: string,\n actualTenantId: string,\n context: InterceptorContext,\n ) => void;\n\n /**\n * DispatchBus instance for emitting provisioning events on lifecycle changes.\n * When provided along with directoryClasses, afterSave/afterDelete hooks\n * emit dispatches like `directory.membership.created`.\n */\n dispatchBus?: DispatchBus;\n\n /**\n * Class names to emit directory dispatches for on save/delete lifecycle events.\n * Only classes listed here will trigger dispatch emissions.\n * @example ['Tenant', 'Membership', 'User']\n */\n directoryClasses?: string[];\n}\n\nconst DEFAULT_OPTIONS: TenantInterceptorOptions = {\n rawQueryPolicy: 'throw',\n};\n\n/**\n * Extract a plain-object snapshot of an instance for dispatch payloads.\n *\n * Prefers `toJSON()` when available (all real SmrtObject instances) because\n * it returns only data fields and excludes internal handles like `_db`, `_ai`,\n * and `_fs` which may contain circular references (e.g. connection pools with\n * Timeout objects).\n *\n * @see https://github.com/happyvertical/smrt/issues/946\n */\nfunction serializeInstance(\n instance: SmrtObject,\n className: string,\n): Record<string, unknown> {\n // Documented exception to the \"never call toJSON() directly\" convention\n // (docs/content/standards.md §7): the interceptor must serialize whatever\n // instance is handed to it, including workspace stubs and plain-object\n // doubles used in unit tests whose classes may not extend SmrtObject and\n // therefore have no `transformJSON()` hook. Using `toJSON()` here is a\n // duck-typed fallback — when present, it strips framework-internal handles\n // for us; when absent, we fall through to manual key iteration below.\n if (typeof (instance as any).toJSON === 'function') {\n return { className, ...(instance as any).toJSON() };\n }\n\n // Fallback for plain-object stubs (e.g. in unit tests):\n // skip functions and framework-internal properties\n const result: Record<string, unknown> = { className };\n for (const key of Object.keys(instance)) {\n const value = (instance as any)[key];\n if (typeof value !== 'function') {\n result[key] = value;\n }\n }\n return result;\n}\n\n/**\n * Create a `CollectionInterceptor` that enforces tenant isolation on all\n * `SmrtCollection` operations.\n *\n * The returned interceptor hooks into the smrt-core `GlobalInterceptors`\n * pipeline at priority 100 (runs before all other interceptors) and\n * handles the following lifecycle hooks:\n *\n * | Hook | Behaviour |\n * |---------------|-----------|\n * | `beforeList` | Injects tenant filter into `WHERE`; validates explicit filters. |\n * | `beforeGet` | Converts ID lookups to `{ id, tenantId }` filter objects. |\n * | `beforeSave` | Auto-populates `tenantId`; validates existing values. |\n * | `beforeDelete`| Validates the instance's `tenantId` matches context. |\n * | `beforeQuery` | Enforces `rawQueryPolicy` on raw SQL calls. |\n * | `afterSave` | Emits `directory.<class>.created/updated` via `dispatchBus`. |\n * | `afterDelete` | Emits `directory.<class>.deleted` via `dispatchBus`. |\n *\n * Use `enableTenancy()` to register the interceptor globally. Call this\n * directly only when you need multiple interceptor instances (e.g., for\n * isolated tests or feature flags).\n *\n * @param options - Configuration for the interceptor.\n * @returns A `CollectionInterceptor` ready to be registered with\n * `GlobalInterceptors.register()`.\n *\n * @example\n * ```typescript\n * import { createTenantInterceptor } from '@happyvertical/smrt-tenancy';\n * import { GlobalInterceptors } from '@happyvertical/smrt-core';\n *\n * const interceptor = createTenantInterceptor({ rawQueryPolicy: 'warn' });\n * GlobalInterceptors.register(interceptor);\n * ```\n *\n * @see enableTenancy\n * @see TenantInterceptorOptions\n */\nexport function createTenantInterceptor(\n options: TenantInterceptorOptions = {},\n): CollectionInterceptor {\n const opts = { ...DEFAULT_OPTIONS, ...options };\n\n return {\n name: 'smrt-tenancy',\n priority: 100, // High priority - should run first\n\n /**\n * Before list: Add tenant filter to queries\n */\n beforeList(\n className: string,\n listOptions: ListOptions,\n context: InterceptorContext,\n ): ListOptions | undefined {\n // Check if this class is tenant-scoped\n if (!isTenantScopedClass(className)) {\n return; // Not tenant-scoped, pass through\n }\n\n // Check for super admin bypass\n if (isSuperAdminBypass()) {\n return; // Bypass enabled, pass through\n }\n\n // Check for system context (explicit bypass via withSystemContext)\n if (isSystemContext()) {\n return; // System context bypasses tenant checks\n }\n\n const config = getTenantScopedConfig(className);\n const tenantContext = getCurrentTenant();\n\n // If no tenant context and mode is 'required', throw\n if (!tenantContext) {\n if (config?.mode === 'required') {\n opts.onMissingContext?.(className, 'list', context);\n throw new TenantContextError(\n `Tenant context required for listing ${className}. ` +\n `Use withTenant() or configure TenantContext middleware.`,\n );\n }\n return; // Mode is 'optional', allow without filtering\n }\n\n // Add tenant filter to where clause\n const tenantField = config?.field || 'tenantId';\n const where = listOptions.where || {};\n\n // Check if tenant filter is already present\n if (tenantField in where) {\n // Validate it matches context. The filter may be a scalar\n // (`tenantId: 'x'`) or an IN-style array (`tenantId: ['x']`) —\n // smrt-core auto-converts array values to SQL IN clauses, so an\n // array containing only the context tenant is a valid filter.\n // See https://github.com/happyvertical/smrt/issues/1495\n const existingFilter = where[tenantField];\n const filterValues = Array.isArray(existingFilter)\n ? existingFilter\n : [existingFilter];\n // findIndex (not find) so a literal null/undefined filter value is\n // still flagged as a violation rather than mistaken for \"not found\"\n const offendingIndex = filterValues.findIndex(\n (value) => value !== tenantContext.tenantId,\n );\n if (offendingIndex !== -1) {\n const offending = filterValues[offendingIndex];\n opts.onIsolationViolation?.(\n className,\n tenantContext.tenantId,\n String(offending),\n context,\n );\n throw new TenantIsolationError(\n `Tenant isolation violation in ${className} query: ` +\n `context tenant is '${tenantContext.tenantId}' but query filters by '${String(offending)}'`,\n {\n tenantId: tenantContext.tenantId,\n attemptedTenantId: String(offending),\n },\n );\n }\n return; // Filter already correct\n }\n\n // Inject tenant filter\n return {\n ...listOptions,\n where: {\n ...where,\n [tenantField]: tenantContext.tenantId,\n },\n };\n },\n\n /**\n * Before get: Add tenant filter to single record fetches\n */\n beforeGet(\n className: string,\n filter: string | Record<string, unknown>,\n context: InterceptorContext,\n ): string | Record<string, unknown> | undefined {\n if (!isTenantScopedClass(className)) {\n return;\n }\n\n if (isSuperAdminBypass()) {\n return;\n }\n\n // Check for system context (explicit bypass via withSystemContext)\n if (isSystemContext()) {\n return; // System context bypasses tenant checks\n }\n\n const config = getTenantScopedConfig(className);\n const tenantContext = getCurrentTenant();\n\n if (!tenantContext) {\n if (config?.mode === 'required') {\n opts.onMissingContext?.(className, 'get', context);\n throw new TenantContextError(\n `Tenant context required for getting ${className}. ` +\n `Use withTenant() or configure TenantContext middleware.`,\n );\n }\n return;\n }\n\n const tenantField = config?.field || 'tenantId';\n\n // If filter is a string (ID), convert to object filter with tenant\n if (typeof filter === 'string') {\n return {\n id: filter,\n [tenantField]: tenantContext.tenantId,\n };\n }\n\n // Add tenant filter to object\n if (!(tenantField in filter)) {\n return {\n ...filter,\n [tenantField]: tenantContext.tenantId,\n };\n }\n\n // Validate existing filter. Like beforeList, accept scalar or\n // IN-style array filters (smrt-core auto-converts arrays to SQL IN).\n // See https://github.com/happyvertical/smrt/issues/1495\n const existingFilter = filter[tenantField];\n const filterValues = Array.isArray(existingFilter)\n ? existingFilter\n : [existingFilter];\n // findIndex (not find) so a literal null/undefined filter value is\n // still flagged as a violation rather than mistaken for \"not found\"\n const offendingIndex = filterValues.findIndex(\n (value) => value !== tenantContext.tenantId,\n );\n if (offendingIndex !== -1) {\n const offending = filterValues[offendingIndex];\n opts.onIsolationViolation?.(\n className,\n tenantContext.tenantId,\n String(offending),\n context,\n );\n throw new TenantIsolationError(\n `Tenant isolation violation in ${className} get: ` +\n `context tenant is '${tenantContext.tenantId}' but query filters by '${String(offending)}'`,\n {\n tenantId: tenantContext.tenantId,\n attemptedTenantId: String(offending),\n },\n );\n }\n\n return;\n },\n\n /**\n * Before query: Handle raw SQL on tenant-scoped classes\n */\n beforeQuery(\n className: string,\n queryOptions: QueryOptions,\n context: InterceptorContext,\n ): QueryInterceptResult | undefined {\n if (!isTenantScopedClass(className)) {\n return;\n }\n\n // Check for explicit bypass flag\n if (queryOptions.allowRawOnTenantScoped) {\n opts.onRawQuery?.(className, queryOptions.sql, context);\n return; // Explicitly allowed\n }\n\n if (isSuperAdminBypass()) {\n opts.onRawQuery?.(className, queryOptions.sql, context);\n return;\n }\n\n // Check for system context (explicit bypass via withSystemContext)\n if (isSystemContext()) {\n opts.onRawQuery?.(className, queryOptions.sql, context);\n return;\n }\n\n // Handle based on policy\n const message =\n `Raw SQL query attempted on tenant-scoped class ${className}. ` +\n `Use list()/get() for automatic tenant filtering, or call ` +\n `query() with { allowRawOnTenantScoped: true } if you're handling ` +\n `tenant filtering manually.`;\n\n opts.onRawQuery?.(className, queryOptions.sql, context);\n\n switch (opts.rawQueryPolicy) {\n case 'throw':\n throw new TenantIsolationError(message);\n\n case 'warn':\n logger.warn(`[smrt-tenancy] WARNING: ${message}`);\n return;\n default:\n return;\n }\n },\n\n /**\n * Before save: Validate tenant ID is set and matches context\n */\n beforeSave(instance: SmrtObject, context: InterceptorContext): void {\n // Use context.className which is always correct\n // (instance.constructor.name may not match for proxies or plain objects in tests)\n const className = context.className;\n\n // Stash isNew flag for afterSave dispatch detection\n if (opts.directoryClasses?.includes(className)) {\n const id = (instance as any).id;\n context.metadata = {\n ...context.metadata,\n _directoryIsNew: id === undefined || id === null,\n };\n }\n\n if (!isTenantScopedClass(className)) {\n return;\n }\n\n if (isSuperAdminBypass()) {\n return;\n }\n\n // Check for system context (explicit bypass via withSystemContext)\n if (isSystemContext()) {\n return; // System context bypasses tenant checks\n }\n\n const config = getTenantScopedConfig(className);\n const tenantField = config?.field || 'tenantId';\n const instanceTenantId = (instance as any)[tenantField];\n\n const tenantContext = getCurrentTenant();\n\n // Check if tenant context is required\n if (!tenantContext) {\n if (config?.mode === 'required') {\n opts.onMissingContext?.(className, 'save', context);\n throw new TenantContextError(\n `Tenant context required for saving ${className}. ` +\n `Use withTenant() or configure TenantContext middleware.`,\n );\n }\n return; // Mode is 'optional'\n }\n\n // Auto-populate tenant ID if not set\n if (!instanceTenantId && config?.autoPopulate !== false) {\n (instance as any)[tenantField] = tenantContext.tenantId;\n return;\n }\n\n // Validate tenant ID matches context\n if (instanceTenantId && instanceTenantId !== tenantContext.tenantId) {\n opts.onIsolationViolation?.(\n className,\n tenantContext.tenantId,\n instanceTenantId,\n context,\n );\n throw new TenantIsolationError(\n `Tenant isolation violation: cannot save ${className} with ` +\n `tenantId '${instanceTenantId}' in context of tenant '${tenantContext.tenantId}'`,\n {\n tenantId: tenantContext.tenantId,\n attemptedTenantId: instanceTenantId,\n },\n );\n }\n },\n\n /**\n * Before delete: Validate instance belongs to current tenant\n */\n beforeDelete(instance: SmrtObject, context: InterceptorContext): void {\n // Use context.className which is always correct\n const className = context.className;\n\n if (!isTenantScopedClass(className)) {\n return;\n }\n\n if (isSuperAdminBypass()) {\n return;\n }\n\n // Check for system context (explicit bypass via withSystemContext)\n if (isSystemContext()) {\n return; // System context bypasses tenant checks\n }\n\n const config = getTenantScopedConfig(className);\n const tenantField = config?.field || 'tenantId';\n const instanceTenantId = (instance as any)[tenantField];\n\n const tenantContext = getCurrentTenant();\n\n if (!tenantContext) {\n if (config?.mode === 'required') {\n opts.onMissingContext?.(className, 'delete', context);\n throw new TenantContextError(\n `Tenant context required for deleting ${className}. ` +\n `Use withTenant() or configure TenantContext middleware.`,\n );\n }\n return;\n }\n\n // Validate tenant ID matches\n if (instanceTenantId && instanceTenantId !== tenantContext.tenantId) {\n opts.onIsolationViolation?.(\n className,\n tenantContext.tenantId,\n instanceTenantId,\n context,\n );\n throw new TenantIsolationError(\n `Tenant isolation violation: cannot delete ${className} with ` +\n `tenantId '${instanceTenantId}' in context of tenant '${tenantContext.tenantId}'`,\n {\n tenantId: tenantContext.tenantId,\n attemptedTenantId: instanceTenantId,\n },\n );\n }\n },\n\n /**\n * After save: Emit directory dispatch for configured classes\n */\n async afterSave(\n instance: SmrtObject,\n context: InterceptorContext,\n ): Promise<void> {\n if (\n !opts.dispatchBus ||\n !opts.directoryClasses?.includes(context.className)\n )\n return;\n\n const rawIsNew = context.metadata?._directoryIsNew;\n const isNew =\n typeof rawIsNew === 'boolean' ? rawIsNew : (instance as any).id == null;\n const event = isNew\n ? `directory.${context.className.toLowerCase()}.created`\n : `directory.${context.className.toLowerCase()}.updated`;\n\n await opts.dispatchBus.emit(\n event,\n serializeInstance(instance, context.className),\n {\n source: 'smrt-tenancy',\n sourceId: (instance as any).id,\n },\n );\n },\n\n /**\n * After delete: Emit directory dispatch for configured classes\n */\n async afterDelete(\n instance: SmrtObject,\n context: InterceptorContext,\n ): Promise<void> {\n if (\n !opts.dispatchBus ||\n !opts.directoryClasses?.includes(context.className)\n )\n return;\n\n await opts.dispatchBus.emit(\n `directory.${context.className.toLowerCase()}.deleted`,\n serializeInstance(instance, context.className),\n {\n source: 'smrt-tenancy',\n sourceId: (instance as any).id,\n },\n );\n },\n };\n}\n\n// ─────────────────────────────────────────────────────────────────────────────\n// Registration Functions\n// ─────────────────────────────────────────────────────────────────────────────\n\n// The enabled flag lives in `enabled-state.ts` (a leaf module) so `entry-point.ts`\n// can read it without importing this module — breaking the otherwise-circular\n// interceptor ↔ entry-point dependency.\nlet registeredInterceptor: CollectionInterceptor | null = null;\n\n/**\n * Enable tenant enforcement globally\n *\n * Call this once at application startup to enable automatic tenant isolation.\n *\n * @param options - Configuration options\n *\n * @example\n * ```typescript\n * // In your app initialization\n * import { enableTenancy } from '@happyvertical/smrt-tenancy';\n *\n * enableTenancy({\n * rawQueryPolicy: 'throw',\n * onMissingContext: (className, operation) => {\n * console.error(`Missing tenant context for ${operation} on ${className}`);\n * }\n * });\n * ```\n */\nexport function enableTenancy(options: TenantInterceptorOptions = {}): void {\n if (isTenancyEnabled()) {\n logger.warn(\n '[smrt-tenancy] Tenancy is already enabled. Call disableTenancy() first to reconfigure.',\n );\n return;\n }\n\n registeredInterceptor = createTenantInterceptor(options);\n GlobalInterceptors.register(registeredInterceptor);\n\n // Wire the DispatchBus tenant-scope resolver (S5 #1398). Core cannot depend\n // on tenancy, so it reads the active tenant through this injected hook; the\n // bus stamps/filters dispatches by the active tenant only while tenancy is\n // enabled. Mirrors the GlobalInterceptors inversion above.\n setDispatchTenantResolver(() => getTenantId());\n\n // Wire the fail-closed tenant gate for generated CLI/MCP entry points (#1554).\n // Core invokes this runner around tenant-scoped CLI/MCP execution; without it\n // (tenancy disabled) those surfaces pass through unchanged.\n setTenantEntryPointRunner(runTenantScopedEntryPoint);\n\n setTenancyEnabled(true);\n}\n\n/**\n * Disable global tenant enforcement.\n *\n * Unregisters the interceptor previously installed by `enableTenancy()` and\n * resets the internal enabled flag so `enableTenancy()` can be called again.\n * Idempotent — safe to call even when tenancy was never enabled.\n *\n * Common use-cases:\n * - Test teardown (via `resetTenancy()`).\n * - Temporarily disabling tenancy before reconfiguring with new options.\n *\n * @example\n * ```typescript\n * afterAll(() => {\n * disableTenancy();\n * });\n * ```\n *\n * @see enableTenancy\n * @see isTenancyEnabled\n * @see resetTenancy\n */\nexport function disableTenancy(): void {\n if (!isTenancyEnabled() || !registeredInterceptor) {\n return;\n }\n\n GlobalInterceptors.unregister(registeredInterceptor);\n // Clear the DispatchBus tenant resolver so the bus reverts to its no-op\n // (pre-tenancy) behavior when tenancy is disabled.\n setDispatchTenantResolver(undefined);\n // Clear the CLI/MCP tenant gate so those surfaces pass through (#1554).\n setTenantEntryPointRunner(undefined);\n registeredInterceptor = null;\n setTenancyEnabled(false);\n}\n\n/**\n * Return `true` if tenant enforcement is currently active.\n *\n * Reflects whether `enableTenancy()` has been called and the interceptor has not\n * yet been removed by `disableTenancy()`. Re-exported from `enabled-state.ts`\n * (the shared leaf module) so the public API surface is unchanged.\n *\n * @see enableTenancy\n * @see disableTenancy\n */\nexport { isTenancyEnabled };\n","/**\n * Testing Utilities for smrt-tenancy\n *\n * Helpers for testing tenant-scoped applications.\n *\n * @example\n * ```typescript\n * import { createTestTenantContext, resetTenancy } from '@happyvertical/smrt-tenancy/testing';\n *\n * beforeEach(() => {\n * resetTenancy(); // Clear all state\n * });\n *\n * it('should filter by tenant', async () => {\n * await createTestTenantContext({ tenantId: 'tenant-1' }, async () => {\n * const docs = await collection.list({});\n * // Only tenant-1 documents\n * });\n * });\n * ```\n */\n\nimport {\n type MinimalTenantContext,\n type TenantContextData,\n withTenant,\n} from './context.js';\nimport { disableTenancy, enableTenancy } from './interceptor.js';\nimport { clearTenantScopedRegistry } from './registry.js';\n\n/**\n * Reset all tenancy state (for use in beforeEach/afterEach)\n *\n * This clears:\n * - Registered interceptors\n * - Tenant-scoped class registry\n *\n * @example\n * ```typescript\n * afterEach(() => {\n * resetTenancy();\n * });\n * ```\n */\nexport function resetTenancy(): void {\n disableTenancy();\n clearTenantScopedRegistry();\n}\n\n/**\n * Create a test tenant context and run code within it\n *\n * Convenience wrapper around withTenant() with sensible defaults for testing.\n *\n * @param context - Tenant context (can be minimal, just tenantId)\n * @param fn - Async function to run in the context\n *\n * @example\n * ```typescript\n * await createTestTenantContext({ tenantId: 'test-tenant' }, async () => {\n * const product = await collection.create({ name: 'Test' });\n * expect(product.tenantId).toBe('test-tenant');\n * });\n * ```\n */\nexport async function createTestTenantContext<T>(\n context: MinimalTenantContext | TenantContextData,\n fn: () => Promise<T>,\n): Promise<T> {\n return withTenant(context, fn);\n}\n\n/**\n * Create multiple tenant contexts for isolation testing\n *\n * @param tenantIds - Array of tenant IDs to create contexts for\n * @param fn - Function that receives an object mapping tenant IDs to context runners\n *\n * @example\n * ```typescript\n * await testTenantIsolation(['tenant-a', 'tenant-b'], async (tenants) => {\n * // Create in tenant A\n * const docA = await tenants['tenant-a'](async () => {\n * return collection.create({ title: 'A doc' });\n * });\n *\n * // Verify not visible in tenant B\n * await tenants['tenant-b'](async () => {\n * const found = await collection.get(docA.id);\n * expect(found).toBeNull();\n * });\n * });\n * ```\n */\nexport async function testTenantIsolation<T>(\n tenantIds: string[],\n fn: (\n tenants: Record<string, <R>(runner: () => Promise<R>) => Promise<R>>,\n ) => Promise<T>,\n): Promise<T> {\n const tenants: Record<string, <R>(runner: () => Promise<R>) => Promise<R>> =\n {};\n\n for (const tenantId of tenantIds) {\n tenants[tenantId] = async <R>(runner: () => Promise<R>) => {\n return withTenant({ tenantId }, runner);\n };\n }\n\n return fn(tenants);\n}\n\n/**\n * Options for `setupTestTenancy()`.\n *\n * @see setupTestTenancy\n */\nexport interface SetupTestTenancyOptions {\n /**\n * Enable tenancy interceptors\n * @default true\n */\n enableInterceptors?: boolean;\n\n /**\n * Raw query policy for tests\n * @default 'throw'\n */\n rawQueryPolicy?: 'throw' | 'warn' | 'allow';\n}\n\n/**\n * Set up tenancy for a test suite\n *\n * Call in beforeAll or at the start of tests to configure tenancy.\n *\n * @param options - Setup options\n *\n * @example\n * ```typescript\n * beforeAll(() => {\n * setupTestTenancy({ enableInterceptors: true });\n * });\n *\n * afterAll(() => {\n * resetTenancy();\n * });\n * ```\n */\nexport function setupTestTenancy(options: SetupTestTenancyOptions = {}): void {\n const { enableInterceptors = true, rawQueryPolicy = 'throw' } = options;\n\n // Clear any existing state\n resetTenancy();\n\n // Enable interceptors if requested\n if (enableInterceptors) {\n enableTenancy({ rawQueryPolicy });\n }\n}\n\n/**\n * Assert that executing `fn` throws a `TenantContextError`.\n *\n * Fails with a descriptive message if `fn` completes without throwing, or if\n * it throws a different error type. Optionally verifies that the error message\n * contains a specific substring.\n *\n * Useful for testing that business-logic code correctly rejects calls that are\n * made outside a tenant context.\n *\n * @param fn - Async function that should throw `TenantContextError`.\n * @param messageContains - Optional substring the error message must include.\n *\n * @example\n * ```typescript\n * await assertTenantContextRequired(async () => {\n * // No withTenant() in scope\n * await documentCollection.list({});\n * });\n * ```\n *\n * @see assertTenantIsolationViolation\n * @see TenantContextError\n */\nexport async function assertTenantContextRequired(\n fn: () => Promise<unknown>,\n messageContains?: string,\n): Promise<void> {\n try {\n await fn();\n throw new Error('Expected TenantContextError but no error was thrown');\n } catch (error: unknown) {\n const err = error as Error & { code?: string };\n if (err.code !== 'TENANT_CONTEXT_REQUIRED') {\n throw new Error(\n `Expected TenantContextError but got ${err.constructor.name}: ${err.message}`,\n );\n }\n if (messageContains && !err.message.includes(messageContains)) {\n throw new Error(\n `Expected error message to contain '${messageContains}' but got: ${err.message}`,\n );\n }\n }\n}\n\n/**\n * Assert that executing `fn` throws a `TenantIsolationError`.\n *\n * Fails with a descriptive message if `fn` completes without throwing, or if\n * it throws a different error type. Optionally verifies that the error message\n * contains a specific substring.\n *\n * Use this to verify that cross-tenant data access attempts are correctly\n * blocked by the interceptor.\n *\n * @param fn - Async function that should throw `TenantIsolationError`.\n * @param messageContains - Optional substring the error message must include.\n *\n * @example\n * ```typescript\n * await withTenant({ tenantId: 'tenant-a' }, async () => {\n * await assertTenantIsolationViolation(async () => {\n * // Attempt to filter by a different tenant\n * await collection.list({ where: { tenantId: 'tenant-b' } });\n * });\n * });\n * ```\n *\n * @see assertTenantContextRequired\n * @see TenantIsolationError\n */\nexport async function assertTenantIsolationViolation(\n fn: () => Promise<unknown>,\n messageContains?: string,\n): Promise<void> {\n try {\n await fn();\n throw new Error('Expected TenantIsolationError but no error was thrown');\n } catch (error: unknown) {\n const err = error as Error & { code?: string };\n if (err.code !== 'TENANT_ISOLATION_VIOLATION') {\n throw new Error(\n `Expected TenantIsolationError but got ${err.constructor.name}: ${err.message}`,\n );\n }\n if (messageContains && !err.message.includes(messageContains)) {\n throw new Error(\n `Expected error message to contain '${messageContains}' but got: ${err.message}`,\n );\n }\n }\n}\n"],"names":[],"mappings":";;;AA6DA,MAAM,iBAAqC;AAAA,EACzC,MAAM;AAAA,EACN,OAAO;AAAA,EACP,YAAY;AAAA,EACZ,cAAc;AAAA,EACd,uBAAuB;AACzB;AAGA,MAAM,0CAA0B,IAAA;AAwBzB,SAAS,0BACd,WACA,SAAsC,IAChC;AACN,sBAAoB,IAAI,WAAW;AAAA,IACjC,GAAG;AAAA,IACH,GAAG;AAAA,EAAA,CACJ;AACH;AAaO,SAAS,4BAA4B,WAAyB;AACnE,sBAAoB,OAAO,SAAS;AACtC;AAYA,SAAS,kBAAkB,WAA2B;AACpD,QAAM,MAAM,UAAU,YAAY,GAAG;AACrC,SAAO,QAAQ,KAAK,YAAY,UAAU,MAAM,MAAM,CAAC;AACzD;AAQA,SAAS,YAAY,QAAgD;AACnE,SAAO,EAAE,GAAG,OAAA;AACd;AAiBA,SAAS,4BACP,WACgC;AAEhC,QAAM,cAAc,oBAAoB,IAAI,SAAS;AACrD,MAAI,aAAa;AACf,WAAO,YAAY,WAAW;AAAA,EAChC;AAKA,QAAM,aAAa,eAAe,sBAAsB,SAAS;AACjE,MAAI,YAAY;AAEd,WAAO;AAAA,MACL,MAAM,WAAW;AAAA,MACjB,OAAO,WAAW;AAAA,MAClB,YAAY,WAAW;AAAA,MACvB,cAAc,WAAW;AAAA,MACzB,uBAAuB,WAAW;AAAA,IAAA;AAAA,EAEtC;AAEA,SAAO;AACT;AA0BA,SAAS,+BACP,WACgC;AAKhC,QAAM,QAAQ,eAAe,oBAAoB,SAAS;AAG1D,WAAS,IAAI,MAAM,SAAS,GAAG,KAAK,GAAG,KAAK;AAC1C,UAAM,WAAW,MAAM,CAAC;AAKxB,UAAM,SAAS,4BAA4B,QAAQ;AACnD,QAAI,QAAQ;AACV,aAAO;AAAA,IACT;AAWA,UAAM,SAAS,kBAAkB,QAAQ;AACzC,QAAI,WAAW,UAAU;AACvB,YAAM,WAAW,oBAAoB,IAAI,MAAM;AAC/C,UAAI,UAAU;AACZ,eAAO,YAAY,QAAQ;AAAA,MAC7B;AAAA,IACF;AAAA,EACF;AACA,SAAO;AACT;AAoBO,SAAS,sBACd,WACgC;AAEhC,QAAM,SAAS,4BAA4B,SAAS;AACpD,MAAI,QAAQ;AACV,WAAO;AAAA,EACT;AAEA,SAAO,+BAA+B,SAAS;AACjD;AAaO,SAAS,oBAAoB,WAA4B;AAC9D,SAAO,sBAAsB,SAAS,MAAM;AAC9C;AAeO,SAAS,4BAA6D;AAC3E,SAAO,IAAI,IAAI,mBAAmB;AACpC;AAWO,SAAS,4BAAkC;AAChD,sBAAoB,MAAA;AACtB;ACzTA,IAAI,UAAU;AAQP,SAAS,kBAAkB,OAAsB;AACtD,YAAU;AACZ;AAQO,SAAS,mBAA4B;AAC1C,SAAO;AACT;ACkEA,eAAsB,0BACpB,SACA,IACY;AACZ,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA,mBAAmB;AAAA,IACnB,UAAU;AAAA,EAAA,IACR;AAIJ,QAAM,SACJ,OAAO,iBAAiB,YACpB,eACA,YACE,oBAAoB,SAAS,IAC7B;AAMR,MAAI,CAAC,OAAQ,QAAO,GAAA;AACpB,MAAI,iBAAA,KAAsB,gBAAA,UAA0B,GAAA;AAKpD,MAAI,kBAAkB;AACpB,WAAO,kBAAkB,EAAE;AAAA,EAC7B;AAGA,MAAI,OAAO,aAAa,YAAY,UAAU;AAC5C,WAAO,WAAW,EAAE,SAAA,GAAY,EAAE;AAAA,EACpC;AAGA,MAAI,oBAAoB;AACtB,UAAM,IAAI;AAAA,MACR,wDAAwD,OAAO;AAAA,IAAA;AAAA,EAInE;AAGA,SAAO,GAAA;AACT;AChHA,MAAM,SAAS,aAAa,EAAE,OAAO,QAAQ;AAiF7C,MAAM,kBAA4C;AAAA,EAChD,gBAAgB;AAClB;AAYA,SAAS,kBACP,UACA,WACyB;AAQzB,MAAI,OAAQ,SAAiB,WAAW,YAAY;AAClD,WAAO,EAAE,WAAW,GAAI,SAAiB,SAAO;AAAA,EAClD;AAIA,QAAM,SAAkC,EAAE,UAAA;AAC1C,aAAW,OAAO,OAAO,KAAK,QAAQ,GAAG;AACvC,UAAM,QAAS,SAAiB,GAAG;AACnC,QAAI,OAAO,UAAU,YAAY;AAC/B,aAAO,GAAG,IAAI;AAAA,IAChB;AAAA,EACF;AACA,SAAO;AACT;AAwCO,SAAS,wBACd,UAAoC,IACb;AACvB,QAAM,OAAO,EAAE,GAAG,iBAAiB,GAAG,QAAA;AAEtC,SAAO;AAAA,IACL,MAAM;AAAA,IACN,UAAU;AAAA;AAAA;AAAA;AAAA;AAAA,IAKV,WACE,WACA,aACA,SACyB;AAEzB,UAAI,CAAC,oBAAoB,SAAS,GAAG;AACnC;AAAA,MACF;AAGA,UAAI,sBAAsB;AACxB;AAAA,MACF;AAGA,UAAI,mBAAmB;AACrB;AAAA,MACF;AAEA,YAAM,SAAS,sBAAsB,SAAS;AAC9C,YAAM,gBAAgB,iBAAA;AAGtB,UAAI,CAAC,eAAe;AAClB,YAAI,QAAQ,SAAS,YAAY;AAC/B,eAAK,mBAAmB,WAAW,QAAQ,OAAO;AAClD,gBAAM,IAAI;AAAA,YACR,uCAAuC,SAAS;AAAA,UAAA;AAAA,QAGpD;AACA;AAAA,MACF;AAGA,YAAM,cAAc,QAAQ,SAAS;AACrC,YAAM,QAAQ,YAAY,SAAS,CAAA;AAGnC,UAAI,eAAe,OAAO;AAMxB,cAAM,iBAAiB,MAAM,WAAW;AACxC,cAAM,eAAe,MAAM,QAAQ,cAAc,IAC7C,iBACA,CAAC,cAAc;AAGnB,cAAM,iBAAiB,aAAa;AAAA,UAClC,CAAC,UAAU,UAAU,cAAc;AAAA,QAAA;AAErC,YAAI,mBAAmB,IAAI;AACzB,gBAAM,YAAY,aAAa,cAAc;AAC7C,eAAK;AAAA,YACH;AAAA,YACA,cAAc;AAAA,YACd,OAAO,SAAS;AAAA,YAChB;AAAA,UAAA;AAEF,gBAAM,IAAI;AAAA,YACR,iCAAiC,SAAS,8BAClB,cAAc,QAAQ,2BAA2B,OAAO,SAAS,CAAC;AAAA,YAC1F;AAAA,cACE,UAAU,cAAc;AAAA,cACxB,mBAAmB,OAAO,SAAS;AAAA,YAAA;AAAA,UACrC;AAAA,QAEJ;AACA;AAAA,MACF;AAGA,aAAO;AAAA,QACL,GAAG;AAAA,QACH,OAAO;AAAA,UACL,GAAG;AAAA,UACH,CAAC,WAAW,GAAG,cAAc;AAAA,QAAA;AAAA,MAC/B;AAAA,IAEJ;AAAA;AAAA;AAAA;AAAA,IAKA,UACE,WACA,QACA,SAC8C;AAC9C,UAAI,CAAC,oBAAoB,SAAS,GAAG;AACnC;AAAA,MACF;AAEA,UAAI,sBAAsB;AACxB;AAAA,MACF;AAGA,UAAI,mBAAmB;AACrB;AAAA,MACF;AAEA,YAAM,SAAS,sBAAsB,SAAS;AAC9C,YAAM,gBAAgB,iBAAA;AAEtB,UAAI,CAAC,eAAe;AAClB,YAAI,QAAQ,SAAS,YAAY;AAC/B,eAAK,mBAAmB,WAAW,OAAO,OAAO;AACjD,gBAAM,IAAI;AAAA,YACR,uCAAuC,SAAS;AAAA,UAAA;AAAA,QAGpD;AACA;AAAA,MACF;AAEA,YAAM,cAAc,QAAQ,SAAS;AAGrC,UAAI,OAAO,WAAW,UAAU;AAC9B,eAAO;AAAA,UACL,IAAI;AAAA,UACJ,CAAC,WAAW,GAAG,cAAc;AAAA,QAAA;AAAA,MAEjC;AAGA,UAAI,EAAE,eAAe,SAAS;AAC5B,eAAO;AAAA,UACL,GAAG;AAAA,UACH,CAAC,WAAW,GAAG,cAAc;AAAA,QAAA;AAAA,MAEjC;AAKA,YAAM,iBAAiB,OAAO,WAAW;AACzC,YAAM,eAAe,MAAM,QAAQ,cAAc,IAC7C,iBACA,CAAC,cAAc;AAGnB,YAAM,iBAAiB,aAAa;AAAA,QAClC,CAAC,UAAU,UAAU,cAAc;AAAA,MAAA;AAErC,UAAI,mBAAmB,IAAI;AACzB,cAAM,YAAY,aAAa,cAAc;AAC7C,aAAK;AAAA,UACH;AAAA,UACA,cAAc;AAAA,UACd,OAAO,SAAS;AAAA,UAChB;AAAA,QAAA;AAEF,cAAM,IAAI;AAAA,UACR,iCAAiC,SAAS,4BAClB,cAAc,QAAQ,2BAA2B,OAAO,SAAS,CAAC;AAAA,UAC1F;AAAA,YACE,UAAU,cAAc;AAAA,YACxB,mBAAmB,OAAO,SAAS;AAAA,UAAA;AAAA,QACrC;AAAA,MAEJ;AAEA;AAAA,IACF;AAAA;AAAA;AAAA;AAAA,IAKA,YACE,WACA,cACA,SACkC;AAClC,UAAI,CAAC,oBAAoB,SAAS,GAAG;AACnC;AAAA,MACF;AAGA,UAAI,aAAa,wBAAwB;AACvC,aAAK,aAAa,WAAW,aAAa,KAAK,OAAO;AACtD;AAAA,MACF;AAEA,UAAI,sBAAsB;AACxB,aAAK,aAAa,WAAW,aAAa,KAAK,OAAO;AACtD;AAAA,MACF;AAGA,UAAI,mBAAmB;AACrB,aAAK,aAAa,WAAW,aAAa,KAAK,OAAO;AACtD;AAAA,MACF;AAGA,YAAM,UACJ,kDAAkD,SAAS;AAK7D,WAAK,aAAa,WAAW,aAAa,KAAK,OAAO;AAEtD,cAAQ,KAAK,gBAAA;AAAA,QACX,KAAK;AACH,gBAAM,IAAI,qBAAqB,OAAO;AAAA,QAExC,KAAK;AACH,iBAAO,KAAK,2BAA2B,OAAO,EAAE;AAChD;AAAA,QACF;AACE;AAAA,MAAA;AAAA,IAEN;AAAA;AAAA;AAAA;AAAA,IAKA,WAAW,UAAsB,SAAmC;AAGlE,YAAM,YAAY,QAAQ;AAG1B,UAAI,KAAK,kBAAkB,SAAS,SAAS,GAAG;AAC9C,cAAM,KAAM,SAAiB;AAC7B,gBAAQ,WAAW;AAAA,UACjB,GAAG,QAAQ;AAAA,UACX,iBAAiB,OAAO,UAAa,OAAO;AAAA,QAAA;AAAA,MAEhD;AAEA,UAAI,CAAC,oBAAoB,SAAS,GAAG;AACnC;AAAA,MACF;AAEA,UAAI,sBAAsB;AACxB;AAAA,MACF;AAGA,UAAI,mBAAmB;AACrB;AAAA,MACF;AAEA,YAAM,SAAS,sBAAsB,SAAS;AAC9C,YAAM,cAAc,QAAQ,SAAS;AACrC,YAAM,mBAAoB,SAAiB,WAAW;AAEtD,YAAM,gBAAgB,iBAAA;AAGtB,UAAI,CAAC,eAAe;AAClB,YAAI,QAAQ,SAAS,YAAY;AAC/B,eAAK,mBAAmB,WAAW,QAAQ,OAAO;AAClD,gBAAM,IAAI;AAAA,YACR,sCAAsC,SAAS;AAAA,UAAA;AAAA,QAGnD;AACA;AAAA,MACF;AAGA,UAAI,CAAC,oBAAoB,QAAQ,iBAAiB,OAAO;AACtD,iBAAiB,WAAW,IAAI,cAAc;AAC/C;AAAA,MACF;AAGA,UAAI,oBAAoB,qBAAqB,cAAc,UAAU;AACnE,aAAK;AAAA,UACH;AAAA,UACA,cAAc;AAAA,UACd;AAAA,UACA;AAAA,QAAA;AAEF,cAAM,IAAI;AAAA,UACR,2CAA2C,SAAS,mBACrC,gBAAgB,2BAA2B,cAAc,QAAQ;AAAA,UAChF;AAAA,YACE,UAAU,cAAc;AAAA,YACxB,mBAAmB;AAAA,UAAA;AAAA,QACrB;AAAA,MAEJ;AAAA,IACF;AAAA;AAAA;AAAA;AAAA,IAKA,aAAa,UAAsB,SAAmC;AAEpE,YAAM,YAAY,QAAQ;AAE1B,UAAI,CAAC,oBAAoB,SAAS,GAAG;AACnC;AAAA,MACF;AAEA,UAAI,sBAAsB;AACxB;AAAA,MACF;AAGA,UAAI,mBAAmB;AACrB;AAAA,MACF;AAEA,YAAM,SAAS,sBAAsB,SAAS;AAC9C,YAAM,cAAc,QAAQ,SAAS;AACrC,YAAM,mBAAoB,SAAiB,WAAW;AAEtD,YAAM,gBAAgB,iBAAA;AAEtB,UAAI,CAAC,eAAe;AAClB,YAAI,QAAQ,SAAS,YAAY;AAC/B,eAAK,mBAAmB,WAAW,UAAU,OAAO;AACpD,gBAAM,IAAI;AAAA,YACR,wCAAwC,SAAS;AAAA,UAAA;AAAA,QAGrD;AACA;AAAA,MACF;AAGA,UAAI,oBAAoB,qBAAqB,cAAc,UAAU;AACnE,aAAK;AAAA,UACH;AAAA,UACA,cAAc;AAAA,UACd;AAAA,UACA;AAAA,QAAA;AAEF,cAAM,IAAI;AAAA,UACR,6CAA6C,SAAS,mBACvC,gBAAgB,2BAA2B,cAAc,QAAQ;AAAA,UAChF;AAAA,YACE,UAAU,cAAc;AAAA,YACxB,mBAAmB;AAAA,UAAA;AAAA,QACrB;AAAA,MAEJ;AAAA,IACF;AAAA;AAAA;AAAA;AAAA,IAKA,MAAM,UACJ,UACA,SACe;AACf,UACE,CAAC,KAAK,eACN,CAAC,KAAK,kBAAkB,SAAS,QAAQ,SAAS;AAElD;AAEF,YAAM,WAAW,QAAQ,UAAU;AACnC,YAAM,QACJ,OAAO,aAAa,YAAY,WAAY,SAAiB,MAAM;AACrE,YAAM,QAAQ,QACV,aAAa,QAAQ,UAAU,YAAA,CAAa,aAC5C,aAAa,QAAQ,UAAU,YAAA,CAAa;AAEhD,YAAM,KAAK,YAAY;AAAA,QACrB;AAAA,QACA,kBAAkB,UAAU,QAAQ,SAAS;AAAA,QAC7C;AAAA,UACE,QAAQ;AAAA,UACR,UAAW,SAAiB;AAAA,QAAA;AAAA,MAC9B;AAAA,IAEJ;AAAA;AAAA;AAAA;AAAA,IAKA,MAAM,YACJ,UACA,SACe;AACf,UACE,CAAC,KAAK,eACN,CAAC,KAAK,kBAAkB,SAAS,QAAQ,SAAS;AAElD;AAEF,YAAM,KAAK,YAAY;AAAA,QACrB,aAAa,QAAQ,UAAU,YAAA,CAAa;AAAA,QAC5C,kBAAkB,UAAU,QAAQ,SAAS;AAAA,QAC7C;AAAA,UACE,QAAQ;AAAA,UACR,UAAW,SAAiB;AAAA,QAAA;AAAA,MAC9B;AAAA,IAEJ;AAAA,EAAA;AAEJ;AASA,IAAI,wBAAsD;AAsBnD,SAAS,cAAc,UAAoC,IAAU;AAC1E,MAAI,oBAAoB;AACtB,WAAO;AAAA,MACL;AAAA,IAAA;AAEF;AAAA,EACF;AAEA,0BAAwB,wBAAwB,OAAO;AACvD,qBAAmB,SAAS,qBAAqB;AAMjD,4BAA0B,MAAM,aAAa;AAK7C,4BAA0B,yBAAyB;AAEnD,oBAAkB,IAAI;AACxB;AAwBO,SAAS,iBAAuB;AACrC,MAAI,CAAC,sBAAsB,CAAC,uBAAuB;AACjD;AAAA,EACF;AAEA,qBAAmB,WAAW,qBAAqB;AAGnD,4BAA0B,MAAS;AAEnC,4BAA0B,MAAS;AACnC,0BAAwB;AACxB,oBAAkB,KAAK;AACzB;AClpBO,SAAS,eAAqB;AACnC,iBAAA;AACA,4BAAA;AACF;AAkBA,eAAsB,wBACpB,SACA,IACY;AACZ,SAAO,WAAW,SAAS,EAAE;AAC/B;AAwBA,eAAsB,oBACpB,WACA,IAGY;AACZ,QAAM,UACJ,CAAA;AAEF,aAAW,YAAY,WAAW;AAChC,YAAQ,QAAQ,IAAI,OAAU,WAA6B;AACzD,aAAO,WAAW,EAAE,SAAA,GAAY,MAAM;AAAA,IACxC;AAAA,EACF;AAEA,SAAO,GAAG,OAAO;AACnB;AAuCO,SAAS,iBAAiB,UAAmC,IAAU;AAC5E,QAAM,EAAE,qBAAqB,MAAM,iBAAiB,YAAY;AAGhE,eAAA;AAGA,MAAI,oBAAoB;AACtB,kBAAc,EAAE,gBAAgB;AAAA,EAClC;AACF;AA0BA,eAAsB,4BACpB,IACA,iBACe;AACf,MAAI;AACF,UAAM,GAAA;AACN,UAAM,IAAI,MAAM,qDAAqD;AAAA,EACvE,SAAS,OAAgB;AACvB,UAAM,MAAM;AACZ,QAAI,IAAI,SAAS,2BAA2B;AAC1C,YAAM,IAAI;AAAA,QACR,uCAAuC,IAAI,YAAY,IAAI,KAAK,IAAI,OAAO;AAAA,MAAA;AAAA,IAE/E;AACA,QAAI,mBAAmB,CAAC,IAAI,QAAQ,SAAS,eAAe,GAAG;AAC7D,YAAM,IAAI;AAAA,QACR,sCAAsC,eAAe,cAAc,IAAI,OAAO;AAAA,MAAA;AAAA,IAElF;AAAA,EACF;AACF;AA4BA,eAAsB,+BACpB,IACA,iBACe;AACf,MAAI;AACF,UAAM,GAAA;AACN,UAAM,IAAI,MAAM,uDAAuD;AAAA,EACzE,SAAS,OAAgB;AACvB,UAAM,MAAM;AACZ,QAAI,IAAI,SAAS,8BAA8B;AAC7C,YAAM,IAAI;AAAA,QACR,yCAAyC,IAAI,YAAY,IAAI,KAAK,IAAI,OAAO;AAAA,MAAA;AAAA,IAEjF;AACA,QAAI,mBAAmB,CAAC,IAAI,QAAQ,SAAS,eAAe,GAAG;AAC7D,YAAM,IAAI;AAAA,QACR,sCAAsC,eAAe,cAAc,IAAI,OAAO;AAAA,MAAA;AAAA,IAElF;AAAA,EACF;AACF;"}
1
+ {"version":3,"file":"testing-DyAqaOBC.js","sources":["../../src/registry.ts","../../src/enabled-state.ts","../../src/entry-point.ts","../../src/interceptor.ts","../../src/testing.ts"],"sourcesContent":["/**\n * Tenant-Scoped Class Registry\n *\n * Tracks which classes are tenant-scoped and their configuration.\n * Used by the interceptor to determine how to handle operations.\n *\n * This registry supports two patterns:\n * 1. @TenantScoped() decorator + tenantId field (original pattern)\n * 2. @smrt({ tenantScoped: true }) in smrt-core (Issue #688 pattern)\n *\n * Both patterns are automatically recognized by the interceptor.\n *\n * @see https://github.com/happyvertical/smrt/issues/675\n * @see https://github.com/happyvertical/smrt/issues/688\n */\n\nimport { ObjectRegistry } from '@happyvertical/smrt-core';\n\n/**\n * Resolved tenancy configuration for a single class, as stored in the registry.\n *\n * Every field has a concrete (non-optional) value — defaults are applied by\n * `registerTenantScopedClass()` when the class is registered via `@TenantScoped()`.\n *\n * @see TenantScopedOptions\n * @see registerTenantScopedClass\n */\nexport interface TenantScopedConfig {\n /**\n * Tenancy mode for this class\n * - 'required': Must have tenant context for all operations\n * - 'optional': Works with or without tenant context\n * @default 'required'\n */\n mode: 'required' | 'optional';\n\n /**\n * Field name containing tenant ID\n * @default 'tenantId'\n */\n field: string;\n\n /**\n * Auto-filter all queries by tenant\n * @default true\n */\n autoFilter: boolean;\n\n /**\n * Auto-populate tenant ID from context on create\n * @default true\n */\n autoPopulate: boolean;\n\n /**\n * Allow super admin bypass for this class\n * @default false\n */\n allowSuperAdminBypass: boolean;\n}\n\nconst DEFAULT_CONFIG: TenantScopedConfig = {\n mode: 'required',\n field: 'tenantId',\n autoFilter: true,\n autoPopulate: true,\n allowSuperAdminBypass: false,\n};\n\n// Registry storing tenant-scoped class configurations\nconst tenantScopedClasses = new Map<string, TenantScopedConfig>();\n\n/**\n * Register a class as tenant-scoped with the given configuration.\n *\n * Called automatically by the `@TenantScoped()` decorator. You can also call\n * this directly when you cannot use decorators (e.g., third-party classes or\n * plain objects in tests). Defaults from `DEFAULT_CONFIG` are merged over any\n * omitted options.\n *\n * Calling this again for the same `className` overwrites the previous entry.\n *\n * @param className - The class's `name` property (e.g., `'Document'`).\n * @param config - Partial tenancy configuration; omitted fields receive defaults.\n *\n * @example\n * ```typescript\n * // Manually register a class (e.g., for testing)\n * registerTenantScopedClass('Document', { mode: 'optional' });\n * ```\n *\n * @see TenantScoped\n * @see unregisterTenantScopedClass\n */\nexport function registerTenantScopedClass(\n className: string,\n config: Partial<TenantScopedConfig> = {},\n): void {\n tenantScopedClasses.set(className, {\n ...DEFAULT_CONFIG,\n ...config,\n });\n}\n\n/**\n * Remove a class from the tenant-scoped registry.\n *\n * Primarily intended for test teardown — use `clearTenantScopedRegistry()` to\n * reset the entire registry at once.\n *\n * @param className - The class name to remove (e.g., `'Document'`).\n *\n * @see clearTenantScopedRegistry\n * @see registerTenantScopedClass\n */\nexport function unregisterTenantScopedClass(className: string): void {\n tenantScopedClasses.delete(className);\n}\n\n/**\n * Strip a qualified `@scope/pkg:ClassName` name down to its bare class name.\n *\n * `@TenantScoped` registers classes by their simple name (`target.name`), but\n * `ObjectRegistry.getInheritanceChain()` emits **qualified** names where a\n * class has package context. The simple-name bridge this enables is confined to\n * the inheritance walk (`getInheritedTenantScopedConfig`) — never the direct\n * lookup — so a *direct* qualified lookup can't strip the namespace and\n * cross-match a same-simple-name class in another package.\n */\nfunction toSimpleClassName(className: string): string {\n const idx = className.lastIndexOf(':');\n return idx === -1 ? className : className.slice(idx + 1);\n}\n\n/**\n * Return a shallow copy of a config so callers can never mutate the stored\n * registration. The same backing object is shared by the base and every\n * inheriting descendant, so handing out the reference would let an accidental\n * caller mutation silently corrupt the base (and all children). (#1598 review)\n */\nfunction cloneConfig(config: TenantScopedConfig): TenantScopedConfig {\n return { ...config };\n}\n\n/**\n * Resolve a class's OWN tenancy configuration — no STI inheritance, EXACT name\n * match only.\n *\n * Checks the two registration mechanisms in order, with the local registry\n * taking precedence:\n * 1. The local registry populated by `@TenantScoped()` (keyed by simple name).\n * 2. The core `ObjectRegistry` populated by `@smrt({ tenantScoped: true })`.\n *\n * Lookups are by exact name only — no simple-name fallback — so a qualified\n * lookup (e.g. `@happyvertical/smrt-affiliates:Payout`, explicitly not scoped)\n * can never strip its namespace and match a same-simple-name scoped class in\n * another package (e.g. `@happyvertical/smrt-commerce:Payout`). The\n * namespace-stripping bridge lives only in the inheritance walk. (#1598 review)\n */\nfunction getDirectTenantScopedConfig(\n className: string,\n): TenantScopedConfig | undefined {\n // 1. Local registry (explicit @TenantScoped decorator).\n const localConfig = tenantScopedClasses.get(className);\n if (localConfig) {\n return cloneConfig(localConfig);\n }\n\n // 2. Core registry (@smrt({ tenantScoped: true }) pattern - Issue #688).\n // findClass() resolves qualified names package-safely, so this branch is\n // already disambiguated.\n const coreConfig = ObjectRegistry.getTenantScopedConfig(className);\n if (coreConfig) {\n // Convert core config to TenantScopedConfig format\n return {\n mode: coreConfig.mode,\n field: coreConfig.field,\n autoFilter: coreConfig.autoFilter,\n autoPopulate: coreConfig.autoPopulate,\n allowSuperAdminBypass: coreConfig.allowSuperAdminBypass,\n };\n }\n\n return undefined;\n}\n\n/**\n * Resolve tenancy configuration inherited from an STI/ancestor class.\n *\n * `@TenantScoped` (and `@smrt({ tenantScoped })`) register ONLY the exact class\n * decorated — recognition does NOT propagate to subclasses. Before #1596 this\n * meant an STI child with its own collection (the child is the collection's\n * `_itemClass`) was treated as non-tenant-scoped at runtime: the interceptor\n * skipped tenant filtering on its `list()`/`get()` (cross-tenant reads), skipped\n * tenant population in `beforeSave`, and skipped the raw-SQL policy. Manual\n * re-declaration on every child was the fragile pattern that already bit images\n * (#1407) and messages.\n *\n * We now walk the STI inheritance chain so any descendant of a tenant-scoped\n * base is recognized automatically and inherits the base's config. A subclass\n * of a tenant-scoped class is always itself tenant-scoped — there is no safe\n * reason for it to opt out — so the walk intentionally covers any inheritance\n * (the motivating leak is STI child collections, but this is correct for CTI\n * hierarchies too).\n *\n * Ancestors are walked from nearest-to-self toward the root, returning the\n * first tenant-scoped ancestor's config so a closer ancestor wins. The class's\n * OWN declaration is resolved by the direct lookup in `getTenantScopedConfig`\n * and always takes precedence over anything inherited here.\n */\nfunction getInheritedTenantScopedConfig(\n className: string,\n): TenantScopedConfig | undefined {\n // getInheritanceChain returns [root, ..., self] (qualified names where the\n // class has package context). It is cached by core and only reached here when\n // the direct lookup misses, so the per-call cost on non-tenant classes is a\n // cache hit plus this short loop. Returns [] for unregistered classes.\n const chain = ObjectRegistry.getInheritanceChain(className);\n // chain[length - 1] is the class itself (already covered by the direct\n // lookup); walk its ancestors from nearest to root.\n for (let i = chain.length - 2; i >= 0; i--) {\n const ancestor = chain[i];\n\n // Exact, package-safe match first — covers `@smrt({ tenantScoped })` bases\n // (resolved through the core registry by qualified name) and any class\n // whose @TenantScoped key matches the chain entry verbatim.\n const direct = getDirectTenantScopedConfig(ancestor);\n if (direct) {\n return direct;\n }\n\n // @TenantScoped registers by SIMPLE name (`target.name`), but the chain\n // emits QUALIFIED names. Bridge to the simple-keyed local registry here —\n // scoped to the inheritance walk only, so a direct qualified lookup never\n // strips the namespace (see getDirectTenantScopedConfig). The chain entry\n // is a verified ancestor of `className`, so matching its simple name is the\n // intended hop. (Residual: the @TenantScoped registry is simple-keyed, so\n // two DISTINCT same-simple-name classes that are BOTH @TenantScoped across\n // packages could cross-match here — a pre-existing decorator-keying limit,\n // not the direct-lookup hazard fixed above.)\n const simple = toSimpleClassName(ancestor);\n if (simple !== ancestor) {\n const bySimple = tenantScopedClasses.get(simple);\n if (bySimple) {\n return cloneConfig(bySimple);\n }\n }\n }\n return undefined;\n}\n\n/**\n * Retrieve the resolved tenancy configuration for a class.\n *\n * Resolution order:\n * 1. The class's OWN declaration — local `@TenantScoped()` registry first, then\n * the core `@smrt({ tenantScoped: true })` registry.\n * 2. STI inheritance — the nearest tenant-scoped ancestor's config (#1596).\n *\n * A class that declares its own tenancy never reaches step 2, so an explicit\n * child `@TenantScoped` always overrides the inherited base config.\n *\n * @param className - The class name to look up.\n * @returns The `TenantScopedConfig` if the class is tenant-scoped directly or\n * by inheritance, or `undefined` if it is not.\n *\n * @see isTenantScopedClass\n * @see getAllTenantScopedClasses\n */\nexport function getTenantScopedConfig(\n className: string,\n): TenantScopedConfig | undefined {\n // A class's own @TenantScoped / @smrt({ tenantScoped }) declaration wins.\n const direct = getDirectTenantScopedConfig(className);\n if (direct) {\n return direct;\n }\n // Otherwise inherit recognition from a tenant-scoped STI ancestor (#1596).\n return getInheritedTenantScopedConfig(className);\n}\n\n/**\n * Return `true` if the named class is tenant-scoped — directly (via\n * `@TenantScoped()` / `@smrt({ tenantScoped: true })`) or by inheriting from a\n * tenant-scoped STI ancestor (#1596).\n *\n * @param className - The class name to look up (e.g., `'Document'`).\n * @returns `true` if the class is tenant-scoped by any mechanism.\n *\n * @see getTenantScopedConfig\n * @see registerTenantScopedClass\n */\nexport function isTenantScopedClass(className: string): boolean {\n return getTenantScopedConfig(className) !== undefined;\n}\n\n/**\n * Return a snapshot of all classes registered via `@TenantScoped()`.\n *\n * Returns a new `Map` so mutations to the returned value do not affect the\n * internal registry. Note that classes registered only through the core\n * `ObjectRegistry` (`@smrt({ tenantScoped: true })`) are **not** included in\n * this map.\n *\n * @returns A copy of the local tenant-scoped class registry, keyed by class name.\n *\n * @see isTenantScopedClass\n * @see getTenantScopedConfig\n */\nexport function getAllTenantScopedClasses(): Map<string, TenantScopedConfig> {\n return new Map(tenantScopedClasses);\n}\n\n/**\n * Remove all entries from the local tenant-scoped class registry.\n *\n * Intended for test teardown via `resetTenancy()`. Does not affect\n * registrations held by the core `ObjectRegistry`.\n *\n * @see resetTenancy\n * @see unregisterTenantScopedClass\n */\nexport function clearTenantScopedRegistry(): void {\n tenantScopedClasses.clear();\n}\n","/**\n * Shared tenancy-enabled flag.\n *\n * Holds the single boolean toggled by `enableTenancy()` / `disableTenancy()`.\n * It lives in its own leaf module (importing nothing from the package) so that\n * both `interceptor.ts` and `entry-point.ts` can read it without forming a\n * circular import: `interceptor.ts` imports `runTenantScopedEntryPoint` from\n * `entry-point.ts`, and `entry-point.ts` needs the enabled flag — routing the\n * flag through here keeps that dependency one-directional.\n */\n\nlet enabled = false;\n\n/**\n * Set the global tenancy-enabled flag. Internal — called by `enableTenancy()` /\n * `disableTenancy()` in `interceptor.ts`.\n *\n * @param value - `true` to mark tenancy enabled, `false` to clear it.\n */\nexport function setTenancyEnabled(value: boolean): void {\n enabled = value;\n}\n\n/**\n * Return `true` if tenant enforcement is currently active.\n *\n * @returns Whether `enableTenancy()` has been called without a later\n * `disableTenancy()`.\n */\nexport function isTenancyEnabled(): boolean {\n return enabled;\n}\n","/**\n * Fail-closed tenant-context establishment for non-web entry points (#1554).\n *\n * The SvelteKit/Express adapters establish tenant context from the authenticated\n * request principal, so the web surface of a `@TenantScoped({ mode: 'optional' })`\n * model never reads across tenants without an active context. The generated\n * **CLI** and **MCP** entry points have no request principal, so an invocation\n * with no active context would fall through the interceptor's optional-mode\n * pass-through and return rows across **all** tenants.\n *\n * `runTenantScopedEntryPoint()` closes that gap. It is the single fail-closed\n * gate both generated surfaces wrap their per-command/per-tool execution in.\n *\n * @see createCliContext for the richer CLI runner (resolveTenantId, super-admin).\n */\n\nimport {\n hasTenantContext,\n isSystemContext,\n TenantContextError,\n withSystemContext,\n withTenant,\n} from './context.js';\nimport { isTenancyEnabled } from './enabled-state.js';\nimport { isTenantScopedClass } from './registry.js';\n\n/**\n * Inputs for {@link runTenantScopedEntryPoint}.\n *\n * Provide **either** `className` (the gate resolves tenant-scoping from the\n * authoritative tenancy registry — the same source the interceptor uses, so it\n * covers both `@TenantScoped` and `@smrt({ tenantScoped })` registrations) or an\n * explicit `tenantScoped` boolean (when the caller already resolved it, e.g. a\n * build-time generated surface). An explicit boolean wins when both are given.\n */\nexport interface TenantEntryPointOptions {\n /**\n * Class name of the target model. When provided, tenant-scoping is resolved\n * via `isTenantScopedClass(className)`.\n */\n className?: string;\n\n /**\n * Explicit tenant-scoping decision. Overrides `className` resolution when set.\n * Non-scoped models always pass through unchanged — the gate is a no-op.\n */\n tenantScoped?: boolean;\n\n /**\n * Explicit operator-provided tenant selector (CLI `--tenant <id>`, MCP\n * `context.tenantId`). When present (and no context is already active) the\n * function runs inside this tenant's context.\n */\n tenantId?: string | null;\n\n /**\n * Explicit operator opt-in to cross-tenant / system access (CLI\n * `--all-tenants`, an MCP host that trusts the caller as an operator). When\n * set the function runs in system context, bypassing tenant filtering.\n *\n * @default false\n */\n allowCrossTenant?: boolean;\n\n /**\n * Human-facing surface name used in the fail-closed error message, e.g.\n * `'CLI'` or `'MCP'`.\n *\n * @default 'entry point'\n */\n surface?: string;\n}\n\n/**\n * Run `fn` inside an appropriate tenant context for a generated CLI/MCP entry\n * point, failing closed for tenant-scoped models when no authorized context can\n * be established.\n *\n * Resolution order (tenant-scoped models only):\n * 1. A tenant context is already active, or an explicit `withSystemContext()`\n * bypass is in effect (e.g. `runAsSystem()`, migrations) → run as-is.\n * 2. `allowCrossTenant` was explicitly set → run in system context. Checked\n * before `tenantId` so an explicit cross-tenant opt-in wins over a default\n * principal/host tenant rather than being silently scoped.\n * 3. An explicit `tenantId` was provided → run inside that tenant.\n * 4. Tenancy is enabled but none of the above → **throw** `TenantContextError`\n * (the fail-closed branch — never silently read across tenants).\n * 5. Tenancy is disabled (single-/no-tenant deployment) → pass through.\n *\n * Non-tenant-scoped models always pass straight through.\n *\n * @param options - {@link TenantEntryPointOptions}.\n * @param fn - The command/tool body to execute.\n * @returns The resolved value of `fn`.\n * @throws {TenantContextError} When a tenant-scoped model is reached with\n * tenancy enabled and no tenant/cross-tenant selector.\n */\nexport async function runTenantScopedEntryPoint<T>(\n options: TenantEntryPointOptions,\n fn: () => Promise<T>,\n): Promise<T> {\n const {\n className,\n tenantScoped,\n tenantId,\n allowCrossTenant = false,\n surface = 'entry point',\n } = options;\n\n // Resolve tenant-scoping: an explicit boolean wins; otherwise consult the\n // authoritative tenancy registry by class name (matches the interceptor).\n const scoped =\n typeof tenantScoped === 'boolean'\n ? tenantScoped\n : className\n ? isTenantScopedClass(className)\n : false;\n\n // Non-scoped models run as-is. So do calls already inside a tenant context\n // (an upstream handle) or an explicit system-context bypass — the interceptor\n // honors `withSystemContext()` (migrations, `runAsSystem()`), so the gate must\n // not fail-close over it (hasTenantContext() is false for the system marker).\n if (!scoped) return fn();\n if (hasTenantContext() || isSystemContext()) return fn();\n\n // Explicit operator opt-in to cross-tenant access. Checked before the tenant\n // selector so a deliberate `--all-tenants` / `allowCrossTenant` overrides a\n // default host/principal tenant instead of being silently scoped to it.\n if (allowCrossTenant) {\n return withSystemContext(fn);\n }\n\n // Explicit tenant selector.\n if (typeof tenantId === 'string' && tenantId) {\n return withTenant({ tenantId }, fn);\n }\n\n // Fail closed: tenancy is on but the caller gave us nothing to scope by.\n if (isTenancyEnabled()) {\n throw new TenantContextError(\n `Tenant context required for tenant-scoped access via ${surface}. ` +\n 'Pass an explicit tenant (e.g. --tenant <id> / a tenantId) or opt into ' +\n 'cross-tenant access (e.g. --all-tenants) to read across all tenants.',\n );\n }\n\n // Tenancy disabled → single-tenant deployment, pass through.\n return fn();\n}\n","/**\n * Tenant Interceptor - Core enforcement mechanism\n *\n * Registers with GlobalInterceptors in smrt-core to automatically:\n * - Filter queries by tenant ID\n * - Validate tenant context on save/delete\n * - Block or audit raw SQL on tenant-scoped classes\n *\n * @see https://github.com/happyvertical/smrt/issues/675\n */\n\nimport { createLogger } from '@happyvertical/logger';\nimport type { SmrtObject } from '@happyvertical/smrt-core';\nimport {\n type CollectionInterceptor,\n type DispatchBus,\n GlobalInterceptors,\n type InterceptorContext,\n type ListOptions,\n type QueryInterceptResult,\n type QueryOptions,\n setDispatchTenantResolver,\n setTenantEntryPointRunner,\n} from '@happyvertical/smrt-core';\nimport {\n getCurrentTenant,\n getTenantId,\n isSuperAdminBypass,\n isSystemContext,\n TenantContextError,\n TenantIsolationError,\n} from './context.js';\nimport { isTenancyEnabled, setTenancyEnabled } from './enabled-state.js';\nimport { runTenantScopedEntryPoint } from './entry-point.js';\nimport { getTenantScopedConfig, isTenantScopedClass } from './registry.js';\n\nconst logger = createLogger({ level: 'info' });\n\n/**\n * Policy controlling what happens when raw SQL is executed against a\n * tenant-scoped class without an explicit bypass.\n *\n * - `'throw'` — Raises a `TenantIsolationError` (most secure; default).\n * - `'warn'` — Logs a `console.warn` but allows the query to proceed (useful\n * during migration periods).\n * - `'allow'` — Silently allows the query; not recommended for production.\n *\n * @see TenantInterceptorOptions.rawQueryPolicy\n * @see enableTenancy\n */\nexport type RawQueryPolicy = 'throw' | 'warn' | 'allow';\n\n/**\n * Configuration options accepted by `createTenantInterceptor()` and\n * `enableTenancy()`.\n *\n * All options are optional; reasonable defaults are applied. The callback\n * hooks (`onRawQuery`, `onMissingContext`, `onIsolationViolation`) are useful\n * for logging and alerting without altering the enforcement behaviour.\n *\n * @see createTenantInterceptor\n * @see enableTenancy\n */\nexport interface TenantInterceptorOptions {\n /**\n * Policy for raw SQL queries on tenant-scoped classes\n * - 'throw': Throw error (most secure, default)\n * - 'warn': Log warning but allow (for migration)\n * - 'allow': Silently allow (not recommended for production)\n * @default 'throw'\n */\n rawQueryPolicy?: RawQueryPolicy;\n\n /**\n * Called when a raw query is attempted on a tenant-scoped class\n * Useful for logging/auditing\n */\n onRawQuery?: (\n className: string,\n sql: string,\n context: InterceptorContext,\n ) => void;\n\n /**\n * Called when tenant context is missing for a tenant-scoped operation\n */\n onMissingContext?: (\n className: string,\n operation: string,\n context: InterceptorContext,\n ) => void;\n\n /**\n * Called when an isolation violation is detected\n */\n onIsolationViolation?: (\n className: string,\n expectedTenantId: string,\n actualTenantId: string,\n context: InterceptorContext,\n ) => void;\n\n /**\n * DispatchBus instance for emitting provisioning events on lifecycle changes.\n * When provided along with directoryClasses, afterSave/afterDelete hooks\n * emit dispatches like `directory.membership.created`.\n */\n dispatchBus?: DispatchBus;\n\n /**\n * Class names to emit directory dispatches for on save/delete lifecycle events.\n * Only classes listed here will trigger dispatch emissions.\n * @example ['Tenant', 'Membership', 'User']\n */\n directoryClasses?: string[];\n}\n\nconst DEFAULT_OPTIONS: TenantInterceptorOptions = {\n rawQueryPolicy: 'throw',\n};\n\n/**\n * Extract a plain-object snapshot of an instance for dispatch payloads.\n *\n * Prefers `toJSON()` when available (all real SmrtObject instances) because\n * it returns only data fields and excludes internal handles like `_db`, `_ai`,\n * and `_fs` which may contain circular references (e.g. connection pools with\n * Timeout objects).\n *\n * @see https://github.com/happyvertical/smrt/issues/946\n */\nfunction serializeInstance(\n instance: SmrtObject,\n className: string,\n): Record<string, unknown> {\n // Documented exception to the \"never call toJSON() directly\" convention\n // (docs/content/standards.md §7): the interceptor must serialize whatever\n // instance is handed to it, including workspace stubs and plain-object\n // doubles used in unit tests whose classes may not extend SmrtObject and\n // therefore have no `transformJSON()` hook. Using `toJSON()` here is a\n // duck-typed fallback — when present, it strips framework-internal handles\n // for us; when absent, we fall through to manual key iteration below.\n if (typeof (instance as any).toJSON === 'function') {\n return { className, ...(instance as any).toJSON() };\n }\n\n // Fallback for plain-object stubs (e.g. in unit tests):\n // skip functions and framework-internal properties\n const result: Record<string, unknown> = { className };\n for (const key of Object.keys(instance)) {\n const value = (instance as any)[key];\n if (typeof value !== 'function') {\n result[key] = value;\n }\n }\n return result;\n}\n\n/**\n * Create a `CollectionInterceptor` that enforces tenant isolation on all\n * `SmrtCollection` operations.\n *\n * The returned interceptor hooks into the smrt-core `GlobalInterceptors`\n * pipeline at priority 100 (runs before all other interceptors) and\n * handles the following lifecycle hooks:\n *\n * | Hook | Behaviour |\n * |---------------|-----------|\n * | `beforeList` | Injects tenant filter into `WHERE`; validates explicit filters. |\n * | `beforeGet` | Converts ID lookups to `{ id, tenantId }` filter objects. |\n * | `beforeSave` | Auto-populates `tenantId`; validates existing values. |\n * | `beforeDelete`| Validates the instance's `tenantId` matches context. |\n * | `beforeQuery` | Enforces `rawQueryPolicy` on raw SQL calls. |\n * | `afterSave` | Emits `directory.<class>.created/updated` via `dispatchBus`. |\n * | `afterDelete` | Emits `directory.<class>.deleted` via `dispatchBus`. |\n *\n * Use `enableTenancy()` to register the interceptor globally. Call this\n * directly only when you need multiple interceptor instances (e.g., for\n * isolated tests or feature flags).\n *\n * @param options - Configuration for the interceptor.\n * @returns A `CollectionInterceptor` ready to be registered with\n * `GlobalInterceptors.register()`.\n *\n * @example\n * ```typescript\n * import { createTenantInterceptor } from '@happyvertical/smrt-tenancy';\n * import { GlobalInterceptors } from '@happyvertical/smrt-core';\n *\n * const interceptor = createTenantInterceptor({ rawQueryPolicy: 'warn' });\n * GlobalInterceptors.register(interceptor);\n * ```\n *\n * @see enableTenancy\n * @see TenantInterceptorOptions\n */\nexport function createTenantInterceptor(\n options: TenantInterceptorOptions = {},\n): CollectionInterceptor {\n const opts = { ...DEFAULT_OPTIONS, ...options };\n\n return {\n name: 'smrt-tenancy',\n priority: 100, // High priority - should run first\n\n /**\n * Before list: Add tenant filter to queries\n */\n beforeList(\n className: string,\n listOptions: ListOptions,\n context: InterceptorContext,\n ): ListOptions | undefined {\n // Check if this class is tenant-scoped\n if (!isTenantScopedClass(className)) {\n return; // Not tenant-scoped, pass through\n }\n\n // Check for super admin bypass\n if (isSuperAdminBypass()) {\n return; // Bypass enabled, pass through\n }\n\n // Check for system context (explicit bypass via withSystemContext)\n if (isSystemContext()) {\n return; // System context bypasses tenant checks\n }\n\n const config = getTenantScopedConfig(className);\n const tenantContext = getCurrentTenant();\n\n // If no tenant context and mode is 'required', throw\n if (!tenantContext) {\n if (config?.mode === 'required') {\n opts.onMissingContext?.(className, 'list', context);\n throw new TenantContextError(\n `Tenant context required for listing ${className}. ` +\n `Use withTenant() or configure TenantContext middleware.`,\n );\n }\n return; // Mode is 'optional', allow without filtering\n }\n\n // Add tenant filter to where clause\n const tenantField = config?.field || 'tenantId';\n const where = listOptions.where || {};\n\n // Check if tenant filter is already present\n if (tenantField in where) {\n // Validate it matches context. The filter may be a scalar\n // (`tenantId: 'x'`) or an IN-style array (`tenantId: ['x']`) —\n // smrt-core auto-converts array values to SQL IN clauses, so an\n // array containing only the context tenant is a valid filter.\n // See https://github.com/happyvertical/smrt/issues/1495\n const existingFilter = where[tenantField];\n const filterValues = Array.isArray(existingFilter)\n ? existingFilter\n : [existingFilter];\n // findIndex (not find) so a literal null/undefined filter value is\n // still flagged as a violation rather than mistaken for \"not found\"\n const offendingIndex = filterValues.findIndex(\n (value) => value !== tenantContext.tenantId,\n );\n if (offendingIndex !== -1) {\n const offending = filterValues[offendingIndex];\n opts.onIsolationViolation?.(\n className,\n tenantContext.tenantId,\n String(offending),\n context,\n );\n throw new TenantIsolationError(\n `Tenant isolation violation in ${className} query: ` +\n `context tenant is '${tenantContext.tenantId}' but query filters by '${String(offending)}'`,\n {\n tenantId: tenantContext.tenantId,\n attemptedTenantId: String(offending),\n },\n );\n }\n return; // Filter already correct\n }\n\n // Inject tenant filter\n return {\n ...listOptions,\n where: {\n ...where,\n [tenantField]: tenantContext.tenantId,\n },\n };\n },\n\n /**\n * Before get: Add tenant filter to single record fetches\n */\n beforeGet(\n className: string,\n filter: string | Record<string, unknown>,\n context: InterceptorContext,\n ): string | Record<string, unknown> | undefined {\n if (!isTenantScopedClass(className)) {\n return;\n }\n\n if (isSuperAdminBypass()) {\n return;\n }\n\n // Check for system context (explicit bypass via withSystemContext)\n if (isSystemContext()) {\n return; // System context bypasses tenant checks\n }\n\n const config = getTenantScopedConfig(className);\n const tenantContext = getCurrentTenant();\n\n if (!tenantContext) {\n if (config?.mode === 'required') {\n opts.onMissingContext?.(className, 'get', context);\n throw new TenantContextError(\n `Tenant context required for getting ${className}. ` +\n `Use withTenant() or configure TenantContext middleware.`,\n );\n }\n return;\n }\n\n const tenantField = config?.field || 'tenantId';\n\n // If filter is a string (ID), convert to object filter with tenant\n if (typeof filter === 'string') {\n return {\n id: filter,\n [tenantField]: tenantContext.tenantId,\n };\n }\n\n // Add tenant filter to object\n if (!(tenantField in filter)) {\n return {\n ...filter,\n [tenantField]: tenantContext.tenantId,\n };\n }\n\n // Validate existing filter. Like beforeList, accept scalar or\n // IN-style array filters (smrt-core auto-converts arrays to SQL IN).\n // See https://github.com/happyvertical/smrt/issues/1495\n const existingFilter = filter[tenantField];\n const filterValues = Array.isArray(existingFilter)\n ? existingFilter\n : [existingFilter];\n // findIndex (not find) so a literal null/undefined filter value is\n // still flagged as a violation rather than mistaken for \"not found\"\n const offendingIndex = filterValues.findIndex(\n (value) => value !== tenantContext.tenantId,\n );\n if (offendingIndex !== -1) {\n const offending = filterValues[offendingIndex];\n opts.onIsolationViolation?.(\n className,\n tenantContext.tenantId,\n String(offending),\n context,\n );\n throw new TenantIsolationError(\n `Tenant isolation violation in ${className} get: ` +\n `context tenant is '${tenantContext.tenantId}' but query filters by '${String(offending)}'`,\n {\n tenantId: tenantContext.tenantId,\n attemptedTenantId: String(offending),\n },\n );\n }\n\n return;\n },\n\n /**\n * Before query: Handle raw SQL on tenant-scoped classes\n */\n beforeQuery(\n className: string,\n queryOptions: QueryOptions,\n context: InterceptorContext,\n ): QueryInterceptResult | undefined {\n if (!isTenantScopedClass(className)) {\n return;\n }\n\n // Check for explicit bypass flag\n if (queryOptions.allowRawOnTenantScoped) {\n opts.onRawQuery?.(className, queryOptions.sql, context);\n return; // Explicitly allowed\n }\n\n if (isSuperAdminBypass()) {\n opts.onRawQuery?.(className, queryOptions.sql, context);\n return;\n }\n\n // Check for system context (explicit bypass via withSystemContext)\n if (isSystemContext()) {\n opts.onRawQuery?.(className, queryOptions.sql, context);\n return;\n }\n\n // Handle based on policy\n const message =\n `Raw SQL query attempted on tenant-scoped class ${className}. ` +\n `Use list()/get() for automatic tenant filtering, or call ` +\n `query() with { allowRawOnTenantScoped: true } if you're handling ` +\n `tenant filtering manually.`;\n\n opts.onRawQuery?.(className, queryOptions.sql, context);\n\n switch (opts.rawQueryPolicy) {\n case 'throw':\n throw new TenantIsolationError(message);\n\n case 'warn':\n logger.warn(`[smrt-tenancy] WARNING: ${message}`);\n return;\n default:\n return;\n }\n },\n\n /**\n * Before save: Validate tenant ID is set and matches context\n */\n beforeSave(instance: SmrtObject, context: InterceptorContext): void {\n // Use context.className which is always correct\n // (instance.constructor.name may not match for proxies or plain objects in tests)\n const className = context.className;\n\n // Stash isNew flag for afterSave dispatch detection\n if (opts.directoryClasses?.includes(className)) {\n const id = (instance as any).id;\n context.metadata = {\n ...context.metadata,\n _directoryIsNew: id === undefined || id === null,\n };\n }\n\n if (!isTenantScopedClass(className)) {\n return;\n }\n\n if (isSuperAdminBypass()) {\n return;\n }\n\n // Check for system context (explicit bypass via withSystemContext)\n if (isSystemContext()) {\n return; // System context bypasses tenant checks\n }\n\n const config = getTenantScopedConfig(className);\n const tenantField = config?.field || 'tenantId';\n const instanceTenantId = (instance as any)[tenantField];\n\n const tenantContext = getCurrentTenant();\n\n // Check if tenant context is required\n if (!tenantContext) {\n if (config?.mode === 'required') {\n opts.onMissingContext?.(className, 'save', context);\n throw new TenantContextError(\n `Tenant context required for saving ${className}. ` +\n `Use withTenant() or configure TenantContext middleware.`,\n );\n }\n return; // Mode is 'optional'\n }\n\n // Auto-populate tenant ID if not set\n if (!instanceTenantId && config?.autoPopulate !== false) {\n (instance as any)[tenantField] = tenantContext.tenantId;\n return;\n }\n\n // Validate tenant ID matches context\n if (instanceTenantId && instanceTenantId !== tenantContext.tenantId) {\n opts.onIsolationViolation?.(\n className,\n tenantContext.tenantId,\n instanceTenantId,\n context,\n );\n throw new TenantIsolationError(\n `Tenant isolation violation: cannot save ${className} with ` +\n `tenantId '${instanceTenantId}' in context of tenant '${tenantContext.tenantId}'`,\n {\n tenantId: tenantContext.tenantId,\n attemptedTenantId: instanceTenantId,\n },\n );\n }\n },\n\n /**\n * Before delete: Validate instance belongs to current tenant\n */\n beforeDelete(instance: SmrtObject, context: InterceptorContext): void {\n // Use context.className which is always correct\n const className = context.className;\n\n if (!isTenantScopedClass(className)) {\n return;\n }\n\n if (isSuperAdminBypass()) {\n return;\n }\n\n // Check for system context (explicit bypass via withSystemContext)\n if (isSystemContext()) {\n return; // System context bypasses tenant checks\n }\n\n const config = getTenantScopedConfig(className);\n const tenantField = config?.field || 'tenantId';\n const instanceTenantId = (instance as any)[tenantField];\n\n const tenantContext = getCurrentTenant();\n\n if (!tenantContext) {\n if (config?.mode === 'required') {\n opts.onMissingContext?.(className, 'delete', context);\n throw new TenantContextError(\n `Tenant context required for deleting ${className}. ` +\n `Use withTenant() or configure TenantContext middleware.`,\n );\n }\n return;\n }\n\n // Validate tenant ID matches\n if (instanceTenantId && instanceTenantId !== tenantContext.tenantId) {\n opts.onIsolationViolation?.(\n className,\n tenantContext.tenantId,\n instanceTenantId,\n context,\n );\n throw new TenantIsolationError(\n `Tenant isolation violation: cannot delete ${className} with ` +\n `tenantId '${instanceTenantId}' in context of tenant '${tenantContext.tenantId}'`,\n {\n tenantId: tenantContext.tenantId,\n attemptedTenantId: instanceTenantId,\n },\n );\n }\n },\n\n /**\n * After save: Emit directory dispatch for configured classes\n */\n async afterSave(\n instance: SmrtObject,\n context: InterceptorContext,\n ): Promise<void> {\n if (\n !opts.dispatchBus ||\n !opts.directoryClasses?.includes(context.className)\n )\n return;\n\n const rawIsNew = context.metadata?._directoryIsNew;\n const isNew =\n typeof rawIsNew === 'boolean' ? rawIsNew : (instance as any).id == null;\n const event = isNew\n ? `directory.${context.className.toLowerCase()}.created`\n : `directory.${context.className.toLowerCase()}.updated`;\n\n await opts.dispatchBus.emit(\n event,\n serializeInstance(instance, context.className),\n {\n source: 'smrt-tenancy',\n sourceId: (instance as any).id,\n },\n );\n },\n\n /**\n * After delete: Emit directory dispatch for configured classes\n */\n async afterDelete(\n instance: SmrtObject,\n context: InterceptorContext,\n ): Promise<void> {\n if (\n !opts.dispatchBus ||\n !opts.directoryClasses?.includes(context.className)\n )\n return;\n\n await opts.dispatchBus.emit(\n `directory.${context.className.toLowerCase()}.deleted`,\n serializeInstance(instance, context.className),\n {\n source: 'smrt-tenancy',\n sourceId: (instance as any).id,\n },\n );\n },\n };\n}\n\n// ─────────────────────────────────────────────────────────────────────────────\n// Registration Functions\n// ─────────────────────────────────────────────────────────────────────────────\n\n// The enabled flag lives in `enabled-state.ts` (a leaf module) so `entry-point.ts`\n// can read it without importing this module — breaking the otherwise-circular\n// interceptor ↔ entry-point dependency.\nlet registeredInterceptor: CollectionInterceptor | null = null;\n\n/**\n * Enable tenant enforcement globally\n *\n * Call this once at application startup to enable automatic tenant isolation.\n *\n * @param options - Configuration options\n *\n * @example\n * ```typescript\n * // In your app initialization\n * import { enableTenancy } from '@happyvertical/smrt-tenancy';\n *\n * enableTenancy({\n * rawQueryPolicy: 'throw',\n * onMissingContext: (className, operation) => {\n * console.error(`Missing tenant context for ${operation} on ${className}`);\n * }\n * });\n * ```\n */\nexport function enableTenancy(options: TenantInterceptorOptions = {}): void {\n if (isTenancyEnabled()) {\n logger.warn(\n '[smrt-tenancy] Tenancy is already enabled. Call disableTenancy() first to reconfigure.',\n );\n return;\n }\n\n registeredInterceptor = createTenantInterceptor(options);\n GlobalInterceptors.register(registeredInterceptor);\n\n // Wire the DispatchBus tenant-scope resolver (S5 #1398). Core cannot depend\n // on tenancy, so it reads the active tenant through this injected hook; the\n // bus stamps/filters dispatches by the active tenant only while tenancy is\n // enabled. Mirrors the GlobalInterceptors inversion above.\n setDispatchTenantResolver(() => getTenantId());\n\n // Wire the fail-closed tenant gate for generated CLI/MCP entry points (#1554).\n // Core invokes this runner around tenant-scoped CLI/MCP execution; without it\n // (tenancy disabled) those surfaces pass through unchanged.\n setTenantEntryPointRunner(runTenantScopedEntryPoint);\n\n setTenancyEnabled(true);\n}\n\n/**\n * Disable global tenant enforcement.\n *\n * Unregisters the interceptor previously installed by `enableTenancy()` and\n * resets the internal enabled flag so `enableTenancy()` can be called again.\n * Idempotent — safe to call even when tenancy was never enabled.\n *\n * Common use-cases:\n * - Test teardown (via `resetTenancy()`).\n * - Temporarily disabling tenancy before reconfiguring with new options.\n *\n * @example\n * ```typescript\n * afterAll(() => {\n * disableTenancy();\n * });\n * ```\n *\n * @see enableTenancy\n * @see isTenancyEnabled\n * @see resetTenancy\n */\nexport function disableTenancy(): void {\n if (!isTenancyEnabled() || !registeredInterceptor) {\n return;\n }\n\n GlobalInterceptors.unregister(registeredInterceptor);\n // Clear the DispatchBus tenant resolver so the bus reverts to its no-op\n // (pre-tenancy) behavior when tenancy is disabled.\n setDispatchTenantResolver(undefined);\n // Clear the CLI/MCP tenant gate so those surfaces pass through (#1554).\n setTenantEntryPointRunner(undefined);\n registeredInterceptor = null;\n setTenancyEnabled(false);\n}\n\n/**\n * Return `true` if tenant enforcement is currently active.\n *\n * Reflects whether `enableTenancy()` has been called and the interceptor has not\n * yet been removed by `disableTenancy()`. Re-exported from `enabled-state.ts`\n * (the shared leaf module) so the public API surface is unchanged.\n *\n * @see enableTenancy\n * @see disableTenancy\n */\nexport { isTenancyEnabled };\n","/**\n * Testing Utilities for smrt-tenancy\n *\n * Helpers for testing tenant-scoped applications.\n *\n * @example\n * ```typescript\n * import { createTestTenantContext, resetTenancy } from '@happyvertical/smrt-tenancy/testing';\n *\n * beforeEach(() => {\n * resetTenancy(); // Clear all state\n * });\n *\n * it('should filter by tenant', async () => {\n * await createTestTenantContext({ tenantId: 'tenant-1' }, async () => {\n * const docs = await collection.list({});\n * // Only tenant-1 documents\n * });\n * });\n * ```\n */\n\nimport {\n type MinimalTenantContext,\n type TenantContextData,\n withTenant,\n} from './context.js';\nimport { disableTenancy, enableTenancy } from './interceptor.js';\nimport { clearTenantScopedRegistry } from './registry.js';\n\n/**\n * Reset all tenancy state (for use in beforeEach/afterEach)\n *\n * This clears:\n * - Registered interceptors\n * - Tenant-scoped class registry\n *\n * @example\n * ```typescript\n * afterEach(() => {\n * resetTenancy();\n * });\n * ```\n */\nexport function resetTenancy(): void {\n disableTenancy();\n clearTenantScopedRegistry();\n}\n\n/**\n * Create a test tenant context and run code within it\n *\n * Convenience wrapper around withTenant() with sensible defaults for testing.\n *\n * @param context - Tenant context (can be minimal, just tenantId)\n * @param fn - Async function to run in the context\n *\n * @example\n * ```typescript\n * await createTestTenantContext({ tenantId: 'test-tenant' }, async () => {\n * const product = await collection.create({ name: 'Test' });\n * expect(product.tenantId).toBe('test-tenant');\n * });\n * ```\n */\nexport async function createTestTenantContext<T>(\n context: MinimalTenantContext | TenantContextData,\n fn: () => Promise<T>,\n): Promise<T> {\n return withTenant(context, fn);\n}\n\n/**\n * Create multiple tenant contexts for isolation testing\n *\n * @param tenantIds - Array of tenant IDs to create contexts for\n * @param fn - Function that receives an object mapping tenant IDs to context runners\n *\n * @example\n * ```typescript\n * await testTenantIsolation(['tenant-a', 'tenant-b'], async (tenants) => {\n * // Create in tenant A\n * const docA = await tenants['tenant-a'](async () => {\n * return collection.create({ title: 'A doc' });\n * });\n *\n * // Verify not visible in tenant B\n * await tenants['tenant-b'](async () => {\n * const found = await collection.get(docA.id);\n * expect(found).toBeNull();\n * });\n * });\n * ```\n */\nexport async function testTenantIsolation<T>(\n tenantIds: string[],\n fn: (\n tenants: Record<string, <R>(runner: () => Promise<R>) => Promise<R>>,\n ) => Promise<T>,\n): Promise<T> {\n const tenants: Record<string, <R>(runner: () => Promise<R>) => Promise<R>> =\n {};\n\n for (const tenantId of tenantIds) {\n tenants[tenantId] = async <R>(runner: () => Promise<R>) => {\n return withTenant({ tenantId }, runner);\n };\n }\n\n return fn(tenants);\n}\n\n/**\n * Options for `setupTestTenancy()`.\n *\n * @see setupTestTenancy\n */\nexport interface SetupTestTenancyOptions {\n /**\n * Enable tenancy interceptors\n * @default true\n */\n enableInterceptors?: boolean;\n\n /**\n * Raw query policy for tests\n * @default 'throw'\n */\n rawQueryPolicy?: 'throw' | 'warn' | 'allow';\n}\n\n/**\n * Set up tenancy for a test suite\n *\n * Call in beforeAll or at the start of tests to configure tenancy.\n *\n * @param options - Setup options\n *\n * @example\n * ```typescript\n * beforeAll(() => {\n * setupTestTenancy({ enableInterceptors: true });\n * });\n *\n * afterAll(() => {\n * resetTenancy();\n * });\n * ```\n */\nexport function setupTestTenancy(options: SetupTestTenancyOptions = {}): void {\n const { enableInterceptors = true, rawQueryPolicy = 'throw' } = options;\n\n // Clear any existing state\n resetTenancy();\n\n // Enable interceptors if requested\n if (enableInterceptors) {\n enableTenancy({ rawQueryPolicy });\n }\n}\n\n/**\n * Assert that executing `fn` throws a `TenantContextError`.\n *\n * Fails with a descriptive message if `fn` completes without throwing, or if\n * it throws a different error type. Optionally verifies that the error message\n * contains a specific substring.\n *\n * Useful for testing that business-logic code correctly rejects calls that are\n * made outside a tenant context.\n *\n * @param fn - Async function that should throw `TenantContextError`.\n * @param messageContains - Optional substring the error message must include.\n *\n * @example\n * ```typescript\n * await assertTenantContextRequired(async () => {\n * // No withTenant() in scope\n * await documentCollection.list({});\n * });\n * ```\n *\n * @see assertTenantIsolationViolation\n * @see TenantContextError\n */\nexport async function assertTenantContextRequired(\n fn: () => Promise<unknown>,\n messageContains?: string,\n): Promise<void> {\n try {\n await fn();\n throw new Error('Expected TenantContextError but no error was thrown');\n } catch (error: unknown) {\n const err = error as Error & { code?: string };\n if (err.code !== 'TENANT_CONTEXT_REQUIRED') {\n throw new Error(\n `Expected TenantContextError but got ${err.constructor.name}: ${err.message}`,\n );\n }\n if (messageContains && !err.message.includes(messageContains)) {\n throw new Error(\n `Expected error message to contain '${messageContains}' but got: ${err.message}`,\n );\n }\n }\n}\n\n/**\n * Assert that executing `fn` throws a `TenantIsolationError`.\n *\n * Fails with a descriptive message if `fn` completes without throwing, or if\n * it throws a different error type. Optionally verifies that the error message\n * contains a specific substring.\n *\n * Use this to verify that cross-tenant data access attempts are correctly\n * blocked by the interceptor.\n *\n * @param fn - Async function that should throw `TenantIsolationError`.\n * @param messageContains - Optional substring the error message must include.\n *\n * @example\n * ```typescript\n * await withTenant({ tenantId: 'tenant-a' }, async () => {\n * await assertTenantIsolationViolation(async () => {\n * // Attempt to filter by a different tenant\n * await collection.list({ where: { tenantId: 'tenant-b' } });\n * });\n * });\n * ```\n *\n * @see assertTenantContextRequired\n * @see TenantIsolationError\n */\nexport async function assertTenantIsolationViolation(\n fn: () => Promise<unknown>,\n messageContains?: string,\n): Promise<void> {\n try {\n await fn();\n throw new Error('Expected TenantIsolationError but no error was thrown');\n } catch (error: unknown) {\n const err = error as Error & { code?: string };\n if (err.code !== 'TENANT_ISOLATION_VIOLATION') {\n throw new Error(\n `Expected TenantIsolationError but got ${err.constructor.name}: ${err.message}`,\n );\n }\n if (messageContains && !err.message.includes(messageContains)) {\n throw new Error(\n `Expected error message to contain '${messageContains}' but got: ${err.message}`,\n );\n }\n }\n}\n"],"names":[],"mappings":";;;AA6DA,MAAM,iBAAqC;AAAA,EACzC,MAAM;AAAA,EACN,OAAO;AAAA,EACP,YAAY;AAAA,EACZ,cAAc;AAAA,EACd,uBAAuB;AACzB;AAGA,MAAM,0CAA0B,IAAA;AAwBzB,SAAS,0BACd,WACA,SAAsC,IAChC;AACN,sBAAoB,IAAI,WAAW;AAAA,IACjC,GAAG;AAAA,IACH,GAAG;AAAA,EAAA,CACJ;AACH;AAaO,SAAS,4BAA4B,WAAyB;AACnE,sBAAoB,OAAO,SAAS;AACtC;AAYA,SAAS,kBAAkB,WAA2B;AACpD,QAAM,MAAM,UAAU,YAAY,GAAG;AACrC,SAAO,QAAQ,KAAK,YAAY,UAAU,MAAM,MAAM,CAAC;AACzD;AAQA,SAAS,YAAY,QAAgD;AACnE,SAAO,EAAE,GAAG,OAAA;AACd;AAiBA,SAAS,4BACP,WACgC;AAEhC,QAAM,cAAc,oBAAoB,IAAI,SAAS;AACrD,MAAI,aAAa;AACf,WAAO,YAAY,WAAW;AAAA,EAChC;AAKA,QAAM,aAAa,eAAe,sBAAsB,SAAS;AACjE,MAAI,YAAY;AAEd,WAAO;AAAA,MACL,MAAM,WAAW;AAAA,MACjB,OAAO,WAAW;AAAA,MAClB,YAAY,WAAW;AAAA,MACvB,cAAc,WAAW;AAAA,MACzB,uBAAuB,WAAW;AAAA,IAAA;AAAA,EAEtC;AAEA,SAAO;AACT;AA0BA,SAAS,+BACP,WACgC;AAKhC,QAAM,QAAQ,eAAe,oBAAoB,SAAS;AAG1D,WAAS,IAAI,MAAM,SAAS,GAAG,KAAK,GAAG,KAAK;AAC1C,UAAM,WAAW,MAAM,CAAC;AAKxB,UAAM,SAAS,4BAA4B,QAAQ;AACnD,QAAI,QAAQ;AACV,aAAO;AAAA,IACT;AAWA,UAAM,SAAS,kBAAkB,QAAQ;AACzC,QAAI,WAAW,UAAU;AACvB,YAAM,WAAW,oBAAoB,IAAI,MAAM;AAC/C,UAAI,UAAU;AACZ,eAAO,YAAY,QAAQ;AAAA,MAC7B;AAAA,IACF;AAAA,EACF;AACA,SAAO;AACT;AAoBO,SAAS,sBACd,WACgC;AAEhC,QAAM,SAAS,4BAA4B,SAAS;AACpD,MAAI,QAAQ;AACV,WAAO;AAAA,EACT;AAEA,SAAO,+BAA+B,SAAS;AACjD;AAaO,SAAS,oBAAoB,WAA4B;AAC9D,SAAO,sBAAsB,SAAS,MAAM;AAC9C;AAeO,SAAS,4BAA6D;AAC3E,SAAO,IAAI,IAAI,mBAAmB;AACpC;AAWO,SAAS,4BAAkC;AAChD,sBAAoB,MAAA;AACtB;ACzTA,IAAI,UAAU;AAQP,SAAS,kBAAkB,OAAsB;AACtD,YAAU;AACZ;AAQO,SAAS,mBAA4B;AAC1C,SAAO;AACT;ACkEA,eAAsB,0BACpB,SACA,IACY;AACZ,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA,mBAAmB;AAAA,IACnB,UAAU;AAAA,EAAA,IACR;AAIJ,QAAM,SACJ,OAAO,iBAAiB,YACpB,eACA,YACE,oBAAoB,SAAS,IAC7B;AAMR,MAAI,CAAC,OAAQ,QAAO,GAAA;AACpB,MAAI,iBAAA,KAAsB,gBAAA,UAA0B,GAAA;AAKpD,MAAI,kBAAkB;AACpB,WAAO,kBAAkB,EAAE;AAAA,EAC7B;AAGA,MAAI,OAAO,aAAa,YAAY,UAAU;AAC5C,WAAO,WAAW,EAAE,SAAA,GAAY,EAAE;AAAA,EACpC;AAGA,MAAI,oBAAoB;AACtB,UAAM,IAAI;AAAA,MACR,wDAAwD,OAAO;AAAA,IAAA;AAAA,EAInE;AAGA,SAAO,GAAA;AACT;AChHA,MAAM,SAAS,aAAa,EAAE,OAAO,QAAQ;AAiF7C,MAAM,kBAA4C;AAAA,EAChD,gBAAgB;AAClB;AAYA,SAAS,kBACP,UACA,WACyB;AAQzB,MAAI,OAAQ,SAAiB,WAAW,YAAY;AAClD,WAAO,EAAE,WAAW,GAAI,SAAiB,SAAO;AAAA,EAClD;AAIA,QAAM,SAAkC,EAAE,UAAA;AAC1C,aAAW,OAAO,OAAO,KAAK,QAAQ,GAAG;AACvC,UAAM,QAAS,SAAiB,GAAG;AACnC,QAAI,OAAO,UAAU,YAAY;AAC/B,aAAO,GAAG,IAAI;AAAA,IAChB;AAAA,EACF;AACA,SAAO;AACT;AAwCO,SAAS,wBACd,UAAoC,IACb;AACvB,QAAM,OAAO,EAAE,GAAG,iBAAiB,GAAG,QAAA;AAEtC,SAAO;AAAA,IACL,MAAM;AAAA,IACN,UAAU;AAAA;AAAA;AAAA;AAAA;AAAA,IAKV,WACE,WACA,aACA,SACyB;AAEzB,UAAI,CAAC,oBAAoB,SAAS,GAAG;AACnC;AAAA,MACF;AAGA,UAAI,sBAAsB;AACxB;AAAA,MACF;AAGA,UAAI,mBAAmB;AACrB;AAAA,MACF;AAEA,YAAM,SAAS,sBAAsB,SAAS;AAC9C,YAAM,gBAAgB,iBAAA;AAGtB,UAAI,CAAC,eAAe;AAClB,YAAI,QAAQ,SAAS,YAAY;AAC/B,eAAK,mBAAmB,WAAW,QAAQ,OAAO;AAClD,gBAAM,IAAI;AAAA,YACR,uCAAuC,SAAS;AAAA,UAAA;AAAA,QAGpD;AACA;AAAA,MACF;AAGA,YAAM,cAAc,QAAQ,SAAS;AACrC,YAAM,QAAQ,YAAY,SAAS,CAAA;AAGnC,UAAI,eAAe,OAAO;AAMxB,cAAM,iBAAiB,MAAM,WAAW;AACxC,cAAM,eAAe,MAAM,QAAQ,cAAc,IAC7C,iBACA,CAAC,cAAc;AAGnB,cAAM,iBAAiB,aAAa;AAAA,UAClC,CAAC,UAAU,UAAU,cAAc;AAAA,QAAA;AAErC,YAAI,mBAAmB,IAAI;AACzB,gBAAM,YAAY,aAAa,cAAc;AAC7C,eAAK;AAAA,YACH;AAAA,YACA,cAAc;AAAA,YACd,OAAO,SAAS;AAAA,YAChB;AAAA,UAAA;AAEF,gBAAM,IAAI;AAAA,YACR,iCAAiC,SAAS,8BAClB,cAAc,QAAQ,2BAA2B,OAAO,SAAS,CAAC;AAAA,YAC1F;AAAA,cACE,UAAU,cAAc;AAAA,cACxB,mBAAmB,OAAO,SAAS;AAAA,YAAA;AAAA,UACrC;AAAA,QAEJ;AACA;AAAA,MACF;AAGA,aAAO;AAAA,QACL,GAAG;AAAA,QACH,OAAO;AAAA,UACL,GAAG;AAAA,UACH,CAAC,WAAW,GAAG,cAAc;AAAA,QAAA;AAAA,MAC/B;AAAA,IAEJ;AAAA;AAAA;AAAA;AAAA,IAKA,UACE,WACA,QACA,SAC8C;AAC9C,UAAI,CAAC,oBAAoB,SAAS,GAAG;AACnC;AAAA,MACF;AAEA,UAAI,sBAAsB;AACxB;AAAA,MACF;AAGA,UAAI,mBAAmB;AACrB;AAAA,MACF;AAEA,YAAM,SAAS,sBAAsB,SAAS;AAC9C,YAAM,gBAAgB,iBAAA;AAEtB,UAAI,CAAC,eAAe;AAClB,YAAI,QAAQ,SAAS,YAAY;AAC/B,eAAK,mBAAmB,WAAW,OAAO,OAAO;AACjD,gBAAM,IAAI;AAAA,YACR,uCAAuC,SAAS;AAAA,UAAA;AAAA,QAGpD;AACA;AAAA,MACF;AAEA,YAAM,cAAc,QAAQ,SAAS;AAGrC,UAAI,OAAO,WAAW,UAAU;AAC9B,eAAO;AAAA,UACL,IAAI;AAAA,UACJ,CAAC,WAAW,GAAG,cAAc;AAAA,QAAA;AAAA,MAEjC;AAGA,UAAI,EAAE,eAAe,SAAS;AAC5B,eAAO;AAAA,UACL,GAAG;AAAA,UACH,CAAC,WAAW,GAAG,cAAc;AAAA,QAAA;AAAA,MAEjC;AAKA,YAAM,iBAAiB,OAAO,WAAW;AACzC,YAAM,eAAe,MAAM,QAAQ,cAAc,IAC7C,iBACA,CAAC,cAAc;AAGnB,YAAM,iBAAiB,aAAa;AAAA,QAClC,CAAC,UAAU,UAAU,cAAc;AAAA,MAAA;AAErC,UAAI,mBAAmB,IAAI;AACzB,cAAM,YAAY,aAAa,cAAc;AAC7C,aAAK;AAAA,UACH;AAAA,UACA,cAAc;AAAA,UACd,OAAO,SAAS;AAAA,UAChB;AAAA,QAAA;AAEF,cAAM,IAAI;AAAA,UACR,iCAAiC,SAAS,4BAClB,cAAc,QAAQ,2BAA2B,OAAO,SAAS,CAAC;AAAA,UAC1F;AAAA,YACE,UAAU,cAAc;AAAA,YACxB,mBAAmB,OAAO,SAAS;AAAA,UAAA;AAAA,QACrC;AAAA,MAEJ;AAEA;AAAA,IACF;AAAA;AAAA;AAAA;AAAA,IAKA,YACE,WACA,cACA,SACkC;AAClC,UAAI,CAAC,oBAAoB,SAAS,GAAG;AACnC;AAAA,MACF;AAGA,UAAI,aAAa,wBAAwB;AACvC,aAAK,aAAa,WAAW,aAAa,KAAK,OAAO;AACtD;AAAA,MACF;AAEA,UAAI,sBAAsB;AACxB,aAAK,aAAa,WAAW,aAAa,KAAK,OAAO;AACtD;AAAA,MACF;AAGA,UAAI,mBAAmB;AACrB,aAAK,aAAa,WAAW,aAAa,KAAK,OAAO;AACtD;AAAA,MACF;AAGA,YAAM,UACJ,kDAAkD,SAAS;AAK7D,WAAK,aAAa,WAAW,aAAa,KAAK,OAAO;AAEtD,cAAQ,KAAK,gBAAA;AAAA,QACX,KAAK;AACH,gBAAM,IAAI,qBAAqB,OAAO;AAAA,QAExC,KAAK;AACH,iBAAO,KAAK,2BAA2B,OAAO,EAAE;AAChD;AAAA,QACF;AACE;AAAA,MAAA;AAAA,IAEN;AAAA;AAAA;AAAA;AAAA,IAKA,WAAW,UAAsB,SAAmC;AAGlE,YAAM,YAAY,QAAQ;AAG1B,UAAI,KAAK,kBAAkB,SAAS,SAAS,GAAG;AAC9C,cAAM,KAAM,SAAiB;AAC7B,gBAAQ,WAAW;AAAA,UACjB,GAAG,QAAQ;AAAA,UACX,iBAAiB,OAAO,UAAa,OAAO;AAAA,QAAA;AAAA,MAEhD;AAEA,UAAI,CAAC,oBAAoB,SAAS,GAAG;AACnC;AAAA,MACF;AAEA,UAAI,sBAAsB;AACxB;AAAA,MACF;AAGA,UAAI,mBAAmB;AACrB;AAAA,MACF;AAEA,YAAM,SAAS,sBAAsB,SAAS;AAC9C,YAAM,cAAc,QAAQ,SAAS;AACrC,YAAM,mBAAoB,SAAiB,WAAW;AAEtD,YAAM,gBAAgB,iBAAA;AAGtB,UAAI,CAAC,eAAe;AAClB,YAAI,QAAQ,SAAS,YAAY;AAC/B,eAAK,mBAAmB,WAAW,QAAQ,OAAO;AAClD,gBAAM,IAAI;AAAA,YACR,sCAAsC,SAAS;AAAA,UAAA;AAAA,QAGnD;AACA;AAAA,MACF;AAGA,UAAI,CAAC,oBAAoB,QAAQ,iBAAiB,OAAO;AACtD,iBAAiB,WAAW,IAAI,cAAc;AAC/C;AAAA,MACF;AAGA,UAAI,oBAAoB,qBAAqB,cAAc,UAAU;AACnE,aAAK;AAAA,UACH;AAAA,UACA,cAAc;AAAA,UACd;AAAA,UACA;AAAA,QAAA;AAEF,cAAM,IAAI;AAAA,UACR,2CAA2C,SAAS,mBACrC,gBAAgB,2BAA2B,cAAc,QAAQ;AAAA,UAChF;AAAA,YACE,UAAU,cAAc;AAAA,YACxB,mBAAmB;AAAA,UAAA;AAAA,QACrB;AAAA,MAEJ;AAAA,IACF;AAAA;AAAA;AAAA;AAAA,IAKA,aAAa,UAAsB,SAAmC;AAEpE,YAAM,YAAY,QAAQ;AAE1B,UAAI,CAAC,oBAAoB,SAAS,GAAG;AACnC;AAAA,MACF;AAEA,UAAI,sBAAsB;AACxB;AAAA,MACF;AAGA,UAAI,mBAAmB;AACrB;AAAA,MACF;AAEA,YAAM,SAAS,sBAAsB,SAAS;AAC9C,YAAM,cAAc,QAAQ,SAAS;AACrC,YAAM,mBAAoB,SAAiB,WAAW;AAEtD,YAAM,gBAAgB,iBAAA;AAEtB,UAAI,CAAC,eAAe;AAClB,YAAI,QAAQ,SAAS,YAAY;AAC/B,eAAK,mBAAmB,WAAW,UAAU,OAAO;AACpD,gBAAM,IAAI;AAAA,YACR,wCAAwC,SAAS;AAAA,UAAA;AAAA,QAGrD;AACA;AAAA,MACF;AAGA,UAAI,oBAAoB,qBAAqB,cAAc,UAAU;AACnE,aAAK;AAAA,UACH;AAAA,UACA,cAAc;AAAA,UACd;AAAA,UACA;AAAA,QAAA;AAEF,cAAM,IAAI;AAAA,UACR,6CAA6C,SAAS,mBACvC,gBAAgB,2BAA2B,cAAc,QAAQ;AAAA,UAChF;AAAA,YACE,UAAU,cAAc;AAAA,YACxB,mBAAmB;AAAA,UAAA;AAAA,QACrB;AAAA,MAEJ;AAAA,IACF;AAAA;AAAA;AAAA;AAAA,IAKA,MAAM,UACJ,UACA,SACe;AACf,UACE,CAAC,KAAK,eACN,CAAC,KAAK,kBAAkB,SAAS,QAAQ,SAAS;AAElD;AAEF,YAAM,WAAW,QAAQ,UAAU;AACnC,YAAM,QACJ,OAAO,aAAa,YAAY,WAAY,SAAiB,MAAM;AACrE,YAAM,QAAQ,QACV,aAAa,QAAQ,UAAU,YAAA,CAAa,aAC5C,aAAa,QAAQ,UAAU,YAAA,CAAa;AAEhD,YAAM,KAAK,YAAY;AAAA,QACrB;AAAA,QACA,kBAAkB,UAAU,QAAQ,SAAS;AAAA,QAC7C;AAAA,UACE,QAAQ;AAAA,UACR,UAAW,SAAiB;AAAA,QAAA;AAAA,MAC9B;AAAA,IAEJ;AAAA;AAAA;AAAA;AAAA,IAKA,MAAM,YACJ,UACA,SACe;AACf,UACE,CAAC,KAAK,eACN,CAAC,KAAK,kBAAkB,SAAS,QAAQ,SAAS;AAElD;AAEF,YAAM,KAAK,YAAY;AAAA,QACrB,aAAa,QAAQ,UAAU,YAAA,CAAa;AAAA,QAC5C,kBAAkB,UAAU,QAAQ,SAAS;AAAA,QAC7C;AAAA,UACE,QAAQ;AAAA,UACR,UAAW,SAAiB;AAAA,QAAA;AAAA,MAC9B;AAAA,IAEJ;AAAA,EAAA;AAEJ;AASA,IAAI,wBAAsD;AAsBnD,SAAS,cAAc,UAAoC,IAAU;AAC1E,MAAI,oBAAoB;AACtB,WAAO;AAAA,MACL;AAAA,IAAA;AAEF;AAAA,EACF;AAEA,0BAAwB,wBAAwB,OAAO;AACvD,qBAAmB,SAAS,qBAAqB;AAMjD,4BAA0B,MAAM,aAAa;AAK7C,4BAA0B,yBAAyB;AAEnD,oBAAkB,IAAI;AACxB;AAwBO,SAAS,iBAAuB;AACrC,MAAI,CAAC,sBAAsB,CAAC,uBAAuB;AACjD;AAAA,EACF;AAEA,qBAAmB,WAAW,qBAAqB;AAGnD,4BAA0B,MAAS;AAEnC,4BAA0B,MAAS;AACnC,0BAAwB;AACxB,oBAAkB,KAAK;AACzB;AClpBO,SAAS,eAAqB;AACnC,iBAAA;AACA,4BAAA;AACF;AAkBA,eAAsB,wBACpB,SACA,IACY;AACZ,SAAO,WAAW,SAAS,EAAE;AAC/B;AAwBA,eAAsB,oBACpB,WACA,IAGY;AACZ,QAAM,UACJ,CAAA;AAEF,aAAW,YAAY,WAAW;AAChC,YAAQ,QAAQ,IAAI,OAAU,WAA6B;AACzD,aAAO,WAAW,EAAE,SAAA,GAAY,MAAM;AAAA,IACxC;AAAA,EACF;AAEA,SAAO,GAAG,OAAO;AACnB;AAuCO,SAAS,iBAAiB,UAAmC,IAAU;AAC5E,QAAM,EAAE,qBAAqB,MAAM,iBAAiB,YAAY;AAGhE,eAAA;AAGA,MAAI,oBAAoB;AACtB,kBAAc,EAAE,gBAAgB;AAAA,EAClC;AACF;AA0BA,eAAsB,4BACpB,IACA,iBACe;AACf,MAAI;AACF,UAAM,GAAA;AACN,UAAM,IAAI,MAAM,qDAAqD;AAAA,EACvE,SAAS,OAAgB;AACvB,UAAM,MAAM;AACZ,QAAI,IAAI,SAAS,2BAA2B;AAC1C,YAAM,IAAI;AAAA,QACR,uCAAuC,IAAI,YAAY,IAAI,KAAK,IAAI,OAAO;AAAA,MAAA;AAAA,IAE/E;AACA,QAAI,mBAAmB,CAAC,IAAI,QAAQ,SAAS,eAAe,GAAG;AAC7D,YAAM,IAAI;AAAA,QACR,sCAAsC,eAAe,cAAc,IAAI,OAAO;AAAA,MAAA;AAAA,IAElF;AAAA,EACF;AACF;AA4BA,eAAsB,+BACpB,IACA,iBACe;AACf,MAAI;AACF,UAAM,GAAA;AACN,UAAM,IAAI,MAAM,uDAAuD;AAAA,EACzE,SAAS,OAAgB;AACvB,UAAM,MAAM;AACZ,QAAI,IAAI,SAAS,8BAA8B;AAC7C,YAAM,IAAI;AAAA,QACR,yCAAyC,IAAI,YAAY,IAAI,KAAK,IAAI,OAAO;AAAA,MAAA;AAAA,IAEjF;AACA,QAAI,mBAAmB,CAAC,IAAI,QAAQ,SAAS,eAAe,GAAG;AAC7D,YAAM,IAAI;AAAA,QACR,sCAAsC,eAAe,cAAc,IAAI,OAAO;AAAA,MAAA;AAAA,IAElF;AAAA,EACF;AACF;"}
package/dist/index.d.ts CHANGED
@@ -5,5 +5,6 @@ export { runTenantScopedEntryPoint, type TenantEntryPointOptions, } from './entr
5
5
  export { getTenantIdFieldOptions, isTenantIdField, type TenantIdFieldDefinition, type TenantIdFieldOptions, } from './fields.js';
6
6
  export { createTenantInterceptor, disableTenancy, enableTenancy, isTenancyEnabled, type RawQueryPolicy, type TenantInterceptorOptions, } from './interceptor.js';
7
7
  export { clearTenantScopedRegistry, getAllTenantScopedClasses, getTenantScopedConfig, isTenantScopedClass, registerTenantScopedClass, type TenantScopedConfig, unregisterTenantScopedClass, } from './registry.js';
8
+ export { assertTenantReadAllowed, queryGlobal, queryWithGlobals, } from './tenant-global-queries.js';
8
9
  export { assertTenantContextRequired, assertTenantIsolationViolation, createTestTenantContext, resetTenancy, type SetupTestTenancyOptions, setupTestTenancy, testTenantIsolation, } from './testing.js';
9
10
  //# sourceMappingURL=index.d.ts.map
package/dist/index.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;AAKH,OAAO,wBAAwB,CAAC;AAKhC,OAAO,EACL,KAAK,iBAAiB,EAEtB,gBAAgB,EAEhB,uBAAuB,EAEvB,qBAAqB,EACrB,KAAK,wBAAwB,EAC7B,KAAK,sBAAsB,GAC5B,MAAM,qBAAqB,CAAC;AAI7B,OAAO,EACL,kBAAkB,EAElB,gBAAgB,EAChB,WAAW,EACX,gBAAgB,EAChB,kBAAkB,EAElB,eAAe,EACf,KAAK,oBAAoB,EACzB,aAAa,EACb,eAAe,EAEf,aAAa,EAEb,KAAK,iBAAiB,EAEtB,kBAAkB,EAClB,oBAAoB,EACpB,oBAAoB,EACpB,iBAAiB,EAEjB,UAAU,EACV,cAAc,GACf,MAAM,cAAc,CAAC;AAKtB,OAAO,EAEL,YAAY,EACZ,KAAK,mBAAmB,EAExB,QAAQ,GACT,MAAM,iBAAiB,CAAC;AAIzB,OAAO,EACL,yBAAyB,EACzB,KAAK,uBAAuB,GAC7B,MAAM,kBAAkB,CAAC;AAI1B,OAAO,EACL,uBAAuB,EACvB,eAAe,EACf,KAAK,uBAAuB,EAC5B,KAAK,oBAAoB,GAC1B,MAAM,aAAa,CAAC;AAIrB,OAAO,EAEL,uBAAuB,EACvB,cAAc,EAEd,aAAa,EACb,gBAAgB,EAChB,KAAK,cAAc,EAEnB,KAAK,wBAAwB,GAC9B,MAAM,kBAAkB,CAAC;AAI1B,OAAO,EACL,yBAAyB,EACzB,yBAAyB,EACzB,qBAAqB,EACrB,mBAAmB,EACnB,yBAAyB,EACzB,KAAK,kBAAkB,EACvB,2BAA2B,GAC5B,MAAM,eAAe,CAAC;AAKvB,OAAO,EACL,2BAA2B,EAC3B,8BAA8B,EAC9B,uBAAuB,EACvB,YAAY,EACZ,KAAK,uBAAuB,EAC5B,gBAAgB,EAChB,mBAAmB,GACpB,MAAM,cAAc,CAAC"}
1
+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAiCG;AAKH,OAAO,wBAAwB,CAAC;AAKhC,OAAO,EACL,KAAK,iBAAiB,EAEtB,gBAAgB,EAEhB,uBAAuB,EAEvB,qBAAqB,EACrB,KAAK,wBAAwB,EAC7B,KAAK,sBAAsB,GAC5B,MAAM,qBAAqB,CAAC;AAI7B,OAAO,EACL,kBAAkB,EAElB,gBAAgB,EAChB,WAAW,EACX,gBAAgB,EAChB,kBAAkB,EAElB,eAAe,EACf,KAAK,oBAAoB,EACzB,aAAa,EACb,eAAe,EAEf,aAAa,EAEb,KAAK,iBAAiB,EAEtB,kBAAkB,EAClB,oBAAoB,EACpB,oBAAoB,EACpB,iBAAiB,EAEjB,UAAU,EACV,cAAc,GACf,MAAM,cAAc,CAAC;AAKtB,OAAO,EAEL,YAAY,EACZ,KAAK,mBAAmB,EAExB,QAAQ,GACT,MAAM,iBAAiB,CAAC;AAIzB,OAAO,EACL,yBAAyB,EACzB,KAAK,uBAAuB,GAC7B,MAAM,kBAAkB,CAAC;AAI1B,OAAO,EACL,uBAAuB,EACvB,eAAe,EACf,KAAK,uBAAuB,EAC5B,KAAK,oBAAoB,GAC1B,MAAM,aAAa,CAAC;AAIrB,OAAO,EAEL,uBAAuB,EACvB,cAAc,EAEd,aAAa,EACb,gBAAgB,EAChB,KAAK,cAAc,EAEnB,KAAK,wBAAwB,GAC9B,MAAM,kBAAkB,CAAC;AAI1B,OAAO,EACL,yBAAyB,EACzB,yBAAyB,EACzB,qBAAqB,EACrB,mBAAmB,EACnB,yBAAyB,EACzB,KAAK,kBAAkB,EACvB,2BAA2B,GAC5B,MAAM,eAAe,CAAC;AAIvB,OAAO,EACL,uBAAuB,EACvB,WAAW,EACX,gBAAgB,GACjB,MAAM,4BAA4B,CAAC;AAKpC,OAAO,EACL,2BAA2B,EAC3B,8BAA8B,EAC9B,uBAAuB,EACvB,YAAY,EACZ,KAAK,uBAAuB,EAC5B,gBAAgB,EAChB,mBAAmB,GACpB,MAAM,cAAc,CAAC"}
package/dist/index.js CHANGED
@@ -1,8 +1,9 @@
1
1
  import { ObjectRegistry, applyPendingDecoratorRegistrations, registerCompatibleFieldDecorator } from "@happyvertical/smrt-core";
2
- import { c, a, b } from "./chunks/sveltekit-9eRH1RLw.js";
3
- import { T, a as a2, b as b2, e, g, c as c2, h, i, d, r, f, w, j, k, l } from "./chunks/context-B5CKsmMi.js";
4
- import { r as registerTenantScopedClass } from "./chunks/testing-xgmq8uDP.js";
5
- import { a as a3, b as b3, c as c3, d as d2, e as e2, f as f2, g as g2, h as h2, i as i2, j as j2, k as k2, l as l2, m, s, t, u } from "./chunks/testing-xgmq8uDP.js";
2
+ import { c, a, b } from "./chunks/sveltekit-C2HTOgcm.js";
3
+ import { g as getCurrentTenant, i as isSuperAdminBypass, T as TenantIsolationError } from "./chunks/context-DfTygamS.js";
4
+ import { b as b2, c as c2, e, d, h, f, r, j, k, a as a2, w, l } from "./chunks/context-DfTygamS.js";
5
+ import { r as registerTenantScopedClass } from "./chunks/testing-DyAqaOBC.js";
6
+ import { a as a3, b as b3, c as c3, d as d2, e as e2, f as f2, g, h as h2, i, j as j2, k as k2, l as l2, m, s, t, u } from "./chunks/testing-DyAqaOBC.js";
6
7
  ObjectRegistry.registerPackageManifest(
7
8
  new URL("./manifest.json", import.meta.url)
8
9
  );
@@ -64,13 +65,44 @@ function getTenantIdFieldOptions(field) {
64
65
  const def = field;
65
66
  return def.__tenancy;
66
67
  }
68
+ function assertTenantReadAllowed(tenantId2, label) {
69
+ const tenantContext = getCurrentTenant();
70
+ if (tenantContext && !isSuperAdminBypass() && tenantContext.tenantId !== tenantId2) {
71
+ throw new TenantIsolationError(
72
+ `Tenant isolation violation in ${label}: context tenant is '${tenantContext.tenantId}' but query requested '${tenantId2}'`,
73
+ { tenantId: tenantContext.tenantId, attemptedTenantId: tenantId2 }
74
+ );
75
+ }
76
+ }
77
+ async function queryGlobal(collection) {
78
+ const metaType = collection.getStiChildMetaType();
79
+ const where = metaType ? "WHERE _meta_type = ? AND tenant_id IS NULL" : "WHERE tenant_id IS NULL";
80
+ const params = metaType ? [metaType] : [];
81
+ return await collection.query(
82
+ `SELECT * FROM ${collection.tableName} ${where}`,
83
+ params,
84
+ { allowRawOnTenantScoped: true }
85
+ );
86
+ }
87
+ async function queryWithGlobals(collection, tenantId2, label) {
88
+ assertTenantReadAllowed(tenantId2, label);
89
+ const metaType = collection.getStiChildMetaType();
90
+ const where = metaType ? "WHERE _meta_type = ? AND (tenant_id = ? OR tenant_id IS NULL)" : "WHERE tenant_id = ? OR tenant_id IS NULL";
91
+ const params = metaType ? [metaType, tenantId2] : [tenantId2];
92
+ return await collection.query(
93
+ `SELECT * FROM ${collection.tableName} ${where}`,
94
+ params,
95
+ { allowRawOnTenantScoped: true }
96
+ );
97
+ }
67
98
  export {
68
- T as TenantContext,
69
- a2 as TenantContextError,
70
- b2 as TenantIsolationError,
99
+ b2 as TenantContext,
100
+ c2 as TenantContextError,
101
+ TenantIsolationError,
71
102
  TenantScoped,
72
103
  a3 as assertTenantContextRequired,
73
104
  b3 as assertTenantIsolationViolation,
105
+ assertTenantReadAllowed,
74
106
  c3 as clearTenantScopedRegistry,
75
107
  c as createCliContext,
76
108
  a as createExpressMiddleware,
@@ -78,31 +110,33 @@ export {
78
110
  d2 as createTenantInterceptor,
79
111
  e2 as createTestTenantContext,
80
112
  f2 as disableTenancy,
81
- g2 as enableTenancy,
113
+ g as enableTenancy,
82
114
  e as enterTenantContext,
83
115
  h2 as getAllTenantScopedClasses,
84
- g as getCurrentTenant,
85
- c2 as getTenantId,
116
+ getCurrentTenant,
117
+ d as getTenantId,
86
118
  getTenantIdFieldOptions,
87
- i2 as getTenantScopedConfig,
119
+ i as getTenantScopedConfig,
88
120
  h as hasTenantContext,
89
- i as isSuperAdminBypass,
90
- d as isSystemContext,
121
+ isSuperAdminBypass,
122
+ f as isSystemContext,
91
123
  j2 as isTenancyEnabled,
92
124
  isTenantIdField,
93
125
  k2 as isTenantScopedClass,
126
+ queryGlobal,
127
+ queryWithGlobals,
94
128
  registerTenantScopedClass,
95
129
  r as requireTenant,
96
- f as requireTenantId,
130
+ j as requireTenantId,
97
131
  l2 as resetTenancy,
98
132
  m as runTenantScopedEntryPoint,
99
133
  s as setupTestTenancy,
100
134
  tenantId,
101
135
  t as testTenantIsolation,
102
136
  u as unregisterTenantScopedClass,
103
- w as withSuperAdminBypass,
104
- j as withSystemContext,
105
- k as withTenant,
137
+ k as withSuperAdminBypass,
138
+ a2 as withSystemContext,
139
+ w as withTenant,
106
140
  l as withTenantSync
107
141
  };
108
142
  //# sourceMappingURL=index.js.map
package/dist/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.js","sources":["../src/__smrt-register__.ts","../src/decorators.ts","../src/fields.ts"],"sourcesContent":["/**\n * Self-registers this package's build-time manifest before any @smrt() decorator\n * in the package fires. Fixes issue #1132: in consumer runtimes (tsx, SvelteKit\n * SSR, plain `vite dev`) the decorator's synchronous manifest lookup previously\n * missed because no step populated the global manifest cache — classes got\n * registered with zero fields and `save()` / `toJSON()` silently dropped every\n * declared property.\n *\n * Import this module as the first statement in `src/index.ts` so its top-level\n * side effect runs ahead of any class module's @smrt() decorator.\n *\n * Silent no-op in dev/test, where the vitest plugin already populates manifests\n * via a different path. Only needs to succeed in the published dist output.\n *\n * @see https://github.com/happyvertical/smrt/issues/1132\n */\nimport { ObjectRegistry } from '@happyvertical/smrt-core';\n\n// `new URL('./manifest.json', import.meta.url)` resolves at runtime to the\n// manifest sitting next to this module's compiled output. Vite warns at build\n// time that it cannot pre-resolve the URL; that is the intended behavior —\n// the URL must resolve to dist/manifest.json at runtime, not be inlined.\nObjectRegistry.registerPackageManifest(\n new URL('./manifest.json', import.meta.url),\n);\n","/**\n * Tenancy Decorators\n *\n * Provides class and property decorators for tenant-scoped SMRT objects.\n *\n * @example\n * ```typescript\n * import { smrt, SmrtObject } from '@happyvertical/smrt-core';\n * import { TenantScoped, tenantId } from '@happyvertical/smrt-tenancy';\n *\n * @smrt()\n * @TenantScoped({ mode: 'optional' })\n * class Document extends SmrtObject {\n * @tenantId({ nullable: true })\n * tenantId: string | null = null; // null = global document\n *\n * title: string = '';\n * }\n * ```\n *\n * @see https://github.com/happyvertical/smrt/issues/675\n * @see https://github.com/happyvertical/smrt/issues/829\n */\n\nimport {\n applyPendingDecoratorRegistrations,\n type CompatiblePropertyDecorator,\n type CompatiblePropertyDecoratorContext,\n type LegacyPropertyDecoratorTarget,\n ObjectRegistry,\n registerCompatibleFieldDecorator,\n} from '@happyvertical/smrt-core';\nimport type { TenantIdFieldOptions } from './fields.js';\nimport {\n registerTenantScopedClass,\n type TenantScopedConfig,\n} from './registry.js';\n\n/**\n * Options accepted by the `@TenantScoped()` class decorator.\n *\n * All fields are optional; defaults match the most restrictive safe behaviour\n * (required mode, auto-filter and auto-populate enabled, no super-admin bypass).\n *\n * @see TenantScoped\n * @see TenantScopedConfig\n */\nexport interface TenantScopedOptions {\n /**\n * Tenancy mode for this class\n * - 'required': Must have tenant context for all operations (default)\n * - 'optional': Works with or without tenant context\n */\n mode?: 'required' | 'optional';\n\n /**\n * Field name containing tenant ID\n * @default 'tenantId'\n */\n field?: string;\n\n /**\n * Auto-filter all queries by tenant\n * @default true\n */\n autoFilter?: boolean;\n\n /**\n * Auto-populate tenant ID from context on create\n * @default true\n */\n autoPopulate?: boolean;\n\n /**\n * Allow super admin bypass for this class\n * @default false - must be explicitly enabled\n */\n allowSuperAdminBypass?: boolean;\n}\n\n/**\n * Mark a class as tenant-scoped\n *\n * This decorator registers the class with the tenancy system so that:\n * - list()/get() queries are automatically filtered by tenant\n * - save() validates tenant ID matches current context\n * - delete() validates tenant ownership\n * - Raw SQL queries trigger policy enforcement\n *\n * @param options - Configuration options\n *\n * @example Basic usage (required tenancy)\n * ```typescript\n * @smrt()\n * @TenantScoped()\n * class Document extends SmrtObject {\n * @tenantId()\n * tenantId: string = '';\n *\n * title: string = '';\n * }\n * ```\n *\n * @example With super admin bypass enabled\n * ```typescript\n * @smrt()\n * @TenantScoped({ allowSuperAdminBypass: true })\n * class AuditLog extends SmrtObject {\n * @tenantId()\n * tenantId: string = '';\n *\n * action: string = '';\n * }\n * ```\n *\n * @example Optional tenancy (works with or without context)\n * ```typescript\n * @smrt()\n * @TenantScoped({ mode: 'optional' })\n * class GlobalConfig extends SmrtObject {\n * @tenantId({ nullable: true })\n * tenantId: string | null = null; // null = global, string = tenant-specific\n *\n * key: string = '';\n * value: string = '';\n * }\n * ```\n */\nexport function TenantScoped(options: TenantScopedOptions = {}) {\n return <T extends Function>(\n target: T,\n decoratorContext?: ClassDecoratorContext,\n ): T => {\n applyPendingDecoratorRegistrations(target, decoratorContext);\n\n const className = target.name;\n\n // Merge with defaults\n const config: Partial<TenantScopedConfig> = {\n mode: options.mode ?? 'required',\n field: options.field ?? 'tenantId',\n autoFilter: options.autoFilter ?? true,\n autoPopulate: options.autoPopulate ?? true,\n allowSuperAdminBypass: options.allowSuperAdminBypass ?? false,\n };\n\n // Register with the tenancy system\n registerTenantScopedClass(className, config);\n\n // Return the class unchanged\n return target;\n };\n}\n\n// ─────────────────────────────────────────────────────────────────────────────\n// Property Decorator: @tenantId\n// ─────────────────────────────────────────────────────────────────────────────\n\n/**\n * Tenant ID property decorator\n *\n * Marks a property as the tenant identifier field. This decorator registers\n * the field metadata with ObjectRegistry, keeping the property value clean\n * (no descriptor objects that could be accidentally saved to the database).\n *\n * @param options - Field options (nullable, autoFilter, autoPopulate, etc.)\n * @returns Property decorator\n *\n * @example Basic usage (required tenancy)\n * ```typescript\n * @smrt()\n * @TenantScoped()\n * class Document extends SmrtObject {\n * @tenantId()\n * tenantId: string = '';\n *\n * title: string = '';\n * }\n * ```\n *\n * @example Nullable tenant ID (for global resources)\n * ```typescript\n * @smrt()\n * @TenantScoped({ mode: 'optional' })\n * class GlobalConfig extends SmrtObject {\n * @tenantId({ nullable: true })\n * tenantId: string | null = null; // null = global, string = tenant-specific\n *\n * key: string = '';\n * }\n * ```\n *\n * @see https://github.com/happyvertical/smrt/issues/829 - Why decorators over field helpers\n */\nexport function tenantId(options: TenantIdFieldOptions = {}) {\n const opts = {\n autoFilter: true,\n required: true,\n autoPopulate: true,\n nullable: false,\n ...options,\n };\n\n return ((\n targetOrValue: LegacyPropertyDecoratorTarget | undefined,\n propertyKeyOrContext: CompatiblePropertyDecoratorContext<any, any>,\n ) => {\n registerCompatibleFieldDecorator(\n targetOrValue,\n propertyKeyOrContext,\n (className, propertyKey) => {\n ObjectRegistry.registerFieldDecorator(className, propertyKey, {\n type: 'foreignKey',\n related: 'Tenant',\n sqlType: 'UUID',\n required: opts.required,\n nullable: opts.nullable,\n __tenancy: {\n ...opts,\n isTenantIdField: true,\n },\n });\n },\n );\n }) as CompatiblePropertyDecorator;\n}\n","/**\n * Tenancy Field Types and Utilities\n *\n * This module provides types and utility functions for tenant ID fields.\n * The actual field decorator is in decorators.ts.\n *\n * @see https://github.com/happyvertical/smrt/issues/675\n * @see https://github.com/happyvertical/smrt/issues/829\n */\n\n/**\n * Options for the `@tenantId()` property decorator.\n *\n * Controls how the decorated field interacts with the tenancy interceptor.\n * All options default to the strictest safe values: auto-filter on, required,\n * auto-populate on, not nullable.\n *\n * @see tenantId\n * @see TenantScopedOptions\n */\nexport interface TenantIdFieldOptions {\n /**\n * Auto-filter queries by this field\n * @default true\n */\n autoFilter?: boolean;\n\n /**\n * Require this field to have a value on save\n * @default true\n */\n required?: boolean;\n\n /**\n * Auto-populate from context on create if not set\n * @default true\n */\n autoPopulate?: boolean;\n\n /**\n * Allow null values (for global resources)\n * @default false\n */\n nullable?: boolean;\n}\n\n// Symbol to identify tenantId fields\nexport const TENANT_ID_SYMBOL = Symbol('tenantId');\n\n/**\n * Internal field descriptor stored in `ObjectRegistry` when `@tenantId()` is\n * applied to a property.\n *\n * Consumers should use `isTenantIdField()` and `getTenantIdFieldOptions()`\n * to inspect these descriptors rather than reading the raw properties directly.\n *\n * @see isTenantIdField\n * @see getTenantIdFieldOptions\n */\nexport interface TenantIdFieldDefinition {\n /** Field type marker */\n type: 'foreignKey';\n /** Reference to Tenant class (placeholder - actual class resolved at runtime) */\n reference: 'Tenant';\n /** SQL type */\n sqlType: 'UUID';\n /** Field is required */\n required: boolean;\n /** Field allows null */\n nullable: boolean;\n /** Tenancy-specific options */\n __tenancy: TenantIdFieldOptions & { isTenantIdField: true };\n}\n\n/**\n * Return `true` if the given field definition was produced by the `@tenantId()`\n * decorator (i.e., it has an `__tenancy.isTenantIdField` marker).\n *\n * Used internally by the interceptor and code generators to locate the tenant\n * ID field on a class without knowing its property name in advance.\n *\n * @param field - A raw field definition object, typically from `ObjectRegistry`.\n * @returns `true` if `field` is a tenant ID field definition, `false` otherwise.\n *\n * @example\n * ```typescript\n * const fields = ObjectRegistry.getFields('Document');\n * const tenantField = Object.entries(fields).find(([, def]) => isTenantIdField(def));\n * ```\n *\n * @see getTenantIdFieldOptions\n * @see TenantIdFieldDefinition\n */\nexport function isTenantIdField(field: unknown): boolean {\n if (!field || typeof field !== 'object') {\n return false;\n }\n const def = field as Record<string, unknown>;\n const tenancy = def.__tenancy as Record<string, unknown> | undefined;\n return tenancy?.isTenantIdField === true;\n}\n\n/**\n * Extract the `TenantIdFieldOptions` from a field definition.\n *\n * Returns the tenancy-specific options (autoFilter, required, autoPopulate,\n * nullable) stored inside the field descriptor's `__tenancy` property.\n * Returns `null` if the field was not produced by `@tenantId()`.\n *\n * @param field - A raw field definition object, typically from `ObjectRegistry`.\n * @returns The `TenantIdFieldOptions` if the field is a tenant ID field,\n * `null` otherwise.\n *\n * @see isTenantIdField\n * @see TenantIdFieldOptions\n */\nexport function getTenantIdFieldOptions(\n field: unknown,\n): TenantIdFieldOptions | null {\n if (!isTenantIdField(field)) {\n return null;\n }\n const def = field as { __tenancy: TenantIdFieldOptions };\n return def.__tenancy;\n}\n"],"names":[],"mappings":";;;;;AAsBA,eAAe;AAAA,EACb,IAAA,IAAA,mBAAA,YAAA,GAAA;AACF;ACwGO,SAAS,aAAa,UAA+B,IAAI;AAC9D,SAAO,CACL,QACA,qBACM;AACN,uCAAmC,QAAQ,gBAAgB;AAE3D,UAAM,YAAY,OAAO;AAGzB,UAAM,SAAsC;AAAA,MAC1C,MAAM,QAAQ,QAAQ;AAAA,MACtB,OAAO,QAAQ,SAAS;AAAA,MACxB,YAAY,QAAQ,cAAc;AAAA,MAClC,cAAc,QAAQ,gBAAgB;AAAA,MACtC,uBAAuB,QAAQ,yBAAyB;AAAA,IAAA;AAI1D,8BAA0B,WAAW,MAAM;AAG3C,WAAO;AAAA,EACT;AACF;AA0CO,SAAS,SAAS,UAAgC,IAAI;AAC3D,QAAM,OAAO;AAAA,IACX,YAAY;AAAA,IACZ,UAAU;AAAA,IACV,cAAc;AAAA,IACd,UAAU;AAAA,IACV,GAAG;AAAA,EAAA;AAGL,UAAQ,CACN,eACA,yBACG;AACH;AAAA,MACE;AAAA,MACA;AAAA,MACA,CAAC,WAAW,gBAAgB;AAC1B,uBAAe,uBAAuB,WAAW,aAAa;AAAA,UAC5D,MAAM;AAAA,UACN,SAAS;AAAA,UACT,SAAS;AAAA,UACT,UAAU,KAAK;AAAA,UACf,UAAU,KAAK;AAAA,UACf,WAAW;AAAA,YACT,GAAG;AAAA,YACH,iBAAiB;AAAA,UAAA;AAAA,QACnB,CACD;AAAA,MACH;AAAA,IAAA;AAAA,EAEJ;AACF;ACpIO,SAAS,gBAAgB,OAAyB;AACvD,MAAI,CAAC,SAAS,OAAO,UAAU,UAAU;AACvC,WAAO;AAAA,EACT;AACA,QAAM,MAAM;AACZ,QAAM,UAAU,IAAI;AACpB,SAAO,SAAS,oBAAoB;AACtC;AAgBO,SAAS,wBACd,OAC6B;AAC7B,MAAI,CAAC,gBAAgB,KAAK,GAAG;AAC3B,WAAO;AAAA,EACT;AACA,QAAM,MAAM;AACZ,SAAO,IAAI;AACb;"}
1
+ {"version":3,"file":"index.js","sources":["../src/__smrt-register__.ts","../src/decorators.ts","../src/fields.ts","../src/tenant-global-queries.ts"],"sourcesContent":["/**\n * Self-registers this package's build-time manifest before any @smrt() decorator\n * in the package fires. Fixes issue #1132: in consumer runtimes (tsx, SvelteKit\n * SSR, plain `vite dev`) the decorator's synchronous manifest lookup previously\n * missed because no step populated the global manifest cache — classes got\n * registered with zero fields and `save()` / `toJSON()` silently dropped every\n * declared property.\n *\n * Import this module as the first statement in `src/index.ts` so its top-level\n * side effect runs ahead of any class module's @smrt() decorator.\n *\n * Silent no-op in dev/test, where the vitest plugin already populates manifests\n * via a different path. Only needs to succeed in the published dist output.\n *\n * @see https://github.com/happyvertical/smrt/issues/1132\n */\nimport { ObjectRegistry } from '@happyvertical/smrt-core';\n\n// `new URL('./manifest.json', import.meta.url)` resolves at runtime to the\n// manifest sitting next to this module's compiled output. Vite warns at build\n// time that it cannot pre-resolve the URL; that is the intended behavior —\n// the URL must resolve to dist/manifest.json at runtime, not be inlined.\nObjectRegistry.registerPackageManifest(\n new URL('./manifest.json', import.meta.url),\n);\n","/**\n * Tenancy Decorators\n *\n * Provides class and property decorators for tenant-scoped SMRT objects.\n *\n * @example\n * ```typescript\n * import { smrt, SmrtObject } from '@happyvertical/smrt-core';\n * import { TenantScoped, tenantId } from '@happyvertical/smrt-tenancy';\n *\n * @smrt()\n * @TenantScoped({ mode: 'optional' })\n * class Document extends SmrtObject {\n * @tenantId({ nullable: true })\n * tenantId: string | null = null; // null = global document\n *\n * title: string = '';\n * }\n * ```\n *\n * @see https://github.com/happyvertical/smrt/issues/675\n * @see https://github.com/happyvertical/smrt/issues/829\n */\n\nimport {\n applyPendingDecoratorRegistrations,\n type CompatiblePropertyDecorator,\n type CompatiblePropertyDecoratorContext,\n type LegacyPropertyDecoratorTarget,\n ObjectRegistry,\n registerCompatibleFieldDecorator,\n} from '@happyvertical/smrt-core';\nimport type { TenantIdFieldOptions } from './fields.js';\nimport {\n registerTenantScopedClass,\n type TenantScopedConfig,\n} from './registry.js';\n\n/**\n * Options accepted by the `@TenantScoped()` class decorator.\n *\n * All fields are optional; defaults match the most restrictive safe behaviour\n * (required mode, auto-filter and auto-populate enabled, no super-admin bypass).\n *\n * @see TenantScoped\n * @see TenantScopedConfig\n */\nexport interface TenantScopedOptions {\n /**\n * Tenancy mode for this class\n * - 'required': Must have tenant context for all operations (default)\n * - 'optional': Works with or without tenant context\n */\n mode?: 'required' | 'optional';\n\n /**\n * Field name containing tenant ID\n * @default 'tenantId'\n */\n field?: string;\n\n /**\n * Auto-filter all queries by tenant\n * @default true\n */\n autoFilter?: boolean;\n\n /**\n * Auto-populate tenant ID from context on create\n * @default true\n */\n autoPopulate?: boolean;\n\n /**\n * Allow super admin bypass for this class\n * @default false - must be explicitly enabled\n */\n allowSuperAdminBypass?: boolean;\n}\n\n/**\n * Mark a class as tenant-scoped\n *\n * This decorator registers the class with the tenancy system so that:\n * - list()/get() queries are automatically filtered by tenant\n * - save() validates tenant ID matches current context\n * - delete() validates tenant ownership\n * - Raw SQL queries trigger policy enforcement\n *\n * @param options - Configuration options\n *\n * @example Basic usage (required tenancy)\n * ```typescript\n * @smrt()\n * @TenantScoped()\n * class Document extends SmrtObject {\n * @tenantId()\n * tenantId: string = '';\n *\n * title: string = '';\n * }\n * ```\n *\n * @example With super admin bypass enabled\n * ```typescript\n * @smrt()\n * @TenantScoped({ allowSuperAdminBypass: true })\n * class AuditLog extends SmrtObject {\n * @tenantId()\n * tenantId: string = '';\n *\n * action: string = '';\n * }\n * ```\n *\n * @example Optional tenancy (works with or without context)\n * ```typescript\n * @smrt()\n * @TenantScoped({ mode: 'optional' })\n * class GlobalConfig extends SmrtObject {\n * @tenantId({ nullable: true })\n * tenantId: string | null = null; // null = global, string = tenant-specific\n *\n * key: string = '';\n * value: string = '';\n * }\n * ```\n */\nexport function TenantScoped(options: TenantScopedOptions = {}) {\n return <T extends Function>(\n target: T,\n decoratorContext?: ClassDecoratorContext,\n ): T => {\n applyPendingDecoratorRegistrations(target, decoratorContext);\n\n const className = target.name;\n\n // Merge with defaults\n const config: Partial<TenantScopedConfig> = {\n mode: options.mode ?? 'required',\n field: options.field ?? 'tenantId',\n autoFilter: options.autoFilter ?? true,\n autoPopulate: options.autoPopulate ?? true,\n allowSuperAdminBypass: options.allowSuperAdminBypass ?? false,\n };\n\n // Register with the tenancy system\n registerTenantScopedClass(className, config);\n\n // Return the class unchanged\n return target;\n };\n}\n\n// ─────────────────────────────────────────────────────────────────────────────\n// Property Decorator: @tenantId\n// ─────────────────────────────────────────────────────────────────────────────\n\n/**\n * Tenant ID property decorator\n *\n * Marks a property as the tenant identifier field. This decorator registers\n * the field metadata with ObjectRegistry, keeping the property value clean\n * (no descriptor objects that could be accidentally saved to the database).\n *\n * @param options - Field options (nullable, autoFilter, autoPopulate, etc.)\n * @returns Property decorator\n *\n * @example Basic usage (required tenancy)\n * ```typescript\n * @smrt()\n * @TenantScoped()\n * class Document extends SmrtObject {\n * @tenantId()\n * tenantId: string = '';\n *\n * title: string = '';\n * }\n * ```\n *\n * @example Nullable tenant ID (for global resources)\n * ```typescript\n * @smrt()\n * @TenantScoped({ mode: 'optional' })\n * class GlobalConfig extends SmrtObject {\n * @tenantId({ nullable: true })\n * tenantId: string | null = null; // null = global, string = tenant-specific\n *\n * key: string = '';\n * }\n * ```\n *\n * @see https://github.com/happyvertical/smrt/issues/829 - Why decorators over field helpers\n */\nexport function tenantId(options: TenantIdFieldOptions = {}) {\n const opts = {\n autoFilter: true,\n required: true,\n autoPopulate: true,\n nullable: false,\n ...options,\n };\n\n return ((\n targetOrValue: LegacyPropertyDecoratorTarget | undefined,\n propertyKeyOrContext: CompatiblePropertyDecoratorContext<any, any>,\n ) => {\n registerCompatibleFieldDecorator(\n targetOrValue,\n propertyKeyOrContext,\n (className, propertyKey) => {\n ObjectRegistry.registerFieldDecorator(className, propertyKey, {\n type: 'foreignKey',\n related: 'Tenant',\n sqlType: 'UUID',\n required: opts.required,\n nullable: opts.nullable,\n __tenancy: {\n ...opts,\n isTenantIdField: true,\n },\n });\n },\n );\n }) as CompatiblePropertyDecorator;\n}\n","/**\n * Tenancy Field Types and Utilities\n *\n * This module provides types and utility functions for tenant ID fields.\n * The actual field decorator is in decorators.ts.\n *\n * @see https://github.com/happyvertical/smrt/issues/675\n * @see https://github.com/happyvertical/smrt/issues/829\n */\n\n/**\n * Options for the `@tenantId()` property decorator.\n *\n * Controls how the decorated field interacts with the tenancy interceptor.\n * All options default to the strictest safe values: auto-filter on, required,\n * auto-populate on, not nullable.\n *\n * @see tenantId\n * @see TenantScopedOptions\n */\nexport interface TenantIdFieldOptions {\n /**\n * Auto-filter queries by this field\n * @default true\n */\n autoFilter?: boolean;\n\n /**\n * Require this field to have a value on save\n * @default true\n */\n required?: boolean;\n\n /**\n * Auto-populate from context on create if not set\n * @default true\n */\n autoPopulate?: boolean;\n\n /**\n * Allow null values (for global resources)\n * @default false\n */\n nullable?: boolean;\n}\n\n// Symbol to identify tenantId fields\nexport const TENANT_ID_SYMBOL = Symbol('tenantId');\n\n/**\n * Internal field descriptor stored in `ObjectRegistry` when `@tenantId()` is\n * applied to a property.\n *\n * Consumers should use `isTenantIdField()` and `getTenantIdFieldOptions()`\n * to inspect these descriptors rather than reading the raw properties directly.\n *\n * @see isTenantIdField\n * @see getTenantIdFieldOptions\n */\nexport interface TenantIdFieldDefinition {\n /** Field type marker */\n type: 'foreignKey';\n /** Reference to Tenant class (placeholder - actual class resolved at runtime) */\n reference: 'Tenant';\n /** SQL type */\n sqlType: 'UUID';\n /** Field is required */\n required: boolean;\n /** Field allows null */\n nullable: boolean;\n /** Tenancy-specific options */\n __tenancy: TenantIdFieldOptions & { isTenantIdField: true };\n}\n\n/**\n * Return `true` if the given field definition was produced by the `@tenantId()`\n * decorator (i.e., it has an `__tenancy.isTenantIdField` marker).\n *\n * Used internally by the interceptor and code generators to locate the tenant\n * ID field on a class without knowing its property name in advance.\n *\n * @param field - A raw field definition object, typically from `ObjectRegistry`.\n * @returns `true` if `field` is a tenant ID field definition, `false` otherwise.\n *\n * @example\n * ```typescript\n * const fields = ObjectRegistry.getFields('Document');\n * const tenantField = Object.entries(fields).find(([, def]) => isTenantIdField(def));\n * ```\n *\n * @see getTenantIdFieldOptions\n * @see TenantIdFieldDefinition\n */\nexport function isTenantIdField(field: unknown): boolean {\n if (!field || typeof field !== 'object') {\n return false;\n }\n const def = field as Record<string, unknown>;\n const tenancy = def.__tenancy as Record<string, unknown> | undefined;\n return tenancy?.isTenantIdField === true;\n}\n\n/**\n * Extract the `TenantIdFieldOptions` from a field definition.\n *\n * Returns the tenancy-specific options (autoFilter, required, autoPopulate,\n * nullable) stored inside the field descriptor's `__tenancy` property.\n * Returns `null` if the field was not produced by `@tenantId()`.\n *\n * @param field - A raw field definition object, typically from `ObjectRegistry`.\n * @returns The `TenantIdFieldOptions` if the field is a tenant ID field,\n * `null` otherwise.\n *\n * @see isTenantIdField\n * @see TenantIdFieldOptions\n */\nexport function getTenantIdFieldOptions(\n field: unknown,\n): TenantIdFieldOptions | null {\n if (!isTenantIdField(field)) {\n return null;\n }\n const def = field as { __tenancy: TenantIdFieldOptions };\n return def.__tenancy;\n}\n","/**\n * Shared raw-SQL helpers for tenant-scoped collections' \"global\" and\n * \"tenant + globals\" lookups (#1600).\n *\n * Most domain models are `@TenantScoped`. Their collections historically\n * hand-rolled two helpers the OLD way:\n *\n * ```typescript\n * async findGlobal() { return this.list({ where: { tenantId: null } }); }\n * async findWithGlobals(tid) { return this.query(\n * `SELECT * FROM ${this.tableName} WHERE tenant_id = ? OR tenant_id IS NULL`, [tid]); }\n * ```\n *\n * Under an ACTIVE tenant context with tenancy enabled (default\n * `rawQueryPolicy: 'throw'`) BOTH break:\n * - `findGlobal()` routes an explicit `tenant_id IS NULL` filter through\n * `list()`, which the interceptor flags as an isolation violation → throws.\n * - `findWithGlobals()` issues unflagged raw SQL on a tenant-scoped class,\n * which `beforeQuery` blocks → throws.\n * - `findWithGlobals()` also trusts the caller-supplied `tenantId`, so once the\n * raw bypass is added a caller under tenant-A could read tenant-B by passing\n * B's id.\n *\n * These helpers run raw with `{ allowRawOnTenantScoped: true }` (carrying the\n * tenant predicate themselves), and `queryWithGlobals` re-implements the\n * isolation guard the bypass disables (`assertTenantReadAllowed`): a caller\n * under tenant-A must not read tenant-B's rows by passing tenant-B's id. A\n * system / super-admin-bypass context keeps the deliberate cross-tenant\n * capability for admin paths.\n *\n * STI scoping is derived automatically from the collection's item class via\n * `collection.getStiChildMetaType()` (smrt-core), which mirrors the\n * `_meta_type` scoping `list()` applies: STI **child** collections scope the\n * shared table to their own subtype, while STI **base** and CTI collections do\n * not (a base legitimately spans subtypes; CTI tables have no `_meta_type`).\n * Callers never hand-classify their collection. Promoted from\n * `@happyvertical/smrt-messages` (#1596) so every package shares one\n * implementation.\n */\n\nimport type { SmrtCollection } from '@happyvertical/smrt-core';\nimport {\n getCurrentTenant,\n isSuperAdminBypass,\n TenantIsolationError,\n} from './context.js';\n\n/**\n * Fail closed when an active tenant context requests a different tenant's rows.\n *\n * @param tenantId - The tenant id the caller asked for.\n * @param label - `Class.method` identifier for the error message.\n * @throws {TenantIsolationError} when a non-bypass tenant context is active and\n * does not match `tenantId`.\n */\nexport function assertTenantReadAllowed(tenantId: string, label: string): void {\n const tenantContext = getCurrentTenant();\n if (\n tenantContext &&\n !isSuperAdminBypass() &&\n tenantContext.tenantId !== tenantId\n ) {\n throw new TenantIsolationError(\n `Tenant isolation violation in ${label}: context tenant is ` +\n `'${tenantContext.tenantId}' but query requested '${tenantId}'`,\n { tenantId: tenantContext.tenantId, attemptedTenantId: tenantId },\n );\n }\n}\n\n/**\n * Return all global (tenant-less) rows for a tenant-scoped collection.\n *\n * STI child collections are auto-scoped to their own `_meta_type` (via\n * `collection.getStiChildMetaType()`) so the shared table never returns sibling\n * subtypes; STI base / CTI collections are not scoped.\n *\n * @param collection - The tenant-scoped collection to query.\n */\nexport async function queryGlobal<T>(\n collection: SmrtCollection<any>,\n): Promise<T[]> {\n const metaType = collection.getStiChildMetaType();\n const where = metaType\n ? 'WHERE _meta_type = ? AND tenant_id IS NULL'\n : 'WHERE tenant_id IS NULL';\n const params = metaType ? [metaType] : [];\n return (await collection.query(\n `SELECT * FROM ${collection.tableName} ${where}`,\n params,\n { allowRawOnTenantScoped: true },\n )) as T[];\n}\n\n/**\n * Return a tenant's rows plus all global rows for a tenant-scoped collection.\n *\n * Fails closed (`assertTenantReadAllowed`) before issuing the bypassed query.\n * STI child collections are auto-scoped to their own `_meta_type` (via\n * `collection.getStiChildMetaType()`); STI base / CTI collections are not.\n *\n * @param collection - The tenant-scoped collection to query.\n * @param tenantId - The tenant id to include alongside globals.\n * @param label - `Class.method` identifier for the isolation error message.\n */\nexport async function queryWithGlobals<T>(\n collection: SmrtCollection<any>,\n tenantId: string,\n label: string,\n): Promise<T[]> {\n assertTenantReadAllowed(tenantId, label);\n const metaType = collection.getStiChildMetaType();\n const where = metaType\n ? 'WHERE _meta_type = ? AND (tenant_id = ? OR tenant_id IS NULL)'\n : 'WHERE tenant_id = ? OR tenant_id IS NULL';\n const params = metaType ? [metaType, tenantId] : [tenantId];\n return (await collection.query(\n `SELECT * FROM ${collection.tableName} ${where}`,\n params,\n { allowRawOnTenantScoped: true },\n )) as T[];\n}\n"],"names":["tenantId"],"mappings":";;;;;;AAsBA,eAAe;AAAA,EACb,IAAA,IAAA,mBAAA,YAAA,GAAA;AACF;ACwGO,SAAS,aAAa,UAA+B,IAAI;AAC9D,SAAO,CACL,QACA,qBACM;AACN,uCAAmC,QAAQ,gBAAgB;AAE3D,UAAM,YAAY,OAAO;AAGzB,UAAM,SAAsC;AAAA,MAC1C,MAAM,QAAQ,QAAQ;AAAA,MACtB,OAAO,QAAQ,SAAS;AAAA,MACxB,YAAY,QAAQ,cAAc;AAAA,MAClC,cAAc,QAAQ,gBAAgB;AAAA,MACtC,uBAAuB,QAAQ,yBAAyB;AAAA,IAAA;AAI1D,8BAA0B,WAAW,MAAM;AAG3C,WAAO;AAAA,EACT;AACF;AA0CO,SAAS,SAAS,UAAgC,IAAI;AAC3D,QAAM,OAAO;AAAA,IACX,YAAY;AAAA,IACZ,UAAU;AAAA,IACV,cAAc;AAAA,IACd,UAAU;AAAA,IACV,GAAG;AAAA,EAAA;AAGL,UAAQ,CACN,eACA,yBACG;AACH;AAAA,MACE;AAAA,MACA;AAAA,MACA,CAAC,WAAW,gBAAgB;AAC1B,uBAAe,uBAAuB,WAAW,aAAa;AAAA,UAC5D,MAAM;AAAA,UACN,SAAS;AAAA,UACT,SAAS;AAAA,UACT,UAAU,KAAK;AAAA,UACf,UAAU,KAAK;AAAA,UACf,WAAW;AAAA,YACT,GAAG;AAAA,YACH,iBAAiB;AAAA,UAAA;AAAA,QACnB,CACD;AAAA,MACH;AAAA,IAAA;AAAA,EAEJ;AACF;ACpIO,SAAS,gBAAgB,OAAyB;AACvD,MAAI,CAAC,SAAS,OAAO,UAAU,UAAU;AACvC,WAAO;AAAA,EACT;AACA,QAAM,MAAM;AACZ,QAAM,UAAU,IAAI;AACpB,SAAO,SAAS,oBAAoB;AACtC;AAgBO,SAAS,wBACd,OAC6B;AAC7B,MAAI,CAAC,gBAAgB,KAAK,GAAG;AAC3B,WAAO;AAAA,EACT;AACA,QAAM,MAAM;AACZ,SAAO,IAAI;AACb;ACrEO,SAAS,wBAAwBA,WAAkB,OAAqB;AAC7E,QAAM,gBAAgB,iBAAA;AACtB,MACE,iBACA,CAAC,mBAAA,KACD,cAAc,aAAaA,WAC3B;AACA,UAAM,IAAI;AAAA,MACR,iCAAiC,KAAK,wBAChC,cAAc,QAAQ,0BAA0BA,SAAQ;AAAA,MAC9D,EAAE,UAAU,cAAc,UAAU,mBAAmBA,UAAA;AAAA,IAAS;AAAA,EAEpE;AACF;AAWA,eAAsB,YACpB,YACc;AACd,QAAM,WAAW,WAAW,oBAAA;AAC5B,QAAM,QAAQ,WACV,+CACA;AACJ,QAAM,SAAS,WAAW,CAAC,QAAQ,IAAI,CAAA;AACvC,SAAQ,MAAM,WAAW;AAAA,IACvB,iBAAiB,WAAW,SAAS,IAAI,KAAK;AAAA,IAC9C;AAAA,IACA,EAAE,wBAAwB,KAAA;AAAA,EAAK;AAEnC;AAaA,eAAsB,iBACpB,YACAA,WACA,OACc;AACd,0BAAwBA,WAAU,KAAK;AACvC,QAAM,WAAW,WAAW,oBAAA;AAC5B,QAAM,QAAQ,WACV,kEACA;AACJ,QAAM,SAAS,WAAW,CAAC,UAAUA,SAAQ,IAAI,CAACA,SAAQ;AAC1D,SAAQ,MAAM,WAAW;AAAA,IACvB,iBAAiB,WAAW,SAAS,IAAI,KAAK;AAAA,IAC9C;AAAA,IACA,EAAE,wBAAwB,KAAA;AAAA,EAAK;AAEnC;"}
package/dist/manifest.json CHANGED
@@ -1,8 +1,8 @@
1
1
  {
2
2
  "version": "1.0.0",
3
- "timestamp": 1782240979493,
3
+ "timestamp": 1782251512004,
4
4
  "packageName": "@happyvertical/smrt-tenancy",
5
- "packageVersion": "0.34.0",
5
+ "packageVersion": "0.34.2",
6
6
  "objects": {},
7
7
  "moduleType": "smrt",
8
8
  "smrtDependencies": [
package/dist/smrt-knowledge.json CHANGED
@@ -1,13 +1,13 @@
1
1
  {
2
2
  "schemaVersion": 1,
3
- "generatedAt": "2026-06-23T18:56:19.749Z",
3
+ "generatedAt": "2026-06-23T21:51:52.243Z",
4
4
  "packageName": "@happyvertical/smrt-tenancy",
5
- "packageVersion": "0.34.0",
5
+ "packageVersion": "0.34.2",
6
6
  "sourceManifestPath": "dist/manifest.json",
7
7
  "agentDocPath": "AGENTS.md",
8
8
  "sourceHashes": {
9
- "manifest": "566f92ad68fa0261eb5e0472f55d8563bc4e841f9148e6741c3425390b7a9904",
10
- "packageJson": "5c9d438544c86d650c93706ee64a42680600e0db8ee8a22298489951fa70755b",
9
+ "manifest": "5ec6c5f578a59aa9242b552b4f7c08de281f41660e55665eb59cf608d73ed091",
10
+ "packageJson": "58f099630bcda4cb21e71c2b128486e1063e94a995c6a4f45c0eeb16e614e50c",
11
11
  "agents": "6466580ac48829d3e51e940aaf42578919619e3a43fa7efbb741b744c80530c8"
12
12
  },
13
13
  "exports": [
package/dist/tenant-global-queries.d.ts ADDED
@@ -0,0 +1,33 @@
1
+ import { SmrtCollection } from '@happyvertical/smrt-core';
2
+ /**
3
+ * Fail closed when an active tenant context requests a different tenant's rows.
4
+ *
5
+ * @param tenantId - The tenant id the caller asked for.
6
+ * @param label - `Class.method` identifier for the error message.
7
+ * @throws {TenantIsolationError} when a non-bypass tenant context is active and
8
+ * does not match `tenantId`.
9
+ */
10
+ export declare function assertTenantReadAllowed(tenantId: string, label: string): void;
11
+ /**
12
+ * Return all global (tenant-less) rows for a tenant-scoped collection.
13
+ *
14
+ * STI child collections are auto-scoped to their own `_meta_type` (via
15
+ * `collection.getStiChildMetaType()`) so the shared table never returns sibling
16
+ * subtypes; STI base / CTI collections are not scoped.
17
+ *
18
+ * @param collection - The tenant-scoped collection to query.
19
+ */
20
+ export declare function queryGlobal<T>(collection: SmrtCollection<any>): Promise<T[]>;
21
+ /**
22
+ * Return a tenant's rows plus all global rows for a tenant-scoped collection.
23
+ *
24
+ * Fails closed (`assertTenantReadAllowed`) before issuing the bypassed query.
25
+ * STI child collections are auto-scoped to their own `_meta_type` (via
26
+ * `collection.getStiChildMetaType()`); STI base / CTI collections are not.
27
+ *
28
+ * @param collection - The tenant-scoped collection to query.
29
+ * @param tenantId - The tenant id to include alongside globals.
30
+ * @param label - `Class.method` identifier for the isolation error message.
31
+ */
32
+ export declare function queryWithGlobals<T>(collection: SmrtCollection<any>, tenantId: string, label: string): Promise<T[]>;
33
+ //# sourceMappingURL=tenant-global-queries.d.ts.map
package/dist/tenant-global-queries.d.ts.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"tenant-global-queries.d.ts","sourceRoot":"","sources":["../src/tenant-global-queries.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAC;AAO/D;;;;;;;GAOG;AACH,wBAAgB,uBAAuB,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,CAa7E;AAED;;;;;;;;GAQG;AACH,wBAAsB,WAAW,CAAC,CAAC,EACjC,UAAU,EAAE,cAAc,CAAC,GAAG,CAAC,GAC9B,OAAO,CAAC,CAAC,EAAE,CAAC,CAWd;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,gBAAgB,CAAC,CAAC,EACtC,UAAU,EAAE,cAAc,CAAC,GAAG,CAAC,EAC/B,QAAQ,EAAE,MAAM,EAChB,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,CAAC,EAAE,CAAC,CAYd"}
package/dist/testing.js CHANGED
@@ -1,5 +1,5 @@
1
- import "./chunks/context-B5CKsmMi.js";
2
- import { a, b, e, l, s, t } from "./chunks/testing-xgmq8uDP.js";
1
+ import "./chunks/context-DfTygamS.js";
2
+ import { a, b, e, l, s, t } from "./chunks/testing-DyAqaOBC.js";
3
3
  export {
4
4
  a as assertTenantContextRequired,
5
5
  b as assertTenantIsolationViolation,
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@happyvertical/smrt-tenancy",
3
- "version": "0.34.0",
3
+ "version": "0.34.2",
4
4
  "description": "Production-ready multi-tenancy framework for SMRT with automatic tenant isolation and enforcement",
5
5
  "type": "module",
6
6
  "main": "./dist/index.js",
@@ -43,9 +43,9 @@
43
43
  "@happyvertical/logger": "^0.74.7",
44
44
  "@happyvertical/sql": "^0.74.7",
45
45
  "@happyvertical/utils": "^0.74.7",
46
- "@happyvertical/smrt-core": "0.34.0",
47
- "@happyvertical/smrt-types": "0.34.0",
48
- "@happyvertical/smrt-ui": "0.34.0"
46
+ "@happyvertical/smrt-core": "0.34.2",
47
+ "@happyvertical/smrt-types": "0.34.2",
48
+ "@happyvertical/smrt-ui": "0.34.2"
49
49
  },
50
50
  "peerDependencies": {
51
51
  "svelte": "^5.46.4"
@@ -64,7 +64,7 @@
64
64
  "typescript": "^5.9.3",
65
65
  "vite": "^7.3.1",
66
66
  "vitest": "^4.0.17",
67
- "@happyvertical/smrt-vitest": "0.34.0"
67
+ "@happyvertical/smrt-vitest": "0.34.2"
68
68
  },
69
69
  "keywords": [
70
70
  "ai",