alepha 0.20.6 → 0.20.8

package/dist/scheduler/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","names":["ICronDefinition","Set","seconds","minutes","hours","days","months","weekdays","Cron","ReadonlyArray","Date","Generator","reversed","constructor","findAllowedHour","findAllowedMinute","findAllowedSecond","findAllowedTime","findAllowedDayInMonth","getNextDate","startDate","getNextDates","amount","getNextDatesIterator","endDate","getPrevDate","getPrevDates","getPrevDatesIterator","matchDate","date"],"sources":["../../src/scheduler/constants/CRON.ts","../../../../node_modules/cron-schedule/dist/cron.d.ts","../../src/scheduler/providers/CronProvider.ts","../../src/scheduler/primitives/$scheduler.ts","../../src/scheduler/providers/WorkerdCronProvider.ts","../../src/scheduler/index.ts"],"x_google_ignoreList":[1],"mappings":";;;;;;cAAa,IAAA;;;;;;;;;;;;;;UCIIA,eAAAA;EAAAA,SACJE,OAAAA,EAASD,GAAAA;EAAAA,SACTE,OAAAA,EAASF,GAAAA;EAAAA,SACTG,KAAAA,EAAOH,GAAAA;EAAAA,SACPI,IAAAA,EAAMJ,GAAAA;EAAAA,SACNK,MAAAA,EAAQL,GAAAA;EAAAA,SACRM,QAAAA,EAAUN,GAAAA;AAAAA;AAAAA,cAEFO,IAAAA;EAAAA,SACRN,OAAAA,EAASO,aAAAA;EAAAA,SACTN,OAAAA,EAASM,aAAAA;EAAAA,SACTL,KAAAA,EAAOK,aAAAA;EAAAA,SACPJ,IAAAA,EAAMI,aAAAA;EAAAA,SACNH,MAAAA,EAAQG,aAAAA;EAAAA,SACRF,QAAAA,EAAUE,aAAAA;EAAAA,SACVG,QAAAA;IACLV,OAAAA,EAASO,aAAAA;IACTN,OAAAA,EAASM,aAAAA;IACTL,KAAAA,EAAOK,aAAAA;IACPJ,IAAAA,EAAMI,aAAAA;IACNH,MAAAA,EAAQG,aAAAA;IACRF,QAAAA,EAAUE,aAAAA;EAAAA;EAEdI,WAAAA,CAAAA;IAAcX,OAAAA;IAASC,OAAAA;IAASC,KAAAA;IAAOC,IAAAA;IAAMC,MAAAA;IAAQC;EAAAA,GAAaP,eAAAA;EAlBjDC;;;;EAAAA,QAuBTa,eAAAA;EA3BUb;;;;EAAAA,QAgCVc,iBAAAA;EA7BCV;;;;EAAAA,QAkCDW,iBAAAA;EAhCWf;;;AAEvB;EAFuBA,QAqCXgB,eAAAA;;;;;UAKAC,qBAAAA;EAnCST;EAqCjBU,WAAAA,CAAYC,SAAAA,GAAYV,IAAAA,GAAOA,IAAAA;EAlClBD;EAoCbY,YAAAA,CAAaC,MAAAA,UAAgBF,SAAAA,GAAYV,IAAAA,GAAOA,IAAAA;EAlCrCD;;;;EAuCXc,oBAAAA,CAAqBH,SAAAA,GAAYV,IAAAA,EAAMc,OAAAA,GAAUd,IAAAA,GAAOC,SAAAA,CAAUD,IAAAA;EAlC3CP;EAoCvBsB,WAAAA,CAAYL,SAAAA,GAAYV,IAAAA,GAAOA,IAAAA;EApCQL;EAsCvCqB,YAAAA,CAAaJ,MAAAA,UAAgBF,SAAAA,GAAYV,IAAAA,GAAOA,IAAAA;EAtCKH;;;;EA2CrDoB,oBAAAA,CAAqBP,SAAAA,GAAYV,IAAAA,EAAMc,OAAAA,GAAUd,IAAAA,GAAOC,SAAAA,CAAUD,IAAAA;EAdlBA;EAgBhDkB,SAAAA,CAAUC,IAAAA,EAAMnB,IAAAA;AAAAA;;;cCnEP,YAAA;EAAA,mBACQ,EAAA,EAAE,gBAAA;EAAA,mBACF,MAAA,EAAM,MAAA;EAAA,mBACN,GAAA,EADM,gBAAA,CACH,MAAA;EAAA,mBACH,QAAA,EAAU,KAAA,CAAM,OAAA;EAE5B,WAAA,CAAA,GAAe,KAAA,CAAM,OAAA;EAAA,mBAIT,KAAA,EAJQ,QAAA,CAIH,aAAA;EAAA,mBAoBL,IAAA,EApBK,QAAA,CAoBD,aAAA;;;;;;;qBAeJ,gBAAA,EAfI,QAAA,CAeY,aAAA;EAAA,UAOzB,IAAA,CAAK,IAAA,WAAe,OAAA;EAmBvB,KAAA,CAAM,IAAA,WAAe,OAAA;;ADxE9B;;;;EC4FS,aAAA,CACL,IAAA,UACA,UAAA,UACA,OAAA,GAAU,OAAA;IAAW,GAAA,EAAK,QAAA;EAAA,MAAe,OAAA,QACzC,KAAA;EAAA,UAkBQ,GAAA,CAAI,IAAA,EAAM,OAAA,EAAS,GAAA,GAAG,QAAA;ED5GXT;;;EC2KR,OAAA,CAAQ,IAAA,WAAe,OAAA;EDhLhBA;;;EC4LP,UAAA,CAAA,GAAc,OAAA;ED1LTA;;;EAAAA,UCiMF,OAAA,CAAQ,IAAA,EAAM,OAAA,IAAW,GAAA,EAAK,QAAA,GAAW,OAAA;AAAA;AAAA,UAqB1C,OAAA;EACf,IAAA;EACA,UAAA;EACA,OAAA,GAAU,OAAA;IAAW,GAAA,EAAK,QAAA;EAAA,MAAe,OAAA;EACzC,IAAA,EAAM,IAAA;EACN,IAAA;EACA,OAAA;EACA,SAAA;EACA,OAAA,IAAW,KAAA,EAAO,KAAA;EAClB,KAAA,GAAQ,eAAA;AAAA;;;;;;cC7MG,UAAA;EAAA,UACF,yBAAA,GACR,kBAAA;EAAA;;KAMS,yBAAA;;;;EAIV,OAAA,GAAU,IAAA,EAAM,yBAAA,KAA8B,KAAA;;;;EAK9C,IAAA;;;AFtCF;EE2CE,WAAA;;;;EAKA,IAAA;EF5CiBA;;;EEiDjB,QAAA,GAAW,YAAA;EF/Ca;;;;;;EEuDxB,IAAA;AAAA;;;;cAQW,gBAAA,EAAgB,QAAA,CAAA,IAAA,UAAA,OAAA;6BAU3B,QAAA,CAAA,OAAA;AAAA;AAAA,KAEU,oBAAA,GAAuB,MAAA,QAAc,gBAAA,CAAiB,MAAA;AAAA;EAAA,UAGtD,KAAA;IAAA,CACP,gBAAA,CAAiB,GAAA,GAAM,oBAAA;EAAA;AAAA;AAAA,cAIf,kBAAA,SAA2B,SAAA,CAAU,yBAAA;EAAA,mBAC7B,GAAA,EADsD,gBAAA,CACnD,MAAA;EAAA,mBACH,QAAA,EAAQ,QAAA;;;qBACR,MAAA,EAAM,MAAA;EAAA,mBACN,gBAAA,EAAgB,gBAAA;EAAA,mBAChB,YAAA,EAAY,YAAA;EAAA,IAEpB,IAAA,CAAA;EAAA,UAOD,MAAA,CAAA;EAcG,OAAA,CAAA,GAAW,OAAA;EAAA,UAmEd,aAAA,EASuC,QAAA,CAT1B,mBAAA,EAAA,IAAA,EASC,yBAAA,KAAyB,OAAA;AAAA;AAAA,UAUlC,yBAAA;EACf,GAAA,EAAK,QAAA;AAAA;;;;YCxMK,KAAA;;;AJRZ;;;IIcI,sBAAA;MACE,IAAA;MACA,aAAA;IAAA;EAAA;AAAA;;;;;;;AHZN;;;;;;;;;;;;;;cGuCa,mBAAA,SAA4B,YAAA;EHpC5BG;;;;EGyCK,aAAA,CACd,IAAA,UACA,UAAA,UACA,OAAA,GAAU,OAAA;IAAW,GAAA,EAAK,QAAA;EAAA,MAAe,OAAA;EHzCtBH;;;EAAAA,mBGuDF,gBAAA,EAd+B,QAAA,CAcf,aAAA;AAAA;;;;YCjDzB,KAAA;IACR,iBAAA;MACE,IAAA;MACA,GAAA,EAAK,QAAA;MACL,OAAA;IAAA;IAGF,mBAAA;MAAuB,IAAA;MAAc,OAAA;IAAA;IAErC,iBAAA;MACE,IAAA;MACA,KAAA,EAAO,KAAA;MACP,OAAA;IAAA;IAGF,eAAA;MAAmB,IAAA;MAAc,OAAA;IAAA;IJzBfA;;;;;;;;;;;;IIuClB,iBAAA;MAAqB,IAAA;IAAA;EAAA;AAAA;;;;;AJjCzB;;;;;;;cIkDa,eAAA,EAAe,QAAA,CAAA,OAAA,CAI1B,QAAA,CAJ0B,MAAA"}
+{"version":3,"file":"index.d.ts","names":["ICronDefinition","Set","seconds","minutes","hours","days","months","weekdays","Cron","ReadonlyArray","Date","Generator","reversed","constructor","findAllowedHour","findAllowedMinute","findAllowedSecond","findAllowedTime","findAllowedDayInMonth","getNextDate","startDate","getNextDates","amount","getNextDatesIterator","endDate","getPrevDate","getPrevDates","getPrevDatesIterator","matchDate","date"],"sources":["../../src/scheduler/constants/CRON.ts","../../../../node_modules/cron-schedule/dist/cron.d.ts","../../src/scheduler/providers/CronProvider.ts","../../src/scheduler/primitives/$scheduler.ts","../../src/scheduler/providers/WorkerdCronProvider.ts","../../src/scheduler/index.ts"],"x_google_ignoreList":[1],"mappings":";;;;;;;cAAa,IAAA;;;;;;;;;;;;;;UCIIA,eAAAA;EAAAA,SACJE,OAAAA,EAASD,GAAAA;EAAAA,SACTE,OAAAA,EAASF,GAAAA;EAAAA,SACTG,KAAAA,EAAOH,GAAAA;EAAAA,SACPI,IAAAA,EAAMJ,GAAAA;EAAAA,SACNK,MAAAA,EAAQL,GAAAA;EAAAA,SACRM,QAAAA,EAAUN,GAAAA;AAAAA;AAAAA,cAEFO,IAAAA;EAAAA,SACRN,OAAAA,EAASO,aAAAA;EAAAA,SACTN,OAAAA,EAASM,aAAAA;EAAAA,SACTL,KAAAA,EAAOK,aAAAA;EAAAA,SACPJ,IAAAA,EAAMI,aAAAA;EAAAA,SACNH,MAAAA,EAAQG,aAAAA;EAAAA,SACRF,QAAAA,EAAUE,aAAAA;EAAAA,SACVG,QAAAA;IACLV,OAAAA,EAASO,aAAAA;IACTN,OAAAA,EAASM,aAAAA;IACTL,KAAAA,EAAOK,aAAAA;IACPJ,IAAAA,EAAMI,aAAAA;IACNH,MAAAA,EAAQG,aAAAA;IACRF,QAAAA,EAAUE,aAAAA;EAAAA;EAEdI,WAAAA,CAAAA;IAAcX,OAAAA;IAASC,OAAAA;IAASC,KAAAA;IAAOC,IAAAA;IAAMC,MAAAA;IAAQC;EAAAA,GAAaP,eAAAA;EAnBnDC;;;;EAAAA,QAwBPa,eAAAA;EA3BCZ;;;;EAAAA,QAgCDa,iBAAAA;EA9BQd;;;;EAAAA,QAmCRe,iBAAAA;EAhCCT;;;;EAAAA,QAqCDU,eAAAA;EAnCa;;;;EAAA,QAwCbC,qBAAAA;EApCOT;EAsCfU,WAAAA,CAAYC,SAAAA,GAAYV,IAAAA,GAAOA,IAAAA;EApCZD;EAsCnBY,YAAAA,CAAaC,MAAAA,UAAgBF,SAAAA,GAAYV,IAAAA,GAAOA,IAAAA;EAnCnCD;;;;EAwCbc,oBAAAA,CAAqBH,SAAAA,GAAYV,IAAAA,EAAMc,OAAAA,GAAUd,IAAAA,GAAOC,SAAAA,CAAUD,IAAAA;EAlCpDR;EAoCduB,WAAAA,CAAYL,SAAAA,GAAYV,IAAAA,GAAOA,IAAAA;EApCCN;EAsChCsB,YAAAA,CAAaJ,MAAAA,UAAgBF,SAAAA,GAAYV,IAAAA,GAAOA,IAAAA;EAtCHJ;;;;EA2C7CqB,oBAAAA,CAAqBP,SAAAA,GAAYV,IAAAA,EAAMc,OAAAA,GAAUd,IAAAA,GAAOC,SAAAA,CAAUD,IAAAA;EAdzBA;EAgBzCkB,SAAAA,CAAUC,IAAAA,EAAMnB,IAAAA;AAAAA;;;cCnEP,YAAA;EAAA,mBACQ,EAAA,EAAE,gBAAA;EAAA,mBACF,MAAA,EAAM,MAAA;EAAA,mBACN,GAAA,EADM,gBAAA,CACH,MAAA;EAAA,mBACH,QAAA,EAAU,KAAA,CAAM,OAAA;EAE5B,WAAA,CAAA,GAAe,KAAA,CAAM,OAAA;EAAA,mBAIT,KAAA,EAJQ,QAAA,CAIH,aAAA;EAAA,mBAoBL,IAAA,EApBK,QAAA,CAoBD,aAAA;;;;;;;qBAeJ,gBAAA,EAfI,QAAA,CAeY,aAAA;EAAA,UAOzB,IAAA,CAAK,IAAA,WAAe,OAAA;EAmBvB,KAAA,CAAM,IAAA,WAAe,OAAA;;;ADxE9B;;;EC4FS,aAAA,CACL,IAAA,UACA,UAAA,UACA,OAAA,GAAU,OAAA;IAAW,GAAA,EAAK,QAAA;EAAA,MAAe,OAAA,QACzC,KAAA;EAAA,UAkBQ,GAAA,CAAI,IAAA,EAAM,OAAA,EAAS,GAAA,GAAG,QAAA;ED7GbT;;;EC4KN,OAAA,CAAQ,IAAA,WAAe,OAAA;EDhLzBC;;;EC4LE,UAAA,CAAA,GAAc,OAAA;ED1LhBE;;;EAAAA,UCiMK,OAAA,CAAQ,IAAA,EAAM,OAAA,IAAW,GAAA,EAAK,QAAA,GAAW,OAAA;AAAA;AAAA,UAqB1C,OAAA;EACf,IAAA;EACA,UAAA;EACA,OAAA,GAAU,OAAA;IAAW,GAAA,EAAK,QAAA;EAAA,MAAe,OAAA;EACzC,IAAA,EAAM,IAAA;EACN,IAAA;EACA,OAAA;EACA,SAAA;EACA,OAAA,IAAW,KAAA,EAAO,KAAA;EAClB,KAAA,GAAQ,eAAA;AAAA;;;;;;cC7MG,UAAA;EAAA,UACF,yBAAA,GACR,kBAAA;EAAA;;KAMS,yBAAA;;;;EAIV,OAAA,GAAU,IAAA,EAAM,yBAAA,KAA8B,KAAA;;;;EAK9C,IAAA;;;;EAKA,WAAA;EF3C8B;;;EEgD9B,IAAA;EF7CkBH;;;EEkDlB,QAAA,GAAW,YAAA;EF/Ca;;;;;;EEuDxB,IAAA;AAAA;;;;cAQW,gBAAA,EAAgB,QAAA,CAAA,IAAA,WAAA,OAAA;8BAU3B,SAAA,CAAA,OAAA;AAAA;AAAA,KAEU,oBAAA,GAAuB,MAAA,QAAc,gBAAA,CAAiB,MAAA;AAAA;EAAA,UAGtD,KAAA;IAAA,CACP,gBAAA,CAAiB,GAAA,GAAM,oBAAA;EAAA;AAAA;AAAA,cAIf,kBAAA,SAA2B,SAAA,CAAU,yBAAA;EAAA,mBAC7B,GAAA,EADsD,gBAAA,CACnD,MAAA;EAAA,mBACH,QAAA,EAAQ,QAAA;;;qBACR,MAAA,EAAM,MAAA;EAAA,mBACN,gBAAA,EAAgB,gBAAA;EAAA,mBAChB,YAAA,EAAY,YAAA;EAAA,IAEpB,IAAA,CAAA;EAAA,UAOD,MAAA,CAAA;EAcG,OAAA,CAAA,GAAW,OAAA;EAAA,UAmEd,aAAA,EASuC,QAAA,CAT1B,mBAAA,EAAA,IAAA,EASC,yBAAA,KAAyB,OAAA;AAAA;AAAA,UAUlC,yBAAA;EACf,GAAA,EAAK,QAAA;AAAA;;;;YCxMK,KAAA;;;;AJRZ;;IIcI,sBAAA;MACE,IAAA;MACA,aAAA;IAAA;EAAA;AAAA;;;;;;;;AHZN;;;;;;;;;;;;;cGuCa,mBAAA,SAA4B,YAAA;EHrCnBA;;;;EG0CJ,aAAA,CACd,IAAA,UACA,UAAA,UACA,OAAA,GAAU,OAAA;IAAW,GAAA,EAAK,QAAA;EAAA,MAAe,OAAA;EHzChCM;;;EAAAA,mBGuDQ,gBAAA,EAd+B,QAAA,CAcf,aAAA;AAAA;;;;YCjDzB,KAAA;IACR,iBAAA;MACE,IAAA;MACA,GAAA,EAAK,QAAA;MACL,OAAA;IAAA;IAGF,mBAAA;MAAuB,IAAA;MAAc,OAAA;IAAA;IAErC,iBAAA;MACE,IAAA;MACA,KAAA,EAAO,KAAA;MACP,OAAA;IAAA;IAGF,eAAA;MAAmB,IAAA;MAAc,OAAA;IAAA;IJ1BfN;;;;;;;;;;;;IIwClB,iBAAA;MAAqB,IAAA;IAAA;EAAA;AAAA;;;;;;AJjCzB;;;;;;cIkDa,eAAA,EAAe,QAAA,CAAA,OAAA,CAI1B,QAAA,CAJ0B,MAAA"}

package/dist/security/index.browser.js

@@ -1,5 +1,33 @@
 import { $atom, $module, createMiddleware, t } from "alepha";
 import { UnauthorizedError } from "alepha/server";
+//#region ../../src/security/atoms/currentTenantAtom.ts
+/**
+* Atom storing the active tenant for the current request.
+*
+* Transport-agnostic — works with HTTP, MCP, pipelines, jobs, and any context
+* that sets the atom before calling tenant-scoped logic.
+*
+* Typically set by an app-level middleware that resolves the tenant from the
+* request `Host` header (or another signal) and writes the resolved id to the
+* store. Framework code that reads this atom:
+*
+* - Repository scoping: `withOrganization` / `stampOrganization` prefer this
+*   value over `currentUserAtom.organization` so cross-tenant users (admins,
+*   agency operators) are scoped to the tenant they are currently acting in
+*   rather than the one they belong to.
+* - Session creation: the value is persisted into the JWT as a `tenant` claim,
+*   and the issuer resolver rejects tokens whose claim does not match the
+*   tenant resolved from the current request.
+*
+* `id` is a free-form string so the framework stays neutral on tenant identity
+* (slug, UUID, composite). Pick whatever matches the column marked with
+* `PG_ORGANIZATION` in your entities.
+*/
+const currentTenantAtom = $atom({
+	name: "alepha.security.tenant",
+	schema: t.optional(t.object({ id: t.text({ description: "Tenant identifier (slug, UUID, or composite)." }) }))
+});
+//#endregion
 //#region ../../src/security/schemas/userAccountInfoSchema.ts
 const userAccountInfoSchema = t.object({
 	id: t.text({ description: "Unique identifier for the user." }),
@@ -127,6 +155,6 @@ const roleSchema = t.object({
 //#region ../../src/security/index.browser.ts
 const AlephaSecurity = $module({ name: "alepha.security" });
 //#endregion
-export { $secure, AlephaSecurity, InvalidCredentialsError, InvalidPermissionError, SecurityError, currentUserAtom, permissionSchema, roleSchema, userAccountInfoSchema };
+export { $secure, AlephaSecurity, InvalidCredentialsError, InvalidPermissionError, SecurityError, currentTenantAtom, currentUserAtom, permissionSchema, roleSchema, userAccountInfoSchema };
 
 //# sourceMappingURL=index.browser.js.map

package/dist/security/index.browser.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.browser.js","names":[],"sources":["../../src/security/schemas/userAccountInfoSchema.ts","../../src/security/atoms/currentUserAtom.ts","../../src/security/errors/InvalidCredentialsError.ts","../../src/security/errors/InvalidPermissionError.ts","../../src/security/errors/SecurityError.ts","../../src/security/primitives/$secure.browser.ts","../../src/security/schemas/permissionSchema.ts","../../src/security/schemas/roleSchema.ts","../../src/security/index.browser.ts"],"sourcesContent":["import type { Static } from \"alepha\";\nimport { t } from \"alepha\";\n\nexport const userAccountInfoSchema = t.object({\n  id: t.text({\n    description: \"Unique identifier for the user.\",\n  }),\n\n  name: t.optional(\n    t.text({\n      description: \"Full name of the user.\",\n    }),\n  ),\n\n  email: t.optional(\n    t.text({\n      description: \"Email address of the user.\",\n      format: \"email\",\n    }),\n  ),\n\n  username: t.optional(\n    t.text({\n      description: \"Preferred username of the user.\",\n    }),\n  ),\n\n  picture: t.optional(\n    t.text({\n      description: \"URL to the user's profile picture.\",\n    }),\n  ),\n\n  sessionId: t.optional(\n    t.text({\n      description: \"Session identifier for the user, if applicable.\",\n    }),\n  ),\n\n  // -------------------------------------------------------------------------------------------------------------------\n\n  organization: t.optional(\n    t.uuid({\n      description: \"Organization the user belongs to.\",\n    }),\n  ),\n\n  roles: t.optional(\n    t.array(t.text(), {\n      description: \"List of roles assigned to the user.\",\n    }),\n  ),\n\n  realm: t.optional(\n    t.text({\n      description: \"The realm (issuer) the user was authenticated from.\",\n    }),\n  ),\n});\n\nexport type UserAccount = Static<typeof userAccountInfoSchema>;\n","import { $atom, t } from \"alepha\";\nimport { userAccountInfoSchema } from \"../schemas/userAccountInfoSchema.ts\";\n\n/**\n * Atom storing the current authenticated user.\n *\n * Transport-agnostic — works with HTTP, MCP, pipelines, jobs, and any context\n * that sets the atom before calling secured logic.\n */\nexport const currentUserAtom = $atom({\n  name: \"alepha.security.user\",\n  schema: t.optional(userAccountInfoSchema),\n});\n","import { UnauthorizedError } from \"alepha/server\";\n\n/**\n * Error thrown when the provided credentials are invalid.\n *\n * Message can not be changed to avoid leaking information.\n * Cause is omitted for the same reason.\n */\nexport class InvalidCredentialsError extends UnauthorizedError {\n  readonly name = \"UnauthorizedError\";\n  constructor() {\n    super(\"Invalid credentials\");\n  }\n}\n","export class InvalidPermissionError extends Error {\n  constructor(name: string) {\n    super(`Permission '${name}' is invalid`);\n  }\n}\n","export class SecurityError extends Error {\n  public name = \"SecurityError\";\n  public readonly status = 403;\n}\n","import { createMiddleware, type Middleware } from \"alepha\";\nimport { currentUserAtom } from \"../atoms/currentUserAtom.ts\";\nimport type { UserAccountToken } from \"../interfaces/UserAccountToken.ts\";\nimport type { SecureOptions } from \"./$secure.ts\";\n\nexport type { SecureOptions };\n\n/**\n * Browser-side middleware that enforces authentication and authorization.\n *\n * Resolves the user from `currentUserAtom` only (no HTTP header resolution).\n * Checks roles from the user object and permissions from the user's roles.\n *\n * In the browser, an unauthenticated or unauthorized user is not an exception —\n * the middleware short-circuits by returning `undefined` and the handler is not called.\n * Components should use `action.can()` to conditionally render UI elements.\n *\n * ```typescript\n * class OrderController {\n *   getOrders = $action({\n *     use: [$secure()],\n *     handler: async ({ query }) => { ... },\n *   });\n *\n *   deleteOrder = $action({\n *     use: [$secure({ permissions: [\"orders:delete\"] })],\n *     handler: async ({ params }) => { ... },\n *   });\n * }\n * ```\n */\nexport function $secure(options?: SecureOptions): Middleware {\n  return createMiddleware({\n    name: \"$secure\",\n    options: (options as unknown as Record<string, unknown>) ?? undefined,\n    handler: ({ alepha, next }) => {\n      return async (...args: any[]) => {\n        const user: UserAccountToken | undefined =\n          alepha.store.get(currentUserAtom);\n\n        if (!user) {\n          return undefined;\n        }\n\n        // Issuer check\n        if (options?.issuers?.length) {\n          if (!user.realm || !options.issuers.includes(user.realm)) {\n            return undefined;\n          }\n        }\n\n        // Role check\n        if (options?.roles?.length) {\n          const hasRole = options.roles.some((role) =>\n            user.roles?.includes(role),\n          );\n          if (!hasRole) {\n            return undefined;\n          }\n        }\n\n        // Permission check (browser-side: check against user roles)\n        // Server-side permissions are enforced by the API — the browser version\n        // trusts that the API registry already filtered actions by permission.\n\n        // Custom guard\n        if (options?.guard) {\n          if (!options.guard(user)) {\n            return undefined;\n          }\n        }\n\n        return next(...args);\n      };\n    },\n  });\n}\n","import type { Static } from \"alepha\";\nimport { t } from \"alepha\";\n\nexport const permissionSchema = t.object({\n  name: t.text({\n    description: \"Name of the permission.\",\n  }),\n\n  group: t.optional(\n    t.text({\n      description: \"Group of the permission.\",\n    }),\n  ),\n\n  description: t.optional(\n    t.text({\n      description: \"Describe the permission.\",\n    }),\n  ),\n\n  // HTTP Only\n\n  method: t.optional(\n    t.text({\n      description: \"HTTP method of the permission. When available.\",\n    }),\n  ),\n\n  path: t.optional(\n    t.text({\n      description: \"Pathname of the permission. When available.\",\n    }),\n  ),\n});\n\nexport type Permission = Static<typeof permissionSchema>;\n","import type { Static } from \"alepha\";\nimport { t } from \"alepha\";\n\nexport const roleSchema = t.object({\n  name: t.text({\n    description: \"Name of the role.\",\n  }),\n\n  description: t.optional(\n    t.text({\n      description: \"Describe the role.\",\n    }),\n  ),\n\n  default: t.optional(\n    t.boolean({\n      description:\n        \"If true, this role will be assigned to all users by default.\",\n    }),\n  ),\n\n  permissions: t.array(\n    t.object({\n      name: t.text({\n        description: \"Name of the permission.\",\n      }),\n      ownership: t.optional(\n        t.boolean({\n          description:\n            \"If true, user will only have access to it's own resources.\",\n        }),\n      ),\n      exclude: t.optional(\n        t.array(t.text(), {\n          description:\n            \"Exclude some permissions. Useful when 'name' is a wildcard.\",\n        }),\n      ),\n    }),\n  ),\n});\n\nexport type Role = Static<typeof roleSchema>;\n","import { $module } from \"alepha\";\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport * from \"./atoms/currentUserAtom.ts\";\nexport * from \"./errors/InvalidCredentialsError.ts\";\nexport * from \"./errors/InvalidPermissionError.ts\";\nexport * from \"./errors/SecurityError.ts\";\nexport * from \"./interfaces/UserAccountToken.ts\";\nexport * from \"./primitives/$secure.browser.ts\";\nexport * from \"./schemas/permissionSchema.ts\";\nexport * from \"./schemas/roleSchema.ts\";\nexport * from \"./schemas/userAccountInfoSchema.ts\";\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport const AlephaSecurity = $module({\n  name: \"alepha.security\",\n});\n"],"mappings":";;;AAGA,MAAa,wBAAwB,EAAE,OAAO;CAC5C,IAAI,EAAE,KAAK,EACT,aAAa,mCACd,CAAC;CAEF,MAAM,EAAE,SACN,EAAE,KAAK,EACL,aAAa,0BACd,CAAC,CACH;CAED,OAAO,EAAE,SACP,EAAE,KAAK;EACL,aAAa;EACb,QAAQ;EACT,CAAC,CACH;CAED,UAAU,EAAE,SACV,EAAE,KAAK,EACL,aAAa,mCACd,CAAC,CACH;CAED,SAAS,EAAE,SACT,EAAE,KAAK,EACL,aAAa,sCACd,CAAC,CACH;CAED,WAAW,EAAE,SACX,EAAE,KAAK,EACL,aAAa,mDACd,CAAC,CACH;CAID,cAAc,EAAE,SACd,EAAE,KAAK,EACL,aAAa,qCACd,CAAC,CACH;CAED,OAAO,EAAE,SACP,EAAE,MAAM,EAAE,MAAM,EAAE,EAChB,aAAa,uCACd,CAAC,CACH;CAED,OAAO,EAAE,SACP,EAAE,KAAK,EACL,aAAa,uDACd,CAAC,CACH;CACF,CAAC;;;;;;;;;ACjDF,MAAa,kBAAkB,MAAM;CACnC,MAAM;CACN,QAAQ,EAAE,SAAS,sBAAsB;CAC1C,CAAC;;;;;;;;;ACJF,IAAa,0BAAb,cAA6C,kBAAkB;CAC7D,OAAgB;CAChB,cAAc;EACZ,MAAM,sBAAsB;;;;;ACXhC,IAAa,yBAAb,cAA4C,MAAM;CAChD,YAAY,MAAc;EACxB,MAAM,eAAe,KAAK,cAAc;;;;;ACF5C,IAAa,gBAAb,cAAmC,MAAM;CACvC,OAAc;CACd,SAAyB;;;;;;;;;;;;;;;;;;;;;;;;;;;;AC6B3B,SAAgB,QAAQ,SAAqC;CAC3D,OAAO,iBAAiB;EACtB,MAAM;EACN,SAAU,WAAkD,KAAA;EAC5D,UAAU,EAAE,QAAQ,WAAW;GAC7B,OAAO,OAAO,GAAG,SAAgB;IAC/B,MAAM,OACJ,OAAO,MAAM,IAAI,gBAAgB;IAEnC,IAAI,CAAC,MACH;IAIF,IAAI,SAAS,SAAS;SAChB,CAAC,KAAK,SAAS,CAAC,QAAQ,QAAQ,SAAS,KAAK,MAAM,EACtD;;IAKJ,IAAI,SAAS,OAAO;SAId,CAHY,QAAQ,MAAM,MAAM,SAClC,KAAK,OAAO,SAAS,KAAK,CAEhB,EACV;;IASJ,IAAI,SAAS;SACP,CAAC,QAAQ,MAAM,KAAK,EACtB;;IAIJ,OAAO,KAAK,GAAG,KAAK;;;EAGzB,CAAC;;;;ACxEJ,MAAa,mBAAmB,EAAE,OAAO;CACvC,MAAM,EAAE,KAAK,EACX,aAAa,2BACd,CAAC;CAEF,OAAO,EAAE,SACP,EAAE,KAAK,EACL,aAAa,4BACd,CAAC,CACH;CAED,aAAa,EAAE,SACb,EAAE,KAAK,EACL,aAAa,4BACd,CAAC,CACH;CAID,QAAQ,EAAE,SACR,EAAE,KAAK,EACL,aAAa,kDACd,CAAC,CACH;CAED,MAAM,EAAE,SACN,EAAE,KAAK,EACL,aAAa,+CACd,CAAC,CACH;CACF,CAAC;;;AC9BF,MAAa,aAAa,EAAE,OAAO;CACjC,MAAM,EAAE,KAAK,EACX,aAAa,qBACd,CAAC;CAEF,aAAa,EAAE,SACb,EAAE,KAAK,EACL,aAAa,sBACd,CAAC,CACH;CAED,SAAS,EAAE,SACT,EAAE,QAAQ,EACR,aACE,gEACH,CAAC,CACH;CAED,aAAa,EAAE,MACb,EAAE,OAAO;EACP,MAAM,EAAE,KAAK,EACX,aAAa,2BACd,CAAC;EACF,WAAW,EAAE,SACX,EAAE,QAAQ,EACR,aACE,8DACH,CAAC,CACH;EACD,SAAS,EAAE,SACT,EAAE,MAAM,EAAE,MAAM,EAAE,EAChB,aACE,+DACH,CAAC,CACH;EACF,CAAC,CACH;CACF,CAAC;;;ACxBF,MAAa,iBAAiB,QAAQ,EACpC,MAAM,mBACP,CAAC"}
+{"version":3,"file":"index.browser.js","names":[],"sources":["../../src/security/atoms/currentTenantAtom.ts","../../src/security/schemas/userAccountInfoSchema.ts","../../src/security/atoms/currentUserAtom.ts","../../src/security/errors/InvalidCredentialsError.ts","../../src/security/errors/InvalidPermissionError.ts","../../src/security/errors/SecurityError.ts","../../src/security/primitives/$secure.browser.ts","../../src/security/schemas/permissionSchema.ts","../../src/security/schemas/roleSchema.ts","../../src/security/index.browser.ts"],"sourcesContent":["import { $atom, t } from \"alepha\";\n\n/**\n * Atom storing the active tenant for the current request.\n *\n * Transport-agnostic — works with HTTP, MCP, pipelines, jobs, and any context\n * that sets the atom before calling tenant-scoped logic.\n *\n * Typically set by an app-level middleware that resolves the tenant from the\n * request `Host` header (or another signal) and writes the resolved id to the\n * store. Framework code that reads this atom:\n *\n * - Repository scoping: `withOrganization` / `stampOrganization` prefer this\n *   value over `currentUserAtom.organization` so cross-tenant users (admins,\n *   agency operators) are scoped to the tenant they are currently acting in\n *   rather than the one they belong to.\n * - Session creation: the value is persisted into the JWT as a `tenant` claim,\n *   and the issuer resolver rejects tokens whose claim does not match the\n *   tenant resolved from the current request.\n *\n * `id` is a free-form string so the framework stays neutral on tenant identity\n * (slug, UUID, composite). Pick whatever matches the column marked with\n * `PG_ORGANIZATION` in your entities.\n */\nexport const currentTenantAtom = $atom({\n  name: \"alepha.security.tenant\",\n  schema: t.optional(\n    t.object({\n      id: t.text({\n        description: \"Tenant identifier (slug, UUID, or composite).\",\n      }),\n    }),\n  ),\n});\n","import type { Static } from \"alepha\";\nimport { t } from \"alepha\";\n\nexport const userAccountInfoSchema = t.object({\n  id: t.text({\n    description: \"Unique identifier for the user.\",\n  }),\n\n  name: t.optional(\n    t.text({\n      description: \"Full name of the user.\",\n    }),\n  ),\n\n  email: t.optional(\n    t.text({\n      description: \"Email address of the user.\",\n      format: \"email\",\n    }),\n  ),\n\n  username: t.optional(\n    t.text({\n      description: \"Preferred username of the user.\",\n    }),\n  ),\n\n  picture: t.optional(\n    t.text({\n      description: \"URL to the user's profile picture.\",\n    }),\n  ),\n\n  sessionId: t.optional(\n    t.text({\n      description: \"Session identifier for the user, if applicable.\",\n    }),\n  ),\n\n  // -------------------------------------------------------------------------------------------------------------------\n\n  organization: t.optional(\n    t.uuid({\n      description: \"Organization the user belongs to.\",\n    }),\n  ),\n\n  roles: t.optional(\n    t.array(t.text(), {\n      description: \"List of roles assigned to the user.\",\n    }),\n  ),\n\n  realm: t.optional(\n    t.text({\n      description: \"The realm (issuer) the user was authenticated from.\",\n    }),\n  ),\n});\n\nexport type UserAccount = Static<typeof userAccountInfoSchema>;\n","import { $atom, t } from \"alepha\";\nimport { userAccountInfoSchema } from \"../schemas/userAccountInfoSchema.ts\";\n\n/**\n * Atom storing the current authenticated user.\n *\n * Transport-agnostic — works with HTTP, MCP, pipelines, jobs, and any context\n * that sets the atom before calling secured logic.\n */\nexport const currentUserAtom = $atom({\n  name: \"alepha.security.user\",\n  schema: t.optional(userAccountInfoSchema),\n});\n","import { UnauthorizedError } from \"alepha/server\";\n\n/**\n * Error thrown when the provided credentials are invalid.\n *\n * Message can not be changed to avoid leaking information.\n * Cause is omitted for the same reason.\n */\nexport class InvalidCredentialsError extends UnauthorizedError {\n  readonly name = \"UnauthorizedError\";\n  constructor() {\n    super(\"Invalid credentials\");\n  }\n}\n","export class InvalidPermissionError extends Error {\n  constructor(name: string) {\n    super(`Permission '${name}' is invalid`);\n  }\n}\n","export class SecurityError extends Error {\n  public name = \"SecurityError\";\n  public readonly status = 403;\n}\n","import { createMiddleware, type Middleware } from \"alepha\";\nimport { currentUserAtom } from \"../atoms/currentUserAtom.ts\";\nimport type { UserAccountToken } from \"../interfaces/UserAccountToken.ts\";\nimport type { SecureOptions } from \"./$secure.ts\";\n\nexport type { SecureOptions };\n\n/**\n * Browser-side middleware that enforces authentication and authorization.\n *\n * Resolves the user from `currentUserAtom` only (no HTTP header resolution).\n * Checks roles from the user object and permissions from the user's roles.\n *\n * In the browser, an unauthenticated or unauthorized user is not an exception —\n * the middleware short-circuits by returning `undefined` and the handler is not called.\n * Components should use `action.can()` to conditionally render UI elements.\n *\n * ```typescript\n * class OrderController {\n *   getOrders = $action({\n *     use: [$secure()],\n *     handler: async ({ query }) => { ... },\n *   });\n *\n *   deleteOrder = $action({\n *     use: [$secure({ permissions: [\"orders:delete\"] })],\n *     handler: async ({ params }) => { ... },\n *   });\n * }\n * ```\n */\nexport function $secure(options?: SecureOptions): Middleware {\n  return createMiddleware({\n    name: \"$secure\",\n    options: (options as unknown as Record<string, unknown>) ?? undefined,\n    handler: ({ alepha, next }) => {\n      return async (...args: any[]) => {\n        const user: UserAccountToken | undefined =\n          alepha.store.get(currentUserAtom);\n\n        if (!user) {\n          return undefined;\n        }\n\n        // Issuer check\n        if (options?.issuers?.length) {\n          if (!user.realm || !options.issuers.includes(user.realm)) {\n            return undefined;\n          }\n        }\n\n        // Role check\n        if (options?.roles?.length) {\n          const hasRole = options.roles.some((role) =>\n            user.roles?.includes(role),\n          );\n          if (!hasRole) {\n            return undefined;\n          }\n        }\n\n        // Permission check (browser-side: check against user roles)\n        // Server-side permissions are enforced by the API — the browser version\n        // trusts that the API registry already filtered actions by permission.\n\n        // Custom guard\n        if (options?.guard) {\n          if (!options.guard(user)) {\n            return undefined;\n          }\n        }\n\n        return next(...args);\n      };\n    },\n  });\n}\n","import type { Static } from \"alepha\";\nimport { t } from \"alepha\";\n\nexport const permissionSchema = t.object({\n  name: t.text({\n    description: \"Name of the permission.\",\n  }),\n\n  group: t.optional(\n    t.text({\n      description: \"Group of the permission.\",\n    }),\n  ),\n\n  description: t.optional(\n    t.text({\n      description: \"Describe the permission.\",\n    }),\n  ),\n\n  // HTTP Only\n\n  method: t.optional(\n    t.text({\n      description: \"HTTP method of the permission. When available.\",\n    }),\n  ),\n\n  path: t.optional(\n    t.text({\n      description: \"Pathname of the permission. When available.\",\n    }),\n  ),\n});\n\nexport type Permission = Static<typeof permissionSchema>;\n","import type { Static } from \"alepha\";\nimport { t } from \"alepha\";\n\nexport const roleSchema = t.object({\n  name: t.text({\n    description: \"Name of the role.\",\n  }),\n\n  description: t.optional(\n    t.text({\n      description: \"Describe the role.\",\n    }),\n  ),\n\n  default: t.optional(\n    t.boolean({\n      description:\n        \"If true, this role will be assigned to all users by default.\",\n    }),\n  ),\n\n  permissions: t.array(\n    t.object({\n      name: t.text({\n        description: \"Name of the permission.\",\n      }),\n      ownership: t.optional(\n        t.boolean({\n          description:\n            \"If true, user will only have access to it's own resources.\",\n        }),\n      ),\n      exclude: t.optional(\n        t.array(t.text(), {\n          description:\n            \"Exclude some permissions. Useful when 'name' is a wildcard.\",\n        }),\n      ),\n    }),\n  ),\n});\n\nexport type Role = Static<typeof roleSchema>;\n","import { $module } from \"alepha\";\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport * from \"./atoms/currentTenantAtom.ts\";\nexport * from \"./atoms/currentUserAtom.ts\";\nexport * from \"./errors/InvalidCredentialsError.ts\";\nexport * from \"./errors/InvalidPermissionError.ts\";\nexport * from \"./errors/SecurityError.ts\";\nexport * from \"./interfaces/UserAccountToken.ts\";\nexport * from \"./primitives/$secure.browser.ts\";\nexport * from \"./schemas/permissionSchema.ts\";\nexport * from \"./schemas/roleSchema.ts\";\nexport * from \"./schemas/userAccountInfoSchema.ts\";\n\n// ---------------------------------------------------------------------------------------------------------------------\n\nexport const AlephaSecurity = $module({\n  name: \"alepha.security\",\n});\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AAwBA,MAAa,oBAAoB,MAAM;CACrC,MAAM;CACN,QAAQ,EAAE,SACR,EAAE,OAAO,EACP,IAAI,EAAE,KAAK,EACT,aAAa,iDACd,CAAC,EACH,CAAC,CACH;CACF,CAAC;;;AC9BF,MAAa,wBAAwB,EAAE,OAAO;CAC5C,IAAI,EAAE,KAAK,EACT,aAAa,mCACd,CAAC;CAEF,MAAM,EAAE,SACN,EAAE,KAAK,EACL,aAAa,0BACd,CAAC,CACH;CAED,OAAO,EAAE,SACP,EAAE,KAAK;EACL,aAAa;EACb,QAAQ;EACT,CAAC,CACH;CAED,UAAU,EAAE,SACV,EAAE,KAAK,EACL,aAAa,mCACd,CAAC,CACH;CAED,SAAS,EAAE,SACT,EAAE,KAAK,EACL,aAAa,sCACd,CAAC,CACH;CAED,WAAW,EAAE,SACX,EAAE,KAAK,EACL,aAAa,mDACd,CAAC,CACH;CAID,cAAc,EAAE,SACd,EAAE,KAAK,EACL,aAAa,qCACd,CAAC,CACH;CAED,OAAO,EAAE,SACP,EAAE,MAAM,EAAE,MAAM,EAAE,EAChB,aAAa,uCACd,CAAC,CACH;CAED,OAAO,EAAE,SACP,EAAE,KAAK,EACL,aAAa,uDACd,CAAC,CACH;CACF,CAAC;;;;;;;;;ACjDF,MAAa,kBAAkB,MAAM;CACnC,MAAM;CACN,QAAQ,EAAE,SAAS,sBAAsB;CAC1C,CAAC;;;;;;;;;ACJF,IAAa,0BAAb,cAA6C,kBAAkB;CAC7D,OAAgB;CAChB,cAAc;EACZ,MAAM,sBAAsB;;;;;ACXhC,IAAa,yBAAb,cAA4C,MAAM;CAChD,YAAY,MAAc;EACxB,MAAM,eAAe,KAAK,cAAc;;;;;ACF5C,IAAa,gBAAb,cAAmC,MAAM;CACvC,OAAc;CACd,SAAyB;;;;;;;;;;;;;;;;;;;;;;;;;;;;AC6B3B,SAAgB,QAAQ,SAAqC;CAC3D,OAAO,iBAAiB;EACtB,MAAM;EACN,SAAU,WAAkD,KAAA;EAC5D,UAAU,EAAE,QAAQ,WAAW;GAC7B,OAAO,OAAO,GAAG,SAAgB;IAC/B,MAAM,OACJ,OAAO,MAAM,IAAI,gBAAgB;IAEnC,IAAI,CAAC,MACH;IAIF,IAAI,SAAS,SAAS;SAChB,CAAC,KAAK,SAAS,CAAC,QAAQ,QAAQ,SAAS,KAAK,MAAM,EACtD;;IAKJ,IAAI,SAAS,OAAO;SAId,CAHY,QAAQ,MAAM,MAAM,SAClC,KAAK,OAAO,SAAS,KAAK,CAEhB,EACV;;IASJ,IAAI,SAAS;SACP,CAAC,QAAQ,MAAM,KAAK,EACtB;;IAIJ,OAAO,KAAK,GAAG,KAAK;;;EAGzB,CAAC;;;;ACxEJ,MAAa,mBAAmB,EAAE,OAAO;CACvC,MAAM,EAAE,KAAK,EACX,aAAa,2BACd,CAAC;CAEF,OAAO,EAAE,SACP,EAAE,KAAK,EACL,aAAa,4BACd,CAAC,CACH;CAED,aAAa,EAAE,SACb,EAAE,KAAK,EACL,aAAa,4BACd,CAAC,CACH;CAID,QAAQ,EAAE,SACR,EAAE,KAAK,EACL,aAAa,kDACd,CAAC,CACH;CAED,MAAM,EAAE,SACN,EAAE,KAAK,EACL,aAAa,+CACd,CAAC,CACH;CACF,CAAC;;;AC9BF,MAAa,aAAa,EAAE,OAAO;CACjC,MAAM,EAAE,KAAK,EACX,aAAa,qBACd,CAAC;CAEF,aAAa,EAAE,SACb,EAAE,KAAK,EACL,aAAa,sBACd,CAAC,CACH;CAED,SAAS,EAAE,SACT,EAAE,QAAQ,EACR,aACE,gEACH,CAAC,CACH;CAED,aAAa,EAAE,MACb,EAAE,OAAO;EACP,MAAM,EAAE,KAAK,EACX,aAAa,2BACd,CAAC;EACF,WAAW,EAAE,SACX,EAAE,QAAQ,EACR,aACE,8DACH,CAAC,CACH;EACD,SAAS,EAAE,SACT,EAAE,MAAM,EAAE,MAAM,EAAE,EAChB,aACE,+DACH,CAAC,CACH;EACF,CAAC,CACH;CACF,CAAC;;;ACvBF,MAAa,iBAAiB,QAAQ,EACpC,MAAM,mBACP,CAAC"}

package/dist/security/index.d.ts

@@ -4,19 +4,20 @@ import { DateTimeProvider, Duration, DurationLike } from "alepha/datetime";
 import * as _$alepha_logger0 from "alepha/logger";
 import { SecretProvider } from "alepha/crypto";
 import { FetchOptions, ServerRequest, UnauthorizedError } from "alepha/server";
+import * as _$typebox from "typebox";
 export * from "alepha/crypto";
 
 //#region ../../src/security/schemas/userAccountInfoSchema.d.ts
-declare const userAccountInfoSchema: _$alepha.TObject<{
-  id: _$alepha.TString;
-  name: _$alepha.TOptional<_$alepha.TString>;
-  email: _$alepha.TOptional<_$alepha.TString>;
-  username: _$alepha.TOptional<_$alepha.TString>;
-  picture: _$alepha.TOptional<_$alepha.TString>;
-  sessionId: _$alepha.TOptional<_$alepha.TString>;
-  organization: _$alepha.TOptional<_$alepha.TString>;
-  roles: _$alepha.TOptional<_$alepha.TArray<_$alepha.TString>>;
-  realm: _$alepha.TOptional<_$alepha.TString>;
+declare const userAccountInfoSchema: _$typebox.TObject<{
+  id: _$typebox.TString;
+  name: _$typebox.TOptional<_$typebox.TString>;
+  email: _$typebox.TOptional<_$typebox.TString>;
+  username: _$typebox.TOptional<_$typebox.TString>;
+  picture: _$typebox.TOptional<_$typebox.TString>;
+  sessionId: _$typebox.TOptional<_$typebox.TString>;
+  organization: _$typebox.TOptional<_$typebox.TString>;
+  roles: _$typebox.TOptional<_$typebox.TArray<_$typebox.TString>>;
+  realm: _$typebox.TOptional<_$typebox.TString>;
 }>;
 type UserAccount = Static<typeof userAccountInfoSchema>;
 //#endregion
@@ -41,6 +42,33 @@ interface UserAccountToken extends UserAccount {
   ownership?: string | boolean;
 }
 //#endregion
+//#region ../../src/security/atoms/currentTenantAtom.d.ts
+/**
+ * Atom storing the active tenant for the current request.
+ *
+ * Transport-agnostic — works with HTTP, MCP, pipelines, jobs, and any context
+ * that sets the atom before calling tenant-scoped logic.
+ *
+ * Typically set by an app-level middleware that resolves the tenant from the
+ * request `Host` header (or another signal) and writes the resolved id to the
+ * store. Framework code that reads this atom:
+ *
+ * - Repository scoping: `withOrganization` / `stampOrganization` prefer this
+ *   value over `currentUserAtom.organization` so cross-tenant users (admins,
+ *   agency operators) are scoped to the tenant they are currently acting in
+ *   rather than the one they belong to.
+ * - Session creation: the value is persisted into the JWT as a `tenant` claim,
+ *   and the issuer resolver rejects tokens whose claim does not match the
+ *   tenant resolved from the current request.
+ *
+ * `id` is a free-form string so the framework stays neutral on tenant identity
+ * (slug, UUID, composite). Pick whatever matches the column marked with
+ * `PG_ORGANIZATION` in your entities.
+ */
+declare const currentTenantAtom: _$alepha.Atom<_$typebox.TOptional<_$typebox.TObject<{
+  id: _$typebox.TString;
+}>>, "alepha.security.tenant">;
+//#endregion
 //#region ../../src/security/atoms/currentUserAtom.d.ts
 /**
  * Atom storing the current authenticated user.
@@ -48,16 +76,16 @@ interface UserAccountToken extends UserAccount {
  * Transport-agnostic — works with HTTP, MCP, pipelines, jobs, and any context
  * that sets the atom before calling secured logic.
  */
-declare const currentUserAtom: _$alepha.Atom<_$alepha.TOptional<_$alepha.TObject<{
-  id: _$alepha.TString;
-  name: _$alepha.TOptional<_$alepha.TString>;
-  email: _$alepha.TOptional<_$alepha.TString>;
-  username: _$alepha.TOptional<_$alepha.TString>;
-  picture: _$alepha.TOptional<_$alepha.TString>;
-  sessionId: _$alepha.TOptional<_$alepha.TString>;
-  organization: _$alepha.TOptional<_$alepha.TString>;
-  roles: _$alepha.TOptional<_$alepha.TArray<_$alepha.TString>>;
-  realm: _$alepha.TOptional<_$alepha.TString>;
+declare const currentUserAtom: _$alepha.Atom<_$typebox.TOptional<_$typebox.TObject<{
+  id: _$typebox.TString;
+  name: _$typebox.TOptional<_$typebox.TString>;
+  email: _$typebox.TOptional<_$typebox.TString>;
+  username: _$typebox.TOptional<_$typebox.TString>;
+  picture: _$typebox.TOptional<_$typebox.TString>;
+  sessionId: _$typebox.TOptional<_$typebox.TString>;
+  organization: _$typebox.TOptional<_$typebox.TString>;
+  roles: _$typebox.TOptional<_$typebox.TArray<_$typebox.TString>>;
+  realm: _$typebox.TOptional<_$typebox.TString>;
 }>>, "alepha.security.user">;
 //#endregion
 //#region ../../src/security/errors/InvalidCredentialsError.d.ts
@@ -521,24 +549,24 @@ interface JwtParseResult {
 }
 //#endregion
 //#region ../../src/security/schemas/permissionSchema.d.ts
-declare const permissionSchema: _$alepha.TObject<{
-  name: _$alepha.TString;
-  group: _$alepha.TOptional<_$alepha.TString>;
-  description: _$alepha.TOptional<_$alepha.TString>;
-  method: _$alepha.TOptional<_$alepha.TString>;
-  path: _$alepha.TOptional<_$alepha.TString>;
+declare const permissionSchema: _$typebox.TObject<{
+  name: _$typebox.TString;
+  group: _$typebox.TOptional<_$typebox.TString>;
+  description: _$typebox.TOptional<_$typebox.TString>;
+  method: _$typebox.TOptional<_$typebox.TString>;
+  path: _$typebox.TOptional<_$typebox.TString>;
 }>;
 type Permission = Static<typeof permissionSchema>;
 //#endregion
 //#region ../../src/security/schemas/roleSchema.d.ts
-declare const roleSchema: _$alepha.TObject<{
-  name: _$alepha.TString;
-  description: _$alepha.TOptional<_$alepha.TString>;
-  default: _$alepha.TOptional<_$alepha.TBoolean>;
-  permissions: _$alepha.TArray<_$alepha.TObject<{
-    name: _$alepha.TString;
-    ownership: _$alepha.TOptional<_$alepha.TBoolean>;
-    exclude: _$alepha.TOptional<_$alepha.TArray<_$alepha.TString>>;
+declare const roleSchema: _$typebox.TObject<{
+  name: _$typebox.TString;
+  description: _$typebox.TOptional<_$typebox.TString>;
+  default: _$typebox.TOptional<_$typebox.TBoolean>;
+  permissions: _$typebox.TArray<_$typebox.TObject<{
+    name: _$typebox.TString;
+    ownership: _$typebox.TOptional<_$typebox.TBoolean>;
+    exclude: _$typebox.TOptional<_$typebox.TArray<_$typebox.TString>>;
   }>>;
 }>;
 type Role = Static<typeof roleSchema>;
@@ -720,6 +748,14 @@ declare class SecurityProvider {
    */
   getNameFromPayload(payload: Record<string, any>): string;
   getOrganizationFromPayload(payload: Record<string, any>): string | undefined;
+  /**
+   * Extracts the tenant id from the JWT payload, when present.
+   *
+   * Tokens minted with no active tenant (single-tenant apps, server-to-server
+   * calls before any request-scoped middleware runs) omit the claim, in which
+   * case the resolver does not enforce a tenant match.
+   */
+  getTenantFromPayload(payload: Record<string, any>): string | undefined;
 }
 /**
  * A realm definition.
@@ -827,6 +863,7 @@ interface IssuerExternal {
   jwks: (() => string) | JSONWebKeySet;
 }
 declare class IssuerPrimitive extends Primitive<IssuerPrimitiveOptions> {
+  protected readonly alepha: Alepha;
   protected readonly securityProvider: SecurityProvider;
   protected readonly dateTimeProvider: DateTimeProvider;
   protected readonly jwt: JwtProvider;
@@ -1124,6 +1161,16 @@ declare module "alepha" {
      * The current authenticated user.
      */
     "alepha.security.user"?: UserAccount;
+    /**
+     * The tenant the current request is acting in.
+     *
+     * Typically set by an app-level middleware from the request `Host`. When
+     * present, `Repository` scoping and session creation prefer this value
+     * over `currentUserAtom.organization`.
+     */
+    "alepha.security.tenant"?: {
+      id: string;
+    };
   }
 }
 declare module "alepha/server" {
@@ -1162,5 +1209,5 @@ declare module "alepha/server" {
  */
 declare const AlephaSecurity: _$alepha.Service<_$alepha.Module>;
 //#endregion
-export { $basicAuth, $issuer, $permission, $role, $secure, $serviceAccount, AccessTokenResponse, AlephaSecurity, BasicAuthOptions, CreateTokenOptions, ExtendedJWTPayload, InvalidCredentialsError, InvalidPermissionError, IssuerExternal, IssuerInternal, IssuerPrimitive, IssuerPrimitiveOptions, IssuerResolver, IssuerSettings, JwtParseResult, JwtProvider, JwtSignOptions, KeyLoader, KeyLoaderHolder, Oauth2ServiceAccountPrimitiveOptions, Permission, PermissionPrimitive, PermissionPrimitiveOptions, Realm, Role, RolePrimitive, RolePrimitiveOptions, SecureOptions, SecurityCheckResult, SecurityError, SecurityProvider, ServerSecurityProvider, ServerSecurityUserResolver, ServiceAccountPrimitive, ServiceAccountPrimitiveOptions, ServiceAccountStore, UserAccount, UserAccountToken, UserInfo, currentUserAtom, permissionSchema, roleSchema, userAccountInfoSchema };
+export { $basicAuth, $issuer, $permission, $role, $secure, $serviceAccount, AccessTokenResponse, AlephaSecurity, BasicAuthOptions, CreateTokenOptions, ExtendedJWTPayload, InvalidCredentialsError, InvalidPermissionError, IssuerExternal, IssuerInternal, IssuerPrimitive, IssuerPrimitiveOptions, IssuerResolver, IssuerSettings, JwtParseResult, JwtProvider, JwtSignOptions, KeyLoader, KeyLoaderHolder, Oauth2ServiceAccountPrimitiveOptions, Permission, PermissionPrimitive, PermissionPrimitiveOptions, Realm, Role, RolePrimitive, RolePrimitiveOptions, SecureOptions, SecurityCheckResult, SecurityError, SecurityProvider, ServerSecurityProvider, ServerSecurityUserResolver, ServiceAccountPrimitive, ServiceAccountPrimitiveOptions, ServiceAccountStore, UserAccount, UserAccountToken, UserInfo, currentTenantAtom, currentUserAtom, permissionSchema, roleSchema, userAccountInfoSchema };
 //# sourceMappingURL=index.d.ts.map

package/dist/security/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","names":["JWKParameters","kty","alg","key_ops","ext","use","x5c","x5t","x5u","kid","JWK_OKP_Public","crv","x","JWK_OKP_Private","d","JWK_AKP_Public","pub","JWK_AKP_Private","priv","JWK_EC_Public","y","JWK_EC_Private","JWK_RSA_Public","e","n","JWK_RSA_Private","dp","dq","p","q","qi","JWK_oct","k","JWK","GenericGetKeyFunction","IProtectedHeader","IToken","ReturnKeyTypes","Promise","protectedHeader","token","GetKeyFunction","CryptoKey","KeyObject","Uint8Array","FlattenedJWSInput","JWSHeaderParameters","header","payload","protected","signature","GeneralJWSInput","Omit","signatures","FlattenedJWS","Partial","GeneralJWS","JoseHeaderParameters","Pick","jku","jwk","typ","cty","b64","crit","propName","JWEKeyManagementHeaderParameters","apu","apv","p2c","p2s","iv","epk","FlattenedJWE","JWEHeaderParameters","aad","ciphertext","encrypted_key","tag","unprotected","GeneralJWE","recipients","enc","zip","CritOption","DecryptOptions","keyManagementAlgorithms","contentEncryptionAlgorithms","maxPBES2Count","maxDecompressedLength","EncryptOptions","JWTClaimVerificationOptions","Date","audience","clockTolerance","issuer","maxTokenAge","subject","currentDate","requiredClaims","VerifyOptions","algorithms","SignOptions","JWTPayload","iss","sub","aud","jti","nbf","exp","iat","FlattenedDecryptResult","additionalAuthenticatedData","plaintext","sharedUnprotectedHeader","unprotectedHeader","GeneralDecryptResult","CompactDecryptResult","CompactJWEHeaderParameters","FlattenedVerifyResult","GeneralVerifyResult","CompactVerifyResult","CompactJWSHeaderParameters","JWTVerifyResult","PayloadType","JWTHeaderParameters","JWTDecryptResult","ResolvedKey","key","JSONWebKeySet","keys","type","crypto","subtle","generateKey","ReturnType","Awaited","Extract","ProduceJWT","setIssuer","setSubject","setAudience","setJti","jwtId","setNotBefore","input","setExpirationTime","setIssuedAt","types","JWTVerifyOptions","VerifyOptions","JWTClaimVerificationOptions","JWTVerifyGetKey","JWTHeaderParameters","FlattenedJWSInput","CryptoKey","KeyObject","JWK","Uint8Array","GenericGetKeyFunction","jwtVerify","PayloadType","JWTPayload","JWTVerifyResult","Promise","jwt","key","options","ResolvedKey","getKey"],"sources":["../../src/security/schemas/userAccountInfoSchema.ts","../../src/security/interfaces/UserAccountToken.ts","../../src/security/atoms/currentUserAtom.ts","../../src/security/errors/InvalidCredentialsError.ts","../../src/security/errors/InvalidPermissionError.ts","../../src/security/errors/SecurityError.ts","../../src/security/interfaces/IssuerResolver.ts","../../src/security/primitives/$basicAuth.ts","../../../../node_modules/jose/dist/types/types.d.ts","../../../../node_modules/jose/dist/types/jwt/verify.d.ts","../../src/security/providers/JwtProvider.ts","../../src/security/schemas/permissionSchema.ts","../../src/security/schemas/roleSchema.ts","../../src/security/providers/SecurityProvider.ts","../../src/security/primitives/$issuer.ts","../../src/security/primitives/$permission.ts","../../src/security/primitives/$role.ts","../../src/security/primitives/$secure.ts","../../src/security/primitives/$serviceAccount.ts","../../src/security/providers/ServerSecurityProvider.ts","../../src/security/index.ts"],"x_google_ignoreList":[8,9],"mappings":";;;;;;;;;cAGa,qBAAA,WAAqB,OAAA;MAuDhC,QAAA,CAAA,OAAA;;;;;;;;;;KAEU,WAAA,GAAc,MAAA,QAAc,qBAAA;;;;;;;UCtDvB,gBAAA,SAAyB,WAAA;;;;EAIxC,KAAA;EDPW;;;ECYX,KAAA;;;;;EAMA,SAAA;AAAA;;;;;;;;;cCZW,eAAA,EAAe,QAAA,CAAA,IAAA,CAAA,QAAA,CAAA,SAAA,UAAA,OAAA;MAG1B,QAAA,CAAA,OAAA;;;;;;;;;;;;;;;;;;cCJW,uBAAA,SAAgC,iBAAA;EAAA,SAClC,IAAA;;;;;cCTE,sBAAA,SAA+B,KAAA;cAC9B,IAAA;AAAA;;;cCDD,aAAA,SAAsB,KAAA;EAC1B,IAAA;EAAA,SACS,MAAA;AAAA;;;;;;;KCKN,QAAA,GAAW,IAAA,CAAK,WAAA;EAC1B,SAAA;AAAA;;ANLF;;UMWiB,cAAA;EN4Cf;;;EMxCA,QAAA;;;;;;EAOA,SAAA,GAAY,GAAA,EAAK,aAAA,KAAkB,OAAA,CAAQ,QAAA;AAAA;;;UCrB5B,gBAAA;EACf,QAAA;EACA,QAAA;AAAA;;;;;;APHF;;;;;;;;;;iBOqBgB,UAAA,CAAW,OAAA,EAAS,gBAAA,GAAmB,UAAA;;;;UCvBtCA,aAAAA;;EAEfC,GAAAA;;;;;;EAMAC,GAAAA;ERNF;EQQEC,OAAAA;;EAEAC,GAAAA;;EAEAC,GAAAA;;EAEAC,GAAAA;;EAEAC,GAAAA;;EAEA,UAAA;;EAEAC,GAAAA;;EAEAC,GAAAA;AAAAA;;;;;;;;;;;;;;;UA2FewB,GAAAA,SAAYjC,aAAAA;;;;;EAK3BW,GAAAA;;;;;;EAMAG,CAAAA;;EAEAY,EAAAA;;EAEAC,EAAAA;;EAEAJ,CAAAA;;EAEAS,CAAAA;;EAEAR,CAAAA;;EAEAI,CAAAA;;EAEAC,CAAAA;;EAEAC,EAAAA;;;ALvIF;;EK4IElB,CAAAA;EL5I4D;EK8I5DQ,CAAAA;EL7IS;EK+ITJ,GAAAA;;EAEAE,IAAAA;AAAAA;;;;;UAqCe2B,iBAAAA;EFjLc;;;;;;EEwL7BE,MAAAA,GAASD,mBAAAA;EF7KT;;;;EEmLAE,OAAAA,WAAkBJ,UAAAA;EFnLiC;;;;ACrBrD;EC+MEK,SAAAA;ED9MA;ECiNAC,SAAAA;AAAAA;;UAyCeO,oBAAAA;EAlHf5B;EAoHApB,GAAAA;EA3GAW;EA8GAb,GAAAA;EA1GI;EA6GJD,GAAAA;EAxEgC;EA2EhCE,GAAAA;EApEAuC;EAuEAY,GAAAA;EAjEkBf;EAoElBgB,GAAAA,GAAMF,IAAAA,CAAKzB,GAAAA;EA1DF;EA6DT4B,GAAAA;EApBmC;EAuBnCC,GAAAA;AAAAA;;UAIehB,mBAAAA,SAA4BW,oBAAAA;EAhB3CjD;;;;;EAsBAN,GAAAA;EAVG;;AAIL;;EAYE6D,GAAAA;EAZ2CN;EAe3CO,IAAAA;EAAAA;EAAAA,CAGCC,QAAAA;AAAAA;;UAmIcmB,UAAAA;EEpZI;;;;;;;;;;;;;;;;;;EFuanBpB,IAAAA;IAAAA,CACGC,QAAAA;EAAAA;AAAAA;;UA0CY0B,2BAAAA;EE7TN;;;;AAGX;EFgUEE,QAAAA;EEhUoD;;;;;;;;;EF2UpDC,cAAAA;EEhUF;;;;;EFuUEC,MAAAA;EErUwB;;;;;;AC7L1B;;EH4gBEC,WAAAA;;;;;;EAOAC,OAAAA;;;;;;EAOApC,GAAAA;;EAGAqC,WAAAA,GAAcN,IAAAA;;;;;;;;;EAUdO,cAAAA;AAAAA;AGvgBF;AAAA,UH2gBiBC,aAAAA,SAAsBhB,UAAAA;;;;;;;AI3iBvC;EJmjBEiB,UAAAA;AAAAA;;UAOeE,UAAAA;;;;;;EAMfC,GAAAA;;;;;;EAOAC,GAAAA;;;;;;EAOAC,GAAAA;;;;;;EAOAC,GAAAA;;;;;;EAOAC,GAAAA;;;;;;EAOAC,GAAAA;EK3kB2B;;;;;ELklB3BC,GAAAA;EKzkBiC;EAAA,CL4kBhC7C,QAAAA;AAAAA;;UA0Dc0D,eAAAA,eAA8BpB,UAAAA;EKtoB1B;ELwoBnBvD,OAAAA,EAAS4E,WAAAA,GAAcrB,UAAAA;EK/nBJ;ELkoBnBhE,eAAAA,EAAiBsF,mBAAAA;AAAAA;;UAmBFH,0BAAAA,SAAmC5E,mBAAAA;EAClD5C,GAAAA;AAAAA;;UAIe2H,mBAAAA,SAA4BH,0BAAAA;EAC3C3D,GAAAA;AAAAA;;UAUekE,aAAAA;EACfC,IAAAA,EAAMjG,GAAAA;AAAAA;;;;;;UAQSU,SAAAA;EACfwF,IAAAA;AAAAA;;;;;;;KASUzF,SAAAA,GAAY+F,OAAAA,CACtBD,OAAAA,CAAQD,UAAAA,QAAkBH,MAAAA,CAAOC,MAAAA,CAAOC,WAAAA;EACtCH,IAAAA;AAAAA;;;;UChuBakB,gBAAAA,SAAyBD,aAAAA,EAAqBA,2BAAAA;;;;;;cCkBlD,WAAA;EAAA,mBACQ,GAAA,EADG,gBAAA,CACA,MAAA;EAAA,mBACH,QAAA,EAAU,eAAA;EAAA,mBACV,gBAAA,EAAgB,gBAAA;EAAA,mBAChB,OAAA,EAAO,WAAA;EV6B1B;;;;;;EUrBO,YAAA,CAAa,IAAA,UAAc,eAAA,WAA0B,aAAA;;;;;;;;EAiC/C,KAAA,CACX,KAAA,UACA,OAAA,WACA,OAAA,GAAU,gBAAA,GACT,OAAA,CAAQ,cAAA;;;;;;;;;;EAwDE,MAAA,CACX,OAAA,EAAS,kBAAA,EACT,OAAA,WACA,WAAA,GAAc,cAAA,GACb,OAAA;;;;;;;YAyBO,WAAA,CAAY,GAAA;AAAA;AAAA,KAKZ,SAAA,IACV,eAAA,GAAkB,mBAAA,EAClB,KAAA,GAAQ,iBAAA,KACL,OAAA,CAAQ,SAAA,GAAY,SAAA;AAAA,UAER,eAAA;EACf,IAAA;EACA,SAAA,EAAW,SAAA;EACX,SAAA;AAAA;AAAA,UAGe,cAAA;EACf,MAAA,GAAS,OAAA,CAAQ,mBAAA;AAAA;AAAA,UAGF,kBAAA,SAA2B,UAAA;EAC1C,GAAA;EAEA,IAAA;EACA,KAAA;EACA,KAAA;EACA,YAAA;EAEA,YAAA;IAAiB,KAAA;EAAA;AAAA;AAAA,UAGF,cAAA;EACf,OAAA;EACA,MAAA,EAAQ,eAAA,CAAgB,kBAAA;AAAA;;;cC7Lb,gBAAA,WAAgB,OAAA;QA8B3B,QAAA,CAAA,OAAA;;;;;;KAEU,UAAA,GAAa,MAAA,QAAc,gBAAA;;;cChC1B,UAAA,WAAU,OAAA;QAqCrB,QAAA,CAAA,OAAA;;;;;;;;;KAEU,IAAA,GAAO,MAAA,QAAc,UAAA;;;cCfpB,gBAAA;EAAA,mBACQ,iBAAA;EAAA,mBACA,iBAAA,EAAiB,MAAA;EAAA,mBACjB,0BAAA,EAA0B,MAAA;EAAA,mBAG1B,GAAA,EAH0B,gBAAA,CAGvB,MAAA;EAAA,mBACH,GAAA,EAAG,WAAA;EAAA,mBACH,MAAA,EAAM,MAAA;EAAA,mBACN,cAAA,EAAc,cAAA;EAAA,IAEtB,SAAA,CAAA;;;;qBAOQ,WAAA,EAAa,UAAA;;;;qBAKb,MAAA,EAAQ,KAAA;EAAA,UAmBjB,KAAA,EAnBsB,QAAA,CAmBjB,aAAA;;;;YAwBL,wBAAA,CAAyB,SAAA,WAAoB,cAAA;Eb1FvB;;;;;;EayHzB,UAAA,CAAW,IAAA,EAAM,IAAA,KAAS,MAAA,aAAmB,IAAA;;;;;;EAgE7C,gBAAA,CAAiB,GAAA,EAAK,UAAA,YAAsB,UAAA;EA0D5C,WAAA,CAAY,KAAA,EAAO,KAAA;;;;;;;;;EAiBb,WAAA,CAAY,KAAA,UAAe,KAAA,EAAO,IAAA,KAAS,OAAA;;;;;;;;;EAuBjD,qBAAA,CACL,OAAA,EAAS,UAAA,EACT,SAAA,YACC,WAAA;EbrOO;;;;Ea4QH,UAAA,CACL,QAAA,EAAU,QAAA,EACV,OAAA;IACE,KAAA;IACA,UAAA,GAAa,UAAA;EAAA,IAEd,gBAAA;EZxUY;;;;EY4WR,gBAAA,CAAiB,QAAA,EAAU,cAAA,EAAgB,SAAA;EZxWlD;;;;EYsXO,QAAA,CAAS,SAAA,YAAqB,KAAA;;;;AXvXvC;;;;;;EW4Ye,4BAAA,CACX,GAAA;IAAO,GAAA,EAAK,GAAA;IAAc,OAAA;MAAW,aAAA;IAAA;EAAA,GACrC,OAAA;IACE,KAAA;IACA,UAAA,GAAa,UAAA;EAAA,IAEd,OAAA,CAAQ,gBAAA;;;;;;;;;EA0DJ,eAAA,CACL,cAAA,WAAyB,UAAA,KACtB,WAAA,aACF,mBAAA;EX/cuB;;;EWuiBb,mBAAA,CACX,aAAA,WACA,OAAA;IACE,UAAA,GAAa,UAAA;IACb,KAAA;IACA,MAAA,GAAS,gBAAA;EAAA,IAEV,OAAA,CAAQ,gBAAA;;;;;;;;EA2DJ,GAAA,CAAI,QAAA,UAAkB,UAAA,WAAqB,UAAA;;;;EAO3C,SAAA,CACL,QAAA,UACA,UAAA,WAAqB,UAAA;;;;;;EAUhB,kBAAA,CAAmB,UAAA,EAAY,UAAA;;;;EAoB/B,YAAA,CAAa,IAAA,EAAM,gBAAA,EAAkB,OAAA;;;;EAWrC,kBAAA,CAAmB,IAAA,EAAM,gBAAA;EAOzB,SAAA,CAAA,GAAa,KAAA;;;AVnqBtB;;;EU4qBS,QAAA,CAAS,KAAA,YAAiB,IAAA;EV5qBU;;;;;;;EU2rBpC,cAAA,CAAe,IAAA;IACpB,KAAA,GAAQ,KAAA,CAAM,IAAA;IACd,KAAA;EAAA,IACE,UAAA;ETtsB2C;;;;;;ESqyBxC,gBAAA,CAAiB,OAAA,EAAS,MAAA;EAgB1B,uBAAA,CACL,OAAA,EAAS,MAAA;;ARtzBb;;;;EQq0BS,mBAAA,CAAoB,OAAA,EAAS,MAAA;EAI7B,qBAAA,CACL,OAAA,EAAS,MAAA;EAqBJ,sBAAA,CACL,OAAA,EAAS,MAAA;EAiBJ,mBAAA,CAAoB,OAAA,EAAS,MAAA;ER/2Bd;;;;ACKxB;;EO43BS,kBAAA,CAAmB,OAAA,EAAS,MAAA;EAmB5B,0BAAA,CACL,OAAA,EAAS,MAAA;AAAA;;;;UAiBI,KAAA;EACf,IAAA;EAEA,KAAA,EAAO,IAAA;;;;;;EAOP,MAAA,YAAkB,aAAA;EPh6BlB;;;;EOs6BA,OAAA,IAAW,GAAA,EAAK,MAAA,kBAAwB,WAAA;EP/5BG;;;EOo6B3C,SAAA,GAAY,cAAA;AAAA;AAAA,UAGG,mBAAA;EACf,YAAA;EACA,SAAA;AAAA;;;;;Ab/7BF;;;;ccmBa,OAAA;EAAA,UAAoB,sBAAA,GAAyB,eAAA;EAAA;;KAM9C,sBAAA;;;;;EAKV,IAAA;;;;EAKA,WAAA;;;;EAKA,KAAA,GAAQ,KAAA,UAAe,IAAA;EdxCS;;;Ec6ChC,QAAA,GAAW,cAAA;;;;EAKX,OAAA,IAAW,UAAA,EAAY,MAAA,kBAAwB,WAAA;;;;EAK/C,SAAA,GAAY,cAAA;AAAA,KACT,cAAA,GAAiB,cAAA;AAAA,UAEL,cAAA;EACf,WAAA;;;;;IAKE,UAAA,GAAa,YAAA;EAAA;EAGf,YAAA;;;;;IAKE,UAAA,GAAa,YAAA;EAAA;EAUf,eAAA,IACE,IAAA,EAAM,WAAA,EACN,MAAA;IACE,SAAA;EAAA,MAEC,OAAA;IACH,YAAA;IACA,SAAA;EAAA;EAGF,gBAAA,IAAoB,YAAA,aAAyB,OAAA;IAC3C,IAAA,EAAM,WAAA;IACN,SAAA;IACA,SAAA;EAAA;EAGF,eAAA,IAAmB,YAAA,aAAyB,OAAA;AAAA;AAAA,KAGlC,cAAA;;;;EAIV,MAAA;AAAA;AAAA,UAGe,cAAA;Eb1FN;;;Ea8FT,IAAA,mBAAuB,aAAA;AAAA;AAAA,cAKZ,eAAA,SAAwB,SAAA,CAAU,sBAAA;EAAA,mBAC1B,gBAAA,EAAgB,gBAAA;EAAA,mBAChB,gBAAA,EAAgB,gBAAA;EAAA,mBAChB,GAAA,EAAG,WAAA;EAAA,mBACH,GAAA,EADG,gBAAA,CACA,MAAA;EAAA,IAEX,IAAA,CAAA;EAAA,IAIA,qBAAA,CAAA,GAAyB,QAAA;EAAA,IAMzB,sBAAA,CAAA,GAA0B,QAAA;EAAA,UAM3B,MAAA,CAAA;;;;YAkCA,iBAAA,CAAA,GAAqB,cAAA;;;;;EAgCxB,gBAAA,CAAiB,QAAA,EAAU,cAAA;;;;EAO3B,QAAA,CAAA,GAAY,IAAA;EZ9MO;;;EYqNb,QAAA,CAAS,KAAA,EAAO,IAAA,KAAS,OAAA;EZrNZ;;;EY4NnB,aAAA,CAAc,IAAA,WAAe,IAAA;EAQvB,UAAA,CAAW,KAAA,WAAgB,OAAA,CAAQ,UAAA;;;;EAQnC,WAAA,CACX,IAAA,EAAM,WAAA,EACN,YAAA;IACE,GAAA;IACA,aAAA;IACA,wBAAA;EAAA,IAED,OAAA,CAAQ,mBAAA;EAoFE,YAAA,CACX,YAAA,UACA,WAAA,YACC,OAAA;IACD,MAAA,EAAQ,mBAAA;IACR,IAAA,EAAM,WAAA;EAAA;AAAA;AAAA,UAoEO,kBAAA;EACf,GAAA;EACA,KAAA;EACA,KAAA;AAAA;AAAA,UAGe,mBAAA;EACf,YAAA;EACA,UAAA;EACA,UAAA;EACA,SAAA;EACA,aAAA;EACA,wBAAA;EACA,KAAA;AAAA;;;;;;cC/ZW,WAAA;EAAA,WACF,0BAAA,GACR,mBAAA;EAAA;;UAMc,0BAAA;Ef2Cf;;;EevCA,IAAA;;;;EAKA,KAAA;;;;EAKA,WAAA;AAAA;AAAA,cAKW,mBAAA,SAA4B,SAAA,CAAU,0BAAA;EAAA,mBAC9B,gBAAA,EAAgB,gBAAA;EAAA,IAExB,IAAA,CAAA;EAAA,IAIA,KAAA,CAAA;EAIJ,QAAA,CAAA;EAAA,UAIG,MAAA,CAAA;;;;EAWH,GAAA,CAAI,IAAA,GAAO,WAAA;AAAA;;;;;;cCpDP,KAAA;EAAA,WAAkB,oBAAA,GAA4B,aAAA;EAAA;;UAM1C,oBAAA;;;;EAIf,IAAA;;;;EAKA,WAAA;EAEA,MAAA,YAAkB,eAAA;EAElB,WAAA,GAAc,KAAA;IAGR,IAAA;IACA,SAAA;IACA,OAAA;EAAA;AAAA;AAAA,cAKK,aAAA,SAAsB,SAAA,CAAU,oBAAA;EAAA,mBACxB,gBAAA,EAAgB,gBAAA;EAAA,IAExB,IAAA,CAAA;EAAA,UAID,MAAA,CAAA;;;;MAoBC,MAAA,CAAA,YAAmB,eAAA;EAIvB,GAAA,CAAI,UAAA,WAAqB,mBAAA;EAIzB,KAAA,CAAM,UAAA,WAAqB,mBAAA,GAAmB,mBAAA;AAAA;;;UCjEtC,aAAA;;;;;EAKf,OAAA;;AjBTF;;EiBcE,KAAA;EjByCA;;;EiBpCA,WAAA,aAAwB,UAAA;;;;;EAMxB,KAAA,IAAS,IAAA,EAAM,gBAAA;AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AjBgCjB;;;;;;;;ACtDA;;;;;iBgB+EgB,OAAA,CAAQ,OAAA,GAAU,aAAA,GAAgB,UAAA;;;;;;;;;;;AjBlFlD;;;;;;;;;;;;;;;;;;;;ckB8Ba,eAAA,GACX,OAAA,EAAS,8BAAA,KACR,uBAAA;AAAA,KAqHS,8BAAA;EACV,WAAA;AAAA;EAGI,MAAA,EAAQ,oCAAA;AAAA;EAGR,MAAA,EAAQ,eAAA;EACR,IAAA,EAAM,WAAA;AAAA;AAAA,UAIK,oCAAA;;;;EAIf,GAAA;;;;EAKA,QAAA;;;;EAKA,YAAA;AAAA;AAAA,UAGe,uBAAA;EACf,KAAA,QAAa,OAAA;AAAA;AAAA,UAGE,mBAAA;EACf,QAAA,GAAW,mBAAA;AAAA;;;cCjLA,sBAAA;EAAA,mBACQ,GAAA,EADc,gBAAA,CACX,MAAA;EAAA,mBACH,gBAAA,EAAgB,gBAAA;EAAA,mBAChB,WAAA,EAAW,WAAA;EAAA,mBACX,MAAA,EAAM,MAAA;EAAA,mBAEN,eAAA,EAFM,QAAA,CAES,aAAA;EAAA,mBA8Bf,eAAA,EA9Be,QAAA,CA8BA,aAAA;EAAA,UA0BxB,cAAA,CAAA,GAAkB,gBAAA;EAAA,mBAQT,eAAA,EARyB,QAAA,CAQV,aAAA;AAAA;AAAA,KAmCxB,0BAAA,IACV,OAAA,EAAS,aAAA,KACN,OAAA,CAAQ,gBAAA;;;;YC/ED,KAAA;IACR,uBAAA;MACE,KAAA;MACA,IAAA,EAAM,WAAA;IAAA;EAAA;EAAA,UAIA,KAAA;;;;;;;IAOR,6BAAA,GAAgC,gBAAA;;;;IAKhC,sBAAA,GAAyB,WAAA;EAAA;AAAA;AAAA;EAAA,UAKjB,aAAA;IACR,IAAA,GAAO,gBAAA;EAAA;EAAA,UAGC,mBAAA;IACR,IAAA,EAAM,gBAAA;EAAA;EAAA,UAGE,oBAAA,SAA6B,YAAA;;;;;;;;IAQrC,IAAA,GAAO,gBAAA;EAAA;AAAA;;;;ApBjBX;;;;;;;;ACtDA;;;;;cmB6Fa,cAAA,EAAc,QAAA,CAAA,OAAA,CAKzB,QAAA,CALyB,MAAA"}
+{"version":3,"file":"index.d.ts","names":["JWKParameters","kty","alg","key_ops","ext","use","x5c","x5t","x5u","kid","JWK_OKP_Public","crv","x","JWK_OKP_Private","d","JWK_AKP_Public","pub","JWK_AKP_Private","priv","JWK_EC_Public","y","JWK_EC_Private","JWK_RSA_Public","e","n","JWK_RSA_Private","dp","dq","p","q","qi","JWK_oct","k","JWK","GenericGetKeyFunction","IProtectedHeader","IToken","ReturnKeyTypes","Promise","protectedHeader","token","GetKeyFunction","CryptoKey","KeyObject","Uint8Array","FlattenedJWSInput","JWSHeaderParameters","header","payload","protected","signature","GeneralJWSInput","Omit","signatures","FlattenedJWS","Partial","GeneralJWS","JoseHeaderParameters","Pick","jku","jwk","typ","cty","b64","crit","propName","JWEKeyManagementHeaderParameters","apu","apv","p2c","p2s","iv","epk","FlattenedJWE","JWEHeaderParameters","aad","ciphertext","encrypted_key","tag","unprotected","GeneralJWE","recipients","enc","zip","CritOption","DecryptOptions","keyManagementAlgorithms","contentEncryptionAlgorithms","maxPBES2Count","maxDecompressedLength","EncryptOptions","JWTClaimVerificationOptions","Date","audience","clockTolerance","issuer","maxTokenAge","subject","currentDate","requiredClaims","VerifyOptions","algorithms","SignOptions","JWTPayload","iss","sub","aud","jti","nbf","exp","iat","FlattenedDecryptResult","additionalAuthenticatedData","plaintext","sharedUnprotectedHeader","unprotectedHeader","GeneralDecryptResult","CompactDecryptResult","CompactJWEHeaderParameters","FlattenedVerifyResult","GeneralVerifyResult","CompactVerifyResult","CompactJWSHeaderParameters","JWTVerifyResult","PayloadType","JWTHeaderParameters","JWTDecryptResult","ResolvedKey","key","JSONWebKeySet","keys","type","crypto","subtle","generateKey","ReturnType","Awaited","Extract","ProduceJWT","setIssuer","setSubject","setAudience","setJti","jwtId","setNotBefore","input","setExpirationTime","setIssuedAt","types","JWTVerifyOptions","VerifyOptions","JWTClaimVerificationOptions","JWTVerifyGetKey","JWTHeaderParameters","FlattenedJWSInput","CryptoKey","KeyObject","JWK","Uint8Array","GenericGetKeyFunction","jwtVerify","PayloadType","JWTPayload","JWTVerifyResult","Promise","jwt","key","options","ResolvedKey","getKey"],"sources":["../../src/security/schemas/userAccountInfoSchema.ts","../../src/security/interfaces/UserAccountToken.ts","../../src/security/atoms/currentTenantAtom.ts","../../src/security/atoms/currentUserAtom.ts","../../src/security/errors/InvalidCredentialsError.ts","../../src/security/errors/InvalidPermissionError.ts","../../src/security/errors/SecurityError.ts","../../src/security/interfaces/IssuerResolver.ts","../../src/security/primitives/$basicAuth.ts","../../../../node_modules/jose/dist/types/types.d.ts","../../../../node_modules/jose/dist/types/jwt/verify.d.ts","../../src/security/providers/JwtProvider.ts","../../src/security/schemas/permissionSchema.ts","../../src/security/schemas/roleSchema.ts","../../src/security/providers/SecurityProvider.ts","../../src/security/primitives/$issuer.ts","../../src/security/primitives/$permission.ts","../../src/security/primitives/$role.ts","../../src/security/primitives/$secure.ts","../../src/security/primitives/$serviceAccount.ts","../../src/security/providers/ServerSecurityProvider.ts","../../src/security/index.ts"],"x_google_ignoreList":[9,10],"mappings":";;;;;;;;;;cAGa,qBAAA,YAAqB,OAAA;MAuDhC,SAAA,CAAA,OAAA;;;;;;;;;;KAEU,WAAA,GAAc,MAAA,QAAc,qBAAA;;;;;;;UCtDvB,gBAAA,SAAyB,WAAA;;;;EAIxC,KAAA;;ADPF;;ECYE,KAAA;ED2CA;;;;ECrCA,SAAA;AAAA;;;;;;;;;;;;;;ADlBF;;;;;;;;;;;cEqBa,iBAAA,EAAiB,QAAA,CAAA,IAAA,CAAA,SAAA,CAAA,SAAA,WAAA,OAAA;MAS5B,SAAA,CAAA,OAAA;AAAA;;;;;;;;;cCxBW,eAAA,EAAe,QAAA,CAAA,IAAA,CAAA,SAAA,CAAA,SAAA,WAAA,OAAA;MAG1B,SAAA,CAAA,OAAA;;;;;;;;;;;;;;;;;;cCJW,uBAAA,SAAgC,iBAAA;EAAA,SAClC,IAAA;;;;;cCTE,sBAAA,SAA+B,KAAA;cAC9B,IAAA;AAAA;;;cCDD,aAAA,SAAsB,KAAA;EAC1B,IAAA;EAAA,SACS,MAAA;AAAA;;;;;;;KCKN,QAAA,GAAW,IAAA,CAAK,WAAA;EAC1B,SAAA;AAAA;;;APLF;UOWiB,cAAA;;;;EAIf,QAAA;;;;;;EAOA,SAAA,GAAY,GAAA,EAAK,aAAA,KAAkB,OAAA,CAAQ,QAAA;AAAA;;;UCrB5B,gBAAA;EACf,QAAA;EACA,QAAA;AAAA;;;;;;;ARHF;;;;;;;;;iBQqBgB,UAAA,CAAW,OAAA,EAAS,gBAAA,GAAmB,UAAA;;;;UCvBtCA,aAAAA;;EAEfC,GAAAA;;;;;;EAMAC,GAAAA;;EAEAC,OAAAA;ET+CA;ES7CAC,GAAAA;ET6CA;ES3CAC,GAAAA;;EAEAC,GAAAA;;EAEAC,GAAAA;;EAEA,UAAA;;EAEAC,GAAAA;;EAEAC,GAAAA;AAAAA;;;;ANhBF;;;;;;;;;;;UM2GiBwB,GAAAA,SAAYjC,aAAAA;;;;;EAK3BW,GAAAA;;;;;;EAMAG,CAAAA;ENtH0B;EMwH1BY,EAAAA;ENxH0B;EM0H1BC,EAAAA;EN1H0B;EM4H1BJ,CAAAA;;EAEAS,CAAAA;;EAEAR,CAAAA;;EAEAI,CAAAA;;EAEAC,CAAAA;;EAEAC,EAAAA;;;;;EAKAlB,CAAAA;;EAEAQ,CAAAA;;EAEAJ,GAAAA;;EAEAE,IAAAA;AAAAA;;;;AH1JF;UG+LiB2B,iBAAAA;;;;;;;EAOfE,MAAAA,GAASD,mBAAAA;;;AF/LX;;EEqMEE,OAAAA,WAAkBJ,UAAAA;EFrMG;;;;;EE4MrBK,SAAAA;;EAGAC,SAAAA;AAAAA;;UAyCeO,oBAAAA;EA9OfnD;EAgPAG,GAAAA;EA1OAD;EA6OAD,GAAAA;EA3OG;EA8OHD,GAAAA;;EAGAE,GAAAA;EAjJAG;EAoJAgD,GAAAA;EA1IAhC;EA6IAiC,GAAAA,GAAMF,IAAAA,CAAKzB,GAAAA;EAvIXT;EA0IAqC,GAAAA;EApIA/B;EAuIAgC,GAAAA;AAAAA;;UAIehB,mBAAAA,SAA4BW,oBAAAA;EAhIvC;AAqCN;;;;EAiGEvD,GAAAA;EApFA8C;;;;EA0FAe,GAAAA;EAvCF;EA0CEC,IAAAA;EAzBU;EAAA,CA4BTC,QAAAA;AAAAA;;UAmIcmB,UAAAA;;;AEtZjB;;;;;;;;;;;;;;;;EFyaEpB,IAAAA;IAAAA,CACGC,QAAAA;EAAAA;AAAAA;;UA0CY0B,2BAAAA;EEtUZ;;;;;EF4UHE,QAAAA;;;;;;;;;AEpUF;EF+UEC,cAAAA;EE9UgB;;;;;EFqVhBC,MAAAA;EElVkC;;;;;;;;EF4VlCC,WAAAA;EEpViB;;;AAGnB;;EFwVEC,OAAAA;EEvVA;;;;;EF8VApC,GAAAA;;EAGAqC,WAAAA,GAAcN,IAAAA;EG/fd;;;;;;;;EHygBAO,cAAAA;AAAAA;;UAIeC,aAAAA,SAAsBhB,UAAAA;EG3iBV;;;;;;;EHmjB3BiB,UAAAA;AAAAA;;UAOeE,UAAAA;;;;AG1hBjB;;EHgiBEC,GAAAA;EGhiBqD;;;;AChCvD;EJukBEC,GAAAA;EIliBA;;;;;EJyiBAC,GAAAA;;;;;;EAOAC,GAAAA;EIrlBqB;;;;;EJ4lBrBC,GAAAA;;;;;;EAOAC,GAAAA;;;;;;EAOAC,GAAAA;;GAGC7C,QAAAA;AAAAA;;UA0Dc0D,eAAAA,eAA8BpB,UAAAA;EK8JlC;EL5JXvD,OAAAA,EAAS4E,WAAAA,GAAcrB,UAAAA;EKsMZ;ELnMXhE,eAAAA,EAAiBsF,mBAAAA;AAAAA;;UAmBFH,0BAAAA,SAAmC5E,mBAAAA;EAClD5C,GAAAA;AAAAA;;UAIe2H,mBAAAA,SAA4BH,0BAAAA;EAC3C3D,GAAAA;AAAAA;;UAUekE,aAAAA;EACfC,IAAAA,EAAMjG,GAAAA;AAAAA;;;;;;UAQSU,SAAAA;EACfwF,IAAAA;AAAAA;;;;;;;KASUzF,SAAAA,GAAY+F,OAAAA,CACtBD,OAAAA,CAAQD,UAAAA,QAAkBH,MAAAA,CAAOC,MAAAA,CAAOC,WAAAA;EACtCH,IAAAA;AAAAA;;;;UChuBakB,gBAAAA,SAAyBD,aAAAA,EAAqBA,2BAAAA;;;;;;cCkBlD,WAAA;EAAA,mBACQ,GAAA,EADG,gBAAA,CACA,MAAA;EAAA,mBACH,QAAA,EAAU,eAAA;EAAA,mBACV,gBAAA,EAAgB,gBAAA;EAAA,mBAChB,OAAA,EAAO,WAAA;EX1Bf;;;;;;EWkCJ,YAAA,CAAa,IAAA,UAAc,eAAA,WAA0B,aAAA;;;;;;;;EAiC/C,KAAA,CACX,KAAA,UACA,OAAA,WACA,OAAA,GAAU,gBAAA,GACT,OAAA,CAAQ,cAAA;;;;;;;;;;EAwDE,MAAA,CACX,OAAA,EAAS,kBAAA,EACT,OAAA,WACA,WAAA,GAAc,cAAA,GACb,OAAA;;;;;;;YAyBO,WAAA,CAAY,GAAA;AAAA;AAAA,KAKZ,SAAA,IACV,eAAA,GAAkB,mBAAA,EAClB,KAAA,GAAQ,iBAAA,KACL,OAAA,CAAQ,SAAA,GAAY,SAAA;AAAA,UAER,eAAA;EACf,IAAA;EACA,SAAA,EAAW,SAAA;EACX,SAAA;AAAA;AAAA,UAGe,cAAA;EACf,MAAA,GAAS,OAAA,CAAQ,mBAAA;AAAA;AAAA,UAGF,kBAAA,SAA2B,UAAA;EAC1C,GAAA;EAEA,IAAA;EACA,KAAA;EACA,KAAA;EACA,YAAA;EAEA,YAAA;IAAiB,KAAA;EAAA;AAAA;AAAA,UAGF,cAAA;EACf,OAAA;EACA,MAAA,EAAQ,eAAA,CAAgB,kBAAA;AAAA;;;cC7Lb,gBAAA,YAAgB,OAAA;QA8B3B,SAAA,CAAA,OAAA;;;;;;KAEU,UAAA,GAAa,MAAA,QAAc,gBAAA;;;cChC1B,UAAA,YAAU,OAAA;QAqCrB,SAAA,CAAA,OAAA;;;;;;;;;KAEU,IAAA,GAAO,MAAA,QAAc,UAAA;;;cCdpB,gBAAA;EAAA,mBACQ,iBAAA;EAAA,mBACA,iBAAA,EAAiB,MAAA;EAAA,mBACjB,0BAAA,EAA0B,MAAA;EAAA,mBAG1B,GAAA,EAH0B,gBAAA,CAGvB,MAAA;EAAA,mBACH,GAAA,EAAG,WAAA;EAAA,mBACH,MAAA,EAAM,MAAA;EAAA,mBACN,cAAA,EAAc,cAAA;EAAA,IAEtB,SAAA,CAAA;;;;qBAOQ,WAAA,EAAa,UAAA;;;;qBAKb,MAAA,EAAQ,KAAA;EAAA,UAmBjB,KAAA,EAnBsB,QAAA,CAmBjB,aAAA;;;;YAwBL,wBAAA,CAAyB,SAAA,WAAoB,cAAA;;;;;;;EAgDhD,UAAA,CAAW,IAAA,EAAM,IAAA,KAAS,MAAA,aAAmB,IAAA;;;;;;EAgE7C,gBAAA,CAAiB,GAAA,EAAK,UAAA,YAAsB,UAAA;EA0D5C,WAAA,CAAY,KAAA,EAAO,KAAA;;;;;;;;;EAiBb,WAAA,CAAY,KAAA,UAAe,KAAA,EAAO,IAAA,KAAS,OAAA;;;;;;;;;EAuBjD,qBAAA,CACL,OAAA,EAAS,UAAA,EACT,SAAA,YACC,WAAA;;AdvPL;;;Ec8RS,UAAA,CACL,QAAA,EAAU,QAAA,EACV,OAAA;IACE,KAAA;IACA,UAAA,GAAa,UAAA;EAAA,IAEd,gBAAA;;Ab1VL;;;Ea8XS,gBAAA,CAAiB,QAAA,EAAU,cAAA,EAAgB,SAAA;Eb9XV;;;;Ea4YjC,QAAA,CAAS,SAAA,YAAqB,KAAA;Eb7X5B;;;;ACGX;;;;;EY+Ye,4BAAA,CACX,GAAA;IAAO,GAAA,EAAK,GAAA;IAAc,OAAA;MAAW,aAAA;IAAA;EAAA,GACrC,OAAA;IACE,KAAA;IACA,UAAA,GAAa,UAAA;EAAA,IAEd,OAAA,CAAQ,gBAAA;;;;;;AXpab;;;EW8dS,eAAA,CACL,cAAA,WAAyB,UAAA,KACtB,WAAA,aACF,mBAAA;;;;EAwFU,mBAAA,CACX,aAAA,WACA,OAAA;IACE,UAAA,GAAa,UAAA;IACb,KAAA;IACA,MAAA,GAAS,gBAAA;EAAA,IAEV,OAAA,CAAQ,gBAAA;;;;;;;;EA2DJ,GAAA,CAAI,QAAA,UAAkB,UAAA,WAAqB,UAAA;;;;EAO3C,SAAA,CACL,QAAA,UACA,UAAA,WAAqB,UAAA;EXpoBG;;;;;EW8oBnB,kBAAA,CAAmB,UAAA,EAAY,UAAA;;;;EAoB/B,YAAA,CAAa,IAAA,EAAM,gBAAA,EAAkB,OAAA;;;;EAWrC,kBAAA,CAAmB,IAAA,EAAM,gBAAA;EAOzB,SAAA,CAAA,GAAa,KAAA;;;;;;EASb,QAAA,CAAS,KAAA,YAAiB,IAAA;;;;;;;;EAe1B,cAAA,CAAe,IAAA;IACpB,KAAA,GAAQ,KAAA,CAAM,IAAA;IACd,KAAA;EAAA,IACE,UAAA;;;;;;AVhtBN;EU+yBS,gBAAA,CAAiB,OAAA,EAAS,MAAA;EAgB1B,uBAAA,CACL,OAAA,EAAS,MAAA;EVh0BiD;;;;;EU+0BrD,mBAAA,CAAoB,OAAA,EAAS,MAAA;EAI7B,qBAAA,CACL,OAAA,EAAS,MAAA;EAqBJ,sBAAA,CACL,OAAA,EAAS,MAAA;EAiBJ,mBAAA,CAAoB,OAAA,EAAS,MAAA;ETn4BzB;;;;;;ESq5BJ,kBAAA,CAAmB,OAAA,EAAS,MAAA;EAmB5B,0BAAA,CACL,OAAA,EAAS,MAAA;ETx6Ba;;;;ACD1B;;;EQ27BS,oBAAA,CACL,OAAA,EAAS,MAAA;AAAA;;;;UAiBI,KAAA;EACf,IAAA;EAEA,KAAA,EAAO,IAAA;;APz8BT;;;;EOg9BE,MAAA,YAAkB,aAAA;EPh9BQ;;;;EOs9B1B,OAAA,IAAW,GAAA,EAAK,MAAA,kBAAwB,WAAA;EP/8BX;;;EOo9B7B,SAAA,GAAY,cAAA;AAAA;AAAA,UAGG,mBAAA;EACf,YAAA;EACA,SAAA;AAAA;;;;;;Adp+BF;;;ce2Ba,OAAA;EAAA,UAAoB,sBAAA,GAAyB,eAAA;EAAA;;KAM9C,sBAAA;;;;;EAKV,IAAA;;;;EAKA,WAAA;;;;EAKA,KAAA,GAAQ,KAAA,UAAe,IAAA;;;;EAKvB,QAAA,GAAW,cAAA;;;;EAKX,OAAA,IAAW,UAAA,EAAY,MAAA,kBAAwB,WAAA;;;;EAK/C,SAAA,GAAY,cAAA;AAAA,KACT,cAAA,GAAiB,cAAA;AAAA,UAEL,cAAA;EACf,WAAA;;;;;IAKE,UAAA,GAAa,YAAA;EAAA;EAGf,YAAA;;;;;IAKE,UAAA,GAAa,YAAA;EAAA;EAUf,eAAA,IACE,IAAA,EAAM,WAAA,EACN,MAAA;IACE,SAAA;EAAA,MAEC,OAAA;IACH,YAAA;IACA,SAAA;EAAA;EAGF,gBAAA,IAAoB,YAAA,aAAyB,OAAA;IAC3C,IAAA,EAAM,WAAA;IACN,SAAA;IACA,SAAA;EAAA;EAGF,eAAA,IAAmB,YAAA,aAAyB,OAAA;AAAA;AAAA,KAGlC,cAAA;Ed1GsB;;;Ec8GhC,MAAA;AAAA;AAAA,UAGe,cAAA;EdlGf;;;EcsGA,IAAA,mBAAuB,aAAA;AAAA;AAAA,cAKZ,eAAA,SAAwB,SAAA,CAAU,sBAAA;EAAA,mBAC1B,MAAA,EAAM,MAAA;EAAA,mBACN,gBAAA,EAAgB,gBAAA;EAAA,mBAChB,gBAAA,EAAgB,gBAAA;EAAA,mBAChB,GAAA,EAAG,WAAA;EAAA,mBACH,GAAA,EADG,gBAAA,CACA,MAAA;EAAA,IAEX,IAAA,CAAA;EAAA,IAIA,qBAAA,CAAA,GAAyB,QAAA;EAAA,IAMzB,sBAAA,CAAA,GAA0B,QAAA;EAAA,UAM3B,MAAA,CAAA;Eb/HkB;;;EAAA,UaiKlB,iBAAA,CAAA,GAAqB,cAAA;;;;;EAgCxB,gBAAA,CAAiB,QAAA,EAAU,cAAA;;AZhNpC;;EYuNS,QAAA,CAAA,GAAY,IAAA;EZpNnB;;;EY2Na,QAAA,CAAS,KAAA,EAAO,IAAA,KAAS,OAAA;;;;EAO/B,aAAA,CAAc,IAAA,WAAe,IAAA;EAQvB,UAAA,CAAW,KAAA,WAAgB,OAAA,CAAQ,UAAA;;;;EAQnC,WAAA,CACX,IAAA,EAAM,WAAA,EACN,YAAA;IACE,GAAA;IACA,aAAA;IACA,wBAAA;EAAA,IAED,OAAA,CAAQ,mBAAA;EA2FE,YAAA,CACX,YAAA,UACA,WAAA,YACC,OAAA;IACD,MAAA,EAAQ,mBAAA;IACR,IAAA,EAAM,WAAA;EAAA;AAAA;AAAA,UAoEO,kBAAA;EACf,GAAA;EACA,KAAA;EACA,KAAA;AAAA;AAAA,UAGe,mBAAA;EACf,YAAA;EACA,UAAA;EACA,UAAA;EACA,SAAA;EACA,aAAA;EACA,wBAAA;EACA,KAAA;AAAA;;;;;;cC/aW,WAAA;EAAA,WACF,0BAAA,GACR,mBAAA;EAAA;;UAMc,0BAAA;EhBZJ;;;EgBgBX,IAAA;;;;EAKA,KAAA;;;;EAKA,WAAA;AAAA;AAAA,cAKW,mBAAA,SAA4B,SAAA,CAAU,0BAAA;EAAA,mBAC9B,gBAAA,EAAgB,gBAAA;EAAA,IAExB,IAAA,CAAA;EAAA,IAIA,KAAA,CAAA;EAIJ,QAAA,CAAA;EAAA,UAIG,MAAA,CAAA;;;;EAWH,GAAA,CAAI,IAAA,GAAO,WAAA;AAAA;;;;;;cCpDP,KAAA;EAAA,WAAkB,oBAAA,GAA4B,aAAA;EAAA;;UAM1C,oBAAA;EjB4Cf;;;EiBxCA,IAAA;;;;EAKA,WAAA;EAEA,MAAA,YAAkB,eAAA;EAElB,WAAA,GAAc,KAAA;IAGR,IAAA;IACA,SAAA;IACA,OAAA;EAAA;AAAA;AAAA,cAKK,aAAA,SAAsB,SAAA,CAAU,oBAAA;EAAA,mBACxB,gBAAA,EAAgB,gBAAA;EAAA,IAExB,IAAA,CAAA;EAAA,UAID,MAAA,CAAA;;;;MAoBC,MAAA,CAAA,YAAmB,eAAA;EAIvB,GAAA,CAAI,UAAA,WAAqB,mBAAA;EAIzB,KAAA,CAAM,UAAA,WAAqB,mBAAA,GAAmB,mBAAA;AAAA;;;UCjEtC,aAAA;;;;;EAKf,OAAA;;;AlBTF;EkBcE,KAAA;;;;EAKA,WAAA,aAAwB,UAAA;;;;;EAMxB,KAAA,IAAS,IAAA,EAAM,gBAAA;AAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AlBgCjB;;;;;;;;ACtDA;;;;iBiB+EgB,OAAA,CAAQ,OAAA,GAAU,aAAA,GAAgB,UAAA;;;;;;;;;;;;AlBlFlD;;;;;;;;;;;;;;;;;;;cmB8Ba,eAAA,GACX,OAAA,EAAS,8BAAA,KACR,uBAAA;AAAA,KAqHS,8BAAA;EACV,WAAA;AAAA;EAGI,MAAA,EAAQ,oCAAA;AAAA;EAGR,MAAA,EAAQ,eAAA;EACR,IAAA,EAAM,WAAA;AAAA;AAAA,UAIK,oCAAA;;;;EAIf,GAAA;;;;EAKA,QAAA;;;;EAKA,YAAA;AAAA;AAAA,UAGe,uBAAA;EACf,KAAA,QAAa,OAAA;AAAA;AAAA,UAGE,mBAAA;EACf,QAAA,GAAW,mBAAA;AAAA;;;cCjLA,sBAAA;EAAA,mBACQ,GAAA,EADc,gBAAA,CACX,MAAA;EAAA,mBACH,gBAAA,EAAgB,gBAAA;EAAA,mBAChB,WAAA,EAAW,WAAA;EAAA,mBACX,MAAA,EAAM,MAAA;EAAA,mBAEN,eAAA,EAFM,QAAA,CAES,aAAA;EAAA,mBA8Bf,eAAA,EA9Be,QAAA,CA8BA,aAAA;EAAA,UA0BxB,cAAA,CAAA,GAAkB,gBAAA;EAAA,mBAQT,eAAA,EARyB,QAAA,CAQV,aAAA;AAAA;AAAA,KAmCxB,0BAAA,IACV,OAAA,EAAS,aAAA,KACN,OAAA,CAAQ,gBAAA;;;;YC7ED,KAAA;IACR,uBAAA;MACE,KAAA;MACA,IAAA,EAAM,WAAA;IAAA;EAAA;EAAA,UAIA,KAAA;;;;;;;IAOR,6BAAA,GAAgC,gBAAA;;;;IAKhC,sBAAA,GAAyB,WAAA;;;;;;;;IASzB,wBAAA;MAA6B,EAAA;IAAA;EAAA;AAAA;AAAA;EAAA,UAKrB,aAAA;IACR,IAAA,GAAO,gBAAA;EAAA;EAAA,UAGC,mBAAA;IACR,IAAA,EAAM,gBAAA;EAAA;EAAA,UAGE,oBAAA,SAA6B,YAAA;;;;ArBpBzC;;;;IqB4BI,IAAA,GAAO,gBAAA;EAAA;AAAA;;ApBlFX;;;;;;;;;;;;;ACkBA;;cmBsFa,cAAA,EAAc,QAAA,CAAA,OAAA,CAKzB,QAAA,CALyB,MAAA"}

package/dist/security/index.js

@@ -5,6 +5,34 @@ import { createSecretKey, randomUUID, timingSafeEqual } from "node:crypto";
 import { SecretProvider } from "alepha/crypto";
 import { ForbiddenError, HttpError, UnauthorizedError } from "alepha/server";
 export * from "alepha/crypto";
+//#region ../../src/security/atoms/currentTenantAtom.ts
+/**
+* Atom storing the active tenant for the current request.
+*
+* Transport-agnostic — works with HTTP, MCP, pipelines, jobs, and any context
+* that sets the atom before calling tenant-scoped logic.
+*
+* Typically set by an app-level middleware that resolves the tenant from the
+* request `Host` header (or another signal) and writes the resolved id to the
+* store. Framework code that reads this atom:
+*
+* - Repository scoping: `withOrganization` / `stampOrganization` prefer this
+*   value over `currentUserAtom.organization` so cross-tenant users (admins,
+*   agency operators) are scoped to the tenant they are currently acting in
+*   rather than the one they belong to.
+* - Session creation: the value is persisted into the JWT as a `tenant` claim,
+*   and the issuer resolver rejects tokens whose claim does not match the
+*   tenant resolved from the current request.
+*
+* `id` is a free-form string so the framework stays neutral on tenant identity
+* (slug, UUID, composite). Pick whatever matches the column marked with
+* `PG_ORGANIZATION` in your entities.
+*/
+const currentTenantAtom = $atom({
+	name: "alepha.security.tenant",
+	schema: t.optional(t.object({ id: t.text({ description: "Tenant identifier (slug, UUID, or composite)." }) }))
+});
+//#endregion
 //#region ../../src/security/schemas/userAccountInfoSchema.ts
 const userAccountInfoSchema = t.object({
 	id: t.text({ description: "Unique identifier for the user." }),
@@ -1571,6 +1599,17 @@ var SecurityProvider = class {
 				const token = auth.slice(7);
 				if (!token.includes(".")) return null;
 				const { result } = await this.jwt.parse(token, realmName);
+				const claimTenant = this.getTenantFromPayload(result.payload);
+				if (claimTenant) {
+					const activeTenant = this.alepha.store.get(currentTenantAtom)?.id;
+					if (activeTenant && activeTenant !== claimTenant) {
+						this.log.warn("JWT tenant claim does not match active tenant", {
+							claim: claimTenant,
+							active: activeTenant
+						});
+						return null;
+					}
+				}
 				return this.createUserFromPayload(result.payload, realmName);
 			}
 		};
@@ -2005,6 +2044,17 @@ var SecurityProvider = class {
 		if (!payload) return;
 		if (typeof payload.organization === "string") return payload.organization;
 	}
+	/**
+	* Extracts the tenant id from the JWT payload, when present.
+	*
+	* Tokens minted with no active tenant (single-tenant apps, server-to-server
+	* calls before any request-scoped middleware runs) omit the claim, in which
+	* case the resolver does not enforce a tenant match.
+	*/
+	getTenantFromPayload(payload) {
+		if (!payload) return;
+		if (typeof payload.tenant === "string") return payload.tenant;
+	}
 };
 //#endregion
 //#region ../../src/security/primitives/$issuer.ts
@@ -2018,6 +2068,7 @@ const $issuer = (options) => {
 	return createPrimitive(IssuerPrimitive, options);
 };
 var IssuerPrimitive = class extends Primitive {
+	alepha = $inject(Alepha);
 	securityProvider = $inject(SecurityProvider);
 	dateTimeProvider = $inject(DateTimeProvider);
 	jwt = $inject(JwtProvider);
@@ -2133,6 +2184,7 @@ var IssuerPrimitive = class extends Primitive {
 			iat,
 			aud: this.name
 		});
+		const tenant = this.alepha.store.get(currentTenantAtom)?.id;
 		return {
 			access_token: await this.jwt.create({
 				sub: user.id,
@@ -2145,7 +2197,8 @@ var IssuerPrimitive = class extends Primitive {
 				preferred_username: user.username,
 				picture: user.picture,
 				organization: user.organization,
-				roles: user.roles
+				roles: user.roles,
+				tenant
 			}, this.name),
 			token_type: "Bearer",
 			expires_in: this.accessTokenExpiration.asSeconds(),
@@ -2648,7 +2701,7 @@ const AlephaSecurity = $module({
 		$role,
 		$permission
 	],
-	atoms: [currentUserAtom],
+	atoms: [currentUserAtom, currentTenantAtom],
 	services: [
 		SecurityProvider,
 		JwtProvider,
@@ -2656,6 +2709,6 @@ const AlephaSecurity = $module({
 	]
 });
 //#endregion
-export { $basicAuth, $issuer, $permission, $role, $secure, $serviceAccount, AlephaSecurity, InvalidCredentialsError, InvalidPermissionError, IssuerPrimitive, JwtProvider, PermissionPrimitive, RolePrimitive, SecurityError, SecurityProvider, ServerSecurityProvider, currentUserAtom, permissionSchema, roleSchema, userAccountInfoSchema };
+export { $basicAuth, $issuer, $permission, $role, $secure, $serviceAccount, AlephaSecurity, InvalidCredentialsError, InvalidPermissionError, IssuerPrimitive, JwtProvider, PermissionPrimitive, RolePrimitive, SecurityError, SecurityProvider, ServerSecurityProvider, currentTenantAtom, currentUserAtom, permissionSchema, roleSchema, userAccountInfoSchema };
 
 //# sourceMappingURL=index.js.map