npm - @robelest/convex-auth - Versions diffs - 0.0.4-preview.13 → 0.0.4-preview.16 - Mend

@robelest/convex-auth 0.0.4-preview.13 → 0.0.4-preview.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (328) hide show

package/README.md +140 -9
package/dist/bin.cjs +5957 -5478
package/dist/client/index.d.ts +3 -7
package/dist/client/index.d.ts.map +1 -1
package/dist/client/index.js +27 -26
package/dist/client/index.js.map +1 -1
package/dist/component/_generated/api.d.ts +14 -0
package/dist/component/_generated/api.d.ts.map +1 -1
package/dist/component/_generated/api.js.map +1 -1
package/dist/component/_generated/component.d.ts +1672 -24
package/dist/component/_generated/component.d.ts.map +1 -1
package/dist/component/convex.config.d.ts +2 -2
package/dist/component/convex.config.d.ts.map +1 -1
package/dist/component/index.d.ts +1 -1
package/dist/component/index.js +2 -2
package/dist/component/model.d.ts +153 -0
package/dist/component/model.d.ts.map +1 -0
package/dist/component/model.js +343 -0
package/dist/component/model.js.map +1 -0
package/dist/component/providers/sso.d.ts +1 -1
package/dist/component/public/enterprise.d.ts +54 -0
package/dist/component/public/enterprise.d.ts.map +1 -0
package/dist/component/public/enterprise.js +515 -0
package/dist/component/public/enterprise.js.map +1 -0
package/dist/component/public/factors.d.ts +52 -0
package/dist/component/public/factors.d.ts.map +1 -0
package/dist/component/public/factors.js +285 -0
package/dist/component/public/factors.js.map +1 -0
package/dist/component/public/groups.d.ts +116 -0
package/dist/component/public/groups.d.ts.map +1 -0
package/dist/component/public/groups.js +596 -0
package/dist/component/public/groups.js.map +1 -0
package/dist/component/public/identity.d.ts +93 -0
package/dist/component/public/identity.d.ts.map +1 -0
package/dist/component/public/identity.js +426 -0
package/dist/component/public/identity.js.map +1 -0
package/dist/component/public/keys.d.ts +41 -0
package/dist/component/public/keys.d.ts.map +1 -0
package/dist/component/public/keys.js +157 -0
package/dist/component/public/keys.js.map +1 -0
package/dist/component/public/shared.d.ts +26 -0
package/dist/component/public/shared.d.ts.map +1 -0
package/dist/component/public/shared.js +32 -0
package/dist/component/public/shared.js.map +1 -0
package/dist/component/public.d.ts +9 -321
package/dist/component/public.d.ts.map +1 -1
package/dist/component/public.js +6 -2145
package/dist/component/schema.d.ts +406 -260
package/dist/component/schema.js +37 -32
package/dist/component/schema.js.map +1 -1
package/dist/component/server/auth.d.ts +161 -15
package/dist/component/server/auth.d.ts.map +1 -1
package/dist/component/server/auth.js +100 -7
package/dist/component/server/auth.js.map +1 -1
package/dist/component/server/cookies.js +3 -0
package/dist/component/server/cookies.js.map +1 -1
package/dist/component/server/db.js +1 -0
package/dist/component/server/db.js.map +1 -1
package/dist/component/server/device.js +3 -1
package/dist/component/server/device.js.map +1 -1
package/dist/component/server/domains/core.js +629 -0
package/dist/component/server/domains/core.js.map +1 -0
package/dist/component/server/domains/sso.js +884 -0
package/dist/component/server/domains/sso.js.map +1 -0
package/dist/component/server/factory.d.ts +136 -0
package/dist/component/server/factory.d.ts.map +1 -0
package/dist/component/server/factory.js +1134 -0
package/dist/component/server/factory.js.map +1 -0
package/dist/component/server/fx.js +2 -1
package/dist/component/server/fx.js.map +1 -1
package/dist/component/server/http.js +287 -0
package/dist/component/server/http.js.map +1 -0
package/dist/component/server/identity.js +13 -0
package/dist/component/server/identity.js.map +1 -0
package/dist/component/server/keys.js +4 -0
package/dist/component/server/keys.js.map +1 -1
package/dist/component/server/mutations/account.js +1 -1
package/dist/component/server/mutations/index.js +2 -2
package/dist/component/server/mutations/index.js.map +1 -1
package/dist/component/server/mutations/invalidate.js +1 -1
package/dist/component/server/mutations/oauth.js +10 -7
package/dist/component/server/mutations/oauth.js.map +1 -1
package/dist/component/server/mutations/refresh.js +1 -1
package/dist/component/server/mutations/register.js +1 -1
package/dist/component/server/mutations/retrieve.js +1 -1
package/dist/component/server/mutations/signature.js +1 -1
package/dist/component/server/mutations/store.js +6 -3
package/dist/component/server/mutations/store.js.map +1 -1
package/dist/component/server/mutations/verify.js +1 -1
package/dist/component/server/oauth.js +3 -0
package/dist/component/server/oauth.js.map +1 -1
package/dist/component/server/passkey.js +3 -2
package/dist/component/server/passkey.js.map +1 -1
package/dist/component/server/provider.js +2 -0
package/dist/component/server/provider.js.map +1 -1
package/dist/component/server/providers.js +10 -0
package/dist/component/server/providers.js.map +1 -1
package/dist/component/server/ratelimit.js +3 -0
package/dist/component/server/ratelimit.js.map +1 -1
package/dist/component/server/redirects.js +2 -0
package/dist/component/server/redirects.js.map +1 -1
package/dist/component/server/refresh.js +5 -0
package/dist/component/server/refresh.js.map +1 -1
package/dist/component/server/sessions.js +5 -0
package/dist/component/server/sessions.js.map +1 -1
package/dist/component/server/signin.js +2 -1
package/dist/component/server/signin.js.map +1 -1
package/dist/component/server/sso.js +166 -19
package/dist/component/server/sso.js.map +1 -1
package/dist/component/server/tokens.js +1 -0
package/dist/component/server/tokens.js.map +1 -1
package/dist/component/server/totp.js +4 -2
package/dist/component/server/totp.js.map +1 -1
package/dist/component/server/types.d.ts +106 -38
package/dist/component/server/types.d.ts.map +1 -1
package/dist/component/server/types.js.map +1 -1
package/dist/component/server/users.js +1 -0
package/dist/component/server/users.js.map +1 -1
package/dist/component/server/utils.js +44 -2
package/dist/component/server/utils.js.map +1 -1
package/dist/providers/anonymous.d.ts +1 -1
package/dist/providers/credentials.d.ts +1 -1
package/dist/providers/password.d.ts +1 -1
package/dist/providers/sso.d.ts +1 -1
package/dist/providers/sso.js.map +1 -1
package/dist/server/auth.d.ts +163 -17
package/dist/server/auth.d.ts.map +1 -1
package/dist/server/auth.js +100 -7
package/dist/server/auth.js.map +1 -1
package/dist/server/cookies.d.ts +1 -38
package/dist/server/cookies.js +3 -0
package/dist/server/cookies.js.map +1 -1
package/dist/server/db.d.ts +1 -125
package/dist/server/db.js +1 -0
package/dist/server/db.js.map +1 -1
package/dist/server/device.d.ts +1 -24
package/dist/server/device.js +3 -1
package/dist/server/device.js.map +1 -1
package/dist/server/domains/core.d.ts +434 -0
package/dist/server/domains/core.d.ts.map +1 -0
package/dist/server/domains/core.js +629 -0
package/dist/server/domains/core.js.map +1 -0
package/dist/server/domains/sso.d.ts +409 -0
package/dist/server/domains/sso.d.ts.map +1 -0
package/dist/server/domains/sso.js +884 -0
package/dist/server/domains/sso.js.map +1 -0
package/dist/server/enterpriseValidators.d.ts +1 -0
package/dist/server/enterpriseValidators.js +60 -0
package/dist/server/enterpriseValidators.js.map +1 -0
package/dist/server/factory.d.ts +136 -0
package/dist/server/factory.d.ts.map +1 -0
package/dist/server/factory.js +1134 -0
package/dist/server/factory.js.map +1 -0
package/dist/server/fx.d.ts +1 -16
package/dist/server/fx.d.ts.map +1 -1
package/dist/server/fx.js +1 -0
package/dist/server/fx.js.map +1 -1
package/dist/server/http.d.ts +59 -0
package/dist/server/http.d.ts.map +1 -0
package/dist/server/http.js +287 -0
package/dist/server/http.js.map +1 -0
package/dist/server/identity.d.ts +1 -0
package/dist/server/identity.js +13 -0
package/dist/server/identity.js.map +1 -0
package/dist/server/index.d.ts +468 -1
package/dist/server/index.d.ts.map +1 -1
package/dist/server/index.js +530 -36
package/dist/server/index.js.map +1 -1
package/dist/server/keys.d.ts +1 -57
package/dist/server/keys.js +4 -0
package/dist/server/keys.js.map +1 -1
package/dist/server/mutations/account.d.ts +7 -7
package/dist/server/mutations/account.d.ts.map +1 -1
package/dist/server/mutations/code.d.ts +13 -13
package/dist/server/mutations/code.d.ts.map +1 -1
package/dist/server/mutations/index.d.ts +107 -107
package/dist/server/mutations/index.d.ts.map +1 -1
package/dist/server/mutations/index.js +1 -1
package/dist/server/mutations/index.js.map +1 -1
package/dist/server/mutations/invalidate.d.ts +5 -5
package/dist/server/mutations/invalidate.d.ts.map +1 -1
package/dist/server/mutations/oauth.d.ts +10 -10
package/dist/server/mutations/oauth.d.ts.map +1 -1
package/dist/server/mutations/oauth.js +9 -6
package/dist/server/mutations/oauth.js.map +1 -1
package/dist/server/mutations/refresh.d.ts +4 -4
package/dist/server/mutations/register.d.ts +12 -12
package/dist/server/mutations/register.d.ts.map +1 -1
package/dist/server/mutations/retrieve.d.ts +7 -7
package/dist/server/mutations/signature.d.ts +5 -5
package/dist/server/mutations/signin.d.ts +6 -6
package/dist/server/mutations/signin.d.ts.map +1 -1
package/dist/server/mutations/signout.d.ts +1 -1
package/dist/server/mutations/store.d.ts +3 -2
package/dist/server/mutations/store.d.ts.map +1 -1
package/dist/server/mutations/store.js +6 -3
package/dist/server/mutations/store.js.map +1 -1
package/dist/server/mutations/verifier.d.ts +1 -1
package/dist/server/mutations/verify.d.ts +11 -11
package/dist/server/mutations/verify.d.ts.map +1 -1
package/dist/server/oauth.d.ts +1 -59
package/dist/server/oauth.js +3 -0
package/dist/server/oauth.js.map +1 -1
package/dist/server/passkey.d.ts.map +1 -1
package/dist/server/passkey.js +3 -2
package/dist/server/passkey.js.map +1 -1
package/dist/server/provider.d.ts +1 -14
package/dist/server/provider.d.ts.map +1 -1
package/dist/server/provider.js +2 -0
package/dist/server/provider.js.map +1 -1
package/dist/server/providers.js +10 -0
package/dist/server/providers.js.map +1 -1
package/dist/server/ratelimit.d.ts +1 -22
package/dist/server/ratelimit.js +3 -0
package/dist/server/ratelimit.js.map +1 -1
package/dist/server/redirects.d.ts +1 -10
package/dist/server/redirects.js +2 -0
package/dist/server/redirects.js.map +1 -1
package/dist/server/refresh.d.ts +1 -37
package/dist/server/refresh.js +5 -0
package/dist/server/refresh.js.map +1 -1
package/dist/server/sessions.d.ts +1 -28
package/dist/server/sessions.js +5 -0
package/dist/server/sessions.js.map +1 -1
package/dist/server/signin.d.ts +1 -55
package/dist/server/signin.js +2 -1
package/dist/server/signin.js.map +1 -1
package/dist/server/sso.d.ts +1 -348
package/dist/server/sso.js +165 -18
package/dist/server/sso.js.map +1 -1
package/dist/server/templates.d.ts +1 -21
package/dist/server/templates.js +1 -0
package/dist/server/templates.js.map +1 -1
package/dist/server/tokens.d.ts +1 -11
package/dist/server/tokens.js +1 -0
package/dist/server/tokens.js.map +1 -1
package/dist/server/totp.d.ts +1 -23
package/dist/server/totp.js +4 -2
package/dist/server/totp.js.map +1 -1
package/dist/server/types.d.ts +114 -77
package/dist/server/types.d.ts.map +1 -1
package/dist/server/types.js.map +1 -1
package/dist/server/users.d.ts +1 -31
package/dist/server/users.js +1 -0
package/dist/server/users.js.map +1 -1
package/dist/server/utils.d.ts +1 -27
package/dist/server/utils.js +44 -2
package/dist/server/utils.js.map +1 -1
package/dist/server/version.d.ts +1 -1
package/dist/server/version.js +1 -1
package/dist/server/version.js.map +1 -1
package/package.json +4 -5
package/src/cli/bin.ts +5 -0
package/src/cli/index.ts +22 -9
package/src/cli/keys.ts +3 -0
package/src/client/index.ts +36 -37
package/src/component/_generated/api.ts +14 -0
package/src/component/_generated/component.ts +2106 -9
package/src/component/index.ts +3 -1
package/src/component/model.ts +441 -0
package/src/component/public/enterprise.ts +753 -0
package/src/component/public/factors.ts +332 -0
package/src/component/public/groups.ts +932 -0
package/src/component/public/identity.ts +566 -0
package/src/component/public/keys.ts +209 -0
package/src/component/public/shared.ts +119 -0
package/src/component/public.ts +5 -2965
package/src/component/schema.ts +68 -63
package/src/providers/sso.ts +1 -1
package/src/server/auth.ts +413 -18
package/src/server/cookies.ts +3 -0
package/src/server/db.ts +3 -0
package/src/server/device.ts +3 -1
package/src/server/domains/core.ts +1071 -0
package/src/server/domains/sso.ts +1749 -0
package/src/server/enterpriseValidators.ts +93 -0
package/src/server/factory.ts +2181 -0
package/src/server/fx.ts +1 -0
package/src/server/http.ts +529 -0
package/src/server/identity.ts +18 -0
package/src/server/index.ts +806 -40
package/src/server/keys.ts +4 -0
package/src/server/mutations/index.ts +1 -1
package/src/server/mutations/oauth.ts +36 -8
package/src/server/mutations/store.ts +6 -3
package/src/server/oauth.ts +6 -0
package/src/server/passkey.ts +3 -2
package/src/server/provider.ts +2 -0
package/src/server/providers.ts +20 -0
package/src/server/ratelimit.ts +3 -0
package/src/server/redirects.ts +2 -0
package/src/server/refresh.ts +5 -0
package/src/server/sessions.ts +5 -0
package/src/server/signin.ts +1 -0
package/src/server/sso.ts +259 -17
package/src/server/templates.ts +1 -0
package/src/server/tokens.ts +1 -0
package/src/server/totp.ts +4 -2
package/src/server/types.ts +178 -83
package/src/server/users.ts +1 -0
package/src/server/utils.ts +71 -1
package/src/server/version.ts +1 -1
package/dist/component/public.js.map +0 -1
package/dist/component/server/implementation.d.ts +0 -1264
package/dist/component/server/implementation.d.ts.map +0 -1
package/dist/component/server/implementation.js +0 -2365
package/dist/component/server/implementation.js.map +0 -1
package/dist/server/cookies.d.ts.map +0 -1
package/dist/server/db.d.ts.map +0 -1
package/dist/server/device.d.ts.map +0 -1
package/dist/server/implementation.d.ts +0 -1264
package/dist/server/implementation.d.ts.map +0 -1
package/dist/server/implementation.js +0 -2365
package/dist/server/implementation.js.map +0 -1
package/dist/server/keys.d.ts.map +0 -1
package/dist/server/oauth.d.ts.map +0 -1
package/dist/server/ratelimit.d.ts.map +0 -1
package/dist/server/redirects.d.ts.map +0 -1
package/dist/server/refresh.d.ts.map +0 -1
package/dist/server/sessions.d.ts.map +0 -1
package/dist/server/signin.d.ts.map +0 -1
package/dist/server/sso.d.ts.map +0 -1
package/dist/server/templates.d.ts.map +0 -1
package/dist/server/tokens.d.ts.map +0 -1
package/dist/server/totp.d.ts.map +0 -1
package/dist/server/users.d.ts.map +0 -1
package/dist/server/utils.d.ts.map +0 -1
package/src/server/implementation.ts +0 -5336

package/dist/component/server/domains/core.js ADDED Viewed

@@ -0,0 +1,629 @@
+import { AuthError, Fx } from "../fx.js";
+import { TOKEN_SUB_CLAIM_DIVIDER, generateRandomString, sha256 } from "../utils.js";
+import { buildScopeChecker, checkKeyRateLimit, generateApiKey, hashApiKey } from "../keys.js";
+import { materializeProvider } from "../providers.js";
+import { signInImpl } from "../signin.js";
+//#region src/server/domains/core.ts
+/**
+* Build the core auth domains that back the canonical app API surface.
+*/
+function createCoreDomains(deps) {
+	const { config, getAuth, callInvalidateSessions, callCreateAccountFromCredentials, callRetrieveAccountWithCredentials, callModifyAccount, getEnrichCtx, inviteTokenAlphabet, inviteTokenLength } = deps;
+	const roleDefinitions = config.authorization.roles;
+	const getRoleDefinition = (roleId) => {
+		const role = roleDefinitions[roleId];
+		if (!role) throw new AuthError("INVALID_PARAMETERS", `Unknown roleId "${roleId}".`).toConvexError();
+		return role;
+	};
+	const normalizeRoleIds = (roleIds) => {
+		const normalized = Array.from(new Set(roleIds ?? []));
+		for (const roleId of normalized) getRoleDefinition(roleId);
+		return normalized;
+	};
+	const resolveGrantedPermissions = (roleIds) => {
+		const grants = /* @__PURE__ */ new Set();
+		for (const roleId of roleIds ?? []) {
+			const role = getRoleDefinition(roleId);
+			for (const grant of role.grants) grants.add(grant);
+		}
+		return Array.from(grants).sort();
+	};
+	const user = {
+		current: async (ctx, request) => {
+			const identity = await ctx.auth.getUserIdentity();
+			if (identity !== null) {
+				const [userId] = identity.subject.split(TOKEN_SUB_CLAIM_DIVIDER);
+				return userId;
+			}
+			if (request !== void 0 && "runMutation" in ctx && ctx.runMutation) {
+				const authHeader = request.headers.get("Authorization");
+				if (authHeader?.startsWith("Bearer sk_")) {
+					const rawKey = authHeader.slice(7);
+					try {
+						return (await getAuth().key.verify(ctx, rawKey)).userId;
+					} catch {
+						return null;
+					}
+				}
+			}
+			return null;
+		},
+		require: async (ctx, request) => {
+			const userId = await user.current(ctx, request);
+			if (userId === null) throw new AuthError("NOT_SIGNED_IN").toConvexError();
+			return userId;
+		},
+		get: async (ctx, userId) => {
+			return await ctx.runQuery(config.component.public.userGetById, { userId });
+		},
+		list: async (ctx, opts = {}) => {
+			return await ctx.runQuery(config.component.public.userList, opts);
+		},
+		viewer: async (ctx) => {
+			const userId = await user.current(ctx);
+			if (userId === null) return null;
+			return await ctx.runQuery(config.component.public.userGetById, { userId });
+		},
+		update: async (ctx, userId, data) => {
+			await ctx.runMutation(config.component.public.userPatch, {
+				userId,
+				data
+			});
+			return {
+				ok: true,
+				userId
+			};
+		},
+		setActiveGroup: async (ctx, opts) => {
+			const doc = await user.get(ctx, opts.userId);
+			const existingExtend = doc !== null && doc.extend !== null && typeof doc.extend === "object" && !Array.isArray(doc.extend) ? { ...doc.extend } : {};
+			if (opts.groupId === null) {
+				const { lastActiveGroup: _omit, ...rest } = existingExtend;
+				await user.update(ctx, opts.userId, { extend: rest });
+				return {
+					ok: true,
+					userId: opts.userId,
+					groupId: null
+				};
+			}
+			await user.update(ctx, opts.userId, { extend: {
+				...existingExtend,
+				lastActiveGroup: opts.groupId
+			} });
+			return {
+				ok: true,
+				userId: opts.userId,
+				groupId: opts.groupId
+			};
+		},
+		getActiveGroup: async (ctx, opts) => {
+			const doc = await user.get(ctx, opts.userId);
+			if (doc !== null && doc.extend !== null && typeof doc.extend === "object" && !Array.isArray(doc.extend)) {
+				const val = doc.extend.lastActiveGroup;
+				if (typeof val === "string") return val;
+			}
+			return null;
+		},
+		delete: async (ctx, userId, opts) => {
+			const cascade = opts?.cascade !== false;
+			const [sessions, accounts, keys, members, passkeys, totps] = await Promise.all([
+				ctx.runQuery(config.component.public.sessionListByUser, { userId }),
+				ctx.runQuery(config.component.public.accountListByUser, { userId }),
+				ctx.runQuery(config.component.public.keyListByUserId, { userId }),
+				ctx.runQuery(config.component.public.memberListByUser, { userId }),
+				ctx.runQuery(config.component.public.passkeyListByUserId, { userId }),
+				ctx.runQuery(config.component.public.totpListByUserId, { userId })
+			]);
+			const totalLinked = sessions.length + accounts.length + keys.length + members.length + passkeys.length + totps.length;
+			if (!cascade && totalLinked > 0) throw new AuthError("INVALID_PARAMETERS", `Cannot delete user with ${totalLinked} linked records. Pass { cascade: true } to delete all linked records, or remove them manually first.`).toConvexError();
+			const deletions = [];
+			for (const s of sessions) deletions.push(ctx.runMutation(config.component.public.sessionDelete, { sessionId: s._id }));
+			for (const a of accounts) deletions.push(ctx.runMutation(config.component.public.accountDelete, { accountId: a._id }));
+			for (const k of keys) deletions.push(ctx.runMutation(config.component.public.keyDelete, { keyId: k._id }));
+			for (const m of members) deletions.push(ctx.runMutation(config.component.public.memberRemove, { memberId: m._id }));
+			for (const p of passkeys) deletions.push(ctx.runMutation(config.component.public.passkeyDelete, { passkeyId: p._id }));
+			for (const t of totps) deletions.push(ctx.runMutation(config.component.public.totpDelete, { totpId: t._id }));
+			await Promise.all(deletions);
+			await ctx.runMutation(config.component.public.userDelete, { userId });
+			return {
+				ok: true,
+				userId
+			};
+		}
+	};
+	const session = {
+		current: async (ctx) => {
+			const identity = await ctx.auth.getUserIdentity();
+			if (identity === null) return null;
+			const [, sessionId] = identity.subject.split(TOKEN_SUB_CLAIM_DIVIDER);
+			return sessionId;
+		},
+		invalidate: async (ctx, args) => {
+			await callInvalidateSessions(ctx, args);
+			return {
+				ok: true,
+				userId: args.userId,
+				except: args.except ?? []
+			};
+		},
+		get: async (ctx, sessionId) => {
+			return await ctx.runQuery(config.component.public.sessionGetById, { sessionId });
+		},
+		list: async (ctx, opts) => {
+			return await ctx.runQuery(config.component.public.sessionListByUser, { userId: opts.userId });
+		}
+	};
+	const account = {
+		create: async (ctx, args) => {
+			return {
+				ok: true,
+				...await callCreateAccountFromCredentials(ctx, args)
+			};
+		},
+		get: async (ctx, args) => {
+			const result = await callRetrieveAccountWithCredentials(ctx, args);
+			if (typeof result === "string") throw new AuthError("ACCOUNT_NOT_FOUND", result).toConvexError();
+			return result;
+		},
+		update: async (ctx, args) => {
+			await callModifyAccount(ctx, args);
+			return {
+				ok: true,
+				accountId: args.account.id
+			};
+		},
+		delete: async (ctx, accountId) => {
+			const doc = await ctx.runQuery(config.component.public.accountGetById, { accountId });
+			if (doc === null) throw new AuthError("ACCOUNT_NOT_FOUND", "Account not found.").toConvexError();
+			if ((await ctx.runQuery(config.component.public.accountListByUser, { userId: doc.userId })).length <= 1) throw new AuthError("INVALID_PARAMETERS", "Cannot unlink the user's only account. This would lock them out.").toConvexError();
+			await ctx.runMutation(config.component.public.accountDelete, { accountId });
+			return {
+				ok: true,
+				accountId
+			};
+		},
+		listPasskeys: async (ctx, opts) => {
+			return await ctx.runQuery(config.component.public.passkeyListByUserId, opts);
+		},
+		renamePasskey: async (ctx, passkeyId, name) => {
+			await ctx.runMutation(config.component.public.passkeyUpdateMeta, {
+				passkeyId,
+				data: { name }
+			});
+			return {
+				ok: true,
+				passkeyId
+			};
+		},
+		deletePasskey: async (ctx, passkeyId) => {
+			await ctx.runMutation(config.component.public.passkeyDelete, { passkeyId });
+			return {
+				ok: true,
+				passkeyId
+			};
+		},
+		listTotps: async (ctx, opts) => {
+			return await ctx.runQuery(config.component.public.totpListByUserId, opts);
+		},
+		deleteTotp: async (ctx, totpId) => {
+			await ctx.runMutation(config.component.public.totpDelete, { totpId });
+			return {
+				ok: true,
+				totpId
+			};
+		}
+	};
+	const provider = { signIn: async (ctx, providerConfig, args) => {
+		const result = await signInImpl(getEnrichCtx()(ctx), materializeProvider(providerConfig), args, {
+			generateTokens: false,
+			allowExtraProviders: true
+		});
+		return result.kind === "signedIn" ? result.signedIn !== null ? {
+			userId: result.signedIn.userId,
+			sessionId: result.signedIn.sessionId
+		} : null : null;
+	} };
+	const group = {
+		create: async (ctx, data) => {
+			return {
+				ok: true,
+				groupId: await ctx.runMutation(config.component.public.groupCreate, data)
+			};
+		},
+		get: async (ctx, groupId) => {
+			return await ctx.runQuery(config.component.public.groupGet, { groupId });
+		},
+		list: async (ctx, opts) => {
+			return await ctx.runQuery(config.component.public.groupList, {
+				where: opts?.where,
+				limit: opts?.limit,
+				cursor: opts?.cursor,
+				orderBy: opts?.orderBy,
+				order: opts?.order
+			});
+		},
+		update: async (ctx, groupId, data) => {
+			await ctx.runMutation(config.component.public.groupUpdate, {
+				groupId,
+				data
+			});
+			return {
+				ok: true,
+				groupId
+			};
+		},
+		delete: async (ctx, groupId) => {
+			await ctx.runMutation(config.component.public.groupDelete, { groupId });
+			return {
+				ok: true,
+				groupId
+			};
+		},
+		ancestors: async (ctx, opts) => {
+			const maxDepth = Math.max(0, Math.floor(opts.maxDepth ?? 32));
+			const visited = /* @__PURE__ */ new Set();
+			const ancestors = [];
+			let cycleDetected = false;
+			let maxDepthReached = false;
+			let currentGroupId = opts.groupId;
+			let depth = 0;
+			let isFirst = true;
+			while (currentGroupId !== void 0) {
+				if (depth > maxDepth) {
+					maxDepthReached = true;
+					break;
+				}
+				if (visited.has(currentGroupId)) {
+					cycleDetected = true;
+					break;
+				}
+				visited.add(currentGroupId);
+				const doc = await group.get(ctx, currentGroupId);
+				if (doc === null) break;
+				if (isFirst) {
+					isFirst = false;
+					if (opts.includeSelf) ancestors.push(doc);
+					currentGroupId = doc.parentGroupId;
+					depth += 1;
+					continue;
+				}
+				ancestors.push(doc);
+				currentGroupId = doc.parentGroupId;
+				depth += 1;
+			}
+			return {
+				ancestors,
+				cycleDetected,
+				maxDepthReached
+			};
+		}
+	};
+	const member = {
+		create: async (ctx, data) => {
+			const roleIds = normalizeRoleIds(data.roleIds);
+			return {
+				ok: true,
+				memberId: await ctx.runMutation(config.component.public.memberAdd, {
+					...data,
+					roleIds
+				})
+			};
+		},
+		get: async (ctx, memberId) => {
+			return await ctx.runQuery(config.component.public.memberGet, { memberId });
+		},
+		getByUserAndGroup: async (ctx, opts) => {
+			return await ctx.runQuery(config.component.public.memberGetByGroupAndUser, opts);
+		},
+		list: async (ctx, opts) => {
+			return await ctx.runQuery(config.component.public.memberList, {
+				where: opts?.where,
+				limit: opts?.limit,
+				cursor: opts?.cursor,
+				orderBy: opts?.orderBy,
+				order: opts?.order
+			});
+		},
+		delete: async (ctx, memberId) => {
+			await ctx.runMutation(config.component.public.memberRemove, { memberId });
+			return {
+				ok: true,
+				memberId
+			};
+		},
+		update: async (ctx, memberId, data) => {
+			const nextData = { ...data };
+			if ("roleIds" in nextData) nextData.roleIds = normalizeRoleIds(Array.isArray(nextData.roleIds) ? nextData.roleIds : void 0);
+			await ctx.runMutation(config.component.public.memberUpdate, {
+				memberId,
+				data: nextData
+			});
+			return {
+				ok: true,
+				memberId
+			};
+		},
+		inherit: async (ctx, opts) => {
+			const requestedRoleIds = normalizeRoleIds(opts.roleIds);
+			const roleFilter = requestedRoleIds.length > 0 ? new Set(requestedRoleIds) : null;
+			const requiredGrants = Array.from(new Set(opts.grants ?? []));
+			const maxDepth = Math.max(0, Math.floor(opts.maxDepth ?? 32));
+			const visited = /* @__PURE__ */ new Set();
+			const traversedGroupIds = [];
+			let currentGroupId = opts.groupId;
+			let depth = 0;
+			let cycleDetected = false;
+			let maxDepthReached = false;
+			while (currentGroupId !== void 0) {
+				if (depth > maxDepth) {
+					maxDepthReached = true;
+					break;
+				}
+				if (visited.has(currentGroupId)) {
+					cycleDetected = true;
+					break;
+				}
+				visited.add(currentGroupId);
+				traversedGroupIds.push(currentGroupId);
+				const membership = await member.getByUserAndGroup(ctx, {
+					userId: opts.userId,
+					groupId: currentGroupId
+				});
+				const membershipRoleIds = membership?.roleIds ?? [];
+				const membershipGrants = resolveGrantedPermissions(membershipRoleIds);
+				if (membership !== null && (roleFilter === null || membershipRoleIds.some((roleId) => roleFilter.has(roleId))) && requiredGrants.every((grant) => membershipGrants.includes(grant))) return {
+					requestedGroupId: opts.groupId,
+					matchedGroupId: currentGroupId,
+					membership,
+					roleIds: membershipRoleIds,
+					grants: membershipGrants,
+					missingGrants: [],
+					depth,
+					isDirect: depth === 0,
+					isInherited: depth > 0,
+					traversedGroupIds,
+					cycleDetected: false,
+					maxDepthReached: false
+				};
+				const doc = await group.get(ctx, currentGroupId);
+				if (doc === null || doc.parentGroupId === void 0) break;
+				currentGroupId = doc.parentGroupId;
+				depth += 1;
+			}
+			return {
+				requestedGroupId: opts.groupId,
+				matchedGroupId: null,
+				membership: null,
+				roleIds: [],
+				grants: [],
+				missingGrants: requiredGrants,
+				depth: null,
+				isDirect: false,
+				isInherited: false,
+				traversedGroupIds,
+				cycleDetected,
+				maxDepthReached
+			};
+		},
+		require: async (ctx, opts) => {
+			const result = await member.inherit(ctx, opts);
+			if (result.membership === null) throw new AuthError("FORBIDDEN", `User ${opts.userId} has no membership on group ${opts.groupId} or its ancestors.`).toConvexError();
+			return {
+				membership: result.membership,
+				matchedGroupId: result.matchedGroupId,
+				roleIds: result.roleIds,
+				grants: result.grants,
+				isDirect: result.isDirect,
+				isInherited: result.isInherited,
+				depth: result.depth
+			};
+		}
+	};
+	const access = {
+		check: async (ctx, opts) => {
+			const requiredGrants = Array.from(new Set(opts.grants));
+			const result = await member.inherit(ctx, {
+				userId: opts.userId,
+				groupId: opts.groupId,
+				grants: requiredGrants,
+				maxDepth: opts.maxDepth
+			});
+			const missingGrants = requiredGrants.filter((grant) => !result.grants.includes(grant));
+			return {
+				ok: result.membership !== null && missingGrants.length === 0,
+				membership: result.membership,
+				matchedGroupId: result.matchedGroupId,
+				roleIds: result.roleIds,
+				grants: result.grants,
+				missingGrants,
+				isDirect: result.isDirect,
+				isInherited: result.isInherited,
+				depth: result.depth
+			};
+		},
+		require: async (ctx, opts) => {
+			const result = await access.check(ctx, opts);
+			if (!result.ok) throw new AuthError("FORBIDDEN", `User ${opts.userId} is missing required grants on group ${opts.groupId}: ${result.missingGrants.join(", ")}.`).toConvexError();
+			return result;
+		}
+	};
+	const invite = {
+		create: async (ctx, data) => {
+			const roleIds = normalizeRoleIds(data.roleIds);
+			const token = generateRandomString(inviteTokenLength, inviteTokenAlphabet);
+			const tokenHash = await sha256(token);
+			return {
+				ok: true,
+				inviteId: await ctx.runMutation(config.component.public.inviteCreate, {
+					...data,
+					roleIds,
+					tokenHash,
+					status: "pending"
+				}),
+				token
+			};
+		},
+		get: async (ctx, inviteId) => {
+			return await ctx.runQuery(config.component.public.inviteGet, { inviteId });
+		},
+		token: {
+			get: async (ctx, token) => {
+				const tokenHash = await sha256(token);
+				return await ctx.runQuery(config.component.public.inviteGetByTokenHash, { tokenHash });
+			},
+			accept: async (ctx, args) => {
+				const tokenHash = await sha256(args.token);
+				return {
+					ok: true,
+					...await ctx.runMutation(config.component.public.inviteAcceptByToken, {
+						tokenHash,
+						acceptedByUserId: args.acceptedByUserId
+					})
+				};
+			}
+		},
+		list: async (ctx, opts) => {
+			return await ctx.runQuery(config.component.public.inviteList, {
+				where: opts?.where,
+				limit: opts?.limit,
+				cursor: opts?.cursor,
+				orderBy: opts?.orderBy,
+				order: opts?.order
+			});
+		},
+		accept: async (ctx, inviteId, acceptedByUserId) => {
+			await ctx.runMutation(config.component.public.inviteAccept, {
+				inviteId,
+				...acceptedByUserId ? { acceptedByUserId } : {}
+			});
+			return {
+				ok: true,
+				inviteId,
+				acceptedByUserId: acceptedByUserId ?? null
+			};
+		},
+		revoke: async (ctx, inviteId) => {
+			await ctx.runMutation(config.component.public.inviteRevoke, { inviteId });
+			return {
+				ok: true,
+				inviteId
+			};
+		}
+	};
+	const key = {
+		create: async (ctx, opts) => {
+			const { raw, hashedKey, displayPrefix } = await generateApiKey("sk_");
+			return {
+				ok: true,
+				keyId: await ctx.runMutation(config.component.public.keyInsert, {
+					userId: opts.userId,
+					prefix: displayPrefix,
+					hashedKey,
+					name: opts.name,
+					scopes: opts.scopes,
+					rateLimit: opts.rateLimit,
+					expiresAt: opts.expiresAt,
+					metadata: opts.metadata
+				}),
+				secret: raw
+			};
+		},
+		verify: async (ctx, rawKey) => {
+			const hashedKey = await hashApiKey(rawKey);
+			const doc = await ctx.runQuery(config.component.public.keyGetByHashedKey, { hashedKey });
+			return Fx.run(Fx.gen(function* () {
+				yield* Fx.guard(!doc, Fx.fail(new AuthError("INVALID_API_KEY")));
+				const k = doc;
+				yield* Fx.guard(k.revoked, Fx.fail(new AuthError("API_KEY_REVOKED")));
+				yield* Fx.guard(!!(k.expiresAt && k.expiresAt < Date.now()), Fx.fail(new AuthError("API_KEY_EXPIRED")));
+				const patchData = { lastUsedAt: Date.now() };
+				if (k.rateLimit) {
+					const { limited, newState } = checkKeyRateLimit(k.rateLimit, k.rateLimitState ?? void 0);
+					yield* Fx.guard(limited, Fx.fail(new AuthError("API_KEY_RATE_LIMITED")));
+					patchData.rateLimitState = newState;
+				}
+				yield* Fx.promise(() => ctx.runMutation(config.component.public.keyPatch, {
+					keyId: k._id,
+					data: patchData
+				}));
+				return {
+					userId: k.userId,
+					keyId: k._id,
+					scopes: buildScopeChecker(k.scopes)
+				};
+			}).pipe(Fx.recover((e) => Fx.fatal(e.toConvexError()))));
+		},
+		list: async (ctx, opts) => {
+			return await ctx.runQuery(config.component.public.keyList, {
+				where: opts?.where,
+				limit: opts?.limit,
+				cursor: opts?.cursor,
+				orderBy: opts?.orderBy,
+				order: opts?.order
+			});
+		},
+		get: async (ctx, keyId) => {
+			return await ctx.runQuery(config.component.public.keyGetById, { keyId });
+		},
+		update: async (ctx, keyId, data) => {
+			await ctx.runMutation(config.component.public.keyPatch, {
+				keyId,
+				data
+			});
+			return {
+				ok: true,
+				keyId
+			};
+		},
+		revoke: async (ctx, keyId) => {
+			await ctx.runMutation(config.component.public.keyPatch, {
+				keyId,
+				data: { revoked: true }
+			});
+			return {
+				ok: true,
+				keyId
+			};
+		},
+		delete: async (ctx, keyId) => {
+			await ctx.runMutation(config.component.public.keyDelete, { keyId });
+			return {
+				ok: true,
+				keyId
+			};
+		},
+		rotate: async (ctx, keyId, opts) => {
+			const existing = await ctx.runQuery(config.component.public.keyGetById, { keyId });
+			if (!existing) throw new AuthError("INVALID_PARAMETERS", "API key not found.").toConvexError();
+			if (existing.revoked === true) throw new AuthError("API_KEY_REVOKED", "Cannot rotate a key that is already revoked.").toConvexError();
+			await ctx.runMutation(config.component.public.keyPatch, {
+				keyId,
+				data: { revoked: true }
+			});
+			return await key.create(ctx, {
+				userId: existing.userId,
+				name: opts?.name ?? existing.name,
+				scopes: existing.scopes ?? [],
+				rateLimit: existing.rateLimit,
+				expiresAt: opts?.expiresAt,
+				metadata: existing.metadata
+			});
+		}
+	};
+	return {
+		user,
+		session,
+		account,
+		provider,
+		group,
+		member,
+		access,
+		invite,
+		key
+	};
+}
+//#endregion
+export { createCoreDomains };
+//# sourceMappingURL=core.js.map