npm - @tenantscale/sdk - Versions diffs - 0.2.0 → 0.3.0 - Mend

@tenantscale/sdk 0.2.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (30) hide show

package/dist/index.d.ts +1 -1
package/dist/index.d.ts.map +1 -1
package/dist/index.js.map +1 -1
package/dist/middleware/index.d.ts +6 -0
package/dist/middleware/index.d.ts.map +1 -0
package/dist/middleware/index.js +8 -0
package/dist/middleware/index.js.map +1 -0
package/dist/middleware/query-guard.d.ts +31 -0
package/dist/middleware/query-guard.d.ts.map +1 -0
package/dist/middleware/query-guard.js +137 -0
package/dist/middleware/query-guard.js.map +1 -0
package/dist/middleware/user-auth.d.ts +53 -0
package/dist/middleware/user-auth.d.ts.map +1 -0
package/dist/middleware/user-auth.js +154 -0
package/dist/middleware/user-auth.js.map +1 -0
package/dist/react/index.js +1 -1
package/dist/react/index.js.map +1 -1
package/dist/tenant-scale.d.ts +46 -0
package/dist/tenant-scale.d.ts.map +1 -1
package/dist/tenant-scale.js +111 -6
package/dist/tenant-scale.js.map +1 -1
package/dist/testing/index.d.ts +111 -0
package/dist/testing/index.d.ts.map +1 -0
package/dist/testing/index.js +198 -0
package/dist/testing/index.js.map +1 -0
package/dist/types.d.ts +29 -1
package/dist/types.d.ts.map +1 -1
package/dist/types.js +0 -3
package/dist/types.js.map +1 -1
package/package.json +72 -63

package/dist/index.d.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-export { type Tenant, type TenantUser, type TenantScaleOptions, type TenantResolver, type AuditEvent, type FeatureCheck, type ImpersonationSession, type PlanTier, type TenantSettings, TenantScaleError, PlanLimitError, UnauthorizedError, } from './types.js';
+export { type Tenant, type TenantUser, type TenantScaleOptions, type TenantScaleContext, type TenantResolver, type AuditEvent, type FeatureCheck, type ImpersonationSession, type PlanTier, type TenantSettings, type UserTenantContext, TenantScaleError, PlanLimitError, UnauthorizedError, } from './types.js';
 export { TenantScale } from './tenant-scale.js';
 export { TenantClient } from './tenant.js';
 //# sourceMappingURL=index.d.ts.map

package/dist/index.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAIA,OAAO,EACL,KAAK,MAAM,EACX,KAAK,UAAU,EACf,KAAK,kBAAkB,EACvB,KAAK,cAAc,EACnB,KAAK,UAAU,EACf,KAAK,YAAY,EACjB,KAAK,oBAAoB,EACzB,KAAK,QAAQ,EACb,KAAK,cAAc,EACnB,gBAAgB,EAChB,cAAc,EACd,iBAAiB,GAClB,MAAM,YAAY,CAAA;AAEnB,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAA;AAC/C,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA"}
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAIA,OAAO,EACL,KAAK,MAAM,EACX,KAAK,UAAU,EACf,KAAK,kBAAkB,EACvB,KAAK,kBAAkB,EACvB,KAAK,cAAc,EACnB,KAAK,UAAU,EACf,KAAK,YAAY,EACjB,KAAK,oBAAoB,EACzB,KAAK,QAAQ,EACb,KAAK,cAAc,EACnB,KAAK,iBAAiB,EACtB,gBAAgB,EAChB,cAAc,EACd,iBAAiB,GAClB,MAAM,YAAY,CAAA;AAEnB,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAA;AAC/C,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA"}

package/dist/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,yDAAyD;AACzD,oCAAoC;AACpC,yDAAyD;AAEzD,OAAO,~~EAUL~~,gBAAgB,EAChB,cAAc,EACd,iBAAiB,GAClB,MAAM,YAAY,CAAA;AAEnB,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAA;AAC/C,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA"}
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../src/index.ts"],"names":[],"mappings":"AAAA,yDAAyD;AACzD,oCAAoC;AACpC,yDAAyD;AAEzD,OAAO,EAYL,gBAAgB,EAChB,cAAc,EACd,iBAAiB,GAClB,MAAM,YAAY,CAAA;AAEnB,OAAO,EAAE,WAAW,EAAE,MAAM,mBAAmB,CAAA;AAC/C,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA"}

package/dist/middleware/index.d.ts ADDED Viewed

@@ -0,0 +1,6 @@
+export { tenantMiddleware, TenantClient } from './hono.js';
+export { expressMiddleware } from './express.js';
+export { createTenantSafeClient } from './query-guard.js';
+export { createUserTenantMiddleware, requireUserRole } from './user-auth.js';
+export type { UserTenantMiddlewareOptions } from './user-auth.js';
+//# sourceMappingURL=index.d.ts.map

package/dist/middleware/index.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/middleware/index.ts"],"names":[],"mappings":"AAIA,OAAO,EAAE,gBAAgB,EAAE,YAAY,EAAE,MAAM,WAAW,CAAA;AAC1D,OAAO,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAA;AAChD,OAAO,EAAE,sBAAsB,EAAE,MAAM,kBAAkB,CAAA;AACzD,OAAO,EAAE,0BAA0B,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAA;AAC5E,YAAY,EAAE,2BAA2B,EAAE,MAAM,gBAAgB,CAAA"}

package/dist/middleware/index.js ADDED Viewed

@@ -0,0 +1,8 @@
+// ──────────────────────────────────────────────────────
+// Middleware barrel — import via '@tenantscale/sdk/middleware'
+// ──────────────────────────────────────────────────────
+export { tenantMiddleware, TenantClient } from './hono.js';
+export { expressMiddleware } from './express.js';
+export { createTenantSafeClient } from './query-guard.js';
+export { createUserTenantMiddleware, requireUserRole } from './user-auth.js';
+//# sourceMappingURL=index.js.map

package/dist/middleware/index.js.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/middleware/index.ts"],"names":[],"mappings":"AAAA,yDAAyD;AACzD,+DAA+D;AAC/D,yDAAyD;AAEzD,OAAO,EAAE,gBAAgB,EAAE,YAAY,EAAE,MAAM,WAAW,CAAA;AAC1D,OAAO,EAAE,iBAAiB,EAAE,MAAM,cAAc,CAAA;AAChD,OAAO,EAAE,sBAAsB,EAAE,MAAM,kBAAkB,CAAA;AACzD,OAAO,EAAE,0BAA0B,EAAE,eAAe,EAAE,MAAM,gBAAgB,CAAA"}

package/dist/middleware/query-guard.d.ts ADDED Viewed

@@ -0,0 +1,31 @@
+export type GuardMode = 'strict' | 'warn';
+export interface GuardOptions {
+    /** The tenant ID to enforce on all queries */
+    tenantId: string;
+    /**
+     * strict   — throw an error (default, prevents data leaks)
+     * warn     — log a warning and proceed (use during migration)
+     */
+    mode?: GuardMode;
+}
+/**
+ * Wrap a Supabase client so every query on every table must include
+ * `.eq('tenant_id', <tenantId>)` or explicitly call `.bypassIsolation()`.
+ *
+ * @example
+ * ```ts
+ * const supabase = createClient(url, key)
+ * const db = createTenantSafeClient(supabase, { tenantId: 'tenant-123' })
+ *
+ * // ✅ Works:
+ * await db.from('projects').select('*').eq('tenant_id', 'tenant-123')
+ *
+ * // ❌ Throws:
+ * await db.from('projects').select('*')
+ *
+ * // ✅ Admin bypass:
+ * await db.from('plans').select('*').bypassIsolation()
+ * ```
+ */
+export declare function createTenantSafeClient(supabase: any, options: GuardOptions): any;
+//# sourceMappingURL=query-guard.d.ts.map

package/dist/middleware/query-guard.d.ts.map ADDED Viewed

	@@ -0,0 +1 @@
1	+ {"version":3,"file":"query-guard.d.ts","sourceRoot":"","sources":["../../src/middleware/query-guard.ts"],"names":[],"mappings":"AAOA,MAAM,MAAM,SAAS,GAAG,QAAQ,GAAG,MAAM,CAAA;AAEzC,MAAM,WAAW,YAAY;IAC3B,8CAA8C;IAC9C,QAAQ,EAAE,MAAM,CAAA;IAChB;;;OAGG;IACH,IAAI,CAAC,EAAE,SAAS,CAAA;CACjB;AAED;;;;;;;;;;;;;;;;;;GAkBG;AACH,wBAAgB,sBAAsB,CACpC,QAAQ,EAAE,GAAG,EACb,OAAO,EAAE,YAAY,GACpB,GAAG,CAiBL"}

package/dist/middleware/query-guard.js ADDED Viewed

@@ -0,0 +1,137 @@
+// ──────────────────────────────────────────────────────
+// Query Guard — runtime tenant isolation enforcement
+// Wraps a Supabase client and rejects queries that don't
+// filter by tenant_id. Catches the #1 multi-tenant bug
+// at dev time instead of during a security audit.
+// ──────────────────────────────────────────────────────
+/**
+ * Wrap a Supabase client so every query on every table must include
+ * `.eq('tenant_id', <tenantId>)` or explicitly call `.bypassIsolation()`.
+ *
+ * @example
+ * ```ts
+ * const supabase = createClient(url, key)
+ * const db = createTenantSafeClient(supabase, { tenantId: 'tenant-123' })
+ *
+ * // ✅ Works:
+ * await db.from('projects').select('*').eq('tenant_id', 'tenant-123')
+ *
+ * // ❌ Throws:
+ * await db.from('projects').select('*')
+ *
+ * // ✅ Admin bypass:
+ * await db.from('plans').select('*').bypassIsolation()
+ * ```
+ */
+export function createTenantSafeClient(supabase, options) {
+    const { tenantId, mode = 'strict' } = options;
+    const strict = mode === 'strict';
+    return new Proxy(supabase, {
+        get(target, prop, receiver) {
+            if (prop === 'from') {
+                return (table) => {
+                    const rawQb = target.from(table);
+                    return wrapBuilder(rawQb, tenantId, strict, table);
+                };
+            }
+            const value = Reflect.get(target, prop, receiver);
+            if (typeof value === 'function')
+                return value.bind(target);
+            return value;
+        },
+    });
+}
+// ── Methods that return a new query builder (must wrap results) ──
+const CHAIN_METHODS = new Set([
+    'select', 'insert', 'update', 'delete', 'upsert',
+    'eq', 'neq', 'gt', 'gte', 'lt', 'lte',
+    'like', 'ilike', 'is', 'isNot', 'in', 'not',
+    'or', 'and', 'filter', 'match',
+    'contains', 'containedBy', 'overlaps',
+    'textSearch', 'csv',
+    'order', 'limit', 'range',
+]);
+function wrapBuilder(rootQb, tenantId, strict, table) {
+    let hasTenantFilter = false;
+    let bypassed = false;
+    function guardCheck() {
+        if (bypassed)
+            return;
+        if (hasTenantFilter)
+            return;
+        const msg = `[TenantScale] Query on "${table}" is missing a tenant_id filter. ` +
+            `Add .eq('tenant_id', '${tenantId}') to scope this query to the current tenant, ` +
+            `or use .bypassIsolation() for admin-only cross-tenant queries.`;
+        if (strict)
+            throw new TypeError(msg);
+        console.warn(msg);
+    }
+    // Build the proxy once, then reuse it for wrapped results.
+    // Chain methods return a new proxy on the same state.
+    function makeProxy(target) {
+        return new Proxy(target, proxyHandler);
+    }
+    // `.single()` and `.maybeSingle()` modify internal state and return `this`.
+    // We intercept them to return our proxy-wrapped `this`.
+    const TERMINAL_THIS = new Set(['single', 'maybeSingle']);
+    const proxyHandler = {
+        get(target, prop) {
+            // ── Track tenant_id filter ──
+            if (prop === 'eq') {
+                return (column, value) => {
+                    if (column === 'tenant_id')
+                        hasTenantFilter = true;
+                    const nextQb = target.eq(column, value);
+                    return makeProxy(nextQb);
+                };
+            }
+            // ── Bypass for admin routes ──
+            if (prop === 'bypassIsolation') {
+                return () => {
+                    bypassed = true;
+                    // Return a transparent pass-through proxy
+                    return new Proxy(target, {
+                        get(t, p) {
+                            if (p === 'bypassIsolation')
+                                return () => t;
+                            const v = Reflect.get(t, p);
+                            if (typeof v === 'function')
+                                return v.bind(t);
+                            return v;
+                        },
+                    });
+                };
+            }
+            // ── Intercept .then() — the HTTP request ──
+            if (prop === 'then') {
+                return (resolve, reject) => {
+                    guardCheck();
+                    return target.then(resolve, reject);
+                };
+            }
+            // ── Chain methods — wrap their return values ──
+            if (typeof prop === 'string' && CHAIN_METHODS.has(prop)) {
+                return (...args) => {
+                    const nextQb = target[prop](...args);
+                    return makeProxy(nextQb);
+                };
+            }
+            // ── Terminal-this methods (.single(), .maybeSingle()) ──
+            if (typeof prop === 'string' && TERMINAL_THIS.has(prop)) {
+                return (...args) => {
+                    const result = target[prop](...args);
+                    // single() returns `this` (the PostgrestFilterBuilder)
+                    // Wrap it so further chaining still works
+                    return makeProxy(result);
+                };
+            }
+            // ── Everything else passes through ──
+            const value = Reflect.get(target, prop, target);
+            if (typeof value === 'function')
+                return value.bind(target);
+            return value;
+        },
+    };
+    return makeProxy(rootQb);
+}
+//# sourceMappingURL=query-guard.js.map

package/dist/middleware/query-guard.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"query-guard.js","sourceRoot":"","sources":["../../src/middleware/query-guard.ts"],"names":[],"mappings":"AAAA,yDAAyD;AACzD,qDAAqD;AACrD,yDAAyD;AACzD,uDAAuD;AACvD,kDAAkD;AAClD,yDAAyD;AAczD;;;;;;;;;;;;;;;;;;GAkBG;AACH,MAAM,UAAU,sBAAsB,CACpC,QAAa,EACb,OAAqB;IAErB,MAAM,EAAE,QAAQ,EAAE,IAAI,GAAG,QAAQ,EAAE,GAAG,OAAO,CAAA;IAC7C,MAAM,MAAM,GAAG,IAAI,KAAK,QAAQ,CAAA;IAEhC,OAAO,IAAI,KAAK,CAAC,QAAQ,EAAE;QACzB,GAAG,CAAC,MAAM,EAAE,IAAqB,EAAE,QAAQ;YACzC,IAAI,IAAI,KAAK,MAAM,EAAE,CAAC;gBACpB,OAAO,CAAC,KAAa,EAAE,EAAE;oBACvB,MAAM,KAAK,GAAG,MAAM,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;oBAChC,OAAO,WAAW,CAAC,KAAK,EAAE,QAAQ,EAAE,MAAM,EAAE,KAAK,CAAC,CAAA;gBACpD,CAAC,CAAA;YACH,CAAC;YACD,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,EAAE,QAAQ,CAAC,CAAA;YACjD,IAAI,OAAO,KAAK,KAAK,UAAU;gBAAE,OAAO,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAA;YAC1D,OAAO,KAAK,CAAA;QACd,CAAC;KACF,CAAC,CAAA;AACJ,CAAC;AAED,oEAAoE;AAEpE,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC;IAC5B,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ,EAAE,QAAQ;IAChD,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK,EAAE,IAAI,EAAE,KAAK;IACrC,MAAM,EAAE,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,IAAI,EAAE,KAAK;IAC3C,IAAI,EAAE,KAAK,EAAE,QAAQ,EAAE,OAAO;IAC9B,UAAU,EAAE,aAAa,EAAE,UAAU;IACrC,YAAY,EAAE,KAAK;IACnB,OAAO,EAAE,OAAO,EAAE,OAAO;CAC1B,CAAC,CAAA;AAEF,SAAS,WAAW,CAClB,MAAW,EACX,QAAgB,EAChB,MAAe,EACf,KAAa;IAEb,IAAI,eAAe,GAAG,KAAK,CAAA;IAC3B,IAAI,QAAQ,GAAG,KAAK,CAAA;IAEpB,SAAS,UAAU;QACjB,IAAI,QAAQ;YAAE,OAAM;QACpB,IAAI,eAAe;YAAE,OAAM;QAE3B,MAAM,GAAG,GACP,2BAA2B,KAAK,mCAAmC;YACnE,yBAAyB,QAAQ,gDAAgD;YACjF,gEAAgE,CAAA;QAElE,IAAI,MAAM;YAAE,MAAM,IAAI,SAAS,CAAC,GAAG,CAAC,CAAA;QACpC,OAAO,CAAC,IAAI,CAAC,GAAG,CAAC,CAAA;IACnB,CAAC;IAED,2DAA2D;IAC3D,sDAAsD;IACtD,SAAS,SAAS,CAAC,MAAW;QAC5B,OAAO,IAAI,KAAK,CAAC,MAAM,EAAE,YAAY,CAAC,CAAA;IACxC,CAAC;IAED,4EAA4E;IAC5E,wDAAwD;IACxD,MAAM,aAAa,GAAG,IAAI,GAAG,CAAC,CAAC,QAAQ,EAAE,aAAa,CAAC,CAAC,CAAA;IAExD,MAAM,YAAY,GAAG;QACnB,GAAG,CAAC,MAAW,EAAE,IAAqB;YACpC,+BAA+B;YAC/B,IAAI,IAAI,KAAK,IAAI,EAAE,CAAC;gBAClB,OAAO,CAAC,MAAc,EAAE,KAAc,EAAE,EAAE;oBACxC,IAAI,MAAM,KAAK,WAAW;wBAAE,eAAe,GAAG,IAAI,CAAA;oBAClD,MAAM,MAAM,GAAG,MAAM,CAAC,EAAE,CAAC,MAAM,EAAE,KAAK,CAAC,CAAA;oBACvC,OAAO,SAAS,CAAC,MAAM,CAAC,CAAA;gBAC1B,CAAC,CAAA;YACH,CAAC;YAED,gCAAgC;YAChC,IAAI,IAAI,KAAK,iBAAiB,EAAE,CAAC;gBAC/B,OAAO,GAAG,EAAE;oBACV,QAAQ,GAAG,IAAI,CAAA;oBACf,0CAA0C;oBAC1C,OAAO,IAAI,KAAK,CAAC,MAAM,EAAE;wBACvB,GAAG,CAAC,CAAC,EAAE,CAAkB;4BACvB,IAAI,CAAC,KAAK,iBAAiB;gCAAE,OAAO,GAAG,EAAE,CAAC,CAAC,CAAA;4BAC3C,MAAM,CAAC,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,CAAC,CAAA;4BAC3B,IAAI,OAAO,CAAC,KAAK,UAAU;gCAAE,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAA;4BAC7C,OAAO,CAAC,CAAA;wBACV,CAAC;qBACF,CAAC,CAAA;gBACJ,CAAC,CAAA;YACH,CAAC;YAED,6CAA6C;YAC7C,IAAI,IAAI,KAAK,MAAM,EAAE,CAAC;gBACpB,OAAO,CACL,OAA6B,EAC7B,MAA6B,EAC7B,EAAE;oBACF,UAAU,EAAE,CAAA;oBACZ,OAAO,MAAM,CAAC,IAAI,CAAC,OAAO,EAAE,MAAM,CAAC,CAAA;gBACrC,CAAC,CAAA;YACH,CAAC;YAED,iDAAiD;YACjD,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;gBACxD,OAAO,CAAC,GAAG,IAAW,EAAE,EAAE;oBACxB,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,IAAI,CAAC,CAAA;oBACpC,OAAO,SAAS,CAAC,MAAM,CAAC,CAAA;gBAC1B,CAAC,CAAA;YACH,CAAC;YAED,0DAA0D;YAC1D,IAAI,OAAO,IAAI,KAAK,QAAQ,IAAI,aAAa,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;gBACxD,OAAO,CAAC,GAAG,IAAW,EAAE,EAAE;oBACxB,MAAM,MAAM,GAAG,MAAM,CAAC,IAAI,CAAC,CAAC,GAAG,IAAI,CAAC,CAAA;oBACpC,uDAAuD;oBACvD,0CAA0C;oBAC1C,OAAO,SAAS,CAAC,MAAM,CAAC,CAAA;gBAC1B,CAAC,CAAA;YACH,CAAC;YAED,uCAAuC;YACvC,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,CAAA;YAC/C,IAAI,OAAO,KAAK,KAAK,UAAU;gBAAE,OAAO,KAAK,CAAC,IAAI,CAAC,MAAM,CAAC,CAAA;YAC1D,OAAO,KAAK,CAAA;QACd,CAAC;KACF,CAAA;IAED,OAAO,SAAS,CAAC,MAAM,CAAC,CAAA;AAC1B,CAAC"}

package/dist/middleware/user-auth.d.ts ADDED Viewed

@@ -0,0 +1,53 @@
+import { type Context, type MiddlewareHandler } from 'hono';
+import { type Tenant, type TenantScaleOptions, type UserTenantContext } from '../types.js';
+declare module 'hono' {
+    interface ContextVariableMap {
+        userTenant: UserTenantContext;
+        tenant: Tenant;
+    }
+}
+/** Options for the user tenant middleware */
+export interface UserTenantMiddlewareOptions extends TenantScaleOptions {
+    /**
+     * Function that extracts the authenticated user's ID from the request.
+     * Return null/undefined if the user is not authenticated.
+     */
+    getUser: (c: Context) => string | null | undefined | Promise<string | null | undefined>;
+    /**
+     * What to do when no authenticated user is found.
+     * - 'reject': Return 401 Unauthorized (default)
+     * - 'skip': Call next() without setting userTenant — useful when some routes are public
+     */
+    onUnauthenticated?: 'reject' | 'skip';
+    /**
+     * Optional: How to determine which tenant to use when a user belongs to multiple.
+     * - 'first': Use the first tenant (default)
+     * - 'header': Read tenant from a custom header (specify via tenantHeader)
+     * - 'domain': Resolve from the request's host/domain
+     */
+    multiTenantStrategy?: 'first' | 'header' | 'domain';
+    /** Header name to use when multiTenantStrategy is 'header' (default: 'X-Tenant-ID') */
+    tenantHeader?: string;
+    /**
+     * Role values that count as "admin" for the `isAdmin` flag.
+     * Default: ['owner', 'admin']
+     * Set this to match your own role model.
+     */
+    adminRoles?: string[];
+}
+/**
+ * Creates Hono middleware that resolves a user's tenant context
+ * from your existing auth system. BYOA — Bring Your Own Auth.
+ *
+ * The developer provides `getUser(c)` which extracts the user ID
+ * from their auth provider. TenantScale looks up the tenant membership
+ * and attaches the full context to the request.
+ */
+export declare function createUserTenantMiddleware(options: UserTenantMiddlewareOptions): MiddlewareHandler;
+/**
+ * Role guard middleware — restricts routes based on user role.
+ * Must be used after `createUserTenantMiddleware()`.
+ */
+export declare function requireUserRole(...roles: string[]): MiddlewareHandler;
+export { type UserTenantContext };
+//# sourceMappingURL=user-auth.d.ts.map

package/dist/middleware/user-auth.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"user-auth.d.ts","sourceRoot":"","sources":["../../src/middleware/user-auth.ts"],"names":[],"mappings":"AAoCA,OAAO,EAAE,KAAK,OAAO,EAAE,KAAK,iBAAiB,EAAE,MAAM,MAAM,CAAA;AAE3D,OAAO,EACL,KAAK,MAAM,EACX,KAAK,kBAAkB,EACvB,KAAK,iBAAiB,EAGvB,MAAM,aAAa,CAAA;AAGpB,OAAO,QAAQ,MAAM,CAAC;IACpB,UAAU,kBAAkB;QAC1B,UAAU,EAAE,iBAAiB,CAAA;QAC7B,MAAM,EAAE,MAAM,CAAA;KACf;CACF;AAED,6CAA6C;AAC7C,MAAM,WAAW,2BAA4B,SAAQ,kBAAkB;IACrE;;;OAGG;IACH,OAAO,EAAE,CAAC,CAAC,EAAE,OAAO,KAAK,MAAM,GAAG,IAAI,GAAG,SAAS,GAAG,OAAO,CAAC,MAAM,GAAG,IAAI,GAAG,SAAS,CAAC,CAAA;IAEvF;;;;OAIG;IACH,iBAAiB,CAAC,EAAE,QAAQ,GAAG,MAAM,CAAA;IAErC;;;;;OAKG;IACH,mBAAmB,CAAC,EAAE,OAAO,GAAG,QAAQ,GAAG,QAAQ,CAAA;IAEnD,uFAAuF;IACvF,YAAY,CAAC,EAAE,MAAM,CAAA;IAErB;;;;OAIG;IACH,UAAU,CAAC,EAAE,MAAM,EAAE,CAAA;CACtB;AAED;;;;;;;GAOG;AACH,wBAAgB,0BAA0B,CACxC,OAAO,EAAE,2BAA2B,GACnC,iBAAiB,CA0HnB;AAED;;;GAGG;AACH,wBAAgB,eAAe,CAAC,GAAG,KAAK,EAAE,MAAM,EAAE,GAAG,iBAAiB,CAarE;AAED,OAAO,EAAE,KAAK,iBAAiB,EAAE,CAAA"}

package/dist/middleware/user-auth.js ADDED Viewed

@@ -0,0 +1,154 @@
+// ──────────────────────────────────────────────────────
+// User Auth Middleware — Bring Your Own Auth (BYOA)
+// ──────────────────────────────────────────────────────
+// Developers keep their auth provider (Clerk, Auth0, Supabase Auth,
+// Firebase, raw JWT, session cookies). TenantScale resolves the
+// tenant context from the authenticated user.
+//
+// Usage:
+// ```ts
+// import { Hono } from 'hono'
+// import { createUserTenantMiddleware } from '@tenantscale/sdk/user'
+//
+// const app = new Hono()
+//
+// // Developer's auth middleware (their own provider)
+// app.use('*', async (c, next) => {
+//   const session = await getMyAuthSession(c)  // Clerk, Auth0, etc.
+//   c.set('userId', session?.userId)
+//   await next()
+// })
+//
+// // TenantScale resolves tenant from the user
+// app.use('/api/*', createUserTenantMiddleware({
+//   apiKey: process.env.TENANTSCALE_API_KEY,
+//   baseUrl: 'https://api.tenantscale.com',
+//   getUser: (c) => c.get('userId'),
+//   onUnauthenticated: 'reject',  // or 'skip'
+// }))
+//
+// app.get('/api/projects', (c) => {
+//   const ctx = c.var.userTenant
+//   // ctx.userId, ctx.tenantId, ctx.role, ctx.tenant
+// })
+// ```
+// ──────────────────────────────────────────────────────
+import { TenantClient } from '../tenant.js';
+import { UnauthorizedError, TenantScaleError, } from '../types.js';
+/**
+ * Creates Hono middleware that resolves a user's tenant context
+ * from your existing auth system. BYOA — Bring Your Own Auth.
+ *
+ * The developer provides `getUser(c)` which extracts the user ID
+ * from their auth provider. TenantScale looks up the tenant membership
+ * and attaches the full context to the request.
+ */
+export function createUserTenantMiddleware(options) {
+    const { getUser, onUnauthenticated = 'reject', multiTenantStrategy = 'first', tenantHeader = 'X-Tenant-ID', adminRoles = ['owner', 'admin'], ...tsOptions } = options;
+    const client = new TenantClient(tsOptions);
+    return async (c, next) => {
+        // 1. Get the authenticated user from the developer's auth
+        const userId = await getUser(c);
+        if (!userId) {
+            if (onUnauthenticated === 'skip') {
+                // Let the request pass through — public routes handled downstream
+                await next();
+                return;
+            }
+            return c.json({ error: 'Authentication required' }, 401);
+        }
+        try {
+            // 2. Resolve tenant membership from TenantScale API
+            const baseUrl = tsOptions.baseUrl ?? 'https://api.tenantscale.com';
+            const apiKey = tsOptions.apiKey;
+            // Fetch user's tenant memberships
+            const res = await fetch(`${baseUrl}/v1/users/${userId}/tenants`, {
+                headers: {
+                    Authorization: `Bearer ${apiKey}`,
+                    'Content-Type': 'application/json',
+                },
+            });
+            if (!res.ok) {
+                throw new TenantScaleError(`Failed to resolve user tenants: ${res.statusText}`, 'USER_TENANT_RESOLVE_FAILED', res.status);
+            }
+            const body = await res.json();
+            if (!body.tenants || body.tenants.length === 0) {
+                return c.json({ error: 'User is not associated with any tenant' }, 403);
+            }
+            // 3. Determine which tenant to use
+            let selectedTenant;
+            if (body.tenants.length === 1 || multiTenantStrategy === 'first') {
+                selectedTenant = body.tenants[0];
+            }
+            else if (multiTenantStrategy === 'header') {
+                const requestedTenantId = c.req.header(tenantHeader);
+                const match = body.tenants.find(t => t.tenantId === requestedTenantId || t.tenantSlug === requestedTenantId);
+                if (!match) {
+                    return c.json({
+                        error: `Tenant not found or access denied`,
+                        available_tenants: body.tenants.map(t => ({
+                            id: t.tenantId,
+                            name: t.tenantName,
+                            slug: t.tenantSlug,
+                            role: t.role,
+                        })),
+                    }, 404);
+                }
+                selectedTenant = match;
+            }
+            else {
+                // 'domain' strategy — resolve from host
+                const host = c.req.header('host') ?? '';
+                const match = body.tenants.find(t => t.tenantSlug && host.startsWith(t.tenantSlug));
+                selectedTenant = match ?? body.tenants[0];
+            }
+            // 4. Build the user tenant context
+            const ctx = {
+                userId,
+                tenantId: selectedTenant.tenantId,
+                role: selectedTenant.role,
+                tenant: selectedTenant.tenant,
+                isAdmin: adminRoles.includes(selectedTenant.role),
+                tenants: body.tenants.map(t => ({
+                    tenantId: t.tenantId,
+                    tenantName: t.tenantName,
+                    tenantSlug: t.tenantSlug,
+                    role: t.role,
+                })),
+            };
+            // 5. Attach to Hono context
+            c.set('userTenant', ctx);
+            c.set('tenant', selectedTenant.tenant);
+            await next();
+        }
+        catch (err) {
+            if (err instanceof UnauthorizedError) {
+                return c.json({ error: err.message }, 401);
+            }
+            if (err instanceof TenantScaleError) {
+                return c.json({ error: err.message, code: err.code }, err.status);
+            }
+            console.error('[TenantScale] User auth error:', err);
+            return c.json({ error: 'Failed to resolve user tenant context' }, 500);
+        }
+    };
+}
+/**
+ * Role guard middleware — restricts routes based on user role.
+ * Must be used after `createUserTenantMiddleware()`.
+ */
+export function requireUserRole(...roles) {
+    return async (c, next) => {
+        const ctx = c.get('userTenant');
+        if (!ctx) {
+            return c.json({ error: 'Authentication required' }, 401);
+        }
+        if (!roles.includes(ctx.role)) {
+            return c.json({
+                error: `This endpoint requires one of these roles: ${roles.join(', ')}`,
+            }, 403);
+        }
+        await next();
+    };
+}
+//# sourceMappingURL=user-auth.js.map

package/dist/middleware/user-auth.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"user-auth.js","sourceRoot":"","sources":["../../src/middleware/user-auth.ts"],"names":[],"mappings":"AAAA,yDAAyD;AACzD,oDAAoD;AACpD,yDAAyD;AACzD,oEAAoE;AACpE,gEAAgE;AAChE,8CAA8C;AAC9C,EAAE;AACF,SAAS;AACT,QAAQ;AACR,8BAA8B;AAC9B,qEAAqE;AACrE,EAAE;AACF,yBAAyB;AACzB,EAAE;AACF,sDAAsD;AACtD,oCAAoC;AACpC,qEAAqE;AACrE,qCAAqC;AACrC,iBAAiB;AACjB,KAAK;AACL,EAAE;AACF,+CAA+C;AAC/C,iDAAiD;AACjD,6CAA6C;AAC7C,4CAA4C;AAC5C,qCAAqC;AACrC,+CAA+C;AAC/C,MAAM;AACN,EAAE;AACF,oCAAoC;AACpC,iCAAiC;AACjC,sDAAsD;AACtD,KAAK;AACL,MAAM;AACN,yDAAyD;AAGzD,OAAO,EAAE,YAAY,EAAE,MAAM,cAAc,CAAA;AAC3C,OAAO,EAIL,iBAAiB,EACjB,gBAAgB,GACjB,MAAM,aAAa,CAAA;AA4CpB;;;;;;;GAOG;AACH,MAAM,UAAU,0BAA0B,CACxC,OAAoC;IAEpC,MAAM,EACJ,OAAO,EACP,iBAAiB,GAAG,QAAQ,EAC5B,mBAAmB,GAAG,OAAO,EAC7B,YAAY,GAAG,aAAa,EAC5B,UAAU,GAAG,CAAC,OAAO,EAAE,OAAO,CAAC,EAC/B,GAAG,SAAS,EACb,GAAG,OAAO,CAAA;IAEX,MAAM,MAAM,GAAG,IAAI,YAAY,CAAC,SAAS,CAAC,CAAA;IAE1C,OAAO,KAAK,EAAE,CAAU,EAAE,IAAI,EAAE,EAAE;QAChC,0DAA0D;QAC1D,MAAM,MAAM,GAAG,MAAM,OAAO,CAAC,CAAC,CAAC,CAAA;QAE/B,IAAI,CAAC,MAAM,EAAE,CAAC;YACZ,IAAI,iBAAiB,KAAK,MAAM,EAAE,CAAC;gBACjC,kEAAkE;gBAClE,MAAM,IAAI,EAAE,CAAA;gBACZ,OAAM;YACR,CAAC;YACD,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,yBAAyB,EAAE,EAAE,GAAG,CAAC,CAAA;QAC1D,CAAC;QAED,IAAI,CAAC;YACH,oDAAoD;YACpD,MAAM,OAAO,GAAG,SAAS,CAAC,OAAO,IAAI,6BAA6B,CAAA;YAClE,MAAM,MAAM,GAAG,SAAS,CAAC,MAAM,CAAA;YAE/B,kCAAkC;YAClC,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,OAAO,aAAa,MAAM,UAAU,EAAE;gBAC/D,OAAO,EAAE;oBACP,aAAa,EAAE,UAAU,MAAM,EAAE;oBACjC,cAAc,EAAE,kBAAkB;iBACnC;aACF,CAAC,CAAA;YAEF,IAAI,CAAC,GAAG,CAAC,EAAE,EAAE,CAAC;gBACZ,MAAM,IAAI,gBAAgB,CACxB,mCAAmC,GAAG,CAAC,UAAU,EAAE,EACnD,4BAA4B,EAC5B,GAAG,CAAC,MAAM,CACX,CAAA;YACH,CAAC;YAED,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAQ1B,CAAA;YAED,IAAI,CAAC,IAAI,CAAC,OAAO,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,KAAK,CAAC,EAAE,CAAC;gBAC/C,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,wCAAwC,EAAE,EAAE,GAAG,CAAC,CAAA;YACzE,CAAC;YAED,mCAAmC;YACnC,IAAI,cAAsC,CAAA;YAE1C,IAAI,IAAI,CAAC,OAAO,CAAC,MAAM,KAAK,CAAC,IAAI,mBAAmB,KAAK,OAAO,EAAE,CAAC;gBACjE,cAAc,GAAG,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CAAA;YAClC,CAAC;iBAAM,IAAI,mBAAmB,KAAK,QAAQ,EAAE,CAAC;gBAC5C,MAAM,iBAAiB,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,YAAY,CAAC,CAAA;gBACpD,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAC7B,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,QAAQ,KAAK,iBAAiB,IAAI,CAAC,CAAC,UAAU,KAAK,iBAAiB,CAC5E,CAAA;gBACD,IAAI,CAAC,KAAK,EAAE,CAAC;oBACX,OAAO,CAAC,CAAC,IAAI,CAAC;wBACZ,KAAK,EAAE,mCAAmC;wBAC1C,iBAAiB,EAAE,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;4BACxC,EAAE,EAAE,CAAC,CAAC,QAAQ;4BACd,IAAI,EAAE,CAAC,CAAC,UAAU;4BAClB,IAAI,EAAE,CAAC,CAAC,UAAU;4BAClB,IAAI,EAAE,CAAC,CAAC,IAAI;yBACb,CAAC,CAAC;qBACJ,EAAE,GAAG,CAAC,CAAA;gBACT,CAAC;gBACD,cAAc,GAAG,KAAK,CAAA;YACxB,CAAC;iBAAM,CAAC;gBACN,wCAAwC;gBACxC,MAAM,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,EAAE,CAAA;gBACvC,MAAM,KAAK,GAAG,IAAI,CAAC,OAAO,CAAC,IAAI,CAC7B,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,UAAU,IAAI,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,UAAU,CAAC,CACnD,CAAA;gBACD,cAAc,GAAG,KAAK,IAAI,IAAI,CAAC,OAAO,CAAC,CAAC,CAAC,CAAA;YAC3C,CAAC;YAED,mCAAmC;YACnC,MAAM,GAAG,GAAsB;gBAC7B,MAAM;gBACN,QAAQ,EAAE,cAAc,CAAC,QAAQ;gBACjC,IAAI,EAAE,cAAc,CAAC,IAAI;gBACzB,MAAM,EAAE,cAAc,CAAC,MAAM;gBAC7B,OAAO,EAAE,UAAU,CAAC,QAAQ,CAAC,cAAc,CAAC,IAAI,CAAC;gBACjD,OAAO,EAAE,IAAI,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;oBAC9B,QAAQ,EAAE,CAAC,CAAC,QAAQ;oBACpB,UAAU,EAAE,CAAC,CAAC,UAAU;oBACxB,UAAU,EAAE,CAAC,CAAC,UAAU;oBACxB,IAAI,EAAE,CAAC,CAAC,IAAI;iBACb,CAAC,CAAC;aACJ,CAAA;YAED,4BAA4B;YAC5B,CAAC,CAAC,GAAG,CAAC,YAAY,EAAE,GAAG,CAAC,CAAA;YACxB,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,cAAc,CAAC,MAAM,CAAC,CAAA;YAEtC,MAAM,IAAI,EAAE,CAAA;QACd,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,IAAI,GAAG,YAAY,iBAAiB,EAAE,CAAC;gBACrC,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,GAAG,CAAC,OAAO,EAAE,EAAE,GAAG,CAAC,CAAA;YAC5C,CAAC;YACD,IAAI,GAAG,YAAY,gBAAgB,EAAE,CAAC;gBACpC,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,GAAG,CAAC,OAAO,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,EAAE,GAAG,CAAC,MAAwC,CAAC,CAAA;YACrG,CAAC;YACD,OAAO,CAAC,KAAK,CAAC,gCAAgC,EAAE,GAAG,CAAC,CAAA;YACpD,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,uCAAuC,EAAE,EAAE,GAAG,CAAC,CAAA;QACxE,CAAC;IACH,CAAC,CAAA;AACH,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,eAAe,CAAC,GAAG,KAAe;IAChD,OAAO,KAAK,EAAE,CAAU,EAAE,IAAI,EAAE,EAAE;QAChC,MAAM,GAAG,GAAG,CAAC,CAAC,GAAG,CAAC,YAAY,CAAC,CAAA;QAC/B,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,yBAAyB,EAAE,EAAE,GAAG,CAAC,CAAA;QAC1D,CAAC;QACD,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC;YAC9B,OAAO,CAAC,CAAC,IAAI,CAAC;gBACZ,KAAK,EAAE,8CAA8C,KAAK,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE;aACxE,EAAE,GAAG,CAAC,CAAA;QACT,CAAC;QACD,MAAM,IAAI,EAAE,CAAA;IACd,CAAC,CAAA;AACH,CAAC"}

package/dist/react/index.js CHANGED Viewed

@@ -13,7 +13,7 @@ export const TenantContext = createContext({
 });
 export function useTenant() {
     const ctx = useContext(TenantContext);
-    if (!ctx) {
+    if (!ctx.tenant && !ctx.loading) {
         throw new Error('useTenant must be used within a TenantProvider');
     }
     return ctx;

package/dist/react/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/react/index.ts"],"names":[],"mappings":"AAAA,yDAAyD;AACzD,4DAA4D;AAC5D,yDAAyD;AAEzD,YAAY,CAAA;AAEZ,OAAO,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,OAAO,CAAA;AAejD,MAAM,CAAC,MAAM,aAAa,GAAG,aAAa,CAAqB;IAC7D,MAAM,EAAE,IAAI;IACZ,IAAI,EAAE,IAAI;IACV,OAAO,EAAE,IAAI;IACb,YAAY,EAAE,KAAK,IAAI,EAAE,GAAE,CAAC;IAC5B,UAAU,EAAE,GAAG,EAAE,CAAC,KAAK;IACvB,MAAM,EAAE,KAAK,IAAI,EAAE,GAAE,CAAC;CACvB,CAAC,CAAA;AAEF,MAAM,UAAU,SAAS;IACvB,MAAM,GAAG,GAAG,UAAU,CAAC,aAAa,CAAC,CAAA;IACrC,IAAI,CAAC,GAAG,EAAE,CAAC;~~QACT~~,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAA;IACnE,CAAC;IACD,OAAO,GAAG,CAAA;AACZ,CAAC"}
1	+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/react/index.ts"],"names":[],"mappings":"AAAA,yDAAyD;AACzD,4DAA4D;AAC5D,yDAAyD;AAEzD,YAAY,CAAA;AAEZ,OAAO,EAAE,aAAa,EAAE,UAAU,EAAE,MAAM,OAAO,CAAA;AAejD,MAAM,CAAC,MAAM,aAAa,GAAG,aAAa,CAAqB;IAC7D,MAAM,EAAE,IAAI;IACZ,IAAI,EAAE,IAAI;IACV,OAAO,EAAE,IAAI;IACb,YAAY,EAAE,KAAK,IAAI,EAAE,GAAE,CAAC;IAC5B,UAAU,EAAE,GAAG,EAAE,CAAC,KAAK;IACvB,MAAM,EAAE,KAAK,IAAI,EAAE,GAAE,CAAC;CACvB,CAAC,CAAA;AAEF,MAAM,UAAU,SAAS;IACvB,MAAM,GAAG,GAAG,UAAU,CAAC,aAAa,CAAC,CAAA;IACrC,IAAI,CAAC,GAAG,CAAC,MAAM,IAAI,CAAC,GAAG,CAAC,OAAO,EAAE,CAAC;QAChC,MAAM,IAAI,KAAK,CAAC,gDAAgD,CAAC,CAAA;IACnE,CAAC;IACD,OAAO,GAAG,CAAA;AACZ,CAAC"}

package/dist/tenant-scale.d.ts CHANGED Viewed

@@ -79,5 +79,51 @@ export declare class TenantScale {
         tenantId?: string;
         limit?: number;
     }): Promise<AuditEvent[]>;
+    /**
+     * Get a specific plan limit value for the current tenant.
+     * Returns null if the limit is not defined.
+     *
+     * Usage:
+     *   const maxUsers = ts.getPlanLimit(c, 'max_users')
+     *   // → 100 (or null if unlimited / not set)
+     */
+    getPlanLimit(c: Context, key: string): boolean | number | string | null;
+    /**
+     * Get all plan limits for the current tenant.
+     * Returns the merged feature map (plan defaults + tenant overrides).
+     *
+     * Usage:
+     *   const limits = ts.getPlanLimits(c)
+     *   // → { max_users: 100, audit_log_retention_days: 30, sso: true, ... }
+     */
+    getPlanLimits(c: Context): Record<string, boolean | number | string>;
+    /**
+     * Check if a usage value exceeds the plan limit.
+     * Returns true if the limit is exceeded (or is 0).
+     * Returns false if the limit is null (unlimited).
+     *
+     * Usage:
+     *   if (ts.planLimitExceeded(c, 'max_users', currentUserCount)) {
+     *     return c.json({ error: 'User limit reached' }, 403)
+     *   }
+     */
+    planLimitExceeded(c: Context, key: string, currentValue: number): boolean;
+    /**
+     * Fetch the full plan definition (metadata + limits) from the API.
+     * Use this when you need plan pricing, name, description, etc.
+     *
+     * Usage:
+     *   const plan = await ts.fetchPlan(c)
+     *   // → { id: 'pro', name: 'Pro', price_monthly: 39900, features: {...}, ... }
+     */
+    fetchPlan(c: Context): Promise<Record<string, unknown> | null>;
+    /**
+     * Fetch all available plans from the API.
+     *
+     * Usage:
+     *   const plans = await ts.fetchPlans()
+     *   // → [{ id: 'free', name: 'Free', ... }, { id: 'pro', ... }]
+     */
+    fetchPlans(): Promise<Record<string, unknown>[]>;
 }
 //# sourceMappingURL=tenant-scale.d.ts.map

package/dist/tenant-scale.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"tenant-scale.d.ts","sourceRoot":"","sources":["../src/tenant-scale.ts"],"names":[],"mappings":"AAWA,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AAC1C,OAAO,EAAE,KAAK,MAAM,EAAE,KAAK,kBAAkB,EAAE,KAAK,UAAU,EAAkB,MAAM,YAAY,CAAA;AAClG,OAAO,KAAK,EAAE,OAAO,EAAE,iBAAiB,EAAE,MAAM,MAAM,CAAA;~~AAUtD~~,OAAO,QAAQ,MAAM,CAAC;IACpB,UAAU,kBAAkB;QAC1B,MAAM,EAAE,MAAM,CAAA;QACd,YAAY,EAAE,YAAY,CAAA;KAC3B;CACF;~~AAED~~,qBAAa,WAAW;IACtB,OAAO,CAAC,MAAM,CAAc;IAC5B,OAAO,CAAC,MAAM,CAAQ;gBAEV,OAAO,EAAE,kBAAkB,GAAG;QAAE,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE;IAK7D;;;OAGG;IACH,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,WAAW;IAMvC;;;;;;OAMG;IACH,OAAO,IAAI,iBAAiB;IAwB5B;;;;;;OAMG;IACH,KAAK,IAAI,iBAAiB;IAsB1B;;;;;OAKG;IACH,YAAY,IAAI,iBAAiB;~~IAwBjC~~;;;OAGG;IACH,SAAS,CAAC,CAAC,EAAE,OAAO,GAAG,MAAM,GAAG,SAAS;IAIzC;;;OAGG;IACH,OAAO,CAAC,CAAC,EAAE,OAAO,GAAG;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,SAAS;IAO9E;;;;;;;OAOG;IACG,QAAQ,CAAC,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;KAAE,GAAG,OAAO,CAAC,IAAI,CAAC;IAYzH;;OAEG;IACG,WAAW,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;IAKtC;;OAEG;IACG,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE;QAAE,QAAQ,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC;~~CAGlG~~"}
1	+ {"version":3,"file":"tenant-scale.d.ts","sourceRoot":"","sources":["../src/tenant-scale.ts"],"names":[],"mappings":"AAWA,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AAC1C,OAAO,EAAE,KAAK,MAAM,EAAE,KAAK,kBAAkB,EAAE,KAAK,UAAU,EAAkB,MAAM,YAAY,CAAA;AAClG,OAAO,KAAK,EAAE,OAAO,EAAE,iBAAiB,EAAE,MAAM,MAAM,CAAA;AAGtD,OAAO,QAAQ,MAAM,CAAC;IACpB,UAAU,kBAAkB;QAC1B,MAAM,EAAE,MAAM,CAAA;QACd,YAAY,EAAE,YAAY,CAAA;KAC3B;CACF;AAKD,qBAAa,WAAW;IACtB,OAAO,CAAC,MAAM,CAAc;IAC5B,OAAO,CAAC,MAAM,CAAQ;gBAEV,OAAO,EAAE,kBAAkB,GAAG;QAAE,MAAM,CAAC,EAAE,MAAM,CAAA;KAAE;IAK7D;;;OAGG;IACH,UAAU,CAAC,MAAM,EAAE,MAAM,GAAG,WAAW;IAMvC;;;;;;OAMG;IACH,OAAO,IAAI,iBAAiB;IAwB5B;;;;;;OAMG;IACH,KAAK,IAAI,iBAAiB;IAsB1B;;;;;OAKG;IACH,YAAY,IAAI,iBAAiB;IAuBjC;;;OAGG;IACH,SAAS,CAAC,CAAC,EAAE,OAAO,GAAG,MAAM,GAAG,SAAS;IAIzC;;;OAGG;IACH,OAAO,CAAC,CAAC,EAAE,OAAO,GAAG;QAAE,EAAE,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAC;QAAC,IAAI,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,SAAS;IAO9E;;;;;;;OAOG;IACG,QAAQ,CAAC,CAAC,EAAE,OAAO,EAAE,KAAK,EAAE;QAAE,MAAM,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAC;QAAC,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;KAAE,GAAG,OAAO,CAAC,IAAI,CAAC;IAYzH;;OAEG;IACG,WAAW,IAAI,OAAO,CAAC,MAAM,EAAE,CAAC;IAKtC;;OAEG;IACG,WAAW,CAAC,CAAC,EAAE,OAAO,EAAE,IAAI,EAAE;QAAE,QAAQ,CAAC,EAAE,MAAM,CAAC;QAAC,KAAK,CAAC,EAAE,MAAM,CAAA;KAAE,GAAG,OAAO,CAAC,UAAU,EAAE,CAAC;IAMjG;;;;;;;OAOG;IACH,YAAY,CAAC,CAAC,EAAE,OAAO,EAAE,GAAG,EAAE,MAAM,GAAG,OAAO,GAAG,MAAM,GAAG,MAAM,GAAG,IAAI;IAMvE;;;;;;;OAOG;IACH,aAAa,CAAC,CAAC,EAAE,OAAO,GAAG,MAAM,CAAC,MAAM,EAAE,OAAO,GAAG,MAAM,GAAG,MAAM,CAAC;IAKpE;;;;;;;;;OASG;IACH,iBAAiB,CAAC,CAAC,EAAE,OAAO,EAAE,GAAG,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,GAAG,OAAO;IAYzE;;;;;;;OAOG;IACG,SAAS,CAAC,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,GAAG,IAAI,CAAC;IAqBpE;;;;;;OAMG;IACG,UAAU,IAAI,OAAO,CAAC,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,EAAE,CAAC;CAiBvD"}

package/dist/tenant-scale.js CHANGED Viewed

@@ -10,6 +10,8 @@
 // ──────────────────────────────────────────────────────
 import { TenantClient } from './tenant.js';
 import { PlanLimitError } from './types.js';
+// Internal storage for the API key on the Hono context
+const API_KEY_SYMBOL = Symbol('__tenantscale_apiKey');
 export class TenantScale {
     client;
     apiKey;
@@ -43,7 +45,7 @@ export class TenantScale {
                 const tenant = await this.client.resolveTenant(apiKey);
                 c.set('tenant', tenant);
                 c.set('tenantClient', this.client);
-                c.__tenantscale_apiKey = apiKey;
+                c[API_KEY_SYMBOL] = apiKey;
                 await next();
             }
             catch (err) {
@@ -67,7 +69,7 @@ export class TenantScale {
             const tenant = c.get('tenant');
             if (!tenant)
                 return;
-            const apiKey = c.__tenantscale_apiKey || '';
+            const apiKey = c[API_KEY_SYMBOL] || '';
             const method = c.req.method;
             const path = c.req.path;
             const status = c.res.status;
@@ -94,13 +96,11 @@ export class TenantScale {
                 return c.json({ error: 'Missing Authorization header' }, 401);
             }
             const apiKey = authHeader.slice(7);
-            // Admin keys start with a special prefix — check via the API
             try {
                 const tenant = await this.client.resolveTenant(apiKey);
-                // The resolveTenant call succeeds for admin keys too
-                // but we flag it differently here
                 c.set('tenant', tenant);
                 c.set('tenantClient', this.client);
+                c[API_KEY_SYMBOL] = apiKey;
                 await next();
             }
             catch {
@@ -125,7 +125,7 @@ export class TenantScale {
         if (!tenant)
             return undefined;
         // For now, return the tenant's admin user as the current user
-        return { id: tenant.id, email: tenant.email, role: 'admin' };
+        return { id: tenant.id, email: undefined, role: 'admin' };
     }
     /**
      * Log a custom audit event from within a route handler.
@@ -158,5 +158,110 @@ export class TenantScale {
     async getAuditLog(c, opts) {
         throw new Error('getAuditLog() requires the hosted API — coming soon');
     }
+    // ── Plan Limit Helpers ──
+    /**
+     * Get a specific plan limit value for the current tenant.
+     * Returns null if the limit is not defined.
+     *
+     * Usage:
+     *   const maxUsers = ts.getPlanLimit(c, 'max_users')
+     *   // → 100 (or null if unlimited / not set)
+     */
+    getPlanLimit(c, key) {
+        const tenant = c.get('tenant');
+        if (!tenant)
+            return null;
+        return tenant.features[key] ?? null;
+    }
+    /**
+     * Get all plan limits for the current tenant.
+     * Returns the merged feature map (plan defaults + tenant overrides).
+     *
+     * Usage:
+     *   const limits = ts.getPlanLimits(c)
+     *   // → { max_users: 100, audit_log_retention_days: 30, sso: true, ... }
+     */
+    getPlanLimits(c) {
+        const tenant = c.get('tenant');
+        return (tenant?.features ?? {});
+    }
+    /**
+     * Check if a usage value exceeds the plan limit.
+     * Returns true if the limit is exceeded (or is 0).
+     * Returns false if the limit is null (unlimited).
+     *
+     * Usage:
+     *   if (ts.planLimitExceeded(c, 'max_users', currentUserCount)) {
+     *     return c.json({ error: 'User limit reached' }, 403)
+     *   }
+     */
+    planLimitExceeded(c, key, currentValue) {
+        const limit = this.getPlanLimit(c, key);
+        // null means unlimited
+        if (limit === null)
+            return false;
+        // Boolean limits: true means allowed, false means blocked
+        if (typeof limit === 'boolean')
+            return !limit;
+        // Numeric limits
+        if (typeof limit === 'number')
+            return currentValue >= limit;
+        // String limits — can't compare numerically
+        return false;
+    }
+    /**
+     * Fetch the full plan definition (metadata + limits) from the API.
+     * Use this when you need plan pricing, name, description, etc.
+     *
+     * Usage:
+     *   const plan = await ts.fetchPlan(c)
+     *   // → { id: 'pro', name: 'Pro', price_monthly: 39900, features: {...}, ... }
+     */
+    async fetchPlan(c) {
+        const tenant = c.get('tenant');
+        if (!tenant)
+            return null;
+        const baseUrl = this.client.getOptions().baseUrl ?? 'https://api.tenantscale.com';
+        const apiKey = c[API_KEY_SYMBOL] || this.apiKey;
+        try {
+            const res = await fetch(`${baseUrl}/v1/plans/${tenant.plan}`, {
+                headers: {
+                    Authorization: `Bearer ${apiKey}`,
+                    'Content-Type': 'application/json',
+                },
+            });
+            if (!res.ok)
+                return null;
+            return await res.json();
+        }
+        catch {
+            return null;
+        }
+    }
+    /**
+     * Fetch all available plans from the API.
+     *
+     * Usage:
+     *   const plans = await ts.fetchPlans()
+     *   // → [{ id: 'free', name: 'Free', ... }, { id: 'pro', ... }]
+     */
+    async fetchPlans() {
+        const baseUrl = this.client.getOptions().baseUrl ?? 'https://api.tenantscale.com';
+        try {
+            const res = await fetch(`${baseUrl}/v1/plans`, {
+                headers: {
+                    Authorization: `Bearer ${this.apiKey}`,
+                    'Content-Type': 'application/json',
+                },
+            });
+            if (!res.ok)
+                return [];
+            const data = await res.json();
+            return data.plans ?? [];
+        }
+        catch {
+            return [];
+        }
+    }
 }
 //# sourceMappingURL=tenant-scale.js.map

package/dist/tenant-scale.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"tenant-scale.js","sourceRoot":"","sources":["../src/tenant-scale.ts"],"names":[],"mappings":"AAAA,yDAAyD;AACzD,kCAAkC;AAClC,wDAAwD;AACxD,yDAAyD;AACzD,EAAE;AACF,SAAS;AACT,mDAAmD;AACnD,kDAAkD;AAClD,+BAA+B;AAC/B,yDAAyD;AAEzD,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AAC1C,OAAO,EAAyD,cAAc,EAAE,MAAM,YAAY,CAAA;~~AAkBlG~~,MAAM,OAAO,WAAW;IACd,MAAM,CAAc;IACpB,MAAM,CAAQ;IAEtB,YAAY,OAAiD;QAC3D,IAAI,CAAC,MAAM,GAAG,IAAI,YAAY,CAAC,OAAO,CAAC,CAAA;QACvC,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,EAAE,CAAA;IACpC,CAAC;IAED;;;OAGG;IACH,UAAU,CAAC,MAAc;QACvB,OAAO,IAAI,WAAW,CAAC,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC,UAAU,EAAE,EAAE,MAAM,EAAE,CAAC,CAAA;IACjE,CAAC;IAED,mBAAmB;IAEnB;;;;;;OAMG;IACH,OAAO;QACL,OAAO,KAAK,EAAE,CAAU,EAAE,IAAI,EAAE,EAAE;YAChC,MAAM,UAAU,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,eAAe,CAAC,CAAA;YAChD,IAAI,CAAC,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;gBACvC,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,yCAAyC,EAAE,EAAE,GAAG,CAAC,CAAA;YAC1E,CAAC;YACD,MAAM,MAAM,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAA;YAElC,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,MAAM,CAAC,CAAA;gBACtD,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAA;gBACvB,CAAC,CAAC,GAAG,CAAC,cAAc,EAAE,IAAI,CAAC,MAAM,CAAC,CAEjC;gBAAC,~~CAAS~~,CAAC,~~oBAAoB~~,GAAG,MAAM,CAAA;~~gBACzC~~,MAAM,IAAI,EAAE,CAAA;YACd,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,IAAI,GAAG,YAAY,cAAc,EAAE,CAAC;oBAClC,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,GAAG,CAAC,OAAO,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,EAAE,GAAG,CAAC,MAAa,CAAC,CAAA;gBAC1E,CAAC;gBACD,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,0BAA0B,EAAE,EAAE,GAAG,CAAC,CAAA;YAC3D,CAAC;QACH,CAAC,CAAA;IACH,CAAC;IAED;;;;;;OAMG;IACH,KAAK;QACH,OAAO,KAAK,EAAE,CAAU,EAAE,IAAI,EAAE,EAAE;YAChC,MAAM,IAAI,EAAE,CAAA;YACZ,MAAM,MAAM,GAAG,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;YAC9B,IAAI,CAAC,MAAM;gBAAE,OAAM;YAEnB,MAAM,MAAM,GAAI,~~CAAS~~,CAAC,~~oBAAoB~~,IAAI,EAAE,CAAA;~~YACpD~~,MAAM,MAAM,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAA;YAC3B,MAAM,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,IAAI,CAAA;YACvB,MAAM,MAAM,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAA;YAE3B,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE;gBAC3B,MAAM,EAAE,GAAG,MAAM,IAAI,IAAI,EAAE;gBAC3B,QAAQ,EAAE,IAAI;gBACd,QAAQ,EAAE,MAAM,CAAC,EAAE;gBACnB,OAAO,EAAE,EAAE,WAAW,EAAE,MAAM,EAAE;aACjC,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE;gBACZ,2DAA2D;YAC7D,CAAC,CAAC,CAAA;QACJ,CAAC,CAAA;IACH,CAAC;IAED;;;;;OAKG;IACH,YAAY;QACV,OAAO,KAAK,EAAE,CAAU,EAAE,IAAI,EAAE,EAAE;YAChC,MAAM,UAAU,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,eAAe,CAAC,CAAA;YAChD,IAAI,CAAC,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;gBACvC,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,8BAA8B,EAAE,EAAE,GAAG,CAAC,CAAA;YAC/D,CAAC;YACD,MAAM,MAAM,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAA;YAElC,~~6DAA6D;YAC7D,~~IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,MAAM,CAAC,CAAA;gBACtD,~~qDAAqD;gBACrD,kCAAkC;gBAClC,~~CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAA;gBACvB,CAAC,CAAC,GAAG,CAAC,cAAc,EAAE,IAAI,CAAC,MAAM,CAAC,CAAA;~~gBAClC~~,MAAM,IAAI,EAAE,CAAA;YACd,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,mBAAmB,EAAE,EAAE,GAAG,CAAC,CAAA;YACpD,CAAC;QACH,CAAC,CAAA;IACH,CAAC;IAED,sBAAsB;IAEtB;;;OAGG;IACH,SAAS,CAAC,CAAU;QAClB,OAAO,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;IACxB,CAAC;IAED;;;OAGG;IACH,OAAO,CAAC,CAAU;QAChB,MAAM,MAAM,GAAG,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;QAC9B,IAAI,CAAC,MAAM;YAAE,OAAO,SAAS,CAAA;QAC7B,8DAA8D;QAC9D,OAAO,EAAE,EAAE,EAAE,MAAM,CAAC,EAAE,EAAE,KAAK,~~EAAG~~,~~MAAc~~,~~CAAC,KAAK,~~EAAE,IAAI,EAAE,OAAO,EAAE,CAAA;~~IACvE~~,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,QAAQ,CAAC,CAAU,EAAE,KAA8E;QACvG,MAAM,MAAM,GAAG,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;QAC9B,MAAM,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,MAAM,EAAE;YACtC,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,QAAQ,EAAE,MAAM,EAAE,EAAE,IAAI,SAAS;YACjC,OAAO,EAAE,KAAK,CAAC,OAAO;SACvB,CAAC,CAAA;IACJ,CAAC;IAED,sBAAsB;IAEtB;;OAEG;IACH,KAAK,CAAC,WAAW;QACf,yCAAyC;QACzC,MAAM,IAAI,KAAK,CAAC,qDAAqD,CAAC,CAAA;IACxE,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,WAAW,CAAC,CAAU,EAAE,IAA2C;QACvE,MAAM,IAAI,KAAK,CAAC,qDAAqD,CAAC,CAAA;IACxE,CAAC;CACF"}
1	+ {"version":3,"file":"tenant-scale.js","sourceRoot":"","sources":["../src/tenant-scale.ts"],"names":[],"mappings":"AAAA,yDAAyD;AACzD,kCAAkC;AAClC,wDAAwD;AACxD,yDAAyD;AACzD,EAAE;AACF,SAAS;AACT,mDAAmD;AACnD,kDAAkD;AAClD,+BAA+B;AAC/B,yDAAyD;AAEzD,OAAO,EAAE,YAAY,EAAE,MAAM,aAAa,CAAA;AAC1C,OAAO,EAAyD,cAAc,EAAE,MAAM,YAAY,CAAA;AAWlG,uDAAuD;AACvD,MAAM,cAAc,GAAG,MAAM,CAAC,sBAAsB,CAAC,CAAA;AAErD,MAAM,OAAO,WAAW;IACd,MAAM,CAAc;IACpB,MAAM,CAAQ;IAEtB,YAAY,OAAiD;QAC3D,IAAI,CAAC,MAAM,GAAG,IAAI,YAAY,CAAC,OAAO,CAAC,CAAA;QACvC,IAAI,CAAC,MAAM,GAAG,OAAO,CAAC,MAAM,IAAI,EAAE,CAAA;IACpC,CAAC;IAED;;;OAGG;IACH,UAAU,CAAC,MAAc;QACvB,OAAO,IAAI,WAAW,CAAC,EAAE,GAAG,IAAI,CAAC,MAAM,CAAC,UAAU,EAAE,EAAE,MAAM,EAAE,CAAC,CAAA;IACjE,CAAC;IAED,mBAAmB;IAEnB;;;;;;OAMG;IACH,OAAO;QACL,OAAO,KAAK,EAAE,CAAU,EAAE,IAAI,EAAE,EAAE;YAChC,MAAM,UAAU,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,eAAe,CAAC,CAAA;YAChD,IAAI,CAAC,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;gBACvC,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,yCAAyC,EAAE,EAAE,GAAG,CAAC,CAAA;YAC1E,CAAC;YACD,MAAM,MAAM,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAA;YAElC,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,MAAM,CAAC,CAAA;gBACtD,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAA;gBACvB,CAAC,CAAC,GAAG,CAAC,cAAc,EAAE,IAAI,CAAC,MAAM,CAAC,CAEjC;gBAAC,CAAuC,CAAC,cAAc,CAAC,GAAG,MAAM,CAAA;gBAClE,MAAM,IAAI,EAAE,CAAA;YACd,CAAC;YAAC,OAAO,GAAG,EAAE,CAAC;gBACb,IAAI,GAAG,YAAY,cAAc,EAAE,CAAC;oBAClC,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,GAAG,CAAC,OAAO,EAAE,IAAI,EAAE,GAAG,CAAC,IAAI,EAAE,EAAE,GAAG,CAAC,MAAa,CAAC,CAAA;gBAC1E,CAAC;gBACD,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,0BAA0B,EAAE,EAAE,GAAG,CAAC,CAAA;YAC3D,CAAC;QACH,CAAC,CAAA;IACH,CAAC;IAED;;;;;;OAMG;IACH,KAAK;QACH,OAAO,KAAK,EAAE,CAAU,EAAE,IAAI,EAAE,EAAE;YAChC,MAAM,IAAI,EAAE,CAAA;YACZ,MAAM,MAAM,GAAG,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;YAC9B,IAAI,CAAC,MAAM;gBAAE,OAAM;YAEnB,MAAM,MAAM,GAAI,CAAuC,CAAC,cAAc,CAAC,IAAI,EAAE,CAAA;YAC7E,MAAM,MAAM,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAA;YAC3B,MAAM,IAAI,GAAG,CAAC,CAAC,GAAG,CAAC,IAAI,CAAA;YACvB,MAAM,MAAM,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAA;YAE3B,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,MAAM,EAAE;gBAC3B,MAAM,EAAE,GAAG,MAAM,IAAI,IAAI,EAAE;gBAC3B,QAAQ,EAAE,IAAI;gBACd,QAAQ,EAAE,MAAM,CAAC,EAAE;gBACnB,OAAO,EAAE,EAAE,WAAW,EAAE,MAAM,EAAE;aACjC,CAAC,CAAC,KAAK,CAAC,GAAG,EAAE;gBACZ,2DAA2D;YAC7D,CAAC,CAAC,CAAA;QACJ,CAAC,CAAA;IACH,CAAC;IAED;;;;;OAKG;IACH,YAAY;QACV,OAAO,KAAK,EAAE,CAAU,EAAE,IAAI,EAAE,EAAE;YAChC,MAAM,UAAU,GAAG,CAAC,CAAC,GAAG,CAAC,MAAM,CAAC,eAAe,CAAC,CAAA;YAChD,IAAI,CAAC,UAAU,EAAE,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;gBACvC,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,8BAA8B,EAAE,EAAE,GAAG,CAAC,CAAA;YAC/D,CAAC;YACD,MAAM,MAAM,GAAG,UAAU,CAAC,KAAK,CAAC,CAAC,CAAC,CAAA;YAElC,IAAI,CAAC;gBACH,MAAM,MAAM,GAAG,MAAM,IAAI,CAAC,MAAM,CAAC,aAAa,CAAC,MAAM,CAAC,CAAA;gBACtD,CAAC,CAAC,GAAG,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAA;gBACvB,CAAC,CAAC,GAAG,CAAC,cAAc,EAAE,IAAI,CAAC,MAAM,CAAC,CAEjC;gBAAC,CAAuC,CAAC,cAAc,CAAC,GAAG,MAAM,CAAA;gBAClE,MAAM,IAAI,EAAE,CAAA;YACd,CAAC;YAAC,MAAM,CAAC;gBACP,OAAO,CAAC,CAAC,IAAI,CAAC,EAAE,KAAK,EAAE,mBAAmB,EAAE,EAAE,GAAG,CAAC,CAAA;YACpD,CAAC;QACH,CAAC,CAAA;IACH,CAAC;IAED,sBAAsB;IAEtB;;;OAGG;IACH,SAAS,CAAC,CAAU;QAClB,OAAO,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;IACxB,CAAC;IAED;;;OAGG;IACH,OAAO,CAAC,CAAU;QAChB,MAAM,MAAM,GAAG,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;QAC9B,IAAI,CAAC,MAAM;YAAE,OAAO,SAAS,CAAA;QAC7B,8DAA8D;QAC9D,OAAO,EAAE,EAAE,EAAE,MAAM,CAAC,EAAE,EAAE,KAAK,EAAE,SAAS,EAAE,IAAI,EAAE,OAAO,EAAE,CAAA;IAC3D,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,QAAQ,CAAC,CAAU,EAAE,KAA8E;QACvG,MAAM,MAAM,GAAG,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;QAC9B,MAAM,IAAI,CAAC,MAAM,CAAC,QAAQ,CAAC,IAAI,CAAC,MAAM,EAAE;YACtC,MAAM,EAAE,KAAK,CAAC,MAAM;YACpB,QAAQ,EAAE,KAAK,CAAC,QAAQ;YACxB,QAAQ,EAAE,MAAM,EAAE,EAAE,IAAI,SAAS;YACjC,OAAO,EAAE,KAAK,CAAC,OAAO;SACvB,CAAC,CAAA;IACJ,CAAC;IAED,sBAAsB;IAEtB;;OAEG;IACH,KAAK,CAAC,WAAW;QACf,yCAAyC;QACzC,MAAM,IAAI,KAAK,CAAC,qDAAqD,CAAC,CAAA;IACxE,CAAC;IAED;;OAEG;IACH,KAAK,CAAC,WAAW,CAAC,CAAU,EAAE,IAA2C;QACvE,MAAM,IAAI,KAAK,CAAC,qDAAqD,CAAC,CAAA;IACxE,CAAC;IAED,2BAA2B;IAE3B;;;;;;;OAOG;IACH,YAAY,CAAC,CAAU,EAAE,GAAW;QAClC,MAAM,MAAM,GAAG,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;QAC9B,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAA;QACxB,OAAQ,MAAM,CAAC,QAA6D,CAAC,GAAG,CAAC,IAAI,IAAI,CAAA;IAC3F,CAAC;IAED;;;;;;;OAOG;IACH,aAAa,CAAC,CAAU;QACtB,MAAM,MAAM,GAAG,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;QAC9B,OAAO,CAAC,MAAM,EAAE,QAAQ,IAAI,EAAE,CAA8C,CAAA;IAC9E,CAAC;IAED;;;;;;;;;OASG;IACH,iBAAiB,CAAC,CAAU,EAAE,GAAW,EAAE,YAAoB;QAC7D,MAAM,KAAK,GAAG,IAAI,CAAC,YAAY,CAAC,CAAC,EAAE,GAAG,CAAC,CAAA;QACvC,uBAAuB;QACvB,IAAI,KAAK,KAAK,IAAI;YAAE,OAAO,KAAK,CAAA;QAChC,0DAA0D;QAC1D,IAAI,OAAO,KAAK,KAAK,SAAS;YAAE,OAAO,CAAC,KAAK,CAAA;QAC7C,iBAAiB;QACjB,IAAI,OAAO,KAAK,KAAK,QAAQ;YAAE,OAAO,YAAY,IAAI,KAAK,CAAA;QAC3D,4CAA4C;QAC5C,OAAO,KAAK,CAAA;IACd,CAAC;IAED;;;;;;;OAOG;IACH,KAAK,CAAC,SAAS,CAAC,CAAU;QACxB,MAAM,MAAM,GAAG,CAAC,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAA;QAC9B,IAAI,CAAC,MAAM;YAAE,OAAO,IAAI,CAAA;QAExB,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,UAAU,EAAE,CAAC,OAAO,IAAI,6BAA6B,CAAA;QACjF,MAAM,MAAM,GAAI,CAAuC,CAAC,cAAc,CAAC,IAAI,IAAI,CAAC,MAAM,CAAA;QAEtF,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,OAAO,aAAa,MAAM,CAAC,IAAI,EAAE,EAAE;gBAC5D,OAAO,EAAE;oBACP,aAAa,EAAE,UAAU,MAAM,EAAE;oBACjC,cAAc,EAAE,kBAAkB;iBACnC;aACF,CAAC,CAAA;YACF,IAAI,CAAC,GAAG,CAAC,EAAE;gBAAE,OAAO,IAAI,CAAA;YACxB,OAAO,MAAM,GAAG,CAAC,IAAI,EAA6B,CAAA;QACpD,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAA;QACb,CAAC;IACH,CAAC;IAED;;;;;;OAMG;IACH,KAAK,CAAC,UAAU;QACd,MAAM,OAAO,GAAG,IAAI,CAAC,MAAM,CAAC,UAAU,EAAE,CAAC,OAAO,IAAI,6BAA6B,CAAA;QAEjF,IAAI,CAAC;YACH,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,OAAO,WAAW,EAAE;gBAC7C,OAAO,EAAE;oBACP,aAAa,EAAE,UAAU,IAAI,CAAC,MAAM,EAAE;oBACtC,cAAc,EAAE,kBAAkB;iBACnC;aACF,CAAC,CAAA;YACF,IAAI,CAAC,GAAG,CAAC,EAAE;gBAAE,OAAO,EAAE,CAAA;YACtB,MAAM,IAAI,GAAG,MAAM,GAAG,CAAC,IAAI,EAA0C,CAAA;YACrE,OAAO,IAAI,CAAC,KAAK,IAAI,EAAE,CAAA;QACzB,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,EAAE,CAAA;QACX,CAAC;IACH,CAAC;CACF"}

package/dist/testing/index.d.ts ADDED Viewed

@@ -0,0 +1,111 @@
+export interface ApiKeyPair {
+    apiKey: string;
+}
+/** Result of a single API call */
+interface ApiResponse {
+    status: number;
+    data: unknown;
+    headers: Record<string, string>;
+}
+/** A generic API client used internally */
+declare class ApiClient {
+    private baseUrl;
+    private apiKey;
+    constructor(baseUrl: string, apiKey: string);
+    request(method: string, path: string, body?: unknown): Promise<ApiResponse>;
+    get(path: string): Promise<ApiResponse>;
+    post(path: string, body?: unknown): Promise<ApiResponse>;
+    patch(path: string, body?: unknown): Promise<ApiResponse>;
+    del(path: string): Promise<ApiResponse>;
+}
+export interface EndpointPattern {
+    /** HTTP method */
+    method: 'GET' | 'POST' | 'PATCH' | 'DELETE';
+    /**
+     * Path template. If it's a function, it receives the resource ID
+     * from the setup step (for read/update/delete isolation tests).
+     * If it's a string, it's used as-is.
+     */
+    path: string | ((resourceId: string) => string);
+}
+export interface TestScenarios {
+    /**
+     * Test that tenant B cannot READ resources created by tenant A.
+     * For each pattern: setup creates a resource, then tenant B tries to GET it.
+     * Expected: 401/403/404 (not 200 with data from another tenant)
+     */
+    read?: EndpointPattern[];
+    /**
+     * Test that tenant B cannot WRITE (update) resources created by tenant A.
+     * For each pattern: setup creates a resource, then tenant B tries to PATCH it.
+     * Expected: 401/403/404
+     */
+    write?: EndpointPattern[];
+    /**
+     * Test that tenant B cannot DELETE resources created by tenant A.
+     * Expected: 401/403/404
+     */
+    delete?: EndpointPattern[];
+    /**
+     * Test that tenant B cannot CREATE resources in tenant A's context.
+     * For each pattern: tenant B tries to POST to the path.
+     * Expected: 401/403
+     */
+    create?: EndpointPattern[];
+    /**
+     * Custom test functions for more complex scenarios.
+     * Each receives helpers for making requests as both tenants.
+     */
+    custom?: CustomTest[];
+}
+export interface CustomTest {
+    name: string;
+    run: (helpers: {
+        asTenantA: ApiClient;
+        asTenantB: ApiClient;
+    }) => Promise<void>;
+}
+export interface IsolationTestConfig {
+    /** Base URL of the API under test */
+    baseUrl: string;
+    /** API key for tenant A (the "owner" of resources) */
+    tenantA: ApiKeyPair;
+    /** API key for tenant B (the "attacker" — should NOT have access) */
+    tenantB: ApiKeyPair;
+    /** Test scenarios to run */
+    tests: TestScenarios;
+}
+export interface IsolationTestResult {
+    passed: boolean;
+    totalTests: number;
+    passedTests: number;
+    failedTests: number;
+    failures: Array<{
+        name: string;
+        error: string;
+    }>;
+    details: Array<{
+        name: string;
+        status: 'pass' | 'fail' | 'skip';
+        error?: string;
+    }>;
+}
+/**
+ * Run a battery of tenant isolation tests.
+ * Creates resources as tenant A, then verifies tenant B cannot access them.
+ *
+ * @returns Detailed results including pass/fail counts and error messages.
+ */
+export declare function runIsolationTests(config: IsolationTestConfig): Promise<IsolationTestResult>;
+/**
+ * Quick assertion helper — use inside custom test functions.
+ * Throws with a descriptive message if the condition fails.
+ *
+ * @example
+ * ```ts
+ * await expectIsolated(res.status, 'Tenant B should not see this', 404)
+ * ```
+ */
+export declare function expectIsolated(actualStatus: number, description: string, expectedStatus?: number): void;
+export {};
+//# sourceMappingURL=index.d.ts.map

package/dist/testing/index.d.ts.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/testing/index.ts"],"names":[],"mappings":"AA4BA,MAAM,WAAW,UAAU;IACzB,MAAM,EAAE,MAAM,CAAA;CACf;AAED,kCAAkC;AAClC,UAAU,WAAW;IACnB,MAAM,EAAE,MAAM,CAAA;IACd,IAAI,EAAE,OAAO,CAAA;IACb,OAAO,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAA;CAChC;AAED,2CAA2C;AAC3C,cAAM,SAAS;IACb,OAAO,CAAC,OAAO,CAAQ;IACvB,OAAO,CAAC,MAAM,CAAQ;gBAEV,OAAO,EAAE,MAAM,EAAE,MAAM,EAAE,MAAM;IAKrC,OAAO,CAAC,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,OAAO,GAAG,OAAO,CAAC,WAAW,CAAC;IAwBjF,GAAG,CAAC,IAAI,EAAE,MAAM;IAChB,IAAI,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,OAAO;IACjC,KAAK,CAAC,IAAI,EAAE,MAAM,EAAE,IAAI,CAAC,EAAE,OAAO;IAClC,GAAG,CAAC,IAAI,EAAE,MAAM;CACjB;AAID,MAAM,WAAW,eAAe;IAC9B,kBAAkB;IAClB,MAAM,EAAE,KAAK,GAAG,MAAM,GAAG,OAAO,GAAG,QAAQ,CAAA;IAC3C;;;;OAIG;IACH,IAAI,EAAE,MAAM,GAAG,CAAC,CAAC,UAAU,EAAE,MAAM,KAAK,MAAM,CAAC,CAAA;CAChD;AAED,MAAM,WAAW,aAAa;IAC5B;;;;OAIG;IACH,IAAI,CAAC,EAAE,eAAe,EAAE,CAAA;IACxB;;;;OAIG;IACH,KAAK,CAAC,EAAE,eAAe,EAAE,CAAA;IACzB;;;OAGG;IACH,MAAM,CAAC,EAAE,eAAe,EAAE,CAAA;IAC1B;;;;OAIG;IACH,MAAM,CAAC,EAAE,eAAe,EAAE,CAAA;IAC1B;;;OAGG;IACH,MAAM,CAAC,EAAE,UAAU,EAAE,CAAA;CACtB;AAED,MAAM,WAAW,UAAU;IACzB,IAAI,EAAE,MAAM,CAAA;IACZ,GAAG,EAAE,CAAC,OAAO,EAAE;QACb,SAAS,EAAE,SAAS,CAAA;QACpB,SAAS,EAAE,SAAS,CAAA;KACrB,KAAK,OAAO,CAAC,IAAI,CAAC,CAAA;CACpB;AAED,MAAM,WAAW,mBAAmB;IAClC,qCAAqC;IACrC,OAAO,EAAE,MAAM,CAAA;IACf,sDAAsD;IACtD,OAAO,EAAE,UAAU,CAAA;IACnB,qEAAqE;IACrE,OAAO,EAAE,UAAU,CAAA;IACnB,4BAA4B;IAC5B,KAAK,EAAE,aAAa,CAAA;CACrB;AAED,MAAM,WAAW,mBAAmB;IAClC,MAAM,EAAE,OAAO,CAAA;IACf,UAAU,EAAE,MAAM,CAAA;IAClB,WAAW,EAAE,MAAM,CAAA;IACnB,WAAW,EAAE,MAAM,CAAA;IACnB,QAAQ,EAAE,KAAK,CAAC;QACd,IAAI,EAAE,MAAM,CAAA;QACZ,KAAK,EAAE,MAAM,CAAA;KACd,CAAC,CAAA;IACF,OAAO,EAAE,KAAK,CAAC;QACb,IAAI,EAAE,MAAM,CAAA;QACZ,MAAM,EAAE,MAAM,GAAG,MAAM,GAAG,MAAM,CAAA;QAChC,KAAK,CAAC,EAAE,MAAM,CAAA;KACf,CAAC,CAAA;CACH;AAYD;;;;;GAKG;AACH,wBAAsB,iBAAiB,CAAC,MAAM,EAAE,mBAAmB,GAAG,OAAO,CAAC,mBAAmB,CAAC,CA6GjG;AAsBD;;;;;;;;GAQG;AACH,wBAAgB,cAAc,CAC5B,YAAY,EAAE,MAAM,EACpB,WAAW,EAAE,MAAM,EACnB,cAAc,CAAC,EAAE,MAAM,GACtB,IAAI,CAaN"}

package/dist/testing/index.js ADDED Viewed

@@ -0,0 +1,198 @@
+// ──────────────────────────────────────────────────────
+// TenantScale Isolation Test Fixture
+// Verifies that one tenant cannot access another tenant's data.
+// Designed to run inside Vitest, Jest, or any test runner.
+// ──────────────────────────────────────────────────────
+//
+// Usage:
+//   import { runIsolationTests, expectIsolated } from '@tenantscale/sdk/testing'
+//
+//   it('enforces tenant isolation', async () => {
+//     const result = await runIsolationTests({
+//       baseUrl: 'http://localhost:3001',
+//       tenantA: { apiKey: 'tk_tenant_a_key' },
+//       tenantB: { apiKey: 'tk_tenant_b_key' },
+//       tests: {
+//         read: [
+//           { method: 'GET', path: (id) => `/v1/tenants/${id}` },
+//         ],
+//       },
+//     })
+//
+//     expect(result.passed).toBe(true)
+//     expect(result.failures).toHaveLength(0)
+//   })
+// ──────────────────────────────────────────────────────
+/** A generic API client used internally */
+class ApiClient {
+    baseUrl;
+    apiKey;
+    constructor(baseUrl, apiKey) {
+        this.baseUrl = baseUrl.replace(/\/+$/, '');
+        this.apiKey = apiKey;
+    }
+    async request(method, path, body) {
+        const url = `${this.baseUrl}${path}`;
+        const headers = {
+            Authorization: `Bearer ${this.apiKey}`,
+            'Content-Type': 'application/json',
+        };
+        const res = await fetch(url, {
+            method,
+            headers,
+            body: body !== undefined ? JSON.stringify(body) : undefined,
+        });
+        const contentType = res.headers.get('content-type') ?? '';
+        const data = contentType.includes('application/json')
+            ? await res.json()
+            : await res.text();
+        const responseHeaders = {};
+        res.headers.forEach((value, key) => { responseHeaders[key] = value; });
+        return { status: res.status, data, headers: responseHeaders };
+    }
+    get(path) { return this.request('GET', path); }
+    post(path, body) { return this.request('POST', path, body); }
+    patch(path, body) { return this.request('PATCH', path, body); }
+    del(path) { return this.request('DELETE', path); }
+}
+// ── Default expectations ──
+const DEFAULT_FORBIDDEN_STATUSES = [401, 403, 404];
+function isForbidden(status) {
+    return DEFAULT_FORBIDDEN_STATUSES.includes(status);
+}
+// ── Main runner ──
+/**
+ * Run a battery of tenant isolation tests.
+ * Creates resources as tenant A, then verifies tenant B cannot access them.
+ *
+ * @returns Detailed results including pass/fail counts and error messages.
+ */
+export async function runIsolationTests(config) {
+    const { baseUrl, tenantA, tenantB, tests } = config;
+    const apiA = new ApiClient(baseUrl, tenantA.apiKey);
+    const apiB = new ApiClient(baseUrl, tenantB.apiKey);
+    const details = [];
+    const failures = [];
+    let total = 0;
+    // ── Helper to run a single test ──
+    async function runTest(name, fn) {
+        total++;
+        try {
+            await fn();
+            details.push({ name, status: 'pass' });
+        }
+        catch (err) {
+            const msg = err instanceof Error ? err.message : String(err);
+            failures.push({ name, error: msg });
+            details.push({ name, status: 'fail', error: msg });
+        }
+    }
+    // ── Read isolation tests ──
+    if (tests.read) {
+        for (const pattern of tests.read) {
+            await runTest(`read: ${pattern.method} ${typeof pattern.path === 'string' ? pattern.path : '(dynamic)'}`, async () => {
+                const resourceId = await createTempResource(apiA);
+                const path = typeof pattern.path === 'function' ? pattern.path(resourceId) : pattern.path;
+                const res = await apiB.request(pattern.method, path);
+                if (!isForbidden(res.status)) {
+                    throw new Error(`Expected 401/403/404 when tenant B reads tenant A's resource, got ${res.status}`);
+                }
+            });
+        }
+    }
+    // ── Write isolation tests ──
+    if (tests.write) {
+        for (const pattern of tests.write) {
+            await runTest(`write: ${pattern.method} ${typeof pattern.path === 'string' ? pattern.path : '(dynamic)'}`, async () => {
+                const resourceId = await createTempResource(apiA);
+                const path = typeof pattern.path === 'function' ? pattern.path(resourceId) : pattern.path;
+                const res = await apiB.request(pattern.method, path, { name: 'should-not-work' });
+                if (!isForbidden(res.status)) {
+                    throw new Error(`Expected 401/403/404 when tenant B updates tenant A's resource, got ${res.status}`);
+                }
+            });
+        }
+    }
+    // ── Delete isolation tests ──
+    if (tests.delete) {
+        for (const pattern of tests.delete) {
+            await runTest(`delete: ${pattern.method} ${typeof pattern.path === 'string' ? pattern.path : '(dynamic)'}`, async () => {
+                const resourceId = await createTempResource(apiA);
+                const path = typeof pattern.path === 'function' ? pattern.path(resourceId) : pattern.path;
+                const res = await apiB.request(pattern.method, path);
+                if (!isForbidden(res.status)) {
+                    throw new Error(`Expected 401/403/404 when tenant B deletes tenant A's resource, got ${res.status}`);
+                }
+            });
+        }
+    }
+    // ── Create isolation tests ──
+    if (tests.create) {
+        for (const pattern of tests.create) {
+            await runTest(`create: ${pattern.method} ${typeof pattern.path === 'string' ? pattern.path : '(dynamic)'}`, async () => {
+                const path = typeof pattern.path === 'function' ? pattern.path('') : pattern.path;
+                const res = await apiB.request(pattern.method, path, { name: 'should-be-blocked' });
+                if (!isForbidden(res.status)) {
+                    throw new Error(`Expected 401/403/404 when tenant B creates resources, got ${res.status}`);
+                }
+            });
+        }
+    }
+    // ── Custom tests ──
+    if (tests.custom) {
+        for (const test of tests.custom) {
+            await runTest(`custom: ${test.name}`, () => test.run({
+                asTenantA: apiA,
+                asTenantB: apiB,
+            }));
+        }
+    }
+    const passed = failures.length === 0;
+    return {
+        passed,
+        totalTests: total,
+        passedTests: total - failures.length,
+        failedTests: failures.length,
+        failures,
+        details,
+    };
+}
+// ── Helpers ──
+/**
+ * Create a temporary resource for isolation testing.
+ * This creates a tenant via the public API endpoint.
+ * Override this if your setup flow is different.
+ */
+async function createTempResource(api) {
+    const slug = `test-${Date.now()}-${Math.random().toString(36).slice(2, 6)}`;
+    const res = await api.post('/v1/tenants', {
+        name: `Test Tenant ${slug}`,
+        slug,
+    });
+    if (res.status >= 400) {
+        throw new Error(`Setup: Failed to create resource (${res.status}): ${JSON.stringify(res.data)}`);
+    }
+    const data = res.data;
+    return String(data.id ?? '');
+}
+/**
+ * Quick assertion helper — use inside custom test functions.
+ * Throws with a descriptive message if the condition fails.
+ *
+ * @example
+ * ```ts
+ * await expectIsolated(res.status, 'Tenant B should not see this', 404)
+ * ```
+ */
+export function expectIsolated(actualStatus, description, expectedStatus) {
+    const acceptable = DEFAULT_FORBIDDEN_STATUSES;
+    if (expectedStatus !== undefined) {
+        if (actualStatus !== expectedStatus) {
+            throw new Error(`${description}: expected ${expectedStatus}, got ${actualStatus}`);
+        }
+    }
+    else if (!acceptable.includes(actualStatus)) {
+        throw new Error(`${description}: expected one of [${acceptable.join(', ')}], got ${actualStatus}`);
+    }
+}
+//# sourceMappingURL=index.js.map

package/dist/testing/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/testing/index.ts"],"names":[],"mappings":"AAAA,yDAAyD;AACzD,qCAAqC;AACrC,gEAAgE;AAChE,2DAA2D;AAC3D,yDAAyD;AACzD,EAAE;AACF,SAAS;AACT,iFAAiF;AACjF,EAAE;AACF,kDAAkD;AAClD,+CAA+C;AAC/C,0CAA0C;AAC1C,gDAAgD;AAChD,gDAAgD;AAChD,iBAAiB;AACjB,kBAAkB;AAClB,kEAAkE;AAClE,aAAa;AACb,WAAW;AACX,SAAS;AACT,EAAE;AACF,uCAAuC;AACvC,8CAA8C;AAC9C,OAAO;AACP,yDAAyD;AAezD,2CAA2C;AAC3C,MAAM,SAAS;IACL,OAAO,CAAQ;IACf,MAAM,CAAQ;IAEtB,YAAY,OAAe,EAAE,MAAc;QACzC,IAAI,CAAC,OAAO,GAAG,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAA;QAC1C,IAAI,CAAC,MAAM,GAAG,MAAM,CAAA;IACtB,CAAC;IAED,KAAK,CAAC,OAAO,CAAC,MAAc,EAAE,IAAY,EAAE,IAAc;QACxD,MAAM,GAAG,GAAG,GAAG,IAAI,CAAC,OAAO,GAAG,IAAI,EAAE,CAAA;QACpC,MAAM,OAAO,GAA2B;YACtC,aAAa,EAAE,UAAU,IAAI,CAAC,MAAM,EAAE;YACtC,cAAc,EAAE,kBAAkB;SACnC,CAAA;QAED,MAAM,GAAG,GAAG,MAAM,KAAK,CAAC,GAAG,EAAE;YAC3B,MAAM;YACN,OAAO;YACP,IAAI,EAAE,IAAI,KAAK,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,SAAS;SAC5D,CAAC,CAAA;QAEF,MAAM,WAAW,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,cAAc,CAAC,IAAI,EAAE,CAAA;QACzD,MAAM,IAAI,GAAG,WAAW,CAAC,QAAQ,CAAC,kBAAkB,CAAC;YACnD,CAAC,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE;YAClB,CAAC,CAAC,MAAM,GAAG,CAAC,IAAI,EAAE,CAAA;QAEpB,MAAM,eAAe,GAA2B,EAAE,CAAA;QAClD,GAAG,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,KAAK,EAAE,GAAG,EAAE,EAAE,GAAG,eAAe,CAAC,GAAG,CAAC,GAAG,KAAK,CAAA,CAAC,CAAC,CAAC,CAAA;QAErE,OAAO,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,eAAe,EAAE,CAAA;IAC/D,CAAC;IAED,GAAG,CAAC,IAAY,IAAI,OAAO,IAAI,CAAC,OAAO,CAAC,KAAK,EAAE,IAAI,CAAC,CAAA,CAAC,CAAC;IACtD,IAAI,CAAC,IAAY,EAAE,IAAc,IAAI,OAAO,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,IAAI,EAAE,IAAI,CAAC,CAAA,CAAC,CAAC;IAC9E,KAAK,CAAC,IAAY,EAAE,IAAc,IAAI,OAAO,IAAI,CAAC,OAAO,CAAC,OAAO,EAAE,IAAI,EAAE,IAAI,CAAC,CAAA,CAAC,CAAC;IAChF,GAAG,CAAC,IAAY,IAAI,OAAO,IAAI,CAAC,OAAO,CAAC,QAAQ,EAAE,IAAI,CAAC,CAAA,CAAC,CAAC;CAC1D;AAiFD,6BAA6B;AAE7B,MAAM,0BAA0B,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,CAAC,CAAA;AAElD,SAAS,WAAW,CAAC,MAAc;IACjC,OAAO,0BAA0B,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAA;AACpD,CAAC;AAED,oBAAoB;AAEpB;;;;;GAKG;AACH,MAAM,CAAC,KAAK,UAAU,iBAAiB,CAAC,MAA2B;IACjE,MAAM,EAAE,OAAO,EAAE,OAAO,EAAE,OAAO,EAAE,KAAK,EAAE,GAAG,MAAM,CAAA;IACnD,MAAM,IAAI,GAAG,IAAI,SAAS,CAAC,OAAO,EAAE,OAAO,CAAC,MAAM,CAAC,CAAA;IACnD,MAAM,IAAI,GAAG,IAAI,SAAS,CAAC,OAAO,EAAE,OAAO,CAAC,MAAM,CAAC,CAAA;IAEnD,MAAM,OAAO,GAAmC,EAAE,CAAA;IAClD,MAAM,QAAQ,GAAoC,EAAE,CAAA;IAEpD,IAAI,KAAK,GAAG,CAAC,CAAA;IAEb,oCAAoC;IACpC,KAAK,UAAU,OAAO,CACpB,IAAY,EACZ,EAAuB;QAEvB,KAAK,EAAE,CAAA;QACP,IAAI,CAAC;YACH,MAAM,EAAE,EAAE,CAAA;YACV,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,CAAC,CAAA;QACxC,CAAC;QAAC,OAAO,GAAG,EAAE,CAAC;YACb,MAAM,GAAG,GAAG,GAAG,YAAY,KAAK,CAAC,CAAC,CAAC,GAAG,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,GAAG,CAAC,CAAA;YAC5D,QAAQ,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAA;YACnC,OAAO,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE,MAAM,EAAE,KAAK,EAAE,GAAG,EAAE,CAAC,CAAA;QACpD,CAAC;IACH,CAAC;IAED,6BAA6B;IAC7B,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC;QACf,KAAK,MAAM,OAAO,IAAI,KAAK,CAAC,IAAI,EAAE,CAAC;YACjC,MAAM,OAAO,CAAC,SAAS,OAAO,CAAC,MAAM,IAAI,OAAO,OAAO,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,WAAW,EAAE,EAAE,KAAK,IAAI,EAAE;gBACnH,MAAM,UAAU,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAA;gBACjD,MAAM,IAAI,GAAG,OAAO,OAAO,CAAC,IAAI,KAAK,UAAU,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAA;gBACzF,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,IAAI,CAAC,CAAA;gBACpD,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;oBAC7B,MAAM,IAAI,KAAK,CACb,qEAAqE,GAAG,CAAC,MAAM,EAAE,CAClF,CAAA;gBACH,CAAC;YACH,CAAC,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;IAED,8BAA8B;IAC9B,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;QAChB,KAAK,MAAM,OAAO,IAAI,KAAK,CAAC,KAAK,EAAE,CAAC;YAClC,MAAM,OAAO,CAAC,UAAU,OAAO,CAAC,MAAM,IAAI,OAAO,OAAO,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,WAAW,EAAE,EAAE,KAAK,IAAI,EAAE;gBACpH,MAAM,UAAU,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAA;gBACjD,MAAM,IAAI,GAAG,OAAO,OAAO,CAAC,IAAI,KAAK,UAAU,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAA;gBACzF,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,iBAAiB,EAAE,CAAC,CAAA;gBACjF,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;oBAC7B,MAAM,IAAI,KAAK,CACb,uEAAuE,GAAG,CAAC,MAAM,EAAE,CACpF,CAAA;gBACH,CAAC;YACH,CAAC,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;IAED,+BAA+B;IAC/B,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;QACjB,KAAK,MAAM,OAAO,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;YACnC,MAAM,OAAO,CAAC,WAAW,OAAO,CAAC,MAAM,IAAI,OAAO,OAAO,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,WAAW,EAAE,EAAE,KAAK,IAAI,EAAE;gBACrH,MAAM,UAAU,GAAG,MAAM,kBAAkB,CAAC,IAAI,CAAC,CAAA;gBACjD,MAAM,IAAI,GAAG,OAAO,OAAO,CAAC,IAAI,KAAK,UAAU,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAA;gBACzF,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,IAAI,CAAC,CAAA;gBACpD,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;oBAC7B,MAAM,IAAI,KAAK,CACb,uEAAuE,GAAG,CAAC,MAAM,EAAE,CACpF,CAAA;gBACH,CAAC;YACH,CAAC,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;IAED,+BAA+B;IAC/B,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;QACjB,KAAK,MAAM,OAAO,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;YACnC,MAAM,OAAO,CAAC,WAAW,OAAO,CAAC,MAAM,IAAI,OAAO,OAAO,CAAC,IAAI,KAAK,QAAQ,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,CAAC,WAAW,EAAE,EAAE,KAAK,IAAI,EAAE;gBACrH,MAAM,IAAI,GAAG,OAAO,OAAO,CAAC,IAAI,KAAK,UAAU,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,IAAI,CAAA;gBACjF,MAAM,GAAG,GAAG,MAAM,IAAI,CAAC,OAAO,CAAC,OAAO,CAAC,MAAM,EAAE,IAAI,EAAE,EAAE,IAAI,EAAE,mBAAmB,EAAE,CAAC,CAAA;gBACnF,IAAI,CAAC,WAAW,CAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC;oBAC7B,MAAM,IAAI,KAAK,CACb,6DAA6D,GAAG,CAAC,MAAM,EAAE,CAC1E,CAAA;gBACH,CAAC;YACH,CAAC,CAAC,CAAA;QACJ,CAAC;IACH,CAAC;IAED,qBAAqB;IACrB,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;QACjB,KAAK,MAAM,IAAI,IAAI,KAAK,CAAC,MAAM,EAAE,CAAC;YAChC,MAAM,OAAO,CAAC,WAAW,IAAI,CAAC,IAAI,EAAE,EAAE,GAAG,EAAE,CAAC,IAAI,CAAC,GAAG,CAAC;gBACnD,SAAS,EAAE,IAAI;gBACf,SAAS,EAAE,IAAI;aAChB,CAAC,CAAC,CAAA;QACL,CAAC;IACH,CAAC;IAED,MAAM,MAAM,GAAG,QAAQ,CAAC,MAAM,KAAK,CAAC,CAAA;IAEpC,OAAO;QACL,MAAM;QACN,UAAU,EAAE,KAAK;QACjB,WAAW,EAAE,KAAK,GAAG,QAAQ,CAAC,MAAM;QACpC,WAAW,EAAE,QAAQ,CAAC,MAAM;QAC5B,QAAQ;QACR,OAAO;KACR,CAAA;AACH,CAAC;AAED,gBAAgB;AAEhB;;;;GAIG;AACH,KAAK,UAAU,kBAAkB,CAAC,GAAc;IAC9C,MAAM,IAAI,GAAG,QAAQ,IAAI,CAAC,GAAG,EAAE,IAAI,IAAI,CAAC,MAAM,EAAE,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,EAAE,CAAA;IAC3E,MAAM,GAAG,GAAG,MAAM,GAAG,CAAC,IAAI,CAAC,aAAa,EAAE;QACxC,IAAI,EAAE,eAAe,IAAI,EAAE;QAC3B,IAAI;KACL,CAAC,CAAA;IACF,IAAI,GAAG,CAAC,MAAM,IAAI,GAAG,EAAE,CAAC;QACtB,MAAM,IAAI,KAAK,CAAC,qCAAqC,GAAG,CAAC,MAAM,MAAM,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,IAAI,CAAC,EAAE,CAAC,CAAA;IAClG,CAAC;IACD,MAAM,IAAI,GAAG,GAAG,CAAC,IAA+B,CAAA;IAChD,OAAO,MAAM,CAAC,IAAI,CAAC,EAAE,IAAI,EAAE,CAAC,CAAA;AAC9B,CAAC;AAED;;;;;;;;GAQG;AACH,MAAM,UAAU,cAAc,CAC5B,YAAoB,EACpB,WAAmB,EACnB,cAAuB;IAEvB,MAAM,UAAU,GAAG,0BAA0B,CAAA;IAC7C,IAAI,cAAc,KAAK,SAAS,EAAE,CAAC;QACjC,IAAI,YAAY,KAAK,cAAc,EAAE,CAAC;YACpC,MAAM,IAAI,KAAK,CACb,GAAG,WAAW,cAAc,cAAc,SAAS,YAAY,EAAE,CAClE,CAAA;QACH,CAAC;IACH,CAAC;SAAM,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,YAAY,CAAC,EAAE,CAAC;QAC9C,MAAM,IAAI,KAAK,CACb,GAAG,WAAW,sBAAsB,UAAU,CAAC,IAAI,CAAC,IAAI,CAAC,UAAU,YAAY,EAAE,CAClF,CAAA;IACH,CAAC;AACH,CAAC"}

package/dist/types.d.ts CHANGED Viewed

@@ -20,9 +20,33 @@ export interface TenantUser {
     id: string;
     email: string;
     name: string;
-    role: 'owner' | 'admin' | 'member' | 'viewer';
+    /** Developer-defined role string. TenantScale only reserves 'owner' internally. */
+    role: string;
     tenant_id: string;
 }
+/**
+ * Resolved user+tenant context for BYOA auth.
+ * Set on the request after `resolveUserTenant()` middleware runs.
+ */
+export interface UserTenantContext {
+    /** The authenticated user's ID */
+    userId: string;
+    /** The tenant this user belongs to */
+    tenantId: string;
+    /** Developer-defined role string (e.g. 'owner', 'admin', 'editor', 'manager'). */
+    role: string;
+    /** The resolved tenant object (cached) */
+    tenant: Tenant;
+    /** Whether this user can perform admin actions */
+    isAdmin: boolean;
+    /** All tenants this user belongs to (for multi-tenant switching) */
+    tenants: Array<{
+        tenantId: string;
+        tenantName: string;
+        tenantSlug: string;
+        role: string;
+    }>;
+}
 /** Options passed to the TenantScale constructor */
 export interface TenantScaleOptions {
     /** Your TenantScale API key (tk_xxx) */
@@ -70,6 +94,10 @@ export interface ImpersonationSession {
     expiresAt: string;
     redirectUrl: string;
 }
+/** Internal context passed between TenantScale middleware methods */
+export interface TenantScaleContext {
+    apiKey: string;
+}
 export declare class TenantScaleError extends Error {
     code: string;
     status: number;

package/dist/types.d.ts.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAIA,0DAA0D;AAC1D,MAAM,WAAW,MAAM;IACrB,EAAE,EAAE,MAAM,CAAA;IACV,IAAI,EAAE,MAAM,CAAA;IACZ,IAAI,EAAE,MAAM,CAAA;IACZ,IAAI,EAAE,QAAQ,CAAA;IACd,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,GAAG,MAAM,GAAG,MAAM,CAAC,CAAA;IACnD,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IAC/B,QAAQ,EAAE,cAAc,CAAA;CACzB;AAED,MAAM,MAAM,QAAQ,GAAG,MAAM,GAAG,OAAO,GAAG,KAAK,GAAG,UAAU,CAAA;AAE5D,MAAM,WAAW,cAAc;IAC7B,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,aAAa,CAAC,EAAE,MAAM,CAAA;CACvB;AAED,uCAAuC;AACvC,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,MAAM,CAAA;IACV,KAAK,EAAE,MAAM,CAAA;IACb,IAAI,EAAE,MAAM,CAAA;IACZ,IAAI,EAAE,OAAO,~~GAAG~~,OAAO,~~GAAG~~,~~QAAQ~~,~~GAAG~~,QAAQ,~~CAAA~~;~~IAC7C~~,~~SAAS~~,EAAE,MAAM,CAAA;~~CAClB~~;AAED,oDAAoD;AACpD,MAAM,WAAW,kBAAkB;IACjC,wCAAwC;IACxC,MAAM,EAAE,MAAM,CAAA;IACd,8EAA8E;IAC9E,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,yDAAyD;IACzD,cAAc,CAAC,EAAE,cAAc,CAAA;IAC/B,6BAA6B;IAC7B,OAAO,CAAC,EAAE,OAAO,CAAA;CAClB;AAED,MAAM,MAAM,cAAc,GACtB;IAAE,IAAI,EAAE,QAAQ,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,GAChC;IAAE,IAAI,EAAE,WAAW,CAAC;IAAC,OAAO,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,MAAM,GAAG,IAAI,CAAA;CAAE,GAC/D;IAAE,IAAI,EAAE,KAAK,CAAC;IAAC,IAAI,EAAE,MAAM,EAAE,CAAA;CAAE,GAC/B;IAAE,IAAI,EAAE,QAAQ,CAAC;IAAC,EAAE,EAAE,CAAC,GAAG,EAAE,OAAO,KAAK,MAAM,GAAG,IAAI,CAAA;CAAE,CAAA;AAE3D,kDAAkD;AAClD,MAAM,WAAW,UAAU;IACzB,MAAM,EAAE,MAAM,CAAA;IACd,QAAQ,EAAE,MAAM,CAAA;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IACjC,QAAQ,CAAC,EAAE,MAAM,CAAA;CAClB;AAED,gCAAgC;AAChC,MAAM,WAAW,YAAY;IAC3B,OAAO,EAAE,OAAO,CAAA;IAChB,8DAA8D;IAC9D,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,oCAAoC;IACpC,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;CACtB;AAED,iDAAiD;AACjD,MAAM,WAAW,oBAAoB;IACnC,KAAK,EAAE,MAAM,CAAA;IACb,YAAY,EAAE,MAAM,CAAA;IACpB,cAAc,EAAE,MAAM,CAAA;IACtB,SAAS,EAAE,MAAM,CAAA;IACjB,WAAW,EAAE,MAAM,CAAA;CACpB;AAMD,qBAAa,gBAAiB,SAAQ,KAAK;IAGhC,IAAI,EAAE,MAAM;IACZ,MAAM,EAAE,MAAM;gBAFrB,OAAO,EAAE,MAAM,EACR,IAAI,EAAE,MAAM,EACZ,MAAM,GAAE,MAAY;CAK9B;AAED,qBAAa,cAAe,SAAQ,gBAAgB;gBACtC,OAAO,EAAE,MAAM;CAQ5B;AAED,qBAAa,iBAAkB,SAAQ,gBAAgB;gBACzC,OAAO,SAA+B;CAInD"}
1	+ {"version":3,"file":"types.d.ts","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAIA,0DAA0D;AAC1D,MAAM,WAAW,MAAM;IACrB,EAAE,EAAE,MAAM,CAAA;IACV,IAAI,EAAE,MAAM,CAAA;IACZ,IAAI,EAAE,MAAM,CAAA;IACZ,IAAI,EAAE,QAAQ,CAAA;IACd,QAAQ,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,GAAG,MAAM,GAAG,MAAM,CAAC,CAAA;IACnD,MAAM,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IAC/B,QAAQ,EAAE,cAAc,CAAA;CACzB;AAED,MAAM,MAAM,QAAQ,GAAG,MAAM,GAAG,OAAO,GAAG,KAAK,GAAG,UAAU,CAAA;AAE5D,MAAM,WAAW,cAAc;IAC7B,IAAI,CAAC,EAAE,MAAM,CAAA;IACb,QAAQ,CAAC,EAAE,MAAM,CAAA;IACjB,aAAa,CAAC,EAAE,MAAM,CAAA;IACtB,aAAa,CAAC,EAAE,MAAM,CAAA;CACvB;AAED,uCAAuC;AACvC,MAAM,WAAW,UAAU;IACzB,EAAE,EAAE,MAAM,CAAA;IACV,KAAK,EAAE,MAAM,CAAA;IACb,IAAI,EAAE,MAAM,CAAA;IACZ,mFAAmF;IACnF,IAAI,EAAE,MAAM,CAAA;IACZ,SAAS,EAAE,MAAM,CAAA;CAClB;AAED;;;GAGG;AACH,MAAM,WAAW,iBAAiB;IAChC,kCAAkC;IAClC,MAAM,EAAE,MAAM,CAAA;IACd,sCAAsC;IACtC,QAAQ,EAAE,MAAM,CAAA;IAChB,kFAAkF;IAClF,IAAI,EAAE,MAAM,CAAA;IACZ,0CAA0C;IAC1C,MAAM,EAAE,MAAM,CAAA;IACd,kDAAkD;IAClD,OAAO,EAAE,OAAO,CAAA;IAChB,oEAAoE;IACpE,OAAO,EAAE,KAAK,CAAC;QAAE,QAAQ,EAAE,MAAM,CAAC;QAAC,UAAU,EAAE,MAAM,CAAC;QAAC,UAAU,EAAE,MAAM,CAAC;QAAC,IAAI,EAAE,MAAM,CAAA;KAAE,CAAC,CAAA;CAC3F;AAED,oDAAoD;AACpD,MAAM,WAAW,kBAAkB;IACjC,wCAAwC;IACxC,MAAM,EAAE,MAAM,CAAA;IACd,8EAA8E;IAC9E,OAAO,CAAC,EAAE,MAAM,CAAA;IAChB,yDAAyD;IACzD,cAAc,CAAC,EAAE,cAAc,CAAA;IAC/B,6BAA6B;IAC7B,OAAO,CAAC,EAAE,OAAO,CAAA;CAClB;AAED,MAAM,MAAM,cAAc,GACtB;IAAE,IAAI,EAAE,QAAQ,CAAC;IAAC,IAAI,EAAE,MAAM,CAAA;CAAE,GAChC;IAAE,IAAI,EAAE,WAAW,CAAC;IAAC,OAAO,EAAE,CAAC,IAAI,EAAE,MAAM,KAAK,MAAM,GAAG,IAAI,CAAA;CAAE,GAC/D;IAAE,IAAI,EAAE,KAAK,CAAC;IAAC,IAAI,EAAE,MAAM,EAAE,CAAA;CAAE,GAC/B;IAAE,IAAI,EAAE,QAAQ,CAAC;IAAC,EAAE,EAAE,CAAC,GAAG,EAAE,OAAO,KAAK,MAAM,GAAG,IAAI,CAAA;CAAE,CAAA;AAE3D,kDAAkD;AAClD,MAAM,WAAW,UAAU;IACzB,MAAM,EAAE,MAAM,CAAA;IACd,QAAQ,EAAE,MAAM,CAAA;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAAA;IACjC,QAAQ,CAAC,EAAE,MAAM,CAAA;CAClB;AAED,gCAAgC;AAChC,MAAM,WAAW,YAAY;IAC3B,OAAO,EAAE,OAAO,CAAA;IAChB,8DAA8D;IAC9D,SAAS,CAAC,EAAE,MAAM,CAAA;IAClB,oCAAoC;IACpC,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAA;CACtB;AAED,iDAAiD;AACjD,MAAM,WAAW,oBAAoB;IACnC,KAAK,EAAE,MAAM,CAAA;IACb,YAAY,EAAE,MAAM,CAAA;IACpB,cAAc,EAAE,MAAM,CAAA;IACtB,SAAS,EAAE,MAAM,CAAA;IACjB,WAAW,EAAE,MAAM,CAAA;CACpB;AAMD,qEAAqE;AACrE,MAAM,WAAW,kBAAkB;IACjC,MAAM,EAAE,MAAM,CAAA;CACf;AAED,qBAAa,gBAAiB,SAAQ,KAAK;IAGhC,IAAI,EAAE,MAAM;IACZ,MAAM,EAAE,MAAM;gBAFrB,OAAO,EAAE,MAAM,EACR,IAAI,EAAE,MAAM,EACZ,MAAM,GAAE,MAAY;CAK9B;AAED,qBAAa,cAAe,SAAQ,gBAAgB;gBACtC,OAAO,EAAE,MAAM;CAQ5B;AAED,qBAAa,iBAAkB,SAAQ,gBAAgB;gBACzC,OAAO,SAA+B;CAInD"}

package/dist/types.js CHANGED Viewed

@@ -1,9 +1,6 @@
 // ──────────────────────────────────────────────────────
 // Tenant Types — the domain model for the SDK
 // ──────────────────────────────────────────────────────
-// ──────────────────────────────────────────────────────
-// Error types
-// ──────────────────────────────────────────────────────
 export class TenantScaleError extends Error {
     code;
     status;

package/dist/types.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,yDAAyD;AACzD,8CAA8C;AAC9C,yDAAyD;~~AA2EzD~~,~~yDAAyD;AACzD,cAAc;AACd,yDAAyD;AAEzD,~~MAAM,OAAO,gBAAiB,SAAQ,KAAK;IAGhC;IACA;IAHT,YACE,OAAe,EACR,IAAY,EACZ,SAAiB,GAAG;QAE3B,KAAK,CAAC,OAAO,CAAC,CAAA;QAHP,SAAI,GAAJ,IAAI,CAAQ;QACZ,WAAM,GAAN,MAAM,CAAc;QAG3B,IAAI,CAAC,IAAI,GAAG,kBAAkB,CAAA;IAChC,CAAC;CACF;AAED,MAAM,OAAO,cAAe,SAAQ,gBAAgB;IAClD,YAAY,OAAe;QACzB,KAAK,CACH,uBAAuB,OAAO,6CAA6C,EAC3E,oBAAoB,EACpB,GAAG,CACJ,CAAA;QACD,IAAI,CAAC,IAAI,GAAG,gBAAgB,CAAA;IAC9B,CAAC;CACF;AAED,MAAM,OAAO,iBAAkB,SAAQ,gBAAgB;IACrD,YAAY,OAAO,GAAG,4BAA4B;QAChD,KAAK,CAAC,OAAO,EAAE,cAAc,EAAE,GAAG,CAAC,CAAA;QACnC,IAAI,CAAC,IAAI,GAAG,mBAAmB,CAAA;IACjC,CAAC;CACF"}
1	+ {"version":3,"file":"types.js","sourceRoot":"","sources":["../src/types.ts"],"names":[],"mappings":"AAAA,yDAAyD;AACzD,8CAA8C;AAC9C,yDAAyD;AAwGzD,MAAM,OAAO,gBAAiB,SAAQ,KAAK;IAGhC;IACA;IAHT,YACE,OAAe,EACR,IAAY,EACZ,SAAiB,GAAG;QAE3B,KAAK,CAAC,OAAO,CAAC,CAAA;QAHP,SAAI,GAAJ,IAAI,CAAQ;QACZ,WAAM,GAAN,MAAM,CAAc;QAG3B,IAAI,CAAC,IAAI,GAAG,kBAAkB,CAAA;IAChC,CAAC;CACF;AAED,MAAM,OAAO,cAAe,SAAQ,gBAAgB;IAClD,YAAY,OAAe;QACzB,KAAK,CACH,uBAAuB,OAAO,6CAA6C,EAC3E,oBAAoB,EACpB,GAAG,CACJ,CAAA;QACD,IAAI,CAAC,IAAI,GAAG,gBAAgB,CAAA;IAC9B,CAAC;CACF;AAED,MAAM,OAAO,iBAAkB,SAAQ,gBAAgB;IACrD,YAAY,OAAO,GAAG,4BAA4B;QAChD,KAAK,CAAC,OAAO,EAAE,cAAc,EAAE,GAAG,CAAC,CAAA;QACnC,IAAI,CAAC,IAAI,GAAG,mBAAmB,CAAA;IACjC,CAAC;CACF"}

package/package.json CHANGED Viewed

@@ -1,63 +1,72 @@
-{
-  "name": "@tenantscale/sdk",
-  "version": "0.2.0",
-  "description": "Multi-tenant middleware SDK for B2B SaaS — tenant isolation, audit logging, admin tools",
-  "type": "module",
-  "main": "./dist/index.js",
-  "types": "./dist/index.d.ts",
-  "exports": {
-    ".": {
-      "import": "./dist/index.js",
-      "types": "./dist/index.d.ts"
-    },
-    "./middleware": {
-      "import": "./dist/middleware/index.js",
-      "types": "./dist/middleware/index.d.ts"
-    },
-    "./react": {
-      "import": "./dist/react/index.js",
-      "types": "./dist/react/index.d.ts"
-    }
-  },
-  "files": [
-    "dist"
-  ],
-  "scripts": {
-    "build": "tsc",
-    "dev": "tsc --watch",
-    "test": "vitest run",
-    "lint": "eslint src/"
-  },
-  "dependencies": {
-    "superjson": "^2.2.0"
-  },
-  "peerDependencies": {
-    "express": "^5.0.0",
-    "hono": "^4.6.0",
-    "next": "^15.0.0"
-  },
-  "peerDependenciesMeta": {
-    "hono": {
-      "optional": true
-    },
-    "next": {
-      "optional": true
-    },
-    "express": {
-      "optional": true
-    }
-  },
-  "devDependencies": {
-    "@types/express": "^5.0.0",
-    "@types/react": "^19.0.0",
-    "@vitest/coverage-v8": "^3.2.6",
-    "hono": "^4.6.0",
-    "next": "^15.0.0",
-    "react": "^19.0.0",
-    "typescript": "^5.7.0",
-    "vitest": "^3.0.0"
-  },
-  "publishConfig": {
-    "access": "public"
-  }
-}
+{
+  "name": "@tenantscale/sdk",
+  "version": "0.3.0",
+  "description": "Multi-tenant middleware SDK for B2B SaaS — tenant isolation, audit logging, admin tools",
+  "type": "module",
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts",
+  "exports": {
+    ".": {
+      "import": "./dist/index.js",
+      "types": "./dist/index.d.ts"
+    },
+    "./middleware": {
+      "import": "./dist/middleware/index.js",
+      "types": "./dist/middleware/index.d.ts"
+    },
+    "./react": {
+      "import": "./dist/react/index.js",
+      "types": "./dist/react/index.d.ts"
+    },
+    "./testing": {
+      "import": "./dist/testing/index.js",
+      "types": "./dist/testing/index.d.ts"
+    },
+    "./user": {
+      "import": "./dist/middleware/user-auth.js",
+      "types": "./dist/middleware/user-auth.d.ts"
+    }
+  },
+  "files": [
+    "dist"
+  ],
+  "dependencies": {
+    "superjson": "^2.2.0"
+  },
+  "peerDependencies": {
+    "express": "^5.0.0",
+    "hono": "^4.6.0",
+    "next": "^15.0.0"
+  },
+  "peerDependenciesMeta": {
+    "hono": {
+      "optional": true
+    },
+    "next": {
+      "optional": true
+    },
+    "express": {
+      "optional": true
+    }
+  },
+  "devDependencies": {
+    "@supabase/supabase-js": "^2.49.0",
+    "@types/express": "^5.0.0",
+    "@types/react": "^19.0.0",
+    "@vitest/coverage-v8": "^3.2.6",
+    "hono": "^4.6.0",
+    "next": "^15.0.0",
+    "react": "^19.0.0",
+    "typescript": "^5.7.0",
+    "vitest": "^3.0.0"
+  },
+  "publishConfig": {
+    "access": "public"
+  },
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsc --watch",
+    "test": "vitest run",
+    "lint": "eslint src/"
+  }
+}