npm - @openmdm/core - Versions diffs - 0.2.0 → 0.3.0 - Mend

@openmdm/core 0.2.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (20) hide show

package/dist/index.js CHANGED Viewed

@@ -27,6 +27,26 @@ var ApplicationNotFoundError = class extends MDMError {
     super(`Application not found: ${identifier}`, "APPLICATION_NOT_FOUND", 404);
   }
 };
+var TenantNotFoundError = class extends MDMError {
+  constructor(identifier) {
+    super(`Tenant not found: ${identifier}`, "TENANT_NOT_FOUND", 404);
+  }
+};
+var RoleNotFoundError = class extends MDMError {
+  constructor(identifier) {
+    super(`Role not found: ${identifier}`, "ROLE_NOT_FOUND", 404);
+  }
+};
+var GroupNotFoundError = class extends MDMError {
+  constructor(identifier) {
+    super(`Group not found: ${identifier}`, "GROUP_NOT_FOUND", 404);
+  }
+};
+var UserNotFoundError = class extends MDMError {
+  constructor(identifier) {
+    super(`User not found: ${identifier}`, "USER_NOT_FOUND", 404);
+  }
+};
 var EnrollmentError = class extends MDMError {
   constructor(message, details) {
     super(message, "ENROLLMENT_ERROR", 400, details);
@@ -162,56 +182,1170 @@ function createWebhookManager(config) {
           );
         }
       }
-      return results;
+      return results;
+    },
+    addEndpoint(endpoint) {
+      endpoints.set(endpoint.id, endpoint);
+    },
+    removeEndpoint(endpointId) {
+      endpoints.delete(endpointId);
+    },
+    updateEndpoint(endpointId, updates) {
+      const existing = endpoints.get(endpointId);
+      if (existing) {
+        endpoints.set(endpointId, { ...existing, ...updates });
+      }
+    },
+    getEndpoints() {
+      return Array.from(endpoints.values());
+    },
+    async testEndpoint(endpointId) {
+      const endpoint = endpoints.get(endpointId);
+      if (!endpoint) {
+        return {
+          endpointId,
+          success: false,
+          error: "Endpoint not found",
+          retryCount: 0
+        };
+      }
+      const testPayload = {
+        id: randomUUID(),
+        event: "device.heartbeat",
+        timestamp: (/* @__PURE__ */ new Date()).toISOString(),
+        data: {
+          test: true,
+          message: "OpenMDM webhook test"
+        }
+      };
+      return deliverToEndpoint(endpoint, testPayload);
+    }
+  };
+}
+function verifyWebhookSignature(payload, signature, secret) {
+  const expectedSignature = `sha256=${createHmac("sha256", secret).update(payload).digest("hex")}`;
+  if (signature.length !== expectedSignature.length) {
+    return false;
+  }
+  let result = 0;
+  for (let i = 0; i < signature.length; i++) {
+    result |= signature.charCodeAt(i) ^ expectedSignature.charCodeAt(i);
+  }
+  return result === 0;
+}
+// src/tenant.ts
+function validateSlug(slug) {
+  const slugRegex = /^[a-z0-9][a-z0-9-]{1,48}[a-z0-9]$/;
+  return slugRegex.test(slug);
+}
+function createTenantManager(db) {
+  return {
+    async get(id) {
+      if (!db.findTenant) {
+        throw new Error("Database adapter does not support tenant operations");
+      }
+      return db.findTenant(id);
+    },
+    async getBySlug(slug) {
+      if (!db.findTenantBySlug) {
+        throw new Error("Database adapter does not support tenant operations");
+      }
+      return db.findTenantBySlug(slug);
+    },
+    async list(filter) {
+      if (!db.listTenants) {
+        throw new Error("Database adapter does not support tenant operations");
+      }
+      return db.listTenants(filter);
+    },
+    async create(data) {
+      if (!db.createTenant || !db.findTenantBySlug) {
+        throw new Error("Database adapter does not support tenant operations");
+      }
+      if (!validateSlug(data.slug)) {
+        throw new ValidationError(
+          "Invalid slug format. Must be 3-50 lowercase alphanumeric characters with hyphens.",
+          { slug: data.slug }
+        );
+      }
+      const existing = await db.findTenantBySlug(data.slug);
+      if (existing) {
+        throw new ValidationError(`Tenant with slug '${data.slug}' already exists`, {
+          slug: data.slug
+        });
+      }
+      return db.createTenant({
+        ...data,
+        slug: data.slug.toLowerCase()
+      });
+    },
+    async update(id, data) {
+      if (!db.updateTenant || !db.findTenant || !db.findTenantBySlug) {
+        throw new Error("Database adapter does not support tenant operations");
+      }
+      const tenant = await db.findTenant(id);
+      if (!tenant) {
+        throw new TenantNotFoundError(id);
+      }
+      if (data.slug) {
+        if (!validateSlug(data.slug)) {
+          throw new ValidationError(
+            "Invalid slug format. Must be 3-50 lowercase alphanumeric characters with hyphens.",
+            { slug: data.slug }
+          );
+        }
+        const existing = await db.findTenantBySlug(data.slug);
+        if (existing && existing.id !== id) {
+          throw new ValidationError(`Tenant with slug '${data.slug}' already exists`, {
+            slug: data.slug
+          });
+        }
+        data.slug = data.slug.toLowerCase();
+      }
+      return db.updateTenant(id, data);
+    },
+    async delete(id, cascade = false) {
+      if (!db.deleteTenant || !db.findTenant) {
+        throw new Error("Database adapter does not support tenant operations");
+      }
+      const tenant = await db.findTenant(id);
+      if (!tenant) {
+        throw new TenantNotFoundError(id);
+      }
+      await db.deleteTenant(id);
+    },
+    async getStats(tenantId) {
+      if (!db.getTenantStats || !db.findTenant) {
+        throw new Error("Database adapter does not support tenant operations");
+      }
+      const tenant = await db.findTenant(tenantId);
+      if (!tenant) {
+        throw new TenantNotFoundError(tenantId);
+      }
+      return db.getTenantStats(tenantId);
+    },
+    async activate(id) {
+      if (!db.updateTenant || !db.findTenant) {
+        throw new Error("Database adapter does not support tenant operations");
+      }
+      const tenant = await db.findTenant(id);
+      if (!tenant) {
+        throw new TenantNotFoundError(id);
+      }
+      if (tenant.status === "active") {
+        return tenant;
+      }
+      return db.updateTenant(id, { status: "active" });
+    },
+    async deactivate(id) {
+      if (!db.updateTenant || !db.findTenant) {
+        throw new Error("Database adapter does not support tenant operations");
+      }
+      const tenant = await db.findTenant(id);
+      if (!tenant) {
+        throw new TenantNotFoundError(id);
+      }
+      if (tenant.status === "suspended") {
+        return tenant;
+      }
+      return db.updateTenant(id, { status: "suspended" });
+    }
+  };
+}
+// src/authorization.ts
+function actionMatches(required, granted) {
+  if (granted === "*") return true;
+  if (granted === "manage") {
+    return ["create", "read", "update", "delete", "manage"].includes(required);
+  }
+  return required === granted;
+}
+function resourceMatches(required, granted) {
+  if (granted === "*") return true;
+  return required === granted;
+}
+function permissionMatches(required, granted) {
+  return actionMatches(required.action, granted.action) && resourceMatches(required.resource, granted.resource);
+}
+function hasPermission(permissions, action, resource) {
+  return permissions.some((p) => permissionMatches({ action, resource }, p));
+}
+function isAdminPermission(permissions) {
+  return permissions.some(
+    (p) => p.action === "*" && p.resource === "*"
+  );
+}
+function validateEmail(email) {
+  const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+  return emailRegex.test(email);
+}
+function createAuthorizationManager(db) {
+  async function getAllUserPermissions(userId) {
+    if (!db.getUserRoles) {
+      throw new Error("Database adapter does not support RBAC operations");
+    }
+    const roles = await db.getUserRoles(userId);
+    const permissions = [];
+    for (const role of roles) {
+      permissions.push(...role.permissions);
+    }
+    return permissions;
+  }
+  return {
+    // ========================================
+    // Role Management
+    // ========================================
+    async createRole(data) {
+      if (!db.createRole) {
+        throw new Error("Database adapter does not support RBAC operations");
+      }
+      if (!data.permissions || !Array.isArray(data.permissions)) {
+        throw new ValidationError("Permissions must be an array");
+      }
+      for (const permission of data.permissions) {
+        if (!permission.action || !permission.resource) {
+          throw new ValidationError("Each permission must have action and resource");
+        }
+      }
+      return db.createRole(data);
+    },
+    async getRole(id) {
+      if (!db.findRole) {
+        throw new Error("Database adapter does not support RBAC operations");
+      }
+      return db.findRole(id);
+    },
+    async listRoles(tenantId) {
+      if (!db.listRoles) {
+        throw new Error("Database adapter does not support RBAC operations");
+      }
+      return db.listRoles(tenantId);
+    },
+    async updateRole(id, data) {
+      if (!db.updateRole || !db.findRole) {
+        throw new Error("Database adapter does not support RBAC operations");
+      }
+      const role = await db.findRole(id);
+      if (!role) {
+        throw new RoleNotFoundError(id);
+      }
+      if (role.isSystem) {
+        throw new AuthorizationError("Cannot modify system roles");
+      }
+      if (data.permissions) {
+        if (!Array.isArray(data.permissions)) {
+          throw new ValidationError("Permissions must be an array");
+        }
+        for (const permission of data.permissions) {
+          if (!permission.action || !permission.resource) {
+            throw new ValidationError("Each permission must have action and resource");
+          }
+        }
+      }
+      return db.updateRole(id, data);
+    },
+    async deleteRole(id) {
+      if (!db.deleteRole || !db.findRole) {
+        throw new Error("Database adapter does not support RBAC operations");
+      }
+      const role = await db.findRole(id);
+      if (!role) {
+        throw new RoleNotFoundError(id);
+      }
+      if (role.isSystem) {
+        throw new AuthorizationError("Cannot delete system roles");
+      }
+      await db.deleteRole(id);
+    },
+    // ========================================
+    // User Management
+    // ========================================
+    async createUser(data) {
+      if (!db.createUser || !db.findUserByEmail) {
+        throw new Error("Database adapter does not support RBAC operations");
+      }
+      if (!validateEmail(data.email)) {
+        throw new ValidationError("Invalid email format", { email: data.email });
+      }
+      const existing = await db.findUserByEmail(data.email, data.tenantId);
+      if (existing) {
+        throw new ValidationError(`User with email '${data.email}' already exists`, {
+          email: data.email
+        });
+      }
+      return db.createUser({
+        ...data,
+        email: data.email.toLowerCase()
+      });
+    },
+    async getUser(id) {
+      if (!db.findUser || !db.getUserRoles) {
+        throw new Error("Database adapter does not support RBAC operations");
+      }
+      const user = await db.findUser(id);
+      if (!user) return null;
+      const roles = await db.getUserRoles(id);
+      return { ...user, roles };
+    },
+    async getUserByEmail(email, tenantId) {
+      if (!db.findUserByEmail || !db.getUserRoles) {
+        throw new Error("Database adapter does not support RBAC operations");
+      }
+      const user = await db.findUserByEmail(email.toLowerCase(), tenantId);
+      if (!user) return null;
+      const roles = await db.getUserRoles(user.id);
+      return { ...user, roles };
+    },
+    async listUsers(filter) {
+      if (!db.listUsers) {
+        throw new Error("Database adapter does not support RBAC operations");
+      }
+      return db.listUsers(filter);
+    },
+    async updateUser(id, data) {
+      if (!db.updateUser || !db.findUser) {
+        throw new Error("Database adapter does not support RBAC operations");
+      }
+      const user = await db.findUser(id);
+      if (!user) {
+        throw new UserNotFoundError(id);
+      }
+      if (data.email) {
+        if (!validateEmail(data.email)) {
+          throw new ValidationError("Invalid email format", { email: data.email });
+        }
+        data.email = data.email.toLowerCase();
+      }
+      return db.updateUser(id, data);
+    },
+    async deleteUser(id) {
+      if (!db.deleteUser || !db.findUser) {
+        throw new Error("Database adapter does not support RBAC operations");
+      }
+      const user = await db.findUser(id);
+      if (!user) {
+        throw new UserNotFoundError(id);
+      }
+      await db.deleteUser(id);
+    },
+    // ========================================
+    // Role Assignment
+    // ========================================
+    async assignRole(userId, roleId) {
+      if (!db.assignRoleToUser || !db.findUser || !db.findRole) {
+        throw new Error("Database adapter does not support RBAC operations");
+      }
+      const user = await db.findUser(userId);
+      if (!user) {
+        throw new UserNotFoundError(userId);
+      }
+      const role = await db.findRole(roleId);
+      if (!role) {
+        throw new RoleNotFoundError(roleId);
+      }
+      if (role.tenantId && user.tenantId && role.tenantId !== user.tenantId) {
+        throw new AuthorizationError("Role belongs to a different tenant");
+      }
+      await db.assignRoleToUser(userId, roleId);
+    },
+    async removeRole(userId, roleId) {
+      if (!db.removeRoleFromUser || !db.findUser) {
+        throw new Error("Database adapter does not support RBAC operations");
+      }
+      const user = await db.findUser(userId);
+      if (!user) {
+        throw new UserNotFoundError(userId);
+      }
+      await db.removeRoleFromUser(userId, roleId);
+    },
+    async getUserRoles(userId) {
+      if (!db.getUserRoles || !db.findUser) {
+        throw new Error("Database adapter does not support RBAC operations");
+      }
+      const user = await db.findUser(userId);
+      if (!user) {
+        throw new UserNotFoundError(userId);
+      }
+      return db.getUserRoles(userId);
+    },
+    // ========================================
+    // Permission Checking
+    // ========================================
+    async can(userId, action, resource, _resourceId) {
+      if (!db.findUser) {
+        throw new Error("Database adapter does not support RBAC operations");
+      }
+      const user = await db.findUser(userId);
+      if (!user) return false;
+      if (user.status !== "active") return false;
+      const permissions = await getAllUserPermissions(userId);
+      return hasPermission(permissions, action, resource);
+    },
+    async requirePermission(userId, action, resource, resourceId) {
+      const allowed = await this.can(userId, action, resource, resourceId);
+      if (!allowed) {
+        throw new AuthorizationError(
+          `Permission denied: ${action} on ${resource}${resourceId ? ` (${resourceId})` : ""}`
+        );
+      }
+    },
+    async canAny(userId, permissions) {
+      if (!db.findUser) {
+        throw new Error("Database adapter does not support RBAC operations");
+      }
+      const user = await db.findUser(userId);
+      if (!user) return false;
+      if (user.status !== "active") return false;
+      const userPermissions = await getAllUserPermissions(userId);
+      return permissions.some(
+        (required) => hasPermission(userPermissions, required.action, required.resource)
+      );
+    },
+    async isAdmin(userId) {
+      if (!db.findUser) {
+        throw new Error("Database adapter does not support RBAC operations");
+      }
+      const user = await db.findUser(userId);
+      if (!user || user.status !== "active") return false;
+      const permissions = await getAllUserPermissions(userId);
+      return isAdminPermission(permissions);
+    }
+  };
+}
+// src/audit.ts
+var DEFAULT_RETENTION_DAYS = 90;
+function auditLogToCsvRow(log) {
+  const fields = [
+    log.id,
+    log.tenantId || "",
+    log.userId || "",
+    log.action,
+    log.resource,
+    log.resourceId || "",
+    log.status,
+    log.ipAddress || "",
+    log.userAgent || "",
+    log.error || "",
+    log.createdAt.toISOString(),
+    JSON.stringify(log.details || {})
+  ];
+  return fields.map((f) => `"${String(f).replace(/"/g, '""')}"`).join(",");
+}
+var CSV_HEADER = "id,tenant_id,user_id,action,resource,resource_id,status,ip_address,user_agent,error,created_at,details";
+function createAuditManager(db, config) {
+  const retentionDays = config?.retentionDays ?? DEFAULT_RETENTION_DAYS;
+  function shouldLog(action, resource) {
+    if (!config?.enabled) return false;
+    if (config.skipReadOperations && action === "read") {
+      return false;
+    }
+    if (config.logActions && config.logActions.length > 0) {
+      if (!config.logActions.includes(action)) {
+        return false;
+      }
+    }
+    if (config.logResources && config.logResources.length > 0) {
+      if (!config.logResources.includes(resource)) {
+        return false;
+      }
+    }
+    return true;
+  }
+  return {
+    async log(entry) {
+      if (!db.createAuditLog) {
+        throw new Error("Database adapter does not support audit operations");
+      }
+      if (config && !shouldLog(entry.action, entry.resource)) {
+        return {
+          id: "skipped",
+          ...entry,
+          createdAt: /* @__PURE__ */ new Date()
+        };
+      }
+      return db.createAuditLog(entry);
+    },
+    async list(filter) {
+      if (!db.listAuditLogs) {
+        throw new Error("Database adapter does not support audit operations");
+      }
+      return db.listAuditLogs(filter);
+    },
+    async getByResource(resource, resourceId) {
+      if (!db.listAuditLogs) {
+        throw new Error("Database adapter does not support audit operations");
+      }
+      const result = await db.listAuditLogs({
+        resource,
+        resourceId,
+        limit: 1e3
+        // Reasonable limit for resource-specific queries
+      });
+      return result.logs;
+    },
+    async getByUser(userId, filter) {
+      if (!db.listAuditLogs) {
+        throw new Error("Database adapter does not support audit operations");
+      }
+      return db.listAuditLogs({
+        ...filter,
+        userId
+      });
+    },
+    async export(filter, format) {
+      if (!db.listAuditLogs) {
+        throw new Error("Database adapter does not support audit operations");
+      }
+      const allLogs = [];
+      let offset = 0;
+      const batchSize = 1e3;
+      while (true) {
+        const result = await db.listAuditLogs({
+          ...filter,
+          limit: batchSize,
+          offset
+        });
+        allLogs.push(...result.logs);
+        if (result.logs.length < batchSize || allLogs.length >= 1e5) {
+          break;
+        }
+        offset += batchSize;
+      }
+      if (format === "json") {
+        return JSON.stringify(allLogs, null, 2);
+      }
+      const rows = allLogs.map(auditLogToCsvRow);
+      return [CSV_HEADER, ...rows].join("\n");
+    },
+    async purge(olderThanDays) {
+      if (!db.deleteAuditLogs) {
+        throw new Error("Database adapter does not support audit operations");
+      }
+      const days = olderThanDays ?? retentionDays;
+      const cutoffDate = /* @__PURE__ */ new Date();
+      cutoffDate.setDate(cutoffDate.getDate() - days);
+      return db.deleteAuditLogs({ olderThan: cutoffDate });
+    },
+    async getSummary(tenantId, days = 30) {
+      if (!db.listAuditLogs) {
+        throw new Error("Database adapter does not support audit operations");
+      }
+      const startDate = /* @__PURE__ */ new Date();
+      startDate.setDate(startDate.getDate() - days);
+      const result = await db.listAuditLogs({
+        tenantId,
+        startDate,
+        limit: 1e4
+        // Reasonable limit for summary
+      });
+      const logs = result.logs;
+      const byAction = {};
+      const byResource = {};
+      const byStatus = { success: 0, failure: 0 };
+      const userCounts = {};
+      const recentFailures = [];
+      for (const log of logs) {
+        byAction[log.action] = (byAction[log.action] || 0) + 1;
+        byResource[log.resource] = (byResource[log.resource] || 0) + 1;
+        byStatus[log.status]++;
+        if (log.userId) {
+          userCounts[log.userId] = (userCounts[log.userId] || 0) + 1;
+        }
+        if (log.status === "failure" && recentFailures.length < 10) {
+          recentFailures.push(log);
+        }
+      }
+      const topUsers = Object.entries(userCounts).sort((a, b) => b[1] - a[1]).slice(0, 10).map(([userId, count]) => ({ userId, count }));
+      return {
+        totalLogs: result.total,
+        byAction,
+        byResource,
+        byStatus,
+        topUsers,
+        recentFailures
+      };
+    }
+  };
+}
+// src/schedule.ts
+function parseCronNextRun(cron, from = /* @__PURE__ */ new Date()) {
+  try {
+    const parts = cron.trim().split(/\s+/);
+    if (parts.length !== 5) return null;
+    const [minute, hour, dayOfMonth, month, dayOfWeek] = parts;
+    const now = new Date(from);
+    const next = new Date(now);
+    next.setSeconds(0);
+    next.setMilliseconds(0);
+    next.setMinutes(next.getMinutes() + 1);
+    const maxIterations = 365 * 24 * 60;
+    for (let i = 0; i < maxIterations; i++) {
+      const matches = matchesCronField(minute, next.getMinutes()) && matchesCronField(hour, next.getHours()) && matchesCronField(dayOfMonth, next.getDate()) && matchesCronField(month, next.getMonth() + 1) && matchesCronField(dayOfWeek, next.getDay());
+      if (matches) {
+        return next;
+      }
+      next.setMinutes(next.getMinutes() + 1);
+    }
+    return null;
+  } catch {
+    return null;
+  }
+}
+function matchesCronField(pattern, value) {
+  if (pattern === "*") return true;
+  if (pattern.startsWith("*/")) {
+    const step = parseInt(pattern.slice(2), 10);
+    return value % step === 0;
+  }
+  if (pattern.includes("-")) {
+    const [start, end] = pattern.split("-").map((n) => parseInt(n, 10));
+    return value >= start && value <= end;
+  }
+  if (pattern.includes(",")) {
+    const values = pattern.split(",").map((n) => parseInt(n, 10));
+    return values.includes(value);
+  }
+  return parseInt(pattern, 10) === value;
+}
+function calculateNextWindowRun(window, from = /* @__PURE__ */ new Date()) {
+  if (!window) return null;
+  const [startHour, startMin] = window.startTime.split(":").map(Number);
+  for (let dayOffset = 0; dayOffset <= 7; dayOffset++) {
+    const candidate = new Date(from);
+    candidate.setDate(candidate.getDate() + dayOffset);
+    candidate.setHours(startHour, startMin, 0, 0);
+    if (candidate <= from) continue;
+    if (window.daysOfWeek.includes(candidate.getDay())) {
+      return candidate;
+    }
+  }
+  return null;
+}
+function createScheduleManager(db) {
+  function calculateNextRun(schedule) {
+    const now = /* @__PURE__ */ new Date();
+    switch (schedule.type) {
+      case "once":
+        if (schedule.executeAt && new Date(schedule.executeAt) > now) {
+          return new Date(schedule.executeAt);
+        }
+        return null;
+      case "recurring":
+        if (schedule.cron) {
+          return parseCronNextRun(schedule.cron, now);
+        }
+        return null;
+      case "window":
+        if (schedule.window) {
+          return calculateNextWindowRun(schedule.window, now);
+        }
+        return null;
+      default:
+        return null;
+    }
+  }
+  return {
+    async get(id) {
+      if (!db.findScheduledTask) {
+        throw new Error("Database adapter does not support task scheduling");
+      }
+      return db.findScheduledTask(id);
+    },
+    async list(filter) {
+      if (!db.listScheduledTasks) {
+        throw new Error("Database adapter does not support task scheduling");
+      }
+      return db.listScheduledTasks(filter);
+    },
+    async create(data) {
+      if (!db.createScheduledTask) {
+        throw new Error("Database adapter does not support task scheduling");
+      }
+      const nextRunAt = calculateNextRun(data.schedule);
+      const task = await db.createScheduledTask({
+        ...data
+        // Note: nextRunAt is set by the database adapter based on schedule
+      });
+      if (nextRunAt && db.updateScheduledTask) {
+        return db.updateScheduledTask(task.id, {
+          ...data
+        });
+      }
+      return task;
+    },
+    async update(id, data) {
+      if (!db.updateScheduledTask || !db.findScheduledTask) {
+        throw new Error("Database adapter does not support task scheduling");
+      }
+      const existing = await db.findScheduledTask(id);
+      if (!existing) {
+        throw new Error(`Scheduled task not found: ${id}`);
+      }
+      return db.updateScheduledTask(id, data);
+    },
+    async delete(id) {
+      if (!db.deleteScheduledTask) {
+        throw new Error("Database adapter does not support task scheduling");
+      }
+      await db.deleteScheduledTask(id);
+    },
+    async pause(id) {
+      if (!db.updateScheduledTask || !db.findScheduledTask) {
+        throw new Error("Database adapter does not support task scheduling");
+      }
+      const task = await db.findScheduledTask(id);
+      if (!task) {
+        throw new Error(`Scheduled task not found: ${id}`);
+      }
+      if (task.status === "paused") {
+        return task;
+      }
+      return db.updateScheduledTask(id, { status: "paused" });
+    },
+    async resume(id) {
+      if (!db.updateScheduledTask || !db.findScheduledTask) {
+        throw new Error("Database adapter does not support task scheduling");
+      }
+      const task = await db.findScheduledTask(id);
+      if (!task) {
+        throw new Error(`Scheduled task not found: ${id}`);
+      }
+      if (task.status !== "paused") {
+        return task;
+      }
+      calculateNextRun(task.schedule);
+      return db.updateScheduledTask(id, { status: "active" });
+    },
+    async runNow(id) {
+      if (!db.findScheduledTask || !db.createTaskExecution || !db.updateScheduledTask) {
+        throw new Error("Database adapter does not support task scheduling");
+      }
+      const task = await db.findScheduledTask(id);
+      if (!task) {
+        throw new Error(`Scheduled task not found: ${id}`);
+      }
+      const execution = await db.createTaskExecution({ taskId: id });
+      await db.updateScheduledTask(id, {});
+      return execution;
+    },
+    async getUpcoming(hours) {
+      if (!db.getUpcomingTasks) {
+        throw new Error("Database adapter does not support task scheduling");
+      }
+      return db.getUpcomingTasks(hours);
+    },
+    async getExecutions(taskId, limit = 10) {
+      if (!db.listTaskExecutions) {
+        throw new Error("Database adapter does not support task scheduling");
+      }
+      return db.listTaskExecutions(taskId, limit);
+    },
+    calculateNextRun
+  };
+}
+// src/queue.ts
+var DEFAULT_MAX_ATTEMPTS = 3;
+var DEFAULT_TTL_SECONDS = 86400;
+function createMessageQueueManager(db) {
+  return {
+    async enqueue(message) {
+      if (!db.enqueueMessage) {
+        throw new Error("Database adapter does not support message queue");
+      }
+      const enrichedMessage = {
+        ...message,
+        priority: message.priority ?? "normal",
+        maxAttempts: message.maxAttempts ?? DEFAULT_MAX_ATTEMPTS,
+        ttlSeconds: message.ttlSeconds ?? DEFAULT_TTL_SECONDS
+      };
+      return db.enqueueMessage(enrichedMessage);
+    },
+    async enqueueBatch(messages) {
+      if (!db.enqueueMessage) {
+        throw new Error("Database adapter does not support message queue");
+      }
+      const results = [];
+      for (const message of messages) {
+        const enrichedMessage = {
+          ...message,
+          priority: message.priority ?? "normal",
+          maxAttempts: message.maxAttempts ?? DEFAULT_MAX_ATTEMPTS,
+          ttlSeconds: message.ttlSeconds ?? DEFAULT_TTL_SECONDS
+        };
+        const queued = await db.enqueueMessage(enrichedMessage);
+        results.push(queued);
+      }
+      return results;
+    },
+    async dequeue(deviceId, limit = 10) {
+      if (!db.dequeueMessages) {
+        throw new Error("Database adapter does not support message queue");
+      }
+      return db.dequeueMessages(deviceId, limit);
+    },
+    async acknowledge(messageId) {
+      if (!db.acknowledgeMessage) {
+        throw new Error("Database adapter does not support message queue");
+      }
+      await db.acknowledgeMessage(messageId);
+    },
+    async fail(messageId, error) {
+      if (!db.failMessage) {
+        throw new Error("Database adapter does not support message queue");
+      }
+      await db.failMessage(messageId, error);
+    },
+    async retryFailed(maxAttempts = DEFAULT_MAX_ATTEMPTS) {
+      if (!db.retryFailedMessages) {
+        throw new Error("Database adapter does not support message queue");
+      }
+      return db.retryFailedMessages(maxAttempts);
+    },
+    async purgeExpired() {
+      if (!db.purgeExpiredMessages) {
+        throw new Error("Database adapter does not support message queue");
+      }
+      return db.purgeExpiredMessages();
+    },
+    async getStats(tenantId) {
+      if (!db.getQueueStats) {
+        throw new Error("Database adapter does not support message queue");
+      }
+      return db.getQueueStats(tenantId);
+    },
+    async peek(deviceId, limit = 10) {
+      if (!db.peekMessages) {
+        throw new Error("Database adapter does not support message queue");
+      }
+      return db.peekMessages(deviceId, limit);
+    }
+  };
+}
+// src/dashboard.ts
+function createDashboardManager(db) {
+  return {
+    async getStats(_tenantId) {
+      if (db.getDashboardStats) {
+        return db.getDashboardStats(_tenantId);
+      }
+      const devices = await db.listDevices({
+        limit: 1e4
+        // Get all for counting
+      });
+      const deviceStats = {
+        total: devices.total,
+        enrolled: devices.devices.filter((d) => d.status === "enrolled").length,
+        active: devices.devices.filter((d) => d.status === "enrolled").length,
+        // 'active' = 'enrolled' for dashboard
+        blocked: devices.devices.filter((d) => d.status === "blocked").length,
+        pending: devices.devices.filter((d) => d.status === "pending").length
+      };
+      const allPolicies = await db.listPolicies();
+      const policyStats = {
+        total: allPolicies.length,
+        deployed: allPolicies.filter((p) => p.isDefault).length
+      };
+      const allApps = await db.listApplications();
+      const appStats = {
+        total: allApps.length,
+        deployed: allApps.length
+        // All apps in db are considered deployed
+      };
+      const now = /* @__PURE__ */ new Date();
+      const yesterday = new Date(now.getTime() - 24 * 60 * 60 * 1e3);
+      const allCommands = await db.listCommands({ limit: 1e4 });
+      const pendingCommands = allCommands.filter((c) => c.status === "pending");
+      const last24hCommands = allCommands.filter(
+        (c) => new Date(c.createdAt) >= yesterday
+      );
+      const commandStats = {
+        pendingCount: pendingCommands.length,
+        last24hTotal: last24hCommands.length,
+        last24hSuccess: last24hCommands.filter((c) => c.status === "completed").length,
+        last24hFailed: last24hCommands.filter((c) => c.status === "failed").length
+      };
+      const allGroups = await db.listGroups();
+      let groupsWithDevices = 0;
+      for (const group of allGroups) {
+        const groupDevices = await db.listDevicesInGroup(group.id);
+        if (groupDevices.length > 0) groupsWithDevices++;
+      }
+      return {
+        devices: deviceStats,
+        policies: policyStats,
+        applications: appStats,
+        commands: commandStats,
+        groups: {
+          total: allGroups.length,
+          withDevices: groupsWithDevices
+        }
+      };
+    },
+    async getDeviceStatusBreakdown(_tenantId) {
+      if (db.getDeviceStatusBreakdown) {
+        return db.getDeviceStatusBreakdown(_tenantId);
+      }
+      const devices = await db.listDevices({
+        limit: 1e4
+      });
+      const byStatus = {
+        pending: 0,
+        enrolled: 0,
+        blocked: 0,
+        unenrolled: 0
+      };
+      const byOs = {};
+      const byManufacturer = {};
+      const byModel = {};
+      for (const device of devices.devices) {
+        byStatus[device.status]++;
+        const osKey = device.osVersion || "Unknown";
+        byOs[osKey] = (byOs[osKey] || 0) + 1;
+        const mfr = device.manufacturer || "Unknown";
+        byManufacturer[mfr] = (byManufacturer[mfr] || 0) + 1;
+        const model = device.model || "Unknown";
+        byModel[model] = (byModel[model] || 0) + 1;
+      }
+      return {
+        byStatus,
+        byOs,
+        byManufacturer,
+        byModel
+      };
+    },
+    async getEnrollmentTrend(days, _tenantId) {
+      if (db.getEnrollmentTrend) {
+        return db.getEnrollmentTrend(days, _tenantId);
+      }
+      const now = /* @__PURE__ */ new Date();
+      const startDate = new Date(now.getTime() - days * 24 * 60 * 60 * 1e3);
+      const events = await db.listEvents({
+        type: "device.enrolled",
+        startDate,
+        limit: 1e4
+      });
+      const unenrollEvents = await db.listEvents({
+        type: "device.unenrolled",
+        startDate,
+        limit: 1e4
+      });
+      const trendByDate = /* @__PURE__ */ new Map();
+      for (let i = 0; i < days; i++) {
+        const date = new Date(startDate.getTime() + i * 24 * 60 * 60 * 1e3);
+        const dateKey = date.toISOString().split("T")[0];
+        trendByDate.set(dateKey, { enrolled: 0, unenrolled: 0 });
+      }
+      for (const event of events) {
+        const dateKey = new Date(event.createdAt).toISOString().split("T")[0];
+        const entry = trendByDate.get(dateKey);
+        if (entry) {
+          entry.enrolled++;
+        }
+      }
+      for (const event of unenrollEvents) {
+        const dateKey = new Date(event.createdAt).toISOString().split("T")[0];
+        const entry = trendByDate.get(dateKey);
+        if (entry) {
+          entry.unenrolled++;
+        }
+      }
+      const initialDevices = await db.listDevices({
+        limit: 1e4
+      });
+      let runningTotal = initialDevices.total;
+      const result = [];
+      const sortedDates = Array.from(trendByDate.keys()).sort();
+      for (const dateKey of sortedDates) {
+        const entry = trendByDate.get(dateKey);
+        const netChange = entry.enrolled - entry.unenrolled;
+        runningTotal += netChange;
+        result.push({
+          date: new Date(dateKey),
+          enrolled: entry.enrolled,
+          unenrolled: entry.unenrolled,
+          netChange,
+          totalDevices: runningTotal
+        });
+      }
+      return result;
+    },
+    async getCommandSuccessRates(_tenantId) {
+      if (db.getCommandSuccessRates) {
+        return db.getCommandSuccessRates(_tenantId);
+      }
+      const now = /* @__PURE__ */ new Date();
+      const yesterday = new Date(now.getTime() - 24 * 60 * 60 * 1e3);
+      const commands = await db.listCommands({ limit: 1e4 });
+      const completed = commands.filter((c) => c.status === "completed").length;
+      const failed = commands.filter((c) => c.status === "failed").length;
+      const total = commands.length;
+      const byType = {};
+      for (const cmd of commands) {
+        if (!byType[cmd.type]) {
+          byType[cmd.type] = {
+            total: 0,
+            completed: 0,
+            failed: 0,
+            successRate: 0
+          };
+        }
+        byType[cmd.type].total++;
+        if (cmd.status === "completed") byType[cmd.type].completed++;
+        if (cmd.status === "failed") byType[cmd.type].failed++;
+      }
+      for (const type of Object.keys(byType)) {
+        const stats = byType[type];
+        const finishedCount = stats.completed + stats.failed;
+        stats.successRate = finishedCount > 0 ? stats.completed / finishedCount * 100 : 0;
+      }
+      const last24hCommands = commands.filter(
+        (c) => new Date(c.createdAt) >= yesterday
+      );
+      return {
+        overall: {
+          total,
+          completed,
+          failed,
+          successRate: completed + failed > 0 ? completed / (completed + failed) * 100 : 0
+        },
+        byType,
+        last24h: {
+          total: last24hCommands.length,
+          completed: last24hCommands.filter((c) => c.status === "completed").length,
+          failed: last24hCommands.filter((c) => c.status === "failed").length,
+          pending: last24hCommands.filter((c) => c.status === "pending").length
+        }
+      };
     },
-    addEndpoint(endpoint) {
-      endpoints.set(endpoint.id, endpoint);
+    async getAppInstallationSummary(_tenantId) {
+      if (db.getAppInstallationSummary) {
+        return db.getAppInstallationSummary(_tenantId);
+      }
+      const apps = await db.listApplications();
+      const appMap = new Map(apps.map((a) => [a.packageName, a]));
+      const byStatus = {
+        installed: 0,
+        installing: 0,
+        failed: 0,
+        pending: 0
+      };
+      const installCounts = {};
+      const devices = await db.listDevices({
+        limit: 1e4
+      });
+      for (const device of devices.devices) {
+        if (device.installedApps) {
+          for (const app of device.installedApps) {
+            const key = app.packageName;
+            installCounts[key] = (installCounts[key] || 0) + 1;
+            byStatus["installed"]++;
+          }
+        }
+      }
+      const topInstalled = Object.entries(installCounts).sort(([, a], [, b]) => b - a).slice(0, 10).map(([packageName, count]) => ({
+        packageName,
+        name: appMap.get(packageName)?.name || packageName,
+        installedCount: count
+      }));
+      return {
+        total: Object.values(byStatus).reduce((a, b) => a + b, 0),
+        byStatus,
+        recentFailures: [],
+        // Would need installation status tracking
+        topInstalled
+      };
+    }
+  };
+}
+// src/plugin-storage.ts
+function createPluginStorageAdapter(db) {
+  return {
+    async get(pluginName, key) {
+      if (db.getPluginValue) {
+        const value = await db.getPluginValue(pluginName, key);
+        return value;
+      }
+      console.warn("Plugin storage not supported by database adapter");
+      return null;
     },
-    removeEndpoint(endpointId) {
-      endpoints.delete(endpointId);
+    async set(pluginName, key, value) {
+      if (db.setPluginValue) {
+        await db.setPluginValue(pluginName, key, value);
+        return;
+      }
+      console.warn("Plugin storage not supported by database adapter");
     },
-    updateEndpoint(endpointId, updates) {
-      const existing = endpoints.get(endpointId);
-      if (existing) {
-        endpoints.set(endpointId, { ...existing, ...updates });
+    async delete(pluginName, key) {
+      if (db.deletePluginValue) {
+        await db.deletePluginValue(pluginName, key);
+        return;
       }
+      console.warn("Plugin storage not supported by database adapter");
     },
-    getEndpoints() {
-      return Array.from(endpoints.values());
+    async list(pluginName, prefix) {
+      if (db.listPluginKeys) {
+        return db.listPluginKeys(pluginName, prefix);
+      }
+      console.warn("Plugin storage not supported by database adapter");
+      return [];
     },
-    async testEndpoint(endpointId) {
-      const endpoint = endpoints.get(endpointId);
-      if (!endpoint) {
-        return {
-          endpointId,
-          success: false,
-          error: "Endpoint not found",
-          retryCount: 0
-        };
+    async clear(pluginName) {
+      if (db.clearPluginData) {
+        await db.clearPluginData(pluginName);
+        return;
       }
-      const testPayload = {
-        id: randomUUID(),
-        event: "device.heartbeat",
-        timestamp: (/* @__PURE__ */ new Date()).toISOString(),
-        data: {
-          test: true,
-          message: "OpenMDM webhook test"
-        }
-      };
-      return deliverToEndpoint(endpoint, testPayload);
+      console.warn("Plugin storage not supported by database adapter");
     }
   };
 }
-function verifyWebhookSignature(payload, signature, secret) {
-  const expectedSignature = `sha256=${createHmac("sha256", secret).update(payload).digest("hex")}`;
-  if (signature.length !== expectedSignature.length) {
-    return false;
-  }
-  let result = 0;
-  for (let i = 0; i < signature.length; i++) {
-    result |= signature.charCodeAt(i) ^ expectedSignature.charCodeAt(i);
+function createMemoryPluginStorageAdapter() {
+  const store = /* @__PURE__ */ new Map();
+  function getPluginStore(pluginName) {
+    if (!store.has(pluginName)) {
+      store.set(pluginName, /* @__PURE__ */ new Map());
+    }
+    return store.get(pluginName);
   }
-  return result === 0;
+  return {
+    async get(pluginName, key) {
+      const pluginStore = getPluginStore(pluginName);
+      const value = pluginStore.get(key);
+      return value === void 0 ? null : value;
+    },
+    async set(pluginName, key, value) {
+      const pluginStore = getPluginStore(pluginName);
+      pluginStore.set(key, value);
+    },
+    async delete(pluginName, key) {
+      const pluginStore = getPluginStore(pluginName);
+      pluginStore.delete(key);
+    },
+    async list(pluginName, prefix) {
+      const pluginStore = getPluginStore(pluginName);
+      const keys = Array.from(pluginStore.keys());
+      if (prefix) {
+        return keys.filter((k) => k.startsWith(prefix));
+      }
+      return keys;
+    },
+    async clear(pluginName) {
+      store.delete(pluginName);
+    }
+  };
+}
+function createPluginKey(namespace, ...parts) {
+  return [namespace, ...parts].join(":");
+}
+function parsePluginKey(key) {
+  const [namespace, ...parts] = key.split(":");
+  return { namespace, parts };
 }
 // src/schema.ts
@@ -586,6 +1720,265 @@ var mdmSchema = {
         { columns: ["status"] },
         { columns: ["created_at"] }
       ]
+    },
+    // ----------------------------------------
+    // Tenants Table (Multi-tenancy)
+    // ----------------------------------------
+    mdm_tenants: {
+      columns: {
+        id: { type: "string", primaryKey: true },
+        name: { type: "string" },
+        slug: { type: "string", unique: true },
+        status: {
+          type: "enum",
+          enumValues: ["active", "suspended", "pending"],
+          default: "pending"
+        },
+        settings: { type: "json", nullable: true },
+        metadata: { type: "json", nullable: true },
+        created_at: { type: "datetime", default: "now" },
+        updated_at: { type: "datetime", default: "now" }
+      },
+      indexes: [
+        { columns: ["slug"], unique: true },
+        { columns: ["status"] }
+      ]
+    },
+    // ----------------------------------------
+    // Roles Table (RBAC)
+    // ----------------------------------------
+    mdm_roles: {
+      columns: {
+        id: { type: "string", primaryKey: true },
+        tenant_id: {
+          type: "string",
+          nullable: true,
+          references: { table: "mdm_tenants", column: "id", onDelete: "cascade" }
+        },
+        name: { type: "string" },
+        description: { type: "text", nullable: true },
+        permissions: { type: "json" },
+        is_system: { type: "boolean", default: false },
+        created_at: { type: "datetime", default: "now" },
+        updated_at: { type: "datetime", default: "now" }
+      },
+      indexes: [
+        { columns: ["tenant_id"] },
+        { columns: ["name"] },
+        { columns: ["tenant_id", "name"], unique: true }
+      ]
+    },
+    // ----------------------------------------
+    // Users Table (RBAC)
+    // ----------------------------------------
+    mdm_users: {
+      columns: {
+        id: { type: "string", primaryKey: true },
+        tenant_id: {
+          type: "string",
+          nullable: true,
+          references: { table: "mdm_tenants", column: "id", onDelete: "cascade" }
+        },
+        email: { type: "string" },
+        name: { type: "string", nullable: true },
+        status: {
+          type: "enum",
+          enumValues: ["active", "inactive", "pending"],
+          default: "pending"
+        },
+        metadata: { type: "json", nullable: true },
+        last_login_at: { type: "datetime", nullable: true },
+        created_at: { type: "datetime", default: "now" },
+        updated_at: { type: "datetime", default: "now" }
+      },
+      indexes: [
+        { columns: ["tenant_id"] },
+        { columns: ["email"] },
+        { columns: ["tenant_id", "email"], unique: true },
+        { columns: ["status"] }
+      ]
+    },
+    // ----------------------------------------
+    // User Roles (Many-to-Many)
+    // ----------------------------------------
+    mdm_user_roles: {
+      columns: {
+        user_id: {
+          type: "string",
+          references: { table: "mdm_users", column: "id", onDelete: "cascade" }
+        },
+        role_id: {
+          type: "string",
+          references: { table: "mdm_roles", column: "id", onDelete: "cascade" }
+        },
+        created_at: { type: "datetime", default: "now" }
+      },
+      indexes: [
+        { columns: ["user_id", "role_id"], unique: true },
+        { columns: ["user_id"] },
+        { columns: ["role_id"] }
+      ]
+    },
+    // ----------------------------------------
+    // Audit Logs Table
+    // ----------------------------------------
+    mdm_audit_logs: {
+      columns: {
+        id: { type: "string", primaryKey: true },
+        tenant_id: {
+          type: "string",
+          nullable: true,
+          references: { table: "mdm_tenants", column: "id", onDelete: "cascade" }
+        },
+        user_id: {
+          type: "string",
+          nullable: true,
+          references: { table: "mdm_users", column: "id", onDelete: "set null" }
+        },
+        action: { type: "string" },
+        resource: { type: "string" },
+        resource_id: { type: "string", nullable: true },
+        details: { type: "json", nullable: true },
+        ip_address: { type: "string", nullable: true },
+        user_agent: { type: "text", nullable: true },
+        created_at: { type: "datetime", default: "now" }
+      },
+      indexes: [
+        { columns: ["tenant_id"] },
+        { columns: ["user_id"] },
+        { columns: ["action"] },
+        { columns: ["resource"] },
+        { columns: ["resource", "resource_id"] },
+        { columns: ["created_at"] }
+      ]
+    },
+    // ----------------------------------------
+    // Scheduled Tasks Table
+    // ----------------------------------------
+    mdm_scheduled_tasks: {
+      columns: {
+        id: { type: "string", primaryKey: true },
+        tenant_id: {
+          type: "string",
+          nullable: true,
+          references: { table: "mdm_tenants", column: "id", onDelete: "cascade" }
+        },
+        name: { type: "string" },
+        description: { type: "text", nullable: true },
+        task_type: {
+          type: "enum",
+          enumValues: ["command", "policy_update", "app_install", "maintenance", "custom"]
+        },
+        schedule: { type: "json" },
+        target: { type: "json", nullable: true },
+        payload: { type: "json", nullable: true },
+        status: {
+          type: "enum",
+          enumValues: ["active", "paused", "completed", "failed"],
+          default: "active"
+        },
+        next_run_at: { type: "datetime", nullable: true },
+        last_run_at: { type: "datetime", nullable: true },
+        max_retries: { type: "integer", default: 3 },
+        retry_count: { type: "integer", default: 0 },
+        created_at: { type: "datetime", default: "now" },
+        updated_at: { type: "datetime", default: "now" }
+      },
+      indexes: [
+        { columns: ["tenant_id"] },
+        { columns: ["task_type"] },
+        { columns: ["status"] },
+        { columns: ["next_run_at"] }
+      ]
+    },
+    // ----------------------------------------
+    // Task Executions Table
+    // ----------------------------------------
+    mdm_task_executions: {
+      columns: {
+        id: { type: "string", primaryKey: true },
+        task_id: {
+          type: "string",
+          references: { table: "mdm_scheduled_tasks", column: "id", onDelete: "cascade" }
+        },
+        status: {
+          type: "enum",
+          enumValues: ["running", "completed", "failed"],
+          default: "running"
+        },
+        started_at: { type: "datetime", default: "now" },
+        completed_at: { type: "datetime", nullable: true },
+        devices_processed: { type: "integer", default: 0 },
+        devices_succeeded: { type: "integer", default: 0 },
+        devices_failed: { type: "integer", default: 0 },
+        error: { type: "text", nullable: true },
+        details: { type: "json", nullable: true }
+      },
+      indexes: [
+        { columns: ["task_id"] },
+        { columns: ["status"] },
+        { columns: ["started_at"] }
+      ]
+    },
+    // ----------------------------------------
+    // Message Queue Table
+    // ----------------------------------------
+    mdm_message_queue: {
+      columns: {
+        id: { type: "string", primaryKey: true },
+        tenant_id: {
+          type: "string",
+          nullable: true,
+          references: { table: "mdm_tenants", column: "id", onDelete: "cascade" }
+        },
+        device_id: {
+          type: "string",
+          references: { table: "mdm_devices", column: "id", onDelete: "cascade" }
+        },
+        message_type: { type: "string" },
+        payload: { type: "json" },
+        priority: {
+          type: "enum",
+          enumValues: ["high", "normal", "low"],
+          default: "normal"
+        },
+        status: {
+          type: "enum",
+          enumValues: ["pending", "processing", "delivered", "failed", "expired"],
+          default: "pending"
+        },
+        attempts: { type: "integer", default: 0 },
+        max_attempts: { type: "integer", default: 3 },
+        last_attempt_at: { type: "datetime", nullable: true },
+        last_error: { type: "text", nullable: true },
+        expires_at: { type: "datetime", nullable: true },
+        created_at: { type: "datetime", default: "now" },
+        updated_at: { type: "datetime", default: "now" }
+      },
+      indexes: [
+        { columns: ["tenant_id"] },
+        { columns: ["device_id"] },
+        { columns: ["status"] },
+        { columns: ["priority"] },
+        { columns: ["expires_at"] },
+        { columns: ["device_id", "status", "priority"] }
+      ]
+    },
+    // ----------------------------------------
+    // Plugin Storage Table
+    // ----------------------------------------
+    mdm_plugin_storage: {
+      columns: {
+        plugin_name: { type: "string" },
+        key: { type: "string" },
+        value: { type: "json" },
+        created_at: { type: "datetime", default: "now" },
+        updated_at: { type: "datetime", default: "now" }
+      },
+      indexes: [
+        { columns: ["plugin_name", "key"], unique: true },
+        { columns: ["plugin_name"] }
+      ]
     }
   }
 };
@@ -632,6 +2025,13 @@ function createMDM(config) {
   const eventHandlers = /* @__PURE__ */ new Map();
   const pushAdapter = push ? createPushAdapter(push, database) : createStubPushAdapter();
   const webhookManager = webhooksConfig ? createWebhookManager(webhooksConfig) : void 0;
+  const tenantManager = config.multiTenancy?.enabled ? createTenantManager(database) : void 0;
+  const authorizationManager = config.authorization?.enabled ? createAuthorizationManager(database) : void 0;
+  const auditManager = config.audit?.enabled ? createAuditManager(database) : void 0;
+  const scheduleManager = config.scheduling?.enabled ? createScheduleManager(database) : void 0;
+  const messageQueueManager = database.enqueueMessage ? createMessageQueueManager(database) : void 0;
+  const dashboardManager = createDashboardManager(database);
+  const pluginStorageAdapter = config.pluginStorage?.adapter === "database" ? createPluginStorageAdapter(database) : config.pluginStorage?.adapter === "memory" ? createMemoryPluginStorageAdapter() : void 0;
   const on = (event, handler) => {
     if (!eventHandlers.has(event)) {
       eventHandlers.set(event, /* @__PURE__ */ new Set());
@@ -1034,6 +2434,110 @@ function createMDM(config) {
     async getChildren(groupId) {
       const allGroups = await database.listGroups();
       return allGroups.filter((g) => g.parentId === groupId);
+    },
+    async getTree(rootId) {
+      if (database.getGroupTree) {
+        return database.getGroupTree(rootId);
+      }
+      const allGroups = await database.listGroups();
+      new Map(allGroups.map((g) => [g.id, g]));
+      const buildNode = (group, depth, path) => {
+        const children = allGroups.filter((g) => g.parentId === group.id).map((child) => buildNode(child, depth + 1, [...path, group.id]));
+        return {
+          ...group,
+          children,
+          depth,
+          path,
+          effectivePolicyId: group.policyId
+        };
+      };
+      const roots = allGroups.filter(
+        (g) => rootId ? g.id === rootId : !g.parentId
+      );
+      return roots.map((root) => buildNode(root, 0, []));
+    },
+    async getAncestors(groupId) {
+      if (database.getGroupAncestors) {
+        return database.getGroupAncestors(groupId);
+      }
+      const ancestors = [];
+      const allGroups = await database.listGroups();
+      const groupMap = new Map(allGroups.map((g) => [g.id, g]));
+      let current = groupMap.get(groupId);
+      while (current?.parentId) {
+        const parent = groupMap.get(current.parentId);
+        if (parent) {
+          ancestors.push(parent);
+          current = parent;
+        } else {
+          break;
+        }
+      }
+      return ancestors;
+    },
+    async getDescendants(groupId) {
+      if (database.getGroupDescendants) {
+        return database.getGroupDescendants(groupId);
+      }
+      const allGroups = await database.listGroups();
+      const descendants = [];
+      const findDescendants = (parentId) => {
+        const children = allGroups.filter((g) => g.parentId === parentId);
+        for (const child of children) {
+          descendants.push(child);
+          findDescendants(child.id);
+        }
+      };
+      findDescendants(groupId);
+      return descendants;
+    },
+    async move(groupId, newParentId) {
+      if (newParentId) {
+        const ancestors = await this.getAncestors(newParentId);
+        if (ancestors.some((a) => a.id === groupId)) {
+          throw new Error("Cannot move group: would create circular reference");
+        }
+      }
+      return database.updateGroup(groupId, { parentId: newParentId });
+    },
+    async getEffectivePolicy(groupId) {
+      if (database.getGroupEffectivePolicy) {
+        return database.getGroupEffectivePolicy(groupId);
+      }
+      const group = await database.findGroup(groupId);
+      if (!group) return null;
+      if (group.policyId) {
+        return database.findPolicy(group.policyId);
+      }
+      const ancestors = await this.getAncestors(groupId);
+      for (const ancestor of ancestors) {
+        if (ancestor.policyId) {
+          return database.findPolicy(ancestor.policyId);
+        }
+      }
+      return null;
+    },
+    async getHierarchyStats() {
+      if (database.getGroupHierarchyStats) {
+        return database.getGroupHierarchyStats();
+      }
+      const allGroups = await database.listGroups();
+      let maxDepth = 0;
+      let groupsWithDevices = 0;
+      let groupsWithPolicies = 0;
+      for (const group of allGroups) {
+        const ancestors = await this.getAncestors(group.id);
+        maxDepth = Math.max(maxDepth, ancestors.length);
+        const devices2 = await database.listDevicesInGroup(group.id);
+        if (devices2.length > 0) groupsWithDevices++;
+        if (group.policyId) groupsWithPolicies++;
+      }
+      return {
+        totalGroups: allGroups.length,
+        maxDepth,
+        groupsWithDevices,
+        groupsWithPolicies
+      };
     }
   };
   const enroll = async (request) => {
@@ -1245,7 +2749,15 @@ function createMDM(config) {
     processHeartbeat,
     verifyDeviceToken,
     getPlugins,
-    getPlugin
+    getPlugin,
+    // Enterprise managers (optional)
+    tenants: tenantManager,
+    authorization: authorizationManager,
+    audit: auditManager,
+    schedules: scheduleManager,
+    messageQueue: messageQueueManager,
+    dashboard: dashboardManager,
+    pluginStorage: pluginStorageAdapter
   };
   (async () => {
     for (const plugin of plugins) {
@@ -1363,6 +2875,6 @@ function generateDeviceToken(deviceId, secret, expirationSeconds) {
   return `${header}.${payload}.${signature}`;
 }
-export { ApplicationNotFoundError, AuthenticationError, AuthorizationError, DeviceNotFoundError, EnrollmentError, MDMError, PolicyNotFoundError, ValidationError, camelToSnake, createMDM, createWebhookManager, getColumnNames, getPrimaryKey, getTableNames, mdmSchema, snakeToCamel, transformToCamelCase, transformToSnakeCase, verifyWebhookSignature };
+export { ApplicationNotFoundError, AuthenticationError, AuthorizationError, DeviceNotFoundError, EnrollmentError, GroupNotFoundError, MDMError, PolicyNotFoundError, RoleNotFoundError, TenantNotFoundError, UserNotFoundError, ValidationError, camelToSnake, createAuditManager, createAuthorizationManager, createDashboardManager, createMDM, createMemoryPluginStorageAdapter, createMessageQueueManager, createPluginKey, createPluginStorageAdapter, createScheduleManager, createTenantManager, createWebhookManager, getColumnNames, getPrimaryKey, getTableNames, mdmSchema, parsePluginKey, snakeToCamel, transformToCamelCase, transformToSnakeCase, verifyWebhookSignature };
 //# sourceMappingURL=index.js.map
 //# sourceMappingURL=index.js.map