@happyvertical/smrt-tenancy 0.35.0 → 0.35.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (14) hide show
  1. package/dist/adapters/express.d.ts.map +1 -1
  2. package/dist/chunks/sveltekit-C2HTOgcm.js.map +1 -1
  3. package/dist/chunks/{testing-DyAqaOBC.js → testing-BWF_N0FL.js} +26 -15
  4. package/dist/chunks/testing-BWF_N0FL.js.map +1 -0
  5. package/dist/index.js +2 -2
  6. package/dist/index.js.map +1 -1
  7. package/dist/interceptor.d.ts.map +1 -1
  8. package/dist/manifest.json +2 -2
  9. package/dist/smrt-knowledge.json +4 -4
  10. package/dist/tenant-global-queries.d.ts +3 -3
  11. package/dist/tenant-global-queries.d.ts.map +1 -1
  12. package/dist/testing.js +1 -1
  13. package/package.json +5 -5
  14. package/dist/chunks/testing-DyAqaOBC.js.map +0 -1
package/dist/adapters/express.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"express.d.ts","sourceRoot":"","sources":["../../src/adapters/express.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAIH;;GAEG;AACH,UAAU,cAAc;IACtB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,CAAC,CAAC;IACvD,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC/B,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClC;AAED;;GAEG;AACH,UAAU,eAAe;IACvB,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,eAAe,CAAC;IACtC,IAAI,CAAC,IAAI,EAAE,OAAO,GAAG,eAAe,CAAC;IACrC,IAAI,CAAC,IAAI,EAAE,OAAO,GAAG,eAAe,CAAC;CACtC;AAED;;GAEG;AACH,KAAK,WAAW,GAAG,CAAC,KAAK,CAAC,EAAE,OAAO,KAAK,IAAI,CAAC;AAE7C;;;;;;;;;GASG;AACH,MAAM,WAAW,wBAAwB;IACvC;;OAEG;IACH,eAAe,EAAE,CACf,GAAG,EAAE,cAAc,KAChB,OAAO,CAAC,MAAM,GAAG,IAAI,GAAG,SAAS,CAAC,GAAG,MAAM,GAAG,IAAI,GAAG,SAAS,CAAC;IAEpE;;OAEG;IACH,aAAa,CAAC,EAAE,CACd,GAAG,EAAE,cAAc,KAChB,OAAO,CAAC,MAAM,GAAG,IAAI,GAAG,SAAS,CAAC,GAAG,MAAM,GAAG,IAAI,GAAG,SAAS,CAAC;IAEpE;;OAEG;IACH,kBAAkB,CAAC,EAAE,CACnB,GAAG,EAAE,cAAc,EACnB,QAAQ,EAAE,MAAM,EAChB,MAAM,CAAC,EAAE,MAAM,KACZ,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC;IAExC;;OAEG;IACH,YAAY,CAAC,EAAE,CACb,GAAG,EAAE,cAAc,EACnB,QAAQ,EAAE,MAAM,EAChB,MAAM,CAAC,EAAE,MAAM,KACZ,OAAO,CAAC,OAAO,CAAC,GAAG,OAAO,CAAC;IAEhC;;;OAGG;IACH,UAAU,CAAC,EAAE,CACX,GAAG,EAAE,cAAc,EACnB,GAAG,EAAE,eAAe,KACjB,OAAO,CAAC,OAAO,CAAC,GAAG,OAAO,CAAC;IAEhC;;OAEG;IACH,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;CACzB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmCG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,wBAAwB,IAWrE,KAAK,cAAc,EACnB,KAAK,eAAe,EACpB,MAAM,WAAW,KAChB,OAAO,CAAC,IAAI,CAAC,CA2DjB"}
1
+ {"version":3,"file":"express.d.ts","sourceRoot":"","sources":["../../src/adapters/express.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AAIH;;GAEG;AACH,UAAU,cAAc;IACtB,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,MAAM,EAAE,GAAG,SAAS,CAAC,CAAC;IACvD,GAAG,EAAE,MAAM,CAAC;IACZ,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAC/B,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;CAClC;AAYD;;GAEG;AACH,UAAU,eAAe;IACvB,MAAM,CAAC,IAAI,EAAE,MAAM,GAAG,eAAe,CAAC;IACtC,IAAI,CAAC,IAAI,EAAE,OAAO,GAAG,eAAe,CAAC;IACrC,IAAI,CAAC,IAAI,EAAE,OAAO,GAAG,eAAe,CAAC;CACtC;AAED;;GAEG;AACH,KAAK,WAAW,GAAG,CAAC,KAAK,CAAC,EAAE,OAAO,KAAK,IAAI,CAAC;AAE7C;;;;;;;;;GASG;AACH,MAAM,WAAW,wBAAwB;IACvC;;OAEG;IACH,eAAe,EAAE,CACf,GAAG,EAAE,cAAc,KAChB,OAAO,CAAC,MAAM,GAAG,IAAI,GAAG,SAAS,CAAC,GAAG,MAAM,GAAG,IAAI,GAAG,SAAS,CAAC;IAEpE;;OAEG;IACH,aAAa,CAAC,EAAE,CACd,GAAG,EAAE,cAAc,KAChB,OAAO,CAAC,MAAM,GAAG,IAAI,GAAG,SAAS,CAAC,GAAG,MAAM,GAAG,IAAI,GAAG,SAAS,CAAC;IAEpE;;OAEG;IACH,kBAAkB,CAAC,EAAE,CACnB,GAAG,EAAE,cAAc,EACnB,QAAQ,EAAE,MAAM,EAChB,MAAM,CAAC,EAAE,MAAM,KACZ,OAAO,CAAC,GAAG,CAAC,MAAM,CAAC,CAAC,GAAG,GAAG,CAAC,MAAM,CAAC,CAAC;IAExC;;OAEG;IACH,YAAY,CAAC,EAAE,CACb,GAAG,EAAE,cAAc,EACnB,QAAQ,EAAE,MAAM,EAChB,MAAM,CAAC,EAAE,MAAM,KACZ,OAAO,CAAC,OAAO,CAAC,GAAG,OAAO,CAAC;IAEhC;;;OAGG;IACH,UAAU,CAAC,EAAE,CACX,GAAG,EAAE,cAAc,EACnB,GAAG,EAAE,eAAe,KACjB,OAAO,CAAC,OAAO,CAAC,GAAG,OAAO,CAAC;IAEhC;;OAEG;IACH,YAAY,CAAC,EAAE,MAAM,EAAE,CAAC;CACzB;AAED;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmCG;AACH,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,wBAAwB,IAWrE,KAAK,cAAc,EACnB,KAAK,eAAe,EACpB,MAAM,WAAW,KAChB,OAAO,CAAC,IAAI,CAAC,CA2DjB"}
package/dist/chunks/sveltekit-C2HTOgcm.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"sveltekit-C2HTOgcm.js","sources":["../../src/adapters/cli.ts","../../src/adapters/express.ts","../../src/adapters/sveltekit.ts"],"sourcesContent":["/**\n * CLI Adapter for smrt-tenancy\n *\n * Provides utilities for setting up tenant context in CLI tools.\n *\n * @example\n * ```typescript\n * import { createCliContext } from '@happyvertical/smrt-tenancy/adapters';\n *\n * // Create context helper for CLI\n * const cliContext = createCliContext({\n * resolveTenantId: () => process.env.TENANT_ID,\n * });\n *\n * // Run command in tenant context\n * await cliContext.run(async () => {\n * await documentCollection.list({});\n * });\n * ```\n */\n\nimport {\n type TenantContextData,\n withSystemContext,\n withTenant,\n} from '../context.js';\n\n/**\n * Configuration for the CLI context runner created by `createCliContext()`.\n *\n * `resolveTenantId` is optional — when omitted (or when it returns\n * `null`/`undefined`) the `run()` method falls back to `withSystemContext()`.\n *\n * @see createCliContext\n * @see CliContextRunner\n */\nexport interface CliContextOptions {\n /**\n * Resolve tenant ID\n *\n * Common sources:\n * - Environment variable: () => process.env.TENANT_ID\n * - Command line argument: () => argv.tenant\n * - Config file: () => config.tenantId\n */\n resolveTenantId?: () =>\n | Promise<string | null | undefined>\n | string\n | null\n | undefined;\n\n /**\n * Resolve user ID (optional)\n */\n resolveUserId?: () =>\n | Promise<string | null | undefined>\n | string\n | null\n | undefined;\n\n /**\n * Default permissions for CLI operations\n */\n defaultPermissions?: Set<string>;\n\n /**\n * Run CLI as super admin by default\n * @default false\n */\n superAdminByDefault?: boolean;\n}\n\n/**\n * Context runner returned by `createCliContext()`.\n *\n * Provides four execution modes suitable for different CLI scenarios:\n * - `run()` — resolves the tenant from the configured options and runs code in\n * that context; falls back to system context if no tenant is available.\n * - `runWithTenant()` — explicitly specify a tenant ID for this invocation.\n * - `runAsSystem()` — bypass all tenant checks (migration scripts, admin tools).\n * - `runAsSuperAdmin()` — tenant context with bypass flag enabled.\n *\n * @see createCliContext\n */\nexport interface CliContextRunner {\n /**\n * Run `fn` inside the tenant context resolved from the `CliContextOptions`.\n *\n * Falls back to `withSystemContext()` when no tenant ID is available.\n *\n * @param fn - Async function to execute.\n * @returns Promise resolving to the return value of `fn`.\n */\n run<T>(fn: () => Promise<T>): Promise<T>;\n\n /**\n * Run `fn` inside the context of the specified tenant.\n *\n * @param tenantId - Tenant ID to set as context.\n * @param fn - Async function to execute.\n * @returns Promise resolving to the return value of `fn`.\n */\n runWithTenant<T>(tenantId: string, fn: () => Promise<T>): Promise<T>;\n\n /**\n * Run `fn` in system context, bypassing all tenant checks.\n *\n * @param fn - Async function to execute.\n * @returns Promise resolving to the return value of `fn`.\n */\n runAsSystem<T>(fn: () => Promise<T>): Promise<T>;\n\n /**\n * Run `fn` with a tenant context and super admin bypass enabled.\n *\n * @param tenantId - Tenant ID to set as context.\n * @param fn - Async function to execute.\n * @returns Promise resolving to the return value of `fn`.\n */\n runAsSuperAdmin<T>(tenantId: string, fn: () => Promise<T>): Promise<T>;\n}\n\n/**\n * Create a CLI context runner\n *\n * @param options - Configuration options\n * @returns CLI context runner with various execution modes\n *\n * @example\n * ```typescript\n * const cli = createCliContext({\n * resolveTenantId: () => process.env.TENANT_ID,\n * superAdminByDefault: true,\n * });\n *\n * // Use resolved tenant\n * await cli.run(async () => {\n * const docs = await collection.list({});\n * console.log(`Found ${docs.length} documents`);\n * });\n *\n * // Override tenant\n * await cli.runWithTenant('other-tenant', async () => {\n * // Operations in other-tenant context\n * });\n *\n * // System operations (no tenant)\n * await cli.runAsSystem(async () => {\n * // Can access all data\n * const allDocs = await collection.list({});\n * });\n * ```\n */\nexport function createCliContext(\n options: CliContextOptions = {},\n): CliContextRunner {\n const {\n resolveTenantId,\n resolveUserId,\n defaultPermissions = new Set<string>(),\n superAdminByDefault = false,\n } = options;\n\n return {\n async run<T>(fn: () => Promise<T>): Promise<T> {\n const tenantId = resolveTenantId ? await resolveTenantId() : null;\n\n if (!tenantId) {\n // No tenant configured - run in system context\n return withSystemContext(fn);\n }\n\n const userId = resolveUserId ? await resolveUserId() : undefined;\n\n const context: TenantContextData = {\n tenantId,\n userId: userId ?? undefined,\n permissions: defaultPermissions,\n superAdminBypass: superAdminByDefault,\n };\n\n return withTenant(context, fn);\n },\n\n async runWithTenant<T>(tenantId: string, fn: () => Promise<T>): Promise<T> {\n const userId = resolveUserId ? await resolveUserId() : undefined;\n\n const context: TenantContextData = {\n tenantId,\n userId: userId ?? undefined,\n permissions: defaultPermissions,\n superAdminBypass: superAdminByDefault,\n };\n\n return withTenant(context, fn);\n },\n\n async runAsSystem<T>(fn: () => Promise<T>): Promise<T> {\n return withSystemContext(fn);\n },\n\n async runAsSuperAdmin<T>(\n tenantId: string,\n fn: () => Promise<T>,\n ): Promise<T> {\n const userId = resolveUserId ? await resolveUserId() : undefined;\n\n const context: TenantContextData = {\n tenantId,\n userId: userId ?? undefined,\n permissions: defaultPermissions,\n superAdminBypass: true,\n };\n\n return withTenant(context, fn);\n },\n };\n}\n\n/**\n * Run an async function with a specific tenant ID set as context.\n *\n * Convenience wrapper around `withTenant()` for one-off CLI operations where\n * a full `CliContextRunner` is not needed.\n *\n * @param tenantId - Tenant ID to set as the active context.\n * @param fn - Async function to execute in the tenant context.\n * @returns Promise resolving to the return value of `fn`.\n *\n * @example\n * ```typescript\n * import { runWithTenant } from '@happyvertical/smrt-tenancy/adapters';\n *\n * await runWithTenant('tenant-123', async () => {\n * await collection.list({});\n * });\n * ```\n *\n * @see createCliContext\n * @see runAsSystem\n */\nexport async function runWithTenant<T>(\n tenantId: string,\n fn: () => Promise<T>,\n): Promise<T> {\n return withTenant({ tenantId }, fn);\n}\n\n/**\n * Run an async function in system context, bypassing all tenant checks.\n *\n * Convenience wrapper around `withSystemContext()` for one-off CLI operations\n * such as migration scripts or admin tooling that needs cross-tenant access.\n *\n * @param fn - Async function to execute in system context.\n * @returns Promise resolving to the return value of `fn`.\n *\n * @example\n * ```typescript\n * import { runAsSystem } from '@happyvertical/smrt-tenancy/adapters';\n *\n * await runAsSystem(async () => {\n * const all = await collection.list({});\n * console.log(`Total records: ${all.length}`);\n * });\n * ```\n *\n * @see runWithTenant\n * @see createCliContext\n */\nexport async function runAsSystem<T>(fn: () => Promise<T>): Promise<T> {\n return withSystemContext(fn);\n}\n","/**\n * Express Adapter for smrt-tenancy\n *\n * Provides Express middleware that sets up tenant context for each request.\n *\n * @example\n * ```typescript\n * import express from 'express';\n * import { createExpressMiddleware } from '@happyvertical/smrt-tenancy/adapters';\n *\n * const app = express();\n *\n * app.use(createExpressMiddleware({\n * resolveTenantId: (req) => req.headers['x-tenant-id'] as string,\n * }));\n * ```\n */\n\nimport { enterTenantContext, type TenantContextData } from '../context.js';\n\n/**\n * Express Request interface (minimal to avoid direct dependency)\n */\ninterface ExpressRequest {\n headers: Record<string, string | string[] | undefined>;\n url: string;\n path: string;\n query: Record<string, unknown>;\n cookies?: Record<string, string>;\n}\n\n/**\n * Express Response interface\n */\ninterface ExpressResponse {\n status(code: number): ExpressResponse;\n json(data: unknown): ExpressResponse;\n send(data: unknown): ExpressResponse;\n}\n\n/**\n * Express NextFunction\n */\ntype ExpressNext = (error?: unknown) => void;\n\n/**\n * Configuration options for the Express tenancy middleware created by\n * `createExpressMiddleware()`.\n *\n * Only `resolveTenantId` is required. All callback options receive the raw\n * Express `Request` object so you can extract tenant information from headers,\n * subdomains, cookies, or any other request property.\n *\n * @see createExpressMiddleware\n */\nexport interface ExpressMiddlewareOptions {\n /**\n * Resolve tenant ID from the request\n */\n resolveTenantId: (\n req: ExpressRequest,\n ) => Promise<string | null | undefined> | string | null | undefined;\n\n /**\n * Resolve user ID from the request (optional)\n */\n resolveUserId?: (\n req: ExpressRequest,\n ) => Promise<string | null | undefined> | string | null | undefined;\n\n /**\n * Resolve permissions (optional)\n */\n resolvePermissions?: (\n req: ExpressRequest,\n tenantId: string,\n userId?: string,\n ) => Promise<Set<string>> | Set<string>;\n\n /**\n * Check if user is super admin (optional)\n */\n isSuperAdmin?: (\n req: ExpressRequest,\n tenantId: string,\n userId?: string,\n ) => Promise<boolean> | boolean;\n\n /**\n * Called when no tenant ID could be resolved\n * Return true to continue, false to stop with 400 error.\n */\n onNoTenant?: (\n req: ExpressRequest,\n res: ExpressResponse,\n ) => Promise<boolean> | boolean;\n\n /**\n * Paths to exclude from tenant context\n */\n excludePaths?: string[];\n}\n\n/**\n * Create an Express middleware function that establishes tenant context for\n * every incoming request.\n *\n * Uses `enterTenantContext()` (rather than `withTenant()`) because Express\n * middleware returns before route handlers execute. `enterWith()` sets the\n * context on the current async resource so it propagates to handlers that run\n * after `next()` is called.\n *\n * The resolved context is also attached directly to the request object for\n * convenience:\n * - `req.tenantContext` — full `TenantContextData`\n * - `req.tenantId` — string tenant ID shortcut\n *\n * When no tenant ID can be resolved, the default behaviour returns a `400`\n * JSON response. Customise this with the `onNoTenant` option.\n *\n * @param options - Middleware configuration including the required\n * `resolveTenantId` callback.\n * @returns An Express-compatible middleware function `(req, res, next) => void`.\n *\n * @example\n * ```typescript\n * import express from 'express';\n * import { createExpressMiddleware } from '@happyvertical/smrt-tenancy/adapters';\n *\n * const app = express();\n * app.use(createExpressMiddleware({\n * resolveTenantId: (req) => req.headers['x-tenant-id'] as string,\n * excludePaths: ['/health', '/public/*'],\n * }));\n * ```\n *\n * @see ExpressMiddlewareOptions\n * @see createSvelteKitHandle\n */\nexport function createExpressMiddleware(options: ExpressMiddlewareOptions) {\n const {\n resolveTenantId,\n resolveUserId,\n resolvePermissions,\n isSuperAdmin,\n onNoTenant,\n excludePaths = [],\n } = options;\n\n return async function tenancyMiddleware(\n req: ExpressRequest,\n res: ExpressResponse,\n next: ExpressNext,\n ): Promise<void> {\n try {\n // Check excluded paths\n if (excludePaths.some((pattern) => matchPath(req.path, pattern))) {\n next();\n return;\n }\n\n // Resolve tenant ID\n const tenantId = await resolveTenantId(req);\n\n if (!tenantId) {\n if (onNoTenant) {\n const shouldContinue = await onNoTenant(req, res);\n if (shouldContinue) {\n next();\n return;\n }\n } else {\n res.status(400).json({\n error: 'Tenant ID required',\n message:\n 'Please provide a tenant ID via header, subdomain, or query parameter.',\n });\n return;\n }\n return;\n }\n\n // Resolve optional context\n const userId = resolveUserId ? await resolveUserId(req) : undefined;\n const permissions = resolvePermissions\n ? await resolvePermissions(req, tenantId, userId ?? undefined)\n : new Set<string>();\n const superAdminBypass = isSuperAdmin\n ? await isSuperAdmin(req, tenantId, userId ?? undefined)\n : false;\n\n // Build context\n const context: TenantContextData = {\n tenantId,\n userId: userId ?? undefined,\n permissions,\n superAdminBypass,\n };\n\n // Attach to request for access in route handlers\n (req as any).tenantContext = context;\n (req as any).tenantId = tenantId;\n\n // Use enterWith() to establish context that persists for the entire\n // request lifecycle. This ensures route handlers have access to\n // tenant context via AsyncLocalStorage.\n enterTenantContext(context);\n next();\n } catch (error) {\n next(error);\n }\n };\n}\n\n/**\n * Simple glob pattern matching for paths\n */\nfunction matchPath(path: string, pattern: string): boolean {\n const regexPattern = pattern\n .replace(/\\*/g, '.*')\n .replace(/\\//g, '\\\\/')\n .replace(/\\?/g, '.');\n\n return new RegExp(`^${regexPattern}$`).test(path);\n}\n","/**\n * SvelteKit Adapter for smrt-tenancy\n *\n * Provides a SvelteKit Handle that sets up tenant context for each request.\n *\n * @example\n * ```typescript\n * // hooks.server.ts\n * import { createSvelteKitHandle } from '@happyvertical/smrt-tenancy/adapters';\n *\n * export const handle = createSvelteKitHandle({\n * resolveTenantId: async (event) => {\n * // From subdomain\n * const host = event.request.headers.get('host');\n * const subdomain = host?.split('.')[0];\n * return subdomain;\n *\n * // Or from header\n * // return event.request.headers.get('x-tenant-id');\n *\n * // Or from cookie\n * // return event.cookies.get('tenant_id');\n * }\n * });\n * ```\n */\n\nimport { type TenantContextData, withTenant } from '../context.js';\n\n/**\n * SvelteKit RequestEvent (minimal interface to avoid direct dependency)\n */\ninterface SvelteKitEvent {\n request: Request;\n url: URL;\n cookies: {\n get(name: string): string | undefined;\n set(name: string, value: string, opts?: unknown): void;\n };\n locals: Record<string, unknown>;\n}\n\n/**\n * SvelteKit resolve function\n */\ntype SvelteKitResolve = (event: SvelteKitEvent) => Promise<Response>;\n\n/**\n * Configuration options for the SvelteKit tenancy handle created by\n * `createSvelteKitHandle()`.\n *\n * Only `resolveTenantId` is required; all other fields are optional callbacks\n * used to enrich the context or customise missing-tenant behaviour.\n *\n * @see createSvelteKitHandle\n */\nexport interface SvelteKitHandleOptions {\n /**\n * Resolve tenant ID from the request\n *\n * Return the tenant ID string, or null/undefined if no tenant context should be set.\n */\n resolveTenantId: (\n event: SvelteKitEvent,\n ) => Promise<string | null | undefined> | string | null | undefined;\n\n /**\n * Resolve user ID from the request (optional)\n */\n resolveUserId?: (\n event: SvelteKitEvent,\n ) => Promise<string | null | undefined> | string | null | undefined;\n\n /**\n * Resolve permissions for the user in this tenant (optional)\n */\n resolvePermissions?: (\n event: SvelteKitEvent,\n tenantId: string,\n userId?: string,\n ) => Promise<Set<string>> | Set<string>;\n\n /**\n * Check if user is a super admin (optional)\n * If true and super admin bypass is enabled on the class, tenant filtering is skipped.\n */\n isSuperAdmin?: (\n event: SvelteKitEvent,\n tenantId: string,\n userId?: string,\n ) => Promise<boolean> | boolean;\n\n /**\n * Called when no tenant ID could be resolved\n * Return a Response to short-circuit, or undefined to continue without tenant context.\n */\n onNoTenant?: (\n event: SvelteKitEvent,\n ) => Promise<Response | undefined> | Response | undefined;\n\n /**\n * Paths to exclude from tenant context (e.g., public APIs, health checks)\n * Supports glob patterns.\n */\n excludePaths?: string[];\n}\n\n/**\n * Create a SvelteKit `Handle` function that establishes tenant context for\n * every server-side request.\n *\n * The returned handle wraps the `resolve` call in `withTenant()` so that all\n * server-side load functions, API routes, and `+server.ts` handlers within the\n * request share the same tenant context via `AsyncLocalStorage`.\n *\n * The resolved context is also stored in `event.locals` under two keys:\n * - `event.locals.tenantContext` — full `TenantContextData`\n * - `event.locals.tenantId` — string tenant ID shortcut\n *\n * When no tenant ID can be resolved (and no custom `onNoTenant` handler\n * returns a `Response`), the request continues without any tenant context.\n *\n * @param options - Configuration options including the required\n * `resolveTenantId` callback.\n * @returns A SvelteKit `Handle` function suitable for use in `hooks.server.ts`.\n *\n * @example\n * ```typescript\n * // src/hooks.server.ts\n * import { createSvelteKitHandle } from '@happyvertical/smrt-tenancy/adapters';\n *\n * export const handle = createSvelteKitHandle({\n * resolveTenantId: (event) =>\n * event.request.headers.get('x-tenant-id'),\n * onNoTenant: () =>\n * new Response('Tenant required', { status: 400 }),\n * });\n * ```\n *\n * @see SvelteKitHandleOptions\n * @see createExpressMiddleware\n */\nexport function createSvelteKitHandle(options: SvelteKitHandleOptions) {\n const {\n resolveTenantId,\n resolveUserId,\n resolvePermissions,\n isSuperAdmin,\n onNoTenant,\n excludePaths = [],\n } = options;\n\n return async function handle({\n event,\n resolve,\n }: {\n event: SvelteKitEvent;\n resolve: SvelteKitResolve;\n }): Promise<Response> {\n // Check excluded paths\n const path = event.url.pathname;\n if (excludePaths.some((pattern) => matchPath(path, pattern))) {\n return resolve(event);\n }\n\n // Resolve tenant ID\n const tenantId = await resolveTenantId(event);\n\n if (!tenantId) {\n // No tenant ID - call handler or continue without context\n if (onNoTenant) {\n const response = await onNoTenant(event);\n if (response) {\n return response;\n }\n }\n return resolve(event);\n }\n\n // Resolve optional context data\n const userId = resolveUserId ? await resolveUserId(event) : undefined;\n const permissions = resolvePermissions\n ? await resolvePermissions(event, tenantId, userId ?? undefined)\n : new Set<string>();\n const superAdminBypass = isSuperAdmin\n ? await isSuperAdmin(event, tenantId, userId ?? undefined)\n : false;\n\n // Build context\n const context: TenantContextData = {\n tenantId,\n userId: userId ?? undefined,\n permissions,\n superAdminBypass,\n };\n\n // Store in locals for access in load functions\n event.locals.tenantContext = context;\n event.locals.tenantId = tenantId;\n\n // Run request in tenant context\n return withTenant(context, () => resolve(event));\n };\n}\n\n/**\n * Simple glob pattern matching for paths\n */\nfunction matchPath(path: string, pattern: string): boolean {\n // Convert glob to regex\n const regexPattern = pattern\n .replace(/\\*/g, '.*')\n .replace(/\\//g, '\\\\/')\n .replace(/\\?/g, '.');\n\n return new RegExp(`^${regexPattern}$`).test(path);\n}\n"],"names":["matchPath"],"mappings":";AAyJO,SAAS,iBACd,UAA6B,IACX;AAClB,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA,yCAAyB,IAAA;AAAA,IACzB,sBAAsB;AAAA,EAAA,IACpB;AAEJ,SAAO;AAAA,IACL,MAAM,IAAO,IAAkC;AAC7C,YAAM,WAAW,kBAAkB,MAAM,gBAAA,IAAoB;AAE7D,UAAI,CAAC,UAAU;AAEb,eAAO,kBAAkB,EAAE;AAAA,MAC7B;AAEA,YAAM,SAAS,gBAAgB,MAAM,cAAA,IAAkB;AAEvD,YAAM,UAA6B;AAAA,QACjC;AAAA,QACA,QAAQ,UAAU;AAAA,QAClB,aAAa;AAAA,QACb,kBAAkB;AAAA,MAAA;AAGpB,aAAO,WAAW,SAAS,EAAE;AAAA,IAC/B;AAAA,IAEA,MAAM,cAAiB,UAAkB,IAAkC;AACzE,YAAM,SAAS,gBAAgB,MAAM,cAAA,IAAkB;AAEvD,YAAM,UAA6B;AAAA,QACjC;AAAA,QACA,QAAQ,UAAU;AAAA,QAClB,aAAa;AAAA,QACb,kBAAkB;AAAA,MAAA;AAGpB,aAAO,WAAW,SAAS,EAAE;AAAA,IAC/B;AAAA,IAEA,MAAM,YAAe,IAAkC;AACrD,aAAO,kBAAkB,EAAE;AAAA,IAC7B;AAAA,IAEA,MAAM,gBACJ,UACA,IACY;AACZ,YAAM,SAAS,gBAAgB,MAAM,cAAA,IAAkB;AAEvD,YAAM,UAA6B;AAAA,QACjC;AAAA,QACA,QAAQ,UAAU;AAAA,QAClB,aAAa;AAAA,QACb,kBAAkB;AAAA,MAAA;AAGpB,aAAO,WAAW,SAAS,EAAE;AAAA,IAC/B;AAAA,EAAA;AAEJ;AC9EO,SAAS,wBAAwB,SAAmC;AACzE,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,eAAe,CAAA;AAAA,EAAC,IACd;AAEJ,SAAO,eAAe,kBACpB,KACA,KACA,MACe;AACf,QAAI;AAEF,UAAI,aAAa,KAAK,CAAC,YAAYA,YAAU,IAAI,MAAM,OAAO,CAAC,GAAG;AAChE,aAAA;AACA;AAAA,MACF;AAGA,YAAM,WAAW,MAAM,gBAAgB,GAAG;AAE1C,UAAI,CAAC,UAAU;AACb,YAAI,YAAY;AACd,gBAAM,iBAAiB,MAAM,WAAW,KAAK,GAAG;AAChD,cAAI,gBAAgB;AAClB,iBAAA;AACA;AAAA,UACF;AAAA,QACF,OAAO;AACL,cAAI,OAAO,GAAG,EAAE,KAAK;AAAA,YACnB,OAAO;AAAA,YACP,SACE;AAAA,UAAA,CACH;AACD;AAAA,QACF;AACA;AAAA,MACF;AAGA,YAAM,SAAS,gBAAgB,MAAM,cAAc,GAAG,IAAI;AAC1D,YAAM,cAAc,qBAChB,MAAM,mBAAmB,KAAK,UAAU,UAAU,MAAS,IAC3D,oBAAI,IAAA;AACR,YAAM,mBAAmB,eACrB,MAAM,aAAa,KAAK,UAAU,UAAU,MAAS,IACrD;AAGJ,YAAM,UAA6B;AAAA,QACjC;AAAA,QACA,QAAQ,UAAU;AAAA,QAClB;AAAA,QACA;AAAA,MAAA;AAID,UAAY,gBAAgB;AAC5B,UAAY,WAAW;AAKxB,yBAAmB,OAAO;AAC1B,WAAA;AAAA,IACF,SAAS,OAAO;AACd,WAAK,KAAK;AAAA,IACZ;AAAA,EACF;AACF;AAKA,SAASA,YAAU,MAAc,SAA0B;AACzD,QAAM,eAAe,QAClB,QAAQ,OAAO,IAAI,EACnB,QAAQ,OAAO,KAAK,EACpB,QAAQ,OAAO,GAAG;AAErB,SAAO,IAAI,OAAO,IAAI,YAAY,GAAG,EAAE,KAAK,IAAI;AAClD;AClFO,SAAS,sBAAsB,SAAiC;AACrE,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,eAAe,CAAA;AAAA,EAAC,IACd;AAEJ,SAAO,eAAe,OAAO;AAAA,IAC3B;AAAA,IACA;AAAA,EAAA,GAIoB;AAEpB,UAAM,OAAO,MAAM,IAAI;AACvB,QAAI,aAAa,KAAK,CAAC,YAAY,UAAU,MAAM,OAAO,CAAC,GAAG;AAC5D,aAAO,QAAQ,KAAK;AAAA,IACtB;AAGA,UAAM,WAAW,MAAM,gBAAgB,KAAK;AAE5C,QAAI,CAAC,UAAU;AAEb,UAAI,YAAY;AACd,cAAM,WAAW,MAAM,WAAW,KAAK;AACvC,YAAI,UAAU;AACZ,iBAAO;AAAA,QACT;AAAA,MACF;AACA,aAAO,QAAQ,KAAK;AAAA,IACtB;AAGA,UAAM,SAAS,gBAAgB,MAAM,cAAc,KAAK,IAAI;AAC5D,UAAM,cAAc,qBAChB,MAAM,mBAAmB,OAAO,UAAU,UAAU,MAAS,IAC7D,oBAAI,IAAA;AACR,UAAM,mBAAmB,eACrB,MAAM,aAAa,OAAO,UAAU,UAAU,MAAS,IACvD;AAGJ,UAAM,UAA6B;AAAA,MACjC;AAAA,MACA,QAAQ,UAAU;AAAA,MAClB;AAAA,MACA;AAAA,IAAA;AAIF,UAAM,OAAO,gBAAgB;AAC7B,UAAM,OAAO,WAAW;AAGxB,WAAO,WAAW,SAAS,MAAM,QAAQ,KAAK,CAAC;AAAA,EACjD;AACF;AAKA,SAAS,UAAU,MAAc,SAA0B;AAEzD,QAAM,eAAe,QAClB,QAAQ,OAAO,IAAI,EACnB,QAAQ,OAAO,KAAK,EACpB,QAAQ,OAAO,GAAG;AAErB,SAAO,IAAI,OAAO,IAAI,YAAY,GAAG,EAAE,KAAK,IAAI;AAClD;"}
1
+ {"version":3,"file":"sveltekit-C2HTOgcm.js","sources":["../../src/adapters/cli.ts","../../src/adapters/express.ts","../../src/adapters/sveltekit.ts"],"sourcesContent":["/**\n * CLI Adapter for smrt-tenancy\n *\n * Provides utilities for setting up tenant context in CLI tools.\n *\n * @example\n * ```typescript\n * import { createCliContext } from '@happyvertical/smrt-tenancy/adapters';\n *\n * // Create context helper for CLI\n * const cliContext = createCliContext({\n * resolveTenantId: () => process.env.TENANT_ID,\n * });\n *\n * // Run command in tenant context\n * await cliContext.run(async () => {\n * await documentCollection.list({});\n * });\n * ```\n */\n\nimport {\n type TenantContextData,\n withSystemContext,\n withTenant,\n} from '../context.js';\n\n/**\n * Configuration for the CLI context runner created by `createCliContext()`.\n *\n * `resolveTenantId` is optional — when omitted (or when it returns\n * `null`/`undefined`) the `run()` method falls back to `withSystemContext()`.\n *\n * @see createCliContext\n * @see CliContextRunner\n */\nexport interface CliContextOptions {\n /**\n * Resolve tenant ID\n *\n * Common sources:\n * - Environment variable: () => process.env.TENANT_ID\n * - Command line argument: () => argv.tenant\n * - Config file: () => config.tenantId\n */\n resolveTenantId?: () =>\n | Promise<string | null | undefined>\n | string\n | null\n | undefined;\n\n /**\n * Resolve user ID (optional)\n */\n resolveUserId?: () =>\n | Promise<string | null | undefined>\n | string\n | null\n | undefined;\n\n /**\n * Default permissions for CLI operations\n */\n defaultPermissions?: Set<string>;\n\n /**\n * Run CLI as super admin by default\n * @default false\n */\n superAdminByDefault?: boolean;\n}\n\n/**\n * Context runner returned by `createCliContext()`.\n *\n * Provides four execution modes suitable for different CLI scenarios:\n * - `run()` — resolves the tenant from the configured options and runs code in\n * that context; falls back to system context if no tenant is available.\n * - `runWithTenant()` — explicitly specify a tenant ID for this invocation.\n * - `runAsSystem()` — bypass all tenant checks (migration scripts, admin tools).\n * - `runAsSuperAdmin()` — tenant context with bypass flag enabled.\n *\n * @see createCliContext\n */\nexport interface CliContextRunner {\n /**\n * Run `fn` inside the tenant context resolved from the `CliContextOptions`.\n *\n * Falls back to `withSystemContext()` when no tenant ID is available.\n *\n * @param fn - Async function to execute.\n * @returns Promise resolving to the return value of `fn`.\n */\n run<T>(fn: () => Promise<T>): Promise<T>;\n\n /**\n * Run `fn` inside the context of the specified tenant.\n *\n * @param tenantId - Tenant ID to set as context.\n * @param fn - Async function to execute.\n * @returns Promise resolving to the return value of `fn`.\n */\n runWithTenant<T>(tenantId: string, fn: () => Promise<T>): Promise<T>;\n\n /**\n * Run `fn` in system context, bypassing all tenant checks.\n *\n * @param fn - Async function to execute.\n * @returns Promise resolving to the return value of `fn`.\n */\n runAsSystem<T>(fn: () => Promise<T>): Promise<T>;\n\n /**\n * Run `fn` with a tenant context and super admin bypass enabled.\n *\n * @param tenantId - Tenant ID to set as context.\n * @param fn - Async function to execute.\n * @returns Promise resolving to the return value of `fn`.\n */\n runAsSuperAdmin<T>(tenantId: string, fn: () => Promise<T>): Promise<T>;\n}\n\n/**\n * Create a CLI context runner\n *\n * @param options - Configuration options\n * @returns CLI context runner with various execution modes\n *\n * @example\n * ```typescript\n * const cli = createCliContext({\n * resolveTenantId: () => process.env.TENANT_ID,\n * superAdminByDefault: true,\n * });\n *\n * // Use resolved tenant\n * await cli.run(async () => {\n * const docs = await collection.list({});\n * console.log(`Found ${docs.length} documents`);\n * });\n *\n * // Override tenant\n * await cli.runWithTenant('other-tenant', async () => {\n * // Operations in other-tenant context\n * });\n *\n * // System operations (no tenant)\n * await cli.runAsSystem(async () => {\n * // Can access all data\n * const allDocs = await collection.list({});\n * });\n * ```\n */\nexport function createCliContext(\n options: CliContextOptions = {},\n): CliContextRunner {\n const {\n resolveTenantId,\n resolveUserId,\n defaultPermissions = new Set<string>(),\n superAdminByDefault = false,\n } = options;\n\n return {\n async run<T>(fn: () => Promise<T>): Promise<T> {\n const tenantId = resolveTenantId ? await resolveTenantId() : null;\n\n if (!tenantId) {\n // No tenant configured - run in system context\n return withSystemContext(fn);\n }\n\n const userId = resolveUserId ? await resolveUserId() : undefined;\n\n const context: TenantContextData = {\n tenantId,\n userId: userId ?? undefined,\n permissions: defaultPermissions,\n superAdminBypass: superAdminByDefault,\n };\n\n return withTenant(context, fn);\n },\n\n async runWithTenant<T>(tenantId: string, fn: () => Promise<T>): Promise<T> {\n const userId = resolveUserId ? await resolveUserId() : undefined;\n\n const context: TenantContextData = {\n tenantId,\n userId: userId ?? undefined,\n permissions: defaultPermissions,\n superAdminBypass: superAdminByDefault,\n };\n\n return withTenant(context, fn);\n },\n\n async runAsSystem<T>(fn: () => Promise<T>): Promise<T> {\n return withSystemContext(fn);\n },\n\n async runAsSuperAdmin<T>(\n tenantId: string,\n fn: () => Promise<T>,\n ): Promise<T> {\n const userId = resolveUserId ? await resolveUserId() : undefined;\n\n const context: TenantContextData = {\n tenantId,\n userId: userId ?? undefined,\n permissions: defaultPermissions,\n superAdminBypass: true,\n };\n\n return withTenant(context, fn);\n },\n };\n}\n\n/**\n * Run an async function with a specific tenant ID set as context.\n *\n * Convenience wrapper around `withTenant()` for one-off CLI operations where\n * a full `CliContextRunner` is not needed.\n *\n * @param tenantId - Tenant ID to set as the active context.\n * @param fn - Async function to execute in the tenant context.\n * @returns Promise resolving to the return value of `fn`.\n *\n * @example\n * ```typescript\n * import { runWithTenant } from '@happyvertical/smrt-tenancy/adapters';\n *\n * await runWithTenant('tenant-123', async () => {\n * await collection.list({});\n * });\n * ```\n *\n * @see createCliContext\n * @see runAsSystem\n */\nexport async function runWithTenant<T>(\n tenantId: string,\n fn: () => Promise<T>,\n): Promise<T> {\n return withTenant({ tenantId }, fn);\n}\n\n/**\n * Run an async function in system context, bypassing all tenant checks.\n *\n * Convenience wrapper around `withSystemContext()` for one-off CLI operations\n * such as migration scripts or admin tooling that needs cross-tenant access.\n *\n * @param fn - Async function to execute in system context.\n * @returns Promise resolving to the return value of `fn`.\n *\n * @example\n * ```typescript\n * import { runAsSystem } from '@happyvertical/smrt-tenancy/adapters';\n *\n * await runAsSystem(async () => {\n * const all = await collection.list({});\n * console.log(`Total records: ${all.length}`);\n * });\n * ```\n *\n * @see runWithTenant\n * @see createCliContext\n */\nexport async function runAsSystem<T>(fn: () => Promise<T>): Promise<T> {\n return withSystemContext(fn);\n}\n","/**\n * Express Adapter for smrt-tenancy\n *\n * Provides Express middleware that sets up tenant context for each request.\n *\n * @example\n * ```typescript\n * import express from 'express';\n * import { createExpressMiddleware } from '@happyvertical/smrt-tenancy/adapters';\n *\n * const app = express();\n *\n * app.use(createExpressMiddleware({\n * resolveTenantId: (req) => req.headers['x-tenant-id'] as string,\n * }));\n * ```\n */\n\nimport { enterTenantContext, type TenantContextData } from '../context.js';\n\n/**\n * Express Request interface (minimal to avoid direct dependency)\n */\ninterface ExpressRequest {\n headers: Record<string, string | string[] | undefined>;\n url: string;\n path: string;\n query: Record<string, unknown>;\n cookies?: Record<string, string>;\n}\n\n/**\n * Request object after the tenancy middleware has attached the resolved tenant\n * context. The middleware sets these properties so downstream route handlers can\n * read the tenant directly off the request.\n */\ninterface TenantAwareExpressRequest extends ExpressRequest {\n tenantContext?: TenantContextData;\n tenantId?: string;\n}\n\n/**\n * Express Response interface\n */\ninterface ExpressResponse {\n status(code: number): ExpressResponse;\n json(data: unknown): ExpressResponse;\n send(data: unknown): ExpressResponse;\n}\n\n/**\n * Express NextFunction\n */\ntype ExpressNext = (error?: unknown) => void;\n\n/**\n * Configuration options for the Express tenancy middleware created by\n * `createExpressMiddleware()`.\n *\n * Only `resolveTenantId` is required. All callback options receive the raw\n * Express `Request` object so you can extract tenant information from headers,\n * subdomains, cookies, or any other request property.\n *\n * @see createExpressMiddleware\n */\nexport interface ExpressMiddlewareOptions {\n /**\n * Resolve tenant ID from the request\n */\n resolveTenantId: (\n req: ExpressRequest,\n ) => Promise<string | null | undefined> | string | null | undefined;\n\n /**\n * Resolve user ID from the request (optional)\n */\n resolveUserId?: (\n req: ExpressRequest,\n ) => Promise<string | null | undefined> | string | null | undefined;\n\n /**\n * Resolve permissions (optional)\n */\n resolvePermissions?: (\n req: ExpressRequest,\n tenantId: string,\n userId?: string,\n ) => Promise<Set<string>> | Set<string>;\n\n /**\n * Check if user is super admin (optional)\n */\n isSuperAdmin?: (\n req: ExpressRequest,\n tenantId: string,\n userId?: string,\n ) => Promise<boolean> | boolean;\n\n /**\n * Called when no tenant ID could be resolved\n * Return true to continue, false to stop with 400 error.\n */\n onNoTenant?: (\n req: ExpressRequest,\n res: ExpressResponse,\n ) => Promise<boolean> | boolean;\n\n /**\n * Paths to exclude from tenant context\n */\n excludePaths?: string[];\n}\n\n/**\n * Create an Express middleware function that establishes tenant context for\n * every incoming request.\n *\n * Uses `enterTenantContext()` (rather than `withTenant()`) because Express\n * middleware returns before route handlers execute. `enterWith()` sets the\n * context on the current async resource so it propagates to handlers that run\n * after `next()` is called.\n *\n * The resolved context is also attached directly to the request object for\n * convenience:\n * - `req.tenantContext` — full `TenantContextData`\n * - `req.tenantId` — string tenant ID shortcut\n *\n * When no tenant ID can be resolved, the default behaviour returns a `400`\n * JSON response. Customise this with the `onNoTenant` option.\n *\n * @param options - Middleware configuration including the required\n * `resolveTenantId` callback.\n * @returns An Express-compatible middleware function `(req, res, next) => void`.\n *\n * @example\n * ```typescript\n * import express from 'express';\n * import { createExpressMiddleware } from '@happyvertical/smrt-tenancy/adapters';\n *\n * const app = express();\n * app.use(createExpressMiddleware({\n * resolveTenantId: (req) => req.headers['x-tenant-id'] as string,\n * excludePaths: ['/health', '/public/*'],\n * }));\n * ```\n *\n * @see ExpressMiddlewareOptions\n * @see createSvelteKitHandle\n */\nexport function createExpressMiddleware(options: ExpressMiddlewareOptions) {\n const {\n resolveTenantId,\n resolveUserId,\n resolvePermissions,\n isSuperAdmin,\n onNoTenant,\n excludePaths = [],\n } = options;\n\n return async function tenancyMiddleware(\n req: ExpressRequest,\n res: ExpressResponse,\n next: ExpressNext,\n ): Promise<void> {\n try {\n // Check excluded paths\n if (excludePaths.some((pattern) => matchPath(req.path, pattern))) {\n next();\n return;\n }\n\n // Resolve tenant ID\n const tenantId = await resolveTenantId(req);\n\n if (!tenantId) {\n if (onNoTenant) {\n const shouldContinue = await onNoTenant(req, res);\n if (shouldContinue) {\n next();\n return;\n }\n } else {\n res.status(400).json({\n error: 'Tenant ID required',\n message:\n 'Please provide a tenant ID via header, subdomain, or query parameter.',\n });\n return;\n }\n return;\n }\n\n // Resolve optional context\n const userId = resolveUserId ? await resolveUserId(req) : undefined;\n const permissions = resolvePermissions\n ? await resolvePermissions(req, tenantId, userId ?? undefined)\n : new Set<string>();\n const superAdminBypass = isSuperAdmin\n ? await isSuperAdmin(req, tenantId, userId ?? undefined)\n : false;\n\n // Build context\n const context: TenantContextData = {\n tenantId,\n userId: userId ?? undefined,\n permissions,\n superAdminBypass,\n };\n\n // Attach to request for access in route handlers\n (req as TenantAwareExpressRequest).tenantContext = context;\n (req as TenantAwareExpressRequest).tenantId = tenantId;\n\n // Use enterWith() to establish context that persists for the entire\n // request lifecycle. This ensures route handlers have access to\n // tenant context via AsyncLocalStorage.\n enterTenantContext(context);\n next();\n } catch (error) {\n next(error);\n }\n };\n}\n\n/**\n * Simple glob pattern matching for paths\n */\nfunction matchPath(path: string, pattern: string): boolean {\n const regexPattern = pattern\n .replace(/\\*/g, '.*')\n .replace(/\\//g, '\\\\/')\n .replace(/\\?/g, '.');\n\n return new RegExp(`^${regexPattern}$`).test(path);\n}\n","/**\n * SvelteKit Adapter for smrt-tenancy\n *\n * Provides a SvelteKit Handle that sets up tenant context for each request.\n *\n * @example\n * ```typescript\n * // hooks.server.ts\n * import { createSvelteKitHandle } from '@happyvertical/smrt-tenancy/adapters';\n *\n * export const handle = createSvelteKitHandle({\n * resolveTenantId: async (event) => {\n * // From subdomain\n * const host = event.request.headers.get('host');\n * const subdomain = host?.split('.')[0];\n * return subdomain;\n *\n * // Or from header\n * // return event.request.headers.get('x-tenant-id');\n *\n * // Or from cookie\n * // return event.cookies.get('tenant_id');\n * }\n * });\n * ```\n */\n\nimport { type TenantContextData, withTenant } from '../context.js';\n\n/**\n * SvelteKit RequestEvent (minimal interface to avoid direct dependency)\n */\ninterface SvelteKitEvent {\n request: Request;\n url: URL;\n cookies: {\n get(name: string): string | undefined;\n set(name: string, value: string, opts?: unknown): void;\n };\n locals: Record<string, unknown>;\n}\n\n/**\n * SvelteKit resolve function\n */\ntype SvelteKitResolve = (event: SvelteKitEvent) => Promise<Response>;\n\n/**\n * Configuration options for the SvelteKit tenancy handle created by\n * `createSvelteKitHandle()`.\n *\n * Only `resolveTenantId` is required; all other fields are optional callbacks\n * used to enrich the context or customise missing-tenant behaviour.\n *\n * @see createSvelteKitHandle\n */\nexport interface SvelteKitHandleOptions {\n /**\n * Resolve tenant ID from the request\n *\n * Return the tenant ID string, or null/undefined if no tenant context should be set.\n */\n resolveTenantId: (\n event: SvelteKitEvent,\n ) => Promise<string | null | undefined> | string | null | undefined;\n\n /**\n * Resolve user ID from the request (optional)\n */\n resolveUserId?: (\n event: SvelteKitEvent,\n ) => Promise<string | null | undefined> | string | null | undefined;\n\n /**\n * Resolve permissions for the user in this tenant (optional)\n */\n resolvePermissions?: (\n event: SvelteKitEvent,\n tenantId: string,\n userId?: string,\n ) => Promise<Set<string>> | Set<string>;\n\n /**\n * Check if user is a super admin (optional)\n * If true and super admin bypass is enabled on the class, tenant filtering is skipped.\n */\n isSuperAdmin?: (\n event: SvelteKitEvent,\n tenantId: string,\n userId?: string,\n ) => Promise<boolean> | boolean;\n\n /**\n * Called when no tenant ID could be resolved\n * Return a Response to short-circuit, or undefined to continue without tenant context.\n */\n onNoTenant?: (\n event: SvelteKitEvent,\n ) => Promise<Response | undefined> | Response | undefined;\n\n /**\n * Paths to exclude from tenant context (e.g., public APIs, health checks)\n * Supports glob patterns.\n */\n excludePaths?: string[];\n}\n\n/**\n * Create a SvelteKit `Handle` function that establishes tenant context for\n * every server-side request.\n *\n * The returned handle wraps the `resolve` call in `withTenant()` so that all\n * server-side load functions, API routes, and `+server.ts` handlers within the\n * request share the same tenant context via `AsyncLocalStorage`.\n *\n * The resolved context is also stored in `event.locals` under two keys:\n * - `event.locals.tenantContext` — full `TenantContextData`\n * - `event.locals.tenantId` — string tenant ID shortcut\n *\n * When no tenant ID can be resolved (and no custom `onNoTenant` handler\n * returns a `Response`), the request continues without any tenant context.\n *\n * @param options - Configuration options including the required\n * `resolveTenantId` callback.\n * @returns A SvelteKit `Handle` function suitable for use in `hooks.server.ts`.\n *\n * @example\n * ```typescript\n * // src/hooks.server.ts\n * import { createSvelteKitHandle } from '@happyvertical/smrt-tenancy/adapters';\n *\n * export const handle = createSvelteKitHandle({\n * resolveTenantId: (event) =>\n * event.request.headers.get('x-tenant-id'),\n * onNoTenant: () =>\n * new Response('Tenant required', { status: 400 }),\n * });\n * ```\n *\n * @see SvelteKitHandleOptions\n * @see createExpressMiddleware\n */\nexport function createSvelteKitHandle(options: SvelteKitHandleOptions) {\n const {\n resolveTenantId,\n resolveUserId,\n resolvePermissions,\n isSuperAdmin,\n onNoTenant,\n excludePaths = [],\n } = options;\n\n return async function handle({\n event,\n resolve,\n }: {\n event: SvelteKitEvent;\n resolve: SvelteKitResolve;\n }): Promise<Response> {\n // Check excluded paths\n const path = event.url.pathname;\n if (excludePaths.some((pattern) => matchPath(path, pattern))) {\n return resolve(event);\n }\n\n // Resolve tenant ID\n const tenantId = await resolveTenantId(event);\n\n if (!tenantId) {\n // No tenant ID - call handler or continue without context\n if (onNoTenant) {\n const response = await onNoTenant(event);\n if (response) {\n return response;\n }\n }\n return resolve(event);\n }\n\n // Resolve optional context data\n const userId = resolveUserId ? await resolveUserId(event) : undefined;\n const permissions = resolvePermissions\n ? await resolvePermissions(event, tenantId, userId ?? undefined)\n : new Set<string>();\n const superAdminBypass = isSuperAdmin\n ? await isSuperAdmin(event, tenantId, userId ?? undefined)\n : false;\n\n // Build context\n const context: TenantContextData = {\n tenantId,\n userId: userId ?? undefined,\n permissions,\n superAdminBypass,\n };\n\n // Store in locals for access in load functions\n event.locals.tenantContext = context;\n event.locals.tenantId = tenantId;\n\n // Run request in tenant context\n return withTenant(context, () => resolve(event));\n };\n}\n\n/**\n * Simple glob pattern matching for paths\n */\nfunction matchPath(path: string, pattern: string): boolean {\n // Convert glob to regex\n const regexPattern = pattern\n .replace(/\\*/g, '.*')\n .replace(/\\//g, '\\\\/')\n .replace(/\\?/g, '.');\n\n return new RegExp(`^${regexPattern}$`).test(path);\n}\n"],"names":["matchPath"],"mappings":";AAyJO,SAAS,iBACd,UAA6B,IACX;AAClB,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA,yCAAyB,IAAA;AAAA,IACzB,sBAAsB;AAAA,EAAA,IACpB;AAEJ,SAAO;AAAA,IACL,MAAM,IAAO,IAAkC;AAC7C,YAAM,WAAW,kBAAkB,MAAM,gBAAA,IAAoB;AAE7D,UAAI,CAAC,UAAU;AAEb,eAAO,kBAAkB,EAAE;AAAA,MAC7B;AAEA,YAAM,SAAS,gBAAgB,MAAM,cAAA,IAAkB;AAEvD,YAAM,UAA6B;AAAA,QACjC;AAAA,QACA,QAAQ,UAAU;AAAA,QAClB,aAAa;AAAA,QACb,kBAAkB;AAAA,MAAA;AAGpB,aAAO,WAAW,SAAS,EAAE;AAAA,IAC/B;AAAA,IAEA,MAAM,cAAiB,UAAkB,IAAkC;AACzE,YAAM,SAAS,gBAAgB,MAAM,cAAA,IAAkB;AAEvD,YAAM,UAA6B;AAAA,QACjC;AAAA,QACA,QAAQ,UAAU;AAAA,QAClB,aAAa;AAAA,QACb,kBAAkB;AAAA,MAAA;AAGpB,aAAO,WAAW,SAAS,EAAE;AAAA,IAC/B;AAAA,IAEA,MAAM,YAAe,IAAkC;AACrD,aAAO,kBAAkB,EAAE;AAAA,IAC7B;AAAA,IAEA,MAAM,gBACJ,UACA,IACY;AACZ,YAAM,SAAS,gBAAgB,MAAM,cAAA,IAAkB;AAEvD,YAAM,UAA6B;AAAA,QACjC;AAAA,QACA,QAAQ,UAAU;AAAA,QAClB,aAAa;AAAA,QACb,kBAAkB;AAAA,MAAA;AAGpB,aAAO,WAAW,SAAS,EAAE;AAAA,IAC/B;AAAA,EAAA;AAEJ;ACpEO,SAAS,wBAAwB,SAAmC;AACzE,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,eAAe,CAAA;AAAA,EAAC,IACd;AAEJ,SAAO,eAAe,kBACpB,KACA,KACA,MACe;AACf,QAAI;AAEF,UAAI,aAAa,KAAK,CAAC,YAAYA,YAAU,IAAI,MAAM,OAAO,CAAC,GAAG;AAChE,aAAA;AACA;AAAA,MACF;AAGA,YAAM,WAAW,MAAM,gBAAgB,GAAG;AAE1C,UAAI,CAAC,UAAU;AACb,YAAI,YAAY;AACd,gBAAM,iBAAiB,MAAM,WAAW,KAAK,GAAG;AAChD,cAAI,gBAAgB;AAClB,iBAAA;AACA;AAAA,UACF;AAAA,QACF,OAAO;AACL,cAAI,OAAO,GAAG,EAAE,KAAK;AAAA,YACnB,OAAO;AAAA,YACP,SACE;AAAA,UAAA,CACH;AACD;AAAA,QACF;AACA;AAAA,MACF;AAGA,YAAM,SAAS,gBAAgB,MAAM,cAAc,GAAG,IAAI;AAC1D,YAAM,cAAc,qBAChB,MAAM,mBAAmB,KAAK,UAAU,UAAU,MAAS,IAC3D,oBAAI,IAAA;AACR,YAAM,mBAAmB,eACrB,MAAM,aAAa,KAAK,UAAU,UAAU,MAAS,IACrD;AAGJ,YAAM,UAA6B;AAAA,QACjC;AAAA,QACA,QAAQ,UAAU;AAAA,QAClB;AAAA,QACA;AAAA,MAAA;AAID,UAAkC,gBAAgB;AAClD,UAAkC,WAAW;AAK9C,yBAAmB,OAAO;AAC1B,WAAA;AAAA,IACF,SAAS,OAAO;AACd,WAAK,KAAK;AAAA,IACZ;AAAA,EACF;AACF;AAKA,SAASA,YAAU,MAAc,SAA0B;AACzD,QAAM,eAAe,QAClB,QAAQ,OAAO,IAAI,EACnB,QAAQ,OAAO,KAAK,EACpB,QAAQ,OAAO,GAAG;AAErB,SAAO,IAAI,OAAO,IAAI,YAAY,GAAG,EAAE,KAAK,IAAI;AAClD;AC5FO,SAAS,sBAAsB,SAAiC;AACrE,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA;AAAA,IACA,eAAe,CAAA;AAAA,EAAC,IACd;AAEJ,SAAO,eAAe,OAAO;AAAA,IAC3B;AAAA,IACA;AAAA,EAAA,GAIoB;AAEpB,UAAM,OAAO,MAAM,IAAI;AACvB,QAAI,aAAa,KAAK,CAAC,YAAY,UAAU,MAAM,OAAO,CAAC,GAAG;AAC5D,aAAO,QAAQ,KAAK;AAAA,IACtB;AAGA,UAAM,WAAW,MAAM,gBAAgB,KAAK;AAE5C,QAAI,CAAC,UAAU;AAEb,UAAI,YAAY;AACd,cAAM,WAAW,MAAM,WAAW,KAAK;AACvC,YAAI,UAAU;AACZ,iBAAO;AAAA,QACT;AAAA,MACF;AACA,aAAO,QAAQ,KAAK;AAAA,IACtB;AAGA,UAAM,SAAS,gBAAgB,MAAM,cAAc,KAAK,IAAI;AAC5D,UAAM,cAAc,qBAChB,MAAM,mBAAmB,OAAO,UAAU,UAAU,MAAS,IAC7D,oBAAI,IAAA;AACR,UAAM,mBAAmB,eACrB,MAAM,aAAa,OAAO,UAAU,UAAU,MAAS,IACvD;AAGJ,UAAM,UAA6B;AAAA,MACjC;AAAA,MACA,QAAQ,UAAU;AAAA,MAClB;AAAA,MACA;AAAA,IAAA;AAIF,UAAM,OAAO,gBAAgB;AAC7B,UAAM,OAAO,WAAW;AAGxB,WAAO,WAAW,SAAS,MAAM,QAAQ,KAAK,CAAC;AAAA,EACjD;AACF;AAKA,SAAS,UAAU,MAAc,SAA0B;AAEzD,QAAM,eAAe,QAClB,QAAQ,OAAO,IAAI,EACnB,QAAQ,OAAO,KAAK,EACpB,QAAQ,OAAO,GAAG;AAErB,SAAO,IAAI,OAAO,IAAI,YAAY,GAAG,EAAE,KAAK,IAAI;AAClD;"}
package/dist/chunks/{testing-DyAqaOBC.js → testing-BWF_N0FL.js} RENAMED
@@ -112,12 +112,17 @@ const DEFAULT_OPTIONS = {
112
112
  rawQueryPolicy: "throw"
113
113
  };
114
114
  function serializeInstance(instance, className) {
115
- if (typeof instance.toJSON === "function") {
116
- return { className, ...instance.toJSON() };
115
+ const maybeToJSON = instance.toJSON;
116
+ if (typeof maybeToJSON === "function") {
117
+ return {
118
+ className,
119
+ ...maybeToJSON.call(instance)
120
+ };
117
121
  }
118
122
  const result = { className };
123
+ const record = instance;
119
124
  for (const key of Object.keys(instance)) {
120
- const value = instance[key];
125
+ const value = record[key];
121
126
  if (typeof value !== "function") {
122
127
  result[key] = value;
123
128
  }
@@ -302,7 +307,8 @@ function createTenantInterceptor(options = {}) {
302
307
  }
303
308
  const config = getTenantScopedConfig(className);
304
309
  const tenantField = config?.field || "tenantId";
305
- const instanceTenantId = instance[tenantField];
310
+ const instanceRecord = instance;
311
+ const instanceTenantId = instanceRecord[tenantField];
306
312
  const tenantContext = getCurrentTenant();
307
313
  if (!tenantContext) {
308
314
  if (config?.mode === "required") {
@@ -314,21 +320,22 @@ function createTenantInterceptor(options = {}) {
314
320
  return;
315
321
  }
316
322
  if (!instanceTenantId && config?.autoPopulate !== false) {
317
- instance[tenantField] = tenantContext.tenantId;
323
+ instanceRecord[tenantField] = tenantContext.tenantId;
318
324
  return;
319
325
  }
320
326
  if (instanceTenantId && instanceTenantId !== tenantContext.tenantId) {
327
+ const attemptedTenantId = String(instanceTenantId);
321
328
  opts.onIsolationViolation?.(
322
329
  className,
323
330
  tenantContext.tenantId,
324
- instanceTenantId,
331
+ attemptedTenantId,
325
332
  context
326
333
  );
327
334
  throw new TenantIsolationError(
328
- `Tenant isolation violation: cannot save ${className} with tenantId '${instanceTenantId}' in context of tenant '${tenantContext.tenantId}'`,
335
+ `Tenant isolation violation: cannot save ${className} with tenantId '${attemptedTenantId}' in context of tenant '${tenantContext.tenantId}'`,
329
336
  {
330
337
  tenantId: tenantContext.tenantId,
331
- attemptedTenantId: instanceTenantId
338
+ attemptedTenantId
332
339
  }
333
340
  );
334
341
  }
@@ -361,17 +368,18 @@ function createTenantInterceptor(options = {}) {
361
368
  return;
362
369
  }
363
370
  if (instanceTenantId && instanceTenantId !== tenantContext.tenantId) {
371
+ const attemptedTenantId = String(instanceTenantId);
364
372
  opts.onIsolationViolation?.(
365
373
  className,
366
374
  tenantContext.tenantId,
367
- instanceTenantId,
375
+ attemptedTenantId,
368
376
  context
369
377
  );
370
378
  throw new TenantIsolationError(
371
- `Tenant isolation violation: cannot delete ${className} with tenantId '${instanceTenantId}' in context of tenant '${tenantContext.tenantId}'`,
379
+ `Tenant isolation violation: cannot delete ${className} with tenantId '${attemptedTenantId}' in context of tenant '${tenantContext.tenantId}'`,
372
380
  {
373
381
  tenantId: tenantContext.tenantId,
374
- attemptedTenantId: instanceTenantId
382
+ attemptedTenantId
375
383
  }
376
384
  );
377
385
  }
@@ -382,15 +390,17 @@ function createTenantInterceptor(options = {}) {
382
390
  async afterSave(instance, context) {
383
391
  if (!opts.dispatchBus || !opts.directoryClasses?.includes(context.className))
384
392
  return;
393
+ const instanceId = instance.id;
394
+ const sourceId = typeof instanceId === "string" ? instanceId : void 0;
385
395
  const rawIsNew = context.metadata?._directoryIsNew;
386
- const isNew = typeof rawIsNew === "boolean" ? rawIsNew : instance.id == null;
396
+ const isNew = typeof rawIsNew === "boolean" ? rawIsNew : instanceId == null;
387
397
  const event = isNew ? `directory.${context.className.toLowerCase()}.created` : `directory.${context.className.toLowerCase()}.updated`;
388
398
  await opts.dispatchBus.emit(
389
399
  event,
390
400
  serializeInstance(instance, context.className),
391
401
  {
392
402
  source: "smrt-tenancy",
393
- sourceId: instance.id
403
+ sourceId
394
404
  }
395
405
  );
396
406
  },
@@ -400,12 +410,13 @@ function createTenantInterceptor(options = {}) {
400
410
  async afterDelete(instance, context) {
401
411
  if (!opts.dispatchBus || !opts.directoryClasses?.includes(context.className))
402
412
  return;
413
+ const instanceId = instance.id;
403
414
  await opts.dispatchBus.emit(
404
415
  `directory.${context.className.toLowerCase()}.deleted`,
405
416
  serializeInstance(instance, context.className),
406
417
  {
407
418
  source: "smrt-tenancy",
408
- sourceId: instance.id
419
+ sourceId: typeof instanceId === "string" ? instanceId : void 0
409
420
  }
410
421
  );
411
422
  }
@@ -513,4 +524,4 @@ export {
513
524
  testTenantIsolation as t,
514
525
  unregisterTenantScopedClass as u
515
526
  };
516
- //# sourceMappingURL=testing-DyAqaOBC.js.map
527
+ //# sourceMappingURL=testing-BWF_N0FL.js.map
package/dist/chunks/testing-BWF_N0FL.js.map ADDED
@@ -0,0 +1 @@
1
+ {"version":3,"file":"testing-BWF_N0FL.js","sources":["../../src/registry.ts","../../src/enabled-state.ts","../../src/entry-point.ts","../../src/interceptor.ts","../../src/testing.ts"],"sourcesContent":["/**\n * Tenant-Scoped Class Registry\n *\n * Tracks which classes are tenant-scoped and their configuration.\n * Used by the interceptor to determine how to handle operations.\n *\n * This registry supports two patterns:\n * 1. @TenantScoped() decorator + tenantId field (original pattern)\n * 2. @smrt({ tenantScoped: true }) in smrt-core (Issue #688 pattern)\n *\n * Both patterns are automatically recognized by the interceptor.\n *\n * @see https://github.com/happyvertical/smrt/issues/675\n * @see https://github.com/happyvertical/smrt/issues/688\n */\n\nimport { ObjectRegistry } from '@happyvertical/smrt-core';\n\n/**\n * Resolved tenancy configuration for a single class, as stored in the registry.\n *\n * Every field has a concrete (non-optional) value — defaults are applied by\n * `registerTenantScopedClass()` when the class is registered via `@TenantScoped()`.\n *\n * @see TenantScopedOptions\n * @see registerTenantScopedClass\n */\nexport interface TenantScopedConfig {\n /**\n * Tenancy mode for this class\n * - 'required': Must have tenant context for all operations\n * - 'optional': Works with or without tenant context\n * @default 'required'\n */\n mode: 'required' | 'optional';\n\n /**\n * Field name containing tenant ID\n * @default 'tenantId'\n */\n field: string;\n\n /**\n * Auto-filter all queries by tenant\n * @default true\n */\n autoFilter: boolean;\n\n /**\n * Auto-populate tenant ID from context on create\n * @default true\n */\n autoPopulate: boolean;\n\n /**\n * Allow super admin bypass for this class\n * @default false\n */\n allowSuperAdminBypass: boolean;\n}\n\nconst DEFAULT_CONFIG: TenantScopedConfig = {\n mode: 'required',\n field: 'tenantId',\n autoFilter: true,\n autoPopulate: true,\n allowSuperAdminBypass: false,\n};\n\n// Registry storing tenant-scoped class configurations\nconst tenantScopedClasses = new Map<string, TenantScopedConfig>();\n\n/**\n * Register a class as tenant-scoped with the given configuration.\n *\n * Called automatically by the `@TenantScoped()` decorator. You can also call\n * this directly when you cannot use decorators (e.g., third-party classes or\n * plain objects in tests). Defaults from `DEFAULT_CONFIG` are merged over any\n * omitted options.\n *\n * Calling this again for the same `className` overwrites the previous entry.\n *\n * @param className - The class's `name` property (e.g., `'Document'`).\n * @param config - Partial tenancy configuration; omitted fields receive defaults.\n *\n * @example\n * ```typescript\n * // Manually register a class (e.g., for testing)\n * registerTenantScopedClass('Document', { mode: 'optional' });\n * ```\n *\n * @see TenantScoped\n * @see unregisterTenantScopedClass\n */\nexport function registerTenantScopedClass(\n className: string,\n config: Partial<TenantScopedConfig> = {},\n): void {\n tenantScopedClasses.set(className, {\n ...DEFAULT_CONFIG,\n ...config,\n });\n}\n\n/**\n * Remove a class from the tenant-scoped registry.\n *\n * Primarily intended for test teardown — use `clearTenantScopedRegistry()` to\n * reset the entire registry at once.\n *\n * @param className - The class name to remove (e.g., `'Document'`).\n *\n * @see clearTenantScopedRegistry\n * @see registerTenantScopedClass\n */\nexport function unregisterTenantScopedClass(className: string): void {\n tenantScopedClasses.delete(className);\n}\n\n/**\n * Strip a qualified `@scope/pkg:ClassName` name down to its bare class name.\n *\n * `@TenantScoped` registers classes by their simple name (`target.name`), but\n * `ObjectRegistry.getInheritanceChain()` emits **qualified** names where a\n * class has package context. The simple-name bridge this enables is confined to\n * the inheritance walk (`getInheritedTenantScopedConfig`) — never the direct\n * lookup — so a *direct* qualified lookup can't strip the namespace and\n * cross-match a same-simple-name class in another package.\n */\nfunction toSimpleClassName(className: string): string {\n const idx = className.lastIndexOf(':');\n return idx === -1 ? className : className.slice(idx + 1);\n}\n\n/**\n * Return a shallow copy of a config so callers can never mutate the stored\n * registration. The same backing object is shared by the base and every\n * inheriting descendant, so handing out the reference would let an accidental\n * caller mutation silently corrupt the base (and all children). (#1598 review)\n */\nfunction cloneConfig(config: TenantScopedConfig): TenantScopedConfig {\n return { ...config };\n}\n\n/**\n * Resolve a class's OWN tenancy configuration — no STI inheritance, EXACT name\n * match only.\n *\n * Checks the two registration mechanisms in order, with the local registry\n * taking precedence:\n * 1. The local registry populated by `@TenantScoped()` (keyed by simple name).\n * 2. The core `ObjectRegistry` populated by `@smrt({ tenantScoped: true })`.\n *\n * Lookups are by exact name only — no simple-name fallback — so a qualified\n * lookup (e.g. `@happyvertical/smrt-affiliates:Payout`, explicitly not scoped)\n * can never strip its namespace and match a same-simple-name scoped class in\n * another package (e.g. `@happyvertical/smrt-commerce:Payout`). The\n * namespace-stripping bridge lives only in the inheritance walk. (#1598 review)\n */\nfunction getDirectTenantScopedConfig(\n className: string,\n): TenantScopedConfig | undefined {\n // 1. Local registry (explicit @TenantScoped decorator).\n const localConfig = tenantScopedClasses.get(className);\n if (localConfig) {\n return cloneConfig(localConfig);\n }\n\n // 2. Core registry (@smrt({ tenantScoped: true }) pattern - Issue #688).\n // findClass() resolves qualified names package-safely, so this branch is\n // already disambiguated.\n const coreConfig = ObjectRegistry.getTenantScopedConfig(className);\n if (coreConfig) {\n // Convert core config to TenantScopedConfig format\n return {\n mode: coreConfig.mode,\n field: coreConfig.field,\n autoFilter: coreConfig.autoFilter,\n autoPopulate: coreConfig.autoPopulate,\n allowSuperAdminBypass: coreConfig.allowSuperAdminBypass,\n };\n }\n\n return undefined;\n}\n\n/**\n * Resolve tenancy configuration inherited from an STI/ancestor class.\n *\n * `@TenantScoped` (and `@smrt({ tenantScoped })`) register ONLY the exact class\n * decorated — recognition does NOT propagate to subclasses. Before #1596 this\n * meant an STI child with its own collection (the child is the collection's\n * `_itemClass`) was treated as non-tenant-scoped at runtime: the interceptor\n * skipped tenant filtering on its `list()`/`get()` (cross-tenant reads), skipped\n * tenant population in `beforeSave`, and skipped the raw-SQL policy. Manual\n * re-declaration on every child was the fragile pattern that already bit images\n * (#1407) and messages.\n *\n * We now walk the STI inheritance chain so any descendant of a tenant-scoped\n * base is recognized automatically and inherits the base's config. A subclass\n * of a tenant-scoped class is always itself tenant-scoped — there is no safe\n * reason for it to opt out — so the walk intentionally covers any inheritance\n * (the motivating leak is STI child collections, but this is correct for CTI\n * hierarchies too).\n *\n * Ancestors are walked from nearest-to-self toward the root, returning the\n * first tenant-scoped ancestor's config so a closer ancestor wins. The class's\n * OWN declaration is resolved by the direct lookup in `getTenantScopedConfig`\n * and always takes precedence over anything inherited here.\n */\nfunction getInheritedTenantScopedConfig(\n className: string,\n): TenantScopedConfig | undefined {\n // getInheritanceChain returns [root, ..., self] (qualified names where the\n // class has package context). It is cached by core and only reached here when\n // the direct lookup misses, so the per-call cost on non-tenant classes is a\n // cache hit plus this short loop. Returns [] for unregistered classes.\n const chain = ObjectRegistry.getInheritanceChain(className);\n // chain[length - 1] is the class itself (already covered by the direct\n // lookup); walk its ancestors from nearest to root.\n for (let i = chain.length - 2; i >= 0; i--) {\n const ancestor = chain[i];\n\n // Exact, package-safe match first — covers `@smrt({ tenantScoped })` bases\n // (resolved through the core registry by qualified name) and any class\n // whose @TenantScoped key matches the chain entry verbatim.\n const direct = getDirectTenantScopedConfig(ancestor);\n if (direct) {\n return direct;\n }\n\n // @TenantScoped registers by SIMPLE name (`target.name`), but the chain\n // emits QUALIFIED names. Bridge to the simple-keyed local registry here —\n // scoped to the inheritance walk only, so a direct qualified lookup never\n // strips the namespace (see getDirectTenantScopedConfig). The chain entry\n // is a verified ancestor of `className`, so matching its simple name is the\n // intended hop. (Residual: the @TenantScoped registry is simple-keyed, so\n // two DISTINCT same-simple-name classes that are BOTH @TenantScoped across\n // packages could cross-match here — a pre-existing decorator-keying limit,\n // not the direct-lookup hazard fixed above.)\n const simple = toSimpleClassName(ancestor);\n if (simple !== ancestor) {\n const bySimple = tenantScopedClasses.get(simple);\n if (bySimple) {\n return cloneConfig(bySimple);\n }\n }\n }\n return undefined;\n}\n\n/**\n * Retrieve the resolved tenancy configuration for a class.\n *\n * Resolution order:\n * 1. The class's OWN declaration — local `@TenantScoped()` registry first, then\n * the core `@smrt({ tenantScoped: true })` registry.\n * 2. STI inheritance — the nearest tenant-scoped ancestor's config (#1596).\n *\n * A class that declares its own tenancy never reaches step 2, so an explicit\n * child `@TenantScoped` always overrides the inherited base config.\n *\n * @param className - The class name to look up.\n * @returns The `TenantScopedConfig` if the class is tenant-scoped directly or\n * by inheritance, or `undefined` if it is not.\n *\n * @see isTenantScopedClass\n * @see getAllTenantScopedClasses\n */\nexport function getTenantScopedConfig(\n className: string,\n): TenantScopedConfig | undefined {\n // A class's own @TenantScoped / @smrt({ tenantScoped }) declaration wins.\n const direct = getDirectTenantScopedConfig(className);\n if (direct) {\n return direct;\n }\n // Otherwise inherit recognition from a tenant-scoped STI ancestor (#1596).\n return getInheritedTenantScopedConfig(className);\n}\n\n/**\n * Return `true` if the named class is tenant-scoped — directly (via\n * `@TenantScoped()` / `@smrt({ tenantScoped: true })`) or by inheriting from a\n * tenant-scoped STI ancestor (#1596).\n *\n * @param className - The class name to look up (e.g., `'Document'`).\n * @returns `true` if the class is tenant-scoped by any mechanism.\n *\n * @see getTenantScopedConfig\n * @see registerTenantScopedClass\n */\nexport function isTenantScopedClass(className: string): boolean {\n return getTenantScopedConfig(className) !== undefined;\n}\n\n/**\n * Return a snapshot of all classes registered via `@TenantScoped()`.\n *\n * Returns a new `Map` so mutations to the returned value do not affect the\n * internal registry. Note that classes registered only through the core\n * `ObjectRegistry` (`@smrt({ tenantScoped: true })`) are **not** included in\n * this map.\n *\n * @returns A copy of the local tenant-scoped class registry, keyed by class name.\n *\n * @see isTenantScopedClass\n * @see getTenantScopedConfig\n */\nexport function getAllTenantScopedClasses(): Map<string, TenantScopedConfig> {\n return new Map(tenantScopedClasses);\n}\n\n/**\n * Remove all entries from the local tenant-scoped class registry.\n *\n * Intended for test teardown via `resetTenancy()`. Does not affect\n * registrations held by the core `ObjectRegistry`.\n *\n * @see resetTenancy\n * @see unregisterTenantScopedClass\n */\nexport function clearTenantScopedRegistry(): void {\n tenantScopedClasses.clear();\n}\n","/**\n * Shared tenancy-enabled flag.\n *\n * Holds the single boolean toggled by `enableTenancy()` / `disableTenancy()`.\n * It lives in its own leaf module (importing nothing from the package) so that\n * both `interceptor.ts` and `entry-point.ts` can read it without forming a\n * circular import: `interceptor.ts` imports `runTenantScopedEntryPoint` from\n * `entry-point.ts`, and `entry-point.ts` needs the enabled flag — routing the\n * flag through here keeps that dependency one-directional.\n */\n\nlet enabled = false;\n\n/**\n * Set the global tenancy-enabled flag. Internal — called by `enableTenancy()` /\n * `disableTenancy()` in `interceptor.ts`.\n *\n * @param value - `true` to mark tenancy enabled, `false` to clear it.\n */\nexport function setTenancyEnabled(value: boolean): void {\n enabled = value;\n}\n\n/**\n * Return `true` if tenant enforcement is currently active.\n *\n * @returns Whether `enableTenancy()` has been called without a later\n * `disableTenancy()`.\n */\nexport function isTenancyEnabled(): boolean {\n return enabled;\n}\n","/**\n * Fail-closed tenant-context establishment for non-web entry points (#1554).\n *\n * The SvelteKit/Express adapters establish tenant context from the authenticated\n * request principal, so the web surface of a `@TenantScoped({ mode: 'optional' })`\n * model never reads across tenants without an active context. The generated\n * **CLI** and **MCP** entry points have no request principal, so an invocation\n * with no active context would fall through the interceptor's optional-mode\n * pass-through and return rows across **all** tenants.\n *\n * `runTenantScopedEntryPoint()` closes that gap. It is the single fail-closed\n * gate both generated surfaces wrap their per-command/per-tool execution in.\n *\n * @see createCliContext for the richer CLI runner (resolveTenantId, super-admin).\n */\n\nimport {\n hasTenantContext,\n isSystemContext,\n TenantContextError,\n withSystemContext,\n withTenant,\n} from './context.js';\nimport { isTenancyEnabled } from './enabled-state.js';\nimport { isTenantScopedClass } from './registry.js';\n\n/**\n * Inputs for {@link runTenantScopedEntryPoint}.\n *\n * Provide **either** `className` (the gate resolves tenant-scoping from the\n * authoritative tenancy registry — the same source the interceptor uses, so it\n * covers both `@TenantScoped` and `@smrt({ tenantScoped })` registrations) or an\n * explicit `tenantScoped` boolean (when the caller already resolved it, e.g. a\n * build-time generated surface). An explicit boolean wins when both are given.\n */\nexport interface TenantEntryPointOptions {\n /**\n * Class name of the target model. When provided, tenant-scoping is resolved\n * via `isTenantScopedClass(className)`.\n */\n className?: string;\n\n /**\n * Explicit tenant-scoping decision. Overrides `className` resolution when set.\n * Non-scoped models always pass through unchanged — the gate is a no-op.\n */\n tenantScoped?: boolean;\n\n /**\n * Explicit operator-provided tenant selector (CLI `--tenant <id>`, MCP\n * `context.tenantId`). When present (and no context is already active) the\n * function runs inside this tenant's context.\n */\n tenantId?: string | null;\n\n /**\n * Explicit operator opt-in to cross-tenant / system access (CLI\n * `--all-tenants`, an MCP host that trusts the caller as an operator). When\n * set the function runs in system context, bypassing tenant filtering.\n *\n * @default false\n */\n allowCrossTenant?: boolean;\n\n /**\n * Human-facing surface name used in the fail-closed error message, e.g.\n * `'CLI'` or `'MCP'`.\n *\n * @default 'entry point'\n */\n surface?: string;\n}\n\n/**\n * Run `fn` inside an appropriate tenant context for a generated CLI/MCP entry\n * point, failing closed for tenant-scoped models when no authorized context can\n * be established.\n *\n * Resolution order (tenant-scoped models only):\n * 1. A tenant context is already active, or an explicit `withSystemContext()`\n * bypass is in effect (e.g. `runAsSystem()`, migrations) → run as-is.\n * 2. `allowCrossTenant` was explicitly set → run in system context. Checked\n * before `tenantId` so an explicit cross-tenant opt-in wins over a default\n * principal/host tenant rather than being silently scoped.\n * 3. An explicit `tenantId` was provided → run inside that tenant.\n * 4. Tenancy is enabled but none of the above → **throw** `TenantContextError`\n * (the fail-closed branch — never silently read across tenants).\n * 5. Tenancy is disabled (single-/no-tenant deployment) → pass through.\n *\n * Non-tenant-scoped models always pass straight through.\n *\n * @param options - {@link TenantEntryPointOptions}.\n * @param fn - The command/tool body to execute.\n * @returns The resolved value of `fn`.\n * @throws {TenantContextError} When a tenant-scoped model is reached with\n * tenancy enabled and no tenant/cross-tenant selector.\n */\nexport async function runTenantScopedEntryPoint<T>(\n options: TenantEntryPointOptions,\n fn: () => Promise<T>,\n): Promise<T> {\n const {\n className,\n tenantScoped,\n tenantId,\n allowCrossTenant = false,\n surface = 'entry point',\n } = options;\n\n // Resolve tenant-scoping: an explicit boolean wins; otherwise consult the\n // authoritative tenancy registry by class name (matches the interceptor).\n const scoped =\n typeof tenantScoped === 'boolean'\n ? tenantScoped\n : className\n ? isTenantScopedClass(className)\n : false;\n\n // Non-scoped models run as-is. So do calls already inside a tenant context\n // (an upstream handle) or an explicit system-context bypass — the interceptor\n // honors `withSystemContext()` (migrations, `runAsSystem()`), so the gate must\n // not fail-close over it (hasTenantContext() is false for the system marker).\n if (!scoped) return fn();\n if (hasTenantContext() || isSystemContext()) return fn();\n\n // Explicit operator opt-in to cross-tenant access. Checked before the tenant\n // selector so a deliberate `--all-tenants` / `allowCrossTenant` overrides a\n // default host/principal tenant instead of being silently scoped to it.\n if (allowCrossTenant) {\n return withSystemContext(fn);\n }\n\n // Explicit tenant selector.\n if (typeof tenantId === 'string' && tenantId) {\n return withTenant({ tenantId }, fn);\n }\n\n // Fail closed: tenancy is on but the caller gave us nothing to scope by.\n if (isTenancyEnabled()) {\n throw new TenantContextError(\n `Tenant context required for tenant-scoped access via ${surface}. ` +\n 'Pass an explicit tenant (e.g. --tenant <id> / a tenantId) or opt into ' +\n 'cross-tenant access (e.g. --all-tenants) to read across all tenants.',\n );\n }\n\n // Tenancy disabled → single-tenant deployment, pass through.\n return fn();\n}\n","/**\n * Tenant Interceptor - Core enforcement mechanism\n *\n * Registers with GlobalInterceptors in smrt-core to automatically:\n * - Filter queries by tenant ID\n * - Validate tenant context on save/delete\n * - Block or audit raw SQL on tenant-scoped classes\n *\n * @see https://github.com/happyvertical/smrt/issues/675\n */\n\nimport { createLogger } from '@happyvertical/logger';\nimport type { SmrtObject } from '@happyvertical/smrt-core';\nimport {\n type CollectionInterceptor,\n type DispatchBus,\n GlobalInterceptors,\n type InterceptorContext,\n type ListOptions,\n type QueryInterceptResult,\n type QueryOptions,\n setDispatchTenantResolver,\n setTenantEntryPointRunner,\n} from '@happyvertical/smrt-core';\nimport {\n getCurrentTenant,\n getTenantId,\n isSuperAdminBypass,\n isSystemContext,\n TenantContextError,\n TenantIsolationError,\n} from './context.js';\nimport { isTenancyEnabled, setTenancyEnabled } from './enabled-state.js';\nimport { runTenantScopedEntryPoint } from './entry-point.js';\nimport { getTenantScopedConfig, isTenantScopedClass } from './registry.js';\n\nconst logger = createLogger({ level: 'info' });\n\n/**\n * Policy controlling what happens when raw SQL is executed against a\n * tenant-scoped class without an explicit bypass.\n *\n * - `'throw'` — Raises a `TenantIsolationError` (most secure; default).\n * - `'warn'` — Logs a `console.warn` but allows the query to proceed (useful\n * during migration periods).\n * - `'allow'` — Silently allows the query; not recommended for production.\n *\n * @see TenantInterceptorOptions.rawQueryPolicy\n * @see enableTenancy\n */\nexport type RawQueryPolicy = 'throw' | 'warn' | 'allow';\n\n/**\n * Configuration options accepted by `createTenantInterceptor()` and\n * `enableTenancy()`.\n *\n * All options are optional; reasonable defaults are applied. The callback\n * hooks (`onRawQuery`, `onMissingContext`, `onIsolationViolation`) are useful\n * for logging and alerting without altering the enforcement behaviour.\n *\n * @see createTenantInterceptor\n * @see enableTenancy\n */\nexport interface TenantInterceptorOptions {\n /**\n * Policy for raw SQL queries on tenant-scoped classes\n * - 'throw': Throw error (most secure, default)\n * - 'warn': Log warning but allow (for migration)\n * - 'allow': Silently allow (not recommended for production)\n * @default 'throw'\n */\n rawQueryPolicy?: RawQueryPolicy;\n\n /**\n * Called when a raw query is attempted on a tenant-scoped class\n * Useful for logging/auditing\n */\n onRawQuery?: (\n className: string,\n sql: string,\n context: InterceptorContext,\n ) => void;\n\n /**\n * Called when tenant context is missing for a tenant-scoped operation\n */\n onMissingContext?: (\n className: string,\n operation: string,\n context: InterceptorContext,\n ) => void;\n\n /**\n * Called when an isolation violation is detected\n */\n onIsolationViolation?: (\n className: string,\n expectedTenantId: string,\n actualTenantId: string,\n context: InterceptorContext,\n ) => void;\n\n /**\n * DispatchBus instance for emitting provisioning events on lifecycle changes.\n * When provided along with directoryClasses, afterSave/afterDelete hooks\n * emit dispatches like `directory.membership.created`.\n */\n dispatchBus?: DispatchBus;\n\n /**\n * Class names to emit directory dispatches for on save/delete lifecycle events.\n * Only classes listed here will trigger dispatch emissions.\n * @example ['Tenant', 'Membership', 'User']\n */\n directoryClasses?: string[];\n}\n\nconst DEFAULT_OPTIONS: TenantInterceptorOptions = {\n rawQueryPolicy: 'throw',\n};\n\n/**\n * Extract a plain-object snapshot of an instance for dispatch payloads.\n *\n * Prefers `toJSON()` when available (all real SmrtObject instances) because\n * it returns only data fields and excludes internal handles like `_db`, `_ai`,\n * and `_fs` which may contain circular references (e.g. connection pools with\n * Timeout objects).\n *\n * @see https://github.com/happyvertical/smrt/issues/946\n */\nfunction serializeInstance(\n instance: SmrtObject,\n className: string,\n): Record<string, unknown> {\n // Documented exception to the \"never call toJSON() directly\" convention\n // (docs/content/standards.md §7): the interceptor must serialize whatever\n // instance is handed to it, including workspace stubs and plain-object\n // doubles used in unit tests whose classes may not extend SmrtObject and\n // therefore have no `transformJSON()` hook. Using `toJSON()` here is a\n // duck-typed fallback — when present, it strips framework-internal handles\n // for us; when absent, we fall through to manual key iteration below.\n const maybeToJSON = (instance as { toJSON?: unknown }).toJSON;\n if (typeof maybeToJSON === 'function') {\n return {\n className,\n ...(maybeToJSON.call(instance) as Record<string, unknown>),\n };\n }\n\n // Fallback for plain-object stubs (e.g. in unit tests):\n // skip functions and framework-internal properties\n const result: Record<string, unknown> = { className };\n const record = instance as unknown as Record<string, unknown>;\n for (const key of Object.keys(instance)) {\n const value = record[key];\n if (typeof value !== 'function') {\n result[key] = value;\n }\n }\n return result;\n}\n\n/**\n * Create a `CollectionInterceptor` that enforces tenant isolation on all\n * `SmrtCollection` operations.\n *\n * The returned interceptor hooks into the smrt-core `GlobalInterceptors`\n * pipeline at priority 100 (runs before all other interceptors) and\n * handles the following lifecycle hooks:\n *\n * | Hook | Behaviour |\n * |---------------|-----------|\n * | `beforeList` | Injects tenant filter into `WHERE`; validates explicit filters. |\n * | `beforeGet` | Converts ID lookups to `{ id, tenantId }` filter objects. |\n * | `beforeSave` | Auto-populates `tenantId`; validates existing values. |\n * | `beforeDelete`| Validates the instance's `tenantId` matches context. |\n * | `beforeQuery` | Enforces `rawQueryPolicy` on raw SQL calls. |\n * | `afterSave` | Emits `directory.<class>.created/updated` via `dispatchBus`. |\n * | `afterDelete` | Emits `directory.<class>.deleted` via `dispatchBus`. |\n *\n * Use `enableTenancy()` to register the interceptor globally. Call this\n * directly only when you need multiple interceptor instances (e.g., for\n * isolated tests or feature flags).\n *\n * @param options - Configuration for the interceptor.\n * @returns A `CollectionInterceptor` ready to be registered with\n * `GlobalInterceptors.register()`.\n *\n * @example\n * ```typescript\n * import { createTenantInterceptor } from '@happyvertical/smrt-tenancy';\n * import { GlobalInterceptors } from '@happyvertical/smrt-core';\n *\n * const interceptor = createTenantInterceptor({ rawQueryPolicy: 'warn' });\n * GlobalInterceptors.register(interceptor);\n * ```\n *\n * @see enableTenancy\n * @see TenantInterceptorOptions\n */\nexport function createTenantInterceptor(\n options: TenantInterceptorOptions = {},\n): CollectionInterceptor {\n const opts = { ...DEFAULT_OPTIONS, ...options };\n\n return {\n name: 'smrt-tenancy',\n priority: 100, // High priority - should run first\n\n /**\n * Before list: Add tenant filter to queries\n */\n beforeList(\n className: string,\n listOptions: ListOptions,\n context: InterceptorContext,\n ): ListOptions | undefined {\n // Check if this class is tenant-scoped\n if (!isTenantScopedClass(className)) {\n return; // Not tenant-scoped, pass through\n }\n\n // Check for super admin bypass\n if (isSuperAdminBypass()) {\n return; // Bypass enabled, pass through\n }\n\n // Check for system context (explicit bypass via withSystemContext)\n if (isSystemContext()) {\n return; // System context bypasses tenant checks\n }\n\n const config = getTenantScopedConfig(className);\n const tenantContext = getCurrentTenant();\n\n // If no tenant context and mode is 'required', throw\n if (!tenantContext) {\n if (config?.mode === 'required') {\n opts.onMissingContext?.(className, 'list', context);\n throw new TenantContextError(\n `Tenant context required for listing ${className}. ` +\n `Use withTenant() or configure TenantContext middleware.`,\n );\n }\n return; // Mode is 'optional', allow without filtering\n }\n\n // Add tenant filter to where clause\n const tenantField = config?.field || 'tenantId';\n const where = listOptions.where || {};\n\n // Check if tenant filter is already present\n if (tenantField in where) {\n // Validate it matches context. The filter may be a scalar\n // (`tenantId: 'x'`) or an IN-style array (`tenantId: ['x']`) —\n // smrt-core auto-converts array values to SQL IN clauses, so an\n // array containing only the context tenant is a valid filter.\n // See https://github.com/happyvertical/smrt/issues/1495\n const existingFilter = where[tenantField];\n const filterValues = Array.isArray(existingFilter)\n ? existingFilter\n : [existingFilter];\n // findIndex (not find) so a literal null/undefined filter value is\n // still flagged as a violation rather than mistaken for \"not found\"\n const offendingIndex = filterValues.findIndex(\n (value) => value !== tenantContext.tenantId,\n );\n if (offendingIndex !== -1) {\n const offending = filterValues[offendingIndex];\n opts.onIsolationViolation?.(\n className,\n tenantContext.tenantId,\n String(offending),\n context,\n );\n throw new TenantIsolationError(\n `Tenant isolation violation in ${className} query: ` +\n `context tenant is '${tenantContext.tenantId}' but query filters by '${String(offending)}'`,\n {\n tenantId: tenantContext.tenantId,\n attemptedTenantId: String(offending),\n },\n );\n }\n return; // Filter already correct\n }\n\n // Inject tenant filter\n return {\n ...listOptions,\n where: {\n ...where,\n [tenantField]: tenantContext.tenantId,\n },\n };\n },\n\n /**\n * Before get: Add tenant filter to single record fetches\n */\n beforeGet(\n className: string,\n filter: string | Record<string, unknown>,\n context: InterceptorContext,\n ): string | Record<string, unknown> | undefined {\n if (!isTenantScopedClass(className)) {\n return;\n }\n\n if (isSuperAdminBypass()) {\n return;\n }\n\n // Check for system context (explicit bypass via withSystemContext)\n if (isSystemContext()) {\n return; // System context bypasses tenant checks\n }\n\n const config = getTenantScopedConfig(className);\n const tenantContext = getCurrentTenant();\n\n if (!tenantContext) {\n if (config?.mode === 'required') {\n opts.onMissingContext?.(className, 'get', context);\n throw new TenantContextError(\n `Tenant context required for getting ${className}. ` +\n `Use withTenant() or configure TenantContext middleware.`,\n );\n }\n return;\n }\n\n const tenantField = config?.field || 'tenantId';\n\n // If filter is a string (ID), convert to object filter with tenant\n if (typeof filter === 'string') {\n return {\n id: filter,\n [tenantField]: tenantContext.tenantId,\n };\n }\n\n // Add tenant filter to object\n if (!(tenantField in filter)) {\n return {\n ...filter,\n [tenantField]: tenantContext.tenantId,\n };\n }\n\n // Validate existing filter. Like beforeList, accept scalar or\n // IN-style array filters (smrt-core auto-converts arrays to SQL IN).\n // See https://github.com/happyvertical/smrt/issues/1495\n const existingFilter = filter[tenantField];\n const filterValues = Array.isArray(existingFilter)\n ? existingFilter\n : [existingFilter];\n // findIndex (not find) so a literal null/undefined filter value is\n // still flagged as a violation rather than mistaken for \"not found\"\n const offendingIndex = filterValues.findIndex(\n (value) => value !== tenantContext.tenantId,\n );\n if (offendingIndex !== -1) {\n const offending = filterValues[offendingIndex];\n opts.onIsolationViolation?.(\n className,\n tenantContext.tenantId,\n String(offending),\n context,\n );\n throw new TenantIsolationError(\n `Tenant isolation violation in ${className} get: ` +\n `context tenant is '${tenantContext.tenantId}' but query filters by '${String(offending)}'`,\n {\n tenantId: tenantContext.tenantId,\n attemptedTenantId: String(offending),\n },\n );\n }\n\n return;\n },\n\n /**\n * Before query: Handle raw SQL on tenant-scoped classes\n */\n beforeQuery(\n className: string,\n queryOptions: QueryOptions,\n context: InterceptorContext,\n ): QueryInterceptResult | undefined {\n if (!isTenantScopedClass(className)) {\n return;\n }\n\n // Check for explicit bypass flag\n if (queryOptions.allowRawOnTenantScoped) {\n opts.onRawQuery?.(className, queryOptions.sql, context);\n return; // Explicitly allowed\n }\n\n if (isSuperAdminBypass()) {\n opts.onRawQuery?.(className, queryOptions.sql, context);\n return;\n }\n\n // Check for system context (explicit bypass via withSystemContext)\n if (isSystemContext()) {\n opts.onRawQuery?.(className, queryOptions.sql, context);\n return;\n }\n\n // Handle based on policy\n const message =\n `Raw SQL query attempted on tenant-scoped class ${className}. ` +\n `Use list()/get() for automatic tenant filtering, or call ` +\n `query() with { allowRawOnTenantScoped: true } if you're handling ` +\n `tenant filtering manually.`;\n\n opts.onRawQuery?.(className, queryOptions.sql, context);\n\n switch (opts.rawQueryPolicy) {\n case 'throw':\n throw new TenantIsolationError(message);\n\n case 'warn':\n logger.warn(`[smrt-tenancy] WARNING: ${message}`);\n return;\n default:\n return;\n }\n },\n\n /**\n * Before save: Validate tenant ID is set and matches context\n */\n beforeSave(instance: SmrtObject, context: InterceptorContext): void {\n // Use context.className which is always correct\n // (instance.constructor.name may not match for proxies or plain objects in tests)\n const className = context.className;\n\n // Stash isNew flag for afterSave dispatch detection\n if (opts.directoryClasses?.includes(className)) {\n const id = (instance as unknown as Record<string, unknown>).id;\n context.metadata = {\n ...context.metadata,\n _directoryIsNew: id === undefined || id === null,\n };\n }\n\n if (!isTenantScopedClass(className)) {\n return;\n }\n\n if (isSuperAdminBypass()) {\n return;\n }\n\n // Check for system context (explicit bypass via withSystemContext)\n if (isSystemContext()) {\n return; // System context bypasses tenant checks\n }\n\n const config = getTenantScopedConfig(className);\n const tenantField = config?.field || 'tenantId';\n const instanceRecord = instance as unknown as Record<string, unknown>;\n const instanceTenantId = instanceRecord[tenantField];\n\n const tenantContext = getCurrentTenant();\n\n // Check if tenant context is required\n if (!tenantContext) {\n if (config?.mode === 'required') {\n opts.onMissingContext?.(className, 'save', context);\n throw new TenantContextError(\n `Tenant context required for saving ${className}. ` +\n `Use withTenant() or configure TenantContext middleware.`,\n );\n }\n return; // Mode is 'optional'\n }\n\n // Auto-populate tenant ID if not set\n if (!instanceTenantId && config?.autoPopulate !== false) {\n instanceRecord[tenantField] = tenantContext.tenantId;\n return;\n }\n\n // Validate tenant ID matches context\n if (instanceTenantId && instanceTenantId !== tenantContext.tenantId) {\n const attemptedTenantId = String(instanceTenantId);\n opts.onIsolationViolation?.(\n className,\n tenantContext.tenantId,\n attemptedTenantId,\n context,\n );\n throw new TenantIsolationError(\n `Tenant isolation violation: cannot save ${className} with ` +\n `tenantId '${attemptedTenantId}' in context of tenant '${tenantContext.tenantId}'`,\n {\n tenantId: tenantContext.tenantId,\n attemptedTenantId,\n },\n );\n }\n },\n\n /**\n * Before delete: Validate instance belongs to current tenant\n */\n beforeDelete(instance: SmrtObject, context: InterceptorContext): void {\n // Use context.className which is always correct\n const className = context.className;\n\n if (!isTenantScopedClass(className)) {\n return;\n }\n\n if (isSuperAdminBypass()) {\n return;\n }\n\n // Check for system context (explicit bypass via withSystemContext)\n if (isSystemContext()) {\n return; // System context bypasses tenant checks\n }\n\n const config = getTenantScopedConfig(className);\n const tenantField = config?.field || 'tenantId';\n const instanceTenantId = (instance as unknown as Record<string, unknown>)[\n tenantField\n ];\n\n const tenantContext = getCurrentTenant();\n\n if (!tenantContext) {\n if (config?.mode === 'required') {\n opts.onMissingContext?.(className, 'delete', context);\n throw new TenantContextError(\n `Tenant context required for deleting ${className}. ` +\n `Use withTenant() or configure TenantContext middleware.`,\n );\n }\n return;\n }\n\n // Validate tenant ID matches\n if (instanceTenantId && instanceTenantId !== tenantContext.tenantId) {\n const attemptedTenantId = String(instanceTenantId);\n opts.onIsolationViolation?.(\n className,\n tenantContext.tenantId,\n attemptedTenantId,\n context,\n );\n throw new TenantIsolationError(\n `Tenant isolation violation: cannot delete ${className} with ` +\n `tenantId '${attemptedTenantId}' in context of tenant '${tenantContext.tenantId}'`,\n {\n tenantId: tenantContext.tenantId,\n attemptedTenantId,\n },\n );\n }\n },\n\n /**\n * After save: Emit directory dispatch for configured classes\n */\n async afterSave(\n instance: SmrtObject,\n context: InterceptorContext,\n ): Promise<void> {\n if (\n !opts.dispatchBus ||\n !opts.directoryClasses?.includes(context.className)\n )\n return;\n\n const instanceId = (instance as unknown as Record<string, unknown>).id;\n const sourceId = typeof instanceId === 'string' ? instanceId : undefined;\n const rawIsNew = context.metadata?._directoryIsNew;\n const isNew =\n typeof rawIsNew === 'boolean' ? rawIsNew : instanceId == null;\n const event = isNew\n ? `directory.${context.className.toLowerCase()}.created`\n : `directory.${context.className.toLowerCase()}.updated`;\n\n await opts.dispatchBus.emit(\n event,\n serializeInstance(instance, context.className),\n {\n source: 'smrt-tenancy',\n sourceId,\n },\n );\n },\n\n /**\n * After delete: Emit directory dispatch for configured classes\n */\n async afterDelete(\n instance: SmrtObject,\n context: InterceptorContext,\n ): Promise<void> {\n if (\n !opts.dispatchBus ||\n !opts.directoryClasses?.includes(context.className)\n )\n return;\n\n const instanceId = (instance as unknown as Record<string, unknown>).id;\n await opts.dispatchBus.emit(\n `directory.${context.className.toLowerCase()}.deleted`,\n serializeInstance(instance, context.className),\n {\n source: 'smrt-tenancy',\n sourceId: typeof instanceId === 'string' ? instanceId : undefined,\n },\n );\n },\n };\n}\n\n// ─────────────────────────────────────────────────────────────────────────────\n// Registration Functions\n// ─────────────────────────────────────────────────────────────────────────────\n\n// The enabled flag lives in `enabled-state.ts` (a leaf module) so `entry-point.ts`\n// can read it without importing this module — breaking the otherwise-circular\n// interceptor ↔ entry-point dependency.\nlet registeredInterceptor: CollectionInterceptor | null = null;\n\n/**\n * Enable tenant enforcement globally\n *\n * Call this once at application startup to enable automatic tenant isolation.\n *\n * @param options - Configuration options\n *\n * @example\n * ```typescript\n * // In your app initialization\n * import { enableTenancy } from '@happyvertical/smrt-tenancy';\n *\n * enableTenancy({\n * rawQueryPolicy: 'throw',\n * onMissingContext: (className, operation) => {\n * console.error(`Missing tenant context for ${operation} on ${className}`);\n * }\n * });\n * ```\n */\nexport function enableTenancy(options: TenantInterceptorOptions = {}): void {\n if (isTenancyEnabled()) {\n logger.warn(\n '[smrt-tenancy] Tenancy is already enabled. Call disableTenancy() first to reconfigure.',\n );\n return;\n }\n\n registeredInterceptor = createTenantInterceptor(options);\n GlobalInterceptors.register(registeredInterceptor);\n\n // Wire the DispatchBus tenant-scope resolver (S5 #1398). Core cannot depend\n // on tenancy, so it reads the active tenant through this injected hook; the\n // bus stamps/filters dispatches by the active tenant only while tenancy is\n // enabled. Mirrors the GlobalInterceptors inversion above.\n setDispatchTenantResolver(() => getTenantId());\n\n // Wire the fail-closed tenant gate for generated CLI/MCP entry points (#1554).\n // Core invokes this runner around tenant-scoped CLI/MCP execution; without it\n // (tenancy disabled) those surfaces pass through unchanged.\n setTenantEntryPointRunner(runTenantScopedEntryPoint);\n\n setTenancyEnabled(true);\n}\n\n/**\n * Disable global tenant enforcement.\n *\n * Unregisters the interceptor previously installed by `enableTenancy()` and\n * resets the internal enabled flag so `enableTenancy()` can be called again.\n * Idempotent — safe to call even when tenancy was never enabled.\n *\n * Common use-cases:\n * - Test teardown (via `resetTenancy()`).\n * - Temporarily disabling tenancy before reconfiguring with new options.\n *\n * @example\n * ```typescript\n * afterAll(() => {\n * disableTenancy();\n * });\n * ```\n *\n * @see enableTenancy\n * @see isTenancyEnabled\n * @see resetTenancy\n */\nexport function disableTenancy(): void {\n if (!isTenancyEnabled() || !registeredInterceptor) {\n return;\n }\n\n GlobalInterceptors.unregister(registeredInterceptor);\n // Clear the DispatchBus tenant resolver so the bus reverts to its no-op\n // (pre-tenancy) behavior when tenancy is disabled.\n setDispatchTenantResolver(undefined);\n // Clear the CLI/MCP tenant gate so those surfaces pass through (#1554).\n setTenantEntryPointRunner(undefined);\n registeredInterceptor = null;\n setTenancyEnabled(false);\n}\n\n/**\n * Return `true` if tenant enforcement is currently active.\n *\n * Reflects whether `enableTenancy()` has been called and the interceptor has not\n * yet been removed by `disableTenancy()`. Re-exported from `enabled-state.ts`\n * (the shared leaf module) so the public API surface is unchanged.\n *\n * @see enableTenancy\n * @see disableTenancy\n */\nexport { isTenancyEnabled };\n","/**\n * Testing Utilities for smrt-tenancy\n *\n * Helpers for testing tenant-scoped applications.\n *\n * @example\n * ```typescript\n * import { createTestTenantContext, resetTenancy } from '@happyvertical/smrt-tenancy/testing';\n *\n * beforeEach(() => {\n * resetTenancy(); // Clear all state\n * });\n *\n * it('should filter by tenant', async () => {\n * await createTestTenantContext({ tenantId: 'tenant-1' }, async () => {\n * const docs = await collection.list({});\n * // Only tenant-1 documents\n * });\n * });\n * ```\n */\n\nimport {\n type MinimalTenantContext,\n type TenantContextData,\n withTenant,\n} from './context.js';\nimport { disableTenancy, enableTenancy } from './interceptor.js';\nimport { clearTenantScopedRegistry } from './registry.js';\n\n/**\n * Reset all tenancy state (for use in beforeEach/afterEach)\n *\n * This clears:\n * - Registered interceptors\n * - Tenant-scoped class registry\n *\n * @example\n * ```typescript\n * afterEach(() => {\n * resetTenancy();\n * });\n * ```\n */\nexport function resetTenancy(): void {\n disableTenancy();\n clearTenantScopedRegistry();\n}\n\n/**\n * Create a test tenant context and run code within it\n *\n * Convenience wrapper around withTenant() with sensible defaults for testing.\n *\n * @param context - Tenant context (can be minimal, just tenantId)\n * @param fn - Async function to run in the context\n *\n * @example\n * ```typescript\n * await createTestTenantContext({ tenantId: 'test-tenant' }, async () => {\n * const product = await collection.create({ name: 'Test' });\n * expect(product.tenantId).toBe('test-tenant');\n * });\n * ```\n */\nexport async function createTestTenantContext<T>(\n context: MinimalTenantContext | TenantContextData,\n fn: () => Promise<T>,\n): Promise<T> {\n return withTenant(context, fn);\n}\n\n/**\n * Create multiple tenant contexts for isolation testing\n *\n * @param tenantIds - Array of tenant IDs to create contexts for\n * @param fn - Function that receives an object mapping tenant IDs to context runners\n *\n * @example\n * ```typescript\n * await testTenantIsolation(['tenant-a', 'tenant-b'], async (tenants) => {\n * // Create in tenant A\n * const docA = await tenants['tenant-a'](async () => {\n * return collection.create({ title: 'A doc' });\n * });\n *\n * // Verify not visible in tenant B\n * await tenants['tenant-b'](async () => {\n * const found = await collection.get(docA.id);\n * expect(found).toBeNull();\n * });\n * });\n * ```\n */\nexport async function testTenantIsolation<T>(\n tenantIds: string[],\n fn: (\n tenants: Record<string, <R>(runner: () => Promise<R>) => Promise<R>>,\n ) => Promise<T>,\n): Promise<T> {\n const tenants: Record<string, <R>(runner: () => Promise<R>) => Promise<R>> =\n {};\n\n for (const tenantId of tenantIds) {\n tenants[tenantId] = async <R>(runner: () => Promise<R>) => {\n return withTenant({ tenantId }, runner);\n };\n }\n\n return fn(tenants);\n}\n\n/**\n * Options for `setupTestTenancy()`.\n *\n * @see setupTestTenancy\n */\nexport interface SetupTestTenancyOptions {\n /**\n * Enable tenancy interceptors\n * @default true\n */\n enableInterceptors?: boolean;\n\n /**\n * Raw query policy for tests\n * @default 'throw'\n */\n rawQueryPolicy?: 'throw' | 'warn' | 'allow';\n}\n\n/**\n * Set up tenancy for a test suite\n *\n * Call in beforeAll or at the start of tests to configure tenancy.\n *\n * @param options - Setup options\n *\n * @example\n * ```typescript\n * beforeAll(() => {\n * setupTestTenancy({ enableInterceptors: true });\n * });\n *\n * afterAll(() => {\n * resetTenancy();\n * });\n * ```\n */\nexport function setupTestTenancy(options: SetupTestTenancyOptions = {}): void {\n const { enableInterceptors = true, rawQueryPolicy = 'throw' } = options;\n\n // Clear any existing state\n resetTenancy();\n\n // Enable interceptors if requested\n if (enableInterceptors) {\n enableTenancy({ rawQueryPolicy });\n }\n}\n\n/**\n * Assert that executing `fn` throws a `TenantContextError`.\n *\n * Fails with a descriptive message if `fn` completes without throwing, or if\n * it throws a different error type. Optionally verifies that the error message\n * contains a specific substring.\n *\n * Useful for testing that business-logic code correctly rejects calls that are\n * made outside a tenant context.\n *\n * @param fn - Async function that should throw `TenantContextError`.\n * @param messageContains - Optional substring the error message must include.\n *\n * @example\n * ```typescript\n * await assertTenantContextRequired(async () => {\n * // No withTenant() in scope\n * await documentCollection.list({});\n * });\n * ```\n *\n * @see assertTenantIsolationViolation\n * @see TenantContextError\n */\nexport async function assertTenantContextRequired(\n fn: () => Promise<unknown>,\n messageContains?: string,\n): Promise<void> {\n try {\n await fn();\n throw new Error('Expected TenantContextError but no error was thrown');\n } catch (error: unknown) {\n const err = error as Error & { code?: string };\n if (err.code !== 'TENANT_CONTEXT_REQUIRED') {\n throw new Error(\n `Expected TenantContextError but got ${err.constructor.name}: ${err.message}`,\n );\n }\n if (messageContains && !err.message.includes(messageContains)) {\n throw new Error(\n `Expected error message to contain '${messageContains}' but got: ${err.message}`,\n );\n }\n }\n}\n\n/**\n * Assert that executing `fn` throws a `TenantIsolationError`.\n *\n * Fails with a descriptive message if `fn` completes without throwing, or if\n * it throws a different error type. Optionally verifies that the error message\n * contains a specific substring.\n *\n * Use this to verify that cross-tenant data access attempts are correctly\n * blocked by the interceptor.\n *\n * @param fn - Async function that should throw `TenantIsolationError`.\n * @param messageContains - Optional substring the error message must include.\n *\n * @example\n * ```typescript\n * await withTenant({ tenantId: 'tenant-a' }, async () => {\n * await assertTenantIsolationViolation(async () => {\n * // Attempt to filter by a different tenant\n * await collection.list({ where: { tenantId: 'tenant-b' } });\n * });\n * });\n * ```\n *\n * @see assertTenantContextRequired\n * @see TenantIsolationError\n */\nexport async function assertTenantIsolationViolation(\n fn: () => Promise<unknown>,\n messageContains?: string,\n): Promise<void> {\n try {\n await fn();\n throw new Error('Expected TenantIsolationError but no error was thrown');\n } catch (error: unknown) {\n const err = error as Error & { code?: string };\n if (err.code !== 'TENANT_ISOLATION_VIOLATION') {\n throw new Error(\n `Expected TenantIsolationError but got ${err.constructor.name}: ${err.message}`,\n );\n }\n if (messageContains && !err.message.includes(messageContains)) {\n throw new Error(\n `Expected error message to contain '${messageContains}' but got: ${err.message}`,\n );\n }\n }\n}\n"],"names":[],"mappings":";;;AA6DA,MAAM,iBAAqC;AAAA,EACzC,MAAM;AAAA,EACN,OAAO;AAAA,EACP,YAAY;AAAA,EACZ,cAAc;AAAA,EACd,uBAAuB;AACzB;AAGA,MAAM,0CAA0B,IAAA;AAwBzB,SAAS,0BACd,WACA,SAAsC,IAChC;AACN,sBAAoB,IAAI,WAAW;AAAA,IACjC,GAAG;AAAA,IACH,GAAG;AAAA,EAAA,CACJ;AACH;AAaO,SAAS,4BAA4B,WAAyB;AACnE,sBAAoB,OAAO,SAAS;AACtC;AAYA,SAAS,kBAAkB,WAA2B;AACpD,QAAM,MAAM,UAAU,YAAY,GAAG;AACrC,SAAO,QAAQ,KAAK,YAAY,UAAU,MAAM,MAAM,CAAC;AACzD;AAQA,SAAS,YAAY,QAAgD;AACnE,SAAO,EAAE,GAAG,OAAA;AACd;AAiBA,SAAS,4BACP,WACgC;AAEhC,QAAM,cAAc,oBAAoB,IAAI,SAAS;AACrD,MAAI,aAAa;AACf,WAAO,YAAY,WAAW;AAAA,EAChC;AAKA,QAAM,aAAa,eAAe,sBAAsB,SAAS;AACjE,MAAI,YAAY;AAEd,WAAO;AAAA,MACL,MAAM,WAAW;AAAA,MACjB,OAAO,WAAW;AAAA,MAClB,YAAY,WAAW;AAAA,MACvB,cAAc,WAAW;AAAA,MACzB,uBAAuB,WAAW;AAAA,IAAA;AAAA,EAEtC;AAEA,SAAO;AACT;AA0BA,SAAS,+BACP,WACgC;AAKhC,QAAM,QAAQ,eAAe,oBAAoB,SAAS;AAG1D,WAAS,IAAI,MAAM,SAAS,GAAG,KAAK,GAAG,KAAK;AAC1C,UAAM,WAAW,MAAM,CAAC;AAKxB,UAAM,SAAS,4BAA4B,QAAQ;AACnD,QAAI,QAAQ;AACV,aAAO;AAAA,IACT;AAWA,UAAM,SAAS,kBAAkB,QAAQ;AACzC,QAAI,WAAW,UAAU;AACvB,YAAM,WAAW,oBAAoB,IAAI,MAAM;AAC/C,UAAI,UAAU;AACZ,eAAO,YAAY,QAAQ;AAAA,MAC7B;AAAA,IACF;AAAA,EACF;AACA,SAAO;AACT;AAoBO,SAAS,sBACd,WACgC;AAEhC,QAAM,SAAS,4BAA4B,SAAS;AACpD,MAAI,QAAQ;AACV,WAAO;AAAA,EACT;AAEA,SAAO,+BAA+B,SAAS;AACjD;AAaO,SAAS,oBAAoB,WAA4B;AAC9D,SAAO,sBAAsB,SAAS,MAAM;AAC9C;AAeO,SAAS,4BAA6D;AAC3E,SAAO,IAAI,IAAI,mBAAmB;AACpC;AAWO,SAAS,4BAAkC;AAChD,sBAAoB,MAAA;AACtB;ACzTA,IAAI,UAAU;AAQP,SAAS,kBAAkB,OAAsB;AACtD,YAAU;AACZ;AAQO,SAAS,mBAA4B;AAC1C,SAAO;AACT;ACkEA,eAAsB,0BACpB,SACA,IACY;AACZ,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA,mBAAmB;AAAA,IACnB,UAAU;AAAA,EAAA,IACR;AAIJ,QAAM,SACJ,OAAO,iBAAiB,YACpB,eACA,YACE,oBAAoB,SAAS,IAC7B;AAMR,MAAI,CAAC,OAAQ,QAAO,GAAA;AACpB,MAAI,iBAAA,KAAsB,gBAAA,UAA0B,GAAA;AAKpD,MAAI,kBAAkB;AACpB,WAAO,kBAAkB,EAAE;AAAA,EAC7B;AAGA,MAAI,OAAO,aAAa,YAAY,UAAU;AAC5C,WAAO,WAAW,EAAE,SAAA,GAAY,EAAE;AAAA,EACpC;AAGA,MAAI,oBAAoB;AACtB,UAAM,IAAI;AAAA,MACR,wDAAwD,OAAO;AAAA,IAAA;AAAA,EAInE;AAGA,SAAO,GAAA;AACT;AChHA,MAAM,SAAS,aAAa,EAAE,OAAO,QAAQ;AAiF7C,MAAM,kBAA4C;AAAA,EAChD,gBAAgB;AAClB;AAYA,SAAS,kBACP,UACA,WACyB;AAQzB,QAAM,cAAe,SAAkC;AACvD,MAAI,OAAO,gBAAgB,YAAY;AACrC,WAAO;AAAA,MACL;AAAA,MACA,GAAI,YAAY,KAAK,QAAQ;AAAA,IAAA;AAAA,EAEjC;AAIA,QAAM,SAAkC,EAAE,UAAA;AAC1C,QAAM,SAAS;AACf,aAAW,OAAO,OAAO,KAAK,QAAQ,GAAG;AACvC,UAAM,QAAQ,OAAO,GAAG;AACxB,QAAI,OAAO,UAAU,YAAY;AAC/B,aAAO,GAAG,IAAI;AAAA,IAChB;AAAA,EACF;AACA,SAAO;AACT;AAwCO,SAAS,wBACd,UAAoC,IACb;AACvB,QAAM,OAAO,EAAE,GAAG,iBAAiB,GAAG,QAAA;AAEtC,SAAO;AAAA,IACL,MAAM;AAAA,IACN,UAAU;AAAA;AAAA;AAAA;AAAA;AAAA,IAKV,WACE,WACA,aACA,SACyB;AAEzB,UAAI,CAAC,oBAAoB,SAAS,GAAG;AACnC;AAAA,MACF;AAGA,UAAI,sBAAsB;AACxB;AAAA,MACF;AAGA,UAAI,mBAAmB;AACrB;AAAA,MACF;AAEA,YAAM,SAAS,sBAAsB,SAAS;AAC9C,YAAM,gBAAgB,iBAAA;AAGtB,UAAI,CAAC,eAAe;AAClB,YAAI,QAAQ,SAAS,YAAY;AAC/B,eAAK,mBAAmB,WAAW,QAAQ,OAAO;AAClD,gBAAM,IAAI;AAAA,YACR,uCAAuC,SAAS;AAAA,UAAA;AAAA,QAGpD;AACA;AAAA,MACF;AAGA,YAAM,cAAc,QAAQ,SAAS;AACrC,YAAM,QAAQ,YAAY,SAAS,CAAA;AAGnC,UAAI,eAAe,OAAO;AAMxB,cAAM,iBAAiB,MAAM,WAAW;AACxC,cAAM,eAAe,MAAM,QAAQ,cAAc,IAC7C,iBACA,CAAC,cAAc;AAGnB,cAAM,iBAAiB,aAAa;AAAA,UAClC,CAAC,UAAU,UAAU,cAAc;AAAA,QAAA;AAErC,YAAI,mBAAmB,IAAI;AACzB,gBAAM,YAAY,aAAa,cAAc;AAC7C,eAAK;AAAA,YACH;AAAA,YACA,cAAc;AAAA,YACd,OAAO,SAAS;AAAA,YAChB;AAAA,UAAA;AAEF,gBAAM,IAAI;AAAA,YACR,iCAAiC,SAAS,8BAClB,cAAc,QAAQ,2BAA2B,OAAO,SAAS,CAAC;AAAA,YAC1F;AAAA,cACE,UAAU,cAAc;AAAA,cACxB,mBAAmB,OAAO,SAAS;AAAA,YAAA;AAAA,UACrC;AAAA,QAEJ;AACA;AAAA,MACF;AAGA,aAAO;AAAA,QACL,GAAG;AAAA,QACH,OAAO;AAAA,UACL,GAAG;AAAA,UACH,CAAC,WAAW,GAAG,cAAc;AAAA,QAAA;AAAA,MAC/B;AAAA,IAEJ;AAAA;AAAA;AAAA;AAAA,IAKA,UACE,WACA,QACA,SAC8C;AAC9C,UAAI,CAAC,oBAAoB,SAAS,GAAG;AACnC;AAAA,MACF;AAEA,UAAI,sBAAsB;AACxB;AAAA,MACF;AAGA,UAAI,mBAAmB;AACrB;AAAA,MACF;AAEA,YAAM,SAAS,sBAAsB,SAAS;AAC9C,YAAM,gBAAgB,iBAAA;AAEtB,UAAI,CAAC,eAAe;AAClB,YAAI,QAAQ,SAAS,YAAY;AAC/B,eAAK,mBAAmB,WAAW,OAAO,OAAO;AACjD,gBAAM,IAAI;AAAA,YACR,uCAAuC,SAAS;AAAA,UAAA;AAAA,QAGpD;AACA;AAAA,MACF;AAEA,YAAM,cAAc,QAAQ,SAAS;AAGrC,UAAI,OAAO,WAAW,UAAU;AAC9B,eAAO;AAAA,UACL,IAAI;AAAA,UACJ,CAAC,WAAW,GAAG,cAAc;AAAA,QAAA;AAAA,MAEjC;AAGA,UAAI,EAAE,eAAe,SAAS;AAC5B,eAAO;AAAA,UACL,GAAG;AAAA,UACH,CAAC,WAAW,GAAG,cAAc;AAAA,QAAA;AAAA,MAEjC;AAKA,YAAM,iBAAiB,OAAO,WAAW;AACzC,YAAM,eAAe,MAAM,QAAQ,cAAc,IAC7C,iBACA,CAAC,cAAc;AAGnB,YAAM,iBAAiB,aAAa;AAAA,QAClC,CAAC,UAAU,UAAU,cAAc;AAAA,MAAA;AAErC,UAAI,mBAAmB,IAAI;AACzB,cAAM,YAAY,aAAa,cAAc;AAC7C,aAAK;AAAA,UACH;AAAA,UACA,cAAc;AAAA,UACd,OAAO,SAAS;AAAA,UAChB;AAAA,QAAA;AAEF,cAAM,IAAI;AAAA,UACR,iCAAiC,SAAS,4BAClB,cAAc,QAAQ,2BAA2B,OAAO,SAAS,CAAC;AAAA,UAC1F;AAAA,YACE,UAAU,cAAc;AAAA,YACxB,mBAAmB,OAAO,SAAS;AAAA,UAAA;AAAA,QACrC;AAAA,MAEJ;AAEA;AAAA,IACF;AAAA;AAAA;AAAA;AAAA,IAKA,YACE,WACA,cACA,SACkC;AAClC,UAAI,CAAC,oBAAoB,SAAS,GAAG;AACnC;AAAA,MACF;AAGA,UAAI,aAAa,wBAAwB;AACvC,aAAK,aAAa,WAAW,aAAa,KAAK,OAAO;AACtD;AAAA,MACF;AAEA,UAAI,sBAAsB;AACxB,aAAK,aAAa,WAAW,aAAa,KAAK,OAAO;AACtD;AAAA,MACF;AAGA,UAAI,mBAAmB;AACrB,aAAK,aAAa,WAAW,aAAa,KAAK,OAAO;AACtD;AAAA,MACF;AAGA,YAAM,UACJ,kDAAkD,SAAS;AAK7D,WAAK,aAAa,WAAW,aAAa,KAAK,OAAO;AAEtD,cAAQ,KAAK,gBAAA;AAAA,QACX,KAAK;AACH,gBAAM,IAAI,qBAAqB,OAAO;AAAA,QAExC,KAAK;AACH,iBAAO,KAAK,2BAA2B,OAAO,EAAE;AAChD;AAAA,QACF;AACE;AAAA,MAAA;AAAA,IAEN;AAAA;AAAA;AAAA;AAAA,IAKA,WAAW,UAAsB,SAAmC;AAGlE,YAAM,YAAY,QAAQ;AAG1B,UAAI,KAAK,kBAAkB,SAAS,SAAS,GAAG;AAC9C,cAAM,KAAM,SAAgD;AAC5D,gBAAQ,WAAW;AAAA,UACjB,GAAG,QAAQ;AAAA,UACX,iBAAiB,OAAO,UAAa,OAAO;AAAA,QAAA;AAAA,MAEhD;AAEA,UAAI,CAAC,oBAAoB,SAAS,GAAG;AACnC;AAAA,MACF;AAEA,UAAI,sBAAsB;AACxB;AAAA,MACF;AAGA,UAAI,mBAAmB;AACrB;AAAA,MACF;AAEA,YAAM,SAAS,sBAAsB,SAAS;AAC9C,YAAM,cAAc,QAAQ,SAAS;AACrC,YAAM,iBAAiB;AACvB,YAAM,mBAAmB,eAAe,WAAW;AAEnD,YAAM,gBAAgB,iBAAA;AAGtB,UAAI,CAAC,eAAe;AAClB,YAAI,QAAQ,SAAS,YAAY;AAC/B,eAAK,mBAAmB,WAAW,QAAQ,OAAO;AAClD,gBAAM,IAAI;AAAA,YACR,sCAAsC,SAAS;AAAA,UAAA;AAAA,QAGnD;AACA;AAAA,MACF;AAGA,UAAI,CAAC,oBAAoB,QAAQ,iBAAiB,OAAO;AACvD,uBAAe,WAAW,IAAI,cAAc;AAC5C;AAAA,MACF;AAGA,UAAI,oBAAoB,qBAAqB,cAAc,UAAU;AACnE,cAAM,oBAAoB,OAAO,gBAAgB;AACjD,aAAK;AAAA,UACH;AAAA,UACA,cAAc;AAAA,UACd;AAAA,UACA;AAAA,QAAA;AAEF,cAAM,IAAI;AAAA,UACR,2CAA2C,SAAS,mBACrC,iBAAiB,2BAA2B,cAAc,QAAQ;AAAA,UACjF;AAAA,YACE,UAAU,cAAc;AAAA,YACxB;AAAA,UAAA;AAAA,QACF;AAAA,MAEJ;AAAA,IACF;AAAA;AAAA;AAAA;AAAA,IAKA,aAAa,UAAsB,SAAmC;AAEpE,YAAM,YAAY,QAAQ;AAE1B,UAAI,CAAC,oBAAoB,SAAS,GAAG;AACnC;AAAA,MACF;AAEA,UAAI,sBAAsB;AACxB;AAAA,MACF;AAGA,UAAI,mBAAmB;AACrB;AAAA,MACF;AAEA,YAAM,SAAS,sBAAsB,SAAS;AAC9C,YAAM,cAAc,QAAQ,SAAS;AACrC,YAAM,mBAAoB,SACxB,WACF;AAEA,YAAM,gBAAgB,iBAAA;AAEtB,UAAI,CAAC,eAAe;AAClB,YAAI,QAAQ,SAAS,YAAY;AAC/B,eAAK,mBAAmB,WAAW,UAAU,OAAO;AACpD,gBAAM,IAAI;AAAA,YACR,wCAAwC,SAAS;AAAA,UAAA;AAAA,QAGrD;AACA;AAAA,MACF;AAGA,UAAI,oBAAoB,qBAAqB,cAAc,UAAU;AACnE,cAAM,oBAAoB,OAAO,gBAAgB;AACjD,aAAK;AAAA,UACH;AAAA,UACA,cAAc;AAAA,UACd;AAAA,UACA;AAAA,QAAA;AAEF,cAAM,IAAI;AAAA,UACR,6CAA6C,SAAS,mBACvC,iBAAiB,2BAA2B,cAAc,QAAQ;AAAA,UACjF;AAAA,YACE,UAAU,cAAc;AAAA,YACxB;AAAA,UAAA;AAAA,QACF;AAAA,MAEJ;AAAA,IACF;AAAA;AAAA;AAAA;AAAA,IAKA,MAAM,UACJ,UACA,SACe;AACf,UACE,CAAC,KAAK,eACN,CAAC,KAAK,kBAAkB,SAAS,QAAQ,SAAS;AAElD;AAEF,YAAM,aAAc,SAAgD;AACpE,YAAM,WAAW,OAAO,eAAe,WAAW,aAAa;AAC/D,YAAM,WAAW,QAAQ,UAAU;AACnC,YAAM,QACJ,OAAO,aAAa,YAAY,WAAW,cAAc;AAC3D,YAAM,QAAQ,QACV,aAAa,QAAQ,UAAU,YAAA,CAAa,aAC5C,aAAa,QAAQ,UAAU,YAAA,CAAa;AAEhD,YAAM,KAAK,YAAY;AAAA,QACrB;AAAA,QACA,kBAAkB,UAAU,QAAQ,SAAS;AAAA,QAC7C;AAAA,UACE,QAAQ;AAAA,UACR;AAAA,QAAA;AAAA,MACF;AAAA,IAEJ;AAAA;AAAA;AAAA;AAAA,IAKA,MAAM,YACJ,UACA,SACe;AACf,UACE,CAAC,KAAK,eACN,CAAC,KAAK,kBAAkB,SAAS,QAAQ,SAAS;AAElD;AAEF,YAAM,aAAc,SAAgD;AACpE,YAAM,KAAK,YAAY;AAAA,QACrB,aAAa,QAAQ,UAAU,YAAA,CAAa;AAAA,QAC5C,kBAAkB,UAAU,QAAQ,SAAS;AAAA,QAC7C;AAAA,UACE,QAAQ;AAAA,UACR,UAAU,OAAO,eAAe,WAAW,aAAa;AAAA,QAAA;AAAA,MAC1D;AAAA,IAEJ;AAAA,EAAA;AAEJ;AASA,IAAI,wBAAsD;AAsBnD,SAAS,cAAc,UAAoC,IAAU;AAC1E,MAAI,oBAAoB;AACtB,WAAO;AAAA,MACL;AAAA,IAAA;AAEF;AAAA,EACF;AAEA,0BAAwB,wBAAwB,OAAO;AACvD,qBAAmB,SAAS,qBAAqB;AAMjD,4BAA0B,MAAM,aAAa;AAK7C,4BAA0B,yBAAyB;AAEnD,oBAAkB,IAAI;AACxB;AAwBO,SAAS,iBAAuB;AACrC,MAAI,CAAC,sBAAsB,CAAC,uBAAuB;AACjD;AAAA,EACF;AAEA,qBAAmB,WAAW,qBAAqB;AAGnD,4BAA0B,MAAS;AAEnC,4BAA0B,MAAS;AACnC,0BAAwB;AACxB,oBAAkB,KAAK;AACzB;AC/pBO,SAAS,eAAqB;AACnC,iBAAA;AACA,4BAAA;AACF;AAkBA,eAAsB,wBACpB,SACA,IACY;AACZ,SAAO,WAAW,SAAS,EAAE;AAC/B;AAwBA,eAAsB,oBACpB,WACA,IAGY;AACZ,QAAM,UACJ,CAAA;AAEF,aAAW,YAAY,WAAW;AAChC,YAAQ,QAAQ,IAAI,OAAU,WAA6B;AACzD,aAAO,WAAW,EAAE,SAAA,GAAY,MAAM;AAAA,IACxC;AAAA,EACF;AAEA,SAAO,GAAG,OAAO;AACnB;AAuCO,SAAS,iBAAiB,UAAmC,IAAU;AAC5E,QAAM,EAAE,qBAAqB,MAAM,iBAAiB,YAAY;AAGhE,eAAA;AAGA,MAAI,oBAAoB;AACtB,kBAAc,EAAE,gBAAgB;AAAA,EAClC;AACF;AA0BA,eAAsB,4BACpB,IACA,iBACe;AACf,MAAI;AACF,UAAM,GAAA;AACN,UAAM,IAAI,MAAM,qDAAqD;AAAA,EACvE,SAAS,OAAgB;AACvB,UAAM,MAAM;AACZ,QAAI,IAAI,SAAS,2BAA2B;AAC1C,YAAM,IAAI;AAAA,QACR,uCAAuC,IAAI,YAAY,IAAI,KAAK,IAAI,OAAO;AAAA,MAAA;AAAA,IAE/E;AACA,QAAI,mBAAmB,CAAC,IAAI,QAAQ,SAAS,eAAe,GAAG;AAC7D,YAAM,IAAI;AAAA,QACR,sCAAsC,eAAe,cAAc,IAAI,OAAO;AAAA,MAAA;AAAA,IAElF;AAAA,EACF;AACF;AA4BA,eAAsB,+BACpB,IACA,iBACe;AACf,MAAI;AACF,UAAM,GAAA;AACN,UAAM,IAAI,MAAM,uDAAuD;AAAA,EACzE,SAAS,OAAgB;AACvB,UAAM,MAAM;AACZ,QAAI,IAAI,SAAS,8BAA8B;AAC7C,YAAM,IAAI;AAAA,QACR,yCAAyC,IAAI,YAAY,IAAI,KAAK,IAAI,OAAO;AAAA,MAAA;AAAA,IAEjF;AACA,QAAI,mBAAmB,CAAC,IAAI,QAAQ,SAAS,eAAe,GAAG;AAC7D,YAAM,IAAI;AAAA,QACR,sCAAsC,eAAe,cAAc,IAAI,OAAO;AAAA,MAAA;AAAA,IAElF;AAAA,EACF;AACF;"}
package/dist/index.js CHANGED
@@ -2,8 +2,8 @@ import { ObjectRegistry, applyPendingDecoratorRegistrations, registerCompatibleF
2
2
  import { c, a, b } from "./chunks/sveltekit-C2HTOgcm.js";
3
3
  import { g as getCurrentTenant, i as isSuperAdminBypass, T as TenantIsolationError } from "./chunks/context-DfTygamS.js";
4
4
  import { b as b2, c as c2, e, d, h, f, r, j, k, a as a2, w, l } from "./chunks/context-DfTygamS.js";
5
- import { r as registerTenantScopedClass } from "./chunks/testing-DyAqaOBC.js";
6
- import { a as a3, b as b3, c as c3, d as d2, e as e2, f as f2, g, h as h2, i, j as j2, k as k2, l as l2, m, s, t, u } from "./chunks/testing-DyAqaOBC.js";
5
+ import { r as registerTenantScopedClass } from "./chunks/testing-BWF_N0FL.js";
6
+ import { a as a3, b as b3, c as c3, d as d2, e as e2, f as f2, g, h as h2, i, j as j2, k as k2, l as l2, m, s, t, u } from "./chunks/testing-BWF_N0FL.js";
7
7
  ObjectRegistry.registerPackageManifest(
8
8
  new URL("./manifest.json", import.meta.url)
9
9
  );
package/dist/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"index.js","sources":["../src/__smrt-register__.ts","../src/decorators.ts","../src/fields.ts","../src/tenant-global-queries.ts"],"sourcesContent":["/**\n * Self-registers this package's build-time manifest before any @smrt() decorator\n * in the package fires. Fixes issue #1132: in consumer runtimes (tsx, SvelteKit\n * SSR, plain `vite dev`) the decorator's synchronous manifest lookup previously\n * missed because no step populated the global manifest cache — classes got\n * registered with zero fields and `save()` / `toJSON()` silently dropped every\n * declared property.\n *\n * Import this module as the first statement in `src/index.ts` so its top-level\n * side effect runs ahead of any class module's @smrt() decorator.\n *\n * Silent no-op in dev/test, where the vitest plugin already populates manifests\n * via a different path. Only needs to succeed in the published dist output.\n *\n * @see https://github.com/happyvertical/smrt/issues/1132\n */\nimport { ObjectRegistry } from '@happyvertical/smrt-core';\n\n// `new URL('./manifest.json', import.meta.url)` resolves at runtime to the\n// manifest sitting next to this module's compiled output. Vite warns at build\n// time that it cannot pre-resolve the URL; that is the intended behavior —\n// the URL must resolve to dist/manifest.json at runtime, not be inlined.\nObjectRegistry.registerPackageManifest(\n new URL('./manifest.json', import.meta.url),\n);\n","/**\n * Tenancy Decorators\n *\n * Provides class and property decorators for tenant-scoped SMRT objects.\n *\n * @example\n * ```typescript\n * import { smrt, SmrtObject } from '@happyvertical/smrt-core';\n * import { TenantScoped, tenantId } from '@happyvertical/smrt-tenancy';\n *\n * @smrt()\n * @TenantScoped({ mode: 'optional' })\n * class Document extends SmrtObject {\n * @tenantId({ nullable: true })\n * tenantId: string | null = null; // null = global document\n *\n * title: string = '';\n * }\n * ```\n *\n * @see https://github.com/happyvertical/smrt/issues/675\n * @see https://github.com/happyvertical/smrt/issues/829\n */\n\nimport {\n applyPendingDecoratorRegistrations,\n type CompatiblePropertyDecorator,\n type CompatiblePropertyDecoratorContext,\n type LegacyPropertyDecoratorTarget,\n ObjectRegistry,\n registerCompatibleFieldDecorator,\n} from '@happyvertical/smrt-core';\nimport type { TenantIdFieldOptions } from './fields.js';\nimport {\n registerTenantScopedClass,\n type TenantScopedConfig,\n} from './registry.js';\n\n/**\n * Options accepted by the `@TenantScoped()` class decorator.\n *\n * All fields are optional; defaults match the most restrictive safe behaviour\n * (required mode, auto-filter and auto-populate enabled, no super-admin bypass).\n *\n * @see TenantScoped\n * @see TenantScopedConfig\n */\nexport interface TenantScopedOptions {\n /**\n * Tenancy mode for this class\n * - 'required': Must have tenant context for all operations (default)\n * - 'optional': Works with or without tenant context\n */\n mode?: 'required' | 'optional';\n\n /**\n * Field name containing tenant ID\n * @default 'tenantId'\n */\n field?: string;\n\n /**\n * Auto-filter all queries by tenant\n * @default true\n */\n autoFilter?: boolean;\n\n /**\n * Auto-populate tenant ID from context on create\n * @default true\n */\n autoPopulate?: boolean;\n\n /**\n * Allow super admin bypass for this class\n * @default false - must be explicitly enabled\n */\n allowSuperAdminBypass?: boolean;\n}\n\n/**\n * Mark a class as tenant-scoped\n *\n * This decorator registers the class with the tenancy system so that:\n * - list()/get() queries are automatically filtered by tenant\n * - save() validates tenant ID matches current context\n * - delete() validates tenant ownership\n * - Raw SQL queries trigger policy enforcement\n *\n * @param options - Configuration options\n *\n * @example Basic usage (required tenancy)\n * ```typescript\n * @smrt()\n * @TenantScoped()\n * class Document extends SmrtObject {\n * @tenantId()\n * tenantId: string = '';\n *\n * title: string = '';\n * }\n * ```\n *\n * @example With super admin bypass enabled\n * ```typescript\n * @smrt()\n * @TenantScoped({ allowSuperAdminBypass: true })\n * class AuditLog extends SmrtObject {\n * @tenantId()\n * tenantId: string = '';\n *\n * action: string = '';\n * }\n * ```\n *\n * @example Optional tenancy (works with or without context)\n * ```typescript\n * @smrt()\n * @TenantScoped({ mode: 'optional' })\n * class GlobalConfig extends SmrtObject {\n * @tenantId({ nullable: true })\n * tenantId: string | null = null; // null = global, string = tenant-specific\n *\n * key: string = '';\n * value: string = '';\n * }\n * ```\n */\nexport function TenantScoped(options: TenantScopedOptions = {}) {\n return <T extends Function>(\n target: T,\n decoratorContext?: ClassDecoratorContext,\n ): T => {\n applyPendingDecoratorRegistrations(target, decoratorContext);\n\n const className = target.name;\n\n // Merge with defaults\n const config: Partial<TenantScopedConfig> = {\n mode: options.mode ?? 'required',\n field: options.field ?? 'tenantId',\n autoFilter: options.autoFilter ?? true,\n autoPopulate: options.autoPopulate ?? true,\n allowSuperAdminBypass: options.allowSuperAdminBypass ?? false,\n };\n\n // Register with the tenancy system\n registerTenantScopedClass(className, config);\n\n // Return the class unchanged\n return target;\n };\n}\n\n// ─────────────────────────────────────────────────────────────────────────────\n// Property Decorator: @tenantId\n// ─────────────────────────────────────────────────────────────────────────────\n\n/**\n * Tenant ID property decorator\n *\n * Marks a property as the tenant identifier field. This decorator registers\n * the field metadata with ObjectRegistry, keeping the property value clean\n * (no descriptor objects that could be accidentally saved to the database).\n *\n * @param options - Field options (nullable, autoFilter, autoPopulate, etc.)\n * @returns Property decorator\n *\n * @example Basic usage (required tenancy)\n * ```typescript\n * @smrt()\n * @TenantScoped()\n * class Document extends SmrtObject {\n * @tenantId()\n * tenantId: string = '';\n *\n * title: string = '';\n * }\n * ```\n *\n * @example Nullable tenant ID (for global resources)\n * ```typescript\n * @smrt()\n * @TenantScoped({ mode: 'optional' })\n * class GlobalConfig extends SmrtObject {\n * @tenantId({ nullable: true })\n * tenantId: string | null = null; // null = global, string = tenant-specific\n *\n * key: string = '';\n * }\n * ```\n *\n * @see https://github.com/happyvertical/smrt/issues/829 - Why decorators over field helpers\n */\nexport function tenantId(options: TenantIdFieldOptions = {}) {\n const opts = {\n autoFilter: true,\n required: true,\n autoPopulate: true,\n nullable: false,\n ...options,\n };\n\n return ((\n targetOrValue: LegacyPropertyDecoratorTarget | undefined,\n propertyKeyOrContext: CompatiblePropertyDecoratorContext<any, any>,\n ) => {\n registerCompatibleFieldDecorator(\n targetOrValue,\n propertyKeyOrContext,\n (className, propertyKey) => {\n ObjectRegistry.registerFieldDecorator(className, propertyKey, {\n type: 'foreignKey',\n related: 'Tenant',\n sqlType: 'UUID',\n required: opts.required,\n nullable: opts.nullable,\n __tenancy: {\n ...opts,\n isTenantIdField: true,\n },\n });\n },\n );\n }) as CompatiblePropertyDecorator;\n}\n","/**\n * Tenancy Field Types and Utilities\n *\n * This module provides types and utility functions for tenant ID fields.\n * The actual field decorator is in decorators.ts.\n *\n * @see https://github.com/happyvertical/smrt/issues/675\n * @see https://github.com/happyvertical/smrt/issues/829\n */\n\n/**\n * Options for the `@tenantId()` property decorator.\n *\n * Controls how the decorated field interacts with the tenancy interceptor.\n * All options default to the strictest safe values: auto-filter on, required,\n * auto-populate on, not nullable.\n *\n * @see tenantId\n * @see TenantScopedOptions\n */\nexport interface TenantIdFieldOptions {\n /**\n * Auto-filter queries by this field\n * @default true\n */\n autoFilter?: boolean;\n\n /**\n * Require this field to have a value on save\n * @default true\n */\n required?: boolean;\n\n /**\n * Auto-populate from context on create if not set\n * @default true\n */\n autoPopulate?: boolean;\n\n /**\n * Allow null values (for global resources)\n * @default false\n */\n nullable?: boolean;\n}\n\n// Symbol to identify tenantId fields\nexport const TENANT_ID_SYMBOL = Symbol('tenantId');\n\n/**\n * Internal field descriptor stored in `ObjectRegistry` when `@tenantId()` is\n * applied to a property.\n *\n * Consumers should use `isTenantIdField()` and `getTenantIdFieldOptions()`\n * to inspect these descriptors rather than reading the raw properties directly.\n *\n * @see isTenantIdField\n * @see getTenantIdFieldOptions\n */\nexport interface TenantIdFieldDefinition {\n /** Field type marker */\n type: 'foreignKey';\n /** Reference to Tenant class (placeholder - actual class resolved at runtime) */\n reference: 'Tenant';\n /** SQL type */\n sqlType: 'UUID';\n /** Field is required */\n required: boolean;\n /** Field allows null */\n nullable: boolean;\n /** Tenancy-specific options */\n __tenancy: TenantIdFieldOptions & { isTenantIdField: true };\n}\n\n/**\n * Return `true` if the given field definition was produced by the `@tenantId()`\n * decorator (i.e., it has an `__tenancy.isTenantIdField` marker).\n *\n * Used internally by the interceptor and code generators to locate the tenant\n * ID field on a class without knowing its property name in advance.\n *\n * @param field - A raw field definition object, typically from `ObjectRegistry`.\n * @returns `true` if `field` is a tenant ID field definition, `false` otherwise.\n *\n * @example\n * ```typescript\n * const fields = ObjectRegistry.getFields('Document');\n * const tenantField = Object.entries(fields).find(([, def]) => isTenantIdField(def));\n * ```\n *\n * @see getTenantIdFieldOptions\n * @see TenantIdFieldDefinition\n */\nexport function isTenantIdField(field: unknown): boolean {\n if (!field || typeof field !== 'object') {\n return false;\n }\n const def = field as Record<string, unknown>;\n const tenancy = def.__tenancy as Record<string, unknown> | undefined;\n return tenancy?.isTenantIdField === true;\n}\n\n/**\n * Extract the `TenantIdFieldOptions` from a field definition.\n *\n * Returns the tenancy-specific options (autoFilter, required, autoPopulate,\n * nullable) stored inside the field descriptor's `__tenancy` property.\n * Returns `null` if the field was not produced by `@tenantId()`.\n *\n * @param field - A raw field definition object, typically from `ObjectRegistry`.\n * @returns The `TenantIdFieldOptions` if the field is a tenant ID field,\n * `null` otherwise.\n *\n * @see isTenantIdField\n * @see TenantIdFieldOptions\n */\nexport function getTenantIdFieldOptions(\n field: unknown,\n): TenantIdFieldOptions | null {\n if (!isTenantIdField(field)) {\n return null;\n }\n const def = field as { __tenancy: TenantIdFieldOptions };\n return def.__tenancy;\n}\n","/**\n * Shared raw-SQL helpers for tenant-scoped collections' \"global\" and\n * \"tenant + globals\" lookups (#1600).\n *\n * Most domain models are `@TenantScoped`. Their collections historically\n * hand-rolled two helpers the OLD way:\n *\n * ```typescript\n * async findGlobal() { return this.list({ where: { tenantId: null } }); }\n * async findWithGlobals(tid) { return this.query(\n * `SELECT * FROM ${this.tableName} WHERE tenant_id = ? OR tenant_id IS NULL`, [tid]); }\n * ```\n *\n * Under an ACTIVE tenant context with tenancy enabled (default\n * `rawQueryPolicy: 'throw'`) BOTH break:\n * - `findGlobal()` routes an explicit `tenant_id IS NULL` filter through\n * `list()`, which the interceptor flags as an isolation violation → throws.\n * - `findWithGlobals()` issues unflagged raw SQL on a tenant-scoped class,\n * which `beforeQuery` blocks → throws.\n * - `findWithGlobals()` also trusts the caller-supplied `tenantId`, so once the\n * raw bypass is added a caller under tenant-A could read tenant-B by passing\n * B's id.\n *\n * These helpers run raw with `{ allowRawOnTenantScoped: true }` (carrying the\n * tenant predicate themselves), and `queryWithGlobals` re-implements the\n * isolation guard the bypass disables (`assertTenantReadAllowed`): a caller\n * under tenant-A must not read tenant-B's rows by passing tenant-B's id. A\n * system / super-admin-bypass context keeps the deliberate cross-tenant\n * capability for admin paths.\n *\n * STI scoping is derived automatically from the collection's item class via\n * `collection.getStiChildMetaType()` (smrt-core), which mirrors the\n * `_meta_type` scoping `list()` applies: STI **child** collections scope the\n * shared table to their own subtype, while STI **base** and CTI collections do\n * not (a base legitimately spans subtypes; CTI tables have no `_meta_type`).\n * Callers never hand-classify their collection. Promoted from\n * `@happyvertical/smrt-messages` (#1596) so every package shares one\n * implementation.\n */\n\nimport type { SmrtCollection } from '@happyvertical/smrt-core';\nimport {\n getCurrentTenant,\n isSuperAdminBypass,\n TenantIsolationError,\n} from './context.js';\n\n/**\n * Fail closed when an active tenant context requests a different tenant's rows.\n *\n * @param tenantId - The tenant id the caller asked for.\n * @param label - `Class.method` identifier for the error message.\n * @throws {TenantIsolationError} when a non-bypass tenant context is active and\n * does not match `tenantId`.\n */\nexport function assertTenantReadAllowed(tenantId: string, label: string): void {\n const tenantContext = getCurrentTenant();\n if (\n tenantContext &&\n !isSuperAdminBypass() &&\n tenantContext.tenantId !== tenantId\n ) {\n throw new TenantIsolationError(\n `Tenant isolation violation in ${label}: context tenant is ` +\n `'${tenantContext.tenantId}' but query requested '${tenantId}'`,\n { tenantId: tenantContext.tenantId, attemptedTenantId: tenantId },\n );\n }\n}\n\n/**\n * Return all global (tenant-less) rows for a tenant-scoped collection.\n *\n * STI child collections are auto-scoped to their own `_meta_type` (via\n * `collection.getStiChildMetaType()`) so the shared table never returns sibling\n * subtypes; STI base / CTI collections are not scoped.\n *\n * @param collection - The tenant-scoped collection to query.\n */\nexport async function queryGlobal<T>(\n collection: SmrtCollection<any>,\n): Promise<T[]> {\n const metaType = collection.getStiChildMetaType();\n const where = metaType\n ? 'WHERE _meta_type = ? AND tenant_id IS NULL'\n : 'WHERE tenant_id IS NULL';\n const params = metaType ? [metaType] : [];\n return (await collection.query(\n `SELECT * FROM ${collection.tableName} ${where}`,\n params,\n { allowRawOnTenantScoped: true },\n )) as T[];\n}\n\n/**\n * Return a tenant's rows plus all global rows for a tenant-scoped collection.\n *\n * Fails closed (`assertTenantReadAllowed`) before issuing the bypassed query.\n * STI child collections are auto-scoped to their own `_meta_type` (via\n * `collection.getStiChildMetaType()`); STI base / CTI collections are not.\n *\n * @param collection - The tenant-scoped collection to query.\n * @param tenantId - The tenant id to include alongside globals.\n * @param label - `Class.method` identifier for the isolation error message.\n */\nexport async function queryWithGlobals<T>(\n collection: SmrtCollection<any>,\n tenantId: string,\n label: string,\n): Promise<T[]> {\n assertTenantReadAllowed(tenantId, label);\n const metaType = collection.getStiChildMetaType();\n const where = metaType\n ? 'WHERE _meta_type = ? AND (tenant_id = ? OR tenant_id IS NULL)'\n : 'WHERE tenant_id = ? OR tenant_id IS NULL';\n const params = metaType ? [metaType, tenantId] : [tenantId];\n return (await collection.query(\n `SELECT * FROM ${collection.tableName} ${where}`,\n params,\n { allowRawOnTenantScoped: true },\n )) as T[];\n}\n"],"names":["tenantId"],"mappings":";;;;;;AAsBA,eAAe;AAAA,EACb,IAAA,IAAA,mBAAA,YAAA,GAAA;AACF;ACwGO,SAAS,aAAa,UAA+B,IAAI;AAC9D,SAAO,CACL,QACA,qBACM;AACN,uCAAmC,QAAQ,gBAAgB;AAE3D,UAAM,YAAY,OAAO;AAGzB,UAAM,SAAsC;AAAA,MAC1C,MAAM,QAAQ,QAAQ;AAAA,MACtB,OAAO,QAAQ,SAAS;AAAA,MACxB,YAAY,QAAQ,cAAc;AAAA,MAClC,cAAc,QAAQ,gBAAgB;AAAA,MACtC,uBAAuB,QAAQ,yBAAyB;AAAA,IAAA;AAI1D,8BAA0B,WAAW,MAAM;AAG3C,WAAO;AAAA,EACT;AACF;AA0CO,SAAS,SAAS,UAAgC,IAAI;AAC3D,QAAM,OAAO;AAAA,IACX,YAAY;AAAA,IACZ,UAAU;AAAA,IACV,cAAc;AAAA,IACd,UAAU;AAAA,IACV,GAAG;AAAA,EAAA;AAGL,UAAQ,CACN,eACA,yBACG;AACH;AAAA,MACE;AAAA,MACA;AAAA,MACA,CAAC,WAAW,gBAAgB;AAC1B,uBAAe,uBAAuB,WAAW,aAAa;AAAA,UAC5D,MAAM;AAAA,UACN,SAAS;AAAA,UACT,SAAS;AAAA,UACT,UAAU,KAAK;AAAA,UACf,UAAU,KAAK;AAAA,UACf,WAAW;AAAA,YACT,GAAG;AAAA,YACH,iBAAiB;AAAA,UAAA;AAAA,QACnB,CACD;AAAA,MACH;AAAA,IAAA;AAAA,EAEJ;AACF;ACpIO,SAAS,gBAAgB,OAAyB;AACvD,MAAI,CAAC,SAAS,OAAO,UAAU,UAAU;AACvC,WAAO;AAAA,EACT;AACA,QAAM,MAAM;AACZ,QAAM,UAAU,IAAI;AACpB,SAAO,SAAS,oBAAoB;AACtC;AAgBO,SAAS,wBACd,OAC6B;AAC7B,MAAI,CAAC,gBAAgB,KAAK,GAAG;AAC3B,WAAO;AAAA,EACT;AACA,QAAM,MAAM;AACZ,SAAO,IAAI;AACb;ACrEO,SAAS,wBAAwBA,WAAkB,OAAqB;AAC7E,QAAM,gBAAgB,iBAAA;AACtB,MACE,iBACA,CAAC,mBAAA,KACD,cAAc,aAAaA,WAC3B;AACA,UAAM,IAAI;AAAA,MACR,iCAAiC,KAAK,wBAChC,cAAc,QAAQ,0BAA0BA,SAAQ;AAAA,MAC9D,EAAE,UAAU,cAAc,UAAU,mBAAmBA,UAAA;AAAA,IAAS;AAAA,EAEpE;AACF;AAWA,eAAsB,YACpB,YACc;AACd,QAAM,WAAW,WAAW,oBAAA;AAC5B,QAAM,QAAQ,WACV,+CACA;AACJ,QAAM,SAAS,WAAW,CAAC,QAAQ,IAAI,CAAA;AACvC,SAAQ,MAAM,WAAW;AAAA,IACvB,iBAAiB,WAAW,SAAS,IAAI,KAAK;AAAA,IAC9C;AAAA,IACA,EAAE,wBAAwB,KAAA;AAAA,EAAK;AAEnC;AAaA,eAAsB,iBACpB,YACAA,WACA,OACc;AACd,0BAAwBA,WAAU,KAAK;AACvC,QAAM,WAAW,WAAW,oBAAA;AAC5B,QAAM,QAAQ,WACV,kEACA;AACJ,QAAM,SAAS,WAAW,CAAC,UAAUA,SAAQ,IAAI,CAACA,SAAQ;AAC1D,SAAQ,MAAM,WAAW;AAAA,IACvB,iBAAiB,WAAW,SAAS,IAAI,KAAK;AAAA,IAC9C;AAAA,IACA,EAAE,wBAAwB,KAAA;AAAA,EAAK;AAEnC;"}
1
+ {"version":3,"file":"index.js","sources":["../src/__smrt-register__.ts","../src/decorators.ts","../src/fields.ts","../src/tenant-global-queries.ts"],"sourcesContent":["/**\n * Self-registers this package's build-time manifest before any @smrt() decorator\n * in the package fires. Fixes issue #1132: in consumer runtimes (tsx, SvelteKit\n * SSR, plain `vite dev`) the decorator's synchronous manifest lookup previously\n * missed because no step populated the global manifest cache — classes got\n * registered with zero fields and `save()` / `toJSON()` silently dropped every\n * declared property.\n *\n * Import this module as the first statement in `src/index.ts` so its top-level\n * side effect runs ahead of any class module's @smrt() decorator.\n *\n * Silent no-op in dev/test, where the vitest plugin already populates manifests\n * via a different path. Only needs to succeed in the published dist output.\n *\n * @see https://github.com/happyvertical/smrt/issues/1132\n */\nimport { ObjectRegistry } from '@happyvertical/smrt-core';\n\n// `new URL('./manifest.json', import.meta.url)` resolves at runtime to the\n// manifest sitting next to this module's compiled output. Vite warns at build\n// time that it cannot pre-resolve the URL; that is the intended behavior —\n// the URL must resolve to dist/manifest.json at runtime, not be inlined.\nObjectRegistry.registerPackageManifest(\n new URL('./manifest.json', import.meta.url),\n);\n","/**\n * Tenancy Decorators\n *\n * Provides class and property decorators for tenant-scoped SMRT objects.\n *\n * @example\n * ```typescript\n * import { smrt, SmrtObject } from '@happyvertical/smrt-core';\n * import { TenantScoped, tenantId } from '@happyvertical/smrt-tenancy';\n *\n * @smrt()\n * @TenantScoped({ mode: 'optional' })\n * class Document extends SmrtObject {\n * @tenantId({ nullable: true })\n * tenantId: string | null = null; // null = global document\n *\n * title: string = '';\n * }\n * ```\n *\n * @see https://github.com/happyvertical/smrt/issues/675\n * @see https://github.com/happyvertical/smrt/issues/829\n */\n\nimport {\n applyPendingDecoratorRegistrations,\n type CompatiblePropertyDecorator,\n type CompatiblePropertyDecoratorContext,\n type LegacyPropertyDecoratorTarget,\n ObjectRegistry,\n registerCompatibleFieldDecorator,\n} from '@happyvertical/smrt-core';\nimport type { TenantIdFieldOptions } from './fields.js';\nimport {\n registerTenantScopedClass,\n type TenantScopedConfig,\n} from './registry.js';\n\n/**\n * Options accepted by the `@TenantScoped()` class decorator.\n *\n * All fields are optional; defaults match the most restrictive safe behaviour\n * (required mode, auto-filter and auto-populate enabled, no super-admin bypass).\n *\n * @see TenantScoped\n * @see TenantScopedConfig\n */\nexport interface TenantScopedOptions {\n /**\n * Tenancy mode for this class\n * - 'required': Must have tenant context for all operations (default)\n * - 'optional': Works with or without tenant context\n */\n mode?: 'required' | 'optional';\n\n /**\n * Field name containing tenant ID\n * @default 'tenantId'\n */\n field?: string;\n\n /**\n * Auto-filter all queries by tenant\n * @default true\n */\n autoFilter?: boolean;\n\n /**\n * Auto-populate tenant ID from context on create\n * @default true\n */\n autoPopulate?: boolean;\n\n /**\n * Allow super admin bypass for this class\n * @default false - must be explicitly enabled\n */\n allowSuperAdminBypass?: boolean;\n}\n\n/**\n * Mark a class as tenant-scoped\n *\n * This decorator registers the class with the tenancy system so that:\n * - list()/get() queries are automatically filtered by tenant\n * - save() validates tenant ID matches current context\n * - delete() validates tenant ownership\n * - Raw SQL queries trigger policy enforcement\n *\n * @param options - Configuration options\n *\n * @example Basic usage (required tenancy)\n * ```typescript\n * @smrt()\n * @TenantScoped()\n * class Document extends SmrtObject {\n * @tenantId()\n * tenantId: string = '';\n *\n * title: string = '';\n * }\n * ```\n *\n * @example With super admin bypass enabled\n * ```typescript\n * @smrt()\n * @TenantScoped({ allowSuperAdminBypass: true })\n * class AuditLog extends SmrtObject {\n * @tenantId()\n * tenantId: string = '';\n *\n * action: string = '';\n * }\n * ```\n *\n * @example Optional tenancy (works with or without context)\n * ```typescript\n * @smrt()\n * @TenantScoped({ mode: 'optional' })\n * class GlobalConfig extends SmrtObject {\n * @tenantId({ nullable: true })\n * tenantId: string | null = null; // null = global, string = tenant-specific\n *\n * key: string = '';\n * value: string = '';\n * }\n * ```\n */\nexport function TenantScoped(options: TenantScopedOptions = {}) {\n return <T extends Function>(\n target: T,\n decoratorContext?: ClassDecoratorContext,\n ): T => {\n applyPendingDecoratorRegistrations(target, decoratorContext);\n\n const className = target.name;\n\n // Merge with defaults\n const config: Partial<TenantScopedConfig> = {\n mode: options.mode ?? 'required',\n field: options.field ?? 'tenantId',\n autoFilter: options.autoFilter ?? true,\n autoPopulate: options.autoPopulate ?? true,\n allowSuperAdminBypass: options.allowSuperAdminBypass ?? false,\n };\n\n // Register with the tenancy system\n registerTenantScopedClass(className, config);\n\n // Return the class unchanged\n return target;\n };\n}\n\n// ─────────────────────────────────────────────────────────────────────────────\n// Property Decorator: @tenantId\n// ─────────────────────────────────────────────────────────────────────────────\n\n/**\n * Tenant ID property decorator\n *\n * Marks a property as the tenant identifier field. This decorator registers\n * the field metadata with ObjectRegistry, keeping the property value clean\n * (no descriptor objects that could be accidentally saved to the database).\n *\n * @param options - Field options (nullable, autoFilter, autoPopulate, etc.)\n * @returns Property decorator\n *\n * @example Basic usage (required tenancy)\n * ```typescript\n * @smrt()\n * @TenantScoped()\n * class Document extends SmrtObject {\n * @tenantId()\n * tenantId: string = '';\n *\n * title: string = '';\n * }\n * ```\n *\n * @example Nullable tenant ID (for global resources)\n * ```typescript\n * @smrt()\n * @TenantScoped({ mode: 'optional' })\n * class GlobalConfig extends SmrtObject {\n * @tenantId({ nullable: true })\n * tenantId: string | null = null; // null = global, string = tenant-specific\n *\n * key: string = '';\n * }\n * ```\n *\n * @see https://github.com/happyvertical/smrt/issues/829 - Why decorators over field helpers\n */\nexport function tenantId(options: TenantIdFieldOptions = {}) {\n const opts = {\n autoFilter: true,\n required: true,\n autoPopulate: true,\n nullable: false,\n ...options,\n };\n\n return ((\n targetOrValue: LegacyPropertyDecoratorTarget | undefined,\n propertyKeyOrContext: CompatiblePropertyDecoratorContext<unknown, unknown>,\n ) => {\n registerCompatibleFieldDecorator(\n targetOrValue,\n propertyKeyOrContext,\n (className, propertyKey) => {\n ObjectRegistry.registerFieldDecorator(className, propertyKey, {\n type: 'foreignKey',\n related: 'Tenant',\n sqlType: 'UUID',\n required: opts.required,\n nullable: opts.nullable,\n __tenancy: {\n ...opts,\n isTenantIdField: true,\n },\n });\n },\n );\n }) as CompatiblePropertyDecorator;\n}\n","/**\n * Tenancy Field Types and Utilities\n *\n * This module provides types and utility functions for tenant ID fields.\n * The actual field decorator is in decorators.ts.\n *\n * @see https://github.com/happyvertical/smrt/issues/675\n * @see https://github.com/happyvertical/smrt/issues/829\n */\n\n/**\n * Options for the `@tenantId()` property decorator.\n *\n * Controls how the decorated field interacts with the tenancy interceptor.\n * All options default to the strictest safe values: auto-filter on, required,\n * auto-populate on, not nullable.\n *\n * @see tenantId\n * @see TenantScopedOptions\n */\nexport interface TenantIdFieldOptions {\n /**\n * Auto-filter queries by this field\n * @default true\n */\n autoFilter?: boolean;\n\n /**\n * Require this field to have a value on save\n * @default true\n */\n required?: boolean;\n\n /**\n * Auto-populate from context on create if not set\n * @default true\n */\n autoPopulate?: boolean;\n\n /**\n * Allow null values (for global resources)\n * @default false\n */\n nullable?: boolean;\n}\n\n// Symbol to identify tenantId fields\nexport const TENANT_ID_SYMBOL = Symbol('tenantId');\n\n/**\n * Internal field descriptor stored in `ObjectRegistry` when `@tenantId()` is\n * applied to a property.\n *\n * Consumers should use `isTenantIdField()` and `getTenantIdFieldOptions()`\n * to inspect these descriptors rather than reading the raw properties directly.\n *\n * @see isTenantIdField\n * @see getTenantIdFieldOptions\n */\nexport interface TenantIdFieldDefinition {\n /** Field type marker */\n type: 'foreignKey';\n /** Reference to Tenant class (placeholder - actual class resolved at runtime) */\n reference: 'Tenant';\n /** SQL type */\n sqlType: 'UUID';\n /** Field is required */\n required: boolean;\n /** Field allows null */\n nullable: boolean;\n /** Tenancy-specific options */\n __tenancy: TenantIdFieldOptions & { isTenantIdField: true };\n}\n\n/**\n * Return `true` if the given field definition was produced by the `@tenantId()`\n * decorator (i.e., it has an `__tenancy.isTenantIdField` marker).\n *\n * Used internally by the interceptor and code generators to locate the tenant\n * ID field on a class without knowing its property name in advance.\n *\n * @param field - A raw field definition object, typically from `ObjectRegistry`.\n * @returns `true` if `field` is a tenant ID field definition, `false` otherwise.\n *\n * @example\n * ```typescript\n * const fields = ObjectRegistry.getFields('Document');\n * const tenantField = Object.entries(fields).find(([, def]) => isTenantIdField(def));\n * ```\n *\n * @see getTenantIdFieldOptions\n * @see TenantIdFieldDefinition\n */\nexport function isTenantIdField(field: unknown): boolean {\n if (!field || typeof field !== 'object') {\n return false;\n }\n const def = field as Record<string, unknown>;\n const tenancy = def.__tenancy as Record<string, unknown> | undefined;\n return tenancy?.isTenantIdField === true;\n}\n\n/**\n * Extract the `TenantIdFieldOptions` from a field definition.\n *\n * Returns the tenancy-specific options (autoFilter, required, autoPopulate,\n * nullable) stored inside the field descriptor's `__tenancy` property.\n * Returns `null` if the field was not produced by `@tenantId()`.\n *\n * @param field - A raw field definition object, typically from `ObjectRegistry`.\n * @returns The `TenantIdFieldOptions` if the field is a tenant ID field,\n * `null` otherwise.\n *\n * @see isTenantIdField\n * @see TenantIdFieldOptions\n */\nexport function getTenantIdFieldOptions(\n field: unknown,\n): TenantIdFieldOptions | null {\n if (!isTenantIdField(field)) {\n return null;\n }\n const def = field as { __tenancy: TenantIdFieldOptions };\n return def.__tenancy;\n}\n","/**\n * Shared raw-SQL helpers for tenant-scoped collections' \"global\" and\n * \"tenant + globals\" lookups (#1600).\n *\n * Most domain models are `@TenantScoped`. Their collections historically\n * hand-rolled two helpers the OLD way:\n *\n * ```typescript\n * async findGlobal() { return this.list({ where: { tenantId: null } }); }\n * async findWithGlobals(tid) { return this.query(\n * `SELECT * FROM ${this.tableName} WHERE tenant_id = ? OR tenant_id IS NULL`, [tid]); }\n * ```\n *\n * Under an ACTIVE tenant context with tenancy enabled (default\n * `rawQueryPolicy: 'throw'`) BOTH break:\n * - `findGlobal()` routes an explicit `tenant_id IS NULL` filter through\n * `list()`, which the interceptor flags as an isolation violation → throws.\n * - `findWithGlobals()` issues unflagged raw SQL on a tenant-scoped class,\n * which `beforeQuery` blocks → throws.\n * - `findWithGlobals()` also trusts the caller-supplied `tenantId`, so once the\n * raw bypass is added a caller under tenant-A could read tenant-B by passing\n * B's id.\n *\n * These helpers run raw with `{ allowRawOnTenantScoped: true }` (carrying the\n * tenant predicate themselves), and `queryWithGlobals` re-implements the\n * isolation guard the bypass disables (`assertTenantReadAllowed`): a caller\n * under tenant-A must not read tenant-B's rows by passing tenant-B's id. A\n * system / super-admin-bypass context keeps the deliberate cross-tenant\n * capability for admin paths.\n *\n * STI scoping is derived automatically from the collection's item class via\n * `collection.getStiChildMetaType()` (smrt-core), which mirrors the\n * `_meta_type` scoping `list()` applies: STI **child** collections scope the\n * shared table to their own subtype, while STI **base** and CTI collections do\n * not (a base legitimately spans subtypes; CTI tables have no `_meta_type`).\n * Callers never hand-classify their collection. Promoted from\n * `@happyvertical/smrt-messages` (#1596) so every package shares one\n * implementation.\n */\n\nimport type { SmrtCollection, SmrtObject } from '@happyvertical/smrt-core';\nimport {\n getCurrentTenant,\n isSuperAdminBypass,\n TenantIsolationError,\n} from './context.js';\n\n/**\n * Fail closed when an active tenant context requests a different tenant's rows.\n *\n * @param tenantId - The tenant id the caller asked for.\n * @param label - `Class.method` identifier for the error message.\n * @throws {TenantIsolationError} when a non-bypass tenant context is active and\n * does not match `tenantId`.\n */\nexport function assertTenantReadAllowed(tenantId: string, label: string): void {\n const tenantContext = getCurrentTenant();\n if (\n tenantContext &&\n !isSuperAdminBypass() &&\n tenantContext.tenantId !== tenantId\n ) {\n throw new TenantIsolationError(\n `Tenant isolation violation in ${label}: context tenant is ` +\n `'${tenantContext.tenantId}' but query requested '${tenantId}'`,\n { tenantId: tenantContext.tenantId, attemptedTenantId: tenantId },\n );\n }\n}\n\n/**\n * Return all global (tenant-less) rows for a tenant-scoped collection.\n *\n * STI child collections are auto-scoped to their own `_meta_type` (via\n * `collection.getStiChildMetaType()`) so the shared table never returns sibling\n * subtypes; STI base / CTI collections are not scoped.\n *\n * @param collection - The tenant-scoped collection to query.\n */\nexport async function queryGlobal<T, M extends SmrtObject = SmrtObject>(\n collection: SmrtCollection<M>,\n): Promise<T[]> {\n const metaType = collection.getStiChildMetaType();\n const where = metaType\n ? 'WHERE _meta_type = ? AND tenant_id IS NULL'\n : 'WHERE tenant_id IS NULL';\n const params = metaType ? [metaType] : [];\n // Two decoupled type params by design (STI). `M` is inferred from the\n // collection's declared item type — the STI *base* (e.g. `Email`) — and keeps\n // the parameter assignable despite `SmrtCollection`'s contravariant\n // `ModelType` positions. `T` is the caller-declared *row* type: an STI child\n // collection (e.g. `EmailAccountCollection`, statically `SmrtCollection<Email>`)\n // filters by `_meta_type` and hydrates child rows (`EmailAccount`) that differ\n // from `M`. `query()` is statically `M[]` but yields those child instances at\n // runtime, so the bridge cast is required — returning `M[]` would break every\n // STI-child caller.\n return (await collection.query(\n `SELECT * FROM ${collection.tableName} ${where}`,\n params,\n { allowRawOnTenantScoped: true },\n )) as unknown as T[];\n}\n\n/**\n * Return a tenant's rows plus all global rows for a tenant-scoped collection.\n *\n * Fails closed (`assertTenantReadAllowed`) before issuing the bypassed query.\n * STI child collections are auto-scoped to their own `_meta_type` (via\n * `collection.getStiChildMetaType()`); STI base / CTI collections are not.\n *\n * @param collection - The tenant-scoped collection to query.\n * @param tenantId - The tenant id to include alongside globals.\n * @param label - `Class.method` identifier for the isolation error message.\n */\nexport async function queryWithGlobals<T, M extends SmrtObject = SmrtObject>(\n collection: SmrtCollection<M>,\n tenantId: string,\n label: string,\n): Promise<T[]> {\n assertTenantReadAllowed(tenantId, label);\n const metaType = collection.getStiChildMetaType();\n const where = metaType\n ? 'WHERE _meta_type = ? AND (tenant_id = ? OR tenant_id IS NULL)'\n : 'WHERE tenant_id = ? OR tenant_id IS NULL';\n const params = metaType ? [metaType, tenantId] : [tenantId];\n // See `queryGlobal` above: `T` (caller's STI child row type) is intentionally\n // decoupled from `M` (the collection's inferred base type), so the cast\n // bridges `query()`'s static `M[]` to the hydrated child rows.\n return (await collection.query(\n `SELECT * FROM ${collection.tableName} ${where}`,\n params,\n { allowRawOnTenantScoped: true },\n )) as unknown as T[];\n}\n"],"names":["tenantId"],"mappings":";;;;;;AAsBA,eAAe;AAAA,EACb,IAAA,IAAA,mBAAA,YAAA,GAAA;AACF;ACwGO,SAAS,aAAa,UAA+B,IAAI;AAC9D,SAAO,CACL,QACA,qBACM;AACN,uCAAmC,QAAQ,gBAAgB;AAE3D,UAAM,YAAY,OAAO;AAGzB,UAAM,SAAsC;AAAA,MAC1C,MAAM,QAAQ,QAAQ;AAAA,MACtB,OAAO,QAAQ,SAAS;AAAA,MACxB,YAAY,QAAQ,cAAc;AAAA,MAClC,cAAc,QAAQ,gBAAgB;AAAA,MACtC,uBAAuB,QAAQ,yBAAyB;AAAA,IAAA;AAI1D,8BAA0B,WAAW,MAAM;AAG3C,WAAO;AAAA,EACT;AACF;AA0CO,SAAS,SAAS,UAAgC,IAAI;AAC3D,QAAM,OAAO;AAAA,IACX,YAAY;AAAA,IACZ,UAAU;AAAA,IACV,cAAc;AAAA,IACd,UAAU;AAAA,IACV,GAAG;AAAA,EAAA;AAGL,UAAQ,CACN,eACA,yBACG;AACH;AAAA,MACE;AAAA,MACA;AAAA,MACA,CAAC,WAAW,gBAAgB;AAC1B,uBAAe,uBAAuB,WAAW,aAAa;AAAA,UAC5D,MAAM;AAAA,UACN,SAAS;AAAA,UACT,SAAS;AAAA,UACT,UAAU,KAAK;AAAA,UACf,UAAU,KAAK;AAAA,UACf,WAAW;AAAA,YACT,GAAG;AAAA,YACH,iBAAiB;AAAA,UAAA;AAAA,QACnB,CACD;AAAA,MACH;AAAA,IAAA;AAAA,EAEJ;AACF;ACpIO,SAAS,gBAAgB,OAAyB;AACvD,MAAI,CAAC,SAAS,OAAO,UAAU,UAAU;AACvC,WAAO;AAAA,EACT;AACA,QAAM,MAAM;AACZ,QAAM,UAAU,IAAI;AACpB,SAAO,SAAS,oBAAoB;AACtC;AAgBO,SAAS,wBACd,OAC6B;AAC7B,MAAI,CAAC,gBAAgB,KAAK,GAAG;AAC3B,WAAO;AAAA,EACT;AACA,QAAM,MAAM;AACZ,SAAO,IAAI;AACb;ACrEO,SAAS,wBAAwBA,WAAkB,OAAqB;AAC7E,QAAM,gBAAgB,iBAAA;AACtB,MACE,iBACA,CAAC,mBAAA,KACD,cAAc,aAAaA,WAC3B;AACA,UAAM,IAAI;AAAA,MACR,iCAAiC,KAAK,wBAChC,cAAc,QAAQ,0BAA0BA,SAAQ;AAAA,MAC9D,EAAE,UAAU,cAAc,UAAU,mBAAmBA,UAAA;AAAA,IAAS;AAAA,EAEpE;AACF;AAWA,eAAsB,YACpB,YACc;AACd,QAAM,WAAW,WAAW,oBAAA;AAC5B,QAAM,QAAQ,WACV,+CACA;AACJ,QAAM,SAAS,WAAW,CAAC,QAAQ,IAAI,CAAA;AAUvC,SAAQ,MAAM,WAAW;AAAA,IACvB,iBAAiB,WAAW,SAAS,IAAI,KAAK;AAAA,IAC9C;AAAA,IACA,EAAE,wBAAwB,KAAA;AAAA,EAAK;AAEnC;AAaA,eAAsB,iBACpB,YACAA,WACA,OACc;AACd,0BAAwBA,WAAU,KAAK;AACvC,QAAM,WAAW,WAAW,oBAAA;AAC5B,QAAM,QAAQ,WACV,kEACA;AACJ,QAAM,SAAS,WAAW,CAAC,UAAUA,SAAQ,IAAI,CAACA,SAAQ;AAI1D,SAAQ,MAAM,WAAW;AAAA,IACvB,iBAAiB,WAAW,SAAS,IAAI,KAAK;AAAA,IAC9C;AAAA,IACA,EAAE,wBAAwB,KAAA;AAAA,EAAK;AAEnC;"}
package/dist/interceptor.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"interceptor.d.ts","sourceRoot":"","sources":["../src/interceptor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAIH,OAAO,EACL,KAAK,qBAAqB,EAC1B,KAAK,WAAW,EAEhB,KAAK,kBAAkB,EAMxB,MAAM,0BAA0B,CAAC;AASlC,OAAO,EAAE,gBAAgB,EAAqB,MAAM,oBAAoB,CAAC;AAMzE;;;;;;;;;;;GAWG;AACH,MAAM,MAAM,cAAc,GAAG,OAAO,GAAG,MAAM,GAAG,OAAO,CAAC;AAExD;;;;;;;;;;GAUG;AACH,MAAM,WAAW,wBAAwB;IACvC;;;;;;OAMG;IACH,cAAc,CAAC,EAAE,cAAc,CAAC;IAEhC;;;OAGG;IACH,UAAU,CAAC,EAAE,CACX,SAAS,EAAE,MAAM,EACjB,GAAG,EAAE,MAAM,EACX,OAAO,EAAE,kBAAkB,KACxB,IAAI,CAAC;IAEV;;OAEG;IACH,gBAAgB,CAAC,EAAE,CACjB,SAAS,EAAE,MAAM,EACjB,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,kBAAkB,KACxB,IAAI,CAAC;IAEV;;OAEG;IACH,oBAAoB,CAAC,EAAE,CACrB,SAAS,EAAE,MAAM,EACjB,gBAAgB,EAAE,MAAM,EACxB,cAAc,EAAE,MAAM,EACtB,OAAO,EAAE,kBAAkB,KACxB,IAAI,CAAC;IAEV;;;;OAIG;IACH,WAAW,CAAC,EAAE,WAAW,CAAC;IAE1B;;;;OAIG;IACH,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;CAC7B;AA2CD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG;AACH,wBAAgB,uBAAuB,CACrC,OAAO,GAAE,wBAA6B,GACrC,qBAAqB,CA6ZvB;AAWD;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,aAAa,CAAC,OAAO,GAAE,wBAA6B,GAAG,IAAI,CAuB1E;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAgB,cAAc,IAAI,IAAI,CAarC;AAED;;;;;;;;;GASG;AACH,OAAO,EAAE,gBAAgB,EAAE,CAAC"}
1
+ {"version":3,"file":"interceptor.d.ts","sourceRoot":"","sources":["../src/interceptor.ts"],"names":[],"mappings":"AAAA;;;;;;;;;GASG;AAIH,OAAO,EACL,KAAK,qBAAqB,EAC1B,KAAK,WAAW,EAEhB,KAAK,kBAAkB,EAMxB,MAAM,0BAA0B,CAAC;AASlC,OAAO,EAAE,gBAAgB,EAAqB,MAAM,oBAAoB,CAAC;AAMzE;;;;;;;;;;;GAWG;AACH,MAAM,MAAM,cAAc,GAAG,OAAO,GAAG,MAAM,GAAG,OAAO,CAAC;AAExD;;;;;;;;;;GAUG;AACH,MAAM,WAAW,wBAAwB;IACvC;;;;;;OAMG;IACH,cAAc,CAAC,EAAE,cAAc,CAAC;IAEhC;;;OAGG;IACH,UAAU,CAAC,EAAE,CACX,SAAS,EAAE,MAAM,EACjB,GAAG,EAAE,MAAM,EACX,OAAO,EAAE,kBAAkB,KACxB,IAAI,CAAC;IAEV;;OAEG;IACH,gBAAgB,CAAC,EAAE,CACjB,SAAS,EAAE,MAAM,EACjB,SAAS,EAAE,MAAM,EACjB,OAAO,EAAE,kBAAkB,KACxB,IAAI,CAAC;IAEV;;OAEG;IACH,oBAAoB,CAAC,EAAE,CACrB,SAAS,EAAE,MAAM,EACjB,gBAAgB,EAAE,MAAM,EACxB,cAAc,EAAE,MAAM,EACtB,OAAO,EAAE,kBAAkB,KACxB,IAAI,CAAC;IAEV;;;;OAIG;IACH,WAAW,CAAC,EAAE,WAAW,CAAC;IAE1B;;;;OAIG;IACH,gBAAgB,CAAC,EAAE,MAAM,EAAE,CAAC;CAC7B;AAgDD;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAqCG;AACH,wBAAgB,uBAAuB,CACrC,OAAO,GAAE,wBAA6B,GACrC,qBAAqB,CAqavB;AAWD;;;;;;;;;;;;;;;;;;;GAmBG;AACH,wBAAgB,aAAa,CAAC,OAAO,GAAE,wBAA6B,GAAG,IAAI,CAuB1E;AAED;;;;;;;;;;;;;;;;;;;;;GAqBG;AACH,wBAAgB,cAAc,IAAI,IAAI,CAarC;AAED;;;;;;;;;GASG;AACH,OAAO,EAAE,gBAAgB,EAAE,CAAC"}
package/dist/manifest.json CHANGED
@@ -1,8 +1,8 @@
1
1
  {
2
2
  "version": "1.0.0",
3
- "timestamp": 1782330594196,
3
+ "timestamp": 1782340014560,
4
4
  "packageName": "@happyvertical/smrt-tenancy",
5
- "packageVersion": "0.35.0",
5
+ "packageVersion": "0.35.2",
6
6
  "objects": {},
7
7
  "moduleType": "smrt",
8
8
  "smrtDependencies": [
package/dist/smrt-knowledge.json CHANGED
@@ -1,13 +1,13 @@
1
1
  {
2
2
  "schemaVersion": 1,
3
- "generatedAt": "2026-06-24T19:49:54.431Z",
3
+ "generatedAt": "2026-06-24T22:26:54.823Z",
4
4
  "packageName": "@happyvertical/smrt-tenancy",
5
- "packageVersion": "0.35.0",
5
+ "packageVersion": "0.35.2",
6
6
  "sourceManifestPath": "dist/manifest.json",
7
7
  "agentDocPath": "AGENTS.md",
8
8
  "sourceHashes": {
9
- "manifest": "d8431fa91a69fd15a281793eb0826aac0e55654f44aa4a8607cb24d527265fa3",
10
- "packageJson": "50ed4cf0bd077b437d2b4a6303de2e8214cf0bbbe30aa63ec97b0778ce9a4545",
9
+ "manifest": "c09eb66ffe46684c1b71dfdff0866fcc2f245f6ff530fcd7e634360ae1e508b8",
10
+ "packageJson": "61f281a315d26e2acec182fb03d0cde3a595f413995cee051d92e0b3004d4f23",
11
11
  "agents": "6466580ac48829d3e51e940aaf42578919619e3a43fa7efbb741b744c80530c8"
12
12
  },
13
13
  "exports": [
package/dist/tenant-global-queries.d.ts CHANGED
@@ -1,4 +1,4 @@
1
- import { SmrtCollection } from '@happyvertical/smrt-core';
1
+ import { SmrtCollection, SmrtObject } from '@happyvertical/smrt-core';
2
2
  /**
3
3
  * Fail closed when an active tenant context requests a different tenant's rows.
4
4
  *
@@ -17,7 +17,7 @@ export declare function assertTenantReadAllowed(tenantId: string, label: string)
17
17
  *
18
18
  * @param collection - The tenant-scoped collection to query.
19
19
  */
20
- export declare function queryGlobal<T>(collection: SmrtCollection<any>): Promise<T[]>;
20
+ export declare function queryGlobal<T, M extends SmrtObject = SmrtObject>(collection: SmrtCollection<M>): Promise<T[]>;
21
21
  /**
22
22
  * Return a tenant's rows plus all global rows for a tenant-scoped collection.
23
23
  *
@@ -29,5 +29,5 @@ export declare function queryGlobal<T>(collection: SmrtCollection<any>): Promise
29
29
  * @param tenantId - The tenant id to include alongside globals.
30
30
  * @param label - `Class.method` identifier for the isolation error message.
31
31
  */
32
- export declare function queryWithGlobals<T>(collection: SmrtCollection<any>, tenantId: string, label: string): Promise<T[]>;
32
+ export declare function queryWithGlobals<T, M extends SmrtObject = SmrtObject>(collection: SmrtCollection<M>, tenantId: string, label: string): Promise<T[]>;
33
33
  //# sourceMappingURL=tenant-global-queries.d.ts.map
package/dist/tenant-global-queries.d.ts.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"file":"tenant-global-queries.d.ts","sourceRoot":"","sources":["../src/tenant-global-queries.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,MAAM,0BAA0B,CAAC;AAO/D;;;;;;;GAOG;AACH,wBAAgB,uBAAuB,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,CAa7E;AAED;;;;;;;;GAQG;AACH,wBAAsB,WAAW,CAAC,CAAC,EACjC,UAAU,EAAE,cAAc,CAAC,GAAG,CAAC,GAC9B,OAAO,CAAC,CAAC,EAAE,CAAC,CAWd;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,gBAAgB,CAAC,CAAC,EACtC,UAAU,EAAE,cAAc,CAAC,GAAG,CAAC,EAC/B,QAAQ,EAAE,MAAM,EAChB,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,CAAC,EAAE,CAAC,CAYd"}
1
+ {"version":3,"file":"tenant-global-queries.d.ts","sourceRoot":"","sources":["../src/tenant-global-queries.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAsCG;AAEH,OAAO,KAAK,EAAE,cAAc,EAAE,UAAU,EAAE,MAAM,0BAA0B,CAAC;AAO3E;;;;;;;GAOG;AACH,wBAAgB,uBAAuB,CAAC,QAAQ,EAAE,MAAM,EAAE,KAAK,EAAE,MAAM,GAAG,IAAI,CAa7E;AAED;;;;;;;;GAQG;AACH,wBAAsB,WAAW,CAAC,CAAC,EAAE,CAAC,SAAS,UAAU,GAAG,UAAU,EACpE,UAAU,EAAE,cAAc,CAAC,CAAC,CAAC,GAC5B,OAAO,CAAC,CAAC,EAAE,CAAC,CAoBd;AAED;;;;;;;;;;GAUG;AACH,wBAAsB,gBAAgB,CAAC,CAAC,EAAE,CAAC,SAAS,UAAU,GAAG,UAAU,EACzE,UAAU,EAAE,cAAc,CAAC,CAAC,CAAC,EAC7B,QAAQ,EAAE,MAAM,EAChB,KAAK,EAAE,MAAM,GACZ,OAAO,CAAC,CAAC,EAAE,CAAC,CAed"}
package/dist/testing.js CHANGED
@@ -1,5 +1,5 @@
1
1
  import "./chunks/context-DfTygamS.js";
2
- import { a, b, e, l, s, t } from "./chunks/testing-DyAqaOBC.js";
2
+ import { a, b, e, l, s, t } from "./chunks/testing-BWF_N0FL.js";
3
3
  export {
4
4
  a as assertTenantContextRequired,
5
5
  b as assertTenantIsolationViolation,
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@happyvertical/smrt-tenancy",
3
- "version": "0.35.0",
3
+ "version": "0.35.2",
4
4
  "description": "Production-ready multi-tenancy framework for SMRT with automatic tenant isolation and enforcement",
5
5
  "type": "module",
6
6
  "smrtRawPrimitives": "strict",
@@ -44,9 +44,9 @@
44
44
  "@happyvertical/logger": "^0.74.7",
45
45
  "@happyvertical/sql": "^0.74.7",
46
46
  "@happyvertical/utils": "^0.74.7",
47
- "@happyvertical/smrt-core": "0.35.0",
48
- "@happyvertical/smrt-ui": "0.35.0",
49
- "@happyvertical/smrt-types": "0.35.0"
47
+ "@happyvertical/smrt-core": "0.35.2",
48
+ "@happyvertical/smrt-types": "0.35.2",
49
+ "@happyvertical/smrt-ui": "0.35.2"
50
50
  },
51
51
  "peerDependencies": {
52
52
  "svelte": "^5.46.4"
@@ -65,7 +65,7 @@
65
65
  "typescript": "^5.9.3",
66
66
  "vite": "^7.3.1",
67
67
  "vitest": "^4.0.17",
68
- "@happyvertical/smrt-vitest": "0.35.0"
68
+ "@happyvertical/smrt-vitest": "0.35.2"
69
69
  },
70
70
  "keywords": [
71
71
  "ai",
package/dist/chunks/testing-DyAqaOBC.js.map DELETED
@@ -1 +0,0 @@
1
- {"version":3,"file":"testing-DyAqaOBC.js","sources":["../../src/registry.ts","../../src/enabled-state.ts","../../src/entry-point.ts","../../src/interceptor.ts","../../src/testing.ts"],"sourcesContent":["/**\n * Tenant-Scoped Class Registry\n *\n * Tracks which classes are tenant-scoped and their configuration.\n * Used by the interceptor to determine how to handle operations.\n *\n * This registry supports two patterns:\n * 1. @TenantScoped() decorator + tenantId field (original pattern)\n * 2. @smrt({ tenantScoped: true }) in smrt-core (Issue #688 pattern)\n *\n * Both patterns are automatically recognized by the interceptor.\n *\n * @see https://github.com/happyvertical/smrt/issues/675\n * @see https://github.com/happyvertical/smrt/issues/688\n */\n\nimport { ObjectRegistry } from '@happyvertical/smrt-core';\n\n/**\n * Resolved tenancy configuration for a single class, as stored in the registry.\n *\n * Every field has a concrete (non-optional) value — defaults are applied by\n * `registerTenantScopedClass()` when the class is registered via `@TenantScoped()`.\n *\n * @see TenantScopedOptions\n * @see registerTenantScopedClass\n */\nexport interface TenantScopedConfig {\n /**\n * Tenancy mode for this class\n * - 'required': Must have tenant context for all operations\n * - 'optional': Works with or without tenant context\n * @default 'required'\n */\n mode: 'required' | 'optional';\n\n /**\n * Field name containing tenant ID\n * @default 'tenantId'\n */\n field: string;\n\n /**\n * Auto-filter all queries by tenant\n * @default true\n */\n autoFilter: boolean;\n\n /**\n * Auto-populate tenant ID from context on create\n * @default true\n */\n autoPopulate: boolean;\n\n /**\n * Allow super admin bypass for this class\n * @default false\n */\n allowSuperAdminBypass: boolean;\n}\n\nconst DEFAULT_CONFIG: TenantScopedConfig = {\n mode: 'required',\n field: 'tenantId',\n autoFilter: true,\n autoPopulate: true,\n allowSuperAdminBypass: false,\n};\n\n// Registry storing tenant-scoped class configurations\nconst tenantScopedClasses = new Map<string, TenantScopedConfig>();\n\n/**\n * Register a class as tenant-scoped with the given configuration.\n *\n * Called automatically by the `@TenantScoped()` decorator. You can also call\n * this directly when you cannot use decorators (e.g., third-party classes or\n * plain objects in tests). Defaults from `DEFAULT_CONFIG` are merged over any\n * omitted options.\n *\n * Calling this again for the same `className` overwrites the previous entry.\n *\n * @param className - The class's `name` property (e.g., `'Document'`).\n * @param config - Partial tenancy configuration; omitted fields receive defaults.\n *\n * @example\n * ```typescript\n * // Manually register a class (e.g., for testing)\n * registerTenantScopedClass('Document', { mode: 'optional' });\n * ```\n *\n * @see TenantScoped\n * @see unregisterTenantScopedClass\n */\nexport function registerTenantScopedClass(\n className: string,\n config: Partial<TenantScopedConfig> = {},\n): void {\n tenantScopedClasses.set(className, {\n ...DEFAULT_CONFIG,\n ...config,\n });\n}\n\n/**\n * Remove a class from the tenant-scoped registry.\n *\n * Primarily intended for test teardown — use `clearTenantScopedRegistry()` to\n * reset the entire registry at once.\n *\n * @param className - The class name to remove (e.g., `'Document'`).\n *\n * @see clearTenantScopedRegistry\n * @see registerTenantScopedClass\n */\nexport function unregisterTenantScopedClass(className: string): void {\n tenantScopedClasses.delete(className);\n}\n\n/**\n * Strip a qualified `@scope/pkg:ClassName` name down to its bare class name.\n *\n * `@TenantScoped` registers classes by their simple name (`target.name`), but\n * `ObjectRegistry.getInheritanceChain()` emits **qualified** names where a\n * class has package context. The simple-name bridge this enables is confined to\n * the inheritance walk (`getInheritedTenantScopedConfig`) — never the direct\n * lookup — so a *direct* qualified lookup can't strip the namespace and\n * cross-match a same-simple-name class in another package.\n */\nfunction toSimpleClassName(className: string): string {\n const idx = className.lastIndexOf(':');\n return idx === -1 ? className : className.slice(idx + 1);\n}\n\n/**\n * Return a shallow copy of a config so callers can never mutate the stored\n * registration. The same backing object is shared by the base and every\n * inheriting descendant, so handing out the reference would let an accidental\n * caller mutation silently corrupt the base (and all children). (#1598 review)\n */\nfunction cloneConfig(config: TenantScopedConfig): TenantScopedConfig {\n return { ...config };\n}\n\n/**\n * Resolve a class's OWN tenancy configuration — no STI inheritance, EXACT name\n * match only.\n *\n * Checks the two registration mechanisms in order, with the local registry\n * taking precedence:\n * 1. The local registry populated by `@TenantScoped()` (keyed by simple name).\n * 2. The core `ObjectRegistry` populated by `@smrt({ tenantScoped: true })`.\n *\n * Lookups are by exact name only — no simple-name fallback — so a qualified\n * lookup (e.g. `@happyvertical/smrt-affiliates:Payout`, explicitly not scoped)\n * can never strip its namespace and match a same-simple-name scoped class in\n * another package (e.g. `@happyvertical/smrt-commerce:Payout`). The\n * namespace-stripping bridge lives only in the inheritance walk. (#1598 review)\n */\nfunction getDirectTenantScopedConfig(\n className: string,\n): TenantScopedConfig | undefined {\n // 1. Local registry (explicit @TenantScoped decorator).\n const localConfig = tenantScopedClasses.get(className);\n if (localConfig) {\n return cloneConfig(localConfig);\n }\n\n // 2. Core registry (@smrt({ tenantScoped: true }) pattern - Issue #688).\n // findClass() resolves qualified names package-safely, so this branch is\n // already disambiguated.\n const coreConfig = ObjectRegistry.getTenantScopedConfig(className);\n if (coreConfig) {\n // Convert core config to TenantScopedConfig format\n return {\n mode: coreConfig.mode,\n field: coreConfig.field,\n autoFilter: coreConfig.autoFilter,\n autoPopulate: coreConfig.autoPopulate,\n allowSuperAdminBypass: coreConfig.allowSuperAdminBypass,\n };\n }\n\n return undefined;\n}\n\n/**\n * Resolve tenancy configuration inherited from an STI/ancestor class.\n *\n * `@TenantScoped` (and `@smrt({ tenantScoped })`) register ONLY the exact class\n * decorated — recognition does NOT propagate to subclasses. Before #1596 this\n * meant an STI child with its own collection (the child is the collection's\n * `_itemClass`) was treated as non-tenant-scoped at runtime: the interceptor\n * skipped tenant filtering on its `list()`/`get()` (cross-tenant reads), skipped\n * tenant population in `beforeSave`, and skipped the raw-SQL policy. Manual\n * re-declaration on every child was the fragile pattern that already bit images\n * (#1407) and messages.\n *\n * We now walk the STI inheritance chain so any descendant of a tenant-scoped\n * base is recognized automatically and inherits the base's config. A subclass\n * of a tenant-scoped class is always itself tenant-scoped — there is no safe\n * reason for it to opt out — so the walk intentionally covers any inheritance\n * (the motivating leak is STI child collections, but this is correct for CTI\n * hierarchies too).\n *\n * Ancestors are walked from nearest-to-self toward the root, returning the\n * first tenant-scoped ancestor's config so a closer ancestor wins. The class's\n * OWN declaration is resolved by the direct lookup in `getTenantScopedConfig`\n * and always takes precedence over anything inherited here.\n */\nfunction getInheritedTenantScopedConfig(\n className: string,\n): TenantScopedConfig | undefined {\n // getInheritanceChain returns [root, ..., self] (qualified names where the\n // class has package context). It is cached by core and only reached here when\n // the direct lookup misses, so the per-call cost on non-tenant classes is a\n // cache hit plus this short loop. Returns [] for unregistered classes.\n const chain = ObjectRegistry.getInheritanceChain(className);\n // chain[length - 1] is the class itself (already covered by the direct\n // lookup); walk its ancestors from nearest to root.\n for (let i = chain.length - 2; i >= 0; i--) {\n const ancestor = chain[i];\n\n // Exact, package-safe match first — covers `@smrt({ tenantScoped })` bases\n // (resolved through the core registry by qualified name) and any class\n // whose @TenantScoped key matches the chain entry verbatim.\n const direct = getDirectTenantScopedConfig(ancestor);\n if (direct) {\n return direct;\n }\n\n // @TenantScoped registers by SIMPLE name (`target.name`), but the chain\n // emits QUALIFIED names. Bridge to the simple-keyed local registry here —\n // scoped to the inheritance walk only, so a direct qualified lookup never\n // strips the namespace (see getDirectTenantScopedConfig). The chain entry\n // is a verified ancestor of `className`, so matching its simple name is the\n // intended hop. (Residual: the @TenantScoped registry is simple-keyed, so\n // two DISTINCT same-simple-name classes that are BOTH @TenantScoped across\n // packages could cross-match here — a pre-existing decorator-keying limit,\n // not the direct-lookup hazard fixed above.)\n const simple = toSimpleClassName(ancestor);\n if (simple !== ancestor) {\n const bySimple = tenantScopedClasses.get(simple);\n if (bySimple) {\n return cloneConfig(bySimple);\n }\n }\n }\n return undefined;\n}\n\n/**\n * Retrieve the resolved tenancy configuration for a class.\n *\n * Resolution order:\n * 1. The class's OWN declaration — local `@TenantScoped()` registry first, then\n * the core `@smrt({ tenantScoped: true })` registry.\n * 2. STI inheritance — the nearest tenant-scoped ancestor's config (#1596).\n *\n * A class that declares its own tenancy never reaches step 2, so an explicit\n * child `@TenantScoped` always overrides the inherited base config.\n *\n * @param className - The class name to look up.\n * @returns The `TenantScopedConfig` if the class is tenant-scoped directly or\n * by inheritance, or `undefined` if it is not.\n *\n * @see isTenantScopedClass\n * @see getAllTenantScopedClasses\n */\nexport function getTenantScopedConfig(\n className: string,\n): TenantScopedConfig | undefined {\n // A class's own @TenantScoped / @smrt({ tenantScoped }) declaration wins.\n const direct = getDirectTenantScopedConfig(className);\n if (direct) {\n return direct;\n }\n // Otherwise inherit recognition from a tenant-scoped STI ancestor (#1596).\n return getInheritedTenantScopedConfig(className);\n}\n\n/**\n * Return `true` if the named class is tenant-scoped — directly (via\n * `@TenantScoped()` / `@smrt({ tenantScoped: true })`) or by inheriting from a\n * tenant-scoped STI ancestor (#1596).\n *\n * @param className - The class name to look up (e.g., `'Document'`).\n * @returns `true` if the class is tenant-scoped by any mechanism.\n *\n * @see getTenantScopedConfig\n * @see registerTenantScopedClass\n */\nexport function isTenantScopedClass(className: string): boolean {\n return getTenantScopedConfig(className) !== undefined;\n}\n\n/**\n * Return a snapshot of all classes registered via `@TenantScoped()`.\n *\n * Returns a new `Map` so mutations to the returned value do not affect the\n * internal registry. Note that classes registered only through the core\n * `ObjectRegistry` (`@smrt({ tenantScoped: true })`) are **not** included in\n * this map.\n *\n * @returns A copy of the local tenant-scoped class registry, keyed by class name.\n *\n * @see isTenantScopedClass\n * @see getTenantScopedConfig\n */\nexport function getAllTenantScopedClasses(): Map<string, TenantScopedConfig> {\n return new Map(tenantScopedClasses);\n}\n\n/**\n * Remove all entries from the local tenant-scoped class registry.\n *\n * Intended for test teardown via `resetTenancy()`. Does not affect\n * registrations held by the core `ObjectRegistry`.\n *\n * @see resetTenancy\n * @see unregisterTenantScopedClass\n */\nexport function clearTenantScopedRegistry(): void {\n tenantScopedClasses.clear();\n}\n","/**\n * Shared tenancy-enabled flag.\n *\n * Holds the single boolean toggled by `enableTenancy()` / `disableTenancy()`.\n * It lives in its own leaf module (importing nothing from the package) so that\n * both `interceptor.ts` and `entry-point.ts` can read it without forming a\n * circular import: `interceptor.ts` imports `runTenantScopedEntryPoint` from\n * `entry-point.ts`, and `entry-point.ts` needs the enabled flag — routing the\n * flag through here keeps that dependency one-directional.\n */\n\nlet enabled = false;\n\n/**\n * Set the global tenancy-enabled flag. Internal — called by `enableTenancy()` /\n * `disableTenancy()` in `interceptor.ts`.\n *\n * @param value - `true` to mark tenancy enabled, `false` to clear it.\n */\nexport function setTenancyEnabled(value: boolean): void {\n enabled = value;\n}\n\n/**\n * Return `true` if tenant enforcement is currently active.\n *\n * @returns Whether `enableTenancy()` has been called without a later\n * `disableTenancy()`.\n */\nexport function isTenancyEnabled(): boolean {\n return enabled;\n}\n","/**\n * Fail-closed tenant-context establishment for non-web entry points (#1554).\n *\n * The SvelteKit/Express adapters establish tenant context from the authenticated\n * request principal, so the web surface of a `@TenantScoped({ mode: 'optional' })`\n * model never reads across tenants without an active context. The generated\n * **CLI** and **MCP** entry points have no request principal, so an invocation\n * with no active context would fall through the interceptor's optional-mode\n * pass-through and return rows across **all** tenants.\n *\n * `runTenantScopedEntryPoint()` closes that gap. It is the single fail-closed\n * gate both generated surfaces wrap their per-command/per-tool execution in.\n *\n * @see createCliContext for the richer CLI runner (resolveTenantId, super-admin).\n */\n\nimport {\n hasTenantContext,\n isSystemContext,\n TenantContextError,\n withSystemContext,\n withTenant,\n} from './context.js';\nimport { isTenancyEnabled } from './enabled-state.js';\nimport { isTenantScopedClass } from './registry.js';\n\n/**\n * Inputs for {@link runTenantScopedEntryPoint}.\n *\n * Provide **either** `className` (the gate resolves tenant-scoping from the\n * authoritative tenancy registry — the same source the interceptor uses, so it\n * covers both `@TenantScoped` and `@smrt({ tenantScoped })` registrations) or an\n * explicit `tenantScoped` boolean (when the caller already resolved it, e.g. a\n * build-time generated surface). An explicit boolean wins when both are given.\n */\nexport interface TenantEntryPointOptions {\n /**\n * Class name of the target model. When provided, tenant-scoping is resolved\n * via `isTenantScopedClass(className)`.\n */\n className?: string;\n\n /**\n * Explicit tenant-scoping decision. Overrides `className` resolution when set.\n * Non-scoped models always pass through unchanged — the gate is a no-op.\n */\n tenantScoped?: boolean;\n\n /**\n * Explicit operator-provided tenant selector (CLI `--tenant <id>`, MCP\n * `context.tenantId`). When present (and no context is already active) the\n * function runs inside this tenant's context.\n */\n tenantId?: string | null;\n\n /**\n * Explicit operator opt-in to cross-tenant / system access (CLI\n * `--all-tenants`, an MCP host that trusts the caller as an operator). When\n * set the function runs in system context, bypassing tenant filtering.\n *\n * @default false\n */\n allowCrossTenant?: boolean;\n\n /**\n * Human-facing surface name used in the fail-closed error message, e.g.\n * `'CLI'` or `'MCP'`.\n *\n * @default 'entry point'\n */\n surface?: string;\n}\n\n/**\n * Run `fn` inside an appropriate tenant context for a generated CLI/MCP entry\n * point, failing closed for tenant-scoped models when no authorized context can\n * be established.\n *\n * Resolution order (tenant-scoped models only):\n * 1. A tenant context is already active, or an explicit `withSystemContext()`\n * bypass is in effect (e.g. `runAsSystem()`, migrations) → run as-is.\n * 2. `allowCrossTenant` was explicitly set → run in system context. Checked\n * before `tenantId` so an explicit cross-tenant opt-in wins over a default\n * principal/host tenant rather than being silently scoped.\n * 3. An explicit `tenantId` was provided → run inside that tenant.\n * 4. Tenancy is enabled but none of the above → **throw** `TenantContextError`\n * (the fail-closed branch — never silently read across tenants).\n * 5. Tenancy is disabled (single-/no-tenant deployment) → pass through.\n *\n * Non-tenant-scoped models always pass straight through.\n *\n * @param options - {@link TenantEntryPointOptions}.\n * @param fn - The command/tool body to execute.\n * @returns The resolved value of `fn`.\n * @throws {TenantContextError} When a tenant-scoped model is reached with\n * tenancy enabled and no tenant/cross-tenant selector.\n */\nexport async function runTenantScopedEntryPoint<T>(\n options: TenantEntryPointOptions,\n fn: () => Promise<T>,\n): Promise<T> {\n const {\n className,\n tenantScoped,\n tenantId,\n allowCrossTenant = false,\n surface = 'entry point',\n } = options;\n\n // Resolve tenant-scoping: an explicit boolean wins; otherwise consult the\n // authoritative tenancy registry by class name (matches the interceptor).\n const scoped =\n typeof tenantScoped === 'boolean'\n ? tenantScoped\n : className\n ? isTenantScopedClass(className)\n : false;\n\n // Non-scoped models run as-is. So do calls already inside a tenant context\n // (an upstream handle) or an explicit system-context bypass — the interceptor\n // honors `withSystemContext()` (migrations, `runAsSystem()`), so the gate must\n // not fail-close over it (hasTenantContext() is false for the system marker).\n if (!scoped) return fn();\n if (hasTenantContext() || isSystemContext()) return fn();\n\n // Explicit operator opt-in to cross-tenant access. Checked before the tenant\n // selector so a deliberate `--all-tenants` / `allowCrossTenant` overrides a\n // default host/principal tenant instead of being silently scoped to it.\n if (allowCrossTenant) {\n return withSystemContext(fn);\n }\n\n // Explicit tenant selector.\n if (typeof tenantId === 'string' && tenantId) {\n return withTenant({ tenantId }, fn);\n }\n\n // Fail closed: tenancy is on but the caller gave us nothing to scope by.\n if (isTenancyEnabled()) {\n throw new TenantContextError(\n `Tenant context required for tenant-scoped access via ${surface}. ` +\n 'Pass an explicit tenant (e.g. --tenant <id> / a tenantId) or opt into ' +\n 'cross-tenant access (e.g. --all-tenants) to read across all tenants.',\n );\n }\n\n // Tenancy disabled → single-tenant deployment, pass through.\n return fn();\n}\n","/**\n * Tenant Interceptor - Core enforcement mechanism\n *\n * Registers with GlobalInterceptors in smrt-core to automatically:\n * - Filter queries by tenant ID\n * - Validate tenant context on save/delete\n * - Block or audit raw SQL on tenant-scoped classes\n *\n * @see https://github.com/happyvertical/smrt/issues/675\n */\n\nimport { createLogger } from '@happyvertical/logger';\nimport type { SmrtObject } from '@happyvertical/smrt-core';\nimport {\n type CollectionInterceptor,\n type DispatchBus,\n GlobalInterceptors,\n type InterceptorContext,\n type ListOptions,\n type QueryInterceptResult,\n type QueryOptions,\n setDispatchTenantResolver,\n setTenantEntryPointRunner,\n} from '@happyvertical/smrt-core';\nimport {\n getCurrentTenant,\n getTenantId,\n isSuperAdminBypass,\n isSystemContext,\n TenantContextError,\n TenantIsolationError,\n} from './context.js';\nimport { isTenancyEnabled, setTenancyEnabled } from './enabled-state.js';\nimport { runTenantScopedEntryPoint } from './entry-point.js';\nimport { getTenantScopedConfig, isTenantScopedClass } from './registry.js';\n\nconst logger = createLogger({ level: 'info' });\n\n/**\n * Policy controlling what happens when raw SQL is executed against a\n * tenant-scoped class without an explicit bypass.\n *\n * - `'throw'` — Raises a `TenantIsolationError` (most secure; default).\n * - `'warn'` — Logs a `console.warn` but allows the query to proceed (useful\n * during migration periods).\n * - `'allow'` — Silently allows the query; not recommended for production.\n *\n * @see TenantInterceptorOptions.rawQueryPolicy\n * @see enableTenancy\n */\nexport type RawQueryPolicy = 'throw' | 'warn' | 'allow';\n\n/**\n * Configuration options accepted by `createTenantInterceptor()` and\n * `enableTenancy()`.\n *\n * All options are optional; reasonable defaults are applied. The callback\n * hooks (`onRawQuery`, `onMissingContext`, `onIsolationViolation`) are useful\n * for logging and alerting without altering the enforcement behaviour.\n *\n * @see createTenantInterceptor\n * @see enableTenancy\n */\nexport interface TenantInterceptorOptions {\n /**\n * Policy for raw SQL queries on tenant-scoped classes\n * - 'throw': Throw error (most secure, default)\n * - 'warn': Log warning but allow (for migration)\n * - 'allow': Silently allow (not recommended for production)\n * @default 'throw'\n */\n rawQueryPolicy?: RawQueryPolicy;\n\n /**\n * Called when a raw query is attempted on a tenant-scoped class\n * Useful for logging/auditing\n */\n onRawQuery?: (\n className: string,\n sql: string,\n context: InterceptorContext,\n ) => void;\n\n /**\n * Called when tenant context is missing for a tenant-scoped operation\n */\n onMissingContext?: (\n className: string,\n operation: string,\n context: InterceptorContext,\n ) => void;\n\n /**\n * Called when an isolation violation is detected\n */\n onIsolationViolation?: (\n className: string,\n expectedTenantId: string,\n actualTenantId: string,\n context: InterceptorContext,\n ) => void;\n\n /**\n * DispatchBus instance for emitting provisioning events on lifecycle changes.\n * When provided along with directoryClasses, afterSave/afterDelete hooks\n * emit dispatches like `directory.membership.created`.\n */\n dispatchBus?: DispatchBus;\n\n /**\n * Class names to emit directory dispatches for on save/delete lifecycle events.\n * Only classes listed here will trigger dispatch emissions.\n * @example ['Tenant', 'Membership', 'User']\n */\n directoryClasses?: string[];\n}\n\nconst DEFAULT_OPTIONS: TenantInterceptorOptions = {\n rawQueryPolicy: 'throw',\n};\n\n/**\n * Extract a plain-object snapshot of an instance for dispatch payloads.\n *\n * Prefers `toJSON()` when available (all real SmrtObject instances) because\n * it returns only data fields and excludes internal handles like `_db`, `_ai`,\n * and `_fs` which may contain circular references (e.g. connection pools with\n * Timeout objects).\n *\n * @see https://github.com/happyvertical/smrt/issues/946\n */\nfunction serializeInstance(\n instance: SmrtObject,\n className: string,\n): Record<string, unknown> {\n // Documented exception to the \"never call toJSON() directly\" convention\n // (docs/content/standards.md §7): the interceptor must serialize whatever\n // instance is handed to it, including workspace stubs and plain-object\n // doubles used in unit tests whose classes may not extend SmrtObject and\n // therefore have no `transformJSON()` hook. Using `toJSON()` here is a\n // duck-typed fallback — when present, it strips framework-internal handles\n // for us; when absent, we fall through to manual key iteration below.\n if (typeof (instance as any).toJSON === 'function') {\n return { className, ...(instance as any).toJSON() };\n }\n\n // Fallback for plain-object stubs (e.g. in unit tests):\n // skip functions and framework-internal properties\n const result: Record<string, unknown> = { className };\n for (const key of Object.keys(instance)) {\n const value = (instance as any)[key];\n if (typeof value !== 'function') {\n result[key] = value;\n }\n }\n return result;\n}\n\n/**\n * Create a `CollectionInterceptor` that enforces tenant isolation on all\n * `SmrtCollection` operations.\n *\n * The returned interceptor hooks into the smrt-core `GlobalInterceptors`\n * pipeline at priority 100 (runs before all other interceptors) and\n * handles the following lifecycle hooks:\n *\n * | Hook | Behaviour |\n * |---------------|-----------|\n * | `beforeList` | Injects tenant filter into `WHERE`; validates explicit filters. |\n * | `beforeGet` | Converts ID lookups to `{ id, tenantId }` filter objects. |\n * | `beforeSave` | Auto-populates `tenantId`; validates existing values. |\n * | `beforeDelete`| Validates the instance's `tenantId` matches context. |\n * | `beforeQuery` | Enforces `rawQueryPolicy` on raw SQL calls. |\n * | `afterSave` | Emits `directory.<class>.created/updated` via `dispatchBus`. |\n * | `afterDelete` | Emits `directory.<class>.deleted` via `dispatchBus`. |\n *\n * Use `enableTenancy()` to register the interceptor globally. Call this\n * directly only when you need multiple interceptor instances (e.g., for\n * isolated tests or feature flags).\n *\n * @param options - Configuration for the interceptor.\n * @returns A `CollectionInterceptor` ready to be registered with\n * `GlobalInterceptors.register()`.\n *\n * @example\n * ```typescript\n * import { createTenantInterceptor } from '@happyvertical/smrt-tenancy';\n * import { GlobalInterceptors } from '@happyvertical/smrt-core';\n *\n * const interceptor = createTenantInterceptor({ rawQueryPolicy: 'warn' });\n * GlobalInterceptors.register(interceptor);\n * ```\n *\n * @see enableTenancy\n * @see TenantInterceptorOptions\n */\nexport function createTenantInterceptor(\n options: TenantInterceptorOptions = {},\n): CollectionInterceptor {\n const opts = { ...DEFAULT_OPTIONS, ...options };\n\n return {\n name: 'smrt-tenancy',\n priority: 100, // High priority - should run first\n\n /**\n * Before list: Add tenant filter to queries\n */\n beforeList(\n className: string,\n listOptions: ListOptions,\n context: InterceptorContext,\n ): ListOptions | undefined {\n // Check if this class is tenant-scoped\n if (!isTenantScopedClass(className)) {\n return; // Not tenant-scoped, pass through\n }\n\n // Check for super admin bypass\n if (isSuperAdminBypass()) {\n return; // Bypass enabled, pass through\n }\n\n // Check for system context (explicit bypass via withSystemContext)\n if (isSystemContext()) {\n return; // System context bypasses tenant checks\n }\n\n const config = getTenantScopedConfig(className);\n const tenantContext = getCurrentTenant();\n\n // If no tenant context and mode is 'required', throw\n if (!tenantContext) {\n if (config?.mode === 'required') {\n opts.onMissingContext?.(className, 'list', context);\n throw new TenantContextError(\n `Tenant context required for listing ${className}. ` +\n `Use withTenant() or configure TenantContext middleware.`,\n );\n }\n return; // Mode is 'optional', allow without filtering\n }\n\n // Add tenant filter to where clause\n const tenantField = config?.field || 'tenantId';\n const where = listOptions.where || {};\n\n // Check if tenant filter is already present\n if (tenantField in where) {\n // Validate it matches context. The filter may be a scalar\n // (`tenantId: 'x'`) or an IN-style array (`tenantId: ['x']`) —\n // smrt-core auto-converts array values to SQL IN clauses, so an\n // array containing only the context tenant is a valid filter.\n // See https://github.com/happyvertical/smrt/issues/1495\n const existingFilter = where[tenantField];\n const filterValues = Array.isArray(existingFilter)\n ? existingFilter\n : [existingFilter];\n // findIndex (not find) so a literal null/undefined filter value is\n // still flagged as a violation rather than mistaken for \"not found\"\n const offendingIndex = filterValues.findIndex(\n (value) => value !== tenantContext.tenantId,\n );\n if (offendingIndex !== -1) {\n const offending = filterValues[offendingIndex];\n opts.onIsolationViolation?.(\n className,\n tenantContext.tenantId,\n String(offending),\n context,\n );\n throw new TenantIsolationError(\n `Tenant isolation violation in ${className} query: ` +\n `context tenant is '${tenantContext.tenantId}' but query filters by '${String(offending)}'`,\n {\n tenantId: tenantContext.tenantId,\n attemptedTenantId: String(offending),\n },\n );\n }\n return; // Filter already correct\n }\n\n // Inject tenant filter\n return {\n ...listOptions,\n where: {\n ...where,\n [tenantField]: tenantContext.tenantId,\n },\n };\n },\n\n /**\n * Before get: Add tenant filter to single record fetches\n */\n beforeGet(\n className: string,\n filter: string | Record<string, unknown>,\n context: InterceptorContext,\n ): string | Record<string, unknown> | undefined {\n if (!isTenantScopedClass(className)) {\n return;\n }\n\n if (isSuperAdminBypass()) {\n return;\n }\n\n // Check for system context (explicit bypass via withSystemContext)\n if (isSystemContext()) {\n return; // System context bypasses tenant checks\n }\n\n const config = getTenantScopedConfig(className);\n const tenantContext = getCurrentTenant();\n\n if (!tenantContext) {\n if (config?.mode === 'required') {\n opts.onMissingContext?.(className, 'get', context);\n throw new TenantContextError(\n `Tenant context required for getting ${className}. ` +\n `Use withTenant() or configure TenantContext middleware.`,\n );\n }\n return;\n }\n\n const tenantField = config?.field || 'tenantId';\n\n // If filter is a string (ID), convert to object filter with tenant\n if (typeof filter === 'string') {\n return {\n id: filter,\n [tenantField]: tenantContext.tenantId,\n };\n }\n\n // Add tenant filter to object\n if (!(tenantField in filter)) {\n return {\n ...filter,\n [tenantField]: tenantContext.tenantId,\n };\n }\n\n // Validate existing filter. Like beforeList, accept scalar or\n // IN-style array filters (smrt-core auto-converts arrays to SQL IN).\n // See https://github.com/happyvertical/smrt/issues/1495\n const existingFilter = filter[tenantField];\n const filterValues = Array.isArray(existingFilter)\n ? existingFilter\n : [existingFilter];\n // findIndex (not find) so a literal null/undefined filter value is\n // still flagged as a violation rather than mistaken for \"not found\"\n const offendingIndex = filterValues.findIndex(\n (value) => value !== tenantContext.tenantId,\n );\n if (offendingIndex !== -1) {\n const offending = filterValues[offendingIndex];\n opts.onIsolationViolation?.(\n className,\n tenantContext.tenantId,\n String(offending),\n context,\n );\n throw new TenantIsolationError(\n `Tenant isolation violation in ${className} get: ` +\n `context tenant is '${tenantContext.tenantId}' but query filters by '${String(offending)}'`,\n {\n tenantId: tenantContext.tenantId,\n attemptedTenantId: String(offending),\n },\n );\n }\n\n return;\n },\n\n /**\n * Before query: Handle raw SQL on tenant-scoped classes\n */\n beforeQuery(\n className: string,\n queryOptions: QueryOptions,\n context: InterceptorContext,\n ): QueryInterceptResult | undefined {\n if (!isTenantScopedClass(className)) {\n return;\n }\n\n // Check for explicit bypass flag\n if (queryOptions.allowRawOnTenantScoped) {\n opts.onRawQuery?.(className, queryOptions.sql, context);\n return; // Explicitly allowed\n }\n\n if (isSuperAdminBypass()) {\n opts.onRawQuery?.(className, queryOptions.sql, context);\n return;\n }\n\n // Check for system context (explicit bypass via withSystemContext)\n if (isSystemContext()) {\n opts.onRawQuery?.(className, queryOptions.sql, context);\n return;\n }\n\n // Handle based on policy\n const message =\n `Raw SQL query attempted on tenant-scoped class ${className}. ` +\n `Use list()/get() for automatic tenant filtering, or call ` +\n `query() with { allowRawOnTenantScoped: true } if you're handling ` +\n `tenant filtering manually.`;\n\n opts.onRawQuery?.(className, queryOptions.sql, context);\n\n switch (opts.rawQueryPolicy) {\n case 'throw':\n throw new TenantIsolationError(message);\n\n case 'warn':\n logger.warn(`[smrt-tenancy] WARNING: ${message}`);\n return;\n default:\n return;\n }\n },\n\n /**\n * Before save: Validate tenant ID is set and matches context\n */\n beforeSave(instance: SmrtObject, context: InterceptorContext): void {\n // Use context.className which is always correct\n // (instance.constructor.name may not match for proxies or plain objects in tests)\n const className = context.className;\n\n // Stash isNew flag for afterSave dispatch detection\n if (opts.directoryClasses?.includes(className)) {\n const id = (instance as any).id;\n context.metadata = {\n ...context.metadata,\n _directoryIsNew: id === undefined || id === null,\n };\n }\n\n if (!isTenantScopedClass(className)) {\n return;\n }\n\n if (isSuperAdminBypass()) {\n return;\n }\n\n // Check for system context (explicit bypass via withSystemContext)\n if (isSystemContext()) {\n return; // System context bypasses tenant checks\n }\n\n const config = getTenantScopedConfig(className);\n const tenantField = config?.field || 'tenantId';\n const instanceTenantId = (instance as any)[tenantField];\n\n const tenantContext = getCurrentTenant();\n\n // Check if tenant context is required\n if (!tenantContext) {\n if (config?.mode === 'required') {\n opts.onMissingContext?.(className, 'save', context);\n throw new TenantContextError(\n `Tenant context required for saving ${className}. ` +\n `Use withTenant() or configure TenantContext middleware.`,\n );\n }\n return; // Mode is 'optional'\n }\n\n // Auto-populate tenant ID if not set\n if (!instanceTenantId && config?.autoPopulate !== false) {\n (instance as any)[tenantField] = tenantContext.tenantId;\n return;\n }\n\n // Validate tenant ID matches context\n if (instanceTenantId && instanceTenantId !== tenantContext.tenantId) {\n opts.onIsolationViolation?.(\n className,\n tenantContext.tenantId,\n instanceTenantId,\n context,\n );\n throw new TenantIsolationError(\n `Tenant isolation violation: cannot save ${className} with ` +\n `tenantId '${instanceTenantId}' in context of tenant '${tenantContext.tenantId}'`,\n {\n tenantId: tenantContext.tenantId,\n attemptedTenantId: instanceTenantId,\n },\n );\n }\n },\n\n /**\n * Before delete: Validate instance belongs to current tenant\n */\n beforeDelete(instance: SmrtObject, context: InterceptorContext): void {\n // Use context.className which is always correct\n const className = context.className;\n\n if (!isTenantScopedClass(className)) {\n return;\n }\n\n if (isSuperAdminBypass()) {\n return;\n }\n\n // Check for system context (explicit bypass via withSystemContext)\n if (isSystemContext()) {\n return; // System context bypasses tenant checks\n }\n\n const config = getTenantScopedConfig(className);\n const tenantField = config?.field || 'tenantId';\n const instanceTenantId = (instance as any)[tenantField];\n\n const tenantContext = getCurrentTenant();\n\n if (!tenantContext) {\n if (config?.mode === 'required') {\n opts.onMissingContext?.(className, 'delete', context);\n throw new TenantContextError(\n `Tenant context required for deleting ${className}. ` +\n `Use withTenant() or configure TenantContext middleware.`,\n );\n }\n return;\n }\n\n // Validate tenant ID matches\n if (instanceTenantId && instanceTenantId !== tenantContext.tenantId) {\n opts.onIsolationViolation?.(\n className,\n tenantContext.tenantId,\n instanceTenantId,\n context,\n );\n throw new TenantIsolationError(\n `Tenant isolation violation: cannot delete ${className} with ` +\n `tenantId '${instanceTenantId}' in context of tenant '${tenantContext.tenantId}'`,\n {\n tenantId: tenantContext.tenantId,\n attemptedTenantId: instanceTenantId,\n },\n );\n }\n },\n\n /**\n * After save: Emit directory dispatch for configured classes\n */\n async afterSave(\n instance: SmrtObject,\n context: InterceptorContext,\n ): Promise<void> {\n if (\n !opts.dispatchBus ||\n !opts.directoryClasses?.includes(context.className)\n )\n return;\n\n const rawIsNew = context.metadata?._directoryIsNew;\n const isNew =\n typeof rawIsNew === 'boolean' ? rawIsNew : (instance as any).id == null;\n const event = isNew\n ? `directory.${context.className.toLowerCase()}.created`\n : `directory.${context.className.toLowerCase()}.updated`;\n\n await opts.dispatchBus.emit(\n event,\n serializeInstance(instance, context.className),\n {\n source: 'smrt-tenancy',\n sourceId: (instance as any).id,\n },\n );\n },\n\n /**\n * After delete: Emit directory dispatch for configured classes\n */\n async afterDelete(\n instance: SmrtObject,\n context: InterceptorContext,\n ): Promise<void> {\n if (\n !opts.dispatchBus ||\n !opts.directoryClasses?.includes(context.className)\n )\n return;\n\n await opts.dispatchBus.emit(\n `directory.${context.className.toLowerCase()}.deleted`,\n serializeInstance(instance, context.className),\n {\n source: 'smrt-tenancy',\n sourceId: (instance as any).id,\n },\n );\n },\n };\n}\n\n// ─────────────────────────────────────────────────────────────────────────────\n// Registration Functions\n// ─────────────────────────────────────────────────────────────────────────────\n\n// The enabled flag lives in `enabled-state.ts` (a leaf module) so `entry-point.ts`\n// can read it without importing this module — breaking the otherwise-circular\n// interceptor ↔ entry-point dependency.\nlet registeredInterceptor: CollectionInterceptor | null = null;\n\n/**\n * Enable tenant enforcement globally\n *\n * Call this once at application startup to enable automatic tenant isolation.\n *\n * @param options - Configuration options\n *\n * @example\n * ```typescript\n * // In your app initialization\n * import { enableTenancy } from '@happyvertical/smrt-tenancy';\n *\n * enableTenancy({\n * rawQueryPolicy: 'throw',\n * onMissingContext: (className, operation) => {\n * console.error(`Missing tenant context for ${operation} on ${className}`);\n * }\n * });\n * ```\n */\nexport function enableTenancy(options: TenantInterceptorOptions = {}): void {\n if (isTenancyEnabled()) {\n logger.warn(\n '[smrt-tenancy] Tenancy is already enabled. Call disableTenancy() first to reconfigure.',\n );\n return;\n }\n\n registeredInterceptor = createTenantInterceptor(options);\n GlobalInterceptors.register(registeredInterceptor);\n\n // Wire the DispatchBus tenant-scope resolver (S5 #1398). Core cannot depend\n // on tenancy, so it reads the active tenant through this injected hook; the\n // bus stamps/filters dispatches by the active tenant only while tenancy is\n // enabled. Mirrors the GlobalInterceptors inversion above.\n setDispatchTenantResolver(() => getTenantId());\n\n // Wire the fail-closed tenant gate for generated CLI/MCP entry points (#1554).\n // Core invokes this runner around tenant-scoped CLI/MCP execution; without it\n // (tenancy disabled) those surfaces pass through unchanged.\n setTenantEntryPointRunner(runTenantScopedEntryPoint);\n\n setTenancyEnabled(true);\n}\n\n/**\n * Disable global tenant enforcement.\n *\n * Unregisters the interceptor previously installed by `enableTenancy()` and\n * resets the internal enabled flag so `enableTenancy()` can be called again.\n * Idempotent — safe to call even when tenancy was never enabled.\n *\n * Common use-cases:\n * - Test teardown (via `resetTenancy()`).\n * - Temporarily disabling tenancy before reconfiguring with new options.\n *\n * @example\n * ```typescript\n * afterAll(() => {\n * disableTenancy();\n * });\n * ```\n *\n * @see enableTenancy\n * @see isTenancyEnabled\n * @see resetTenancy\n */\nexport function disableTenancy(): void {\n if (!isTenancyEnabled() || !registeredInterceptor) {\n return;\n }\n\n GlobalInterceptors.unregister(registeredInterceptor);\n // Clear the DispatchBus tenant resolver so the bus reverts to its no-op\n // (pre-tenancy) behavior when tenancy is disabled.\n setDispatchTenantResolver(undefined);\n // Clear the CLI/MCP tenant gate so those surfaces pass through (#1554).\n setTenantEntryPointRunner(undefined);\n registeredInterceptor = null;\n setTenancyEnabled(false);\n}\n\n/**\n * Return `true` if tenant enforcement is currently active.\n *\n * Reflects whether `enableTenancy()` has been called and the interceptor has not\n * yet been removed by `disableTenancy()`. Re-exported from `enabled-state.ts`\n * (the shared leaf module) so the public API surface is unchanged.\n *\n * @see enableTenancy\n * @see disableTenancy\n */\nexport { isTenancyEnabled };\n","/**\n * Testing Utilities for smrt-tenancy\n *\n * Helpers for testing tenant-scoped applications.\n *\n * @example\n * ```typescript\n * import { createTestTenantContext, resetTenancy } from '@happyvertical/smrt-tenancy/testing';\n *\n * beforeEach(() => {\n * resetTenancy(); // Clear all state\n * });\n *\n * it('should filter by tenant', async () => {\n * await createTestTenantContext({ tenantId: 'tenant-1' }, async () => {\n * const docs = await collection.list({});\n * // Only tenant-1 documents\n * });\n * });\n * ```\n */\n\nimport {\n type MinimalTenantContext,\n type TenantContextData,\n withTenant,\n} from './context.js';\nimport { disableTenancy, enableTenancy } from './interceptor.js';\nimport { clearTenantScopedRegistry } from './registry.js';\n\n/**\n * Reset all tenancy state (for use in beforeEach/afterEach)\n *\n * This clears:\n * - Registered interceptors\n * - Tenant-scoped class registry\n *\n * @example\n * ```typescript\n * afterEach(() => {\n * resetTenancy();\n * });\n * ```\n */\nexport function resetTenancy(): void {\n disableTenancy();\n clearTenantScopedRegistry();\n}\n\n/**\n * Create a test tenant context and run code within it\n *\n * Convenience wrapper around withTenant() with sensible defaults for testing.\n *\n * @param context - Tenant context (can be minimal, just tenantId)\n * @param fn - Async function to run in the context\n *\n * @example\n * ```typescript\n * await createTestTenantContext({ tenantId: 'test-tenant' }, async () => {\n * const product = await collection.create({ name: 'Test' });\n * expect(product.tenantId).toBe('test-tenant');\n * });\n * ```\n */\nexport async function createTestTenantContext<T>(\n context: MinimalTenantContext | TenantContextData,\n fn: () => Promise<T>,\n): Promise<T> {\n return withTenant(context, fn);\n}\n\n/**\n * Create multiple tenant contexts for isolation testing\n *\n * @param tenantIds - Array of tenant IDs to create contexts for\n * @param fn - Function that receives an object mapping tenant IDs to context runners\n *\n * @example\n * ```typescript\n * await testTenantIsolation(['tenant-a', 'tenant-b'], async (tenants) => {\n * // Create in tenant A\n * const docA = await tenants['tenant-a'](async () => {\n * return collection.create({ title: 'A doc' });\n * });\n *\n * // Verify not visible in tenant B\n * await tenants['tenant-b'](async () => {\n * const found = await collection.get(docA.id);\n * expect(found).toBeNull();\n * });\n * });\n * ```\n */\nexport async function testTenantIsolation<T>(\n tenantIds: string[],\n fn: (\n tenants: Record<string, <R>(runner: () => Promise<R>) => Promise<R>>,\n ) => Promise<T>,\n): Promise<T> {\n const tenants: Record<string, <R>(runner: () => Promise<R>) => Promise<R>> =\n {};\n\n for (const tenantId of tenantIds) {\n tenants[tenantId] = async <R>(runner: () => Promise<R>) => {\n return withTenant({ tenantId }, runner);\n };\n }\n\n return fn(tenants);\n}\n\n/**\n * Options for `setupTestTenancy()`.\n *\n * @see setupTestTenancy\n */\nexport interface SetupTestTenancyOptions {\n /**\n * Enable tenancy interceptors\n * @default true\n */\n enableInterceptors?: boolean;\n\n /**\n * Raw query policy for tests\n * @default 'throw'\n */\n rawQueryPolicy?: 'throw' | 'warn' | 'allow';\n}\n\n/**\n * Set up tenancy for a test suite\n *\n * Call in beforeAll or at the start of tests to configure tenancy.\n *\n * @param options - Setup options\n *\n * @example\n * ```typescript\n * beforeAll(() => {\n * setupTestTenancy({ enableInterceptors: true });\n * });\n *\n * afterAll(() => {\n * resetTenancy();\n * });\n * ```\n */\nexport function setupTestTenancy(options: SetupTestTenancyOptions = {}): void {\n const { enableInterceptors = true, rawQueryPolicy = 'throw' } = options;\n\n // Clear any existing state\n resetTenancy();\n\n // Enable interceptors if requested\n if (enableInterceptors) {\n enableTenancy({ rawQueryPolicy });\n }\n}\n\n/**\n * Assert that executing `fn` throws a `TenantContextError`.\n *\n * Fails with a descriptive message if `fn` completes without throwing, or if\n * it throws a different error type. Optionally verifies that the error message\n * contains a specific substring.\n *\n * Useful for testing that business-logic code correctly rejects calls that are\n * made outside a tenant context.\n *\n * @param fn - Async function that should throw `TenantContextError`.\n * @param messageContains - Optional substring the error message must include.\n *\n * @example\n * ```typescript\n * await assertTenantContextRequired(async () => {\n * // No withTenant() in scope\n * await documentCollection.list({});\n * });\n * ```\n *\n * @see assertTenantIsolationViolation\n * @see TenantContextError\n */\nexport async function assertTenantContextRequired(\n fn: () => Promise<unknown>,\n messageContains?: string,\n): Promise<void> {\n try {\n await fn();\n throw new Error('Expected TenantContextError but no error was thrown');\n } catch (error: unknown) {\n const err = error as Error & { code?: string };\n if (err.code !== 'TENANT_CONTEXT_REQUIRED') {\n throw new Error(\n `Expected TenantContextError but got ${err.constructor.name}: ${err.message}`,\n );\n }\n if (messageContains && !err.message.includes(messageContains)) {\n throw new Error(\n `Expected error message to contain '${messageContains}' but got: ${err.message}`,\n );\n }\n }\n}\n\n/**\n * Assert that executing `fn` throws a `TenantIsolationError`.\n *\n * Fails with a descriptive message if `fn` completes without throwing, or if\n * it throws a different error type. Optionally verifies that the error message\n * contains a specific substring.\n *\n * Use this to verify that cross-tenant data access attempts are correctly\n * blocked by the interceptor.\n *\n * @param fn - Async function that should throw `TenantIsolationError`.\n * @param messageContains - Optional substring the error message must include.\n *\n * @example\n * ```typescript\n * await withTenant({ tenantId: 'tenant-a' }, async () => {\n * await assertTenantIsolationViolation(async () => {\n * // Attempt to filter by a different tenant\n * await collection.list({ where: { tenantId: 'tenant-b' } });\n * });\n * });\n * ```\n *\n * @see assertTenantContextRequired\n * @see TenantIsolationError\n */\nexport async function assertTenantIsolationViolation(\n fn: () => Promise<unknown>,\n messageContains?: string,\n): Promise<void> {\n try {\n await fn();\n throw new Error('Expected TenantIsolationError but no error was thrown');\n } catch (error: unknown) {\n const err = error as Error & { code?: string };\n if (err.code !== 'TENANT_ISOLATION_VIOLATION') {\n throw new Error(\n `Expected TenantIsolationError but got ${err.constructor.name}: ${err.message}`,\n );\n }\n if (messageContains && !err.message.includes(messageContains)) {\n throw new Error(\n `Expected error message to contain '${messageContains}' but got: ${err.message}`,\n );\n }\n }\n}\n"],"names":[],"mappings":";;;AA6DA,MAAM,iBAAqC;AAAA,EACzC,MAAM;AAAA,EACN,OAAO;AAAA,EACP,YAAY;AAAA,EACZ,cAAc;AAAA,EACd,uBAAuB;AACzB;AAGA,MAAM,0CAA0B,IAAA;AAwBzB,SAAS,0BACd,WACA,SAAsC,IAChC;AACN,sBAAoB,IAAI,WAAW;AAAA,IACjC,GAAG;AAAA,IACH,GAAG;AAAA,EAAA,CACJ;AACH;AAaO,SAAS,4BAA4B,WAAyB;AACnE,sBAAoB,OAAO,SAAS;AACtC;AAYA,SAAS,kBAAkB,WAA2B;AACpD,QAAM,MAAM,UAAU,YAAY,GAAG;AACrC,SAAO,QAAQ,KAAK,YAAY,UAAU,MAAM,MAAM,CAAC;AACzD;AAQA,SAAS,YAAY,QAAgD;AACnE,SAAO,EAAE,GAAG,OAAA;AACd;AAiBA,SAAS,4BACP,WACgC;AAEhC,QAAM,cAAc,oBAAoB,IAAI,SAAS;AACrD,MAAI,aAAa;AACf,WAAO,YAAY,WAAW;AAAA,EAChC;AAKA,QAAM,aAAa,eAAe,sBAAsB,SAAS;AACjE,MAAI,YAAY;AAEd,WAAO;AAAA,MACL,MAAM,WAAW;AAAA,MACjB,OAAO,WAAW;AAAA,MAClB,YAAY,WAAW;AAAA,MACvB,cAAc,WAAW;AAAA,MACzB,uBAAuB,WAAW;AAAA,IAAA;AAAA,EAEtC;AAEA,SAAO;AACT;AA0BA,SAAS,+BACP,WACgC;AAKhC,QAAM,QAAQ,eAAe,oBAAoB,SAAS;AAG1D,WAAS,IAAI,MAAM,SAAS,GAAG,KAAK,GAAG,KAAK;AAC1C,UAAM,WAAW,MAAM,CAAC;AAKxB,UAAM,SAAS,4BAA4B,QAAQ;AACnD,QAAI,QAAQ;AACV,aAAO;AAAA,IACT;AAWA,UAAM,SAAS,kBAAkB,QAAQ;AACzC,QAAI,WAAW,UAAU;AACvB,YAAM,WAAW,oBAAoB,IAAI,MAAM;AAC/C,UAAI,UAAU;AACZ,eAAO,YAAY,QAAQ;AAAA,MAC7B;AAAA,IACF;AAAA,EACF;AACA,SAAO;AACT;AAoBO,SAAS,sBACd,WACgC;AAEhC,QAAM,SAAS,4BAA4B,SAAS;AACpD,MAAI,QAAQ;AACV,WAAO;AAAA,EACT;AAEA,SAAO,+BAA+B,SAAS;AACjD;AAaO,SAAS,oBAAoB,WAA4B;AAC9D,SAAO,sBAAsB,SAAS,MAAM;AAC9C;AAeO,SAAS,4BAA6D;AAC3E,SAAO,IAAI,IAAI,mBAAmB;AACpC;AAWO,SAAS,4BAAkC;AAChD,sBAAoB,MAAA;AACtB;ACzTA,IAAI,UAAU;AAQP,SAAS,kBAAkB,OAAsB;AACtD,YAAU;AACZ;AAQO,SAAS,mBAA4B;AAC1C,SAAO;AACT;ACkEA,eAAsB,0BACpB,SACA,IACY;AACZ,QAAM;AAAA,IACJ;AAAA,IACA;AAAA,IACA;AAAA,IACA,mBAAmB;AAAA,IACnB,UAAU;AAAA,EAAA,IACR;AAIJ,QAAM,SACJ,OAAO,iBAAiB,YACpB,eACA,YACE,oBAAoB,SAAS,IAC7B;AAMR,MAAI,CAAC,OAAQ,QAAO,GAAA;AACpB,MAAI,iBAAA,KAAsB,gBAAA,UAA0B,GAAA;AAKpD,MAAI,kBAAkB;AACpB,WAAO,kBAAkB,EAAE;AAAA,EAC7B;AAGA,MAAI,OAAO,aAAa,YAAY,UAAU;AAC5C,WAAO,WAAW,EAAE,SAAA,GAAY,EAAE;AAAA,EACpC;AAGA,MAAI,oBAAoB;AACtB,UAAM,IAAI;AAAA,MACR,wDAAwD,OAAO;AAAA,IAAA;AAAA,EAInE;AAGA,SAAO,GAAA;AACT;AChHA,MAAM,SAAS,aAAa,EAAE,OAAO,QAAQ;AAiF7C,MAAM,kBAA4C;AAAA,EAChD,gBAAgB;AAClB;AAYA,SAAS,kBACP,UACA,WACyB;AAQzB,MAAI,OAAQ,SAAiB,WAAW,YAAY;AAClD,WAAO,EAAE,WAAW,GAAI,SAAiB,SAAO;AAAA,EAClD;AAIA,QAAM,SAAkC,EAAE,UAAA;AAC1C,aAAW,OAAO,OAAO,KAAK,QAAQ,GAAG;AACvC,UAAM,QAAS,SAAiB,GAAG;AACnC,QAAI,OAAO,UAAU,YAAY;AAC/B,aAAO,GAAG,IAAI;AAAA,IAChB;AAAA,EACF;AACA,SAAO;AACT;AAwCO,SAAS,wBACd,UAAoC,IACb;AACvB,QAAM,OAAO,EAAE,GAAG,iBAAiB,GAAG,QAAA;AAEtC,SAAO;AAAA,IACL,MAAM;AAAA,IACN,UAAU;AAAA;AAAA;AAAA;AAAA;AAAA,IAKV,WACE,WACA,aACA,SACyB;AAEzB,UAAI,CAAC,oBAAoB,SAAS,GAAG;AACnC;AAAA,MACF;AAGA,UAAI,sBAAsB;AACxB;AAAA,MACF;AAGA,UAAI,mBAAmB;AACrB;AAAA,MACF;AAEA,YAAM,SAAS,sBAAsB,SAAS;AAC9C,YAAM,gBAAgB,iBAAA;AAGtB,UAAI,CAAC,eAAe;AAClB,YAAI,QAAQ,SAAS,YAAY;AAC/B,eAAK,mBAAmB,WAAW,QAAQ,OAAO;AAClD,gBAAM,IAAI;AAAA,YACR,uCAAuC,SAAS;AAAA,UAAA;AAAA,QAGpD;AACA;AAAA,MACF;AAGA,YAAM,cAAc,QAAQ,SAAS;AACrC,YAAM,QAAQ,YAAY,SAAS,CAAA;AAGnC,UAAI,eAAe,OAAO;AAMxB,cAAM,iBAAiB,MAAM,WAAW;AACxC,cAAM,eAAe,MAAM,QAAQ,cAAc,IAC7C,iBACA,CAAC,cAAc;AAGnB,cAAM,iBAAiB,aAAa;AAAA,UAClC,CAAC,UAAU,UAAU,cAAc;AAAA,QAAA;AAErC,YAAI,mBAAmB,IAAI;AACzB,gBAAM,YAAY,aAAa,cAAc;AAC7C,eAAK;AAAA,YACH;AAAA,YACA,cAAc;AAAA,YACd,OAAO,SAAS;AAAA,YAChB;AAAA,UAAA;AAEF,gBAAM,IAAI;AAAA,YACR,iCAAiC,SAAS,8BAClB,cAAc,QAAQ,2BAA2B,OAAO,SAAS,CAAC;AAAA,YAC1F;AAAA,cACE,UAAU,cAAc;AAAA,cACxB,mBAAmB,OAAO,SAAS;AAAA,YAAA;AAAA,UACrC;AAAA,QAEJ;AACA;AAAA,MACF;AAGA,aAAO;AAAA,QACL,GAAG;AAAA,QACH,OAAO;AAAA,UACL,GAAG;AAAA,UACH,CAAC,WAAW,GAAG,cAAc;AAAA,QAAA;AAAA,MAC/B;AAAA,IAEJ;AAAA;AAAA;AAAA;AAAA,IAKA,UACE,WACA,QACA,SAC8C;AAC9C,UAAI,CAAC,oBAAoB,SAAS,GAAG;AACnC;AAAA,MACF;AAEA,UAAI,sBAAsB;AACxB;AAAA,MACF;AAGA,UAAI,mBAAmB;AACrB;AAAA,MACF;AAEA,YAAM,SAAS,sBAAsB,SAAS;AAC9C,YAAM,gBAAgB,iBAAA;AAEtB,UAAI,CAAC,eAAe;AAClB,YAAI,QAAQ,SAAS,YAAY;AAC/B,eAAK,mBAAmB,WAAW,OAAO,OAAO;AACjD,gBAAM,IAAI;AAAA,YACR,uCAAuC,SAAS;AAAA,UAAA;AAAA,QAGpD;AACA;AAAA,MACF;AAEA,YAAM,cAAc,QAAQ,SAAS;AAGrC,UAAI,OAAO,WAAW,UAAU;AAC9B,eAAO;AAAA,UACL,IAAI;AAAA,UACJ,CAAC,WAAW,GAAG,cAAc;AAAA,QAAA;AAAA,MAEjC;AAGA,UAAI,EAAE,eAAe,SAAS;AAC5B,eAAO;AAAA,UACL,GAAG;AAAA,UACH,CAAC,WAAW,GAAG,cAAc;AAAA,QAAA;AAAA,MAEjC;AAKA,YAAM,iBAAiB,OAAO,WAAW;AACzC,YAAM,eAAe,MAAM,QAAQ,cAAc,IAC7C,iBACA,CAAC,cAAc;AAGnB,YAAM,iBAAiB,aAAa;AAAA,QAClC,CAAC,UAAU,UAAU,cAAc;AAAA,MAAA;AAErC,UAAI,mBAAmB,IAAI;AACzB,cAAM,YAAY,aAAa,cAAc;AAC7C,aAAK;AAAA,UACH;AAAA,UACA,cAAc;AAAA,UACd,OAAO,SAAS;AAAA,UAChB;AAAA,QAAA;AAEF,cAAM,IAAI;AAAA,UACR,iCAAiC,SAAS,4BAClB,cAAc,QAAQ,2BAA2B,OAAO,SAAS,CAAC;AAAA,UAC1F;AAAA,YACE,UAAU,cAAc;AAAA,YACxB,mBAAmB,OAAO,SAAS;AAAA,UAAA;AAAA,QACrC;AAAA,MAEJ;AAEA;AAAA,IACF;AAAA;AAAA;AAAA;AAAA,IAKA,YACE,WACA,cACA,SACkC;AAClC,UAAI,CAAC,oBAAoB,SAAS,GAAG;AACnC;AAAA,MACF;AAGA,UAAI,aAAa,wBAAwB;AACvC,aAAK,aAAa,WAAW,aAAa,KAAK,OAAO;AACtD;AAAA,MACF;AAEA,UAAI,sBAAsB;AACxB,aAAK,aAAa,WAAW,aAAa,KAAK,OAAO;AACtD;AAAA,MACF;AAGA,UAAI,mBAAmB;AACrB,aAAK,aAAa,WAAW,aAAa,KAAK,OAAO;AACtD;AAAA,MACF;AAGA,YAAM,UACJ,kDAAkD,SAAS;AAK7D,WAAK,aAAa,WAAW,aAAa,KAAK,OAAO;AAEtD,cAAQ,KAAK,gBAAA;AAAA,QACX,KAAK;AACH,gBAAM,IAAI,qBAAqB,OAAO;AAAA,QAExC,KAAK;AACH,iBAAO,KAAK,2BAA2B,OAAO,EAAE;AAChD;AAAA,QACF;AACE;AAAA,MAAA;AAAA,IAEN;AAAA;AAAA;AAAA;AAAA,IAKA,WAAW,UAAsB,SAAmC;AAGlE,YAAM,YAAY,QAAQ;AAG1B,UAAI,KAAK,kBAAkB,SAAS,SAAS,GAAG;AAC9C,cAAM,KAAM,SAAiB;AAC7B,gBAAQ,WAAW;AAAA,UACjB,GAAG,QAAQ;AAAA,UACX,iBAAiB,OAAO,UAAa,OAAO;AAAA,QAAA;AAAA,MAEhD;AAEA,UAAI,CAAC,oBAAoB,SAAS,GAAG;AACnC;AAAA,MACF;AAEA,UAAI,sBAAsB;AACxB;AAAA,MACF;AAGA,UAAI,mBAAmB;AACrB;AAAA,MACF;AAEA,YAAM,SAAS,sBAAsB,SAAS;AAC9C,YAAM,cAAc,QAAQ,SAAS;AACrC,YAAM,mBAAoB,SAAiB,WAAW;AAEtD,YAAM,gBAAgB,iBAAA;AAGtB,UAAI,CAAC,eAAe;AAClB,YAAI,QAAQ,SAAS,YAAY;AAC/B,eAAK,mBAAmB,WAAW,QAAQ,OAAO;AAClD,gBAAM,IAAI;AAAA,YACR,sCAAsC,SAAS;AAAA,UAAA;AAAA,QAGnD;AACA;AAAA,MACF;AAGA,UAAI,CAAC,oBAAoB,QAAQ,iBAAiB,OAAO;AACtD,iBAAiB,WAAW,IAAI,cAAc;AAC/C;AAAA,MACF;AAGA,UAAI,oBAAoB,qBAAqB,cAAc,UAAU;AACnE,aAAK;AAAA,UACH;AAAA,UACA,cAAc;AAAA,UACd;AAAA,UACA;AAAA,QAAA;AAEF,cAAM,IAAI;AAAA,UACR,2CAA2C,SAAS,mBACrC,gBAAgB,2BAA2B,cAAc,QAAQ;AAAA,UAChF;AAAA,YACE,UAAU,cAAc;AAAA,YACxB,mBAAmB;AAAA,UAAA;AAAA,QACrB;AAAA,MAEJ;AAAA,IACF;AAAA;AAAA;AAAA;AAAA,IAKA,aAAa,UAAsB,SAAmC;AAEpE,YAAM,YAAY,QAAQ;AAE1B,UAAI,CAAC,oBAAoB,SAAS,GAAG;AACnC;AAAA,MACF;AAEA,UAAI,sBAAsB;AACxB;AAAA,MACF;AAGA,UAAI,mBAAmB;AACrB;AAAA,MACF;AAEA,YAAM,SAAS,sBAAsB,SAAS;AAC9C,YAAM,cAAc,QAAQ,SAAS;AACrC,YAAM,mBAAoB,SAAiB,WAAW;AAEtD,YAAM,gBAAgB,iBAAA;AAEtB,UAAI,CAAC,eAAe;AAClB,YAAI,QAAQ,SAAS,YAAY;AAC/B,eAAK,mBAAmB,WAAW,UAAU,OAAO;AACpD,gBAAM,IAAI;AAAA,YACR,wCAAwC,SAAS;AAAA,UAAA;AAAA,QAGrD;AACA;AAAA,MACF;AAGA,UAAI,oBAAoB,qBAAqB,cAAc,UAAU;AACnE,aAAK;AAAA,UACH;AAAA,UACA,cAAc;AAAA,UACd;AAAA,UACA;AAAA,QAAA;AAEF,cAAM,IAAI;AAAA,UACR,6CAA6C,SAAS,mBACvC,gBAAgB,2BAA2B,cAAc,QAAQ;AAAA,UAChF;AAAA,YACE,UAAU,cAAc;AAAA,YACxB,mBAAmB;AAAA,UAAA;AAAA,QACrB;AAAA,MAEJ;AAAA,IACF;AAAA;AAAA;AAAA;AAAA,IAKA,MAAM,UACJ,UACA,SACe;AACf,UACE,CAAC,KAAK,eACN,CAAC,KAAK,kBAAkB,SAAS,QAAQ,SAAS;AAElD;AAEF,YAAM,WAAW,QAAQ,UAAU;AACnC,YAAM,QACJ,OAAO,aAAa,YAAY,WAAY,SAAiB,MAAM;AACrE,YAAM,QAAQ,QACV,aAAa,QAAQ,UAAU,YAAA,CAAa,aAC5C,aAAa,QAAQ,UAAU,YAAA,CAAa;AAEhD,YAAM,KAAK,YAAY;AAAA,QACrB;AAAA,QACA,kBAAkB,UAAU,QAAQ,SAAS;AAAA,QAC7C;AAAA,UACE,QAAQ;AAAA,UACR,UAAW,SAAiB;AAAA,QAAA;AAAA,MAC9B;AAAA,IAEJ;AAAA;AAAA;AAAA;AAAA,IAKA,MAAM,YACJ,UACA,SACe;AACf,UACE,CAAC,KAAK,eACN,CAAC,KAAK,kBAAkB,SAAS,QAAQ,SAAS;AAElD;AAEF,YAAM,KAAK,YAAY;AAAA,QACrB,aAAa,QAAQ,UAAU,YAAA,CAAa;AAAA,QAC5C,kBAAkB,UAAU,QAAQ,SAAS;AAAA,QAC7C;AAAA,UACE,QAAQ;AAAA,UACR,UAAW,SAAiB;AAAA,QAAA;AAAA,MAC9B;AAAA,IAEJ;AAAA,EAAA;AAEJ;AASA,IAAI,wBAAsD;AAsBnD,SAAS,cAAc,UAAoC,IAAU;AAC1E,MAAI,oBAAoB;AACtB,WAAO;AAAA,MACL;AAAA,IAAA;AAEF;AAAA,EACF;AAEA,0BAAwB,wBAAwB,OAAO;AACvD,qBAAmB,SAAS,qBAAqB;AAMjD,4BAA0B,MAAM,aAAa;AAK7C,4BAA0B,yBAAyB;AAEnD,oBAAkB,IAAI;AACxB;AAwBO,SAAS,iBAAuB;AACrC,MAAI,CAAC,sBAAsB,CAAC,uBAAuB;AACjD;AAAA,EACF;AAEA,qBAAmB,WAAW,qBAAqB;AAGnD,4BAA0B,MAAS;AAEnC,4BAA0B,MAAS;AACnC,0BAAwB;AACxB,oBAAkB,KAAK;AACzB;AClpBO,SAAS,eAAqB;AACnC,iBAAA;AACA,4BAAA;AACF;AAkBA,eAAsB,wBACpB,SACA,IACY;AACZ,SAAO,WAAW,SAAS,EAAE;AAC/B;AAwBA,eAAsB,oBACpB,WACA,IAGY;AACZ,QAAM,UACJ,CAAA;AAEF,aAAW,YAAY,WAAW;AAChC,YAAQ,QAAQ,IAAI,OAAU,WAA6B;AACzD,aAAO,WAAW,EAAE,SAAA,GAAY,MAAM;AAAA,IACxC;AAAA,EACF;AAEA,SAAO,GAAG,OAAO;AACnB;AAuCO,SAAS,iBAAiB,UAAmC,IAAU;AAC5E,QAAM,EAAE,qBAAqB,MAAM,iBAAiB,YAAY;AAGhE,eAAA;AAGA,MAAI,oBAAoB;AACtB,kBAAc,EAAE,gBAAgB;AAAA,EAClC;AACF;AA0BA,eAAsB,4BACpB,IACA,iBACe;AACf,MAAI;AACF,UAAM,GAAA;AACN,UAAM,IAAI,MAAM,qDAAqD;AAAA,EACvE,SAAS,OAAgB;AACvB,UAAM,MAAM;AACZ,QAAI,IAAI,SAAS,2BAA2B;AAC1C,YAAM,IAAI;AAAA,QACR,uCAAuC,IAAI,YAAY,IAAI,KAAK,IAAI,OAAO;AAAA,MAAA;AAAA,IAE/E;AACA,QAAI,mBAAmB,CAAC,IAAI,QAAQ,SAAS,eAAe,GAAG;AAC7D,YAAM,IAAI;AAAA,QACR,sCAAsC,eAAe,cAAc,IAAI,OAAO;AAAA,MAAA;AAAA,IAElF;AAAA,EACF;AACF;AA4BA,eAAsB,+BACpB,IACA,iBACe;AACf,MAAI;AACF,UAAM,GAAA;AACN,UAAM,IAAI,MAAM,uDAAuD;AAAA,EACzE,SAAS,OAAgB;AACvB,UAAM,MAAM;AACZ,QAAI,IAAI,SAAS,8BAA8B;AAC7C,YAAM,IAAI;AAAA,QACR,yCAAyC,IAAI,YAAY,IAAI,KAAK,IAAI,OAAO;AAAA,MAAA;AAAA,IAEjF;AACA,QAAI,mBAAmB,CAAC,IAAI,QAAQ,SAAS,eAAe,GAAG;AAC7D,YAAM,IAAI;AAAA,QACR,sCAAsC,eAAe,cAAc,IAAI,OAAO;AAAA,MAAA;AAAA,IAElF;AAAA,EACF;AACF;"}