@gaganref/convex-api-keys 0.1.0

package/dist/client/crypto.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"crypto.js","sourceRoot":"","sources":["../../src/client/crypto.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,uBAAuB,EAAE,MAAM,aAAa,CAAC;AAEtD,MAAM,WAAW,GAAG,IAAI,WAAW,EAAE,CAAC;AAEtC,MAAM,UAAU,aAAa,CAAC,MAAc,EAAE,cAAsB;IAClE,MAAM,KAAK,GAAG,WAAW,CAAC,cAAc,CAAC,CAAC;IAC1C,OAAO,GAAG,MAAM,GAAG,eAAe,CAAC,KAAK,CAAC,EAAE,CAAC;AAC9C,CAAC;AAED,MAAM,CAAC,KAAK,UAAU,eAAe,CAAC,KAAa;IACjD,MAAM,IAAI,GAAG,MAAM,gBAAgB,EAAE,CAAC,MAAM,CAC1C,SAAS,EACT,WAAW,CAAC,MAAM,CAAC,KAAK,CAAC,CAC1B,CAAC;IACF,OAAO,eAAe,CAAC,IAAI,UAAU,CAAC,IAAI,CAAC,CAAC,CAAC;AAC/C,CAAC;AAED,MAAM,UAAU,UAAU,CAAC,KAAa;IACtC,OAAO,KAAK,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC,CAAC;AACzB,CAAC;AAED,SAAS,WAAW,CAAC,MAAc;IACjC,MAAM,MAAM,GAAG,gBAAgB,EAAE,CAAC;IAClC,MAAM,KAAK,GAAG,IAAI,UAAU,CAAC,MAAM,CAAC,CAAC;IACrC,MAAM,CAAC,eAAe,CAAC,KAAK,CAAC,CAAC;IAC9B,OAAO,KAAK,CAAC;AACf,CAAC;AAED,SAAS,gBAAgB;IACvB,MAAM,MAAM,GAAG,gBAAgB,EAAE,CAAC,MAAM,CAAC;IACzC,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,uBAAuB,CAC3B,+CAA+C,CAChD,CAAC;IACJ,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,gBAAgB;IACvB,MAAM,MAAM,GAAG,UAAU,CAAC,MAAM,CAAC;IACjC,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,uBAAuB,CAC3B,iDAAiD,CAClD,CAAC;IACJ,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAED,SAAS,eAAe,CAAC,KAAiB;IACxC,IAAI,MAAM,GAAG,EAAE,CAAC;IAChB,KAAK,MAAM,IAAI,IAAI,KAAK,EAAE,CAAC;QACzB,MAAM,IAAI,MAAM,CAAC,YAAY,CAAC,IAAI,CAAC,CAAC;IACtC,CAAC;IACD,IAAI,OAAO,UAAU,CAAC,IAAI,KAAK,UAAU,EAAE,CAAC;QAC1C,MAAM,uBAAuB,CAC3B,kDAAkD,CACnD,CAAC;IACJ,CAAC;IACD,OAAO,UAAU;SACd,IAAI,CAAC,MAAM,CAAC;SACZ,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,KAAK,EAAE,GAAG,CAAC;SACnB,OAAO,CAAC,MAAM,EAAE,EAAE,CAAC,CAAC;AACzB,CAAC"}

package/dist/client/errors.d.ts

@@ -0,0 +1,32 @@
+export type ApiKeysClientErrorCode = "INVALID_OPTIONS" | "TOKEN_REQUIRED" | "RUNTIME_UNAVAILABLE" | "OPERATION_FAILED";
+/**
+ * Structured runtime error thrown by client-side helpers.
+ *
+ * Chains the underlying error via `cause`, making it visible in
+ * stack traces and debuggers.
+ *
+ * ```ts
+ * try {
+ *   await apiKeys.create(ctx, args);
+ * } catch (error) {
+ *   if (isApiKeysClientError(error)) {
+ *     console.error(error.code, error.message);
+ *     if (error.cause) console.error("Caused by:", error.cause);
+ *   }
+ * }
+ * ```
+ */
+export declare class ApiKeysClientError extends Error {
+    readonly name = "ApiKeysClientError";
+    readonly code: ApiKeysClientErrorCode;
+    readonly cause?: unknown;
+    constructor(code: ApiKeysClientErrorCode, message: string, cause?: unknown);
+}
+/**
+ * Type guard for structured API keys client errors.
+ */
+export declare function isApiKeysClientError(error: unknown): error is ApiKeysClientError;
+export declare function optionsError(message: string): ApiKeysClientError;
+export declare function tokenRequiredError(): ApiKeysClientError;
+export declare function runtimeUnavailableError(message: string): ApiKeysClientError;
+//# sourceMappingURL=errors.d.ts.map

package/dist/client/errors.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.d.ts","sourceRoot":"","sources":["../../src/client/errors.ts"],"names":[],"mappings":"AAAA,MAAM,MAAM,sBAAsB,GAE9B,iBAAiB,GAEjB,gBAAgB,GAEhB,qBAAqB,GACrB,kBAAkB,CAAC;AAEvB;;;;;;;;;;;;;;;;GAgBG;AACH,qBAAa,kBAAmB,SAAQ,KAAK;IAC3C,QAAQ,CAAC,IAAI,wBAAwB;IACrC,QAAQ,CAAC,IAAI,EAAE,sBAAsB,CAAC;IACtC,QAAQ,CAAC,KAAK,CAAC,EAAE,OAAO,CAAC;gBAEb,IAAI,EAAE,sBAAsB,EAAE,OAAO,EAAE,MAAM,EAAE,KAAK,CAAC,EAAE,OAAO;CAK3E;AAED;;GAEG;AACH,wBAAgB,oBAAoB,CAClC,KAAK,EAAE,OAAO,GACb,KAAK,IAAI,kBAAkB,CAE7B;AAED,wBAAgB,YAAY,CAAC,OAAO,EAAE,MAAM,sBAK3C;AAED,wBAAgB,kBAAkB,uBAKjC;AAED,wBAAgB,uBAAuB,CAAC,OAAO,EAAE,MAAM,sBAKtD"}

package/dist/client/errors.js

@@ -0,0 +1,43 @@
+/**
+ * Structured runtime error thrown by client-side helpers.
+ *
+ * Chains the underlying error via `cause`, making it visible in
+ * stack traces and debuggers.
+ *
+ * ```ts
+ * try {
+ *   await apiKeys.create(ctx, args);
+ * } catch (error) {
+ *   if (isApiKeysClientError(error)) {
+ *     console.error(error.code, error.message);
+ *     if (error.cause) console.error("Caused by:", error.cause);
+ *   }
+ * }
+ * ```
+ */
+export class ApiKeysClientError extends Error {
+    name = "ApiKeysClientError";
+    code;
+    cause;
+    constructor(code, message, cause) {
+        super(message);
+        this.code = code;
+        this.cause = cause;
+    }
+}
+/**
+ * Type guard for structured API keys client errors.
+ */
+export function isApiKeysClientError(error) {
+    return error instanceof ApiKeysClientError;
+}
+export function optionsError(message) {
+    return new ApiKeysClientError("INVALID_OPTIONS", `api-keys options: ${message}`);
+}
+export function tokenRequiredError() {
+    return new ApiKeysClientError("TOKEN_REQUIRED", "api-keys: token must not be empty");
+}
+export function runtimeUnavailableError(message) {
+    return new ApiKeysClientError("RUNTIME_UNAVAILABLE", `api-keys runtime: ${message}`);
+}
+//# sourceMappingURL=errors.js.map

package/dist/client/errors.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"errors.js","sourceRoot":"","sources":["../../src/client/errors.ts"],"names":[],"mappings":"AASA;;;;;;;;;;;;;;;;GAgBG;AACH,MAAM,OAAO,kBAAmB,SAAQ,KAAK;IAClC,IAAI,GAAG,oBAAoB,CAAC;IAC5B,IAAI,CAAyB;IAC7B,KAAK,CAAW;IAEzB,YAAY,IAA4B,EAAE,OAAe,EAAE,KAAe;QACxE,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,IAAI,CAAC;QACjB,IAAI,CAAC,KAAK,GAAG,KAAK,CAAC;IACrB,CAAC;CACF;AAED;;GAEG;AACH,MAAM,UAAU,oBAAoB,CAClC,KAAc;IAEd,OAAO,KAAK,YAAY,kBAAkB,CAAC;AAC7C,CAAC;AAED,MAAM,UAAU,YAAY,CAAC,OAAe;IAC1C,OAAO,IAAI,kBAAkB,CAC3B,iBAAiB,EACjB,qBAAqB,OAAO,EAAE,CAC/B,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,kBAAkB;IAChC,OAAO,IAAI,kBAAkB,CAC3B,gBAAgB,EAChB,mCAAmC,CACpC,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,uBAAuB,CAAC,OAAe;IACrD,OAAO,IAAI,kBAAkB,CAC3B,qBAAqB,EACrB,qBAAqB,OAAO,EAAE,CAC/B,CAAC;AACJ,CAAC"}

package/dist/client/index.d.ts

@@ -0,0 +1,7 @@
+export { ApiKeys, ApiKeys as default } from "./operations.js";
+export { ApiKeysClientError, isApiKeysClientError } from "./errors.js";
+export type { ApiKeysClientErrorCode } from "./errors.js";
+export type { ApiKeysOptions } from "./options.js";
+export { onInvalidateHookPayloadValidator } from "./types.js";
+export type { ApiKeyId, ApiKeyEventMetadata, ApiKeyMetadata, ApiKeyToken, ApiKeysTypeOptions, CleanupExpiredArgs, CleanupExpiredResult, CreateArgs, CreateResult, GetKeyArgs, GetKeyResult, InvalidateArgs, InvalidateAllArgs, InvalidateAllResult, InvalidateResult, ListEventsArgs, ListEventsResult, ListKeyEventsArgs, ListKeyEventsResult, ListKeysArgs, ListKeysResult, PaginationOptions, OnInvalidateHookPayload, RefreshArgs, RefreshResult, RunMutationCtx, RunQueryCtx, TouchArgs, TouchResult, UpdateArgs, UpdateResult, ValidateArgs, ValidateResult, } from "./types.js";
+//# sourceMappingURL=index.d.ts.map

package/dist/client/index.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/client/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,OAAO,IAAI,OAAO,EAAE,MAAM,iBAAiB,CAAC;AAE9D,OAAO,EAAE,kBAAkB,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AACvE,YAAY,EAAE,sBAAsB,EAAE,MAAM,aAAa,CAAC;AAE1D,YAAY,EAAE,cAAc,EAAE,MAAM,cAAc,CAAC;AAEnD,OAAO,EAAE,gCAAgC,EAAE,MAAM,YAAY,CAAC;AAE9D,YAAY,EACV,QAAQ,EACR,mBAAmB,EACnB,cAAc,EACd,WAAW,EACX,kBAAkB,EAClB,kBAAkB,EAClB,oBAAoB,EACpB,UAAU,EACV,YAAY,EACZ,UAAU,EACV,YAAY,EACZ,cAAc,EACd,iBAAiB,EACjB,mBAAmB,EACnB,gBAAgB,EAChB,cAAc,EACd,gBAAgB,EAChB,iBAAiB,EACjB,mBAAmB,EACnB,YAAY,EACZ,cAAc,EACd,iBAAiB,EACjB,uBAAuB,EACvB,WAAW,EACX,aAAa,EACb,cAAc,EACd,WAAW,EACX,SAAS,EACT,WAAW,EACX,UAAU,EACV,YAAY,EACZ,YAAY,EACZ,cAAc,GACf,MAAM,YAAY,CAAC"}

package/dist/client/index.js

@@ -0,0 +1,4 @@
+export { ApiKeys, ApiKeys as default } from "./operations.js";
+export { ApiKeysClientError, isApiKeysClientError } from "./errors.js";
+export { onInvalidateHookPayloadValidator } from "./types.js";
+//# sourceMappingURL=index.js.map

package/dist/client/index.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/client/index.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,OAAO,EAAE,OAAO,IAAI,OAAO,EAAE,MAAM,iBAAiB,CAAC;AAE9D,OAAO,EAAE,kBAAkB,EAAE,oBAAoB,EAAE,MAAM,aAAa,CAAC;AAKvE,OAAO,EAAE,gCAAgC,EAAE,MAAM,YAAY,CAAC"}

package/dist/client/operations.d.ts

@@ -0,0 +1,240 @@
+import type { ComponentApi } from "../component/_generated/component.js";
+import { type ApiKeysOptions, type NormalizedApiKeysOptions } from "./options.js";
+import type { FunctionReference, FunctionVisibility } from "convex/server";
+import type { ApiKeysTypeOptions, CleanupExpiredArgs, CleanupExpiredResult, CreateArgs, CreateResult, GetKeyArgs, GetKeyResult, InvalidateArgs, InvalidateAllArgs, InvalidateAllResult, InvalidateResult, ListKeysArgs, ListEventsArgs, ListEventsResult, ListKeyEventsArgs, ListKeyEventsResult, ListKeysResult, OnInvalidateHookPayload, RefreshArgs, RefreshResult, RunMutationCtx, RunQueryCtx, TouchArgs, TouchResult, UpdateArgs, UpdateResult, ValidateArgs, ValidateResult } from "./types.js";
+/**
+ * Client for managing API keys in a Convex application.
+ *
+ * Handles the full API key lifecycle: creation, validation, rotation,
+ * revocation, and cleanup. Tokens are hashed with SHA-256 before storage —
+ * plaintext tokens are only returned at creation and rotation time.
+ *
+ * Type-level configuration is passed via the generic parameter to narrow
+ * namespace literals, permission shapes, metadata types, and whether `name`
+ * is required on creation.
+ *
+ * ```ts
+ * import { ApiKeys } from "@gaganref/convex-api-keys";
+ * import { components } from "./_generated/api.js";
+ *
+ * export const apiKeys = new ApiKeys(components.apiKeys, {
+ *   keyDefaults: { prefix: "myapp_", ttlMs: 90 * 24 * 60 * 60 * 1000 },
+ *   logLevel: "debug",
+ * });
+ * ```
+ *
+ * @param component The API keys component. Like `components.apiKeys` from
+ *   `./_generated/api.js`.
+ * @param options Configuration for key defaults, permissions, and logging.
+ *   See {@link ApiKeysOptions} for details.
+ */
+export declare class ApiKeys<TOptions extends ApiKeysTypeOptions = Record<never, never>> {
+    readonly component: ComponentApi;
+    readonly options: NormalizedApiKeysOptions;
+    private _onInvalidate;
+    constructor(component: ComponentApi, options?: ApiKeysOptions<TOptions>);
+    /**
+     * Attach lifecycle hooks.
+     *
+     * Call this after construction to avoid circular module type inference
+     * that occurs when `internal.*` references appear in the constructor call.
+     *
+     * @example
+     * export const apiKeys = new ApiKeys<TOptions>(components.apiKeys, { ... })
+     *   .withHooks({ onInvalidate: internal.hooks.onInvalidate });
+     */
+    withHooks(hooks: {
+        onInvalidate?: FunctionReference<"mutation", FunctionVisibility, {
+            event: OnInvalidateHookPayload;
+        }, null>;
+    }): this;
+    /**
+     * Create a new API key.
+     *
+     * Generates a cryptographically random token, hashes it with SHA-256, and
+     * stores only the hash. The plaintext token is returned exactly once — it
+     * cannot be retrieved later.
+     *
+     * Per-key overrides for `prefix`, `ttlMs`, and `idleTimeoutMs` fall back to
+     * the defaults configured in {@link ApiKeysOptions.keyDefaults}. Permissions
+     * fall back to {@link ApiKeysOptions.permissionDefaults} when omitted.
+     *
+     * @param ctx Any context that can run a mutation.
+     * @param args Key configuration including namespace, name, permissions,
+     *   metadata, and optional lifecycle overrides. See {@link CreateArgs}.
+     * @returns The plaintext token, key ID, and computed expiry timestamps.
+     *   **Store or display the token immediately** — it will not be available again.
+     * @throws {ApiKeysClientError} With code `OPERATION_FAILED` if the mutation fails.
+     */
+    create(ctx: RunMutationCtx, args: CreateArgs<TOptions>): Promise<CreateResult>;
+    /**
+     * Validate a plaintext API key token.
+     *
+     * Hashes the token with SHA-256 and looks up the matching key. Returns the
+     * key's metadata and permissions on success (`ok: true`), or a failure
+     * reason on failure (`ok: false`).
+     *
+     * This method does **not** update `lastUsedAt` — call {@link touch} separately
+     * if you need idle-timeout tracking.
+     *
+     * @param ctx Any context that can run a query.
+     * @param args The plaintext token to validate. See {@link ValidateArgs}.
+     * @returns `{ ok: true, keyId, namespace, name, permissions, metadata }` on
+     *   success, or `{ ok: false, reason }` with one of `"not_found"`,
+     *   `"revoked"`, `"expired"`, or `"idle_timeout"`.
+     * @throws {ApiKeysClientError} With code `TOKEN_REQUIRED` if the token is empty.
+     * @throws {ApiKeysClientError} With code `OPERATION_FAILED` if the query fails.
+     */
+    validate(ctx: RunQueryCtx, args: ValidateArgs): Promise<ValidateResult<TOptions>>;
+    /**
+     * Get a single API key by ID.
+     *
+     * Returns the key's full metadata including its computed
+     * `effectiveStatus` (which accounts for expiry and idle timeout).
+     *
+     * @param ctx Any context that can run a query.
+     * @param args The key ID to look up. See {@link GetKeyArgs}.
+     * @returns `{ ok: true, ...keyData }` or `{ ok: false, reason: "not_found" }`.
+     */
+    getKey(ctx: RunQueryCtx, args: GetKeyArgs): Promise<GetKeyResult>;
+    /**
+     * List API keys with cursor-based pagination.
+     *
+     * Results include the computed `effectiveStatus` for each key. Supports
+     * optional filtering by namespace and/or stored status (`"active"` or
+     * `"revoked"`), and ordering by creation time.
+     *
+     * @param ctx Any context that can run a query.
+     * @param args Pagination options and optional filters. See {@link ListKeysArgs}.
+     * @returns `{ page, isDone, continueCursor }`.
+     */
+    listKeys(ctx: RunQueryCtx, args: ListKeysArgs<TOptions>): Promise<ListKeysResult>;
+    /**
+     * List audit events across all keys with cursor-based pagination.
+     *
+     * Events are immutable records of key lifecycle changes (`"created"`,
+     * `"revoked"`, `"rotated"`). Optionally filter by namespace.
+     *
+     * @param ctx Any context that can run a query.
+     * @param args Pagination options and optional namespace filter.
+     *   See {@link ListEventsArgs}.
+     * @returns `{ page, isDone, continueCursor }`.
+     */
+    listEvents(ctx: RunQueryCtx, args: ListEventsArgs<TOptions>): Promise<ListEventsResult>;
+    /**
+     * List audit events for a specific key with cursor-based pagination.
+     *
+     * @param ctx Any context that can run a query.
+     * @param args The key ID, pagination options, and optional order.
+     *   See {@link ListKeyEventsArgs}.
+     * @returns `{ page, isDone, continueCursor }`.
+     */
+    listKeyEvents(ctx: RunQueryCtx, args: ListKeyEventsArgs): Promise<ListKeyEventsResult>;
+    /**
+     * Touch an API key, updating `lastUsedAt` and resetting the idle timeout.
+     *
+     * If the key has a `maxIdleMs` configured, the idle expiry is derived from
+     * `lastUsedAt + maxIdleMs`. Call this during request handling to keep
+     * idle-timeout keys alive.
+     *
+     * @param ctx Any context that can run a mutation.
+     * @param args The key ID to touch. See {@link TouchArgs}.
+     * @returns `{ ok: true, keyId, touchedAt }` on success,
+     *   or `{ ok: false, reason }` if the key is not found or inactive.
+     */
+    touch(ctx: RunMutationCtx, args: TouchArgs): Promise<TouchResult>;
+    /**
+     * Invalidate (revoke) a single API key.
+     *
+     * Sets the key's status to `"revoked"` and records a revocation audit event.
+     * If an `onInvalidate` hook is configured, it fires after the revocation
+     * succeeds (hook failures are swallowed and logged).
+     *
+     * @param ctx Any context that can run a mutation.
+     * @param args The key ID, optional reason, and optional event metadata.
+     *   See {@link InvalidateArgs}.
+     * @returns `{ ok: true, keyId, revokedAt }` on success,
+     *   or `{ ok: false, reason }` if the key is not found or already revoked.
+     */
+    invalidate(ctx: RunMutationCtx, args: InvalidateArgs): Promise<InvalidateResult>;
+    /**
+     * Bulk-invalidate API keys matching the given filters.
+     *
+     * Iterates through all matching active keys in paginated batches,
+     * revoking each one and recording audit events. Supports filtering by
+     * namespace and creation-time range (`before` / `after`).
+     *
+     * The `onInvalidate` hook fires once after all pages are processed with
+     * aggregated stats.
+     *
+     * @param ctx Any context that can run a mutation.
+     * @param args Filters, optional reason/metadata, and page size.
+     *   See {@link InvalidateAllArgs}.
+     * @returns `{ processed, revoked, pages }` — total keys examined,
+     *   total keys revoked, and number of pages processed.
+     */
+    invalidateAll(ctx: RunMutationCtx, args: InvalidateAllArgs<TOptions>): Promise<InvalidateAllResult>;
+    /**
+     * Rotate an API key: revoke the current key and issue a replacement.
+     *
+     * The new key inherits the old key's namespace, name, permissions, metadata,
+     * expiry configuration, and idle timeout. A `"rotated"` event is recorded on
+     * the old key and a `"created"` event on the new key.
+     *
+     * The `onInvalidate` hook fires with `trigger: "refresh"` after success.
+     *
+     * @param ctx Any context that can run a mutation.
+     * @param args The key ID to rotate, optional reason, and optional event
+     *   metadata. See {@link RefreshArgs}.
+     * @returns On success: `{ ok: true, keyId, token, ... }` with the new
+     *   plaintext token. On failure: `{ ok: false, reason }` if the key is
+     *   not found or inactive.
+     */
+    refresh(ctx: RunMutationCtx, args: RefreshArgs): Promise<RefreshResult>;
+    /**
+     * Update a key's mutable properties: name, metadata, and/or expiry.
+     *
+     * Pass `expiresAt: null` to remove the absolute expiry entirely.
+     * Omitted fields are left unchanged.
+     *
+     * @param ctx Any context that can run a mutation.
+     * @param args The key ID and fields to update. See {@link UpdateArgs}.
+     * @returns `{ ok: true, keyId }` on success,
+     *   or `{ ok: false, reason }` where reason is `"not_found"` or `"already_revoked"`.
+     */
+    update(ctx: RunMutationCtx, args: UpdateArgs): Promise<UpdateResult>;
+    /**
+     * Hard-delete revoked keys older than the retention period.
+     *
+     * Expired and idle keys are automatically swept to revoked status by the
+     * component's internal cron — this method only deletes revoked keys past
+     * the retention window. Processes up to 100 keys per run and automatically
+     * reschedules itself when a full batch is found.
+     *
+     * Call this from your app's cron job to control the schedule:
+     *
+     * ```ts
+     * // convex/crons.ts
+     * crons.interval("cleanup api keys", { hours: 24 }, internal.tasks.cleanupApiKeys);
+     *
+     * // convex/tasks.ts
+     * export const cleanupApiKeys = internalMutation({
+     *   handler: (ctx) => apiKeys.cleanupExpired(ctx),
+     * });
+     * ```
+     *
+     * @param ctx Any context that can run a mutation.
+     * @param args Optional retention period override. Defaults to 30 days.
+     *   See {@link CleanupExpiredArgs}.
+     * @returns `{ deleted, isDone }` — keys hard-deleted and whether all
+     *   work was completed in this run.
+     */
+    cleanupExpired(ctx: RunMutationCtx, args?: CleanupExpiredArgs): Promise<CleanupExpiredResult>;
+    /**
+     * Executes the optional invalidation hook and reports hook failures without
+     * affecting the main API-key operation.
+     */
+    private runOnInvalidateHook;
+    private toThrownError;
+}
+//# sourceMappingURL=operations.d.ts.map

package/dist/client/operations.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"operations.d.ts","sourceRoot":"","sources":["../../src/client/operations.ts"],"names":[],"mappings":"AAAA,OAAO,KAAK,EAAE,YAAY,EAAE,MAAM,sCAAsC,CAAC;AAEzE,OAAO,EACL,KAAK,cAAc,EAGnB,KAAK,wBAAwB,EAC9B,MAAM,cAAc,CAAC;AAMtB,OAAO,KAAK,EAAE,iBAAiB,EAAE,kBAAkB,EAAE,MAAM,eAAe,CAAC;AAC3E,OAAO,KAAK,EACV,kBAAkB,EAClB,kBAAkB,EAClB,oBAAoB,EACpB,UAAU,EACV,YAAY,EACZ,UAAU,EACV,YAAY,EACZ,cAAc,EACd,iBAAiB,EAEjB,mBAAmB,EACnB,gBAAgB,EAChB,YAAY,EACZ,cAAc,EACd,gBAAgB,EAChB,iBAAiB,EACjB,mBAAmB,EACnB,cAAc,EACd,uBAAuB,EACvB,WAAW,EACX,aAAa,EACb,cAAc,EACd,WAAW,EACX,SAAS,EACT,WAAW,EACX,UAAU,EACV,YAAY,EACZ,YAAY,EACZ,cAAc,EACf,MAAM,YAAY,CAAC;AAoHpB;;;;;;;;;;;;;;;;;;;;;;;;;GAyBG;AACH,qBAAa,OAAO,CAClB,QAAQ,SAAS,kBAAkB,GAAG,MAAM,CAAC,KAAK,EAAE,KAAK,CAAC;IAE1D,SAAgB,SAAS,EAAE,YAAY,CAAC;IACxC,SAAgB,OAAO,EAAE,wBAAwB,CAAC;IAClD,OAAO,CAAC,aAAa,CAOP;gBAEF,SAAS,EAAE,YAAY,EAAE,OAAO,CAAC,EAAE,cAAc,CAAC,QAAQ,CAAC;IAKvE;;;;;;;;;OASG;IACH,SAAS,CAAC,KAAK,EAAE;QACf,YAAY,CAAC,EAAE,iBAAiB,CAC9B,UAAU,EACV,kBAAkB,EAClB;YAAE,KAAK,EAAE,uBAAuB,CAAA;SAAE,EAClC,IAAI,CACL,CAAC;KACH,GAAG,IAAI;IAKR;;;;;;;;;;;;;;;;;OAiBG;IACG,MAAM,CACV,GAAG,EAAE,cAAc,EACnB,IAAI,EAAE,UAAU,CAAC,QAAQ,CAAC,GACzB,OAAO,CAAC,YAAY,CAAC;IA2DxB;;;;;;;;;;;;;;;;;OAiBG;IACG,QAAQ,CACZ,GAAG,EAAE,WAAW,EAChB,IAAI,EAAE,YAAY,GACjB,OAAO,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC;IAwCpC;;;;;;;;;OASG;IACG,MAAM,CAAC,GAAG,EAAE,WAAW,EAAE,IAAI,EAAE,UAAU,GAAG,OAAO,CAAC,YAAY,CAAC;IAkBvE;;;;;;;;;;OAUG;IACG,QAAQ,CACZ,GAAG,EAAE,WAAW,EAChB,IAAI,EAAE,YAAY,CAAC,QAAQ,CAAC,GAC3B,OAAO,CAAC,cAAc,CAAC;IAqB1B;;;;;;;;;;OAUG;IACG,UAAU,CACd,GAAG,EAAE,WAAW,EAChB,IAAI,EAAE,cAAc,CAAC,QAAQ,CAAC,GAC7B,OAAO,CAAC,gBAAgB,CAAC;IAmB5B;;;;;;;OAOG;IACG,aAAa,CACjB,GAAG,EAAE,WAAW,EAChB,IAAI,EAAE,iBAAiB,GACtB,OAAO,CAAC,mBAAmB,CAAC;IAiB/B;;;;;;;;;;;OAWG;IACG,KAAK,CAAC,GAAG,EAAE,cAAc,EAAE,IAAI,EAAE,SAAS,GAAG,OAAO,CAAC,WAAW,CAAC;IA+BvE;;;;;;;;;;;;OAYG;IACG,UAAU,CACd,GAAG,EAAE,cAAc,EACnB,IAAI,EAAE,cAAc,GACnB,OAAO,CAAC,gBAAgB,CAAC;IAqC5B;;;;;;;;;;;;;;;OAeG;IACG,aAAa,CACjB,GAAG,EAAE,cAAc,EACnB,IAAI,EAAE,iBAAiB,CAAC,QAAQ,CAAC,GAChC,OAAO,CAAC,mBAAmB,CAAC;IAkE/B;;;;;;;;;;;;;;;OAeG;IACG,OAAO,CACX,GAAG,EAAE,cAAc,EACnB,IAAI,EAAE,WAAW,GAChB,OAAO,CAAC,aAAa,CAAC;IA2DzB;;;;;;;;;;OAUG;IACG,MAAM,CAAC,GAAG,EAAE,cAAc,EAAE,IAAI,EAAE,UAAU,GAAG,OAAO,CAAC,YAAY,CAAC;IAsC1E;;;;;;;;;;;;;;;;;;;;;;;;;OAyBG;IACG,cAAc,CAClB,GAAG,EAAE,cAAc,EACnB,IAAI,CAAC,EAAE,kBAAkB,GACxB,OAAO,CAAC,oBAAoB,CAAC;IAgBhC;;;OAGG;YACW,mBAAmB;IAoBjC,OAAO,CAAC,aAAa;CAWtB"}