npm - @robelest/convex-auth - Versions diffs - 0.0.4-preview.13 → 0.0.4-preview.16 - Mend

@robelest/convex-auth 0.0.4-preview.13 → 0.0.4-preview.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (328) hide show

package/README.md +140 -9
package/dist/bin.cjs +5957 -5478
package/dist/client/index.d.ts +3 -7
package/dist/client/index.d.ts.map +1 -1
package/dist/client/index.js +27 -26
package/dist/client/index.js.map +1 -1
package/dist/component/_generated/api.d.ts +14 -0
package/dist/component/_generated/api.d.ts.map +1 -1
package/dist/component/_generated/api.js.map +1 -1
package/dist/component/_generated/component.d.ts +1672 -24
package/dist/component/_generated/component.d.ts.map +1 -1
package/dist/component/convex.config.d.ts +2 -2
package/dist/component/convex.config.d.ts.map +1 -1
package/dist/component/index.d.ts +1 -1
package/dist/component/index.js +2 -2
package/dist/component/model.d.ts +153 -0
package/dist/component/model.d.ts.map +1 -0
package/dist/component/model.js +343 -0
package/dist/component/model.js.map +1 -0
package/dist/component/providers/sso.d.ts +1 -1
package/dist/component/public/enterprise.d.ts +54 -0
package/dist/component/public/enterprise.d.ts.map +1 -0
package/dist/component/public/enterprise.js +515 -0
package/dist/component/public/enterprise.js.map +1 -0
package/dist/component/public/factors.d.ts +52 -0
package/dist/component/public/factors.d.ts.map +1 -0
package/dist/component/public/factors.js +285 -0
package/dist/component/public/factors.js.map +1 -0
package/dist/component/public/groups.d.ts +116 -0
package/dist/component/public/groups.d.ts.map +1 -0
package/dist/component/public/groups.js +596 -0
package/dist/component/public/groups.js.map +1 -0
package/dist/component/public/identity.d.ts +93 -0
package/dist/component/public/identity.d.ts.map +1 -0
package/dist/component/public/identity.js +426 -0
package/dist/component/public/identity.js.map +1 -0
package/dist/component/public/keys.d.ts +41 -0
package/dist/component/public/keys.d.ts.map +1 -0
package/dist/component/public/keys.js +157 -0
package/dist/component/public/keys.js.map +1 -0
package/dist/component/public/shared.d.ts +26 -0
package/dist/component/public/shared.d.ts.map +1 -0
package/dist/component/public/shared.js +32 -0
package/dist/component/public/shared.js.map +1 -0
package/dist/component/public.d.ts +9 -321
package/dist/component/public.d.ts.map +1 -1
package/dist/component/public.js +6 -2145
package/dist/component/schema.d.ts +406 -260
package/dist/component/schema.js +37 -32
package/dist/component/schema.js.map +1 -1
package/dist/component/server/auth.d.ts +161 -15
package/dist/component/server/auth.d.ts.map +1 -1
package/dist/component/server/auth.js +100 -7
package/dist/component/server/auth.js.map +1 -1
package/dist/component/server/cookies.js +3 -0
package/dist/component/server/cookies.js.map +1 -1
package/dist/component/server/db.js +1 -0
package/dist/component/server/db.js.map +1 -1
package/dist/component/server/device.js +3 -1
package/dist/component/server/device.js.map +1 -1
package/dist/component/server/domains/core.js +629 -0
package/dist/component/server/domains/core.js.map +1 -0
package/dist/component/server/domains/sso.js +884 -0
package/dist/component/server/domains/sso.js.map +1 -0
package/dist/component/server/factory.d.ts +136 -0
package/dist/component/server/factory.d.ts.map +1 -0
package/dist/component/server/factory.js +1134 -0
package/dist/component/server/factory.js.map +1 -0
package/dist/component/server/fx.js +2 -1
package/dist/component/server/fx.js.map +1 -1
package/dist/component/server/http.js +287 -0
package/dist/component/server/http.js.map +1 -0
package/dist/component/server/identity.js +13 -0
package/dist/component/server/identity.js.map +1 -0
package/dist/component/server/keys.js +4 -0
package/dist/component/server/keys.js.map +1 -1
package/dist/component/server/mutations/account.js +1 -1
package/dist/component/server/mutations/index.js +2 -2
package/dist/component/server/mutations/index.js.map +1 -1
package/dist/component/server/mutations/invalidate.js +1 -1
package/dist/component/server/mutations/oauth.js +10 -7
package/dist/component/server/mutations/oauth.js.map +1 -1
package/dist/component/server/mutations/refresh.js +1 -1
package/dist/component/server/mutations/register.js +1 -1
package/dist/component/server/mutations/retrieve.js +1 -1
package/dist/component/server/mutations/signature.js +1 -1
package/dist/component/server/mutations/store.js +6 -3
package/dist/component/server/mutations/store.js.map +1 -1
package/dist/component/server/mutations/verify.js +1 -1
package/dist/component/server/oauth.js +3 -0
package/dist/component/server/oauth.js.map +1 -1
package/dist/component/server/passkey.js +3 -2
package/dist/component/server/passkey.js.map +1 -1
package/dist/component/server/provider.js +2 -0
package/dist/component/server/provider.js.map +1 -1
package/dist/component/server/providers.js +10 -0
package/dist/component/server/providers.js.map +1 -1
package/dist/component/server/ratelimit.js +3 -0
package/dist/component/server/ratelimit.js.map +1 -1
package/dist/component/server/redirects.js +2 -0
package/dist/component/server/redirects.js.map +1 -1
package/dist/component/server/refresh.js +5 -0
package/dist/component/server/refresh.js.map +1 -1
package/dist/component/server/sessions.js +5 -0
package/dist/component/server/sessions.js.map +1 -1
package/dist/component/server/signin.js +2 -1
package/dist/component/server/signin.js.map +1 -1
package/dist/component/server/sso.js +166 -19
package/dist/component/server/sso.js.map +1 -1
package/dist/component/server/tokens.js +1 -0
package/dist/component/server/tokens.js.map +1 -1
package/dist/component/server/totp.js +4 -2
package/dist/component/server/totp.js.map +1 -1
package/dist/component/server/types.d.ts +106 -38
package/dist/component/server/types.d.ts.map +1 -1
package/dist/component/server/types.js.map +1 -1
package/dist/component/server/users.js +1 -0
package/dist/component/server/users.js.map +1 -1
package/dist/component/server/utils.js +44 -2
package/dist/component/server/utils.js.map +1 -1
package/dist/providers/anonymous.d.ts +1 -1
package/dist/providers/credentials.d.ts +1 -1
package/dist/providers/password.d.ts +1 -1
package/dist/providers/sso.d.ts +1 -1
package/dist/providers/sso.js.map +1 -1
package/dist/server/auth.d.ts +163 -17
package/dist/server/auth.d.ts.map +1 -1
package/dist/server/auth.js +100 -7
package/dist/server/auth.js.map +1 -1
package/dist/server/cookies.d.ts +1 -38
package/dist/server/cookies.js +3 -0
package/dist/server/cookies.js.map +1 -1
package/dist/server/db.d.ts +1 -125
package/dist/server/db.js +1 -0
package/dist/server/db.js.map +1 -1
package/dist/server/device.d.ts +1 -24
package/dist/server/device.js +3 -1
package/dist/server/device.js.map +1 -1
package/dist/server/domains/core.d.ts +434 -0
package/dist/server/domains/core.d.ts.map +1 -0
package/dist/server/domains/core.js +629 -0
package/dist/server/domains/core.js.map +1 -0
package/dist/server/domains/sso.d.ts +409 -0
package/dist/server/domains/sso.d.ts.map +1 -0
package/dist/server/domains/sso.js +884 -0
package/dist/server/domains/sso.js.map +1 -0
package/dist/server/enterpriseValidators.d.ts +1 -0
package/dist/server/enterpriseValidators.js +60 -0
package/dist/server/enterpriseValidators.js.map +1 -0
package/dist/server/factory.d.ts +136 -0
package/dist/server/factory.d.ts.map +1 -0
package/dist/server/factory.js +1134 -0
package/dist/server/factory.js.map +1 -0
package/dist/server/fx.d.ts +1 -16
package/dist/server/fx.d.ts.map +1 -1
package/dist/server/fx.js +1 -0
package/dist/server/fx.js.map +1 -1
package/dist/server/http.d.ts +59 -0
package/dist/server/http.d.ts.map +1 -0
package/dist/server/http.js +287 -0
package/dist/server/http.js.map +1 -0
package/dist/server/identity.d.ts +1 -0
package/dist/server/identity.js +13 -0
package/dist/server/identity.js.map +1 -0
package/dist/server/index.d.ts +468 -1
package/dist/server/index.d.ts.map +1 -1
package/dist/server/index.js +530 -36
package/dist/server/index.js.map +1 -1
package/dist/server/keys.d.ts +1 -57
package/dist/server/keys.js +4 -0
package/dist/server/keys.js.map +1 -1
package/dist/server/mutations/account.d.ts +7 -7
package/dist/server/mutations/account.d.ts.map +1 -1
package/dist/server/mutations/code.d.ts +13 -13
package/dist/server/mutations/code.d.ts.map +1 -1
package/dist/server/mutations/index.d.ts +107 -107
package/dist/server/mutations/index.d.ts.map +1 -1
package/dist/server/mutations/index.js +1 -1
package/dist/server/mutations/index.js.map +1 -1
package/dist/server/mutations/invalidate.d.ts +5 -5
package/dist/server/mutations/invalidate.d.ts.map +1 -1
package/dist/server/mutations/oauth.d.ts +10 -10
package/dist/server/mutations/oauth.d.ts.map +1 -1
package/dist/server/mutations/oauth.js +9 -6
package/dist/server/mutations/oauth.js.map +1 -1
package/dist/server/mutations/refresh.d.ts +4 -4
package/dist/server/mutations/register.d.ts +12 -12
package/dist/server/mutations/register.d.ts.map +1 -1
package/dist/server/mutations/retrieve.d.ts +7 -7
package/dist/server/mutations/signature.d.ts +5 -5
package/dist/server/mutations/signin.d.ts +6 -6
package/dist/server/mutations/signin.d.ts.map +1 -1
package/dist/server/mutations/signout.d.ts +1 -1
package/dist/server/mutations/store.d.ts +3 -2
package/dist/server/mutations/store.d.ts.map +1 -1
package/dist/server/mutations/store.js +6 -3
package/dist/server/mutations/store.js.map +1 -1
package/dist/server/mutations/verifier.d.ts +1 -1
package/dist/server/mutations/verify.d.ts +11 -11
package/dist/server/mutations/verify.d.ts.map +1 -1
package/dist/server/oauth.d.ts +1 -59
package/dist/server/oauth.js +3 -0
package/dist/server/oauth.js.map +1 -1
package/dist/server/passkey.d.ts.map +1 -1
package/dist/server/passkey.js +3 -2
package/dist/server/passkey.js.map +1 -1
package/dist/server/provider.d.ts +1 -14
package/dist/server/provider.d.ts.map +1 -1
package/dist/server/provider.js +2 -0
package/dist/server/provider.js.map +1 -1
package/dist/server/providers.js +10 -0
package/dist/server/providers.js.map +1 -1
package/dist/server/ratelimit.d.ts +1 -22
package/dist/server/ratelimit.js +3 -0
package/dist/server/ratelimit.js.map +1 -1
package/dist/server/redirects.d.ts +1 -10
package/dist/server/redirects.js +2 -0
package/dist/server/redirects.js.map +1 -1
package/dist/server/refresh.d.ts +1 -37
package/dist/server/refresh.js +5 -0
package/dist/server/refresh.js.map +1 -1
package/dist/server/sessions.d.ts +1 -28
package/dist/server/sessions.js +5 -0
package/dist/server/sessions.js.map +1 -1
package/dist/server/signin.d.ts +1 -55
package/dist/server/signin.js +2 -1
package/dist/server/signin.js.map +1 -1
package/dist/server/sso.d.ts +1 -348
package/dist/server/sso.js +165 -18
package/dist/server/sso.js.map +1 -1
package/dist/server/templates.d.ts +1 -21
package/dist/server/templates.js +1 -0
package/dist/server/templates.js.map +1 -1
package/dist/server/tokens.d.ts +1 -11
package/dist/server/tokens.js +1 -0
package/dist/server/tokens.js.map +1 -1
package/dist/server/totp.d.ts +1 -23
package/dist/server/totp.js +4 -2
package/dist/server/totp.js.map +1 -1
package/dist/server/types.d.ts +114 -77
package/dist/server/types.d.ts.map +1 -1
package/dist/server/types.js.map +1 -1
package/dist/server/users.d.ts +1 -31
package/dist/server/users.js +1 -0
package/dist/server/users.js.map +1 -1
package/dist/server/utils.d.ts +1 -27
package/dist/server/utils.js +44 -2
package/dist/server/utils.js.map +1 -1
package/dist/server/version.d.ts +1 -1
package/dist/server/version.js +1 -1
package/dist/server/version.js.map +1 -1
package/package.json +4 -5
package/src/cli/bin.ts +5 -0
package/src/cli/index.ts +22 -9
package/src/cli/keys.ts +3 -0
package/src/client/index.ts +36 -37
package/src/component/_generated/api.ts +14 -0
package/src/component/_generated/component.ts +2106 -9
package/src/component/index.ts +3 -1
package/src/component/model.ts +441 -0
package/src/component/public/enterprise.ts +753 -0
package/src/component/public/factors.ts +332 -0
package/src/component/public/groups.ts +932 -0
package/src/component/public/identity.ts +566 -0
package/src/component/public/keys.ts +209 -0
package/src/component/public/shared.ts +119 -0
package/src/component/public.ts +5 -2965
package/src/component/schema.ts +68 -63
package/src/providers/sso.ts +1 -1
package/src/server/auth.ts +413 -18
package/src/server/cookies.ts +3 -0
package/src/server/db.ts +3 -0
package/src/server/device.ts +3 -1
package/src/server/domains/core.ts +1071 -0
package/src/server/domains/sso.ts +1749 -0
package/src/server/enterpriseValidators.ts +93 -0
package/src/server/factory.ts +2181 -0
package/src/server/fx.ts +1 -0
package/src/server/http.ts +529 -0
package/src/server/identity.ts +18 -0
package/src/server/index.ts +806 -40
package/src/server/keys.ts +4 -0
package/src/server/mutations/index.ts +1 -1
package/src/server/mutations/oauth.ts +36 -8
package/src/server/mutations/store.ts +6 -3
package/src/server/oauth.ts +6 -0
package/src/server/passkey.ts +3 -2
package/src/server/provider.ts +2 -0
package/src/server/providers.ts +20 -0
package/src/server/ratelimit.ts +3 -0
package/src/server/redirects.ts +2 -0
package/src/server/refresh.ts +5 -0
package/src/server/sessions.ts +5 -0
package/src/server/signin.ts +1 -0
package/src/server/sso.ts +259 -17
package/src/server/templates.ts +1 -0
package/src/server/tokens.ts +1 -0
package/src/server/totp.ts +4 -2
package/src/server/types.ts +178 -83
package/src/server/users.ts +1 -0
package/src/server/utils.ts +71 -1
package/src/server/version.ts +1 -1
package/dist/component/public.js.map +0 -1
package/dist/component/server/implementation.d.ts +0 -1264
package/dist/component/server/implementation.d.ts.map +0 -1
package/dist/component/server/implementation.js +0 -2365
package/dist/component/server/implementation.js.map +0 -1
package/dist/server/cookies.d.ts.map +0 -1
package/dist/server/db.d.ts.map +0 -1
package/dist/server/device.d.ts.map +0 -1
package/dist/server/implementation.d.ts +0 -1264
package/dist/server/implementation.d.ts.map +0 -1
package/dist/server/implementation.js +0 -2365
package/dist/server/implementation.js.map +0 -1
package/dist/server/keys.d.ts.map +0 -1
package/dist/server/oauth.d.ts.map +0 -1
package/dist/server/ratelimit.d.ts.map +0 -1
package/dist/server/redirects.d.ts.map +0 -1
package/dist/server/refresh.d.ts.map +0 -1
package/dist/server/sessions.d.ts.map +0 -1
package/dist/server/signin.d.ts.map +0 -1
package/dist/server/sso.d.ts.map +0 -1
package/dist/server/templates.d.ts.map +0 -1
package/dist/server/tokens.d.ts.map +0 -1
package/dist/server/totp.d.ts.map +0 -1
package/dist/server/users.d.ts.map +0 -1
package/dist/server/utils.d.ts.map +0 -1
package/src/server/implementation.ts +0 -5336

package/dist/server/domains/sso.js ADDED Viewed

@@ -0,0 +1,884 @@
+import { AuthError, Fx } from "../fx.js";
+//#region src/server/domains/sso.ts
+/**
+* Build the enterprise and SSO management domain.
+*/
+function createSsoDomain(deps) {
+	const { config, normalizeEnterprisePolicy, normalizeDomain, getEnterpriseSecret, loadEnterpriseOrThrow, validateEnterprisePolicy, recordEnterpriseAuditEvent, emitEnterpriseWebhookDeliveries, enterpriseNotFoundError, ENTERPRISE_OIDC_CLIENT_SECRET_KIND, requireEnv, generateRandomString, INVITE_TOKEN_ALPHABET, sha256, encryptSecret, upsertProtocolConfig, parseSamlIdpMetadata, createServiceProviderMetadata, getSamlServiceProviderOptions, getPublicOidcConfig, withOidcSecretState, getOidcConfig, getEnterpriseOidcUrls, enterpriseOidcProviderId, getPolicyFromEnterprise, patchEnterprisePolicy } = deps;
+	const ENTERPRISE_DOMAIN_VERIFICATION_PREFIX = "_convex-auth-verification";
+	const ENTERPRISE_DOMAIN_VERIFICATION_TTL_MS = 1e3 * 60 * 60 * 24 * 7;
+	const toDomainSummary = (domain) => ({
+		domainId: domain._id,
+		domain: domain.domain,
+		isPrimary: domain.isPrimary,
+		verified: domain.verifiedAt !== void 0,
+		verifiedAt: domain.verifiedAt ?? null
+	});
+	const getDomainVerificationRecordName = (domain) => `${ENTERPRISE_DOMAIN_VERIFICATION_PREFIX}.${normalizeDomain(domain)}`;
+	const parseTxtAnswer = (value) => {
+		const quoted = [...value.matchAll(/"([^"]*)"/g)].map((match) => match[1]);
+		if (quoted.length > 0) return quoted.join("");
+		return value.replace(/^"|"$/g, "").trim();
+	};
+	const resolveTxtValues = async (recordName) => {
+		const url = new URL("https://dns.google/resolve");
+		url.searchParams.set("name", recordName);
+		url.searchParams.set("type", "TXT");
+		const response = await fetch(url, { headers: { accept: "application/json" } });
+		if (!response.ok) throw new Error(`DNS TXT lookup failed with status ${response.status}.`);
+		return ((await response.json()).Answer ?? []).map((answer) => typeof answer.data === "string" ? parseTxtAnswer(answer.data) : null).filter((value) => value !== null && value.length > 0);
+	};
+	return {
+		connection: {
+			create: async (ctx, data) => {
+				return {
+					ok: true,
+					enterpriseId: await ctx.runMutation(config.component.public.enterpriseCreate, {
+						...data,
+						policy: normalizeEnterprisePolicy(data.policy)
+					}),
+					groupId: data.groupId
+				};
+			},
+			get: async (ctx, enterpriseId) => {
+				return await ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId });
+			},
+			getByGroup: async (ctx, groupId) => {
+				return await ctx.runQuery(config.component.public.enterpriseGetByGroup, { groupId });
+			},
+			getByDomain: async (ctx, domain) => {
+				return await ctx.runQuery(config.component.public.enterpriseGetByDomain, { domain: normalizeDomain(domain) });
+			},
+			list: async (ctx, opts) => {
+				return await ctx.runQuery(config.component.public.enterpriseList, {
+					where: opts?.where,
+					limit: opts?.limit,
+					cursor: opts?.cursor,
+					orderBy: opts?.orderBy,
+					order: opts?.order
+				});
+			},
+			update: async (ctx, enterpriseId, data) => {
+				await ctx.runMutation(config.component.public.enterpriseUpdate, {
+					enterpriseId,
+					data
+				});
+				return {
+					ok: true,
+					enterpriseId
+				};
+			},
+			delete: async (ctx, enterpriseId) => {
+				await ctx.runMutation(config.component.public.enterpriseDelete, { enterpriseId });
+				return {
+					ok: true,
+					enterpriseId
+				};
+			},
+			status: async (ctx, enterpriseId) => {
+				const enterprise = await ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId });
+				if (!enterprise) throw new AuthError("INVALID_PARAMETERS", enterpriseNotFoundError).toConvexError();
+				const policy = getPolicyFromEnterprise(enterprise);
+				const protocols = enterprise.config?.protocols ?? {};
+				const oidcConfig = protocols.oidc;
+				const oidcSecret = await getEnterpriseSecret(ctx, enterprise._id, ENTERPRISE_OIDC_CLIENT_SECRET_KIND);
+				const samlConfig = protocols.saml;
+				const scimConfig = await ctx.runQuery(config.component.public.enterpriseScimConfigGetByEnterprise, { enterpriseId });
+				const domains = await ctx.runQuery(config.component.public.enterpriseDomainList, { enterpriseId });
+				const oidcReady = oidcConfig?.enabled === true && typeof oidcConfig?.clientId === "string" && oidcConfig.clientId.length > 0 && oidcSecret !== null && (typeof oidcConfig?.issuer === "string" || typeof oidcConfig?.discoveryUrl === "string");
+				const samlReady = samlConfig?.enabled === true && typeof samlConfig?.idp?.entityId === "string";
+				const scimReady = scimConfig !== null && scimConfig !== void 0 && scimConfig.status === "active";
+				const ready = enterprise.status === "active" && (oidcReady || samlReady);
+				return {
+					enterpriseId: enterprise._id,
+					status: enterprise.status,
+					ready,
+					domainCount: domains.length,
+					protocols: {
+						oidc: {
+							configured: oidcReady,
+							ready: oidcReady,
+							clientId: oidcConfig?.clientId ?? null,
+							issuer: oidcConfig?.issuer ?? oidcConfig?.discoveryUrl ?? null
+						},
+						saml: {
+							configured: samlReady,
+							ready: samlReady,
+							entityId: samlConfig?.idp?.entityId ?? null
+						},
+						scim: {
+							configured: scimReady,
+							ready: scimReady,
+							basePath: scimConfig?.basePath ?? null,
+							deprovisionMode: policy.provisioning.deprovision.mode
+						}
+					}
+				};
+			}
+		},
+		domain: {
+			add: async (ctx, data) => {
+				return await ctx.runMutation(config.component.public.enterpriseDomainAdd, {
+					...data,
+					domain: normalizeDomain(data.domain)
+				});
+			},
+			list: async (ctx, enterpriseId) => {
+				return await ctx.runQuery(config.component.public.enterpriseDomainList, { enterpriseId });
+			},
+			validate: async (ctx, enterpriseId) => {
+				const enterprise = await ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId });
+				if (enterprise === null) throw new AuthError("INVALID_PARAMETERS", enterpriseNotFoundError).toConvexError();
+				const domains = await ctx.runQuery(config.component.public.enterpriseDomainList, { enterpriseId });
+				const primaryDomains = domains.filter((domain) => domain.isPrimary);
+				const verifiedDomains = domains.filter((domain) => domain.verifiedAt !== void 0);
+				const warnings = [];
+				if (domains.length === 0) warnings.push("No domains configured.");
+				if (primaryDomains.length === 0 && domains.length > 0) warnings.push("No primary domain configured.");
+				if (primaryDomains.length > 1) warnings.push("Multiple primary domains configured.");
+				if (verifiedDomains.length === 0 && domains.length > 0) warnings.push("No verified domains yet.");
+				return {
+					enterpriseId,
+					ready: enterprise.status === "active" && domains.length > 0 && primaryDomains.length === 1 && verifiedDomains.length > 0,
+					summary: {
+						domainCount: domains.length,
+						primaryCount: primaryDomains.length,
+						verifiedCount: verifiedDomains.length
+					},
+					domains: domains.map((domain) => toDomainSummary(domain)),
+					warnings
+				};
+			},
+			remove: async (ctx, domainId) => {
+				await ctx.runMutation(config.component.public.enterpriseDomainDelete, { domainId });
+			},
+			verification: {
+				request: async (ctx, args) => {
+					const enterprise = await loadEnterpriseOrThrow(ctx, args.enterpriseId);
+					const normalizedDomain = normalizeDomain(args.domain);
+					const domain = (await ctx.runQuery(config.component.public.enterpriseDomainList, { enterpriseId: enterprise._id })).find((entry) => entry.domain === normalizedDomain);
+					if (!domain) throw new AuthError("INVALID_PARAMETERS", "Domain is not attached to this enterprise.").toConvexError();
+					const requestedAt = Date.now();
+					const expiresAt = requestedAt + ENTERPRISE_DOMAIN_VERIFICATION_TTL_MS;
+					const token = generateRandomString(32, INVITE_TOKEN_ALPHABET);
+					const tokenHash = await sha256(token);
+					const recordName = getDomainVerificationRecordName(normalizedDomain);
+					await ctx.runMutation(config.component.public.enterpriseDomainVerificationUpsert, {
+						enterpriseId: enterprise._id,
+						groupId: enterprise.groupId,
+						domainId: domain._id,
+						domain: normalizedDomain,
+						recordName,
+						token,
+						tokenHash,
+						requestedAt,
+						expiresAt
+					});
+					await recordEnterpriseAuditEvent(ctx, {
+						enterpriseId: enterprise._id,
+						groupId: enterprise.groupId,
+						eventType: "enterprise.domain.verification_requested",
+						actorType: "system",
+						subjectType: "enterprise_domain",
+						subjectId: domain._id,
+						ok: true,
+						metadata: {
+							domain: normalizedDomain,
+							recordName,
+							expiresAt
+						}
+					});
+					return {
+						ok: true,
+						enterpriseId: enterprise._id,
+						domain: normalizedDomain,
+						requestedAt,
+						expiresAt,
+						challenge: {
+							recordType: "TXT",
+							recordName,
+							recordValue: token
+						}
+					};
+				},
+				confirm: async (ctx, args) => {
+					const enterprise = await loadEnterpriseOrThrow(ctx, args.enterpriseId);
+					const normalizedDomain = normalizeDomain(args.domain);
+					const domain = (await ctx.runQuery(config.component.public.enterpriseDomainList, { enterpriseId: enterprise._id })).find((entry) => entry.domain === normalizedDomain);
+					if (!domain) throw new AuthError("INVALID_PARAMETERS", "Domain is not attached to this enterprise.").toConvexError();
+					if (domain.verifiedAt !== void 0) return {
+						ok: true,
+						enterpriseId: enterprise._id,
+						domain: normalizedDomain,
+						verifiedAt: domain.verifiedAt,
+						checks: [{
+							name: "domain_verified",
+							ok: true,
+							message: "Domain is already verified."
+						}]
+					};
+					const verification = await ctx.runQuery(config.component.public.enterpriseDomainVerificationGet, { domainId: domain._id });
+					const checks = [];
+					if (!verification) {
+						checks.push({
+							name: "verification_requested",
+							ok: false,
+							message: "No active domain verification challenge exists."
+						});
+						return {
+							ok: false,
+							enterpriseId: enterprise._id,
+							domain: normalizedDomain,
+							checks
+						};
+					}
+					checks.push({
+						name: "verification_requested",
+						ok: true
+					});
+					if (verification.expiresAt < Date.now()) {
+						await ctx.runMutation(config.component.public.enterpriseDomainVerificationDelete, { domainId: domain._id });
+						checks.push({
+							name: "challenge_active",
+							ok: false,
+							message: "The verification challenge expired. Request a new one."
+						});
+						return {
+							ok: false,
+							enterpriseId: enterprise._id,
+							domain: normalizedDomain,
+							checks
+						};
+					}
+					checks.push({
+						name: "challenge_active",
+						ok: true
+					});
+					let txtValues;
+					try {
+						txtValues = await resolveTxtValues(verification.recordName);
+					} catch (error) {
+						throw new AuthError("INTERNAL_ERROR", error instanceof Error ? error.message : "Failed to resolve DNS TXT records.").toConvexError();
+					}
+					checks.push({
+						name: "dns_record_present",
+						ok: txtValues.length > 0,
+						message: txtValues.length > 0 ? void 0 : `No TXT records found at ${verification.recordName}.`
+					});
+					const matches = txtValues.includes(verification.token);
+					checks.push({
+						name: "dns_record_matches",
+						ok: matches,
+						message: matches ? void 0 : `TXT record at ${verification.recordName} does not match the expected value.`
+					});
+					if (!checks.every((check) => check.ok)) return {
+						ok: false,
+						enterpriseId: enterprise._id,
+						domain: normalizedDomain,
+						checks
+					};
+					const verifiedAt = Date.now();
+					await ctx.runMutation(config.component.public.enterpriseDomainVerify, {
+						domainId: domain._id,
+						verifiedAt
+					});
+					await recordEnterpriseAuditEvent(ctx, {
+						enterpriseId: enterprise._id,
+						groupId: enterprise.groupId,
+						eventType: "enterprise.domain.verified",
+						actorType: "system",
+						subjectType: "enterprise_domain",
+						subjectId: domain._id,
+						ok: true,
+						metadata: {
+							domain: normalizedDomain,
+							verifiedAt
+						}
+					});
+					return {
+						ok: true,
+						enterpriseId: enterprise._id,
+						domain: normalizedDomain,
+						verifiedAt,
+						checks
+					};
+				}
+			}
+		},
+		saml: {
+			configure: async (ctx, data) => {
+				return await Fx.run(Fx.gen(function* () {
+					const enterprise = yield* Fx.from({
+						ok: () => ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId: data.enterpriseId }),
+						err: () => new AuthError("INTERNAL_ERROR", "Failed to load enterprise.")
+					}).pipe(Fx.chain((ent) => ent === null ? Fx.fail(new AuthError("INVALID_PARAMETERS", enterpriseNotFoundError)) : Fx.succeed(ent)));
+					const metadataXml = yield* data.metadataXml ? Fx.succeed(data.metadataXml) : data.metadataUrl ? Fx.defer(() => Fx.from({
+						ok: async () => {
+							const response = await fetch(data.metadataUrl);
+							if (!response.ok) throw new Error(`Failed to fetch SAML metadata: ${response.status}`);
+							return await response.text();
+						},
+						err: (error) => new AuthError("INVALID_PARAMETERS", error instanceof Error ? error.message : "Failed to fetch SAML metadata")
+					})).pipe(Fx.timeout(1e4), Fx.retry(Fx.retry.compose(Fx.retry.jittered(Fx.retry.exponential(200)), Fx.retry.recurs(2))), Fx.recover((error) => Fx.fail(new AuthError("INVALID_PARAMETERS", error instanceof Error ? error.message : "Failed to fetch SAML metadata")))) : Fx.fail(new AuthError("INVALID_PARAMETERS", "SAML registration requires metadataXml or metadataUrl."));
+					const parsed = yield* Fx.from({
+						ok: () => parseSamlIdpMetadata(metadataXml),
+						err: () => new AuthError("INVALID_PARAMETERS", "Failed to parse SAML metadata.")
+					});
+					const baseConfig = upsertProtocolConfig(enterprise.config, "saml", {
+						enabled: true,
+						idp: {
+							metadataXml,
+							...parsed
+						},
+						sp: data.sp,
+						signAuthnRequests: data.signAuthnRequests ?? parsed.wantsSignedAuthnRequests,
+						attributeMapping: data.attributeMapping
+					});
+					const normalizedDomains = data.domains?.map(normalizeDomain);
+					const nextConfig = normalizedDomains ? {
+						...baseConfig,
+						domains: normalizedDomains
+					} : baseConfig;
+					yield* Fx.from({
+						ok: () => ctx.runMutation(config.component.public.enterpriseUpdate, {
+							enterpriseId: enterprise._id,
+							data: {
+								status: "active",
+								config: nextConfig
+							}
+						}),
+						err: () => new AuthError("INTERNAL_ERROR", "Failed to persist SAML registration.")
+					});
+					if (normalizedDomains) for (const [index, domain] of normalizedDomains.entries()) yield* Fx.from({
+						ok: () => ctx.runMutation(config.component.public.enterpriseDomainAdd, {
+							enterpriseId: enterprise._id,
+							groupId: enterprise.groupId,
+							domain,
+							isPrimary: index === 0
+						}),
+						err: () => new AuthError("INTERNAL_ERROR", "Failed to persist enterprise domain.")
+					});
+					yield* Fx.from({
+						ok: () => recordEnterpriseAuditEvent(ctx, {
+							enterpriseId: enterprise._id,
+							groupId: enterprise.groupId,
+							eventType: "enterprise.saml.registered",
+							actorType: "system",
+							subjectType: "enterprise_saml",
+							subjectId: enterprise._id,
+							ok: true,
+							metadata: {
+								metadataUrl: data.metadataUrl,
+								domains: normalizedDomains
+							}
+						}),
+						err: () => new AuthError("INTERNAL_ERROR", "Failed to record SAML registration audit event.")
+					});
+					return {
+						ok: true,
+						enterpriseId: enterprise._id,
+						groupId: enterprise.groupId
+					};
+				}).pipe(Fx.recover((e) => Fx.fatal(e.toConvexError()))));
+			},
+			metadata: async (ctx, opts) => {
+				const enterprise = await ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId: opts.enterpriseId });
+				if (!enterprise) throw new AuthError("INVALID_PARAMETERS", "Enterprise not found.").toConvexError();
+				return createServiceProviderMetadata(getSamlServiceProviderOptions({
+					rootUrl: requireEnv("CONVEX_SITE_URL"),
+					source: {
+						kind: "enterprise",
+						id: enterprise._id
+					},
+					config: enterprise.config,
+					overrides: {
+						entityId: opts.entityId,
+						acsUrl: opts.acsUrl,
+						sloUrl: opts.sloUrl
+					}
+				}));
+			},
+			validate: async (ctx, enterpriseId) => {
+				const checks = [];
+				const enterprise = await ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId });
+				if (!enterprise) return {
+					ok: false,
+					enterpriseId,
+					checks: [{
+						name: "enterprise_exists",
+						ok: false,
+						message: "Enterprise not found."
+					}]
+				};
+				const samlConfig = enterprise.config?.protocols?.saml;
+				const samlConfigured = samlConfig?.enabled === true && typeof samlConfig?.idp?.metadataXml === "string";
+				checks.push({
+					name: "saml_configured",
+					ok: samlConfigured,
+					message: samlConfigured ? void 0 : "SAML is not configured."
+				});
+				const hasIdpMetadata = typeof samlConfig?.idp?.metadataXml === "string" && samlConfig.idp.metadataXml.length > 0;
+				checks.push({
+					name: "idp_metadata_present",
+					ok: hasIdpMetadata,
+					message: hasIdpMetadata ? void 0 : "IdP metadata XML is missing."
+				});
+				const hasEntityId = typeof samlConfig?.idp?.entityId === "string" && samlConfig.idp.entityId.length > 0;
+				checks.push({
+					name: "idp_entity_id",
+					ok: hasEntityId,
+					message: hasEntityId ? void 0 : "IdP entityId could not be parsed from metadata."
+				});
+				let spMetadataOk = false;
+				let spMetadataMessage;
+				if (samlConfigured) try {
+					createServiceProviderMetadata(getSamlServiceProviderOptions({
+						rootUrl: requireEnv("CONVEX_SITE_URL"),
+						source: {
+							kind: "enterprise",
+							id: enterprise._id
+						},
+						config: enterprise.config,
+						overrides: {}
+					}));
+					spMetadataOk = true;
+				} catch (e) {
+					spMetadataMessage = e instanceof Error ? e.message : "SP metadata generation failed.";
+				}
+				else spMetadataMessage = "Skipped — SAML not configured.";
+				checks.push({
+					name: "sp_metadata_generates",
+					ok: spMetadataOk,
+					message: spMetadataMessage
+				});
+				return {
+					ok: checks.every((c) => c.ok),
+					enterpriseId: enterprise._id,
+					checks
+				};
+			}
+		},
+		policy: {
+			get: async (ctx, enterpriseId) => {
+				return getPolicyFromEnterprise(await loadEnterpriseOrThrow(ctx, enterpriseId));
+			},
+			update: async (ctx, enterpriseId, patch) => {
+				const enterprise = await loadEnterpriseOrThrow(ctx, enterpriseId);
+				const policy = patchEnterprisePolicy(enterprise.policy, patch);
+				await ctx.runMutation(config.component.public.enterpriseUpdate, {
+					enterpriseId,
+					data: { policy }
+				});
+				await recordEnterpriseAuditEvent(ctx, {
+					enterpriseId: enterprise._id,
+					groupId: enterprise.groupId,
+					eventType: "enterprise.policy.updated",
+					actorType: "system",
+					subjectType: "enterprise_policy",
+					subjectId: enterprise._id,
+					ok: true,
+					metadata: { version: policy.version }
+				});
+				return policy;
+			},
+			validate: async (ctx, enterpriseId) => {
+				const enterprise = await ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId });
+				if (!enterprise) return {
+					ok: false,
+					enterpriseId,
+					checks: [{
+						name: "enterprise_exists",
+						ok: false,
+						message: enterpriseNotFoundError
+					}]
+				};
+				const policy = getPolicyFromEnterprise(enterprise);
+				const checks = validateEnterprisePolicy(policy);
+				return {
+					ok: checks.every((check) => check.ok),
+					enterpriseId,
+					policy,
+					checks
+				};
+			}
+		},
+		oidc: {
+			configure: async (ctx, data) => {
+				return await Fx.run(Fx.gen(function* () {
+					yield* Fx.guard(data.issuer === void 0 && data.discoveryUrl === void 0, Fx.fail(new AuthError("INVALID_PARAMETERS", "OIDC registration requires issuer or discoveryUrl.")));
+					const enterprise = yield* Fx.from({
+						ok: () => ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId: data.enterpriseId }),
+						err: () => new AuthError("INTERNAL_ERROR", "Failed to load enterprise.")
+					}).pipe(Fx.chain((ent) => ent === null ? Fx.fail(new AuthError("INVALID_PARAMETERS", enterpriseNotFoundError)) : Fx.succeed(ent)));
+					const nextConfig = upsertProtocolConfig(enterprise.config, "oidc", {
+						enabled: true,
+						issuer: data.issuer,
+						discoveryUrl: data.discoveryUrl,
+						clientId: data.clientId,
+						scopes: data.scopes ?? [
+							"openid",
+							"profile",
+							"email"
+						],
+						authorizationParams: data.authorizationParams,
+						clockToleranceSeconds: data.clockToleranceSeconds,
+						strictIssuer: data.strictIssuer,
+						extraFields: data.extraFields
+					});
+					yield* Fx.from({
+						ok: () => ctx.runMutation(config.component.public.enterpriseUpdate, {
+							enterpriseId: data.enterpriseId,
+							data: { config: nextConfig }
+						}),
+						err: () => new AuthError("INTERNAL_ERROR", "Failed to persist OIDC registration.")
+					});
+					if (data.clientSecret !== void 0) {
+						const ciphertext = yield* Fx.from({
+							ok: () => encryptSecret(data.clientSecret),
+							err: () => new AuthError("INTERNAL_ERROR", "Failed to encrypt OIDC client secret.")
+						});
+						yield* Fx.from({
+							ok: () => ctx.runMutation(config.component.public.enterpriseSecretUpsert, {
+								enterpriseId: data.enterpriseId,
+								groupId: enterprise.groupId,
+								kind: ENTERPRISE_OIDC_CLIENT_SECRET_KIND,
+								ciphertext,
+								updatedAt: Date.now()
+							}),
+							err: () => new AuthError("INTERNAL_ERROR", "Failed to persist OIDC client secret.")
+						});
+					}
+					yield* Fx.from({
+						ok: () => recordEnterpriseAuditEvent(ctx, {
+							enterpriseId: data.enterpriseId,
+							groupId: enterprise.groupId,
+							eventType: "enterprise.oidc.registered",
+							actorType: "system",
+							subjectType: "enterprise_oidc",
+							subjectId: data.enterpriseId,
+							ok: true,
+							metadata: {
+								issuer: data.issuer,
+								discoveryUrl: data.discoveryUrl
+							}
+						}),
+						err: () => new AuthError("INTERNAL_ERROR", "Failed to record OIDC registration audit event.")
+					});
+					const secret = yield* Fx.from({
+						ok: () => getEnterpriseSecret(ctx, data.enterpriseId, ENTERPRISE_OIDC_CLIENT_SECRET_KIND),
+						err: () => new AuthError("INTERNAL_ERROR", "Failed to load OIDC secret metadata.")
+					});
+					return withOidcSecretState(getPublicOidcConfig(nextConfig), secret !== null);
+				}).pipe(Fx.recover((e) => Fx.fatal(e.toConvexError()))));
+			},
+			get: async (ctx, enterpriseId) => {
+				return await Fx.run(Fx.from({
+					ok: () => ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId }),
+					err: () => new AuthError("INTERNAL_ERROR", "Failed to load enterprise.")
+				}).pipe(Fx.chain((ent) => ent === null ? Fx.fail(new AuthError("INVALID_PARAMETERS", enterpriseNotFoundError)) : Fx.succeed(ent)), Fx.chain((enterprise) => Fx.from({
+					ok: async () => {
+						const secret = await getEnterpriseSecret(ctx, enterprise._id, ENTERPRISE_OIDC_CLIENT_SECRET_KIND);
+						return withOidcSecretState(getPublicOidcConfig(enterprise.config), secret !== null);
+					},
+					err: () => new AuthError("INTERNAL_ERROR", "Failed to load OIDC secret metadata.")
+				})), Fx.recover((e) => Fx.fatal(e.toConvexError()))));
+			},
+			signIn: async (ctx, data) => {
+				return await Fx.run(Fx.gen(function* () {
+					const enterprise = data.enterpriseId !== void 0 ? yield* Fx.from({
+						ok: () => ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId: data.enterpriseId }),
+						err: () => new AuthError("INTERNAL_ERROR", "Failed to load enterprise.")
+					}).pipe(Fx.chain((ent) => ent === null ? Fx.fail(new AuthError("INVALID_PARAMETERS", enterpriseNotFoundError)) : Fx.succeed(ent))) : data.domain !== void 0 || data.email !== void 0 ? yield* Fx.from({
+						ok: () => ctx.runQuery(config.component.public.enterpriseGetByDomain, { domain: normalizeDomain(data.domain ?? String(data.email).split("@").at(-1) ?? "") }),
+						err: () => new AuthError("INTERNAL_ERROR", "Failed to resolve enterprise by domain.")
+					}).pipe(Fx.chain((result) => result?.enterprise && result.domain?.verifiedAt !== void 0 ? Fx.succeed(result.enterprise) : Fx.fail(new AuthError("INVALID_PARAMETERS", "No enterprise OIDC connection matched the provided input.")))) : yield* Fx.fail(new AuthError("INVALID_PARAMETERS", "No enterprise OIDC connection matched the provided input."));
+					yield* Fx.guard(enterprise.status !== "active", Fx.fail(new AuthError("INVALID_PARAMETERS", "Enterprise connection is not active.")));
+					const oidc = getOidcConfig(enterprise.config);
+					yield* Fx.guard(oidc.enabled !== true, Fx.fail(new AuthError("PROVIDER_NOT_CONFIGURED", "OIDC is not configured for this enterprise.")));
+					const urls = getEnterpriseOidcUrls({
+						rootUrl: requireEnv("CONVEX_SITE_URL"),
+						enterpriseId: enterprise._id
+					});
+					return {
+						enterpriseId: enterprise._id,
+						providerId: enterpriseOidcProviderId(enterprise._id),
+						signInPath: urls.signInUrl,
+						callbackPath: urls.callbackUrl,
+						redirectTo: data.redirectTo
+					};
+				}).pipe(Fx.recover((e) => Fx.fatal(e.toConvexError()))));
+			},
+			validate: async (ctx, enterpriseId) => {
+				const checks = [];
+				const enterprise = await ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId });
+				if (!enterprise) return {
+					ok: false,
+					enterpriseId,
+					checks: [{
+						name: "enterprise_exists",
+						ok: false,
+						message: "Enterprise not found."
+					}]
+				};
+				const oidc = getOidcConfig(enterprise.config);
+				const secret = await getEnterpriseSecret(ctx, enterprise._id, ENTERPRISE_OIDC_CLIENT_SECRET_KIND);
+				const oidcConfigured = oidc.enabled === true && typeof oidc.clientId === "string" && oidc.clientId.length > 0;
+				checks.push({
+					name: "oidc_configured",
+					ok: oidcConfigured,
+					message: oidcConfigured ? void 0 : "OIDC is not configured."
+				});
+				const hasClientId = typeof oidc.clientId === "string" && oidc.clientId.length > 0;
+				checks.push({
+					name: "client_id_present",
+					ok: hasClientId,
+					message: hasClientId ? void 0 : "clientId is missing."
+				});
+				checks.push({
+					name: "client_secret_stored",
+					ok: secret !== null,
+					message: secret !== null ? void 0 : "OIDC client secret is missing."
+				});
+				const discoveryTarget = oidc.discoveryUrl ?? oidc.issuer;
+				const hasDiscovery = typeof discoveryTarget === "string" && discoveryTarget.length > 0;
+				checks.push({
+					name: "issuer_or_discovery_url_present",
+					ok: hasDiscovery,
+					message: hasDiscovery ? void 0 : "issuer or discoveryUrl is missing."
+				});
+				let discoveryOk = false;
+				let discoveryMessage;
+				if (hasDiscovery) {
+					const discoveryUrl = oidc.discoveryUrl?.length ? oidc.discoveryUrl : `${oidc.issuer}/.well-known/openid-configuration`;
+					try {
+						const res = await fetch(discoveryUrl, {
+							headers: { Accept: "application/json" },
+							signal: AbortSignal.timeout(8e3)
+						});
+						if (!res.ok) discoveryMessage = `Discovery endpoint returned ${res.status}.`;
+						else {
+							const json = await res.json();
+							if (typeof json.issuer !== "string") discoveryMessage = "Discovery document is missing issuer field.";
+							else if (typeof json.authorization_endpoint !== "string") discoveryMessage = "Discovery document is missing authorization_endpoint.";
+							else discoveryOk = true;
+						}
+					} catch (e) {
+						discoveryMessage = e instanceof Error ? `Discovery fetch failed: ${e.message}` : "Discovery fetch failed.";
+					}
+				} else discoveryMessage = "Skipped — issuer or discoveryUrl not set.";
+				checks.push({
+					name: "discovery_reachable",
+					ok: discoveryOk,
+					message: discoveryMessage
+				});
+				return {
+					ok: checks.every((c) => c.ok),
+					enterpriseId: enterprise._id,
+					checks
+				};
+			}
+		},
+		scim: {
+			configure: async (ctx, data) => {
+				const enterprise = await ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId: data.enterpriseId });
+				if (enterprise === null) throw new AuthError("INVALID_PARAMETERS", "Enterprise not found.").toConvexError();
+				const rawToken = generateRandomString(48, INVITE_TOKEN_ALPHABET);
+				const tokenHash = await sha256(rawToken);
+				const configId = await ctx.runMutation(config.component.public.enterpriseScimConfigUpsert, {
+					enterpriseId: enterprise._id,
+					groupId: enterprise.groupId,
+					status: data.status ?? "active",
+					basePath: data.basePath ?? `${requireEnv("CONVEX_SITE_URL")}/api/auth/sso/${enterprise._id}/scim/v2`,
+					tokenHash,
+					lastRotatedAt: Date.now()
+				});
+				const auditEventId = await recordEnterpriseAuditEvent(ctx, {
+					enterpriseId: enterprise._id,
+					groupId: enterprise.groupId,
+					eventType: "enterprise.scim.configured",
+					actorType: "system",
+					subjectType: "enterprise_scim",
+					subjectId: configId,
+					ok: true
+				});
+				await emitEnterpriseWebhookDeliveries(ctx, {
+					enterpriseId: enterprise._id,
+					eventType: "enterprise.scim.configured",
+					auditEventId,
+					payload: {
+						enterpriseId: enterprise._id,
+						scimConfigId: configId
+					}
+				});
+				return {
+					ok: true,
+					enterpriseId: enterprise._id,
+					configId,
+					basePath: data.basePath ?? `${requireEnv("CONVEX_SITE_URL")}/api/auth/sso/${enterprise._id}/scim/v2`,
+					token: rawToken
+				};
+			},
+			get: async (ctx, enterpriseId) => {
+				return await ctx.runQuery(config.component.public.enterpriseScimConfigGetByEnterprise, { enterpriseId });
+			},
+			getConfigByToken: async (ctx, token) => {
+				return await ctx.runQuery(config.component.public.enterpriseScimConfigGetByTokenHash, { tokenHash: await sha256(token) });
+			},
+			validate: async (ctx, enterpriseId) => {
+				const checks = [];
+				const enterprise = await ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId });
+				if (!enterprise) return {
+					ok: false,
+					enterpriseId,
+					checks: [{
+						name: "enterprise_exists",
+						ok: false,
+						message: "Enterprise not found."
+					}]
+				};
+				const policy = getPolicyFromEnterprise(enterprise);
+				const scimConfig = await ctx.runQuery(config.component.public.enterpriseScimConfigGetByEnterprise, { enterpriseId });
+				const hasConfig = scimConfig !== null && scimConfig !== void 0;
+				checks.push({
+					name: "scim_config_exists",
+					ok: hasConfig,
+					message: hasConfig ? void 0 : "SCIM has not been configured."
+				});
+				const isActive = hasConfig && scimConfig.status === "active";
+				checks.push({
+					name: "scim_config_active",
+					ok: isActive,
+					message: isActive ? void 0 : `SCIM config status is ${hasConfig ? scimConfig.status : "unknown"}.`
+				});
+				const hasToken = hasConfig && typeof scimConfig.tokenHash === "string" && scimConfig.tokenHash.length > 0;
+				checks.push({
+					name: "token_hash_set",
+					ok: hasToken,
+					message: hasToken ? void 0 : "SCIM bearer token has not been set."
+				});
+				const hasBasePath = hasConfig && typeof scimConfig.basePath === "string" && scimConfig.basePath.length > 0;
+				checks.push({
+					name: "base_path_set",
+					ok: hasBasePath,
+					message: hasBasePath ? void 0 : "SCIM basePath is missing."
+				});
+				return {
+					ok: checks.every((c) => c.ok),
+					enterpriseId: enterprise._id,
+					basePath: hasBasePath ? scimConfig.basePath : null,
+					deprovisionMode: policy.provisioning.deprovision.mode,
+					checks
+				};
+			},
+			identity: {
+				get: async (ctx, data) => {
+					return await ctx.runQuery(config.component.public.enterpriseScimIdentityGet, data);
+				},
+				upsert: async (ctx, data) => {
+					return await ctx.runMutation(config.component.public.enterpriseScimIdentityUpsert, {
+						...data,
+						lastProvisionedAt: Date.now()
+					});
+				}
+			}
+		},
+		audit: {
+			record: async (ctx, data) => {
+				return await recordEnterpriseAuditEvent(ctx, data);
+			},
+			list: async (ctx, data) => {
+				return await ctx.runQuery(config.component.public.enterpriseAuditEventList, data);
+			}
+		},
+		webhook: {
+			endpoint: {
+				get: async (ctx, endpointId) => {
+					return await ctx.runQuery(config.component.public.enterpriseWebhookEndpointGet, { endpointId });
+				},
+				create: async (ctx, data) => {
+					const enterprise = await ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId: data.enterpriseId });
+					if (enterprise === null) throw new AuthError("INVALID_PARAMETERS", "Enterprise not found.").toConvexError();
+					const secretHash = await sha256(data.secret);
+					const endpointId = await ctx.runMutation(config.component.public.enterpriseWebhookEndpointCreate, {
+						enterpriseId: enterprise._id,
+						groupId: enterprise.groupId,
+						url: data.url,
+						secretHash,
+						subscriptions: data.subscriptions,
+						createdByUserId: data.createdByUserId
+					});
+					await recordEnterpriseAuditEvent(ctx, {
+						enterpriseId: enterprise._id,
+						groupId: enterprise.groupId,
+						eventType: "enterprise.webhook.endpoint.created",
+						actorType: data.createdByUserId ? "user" : "system",
+						actorId: data.createdByUserId,
+						subjectType: "enterprise_webhook_endpoint",
+						subjectId: endpointId,
+						ok: true
+					});
+					return {
+						ok: true,
+						endpointId
+					};
+				},
+				list: async (ctx, enterpriseId) => {
+					return await ctx.runQuery(config.component.public.enterpriseWebhookEndpointList, { enterpriseId });
+				},
+				disable: async (ctx, endpointId) => {
+					await ctx.runMutation(config.component.public.enterpriseWebhookEndpointUpdate, {
+						endpointId,
+						data: { status: "disabled" }
+					});
+					return {
+						ok: true,
+						endpointId
+					};
+				}
+			},
+			emit: async (ctx, data) => {
+				await emitEnterpriseWebhookDeliveries(ctx, data);
+			},
+			delivery: {
+				list: async (ctx, data) => {
+					return await ctx.runQuery(config.component.public.enterpriseWebhookDeliveryList, data);
+				},
+				listReady: async (ctx, limit) => {
+					return await ctx.runQuery(config.component.public.enterpriseWebhookDeliveryListReady, {
+						now: Date.now(),
+						limit
+					});
+				},
+				markDelivered: async (ctx, deliveryId, responseStatus) => {
+					await ctx.runMutation(config.component.public.enterpriseWebhookDeliveryPatch, {
+						deliveryId,
+						data: {
+							status: "delivered",
+							attemptCount: 1,
+							lastAttemptAt: Date.now(),
+							lastResponseStatus: responseStatus
+						}
+					});
+				},
+				markFailed: async (ctx, deliveryId, data) => {
+					await ctx.runMutation(config.component.public.enterpriseWebhookDeliveryPatch, {
+						deliveryId,
+						data: {
+							status: data.retryAt ? "pending" : "failed",
+							attemptCount: data.attemptCount,
+							lastAttemptAt: Date.now(),
+							lastResponseStatus: data.responseStatus,
+							lastError: data.error,
+							nextAttemptAt: data.retryAt ?? Date.now()
+						}
+					});
+				}
+			}
+		}
+	};
+}
+//#endregion
+export { createSsoDomain };
+//# sourceMappingURL=sso.js.map