@objectstack/core 10.3.0 → 11.0.0

package/dist/index.d.cts

@@ -1693,9 +1693,15 @@ interface GeneratedApiKey {
  */
 declare function generateApiKey(prefix?: string): GeneratedApiKey;
 /**
- * Extract an API key from request headers. Accepts `X-API-Key: <token>` or
- * `Authorization: ApiKey <token>` (case-insensitive scheme). Bearer tokens are
- * deliberately NOT treated as API keys — those flow through the session path.
+ * Extract an API key from request headers. Accepts, in order:
+ *  - `X-API-Key: <token>`
+ *  - `Authorization: ApiKey <token>` (case-insensitive scheme)
+ *  - `Authorization: Bearer <token>` ONLY when `<token>` carries the ObjectStack
+ *    api-key prefix (`osk_`). Remote MCP clients (Claude Desktop / Cursor /
+ *    Claude Code) authenticate to `/api/v1/mcp` with the key as a Bearer per the
+ *    MCP spec, so rejecting Bearer outright made every standard MCP client fail.
+ *    A better-auth *session* token never starts with `osk_`, so a session Bearer
+ *    still falls through to the session path — this can't shadow it.
  */
 declare function extractApiKey(headers: any): string | undefined;
 /** Parse a `scopes` value that may be a JSON-string textarea or a real array. */
@@ -1721,6 +1727,57 @@ interface ApiKeyPrincipal {
  */
 declare function resolveApiKeyPrincipal(ql: any, headers: any, nowMs?: number): Promise<ApiKeyPrincipal | undefined>;
 
+/** The transport-agnostic authorization envelope produced from a request. */
+interface ResolvedAuthzContext {
+    userId?: string;
+    tenantId?: string;
+    email?: string;
+    accessToken?: string;
+    roles: string[];
+    permissions: string[];
+    systemPermissions: string[];
+    tabPermissions?: Record<string, 'visible' | 'hidden' | 'default_on' | 'default_off'>;
+    /** Fellow-org user IDs for RLS scoping of identity tables (`id IN (...)`). */
+    org_user_ids: string[];
+}
+interface ResolveAuthzInput {
+    /** Data engine (ObjectQL) exposing `find(object, { where, limit, context })`. */
+    ql: any;
+    /** Inbound request headers (Web `Headers` or a plain record). */
+    headers: any;
+    /**
+     * Resolve a better-auth session from `headers`, returning `{ user?, session? }`
+     * (or undefined). Optional — when omitted or throwing, only the API-key path
+     * runs and anonymous requests resolve to an empty context.
+     */
+    getSession?: (headers: any) => Promise<any> | any;
+    /** Clock injection for API-key expiry (tests). */
+    nowMs?: number;
+}
+/**
+ * Resolve the authorization context for an inbound request. Always resolves —
+ * never throws. Anonymous requests yield `{ roles: [], permissions: [], ... }`.
+ */
+declare function resolveAuthzContext(input: ResolveAuthzInput): Promise<ResolvedAuthzContext>;
+interface ResolveLocalizationInput {
+    ql: any;
+    /** Settings service exposing `get(namespace, key, { tenantId, userId })`. */
+    settings?: any;
+    tenantId?: string;
+    userId?: string;
+}
+/**
+ * Resolve workspace localization defaults (reference `timezone` / `locale` /
+ * `currency`). Canonical path is the `localization` SettingsManifest (cascade:
+ * platform default → global → tenant); falls back to direct tenant-scoped
+ * `sys_setting` rows, then the built-ins `UTC` / `en-US`. Never throws.
+ */
+declare function resolveLocalizationContext(input: ResolveLocalizationInput): Promise<{
+    timezone: string;
+    locale: string;
+    currency?: string;
+}>;
+
 /**
  * Environment utilities for universal (Node/Browser) compatibility.
  */
@@ -2168,4 +2225,4 @@ declare class NamespaceResolver {
     private suggestAlternative;
 }
 
-export { API_KEY_PREFIX, type ApiKeyPrincipal, ApiRegistry, type ApiRegistryPluginConfig, CORE_FALLBACK_FACTORIES, type CalendarParts, DependencyResolver, type GeneratedApiKey, HotReloadManager, type KernelState, type KeyInput, LiteKernel, type NamespaceCheckResult, type NamespaceConflict, type NamespaceEntry, NamespaceResolver, ObjectKernel, ObjectKernelBase, type ObjectKernelConfig, ObjectLogger, type ParsedSignature, type PermissionCheckResult$1 as PermissionCheckResult, type PermissionGrant, type Plugin, type PluginArtifactVerifyResult, PluginConfigValidator, type PluginContext, PluginHealthMonitor, type PluginHealthStatus, type PluginLoadResult, PluginLoader, type PluginMetadata, type PermissionCheckResult as PluginPermissionCheckResult, PluginPermissionEnforcer, PluginPermissionManager, type PluginPermissions, PluginSandboxRuntime, PluginSecurityScanner, type PluginSignatureConfig, PluginSignatureVerifier, type PluginStartupResult, type PublisherVerifyResult, index as QA, type ResourceUsage, SIGNATURE_ALG, type SandboxContext, type ScanTarget, SecurePluginContext, type SecurityIssue, SemanticVersionManager, type ServiceFactory, ServiceLifecycle, type ServiceRegistration, type SignatureVerificationResult, type VersionCompatibility, buildPermissionsFromGrants, calendarPartsInTz, calendarPartsInTzOrUtc, counterSignPayload, createApiRegistryPlugin, createMemoryCache, createMemoryI18n, createMemoryJob, createMemoryMetadata, createMemoryQueue, createPluginConfigValidator, createPluginPermissionEnforcer, extractApiKey, generateApiKey, generateEd25519KeyPair, getEnv, getMemoryUsage, hashApiKey, isExpired, isNode, parseScopes, parseSignature, resolveApiKeyPrincipal, resolveLocale, safeExit, signPayload, verifyPayload, verifyPlatformSignature, verifyPluginArtifact, verifyPublisherSignature };
+export { API_KEY_PREFIX, type ApiKeyPrincipal, ApiRegistry, type ApiRegistryPluginConfig, CORE_FALLBACK_FACTORIES, type CalendarParts, DependencyResolver, type GeneratedApiKey, HotReloadManager, type KernelState, type KeyInput, LiteKernel, type NamespaceCheckResult, type NamespaceConflict, type NamespaceEntry, NamespaceResolver, ObjectKernel, ObjectKernelBase, type ObjectKernelConfig, ObjectLogger, type ParsedSignature, type PermissionCheckResult$1 as PermissionCheckResult, type PermissionGrant, type Plugin, type PluginArtifactVerifyResult, PluginConfigValidator, type PluginContext, PluginHealthMonitor, type PluginHealthStatus, type PluginLoadResult, PluginLoader, type PluginMetadata, type PermissionCheckResult as PluginPermissionCheckResult, PluginPermissionEnforcer, PluginPermissionManager, type PluginPermissions, PluginSandboxRuntime, PluginSecurityScanner, type PluginSignatureConfig, PluginSignatureVerifier, type PluginStartupResult, type PublisherVerifyResult, index as QA, type ResolveAuthzInput, type ResolveLocalizationInput, type ResolvedAuthzContext, type ResourceUsage, SIGNATURE_ALG, type SandboxContext, type ScanTarget, SecurePluginContext, type SecurityIssue, SemanticVersionManager, type ServiceFactory, ServiceLifecycle, type ServiceRegistration, type SignatureVerificationResult, type VersionCompatibility, buildPermissionsFromGrants, calendarPartsInTz, calendarPartsInTzOrUtc, counterSignPayload, createApiRegistryPlugin, createMemoryCache, createMemoryI18n, createMemoryJob, createMemoryMetadata, createMemoryQueue, createPluginConfigValidator, createPluginPermissionEnforcer, extractApiKey, generateApiKey, generateEd25519KeyPair, getEnv, getMemoryUsage, hashApiKey, isExpired, isNode, parseScopes, parseSignature, resolveApiKeyPrincipal, resolveAuthzContext, resolveLocale, resolveLocalizationContext, safeExit, signPayload, verifyPayload, verifyPlatformSignature, verifyPluginArtifact, verifyPublisherSignature };

package/dist/index.d.ts

@@ -1693,9 +1693,15 @@ interface GeneratedApiKey {
  */
 declare function generateApiKey(prefix?: string): GeneratedApiKey;
 /**
- * Extract an API key from request headers. Accepts `X-API-Key: <token>` or
- * `Authorization: ApiKey <token>` (case-insensitive scheme). Bearer tokens are
- * deliberately NOT treated as API keys — those flow through the session path.
+ * Extract an API key from request headers. Accepts, in order:
+ *  - `X-API-Key: <token>`
+ *  - `Authorization: ApiKey <token>` (case-insensitive scheme)
+ *  - `Authorization: Bearer <token>` ONLY when `<token>` carries the ObjectStack
+ *    api-key prefix (`osk_`). Remote MCP clients (Claude Desktop / Cursor /
+ *    Claude Code) authenticate to `/api/v1/mcp` with the key as a Bearer per the
+ *    MCP spec, so rejecting Bearer outright made every standard MCP client fail.
+ *    A better-auth *session* token never starts with `osk_`, so a session Bearer
+ *    still falls through to the session path — this can't shadow it.
  */
 declare function extractApiKey(headers: any): string | undefined;
 /** Parse a `scopes` value that may be a JSON-string textarea or a real array. */
@@ -1721,6 +1727,57 @@ interface ApiKeyPrincipal {
  */
 declare function resolveApiKeyPrincipal(ql: any, headers: any, nowMs?: number): Promise<ApiKeyPrincipal | undefined>;
 
+/** The transport-agnostic authorization envelope produced from a request. */
+interface ResolvedAuthzContext {
+    userId?: string;
+    tenantId?: string;
+    email?: string;
+    accessToken?: string;
+    roles: string[];
+    permissions: string[];
+    systemPermissions: string[];
+    tabPermissions?: Record<string, 'visible' | 'hidden' | 'default_on' | 'default_off'>;
+    /** Fellow-org user IDs for RLS scoping of identity tables (`id IN (...)`). */
+    org_user_ids: string[];
+}
+interface ResolveAuthzInput {
+    /** Data engine (ObjectQL) exposing `find(object, { where, limit, context })`. */
+    ql: any;
+    /** Inbound request headers (Web `Headers` or a plain record). */
+    headers: any;
+    /**
+     * Resolve a better-auth session from `headers`, returning `{ user?, session? }`
+     * (or undefined). Optional — when omitted or throwing, only the API-key path
+     * runs and anonymous requests resolve to an empty context.
+     */
+    getSession?: (headers: any) => Promise<any> | any;
+    /** Clock injection for API-key expiry (tests). */
+    nowMs?: number;
+}
+/**
+ * Resolve the authorization context for an inbound request. Always resolves —
+ * never throws. Anonymous requests yield `{ roles: [], permissions: [], ... }`.
+ */
+declare function resolveAuthzContext(input: ResolveAuthzInput): Promise<ResolvedAuthzContext>;
+interface ResolveLocalizationInput {
+    ql: any;
+    /** Settings service exposing `get(namespace, key, { tenantId, userId })`. */
+    settings?: any;
+    tenantId?: string;
+    userId?: string;
+}
+/**
+ * Resolve workspace localization defaults (reference `timezone` / `locale` /
+ * `currency`). Canonical path is the `localization` SettingsManifest (cascade:
+ * platform default → global → tenant); falls back to direct tenant-scoped
+ * `sys_setting` rows, then the built-ins `UTC` / `en-US`. Never throws.
+ */
+declare function resolveLocalizationContext(input: ResolveLocalizationInput): Promise<{
+    timezone: string;
+    locale: string;
+    currency?: string;
+}>;
+
 /**
  * Environment utilities for universal (Node/Browser) compatibility.
  */
@@ -2168,4 +2225,4 @@ declare class NamespaceResolver {
     private suggestAlternative;
 }
 
-export { API_KEY_PREFIX, type ApiKeyPrincipal, ApiRegistry, type ApiRegistryPluginConfig, CORE_FALLBACK_FACTORIES, type CalendarParts, DependencyResolver, type GeneratedApiKey, HotReloadManager, type KernelState, type KeyInput, LiteKernel, type NamespaceCheckResult, type NamespaceConflict, type NamespaceEntry, NamespaceResolver, ObjectKernel, ObjectKernelBase, type ObjectKernelConfig, ObjectLogger, type ParsedSignature, type PermissionCheckResult$1 as PermissionCheckResult, type PermissionGrant, type Plugin, type PluginArtifactVerifyResult, PluginConfigValidator, type PluginContext, PluginHealthMonitor, type PluginHealthStatus, type PluginLoadResult, PluginLoader, type PluginMetadata, type PermissionCheckResult as PluginPermissionCheckResult, PluginPermissionEnforcer, PluginPermissionManager, type PluginPermissions, PluginSandboxRuntime, PluginSecurityScanner, type PluginSignatureConfig, PluginSignatureVerifier, type PluginStartupResult, type PublisherVerifyResult, index as QA, type ResourceUsage, SIGNATURE_ALG, type SandboxContext, type ScanTarget, SecurePluginContext, type SecurityIssue, SemanticVersionManager, type ServiceFactory, ServiceLifecycle, type ServiceRegistration, type SignatureVerificationResult, type VersionCompatibility, buildPermissionsFromGrants, calendarPartsInTz, calendarPartsInTzOrUtc, counterSignPayload, createApiRegistryPlugin, createMemoryCache, createMemoryI18n, createMemoryJob, createMemoryMetadata, createMemoryQueue, createPluginConfigValidator, createPluginPermissionEnforcer, extractApiKey, generateApiKey, generateEd25519KeyPair, getEnv, getMemoryUsage, hashApiKey, isExpired, isNode, parseScopes, parseSignature, resolveApiKeyPrincipal, resolveLocale, safeExit, signPayload, verifyPayload, verifyPlatformSignature, verifyPluginArtifact, verifyPublisherSignature };
+export { API_KEY_PREFIX, type ApiKeyPrincipal, ApiRegistry, type ApiRegistryPluginConfig, CORE_FALLBACK_FACTORIES, type CalendarParts, DependencyResolver, type GeneratedApiKey, HotReloadManager, type KernelState, type KeyInput, LiteKernel, type NamespaceCheckResult, type NamespaceConflict, type NamespaceEntry, NamespaceResolver, ObjectKernel, ObjectKernelBase, type ObjectKernelConfig, ObjectLogger, type ParsedSignature, type PermissionCheckResult$1 as PermissionCheckResult, type PermissionGrant, type Plugin, type PluginArtifactVerifyResult, PluginConfigValidator, type PluginContext, PluginHealthMonitor, type PluginHealthStatus, type PluginLoadResult, PluginLoader, type PluginMetadata, type PermissionCheckResult as PluginPermissionCheckResult, PluginPermissionEnforcer, PluginPermissionManager, type PluginPermissions, PluginSandboxRuntime, PluginSecurityScanner, type PluginSignatureConfig, PluginSignatureVerifier, type PluginStartupResult, type PublisherVerifyResult, index as QA, type ResolveAuthzInput, type ResolveLocalizationInput, type ResolvedAuthzContext, type ResourceUsage, SIGNATURE_ALG, type SandboxContext, type ScanTarget, SecurePluginContext, type SecurityIssue, SemanticVersionManager, type ServiceFactory, ServiceLifecycle, type ServiceRegistration, type SignatureVerificationResult, type VersionCompatibility, buildPermissionsFromGrants, calendarPartsInTz, calendarPartsInTzOrUtc, counterSignPayload, createApiRegistryPlugin, createMemoryCache, createMemoryI18n, createMemoryJob, createMemoryMetadata, createMemoryQueue, createPluginConfigValidator, createPluginPermissionEnforcer, extractApiKey, generateApiKey, generateEd25519KeyPair, getEnv, getMemoryUsage, hashApiKey, isExpired, isNode, parseScopes, parseSignature, resolveApiKeyPrincipal, resolveAuthzContext, resolveLocale, resolveLocalizationContext, safeExit, signPayload, verifyPayload, verifyPlatformSignature, verifyPluginArtifact, verifyPublisherSignature };

package/dist/index.js

@@ -3919,9 +3919,11 @@ function extractApiKey(headers) {
   if (x && x.trim()) return x.trim();
   const auth = readHeader(headers, "authorization");
   if (!auth) return void 0;
-  const m = auth.match(/^ApiKey\s+(.+)$/i);
-  const token = m?.[1]?.trim();
-  return token || void 0;
+  const apiKeyScheme = auth.match(/^ApiKey\s+(\S.*)$/i);
+  if (apiKeyScheme?.[1]?.trim()) return apiKeyScheme[1].trim();
+  const bearer = auth.match(/^Bearer\s+(\S.*)$/i)?.[1]?.trim();
+  if (bearer && bearer.startsWith(API_KEY_PREFIX)) return bearer;
+  return void 0;
 }
 function parseScopes(value) {
   if (Array.isArray(value)) {
@@ -4000,6 +4002,197 @@ function safeJsonParse(s, fallback) {
   }
 }
 
+// src/security/resolve-authz-context.ts
+import {
+  mapMembershipRole,
+  BUILTIN_ROLE_PLATFORM_ADMIN,
+  ADMIN_FULL_ACCESS
+} from "@objectstack/spec";
+function safeJsonParse2(s, fallback) {
+  try {
+    return JSON.parse(s);
+  } catch {
+    return fallback;
+  }
+}
+async function tryFind(ql, object, where, limit = 100) {
+  if (!ql || typeof ql.find !== "function") return [];
+  try {
+    let rows = await ql.find(object, { where, limit, context: { isSystem: true } });
+    if (rows && rows.value) rows = rows.value;
+    return Array.isArray(rows) ? rows : [];
+  } catch {
+    return [];
+  }
+}
+async function resolveAuthzContext(input) {
+  const { ql, headers } = input;
+  const ctx = {
+    roles: [],
+    permissions: [],
+    systemPermissions: [],
+    org_user_ids: []
+  };
+  let userId;
+  let tenantId;
+  const keyPrincipal = await resolveApiKeyPrincipal(ql, headers, input.nowMs);
+  if (keyPrincipal) {
+    userId = keyPrincipal.userId;
+    tenantId = keyPrincipal.tenantId;
+    for (const scope of keyPrincipal.scopes) {
+      if (!ctx.permissions.includes(scope)) ctx.permissions.push(scope);
+    }
+  }
+  if (!userId && typeof input.getSession === "function") {
+    try {
+      const sessionData = await input.getSession(headers);
+      userId = sessionData?.user?.id ?? sessionData?.session?.userId;
+      tenantId = tenantId ?? sessionData?.session?.activeOrganizationId;
+      ctx.accessToken = sessionData?.session?.token ?? ctx.accessToken;
+      if (sessionData?.user?.email) ctx.email = String(sessionData.user.email);
+    } catch {
+    }
+  }
+  if (!userId) return ctx;
+  ctx.userId = userId;
+  if (tenantId) ctx.tenantId = tenantId;
+  if (!ql || typeof ql.find !== "function") return ctx;
+  if (!ctx.email) {
+    const userRows = await tryFind(ql, "sys_user", { id: userId }, 1);
+    if (userRows[0]?.email) ctx.email = String(userRows[0].email);
+  }
+  const memberWhere = tenantId ? { user_id: userId, organization_id: tenantId } : { user_id: userId };
+  const members = await tryFind(ql, "sys_member", memberWhere, 50);
+  for (const m of members) {
+    if (m.role && typeof m.role === "string") {
+      for (const raw of m.role.split(",").map((s) => s.trim()).filter(Boolean)) {
+        const r = mapMembershipRole(raw);
+        if (!ctx.roles.includes(r)) ctx.roles.push(r);
+      }
+    }
+  }
+  const userRoleRows = await tryFind(ql, "sys_user_role", { user_id: userId }, 200);
+  for (const ur of userRoleRows) {
+    const org = ur.organization_id ?? null;
+    if (org && tenantId && org !== tenantId) continue;
+    const r = ur.role;
+    if (typeof r === "string" && r && !ctx.roles.includes(r)) ctx.roles.push(r);
+  }
+  if (tenantId) {
+    const orgMembers = await tryFind(ql, "sys_member", { organization_id: tenantId }, 1e3);
+    const ids = new Set(
+      orgMembers.map((m) => m.user_id ?? m.userId).filter((v) => typeof v === "string" && v.length > 0)
+    );
+    ids.add(userId);
+    ctx.org_user_ids = Array.from(ids);
+  } else {
+    ctx.org_user_ids = [userId];
+  }
+  const upsRows = await tryFind(ql, "sys_user_permission_set", { user_id: userId }, 100);
+  const psIds = new Set(
+    upsRows.filter((r) => {
+      const org = r.organization_id ?? r.organizationId ?? null;
+      return !(org && tenantId && org !== tenantId);
+    }).map((r) => r.permission_set_id ?? r.permissionSetId).filter(Boolean)
+  );
+  const unscopedUserPsIds = new Set(
+    upsRows.filter((r) => (r.organization_id ?? r.organizationId ?? null) === null).map((r) => r.permission_set_id ?? r.permissionSetId).filter(Boolean)
+  );
+  let hasPlatformAdminGrant = false;
+  if (ctx.roles.length > 0) {
+    const roleRows = await tryFind(ql, "sys_role", { name: { $in: ctx.roles } }, 100);
+    const roleIds = roleRows.map((r) => r.id).filter(Boolean);
+    if (roleIds.length > 0) {
+      const rpsRows = await tryFind(ql, "sys_role_permission_set", { role_id: { $in: roleIds } }, 500);
+      for (const r of rpsRows) {
+        const id = r.permission_set_id ?? r.permissionSetId;
+        if (id) psIds.add(id);
+      }
+    }
+  }
+  if (psIds.size > 0) {
+    const psRows = await tryFind(ql, "sys_permission_set", { id: { $in: Array.from(psIds) } }, 500);
+    const tabRank = { hidden: 0, default_off: 1, default_on: 2, visible: 3 };
+    const mergedTabs = {};
+    for (const ps of psRows) {
+      if (ps.name && !ctx.permissions.includes(ps.name)) ctx.permissions.push(ps.name);
+      if (ps.name === ADMIN_FULL_ACCESS && unscopedUserPsIds.has(ps.id)) hasPlatformAdminGrant = true;
+      const sysPerms = typeof ps.system_permissions === "string" ? safeJsonParse2(ps.system_permissions, []) : ps.system_permissions ?? ps.systemPermissions;
+      if (Array.isArray(sysPerms)) {
+        for (const p of sysPerms) {
+          if (typeof p === "string" && !ctx.systemPermissions.includes(p)) ctx.systemPermissions.push(p);
+        }
+      }
+      const tabs = typeof ps.tab_permissions === "string" ? safeJsonParse2(ps.tab_permissions, {}) : ps.tab_permissions ?? ps.tabPermissions;
+      if (tabs && typeof tabs === "object") {
+        for (const [app, val] of Object.entries(tabs)) {
+          if (typeof val !== "string" || !(val in tabRank)) continue;
+          const cur = mergedTabs[app];
+          if (!cur || tabRank[val] > tabRank[cur]) {
+            mergedTabs[app] = val;
+          }
+        }
+      }
+    }
+    if (Object.keys(mergedTabs).length > 0) ctx.tabPermissions = mergedTabs;
+  }
+  if (hasPlatformAdminGrant && !ctx.roles.includes(BUILTIN_ROLE_PLATFORM_ADMIN)) {
+    ctx.roles.unshift(BUILTIN_ROLE_PLATFORM_ADMIN);
+  }
+  if (!ctx.permissions.includes("ai_seat")) {
+    const seatRows = await tryFind(ql, "sys_user", { id: userId }, 1);
+    const aiAccess = seatRows?.[0]?.ai_access;
+    if (aiAccess === true || aiAccess === 1 || aiAccess === "1") ctx.permissions.push("ai_seat");
+  }
+  return ctx;
+}
+function isValidTimeZone(tz) {
+  try {
+    new Intl.DateTimeFormat("en-US", { timeZone: tz });
+    return true;
+  } catch {
+    return false;
+  }
+}
+function coerceTimeZone(value) {
+  const s = typeof value === "string" ? value.trim() : value != null ? String(value).trim() : "";
+  return s && isValidTimeZone(s) ? s : void 0;
+}
+function coerceLocale(value) {
+  const s = typeof value === "string" ? value.trim() : value != null ? String(value).trim() : "";
+  return s || void 0;
+}
+function coerceCurrency(value) {
+  const s = typeof value === "string" ? value.trim().toUpperCase() : "";
+  return /^[A-Z]{3}$/.test(s) ? s : void 0;
+}
+async function resolveLocalizationContext(input) {
+  const { ql, settings, tenantId, userId } = input;
+  try {
+    if (settings && typeof settings.get === "function") {
+      const sctx = { tenantId, userId };
+      const [tzRes, localeRes, currencyRes] = await Promise.all([
+        settings.get("localization", "timezone", sctx).catch(() => void 0),
+        settings.get("localization", "locale", sctx).catch(() => void 0),
+        settings.get("localization", "currency", sctx).catch(() => void 0)
+      ]);
+      const tz = coerceTimeZone(tzRes?.value);
+      const locale = coerceLocale(localeRes?.value);
+      const currency = coerceCurrency(currencyRes?.value);
+      if (tz || locale || currency) return { timezone: tz ?? "UTC", locale: locale ?? "en-US", currency };
+    }
+  } catch {
+  }
+  const tzRows = await tryFind(ql, "sys_setting", { namespace: "localization", key: "timezone", scope: "tenant" }, 1);
+  const localeRows = await tryFind(ql, "sys_setting", { namespace: "localization", key: "locale", scope: "tenant" }, 1);
+  const currencyRows = await tryFind(ql, "sys_setting", { namespace: "localization", key: "currency", scope: "tenant" }, 1);
+  return {
+    timezone: coerceTimeZone(tzRows[0]?.value) ?? "UTC",
+    locale: coerceLocale(localeRows[0]?.value) ?? "en-US",
+    currency: coerceCurrency(currencyRows[0]?.value)
+  };
+}
+
 // src/utils/datetime.ts
 function calendarPartsInTz(d, tz) {
   const parts = new Intl.DateTimeFormat("en-US", {
@@ -4986,7 +5179,9 @@ export {
   parseScopes,
   parseSignature,
   resolveApiKeyPrincipal,
+  resolveAuthzContext,
   resolveLocale,
+  resolveLocalizationContext,
   safeExit,
   signPayload,
   verifyPayload,