@robelest/convex-auth 0.0.4-preview.13 → 0.0.4-preview.16

package/dist/server/domains/core.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"core.js","names":[],"sources":["../../../src/server/domains/core.ts"],"sourcesContent":["import { Auth, GenericActionCtx, GenericDataModel } from \"convex/server\";\nimport { GenericId } from \"convex/values\";\n\nimport { AuthError, Fx } from \"../fx\";\nimport {\n  buildScopeChecker,\n  checkKeyRateLimit,\n  generateApiKey,\n  hashApiKey,\n} from \"../keys\";\nimport { materializeProvider } from \"../providers\";\nimport { signInImpl } from \"../signin\";\nimport type {\n  AuthProviderConfig,\n  KeyDoc,\n  KeyScope,\n  ScopeChecker,\n  UserOrderBy,\n  UserWhere,\n} from \"../types\";\nimport {\n  generateRandomString,\n  sha256,\n  TOKEN_SUB_CLAIM_DIVIDER,\n} from \"../utils\";\n\ntype ComponentCtx = Pick<\n  GenericActionCtx<GenericDataModel>,\n  \"runQuery\" | \"runMutation\"\n>;\ntype ComponentReadCtx = Pick<GenericActionCtx<GenericDataModel>, \"runQuery\">;\ntype ComponentAuthReadCtx = ComponentReadCtx & { auth: Auth };\ntype AccountCredentials = { id: string; secret?: string };\ntype CreateAccountArgs = {\n  provider: string;\n  account: AccountCredentials;\n  profile: Record<string, unknown>;\n  shouldLinkViaEmail?: boolean;\n  shouldLinkViaPhone?: boolean;\n};\ntype RetrieveAccountArgs = { provider: string; account: AccountCredentials };\ntype UpdateAccountCredentialsArgs = {\n  provider: string;\n  account: { id: string; secret: string };\n};\n\ntype CoreDeps = {\n  config: any;\n  getAuth: () => any;\n  callInvalidateSessions: <DataModel extends GenericDataModel>(\n    ctx: GenericActionCtx<DataModel>,\n    args: { userId: GenericId<\"User\">; except?: GenericId<\"Session\">[] },\n  ) => Promise<void>;\n  callCreateAccountFromCredentials: <DataModel extends GenericDataModel>(\n    ctx: GenericActionCtx<DataModel>,\n    args: CreateAccountArgs,\n  ) => Promise<any>;\n  callRetrieveAccountWithCredentials: <DataModel extends GenericDataModel>(\n    ctx: GenericActionCtx<DataModel>,\n    args: RetrieveAccountArgs,\n  ) => Promise<any>;\n  callModifyAccount: <DataModel extends GenericDataModel>(\n    ctx: GenericActionCtx<DataModel>,\n    args: UpdateAccountCredentialsArgs,\n  ) => Promise<void>;\n  getEnrichCtx: () => <DataModel extends GenericDataModel>(\n    ctx: GenericActionCtx<DataModel>,\n  ) => any;\n  inviteTokenAlphabet: string;\n  inviteTokenLength: number;\n};\n\n/**\n * Build the core auth domains that back the canonical app API surface.\n */\nexport function createCoreDomains(deps: CoreDeps) {\n  const {\n    config,\n    getAuth,\n    callInvalidateSessions,\n    callCreateAccountFromCredentials,\n    callRetrieveAccountWithCredentials,\n    callModifyAccount,\n    getEnrichCtx,\n    inviteTokenAlphabet,\n    inviteTokenLength,\n  } = deps;\n\n  const roleDefinitions = config.authorization.roles as Record<\n    string,\n    { label?: string; grants: string[] }\n  >;\n\n  const getRoleDefinition = (roleId: string) => {\n    const role = roleDefinitions[roleId];\n    if (!role) {\n      throw new AuthError(\n        \"INVALID_PARAMETERS\",\n        `Unknown roleId \"${roleId}\".`,\n      ).toConvexError();\n    }\n    return role;\n  };\n\n  const normalizeRoleIds = (roleIds?: string[]) => {\n    const normalized = Array.from(new Set(roleIds ?? []));\n    for (const roleId of normalized) {\n      getRoleDefinition(roleId);\n    }\n    return normalized;\n  };\n\n  const resolveGrantedPermissions = (roleIds?: string[]) => {\n    const grants = new Set<string>();\n    for (const roleId of roleIds ?? []) {\n      const role = getRoleDefinition(roleId);\n      for (const grant of role.grants) {\n        grants.add(grant);\n      }\n    }\n    return Array.from(grants).sort();\n  };\n\n  const user = {\n    current: async (\n      ctx: { auth: Auth } & Partial<ComponentCtx>,\n      request?: Request,\n    ): Promise<string | null> => {\n      const identity = await ctx.auth.getUserIdentity();\n      if (identity !== null) {\n        const [userId] = identity.subject.split(TOKEN_SUB_CLAIM_DIVIDER);\n        return userId;\n      }\n      if (request !== undefined && \"runMutation\" in ctx && ctx.runMutation) {\n        const authHeader = request.headers.get(\"Authorization\");\n        if (authHeader?.startsWith(\"Bearer sk_\")) {\n          const rawKey = authHeader.slice(7);\n          try {\n            const result = await getAuth().key.verify(\n              ctx as ComponentCtx,\n              rawKey,\n            );\n            return result.userId;\n          } catch {\n            return null;\n          }\n        }\n      }\n      return null;\n    },\n    require: async (\n      ctx: { auth: Auth } & Partial<ComponentCtx>,\n      request?: Request,\n    ): Promise<string> => {\n      const userId = await user.current(ctx, request);\n      if (userId === null) {\n        throw new AuthError(\"NOT_SIGNED_IN\").toConvexError();\n      }\n      return userId;\n    },\n    get: async (ctx: ComponentReadCtx, userId: string) => {\n      return await ctx.runQuery(config.component.public.userGetById, {\n        userId,\n      });\n    },\n    list: async (\n      ctx: ComponentReadCtx,\n      opts: {\n        where?: UserWhere;\n        limit?: number;\n        cursor?: string | null;\n        orderBy?: UserOrderBy;\n        order?: \"asc\" | \"desc\";\n      } = {},\n    ) => {\n      return await ctx.runQuery(config.component.public.userList, opts);\n    },\n    viewer: async (ctx: ComponentAuthReadCtx) => {\n      const userId = await user.current(ctx);\n      if (userId === null) return null;\n      return await ctx.runQuery(config.component.public.userGetById, {\n        userId,\n      });\n    },\n    update: async (\n      ctx: ComponentCtx,\n      userId: string,\n      data: Record<string, unknown>,\n    ) => {\n      await ctx.runMutation(config.component.public.userPatch, {\n        userId,\n        data,\n      });\n      return { ok: true as const, userId };\n    },\n    setActiveGroup: async (\n      ctx: ComponentCtx,\n      opts: { userId: string; groupId: string | null },\n    ) => {\n      const doc = await user.get(ctx, opts.userId);\n      const existingExtend =\n        doc !== null &&\n        doc.extend !== null &&\n        typeof doc.extend === \"object\" &&\n        !Array.isArray(doc.extend)\n          ? { ...(doc.extend as Record<string, unknown>) }\n          : {};\n      if (opts.groupId === null) {\n        const { lastActiveGroup: _omit, ...rest } = existingExtend;\n        await user.update(ctx, opts.userId, { extend: rest });\n        return { ok: true as const, userId: opts.userId, groupId: null };\n      }\n      await user.update(ctx, opts.userId, {\n        extend: { ...existingExtend, lastActiveGroup: opts.groupId },\n      });\n      return { ok: true as const, userId: opts.userId, groupId: opts.groupId };\n    },\n    getActiveGroup: async (\n      ctx: ComponentReadCtx,\n      opts: { userId: string },\n    ): Promise<string | null> => {\n      const doc = await user.get(ctx, opts.userId);\n      if (\n        doc !== null &&\n        doc.extend !== null &&\n        typeof doc.extend === \"object\" &&\n        !Array.isArray(doc.extend)\n      ) {\n        const val = (doc.extend as Record<string, unknown>).lastActiveGroup;\n        if (typeof val === \"string\") return val;\n      }\n      return null;\n    },\n    delete: async (\n      ctx: ComponentCtx,\n      userId: string,\n      opts?: { cascade?: boolean },\n    ) => {\n      const cascade = opts?.cascade !== false;\n      const [sessions, accounts, keys, members, passkeys, totps] =\n        await Promise.all([\n          ctx.runQuery(config.component.public.sessionListByUser, {\n            userId,\n          }) as Promise<Array<{ _id: string }>>,\n          ctx.runQuery(config.component.public.accountListByUser, {\n            userId,\n          }) as Promise<Array<{ _id: string }>>,\n          ctx.runQuery(config.component.public.keyListByUserId, {\n            userId,\n          }) as Promise<Array<{ _id: string }>>,\n          ctx.runQuery(config.component.public.memberListByUser, {\n            userId,\n          }) as Promise<Array<{ _id: string }>>,\n          ctx.runQuery(config.component.public.passkeyListByUserId, {\n            userId,\n          }) as Promise<Array<{ _id: string }>>,\n          ctx.runQuery(config.component.public.totpListByUserId, {\n            userId,\n          }) as Promise<Array<{ _id: string }>>,\n        ]);\n      const totalLinked =\n        sessions.length +\n        accounts.length +\n        keys.length +\n        members.length +\n        passkeys.length +\n        totps.length;\n      if (!cascade && totalLinked > 0) {\n        throw new AuthError(\n          \"INVALID_PARAMETERS\",\n          `Cannot delete user with ${totalLinked} linked records. Pass { cascade: true } to delete all linked records, or remove them manually first.`,\n        ).toConvexError();\n      }\n      const deletions: Promise<unknown>[] = [];\n      for (const s of sessions)\n        deletions.push(\n          ctx.runMutation(config.component.public.sessionDelete, {\n            sessionId: s._id,\n          }),\n        );\n      for (const a of accounts)\n        deletions.push(\n          ctx.runMutation(config.component.public.accountDelete, {\n            accountId: a._id,\n          }),\n        );\n      for (const k of keys)\n        deletions.push(\n          ctx.runMutation(config.component.public.keyDelete, { keyId: k._id }),\n        );\n      for (const m of members)\n        deletions.push(\n          ctx.runMutation(config.component.public.memberRemove, {\n            memberId: m._id,\n          }),\n        );\n      for (const p of passkeys)\n        deletions.push(\n          ctx.runMutation(config.component.public.passkeyDelete, {\n            passkeyId: p._id,\n          }),\n        );\n      for (const t of totps)\n        deletions.push(\n          ctx.runMutation(config.component.public.totpDelete, {\n            totpId: t._id,\n          }),\n        );\n      await Promise.all(deletions);\n      await ctx.runMutation(config.component.public.userDelete, { userId });\n      return { ok: true as const, userId };\n    },\n  };\n\n  const session = {\n    current: async (ctx: { auth: Auth }) => {\n      const identity = await ctx.auth.getUserIdentity();\n      if (identity === null) return null;\n      const [, sessionId] = identity.subject.split(TOKEN_SUB_CLAIM_DIVIDER);\n      return sessionId as GenericId<\"Session\">;\n    },\n    invalidate: async <DataModel extends GenericDataModel>(\n      ctx: GenericActionCtx<DataModel>,\n      args: { userId: GenericId<\"User\">; except?: GenericId<\"Session\">[] },\n    ) => {\n      await callInvalidateSessions(ctx, args);\n      return {\n        ok: true as const,\n        userId: args.userId,\n        except: args.except ?? [],\n      };\n    },\n    get: async (ctx: ComponentReadCtx, sessionId: string) => {\n      return await ctx.runQuery(config.component.public.sessionGetById, {\n        sessionId,\n      });\n    },\n    list: async (ctx: ComponentReadCtx, opts: { userId: string }) => {\n      return await ctx.runQuery(config.component.public.sessionListByUser, {\n        userId: opts.userId,\n      });\n    },\n  };\n\n  const account = {\n    create: async <DataModel extends GenericDataModel>(\n      ctx: GenericActionCtx<DataModel>,\n      args: CreateAccountArgs,\n    ) => {\n      const created = await callCreateAccountFromCredentials(ctx, args);\n      return { ok: true as const, ...created };\n    },\n    get: async <DataModel extends GenericDataModel>(\n      ctx: GenericActionCtx<DataModel>,\n      args: RetrieveAccountArgs,\n    ) => {\n      const result = await callRetrieveAccountWithCredentials(ctx, args);\n      if (typeof result === \"string\") {\n        throw new AuthError(\"ACCOUNT_NOT_FOUND\", result).toConvexError();\n      }\n      return result;\n    },\n    update: async <DataModel extends GenericDataModel>(\n      ctx: GenericActionCtx<DataModel>,\n      args: UpdateAccountCredentialsArgs,\n    ) => {\n      await callModifyAccount(ctx, args);\n      return { ok: true as const, accountId: args.account.id };\n    },\n    delete: async (ctx: ComponentCtx, accountId: string) => {\n      const doc = await ctx.runQuery(config.component.public.accountGetById, {\n        accountId,\n      });\n      if (doc === null) {\n        throw new AuthError(\n          \"ACCOUNT_NOT_FOUND\",\n          \"Account not found.\",\n        ).toConvexError();\n      }\n      const allAccounts = (await ctx.runQuery(\n        config.component.public.accountListByUser,\n        { userId: (doc as any).userId },\n      )) as Array<{ _id: string }>;\n      if (allAccounts.length <= 1) {\n        throw new AuthError(\n          \"INVALID_PARAMETERS\",\n          \"Cannot unlink the user's only account. This would lock them out.\",\n        ).toConvexError();\n      }\n      await ctx.runMutation(config.component.public.accountDelete, {\n        accountId,\n      });\n      return { ok: true as const, accountId };\n    },\n    listPasskeys: async (ctx: ComponentReadCtx, opts: { userId: string }) => {\n      return await ctx.runQuery(\n        config.component.public.passkeyListByUserId,\n        opts,\n      );\n    },\n    renamePasskey: async (\n      ctx: ComponentCtx,\n      passkeyId: string,\n      name: string,\n    ) => {\n      await ctx.runMutation(config.component.public.passkeyUpdateMeta, {\n        passkeyId,\n        data: { name },\n      });\n      return { ok: true as const, passkeyId };\n    },\n    deletePasskey: async (ctx: ComponentCtx, passkeyId: string) => {\n      await ctx.runMutation(config.component.public.passkeyDelete, {\n        passkeyId,\n      });\n      return { ok: true as const, passkeyId };\n    },\n    listTotps: async (ctx: ComponentReadCtx, opts: { userId: string }) => {\n      return await ctx.runQuery(config.component.public.totpListByUserId, opts);\n    },\n    deleteTotp: async (ctx: ComponentCtx, totpId: string) => {\n      await ctx.runMutation(config.component.public.totpDelete, { totpId });\n      return { ok: true as const, totpId };\n    },\n  };\n\n  const provider = {\n    signIn: async <DataModel extends GenericDataModel>(\n      ctx: GenericActionCtx<DataModel>,\n      providerConfig: AuthProviderConfig,\n      args: {\n        accountId?: GenericId<\"Account\">;\n        params?: Record<string, unknown>;\n      },\n    ) => {\n      const result = await signInImpl(\n        getEnrichCtx()(ctx),\n        materializeProvider(providerConfig),\n        args as {\n          accountId?: GenericId<\"Account\">;\n          params?: Record<string, any>;\n        },\n        { generateTokens: false, allowExtraProviders: true },\n      );\n      return result.kind === \"signedIn\"\n        ? result.signedIn !== null\n          ? {\n              userId: result.signedIn.userId,\n              sessionId: result.signedIn.sessionId,\n            }\n          : null\n        : null;\n    },\n  };\n\n  const group = {\n    create: async (\n      ctx: ComponentCtx,\n      data: {\n        name: string;\n        slug?: string;\n        type?: string;\n        parentGroupId?: string;\n        tags?: Array<{ key: string; value: string }>;\n        extend?: Record<string, unknown>;\n      },\n    ): Promise<{ ok: true; groupId: string }> => {\n      const groupId = (await ctx.runMutation(\n        config.component.public.groupCreate,\n        data,\n      )) as string;\n      return { ok: true, groupId };\n    },\n    get: async (ctx: ComponentReadCtx, groupId: string) => {\n      return await ctx.runQuery(config.component.public.groupGet, { groupId });\n    },\n    list: async (\n      ctx: ComponentReadCtx,\n      opts?: {\n        where?: {\n          slug?: string;\n          type?: string;\n          parentGroupId?: string;\n          name?: string;\n          isRoot?: boolean;\n          tagsAll?: Array<{ key: string; value: string }>;\n          tagsAny?: Array<{ key: string; value: string }>;\n        };\n        limit?: number;\n        cursor?: string | null;\n        orderBy?: \"_creationTime\" | \"name\" | \"slug\" | \"type\";\n        order?: \"asc\" | \"desc\";\n      },\n    ) => {\n      return await ctx.runQuery(config.component.public.groupList, {\n        where: opts?.where,\n        limit: opts?.limit,\n        cursor: opts?.cursor,\n        orderBy: opts?.orderBy,\n        order: opts?.order,\n      });\n    },\n    update: async (\n      ctx: ComponentCtx,\n      groupId: string,\n      data: Record<string, unknown>,\n    ) => {\n      await ctx.runMutation(config.component.public.groupUpdate, {\n        groupId,\n        data,\n      });\n      return { ok: true as const, groupId };\n    },\n    delete: async (ctx: ComponentCtx, groupId: string) => {\n      await ctx.runMutation(config.component.public.groupDelete, { groupId });\n      return { ok: true as const, groupId };\n    },\n    ancestors: async (\n      ctx: ComponentReadCtx,\n      opts: { groupId: string; maxDepth?: number; includeSelf?: boolean },\n    ) => {\n      const maxDepth = Math.max(0, Math.floor(opts.maxDepth ?? 32));\n      const visited = new Set<string>();\n      const ancestors: any[] = [];\n      let cycleDetected = false;\n      let maxDepthReached = false;\n      let currentGroupId: string | undefined = opts.groupId;\n      let depth = 0;\n      let isFirst = true;\n      while (currentGroupId !== undefined) {\n        if (depth > maxDepth) {\n          maxDepthReached = true;\n          break;\n        }\n        if (visited.has(currentGroupId)) {\n          cycleDetected = true;\n          break;\n        }\n        visited.add(currentGroupId);\n        const doc = await group.get(ctx, currentGroupId);\n        if (doc === null) break;\n        if (isFirst) {\n          isFirst = false;\n          if (opts.includeSelf) ancestors.push(doc);\n          currentGroupId = doc.parentGroupId;\n          depth += 1;\n          continue;\n        }\n        ancestors.push(doc);\n        currentGroupId = doc.parentGroupId;\n        depth += 1;\n      }\n      return { ancestors, cycleDetected, maxDepthReached };\n    },\n  };\n\n  const member = {\n    create: async (\n      ctx: ComponentCtx,\n      data: {\n        groupId: string;\n        userId: string;\n        roleIds?: string[];\n        status?: string;\n        extend?: Record<string, unknown>;\n      },\n    ): Promise<{ ok: true; memberId: string }> => {\n      const roleIds = normalizeRoleIds(data.roleIds);\n      const memberId = (await ctx.runMutation(\n        config.component.public.memberAdd,\n        { ...data, roleIds },\n      )) as string;\n      return { ok: true, memberId };\n    },\n    get: async (ctx: ComponentReadCtx, memberId: string) => {\n      return await ctx.runQuery(config.component.public.memberGet, {\n        memberId,\n      });\n    },\n    getByUserAndGroup: async (\n      ctx: ComponentReadCtx,\n      opts: { userId: string; groupId: string },\n    ) => {\n      return await ctx.runQuery(\n        config.component.public.memberGetByGroupAndUser,\n        opts,\n      );\n    },\n    list: async (\n      ctx: ComponentReadCtx,\n      opts?: {\n        where?: {\n          groupId?: string;\n          userId?: string;\n          roleId?: string;\n          status?: string;\n        };\n        limit?: number;\n        cursor?: string | null;\n        orderBy?: \"_creationTime\" | \"status\";\n        order?: \"asc\" | \"desc\";\n      },\n    ) => {\n      return await ctx.runQuery(config.component.public.memberList, {\n        where: opts?.where,\n        limit: opts?.limit,\n        cursor: opts?.cursor,\n        orderBy: opts?.orderBy,\n        order: opts?.order,\n      });\n    },\n    delete: async (ctx: ComponentCtx, memberId: string) => {\n      await ctx.runMutation(config.component.public.memberRemove, { memberId });\n      return { ok: true as const, memberId };\n    },\n    update: async (\n      ctx: ComponentCtx,\n      memberId: string,\n      data: Record<string, unknown>,\n    ) => {\n      const nextData = { ...data };\n      if (\"roleIds\" in nextData) {\n        nextData.roleIds = normalizeRoleIds(\n          Array.isArray(nextData.roleIds)\n            ? (nextData.roleIds as string[])\n            : undefined,\n        );\n      }\n      await ctx.runMutation(config.component.public.memberUpdate, {\n        memberId,\n        data: nextData,\n      });\n      return { ok: true as const, memberId };\n    },\n    inherit: async (\n      ctx: ComponentReadCtx,\n      opts: {\n        userId: string;\n        groupId: string;\n        roleIds?: string[];\n        grants?: string[];\n        maxDepth?: number;\n      },\n    ) => {\n      const requestedRoleIds = normalizeRoleIds(opts.roleIds);\n      const roleFilter =\n        requestedRoleIds.length > 0 ? new Set(requestedRoleIds) : null;\n      const requiredGrants = Array.from(new Set(opts.grants ?? []));\n      const maxDepth = Math.max(0, Math.floor(opts.maxDepth ?? 32));\n      const visited = new Set<string>();\n      const traversedGroupIds: string[] = [];\n      let currentGroupId: string | undefined = opts.groupId;\n      let depth = 0;\n      let cycleDetected = false;\n      let maxDepthReached = false;\n      while (currentGroupId !== undefined) {\n        if (depth > maxDepth) {\n          maxDepthReached = true;\n          break;\n        }\n        if (visited.has(currentGroupId)) {\n          cycleDetected = true;\n          break;\n        }\n        visited.add(currentGroupId);\n        traversedGroupIds.push(currentGroupId);\n        const membership = await member.getByUserAndGroup(ctx, {\n          userId: opts.userId,\n          groupId: currentGroupId,\n        });\n        const membershipRoleIds = membership?.roleIds ?? [];\n        const membershipGrants = resolveGrantedPermissions(membershipRoleIds);\n        if (\n          membership !== null &&\n          (roleFilter === null ||\n            membershipRoleIds.some((roleId: string) =>\n              roleFilter.has(roleId),\n            )) &&\n          requiredGrants.every((grant) => membershipGrants.includes(grant))\n        ) {\n          return {\n            requestedGroupId: opts.groupId,\n            matchedGroupId: currentGroupId,\n            membership,\n            roleIds: membershipRoleIds,\n            grants: membershipGrants,\n            missingGrants: [] as string[],\n            depth,\n            isDirect: depth === 0,\n            isInherited: depth > 0,\n            traversedGroupIds,\n            cycleDetected: false,\n            maxDepthReached: false,\n          };\n        }\n        const doc = await group.get(ctx, currentGroupId);\n        if (doc === null || doc.parentGroupId === undefined) break;\n        currentGroupId = doc.parentGroupId;\n        depth += 1;\n      }\n      return {\n        requestedGroupId: opts.groupId,\n        matchedGroupId: null,\n        membership: null,\n        roleIds: [] as string[],\n        grants: [] as string[],\n        missingGrants: requiredGrants,\n        depth: null,\n        isDirect: false,\n        isInherited: false,\n        traversedGroupIds,\n        cycleDetected,\n        maxDepthReached,\n      };\n    },\n    require: async (\n      ctx: ComponentReadCtx,\n      opts: {\n        userId: string;\n        groupId: string;\n        roleIds?: string[];\n        grants?: string[];\n        maxDepth?: number;\n      },\n    ) => {\n      const result = await member.inherit(ctx, opts);\n      if (result.membership === null) {\n        throw new AuthError(\n          \"FORBIDDEN\",\n          `User ${opts.userId} has no membership on group ${opts.groupId} or its ancestors.`,\n        ).toConvexError();\n      }\n      return {\n        membership: result.membership,\n        matchedGroupId: result.matchedGroupId,\n        roleIds: result.roleIds,\n        grants: result.grants,\n        isDirect: result.isDirect,\n        isInherited: result.isInherited,\n        depth: result.depth,\n      };\n    },\n  };\n\n  const access = {\n    check: async (\n      ctx: ComponentReadCtx,\n      opts: {\n        userId: string;\n        groupId: string;\n        grants: string[];\n        maxDepth?: number;\n      },\n    ) => {\n      const requiredGrants = Array.from(new Set(opts.grants));\n      const result = await member.inherit(ctx, {\n        userId: opts.userId,\n        groupId: opts.groupId,\n        grants: requiredGrants,\n        maxDepth: opts.maxDepth,\n      });\n      const missingGrants = requiredGrants.filter(\n        (grant) => !result.grants.includes(grant),\n      );\n      return {\n        ok: result.membership !== null && missingGrants.length === 0,\n        membership: result.membership,\n        matchedGroupId: result.matchedGroupId,\n        roleIds: result.roleIds,\n        grants: result.grants,\n        missingGrants,\n        isDirect: result.isDirect,\n        isInherited: result.isInherited,\n        depth: result.depth,\n      };\n    },\n    require: async (\n      ctx: ComponentReadCtx,\n      opts: {\n        userId: string;\n        groupId: string;\n        grants: string[];\n        maxDepth?: number;\n      },\n    ) => {\n      const result = await access.check(ctx, opts);\n      if (!result.ok) {\n        throw new AuthError(\n          \"FORBIDDEN\",\n          `User ${opts.userId} is missing required grants on group ${opts.groupId}: ${result.missingGrants.join(\", \")}.`,\n        ).toConvexError();\n      }\n      return result;\n    },\n  };\n\n  const invite = {\n    create: async (\n      ctx: ComponentCtx,\n      data: {\n        groupId?: string;\n        invitedByUserId?: string;\n        email?: string;\n        roleIds?: string[];\n        expiresTime?: number;\n        extend?: Record<string, unknown>;\n      },\n    ): Promise<{ ok: true; inviteId: string; token: string }> => {\n      const roleIds = normalizeRoleIds(data.roleIds);\n      const token = generateRandomString(\n        inviteTokenLength,\n        inviteTokenAlphabet,\n      );\n      const tokenHash = await sha256(token);\n      const inviteId = (await ctx.runMutation(\n        config.component.public.inviteCreate,\n        { ...data, roleIds, tokenHash, status: \"pending\" },\n      )) as string;\n      return { ok: true, inviteId, token };\n    },\n    get: async (ctx: ComponentReadCtx, inviteId: string) => {\n      return await ctx.runQuery(config.component.public.inviteGet, {\n        inviteId,\n      });\n    },\n    token: {\n      get: async (ctx: ComponentReadCtx, token: string) => {\n        const tokenHash = await sha256(token);\n        return await ctx.runQuery(\n          config.component.public.inviteGetByTokenHash,\n          { tokenHash },\n        );\n      },\n      accept: async (\n        ctx: ComponentCtx,\n        args: { token: string; acceptedByUserId: string },\n      ) => {\n        const tokenHash = await sha256(args.token);\n        const result = await ctx.runMutation(\n          config.component.public.inviteAcceptByToken,\n          { tokenHash, acceptedByUserId: args.acceptedByUserId },\n        );\n        return { ok: true as const, ...result };\n      },\n    },\n    list: async (\n      ctx: ComponentReadCtx,\n      opts?: {\n        where?: {\n          tokenHash?: string;\n          groupId?: string;\n          status?: \"pending\" | \"accepted\" | \"revoked\" | \"expired\";\n          email?: string;\n          invitedByUserId?: string;\n          roleId?: string;\n          acceptedByUserId?: string;\n        };\n        limit?: number;\n        cursor?: string | null;\n        orderBy?:\n          | \"_creationTime\"\n          | \"status\"\n          | \"email\"\n          | \"expiresTime\"\n          | \"acceptedTime\";\n        order?: \"asc\" | \"desc\";\n      },\n    ) => {\n      return await ctx.runQuery(config.component.public.inviteList, {\n        where: opts?.where,\n        limit: opts?.limit,\n        cursor: opts?.cursor,\n        orderBy: opts?.orderBy,\n        order: opts?.order,\n      });\n    },\n    accept: async (\n      ctx: ComponentCtx,\n      inviteId: string,\n      acceptedByUserId?: string,\n    ) => {\n      await ctx.runMutation(config.component.public.inviteAccept, {\n        inviteId,\n        ...(acceptedByUserId ? { acceptedByUserId } : {}),\n      });\n      return {\n        ok: true as const,\n        inviteId,\n        acceptedByUserId: acceptedByUserId ?? null,\n      };\n    },\n    revoke: async (ctx: ComponentCtx, inviteId: string) => {\n      await ctx.runMutation(config.component.public.inviteRevoke, { inviteId });\n      return { ok: true as const, inviteId };\n    },\n  };\n\n  const key = {\n    create: async (\n      ctx: ComponentCtx,\n      opts: {\n        userId: string;\n        name: string;\n        scopes: KeyScope[];\n        rateLimit?: { maxRequests: number; windowMs: number };\n        expiresAt?: number;\n        metadata?: Record<string, unknown>;\n      },\n    ): Promise<{ ok: true; keyId: string; secret: string }> => {\n      const { raw, hashedKey, displayPrefix } = await generateApiKey(\"sk_\");\n      const keyId = (await ctx.runMutation(config.component.public.keyInsert, {\n        userId: opts.userId,\n        prefix: displayPrefix,\n        hashedKey,\n        name: opts.name,\n        scopes: opts.scopes,\n        rateLimit: opts.rateLimit,\n        expiresAt: opts.expiresAt,\n        metadata: opts.metadata,\n      })) as string;\n      return { ok: true, keyId, secret: raw };\n    },\n    verify: async (\n      ctx: ComponentCtx,\n      rawKey: string,\n    ): Promise<{ userId: string; keyId: string; scopes: ScopeChecker }> => {\n      const hashedKey = await hashApiKey(rawKey);\n      const doc = (await ctx.runQuery(\n        config.component.public.keyGetByHashedKey,\n        { hashedKey },\n      )) as KeyDoc | null;\n      return Fx.run(\n        Fx.gen(function* () {\n          yield* Fx.guard(!doc, Fx.fail(new AuthError(\"INVALID_API_KEY\")));\n          const k = doc!;\n          yield* Fx.guard(k.revoked, Fx.fail(new AuthError(\"API_KEY_REVOKED\")));\n          yield* Fx.guard(\n            !!(k.expiresAt && k.expiresAt < Date.now()),\n            Fx.fail(new AuthError(\"API_KEY_EXPIRED\")),\n          );\n          const patchData: Record<string, unknown> = { lastUsedAt: Date.now() };\n          if (k.rateLimit) {\n            const { limited, newState } = checkKeyRateLimit(\n              k.rateLimit,\n              k.rateLimitState ?? undefined,\n            );\n            yield* Fx.guard(\n              limited,\n              Fx.fail(new AuthError(\"API_KEY_RATE_LIMITED\")),\n            );\n            patchData.rateLimitState = newState;\n          }\n          yield* Fx.promise(() =>\n            ctx.runMutation(config.component.public.keyPatch, {\n              keyId: k._id,\n              data: patchData,\n            }),\n          );\n          return {\n            userId: k.userId,\n            keyId: k._id,\n            scopes: buildScopeChecker(k.scopes),\n          };\n        }).pipe(Fx.recover((e) => Fx.fatal(e.toConvexError()))),\n      );\n    },\n    list: async (\n      ctx: ComponentReadCtx,\n      opts?: {\n        where?: {\n          userId?: string;\n          revoked?: boolean;\n          name?: string;\n          prefix?: string;\n        };\n        limit?: number;\n        cursor?: string | null;\n        orderBy?:\n          | \"_creationTime\"\n          | \"name\"\n          | \"lastUsedAt\"\n          | \"expiresAt\"\n          | \"revoked\";\n        order?: \"asc\" | \"desc\";\n      },\n    ) => {\n      return await ctx.runQuery(config.component.public.keyList, {\n        where: opts?.where,\n        limit: opts?.limit,\n        cursor: opts?.cursor,\n        orderBy: opts?.orderBy,\n        order: opts?.order,\n      });\n    },\n    get: async (\n      ctx: ComponentReadCtx,\n      keyId: string,\n    ): Promise<KeyDoc | null> => {\n      return (await ctx.runQuery(config.component.public.keyGetById, {\n        keyId,\n      })) as KeyDoc | null;\n    },\n    update: async (\n      ctx: ComponentCtx,\n      keyId: string,\n      data: {\n        name?: string;\n        scopes?: KeyScope[];\n        rateLimit?: { maxRequests: number; windowMs: number };\n      },\n    ) => {\n      await ctx.runMutation(config.component.public.keyPatch, { keyId, data });\n      return { ok: true as const, keyId };\n    },\n    revoke: async (ctx: ComponentCtx, keyId: string) => {\n      await ctx.runMutation(config.component.public.keyPatch, {\n        keyId,\n        data: { revoked: true },\n      });\n      return { ok: true as const, keyId };\n    },\n    delete: async (ctx: ComponentCtx, keyId: string) => {\n      await ctx.runMutation(config.component.public.keyDelete, { keyId });\n      return { ok: true as const, keyId };\n    },\n    rotate: async (\n      ctx: ComponentCtx,\n      keyId: string,\n      opts?: { name?: string; expiresAt?: number },\n    ): Promise<{ ok: true; keyId: string; secret: string }> => {\n      const existing = await ctx.runQuery(config.component.public.keyGetById, {\n        keyId,\n      });\n      if (!existing)\n        throw new AuthError(\n          \"INVALID_PARAMETERS\",\n          \"API key not found.\",\n        ).toConvexError();\n      if ((existing as any).revoked === true) {\n        throw new AuthError(\n          \"API_KEY_REVOKED\",\n          \"Cannot rotate a key that is already revoked.\",\n        ).toConvexError();\n      }\n      await ctx.runMutation(config.component.public.keyPatch, {\n        keyId,\n        data: { revoked: true },\n      });\n      return await key.create(ctx, {\n        userId: (existing as any).userId,\n        name: opts?.name ?? (existing as any).name,\n        scopes: (existing as any).scopes ?? [],\n        rateLimit: (existing as any).rateLimit,\n        expiresAt: opts?.expiresAt,\n        metadata: (existing as any).metadata,\n      });\n    },\n  };\n\n  return {\n    user,\n    session,\n    account,\n    provider,\n    group,\n    member,\n    access,\n    invite,\n    key,\n  };\n}\n"],"mappings":";;;;;;;;;;AA2EA,SAAgB,kBAAkB,MAAgB;CAChD,MAAM,EACJ,QACA,SACA,wBACA,kCACA,oCACA,mBACA,cACA,qBACA,sBACE;CAEJ,MAAM,kBAAkB,OAAO,cAAc;CAK7C,MAAM,qBAAqB,WAAmB;EAC5C,MAAM,OAAO,gBAAgB;AAC7B,MAAI,CAAC,KACH,OAAM,IAAI,UACR,sBACA,mBAAmB,OAAO,IAC3B,CAAC,eAAe;AAEnB,SAAO;;CAGT,MAAM,oBAAoB,YAAuB;EAC/C,MAAM,aAAa,MAAM,KAAK,IAAI,IAAI,WAAW,EAAE,CAAC,CAAC;AACrD,OAAK,MAAM,UAAU,WACnB,mBAAkB,OAAO;AAE3B,SAAO;;CAGT,MAAM,6BAA6B,YAAuB;EACxD,MAAM,yBAAS,IAAI,KAAa;AAChC,OAAK,MAAM,UAAU,WAAW,EAAE,EAAE;GAClC,MAAM,OAAO,kBAAkB,OAAO;AACtC,QAAK,MAAM,SAAS,KAAK,OACvB,QAAO,IAAI,MAAM;;AAGrB,SAAO,MAAM,KAAK,OAAO,CAAC,MAAM;;CAGlC,MAAM,OAAO;EACX,SAAS,OACP,KACA,YAC2B;GAC3B,MAAM,WAAW,MAAM,IAAI,KAAK,iBAAiB;AACjD,OAAI,aAAa,MAAM;IACrB,MAAM,CAAC,UAAU,SAAS,QAAQ,MAAM,wBAAwB;AAChE,WAAO;;AAET,OAAI,YAAY,UAAa,iBAAiB,OAAO,IAAI,aAAa;IACpE,MAAM,aAAa,QAAQ,QAAQ,IAAI,gBAAgB;AACvD,QAAI,YAAY,WAAW,aAAa,EAAE;KACxC,MAAM,SAAS,WAAW,MAAM,EAAE;AAClC,SAAI;AAKF,cAJe,MAAM,SAAS,CAAC,IAAI,OACjC,KACA,OACD,EACa;aACR;AACN,aAAO;;;;AAIb,UAAO;;EAET,SAAS,OACP,KACA,YACoB;GACpB,MAAM,SAAS,MAAM,KAAK,QAAQ,KAAK,QAAQ;AAC/C,OAAI,WAAW,KACb,OAAM,IAAI,UAAU,gBAAgB,CAAC,eAAe;AAEtD,UAAO;;EAET,KAAK,OAAO,KAAuB,WAAmB;AACpD,UAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,aAAa,EAC7D,QACD,CAAC;;EAEJ,MAAM,OACJ,KACA,OAMI,EAAE,KACH;AACH,UAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,UAAU,KAAK;;EAEnE,QAAQ,OAAO,QAA8B;GAC3C,MAAM,SAAS,MAAM,KAAK,QAAQ,IAAI;AACtC,OAAI,WAAW,KAAM,QAAO;AAC5B,UAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,aAAa,EAC7D,QACD,CAAC;;EAEJ,QAAQ,OACN,KACA,QACA,SACG;AACH,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,WAAW;IACvD;IACA;IACD,CAAC;AACF,UAAO;IAAE,IAAI;IAAe;IAAQ;;EAEtC,gBAAgB,OACd,KACA,SACG;GACH,MAAM,MAAM,MAAM,KAAK,IAAI,KAAK,KAAK,OAAO;GAC5C,MAAM,iBACJ,QAAQ,QACR,IAAI,WAAW,QACf,OAAO,IAAI,WAAW,YACtB,CAAC,MAAM,QAAQ,IAAI,OAAO,GACtB,EAAE,GAAI,IAAI,QAAoC,GAC9C,EAAE;AACR,OAAI,KAAK,YAAY,MAAM;IACzB,MAAM,EAAE,iBAAiB,OAAO,GAAG,SAAS;AAC5C,UAAM,KAAK,OAAO,KAAK,KAAK,QAAQ,EAAE,QAAQ,MAAM,CAAC;AACrD,WAAO;KAAE,IAAI;KAAe,QAAQ,KAAK;KAAQ,SAAS;KAAM;;AAElE,SAAM,KAAK,OAAO,KAAK,KAAK,QAAQ,EAClC,QAAQ;IAAE,GAAG;IAAgB,iBAAiB,KAAK;IAAS,EAC7D,CAAC;AACF,UAAO;IAAE,IAAI;IAAe,QAAQ,KAAK;IAAQ,SAAS,KAAK;IAAS;;EAE1E,gBAAgB,OACd,KACA,SAC2B;GAC3B,MAAM,MAAM,MAAM,KAAK,IAAI,KAAK,KAAK,OAAO;AAC5C,OACE,QAAQ,QACR,IAAI,WAAW,QACf,OAAO,IAAI,WAAW,YACtB,CAAC,MAAM,QAAQ,IAAI,OAAO,EAC1B;IACA,MAAM,MAAO,IAAI,OAAmC;AACpD,QAAI,OAAO,QAAQ,SAAU,QAAO;;AAEtC,UAAO;;EAET,QAAQ,OACN,KACA,QACA,SACG;GACH,MAAM,UAAU,MAAM,YAAY;GAClC,MAAM,CAAC,UAAU,UAAU,MAAM,SAAS,UAAU,SAClD,MAAM,QAAQ,IAAI;IAChB,IAAI,SAAS,OAAO,UAAU,OAAO,mBAAmB,EACtD,QACD,CAAC;IACF,IAAI,SAAS,OAAO,UAAU,OAAO,mBAAmB,EACtD,QACD,CAAC;IACF,IAAI,SAAS,OAAO,UAAU,OAAO,iBAAiB,EACpD,QACD,CAAC;IACF,IAAI,SAAS,OAAO,UAAU,OAAO,kBAAkB,EACrD,QACD,CAAC;IACF,IAAI,SAAS,OAAO,UAAU,OAAO,qBAAqB,EACxD,QACD,CAAC;IACF,IAAI,SAAS,OAAO,UAAU,OAAO,kBAAkB,EACrD,QACD,CAAC;IACH,CAAC;GACJ,MAAM,cACJ,SAAS,SACT,SAAS,SACT,KAAK,SACL,QAAQ,SACR,SAAS,SACT,MAAM;AACR,OAAI,CAAC,WAAW,cAAc,EAC5B,OAAM,IAAI,UACR,sBACA,2BAA2B,YAAY,sGACxC,CAAC,eAAe;GAEnB,MAAM,YAAgC,EAAE;AACxC,QAAK,MAAM,KAAK,SACd,WAAU,KACR,IAAI,YAAY,OAAO,UAAU,OAAO,eAAe,EACrD,WAAW,EAAE,KACd,CAAC,CACH;AACH,QAAK,MAAM,KAAK,SACd,WAAU,KACR,IAAI,YAAY,OAAO,UAAU,OAAO,eAAe,EACrD,WAAW,EAAE,KACd,CAAC,CACH;AACH,QAAK,MAAM,KAAK,KACd,WAAU,KACR,IAAI,YAAY,OAAO,UAAU,OAAO,WAAW,EAAE,OAAO,EAAE,KAAK,CAAC,CACrE;AACH,QAAK,MAAM,KAAK,QACd,WAAU,KACR,IAAI,YAAY,OAAO,UAAU,OAAO,cAAc,EACpD,UAAU,EAAE,KACb,CAAC,CACH;AACH,QAAK,MAAM,KAAK,SACd,WAAU,KACR,IAAI,YAAY,OAAO,UAAU,OAAO,eAAe,EACrD,WAAW,EAAE,KACd,CAAC,CACH;AACH,QAAK,MAAM,KAAK,MACd,WAAU,KACR,IAAI,YAAY,OAAO,UAAU,OAAO,YAAY,EAClD,QAAQ,EAAE,KACX,CAAC,CACH;AACH,SAAM,QAAQ,IAAI,UAAU;AAC5B,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,YAAY,EAAE,QAAQ,CAAC;AACrE,UAAO;IAAE,IAAI;IAAe;IAAQ;;EAEvC;CAED,MAAM,UAAU;EACd,SAAS,OAAO,QAAwB;GACtC,MAAM,WAAW,MAAM,IAAI,KAAK,iBAAiB;AACjD,OAAI,aAAa,KAAM,QAAO;GAC9B,MAAM,GAAG,aAAa,SAAS,QAAQ,MAAM,wBAAwB;AACrE,UAAO;;EAET,YAAY,OACV,KACA,SACG;AACH,SAAM,uBAAuB,KAAK,KAAK;AACvC,UAAO;IACL,IAAI;IACJ,QAAQ,KAAK;IACb,QAAQ,KAAK,UAAU,EAAE;IAC1B;;EAEH,KAAK,OAAO,KAAuB,cAAsB;AACvD,UAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,gBAAgB,EAChE,WACD,CAAC;;EAEJ,MAAM,OAAO,KAAuB,SAA6B;AAC/D,UAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,mBAAmB,EACnE,QAAQ,KAAK,QACd,CAAC;;EAEL;CAED,MAAM,UAAU;EACd,QAAQ,OACN,KACA,SACG;AAEH,UAAO;IAAE,IAAI;IAAe,GADZ,MAAM,iCAAiC,KAAK,KAAK;IACzB;;EAE1C,KAAK,OACH,KACA,SACG;GACH,MAAM,SAAS,MAAM,mCAAmC,KAAK,KAAK;AAClE,OAAI,OAAO,WAAW,SACpB,OAAM,IAAI,UAAU,qBAAqB,OAAO,CAAC,eAAe;AAElE,UAAO;;EAET,QAAQ,OACN,KACA,SACG;AACH,SAAM,kBAAkB,KAAK,KAAK;AAClC,UAAO;IAAE,IAAI;IAAe,WAAW,KAAK,QAAQ;IAAI;;EAE1D,QAAQ,OAAO,KAAmB,cAAsB;GACtD,MAAM,MAAM,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,gBAAgB,EACrE,WACD,CAAC;AACF,OAAI,QAAQ,KACV,OAAM,IAAI,UACR,qBACA,qBACD,CAAC,eAAe;AAMnB,QAJqB,MAAM,IAAI,SAC7B,OAAO,UAAU,OAAO,mBACxB,EAAE,QAAS,IAAY,QAAQ,CAChC,EACe,UAAU,EACxB,OAAM,IAAI,UACR,sBACA,mEACD,CAAC,eAAe;AAEnB,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,eAAe,EAC3D,WACD,CAAC;AACF,UAAO;IAAE,IAAI;IAAe;IAAW;;EAEzC,cAAc,OAAO,KAAuB,SAA6B;AACvE,UAAO,MAAM,IAAI,SACf,OAAO,UAAU,OAAO,qBACxB,KACD;;EAEH,eAAe,OACb,KACA,WACA,SACG;AACH,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,mBAAmB;IAC/D;IACA,MAAM,EAAE,MAAM;IACf,CAAC;AACF,UAAO;IAAE,IAAI;IAAe;IAAW;;EAEzC,eAAe,OAAO,KAAmB,cAAsB;AAC7D,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,eAAe,EAC3D,WACD,CAAC;AACF,UAAO;IAAE,IAAI;IAAe;IAAW;;EAEzC,WAAW,OAAO,KAAuB,SAA6B;AACpE,UAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,kBAAkB,KAAK;;EAE3E,YAAY,OAAO,KAAmB,WAAmB;AACvD,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,YAAY,EAAE,QAAQ,CAAC;AACrE,UAAO;IAAE,IAAI;IAAe;IAAQ;;EAEvC;CAED,MAAM,WAAW,EACf,QAAQ,OACN,KACA,gBACA,SAIG;EACH,MAAM,SAAS,MAAM,WACnB,cAAc,CAAC,IAAI,EACnB,oBAAoB,eAAe,EACnC,MAIA;GAAE,gBAAgB;GAAO,qBAAqB;GAAM,CACrD;AACD,SAAO,OAAO,SAAS,aACnB,OAAO,aAAa,OAClB;GACE,QAAQ,OAAO,SAAS;GACxB,WAAW,OAAO,SAAS;GAC5B,GACD,OACF;IAEP;CAED,MAAM,QAAQ;EACZ,QAAQ,OACN,KACA,SAQ2C;AAK3C,UAAO;IAAE,IAAI;IAAM,SAJF,MAAM,IAAI,YACzB,OAAO,UAAU,OAAO,aACxB,KACD;IAC2B;;EAE9B,KAAK,OAAO,KAAuB,YAAoB;AACrD,UAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,UAAU,EAAE,SAAS,CAAC;;EAE1E,MAAM,OACJ,KACA,SAeG;AACH,UAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,WAAW;IAC3D,OAAO,MAAM;IACb,OAAO,MAAM;IACb,QAAQ,MAAM;IACd,SAAS,MAAM;IACf,OAAO,MAAM;IACd,CAAC;;EAEJ,QAAQ,OACN,KACA,SACA,SACG;AACH,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,aAAa;IACzD;IACA;IACD,CAAC;AACF,UAAO;IAAE,IAAI;IAAe;IAAS;;EAEvC,QAAQ,OAAO,KAAmB,YAAoB;AACpD,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,aAAa,EAAE,SAAS,CAAC;AACvE,UAAO;IAAE,IAAI;IAAe;IAAS;;EAEvC,WAAW,OACT,KACA,SACG;GACH,MAAM,WAAW,KAAK,IAAI,GAAG,KAAK,MAAM,KAAK,YAAY,GAAG,CAAC;GAC7D,MAAM,0BAAU,IAAI,KAAa;GACjC,MAAM,YAAmB,EAAE;GAC3B,IAAI,gBAAgB;GACpB,IAAI,kBAAkB;GACtB,IAAI,iBAAqC,KAAK;GAC9C,IAAI,QAAQ;GACZ,IAAI,UAAU;AACd,UAAO,mBAAmB,QAAW;AACnC,QAAI,QAAQ,UAAU;AACpB,uBAAkB;AAClB;;AAEF,QAAI,QAAQ,IAAI,eAAe,EAAE;AAC/B,qBAAgB;AAChB;;AAEF,YAAQ,IAAI,eAAe;IAC3B,MAAM,MAAM,MAAM,MAAM,IAAI,KAAK,eAAe;AAChD,QAAI,QAAQ,KAAM;AAClB,QAAI,SAAS;AACX,eAAU;AACV,SAAI,KAAK,YAAa,WAAU,KAAK,IAAI;AACzC,sBAAiB,IAAI;AACrB,cAAS;AACT;;AAEF,cAAU,KAAK,IAAI;AACnB,qBAAiB,IAAI;AACrB,aAAS;;AAEX,UAAO;IAAE;IAAW;IAAe;IAAiB;;EAEvD;CAED,MAAM,SAAS;EACb,QAAQ,OACN,KACA,SAO4C;GAC5C,MAAM,UAAU,iBAAiB,KAAK,QAAQ;AAK9C,UAAO;IAAE,IAAI;IAAM,UAJD,MAAM,IAAI,YAC1B,OAAO,UAAU,OAAO,WACxB;KAAE,GAAG;KAAM;KAAS,CACrB;IAC4B;;EAE/B,KAAK,OAAO,KAAuB,aAAqB;AACtD,UAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,WAAW,EAC3D,UACD,CAAC;;EAEJ,mBAAmB,OACjB,KACA,SACG;AACH,UAAO,MAAM,IAAI,SACf,OAAO,UAAU,OAAO,yBACxB,KACD;;EAEH,MAAM,OACJ,KACA,SAYG;AACH,UAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,YAAY;IAC5D,OAAO,MAAM;IACb,OAAO,MAAM;IACb,QAAQ,MAAM;IACd,SAAS,MAAM;IACf,OAAO,MAAM;IACd,CAAC;;EAEJ,QAAQ,OAAO,KAAmB,aAAqB;AACrD,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,cAAc,EAAE,UAAU,CAAC;AACzE,UAAO;IAAE,IAAI;IAAe;IAAU;;EAExC,QAAQ,OACN,KACA,UACA,SACG;GACH,MAAM,WAAW,EAAE,GAAG,MAAM;AAC5B,OAAI,aAAa,SACf,UAAS,UAAU,iBACjB,MAAM,QAAQ,SAAS,QAAQ,GAC1B,SAAS,UACV,OACL;AAEH,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,cAAc;IAC1D;IACA,MAAM;IACP,CAAC;AACF,UAAO;IAAE,IAAI;IAAe;IAAU;;EAExC,SAAS,OACP,KACA,SAOG;GACH,MAAM,mBAAmB,iBAAiB,KAAK,QAAQ;GACvD,MAAM,aACJ,iBAAiB,SAAS,IAAI,IAAI,IAAI,iBAAiB,GAAG;GAC5D,MAAM,iBAAiB,MAAM,KAAK,IAAI,IAAI,KAAK,UAAU,EAAE,CAAC,CAAC;GAC7D,MAAM,WAAW,KAAK,IAAI,GAAG,KAAK,MAAM,KAAK,YAAY,GAAG,CAAC;GAC7D,MAAM,0BAAU,IAAI,KAAa;GACjC,MAAM,oBAA8B,EAAE;GACtC,IAAI,iBAAqC,KAAK;GAC9C,IAAI,QAAQ;GACZ,IAAI,gBAAgB;GACpB,IAAI,kBAAkB;AACtB,UAAO,mBAAmB,QAAW;AACnC,QAAI,QAAQ,UAAU;AACpB,uBAAkB;AAClB;;AAEF,QAAI,QAAQ,IAAI,eAAe,EAAE;AAC/B,qBAAgB;AAChB;;AAEF,YAAQ,IAAI,eAAe;AAC3B,sBAAkB,KAAK,eAAe;IACtC,MAAM,aAAa,MAAM,OAAO,kBAAkB,KAAK;KACrD,QAAQ,KAAK;KACb,SAAS;KACV,CAAC;IACF,MAAM,oBAAoB,YAAY,WAAW,EAAE;IACnD,MAAM,mBAAmB,0BAA0B,kBAAkB;AACrE,QACE,eAAe,SACd,eAAe,QACd,kBAAkB,MAAM,WACtB,WAAW,IAAI,OAAO,CACvB,KACH,eAAe,OAAO,UAAU,iBAAiB,SAAS,MAAM,CAAC,CAEjE,QAAO;KACL,kBAAkB,KAAK;KACvB,gBAAgB;KAChB;KACA,SAAS;KACT,QAAQ;KACR,eAAe,EAAE;KACjB;KACA,UAAU,UAAU;KACpB,aAAa,QAAQ;KACrB;KACA,eAAe;KACf,iBAAiB;KAClB;IAEH,MAAM,MAAM,MAAM,MAAM,IAAI,KAAK,eAAe;AAChD,QAAI,QAAQ,QAAQ,IAAI,kBAAkB,OAAW;AACrD,qBAAiB,IAAI;AACrB,aAAS;;AAEX,UAAO;IACL,kBAAkB,KAAK;IACvB,gBAAgB;IAChB,YAAY;IACZ,SAAS,EAAE;IACX,QAAQ,EAAE;IACV,eAAe;IACf,OAAO;IACP,UAAU;IACV,aAAa;IACb;IACA;IACA;IACD;;EAEH,SAAS,OACP,KACA,SAOG;GACH,MAAM,SAAS,MAAM,OAAO,QAAQ,KAAK,KAAK;AAC9C,OAAI,OAAO,eAAe,KACxB,OAAM,IAAI,UACR,aACA,QAAQ,KAAK,OAAO,8BAA8B,KAAK,QAAQ,oBAChE,CAAC,eAAe;AAEnB,UAAO;IACL,YAAY,OAAO;IACnB,gBAAgB,OAAO;IACvB,SAAS,OAAO;IAChB,QAAQ,OAAO;IACf,UAAU,OAAO;IACjB,aAAa,OAAO;IACpB,OAAO,OAAO;IACf;;EAEJ;CAED,MAAM,SAAS;EACb,OAAO,OACL,KACA,SAMG;GACH,MAAM,iBAAiB,MAAM,KAAK,IAAI,IAAI,KAAK,OAAO,CAAC;GACvD,MAAM,SAAS,MAAM,OAAO,QAAQ,KAAK;IACvC,QAAQ,KAAK;IACb,SAAS,KAAK;IACd,QAAQ;IACR,UAAU,KAAK;IAChB,CAAC;GACF,MAAM,gBAAgB,eAAe,QAClC,UAAU,CAAC,OAAO,OAAO,SAAS,MAAM,CAC1C;AACD,UAAO;IACL,IAAI,OAAO,eAAe,QAAQ,cAAc,WAAW;IAC3D,YAAY,OAAO;IACnB,gBAAgB,OAAO;IACvB,SAAS,OAAO;IAChB,QAAQ,OAAO;IACf;IACA,UAAU,OAAO;IACjB,aAAa,OAAO;IACpB,OAAO,OAAO;IACf;;EAEH,SAAS,OACP,KACA,SAMG;GACH,MAAM,SAAS,MAAM,OAAO,MAAM,KAAK,KAAK;AAC5C,OAAI,CAAC,OAAO,GACV,OAAM,IAAI,UACR,aACA,QAAQ,KAAK,OAAO,uCAAuC,KAAK,QAAQ,IAAI,OAAO,cAAc,KAAK,KAAK,CAAC,GAC7G,CAAC,eAAe;AAEnB,UAAO;;EAEV;CAED,MAAM,SAAS;EACb,QAAQ,OACN,KACA,SAQ2D;GAC3D,MAAM,UAAU,iBAAiB,KAAK,QAAQ;GAC9C,MAAM,QAAQ,qBACZ,mBACA,oBACD;GACD,MAAM,YAAY,MAAM,OAAO,MAAM;AAKrC,UAAO;IAAE,IAAI;IAAM,UAJD,MAAM,IAAI,YAC1B,OAAO,UAAU,OAAO,cACxB;KAAE,GAAG;KAAM;KAAS;KAAW,QAAQ;KAAW,CACnD;IAC4B;IAAO;;EAEtC,KAAK,OAAO,KAAuB,aAAqB;AACtD,UAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,WAAW,EAC3D,UACD,CAAC;;EAEJ,OAAO;GACL,KAAK,OAAO,KAAuB,UAAkB;IACnD,MAAM,YAAY,MAAM,OAAO,MAAM;AACrC,WAAO,MAAM,IAAI,SACf,OAAO,UAAU,OAAO,sBACxB,EAAE,WAAW,CACd;;GAEH,QAAQ,OACN,KACA,SACG;IACH,MAAM,YAAY,MAAM,OAAO,KAAK,MAAM;AAK1C,WAAO;KAAE,IAAI;KAAe,GAJb,MAAM,IAAI,YACvB,OAAO,UAAU,OAAO,qBACxB;MAAE;MAAW,kBAAkB,KAAK;MAAkB,CACvD;KACsC;;GAE1C;EACD,MAAM,OACJ,KACA,SAoBG;AACH,UAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,YAAY;IAC5D,OAAO,MAAM;IACb,OAAO,MAAM;IACb,QAAQ,MAAM;IACd,SAAS,MAAM;IACf,OAAO,MAAM;IACd,CAAC;;EAEJ,QAAQ,OACN,KACA,UACA,qBACG;AACH,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,cAAc;IAC1D;IACA,GAAI,mBAAmB,EAAE,kBAAkB,GAAG,EAAE;IACjD,CAAC;AACF,UAAO;IACL,IAAI;IACJ;IACA,kBAAkB,oBAAoB;IACvC;;EAEH,QAAQ,OAAO,KAAmB,aAAqB;AACrD,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,cAAc,EAAE,UAAU,CAAC;AACzE,UAAO;IAAE,IAAI;IAAe;IAAU;;EAEzC;CAED,MAAM,MAAM;EACV,QAAQ,OACN,KACA,SAQyD;GACzD,MAAM,EAAE,KAAK,WAAW,kBAAkB,MAAM,eAAe,MAAM;AAWrE,UAAO;IAAE,IAAI;IAAM,OAVJ,MAAM,IAAI,YAAY,OAAO,UAAU,OAAO,WAAW;KACtE,QAAQ,KAAK;KACb,QAAQ;KACR;KACA,MAAM,KAAK;KACX,QAAQ,KAAK;KACb,WAAW,KAAK;KAChB,WAAW,KAAK;KAChB,UAAU,KAAK;KAChB,CAAC;IACwB,QAAQ;IAAK;;EAEzC,QAAQ,OACN,KACA,WACqE;GACrE,MAAM,YAAY,MAAM,WAAW,OAAO;GAC1C,MAAM,MAAO,MAAM,IAAI,SACrB,OAAO,UAAU,OAAO,mBACxB,EAAE,WAAW,CACd;AACD,UAAO,GAAG,IACR,GAAG,IAAI,aAAa;AAClB,WAAO,GAAG,MAAM,CAAC,KAAK,GAAG,KAAK,IAAI,UAAU,kBAAkB,CAAC,CAAC;IAChE,MAAM,IAAI;AACV,WAAO,GAAG,MAAM,EAAE,SAAS,GAAG,KAAK,IAAI,UAAU,kBAAkB,CAAC,CAAC;AACrE,WAAO,GAAG,MACR,CAAC,EAAE,EAAE,aAAa,EAAE,YAAY,KAAK,KAAK,GAC1C,GAAG,KAAK,IAAI,UAAU,kBAAkB,CAAC,CAC1C;IACD,MAAM,YAAqC,EAAE,YAAY,KAAK,KAAK,EAAE;AACrE,QAAI,EAAE,WAAW;KACf,MAAM,EAAE,SAAS,aAAa,kBAC5B,EAAE,WACF,EAAE,kBAAkB,OACrB;AACD,YAAO,GAAG,MACR,SACA,GAAG,KAAK,IAAI,UAAU,uBAAuB,CAAC,CAC/C;AACD,eAAU,iBAAiB;;AAE7B,WAAO,GAAG,cACR,IAAI,YAAY,OAAO,UAAU,OAAO,UAAU;KAChD,OAAO,EAAE;KACT,MAAM;KACP,CAAC,CACH;AACD,WAAO;KACL,QAAQ,EAAE;KACV,OAAO,EAAE;KACT,QAAQ,kBAAkB,EAAE,OAAO;KACpC;KACD,CAAC,KAAK,GAAG,SAAS,MAAM,GAAG,MAAM,EAAE,eAAe,CAAC,CAAC,CAAC,CACxD;;EAEH,MAAM,OACJ,KACA,SAiBG;AACH,UAAO,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,SAAS;IACzD,OAAO,MAAM;IACb,OAAO,MAAM;IACb,QAAQ,MAAM;IACd,SAAS,MAAM;IACf,OAAO,MAAM;IACd,CAAC;;EAEJ,KAAK,OACH,KACA,UAC2B;AAC3B,UAAQ,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,YAAY,EAC7D,OACD,CAAC;;EAEJ,QAAQ,OACN,KACA,OACA,SAKG;AACH,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,UAAU;IAAE;IAAO;IAAM,CAAC;AACxE,UAAO;IAAE,IAAI;IAAe;IAAO;;EAErC,QAAQ,OAAO,KAAmB,UAAkB;AAClD,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,UAAU;IACtD;IACA,MAAM,EAAE,SAAS,MAAM;IACxB,CAAC;AACF,UAAO;IAAE,IAAI;IAAe;IAAO;;EAErC,QAAQ,OAAO,KAAmB,UAAkB;AAClD,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,WAAW,EAAE,OAAO,CAAC;AACnE,UAAO;IAAE,IAAI;IAAe;IAAO;;EAErC,QAAQ,OACN,KACA,OACA,SACyD;GACzD,MAAM,WAAW,MAAM,IAAI,SAAS,OAAO,UAAU,OAAO,YAAY,EACtE,OACD,CAAC;AACF,OAAI,CAAC,SACH,OAAM,IAAI,UACR,sBACA,qBACD,CAAC,eAAe;AACnB,OAAK,SAAiB,YAAY,KAChC,OAAM,IAAI,UACR,mBACA,+CACD,CAAC,eAAe;AAEnB,SAAM,IAAI,YAAY,OAAO,UAAU,OAAO,UAAU;IACtD;IACA,MAAM,EAAE,SAAS,MAAM;IACxB,CAAC;AACF,UAAO,MAAM,IAAI,OAAO,KAAK;IAC3B,QAAS,SAAiB;IAC1B,MAAM,MAAM,QAAS,SAAiB;IACtC,QAAS,SAAiB,UAAU,EAAE;IACtC,WAAY,SAAiB;IAC7B,WAAW,MAAM;IACjB,UAAW,SAAiB;IAC7B,CAAC;;EAEL;AAED,QAAO;EACL;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACA;EACD"}

package/dist/server/domains/sso.d.ts

@@ -0,0 +1,409 @@
+import { EnterprisePolicyPatch } from "../types.js";
+import { GenericActionCtx, GenericDataModel } from "convex/server";
+
+//#region src/server/domains/sso.d.ts
+type ComponentCtx = Pick<GenericActionCtx<GenericDataModel>, "runQuery" | "runMutation">;
+type ComponentReadCtx = Pick<GenericActionCtx<GenericDataModel>, "runQuery">;
+/**
+ * Build the enterprise and SSO management domain.
+ */
+declare function createSsoDomain(deps: any): {
+  connection: {
+    create: (ctx: ComponentCtx, data: {
+      groupId: string;
+      slug?: string;
+      name?: string;
+      status?: "draft" | "active" | "disabled";
+      policy?: EnterprisePolicyPatch;
+      config?: Record<string, unknown>;
+      extend?: Record<string, unknown>;
+    }) => Promise<{
+      ok: true;
+      enterpriseId: string;
+      groupId: string;
+    }>;
+    get: (ctx: ComponentReadCtx, enterpriseId: string) => Promise<any>;
+    getByGroup: (ctx: ComponentReadCtx, groupId: string) => Promise<any>;
+    getByDomain: (ctx: ComponentReadCtx, domain: string) => Promise<any>;
+    list: (ctx: ComponentReadCtx, opts?: {
+      where?: {
+        groupId?: string;
+        slug?: string;
+        status?: "draft" | "active" | "disabled";
+      };
+      limit?: number;
+      cursor?: string | null;
+      orderBy?: "_creationTime" | "name" | "slug" | "status";
+      order?: "asc" | "desc";
+    }) => Promise<any>;
+    update: (ctx: ComponentCtx, enterpriseId: string, data: Record<string, unknown>) => Promise<{
+      ok: true;
+      enterpriseId: string;
+    }>;
+    delete: (ctx: ComponentCtx, enterpriseId: string) => Promise<{
+      ok: true;
+      enterpriseId: string;
+    }>;
+    /**
+     * Aggregate readiness status across all configured protocols for an
+     * enterprise connection.
+     *
+     * Returns a structured result indicating whether the connection is
+     * ready, with per-protocol checks so callers can surface actionable
+     * diagnostics without running full network validation.
+     */
+    status: (ctx: ComponentReadCtx, enterpriseId: string) => Promise<{
+      enterpriseId: any;
+      status: any;
+      ready: boolean;
+      domainCount: number;
+      protocols: {
+        oidc: {
+          configured: boolean;
+          ready: boolean;
+          clientId: any;
+          issuer: any;
+        };
+        saml: {
+          configured: boolean;
+          ready: boolean;
+          entityId: any;
+        };
+        scim: {
+          configured: boolean;
+          ready: boolean;
+          basePath: any;
+          deprovisionMode: any;
+        };
+      };
+    }>;
+  };
+  domain: {
+    add: (ctx: ComponentCtx, data: {
+      enterpriseId: string;
+      groupId: string;
+      domain: string;
+      isPrimary?: boolean;
+    }) => Promise<string>;
+    list: (ctx: ComponentReadCtx, enterpriseId: string) => Promise<any>;
+    validate: (ctx: ComponentReadCtx, enterpriseId: string) => Promise<{
+      enterpriseId: string;
+      ready: boolean;
+      summary: {
+        domainCount: any;
+        primaryCount: any;
+        verifiedCount: any;
+      };
+      domains: any;
+      warnings: string[];
+    }>;
+    remove: (ctx: ComponentCtx, domainId: string) => Promise<void>;
+    verification: {
+      request: (ctx: ComponentCtx, args: {
+        enterpriseId: string;
+        domain: string;
+      }) => Promise<{
+        ok: true;
+        enterpriseId: any;
+        domain: any;
+        requestedAt: number;
+        expiresAt: number;
+        challenge: {
+          recordType: "TXT";
+          recordName: string;
+          recordValue: any;
+        };
+      }>;
+      confirm: (ctx: ComponentCtx, args: {
+        enterpriseId: string;
+        domain: string;
+      }) => Promise<{
+        ok: boolean;
+        enterpriseId: any;
+        domain: any;
+        verifiedAt: any;
+        checks: {
+          name: string;
+          ok: boolean;
+          message: string;
+        }[];
+      } | {
+        ok: boolean;
+        enterpriseId: any;
+        domain: any;
+        checks: {
+          name: string;
+          ok: boolean;
+          message?: string;
+        }[];
+        verifiedAt?: undefined;
+      } | {
+        ok: boolean;
+        enterpriseId: any;
+        domain: any;
+        verifiedAt: number;
+        checks: {
+          name: string;
+          ok: boolean;
+          message?: string;
+        }[];
+      }>;
+    };
+  };
+  saml: {
+    configure: <DataModel extends GenericDataModel>(ctx: GenericActionCtx<DataModel>, data: {
+      enterpriseId: string;
+      metadataXml?: string;
+      metadataUrl?: string;
+      domains?: string[];
+      signAuthnRequests?: boolean;
+      attributeMapping?: {
+        subject?: string;
+        email?: string;
+        name?: string;
+        firstName?: string;
+        lastName?: string;
+      };
+      sp?: {
+        entityId?: string;
+        acsUrl?: string;
+        sloUrl?: string;
+        signingCert?: string | string[];
+        encryptCert?: string | string[];
+        privateKey?: string;
+        privateKeyPass?: string;
+        encPrivateKey?: string;
+        encPrivateKeyPass?: string;
+      };
+    }) => Promise<{
+      ok: true;
+      enterpriseId: any;
+      groupId: any;
+    }>;
+    metadata: <DataModel extends GenericDataModel>(ctx: GenericActionCtx<DataModel>, opts: {
+      enterpriseId: string;
+      entityId?: string;
+      acsUrl?: string;
+      sloUrl?: string;
+    }) => Promise<any>;
+    /**
+     * Validate the stored SAML config for an enterprise connection.
+     *
+     * Re-parses IdP metadata, checks signing cert presence, and verifies
+     * SP metadata can be generated. Returns a structured result with
+     * per-check details rather than throwing on first failure.
+     */
+    validate: <DataModel extends GenericDataModel>(ctx: GenericActionCtx<DataModel>, enterpriseId: string) => Promise<{
+      ok: boolean;
+      enterpriseId: any;
+      checks: {
+        name: string;
+        ok: boolean;
+        message?: string;
+      }[];
+    }>;
+  };
+  policy: {
+    get: (ctx: ComponentReadCtx, enterpriseId: string) => Promise<any>;
+    update: (ctx: ComponentCtx, enterpriseId: string, patch: EnterprisePolicyPatch) => Promise<any>;
+    validate: (ctx: ComponentReadCtx, enterpriseId: string) => Promise<{
+      ok: boolean;
+      enterpriseId: string;
+      checks: {
+        name: string;
+        ok: boolean;
+        message: any;
+      }[];
+      policy?: undefined;
+    } | {
+      ok: any;
+      enterpriseId: string;
+      policy: any;
+      checks: any;
+    }>;
+  };
+  oidc: {
+    /**
+     * Register or update enterprise OIDC connection settings.
+     *
+     * Persists protocol config under `enterprise.config.protocols.oidc` and
+     * records an `enterprise.oidc.registered` audit event.
+     */
+    configure: (ctx: ComponentCtx, data: {
+      enterpriseId: string;
+      issuer?: string;
+      discoveryUrl?: string;
+      clientId: string;
+      clientSecret?: string;
+      scopes?: string[];
+      authorizationParams?: Record<string, string>;
+      clockToleranceSeconds?: number;
+      strictIssuer?: boolean;
+      /**
+       * Map OIDC claim names to `user.extend` field names.
+       * Example: `{ department: "department", role: "job_title" }` means
+       * the OIDC `department` claim is stored as `user.extend.department`.
+       */
+      extraFields?: Record<string, string>;
+    }) => Promise<any>;
+    /**
+     * Fetch the stored OIDC config for an enterprise.
+     */
+    get: (ctx: ComponentReadCtx, enterpriseId: string) => Promise<any>;
+    /**
+     * Resolve enterprise OIDC sign-in route from enterprise id, domain, or
+     * user email domain.
+     */
+    signIn: (ctx: ComponentReadCtx, data: {
+      enterpriseId?: string;
+      email?: string;
+      domain?: string;
+      redirectTo?: string;
+    }) => Promise<{
+      enterpriseId: any;
+      providerId: any;
+      signInPath: any;
+      callbackPath: any;
+      redirectTo: string | undefined;
+    }>;
+    /**
+     * Validate the stored OIDC config for an enterprise connection.
+     *
+     * Fetches the OIDC discovery document from the configured issuer or
+     * discoveryUrl, verifies required fields are present, and checks that
+     * clientId is set. Returns a structured result with per-check details.
+     */
+    validate: (ctx: ComponentReadCtx, enterpriseId: string) => Promise<{
+      ok: boolean;
+      enterpriseId: any;
+      checks: {
+        name: string;
+        ok: boolean;
+        message?: string;
+      }[];
+    }>;
+  };
+  scim: {
+    configure: (ctx: ComponentCtx, data: {
+      enterpriseId: string;
+      basePath?: string;
+      status?: "draft" | "active" | "disabled";
+    }) => Promise<{
+      ok: true;
+      enterpriseId: any;
+      configId: string;
+      basePath: string;
+      token: any;
+    }>;
+    get: (ctx: ComponentReadCtx, enterpriseId: string) => Promise<any>;
+    getConfigByToken: (ctx: ComponentReadCtx, token: string) => Promise<any>;
+    /**
+     * Validate the stored SCIM config for an enterprise connection.
+     *
+     * Checks that a SCIM config record exists, is active, has a token
+     * hash set, and has a non-empty basePath. Returns a structured result
+     * with per-check details.
+     */
+    validate: (ctx: ComponentReadCtx, enterpriseId: string) => Promise<{
+      ok: boolean;
+      enterpriseId: string;
+      checks: {
+        name: string;
+        ok: boolean;
+        message: string;
+      }[];
+      basePath?: undefined;
+      deprovisionMode?: undefined;
+    } | {
+      ok: boolean;
+      enterpriseId: any;
+      basePath: any;
+      deprovisionMode: any;
+      checks: {
+        name: string;
+        ok: boolean;
+        message?: string;
+      }[];
+    }>;
+    identity: {
+      get: (ctx: ComponentReadCtx, data: {
+        enterpriseId: string;
+        resourceType: "user" | "group";
+        externalId: string;
+      }) => Promise<any>;
+      upsert: (ctx: ComponentCtx, data: {
+        enterpriseId: string;
+        groupId: string;
+        resourceType: "user" | "group";
+        externalId: string;
+        userId?: string;
+        mappedGroupId?: string;
+        active?: boolean;
+        raw?: Record<string, unknown>;
+      }) => Promise<string>;
+    };
+  };
+  audit: {
+    record: (ctx: ComponentCtx, data: {
+      enterpriseId: string;
+      groupId: string;
+      eventType: string;
+      actorType: "user" | "system" | "scim" | "api_key" | "webhook";
+      actorId?: string;
+      subjectType: string;
+      subjectId?: string;
+      ok: boolean;
+      requestId?: string;
+      ip?: string;
+      metadata?: Record<string, unknown>;
+    }) => Promise<any>;
+    list: (ctx: ComponentReadCtx, data: {
+      enterpriseId?: string;
+      groupId?: string;
+      limit?: number;
+    }) => Promise<any>;
+  };
+  webhook: {
+    endpoint: {
+      get: (ctx: ComponentReadCtx, endpointId: string) => Promise<any>;
+      create: (ctx: ComponentCtx, data: {
+        enterpriseId: string;
+        url: string;
+        secret: string;
+        subscriptions: string[];
+        createdByUserId?: string;
+      }) => Promise<{
+        ok: true;
+        endpointId: string;
+      }>;
+      list: (ctx: ComponentReadCtx, enterpriseId: string) => Promise<any>;
+      disable: (ctx: ComponentCtx, endpointId: string) => Promise<{
+        ok: true;
+        endpointId: string;
+      }>;
+    };
+    emit: (ctx: ComponentCtx, data: {
+      enterpriseId: string;
+      eventType: string;
+      payload: Record<string, unknown>;
+      auditEventId?: string;
+    }) => Promise<void>;
+    delivery: {
+      list: (ctx: ComponentReadCtx, data: {
+        enterpriseId: string;
+        limit?: number;
+      }) => Promise<any>;
+      listReady: (ctx: ComponentReadCtx, limit?: number) => Promise<any>;
+      markDelivered: (ctx: ComponentCtx, deliveryId: string, responseStatus?: number) => Promise<void>;
+      markFailed: (ctx: ComponentCtx, deliveryId: string, data: {
+        attemptCount: number;
+        responseStatus?: number;
+        error?: string;
+        retryAt?: number;
+      }) => Promise<void>;
+    };
+  };
+};
+//#endregion
+export { createSsoDomain };
+//# sourceMappingURL=sso.d.ts.map

package/dist/server/domains/sso.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sso.d.ts","names":[],"sources":["../../../src/server/domains/sso.ts"],"mappings":";;;;KAKK,YAAA,GAAe,IAAA,CAClB,gBAAA,CAAiB,gBAAA;AAAA,KAGd,gBAAA,GAAmB,IAAA,CAAK,gBAAA,CAAiB,gBAAA;AANQ;;;AAAA,iBAWtC,eAAA,CAAgB,IAAA;;kBAiFnB,YAAA,EAAY,IAAA;MAEf,OAAA;MACA,IAAA;MACA,IAAA;MACA,MAAA;MACA,MAAA,GAAS,qBAAA;MACT,MAAA,GAAS,MAAA;MACT,MAAA,GAAS,MAAA;IAAA,MAEV,OAAA;MAAU,EAAA;MAAU,YAAA;MAAsB,OAAA;IAAA;eAc5B,gBAAA,EAAgB,YAAA,aAAsB,OAAA;sBAK/B,gBAAA,EAAgB,OAAA,aAAiB,OAAA;uBAQhC,gBAAA,EAAgB,MAAA,aAAgB,OAAA;gBASlD,gBAAA,EAAgB,IAAA;MAEnB,KAAA;QACE,OAAA;QACA,IAAA;QACA,MAAA;MAAA;MAEF,KAAA;MACA,MAAA;MACA,OAAA;MACA,KAAA;IAAA,MACD,OAAA;kBAWI,YAAA,EAAY,YAAA,UACG,IAAA,EACd,MAAA,sBAAuB,OAAA;;;;kBAQX,YAAA,EAAY,YAAA,aAAsB,OAAA;;;;IAhC/C;;;;;;;;kBA8Ca,gBAAA,EAAgB,YAAA,aAAsB,OAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;eA4EnD,YAAA,EAAY,IAAA;MAEf,YAAA;MACA,OAAA;MACA,MAAA;MACA,SAAA;IAAA,MAED,OAAA;gBASe,gBAAA,EAAgB,YAAA,aAAsB,OAAA;oBAQlC,gBAAA,EAAgB,YAAA,aAAsB,OAAA;;;;;;;;;;;kBAuDxC,YAAA,EAAY,QAAA,aAAkB,OAAA;;qBAOzC,YAAA,EAAY,IAAA;QACT,YAAA;QAAsB,MAAA;MAAA,MAAgB,OAAA;;;;;;;;;;;;qBAoEzC,YAAA,EAAY,IAAA;QACT,YAAA;QAAsB,MAAA;MAAA,MAAgB,OAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;kCAsJd,gBAAA,EAAgB,GAAA,EAC7C,gBAAA,CAAiB,SAAA,GAAU,IAAA;MAE9B,YAAA;MACA,WAAA;MACA,WAAA;MACA,OAAA;MACA,iBAAA;MACA,gBAAA;QACE,OAAA;QACA,KAAA;QACA,IAAA;QACA,SAAA;QACA,QAAA;MAAA;MAEF,EAAA;QACE,QAAA;QACA,MAAA;QACA,MAAA;QACA,WAAA;QACA,WAAA;QACA,UAAA;QACA,cAAA;QACA,aAAA;QACA,iBAAA;MAAA;IAAA,MAEH,OAAA;;;;;iCAoKgC,gBAAA,EAAgB,GAAA,EAC5C,gBAAA,CAAiB,SAAA,GAAU,IAAA;MAE9B,YAAA;MACA,QAAA;MACA,MAAA;MACA,MAAA;IAAA,MACD,OAAA;IA1lBmB;;;;;;;iCA6nBa,gBAAA,EAAgB,GAAA,EAC5C,gBAAA,CAAiB,SAAA,GAAU,YAAA,aACZ,OAAA;;;;;;;;;;;eA4FL,gBAAA,EAAgB,YAAA,aAAsB,OAAA;kBAKhD,YAAA,EAAY,YAAA,UACG,KAAA,EACb,qBAAA,KAAqB,OAAA;oBAoBR,gBAAA,EAAgB,YAAA,aAAsB,OAAA;;;;;;;;;;;;;;;;;IAnpBrD;;;;;;qBAurBA,YAAA,EAAY,IAAA;MAEf,YAAA;MACA,MAAA;MACA,YAAA;MACA,QAAA;MACA,YAAA;MACA,MAAA;MACA,mBAAA,GAAsB,MAAA;MACtB,qBAAA;MACA,YAAA;MAzqBkC;;;;;MA+qBlC,WAAA,GAAc,MAAA;IAAA,MACf,OAAA;;;;eAqIc,gBAAA,EAAgB,YAAA,aAAsB,OAAA;IA9vBnC;;;;kBA+yBb,gBAAA,EAAgB,IAAA;MAEnB,YAAA;MACA,KAAA;MACA,MAAA;MACA,UAAA;IAAA,MACD,OAAA;;;;;;;;;;;;;;oBA4GmB,gBAAA,EAAgB,YAAA,aAAsB,OAAA;;;;;;;;;;;qBAsHrD,YAAA,EAAY,IAAA;MAEf,YAAA;MACA,QAAA;MACA,MAAA;IAAA,MACD,OAAA;;;;;;;eAsDc,gBAAA,EAAgB,YAAA,aAAsB,OAAA;4BAMzB,gBAAA,EAAgB,KAAA,aAAe,OAAA;;;;;;;;oBAavC,gBAAA,EAAgB,YAAA,aAAsB,OAAA;;;;;;;;;;;;;;;;;;;;;;iBA+EnD,gBAAA,EAAgB,IAAA;QAEnB,YAAA;QACA,YAAA;QACA,UAAA;MAAA,MACD,OAAA;oBAQI,YAAA,EAAY,IAAA;QAEf,YAAA;QACA,OAAA;QACA,YAAA;QACA,UAAA;QACA,MAAA;QACA,aAAA;QACA,MAAA;QACA,GAAA,GAAM,MAAA;MAAA,MACP,OAAA;IAAA;EAAA;;kBAWE,YAAA,EAAY,IAAA;MAEf,YAAA;MACA,OAAA;MACA,SAAA;MACA,SAAA;MACA,OAAA;MACA,WAAA;MACA,SAAA;MACA,EAAA;MACA,SAAA;MACA,EAAA;MACA,QAAA,GAAW,MAAA;IAAA,MACZ,OAAA;gBAKI,gBAAA,EAAgB,IAAA;MACb,YAAA;MAAuB,OAAA;MAAkB,KAAA;IAAA,MAAgB,OAAA;EAAA;;;iBAUhD,gBAAA,EAAgB,UAAA,aAAoB,OAAA;oBAO9C,YAAA,EAAY,IAAA;QAEf,YAAA;QACA,GAAA;QACA,MAAA;QACA,aAAA;QACA,eAAA;MAAA,MACD,OAAA;;;;kBAsCe,gBAAA,EAAgB,YAAA,aAAsB,OAAA;qBAMnC,YAAA,EAAY,UAAA,aAAoB,OAAA;;;;;gBAShD,YAAA,EAAY,IAAA;MAEf,YAAA;MACA,SAAA;MACA,OAAA,EAAS,MAAA;MACT,YAAA;IAAA,MACD,OAAA;;kBAMM,gBAAA,EAAgB,IAAA;QACb,YAAA;QAAsB,KAAA;MAAA,MAAgB,OAAA;uBAOzB,gBAAA,EAAgB,KAAA,cAAgB,OAAA;2BAOhD,YAAA,EAAY,UAAA,UACC,cAAA,cACK,OAAA;wBAgBlB,YAAA,EAAY,UAAA,UACC,IAAA;QAEhB,YAAA;QACA,cAAA;QACA,KAAA;QACA,OAAA;MAAA,MACD,OAAA;IAAA;EAAA;AAAA"}