npm - @banata-auth/shared - Versions diffs - 0.1.0 - Mend

@banata-auth/shared 0.1.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (9) hide show

package/dist/index.d.ts ADDED Viewed

@@ -0,0 +1,1204 @@
+import { z } from 'zod';
+/**
+ * ID prefixes for all Banata Auth resources.
+ * Each resource type gets a unique prefix for type-safety and debuggability.
+ * Follows the WorkOS pattern of prefixed identifiers.
+ */
+declare const ID_PREFIXES: {
+    readonly user: "usr";
+    readonly session: "ses";
+    readonly account: "acc";
+    readonly organization: "org";
+    readonly organizationMember: "mem";
+    readonly organizationInvitation: "inv";
+    readonly team: "team";
+    readonly ssoConnection: "conn";
+    readonly ssoProfile: "prof";
+    readonly directory: "dir";
+    readonly directoryUser: "diru";
+    readonly directoryGroup: "dirg";
+    readonly auditEvent: "evt";
+    readonly event: "event";
+    readonly webhookEndpoint: "wh";
+    readonly webhookDelivery: "whd";
+    readonly apiKey: "ak";
+    readonly role: "role";
+    readonly vaultSecret: "vsec";
+    readonly domainVerification: "dv";
+    readonly fgaTuple: "fga";
+    readonly radarEvent: "radar";
+    readonly project: "proj";
+    readonly environment: "env";
+    readonly emailTemplate: "etpl";
+};
+type ResourceType = keyof typeof ID_PREFIXES;
+type IdPrefix = (typeof ID_PREFIXES)[ResourceType];
+/**
+ * Default rate limits per endpoint category (requests per minute).
+ */
+declare const RATE_LIMITS: {
+    readonly general: 600;
+    readonly signIn: 30;
+    readonly signUp: 10;
+    readonly passwordReset: 10;
+    readonly emailOperations: 10;
+    readonly scim: 100;
+    readonly admin: 120;
+    readonly webhookDelivery: 0;
+};
+/**
+ * Default token/session lifetimes in seconds.
+ */
+declare const TOKEN_LIFETIMES: {
+    /** JWT access token: 15 minutes */
+    readonly accessToken: number;
+    /** Session record: 7 days */
+    readonly session: number;
+    /** Session absolute max: 30 days */
+    readonly sessionAbsoluteMax: number;
+    /** Password reset token: 1 hour */
+    readonly passwordReset: number;
+    /** Email verification token: 24 hours */
+    readonly emailVerification: number;
+    /** Magic link: 10 minutes */
+    readonly magicLink: number;
+    /** Email OTP: 10 minutes */
+    readonly emailOtp: number;
+    /** Admin portal link (short-lived): 5 minutes */
+    readonly adminPortalShort: number;
+    /** Admin portal link (long-lived): 30 days */
+    readonly adminPortalLong: number;
+    /** Organization invitation: 7 days */
+    readonly invitation: number;
+    /** JWKS key rotation: 90 days */
+    readonly jwksRotation: number;
+};
+/**
+ * Size limits.
+ */
+declare const SIZE_LIMITS: {
+    /** Max custom metadata size in bytes */
+    readonly metadataMaxBytes: number;
+    /** Max SAML response size in bytes */
+    readonly samlMaxBytes: number;
+    /** Max SAML XML depth */
+    readonly samlMaxDepth: 50;
+    /** Max webhook payload size in bytes */
+    readonly webhookMaxBytes: number;
+    /** Max webhook response body stored (bytes) */
+    readonly webhookResponseMaxBytes: number;
+    /** Max SCIM request body size in bytes */
+    readonly scimMaxBytes: number;
+    /** Max password length */
+    readonly passwordMaxLength: 128;
+    /** Min password length */
+    readonly passwordMinLength: 8;
+    /** Max FGA hierarchy depth */
+    readonly fgaMaxDepth: 10;
+};
+/**
+ * Webhook retry delays in milliseconds.
+ */
+declare const WEBHOOK_RETRY_DELAYS: readonly [0, number, number, number, number];
+/**
+ * Max consecutive webhook failures before auto-disabling endpoint.
+ */
+declare const WEBHOOK_MAX_CONSECUTIVE_FAILURES = 3;
+/**
+ * Max number of webhook retry attempts.
+ */
+declare const WEBHOOK_MAX_ATTEMPTS = 5;
+/**
+ * Generate a ULID (Universally Unique Lexicographically Sortable Identifier).
+ */
+declare function ulid(): string;
+/**
+ * Generate a prefixed ID for a given resource type.
+ *
+ * @example
+ * ```ts
+ * generateId("user");       // "usr_01H9GBQN5WP3FVJKZ0JGMH3RXE"
+ * generateId("organization"); // "org_01H9GBQN5WP3FVJKZ0JGMH3RXE"
+ * generateId("ssoConnection"); // "conn_01H9GBQN5WP3FVJKZ0JGMH3RXE"
+ * ```
+ */
+declare function generateId(resourceType: ResourceType): string;
+/**
+ * Extract the resource type from a prefixed ID.
+ *
+ * @returns The resource type, or null if the prefix is unrecognized.
+ *
+ * @example
+ * ```ts
+ * getResourceType("usr_01H9GBQN5WP3FVJKZ0JGMH3RXE"); // "user"
+ * getResourceType("org_01H9GBQN5WP3FVJKZ0JGMH3RXE"); // "organization"
+ * getResourceType("invalid"); // null
+ * ```
+ */
+declare function getResourceType(id: string): ResourceType | null;
+/**
+ * Validate that an ID has the expected prefix for a resource type.
+ *
+ * @example
+ * ```ts
+ * validateId("usr_01H9...", "user");   // true
+ * validateId("org_01H9...", "user");   // false
+ * ```
+ */
+declare function validateId(id: string, expectedType: ResourceType): boolean;
+/**
+ * Generate a cryptographically random string of the specified byte length,
+ * encoded as URL-safe base64.
+ */
+declare function generateRandomToken(byteLength?: number): string;
+/**
+ * Generate a random 6-digit numeric OTP.
+ */
+declare function generateOtp(length?: number): string;
+/**
+ * Base error class for all Banata Auth errors.
+ * Matches WorkOS SDK error patterns with status, code, and requestId.
+ */
+declare class BanataAuthError extends Error {
+    readonly status: number;
+    readonly code: string;
+    readonly requestId: string;
+    readonly retryable: boolean;
+    constructor(options: {
+        message: string;
+        status: number;
+        code: string;
+        requestId?: string;
+        retryable?: boolean;
+    });
+    toJSON(): {
+        name: string;
+        message: string;
+        status: number;
+        code: string;
+        requestId: string;
+    };
+}
+/**
+ * 401 - Missing or invalid API key / session.
+ */
+declare class AuthenticationError extends BanataAuthError {
+    constructor(options?: {
+        message?: string;
+        requestId?: string;
+    });
+}
+/**
+ * 403 - Valid credentials but insufficient permissions.
+ */
+declare class ForbiddenError extends BanataAuthError {
+    constructor(options?: {
+        message?: string;
+        requestId?: string;
+    });
+}
+/**
+ * 404 - Resource not found.
+ */
+declare class NotFoundError extends BanataAuthError {
+    constructor(options?: {
+        message?: string;
+        resource?: string;
+        requestId?: string;
+    });
+}
+/**
+ * 409 - Conflict (duplicate resource, etc.)
+ */
+declare class ConflictError extends BanataAuthError {
+    constructor(options?: {
+        message?: string;
+        requestId?: string;
+    });
+}
+/**
+ * Individual field validation error.
+ */
+interface FieldError {
+    field: string;
+    message: string;
+    code: string;
+}
+/**
+ * 422 - Validation error with field-level details.
+ */
+declare class ValidationError extends BanataAuthError {
+    readonly errors: FieldError[];
+    constructor(options: {
+        message?: string;
+        errors: FieldError[];
+        requestId?: string;
+    });
+    toJSON(): {
+        errors: FieldError[];
+        name: string;
+        message: string;
+        status: number;
+        code: string;
+        requestId: string;
+    };
+}
+/**
+ * 429 - Rate limited.
+ */
+declare class RateLimitError extends BanataAuthError {
+    readonly retryAfter: number;
+    constructor(options: {
+        retryAfter: number;
+        requestId?: string;
+    });
+}
+/**
+ * 500 - Internal server error.
+ */
+declare class InternalError extends BanataAuthError {
+    constructor(options?: {
+        message?: string;
+        requestId?: string;
+    });
+}
+/**
+ * Maps an HTTP status code to the appropriate error class.
+ */
+declare function createErrorFromStatus(status: number, body: {
+    message?: string;
+    code?: string;
+    errors?: FieldError[];
+}, requestId?: string): BanataAuthError;
+declare const emailSchema: z.ZodString;
+declare const passwordSchema: z.ZodString;
+declare const nameSchema: z.ZodString;
+declare const slugSchema: z.ZodString;
+declare const urlSchema: z.ZodString;
+declare const httpsUrlSchema: z.ZodEffects<z.ZodString, string, string>;
+declare const metadataSchema: z.ZodOptional<z.ZodEffects<z.ZodRecord<z.ZodString, z.ZodUnknown>, Record<string, unknown>, Record<string, unknown>>>;
+declare const domainSchema: z.ZodString;
+declare const paginationSchema: z.ZodObject<{
+    limit: z.ZodDefault<z.ZodNumber>;
+    before: z.ZodOptional<z.ZodString>;
+    after: z.ZodOptional<z.ZodString>;
+    order: z.ZodDefault<z.ZodEnum<["asc", "desc"]>>;
+}, "strip", z.ZodTypeAny, {
+    limit: number;
+    order: "asc" | "desc";
+    before?: string | undefined;
+    after?: string | undefined;
+}, {
+    limit?: number | undefined;
+    before?: string | undefined;
+    after?: string | undefined;
+    order?: "asc" | "desc" | undefined;
+}>;
+type PaginationOptions = z.infer<typeof paginationSchema>;
+declare const createUserSchema: z.ZodObject<{
+    email: z.ZodString;
+    password: z.ZodOptional<z.ZodString>;
+    name: z.ZodString;
+    image: z.ZodOptional<z.ZodString>;
+    username: z.ZodOptional<z.ZodString>;
+    phoneNumber: z.ZodOptional<z.ZodString>;
+    emailVerified: z.ZodDefault<z.ZodBoolean>;
+    role: z.ZodDefault<z.ZodEnum<["user", "admin"]>>;
+    metadata: z.ZodOptional<z.ZodEffects<z.ZodRecord<z.ZodString, z.ZodUnknown>, Record<string, unknown>, Record<string, unknown>>>;
+}, "strip", z.ZodTypeAny, {
+    role: "user" | "admin";
+    email: string;
+    name: string;
+    emailVerified: boolean;
+    password?: string | undefined;
+    image?: string | undefined;
+    username?: string | undefined;
+    phoneNumber?: string | undefined;
+    metadata?: Record<string, unknown> | undefined;
+}, {
+    email: string;
+    name: string;
+    role?: "user" | "admin" | undefined;
+    password?: string | undefined;
+    image?: string | undefined;
+    username?: string | undefined;
+    phoneNumber?: string | undefined;
+    emailVerified?: boolean | undefined;
+    metadata?: Record<string, unknown> | undefined;
+}>;
+type CreateUserInput = z.infer<typeof createUserSchema>;
+declare const updateUserSchema: z.ZodObject<{
+    name: z.ZodOptional<z.ZodString>;
+    image: z.ZodNullable<z.ZodOptional<z.ZodString>>;
+    username: z.ZodOptional<z.ZodString>;
+    phoneNumber: z.ZodNullable<z.ZodOptional<z.ZodString>>;
+    metadata: z.ZodOptional<z.ZodEffects<z.ZodRecord<z.ZodString, z.ZodUnknown>, Record<string, unknown>, Record<string, unknown>>>;
+}, "strip", z.ZodTypeAny, {
+    name?: string | undefined;
+    image?: string | null | undefined;
+    username?: string | undefined;
+    phoneNumber?: string | null | undefined;
+    metadata?: Record<string, unknown> | undefined;
+}, {
+    name?: string | undefined;
+    image?: string | null | undefined;
+    username?: string | undefined;
+    phoneNumber?: string | null | undefined;
+    metadata?: Record<string, unknown> | undefined;
+}>;
+type UpdateUserInput = z.infer<typeof updateUserSchema>;
+declare const createOrganizationSchema: z.ZodObject<{
+    name: z.ZodString;
+    slug: z.ZodOptional<z.ZodString>;
+    logo: z.ZodOptional<z.ZodString>;
+    metadata: z.ZodOptional<z.ZodEffects<z.ZodRecord<z.ZodString, z.ZodUnknown>, Record<string, unknown>, Record<string, unknown>>>;
+    requireMfa: z.ZodDefault<z.ZodBoolean>;
+    allowedEmailDomains: z.ZodOptional<z.ZodArray<z.ZodString, "many">>;
+    maxMembers: z.ZodOptional<z.ZodNumber>;
+}, "strip", z.ZodTypeAny, {
+    name: string;
+    requireMfa: boolean;
+    metadata?: Record<string, unknown> | undefined;
+    slug?: string | undefined;
+    logo?: string | undefined;
+    allowedEmailDomains?: string[] | undefined;
+    maxMembers?: number | undefined;
+}, {
+    name: string;
+    metadata?: Record<string, unknown> | undefined;
+    slug?: string | undefined;
+    logo?: string | undefined;
+    requireMfa?: boolean | undefined;
+    allowedEmailDomains?: string[] | undefined;
+    maxMembers?: number | undefined;
+}>;
+type CreateOrganizationInput = z.infer<typeof createOrganizationSchema>;
+declare const updateOrganizationSchema: z.ZodObject<{
+    name: z.ZodOptional<z.ZodString>;
+    slug: z.ZodOptional<z.ZodString>;
+    logo: z.ZodNullable<z.ZodOptional<z.ZodString>>;
+    metadata: z.ZodOptional<z.ZodEffects<z.ZodRecord<z.ZodString, z.ZodUnknown>, Record<string, unknown>, Record<string, unknown>>>;
+    requireMfa: z.ZodOptional<z.ZodBoolean>;
+    ssoEnforced: z.ZodOptional<z.ZodBoolean>;
+    allowedEmailDomains: z.ZodNullable<z.ZodOptional<z.ZodArray<z.ZodString, "many">>>;
+    maxMembers: z.ZodNullable<z.ZodOptional<z.ZodNumber>>;
+}, "strip", z.ZodTypeAny, {
+    name?: string | undefined;
+    metadata?: Record<string, unknown> | undefined;
+    slug?: string | undefined;
+    logo?: string | null | undefined;
+    requireMfa?: boolean | undefined;
+    allowedEmailDomains?: string[] | null | undefined;
+    maxMembers?: number | null | undefined;
+    ssoEnforced?: boolean | undefined;
+}, {
+    name?: string | undefined;
+    metadata?: Record<string, unknown> | undefined;
+    slug?: string | undefined;
+    logo?: string | null | undefined;
+    requireMfa?: boolean | undefined;
+    allowedEmailDomains?: string[] | null | undefined;
+    maxMembers?: number | null | undefined;
+    ssoEnforced?: boolean | undefined;
+}>;
+type UpdateOrganizationInput = z.infer<typeof updateOrganizationSchema>;
+declare const inviteMemberSchema: z.ZodObject<{
+    email: z.ZodString;
+    role: z.ZodString;
+}, "strip", z.ZodTypeAny, {
+    role: string;
+    email: string;
+}, {
+    role: string;
+    email: string;
+}>;
+type InviteMemberInput = z.infer<typeof inviteMemberSchema>;
+declare const createSsoConnectionSchema: z.ZodObject<{
+    organizationId: z.ZodString;
+    type: z.ZodEnum<["saml", "oidc"]>;
+    name: z.ZodString;
+    domains: z.ZodArray<z.ZodString, "many">;
+    samlConfig: z.ZodOptional<z.ZodObject<{
+        idpEntityId: z.ZodString;
+        idpSsoUrl: z.ZodString;
+        idpCertificate: z.ZodString;
+        nameIdFormat: z.ZodOptional<z.ZodString>;
+        signRequest: z.ZodDefault<z.ZodBoolean>;
+        allowIdpInitiated: z.ZodDefault<z.ZodBoolean>;
+        attributeMapping: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
+    }, "strip", z.ZodTypeAny, {
+        idpEntityId: string;
+        idpSsoUrl: string;
+        idpCertificate: string;
+        signRequest: boolean;
+        allowIdpInitiated: boolean;
+        nameIdFormat?: string | undefined;
+        attributeMapping?: Record<string, string> | undefined;
+    }, {
+        idpEntityId: string;
+        idpSsoUrl: string;
+        idpCertificate: string;
+        nameIdFormat?: string | undefined;
+        signRequest?: boolean | undefined;
+        allowIdpInitiated?: boolean | undefined;
+        attributeMapping?: Record<string, string> | undefined;
+    }>>;
+    oidcConfig: z.ZodOptional<z.ZodObject<{
+        issuer: z.ZodString;
+        clientId: z.ZodString;
+        clientSecret: z.ZodString;
+        scopes: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+    }, "strip", z.ZodTypeAny, {
+        issuer: string;
+        clientId: string;
+        clientSecret: string;
+        scopes: string[];
+    }, {
+        issuer: string;
+        clientId: string;
+        clientSecret: string;
+        scopes?: string[] | undefined;
+    }>>;
+}, "strip", z.ZodTypeAny, {
+    type: "saml" | "oidc";
+    name: string;
+    organizationId: string;
+    domains: string[];
+    samlConfig?: {
+        idpEntityId: string;
+        idpSsoUrl: string;
+        idpCertificate: string;
+        signRequest: boolean;
+        allowIdpInitiated: boolean;
+        nameIdFormat?: string | undefined;
+        attributeMapping?: Record<string, string> | undefined;
+    } | undefined;
+    oidcConfig?: {
+        issuer: string;
+        clientId: string;
+        clientSecret: string;
+        scopes: string[];
+    } | undefined;
+}, {
+    type: "saml" | "oidc";
+    name: string;
+    organizationId: string;
+    domains: string[];
+    samlConfig?: {
+        idpEntityId: string;
+        idpSsoUrl: string;
+        idpCertificate: string;
+        nameIdFormat?: string | undefined;
+        signRequest?: boolean | undefined;
+        allowIdpInitiated?: boolean | undefined;
+        attributeMapping?: Record<string, string> | undefined;
+    } | undefined;
+    oidcConfig?: {
+        issuer: string;
+        clientId: string;
+        clientSecret: string;
+        scopes?: string[] | undefined;
+    } | undefined;
+}>;
+type CreateSsoConnectionInput = z.infer<typeof createSsoConnectionSchema>;
+declare const createWebhookEndpointSchema: z.ZodObject<{
+    url: z.ZodEffects<z.ZodString, string, string>;
+    eventTypes: z.ZodDefault<z.ZodArray<z.ZodString, "many">>;
+    enabled: z.ZodDefault<z.ZodBoolean>;
+}, "strip", z.ZodTypeAny, {
+    url: string;
+    eventTypes: string[];
+    enabled: boolean;
+}, {
+    url: string;
+    eventTypes?: string[] | undefined;
+    enabled?: boolean | undefined;
+}>;
+type CreateWebhookEndpointInput = z.infer<typeof createWebhookEndpointSchema>;
+declare const createAuditEventSchema: z.ZodObject<{
+    action: z.ZodString;
+    actor: z.ZodObject<{
+        type: z.ZodEnum<["user", "admin", "system", "api_key", "scim"]>;
+        id: z.ZodString;
+        name: z.ZodOptional<z.ZodString>;
+        email: z.ZodOptional<z.ZodString>;
+        metadata: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
+    }, "strip", z.ZodTypeAny, {
+        type: "user" | "admin" | "system" | "api_key" | "scim";
+        id: string;
+        email?: string | undefined;
+        name?: string | undefined;
+        metadata?: Record<string, string> | undefined;
+    }, {
+        type: "user" | "admin" | "system" | "api_key" | "scim";
+        id: string;
+        email?: string | undefined;
+        name?: string | undefined;
+        metadata?: Record<string, string> | undefined;
+    }>;
+    targets: z.ZodDefault<z.ZodArray<z.ZodObject<{
+        type: z.ZodString;
+        id: z.ZodString;
+        name: z.ZodOptional<z.ZodString>;
+        metadata: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
+    }, "strip", z.ZodTypeAny, {
+        type: string;
+        id: string;
+        name?: string | undefined;
+        metadata?: Record<string, string> | undefined;
+    }, {
+        type: string;
+        id: string;
+        name?: string | undefined;
+        metadata?: Record<string, string> | undefined;
+    }>, "many">>;
+    context: z.ZodDefault<z.ZodObject<{
+        organizationId: z.ZodOptional<z.ZodString>;
+        ipAddress: z.ZodOptional<z.ZodString>;
+        userAgent: z.ZodOptional<z.ZodString>;
+        requestId: z.ZodOptional<z.ZodString>;
+    }, "strip", z.ZodTypeAny, {
+        requestId?: string | undefined;
+        organizationId?: string | undefined;
+        ipAddress?: string | undefined;
+        userAgent?: string | undefined;
+    }, {
+        requestId?: string | undefined;
+        organizationId?: string | undefined;
+        ipAddress?: string | undefined;
+        userAgent?: string | undefined;
+    }>>;
+    changes: z.ZodOptional<z.ZodObject<{
+        before: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+        after: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodUnknown>>;
+    }, "strip", z.ZodTypeAny, {
+        before?: Record<string, unknown> | undefined;
+        after?: Record<string, unknown> | undefined;
+    }, {
+        before?: Record<string, unknown> | undefined;
+        after?: Record<string, unknown> | undefined;
+    }>>;
+    idempotencyKey: z.ZodOptional<z.ZodString>;
+    metadata: z.ZodOptional<z.ZodRecord<z.ZodString, z.ZodString>>;
+    occurredAt: z.ZodOptional<z.ZodNumber>;
+}, "strip", z.ZodTypeAny, {
+    action: string;
+    actor: {
+        type: "user" | "admin" | "system" | "api_key" | "scim";
+        id: string;
+        email?: string | undefined;
+        name?: string | undefined;
+        metadata?: Record<string, string> | undefined;
+    };
+    targets: {
+        type: string;
+        id: string;
+        name?: string | undefined;
+        metadata?: Record<string, string> | undefined;
+    }[];
+    context: {
+        requestId?: string | undefined;
+        organizationId?: string | undefined;
+        ipAddress?: string | undefined;
+        userAgent?: string | undefined;
+    };
+    metadata?: Record<string, string> | undefined;
+    changes?: {
+        before?: Record<string, unknown> | undefined;
+        after?: Record<string, unknown> | undefined;
+    } | undefined;
+    idempotencyKey?: string | undefined;
+    occurredAt?: number | undefined;
+}, {
+    action: string;
+    actor: {
+        type: "user" | "admin" | "system" | "api_key" | "scim";
+        id: string;
+        email?: string | undefined;
+        name?: string | undefined;
+        metadata?: Record<string, string> | undefined;
+    };
+    metadata?: Record<string, string> | undefined;
+    targets?: {
+        type: string;
+        id: string;
+        name?: string | undefined;
+        metadata?: Record<string, string> | undefined;
+    }[] | undefined;
+    context?: {
+        requestId?: string | undefined;
+        organizationId?: string | undefined;
+        ipAddress?: string | undefined;
+        userAgent?: string | undefined;
+    } | undefined;
+    changes?: {
+        before?: Record<string, unknown> | undefined;
+        after?: Record<string, unknown> | undefined;
+    } | undefined;
+    idempotencyKey?: string | undefined;
+    occurredAt?: number | undefined;
+}>;
+type CreateAuditEventInput = z.infer<typeof createAuditEventSchema>;
+/**
+ * Core type definitions for Banata Auth.
+ * These are the SDK-facing types (camelCase).
+ * Wire types (snake_case) are separate and serializers convert between them.
+ */
+interface ListMetadata {
+    before: string | null;
+    after: string | null;
+}
+interface PaginatedResult<T> {
+    data: T[];
+    listMetadata: ListMetadata;
+}
+interface User {
+    id: string;
+    email: string;
+    emailVerified: boolean;
+    name: string;
+    image: string | null;
+    username: string | null;
+    phoneNumber: string | null;
+    phoneNumberVerified: boolean;
+    role: "user" | "admin";
+    banned: boolean;
+    banReason: string | null;
+    banExpires: Date | null;
+    twoFactorEnabled: boolean;
+    metadata: Record<string, unknown> | null;
+    createdAt: Date;
+    updatedAt: Date;
+}
+interface Session {
+    id: string;
+    userId: string;
+    token: string;
+    expiresAt: Date;
+    ipAddress: string | null;
+    userAgent: string | null;
+    activeOrganizationId: string | null;
+    impersonatedBy: string | null;
+    createdAt: Date;
+    updatedAt: Date;
+}
+interface Account {
+    id: string;
+    userId: string;
+    accountId: string;
+    providerId: string;
+    createdAt: Date;
+    updatedAt: Date;
+}
+interface Organization {
+    id: string;
+    name: string;
+    slug: string;
+    logo: string | null;
+    metadata: Record<string, unknown> | null;
+    requireMfa: boolean;
+    ssoEnforced: boolean;
+    allowedEmailDomains: string[] | null;
+    maxMembers: number | null;
+    createdAt: Date;
+    updatedAt: Date;
+}
+interface OrganizationMember {
+    id: string;
+    organizationId: string;
+    userId: string;
+    role: string;
+    source: "manual" | "invitation" | "sso" | "scim" | "api";
+    teamIds: string[];
+    createdAt: Date;
+    updatedAt: Date;
+}
+interface OrganizationInvitation {
+    id: string;
+    organizationId: string;
+    email: string;
+    role: string;
+    inviterId: string;
+    status: "pending" | "accepted" | "expired" | "revoked";
+    expiresAt: Date;
+    createdAt: Date;
+}
+interface Team {
+    id: string;
+    organizationId: string;
+    name: string;
+    description: string | null;
+    metadata: Record<string, unknown> | null;
+    createdAt: Date;
+    updatedAt: Date;
+}
+type SsoConnectionType = "saml" | "oidc";
+type SsoConnectionState = "draft" | "active" | "inactive" | "validating";
+interface SsoConnection {
+    id: string;
+    organizationId: string;
+    type: SsoConnectionType;
+    state: SsoConnectionState;
+    name: string;
+    domains: string[];
+    samlConfig: SamlConfig | null;
+    oidcConfig: OidcConfig | null;
+    domainVerified?: boolean;
+    spMetadataUrl?: string | null;
+    projectId?: string | null;
+    createdAt: Date;
+    updatedAt: Date;
+}
+interface SamlConfig {
+    idpEntityId: string;
+    idpSsoUrl: string;
+    idpSloUrl: string | null;
+    idpCertificate: string;
+    idpCertificateExpiresAt: Date | null;
+    spEntityId: string;
+    spAcsUrl: string;
+    spMetadataUrl: string;
+    nameIdFormat: string;
+    signatureAlgorithm: "RSA-SHA256" | "RSA-SHA384" | "RSA-SHA512";
+    digestAlgorithm: "SHA256" | "SHA384" | "SHA512";
+    signRequest: boolean;
+    allowIdpInitiated: boolean;
+    attributeMapping: Record<string, string>;
+}
+interface OidcConfig {
+    issuer: string;
+    clientId: string;
+    discoveryUrl: string;
+    authorizationUrl: string;
+    tokenUrl: string;
+    userinfoUrl: string;
+    jwksUrl: string;
+    scopes: string[];
+    responseType: "code";
+    tokenEndpointAuthMethod: "client_secret_post" | "client_secret_basic";
+    claimMapping: Record<string, string>;
+}
+interface SsoProfile {
+    id: string;
+    connectionId: string;
+    connectionType: SsoConnectionType;
+    organizationId: string;
+    userId: string;
+    idpId: string;
+    email: string;
+    firstName: string | null;
+    lastName: string | null;
+    displayName: string | null;
+    groups: string[];
+    rawAttributes: Record<string, string>;
+    lastLoginAt: Date;
+    createdAt: Date;
+}
+type DirectoryProvider = "okta" | "azure_scim_v2" | "google_workspace" | "onelogin" | "jumpcloud" | "pingfederate" | "generic_scim_v2";
+type DirectoryState = "linked" | "unlinked" | "invalid_credentials";
+interface Directory {
+    id: string;
+    organizationId: string;
+    type: "scim";
+    state: DirectoryState;
+    name: string;
+    provider: DirectoryProvider;
+    userCount: number;
+    groupCount: number;
+    lastSyncAt: Date | null;
+    lastSyncStatus: "success" | "partial" | "failed" | null;
+    scimConfig?: {
+        baseUrl: string;
+        bearerToken: string;
+    };
+    projectId?: string | null;
+    createdAt: Date;
+    updatedAt: Date;
+}
+interface DirectoryUser {
+    id: string;
+    directoryId: string;
+    organizationId: string;
+    userId: string | null;
+    externalId: string;
+    userName: string;
+    emails: Array<{
+        value: string;
+        type: string;
+        primary: boolean;
+    }>;
+    name: {
+        givenName: string;
+        familyName: string;
+        formatted?: string;
+    };
+    displayName: string;
+    active: boolean;
+    title: string | null;
+    department: string | null;
+    groups: Array<{
+        id: string;
+        name: string;
+    }>;
+    state: "active" | "suspended" | "deprovisioned";
+    createdAt: Date;
+    updatedAt: Date;
+}
+interface DirectoryGroup {
+    id: string;
+    directoryId: string;
+    organizationId: string;
+    externalId: string;
+    name: string;
+    displayName: string;
+    memberCount: number;
+    createdAt: Date;
+    updatedAt: Date;
+}
+interface AuditEvent {
+    id: string;
+    action: string;
+    version: number;
+    actor: {
+        type: "user" | "admin" | "system" | "api_key" | "scim";
+        id: string;
+        name?: string;
+        email?: string;
+        metadata?: Record<string, string>;
+    };
+    targets: Array<{
+        type: string;
+        id: string;
+        name?: string;
+        metadata?: Record<string, string>;
+    }>;
+    context: {
+        organizationId?: string;
+        ipAddress?: string;
+        userAgent?: string;
+        location?: {
+            city?: string;
+            country?: string;
+            countryCode?: string;
+        };
+        requestId?: string;
+    };
+    changes?: {
+        before?: Record<string, unknown>;
+        after?: Record<string, unknown>;
+    };
+    idempotencyKey?: string;
+    metadata?: Record<string, string>;
+    occurredAt: Date;
+    createdAt: Date;
+}
+interface WebhookEndpoint {
+    id: string;
+    url: string;
+    eventTypes: string[];
+    enabled: boolean;
+    successCount: number;
+    failureCount: number;
+    lastDeliveryAt: Date | null;
+    lastDeliveryStatus: "success" | "failure" | null;
+    createdAt: Date;
+    updatedAt: Date;
+}
+interface WebhookEvent {
+    id: string;
+    type: string;
+    data: Record<string, unknown>;
+    createdAt: Date;
+}
+interface VaultSecret {
+    id: string;
+    name: string;
+    context: string | null;
+    organizationId: string | null;
+    metadata: Record<string, string> | null;
+    createdAt: Date;
+    updatedAt: Date;
+}
+type PortalIntent = "sso" | "dsync" | "domain_verification" | "audit_logs" | "log_streams" | "users";
+interface PortalSession {
+    link: string;
+    sessionId: string;
+    intent: PortalIntent;
+    organizationId: string;
+    expiresAt: string;
+}
+type DomainVerificationState = "pending" | "verified" | "failed" | "expired";
+interface DomainVerification {
+    id: string;
+    organizationId: string;
+    domain: string;
+    state: DomainVerificationState;
+    method: "dns_txt";
+    txtRecord: {
+        name: string;
+        value: string;
+    };
+    verifiedAt: Date | null;
+    expiresAt: Date | null;
+    lastCheckedAt: Date | null;
+    checkCount: number;
+    createdAt: Date;
+    updatedAt: Date;
+}
+interface ApiKey {
+    id: string;
+    name: string;
+    prefix: string;
+    organizationId: string | null;
+    permissions: string[];
+    expiresAt: Date | null;
+    lastUsedAt: Date | null;
+    createdAt: Date;
+}
+/**
+ * A project represents a fully isolated auth tenant.
+ * Each product/app powered by Banata Auth is a separate project
+ * with its own users, sessions, organizations, branding, etc.
+ */
+interface Project {
+    id: string;
+    name: string;
+    slug: string;
+    description: string | null;
+    logoUrl: string | null;
+    ownerId: string;
+    createdAt: Date;
+    updatedAt: Date;
+}
+interface RuntimeAuthMethods {
+    sso: boolean;
+    emailPassword: boolean;
+    passkey: boolean;
+    magicLink: boolean;
+    emailOtp: boolean;
+    twoFactor: boolean;
+    organization: boolean;
+    anonymous: boolean;
+    username: boolean;
+}
+interface RuntimeSocialProviderStatus {
+    enabled: boolean;
+    demo: boolean;
+}
+interface RuntimeAuthFeatures {
+    hostedUi: boolean;
+    signUp: boolean;
+    mfa: boolean;
+    localization: boolean;
+}
+interface RuntimeAuthSessions {
+    maxSessionLength: string;
+    accessTokenDuration: string;
+    inactivityTimeout: string;
+    corsOrigins: string[];
+}
+interface RuntimeAuthConfig {
+    authMethods: RuntimeAuthMethods;
+    socialProviders: Record<string, RuntimeSocialProviderStatus>;
+    features: RuntimeAuthFeatures;
+    sessions: RuntimeAuthSessions;
+}
+declare function listEnabledSocialProviderIds(config: Pick<RuntimeAuthConfig, "socialProviders"> | null | undefined): string[];
+/**
+ * Email template block types for the block-based email editor.
+ *
+ * Each email template is stored as an ordered array of typed blocks.
+ * These blocks map 1:1 to React Email components and are rendered
+ * at design time in the dashboard (live preview) and at send time
+ * via `@react-email/render` to produce final HTML.
+ *
+ * The block schema is the single source of truth shared across:
+ * - Dashboard editor (visual editing)
+ * - SDK (programmatic template CRUD)
+ * - Convex backend (storage + send-time rendering)
+ */
+/** Common inline style properties for email blocks. */
+interface EmailBlockStyle {
+    color?: string;
+    backgroundColor?: string;
+    fontSize?: number;
+    fontWeight?: "normal" | "bold" | "600" | "700";
+    fontStyle?: "normal" | "italic";
+    textAlign?: "left" | "center" | "right";
+    lineHeight?: number | string;
+    padding?: string;
+    margin?: string;
+    borderRadius?: number;
+    width?: string;
+    maxWidth?: string;
+}
+/** Base properties shared by all blocks. */
+interface BaseBlock {
+    /** Unique block ID (UUID). */
+    id: string;
+    /** Display label for the editor sidebar (optional override). */
+    label?: string;
+}
+/** Heading block — maps to React Email `<Heading>`. */
+interface HeadingBlock extends BaseBlock {
+    type: "heading";
+    /** Heading level: h1–h6. */
+    as: "h1" | "h2" | "h3" | "h4" | "h5" | "h6";
+    /** The heading text. Supports {{variable}} interpolation. */
+    text: string;
+    style?: EmailBlockStyle;
+}
+/** Text/paragraph block — maps to React Email `<Text>`. */
+interface TextBlock extends BaseBlock {
+    type: "text";
+    /** The paragraph text. Supports {{variable}} interpolation and basic HTML. */
+    text: string;
+    style?: EmailBlockStyle;
+}
+/** Button (CTA) block — maps to React Email `<Button>`. */
+interface ButtonBlock extends BaseBlock {
+    type: "button";
+    /** Button label text. */
+    text: string;
+    /** URL the button links to. Supports {{variable}} interpolation. */
+    href: string;
+    /** Variant style. */
+    variant?: "primary" | "secondary" | "outline";
+    style?: EmailBlockStyle;
+}
+/** Image block — maps to React Email `<Img>`. */
+interface ImageBlock extends BaseBlock {
+    type: "image";
+    /** Image source URL. */
+    src: string;
+    /** Alt text for accessibility. */
+    alt: string;
+    /** Width in pixels. */
+    width?: number;
+    /** Height in pixels. */
+    height?: number;
+    style?: EmailBlockStyle;
+}
+/** Divider/horizontal rule — maps to React Email `<Hr>`. */
+interface DividerBlock extends BaseBlock {
+    type: "divider";
+    style?: EmailBlockStyle;
+}
+/** Spacer block — empty space with configurable height. */
+interface SpacerBlock extends BaseBlock {
+    type: "spacer";
+    /** Height in pixels. */
+    height: number;
+}
+/** Link block — maps to React Email `<Link>`. */
+interface LinkBlock extends BaseBlock {
+    type: "link";
+    /** Link text. */
+    text: string;
+    /** URL. Supports {{variable}} interpolation. */
+    href: string;
+    style?: EmailBlockStyle;
+}
+/** Code block — styled monospace text for OTPs, tokens, etc. */
+interface CodeBlock extends BaseBlock {
+    type: "code";
+    /** The code/OTP text. Supports {{variable}} interpolation. */
+    text: string;
+    style?: EmailBlockStyle;
+}
+/** Column definition inside a columns block. */
+interface ColumnDef {
+    /** Width as CSS value (e.g. "50%", "200px"). */
+    width?: string;
+    /** Blocks nested inside this column. */
+    blocks: EmailBlock[];
+}
+/** Columns (multi-column layout) — maps to React Email `<Row>` + `<Column>`. */
+interface ColumnsBlock extends BaseBlock {
+    type: "columns";
+    /** Column definitions (2–4 columns). */
+    columns: ColumnDef[];
+}
+/** Any email block. Discriminated union on `type`. */
+type EmailBlock = HeadingBlock | TextBlock | ButtonBlock | ImageBlock | DividerBlock | SpacerBlock | LinkBlock | CodeBlock | ColumnsBlock;
+/** All possible block type strings. */
+type EmailBlockType = EmailBlock["type"];
+/** Category for organizing templates. */
+type EmailTemplateCategory = "auth" | "marketing" | "transactional" | "onboarding" | "notification" | "custom";
+/**
+ * A complete email template definition.
+ * Stored as JSON in the database and editable through the dashboard.
+ */
+interface EmailTemplateDefinition {
+    /** Unique template ID (generated). */
+    id: string;
+    /** Human-readable template name (e.g. "Welcome Email", "Marketing Blast"). */
+    name: string;
+    /** URL-safe slug for SDK usage (e.g. "welcome-email", "marketing-blast"). */
+    slug: string;
+    /** Email subject line. Supports {{variable}} interpolation. */
+    subject: string;
+    /** Preview text shown in inbox (optional). */
+    previewText?: string;
+    /** Template category for organization. */
+    category: EmailTemplateCategory;
+    /** Description of what this template is for. */
+    description?: string;
+    /** The ordered array of content blocks. */
+    blocks: EmailBlock[];
+    /** Variables this template expects (for documentation / SDK hints). */
+    variables?: EmailTemplateVariable[];
+    /** Whether this is a built-in auth template (not deletable). */
+    builtIn?: boolean;
+    /** The built-in email type this template overrides (if any). */
+    builtInType?: "verification" | "password-reset" | "magic-link" | "email-otp" | "invitation" | "welcome";
+    /** Timestamps. */
+    createdAt: number;
+    updatedAt: number;
+}
+/** Variable definition for template documentation. */
+interface EmailTemplateVariable {
+    /** Variable name (without braces, e.g. "userName"). */
+    name: string;
+    /** Human-readable description. */
+    description?: string;
+    /** Default value for previews. */
+    defaultValue?: string;
+    /** Whether this variable is required. */
+    required?: boolean;
+}
+/** Metadata for the editor's block palette (drag source). */
+interface BlockPaletteMeta {
+    type: EmailBlockType;
+    label: string;
+    description: string;
+    icon: string;
+}
+/** Default palette entries for the editor sidebar. */
+declare const BLOCK_PALETTE: BlockPaletteMeta[];
+/** Create a default block of the given type. */
+declare function createDefaultBlock(type: EmailBlockType): EmailBlock;
+/**
+ * Replace `{{variableName}}` placeholders in a string with values from a map.
+ * Unmatched variables are left as-is.
+ */
+declare function interpolateVariables(text: string, variables: Record<string, string>): string;
+/**
+ * Extract all `{{variableName}}` references from an array of blocks.
+ * Returns a deduplicated list of variable names.
+ */
+declare function extractVariables(blocks: EmailBlock[]): string[];
+/**
+ * Default block definitions for the 6 built-in auth email templates.
+ * These serve as starting points that users can customize.
+ */
+declare function getBuiltInTemplateBlocks(type: "verification" | "password-reset" | "magic-link" | "email-otp" | "invitation" | "welcome"): EmailBlock[];
+export { type Account, type ApiKey, type AuditEvent, AuthenticationError, BLOCK_PALETTE, BanataAuthError, type BlockPaletteMeta, type ButtonBlock, type CodeBlock, type ColumnDef, type ColumnsBlock, ConflictError, type CreateAuditEventInput, type CreateOrganizationInput, type CreateSsoConnectionInput, type CreateUserInput, type CreateWebhookEndpointInput, type Directory, type DirectoryGroup, type DirectoryProvider, type DirectoryState, type DirectoryUser, type DividerBlock, type DomainVerification, type DomainVerificationState, type EmailBlock, type EmailBlockStyle, type EmailBlockType, type EmailTemplateCategory, type EmailTemplateDefinition, type EmailTemplateVariable, type FieldError, ForbiddenError, type HeadingBlock, ID_PREFIXES, type IdPrefix, type ImageBlock, InternalError, type InviteMemberInput, type LinkBlock, type ListMetadata, NotFoundError, type OidcConfig, type Organization, type OrganizationInvitation, type OrganizationMember, type PaginatedResult, type PaginationOptions, type PortalIntent, type PortalSession, type Project, RATE_LIMITS, RateLimitError, type ResourceType, type RuntimeAuthConfig, type RuntimeAuthFeatures, type RuntimeAuthMethods, type RuntimeAuthSessions, type RuntimeSocialProviderStatus, SIZE_LIMITS, type SamlConfig, type Session, type SpacerBlock, type SsoConnection, type SsoConnectionState, type SsoConnectionType, type SsoProfile, TOKEN_LIFETIMES, type Team, type TextBlock, type UpdateOrganizationInput, type UpdateUserInput, type User, ValidationError, type VaultSecret, WEBHOOK_MAX_ATTEMPTS, WEBHOOK_MAX_CONSECUTIVE_FAILURES, WEBHOOK_RETRY_DELAYS, type WebhookEndpoint, type WebhookEvent, createAuditEventSchema, createDefaultBlock, createErrorFromStatus, createOrganizationSchema, createSsoConnectionSchema, createUserSchema, createWebhookEndpointSchema, domainSchema, emailSchema, extractVariables, generateId, generateOtp, generateRandomToken, getBuiltInTemplateBlocks, getResourceType, httpsUrlSchema, interpolateVariables, inviteMemberSchema, listEnabledSocialProviderIds, metadataSchema, nameSchema, paginationSchema, passwordSchema, slugSchema, ulid, updateOrganizationSchema, updateUserSchema, urlSchema, validateId };