npm - @robelest/convex-auth - Versions diffs - 0.0.4-preview.13 → 0.0.4-preview.16 - Mend

@robelest/convex-auth 0.0.4-preview.13 → 0.0.4-preview.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (328) hide show

package/README.md +140 -9
package/dist/bin.cjs +5957 -5478
package/dist/client/index.d.ts +3 -7
package/dist/client/index.d.ts.map +1 -1
package/dist/client/index.js +27 -26
package/dist/client/index.js.map +1 -1
package/dist/component/_generated/api.d.ts +14 -0
package/dist/component/_generated/api.d.ts.map +1 -1
package/dist/component/_generated/api.js.map +1 -1
package/dist/component/_generated/component.d.ts +1672 -24
package/dist/component/_generated/component.d.ts.map +1 -1
package/dist/component/convex.config.d.ts +2 -2
package/dist/component/convex.config.d.ts.map +1 -1
package/dist/component/index.d.ts +1 -1
package/dist/component/index.js +2 -2
package/dist/component/model.d.ts +153 -0
package/dist/component/model.d.ts.map +1 -0
package/dist/component/model.js +343 -0
package/dist/component/model.js.map +1 -0
package/dist/component/providers/sso.d.ts +1 -1
package/dist/component/public/enterprise.d.ts +54 -0
package/dist/component/public/enterprise.d.ts.map +1 -0
package/dist/component/public/enterprise.js +515 -0
package/dist/component/public/enterprise.js.map +1 -0
package/dist/component/public/factors.d.ts +52 -0
package/dist/component/public/factors.d.ts.map +1 -0
package/dist/component/public/factors.js +285 -0
package/dist/component/public/factors.js.map +1 -0
package/dist/component/public/groups.d.ts +116 -0
package/dist/component/public/groups.d.ts.map +1 -0
package/dist/component/public/groups.js +596 -0
package/dist/component/public/groups.js.map +1 -0
package/dist/component/public/identity.d.ts +93 -0
package/dist/component/public/identity.d.ts.map +1 -0
package/dist/component/public/identity.js +426 -0
package/dist/component/public/identity.js.map +1 -0
package/dist/component/public/keys.d.ts +41 -0
package/dist/component/public/keys.d.ts.map +1 -0
package/dist/component/public/keys.js +157 -0
package/dist/component/public/keys.js.map +1 -0
package/dist/component/public/shared.d.ts +26 -0
package/dist/component/public/shared.d.ts.map +1 -0
package/dist/component/public/shared.js +32 -0
package/dist/component/public/shared.js.map +1 -0
package/dist/component/public.d.ts +9 -321
package/dist/component/public.d.ts.map +1 -1
package/dist/component/public.js +6 -2145
package/dist/component/schema.d.ts +406 -260
package/dist/component/schema.js +37 -32
package/dist/component/schema.js.map +1 -1
package/dist/component/server/auth.d.ts +161 -15
package/dist/component/server/auth.d.ts.map +1 -1
package/dist/component/server/auth.js +100 -7
package/dist/component/server/auth.js.map +1 -1
package/dist/component/server/cookies.js +3 -0
package/dist/component/server/cookies.js.map +1 -1
package/dist/component/server/db.js +1 -0
package/dist/component/server/db.js.map +1 -1
package/dist/component/server/device.js +3 -1
package/dist/component/server/device.js.map +1 -1
package/dist/component/server/domains/core.js +629 -0
package/dist/component/server/domains/core.js.map +1 -0
package/dist/component/server/domains/sso.js +884 -0
package/dist/component/server/domains/sso.js.map +1 -0
package/dist/component/server/factory.d.ts +136 -0
package/dist/component/server/factory.d.ts.map +1 -0
package/dist/component/server/factory.js +1134 -0
package/dist/component/server/factory.js.map +1 -0
package/dist/component/server/fx.js +2 -1
package/dist/component/server/fx.js.map +1 -1
package/dist/component/server/http.js +287 -0
package/dist/component/server/http.js.map +1 -0
package/dist/component/server/identity.js +13 -0
package/dist/component/server/identity.js.map +1 -0
package/dist/component/server/keys.js +4 -0
package/dist/component/server/keys.js.map +1 -1
package/dist/component/server/mutations/account.js +1 -1
package/dist/component/server/mutations/index.js +2 -2
package/dist/component/server/mutations/index.js.map +1 -1
package/dist/component/server/mutations/invalidate.js +1 -1
package/dist/component/server/mutations/oauth.js +10 -7
package/dist/component/server/mutations/oauth.js.map +1 -1
package/dist/component/server/mutations/refresh.js +1 -1
package/dist/component/server/mutations/register.js +1 -1
package/dist/component/server/mutations/retrieve.js +1 -1
package/dist/component/server/mutations/signature.js +1 -1
package/dist/component/server/mutations/store.js +6 -3
package/dist/component/server/mutations/store.js.map +1 -1
package/dist/component/server/mutations/verify.js +1 -1
package/dist/component/server/oauth.js +3 -0
package/dist/component/server/oauth.js.map +1 -1
package/dist/component/server/passkey.js +3 -2
package/dist/component/server/passkey.js.map +1 -1
package/dist/component/server/provider.js +2 -0
package/dist/component/server/provider.js.map +1 -1
package/dist/component/server/providers.js +10 -0
package/dist/component/server/providers.js.map +1 -1
package/dist/component/server/ratelimit.js +3 -0
package/dist/component/server/ratelimit.js.map +1 -1
package/dist/component/server/redirects.js +2 -0
package/dist/component/server/redirects.js.map +1 -1
package/dist/component/server/refresh.js +5 -0
package/dist/component/server/refresh.js.map +1 -1
package/dist/component/server/sessions.js +5 -0
package/dist/component/server/sessions.js.map +1 -1
package/dist/component/server/signin.js +2 -1
package/dist/component/server/signin.js.map +1 -1
package/dist/component/server/sso.js +166 -19
package/dist/component/server/sso.js.map +1 -1
package/dist/component/server/tokens.js +1 -0
package/dist/component/server/tokens.js.map +1 -1
package/dist/component/server/totp.js +4 -2
package/dist/component/server/totp.js.map +1 -1
package/dist/component/server/types.d.ts +106 -38
package/dist/component/server/types.d.ts.map +1 -1
package/dist/component/server/types.js.map +1 -1
package/dist/component/server/users.js +1 -0
package/dist/component/server/users.js.map +1 -1
package/dist/component/server/utils.js +44 -2
package/dist/component/server/utils.js.map +1 -1
package/dist/providers/anonymous.d.ts +1 -1
package/dist/providers/credentials.d.ts +1 -1
package/dist/providers/password.d.ts +1 -1
package/dist/providers/sso.d.ts +1 -1
package/dist/providers/sso.js.map +1 -1
package/dist/server/auth.d.ts +163 -17
package/dist/server/auth.d.ts.map +1 -1
package/dist/server/auth.js +100 -7
package/dist/server/auth.js.map +1 -1
package/dist/server/cookies.d.ts +1 -38
package/dist/server/cookies.js +3 -0
package/dist/server/cookies.js.map +1 -1
package/dist/server/db.d.ts +1 -125
package/dist/server/db.js +1 -0
package/dist/server/db.js.map +1 -1
package/dist/server/device.d.ts +1 -24
package/dist/server/device.js +3 -1
package/dist/server/device.js.map +1 -1
package/dist/server/domains/core.d.ts +434 -0
package/dist/server/domains/core.d.ts.map +1 -0
package/dist/server/domains/core.js +629 -0
package/dist/server/domains/core.js.map +1 -0
package/dist/server/domains/sso.d.ts +409 -0
package/dist/server/domains/sso.d.ts.map +1 -0
package/dist/server/domains/sso.js +884 -0
package/dist/server/domains/sso.js.map +1 -0
package/dist/server/enterpriseValidators.d.ts +1 -0
package/dist/server/enterpriseValidators.js +60 -0
package/dist/server/enterpriseValidators.js.map +1 -0
package/dist/server/factory.d.ts +136 -0
package/dist/server/factory.d.ts.map +1 -0
package/dist/server/factory.js +1134 -0
package/dist/server/factory.js.map +1 -0
package/dist/server/fx.d.ts +1 -16
package/dist/server/fx.d.ts.map +1 -1
package/dist/server/fx.js +1 -0
package/dist/server/fx.js.map +1 -1
package/dist/server/http.d.ts +59 -0
package/dist/server/http.d.ts.map +1 -0
package/dist/server/http.js +287 -0
package/dist/server/http.js.map +1 -0
package/dist/server/identity.d.ts +1 -0
package/dist/server/identity.js +13 -0
package/dist/server/identity.js.map +1 -0
package/dist/server/index.d.ts +468 -1
package/dist/server/index.d.ts.map +1 -1
package/dist/server/index.js +530 -36
package/dist/server/index.js.map +1 -1
package/dist/server/keys.d.ts +1 -57
package/dist/server/keys.js +4 -0
package/dist/server/keys.js.map +1 -1
package/dist/server/mutations/account.d.ts +7 -7
package/dist/server/mutations/account.d.ts.map +1 -1
package/dist/server/mutations/code.d.ts +13 -13
package/dist/server/mutations/code.d.ts.map +1 -1
package/dist/server/mutations/index.d.ts +107 -107
package/dist/server/mutations/index.d.ts.map +1 -1
package/dist/server/mutations/index.js +1 -1
package/dist/server/mutations/index.js.map +1 -1
package/dist/server/mutations/invalidate.d.ts +5 -5
package/dist/server/mutations/invalidate.d.ts.map +1 -1
package/dist/server/mutations/oauth.d.ts +10 -10
package/dist/server/mutations/oauth.d.ts.map +1 -1
package/dist/server/mutations/oauth.js +9 -6
package/dist/server/mutations/oauth.js.map +1 -1
package/dist/server/mutations/refresh.d.ts +4 -4
package/dist/server/mutations/register.d.ts +12 -12
package/dist/server/mutations/register.d.ts.map +1 -1
package/dist/server/mutations/retrieve.d.ts +7 -7
package/dist/server/mutations/signature.d.ts +5 -5
package/dist/server/mutations/signin.d.ts +6 -6
package/dist/server/mutations/signin.d.ts.map +1 -1
package/dist/server/mutations/signout.d.ts +1 -1
package/dist/server/mutations/store.d.ts +3 -2
package/dist/server/mutations/store.d.ts.map +1 -1
package/dist/server/mutations/store.js +6 -3
package/dist/server/mutations/store.js.map +1 -1
package/dist/server/mutations/verifier.d.ts +1 -1
package/dist/server/mutations/verify.d.ts +11 -11
package/dist/server/mutations/verify.d.ts.map +1 -1
package/dist/server/oauth.d.ts +1 -59
package/dist/server/oauth.js +3 -0
package/dist/server/oauth.js.map +1 -1
package/dist/server/passkey.d.ts.map +1 -1
package/dist/server/passkey.js +3 -2
package/dist/server/passkey.js.map +1 -1
package/dist/server/provider.d.ts +1 -14
package/dist/server/provider.d.ts.map +1 -1
package/dist/server/provider.js +2 -0
package/dist/server/provider.js.map +1 -1
package/dist/server/providers.js +10 -0
package/dist/server/providers.js.map +1 -1
package/dist/server/ratelimit.d.ts +1 -22
package/dist/server/ratelimit.js +3 -0
package/dist/server/ratelimit.js.map +1 -1
package/dist/server/redirects.d.ts +1 -10
package/dist/server/redirects.js +2 -0
package/dist/server/redirects.js.map +1 -1
package/dist/server/refresh.d.ts +1 -37
package/dist/server/refresh.js +5 -0
package/dist/server/refresh.js.map +1 -1
package/dist/server/sessions.d.ts +1 -28
package/dist/server/sessions.js +5 -0
package/dist/server/sessions.js.map +1 -1
package/dist/server/signin.d.ts +1 -55
package/dist/server/signin.js +2 -1
package/dist/server/signin.js.map +1 -1
package/dist/server/sso.d.ts +1 -348
package/dist/server/sso.js +165 -18
package/dist/server/sso.js.map +1 -1
package/dist/server/templates.d.ts +1 -21
package/dist/server/templates.js +1 -0
package/dist/server/templates.js.map +1 -1
package/dist/server/tokens.d.ts +1 -11
package/dist/server/tokens.js +1 -0
package/dist/server/tokens.js.map +1 -1
package/dist/server/totp.d.ts +1 -23
package/dist/server/totp.js +4 -2
package/dist/server/totp.js.map +1 -1
package/dist/server/types.d.ts +114 -77
package/dist/server/types.d.ts.map +1 -1
package/dist/server/types.js.map +1 -1
package/dist/server/users.d.ts +1 -31
package/dist/server/users.js +1 -0
package/dist/server/users.js.map +1 -1
package/dist/server/utils.d.ts +1 -27
package/dist/server/utils.js +44 -2
package/dist/server/utils.js.map +1 -1
package/dist/server/version.d.ts +1 -1
package/dist/server/version.js +1 -1
package/dist/server/version.js.map +1 -1
package/package.json +4 -5
package/src/cli/bin.ts +5 -0
package/src/cli/index.ts +22 -9
package/src/cli/keys.ts +3 -0
package/src/client/index.ts +36 -37
package/src/component/_generated/api.ts +14 -0
package/src/component/_generated/component.ts +2106 -9
package/src/component/index.ts +3 -1
package/src/component/model.ts +441 -0
package/src/component/public/enterprise.ts +753 -0
package/src/component/public/factors.ts +332 -0
package/src/component/public/groups.ts +932 -0
package/src/component/public/identity.ts +566 -0
package/src/component/public/keys.ts +209 -0
package/src/component/public/shared.ts +119 -0
package/src/component/public.ts +5 -2965
package/src/component/schema.ts +68 -63
package/src/providers/sso.ts +1 -1
package/src/server/auth.ts +413 -18
package/src/server/cookies.ts +3 -0
package/src/server/db.ts +3 -0
package/src/server/device.ts +3 -1
package/src/server/domains/core.ts +1071 -0
package/src/server/domains/sso.ts +1749 -0
package/src/server/enterpriseValidators.ts +93 -0
package/src/server/factory.ts +2181 -0
package/src/server/fx.ts +1 -0
package/src/server/http.ts +529 -0
package/src/server/identity.ts +18 -0
package/src/server/index.ts +806 -40
package/src/server/keys.ts +4 -0
package/src/server/mutations/index.ts +1 -1
package/src/server/mutations/oauth.ts +36 -8
package/src/server/mutations/store.ts +6 -3
package/src/server/oauth.ts +6 -0
package/src/server/passkey.ts +3 -2
package/src/server/provider.ts +2 -0
package/src/server/providers.ts +20 -0
package/src/server/ratelimit.ts +3 -0
package/src/server/redirects.ts +2 -0
package/src/server/refresh.ts +5 -0
package/src/server/sessions.ts +5 -0
package/src/server/signin.ts +1 -0
package/src/server/sso.ts +259 -17
package/src/server/templates.ts +1 -0
package/src/server/tokens.ts +1 -0
package/src/server/totp.ts +4 -2
package/src/server/types.ts +178 -83
package/src/server/users.ts +1 -0
package/src/server/utils.ts +71 -1
package/src/server/version.ts +1 -1
package/dist/component/public.js.map +0 -1
package/dist/component/server/implementation.d.ts +0 -1264
package/dist/component/server/implementation.d.ts.map +0 -1
package/dist/component/server/implementation.js +0 -2365
package/dist/component/server/implementation.js.map +0 -1
package/dist/server/cookies.d.ts.map +0 -1
package/dist/server/db.d.ts.map +0 -1
package/dist/server/device.d.ts.map +0 -1
package/dist/server/implementation.d.ts +0 -1264
package/dist/server/implementation.d.ts.map +0 -1
package/dist/server/implementation.js +0 -2365
package/dist/server/implementation.js.map +0 -1
package/dist/server/keys.d.ts.map +0 -1
package/dist/server/oauth.d.ts.map +0 -1
package/dist/server/ratelimit.d.ts.map +0 -1
package/dist/server/redirects.d.ts.map +0 -1
package/dist/server/refresh.d.ts.map +0 -1
package/dist/server/sessions.d.ts.map +0 -1
package/dist/server/signin.d.ts.map +0 -1
package/dist/server/sso.d.ts.map +0 -1
package/dist/server/templates.d.ts.map +0 -1
package/dist/server/tokens.d.ts.map +0 -1
package/dist/server/totp.d.ts.map +0 -1
package/dist/server/users.d.ts.map +0 -1
package/dist/server/utils.d.ts.map +0 -1
package/src/server/implementation.ts +0 -5336

package/src/server/domains/sso.ts ADDED Viewed

@@ -0,0 +1,1749 @@
+import { GenericActionCtx, GenericDataModel } from "convex/server";
+import { AuthError, Fx } from "../fx";
+import type { EnterprisePolicyPatch } from "../types";
+type ComponentCtx = Pick<
+  GenericActionCtx<GenericDataModel>,
+  "runQuery" | "runMutation"
+>;
+type ComponentReadCtx = Pick<GenericActionCtx<GenericDataModel>, "runQuery">;
+/**
+ * Build the enterprise and SSO management domain.
+ */
+export function createSsoDomain(deps: any) {
+  const {
+    config,
+    normalizeEnterprisePolicy,
+    normalizeDomain,
+    getEnterpriseSecret,
+    loadEnterpriseOrThrow,
+    validateEnterprisePolicy,
+    recordEnterpriseAuditEvent,
+    emitEnterpriseWebhookDeliveries,
+    enterpriseNotFoundError,
+    ENTERPRISE_OIDC_CLIENT_SECRET_KIND,
+    requireEnv,
+    generateRandomString,
+    INVITE_TOKEN_ALPHABET,
+    sha256,
+    encryptSecret,
+    upsertProtocolConfig,
+    parseSamlIdpMetadata,
+    createServiceProviderMetadata,
+    getSamlServiceProviderOptions,
+    getPublicOidcConfig,
+    withOidcSecretState,
+    getOidcConfig,
+    getEnterpriseOidcUrls,
+    enterpriseOidcProviderId,
+    getPolicyFromEnterprise,
+    patchEnterprisePolicy,
+  } = deps;
+  const ENTERPRISE_DOMAIN_VERIFICATION_PREFIX = "_convex-auth-verification";
+  const ENTERPRISE_DOMAIN_VERIFICATION_TTL_MS = 1000 * 60 * 60 * 24 * 7;
+  const toDomainSummary = (domain: {
+    _id: string;
+    domain: string;
+    isPrimary: boolean;
+    verifiedAt?: number;
+  }) => ({
+    domainId: domain._id,
+    domain: domain.domain,
+    isPrimary: domain.isPrimary,
+    verified: domain.verifiedAt !== undefined,
+    verifiedAt: domain.verifiedAt ?? null,
+  });
+  const getDomainVerificationRecordName = (domain: string) =>
+    `${ENTERPRISE_DOMAIN_VERIFICATION_PREFIX}.${normalizeDomain(domain)}`;
+  const parseTxtAnswer = (value: string) => {
+    const quoted = [...value.matchAll(/"([^"]*)"/g)].map((match) => match[1]);
+    if (quoted.length > 0) {
+      return quoted.join("");
+    }
+    return value.replace(/^"|"$/g, "").trim();
+  };
+  const resolveTxtValues = async (recordName: string) => {
+    const url = new URL("https://dns.google/resolve");
+    url.searchParams.set("name", recordName);
+    url.searchParams.set("type", "TXT");
+    const response = await fetch(url, {
+      headers: { accept: "application/json" },
+    });
+    if (!response.ok) {
+      throw new Error(`DNS TXT lookup failed with status ${response.status}.`);
+    }
+    const data = (await response.json()) as {
+      Answer?: Array<{ data?: string }>;
+    };
+    return (data.Answer ?? [])
+      .map((answer) =>
+        typeof answer.data === "string" ? parseTxtAnswer(answer.data) : null,
+      )
+      .filter((value): value is string => value !== null && value.length > 0);
+  };
+  return {
+    connection: {
+      create: async (
+        ctx: ComponentCtx,
+        data: {
+          groupId: string;
+          slug?: string;
+          name?: string;
+          status?: "draft" | "active" | "disabled";
+          policy?: EnterprisePolicyPatch;
+          config?: Record<string, unknown>;
+          extend?: Record<string, unknown>;
+        },
+      ): Promise<{ ok: true; enterpriseId: string; groupId: string }> => {
+        const enterpriseId = (await ctx.runMutation(
+          config.component.public.enterpriseCreate,
+          {
+            ...data,
+            policy: normalizeEnterprisePolicy(data.policy),
+          },
+        )) as string;
+        return {
+          ok: true,
+          enterpriseId,
+          groupId: data.groupId,
+        };
+      },
+      get: async (ctx: ComponentReadCtx, enterpriseId: string) => {
+        return await ctx.runQuery(config.component.public.enterpriseGet, {
+          enterpriseId,
+        });
+      },
+      getByGroup: async (ctx: ComponentReadCtx, groupId: string) => {
+        return await ctx.runQuery(
+          config.component.public.enterpriseGetByGroup,
+          {
+            groupId,
+          },
+        );
+      },
+      getByDomain: async (ctx: ComponentReadCtx, domain: string) => {
+        return await ctx.runQuery(
+          config.component.public.enterpriseGetByDomain,
+          {
+            domain: normalizeDomain(domain),
+          },
+        );
+      },
+      list: async (
+        ctx: ComponentReadCtx,
+        opts?: {
+          where?: {
+            groupId?: string;
+            slug?: string;
+            status?: "draft" | "active" | "disabled";
+          };
+          limit?: number;
+          cursor?: string | null;
+          orderBy?: "_creationTime" | "name" | "slug" | "status";
+          order?: "asc" | "desc";
+        },
+      ) => {
+        return await ctx.runQuery(config.component.public.enterpriseList, {
+          where: opts?.where,
+          limit: opts?.limit,
+          cursor: opts?.cursor,
+          orderBy: opts?.orderBy,
+          order: opts?.order,
+        });
+      },
+      update: async (
+        ctx: ComponentCtx,
+        enterpriseId: string,
+        data: Record<string, unknown>,
+      ) => {
+        await ctx.runMutation(config.component.public.enterpriseUpdate, {
+          enterpriseId,
+          data,
+        });
+        return { ok: true as const, enterpriseId };
+      },
+      delete: async (ctx: ComponentCtx, enterpriseId: string) => {
+        await ctx.runMutation(config.component.public.enterpriseDelete, {
+          enterpriseId,
+        });
+        return { ok: true as const, enterpriseId };
+      },
+      /**
+       * Aggregate readiness status across all configured protocols for an
+       * enterprise connection.
+       *
+       * Returns a structured result indicating whether the connection is
+       * ready, with per-protocol checks so callers can surface actionable
+       * diagnostics without running full network validation.
+       */
+      status: async (ctx: ComponentReadCtx, enterpriseId: string) => {
+        const enterprise = await ctx.runQuery(
+          config.component.public.enterpriseGet,
+          { enterpriseId },
+        );
+        if (!enterprise) {
+          throw new AuthError(
+            "INVALID_PARAMETERS",
+            enterpriseNotFoundError,
+          ).toConvexError();
+        }
+        const policy = getPolicyFromEnterprise(enterprise);
+        const protocols = enterprise.config?.protocols ?? {};
+        const oidcConfig = protocols.oidc;
+        const oidcSecret = await getEnterpriseSecret(
+          ctx,
+          enterprise._id,
+          ENTERPRISE_OIDC_CLIENT_SECRET_KIND,
+        );
+        const samlConfig = protocols.saml;
+        const scimConfig = await ctx.runQuery(
+          config.component.public.enterpriseScimConfigGetByEnterprise,
+          { enterpriseId },
+        );
+        const domains = await ctx.runQuery(
+          config.component.public.enterpriseDomainList,
+          { enterpriseId },
+        );
+        const oidcReady =
+          oidcConfig?.enabled === true &&
+          typeof oidcConfig?.clientId === "string" &&
+          oidcConfig.clientId.length > 0 &&
+          oidcSecret !== null &&
+          (typeof oidcConfig?.issuer === "string" ||
+            typeof oidcConfig?.discoveryUrl === "string");
+        const samlReady =
+          samlConfig?.enabled === true &&
+          typeof samlConfig?.idp?.entityId === "string";
+        const scimReady =
+          scimConfig !== null &&
+          scimConfig !== undefined &&
+          (scimConfig as any).status === "active";
+        const ready =
+          enterprise.status === "active" && (oidcReady || samlReady);
+        return {
+          enterpriseId: enterprise._id,
+          status: enterprise.status,
+          ready,
+          domainCount: (domains as unknown[]).length,
+          protocols: {
+            oidc: {
+              configured: oidcReady,
+              ready: oidcReady,
+              clientId: oidcConfig?.clientId ?? null,
+              issuer: oidcConfig?.issuer ?? oidcConfig?.discoveryUrl ?? null,
+            },
+            saml: {
+              configured: samlReady,
+              ready: samlReady,
+              entityId: samlConfig?.idp?.entityId ?? null,
+            },
+            scim: {
+              configured: scimReady,
+              ready: scimReady,
+              basePath: scimConfig?.basePath ?? null,
+              deprovisionMode: policy.provisioning.deprovision.mode,
+            },
+          },
+        };
+      },
+    },
+    domain: {
+      add: async (
+        ctx: ComponentCtx,
+        data: {
+          enterpriseId: string;
+          groupId: string;
+          domain: string;
+          isPrimary?: boolean;
+        },
+      ): Promise<string> => {
+        return (await ctx.runMutation(
+          config.component.public.enterpriseDomainAdd,
+          {
+            ...data,
+            domain: normalizeDomain(data.domain),
+          },
+        )) as string;
+      },
+      list: async (ctx: ComponentReadCtx, enterpriseId: string) => {
+        return await ctx.runQuery(
+          config.component.public.enterpriseDomainList,
+          {
+            enterpriseId,
+          },
+        );
+      },
+      validate: async (ctx: ComponentReadCtx, enterpriseId: string) => {
+        const enterprise = await ctx.runQuery(
+          config.component.public.enterpriseGet,
+          { enterpriseId },
+        );
+        if (enterprise === null) {
+          throw new AuthError(
+            "INVALID_PARAMETERS",
+            enterpriseNotFoundError,
+          ).toConvexError();
+        }
+        const domains = await ctx.runQuery(
+          config.component.public.enterpriseDomainList,
+          { enterpriseId },
+        );
+        const primaryDomains = domains.filter(
+          (domain: (typeof domains)[number]) => domain.isPrimary,
+        );
+        const verifiedDomains = domains.filter(
+          (domain: (typeof domains)[number]) => domain.verifiedAt !== undefined,
+        );
+        const warnings: string[] = [];
+        if (domains.length === 0) {
+          warnings.push("No domains configured.");
+        }
+        if (primaryDomains.length === 0 && domains.length > 0) {
+          warnings.push("No primary domain configured.");
+        }
+        if (primaryDomains.length > 1) {
+          warnings.push("Multiple primary domains configured.");
+        }
+        if (verifiedDomains.length === 0 && domains.length > 0) {
+          warnings.push("No verified domains yet.");
+        }
+        return {
+          enterpriseId,
+          ready:
+            enterprise.status === "active" &&
+            domains.length > 0 &&
+            primaryDomains.length === 1 &&
+            verifiedDomains.length > 0,
+          summary: {
+            domainCount: domains.length,
+            primaryCount: primaryDomains.length,
+            verifiedCount: verifiedDomains.length,
+          },
+          domains: domains.map((domain: (typeof domains)[number]) =>
+            toDomainSummary(domain),
+          ),
+          warnings,
+        };
+      },
+      remove: async (ctx: ComponentCtx, domainId: string) => {
+        await ctx.runMutation(config.component.public.enterpriseDomainDelete, {
+          domainId,
+        });
+      },
+      verification: {
+        request: async (
+          ctx: ComponentCtx,
+          args: { enterpriseId: string; domain: string },
+        ) => {
+          const enterprise = await loadEnterpriseOrThrow(
+            ctx,
+            args.enterpriseId,
+          );
+          const normalizedDomain = normalizeDomain(args.domain);
+          const domains = await ctx.runQuery(
+            config.component.public.enterpriseDomainList,
+            { enterpriseId: enterprise._id },
+          );
+          const domain = domains.find(
+            (entry: (typeof domains)[number]) =>
+              entry.domain === normalizedDomain,
+          );
+          if (!domain) {
+            throw new AuthError(
+              "INVALID_PARAMETERS",
+              "Domain is not attached to this enterprise.",
+            ).toConvexError();
+          }
+          const requestedAt = Date.now();
+          const expiresAt = requestedAt + ENTERPRISE_DOMAIN_VERIFICATION_TTL_MS;
+          const token = generateRandomString(32, INVITE_TOKEN_ALPHABET);
+          const tokenHash = await sha256(token);
+          const recordName = getDomainVerificationRecordName(normalizedDomain);
+          await ctx.runMutation(
+            config.component.public.enterpriseDomainVerificationUpsert,
+            {
+              enterpriseId: enterprise._id,
+              groupId: enterprise.groupId,
+              domainId: domain._id,
+              domain: normalizedDomain,
+              recordName,
+              token,
+              tokenHash,
+              requestedAt,
+              expiresAt,
+            },
+          );
+          await recordEnterpriseAuditEvent(ctx, {
+            enterpriseId: enterprise._id,
+            groupId: enterprise.groupId,
+            eventType: "enterprise.domain.verification_requested",
+            actorType: "system",
+            subjectType: "enterprise_domain",
+            subjectId: domain._id,
+            ok: true,
+            metadata: { domain: normalizedDomain, recordName, expiresAt },
+          });
+          return {
+            ok: true as const,
+            enterpriseId: enterprise._id,
+            domain: normalizedDomain,
+            requestedAt,
+            expiresAt,
+            challenge: {
+              recordType: "TXT" as const,
+              recordName,
+              recordValue: token,
+            },
+          };
+        },
+        confirm: async (
+          ctx: ComponentCtx,
+          args: { enterpriseId: string; domain: string },
+        ) => {
+          const enterprise = await loadEnterpriseOrThrow(
+            ctx,
+            args.enterpriseId,
+          );
+          const normalizedDomain = normalizeDomain(args.domain);
+          const domains = await ctx.runQuery(
+            config.component.public.enterpriseDomainList,
+            { enterpriseId: enterprise._id },
+          );
+          const domain = domains.find(
+            (entry: (typeof domains)[number]) =>
+              entry.domain === normalizedDomain,
+          );
+          if (!domain) {
+            throw new AuthError(
+              "INVALID_PARAMETERS",
+              "Domain is not attached to this enterprise.",
+            ).toConvexError();
+          }
+          if (domain.verifiedAt !== undefined) {
+            return {
+              ok: true,
+              enterpriseId: enterprise._id,
+              domain: normalizedDomain,
+              verifiedAt: domain.verifiedAt,
+              checks: [
+                {
+                  name: "domain_verified",
+                  ok: true,
+                  message: "Domain is already verified.",
+                },
+              ],
+            };
+          }
+          const verification = await ctx.runQuery(
+            config.component.public.enterpriseDomainVerificationGet,
+            { domainId: domain._id },
+          );
+          const checks: Array<{ name: string; ok: boolean; message?: string }> =
+            [];
+          if (!verification) {
+            checks.push({
+              name: "verification_requested",
+              ok: false,
+              message: "No active domain verification challenge exists.",
+            });
+            return {
+              ok: false,
+              enterpriseId: enterprise._id,
+              domain: normalizedDomain,
+              checks,
+            };
+          }
+          checks.push({ name: "verification_requested", ok: true });
+          if (verification.expiresAt < Date.now()) {
+            await ctx.runMutation(
+              config.component.public.enterpriseDomainVerificationDelete,
+              { domainId: domain._id },
+            );
+            checks.push({
+              name: "challenge_active",
+              ok: false,
+              message: "The verification challenge expired. Request a new one.",
+            });
+            return {
+              ok: false,
+              enterpriseId: enterprise._id,
+              domain: normalizedDomain,
+              checks,
+            };
+          }
+          checks.push({ name: "challenge_active", ok: true });
+          let txtValues: string[];
+          try {
+            txtValues = await resolveTxtValues(verification.recordName);
+          } catch (error) {
+            throw new AuthError(
+              "INTERNAL_ERROR",
+              error instanceof Error
+                ? error.message
+                : "Failed to resolve DNS TXT records.",
+            ).toConvexError();
+          }
+          checks.push({
+            name: "dns_record_present",
+            ok: txtValues.length > 0,
+            message:
+              txtValues.length > 0
+                ? undefined
+                : `No TXT records found at ${verification.recordName}.`,
+          });
+          const matches = txtValues.includes(verification.token);
+          checks.push({
+            name: "dns_record_matches",
+            ok: matches,
+            message: matches
+              ? undefined
+              : `TXT record at ${verification.recordName} does not match the expected value.`,
+          });
+          if (!checks.every((check) => check.ok)) {
+            return {
+              ok: false,
+              enterpriseId: enterprise._id,
+              domain: normalizedDomain,
+              checks,
+            };
+          }
+          const verifiedAt = Date.now();
+          await ctx.runMutation(
+            config.component.public.enterpriseDomainVerify,
+            {
+              domainId: domain._id,
+              verifiedAt,
+            },
+          );
+          await recordEnterpriseAuditEvent(ctx, {
+            enterpriseId: enterprise._id,
+            groupId: enterprise.groupId,
+            eventType: "enterprise.domain.verified",
+            actorType: "system",
+            subjectType: "enterprise_domain",
+            subjectId: domain._id,
+            ok: true,
+            metadata: { domain: normalizedDomain, verifiedAt },
+          });
+          return {
+            ok: true,
+            enterpriseId: enterprise._id,
+            domain: normalizedDomain,
+            verifiedAt,
+            checks,
+          };
+        },
+      },
+    },
+    saml: {
+      configure: async <DataModel extends GenericDataModel>(
+        ctx: GenericActionCtx<DataModel>,
+        data: {
+          enterpriseId: string;
+          metadataXml?: string;
+          metadataUrl?: string;
+          domains?: string[];
+          signAuthnRequests?: boolean;
+          attributeMapping?: {
+            subject?: string;
+            email?: string;
+            name?: string;
+            firstName?: string;
+            lastName?: string;
+          };
+          sp?: {
+            entityId?: string;
+            acsUrl?: string;
+            sloUrl?: string;
+            signingCert?: string | string[];
+            encryptCert?: string | string[];
+            privateKey?: string;
+            privateKeyPass?: string;
+            encPrivateKey?: string;
+            encPrivateKeyPass?: string;
+          };
+        },
+      ) => {
+        return await Fx.run(
+          Fx.gen(function* () {
+            const enterprise = yield* Fx.from({
+              ok: () =>
+                ctx.runQuery(config.component.public.enterpriseGet, {
+                  enterpriseId: data.enterpriseId,
+                }),
+              err: () =>
+                new AuthError("INTERNAL_ERROR", "Failed to load enterprise."),
+            }).pipe(
+              Fx.chain((ent) =>
+                ent === null
+                  ? Fx.fail(
+                      new AuthError(
+                        "INVALID_PARAMETERS",
+                        enterpriseNotFoundError,
+                      ),
+                    )
+                  : Fx.succeed(ent),
+              ),
+            );
+            const metadataXml = yield* data.metadataXml
+              ? Fx.succeed(data.metadataXml)
+              : data.metadataUrl
+                ? Fx.defer(() =>
+                    Fx.from({
+                      ok: async () => {
+                        const response = await fetch(data.metadataUrl!);
+                        if (!response.ok) {
+                          throw new Error(
+                            `Failed to fetch SAML metadata: ${response.status}`,
+                          );
+                        }
+                        return await response.text();
+                      },
+                      err: (error) =>
+                        new AuthError(
+                          "INVALID_PARAMETERS",
+                          error instanceof Error
+                            ? error.message
+                            : "Failed to fetch SAML metadata",
+                        ),
+                    }),
+                  ).pipe(
+                    Fx.timeout(10_000),
+                    Fx.retry(
+                      Fx.retry.compose(
+                        Fx.retry.jittered(Fx.retry.exponential(200)),
+                        Fx.retry.recurs(2),
+                      ),
+                    ),
+                    Fx.recover((error) =>
+                      Fx.fail(
+                        new AuthError(
+                          "INVALID_PARAMETERS",
+                          error instanceof Error
+                            ? error.message
+                            : "Failed to fetch SAML metadata",
+                        ),
+                      ),
+                    ),
+                  )
+                : Fx.fail(
+                    new AuthError(
+                      "INVALID_PARAMETERS",
+                      "SAML registration requires metadataXml or metadataUrl.",
+                    ),
+                  );
+            const parsed = yield* Fx.from({
+              ok: () => parseSamlIdpMetadata(metadataXml),
+              err: () =>
+                new AuthError(
+                  "INVALID_PARAMETERS",
+                  "Failed to parse SAML metadata.",
+                ),
+            });
+            const baseConfig = upsertProtocolConfig(enterprise.config, "saml", {
+              enabled: true,
+              idp: {
+                metadataXml,
+                ...parsed,
+              },
+              sp: data.sp,
+              signAuthnRequests:
+                data.signAuthnRequests ?? parsed.wantsSignedAuthnRequests,
+              attributeMapping: data.attributeMapping,
+            });
+            const normalizedDomains = data.domains?.map(normalizeDomain);
+            const nextConfig = normalizedDomains
+              ? { ...baseConfig, domains: normalizedDomains }
+              : baseConfig;
+            yield* Fx.from({
+              ok: () =>
+                ctx.runMutation(config.component.public.enterpriseUpdate, {
+                  enterpriseId: enterprise._id,
+                  data: {
+                    status: "active",
+                    config: nextConfig,
+                  },
+                }),
+              err: () =>
+                new AuthError(
+                  "INTERNAL_ERROR",
+                  "Failed to persist SAML registration.",
+                ),
+            });
+            if (normalizedDomains) {
+              for (const [index, domain] of normalizedDomains.entries()) {
+                yield* Fx.from({
+                  ok: () =>
+                    ctx.runMutation(
+                      config.component.public.enterpriseDomainAdd,
+                      {
+                        enterpriseId: enterprise._id,
+                        groupId: enterprise.groupId,
+                        domain,
+                        isPrimary: index === 0,
+                      },
+                    ),
+                  err: () =>
+                    new AuthError(
+                      "INTERNAL_ERROR",
+                      "Failed to persist enterprise domain.",
+                    ),
+                });
+              }
+            }
+            yield* Fx.from({
+              ok: () =>
+                recordEnterpriseAuditEvent(ctx, {
+                  enterpriseId: enterprise._id,
+                  groupId: enterprise.groupId,
+                  eventType: "enterprise.saml.registered",
+                  actorType: "system",
+                  subjectType: "enterprise_saml",
+                  subjectId: enterprise._id,
+                  ok: true,
+                  metadata: {
+                    metadataUrl: data.metadataUrl,
+                    domains: normalizedDomains,
+                  },
+                }),
+              err: () =>
+                new AuthError(
+                  "INTERNAL_ERROR",
+                  "Failed to record SAML registration audit event.",
+                ),
+            });
+            return {
+              ok: true as const,
+              enterpriseId: enterprise._id,
+              groupId: enterprise.groupId,
+            };
+          }).pipe(Fx.recover((e) => Fx.fatal(e.toConvexError()))),
+        );
+      },
+      metadata: async <DataModel extends GenericDataModel>(
+        ctx: GenericActionCtx<DataModel>,
+        opts: {
+          enterpriseId: string;
+          entityId?: string;
+          acsUrl?: string;
+          sloUrl?: string;
+        },
+      ) => {
+        const enterprise = await ctx.runQuery(
+          config.component.public.enterpriseGet,
+          {
+            enterpriseId: opts.enterpriseId,
+          },
+        );
+        if (!enterprise) {
+          throw new AuthError(
+            "INVALID_PARAMETERS",
+            "Enterprise not found.",
+          ).toConvexError();
+        }
+        return createServiceProviderMetadata(
+          getSamlServiceProviderOptions({
+            rootUrl: requireEnv("CONVEX_SITE_URL"),
+            source: { kind: "enterprise", id: enterprise._id },
+            config: enterprise.config,
+            overrides: {
+              entityId: opts.entityId,
+              acsUrl: opts.acsUrl,
+              sloUrl: opts.sloUrl,
+            },
+          }),
+        );
+      },
+      /**
+       * Validate the stored SAML config for an enterprise connection.
+       *
+       * Re-parses IdP metadata, checks signing cert presence, and verifies
+       * SP metadata can be generated. Returns a structured result with
+       * per-check details rather than throwing on first failure.
+       */
+      validate: async <DataModel extends GenericDataModel>(
+        ctx: GenericActionCtx<DataModel>,
+        enterpriseId: string,
+      ) => {
+        const checks: Array<{
+          name: string;
+          ok: boolean;
+          message?: string;
+        }> = [];
+        const enterprise = await ctx.runQuery(
+          config.component.public.enterpriseGet,
+          { enterpriseId },
+        );
+        if (!enterprise) {
+          return {
+            ok: false,
+            enterpriseId,
+            checks: [
+              {
+                name: "enterprise_exists",
+                ok: false,
+                message: "Enterprise not found.",
+              },
+            ],
+          };
+        }
+        const samlConfig = enterprise.config?.protocols?.saml;
+        const samlConfigured =
+          samlConfig?.enabled === true &&
+          typeof samlConfig?.idp?.metadataXml === "string";
+        checks.push({
+          name: "saml_configured",
+          ok: samlConfigured,
+          message: samlConfigured ? undefined : "SAML is not configured.",
+        });
+        const hasIdpMetadata =
+          typeof samlConfig?.idp?.metadataXml === "string" &&
+          samlConfig.idp.metadataXml.length > 0;
+        checks.push({
+          name: "idp_metadata_present",
+          ok: hasIdpMetadata,
+          message: hasIdpMetadata ? undefined : "IdP metadata XML is missing.",
+        });
+        const hasEntityId =
+          typeof samlConfig?.idp?.entityId === "string" &&
+          samlConfig.idp.entityId.length > 0;
+        checks.push({
+          name: "idp_entity_id",
+          ok: hasEntityId,
+          message: hasEntityId
+            ? undefined
+            : "IdP entityId could not be parsed from metadata.",
+        });
+        let spMetadataOk = false;
+        let spMetadataMessage: string | undefined;
+        if (samlConfigured) {
+          try {
+            createServiceProviderMetadata(
+              getSamlServiceProviderOptions({
+                rootUrl: requireEnv("CONVEX_SITE_URL"),
+                source: { kind: "enterprise", id: enterprise._id },
+                config: enterprise.config,
+                overrides: {},
+              }),
+            );
+            spMetadataOk = true;
+          } catch (e) {
+            spMetadataMessage =
+              e instanceof Error ? e.message : "SP metadata generation failed.";
+          }
+        } else {
+          spMetadataMessage = "Skipped — SAML not configured.";
+        }
+        checks.push({
+          name: "sp_metadata_generates",
+          ok: spMetadataOk,
+          message: spMetadataMessage,
+        });
+        return {
+          ok: checks.every((c) => c.ok),
+          enterpriseId: enterprise._id,
+          checks,
+        };
+      },
+    },
+    policy: {
+      get: async (ctx: ComponentReadCtx, enterpriseId: string) => {
+        const enterprise = await loadEnterpriseOrThrow(ctx, enterpriseId);
+        return getPolicyFromEnterprise(enterprise);
+      },
+      update: async (
+        ctx: ComponentCtx,
+        enterpriseId: string,
+        patch: EnterprisePolicyPatch,
+      ) => {
+        const enterprise = await loadEnterpriseOrThrow(ctx, enterpriseId);
+        const policy = patchEnterprisePolicy(enterprise.policy, patch);
+        await ctx.runMutation(config.component.public.enterpriseUpdate, {
+          enterpriseId,
+          data: { policy },
+        });
+        await recordEnterpriseAuditEvent(ctx, {
+          enterpriseId: enterprise._id,
+          groupId: enterprise.groupId,
+          eventType: "enterprise.policy.updated",
+          actorType: "system",
+          subjectType: "enterprise_policy",
+          subjectId: enterprise._id,
+          ok: true,
+          metadata: { version: policy.version },
+        });
+        return policy;
+      },
+      validate: async (ctx: ComponentReadCtx, enterpriseId: string) => {
+        const enterprise = await ctx.runQuery(
+          config.component.public.enterpriseGet,
+          { enterpriseId },
+        );
+        if (!enterprise) {
+          return {
+            ok: false,
+            enterpriseId,
+            checks: [
+              {
+                name: "enterprise_exists",
+                ok: false,
+                message: enterpriseNotFoundError,
+              },
+            ],
+          };
+        }
+        const policy = getPolicyFromEnterprise(enterprise);
+        const checks = validateEnterprisePolicy(policy);
+        return {
+          ok: checks.every((check: { ok: boolean }) => check.ok),
+          enterpriseId,
+          policy,
+          checks,
+        };
+      },
+    },
+    oidc: {
+      /**
+       * Register or update enterprise OIDC connection settings.
+       *
+       * Persists protocol config under `enterprise.config.protocols.oidc` and
+       * records an `enterprise.oidc.registered` audit event.
+       */
+      configure: async (
+        ctx: ComponentCtx,
+        data: {
+          enterpriseId: string;
+          issuer?: string;
+          discoveryUrl?: string;
+          clientId: string;
+          clientSecret?: string;
+          scopes?: string[];
+          authorizationParams?: Record<string, string>;
+          clockToleranceSeconds?: number;
+          strictIssuer?: boolean;
+          /**
+           * Map OIDC claim names to `user.extend` field names.
+           * Example: `{ department: "department", role: "job_title" }` means
+           * the OIDC `department` claim is stored as `user.extend.department`.
+           */
+          extraFields?: Record<string, string>;
+        },
+      ) => {
+        return await Fx.run(
+          Fx.gen(function* () {
+            yield* Fx.guard(
+              data.issuer === undefined && data.discoveryUrl === undefined,
+              Fx.fail(
+                new AuthError(
+                  "INVALID_PARAMETERS",
+                  "OIDC registration requires issuer or discoveryUrl.",
+                ),
+              ),
+            );
+            const enterprise = yield* Fx.from({
+              ok: () =>
+                ctx.runQuery(config.component.public.enterpriseGet, {
+                  enterpriseId: data.enterpriseId,
+                }),
+              err: () =>
+                new AuthError("INTERNAL_ERROR", "Failed to load enterprise."),
+            }).pipe(
+              Fx.chain((ent) =>
+                ent === null
+                  ? Fx.fail(
+                      new AuthError(
+                        "INVALID_PARAMETERS",
+                        enterpriseNotFoundError,
+                      ),
+                    )
+                  : Fx.succeed(ent),
+              ),
+            );
+            const nextConfig = upsertProtocolConfig(enterprise.config, "oidc", {
+              enabled: true,
+              issuer: data.issuer,
+              discoveryUrl: data.discoveryUrl,
+              clientId: data.clientId,
+              scopes: data.scopes ?? ["openid", "profile", "email"],
+              authorizationParams: data.authorizationParams,
+              clockToleranceSeconds: data.clockToleranceSeconds,
+              strictIssuer: data.strictIssuer,
+              extraFields: data.extraFields,
+            });
+            yield* Fx.from({
+              ok: () =>
+                ctx.runMutation(config.component.public.enterpriseUpdate, {
+                  enterpriseId: data.enterpriseId,
+                  data: { config: nextConfig },
+                }),
+              err: () =>
+                new AuthError(
+                  "INTERNAL_ERROR",
+                  "Failed to persist OIDC registration.",
+                ),
+            });
+            if (data.clientSecret !== undefined) {
+              const ciphertext = yield* Fx.from({
+                ok: () => encryptSecret(data.clientSecret!),
+                err: () =>
+                  new AuthError(
+                    "INTERNAL_ERROR",
+                    "Failed to encrypt OIDC client secret.",
+                  ),
+              });
+              yield* Fx.from({
+                ok: () =>
+                  ctx.runMutation(
+                    config.component.public.enterpriseSecretUpsert,
+                    {
+                      enterpriseId: data.enterpriseId,
+                      groupId: enterprise.groupId,
+                      kind: ENTERPRISE_OIDC_CLIENT_SECRET_KIND,
+                      ciphertext,
+                      updatedAt: Date.now(),
+                    },
+                  ),
+                err: () =>
+                  new AuthError(
+                    "INTERNAL_ERROR",
+                    "Failed to persist OIDC client secret.",
+                  ),
+              });
+            }
+            yield* Fx.from({
+              ok: () =>
+                recordEnterpriseAuditEvent(ctx, {
+                  enterpriseId: data.enterpriseId,
+                  groupId: enterprise.groupId,
+                  eventType: "enterprise.oidc.registered",
+                  actorType: "system",
+                  subjectType: "enterprise_oidc",
+                  subjectId: data.enterpriseId,
+                  ok: true,
+                  metadata: {
+                    issuer: data.issuer,
+                    discoveryUrl: data.discoveryUrl,
+                  },
+                }),
+              err: () =>
+                new AuthError(
+                  "INTERNAL_ERROR",
+                  "Failed to record OIDC registration audit event.",
+                ),
+            });
+            const secret = yield* Fx.from({
+              ok: () =>
+                getEnterpriseSecret(
+                  ctx,
+                  data.enterpriseId,
+                  ENTERPRISE_OIDC_CLIENT_SECRET_KIND,
+                ),
+              err: () =>
+                new AuthError(
+                  "INTERNAL_ERROR",
+                  "Failed to load OIDC secret metadata.",
+                ),
+            });
+            return withOidcSecretState(
+              getPublicOidcConfig(nextConfig),
+              secret !== null,
+            );
+          }).pipe(Fx.recover((e) => Fx.fatal(e.toConvexError()))),
+        );
+      },
+      /**
+       * Fetch the stored OIDC config for an enterprise.
+       */
+      get: async (ctx: ComponentReadCtx, enterpriseId: string) => {
+        return await Fx.run(
+          Fx.from({
+            ok: () =>
+              ctx.runQuery(config.component.public.enterpriseGet, {
+                enterpriseId,
+              }),
+            err: () =>
+              new AuthError("INTERNAL_ERROR", "Failed to load enterprise."),
+          }).pipe(
+            Fx.chain((ent) =>
+              ent === null
+                ? Fx.fail(
+                    new AuthError(
+                      "INVALID_PARAMETERS",
+                      enterpriseNotFoundError,
+                    ),
+                  )
+                : Fx.succeed(ent),
+            ),
+            Fx.chain((enterprise) =>
+              Fx.from({
+                ok: async () => {
+                  const secret = await getEnterpriseSecret(
+                    ctx,
+                    enterprise._id,
+                    ENTERPRISE_OIDC_CLIENT_SECRET_KIND,
+                  );
+                  return withOidcSecretState(
+                    getPublicOidcConfig(enterprise.config),
+                    secret !== null,
+                  );
+                },
+                err: () =>
+                  new AuthError(
+                    "INTERNAL_ERROR",
+                    "Failed to load OIDC secret metadata.",
+                  ),
+              }),
+            ),
+            Fx.recover((e) => Fx.fatal(e.toConvexError())),
+          ),
+        );
+      },
+      /**
+       * Resolve enterprise OIDC sign-in route from enterprise id, domain, or
+       * user email domain.
+       */
+      signIn: async (
+        ctx: ComponentReadCtx,
+        data: {
+          enterpriseId?: string;
+          email?: string;
+          domain?: string;
+          redirectTo?: string;
+        },
+      ) => {
+        return await Fx.run(
+          Fx.gen(function* () {
+            const enterprise =
+              data.enterpriseId !== undefined
+                ? yield* Fx.from({
+                    ok: () =>
+                      ctx.runQuery(config.component.public.enterpriseGet, {
+                        enterpriseId: data.enterpriseId,
+                      }),
+                    err: () =>
+                      new AuthError(
+                        "INTERNAL_ERROR",
+                        "Failed to load enterprise.",
+                      ),
+                  }).pipe(
+                    Fx.chain((ent) =>
+                      ent === null
+                        ? Fx.fail(
+                            new AuthError(
+                              "INVALID_PARAMETERS",
+                              enterpriseNotFoundError,
+                            ),
+                          )
+                        : Fx.succeed(ent),
+                    ),
+                  )
+                : data.domain !== undefined || data.email !== undefined
+                  ? yield* Fx.from({
+                      ok: () =>
+                        ctx.runQuery(
+                          config.component.public.enterpriseGetByDomain,
+                          {
+                            domain: normalizeDomain(
+                              data.domain ??
+                                String(data.email).split("@").at(-1) ??
+                                "",
+                            ),
+                          },
+                        ),
+                      err: () =>
+                        new AuthError(
+                          "INTERNAL_ERROR",
+                          "Failed to resolve enterprise by domain.",
+                        ),
+                    }).pipe(
+                      Fx.chain((result) =>
+                        result?.enterprise &&
+                        result.domain?.verifiedAt !== undefined
+                          ? Fx.succeed(result.enterprise)
+                          : Fx.fail(
+                              new AuthError(
+                                "INVALID_PARAMETERS",
+                                "No enterprise OIDC connection matched the provided input.",
+                              ),
+                            ),
+                      ),
+                    )
+                  : yield* Fx.fail(
+                      new AuthError(
+                        "INVALID_PARAMETERS",
+                        "No enterprise OIDC connection matched the provided input.",
+                      ),
+                    );
+            yield* Fx.guard(
+              enterprise.status !== "active",
+              Fx.fail(
+                new AuthError(
+                  "INVALID_PARAMETERS",
+                  "Enterprise connection is not active.",
+                ),
+              ),
+            );
+            const oidc = getOidcConfig(enterprise.config);
+            yield* Fx.guard(
+              oidc.enabled !== true,
+              Fx.fail(
+                new AuthError(
+                  "PROVIDER_NOT_CONFIGURED",
+                  "OIDC is not configured for this enterprise.",
+                ),
+              ),
+            );
+            const urls = getEnterpriseOidcUrls({
+              rootUrl: requireEnv("CONVEX_SITE_URL"),
+              enterpriseId: enterprise._id,
+            });
+            return {
+              enterpriseId: enterprise._id,
+              providerId: enterpriseOidcProviderId(enterprise._id),
+              signInPath: urls.signInUrl,
+              callbackPath: urls.callbackUrl,
+              redirectTo: data.redirectTo,
+            };
+          }).pipe(Fx.recover((e) => Fx.fatal(e.toConvexError()))),
+        );
+      },
+      /**
+       * Validate the stored OIDC config for an enterprise connection.
+       *
+       * Fetches the OIDC discovery document from the configured issuer or
+       * discoveryUrl, verifies required fields are present, and checks that
+       * clientId is set. Returns a structured result with per-check details.
+       */
+      validate: async (ctx: ComponentReadCtx, enterpriseId: string) => {
+        const checks: Array<{
+          name: string;
+          ok: boolean;
+          message?: string;
+        }> = [];
+        const enterprise = await ctx.runQuery(
+          config.component.public.enterpriseGet,
+          { enterpriseId },
+        );
+        if (!enterprise) {
+          return {
+            ok: false,
+            enterpriseId,
+            checks: [
+              {
+                name: "enterprise_exists",
+                ok: false,
+                message: "Enterprise not found.",
+              },
+            ],
+          };
+        }
+        const oidc = getOidcConfig(enterprise.config);
+        const secret = await getEnterpriseSecret(
+          ctx,
+          enterprise._id,
+          ENTERPRISE_OIDC_CLIENT_SECRET_KIND,
+        );
+        const oidcConfigured =
+          oidc.enabled === true &&
+          typeof oidc.clientId === "string" &&
+          oidc.clientId.length > 0;
+        checks.push({
+          name: "oidc_configured",
+          ok: oidcConfigured,
+          message: oidcConfigured ? undefined : "OIDC is not configured.",
+        });
+        const hasClientId =
+          typeof oidc.clientId === "string" && oidc.clientId.length > 0;
+        checks.push({
+          name: "client_id_present",
+          ok: hasClientId,
+          message: hasClientId ? undefined : "clientId is missing.",
+        });
+        checks.push({
+          name: "client_secret_stored",
+          ok: secret !== null,
+          message:
+            secret !== null ? undefined : "OIDC client secret is missing.",
+        });
+        const discoveryTarget = oidc.discoveryUrl ?? oidc.issuer;
+        const hasDiscovery =
+          typeof discoveryTarget === "string" && discoveryTarget.length > 0;
+        checks.push({
+          name: "issuer_or_discovery_url_present",
+          ok: hasDiscovery,
+          message: hasDiscovery
+            ? undefined
+            : "issuer or discoveryUrl is missing.",
+        });
+        let discoveryOk = false;
+        let discoveryMessage: string | undefined;
+        if (hasDiscovery) {
+          const discoveryUrl = oidc.discoveryUrl?.length
+            ? oidc.discoveryUrl
+            : `${oidc.issuer}/.well-known/openid-configuration`;
+          try {
+            const res = await fetch(discoveryUrl, {
+              headers: { Accept: "application/json" },
+              signal: AbortSignal.timeout(8_000),
+            });
+            if (!res.ok) {
+              discoveryMessage = `Discovery endpoint returned ${res.status}.`;
+            } else {
+              const json = (await res.json()) as Record<string, unknown>;
+              if (typeof json.issuer !== "string") {
+                discoveryMessage =
+                  "Discovery document is missing issuer field.";
+              } else if (typeof json.authorization_endpoint !== "string") {
+                discoveryMessage =
+                  "Discovery document is missing authorization_endpoint.";
+              } else {
+                discoveryOk = true;
+              }
+            }
+          } catch (e) {
+            discoveryMessage =
+              e instanceof Error
+                ? `Discovery fetch failed: ${e.message}`
+                : "Discovery fetch failed.";
+          }
+        } else {
+          discoveryMessage = "Skipped — issuer or discoveryUrl not set.";
+        }
+        checks.push({
+          name: "discovery_reachable",
+          ok: discoveryOk,
+          message: discoveryMessage,
+        });
+        return {
+          ok: checks.every((c) => c.ok),
+          enterpriseId: enterprise._id,
+          checks,
+        };
+      },
+    },
+    scim: {
+      configure: async (
+        ctx: ComponentCtx,
+        data: {
+          enterpriseId: string;
+          basePath?: string;
+          status?: "draft" | "active" | "disabled";
+        },
+      ) => {
+        const enterprise = await ctx.runQuery(
+          config.component.public.enterpriseGet,
+          {
+            enterpriseId: data.enterpriseId,
+          },
+        );
+        if (enterprise === null) {
+          throw new AuthError(
+            "INVALID_PARAMETERS",
+            "Enterprise not found.",
+          ).toConvexError();
+        }
+        const rawToken = generateRandomString(48, INVITE_TOKEN_ALPHABET);
+        const tokenHash = await sha256(rawToken);
+        const configId = (await ctx.runMutation(
+          config.component.public.enterpriseScimConfigUpsert,
+          {
+            enterpriseId: enterprise._id,
+            groupId: enterprise.groupId,
+            status: data.status ?? "active",
+            basePath:
+              data.basePath ??
+              `${requireEnv("CONVEX_SITE_URL")}/api/auth/sso/${enterprise._id}/scim/v2`,
+            tokenHash,
+            lastRotatedAt: Date.now(),
+          },
+        )) as string;
+        const auditEventId = await recordEnterpriseAuditEvent(ctx, {
+          enterpriseId: enterprise._id,
+          groupId: enterprise.groupId,
+          eventType: "enterprise.scim.configured",
+          actorType: "system",
+          subjectType: "enterprise_scim",
+          subjectId: configId,
+          ok: true,
+        });
+        await emitEnterpriseWebhookDeliveries(ctx, {
+          enterpriseId: enterprise._id,
+          eventType: "enterprise.scim.configured",
+          auditEventId,
+          payload: { enterpriseId: enterprise._id, scimConfigId: configId },
+        });
+        return {
+          ok: true as const,
+          enterpriseId: enterprise._id,
+          configId,
+          basePath:
+            data.basePath ??
+            `${requireEnv("CONVEX_SITE_URL")}/api/auth/sso/${enterprise._id}/scim/v2`,
+          token: rawToken,
+        };
+      },
+      get: async (ctx: ComponentReadCtx, enterpriseId: string) => {
+        return await ctx.runQuery(
+          config.component.public.enterpriseScimConfigGetByEnterprise,
+          { enterpriseId },
+        );
+      },
+      getConfigByToken: async (ctx: ComponentReadCtx, token: string) => {
+        return await ctx.runQuery(
+          config.component.public.enterpriseScimConfigGetByTokenHash,
+          { tokenHash: await sha256(token) },
+        );
+      },
+      /**
+       * Validate the stored SCIM config for an enterprise connection.
+       *
+       * Checks that a SCIM config record exists, is active, has a token
+       * hash set, and has a non-empty basePath. Returns a structured result
+       * with per-check details.
+       */
+      validate: async (ctx: ComponentReadCtx, enterpriseId: string) => {
+        const checks: Array<{
+          name: string;
+          ok: boolean;
+          message?: string;
+        }> = [];
+        const enterprise = await ctx.runQuery(
+          config.component.public.enterpriseGet,
+          { enterpriseId },
+        );
+        if (!enterprise) {
+          return {
+            ok: false,
+            enterpriseId,
+            checks: [
+              {
+                name: "enterprise_exists",
+                ok: false,
+                message: "Enterprise not found.",
+              },
+            ],
+          };
+        }
+        const policy = getPolicyFromEnterprise(enterprise);
+        const scimConfig = await ctx.runQuery(
+          config.component.public.enterpriseScimConfigGetByEnterprise,
+          { enterpriseId },
+        );
+        const hasConfig = scimConfig !== null && scimConfig !== undefined;
+        checks.push({
+          name: "scim_config_exists",
+          ok: hasConfig,
+          message: hasConfig ? undefined : "SCIM has not been configured.",
+        });
+        const isActive = hasConfig && (scimConfig as any).status === "active";
+        checks.push({
+          name: "scim_config_active",
+          ok: isActive,
+          message: isActive
+            ? undefined
+            : `SCIM config status is ${hasConfig ? (scimConfig as any).status : "unknown"}.`,
+        });
+        const hasToken =
+          hasConfig &&
+          typeof (scimConfig as any).tokenHash === "string" &&
+          (scimConfig as any).tokenHash.length > 0;
+        checks.push({
+          name: "token_hash_set",
+          ok: hasToken,
+          message: hasToken ? undefined : "SCIM bearer token has not been set.",
+        });
+        const hasBasePath =
+          hasConfig &&
+          typeof (scimConfig as any).basePath === "string" &&
+          (scimConfig as any).basePath.length > 0;
+        checks.push({
+          name: "base_path_set",
+          ok: hasBasePath,
+          message: hasBasePath ? undefined : "SCIM basePath is missing.",
+        });
+        return {
+          ok: checks.every((c) => c.ok),
+          enterpriseId: enterprise._id,
+          basePath: hasBasePath ? (scimConfig as any).basePath : null,
+          deprovisionMode: policy.provisioning.deprovision.mode,
+          checks,
+        };
+      },
+      identity: {
+        get: async (
+          ctx: ComponentReadCtx,
+          data: {
+            enterpriseId: string;
+            resourceType: "user" | "group";
+            externalId: string;
+          },
+        ) => {
+          return await ctx.runQuery(
+            config.component.public.enterpriseScimIdentityGet,
+            data,
+          );
+        },
+        upsert: async (
+          ctx: ComponentCtx,
+          data: {
+            enterpriseId: string;
+            groupId: string;
+            resourceType: "user" | "group";
+            externalId: string;
+            userId?: string;
+            mappedGroupId?: string;
+            active?: boolean;
+            raw?: Record<string, unknown>;
+          },
+        ) => {
+          return (await ctx.runMutation(
+            config.component.public.enterpriseScimIdentityUpsert,
+            { ...data, lastProvisionedAt: Date.now() },
+          )) as string;
+        },
+      },
+    },
+    audit: {
+      record: async (
+        ctx: ComponentCtx,
+        data: {
+          enterpriseId: string;
+          groupId: string;
+          eventType: string;
+          actorType: "user" | "system" | "scim" | "api_key" | "webhook";
+          actorId?: string;
+          subjectType: string;
+          subjectId?: string;
+          ok: boolean;
+          requestId?: string;
+          ip?: string;
+          metadata?: Record<string, unknown>;
+        },
+      ) => {
+        return await recordEnterpriseAuditEvent(ctx, data);
+      },
+      list: async (
+        ctx: ComponentReadCtx,
+        data: { enterpriseId?: string; groupId?: string; limit?: number },
+      ) => {
+        return await ctx.runQuery(
+          config.component.public.enterpriseAuditEventList,
+          data,
+        );
+      },
+    },
+    webhook: {
+      endpoint: {
+        get: async (ctx: ComponentReadCtx, endpointId: string) => {
+          return await ctx.runQuery(
+            config.component.public.enterpriseWebhookEndpointGet,
+            { endpointId },
+          );
+        },
+        create: async (
+          ctx: ComponentCtx,
+          data: {
+            enterpriseId: string;
+            url: string;
+            secret: string;
+            subscriptions: string[];
+            createdByUserId?: string;
+          },
+        ) => {
+          const enterprise = await ctx.runQuery(
+            config.component.public.enterpriseGet,
+            {
+              enterpriseId: data.enterpriseId,
+            },
+          );
+          if (enterprise === null) {
+            throw new AuthError(
+              "INVALID_PARAMETERS",
+              "Enterprise not found.",
+            ).toConvexError();
+          }
+          const secretHash = await sha256(data.secret);
+          const endpointId = (await ctx.runMutation(
+            config.component.public.enterpriseWebhookEndpointCreate,
+            {
+              enterpriseId: enterprise._id,
+              groupId: enterprise.groupId,
+              url: data.url,
+              secretHash,
+              subscriptions: data.subscriptions,
+              createdByUserId: data.createdByUserId,
+            },
+          )) as string;
+          await recordEnterpriseAuditEvent(ctx, {
+            enterpriseId: enterprise._id,
+            groupId: enterprise.groupId,
+            eventType: "enterprise.webhook.endpoint.created",
+            actorType: data.createdByUserId ? "user" : "system",
+            actorId: data.createdByUserId,
+            subjectType: "enterprise_webhook_endpoint",
+            subjectId: endpointId,
+            ok: true,
+          });
+          return { ok: true as const, endpointId };
+        },
+        list: async (ctx: ComponentReadCtx, enterpriseId: string) => {
+          return await ctx.runQuery(
+            config.component.public.enterpriseWebhookEndpointList,
+            { enterpriseId },
+          );
+        },
+        disable: async (ctx: ComponentCtx, endpointId: string) => {
+          await ctx.runMutation(
+            config.component.public.enterpriseWebhookEndpointUpdate,
+            { endpointId, data: { status: "disabled" } },
+          );
+          return { ok: true as const, endpointId };
+        },
+      },
+      emit: async (
+        ctx: ComponentCtx,
+        data: {
+          enterpriseId: string;
+          eventType: string;
+          payload: Record<string, unknown>;
+          auditEventId?: string;
+        },
+      ) => {
+        await emitEnterpriseWebhookDeliveries(ctx, data);
+      },
+      delivery: {
+        list: async (
+          ctx: ComponentReadCtx,
+          data: { enterpriseId: string; limit?: number },
+        ) => {
+          return await ctx.runQuery(
+            (config.component.public as any).enterpriseWebhookDeliveryList,
+            data,
+          );
+        },
+        listReady: async (ctx: ComponentReadCtx, limit?: number) => {
+          return await ctx.runQuery(
+            config.component.public.enterpriseWebhookDeliveryListReady,
+            { now: Date.now(), limit },
+          );
+        },
+        markDelivered: async (
+          ctx: ComponentCtx,
+          deliveryId: string,
+          responseStatus?: number,
+        ) => {
+          await ctx.runMutation(
+            config.component.public.enterpriseWebhookDeliveryPatch,
+            {
+              deliveryId,
+              data: {
+                status: "delivered",
+                attemptCount: 1,
+                lastAttemptAt: Date.now(),
+                lastResponseStatus: responseStatus,
+              },
+            },
+          );
+        },
+        markFailed: async (
+          ctx: ComponentCtx,
+          deliveryId: string,
+          data: {
+            attemptCount: number;
+            responseStatus?: number;
+            error?: string;
+            retryAt?: number;
+          },
+        ) => {
+          await ctx.runMutation(
+            config.component.public.enterpriseWebhookDeliveryPatch,
+            {
+              deliveryId,
+              data: {
+                status: data.retryAt ? "pending" : "failed",
+                attemptCount: data.attemptCount,
+                lastAttemptAt: Date.now(),
+                lastResponseStatus: data.responseStatus,
+                lastError: data.error,
+                nextAttemptAt: data.retryAt ?? Date.now(),
+              },
+            },
+          );
+        },
+      },
+    },
+  };
+}