@robelest/convex-auth 0.0.4-preview.13 → 0.0.4-preview.16
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +140 -9
- package/dist/bin.cjs +5957 -5478
- package/dist/client/index.d.ts +3 -7
- package/dist/client/index.d.ts.map +1 -1
- package/dist/client/index.js +27 -26
- package/dist/client/index.js.map +1 -1
- package/dist/component/_generated/api.d.ts +14 -0
- package/dist/component/_generated/api.d.ts.map +1 -1
- package/dist/component/_generated/api.js.map +1 -1
- package/dist/component/_generated/component.d.ts +1672 -24
- package/dist/component/_generated/component.d.ts.map +1 -1
- package/dist/component/convex.config.d.ts +2 -2
- package/dist/component/convex.config.d.ts.map +1 -1
- package/dist/component/index.d.ts +1 -1
- package/dist/component/index.js +2 -2
- package/dist/component/model.d.ts +153 -0
- package/dist/component/model.d.ts.map +1 -0
- package/dist/component/model.js +343 -0
- package/dist/component/model.js.map +1 -0
- package/dist/component/providers/sso.d.ts +1 -1
- package/dist/component/public/enterprise.d.ts +54 -0
- package/dist/component/public/enterprise.d.ts.map +1 -0
- package/dist/component/public/enterprise.js +515 -0
- package/dist/component/public/enterprise.js.map +1 -0
- package/dist/component/public/factors.d.ts +52 -0
- package/dist/component/public/factors.d.ts.map +1 -0
- package/dist/component/public/factors.js +285 -0
- package/dist/component/public/factors.js.map +1 -0
- package/dist/component/public/groups.d.ts +116 -0
- package/dist/component/public/groups.d.ts.map +1 -0
- package/dist/component/public/groups.js +596 -0
- package/dist/component/public/groups.js.map +1 -0
- package/dist/component/public/identity.d.ts +93 -0
- package/dist/component/public/identity.d.ts.map +1 -0
- package/dist/component/public/identity.js +426 -0
- package/dist/component/public/identity.js.map +1 -0
- package/dist/component/public/keys.d.ts +41 -0
- package/dist/component/public/keys.d.ts.map +1 -0
- package/dist/component/public/keys.js +157 -0
- package/dist/component/public/keys.js.map +1 -0
- package/dist/component/public/shared.d.ts +26 -0
- package/dist/component/public/shared.d.ts.map +1 -0
- package/dist/component/public/shared.js +32 -0
- package/dist/component/public/shared.js.map +1 -0
- package/dist/component/public.d.ts +9 -321
- package/dist/component/public.d.ts.map +1 -1
- package/dist/component/public.js +6 -2145
- package/dist/component/schema.d.ts +406 -260
- package/dist/component/schema.js +37 -32
- package/dist/component/schema.js.map +1 -1
- package/dist/component/server/auth.d.ts +161 -15
- package/dist/component/server/auth.d.ts.map +1 -1
- package/dist/component/server/auth.js +100 -7
- package/dist/component/server/auth.js.map +1 -1
- package/dist/component/server/cookies.js +3 -0
- package/dist/component/server/cookies.js.map +1 -1
- package/dist/component/server/db.js +1 -0
- package/dist/component/server/db.js.map +1 -1
- package/dist/component/server/device.js +3 -1
- package/dist/component/server/device.js.map +1 -1
- package/dist/component/server/domains/core.js +629 -0
- package/dist/component/server/domains/core.js.map +1 -0
- package/dist/component/server/domains/sso.js +884 -0
- package/dist/component/server/domains/sso.js.map +1 -0
- package/dist/component/server/factory.d.ts +136 -0
- package/dist/component/server/factory.d.ts.map +1 -0
- package/dist/component/server/factory.js +1134 -0
- package/dist/component/server/factory.js.map +1 -0
- package/dist/component/server/fx.js +2 -1
- package/dist/component/server/fx.js.map +1 -1
- package/dist/component/server/http.js +287 -0
- package/dist/component/server/http.js.map +1 -0
- package/dist/component/server/identity.js +13 -0
- package/dist/component/server/identity.js.map +1 -0
- package/dist/component/server/keys.js +4 -0
- package/dist/component/server/keys.js.map +1 -1
- package/dist/component/server/mutations/account.js +1 -1
- package/dist/component/server/mutations/index.js +2 -2
- package/dist/component/server/mutations/index.js.map +1 -1
- package/dist/component/server/mutations/invalidate.js +1 -1
- package/dist/component/server/mutations/oauth.js +10 -7
- package/dist/component/server/mutations/oauth.js.map +1 -1
- package/dist/component/server/mutations/refresh.js +1 -1
- package/dist/component/server/mutations/register.js +1 -1
- package/dist/component/server/mutations/retrieve.js +1 -1
- package/dist/component/server/mutations/signature.js +1 -1
- package/dist/component/server/mutations/store.js +6 -3
- package/dist/component/server/mutations/store.js.map +1 -1
- package/dist/component/server/mutations/verify.js +1 -1
- package/dist/component/server/oauth.js +3 -0
- package/dist/component/server/oauth.js.map +1 -1
- package/dist/component/server/passkey.js +3 -2
- package/dist/component/server/passkey.js.map +1 -1
- package/dist/component/server/provider.js +2 -0
- package/dist/component/server/provider.js.map +1 -1
- package/dist/component/server/providers.js +10 -0
- package/dist/component/server/providers.js.map +1 -1
- package/dist/component/server/ratelimit.js +3 -0
- package/dist/component/server/ratelimit.js.map +1 -1
- package/dist/component/server/redirects.js +2 -0
- package/dist/component/server/redirects.js.map +1 -1
- package/dist/component/server/refresh.js +5 -0
- package/dist/component/server/refresh.js.map +1 -1
- package/dist/component/server/sessions.js +5 -0
- package/dist/component/server/sessions.js.map +1 -1
- package/dist/component/server/signin.js +2 -1
- package/dist/component/server/signin.js.map +1 -1
- package/dist/component/server/sso.js +166 -19
- package/dist/component/server/sso.js.map +1 -1
- package/dist/component/server/tokens.js +1 -0
- package/dist/component/server/tokens.js.map +1 -1
- package/dist/component/server/totp.js +4 -2
- package/dist/component/server/totp.js.map +1 -1
- package/dist/component/server/types.d.ts +106 -38
- package/dist/component/server/types.d.ts.map +1 -1
- package/dist/component/server/types.js.map +1 -1
- package/dist/component/server/users.js +1 -0
- package/dist/component/server/users.js.map +1 -1
- package/dist/component/server/utils.js +44 -2
- package/dist/component/server/utils.js.map +1 -1
- package/dist/providers/anonymous.d.ts +1 -1
- package/dist/providers/credentials.d.ts +1 -1
- package/dist/providers/password.d.ts +1 -1
- package/dist/providers/sso.d.ts +1 -1
- package/dist/providers/sso.js.map +1 -1
- package/dist/server/auth.d.ts +163 -17
- package/dist/server/auth.d.ts.map +1 -1
- package/dist/server/auth.js +100 -7
- package/dist/server/auth.js.map +1 -1
- package/dist/server/cookies.d.ts +1 -38
- package/dist/server/cookies.js +3 -0
- package/dist/server/cookies.js.map +1 -1
- package/dist/server/db.d.ts +1 -125
- package/dist/server/db.js +1 -0
- package/dist/server/db.js.map +1 -1
- package/dist/server/device.d.ts +1 -24
- package/dist/server/device.js +3 -1
- package/dist/server/device.js.map +1 -1
- package/dist/server/domains/core.d.ts +434 -0
- package/dist/server/domains/core.d.ts.map +1 -0
- package/dist/server/domains/core.js +629 -0
- package/dist/server/domains/core.js.map +1 -0
- package/dist/server/domains/sso.d.ts +409 -0
- package/dist/server/domains/sso.d.ts.map +1 -0
- package/dist/server/domains/sso.js +884 -0
- package/dist/server/domains/sso.js.map +1 -0
- package/dist/server/enterpriseValidators.d.ts +1 -0
- package/dist/server/enterpriseValidators.js +60 -0
- package/dist/server/enterpriseValidators.js.map +1 -0
- package/dist/server/factory.d.ts +136 -0
- package/dist/server/factory.d.ts.map +1 -0
- package/dist/server/factory.js +1134 -0
- package/dist/server/factory.js.map +1 -0
- package/dist/server/fx.d.ts +1 -16
- package/dist/server/fx.d.ts.map +1 -1
- package/dist/server/fx.js +1 -0
- package/dist/server/fx.js.map +1 -1
- package/dist/server/http.d.ts +59 -0
- package/dist/server/http.d.ts.map +1 -0
- package/dist/server/http.js +287 -0
- package/dist/server/http.js.map +1 -0
- package/dist/server/identity.d.ts +1 -0
- package/dist/server/identity.js +13 -0
- package/dist/server/identity.js.map +1 -0
- package/dist/server/index.d.ts +468 -1
- package/dist/server/index.d.ts.map +1 -1
- package/dist/server/index.js +530 -36
- package/dist/server/index.js.map +1 -1
- package/dist/server/keys.d.ts +1 -57
- package/dist/server/keys.js +4 -0
- package/dist/server/keys.js.map +1 -1
- package/dist/server/mutations/account.d.ts +7 -7
- package/dist/server/mutations/account.d.ts.map +1 -1
- package/dist/server/mutations/code.d.ts +13 -13
- package/dist/server/mutations/code.d.ts.map +1 -1
- package/dist/server/mutations/index.d.ts +107 -107
- package/dist/server/mutations/index.d.ts.map +1 -1
- package/dist/server/mutations/index.js +1 -1
- package/dist/server/mutations/index.js.map +1 -1
- package/dist/server/mutations/invalidate.d.ts +5 -5
- package/dist/server/mutations/invalidate.d.ts.map +1 -1
- package/dist/server/mutations/oauth.d.ts +10 -10
- package/dist/server/mutations/oauth.d.ts.map +1 -1
- package/dist/server/mutations/oauth.js +9 -6
- package/dist/server/mutations/oauth.js.map +1 -1
- package/dist/server/mutations/refresh.d.ts +4 -4
- package/dist/server/mutations/register.d.ts +12 -12
- package/dist/server/mutations/register.d.ts.map +1 -1
- package/dist/server/mutations/retrieve.d.ts +7 -7
- package/dist/server/mutations/signature.d.ts +5 -5
- package/dist/server/mutations/signin.d.ts +6 -6
- package/dist/server/mutations/signin.d.ts.map +1 -1
- package/dist/server/mutations/signout.d.ts +1 -1
- package/dist/server/mutations/store.d.ts +3 -2
- package/dist/server/mutations/store.d.ts.map +1 -1
- package/dist/server/mutations/store.js +6 -3
- package/dist/server/mutations/store.js.map +1 -1
- package/dist/server/mutations/verifier.d.ts +1 -1
- package/dist/server/mutations/verify.d.ts +11 -11
- package/dist/server/mutations/verify.d.ts.map +1 -1
- package/dist/server/oauth.d.ts +1 -59
- package/dist/server/oauth.js +3 -0
- package/dist/server/oauth.js.map +1 -1
- package/dist/server/passkey.d.ts.map +1 -1
- package/dist/server/passkey.js +3 -2
- package/dist/server/passkey.js.map +1 -1
- package/dist/server/provider.d.ts +1 -14
- package/dist/server/provider.d.ts.map +1 -1
- package/dist/server/provider.js +2 -0
- package/dist/server/provider.js.map +1 -1
- package/dist/server/providers.js +10 -0
- package/dist/server/providers.js.map +1 -1
- package/dist/server/ratelimit.d.ts +1 -22
- package/dist/server/ratelimit.js +3 -0
- package/dist/server/ratelimit.js.map +1 -1
- package/dist/server/redirects.d.ts +1 -10
- package/dist/server/redirects.js +2 -0
- package/dist/server/redirects.js.map +1 -1
- package/dist/server/refresh.d.ts +1 -37
- package/dist/server/refresh.js +5 -0
- package/dist/server/refresh.js.map +1 -1
- package/dist/server/sessions.d.ts +1 -28
- package/dist/server/sessions.js +5 -0
- package/dist/server/sessions.js.map +1 -1
- package/dist/server/signin.d.ts +1 -55
- package/dist/server/signin.js +2 -1
- package/dist/server/signin.js.map +1 -1
- package/dist/server/sso.d.ts +1 -348
- package/dist/server/sso.js +165 -18
- package/dist/server/sso.js.map +1 -1
- package/dist/server/templates.d.ts +1 -21
- package/dist/server/templates.js +1 -0
- package/dist/server/templates.js.map +1 -1
- package/dist/server/tokens.d.ts +1 -11
- package/dist/server/tokens.js +1 -0
- package/dist/server/tokens.js.map +1 -1
- package/dist/server/totp.d.ts +1 -23
- package/dist/server/totp.js +4 -2
- package/dist/server/totp.js.map +1 -1
- package/dist/server/types.d.ts +114 -77
- package/dist/server/types.d.ts.map +1 -1
- package/dist/server/types.js.map +1 -1
- package/dist/server/users.d.ts +1 -31
- package/dist/server/users.js +1 -0
- package/dist/server/users.js.map +1 -1
- package/dist/server/utils.d.ts +1 -27
- package/dist/server/utils.js +44 -2
- package/dist/server/utils.js.map +1 -1
- package/dist/server/version.d.ts +1 -1
- package/dist/server/version.js +1 -1
- package/dist/server/version.js.map +1 -1
- package/package.json +4 -5
- package/src/cli/bin.ts +5 -0
- package/src/cli/index.ts +22 -9
- package/src/cli/keys.ts +3 -0
- package/src/client/index.ts +36 -37
- package/src/component/_generated/api.ts +14 -0
- package/src/component/_generated/component.ts +2106 -9
- package/src/component/index.ts +3 -1
- package/src/component/model.ts +441 -0
- package/src/component/public/enterprise.ts +753 -0
- package/src/component/public/factors.ts +332 -0
- package/src/component/public/groups.ts +932 -0
- package/src/component/public/identity.ts +566 -0
- package/src/component/public/keys.ts +209 -0
- package/src/component/public/shared.ts +119 -0
- package/src/component/public.ts +5 -2965
- package/src/component/schema.ts +68 -63
- package/src/providers/sso.ts +1 -1
- package/src/server/auth.ts +413 -18
- package/src/server/cookies.ts +3 -0
- package/src/server/db.ts +3 -0
- package/src/server/device.ts +3 -1
- package/src/server/domains/core.ts +1071 -0
- package/src/server/domains/sso.ts +1749 -0
- package/src/server/enterpriseValidators.ts +93 -0
- package/src/server/factory.ts +2181 -0
- package/src/server/fx.ts +1 -0
- package/src/server/http.ts +529 -0
- package/src/server/identity.ts +18 -0
- package/src/server/index.ts +806 -40
- package/src/server/keys.ts +4 -0
- package/src/server/mutations/index.ts +1 -1
- package/src/server/mutations/oauth.ts +36 -8
- package/src/server/mutations/store.ts +6 -3
- package/src/server/oauth.ts +6 -0
- package/src/server/passkey.ts +3 -2
- package/src/server/provider.ts +2 -0
- package/src/server/providers.ts +20 -0
- package/src/server/ratelimit.ts +3 -0
- package/src/server/redirects.ts +2 -0
- package/src/server/refresh.ts +5 -0
- package/src/server/sessions.ts +5 -0
- package/src/server/signin.ts +1 -0
- package/src/server/sso.ts +259 -17
- package/src/server/templates.ts +1 -0
- package/src/server/tokens.ts +1 -0
- package/src/server/totp.ts +4 -2
- package/src/server/types.ts +178 -83
- package/src/server/users.ts +1 -0
- package/src/server/utils.ts +71 -1
- package/src/server/version.ts +1 -1
- package/dist/component/public.js.map +0 -1
- package/dist/component/server/implementation.d.ts +0 -1264
- package/dist/component/server/implementation.d.ts.map +0 -1
- package/dist/component/server/implementation.js +0 -2365
- package/dist/component/server/implementation.js.map +0 -1
- package/dist/server/cookies.d.ts.map +0 -1
- package/dist/server/db.d.ts.map +0 -1
- package/dist/server/device.d.ts.map +0 -1
- package/dist/server/implementation.d.ts +0 -1264
- package/dist/server/implementation.d.ts.map +0 -1
- package/dist/server/implementation.js +0 -2365
- package/dist/server/implementation.js.map +0 -1
- package/dist/server/keys.d.ts.map +0 -1
- package/dist/server/oauth.d.ts.map +0 -1
- package/dist/server/ratelimit.d.ts.map +0 -1
- package/dist/server/redirects.d.ts.map +0 -1
- package/dist/server/refresh.d.ts.map +0 -1
- package/dist/server/sessions.d.ts.map +0 -1
- package/dist/server/signin.d.ts.map +0 -1
- package/dist/server/sso.d.ts.map +0 -1
- package/dist/server/templates.d.ts.map +0 -1
- package/dist/server/tokens.d.ts.map +0 -1
- package/dist/server/totp.d.ts.map +0 -1
- package/dist/server/users.d.ts.map +0 -1
- package/dist/server/utils.d.ts.map +0 -1
- package/src/server/implementation.ts +0 -5336
package/dist/component/schema.js
CHANGED
|
@@ -1,3 +1,4 @@
|
|
|
1
|
+
import { vApiKeyRateLimit, vApiKeyRateLimitState, vApiKeyScope, vAuditActorType, vAuditStatus, vDeviceStatus, vEnterprisePolicy, vEnterpriseSecretKind, vEnterpriseStatus, vInviteStatus, vScimResourceType, vScimStatus, vTag, vWebhookDeliveryStatus, vWebhookEndpointStatus } from "./model.js";
|
|
1
2
|
import { defineSchema, defineTable } from "convex/server";
|
|
2
3
|
import { v } from "convex/values";
|
|
3
4
|
|
|
@@ -80,7 +81,7 @@ var schema_default = defineSchema({
|
|
|
80
81
|
userCode: v.string(),
|
|
81
82
|
expiresAt: v.number(),
|
|
82
83
|
interval: v.number(),
|
|
83
|
-
status:
|
|
84
|
+
status: vDeviceStatus,
|
|
84
85
|
userId: v.optional(v.id("User")),
|
|
85
86
|
sessionId: v.optional(v.id("Session")),
|
|
86
87
|
lastPolledAt: v.optional(v.number())
|
|
@@ -95,10 +96,7 @@ var schema_default = defineSchema({
|
|
|
95
96
|
slug: v.optional(v.string()),
|
|
96
97
|
type: v.optional(v.string()),
|
|
97
98
|
parentGroupId: v.optional(v.id("Group")),
|
|
98
|
-
tags: v.optional(v.array(
|
|
99
|
-
key: v.string(),
|
|
100
|
-
value: v.string()
|
|
101
|
-
}))),
|
|
99
|
+
tags: v.optional(v.array(vTag)),
|
|
102
100
|
extend: v.optional(v.any())
|
|
103
101
|
}).index("slug", ["slug"]).index("parent_group_id", ["parentGroupId"]).index("type", ["type"]).index("type_parent_group_id", ["type", "parentGroupId"]),
|
|
104
102
|
GroupTag: defineTable({
|
|
@@ -110,6 +108,7 @@ var schema_default = defineSchema({
|
|
|
110
108
|
groupId: v.id("Group"),
|
|
111
109
|
userId: v.id("User"),
|
|
112
110
|
role: v.optional(v.string()),
|
|
111
|
+
roleIds: v.optional(v.array(v.string())),
|
|
113
112
|
status: v.optional(v.string()),
|
|
114
113
|
extend: v.optional(v.any())
|
|
115
114
|
}).index("group_id", ["groupId"]).index("group_id_user_id", ["groupId", "userId"]).index("user_id", ["userId"]),
|
|
@@ -119,21 +118,19 @@ var schema_default = defineSchema({
|
|
|
119
118
|
email: v.optional(v.string()),
|
|
120
119
|
tokenHash: v.string(),
|
|
121
120
|
role: v.optional(v.string()),
|
|
122
|
-
|
|
121
|
+
roleIds: v.optional(v.array(v.string())),
|
|
122
|
+
status: vInviteStatus,
|
|
123
123
|
expiresTime: v.optional(v.number()),
|
|
124
124
|
acceptedByUserId: v.optional(v.id("User")),
|
|
125
125
|
acceptedTime: v.optional(v.number()),
|
|
126
126
|
extend: v.optional(v.any())
|
|
127
|
-
}).index("token_hash", ["tokenHash"]).index("status", ["status"]).index("email_status", ["email", "status"]).index("invited_by_user_id_status", ["invitedByUserId", "status"]).index("group_id", ["groupId"]).index("group_id_status", ["groupId", "status"])
|
|
128
|
-
"role",
|
|
129
|
-
"status",
|
|
130
|
-
"acceptedByUserId"
|
|
131
|
-
]),
|
|
127
|
+
}).index("token_hash", ["tokenHash"]).index("status", ["status"]).index("email_status", ["email", "status"]).index("invited_by_user_id_status", ["invitedByUserId", "status"]).index("group_id", ["groupId"]).index("group_id_status", ["groupId", "status"]),
|
|
132
128
|
Enterprise: defineTable({
|
|
133
129
|
groupId: v.id("Group"),
|
|
134
130
|
slug: v.optional(v.string()),
|
|
135
131
|
name: v.optional(v.string()),
|
|
136
|
-
status:
|
|
132
|
+
status: vEnterpriseStatus,
|
|
133
|
+
policy: v.optional(vEnterprisePolicy),
|
|
137
134
|
config: v.optional(v.any()),
|
|
138
135
|
extend: v.optional(v.any())
|
|
139
136
|
}).index("group_id", ["groupId"]).index("slug", ["slug"]).index("status", ["status"]),
|
|
@@ -144,20 +141,37 @@ var schema_default = defineSchema({
|
|
|
144
141
|
isPrimary: v.boolean(),
|
|
145
142
|
verifiedAt: v.optional(v.number())
|
|
146
143
|
}).index("enterprise_id", ["enterpriseId"]).index("group_id", ["groupId"]).index("domain", ["domain"]),
|
|
144
|
+
EnterpriseDomainVerification: defineTable({
|
|
145
|
+
enterpriseId: v.id("Enterprise"),
|
|
146
|
+
groupId: v.id("Group"),
|
|
147
|
+
domainId: v.id("EnterpriseDomain"),
|
|
148
|
+
domain: v.string(),
|
|
149
|
+
recordName: v.string(),
|
|
150
|
+
token: v.string(),
|
|
151
|
+
tokenHash: v.string(),
|
|
152
|
+
requestedAt: v.number(),
|
|
153
|
+
expiresAt: v.number()
|
|
154
|
+
}).index("enterprise_id", ["enterpriseId"]).index("domain_id", ["domainId"]).index("token_hash", ["tokenHash"]),
|
|
155
|
+
EnterpriseSecret: defineTable({
|
|
156
|
+
enterpriseId: v.id("Enterprise"),
|
|
157
|
+
groupId: v.id("Group"),
|
|
158
|
+
kind: vEnterpriseSecretKind,
|
|
159
|
+
ciphertext: v.string(),
|
|
160
|
+
updatedAt: v.number()
|
|
161
|
+
}).index("enterprise_id", ["enterpriseId"]).index("enterprise_id_kind", ["enterpriseId", "kind"]).index("group_id", ["groupId"]),
|
|
147
162
|
EnterpriseScimConfig: defineTable({
|
|
148
163
|
enterpriseId: v.id("Enterprise"),
|
|
149
164
|
groupId: v.id("Group"),
|
|
150
|
-
status:
|
|
165
|
+
status: vScimStatus,
|
|
151
166
|
basePath: v.string(),
|
|
152
167
|
tokenHash: v.string(),
|
|
153
168
|
lastRotatedAt: v.optional(v.number()),
|
|
154
|
-
deprovisionMode: v.optional(v.union(v.literal("soft"), v.literal("hard"))),
|
|
155
169
|
extend: v.optional(v.any())
|
|
156
170
|
}).index("enterprise_id", ["enterpriseId"]).index("group_id", ["groupId"]).index("token_hash", ["tokenHash"]).index("status", ["status"]),
|
|
157
171
|
EnterpriseScimIdentity: defineTable({
|
|
158
172
|
enterpriseId: v.id("Enterprise"),
|
|
159
173
|
groupId: v.id("Group"),
|
|
160
|
-
resourceType:
|
|
174
|
+
resourceType: vScimResourceType,
|
|
161
175
|
externalId: v.string(),
|
|
162
176
|
userId: v.optional(v.id("User")),
|
|
163
177
|
mappedGroupId: v.optional(v.id("Group")),
|
|
@@ -168,16 +182,16 @@ var schema_default = defineSchema({
|
|
|
168
182
|
"enterpriseId",
|
|
169
183
|
"resourceType",
|
|
170
184
|
"externalId"
|
|
171
|
-
]).index("user_id", ["userId"]).index("mapped_group_id", ["mappedGroupId"]),
|
|
185
|
+
]).index("enterprise_id_user_id", ["enterpriseId", "userId"]).index("user_id", ["userId"]).index("mapped_group_id", ["mappedGroupId"]),
|
|
172
186
|
EnterpriseAuditEvent: defineTable({
|
|
173
187
|
enterpriseId: v.id("Enterprise"),
|
|
174
188
|
groupId: v.id("Group"),
|
|
175
189
|
eventType: v.string(),
|
|
176
|
-
actorType:
|
|
190
|
+
actorType: vAuditActorType,
|
|
177
191
|
actorId: v.optional(v.string()),
|
|
178
192
|
subjectType: v.string(),
|
|
179
193
|
subjectId: v.optional(v.string()),
|
|
180
|
-
status:
|
|
194
|
+
status: vAuditStatus,
|
|
181
195
|
occurredAt: v.number(),
|
|
182
196
|
requestId: v.optional(v.string()),
|
|
183
197
|
ip: v.optional(v.string()),
|
|
@@ -187,7 +201,7 @@ var schema_default = defineSchema({
|
|
|
187
201
|
enterpriseId: v.id("Enterprise"),
|
|
188
202
|
groupId: v.id("Group"),
|
|
189
203
|
url: v.string(),
|
|
190
|
-
status:
|
|
204
|
+
status: vWebhookEndpointStatus,
|
|
191
205
|
secretHash: v.string(),
|
|
192
206
|
subscriptions: v.array(v.string()),
|
|
193
207
|
createdByUserId: v.optional(v.id("User")),
|
|
@@ -201,7 +215,7 @@ var schema_default = defineSchema({
|
|
|
201
215
|
endpointId: v.id("EnterpriseWebhookEndpoint"),
|
|
202
216
|
auditEventId: v.optional(v.id("EnterpriseAuditEvent")),
|
|
203
217
|
eventType: v.string(),
|
|
204
|
-
status:
|
|
218
|
+
status: vWebhookDeliveryStatus,
|
|
205
219
|
attemptCount: v.number(),
|
|
206
220
|
nextAttemptAt: v.number(),
|
|
207
221
|
lastAttemptAt: v.optional(v.number()),
|
|
@@ -214,18 +228,9 @@ var schema_default = defineSchema({
|
|
|
214
228
|
prefix: v.string(),
|
|
215
229
|
hashedKey: v.string(),
|
|
216
230
|
name: v.string(),
|
|
217
|
-
scopes: v.array(
|
|
218
|
-
|
|
219
|
-
|
|
220
|
-
})),
|
|
221
|
-
rateLimit: v.optional(v.object({
|
|
222
|
-
maxRequests: v.number(),
|
|
223
|
-
windowMs: v.number()
|
|
224
|
-
})),
|
|
225
|
-
rateLimitState: v.optional(v.object({
|
|
226
|
-
attemptsLeft: v.number(),
|
|
227
|
-
lastAttemptTime: v.number()
|
|
228
|
-
})),
|
|
231
|
+
scopes: v.array(vApiKeyScope),
|
|
232
|
+
rateLimit: v.optional(vApiKeyRateLimit),
|
|
233
|
+
rateLimitState: v.optional(vApiKeyRateLimitState),
|
|
229
234
|
expiresAt: v.optional(v.number()),
|
|
230
235
|
lastUsedAt: v.optional(v.number()),
|
|
231
236
|
createdAt: v.number(),
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"schema.js","names":[],"sources":["../../src/component/schema.ts"],"sourcesContent":["import { defineSchema, defineTable } from \"convex/server\";\nimport { v } from \"convex/values\";\n\n/**\n * Schema for the auth component.\n *\n * Contains tables for core authentication (users, sessions, accounts, tokens,\n * verification codes, PKCE verifiers, rate limits) and hierarchical group\n * management (groups, members, invites).\n */\nexport default defineSchema({\n /**\n * Authenticated users. A user may have multiple linked accounts\n * and multiple concurrent sessions.\n */\n User: defineTable({\n name: v.optional(v.string()),\n image: v.optional(v.string()),\n email: v.optional(v.string()),\n emailVerificationTime: v.optional(v.number()),\n phone: v.optional(v.string()),\n phoneVerificationTime: v.optional(v.number()),\n isAnonymous: v.optional(v.boolean()),\n extend: v.optional(v.any()),\n })\n .index(\"email\", [\"email\"])\n .index(\"phone\", [\"phone\"]),\n\n /**\n * Active sessions. A single user can have multiple concurrent sessions\n * across different devices or browsers. Sessions expire after a\n * configurable duration.\n */\n Session: defineTable({\n userId: v.id(\"User\"),\n expirationTime: v.number(),\n }).index(\"user_id\", [\"userId\"]),\n\n /**\n * Authentication accounts. Each account links a user to a single\n * authentication provider (e.g. Google OAuth, email/password).\n * A user can have multiple accounts linked.\n */\n Account: defineTable({\n userId: v.id(\"User\"),\n provider: v.string(),\n providerAccountId: v.string(),\n secret: v.optional(v.string()),\n emailVerified: v.optional(v.string()),\n phoneVerified: v.optional(v.string()),\n extend: v.optional(v.any()),\n })\n .index(\"user_id_provider\", [\"userId\", \"provider\"])\n .index(\"provider_account_id\", [\"provider\", \"providerAccountId\"]),\n\n /**\n * Refresh tokens for session continuity. Tokens are single-use and form\n * a chain — each token references the one it was exchanged from.\n *\n * The active refresh token is the most recently created token that has not\n * been used yet. A 10-second reuse window allows for concurrent requests.\n * Any invalid use of a token invalidates the entire chain.\n */\n RefreshToken: defineTable({\n sessionId: v.id(\"Session\"),\n expirationTime: v.number(),\n firstUsedTime: v.optional(v.number()),\n parentRefreshTokenId: v.optional(v.id(\"RefreshToken\")),\n })\n .index(\"session_id\", [\"sessionId\"])\n .index(\"session_id_parent_refresh_token_id\", [\n \"sessionId\",\n \"parentRefreshTokenId\",\n ]),\n\n /**\n * Verification codes for OTP tokens, magic link tokens, and OAuth codes.\n */\n VerificationCode: defineTable({\n accountId: v.id(\"Account\"),\n provider: v.string(),\n code: v.string(),\n expirationTime: v.number(),\n verifier: v.optional(v.string()),\n emailVerified: v.optional(v.string()),\n phoneVerified: v.optional(v.string()),\n })\n .index(\"account_id\", [\"accountId\"])\n .index(\"code\", [\"code\"]),\n\n /**\n * PKCE verifiers for OAuth flows. Stores the cryptographic verifier\n * used to prove the authorization request originated from this client.\n */\n AuthVerifier: defineTable({\n sessionId: v.optional(v.id(\"Session\")),\n signature: v.optional(v.string()),\n }).index(\"signature\", [\"signature\"]),\n\n /**\n * WebAuthn passkey credentials. Each credential links a user to a\n * registered authenticator (Touch ID, Face ID, security key, etc.).\n * A user can have multiple passkeys across different devices.\n */\n Passkey: defineTable({\n userId: v.id(\"User\"),\n /** Base64url-encoded credential ID from the authenticator. */\n credentialId: v.string(),\n /** Public key bytes (SEC1 uncompressed for EC, SPKI for RSA). */\n publicKey: v.bytes(),\n /** COSE algorithm identifier (-7 for ES256, -257 for RS256, -8 for EdDSA). */\n algorithm: v.number(),\n /** Signature counter for clone detection. Many authenticators return 0. */\n counter: v.number(),\n /** Authenticator transport hints (e.g. \"internal\", \"hybrid\", \"usb\", \"ble\", \"nfc\"). */\n transports: v.optional(v.array(v.string())),\n /** Whether this is a single-device or multi-device (synced) credential. */\n deviceType: v.string(),\n /** Whether the credential is backed up (synced passkey). */\n backedUp: v.boolean(),\n /** User-assigned friendly name (e.g. \"MacBook Touch ID\"). */\n name: v.optional(v.string()),\n createdAt: v.number(),\n lastUsedAt: v.optional(v.number()),\n })\n .index(\"user_id\", [\"userId\"])\n .index(\"credential_id\", [\"credentialId\"]),\n\n /**\n * TOTP two-factor authentication secrets. Each record links a user to\n * an authenticator app. A user can have multiple TOTP enrollments\n * (e.g. different authenticator apps) but typically has one.\n *\n * The `verified` flag indicates whether the user has completed setup\n * by successfully entering a code from their authenticator app.\n * Unverified enrollments are in-progress setup that can be discarded.\n */\n TotpFactor: defineTable({\n userId: v.id(\"User\"),\n /** Raw TOTP secret key bytes. */\n secret: v.bytes(),\n /** Number of digits in each code (typically 6). */\n digits: v.number(),\n /** Time period in seconds for code rotation (typically 30). */\n period: v.number(),\n /** Whether setup has been confirmed with a valid code. */\n verified: v.boolean(),\n /** User-assigned friendly name (e.g. \"Google Authenticator\"). */\n name: v.optional(v.string()),\n createdAt: v.number(),\n lastUsedAt: v.optional(v.number()),\n }).index(\"user_id\", [\"userId\"]),\n\n /**\n * Device authorization codes (RFC 8628). Each record tracks a pending\n * device auth session — the device polls with `deviceCode` while the\n * user authorizes via `userCode` on a secondary device.\n */\n DeviceCode: defineTable({\n /** High-entropy code used by the device for polling. Stored as SHA-256 hash. */\n deviceCodeHash: v.string(),\n /** Short human-readable code the user enters (e.g. \"WDJB-MJHT\"). */\n userCode: v.string(),\n /** Expiration timestamp (ms since epoch). */\n expiresAt: v.number(),\n /** Minimum polling interval in seconds. */\n interval: v.number(),\n /** Current status of this device authorization session. */\n status: v.union(\n v.literal(\"pending\"),\n v.literal(\"authorized\"),\n v.literal(\"denied\"),\n ),\n /** Set when the user authorizes — links to the authorizing user. */\n userId: v.optional(v.id(\"User\")),\n /** Set when the user authorizes — the session created for the device. */\n sessionId: v.optional(v.id(\"Session\")),\n /** Timestamp of the last poll request (for slow_down enforcement). */\n lastPolledAt: v.optional(v.number()),\n })\n .index(\"device_code_hash\", [\"deviceCodeHash\"])\n .index(\"user_code_status\", [\"userCode\", \"status\"]),\n\n /**\n * Rate limit tracking for OTP and password sign-in attempts.\n */\n RateLimit: defineTable({\n identifier: v.string(),\n last_attempt_time: v.number(),\n attempts_left: v.number(),\n }).index(\"by_identifier\", [\"identifier\"]),\n\n /**\n * Hierarchical groups. A group with no `parentGroupId` is a root group.\n * Groups can nest arbitrarily deep via `parentGroupId` for modeling\n * organizations, teams, departments, or any tree structure.\n */\n Group: defineTable({\n name: v.string(),\n slug: v.optional(v.string()),\n type: v.optional(v.string()),\n parentGroupId: v.optional(v.id(\"Group\")),\n /** Faceted classification tags. Normalized at write time (trimmed, lowercased). */\n tags: v.optional(v.array(v.object({ key: v.string(), value: v.string() }))),\n extend: v.optional(v.any()),\n })\n .index(\"slug\", [\"slug\"])\n .index(\"parent_group_id\", [\"parentGroupId\"])\n .index(\"type\", [\"type\"])\n .index(\"type_parent_group_id\", [\"type\", \"parentGroupId\"]),\n\n /**\n * Denormalized group-tag index table for efficient tag-based filtering.\n * Each row maps one `(key, value)` pair to a group. Kept in sync by\n * `groupCreate`, `groupUpdate`, and `groupDelete`.\n */\n GroupTag: defineTable({\n group_id: v.id(\"Group\"),\n key: v.string(),\n value: v.string(),\n })\n .index(\"by_group\", [\"group_id\"])\n .index(\"by_key_value\", [\"key\", \"value\"])\n .index(\"by_key\", [\"key\"]),\n\n /**\n * Group membership. Links a user to a group with an application-defined\n * role (e.g. \"owner\", \"admin\", \"member\", \"viewer\"). A user can be a\n * member of multiple groups with different roles in each.\n */\n GroupMember: defineTable({\n groupId: v.id(\"Group\"),\n userId: v.id(\"User\"),\n role: v.optional(v.string()),\n status: v.optional(v.string()),\n extend: v.optional(v.any()),\n })\n .index(\"group_id\", [\"groupId\"])\n .index(\"group_id_user_id\", [\"groupId\", \"userId\"])\n .index(\"user_id\", [\"userId\"]),\n\n /**\n * Invitations. Tracks pending, accepted, revoked, and expired\n * invitations. Optionally scoped to a group via `groupId`, or\n * platform-level when `groupId` is omitted.\n *\n * `email` and `invitedByUserId` are optional to support CLI-generated\n * invite links where neither is known upfront.\n */\n GroupInvite: defineTable({\n groupId: v.optional(v.id(\"Group\")),\n invitedByUserId: v.optional(v.id(\"User\")),\n email: v.optional(v.string()),\n tokenHash: v.string(),\n role: v.optional(v.string()),\n status: v.union(\n v.literal(\"pending\"),\n v.literal(\"accepted\"),\n v.literal(\"revoked\"),\n v.literal(\"expired\"),\n ),\n expiresTime: v.optional(v.number()),\n acceptedByUserId: v.optional(v.id(\"User\")),\n acceptedTime: v.optional(v.number()),\n extend: v.optional(v.any()),\n })\n .index(\"token_hash\", [\"tokenHash\"])\n .index(\"status\", [\"status\"])\n .index(\"email_status\", [\"email\", \"status\"])\n .index(\"invited_by_user_id_status\", [\"invitedByUserId\", \"status\"])\n .index(\"group_id\", [\"groupId\"])\n .index(\"group_id_status\", [\"groupId\", \"status\"])\n .index(\"role_status_accepted_by_user_id\", [\n \"role\",\n \"status\",\n \"acceptedByUserId\",\n ]),\n\n /**\n * Enterprise configuration attached to a root group/organization.\n *\n * The `config` payload intentionally stays flexible so the headless enterprise\n * SDK can evolve without forcing schema churn for every protocol-specific\n * field addition.\n */\n Enterprise: defineTable({\n groupId: v.id(\"Group\"),\n slug: v.optional(v.string()),\n name: v.optional(v.string()),\n status: v.union(\n v.literal(\"draft\"),\n v.literal(\"active\"),\n v.literal(\"disabled\"),\n ),\n config: v.optional(v.any()),\n extend: v.optional(v.any()),\n })\n .index(\"group_id\", [\"groupId\"])\n .index(\"slug\", [\"slug\"])\n .index(\"status\", [\"status\"]),\n\n /**\n * Verified or pending domains linked to an enterprise record.\n */\n EnterpriseDomain: defineTable({\n enterpriseId: v.id(\"Enterprise\"),\n groupId: v.id(\"Group\"),\n domain: v.string(),\n isPrimary: v.boolean(),\n verifiedAt: v.optional(v.number()),\n })\n .index(\"enterprise_id\", [\"enterpriseId\"])\n .index(\"group_id\", [\"groupId\"])\n .index(\"domain\", [\"domain\"]),\n\n /**\n * SCIM configuration for an enterprise tenant.\n */\n EnterpriseScimConfig: defineTable({\n enterpriseId: v.id(\"Enterprise\"),\n groupId: v.id(\"Group\"),\n status: v.union(\n v.literal(\"draft\"),\n v.literal(\"active\"),\n v.literal(\"disabled\"),\n ),\n basePath: v.string(),\n tokenHash: v.string(),\n lastRotatedAt: v.optional(v.number()),\n deprovisionMode: v.optional(v.union(v.literal(\"soft\"), v.literal(\"hard\"))),\n extend: v.optional(v.any()),\n })\n .index(\"enterprise_id\", [\"enterpriseId\"])\n .index(\"group_id\", [\"groupId\"])\n .index(\"token_hash\", [\"tokenHash\"])\n .index(\"status\", [\"status\"]),\n\n /**\n * External SCIM identities mapped into local users/groups.\n */\n EnterpriseScimIdentity: defineTable({\n enterpriseId: v.id(\"Enterprise\"),\n groupId: v.id(\"Group\"),\n resourceType: v.union(v.literal(\"user\"), v.literal(\"group\")),\n externalId: v.string(),\n userId: v.optional(v.id(\"User\")),\n mappedGroupId: v.optional(v.id(\"Group\")),\n lastProvisionedAt: v.optional(v.number()),\n active: v.optional(v.boolean()),\n raw: v.optional(v.any()),\n })\n .index(\"enterprise_id\", [\"enterpriseId\"])\n .index(\"group_id\", [\"groupId\"])\n .index(\"enterprise_id_resource_type_external_id\", [\n \"enterpriseId\",\n \"resourceType\",\n \"externalId\",\n ])\n .index(\"user_id\", [\"userId\"])\n .index(\"mapped_group_id\", [\"mappedGroupId\"]),\n\n /**\n * Immutable audit trail for enterprise operations.\n */\n EnterpriseAuditEvent: defineTable({\n enterpriseId: v.id(\"Enterprise\"),\n groupId: v.id(\"Group\"),\n eventType: v.string(),\n actorType: v.union(\n v.literal(\"user\"),\n v.literal(\"system\"),\n v.literal(\"scim\"),\n v.literal(\"api_key\"),\n v.literal(\"webhook\"),\n ),\n actorId: v.optional(v.string()),\n subjectType: v.string(),\n subjectId: v.optional(v.string()),\n status: v.union(v.literal(\"success\"), v.literal(\"failure\")),\n occurredAt: v.number(),\n requestId: v.optional(v.string()),\n ip: v.optional(v.string()),\n metadata: v.optional(v.any()),\n })\n .index(\"enterprise_id_occurred_at\", [\"enterpriseId\", \"occurredAt\"])\n .index(\"group_id_occurred_at\", [\"groupId\", \"occurredAt\"])\n .index(\"event_type_occurred_at\", [\"eventType\", \"occurredAt\"]),\n\n /**\n * Webhook endpoints subscribed to enterprise audit and lifecycle events.\n */\n EnterpriseWebhookEndpoint: defineTable({\n enterpriseId: v.id(\"Enterprise\"),\n groupId: v.id(\"Group\"),\n url: v.string(),\n status: v.union(v.literal(\"active\"), v.literal(\"disabled\")),\n secretHash: v.string(),\n subscriptions: v.array(v.string()),\n createdByUserId: v.optional(v.id(\"User\")),\n lastSuccessAt: v.optional(v.number()),\n lastFailureAt: v.optional(v.number()),\n failureCount: v.number(),\n extend: v.optional(v.any()),\n })\n .index(\"enterprise_id\", [\"enterpriseId\"])\n .index(\"group_id\", [\"groupId\"])\n .index(\"status\", [\"status\"]),\n\n /**\n * Delivery queue for outbound enterprise webhooks.\n */\n EnterpriseWebhookDelivery: defineTable({\n enterpriseId: v.id(\"Enterprise\"),\n endpointId: v.id(\"EnterpriseWebhookEndpoint\"),\n auditEventId: v.optional(v.id(\"EnterpriseAuditEvent\")),\n eventType: v.string(),\n status: v.union(\n v.literal(\"pending\"),\n v.literal(\"processing\"),\n v.literal(\"delivered\"),\n v.literal(\"failed\"),\n ),\n attemptCount: v.number(),\n nextAttemptAt: v.number(),\n lastAttemptAt: v.optional(v.number()),\n lastResponseStatus: v.optional(v.number()),\n lastError: v.optional(v.string()),\n payload: v.any(),\n })\n .index(\"enterprise_id\", [\"enterpriseId\"])\n .index(\"status_next_attempt_at\", [\"status\", \"nextAttemptAt\"])\n .index(\"endpoint_id_status\", [\"endpointId\", \"status\"])\n .index(\"audit_event_id\", [\"auditEventId\"]),\n\n /**\n * API keys for programmatic access. Each key links a user to a set of\n * scoped permissions and optional per-key rate limiting.\n *\n * The raw key is never stored — only a SHA-256 hash. A short prefix\n * (e.g. \"sk_abc1...\") is kept for display in admin interfaces.\n *\n * Keys support:\n * - **Scoped permissions**: resource:action pairs (e.g. users:read)\n * - **Per-key rate limiting**: token-bucket with configurable window\n * - **Expiration**: optional TTL\n * - **Soft revocation**: `revoked` flag preserves audit trail\n */\n ApiKey: defineTable({\n userId: v.id(\"User\"),\n /** First chars of the key for display (e.g. \"sk_abc1...\"). */\n prefix: v.string(),\n /** SHA-256 hex hash of the full raw key. */\n hashedKey: v.string(),\n /** User-assigned name (e.g. \"CI Pipeline\", \"Production API\"). */\n name: v.string(),\n /** Scoped permissions: [{ resource: \"users\", actions: [\"read\", \"list\"] }]. */\n scopes: v.array(\n v.object({\n resource: v.string(),\n actions: v.array(v.string()),\n }),\n ),\n /** Optional per-key rate limit configuration. */\n rateLimit: v.optional(\n v.object({\n maxRequests: v.number(),\n windowMs: v.number(),\n }),\n ),\n /** Rate limit state tracking (token-bucket). */\n rateLimitState: v.optional(\n v.object({\n attemptsLeft: v.number(),\n lastAttemptTime: v.number(),\n }),\n ),\n /** Expiration timestamp. Null/undefined = never expires. */\n expiresAt: v.optional(v.number()),\n lastUsedAt: v.optional(v.number()),\n createdAt: v.number(),\n /** Soft-revoke flag. Revoked keys are kept for audit trail. */\n revoked: v.boolean(),\n /** Arbitrary app-specific metadata attached to the key. */\n metadata: v.optional(v.any()),\n })\n .index(\"user_id\", [\"userId\"])\n .index(\"hashed_key\", [\"hashedKey\"]),\n});\n"],"mappings":";;;;;;;;;;;AAUA,qBAAe,aAAa;CAK1B,MAAM,YAAY;EAChB,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC5B,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC7B,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC7B,uBAAuB,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC7C,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC7B,uBAAuB,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC7C,aAAa,EAAE,SAAS,EAAE,SAAS,CAAC;EACpC,QAAQ,EAAE,SAAS,EAAE,KAAK,CAAC;EAC5B,CAAC,CACC,MAAM,SAAS,CAAC,QAAQ,CAAC,CACzB,MAAM,SAAS,CAAC,QAAQ,CAAC;CAO5B,SAAS,YAAY;EACnB,QAAQ,EAAE,GAAG,OAAO;EACpB,gBAAgB,EAAE,QAAQ;EAC3B,CAAC,CAAC,MAAM,WAAW,CAAC,SAAS,CAAC;CAO/B,SAAS,YAAY;EACnB,QAAQ,EAAE,GAAG,OAAO;EACpB,UAAU,EAAE,QAAQ;EACpB,mBAAmB,EAAE,QAAQ;EAC7B,QAAQ,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC9B,eAAe,EAAE,SAAS,EAAE,QAAQ,CAAC;EACrC,eAAe,EAAE,SAAS,EAAE,QAAQ,CAAC;EACrC,QAAQ,EAAE,SAAS,EAAE,KAAK,CAAC;EAC5B,CAAC,CACC,MAAM,oBAAoB,CAAC,UAAU,WAAW,CAAC,CACjD,MAAM,uBAAuB,CAAC,YAAY,oBAAoB,CAAC;CAUlE,cAAc,YAAY;EACxB,WAAW,EAAE,GAAG,UAAU;EAC1B,gBAAgB,EAAE,QAAQ;EAC1B,eAAe,EAAE,SAAS,EAAE,QAAQ,CAAC;EACrC,sBAAsB,EAAE,SAAS,EAAE,GAAG,eAAe,CAAC;EACvD,CAAC,CACC,MAAM,cAAc,CAAC,YAAY,CAAC,CAClC,MAAM,sCAAsC,CAC3C,aACA,uBACD,CAAC;CAKJ,kBAAkB,YAAY;EAC5B,WAAW,EAAE,GAAG,UAAU;EAC1B,UAAU,EAAE,QAAQ;EACpB,MAAM,EAAE,QAAQ;EAChB,gBAAgB,EAAE,QAAQ;EAC1B,UAAU,EAAE,SAAS,EAAE,QAAQ,CAAC;EAChC,eAAe,EAAE,SAAS,EAAE,QAAQ,CAAC;EACrC,eAAe,EAAE,SAAS,EAAE,QAAQ,CAAC;EACtC,CAAC,CACC,MAAM,cAAc,CAAC,YAAY,CAAC,CAClC,MAAM,QAAQ,CAAC,OAAO,CAAC;CAM1B,cAAc,YAAY;EACxB,WAAW,EAAE,SAAS,EAAE,GAAG,UAAU,CAAC;EACtC,WAAW,EAAE,SAAS,EAAE,QAAQ,CAAC;EAClC,CAAC,CAAC,MAAM,aAAa,CAAC,YAAY,CAAC;CAOpC,SAAS,YAAY;EACnB,QAAQ,EAAE,GAAG,OAAO;EAEpB,cAAc,EAAE,QAAQ;EAExB,WAAW,EAAE,OAAO;EAEpB,WAAW,EAAE,QAAQ;EAErB,SAAS,EAAE,QAAQ;EAEnB,YAAY,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;EAE3C,YAAY,EAAE,QAAQ;EAEtB,UAAU,EAAE,SAAS;EAErB,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC5B,WAAW,EAAE,QAAQ;EACrB,YAAY,EAAE,SAAS,EAAE,QAAQ,CAAC;EACnC,CAAC,CACC,MAAM,WAAW,CAAC,SAAS,CAAC,CAC5B,MAAM,iBAAiB,CAAC,eAAe,CAAC;CAW3C,YAAY,YAAY;EACtB,QAAQ,EAAE,GAAG,OAAO;EAEpB,QAAQ,EAAE,OAAO;EAEjB,QAAQ,EAAE,QAAQ;EAElB,QAAQ,EAAE,QAAQ;EAElB,UAAU,EAAE,SAAS;EAErB,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC5B,WAAW,EAAE,QAAQ;EACrB,YAAY,EAAE,SAAS,EAAE,QAAQ,CAAC;EACnC,CAAC,CAAC,MAAM,WAAW,CAAC,SAAS,CAAC;CAO/B,YAAY,YAAY;EAEtB,gBAAgB,EAAE,QAAQ;EAE1B,UAAU,EAAE,QAAQ;EAEpB,WAAW,EAAE,QAAQ;EAErB,UAAU,EAAE,QAAQ;EAEpB,QAAQ,EAAE,MACR,EAAE,QAAQ,UAAU,EACpB,EAAE,QAAQ,aAAa,EACvB,EAAE,QAAQ,SAAS,CACpB;EAED,QAAQ,EAAE,SAAS,EAAE,GAAG,OAAO,CAAC;EAEhC,WAAW,EAAE,SAAS,EAAE,GAAG,UAAU,CAAC;EAEtC,cAAc,EAAE,SAAS,EAAE,QAAQ,CAAC;EACrC,CAAC,CACC,MAAM,oBAAoB,CAAC,iBAAiB,CAAC,CAC7C,MAAM,oBAAoB,CAAC,YAAY,SAAS,CAAC;CAKpD,WAAW,YAAY;EACrB,YAAY,EAAE,QAAQ;EACtB,mBAAmB,EAAE,QAAQ;EAC7B,eAAe,EAAE,QAAQ;EAC1B,CAAC,CAAC,MAAM,iBAAiB,CAAC,aAAa,CAAC;CAOzC,OAAO,YAAY;EACjB,MAAM,EAAE,QAAQ;EAChB,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC5B,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC5B,eAAe,EAAE,SAAS,EAAE,GAAG,QAAQ,CAAC;EAExC,MAAM,EAAE,SAAS,EAAE,MAAM,EAAE,OAAO;GAAE,KAAK,EAAE,QAAQ;GAAE,OAAO,EAAE,QAAQ;GAAE,CAAC,CAAC,CAAC;EAC3E,QAAQ,EAAE,SAAS,EAAE,KAAK,CAAC;EAC5B,CAAC,CACC,MAAM,QAAQ,CAAC,OAAO,CAAC,CACvB,MAAM,mBAAmB,CAAC,gBAAgB,CAAC,CAC3C,MAAM,QAAQ,CAAC,OAAO,CAAC,CACvB,MAAM,wBAAwB,CAAC,QAAQ,gBAAgB,CAAC;CAO3D,UAAU,YAAY;EACpB,UAAU,EAAE,GAAG,QAAQ;EACvB,KAAK,EAAE,QAAQ;EACf,OAAO,EAAE,QAAQ;EAClB,CAAC,CACC,MAAM,YAAY,CAAC,WAAW,CAAC,CAC/B,MAAM,gBAAgB,CAAC,OAAO,QAAQ,CAAC,CACvC,MAAM,UAAU,CAAC,MAAM,CAAC;CAO3B,aAAa,YAAY;EACvB,SAAS,EAAE,GAAG,QAAQ;EACtB,QAAQ,EAAE,GAAG,OAAO;EACpB,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC5B,QAAQ,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC9B,QAAQ,EAAE,SAAS,EAAE,KAAK,CAAC;EAC5B,CAAC,CACC,MAAM,YAAY,CAAC,UAAU,CAAC,CAC9B,MAAM,oBAAoB,CAAC,WAAW,SAAS,CAAC,CAChD,MAAM,WAAW,CAAC,SAAS,CAAC;CAU/B,aAAa,YAAY;EACvB,SAAS,EAAE,SAAS,EAAE,GAAG,QAAQ,CAAC;EAClC,iBAAiB,EAAE,SAAS,EAAE,GAAG,OAAO,CAAC;EACzC,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC7B,WAAW,EAAE,QAAQ;EACrB,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC5B,QAAQ,EAAE,MACR,EAAE,QAAQ,UAAU,EACpB,EAAE,QAAQ,WAAW,EACrB,EAAE,QAAQ,UAAU,EACpB,EAAE,QAAQ,UAAU,CACrB;EACD,aAAa,EAAE,SAAS,EAAE,QAAQ,CAAC;EACnC,kBAAkB,EAAE,SAAS,EAAE,GAAG,OAAO,CAAC;EAC1C,cAAc,EAAE,SAAS,EAAE,QAAQ,CAAC;EACpC,QAAQ,EAAE,SAAS,EAAE,KAAK,CAAC;EAC5B,CAAC,CACC,MAAM,cAAc,CAAC,YAAY,CAAC,CAClC,MAAM,UAAU,CAAC,SAAS,CAAC,CAC3B,MAAM,gBAAgB,CAAC,SAAS,SAAS,CAAC,CAC1C,MAAM,6BAA6B,CAAC,mBAAmB,SAAS,CAAC,CACjE,MAAM,YAAY,CAAC,UAAU,CAAC,CAC9B,MAAM,mBAAmB,CAAC,WAAW,SAAS,CAAC,CAC/C,MAAM,mCAAmC;EACxC;EACA;EACA;EACD,CAAC;CASJ,YAAY,YAAY;EACtB,SAAS,EAAE,GAAG,QAAQ;EACtB,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC5B,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC5B,QAAQ,EAAE,MACR,EAAE,QAAQ,QAAQ,EAClB,EAAE,QAAQ,SAAS,EACnB,EAAE,QAAQ,WAAW,CACtB;EACD,QAAQ,EAAE,SAAS,EAAE,KAAK,CAAC;EAC3B,QAAQ,EAAE,SAAS,EAAE,KAAK,CAAC;EAC5B,CAAC,CACC,MAAM,YAAY,CAAC,UAAU,CAAC,CAC9B,MAAM,QAAQ,CAAC,OAAO,CAAC,CACvB,MAAM,UAAU,CAAC,SAAS,CAAC;CAK9B,kBAAkB,YAAY;EAC5B,cAAc,EAAE,GAAG,aAAa;EAChC,SAAS,EAAE,GAAG,QAAQ;EACtB,QAAQ,EAAE,QAAQ;EAClB,WAAW,EAAE,SAAS;EACtB,YAAY,EAAE,SAAS,EAAE,QAAQ,CAAC;EACnC,CAAC,CACC,MAAM,iBAAiB,CAAC,eAAe,CAAC,CACxC,MAAM,YAAY,CAAC,UAAU,CAAC,CAC9B,MAAM,UAAU,CAAC,SAAS,CAAC;CAK9B,sBAAsB,YAAY;EAChC,cAAc,EAAE,GAAG,aAAa;EAChC,SAAS,EAAE,GAAG,QAAQ;EACtB,QAAQ,EAAE,MACR,EAAE,QAAQ,QAAQ,EAClB,EAAE,QAAQ,SAAS,EACnB,EAAE,QAAQ,WAAW,CACtB;EACD,UAAU,EAAE,QAAQ;EACpB,WAAW,EAAE,QAAQ;EACrB,eAAe,EAAE,SAAS,EAAE,QAAQ,CAAC;EACrC,iBAAiB,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,OAAO,EAAE,EAAE,QAAQ,OAAO,CAAC,CAAC;EAC1E,QAAQ,EAAE,SAAS,EAAE,KAAK,CAAC;EAC5B,CAAC,CACC,MAAM,iBAAiB,CAAC,eAAe,CAAC,CACxC,MAAM,YAAY,CAAC,UAAU,CAAC,CAC9B,MAAM,cAAc,CAAC,YAAY,CAAC,CAClC,MAAM,UAAU,CAAC,SAAS,CAAC;CAK9B,wBAAwB,YAAY;EAClC,cAAc,EAAE,GAAG,aAAa;EAChC,SAAS,EAAE,GAAG,QAAQ;EACtB,cAAc,EAAE,MAAM,EAAE,QAAQ,OAAO,EAAE,EAAE,QAAQ,QAAQ,CAAC;EAC5D,YAAY,EAAE,QAAQ;EACtB,QAAQ,EAAE,SAAS,EAAE,GAAG,OAAO,CAAC;EAChC,eAAe,EAAE,SAAS,EAAE,GAAG,QAAQ,CAAC;EACxC,mBAAmB,EAAE,SAAS,EAAE,QAAQ,CAAC;EACzC,QAAQ,EAAE,SAAS,EAAE,SAAS,CAAC;EAC/B,KAAK,EAAE,SAAS,EAAE,KAAK,CAAC;EACzB,CAAC,CACC,MAAM,iBAAiB,CAAC,eAAe,CAAC,CACxC,MAAM,YAAY,CAAC,UAAU,CAAC,CAC9B,MAAM,2CAA2C;EAChD;EACA;EACA;EACD,CAAC,CACD,MAAM,WAAW,CAAC,SAAS,CAAC,CAC5B,MAAM,mBAAmB,CAAC,gBAAgB,CAAC;CAK9C,sBAAsB,YAAY;EAChC,cAAc,EAAE,GAAG,aAAa;EAChC,SAAS,EAAE,GAAG,QAAQ;EACtB,WAAW,EAAE,QAAQ;EACrB,WAAW,EAAE,MACX,EAAE,QAAQ,OAAO,EACjB,EAAE,QAAQ,SAAS,EACnB,EAAE,QAAQ,OAAO,EACjB,EAAE,QAAQ,UAAU,EACpB,EAAE,QAAQ,UAAU,CACrB;EACD,SAAS,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC/B,aAAa,EAAE,QAAQ;EACvB,WAAW,EAAE,SAAS,EAAE,QAAQ,CAAC;EACjC,QAAQ,EAAE,MAAM,EAAE,QAAQ,UAAU,EAAE,EAAE,QAAQ,UAAU,CAAC;EAC3D,YAAY,EAAE,QAAQ;EACtB,WAAW,EAAE,SAAS,EAAE,QAAQ,CAAC;EACjC,IAAI,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC1B,UAAU,EAAE,SAAS,EAAE,KAAK,CAAC;EAC9B,CAAC,CACC,MAAM,6BAA6B,CAAC,gBAAgB,aAAa,CAAC,CAClE,MAAM,wBAAwB,CAAC,WAAW,aAAa,CAAC,CACxD,MAAM,0BAA0B,CAAC,aAAa,aAAa,CAAC;CAK/D,2BAA2B,YAAY;EACrC,cAAc,EAAE,GAAG,aAAa;EAChC,SAAS,EAAE,GAAG,QAAQ;EACtB,KAAK,EAAE,QAAQ;EACf,QAAQ,EAAE,MAAM,EAAE,QAAQ,SAAS,EAAE,EAAE,QAAQ,WAAW,CAAC;EAC3D,YAAY,EAAE,QAAQ;EACtB,eAAe,EAAE,MAAM,EAAE,QAAQ,CAAC;EAClC,iBAAiB,EAAE,SAAS,EAAE,GAAG,OAAO,CAAC;EACzC,eAAe,EAAE,SAAS,EAAE,QAAQ,CAAC;EACrC,eAAe,EAAE,SAAS,EAAE,QAAQ,CAAC;EACrC,cAAc,EAAE,QAAQ;EACxB,QAAQ,EAAE,SAAS,EAAE,KAAK,CAAC;EAC5B,CAAC,CACC,MAAM,iBAAiB,CAAC,eAAe,CAAC,CACxC,MAAM,YAAY,CAAC,UAAU,CAAC,CAC9B,MAAM,UAAU,CAAC,SAAS,CAAC;CAK9B,2BAA2B,YAAY;EACrC,cAAc,EAAE,GAAG,aAAa;EAChC,YAAY,EAAE,GAAG,4BAA4B;EAC7C,cAAc,EAAE,SAAS,EAAE,GAAG,uBAAuB,CAAC;EACtD,WAAW,EAAE,QAAQ;EACrB,QAAQ,EAAE,MACR,EAAE,QAAQ,UAAU,EACpB,EAAE,QAAQ,aAAa,EACvB,EAAE,QAAQ,YAAY,EACtB,EAAE,QAAQ,SAAS,CACpB;EACD,cAAc,EAAE,QAAQ;EACxB,eAAe,EAAE,QAAQ;EACzB,eAAe,EAAE,SAAS,EAAE,QAAQ,CAAC;EACrC,oBAAoB,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC1C,WAAW,EAAE,SAAS,EAAE,QAAQ,CAAC;EACjC,SAAS,EAAE,KAAK;EACjB,CAAC,CACC,MAAM,iBAAiB,CAAC,eAAe,CAAC,CACxC,MAAM,0BAA0B,CAAC,UAAU,gBAAgB,CAAC,CAC5D,MAAM,sBAAsB,CAAC,cAAc,SAAS,CAAC,CACrD,MAAM,kBAAkB,CAAC,eAAe,CAAC;CAe5C,QAAQ,YAAY;EAClB,QAAQ,EAAE,GAAG,OAAO;EAEpB,QAAQ,EAAE,QAAQ;EAElB,WAAW,EAAE,QAAQ;EAErB,MAAM,EAAE,QAAQ;EAEhB,QAAQ,EAAE,MACR,EAAE,OAAO;GACP,UAAU,EAAE,QAAQ;GACpB,SAAS,EAAE,MAAM,EAAE,QAAQ,CAAC;GAC7B,CAAC,CACH;EAED,WAAW,EAAE,SACX,EAAE,OAAO;GACP,aAAa,EAAE,QAAQ;GACvB,UAAU,EAAE,QAAQ;GACrB,CAAC,CACH;EAED,gBAAgB,EAAE,SAChB,EAAE,OAAO;GACP,cAAc,EAAE,QAAQ;GACxB,iBAAiB,EAAE,QAAQ;GAC5B,CAAC,CACH;EAED,WAAW,EAAE,SAAS,EAAE,QAAQ,CAAC;EACjC,YAAY,EAAE,SAAS,EAAE,QAAQ,CAAC;EAClC,WAAW,EAAE,QAAQ;EAErB,SAAS,EAAE,SAAS;EAEpB,UAAU,EAAE,SAAS,EAAE,KAAK,CAAC;EAC9B,CAAC,CACC,MAAM,WAAW,CAAC,SAAS,CAAC,CAC5B,MAAM,cAAc,CAAC,YAAY,CAAC;CACtC,CAAC"}
|
|
1
|
+
{"version":3,"file":"schema.js","names":[],"sources":["../../src/component/schema.ts"],"sourcesContent":["import { defineSchema, defineTable } from \"convex/server\";\nimport { v } from \"convex/values\";\n\nimport {\n vApiKeyRateLimit,\n vApiKeyRateLimitState,\n vApiKeyScope,\n vAuditActorType,\n vAuditStatus,\n vDeviceStatus,\n vEnterprisePolicy,\n vEnterpriseSecretKind,\n vEnterpriseStatus,\n vInviteStatus,\n vScimResourceType,\n vScimStatus,\n vTag,\n vWebhookDeliveryStatus,\n vWebhookEndpointStatus,\n} from \"./model\";\n\n/**\n * Schema for the auth component.\n *\n * Contains tables for core authentication (users, sessions, accounts, tokens,\n * verification codes, PKCE verifiers, rate limits) and hierarchical group\n * management (groups, members, invites).\n */\nexport default defineSchema({\n /**\n * Authenticated users. A user may have multiple linked accounts\n * and multiple concurrent sessions.\n */\n User: defineTable({\n name: v.optional(v.string()),\n image: v.optional(v.string()),\n email: v.optional(v.string()),\n emailVerificationTime: v.optional(v.number()),\n phone: v.optional(v.string()),\n phoneVerificationTime: v.optional(v.number()),\n isAnonymous: v.optional(v.boolean()),\n extend: v.optional(v.any()),\n })\n .index(\"email\", [\"email\"])\n .index(\"phone\", [\"phone\"]),\n\n /**\n * Active sessions. A single user can have multiple concurrent sessions\n * across different devices or browsers. Sessions expire after a\n * configurable duration.\n */\n Session: defineTable({\n userId: v.id(\"User\"),\n expirationTime: v.number(),\n }).index(\"user_id\", [\"userId\"]),\n\n /**\n * Authentication accounts. Each account links a user to a single\n * authentication provider (e.g. Google OAuth, email/password).\n * A user can have multiple accounts linked.\n */\n Account: defineTable({\n userId: v.id(\"User\"),\n provider: v.string(),\n providerAccountId: v.string(),\n secret: v.optional(v.string()),\n emailVerified: v.optional(v.string()),\n phoneVerified: v.optional(v.string()),\n extend: v.optional(v.any()),\n })\n .index(\"user_id_provider\", [\"userId\", \"provider\"])\n .index(\"provider_account_id\", [\"provider\", \"providerAccountId\"]),\n\n /**\n * Refresh tokens for session continuity. Tokens are single-use and form\n * a chain — each token references the one it was exchanged from.\n *\n * The active refresh token is the most recently created token that has not\n * been used yet. A 10-second reuse window allows for concurrent requests.\n * Any invalid use of a token invalidates the entire chain.\n */\n RefreshToken: defineTable({\n sessionId: v.id(\"Session\"),\n expirationTime: v.number(),\n firstUsedTime: v.optional(v.number()),\n parentRefreshTokenId: v.optional(v.id(\"RefreshToken\")),\n })\n .index(\"session_id\", [\"sessionId\"])\n .index(\"session_id_parent_refresh_token_id\", [\n \"sessionId\",\n \"parentRefreshTokenId\",\n ]),\n\n /**\n * Verification codes for OTP tokens, magic link tokens, and OAuth codes.\n */\n VerificationCode: defineTable({\n accountId: v.id(\"Account\"),\n provider: v.string(),\n code: v.string(),\n expirationTime: v.number(),\n verifier: v.optional(v.string()),\n emailVerified: v.optional(v.string()),\n phoneVerified: v.optional(v.string()),\n })\n .index(\"account_id\", [\"accountId\"])\n .index(\"code\", [\"code\"]),\n\n /**\n * PKCE verifiers for OAuth flows. Stores the cryptographic verifier\n * used to prove the authorization request originated from this client.\n */\n AuthVerifier: defineTable({\n sessionId: v.optional(v.id(\"Session\")),\n signature: v.optional(v.string()),\n }).index(\"signature\", [\"signature\"]),\n\n /**\n * WebAuthn passkey credentials. Each credential links a user to a\n * registered authenticator (Touch ID, Face ID, security key, etc.).\n * A user can have multiple passkeys across different devices.\n */\n Passkey: defineTable({\n userId: v.id(\"User\"),\n /** Base64url-encoded credential ID from the authenticator. */\n credentialId: v.string(),\n /** Public key bytes (SEC1 uncompressed for EC, SPKI for RSA). */\n publicKey: v.bytes(),\n /** COSE algorithm identifier (-7 for ES256, -257 for RS256, -8 for EdDSA). */\n algorithm: v.number(),\n /** Signature counter for clone detection. Many authenticators return 0. */\n counter: v.number(),\n /** Authenticator transport hints (e.g. \"internal\", \"hybrid\", \"usb\", \"ble\", \"nfc\"). */\n transports: v.optional(v.array(v.string())),\n /** Whether this is a single-device or multi-device (synced) credential. */\n deviceType: v.string(),\n /** Whether the credential is backed up (synced passkey). */\n backedUp: v.boolean(),\n /** User-assigned friendly name (e.g. \"MacBook Touch ID\"). */\n name: v.optional(v.string()),\n createdAt: v.number(),\n lastUsedAt: v.optional(v.number()),\n })\n .index(\"user_id\", [\"userId\"])\n .index(\"credential_id\", [\"credentialId\"]),\n\n /**\n * TOTP two-factor authentication secrets. Each record links a user to\n * an authenticator app. A user can have multiple TOTP enrollments\n * (e.g. different authenticator apps) but typically has one.\n *\n * The `verified` flag indicates whether the user has completed setup\n * by successfully entering a code from their authenticator app.\n * Unverified enrollments are in-progress setup that can be discarded.\n */\n TotpFactor: defineTable({\n userId: v.id(\"User\"),\n /** Raw TOTP secret key bytes. */\n secret: v.bytes(),\n /** Number of digits in each code (typically 6). */\n digits: v.number(),\n /** Time period in seconds for code rotation (typically 30). */\n period: v.number(),\n /** Whether setup has been confirmed with a valid code. */\n verified: v.boolean(),\n /** User-assigned friendly name (e.g. \"Google Authenticator\"). */\n name: v.optional(v.string()),\n createdAt: v.number(),\n lastUsedAt: v.optional(v.number()),\n }).index(\"user_id\", [\"userId\"]),\n\n /**\n * Device authorization codes (RFC 8628). Each record tracks a pending\n * device auth session — the device polls with `deviceCode` while the\n * user authorizes via `userCode` on a secondary device.\n */\n DeviceCode: defineTable({\n /** High-entropy code used by the device for polling. Stored as SHA-256 hash. */\n deviceCodeHash: v.string(),\n /** Short human-readable code the user enters (e.g. \"WDJB-MJHT\"). */\n userCode: v.string(),\n /** Expiration timestamp (ms since epoch). */\n expiresAt: v.number(),\n /** Minimum polling interval in seconds. */\n interval: v.number(),\n /** Current status of this device authorization session. */\n status: vDeviceStatus,\n /** Set when the user authorizes — links to the authorizing user. */\n userId: v.optional(v.id(\"User\")),\n /** Set when the user authorizes — the session created for the device. */\n sessionId: v.optional(v.id(\"Session\")),\n /** Timestamp of the last poll request (for slow_down enforcement). */\n lastPolledAt: v.optional(v.number()),\n })\n .index(\"device_code_hash\", [\"deviceCodeHash\"])\n .index(\"user_code_status\", [\"userCode\", \"status\"]),\n\n /**\n * Rate limit tracking for OTP and password sign-in attempts.\n */\n RateLimit: defineTable({\n identifier: v.string(),\n last_attempt_time: v.number(),\n attempts_left: v.number(),\n }).index(\"by_identifier\", [\"identifier\"]),\n\n /**\n * Hierarchical groups. A group with no `parentGroupId` is a root group.\n * Groups can nest arbitrarily deep via `parentGroupId` for modeling\n * organizations, teams, departments, or any tree structure.\n */\n Group: defineTable({\n name: v.string(),\n slug: v.optional(v.string()),\n type: v.optional(v.string()),\n parentGroupId: v.optional(v.id(\"Group\")),\n /** Faceted classification tags. Normalized at write time (trimmed, lowercased). */\n tags: v.optional(v.array(vTag)),\n extend: v.optional(v.any()),\n })\n .index(\"slug\", [\"slug\"])\n .index(\"parent_group_id\", [\"parentGroupId\"])\n .index(\"type\", [\"type\"])\n .index(\"type_parent_group_id\", [\"type\", \"parentGroupId\"]),\n\n /**\n * Denormalized group-tag index table for efficient tag-based filtering.\n * Each row maps one `(key, value)` pair to a group. Kept in sync by\n * `groupCreate`, `groupUpdate`, and `groupDelete`.\n */\n GroupTag: defineTable({\n group_id: v.id(\"Group\"),\n key: v.string(),\n value: v.string(),\n })\n .index(\"by_group\", [\"group_id\"])\n .index(\"by_key_value\", [\"key\", \"value\"])\n .index(\"by_key\", [\"key\"]),\n\n /**\n * Group membership. Links a user to a group with an application-defined\n * role (e.g. \"owner\", \"admin\", \"member\", \"viewer\"). A user can be a\n * member of multiple groups with different roles in each.\n */\n GroupMember: defineTable({\n groupId: v.id(\"Group\"),\n userId: v.id(\"User\"),\n role: v.optional(v.string()),\n roleIds: v.optional(v.array(v.string())),\n status: v.optional(v.string()),\n extend: v.optional(v.any()),\n })\n .index(\"group_id\", [\"groupId\"])\n .index(\"group_id_user_id\", [\"groupId\", \"userId\"])\n .index(\"user_id\", [\"userId\"]),\n\n /**\n * Invitations. Tracks pending, accepted, revoked, and expired\n * invitations. Optionally scoped to a group via `groupId`, or\n * platform-level when `groupId` is omitted.\n *\n * `email` and `invitedByUserId` are optional to support CLI-generated\n * invite links where neither is known upfront.\n */\n GroupInvite: defineTable({\n groupId: v.optional(v.id(\"Group\")),\n invitedByUserId: v.optional(v.id(\"User\")),\n email: v.optional(v.string()),\n tokenHash: v.string(),\n role: v.optional(v.string()),\n roleIds: v.optional(v.array(v.string())),\n status: vInviteStatus,\n expiresTime: v.optional(v.number()),\n acceptedByUserId: v.optional(v.id(\"User\")),\n acceptedTime: v.optional(v.number()),\n extend: v.optional(v.any()),\n })\n .index(\"token_hash\", [\"tokenHash\"])\n .index(\"status\", [\"status\"])\n .index(\"email_status\", [\"email\", \"status\"])\n .index(\"invited_by_user_id_status\", [\"invitedByUserId\", \"status\"])\n .index(\"group_id\", [\"groupId\"])\n .index(\"group_id_status\", [\"groupId\", \"status\"]),\n\n /**\n * Enterprise configuration attached to a root group/organization.\n *\n * The `config` payload intentionally stays flexible so the headless enterprise\n * SDK can evolve without forcing schema churn for every protocol-specific\n * field addition.\n */\n Enterprise: defineTable({\n groupId: v.id(\"Group\"),\n slug: v.optional(v.string()),\n name: v.optional(v.string()),\n status: vEnterpriseStatus,\n policy: v.optional(vEnterprisePolicy),\n config: v.optional(v.any()),\n extend: v.optional(v.any()),\n })\n .index(\"group_id\", [\"groupId\"])\n .index(\"slug\", [\"slug\"])\n .index(\"status\", [\"status\"]),\n\n /**\n * Verified or pending domains linked to an enterprise record.\n */\n EnterpriseDomain: defineTable({\n enterpriseId: v.id(\"Enterprise\"),\n groupId: v.id(\"Group\"),\n domain: v.string(),\n isPrimary: v.boolean(),\n verifiedAt: v.optional(v.number()),\n })\n .index(\"enterprise_id\", [\"enterpriseId\"])\n .index(\"group_id\", [\"groupId\"])\n .index(\"domain\", [\"domain\"]),\n\n /**\n * Pending DNS TXT verification challenges for enterprise domains.\n */\n EnterpriseDomainVerification: defineTable({\n enterpriseId: v.id(\"Enterprise\"),\n groupId: v.id(\"Group\"),\n domainId: v.id(\"EnterpriseDomain\"),\n domain: v.string(),\n recordName: v.string(),\n token: v.string(),\n tokenHash: v.string(),\n requestedAt: v.number(),\n expiresAt: v.number(),\n })\n .index(\"enterprise_id\", [\"enterpriseId\"])\n .index(\"domain_id\", [\"domainId\"])\n .index(\"token_hash\", [\"tokenHash\"]),\n\n /**\n * Encrypted enterprise secrets stored separately from protocol config.\n */\n EnterpriseSecret: defineTable({\n enterpriseId: v.id(\"Enterprise\"),\n groupId: v.id(\"Group\"),\n kind: vEnterpriseSecretKind,\n ciphertext: v.string(),\n updatedAt: v.number(),\n })\n .index(\"enterprise_id\", [\"enterpriseId\"])\n .index(\"enterprise_id_kind\", [\"enterpriseId\", \"kind\"])\n .index(\"group_id\", [\"groupId\"]),\n\n /**\n * SCIM configuration for an enterprise tenant.\n */\n EnterpriseScimConfig: defineTable({\n enterpriseId: v.id(\"Enterprise\"),\n groupId: v.id(\"Group\"),\n status: vScimStatus,\n basePath: v.string(),\n tokenHash: v.string(),\n lastRotatedAt: v.optional(v.number()),\n extend: v.optional(v.any()),\n })\n .index(\"enterprise_id\", [\"enterpriseId\"])\n .index(\"group_id\", [\"groupId\"])\n .index(\"token_hash\", [\"tokenHash\"])\n .index(\"status\", [\"status\"]),\n\n /**\n * External SCIM identities mapped into local users/groups.\n */\n EnterpriseScimIdentity: defineTable({\n enterpriseId: v.id(\"Enterprise\"),\n groupId: v.id(\"Group\"),\n resourceType: vScimResourceType,\n externalId: v.string(),\n userId: v.optional(v.id(\"User\")),\n mappedGroupId: v.optional(v.id(\"Group\")),\n lastProvisionedAt: v.optional(v.number()),\n active: v.optional(v.boolean()),\n raw: v.optional(v.any()),\n })\n .index(\"enterprise_id\", [\"enterpriseId\"])\n .index(\"group_id\", [\"groupId\"])\n .index(\"enterprise_id_resource_type_external_id\", [\n \"enterpriseId\",\n \"resourceType\",\n \"externalId\",\n ])\n .index(\"enterprise_id_user_id\", [\"enterpriseId\", \"userId\"])\n .index(\"user_id\", [\"userId\"])\n .index(\"mapped_group_id\", [\"mappedGroupId\"]),\n\n /**\n * Immutable audit trail for enterprise operations.\n */\n EnterpriseAuditEvent: defineTable({\n enterpriseId: v.id(\"Enterprise\"),\n groupId: v.id(\"Group\"),\n eventType: v.string(),\n actorType: vAuditActorType,\n actorId: v.optional(v.string()),\n subjectType: v.string(),\n subjectId: v.optional(v.string()),\n status: vAuditStatus,\n occurredAt: v.number(),\n requestId: v.optional(v.string()),\n ip: v.optional(v.string()),\n metadata: v.optional(v.any()),\n })\n .index(\"enterprise_id_occurred_at\", [\"enterpriseId\", \"occurredAt\"])\n .index(\"group_id_occurred_at\", [\"groupId\", \"occurredAt\"])\n .index(\"event_type_occurred_at\", [\"eventType\", \"occurredAt\"]),\n\n /**\n * Webhook endpoints subscribed to enterprise audit and lifecycle events.\n */\n EnterpriseWebhookEndpoint: defineTable({\n enterpriseId: v.id(\"Enterprise\"),\n groupId: v.id(\"Group\"),\n url: v.string(),\n status: vWebhookEndpointStatus,\n secretHash: v.string(),\n subscriptions: v.array(v.string()),\n createdByUserId: v.optional(v.id(\"User\")),\n lastSuccessAt: v.optional(v.number()),\n lastFailureAt: v.optional(v.number()),\n failureCount: v.number(),\n extend: v.optional(v.any()),\n })\n .index(\"enterprise_id\", [\"enterpriseId\"])\n .index(\"group_id\", [\"groupId\"])\n .index(\"status\", [\"status\"]),\n\n /**\n * Delivery queue for outbound enterprise webhooks.\n */\n EnterpriseWebhookDelivery: defineTable({\n enterpriseId: v.id(\"Enterprise\"),\n endpointId: v.id(\"EnterpriseWebhookEndpoint\"),\n auditEventId: v.optional(v.id(\"EnterpriseAuditEvent\")),\n eventType: v.string(),\n status: vWebhookDeliveryStatus,\n attemptCount: v.number(),\n nextAttemptAt: v.number(),\n lastAttemptAt: v.optional(v.number()),\n lastResponseStatus: v.optional(v.number()),\n lastError: v.optional(v.string()),\n payload: v.any(),\n })\n .index(\"enterprise_id\", [\"enterpriseId\"])\n .index(\"status_next_attempt_at\", [\"status\", \"nextAttemptAt\"])\n .index(\"endpoint_id_status\", [\"endpointId\", \"status\"])\n .index(\"audit_event_id\", [\"auditEventId\"]),\n\n /**\n * API keys for programmatic access. Each key links a user to a set of\n * scoped permissions and optional per-key rate limiting.\n *\n * The raw key is never stored — only a SHA-256 hash. A short prefix\n * (e.g. \"sk_abc1...\") is kept for display in admin interfaces.\n *\n * Keys support:\n * - **Scoped permissions**: resource:action pairs (e.g. users:read)\n * - **Per-key rate limiting**: token-bucket with configurable window\n * - **Expiration**: optional TTL\n * - **Soft revocation**: `revoked` flag preserves audit trail\n */\n ApiKey: defineTable({\n userId: v.id(\"User\"),\n /** First chars of the key for display (e.g. \"sk_abc1...\"). */\n prefix: v.string(),\n /** SHA-256 hex hash of the full raw key. */\n hashedKey: v.string(),\n /** User-assigned name (e.g. \"CI Pipeline\", \"Production API\"). */\n name: v.string(),\n /** Scoped permissions: [{ resource: \"users\", actions: [\"read\", \"list\"] }]. */\n scopes: v.array(vApiKeyScope),\n /** Optional per-key rate limit configuration. */\n rateLimit: v.optional(vApiKeyRateLimit),\n /** Rate limit state tracking (token-bucket). */\n rateLimitState: v.optional(vApiKeyRateLimitState),\n /** Expiration timestamp. Null/undefined = never expires. */\n expiresAt: v.optional(v.number()),\n lastUsedAt: v.optional(v.number()),\n createdAt: v.number(),\n /** Soft-revoke flag. Revoked keys are kept for audit trail. */\n revoked: v.boolean(),\n /** Arbitrary app-specific metadata attached to the key. */\n metadata: v.optional(v.any()),\n })\n .index(\"user_id\", [\"userId\"])\n .index(\"hashed_key\", [\"hashedKey\"]),\n});\n"],"mappings":";;;;;;;;;;;;AA4BA,qBAAe,aAAa;CAK1B,MAAM,YAAY;EAChB,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC5B,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC7B,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC7B,uBAAuB,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC7C,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC7B,uBAAuB,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC7C,aAAa,EAAE,SAAS,EAAE,SAAS,CAAC;EACpC,QAAQ,EAAE,SAAS,EAAE,KAAK,CAAC;EAC5B,CAAC,CACC,MAAM,SAAS,CAAC,QAAQ,CAAC,CACzB,MAAM,SAAS,CAAC,QAAQ,CAAC;CAO5B,SAAS,YAAY;EACnB,QAAQ,EAAE,GAAG,OAAO;EACpB,gBAAgB,EAAE,QAAQ;EAC3B,CAAC,CAAC,MAAM,WAAW,CAAC,SAAS,CAAC;CAO/B,SAAS,YAAY;EACnB,QAAQ,EAAE,GAAG,OAAO;EACpB,UAAU,EAAE,QAAQ;EACpB,mBAAmB,EAAE,QAAQ;EAC7B,QAAQ,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC9B,eAAe,EAAE,SAAS,EAAE,QAAQ,CAAC;EACrC,eAAe,EAAE,SAAS,EAAE,QAAQ,CAAC;EACrC,QAAQ,EAAE,SAAS,EAAE,KAAK,CAAC;EAC5B,CAAC,CACC,MAAM,oBAAoB,CAAC,UAAU,WAAW,CAAC,CACjD,MAAM,uBAAuB,CAAC,YAAY,oBAAoB,CAAC;CAUlE,cAAc,YAAY;EACxB,WAAW,EAAE,GAAG,UAAU;EAC1B,gBAAgB,EAAE,QAAQ;EAC1B,eAAe,EAAE,SAAS,EAAE,QAAQ,CAAC;EACrC,sBAAsB,EAAE,SAAS,EAAE,GAAG,eAAe,CAAC;EACvD,CAAC,CACC,MAAM,cAAc,CAAC,YAAY,CAAC,CAClC,MAAM,sCAAsC,CAC3C,aACA,uBACD,CAAC;CAKJ,kBAAkB,YAAY;EAC5B,WAAW,EAAE,GAAG,UAAU;EAC1B,UAAU,EAAE,QAAQ;EACpB,MAAM,EAAE,QAAQ;EAChB,gBAAgB,EAAE,QAAQ;EAC1B,UAAU,EAAE,SAAS,EAAE,QAAQ,CAAC;EAChC,eAAe,EAAE,SAAS,EAAE,QAAQ,CAAC;EACrC,eAAe,EAAE,SAAS,EAAE,QAAQ,CAAC;EACtC,CAAC,CACC,MAAM,cAAc,CAAC,YAAY,CAAC,CAClC,MAAM,QAAQ,CAAC,OAAO,CAAC;CAM1B,cAAc,YAAY;EACxB,WAAW,EAAE,SAAS,EAAE,GAAG,UAAU,CAAC;EACtC,WAAW,EAAE,SAAS,EAAE,QAAQ,CAAC;EAClC,CAAC,CAAC,MAAM,aAAa,CAAC,YAAY,CAAC;CAOpC,SAAS,YAAY;EACnB,QAAQ,EAAE,GAAG,OAAO;EAEpB,cAAc,EAAE,QAAQ;EAExB,WAAW,EAAE,OAAO;EAEpB,WAAW,EAAE,QAAQ;EAErB,SAAS,EAAE,QAAQ;EAEnB,YAAY,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;EAE3C,YAAY,EAAE,QAAQ;EAEtB,UAAU,EAAE,SAAS;EAErB,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC5B,WAAW,EAAE,QAAQ;EACrB,YAAY,EAAE,SAAS,EAAE,QAAQ,CAAC;EACnC,CAAC,CACC,MAAM,WAAW,CAAC,SAAS,CAAC,CAC5B,MAAM,iBAAiB,CAAC,eAAe,CAAC;CAW3C,YAAY,YAAY;EACtB,QAAQ,EAAE,GAAG,OAAO;EAEpB,QAAQ,EAAE,OAAO;EAEjB,QAAQ,EAAE,QAAQ;EAElB,QAAQ,EAAE,QAAQ;EAElB,UAAU,EAAE,SAAS;EAErB,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC5B,WAAW,EAAE,QAAQ;EACrB,YAAY,EAAE,SAAS,EAAE,QAAQ,CAAC;EACnC,CAAC,CAAC,MAAM,WAAW,CAAC,SAAS,CAAC;CAO/B,YAAY,YAAY;EAEtB,gBAAgB,EAAE,QAAQ;EAE1B,UAAU,EAAE,QAAQ;EAEpB,WAAW,EAAE,QAAQ;EAErB,UAAU,EAAE,QAAQ;EAEpB,QAAQ;EAER,QAAQ,EAAE,SAAS,EAAE,GAAG,OAAO,CAAC;EAEhC,WAAW,EAAE,SAAS,EAAE,GAAG,UAAU,CAAC;EAEtC,cAAc,EAAE,SAAS,EAAE,QAAQ,CAAC;EACrC,CAAC,CACC,MAAM,oBAAoB,CAAC,iBAAiB,CAAC,CAC7C,MAAM,oBAAoB,CAAC,YAAY,SAAS,CAAC;CAKpD,WAAW,YAAY;EACrB,YAAY,EAAE,QAAQ;EACtB,mBAAmB,EAAE,QAAQ;EAC7B,eAAe,EAAE,QAAQ;EAC1B,CAAC,CAAC,MAAM,iBAAiB,CAAC,aAAa,CAAC;CAOzC,OAAO,YAAY;EACjB,MAAM,EAAE,QAAQ;EAChB,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC5B,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC5B,eAAe,EAAE,SAAS,EAAE,GAAG,QAAQ,CAAC;EAExC,MAAM,EAAE,SAAS,EAAE,MAAM,KAAK,CAAC;EAC/B,QAAQ,EAAE,SAAS,EAAE,KAAK,CAAC;EAC5B,CAAC,CACC,MAAM,QAAQ,CAAC,OAAO,CAAC,CACvB,MAAM,mBAAmB,CAAC,gBAAgB,CAAC,CAC3C,MAAM,QAAQ,CAAC,OAAO,CAAC,CACvB,MAAM,wBAAwB,CAAC,QAAQ,gBAAgB,CAAC;CAO3D,UAAU,YAAY;EACpB,UAAU,EAAE,GAAG,QAAQ;EACvB,KAAK,EAAE,QAAQ;EACf,OAAO,EAAE,QAAQ;EAClB,CAAC,CACC,MAAM,YAAY,CAAC,WAAW,CAAC,CAC/B,MAAM,gBAAgB,CAAC,OAAO,QAAQ,CAAC,CACvC,MAAM,UAAU,CAAC,MAAM,CAAC;CAO3B,aAAa,YAAY;EACvB,SAAS,EAAE,GAAG,QAAQ;EACtB,QAAQ,EAAE,GAAG,OAAO;EACpB,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC5B,SAAS,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;EACxC,QAAQ,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC9B,QAAQ,EAAE,SAAS,EAAE,KAAK,CAAC;EAC5B,CAAC,CACC,MAAM,YAAY,CAAC,UAAU,CAAC,CAC9B,MAAM,oBAAoB,CAAC,WAAW,SAAS,CAAC,CAChD,MAAM,WAAW,CAAC,SAAS,CAAC;CAU/B,aAAa,YAAY;EACvB,SAAS,EAAE,SAAS,EAAE,GAAG,QAAQ,CAAC;EAClC,iBAAiB,EAAE,SAAS,EAAE,GAAG,OAAO,CAAC;EACzC,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC7B,WAAW,EAAE,QAAQ;EACrB,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC5B,SAAS,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;EACxC,QAAQ;EACR,aAAa,EAAE,SAAS,EAAE,QAAQ,CAAC;EACnC,kBAAkB,EAAE,SAAS,EAAE,GAAG,OAAO,CAAC;EAC1C,cAAc,EAAE,SAAS,EAAE,QAAQ,CAAC;EACpC,QAAQ,EAAE,SAAS,EAAE,KAAK,CAAC;EAC5B,CAAC,CACC,MAAM,cAAc,CAAC,YAAY,CAAC,CAClC,MAAM,UAAU,CAAC,SAAS,CAAC,CAC3B,MAAM,gBAAgB,CAAC,SAAS,SAAS,CAAC,CAC1C,MAAM,6BAA6B,CAAC,mBAAmB,SAAS,CAAC,CACjE,MAAM,YAAY,CAAC,UAAU,CAAC,CAC9B,MAAM,mBAAmB,CAAC,WAAW,SAAS,CAAC;CASlD,YAAY,YAAY;EACtB,SAAS,EAAE,GAAG,QAAQ;EACtB,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC5B,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC5B,QAAQ;EACR,QAAQ,EAAE,SAAS,kBAAkB;EACrC,QAAQ,EAAE,SAAS,EAAE,KAAK,CAAC;EAC3B,QAAQ,EAAE,SAAS,EAAE,KAAK,CAAC;EAC5B,CAAC,CACC,MAAM,YAAY,CAAC,UAAU,CAAC,CAC9B,MAAM,QAAQ,CAAC,OAAO,CAAC,CACvB,MAAM,UAAU,CAAC,SAAS,CAAC;CAK9B,kBAAkB,YAAY;EAC5B,cAAc,EAAE,GAAG,aAAa;EAChC,SAAS,EAAE,GAAG,QAAQ;EACtB,QAAQ,EAAE,QAAQ;EAClB,WAAW,EAAE,SAAS;EACtB,YAAY,EAAE,SAAS,EAAE,QAAQ,CAAC;EACnC,CAAC,CACC,MAAM,iBAAiB,CAAC,eAAe,CAAC,CACxC,MAAM,YAAY,CAAC,UAAU,CAAC,CAC9B,MAAM,UAAU,CAAC,SAAS,CAAC;CAK9B,8BAA8B,YAAY;EACxC,cAAc,EAAE,GAAG,aAAa;EAChC,SAAS,EAAE,GAAG,QAAQ;EACtB,UAAU,EAAE,GAAG,mBAAmB;EAClC,QAAQ,EAAE,QAAQ;EAClB,YAAY,EAAE,QAAQ;EACtB,OAAO,EAAE,QAAQ;EACjB,WAAW,EAAE,QAAQ;EACrB,aAAa,EAAE,QAAQ;EACvB,WAAW,EAAE,QAAQ;EACtB,CAAC,CACC,MAAM,iBAAiB,CAAC,eAAe,CAAC,CACxC,MAAM,aAAa,CAAC,WAAW,CAAC,CAChC,MAAM,cAAc,CAAC,YAAY,CAAC;CAKrC,kBAAkB,YAAY;EAC5B,cAAc,EAAE,GAAG,aAAa;EAChC,SAAS,EAAE,GAAG,QAAQ;EACtB,MAAM;EACN,YAAY,EAAE,QAAQ;EACtB,WAAW,EAAE,QAAQ;EACtB,CAAC,CACC,MAAM,iBAAiB,CAAC,eAAe,CAAC,CACxC,MAAM,sBAAsB,CAAC,gBAAgB,OAAO,CAAC,CACrD,MAAM,YAAY,CAAC,UAAU,CAAC;CAKjC,sBAAsB,YAAY;EAChC,cAAc,EAAE,GAAG,aAAa;EAChC,SAAS,EAAE,GAAG,QAAQ;EACtB,QAAQ;EACR,UAAU,EAAE,QAAQ;EACpB,WAAW,EAAE,QAAQ;EACrB,eAAe,EAAE,SAAS,EAAE,QAAQ,CAAC;EACrC,QAAQ,EAAE,SAAS,EAAE,KAAK,CAAC;EAC5B,CAAC,CACC,MAAM,iBAAiB,CAAC,eAAe,CAAC,CACxC,MAAM,YAAY,CAAC,UAAU,CAAC,CAC9B,MAAM,cAAc,CAAC,YAAY,CAAC,CAClC,MAAM,UAAU,CAAC,SAAS,CAAC;CAK9B,wBAAwB,YAAY;EAClC,cAAc,EAAE,GAAG,aAAa;EAChC,SAAS,EAAE,GAAG,QAAQ;EACtB,cAAc;EACd,YAAY,EAAE,QAAQ;EACtB,QAAQ,EAAE,SAAS,EAAE,GAAG,OAAO,CAAC;EAChC,eAAe,EAAE,SAAS,EAAE,GAAG,QAAQ,CAAC;EACxC,mBAAmB,EAAE,SAAS,EAAE,QAAQ,CAAC;EACzC,QAAQ,EAAE,SAAS,EAAE,SAAS,CAAC;EAC/B,KAAK,EAAE,SAAS,EAAE,KAAK,CAAC;EACzB,CAAC,CACC,MAAM,iBAAiB,CAAC,eAAe,CAAC,CACxC,MAAM,YAAY,CAAC,UAAU,CAAC,CAC9B,MAAM,2CAA2C;EAChD;EACA;EACA;EACD,CAAC,CACD,MAAM,yBAAyB,CAAC,gBAAgB,SAAS,CAAC,CAC1D,MAAM,WAAW,CAAC,SAAS,CAAC,CAC5B,MAAM,mBAAmB,CAAC,gBAAgB,CAAC;CAK9C,sBAAsB,YAAY;EAChC,cAAc,EAAE,GAAG,aAAa;EAChC,SAAS,EAAE,GAAG,QAAQ;EACtB,WAAW,EAAE,QAAQ;EACrB,WAAW;EACX,SAAS,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC/B,aAAa,EAAE,QAAQ;EACvB,WAAW,EAAE,SAAS,EAAE,QAAQ,CAAC;EACjC,QAAQ;EACR,YAAY,EAAE,QAAQ;EACtB,WAAW,EAAE,SAAS,EAAE,QAAQ,CAAC;EACjC,IAAI,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC1B,UAAU,EAAE,SAAS,EAAE,KAAK,CAAC;EAC9B,CAAC,CACC,MAAM,6BAA6B,CAAC,gBAAgB,aAAa,CAAC,CAClE,MAAM,wBAAwB,CAAC,WAAW,aAAa,CAAC,CACxD,MAAM,0BAA0B,CAAC,aAAa,aAAa,CAAC;CAK/D,2BAA2B,YAAY;EACrC,cAAc,EAAE,GAAG,aAAa;EAChC,SAAS,EAAE,GAAG,QAAQ;EACtB,KAAK,EAAE,QAAQ;EACf,QAAQ;EACR,YAAY,EAAE,QAAQ;EACtB,eAAe,EAAE,MAAM,EAAE,QAAQ,CAAC;EAClC,iBAAiB,EAAE,SAAS,EAAE,GAAG,OAAO,CAAC;EACzC,eAAe,EAAE,SAAS,EAAE,QAAQ,CAAC;EACrC,eAAe,EAAE,SAAS,EAAE,QAAQ,CAAC;EACrC,cAAc,EAAE,QAAQ;EACxB,QAAQ,EAAE,SAAS,EAAE,KAAK,CAAC;EAC5B,CAAC,CACC,MAAM,iBAAiB,CAAC,eAAe,CAAC,CACxC,MAAM,YAAY,CAAC,UAAU,CAAC,CAC9B,MAAM,UAAU,CAAC,SAAS,CAAC;CAK9B,2BAA2B,YAAY;EACrC,cAAc,EAAE,GAAG,aAAa;EAChC,YAAY,EAAE,GAAG,4BAA4B;EAC7C,cAAc,EAAE,SAAS,EAAE,GAAG,uBAAuB,CAAC;EACtD,WAAW,EAAE,QAAQ;EACrB,QAAQ;EACR,cAAc,EAAE,QAAQ;EACxB,eAAe,EAAE,QAAQ;EACzB,eAAe,EAAE,SAAS,EAAE,QAAQ,CAAC;EACrC,oBAAoB,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC1C,WAAW,EAAE,SAAS,EAAE,QAAQ,CAAC;EACjC,SAAS,EAAE,KAAK;EACjB,CAAC,CACC,MAAM,iBAAiB,CAAC,eAAe,CAAC,CACxC,MAAM,0BAA0B,CAAC,UAAU,gBAAgB,CAAC,CAC5D,MAAM,sBAAsB,CAAC,cAAc,SAAS,CAAC,CACrD,MAAM,kBAAkB,CAAC,eAAe,CAAC;CAe5C,QAAQ,YAAY;EAClB,QAAQ,EAAE,GAAG,OAAO;EAEpB,QAAQ,EAAE,QAAQ;EAElB,WAAW,EAAE,QAAQ;EAErB,MAAM,EAAE,QAAQ;EAEhB,QAAQ,EAAE,MAAM,aAAa;EAE7B,WAAW,EAAE,SAAS,iBAAiB;EAEvC,gBAAgB,EAAE,SAAS,sBAAsB;EAEjD,WAAW,EAAE,SAAS,EAAE,QAAQ,CAAC;EACjC,YAAY,EAAE,SAAS,EAAE,QAAQ,CAAC;EAClC,WAAW,EAAE,QAAQ;EAErB,SAAS,EAAE,SAAS;EAEpB,UAAU,EAAE,SAAS,EAAE,KAAK,CAAC;EAC9B,CAAC,CACC,MAAM,WAAW,CAAC,SAAS,CAAC,CAC5B,MAAM,cAAc,CAAC,YAAY,CAAC;CACtC,CAAC"}
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
import "../client/index.js";
|
|
2
|
-
import { AuthProviderConfig, ConvexAuthConfig, Doc, HasSSO } from "./types.js";
|
|
3
|
-
import { Auth } from "./
|
|
2
|
+
import { AuthAuthorizationConfig, AuthGrant, AuthProviderConfig, AuthRoleId, ConvexAuthConfig, Doc, HasSSO } from "./types.js";
|
|
3
|
+
import { Auth } from "./factory.js";
|
|
4
4
|
import { UserIdentity } from "convex/server";
|
|
5
5
|
import { GenericId } from "convex/values";
|
|
6
6
|
|
|
@@ -10,8 +10,66 @@ import { GenericId } from "convex/values";
|
|
|
10
10
|
* minus `component` (which is passed as the first constructor argument).
|
|
11
11
|
*/
|
|
12
12
|
type AuthConfig = Omit<ConvexAuthConfig, "component">;
|
|
13
|
+
type MemberApiWithAuthorization<TAuthorization extends AuthAuthorizationConfig | undefined> = Omit<ReturnType<typeof Auth>["auth"]["member"], "create" | "list" | "update" | "inherit" | "require"> & {
|
|
14
|
+
create: (ctx: Parameters<ReturnType<typeof Auth>["auth"]["member"]["create"]>[0], data: {
|
|
15
|
+
groupId: string;
|
|
16
|
+
userId: string;
|
|
17
|
+
roleIds?: AuthRoleId<TAuthorization>[];
|
|
18
|
+
status?: string;
|
|
19
|
+
extend?: Record<string, unknown>;
|
|
20
|
+
}) => Promise<{
|
|
21
|
+
ok: true;
|
|
22
|
+
memberId: string;
|
|
23
|
+
}>;
|
|
24
|
+
list: (ctx: Parameters<ReturnType<typeof Auth>["auth"]["member"]["list"]>[0], opts?: {
|
|
25
|
+
where?: {
|
|
26
|
+
groupId?: string;
|
|
27
|
+
userId?: string;
|
|
28
|
+
roleId?: AuthRoleId<TAuthorization>;
|
|
29
|
+
status?: string;
|
|
30
|
+
};
|
|
31
|
+
limit?: number;
|
|
32
|
+
cursor?: string | null;
|
|
33
|
+
orderBy?: "_creationTime" | "status";
|
|
34
|
+
order?: "asc" | "desc";
|
|
35
|
+
}) => ReturnType<ReturnType<typeof Auth>["auth"]["member"]["list"]>;
|
|
36
|
+
update: (ctx: Parameters<ReturnType<typeof Auth>["auth"]["member"]["update"]>[0], memberId: string, data: Record<string, unknown> & {
|
|
37
|
+
roleIds?: AuthRoleId<TAuthorization>[];
|
|
38
|
+
}) => Promise<{
|
|
39
|
+
ok: true;
|
|
40
|
+
memberId: string;
|
|
41
|
+
}>;
|
|
42
|
+
inherit: (ctx: Parameters<ReturnType<typeof Auth>["auth"]["member"]["inherit"]>[0], opts: {
|
|
43
|
+
userId: string;
|
|
44
|
+
groupId: string;
|
|
45
|
+
roleIds?: AuthRoleId<TAuthorization>[];
|
|
46
|
+
grants?: AuthGrant<TAuthorization>[];
|
|
47
|
+
maxDepth?: number;
|
|
48
|
+
}) => ReturnType<ReturnType<typeof Auth>["auth"]["member"]["inherit"]>;
|
|
49
|
+
require: (ctx: Parameters<ReturnType<typeof Auth>["auth"]["member"]["require"]>[0], opts: {
|
|
50
|
+
userId: string;
|
|
51
|
+
groupId: string;
|
|
52
|
+
roleIds?: AuthRoleId<TAuthorization>[];
|
|
53
|
+
grants?: AuthGrant<TAuthorization>[];
|
|
54
|
+
maxDepth?: number;
|
|
55
|
+
}) => ReturnType<ReturnType<typeof Auth>["auth"]["member"]["require"]>;
|
|
56
|
+
};
|
|
57
|
+
type AccessApiWithAuthorization<TAuthorization extends AuthAuthorizationConfig | undefined> = {
|
|
58
|
+
check: (ctx: Parameters<ReturnType<typeof Auth>["auth"]["access"]["check"]>[0], opts: {
|
|
59
|
+
userId: string;
|
|
60
|
+
groupId: string;
|
|
61
|
+
grants: AuthGrant<TAuthorization>[];
|
|
62
|
+
maxDepth?: number;
|
|
63
|
+
}) => ReturnType<ReturnType<typeof Auth>["auth"]["access"]["check"]>;
|
|
64
|
+
require: (ctx: Parameters<ReturnType<typeof Auth>["auth"]["access"]["require"]>[0], opts: {
|
|
65
|
+
userId: string;
|
|
66
|
+
groupId: string;
|
|
67
|
+
grants: AuthGrant<TAuthorization>[];
|
|
68
|
+
maxDepth?: number;
|
|
69
|
+
}) => ReturnType<ReturnType<typeof Auth>["auth"]["access"]["require"]>;
|
|
70
|
+
};
|
|
13
71
|
/** The base auth API surface, without conditional namespaces. */
|
|
14
|
-
type AuthApiBase = {
|
|
72
|
+
type AuthApiBase<TAuthorization extends AuthAuthorizationConfig | undefined = undefined> = {
|
|
15
73
|
signIn: ReturnType<typeof Auth>["signIn"];
|
|
16
74
|
signOut: ReturnType<typeof Auth>["signOut"];
|
|
17
75
|
store: ReturnType<typeof Auth>["store"];
|
|
@@ -20,31 +78,119 @@ type AuthApiBase = {
|
|
|
20
78
|
provider: ReturnType<typeof Auth>["auth"]["provider"];
|
|
21
79
|
account: ReturnType<typeof Auth>["auth"]["account"];
|
|
22
80
|
group: ReturnType<typeof Auth>["auth"]["group"];
|
|
23
|
-
member:
|
|
81
|
+
member: MemberApiWithAuthorization<TAuthorization>;
|
|
82
|
+
access: AccessApiWithAuthorization<TAuthorization>;
|
|
24
83
|
invite: ReturnType<typeof Auth>["auth"]["invite"];
|
|
25
84
|
key: ReturnType<typeof Auth>["auth"]["key"];
|
|
26
85
|
http: ReturnType<typeof Auth>["auth"]["http"];
|
|
27
86
|
};
|
|
28
|
-
|
|
29
|
-
type
|
|
30
|
-
|
|
87
|
+
type InternalSsoApi = ReturnType<typeof Auth>["auth"]["sso"];
|
|
88
|
+
type PublicSsoAdminApi = {
|
|
89
|
+
connection: InternalSsoApi["connection"] & {
|
|
90
|
+
domain: {
|
|
91
|
+
list: InternalSsoApi["domain"]["list"];
|
|
92
|
+
validate: InternalSsoApi["domain"]["validate"];
|
|
93
|
+
set: (ctx: Parameters<InternalSsoApi["connection"]["create"]>[0], enterpriseId: string, domains: Array<{
|
|
94
|
+
domain: string;
|
|
95
|
+
isPrimary?: boolean;
|
|
96
|
+
}>) => Promise<{
|
|
97
|
+
ok: true;
|
|
98
|
+
enterpriseId: string;
|
|
99
|
+
domains: Array<{
|
|
100
|
+
domainId: string;
|
|
101
|
+
domain: string;
|
|
102
|
+
isPrimary: boolean;
|
|
103
|
+
verified: boolean;
|
|
104
|
+
verifiedAt: number | null;
|
|
105
|
+
}>;
|
|
106
|
+
}>;
|
|
107
|
+
verification: {
|
|
108
|
+
request: (ctx: Parameters<InternalSsoApi["connection"]["create"]>[0], args: {
|
|
109
|
+
enterpriseId: string;
|
|
110
|
+
domain: string;
|
|
111
|
+
}) => Promise<{
|
|
112
|
+
ok: true;
|
|
113
|
+
enterpriseId: string;
|
|
114
|
+
domain: string;
|
|
115
|
+
requestedAt: number;
|
|
116
|
+
expiresAt: number;
|
|
117
|
+
challenge: {
|
|
118
|
+
recordType: "TXT";
|
|
119
|
+
recordName: string;
|
|
120
|
+
recordValue: string;
|
|
121
|
+
};
|
|
122
|
+
}>;
|
|
123
|
+
confirm: (ctx: Parameters<InternalSsoApi["connection"]["create"]>[0], args: {
|
|
124
|
+
enterpriseId: string;
|
|
125
|
+
domain: string;
|
|
126
|
+
}) => Promise<{
|
|
127
|
+
ok: boolean;
|
|
128
|
+
enterpriseId: string;
|
|
129
|
+
domain: string;
|
|
130
|
+
verifiedAt?: number;
|
|
131
|
+
checks: Array<{
|
|
132
|
+
name: string;
|
|
133
|
+
ok: boolean;
|
|
134
|
+
message?: string;
|
|
135
|
+
}>;
|
|
136
|
+
}>;
|
|
137
|
+
};
|
|
138
|
+
};
|
|
139
|
+
};
|
|
140
|
+
oidc: Omit<InternalSsoApi["oidc"], "signIn">;
|
|
141
|
+
saml: Omit<InternalSsoApi["saml"], "metadata">;
|
|
142
|
+
policy: InternalSsoApi["policy"];
|
|
143
|
+
audit: {
|
|
144
|
+
list: InternalSsoApi["audit"]["list"];
|
|
145
|
+
};
|
|
146
|
+
webhook: {
|
|
147
|
+
endpoint: InternalSsoApi["webhook"]["endpoint"];
|
|
148
|
+
delivery: {
|
|
149
|
+
list: InternalSsoApi["webhook"]["delivery"]["list"];
|
|
150
|
+
};
|
|
151
|
+
};
|
|
152
|
+
};
|
|
153
|
+
type PublicSsoClientApi = {
|
|
154
|
+
signIn: InternalSsoApi["oidc"]["signIn"];
|
|
155
|
+
metadata: InternalSsoApi["saml"]["metadata"];
|
|
156
|
+
};
|
|
157
|
+
type PublicSsoApi = {
|
|
158
|
+
admin: PublicSsoAdminApi;
|
|
159
|
+
client: PublicSsoClientApi;
|
|
160
|
+
};
|
|
161
|
+
type PublicScimApi = {
|
|
162
|
+
admin: Omit<InternalSsoApi["scim"], "getConfigByToken" | "identity">;
|
|
163
|
+
};
|
|
164
|
+
/** Auth API with enterprise namespaces — present only when `new SSO()` is in providers. */
|
|
165
|
+
type AuthApi<TAuthorization extends AuthAuthorizationConfig | undefined = undefined> = AuthApiBase<TAuthorization> & {
|
|
166
|
+
sso: PublicSsoApi;
|
|
167
|
+
scim: PublicScimApi;
|
|
31
168
|
};
|
|
32
169
|
/**
|
|
33
170
|
* The return type of `createAuth`. Conditional namespaces:
|
|
34
|
-
* - `auth.sso` — only when `new SSO()` is in providers
|
|
171
|
+
* - `auth.sso` and `auth.scim` — only when `new SSO()` is in providers
|
|
35
172
|
* - `auth.clientApi` — typed API refs for the client SDK with capabilities
|
|
36
173
|
*/
|
|
37
|
-
type ConvexAuthResult<P extends AuthProviderConfig[]> = HasSSO<P> extends true ? AuthApi : AuthApiBase
|
|
174
|
+
type ConvexAuthResult<P extends AuthProviderConfig[], TAuthorization extends AuthAuthorizationConfig | undefined = undefined> = HasSSO<P> extends true ? AuthApi<TAuthorization> : AuthApiBase<TAuthorization>;
|
|
38
175
|
/**
|
|
39
176
|
* Create an auth API object.
|
|
40
177
|
*
|
|
41
|
-
* When `new SSO()` is included in providers, `auth.sso`
|
|
42
|
-
* on the returned object. Without it,
|
|
43
|
-
* accessing
|
|
178
|
+
* When `new SSO()` is included in providers, `auth.sso` and `auth.scim`
|
|
179
|
+
* are available on the returned object. Without it, those namespaces are
|
|
180
|
+
* absent and accessing them is a TypeScript compile error.
|
|
44
181
|
*/
|
|
45
|
-
declare function createAuth<P extends AuthProviderConfig[]>(component: ConvexAuthConfig["component"], config: Omit<AuthConfig, "providers"> & {
|
|
182
|
+
declare function createAuth<P extends AuthProviderConfig[], TAuthorization extends AuthAuthorizationConfig | undefined = undefined>(component: ConvexAuthConfig["component"], config: Omit<AuthConfig, "providers" | "authorization"> & {
|
|
46
183
|
providers: P;
|
|
47
|
-
|
|
184
|
+
authorization?: TAuthorization;
|
|
185
|
+
}): ConvexAuthResult<P, TAuthorization>;
|
|
186
|
+
declare function defineRoles<const TRoles extends Record<string, {
|
|
187
|
+
label?: string;
|
|
188
|
+
grants: readonly string[];
|
|
189
|
+
}>>(roles: TRoles): { [K in keyof TRoles]: {
|
|
190
|
+
id: K & string;
|
|
191
|
+
label?: TRoles[K]["label"];
|
|
192
|
+
grants: Array<TRoles[K]["grants"][number] & string>;
|
|
193
|
+
} };
|
|
48
194
|
type UserDoc = Doc<"User">;
|
|
49
195
|
type AuthCtxConfig<TResolve extends Record<string, unknown> = Record<string, never>> = {
|
|
50
196
|
optional?: boolean;
|
|
@@ -88,5 +234,5 @@ type InferAuth<T extends {
|
|
|
88
234
|
}>;
|
|
89
235
|
}> = Awaited<ReturnType<T["input"]>>["ctx"]["auth"];
|
|
90
236
|
//#endregion
|
|
91
|
-
export { AuthApi, AuthConfig, AuthCtx, AuthCtxConfig, InferAuth, UserDoc, createAuth };
|
|
237
|
+
export { AuthApi, AuthConfig, AuthCtx, AuthCtxConfig, InferAuth, UserDoc, createAuth, defineRoles };
|
|
92
238
|
//# sourceMappingURL=auth.d.ts.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"auth.d.ts","names":[],"sources":["../../../src/server/auth.ts"],"mappings":";;;;;;;;
|
|
1
|
+
{"version":3,"file":"auth.d.ts","names":[],"sources":["../../../src/server/auth.ts"],"mappings":";;;;;;;;AAmC6D;;;KAAjD,UAAA,GAAa,IAAA,CAAK,gBAAA;AAAA,KAEzB,0BAAA,wBACoB,uBAAA,gBACrB,IAAA,CACF,UAAA,QAAkB,IAAA;EAGlB,MAAA,GACE,GAAA,EAAK,UAAA,CACH,UAAA,QAAkB,IAAA,mCAEpB,IAAA;IACE,OAAA;IACA,MAAA;IACA,OAAA,GAAU,UAAA,CAAW,cAAA;IACrB,MAAA;IACA,MAAA,GAAS,MAAA;EAAA,MAER,OAAA;IAAU,EAAA;IAAU,QAAA;EAAA;EACzB,IAAA,GACE,GAAA,EAAK,UAAA,CACH,UAAA,QAAkB,IAAA,iCAEpB,IAAA;IACE,KAAA;MACE,OAAA;MACA,MAAA;MACA,MAAA,GAAS,UAAA,CAAW,cAAA;MACpB,MAAA;IAAA;IAEF,KAAA;IACA,MAAA;IACA,OAAA;IACA,KAAA;EAAA,MAEC,UAAA,CAAW,UAAA,QAAkB,IAAA;EAClC,MAAA,GACE,GAAA,EAAK,UAAA,CACH,UAAA,QAAkB,IAAA,mCAEpB,QAAA,UACA,IAAA,EAAM,MAAA;IAA4B,OAAA,GAAU,UAAA,CAAW,cAAA;EAAA,MACpD,OAAA;IAAU,EAAA;IAAU,QAAA;EAAA;EACzB,OAAA,GACE,GAAA,EAAK,UAAA,CACH,UAAA,QAAkB,IAAA,oCAEpB,IAAA;IACE,MAAA;IACA,OAAA;IACA,OAAA,GAAU,UAAA,CAAW,cAAA;IACrB,MAAA,GAAS,SAAA,CAAU,cAAA;IACnB,QAAA;EAAA,MAEC,UAAA,CAAW,UAAA,QAAkB,IAAA;EAClC,OAAA,GACE,GAAA,EAAK,UAAA,CACH,UAAA,QAAkB,IAAA,oCAEpB,IAAA;IACE,MAAA;IACA,OAAA;IACA,OAAA,GAAU,UAAA,CAAW,cAAA;IACrB,MAAA,GAAS,SAAA,CAAU,cAAA;IACnB,QAAA;EAAA,MAEC,UAAA,CAAW,UAAA,QAAkB,IAAA;AAAA;AAAA,KAG/B,0BAAA,wBACoB,uBAAA;EAEvB,KAAA,GACE,GAAA,EAAK,UAAA,CACH,UAAA,QAAkB,IAAA,kCAEpB,IAAA;IACE,MAAA;IACA,OAAA;IACA,MAAA,EAAQ,SAAA,CAAU,cAAA;IAClB,QAAA;EAAA,MAEC,UAAA,CAAW,UAAA,QAAkB,IAAA;EAClC,OAAA,GACE,GAAA,EAAK,UAAA,CACH,UAAA,QAAkB,IAAA,oCAEpB,IAAA;IACE,MAAA;IACA,OAAA;IACA,MAAA,EAAQ,SAAA,CAAU,cAAA;IAClB,QAAA;EAAA,MAEC,UAAA,CAAW,UAAA,QAAkB,IAAA;AAAA;;KAIxB,WAAA,wBACa,uBAAA;EAEvB,MAAA,EAAQ,UAAA,QAAkB,IAAA;EAC1B,OAAA,EAAS,UAAA,QAAkB,IAAA;EAC3B,KAAA,EAAO,UAAA,QAAkB,IAAA;EACzB,IAAA,EAAM,UAAA,QAAkB,IAAA;EACxB,OAAA,EAAS,UAAA,QAAkB,IAAA;EAC3B,QAAA,EAAU,UAAA,QAAkB,IAAA;EAC5B,OAAA,EAAS,UAAA,QAAkB,IAAA;EAC3B,KAAA,EAAO,UAAA,QAAkB,IAAA;EACzB,MAAA,EAAQ,0BAAA,CAA2B,cAAA;EACnC,MAAA,EAAQ,0BAAA,CAA2B,cAAA;EACnC,MAAA,EAAQ,UAAA,QAAkB,IAAA;EAC1B,GAAA,EAAK,UAAA,QAAkB,IAAA;EACvB,IAAA,EAAM,UAAA,QAAkB,IAAA;AAAA;AAAA,KAGrB,cAAA,GAAiB,UAAA,QAAkB,IAAA;AAAA,KAEnC,iBAAA;EACH,UAAA,EAAY,cAAA;IACV,MAAA;MACE,IAAA,EAAM,cAAA;MACN,QAAA,EAAU,cAAA;MACV,GAAA,GACE,GAAA,EAAK,UAAA,CAAW,cAAA,8BAChB,YAAA,UACA,OAAA,EAAS,KAAA;QACP,MAAA;QACA,SAAA;MAAA,OAEC,OAAA;QACH,EAAA;QACA,YAAA;QACA,OAAA,EAAS,KAAA;UACP,QAAA;UACA,MAAA;UACA,SAAA;UACA,QAAA;UACA,UAAA;QAAA;MAAA;MAGJ,YAAA;QACE,OAAA,GACE,GAAA,EAAK,UAAA,CAAW,cAAA,8BAChB,IAAA;UAAQ,YAAA;UAAsB,MAAA;QAAA,MAC3B,OAAA;UACH,EAAA;UACA,YAAA;UACA,MAAA;UACA,WAAA;UACA,SAAA;UACA,SAAA;YACE,UAAA;YACA,UAAA;YACA,WAAA;UAAA;QAAA;QAGJ,OAAA,GACE,GAAA,EAAK,UAAA,CAAW,cAAA,8BAChB,IAAA;UAAQ,YAAA;UAAsB,MAAA;QAAA,MAC3B,OAAA;UACH,EAAA;UACA,YAAA;UACA,MAAA;UACA,UAAA;UACA,MAAA,EAAQ,KAAA;YAAQ,IAAA;YAAc,EAAA;YAAa,OAAA;UAAA;QAAA;MAAA;IAAA;EAAA;EAKnD,IAAA,EAAM,IAAA,CAAK,cAAA;EACX,IAAA,EAAM,IAAA,CAAK,cAAA;EACX,MAAA,EAAQ,cAAA;EACR,KAAA;IACE,IAAA,EAAM,cAAA;EAAA;EAER,OAAA;IACE,QAAA,EAAU,cAAA;IACV,QAAA;MACE,IAAA,EAAM,cAAA;IAAA;EAAA;AAAA;AAAA,KAKP,kBAAA;EACH,MAAA,EAAQ,cAAA;EACR,QAAA,EAAU,cAAA;AAAA;AAAA,KAGP,YAAA;EACH,KAAA,EAAO,iBAAA;EACP,MAAA,EAAQ,kBAAA;AAAA;AAAA,KAGL,aAAA;EACH,KAAA,EAAO,IAAA,CAAK,cAAA;AAAA;;KAIF,OAAA,wBACa,uBAAA,4BACrB,WAAA,CAAY,cAAA;EACd,GAAA,EAAK,YAAA;EACL,IAAA,EAAM,aAAA;AAAA;;;;;;KAQI,gBAAA,WACA,kBAAA,2BACa,uBAAA,4BAEvB,MAAA,CAAO,CAAA,iBACH,OAAA,CAAQ,cAAA,IACR,WAAA,CAAY,cAAA;;;;;;;;iBAwCF,UAAA,WACJ,kBAAA,2BACa,uBAAA,yBAAA,CAEvB,SAAA,EAAW,gBAAA,eACX,MAAA,EAAQ,IAAA,CAAK,UAAA;EACX,SAAA,EAAW,CAAA;EACX,aAAA,GAAgB,cAAA;AAAA,IAEjB,gBAAA,CAAiB,CAAA,EAAG,cAAA;AAAA,iBA6LP,WAAA,sBACO,MAAA;EAEjB,KAAA;EAAgB,MAAA;AAAA,GAAA,CAGpB,KAAA,EAAO,MAAA,iBAEK,MAAA;EACV,EAAA,EAAI,CAAA;EACJ,KAAA,GAAQ,MAAA,CAAO,CAAA;EACf,MAAA,EAAQ,KAAA,CAAM,MAAA,CAAO,CAAA;AAAA;AAAA,KAyBb,OAAA,GAAU,GAAA;AAAA,KAEV,aAAA,kBACO,MAAA,oBAA0B,MAAA;EAE3C,QAAA;EACA,OAAA,IAAW,GAAA,OAAU,IAAA,EAAM,OAAA,KAAY,OAAA,CAAQ,QAAA,IAAY,QAAA;AAAA;;iBAI7C,OAAA,kBACG,MAAA,oBAA0B,MAAA,gBAAA,CAE3C,IAAA,EAAM,QAAA,EACN,MAAA,EAAQ,aAAA,CAAc,QAAA;EAAc,QAAA;AAAA;EAEpC,IAAA;EACA,KAAA,GACE,GAAA,OACA,KAAA,OACA,MAAA,WACG,OAAA;IACH,GAAA;MACE,IAAA;QACE,eAAA,QAAuB,OAAA,CAAQ,YAAA;QAC/B,MAAA,EAAQ,SAAA;QACR,IAAA,EAAM,OAAA;MAAA,IACJ,QAAA;IAAA;IAEN,IAAA;EAAA;AAAA;;iBAIY,OAAA,kBACG,MAAA,oBAA0B,MAAA,gBAAA,CAE3C,IAAA,EAAM,QAAA,EACN,MAAA,GAAS,aAAA,CAAc,QAAA;EAEvB,IAAA;EACA,KAAA,GACE,GAAA,OACA,KAAA,OACA,MAAA,WACG,OAAA;IACH,GAAA;MACE,IAAA;QACE,eAAA,QAAuB,OAAA,CAAQ,YAAA;QAC/B,MAAA,EAAQ,SAAA;QACR,IAAA,EAAM,OAAA;MAAA,IACJ,QAAA;IAAA;IAEN,IAAA;EAAA;AAAA;AAAA,KAgEQ,SAAA;EACE,KAAA,MAAW,IAAA,YAAgB,OAAA;IAAU,GAAA;MAAO,IAAA;IAAA;EAAA;AAAA,KACtD,OAAA,CAAQ,UAAA,CAAW,CAAA"}
|