npm - @robelest/convex-auth - Versions diffs - 0.0.4-preview.13 → 0.0.4-preview.15 - Mend

@robelest/convex-auth 0.0.4-preview.13 → 0.0.4-preview.15

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (323) hide show

package/README.md +140 -9
package/dist/bin.cjs +5957 -5478
package/dist/client/index.d.ts +3 -7
package/dist/client/index.d.ts.map +1 -1
package/dist/client/index.js +27 -26
package/dist/client/index.js.map +1 -1
package/dist/component/_generated/api.d.ts +14 -0
package/dist/component/_generated/api.d.ts.map +1 -1
package/dist/component/_generated/api.js.map +1 -1
package/dist/component/_generated/component.d.ts +1513 -3
package/dist/component/_generated/component.d.ts.map +1 -1
package/dist/component/convex.config.d.ts +2 -2
package/dist/component/convex.config.d.ts.map +1 -1
package/dist/component/model.d.ts +153 -0
package/dist/component/model.d.ts.map +1 -0
package/dist/component/model.js +327 -0
package/dist/component/model.js.map +1 -0
package/dist/component/providers/sso.d.ts +1 -1
package/dist/component/public/enterprise.d.ts +49 -0
package/dist/component/public/enterprise.d.ts.map +1 -0
package/dist/component/public/enterprise.js +450 -0
package/dist/component/public/enterprise.js.map +1 -0
package/dist/component/public/factors.d.ts +52 -0
package/dist/component/public/factors.d.ts.map +1 -0
package/dist/component/public/factors.js +285 -0
package/dist/component/public/factors.js.map +1 -0
package/dist/component/public/groups.d.ts +118 -0
package/dist/component/public/groups.d.ts.map +1 -0
package/dist/component/public/groups.js +599 -0
package/dist/component/public/groups.js.map +1 -0
package/dist/component/public/identity.d.ts +93 -0
package/dist/component/public/identity.d.ts.map +1 -0
package/dist/component/public/identity.js +426 -0
package/dist/component/public/identity.js.map +1 -0
package/dist/component/public/keys.d.ts +41 -0
package/dist/component/public/keys.d.ts.map +1 -0
package/dist/component/public/keys.js +157 -0
package/dist/component/public/keys.js.map +1 -0
package/dist/component/public/shared.d.ts +26 -0
package/dist/component/public/shared.d.ts.map +1 -0
package/dist/component/public/shared.js +32 -0
package/dist/component/public/shared.js.map +1 -0
package/dist/component/public.d.ts +9 -321
package/dist/component/public.d.ts.map +1 -1
package/dist/component/public.js +6 -2145
package/dist/component/schema.d.ts +368 -258
package/dist/component/schema.js +23 -27
package/dist/component/schema.js.map +1 -1
package/dist/component/server/auth.d.ts +42 -7
package/dist/component/server/auth.d.ts.map +1 -1
package/dist/component/server/auth.js +70 -6
package/dist/component/server/auth.js.map +1 -1
package/dist/component/server/cookies.js +3 -0
package/dist/component/server/cookies.js.map +1 -1
package/dist/component/server/db.js +1 -0
package/dist/component/server/db.js.map +1 -1
package/dist/component/server/device.js +3 -1
package/dist/component/server/device.js.map +1 -1
package/dist/component/server/domains/core.js +466 -0
package/dist/component/server/domains/core.js.map +1 -0
package/dist/component/server/domains/sso.js +689 -0
package/dist/component/server/domains/sso.js.map +1 -0
package/dist/component/server/factory.d.ts +136 -0
package/dist/component/server/factory.d.ts.map +1 -0
package/dist/component/server/factory.js +1128 -0
package/dist/component/server/factory.js.map +1 -0
package/dist/component/server/fx.js +2 -1
package/dist/component/server/fx.js.map +1 -1
package/dist/component/server/http.js +287 -0
package/dist/component/server/http.js.map +1 -0
package/dist/component/server/identity.js +13 -0
package/dist/component/server/identity.js.map +1 -0
package/dist/component/server/keys.js +4 -0
package/dist/component/server/keys.js.map +1 -1
package/dist/component/server/mutations/account.js +1 -1
package/dist/component/server/mutations/index.js +2 -2
package/dist/component/server/mutations/index.js.map +1 -1
package/dist/component/server/mutations/invalidate.js +1 -1
package/dist/component/server/mutations/oauth.js +10 -7
package/dist/component/server/mutations/oauth.js.map +1 -1
package/dist/component/server/mutations/refresh.js +1 -1
package/dist/component/server/mutations/register.js +1 -1
package/dist/component/server/mutations/retrieve.js +1 -1
package/dist/component/server/mutations/signature.js +1 -1
package/dist/component/server/mutations/store.js +6 -3
package/dist/component/server/mutations/store.js.map +1 -1
package/dist/component/server/mutations/verify.js +1 -1
package/dist/component/server/oauth.js +3 -0
package/dist/component/server/oauth.js.map +1 -1
package/dist/component/server/passkey.js +3 -2
package/dist/component/server/passkey.js.map +1 -1
package/dist/component/server/provider.js +2 -0
package/dist/component/server/provider.js.map +1 -1
package/dist/component/server/providers.js +3 -0
package/dist/component/server/providers.js.map +1 -1
package/dist/component/server/ratelimit.js +3 -0
package/dist/component/server/ratelimit.js.map +1 -1
package/dist/component/server/redirects.js +2 -0
package/dist/component/server/redirects.js.map +1 -1
package/dist/component/server/refresh.js +5 -0
package/dist/component/server/refresh.js.map +1 -1
package/dist/component/server/sessions.js +5 -0
package/dist/component/server/sessions.js.map +1 -1
package/dist/component/server/signin.js +2 -1
package/dist/component/server/signin.js.map +1 -1
package/dist/component/server/sso.js +166 -19
package/dist/component/server/sso.js.map +1 -1
package/dist/component/server/tokens.js +1 -0
package/dist/component/server/tokens.js.map +1 -1
package/dist/component/server/totp.js +4 -2
package/dist/component/server/totp.js.map +1 -1
package/dist/component/server/types.d.ts +50 -35
package/dist/component/server/types.d.ts.map +1 -1
package/dist/component/server/types.js.map +1 -1
package/dist/component/server/users.js +1 -0
package/dist/component/server/users.js.map +1 -1
package/dist/component/server/utils.js +44 -2
package/dist/component/server/utils.js.map +1 -1
package/dist/providers/anonymous.d.ts +1 -1
package/dist/providers/credentials.d.ts +1 -1
package/dist/providers/password.d.ts +1 -1
package/dist/providers/sso.d.ts +1 -1
package/dist/providers/sso.js.map +1 -1
package/dist/server/auth.d.ts +44 -9
package/dist/server/auth.d.ts.map +1 -1
package/dist/server/auth.js +70 -6
package/dist/server/auth.js.map +1 -1
package/dist/server/cookies.d.ts +1 -38
package/dist/server/cookies.js +3 -0
package/dist/server/cookies.js.map +1 -1
package/dist/server/db.d.ts +1 -125
package/dist/server/db.js +1 -0
package/dist/server/db.js.map +1 -1
package/dist/server/device.d.ts +1 -24
package/dist/server/device.js +3 -1
package/dist/server/device.js.map +1 -1
package/dist/server/domains/core.d.ts +320 -0
package/dist/server/domains/core.d.ts.map +1 -0
package/dist/server/domains/core.js +466 -0
package/dist/server/domains/core.js.map +1 -0
package/dist/server/domains/sso.d.ts +340 -0
package/dist/server/domains/sso.d.ts.map +1 -0
package/dist/server/domains/sso.js +689 -0
package/dist/server/domains/sso.js.map +1 -0
package/dist/server/enterpriseValidators.d.ts +1 -0
package/dist/server/enterpriseValidators.js +56 -0
package/dist/server/enterpriseValidators.js.map +1 -0
package/dist/server/factory.d.ts +136 -0
package/dist/server/factory.d.ts.map +1 -0
package/dist/server/factory.js +1128 -0
package/dist/server/factory.js.map +1 -0
package/dist/server/fx.d.ts +1 -16
package/dist/server/fx.d.ts.map +1 -1
package/dist/server/fx.js +1 -0
package/dist/server/fx.js.map +1 -1
package/dist/server/http.d.ts +59 -0
package/dist/server/http.d.ts.map +1 -0
package/dist/server/http.js +287 -0
package/dist/server/http.js.map +1 -0
package/dist/server/identity.d.ts +1 -0
package/dist/server/identity.js +13 -0
package/dist/server/identity.js.map +1 -0
package/dist/server/index.d.ts +432 -1
package/dist/server/index.d.ts.map +1 -1
package/dist/server/index.js +486 -36
package/dist/server/index.js.map +1 -1
package/dist/server/keys.d.ts +1 -57
package/dist/server/keys.js +4 -0
package/dist/server/keys.js.map +1 -1
package/dist/server/mutations/account.d.ts +7 -7
package/dist/server/mutations/account.d.ts.map +1 -1
package/dist/server/mutations/code.d.ts +13 -13
package/dist/server/mutations/index.d.ts +107 -107
package/dist/server/mutations/index.d.ts.map +1 -1
package/dist/server/mutations/index.js +1 -1
package/dist/server/mutations/index.js.map +1 -1
package/dist/server/mutations/invalidate.d.ts +5 -5
package/dist/server/mutations/oauth.d.ts +10 -10
package/dist/server/mutations/oauth.d.ts.map +1 -1
package/dist/server/mutations/oauth.js +9 -6
package/dist/server/mutations/oauth.js.map +1 -1
package/dist/server/mutations/refresh.d.ts +4 -4
package/dist/server/mutations/register.d.ts +12 -12
package/dist/server/mutations/register.d.ts.map +1 -1
package/dist/server/mutations/retrieve.d.ts +1 -1
package/dist/server/mutations/signature.d.ts +5 -5
package/dist/server/mutations/signature.d.ts.map +1 -1
package/dist/server/mutations/signin.d.ts +1 -1
package/dist/server/mutations/signout.d.ts +1 -1
package/dist/server/mutations/store.d.ts +3 -2
package/dist/server/mutations/store.d.ts.map +1 -1
package/dist/server/mutations/store.js +6 -3
package/dist/server/mutations/store.js.map +1 -1
package/dist/server/mutations/verifier.d.ts +1 -1
package/dist/server/mutations/verify.d.ts +4 -4
package/dist/server/oauth.d.ts +1 -59
package/dist/server/oauth.js +3 -0
package/dist/server/oauth.js.map +1 -1
package/dist/server/passkey.d.ts.map +1 -1
package/dist/server/passkey.js +3 -2
package/dist/server/passkey.js.map +1 -1
package/dist/server/provider.d.ts +1 -14
package/dist/server/provider.d.ts.map +1 -1
package/dist/server/provider.js +2 -0
package/dist/server/provider.js.map +1 -1
package/dist/server/providers.js +3 -0
package/dist/server/providers.js.map +1 -1
package/dist/server/ratelimit.d.ts +1 -22
package/dist/server/ratelimit.js +3 -0
package/dist/server/ratelimit.js.map +1 -1
package/dist/server/redirects.d.ts +1 -10
package/dist/server/redirects.js +2 -0
package/dist/server/redirects.js.map +1 -1
package/dist/server/refresh.d.ts +1 -37
package/dist/server/refresh.js +5 -0
package/dist/server/refresh.js.map +1 -1
package/dist/server/sessions.d.ts +1 -28
package/dist/server/sessions.js +5 -0
package/dist/server/sessions.js.map +1 -1
package/dist/server/signin.d.ts +1 -55
package/dist/server/signin.js +2 -1
package/dist/server/signin.js.map +1 -1
package/dist/server/sso.d.ts +1 -348
package/dist/server/sso.js +165 -18
package/dist/server/sso.js.map +1 -1
package/dist/server/templates.d.ts +1 -21
package/dist/server/templates.js +1 -0
package/dist/server/templates.js.map +1 -1
package/dist/server/tokens.d.ts +1 -11
package/dist/server/tokens.js +1 -0
package/dist/server/tokens.js.map +1 -1
package/dist/server/totp.d.ts +1 -23
package/dist/server/totp.js +4 -2
package/dist/server/totp.js.map +1 -1
package/dist/server/types.d.ts +55 -71
package/dist/server/types.d.ts.map +1 -1
package/dist/server/types.js.map +1 -1
package/dist/server/users.d.ts +1 -31
package/dist/server/users.js +1 -0
package/dist/server/users.js.map +1 -1
package/dist/server/utils.d.ts +1 -27
package/dist/server/utils.js +44 -2
package/dist/server/utils.js.map +1 -1
package/dist/server/version.d.ts +1 -1
package/dist/server/version.js +1 -1
package/dist/server/version.js.map +1 -1
package/package.json +4 -5
package/src/cli/bin.ts +5 -0
package/src/cli/index.ts +22 -9
package/src/cli/keys.ts +3 -0
package/src/client/index.ts +36 -37
package/src/component/_generated/api.ts +14 -0
package/src/component/_generated/component.ts +1920 -3
package/src/component/index.ts +2 -0
package/src/component/model.ts +424 -0
package/src/component/public/enterprise.ts +654 -0
package/src/component/public/factors.ts +332 -0
package/src/component/public/groups.ts +951 -0
package/src/component/public/identity.ts +566 -0
package/src/component/public/keys.ts +209 -0
package/src/component/public/shared.ts +117 -0
package/src/component/public.ts +5 -2965
package/src/component/schema.ts +47 -57
package/src/providers/sso.ts +1 -1
package/src/server/auth.ts +192 -9
package/src/server/cookies.ts +3 -0
package/src/server/db.ts +3 -0
package/src/server/device.ts +3 -1
package/src/server/domains/core.ts +916 -0
package/src/server/domains/sso.ts +1462 -0
package/src/server/enterpriseValidators.ts +88 -0
package/src/server/factory.ts +2168 -0
package/src/server/fx.ts +1 -0
package/src/server/http.ts +529 -0
package/src/server/identity.ts +18 -0
package/src/server/index.ts +712 -40
package/src/server/keys.ts +4 -0
package/src/server/mutations/index.ts +1 -1
package/src/server/mutations/oauth.ts +36 -8
package/src/server/mutations/store.ts +6 -3
package/src/server/oauth.ts +6 -0
package/src/server/passkey.ts +3 -2
package/src/server/provider.ts +2 -0
package/src/server/providers.ts +3 -0
package/src/server/ratelimit.ts +3 -0
package/src/server/redirects.ts +2 -0
package/src/server/refresh.ts +5 -0
package/src/server/sessions.ts +5 -0
package/src/server/signin.ts +1 -0
package/src/server/sso.ts +251 -17
package/src/server/templates.ts +1 -0
package/src/server/tokens.ts +1 -0
package/src/server/totp.ts +4 -2
package/src/server/types.ts +85 -77
package/src/server/users.ts +1 -0
package/src/server/utils.ts +71 -1
package/src/server/version.ts +1 -1
package/dist/component/public.js.map +0 -1
package/dist/component/server/implementation.d.ts +0 -1264
package/dist/component/server/implementation.d.ts.map +0 -1
package/dist/component/server/implementation.js +0 -2365
package/dist/component/server/implementation.js.map +0 -1
package/dist/server/cookies.d.ts.map +0 -1
package/dist/server/db.d.ts.map +0 -1
package/dist/server/device.d.ts.map +0 -1
package/dist/server/implementation.d.ts +0 -1264
package/dist/server/implementation.d.ts.map +0 -1
package/dist/server/implementation.js +0 -2365
package/dist/server/implementation.js.map +0 -1
package/dist/server/keys.d.ts.map +0 -1
package/dist/server/oauth.d.ts.map +0 -1
package/dist/server/ratelimit.d.ts.map +0 -1
package/dist/server/redirects.d.ts.map +0 -1
package/dist/server/refresh.d.ts.map +0 -1
package/dist/server/sessions.d.ts.map +0 -1
package/dist/server/signin.d.ts.map +0 -1
package/dist/server/sso.d.ts.map +0 -1
package/dist/server/templates.d.ts.map +0 -1
package/dist/server/tokens.d.ts.map +0 -1
package/dist/server/totp.d.ts.map +0 -1
package/dist/server/users.d.ts.map +0 -1
package/dist/server/utils.d.ts.map +0 -1
package/src/server/implementation.ts +0 -5336

package/src/component/public/enterprise.ts ADDED Viewed

@@ -0,0 +1,654 @@
+import {
+  ConvexError,
+  mutation,
+  query,
+  v,
+  vAuditActorType,
+  vAuditStatus,
+  vEnterpriseAuditEventDoc,
+  vEnterpriseDoc,
+  vEnterpriseDomainDoc,
+  vEnterprisePolicy,
+  vEnterpriseScimConfigDoc,
+  vEnterpriseScimIdentityDoc,
+  vEnterpriseSecretDoc,
+  vEnterpriseSecretKind,
+  vEnterpriseStatus,
+  vEnterpriseWebhookDeliveryDoc,
+  vEnterpriseWebhookEndpointDoc,
+  vPaginated,
+  vScimResourceType,
+  vScimStatus,
+  vWebhookEndpointStatus,
+} from "./shared";
+// ============================================================================
+// Enterprise
+// ============================================================================
+/** Create an enterprise record attached to a root group. */
+export const enterpriseCreate = mutation({
+  args: {
+    groupId: v.id("Group"),
+    slug: v.optional(v.string()),
+    name: v.optional(v.string()),
+    status: v.optional(vEnterpriseStatus),
+    policy: v.optional(vEnterprisePolicy),
+    config: v.optional(v.any()),
+    extend: v.optional(v.any()),
+  },
+  returns: v.id("Enterprise"),
+  handler: async (ctx, args) => {
+    const existing = await ctx.db
+      .query("Enterprise")
+      .withIndex("group_id", (idx) => idx.eq("groupId", args.groupId))
+      .first();
+    if (existing) {
+      throw new ConvexError({
+        code: "ENTERPRISE_ALREADY_EXISTS",
+        message: "An enterprise record already exists for this group.",
+      });
+    }
+    return await ctx.db.insert("Enterprise", {
+      ...args,
+      status: args.status ?? "draft",
+    });
+  },
+});
+/** Retrieve an enterprise record by ID. */
+export const enterpriseGet = query({
+  args: { enterpriseId: v.id("Enterprise") },
+  returns: v.union(vEnterpriseDoc, v.null()),
+  handler: async (ctx, { enterpriseId }) => {
+    return await ctx.db.get("Enterprise", enterpriseId);
+  },
+});
+/** Retrieve an enterprise record by group ID. */
+export const enterpriseGetByGroup = query({
+  args: { groupId: v.id("Group") },
+  returns: v.union(vEnterpriseDoc, v.null()),
+  handler: async (ctx, { groupId }) => {
+    return await ctx.db
+      .query("Enterprise")
+      .withIndex("group_id", (idx) => idx.eq("groupId", groupId))
+      .first();
+  },
+});
+/** Retrieve an enterprise record by a linked domain. */
+export const enterpriseGetByDomain = query({
+  args: { domain: v.string() },
+  returns: v.union(
+    v.object({
+      enterprise: vEnterpriseDoc,
+      domain: vEnterpriseDomainDoc,
+    }),
+    v.null(),
+  ),
+  handler: async (ctx, { domain }) => {
+    const domainRow = await ctx.db
+      .query("EnterpriseDomain")
+      .withIndex("domain", (idx) => idx.eq("domain", domain))
+      .first();
+    if (!domainRow) {
+      return null;
+    }
+    const enterprise = await ctx.db.get("Enterprise", domainRow.enterpriseId);
+    if (!enterprise) {
+      return null;
+    }
+    return { enterprise, domain: domainRow };
+  },
+});
+/** List enterprises with lightweight filtering and cursor pagination. */
+export const enterpriseList = query({
+  args: {
+    where: v.optional(
+      v.object({
+        groupId: v.optional(v.id("Group")),
+        slug: v.optional(v.string()),
+        status: v.optional(vEnterpriseStatus),
+      }),
+    ),
+    limit: v.optional(v.number()),
+    cursor: v.optional(v.union(v.string(), v.null())),
+    orderBy: v.optional(
+      v.union(
+        v.literal("_creationTime"),
+        v.literal("name"),
+        v.literal("slug"),
+        v.literal("status"),
+      ),
+    ),
+    order: v.optional(v.union(v.literal("asc"), v.literal("desc"))),
+  },
+  returns: vPaginated(vEnterpriseDoc),
+  handler: async (ctx, args) => {
+    const where = args.where ?? {};
+    const limit = Math.min(Math.max(args.limit ?? 50, 1), 100);
+    const order = args.order ?? "desc";
+    let q;
+    if (where.groupId !== undefined) {
+      q = ctx.db
+        .query("Enterprise")
+        .withIndex("group_id", (idx) => idx.eq("groupId", where.groupId!));
+    } else if (where.slug !== undefined) {
+      q = ctx.db
+        .query("Enterprise")
+        .withIndex("slug", (idx) => idx.eq("slug", where.slug!));
+    } else if (where.status !== undefined) {
+      q = ctx.db
+        .query("Enterprise")
+        .withIndex("status", (idx) => idx.eq("status", where.status!));
+    } else {
+      q = ctx.db.query("Enterprise");
+    }
+    if (where.groupId !== undefined && where.slug !== undefined) {
+      q = q.filter((f) => f.eq(f.field("slug"), where.slug!));
+    }
+    if (where.status !== undefined && where.groupId === undefined) {
+      // already handled by index in the dedicated branch
+    } else if (where.status !== undefined) {
+      q = q.filter((f) => f.eq(f.field("status"), where.status!));
+    }
+    q = q.order(order);
+    const all = await q.collect();
+    let startIdx = 0;
+    if (args.cursor) {
+      const cursorIdx = all.findIndex((doc) => doc._id === args.cursor);
+      if (cursorIdx !== -1) {
+        startIdx = cursorIdx + 1;
+      }
+    }
+    const page = all.slice(startIdx, startIdx + limit + 1);
+    const hasMore = page.length > limit;
+    const items = hasMore ? page.slice(0, limit) : page;
+    const nextCursor = hasMore ? items[items.length - 1]._id : null;
+    return { items, nextCursor };
+  },
+});
+/** Patch an enterprise record. */
+export const enterpriseUpdate = mutation({
+  args: { enterpriseId: v.id("Enterprise"), data: v.any() },
+  returns: v.null(),
+  handler: async (ctx, { enterpriseId, data }) => {
+    await ctx.db.patch(enterpriseId, data);
+    return null;
+  },
+});
+/** Delete an enterprise record. */
+export const enterpriseDelete = mutation({
+  args: { enterpriseId: v.id("Enterprise") },
+  returns: v.null(),
+  handler: async (ctx, { enterpriseId }) => {
+    const domains = await ctx.db
+      .query("EnterpriseDomain")
+      .withIndex("enterprise_id", (idx) => idx.eq("enterpriseId", enterpriseId))
+      .collect();
+    for (const domain of domains) {
+      await ctx.db.delete(domain._id);
+    }
+    const secrets = await ctx.db
+      .query("EnterpriseSecret")
+      .withIndex("enterprise_id", (idx) => idx.eq("enterpriseId", enterpriseId))
+      .collect();
+    for (const secret of secrets) {
+      await ctx.db.delete(secret._id);
+    }
+    await ctx.db.delete(enterpriseId);
+    return null;
+  },
+});
+/** Link a domain to an enterprise record. */
+export const enterpriseDomainAdd = mutation({
+  args: {
+    enterpriseId: v.id("Enterprise"),
+    groupId: v.id("Group"),
+    domain: v.string(),
+    isPrimary: v.optional(v.boolean()),
+    verifiedAt: v.optional(v.number()),
+  },
+  returns: v.id("EnterpriseDomain"),
+  handler: async (ctx, args) => {
+    const existingByDomain = await ctx.db
+      .query("EnterpriseDomain")
+      .withIndex("domain", (idx) => idx.eq("domain", args.domain))
+      .first();
+    if (
+      existingByDomain &&
+      existingByDomain.enterpriseId !== args.enterpriseId
+    ) {
+      throw new ConvexError({
+        code: "ENTERPRISE_DOMAIN_TAKEN",
+        message: "That domain is already attached to another enterprise.",
+      });
+    }
+    const existingForEnterprise = await ctx.db
+      .query("EnterpriseDomain")
+      .withIndex("enterprise_id", (idx) =>
+        idx.eq("enterpriseId", args.enterpriseId),
+      )
+      .collect();
+    for (const row of existingForEnterprise) {
+      if (row.domain === args.domain) {
+        await ctx.db.patch(row._id, {
+          isPrimary: args.isPrimary ?? row.isPrimary,
+          verifiedAt: args.verifiedAt ?? row.verifiedAt,
+        });
+        return row._id;
+      }
+    }
+    if (args.isPrimary === true) {
+      for (const row of existingForEnterprise) {
+        if (row.isPrimary) {
+          await ctx.db.patch(row._id, { isPrimary: false });
+        }
+      }
+    }
+    return await ctx.db.insert("EnterpriseDomain", {
+      ...args,
+      isPrimary: args.isPrimary ?? existingForEnterprise.length === 0,
+    });
+  },
+});
+/** List domains linked to an enterprise. */
+export const enterpriseDomainList = query({
+  args: { enterpriseId: v.id("Enterprise") },
+  returns: v.array(vEnterpriseDomainDoc),
+  handler: async (ctx, { enterpriseId }) => {
+    return await ctx.db
+      .query("EnterpriseDomain")
+      .withIndex("enterprise_id", (idx) => idx.eq("enterpriseId", enterpriseId))
+      .collect();
+  },
+});
+/** Remove a linked enterprise domain. */
+export const enterpriseDomainDelete = mutation({
+  args: { domainId: v.id("EnterpriseDomain") },
+  returns: v.null(),
+  handler: async (ctx, { domainId }) => {
+    await ctx.db.delete(domainId);
+    return null;
+  },
+});
+export const enterpriseSecretUpsert = mutation({
+  args: {
+    enterpriseId: v.id("Enterprise"),
+    groupId: v.id("Group"),
+    kind: vEnterpriseSecretKind,
+    ciphertext: v.string(),
+    updatedAt: v.number(),
+  },
+  returns: v.id("EnterpriseSecret"),
+  handler: async (ctx, args) => {
+    const existing = await ctx.db
+      .query("EnterpriseSecret")
+      .withIndex("enterprise_id_kind", (idx) =>
+        idx.eq("enterpriseId", args.enterpriseId).eq("kind", args.kind),
+      )
+      .first();
+    if (existing) {
+      await ctx.db.patch(existing._id, args);
+      return existing._id;
+    }
+    return await ctx.db.insert("EnterpriseSecret", args);
+  },
+});
+export const enterpriseSecretGet = query({
+  args: {
+    enterpriseId: v.id("Enterprise"),
+    kind: vEnterpriseSecretKind,
+  },
+  returns: v.union(vEnterpriseSecretDoc, v.null()),
+  handler: async (ctx, { enterpriseId, kind }) => {
+    return await ctx.db
+      .query("EnterpriseSecret")
+      .withIndex("enterprise_id_kind", (idx) =>
+        idx.eq("enterpriseId", enterpriseId).eq("kind", kind),
+      )
+      .first();
+  },
+});
+export const enterpriseSecretDelete = mutation({
+  args: {
+    enterpriseId: v.id("Enterprise"),
+    kind: vEnterpriseSecretKind,
+  },
+  returns: v.null(),
+  handler: async (ctx, { enterpriseId, kind }) => {
+    const existing = await ctx.db
+      .query("EnterpriseSecret")
+      .withIndex("enterprise_id_kind", (idx) =>
+        idx.eq("enterpriseId", enterpriseId).eq("kind", kind),
+      )
+      .first();
+    if (existing) {
+      await ctx.db.delete(existing._id);
+    }
+    return null;
+  },
+});
+/** Create or rotate SCIM configuration for an enterprise. */
+export const enterpriseScimConfigUpsert = mutation({
+  args: {
+    enterpriseId: v.id("Enterprise"),
+    groupId: v.id("Group"),
+    status: vScimStatus,
+    basePath: v.string(),
+    tokenHash: v.string(),
+    lastRotatedAt: v.optional(v.number()),
+    extend: v.optional(v.any()),
+  },
+  returns: v.id("EnterpriseScimConfig"),
+  handler: async (ctx, args) => {
+    const existing = await ctx.db
+      .query("EnterpriseScimConfig")
+      .withIndex("enterprise_id", (idx) =>
+        idx.eq("enterpriseId", args.enterpriseId),
+      )
+      .first();
+    if (existing) {
+      await ctx.db.patch(existing._id, args);
+      return existing._id;
+    }
+    return await ctx.db.insert("EnterpriseScimConfig", args);
+  },
+});
+export const enterpriseScimConfigGetByEnterprise = query({
+  args: { enterpriseId: v.id("Enterprise") },
+  returns: v.union(vEnterpriseScimConfigDoc, v.null()),
+  handler: async (ctx, { enterpriseId }) => {
+    return await ctx.db
+      .query("EnterpriseScimConfig")
+      .withIndex("enterprise_id", (idx) => idx.eq("enterpriseId", enterpriseId))
+      .first();
+  },
+});
+export const enterpriseScimConfigGetByTokenHash = query({
+  args: { tokenHash: v.string() },
+  returns: v.union(vEnterpriseScimConfigDoc, v.null()),
+  handler: async (ctx, { tokenHash }) => {
+    return await ctx.db
+      .query("EnterpriseScimConfig")
+      .withIndex("token_hash", (idx) => idx.eq("tokenHash", tokenHash))
+      .first();
+  },
+});
+export const enterpriseScimIdentityGet = query({
+  args: {
+    enterpriseId: v.id("Enterprise"),
+    resourceType: vScimResourceType,
+    externalId: v.string(),
+  },
+  returns: v.union(vEnterpriseScimIdentityDoc, v.null()),
+  handler: async (ctx, args) => {
+    return await ctx.db
+      .query("EnterpriseScimIdentity")
+      .withIndex("enterprise_id_resource_type_external_id", (idx) =>
+        idx
+          .eq("enterpriseId", args.enterpriseId)
+          .eq("resourceType", args.resourceType)
+          .eq("externalId", args.externalId),
+      )
+      .first();
+  },
+});
+export const enterpriseScimIdentityGetByUser = query({
+  args: { userId: v.id("User") },
+  returns: v.union(vEnterpriseScimIdentityDoc, v.null()),
+  handler: async (ctx, { userId }) => {
+    return await ctx.db
+      .query("EnterpriseScimIdentity")
+      .withIndex("user_id", (idx) => idx.eq("userId", userId))
+      .first();
+  },
+});
+export const enterpriseScimIdentityGetByEnterpriseAndUser = query({
+  args: {
+    enterpriseId: v.id("Enterprise"),
+    userId: v.id("User"),
+  },
+  returns: v.union(vEnterpriseScimIdentityDoc, v.null()),
+  handler: async (ctx, { enterpriseId, userId }) => {
+    return await ctx.db
+      .query("EnterpriseScimIdentity")
+      .withIndex("enterprise_id_user_id", (idx) =>
+        idx.eq("enterpriseId", enterpriseId).eq("userId", userId),
+      )
+      .first();
+  },
+});
+export const enterpriseScimIdentityGetByMappedGroup = query({
+  args: { mappedGroupId: v.id("Group") },
+  returns: v.union(vEnterpriseScimIdentityDoc, v.null()),
+  handler: async (ctx, { mappedGroupId }) => {
+    return await ctx.db
+      .query("EnterpriseScimIdentity")
+      .withIndex("mapped_group_id", (idx) =>
+        idx.eq("mappedGroupId", mappedGroupId),
+      )
+      .first();
+  },
+});
+export const enterpriseScimIdentityListByEnterprise = query({
+  args: { enterpriseId: v.id("Enterprise") },
+  returns: v.array(vEnterpriseScimIdentityDoc),
+  handler: async (ctx, { enterpriseId }) => {
+    return await ctx.db
+      .query("EnterpriseScimIdentity")
+      .withIndex("enterprise_id", (idx) => idx.eq("enterpriseId", enterpriseId))
+      .collect();
+  },
+});
+export const enterpriseScimIdentityUpsert = mutation({
+  args: {
+    enterpriseId: v.id("Enterprise"),
+    groupId: v.id("Group"),
+    resourceType: vScimResourceType,
+    externalId: v.string(),
+    userId: v.optional(v.id("User")),
+    mappedGroupId: v.optional(v.id("Group")),
+    lastProvisionedAt: v.optional(v.number()),
+    active: v.optional(v.boolean()),
+    raw: v.optional(v.any()),
+  },
+  returns: v.id("EnterpriseScimIdentity"),
+  handler: async (ctx, args) => {
+    const existing = await ctx.db
+      .query("EnterpriseScimIdentity")
+      .withIndex("enterprise_id_resource_type_external_id", (idx) =>
+        idx
+          .eq("enterpriseId", args.enterpriseId)
+          .eq("resourceType", args.resourceType)
+          .eq("externalId", args.externalId),
+      )
+      .first();
+    if (existing) {
+      await ctx.db.patch(existing._id, args);
+      return existing._id;
+    }
+    return await ctx.db.insert("EnterpriseScimIdentity", args);
+  },
+});
+export const enterpriseScimIdentityDelete = mutation({
+  args: { identityId: v.id("EnterpriseScimIdentity") },
+  returns: v.null(),
+  handler: async (ctx, { identityId }) => {
+    await ctx.db.delete(identityId);
+    return null;
+  },
+});
+export const enterpriseAuditEventCreate = mutation({
+  args: {
+    enterpriseId: v.id("Enterprise"),
+    groupId: v.id("Group"),
+    eventType: v.string(),
+    actorType: vAuditActorType,
+    actorId: v.optional(v.string()),
+    subjectType: v.string(),
+    subjectId: v.optional(v.string()),
+    status: vAuditStatus,
+    occurredAt: v.number(),
+    requestId: v.optional(v.string()),
+    ip: v.optional(v.string()),
+    metadata: v.optional(v.any()),
+  },
+  returns: v.id("EnterpriseAuditEvent"),
+  handler: async (ctx, args) => {
+    return await ctx.db.insert("EnterpriseAuditEvent", args);
+  },
+});
+export const enterpriseAuditEventList = query({
+  args: {
+    enterpriseId: v.optional(v.id("Enterprise")),
+    groupId: v.optional(v.id("Group")),
+    limit: v.optional(v.number()),
+  },
+  returns: v.array(vEnterpriseAuditEventDoc),
+  handler: async (ctx, args) => {
+    const limit = Math.min(Math.max(args.limit ?? 50, 1), 100);
+    if (args.enterpriseId !== undefined) {
+      return await ctx.db
+        .query("EnterpriseAuditEvent")
+        .withIndex("enterprise_id_occurred_at", (idx) =>
+          idx.eq("enterpriseId", args.enterpriseId!),
+        )
+        .order("desc")
+        .take(limit);
+    }
+    if (args.groupId !== undefined) {
+      return await ctx.db
+        .query("EnterpriseAuditEvent")
+        .withIndex("group_id_occurred_at", (idx) =>
+          idx.eq("groupId", args.groupId!),
+        )
+        .order("desc")
+        .take(limit);
+    }
+    return await ctx.db.query("EnterpriseAuditEvent").order("desc").take(limit);
+  },
+});
+export const enterpriseWebhookEndpointCreate = mutation({
+  args: {
+    enterpriseId: v.id("Enterprise"),
+    groupId: v.id("Group"),
+    url: v.string(),
+    status: v.optional(vWebhookEndpointStatus),
+    secretHash: v.string(),
+    subscriptions: v.array(v.string()),
+    createdByUserId: v.optional(v.id("User")),
+    extend: v.optional(v.any()),
+  },
+  returns: v.id("EnterpriseWebhookEndpoint"),
+  handler: async (ctx, args) => {
+    return await ctx.db.insert("EnterpriseWebhookEndpoint", {
+      ...args,
+      status: args.status ?? "active",
+      failureCount: 0,
+    });
+  },
+});
+export const enterpriseWebhookEndpointList = query({
+  args: { enterpriseId: v.id("Enterprise") },
+  returns: v.array(vEnterpriseWebhookEndpointDoc),
+  handler: async (ctx, { enterpriseId }) => {
+    return await ctx.db
+      .query("EnterpriseWebhookEndpoint")
+      .withIndex("enterprise_id", (idx) => idx.eq("enterpriseId", enterpriseId))
+      .collect();
+  },
+});
+export const enterpriseWebhookEndpointUpdate = mutation({
+  args: { endpointId: v.id("EnterpriseWebhookEndpoint"), data: v.any() },
+  returns: v.null(),
+  handler: async (ctx, { endpointId, data }) => {
+    await ctx.db.patch(endpointId, data);
+    return null;
+  },
+});
+export const enterpriseWebhookDeliveryEnqueue = mutation({
+  args: {
+    enterpriseId: v.id("Enterprise"),
+    endpointId: v.id("EnterpriseWebhookEndpoint"),
+    auditEventId: v.optional(v.id("EnterpriseAuditEvent")),
+    eventType: v.string(),
+    payload: v.any(),
+    nextAttemptAt: v.number(),
+  },
+  returns: v.id("EnterpriseWebhookDelivery"),
+  handler: async (ctx, args) => {
+    return await ctx.db.insert("EnterpriseWebhookDelivery", {
+      ...args,
+      status: "pending",
+      attemptCount: 0,
+    });
+  },
+});
+export const enterpriseWebhookDeliveryListReady = query({
+  args: { now: v.number(), limit: v.optional(v.number()) },
+  returns: v.array(vEnterpriseWebhookDeliveryDoc),
+  handler: async (ctx, { now, limit }) => {
+    return await ctx.db
+      .query("EnterpriseWebhookDelivery")
+      .withIndex("status_next_attempt_at", (idx) =>
+        idx.eq("status", "pending").lte("nextAttemptAt", now),
+      )
+      .take(Math.min(Math.max(limit ?? 50, 1), 100));
+  },
+});
+export const enterpriseWebhookDeliveryList = query({
+  args: { enterpriseId: v.id("Enterprise"), limit: v.optional(v.number()) },
+  returns: v.array(vEnterpriseWebhookDeliveryDoc),
+  handler: async (ctx, { enterpriseId, limit }) => {
+    return await ctx.db
+      .query("EnterpriseWebhookDelivery")
+      .withIndex("enterprise_id", (idx) => idx.eq("enterpriseId", enterpriseId))
+      .order("desc")
+      .take(Math.min(Math.max(limit ?? 50, 1), 100));
+  },
+});
+export const enterpriseWebhookDeliveryPatch = mutation({
+  args: { deliveryId: v.id("EnterpriseWebhookDelivery"), data: v.any() },
+  returns: v.null(),
+  handler: async (ctx, { deliveryId, data }) => {
+    await ctx.db.patch(deliveryId, data);
+    return null;
+  },
+});