@happyvertical/smrt-users 0.30.0

package/dist/index.js

@@ -0,0 +1,1482 @@
+import { D as DEFAULT_ROLES, n as normalizeEmail, i as isValidEmail, P as PermissionCollection, p as parsePermissionSlug, a as isValidPermissionSlug, b as DEFAULT_TENANT_POLICY, T as TenantCollection, M as MembershipCollection, c as DEFAULT_ROLE_SLUGS } from "./chunks/TerminalAuthService-DoAMQ_yn.js";
+import { U, d, e, f, g, h, G, j, k, l, m, o, q, r, O, s, t, u, R, v, S, w, x, y, z, A, B, C, E, F, H, I, U as U2, d as d2, J, K, L, N, Q, V, W, X } from "./chunks/TerminalAuthService-DoAMQ_yn.js";
+import { foreignKey, smrt, SmrtObject, SmrtCollection, field, ObjectRegistry, findManifestEntryByQualifiedName } from "@happyvertical/smrt-core";
+import { getPackageConfig } from "@happyvertical/smrt-config";
+import { createHash } from "node:crypto";
+import { MembershipStatus } from "@happyvertical/smrt-types";
+import { MembershipStatus as MembershipStatus2, OverrideEffect, SessionStatus, TenantPermissionEffect, TenantStatus, UserStatus } from "@happyvertical/smrt-types";
+var __defProp$2 = Object.defineProperty;
+var __getOwnPropDesc$2 = Object.getOwnPropertyDescriptor;
+var __decorateClass$2 = (decorators, target, key, kind) => {
+  var result = kind > 1 ? void 0 : kind ? __getOwnPropDesc$2(target, key) : target;
+  for (var i = decorators.length - 1, decorator; i >= 0; i--)
+    if (decorator = decorators[i])
+      result = (kind ? decorator(target, key, result) : decorator(result)) || result;
+  if (kind && result) __defProp$2(target, key, result);
+  return result;
+};
+let Group = class extends SmrtObject {
+  tenantId;
+  /**
+   * Display name for the group
+   */
+  name = "";
+  /**
+   * Description of the group
+   */
+  description = "";
+  constructor(options = {}) {
+    super(options);
+    if (options.tenantId !== void 0) this.tenantId = options.tenantId;
+    if (options.name !== void 0) this.name = options.name;
+    if (options.description !== void 0)
+      this.description = options.description;
+  }
+};
+__decorateClass$2([
+  foreignKey("Tenant", { required: true })
+], Group.prototype, "tenantId", 2);
+Group = __decorateClass$2([
+  smrt({
+    // #1400: read-only generated surface — RBAC/identity writes go through
+    // permission-gated services, not auth-only generated CRUD.
+    api: { include: ["list", "get"] },
+    mcp: { include: ["list", "get"] },
+    cli: true
+  })
+], Group);
+class GroupCollection extends SmrtCollection {
+  static _itemClass = Group;
+  /**
+   * Find all groups in a tenant
+   */
+  async findByTenant(tenantId) {
+    return await this.list({
+      where: { tenantId },
+      orderBy: "name ASC"
+    });
+  }
+  /**
+   * Find group by slug within a tenant
+   */
+  async findBySlug(slug, tenantId) {
+    const results = await this.list({
+      where: { slug, tenantId },
+      limit: 1
+    });
+    return results.length > 0 ? results[0] : null;
+  }
+}
+var __defProp$1 = Object.defineProperty;
+var __getOwnPropDesc$1 = Object.getOwnPropertyDescriptor;
+var __decorateClass$1 = (decorators, target, key, kind) => {
+  var result = kind > 1 ? void 0 : kind ? __getOwnPropDesc$1(target, key) : target;
+  for (var i = decorators.length - 1, decorator; i >= 0; i--)
+    if (decorator = decorators[i])
+      result = (kind ? decorator(target, key, result) : decorator(result)) || result;
+  if (kind && result) __defProp$1(target, key, result);
+  return result;
+};
+const DEFAULT_TOKEN_EXPIRY_SECONDS = 10 * 60;
+let UsersMagicLinkToken = class extends SmrtObject {
+  nonce = "";
+  /** Email address this token was generated for */
+  email = "";
+  /** Whether this token has been used */
+  used = false;
+  /** When this token expires */
+  expiresAt = new Date(Date.now() + DEFAULT_TOKEN_EXPIRY_SECONDS * 1e3);
+  constructor(options = {}) {
+    super(options);
+    if (options.nonce !== void 0) this.nonce = options.nonce;
+    if (options.email !== void 0) this.email = options.email;
+    if (options.used !== void 0) this.used = options.used;
+    if (options.expiresAt !== void 0) {
+      this.expiresAt = options.expiresAt instanceof Date ? options.expiresAt : new Date(options.expiresAt);
+    }
+  }
+  /** Check if the token has expired */
+  isExpired() {
+    return /* @__PURE__ */ new Date() > this.expiresAt;
+  }
+  /** Check if the token is still valid (unused and not expired) */
+  isValid() {
+    return !this.used && !this.isExpired();
+  }
+};
+__decorateClass$1([
+  field({ required: true, unique: true })
+], UsersMagicLinkToken.prototype, "nonce", 2);
+UsersMagicLinkToken = __decorateClass$1([
+  smrt({
+    tableName: "users_magic_link_tokens",
+    // Magic link tokens are security-sensitive — no public API
+    api: { include: [] },
+    mcp: { include: [] },
+    cli: true
+  })
+], UsersMagicLinkToken);
+class UsersMagicLinkTokenCollection extends SmrtCollection {
+  static _itemClass = UsersMagicLinkToken;
+  /**
+   * Find a token by its nonce
+   */
+  async findByNonce(nonce) {
+    return this.findOne({
+      where: { nonce }
+    });
+  }
+  /**
+   * Atomically mark a token as used (single-use enforcement).
+   *
+   * Returns true if the nonce was successfully claimed (transitioned from
+   * unused to used). Returns false if the nonce was already used, expired,
+   * or doesn't exist — preventing race conditions in concurrent verify() calls.
+   */
+  async markUsed(nonce) {
+    const now = (/* @__PURE__ */ new Date()).toISOString();
+    const { rowCount } = await this.db.query(
+      `UPDATE ${this.tableName}
+       SET used = ?, updated_at = ?
+       WHERE nonce = ? AND used = ? AND expires_at > ?`,
+      true,
+      now,
+      nonce,
+      false,
+      now
+    );
+    return rowCount > 0;
+  }
+  /**
+   * Delete expired tokens (cleanup job)
+   */
+  async deleteExpired() {
+    const now = /* @__PURE__ */ new Date();
+    const tokens = await this.list({
+      where: {
+        "expiresAt <": now.toISOString()
+      }
+    });
+    let count = 0;
+    for (const token of tokens) {
+      await token.delete();
+      count++;
+    }
+    return count;
+  }
+}
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __decorateClass = (decorators, target, key, kind) => {
+  var result = kind > 1 ? void 0 : kind ? __getOwnPropDesc(target, key) : target;
+  for (var i = decorators.length - 1, decorator; i >= 0; i--)
+    if (decorator = decorators[i])
+      result = (kind ? decorator(target, key, result) : decorator(result)) || result;
+  if (kind && result) __defProp(target, key, result);
+  return result;
+};
+let Role = class extends SmrtObject {
+  tenantId;
+  /**
+   * Display name for the role
+   */
+  name = "";
+  /**
+   * Description of the role
+   */
+  description = "";
+  /**
+   * Whether this is a system role (cannot be deleted)
+   */
+  isSystem = false;
+  constructor(options = {}) {
+    super(options);
+    if (options.tenantId !== void 0) this.tenantId = options.tenantId;
+    if (options.name !== void 0) this.name = options.name;
+    if (options.description !== void 0)
+      this.description = options.description;
+    if (options.isSystem !== void 0) this.isSystem = options.isSystem;
+  }
+  /**
+   * Check if this is a system-wide role
+   */
+  isSystemRole() {
+    return this.tenantId === null || this.tenantId === void 0;
+  }
+  /**
+   * Check if this is a tenant-specific role
+   */
+  isTenantRole() {
+    return this.tenantId !== null && this.tenantId !== void 0;
+  }
+  /**
+   * Check if this role can be deleted.
+   * System roles (isSystem = true) cannot be deleted.
+   * @returns true if the role can be deleted
+   */
+  canDelete() {
+    return !this.isSystem;
+  }
+  /**
+   * Delete guard - prevents deletion of system roles.
+   * Override the delete method to check isSystem flag first.
+   */
+  async delete() {
+    if (this.isSystem) {
+      throw new Error(
+        `Cannot delete system role '${this.slug}'. System roles are protected.`
+      );
+    }
+    return super.delete();
+  }
+};
+__decorateClass([
+  foreignKey("Tenant", { nullable: true })
+], Role.prototype, "tenantId", 2);
+Role = __decorateClass([
+  smrt({
+    // #1400: read-only generated surface — RBAC/identity writes go through
+    // permission-gated services, not auth-only generated CRUD.
+    api: { include: ["list", "get"] },
+    mcp: { include: ["list", "get"] },
+    cli: true
+  })
+], Role);
+class RoleCollection extends SmrtCollection {
+  static _itemClass = Role;
+  /**
+   * Find all system roles (tenantId is null)
+   */
+  async findSystemRoles() {
+    return await this.query(
+      `SELECT * FROM ${this.tableName} WHERE tenant_id IS NULL ORDER BY name ASC`
+    );
+  }
+  /**
+   * Find roles available for a tenant (system + tenant-specific)
+   */
+  async findByTenant(tenantId) {
+    return await this.query(
+      `SELECT * FROM ${this.tableName}
+       WHERE tenant_id IS NULL OR tenant_id = ?
+       ORDER BY is_system DESC, name ASC`,
+      [tenantId]
+    );
+  }
+  /**
+   * Find tenant-specific roles only
+   */
+  async findTenantRoles(tenantId) {
+    return await this.list({
+      where: { tenantId },
+      orderBy: "name ASC"
+    });
+  }
+  /**
+   * Find role by slug within a tenant context
+   */
+  async findBySlug(slug, tenantId) {
+    if (tenantId) {
+      const tenantRoles = await this.list({
+        where: { slug, tenantId },
+        limit: 1
+      });
+      if (tenantRoles.length > 0) {
+        return tenantRoles[0];
+      }
+    }
+    const systemRoles = await this.query(
+      `SELECT * FROM ${this.tableName} WHERE slug = ? AND tenant_id IS NULL LIMIT 1`,
+      [slug]
+    );
+    return systemRoles.length > 0 ? systemRoles[0] : null;
+  }
+  /**
+   * Seed default system roles
+   */
+  async seedSystemRoles() {
+    const roles = [];
+    for (const roleDef of DEFAULT_ROLES) {
+      const existing = await this.findBySlug(roleDef.slug);
+      if (existing) {
+        roles.push(existing);
+        continue;
+      }
+      const role = await this.create({
+        slug: roleDef.slug,
+        name: roleDef.name,
+        description: roleDef.description,
+        tenantId: null,
+        isSystem: true
+      });
+      await role.save();
+      roles.push(role);
+    }
+    return roles;
+  }
+}
+class MagicLinkError extends Error {
+  constructor(message) {
+    super(message);
+    this.name = "MagicLinkError";
+  }
+}
+class MagicLinkService {
+  tokenCollection;
+  signingKey = null;
+  secret;
+  tokenExpiry;
+  issuer;
+  options;
+  constructor(options) {
+    if (!options.secret) {
+      throw new Error("MagicLinkService requires a secret for token signing");
+    }
+    this.secret = options.secret;
+    this.tokenExpiry = options.tokenExpiry ?? DEFAULT_TOKEN_EXPIRY_SECONDS;
+    this.issuer = options.issuer ?? "smrt:magiclink";
+    this.options = options;
+  }
+  /**
+   * Initialize collections
+   */
+  async initialize() {
+    this.tokenCollection = await UsersMagicLinkTokenCollection.create(
+      this.options
+    );
+  }
+  /**
+   * Derive the HMAC signing key from the secret
+   */
+  async getSigningKey() {
+    if (this.signingKey) return this.signingKey;
+    const encoder = new TextEncoder();
+    const data = encoder.encode(`magiclink:${this.secret}`);
+    const hashBuffer = await crypto.subtle.digest("SHA-256", data);
+    this.signingKey = new Uint8Array(hashBuffer);
+    return this.signingKey;
+  }
+  /**
+   * Generate a magic link token for the given email.
+   *
+   * Stores a nonce in the database for replay protection.
+   * The caller is responsible for emailing the token to the user.
+   */
+  async generate(email) {
+    const { SignJWT } = await import("./chunks/index-DkoYIvIu.js");
+    const key = await this.getSigningKey();
+    const nonce = crypto.randomUUID();
+    const normalizedEmail = normalizeEmail(email);
+    if (!isValidEmail(normalizedEmail)) {
+      throw new MagicLinkError("Invalid email address");
+    }
+    const expiresAt = new Date(Date.now() + this.tokenExpiry * 1e3);
+    await this.tokenCollection.create({
+      nonce,
+      email: normalizedEmail,
+      used: false,
+      expiresAt
+    });
+    const token = await new SignJWT({
+      email: normalizedEmail,
+      nonce
+    }).setProtectedHeader({ alg: "HS256" }).setIssuedAt().setExpirationTime(`${this.tokenExpiry}s`).setIssuer(this.issuer).sign(key);
+    return { token, expiresAt };
+  }
+  /**
+   * Verify a magic link token.
+   *
+   * Checks JWT signature, expiry, and that the nonce hasn't been used.
+   * Marks the nonce as used on success (single-use enforcement).
+   *
+   * @throws {MagicLinkError} If the token is invalid, expired, or already used
+   */
+  async verify(token) {
+    const { jwtVerify, errors } = await import("./chunks/index-DkoYIvIu.js");
+    const key = await this.getSigningKey();
+    let payload;
+    try {
+      const result = await jwtVerify(token, key, {
+        issuer: this.issuer
+      });
+      payload = result.payload;
+    } catch (err) {
+      if (err instanceof errors.JWTExpired) {
+        throw new MagicLinkError("Token has expired");
+      }
+      throw new MagicLinkError("Invalid token");
+    }
+    const email = payload.email;
+    const nonce = payload.nonce;
+    if (typeof email !== "string" || typeof nonce !== "string") {
+      throw new MagicLinkError("Invalid token payload");
+    }
+    const claimed = await this.tokenCollection.markUsed(nonce);
+    if (!claimed) {
+      throw new MagicLinkError("Token has already been used or has expired");
+    }
+    return { email: normalizeEmail(email), nonce };
+  }
+  /**
+   * Clean up expired tokens (run periodically)
+   */
+  async cleanupExpiredTokens() {
+    return this.tokenCollection.deleteExpired();
+  }
+  /**
+   * Static factory method
+   */
+  static async create(options) {
+    const service = new MagicLinkService(options);
+    await service.initialize();
+    return service;
+  }
+}
+function getRuntimePermissionRegistrations() {
+  globalThis.__smrtUsersPermissionRegistrations ??= /* @__PURE__ */ new Map();
+  return globalThis.__smrtUsersPermissionRegistrations;
+}
+function toSnakeCase$1(value) {
+  return value.replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/[-\s]+/g, "_").toLowerCase();
+}
+function pluralize(word) {
+  if (word.endsWith("y") && !/[aeiou]y$/i.test(word)) {
+    return `${word.slice(0, -1)}ies`;
+  }
+  if (word.endsWith("s") || word.endsWith("x") || word.endsWith("z") || word.endsWith("ch") || word.endsWith("sh")) {
+    return `${word}es`;
+  }
+  return `${word}s`;
+}
+function deriveCollectionName(className) {
+  return pluralize(toSnakeCase$1(className));
+}
+function humanizeResource(resource) {
+  return resource.replace(/[_-]+/g, " ").replace(/\b\w/g, (char) => char.toUpperCase());
+}
+function capitalize(value) {
+  return `${value[0]?.toUpperCase() ?? ""}${value.slice(1)}`;
+}
+function defaultPermissionName(slug) {
+  const parsed = parsePermissionSlug(slug);
+  if (!parsed.isValid) {
+    return humanizeResource(slug);
+  }
+  return `${capitalize(parsed.action)} ${humanizeResource(parsed.resource)}`;
+}
+function defaultPermissionDescription(slug) {
+  const parsed = parsePermissionSlug(slug);
+  if (!parsed.isValid) {
+    return `Allows ${slug}`;
+  }
+  return `Allows ${parsed.action} access for ${humanizeResource(parsed.resource).toLowerCase()}`;
+}
+function isCollectionManifestEntry(objectDef) {
+  return objectDef?.extends === "SmrtCollection" || objectDef?.extendsTypeArg !== void 0;
+}
+function getPublicCustomMethodNames(methodEntries, standardActions) {
+  return Array.from(
+    new Set(
+      methodEntries.filter(
+        (method) => Boolean(method?.name) && method?.isPublic === true && !standardActions.includes(method.name)
+      ).map((method) => method.name)
+    )
+  );
+}
+function getCustomMethodExposureNames(config, availableCustomMethods) {
+  if (!config || config === false) {
+    return /* @__PURE__ */ new Set();
+  }
+  if (config === true || typeof config !== "object") {
+    return new Set(availableCustomMethods);
+  }
+  const rawInclude = config.include;
+  const include = Array.isArray(rawInclude) ? [...rawInclude] : void 0;
+  const rawExclude = config.exclude;
+  const exclude = Array.isArray(rawExclude) ? [...rawExclude] : [];
+  if (!include) {
+    return new Set(
+      availableCustomMethods.filter(
+        (methodName) => !exclude.includes(methodName)
+      )
+    );
+  }
+  const baseMethods = include.filter(
+    (methodName) => availableCustomMethods.includes(methodName)
+  );
+  return new Set(
+    baseMethods.filter((methodName) => !exclude.includes(methodName))
+  );
+}
+function isOperationEnabled(config, action) {
+  if (config === false) {
+    return false;
+  }
+  if (config && typeof config === "object") {
+    const include = Array.isArray(config.include) ? config.include : void 0;
+    const rawExclude = config.exclude;
+    const exclude = Array.isArray(rawExclude) ? [...rawExclude] : [];
+    if (include && !include.includes(action)) {
+      return false;
+    }
+    if (exclude.includes(action)) {
+      return false;
+    }
+  }
+  return true;
+}
+function normalizePostgresAction(action) {
+  const normalized = action.toUpperCase();
+  if (normalized === "SELECT" || normalized === "INSERT" || normalized === "UPDATE" || normalized === "DELETE") {
+    return normalized;
+  }
+  throw new Error(
+    `Unsupported Postgres permission action '${action}'. Expected SELECT, INSERT, UPDATE, or DELETE.`
+  );
+}
+function normalizeBinding(binding, fallbackPermission) {
+  return {
+    action: normalizePostgresAction(binding.action),
+    permission: binding.permission || fallbackPermission,
+    schemaName: binding.schemaName,
+    tableName: binding.tableName,
+    tenantField: binding.tenantField
+  };
+}
+function mergeStringField(fieldName, existing, incoming, slug) {
+  const existingValue = existing[fieldName];
+  const incomingValue = incoming[fieldName];
+  if (!incomingValue) {
+    return;
+  }
+  if (!existingValue) {
+    existing[fieldName] = incomingValue;
+    return;
+  }
+  if (existingValue !== incomingValue) {
+    throw new Error(
+      `Conflicting permission metadata for '${slug}' field '${fieldName}': '${existingValue}' !== '${incomingValue}'`
+    );
+  }
+}
+function mergeBindings(existing, incoming) {
+  const existingBindings = existing.postgres?.bindings ?? [];
+  const incomingBindings = incoming.postgres?.bindings ?? [];
+  if (incomingBindings.length === 0) {
+    return;
+  }
+  const seen = new Set(
+    existingBindings.map(
+      (binding) => [
+        binding.permission,
+        binding.action,
+        binding.schemaName ?? "",
+        binding.tableName,
+        binding.tenantField ?? ""
+      ].join("|")
+    )
+  );
+  const mergedBindings = [...existingBindings];
+  for (const binding of incomingBindings) {
+    const normalized = normalizeBinding(binding, incoming.slug);
+    const key = [
+      normalized.permission,
+      normalized.action,
+      normalized.schemaName ?? "",
+      normalized.tableName,
+      normalized.tenantField ?? ""
+    ].join("|");
+    if (!seen.has(key)) {
+      seen.add(key);
+      mergedBindings.push(normalized);
+    }
+  }
+  existing.postgres = {
+    bindings: mergedBindings
+  };
+}
+function normalizeDefinition(definition, source) {
+  if (!definition.slug || !isValidPermissionSlug(definition.slug.trim())) {
+    throw new Error(
+      `Invalid permission slug '${definition.slug}'. Expected 'resource.action'.`
+    );
+  }
+  const slug = definition.slug.trim();
+  return {
+    category: definition.category ?? parsePermissionSlug(slug).resource,
+    className: definition.className,
+    collection: definition.collection,
+    description: definition.description ?? defaultPermissionDescription(slug),
+    name: definition.name ?? defaultPermissionName(slug),
+    postgres: definition.postgres?.bindings ? {
+      bindings: definition.postgres.bindings.map(
+        (binding) => normalizeBinding(binding, slug)
+      )
+    } : void 0,
+    qualifiedName: definition.qualifiedName,
+    slug,
+    source
+  };
+}
+function mergeDefinitionSet(current, incomingDefinitions, source) {
+  for (const rawDefinition of incomingDefinitions) {
+    const definition = normalizeDefinition(rawDefinition, source);
+    const existing = current.get(definition.slug);
+    if (!existing) {
+      current.set(definition.slug, definition);
+      continue;
+    }
+    mergeStringField("category", existing, definition, definition.slug);
+    mergeStringField("className", existing, definition, definition.slug);
+    mergeStringField("collection", existing, definition, definition.slug);
+    mergeStringField("description", existing, definition, definition.slug);
+    mergeStringField("name", existing, definition, definition.slug);
+    mergeStringField("qualifiedName", existing, definition, definition.slug);
+    mergeBindings(existing, definition);
+  }
+}
+function registerPermissionDefinitions(definitions) {
+  globalThis.__smrtUsersPermissionRegistrationCounter = (globalThis.__smrtUsersPermissionRegistrationCounter ?? 0) + 1;
+  const registrationId = globalThis.__smrtUsersPermissionRegistrationCounter;
+  getRuntimePermissionRegistrations().set(registrationId, definitions);
+  return () => {
+    getRuntimePermissionRegistrations().delete(registrationId);
+  };
+}
+class PermissionCatalogService {
+  constructor(options = {}) {
+    this.options = options;
+  }
+  options;
+  getUsersConfig() {
+    return getPackageConfig("users", {});
+  }
+  getRuntimePermissionDefinitions() {
+    return Array.from(getRuntimePermissionRegistrations().values()).flat();
+  }
+  getCustomPermissionDefinitions() {
+    return this.getUsersConfig().permissions?.custom ?? [];
+  }
+  getCatalog() {
+    const manifestPermissions = this.getManifestPermissionDefinitions();
+    const customPermissions = this.getCustomPermissionDefinitions();
+    const runtimePermissions = this.getRuntimePermissionDefinitions();
+    const merged = /* @__PURE__ */ new Map();
+    mergeDefinitionSet(merged, manifestPermissions, "manifest");
+    mergeDefinitionSet(merged, customPermissions, "config");
+    mergeDefinitionSet(merged, runtimePermissions, "runtime");
+    return {
+      customPermissions: customPermissions.map(
+        (definition) => normalizeDefinition(definition, "config")
+      ),
+      manifestPermissions: manifestPermissions.map(
+        (definition) => normalizeDefinition(definition, "manifest")
+      ),
+      permissions: Array.from(merged.values()).sort(
+        (left, right) => left.slug.localeCompare(right.slug)
+      ),
+      runtimePermissions: runtimePermissions.map(
+        (definition) => normalizeDefinition(definition, "runtime")
+      )
+    };
+  }
+  async syncPermissionCatalog() {
+    const catalog = this.getCatalog();
+    const permissions = await PermissionCollection.create(this.options);
+    const created = [];
+    const unchanged = [];
+    const updated = [];
+    for (const definition of catalog.permissions) {
+      const existing = await permissions.findBySlug(definition.slug);
+      if (!existing) {
+        const permission = await permissions.create({
+          category: definition.category ?? parsePermissionSlug(definition.slug).resource,
+          description: definition.description ?? "",
+          name: definition.name ?? definition.slug,
+          slug: definition.slug
+        });
+        await permission.save();
+        created.push(definition.slug);
+        continue;
+      }
+      const nextName = definition.name ?? existing.name;
+      const nextDescription = definition.description ?? existing.description;
+      const nextCategory = definition.category ?? existing.category;
+      if (existing.name === nextName && existing.description === nextDescription && existing.category === nextCategory) {
+        unchanged.push(definition.slug);
+        continue;
+      }
+      existing.name = nextName;
+      existing.description = nextDescription;
+      existing.category = nextCategory;
+      await existing.save();
+      updated.push(definition.slug);
+    }
+    return {
+      catalog,
+      created,
+      unchanged,
+      updated
+    };
+  }
+  getManifestPermissionDefinitions() {
+    const standardActions = ["list", "get", "create", "update", "delete"];
+    const definitions = /* @__PURE__ */ new Map();
+    for (const metadata of ObjectRegistry.getAllObjectMetadata()) {
+      const registered = ObjectRegistry.getClassByConstructor(metadata.constructor) ?? ObjectRegistry.getClass(metadata.name);
+      const manifestEntry = registered?.qualifiedName ? findManifestEntryByQualifiedName(registered.qualifiedName) : void 0;
+      if (isCollectionManifestEntry(manifestEntry)) {
+        continue;
+      }
+      const className = metadata.name;
+      const qualifiedName = registered?.qualifiedName;
+      const objectConfig = manifestEntry?.decoratorConfig ?? metadata.config;
+      const rawCollection = objectConfig?.collection;
+      const configuredCollection = typeof rawCollection === "string" && rawCollection.length > 0 ? rawCollection : void 0;
+      const collection = configuredCollection ?? manifestEntry?.collection ?? deriveCollectionName(metadata.name);
+      const readExposed = isOperationEnabled(objectConfig.api, "list") || isOperationEnabled(objectConfig.api, "get") || isOperationEnabled(objectConfig.cli, "list") || isOperationEnabled(objectConfig.cli, "get") || isOperationEnabled(objectConfig.mcp, "list") || isOperationEnabled(objectConfig.mcp, "get");
+      if (readExposed) {
+        definitions.set(`${collection}.read`, {
+          className,
+          collection,
+          qualifiedName,
+          slug: `${collection}.read`
+        });
+      }
+      for (const action of ["create", "update", "delete"]) {
+        const exposed = isOperationEnabled(objectConfig.api, action) || isOperationEnabled(objectConfig.cli, action) || isOperationEnabled(objectConfig.mcp, action);
+        if (!exposed) {
+          continue;
+        }
+        definitions.set(`${collection}.${action}`, {
+          className,
+          collection,
+          qualifiedName,
+          slug: `${collection}.${action}`
+        });
+      }
+      const methodEntries = manifestEntry?.methods ? Object.values(manifestEntry.methods) : Array.from(metadata.methods.values());
+      const publicCustomMethodNames = getPublicCustomMethodNames(
+        methodEntries,
+        standardActions
+      );
+      const customApiMethods = /* @__PURE__ */ new Set();
+      const customCliMethods = getCustomMethodExposureNames(
+        objectConfig.cli,
+        publicCustomMethodNames
+      );
+      const customMcpMethods = getCustomMethodExposureNames(
+        objectConfig.mcp,
+        publicCustomMethodNames
+      );
+      for (const methodName of publicCustomMethodNames) {
+        if (isOperationEnabled(objectConfig.api, methodName)) {
+          customApiMethods.add(methodName);
+        }
+      }
+      const customMethods = /* @__PURE__ */ new Set([
+        ...customApiMethods,
+        ...customCliMethods,
+        ...customMcpMethods
+      ]);
+      for (const methodName of customMethods) {
+        definitions.set(`${collection}.${methodName}`, {
+          className,
+          collection,
+          description: `Allows ${methodName} on ${humanizeResource(collection).toLowerCase()}`,
+          name: `${capitalize(methodName)} ${humanizeResource(collection)}`,
+          qualifiedName,
+          slug: `${collection}.${methodName}`
+        });
+      }
+    }
+    return Array.from(definitions.values()).sort(
+      (left, right) => left.slug.localeCompare(right.slug)
+    );
+  }
+  static create(options = {}) {
+    return new PermissionCatalogService(options);
+  }
+}
+async function syncPermissionCatalog(options = {}) {
+  return PermissionCatalogService.create(options).syncPermissionCatalog();
+}
+function toSnakeCase(value) {
+  return value.replace(/([a-z0-9])([A-Z])/g, "$1_$2").replace(/[-\s]+/g, "_").toLowerCase();
+}
+function quoteIdent(identifier) {
+  return `"${identifier.replaceAll('"', '""')}"`;
+}
+function quoteLiteral(value) {
+  return `'${value.replaceAll("'", "''")}'`;
+}
+function isProbablyPostgres(configDb, database) {
+  if (configDb && typeof configDb === "object" && !("query" in configDb) && "type" in configDb && configDb.type === "postgres") {
+    return true;
+  }
+  if (typeof database.url === "string" && database.url.startsWith("postgres")) {
+    return true;
+  }
+  return (database.constructor?.name || "").toLowerCase().includes("postgres");
+}
+function normalizePostgresPermissionAction(action) {
+  const normalized = action.toUpperCase();
+  if (normalized === "SELECT" || normalized === "INSERT" || normalized === "UPDATE" || normalized === "DELETE") {
+    return normalized;
+  }
+  throw new Error(
+    `Invalid Postgres permission binding action "${action}". Expected one of SELECT, INSERT, UPDATE, DELETE.`
+  );
+}
+function normalizePostgresPermissionBinding(binding, fallbackPermission) {
+  const tableName = binding.tableName?.trim();
+  if (!tableName) {
+    throw new Error(
+      "Postgres permission binding is missing a tableName value."
+    );
+  }
+  const permission = binding.permission ?? fallbackPermission;
+  if (!permission) {
+    throw new Error(
+      "Postgres permission binding is missing a permission value."
+    );
+  }
+  return {
+    action: normalizePostgresPermissionAction(binding.action),
+    permission,
+    schemaName: binding.schemaName,
+    tableName,
+    tenantField: binding.tenantField
+  };
+}
+function parseTableReference(binding) {
+  if (binding.tableName.includes(".")) {
+    const [schemaName, tableName] = binding.tableName.split(".", 2);
+    return {
+      schemaName,
+      tableName
+    };
+  }
+  return {
+    schemaName: binding.schemaName ?? "public",
+    tableName: binding.tableName
+  };
+}
+function buildPolicyName(tableName, action) {
+  const actionSegment = action.toLowerCase();
+  const hash = createHash("sha1").update(`${tableName}:${action}`).digest("hex").slice(0, 8);
+  const sanitizedTable = tableName.replace(/[^a-zA-Z0-9_]+/g, "_").replace(/^_+|_+$/g, "");
+  const prefix = "smrt_";
+  const separatorLength = 2;
+  const maxTableSegmentLength = 63 - prefix.length - actionSegment.length - hash.length - separatorLength;
+  const tableSegment = (sanitizedTable || "table").slice(
+    0,
+    Math.max(maxTableSegmentLength, 1)
+  );
+  return `${prefix}${tableSegment}_${actionSegment}_${hash}`;
+}
+function buildPermissionExpression(permissionSlugs) {
+  if (permissionSlugs.length === 0) {
+    return "FALSE";
+  }
+  return permissionSlugs.map((permission) => `smrt_has_permission(${quoteLiteral(permission)})`).join(" OR ");
+}
+function buildTenantMatchExpression(tenantField) {
+  return `${quoteIdent(tenantField)}::text = smrt_current_tenant_id()`;
+}
+function buildSelectPolicySql(target, permissions) {
+  const qualifiedTable = `${quoteIdent(target.schemaName)}.${quoteIdent(target.tableName)}`;
+  const policyName = buildPolicyName(target.tableName, "SELECT");
+  const condition = `smrt_rls_bypass() OR ((${buildTenantMatchExpression(target.tenantField)}) AND (${buildPermissionExpression(permissions)}))`;
+  return [
+    `DROP POLICY IF EXISTS ${quoteIdent(policyName)} ON ${qualifiedTable}`,
+    `CREATE POLICY ${quoteIdent(policyName)} ON ${qualifiedTable} FOR SELECT USING (${condition})`
+  ];
+}
+function buildInsertPolicySql(target, permissions) {
+  const qualifiedTable = `${quoteIdent(target.schemaName)}.${quoteIdent(target.tableName)}`;
+  const policyName = buildPolicyName(target.tableName, "INSERT");
+  const condition = `smrt_rls_bypass() OR ((${buildTenantMatchExpression(target.tenantField)}) AND (${buildPermissionExpression(permissions)}))`;
+  return [
+    `DROP POLICY IF EXISTS ${quoteIdent(policyName)} ON ${qualifiedTable}`,
+    `CREATE POLICY ${quoteIdent(policyName)} ON ${qualifiedTable} FOR INSERT WITH CHECK (${condition})`
+  ];
+}
+function buildUpdatePolicySql(target, permissions) {
+  const qualifiedTable = `${quoteIdent(target.schemaName)}.${quoteIdent(target.tableName)}`;
+  const policyName = buildPolicyName(target.tableName, "UPDATE");
+  const condition = `smrt_rls_bypass() OR ((${buildTenantMatchExpression(target.tenantField)}) AND (${buildPermissionExpression(permissions)}))`;
+  return [
+    `DROP POLICY IF EXISTS ${quoteIdent(policyName)} ON ${qualifiedTable}`,
+    `CREATE POLICY ${quoteIdent(policyName)} ON ${qualifiedTable} FOR UPDATE USING (${condition}) WITH CHECK (${condition})`
+  ];
+}
+function buildDeletePolicySql(target, permissions) {
+  const qualifiedTable = `${quoteIdent(target.schemaName)}.${quoteIdent(target.tableName)}`;
+  const policyName = buildPolicyName(target.tableName, "DELETE");
+  const condition = `smrt_rls_bypass() OR ((${buildTenantMatchExpression(target.tenantField)}) AND (${buildPermissionExpression(permissions)}))`;
+  return [
+    `DROP POLICY IF EXISTS ${quoteIdent(policyName)} ON ${qualifiedTable}`,
+    `CREATE POLICY ${quoteIdent(policyName)} ON ${qualifiedTable} FOR DELETE USING (${condition})`
+  ];
+}
+function buildHelperStatements() {
+  return [
+    [
+      "CREATE OR REPLACE FUNCTION smrt_rls_bypass()",
+      "RETURNS boolean",
+      "LANGUAGE sql",
+      "STABLE",
+      "AS $$",
+      "  SELECT COALESCE(NULLIF(current_setting('smrt.system_context', true), ''), 'false')::boolean",
+      "      OR COALESCE(NULLIF(current_setting('smrt.super_admin_bypass', true), ''), 'false')::boolean",
+      "$$"
+    ].join("\n"),
+    [
+      "CREATE OR REPLACE FUNCTION smrt_current_tenant_id()",
+      "RETURNS text",
+      "LANGUAGE sql",
+      "STABLE",
+      "AS $$",
+      "  SELECT NULLIF(current_setting('smrt.tenant_id', true), '')",
+      "$$"
+    ].join("\n"),
+    [
+      "CREATE OR REPLACE FUNCTION smrt_has_permission(required_permission text)",
+      "RETURNS boolean",
+      "LANGUAGE sql",
+      "STABLE",
+      "AS $$",
+      "  SELECT smrt_rls_bypass()",
+      "      OR jsonb_exists(COALESCE(NULLIF(current_setting('smrt.permissions', true), ''), '[]')::jsonb, required_permission)",
+      "$$"
+    ].join("\n")
+  ];
+}
+function addBindingToTarget(targets, binding, source = {}) {
+  const { schemaName, tableName } = parseTableReference(binding);
+  const targetKey = `${schemaName}.${tableName}`;
+  const existing = targets.get(targetKey);
+  const tenantField = binding.tenantField ?? "tenant_id";
+  if (existing && existing.tenantField !== tenantField) {
+    throw new Error(
+      `Conflicting tenant fields for table '${targetKey}': '${existing.tenantField}' !== '${tenantField}'`
+    );
+  }
+  const target = existing ?? {
+    actions: /* @__PURE__ */ new Map(),
+    ...source,
+    schemaName,
+    tableName,
+    tenantField
+  };
+  const action = normalizePostgresPermissionAction(binding.action);
+  const permissions = target.actions.get(action) ?? /* @__PURE__ */ new Set();
+  if (binding.permission) {
+    permissions.add(binding.permission);
+  }
+  target.actions.set(action, permissions);
+  targets.set(targetKey, target);
+}
+function generatePostgresPermissionSql(options = {}) {
+  const catalogService = PermissionCatalogService.create(options);
+  const catalog = catalogService.getCatalog();
+  const config = catalogService.getUsersConfig();
+  const candidateTargets = /* @__PURE__ */ new Map();
+  const skipped = [];
+  const autoCandidates = /* @__PURE__ */ new Map();
+  for (const metadata of ObjectRegistry.getAllObjectMetadata()) {
+    const registered = ObjectRegistry.getClassByConstructor(metadata.constructor) ?? ObjectRegistry.getClass(metadata.name);
+    const tenantScoped = registered?.tenantScopedConfig;
+    const manifestEntry = registered?.qualifiedName ? findManifestEntryByQualifiedName(registered.qualifiedName) : void 0;
+    if (!tenantScoped) {
+      skipped.push({
+        className: metadata.name,
+        qualifiedName: registered?.qualifiedName,
+        reason: "not tenant-scoped"
+      });
+      continue;
+    }
+    if (tenantScoped.mode !== "required") {
+      skipped.push({
+        className: metadata.name,
+        qualifiedName: registered?.qualifiedName,
+        reason: `tenant mode '${tenantScoped.mode}' is not supported for automatic Postgres RLS generation`
+      });
+      continue;
+    }
+    const rawTableName = registered?.schema?.tableName ?? manifestEntry?.schema?.tableName;
+    if (!rawTableName) {
+      skipped.push({
+        className: metadata.name,
+        qualifiedName: registered?.qualifiedName,
+        reason: "no schema table name available"
+      });
+      continue;
+    }
+    const parsedTable = parseTableReference({
+      tableName: rawTableName
+    });
+    const tableKey = `${parsedTable.schemaName}.${parsedTable.tableName}`;
+    const objectConfig = manifestEntry?.decoratorConfig ?? metadata.config;
+    const rawCollection = objectConfig?.collection;
+    const configuredCollection = typeof rawCollection === "string" && rawCollection.length > 0 ? rawCollection : void 0;
+    const collection = configuredCollection ?? manifestEntry?.collection ?? `${toSnakeCase(metadata.name)}s`;
+    const entries = autoCandidates.get(tableKey) ?? [];
+    entries.push({
+      className: metadata.name,
+      collection,
+      qualifiedName: registered?.qualifiedName,
+      schemaName: parsedTable.schemaName,
+      tableName: parsedTable.tableName,
+      tenantField: toSnakeCase(tenantScoped.field)
+    });
+    autoCandidates.set(tableKey, entries);
+  }
+  for (const [tableKey, entries] of autoCandidates) {
+    if (entries.length > 1) {
+      for (const entry2 of entries) {
+        skipped.push({
+          className: entry2.className,
+          collection: entry2.collection,
+          qualifiedName: entry2.qualifiedName,
+          reason: `table '${tableKey}' is shared by multiple objects, so automatic policy generation was skipped`,
+          schemaName: entry2.schemaName,
+          tableName: entry2.tableName
+        });
+      }
+      continue;
+    }
+    const entry = entries[0];
+    addBindingToTarget(
+      candidateTargets,
+      {
+        action: "SELECT",
+        permission: `${entry.collection}.read`,
+        schemaName: entry.schemaName,
+        tableName: entry.tableName,
+        tenantField: entry.tenantField
+      },
+      entry
+    );
+    addBindingToTarget(
+      candidateTargets,
+      {
+        action: "INSERT",
+        permission: `${entry.collection}.create`,
+        schemaName: entry.schemaName,
+        tableName: entry.tableName,
+        tenantField: entry.tenantField
+      },
+      entry
+    );
+    addBindingToTarget(
+      candidateTargets,
+      {
+        action: "UPDATE",
+        permission: `${entry.collection}.update`,
+        schemaName: entry.schemaName,
+        tableName: entry.tableName,
+        tenantField: entry.tenantField
+      },
+      entry
+    );
+    addBindingToTarget(
+      candidateTargets,
+      {
+        action: "DELETE",
+        permission: `${entry.collection}.delete`,
+        schemaName: entry.schemaName,
+        tableName: entry.tableName,
+        tenantField: entry.tenantField
+      },
+      entry
+    );
+  }
+  const explicitBindings = [];
+  for (const definition of catalog.permissions) {
+    for (const binding of definition.postgres?.bindings ?? []) {
+      explicitBindings.push(
+        normalizePostgresPermissionBinding(binding, definition.slug)
+      );
+    }
+  }
+  for (const binding of config.permissions?.postgres?.bindings ?? []) {
+    explicitBindings.push(normalizePostgresPermissionBinding(binding));
+  }
+  for (const binding of explicitBindings) {
+    addBindingToTarget(candidateTargets, binding);
+  }
+  const statements = [...buildHelperStatements()];
+  const targets = Array.from(candidateTargets.values()).sort(
+    (left, right) => `${left.schemaName}.${left.tableName}`.localeCompare(
+      `${right.schemaName}.${right.tableName}`
+    )
+  ).map((target) => ({
+    actions: Object.fromEntries(
+      Array.from(target.actions.entries()).map(([action, permissions]) => [
+        action,
+        Array.from(permissions).sort()
+      ])
+    ),
+    className: target.className,
+    collection: target.collection,
+    qualifiedName: target.qualifiedName,
+    schemaName: target.schemaName,
+    tableName: target.tableName,
+    tenantField: target.tenantField
+  }));
+  for (const target of Array.from(candidateTargets.values())) {
+    const qualifiedTable = `${quoteIdent(target.schemaName)}.${quoteIdent(target.tableName)}`;
+    statements.push(`ALTER TABLE ${qualifiedTable} ENABLE ROW LEVEL SECURITY`);
+    statements.push(`ALTER TABLE ${qualifiedTable} FORCE ROW LEVEL SECURITY`);
+    const selectPermissions = Array.from(
+      target.actions.get("SELECT") ?? []
+    ).sort();
+    const insertPermissions = Array.from(
+      target.actions.get("INSERT") ?? []
+    ).sort();
+    const updatePermissions = Array.from(
+      target.actions.get("UPDATE") ?? []
+    ).sort();
+    const deletePermissions = Array.from(
+      target.actions.get("DELETE") ?? []
+    ).sort();
+    if (selectPermissions.length > 0) {
+      statements.push(...buildSelectPolicySql(target, selectPermissions));
+    }
+    if (insertPermissions.length > 0) {
+      statements.push(...buildInsertPolicySql(target, insertPermissions));
+    }
+    if (updatePermissions.length > 0) {
+      statements.push(...buildUpdatePolicySql(target, updatePermissions));
+    }
+    if (deletePermissions.length > 0) {
+      statements.push(...buildDeletePolicySql(target, deletePermissions));
+    }
+  }
+  return {
+    bindings: explicitBindings,
+    skipped,
+    sql: `${statements.join(";\n")};
+`,
+    statements,
+    targets
+  };
+}
+async function applyPostgresPermissionPolicies(options = {}) {
+  const permissions = await PermissionCollection.create(options);
+  const databaseOptions = options.db ?? options.persistence;
+  if (!isProbablyPostgres(databaseOptions, permissions.db)) {
+    throw new Error(
+      "applyPostgresPermissionPolicies() requires a Postgres database connection."
+    );
+  }
+  const result = generatePostgresPermissionSql(options);
+  for (const statement of result.statements) {
+    try {
+      await permissions.db.query(statement);
+    } catch (error) {
+      throw new Error(
+        `Failed to apply Postgres permission policy statement:
+${statement}`,
+        {
+          cause: error
+        }
+      );
+    }
+  }
+  return result;
+}
+class TenantService {
+  options;
+  policy;
+  tenantCollection;
+  membershipCollection;
+  roleCollection;
+  constructor(options, policy) {
+    this.options = options;
+    this.policy = policy ?? DEFAULT_TENANT_POLICY;
+  }
+  /**
+   * Initialize collections
+   */
+  async initialize() {
+    this.tenantCollection = await TenantCollection.create(
+      this.options
+    );
+    this.membershipCollection = await MembershipCollection.create(
+      this.options
+    );
+    this.roleCollection = await RoleCollection.create(this.options);
+    await this.roleCollection.seedSystemRoles();
+  }
+  /**
+   * Get the current policy
+   */
+  getPolicy() {
+    return { ...this.policy };
+  }
+  /**
+   * Create a tenant and make the user the owner
+   *
+   * @param userId - The user to make owner
+   * @param name - Tenant name
+   * @param options - Optional slug override
+   * @returns The created tenant and membership
+   */
+  async createTenantWithOwnership(userId, name, options) {
+    if (!await this.canCreateTenant(userId)) {
+      throw new Error(
+        `User has reached maximum tenant limit (${this.policy.maxTenants})`
+      );
+    }
+    const tenant = await this.tenantCollection.create({
+      name,
+      slug: options?.slug
+    });
+    await tenant.save();
+    const ownerRole = await this.roleCollection.findBySlug(
+      DEFAULT_ROLE_SLUGS.OWNER
+    );
+    if (!ownerRole) {
+      throw new Error("Owner role not found - run seedSystemRoles first");
+    }
+    const membership = await this.membershipCollection.create({
+      userId,
+      tenantId: tenant.id,
+      roleId: ownerRole.id,
+      status: MembershipStatus.ACTIVE
+    });
+    await membership.save();
+    return { tenant, membership };
+  }
+  /**
+   * Check if a user can create a new tenant
+   *
+   * Returns false if maxTenants limit is reached (0 = unlimited)
+   */
+  async canCreateTenant(userId) {
+    if (this.policy.maxTenants === 0) {
+      return true;
+    }
+    const ownerRole = await this.roleCollection.findBySlug(
+      DEFAULT_ROLE_SLUGS.OWNER
+    );
+    if (!ownerRole) {
+      return false;
+    }
+    const memberships = await this.membershipCollection.findActiveByUser(userId);
+    const ownedCount = memberships.filter(
+      (m2) => m2.roleId === ownerRole.id
+    ).length;
+    return ownedCount < this.policy.maxTenants;
+  }
+  /**
+   * Get a specific error message explaining why a tenant cannot be deleted.
+   *
+   * @returns Error message if deletion is not allowed, or null if allowed.
+   */
+  async getDeleteTenantError(userId, tenantId) {
+    const membership = await this.membershipCollection.findByUserAndTenant(
+      userId,
+      tenantId
+    );
+    if (!membership || membership.status !== MembershipStatus.ACTIVE) {
+      return "You are not a member of this tenant or it does not exist.";
+    }
+    const ownerRole = await this.roleCollection.findBySlug(
+      DEFAULT_ROLE_SLUGS.OWNER
+    );
+    if (!ownerRole) {
+      return "Owner role is not configured. Cannot determine deletion permissions.";
+    }
+    if (membership.roleId !== ownerRole.id) {
+      return "Only the tenant owner can delete this tenant.";
+    }
+    if (this.policy.mode === "required") {
+      const allMemberships = await this.membershipCollection.findActiveByUser(userId);
+      const ownerMemberships = allMemberships.filter(
+        (m2) => m2.roleId === ownerRole.id
+      );
+      if (ownerMemberships.length <= 1) {
+        return "Cannot delete your last tenant. Policy requires at least one tenant.";
+      }
+    }
+    return null;
+  }
+  /**
+   * Check if a user can delete a specific tenant
+   *
+   * Returns false if:
+   * - User is not an active member
+   * - User is not the owner
+   * - Policy is 'required' and this is the last tenant
+   */
+  async canDeleteTenant(userId, tenantId) {
+    const error = await this.getDeleteTenantError(userId, tenantId);
+    return error === null;
+  }
+  /**
+   * Delete a tenant
+   *
+   * Note: This does not cascade delete related records (memberships, etc.).
+   * The caller should handle cleanup of related data if needed.
+   *
+   * @throws Error if user cannot delete the tenant (with specific reason)
+   */
+  async deleteTenant(userId, tenantId) {
+    const error = await this.getDeleteTenantError(userId, tenantId);
+    if (error) {
+      throw new Error(error);
+    }
+    const tenant = await this.tenantCollection.get(tenantId);
+    if (tenant) {
+      await tenant.delete();
+    }
+  }
+  /**
+   * Ensure a tenant exists for the user based on policy
+   *
+   * Called during OIDC login to apply tenant policy:
+   * - `flexible`: Returns first existing tenant or null (no auto-create)
+   * - `personal`/`required`: Creates default tenant if none exists
+   *
+   * @param userId - The user ID
+   * @param userInfo - User info for naming the auto-created tenant
+   * @returns Tenant and membership (may be null in flexible mode)
+   */
+  async ensureTenantForUser(userId, userInfo) {
+    const memberships = await this.membershipCollection.findActiveByUser(userId);
+    if (memberships.length > 0) {
+      const firstMembership = memberships[0];
+      const tenant2 = await this.tenantCollection.get(
+        firstMembership.tenantId
+      );
+      return {
+        tenant: tenant2 ?? null,
+        membership: firstMembership,
+        created: false
+      };
+    }
+    if (this.policy.mode === "flexible") {
+      return {
+        tenant: null,
+        membership: null,
+        created: false
+      };
+    }
+    const tenantName = userInfo.name ? `${userInfo.name}'s Workspace` : this.policy.defaultName;
+    const { tenant, membership } = await this.createTenantWithOwnership(
+      userId,
+      tenantName
+    );
+    return {
+      tenant,
+      membership,
+      created: true
+    };
+  }
+  /**
+   * Get all tenants for a user (where they are owner)
+   */
+  async getOwnedTenants(userId) {
+    const ownerRole = await this.roleCollection.findBySlug(
+      DEFAULT_ROLE_SLUGS.OWNER
+    );
+    if (!ownerRole) {
+      return [];
+    }
+    const memberships = await this.membershipCollection.findActiveByUser(userId);
+    const ownerMemberships = memberships.filter(
+      (m2) => m2.roleId === ownerRole.id
+    );
+    const tenantPromises = ownerMemberships.map(
+      (m2) => this.tenantCollection.get(m2.tenantId)
+    );
+    const tenantsOrNull = await Promise.all(tenantPromises);
+    return tenantsOrNull.filter((tenant) => tenant !== null);
+  }
+  /**
+   * Static factory method
+   */
+  static async create(options, policy) {
+    const service = new TenantService(options, policy);
+    await service.initialize();
+    return service;
+  }
+}
+export {
+  U as CliAuthRequest,
+  d as CliAuthRequestCollection,
+  e as DEFAULT_CLI_AUTH_POLL_INTERVAL_SECONDS,
+  f as DEFAULT_CLI_AUTH_REQUEST_TTL_SECONDS,
+  g as DEFAULT_CLI_SESSION_TTL_SECONDS,
+  DEFAULT_ROLES,
+  DEFAULT_ROLE_SLUGS,
+  h as DEFAULT_SESSION_TTL,
+  DEFAULT_TENANT_POLICY,
+  DEFAULT_TOKEN_EXPIRY_SECONDS,
+  Group,
+  GroupCollection,
+  G as GroupMember,
+  j as GroupMemberCollection,
+  k as GroupRole,
+  l as GroupRoleCollection,
+  m as MAX_TENANT_HIERARCHY_DEPTH,
+  MagicLinkError,
+  MagicLinkService,
+  UsersMagicLinkToken as MagicLinkToken,
+  UsersMagicLinkTokenCollection as MagicLinkTokenCollection,
+  o as Membership,
+  MembershipCollection,
+  q as MembershipOverride,
+  r as MembershipOverrideCollection,
+  MembershipStatus2 as MembershipStatus,
+  O as OidcLoginError,
+  s as OidcLoginService,
+  OverrideEffect,
+  t as Permission,
+  PermissionCatalogService,
+  PermissionCollection,
+  u as PermissionResolver,
+  Role,
+  RoleCollection,
+  R as RolePermission,
+  v as RolePermissionCollection,
+  S as Session,
+  w as SessionCollection,
+  x as SessionService,
+  SessionStatus,
+  y as Tenant,
+  TenantCollection,
+  z as TenantHierarchyError,
+  TenantPermissionEffect,
+  A as TenantPermissionOverride,
+  B as TenantPermissionOverrideCollection,
+  TenantService,
+  TenantStatus,
+  C as TerminalAuthError,
+  E as TerminalAuthRateLimitError,
+  F as TerminalAuthService,
+  H as User,
+  I as UserCollection,
+  UserStatus,
+  U2 as UsersCliAuthRequest,
+  d2 as UsersCliAuthRequestCollection,
+  UsersMagicLinkToken,
+  UsersMagicLinkTokenCollection,
+  applyPostgresPermissionPolicies,
+  J as decodeOidcTransaction,
+  K as encodeOidcTransaction,
+  generatePostgresPermissionSql,
+  L as generateSessionId,
+  N as getCurrentSessionPermissionContext,
+  Q as getRequestScopedDatabase,
+  V as getUsersOidcConfig,
+  registerPermissionDefinitions,
+  W as resolveOidcProviderConfig,
+  syncPermissionCatalog,
+  X as withSessionPermissionContext
+};
+//# sourceMappingURL=index.js.map