@authhero/drizzle 0.43.1 → 0.43.3

package/dist/drizzle-adapter.mjs

@@ -1580,7 +1580,8 @@ const B = $("tenants", {
     connections: s("connections").notNull().default("[]"),
     owner_user_id: s("owner_user_id", { length: 255 }),
     registration_type: s("registration_type", { length: 32 }),
-    registration_metadata: s("registration_metadata")
+    registration_metadata: s("registration_metadata"),
+    user_linking_mode: s("user_linking_mode", { length: 16 })
   },
   (n) => [
     Te({
@@ -3011,7 +3012,7 @@ var Xn;
     // second overwrites first
   });
 })(Xn || (Xn = {}));
-const x = H.arrayToEnum([
+const k = H.arrayToEnum([
   "string",
   "nan",
   "number",
@@ -3035,23 +3036,23 @@ const x = H.arrayToEnum([
 ]), We = (n) => {
   switch (typeof n) {
     case "undefined":
-      return x.undefined;
+      return k.undefined;
     case "string":
-      return x.string;
+      return k.string;
     case "number":
-      return Number.isNaN(n) ? x.nan : x.number;
+      return Number.isNaN(n) ? k.nan : k.number;
     case "boolean":
-      return x.boolean;
+      return k.boolean;
     case "function":
-      return x.function;
+      return k.function;
     case "bigint":
-      return x.bigint;
+      return k.bigint;
     case "symbol":
-      return x.symbol;
+      return k.symbol;
     case "object":
-      return Array.isArray(n) ? x.array : n === null ? x.null : n.then && typeof n.then == "function" && n.catch && typeof n.catch == "function" ? x.promise : typeof Map < "u" && n instanceof Map ? x.map : typeof Set < "u" && n instanceof Set ? x.set : typeof Date < "u" && n instanceof Date ? x.date : x.object;
+      return Array.isArray(n) ? k.array : n === null ? k.null : n.then && typeof n.then == "function" && n.catch && typeof n.catch == "function" ? k.promise : typeof Map < "u" && n instanceof Map ? k.map : typeof Set < "u" && n instanceof Set ? k.set : typeof Date < "u" && n instanceof Date ? k.date : k.object;
     default:
-      return x.unknown;
+      return k.unknown;
   }
 }, N = H.arrayToEnum([
   "invalid_type",
@@ -3139,7 +3140,7 @@ const ln = (n, e) => {
   let t;
   switch (n.code) {
     case N.invalid_type:
-      n.received === x.undefined ? t = "Required" : t = `Expected ${n.expected}, received ${n.received}`;
+      n.received === k.undefined ? t = "Required" : t = `Expected ${n.expected}, received ${n.received}`;
       break;
     case N.invalid_literal:
       t = `Invalid literal value, expected ${JSON.stringify(n.expected, H.jsonStringifyReplacer)}`;
@@ -3573,11 +3574,11 @@ function Us(n, e) {
 }
 class Ze extends q {
   _parse(e) {
-    if (this._def.coerce && (e.data = String(e.data)), this._getType(e) !== x.string) {
+    if (this._def.coerce && (e.data = String(e.data)), this._getType(e) !== k.string) {
       const r = this._getOrReturnCtx(e);
       return E(r, {
         code: N.invalid_type,
-        expected: x.string,
+        expected: k.string,
         received: r.parsedType
       }), R;
     }
@@ -3963,11 +3964,11 @@ class yt extends q {
     super(...arguments), this.min = this.gte, this.max = this.lte, this.step = this.multipleOf;
   }
   _parse(e) {
-    if (this._def.coerce && (e.data = Number(e.data)), this._getType(e) !== x.number) {
+    if (this._def.coerce && (e.data = Number(e.data)), this._getType(e) !== k.number) {
       const r = this._getOrReturnCtx(e);
       return E(r, {
         code: N.invalid_type,
-        expected: x.number,
+        expected: k.number,
         received: r.parsedType
       }), R;
     }
@@ -4141,7 +4142,7 @@ class Et extends q {
       } catch {
         return this._getInvalidInput(e);
       }
-    if (this._getType(e) !== x.bigint)
+    if (this._getType(e) !== k.bigint)
       return this._getInvalidInput(e);
     let i;
     const a = new ke();
@@ -4169,7 +4170,7 @@ class Et extends q {
     const t = this._getOrReturnCtx(e);
     return E(t, {
       code: N.invalid_type,
-      expected: x.bigint,
+      expected: k.bigint,
       received: t.parsedType
     }), R;
   }
@@ -4265,11 +4266,11 @@ Et.create = (n) => new Et({
 });
 class dn extends q {
   _parse(e) {
-    if (this._def.coerce && (e.data = !!e.data), this._getType(e) !== x.boolean) {
+    if (this._def.coerce && (e.data = !!e.data), this._getType(e) !== k.boolean) {
       const i = this._getOrReturnCtx(e);
       return E(i, {
         code: N.invalid_type,
-        expected: x.boolean,
+        expected: k.boolean,
         received: i.parsedType
       }), R;
     }
@@ -4283,11 +4284,11 @@ dn.create = (n) => new dn({
 });
 class zt extends q {
   _parse(e) {
-    if (this._def.coerce && (e.data = new Date(e.data)), this._getType(e) !== x.date) {
+    if (this._def.coerce && (e.data = new Date(e.data)), this._getType(e) !== k.date) {
       const r = this._getOrReturnCtx(e);
       return E(r, {
         code: N.invalid_type,
-        expected: x.date,
+        expected: k.date,
         received: r.parsedType
       }), R;
     }
@@ -4361,11 +4362,11 @@ zt.create = (n) => new zt({
 });
 class ti extends q {
   _parse(e) {
-    if (this._getType(e) !== x.symbol) {
+    if (this._getType(e) !== k.symbol) {
       const i = this._getOrReturnCtx(e);
       return E(i, {
         code: N.invalid_type,
-        expected: x.symbol,
+        expected: k.symbol,
         received: i.parsedType
       }), R;
     }
@@ -4378,11 +4379,11 @@ ti.create = (n) => new ti({
 });
 class cn extends q {
   _parse(e) {
-    if (this._getType(e) !== x.undefined) {
+    if (this._getType(e) !== k.undefined) {
       const i = this._getOrReturnCtx(e);
       return E(i, {
         code: N.invalid_type,
-        expected: x.undefined,
+        expected: k.undefined,
         received: i.parsedType
       }), R;
     }
@@ -4395,11 +4396,11 @@ cn.create = (n) => new cn({
 });
 class _n extends q {
   _parse(e) {
-    if (this._getType(e) !== x.null) {
+    if (this._getType(e) !== k.null) {
       const i = this._getOrReturnCtx(e);
       return E(i, {
         code: N.invalid_type,
-        expected: x.null,
+        expected: k.null,
         received: i.parsedType
       }), R;
     }
@@ -4439,7 +4440,7 @@ class et extends q {
     const t = this._getOrReturnCtx(e);
     return E(t, {
       code: N.invalid_type,
-      expected: x.never,
+      expected: k.never,
       received: t.parsedType
     }), R;
   }
@@ -4450,11 +4451,11 @@ et.create = (n) => new et({
 });
 class ni extends q {
   _parse(e) {
-    if (this._getType(e) !== x.undefined) {
+    if (this._getType(e) !== k.undefined) {
       const i = this._getOrReturnCtx(e);
       return E(i, {
         code: N.invalid_type,
-        expected: x.void,
+        expected: k.void,
         received: i.parsedType
       }), R;
     }
@@ -4468,10 +4469,10 @@ ni.create = (n) => new ni({
 class $e extends q {
   _parse(e) {
     const { ctx: t, status: i } = this._processInputParams(e), a = this._def;
-    if (t.parsedType !== x.array)
+    if (t.parsedType !== k.array)
       return E(t, {
         code: N.invalid_type,
-        expected: x.array,
+        expected: k.array,
         received: t.parsedType
       }), R;
     if (a.exactLength !== null) {
@@ -4565,11 +4566,11 @@ class le extends q {
     return this._cached = { shape: e, keys: t }, this._cached;
   }
   _parse(e) {
-    if (this._getType(e) !== x.object) {
+    if (this._getType(e) !== k.object) {
       const f = this._getOrReturnCtx(e);
       return E(f, {
         code: N.invalid_type,
-        expected: x.object,
+        expected: k.object,
         received: f.parsedType
       }), R;
     }
@@ -4919,10 +4920,10 @@ const Je = (n) => n instanceof pn ? Je(n.schema) : n instanceof tt ? Je(n.innerT
 class gn extends q {
   _parse(e) {
     const { ctx: t } = this._processInputParams(e);
-    if (t.parsedType !== x.object)
+    if (t.parsedType !== k.object)
       return E(t, {
         code: N.invalid_type,
-        expected: x.object,
+        expected: k.object,
         received: t.parsedType
       }), R;
     const i = this.discriminator, a = t.data[i], r = this.optionsMap.get(a);
@@ -4982,7 +4983,7 @@ function ii(n, e) {
   const t = We(n), i = We(e);
   if (n === e)
     return { valid: !0, data: n };
-  if (t === x.object && i === x.object) {
+  if (t === k.object && i === k.object) {
     const a = H.objectKeys(e), r = H.objectKeys(n).filter((d) => a.indexOf(d) !== -1), l = { ...n, ...e };
     for (const d of r) {
       const u = ii(n[d], e[d]);
@@ -4991,7 +4992,7 @@ function ii(n, e) {
       l[d] = u.data;
     }
     return { valid: !0, data: l };
-  } else if (t === x.array && i === x.array) {
+  } else if (t === k.array && i === k.array) {
     if (n.length !== e.length)
       return { valid: !1 };
     const a = [];
@@ -5002,7 +5003,7 @@ function ii(n, e) {
       a.push(u.data);
     }
     return { valid: !0, data: a };
-  } else return t === x.date && i === x.date && +n == +e ? { valid: !0, data: n } : { valid: !1 };
+  } else return t === k.date && i === k.date && +n == +e ? { valid: !0, data: n } : { valid: !1 };
 }
 class Mt extends q {
   _parse(e) {
@@ -5045,10 +5046,10 @@ Mt.create = (n, e, t) => new Mt({
 class st extends q {
   _parse(e) {
     const { status: t, ctx: i } = this._processInputParams(e);
-    if (i.parsedType !== x.array)
+    if (i.parsedType !== k.array)
       return E(i, {
         code: N.invalid_type,
-        expected: x.array,
+        expected: k.array,
         received: i.parsedType
       }), R;
     if (i.data.length < this._def.items.length)
@@ -5101,10 +5102,10 @@ class qt extends q {
   }
   _parse(e) {
     const { status: t, ctx: i } = this._processInputParams(e);
-    if (i.parsedType !== x.object)
+    if (i.parsedType !== k.object)
       return E(i, {
         code: N.invalid_type,
-        expected: x.object,
+        expected: k.object,
         received: i.parsedType
       }), R;
     const a = [], r = this._def.keyType, l = this._def.valueType;
@@ -5142,10 +5143,10 @@ class ai extends q {
   }
   _parse(e) {
     const { status: t, ctx: i } = this._processInputParams(e);
-    if (i.parsedType !== x.map)
+    if (i.parsedType !== k.map)
       return E(i, {
         code: N.invalid_type,
-        expected: x.map,
+        expected: k.map,
         received: i.parsedType
       }), R;
     const a = this._def.keyType, r = this._def.valueType, l = [...i.data.entries()].map(([d, u], f) => ({
@@ -5184,10 +5185,10 @@ ai.create = (n, e, t) => new ai({
 class xt extends q {
   _parse(e) {
     const { status: t, ctx: i } = this._processInputParams(e);
-    if (i.parsedType !== x.set)
+    if (i.parsedType !== k.set)
       return E(i, {
         code: N.invalid_type,
-        expected: x.set,
+        expected: k.set,
         received: i.parsedType
       }), R;
     const a = this._def;
@@ -5345,7 +5346,7 @@ lt.create = _r;
 class $t extends q {
   _parse(e) {
     const t = H.getValidEnumValues(this._def.values), i = this._getOrReturnCtx(e);
-    if (i.parsedType !== x.string && i.parsedType !== x.number) {
+    if (i.parsedType !== k.string && i.parsedType !== k.number) {
       const a = H.objectValues(t);
       return E(i, {
         expected: H.joinValues(a),
@@ -5378,13 +5379,13 @@ class jt extends q {
   }
   _parse(e) {
     const { ctx: t } = this._processInputParams(e);
-    if (t.parsedType !== x.promise && t.common.async === !1)
+    if (t.parsedType !== k.promise && t.common.async === !1)
       return E(t, {
         code: N.invalid_type,
-        expected: x.promise,
+        expected: k.promise,
         received: t.parsedType
       }), R;
-    const i = t.parsedType === x.promise ? t.data : Promise.resolve(t.data);
+    const i = t.parsedType === k.promise ? t.data : Promise.resolve(t.data);
     return De(i.then((a) => this._def.type.parseAsync(a, {
       path: t.path,
       errorMap: t.common.contextualErrorMap
@@ -5490,7 +5491,7 @@ tt.createWithPreprocess = (n, e, t) => new tt({
 });
 class He extends q {
   _parse(e) {
-    return this._getType(e) === x.undefined ? De(void 0) : this._def.innerType._parse(e);
+    return this._getType(e) === k.undefined ? De(void 0) : this._def.innerType._parse(e);
   }
   unwrap() {
     return this._def.innerType;
@@ -5503,7 +5504,7 @@ He.create = (n, e) => new He({
 });
 class dt extends q {
   _parse(e) {
-    return this._getType(e) === x.null ? De(null) : this._def.innerType._parse(e);
+    return this._getType(e) === k.null ? De(null) : this._def.innerType._parse(e);
   }
   unwrap() {
     return this._def.innerType;
@@ -5518,7 +5519,7 @@ class Vt extends q {
   _parse(e) {
     const { ctx: t } = this._processInputParams(e);
     let i = t.data;
-    return t.parsedType === x.undefined && (i = this._def.defaultValue()), this._def.innerType._parse({
+    return t.parsedType === k.undefined && (i = this._def.defaultValue()), this._def.innerType._parse({
       data: i,
       path: t.path,
       parent: t
@@ -5579,11 +5580,11 @@ Zt.create = (n, e) => new Zt({
 });
 class oi extends q {
   _parse(e) {
-    if (this._getType(e) !== x.nan) {
+    if (this._getType(e) !== k.nan) {
       const i = this._getOrReturnCtx(e);
       return E(i, {
         code: N.invalid_type,
-        expected: x.nan,
+        expected: k.nan,
         received: i.parsedType
       }), R;
     }
@@ -5673,7 +5674,7 @@ et.create;
 const b = $e.create, _ = le.create, Pe = Pt.create, kt = gn.create;
 Mt.create;
 st.create;
-const P = qt.create, O = Bt.create, k = lt.create, gt = $t.create;
+const P = qt.create, O = Bt.create, x = lt.create, gt = $t.create;
 jt.create;
 He.create;
 dt.create;
@@ -5712,7 +5713,7 @@ const Fs = /* @__PURE__ */ Object.freeze(/* @__PURE__ */ Object.defineProperty({
   ZodNumber: yt,
   ZodObject: le,
   ZodOptional: He,
-  ZodParsedType: x,
+  ZodParsedType: k,
   ZodPipeline: mn,
   ZodPromise: jt,
   ZodReadonly: Ht,
@@ -5736,7 +5737,7 @@ const Fs = /* @__PURE__ */ Object.freeze(/* @__PURE__ */ Object.defineProperty({
   datetimeRegex: cr,
   defaultErrorMap: ln,
   discriminatedUnion: kt,
-  enum: k,
+  enum: x,
   getErrorMap: rr,
   getParsedType: We,
   isAborted: Yn,
@@ -5781,13 +5782,13 @@ const Ve = _({
   secrets: b(qs).optional()
 });
 ur.partial().extend({
-  status: k(["draft", "built"]).optional(),
+  status: x(["draft", "built"]).optional(),
   deployed_at: o().optional()
 });
 ur.extend({
   id: o(),
   tenant_id: o(),
-  status: k(["draft", "built"]).default("built"),
+  status: x(["draft", "built"]).default("built"),
   deployed_at: o().optional(),
   // Override secrets to return names only (no values) in responses
   secrets: b(
@@ -5798,13 +5799,13 @@ ur.extend({
   ).optional(),
   ...Ve.shape
 });
-const Bs = k([
+const Bs = x([
   "user_action",
   "admin_action",
   "system",
   "api"
 ]), $s = _({
-  type: k(["user", "admin", "system", "api_key", "client_credentials"]),
+  type: x(["user", "admin", "system", "api_key", "client_credentials"]),
   id: o().optional(),
   email: o().optional(),
   org_id: o().optional(),
@@ -5863,15 +5864,15 @@ const Bs = k([
 Qs.extend({
   id: o()
 });
-k(["AUTH0", "EMAIL", "REDIRECT"]);
-k([
+x(["AUTH0", "EMAIL", "REDIRECT"]);
+x([
   "CREATE_USER",
   "GET_USER",
   "UPDATE_USER",
   "SEND_REQUEST",
   "SEND_EMAIL"
 ]);
-k(["VERIFY_EMAIL"]);
+x(["VERIFY_EMAIL"]);
 const Gs = _({
   require_mx_record: h().optional(),
   block_aliases: h().optional(),
@@ -5902,7 +5903,7 @@ const Gs = _({
     email: o(),
     rules: Gs.optional()
   })
-}), Xs = k(["change-email", "account", "custom"]), Ys = _({
+}), Xs = x(["change-email", "account", "custom"]), Ys = _({
   id: o(),
   alias: o().max(100).optional(),
   type: O("REDIRECT"),
@@ -6094,7 +6095,7 @@ const dl = _({
   client_secret: o().default(() => ll()).optional().openapi({
     description: "Client secret (which you must not make public)."
   }),
-  app_type: k([
+  app_type: x([
     "native",
     "spa",
     "regular_web",
@@ -6201,7 +6202,7 @@ const dl = _({
   addons: P(j()).default({}).optional().openapi({
     description: "Addons enabled for this client and their associated configurations."
   }),
-  token_endpoint_auth_method: k(["none", "client_secret_post", "client_secret_basic"]).default("client_secret_basic").optional().openapi({
+  token_endpoint_auth_method: x(["none", "client_secret_post", "client_secret_basic"]).default("client_secret_basic").optional().openapi({
     description: "Defines the requested authentication method for the token endpoint. Can be none (public client without a client secret), client_secret_post (client uses HTTP POST parameters), or client_secret_basic (client uses HTTP Basic)."
   }),
   client_metadata: P(o().max(255)).default({}).optional().openapi({
@@ -6220,10 +6221,10 @@ const dl = _({
   default_organization: P(j()).default({}).optional().openapi({
     description: "Defines the default Organization ID and flows"
   }),
-  organization_usage: k(["deny", "allow", "require"]).default("deny").optional().openapi({
+  organization_usage: x(["deny", "allow", "require"]).default("deny").optional().openapi({
     description: "Defines how to proceed during an authentication transaction with regards an organization. Can be deny (default), allow or require."
   }),
-  organization_require_behavior: k(["no_prompt", "pre_login_prompt", "post_login_prompt"]).default("no_prompt").optional().openapi({
+  organization_require_behavior: x(["no_prompt", "pre_login_prompt", "post_login_prompt"]).default("no_prompt").optional().openapi({
     description: "Defines how to proceed during an authentication transaction when client.organization_usage: 'require'. Can be no_prompt (default), pre_login_prompt or post_login_prompt. post_login_prompt requires oidc_conformant: true."
   }),
   client_authentication_methods: P(j()).default({}).optional().openapi({
@@ -6238,7 +6239,7 @@ const dl = _({
   signed_request_object: P(j()).default({}).optional().openapi({
     description: "JWT-secured Authorization Requests (JAR) settings."
   }),
-  compliance_level: k([
+  compliance_level: x([
     "none",
     "fapi1_adv_pkj_par",
     "fapi1_adv_mtls_par",
@@ -6254,11 +6255,14 @@ const dl = _({
   owner_user_id: o().optional().openapi({
     description: "User ID of the consenting user when this client was created via IAT-gated Dynamic Client Registration. NULL for clients created via the Management API or open DCR."
   }),
-  registration_type: k(["manual", "open_dcr", "iat_dcr"]).optional().openapi({
+  registration_type: x(["manual", "open_dcr", "iat_dcr"]).optional().openapi({
     description: "Provenance of this client. `manual` = Management API; `open_dcr` = RFC 7591 without IAT; `iat_dcr` = RFC 7591 with an Initial Access Token."
   }),
   registration_metadata: P(j()).default({}).optional().openapi({
     description: "Arbitrary metadata captured at Dynamic Client Registration time that isn't a first-class client field (e.g. integration_type, domain). Also stores `iat_constraints` for clients created via IAT so RFC 7592 PUT can enforce field immutability."
+  }),
+  user_linking_mode: x(["builtin", "off"]).optional().openapi({
+    description: "Per-client override for the built-in email-based user-linking path. `builtin` runs the legacy in-process linking at user creation/email update. `off` disables the legacy path; linking only happens if the tenant has enabled the `account-linking` template hook. When unset, the service-level `userLinkingMode` default applies."
   })
 });
 _({
@@ -6276,7 +6280,7 @@ const cl = _({
   scope: b(o()).optional().openapi({
     description: "Scopes allowed for this client grant."
   }),
-  organization_usage: k(["deny", "allow", "require"]).optional().openapi({
+  organization_usage: x(["deny", "allow", "require"]).optional().openapi({
     description: "Defines whether organizations can be used with client credentials exchanges for this grant."
   }),
   allow_any_organization: h().optional().openapi({
@@ -6285,7 +6289,7 @@ const cl = _({
   is_system: h().optional().openapi({
     description: "If enabled, this grant is a special grant created by Auth0. It cannot be modified or deleted directly."
   }),
-  subject_type: k(["client", "user"]).optional().openapi({
+  subject_type: x(["client", "user"]).optional().openapi({
     description: "The type of application access the client grant allows. Use of this field is subject to the applicable Free Trial terms in Okta's Master Subscription Agreement."
   }),
   authorization_details_types: b(o()).optional().openapi({
@@ -6300,7 +6304,7 @@ const cl = _({
   updated_at: o().optional()
 });
 b(_l);
-const fr = k(["iat", "rat"]), ul = _({
+const fr = x(["iat", "rat"]), ul = _({
   id: o(),
   token_hash: o(),
   type: fr,
@@ -6469,10 +6473,10 @@ const yn = _({
   coordinates: Ot,
   alias: o().optional(),
   config: _({
-    action_type: k(["REDIRECT"]).openapi({
+    action_type: x(["REDIRECT"]).openapi({
       description: "The type of action to perform"
     }),
-    target: k(["change-email", "account", "custom"]).openapi({
+    target: x(["change-email", "account", "custom"]).openapi({
       description: "The predefined target to redirect to"
     }),
     custom_url: o().optional().openapi({
@@ -6561,7 +6565,7 @@ _({
     url: o()
   }).optional()
 });
-const Tl = k([
+const Tl = x([
   "password_reset",
   "email_verification",
   "otp",
@@ -6586,7 +6590,7 @@ const Tl = k([
   code_challenge: o().optional().openapi({
     description: "The code challenge used in PKCE in outbound flows"
   }),
-  code_challenge_method: k(["plain", "S256"]).optional().openapi({
+  code_challenge_method: x(["plain", "S256"]).optional().openapi({
     description: "The code challenge method used in PKCE in outbound flows"
   }),
   redirect_uri: o().optional().openapi({
@@ -6630,7 +6634,7 @@ const Il = _({
   twilio_token: o().optional(),
   icon_url: o().optional(),
   // Password policy options for Username-Password-Authentication connections
-  passwordPolicy: k(["none", "low", "fair", "good", "excellent"]).optional(),
+  passwordPolicy: x(["none", "low", "fair", "good", "excellent"]).optional(),
   password_complexity_options: _({
     min_length: I().optional()
   }).optional(),
@@ -6658,7 +6662,7 @@ const Il = _({
         active: h().optional()
       }).optional(),
       signup: _({
-        status: k(["required", "optional", "disabled"]).optional(),
+        status: x(["required", "optional", "disabled"]).optional(),
         verification: _({
           active: h().optional()
         }).optional()
@@ -6668,14 +6672,14 @@ const Il = _({
       }).optional(),
       unique: h().optional(),
       profile_required: h().optional(),
-      verification_method: k(["link", "code"]).optional()
+      verification_method: x(["link", "code"]).optional()
     }).optional(),
     username: _({
       identifier: _({
         active: h().optional()
       }).optional(),
       signup: _({
-        status: k(["required", "optional", "disabled"]).optional()
+        status: x(["required", "optional", "disabled"]).optional()
       }).optional(),
       validation: _({
         max_length: I().optional(),
@@ -6692,7 +6696,7 @@ const Il = _({
         active: h().optional()
       }).optional(),
       signup: _({
-        status: k(["required", "optional", "disabled"]).optional()
+        status: x(["required", "optional", "disabled"]).optional()
       }).optional()
     }).optional()
   }).optional(),
@@ -6707,7 +6711,7 @@ const Il = _({
   }).optional(),
   // Passkey options for Username-Password-Authentication connections
   passkey_options: _({
-    challenge_ui: k(["both", "autofill", "button"]).optional(),
+    challenge_ui: x(["both", "autofill", "button"]).optional(),
     local_enrollment_enabled: h().optional(),
     progressive_enrollment_enabled: h().optional()
   }).optional(),
@@ -6720,7 +6724,7 @@ const Il = _({
     }).optional()
   }).optional(),
   // Controls when root user attributes are updated from external IdP
-  set_user_root_attributes: k(["on_each_login", "on_first_login", "never_on_login"]).optional()
+  set_user_root_attributes: x(["on_each_login", "on_first_login", "never_on_login"]).optional()
 }), Cl = _({
   id: o().optional(),
   name: o(),
@@ -6743,10 +6747,10 @@ _({
 const Dl = _({
   domain: o(),
   custom_domain_id: o().optional(),
-  type: k(["auth0_managed_certs", "self_managed_certs"]),
-  verification_method: k(["txt"]).optional(),
-  tls_policy: k(["recommended"]).optional(),
-  custom_client_ip_header: k([
+  type: x(["auth0_managed_certs", "self_managed_certs"]),
+  verification_method: x(["txt"]).optional(),
+  tls_policy: x(["recommended"]).optional(),
+  custom_client_ip_header: x([
     "true-client-ip",
     "cf-connecting-ip",
     "x-forwarded-for",
@@ -6769,7 +6773,7 @@ const Dl = _({
   ...Dl.shape,
   custom_domain_id: o(),
   primary: h(),
-  status: k(["disabled", "pending", "pending_verification", "ready"]),
+  status: x(["disabled", "pending", "pending_verification", "ready"]),
   origin_domain_name: o().optional(),
   verification: _({
     methods: b(Ll)
@@ -6859,7 +6863,7 @@ const vi = _({
     _({
       id: I().optional(),
       text: o(),
-      type: k(["info", "error", "success", "warning"])
+      type: x(["info", "error", "success", "warning"])
     })
   ).optional(),
   required: h().optional(),
@@ -6891,7 +6895,7 @@ const vi = _({
         label: o()
       })
     ).optional(),
-    display: k(["radio", "checkbox"]).optional(),
+    display: x(["radio", "checkbox"]).optional(),
     multiple: h().optional(),
     default_value: Pe([o(), b(o())]).optional()
   }).optional()
@@ -7142,7 +7146,7 @@ _({
 const md = _({
   id: I().optional(),
   text: o(),
-  type: k(["info", "error", "success", "warning"])
+  type: x(["info", "error", "success", "warning"])
 }), yd = _({
   id: o().optional(),
   text: o(),
@@ -7153,7 +7157,7 @@ _({
   /** Screen identifier for CSS targeting (e.g., 'identifier', 'enter-password', 'signup') */
   name: o().optional(),
   action: o(),
-  method: k(["POST", "GET"]),
+  method: x(["POST", "GET"]),
   title: o().optional(),
   description: o().optional(),
   components: b(wr),
@@ -7162,32 +7166,36 @@ _({
   /** Footer HTML content displayed at the very bottom of the widget (e.g., terms and conditions) */
   footer: o().optional()
 });
-const Nr = k([
+const Nr = x([
   "pre-user-registration",
   "post-user-registration",
   "post-user-login",
+  "post-user-update",
   "validate-registration-username",
   "pre-user-deletion",
   "post-user-deletion"
   // Potentially other triggers specific to webhooks in the future
-]), Sr = k([
+]), Sr = x([
   "pre-user-registration",
   "post-user-registration",
   "post-user-login",
   "validate-registration-username",
   "pre-user-deletion",
   "post-user-deletion"
-]), br = k([
+]), br = x([
   "post-user-login",
+  "post-user-registration",
+  "post-user-update",
   "credentials-exchange"
-]), Er = k([
+]), Er = x([
   "post-user-login",
   "credentials-exchange",
   "pre-user-registration",
   "post-user-registration"
-]), xr = k([
+]), xr = x([
   "ensure-username",
-  "set-preferred-username"
+  "set-preferred-username",
+  "account-linking"
 ]), _t = {
   enabled: h().default(!1),
   synchronous: h().default(!1),
@@ -7281,7 +7289,7 @@ _({
   ticket_id: o().optional()
 }).extend(Id.shape);
 const Cd = _({
-  alg: k([
+  alg: x([
     "RS256",
     "RS384",
     "RS512",
@@ -7294,11 +7302,11 @@ const Cd = _({
   ]),
   e: o(),
   kid: o(),
-  kty: k(["RSA", "EC", "oct"]),
+  kty: x(["RSA", "EC", "oct"]),
   n: o(),
   x5t: o().optional(),
   x5c: b(o()).optional(),
-  use: k(["sig", "enc"]).optional()
+  use: x(["sig", "enc"]).optional()
 });
 _({
   keys: b(Cd)
@@ -7584,7 +7592,7 @@ const qd = _({
   id: o().optional(),
   user_id: o(),
   password: o(),
-  algorithm: k(["bcrypt", "argon2id"]).default("argon2id"),
+  algorithm: x(["bcrypt", "argon2id"]).default("argon2id"),
   is_current: h().default(!0)
 });
 qd.extend({
@@ -7641,7 +7649,7 @@ _({
   connection: o().optional().openapi({
     description: "The connection identifier associated with the key"
   }),
-  type: k(["jwt_signing", "saml_encryption"]).openapi({
+  type: x(["jwt_signing", "saml_encryption"]).openapi({
     description: "The type of the signing key"
   })
 });
@@ -7663,7 +7671,7 @@ const $d = _({
   ephemeral_session_lifetime: I().optional(),
   idle_ephemeral_session_lifetime: I().optional(),
   session_cookie: _({
-    mode: k(["persistent", "non-persistent"]).optional()
+    mode: x(["persistent", "non-persistent"]).optional()
   }).optional(),
   // Logout settings
   allowed_logout_urls: b(o()).optional(),
@@ -7701,10 +7709,6 @@ const $d = _({
     // access tokens and a per-tenant grant-type allowlist.
     dcr_require_initial_access_token: h().optional(),
     dcr_allowed_grant_types: b(o()).optional(),
-    // Allowlist of `integration_type` values accepted by the
-    // `/connect/start` consent-mediated IAT flow. Empty/undefined disables
-    // the flow.
-    dcr_allowed_integration_types: b(o()).optional(),
     // Per-tenant allowlist of fully-qualified http origins (scheme + host
     // + port, no path) that may be used as `return_to` / `domain` on
     // `/connect/start` despite not being loopback. Off by default.
@@ -7759,7 +7763,7 @@ const $d = _({
   }).optional(),
   // Device flow settings
   device_flow: _({
-    charset: k(["base20", "digits"]).optional(),
+    charset: x(["base20", "digits"]).optional(),
     mask: o().max(20).optional()
   }).optional(),
   // Default token quota
@@ -7799,7 +7803,7 @@ const $d = _({
   // Guardian MFA Factors configuration (internal storage, exposed via /guardian API)
   mfa: _({
     // MFA policy: "never" = MFA disabled, "always" = MFA required for all logins
-    policy: k(["never", "always"]).default("never").optional(),
+    policy: x(["never", "always"]).default("never").optional(),
     // Factor states
     factors: _({
       sms: h().default(!1),
@@ -7813,7 +7817,7 @@ const $d = _({
     }).optional(),
     // SMS provider configuration
     sms_provider: _({
-      provider: k(["twilio", "vonage", "aws_sns", "phone_message_hook"]).optional()
+      provider: x(["twilio", "vonage", "aws_sns", "phone_message_hook"]).optional()
     }).optional(),
     // Twilio-specific configuration
     twilio: _({
@@ -7850,10 +7854,10 @@ _({
 const jd = _({
   button_border_radius: I(),
   button_border_weight: I(),
-  buttons_style: k(["pill", "rounded", "sharp"]),
+  buttons_style: x(["pill", "rounded", "sharp"]),
   input_border_radius: I(),
   input_border_weight: I(),
-  inputs_style: k(["pill", "rounded", "sharp"]),
+  inputs_style: x(["pill", "rounded", "sharp"]),
   show_widget_shadow: h(),
   widget_border_weight: I(),
   widget_corner_radius: I()
@@ -7861,7 +7865,7 @@ const jd = _({
   base_focus_color: o(),
   base_hover_color: o(),
   body_text: o(),
-  captcha_widget_theme: k(["auto", "dark", "light"]),
+  captcha_widget_theme: x(["auto", "dark", "light"]),
   error: o(),
   header: o(),
   icons: o(),
@@ -7886,20 +7890,20 @@ const jd = _({
   font_url: o(),
   input_labels: vt,
   links: vt,
-  links_style: k(["normal", "underlined"]),
+  links_style: x(["normal", "underlined"]),
   reference_text_size: I(),
   subtitle: vt,
   title: vt
 }), Hd = _({
   background_color: o(),
   background_image_url: o(),
-  page_layout: k(["center", "left", "right"])
+  page_layout: x(["center", "left", "right"])
 }), Kd = _({
-  header_text_alignment: k(["center", "left", "right"]),
+  header_text_alignment: x(["center", "left", "right"]),
   logo_height: I(),
-  logo_position: k(["center", "left", "none", "right"]),
+  logo_position: x(["center", "left", "none", "right"]),
   logo_url: o(),
-  social_buttons_layout: k(["bottom", "top"])
+  social_buttons_layout: x(["bottom", "top"])
 }), Qd = _({
   borders: jd,
   colors: Vd,
@@ -7912,7 +7916,7 @@ Qd.extend({
   themeId: o()
 });
 _({
-  universal_login_experience: k(["new", "classic"]).default("new"),
+  universal_login_experience: x(["new", "classic"]).default("new"),
   identifier_first: h().default(!0),
   password_first: h().default(!1),
   webauthn_platform_first_factor: h()
@@ -7990,7 +7994,7 @@ const Jd = _({
   value: o(),
   description: o().optional()
 }), Wd = _({
-  token_dialect: k(["access_token", "access_token_authz"]).optional(),
+  token_dialect: x(["access_token", "access_token_authz"]).optional(),
   enforce_policies: h().optional(),
   allow_skipping_userinfo: h().optional(),
   skip_userinfo: h().optional(),
@@ -8167,7 +8171,7 @@ _({
   idle_session_lifetime: I().default(72),
   session_lifetime: I().default(168),
   session_cookie: _({
-    mode: k(["persistent", "non-persistent"]).optional()
+    mode: x(["persistent", "non-persistent"]).optional()
   }).optional(),
   // MFA settings
   enable_client_connections: h().optional(),
@@ -8234,7 +8238,7 @@ _({
   // Guardian MFA Factors configuration (internal storage, exposed via /guardian API)
   mfa: _({
     // MFA policy: "never" = MFA disabled, "always" = MFA required for all logins
-    policy: k(["never", "always"]).default("never").optional(),
+    policy: x(["never", "always"]).default("never").optional(),
     // Factor states
     factors: _({
       sms: h().default(!1),
@@ -8248,7 +8252,7 @@ _({
     }).optional(),
     // SMS provider configuration
     sms_provider: _({
-      provider: k(["twilio", "vonage", "aws_sns", "phone_message_hook"]).optional()
+      provider: x(["twilio", "vonage", "aws_sns", "phone_message_hook"]).optional()
     }).optional(),
     // Twilio-specific configuration
     twilio: _({
@@ -8293,7 +8297,7 @@ I().openapi({
   description: "Number of active users in the last 30 days",
   example: 1234
 });
-const fc = k([
+const fc = x([
   "login",
   "login-id",
   "login-password",
@@ -8334,7 +8338,7 @@ _({
   language: o(),
   custom_text: hc
 });
-const gc = k([
+const gc = x([
   "phone",
   "totp",
   "email",