@pattern-stack/codegen 0.7.8 → 0.8.0

package/dist/runtime/base-classes/synced-entity-repository.js.map

@@ -1 +1 @@
-{"version":3,"sources":["../../../runtime/base-classes/synced-entity-repository.ts","../../../runtime/base-classes/base-repository.ts"],"sourcesContent":["/**\n * SyncedEntityRepository<TEntity, TSyncWrite, TSyncProjection>\n *\n * Family-specific base for Synced entities (contacts, accounts, opportunities).\n * Adds external ID lookups, user-scoped queries, and the generic inbound-sync\n * write surface (canonical→Drizzle upsert + provider-scoped FK resolution +\n * EAV dual-write seam), driven by the concrete repo's `syncConfig`.\n *\n * The type params default so pre-existing single-param subclasses keep\n * compiling; `pattern: Synced` repos declare all three plus `syncConfig`.\n */\nimport { and, eq, inArray } from 'drizzle-orm';\n// eslint-disable-next-line @typescript-eslint/no-explicit-any\nimport type { PgTableWithColumns } from 'drizzle-orm/pg-core';\nimport type { DrizzleTx } from '../types/drizzle';\nimport { BaseRepository } from './base-repository';\nimport type { SyncUpsertConfig, SyncFkResolver } from './sync-upsert-config';\n\nexport abstract class SyncedEntityRepository<\n  TEntity,\n  TSyncWrite = Partial<TEntity>,\n  TSyncProjection = TEntity,\n> extends BaseRepository<TEntity> {\n  /**\n   * Declarative sync write surface. Concrete (`pattern: Synced`) repositories\n   * declare this — the template emits it from the entity's fields + FKs.\n   */\n  protected abstract readonly syncConfig: SyncUpsertConfig;\n\n  /**\n   * Find a single entity by its external CRM identifier.\n   */\n  async findByExternalId(externalId: string): Promise<TEntity | null> {\n    const rows = await this.baseQuery()\n      .where(eq(this.table['externalId'], externalId))\n      .limit(1);\n    return (rows[0] as TEntity) ?? null;\n  }\n\n  /**\n   * Find multiple entities by external CRM identifiers.\n   */\n  async findManyByExternalIds(externalIds: string[]): Promise<TEntity[]> {\n    if (externalIds.length === 0) return [];\n    const rows = await this.baseQuery()\n      .where(inArray(this.table['externalId'], externalIds));\n    return rows as TEntity[];\n  }\n\n  /**\n   * Find all entities owned by a specific user.\n   */\n  async findAllByUserId(userId: string): Promise<TEntity[]> {\n    const rows = await this.baseQuery()\n      .where(eq(this.table['userId'], userId));\n    return rows as TEntity[];\n  }\n\n  // ==========================================================================\n  // Inbound sync (#374) — canonical→Drizzle write + provider-scoped FK\n  // resolution + EAV dual-write seam, all inside a SINGLE transaction.\n  // Driven entirely by `this.syncConfig`; the per-entity shape lives there.\n  // ==========================================================================\n\n  /**\n   * Upsert ONE entity by its `(provider, externalId)` identity, in a single\n   * transaction:\n   *   1. resolve each `syncConfig.fkResolvers` FK (provider-scoped). Strict\n   *      resolvers throw on unresolved; non-strict leave the column null.\n   *   2. insert-or-update the canonical columns via `onConflictDoUpdate` on the\n   *      `conflictTarget`. Resolved FKs are only written into `set` when\n   *      non-null this run (no-clobber).\n   *   3. EAV dual-write of `write.fields` via `writeCustomFields` when\n   *      `syncConfig.eav` and the bag is non-empty (same tx).\n   *\n   * Idempotent: a second call with the same identity updates in place. Returns\n   * the canonical projection (so the orchestrator records `local_id`).\n   *\n   * @param write     canonical fields + parent external ids + custom-field bag\n   * @param provider  adapter/provider label persisted + used to scope lookups\n   * @param tx        optional outer transaction; when omitted we open our own\n   */\n  async syncUpsertOne(\n    write: TSyncWrite,\n    provider: string,\n    tx?: DrizzleTx,\n  ): Promise<TSyncProjection> {\n    const cfg = this.syncConfig;\n    const w = write as Record<string, unknown>;\n\n    const run = async (db: DrizzleTx): Promise<TSyncProjection> => {\n      // 1. FK resolution (provider-scoped). Strict → throw; else opportunistic null.\n      const resolvedFks: Record<string, string | null> = {};\n      for (const fk of cfg.fkResolvers) {\n        resolvedFks[fk.column] = await this.resolveFk(db, fk, w[fk.writeKey], provider);\n      }\n\n      // 2. Canonical → Drizzle insert-or-update by the conflict target.\n      const now = new Date();\n      const copyThrough: Record<string, unknown> = {};\n      for (const col of cfg.writeColumns) copyThrough[col] = w[col];\n\n      const values: Record<string, unknown> = {\n        externalId: w['externalId'],\n        provider,\n        ...copyThrough,\n        ...resolvedFks,\n        ...(this.behaviors.timestamps ? { updatedAt: now } : {}),\n      };\n\n      // `set` excludes the identity (externalId/provider). Resolved FKs are\n      // only written when non-null this run — never clobber a previously\n      // resolved parent with null on a later run that dropped the ref.\n      const set: Record<string, unknown> = {\n        ...copyThrough,\n        ...(this.behaviors.timestamps ? { updatedAt: now } : {}),\n      };\n      for (const fk of cfg.fkResolvers) {\n        if (resolvedFks[fk.column] !== null) set[fk.column] = resolvedFks[fk.column];\n      }\n\n      const rows = await db\n        .insert(this.table)\n        .values(values as never)\n        .onConflictDoUpdate({\n          target: cfg.conflictTarget.map((c: string) => this.table[c]),\n          set: set as never,\n        })\n        .returning();\n\n      const saved = rows[0] as Record<string, unknown>;\n\n      // 3. EAV dual-write seam — same tx. No-op unless the entity opts in.\n      const fields = w['fields'] as Record<string, unknown> | undefined;\n      if (cfg.eav && fields && Object.keys(fields).length > 0) {\n        await this.writeCustomFields(\n          db,\n          saved['id'] as string,\n          w['userId'] as string,\n          fields,\n        );\n      }\n\n      return this.toProjection(saved as TEntity);\n    };\n\n    return tx ? run(tx) : this.db.transaction((t) => run(t));\n  }\n\n  /**\n   * Canonical-projected lookup by external id (differ-ready). Returns `null`\n   * when no local row exists. Provider-scoped so a HubSpot id can't match a\n   * Salesforce row.\n   */\n  async findByExternalIdProjected(\n    externalId: string,\n    provider: string,\n  ): Promise<TSyncProjection | null> {\n    const rows = await this.db\n      .select()\n      .from(this.table)\n      .where(\n        and(\n          eq(this.table['provider'], provider),\n          eq(this.table['externalId'], externalId),\n        ),\n      )\n      .limit(1);\n    const row = rows[0] as TEntity | undefined;\n    return row ? this.toProjection(row) : null;\n  }\n\n  /**\n   * Sync \"delete\" by external id, provider-scoped. When `softDelete: true`,\n   * sets `deletedAt`. When `softDelete: false`, tombstone-by-clearing: null out\n   * `external_id`/`provider` so the row no longer matches future inbound\n   * changes while preserving local-id references. Returns `{ id }` or `null`.\n   */\n  async softDeleteByExternalId(\n    externalId: string,\n    provider: string,\n    tx?: DrizzleTx,\n  ): Promise<{ id: string } | null> {\n    const db = this.runner(tx);\n    const set = this.syncConfig.softDelete\n      ? { deletedAt: new Date(), updatedAt: new Date() }\n      : { externalId: null, provider: null, updatedAt: new Date() };\n    const rows = await db\n      .update(this.table)\n      .set(set as never)\n      .where(\n        and(\n          eq(this.table['provider'], provider),\n          eq(this.table['externalId'], externalId),\n        ),\n      )\n      .returning({ id: this.table['id'] });\n    return rows[0] ? { id: rows[0].id as string } : null;\n  }\n\n  /**\n   * Batch sync upsert — concretizes the former abstract stub. Delegates to\n   * `syncUpsertOne` per input inside one transaction. Inputs are raw partial\n   * rows: provider is read from each input's own `provider` column; rows\n   * missing `externalId`/`provider` are skipped.\n   */\n  async syncUpsert(inputs: Array<Partial<TEntity>>): Promise<TEntity[]> {\n    if (inputs.length === 0) return [];\n    return this.db.transaction(async (tx) => {\n      const out: TEntity[] = [];\n      for (const input of inputs) {\n        const rec = input as Record<string, unknown>;\n        if (!rec['externalId'] || !rec['provider']) continue;\n        const proj = await this.syncUpsertOne(\n          input as unknown as TSyncWrite,\n          rec['provider'] as string,\n          tx,\n        );\n        const id = (proj as Record<string, unknown>)['id'] as string;\n        const row = await tx\n          .select()\n          .from(this.table)\n          .where(eq(this.table['id'], id))\n          .limit(1);\n        out.push(row[0] as TEntity);\n      }\n      return out;\n    });\n  }\n\n  /**\n   * Project a raw row to the canonical differ shape — a generic pick over\n   * `syncConfig.projectionColumns`. Override only for synthesized projections\n   * (e.g. junctions); entities use this verbatim.\n   */\n  protected toProjection(row: TEntity): TSyncProjection {\n    const r = row as Record<string, unknown>;\n    const out: Record<string, unknown> = {};\n    for (const col of this.syncConfig.projectionColumns) out[col] = r[col];\n    return out as TSyncProjection;\n  }\n\n  /**\n   * EAV dual-write seam (#374, live path lands in #124). No-op by default;\n   * `eav: true` entities emit a concrete override that injects\n   * `FieldValueService` and delegates to `upsertFieldsTransactional` so the\n   * dual-write joins the same tx (`db`). Kept as an explicit hook so the base\n   * stays portable (the FieldValueService dependency is eav-only).\n   */\n  protected async writeCustomFields(\n    _db: DrizzleTx,\n    _entityId: string,\n    _userId: string,\n    _fields: Record<string, unknown>,\n  ): Promise<void> {\n    // Intentionally empty until the entity opts into EAV.\n  }\n\n  /**\n   * Resolve one FK from a parent external id (provider-scoped). `self` resolves\n   * against `this.table`. Strict resolvers throw when unresolved; non-strict\n   * return null. A null/absent write value short-circuits to null.\n   */\n  private async resolveFk(\n    db: DrizzleTx,\n    fk: SyncFkResolver,\n    rawExternalId: unknown,\n    provider: string,\n  ): Promise<string | null> {\n    const parentExternalId = rawExternalId as string | null | undefined;\n    if (!parentExternalId) {\n      if (fk.strict) {\n        throw new Error(\n          `${this.constructor.name}.syncUpsertOne: missing required parent ` +\n            `external id for '${fk.column}' (writeKey '${fk.writeKey}')`,\n        );\n      }\n      return null;\n    }\n    // eslint-disable-next-line @typescript-eslint/no-explicit-any\n    const refTable: PgTableWithColumns<any> =\n      fk.refTable === 'self' ? this.table : fk.refTable;\n    const rows = await db\n      .select({ id: refTable['id'] })\n      .from(refTable)\n      .where(\n        and(\n          eq(refTable['provider'], provider),\n          eq(refTable['externalId'], parentExternalId),\n        ),\n      )\n      .limit(1);\n    const id = (rows[0]?.id as string | undefined) ?? null;\n    if (id === null && fk.strict) {\n      throw new Error(\n        `${this.constructor.name}.syncUpsertOne: unresolved parent ` +\n          `'${parentExternalId}' (provider '${provider}') for '${fk.column}' — ` +\n          `parent not synced yet`,\n      );\n    }\n    return id;\n  }\n\n  /**\n   * Find entities visible to a user (ownership + sharing rules).\n   * Concrete repositories must implement with visibility logic.\n   */\n  async findVisibleByUserId(_userId: string): Promise<TEntity[]> {\n    throw new Error('findVisibleByUserId not implemented — override in concrete repository');\n  }\n}\n","/**\n * BaseRepository<TEntity>\n *\n * Abstract base class providing standard CRUD operations via Drizzle ORM.\n * Every generated repository extends this class.\n *\n * Family-specific bases (CrmEntityRepository, etc.) extend this in v0.1\n * without any changes to BaseRepository.\n *\n * NOT @Injectable — concrete repositories are @Injectable and inject DRIZZLE.\n */\nimport { eq, inArray, isNull, sql } from 'drizzle-orm';\nimport type { PgTableWithColumns, PgColumn } from 'drizzle-orm/pg-core';\nimport type { SQL } from 'drizzle-orm';\nimport type { DrizzleClient, DrizzleTx } from '../types/drizzle';\n\n// ============================================================================\n// Interfaces\n// ============================================================================\n\n/**\n * Behavior flags for the repository. Controls automatic timestamp injection\n * and soft-delete filtering.\n */\nexport interface BehaviorConfig {\n  timestamps: boolean;\n  softDelete: boolean;\n  userTracking: boolean;\n}\n\n/**\n * Options for the list() method.\n */\nexport interface ListOptions {\n  where?: SQL;\n  limit?: number;\n  offset?: number;\n  orderBy?: PgColumn | SQL;\n}\n\n// ============================================================================\n// BaseRepository\n// ============================================================================\n\nexport abstract class BaseRepository<TEntity> {\n  /**\n   * The Drizzle table schema for this entity.\n   * Concrete repositories declare this as a class property.\n   */\n  protected abstract readonly table: PgTableWithColumns<any>; // eslint-disable-line @typescript-eslint/no-explicit-any\n\n  /**\n   * Behavior flags controlling automatic behavior injection.\n   * Override in concrete repositories to enable behaviors.\n   */\n  protected readonly behaviors: BehaviorConfig = {\n    timestamps: false,\n    softDelete: false,\n    userTracking: false,\n  };\n\n  protected readonly db: DrizzleClient;\n\n  constructor(db: DrizzleClient) {\n    this.db = db;\n  }\n\n  /**\n   * Pick the runner for a write: the caller-supplied transaction handle\n   * if present, otherwise the repository's own client. Keeps the `tx`\n   * parameter purely additive — callers without a transaction call as\n   * before. Used by the write methods below + consumer overrides (e.g.\n   * the generated `upsertCurrentValues` on EAV value tables).\n   */\n  protected runner(tx?: DrizzleTx): DrizzleClient {\n    return tx ?? this.db;\n  }\n\n  // ============================================================================\n  // Read Operations\n  // ============================================================================\n\n  /**\n   * Find a single entity by its primary key.\n   * Returns null if not found (or soft-deleted when softDelete=true).\n   */\n  async findById(id: string): Promise<TEntity | null> {\n    const rows = await this.baseQuery()\n      .where(eq(this.table['id'], id))\n      .limit(1);\n    return (rows[0] as TEntity) ?? null;\n  }\n\n  /**\n   * Find multiple entities by their primary keys.\n   * Returns empty array immediately for empty input (avoids DB errors).\n   */\n  async findByIds(ids: string[]): Promise<TEntity[]> {\n    if (ids.length === 0) return [];\n    const rows = await this.baseQuery().where(inArray(this.table['id'], ids));\n    return rows as TEntity[];\n  }\n\n  /**\n   * List entities with optional filtering, pagination, and ordering.\n   */\n  async list(options?: ListOptions): Promise<TEntity[]> {\n    let query = this.baseQuery();\n\n    if (options?.where) {\n      query = query.where(options.where) as typeof query;\n    }\n    if (options?.orderBy) {\n      query = query.orderBy(options.orderBy as SQL) as typeof query;\n    }\n    if (options?.limit !== undefined) {\n      query = query.limit(options.limit) as typeof query;\n    }\n    if (options?.offset !== undefined) {\n      query = query.offset(options.offset) as typeof query;\n    }\n\n    const rows = await query;\n    return rows as TEntity[];\n  }\n\n  /**\n   * Count entities matching an optional WHERE clause.\n   * Soft-deleted rows are always excluded when softDelete=true.\n   */\n  async count(where?: SQL): Promise<number> {\n    let query = this.db\n      .select({ count: sql<number>`cast(count(*) as integer)` })\n      .from(this.table);\n\n    const conditions: SQL[] = [];\n    if (this.behaviors.softDelete) {\n      conditions.push(isNull(this.table['deletedAt']));\n    }\n    if (where) {\n      conditions.push(where);\n    }\n\n    if (conditions.length === 1) {\n      query = query.where(conditions[0]) as typeof query;\n    } else if (conditions.length > 1) {\n      // Combine with AND by building the condition inline\n      const { and } = await import('drizzle-orm');\n      query = query.where(and(...conditions)) as typeof query;\n    }\n\n    const rows = await query;\n    return rows[0]?.count ?? 0;\n  }\n\n  /**\n   * Check whether an entity with the given id exists.\n   */\n  async exists(id: string): Promise<boolean> {\n    const result = await this.findById(id);\n    return result !== null;\n  }\n\n  // ============================================================================\n  // Write Operations\n  // ============================================================================\n\n  /**\n   * Insert a new entity. Timestamps are auto-injected when timestamps=true.\n   */\n  async create(input: Partial<TEntity>, tx?: DrizzleTx): Promise<TEntity> {\n    const data = this.withTimestamps(input as Record<string, unknown>, 'create');\n    const rows = await this.runner(tx)\n      .insert(this.table)\n      .values(data as any) // eslint-disable-line @typescript-eslint/no-explicit-any\n      .returning();\n    return rows[0] as TEntity;\n  }\n\n  /**\n   * Update an existing entity by id. updatedAt is auto-injected when timestamps=true.\n   * Returns the updated entity.\n   */\n  async update(id: string, input: Partial<TEntity>, tx?: DrizzleTx): Promise<TEntity> {\n    const data = this.withTimestamps(input as Record<string, unknown>, 'update');\n    const rows = await this.runner(tx)\n      .update(this.table)\n      .set(data as any) // eslint-disable-line @typescript-eslint/no-explicit-any\n      .where(eq(this.table['id'], id))\n      .returning();\n    return rows[0] as TEntity;\n  }\n\n  /**\n   * Delete an entity by id.\n   * - softDelete=true: sets deletedAt to current timestamp\n   * - softDelete=false: hard-deletes the row\n   */\n  async delete(id: string, tx?: DrizzleTx): Promise<void> {\n    const runner = this.runner(tx);\n    if (this.behaviors.softDelete) {\n      await runner\n        .update(this.table)\n        .set({ deletedAt: new Date() } as any) // eslint-disable-line @typescript-eslint/no-explicit-any\n        .where(eq(this.table['id'], id));\n    } else {\n      await runner\n        .delete(this.table)\n        .where(eq(this.table['id'], id));\n    }\n  }\n\n  /**\n   * Insert or update multiple entities.\n   * Default naive implementation — family repositories override with\n   * proper conflict-target upsert (e.g., CrmEntityRepository).\n   */\n  async upsertMany(inputs: Array<Partial<TEntity>>, tx?: DrizzleTx): Promise<TEntity[]> {\n    return Promise.all(inputs.map((input) => this.create(input, tx)));\n  }\n\n  // ============================================================================\n  // Protected Helpers\n  // ============================================================================\n\n  /**\n   * Base SELECT query that automatically excludes soft-deleted rows\n   * when softDelete behavior is enabled.\n   */\n  protected baseQuery() {\n    const query = this.db.select().from(this.table).$dynamic();\n    if (this.behaviors.softDelete) {\n      return query.where(isNull(this.table['deletedAt']));\n    }\n    return query;\n  }\n\n  /**\n   * Merge timestamp fields into an input object.\n   * - mode='create': adds createdAt and updatedAt\n   * - mode='update': adds updatedAt only\n   *\n   * No-op when timestamps behavior is disabled.\n   */\n  protected withTimestamps(\n    input: Record<string, unknown>,\n    mode: 'create' | 'update',\n  ): Record<string, unknown> {\n    if (!this.behaviors.timestamps) return input;\n    const now = new Date();\n    if (mode === 'create') {\n      return { ...input, createdAt: now, updatedAt: now };\n    }\n    return { ...input, updatedAt: now };\n  }\n\n  /**\n   * Build a WHERE clause fragment that restricts results to rows whose\n   * parent (identified by a belongs_to FK) is not soft-deleted.\n   *\n   * Use this in custom repository methods when you need \"rows reachable\n   * from an active parent\". The default findAll / findById behavior is\n   * NOT changed by this helper — opt in explicitly where needed.\n   *\n   * ADR-021 — Soft-delete cascade: Option A (filter at query time).\n   * `on_delete` FK rules do not fire for soft-deletes; use this helper\n   * instead of expecting cascade semantics on the DB level.\n   *\n   * Example:\n   *   async listActiveMessages(): Promise<Message[]> {\n   *     return this.list({\n   *       where: this.activeParentFilter(conversations, this.table['conversationId']),\n   *     });\n   *   }\n   *\n   * @param parentTable  The Drizzle table object for the parent entity.\n   * @param parentFkColumn  The FK column on this (child) table that references parent.id.\n   */\n  protected activeParentFilter(\n    parentTable: PgTableWithColumns<any>, // eslint-disable-line @typescript-eslint/no-explicit-any\n    parentFkColumn: PgColumn,\n  ): SQL {\n    return sql`EXISTS (\n      SELECT 1 FROM ${parentTable} p\n      WHERE p.id = ${parentFkColumn}\n        AND p.deleted_at IS NULL\n    )`;\n  }\n}\n"],"mappings":";AAWA,SAAS,KAAK,MAAAA,KAAI,WAAAC,gBAAe;;;ACAjC,SAAS,IAAI,SAAS,QAAQ,WAAW;AAiClC,IAAe,iBAAf,MAAuC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWzB,YAA4B;AAAA,IAC7C,YAAY;AAAA,IACZ,YAAY;AAAA,IACZ,cAAc;AAAA,EAChB;AAAA,EAEmB;AAAA,EAEnB,YAAY,IAAmB;AAC7B,SAAK,KAAK;AAAA,EACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASU,OAAO,IAA+B;AAC9C,WAAO,MAAM,KAAK;AAAA,EACpB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAM,SAAS,IAAqC;AAClD,UAAM,OAAO,MAAM,KAAK,UAAU,EAC/B,MAAM,GAAG,KAAK,MAAM,IAAI,GAAG,EAAE,CAAC,EAC9B,MAAM,CAAC;AACV,WAAQ,KAAK,CAAC,KAAiB;AAAA,EACjC;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,UAAU,KAAmC;AACjD,QAAI,IAAI,WAAW,EAAG,QAAO,CAAC;AAC9B,UAAM,OAAO,MAAM,KAAK,UAAU,EAAE,MAAM,QAAQ,KAAK,MAAM,IAAI,GAAG,GAAG,CAAC;AACxE,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,KAAK,SAA2C;AACpD,QAAI,QAAQ,KAAK,UAAU;AAE3B,QAAI,SAAS,OAAO;AAClB,cAAQ,MAAM,MAAM,QAAQ,KAAK;AAAA,IACnC;AACA,QAAI,SAAS,SAAS;AACpB,cAAQ,MAAM,QAAQ,QAAQ,OAAc;AAAA,IAC9C;AACA,QAAI,SAAS,UAAU,QAAW;AAChC,cAAQ,MAAM,MAAM,QAAQ,KAAK;AAAA,IACnC;AACA,QAAI,SAAS,WAAW,QAAW;AACjC,cAAQ,MAAM,OAAO,QAAQ,MAAM;AAAA,IACrC;AAEA,UAAM,OAAO,MAAM;AACnB,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,MAAM,OAA8B;AACxC,QAAI,QAAQ,KAAK,GACd,OAAO,EAAE,OAAO,+BAAuC,CAAC,EACxD,KAAK,KAAK,KAAK;AAElB,UAAM,aAAoB,CAAC;AAC3B,QAAI,KAAK,UAAU,YAAY;AAC7B,iBAAW,KAAK,OAAO,KAAK,MAAM,WAAW,CAAC,CAAC;AAAA,IACjD;AACA,QAAI,OAAO;AACT,iBAAW,KAAK,KAAK;AAAA,IACvB;AAEA,QAAI,WAAW,WAAW,GAAG;AAC3B,cAAQ,MAAM,MAAM,WAAW,CAAC,CAAC;AAAA,IACnC,WAAW,WAAW,SAAS,GAAG;AAEhC,YAAM,EAAE,KAAAC,KAAI,IAAI,MAAM,OAAO,aAAa;AAC1C,cAAQ,MAAM,MAAMA,KAAI,GAAG,UAAU,CAAC;AAAA,IACxC;AAEA,UAAM,OAAO,MAAM;AACnB,WAAO,KAAK,CAAC,GAAG,SAAS;AAAA,EAC3B;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,OAAO,IAA8B;AACzC,UAAM,SAAS,MAAM,KAAK,SAAS,EAAE;AACrC,WAAO,WAAW;AAAA,EACpB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,OAAO,OAAyB,IAAkC;AACtE,UAAM,OAAO,KAAK,eAAe,OAAkC,QAAQ;AAC3E,UAAM,OAAO,MAAM,KAAK,OAAO,EAAE,EAC9B,OAAO,KAAK,KAAK,EACjB,OAAO,IAAW,EAClB,UAAU;AACb,WAAO,KAAK,CAAC;AAAA,EACf;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,OAAO,IAAY,OAAyB,IAAkC;AAClF,UAAM,OAAO,KAAK,eAAe,OAAkC,QAAQ;AAC3E,UAAM,OAAO,MAAM,KAAK,OAAO,EAAE,EAC9B,OAAO,KAAK,KAAK,EACjB,IAAI,IAAW,EACf,MAAM,GAAG,KAAK,MAAM,IAAI,GAAG,EAAE,CAAC,EAC9B,UAAU;AACb,WAAO,KAAK,CAAC;AAAA,EACf;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,OAAO,IAAY,IAA+B;AACtD,UAAM,SAAS,KAAK,OAAO,EAAE;AAC7B,QAAI,KAAK,UAAU,YAAY;AAC7B,YAAM,OACH,OAAO,KAAK,KAAK,EACjB,IAAI,EAAE,WAAW,oBAAI,KAAK,EAAE,CAAQ,EACpC,MAAM,GAAG,KAAK,MAAM,IAAI,GAAG,EAAE,CAAC;AAAA,IACnC,OAAO;AACL,YAAM,OACH,OAAO,KAAK,KAAK,EACjB,MAAM,GAAG,KAAK,MAAM,IAAI,GAAG,EAAE,CAAC;AAAA,IACnC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,WAAW,QAAiC,IAAoC;AACpF,WAAO,QAAQ,IAAI,OAAO,IAAI,CAAC,UAAU,KAAK,OAAO,OAAO,EAAE,CAAC,CAAC;AAAA,EAClE;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUU,YAAY;AACpB,UAAM,QAAQ,KAAK,GAAG,OAAO,EAAE,KAAK,KAAK,KAAK,EAAE,SAAS;AACzD,QAAI,KAAK,UAAU,YAAY;AAC7B,aAAO,MAAM,MAAM,OAAO,KAAK,MAAM,WAAW,CAAC,CAAC;AAAA,IACpD;AACA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASU,eACR,OACA,MACyB;AACzB,QAAI,CAAC,KAAK,UAAU,WAAY,QAAO;AACvC,UAAM,MAAM,oBAAI,KAAK;AACrB,QAAI,SAAS,UAAU;AACrB,aAAO,EAAE,GAAG,OAAO,WAAW,KAAK,WAAW,IAAI;AAAA,IACpD;AACA,WAAO,EAAE,GAAG,OAAO,WAAW,IAAI;AAAA,EACpC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAwBU,mBACR,aACA,gBACK;AACL,WAAO;AAAA,sBACW,WAAW;AAAA,qBACZ,cAAc;AAAA;AAAA;AAAA,EAGjC;AACF;;;AD9QO,IAAe,yBAAf,cAIG,eAAwB;AAAA;AAAA;AAAA;AAAA,EAUhC,MAAM,iBAAiB,YAA6C;AAClE,UAAM,OAAO,MAAM,KAAK,UAAU,EAC/B,MAAMC,IAAG,KAAK,MAAM,YAAY,GAAG,UAAU,CAAC,EAC9C,MAAM,CAAC;AACV,WAAQ,KAAK,CAAC,KAAiB;AAAA,EACjC;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,sBAAsB,aAA2C;AACrE,QAAI,YAAY,WAAW,EAAG,QAAO,CAAC;AACtC,UAAM,OAAO,MAAM,KAAK,UAAU,EAC/B,MAAMC,SAAQ,KAAK,MAAM,YAAY,GAAG,WAAW,CAAC;AACvD,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,gBAAgB,QAAoC;AACxD,UAAM,OAAO,MAAM,KAAK,UAAU,EAC/B,MAAMD,IAAG,KAAK,MAAM,QAAQ,GAAG,MAAM,CAAC;AACzC,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA0BA,MAAM,cACJ,OACA,UACA,IAC0B;AAC1B,UAAM,MAAM,KAAK;AACjB,UAAM,IAAI;AAEV,UAAM,MAAM,OAAO,OAA4C;AAE7D,YAAM,cAA6C,CAAC;AACpD,iBAAW,MAAM,IAAI,aAAa;AAChC,oBAAY,GAAG,MAAM,IAAI,MAAM,KAAK,UAAU,IAAI,IAAI,EAAE,GAAG,QAAQ,GAAG,QAAQ;AAAA,MAChF;AAGA,YAAM,MAAM,oBAAI,KAAK;AACrB,YAAM,cAAuC,CAAC;AAC9C,iBAAW,OAAO,IAAI,aAAc,aAAY,GAAG,IAAI,EAAE,GAAG;AAE5D,YAAM,SAAkC;AAAA,QACtC,YAAY,EAAE,YAAY;AAAA,QAC1B;AAAA,QACA,GAAG;AAAA,QACH,GAAG;AAAA,QACH,GAAI,KAAK,UAAU,aAAa,EAAE,WAAW,IAAI,IAAI,CAAC;AAAA,MACxD;AAKA,YAAM,MAA+B;AAAA,QACnC,GAAG;AAAA,QACH,GAAI,KAAK,UAAU,aAAa,EAAE,WAAW,IAAI,IAAI,CAAC;AAAA,MACxD;AACA,iBAAW,MAAM,IAAI,aAAa;AAChC,YAAI,YAAY,GAAG,MAAM,MAAM,KAAM,KAAI,GAAG,MAAM,IAAI,YAAY,GAAG,MAAM;AAAA,MAC7E;AAEA,YAAM,OAAO,MAAM,GAChB,OAAO,KAAK,KAAK,EACjB,OAAO,MAAe,EACtB,mBAAmB;AAAA,QAClB,QAAQ,IAAI,eAAe,IAAI,CAAC,MAAc,KAAK,MAAM,CAAC,CAAC;AAAA,QAC3D;AAAA,MACF,CAAC,EACA,UAAU;AAEb,YAAM,QAAQ,KAAK,CAAC;AAGpB,YAAM,SAAS,EAAE,QAAQ;AACzB,UAAI,IAAI,OAAO,UAAU,OAAO,KAAK,MAAM,EAAE,SAAS,GAAG;AACvD,cAAM,KAAK;AAAA,UACT;AAAA,UACA,MAAM,IAAI;AAAA,UACV,EAAE,QAAQ;AAAA,UACV;AAAA,QACF;AAAA,MACF;AAEA,aAAO,KAAK,aAAa,KAAgB;AAAA,IAC3C;AAEA,WAAO,KAAK,IAAI,EAAE,IAAI,KAAK,GAAG,YAAY,CAAC,MAAM,IAAI,CAAC,CAAC;AAAA,EACzD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,0BACJ,YACA,UACiC;AACjC,UAAM,OAAO,MAAM,KAAK,GACrB,OAAO,EACP,KAAK,KAAK,KAAK,EACf;AAAA,MACC;AAAA,QACEA,IAAG,KAAK,MAAM,UAAU,GAAG,QAAQ;AAAA,QACnCA,IAAG,KAAK,MAAM,YAAY,GAAG,UAAU;AAAA,MACzC;AAAA,IACF,EACC,MAAM,CAAC;AACV,UAAM,MAAM,KAAK,CAAC;AAClB,WAAO,MAAM,KAAK,aAAa,GAAG,IAAI;AAAA,EACxC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,uBACJ,YACA,UACA,IACgC;AAChC,UAAM,KAAK,KAAK,OAAO,EAAE;AACzB,UAAM,MAAM,KAAK,WAAW,aACxB,EAAE,WAAW,oBAAI,KAAK,GAAG,WAAW,oBAAI,KAAK,EAAE,IAC/C,EAAE,YAAY,MAAM,UAAU,MAAM,WAAW,oBAAI,KAAK,EAAE;AAC9D,UAAM,OAAO,MAAM,GAChB,OAAO,KAAK,KAAK,EACjB,IAAI,GAAY,EAChB;AAAA,MACC;AAAA,QACEA,IAAG,KAAK,MAAM,UAAU,GAAG,QAAQ;AAAA,QACnCA,IAAG,KAAK,MAAM,YAAY,GAAG,UAAU;AAAA,MACzC;AAAA,IACF,EACC,UAAU,EAAE,IAAI,KAAK,MAAM,IAAI,EAAE,CAAC;AACrC,WAAO,KAAK,CAAC,IAAI,EAAE,IAAI,KAAK,CAAC,EAAE,GAAa,IAAI;AAAA,EAClD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,WAAW,QAAqD;AACpE,QAAI,OAAO,WAAW,EAAG,QAAO,CAAC;AACjC,WAAO,KAAK,GAAG,YAAY,OAAO,OAAO;AACvC,YAAM,MAAiB,CAAC;AACxB,iBAAW,SAAS,QAAQ;AAC1B,cAAM,MAAM;AACZ,YAAI,CAAC,IAAI,YAAY,KAAK,CAAC,IAAI,UAAU,EAAG;AAC5C,cAAM,OAAO,MAAM,KAAK;AAAA,UACtB;AAAA,UACA,IAAI,UAAU;AAAA,UACd;AAAA,QACF;AACA,cAAM,KAAM,KAAiC,IAAI;AACjD,cAAM,MAAM,MAAM,GACf,OAAO,EACP,KAAK,KAAK,KAAK,EACf,MAAMA,IAAG,KAAK,MAAM,IAAI,GAAG,EAAE,CAAC,EAC9B,MAAM,CAAC;AACV,YAAI,KAAK,IAAI,CAAC,CAAY;AAAA,MAC5B;AACA,aAAO;AAAA,IACT,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOU,aAAa,KAA+B;AACpD,UAAM,IAAI;AACV,UAAM,MAA+B,CAAC;AACtC,eAAW,OAAO,KAAK,WAAW,kBAAmB,KAAI,GAAG,IAAI,EAAE,GAAG;AACrE,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAgB,kBACd,KACA,WACA,SACA,SACe;AAAA,EAEjB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAc,UACZ,IACA,IACA,eACA,UACwB;AACxB,UAAM,mBAAmB;AACzB,QAAI,CAAC,kBAAkB;AACrB,UAAI,GAAG,QAAQ;AACb,cAAM,IAAI;AAAA,UACR,GAAG,KAAK,YAAY,IAAI,4DACF,GAAG,MAAM,gBAAgB,GAAG,QAAQ;AAAA,QAC5D;AAAA,MACF;AACA,aAAO;AAAA,IACT;AAEA,UAAM,WACJ,GAAG,aAAa,SAAS,KAAK,QAAQ,GAAG;AAC3C,UAAM,OAAO,MAAM,GAChB,OAAO,EAAE,IAAI,SAAS,IAAI,EAAE,CAAC,EAC7B,KAAK,QAAQ,EACb;AAAA,MACC;AAAA,QACEA,IAAG,SAAS,UAAU,GAAG,QAAQ;AAAA,QACjCA,IAAG,SAAS,YAAY,GAAG,gBAAgB;AAAA,MAC7C;AAAA,IACF,EACC,MAAM,CAAC;AACV,UAAM,KAAM,KAAK,CAAC,GAAG,MAA6B;AAClD,QAAI,OAAO,QAAQ,GAAG,QAAQ;AAC5B,YAAM,IAAI;AAAA,QACR,GAAG,KAAK,YAAY,IAAI,sCAClB,gBAAgB,gBAAgB,QAAQ,WAAW,GAAG,MAAM;AAAA,MAEpE;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,oBAAoB,SAAqC;AAC7D,UAAM,IAAI,MAAM,4EAAuE;AAAA,EACzF;AACF;","names":["eq","inArray","and","eq","inArray"]}
+{"version":3,"sources":["../../../runtime/base-classes/synced-entity-repository.ts","../../../runtime/base-classes/base-repository.ts","../../../runtime/base-classes/tenant-context.ts"],"sourcesContent":["/**\n * SyncedEntityRepository<TEntity, TSyncWrite, TSyncProjection>\n *\n * Family-specific base for Synced entities (contacts, accounts, opportunities).\n * Adds external ID lookups, user-scoped queries, and the generic inbound-sync\n * write surface (canonical→Drizzle upsert + provider-scoped FK resolution +\n * EAV dual-write seam), driven by the concrete repo's `syncConfig`.\n *\n * The type params default so pre-existing single-param subclasses keep\n * compiling; `pattern: Synced` repos declare all three plus `syncConfig`.\n */\nimport { and, eq, inArray } from 'drizzle-orm';\n// eslint-disable-next-line @typescript-eslint/no-explicit-any\nimport type { PgTableWithColumns } from 'drizzle-orm/pg-core';\nimport type { DrizzleTx } from '../types/drizzle';\nimport { BaseRepository } from './base-repository';\nimport type { SyncUpsertConfig, SyncFkResolver } from './sync-upsert-config';\n\nexport abstract class SyncedEntityRepository<\n  TEntity,\n  TSyncWrite = Partial<TEntity>,\n  TSyncProjection = TEntity,\n> extends BaseRepository<TEntity> {\n  /**\n   * Declarative sync write surface. Concrete (`pattern: Synced`) repositories\n   * declare this — the template emits it from the entity's fields + FKs.\n   */\n  protected abstract readonly syncConfig: SyncUpsertConfig;\n\n  /**\n   * Find a single entity by its external CRM identifier.\n   */\n  async findByExternalId(externalId: string): Promise<TEntity | null> {\n    const rows = await this.baseQuery()\n      .where(eq(this.table['externalId'], externalId))\n      .limit(1);\n    return (rows[0] as TEntity) ?? null;\n  }\n\n  /**\n   * Find multiple entities by external CRM identifiers.\n   */\n  async findManyByExternalIds(externalIds: string[]): Promise<TEntity[]> {\n    if (externalIds.length === 0) return [];\n    const rows = await this.baseQuery()\n      .where(inArray(this.table['externalId'], externalIds));\n    return rows as TEntity[];\n  }\n\n  /**\n   * Find all entities owned by a specific user.\n   */\n  async findAllByUserId(userId: string): Promise<TEntity[]> {\n    const rows = await this.baseQuery()\n      .where(eq(this.table['userId'], userId));\n    return rows as TEntity[];\n  }\n\n  // ==========================================================================\n  // Inbound sync (#374) — canonical→Drizzle write + provider-scoped FK\n  // resolution + EAV dual-write seam, all inside a SINGLE transaction.\n  // Driven entirely by `this.syncConfig`; the per-entity shape lives there.\n  // ==========================================================================\n\n  /**\n   * Upsert ONE entity by its `(provider, externalId)` identity, in a single\n   * transaction:\n   *   1. resolve each `syncConfig.fkResolvers` FK (provider-scoped). Strict\n   *      resolvers throw on unresolved; non-strict leave the column null.\n   *   2. insert-or-update the canonical columns via `onConflictDoUpdate` on the\n   *      `conflictTarget`. Resolved FKs are only written into `set` when\n   *      non-null this run (no-clobber).\n   *   3. EAV dual-write of `write.fields` via `writeCustomFields` when\n   *      `syncConfig.eav` and the bag is non-empty (same tx).\n   *\n   * Idempotent: a second call with the same identity updates in place. Returns\n   * the canonical projection (so the orchestrator records `local_id`).\n   *\n   * @param write     canonical fields + parent external ids + custom-field bag\n   * @param provider  adapter/provider label persisted + used to scope lookups\n   * @param tx        optional outer transaction; when omitted we open our own\n   */\n  async syncUpsertOne(\n    write: TSyncWrite,\n    provider: string,\n    tx?: DrizzleTx,\n  ): Promise<TSyncProjection> {\n    const cfg = this.syncConfig;\n    const w = write as Record<string, unknown>;\n\n    const run = async (db: DrizzleTx): Promise<TSyncProjection> => {\n      // 1. FK resolution (provider-scoped). Strict → throw; else opportunistic null.\n      const resolvedFks: Record<string, string | null> = {};\n      for (const fk of cfg.fkResolvers) {\n        resolvedFks[fk.column] = await this.resolveFk(db, fk, w[fk.writeKey], provider);\n      }\n\n      // 2. Canonical → Drizzle insert-or-update by the conflict target.\n      const now = new Date();\n      const copyThrough: Record<string, unknown> = {};\n      for (const col of cfg.writeColumns) copyThrough[col] = w[col];\n\n      const values: Record<string, unknown> = {\n        externalId: w['externalId'],\n        provider,\n        ...copyThrough,\n        ...resolvedFks,\n        ...(this.behaviors.timestamps ? { updatedAt: now } : {}),\n      };\n\n      // `set` excludes the identity (externalId/provider). Resolved FKs are\n      // only written when non-null this run — never clobber a previously\n      // resolved parent with null on a later run that dropped the ref.\n      const set: Record<string, unknown> = {\n        ...copyThrough,\n        ...(this.behaviors.timestamps ? { updatedAt: now } : {}),\n      };\n      for (const fk of cfg.fkResolvers) {\n        if (resolvedFks[fk.column] !== null) set[fk.column] = resolvedFks[fk.column];\n      }\n\n      const rows = await db\n        .insert(this.table)\n        .values(values as never)\n        .onConflictDoUpdate({\n          target: cfg.conflictTarget.map((c: string) => this.table[c]),\n          set: set as never,\n        })\n        .returning();\n\n      const saved = rows[0] as Record<string, unknown>;\n\n      // 3. EAV dual-write seam — same tx. No-op unless the entity opts in.\n      const fields = w['fields'] as Record<string, unknown> | undefined;\n      if (cfg.eav && fields && Object.keys(fields).length > 0) {\n        await this.writeCustomFields(\n          db,\n          saved['id'] as string,\n          w['userId'] as string,\n          fields,\n        );\n      }\n\n      return this.toProjection(saved as TEntity);\n    };\n\n    return tx ? run(tx) : this.db.transaction((t) => run(t));\n  }\n\n  /**\n   * Canonical-projected lookup by external id (differ-ready). Returns `null`\n   * when no local row exists. Provider-scoped so a HubSpot id can't match a\n   * Salesforce row.\n   */\n  async findByExternalIdProjected(\n    externalId: string,\n    provider: string,\n  ): Promise<TSyncProjection | null> {\n    const rows = await this.db\n      .select()\n      .from(this.table)\n      .where(\n        and(\n          eq(this.table['provider'], provider),\n          eq(this.table['externalId'], externalId),\n        ),\n      )\n      .limit(1);\n    const row = rows[0] as TEntity | undefined;\n    return row ? this.toProjection(row) : null;\n  }\n\n  /**\n   * Sync \"delete\" by external id, provider-scoped. When `softDelete: true`,\n   * sets `deletedAt`. When `softDelete: false`, tombstone-by-clearing: null out\n   * `external_id`/`provider` so the row no longer matches future inbound\n   * changes while preserving local-id references. Returns `{ id }` or `null`.\n   */\n  async softDeleteByExternalId(\n    externalId: string,\n    provider: string,\n    tx?: DrizzleTx,\n  ): Promise<{ id: string } | null> {\n    const db = this.runner(tx);\n    const set = this.syncConfig.softDelete\n      ? { deletedAt: new Date(), updatedAt: new Date() }\n      : { externalId: null, provider: null, updatedAt: new Date() };\n    const rows = await db\n      .update(this.table)\n      .set(set as never)\n      .where(\n        and(\n          eq(this.table['provider'], provider),\n          eq(this.table['externalId'], externalId),\n        ),\n      )\n      .returning({ id: this.table['id'] });\n    return rows[0] ? { id: rows[0].id as string } : null;\n  }\n\n  /**\n   * Batch sync upsert — concretizes the former abstract stub. Delegates to\n   * `syncUpsertOne` per input inside one transaction. Inputs are raw partial\n   * rows: provider is read from each input's own `provider` column; rows\n   * missing `externalId`/`provider` are skipped.\n   */\n  async syncUpsert(inputs: Array<Partial<TEntity>>): Promise<TEntity[]> {\n    if (inputs.length === 0) return [];\n    return this.db.transaction(async (tx) => {\n      const out: TEntity[] = [];\n      for (const input of inputs) {\n        const rec = input as Record<string, unknown>;\n        if (!rec['externalId'] || !rec['provider']) continue;\n        const proj = await this.syncUpsertOne(\n          input as unknown as TSyncWrite,\n          rec['provider'] as string,\n          tx,\n        );\n        const id = (proj as Record<string, unknown>)['id'] as string;\n        const row = await tx\n          .select()\n          .from(this.table)\n          .where(eq(this.table['id'], id))\n          .limit(1);\n        out.push(row[0] as TEntity);\n      }\n      return out;\n    });\n  }\n\n  /**\n   * Project a raw row to the canonical differ shape — a generic pick over\n   * `syncConfig.projectionColumns`. Override only for synthesized projections\n   * (e.g. junctions); entities use this verbatim.\n   */\n  protected toProjection(row: TEntity): TSyncProjection {\n    const r = row as Record<string, unknown>;\n    const out: Record<string, unknown> = {};\n    for (const col of this.syncConfig.projectionColumns) out[col] = r[col];\n    return out as TSyncProjection;\n  }\n\n  /**\n   * EAV dual-write seam (#374, live path lands in #124). No-op by default;\n   * `eav: true` entities emit a concrete override that injects\n   * `FieldValueService` and delegates to `upsertFieldsTransactional` so the\n   * dual-write joins the same tx (`db`). Kept as an explicit hook so the base\n   * stays portable (the FieldValueService dependency is eav-only).\n   */\n  protected async writeCustomFields(\n    _db: DrizzleTx,\n    _entityId: string,\n    _userId: string,\n    _fields: Record<string, unknown>,\n  ): Promise<void> {\n    // Intentionally empty until the entity opts into EAV.\n  }\n\n  /**\n   * Resolve one FK from a parent external id (provider-scoped). `self` resolves\n   * against `this.table`. Strict resolvers throw when unresolved; non-strict\n   * return null. A null/absent write value short-circuits to null.\n   */\n  private async resolveFk(\n    db: DrizzleTx,\n    fk: SyncFkResolver,\n    rawExternalId: unknown,\n    provider: string,\n  ): Promise<string | null> {\n    const parentExternalId = rawExternalId as string | null | undefined;\n    if (!parentExternalId) {\n      if (fk.strict) {\n        throw new Error(\n          `${this.constructor.name}.syncUpsertOne: missing required parent ` +\n            `external id for '${fk.column}' (writeKey '${fk.writeKey}')`,\n        );\n      }\n      return null;\n    }\n    // eslint-disable-next-line @typescript-eslint/no-explicit-any\n    const refTable: PgTableWithColumns<any> =\n      fk.refTable === 'self' ? this.table : fk.refTable;\n    const rows = await db\n      .select({ id: refTable['id'] })\n      .from(refTable)\n      .where(\n        and(\n          eq(refTable['provider'], provider),\n          eq(refTable['externalId'], parentExternalId),\n        ),\n      )\n      .limit(1);\n    const id = (rows[0]?.id as string | undefined) ?? null;\n    if (id === null && fk.strict) {\n      throw new Error(\n        `${this.constructor.name}.syncUpsertOne: unresolved parent ` +\n          `'${parentExternalId}' (provider '${provider}') for '${fk.column}' — ` +\n          `parent not synced yet`,\n      );\n    }\n    return id;\n  }\n\n  /**\n   * Find entities visible to a user (ownership + sharing rules).\n   * Concrete repositories must implement with visibility logic.\n   */\n  async findVisibleByUserId(_userId: string): Promise<TEntity[]> {\n    throw new Error('findVisibleByUserId not implemented — override in concrete repository');\n  }\n}\n","/**\n * BaseRepository<TEntity>\n *\n * Abstract base class providing standard CRUD operations via Drizzle ORM.\n * Every generated repository extends this class.\n *\n * Family-specific bases (CrmEntityRepository, etc.) extend this in v0.1\n * without any changes to BaseRepository.\n *\n * NOT @Injectable — concrete repositories are @Injectable and inject DRIZZLE.\n */\nimport { and, eq, inArray, isNull, sql } from 'drizzle-orm';\nimport type { PgTableWithColumns, PgColumn } from 'drizzle-orm/pg-core';\nimport type { SQL } from 'drizzle-orm';\nimport type { DrizzleClient, DrizzleTx } from '../types/drizzle';\nimport {\n  requireRequester,\n  tryGetRequester,\n  type RequesterScope,\n} from './tenant-context';\n\n// ============================================================================\n// Interfaces\n// ============================================================================\n\n/**\n * Behavior flags for the repository. Controls automatic timestamp injection\n * and soft-delete filtering.\n */\nexport interface BehaviorConfig {\n  timestamps: boolean;\n  softDelete: boolean;\n  userTracking: boolean;\n}\n\n/**\n * Options for the list() method.\n */\nexport interface ListOptions {\n  where?: SQL;\n  limit?: number;\n  offset?: number;\n  orderBy?: PgColumn | SQL;\n}\n\n// ============================================================================\n// BaseRepository\n// ============================================================================\n\nexport abstract class BaseRepository<TEntity> {\n  /**\n   * The Drizzle table schema for this entity.\n   * Concrete repositories declare this as a class property.\n   */\n  protected abstract readonly table: PgTableWithColumns<any>; // eslint-disable-line @typescript-eslint/no-explicit-any\n\n  /**\n   * Behavior flags controlling automatic behavior injection.\n   * Override in concrete repositories to enable behaviors.\n   */\n  protected readonly behaviors: BehaviorConfig = {\n    timestamps: false,\n    softDelete: false,\n    userTracking: false,\n  };\n\n  /**\n   * Ambient tenant-scope enforcement for `userTracking` repos (see\n   * `scopePredicate`). Only has effect when `behaviors.userTracking === true`.\n   *\n   * - `'lenient'` (default): when no ambient requester context is active,\n   *   reads/writes are NOT scoped — preserves pre-scoping behavior, so adopting\n   *   ambient scoping is additive. Scoping kicks in automatically once a\n   *   boundary installs `withRequester(...)`.\n   * - `'strict'`: a missing ambient context throws (`requireRequester`),\n   *   making a forgotten boundary fail loud instead of silently returning\n   *   cross-tenant rows. Recommended for new multi-tenant consumers — override\n   *   in a concrete repo or a family base class.\n   */\n  protected readonly scopeEnforcement: 'lenient' | 'strict' = 'lenient';\n\n  protected readonly db: DrizzleClient;\n\n  constructor(db: DrizzleClient) {\n    this.db = db;\n  }\n\n  /**\n   * Pick the runner for a write: the caller-supplied transaction handle\n   * if present, otherwise the repository's own client. Keeps the `tx`\n   * parameter purely additive — callers without a transaction call as\n   * before. Used by the write methods below + consumer overrides (e.g.\n   * the generated `upsertCurrentValues` on EAV value tables).\n   */\n  protected runner(tx?: DrizzleTx): DrizzleClient {\n    return tx ?? this.db;\n  }\n\n  // ============================================================================\n  // Read Operations\n  // ============================================================================\n\n  /**\n   * Find a single entity by its primary key.\n   * Returns null if not found (or soft-deleted when softDelete=true).\n   */\n  async findById(id: string): Promise<TEntity | null> {\n    const rows = await this.baseQuery(eq(this.table['id'], id)).limit(1);\n    return (rows[0] as TEntity) ?? null;\n  }\n\n  /**\n   * Find multiple entities by their primary keys.\n   * Returns empty array immediately for empty input (avoids DB errors).\n   */\n  async findByIds(ids: string[]): Promise<TEntity[]> {\n    if (ids.length === 0) return [];\n    const rows = await this.baseQuery(inArray(this.table['id'], ids));\n    return rows as TEntity[];\n  }\n\n  /**\n   * List entities with optional filtering, pagination, and ordering.\n   */\n  async list(options?: ListOptions): Promise<TEntity[]> {\n    let query = this.baseQuery(options?.where);\n\n    if (options?.orderBy) {\n      query = query.orderBy(options.orderBy as SQL) as typeof query;\n    }\n    if (options?.limit !== undefined) {\n      query = query.limit(options.limit) as typeof query;\n    }\n    if (options?.offset !== undefined) {\n      query = query.offset(options.offset) as typeof query;\n    }\n\n    const rows = await query;\n    return rows as TEntity[];\n  }\n\n  /**\n   * Count entities matching an optional WHERE clause.\n   * Soft-deleted rows are always excluded when softDelete=true.\n   */\n  async count(where?: SQL): Promise<number> {\n    let query = this.db\n      .select({ count: sql<number>`cast(count(*) as integer)` })\n      .from(this.table);\n\n    const conditions: SQL[] = [];\n    if (this.behaviors.softDelete) {\n      conditions.push(isNull(this.table['deletedAt']));\n    }\n    const scope = this.scopePredicate();\n    if (scope) {\n      conditions.push(scope);\n    }\n    if (where) {\n      conditions.push(where);\n    }\n\n    if (conditions.length === 1) {\n      query = query.where(conditions[0]) as typeof query;\n    } else if (conditions.length > 1) {\n      query = query.where(and(...conditions)) as typeof query;\n    }\n\n    const rows = await query;\n    return rows[0]?.count ?? 0;\n  }\n\n  /**\n   * Check whether an entity with the given id exists.\n   */\n  async exists(id: string): Promise<boolean> {\n    const result = await this.findById(id);\n    return result !== null;\n  }\n\n  // ============================================================================\n  // Write Operations\n  // ============================================================================\n\n  /**\n   * Insert a new entity. Timestamps are auto-injected when timestamps=true.\n   */\n  async create(input: Partial<TEntity>, tx?: DrizzleTx): Promise<TEntity> {\n    const data = this.withTimestamps(input as Record<string, unknown>, 'create');\n    const rows = await this.runner(tx)\n      .insert(this.table)\n      .values(data as any) // eslint-disable-line @typescript-eslint/no-explicit-any\n      .returning();\n    return rows[0] as TEntity;\n  }\n\n  /**\n   * Update an existing entity by id. updatedAt is auto-injected when timestamps=true.\n   * Returns the updated entity.\n   */\n  async update(id: string, input: Partial<TEntity>, tx?: DrizzleTx): Promise<TEntity> {\n    const data = this.withTimestamps(input as Record<string, unknown>, 'update');\n    const rows = await this.runner(tx)\n      .update(this.table)\n      .set(data as any) // eslint-disable-line @typescript-eslint/no-explicit-any\n      .where(this.scopeAnd(eq(this.table['id'], id)))\n      .returning();\n    return rows[0] as TEntity;\n  }\n\n  /**\n   * Delete an entity by id.\n   * - softDelete=true: sets deletedAt to current timestamp\n   * - softDelete=false: hard-deletes the row\n   */\n  async delete(id: string, tx?: DrizzleTx): Promise<void> {\n    const runner = this.runner(tx);\n    if (this.behaviors.softDelete) {\n      await runner\n        .update(this.table)\n        .set({ deletedAt: new Date() } as any) // eslint-disable-line @typescript-eslint/no-explicit-any\n        .where(this.scopeAnd(eq(this.table['id'], id)));\n    } else {\n      await runner\n        .delete(this.table)\n        .where(this.scopeAnd(eq(this.table['id'], id)));\n    }\n  }\n\n  /**\n   * Insert or update multiple entities.\n   * Default naive implementation — family repositories override with\n   * proper conflict-target upsert (e.g., CrmEntityRepository).\n   */\n  async upsertMany(inputs: Array<Partial<TEntity>>, tx?: DrizzleTx): Promise<TEntity[]> {\n    return Promise.all(inputs.map((input) => this.create(input, tx)));\n  }\n\n  // ============================================================================\n  // Protected Helpers\n  // ============================================================================\n\n  /**\n   * Base SELECT query that automatically applies the ambient guards —\n   * soft-delete exclusion (when `softDelete`) and tenant scope (when\n   * `userTracking` + an active requester context) — combined with an optional\n   * caller `extra` predicate into a SINGLE `WHERE`.\n   *\n   * Pass the leaf predicate as `extra` rather than chaining a second\n   * `.where(...)`: Drizzle's `.where()` OVERRIDES (does not AND) a prior\n   * `.where()` on a `$dynamic()` query, so a chained call would silently drop\n   * the soft-delete and scope guards. `baseQuery(extra)` is the safe form.\n   */\n  protected baseQuery(extra?: SQL) {\n    const query = this.db.select().from(this.table).$dynamic();\n    const where = this.scopeAnd(extra, { softDelete: this.behaviors.softDelete });\n    return where ? query.where(where) : query;\n  }\n\n  /**\n   * Build the ambient tenant-scope predicate for this repo's table.\n   *\n   * Returns `undefined` (no scoping) when:\n   *   - `behaviors.userTracking` is false (repo is not user-owned), or\n   *   - no ambient requester context is active AND `scopeEnforcement` is\n   *     `'lenient'` (the default — preserves pre-scoping behavior).\n   *\n   * When a requester context is active, scopes by `user_id` per the ambient\n   * scope: `'user'` → `user_id = ctx.userId`; `'org'` → `user_id IN\n   * ctx.orgUserIds` (empty list matches nothing — fail-closed); `'superuser'`\n   * → no filter. See `tenant-context.ts` for the boundary-install contract.\n   */\n  protected scopePredicate(): SQL | undefined {\n    if (!this.behaviors.userTracking) return undefined;\n    const ctx =\n      this.scopeEnforcement === 'strict'\n        ? requireRequester()\n        : tryGetRequester();\n    if (!ctx) return undefined;\n    const scope: RequesterScope = ctx.scope ?? 'user';\n    switch (scope) {\n      case 'superuser':\n        return undefined;\n      case 'org':\n        return ctx.orgUserIds && ctx.orgUserIds.length > 0\n          ? inArray(this.table['userId'], ctx.orgUserIds as string[])\n          : sql`false`;\n      case 'user':\n      default:\n        return eq(this.table['userId'], ctx.userId);\n    }\n  }\n\n  /**\n   * Combine the ambient scope predicate (and, optionally, the soft-delete\n   * guard) with a caller `extra` predicate into one `SQL`. Returns `undefined`\n   * when nothing applies. Used by read + by-id write paths so a single\n   * `.where(...)` carries every guard.\n   */\n  protected scopeAnd(\n    extra?: SQL,\n    opts?: { softDelete?: boolean },\n  ): SQL | undefined {\n    const conditions: SQL[] = [];\n    if (opts?.softDelete) conditions.push(isNull(this.table['deletedAt']));\n    const scope = this.scopePredicate();\n    if (scope) conditions.push(scope);\n    if (extra) conditions.push(extra);\n    if (conditions.length === 0) return undefined;\n    if (conditions.length === 1) return conditions[0];\n    return and(...conditions);\n  }\n\n  /**\n   * Merge timestamp fields into an input object.\n   * - mode='create': adds createdAt and updatedAt\n   * - mode='update': adds updatedAt only\n   *\n   * No-op when timestamps behavior is disabled.\n   */\n  protected withTimestamps(\n    input: Record<string, unknown>,\n    mode: 'create' | 'update',\n  ): Record<string, unknown> {\n    if (!this.behaviors.timestamps) return input;\n    const now = new Date();\n    if (mode === 'create') {\n      return { ...input, createdAt: now, updatedAt: now };\n    }\n    return { ...input, updatedAt: now };\n  }\n\n  /**\n   * Build a WHERE clause fragment that restricts results to rows whose\n   * parent (identified by a belongs_to FK) is not soft-deleted.\n   *\n   * Use this in custom repository methods when you need \"rows reachable\n   * from an active parent\". The default findAll / findById behavior is\n   * NOT changed by this helper — opt in explicitly where needed.\n   *\n   * ADR-021 — Soft-delete cascade: Option A (filter at query time).\n   * `on_delete` FK rules do not fire for soft-deletes; use this helper\n   * instead of expecting cascade semantics on the DB level.\n   *\n   * Example:\n   *   async listActiveMessages(): Promise<Message[]> {\n   *     return this.list({\n   *       where: this.activeParentFilter(conversations, this.table['conversationId']),\n   *     });\n   *   }\n   *\n   * @param parentTable  The Drizzle table object for the parent entity.\n   * @param parentFkColumn  The FK column on this (child) table that references parent.id.\n   */\n  protected activeParentFilter(\n    parentTable: PgTableWithColumns<any>, // eslint-disable-line @typescript-eslint/no-explicit-any\n    parentFkColumn: PgColumn,\n  ): SQL {\n    return sql`EXISTS (\n      SELECT 1 FROM ${parentTable} p\n      WHERE p.id = ${parentFkColumn}\n        AND p.deleted_at IS NULL\n    )`;\n  }\n}\n","/**\n * Ambient requester context — AsyncLocalStorage-backed tenant scope.\n *\n * The alternative to threading `userId`/`organizationId` through every\n * repository/service signature. Set ONCE at each boundary the generated app\n * owns, read implicitly inside `BaseRepository` (see `scopePredicate`).\n *\n * ## Where to set it (boundaries)\n *\n *   - HTTP / tRPC handlers — from the authenticated `ctx.user`\n *   - OAuth callback controllers — from the authenticated session\n *   - Queue/worker `process()` — from the job's owning user after the\n *     job's record is loaded\n *\n * Each boundary wraps the rest of the request in `withRequester({ userId,\n * organizationId }, () => ...)`. The context propagates through every `await`\n * to all downstream repo/service calls without being passed explicitly.\n *\n * ## Where to read it\n *\n *   - `BaseRepository.scopePredicate()` reads it (via `tryGetRequester` in\n *     lenient mode, `requireRequester` in strict mode) and filters every read\n *     by the ambient scope when the repo declares `userTracking: true`.\n *\n * ## Why AsyncLocalStorage over an explicit parameter\n *\n * Threading `userId` (and later `organizationId`) through dozens of method\n * signatures is pure parameter pollution. Ambient context also lets a repo\n * make the \"I forgot to scope\" mistake impossible at runtime: in strict mode\n * `requireRequester()` throws when no context is active, surfacing a missing\n * boundary call loudly rather than silently leaking cross-tenant data.\n *\n * ## Not-found semantics\n *\n * When a row exists but belongs to a different requester, scoped reads return\n * `null`/`[]` — identical to \"truly doesn't exist\". No existence oracle;\n * callers throw NotFound uniformly. Standard security practice.\n *\n * ## Testing\n *\n * Tests that exercise scoped repos must wrap the call in `withRequester(...)`.\n * In strict mode an unwrapped call hitting `requireRequester()` throws — by\n * design. In lenient mode (the default) an unwrapped call is simply unscoped.\n */\nimport { AsyncLocalStorage } from 'node:async_hooks';\n\n/**\n * Data-visibility scope. The auth layer decides which scope a request is\n * allowed to claim; the repo trusts whatever the ambient context says.\n *\n * - `'user'`: filter every read by `user_id = ctx.userId`. Default.\n * - `'org'`: filter every read by membership in the requester's org, resolved\n *   via `user_id IN (ctx.orgUserIds)` rather than via a per-entity\n *   `organization_id` column. Works for every user-owned table and keeps repos\n *   single-table — the org member list is pre-resolved at the boundary.\n * - `'superuser'`: no scope filter. Engineering / internal-tools only.\n *\n * AUTHORIZATION (who is allowed to claim each scope) lives in boundary\n * middleware, not in the repo. The repo trusts the ambient context — same\n * trust model as a threaded `userId`.\n */\nexport type RequesterScope = 'user' | 'org' | 'superuser';\n\nexport interface RequesterContext {\n  /**\n   * The user making the request. Always present — even in `'org'` and\n   * `'superuser'` scopes it is the audit-trail \"who actually did this\".\n   */\n  readonly userId: string;\n  /**\n   * The organization the requester belongs to. Required when\n   * `scope === 'org'`; may be null for `'user'` (users with no org) and for\n   * `'superuser'` (cross-org reads).\n   */\n  readonly organizationId: string | null;\n  /**\n   * Data-visibility scope. Defaults to `'user'` when omitted.\n   */\n  readonly scope?: RequesterScope;\n  /**\n   * For `scope === 'org'`: the list of user IDs in the requester's org,\n   * pre-resolved by the boundary middleware that established the `'org'`\n   * scope (one `SELECT users.id WHERE organization_id = X` at the trust\n   * boundary). Repos use this as a literal `IN (...)` filter — they never\n   * JOIN to `users` themselves. Required when `scope === 'org'`.\n   */\n  readonly orgUserIds?: readonly string[];\n}\n\nconst als = new AsyncLocalStorage<RequesterContext>();\n\n/**\n * Set the ambient requester context for the duration of `fn`. The context\n * propagates through `await` boundaries to all downstream calls. Nesting is\n * fine — an inner `withRequester` overrides the outer for its callback.\n */\nexport function withRequester<T>(\n  ctx: RequesterContext,\n  fn: () => Promise<T>,\n): Promise<T> {\n  return als.run(ctx, fn);\n}\n\n/**\n * Read the ambient requester context. Throws if no context is active — by\n * design. Used by repos in strict scope-enforcement mode; an unwrapped call\n * site is a missing boundary.\n */\nexport function requireRequester(): RequesterContext {\n  const ctx = als.getStore();\n  if (!ctx) {\n    throw new Error(\n      'No requester context active. Wrap the entry point in ' +\n        'withRequester({ userId, organizationId }, fn). See tenant-context.ts.',\n    );\n  }\n  return ctx;\n}\n\n/**\n * Read the ambient requester context without throwing. Returns `undefined`\n * when no context is active. Used by repos in lenient scope-enforcement mode\n * (the default) and by code paths that legitimately run outside a request.\n */\nexport function tryGetRequester(): RequesterContext | undefined {\n  return als.getStore();\n}\n\n/**\n * Resolve the effective scope for the ambient context, defaulting to `'user'`.\n */\nexport function requireRequesterScope(): RequesterScope {\n  return requireRequester().scope ?? 'user';\n}\n\n/**\n * Convenience helpers for setting scope explicitly. All three preserve\n * `userId` in the context (audit trail) regardless of scope.\n *\n * - `withUserScope`: regular end-user requests. Most call sites.\n * - `withOrgScope`: admin / org-shared resource access. The caller MUST verify\n *   the requester's role permits `'org'` before calling — the helper does not\n *   enforce authorization. `orgUserIds` is pre-resolved at the boundary.\n * - `withSuperuserScope`: engineering scripts / internal tools. `organizationId`\n *   is null (cross-org is the point). Same authorization caveat applies.\n */\nexport function withUserScope<T>(\n  userId: string,\n  organizationId: string | null,\n  fn: () => Promise<T>,\n): Promise<T> {\n  return withRequester({ userId, organizationId, scope: 'user' }, fn);\n}\n\nexport function withOrgScope<T>(\n  userId: string,\n  organizationId: string,\n  orgUserIds: readonly string[],\n  fn: () => Promise<T>,\n): Promise<T> {\n  return withRequester(\n    { userId, organizationId, scope: 'org', orgUserIds },\n    fn,\n  );\n}\n\nexport function withSuperuserScope<T>(\n  userId: string,\n  fn: () => Promise<T>,\n): Promise<T> {\n  return withRequester(\n    { userId, organizationId: null, scope: 'superuser' },\n    fn,\n  );\n}\n"],"mappings":";AAWA,SAAS,OAAAA,MAAK,MAAAC,KAAI,WAAAC,gBAAe;;;ACAjC,SAAS,KAAK,IAAI,SAAS,QAAQ,WAAW;;;ACiC9C,SAAS,yBAAyB;AA6ClC,IAAM,MAAM,IAAI,kBAAoC;AAmB7C,SAAS,mBAAqC;AACnD,QAAM,MAAM,IAAI,SAAS;AACzB,MAAI,CAAC,KAAK;AACR,UAAM,IAAI;AAAA,MACR;AAAA,IAEF;AAAA,EACF;AACA,SAAO;AACT;AAOO,SAAS,kBAAgD;AAC9D,SAAO,IAAI,SAAS;AACtB;;;AD7EO,IAAe,iBAAf,MAAuC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWzB,YAA4B;AAAA,IAC7C,YAAY;AAAA,IACZ,YAAY;AAAA,IACZ,cAAc;AAAA,EAChB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAemB,mBAAyC;AAAA,EAEzC;AAAA,EAEnB,YAAY,IAAmB;AAC7B,SAAK,KAAK;AAAA,EACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASU,OAAO,IAA+B;AAC9C,WAAO,MAAM,KAAK;AAAA,EACpB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAM,SAAS,IAAqC;AAClD,UAAM,OAAO,MAAM,KAAK,UAAU,GAAG,KAAK,MAAM,IAAI,GAAG,EAAE,CAAC,EAAE,MAAM,CAAC;AACnE,WAAQ,KAAK,CAAC,KAAiB;AAAA,EACjC;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,UAAU,KAAmC;AACjD,QAAI,IAAI,WAAW,EAAG,QAAO,CAAC;AAC9B,UAAM,OAAO,MAAM,KAAK,UAAU,QAAQ,KAAK,MAAM,IAAI,GAAG,GAAG,CAAC;AAChE,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,KAAK,SAA2C;AACpD,QAAI,QAAQ,KAAK,UAAU,SAAS,KAAK;AAEzC,QAAI,SAAS,SAAS;AACpB,cAAQ,MAAM,QAAQ,QAAQ,OAAc;AAAA,IAC9C;AACA,QAAI,SAAS,UAAU,QAAW;AAChC,cAAQ,MAAM,MAAM,QAAQ,KAAK;AAAA,IACnC;AACA,QAAI,SAAS,WAAW,QAAW;AACjC,cAAQ,MAAM,OAAO,QAAQ,MAAM;AAAA,IACrC;AAEA,UAAM,OAAO,MAAM;AACnB,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,MAAM,OAA8B;AACxC,QAAI,QAAQ,KAAK,GACd,OAAO,EAAE,OAAO,+BAAuC,CAAC,EACxD,KAAK,KAAK,KAAK;AAElB,UAAM,aAAoB,CAAC;AAC3B,QAAI,KAAK,UAAU,YAAY;AAC7B,iBAAW,KAAK,OAAO,KAAK,MAAM,WAAW,CAAC,CAAC;AAAA,IACjD;AACA,UAAM,QAAQ,KAAK,eAAe;AAClC,QAAI,OAAO;AACT,iBAAW,KAAK,KAAK;AAAA,IACvB;AACA,QAAI,OAAO;AACT,iBAAW,KAAK,KAAK;AAAA,IACvB;AAEA,QAAI,WAAW,WAAW,GAAG;AAC3B,cAAQ,MAAM,MAAM,WAAW,CAAC,CAAC;AAAA,IACnC,WAAW,WAAW,SAAS,GAAG;AAChC,cAAQ,MAAM,MAAM,IAAI,GAAG,UAAU,CAAC;AAAA,IACxC;AAEA,UAAM,OAAO,MAAM;AACnB,WAAO,KAAK,CAAC,GAAG,SAAS;AAAA,EAC3B;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,OAAO,IAA8B;AACzC,UAAM,SAAS,MAAM,KAAK,SAAS,EAAE;AACrC,WAAO,WAAW;AAAA,EACpB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,OAAO,OAAyB,IAAkC;AACtE,UAAM,OAAO,KAAK,eAAe,OAAkC,QAAQ;AAC3E,UAAM,OAAO,MAAM,KAAK,OAAO,EAAE,EAC9B,OAAO,KAAK,KAAK,EACjB,OAAO,IAAW,EAClB,UAAU;AACb,WAAO,KAAK,CAAC;AAAA,EACf;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,OAAO,IAAY,OAAyB,IAAkC;AAClF,UAAM,OAAO,KAAK,eAAe,OAAkC,QAAQ;AAC3E,UAAM,OAAO,MAAM,KAAK,OAAO,EAAE,EAC9B,OAAO,KAAK,KAAK,EACjB,IAAI,IAAW,EACf,MAAM,KAAK,SAAS,GAAG,KAAK,MAAM,IAAI,GAAG,EAAE,CAAC,CAAC,EAC7C,UAAU;AACb,WAAO,KAAK,CAAC;AAAA,EACf;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,OAAO,IAAY,IAA+B;AACtD,UAAM,SAAS,KAAK,OAAO,EAAE;AAC7B,QAAI,KAAK,UAAU,YAAY;AAC7B,YAAM,OACH,OAAO,KAAK,KAAK,EACjB,IAAI,EAAE,WAAW,oBAAI,KAAK,EAAE,CAAQ,EACpC,MAAM,KAAK,SAAS,GAAG,KAAK,MAAM,IAAI,GAAG,EAAE,CAAC,CAAC;AAAA,IAClD,OAAO;AACL,YAAM,OACH,OAAO,KAAK,KAAK,EACjB,MAAM,KAAK,SAAS,GAAG,KAAK,MAAM,IAAI,GAAG,EAAE,CAAC,CAAC;AAAA,IAClD;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,WAAW,QAAiC,IAAoC;AACpF,WAAO,QAAQ,IAAI,OAAO,IAAI,CAAC,UAAU,KAAK,OAAO,OAAO,EAAE,CAAC,CAAC;AAAA,EAClE;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAiBU,UAAU,OAAa;AAC/B,UAAM,QAAQ,KAAK,GAAG,OAAO,EAAE,KAAK,KAAK,KAAK,EAAE,SAAS;AACzD,UAAM,QAAQ,KAAK,SAAS,OAAO,EAAE,YAAY,KAAK,UAAU,WAAW,CAAC;AAC5E,WAAO,QAAQ,MAAM,MAAM,KAAK,IAAI;AAAA,EACtC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAeU,iBAAkC;AAC1C,QAAI,CAAC,KAAK,UAAU,aAAc,QAAO;AACzC,UAAM,MACJ,KAAK,qBAAqB,WACtB,iBAAiB,IACjB,gBAAgB;AACtB,QAAI,CAAC,IAAK,QAAO;AACjB,UAAM,QAAwB,IAAI,SAAS;AAC3C,YAAQ,OAAO;AAAA,MACb,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO,IAAI,cAAc,IAAI,WAAW,SAAS,IAC7C,QAAQ,KAAK,MAAM,QAAQ,GAAG,IAAI,UAAsB,IACxD;AAAA,MACN,KAAK;AAAA,MACL;AACE,eAAO,GAAG,KAAK,MAAM,QAAQ,GAAG,IAAI,MAAM;AAAA,IAC9C;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQU,SACR,OACA,MACiB;AACjB,UAAM,aAAoB,CAAC;AAC3B,QAAI,MAAM,WAAY,YAAW,KAAK,OAAO,KAAK,MAAM,WAAW,CAAC,CAAC;AACrE,UAAM,QAAQ,KAAK,eAAe;AAClC,QAAI,MAAO,YAAW,KAAK,KAAK;AAChC,QAAI,MAAO,YAAW,KAAK,KAAK;AAChC,QAAI,WAAW,WAAW,EAAG,QAAO;AACpC,QAAI,WAAW,WAAW,EAAG,QAAO,WAAW,CAAC;AAChD,WAAO,IAAI,GAAG,UAAU;AAAA,EAC1B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASU,eACR,OACA,MACyB;AACzB,QAAI,CAAC,KAAK,UAAU,WAAY,QAAO;AACvC,UAAM,MAAM,oBAAI,KAAK;AACrB,QAAI,SAAS,UAAU;AACrB,aAAO,EAAE,GAAG,OAAO,WAAW,KAAK,WAAW,IAAI;AAAA,IACpD;AACA,WAAO,EAAE,GAAG,OAAO,WAAW,IAAI;AAAA,EACpC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAwBU,mBACR,aACA,gBACK;AACL,WAAO;AAAA,sBACW,WAAW;AAAA,qBACZ,cAAc;AAAA;AAAA;AAAA,EAGjC;AACF;;;AD1VO,IAAe,yBAAf,cAIG,eAAwB;AAAA;AAAA;AAAA;AAAA,EAUhC,MAAM,iBAAiB,YAA6C;AAClE,UAAM,OAAO,MAAM,KAAK,UAAU,EAC/B,MAAMC,IAAG,KAAK,MAAM,YAAY,GAAG,UAAU,CAAC,EAC9C,MAAM,CAAC;AACV,WAAQ,KAAK,CAAC,KAAiB;AAAA,EACjC;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,sBAAsB,aAA2C;AACrE,QAAI,YAAY,WAAW,EAAG,QAAO,CAAC;AACtC,UAAM,OAAO,MAAM,KAAK,UAAU,EAC/B,MAAMC,SAAQ,KAAK,MAAM,YAAY,GAAG,WAAW,CAAC;AACvD,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,gBAAgB,QAAoC;AACxD,UAAM,OAAO,MAAM,KAAK,UAAU,EAC/B,MAAMD,IAAG,KAAK,MAAM,QAAQ,GAAG,MAAM,CAAC;AACzC,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EA0BA,MAAM,cACJ,OACA,UACA,IAC0B;AAC1B,UAAM,MAAM,KAAK;AACjB,UAAM,IAAI;AAEV,UAAM,MAAM,OAAO,OAA4C;AAE7D,YAAM,cAA6C,CAAC;AACpD,iBAAW,MAAM,IAAI,aAAa;AAChC,oBAAY,GAAG,MAAM,IAAI,MAAM,KAAK,UAAU,IAAI,IAAI,EAAE,GAAG,QAAQ,GAAG,QAAQ;AAAA,MAChF;AAGA,YAAM,MAAM,oBAAI,KAAK;AACrB,YAAM,cAAuC,CAAC;AAC9C,iBAAW,OAAO,IAAI,aAAc,aAAY,GAAG,IAAI,EAAE,GAAG;AAE5D,YAAM,SAAkC;AAAA,QACtC,YAAY,EAAE,YAAY;AAAA,QAC1B;AAAA,QACA,GAAG;AAAA,QACH,GAAG;AAAA,QACH,GAAI,KAAK,UAAU,aAAa,EAAE,WAAW,IAAI,IAAI,CAAC;AAAA,MACxD;AAKA,YAAM,MAA+B;AAAA,QACnC,GAAG;AAAA,QACH,GAAI,KAAK,UAAU,aAAa,EAAE,WAAW,IAAI,IAAI,CAAC;AAAA,MACxD;AACA,iBAAW,MAAM,IAAI,aAAa;AAChC,YAAI,YAAY,GAAG,MAAM,MAAM,KAAM,KAAI,GAAG,MAAM,IAAI,YAAY,GAAG,MAAM;AAAA,MAC7E;AAEA,YAAM,OAAO,MAAM,GAChB,OAAO,KAAK,KAAK,EACjB,OAAO,MAAe,EACtB,mBAAmB;AAAA,QAClB,QAAQ,IAAI,eAAe,IAAI,CAAC,MAAc,KAAK,MAAM,CAAC,CAAC;AAAA,QAC3D;AAAA,MACF,CAAC,EACA,UAAU;AAEb,YAAM,QAAQ,KAAK,CAAC;AAGpB,YAAM,SAAS,EAAE,QAAQ;AACzB,UAAI,IAAI,OAAO,UAAU,OAAO,KAAK,MAAM,EAAE,SAAS,GAAG;AACvD,cAAM,KAAK;AAAA,UACT;AAAA,UACA,MAAM,IAAI;AAAA,UACV,EAAE,QAAQ;AAAA,UACV;AAAA,QACF;AAAA,MACF;AAEA,aAAO,KAAK,aAAa,KAAgB;AAAA,IAC3C;AAEA,WAAO,KAAK,IAAI,EAAE,IAAI,KAAK,GAAG,YAAY,CAAC,MAAM,IAAI,CAAC,CAAC;AAAA,EACzD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,0BACJ,YACA,UACiC;AACjC,UAAM,OAAO,MAAM,KAAK,GACrB,OAAO,EACP,KAAK,KAAK,KAAK,EACf;AAAA,MACCE;AAAA,QACEF,IAAG,KAAK,MAAM,UAAU,GAAG,QAAQ;AAAA,QACnCA,IAAG,KAAK,MAAM,YAAY,GAAG,UAAU;AAAA,MACzC;AAAA,IACF,EACC,MAAM,CAAC;AACV,UAAM,MAAM,KAAK,CAAC;AAClB,WAAO,MAAM,KAAK,aAAa,GAAG,IAAI;AAAA,EACxC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,uBACJ,YACA,UACA,IACgC;AAChC,UAAM,KAAK,KAAK,OAAO,EAAE;AACzB,UAAM,MAAM,KAAK,WAAW,aACxB,EAAE,WAAW,oBAAI,KAAK,GAAG,WAAW,oBAAI,KAAK,EAAE,IAC/C,EAAE,YAAY,MAAM,UAAU,MAAM,WAAW,oBAAI,KAAK,EAAE;AAC9D,UAAM,OAAO,MAAM,GAChB,OAAO,KAAK,KAAK,EACjB,IAAI,GAAY,EAChB;AAAA,MACCE;AAAA,QACEF,IAAG,KAAK,MAAM,UAAU,GAAG,QAAQ;AAAA,QACnCA,IAAG,KAAK,MAAM,YAAY,GAAG,UAAU;AAAA,MACzC;AAAA,IACF,EACC,UAAU,EAAE,IAAI,KAAK,MAAM,IAAI,EAAE,CAAC;AACrC,WAAO,KAAK,CAAC,IAAI,EAAE,IAAI,KAAK,CAAC,EAAE,GAAa,IAAI;AAAA,EAClD;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQA,MAAM,WAAW,QAAqD;AACpE,QAAI,OAAO,WAAW,EAAG,QAAO,CAAC;AACjC,WAAO,KAAK,GAAG,YAAY,OAAO,OAAO;AACvC,YAAM,MAAiB,CAAC;AACxB,iBAAW,SAAS,QAAQ;AAC1B,cAAM,MAAM;AACZ,YAAI,CAAC,IAAI,YAAY,KAAK,CAAC,IAAI,UAAU,EAAG;AAC5C,cAAM,OAAO,MAAM,KAAK;AAAA,UACtB;AAAA,UACA,IAAI,UAAU;AAAA,UACd;AAAA,QACF;AACA,cAAM,KAAM,KAAiC,IAAI;AACjD,cAAM,MAAM,MAAM,GACf,OAAO,EACP,KAAK,KAAK,KAAK,EACf,MAAMA,IAAG,KAAK,MAAM,IAAI,GAAG,EAAE,CAAC,EAC9B,MAAM,CAAC;AACV,YAAI,KAAK,IAAI,CAAC,CAAY;AAAA,MAC5B;AACA,aAAO;AAAA,IACT,CAAC;AAAA,EACH;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOU,aAAa,KAA+B;AACpD,UAAM,IAAI;AACV,UAAM,MAA+B,CAAC;AACtC,eAAW,OAAO,KAAK,WAAW,kBAAmB,KAAI,GAAG,IAAI,EAAE,GAAG;AACrE,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAgB,kBACd,KACA,WACA,SACA,SACe;AAAA,EAEjB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAc,UACZ,IACA,IACA,eACA,UACwB;AACxB,UAAM,mBAAmB;AACzB,QAAI,CAAC,kBAAkB;AACrB,UAAI,GAAG,QAAQ;AACb,cAAM,IAAI;AAAA,UACR,GAAG,KAAK,YAAY,IAAI,4DACF,GAAG,MAAM,gBAAgB,GAAG,QAAQ;AAAA,QAC5D;AAAA,MACF;AACA,aAAO;AAAA,IACT;AAEA,UAAM,WACJ,GAAG,aAAa,SAAS,KAAK,QAAQ,GAAG;AAC3C,UAAM,OAAO,MAAM,GAChB,OAAO,EAAE,IAAI,SAAS,IAAI,EAAE,CAAC,EAC7B,KAAK,QAAQ,EACb;AAAA,MACCE;AAAA,QACEF,IAAG,SAAS,UAAU,GAAG,QAAQ;AAAA,QACjCA,IAAG,SAAS,YAAY,GAAG,gBAAgB;AAAA,MAC7C;AAAA,IACF,EACC,MAAM,CAAC;AACV,UAAM,KAAM,KAAK,CAAC,GAAG,MAA6B;AAClD,QAAI,OAAO,QAAQ,GAAG,QAAQ;AAC5B,YAAM,IAAI;AAAA,QACR,GAAG,KAAK,YAAY,IAAI,sCAClB,gBAAgB,gBAAgB,QAAQ,WAAW,GAAG,MAAM;AAAA,MAEpE;AAAA,IACF;AACA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,oBAAoB,SAAqC;AAC7D,UAAM,IAAI,MAAM,4EAAuE;AAAA,EACzF;AACF;","names":["and","eq","inArray","eq","inArray","and"]}

package/dist/runtime/base-classes/tenant-context.d.ts

@@ -0,0 +1,79 @@
+/**
+ * Data-visibility scope. The auth layer decides which scope a request is
+ * allowed to claim; the repo trusts whatever the ambient context says.
+ *
+ * - `'user'`: filter every read by `user_id = ctx.userId`. Default.
+ * - `'org'`: filter every read by membership in the requester's org, resolved
+ *   via `user_id IN (ctx.orgUserIds)` rather than via a per-entity
+ *   `organization_id` column. Works for every user-owned table and keeps repos
+ *   single-table — the org member list is pre-resolved at the boundary.
+ * - `'superuser'`: no scope filter. Engineering / internal-tools only.
+ *
+ * AUTHORIZATION (who is allowed to claim each scope) lives in boundary
+ * middleware, not in the repo. The repo trusts the ambient context — same
+ * trust model as a threaded `userId`.
+ */
+type RequesterScope = 'user' | 'org' | 'superuser';
+interface RequesterContext {
+    /**
+     * The user making the request. Always present — even in `'org'` and
+     * `'superuser'` scopes it is the audit-trail "who actually did this".
+     */
+    readonly userId: string;
+    /**
+     * The organization the requester belongs to. Required when
+     * `scope === 'org'`; may be null for `'user'` (users with no org) and for
+     * `'superuser'` (cross-org reads).
+     */
+    readonly organizationId: string | null;
+    /**
+     * Data-visibility scope. Defaults to `'user'` when omitted.
+     */
+    readonly scope?: RequesterScope;
+    /**
+     * For `scope === 'org'`: the list of user IDs in the requester's org,
+     * pre-resolved by the boundary middleware that established the `'org'`
+     * scope (one `SELECT users.id WHERE organization_id = X` at the trust
+     * boundary). Repos use this as a literal `IN (...)` filter — they never
+     * JOIN to `users` themselves. Required when `scope === 'org'`.
+     */
+    readonly orgUserIds?: readonly string[];
+}
+/**
+ * Set the ambient requester context for the duration of `fn`. The context
+ * propagates through `await` boundaries to all downstream calls. Nesting is
+ * fine — an inner `withRequester` overrides the outer for its callback.
+ */
+declare function withRequester<T>(ctx: RequesterContext, fn: () => Promise<T>): Promise<T>;
+/**
+ * Read the ambient requester context. Throws if no context is active — by
+ * design. Used by repos in strict scope-enforcement mode; an unwrapped call
+ * site is a missing boundary.
+ */
+declare function requireRequester(): RequesterContext;
+/**
+ * Read the ambient requester context without throwing. Returns `undefined`
+ * when no context is active. Used by repos in lenient scope-enforcement mode
+ * (the default) and by code paths that legitimately run outside a request.
+ */
+declare function tryGetRequester(): RequesterContext | undefined;
+/**
+ * Resolve the effective scope for the ambient context, defaulting to `'user'`.
+ */
+declare function requireRequesterScope(): RequesterScope;
+/**
+ * Convenience helpers for setting scope explicitly. All three preserve
+ * `userId` in the context (audit trail) regardless of scope.
+ *
+ * - `withUserScope`: regular end-user requests. Most call sites.
+ * - `withOrgScope`: admin / org-shared resource access. The caller MUST verify
+ *   the requester's role permits `'org'` before calling — the helper does not
+ *   enforce authorization. `orgUserIds` is pre-resolved at the boundary.
+ * - `withSuperuserScope`: engineering scripts / internal tools. `organizationId`
+ *   is null (cross-org is the point). Same authorization caveat applies.
+ */
+declare function withUserScope<T>(userId: string, organizationId: string | null, fn: () => Promise<T>): Promise<T>;
+declare function withOrgScope<T>(userId: string, organizationId: string, orgUserIds: readonly string[], fn: () => Promise<T>): Promise<T>;
+declare function withSuperuserScope<T>(userId: string, fn: () => Promise<T>): Promise<T>;
+
+export { type RequesterContext, type RequesterScope, requireRequester, requireRequesterScope, tryGetRequester, withOrgScope, withRequester, withSuperuserScope, withUserScope };

package/dist/runtime/base-classes/tenant-context.js

@@ -0,0 +1,46 @@
+// runtime/base-classes/tenant-context.ts
+import { AsyncLocalStorage } from "async_hooks";
+var als = new AsyncLocalStorage();
+function withRequester(ctx, fn) {
+  return als.run(ctx, fn);
+}
+function requireRequester() {
+  const ctx = als.getStore();
+  if (!ctx) {
+    throw new Error(
+      "No requester context active. Wrap the entry point in withRequester({ userId, organizationId }, fn). See tenant-context.ts."
+    );
+  }
+  return ctx;
+}
+function tryGetRequester() {
+  return als.getStore();
+}
+function requireRequesterScope() {
+  return requireRequester().scope ?? "user";
+}
+function withUserScope(userId, organizationId, fn) {
+  return withRequester({ userId, organizationId, scope: "user" }, fn);
+}
+function withOrgScope(userId, organizationId, orgUserIds, fn) {
+  return withRequester(
+    { userId, organizationId, scope: "org", orgUserIds },
+    fn
+  );
+}
+function withSuperuserScope(userId, fn) {
+  return withRequester(
+    { userId, organizationId: null, scope: "superuser" },
+    fn
+  );
+}
+export {
+  requireRequester,
+  requireRequesterScope,
+  tryGetRequester,
+  withOrgScope,
+  withRequester,
+  withSuperuserScope,
+  withUserScope
+};
+//# sourceMappingURL=tenant-context.js.map

package/dist/runtime/base-classes/tenant-context.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../../../runtime/base-classes/tenant-context.ts"],"sourcesContent":["/**\n * Ambient requester context — AsyncLocalStorage-backed tenant scope.\n *\n * The alternative to threading `userId`/`organizationId` through every\n * repository/service signature. Set ONCE at each boundary the generated app\n * owns, read implicitly inside `BaseRepository` (see `scopePredicate`).\n *\n * ## Where to set it (boundaries)\n *\n *   - HTTP / tRPC handlers — from the authenticated `ctx.user`\n *   - OAuth callback controllers — from the authenticated session\n *   - Queue/worker `process()` — from the job's owning user after the\n *     job's record is loaded\n *\n * Each boundary wraps the rest of the request in `withRequester({ userId,\n * organizationId }, () => ...)`. The context propagates through every `await`\n * to all downstream repo/service calls without being passed explicitly.\n *\n * ## Where to read it\n *\n *   - `BaseRepository.scopePredicate()` reads it (via `tryGetRequester` in\n *     lenient mode, `requireRequester` in strict mode) and filters every read\n *     by the ambient scope when the repo declares `userTracking: true`.\n *\n * ## Why AsyncLocalStorage over an explicit parameter\n *\n * Threading `userId` (and later `organizationId`) through dozens of method\n * signatures is pure parameter pollution. Ambient context also lets a repo\n * make the \"I forgot to scope\" mistake impossible at runtime: in strict mode\n * `requireRequester()` throws when no context is active, surfacing a missing\n * boundary call loudly rather than silently leaking cross-tenant data.\n *\n * ## Not-found semantics\n *\n * When a row exists but belongs to a different requester, scoped reads return\n * `null`/`[]` — identical to \"truly doesn't exist\". No existence oracle;\n * callers throw NotFound uniformly. Standard security practice.\n *\n * ## Testing\n *\n * Tests that exercise scoped repos must wrap the call in `withRequester(...)`.\n * In strict mode an unwrapped call hitting `requireRequester()` throws — by\n * design. In lenient mode (the default) an unwrapped call is simply unscoped.\n */\nimport { AsyncLocalStorage } from 'node:async_hooks';\n\n/**\n * Data-visibility scope. The auth layer decides which scope a request is\n * allowed to claim; the repo trusts whatever the ambient context says.\n *\n * - `'user'`: filter every read by `user_id = ctx.userId`. Default.\n * - `'org'`: filter every read by membership in the requester's org, resolved\n *   via `user_id IN (ctx.orgUserIds)` rather than via a per-entity\n *   `organization_id` column. Works for every user-owned table and keeps repos\n *   single-table — the org member list is pre-resolved at the boundary.\n * - `'superuser'`: no scope filter. Engineering / internal-tools only.\n *\n * AUTHORIZATION (who is allowed to claim each scope) lives in boundary\n * middleware, not in the repo. The repo trusts the ambient context — same\n * trust model as a threaded `userId`.\n */\nexport type RequesterScope = 'user' | 'org' | 'superuser';\n\nexport interface RequesterContext {\n  /**\n   * The user making the request. Always present — even in `'org'` and\n   * `'superuser'` scopes it is the audit-trail \"who actually did this\".\n   */\n  readonly userId: string;\n  /**\n   * The organization the requester belongs to. Required when\n   * `scope === 'org'`; may be null for `'user'` (users with no org) and for\n   * `'superuser'` (cross-org reads).\n   */\n  readonly organizationId: string | null;\n  /**\n   * Data-visibility scope. Defaults to `'user'` when omitted.\n   */\n  readonly scope?: RequesterScope;\n  /**\n   * For `scope === 'org'`: the list of user IDs in the requester's org,\n   * pre-resolved by the boundary middleware that established the `'org'`\n   * scope (one `SELECT users.id WHERE organization_id = X` at the trust\n   * boundary). Repos use this as a literal `IN (...)` filter — they never\n   * JOIN to `users` themselves. Required when `scope === 'org'`.\n   */\n  readonly orgUserIds?: readonly string[];\n}\n\nconst als = new AsyncLocalStorage<RequesterContext>();\n\n/**\n * Set the ambient requester context for the duration of `fn`. The context\n * propagates through `await` boundaries to all downstream calls. Nesting is\n * fine — an inner `withRequester` overrides the outer for its callback.\n */\nexport function withRequester<T>(\n  ctx: RequesterContext,\n  fn: () => Promise<T>,\n): Promise<T> {\n  return als.run(ctx, fn);\n}\n\n/**\n * Read the ambient requester context. Throws if no context is active — by\n * design. Used by repos in strict scope-enforcement mode; an unwrapped call\n * site is a missing boundary.\n */\nexport function requireRequester(): RequesterContext {\n  const ctx = als.getStore();\n  if (!ctx) {\n    throw new Error(\n      'No requester context active. Wrap the entry point in ' +\n        'withRequester({ userId, organizationId }, fn). See tenant-context.ts.',\n    );\n  }\n  return ctx;\n}\n\n/**\n * Read the ambient requester context without throwing. Returns `undefined`\n * when no context is active. Used by repos in lenient scope-enforcement mode\n * (the default) and by code paths that legitimately run outside a request.\n */\nexport function tryGetRequester(): RequesterContext | undefined {\n  return als.getStore();\n}\n\n/**\n * Resolve the effective scope for the ambient context, defaulting to `'user'`.\n */\nexport function requireRequesterScope(): RequesterScope {\n  return requireRequester().scope ?? 'user';\n}\n\n/**\n * Convenience helpers for setting scope explicitly. All three preserve\n * `userId` in the context (audit trail) regardless of scope.\n *\n * - `withUserScope`: regular end-user requests. Most call sites.\n * - `withOrgScope`: admin / org-shared resource access. The caller MUST verify\n *   the requester's role permits `'org'` before calling — the helper does not\n *   enforce authorization. `orgUserIds` is pre-resolved at the boundary.\n * - `withSuperuserScope`: engineering scripts / internal tools. `organizationId`\n *   is null (cross-org is the point). Same authorization caveat applies.\n */\nexport function withUserScope<T>(\n  userId: string,\n  organizationId: string | null,\n  fn: () => Promise<T>,\n): Promise<T> {\n  return withRequester({ userId, organizationId, scope: 'user' }, fn);\n}\n\nexport function withOrgScope<T>(\n  userId: string,\n  organizationId: string,\n  orgUserIds: readonly string[],\n  fn: () => Promise<T>,\n): Promise<T> {\n  return withRequester(\n    { userId, organizationId, scope: 'org', orgUserIds },\n    fn,\n  );\n}\n\nexport function withSuperuserScope<T>(\n  userId: string,\n  fn: () => Promise<T>,\n): Promise<T> {\n  return withRequester(\n    { userId, organizationId: null, scope: 'superuser' },\n    fn,\n  );\n}\n"],"mappings":";AA4CA,SAAS,yBAAyB;AA6ClC,IAAM,MAAM,IAAI,kBAAoC;AAO7C,SAAS,cACd,KACA,IACY;AACZ,SAAO,IAAI,IAAI,KAAK,EAAE;AACxB;AAOO,SAAS,mBAAqC;AACnD,QAAM,MAAM,IAAI,SAAS;AACzB,MAAI,CAAC,KAAK;AACR,UAAM,IAAI;AAAA,MACR;AAAA,IAEF;AAAA,EACF;AACA,SAAO;AACT;AAOO,SAAS,kBAAgD;AAC9D,SAAO,IAAI,SAAS;AACtB;AAKO,SAAS,wBAAwC;AACtD,SAAO,iBAAiB,EAAE,SAAS;AACrC;AAaO,SAAS,cACd,QACA,gBACA,IACY;AACZ,SAAO,cAAc,EAAE,QAAQ,gBAAgB,OAAO,OAAO,GAAG,EAAE;AACpE;AAEO,SAAS,aACd,QACA,gBACA,YACA,IACY;AACZ,SAAO;AAAA,IACL,EAAE,QAAQ,gBAAgB,OAAO,OAAO,WAAW;AAAA,IACnD;AAAA,EACF;AACF;AAEO,SAAS,mBACd,QACA,IACY;AACZ,SAAO;AAAA,IACL,EAAE,QAAQ,gBAAgB,MAAM,OAAO,YAAY;AAAA,IACnD;AAAA,EACF;AACF;","names":[]}

package/dist/src/cli/index.js

@@ -10102,6 +10102,8 @@ function loadRuntimeFile(relPath2) {
 var VENDORED_RUNTIME_FILES = [
   // base-classes — consumer-facing inheritance targets
   { runtime: "base-classes/base-repository.ts", target: "src/shared/base-classes/base-repository.ts" },
+  // Ambient tenant scope — imported by base-repository.ts (scopePredicate)
+  { runtime: "base-classes/tenant-context.ts", target: "src/shared/base-classes/tenant-context.ts" },
   { runtime: "base-classes/base-service.ts", target: "src/shared/base-classes/base-service.ts" },
   { runtime: "base-classes/synced-entity-repository.ts", target: "src/shared/base-classes/synced-entity-repository.ts" },
   { runtime: "base-classes/synced-entity-service.ts", target: "src/shared/base-classes/synced-entity-service.ts" },