npm - @pattern-stack/codegen - Versions diffs - 0.7.8 → 0.8.1 - Mend

@pattern-stack/codegen 0.7.8 → 0.8.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (40) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -4,6 +4,101 @@ All notable changes to this project will be documented in this file.
 ## [Unreleased]
+## [0.8.1] — 2026-05-25
+Closes the loop on ambient tenant scoping (0.8.0): adds the **RequesterContext
+boundary** that turns an authenticated request into ambient scope, so scoping
+actually engages over HTTP — including Swagger's "Authorize" bearer flow. See
+ADR-0002 (`ai-docs/adrs/0002-requester-context-boundary.md`).
+### Added
+- **`feat(auth)` — `RequesterContextMiddleware` + `installRequesterContext`.** New
+  `runtime/subsystems/auth/middleware/requester-context.ts`. The Express-style
+  middleware resolves the requester via the consumer's `IUserContext` and runs the
+  rest of the request inside `withRequester(...)`, so every downstream repository
+  read/write is auto-scoped (ADR-0001) with no threaded `userId`. ALS-correct
+  (middleware, not interceptor). `installRequesterContext(app)` is the one-liner
+  for `main.ts`: resolves `AUTH_USER_CONTEXT` from the root container
+  (`app.get(token, { strict: false })`), no-ops with a warning when unbound.
+  Exported from the auth barrel. Verified over real HTTP — two concurrent requests
+  with different bearer tokens each observe their own scope; an unauthenticated
+  request observes none (`requester-context.http.spec.ts`).
+- **`feat(auth)` — optional `IUserContext.resolveRequester(req)`.** Supplies the
+  full `org`/`superuser` `RequesterContext` (org member list resolved at the
+  boundary). Backward compatible: when absent, the boundary derives plain `'user'`
+  scope from `getCurrentUserId`.
+### Changed
+- **`feat(scaffold)` — generated `main.ts` persists Swagger auth.**
+  `SwaggerModule.setup(...)` now passes `{ swaggerOptions: { persistAuthorization:
+  true } }`, so the "Authorize" bearer token survives reloads and keeps flowing as
+  the `Authorization` header the boundary reads. The generated `main.ts` also
+  carries a commented `installRequesterContext(app)` hint (not a static import — so
+  scaffolds without the auth subsystem still compile).
+### Notes
+- Wiring is opt-in: add `installRequesterContext(app)` to your bootstrap after
+  `NestFactory.create`. Auto-patching it in at `subsystem install auth` time (like
+  the Swagger block) is a deferred follow-up (ADR-0002). A tRPC-side boundary and
+  junction-repo scoping remain deferred.
+## [0.8.0] — 2026-05-25
+Adds **ambient tenant scoping** to `BaseRepository`: user-owned repos filter every
+read/write by the requester automatically, instead of relying on hand-threaded
+`userId` parameters. Ports the proven `dealbrain` `RequesterContext` pattern into
+the codegen substrate. See ADR-0001 (`ai-docs/adrs/0001-ambient-tenant-scoping.md`).
+### Added
+- **`feat(runtime)` — `tenant-context.ts` ambient scope primitive.** New
+  `runtime/base-classes/tenant-context.ts`: an `AsyncLocalStorage`-backed
+  `RequesterContext { userId, organizationId, scope?, orgUserIds? }` with
+  `withRequester(ctx, fn)` (set at a boundary), `requireRequester()` /
+  `tryGetRequester()` (read inside repos), and `withUserScope` / `withOrgScope` /
+  `withSuperuserScope` helpers. Scope model (`'user' | 'org' | 'superuser'`)
+  copied verbatim from `dealbrain` `packages/integrations/src/framework`.
+  Vendored into consumers via `init-scaffold` and exported from the base-classes
+  barrel.
+- **`feat(runtime)` — `BaseRepository.scopePredicate()` + `scopeAnd()`.** When a
+  repo declares `behaviors.userTracking` (i.e. the entity has the `user_tracking`
+  behavior) and an ambient `RequesterContext` is active, `findById`, `findByIds`,
+  `list`, `count`, `update`, and `delete` automatically filter by `user_id`:
+  `= ctx.userId` (`user`), `IN ctx.orgUserIds` (`org`; empty ⇒ matches nothing),
+  or unfiltered (`superuser`). **No new per-entity config knob** — it rides the
+  existing (previously dormant) `userTracking` flag. No template changes.
+- **Unit coverage** — `base-repository.spec.ts` gains a scoping suite that renders
+  real Drizzle SQL (via `QueryBuilder`) to assert the emitted `WHERE` per scope,
+  gating (off when `userTracking` false / no context), strict-mode throw, and the
+  combined soft-delete + scope + leaf predicate.
+### Changed
+- **`scopeEnforcement` (lenient default).** With no ambient context active, a
+  `userTracking` repo is **not** scoped — adopting ambient scoping is additive,
+  and isolation engages only once a boundary installs `withRequester(...)`. Set
+  `protected readonly scopeEnforcement = 'strict'` on a repo or family base to
+  make a missing boundary throw (fail-loud). Validated against
+  `dealbrain-integrations` (no `userTracking` repos today): typecheck + 737 tests
+  green, behavior unchanged.
+### Fixed
+- **`fix(runtime)` — soft-delete guard no longer dropped on `findById` /
+  `list({where})` / bespoke query methods.** Drizzle's `.where()` *overrides* a
+  prior `.where()` on a `$dynamic()` query, so the soft-delete `isNull` filter
+  that `baseQuery()` added was being silently discarded whenever a leaf method
+  chained its own `.where()` — only no-arg `list()` and `count()` actually
+  excluded soft-deleted rows. `baseQuery(extra?)` now folds soft-delete + scope +
+  the leaf predicate into a single AND-joined `WHERE`.
+  - **Migration:** on `soft_delete` entities, `findById(id)` and `list({ where })`
+    now correctly **exclude** soft-deleted rows (previously returned them). Code
+    that relied on the old behavior to read a soft-deleted row must query
+    `deletedAt` explicitly.
 ## [0.7.8] — 2026-05-25
 Fixes a NestJS DI-resolution bug in cross-entity module wiring. A generated service that injects a sibling entity's **repository** — junction `.list()` composition (CGP-60), EAV value→definition resolution (`eav_value_table`) — failed at runtime because the sibling module exported only its **service**, never its repository (ADR-002). The code typechecked (`tsc` can't see DI wiring), so it shipped and only surfaced on a consumer's first `NestFactory` boot (dealbrain-integrations).

package/dist/runtime/base-classes/activity-entity-repository.js CHANGED Viewed

@@ -2,7 +2,25 @@
 import { eq as eq2, between, desc } from "drizzle-orm";
 // runtime/base-classes/base-repository.ts
-import { eq, inArray, isNull, sql } from "drizzle-orm";
+import { and, eq, inArray, isNull, sql } from "drizzle-orm";
+// runtime/base-classes/tenant-context.ts
+import { AsyncLocalStorage } from "async_hooks";
+var als = new AsyncLocalStorage();
+function requireRequester() {
+  const ctx = als.getStore();
+  if (!ctx) {
+    throw new Error(
+      "No requester context active. Wrap the entry point in withRequester({ userId, organizationId }, fn). See tenant-context.ts."
+    );
+  }
+  return ctx;
+}
+function tryGetRequester() {
+  return als.getStore();
+}
+// runtime/base-classes/base-repository.ts
 var BaseRepository = class {
   // eslint-disable-line @typescript-eslint/no-explicit-any
   /**
@@ -14,6 +32,20 @@ var BaseRepository = class {
     softDelete: false,
     userTracking: false
   };
+  /**
+   * Ambient tenant-scope enforcement for `userTracking` repos (see
+   * `scopePredicate`). Only has effect when `behaviors.userTracking === true`.
+   *
+   * - `'lenient'` (default): when no ambient requester context is active,
+   *   reads/writes are NOT scoped — preserves pre-scoping behavior, so adopting
+   *   ambient scoping is additive. Scoping kicks in automatically once a
+   *   boundary installs `withRequester(...)`.
+   * - `'strict'`: a missing ambient context throws (`requireRequester`),
+   *   making a forgotten boundary fail loud instead of silently returning
+   *   cross-tenant rows. Recommended for new multi-tenant consumers — override
+   *   in a concrete repo or a family base class.
+   */
+  scopeEnforcement = "lenient";
   db;
   constructor(db) {
     this.db = db;
@@ -36,7 +68,7 @@ var BaseRepository = class {
    * Returns null if not found (or soft-deleted when softDelete=true).
    */
   async findById(id) {
-    const rows = await this.baseQuery().where(eq(this.table["id"], id)).limit(1);
+    const rows = await this.baseQuery(eq(this.table["id"], id)).limit(1);
     return rows[0] ?? null;
   }
   /**
@@ -45,17 +77,14 @@ var BaseRepository = class {
    */
   async findByIds(ids) {
     if (ids.length === 0) return [];
-    const rows = await this.baseQuery().where(inArray(this.table["id"], ids));
+    const rows = await this.baseQuery(inArray(this.table["id"], ids));
     return rows;
   }
   /**
    * List entities with optional filtering, pagination, and ordering.
    */
   async list(options) {
-    let query = this.baseQuery();
-    if (options?.where) {
-      query = query.where(options.where);
-    }
+    let query = this.baseQuery(options?.where);
     if (options?.orderBy) {
       query = query.orderBy(options.orderBy);
     }
@@ -78,13 +107,16 @@ var BaseRepository = class {
     if (this.behaviors.softDelete) {
       conditions.push(isNull(this.table["deletedAt"]));
     }
+    const scope = this.scopePredicate();
+    if (scope) {
+      conditions.push(scope);
+    }
     if (where) {
       conditions.push(where);
     }
     if (conditions.length === 1) {
       query = query.where(conditions[0]);
     } else if (conditions.length > 1) {
-      const { and } = await import("drizzle-orm");
       query = query.where(and(...conditions));
     }
     const rows = await query;
@@ -114,7 +146,7 @@ var BaseRepository = class {
    */
   async update(id, input, tx) {
     const data = this.withTimestamps(input, "update");
-    const rows = await this.runner(tx).update(this.table).set(data).where(eq(this.table["id"], id)).returning();
+    const rows = await this.runner(tx).update(this.table).set(data).where(this.scopeAnd(eq(this.table["id"], id))).returning();
     return rows[0];
   }
   /**
@@ -125,9 +157,9 @@ var BaseRepository = class {
   async delete(id, tx) {
     const runner = this.runner(tx);
     if (this.behaviors.softDelete) {
-      await runner.update(this.table).set({ deletedAt: /* @__PURE__ */ new Date() }).where(eq(this.table["id"], id));
+      await runner.update(this.table).set({ deletedAt: /* @__PURE__ */ new Date() }).where(this.scopeAnd(eq(this.table["id"], id)));
     } else {
-      await runner.delete(this.table).where(eq(this.table["id"], id));
+      await runner.delete(this.table).where(this.scopeAnd(eq(this.table["id"], id)));
     }
   }
   /**
@@ -142,15 +174,64 @@ var BaseRepository = class {
   // Protected Helpers
   // ============================================================================
   /**
-   * Base SELECT query that automatically excludes soft-deleted rows
-   * when softDelete behavior is enabled.
+   * Base SELECT query that automatically applies the ambient guards —
+   * soft-delete exclusion (when `softDelete`) and tenant scope (when
+   * `userTracking` + an active requester context) — combined with an optional
+   * caller `extra` predicate into a SINGLE `WHERE`.
+   *
+   * Pass the leaf predicate as `extra` rather than chaining a second
+   * `.where(...)`: Drizzle's `.where()` OVERRIDES (does not AND) a prior
+   * `.where()` on a `$dynamic()` query, so a chained call would silently drop
+   * the soft-delete and scope guards. `baseQuery(extra)` is the safe form.
    */
-  baseQuery() {
+  baseQuery(extra) {
     const query = this.db.select().from(this.table).$dynamic();
-    if (this.behaviors.softDelete) {
-      return query.where(isNull(this.table["deletedAt"]));
+    const where = this.scopeAnd(extra, { softDelete: this.behaviors.softDelete });
+    return where ? query.where(where) : query;
+  }
+  /**
+   * Build the ambient tenant-scope predicate for this repo's table.
+   *
+   * Returns `undefined` (no scoping) when:
+   *   - `behaviors.userTracking` is false (repo is not user-owned), or
+   *   - no ambient requester context is active AND `scopeEnforcement` is
+   *     `'lenient'` (the default — preserves pre-scoping behavior).
+   *
+   * When a requester context is active, scopes by `user_id` per the ambient
+   * scope: `'user'` → `user_id = ctx.userId`; `'org'` → `user_id IN
+   * ctx.orgUserIds` (empty list matches nothing — fail-closed); `'superuser'`
+   * → no filter. See `tenant-context.ts` for the boundary-install contract.
+   */
+  scopePredicate() {
+    if (!this.behaviors.userTracking) return void 0;
+    const ctx = this.scopeEnforcement === "strict" ? requireRequester() : tryGetRequester();
+    if (!ctx) return void 0;
+    const scope = ctx.scope ?? "user";
+    switch (scope) {
+      case "superuser":
+        return void 0;
+      case "org":
+        return ctx.orgUserIds && ctx.orgUserIds.length > 0 ? inArray(this.table["userId"], ctx.orgUserIds) : sql`false`;
+      case "user":
+      default:
+        return eq(this.table["userId"], ctx.userId);
     }
-    return query;
+  }
+  /**
+   * Combine the ambient scope predicate (and, optionally, the soft-delete
+   * guard) with a caller `extra` predicate into one `SQL`. Returns `undefined`
+   * when nothing applies. Used by read + by-id write paths so a single
+   * `.where(...)` carries every guard.
+   */
+  scopeAnd(extra, opts) {
+    const conditions = [];
+    if (opts?.softDelete) conditions.push(isNull(this.table["deletedAt"]));
+    const scope = this.scopePredicate();
+    if (scope) conditions.push(scope);
+    if (extra) conditions.push(extra);
+    if (conditions.length === 0) return void 0;
+    if (conditions.length === 1) return conditions[0];
+    return and(...conditions);
   }
   /**
    * Merge timestamp fields into an input object.

package/dist/runtime/base-classes/activity-entity-repository.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../../../runtime/base-classes/activity-entity-repository.ts","../../../runtime/base-classes/base-repository.ts"],"sourcesContent":["/*\n ActivityEntityRepository<TEntity>\n \n Family-specific base for activity entities (emails, calls, meetings, notes).\n * Adds date-range queries, user/opportunity scoping, and recency ordering.\n \n Concrete repos extend this and declare their table + behaviors.\n /\nimport { eq, between, desc } from 'drizzle-orm';\nimport { BaseRepository } from './base-repository';\n\nexport abstract class ActivityEntityRepository<TEntity> extends BaseRepository<TEntity> {\n /\n Find activities within a date range (inclusive).\n /\n async findByDateRange(start: Date, end: Date): Promise<TEntity[]> {\n const rows = await this.baseQuery()\n .where(between(this.table['occurredAt'], start, end));\n return rows as TEntity[];\n }\n\n /\n Find all activities for a specific user.\n /\n async findByUserId(userId: string): Promise<TEntity[]> {\n const rows = await this.baseQuery()\n .where(eq(this.table['userId'], userId));\n return rows as TEntity[];\n }\n\n /\n Find all activities for a specific opportunity.\n /\n async findByOpportunityId(opportunityId: string): Promise<TEntity[]> {\n const rows = await this.baseQuery()\n .where(eq(this.table['opportunityId'], opportunityId));\n return rows as TEntity[];\n }\n\n /\n Find the most recent activities for an opportunity, ordered by occurredAt desc.\n /\n async findRecentByOpportunityId(opportunityId: string, limit = 10): Promise<TEntity[]> {\n const rows = await this.baseQuery()\n .where(eq(this.table['opportunityId'], opportunityId))\n .orderBy(desc(this.table['occurredAt']))\n .limit(limit);\n return rows as TEntity[];\n }\n}\n","/\n BaseRepository<TEntity>\n \n Abstract base class providing standard CRUD operations via Drizzle ORM.\n * Every generated repository extends this class.\n \n Family-specific bases (CrmEntityRepository, etc.) extend this in v0.1\n * without any changes to BaseRepository.\n \n NOT @Injectable — concrete repositories are @Injectable and inject DRIZZLE.\n /\nimport { eq, inArray, isNull, sql } from 'drizzle-orm';\nimport type { PgTableWithColumns, PgColumn } from 'drizzle-orm/pg-core';\nimport type { SQL } from 'drizzle-orm';\nimport type { DrizzleClient, DrizzleTx } from '../types/drizzle';\n\n// ============================================================================\n// Interfaces\n// ============================================================================\n\n/\n Behavior flags for the repository. Controls automatic timestamp injection\n * and soft-delete filtering.\n /\nexport interface BehaviorConfig {\n timestamps: boolean;\n softDelete: boolean;\n userTracking: boolean;\n}\n\n/\n Options for the list() method.\n /\nexport interface ListOptions {\n where?: SQL;\n limit?: number;\n offset?: number;\n orderBy?: PgColumn \| SQL;\n}\n\n// ============================================================================\n// BaseRepository\n// ============================================================================\n\nexport abstract class BaseRepository<TEntity> {\n /\n The Drizzle table schema for this entity.\n * Concrete repositories declare this as a class property.\n /\n protected abstract readonly table: PgTableWithColumns<any>; // eslint-disable-line @typescript-eslint/no-explicit-any\n\n /\n Behavior flags controlling automatic behavior injection.\n * Override in concrete repositories to enable behaviors.\n /\n protected readonly behaviors: BehaviorConfig = {\n timestamps: false,\n softDelete: false,\n userTracking: false,\n };\n\n protected readonly db: DrizzleClient;\n\n constructor(db: DrizzleClient) {\n this.db = db;\n }\n\n /\n Pick the runner for a write: the caller-supplied transaction handle\n * if present, otherwise the repository's own client. Keeps the `tx`\n * parameter purely additive — callers without a transaction call as\n * before. Used by the write methods below + consumer overrides (e.g.\n * the generated `upsertCurrentValues` on EAV value tables).\n /\n protected runner(tx?: DrizzleTx): DrizzleClient {\n return tx ?? this.db;\n }\n\n // ============================================================================\n // Read Operations\n // ============================================================================\n\n /\n Find a single entity by its primary key.\n * Returns null if not found (or soft-deleted when softDelete=true).\n /\n async findById(id: string): Promise<TEntity \| null> {\n const rows = await this.baseQuery()\n .where(eq(this.table['id'], id))\n .limit(1);\n return (rows[0] as TEntity) ?? null;\n }\n\n /\n Find multiple entities by their primary keys.\n * Returns empty array immediately for empty input (avoids DB errors).\n /\n async findByIds(ids: string[]): Promise<TEntity[]> {\n if (ids.length === 0) return [];\n const rows = await this.baseQuery().where(inArray(this.table['id'], ids));\n return rows as TEntity[];\n }\n\n /\n List entities with optional filtering, pagination, and ordering.\n /\n async list(options?: ListOptions): Promise<TEntity[]> {\n let query = this.baseQuery();\n\n if (options?.where) {\n query = query.where(options.where) as typeof query;\n }\n if (options?.orderBy) {\n query = query.orderBy(options.orderBy as SQL) as typeof query;\n }\n if (options?.limit !== undefined) {\n query = query.limit(options.limit) as typeof query;\n }\n if (options?.offset !== undefined) {\n query = query.offset(options.offset) as typeof query;\n }\n\n const rows = await query;\n return rows as TEntity[];\n }\n\n /\n Count entities matching an optional WHERE clause.\n * Soft-deleted rows are always excluded when softDelete=true.\n /\n async count(where?: SQL): Promise<number> {\n let query = this.db\n .select({ count: sql<number>`cast(count() as integer)` })\n .from(this.table);\n\n const conditions: SQL[] = [];\n if (this.behaviors.softDelete) {\n conditions.push(isNull(this.table['deletedAt']));\n }\n if (where) {\n conditions.push(where);\n }\n\n if (conditions.length === 1) {\n query = query.where(conditions[0]) as typeof query;\n } else if (conditions.length > 1) {\n // Combine with AND by building the condition inline\n const { and } = await import('drizzle-orm');\n query = query.where(and(...conditions)) as typeof query;\n }\n\n const rows = await query;\n return rows[0]?.count ?? 0;\n }\n\n /*\n Check whether an entity with the given id exists.\n /\n async exists(id: string): Promise<boolean> {\n const result = await this.findById(id);\n return result !== null;\n }\n\n // ============================================================================\n // Write Operations\n // ============================================================================\n\n /\n Insert a new entity. Timestamps are auto-injected when timestamps=true.\n /\n async create(input: Partial<TEntity>, tx?: DrizzleTx): Promise<TEntity> {\n const data = this.withTimestamps(input as Record<string, unknown>, 'create');\n const rows = await this.runner(tx)\n .insert(this.table)\n .values(data as any) // eslint-disable-line @typescript-eslint/no-explicit-any\n .returning();\n return rows[0] as TEntity;\n }\n\n /\n Update an existing entity by id. updatedAt is auto-injected when timestamps=true.\n * Returns the updated entity.\n /\n async update(id: string, input: Partial<TEntity>, tx?: DrizzleTx): Promise<TEntity> {\n const data = this.withTimestamps(input as Record<string, unknown>, 'update');\n const rows = await this.runner(tx)\n .update(this.table)\n .set(data as any) // eslint-disable-line @typescript-eslint/no-explicit-any\n .where(eq(this.table['id'], id))\n .returning();\n return rows[0] as TEntity;\n }\n\n /\n Delete an entity by id.\n * - softDelete=true: sets deletedAt to current timestamp\n * - softDelete=false: hard-deletes the row\n /\n async delete(id: string, tx?: DrizzleTx): Promise<void> {\n const runner = this.runner(tx);\n if (this.behaviors.softDelete) {\n await runner\n .update(this.table)\n .set({ deletedAt: new Date() } as any) // eslint-disable-line @typescript-eslint/no-explicit-any\n .where(eq(this.table['id'], id));\n } else {\n await runner\n .delete(this.table)\n .where(eq(this.table['id'], id));\n }\n }\n\n /\n Insert or update multiple entities.\n * Default naive implementation — family repositories override with\n * proper conflict-target upsert (e.g., CrmEntityRepository).\n /\n async upsertMany(inputs: Array<Partial<TEntity>>, tx?: DrizzleTx): Promise<TEntity[]> {\n return Promise.all(inputs.map((input) => this.create(input, tx)));\n }\n\n // ============================================================================\n // Protected Helpers\n // ============================================================================\n\n /\n Base SELECT query that automatically excludes soft-deleted rows\n * when softDelete behavior is enabled.\n /\n protected baseQuery() {\n const query = this.db.select().from(this.table).$dynamic();\n if (this.behaviors.softDelete) {\n return query.where(isNull(this.table['deletedAt']));\n }\n return query;\n }\n\n /\n Merge timestamp fields into an input object.\n * - mode='create': adds createdAt and updatedAt\n * - mode='update': adds updatedAt only\n \n No-op when timestamps behavior is disabled.\n /\n protected withTimestamps(\n input: Record<string, unknown>,\n mode: 'create' \| 'update',\n ): Record<string, unknown> {\n if (!this.behaviors.timestamps) return input;\n const now = new Date();\n if (mode === 'create') {\n return { ...input, createdAt: now, updatedAt: now };\n }\n return { ...input, updatedAt: now };\n }\n\n /\n Build a WHERE clause fragment that restricts results to rows whose\n * parent (identified by a belongs_to FK) is not soft-deleted.\n \n Use this in custom repository methods when you need \"rows reachable\n * from an active parent\". The default findAll / findById behavior is\n * NOT changed by this helper — opt in explicitly where needed.\n \n ADR-021 — Soft-delete cascade: Option A (filter at query time).\n * `on_delete` FK rules do not fire for soft-deletes; use this helper\n * instead of expecting cascade semantics on the DB level.\n \n Example:\n * async listActiveMessages(): Promise<Message[]> {\n * return this.list({\n * where: this.activeParentFilter(conversations, this.table['conversationId']),\n * });\n * }\n \n @param parentTable The Drizzle table object for the parent entity.\n * @param parentFkColumn The FK column on this (child) table that references parent.id.\n */\n protected activeParentFilter(\n parentTable: PgTableWithColumns<any>, // eslint-disable-line @typescript-eslint/no-explicit-any\n parentFkColumn: PgColumn,\n ): SQL {\n return sql`EXISTS (\n SELECT 1 FROM ${parentTable} p\n WHERE p.id = ${parentFkColumn}\n AND p.deleted_at IS NULL\n )`;\n }\n}\n"],"mappings":";AAQA,SAAS,MAAAA,KAAI,SAAS,YAAY;;;ACGlC,SAAS,IAAI,SAAS,QAAQ,WAAW;AAiClC,IAAe,iBAAf,MAAuC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWzB,YAA4B;AAAA,IAC7C,YAAY;AAAA,IACZ,YAAY;AAAA,IACZ,cAAc;AAAA,EAChB;AAAA,EAEmB;AAAA,EAEnB,YAAY,IAAmB;AAC7B,SAAK,KAAK;AAAA,EACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASU,OAAO,IAA+B;AAC9C,WAAO,MAAM,KAAK;AAAA,EACpB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAM,SAAS,IAAqC;AAClD,UAAM,OAAO,MAAM,KAAK,UAAU,EAC/B,MAAM,GAAG,KAAK,MAAM,IAAI,GAAG,EAAE,CAAC,EAC9B,MAAM,CAAC;AACV,WAAQ,KAAK,CAAC,KAAiB;AAAA,EACjC;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,UAAU,KAAmC;AACjD,QAAI,IAAI,WAAW,EAAG,QAAO,CAAC;AAC9B,UAAM,OAAO,MAAM,KAAK,UAAU,EAAE,MAAM,QAAQ,KAAK,MAAM,IAAI,GAAG,GAAG,CAAC;AACxE,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,KAAK,SAA2C;AACpD,QAAI,QAAQ,KAAK,UAAU;AAE3B,QAAI,SAAS,OAAO;AAClB,cAAQ,MAAM,MAAM,QAAQ,KAAK;AAAA,IACnC;AACA,QAAI,SAAS,SAAS;AACpB,cAAQ,MAAM,QAAQ,QAAQ,OAAc;AAAA,IAC9C;AACA,QAAI,SAAS,UAAU,QAAW;AAChC,cAAQ,MAAM,MAAM,QAAQ,KAAK;AAAA,IACnC;AACA,QAAI,SAAS,WAAW,QAAW;AACjC,cAAQ,MAAM,OAAO,QAAQ,MAAM;AAAA,IACrC;AAEA,UAAM,OAAO,MAAM;AACnB,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,MAAM,OAA8B;AACxC,QAAI,QAAQ,KAAK,GACd,OAAO,EAAE,OAAO,+BAAuC,CAAC,EACxD,KAAK,KAAK,KAAK;AAElB,UAAM,aAAoB,CAAC;AAC3B,QAAI,KAAK,UAAU,YAAY;AAC7B,iBAAW,KAAK,OAAO,KAAK,MAAM,WAAW,CAAC,CAAC;AAAA,IACjD;AACA,QAAI,OAAO;AACT,iBAAW,KAAK,KAAK;AAAA,IACvB;AAEA,QAAI,WAAW,WAAW,GAAG;AAC3B,cAAQ,MAAM,MAAM,WAAW,CAAC,CAAC;AAAA,IACnC,WAAW,WAAW,SAAS,GAAG;AAEhC,YAAM,EAAE,IAAI,IAAI,MAAM,OAAO,aAAa;AAC1C,cAAQ,MAAM,MAAM,IAAI,GAAG,UAAU,CAAC;AAAA,IACxC;AAEA,UAAM,OAAO,MAAM;AACnB,WAAO,KAAK,CAAC,GAAG,SAAS;AAAA,EAC3B;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,OAAO,IAA8B;AACzC,UAAM,SAAS,MAAM,KAAK,SAAS,EAAE;AACrC,WAAO,WAAW;AAAA,EACpB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,OAAO,OAAyB,IAAkC;AACtE,UAAM,OAAO,KAAK,eAAe,OAAkC,QAAQ;AAC3E,UAAM,OAAO,MAAM,KAAK,OAAO,EAAE,EAC9B,OAAO,KAAK,KAAK,EACjB,OAAO,IAAW,EAClB,UAAU;AACb,WAAO,KAAK,CAAC;AAAA,EACf;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,OAAO,IAAY,OAAyB,IAAkC;AAClF,UAAM,OAAO,KAAK,eAAe,OAAkC,QAAQ;AAC3E,UAAM,OAAO,MAAM,KAAK,OAAO,EAAE,EAC9B,OAAO,KAAK,KAAK,EACjB,IAAI,IAAW,EACf,MAAM,GAAG,KAAK,MAAM,IAAI,GAAG,EAAE,CAAC,EAC9B,UAAU;AACb,WAAO,KAAK,CAAC;AAAA,EACf;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,OAAO,IAAY,IAA+B;AACtD,UAAM,SAAS,KAAK,OAAO,EAAE;AAC7B,QAAI,KAAK,UAAU,YAAY;AAC7B,YAAM,OACH,OAAO,KAAK,KAAK,EACjB,IAAI,EAAE,WAAW,oBAAI,KAAK,EAAE,CAAQ,EACpC,MAAM,GAAG,KAAK,MAAM,IAAI,GAAG,EAAE,CAAC;AAAA,IACnC,OAAO;AACL,YAAM,OACH,OAAO,KAAK,KAAK,EACjB,MAAM,GAAG,KAAK,MAAM,IAAI,GAAG,EAAE,CAAC;AAAA,IACnC;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,WAAW,QAAiC,IAAoC;AACpF,WAAO,QAAQ,IAAI,OAAO,IAAI,CAAC,UAAU,KAAK,OAAO,OAAO,EAAE,CAAC,CAAC;AAAA,EAClE;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUU,YAAY;AACpB,UAAM,QAAQ,KAAK,GAAG,OAAO,EAAE,KAAK,KAAK,KAAK,EAAE,SAAS;AACzD,QAAI,KAAK,UAAU,YAAY;AAC7B,aAAO,MAAM,MAAM,OAAO,KAAK,MAAM,WAAW,CAAC,CAAC;AAAA,IACpD;AACA,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASU,eACR,OACA,MACyB;AACzB,QAAI,CAAC,KAAK,UAAU,WAAY,QAAO;AACvC,UAAM,MAAM,oBAAI,KAAK;AACrB,QAAI,SAAS,UAAU;AACrB,aAAO,EAAE,GAAG,OAAO,WAAW,KAAK,WAAW,IAAI;AAAA,IACpD;AACA,WAAO,EAAE,GAAG,OAAO,WAAW,IAAI;AAAA,EACpC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAwBU,mBACR,aACA,gBACK;AACL,WAAO;AAAA,sBACW,WAAW;AAAA,qBACZ,cAAc;AAAA;AAAA;AAAA,EAGjC;AACF;;;ADrRO,IAAe,2BAAf,cAAyD,eAAwB;AAAA;AAAA;AAAA;AAAA,EAItF,MAAM,gBAAgB,OAAa,KAA+B;AAChE,UAAM,OAAO,MAAM,KAAK,UAAU,EAC/B,MAAM,QAAQ,KAAK,MAAM,YAAY,GAAG,OAAO,GAAG,CAAC;AACtD,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,aAAa,QAAoC;AACrD,UAAM,OAAO,MAAM,KAAK,UAAU,EAC/B,MAAMC,IAAG,KAAK,MAAM,QAAQ,GAAG,MAAM,CAAC;AACzC,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,oBAAoB,eAA2C;AACnE,UAAM,OAAO,MAAM,KAAK,UAAU,EAC/B,MAAMA,IAAG,KAAK,MAAM,eAAe,GAAG,aAAa,CAAC;AACvD,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,0BAA0B,eAAuB,QAAQ,IAAwB;AACrF,UAAM,OAAO,MAAM,KAAK,UAAU,EAC/B,MAAMA,IAAG,KAAK,MAAM,eAAe,GAAG,aAAa,CAAC,EACpD,QAAQ,KAAK,KAAK,MAAM,YAAY,CAAC,CAAC,EACtC,MAAM,KAAK;AACd,WAAO;AAAA,EACT;AACF;","names":["eq","eq"]}
1	+ {"version":3,"sources":["../../../runtime/base-classes/activity-entity-repository.ts","../../../runtime/base-classes/base-repository.ts","../../../runtime/base-classes/tenant-context.ts"],"sourcesContent":["/*\n ActivityEntityRepository<TEntity>\n \n Family-specific base for activity entities (emails, calls, meetings, notes).\n * Adds date-range queries, user/opportunity scoping, and recency ordering.\n \n Concrete repos extend this and declare their table + behaviors.\n /\nimport { eq, between, desc } from 'drizzle-orm';\nimport { BaseRepository } from './base-repository';\n\nexport abstract class ActivityEntityRepository<TEntity> extends BaseRepository<TEntity> {\n /\n Find activities within a date range (inclusive).\n /\n async findByDateRange(start: Date, end: Date): Promise<TEntity[]> {\n const rows = await this.baseQuery()\n .where(between(this.table['occurredAt'], start, end));\n return rows as TEntity[];\n }\n\n /\n Find all activities for a specific user.\n /\n async findByUserId(userId: string): Promise<TEntity[]> {\n const rows = await this.baseQuery()\n .where(eq(this.table['userId'], userId));\n return rows as TEntity[];\n }\n\n /\n Find all activities for a specific opportunity.\n /\n async findByOpportunityId(opportunityId: string): Promise<TEntity[]> {\n const rows = await this.baseQuery()\n .where(eq(this.table['opportunityId'], opportunityId));\n return rows as TEntity[];\n }\n\n /\n Find the most recent activities for an opportunity, ordered by occurredAt desc.\n /\n async findRecentByOpportunityId(opportunityId: string, limit = 10): Promise<TEntity[]> {\n const rows = await this.baseQuery()\n .where(eq(this.table['opportunityId'], opportunityId))\n .orderBy(desc(this.table['occurredAt']))\n .limit(limit);\n return rows as TEntity[];\n }\n}\n","/\n BaseRepository<TEntity>\n \n Abstract base class providing standard CRUD operations via Drizzle ORM.\n * Every generated repository extends this class.\n \n Family-specific bases (CrmEntityRepository, etc.) extend this in v0.1\n * without any changes to BaseRepository.\n \n NOT @Injectable — concrete repositories are @Injectable and inject DRIZZLE.\n /\nimport { and, eq, inArray, isNull, sql } from 'drizzle-orm';\nimport type { PgTableWithColumns, PgColumn } from 'drizzle-orm/pg-core';\nimport type { SQL } from 'drizzle-orm';\nimport type { DrizzleClient, DrizzleTx } from '../types/drizzle';\nimport {\n requireRequester,\n tryGetRequester,\n type RequesterScope,\n} from './tenant-context';\n\n// ============================================================================\n// Interfaces\n// ============================================================================\n\n/\n Behavior flags for the repository. Controls automatic timestamp injection\n * and soft-delete filtering.\n /\nexport interface BehaviorConfig {\n timestamps: boolean;\n softDelete: boolean;\n userTracking: boolean;\n}\n\n/\n Options for the list() method.\n /\nexport interface ListOptions {\n where?: SQL;\n limit?: number;\n offset?: number;\n orderBy?: PgColumn \| SQL;\n}\n\n// ============================================================================\n// BaseRepository\n// ============================================================================\n\nexport abstract class BaseRepository<TEntity> {\n /\n The Drizzle table schema for this entity.\n * Concrete repositories declare this as a class property.\n /\n protected abstract readonly table: PgTableWithColumns<any>; // eslint-disable-line @typescript-eslint/no-explicit-any\n\n /\n Behavior flags controlling automatic behavior injection.\n * Override in concrete repositories to enable behaviors.\n /\n protected readonly behaviors: BehaviorConfig = {\n timestamps: false,\n softDelete: false,\n userTracking: false,\n };\n\n /\n Ambient tenant-scope enforcement for `userTracking` repos (see\n * `scopePredicate`). Only has effect when `behaviors.userTracking === true`.\n \n - `'lenient'` (default): when no ambient requester context is active,\n * reads/writes are NOT scoped — preserves pre-scoping behavior, so adopting\n * ambient scoping is additive. Scoping kicks in automatically once a\n * boundary installs `withRequester(...)`.\n * - `'strict'`: a missing ambient context throws (`requireRequester`),\n * making a forgotten boundary fail loud instead of silently returning\n * cross-tenant rows. Recommended for new multi-tenant consumers — override\n * in a concrete repo or a family base class.\n /\n protected readonly scopeEnforcement: 'lenient' \| 'strict' = 'lenient';\n\n protected readonly db: DrizzleClient;\n\n constructor(db: DrizzleClient) {\n this.db = db;\n }\n\n /\n Pick the runner for a write: the caller-supplied transaction handle\n * if present, otherwise the repository's own client. Keeps the `tx`\n * parameter purely additive — callers without a transaction call as\n * before. Used by the write methods below + consumer overrides (e.g.\n * the generated `upsertCurrentValues` on EAV value tables).\n /\n protected runner(tx?: DrizzleTx): DrizzleClient {\n return tx ?? this.db;\n }\n\n // ============================================================================\n // Read Operations\n // ============================================================================\n\n /\n Find a single entity by its primary key.\n * Returns null if not found (or soft-deleted when softDelete=true).\n /\n async findById(id: string): Promise<TEntity \| null> {\n const rows = await this.baseQuery(eq(this.table['id'], id)).limit(1);\n return (rows[0] as TEntity) ?? null;\n }\n\n /\n Find multiple entities by their primary keys.\n * Returns empty array immediately for empty input (avoids DB errors).\n /\n async findByIds(ids: string[]): Promise<TEntity[]> {\n if (ids.length === 0) return [];\n const rows = await this.baseQuery(inArray(this.table['id'], ids));\n return rows as TEntity[];\n }\n\n /\n List entities with optional filtering, pagination, and ordering.\n /\n async list(options?: ListOptions): Promise<TEntity[]> {\n let query = this.baseQuery(options?.where);\n\n if (options?.orderBy) {\n query = query.orderBy(options.orderBy as SQL) as typeof query;\n }\n if (options?.limit !== undefined) {\n query = query.limit(options.limit) as typeof query;\n }\n if (options?.offset !== undefined) {\n query = query.offset(options.offset) as typeof query;\n }\n\n const rows = await query;\n return rows as TEntity[];\n }\n\n /\n Count entities matching an optional WHERE clause.\n * Soft-deleted rows are always excluded when softDelete=true.\n /\n async count(where?: SQL): Promise<number> {\n let query = this.db\n .select({ count: sql<number>`cast(count() as integer)` })\n .from(this.table);\n\n const conditions: SQL[] = [];\n if (this.behaviors.softDelete) {\n conditions.push(isNull(this.table['deletedAt']));\n }\n const scope = this.scopePredicate();\n if (scope) {\n conditions.push(scope);\n }\n if (where) {\n conditions.push(where);\n }\n\n if (conditions.length === 1) {\n query = query.where(conditions[0]) as typeof query;\n } else if (conditions.length > 1) {\n query = query.where(and(...conditions)) as typeof query;\n }\n\n const rows = await query;\n return rows[0]?.count ?? 0;\n }\n\n /*\n Check whether an entity with the given id exists.\n /\n async exists(id: string): Promise<boolean> {\n const result = await this.findById(id);\n return result !== null;\n }\n\n // ============================================================================\n // Write Operations\n // ============================================================================\n\n /\n Insert a new entity. Timestamps are auto-injected when timestamps=true.\n /\n async create(input: Partial<TEntity>, tx?: DrizzleTx): Promise<TEntity> {\n const data = this.withTimestamps(input as Record<string, unknown>, 'create');\n const rows = await this.runner(tx)\n .insert(this.table)\n .values(data as any) // eslint-disable-line @typescript-eslint/no-explicit-any\n .returning();\n return rows[0] as TEntity;\n }\n\n /\n Update an existing entity by id. updatedAt is auto-injected when timestamps=true.\n * Returns the updated entity.\n /\n async update(id: string, input: Partial<TEntity>, tx?: DrizzleTx): Promise<TEntity> {\n const data = this.withTimestamps(input as Record<string, unknown>, 'update');\n const rows = await this.runner(tx)\n .update(this.table)\n .set(data as any) // eslint-disable-line @typescript-eslint/no-explicit-any\n .where(this.scopeAnd(eq(this.table['id'], id)))\n .returning();\n return rows[0] as TEntity;\n }\n\n /\n Delete an entity by id.\n * - softDelete=true: sets deletedAt to current timestamp\n * - softDelete=false: hard-deletes the row\n /\n async delete(id: string, tx?: DrizzleTx): Promise<void> {\n const runner = this.runner(tx);\n if (this.behaviors.softDelete) {\n await runner\n .update(this.table)\n .set({ deletedAt: new Date() } as any) // eslint-disable-line @typescript-eslint/no-explicit-any\n .where(this.scopeAnd(eq(this.table['id'], id)));\n } else {\n await runner\n .delete(this.table)\n .where(this.scopeAnd(eq(this.table['id'], id)));\n }\n }\n\n /\n Insert or update multiple entities.\n * Default naive implementation — family repositories override with\n * proper conflict-target upsert (e.g., CrmEntityRepository).\n /\n async upsertMany(inputs: Array<Partial<TEntity>>, tx?: DrizzleTx): Promise<TEntity[]> {\n return Promise.all(inputs.map((input) => this.create(input, tx)));\n }\n\n // ============================================================================\n // Protected Helpers\n // ============================================================================\n\n /\n Base SELECT query that automatically applies the ambient guards —\n * soft-delete exclusion (when `softDelete`) and tenant scope (when\n * `userTracking` + an active requester context) — combined with an optional\n * caller `extra` predicate into a SINGLE `WHERE`.\n \n Pass the leaf predicate as `extra` rather than chaining a second\n * `.where(...)`: Drizzle's `.where()` OVERRIDES (does not AND) a prior\n * `.where()` on a `$dynamic()` query, so a chained call would silently drop\n * the soft-delete and scope guards. `baseQuery(extra)` is the safe form.\n /\n protected baseQuery(extra?: SQL) {\n const query = this.db.select().from(this.table).$dynamic();\n const where = this.scopeAnd(extra, { softDelete: this.behaviors.softDelete });\n return where ? query.where(where) : query;\n }\n\n /\n Build the ambient tenant-scope predicate for this repo's table.\n \n Returns `undefined` (no scoping) when:\n * - `behaviors.userTracking` is false (repo is not user-owned), or\n * - no ambient requester context is active AND `scopeEnforcement` is\n * `'lenient'` (the default — preserves pre-scoping behavior).\n \n When a requester context is active, scopes by `user_id` per the ambient\n * scope: `'user'` → `user_id = ctx.userId`; `'org'` → `user_id IN\n * ctx.orgUserIds` (empty list matches nothing — fail-closed); `'superuser'`\n * → no filter. See `tenant-context.ts` for the boundary-install contract.\n /\n protected scopePredicate(): SQL \| undefined {\n if (!this.behaviors.userTracking) return undefined;\n const ctx =\n this.scopeEnforcement === 'strict'\n ? requireRequester()\n : tryGetRequester();\n if (!ctx) return undefined;\n const scope: RequesterScope = ctx.scope ?? 'user';\n switch (scope) {\n case 'superuser':\n return undefined;\n case 'org':\n return ctx.orgUserIds && ctx.orgUserIds.length > 0\n ? inArray(this.table['userId'], ctx.orgUserIds as string[])\n : sql`false`;\n case 'user':\n default:\n return eq(this.table['userId'], ctx.userId);\n }\n }\n\n /\n Combine the ambient scope predicate (and, optionally, the soft-delete\n * guard) with a caller `extra` predicate into one `SQL`. Returns `undefined`\n * when nothing applies. Used by read + by-id write paths so a single\n * `.where(...)` carries every guard.\n /\n protected scopeAnd(\n extra?: SQL,\n opts?: { softDelete?: boolean },\n ): SQL \| undefined {\n const conditions: SQL[] = [];\n if (opts?.softDelete) conditions.push(isNull(this.table['deletedAt']));\n const scope = this.scopePredicate();\n if (scope) conditions.push(scope);\n if (extra) conditions.push(extra);\n if (conditions.length === 0) return undefined;\n if (conditions.length === 1) return conditions[0];\n return and(...conditions);\n }\n\n /\n Merge timestamp fields into an input object.\n * - mode='create': adds createdAt and updatedAt\n * - mode='update': adds updatedAt only\n \n No-op when timestamps behavior is disabled.\n /\n protected withTimestamps(\n input: Record<string, unknown>,\n mode: 'create' \| 'update',\n ): Record<string, unknown> {\n if (!this.behaviors.timestamps) return input;\n const now = new Date();\n if (mode === 'create') {\n return { ...input, createdAt: now, updatedAt: now };\n }\n return { ...input, updatedAt: now };\n }\n\n /\n Build a WHERE clause fragment that restricts results to rows whose\n * parent (identified by a belongs_to FK) is not soft-deleted.\n \n Use this in custom repository methods when you need \"rows reachable\n * from an active parent\". The default findAll / findById behavior is\n * NOT changed by this helper — opt in explicitly where needed.\n \n ADR-021 — Soft-delete cascade: Option A (filter at query time).\n * `on_delete` FK rules do not fire for soft-deletes; use this helper\n * instead of expecting cascade semantics on the DB level.\n \n Example:\n * async listActiveMessages(): Promise<Message[]> {\n * return this.list({\n * where: this.activeParentFilter(conversations, this.table['conversationId']),\n * });\n * }\n \n @param parentTable The Drizzle table object for the parent entity.\n * @param parentFkColumn The FK column on this (child) table that references parent.id.\n /\n protected activeParentFilter(\n parentTable: PgTableWithColumns<any>, // eslint-disable-line @typescript-eslint/no-explicit-any\n parentFkColumn: PgColumn,\n ): SQL {\n return sql`EXISTS (\n SELECT 1 FROM ${parentTable} p\n WHERE p.id = ${parentFkColumn}\n AND p.deleted_at IS NULL\n )`;\n }\n}\n","/\n Ambient requester context — AsyncLocalStorage-backed tenant scope.\n \n The alternative to threading `userId`/`organizationId` through every\n * repository/service signature. Set ONCE at each boundary the generated app\n * owns, read implicitly inside `BaseRepository` (see `scopePredicate`).\n \n ## Where to set it (boundaries)\n \n - HTTP / tRPC handlers — from the authenticated `ctx.user`\n * - OAuth callback controllers — from the authenticated session\n * - Queue/worker `process()` — from the job's owning user after the\n * job's record is loaded\n \n Each boundary wraps the rest of the request in `withRequester({ userId,\n * organizationId }, () => ...)`. The context propagates through every `await`\n * to all downstream repo/service calls without being passed explicitly.\n \n ## Where to read it\n \n - `BaseRepository.scopePredicate()` reads it (via `tryGetRequester` in\n * lenient mode, `requireRequester` in strict mode) and filters every read\n * by the ambient scope when the repo declares `userTracking: true`.\n \n ## Why AsyncLocalStorage over an explicit parameter\n \n Threading `userId` (and later `organizationId`) through dozens of method\n * signatures is pure parameter pollution. Ambient context also lets a repo\n * make the \"I forgot to scope\" mistake impossible at runtime: in strict mode\n * `requireRequester()` throws when no context is active, surfacing a missing\n * boundary call loudly rather than silently leaking cross-tenant data.\n \n ## Not-found semantics\n \n When a row exists but belongs to a different requester, scoped reads return\n * `null`/`[]` — identical to \"truly doesn't exist\". No existence oracle;\n * callers throw NotFound uniformly. Standard security practice.\n \n ## Testing\n \n Tests that exercise scoped repos must wrap the call in `withRequester(...)`.\n * In strict mode an unwrapped call hitting `requireRequester()` throws — by\n * design. In lenient mode (the default) an unwrapped call is simply unscoped.\n /\nimport { AsyncLocalStorage } from 'node:async_hooks';\n\n/\n Data-visibility scope. The auth layer decides which scope a request is\n * allowed to claim; the repo trusts whatever the ambient context says.\n \n - `'user'`: filter every read by `user_id = ctx.userId`. Default.\n * - `'org'`: filter every read by membership in the requester's org, resolved\n * via `user_id IN (ctx.orgUserIds)` rather than via a per-entity\n * `organization_id` column. Works for every user-owned table and keeps repos\n * single-table — the org member list is pre-resolved at the boundary.\n * - `'superuser'`: no scope filter. Engineering / internal-tools only.\n \n AUTHORIZATION (who is allowed to claim each scope) lives in boundary\n * middleware, not in the repo. The repo trusts the ambient context — same\n * trust model as a threaded `userId`.\n /\nexport type RequesterScope = 'user' \| 'org' \| 'superuser';\n\nexport interface RequesterContext {\n /\n The user making the request. Always present — even in `'org'` and\n * `'superuser'` scopes it is the audit-trail \"who actually did this\".\n /\n readonly userId: string;\n /\n The organization the requester belongs to. Required when\n * `scope === 'org'`; may be null for `'user'` (users with no org) and for\n * `'superuser'` (cross-org reads).\n /\n readonly organizationId: string \| null;\n /\n Data-visibility scope. Defaults to `'user'` when omitted.\n /\n readonly scope?: RequesterScope;\n /\n For `scope === 'org'`: the list of user IDs in the requester's org,\n * pre-resolved by the boundary middleware that established the `'org'`\n * scope (one `SELECT users.id WHERE organization_id = X` at the trust\n * boundary). Repos use this as a literal `IN (...)` filter — they never\n * JOIN to `users` themselves. Required when `scope === 'org'`.\n /\n readonly orgUserIds?: readonly string[];\n}\n\nconst als = new AsyncLocalStorage<RequesterContext>();\n\n/\n Set the ambient requester context for the duration of `fn`. The context\n * propagates through `await` boundaries to all downstream calls. Nesting is\n * fine — an inner `withRequester` overrides the outer for its callback.\n /\nexport function withRequester<T>(\n ctx: RequesterContext,\n fn: () => Promise<T>,\n): Promise<T> {\n return als.run(ctx, fn);\n}\n\n/\n Read the ambient requester context. Throws if no context is active — by\n * design. Used by repos in strict scope-enforcement mode; an unwrapped call\n * site is a missing boundary.\n /\nexport function requireRequester(): RequesterContext {\n const ctx = als.getStore();\n if (!ctx) {\n throw new Error(\n 'No requester context active. Wrap the entry point in ' +\n 'withRequester({ userId, organizationId }, fn). See tenant-context.ts.',\n );\n }\n return ctx;\n}\n\n/\n Read the ambient requester context without throwing. Returns `undefined`\n * when no context is active. Used by repos in lenient scope-enforcement mode\n * (the default) and by code paths that legitimately run outside a request.\n /\nexport function tryGetRequester(): RequesterContext \| undefined {\n return als.getStore();\n}\n\n/\n Resolve the effective scope for the ambient context, defaulting to `'user'`.\n /\nexport function requireRequesterScope(): RequesterScope {\n return requireRequester().scope ?? 'user';\n}\n\n/\n Convenience helpers for setting scope explicitly. All three preserve\n * `userId` in the context (audit trail) regardless of scope.\n \n - `withUserScope`: regular end-user requests. Most call sites.\n * - `withOrgScope`: admin / org-shared resource access. The caller MUST verify\n * the requester's role permits `'org'` before calling — the helper does not\n * enforce authorization. `orgUserIds` is pre-resolved at the boundary.\n * - `withSuperuserScope`: engineering scripts / internal tools. `organizationId`\n * is null (cross-org is the point). Same authorization caveat applies.\n */\nexport function withUserScope<T>(\n userId: string,\n organizationId: string \| null,\n fn: () => Promise<T>,\n): Promise<T> {\n return withRequester({ userId, organizationId, scope: 'user' }, fn);\n}\n\nexport function withOrgScope<T>(\n userId: string,\n organizationId: string,\n orgUserIds: readonly string[],\n fn: () => Promise<T>,\n): Promise<T> {\n return withRequester(\n { userId, organizationId, scope: 'org', orgUserIds },\n fn,\n );\n}\n\nexport function withSuperuserScope<T>(\n userId: string,\n fn: () => Promise<T>,\n): Promise<T> {\n return withRequester(\n { userId, organizationId: null, scope: 'superuser' },\n fn,\n );\n}\n"],"mappings":";AAQA,SAAS,MAAAA,KAAI,SAAS,YAAY;;;ACGlC,SAAS,KAAK,IAAI,SAAS,QAAQ,WAAW;;;ACiC9C,SAAS,yBAAyB;AA6ClC,IAAM,MAAM,IAAI,kBAAoC;AAmB7C,SAAS,mBAAqC;AACnD,QAAM,MAAM,IAAI,SAAS;AACzB,MAAI,CAAC,KAAK;AACR,UAAM,IAAI;AAAA,MACR;AAAA,IAEF;AAAA,EACF;AACA,SAAO;AACT;AAOO,SAAS,kBAAgD;AAC9D,SAAO,IAAI,SAAS;AACtB;;;AD7EO,IAAe,iBAAf,MAAuC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAWzB,YAA4B;AAAA,IAC7C,YAAY;AAAA,IACZ,YAAY;AAAA,IACZ,cAAc;AAAA,EAChB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAemB,mBAAyC;AAAA,EAEzC;AAAA,EAEnB,YAAY,IAAmB;AAC7B,SAAK,KAAK;AAAA,EACZ;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASU,OAAO,IAA+B;AAC9C,WAAO,MAAM,KAAK;AAAA,EACpB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAUA,MAAM,SAAS,IAAqC;AAClD,UAAM,OAAO,MAAM,KAAK,UAAU,GAAG,KAAK,MAAM,IAAI,GAAG,EAAE,CAAC,EAAE,MAAM,CAAC;AACnE,WAAQ,KAAK,CAAC,KAAiB;AAAA,EACjC;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,UAAU,KAAmC;AACjD,QAAI,IAAI,WAAW,EAAG,QAAO,CAAC;AAC9B,UAAM,OAAO,MAAM,KAAK,UAAU,QAAQ,KAAK,MAAM,IAAI,GAAG,GAAG,CAAC;AAChE,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,KAAK,SAA2C;AACpD,QAAI,QAAQ,KAAK,UAAU,SAAS,KAAK;AAEzC,QAAI,SAAS,SAAS;AACpB,cAAQ,MAAM,QAAQ,QAAQ,OAAc;AAAA,IAC9C;AACA,QAAI,SAAS,UAAU,QAAW;AAChC,cAAQ,MAAM,MAAM,QAAQ,KAAK;AAAA,IACnC;AACA,QAAI,SAAS,WAAW,QAAW;AACjC,cAAQ,MAAM,OAAO,QAAQ,MAAM;AAAA,IACrC;AAEA,UAAM,OAAO,MAAM;AACnB,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,MAAM,OAA8B;AACxC,QAAI,QAAQ,KAAK,GACd,OAAO,EAAE,OAAO,+BAAuC,CAAC,EACxD,KAAK,KAAK,KAAK;AAElB,UAAM,aAAoB,CAAC;AAC3B,QAAI,KAAK,UAAU,YAAY;AAC7B,iBAAW,KAAK,OAAO,KAAK,MAAM,WAAW,CAAC,CAAC;AAAA,IACjD;AACA,UAAM,QAAQ,KAAK,eAAe;AAClC,QAAI,OAAO;AACT,iBAAW,KAAK,KAAK;AAAA,IACvB;AACA,QAAI,OAAO;AACT,iBAAW,KAAK,KAAK;AAAA,IACvB;AAEA,QAAI,WAAW,WAAW,GAAG;AAC3B,cAAQ,MAAM,MAAM,WAAW,CAAC,CAAC;AAAA,IACnC,WAAW,WAAW,SAAS,GAAG;AAChC,cAAQ,MAAM,MAAM,IAAI,GAAG,UAAU,CAAC;AAAA,IACxC;AAEA,UAAM,OAAO,MAAM;AACnB,WAAO,KAAK,CAAC,GAAG,SAAS;AAAA,EAC3B;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,OAAO,IAA8B;AACzC,UAAM,SAAS,MAAM,KAAK,SAAS,EAAE;AACrC,WAAO,WAAW;AAAA,EACpB;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASA,MAAM,OAAO,OAAyB,IAAkC;AACtE,UAAM,OAAO,KAAK,eAAe,OAAkC,QAAQ;AAC3E,UAAM,OAAO,MAAM,KAAK,OAAO,EAAE,EAC9B,OAAO,KAAK,KAAK,EACjB,OAAO,IAAW,EAClB,UAAU;AACb,WAAO,KAAK,CAAC;AAAA,EACf;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,MAAM,OAAO,IAAY,OAAyB,IAAkC;AAClF,UAAM,OAAO,KAAK,eAAe,OAAkC,QAAQ;AAC3E,UAAM,OAAO,MAAM,KAAK,OAAO,EAAE,EAC9B,OAAO,KAAK,KAAK,EACjB,IAAI,IAAW,EACf,MAAM,KAAK,SAAS,GAAG,KAAK,MAAM,IAAI,GAAG,EAAE,CAAC,CAAC,EAC7C,UAAU;AACb,WAAO,KAAK,CAAC;AAAA,EACf;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,OAAO,IAAY,IAA+B;AACtD,UAAM,SAAS,KAAK,OAAO,EAAE;AAC7B,QAAI,KAAK,UAAU,YAAY;AAC7B,YAAM,OACH,OAAO,KAAK,KAAK,EACjB,IAAI,EAAE,WAAW,oBAAI,KAAK,EAAE,CAAQ,EACpC,MAAM,KAAK,SAAS,GAAG,KAAK,MAAM,IAAI,GAAG,EAAE,CAAC,CAAC;AAAA,IAClD,OAAO;AACL,YAAM,OACH,OAAO,KAAK,KAAK,EACjB,MAAM,KAAK,SAAS,GAAG,KAAK,MAAM,IAAI,GAAG,EAAE,CAAC,CAAC;AAAA,IAClD;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,MAAM,WAAW,QAAiC,IAAoC;AACpF,WAAO,QAAQ,IAAI,OAAO,IAAI,CAAC,UAAU,KAAK,OAAO,OAAO,EAAE,CAAC,CAAC;AAAA,EAClE;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAiBU,UAAU,OAAa;AAC/B,UAAM,QAAQ,KAAK,GAAG,OAAO,EAAE,KAAK,KAAK,KAAK,EAAE,SAAS;AACzD,UAAM,QAAQ,KAAK,SAAS,OAAO,EAAE,YAAY,KAAK,UAAU,WAAW,CAAC;AAC5E,WAAO,QAAQ,MAAM,MAAM,KAAK,IAAI;AAAA,EACtC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAeU,iBAAkC;AAC1C,QAAI,CAAC,KAAK,UAAU,aAAc,QAAO;AACzC,UAAM,MACJ,KAAK,qBAAqB,WACtB,iBAAiB,IACjB,gBAAgB;AACtB,QAAI,CAAC,IAAK,QAAO;AACjB,UAAM,QAAwB,IAAI,SAAS;AAC3C,YAAQ,OAAO;AAAA,MACb,KAAK;AACH,eAAO;AAAA,MACT,KAAK;AACH,eAAO,IAAI,cAAc,IAAI,WAAW,SAAS,IAC7C,QAAQ,KAAK,MAAM,QAAQ,GAAG,IAAI,UAAsB,IACxD;AAAA,MACN,KAAK;AAAA,MACL;AACE,eAAO,GAAG,KAAK,MAAM,QAAQ,GAAG,IAAI,MAAM;AAAA,IAC9C;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAQU,SACR,OACA,MACiB;AACjB,UAAM,aAAoB,CAAC;AAC3B,QAAI,MAAM,WAAY,YAAW,KAAK,OAAO,KAAK,MAAM,WAAW,CAAC,CAAC;AACrE,UAAM,QAAQ,KAAK,eAAe;AAClC,QAAI,MAAO,YAAW,KAAK,KAAK;AAChC,QAAI,MAAO,YAAW,KAAK,KAAK;AAChC,QAAI,WAAW,WAAW,EAAG,QAAO;AACpC,QAAI,WAAW,WAAW,EAAG,QAAO,WAAW,CAAC;AAChD,WAAO,IAAI,GAAG,UAAU;AAAA,EAC1B;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EASU,eACR,OACA,MACyB;AACzB,QAAI,CAAC,KAAK,UAAU,WAAY,QAAO;AACvC,UAAM,MAAM,oBAAI,KAAK;AACrB,QAAI,SAAS,UAAU;AACrB,aAAO,EAAE,GAAG,OAAO,WAAW,KAAK,WAAW,IAAI;AAAA,IACpD;AACA,WAAO,EAAE,GAAG,OAAO,WAAW,IAAI;AAAA,EACpC;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAwBU,mBACR,aACA,gBACK;AACL,WAAO;AAAA,sBACW,WAAW;AAAA,qBACZ,cAAc;AAAA;AAAA;AAAA,EAGjC;AACF;;;ADjWO,IAAe,2BAAf,cAAyD,eAAwB;AAAA;AAAA;AAAA;AAAA,EAItF,MAAM,gBAAgB,OAAa,KAA+B;AAChE,UAAM,OAAO,MAAM,KAAK,UAAU,EAC/B,MAAM,QAAQ,KAAK,MAAM,YAAY,GAAG,OAAO,GAAG,CAAC;AACtD,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,aAAa,QAAoC;AACrD,UAAM,OAAO,MAAM,KAAK,UAAU,EAC/B,MAAMC,IAAG,KAAK,MAAM,QAAQ,GAAG,MAAM,CAAC;AACzC,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,oBAAoB,eAA2C;AACnE,UAAM,OAAO,MAAM,KAAK,UAAU,EAC/B,MAAMA,IAAG,KAAK,MAAM,eAAe,GAAG,aAAa,CAAC;AACvD,WAAO;AAAA,EACT;AAAA;AAAA;AAAA;AAAA,EAKA,MAAM,0BAA0B,eAAuB,QAAQ,IAAwB;AACrF,UAAM,OAAO,MAAM,KAAK,UAAU,EAC/B,MAAMA,IAAG,KAAK,MAAM,eAAe,GAAG,aAAa,CAAC,EACpD,QAAQ,KAAK,KAAK,MAAM,YAAY,CAAC,CAAC,EACtC,MAAM,KAAK;AACd,WAAO;AAAA,EACT;AACF;","names":["eq","eq"]}

package/dist/runtime/base-classes/base-repository.d.ts CHANGED Viewed

@@ -33,6 +33,20 @@ declare abstract class BaseRepository<TEntity> {
      * Override in concrete repositories to enable behaviors.
      */
     protected readonly behaviors: BehaviorConfig;
+    /**
+     * Ambient tenant-scope enforcement for `userTracking` repos (see
+     * `scopePredicate`). Only has effect when `behaviors.userTracking === true`.
+     *
+     * - `'lenient'` (default): when no ambient requester context is active,
+     *   reads/writes are NOT scoped — preserves pre-scoping behavior, so adopting
+     *   ambient scoping is additive. Scoping kicks in automatically once a
+     *   boundary installs `withRequester(...)`.
+     * - `'strict'`: a missing ambient context throws (`requireRequester`),
+     *   making a forgotten boundary fail loud instead of silently returning
+     *   cross-tenant rows. Recommended for new multi-tenant consumers — override
+     *   in a concrete repo or a family base class.
+     */
+    protected readonly scopeEnforcement: 'lenient' | 'strict';
     protected readonly db: DrizzleClient;
     constructor(db: DrizzleClient);
     /**
@@ -88,12 +102,42 @@ declare abstract class BaseRepository<TEntity> {
      */
     upsertMany(inputs: Array<Partial<TEntity>>, tx?: DrizzleTx): Promise<TEntity[]>;
     /**
-     * Base SELECT query that automatically excludes soft-deleted rows
-     * when softDelete behavior is enabled.
+     * Base SELECT query that automatically applies the ambient guards —
+     * soft-delete exclusion (when `softDelete`) and tenant scope (when
+     * `userTracking` + an active requester context) — combined with an optional
+     * caller `extra` predicate into a SINGLE `WHERE`.
+     *
+     * Pass the leaf predicate as `extra` rather than chaining a second
+     * `.where(...)`: Drizzle's `.where()` OVERRIDES (does not AND) a prior
+     * `.where()` on a `$dynamic()` query, so a chained call would silently drop
+     * the soft-delete and scope guards. `baseQuery(extra)` is the safe form.
      */
-    protected baseQuery(): drizzle_orm_pg_core.PgSelectBase<any, any, "single", {} | Record<any, "not-null">, true, never, {
+    protected baseQuery(extra?: SQL): drizzle_orm_pg_core.PgSelectBase<any, any, "single", {} | Record<any, "not-null">, true, never, {
         [x: string]: any;
     }[], any>;
+    /**
+     * Build the ambient tenant-scope predicate for this repo's table.
+     *
+     * Returns `undefined` (no scoping) when:
+     *   - `behaviors.userTracking` is false (repo is not user-owned), or
+     *   - no ambient requester context is active AND `scopeEnforcement` is
+     *     `'lenient'` (the default — preserves pre-scoping behavior).
+     *
+     * When a requester context is active, scopes by `user_id` per the ambient
+     * scope: `'user'` → `user_id = ctx.userId`; `'org'` → `user_id IN
+     * ctx.orgUserIds` (empty list matches nothing — fail-closed); `'superuser'`
+     * → no filter. See `tenant-context.ts` for the boundary-install contract.
+     */
+    protected scopePredicate(): SQL | undefined;
+    /**
+     * Combine the ambient scope predicate (and, optionally, the soft-delete
+     * guard) with a caller `extra` predicate into one `SQL`. Returns `undefined`
+     * when nothing applies. Used by read + by-id write paths so a single
+     * `.where(...)` carries every guard.
+     */
+    protected scopeAnd(extra?: SQL, opts?: {
+        softDelete?: boolean;
+    }): SQL | undefined;
     /**
      * Merge timestamp fields into an input object.
      * - mode='create': adds createdAt and updatedAt

package/dist/runtime/base-classes/base-repository.js CHANGED Viewed

@@ -1,5 +1,23 @@
 // runtime/base-classes/base-repository.ts
-import { eq, inArray, isNull, sql } from "drizzle-orm";
+import { and, eq, inArray, isNull, sql } from "drizzle-orm";
+// runtime/base-classes/tenant-context.ts
+import { AsyncLocalStorage } from "async_hooks";
+var als = new AsyncLocalStorage();
+function requireRequester() {
+  const ctx = als.getStore();
+  if (!ctx) {
+    throw new Error(
+      "No requester context active. Wrap the entry point in withRequester({ userId, organizationId }, fn). See tenant-context.ts."
+    );
+  }
+  return ctx;
+}
+function tryGetRequester() {
+  return als.getStore();
+}
+// runtime/base-classes/base-repository.ts
 var BaseRepository = class {
   // eslint-disable-line @typescript-eslint/no-explicit-any
   /**
@@ -11,6 +29,20 @@ var BaseRepository = class {
     softDelete: false,
     userTracking: false
   };
+  /**
+   * Ambient tenant-scope enforcement for `userTracking` repos (see
+   * `scopePredicate`). Only has effect when `behaviors.userTracking === true`.
+   *
+   * - `'lenient'` (default): when no ambient requester context is active,
+   *   reads/writes are NOT scoped — preserves pre-scoping behavior, so adopting
+   *   ambient scoping is additive. Scoping kicks in automatically once a
+   *   boundary installs `withRequester(...)`.
+   * - `'strict'`: a missing ambient context throws (`requireRequester`),
+   *   making a forgotten boundary fail loud instead of silently returning
+   *   cross-tenant rows. Recommended for new multi-tenant consumers — override
+   *   in a concrete repo or a family base class.
+   */
+  scopeEnforcement = "lenient";
   db;
   constructor(db) {
     this.db = db;
@@ -33,7 +65,7 @@ var BaseRepository = class {
    * Returns null if not found (or soft-deleted when softDelete=true).
    */
   async findById(id) {
-    const rows = await this.baseQuery().where(eq(this.table["id"], id)).limit(1);
+    const rows = await this.baseQuery(eq(this.table["id"], id)).limit(1);
     return rows[0] ?? null;
   }
   /**
@@ -42,17 +74,14 @@ var BaseRepository = class {
    */
   async findByIds(ids) {
     if (ids.length === 0) return [];
-    const rows = await this.baseQuery().where(inArray(this.table["id"], ids));
+    const rows = await this.baseQuery(inArray(this.table["id"], ids));
     return rows;
   }
   /**
    * List entities with optional filtering, pagination, and ordering.
    */
   async list(options) {
-    let query = this.baseQuery();
-    if (options?.where) {
-      query = query.where(options.where);
-    }
+    let query = this.baseQuery(options?.where);
     if (options?.orderBy) {
       query = query.orderBy(options.orderBy);
     }
@@ -75,13 +104,16 @@ var BaseRepository = class {
     if (this.behaviors.softDelete) {
       conditions.push(isNull(this.table["deletedAt"]));
     }
+    const scope = this.scopePredicate();
+    if (scope) {
+      conditions.push(scope);
+    }
     if (where) {
       conditions.push(where);
     }
     if (conditions.length === 1) {
       query = query.where(conditions[0]);
     } else if (conditions.length > 1) {
-      const { and } = await import("drizzle-orm");
       query = query.where(and(...conditions));
     }
     const rows = await query;
@@ -111,7 +143,7 @@ var BaseRepository = class {
    */
   async update(id, input, tx) {
     const data = this.withTimestamps(input, "update");
-    const rows = await this.runner(tx).update(this.table).set(data).where(eq(this.table["id"], id)).returning();
+    const rows = await this.runner(tx).update(this.table).set(data).where(this.scopeAnd(eq(this.table["id"], id))).returning();
     return rows[0];
   }
   /**
@@ -122,9 +154,9 @@ var BaseRepository = class {
   async delete(id, tx) {
     const runner = this.runner(tx);
     if (this.behaviors.softDelete) {
-      await runner.update(this.table).set({ deletedAt: /* @__PURE__ */ new Date() }).where(eq(this.table["id"], id));
+      await runner.update(this.table).set({ deletedAt: /* @__PURE__ */ new Date() }).where(this.scopeAnd(eq(this.table["id"], id)));
     } else {
-      await runner.delete(this.table).where(eq(this.table["id"], id));
+      await runner.delete(this.table).where(this.scopeAnd(eq(this.table["id"], id)));
     }
   }
   /**
@@ -139,15 +171,64 @@ var BaseRepository = class {
   // Protected Helpers
   // ============================================================================
   /**
-   * Base SELECT query that automatically excludes soft-deleted rows
-   * when softDelete behavior is enabled.
+   * Base SELECT query that automatically applies the ambient guards —
+   * soft-delete exclusion (when `softDelete`) and tenant scope (when
+   * `userTracking` + an active requester context) — combined with an optional
+   * caller `extra` predicate into a SINGLE `WHERE`.
+   *
+   * Pass the leaf predicate as `extra` rather than chaining a second
+   * `.where(...)`: Drizzle's `.where()` OVERRIDES (does not AND) a prior
+   * `.where()` on a `$dynamic()` query, so a chained call would silently drop
+   * the soft-delete and scope guards. `baseQuery(extra)` is the safe form.
    */
-  baseQuery() {
+  baseQuery(extra) {
     const query = this.db.select().from(this.table).$dynamic();
-    if (this.behaviors.softDelete) {
-      return query.where(isNull(this.table["deletedAt"]));
+    const where = this.scopeAnd(extra, { softDelete: this.behaviors.softDelete });
+    return where ? query.where(where) : query;
+  }
+  /**
+   * Build the ambient tenant-scope predicate for this repo's table.
+   *
+   * Returns `undefined` (no scoping) when:
+   *   - `behaviors.userTracking` is false (repo is not user-owned), or
+   *   - no ambient requester context is active AND `scopeEnforcement` is
+   *     `'lenient'` (the default — preserves pre-scoping behavior).
+   *
+   * When a requester context is active, scopes by `user_id` per the ambient
+   * scope: `'user'` → `user_id = ctx.userId`; `'org'` → `user_id IN
+   * ctx.orgUserIds` (empty list matches nothing — fail-closed); `'superuser'`
+   * → no filter. See `tenant-context.ts` for the boundary-install contract.
+   */
+  scopePredicate() {
+    if (!this.behaviors.userTracking) return void 0;
+    const ctx = this.scopeEnforcement === "strict" ? requireRequester() : tryGetRequester();
+    if (!ctx) return void 0;
+    const scope = ctx.scope ?? "user";
+    switch (scope) {
+      case "superuser":
+        return void 0;
+      case "org":
+        return ctx.orgUserIds && ctx.orgUserIds.length > 0 ? inArray(this.table["userId"], ctx.orgUserIds) : sql`false`;
+      case "user":
+      default:
+        return eq(this.table["userId"], ctx.userId);
     }
-    return query;
+  }
+  /**
+   * Combine the ambient scope predicate (and, optionally, the soft-delete
+   * guard) with a caller `extra` predicate into one `SQL`. Returns `undefined`
+   * when nothing applies. Used by read + by-id write paths so a single
+   * `.where(...)` carries every guard.
+   */
+  scopeAnd(extra, opts) {
+    const conditions = [];
+    if (opts?.softDelete) conditions.push(isNull(this.table["deletedAt"]));
+    const scope = this.scopePredicate();
+    if (scope) conditions.push(scope);
+    if (extra) conditions.push(extra);
+    if (conditions.length === 0) return void 0;
+    if (conditions.length === 1) return conditions[0];
+    return and(...conditions);
   }
   /**
    * Merge timestamp fields into an input object.