@robelest/convex-auth 0.0.4-preview.13 → 0.0.4-preview.15

package/dist/component/schema.d.ts

@@ -1,5 +1,5 @@
-import * as convex_values119 from "convex/values";
-import * as convex_server3 from "convex/server";
+import * as convex_server60 from "convex/server";
+import * as convex_values121 from "convex/values";
 
 //#region src/component/schema.d.ts
 /**
@@ -9,30 +9,30 @@ import * as convex_server3 from "convex/server";
  * verification codes, PKCE verifiers, rate limits) and hierarchical group
  * management (groups, members, invites).
  */
-declare const _default: convex_server3.SchemaDefinition<{
+declare const _default: convex_server60.SchemaDefinition<{
   /**
    * Authenticated users. A user may have multiple linked accounts
    * and multiple concurrent sessions.
    */
-  User: convex_server3.TableDefinition<convex_values119.VObject<{
+  User: convex_server60.TableDefinition<convex_values121.VObject<{
+    email?: string | undefined;
+    phone?: string | undefined;
+    extend?: any;
     name?: string | undefined;
     image?: string | undefined;
-    email?: string | undefined;
     emailVerificationTime?: number | undefined;
-    phone?: string | undefined;
     phoneVerificationTime?: number | undefined;
     isAnonymous?: boolean | undefined;
-    extend?: any;
   }, {
-    name: convex_values119.VString<string | undefined, "optional">;
-    image: convex_values119.VString<string | undefined, "optional">;
-    email: convex_values119.VString<string | undefined, "optional">;
-    emailVerificationTime: convex_values119.VFloat64<number | undefined, "optional">;
-    phone: convex_values119.VString<string | undefined, "optional">;
-    phoneVerificationTime: convex_values119.VFloat64<number | undefined, "optional">;
-    isAnonymous: convex_values119.VBoolean<boolean | undefined, "optional">;
-    extend: convex_values119.VAny<any, "optional", string>;
-  }, "required", "name" | "image" | "email" | "emailVerificationTime" | "phone" | "phoneVerificationTime" | "isAnonymous" | "extend" | `extend.${string}`>, {
+    name: convex_values121.VString<string | undefined, "optional">;
+    image: convex_values121.VString<string | undefined, "optional">;
+    email: convex_values121.VString<string | undefined, "optional">;
+    emailVerificationTime: convex_values121.VFloat64<number | undefined, "optional">;
+    phone: convex_values121.VString<string | undefined, "optional">;
+    phoneVerificationTime: convex_values121.VFloat64<number | undefined, "optional">;
+    isAnonymous: convex_values121.VBoolean<boolean | undefined, "optional">;
+    extend: convex_values121.VAny<any, "optional", string>;
+  }, "required", "email" | "phone" | "extend" | "name" | "image" | "emailVerificationTime" | "phoneVerificationTime" | "isAnonymous" | `extend.${string}`>, {
     email: ["email", "_creationTime"];
     phone: ["phone", "_creationTime"];
   }, {}, {}>;
@@ -41,12 +41,12 @@ declare const _default: convex_server3.SchemaDefinition<{
    * across different devices or browsers. Sessions expire after a
    * configurable duration.
    */
-  Session: convex_server3.TableDefinition<convex_values119.VObject<{
-    userId: convex_values119.GenericId<"User">;
+  Session: convex_server60.TableDefinition<convex_values121.VObject<{
+    userId: convex_values121.GenericId<"User">;
     expirationTime: number;
   }, {
-    userId: convex_values119.VId<convex_values119.GenericId<"User">, "required">;
-    expirationTime: convex_values119.VFloat64<number, "required">;
+    userId: convex_values121.VId<convex_values121.GenericId<"User">, "required">;
+    expirationTime: convex_values121.VFloat64<number, "required">;
   }, "required", "userId" | "expirationTime">, {
     user_id: ["userId", "_creationTime"];
   }, {}, {}>;
@@ -55,23 +55,23 @@ declare const _default: convex_server3.SchemaDefinition<{
    * authentication provider (e.g. Google OAuth, email/password).
    * A user can have multiple accounts linked.
    */
-  Account: convex_server3.TableDefinition<convex_values119.VObject<{
+  Account: convex_server60.TableDefinition<convex_values121.VObject<{
     extend?: any;
     secret?: string | undefined;
     emailVerified?: string | undefined;
     phoneVerified?: string | undefined;
-    userId: convex_values119.GenericId<"User">;
     provider: string;
+    userId: convex_values121.GenericId<"User">;
     providerAccountId: string;
   }, {
-    userId: convex_values119.VId<convex_values119.GenericId<"User">, "required">;
-    provider: convex_values119.VString<string, "required">;
-    providerAccountId: convex_values119.VString<string, "required">;
-    secret: convex_values119.VString<string | undefined, "optional">;
-    emailVerified: convex_values119.VString<string | undefined, "optional">;
-    phoneVerified: convex_values119.VString<string | undefined, "optional">;
-    extend: convex_values119.VAny<any, "optional", string>;
-  }, "required", "extend" | `extend.${string}` | "userId" | "provider" | "providerAccountId" | "secret" | "emailVerified" | "phoneVerified">, {
+    userId: convex_values121.VId<convex_values121.GenericId<"User">, "required">;
+    provider: convex_values121.VString<string, "required">;
+    providerAccountId: convex_values121.VString<string, "required">;
+    secret: convex_values121.VString<string | undefined, "optional">;
+    emailVerified: convex_values121.VString<string | undefined, "optional">;
+    phoneVerified: convex_values121.VString<string | undefined, "optional">;
+    extend: convex_values121.VAny<any, "optional", string>;
+  }, "required", "provider" | "extend" | "userId" | "providerAccountId" | "secret" | `extend.${string}` | "emailVerified" | "phoneVerified">, {
     user_id_provider: ["userId", "provider", "_creationTime"];
     provider_account_id: ["provider", "providerAccountId", "_creationTime"];
   }, {}, {}>;
@@ -83,40 +83,40 @@ declare const _default: convex_server3.SchemaDefinition<{
    * been used yet. A 10-second reuse window allows for concurrent requests.
    * Any invalid use of a token invalidates the entire chain.
    */
-  RefreshToken: convex_server3.TableDefinition<convex_values119.VObject<{
+  RefreshToken: convex_server60.TableDefinition<convex_values121.VObject<{
     firstUsedTime?: number | undefined;
-    parentRefreshTokenId?: convex_values119.GenericId<"RefreshToken"> | undefined;
+    parentRefreshTokenId?: convex_values121.GenericId<"RefreshToken"> | undefined;
+    sessionId: convex_values121.GenericId<"Session">;
     expirationTime: number;
-    sessionId: convex_values119.GenericId<"Session">;
   }, {
-    sessionId: convex_values119.VId<convex_values119.GenericId<"Session">, "required">;
-    expirationTime: convex_values119.VFloat64<number, "required">;
-    firstUsedTime: convex_values119.VFloat64<number | undefined, "optional">;
-    parentRefreshTokenId: convex_values119.VId<convex_values119.GenericId<"RefreshToken"> | undefined, "optional">;
-  }, "required", "expirationTime" | "sessionId" | "firstUsedTime" | "parentRefreshTokenId">, {
+    sessionId: convex_values121.VId<convex_values121.GenericId<"Session">, "required">;
+    expirationTime: convex_values121.VFloat64<number, "required">;
+    firstUsedTime: convex_values121.VFloat64<number | undefined, "optional">;
+    parentRefreshTokenId: convex_values121.VId<convex_values121.GenericId<"RefreshToken"> | undefined, "optional">;
+  }, "required", "sessionId" | "expirationTime" | "firstUsedTime" | "parentRefreshTokenId">, {
     session_id: ["sessionId", "_creationTime"];
     session_id_parent_refresh_token_id: ["sessionId", "parentRefreshTokenId", "_creationTime"];
   }, {}, {}>;
   /**
    * Verification codes for OTP tokens, magic link tokens, and OAuth codes.
    */
-  VerificationCode: convex_server3.TableDefinition<convex_values119.VObject<{
+  VerificationCode: convex_server60.TableDefinition<convex_values121.VObject<{
+    verifier?: string | undefined;
     emailVerified?: string | undefined;
     phoneVerified?: string | undefined;
-    verifier?: string | undefined;
-    expirationTime: number;
     provider: string;
-    accountId: convex_values119.GenericId<"Account">;
+    accountId: convex_values121.GenericId<"Account">;
     code: string;
+    expirationTime: number;
   }, {
-    accountId: convex_values119.VId<convex_values119.GenericId<"Account">, "required">;
-    provider: convex_values119.VString<string, "required">;
-    code: convex_values119.VString<string, "required">;
-    expirationTime: convex_values119.VFloat64<number, "required">;
-    verifier: convex_values119.VString<string | undefined, "optional">;
-    emailVerified: convex_values119.VString<string | undefined, "optional">;
-    phoneVerified: convex_values119.VString<string | undefined, "optional">;
-  }, "required", "expirationTime" | "provider" | "emailVerified" | "phoneVerified" | "accountId" | "code" | "verifier">, {
+    accountId: convex_values121.VId<convex_values121.GenericId<"Account">, "required">;
+    provider: convex_values121.VString<string, "required">;
+    code: convex_values121.VString<string, "required">;
+    expirationTime: convex_values121.VFloat64<number, "required">;
+    verifier: convex_values121.VString<string | undefined, "optional">;
+    emailVerified: convex_values121.VString<string | undefined, "optional">;
+    phoneVerified: convex_values121.VString<string | undefined, "optional">;
+  }, "required", "provider" | "verifier" | "accountId" | "code" | "expirationTime" | "emailVerified" | "phoneVerified">, {
     account_id: ["accountId", "_creationTime"];
     code: ["code", "_creationTime"];
   }, {}, {}>;
@@ -124,12 +124,12 @@ declare const _default: convex_server3.SchemaDefinition<{
    * PKCE verifiers for OAuth flows. Stores the cryptographic verifier
    * used to prove the authorization request originated from this client.
    */
-  AuthVerifier: convex_server3.TableDefinition<convex_values119.VObject<{
-    sessionId?: convex_values119.GenericId<"Session"> | undefined;
+  AuthVerifier: convex_server60.TableDefinition<convex_values121.VObject<{
+    sessionId?: convex_values121.GenericId<"Session"> | undefined;
     signature?: string | undefined;
   }, {
-    sessionId: convex_values119.VId<convex_values119.GenericId<"Session"> | undefined, "optional">;
-    signature: convex_values119.VString<string | undefined, "optional">;
+    sessionId: convex_values121.VId<convex_values121.GenericId<"Session"> | undefined, "optional">;
+    signature: convex_values121.VString<string | undefined, "optional">;
   }, "required", "sessionId" | "signature">, {
     signature: ["signature", "_creationTime"];
   }, {}, {}>;
@@ -138,11 +138,11 @@ declare const _default: convex_server3.SchemaDefinition<{
    * registered authenticator (Touch ID, Face ID, security key, etc.).
    * A user can have multiple passkeys across different devices.
    */
-  Passkey: convex_server3.TableDefinition<convex_values119.VObject<{
+  Passkey: convex_server60.TableDefinition<convex_values121.VObject<{
     name?: string | undefined;
     transports?: string[] | undefined;
     lastUsedAt?: number | undefined;
-    userId: convex_values119.GenericId<"User">;
+    userId: convex_values121.GenericId<"User">;
     credentialId: string;
     publicKey: ArrayBuffer;
     algorithm: number;
@@ -151,18 +151,18 @@ declare const _default: convex_server3.SchemaDefinition<{
     backedUp: boolean;
     createdAt: number;
   }, {
-    userId: convex_values119.VId<convex_values119.GenericId<"User">, "required">; /** Base64url-encoded credential ID from the authenticator. */
-    credentialId: convex_values119.VString<string, "required">; /** Public key bytes (SEC1 uncompressed for EC, SPKI for RSA). */
-    publicKey: convex_values119.VBytes<ArrayBuffer, "required">; /** COSE algorithm identifier (-7 for ES256, -257 for RS256, -8 for EdDSA). */
-    algorithm: convex_values119.VFloat64<number, "required">; /** Signature counter for clone detection. Many authenticators return 0. */
-    counter: convex_values119.VFloat64<number, "required">; /** Authenticator transport hints (e.g. "internal", "hybrid", "usb", "ble", "nfc"). */
-    transports: convex_values119.VArray<string[] | undefined, convex_values119.VString<string, "required">, "optional">; /** Whether this is a single-device or multi-device (synced) credential. */
-    deviceType: convex_values119.VString<string, "required">; /** Whether the credential is backed up (synced passkey). */
-    backedUp: convex_values119.VBoolean<boolean, "required">; /** User-assigned friendly name (e.g. "MacBook Touch ID"). */
-    name: convex_values119.VString<string | undefined, "optional">;
-    createdAt: convex_values119.VFloat64<number, "required">;
-    lastUsedAt: convex_values119.VFloat64<number | undefined, "optional">;
-  }, "required", "name" | "userId" | "credentialId" | "publicKey" | "algorithm" | "counter" | "transports" | "deviceType" | "backedUp" | "createdAt" | "lastUsedAt">, {
+    userId: convex_values121.VId<convex_values121.GenericId<"User">, "required">; /** Base64url-encoded credential ID from the authenticator. */
+    credentialId: convex_values121.VString<string, "required">; /** Public key bytes (SEC1 uncompressed for EC, SPKI for RSA). */
+    publicKey: convex_values121.VBytes<ArrayBuffer, "required">; /** COSE algorithm identifier (-7 for ES256, -257 for RS256, -8 for EdDSA). */
+    algorithm: convex_values121.VFloat64<number, "required">; /** Signature counter for clone detection. Many authenticators return 0. */
+    counter: convex_values121.VFloat64<number, "required">; /** Authenticator transport hints (e.g. "internal", "hybrid", "usb", "ble", "nfc"). */
+    transports: convex_values121.VArray<string[] | undefined, convex_values121.VString<string, "required">, "optional">; /** Whether this is a single-device or multi-device (synced) credential. */
+    deviceType: convex_values121.VString<string, "required">; /** Whether the credential is backed up (synced passkey). */
+    backedUp: convex_values121.VBoolean<boolean, "required">; /** User-assigned friendly name (e.g. "MacBook Touch ID"). */
+    name: convex_values121.VString<string | undefined, "optional">;
+    createdAt: convex_values121.VFloat64<number, "required">;
+    lastUsedAt: convex_values121.VFloat64<number | undefined, "optional">;
+  }, "required", "userId" | "name" | "credentialId" | "publicKey" | "algorithm" | "counter" | "transports" | "deviceType" | "backedUp" | "createdAt" | "lastUsedAt">, {
     user_id: ["userId", "_creationTime"];
     credential_id: ["credentialId", "_creationTime"];
   }, {}, {}>;
@@ -175,25 +175,25 @@ declare const _default: convex_server3.SchemaDefinition<{
    * by successfully entering a code from their authenticator app.
    * Unverified enrollments are in-progress setup that can be discarded.
    */
-  TotpFactor: convex_server3.TableDefinition<convex_values119.VObject<{
+  TotpFactor: convex_server60.TableDefinition<convex_values121.VObject<{
     name?: string | undefined;
     lastUsedAt?: number | undefined;
-    userId: convex_values119.GenericId<"User">;
+    userId: convex_values121.GenericId<"User">;
     secret: ArrayBuffer;
     createdAt: number;
     digits: number;
     period: number;
     verified: boolean;
   }, {
-    userId: convex_values119.VId<convex_values119.GenericId<"User">, "required">; /** Raw TOTP secret key bytes. */
-    secret: convex_values119.VBytes<ArrayBuffer, "required">; /** Number of digits in each code (typically 6). */
-    digits: convex_values119.VFloat64<number, "required">; /** Time period in seconds for code rotation (typically 30). */
-    period: convex_values119.VFloat64<number, "required">; /** Whether setup has been confirmed with a valid code. */
-    verified: convex_values119.VBoolean<boolean, "required">; /** User-assigned friendly name (e.g. "Google Authenticator"). */
-    name: convex_values119.VString<string | undefined, "optional">;
-    createdAt: convex_values119.VFloat64<number, "required">;
-    lastUsedAt: convex_values119.VFloat64<number | undefined, "optional">;
-  }, "required", "name" | "userId" | "secret" | "createdAt" | "lastUsedAt" | "digits" | "period" | "verified">, {
+    userId: convex_values121.VId<convex_values121.GenericId<"User">, "required">; /** Raw TOTP secret key bytes. */
+    secret: convex_values121.VBytes<ArrayBuffer, "required">; /** Number of digits in each code (typically 6). */
+    digits: convex_values121.VFloat64<number, "required">; /** Time period in seconds for code rotation (typically 30). */
+    period: convex_values121.VFloat64<number, "required">; /** Whether setup has been confirmed with a valid code. */
+    verified: convex_values121.VBoolean<boolean, "required">; /** User-assigned friendly name (e.g. "Google Authenticator"). */
+    name: convex_values121.VString<string | undefined, "optional">;
+    createdAt: convex_values121.VFloat64<number, "required">;
+    lastUsedAt: convex_values121.VFloat64<number | undefined, "optional">;
+  }, "required", "userId" | "secret" | "name" | "createdAt" | "lastUsedAt" | "digits" | "period" | "verified">, {
     user_id: ["userId", "_creationTime"];
   }, {}, {}>;
   /**
@@ -201,39 +201,39 @@ declare const _default: convex_server3.SchemaDefinition<{
    * device auth session — the device polls with `deviceCode` while the
    * user authorizes via `userCode` on a secondary device.
    */
-  DeviceCode: convex_server3.TableDefinition<convex_values119.VObject<{
-    userId?: convex_values119.GenericId<"User"> | undefined;
-    sessionId?: convex_values119.GenericId<"Session"> | undefined;
+  DeviceCode: convex_server60.TableDefinition<convex_values121.VObject<{
+    userId?: convex_values121.GenericId<"User"> | undefined;
+    sessionId?: convex_values121.GenericId<"Session"> | undefined;
     lastPolledAt?: number | undefined;
+    status: "pending" | "authorized" | "denied";
     deviceCodeHash: string;
     userCode: string;
     expiresAt: number;
     interval: number;
-    status: "pending" | "authorized" | "denied";
   }, {
-    /** High-entropy code used by the device for polling. Stored as SHA-256 hash. */deviceCodeHash: convex_values119.VString<string, "required">; /** Short human-readable code the user enters (e.g. "WDJB-MJHT"). */
-    userCode: convex_values119.VString<string, "required">; /** Expiration timestamp (ms since epoch). */
-    expiresAt: convex_values119.VFloat64<number, "required">; /** Minimum polling interval in seconds. */
-    interval: convex_values119.VFloat64<number, "required">; /** Current status of this device authorization session. */
-    status: convex_values119.VUnion<"pending" | "authorized" | "denied", [convex_values119.VLiteral<"pending", "required">, convex_values119.VLiteral<"authorized", "required">, convex_values119.VLiteral<"denied", "required">], "required", never>; /** Set when the user authorizes — links to the authorizing user. */
-    userId: convex_values119.VId<convex_values119.GenericId<"User"> | undefined, "optional">; /** Set when the user authorizes — the session created for the device. */
-    sessionId: convex_values119.VId<convex_values119.GenericId<"Session"> | undefined, "optional">; /** Timestamp of the last poll request (for slow_down enforcement). */
-    lastPolledAt: convex_values119.VFloat64<number | undefined, "optional">;
-  }, "required", "userId" | "sessionId" | "deviceCodeHash" | "userCode" | "expiresAt" | "interval" | "status" | "lastPolledAt">, {
+    /** High-entropy code used by the device for polling. Stored as SHA-256 hash. */deviceCodeHash: convex_values121.VString<string, "required">; /** Short human-readable code the user enters (e.g. "WDJB-MJHT"). */
+    userCode: convex_values121.VString<string, "required">; /** Expiration timestamp (ms since epoch). */
+    expiresAt: convex_values121.VFloat64<number, "required">; /** Minimum polling interval in seconds. */
+    interval: convex_values121.VFloat64<number, "required">; /** Current status of this device authorization session. */
+    status: convex_values121.VUnion<"pending" | "authorized" | "denied", [convex_values121.VLiteral<"pending", "required">, convex_values121.VLiteral<"authorized", "required">, convex_values121.VLiteral<"denied", "required">], "required", never>; /** Set when the user authorizes — links to the authorizing user. */
+    userId: convex_values121.VId<convex_values121.GenericId<"User"> | undefined, "optional">; /** Set when the user authorizes — the session created for the device. */
+    sessionId: convex_values121.VId<convex_values121.GenericId<"Session"> | undefined, "optional">; /** Timestamp of the last poll request (for slow_down enforcement). */
+    lastPolledAt: convex_values121.VFloat64<number | undefined, "optional">;
+  }, "required", "userId" | "sessionId" | "status" | "deviceCodeHash" | "userCode" | "expiresAt" | "interval" | "lastPolledAt">, {
     device_code_hash: ["deviceCodeHash", "_creationTime"];
     user_code_status: ["userCode", "status", "_creationTime"];
   }, {}, {}>;
   /**
    * Rate limit tracking for OTP and password sign-in attempts.
    */
-  RateLimit: convex_server3.TableDefinition<convex_values119.VObject<{
+  RateLimit: convex_server60.TableDefinition<convex_values121.VObject<{
     identifier: string;
     last_attempt_time: number;
     attempts_left: number;
   }, {
-    identifier: convex_values119.VString<string, "required">;
-    last_attempt_time: convex_values119.VFloat64<number, "required">;
-    attempts_left: convex_values119.VFloat64<number, "required">;
+    identifier: convex_values121.VString<string, "required">;
+    last_attempt_time: convex_values121.VFloat64<number, "required">;
+    attempts_left: convex_values121.VFloat64<number, "required">;
   }, "required", "identifier" | "last_attempt_time" | "attempts_left">, {
     by_identifier: ["identifier", "_creationTime"];
   }, {}, {}>;
@@ -242,33 +242,33 @@ declare const _default: convex_server3.SchemaDefinition<{
    * Groups can nest arbitrarily deep via `parentGroupId` for modeling
    * organizations, teams, departments, or any tree structure.
    */
-  Group: convex_server3.TableDefinition<convex_values119.VObject<{
-    extend?: any;
+  Group: convex_server60.TableDefinition<convex_values121.VObject<{
     type?: string | undefined;
+    extend?: any;
     slug?: string | undefined;
-    parentGroupId?: convex_values119.GenericId<"Group"> | undefined;
+    parentGroupId?: convex_values121.GenericId<"Group"> | undefined;
     tags?: {
-      key: string;
       value: string;
+      key: string;
     }[] | undefined;
     name: string;
   }, {
-    name: convex_values119.VString<string, "required">;
-    slug: convex_values119.VString<string | undefined, "optional">;
-    type: convex_values119.VString<string | undefined, "optional">;
-    parentGroupId: convex_values119.VId<convex_values119.GenericId<"Group"> | undefined, "optional">; /** Faceted classification tags. Normalized at write time (trimmed, lowercased). */
-    tags: convex_values119.VArray<{
-      key: string;
+    name: convex_values121.VString<string, "required">;
+    slug: convex_values121.VString<string | undefined, "optional">;
+    type: convex_values121.VString<string | undefined, "optional">;
+    parentGroupId: convex_values121.VId<convex_values121.GenericId<"Group"> | undefined, "optional">; /** Faceted classification tags. Normalized at write time (trimmed, lowercased). */
+    tags: convex_values121.VArray<{
       value: string;
-    }[] | undefined, convex_values119.VObject<{
       key: string;
+    }[] | undefined, convex_values121.VObject<{
       value: string;
+      key: string;
     }, {
-      key: convex_values119.VString<string, "required">;
-      value: convex_values119.VString<string, "required">;
-    }, "required", "key" | "value">, "optional">;
-    extend: convex_values119.VAny<any, "optional", string>;
-  }, "required", "name" | "extend" | "type" | `extend.${string}` | "slug" | "parentGroupId" | "tags">, {
+      key: convex_values121.VString<string, "required">;
+      value: convex_values121.VString<string, "required">;
+    }, "required", "value" | "key">, "optional">;
+    extend: convex_values121.VAny<any, "optional", string>;
+  }, "required", "type" | "extend" | "name" | `extend.${string}` | "slug" | "parentGroupId" | "tags">, {
     slug: ["slug", "_creationTime"];
     parent_group_id: ["parentGroupId", "_creationTime"];
     type: ["type", "_creationTime"];
@@ -279,15 +279,15 @@ declare const _default: convex_server3.SchemaDefinition<{
    * Each row maps one `(key, value)` pair to a group. Kept in sync by
    * `groupCreate`, `groupUpdate`, and `groupDelete`.
    */
-  GroupTag: convex_server3.TableDefinition<convex_values119.VObject<{
-    key: string;
+  GroupTag: convex_server60.TableDefinition<convex_values121.VObject<{
     value: string;
-    group_id: convex_values119.GenericId<"Group">;
+    key: string;
+    group_id: convex_values121.GenericId<"Group">;
   }, {
-    group_id: convex_values119.VId<convex_values119.GenericId<"Group">, "required">;
-    key: convex_values119.VString<string, "required">;
-    value: convex_values119.VString<string, "required">;
-  }, "required", "key" | "value" | "group_id">, {
+    group_id: convex_values121.VId<convex_values121.GenericId<"Group">, "required">;
+    key: convex_values121.VString<string, "required">;
+    value: convex_values121.VString<string, "required">;
+  }, "required", "value" | "key" | "group_id">, {
     by_group: ["group_id", "_creationTime"];
     by_key_value: ["key", "value", "_creationTime"];
     by_key: ["key", "_creationTime"];
@@ -297,19 +297,19 @@ declare const _default: convex_server3.SchemaDefinition<{
    * role (e.g. "owner", "admin", "member", "viewer"). A user can be a
    * member of multiple groups with different roles in each.
    */
-  GroupMember: convex_server3.TableDefinition<convex_values119.VObject<{
+  GroupMember: convex_server60.TableDefinition<convex_values121.VObject<{
     extend?: any;
     status?: string | undefined;
     role?: string | undefined;
-    userId: convex_values119.GenericId<"User">;
-    groupId: convex_values119.GenericId<"Group">;
+    userId: convex_values121.GenericId<"User">;
+    groupId: convex_values121.GenericId<"Group">;
   }, {
-    groupId: convex_values119.VId<convex_values119.GenericId<"Group">, "required">;
-    userId: convex_values119.VId<convex_values119.GenericId<"User">, "required">;
-    role: convex_values119.VString<string | undefined, "optional">;
-    status: convex_values119.VString<string | undefined, "optional">;
-    extend: convex_values119.VAny<any, "optional", string>;
-  }, "required", "extend" | `extend.${string}` | "userId" | "status" | "groupId" | "role">, {
+    groupId: convex_values121.VId<convex_values121.GenericId<"Group">, "required">;
+    userId: convex_values121.VId<convex_values121.GenericId<"User">, "required">;
+    role: convex_values121.VString<string | undefined, "optional">;
+    status: convex_values121.VString<string | undefined, "optional">;
+    extend: convex_values121.VAny<any, "optional", string>;
+  }, "required", "extend" | "userId" | `extend.${string}` | "status" | "groupId" | "role">, {
     group_id: ["groupId", "_creationTime"];
     group_id_user_id: ["groupId", "userId", "_creationTime"];
     user_id: ["userId", "_creationTime"];
@@ -322,28 +322,28 @@ declare const _default: convex_server3.SchemaDefinition<{
    * `email` and `invitedByUserId` are optional to support CLI-generated
    * invite links where neither is known upfront.
    */
-  GroupInvite: convex_server3.TableDefinition<convex_values119.VObject<{
+  GroupInvite: convex_server60.TableDefinition<convex_values121.VObject<{
     email?: string | undefined;
     extend?: any;
-    groupId?: convex_values119.GenericId<"Group"> | undefined;
+    groupId?: convex_values121.GenericId<"Group"> | undefined;
     role?: string | undefined;
-    invitedByUserId?: convex_values119.GenericId<"User"> | undefined;
+    invitedByUserId?: convex_values121.GenericId<"User"> | undefined;
     expiresTime?: number | undefined;
-    acceptedByUserId?: convex_values119.GenericId<"User"> | undefined;
+    acceptedByUserId?: convex_values121.GenericId<"User"> | undefined;
     acceptedTime?: number | undefined;
     status: "pending" | "accepted" | "revoked" | "expired";
     tokenHash: string;
   }, {
-    groupId: convex_values119.VId<convex_values119.GenericId<"Group"> | undefined, "optional">;
-    invitedByUserId: convex_values119.VId<convex_values119.GenericId<"User"> | undefined, "optional">;
-    email: convex_values119.VString<string | undefined, "optional">;
-    tokenHash: convex_values119.VString<string, "required">;
-    role: convex_values119.VString<string | undefined, "optional">;
-    status: convex_values119.VUnion<"pending" | "accepted" | "revoked" | "expired", [convex_values119.VLiteral<"pending", "required">, convex_values119.VLiteral<"accepted", "required">, convex_values119.VLiteral<"revoked", "required">, convex_values119.VLiteral<"expired", "required">], "required", never>;
-    expiresTime: convex_values119.VFloat64<number | undefined, "optional">;
-    acceptedByUserId: convex_values119.VId<convex_values119.GenericId<"User"> | undefined, "optional">;
-    acceptedTime: convex_values119.VFloat64<number | undefined, "optional">;
-    extend: convex_values119.VAny<any, "optional", string>;
+    groupId: convex_values121.VId<convex_values121.GenericId<"Group"> | undefined, "optional">;
+    invitedByUserId: convex_values121.VId<convex_values121.GenericId<"User"> | undefined, "optional">;
+    email: convex_values121.VString<string | undefined, "optional">;
+    tokenHash: convex_values121.VString<string, "required">;
+    role: convex_values121.VString<string | undefined, "optional">;
+    status: convex_values121.VUnion<"pending" | "accepted" | "revoked" | "expired", [convex_values121.VLiteral<"pending", "required">, convex_values121.VLiteral<"accepted", "required">, convex_values121.VLiteral<"revoked", "required">, convex_values121.VLiteral<"expired", "required">], "required", never>;
+    expiresTime: convex_values121.VFloat64<number | undefined, "optional">;
+    acceptedByUserId: convex_values121.VId<convex_values121.GenericId<"User"> | undefined, "optional">;
+    acceptedTime: convex_values121.VFloat64<number | undefined, "optional">;
+    extend: convex_values121.VAny<any, "optional", string>;
   }, "required", "email" | "extend" | `extend.${string}` | "status" | "groupId" | "role" | "invitedByUserId" | "tokenHash" | "expiresTime" | "acceptedByUserId" | "acceptedTime">, {
     token_hash: ["tokenHash", "_creationTime"];
     status: ["status", "_creationTime"];
@@ -360,21 +360,112 @@ declare const _default: convex_server3.SchemaDefinition<{
    * SDK can evolve without forcing schema churn for every protocol-specific
    * field addition.
    */
-  Enterprise: convex_server3.TableDefinition<convex_values119.VObject<{
-    name?: string | undefined;
+  Enterprise: convex_server60.TableDefinition<convex_values121.VObject<{
     extend?: any;
+    name?: string | undefined;
     slug?: string | undefined;
+    policy?: {
+      extend?: any;
+      version: 1;
+      identity: {
+        accountLinking: {
+          oidc: "verifiedEmail" | "none";
+          saml: "verifiedEmail" | "none";
+        };
+      };
+      provisioning: {
+        scimReuse: {
+          user: "none" | "externalId";
+        };
+        jit: {
+          mode: "off" | "createUser" | "createUserAndMembership";
+          defaultRole: string;
+        };
+        deprovision: {
+          mode: "soft" | "hard";
+        };
+      };
+    } | undefined;
     config?: any;
     status: "draft" | "active" | "disabled";
-    groupId: convex_values119.GenericId<"Group">;
+    groupId: convex_values121.GenericId<"Group">;
   }, {
-    groupId: convex_values119.VId<convex_values119.GenericId<"Group">, "required">;
-    slug: convex_values119.VString<string | undefined, "optional">;
-    name: convex_values119.VString<string | undefined, "optional">;
-    status: convex_values119.VUnion<"draft" | "active" | "disabled", [convex_values119.VLiteral<"draft", "required">, convex_values119.VLiteral<"active", "required">, convex_values119.VLiteral<"disabled", "required">], "required", never>;
-    config: convex_values119.VAny<any, "optional", string>;
-    extend: convex_values119.VAny<any, "optional", string>;
-  }, "required", "name" | "extend" | `extend.${string}` | "status" | "slug" | "groupId" | "config" | `config.${string}`>, {
+    groupId: convex_values121.VId<convex_values121.GenericId<"Group">, "required">;
+    slug: convex_values121.VString<string | undefined, "optional">;
+    name: convex_values121.VString<string | undefined, "optional">;
+    status: convex_values121.VUnion<"draft" | "active" | "disabled", [convex_values121.VLiteral<"draft", "required">, convex_values121.VLiteral<"active", "required">, convex_values121.VLiteral<"disabled", "required">], "required", never>;
+    policy: convex_values121.VObject<{
+      extend?: any;
+      version: 1;
+      identity: {
+        accountLinking: {
+          oidc: "verifiedEmail" | "none";
+          saml: "verifiedEmail" | "none";
+        };
+      };
+      provisioning: {
+        scimReuse: {
+          user: "none" | "externalId";
+        };
+        jit: {
+          mode: "off" | "createUser" | "createUserAndMembership";
+          defaultRole: string;
+        };
+        deprovision: {
+          mode: "soft" | "hard";
+        };
+      };
+    } | undefined, {
+      version: convex_values121.VLiteral<1, "required">;
+      identity: convex_values121.VObject<{
+        accountLinking: {
+          oidc: "verifiedEmail" | "none";
+          saml: "verifiedEmail" | "none";
+        };
+      }, {
+        accountLinking: convex_values121.VObject<{
+          oidc: "verifiedEmail" | "none";
+          saml: "verifiedEmail" | "none";
+        }, {
+          oidc: convex_values121.VUnion<"verifiedEmail" | "none", [convex_values121.VLiteral<"verifiedEmail", "required">, convex_values121.VLiteral<"none", "required">], "required", never>;
+          saml: convex_values121.VUnion<"verifiedEmail" | "none", [convex_values121.VLiteral<"verifiedEmail", "required">, convex_values121.VLiteral<"none", "required">], "required", never>;
+        }, "required", "oidc" | "saml">;
+      }, "required", "accountLinking" | "accountLinking.oidc" | "accountLinking.saml">;
+      provisioning: convex_values121.VObject<{
+        scimReuse: {
+          user: "none" | "externalId";
+        };
+        jit: {
+          mode: "off" | "createUser" | "createUserAndMembership";
+          defaultRole: string;
+        };
+        deprovision: {
+          mode: "soft" | "hard";
+        };
+      }, {
+        scimReuse: convex_values121.VObject<{
+          user: "none" | "externalId";
+        }, {
+          user: convex_values121.VUnion<"none" | "externalId", [convex_values121.VLiteral<"externalId", "required">, convex_values121.VLiteral<"none", "required">], "required", never>;
+        }, "required", "user">;
+        jit: convex_values121.VObject<{
+          mode: "off" | "createUser" | "createUserAndMembership";
+          defaultRole: string;
+        }, {
+          mode: convex_values121.VUnion<"off" | "createUser" | "createUserAndMembership", [convex_values121.VLiteral<"off", "required">, convex_values121.VLiteral<"createUser", "required">, convex_values121.VLiteral<"createUserAndMembership", "required">], "required", never>;
+          defaultRole: convex_values121.VString<string, "required">;
+        }, "required", "mode" | "defaultRole">;
+        deprovision: convex_values121.VObject<{
+          mode: "soft" | "hard";
+        }, {
+          mode: convex_values121.VUnion<"soft" | "hard", [convex_values121.VLiteral<"soft", "required">, convex_values121.VLiteral<"hard", "required">], "required", never>;
+        }, "required", "mode">;
+      }, "required", "scimReuse" | "jit" | "deprovision" | "scimReuse.user" | "jit.mode" | "jit.defaultRole" | "deprovision.mode">;
+      extend: convex_values121.VAny<any, "optional", string>;
+    }, "optional", "extend" | `extend.${string}` | "version" | "identity" | "provisioning" | "identity.accountLinking" | "identity.accountLinking.oidc" | "identity.accountLinking.saml" | "provisioning.scimReuse" | "provisioning.jit" | "provisioning.deprovision" | "provisioning.scimReuse.user" | "provisioning.jit.mode" | "provisioning.jit.defaultRole" | "provisioning.deprovision.mode">;
+    config: convex_values121.VAny<any, "optional", string>;
+    extend: convex_values121.VAny<any, "optional", string>;
+  }, "required", "extend" | "name" | `extend.${string}` | "status" | "slug" | "groupId" | "policy" | "config" | "policy.extend" | `policy.extend.${string}` | "policy.version" | "policy.identity" | "policy.provisioning" | "policy.identity.accountLinking" | "policy.identity.accountLinking.oidc" | "policy.identity.accountLinking.saml" | "policy.provisioning.scimReuse" | "policy.provisioning.jit" | "policy.provisioning.deprovision" | "policy.provisioning.scimReuse.user" | "policy.provisioning.jit.mode" | "policy.provisioning.jit.defaultRole" | "policy.provisioning.deprovision.mode" | `config.${string}`>, {
     group_id: ["groupId", "_creationTime"];
     slug: ["slug", "_creationTime"];
     status: ["status", "_creationTime"];
@@ -382,45 +473,63 @@ declare const _default: convex_server3.SchemaDefinition<{
   /**
    * Verified or pending domains linked to an enterprise record.
    */
-  EnterpriseDomain: convex_server3.TableDefinition<convex_values119.VObject<{
+  EnterpriseDomain: convex_server60.TableDefinition<convex_values121.VObject<{
     verifiedAt?: number | undefined;
-    groupId: convex_values119.GenericId<"Group">;
-    enterpriseId: convex_values119.GenericId<"Enterprise">;
+    groupId: convex_values121.GenericId<"Group">;
+    enterpriseId: convex_values121.GenericId<"Enterprise">;
     domain: string;
     isPrimary: boolean;
   }, {
-    enterpriseId: convex_values119.VId<convex_values119.GenericId<"Enterprise">, "required">;
-    groupId: convex_values119.VId<convex_values119.GenericId<"Group">, "required">;
-    domain: convex_values119.VString<string, "required">;
-    isPrimary: convex_values119.VBoolean<boolean, "required">;
-    verifiedAt: convex_values119.VFloat64<number | undefined, "optional">;
+    enterpriseId: convex_values121.VId<convex_values121.GenericId<"Enterprise">, "required">;
+    groupId: convex_values121.VId<convex_values121.GenericId<"Group">, "required">;
+    domain: convex_values121.VString<string, "required">;
+    isPrimary: convex_values121.VBoolean<boolean, "required">;
+    verifiedAt: convex_values121.VFloat64<number | undefined, "optional">;
   }, "required", "groupId" | "enterpriseId" | "domain" | "isPrimary" | "verifiedAt">, {
     enterprise_id: ["enterpriseId", "_creationTime"];
     group_id: ["groupId", "_creationTime"];
     domain: ["domain", "_creationTime"];
   }, {}, {}>;
+  /**
+   * Encrypted enterprise secrets stored separately from protocol config.
+   */
+  EnterpriseSecret: convex_server60.TableDefinition<convex_values121.VObject<{
+    kind: "oidc_client_secret";
+    groupId: convex_values121.GenericId<"Group">;
+    enterpriseId: convex_values121.GenericId<"Enterprise">;
+    ciphertext: string;
+    updatedAt: number;
+  }, {
+    enterpriseId: convex_values121.VId<convex_values121.GenericId<"Enterprise">, "required">;
+    groupId: convex_values121.VId<convex_values121.GenericId<"Group">, "required">;
+    kind: convex_values121.VUnion<"oidc_client_secret", [convex_values121.VLiteral<"oidc_client_secret", "required">], "required", never>;
+    ciphertext: convex_values121.VString<string, "required">;
+    updatedAt: convex_values121.VFloat64<number, "required">;
+  }, "required", "kind" | "groupId" | "enterpriseId" | "ciphertext" | "updatedAt">, {
+    enterprise_id: ["enterpriseId", "_creationTime"];
+    enterprise_id_kind: ["enterpriseId", "kind", "_creationTime"];
+    group_id: ["groupId", "_creationTime"];
+  }, {}, {}>;
   /**
    * SCIM configuration for an enterprise tenant.
    */
-  EnterpriseScimConfig: convex_server3.TableDefinition<convex_values119.VObject<{
+  EnterpriseScimConfig: convex_server60.TableDefinition<convex_values121.VObject<{
     extend?: any;
     lastRotatedAt?: number | undefined;
-    deprovisionMode?: "soft" | "hard" | undefined;
     status: "draft" | "active" | "disabled";
-    groupId: convex_values119.GenericId<"Group">;
+    groupId: convex_values121.GenericId<"Group">;
     tokenHash: string;
-    enterpriseId: convex_values119.GenericId<"Enterprise">;
+    enterpriseId: convex_values121.GenericId<"Enterprise">;
     basePath: string;
   }, {
-    enterpriseId: convex_values119.VId<convex_values119.GenericId<"Enterprise">, "required">;
-    groupId: convex_values119.VId<convex_values119.GenericId<"Group">, "required">;
-    status: convex_values119.VUnion<"draft" | "active" | "disabled", [convex_values119.VLiteral<"draft", "required">, convex_values119.VLiteral<"active", "required">, convex_values119.VLiteral<"disabled", "required">], "required", never>;
-    basePath: convex_values119.VString<string, "required">;
-    tokenHash: convex_values119.VString<string, "required">;
-    lastRotatedAt: convex_values119.VFloat64<number | undefined, "optional">;
-    deprovisionMode: convex_values119.VUnion<"soft" | "hard" | undefined, [convex_values119.VLiteral<"soft", "required">, convex_values119.VLiteral<"hard", "required">], "optional", never>;
-    extend: convex_values119.VAny<any, "optional", string>;
-  }, "required", "extend" | `extend.${string}` | "status" | "groupId" | "tokenHash" | "enterpriseId" | "basePath" | "lastRotatedAt" | "deprovisionMode">, {
+    enterpriseId: convex_values121.VId<convex_values121.GenericId<"Enterprise">, "required">;
+    groupId: convex_values121.VId<convex_values121.GenericId<"Group">, "required">;
+    status: convex_values121.VUnion<"draft" | "active" | "disabled", [convex_values121.VLiteral<"draft", "required">, convex_values121.VLiteral<"active", "required">, convex_values121.VLiteral<"disabled", "required">], "required", never>;
+    basePath: convex_values121.VString<string, "required">;
+    tokenHash: convex_values121.VString<string, "required">;
+    lastRotatedAt: convex_values121.VFloat64<number | undefined, "optional">;
+    extend: convex_values121.VAny<any, "optional", string>;
+  }, "required", "extend" | `extend.${string}` | "status" | "groupId" | "tokenHash" | "enterpriseId" | "basePath" | "lastRotatedAt">, {
     enterprise_id: ["enterpriseId", "_creationTime"];
     group_id: ["groupId", "_creationTime"];
     token_hash: ["tokenHash", "_creationTime"];
@@ -429,63 +538,64 @@ declare const _default: convex_server3.SchemaDefinition<{
   /**
    * External SCIM identities mapped into local users/groups.
    */
-  EnterpriseScimIdentity: convex_server3.TableDefinition<convex_values119.VObject<{
-    userId?: convex_values119.GenericId<"User"> | undefined;
+  EnterpriseScimIdentity: convex_server60.TableDefinition<convex_values121.VObject<{
+    userId?: convex_values121.GenericId<"User"> | undefined;
     active?: boolean | undefined;
-    mappedGroupId?: convex_values119.GenericId<"Group"> | undefined;
+    mappedGroupId?: convex_values121.GenericId<"Group"> | undefined;
     lastProvisionedAt?: number | undefined;
     raw?: any;
-    groupId: convex_values119.GenericId<"Group">;
-    enterpriseId: convex_values119.GenericId<"Enterprise">;
-    resourceType: "user" | "group";
+    groupId: convex_values121.GenericId<"Group">;
     externalId: string;
+    enterpriseId: convex_values121.GenericId<"Enterprise">;
+    resourceType: "user" | "group";
   }, {
-    enterpriseId: convex_values119.VId<convex_values119.GenericId<"Enterprise">, "required">;
-    groupId: convex_values119.VId<convex_values119.GenericId<"Group">, "required">;
-    resourceType: convex_values119.VUnion<"user" | "group", [convex_values119.VLiteral<"user", "required">, convex_values119.VLiteral<"group", "required">], "required", never>;
-    externalId: convex_values119.VString<string, "required">;
-    userId: convex_values119.VId<convex_values119.GenericId<"User"> | undefined, "optional">;
-    mappedGroupId: convex_values119.VId<convex_values119.GenericId<"Group"> | undefined, "optional">;
-    lastProvisionedAt: convex_values119.VFloat64<number | undefined, "optional">;
-    active: convex_values119.VBoolean<boolean | undefined, "optional">;
-    raw: convex_values119.VAny<any, "optional", string>;
-  }, "required", "userId" | "groupId" | "active" | "enterpriseId" | "resourceType" | "externalId" | "mappedGroupId" | "lastProvisionedAt" | "raw" | `raw.${string}`>, {
+    enterpriseId: convex_values121.VId<convex_values121.GenericId<"Enterprise">, "required">;
+    groupId: convex_values121.VId<convex_values121.GenericId<"Group">, "required">;
+    resourceType: convex_values121.VUnion<"user" | "group", [convex_values121.VLiteral<"user", "required">, convex_values121.VLiteral<"group", "required">], "required", never>;
+    externalId: convex_values121.VString<string, "required">;
+    userId: convex_values121.VId<convex_values121.GenericId<"User"> | undefined, "optional">;
+    mappedGroupId: convex_values121.VId<convex_values121.GenericId<"Group"> | undefined, "optional">;
+    lastProvisionedAt: convex_values121.VFloat64<number | undefined, "optional">;
+    active: convex_values121.VBoolean<boolean | undefined, "optional">;
+    raw: convex_values121.VAny<any, "optional", string>;
+  }, "required", "userId" | "groupId" | "active" | "externalId" | "enterpriseId" | "resourceType" | "mappedGroupId" | "lastProvisionedAt" | "raw" | `raw.${string}`>, {
     enterprise_id: ["enterpriseId", "_creationTime"];
     group_id: ["groupId", "_creationTime"];
     enterprise_id_resource_type_external_id: ["enterpriseId", "resourceType", "externalId", "_creationTime"];
+    enterprise_id_user_id: ["enterpriseId", "userId", "_creationTime"];
     user_id: ["userId", "_creationTime"];
     mapped_group_id: ["mappedGroupId", "_creationTime"];
   }, {}, {}>;
   /**
    * Immutable audit trail for enterprise operations.
    */
-  EnterpriseAuditEvent: convex_server3.TableDefinition<convex_values119.VObject<{
+  EnterpriseAuditEvent: convex_server60.TableDefinition<convex_values121.VObject<{
     actorId?: string | undefined;
     subjectId?: string | undefined;
     requestId?: string | undefined;
     ip?: string | undefined;
     metadata?: any;
     status: "success" | "failure";
-    groupId: convex_values119.GenericId<"Group">;
-    enterpriseId: convex_values119.GenericId<"Enterprise">;
-    eventType: string;
+    groupId: convex_values121.GenericId<"Group">;
+    enterpriseId: convex_values121.GenericId<"Enterprise">;
     actorType: "user" | "system" | "scim" | "api_key" | "webhook";
+    eventType: string;
     subjectType: string;
     occurredAt: number;
   }, {
-    enterpriseId: convex_values119.VId<convex_values119.GenericId<"Enterprise">, "required">;
-    groupId: convex_values119.VId<convex_values119.GenericId<"Group">, "required">;
-    eventType: convex_values119.VString<string, "required">;
-    actorType: convex_values119.VUnion<"user" | "system" | "scim" | "api_key" | "webhook", [convex_values119.VLiteral<"user", "required">, convex_values119.VLiteral<"system", "required">, convex_values119.VLiteral<"scim", "required">, convex_values119.VLiteral<"api_key", "required">, convex_values119.VLiteral<"webhook", "required">], "required", never>;
-    actorId: convex_values119.VString<string | undefined, "optional">;
-    subjectType: convex_values119.VString<string, "required">;
-    subjectId: convex_values119.VString<string | undefined, "optional">;
-    status: convex_values119.VUnion<"success" | "failure", [convex_values119.VLiteral<"success", "required">, convex_values119.VLiteral<"failure", "required">], "required", never>;
-    occurredAt: convex_values119.VFloat64<number, "required">;
-    requestId: convex_values119.VString<string | undefined, "optional">;
-    ip: convex_values119.VString<string | undefined, "optional">;
-    metadata: convex_values119.VAny<any, "optional", string>;
-  }, "required", "status" | "groupId" | "enterpriseId" | "eventType" | "actorType" | "actorId" | "subjectType" | "subjectId" | "occurredAt" | "requestId" | "ip" | "metadata" | `metadata.${string}`>, {
+    enterpriseId: convex_values121.VId<convex_values121.GenericId<"Enterprise">, "required">;
+    groupId: convex_values121.VId<convex_values121.GenericId<"Group">, "required">;
+    eventType: convex_values121.VString<string, "required">;
+    actorType: convex_values121.VUnion<"user" | "system" | "scim" | "api_key" | "webhook", [convex_values121.VLiteral<"user", "required">, convex_values121.VLiteral<"system", "required">, convex_values121.VLiteral<"scim", "required">, convex_values121.VLiteral<"api_key", "required">, convex_values121.VLiteral<"webhook", "required">], "required", never>;
+    actorId: convex_values121.VString<string | undefined, "optional">;
+    subjectType: convex_values121.VString<string, "required">;
+    subjectId: convex_values121.VString<string | undefined, "optional">;
+    status: convex_values121.VUnion<"success" | "failure", [convex_values121.VLiteral<"success", "required">, convex_values121.VLiteral<"failure", "required">], "required", never>;
+    occurredAt: convex_values121.VFloat64<number, "required">;
+    requestId: convex_values121.VString<string | undefined, "optional">;
+    ip: convex_values121.VString<string | undefined, "optional">;
+    metadata: convex_values121.VAny<any, "optional", string>;
+  }, "required", "status" | "groupId" | "enterpriseId" | "actorType" | "eventType" | "actorId" | "subjectType" | "subjectId" | "occurredAt" | "requestId" | "ip" | "metadata" | `metadata.${string}`>, {
     enterprise_id_occurred_at: ["enterpriseId", "occurredAt", "_creationTime"];
     group_id_occurred_at: ["groupId", "occurredAt", "_creationTime"];
     event_type_occurred_at: ["eventType", "occurredAt", "_creationTime"];
@@ -493,30 +603,30 @@ declare const _default: convex_server3.SchemaDefinition<{
   /**
    * Webhook endpoints subscribed to enterprise audit and lifecycle events.
    */
-  EnterpriseWebhookEndpoint: convex_server3.TableDefinition<convex_values119.VObject<{
+  EnterpriseWebhookEndpoint: convex_server60.TableDefinition<convex_values121.VObject<{
     extend?: any;
-    createdByUserId?: convex_values119.GenericId<"User"> | undefined;
+    createdByUserId?: convex_values121.GenericId<"User"> | undefined;
     lastSuccessAt?: number | undefined;
     lastFailureAt?: number | undefined;
     status: "active" | "disabled";
-    groupId: convex_values119.GenericId<"Group">;
-    enterpriseId: convex_values119.GenericId<"Enterprise">;
+    groupId: convex_values121.GenericId<"Group">;
+    enterpriseId: convex_values121.GenericId<"Enterprise">;
     url: string;
     secretHash: string;
     subscriptions: string[];
     failureCount: number;
   }, {
-    enterpriseId: convex_values119.VId<convex_values119.GenericId<"Enterprise">, "required">;
-    groupId: convex_values119.VId<convex_values119.GenericId<"Group">, "required">;
-    url: convex_values119.VString<string, "required">;
-    status: convex_values119.VUnion<"active" | "disabled", [convex_values119.VLiteral<"active", "required">, convex_values119.VLiteral<"disabled", "required">], "required", never>;
-    secretHash: convex_values119.VString<string, "required">;
-    subscriptions: convex_values119.VArray<string[], convex_values119.VString<string, "required">, "required">;
-    createdByUserId: convex_values119.VId<convex_values119.GenericId<"User"> | undefined, "optional">;
-    lastSuccessAt: convex_values119.VFloat64<number | undefined, "optional">;
-    lastFailureAt: convex_values119.VFloat64<number | undefined, "optional">;
-    failureCount: convex_values119.VFloat64<number, "required">;
-    extend: convex_values119.VAny<any, "optional", string>;
+    enterpriseId: convex_values121.VId<convex_values121.GenericId<"Enterprise">, "required">;
+    groupId: convex_values121.VId<convex_values121.GenericId<"Group">, "required">;
+    url: convex_values121.VString<string, "required">;
+    status: convex_values121.VUnion<"active" | "disabled", [convex_values121.VLiteral<"active", "required">, convex_values121.VLiteral<"disabled", "required">], "required", never>;
+    secretHash: convex_values121.VString<string, "required">;
+    subscriptions: convex_values121.VArray<string[], convex_values121.VString<string, "required">, "required">;
+    createdByUserId: convex_values121.VId<convex_values121.GenericId<"User"> | undefined, "optional">;
+    lastSuccessAt: convex_values121.VFloat64<number | undefined, "optional">;
+    lastFailureAt: convex_values121.VFloat64<number | undefined, "optional">;
+    failureCount: convex_values121.VFloat64<number, "required">;
+    extend: convex_values121.VAny<any, "optional", string>;
   }, "required", "extend" | `extend.${string}` | "status" | "groupId" | "enterpriseId" | "url" | "secretHash" | "subscriptions" | "createdByUserId" | "lastSuccessAt" | "lastFailureAt" | "failureCount">, {
     enterprise_id: ["enterpriseId", "_creationTime"];
     group_id: ["groupId", "_creationTime"];
@@ -525,30 +635,30 @@ declare const _default: convex_server3.SchemaDefinition<{
   /**
    * Delivery queue for outbound enterprise webhooks.
    */
-  EnterpriseWebhookDelivery: convex_server3.TableDefinition<convex_values119.VObject<{
-    auditEventId?: convex_values119.GenericId<"EnterpriseAuditEvent"> | undefined;
+  EnterpriseWebhookDelivery: convex_server60.TableDefinition<convex_values121.VObject<{
+    auditEventId?: convex_values121.GenericId<"EnterpriseAuditEvent"> | undefined;
     lastAttemptAt?: number | undefined;
     lastResponseStatus?: number | undefined;
     lastError?: string | undefined;
     status: "pending" | "processing" | "delivered" | "failed";
-    enterpriseId: convex_values119.GenericId<"Enterprise">;
+    enterpriseId: convex_values121.GenericId<"Enterprise">;
     eventType: string;
-    endpointId: convex_values119.GenericId<"EnterpriseWebhookEndpoint">;
+    endpointId: convex_values121.GenericId<"EnterpriseWebhookEndpoint">;
     attemptCount: number;
     nextAttemptAt: number;
     payload: any;
   }, {
-    enterpriseId: convex_values119.VId<convex_values119.GenericId<"Enterprise">, "required">;
-    endpointId: convex_values119.VId<convex_values119.GenericId<"EnterpriseWebhookEndpoint">, "required">;
-    auditEventId: convex_values119.VId<convex_values119.GenericId<"EnterpriseAuditEvent"> | undefined, "optional">;
-    eventType: convex_values119.VString<string, "required">;
-    status: convex_values119.VUnion<"pending" | "processing" | "delivered" | "failed", [convex_values119.VLiteral<"pending", "required">, convex_values119.VLiteral<"processing", "required">, convex_values119.VLiteral<"delivered", "required">, convex_values119.VLiteral<"failed", "required">], "required", never>;
-    attemptCount: convex_values119.VFloat64<number, "required">;
-    nextAttemptAt: convex_values119.VFloat64<number, "required">;
-    lastAttemptAt: convex_values119.VFloat64<number | undefined, "optional">;
-    lastResponseStatus: convex_values119.VFloat64<number | undefined, "optional">;
-    lastError: convex_values119.VString<string | undefined, "optional">;
-    payload: convex_values119.VAny<any, "required", string>;
+    enterpriseId: convex_values121.VId<convex_values121.GenericId<"Enterprise">, "required">;
+    endpointId: convex_values121.VId<convex_values121.GenericId<"EnterpriseWebhookEndpoint">, "required">;
+    auditEventId: convex_values121.VId<convex_values121.GenericId<"EnterpriseAuditEvent"> | undefined, "optional">;
+    eventType: convex_values121.VString<string, "required">;
+    status: convex_values121.VUnion<"pending" | "processing" | "delivered" | "failed", [convex_values121.VLiteral<"pending", "required">, convex_values121.VLiteral<"processing", "required">, convex_values121.VLiteral<"delivered", "required">, convex_values121.VLiteral<"failed", "required">], "required", never>;
+    attemptCount: convex_values121.VFloat64<number, "required">;
+    nextAttemptAt: convex_values121.VFloat64<number, "required">;
+    lastAttemptAt: convex_values121.VFloat64<number | undefined, "optional">;
+    lastResponseStatus: convex_values121.VFloat64<number | undefined, "optional">;
+    lastError: convex_values121.VString<string | undefined, "optional">;
+    payload: convex_values121.VAny<any, "required", string>;
   }, "required", "status" | "enterpriseId" | "eventType" | "endpointId" | "auditEventId" | "attemptCount" | "nextAttemptAt" | "lastAttemptAt" | "lastResponseStatus" | "lastError" | "payload" | `payload.${string}`>, {
     enterprise_id: ["enterpriseId", "_creationTime"];
     status_next_attempt_at: ["status", "nextAttemptAt", "_creationTime"];
@@ -568,7 +678,7 @@ declare const _default: convex_server3.SchemaDefinition<{
    * - **Expiration**: optional TTL
    * - **Soft revocation**: `revoked` flag preserves audit trail
    */
-  ApiKey: convex_server3.TableDefinition<convex_values119.VObject<{
+  ApiKey: convex_server60.TableDefinition<convex_values121.VObject<{
     lastUsedAt?: number | undefined;
     expiresAt?: number | undefined;
     metadata?: any;
@@ -580,8 +690,8 @@ declare const _default: convex_server3.SchemaDefinition<{
       attemptsLeft: number;
       lastAttemptTime: number;
     } | undefined;
+    userId: convex_values121.GenericId<"User">;
     name: string;
-    userId: convex_values119.GenericId<"User">;
     createdAt: number;
     revoked: boolean;
     prefix: string;
@@ -591,40 +701,40 @@ declare const _default: convex_server3.SchemaDefinition<{
       actions: string[];
     }[];
   }, {
-    userId: convex_values119.VId<convex_values119.GenericId<"User">, "required">; /** First chars of the key for display (e.g. "sk_abc1..."). */
-    prefix: convex_values119.VString<string, "required">; /** SHA-256 hex hash of the full raw key. */
-    hashedKey: convex_values119.VString<string, "required">; /** User-assigned name (e.g. "CI Pipeline", "Production API"). */
-    name: convex_values119.VString<string, "required">; /** Scoped permissions: [{ resource: "users", actions: ["read", "list"] }]. */
-    scopes: convex_values119.VArray<{
+    userId: convex_values121.VId<convex_values121.GenericId<"User">, "required">; /** First chars of the key for display (e.g. "sk_abc1..."). */
+    prefix: convex_values121.VString<string, "required">; /** SHA-256 hex hash of the full raw key. */
+    hashedKey: convex_values121.VString<string, "required">; /** User-assigned name (e.g. "CI Pipeline", "Production API"). */
+    name: convex_values121.VString<string, "required">; /** Scoped permissions: [{ resource: "users", actions: ["read", "list"] }]. */
+    scopes: convex_values121.VArray<{
       resource: string;
       actions: string[];
-    }[], convex_values119.VObject<{
+    }[], convex_values121.VObject<{
       resource: string;
       actions: string[];
     }, {
-      resource: convex_values119.VString<string, "required">;
-      actions: convex_values119.VArray<string[], convex_values119.VString<string, "required">, "required">;
+      resource: convex_values121.VString<string, "required">;
+      actions: convex_values121.VArray<string[], convex_values121.VString<string, "required">, "required">;
     }, "required", "resource" | "actions">, "required">; /** Optional per-key rate limit configuration. */
-    rateLimit: convex_values119.VObject<{
+    rateLimit: convex_values121.VObject<{
       maxRequests: number;
       windowMs: number;
     } | undefined, {
-      maxRequests: convex_values119.VFloat64<number, "required">;
-      windowMs: convex_values119.VFloat64<number, "required">;
+      maxRequests: convex_values121.VFloat64<number, "required">;
+      windowMs: convex_values121.VFloat64<number, "required">;
     }, "optional", "maxRequests" | "windowMs">; /** Rate limit state tracking (token-bucket). */
-    rateLimitState: convex_values119.VObject<{
+    rateLimitState: convex_values121.VObject<{
       attemptsLeft: number;
       lastAttemptTime: number;
     } | undefined, {
-      attemptsLeft: convex_values119.VFloat64<number, "required">;
-      lastAttemptTime: convex_values119.VFloat64<number, "required">;
+      attemptsLeft: convex_values121.VFloat64<number, "required">;
+      lastAttemptTime: convex_values121.VFloat64<number, "required">;
     }, "optional", "attemptsLeft" | "lastAttemptTime">; /** Expiration timestamp. Null/undefined = never expires. */
-    expiresAt: convex_values119.VFloat64<number | undefined, "optional">;
-    lastUsedAt: convex_values119.VFloat64<number | undefined, "optional">;
-    createdAt: convex_values119.VFloat64<number, "required">; /** Soft-revoke flag. Revoked keys are kept for audit trail. */
-    revoked: convex_values119.VBoolean<boolean, "required">; /** Arbitrary app-specific metadata attached to the key. */
-    metadata: convex_values119.VAny<any, "optional", string>;
-  }, "required", "name" | "userId" | "createdAt" | "lastUsedAt" | "expiresAt" | "revoked" | "metadata" | `metadata.${string}` | "prefix" | "hashedKey" | "scopes" | "rateLimit" | "rateLimitState" | "rateLimit.maxRequests" | "rateLimit.windowMs" | "rateLimitState.attemptsLeft" | "rateLimitState.lastAttemptTime">, {
+    expiresAt: convex_values121.VFloat64<number | undefined, "optional">;
+    lastUsedAt: convex_values121.VFloat64<number | undefined, "optional">;
+    createdAt: convex_values121.VFloat64<number, "required">; /** Soft-revoke flag. Revoked keys are kept for audit trail. */
+    revoked: convex_values121.VBoolean<boolean, "required">; /** Arbitrary app-specific metadata attached to the key. */
+    metadata: convex_values121.VAny<any, "optional", string>;
+  }, "required", "userId" | "name" | "createdAt" | "lastUsedAt" | "expiresAt" | "revoked" | "metadata" | `metadata.${string}` | "prefix" | "hashedKey" | "scopes" | "rateLimit" | "rateLimitState" | "rateLimit.maxRequests" | "rateLimit.windowMs" | "rateLimitState.attemptsLeft" | "rateLimitState.lastAttemptTime">, {
     user_id: ["userId", "_creationTime"];
     hashed_key: ["hashedKey", "_creationTime"];
   }, {}, {}>;