@lenne.tech/nest-server 11.20.1 → 11.21.1

package/dist/core/modules/tenant/core-tenant.enums.js

@@ -0,0 +1,25 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DefaultHR = exports.DEFAULT_ROLE_HIERARCHY = exports.TenantMemberStatus = exports.TENANT_MEMBER_MODEL_TOKEN = void 0;
+exports.createHierarchyRoles = createHierarchyRoles;
+exports.TENANT_MEMBER_MODEL_TOKEN = 'TenantMember';
+var TenantMemberStatus;
+(function (TenantMemberStatus) {
+    TenantMemberStatus["ACTIVE"] = "ACTIVE";
+    TenantMemberStatus["INVITED"] = "INVITED";
+    TenantMemberStatus["SUSPENDED"] = "SUSPENDED";
+})(TenantMemberStatus || (exports.TenantMemberStatus = TenantMemberStatus = {}));
+exports.DEFAULT_ROLE_HIERARCHY = {
+    member: 1,
+    manager: 2,
+    owner: 3,
+};
+function createHierarchyRoles(hierarchy) {
+    const result = {};
+    for (const key of Object.keys(hierarchy)) {
+        result[key.toUpperCase()] = key;
+    }
+    return result;
+}
+exports.DefaultHR = createHierarchyRoles(exports.DEFAULT_ROLE_HIERARCHY);
+//# sourceMappingURL=core-tenant.enums.js.map

package/dist/core/modules/tenant/core-tenant.enums.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"core-tenant.enums.js","sourceRoot":"","sources":["../../../../src/core/modules/tenant/core-tenant.enums.ts"],"names":[],"mappings":";;;AAuDA,oDAQC;AA3DY,QAAA,yBAAyB,GAAG,cAAc,CAAC;AAKxD,IAAY,kBAKX;AALD,WAAY,kBAAkB;IAC5B,uCAAiB,CAAA;IAEjB,yCAAmB,CAAA;IACnB,6CAAuB,CAAA;AACzB,CAAC,EALW,kBAAkB,kCAAlB,kBAAkB,QAK7B;AAmBY,QAAA,sBAAsB,GAA2B;IAC5D,MAAM,EAAE,CAAC;IACT,OAAO,EAAE,CAAC;IACV,KAAK,EAAE,CAAC;CACT,CAAC;AAkBF,SAAgB,oBAAoB,CAClC,SAAY;IAEZ,MAAM,MAAM,GAAG,EAAS,CAAC;IACzB,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;QACzC,MAAM,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,GAAG,GAAG,CAAC;IAClC,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAaY,QAAA,SAAS,GAAG,oBAAoB,CAAC,8BAAsB,CAAC,CAAC"}

package/dist/core/modules/tenant/core-tenant.guard.d.ts

@@ -0,0 +1,25 @@
+import { CanActivate, ExecutionContext, OnModuleDestroy } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+import { Model } from 'mongoose';
+import { CoreTenantMemberModel } from './core-tenant-member.model';
+export declare class CoreTenantGuard implements CanActivate, OnModuleDestroy {
+    private readonly reflector;
+    private readonly memberModel;
+    private readonly logger;
+    private readonly membershipCache;
+    private readonly tenantIdsCache;
+    private cacheTtlMs;
+    private static readonly MAX_CACHE_SIZE;
+    private cleanupInterval;
+    private lastSeenConfig;
+    constructor(reflector: Reflector, memberModel: Model<CoreTenantMemberModel>);
+    onModuleDestroy(): void;
+    invalidateUser(userId: string): void;
+    invalidateAll(): void;
+    canActivate(context: ExecutionContext): Promise<boolean>;
+    private resolveUserTenantIds;
+    private getRequest;
+    private findMembershipCached;
+    private evictIfOverCapacity;
+    private evictExpired;
+}

package/dist/core/modules/tenant/core-tenant.guard.js

@@ -0,0 +1,271 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+var CoreTenantGuard_1;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CoreTenantGuard = void 0;
+const common_1 = require("@nestjs/common");
+const core_1 = require("@nestjs/core");
+const graphql_1 = require("@nestjs/graphql");
+const mongoose_1 = require("@nestjs/mongoose");
+const mongoose_2 = require("mongoose");
+const role_enum_1 = require("../../common/enums/role.enum");
+const config_service_1 = require("../../common/services/config.service");
+const core_tenant_decorators_1 = require("./core-tenant.decorators");
+const core_tenant_enums_1 = require("./core-tenant.enums");
+const core_tenant_helpers_1 = require("./core-tenant.helpers");
+let CoreTenantGuard = class CoreTenantGuard {
+    static { CoreTenantGuard_1 = this; }
+    reflector;
+    memberModel;
+    logger = new common_1.Logger(CoreTenantGuard_1.name);
+    membershipCache = new Map();
+    tenantIdsCache = new Map();
+    cacheTtlMs = 30_000;
+    static MAX_CACHE_SIZE = 500;
+    cleanupInterval = null;
+    lastSeenConfig = null;
+    constructor(reflector, memberModel) {
+        this.reflector = reflector;
+        this.memberModel = memberModel;
+        this.cleanupInterval = setInterval(() => this.evictExpired(), 60_000);
+        if (this.cleanupInterval.unref) {
+            this.cleanupInterval.unref();
+        }
+    }
+    onModuleDestroy() {
+        if (this.cleanupInterval) {
+            clearInterval(this.cleanupInterval);
+            this.cleanupInterval = null;
+        }
+        this.membershipCache.clear();
+        this.tenantIdsCache.clear();
+    }
+    invalidateUser(userId) {
+        for (const key of this.membershipCache.keys()) {
+            if (key.startsWith(`${userId}:`)) {
+                this.membershipCache.delete(key);
+            }
+        }
+        for (const key of this.tenantIdsCache.keys()) {
+            if (key === userId || key.startsWith(`${userId}:`)) {
+                this.tenantIdsCache.delete(key);
+            }
+        }
+    }
+    invalidateAll() {
+        this.membershipCache.clear();
+        this.tenantIdsCache.clear();
+    }
+    async canActivate(context) {
+        const config = config_service_1.ConfigService.configFastButReadOnly?.multiTenancy;
+        if (!config || config.enabled === false) {
+            return true;
+        }
+        if (this.lastSeenConfig !== config) {
+            this.lastSeenConfig = config;
+            const isTestEnv = process.env.VITEST === 'true' || process.env.NODE_ENV === 'test' || process.env.NODE_ENV === 'e2e';
+            this.cacheTtlMs = config.cacheTtlMs ?? (isTestEnv ? 0 : 30_000);
+            this.invalidateAll();
+        }
+        const request = this.getRequest(context);
+        if (!request) {
+            return true;
+        }
+        const headerName = (config.headerName ?? 'x-tenant-id').toLowerCase();
+        const rawHeader = request.headers?.[headerName];
+        const headerTenantId = rawHeader && typeof rawHeader === 'string' && rawHeader.length <= 128 ? rawHeader.trim() : undefined;
+        const rolesMetadata = this.reflector.getAll('roles', [context.getHandler(), context.getClass()]);
+        const roles = (0, core_tenant_helpers_1.mergeRolesMetadata)(rolesMetadata);
+        const user = request.user;
+        const adminBypass = config.adminBypass !== false;
+        const isAdmin = adminBypass && user?.roles?.includes(role_enum_1.RoleEnum.ADMIN);
+        const hasNonSystemRoles = roles.some((r) => !(0, core_tenant_helpers_1.isSystemRole)(r));
+        const checkableRoles = hasNonSystemRoles ? roles.filter((r) => !(0, core_tenant_helpers_1.isSystemRole)(r)) : [];
+        const minRequiredLevel = checkableRoles.length > 0 ? (0, core_tenant_helpers_1.getMinRequiredLevel)(checkableRoles) : undefined;
+        const skipTenantCheck = this.reflector.getAllAndOverride(core_tenant_decorators_1.SKIP_TENANT_CHECK_KEY, [
+            context.getHandler(),
+            context.getClass(),
+        ]);
+        if (skipTenantCheck) {
+            if (checkableRoles.length > 0 && user) {
+                if (!isAdmin && !(0, core_tenant_helpers_1.checkRoleAccess)(checkableRoles, user.roles, undefined)) {
+                    throw new common_1.ForbiddenException('Insufficient role');
+                }
+            }
+            return true;
+        }
+        if (headerTenantId) {
+            if (isAdmin) {
+                request.tenantId = headerTenantId;
+                request.isAdminBypass = true;
+                const requiredRole = checkableRoles.length > 0 ? checkableRoles.join(',') : 'none';
+                this.logger.log(`Admin bypass: user ${user.id} accessing tenant ${headerTenantId} (required: ${requiredRole})`);
+                return true;
+            }
+            if (!user) {
+                throw new common_1.ForbiddenException('Authentication required for tenant access');
+            }
+            const membership = await this.findMembershipCached(user.id, headerTenantId);
+            if (!membership) {
+                throw new common_1.ForbiddenException('Not a member of this tenant');
+            }
+            const memberRole = membership.role;
+            if (checkableRoles.length > 0) {
+                if (!(0, core_tenant_helpers_1.checkRoleAccess)(checkableRoles, undefined, memberRole)) {
+                    throw new common_1.ForbiddenException('Insufficient tenant role');
+                }
+            }
+            request.tenantId = headerTenantId;
+            request.tenantRole = memberRole;
+            return true;
+        }
+        if (isAdmin) {
+            request.isAdminBypass = true;
+            return true;
+        }
+        if (checkableRoles.length > 0) {
+            if (!user) {
+                throw new common_1.ForbiddenException('Authentication required');
+            }
+            if (!(0, core_tenant_helpers_1.checkRoleAccess)(checkableRoles, user.roles, undefined)) {
+                throw new common_1.ForbiddenException('Insufficient role');
+            }
+            await this.resolveUserTenantIds(request, minRequiredLevel);
+            return true;
+        }
+        if (user) {
+            await this.resolveUserTenantIds(request);
+        }
+        return true;
+    }
+    async resolveUserTenantIds(request, minLevel) {
+        if (request.tenantIds) {
+            return;
+        }
+        const userId = request.user.id;
+        const ttl = this.cacheTtlMs;
+        if (ttl > 0) {
+            const cacheKey = minLevel !== undefined ? `${userId}:${minLevel}` : userId;
+            const now = Date.now();
+            const cached = this.tenantIdsCache.get(cacheKey);
+            if (cached && now < cached.expiresAt) {
+                request.tenantIds = cached.ids;
+                return;
+            }
+        }
+        const memberships = await this.memberModel
+            .find({
+            status: core_tenant_enums_1.TenantMemberStatus.ACTIVE,
+            user: userId,
+        })
+            .select('tenant role')
+            .lean()
+            .exec();
+        let ids;
+        if (minLevel !== undefined) {
+            const hierarchy = (0, core_tenant_helpers_1.getRoleHierarchy)();
+            ids = memberships
+                .filter((m) => {
+                const level = hierarchy[m.role] ?? 0;
+                return level >= minLevel;
+            })
+                .map((m) => m.tenant);
+        }
+        else {
+            ids = memberships.map((m) => m.tenant);
+        }
+        request.tenantIds = ids;
+        if (ttl > 0) {
+            const cacheKey = minLevel !== undefined ? `${userId}:${minLevel}` : userId;
+            this.evictIfOverCapacity(this.tenantIdsCache);
+            this.tenantIdsCache.set(cacheKey, { expiresAt: Date.now() + ttl, ids });
+        }
+    }
+    getRequest(context) {
+        if (context.getType() === 'graphql') {
+            const ctx = graphql_1.GqlExecutionContext.create(context);
+            return ctx.getContext()?.req;
+        }
+        try {
+            return context.switchToHttp().getRequest();
+        }
+        catch {
+            return null;
+        }
+    }
+    async findMembershipCached(userId, tenantId) {
+        const ttl = this.cacheTtlMs;
+        if (ttl <= 0) {
+            return this.memberModel
+                .findOne({ status: core_tenant_enums_1.TenantMemberStatus.ACTIVE, tenant: tenantId, user: userId })
+                .lean()
+                .exec();
+        }
+        const key = `${userId}:${tenantId}`;
+        const now = Date.now();
+        const cached = this.membershipCache.get(key);
+        if (cached && now < cached.expiresAt) {
+            return cached.result;
+        }
+        const result = (await this.memberModel
+            .findOne({
+            status: core_tenant_enums_1.TenantMemberStatus.ACTIVE,
+            tenant: tenantId,
+            user: userId,
+        })
+            .lean()
+            .exec());
+        if (result) {
+            this.evictIfOverCapacity(this.membershipCache);
+            this.membershipCache.set(key, { expiresAt: now + ttl, result });
+        }
+        else {
+            this.membershipCache.delete(key);
+        }
+        return result;
+    }
+    evictIfOverCapacity(cache) {
+        if (cache.size >= CoreTenantGuard_1.MAX_CACHE_SIZE) {
+            const deleteCount = Math.max(1, Math.floor(CoreTenantGuard_1.MAX_CACHE_SIZE * 0.1));
+            let deleted = 0;
+            for (const key of cache.keys()) {
+                if (deleted >= deleteCount)
+                    break;
+                cache.delete(key);
+                deleted++;
+            }
+        }
+    }
+    evictExpired() {
+        const now = Date.now();
+        for (const [key, entry] of this.membershipCache.entries()) {
+            if (now >= entry.expiresAt) {
+                this.membershipCache.delete(key);
+            }
+        }
+        for (const [key, entry] of this.tenantIdsCache.entries()) {
+            if (now >= entry.expiresAt) {
+                this.tenantIdsCache.delete(key);
+            }
+        }
+    }
+};
+exports.CoreTenantGuard = CoreTenantGuard;
+exports.CoreTenantGuard = CoreTenantGuard = CoreTenantGuard_1 = __decorate([
+    (0, common_1.Injectable)(),
+    __param(1, (0, mongoose_1.InjectModel)(core_tenant_enums_1.TENANT_MEMBER_MODEL_TOKEN)),
+    __metadata("design:paramtypes", [core_1.Reflector,
+        mongoose_2.Model])
+], CoreTenantGuard);
+//# sourceMappingURL=core-tenant.guard.js.map

package/dist/core/modules/tenant/core-tenant.guard.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"core-tenant.guard.js","sourceRoot":"","sources":["../../../../src/core/modules/tenant/core-tenant.guard.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,2CAAwH;AACxH,uCAAyC;AACzC,6CAAsE;AACtE,+CAA+C;AAC/C,uCAAiC;AAEjC,4DAAwD;AACxD,yEAAqE;AAErE,qEAAiE;AACjE,2DAAoF;AACpF,+DAM+B;AA2DxB,IAAM,eAAe,GAArB,MAAM,eAAe;;IA0BP;IACwC;IA1B1C,MAAM,GAAG,IAAI,eAAM,CAAC,iBAAe,CAAC,IAAI,CAAC,CAAC;IAO1C,eAAe,GAAG,IAAI,GAAG,EAA4B,CAAC;IAMtD,cAAc,GAAG,IAAI,GAAG,EAA2B,CAAC;IAG7D,UAAU,GAAW,MAAM,CAAC;IAE5B,MAAM,CAAU,cAAc,GAAG,GAAG,CAAC;IAErC,eAAe,GAA0B,IAAI,CAAC;IAE9C,cAAc,GAAkB,IAAI,CAAC;IAE7C,YACmB,SAAoB,EACoB,WAAyC;QADjF,cAAS,GAAT,SAAS,CAAW;QACoB,gBAAW,GAAX,WAAW,CAA8B;QAGlG,IAAI,CAAC,eAAe,GAAG,WAAW,CAAC,GAAG,EAAE,CAAC,IAAI,CAAC,YAAY,EAAE,EAAE,MAAM,CAAC,CAAC;QACtE,IAAI,IAAI,CAAC,eAAe,CAAC,KAAK,EAAE,CAAC;YAC/B,IAAI,CAAC,eAAe,CAAC,KAAK,EAAE,CAAC;QAC/B,CAAC;IACH,CAAC;IAED,eAAe;QACb,IAAI,IAAI,CAAC,eAAe,EAAE,CAAC;YACzB,aAAa,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;YACpC,IAAI,CAAC,eAAe,GAAG,IAAI,CAAC;QAC9B,CAAC;QACD,IAAI,CAAC,eAAe,CAAC,KAAK,EAAE,CAAC;QAC7B,IAAI,CAAC,cAAc,CAAC,KAAK,EAAE,CAAC;IAC9B,CAAC;IAWD,cAAc,CAAC,MAAc;QAC3B,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,eAAe,CAAC,IAAI,EAAE,EAAE,CAAC;YAC9C,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,MAAM,GAAG,CAAC,EAAE,CAAC;gBACjC,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACnC,CAAC;QACH,CAAC;QACD,KAAK,MAAM,GAAG,IAAI,IAAI,CAAC,cAAc,CAAC,IAAI,EAAE,EAAE,CAAC;YAC7C,IAAI,GAAG,KAAK,MAAM,IAAI,GAAG,CAAC,UAAU,CAAC,GAAG,MAAM,GAAG,CAAC,EAAE,CAAC;gBACnD,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAClC,CAAC;QACH,CAAC;IACH,CAAC;IAMD,aAAa;QACX,IAAI,CAAC,eAAe,CAAC,KAAK,EAAE,CAAC;QAC7B,IAAI,CAAC,cAAc,CAAC,KAAK,EAAE,CAAC;IAC9B,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,OAAyB;QACzC,MAAM,MAAM,GAAG,8BAAa,CAAC,qBAAqB,EAAE,YAAY,CAAC;QACjE,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,OAAO,KAAK,KAAK,EAAE,CAAC;YACxC,OAAO,IAAI,CAAC;QACd,CAAC;QAGD,IAAI,IAAI,CAAC,cAAc,KAAK,MAAM,EAAE,CAAC;YACnC,IAAI,CAAC,cAAc,GAAG,MAAM,CAAC;YAE7B,MAAM,SAAS,GACb,OAAO,CAAC,GAAG,CAAC,MAAM,KAAK,MAAM,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,MAAM,IAAI,OAAO,CAAC,GAAG,CAAC,QAAQ,KAAK,KAAK,CAAC;YACrG,IAAI,CAAC,UAAU,GAAG,MAAM,CAAC,UAAU,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;YAChE,IAAI,CAAC,aAAa,EAAE,CAAC;QACvB,CAAC;QAED,MAAM,OAAO,GAAG,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;QACzC,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,IAAI,CAAC;QACd,CAAC;QAGD,MAAM,UAAU,GAAG,CAAC,MAAM,CAAC,UAAU,IAAI,aAAa,CAAC,CAAC,WAAW,EAAE,CAAC;QACtE,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,UAAU,CAAuB,CAAC;QACtE,MAAM,cAAc,GAClB,SAAS,IAAI,OAAO,SAAS,KAAK,QAAQ,IAAI,SAAS,CAAC,MAAM,IAAI,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;QAGvG,MAAM,aAAa,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAa,OAAO,EAAE,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC;QAC7G,MAAM,KAAK,GAAG,IAAA,wCAAkB,EAAC,aAAa,CAAC,CAAC;QAEhD,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;QAC1B,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,KAAK,KAAK,CAAC;QACjD,MAAM,OAAO,GAAG,WAAW,IAAI,IAAI,EAAE,KAAK,EAAE,QAAQ,CAAC,oBAAQ,CAAC,KAAK,CAAC,CAAC;QAGrE,MAAM,iBAAiB,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAA,kCAAY,EAAC,CAAC,CAAC,CAAC,CAAC;QAC9D,MAAM,cAAc,GAAG,iBAAiB,CAAC,CAAC,CAAC,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAA,kCAAY,EAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,EAAE,CAAC;QACtF,MAAM,gBAAgB,GAAG,cAAc,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,IAAA,yCAAmB,EAAC,cAAc,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QAGrG,MAAM,eAAe,GAAG,IAAI,CAAC,SAAS,CAAC,iBAAiB,CAAU,8CAAqB,EAAE;YACvF,OAAO,CAAC,UAAU,EAAE;YACpB,OAAO,CAAC,QAAQ,EAAE;SACnB,CAAC,CAAC;QACH,IAAI,eAAe,EAAE,CAAC;YACpB,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC;gBACtC,IAAI,CAAC,OAAO,IAAI,CAAC,IAAA,qCAAe,EAAC,cAAc,EAAE,IAAI,CAAC,KAAK,EAAE,SAAS,CAAC,EAAE,CAAC;oBACxE,MAAM,IAAI,2BAAkB,CAAC,mBAAmB,CAAC,CAAC;gBACpD,CAAC;YACH,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC;QAGD,IAAI,cAAc,EAAE,CAAC;YAGnB,IAAI,OAAO,EAAE,CAAC;gBACZ,OAAO,CAAC,QAAQ,GAAG,cAAc,CAAC;gBAClC,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC;gBAC7B,MAAM,YAAY,GAAG,cAAc,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;gBACnF,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,sBAAsB,IAAI,CAAC,EAAE,qBAAqB,cAAc,eAAe,YAAY,GAAG,CAAC,CAAC;gBAChH,OAAO,IAAI,CAAC;YACd,CAAC;YAGD,IAAI,CAAC,IAAI,EAAE,CAAC;gBACV,MAAM,IAAI,2BAAkB,CAAC,2CAA2C,CAAC,CAAC;YAC5E,CAAC;YAGD,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,oBAAoB,CAAC,IAAI,CAAC,EAAE,EAAE,cAAc,CAAC,CAAC;YAE5E,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChB,MAAM,IAAI,2BAAkB,CAAC,6BAA6B,CAAC,CAAC;YAC9D,CAAC;YAED,MAAM,UAAU,GAAG,UAAU,CAAC,IAAc,CAAC;YAG7C,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC9B,IAAI,CAAC,IAAA,qCAAe,EAAC,cAAc,EAAE,SAAS,EAAE,UAAU,CAAC,EAAE,CAAC;oBAC5D,MAAM,IAAI,2BAAkB,CAAC,0BAA0B,CAAC,CAAC;gBAC3D,CAAC;YACH,CAAC;YAID,OAAO,CAAC,QAAQ,GAAG,cAAc,CAAC;YAClC,OAAO,CAAC,UAAU,GAAG,UAAU,CAAC;YAChC,OAAO,IAAI,CAAC;QACd,CAAC;QAKD,IAAI,OAAO,EAAE,CAAC;YACZ,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC;YAC7B,OAAO,IAAI,CAAC;QACd,CAAC;QAGD,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAE9B,IAAI,CAAC,IAAI,EAAE,CAAC;gBACV,MAAM,IAAI,2BAAkB,CAAC,yBAAyB,CAAC,CAAC;YAC1D,CAAC;YAGD,IAAI,CAAC,IAAA,qCAAe,EAAC,cAAc,EAAE,IAAI,CAAC,KAAK,EAAE,SAAS,CAAC,EAAE,CAAC;gBAC5D,MAAM,IAAI,2BAAkB,CAAC,mBAAmB,CAAC,CAAC;YACpD,CAAC;YAGD,MAAM,IAAI,CAAC,oBAAoB,CAAC,OAAO,EAAE,gBAAgB,CAAC,CAAC;YAC3D,OAAO,IAAI,CAAC;QACd,CAAC;QAID,IAAI,IAAI,EAAE,CAAC;YACT,MAAM,IAAI,CAAC,oBAAoB,CAAC,OAAO,CAAC,CAAC;QAC3C,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAWO,KAAK,CAAC,oBAAoB,CAAC,OAAY,EAAE,QAAiB;QAEhE,IAAI,OAAO,CAAC,SAAS,EAAE,CAAC;YACtB,OAAO;QACT,CAAC;QAED,MAAM,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC;QAC/B,MAAM,GAAG,GAAG,IAAI,CAAC,UAAU,CAAC;QAG5B,IAAI,GAAG,GAAG,CAAC,EAAE,CAAC;YACZ,MAAM,QAAQ,GAAG,QAAQ,KAAK,SAAS,CAAC,CAAC,CAAC,GAAG,MAAM,IAAI,QAAQ,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC;YAC3E,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;YACvB,MAAM,MAAM,GAAG,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;YACjD,IAAI,MAAM,IAAI,GAAG,GAAG,MAAM,CAAC,SAAS,EAAE,CAAC;gBACrC,OAAO,CAAC,SAAS,GAAG,MAAM,CAAC,GAAG,CAAC;gBAC/B,OAAO;YACT,CAAC;QACH,CAAC;QAED,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,WAAW;aACvC,IAAI,CAAC;YACJ,MAAM,EAAE,sCAAkB,CAAC,MAAM;YACjC,IAAI,EAAE,MAAM;SACb,CAAC;aACD,MAAM,CAAC,aAAa,CAAC;aACrB,IAAI,EAAE;aACN,IAAI,EAAE,CAAC;QAEV,IAAI,GAAa,CAAC;QAClB,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;YAC3B,MAAM,SAAS,GAAG,IAAA,sCAAgB,GAAE,CAAC;YACrC,GAAG,GAAG,WAAW;iBACd,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;gBACZ,MAAM,KAAK,GAAG,SAAS,CAAC,CAAC,CAAC,IAAc,CAAC,IAAI,CAAC,CAAC;gBAC/C,OAAO,KAAK,IAAI,QAAQ,CAAC;YAC3B,CAAC,CAAC;iBACD,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAgB,CAAC,CAAC;QACpC,CAAC;aAAM,CAAC;YACN,GAAG,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAgB,CAAC,CAAC;QACnD,CAAC;QAED,OAAO,CAAC,SAAS,GAAG,GAAG,CAAC;QAGxB,IAAI,GAAG,GAAG,CAAC,EAAE,CAAC;YACZ,MAAM,QAAQ,GAAG,QAAQ,KAAK,SAAS,CAAC,CAAC,CAAC,GAAG,MAAM,IAAI,QAAQ,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC;YAC3E,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;YAC9C,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,QAAQ,EAAE,EAAE,SAAS,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC;QAC1E,CAAC;IACH,CAAC;IAKO,UAAU,CAAC,OAAyB;QAC1C,IAAI,OAAO,CAAC,OAAO,EAAkB,KAAK,SAAS,EAAE,CAAC;YACpD,MAAM,GAAG,GAAG,6BAAmB,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YAChD,OAAO,GAAG,CAAC,UAAU,EAAE,EAAE,GAAG,CAAC;QAC/B,CAAC;QACD,IAAI,CAAC;YACH,OAAO,OAAO,CAAC,YAAY,EAAE,CAAC,UAAU,EAAE,CAAC;QAC7C,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAUO,KAAK,CAAC,oBAAoB,CAAC,MAAc,EAAE,QAAgB;QACjE,MAAM,GAAG,GAAG,IAAI,CAAC,UAAU,CAAC;QAG5B,IAAI,GAAG,IAAI,CAAC,EAAE,CAAC;YACb,OAAO,IAAI,CAAC,WAAW;iBACpB,OAAO,CAAC,EAAE,MAAM,EAAE,sCAAkB,CAAC,MAAM,EAAE,MAAM,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC;iBAC9E,IAAI,EAAE;iBACN,IAAI,EAA2C,CAAC;QACrD,CAAC;QAED,MAAM,GAAG,GAAG,GAAG,MAAM,IAAI,QAAQ,EAAE,CAAC;QACpC,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAEvB,MAAM,MAAM,GAAG,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,GAAG,CAAC,CAAC;QAC7C,IAAI,MAAM,IAAI,GAAG,GAAG,MAAM,CAAC,SAAS,EAAE,CAAC;YACrC,OAAO,MAAM,CAAC,MAAM,CAAC;QACvB,CAAC;QAED,MAAM,MAAM,GAAG,CAAC,MAAM,IAAI,CAAC,WAAW;aACnC,OAAO,CAAC;YACP,MAAM,EAAE,sCAAkB,CAAC,MAAM;YACjC,MAAM,EAAE,QAAQ;YAChB,IAAI,EAAE,MAAM;SACb,CAAC;aACD,IAAI,EAAE;aACN,IAAI,EAAE,CAAiC,CAAC;QAM3C,IAAI,MAAM,EAAE,CAAC;YACX,IAAI,CAAC,mBAAmB,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;YAC/C,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,GAAG,EAAE,EAAE,SAAS,EAAE,GAAG,GAAG,GAAG,EAAE,MAAM,EAAE,CAAC,CAAC;QAClE,CAAC;aAAM,CAAC;YAEN,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;QACnC,CAAC;QACD,OAAO,MAAM,CAAC;IAChB,CAAC;IAMO,mBAAmB,CAAI,KAAqB;QAClD,IAAI,KAAK,CAAC,IAAI,IAAI,iBAAe,CAAC,cAAc,EAAE,CAAC;YAEjD,MAAM,WAAW,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,KAAK,CAAC,iBAAe,CAAC,cAAc,GAAG,GAAG,CAAC,CAAC,CAAC;YAClF,IAAI,OAAO,GAAG,CAAC,CAAC;YAChB,KAAK,MAAM,GAAG,IAAI,KAAK,CAAC,IAAI,EAAE,EAAE,CAAC;gBAC/B,IAAI,OAAO,IAAI,WAAW;oBAAE,MAAM;gBAClC,KAAK,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;gBAClB,OAAO,EAAE,CAAC;YACZ,CAAC;QACH,CAAC;IACH,CAAC;IAMO,YAAY;QAClB,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,eAAe,CAAC,OAAO,EAAE,EAAE,CAAC;YAC1D,IAAI,GAAG,IAAI,KAAK,CAAC,SAAS,EAAE,CAAC;gBAC3B,IAAI,CAAC,eAAe,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YACnC,CAAC;QACH,CAAC;QACD,KAAK,MAAM,CAAC,GAAG,EAAE,KAAK,CAAC,IAAI,IAAI,CAAC,cAAc,CAAC,OAAO,EAAE,EAAE,CAAC;YACzD,IAAI,GAAG,IAAI,KAAK,CAAC,SAAS,EAAE,CAAC;gBAC3B,IAAI,CAAC,cAAc,CAAC,MAAM,CAAC,GAAG,CAAC,CAAC;YAClC,CAAC;QACH,CAAC;IACH,CAAC;;AA3WU,0CAAe;0BAAf,eAAe;IAD3B,IAAA,mBAAU,GAAE;IA4BR,WAAA,IAAA,sBAAW,EAAC,6CAAyB,CAAC,CAAA;qCADX,gBAAS;QACiC,gBAAK;GA3BlE,eAAe,CA4W3B"}

package/dist/core/modules/tenant/core-tenant.helpers.d.ts

@@ -0,0 +1,7 @@
+export declare function mergeRolesMetadata(meta: (string[] | undefined)[]): string[];
+export declare function getRoleHierarchy(): Record<string, number>;
+export declare function isSystemRole(role: string): boolean;
+export declare function isMultiTenancyActive(): boolean;
+export declare function isHierarchyRole(role: string): boolean;
+export declare function getMinRequiredLevel(roles: string[]): number | undefined;
+export declare function checkRoleAccess(requiredRoles: string[], userRoles?: string[], tenantRole?: string): boolean;

package/dist/core/modules/tenant/core-tenant.helpers.js

@@ -0,0 +1,60 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.mergeRolesMetadata = mergeRolesMetadata;
+exports.getRoleHierarchy = getRoleHierarchy;
+exports.isSystemRole = isSystemRole;
+exports.isMultiTenancyActive = isMultiTenancyActive;
+exports.isHierarchyRole = isHierarchyRole;
+exports.getMinRequiredLevel = getMinRequiredLevel;
+exports.checkRoleAccess = checkRoleAccess;
+const config_service_1 = require("../../common/services/config.service");
+const core_tenant_enums_1 = require("./core-tenant.enums");
+const SYSTEM_ROLE_PREFIX = 's_';
+function mergeRolesMetadata(meta) {
+    return meta[0] ? (meta[1] ? [...meta[0], ...meta[1]] : meta[0]) : meta[1] || [];
+}
+function getRoleHierarchy() {
+    return config_service_1.ConfigService.configFastButReadOnly?.multiTenancy?.roleHierarchy ?? core_tenant_enums_1.DEFAULT_ROLE_HIERARCHY;
+}
+function isSystemRole(role) {
+    return role.startsWith(SYSTEM_ROLE_PREFIX);
+}
+function isMultiTenancyActive() {
+    const config = config_service_1.ConfigService.configFastButReadOnly?.multiTenancy;
+    return !!config && config.enabled !== false;
+}
+function isHierarchyRole(role) {
+    if (!isMultiTenancyActive())
+        return false;
+    const hierarchy = getRoleHierarchy();
+    return role in hierarchy;
+}
+function getMinRequiredLevel(roles) {
+    const hierarchy = getRoleHierarchy();
+    const levels = roles.filter((r) => r in hierarchy).map((r) => hierarchy[r]);
+    if (levels.length === 0)
+        return undefined;
+    return Math.min(...levels);
+}
+function checkRoleAccess(requiredRoles, userRoles, tenantRole) {
+    const availableRoles = tenantRole ? [tenantRole] : (userRoles ?? []);
+    if (availableRoles.length === 0)
+        return false;
+    const multiTenancyActive = isMultiTenancyActive();
+    const hierarchy = multiTenancyActive ? getRoleHierarchy() : {};
+    const hierarchyRequired = requiredRoles.filter((r) => r in hierarchy);
+    const nonHierarchyRequired = requiredRoles.filter((r) => !(r in hierarchy));
+    if (hierarchyRequired.length === 0 && nonHierarchyRequired.length === 0)
+        return true;
+    if (hierarchyRequired.length > 0) {
+        const minRequired = Math.min(...hierarchyRequired.map((r) => hierarchy[r]));
+        if (availableRoles.some((r) => r in hierarchy && hierarchy[r] >= minRequired))
+            return true;
+    }
+    if (nonHierarchyRequired.length > 0) {
+        if (nonHierarchyRequired.some((r) => availableRoles.includes(r)))
+            return true;
+    }
+    return false;
+}
+//# sourceMappingURL=core-tenant.helpers.js.map

package/dist/core/modules/tenant/core-tenant.helpers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"core-tenant.helpers.js","sourceRoot":"","sources":["../../../../src/core/modules/tenant/core-tenant.helpers.ts"],"names":[],"mappings":";;AAWA,gDAEC;AAKD,4CAEC;AAMD,oCAEC;AAKD,oDAGC;AAMD,0CAIC;AAOD,kDAKC;AAkBD,0CA0BC;AAtGD,yEAAqE;AACrE,2DAA6D;AAE7D,MAAM,kBAAkB,GAAG,IAAI,CAAC;AAQhC,SAAgB,kBAAkB,CAAC,IAA8B;IAC/D,OAAO,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;AAClF,CAAC;AAKD,SAAgB,gBAAgB;IAC9B,OAAO,8BAAa,CAAC,qBAAqB,EAAE,YAAY,EAAE,aAAa,IAAI,0CAAsB,CAAC;AACpG,CAAC;AAMD,SAAgB,YAAY,CAAC,IAAY;IACvC,OAAO,IAAI,CAAC,UAAU,CAAC,kBAAkB,CAAC,CAAC;AAC7C,CAAC;AAKD,SAAgB,oBAAoB;IAClC,MAAM,MAAM,GAAG,8BAAa,CAAC,qBAAqB,EAAE,YAAY,CAAC;IACjE,OAAO,CAAC,CAAC,MAAM,IAAI,MAAM,CAAC,OAAO,KAAK,KAAK,CAAC;AAC9C,CAAC;AAMD,SAAgB,eAAe,CAAC,IAAY;IAC1C,IAAI,CAAC,oBAAoB,EAAE;QAAE,OAAO,KAAK,CAAC;IAC1C,MAAM,SAAS,GAAG,gBAAgB,EAAE,CAAC;IACrC,OAAO,IAAI,IAAI,SAAS,CAAC;AAC3B,CAAC;AAOD,SAAgB,mBAAmB,CAAC,KAAe;IACjD,MAAM,SAAS,GAAG,gBAAgB,EAAE,CAAC;IACrC,MAAM,MAAM,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,SAAS,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;IAC5E,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,SAAS,CAAC;IAC1C,OAAO,IAAI,CAAC,GAAG,CAAC,GAAG,MAAM,CAAC,CAAC;AAC7B,CAAC;AAkBD,SAAgB,eAAe,CAAC,aAAuB,EAAE,SAAoB,EAAE,UAAmB;IAChG,MAAM,cAAc,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC;IACrE,IAAI,cAAc,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAG9C,MAAM,kBAAkB,GAAG,oBAAoB,EAAE,CAAC;IAClD,MAAM,SAAS,GAAG,kBAAkB,CAAC,CAAC,CAAC,gBAAgB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IAC/D,MAAM,iBAAiB,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,SAAS,CAAC,CAAC;IACtE,MAAM,oBAAoB,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,SAAS,CAAC,CAAC,CAAC;IAE5E,IAAI,iBAAiB,CAAC,MAAM,KAAK,CAAC,IAAI,oBAAoB,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IAKrF,IAAI,iBAAiB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACjC,MAAM,WAAW,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QAC5E,IAAI,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,SAAS,IAAI,SAAS,CAAC,CAAC,CAAC,IAAI,WAAW,CAAC;YAAE,OAAO,IAAI,CAAC;IAC7F,CAAC;IAGD,IAAI,oBAAoB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACpC,IAAI,oBAAoB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;YAAE,OAAO,IAAI,CAAC;IAChF,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC"}

package/dist/core/modules/tenant/core-tenant.module.d.ts

@@ -0,0 +1,12 @@
+import { CanActivate, DynamicModule, Type } from '@nestjs/common';
+import { CoreTenantMemberModel } from './core-tenant-member.model';
+import { CoreTenantService } from './core-tenant.service';
+export interface CoreTenantModuleOptions {
+    memberModel?: Type<CoreTenantMemberModel>;
+    guard?: Type<CanActivate>;
+    service?: Type<CoreTenantService>;
+    modelName?: string;
+}
+export declare class CoreTenantModule {
+    static forRoot(options?: CoreTenantModuleOptions): DynamicModule;
+}

package/dist/core/modules/tenant/core-tenant.module.js

@@ -0,0 +1,58 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var CoreTenantModule_1;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CoreTenantModule = void 0;
+const common_1 = require("@nestjs/common");
+const core_1 = require("@nestjs/core");
+const mongoose_1 = require("@nestjs/mongoose");
+const core_tenant_member_model_1 = require("./core-tenant-member.model");
+const core_tenant_enums_1 = require("./core-tenant.enums");
+const core_tenant_guard_1 = require("./core-tenant.guard");
+const core_tenant_service_1 = require("./core-tenant.service");
+let CoreTenantModule = CoreTenantModule_1 = class CoreTenantModule {
+    static forRoot(options = {}) {
+        const MemberModel = options.memberModel || core_tenant_member_model_1.CoreTenantMemberModel;
+        const Guard = options.guard || core_tenant_guard_1.CoreTenantGuard;
+        const Service = options.service || core_tenant_service_1.CoreTenantService;
+        const modelName = options.modelName || core_tenant_enums_1.TENANT_MEMBER_MODEL_TOKEN;
+        const memberSchema = mongoose_1.SchemaFactory.createForClass(MemberModel);
+        memberSchema.index({ user: 1, tenant: 1 }, { unique: true });
+        memberSchema.index({ user: 1, tenant: 1, status: 1 });
+        const providers = [
+            {
+                provide: core_tenant_service_1.CoreTenantService,
+                useClass: Service,
+            },
+            {
+                provide: core_1.APP_GUARD,
+                useClass: Guard,
+            },
+        ];
+        if (modelName !== core_tenant_enums_1.TENANT_MEMBER_MODEL_TOKEN) {
+            providers.push({
+                provide: (0, mongoose_1.getModelToken)(core_tenant_enums_1.TENANT_MEMBER_MODEL_TOKEN),
+                useFactory: (model) => model,
+                inject: [(0, mongoose_1.getModelToken)(modelName)],
+            });
+        }
+        return {
+            exports: [core_tenant_service_1.CoreTenantService],
+            global: true,
+            imports: [mongoose_1.MongooseModule.forFeature([{ name: modelName, schema: memberSchema }])],
+            module: CoreTenantModule_1,
+            providers,
+        };
+    }
+};
+exports.CoreTenantModule = CoreTenantModule;
+exports.CoreTenantModule = CoreTenantModule = CoreTenantModule_1 = __decorate([
+    (0, common_1.Global)(),
+    (0, common_1.Module)({})
+], CoreTenantModule);
+//# sourceMappingURL=core-tenant.module.js.map

package/dist/core/modules/tenant/core-tenant.module.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"core-tenant.module.js","sourceRoot":"","sources":["../../../../src/core/modules/tenant/core-tenant.module.ts"],"names":[],"mappings":";;;;;;;;;;AAAA,2CAAkF;AAClF,uCAAyC;AACzC,+CAAgF;AAGhF,yEAAmE;AACnE,2DAAgE;AAChE,2DAAsD;AACtD,+DAA0D;AAkDnD,IAAM,gBAAgB,wBAAtB,MAAM,gBAAgB;IAC3B,MAAM,CAAC,OAAO,CAAC,UAAmC,EAAE;QAClD,MAAM,WAAW,GAAG,OAAO,CAAC,WAAW,IAAI,gDAAqB,CAAC;QACjE,MAAM,KAAK,GAAG,OAAO,CAAC,KAAK,IAAI,mCAAe,CAAC;QAC/C,MAAM,OAAO,GAAG,OAAO,CAAC,OAAO,IAAI,uCAAiB,CAAC;QACrD,MAAM,SAAS,GAAG,OAAO,CAAC,SAAS,IAAI,6CAAyB,CAAC;QAEjE,MAAM,YAAY,GAAG,wBAAa,CAAC,cAAc,CAAC,WAAW,CAAC,CAAC;QAG/D,YAAY,CAAC,KAAK,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC;QAE7D,YAAY,CAAC,KAAK,CAAC,EAAE,IAAI,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,MAAM,EAAE,CAAC,EAAE,CAAC,CAAC;QAEtD,MAAM,SAAS,GAAU;YACvB;gBACE,OAAO,EAAE,uCAAiB;gBAC1B,QAAQ,EAAE,OAAO;aAClB;YACD;gBACE,OAAO,EAAE,gBAAS;gBAClB,QAAQ,EAAE,KAAK;aAChB;SACF,CAAC;QAIF,IAAI,SAAS,KAAK,6CAAyB,EAAE,CAAC;YAC5C,SAAS,CAAC,IAAI,CAAC;gBACb,OAAO,EAAE,IAAA,wBAAa,EAAC,6CAAyB,CAAC;gBACjD,UAAU,EAAE,CAAC,KAAiB,EAAE,EAAE,CAAC,KAAK;gBACxC,MAAM,EAAE,CAAC,IAAA,wBAAa,EAAC,SAAS,CAAC,CAAC;aACnC,CAAC,CAAC;QACL,CAAC;QAED,OAAO;YACL,OAAO,EAAE,CAAC,uCAAiB,CAAC;YAC5B,MAAM,EAAE,IAAI;YACZ,OAAO,EAAE,CAAC,yBAAc,CAAC,UAAU,CAAC,CAAC,EAAE,IAAI,EAAE,SAAS,EAAE,MAAM,EAAE,YAAY,EAAE,CAAC,CAAC,CAAC;YACjF,MAAM,EAAE,kBAAgB;YACxB,SAAS;SACV,CAAC;IACJ,CAAC;CACF,CAAA;AA3CY,4CAAgB;2BAAhB,gBAAgB;IAF5B,IAAA,eAAM,GAAE;IACR,IAAA,eAAM,EAAC,EAAE,CAAC;GACE,gBAAgB,CA2C5B"}

package/dist/core/modules/tenant/core-tenant.service.d.ts

@@ -0,0 +1,19 @@
+import { Logger } from '@nestjs/common';
+import { Model } from 'mongoose';
+import { CoreTenantMemberModel } from './core-tenant-member.model';
+import { CoreTenantGuard } from './core-tenant.guard';
+export declare class CoreTenantService {
+    protected readonly memberModel: Model<CoreTenantMemberModel>;
+    protected readonly tenantGuard?: CoreTenantGuard;
+    protected readonly logger: Logger;
+    constructor(memberModel: Model<CoreTenantMemberModel>, tenantGuard?: CoreTenantGuard);
+    protected getHierarchy(): Record<string, number>;
+    protected getDefaultRole(): string;
+    protected getHighestRole(): string;
+    findMemberships(userId: string): Promise<CoreTenantMemberModel[]>;
+    getMembership(tenantId: string, userId: string): Promise<CoreTenantMemberModel | null>;
+    addMember(tenantId: string, userId: string, role?: string, invitedById?: string): Promise<CoreTenantMemberModel>;
+    removeMember(tenantId: string, userId: string): Promise<CoreTenantMemberModel>;
+    updateMemberRole(tenantId: string, userId: string, role: string): Promise<CoreTenantMemberModel>;
+    assertNotLastOwner(tenantId: string, userId: string): Promise<void>;
+}