npm - @authhero/adapter-interfaces - Versions diffs - 0.148.0 → 0.150.0 - Mend

@authhero/adapter-interfaces 0.148.0 → 0.150.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/adapter-interfaces.cjs +1 -1
package/dist/adapter-interfaces.d.ts +224 -10
package/dist/adapter-interfaces.mjs +506 -446
package/package.json +1 -1

package/dist/adapter-interfaces.mjs CHANGED Viewed

@@ -1,21 +1,21 @@
 import { z as e } from "@hono/zod-openapi";
-const s = e.object({
+const r = e.object({
   created_at: e.string(),
   updated_at: e.string()
-}), ct = e.enum(["AUTH0", "EMAIL", "REDIRECT"]), _t = e.enum([
+}), gt = e.enum(["AUTH0", "EMAIL", "REDIRECT"]), ut = e.enum([
   "CREATE_USER",
   "GET_USER",
   "UPDATE_USER",
   "SEND_REQUEST",
   "SEND_EMAIL"
-]), dt = e.enum(["VERIFY_EMAIL"]), K = e.object({
+]), mt = e.enum(["VERIFY_EMAIL"]), q = e.object({
   require_mx_record: e.boolean().optional(),
   block_aliases: e.boolean().optional(),
   block_free_emails: e.boolean().optional(),
   block_disposable_emails: e.boolean().optional(),
   blocklist: e.array(e.string()).optional(),
   allowlist: e.array(e.string()).optional()
-}), z = e.object({
+}), X = e.object({
   id: e.string(),
   alias: e.string().max(100).optional(),
   type: e.literal("AUTH0"),
@@ -27,7 +27,7 @@ const s = e.object({
     user_id: e.string(),
     changes: e.record(e.string(), e.any())
   })
-}), X = e.object({
+}), V = e.object({
   id: e.string(),
   alias: e.string().max(100).optional(),
   type: e.literal("EMAIL"),
@@ -36,9 +36,9 @@ const s = e.object({
   mask_output: e.boolean().optional(),
   params: e.object({
     email: e.string(),
-    rules: K.optional()
+    rules: q.optional()
   })
-}), q = e.enum(["change-email", "account", "custom"]), V = e.object({
+}), Y = e.enum(["change-email", "account", "custom"]), Q = e.object({
   id: e.string(),
   alias: e.string().max(100).optional(),
   type: e.literal("REDIRECT"),
@@ -46,32 +46,32 @@ const s = e.object({
   allow_failure: e.boolean().optional(),
   mask_output: e.boolean().optional(),
   params: e.object({
-    target: q.openapi({
+    target: Y.openapi({
       description: "The predefined target to redirect to, or 'custom' for a custom URL"
     }),
     custom_url: e.string().optional().openapi({
       description: "Custom URL to redirect to when target is 'custom'"
     })
   })
-}), Y = e.union([
-  z,
+}), Z = e.union([
   X,
-  V
-]), Q = e.object({
+  V,
+  Q
+]), $ = e.object({
   name: e.string().min(1).max(150).openapi({
     description: "The name of the flow"
   }),
   // Actions is an array of action steps (Auth0 stores as JSON blob)
-  actions: e.array(Y).optional().default([]).openapi({
+  actions: e.array(Z).optional().default([]).openapi({
     description: "The list of actions to execute in sequence"
   })
-}), gt = Q.extend({
-  ...s.shape,
+}), ht = $.extend({
+  ...r.shape,
   id: e.string().openapi({
     description: "Unique identifier for the flow",
     example: "af_12tMpdJ3iek7svMyZkSh5M"
   })
-}), ut = e.object({
+}), bt = e.object({
   page: e.string().min(0).optional().default("0").transform((o) => parseInt(o, 10)).openapi({
     description: "The page number where 0 is the first page"
   }),
@@ -87,7 +87,7 @@ const s = e.object({
   q: e.string().optional().openapi({
     description: "A lucene query string used to filter the results"
   })
-}), mt = e.object({
+}), ft = e.object({
   start: e.number(),
   limit: e.number(),
   length: e.number(),
@@ -101,7 +101,7 @@ const s = e.object({
   phone_number: e.string().optional(),
   phone_verified: e.boolean().optional(),
   family_name: e.string().optional()
-}).catchall(e.any()), Z = e.object({
+}).catchall(e.any()), ee = e.object({
   connection: e.string(),
   user_id: e.string(),
   provider: e.string(),
@@ -115,7 +115,7 @@ const s = e.object({
   access_token_secret: e.string().optional(),
   refresh_token: e.string().optional(),
   profileData: J.optional()
-}), $ = e.object({
+}), oe = e.object({
   formatted: e.string().optional(),
   // Full mailing address
   street_address: e.string().optional(),
@@ -160,8 +160,8 @@ const s = e.object({
   zoneinfo: e.string().optional(),
   // e.g., "Europe/Paris"
   // OIDC address claim (OIDC Core 5.1.1)
-  address: $
-}), ee = N.extend({
+  address: oe
+}), te = N.extend({
   email_verified: e.boolean().default(!1),
   verify_email: e.boolean().optional(),
   last_ip: e.string().optional(),
@@ -176,29 +176,29 @@ const s = e.object({
     hash: e.string(),
     algorithm: e.string()
   }).optional()
-}), oe = e.object({
-  ...ee.omit({ password: !0 }).shape,
-  ...s.shape,
+}), ne = e.object({
+  ...te.omit({ password: !0 }).shape,
+  ...r.shape,
   user_id: e.string(),
   provider: e.string(),
   is_social: e.boolean(),
   email: e.string().optional(),
   login_count: e.number().default(0),
-  identities: e.array(Z).optional()
-}), ht = oe, bt = N.extend({
+  identities: e.array(ee).optional()
+}), Et = ne, St = N.extend({
   login_count: e.number(),
   multifactor: e.array(e.string()).optional(),
   last_ip: e.string().optional(),
   last_login: e.string().optional(),
   user_id: e.string()
 }).catchall(e.any());
-let te = "useandom-26T198340PX75pxJACKVERYMINDBUSHWOLF_GQZbfghjklqvwyzrict", ne = (o = 21) => {
-  let n = "", i = crypto.getRandomValues(new Uint8Array(o |= 0));
+let ie = "useandom-26T198340PX75pxJACKVERYMINDBUSHWOLF_GQZbfghjklqvwyzrict", ae = (o = 21) => {
+  let t = "", i = crypto.getRandomValues(new Uint8Array(o |= 0));
   for (; o--; )
-    n += te[i[o] & 63];
-  return n;
+    t += ie[i[o] & 63];
+  return t;
 };
-const ie = e.object({
+const se = e.object({
   client_id: e.string().openapi({
     description: "ID of this client."
   }),
@@ -211,7 +211,7 @@ const ie = e.object({
   global: e.boolean().default(!1).openapi({
     description: "Whether this is your global 'All Applications' client representing legacy tenant settings (true) or a regular client (false)."
   }),
-  client_secret: e.string().default(() => ne()).optional().openapi({
+  client_secret: e.string().default(() => ae()).optional().openapi({
     description: "Client secret (which you must not make public)."
   }),
   app_type: e.enum([
@@ -371,11 +371,11 @@ const ie = e.object({
     description: "Specifies how long, in seconds, a Pushed Authorization Request URI remains valid"
   }),
   token_quota: e.record(e.any()).default({}).optional()
-}), ft = e.object({
+}), At = e.object({
   created_at: e.string(),
   updated_at: e.string(),
-  ...ie.shape
-}), ae = e.object({
+  ...se.shape
+}), re = e.object({
   client_id: e.string().min(1).openapi({
     description: "ID of the client."
   }),
@@ -400,23 +400,23 @@ const ie = e.object({
   authorization_details_types: e.array(e.string()).optional().openapi({
     description: "Types of authorization_details allowed for this client grant. Use of this field is subject to the applicable Free Trial terms in Okta's Master Subscription Agreement."
   })
-}), re = e.object({
+}), le = e.object({
   id: e.string().openapi({
     description: "ID of the client grant."
   }),
-  ...ae.shape,
+  ...re.shape,
   created_at: e.string().optional(),
   updated_at: e.string().optional()
-}), Et = e.array(re), u = e.object({
+}), It = e.array(le), u = e.object({
   x: e.number(),
   y: e.number()
 });
-var R = /* @__PURE__ */ ((o) => (o.RICH_TEXT = "RICH_TEXT", o.NEXT_BUTTON = "NEXT_BUTTON", o.BACK_BUTTON = "BACK_BUTTON", o.SUBMIT_BUTTON = "SUBMIT_BUTTON", o.DIVIDER = "DIVIDER", o.TEXT = "TEXT", o.EMAIL = "EMAIL", o.PASSWORD = "PASSWORD", o.NUMBER = "NUMBER", o.PHONE = "PHONE", o.DATE = "DATE", o.CHECKBOX = "CHECKBOX", o.RADIO = "RADIO", o.SELECT = "SELECT", o.HIDDEN = "HIDDEN", o.LEGAL = "LEGAL", o))(R || {}), w = /* @__PURE__ */ ((o) => (o.BLOCK = "BLOCK", o.FIELD = "FIELD", o))(w || {});
+var w = /* @__PURE__ */ ((o) => (o.RICH_TEXT = "RICH_TEXT", o.NEXT_BUTTON = "NEXT_BUTTON", o.BACK_BUTTON = "BACK_BUTTON", o.SUBMIT_BUTTON = "SUBMIT_BUTTON", o.DIVIDER = "DIVIDER", o.TEXT = "TEXT", o.EMAIL = "EMAIL", o.PASSWORD = "PASSWORD", o.NUMBER = "NUMBER", o.PHONE = "PHONE", o.DATE = "DATE", o.CHECKBOX = "CHECKBOX", o.RADIO = "RADIO", o.SELECT = "SELECT", o.HIDDEN = "HIDDEN", o.LEGAL = "LEGAL", o))(w || {}), R = /* @__PURE__ */ ((o) => (o.BLOCK = "BLOCK", o.FIELD = "FIELD", o))(R || {});
 const y = e.object({
   id: e.string(),
-  category: e.nativeEnum(w),
-  type: e.nativeEnum(R)
-}), se = y.extend({
+  category: e.nativeEnum(R),
+  type: e.nativeEnum(w)
+}), pe = y.extend({
   category: e.literal(
     "BLOCK"
     /* BLOCK */
@@ -428,7 +428,7 @@ const y = e.object({
   config: e.object({
     content: e.string()
   }).passthrough()
-}), le = y.extend({
+}), ce = y.extend({
   category: e.literal(
     "BLOCK"
     /* BLOCK */
@@ -450,7 +450,7 @@ const y = e.object({
   config: e.object({
     text: e.string()
   }).passthrough()
-}), pe = y.extend({
+}), _e = y.extend({
   category: e.literal(
     "FIELD"
     /* FIELD */
@@ -464,7 +464,7 @@ const y = e.object({
   config: e.object({
     text: e.string()
   }).passthrough()
-}), ce = y.extend({
+}), de = y.extend({
   category: e.literal(
     "FIELD"
     /* FIELD */
@@ -517,19 +517,19 @@ const y = e.object({
     label: e.string().optional(),
     placeholder: e.string().optional()
   }).passthrough()
-}), _e = e.object({
+}), ge = e.object({
   id: e.string(),
   category: e.string(),
   type: e.string()
-}).passthrough(), de = e.union([
-  se,
-  le,
+}).passthrough(), ue = e.union([
   pe,
   ce,
-  _e
+  _e,
+  de,
+  ge
 ]);
-var ge = /* @__PURE__ */ ((o) => (o.STEP = "STEP", o.FLOW = "FLOW", o.CONDITION = "CONDITION", o.ACTION = "ACTION", o))(ge || {});
-const ue = e.object({
+var me = /* @__PURE__ */ ((o) => (o.STEP = "STEP", o.FLOW = "FLOW", o.CONDITION = "CONDITION", o.ACTION = "ACTION", o))(me || {});
+const he = e.object({
   id: e.string(),
   type: e.literal(
     "STEP"
@@ -538,10 +538,10 @@ const ue = e.object({
   coordinates: u,
   alias: e.string().optional(),
   config: e.object({
-    components: e.array(de),
+    components: e.array(ue),
     next_node: e.string()
   }).passthrough()
-}), me = e.object({
+}), be = e.object({
   id: e.string(),
   type: e.literal(
     "FLOW"
@@ -553,7 +553,7 @@ const ue = e.object({
     flow_id: e.string(),
     next_node: e.string()
   })
-}), he = e.object({
+}), fe = e.object({
   id: e.string(),
   type: e.literal(
     "ACTION"
@@ -575,43 +575,43 @@ const ue = e.object({
       description: "The next node to navigate to after action (for non-redirect actions)"
     })
   }).passthrough()
-}), be = e.object({
+}), Ee = e.object({
   id: e.string(),
   type: e.string(),
   coordinates: u
-}).passthrough(), fe = e.union([
-  ue,
-  me,
+}).passthrough(), Se = e.union([
   he,
-  be
-]), Ee = e.object({
+  be,
+  fe,
+  Ee
+]), Ae = e.object({
   next_node: e.string(),
   coordinates: u
-}).passthrough(), Se = e.object({
+}).passthrough(), Ie = e.object({
   resume_flow: e.boolean().optional(),
   coordinates: u
-}).passthrough(), Ae = e.object({
+}).passthrough(), ye = e.object({
   id: e.string(),
   name: e.string(),
   languages: e.object({
     primary: e.string()
   }).passthrough(),
-  nodes: e.array(fe),
-  start: Ee,
-  ending: Se,
+  nodes: e.array(Se),
+  start: Ae,
+  ending: Ie,
   created_at: e.string(),
   updated_at: e.string(),
   links: e.object({
     sdkSrc: e.string().optional(),
     sdk_src: e.string().optional()
   }).passthrough()
-}).passthrough(), St = Ae.omit({
+}).passthrough(), yt = ye.omit({
   id: !0,
   created_at: !0,
   updated_at: !0
 });
 var j = /* @__PURE__ */ ((o) => (o.TOKEN = "token", o.ID_TOKEN = "id_token", o.TOKEN_ID_TOKEN = "token id_token", o.CODE = "code", o))(j || {}), D = /* @__PURE__ */ ((o) => (o.QUERY = "query", o.FRAGMENT = "fragment", o.FORM_POST = "form_post", o.WEB_MESSAGE = "web_message", o.SAML_POST = "saml_post", o))(D || {}), L = /* @__PURE__ */ ((o) => (o.S256 = "S256", o.Plain = "plain", o))(L || {});
-const Ie = e.object({
+const Ce = e.object({
   client_id: e.string(),
   act_as: e.string().optional(),
   response_type: e.nativeEnum(j).optional(),
@@ -635,7 +635,7 @@ const Ie = e.object({
   acr_values: e.string().optional(),
   // The following fields are not available in Auth0
   vendor_id: e.string().optional()
-}), At = e.object({
+}), Ct = e.object({
   colors: e.object({
     primary: e.string(),
     page_background: e.object({
@@ -651,14 +651,15 @@ const Ie = e.object({
   font: e.object({
     url: e.string()
   }).optional()
-}), ye = e.enum([
+}), Te = e.enum([
   "password_reset",
   "email_verification",
   "otp",
+  "mfa_otp",
   "authorization_code",
   "oauth2_state",
   "ticket"
-]), Ce = e.object({
+]), Oe = e.object({
   code_id: e.string().openapi({
     description: "The code that will be used in for instance an email verification flow"
   }),
@@ -668,7 +669,7 @@ const Ie = e.object({
   connection_id: e.string().optional().openapi({
     description: "The connection that the code is connected to"
   }),
-  code_type: ye,
+  code_type: Te,
   code_verifier: e.string().optional().openapi({
     description: "The code verifier used in PKCE in outbound flows"
   }),
@@ -681,6 +682,9 @@ const Ie = e.object({
   redirect_uri: e.string().optional().openapi({
     description: "The redirect URI associated with the code"
   }),
+  otp: e.string().optional().openapi({
+    description: "The one-time password value for OTP-based flows"
+  }),
   nonce: e.string().optional().openapi({
     description: "The nonce value used for security in OIDC flows"
   }),
@@ -690,10 +694,10 @@ const Ie = e.object({
   expires_at: e.string(),
   used_at: e.string().optional(),
   user_id: e.string().optional()
-}), It = e.object({
-  ...Ce.shape,
+}), Tt = e.object({
+  ...Oe.shape,
   created_at: e.string()
-}), Oe = e.object({
+}), Ne = e.object({
   kid: e.string().optional(),
   team_id: e.string().optional(),
   realms: e.string().optional(),
@@ -805,12 +809,12 @@ const Ie = e.object({
   }).optional(),
   // Controls when root user attributes are updated from external IdP
   set_user_root_attributes: e.enum(["on_each_login", "on_first_login", "never_on_login"]).optional()
-}), Te = e.object({
+}), we = e.object({
   id: e.string().optional(),
   name: e.string(),
   display_name: e.string().optional(),
   strategy: e.string(),
-  options: Oe.default({}),
+  options: Ne.default({}),
   enabled_clients: e.array(e.string()).default([]).optional(),
   response_type: e.custom().optional(),
   response_mode: e.custom().optional(),
@@ -818,11 +822,11 @@ const Ie = e.object({
   show_as_button: e.boolean().optional(),
   metadata: e.record(e.any()).optional(),
   is_system: e.boolean().optional()
-}), yt = e.object({
+}), Ot = e.object({
   id: e.string(),
   created_at: e.string().transform((o) => o === null ? "" : o),
   updated_at: e.string().transform((o) => o === null ? "" : o)
-}).extend(Te.shape), Ne = e.object({
+}).extend(we.shape), Re = e.object({
   domain: e.string(),
   custom_domain_id: e.string().optional(),
   type: e.enum(["auth0_managed_certs", "self_managed_certs"]),
@@ -836,7 +840,7 @@ const Ie = e.object({
     "null"
   ]).optional(),
   domain_metadata: e.record(e.string().max(255)).optional()
-}), Re = e.discriminatedUnion("name", [
+}), je = e.discriminatedUnion("name", [
   e.object({
     name: e.literal("txt"),
     record: e.string(),
@@ -847,17 +851,17 @@ const Ie = e.object({
     http_body: e.string(),
     http_url: e.string()
   })
-]), we = e.object({
-  ...Ne.shape,
+]), De = e.object({
+  ...Re.shape,
   custom_domain_id: e.string(),
   primary: e.boolean(),
   status: e.enum(["disabled", "pending", "pending_verification", "ready"]),
   origin_domain_name: e.string().optional(),
   verification: e.object({
-    methods: e.array(Re)
+    methods: e.array(je)
   }).optional(),
   tls_policy: e.string().optional()
-}), Ct = we.extend({
+}), Nt = De.extend({
   tenant_id: e.string()
 }), C = e.object({
   id: e.string(),
@@ -865,17 +869,17 @@ const Ie = e.object({
   visible: e.boolean().optional().default(!0)
 }), l = C.extend({
   category: e.literal("BLOCK").optional()
-}), je = l.extend({
+}), Le = l.extend({
   type: e.literal("DIVIDER"),
   config: e.object({
     text: e.string().optional()
   }).optional()
-}), De = l.extend({
+}), ve = l.extend({
   type: e.literal("HTML"),
   config: e.object({
     content: e.string().optional()
   }).optional()
-}), Le = l.extend({
+}), ke = l.extend({
   type: e.literal("IMAGE"),
   config: e.object({
     src: e.string().optional(),
@@ -883,55 +887,55 @@ const Ie = e.object({
     width: e.number().optional(),
     height: e.number().optional()
   }).optional()
-}), ve = l.extend({
+}), Ue = l.extend({
   type: e.literal("JUMP_BUTTON"),
   config: e.object({
     text: e.string().optional(),
     target_step: e.string().optional()
   })
-}), ke = l.extend({
+}), Fe = l.extend({
   type: e.literal("RESEND_BUTTON"),
   config: e.object({
     text: e.string().optional(),
     resend_action: e.string().optional()
   })
-}), Ue = l.extend({
+}), xe = l.extend({
   type: e.literal("NEXT_BUTTON"),
   config: e.object({
     text: e.string().optional()
   })
-}), Fe = l.extend({
+}), Pe = l.extend({
   type: e.literal("PREVIOUS_BUTTON"),
   config: e.object({
     text: e.string().optional()
   })
-}), xe = l.extend({
+}), Me = l.extend({
   type: e.literal("RICH_TEXT"),
   config: e.object({
     content: e.string().optional()
   }).optional()
-}), O = C.extend({
+}), T = C.extend({
   category: e.literal("WIDGET").optional(),
   label: e.string().min(1).optional(),
   hint: e.string().min(1).max(500).optional(),
   required: e.boolean().optional(),
   sensitive: e.boolean().optional()
-}), Pe = O.extend({
+}), He = T.extend({
   type: e.literal("AUTH0_VERIFIABLE_CREDENTIALS"),
   config: e.object({
     credential_type: e.string().optional()
   })
-}), Me = O.extend({
+}), Ge = T.extend({
   type: e.literal("GMAPS_ADDRESS"),
   config: e.object({
     api_key: e.string().optional()
   })
-}), He = O.extend({
+}), Be = T.extend({
   type: e.literal("RECAPTCHA"),
   config: e.object({
     site_key: e.string().optional()
   })
-}), t = C.extend({
+}), n = C.extend({
   category: e.literal("FIELD").optional(),
   label: e.string().min(1).optional(),
   hint: e.string().min(1).max(500).optional(),
@@ -944,12 +948,12 @@ const Ie = e.object({
   ).optional(),
   required: e.boolean().optional(),
   sensitive: e.boolean().optional()
-}), Ge = t.extend({
+}), We = n.extend({
   type: e.literal("BOOLEAN"),
   config: e.object({
     default_value: e.boolean().optional()
   }).optional()
-}), Be = t.extend({
+}), Ke = n.extend({
   type: e.literal("CARDS"),
   config: e.object({
     options: e.array(
@@ -962,7 +966,7 @@ const Ie = e.object({
     ).optional(),
     multi_select: e.boolean().optional()
   }).optional()
-}), We = t.extend({
+}), ze = n.extend({
   type: e.literal("CHOICE"),
   config: e.object({
     options: e.array(
@@ -975,7 +979,7 @@ const Ie = e.object({
     multiple: e.boolean().optional(),
     default_value: e.union([e.string(), e.array(e.string())]).optional()
   }).optional()
-}), Ke = t.extend({
+}), qe = n.extend({
   type: e.literal("CUSTOM"),
   config: e.object({
     component: e.string().optional(),
@@ -983,7 +987,7 @@ const Ie = e.object({
     schema: e.record(e.any()).optional(),
     code: e.string().optional()
   })
-}), ze = t.extend({
+}), Xe = n.extend({
   type: e.literal("DATE"),
   config: e.object({
     format: e.string().optional(),
@@ -991,7 +995,7 @@ const Ie = e.object({
     max: e.string().optional(),
     default_value: e.string().optional()
   }).optional()
-}), Xe = t.extend({
+}), Ve = n.extend({
   type: e.literal("DROPDOWN"),
   config: e.object({
     options: e.array(
@@ -1005,26 +1009,26 @@ const Ie = e.object({
     multiple: e.boolean().optional(),
     default_value: e.union([e.string(), e.array(e.string())]).optional()
   }).optional()
-}), qe = t.extend({
+}), Ye = n.extend({
   type: e.literal("EMAIL"),
   config: e.object({
     placeholder: e.string().optional(),
     default_value: e.string().optional()
   }).optional()
-}), Ve = t.extend({
+}), Qe = n.extend({
   type: e.literal("FILE"),
   config: e.object({
     accept: e.string().optional(),
     max_size: e.number().optional(),
     multiple: e.boolean().optional()
   }).optional()
-}), Ye = t.extend({
+}), Ze = n.extend({
   type: e.literal("LEGAL"),
   config: e.object({
     text: e.string(),
     html: e.boolean().optional()
   }).optional()
-}), Qe = t.extend({
+}), $e = n.extend({
   type: e.literal("NUMBER"),
   config: e.object({
     placeholder: e.string().optional(),
@@ -1033,7 +1037,7 @@ const Ie = e.object({
     step: e.number().optional(),
     default_value: e.string().optional()
   }).optional()
-}), Je = t.extend({
+}), Je = n.extend({
   type: e.literal("PASSWORD"),
   config: e.object({
     placeholder: e.string().optional(),
@@ -1042,13 +1046,13 @@ const Ie = e.object({
     forgot_password_link: e.string().optional(),
     default_value: e.string().optional()
   }).optional()
-}), Ze = t.extend({
+}), eo = n.extend({
   type: e.literal("PAYMENT"),
   config: e.object({
     provider: e.string().optional(),
     currency: e.string().optional()
   }).optional()
-}), $e = t.extend({
+}), oo = n.extend({
   type: e.literal("SOCIAL"),
   config: e.object({
     providers: e.array(e.string()).optional(),
@@ -1063,7 +1067,7 @@ const Ie = e.object({
       })
     ).optional()
   }).optional()
-}), eo = t.extend({
+}), to = n.extend({
   type: e.literal("TEL"),
   config: e.object({
     placeholder: e.string().optional(),
@@ -1071,7 +1075,7 @@ const Ie = e.object({
     default_value: e.string().optional(),
     allow_email: e.boolean().optional()
   }).optional()
-}), oo = t.extend({
+}), no = n.extend({
   type: e.literal("TEXT"),
   config: e.object({
     placeholder: e.string().optional(),
@@ -1079,54 +1083,54 @@ const Ie = e.object({
     max_length: e.number().optional(),
     default_value: e.string().optional()
   }).optional()
-}), to = t.extend({
+}), io = n.extend({
   type: e.literal("COUNTRY"),
   config: e.object({
     placeholder: e.string().optional(),
     default_value: e.string().optional()
   }).optional()
-}), no = t.extend({
+}), ao = n.extend({
   type: e.literal("URL"),
   config: e.object({
     placeholder: e.string().optional(),
     default_value: e.string().optional()
   }).optional()
-}), io = e.discriminatedUnion("type", [
-  je,
-  De,
+}), so = e.discriminatedUnion("type", [
   Le,
   ve,
   ke,
   Ue,
   Fe,
-  xe
-]), ao = e.discriminatedUnion("type", [
+  xe,
   Pe,
-  Me,
-  He
+  Me
 ]), ro = e.discriminatedUnion("type", [
+  He,
   Ge,
-  Be,
+  Be
+]), lo = e.discriminatedUnion("type", [
   We,
-  to,
   Ke,
   ze,
-  Xe,
+  io,
   qe,
+  Xe,
   Ve,
   Ye,
   Qe,
-  Je,
   Ze,
   $e,
+  Je,
   eo,
   oo,
-  no
+  to,
+  no,
+  ao
 ]), v = e.union([
-  io,
-  ao,
-  ro
-]), Ot = /* @__PURE__ */ new Set([
+  so,
+  ro,
+  lo
+]), wt = /* @__PURE__ */ new Set([
   "BOOLEAN",
   "CARDS",
   "CHOICE",
@@ -1140,7 +1144,7 @@ const Ie = e.object({
   "TEL",
   "TEXT",
   "URL"
-]), Tt = e.object({
+]), Rt = e.object({
   id: e.string(),
   type: e.literal("submit"),
   label: e.string(),
@@ -1152,7 +1156,7 @@ const Ie = e.object({
 }), f = e.object({
   x: e.number(),
   y: e.number()
-}), so = e.object({
+}), po = e.object({
   id: e.string(),
   type: e.literal("FLOW"),
   coordinates: f,
@@ -1161,7 +1165,7 @@ const Ie = e.object({
     flow_id: e.string().max(30),
     next_node: e.string().optional()
   })
-}), lo = e.object({
+}), co = e.object({
   id: e.string(),
   type: e.literal("ROUTER"),
   coordinates: f,
@@ -1177,7 +1181,7 @@ const Ie = e.object({
     ),
     fallback: e.string()
   })
-}), po = e.object({
+}), _o = e.object({
   id: e.string(),
   type: e.literal("STEP"),
   coordinates: f,
@@ -1186,11 +1190,11 @@ const Ie = e.object({
     components: e.array(v),
     next_node: e.string().optional()
   })
-}), co = e.discriminatedUnion("type", [
-  so,
-  lo,
-  po
-]), _o = e.object({
+}), go = e.discriminatedUnion("type", [
+  po,
+  co,
+  _o
+]), uo = e.object({
   name: e.string().openapi({
     description: "The name of the form"
   }),
@@ -1203,7 +1207,7 @@ const Ie = e.object({
     default: e.string().optional()
   }).optional(),
   translations: e.record(e.string(), e.any()).optional(),
-  nodes: e.array(co).optional(),
+  nodes: e.array(go).optional(),
   start: e.object({
     hidden_fields: e.array(e.object({ key: e.string(), value: e.string() })).optional(),
     next_node: e.string().optional(),
@@ -1225,20 +1229,20 @@ const Ie = e.object({
   }).optional()
 }).openapi({
   description: "Schema for flow-based forms (matches Auth0 Forms structure)"
-}), Nt = e.object({
-  ...s.shape,
-  ..._o.shape,
+}), jt = e.object({
+  ...r.shape,
+  ...uo.shape,
   id: e.string()
-}), go = e.object({
+}), mo = e.object({
   id: e.number().optional(),
   text: e.string(),
   type: e.enum(["info", "error", "success", "warning"])
-}), uo = e.object({
+}), ho = e.object({
   id: e.string().optional(),
   text: e.string(),
   href: e.string(),
   linkText: e.string().optional()
-}), Rt = e.object({
+}), Dt = e.object({
   /** Screen identifier for CSS targeting (e.g., 'identifier', 'enter-password', 'signup') */
   name: e.string().optional(),
   action: e.string(),
@@ -1246,18 +1250,18 @@ const Ie = e.object({
   title: e.string().optional(),
   description: e.string().optional(),
   components: e.array(v),
-  messages: e.array(go).optional(),
-  links: e.array(uo).optional(),
+  messages: e.array(mo).optional(),
+  links: e.array(ho).optional(),
   /** Footer HTML content displayed at the very bottom of the widget (e.g., terms and conditions) */
   footer: e.string().optional()
 });
-function wt(o) {
+function Lt(o) {
   return o.category === "BLOCK";
 }
-function jt(o) {
+function vt(o) {
   return o.category === "WIDGET";
 }
-function Dt(o) {
+function kt(o) {
   return o.category === "FIELD";
 }
 const k = e.enum([
@@ -1281,7 +1285,7 @@ const k = e.enum([
 ]), x = e.enum([
   "ensure-username",
   "set-preferred-username"
-]), Lt = {
+]), Ut = {
   "ensure-username": {
     name: "Ensure Username",
     description: "Automatically assigns a username to users who sign in without one. Creates a linked username account for social/email users.",
@@ -1297,52 +1301,52 @@ const k = e.enum([
   synchronous: e.boolean().default(!1),
   priority: e.number().optional(),
   hook_id: e.string().optional()
-}, mo = e.object({
+}, bo = e.object({
   ...m,
   trigger_id: k,
   url: e.string()
-}), ho = e.object({
+}), fo = e.object({
   ...m,
   trigger_id: U,
   form_id: e.string()
-}), bo = e.object({
+}), Eo = e.object({
   ...m,
   trigger_id: F,
   template_id: x
-}), vt = e.union([
-  mo,
-  ho,
-  bo
-]), fo = e.object({
+}), Ft = e.union([
+  bo,
+  fo,
+  Eo
+]), So = e.object({
   ...m,
   trigger_id: k,
-  ...s.shape,
+  ...r.shape,
   hook_id: e.string(),
   url: e.string()
-}), Eo = e.object({
+}), Ao = e.object({
   ...m,
   trigger_id: U,
-  ...s.shape,
+  ...r.shape,
   hook_id: e.string(),
   form_id: e.string()
-}), So = e.object({
+}), Io = e.object({
   ...m,
   trigger_id: F,
-  ...s.shape,
+  ...r.shape,
   hook_id: e.string(),
   template_id: x
-}), kt = e.union([
-  fo,
-  Eo,
-  So
-]), Ao = e.object({
+}), xt = e.union([
+  So,
+  Ao,
+  Io
+]), yo = e.object({
   name: e.string().optional()
-}), Io = e.object({
+}), Co = e.object({
   email: e.string().optional()
-}), yo = e.object({
+}), To = e.object({
   organization_id: e.string().max(50),
-  inviter: Ao,
-  invitee: Io,
+  inviter: yo,
+  invitee: Co,
   invitation_url: e.string().url(),
   client_id: e.string(),
   connection_id: e.string().optional(),
@@ -1351,13 +1355,13 @@ const k = e.enum([
   ttl_sec: e.number().int().max(2592e3).default(604800).optional(),
   roles: e.array(e.string()).default([]).optional(),
   send_invitation_email: e.boolean().default(!0).optional()
-}), Ut = e.object({
+}), Pt = e.object({
   id: e.string(),
   organization_id: e.string().max(50),
   created_at: e.string().datetime(),
   expires_at: e.string().datetime(),
   ticket_id: e.string().optional()
-}).extend(yo.shape), Co = e.object({
+}).extend(To.shape), Oo = e.object({
   alg: e.enum([
     "RS256",
     "RS384",
@@ -1376,9 +1380,9 @@ const k = e.enum([
   x5t: e.string().optional(),
   x5c: e.array(e.string()).optional(),
   use: e.enum(["sig", "enc"]).optional()
-}), Ft = e.object({
-  keys: e.array(Co)
-}), xt = e.object({
+}), Mt = e.object({
+  keys: e.array(Oo)
+}), Ht = e.object({
   issuer: e.string(),
   authorization_endpoint: e.string(),
   token_endpoint: e.string(),
@@ -1400,18 +1404,18 @@ const k = e.enum([
   request_parameter_supported: e.boolean(),
   token_endpoint_auth_signing_alg_values_supported: e.array(e.string())
 });
-var P = /* @__PURE__ */ ((o) => (o.PENDING = "pending", o.AUTHENTICATED = "authenticated", o.AWAITING_EMAIL_VERIFICATION = "awaiting_email_verification", o.AWAITING_HOOK = "awaiting_hook", o.AWAITING_CONTINUATION = "awaiting_continuation", o.COMPLETED = "completed", o.FAILED = "failed", o.EXPIRED = "expired", o))(P || {});
-const Oo = e.nativeEnum(P), To = e.object({
+var P = /* @__PURE__ */ ((o) => (o.PENDING = "pending", o.AUTHENTICATED = "authenticated", o.AWAITING_EMAIL_VERIFICATION = "awaiting_email_verification", o.AWAITING_MFA = "awaiting_mfa", o.AWAITING_HOOK = "awaiting_hook", o.AWAITING_CONTINUATION = "awaiting_continuation", o.COMPLETED = "completed", o.FAILED = "failed", o.EXPIRED = "expired", o))(P || {});
+const No = e.nativeEnum(P), wo = e.object({
   csrf_token: e.string(),
   auth0Client: e.string().optional(),
-  authParams: Ie,
+  authParams: Ce,
   expires_at: e.string(),
   deleted_at: e.string().optional(),
   ip: e.string().optional(),
   useragent: e.string().optional(),
   session_id: e.string().optional(),
   authorization_url: e.string().optional(),
-  state: Oo.optional().default(
+  state: No.optional().default(
     "pending"
     /* PENDING */
   ),
@@ -1424,14 +1428,14 @@ const Oo = e.nativeEnum(P), To = e.object({
   // The connection used to authenticate (may differ from primary user's connection)
 }).openapi({
   description: "This represents a login sesion"
-}), Pt = e.object({
-  ...To.shape,
+}), Gt = e.object({
+  ...wo.shape,
   id: e.string().openapi({
     description: "This is is used as the state in the universal login"
   }),
   created_at: e.string(),
   updated_at: e.string()
-}), No = {
+}), Ro = {
   // Network & System
   ACLS_SUMMARY: "acls_summary",
   ACTIONS_EXECUTION_FAILED: "actions_execution_failed",
@@ -1602,24 +1606,24 @@ const Oo = e.nativeEnum(P), To = e.object({
   WARNING_DURING_LOGIN: "w",
   WARNING_SENDING_NOTIFICATION: "wn",
   WARNING_USER_MANAGEMENT: "wum"
-}, Ro = e.string().refine(
-  (o) => Object.values(No).includes(o),
+}, jo = e.string().refine(
+  (o) => Object.values(Ro).includes(o),
   { message: "Invalid log type" }
-), wo = e.object({
+), Do = e.object({
   name: e.string(),
   version: e.string(),
   env: e.object({
     node: e.string().optional()
   }).optional()
-}), jo = e.object({
+}), Lo = e.object({
   country_code: e.string().length(2),
   city_name: e.string(),
   latitude: e.string(),
   longitude: e.string(),
   time_zone: e.string(),
   continent_code: e.string()
-}), Do = e.object({
-  type: Ro,
+}), vo = e.object({
+  type: jo,
   date: e.string(),
   description: e.string().optional(),
   ip: e.string().optional(),
@@ -1638,19 +1642,19 @@ const Oo = e.nativeEnum(P), To = e.object({
   strategy: e.string().optional(),
   strategy_type: e.string().optional(),
   hostname: e.string().optional(),
-  auth0_client: wo.optional(),
+  auth0_client: Do.optional(),
   log_id: e.string().optional(),
-  location_info: jo.optional()
-}), Mt = e.object({
-  ...Do.shape,
+  location_info: Lo.optional()
+}), Bt = e.object({
+  ...vo.shape,
   log_id: e.string()
-}), Lo = e.object({
+}), ko = e.object({
   id: e.string().optional(),
   user_id: e.string(),
   password: e.string(),
   algorithm: e.enum(["bcrypt", "argon2id"]).default("argon2id"),
   is_current: e.boolean().default(!0)
-}), Ht = Lo.extend({
+}), Wt = ko.extend({
   id: e.string(),
   created_at: e.string(),
   updated_at: e.string()
@@ -1661,7 +1665,7 @@ const Oo = e.nativeEnum(P), To = e.object({
   last_user_agent: e.string().describe("Last user agent of the device from which this user logged in"),
   last_ip: e.string().describe("Last IP address from which this user logged in"),
   last_asn: e.string().describe("Last autonomous system number from which this user logged in")
-}), vo = e.object({
+}), Uo = e.object({
   id: e.string(),
   revoked_at: e.string().optional(),
   used_at: e.string().optional(),
@@ -1673,13 +1677,13 @@ const Oo = e.nativeEnum(P), To = e.object({
     "Metadata related to the device used in the session"
   ),
   clients: e.array(e.string()).describe("List of client details for the session")
-}), Gt = e.object({
+}), Kt = e.object({
   created_at: e.string(),
   updated_at: e.string(),
   authenticated_at: e.string(),
   last_interaction_at: e.string(),
-  ...vo.shape
-}), Bt = e.object({
+  ...Uo.shape
+}), zt = e.object({
   kid: e.string().openapi({ description: "The key id of the signing key" }),
   cert: e.string().openapi({ description: "The public certificate of the signing key" }),
   fingerprint: e.string().openapi({ description: "The cert fingerprint" }),
@@ -1704,7 +1708,7 @@ const Oo = e.nativeEnum(P), To = e.object({
   type: e.enum(["jwt_signing", "saml_encryption"]).openapi({
     description: "The type of the signing key"
   })
-}), ko = e.object({
+}), Fo = e.object({
   id: e.string().optional(),
   // Basic settings
   audience: e.string(),
@@ -1830,6 +1834,8 @@ const Oo = e.nativeEnum(P), To = e.object({
   authorization_response_iss_parameter_supported: e.boolean().optional(),
   // Guardian MFA Factors configuration (internal storage, exposed via /guardian API)
   mfa: e.object({
+    // MFA policy: "never" = MFA disabled, "always" = MFA required for all logins
+    policy: e.enum(["never", "always"]).default("never").optional(),
     // Factor states
     factors: e.object({
       sms: e.boolean().default(!1),
@@ -1857,14 +1863,14 @@ const Oo = e.nativeEnum(P), To = e.object({
       message: e.string().optional()
     }).optional()
   }).optional()
-}), Wt = e.object({
+}), qt = e.object({
   created_at: e.string().nullable().transform((o) => o ?? ""),
   updated_at: e.string().nullable().transform((o) => o ?? ""),
-  ...ko.shape,
+  ...Fo.shape,
   id: e.string()
 });
-var Uo = /* @__PURE__ */ ((o) => (o.RefreshToken = "refresh_token", o.AuthorizationCode = "authorization_code", o.ClientCredential = "client_credentials", o.Passwordless = "passwordless", o.Password = "password", o.OTP = "http://auth0.com/oauth/grant-type/passwordless/otp", o))(Uo || {});
-const Kt = e.object({
+var xo = /* @__PURE__ */ ((o) => (o.RefreshToken = "refresh_token", o.AuthorizationCode = "authorization_code", o.ClientCredential = "client_credentials", o.Passwordless = "passwordless", o.Password = "password", o.OTP = "http://auth0.com/oauth/grant-type/passwordless/otp", o))(xo || {});
+const Xt = e.object({
   access_token: e.string(),
   id_token: e.string().optional(),
   scope: e.string().optional(),
@@ -1877,7 +1883,7 @@ e.object({
   code: e.string(),
   state: e.string().optional()
 });
-const Fo = e.object({
+const Po = e.object({
   button_border_radius: e.number(),
   button_border_weight: e.number(),
   buttons_style: e.enum(["pill", "rounded", "sharp"]),
@@ -1887,7 +1893,7 @@ const Fo = e.object({
   show_widget_shadow: e.boolean(),
   widget_border_weight: e.number(),
   widget_corner_radius: e.number()
-}), xo = e.object({
+}), Mo = e.object({
   base_focus_color: e.string(),
   base_hover_color: e.string(),
   body_text: e.string(),
@@ -1910,7 +1916,7 @@ const Fo = e.object({
 }), g = e.object({
   bold: e.boolean(),
   size: e.number()
-}), Po = e.object({
+}), Ho = e.object({
   body_text: g,
   buttons_text: g,
   font_url: e.string(),
@@ -1920,31 +1926,31 @@ const Fo = e.object({
   reference_text_size: e.number(),
   subtitle: g,
   title: g
-}), Mo = e.object({
+}), Go = e.object({
   background_color: e.string(),
   background_image_url: e.string(),
   page_layout: e.enum(["center", "left", "right"])
-}), Ho = e.object({
+}), Bo = e.object({
   header_text_alignment: e.enum(["center", "left", "right"]),
   logo_height: e.number(),
   logo_position: e.enum(["center", "left", "none", "right"]),
   logo_url: e.string(),
   social_buttons_layout: e.enum(["bottom", "top"])
-}), Go = e.object({
-  borders: Fo,
-  colors: xo,
+}), Wo = e.object({
+  borders: Po,
+  colors: Mo,
   displayName: e.string(),
-  fonts: Po,
-  page_background: Mo,
-  widget: Ho
-}), zt = Go.extend({
+  fonts: Ho,
+  page_background: Go,
+  widget: Bo
+}), Vt = Wo.extend({
   themeId: e.string()
-}), Xt = e.object({
+}), Yt = e.object({
   universal_login_experience: e.enum(["new", "classic"]).default("new"),
   identifier_first: e.boolean().default(!0),
   password_first: e.boolean().default(!1),
   webauthn_platform_first_factor: e.boolean()
-}), qt = e.object({
+}), Qt = e.object({
   name: e.string(),
   enabled: e.boolean().optional().default(!0),
   default_from_address: e.string().optional(),
@@ -1974,7 +1980,7 @@ const Fo = e.object({
     })
   ]),
   settings: e.object({}).optional()
-}), Bo = e.object({
+}), Ko = e.object({
   // The actual refresh token value (primary key).
   id: e.string(),
   // Link to the login session
@@ -1995,21 +2001,21 @@ const Fo = e.object({
     })
   ),
   rotating: e.boolean()
-}), Vt = e.object({
+}), Zt = e.object({
   // When the refresh token record was created.
   created_at: e.string(),
   // Spread in the rest of the refresh token properties.
-  ...Bo.shape
-}), Yt = e.object({
+  ...Ko.shape
+}), $t = e.object({
   to: e.string(),
   message: e.string()
-}), Qt = e.object({
+}), Jt = e.object({
   name: e.string(),
   options: e.object({})
-}), Wo = e.object({
+}), zo = e.object({
   value: e.string(),
   description: e.string().optional()
-}), Ko = e.object({
+}), qo = e.object({
   token_dialect: e.enum(["access_token", "access_token_authz"]).optional(),
   enforce_policies: e.boolean().optional(),
   allow_skipping_userinfo: e.boolean().optional(),
@@ -2019,11 +2025,11 @@ const Fo = e.object({
   mtls: e.object({
     bound_access_tokens: e.boolean().optional()
   }).optional()
-}), zo = e.object({
+}), Xo = e.object({
   id: e.string().optional(),
   name: e.string(),
   identifier: e.string(),
-  scopes: e.array(Wo).optional(),
+  scopes: e.array(zo).optional(),
   signing_alg: e.string().optional(),
   signing_secret: e.string().optional(),
   token_lifetime: e.number().optional(),
@@ -2031,30 +2037,30 @@ const Fo = e.object({
   skip_consent_for_verifiable_first_party_clients: e.boolean().optional(),
   allow_offline_access: e.boolean().optional(),
   verificationKey: e.string().optional(),
-  options: Ko.optional(),
+  options: qo.optional(),
   is_system: e.boolean().optional(),
   metadata: e.record(e.any()).optional()
-}), Xo = e.object({
-  ...zo.shape,
+}), Vo = e.object({
+  ...Xo.shape,
   created_at: e.string().optional(),
   updated_at: e.string().optional()
-}), Jt = e.array(Xo), qo = e.object({
+}), en = e.array(Vo), Yo = e.object({
   role_id: e.string(),
   resource_server_identifier: e.string(),
   permission_name: e.string()
-}), Vo = e.object({
-  ...qo.shape,
+}), Qo = e.object({
+  ...Yo.shape,
   created_at: e.string()
-}), Zt = e.array(Vo), Yo = e.object({
+}), on = e.array(Qo), Zo = e.object({
   user_id: e.string(),
   resource_server_identifier: e.string(),
   permission_name: e.string(),
   organization_id: e.string().optional()
-}), Qo = e.object({
-  ...Yo.shape,
+}), $o = e.object({
+  ...Zo.shape,
   tenant_id: e.string(),
   created_at: e.string().optional()
-}), $t = e.array(Qo), Jo = e.object({
+}), tn = e.array($o), Jo = e.object({
   user_id: e.string(),
   resource_server_identifier: e.string(),
   resource_server_name: e.string(),
@@ -2062,17 +2068,17 @@ const Fo = e.object({
   description: e.string().nullable().optional(),
   created_at: e.string().optional(),
   organization_id: e.string().optional()
-}), en = e.array(
+}), nn = e.array(
   Jo
-), Zo = e.object({
+), et = e.object({
   user_id: e.string(),
   role_id: e.string(),
   organization_id: e.string().optional()
-}), $o = e.object({
-  ...Zo.shape,
+}), ot = e.object({
+  ...et.shape,
   tenant_id: e.string(),
   created_at: e.string().optional()
-}), on = e.array($o), et = e.object({
+}), an = e.array(ot), tt = e.object({
   id: e.string().optional().openapi({
     description: "The unique identifier of the role. If not provided, one will be generated."
   }),
@@ -2086,13 +2092,13 @@ const Fo = e.object({
   metadata: e.record(e.any()).optional().openapi({
     description: "Metadata associated with the role. Can be used to control sync behavior in multi-tenancy scenarios."
   })
-}), ot = et.extend({
+}), nt = tt.extend({
   id: e.string().openapi({
     description: "The unique identifier of the role"
   }),
   created_at: e.string().optional(),
   updated_at: e.string().optional()
-}), tn = e.array(ot), tt = e.object({
+}), sn = e.array(nt), it = e.object({
   logo_url: e.string().optional().openapi({
     description: "URL of the organization's logo"
   }),
@@ -2104,7 +2110,7 @@ const Fo = e.object({
       description: "Page background color in hex format (e.g., #FFFFFF)"
     })
   }).optional()
-}).optional(), nt = e.object({
+}).optional(), at = e.object({
   connection_id: e.string().openapi({
     description: "ID of the connection"
   }),
@@ -2117,7 +2123,7 @@ const Fo = e.object({
   is_signup_enabled: e.boolean().default(!0).openapi({
     description: "Whether signup is enabled for this connection"
   })
-}), it = e.object({
+}), st = e.object({
   client_credentials: e.object({
     enforce: e.boolean().default(!1).openapi({
       description: "Whether to enforce token quota limits"
@@ -2129,7 +2135,7 @@ const Fo = e.object({
       description: "Maximum tokens per hour (0 = unlimited)"
     })
   }).optional()
-}).optional(), at = e.object({
+}).optional(), rt = e.object({
   id: e.string().optional(),
   name: e.string().min(1).regex(/^[a-z0-9_-]+$/, {
     message: "Organization name must be lowercase and can only contain letters, numbers, hyphens, and underscores"
@@ -2139,34 +2145,34 @@ const Fo = e.object({
   display_name: e.string().optional().openapi({
     description: "The display name of the organization"
   }),
-  branding: tt,
+  branding: it,
   metadata: e.record(e.any()).default({}).optional().openapi({
     description: "Custom metadata for the organization"
   }),
-  enabled_connections: e.array(nt).default([]).optional().openapi({
+  enabled_connections: e.array(at).default([]).optional().openapi({
     description: "List of enabled connections for the organization"
   }),
-  token_quota: it
-}), nn = e.object({
-  ...at.shape,
-  ...s.shape,
+  token_quota: st
+}), rn = e.object({
+  ...rt.shape,
+  ...r.shape,
   id: e.string(),
   // Override name to be lenient when reading from database (to support existing uppercase names)
   name: e.string().min(1).openapi({
     description: "The name of the organization"
   })
-}), rt = e.object({
+}), lt = e.object({
   user_id: e.string().openapi({
     description: "ID of the user"
   }),
   organization_id: e.string().openapi({
     description: "ID of the organization"
   })
-}), an = e.object({
-  ...rt.shape,
-  ...s.shape,
+}), ln = e.object({
+  ...lt.shape,
+  ...r.shape,
   id: e.string()
-}), rn = e.object({
+}), pn = e.object({
   // Session settings
   idle_session_lifetime: e.number().optional(),
   session_lifetime: e.number().optional(),
@@ -2237,6 +2243,8 @@ const Fo = e.object({
   }).optional(),
   // Guardian MFA Factors configuration (internal storage, exposed via /guardian API)
   mfa: e.object({
+    // MFA policy: "never" = MFA disabled, "always" = MFA required for all logins
+    policy: e.enum(["never", "always"]).default("never").optional(),
     // Factor states
     factors: e.object({
       sms: e.boolean().default(!1),
@@ -2264,7 +2272,7 @@ const Fo = e.object({
       message: e.string().optional()
     }).optional()
   }).optional()
-}), sn = e.object({
+}), cn = e.object({
   date: e.string().openapi({
     description: "Date these events occurred in ISO 8601 format",
     example: "2025-12-19"
@@ -2289,10 +2297,10 @@ const Fo = e.object({
     description: "Approximate date and time the first event occurred in ISO 8601 format",
     example: "2025-12-19T00:00:00.000Z"
   })
-}), ln = e.number().openapi({
+}), _n = e.number().openapi({
   description: "Number of active users in the last 30 days",
   example: 1234
-}), st = e.enum([
+}), pt = e.enum([
   "login",
   "login-id",
   "login-password",
@@ -2307,7 +2315,6 @@ const Fo = e.object({
   "mfa-voice",
   "mfa-phone",
   "mfa-webauthn",
-  "mfa-sms",
   "mfa-email",
   "mfa-recovery-code",
   "status",
@@ -2320,18 +2327,19 @@ const Fo = e.object({
   "passkeys",
   "captcha",
   "custom-form",
-  "login-passwordless"
-]), lt = e.record(e.string(), e.record(e.string(), e.string())).openapi({
+  "login-passwordless",
+  "mfa-login-options"
+]), ct = e.record(e.string(), e.record(e.string(), e.string())).openapi({
   type: "object",
   additionalProperties: {
     type: "object",
     additionalProperties: { type: "string" }
   }
-}), pn = e.object({
-  prompt: st,
+}), dn = e.object({
+  prompt: pt,
   language: e.string(),
-  custom_text: lt
-}), cn = {
+  custom_text: ct
+}), gn = {
   EMAIL: "email",
   SMS: "sms",
   USERNAME_PASSWORD: "Username-Password-Authentication",
@@ -2346,39 +2354,88 @@ const Fo = e.object({
   SAMLP: "samlp",
   WAAD: "waad",
   ADFS: "adfs"
-}, _n = {
+}, un = {
   DATABASE: "database",
   SOCIAL: "social",
   PASSWORDLESS: "passwordless"
-};
-function dn(o) {
-  const [n, i] = o.split("|");
-  if (!n || !i)
+}, _t = e.enum([
+  "phone",
+  "totp",
+  "email",
+  "push",
+  "webauthn-roaming",
+  "webauthn-platform",
+  "passkey"
+]), H = e.object({
+  user_id: e.string(),
+  type: _t,
+  // Phone-specific
+  phone_number: e.string().optional(),
+  // TOTP-specific
+  totp_secret: e.string().optional(),
+  // WebAuthn/Passkey-specific
+  credential_id: e.string().optional(),
+  public_key: e.string().optional(),
+  sign_count: e.number().int().nonnegative().optional(),
+  credential_backed_up: e.boolean().optional(),
+  transports: e.array(e.string()).optional(),
+  friendly_name: e.string().optional(),
+  // Common
+  confirmed: e.boolean().default(!1)
+});
+function G(o, t) {
+  o.type === "phone" && !o.phone_number && t.addIssue({
+    code: e.ZodIssueCode.custom,
+    message: "phone_number is required when type is 'phone'",
+    path: ["phone_number"]
+  }), o.type === "totp" && !o.totp_secret && t.addIssue({
+    code: e.ZodIssueCode.custom,
+    message: "totp_secret is required when type is 'totp'",
+    path: ["totp_secret"]
+  }), ["webauthn-roaming", "webauthn-platform", "passkey"].includes(o.type) && (o.credential_id || t.addIssue({
+    code: e.ZodIssueCode.custom,
+    message: `credential_id is required when type is '${o.type}'`,
+    path: ["credential_id"]
+  }), o.public_key || t.addIssue({
+    code: e.ZodIssueCode.custom,
+    message: `public_key is required when type is '${o.type}'`,
+    path: ["public_key"]
+  }));
+}
+const mn = H.superRefine(G), hn = e.object({
+  ...H.shape,
+  id: e.string(),
+  created_at: e.string(),
+  updated_at: e.string()
+}).superRefine(G);
+function bn(o) {
+  const [t, i] = o.split("|");
+  if (!t || !i)
     throw new Error(`Invalid user_id: ${o}`);
-  return { connection: n, id: i };
+  return { connection: t, id: i };
 }
-function gn(o) {
+function fn(o) {
   const {
-    primary: n,
+    primary: t,
     secondaries: i,
-    syncMethods: T = ["create", "update", "remove", "delete", "set"]
+    syncMethods: O = ["create", "update", "remove", "delete", "set"]
   } = o, E = {
     get(p, a) {
       if (typeof a == "symbol")
         return p[a];
       const c = p[a];
-      return typeof c != "function" ? c : T.includes(a) ? async (..._) => {
+      return typeof c != "function" ? c : O.includes(a) ? async (..._) => {
         const S = await c.apply(p, _), d = [];
-        for (const r of i) {
-          const h = r.adapter[a];
+        for (const s of i) {
+          const h = s.adapter[a];
           if (typeof h != "function")
             continue;
           const A = (async () => {
             try {
-              await h.apply(r.adapter, _);
+              await h.apply(s.adapter, _);
             } catch (b) {
               try {
-                r.onError ? r.onError(b, a, _) : console.error(
+                s.onError ? s.onError(b, a, _) : console.error(
                   `Passthrough adapter: secondary write failed for ${a}:`,
                   b
                 );
@@ -2390,199 +2447,202 @@ function gn(o) {
               }
             }
           })();
-          r.blocking && d.push(A);
+          s.blocking && d.push(A);
         }
         return d.length > 0 && await Promise.all(d), S;
       } : c.bind(p);
     }
   };
-  return new Proxy(n, E);
+  return new Proxy(t, E);
 }
-function un(o) {
+function En(o) {
   return o;
 }
-function mn(o) {
-  var E, p, a, c, _, S, d, r, h, A, b, I;
-  const n = o == null ? void 0 : o.options;
-  if (!n)
+function Sn(o) {
+  var E, p, a, c, _, S, d, s, h, A, b, I;
+  const t = o == null ? void 0 : o.options;
+  if (!t)
     return {
       usernameIdentifierActive: !1,
       emailIdentifierActive: !0,
       usernameMinLength: 1,
       usernameMaxLength: 15
     };
-  const i = n.attributes;
+  const i = t.attributes;
   if (i) {
-    const H = ((p = (E = i.username) == null ? void 0 : E.identifier) == null ? void 0 : p.active) === !0, G = ((c = (a = i.email) == null ? void 0 : a.identifier) == null ? void 0 : c.active) !== !1, B = ((S = (_ = i.username) == null ? void 0 : _.validation) == null ? void 0 : S.min_length) ?? 1, W = ((r = (d = i.username) == null ? void 0 : d.validation) == null ? void 0 : r.max_length) ?? 15;
+    const B = ((p = (E = i.username) == null ? void 0 : E.identifier) == null ? void 0 : p.active) === !0, W = ((c = (a = i.email) == null ? void 0 : a.identifier) == null ? void 0 : c.active) !== !1, K = ((S = (_ = i.username) == null ? void 0 : _.validation) == null ? void 0 : S.min_length) ?? 1, z = ((s = (d = i.username) == null ? void 0 : d.validation) == null ? void 0 : s.max_length) ?? 15;
     return {
-      usernameIdentifierActive: H,
-      emailIdentifierActive: G,
-      usernameMinLength: B,
-      usernameMaxLength: W
+      usernameIdentifierActive: B,
+      emailIdentifierActive: W,
+      usernameMinLength: K,
+      usernameMaxLength: z
     };
   }
   return {
-    usernameIdentifierActive: n.requires_username === !0,
+    usernameIdentifierActive: t.requires_username === !0,
     emailIdentifierActive: !0,
-    usernameMinLength: ((A = (h = n.validation) == null ? void 0 : h.username) == null ? void 0 : A.min) ?? 1,
-    usernameMaxLength: ((I = (b = n.validation) == null ? void 0 : b.username) == null ? void 0 : I.max) ?? 15
+    usernameMinLength: ((A = (h = t.validation) == null ? void 0 : h.username) == null ? void 0 : A.min) ?? 1,
+    usernameMaxLength: ((I = (b = t.validation) == null ? void 0 : b.username) == null ? void 0 : I.max) ?? 15
   };
 }
 export {
-  _t as Auth0ActionEnum,
-  wo as Auth0Client,
+  ut as Auth0ActionEnum,
+  Do as Auth0Client,
   D as AuthorizationResponseMode,
   j as AuthorizationResponseType,
   L as CodeChallengeMethod,
-  w as ComponentCategory,
-  R as ComponentType,
-  dt as EmailActionEnum,
-  Ot as FORM_FIELD_TYPES,
-  ct as FlowActionTypeEnum,
-  Uo as GrantType,
-  jo as LocationInfo,
-  No as LogTypes,
+  R as ComponentCategory,
+  w as ComponentType,
+  mt as EmailActionEnum,
+  wt as FORM_FIELD_TYPES,
+  gt as FlowActionTypeEnum,
+  xo as GrantType,
+  Lo as LocationInfo,
+  Ro as LogTypes,
   P as LoginSessionState,
-  ge as NodeType,
-  q as RedirectTargetEnum,
-  cn as Strategy,
-  _n as StrategyType,
-  he as actionNodeSchema,
-  ln as activeUsersResponseSchema,
-  $ as addressSchema,
-  St as auth0FlowInsertSchema,
-  Ae as auth0FlowSchema,
-  ut as auth0QuerySchema,
-  z as auth0UpdateUserActionSchema,
-  ht as auth0UserResponseSchema,
-  Ie as authParamsSchema,
+  me as NodeType,
+  Y as RedirectTargetEnum,
+  gn as Strategy,
+  un as StrategyType,
+  fe as actionNodeSchema,
+  _n as activeUsersResponseSchema,
+  oe as addressSchema,
+  yt as auth0FlowInsertSchema,
+  ye as auth0FlowSchema,
+  bt as auth0QuerySchema,
+  X as auth0UpdateUserActionSchema,
+  Et as auth0UserResponseSchema,
+  Ce as authParamsSchema,
+  mn as authenticationMethodInsertSchema,
+  hn as authenticationMethodSchema,
+  _t as authenticationMethodTypeSchema,
   N as baseUserSchema,
-  io as blockComponentSchema,
-  Fo as bordersSchema,
-  At as brandingSchema,
-  le as buttonComponentSchema,
-  ae as clientGrantInsertSchema,
-  Et as clientGrantListSchema,
-  re as clientGrantSchema,
-  ie as clientInsertSchema,
-  ft as clientSchema,
-  Ce as codeInsertSchema,
-  It as codeSchema,
-  ye as codeTypeSchema,
-  xo as colorsSchema,
-  go as componentMessageSchema,
-  de as componentSchema,
-  Te as connectionInsertSchema,
-  Oe as connectionOptionsSchema,
-  yt as connectionSchema,
+  so as blockComponentSchema,
+  Po as bordersSchema,
+  Ct as brandingSchema,
+  ce as buttonComponentSchema,
+  re as clientGrantInsertSchema,
+  It as clientGrantListSchema,
+  le as clientGrantSchema,
+  se as clientInsertSchema,
+  At as clientSchema,
+  Oe as codeInsertSchema,
+  Tt as codeSchema,
+  Te as codeTypeSchema,
+  Mo as colorsSchema,
+  mo as componentMessageSchema,
+  ue as componentSchema,
+  we as connectionInsertSchema,
+  Ne as connectionOptionsSchema,
+  Ot as connectionSchema,
   u as coordinatesSchema,
-  gn as createPassthroughAdapter,
-  un as createWriteOnlyAdapter,
-  Ne as customDomainInsertSchema,
-  we as customDomainSchema,
-  Ct as customDomainWithTenantIdSchema,
-  pn as customTextEntrySchema,
-  lt as customTextSchema,
-  sn as dailyStatsSchema,
-  qt as emailProviderSchema,
-  K as emailVerificationRulesSchema,
-  X as emailVerifyActionSchema,
-  Se as endingSchema,
-  ro as fieldComponentSchema,
-  Y as flowActionStepSchema,
-  Q as flowInsertSchema,
-  gt as flowSchema,
-  ce as flowsFieldComponentSchema,
-  me as flowsFlowNodeSchema,
-  ue as flowsStepNodeSchema,
+  fn as createPassthroughAdapter,
+  En as createWriteOnlyAdapter,
+  Re as customDomainInsertSchema,
+  De as customDomainSchema,
+  Nt as customDomainWithTenantIdSchema,
+  dn as customTextEntrySchema,
+  ct as customTextSchema,
+  cn as dailyStatsSchema,
+  Qt as emailProviderSchema,
+  q as emailVerificationRulesSchema,
+  V as emailVerifyActionSchema,
+  Ie as endingSchema,
+  lo as fieldComponentSchema,
+  Z as flowActionStepSchema,
+  $ as flowInsertSchema,
+  ht as flowSchema,
+  de as flowsFieldComponentSchema,
+  be as flowsFlowNodeSchema,
+  he as flowsStepNodeSchema,
   g as fontDetailsSchema,
-  Po as fontsSchema,
-  Tt as formControlSchema,
-  _o as formInsertSchema,
+  Ho as fontsSchema,
+  Rt as formControlSchema,
+  uo as formInsertSchema,
   v as formNodeComponentDefinition,
-  co as formNodeSchema,
-  Nt as formSchema,
-  _e as genericComponentSchema,
-  be as genericNodeSchema,
-  mn as getConnectionIdentifierConfig,
-  vt as hookInsertSchema,
-  kt as hookSchema,
+  go as formNodeSchema,
+  jt as formSchema,
+  ge as genericComponentSchema,
+  Ee as genericNodeSchema,
+  Sn as getConnectionIdentifierConfig,
+  Ft as hookInsertSchema,
+  xt as hookSchema,
   x as hookTemplateId,
-  Lt as hookTemplates,
-  Z as identitySchema,
-  yo as inviteInsertSchema,
-  Ut as inviteSchema,
-  Io as inviteeSchema,
-  Ao as inviterSchema,
-  wt as isBlockComponent,
-  Dt as isFieldComponent,
-  jt as isWidgetComponent,
-  Ft as jwksKeySchema,
-  Co as jwksSchema,
-  pe as legalComponentSchema,
-  Do as logInsertSchema,
-  Mt as logSchema,
-  To as loginSessionInsertSchema,
-  Pt as loginSessionSchema,
-  Oo as loginSessionStateSchema,
-  fe as nodeSchema,
-  xt as openIDConfigurationSchema,
-  tt as organizationBrandingSchema,
-  nt as organizationEnabledConnectionSchema,
-  at as organizationInsertSchema,
-  nn as organizationSchema,
-  it as organizationTokenQuotaSchema,
-  Mo as pageBackgroundSchema,
-  dn as parseUserId,
-  Lo as passwordInsertSchema,
-  Ht as passwordSchema,
+  Ut as hookTemplates,
+  ee as identitySchema,
+  To as inviteInsertSchema,
+  Pt as inviteSchema,
+  Co as inviteeSchema,
+  yo as inviterSchema,
+  Lt as isBlockComponent,
+  kt as isFieldComponent,
+  vt as isWidgetComponent,
+  Mt as jwksKeySchema,
+  Oo as jwksSchema,
+  _e as legalComponentSchema,
+  vo as logInsertSchema,
+  Bt as logSchema,
+  wo as loginSessionInsertSchema,
+  Gt as loginSessionSchema,
+  No as loginSessionStateSchema,
+  Se as nodeSchema,
+  Ht as openIDConfigurationSchema,
+  it as organizationBrandingSchema,
+  at as organizationEnabledConnectionSchema,
+  rt as organizationInsertSchema,
+  rn as organizationSchema,
+  st as organizationTokenQuotaSchema,
+  Go as pageBackgroundSchema,
+  bn as parseUserId,
+  ko as passwordInsertSchema,
+  Wt as passwordSchema,
   J as profileDataSchema,
-  st as promptScreenSchema,
-  Xt as promptSettingSchema,
-  V as redirectActionSchema,
-  Bo as refreshTokenInsertSchema,
-  Vt as refreshTokenSchema,
-  zo as resourceServerInsertSchema,
-  Jt as resourceServerListSchema,
-  Ko as resourceServerOptionsSchema,
-  Xo as resourceServerSchema,
-  Wo as resourceServerScopeSchema,
-  se as richTextComponentSchema,
-  et as roleInsertSchema,
-  tn as roleListSchema,
-  qo as rolePermissionInsertSchema,
-  Zt as rolePermissionListSchema,
-  Vo as rolePermissionSchema,
-  ot as roleSchema,
-  uo as screenLinkSchema,
-  vo as sessionInsertSchema,
-  Gt as sessionSchema,
-  Bt as signingKeySchema,
-  Qt as smsProviderSchema,
-  Yt as smsSendParamsSchema,
-  Ee as startSchema,
-  ko as tenantInsertSchema,
-  Wt as tenantSchema,
-  rn as tenantSettingsSchema,
-  Go as themeInsertSchema,
-  zt as themeSchema,
-  Kt as tokenResponseSchema,
-  mt as totalsSchema,
-  Rt as uiScreenSchema,
-  ee as userInsertSchema,
-  rt as userOrganizationInsertSchema,
-  an as userOrganizationSchema,
-  Yo as userPermissionInsertSchema,
-  $t as userPermissionListSchema,
-  Qo as userPermissionSchema,
-  en as userPermissionWithDetailsListSchema,
+  pt as promptScreenSchema,
+  Yt as promptSettingSchema,
+  Q as redirectActionSchema,
+  Ko as refreshTokenInsertSchema,
+  Zt as refreshTokenSchema,
+  Xo as resourceServerInsertSchema,
+  en as resourceServerListSchema,
+  qo as resourceServerOptionsSchema,
+  Vo as resourceServerSchema,
+  zo as resourceServerScopeSchema,
+  pe as richTextComponentSchema,
+  tt as roleInsertSchema,
+  sn as roleListSchema,
+  Yo as rolePermissionInsertSchema,
+  on as rolePermissionListSchema,
+  Qo as rolePermissionSchema,
+  nt as roleSchema,
+  ho as screenLinkSchema,
+  Uo as sessionInsertSchema,
+  Kt as sessionSchema,
+  zt as signingKeySchema,
+  Jt as smsProviderSchema,
+  $t as smsSendParamsSchema,
+  Ae as startSchema,
+  Fo as tenantInsertSchema,
+  qt as tenantSchema,
+  pn as tenantSettingsSchema,
+  Wo as themeInsertSchema,
+  Vt as themeSchema,
+  Xt as tokenResponseSchema,
+  ft as totalsSchema,
+  Dt as uiScreenSchema,
+  te as userInsertSchema,
+  lt as userOrganizationInsertSchema,
+  ln as userOrganizationSchema,
+  Zo as userPermissionInsertSchema,
+  tn as userPermissionListSchema,
+  $o as userPermissionSchema,
+  nn as userPermissionWithDetailsListSchema,
   Jo as userPermissionWithDetailsSchema,
-  bt as userResponseSchema,
-  Zo as userRoleInsertSchema,
-  on as userRoleListSchema,
-  $o as userRoleSchema,
-  oe as userSchema,
-  Re as verificationMethodsSchema,
-  ao as widgetComponentSchema,
-  Ho as widgetSchema
+  St as userResponseSchema,
+  et as userRoleInsertSchema,
+  an as userRoleListSchema,
+  ot as userRoleSchema,
+  ne as userSchema,
+  je as verificationMethodsSchema,
+  ro as widgetComponentSchema,
+  Bo as widgetSchema
 };