@pattern-stack/codegen 0.15.0 → 0.15.2

package/dist/runtime/base-classes/integrated-entity-repository.js

@@ -1,489 +1,9 @@
-// runtime/base-classes/integrated-entity-repository.ts
-import { and as and2, eq as eq2, inArray as inArray2 } from "drizzle-orm";
-
-// runtime/base-classes/base-repository.ts
-import { and, eq, inArray, isNull, sql } from "drizzle-orm";
-
-// runtime/base-classes/tenant-context.ts
-import { AsyncLocalStorage } from "async_hooks";
-var als = new AsyncLocalStorage();
-function requireRequester() {
-  const ctx = als.getStore();
-  if (!ctx) {
-    throw new Error(
-      "No requester context active. Wrap the entry point in withRequester({ userId, organizationId }, fn). See tenant-context.ts."
-    );
-  }
-  return ctx;
-}
-function tryGetRequester() {
-  return als.getStore();
-}
-
-// runtime/base-classes/base-repository.ts
-var BaseRepository = class {
-  // eslint-disable-line @typescript-eslint/no-explicit-any
-  /**
-   * Behavior flags controlling automatic behavior injection.
-   * Override in concrete repositories to enable behaviors.
-   */
-  behaviors = {
-    timestamps: false,
-    softDelete: false,
-    userTracking: false
-  };
-  /**
-   * Ambient tenant-scope enforcement for `userTracking` repos (see
-   * `scopePredicate`). Only has effect when `behaviors.userTracking === true`.
-   *
-   * - `'lenient'` (default): when no ambient requester context is active,
-   *   reads/writes are NOT scoped — preserves pre-scoping behavior, so adopting
-   *   ambient scoping is additive. Scoping kicks in automatically once a
-   *   boundary installs `withRequester(...)`.
-   * - `'strict'`: a missing ambient context throws (`requireRequester`),
-   *   making a forgotten boundary fail loud instead of silently returning
-   *   cross-tenant rows. Recommended for new multi-tenant consumers — override
-   *   in a concrete repo or a family base class.
-   */
-  scopeEnforcement = "lenient";
-  db;
-  constructor(db) {
-    this.db = db;
-  }
-  /**
-   * Pick the runner for a write: the caller-supplied transaction handle
-   * if present, otherwise the repository's own client. Keeps the `tx`
-   * parameter purely additive — callers without a transaction call as
-   * before. Used by the write methods below + consumer overrides (e.g.
-   * the generated `upsertCurrentValues` on EAV value tables).
-   */
-  runner(tx) {
-    return tx ?? this.db;
-  }
-  // ============================================================================
-  // Read Operations
-  // ============================================================================
-  /**
-   * Find a single entity by its primary key.
-   * Returns null if not found (or soft-deleted when softDelete=true).
-   */
-  async findById(id) {
-    const rows = await this.baseQuery(eq(this.table["id"], id)).limit(1);
-    return rows[0] ?? null;
-  }
-  /**
-   * Find multiple entities by their primary keys.
-   * Returns empty array immediately for empty input (avoids DB errors).
-   */
-  async findByIds(ids) {
-    if (ids.length === 0) return [];
-    const rows = await this.baseQuery(inArray(this.table["id"], ids));
-    return rows;
-  }
-  /**
-   * List entities with optional filtering, pagination, and ordering.
-   */
-  async list(options) {
-    let query = this.baseQuery(options?.where);
-    if (options?.orderBy) {
-      query = query.orderBy(options.orderBy);
-    }
-    if (options?.limit !== void 0) {
-      query = query.limit(options.limit);
-    }
-    if (options?.offset !== void 0) {
-      query = query.offset(options.offset);
-    }
-    const rows = await query;
-    return rows;
-  }
-  /**
-   * Count entities matching an optional WHERE clause.
-   * Soft-deleted rows are always excluded when softDelete=true.
-   */
-  async count(where) {
-    let query = this.db.select({ count: sql`cast(count(*) as integer)` }).from(this.table);
-    const conditions = [];
-    if (this.behaviors.softDelete) {
-      conditions.push(isNull(this.table["deletedAt"]));
-    }
-    const scope = this.scopePredicate();
-    if (scope) {
-      conditions.push(scope);
-    }
-    if (where) {
-      conditions.push(where);
-    }
-    if (conditions.length === 1) {
-      query = query.where(conditions[0]);
-    } else if (conditions.length > 1) {
-      query = query.where(and(...conditions));
-    }
-    const rows = await query;
-    return rows[0]?.count ?? 0;
-  }
-  /**
-   * Check whether an entity with the given id exists.
-   */
-  async exists(id) {
-    const result = await this.findById(id);
-    return result !== null;
-  }
-  // ============================================================================
-  // Write Operations
-  // ============================================================================
-  /**
-   * Insert a new entity. Timestamps are auto-injected when timestamps=true.
-   */
-  async create(input, tx) {
-    const data = this.withTimestamps(input, "create");
-    const rows = await this.runner(tx).insert(this.table).values(data).returning();
-    return rows[0];
-  }
-  /**
-   * Update an existing entity by id. updatedAt is auto-injected when timestamps=true.
-   * Returns the updated entity.
-   */
-  async update(id, input, tx) {
-    const data = this.withTimestamps(input, "update");
-    const rows = await this.runner(tx).update(this.table).set(data).where(this.scopeAnd(eq(this.table["id"], id))).returning();
-    return rows[0];
-  }
-  /**
-   * Delete an entity by id.
-   * - softDelete=true: sets deletedAt to current timestamp
-   * - softDelete=false: hard-deletes the row
-   */
-  async delete(id, tx) {
-    const runner = this.runner(tx);
-    if (this.behaviors.softDelete) {
-      await runner.update(this.table).set({ deletedAt: /* @__PURE__ */ new Date() }).where(this.scopeAnd(eq(this.table["id"], id)));
-    } else {
-      await runner.delete(this.table).where(this.scopeAnd(eq(this.table["id"], id)));
-    }
-  }
-  /**
-   * Insert or update multiple entities.
-   * Default naive implementation — family repositories override with
-   * proper conflict-target upsert (e.g., CrmEntityRepository).
-   */
-  async upsertMany(inputs, tx) {
-    return Promise.all(inputs.map((input) => this.create(input, tx)));
-  }
-  // ============================================================================
-  // Protected Helpers
-  // ============================================================================
-  /**
-   * Base SELECT query that automatically applies the ambient guards —
-   * soft-delete exclusion (when `softDelete`) and tenant scope (when
-   * `userTracking` + an active requester context) — combined with an optional
-   * caller `extra` predicate into a SINGLE `WHERE`.
-   *
-   * Pass the leaf predicate as `extra` rather than chaining a second
-   * `.where(...)`: Drizzle's `.where()` OVERRIDES (does not AND) a prior
-   * `.where()` on a `$dynamic()` query, so a chained call would silently drop
-   * the soft-delete and scope guards. `baseQuery(extra)` is the safe form.
-   */
-  baseQuery(extra) {
-    const query = this.db.select().from(this.table).$dynamic();
-    const where = this.scopeAnd(extra, { softDelete: this.behaviors.softDelete });
-    return where ? query.where(where) : query;
-  }
-  /**
-   * Build the ambient tenant-scope predicate for this repo's table.
-   *
-   * Returns `undefined` (no scoping) when:
-   *   - `behaviors.userTracking` is false (repo is not user-owned), or
-   *   - no ambient requester context is active AND `scopeEnforcement` is
-   *     `'lenient'` (the default — preserves pre-scoping behavior).
-   *
-   * When a requester context is active, scopes by `user_id` per the ambient
-   * scope: `'user'` → `user_id = ctx.userId`; `'org'` → `user_id IN
-   * ctx.orgUserIds` (empty list matches nothing — fail-closed); `'superuser'`
-   * → no filter. See `tenant-context.ts` for the boundary-install contract.
-   */
-  scopePredicate() {
-    if (!this.behaviors.userTracking) return void 0;
-    const ctx = this.scopeEnforcement === "strict" ? requireRequester() : tryGetRequester();
-    if (!ctx) return void 0;
-    const scope = ctx.scope ?? "user";
-    switch (scope) {
-      case "superuser":
-        return void 0;
-      case "org":
-        return ctx.orgUserIds && ctx.orgUserIds.length > 0 ? inArray(this.table["userId"], ctx.orgUserIds) : sql`false`;
-      case "user":
-      default:
-        return eq(this.table["userId"], ctx.userId);
-    }
-  }
-  /**
-   * Combine the ambient scope predicate (and, optionally, the soft-delete
-   * guard) with a caller `extra` predicate into one `SQL`. Returns `undefined`
-   * when nothing applies. Used by read + by-id write paths so a single
-   * `.where(...)` carries every guard.
-   */
-  scopeAnd(extra, opts) {
-    const conditions = [];
-    if (opts?.softDelete) conditions.push(isNull(this.table["deletedAt"]));
-    const scope = this.scopePredicate();
-    if (scope) conditions.push(scope);
-    if (extra) conditions.push(extra);
-    if (conditions.length === 0) return void 0;
-    if (conditions.length === 1) return conditions[0];
-    return and(...conditions);
-  }
-  /**
-   * Merge timestamp fields into an input object.
-   * - mode='create': adds createdAt and updatedAt
-   * - mode='update': adds updatedAt only
-   *
-   * No-op when timestamps behavior is disabled.
-   */
-  withTimestamps(input, mode) {
-    if (!this.behaviors.timestamps) return input;
-    const now = /* @__PURE__ */ new Date();
-    if (mode === "create") {
-      return { ...input, createdAt: now, updatedAt: now };
-    }
-    return { ...input, updatedAt: now };
-  }
-  /**
-   * Build a WHERE clause fragment that restricts results to rows whose
-   * parent (identified by a belongs_to FK) is not soft-deleted.
-   *
-   * Use this in custom repository methods when you need "rows reachable
-   * from an active parent". The default findAll / findById behavior is
-   * NOT changed by this helper — opt in explicitly where needed.
-   *
-   * ADR-021 — Soft-delete cascade: Option A (filter at query time).
-   * `on_delete` FK rules do not fire for soft-deletes; use this helper
-   * instead of expecting cascade semantics on the DB level.
-   *
-   * Example:
-   *   async listActiveMessages(): Promise<Message[]> {
-   *     return this.list({
-   *       where: this.activeParentFilter(conversations, this.table['conversationId']),
-   *     });
-   *   }
-   *
-   * @param parentTable  The Drizzle table object for the parent entity.
-   * @param parentFkColumn  The FK column on this (child) table that references parent.id.
-   */
-  activeParentFilter(parentTable, parentFkColumn) {
-    return sql`EXISTS (
-      SELECT 1 FROM ${parentTable} p
-      WHERE p.id = ${parentFkColumn}
-        AND p.deleted_at IS NULL
-    )`;
-  }
-};
-
-// runtime/base-classes/integrated-entity-repository.ts
-var IntegratedEntityRepository = class extends BaseRepository {
-  /**
-   * Find a single entity by its external CRM identifier.
-   */
-  async findByExternalId(externalId) {
-    const rows = await this.baseQuery().where(eq2(this.table["externalId"], externalId)).limit(1);
-    return rows[0] ?? null;
-  }
-  /**
-   * Find multiple entities by external CRM identifiers.
-   */
-  async findManyByExternalIds(externalIds) {
-    if (externalIds.length === 0) return [];
-    const rows = await this.baseQuery().where(inArray2(this.table["externalId"], externalIds));
-    return rows;
-  }
-  /**
-   * Find all entities owned by a specific user.
-   */
-  async findAllByUserId(userId) {
-    const rows = await this.baseQuery().where(eq2(this.table["userId"], userId));
-    return rows;
-  }
-  // ==========================================================================
-  // Inbound integration (#374) — canonical→Drizzle write + provider-scoped FK
-  // resolution + EAV dual-write seam, all inside a SINGLE transaction.
-  // Driven entirely by `this.integrationConfig`; the per-entity shape lives there.
-  // ==========================================================================
-  /**
-   * Upsert ONE entity by its `(provider, externalId)` identity, in a single
-   * transaction:
-   *   1. resolve each `integrationConfig.fkResolvers` FK (provider-scoped). Strict
-   *      resolvers throw on unresolved; non-strict leave the column null.
-   *   2. insert-or-update the canonical columns via `onConflictDoUpdate` on the
-   *      `conflictTarget`. Resolved FKs are only written into `set` when
-   *      non-null this run (no-clobber).
-   *   3. EAV dual-write of `write.fields` via `writeCustomFields` when
-   *      `integrationConfig.eav` and the bag is non-empty (same tx).
-   *
-   * Idempotent: a second call with the same identity updates in place. Returns
-   * the canonical projection (so the orchestrator records `local_id`).
-   *
-   * @param write     canonical fields + parent external ids + custom-field bag
-   * @param provider  adapter/provider label persisted + used to scope lookups
-   * @param tx        optional outer transaction; when omitted we open our own
-   */
-  async integrationUpsertOne(write, provider, tx) {
-    const cfg = this.integrationConfig;
-    const w = write;
-    const run = async (db) => {
-      const resolvedFks = {};
-      for (const fk of cfg.fkResolvers) {
-        resolvedFks[fk.column] = await this.resolveFk(db, fk, w[fk.writeKey], provider);
-      }
-      const now = /* @__PURE__ */ new Date();
-      const copyThrough = {};
-      for (const col of cfg.writeColumns) copyThrough[col] = w[col];
-      const values = {
-        externalId: w["externalId"],
-        provider,
-        ...copyThrough,
-        ...resolvedFks,
-        ...this.behaviors.timestamps ? { updatedAt: now } : {}
-      };
-      const set = {
-        ...copyThrough,
-        ...this.behaviors.timestamps ? { updatedAt: now } : {}
-      };
-      for (const fk of cfg.fkResolvers) {
-        if (resolvedFks[fk.column] !== null) set[fk.column] = resolvedFks[fk.column];
-      }
-      const rows = await db.insert(this.table).values(values).onConflictDoUpdate({
-        target: cfg.conflictTarget.map((c) => this.table[c]),
-        set
-      }).returning();
-      const saved = rows[0];
-      const fields = w["fields"];
-      if (cfg.eav && fields && Object.keys(fields).length > 0) {
-        await this.writeCustomFields(
-          db,
-          saved["id"],
-          w["userId"],
-          fields
-        );
-      }
-      return this.toProjection(saved);
-    };
-    return tx ? run(tx) : this.db.transaction((t) => run(t));
-  }
-  /**
-   * Canonical-projected lookup by external id (differ-ready). Returns `null`
-   * when no local row exists. Provider-scoped so a HubSpot id can't match a
-   * Salesforce row.
-   */
-  async findByExternalIdProjected(externalId, provider) {
-    const rows = await this.db.select().from(this.table).where(
-      and2(
-        eq2(this.table["provider"], provider),
-        eq2(this.table["externalId"], externalId)
-      )
-    ).limit(1);
-    const row = rows[0];
-    return row ? this.toProjection(row) : null;
-  }
-  /**
-   * Integration "delete" by external id, provider-scoped. When `softDelete: true`,
-   * sets `deletedAt`. When `softDelete: false`, tombstone-by-clearing: null out
-   * `external_id`/`provider` so the row no longer matches future inbound
-   * changes while preserving local-id references. Returns `{ id }` or `null`.
-   */
-  async softDeleteByExternalId(externalId, provider, tx) {
-    const db = this.runner(tx);
-    const set = this.integrationConfig.softDelete ? { deletedAt: /* @__PURE__ */ new Date(), updatedAt: /* @__PURE__ */ new Date() } : { externalId: null, provider: null, updatedAt: /* @__PURE__ */ new Date() };
-    const rows = await db.update(this.table).set(set).where(
-      and2(
-        eq2(this.table["provider"], provider),
-        eq2(this.table["externalId"], externalId)
-      )
-    ).returning({ id: this.table["id"] });
-    return rows[0] ? { id: rows[0].id } : null;
-  }
-  /**
-   * Batch integration upsert — concretizes the former abstract stub. Delegates to
-   * `integrationUpsertOne` per input inside one transaction. Inputs are raw partial
-   * rows: provider is read from each input's own `provider` column; rows
-   * missing `externalId`/`provider` are skipped.
-   */
-  async integrationUpsert(inputs) {
-    if (inputs.length === 0) return [];
-    return this.db.transaction(async (tx) => {
-      const out = [];
-      for (const input of inputs) {
-        const rec = input;
-        if (!rec["externalId"] || !rec["provider"]) continue;
-        const proj = await this.integrationUpsertOne(
-          input,
-          rec["provider"],
-          tx
-        );
-        const id = proj["id"];
-        const row = await tx.select().from(this.table).where(eq2(this.table["id"], id)).limit(1);
-        out.push(row[0]);
-      }
-      return out;
-    });
-  }
-  /**
-   * Project a raw row to the canonical differ shape — a generic pick over
-   * `integrationConfig.projectionColumns`. Override only for synthesized projections
-   * (e.g. junctions); entities use this verbatim.
-   */
-  toProjection(row) {
-    const r = row;
-    const out = {};
-    for (const col of this.integrationConfig.projectionColumns) out[col] = r[col];
-    return out;
-  }
-  /**
-   * EAV dual-write seam (#374, live path lands in #124). No-op by default;
-   * `eav: true` entities emit a concrete override that injects
-   * `FieldValueService` and delegates to `upsertFieldsTransactional` so the
-   * dual-write joins the same tx (`db`). Kept as an explicit hook so the base
-   * stays portable (the FieldValueService dependency is eav-only).
-   */
-  async writeCustomFields(_db, _entityId, _userId, _fields) {
-  }
-  /**
-   * Resolve one FK from a parent external id (provider-scoped). `self` resolves
-   * against `this.table`. Strict resolvers throw when unresolved; non-strict
-   * return null. A null/absent write value short-circuits to null.
-   */
-  async resolveFk(db, fk, rawExternalId, provider) {
-    const parentExternalId = rawExternalId;
-    if (!parentExternalId) {
-      if (fk.strict) {
-        throw new Error(
-          `${this.constructor.name}.integrationUpsertOne: missing required parent external id for '${fk.column}' (writeKey '${fk.writeKey}')`
-        );
-      }
-      return null;
-    }
-    const refTable = fk.refTable === "self" ? this.table : fk.refTable;
-    const rows = await db.select({ id: refTable["id"] }).from(refTable).where(
-      and2(
-        eq2(refTable["provider"], provider),
-        eq2(refTable["externalId"], parentExternalId)
-      )
-    ).limit(1);
-    const id = rows[0]?.id ?? null;
-    if (id === null && fk.strict) {
-      throw new Error(
-        `${this.constructor.name}.integrationUpsertOne: unresolved parent '${parentExternalId}' (provider '${provider}') for '${fk.column}' \u2014 parent not integrated yet`
-      );
-    }
-    return id;
-  }
-  /**
-   * Find entities visible to a user (ownership + sharing rules).
-   * Concrete repositories must implement with visibility logic.
-   */
-  async findVisibleByUserId(_userId) {
-    throw new Error("findVisibleByUserId not implemented \u2014 override in concrete repository");
-  }
-};
+import {
+  IntegratedEntityRepository
+} from "../../chunk-OTDN3OUQ.js";
+import "../../chunk-J6KZS54B.js";
+import "../../chunk-ZUKFQL6E.js";
+import "../../chunk-2E224ZSN.js";
 export {
   IntegratedEntityRepository
 };

package/dist/runtime/base-classes/integrated-entity-repository.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../../runtime/base-classes/integrated-entity-repository.ts","../../../runtime/base-classes/base-repository.ts","../../../runtime/base-classes/tenant-context.ts"],"sourcesContent":["/**\n * IntegratedEntityRepository<TEntity, TIntegrationWrite, TIntegrationProjection>\n *\n * Family-specific base for Integrated entities (contacts, accounts, opportunities).\n * Adds external ID lookups, user-scoped queries, and the generic inbound-integration\n * write surface (canonical→Drizzle upsert + provider-scoped FK resolution +\n * EAV dual-write seam), driven by the concrete repo's `integrationConfig`.\n *\n * The type params default so pre-existing single-param subclasses keep\n * compiling; `pattern: Integrated` repos declare all three plus `integrationConfig`.\n */\nimport { and, eq, inArray } from 'drizzle-orm';\n// eslint-disable-next-line @typescript-eslint/no-explicit-any\nimport type { PgTableWithColumns } from 'drizzle-orm/pg-core';\nimport type { DrizzleTx } from '../types/drizzle';\nimport { BaseRepository } from './base-repository';\nimport type { IntegrationUpsertConfig, IntegrationFkResolver } from './integration-upsert-config';\n\nexport abstract class IntegratedEntityRepository<\n  TEntity,\n  TIntegrationWrite = Partial<TEntity>,\n  TIntegrationProjection = TEntity,\n> extends BaseRepository<TEntity> {\n  /**\n   * Declarative integration write surface. Concrete (`pattern: Integrated`) repositories\n   * declare this — the template emits it from the entity's fields + FKs.\n   */\n  protected abstract readonly integrationConfig: IntegrationUpsertConfig;\n\n  /**\n   * Find a single entity by its external CRM identifier.\n   */\n  async findByExternalId(externalId: string): Promise<TEntity | null> {\n    const rows = await this.baseQuery()\n      .where(eq(this.table['externalId'], externalId))\n      .limit(1);\n    return (rows[0] as TEntity) ?? null;\n  }\n\n  /**\n   * Find multiple entities by external CRM identifiers.\n   */\n  async findManyByExternalIds(externalIds: string[]): Promise<TEntity[]> {\n    if (externalIds.length === 0) return [];\n    const rows = await this.baseQuery()\n      .where(inArray(this.table['externalId'], externalIds));\n    return rows as TEntity[];\n  }\n\n  /**\n   * Find all entities owned by a specific user.\n   */\n  async findAllByUserId(userId: string): Promise<TEntity[]> {\n    const rows = await this.baseQuery()\n      .where(eq(this.table['userId'], userId));\n    return rows as TEntity[];\n  }\n\n  // ==========================================================================\n  // Inbound integration (#374) — canonical→Drizzle write + provider-scoped FK\n  // resolution + EAV dual-write seam, all inside a SINGLE transaction.\n  // Driven entirely by `this.integrationConfig`; the per-entity shape lives there.\n  // ==========================================================================\n\n  /**\n   * Upsert ONE entity by its `(provider, externalId)` identity, in a single\n   * transaction:\n   *   1. resolve each `integrationConfig.fkResolvers` FK (provider-scoped). Strict\n   *      resolvers throw on unresolved; non-strict leave the column null.\n   *   2. insert-or-update the canonical columns via `onConflictDoUpdate` on the\n   *      `conflictTarget`. Resolved FKs are only written into `set` when\n   *      non-null this run (no-clobber).\n   *   3. EAV dual-write of `write.fields` via `writeCustomFields` when\n   *      `integrationConfig.eav` and the bag is non-empty (same tx).\n   *\n   * Idempotent: a second call with the same identity updates in place. Returns\n   * the canonical projection (so the orchestrator records `local_id`).\n   *\n   * @param write     canonical fields + parent external ids + custom-field bag\n   * @param provider  adapter/provider label persisted + used to scope lookups\n   * @param tx        optional outer transaction; when omitted we open our own\n   */\n  async integrationUpsertOne(\n    write: TIntegrationWrite,\n    provider: string,\n    tx?: DrizzleTx,\n  ): Promise<TIntegrationProjection> {\n    const cfg = this.integrationConfig;\n    const w = write as Record<string, unknown>;\n\n    const run = async (db: DrizzleTx): Promise<TIntegrationProjection> => {\n      // 1. FK resolution (provider-scoped). Strict → throw; else opportunistic null.\n      const resolvedFks: Record<string, string | null> = {};\n      for (const fk of cfg.fkResolvers) {\n        resolvedFks[fk.column] = await this.resolveFk(db, fk, w[fk.writeKey], provider);\n      }\n\n      // 2. Canonical → Drizzle insert-or-update by the conflict target.\n      const now = new Date();\n      const copyThrough: Record<string, unknown> = {};\n      for (const col of cfg.writeColumns) copyThrough[col] = w[col];\n\n      const values: Record<string, unknown> = {\n        externalId: w['externalId'],\n        provider,\n        ...copyThrough,\n        ...resolvedFks,\n        ...(this.behaviors.timestamps ? { updatedAt: now } : {}),\n      };\n\n      // `set` excludes the identity (externalId/provider). Resolved FKs are\n      // only written when non-null this run — never clobber a previously\n      // resolved parent with null on a later run that dropped the ref.\n      const set: Record<string, unknown> = {\n        ...copyThrough,\n        ...(this.behaviors.timestamps ? { updatedAt: now } : {}),\n      };\n      for (const fk of cfg.fkResolvers) {\n        if (resolvedFks[fk.column] !== null) set[fk.column] = resolvedFks[fk.column];\n      }\n\n      const rows = await db\n        .insert(this.table)\n        .values(values as never)\n        .onConflictDoUpdate({\n          target: cfg.conflictTarget.map((c: string) => this.table[c]),\n          set: set as never,\n        })\n        .returning();\n\n      const saved = rows[0] as Record<string, unknown>;\n\n      // 3. EAV dual-write seam — same tx. No-op unless the entity opts in.\n      const fields = w['fields'] as Record<string, unknown> | undefined;\n      if (cfg.eav && fields && Object.keys(fields).length > 0) {\n        await this.writeCustomFields(\n          db,\n          saved['id'] as string,\n          w['userId'] as string,\n          fields,\n        );\n      }\n\n      return this.toProjection(saved as TEntity);\n    };\n\n    return tx ? run(tx) : this.db.transaction((t) => run(t));\n  }\n\n  /**\n   * Canonical-projected lookup by external id (differ-ready). Returns `null`\n   * when no local row exists. Provider-scoped so a HubSpot id can't match a\n   * Salesforce row.\n   */\n  async findByExternalIdProjected(\n    externalId: string,\n    provider: string,\n  ): Promise<TIntegrationProjection | null> {\n    const rows = await this.db\n      .select()\n      .from(this.table)\n      .where(\n        and(\n          eq(this.table['provider'], provider),\n          eq(this.table['externalId'], externalId),\n        ),\n      )\n      .limit(1);\n    const row = rows[0] as TEntity | undefined;\n    return row ? this.toProjection(row) : null;\n  }\n\n  /**\n   * Integration \"delete\" by external id, provider-scoped. When `softDelete: true`,\n   * sets `deletedAt`. When `softDelete: false`, tombstone-by-clearing: null out\n   * `external_id`/`provider` so the row no longer matches future inbound\n   * changes while preserving local-id references. Returns `{ id }` or `null`.\n   */\n  async softDeleteByExternalId(\n    externalId: string,\n    provider: string,\n    tx?: DrizzleTx,\n  ): Promise<{ id: string } | null> {\n    const db = this.runner(tx);\n    const set = this.integrationConfig.softDelete\n      ? { deletedAt: new Date(), updatedAt: new Date() }\n      : { externalId: null, provider: null, updatedAt: new Date() };\n    const rows = await db\n      .update(this.table)\n      .set(set as never)\n      .where(\n        and(\n          eq(this.table['provider'], provider),\n          eq(this.table['externalId'], externalId),\n        ),\n      )\n      .returning({ id: this.table['id'] });\n    return rows[0] ? { id: rows[0].id as string } : null;\n  }\n\n  /**\n   * Batch integration upsert — concretizes the former abstract stub. Delegates to\n   * `integrationUpsertOne` per input inside one transaction. Inputs are raw partial\n   * rows: provider is read from each input's own `provider` column; rows\n   * missing `externalId`/`provider` are skipped.\n   */\n  async integrationUpsert(inputs: Array<Partial<TEntity>>): Promise<TEntity[]> {\n    if (inputs.length === 0) return [];\n    return this.db.transaction(async (tx) => {\n      const out: TEntity[] = [];\n      for (const input of inputs) {\n        const rec = input as Record<string, unknown>;\n        if (!rec['externalId'] || !rec['provider']) continue;\n        const proj = await this.integrationUpsertOne(\n          input as unknown as TIntegrationWrite,\n          rec['provider'] as string,\n          tx,\n        );\n        const id = (proj as Record<string, unknown>)['id'] as string;\n        const row = await tx\n          .select()\n          .from(this.table)\n          .where(eq(this.table['id'], id))\n          .limit(1);\n        out.push(row[0] as TEntity);\n      }\n      return out;\n    });\n  }\n\n  /**\n   * Project a raw row to the canonical differ shape — a generic pick over\n   * `integrationConfig.projectionColumns`. Override only for synthesized projections\n   * (e.g. junctions); entities use this verbatim.\n   */\n  protected toProjection(row: TEntity): TIntegrationProjection {\n    const r = row as Record<string, unknown>;\n    const out: Record<string, unknown> = {};\n    for (const col of this.integrationConfig.projectionColumns) out[col] = r[col];\n    return out as TIntegrationProjection;\n  }\n\n  /**\n   * EAV dual-write seam (#374, live path lands in #124). No-op by default;\n   * `eav: true` entities emit a concrete override that injects\n   * `FieldValueService` and delegates to `upsertFieldsTransactional` so the\n   * dual-write joins the same tx (`db`). Kept as an explicit hook so the base\n   * stays portable (the FieldValueService dependency is eav-only).\n   */\n  protected async writeCustomFields(\n    _db: DrizzleTx,\n    _entityId: string,\n    _userId: string,\n    _fields: Record<string, unknown>,\n  ): Promise<void> {\n    // Intentionally empty until the entity opts into EAV.\n  }\n\n  /**\n   * Resolve one FK from a parent external id (provider-scoped). `self` resolves\n   * against `this.table`. Strict resolvers throw when unresolved; non-strict\n   * return null. A null/absent write value short-circuits to null.\n   */\n  private async resolveFk(\n    db: DrizzleTx,\n    fk: IntegrationFkResolver,\n    rawExternalId: unknown,\n    provider: string,\n  ): Promise<string | null> {\n    const parentExternalId = rawExternalId as string | null | undefined;\n    if (!parentExternalId) {\n      if (fk.strict) {\n        throw new Error(\n          `${this.constructor.name}.integrationUpsertOne: missing required parent ` +\n            `external id for '${fk.column}' (writeKey '${fk.writeKey}')`,\n        );\n      }\n      return null;\n    }\n    // eslint-disable-next-line @typescript-eslint/no-explicit-any\n    const refTable: PgTableWithColumns<any> =\n      fk.refTable === 'self' ? this.table : fk.refTable;\n    const rows = await db\n      .select({ id: refTable['id'] })\n      .from(refTable)\n      .where(\n        and(\n          eq(refTable['provider'], provider),\n          eq(refTable['externalId'], parentExternalId),\n        ),\n      )\n      .limit(1);\n    const id = (rows[0]?.id as string | undefined) ?? null;\n    if (id === null && fk.strict) {\n      throw new Error(\n        `${this.constructor.name}.integrationUpsertOne: unresolved parent ` +\n          `'${parentExternalId}' (provider '${provider}') for '${fk.column}' — ` +\n          `parent not integrated yet`,\n      );\n    }\n    return id;\n  }\n\n  /**\n   * Find entities visible to a user (ownership + sharing rules).\n   * Concrete repositories must implement with visibility logic.\n   */\n  async findVisibleByUserId(_userId: string): Promise<TEntity[]> {\n    throw new Error('findVisibleByUserId not implemented — override in concrete repository');\n  }\n}\n","/**\n * BaseRepository<TEntity>\n *\n * Abstract base class providing standard CRUD operations via Drizzle ORM.\n * Every generated repository extends this class.\n *\n * Family-specific bases (CrmEntityRepository, etc.) extend this in v0.1\n * without any changes to BaseRepository.\n *\n * NOT @Injectable — concrete repositories are @Injectable and inject DRIZZLE.\n */\nimport { and, eq, inArray, isNull, sql } from 'drizzle-orm';\nimport type { PgTableWithColumns, PgColumn } from 'drizzle-orm/pg-core';\nimport type { SQL } from 'drizzle-orm';\nimport type { DrizzleClient, DrizzleTx } from '../types/drizzle';\nimport {\n  requireRequester,\n  tryGetRequester,\n  type RequesterScope,\n} from './tenant-context';\n\n// ============================================================================\n// Interfaces\n// ============================================================================\n\n/**\n * Behavior flags for the repository. Controls automatic timestamp injection\n * and soft-delete filtering.\n */\nexport interface BehaviorConfig {\n  timestamps: boolean;\n  softDelete: boolean;\n  userTracking: boolean;\n}\n\n/**\n * Options for the list() method.\n */\nexport interface ListOptions {\n  where?: SQL;\n  limit?: number;\n  offset?: number;\n  orderBy?: PgColumn | SQL;\n}\n\n// ============================================================================\n// BaseRepository\n// ============================================================================\n\nexport abstract class BaseRepository<TEntity> {\n  /**\n   * The Drizzle table schema for this entity.\n   * Concrete repositories declare this as a class property.\n   */\n  protected abstract readonly table: PgTableWithColumns<any>; // eslint-disable-line @typescript-eslint/no-explicit-any\n\n  /**\n   * Behavior flags controlling automatic behavior injection.\n   * Override in concrete repositories to enable behaviors.\n   */\n  protected readonly behaviors: BehaviorConfig = {\n    timestamps: false,\n    softDelete: false,\n    userTracking: false,\n  };\n\n  /**\n   * Ambient tenant-scope enforcement for `userTracking` repos (see\n   * `scopePredicate`). Only has effect when `behaviors.userTracking === true`.\n   *\n   * - `'lenient'` (default): when no ambient requester context is active,\n   *   reads/writes are NOT scoped — preserves pre-scoping behavior, so adopting\n   *   ambient scoping is additive. Scoping kicks in automatically once a\n   *   boundary installs `withRequester(...)`.\n   * - `'strict'`: a missing ambient context throws (`requireRequester`),\n   *   making a forgotten boundary fail loud instead of silently returning\n   *   cross-tenant rows. Recommended for new multi-tenant consumers — override\n   *   in a concrete repo or a family base class.\n   */\n  protected readonly scopeEnforcement: 'lenient' | 'strict' = 'lenient';\n\n  protected readonly db: DrizzleClient;\n\n  constructor(db: DrizzleClient) {\n    this.db = db;\n  }\n\n  /**\n   * Pick the runner for a write: the caller-supplied transaction handle\n   * if present, otherwise the repository's own client. Keeps the `tx`\n   * parameter purely additive — callers without a transaction call as\n   * before. Used by the write methods below + consumer overrides (e.g.\n   * the generated `upsertCurrentValues` on EAV value tables).\n   */\n  protected runner(tx?: DrizzleTx): DrizzleClient {\n    return tx ?? this.db;\n  }\n\n  // ============================================================================\n  // Read Operations\n  // ============================================================================\n\n  /**\n   * Find a single entity by its primary key.\n   * Returns null if not found (or soft-deleted when softDelete=true).\n   */\n  async findById(id: string): Promise<TEntity | null> {\n    const rows = await this.baseQuery(eq(this.table['id'], id)).limit(1);\n    return (rows[0] as TEntity) ?? null;\n  }\n\n  /**\n   * Find multiple entities by their primary keys.\n   * Returns empty array immediately for empty input (avoids DB errors).\n   */\n  async findByIds(ids: string[]): Promise<TEntity[]> {\n    if (ids.length === 0) return [];\n    const rows = await this.baseQuery(inArray(this.table['id'], ids));\n    return rows as TEntity[];\n  }\n\n  /**\n   * List entities with optional filtering, pagination, and ordering.\n   */\n  async list(options?: ListOptions): Promise<TEntity[]> {\n    let query = this.baseQuery(options?.where);\n\n    if (options?.orderBy) {\n      query = query.orderBy(options.orderBy as SQL) as typeof query;\n    }\n    if (options?.limit !== undefined) {\n      query = query.limit(options.limit) as typeof query;\n    }\n    if (options?.offset !== undefined) {\n      query = query.offset(options.offset) as typeof query;\n    }\n\n    const rows = await query;\n    return rows as TEntity[];\n  }\n\n  /**\n   * Count entities matching an optional WHERE clause.\n   * Soft-deleted rows are always excluded when softDelete=true.\n   */\n  async count(where?: SQL): Promise<number> {\n    let query = this.db\n      .select({ count: sql<number>`cast(count(*) as integer)` })\n      .from(this.table);\n\n    const conditions: SQL[] = [];\n    if (this.behaviors.softDelete) {\n      conditions.push(isNull(this.table['deletedAt']));\n    }\n    const scope = this.scopePredicate();\n    if (scope) {\n      conditions.push(scope);\n    }\n    if (where) {\n      conditions.push(where);\n    }\n\n    if (conditions.length === 1) {\n      query = query.where(conditions[0]) as typeof query;\n    } else if (conditions.length > 1) {\n      query = query.where(and(...conditions)) as typeof query;\n    }\n\n    const rows = await query;\n    return rows[0]?.count ?? 0;\n  }\n\n  /**\n   * Check whether an entity with the given id exists.\n   */\n  async exists(id: string): Promise<boolean> {\n    const result = await this.findById(id);\n    return result !== null;\n  }\n\n  // ============================================================================\n  // Write Operations\n  // ============================================================================\n\n  /**\n   * Insert a new entity. Timestamps are auto-injected when timestamps=true.\n   */\n  async create(input: Partial<TEntity>, tx?: DrizzleTx): Promise<TEntity> {\n    const data = this.withTimestamps(input as Record<string, unknown>, 'create');\n    const rows = await this.runner(tx)\n      .insert(this.table)\n      .values(data as any) // eslint-disable-line @typescript-eslint/no-explicit-any\n      .returning();\n    return rows[0] as TEntity;\n  }\n\n  /**\n   * Update an existing entity by id. updatedAt is auto-injected when timestamps=true.\n   * Returns the updated entity.\n   */\n  async update(id: string, input: Partial<TEntity>, tx?: DrizzleTx): Promise<TEntity> {\n    const data = this.withTimestamps(input as Record<string, unknown>, 'update');\n    const rows = await this.runner(tx)\n      .update(this.table)\n      .set(data as any) // eslint-disable-line @typescript-eslint/no-explicit-any\n      .where(this.scopeAnd(eq(this.table['id'], id)))\n      .returning();\n    return rows[0] as TEntity;\n  }\n\n  /**\n   * Delete an entity by id.\n   * - softDelete=true: sets deletedAt to current timestamp\n   * - softDelete=false: hard-deletes the row\n   */\n  async delete(id: string, tx?: DrizzleTx): Promise<void> {\n    const runner = this.runner(tx);\n    if (this.behaviors.softDelete) {\n      await runner\n        .update(this.table)\n        .set({ deletedAt: new Date() } as any) // eslint-disable-line @typescript-eslint/no-explicit-any\n        .where(this.scopeAnd(eq(this.table['id'], id)));\n    } else {\n      await runner\n        .delete(this.table)\n        .where(this.scopeAnd(eq(this.table['id'], id)));\n    }\n  }\n\n  /**\n   * Insert or update multiple entities.\n   * Default naive implementation — family repositories override with\n   * proper conflict-target upsert (e.g., CrmEntityRepository).\n   */\n  async upsertMany(inputs: Array<Partial<TEntity>>, tx?: DrizzleTx): Promise<TEntity[]> {\n    return Promise.all(inputs.map((input) => this.create(input, tx)));\n  }\n\n  // ============================================================================\n  // Protected Helpers\n  // ============================================================================\n\n  /**\n   * Base SELECT query that automatically applies the ambient guards —\n   * soft-delete exclusion (when `softDelete`) and tenant scope (when\n   * `userTracking` + an active requester context) — combined with an optional\n   * caller `extra` predicate into a SINGLE `WHERE`.\n   *\n   * Pass the leaf predicate as `extra` rather than chaining a second\n   * `.where(...)`: Drizzle's `.where()` OVERRIDES (does not AND) a prior\n   * `.where()` on a `$dynamic()` query, so a chained call would silently drop\n   * the soft-delete and scope guards. `baseQuery(extra)` is the safe form.\n   */\n  protected baseQuery(extra?: SQL) {\n    const query = this.db.select().from(this.table).$dynamic();\n    const where = this.scopeAnd(extra, { softDelete: this.behaviors.softDelete });\n    return where ? query.where(where) : query;\n  }\n\n  /**\n   * Build the ambient tenant-scope predicate for this repo's table.\n   *\n   * Returns `undefined` (no scoping) when:\n   *   - `behaviors.userTracking` is false (repo is not user-owned), or\n   *   - no ambient requester context is active AND `scopeEnforcement` is\n   *     `'lenient'` (the default — preserves pre-scoping behavior).\n   *\n   * When a requester context is active, scopes by `user_id` per the ambient\n   * scope: `'user'` → `user_id = ctx.userId`; `'org'` → `user_id IN\n   * ctx.orgUserIds` (empty list matches nothing — fail-closed); `'superuser'`\n   * → no filter. See `tenant-context.ts` for the boundary-install contract.\n   */\n  protected scopePredicate(): SQL | undefined {\n    if (!this.behaviors.userTracking) return undefined;\n    const ctx =\n      this.scopeEnforcement === 'strict'\n        ? requireRequester()\n        : tryGetRequester();\n    if (!ctx) return undefined;\n    const scope: RequesterScope = ctx.scope ?? 'user';\n    switch (scope) {\n      case 'superuser':\n        return undefined;\n      case 'org':\n        return ctx.orgUserIds && ctx.orgUserIds.length > 0\n          ? inArray(this.table['userId'], ctx.orgUserIds as string[])\n          : sql`false`;\n      case 'user':\n      default:\n        return eq(this.table['userId'], ctx.userId);\n    }\n  }\n\n  /**\n   * Combine the ambient scope predicate (and, optionally, the soft-delete\n   * guard) with a caller `extra` predicate into one `SQL`. Returns `undefined`\n   * when nothing applies. Used by read + by-id write paths so a single\n   * `.where(...)` carries every guard.\n   */\n  protected scopeAnd(\n    extra?: SQL,\n    opts?: { softDelete?: boolean },\n  ): SQL | undefined {\n    const conditions: SQL[] = [];\n    if (opts?.softDelete) conditions.push(isNull(this.table['deletedAt']));\n    const scope = this.scopePredicate();\n    if (scope) conditions.push(scope);\n    if (extra) conditions.push(extra);\n    if (conditions.length === 0) return undefined;\n    if (conditions.length === 1) return conditions[0];\n    return and(...conditions);\n  }\n\n  /**\n   * Merge timestamp fields into an input object.\n   * - mode='create': adds createdAt and updatedAt\n   * - mode='update': adds updatedAt only\n   *\n   * No-op when timestamps behavior is disabled.\n   */\n  protected withTimestamps(\n    input: Record<string, unknown>,\n    mode: 'create' | 'update',\n  ): Record<string, unknown> {\n    if (!this.behaviors.timestamps) return input;\n    const now = new Date();\n    if (mode === 'create') {\n      return { ...input, createdAt: now, updatedAt: now };\n    }\n    return { ...input, updatedAt: now };\n  }\n\n  /**\n   * Build a WHERE clause fragment that restricts results to rows whose\n   * parent (identified by a belongs_to FK) is not soft-deleted.\n   *\n   * Use this in custom repository methods when you need \"rows reachable\n   * from an active parent\". The default findAll / findById behavior is\n   * NOT changed by this helper — opt in explicitly where needed.\n   *\n   * ADR-021 — Soft-delete cascade: Option A (filter at query time).\n   * `on_delete` FK rules do not fire for soft-deletes; use this helper\n   * instead of expecting cascade semantics on the DB level.\n   *\n   * Example:\n   *   async listActiveMessages(): Promise<Message[]> {\n   *     return this.list({\n   *       where: this.activeParentFilter(conversations, this.table['conversationId']),\n   *     });\n   *   }\n   *\n   * @param parentTable  The Drizzle table object for the parent entity.\n   * @param parentFkColumn  The FK column on this (child) table that references parent.id.\n   */\n  protected activeParentFilter(\n    parentTable: PgTableWithColumns<any>, // eslint-disable-line @typescript-eslint/no-explicit-any\n    parentFkColumn: PgColumn,\n  ): SQL {\n    return sql`EXISTS (\n      SELECT 1 FROM ${parentTable} p\n      WHERE p.id = ${parentFkColumn}\n        AND p.deleted_at IS NULL\n    )`;\n  }\n}\n","/**\n * Ambient requester context — AsyncLocalStorage-backed tenant scope.\n *\n * The alternative to threading `userId`/`organizationId` through every\n * repository/service signature. Set ONCE at each boundary the generated app\n * owns, read implicitly inside `BaseRepository` (see `scopePredicate`).\n *\n * ## Where to set it (boundaries)\n *\n *   - HTTP / tRPC handlers — from the authenticated `ctx.user`\n *   - OAuth callback controllers — from the authenticated session\n *   - Queue/worker `process()` — from the job's owning user after the\n *     job's record is loaded\n *\n * Each boundary wraps the rest of the request in `withRequester({ userId,\n * organizationId }, () => ...)`. The context propagates through every `await`\n * to all downstream repo/service calls without being passed explicitly.\n *\n * ## Where to read it\n *\n *   - `BaseRepository.scopePredicate()` reads it (via `tryGetRequester` in\n *     lenient mode, `requireRequester` in strict mode) and filters every read\n *     by the ambient scope when the repo declares `userTracking: true`.\n *\n * ## Why AsyncLocalStorage over an explicit parameter\n *\n * Threading `userId` (and later `organizationId`) through dozens of method\n * signatures is pure parameter pollution. Ambient context also lets a repo\n * make the \"I forgot to scope\" mistake impossible at runtime: in strict mode\n * `requireRequester()` throws when no context is active, surfacing a missing\n * boundary call loudly rather than silently leaking cross-tenant data.\n *\n * ## Not-found semantics\n *\n * When a row exists but belongs to a different requester, scoped reads return\n * `null`/`[]` — identical to \"truly doesn't exist\". No existence oracle;\n * callers throw NotFound uniformly. Standard security practice.\n *\n * ## Testing\n *\n * Tests that exercise scoped repos must wrap the call in `withRequester(...)`.\n * In strict mode an unwrapped call hitting `requireRequester()` throws — by\n * design. In lenient mode (the default) an unwrapped call is simply unscoped.\n */\nimport { AsyncLocalStorage } from 'node:async_hooks';\n\n/**\n * Data-visibility scope. The auth layer decides which scope a request is\n * allowed to claim; the repo trusts whatever the ambient context says.\n *\n * - `'user'`: filter every read by `user_id = ctx.userId`. Default.\n * - `'org'`: filter every read by membership in the requester's org, resolved\n *   via `user_id IN (ctx.orgUserIds)` rather than via a per-entity\n *   `organization_id` column. Works for every user-owned table and keeps repos\n *   single-table — the org member list is pre-resolved at the boundary.\n * - `'superuser'`: no scope filter. Engineering / internal-tools only.\n *\n * AUTHORIZATION (who is allowed to claim each scope) lives in boundary\n * middleware, not in the repo. The repo trusts the ambient context — same\n * trust model as a threaded `userId`.\n */\nexport type RequesterScope = 'user' | 'org' | 'superuser';\n\nexport interface RequesterContext {\n  /**\n   * The user making the request. Always present — even in `'org'` and\n   * `'superuser'` scopes it is the audit-trail \"who actually did this\".\n   */\n  readonly userId: string;\n  /**\n   * The organization the requester belongs to. Required when\n   * `scope === 'org'`; may be null for `'user'` (users with no org) and for\n   * `'superuser'` (cross-org reads).\n   */\n  readonly organizationId: string | null;\n  /**\n   * Data-visibility scope. Defaults to `'user'` when omitted.\n   */\n  readonly scope?: RequesterScope;\n  /**\n   * For `scope === 'org'`: the list of user IDs in the requester's org,\n   * pre-resolved by the boundary middleware that established the `'org'`\n   * scope (one `SELECT users.id WHERE organization_id = X` at the trust\n   * boundary). Repos use this as a literal `IN (...)` filter — they never\n   * JOIN to `users` themselves. Required when `scope === 'org'`.\n   */\n  readonly orgUserIds?: readonly string[];\n}\n\nconst als = new AsyncLocalStorage<RequesterContext>();\n\n/**\n * Set the ambient requester context for the duration of `fn`. The context\n * propagates through `await` boundaries to all downstream calls. Nesting is\n * fine — an inner `withRequester` overrides the outer for its callback.\n */\nexport function withRequester<T>(\n  ctx: RequesterContext,\n  fn: () => Promise<T>,\n): Promise<T> {\n  return als.run(ctx, fn);\n}\n\n/**\n * Read the ambient requester context. Throws if no context is active — by\n * design. Used by repos in strict scope-enforcement mode; an unwrapped call\n * site is a missing boundary.\n */\nexport function requireRequester(): RequesterContext {\n  const ctx = als.getStore();\n  if (!ctx) {\n    throw new Error(\n      'No requester context active. Wrap the entry point in ' +\n        'withRequester({ userId, organizationId }, fn). See tenant-context.ts.',\n    );\n  }\n  return ctx;\n}\n\n/**\n * Read the ambient requester context without throwing. Returns `undefined`\n * when no context is active. Used by repos in lenient scope-enforcement mode\n * (the default) and by code paths that legitimately run outside a request.\n */\nexport function tryGetRequester(): RequesterContext | undefined {\n  return als.getStore();\n}\n\n/**\n * Resolve the effective scope for the ambient context, defaulting to `'user'`.\n */\nexport function requireRequesterScope(): RequesterScope {\n  return requireRequester().scope ?? 'user';\n}\n\n/**\n * Convenience helpers for setting scope explicitly. All three preserve\n * `userId` in the context (audit trail) regardless of scope.\n *\n * - `withUserScope`: regular end-user requests. Most call sites.\n * - `withOrgScope`: admin / org-shared resource access. The caller MUST verify\n *   the requester's role permits `'org'` before calling — the helper does not\n *   enforce authorization. `orgUserIds` is pre-resolved at the boundary.\n * - `withSuperuserScope`: engineering scripts / internal tools. `organizationId`\n *   is null (cross-org is the point). Same authorization caveat applies.\n */\nexport function withUserScope<T>(\n  userId: string,\n  organizationId: string | null,\n  fn: () => Promise<T>,\n): Promise<T> {\n  return withRequester({ userId, organizationId, scope: 'user' }, fn);\n}\n\nexport function withOrgScope<T>(\n  userId: string,\n  organizationId: string,\n  orgUserIds: readonly string[],\n  fn: () => Promise<T>,\n): Promise<T> {\n  return withRequester(\n    { userId, organizationId, scope: 'org', orgUserIds },\n    fn,\n  );\n}\n\nexport function withSuperuserScope<T>(\n  userId: string,\n  fn: () => Promise<T>,\n): Promise<T> {\n  return withRequester(\n    { userId, organizationId: null, scope: 'superuser' },\n    fn,\n  );\n}\n"],"mappings":";AAWA,SAAS,OAAAA,MAAK,MAAAC,KAAI,WAAAC,gBAAe;;;ACAjC,SAAS,KAAK,IAAI,SAAS,QAAQ,WAAW;;;ACiC9C,SAAS,yBAAyB;AA6ClC,IAAM,MAAM,IAAI,kBAAoC;AAmB7C,SAAS,mBAAqC;AACnD,QAAM,MAAM,IAAI,SAAS;AACzB,MAAI,CAAC,KAAK;AACR,UAAM,IAAI;AAAA,MACR;AAAA,IAEF;AAAA,EACF;AACA,SAAO;AACT;AAOO,SAAS,kBAAgD;AAC9D,SAAO,IAAI,SAAS;AACtB;;;AD7EO,IAAe,iBAAf,MAAuC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWzB,YAA4B;AAAA,IAC7C,YAAY;AAAA,IACZ,YAAY;AAAA,IACZ,cAAc;AAAA,EAChB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAemB,mBAAyC;AAAA,EAEzC;AAAA,EAEnB,YAAY,IAAmB;AAC7B,SAAK,KAAK;AAAA,EACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASU,OAAO,IAA+B;AAC9C,WAAO,MAAM,KAAK;AAAA,EACpB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAM,SAAS,IAAqC;AAClD,UAAM,OAAO,MAAM,KAAK,UAAU,GAAG,KAAK,MAAM,IAAI,GAAG,EAAE,CAAC,EAAE,MAAM,CAAC;AACnE,WAAQ,KAAK,CAAC,KAAiB;AAAA,EACjC;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,UAAU,KAAmC;AACjD,QAAI,IAAI,WAAW,EAAG,QAAO,CAAC;AAC9B,UAAM,OAAO,MAAM,KAAK,UAAU,QAAQ,KAAK,MAAM,IAAI,GAAG,GAAG,CAAC;AAChE,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,KAAK,SAA2C;AACpD,QAAI,QAAQ,KAAK,UAAU,SAAS,KAAK;AAEzC,QAAI,SAAS,SAAS;AACpB,cAAQ,MAAM,QAAQ,QAAQ,OAAc;AAAA,IAC9C;AACA,QAAI,SAAS,UAAU,QAAW;AAChC,cAAQ,MAAM,MAAM,QAAQ,KAAK;AAAA,IACnC;AACA,QAAI,SAAS,WAAW,QAAW;AACjC,cAAQ,MAAM,OAAO,QAAQ,MAAM;AAAA,IACrC;AAEA,UAAM,OAAO,MAAM;AACnB,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,MAAM,OAA8B;AACxC,QAAI,QAAQ,KAAK,GACd,OAAO,EAAE,OAAO,+BAAuC,CAAC,EACxD,KAAK,KAAK,KAAK;AAElB,UAAM,aAAoB,CAAC;AAC3B,QAAI,KAAK,UAAU,YAAY;AAC7B,iBAAW,KAAK,OAAO,KAAK,MAAM,WAAW,CAAC,CAAC;AAAA,IACjD;AACA,UAAM,QAAQ,KAAK,eAAe;AAClC,QAAI,OAAO;AACT,iBAAW,KAAK,KAAK;AAAA,IACvB;AACA,QAAI,OAAO;AACT,iBAAW,KAAK,KAAK;AAAA,IACvB;AAEA,QAAI,WAAW,WAAW,GAAG;AAC3B,cAAQ,MAAM,MAAM,WAAW,CAAC,CAAC;AAAA,IACnC,WAAW,WAAW,SAAS,GAAG;AAChC,cAAQ,MAAM,MAAM,IAAI,GAAG,UAAU,CAAC;AAAA,IACxC;AAEA,UAAM,OAAO,MAAM;AACnB,WAAO,KAAK,CAAC,GAAG,SAAS;AAAA,EAC3B;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,OAAO,IAA8B;AACzC,UAAM,SAAS,MAAM,KAAK,SAAS,EAAE;AACrC,WAAO,WAAW;AAAA,EACpB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,OAAO,OAAyB,IAAkC;AACtE,UAAM,OAAO,KAAK,eAAe,OAAkC,QAAQ;AAC3E,UAAM,OAAO,MAAM,KAAK,OAAO,EAAE,EAC9B,OAAO,KAAK,KAAK,EACjB,OAAO,IAAW,EAClB,UAAU;AACb,WAAO,KAAK,CAAC;AAAA,EACf;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,OAAO,IAAY,OAAyB,IAAkC;AAClF,UAAM,OAAO,KAAK,eAAe,OAAkC,QAAQ;AAC3E,UAAM,OAAO,MAAM,KAAK,OAAO,EAAE,EAC9B,OAAO,KAAK,KAAK,EACjB,IAAI,IAAW,EACf,MAAM,KAAK,SAAS,GAAG,KAAK,MAAM,IAAI,GAAG,EAAE,CAAC,CAAC,EAC7C,UAAU;AACb,WAAO,KAAK,CAAC;AAAA,EACf;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,OAAO,IAAY,IAA+B;AACtD,UAAM,SAAS,KAAK,OAAO,EAAE;AAC7B,QAAI,KAAK,UAAU,YAAY;AAC7B,YAAM,OACH,OAAO,KAAK,KAAK,EACjB,IAAI,EAAE,WAAW,oBAAI,KAAK,EAAE,CAAQ,EACpC,MAAM,KAAK,SAAS,GAAG,KAAK,MAAM,IAAI,GAAG,EAAE,CAAC,CAAC;AAAA,IAClD,OAAO;AACL,YAAM,OACH,OAAO,KAAK,KAAK,EACjB,MAAM,KAAK,SAAS,GAAG,KAAK,MAAM,IAAI,GAAG,EAAE,CAAC,CAAC;AAAA,IAClD;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,WAAW,QAAiC,IAAoC;AACpF,WAAO,QAAQ,IAAI,OAAO,IAAI,CAAC,UAAU,KAAK,OAAO,OAAO,EAAE,CAAC,CAAC;AAAA,EAClE;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAiBU,UAAU,OAAa;AAC/B,UAAM,QAAQ,KAAK,GAAG,OAAO,EAAE,KAAK,KAAK,KAAK,EAAE,SAAS;AACzD,UAAM,QAAQ,KAAK,SAAS,OAAO,EAAE,YAAY,KAAK,UAAU,WAAW,CAAC;AAC5E,WAAO,QAAQ,MAAM,MAAM,KAAK,IAAI;AAAA,EACtC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAeU,iBAAkC;AAC1C,QAAI,CAAC,KAAK,UAAU,aAAc,QAAO;AACzC,UAAM,MACJ,KAAK,qBAAqB,WACtB,iBAAiB,IACjB,gBAAgB;AACtB,QAAI,CAAC,IAAK,QAAO;AACjB,UAAM,QAAwB,IAAI,SAAS;AAC3C,YAAQ,OAAO;AAAA,MACb,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO,IAAI,cAAc,IAAI,WAAW,SAAS,IAC7C,QAAQ,KAAK,MAAM,QAAQ,GAAG,IAAI,UAAsB,IACxD;AAAA,MACN,KAAK;AAAA,MACL;AACE,eAAO,GAAG,KAAK,MAAM,QAAQ,GAAG,IAAI,MAAM;AAAA,IAC9C;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQU,SACR,OACA,MACiB;AACjB,UAAM,aAAoB,CAAC;AAC3B,QAAI,MAAM,WAAY,YAAW,KAAK,OAAO,KAAK,MAAM,WAAW,CAAC,CAAC;AACrE,UAAM,QAAQ,KAAK,eAAe;AAClC,QAAI,MAAO,YAAW,KAAK,KAAK;AAChC,QAAI,MAAO,YAAW,KAAK,KAAK;AAChC,QAAI,WAAW,WAAW,EAAG,QAAO;AACpC,QAAI,WAAW,WAAW,EAAG,QAAO,WAAW,CAAC;AAChD,WAAO,IAAI,GAAG,UAAU;AAAA,EAC1B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASU,eACR,OACA,MACyB;AACzB,QAAI,CAAC,KAAK,UAAU,WAAY,QAAO;AACvC,UAAM,MAAM,oBAAI,KAAK;AACrB,QAAI,SAAS,UAAU;AACrB,aAAO,EAAE,GAAG,OAAO,WAAW,KAAK,WAAW,IAAI;AAAA,IACpD;AACA,WAAO,EAAE,GAAG,OAAO,WAAW,IAAI;AAAA,EACpC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAwBU,mBACR,aACA,gBACK;AACL,WAAO;AAAA,sBACW,WAAW;AAAA,qBACZ,cAAc;AAAA;AAAA;AAAA,EAGjC;AACF;;;AD1VO,IAAe,6BAAf,cAIG,eAAwB;AAAA;AAAA;AAAA;AAAA,EAUhC,MAAM,iBAAiB,YAA6C;AAClE,UAAM,OAAO,MAAM,KAAK,UAAU,EAC/B,MAAMC,IAAG,KAAK,MAAM,YAAY,GAAG,UAAU,CAAC,EAC9C,MAAM,CAAC;AACV,WAAQ,KAAK,CAAC,KAAiB;AAAA,EACjC;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,sBAAsB,aAA2C;AACrE,QAAI,YAAY,WAAW,EAAG,QAAO,CAAC;AACtC,UAAM,OAAO,MAAM,KAAK,UAAU,EAC/B,MAAMC,SAAQ,KAAK,MAAM,YAAY,GAAG,WAAW,CAAC;AACvD,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,gBAAgB,QAAoC;AACxD,UAAM,OAAO,MAAM,KAAK,UAAU,EAC/B,MAAMD,IAAG,KAAK,MAAM,QAAQ,GAAG,MAAM,CAAC;AACzC,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA0BA,MAAM,qBACJ,OACA,UACA,IACiC;AACjC,UAAM,MAAM,KAAK;AACjB,UAAM,IAAI;AAEV,UAAM,MAAM,OAAO,OAAmD;AAEpE,YAAM,cAA6C,CAAC;AACpD,iBAAW,MAAM,IAAI,aAAa;AAChC,oBAAY,GAAG,MAAM,IAAI,MAAM,KAAK,UAAU,IAAI,IAAI,EAAE,GAAG,QAAQ,GAAG,QAAQ;AAAA,MAChF;AAGA,YAAM,MAAM,oBAAI,KAAK;AACrB,YAAM,cAAuC,CAAC;AAC9C,iBAAW,OAAO,IAAI,aAAc,aAAY,GAAG,IAAI,EAAE,GAAG;AAE5D,YAAM,SAAkC;AAAA,QACtC,YAAY,EAAE,YAAY;AAAA,QAC1B;AAAA,QACA,GAAG;AAAA,QACH,GAAG;AAAA,QACH,GAAI,KAAK,UAAU,aAAa,EAAE,WAAW,IAAI,IAAI,CAAC;AAAA,MACxD;AAKA,YAAM,MAA+B;AAAA,QACnC,GAAG;AAAA,QACH,GAAI,KAAK,UAAU,aAAa,EAAE,WAAW,IAAI,IAAI,CAAC;AAAA,MACxD;AACA,iBAAW,MAAM,IAAI,aAAa;AAChC,YAAI,YAAY,GAAG,MAAM,MAAM,KAAM,KAAI,GAAG,MAAM,IAAI,YAAY,GAAG,MAAM;AAAA,MAC7E;AAEA,YAAM,OAAO,MAAM,GAChB,OAAO,KAAK,KAAK,EACjB,OAAO,MAAe,EACtB,mBAAmB;AAAA,QAClB,QAAQ,IAAI,eAAe,IAAI,CAAC,MAAc,KAAK,MAAM,CAAC,CAAC;AAAA,QAC3D;AAAA,MACF,CAAC,EACA,UAAU;AAEb,YAAM,QAAQ,KAAK,CAAC;AAGpB,YAAM,SAAS,EAAE,QAAQ;AACzB,UAAI,IAAI,OAAO,UAAU,OAAO,KAAK,MAAM,EAAE,SAAS,GAAG;AACvD,cAAM,KAAK;AAAA,UACT;AAAA,UACA,MAAM,IAAI;AAAA,UACV,EAAE,QAAQ;AAAA,UACV;AAAA,QACF;AAAA,MACF;AAEA,aAAO,KAAK,aAAa,KAAgB;AAAA,IAC3C;AAEA,WAAO,KAAK,IAAI,EAAE,IAAI,KAAK,GAAG,YAAY,CAAC,MAAM,IAAI,CAAC,CAAC;AAAA,EACzD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,0BACJ,YACA,UACwC;AACxC,UAAM,OAAO,MAAM,KAAK,GACrB,OAAO,EACP,KAAK,KAAK,KAAK,EACf;AAAA,MACCE;AAAA,QACEF,IAAG,KAAK,MAAM,UAAU,GAAG,QAAQ;AAAA,QACnCA,IAAG,KAAK,MAAM,YAAY,GAAG,UAAU;AAAA,MACzC;AAAA,IACF,EACC,MAAM,CAAC;AACV,UAAM,MAAM,KAAK,CAAC;AAClB,WAAO,MAAM,KAAK,aAAa,GAAG,IAAI;AAAA,EACxC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,uBACJ,YACA,UACA,IACgC;AAChC,UAAM,KAAK,KAAK,OAAO,EAAE;AACzB,UAAM,MAAM,KAAK,kBAAkB,aAC/B,EAAE,WAAW,oBAAI,KAAK,GAAG,WAAW,oBAAI,KAAK,EAAE,IAC/C,EAAE,YAAY,MAAM,UAAU,MAAM,WAAW,oBAAI,KAAK,EAAE;AAC9D,UAAM,OAAO,MAAM,GAChB,OAAO,KAAK,KAAK,EACjB,IAAI,GAAY,EAChB;AAAA,MACCE;AAAA,QACEF,IAAG,KAAK,MAAM,UAAU,GAAG,QAAQ;AAAA,QACnCA,IAAG,KAAK,MAAM,YAAY,GAAG,UAAU;AAAA,MACzC;AAAA,IACF,EACC,UAAU,EAAE,IAAI,KAAK,MAAM,IAAI,EAAE,CAAC;AACrC,WAAO,KAAK,CAAC,IAAI,EAAE,IAAI,KAAK,CAAC,EAAE,GAAa,IAAI;AAAA,EAClD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,kBAAkB,QAAqD;AAC3E,QAAI,OAAO,WAAW,EAAG,QAAO,CAAC;AACjC,WAAO,KAAK,GAAG,YAAY,OAAO,OAAO;AACvC,YAAM,MAAiB,CAAC;AACxB,iBAAW,SAAS,QAAQ;AAC1B,cAAM,MAAM;AACZ,YAAI,CAAC,IAAI,YAAY,KAAK,CAAC,IAAI,UAAU,EAAG;AAC5C,cAAM,OAAO,MAAM,KAAK;AAAA,UACtB;AAAA,UACA,IAAI,UAAU;AAAA,UACd;AAAA,QACF;AACA,cAAM,KAAM,KAAiC,IAAI;AACjD,cAAM,MAAM,MAAM,GACf,OAAO,EACP,KAAK,KAAK,KAAK,EACf,MAAMA,IAAG,KAAK,MAAM,IAAI,GAAG,EAAE,CAAC,EAC9B,MAAM,CAAC;AACV,YAAI,KAAK,IAAI,CAAC,CAAY;AAAA,MAC5B;AACA,aAAO;AAAA,IACT,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOU,aAAa,KAAsC;AAC3D,UAAM,IAAI;AACV,UAAM,MAA+B,CAAC;AACtC,eAAW,OAAO,KAAK,kBAAkB,kBAAmB,KAAI,GAAG,IAAI,EAAE,GAAG;AAC5E,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAgB,kBACd,KACA,WACA,SACA,SACe;AAAA,EAEjB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAc,UACZ,IACA,IACA,eACA,UACwB;AACxB,UAAM,mBAAmB;AACzB,QAAI,CAAC,kBAAkB;AACrB,UAAI,GAAG,QAAQ;AACb,cAAM,IAAI;AAAA,UACR,GAAG,KAAK,YAAY,IAAI,mEACF,GAAG,MAAM,gBAAgB,GAAG,QAAQ;AAAA,QAC5D;AAAA,MACF;AACA,aAAO;AAAA,IACT;AAEA,UAAM,WACJ,GAAG,aAAa,SAAS,KAAK,QAAQ,GAAG;AAC3C,UAAM,OAAO,MAAM,GAChB,OAAO,EAAE,IAAI,SAAS,IAAI,EAAE,CAAC,EAC7B,KAAK,QAAQ,EACb;AAAA,MACCE;AAAA,QACEF,IAAG,SAAS,UAAU,GAAG,QAAQ;AAAA,QACjCA,IAAG,SAAS,YAAY,GAAG,gBAAgB;AAAA,MAC7C;AAAA,IACF,EACC,MAAM,CAAC;AACV,UAAM,KAAM,KAAK,CAAC,GAAG,MAA6B;AAClD,QAAI,OAAO,QAAQ,GAAG,QAAQ;AAC5B,YAAM,IAAI;AAAA,QACR,GAAG,KAAK,YAAY,IAAI,6CAClB,gBAAgB,gBAAgB,QAAQ,WAAW,GAAG,MAAM;AAAA,MAEpE;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,oBAAoB,SAAqC;AAC7D,UAAM,IAAI,MAAM,4EAAuE;AAAA,EACzF;AACF;","names":["and","eq","inArray","eq","inArray","and"]}
+{"version":3,"sources":[],"sourcesContent":[],"mappings":"","names":[]}