@parsrun/auth 0.1.38 → 0.2.0

package/dist/adapters/hono.d.ts

@@ -1,9 +1,9 @@
 import 'hono/types';
 import 'hono';
-export { Q as AuthVariables, W as HonoAdapterConfig, w as createAuthMiddleware, y as createAuthRoutes, z as createHonoAuth, x as createOptionalAuthMiddleware, K as requireAdmin, N as requireAll, O as requireAny, G as requireAnyPermission, L as requireOwnerOrPermission, F as requirePermission, E as requireRole, H as requireTenant, J as requireTenantAccess } from '../index-DOGcetyD.js';
+export { Q as AuthVariables, W as HonoAdapterConfig, w as createAuthMiddleware, y as createAuthRoutes, z as createHonoAuth, x as createOptionalAuthMiddleware, K as requireAdmin, N as requireAll, O as requireAny, G as requireAnyPermission, L as requireOwnerOrPermission, F as requirePermission, E as requireRole, H as requireTenant, J as requireTenantAccess } from '../index-kATaLVps.js';
 import '../authorization-By1Xp8Za.js';
 import '../jwt-manager-CH8H0kmm.js';
 import 'jose';
 import '../types-DSjafxJ4.js';
-import '../base-BKyR8rcE.js';
-import '../index-C3kz9XqE.js';
+import '../base-BI-SilX-.js';
+import '../index-DC7A0IbX.js';

package/dist/adapters/index.d.ts

@@ -1,9 +1,9 @@
-export { X as AuthContext, Z as AuthResponse, Q as AuthVariables, Y as CookieOptions, W as HonoAdapterConfig, a1 as RefreshBody, _ as RequestOtpBody, a0 as SignInBody, $ as VerifyOtpBody, B as createAuthCookies, w as createAuthMiddleware, y as createAuthRoutes, z as createHonoAuth, D as createLogoutCookies, x as createOptionalAuthMiddleware, K as requireAdmin, N as requireAll, O as requireAny, G as requireAnyPermission, L as requireOwnerOrPermission, F as requirePermission, E as requireRole, H as requireTenant, J as requireTenantAccess } from '../index-DOGcetyD.js';
+export { X as AuthContext, Z as AuthResponse, Q as AuthVariables, Y as CookieOptions, W as HonoAdapterConfig, a1 as RefreshBody, _ as RequestOtpBody, a0 as SignInBody, $ as VerifyOtpBody, B as createAuthCookies, w as createAuthMiddleware, y as createAuthRoutes, z as createHonoAuth, D as createLogoutCookies, x as createOptionalAuthMiddleware, K as requireAdmin, N as requireAll, O as requireAny, G as requireAnyPermission, L as requireOwnerOrPermission, F as requirePermission, E as requireRole, H as requireTenant, J as requireTenantAccess } from '../index-kATaLVps.js';
 import '../jwt-manager-CH8H0kmm.js';
 import 'jose';
 import 'hono/types';
 import 'hono';
 import '../types-DSjafxJ4.js';
-import '../base-BKyR8rcE.js';
-import '../index-C3kz9XqE.js';
+import '../base-BI-SilX-.js';
+import '../index-DC7A0IbX.js';
 import '../authorization-By1Xp8Za.js';

package/dist/{base-BKyR8rcE.d.ts → base-BI-SilX-.d.ts}

@@ -266,6 +266,12 @@ interface AuthAdapter {
     deleteAuthMethod(id: string): Promise<void>;
     findTenantById?(id: string): Promise<AdapterTenant | null>;
     findTenantBySlug?(slug: string): Promise<AdapterTenant | null>;
+    createTenant?(data: CreateTenantInput): Promise<AdapterTenant>;
+    updateTenant?(id: string, data: Partial<AdapterTenant>): Promise<AdapterTenant>;
+    deleteTenant?(id: string): Promise<void>;
+    findTenantsByParentId?(parentId: string | null): Promise<AdapterTenant[]>;
+    findTenantsByPath?(pathPrefix: string): Promise<AdapterTenant[]>;
+    updateTenantPath?(tenantId: string, path: string, depth: number): Promise<void>;
     findMembership?(userId: string, tenantId: string): Promise<AdapterMembership | null>;
     findMembershipsByUserId?(userId: string): Promise<AdapterMembership[]>;
     createMembership?(data: CreateMembershipInput): Promise<AdapterMembership>;
@@ -314,6 +320,12 @@ interface AdapterTenant {
     name: string;
     slug: string;
     status: 'active' | 'suspended' | 'inactive';
+    /** Parent tenant ID for hierarchical tenants */
+    parentId?: string | null;
+    /** Materialized path for efficient ancestor/descendant queries (e.g., "/root-id/parent-id/id/") */
+    path?: string | null;
+    /** Hierarchy depth (0 = root tenant) */
+    depth?: number | null;
     createdAt: Date;
     updatedAt: Date;
 }
@@ -358,6 +370,14 @@ interface CreateMembershipInput {
     role: string;
     permissions?: string[];
 }
+interface CreateTenantInput {
+    name: string;
+    slug: string;
+    status?: 'active' | 'suspended' | 'inactive';
+    parentId?: string | null;
+    path?: string | null;
+    depth?: number | null;
+}
 /**
  * Main Pars Auth Configuration
  */

package/dist/{index-C3kz9XqE.d.ts → index-DC7A0IbX.d.ts}

@@ -1,5 +1,5 @@
 import { K as KVStorage } from './types-DSjafxJ4.js';
-import { A as AuthProvider, g as OtpConfig, V as VerifyInput, d as VerifyResult, b as AuthInput, c as AuthResult, a as ProviderInfo } from './base-BKyR8rcE.js';
+import { A as AuthProvider, g as OtpConfig, V as VerifyInput, d as VerifyResult, b as AuthInput, c as AuthResult, a as ProviderInfo } from './base-BI-SilX-.js';
 
 /**
  * OTP Manager

package/dist/{index-DOGcetyD.d.ts → index-kATaLVps.d.ts}

@@ -2,8 +2,8 @@ import { T as TokenPair, d as JwtPayload, J as JwtManager } from './jwt-manager-
 import * as hono_types from 'hono/types';
 import { Context, MiddlewareHandler, Hono } from 'hono';
 import { K as KVStorage } from './types-DSjafxJ4.js';
-import { h as AuthAdapter, u as AdapterTenant, v as AdapterMembership, l as TenantResolutionStrategy, i as ParsAuthConfig, a as ProviderInfo, r as AdapterUser, s as AdapterSession } from './base-BKyR8rcE.js';
-import { R as RequestOTPInput, d as RequestOTPResult } from './index-C3kz9XqE.js';
+import { h as AuthAdapter, u as AdapterTenant, v as AdapterMembership, l as TenantResolutionStrategy, i as ParsAuthConfig, a as ProviderInfo, r as AdapterUser, s as AdapterSession } from './base-BI-SilX-.js';
+import { R as RequestOTPInput, d as RequestOTPResult } from './index-DC7A0IbX.js';
 import { f as PermissionPattern } from './authorization-By1Xp8Za.js';
 
 /**
@@ -25,6 +25,8 @@ interface CreateTenantInput {
     ownerRole?: string;
     /** Initial status (default: 'active') */
     status?: 'active' | 'suspended' | 'inactive';
+    /** Parent tenant ID for creating child tenants */
+    parentId?: string;
 }
 /**
  * Tenant update input
@@ -95,6 +97,46 @@ declare class TenantManager {
      * Get tenant by slug
      */
     getTenantBySlug(slug: string): Promise<AdapterTenant | null>;
+    /**
+     * Get direct children of a tenant
+     */
+    getChildren(tenantId: string): Promise<AdapterTenant[]>;
+    /**
+     * Get parent of a tenant
+     */
+    getParent(tenantId: string): Promise<AdapterTenant | null>;
+    /**
+     * Get all ancestors of a tenant (from immediate parent to root)
+     */
+    getAncestors(tenantId: string): Promise<AdapterTenant[]>;
+    /**
+     * Get all descendants of a tenant (all levels)
+     */
+    getDescendants(tenantId: string): Promise<AdapterTenant[]>;
+    /**
+     * Get siblings of a tenant (same parent)
+     */
+    getSiblings(tenantId: string): Promise<AdapterTenant[]>;
+    /**
+     * Get root tenant of a hierarchy
+     */
+    getRootTenant(tenantId: string): Promise<AdapterTenant | null>;
+    /**
+     * Move a tenant to a new parent
+     */
+    moveToParent(tenantId: string, newParentId: string | null): Promise<void>;
+    /**
+     * Check if a tenant is an ancestor of another tenant
+     */
+    isAncestorOf(ancestorId: string, descendantId: string): Promise<boolean>;
+    /**
+     * Check if a tenant is a descendant of another tenant
+     */
+    isDescendantOf(descendantId: string, ancestorId: string): Promise<boolean>;
+    /**
+     * Get all root tenants (tenants without parent)
+     */
+    getRootTenants(): Promise<AdapterTenant[]>;
     /**
      * Check if user is member of tenant
      */

package/dist/index.d.ts

@@ -1,9 +1,9 @@
-import { A as AuthProvider, b as AuthInput, c as AuthResult, a as ProviderInfo, T as TwoFactorProvider, e as TwoFactorSetupResult, h as AuthAdapter, i as ParsAuthConfig } from './base-BKyR8rcE.js';
-export { t as AdapterAuthMethod, v as AdapterMembership, s as AdapterSession, u as AdapterTenant, r as AdapterUser, q as AuthCallbacks, C as CookieConfig, y as CreateAuthMethodInput, z as CreateMembershipInput, x as CreateSessionInput, w as CreateUserInput, j as CsrfConfig, J as JwtConfig, M as MagicLinkConfig, O as OAuthProvider, o as OAuthProviderConfig, f as OAuthUserInfo, g as OtpConfig, n as PasswordConfig, P as ProviderType, p as SecurityConfig, S as SessionConfig, k as TenantConfig, l as TenantResolutionStrategy, m as TotpConfig, V as VerifyInput, d as VerifyResult, W as WebAuthnConfig, D as defaultConfig, E as mergeConfig, F as validateConfig } from './base-BKyR8rcE.js';
-import { P as ParsAuthEngine } from './index-DOGcetyD.js';
-export { t as AcceptInvitationInput, u as AcceptInvitationResult, X as AdapterAuthContext, k as AddMemberInput, A as AuthContext, Z as AuthResponse, Q as AuthVariables, Y as CookieOptions, C as CreateTenantInput, W as HonoAdapterConfig, p as InvitationConfig, q as InvitationRecord, I as InvitationService, v as InvitationStatusResult, M as MultiStrategyTenantResolver, R as RefreshTokenResult, r as SendInvitationInput, s as SendInvitationResult, d as SessionInfo, S as SignInInput, a as SignInResult, b as SignUpInput, c as SignUpResult, i as TenantManager, h as TenantResolutionResult, T as TenantResolver, g as TenantResolverConfig, m as TenantWithMembers, l as UpdateMemberInput, U as UpdateTenantInput, n as UserTenantMembership, V as VerifyTokenResult, B as createAuthCookies, w as createAuthMiddleware, y as createAuthRoutes, z as createHonoAuth, o as createInvitationService, D as createLogoutCookies, f as createMultiStrategyResolver, x as createOptionalAuthMiddleware, j as createTenantManager, e as createTenantResolver, K as requireAdmin, N as requireAll, O as requireAny, G as requireAnyPermission, L as requireOwnerOrPermission, F as requirePermission, E as requireRole, H as requireTenant, J as requireTenantAccess } from './index-DOGcetyD.js';
+import { A as AuthProvider, b as AuthInput, c as AuthResult, a as ProviderInfo, T as TwoFactorProvider, e as TwoFactorSetupResult, h as AuthAdapter, i as ParsAuthConfig } from './base-BI-SilX-.js';
+export { t as AdapterAuthMethod, v as AdapterMembership, s as AdapterSession, u as AdapterTenant, r as AdapterUser, q as AuthCallbacks, C as CookieConfig, y as CreateAuthMethodInput, z as CreateMembershipInput, x as CreateSessionInput, w as CreateUserInput, j as CsrfConfig, J as JwtConfig, M as MagicLinkConfig, O as OAuthProvider, o as OAuthProviderConfig, f as OAuthUserInfo, g as OtpConfig, n as PasswordConfig, P as ProviderType, p as SecurityConfig, S as SessionConfig, k as TenantConfig, l as TenantResolutionStrategy, m as TotpConfig, V as VerifyInput, d as VerifyResult, W as WebAuthnConfig, D as defaultConfig, E as mergeConfig, F as validateConfig } from './base-BI-SilX-.js';
+import { P as ParsAuthEngine } from './index-kATaLVps.js';
+export { t as AcceptInvitationInput, u as AcceptInvitationResult, X as AdapterAuthContext, k as AddMemberInput, A as AuthContext, Z as AuthResponse, Q as AuthVariables, Y as CookieOptions, C as CreateTenantInput, W as HonoAdapterConfig, p as InvitationConfig, q as InvitationRecord, I as InvitationService, v as InvitationStatusResult, M as MultiStrategyTenantResolver, R as RefreshTokenResult, r as SendInvitationInput, s as SendInvitationResult, d as SessionInfo, S as SignInInput, a as SignInResult, b as SignUpInput, c as SignUpResult, i as TenantManager, h as TenantResolutionResult, T as TenantResolver, g as TenantResolverConfig, m as TenantWithMembers, l as UpdateMemberInput, U as UpdateTenantInput, n as UserTenantMembership, V as VerifyTokenResult, B as createAuthCookies, w as createAuthMiddleware, y as createAuthRoutes, z as createHonoAuth, o as createInvitationService, D as createLogoutCookies, f as createMultiStrategyResolver, x as createOptionalAuthMiddleware, j as createTenantManager, e as createTenantResolver, K as requireAdmin, N as requireAll, O as requireAny, G as requireAnyPermission, L as requireOwnerOrPermission, F as requirePermission, E as requireRole, H as requireTenant, J as requireTenantAccess } from './index-kATaLVps.js';
 export { ProviderRegistry } from './providers/index.js';
-export { e as OTPConfig, a as OTPManager, O as OTPProvider, f as OTPRecord, g as RateLimitCheck, R as RequestOTPInput, d as RequestOTPResult, S as StoreOTPResult, V as VerifyOTPResult, b as createOTPManager, c as createOTPProvider } from './index-C3kz9XqE.js';
+export { e as OTPConfig, a as OTPManager, O as OTPProvider, f as OTPRecord, g as RateLimitCheck, R as RequestOTPInput, d as RequestOTPResult, S as StoreOTPResult, V as VerifyOTPResult, b as createOTPManager, c as createOTPProvider } from './index-DC7A0IbX.js';
 import { K as KVStorage } from './types-DSjafxJ4.js';
 export { C as CloudflareKVConfig, D as DenoKVConfig, M as MemoryConfig, R as RedisConfig, S as StorageConfig, a as StorageType } from './types-DSjafxJ4.js';
 export { a as JwtError, J as JwtManager, b as JwtManagerConfig, d as JwtPayload, K as KeyRotationResult, T as TokenPair, c as createJwtManager, e as extractBearerToken, p as parseDuration } from './jwt-manager-CH8H0kmm.js';
@@ -962,6 +962,12 @@ interface DrizzleTenant {
     status: string;
     subscriptionPlan: string;
     settings: Record<string, unknown>;
+    /** Parent tenant ID for hierarchical tenants */
+    parentId: string | null;
+    /** Materialized path for efficient ancestor/descendant queries (e.g., "/root-id/parent-id/id/") */
+    path: string | null;
+    /** Hierarchy depth (0 = root tenant) */
+    depth: number | null;
     insertedAt: Date;
     updatedAt: Date;
     deletedAt: Date | null;

package/dist/index.js

@@ -11,7 +11,7 @@ import { OTPProvider } from './chunk-IB4WUQDZ.js';
 export { OTPManager, OTPProvider, createOTPManager, createOTPProvider } from './chunk-IB4WUQDZ.js';
 import { createStorage } from './chunk-42MGHABB.js';
 export { MemoryStorage, StorageKeys, createMemoryStorage, createStorage, createStorageSync, detectRuntime, getEnv, isBun, isCloudflare, isDeno, isEdge, isNode } from './chunk-42MGHABB.js';
-import { eq, and, isNull, desc } from 'drizzle-orm';
+import { eq, and, isNull, like, desc } from 'drizzle-orm';
 
 // src/config.ts
 var defaultConfig = {
@@ -165,17 +165,55 @@ var TenantManager = class {
    * Create a new tenant with owner
    */
   async createTenant(input) {
-    if (!this.adapter.findTenantById) {
+    if (!this.adapter.findTenantById || !this.adapter.createTenant) {
       throw new Error("Tenant operations not supported by adapter");
     }
+    if (!this.adapter.createMembership) {
+      throw new Error("Membership operations not supported by adapter");
+    }
     const slug = input.slug ?? this.generateSlug(input.name);
     const existingTenant = await this.adapter.findTenantBySlug?.(slug);
     if (existingTenant) {
       throw new Error(`Tenant with slug '${slug}' already exists`);
     }
-    throw new Error(
-      "createTenant not implemented in adapter. Please implement createTenant in your adapter or use direct database access."
-    );
+    let parentId = null;
+    let path = null;
+    let depth = 0;
+    if (input.parentId) {
+      const parent = await this.adapter.findTenantById(input.parentId);
+      if (!parent) {
+        throw new Error(`Parent tenant '${input.parentId}' not found`);
+      }
+      parentId = input.parentId;
+      depth = (parent.depth ?? 0) + 1;
+    }
+    const tenant = await this.adapter.createTenant({
+      name: input.name,
+      slug,
+      status: input.status ?? "active",
+      parentId,
+      path: null,
+      // Will be updated after creation
+      depth
+    });
+    if (input.parentId) {
+      const parent = await this.adapter.findTenantById(input.parentId);
+      const parentPath = parent?.path ?? `/${input.parentId}/`;
+      path = `${parentPath.replace(/\/$/, "")}/${tenant.id}/`;
+    } else {
+      path = `/${tenant.id}/`;
+    }
+    if (this.adapter.updateTenantPath) {
+      await this.adapter.updateTenantPath(tenant.id, path, depth);
+      tenant.path = path;
+      tenant.depth = depth;
+    }
+    const membership = await this.adapter.createMembership({
+      userId: input.ownerId,
+      tenantId: tenant.id,
+      role: input.ownerRole ?? "owner"
+    });
+    return { tenant, membership };
   }
   /**
    * Get tenant by ID
@@ -195,6 +233,185 @@ var TenantManager = class {
     }
     return this.adapter.findTenantBySlug(slug);
   }
+  // ============================================
+  // Tenant Hierarchy Operations
+  // ============================================
+  /**
+   * Get direct children of a tenant
+   */
+  async getChildren(tenantId) {
+    if (!this.adapter.findTenantsByParentId) {
+      return [];
+    }
+    return this.adapter.findTenantsByParentId(tenantId);
+  }
+  /**
+   * Get parent of a tenant
+   */
+  async getParent(tenantId) {
+    if (!this.adapter.findTenantById) {
+      return null;
+    }
+    const tenant = await this.adapter.findTenantById(tenantId);
+    if (!tenant || !tenant.parentId) {
+      return null;
+    }
+    return this.adapter.findTenantById(tenant.parentId);
+  }
+  /**
+   * Get all ancestors of a tenant (from immediate parent to root)
+   */
+  async getAncestors(tenantId) {
+    if (!this.adapter.findTenantById) {
+      return [];
+    }
+    const tenant = await this.adapter.findTenantById(tenantId);
+    if (!tenant || !tenant.path) {
+      return [];
+    }
+    const pathParts = tenant.path.split("/").filter(Boolean);
+    const ancestorIds = pathParts.slice(0, -1);
+    const ancestors = [];
+    for (const ancestorId of ancestorIds) {
+      const ancestor = await this.adapter.findTenantById(ancestorId);
+      if (ancestor) {
+        ancestors.push(ancestor);
+      }
+    }
+    return ancestors;
+  }
+  /**
+   * Get all descendants of a tenant (all levels)
+   */
+  async getDescendants(tenantId) {
+    if (!this.adapter.findTenantById || !this.adapter.findTenantsByPath) {
+      return [];
+    }
+    const tenant = await this.adapter.findTenantById(tenantId);
+    if (!tenant) {
+      return [];
+    }
+    const path = tenant.path ?? `/${tenantId}/`;
+    const allDescendants = await this.adapter.findTenantsByPath(path);
+    return allDescendants.filter((t) => t.id !== tenantId);
+  }
+  /**
+   * Get siblings of a tenant (same parent)
+   */
+  async getSiblings(tenantId) {
+    if (!this.adapter.findTenantById || !this.adapter.findTenantsByParentId) {
+      return [];
+    }
+    const tenant = await this.adapter.findTenantById(tenantId);
+    if (!tenant) {
+      return [];
+    }
+    const siblings = await this.adapter.findTenantsByParentId(tenant.parentId ?? null);
+    return siblings.filter((t) => t.id !== tenantId);
+  }
+  /**
+   * Get root tenant of a hierarchy
+   */
+  async getRootTenant(tenantId) {
+    if (!this.adapter.findTenantById) {
+      return null;
+    }
+    const tenant = await this.adapter.findTenantById(tenantId);
+    if (!tenant) {
+      return null;
+    }
+    if (!tenant.parentId) {
+      return tenant;
+    }
+    if (tenant.path) {
+      const pathParts = tenant.path.split("/").filter(Boolean);
+      const rootId = pathParts[0];
+      if (rootId) {
+        return this.adapter.findTenantById(rootId);
+      }
+    }
+    let current = tenant;
+    while (current.parentId) {
+      const parent = await this.adapter.findTenantById(current.parentId);
+      if (!parent) break;
+      current = parent;
+    }
+    return current;
+  }
+  /**
+   * Move a tenant to a new parent
+   */
+  async moveToParent(tenantId, newParentId) {
+    if (!this.adapter.findTenantById || !this.adapter.updateTenant || !this.adapter.updateTenantPath) {
+      throw new Error("Tenant hierarchy operations not supported by adapter");
+    }
+    const tenant = await this.adapter.findTenantById(tenantId);
+    if (!tenant) {
+      throw new Error("Tenant not found");
+    }
+    if (newParentId) {
+      const isDescendant = await this.isDescendantOf(newParentId, tenantId);
+      if (isDescendant) {
+        throw new Error("Cannot move tenant to its own descendant");
+      }
+    }
+    const oldPath = tenant.path ?? `/${tenantId}/`;
+    const descendants = await this.getDescendants(tenantId);
+    let newPath;
+    let newDepth;
+    if (newParentId) {
+      const newParent = await this.adapter.findTenantById(newParentId);
+      if (!newParent) {
+        throw new Error("New parent tenant not found");
+      }
+      const parentPath = newParent.path ?? `/${newParentId}/`;
+      newPath = `${parentPath.replace(/\/$/, "")}/${tenantId}/`;
+      newDepth = (newParent.depth ?? 0) + 1;
+    } else {
+      newPath = `/${tenantId}/`;
+      newDepth = 0;
+    }
+    await this.adapter.updateTenant(tenantId, { parentId: newParentId });
+    await this.adapter.updateTenantPath(tenantId, newPath, newDepth);
+    for (const descendant of descendants) {
+      if (descendant.path) {
+        const descendantNewPath = descendant.path.replace(oldPath, newPath);
+        const descendantNewDepth = (descendant.depth ?? 0) - (tenant.depth ?? 0) + newDepth;
+        await this.adapter.updateTenantPath(descendant.id, descendantNewPath, descendantNewDepth);
+      }
+    }
+  }
+  /**
+   * Check if a tenant is an ancestor of another tenant
+   */
+  async isAncestorOf(ancestorId, descendantId) {
+    if (!this.adapter.findTenantById) {
+      return false;
+    }
+    const descendant = await this.adapter.findTenantById(descendantId);
+    if (!descendant || !descendant.path) {
+      return false;
+    }
+    return descendant.path.includes(`/${ancestorId}/`);
+  }
+  /**
+   * Check if a tenant is a descendant of another tenant
+   */
+  async isDescendantOf(descendantId, ancestorId) {
+    return this.isAncestorOf(ancestorId, descendantId);
+  }
+  /**
+   * Get all root tenants (tenants without parent)
+   */
+  async getRootTenants() {
+    if (!this.adapter.findTenantsByParentId) {
+      return [];
+    }
+    return this.adapter.findTenantsByParentId(null);
+  }
+  // ============================================
+  // Membership Operations
+  // ============================================
   /**
    * Check if user is member of tenant
    */
@@ -3195,6 +3412,9 @@ function toAdapterTenant(tenant) {
     name: tenant.name,
     slug: tenant.slug,
     status: tenant.status,
+    parentId: tenant.parentId,
+    path: tenant.path,
+    depth: tenant.depth,
     createdAt: tenant.insertedAt,
     updatedAt: tenant.updatedAt
   };
@@ -3399,6 +3619,73 @@ function createDrizzleAdapter(config) {
       if (!tenant) return null;
       return toAdapterTenant(tenant);
     },
+    async createTenant(input) {
+      if (!tenants) {
+        throw new Error("Tenants table not configured");
+      }
+      const [tenant] = await db.insert(tenants).values({
+        name: input.name,
+        slug: input.slug,
+        status: input.status ?? "active",
+        parentId: input.parentId ?? null,
+        path: input.path ?? null,
+        depth: input.depth ?? null,
+        subscriptionPlan: "free",
+        settings: {}
+      }).returning();
+      return toAdapterTenant(tenant);
+    },
+    async updateTenant(id, data) {
+      if (!tenants) {
+        throw new Error("Tenants table not configured");
+      }
+      const updateData = {
+        updatedAt: /* @__PURE__ */ new Date()
+      };
+      if (data.name !== void 0) updateData["name"] = data.name;
+      if (data.slug !== void 0) updateData["slug"] = data.slug;
+      if (data.status !== void 0) updateData["status"] = data.status;
+      if (data.parentId !== void 0) updateData["parentId"] = data.parentId;
+      if (data.path !== void 0) updateData["path"] = data.path;
+      if (data.depth !== void 0) updateData["depth"] = data.depth;
+      const [tenant] = await db.update(tenants).set(updateData).where(eq(tenants.id, id)).returning();
+      return toAdapterTenant(tenant);
+    },
+    async deleteTenant(id) {
+      if (!tenants) return;
+      if (softDelete) {
+        await db.update(tenants).set({ deletedAt: /* @__PURE__ */ new Date() }).where(eq(tenants.id, id));
+      } else {
+        await db.delete(tenants).where(eq(tenants.id, id));
+      }
+    },
+    // ============================================
+    // Tenant Hierarchy Operations (Optional)
+    // ============================================
+    async findTenantsByParentId(parentId) {
+      if (!tenants) return [];
+      const result = await db.select().from(tenants).where(
+        and(
+          parentId === null ? isNull(tenants.parentId) : eq(tenants.parentId, parentId),
+          softDelete ? isNull(tenants.deletedAt) : void 0
+        )
+      );
+      return result.map(toAdapterTenant);
+    },
+    async findTenantsByPath(pathPrefix) {
+      if (!tenants) return [];
+      const result = await db.select().from(tenants).where(
+        and(
+          like(tenants.path, `${pathPrefix}%`),
+          softDelete ? isNull(tenants.deletedAt) : void 0
+        )
+      );
+      return result.map(toAdapterTenant);
+    },
+    async updateTenantPath(tenantId, path, depth) {
+      if (!tenants) return;
+      await db.update(tenants).set({ path, depth, updatedAt: /* @__PURE__ */ new Date() }).where(eq(tenants.id, tenantId));
+    },
     // ============================================
     // Membership Operations (Optional)
     // ============================================