npm - @robelest/convex-auth - Versions diffs - 0.0.4-preview.13 → 0.0.4-preview.16 - Mend

@robelest/convex-auth 0.0.4-preview.13 → 0.0.4-preview.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (328) hide show

package/README.md +140 -9
package/dist/bin.cjs +5957 -5478
package/dist/client/index.d.ts +3 -7
package/dist/client/index.d.ts.map +1 -1
package/dist/client/index.js +27 -26
package/dist/client/index.js.map +1 -1
package/dist/component/_generated/api.d.ts +14 -0
package/dist/component/_generated/api.d.ts.map +1 -1
package/dist/component/_generated/api.js.map +1 -1
package/dist/component/_generated/component.d.ts +1672 -24
package/dist/component/_generated/component.d.ts.map +1 -1
package/dist/component/convex.config.d.ts +2 -2
package/dist/component/convex.config.d.ts.map +1 -1
package/dist/component/index.d.ts +1 -1
package/dist/component/index.js +2 -2
package/dist/component/model.d.ts +153 -0
package/dist/component/model.d.ts.map +1 -0
package/dist/component/model.js +343 -0
package/dist/component/model.js.map +1 -0
package/dist/component/providers/sso.d.ts +1 -1
package/dist/component/public/enterprise.d.ts +54 -0
package/dist/component/public/enterprise.d.ts.map +1 -0
package/dist/component/public/enterprise.js +515 -0
package/dist/component/public/enterprise.js.map +1 -0
package/dist/component/public/factors.d.ts +52 -0
package/dist/component/public/factors.d.ts.map +1 -0
package/dist/component/public/factors.js +285 -0
package/dist/component/public/factors.js.map +1 -0
package/dist/component/public/groups.d.ts +116 -0
package/dist/component/public/groups.d.ts.map +1 -0
package/dist/component/public/groups.js +596 -0
package/dist/component/public/groups.js.map +1 -0
package/dist/component/public/identity.d.ts +93 -0
package/dist/component/public/identity.d.ts.map +1 -0
package/dist/component/public/identity.js +426 -0
package/dist/component/public/identity.js.map +1 -0
package/dist/component/public/keys.d.ts +41 -0
package/dist/component/public/keys.d.ts.map +1 -0
package/dist/component/public/keys.js +157 -0
package/dist/component/public/keys.js.map +1 -0
package/dist/component/public/shared.d.ts +26 -0
package/dist/component/public/shared.d.ts.map +1 -0
package/dist/component/public/shared.js +32 -0
package/dist/component/public/shared.js.map +1 -0
package/dist/component/public.d.ts +9 -321
package/dist/component/public.d.ts.map +1 -1
package/dist/component/public.js +6 -2145
package/dist/component/schema.d.ts +406 -260
package/dist/component/schema.js +37 -32
package/dist/component/schema.js.map +1 -1
package/dist/component/server/auth.d.ts +161 -15
package/dist/component/server/auth.d.ts.map +1 -1
package/dist/component/server/auth.js +100 -7
package/dist/component/server/auth.js.map +1 -1
package/dist/component/server/cookies.js +3 -0
package/dist/component/server/cookies.js.map +1 -1
package/dist/component/server/db.js +1 -0
package/dist/component/server/db.js.map +1 -1
package/dist/component/server/device.js +3 -1
package/dist/component/server/device.js.map +1 -1
package/dist/component/server/domains/core.js +629 -0
package/dist/component/server/domains/core.js.map +1 -0
package/dist/component/server/domains/sso.js +884 -0
package/dist/component/server/domains/sso.js.map +1 -0
package/dist/component/server/factory.d.ts +136 -0
package/dist/component/server/factory.d.ts.map +1 -0
package/dist/component/server/factory.js +1134 -0
package/dist/component/server/factory.js.map +1 -0
package/dist/component/server/fx.js +2 -1
package/dist/component/server/fx.js.map +1 -1
package/dist/component/server/http.js +287 -0
package/dist/component/server/http.js.map +1 -0
package/dist/component/server/identity.js +13 -0
package/dist/component/server/identity.js.map +1 -0
package/dist/component/server/keys.js +4 -0
package/dist/component/server/keys.js.map +1 -1
package/dist/component/server/mutations/account.js +1 -1
package/dist/component/server/mutations/index.js +2 -2
package/dist/component/server/mutations/index.js.map +1 -1
package/dist/component/server/mutations/invalidate.js +1 -1
package/dist/component/server/mutations/oauth.js +10 -7
package/dist/component/server/mutations/oauth.js.map +1 -1
package/dist/component/server/mutations/refresh.js +1 -1
package/dist/component/server/mutations/register.js +1 -1
package/dist/component/server/mutations/retrieve.js +1 -1
package/dist/component/server/mutations/signature.js +1 -1
package/dist/component/server/mutations/store.js +6 -3
package/dist/component/server/mutations/store.js.map +1 -1
package/dist/component/server/mutations/verify.js +1 -1
package/dist/component/server/oauth.js +3 -0
package/dist/component/server/oauth.js.map +1 -1
package/dist/component/server/passkey.js +3 -2
package/dist/component/server/passkey.js.map +1 -1
package/dist/component/server/provider.js +2 -0
package/dist/component/server/provider.js.map +1 -1
package/dist/component/server/providers.js +10 -0
package/dist/component/server/providers.js.map +1 -1
package/dist/component/server/ratelimit.js +3 -0
package/dist/component/server/ratelimit.js.map +1 -1
package/dist/component/server/redirects.js +2 -0
package/dist/component/server/redirects.js.map +1 -1
package/dist/component/server/refresh.js +5 -0
package/dist/component/server/refresh.js.map +1 -1
package/dist/component/server/sessions.js +5 -0
package/dist/component/server/sessions.js.map +1 -1
package/dist/component/server/signin.js +2 -1
package/dist/component/server/signin.js.map +1 -1
package/dist/component/server/sso.js +166 -19
package/dist/component/server/sso.js.map +1 -1
package/dist/component/server/tokens.js +1 -0
package/dist/component/server/tokens.js.map +1 -1
package/dist/component/server/totp.js +4 -2
package/dist/component/server/totp.js.map +1 -1
package/dist/component/server/types.d.ts +106 -38
package/dist/component/server/types.d.ts.map +1 -1
package/dist/component/server/types.js.map +1 -1
package/dist/component/server/users.js +1 -0
package/dist/component/server/users.js.map +1 -1
package/dist/component/server/utils.js +44 -2
package/dist/component/server/utils.js.map +1 -1
package/dist/providers/anonymous.d.ts +1 -1
package/dist/providers/credentials.d.ts +1 -1
package/dist/providers/password.d.ts +1 -1
package/dist/providers/sso.d.ts +1 -1
package/dist/providers/sso.js.map +1 -1
package/dist/server/auth.d.ts +163 -17
package/dist/server/auth.d.ts.map +1 -1
package/dist/server/auth.js +100 -7
package/dist/server/auth.js.map +1 -1
package/dist/server/cookies.d.ts +1 -38
package/dist/server/cookies.js +3 -0
package/dist/server/cookies.js.map +1 -1
package/dist/server/db.d.ts +1 -125
package/dist/server/db.js +1 -0
package/dist/server/db.js.map +1 -1
package/dist/server/device.d.ts +1 -24
package/dist/server/device.js +3 -1
package/dist/server/device.js.map +1 -1
package/dist/server/domains/core.d.ts +434 -0
package/dist/server/domains/core.d.ts.map +1 -0
package/dist/server/domains/core.js +629 -0
package/dist/server/domains/core.js.map +1 -0
package/dist/server/domains/sso.d.ts +409 -0
package/dist/server/domains/sso.d.ts.map +1 -0
package/dist/server/domains/sso.js +884 -0
package/dist/server/domains/sso.js.map +1 -0
package/dist/server/enterpriseValidators.d.ts +1 -0
package/dist/server/enterpriseValidators.js +60 -0
package/dist/server/enterpriseValidators.js.map +1 -0
package/dist/server/factory.d.ts +136 -0
package/dist/server/factory.d.ts.map +1 -0
package/dist/server/factory.js +1134 -0
package/dist/server/factory.js.map +1 -0
package/dist/server/fx.d.ts +1 -16
package/dist/server/fx.d.ts.map +1 -1
package/dist/server/fx.js +1 -0
package/dist/server/fx.js.map +1 -1
package/dist/server/http.d.ts +59 -0
package/dist/server/http.d.ts.map +1 -0
package/dist/server/http.js +287 -0
package/dist/server/http.js.map +1 -0
package/dist/server/identity.d.ts +1 -0
package/dist/server/identity.js +13 -0
package/dist/server/identity.js.map +1 -0
package/dist/server/index.d.ts +468 -1
package/dist/server/index.d.ts.map +1 -1
package/dist/server/index.js +530 -36
package/dist/server/index.js.map +1 -1
package/dist/server/keys.d.ts +1 -57
package/dist/server/keys.js +4 -0
package/dist/server/keys.js.map +1 -1
package/dist/server/mutations/account.d.ts +7 -7
package/dist/server/mutations/account.d.ts.map +1 -1
package/dist/server/mutations/code.d.ts +13 -13
package/dist/server/mutations/code.d.ts.map +1 -1
package/dist/server/mutations/index.d.ts +107 -107
package/dist/server/mutations/index.d.ts.map +1 -1
package/dist/server/mutations/index.js +1 -1
package/dist/server/mutations/index.js.map +1 -1
package/dist/server/mutations/invalidate.d.ts +5 -5
package/dist/server/mutations/invalidate.d.ts.map +1 -1
package/dist/server/mutations/oauth.d.ts +10 -10
package/dist/server/mutations/oauth.d.ts.map +1 -1
package/dist/server/mutations/oauth.js +9 -6
package/dist/server/mutations/oauth.js.map +1 -1
package/dist/server/mutations/refresh.d.ts +4 -4
package/dist/server/mutations/register.d.ts +12 -12
package/dist/server/mutations/register.d.ts.map +1 -1
package/dist/server/mutations/retrieve.d.ts +7 -7
package/dist/server/mutations/signature.d.ts +5 -5
package/dist/server/mutations/signin.d.ts +6 -6
package/dist/server/mutations/signin.d.ts.map +1 -1
package/dist/server/mutations/signout.d.ts +1 -1
package/dist/server/mutations/store.d.ts +3 -2
package/dist/server/mutations/store.d.ts.map +1 -1
package/dist/server/mutations/store.js +6 -3
package/dist/server/mutations/store.js.map +1 -1
package/dist/server/mutations/verifier.d.ts +1 -1
package/dist/server/mutations/verify.d.ts +11 -11
package/dist/server/mutations/verify.d.ts.map +1 -1
package/dist/server/oauth.d.ts +1 -59
package/dist/server/oauth.js +3 -0
package/dist/server/oauth.js.map +1 -1
package/dist/server/passkey.d.ts.map +1 -1
package/dist/server/passkey.js +3 -2
package/dist/server/passkey.js.map +1 -1
package/dist/server/provider.d.ts +1 -14
package/dist/server/provider.d.ts.map +1 -1
package/dist/server/provider.js +2 -0
package/dist/server/provider.js.map +1 -1
package/dist/server/providers.js +10 -0
package/dist/server/providers.js.map +1 -1
package/dist/server/ratelimit.d.ts +1 -22
package/dist/server/ratelimit.js +3 -0
package/dist/server/ratelimit.js.map +1 -1
package/dist/server/redirects.d.ts +1 -10
package/dist/server/redirects.js +2 -0
package/dist/server/redirects.js.map +1 -1
package/dist/server/refresh.d.ts +1 -37
package/dist/server/refresh.js +5 -0
package/dist/server/refresh.js.map +1 -1
package/dist/server/sessions.d.ts +1 -28
package/dist/server/sessions.js +5 -0
package/dist/server/sessions.js.map +1 -1
package/dist/server/signin.d.ts +1 -55
package/dist/server/signin.js +2 -1
package/dist/server/signin.js.map +1 -1
package/dist/server/sso.d.ts +1 -348
package/dist/server/sso.js +165 -18
package/dist/server/sso.js.map +1 -1
package/dist/server/templates.d.ts +1 -21
package/dist/server/templates.js +1 -0
package/dist/server/templates.js.map +1 -1
package/dist/server/tokens.d.ts +1 -11
package/dist/server/tokens.js +1 -0
package/dist/server/tokens.js.map +1 -1
package/dist/server/totp.d.ts +1 -23
package/dist/server/totp.js +4 -2
package/dist/server/totp.js.map +1 -1
package/dist/server/types.d.ts +114 -77
package/dist/server/types.d.ts.map +1 -1
package/dist/server/types.js.map +1 -1
package/dist/server/users.d.ts +1 -31
package/dist/server/users.js +1 -0
package/dist/server/users.js.map +1 -1
package/dist/server/utils.d.ts +1 -27
package/dist/server/utils.js +44 -2
package/dist/server/utils.js.map +1 -1
package/dist/server/version.d.ts +1 -1
package/dist/server/version.js +1 -1
package/dist/server/version.js.map +1 -1
package/package.json +4 -5
package/src/cli/bin.ts +5 -0
package/src/cli/index.ts +22 -9
package/src/cli/keys.ts +3 -0
package/src/client/index.ts +36 -37
package/src/component/_generated/api.ts +14 -0
package/src/component/_generated/component.ts +2106 -9
package/src/component/index.ts +3 -1
package/src/component/model.ts +441 -0
package/src/component/public/enterprise.ts +753 -0
package/src/component/public/factors.ts +332 -0
package/src/component/public/groups.ts +932 -0
package/src/component/public/identity.ts +566 -0
package/src/component/public/keys.ts +209 -0
package/src/component/public/shared.ts +119 -0
package/src/component/public.ts +5 -2965
package/src/component/schema.ts +68 -63
package/src/providers/sso.ts +1 -1
package/src/server/auth.ts +413 -18
package/src/server/cookies.ts +3 -0
package/src/server/db.ts +3 -0
package/src/server/device.ts +3 -1
package/src/server/domains/core.ts +1071 -0
package/src/server/domains/sso.ts +1749 -0
package/src/server/enterpriseValidators.ts +93 -0
package/src/server/factory.ts +2181 -0
package/src/server/fx.ts +1 -0
package/src/server/http.ts +529 -0
package/src/server/identity.ts +18 -0
package/src/server/index.ts +806 -40
package/src/server/keys.ts +4 -0
package/src/server/mutations/index.ts +1 -1
package/src/server/mutations/oauth.ts +36 -8
package/src/server/mutations/store.ts +6 -3
package/src/server/oauth.ts +6 -0
package/src/server/passkey.ts +3 -2
package/src/server/provider.ts +2 -0
package/src/server/providers.ts +20 -0
package/src/server/ratelimit.ts +3 -0
package/src/server/redirects.ts +2 -0
package/src/server/refresh.ts +5 -0
package/src/server/sessions.ts +5 -0
package/src/server/signin.ts +1 -0
package/src/server/sso.ts +259 -17
package/src/server/templates.ts +1 -0
package/src/server/tokens.ts +1 -0
package/src/server/totp.ts +4 -2
package/src/server/types.ts +178 -83
package/src/server/users.ts +1 -0
package/src/server/utils.ts +71 -1
package/src/server/version.ts +1 -1
package/dist/component/public.js.map +0 -1
package/dist/component/server/implementation.d.ts +0 -1264
package/dist/component/server/implementation.d.ts.map +0 -1
package/dist/component/server/implementation.js +0 -2365
package/dist/component/server/implementation.js.map +0 -1
package/dist/server/cookies.d.ts.map +0 -1
package/dist/server/db.d.ts.map +0 -1
package/dist/server/device.d.ts.map +0 -1
package/dist/server/implementation.d.ts +0 -1264
package/dist/server/implementation.d.ts.map +0 -1
package/dist/server/implementation.js +0 -2365
package/dist/server/implementation.js.map +0 -1
package/dist/server/keys.d.ts.map +0 -1
package/dist/server/oauth.d.ts.map +0 -1
package/dist/server/ratelimit.d.ts.map +0 -1
package/dist/server/redirects.d.ts.map +0 -1
package/dist/server/refresh.d.ts.map +0 -1
package/dist/server/sessions.d.ts.map +0 -1
package/dist/server/signin.d.ts.map +0 -1
package/dist/server/sso.d.ts.map +0 -1
package/dist/server/templates.d.ts.map +0 -1
package/dist/server/tokens.d.ts.map +0 -1
package/dist/server/totp.d.ts.map +0 -1
package/dist/server/users.d.ts.map +0 -1
package/dist/server/utils.d.ts.map +0 -1
package/src/server/implementation.ts +0 -5336

package/src/server/index.ts CHANGED Viewed

@@ -1,21 +1,787 @@
 import { ConvexHttpClient } from "convex/browser";
-import { makeFunctionReference } from "convex/server";
-import { ConvexError } from "convex/values";
+import {
+  actionGeneric,
+  makeFunctionReference,
+  mutationGeneric,
+  queryGeneric,
+} from "convex/server";
+import { ConvexError, v } from "convex/values";
 import { parse, serialize } from "cookie";
 import { jwtDecode } from "jwt-decode";
-import { Fx } from "./fx";
+import type { AuthApi } from "./auth";
+import {
+  enterpriseConnectionWhereValidator,
+  enterpriseDomainInputValidator,
+  enterpriseDomainVerificationInputValidator,
+  enterprisePolicyPatchValidator,
+  enterpriseSamlAttributeMappingValidator,
+  enterpriseSamlSpValidator,
+  enterpriseStatusValidator,
+} from "./enterpriseValidators";
 import type {
   SignInAction,
   SignInActionResult,
   SignOutAction,
-} from "./implementation";
+} from "./factory";
+import { Fx } from "./fx";
+import type { AuthAuthorizationConfig, AuthRoleId } from "./types";
 import { isLocalHost } from "./utils";
-const signInActionRef: SignInAction =
-  makeFunctionReference("auth/session:start");
-const signOutActionRef: SignOutAction =
-  makeFunctionReference("auth/session:stop");
+const signInActionRef: SignInAction = makeFunctionReference("auth:signIn");
+const signOutActionRef: SignOutAction = makeFunctionReference("auth:signOut");
+export type EnterpriseAdminPermission =
+  | "sso.connection.create"
+  | "sso.connection.read"
+  | "sso.connection.manage"
+  | "sso.domain.manage"
+  | "sso.protocol.manage"
+  | "sso.policy.manage"
+  | "sso.audit.read"
+  | "sso.webhook.manage"
+  | "scim.manage";
+export type EnterpriseAdminAuthorizationInput = {
+  userId: string;
+  permission: EnterpriseAdminPermission;
+  enterpriseId?: string;
+  groupId?: string;
+  resolvedGroupId: string | null;
+};
+export type EnterpriseAuthorizer = (
+  ctx: { auth: import("convex/server").Auth },
+  input: EnterpriseAdminAuthorizationInput,
+) => Promise<void>;
+type RoleRef<TRoleId extends string> = { id: TRoleId };
+type MountedEnterpriseOptions<TRoleId extends string = string> = {
+  admin?: {
+    authorized?: EnterpriseAuthorizer;
+    roles?: Array<TRoleId | RoleRef<TRoleId>>;
+  };
+};
+export type EnterpriseMountOptions<TRoleId extends string = string> = {
+  admin: {
+    authorized: EnterpriseAuthorizer;
+    roles?: Array<TRoleId | RoleRef<TRoleId>>;
+  };
+};
+type MountedEnterpriseTarget = {
+  enterpriseId?: string;
+  groupId?: string;
+  domain?: string;
+};
+function requireSignedInUser(auth: Pick<AuthApi, "user">) {
+  return async (ctx: { auth: import("convex/server").Auth }) => {
+    return await auth.user.require(ctx as never);
+  };
+}
+function normalizeCreatorRoleIds<TRoleId extends string>(
+  roles?: Array<TRoleId | RoleRef<TRoleId>>,
+) {
+  return roles?.map((role) => (typeof role === "string" ? role : role.id));
+}
+async function resolveMountedEnterpriseTarget(
+  auth: Pick<AuthApi, "sso">,
+  ctx: { auth: import("convex/server").Auth },
+  target: MountedEnterpriseTarget,
+) {
+  if (target.groupId !== undefined) {
+    return {
+      enterpriseId: target.enterpriseId,
+      groupId: target.groupId,
+      resolvedGroupId: target.groupId,
+    };
+  }
+  if (target.enterpriseId !== undefined) {
+    const enterprise = await auth.sso.admin.connection.get(
+      ctx as never,
+      target.enterpriseId,
+    );
+    if (enterprise === null) {
+      throw new ConvexError({
+        code: "INVALID_PARAMETERS",
+        message: "Enterprise not found.",
+      });
+    }
+    return {
+      enterpriseId: enterprise._id,
+      groupId: enterprise.groupId,
+      resolvedGroupId: enterprise.groupId,
+    };
+  }
+  if (target.domain !== undefined) {
+    const resolved = await auth.sso.admin.connection.getByDomain(
+      ctx as never,
+      target.domain,
+    );
+    if (resolved?.enterprise === undefined) {
+      throw new ConvexError({
+        code: "INVALID_PARAMETERS",
+        message: "Enterprise not found.",
+      });
+    }
+    return {
+      enterpriseId: resolved.enterprise._id,
+      groupId: resolved.enterprise.groupId,
+      resolvedGroupId: resolved.enterprise.groupId,
+    };
+  }
+  return {
+    enterpriseId: undefined,
+    groupId: undefined,
+    resolvedGroupId: null,
+  };
+}
+function createMountedAdminAuthorizer(
+  auth: Pick<AuthApi, "sso" | "user">,
+  options?: MountedEnterpriseOptions,
+) {
+  const requireUserId = requireSignedInUser(auth);
+  return async (
+    ctx: { auth: import("convex/server").Auth },
+    permission: EnterpriseAdminPermission,
+    target: MountedEnterpriseTarget = {},
+  ) => {
+    const userId = await requireUserId(ctx);
+    if (!options?.admin?.authorized) {
+      throw new ConvexError({
+        code: "FORBIDDEN",
+        message:
+          "Mounted enterprise admin APIs require an authorized callback.",
+      });
+    }
+    const resolved = await resolveMountedEnterpriseTarget(auth, ctx, target);
+    await options.admin.authorized(ctx, {
+      userId,
+      permission,
+      enterpriseId: resolved.enterpriseId,
+      groupId: resolved.groupId,
+      resolvedGroupId: resolved.resolvedGroupId,
+    });
+    return { userId, ...resolved };
+  };
+}
+/**
+ * Build optional public SSO management actions that apps can mount under
+ * `convex/auth/sso/**` when they want client-callable enterprise APIs.
+ *
+ * `admin` is for tenant-admin control-plane operations and should be mounted
+ * with an explicit authorization policy. `client` is for end-user sign-in
+ * helpers and does not require tenant-admin authorization.
+ */
+export function sso<
+  TAuthorization extends AuthAuthorizationConfig | undefined = undefined,
+>(
+  auth: Pick<AuthApi<TAuthorization>, "group" | "member" | "sso" | "user">,
+  options?: MountedEnterpriseOptions<AuthRoleId<TAuthorization>>,
+) {
+  const authorize = createMountedAdminAuthorizer(auth, options);
+  const adminRoleIds = normalizeCreatorRoleIds(options?.admin?.roles);
+  return {
+    admin: {
+      connection: {
+        create: mutationGeneric({
+          args: {
+            groupId: v.optional(v.string()),
+            name: v.optional(v.string()),
+            slug: v.optional(v.string()),
+            status: v.optional(enterpriseStatusValidator),
+            domain: v.optional(v.string()),
+          },
+          handler: async (ctx, args) => {
+            const { userId } = await authorize(ctx, "sso.connection.create", {
+              groupId: args.groupId,
+            });
+            const createsGroup = args.groupId === undefined;
+            const groupId =
+              args.groupId ??
+              (
+                await auth.group.create(ctx as never, {
+                  name: args.name?.trim() || args.slug?.trim() || "Enterprise",
+                  slug: args.slug,
+                  type: "enterprise",
+                })
+              ).groupId;
+            if (createsGroup) {
+              await auth.member.create(ctx as never, {
+                groupId,
+                userId,
+                roleIds: adminRoleIds,
+              });
+            }
+            const created = await auth.sso.admin.connection.create(
+              ctx as never,
+              {
+                groupId,
+                name: args.name,
+                slug: args.slug,
+                status: args.status,
+              },
+            );
+            if (args.domain) {
+              await auth.sso.admin.connection.domain.set(
+                ctx as never,
+                created.enterpriseId,
+                [{ domain: args.domain, isPrimary: true }],
+              );
+            }
+            return {
+              ...created,
+              groupId,
+              createdGroup: createsGroup,
+            };
+          },
+        }),
+        get: queryGeneric({
+          args: { enterpriseId: v.string() },
+          handler: async (ctx, args) => {
+            await authorize(ctx, "sso.connection.read", {
+              enterpriseId: args.enterpriseId,
+            });
+            return await auth.sso.admin.connection.get(
+              ctx as never,
+              args.enterpriseId,
+            );
+          },
+        }),
+        getByGroup: queryGeneric({
+          args: { groupId: v.string() },
+          handler: async (ctx, args) => {
+            await authorize(ctx, "sso.connection.read", {
+              groupId: args.groupId,
+            });
+            return await auth.sso.admin.connection.getByGroup(
+              ctx as never,
+              args.groupId,
+            );
+          },
+        }),
+        getByDomain: queryGeneric({
+          args: { domain: v.string() },
+          handler: async (ctx, args) => {
+            await authorize(ctx, "sso.connection.read", {
+              domain: args.domain,
+            });
+            return await auth.sso.admin.connection.getByDomain(
+              ctx as never,
+              args.domain,
+            );
+          },
+        }),
+        list: queryGeneric({
+          args: {
+            where: v.optional(enterpriseConnectionWhereValidator),
+            limit: v.optional(v.number()),
+            cursor: v.optional(v.union(v.string(), v.null())),
+            orderBy: v.optional(v.string()),
+            order: v.optional(v.union(v.literal("asc"), v.literal("desc"))),
+          },
+          handler: async (ctx, args) => {
+            await authorize(ctx, "sso.connection.read", {
+              groupId: args.where?.groupId,
+            });
+            return await auth.sso.admin.connection.list(
+              ctx as never,
+              args as never,
+            );
+          },
+        }),
+        update: mutationGeneric({
+          args: {
+            enterpriseId: v.string(),
+            data: v.object({
+              name: v.optional(v.string()),
+              slug: v.optional(v.string()),
+              status: v.optional(enterpriseStatusValidator),
+            }),
+          },
+          handler: async (ctx, args) => {
+            await authorize(ctx, "sso.connection.manage", {
+              enterpriseId: args.enterpriseId,
+            });
+            await auth.sso.admin.connection.update(
+              ctx as never,
+              args.enterpriseId,
+              args.data,
+            );
+            return { ok: true as const, enterpriseId: args.enterpriseId };
+          },
+        }),
+        delete: mutationGeneric({
+          args: { enterpriseId: v.string() },
+          handler: async (ctx, args) => {
+            await authorize(ctx, "sso.connection.manage", {
+              enterpriseId: args.enterpriseId,
+            });
+            return await auth.sso.admin.connection.delete(
+              ctx as never,
+              args.enterpriseId,
+            );
+          },
+        }),
+        status: queryGeneric({
+          args: { enterpriseId: v.string() },
+          handler: async (ctx, args) => {
+            await authorize(ctx, "sso.connection.read", {
+              enterpriseId: args.enterpriseId,
+            });
+            return await auth.sso.admin.connection.status(
+              ctx as never,
+              args.enterpriseId,
+            );
+          },
+        }),
+        domain: {
+          list: queryGeneric({
+            args: { enterpriseId: v.string() },
+            handler: async (ctx, args) => {
+              await authorize(ctx, "sso.connection.read", {
+                enterpriseId: args.enterpriseId,
+              });
+              return await auth.sso.admin.connection.domain.list(
+                ctx as never,
+                args.enterpriseId,
+              );
+            },
+          }),
+          validate: queryGeneric({
+            args: { enterpriseId: v.string() },
+            handler: async (ctx, args) => {
+              await authorize(ctx, "sso.domain.manage", {
+                enterpriseId: args.enterpriseId,
+              });
+              return await auth.sso.admin.connection.domain.validate(
+                ctx as never,
+                args.enterpriseId,
+              );
+            },
+          }),
+          set: mutationGeneric({
+            args: {
+              enterpriseId: v.string(),
+              domains: v.array(enterpriseDomainInputValidator),
+            },
+            handler: async (ctx, args) => {
+              await authorize(ctx, "sso.domain.manage", {
+                enterpriseId: args.enterpriseId,
+              });
+              return await auth.sso.admin.connection.domain.set(
+                ctx as never,
+                args.enterpriseId,
+                args.domains,
+              );
+            },
+          }),
+          verification: {
+            request: mutationGeneric({
+              args: enterpriseDomainVerificationInputValidator,
+              handler: async (ctx, args) => {
+                await authorize(ctx, "sso.domain.manage", {
+                  enterpriseId: args.enterpriseId,
+                });
+                return await auth.sso.admin.connection.domain.verification.request(
+                  ctx as never,
+                  args,
+                );
+              },
+            }),
+            confirm: actionGeneric({
+              args: enterpriseDomainVerificationInputValidator,
+              handler: async (ctx, args) => {
+                await authorize(ctx, "sso.domain.manage", {
+                  enterpriseId: args.enterpriseId,
+                });
+                return await auth.sso.admin.connection.domain.verification.confirm(
+                  ctx as never,
+                  args,
+                );
+              },
+            }),
+          },
+        },
+      },
+      oidc: {
+        configure: mutationGeneric({
+          args: {
+            enterpriseId: v.string(),
+            issuer: v.optional(v.string()),
+            discoveryUrl: v.optional(v.string()),
+            clientId: v.string(),
+            clientSecret: v.optional(v.string()),
+            scopes: v.optional(v.array(v.string())),
+            authorizationParams: v.optional(v.record(v.string(), v.string())),
+            clockToleranceSeconds: v.optional(v.number()),
+            strictIssuer: v.optional(v.boolean()),
+            extraFields: v.optional(v.record(v.string(), v.string())),
+          },
+          handler: async (ctx, args) => {
+            await authorize(ctx, "sso.protocol.manage", {
+              enterpriseId: args.enterpriseId,
+            });
+            return await auth.sso.admin.oidc.configure(ctx as never, args);
+          },
+        }),
+        get: queryGeneric({
+          args: { enterpriseId: v.string() },
+          handler: async (ctx, args) => {
+            await authorize(ctx, "sso.connection.read", {
+              enterpriseId: args.enterpriseId,
+            });
+            return await auth.sso.admin.oidc.get(
+              ctx as never,
+              args.enterpriseId,
+            );
+          },
+        }),
+        validate: actionGeneric({
+          args: { enterpriseId: v.string() },
+          handler: async (ctx, args) => {
+            await authorize(ctx, "sso.protocol.manage", {
+              enterpriseId: args.enterpriseId,
+            });
+            return await auth.sso.admin.oidc.validate(
+              ctx as never,
+              args.enterpriseId,
+            );
+          },
+        }),
+      },
+      saml: {
+        configure: actionGeneric({
+          args: {
+            enterpriseId: v.string(),
+            metadataXml: v.optional(v.string()),
+            metadataUrl: v.optional(v.string()),
+            domains: v.optional(v.array(v.string())),
+            signAuthnRequests: v.optional(v.boolean()),
+            attributeMapping: v.optional(
+              enterpriseSamlAttributeMappingValidator,
+            ),
+            sp: v.optional(enterpriseSamlSpValidator),
+          },
+          handler: async (ctx, args) => {
+            await authorize(ctx, "sso.protocol.manage", {
+              enterpriseId: args.enterpriseId,
+            });
+            return await auth.sso.admin.saml.configure(ctx as never, args);
+          },
+        }),
+        validate: queryGeneric({
+          args: { enterpriseId: v.string() },
+          handler: async (ctx, args) => {
+            await authorize(ctx, "sso.protocol.manage", {
+              enterpriseId: args.enterpriseId,
+            });
+            return await auth.sso.admin.saml.validate(
+              ctx as never,
+              args.enterpriseId,
+            );
+          },
+        }),
+      },
+      policy: {
+        get: queryGeneric({
+          args: { enterpriseId: v.string() },
+          handler: async (ctx, args) => {
+            await authorize(ctx, "sso.connection.read", {
+              enterpriseId: args.enterpriseId,
+            });
+            return await auth.sso.admin.policy.get(
+              ctx as never,
+              args.enterpriseId,
+            );
+          },
+        }),
+        update: mutationGeneric({
+          args: {
+            enterpriseId: v.string(),
+            patch: enterprisePolicyPatchValidator,
+          },
+          handler: async (ctx, args) => {
+            await authorize(ctx, "sso.policy.manage", {
+              enterpriseId: args.enterpriseId,
+            });
+            return await auth.sso.admin.policy.update(
+              ctx as never,
+              args.enterpriseId,
+              args.patch,
+            );
+          },
+        }),
+        validate: queryGeneric({
+          args: { enterpriseId: v.string() },
+          handler: async (ctx, args) => {
+            await authorize(ctx, "sso.policy.manage", {
+              enterpriseId: args.enterpriseId,
+            });
+            return await auth.sso.admin.policy.validate(
+              ctx as never,
+              args.enterpriseId,
+            );
+          },
+        }),
+      },
+      audit: {
+        list: queryGeneric({
+          args: {
+            enterpriseId: v.optional(v.string()),
+            groupId: v.optional(v.string()),
+            limit: v.optional(v.number()),
+          },
+          handler: async (ctx, args) => {
+            await authorize(ctx, "sso.audit.read", {
+              enterpriseId: args.enterpriseId,
+              groupId: args.groupId,
+            });
+            return await auth.sso.admin.audit.list(ctx as never, args);
+          },
+        }),
+      },
+      webhook: {
+        delivery: {
+          list: queryGeneric({
+            args: {
+              enterpriseId: v.string(),
+              limit: v.optional(v.number()),
+            },
+            handler: async (ctx, args) => {
+              await authorize(ctx, "sso.webhook.manage", {
+                enterpriseId: args.enterpriseId,
+              });
+              return await (auth.sso.admin.webhook as any).delivery.list(
+                ctx as never,
+                args,
+              );
+            },
+          }),
+        },
+        endpoint: {
+          create: mutationGeneric({
+            args: {
+              enterpriseId: v.string(),
+              url: v.string(),
+              secret: v.string(),
+              subscriptions: v.array(v.string()),
+              createdByUserId: v.optional(v.string()),
+            },
+            handler: async (ctx, args) => {
+              const { userId } = await authorize(ctx, "sso.webhook.manage", {
+                enterpriseId: args.enterpriseId,
+              });
+              const result = await auth.sso.admin.webhook.endpoint.create(
+                ctx as never,
+                {
+                  ...args,
+                  createdByUserId: args.createdByUserId ?? userId,
+                },
+              );
+              return {
+                _id: result.endpointId,
+                enterpriseId: args.enterpriseId,
+                url: args.url,
+                subscriptions: args.subscriptions,
+                createdByUserId: args.createdByUserId ?? userId,
+                status: "active",
+                failureCount: 0,
+              };
+            },
+          }),
+          list: queryGeneric({
+            args: { enterpriseId: v.string() },
+            handler: async (ctx, args) => {
+              await authorize(ctx, "sso.webhook.manage", {
+                enterpriseId: args.enterpriseId,
+              });
+              const endpoints = await auth.sso.admin.webhook.endpoint.list(
+                ctx as never,
+                args.enterpriseId,
+              );
+              return endpoints.map((endpoint: Record<string, unknown>) => {
+                const { secretHash: _secretHash, ...rest } = endpoint;
+                return rest;
+              });
+            },
+          }),
+          disable: mutationGeneric({
+            args: { endpointId: v.string() },
+            handler: async (ctx, args) => {
+              const endpoint = await auth.sso.admin.webhook.endpoint.get(
+                ctx as never,
+                args.endpointId,
+              );
+              if (!endpoint) {
+                throw new ConvexError({
+                  code: "INVALID_PARAMETERS",
+                  message: "Webhook endpoint not found.",
+                });
+              }
+              await authorize(ctx, "sso.webhook.manage", {
+                enterpriseId: endpoint.enterpriseId,
+                groupId: endpoint.groupId,
+              });
+              return await auth.sso.admin.webhook.endpoint.disable(
+                ctx as never,
+                args.endpointId,
+              );
+            },
+          }),
+        },
+      },
+    },
+    client: {
+      signIn: queryGeneric({
+        args: {
+          enterpriseId: v.optional(v.string()),
+          email: v.optional(v.string()),
+          domain: v.optional(v.string()),
+          redirectTo: v.optional(v.string()),
+        },
+        handler: async (ctx, args) => {
+          return await auth.sso.client.signIn(ctx as never, args);
+        },
+      }),
+      metadata: queryGeneric({
+        args: {
+          enterpriseId: v.string(),
+          entityId: v.optional(v.string()),
+          acsUrl: v.optional(v.string()),
+          sloUrl: v.optional(v.string()),
+        },
+        handler: async (ctx, args) => {
+          return await auth.sso.client.metadata(ctx as never, args);
+        },
+      }),
+    },
+  };
+}
+/**
+ * Build optional public SCIM management actions that apps can mount under
+ * `convex/auth/scim/**` when they want client-callable enterprise admin APIs.
+ */
+export function scim<
+  TAuthorization extends AuthAuthorizationConfig | undefined = undefined,
+>(
+  auth: Pick<AuthApi<TAuthorization>, "scim" | "sso" | "user">,
+  options?: MountedEnterpriseOptions<AuthRoleId<TAuthorization>>,
+) {
+  const authorize = createMountedAdminAuthorizer(auth, options);
+  return {
+    admin: {
+      configure: mutationGeneric({
+        args: {
+          enterpriseId: v.string(),
+          basePath: v.optional(v.string()),
+          status: v.optional(enterpriseStatusValidator),
+        },
+        handler: async (ctx, args) => {
+          await authorize(ctx, "scim.manage", {
+            enterpriseId: args.enterpriseId,
+          });
+          return await auth.scim.admin.configure(ctx as never, args);
+        },
+      }),
+      get: queryGeneric({
+        args: { enterpriseId: v.string() },
+        handler: async (ctx, args) => {
+          await authorize(ctx, "scim.manage", {
+            enterpriseId: args.enterpriseId,
+          });
+          return await auth.scim.admin.get(ctx as never, args.enterpriseId);
+        },
+      }),
+      validate: queryGeneric({
+        args: { enterpriseId: v.string() },
+        handler: async (ctx, args) => {
+          await authorize(ctx, "scim.manage", {
+            enterpriseId: args.enterpriseId,
+          });
+          return await auth.scim.admin.validate(
+            ctx as never,
+            args.enterpriseId,
+          );
+        },
+      }),
+    },
+  };
+}
+/**
+ * Build a flat mounted enterprise API surface for app-owned Convex exports.
+ *
+ * The returned object contains tenant-admin SSO and SCIM control-plane
+ * functions plus end-user enterprise sign-in helpers. The `authorized`
+ * callback is required for admin operations.
+ */
+export function enterprise<
+  TAuthorization extends AuthAuthorizationConfig | undefined = undefined,
+>(
+  auth: Pick<
+    AuthApi<TAuthorization>,
+    "group" | "member" | "scim" | "sso" | "user"
+  >,
+  options: EnterpriseMountOptions<AuthRoleId<TAuthorization>>,
+) {
+  const mountedSso = sso(auth, {
+    admin: options.admin,
+  });
+  const mountedScim = scim(auth, {
+    admin: { authorized: options.admin.authorized },
+  });
+  return {
+    createConnection: mountedSso.admin.connection.create,
+    getConnection: mountedSso.admin.connection.get,
+    getConnectionByGroup: mountedSso.admin.connection.getByGroup,
+    getConnectionByDomain: mountedSso.admin.connection.getByDomain,
+    listConnections: mountedSso.admin.connection.list,
+    updateConnection: mountedSso.admin.connection.update,
+    deleteConnection: mountedSso.admin.connection.delete,
+    getConnectionStatus: mountedSso.admin.connection.status,
+    listDomains: mountedSso.admin.connection.domain.list,
+    validateDomains: mountedSso.admin.connection.domain.validate,
+    setDomains: mountedSso.admin.connection.domain.set,
+    requestDomainVerification:
+      mountedSso.admin.connection.domain.verification.request,
+    confirmDomainVerification:
+      mountedSso.admin.connection.domain.verification.confirm,
+    configureOidc: mountedSso.admin.oidc.configure,
+    getOidc: mountedSso.admin.oidc.get,
+    validateOidc: mountedSso.admin.oidc.validate,
+    configureSaml: mountedSso.admin.saml.configure,
+    validateSaml: mountedSso.admin.saml.validate,
+    getPolicy: mountedSso.admin.policy.get,
+    updatePolicy: mountedSso.admin.policy.update,
+    validatePolicy: mountedSso.admin.policy.validate,
+    listAudit: mountedSso.admin.audit.list,
+    createWebhookEndpoint: mountedSso.admin.webhook.endpoint.create,
+    listWebhookEndpoints: mountedSso.admin.webhook.endpoint.list,
+    listWebhookDeliveries: mountedSso.admin.webhook.delivery.list,
+    disableWebhookEndpoint: mountedSso.admin.webhook.endpoint.disable,
+    configureScim: mountedScim.admin.configure,
+    getScim: mountedScim.admin.get,
+    validateScim: mountedScim.admin.validate,
+    signIn: mountedSso.client.signIn,
+    metadata: mountedSso.client.metadata,
+  };
+}
 /** Cookie lifetime configuration for auth tokens. */
 export type AuthCookieConfig = {
@@ -588,9 +1354,9 @@ export function server(options: ServerOptions) {
           : {};
       const actionDispatch =
-        action === "auth/session:start"
+        action === "auth:signIn"
           ? { action: "sessionStart" as const }
-          : action === "auth/session:stop"
+          : action === "auth:signOut"
             ? { action: "sessionStop" as const }
             : null;
@@ -943,37 +1709,37 @@ export function server(options: ServerOptions) {
                                   redirect: () =>
                                     Fx.fatal(
                                       new Error(
-                                        "Invalid `auth/session:start` result for sign-out fallback refresh",
+                                        "Invalid `auth:signIn` result for sign-out fallback refresh",
                                       ),
                                     ),
                                   started: () =>
                                     Fx.fatal(
                                       new Error(
-                                        "Invalid `auth/session:start` result for sign-out fallback refresh",
+                                        "Invalid `auth:signIn` result for sign-out fallback refresh",
                                       ),
                                     ),
                                   passkeyOptions: () =>
                                     Fx.fatal(
                                       new Error(
-                                        "Invalid `auth/session:start` result for sign-out fallback refresh",
+                                        "Invalid `auth:signIn` result for sign-out fallback refresh",
                                       ),
                                     ),
                                   totpRequired: () =>
                                     Fx.fatal(
                                       new Error(
-                                        "Invalid `auth/session:start` result for sign-out fallback refresh",
+                                        "Invalid `auth:signIn` result for sign-out fallback refresh",
                                       ),
                                     ),
                                   totpSetup: () =>
                                     Fx.fatal(
                                       new Error(
-                                        "Invalid `auth/session:start` result for sign-out fallback refresh",
+                                        "Invalid `auth:signIn` result for sign-out fallback refresh",
                                       ),
                                     ),
                                   deviceCode: () =>
                                     Fx.fatal(
                                       new Error(
-                                        "Invalid `auth/session:start` result for sign-out fallback refresh",
+                                        "Invalid `auth:signIn` result for sign-out fallback refresh",
                                       ),
                                     ),
                                 }),
@@ -1146,37 +1912,37 @@ export function server(options: ServerOptions) {
                       redirect: () =>
                         Fx.fatal(
                           new Error(
-                            "Invalid `auth/session:start` result for code exchange",
+                            "Invalid `auth:signIn` result for code exchange",
                           ),
                         ),
                       started: () =>
                         Fx.fatal(
                           new Error(
-                            "Invalid `auth/session:start` result for code exchange",
+                            "Invalid `auth:signIn` result for code exchange",
                           ),
                         ),
                       passkeyOptions: () =>
                         Fx.fatal(
                           new Error(
-                            "Invalid `auth/session:start` result for code exchange",
+                            "Invalid `auth:signIn` result for code exchange",
                           ),
                         ),
                       totpRequired: () =>
                         Fx.fatal(
                           new Error(
-                            "Invalid `auth/session:start` result for code exchange",
+                            "Invalid `auth:signIn` result for code exchange",
                           ),
                         ),
                       totpSetup: () =>
                         Fx.fatal(
                           new Error(
-                            "Invalid `auth/session:start` result for code exchange",
+                            "Invalid `auth:signIn` result for code exchange",
                           ),
                         ),
                       deviceCode: () =>
                         Fx.fatal(
                           new Error(
-                            "Invalid `auth/session:start` result for code exchange",
+                            "Invalid `auth:signIn` result for code exchange",
                           ),
                         ),
                     }),
@@ -1367,37 +2133,37 @@ export function server(options: ServerOptions) {
                       redirect: () =>
                         Fx.fatal(
                           new Error(
-                            "Invalid `auth/session:start` result for token refresh",
+                            "Invalid `auth:signIn` result for token refresh",
                           ),
                         ),
                       started: () =>
                         Fx.fatal(
                           new Error(
-                            "Invalid `auth/session:start` result for token refresh",
+                            "Invalid `auth:signIn` result for token refresh",
                           ),
                         ),
                       passkeyOptions: () =>
                         Fx.fatal(
                           new Error(
-                            "Invalid `auth/session:start` result for token refresh",
+                            "Invalid `auth:signIn` result for token refresh",
                           ),
                         ),
                       totpRequired: () =>
                         Fx.fatal(
                           new Error(
-                            "Invalid `auth/session:start` result for token refresh",
+                            "Invalid `auth:signIn` result for token refresh",
                           ),
                         ),
                       totpSetup: () =>
                         Fx.fatal(
                           new Error(
-                            "Invalid `auth/session:start` result for token refresh",
+                            "Invalid `auth:signIn` result for token refresh",
                           ),
                         ),
                       deviceCode: () =>
                         Fx.fatal(
                           new Error(
-                            "Invalid `auth/session:start` result for token refresh",
+                            "Invalid `auth:signIn` result for token refresh",
                           ),
                         ),
                     }),
@@ -1518,37 +2284,37 @@ export function server(options: ServerOptions) {
                           redirect: () =>
                             Fx.fatal(
                               new Error(
-                                "Invalid `auth/session:start` result for token refresh",
+                                "Invalid `auth:signIn` result for token refresh",
                               ),
                             ),
                           started: () =>
                             Fx.fatal(
                               new Error(
-                                "Invalid `auth/session:start` result for token refresh",
+                                "Invalid `auth:signIn` result for token refresh",
                               ),
                             ),
                           passkeyOptions: () =>
                             Fx.fatal(
                               new Error(
-                                "Invalid `auth/session:start` result for token refresh",
+                                "Invalid `auth:signIn` result for token refresh",
                               ),
                             ),
                           totpRequired: () =>
                             Fx.fatal(
                               new Error(
-                                "Invalid `auth/session:start` result for token refresh",
+                                "Invalid `auth:signIn` result for token refresh",
                               ),
                             ),
                           totpSetup: () =>
                             Fx.fatal(
                               new Error(
-                                "Invalid `auth/session:start` result for token refresh",
+                                "Invalid `auth:signIn` result for token refresh",
                               ),
                             ),
                           deviceCode: () =>
                             Fx.fatal(
                               new Error(
-                                "Invalid `auth/session:start` result for token refresh",
+                                "Invalid `auth:signIn` result for token refresh",
                               ),
                             ),
                         }),
@@ -1643,37 +2409,37 @@ export function server(options: ServerOptions) {
                               redirect: () =>
                                 Fx.fatal(
                                   new Error(
-                                    "Invalid `auth/session:start` result for token refresh",
+                                    "Invalid `auth:signIn` result for token refresh",
                                   ),
                                 ),
                               started: () =>
                                 Fx.fatal(
                                   new Error(
-                                    "Invalid `auth/session:start` result for token refresh",
+                                    "Invalid `auth:signIn` result for token refresh",
                                   ),
                                 ),
                               passkeyOptions: () =>
                                 Fx.fatal(
                                   new Error(
-                                    "Invalid `auth/session:start` result for token refresh",
+                                    "Invalid `auth:signIn` result for token refresh",
                                   ),
                                 ),
                               totpRequired: () =>
                                 Fx.fatal(
                                   new Error(
-                                    "Invalid `auth/session:start` result for token refresh",
+                                    "Invalid `auth:signIn` result for token refresh",
                                   ),
                                 ),
                               totpSetup: () =>
                                 Fx.fatal(
                                   new Error(
-                                    "Invalid `auth/session:start` result for token refresh",
+                                    "Invalid `auth:signIn` result for token refresh",
                                   ),
                                 ),
                               deviceCode: () =>
                                 Fx.fatal(
                                   new Error(
-                                    "Invalid `auth/session:start` result for token refresh",
+                                    "Invalid `auth:signIn` result for token refresh",
                                   ),
                                 ),
                             }),