npm - @robelest/convex-auth - Versions diffs - 0.0.4-preview.13 → 0.0.4-preview.16 - Mend

@robelest/convex-auth 0.0.4-preview.13 → 0.0.4-preview.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (328) hide show

package/README.md +140 -9
package/dist/bin.cjs +5957 -5478
package/dist/client/index.d.ts +3 -7
package/dist/client/index.d.ts.map +1 -1
package/dist/client/index.js +27 -26
package/dist/client/index.js.map +1 -1
package/dist/component/_generated/api.d.ts +14 -0
package/dist/component/_generated/api.d.ts.map +1 -1
package/dist/component/_generated/api.js.map +1 -1
package/dist/component/_generated/component.d.ts +1672 -24
package/dist/component/_generated/component.d.ts.map +1 -1
package/dist/component/convex.config.d.ts +2 -2
package/dist/component/convex.config.d.ts.map +1 -1
package/dist/component/index.d.ts +1 -1
package/dist/component/index.js +2 -2
package/dist/component/model.d.ts +153 -0
package/dist/component/model.d.ts.map +1 -0
package/dist/component/model.js +343 -0
package/dist/component/model.js.map +1 -0
package/dist/component/providers/sso.d.ts +1 -1
package/dist/component/public/enterprise.d.ts +54 -0
package/dist/component/public/enterprise.d.ts.map +1 -0
package/dist/component/public/enterprise.js +515 -0
package/dist/component/public/enterprise.js.map +1 -0
package/dist/component/public/factors.d.ts +52 -0
package/dist/component/public/factors.d.ts.map +1 -0
package/dist/component/public/factors.js +285 -0
package/dist/component/public/factors.js.map +1 -0
package/dist/component/public/groups.d.ts +116 -0
package/dist/component/public/groups.d.ts.map +1 -0
package/dist/component/public/groups.js +596 -0
package/dist/component/public/groups.js.map +1 -0
package/dist/component/public/identity.d.ts +93 -0
package/dist/component/public/identity.d.ts.map +1 -0
package/dist/component/public/identity.js +426 -0
package/dist/component/public/identity.js.map +1 -0
package/dist/component/public/keys.d.ts +41 -0
package/dist/component/public/keys.d.ts.map +1 -0
package/dist/component/public/keys.js +157 -0
package/dist/component/public/keys.js.map +1 -0
package/dist/component/public/shared.d.ts +26 -0
package/dist/component/public/shared.d.ts.map +1 -0
package/dist/component/public/shared.js +32 -0
package/dist/component/public/shared.js.map +1 -0
package/dist/component/public.d.ts +9 -321
package/dist/component/public.d.ts.map +1 -1
package/dist/component/public.js +6 -2145
package/dist/component/schema.d.ts +406 -260
package/dist/component/schema.js +37 -32
package/dist/component/schema.js.map +1 -1
package/dist/component/server/auth.d.ts +161 -15
package/dist/component/server/auth.d.ts.map +1 -1
package/dist/component/server/auth.js +100 -7
package/dist/component/server/auth.js.map +1 -1
package/dist/component/server/cookies.js +3 -0
package/dist/component/server/cookies.js.map +1 -1
package/dist/component/server/db.js +1 -0
package/dist/component/server/db.js.map +1 -1
package/dist/component/server/device.js +3 -1
package/dist/component/server/device.js.map +1 -1
package/dist/component/server/domains/core.js +629 -0
package/dist/component/server/domains/core.js.map +1 -0
package/dist/component/server/domains/sso.js +884 -0
package/dist/component/server/domains/sso.js.map +1 -0
package/dist/component/server/factory.d.ts +136 -0
package/dist/component/server/factory.d.ts.map +1 -0
package/dist/component/server/factory.js +1134 -0
package/dist/component/server/factory.js.map +1 -0
package/dist/component/server/fx.js +2 -1
package/dist/component/server/fx.js.map +1 -1
package/dist/component/server/http.js +287 -0
package/dist/component/server/http.js.map +1 -0
package/dist/component/server/identity.js +13 -0
package/dist/component/server/identity.js.map +1 -0
package/dist/component/server/keys.js +4 -0
package/dist/component/server/keys.js.map +1 -1
package/dist/component/server/mutations/account.js +1 -1
package/dist/component/server/mutations/index.js +2 -2
package/dist/component/server/mutations/index.js.map +1 -1
package/dist/component/server/mutations/invalidate.js +1 -1
package/dist/component/server/mutations/oauth.js +10 -7
package/dist/component/server/mutations/oauth.js.map +1 -1
package/dist/component/server/mutations/refresh.js +1 -1
package/dist/component/server/mutations/register.js +1 -1
package/dist/component/server/mutations/retrieve.js +1 -1
package/dist/component/server/mutations/signature.js +1 -1
package/dist/component/server/mutations/store.js +6 -3
package/dist/component/server/mutations/store.js.map +1 -1
package/dist/component/server/mutations/verify.js +1 -1
package/dist/component/server/oauth.js +3 -0
package/dist/component/server/oauth.js.map +1 -1
package/dist/component/server/passkey.js +3 -2
package/dist/component/server/passkey.js.map +1 -1
package/dist/component/server/provider.js +2 -0
package/dist/component/server/provider.js.map +1 -1
package/dist/component/server/providers.js +10 -0
package/dist/component/server/providers.js.map +1 -1
package/dist/component/server/ratelimit.js +3 -0
package/dist/component/server/ratelimit.js.map +1 -1
package/dist/component/server/redirects.js +2 -0
package/dist/component/server/redirects.js.map +1 -1
package/dist/component/server/refresh.js +5 -0
package/dist/component/server/refresh.js.map +1 -1
package/dist/component/server/sessions.js +5 -0
package/dist/component/server/sessions.js.map +1 -1
package/dist/component/server/signin.js +2 -1
package/dist/component/server/signin.js.map +1 -1
package/dist/component/server/sso.js +166 -19
package/dist/component/server/sso.js.map +1 -1
package/dist/component/server/tokens.js +1 -0
package/dist/component/server/tokens.js.map +1 -1
package/dist/component/server/totp.js +4 -2
package/dist/component/server/totp.js.map +1 -1
package/dist/component/server/types.d.ts +106 -38
package/dist/component/server/types.d.ts.map +1 -1
package/dist/component/server/types.js.map +1 -1
package/dist/component/server/users.js +1 -0
package/dist/component/server/users.js.map +1 -1
package/dist/component/server/utils.js +44 -2
package/dist/component/server/utils.js.map +1 -1
package/dist/providers/anonymous.d.ts +1 -1
package/dist/providers/credentials.d.ts +1 -1
package/dist/providers/password.d.ts +1 -1
package/dist/providers/sso.d.ts +1 -1
package/dist/providers/sso.js.map +1 -1
package/dist/server/auth.d.ts +163 -17
package/dist/server/auth.d.ts.map +1 -1
package/dist/server/auth.js +100 -7
package/dist/server/auth.js.map +1 -1
package/dist/server/cookies.d.ts +1 -38
package/dist/server/cookies.js +3 -0
package/dist/server/cookies.js.map +1 -1
package/dist/server/db.d.ts +1 -125
package/dist/server/db.js +1 -0
package/dist/server/db.js.map +1 -1
package/dist/server/device.d.ts +1 -24
package/dist/server/device.js +3 -1
package/dist/server/device.js.map +1 -1
package/dist/server/domains/core.d.ts +434 -0
package/dist/server/domains/core.d.ts.map +1 -0
package/dist/server/domains/core.js +629 -0
package/dist/server/domains/core.js.map +1 -0
package/dist/server/domains/sso.d.ts +409 -0
package/dist/server/domains/sso.d.ts.map +1 -0
package/dist/server/domains/sso.js +884 -0
package/dist/server/domains/sso.js.map +1 -0
package/dist/server/enterpriseValidators.d.ts +1 -0
package/dist/server/enterpriseValidators.js +60 -0
package/dist/server/enterpriseValidators.js.map +1 -0
package/dist/server/factory.d.ts +136 -0
package/dist/server/factory.d.ts.map +1 -0
package/dist/server/factory.js +1134 -0
package/dist/server/factory.js.map +1 -0
package/dist/server/fx.d.ts +1 -16
package/dist/server/fx.d.ts.map +1 -1
package/dist/server/fx.js +1 -0
package/dist/server/fx.js.map +1 -1
package/dist/server/http.d.ts +59 -0
package/dist/server/http.d.ts.map +1 -0
package/dist/server/http.js +287 -0
package/dist/server/http.js.map +1 -0
package/dist/server/identity.d.ts +1 -0
package/dist/server/identity.js +13 -0
package/dist/server/identity.js.map +1 -0
package/dist/server/index.d.ts +468 -1
package/dist/server/index.d.ts.map +1 -1
package/dist/server/index.js +530 -36
package/dist/server/index.js.map +1 -1
package/dist/server/keys.d.ts +1 -57
package/dist/server/keys.js +4 -0
package/dist/server/keys.js.map +1 -1
package/dist/server/mutations/account.d.ts +7 -7
package/dist/server/mutations/account.d.ts.map +1 -1
package/dist/server/mutations/code.d.ts +13 -13
package/dist/server/mutations/code.d.ts.map +1 -1
package/dist/server/mutations/index.d.ts +107 -107
package/dist/server/mutations/index.d.ts.map +1 -1
package/dist/server/mutations/index.js +1 -1
package/dist/server/mutations/index.js.map +1 -1
package/dist/server/mutations/invalidate.d.ts +5 -5
package/dist/server/mutations/invalidate.d.ts.map +1 -1
package/dist/server/mutations/oauth.d.ts +10 -10
package/dist/server/mutations/oauth.d.ts.map +1 -1
package/dist/server/mutations/oauth.js +9 -6
package/dist/server/mutations/oauth.js.map +1 -1
package/dist/server/mutations/refresh.d.ts +4 -4
package/dist/server/mutations/register.d.ts +12 -12
package/dist/server/mutations/register.d.ts.map +1 -1
package/dist/server/mutations/retrieve.d.ts +7 -7
package/dist/server/mutations/signature.d.ts +5 -5
package/dist/server/mutations/signin.d.ts +6 -6
package/dist/server/mutations/signin.d.ts.map +1 -1
package/dist/server/mutations/signout.d.ts +1 -1
package/dist/server/mutations/store.d.ts +3 -2
package/dist/server/mutations/store.d.ts.map +1 -1
package/dist/server/mutations/store.js +6 -3
package/dist/server/mutations/store.js.map +1 -1
package/dist/server/mutations/verifier.d.ts +1 -1
package/dist/server/mutations/verify.d.ts +11 -11
package/dist/server/mutations/verify.d.ts.map +1 -1
package/dist/server/oauth.d.ts +1 -59
package/dist/server/oauth.js +3 -0
package/dist/server/oauth.js.map +1 -1
package/dist/server/passkey.d.ts.map +1 -1
package/dist/server/passkey.js +3 -2
package/dist/server/passkey.js.map +1 -1
package/dist/server/provider.d.ts +1 -14
package/dist/server/provider.d.ts.map +1 -1
package/dist/server/provider.js +2 -0
package/dist/server/provider.js.map +1 -1
package/dist/server/providers.js +10 -0
package/dist/server/providers.js.map +1 -1
package/dist/server/ratelimit.d.ts +1 -22
package/dist/server/ratelimit.js +3 -0
package/dist/server/ratelimit.js.map +1 -1
package/dist/server/redirects.d.ts +1 -10
package/dist/server/redirects.js +2 -0
package/dist/server/redirects.js.map +1 -1
package/dist/server/refresh.d.ts +1 -37
package/dist/server/refresh.js +5 -0
package/dist/server/refresh.js.map +1 -1
package/dist/server/sessions.d.ts +1 -28
package/dist/server/sessions.js +5 -0
package/dist/server/sessions.js.map +1 -1
package/dist/server/signin.d.ts +1 -55
package/dist/server/signin.js +2 -1
package/dist/server/signin.js.map +1 -1
package/dist/server/sso.d.ts +1 -348
package/dist/server/sso.js +165 -18
package/dist/server/sso.js.map +1 -1
package/dist/server/templates.d.ts +1 -21
package/dist/server/templates.js +1 -0
package/dist/server/templates.js.map +1 -1
package/dist/server/tokens.d.ts +1 -11
package/dist/server/tokens.js +1 -0
package/dist/server/tokens.js.map +1 -1
package/dist/server/totp.d.ts +1 -23
package/dist/server/totp.js +4 -2
package/dist/server/totp.js.map +1 -1
package/dist/server/types.d.ts +114 -77
package/dist/server/types.d.ts.map +1 -1
package/dist/server/types.js.map +1 -1
package/dist/server/users.d.ts +1 -31
package/dist/server/users.js +1 -0
package/dist/server/users.js.map +1 -1
package/dist/server/utils.d.ts +1 -27
package/dist/server/utils.js +44 -2
package/dist/server/utils.js.map +1 -1
package/dist/server/version.d.ts +1 -1
package/dist/server/version.js +1 -1
package/dist/server/version.js.map +1 -1
package/package.json +4 -5
package/src/cli/bin.ts +5 -0
package/src/cli/index.ts +22 -9
package/src/cli/keys.ts +3 -0
package/src/client/index.ts +36 -37
package/src/component/_generated/api.ts +14 -0
package/src/component/_generated/component.ts +2106 -9
package/src/component/index.ts +3 -1
package/src/component/model.ts +441 -0
package/src/component/public/enterprise.ts +753 -0
package/src/component/public/factors.ts +332 -0
package/src/component/public/groups.ts +932 -0
package/src/component/public/identity.ts +566 -0
package/src/component/public/keys.ts +209 -0
package/src/component/public/shared.ts +119 -0
package/src/component/public.ts +5 -2965
package/src/component/schema.ts +68 -63
package/src/providers/sso.ts +1 -1
package/src/server/auth.ts +413 -18
package/src/server/cookies.ts +3 -0
package/src/server/db.ts +3 -0
package/src/server/device.ts +3 -1
package/src/server/domains/core.ts +1071 -0
package/src/server/domains/sso.ts +1749 -0
package/src/server/enterpriseValidators.ts +93 -0
package/src/server/factory.ts +2181 -0
package/src/server/fx.ts +1 -0
package/src/server/http.ts +529 -0
package/src/server/identity.ts +18 -0
package/src/server/index.ts +806 -40
package/src/server/keys.ts +4 -0
package/src/server/mutations/index.ts +1 -1
package/src/server/mutations/oauth.ts +36 -8
package/src/server/mutations/store.ts +6 -3
package/src/server/oauth.ts +6 -0
package/src/server/passkey.ts +3 -2
package/src/server/provider.ts +2 -0
package/src/server/providers.ts +20 -0
package/src/server/ratelimit.ts +3 -0
package/src/server/redirects.ts +2 -0
package/src/server/refresh.ts +5 -0
package/src/server/sessions.ts +5 -0
package/src/server/signin.ts +1 -0
package/src/server/sso.ts +259 -17
package/src/server/templates.ts +1 -0
package/src/server/tokens.ts +1 -0
package/src/server/totp.ts +4 -2
package/src/server/types.ts +178 -83
package/src/server/users.ts +1 -0
package/src/server/utils.ts +71 -1
package/src/server/version.ts +1 -1
package/dist/component/public.js.map +0 -1
package/dist/component/server/implementation.d.ts +0 -1264
package/dist/component/server/implementation.d.ts.map +0 -1
package/dist/component/server/implementation.js +0 -2365
package/dist/component/server/implementation.js.map +0 -1
package/dist/server/cookies.d.ts.map +0 -1
package/dist/server/db.d.ts.map +0 -1
package/dist/server/device.d.ts.map +0 -1
package/dist/server/implementation.d.ts +0 -1264
package/dist/server/implementation.d.ts.map +0 -1
package/dist/server/implementation.js +0 -2365
package/dist/server/implementation.js.map +0 -1
package/dist/server/keys.d.ts.map +0 -1
package/dist/server/oauth.d.ts.map +0 -1
package/dist/server/ratelimit.d.ts.map +0 -1
package/dist/server/redirects.d.ts.map +0 -1
package/dist/server/refresh.d.ts.map +0 -1
package/dist/server/sessions.d.ts.map +0 -1
package/dist/server/signin.d.ts.map +0 -1
package/dist/server/sso.d.ts.map +0 -1
package/dist/server/templates.d.ts.map +0 -1
package/dist/server/tokens.d.ts.map +0 -1
package/dist/server/totp.d.ts.map +0 -1
package/dist/server/users.d.ts.map +0 -1
package/dist/server/utils.d.ts.map +0 -1
package/src/server/implementation.ts +0 -5336

package/dist/server/implementation.js DELETED Viewed

@@ -1,2365 +0,0 @@
-import { isAuthError } from "./errors.js";
-import { AuthError, Fx } from "./fx.js";
-import { LOG_LEVELS, TOKEN_SUB_CLAIM_DIVIDER, generateRandomString, logError, logWithLevel, requireEnv, sha256 } from "./utils.js";
-import { redirectToParamCookie, useRedirectToParam } from "./cookies.js";
-import { buildScopeChecker, checkKeyRateLimit, generateApiKey, hashApiKey } from "./keys.js";
-import { callModifyAccount } from "./mutations/account.js";
-import { callInvalidateSessions } from "./mutations/invalidate.js";
-import { SCIM_GROUP_SCHEMA_ID, SCIM_USER_SCHEMA_ID, createEnterpriseOidcRuntime, createEnterpriseSamlMetadataXml, createEnterpriseSamlSignInRequest, createSamlPostBindingResponse, createServiceProviderMetadata, encodeEnterpriseSamlRelayState, enterpriseOidcProviderId, enterpriseSamlProviderId, getEnterpriseOidcUrls, getOidcConfig, getSamlConfig, getSamlServiceProviderOptions, isEnterpriseSamlSourceActive, normalizeDomain, parseEnterpriseSamlLoginResponse, parseEnterpriseSamlLogoutMessage, parseSamlIdpMetadata, parseScimListRequest, parseScimPath, profileFromSamlExtract, scimError, scimJson, serializeScimGroup, serializeScimUser, upsertProtocolConfig, validateEnterpriseSamlLoginRelayState } from "./sso.js";
-import { callUserOAuth } from "./mutations/oauth.js";
-import { callCreateAccountFromCredentials } from "./mutations/register.js";
-import { callRetrieveAccountWithCredentials } from "./mutations/retrieve.js";
-import { callVerifierSignature } from "./mutations/signature.js";
-import { callSignOut } from "./mutations/signout.js";
-import { storeArgs, storeImpl } from "./mutations/index.js";
-import { createOAuthAuthorizationURL, handleOAuthCallback } from "./oauth.js";
-import { configDefaults, listAvailableProviders, materializeProvider } from "./providers.js";
-import { redirectAbsoluteUrl, setURLSearchParam } from "./redirects.js";
-import { signInImpl } from "./signin.js";
-import { ConvexError, v } from "convex/values";
-import { actionGeneric, httpActionGeneric, internalMutationGeneric } from "convex/server";
-import { parse, serialize } from "cookie";
-//#region src/server/implementation.ts
-/**
-* Configure the Convex Auth library. Returns an object with
-* functions and `auth` helper. You must export the functions
-* from `convex/auth.ts` to make them callable:
-*
-* ```ts filename="convex/auth.ts"
-* import { createAuth } from "@robelest/convex-auth/component";
-* import { components } from "./_generated/api";
-*
-* export const auth = createAuth(components.auth, {
-*   providers: [],
-* });
-* export const { signIn, signOut, store } = auth;
-* ```
-*
-* @returns An object with fields you should reexport from your
-*          `convex/auth.ts` file.
-*/
-function Auth(config_) {
-	const config = configDefaults(config_);
-	const hasOAuth = config.providers.some((provider) => provider.type === "oauth");
-	const hasSSO = config.providers.some((provider) => provider.type === "sso");
-	const getProviderOrThrow = (id, allowExtraProviders = false) => {
-		const provider = config.providers.find((configuredProvider) => configuredProvider.id === id) ?? (allowExtraProviders ? config.extraProviders.find((configuredProvider) => configuredProvider.id === id) : void 0);
-		if (provider === void 0) {
-			const detail = `Provider \`${id}\` is not configured, available providers are ${listAvailableProviders(config, allowExtraProviders)}.`;
-			logWithLevel(LOG_LEVELS.ERROR, detail);
-			throw new AuthError("PROVIDER_NOT_CONFIGURED", detail, { provider: id }).toConvexError();
-		}
-		return provider;
-	};
-	const INVITE_TOKEN_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
-	const INVITE_TOKEN_LENGTH = 48;
-	const enterpriseNotFoundError = "Enterprise not found.";
-	const ENTERPRISE_CONTROL_ROUTE_BASE = "/api/auth/sso";
-	const recordEnterpriseAuditEvent = async (ctx, data) => {
-		const { ok, ...rest } = data;
-		return await ctx.runMutation(config.component.public.enterpriseAuditEventCreate, {
-			...rest,
-			status: ok ? "success" : "failure",
-			occurredAt: Date.now()
-		});
-	};
-	const emitEnterpriseWebhookDeliveries = async (ctx, data) => {
-		const endpoints = await ctx.runQuery(config.component.public.enterpriseWebhookEndpointList, { enterpriseId: data.enterpriseId });
-		for (const endpoint of endpoints) {
-			if (endpoint.status !== "active" || !endpoint.subscriptions.includes(data.eventType)) continue;
-			await ctx.runMutation(config.component.public.enterpriseWebhookDeliveryEnqueue, {
-				enterpriseId: data.enterpriseId,
-				endpointId: endpoint._id,
-				auditEventId: data.auditEventId,
-				eventType: data.eventType,
-				payload: data.payload,
-				nextAttemptAt: Date.now()
-			});
-		}
-	};
-	const getEnterpriseScimContext = async (ctx, request) => {
-		const authHeader = request.headers.get("Authorization");
-		if (!authHeader?.startsWith("Bearer ")) throw new AuthError("MISSING_BEARER_TOKEN").toConvexError();
-		const token = authHeader.slice(7);
-		const scimConfig = await ctx.runQuery(config.component.public.enterpriseScimConfigGetByTokenHash, { tokenHash: await sha256(token) });
-		if (!scimConfig || scimConfig.status !== "active") throw new AuthError("INVALID_API_KEY", "Invalid SCIM token.").toConvexError();
-		const parsedPath = parseScimPath(new URL(request.url).pathname);
-		if (parsedPath.enterpriseId !== scimConfig.enterpriseId) throw new AuthError("INVALID_API_KEY", "SCIM token/tenant mismatch.").toConvexError();
-		const enterprise = await ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId: scimConfig.enterpriseId });
-		if (enterprise === null) throw new AuthError("INVALID_PARAMETERS", "Enterprise not found.").toConvexError();
-		return {
-			scimConfig,
-			enterprise,
-			parsedPath
-		};
-	};
-	const SCIM_SCHEMAS = [{
-		id: SCIM_USER_SCHEMA_ID,
-		name: "User",
-		description: "User Account",
-		attributes: [
-			{
-				name: "userName",
-				type: "string",
-				required: true
-			},
-			{
-				name: "displayName",
-				type: "string"
-			},
-			{
-				name: "active",
-				type: "boolean"
-			},
-			{
-				name: "emails",
-				type: "complex",
-				multiValued: true
-			}
-		]
-	}, {
-		id: SCIM_GROUP_SCHEMA_ID,
-		name: "Group",
-		description: "Group",
-		attributes: [{
-			name: "displayName",
-			type: "string",
-			required: true
-		}, {
-			name: "members",
-			type: "complex",
-			multiValued: true
-		}]
-	}];
-	const SCIM_RESOURCE_TYPES = [{
-		id: "User",
-		name: "User",
-		endpoint: "/Users",
-		schema: SCIM_USER_SCHEMA_ID
-	}, {
-		id: "Group",
-		name: "Group",
-		endpoint: "/Groups",
-		schema: SCIM_GROUP_SCHEMA_ID
-	}];
-	const handleStaticScimCollection = (items, resourceId, opts) => {
-		if (resourceId !== void 0) {
-			const item = items.find((entry) => entry[opts.by] === decodeURIComponent(resourceId));
-			return item ? scimJson(item) : scimError(404, "notFound", opts.notFound);
-		}
-		return scimJson({
-			schemas: ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
-			Resources: items,
-			totalResults: items.length,
-			startIndex: 1,
-			itemsPerPage: items.length
-		});
-	};
-	const filterScimCollection = (items, filter, filters) => {
-		if (!filter) return items;
-		const predicate = filters[filter.attribute];
-		if (!predicate) throw new Error("Unsupported SCIM filter.");
-		return items.filter((item) => predicate(item, filter.value));
-	};
-	const paginateScimCollection = (items, listRequest) => {
-		const start = listRequest.startIndex - 1;
-		return items.slice(start, start + listRequest.count);
-	};
-	const requireScimResourceId = (resourceId, label) => {
-		if (!resourceId) return scimError(400, "invalidPath", `${label} resource ID is required.`);
-		return null;
-	};
-	const readScimJson = async (request) => await request.json();
-	const auth = {
-		user: {
-			current: async (ctx, request) => {
-				const identity = await ctx.auth.getUserIdentity();
-				if (identity !== null) {
-					const [userId] = identity.subject.split(TOKEN_SUB_CLAIM_DIVIDER);
-					return userId;
-				}
-				if (request !== void 0 && "runMutation" in ctx && ctx.runMutation) {
-					const authHeader = request.headers.get("Authorization");
-					if (authHeader?.startsWith("Bearer sk_")) {
-						const rawKey = authHeader.slice(7);
-						try {
-							return (await auth.key.verify(ctx, rawKey)).userId;
-						} catch {
-							return null;
-						}
-					}
-				}
-				return null;
-			},
-			require: async (ctx, request) => {
-				const userId = await auth.user.current(ctx, request);
-				if (userId === null) throw new AuthError("NOT_SIGNED_IN").toConvexError();
-				return userId;
-			},
-			get: async (ctx, userId) => {
-				return await ctx.runQuery(config.component.public.userGetById, { userId });
-			},
-			list: async (ctx, opts = {}) => {
-				return await ctx.runQuery(config.component.public.userList, opts);
-			},
-			viewer: async (ctx) => {
-				const userId = await auth.user.current(ctx);
-				if (userId === null) return null;
-				return await ctx.runQuery(config.component.public.userGetById, { userId });
-			},
-			patch: async (ctx, userId, data) => {
-				await ctx.runMutation(config.component.public.userPatch, {
-					userId,
-					data
-				});
-			},
-			setActiveGroup: async (ctx, opts) => {
-				const user = await auth.user.get(ctx, opts.userId);
-				const existingExtend = user !== null && user.extend !== null && typeof user.extend === "object" && !Array.isArray(user.extend) ? { ...user.extend } : {};
-				if (opts.groupId === null) {
-					const { lastActiveGroup: _omit, ...rest } = existingExtend;
-					await auth.user.patch(ctx, opts.userId, { extend: rest });
-					return;
-				}
-				await auth.user.patch(ctx, opts.userId, { extend: {
-					...existingExtend,
-					lastActiveGroup: opts.groupId
-				} });
-			},
-			getActiveGroup: async (ctx, opts) => {
-				const user = await auth.user.get(ctx, opts.userId);
-				if (user !== null && user.extend !== null && typeof user.extend === "object" && !Array.isArray(user.extend)) {
-					const val = user.extend.lastActiveGroup;
-					if (typeof val === "string") return val;
-				}
-				return null;
-			},
-			remove: async (ctx, userId, opts) => {
-				const cascade = opts?.cascade !== false;
-				const [sessions, accounts, keys, members, passkeys, totps] = await Promise.all([
-					ctx.runQuery(config.component.public.sessionListByUser, { userId }),
-					ctx.runQuery(config.component.public.accountListByUser, { userId }),
-					ctx.runQuery(config.component.public.keyListByUserId, { userId }),
-					ctx.runQuery(config.component.public.memberListByUser, { userId }),
-					ctx.runQuery(config.component.public.passkeyListByUserId, { userId }),
-					ctx.runQuery(config.component.public.totpListByUserId, { userId })
-				]);
-				const totalLinked = sessions.length + accounts.length + keys.length + members.length + passkeys.length + totps.length;
-				if (!cascade && totalLinked > 0) throw new AuthError("INVALID_PARAMETERS", `Cannot delete user with ${totalLinked} linked records. Pass { cascade: true } to delete all linked records, or remove them manually first.`).toConvexError();
-				const deletions = [];
-				for (const s of sessions) deletions.push(ctx.runMutation(config.component.public.sessionDelete, { sessionId: s._id }));
-				for (const a of accounts) deletions.push(ctx.runMutation(config.component.public.accountDelete, { accountId: a._id }));
-				for (const k of keys) deletions.push(ctx.runMutation(config.component.public.keyDelete, { keyId: k._id }));
-				for (const m of members) deletions.push(ctx.runMutation(config.component.public.memberRemove, { memberId: m._id }));
-				for (const p of passkeys) deletions.push(ctx.runMutation(config.component.public.passkeyDelete, { passkeyId: p._id }));
-				for (const t of totps) deletions.push(ctx.runMutation(config.component.public.totpDelete, { totpId: t._id }));
-				await Promise.all(deletions);
-				await ctx.runMutation(config.component.public.userDelete, { userId });
-			}
-		},
-		session: {
-			current: async (ctx) => {
-				const identity = await ctx.auth.getUserIdentity();
-				if (identity === null) return null;
-				const [, sessionId] = identity.subject.split(TOKEN_SUB_CLAIM_DIVIDER);
-				return sessionId;
-			},
-			invalidate: async (ctx, args) => {
-				return await callInvalidateSessions(ctx, args);
-			},
-			get: async (ctx, sessionId) => {
-				return await ctx.runQuery(config.component.public.sessionGetById, { sessionId });
-			},
-			list: async (ctx, opts) => {
-				return await ctx.runQuery(config.component.public.sessionListByUser, { userId: opts.userId });
-			}
-		},
-		account: {
-			create: async (ctx, args) => {
-				return await callCreateAccountFromCredentials(ctx, args);
-			},
-			get: async (ctx, args) => {
-				const result = await callRetrieveAccountWithCredentials(ctx, args);
-				if (typeof result === "string") throw new AuthError("ACCOUNT_NOT_FOUND", result).toConvexError();
-				return result;
-			},
-			update: async (ctx, args) => {
-				return await callModifyAccount(ctx, args);
-			},
-			remove: async (ctx, accountId) => {
-				const account = await ctx.runQuery(config.component.public.accountGetById, { accountId });
-				if (account === null) throw new AuthError("ACCOUNT_NOT_FOUND", "Account not found.").toConvexError();
-				if ((await ctx.runQuery(config.component.public.accountListByUser, { userId: account.userId })).length <= 1) throw new AuthError("INVALID_PARAMETERS", "Cannot unlink the user's only account. This would lock them out.").toConvexError();
-				await ctx.runMutation(config.component.public.accountDelete, { accountId });
-			},
-			listPasskeys: async (ctx, opts) => {
-				return await ctx.runQuery(config.component.public.passkeyListByUserId, opts);
-			},
-			renamePasskey: async (ctx, passkeyId, name) => {
-				await ctx.runMutation(config.component.public.passkeyUpdateMeta, {
-					passkeyId,
-					data: { name }
-				});
-			},
-			removePasskey: async (ctx, passkeyId) => {
-				await ctx.runMutation(config.component.public.passkeyDelete, { passkeyId });
-			},
-			listTotps: async (ctx, opts) => {
-				return await ctx.runQuery(config.component.public.totpListByUserId, opts);
-			},
-			removeTotp: async (ctx, totpId) => {
-				await ctx.runMutation(config.component.public.totpDelete, { totpId });
-			}
-		},
-		provider: { signIn: async (ctx, provider, args) => {
-			const result = await signInImpl(enrichCtx(ctx), materializeProvider(provider), args, {
-				generateTokens: false,
-				allowExtraProviders: true
-			});
-			return result.kind === "signedIn" ? result.signedIn !== null ? {
-				userId: result.signedIn.userId,
-				sessionId: result.signedIn.sessionId
-			} : null : null;
-		} },
-		group: {
-			create: async (ctx, data) => {
-				return await ctx.runMutation(config.component.public.groupCreate, data);
-			},
-			get: async (ctx, groupId) => {
-				return await ctx.runQuery(config.component.public.groupGet, { groupId });
-			},
-			list: async (ctx, opts) => {
-				return await ctx.runQuery(config.component.public.groupList, {
-					where: opts?.where,
-					limit: opts?.limit,
-					cursor: opts?.cursor,
-					orderBy: opts?.orderBy,
-					order: opts?.order
-				});
-			},
-			update: async (ctx, groupId, data) => {
-				await ctx.runMutation(config.component.public.groupUpdate, {
-					groupId,
-					data
-				});
-			},
-			delete: async (ctx, groupId) => {
-				await ctx.runMutation(config.component.public.groupDelete, { groupId });
-			},
-			ancestors: async (ctx, opts) => {
-				const maxDepth = Math.max(0, Math.floor(opts.maxDepth ?? 32));
-				const visited = /* @__PURE__ */ new Set();
-				const ancestors = [];
-				let cycleDetected = false;
-				let maxDepthReached = false;
-				let currentGroupId = opts.groupId;
-				let depth = 0;
-				let isFirst = true;
-				while (currentGroupId !== void 0) {
-					if (depth > maxDepth) {
-						maxDepthReached = true;
-						break;
-					}
-					if (visited.has(currentGroupId)) {
-						cycleDetected = true;
-						break;
-					}
-					visited.add(currentGroupId);
-					const group = await auth.group.get(ctx, currentGroupId);
-					if (group === null) break;
-					if (isFirst) {
-						isFirst = false;
-						if (opts.includeSelf) ancestors.push(group);
-						currentGroupId = group.parentGroupId;
-						depth += 1;
-						continue;
-					}
-					ancestors.push(group);
-					currentGroupId = group.parentGroupId;
-					depth += 1;
-				}
-				return {
-					ancestors,
-					cycleDetected,
-					maxDepthReached
-				};
-			}
-		},
-		member: {
-			add: async (ctx, data) => {
-				return await ctx.runMutation(config.component.public.memberAdd, data);
-			},
-			get: async (ctx, memberId) => {
-				return await ctx.runQuery(config.component.public.memberGet, { memberId });
-			},
-			getByUserAndGroup: async (ctx, opts) => {
-				return await ctx.runQuery(config.component.public.memberGetByGroupAndUser, opts);
-			},
-			list: async (ctx, opts) => {
-				return await ctx.runQuery(config.component.public.memberList, {
-					where: opts?.where,
-					limit: opts?.limit,
-					cursor: opts?.cursor,
-					orderBy: opts?.orderBy,
-					order: opts?.order
-				});
-			},
-			remove: async (ctx, memberId) => {
-				await ctx.runMutation(config.component.public.memberRemove, { memberId });
-			},
-			update: async (ctx, memberId, data) => {
-				await ctx.runMutation(config.component.public.memberUpdate, {
-					memberId,
-					data
-				});
-			},
-			inherit: async (ctx, opts) => {
-				const roleFilter = opts.roles !== void 0 && opts.roles.length > 0 ? new Set(opts.roles) : null;
-				const maxDepth = Math.max(0, Math.floor(opts.maxDepth ?? 32));
-				const visited = /* @__PURE__ */ new Set();
-				const traversedGroupIds = [];
-				let currentGroupId = opts.groupId;
-				let depth = 0;
-				let cycleDetected = false;
-				let maxDepthReached = false;
-				while (currentGroupId !== void 0) {
-					if (depth > maxDepth) {
-						maxDepthReached = true;
-						break;
-					}
-					if (visited.has(currentGroupId)) {
-						cycleDetected = true;
-						break;
-					}
-					visited.add(currentGroupId);
-					traversedGroupIds.push(currentGroupId);
-					const membership = await auth.member.getByUserAndGroup(ctx, {
-						userId: opts.userId,
-						groupId: currentGroupId
-					});
-					if (membership !== null && (roleFilter === null || roleFilter.has(membership.role))) return {
-						requestedGroupId: opts.groupId,
-						matchedGroupId: currentGroupId,
-						membership,
-						depth,
-						isDirect: depth === 0,
-						isInherited: depth > 0,
-						traversedGroupIds,
-						cycleDetected: false,
-						maxDepthReached: false
-					};
-					const group = await auth.group.get(ctx, currentGroupId);
-					if (group === null || group.parentGroupId === void 0) break;
-					currentGroupId = group.parentGroupId;
-					depth += 1;
-				}
-				return {
-					requestedGroupId: opts.groupId,
-					matchedGroupId: null,
-					membership: null,
-					depth: null,
-					isDirect: false,
-					isInherited: false,
-					traversedGroupIds,
-					cycleDetected,
-					maxDepthReached
-				};
-			},
-			require: async (ctx, opts) => {
-				const result = await auth.member.inherit(ctx, opts);
-				if (result.membership === null) throw new AuthError("FORBIDDEN", `User ${opts.userId} has no membership on group ${opts.groupId} or its ancestors.`).toConvexError();
-				return {
-					membership: result.membership,
-					matchedGroupId: result.matchedGroupId,
-					isDirect: result.isDirect,
-					isInherited: result.isInherited,
-					depth: result.depth
-				};
-			}
-		},
-		invite: {
-			create: async (ctx, data) => {
-				const token = generateRandomString(INVITE_TOKEN_LENGTH, INVITE_TOKEN_ALPHABET);
-				const tokenHash = await sha256(token);
-				return {
-					inviteId: await ctx.runMutation(config.component.public.inviteCreate, {
-						...data,
-						tokenHash,
-						status: "pending"
-					}),
-					token
-				};
-			},
-			get: async (ctx, inviteId) => {
-				return await ctx.runQuery(config.component.public.inviteGet, { inviteId });
-			},
-			token: {
-				get: async (ctx, token) => {
-					const tokenHash = await sha256(token);
-					return await ctx.runQuery(config.component.public.inviteGetByTokenHash, { tokenHash });
-				},
-				accept: async (ctx, args) => {
-					const tokenHash = await sha256(args.token);
-					return await ctx.runMutation(config.component.public.inviteAcceptByToken, {
-						tokenHash,
-						acceptedByUserId: args.acceptedByUserId
-					});
-				}
-			},
-			list: async (ctx, opts) => {
-				return await ctx.runQuery(config.component.public.inviteList, {
-					where: opts?.where,
-					limit: opts?.limit,
-					cursor: opts?.cursor,
-					orderBy: opts?.orderBy,
-					order: opts?.order
-				});
-			},
-			accept: async (ctx, inviteId, acceptedByUserId) => {
-				await ctx.runMutation(config.component.public.inviteAccept, {
-					inviteId,
-					...acceptedByUserId ? { acceptedByUserId } : {}
-				});
-			},
-			revoke: async (ctx, inviteId) => {
-				await ctx.runMutation(config.component.public.inviteRevoke, { inviteId });
-			}
-		},
-		key: {
-			create: async (ctx, opts) => {
-				const { raw, hashedKey, displayPrefix } = await generateApiKey("sk_");
-				return {
-					keyId: await ctx.runMutation(config.component.public.keyInsert, {
-						userId: opts.userId,
-						prefix: displayPrefix,
-						hashedKey,
-						name: opts.name,
-						scopes: opts.scopes,
-						rateLimit: opts.rateLimit,
-						expiresAt: opts.expiresAt,
-						metadata: opts.metadata
-					}),
-					raw
-				};
-			},
-			verify: async (ctx, rawKey) => {
-				const hashedKey = await hashApiKey(rawKey);
-				const key = await ctx.runQuery(config.component.public.keyGetByHashedKey, { hashedKey });
-				return Fx.run(Fx.gen(function* () {
-					yield* Fx.guard(!key, Fx.fail(new AuthError("INVALID_API_KEY")));
-					const k = key;
-					yield* Fx.guard(k.revoked, Fx.fail(new AuthError("API_KEY_REVOKED")));
-					yield* Fx.guard(!!(k.expiresAt && k.expiresAt < Date.now()), Fx.fail(new AuthError("API_KEY_EXPIRED")));
-					const patchData = { lastUsedAt: Date.now() };
-					if (k.rateLimit) {
-						const { limited, newState } = checkKeyRateLimit(k.rateLimit, k.rateLimitState ?? void 0);
-						yield* Fx.guard(limited, Fx.fail(new AuthError("API_KEY_RATE_LIMITED")));
-						patchData.rateLimitState = newState;
-					}
-					yield* Fx.promise(() => ctx.runMutation(config.component.public.keyPatch, {
-						keyId: k._id,
-						data: patchData
-					}));
-					return {
-						userId: k.userId,
-						keyId: k._id,
-						scopes: buildScopeChecker(k.scopes)
-					};
-				}).pipe(Fx.recover((e) => Fx.fatal(e.toConvexError()))));
-			},
-			list: async (ctx, opts) => {
-				return await ctx.runQuery(config.component.public.keyList, {
-					where: opts?.where,
-					limit: opts?.limit,
-					cursor: opts?.cursor,
-					orderBy: opts?.orderBy,
-					order: opts?.order
-				});
-			},
-			get: async (ctx, keyId) => {
-				return await ctx.runQuery(config.component.public.keyGetById, { keyId });
-			},
-			update: async (ctx, keyId, data) => {
-				await ctx.runMutation(config.component.public.keyPatch, {
-					keyId,
-					data
-				});
-			},
-			revoke: async (ctx, keyId) => {
-				await ctx.runMutation(config.component.public.keyPatch, {
-					keyId,
-					data: { revoked: true }
-				});
-			},
-			remove: async (ctx, keyId) => {
-				await ctx.runMutation(config.component.public.keyDelete, { keyId });
-			},
-			rotate: async (ctx, keyId, opts) => {
-				const existing = await ctx.runQuery(config.component.public.keyGetById, { keyId });
-				if (!existing) throw new AuthError("INVALID_PARAMETERS", "API key not found.").toConvexError();
-				if (existing.revoked === true) throw new AuthError("API_KEY_REVOKED", "Cannot rotate a key that is already revoked.").toConvexError();
-				await ctx.runMutation(config.component.public.keyPatch, {
-					keyId,
-					data: { revoked: true }
-				});
-				return await auth.key.create(ctx, {
-					userId: existing.userId,
-					name: opts?.name ?? existing.name,
-					scopes: existing.scopes ?? [],
-					rateLimit: existing.rateLimit,
-					expiresAt: opts?.expiresAt,
-					metadata: existing.metadata
-				});
-			}
-		},
-		sso: {
-			connection: {
-				create: async (ctx, data) => {
-					return await ctx.runMutation(config.component.public.enterpriseCreate, data);
-				},
-				get: async (ctx, enterpriseId) => {
-					return await ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId });
-				},
-				getByGroup: async (ctx, groupId) => {
-					return await ctx.runQuery(config.component.public.enterpriseGetByGroup, { groupId });
-				},
-				getByDomain: async (ctx, domain) => {
-					return await ctx.runQuery(config.component.public.enterpriseGetByDomain, { domain: normalizeDomain(domain) });
-				},
-				list: async (ctx, opts) => {
-					return await ctx.runQuery(config.component.public.enterpriseList, {
-						where: opts?.where,
-						limit: opts?.limit,
-						cursor: opts?.cursor,
-						orderBy: opts?.orderBy,
-						order: opts?.order
-					});
-				},
-				update: async (ctx, enterpriseId, data) => {
-					await ctx.runMutation(config.component.public.enterpriseUpdate, {
-						enterpriseId,
-						data
-					});
-				},
-				remove: async (ctx, enterpriseId) => {
-					await ctx.runMutation(config.component.public.enterpriseDelete, { enterpriseId });
-				},
-				status: async (ctx, enterpriseId) => {
-					const enterprise = await ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId });
-					if (!enterprise) throw new AuthError("INVALID_PARAMETERS", enterpriseNotFoundError).toConvexError();
-					const protocols = enterprise.config?.protocols ?? {};
-					const oidcConfig = protocols.oidc;
-					const samlConfig = protocols.saml;
-					const scimConfig = await ctx.runQuery(config.component.public.enterpriseScimConfigGetByEnterprise, { enterpriseId });
-					const domains = await ctx.runQuery(config.component.public.enterpriseDomainList, { enterpriseId });
-					const oidcReady = oidcConfig?.enabled === true && typeof oidcConfig?.clientId === "string" && oidcConfig.clientId.length > 0 && (typeof oidcConfig?.issuer === "string" || typeof oidcConfig?.discoveryUrl === "string");
-					const samlReady = samlConfig?.enabled === true && typeof samlConfig?.idp?.entityId === "string";
-					const scimReady = scimConfig !== null && scimConfig !== void 0 && scimConfig.status === "active";
-					const ready = enterprise.status === "active" && (oidcReady || samlReady);
-					return {
-						enterpriseId: enterprise._id,
-						status: enterprise.status,
-						ready,
-						domainCount: domains.length,
-						protocols: {
-							oidc: {
-								configured: oidcReady,
-								ready: oidcReady,
-								clientId: oidcConfig?.clientId ?? null,
-								issuer: oidcConfig?.issuer ?? oidcConfig?.discoveryUrl ?? null
-							},
-							saml: {
-								configured: samlReady,
-								ready: samlReady,
-								entityId: samlConfig?.idp?.entityId ?? null
-							},
-							scim: {
-								configured: scimReady,
-								ready: scimReady,
-								basePath: scimConfig?.basePath ?? null,
-								deprovisionMode: scimConfig?.deprovisionMode ?? null
-							}
-						}
-					};
-				}
-			},
-			domain: {
-				add: async (ctx, data) => {
-					return await ctx.runMutation(config.component.public.enterpriseDomainAdd, {
-						...data,
-						domain: normalizeDomain(data.domain)
-					});
-				},
-				list: async (ctx, enterpriseId) => {
-					return await ctx.runQuery(config.component.public.enterpriseDomainList, { enterpriseId });
-				},
-				remove: async (ctx, domainId) => {
-					await ctx.runMutation(config.component.public.enterpriseDomainDelete, { domainId });
-				}
-			},
-			saml: {
-				configure: async (ctx, data) => {
-					return await Fx.run(Fx.gen(function* () {
-						const enterprise = yield* Fx.from({
-							ok: () => ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId: data.enterpriseId }),
-							err: () => new AuthError("INTERNAL_ERROR", "Failed to load enterprise.")
-						}).pipe(Fx.chain((ent) => ent === null ? Fx.fail(new AuthError("INVALID_PARAMETERS", enterpriseNotFoundError)) : Fx.succeed(ent)));
-						const metadataXml = yield* data.metadataXml ? Fx.succeed(data.metadataXml) : data.metadataUrl ? Fx.defer(() => Fx.from({
-							ok: async () => {
-								const response = await fetch(data.metadataUrl);
-								if (!response.ok) throw new Error(`Failed to fetch SAML metadata: ${response.status}`);
-								return await response.text();
-							},
-							err: (error) => new AuthError("INVALID_PARAMETERS", error instanceof Error ? error.message : "Failed to fetch SAML metadata")
-						})).pipe(Fx.timeout(1e4), Fx.retry(Fx.retry.compose(Fx.retry.jittered(Fx.retry.exponential(200)), Fx.retry.recurs(2))), Fx.recover((error) => Fx.fail(new AuthError("INVALID_PARAMETERS", error instanceof Error ? error.message : "Failed to fetch SAML metadata")))) : Fx.fail(new AuthError("INVALID_PARAMETERS", "SAML registration requires metadataXml or metadataUrl."));
-						const parsed = yield* Fx.from({
-							ok: () => parseSamlIdpMetadata(metadataXml),
-							err: () => new AuthError("INVALID_PARAMETERS", "Failed to parse SAML metadata.")
-						});
-						const baseConfig = upsertProtocolConfig(enterprise.config, "saml", {
-							enabled: true,
-							idp: {
-								metadataXml,
-								...parsed
-							},
-							sp: data.sp,
-							signAuthnRequests: data.signAuthnRequests ?? parsed.wantsSignedAuthnRequests,
-							attributeMapping: data.attributeMapping,
-							accountLinking: "verifiedEmail",
-							reuseScimUserBy: "externalId"
-						});
-						const normalizedDomains = data.domains?.map(normalizeDomain);
-						const nextConfig = normalizedDomains ? {
-							...baseConfig,
-							domains: normalizedDomains
-						} : baseConfig;
-						yield* Fx.from({
-							ok: () => ctx.runMutation(config.component.public.enterpriseUpdate, {
-								enterpriseId: enterprise._id,
-								data: {
-									status: "active",
-									config: nextConfig
-								}
-							}),
-							err: () => new AuthError("INTERNAL_ERROR", "Failed to persist SAML registration.")
-						});
-						if (normalizedDomains) for (const [index, domain] of normalizedDomains.entries()) yield* Fx.from({
-							ok: () => ctx.runMutation(config.component.public.enterpriseDomainAdd, {
-								enterpriseId: enterprise._id,
-								groupId: enterprise.groupId,
-								domain,
-								isPrimary: index === 0
-							}),
-							err: () => new AuthError("INTERNAL_ERROR", "Failed to persist enterprise domain.")
-						});
-						yield* Fx.from({
-							ok: () => recordEnterpriseAuditEvent(ctx, {
-								enterpriseId: enterprise._id,
-								groupId: enterprise.groupId,
-								eventType: "enterprise.saml.registered",
-								actorType: "system",
-								subjectType: "enterprise_saml",
-								subjectId: enterprise._id,
-								ok: true,
-								metadata: {
-									metadataUrl: data.metadataUrl,
-									domains: normalizedDomains
-								}
-							}),
-							err: () => new AuthError("INTERNAL_ERROR", "Failed to record SAML registration audit event.")
-						});
-						return {
-							enterpriseId: enterprise._id,
-							groupId: enterprise.groupId
-						};
-					}).pipe(Fx.recover((e) => Fx.fatal(e.toConvexError()))));
-				},
-				metadata: async (ctx, opts) => {
-					const enterprise = await ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId: opts.enterpriseId });
-					if (!enterprise) throw new AuthError("INVALID_PARAMETERS", "Enterprise not found.").toConvexError();
-					return createServiceProviderMetadata(getSamlServiceProviderOptions({
-						rootUrl: requireEnv("CONVEX_SITE_URL"),
-						source: {
-							kind: "enterprise",
-							id: enterprise._id
-						},
-						config: enterprise.config,
-						overrides: {
-							entityId: opts.entityId,
-							acsUrl: opts.acsUrl,
-							sloUrl: opts.sloUrl
-						}
-					}));
-				},
-				validate: async (ctx, enterpriseId) => {
-					const checks = [];
-					const enterprise = await ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId });
-					if (!enterprise) return {
-						ok: false,
-						enterpriseId,
-						checks: [{
-							name: "enterprise_exists",
-							ok: false,
-							message: "Enterprise not found."
-						}]
-					};
-					const samlConfig = enterprise.config?.protocols?.saml;
-					const samlConfigured = samlConfig?.enabled === true && typeof samlConfig?.idp?.metadataXml === "string";
-					checks.push({
-						name: "saml_configured",
-						ok: samlConfigured,
-						message: samlConfigured ? void 0 : "SAML is not configured."
-					});
-					const hasIdpMetadata = typeof samlConfig?.idp?.metadataXml === "string" && samlConfig.idp.metadataXml.length > 0;
-					checks.push({
-						name: "idp_metadata_present",
-						ok: hasIdpMetadata,
-						message: hasIdpMetadata ? void 0 : "IdP metadata XML is missing."
-					});
-					const hasEntityId = typeof samlConfig?.idp?.entityId === "string" && samlConfig.idp.entityId.length > 0;
-					checks.push({
-						name: "idp_entity_id",
-						ok: hasEntityId,
-						message: hasEntityId ? void 0 : "IdP entityId could not be parsed from metadata."
-					});
-					let spMetadataOk = false;
-					let spMetadataMessage;
-					if (samlConfigured) try {
-						createServiceProviderMetadata(getSamlServiceProviderOptions({
-							rootUrl: requireEnv("CONVEX_SITE_URL"),
-							source: {
-								kind: "enterprise",
-								id: enterprise._id
-							},
-							config: enterprise.config,
-							overrides: {}
-						}));
-						spMetadataOk = true;
-					} catch (e) {
-						spMetadataMessage = e instanceof Error ? e.message : "SP metadata generation failed.";
-					}
-					else spMetadataMessage = "Skipped — SAML not configured.";
-					checks.push({
-						name: "sp_metadata_generates",
-						ok: spMetadataOk,
-						message: spMetadataMessage
-					});
-					return {
-						ok: checks.every((c) => c.ok),
-						enterpriseId: enterprise._id,
-						checks
-					};
-				}
-			},
-			oidc: {
-				configure: async (ctx, data) => {
-					return await Fx.run(Fx.gen(function* () {
-						yield* Fx.guard(data.issuer === void 0 && data.discoveryUrl === void 0, Fx.fail(new AuthError("INVALID_PARAMETERS", "OIDC registration requires issuer or discoveryUrl.")));
-						const enterprise = yield* Fx.from({
-							ok: () => ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId: data.enterpriseId }),
-							err: () => new AuthError("INTERNAL_ERROR", "Failed to load enterprise.")
-						}).pipe(Fx.chain((ent) => ent === null ? Fx.fail(new AuthError("INVALID_PARAMETERS", enterpriseNotFoundError)) : Fx.succeed(ent)));
-						const nextConfig = upsertProtocolConfig(enterprise.config, "oidc", {
-							enabled: true,
-							issuer: data.issuer,
-							discoveryUrl: data.discoveryUrl,
-							clientId: data.clientId,
-							clientSecret: data.clientSecret,
-							scopes: data.scopes ?? [
-								"openid",
-								"profile",
-								"email"
-							],
-							authorizationParams: data.authorizationParams,
-							accountLinking: "verifiedEmail",
-							reuseScimUserBy: "externalId",
-							clockToleranceSeconds: data.clockToleranceSeconds,
-							strictIssuer: data.strictIssuer,
-							extraFields: data.extraFields
-						});
-						yield* Fx.from({
-							ok: () => ctx.runMutation(config.component.public.enterpriseUpdate, {
-								enterpriseId: data.enterpriseId,
-								data: { config: nextConfig }
-							}),
-							err: () => new AuthError("INTERNAL_ERROR", "Failed to persist OIDC registration.")
-						});
-						yield* Fx.from({
-							ok: () => recordEnterpriseAuditEvent(ctx, {
-								enterpriseId: data.enterpriseId,
-								groupId: enterprise.groupId,
-								eventType: "enterprise.oidc.registered",
-								actorType: "system",
-								subjectType: "enterprise_oidc",
-								subjectId: data.enterpriseId,
-								ok: true,
-								metadata: {
-									issuer: data.issuer,
-									discoveryUrl: data.discoveryUrl
-								}
-							}),
-							err: () => new AuthError("INTERNAL_ERROR", "Failed to record OIDC registration audit event.")
-						});
-						return getOidcConfig(nextConfig);
-					}).pipe(Fx.recover((e) => Fx.fatal(e.toConvexError()))));
-				},
-				get: async (ctx, enterpriseId) => {
-					return await Fx.run(Fx.from({
-						ok: () => ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId }),
-						err: () => new AuthError("INTERNAL_ERROR", "Failed to load enterprise.")
-					}).pipe(Fx.chain((ent) => ent === null ? Fx.fail(new AuthError("INVALID_PARAMETERS", enterpriseNotFoundError)) : Fx.succeed(ent)), Fx.map((enterprise) => getOidcConfig(enterprise.config)), Fx.recover((e) => Fx.fatal(e.toConvexError()))));
-				},
-				resolveSignIn: async (ctx, data) => {
-					return await Fx.run(Fx.gen(function* () {
-						const enterprise = data.enterpriseId !== void 0 ? yield* Fx.from({
-							ok: () => ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId: data.enterpriseId }),
-							err: () => new AuthError("INTERNAL_ERROR", "Failed to load enterprise.")
-						}).pipe(Fx.chain((ent) => ent === null ? Fx.fail(new AuthError("INVALID_PARAMETERS", enterpriseNotFoundError)) : Fx.succeed(ent))) : data.domain !== void 0 || data.email !== void 0 ? yield* Fx.from({
-							ok: () => ctx.runQuery(config.component.public.enterpriseGetByDomain, { domain: normalizeDomain(data.domain ?? String(data.email).split("@").at(-1) ?? "") }),
-							err: () => new AuthError("INTERNAL_ERROR", "Failed to resolve enterprise by domain.")
-						}).pipe(Fx.chain((result) => result?.enterprise ? Fx.succeed(result.enterprise) : Fx.fail(new AuthError("INVALID_PARAMETERS", "No enterprise OIDC connection matched the provided input.")))) : yield* Fx.fail(new AuthError("INVALID_PARAMETERS", "No enterprise OIDC connection matched the provided input."));
-						yield* Fx.guard(enterprise.status !== "active", Fx.fail(new AuthError("INVALID_PARAMETERS", "Enterprise connection is not active.")));
-						const oidc = getOidcConfig(enterprise.config);
-						yield* Fx.guard(oidc.enabled !== true, Fx.fail(new AuthError("PROVIDER_NOT_CONFIGURED", "OIDC is not configured for this enterprise.")));
-						const urls = getEnterpriseOidcUrls({
-							rootUrl: requireEnv("CONVEX_SITE_URL"),
-							enterpriseId: enterprise._id
-						});
-						return {
-							enterpriseId: enterprise._id,
-							providerId: enterpriseOidcProviderId(enterprise._id),
-							signInPath: urls.signInUrl,
-							callbackPath: urls.callbackUrl,
-							redirectTo: data.redirectTo
-						};
-					}).pipe(Fx.recover((e) => Fx.fatal(e.toConvexError()))));
-				},
-				validate: async (ctx, enterpriseId) => {
-					const checks = [];
-					const enterprise = await ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId });
-					if (!enterprise) return {
-						ok: false,
-						enterpriseId,
-						checks: [{
-							name: "enterprise_exists",
-							ok: false,
-							message: "Enterprise not found."
-						}]
-					};
-					const oidc = getOidcConfig(enterprise.config);
-					const oidcConfigured = oidc.enabled === true && typeof oidc.clientId === "string" && oidc.clientId.length > 0;
-					checks.push({
-						name: "oidc_configured",
-						ok: oidcConfigured,
-						message: oidcConfigured ? void 0 : "OIDC is not configured."
-					});
-					const hasClientId = typeof oidc.clientId === "string" && oidc.clientId.length > 0;
-					checks.push({
-						name: "client_id_present",
-						ok: hasClientId,
-						message: hasClientId ? void 0 : "clientId is missing."
-					});
-					const discoveryTarget = oidc.discoveryUrl ?? oidc.issuer;
-					const hasDiscovery = typeof discoveryTarget === "string" && discoveryTarget.length > 0;
-					checks.push({
-						name: "issuer_or_discovery_url_present",
-						ok: hasDiscovery,
-						message: hasDiscovery ? void 0 : "issuer or discoveryUrl is missing."
-					});
-					let discoveryOk = false;
-					let discoveryMessage;
-					if (hasDiscovery) {
-						const discoveryUrl = oidc.discoveryUrl?.length ? oidc.discoveryUrl : `${oidc.issuer}/.well-known/openid-configuration`;
-						try {
-							const res = await fetch(discoveryUrl, {
-								headers: { Accept: "application/json" },
-								signal: AbortSignal.timeout(8e3)
-							});
-							if (!res.ok) discoveryMessage = `Discovery endpoint returned ${res.status}.`;
-							else {
-								const json = await res.json();
-								if (typeof json.issuer !== "string") discoveryMessage = "Discovery document is missing issuer field.";
-								else if (typeof json.authorization_endpoint !== "string") discoveryMessage = "Discovery document is missing authorization_endpoint.";
-								else discoveryOk = true;
-							}
-						} catch (e) {
-							discoveryMessage = e instanceof Error ? `Discovery fetch failed: ${e.message}` : "Discovery fetch failed.";
-						}
-					} else discoveryMessage = "Skipped — issuer or discoveryUrl not set.";
-					checks.push({
-						name: "discovery_reachable",
-						ok: discoveryOk,
-						message: discoveryMessage
-					});
-					return {
-						ok: checks.every((c) => c.ok),
-						enterpriseId: enterprise._id,
-						checks
-					};
-				}
-			},
-			scim: {
-				configure: async (ctx, data) => {
-					const enterprise = await ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId: data.enterpriseId });
-					if (enterprise === null) throw new AuthError("INVALID_PARAMETERS", "Enterprise not found.").toConvexError();
-					const rawToken = generateRandomString(48, INVITE_TOKEN_ALPHABET);
-					const tokenHash = await sha256(rawToken);
-					const configId = await ctx.runMutation(config.component.public.enterpriseScimConfigUpsert, {
-						enterpriseId: enterprise._id,
-						groupId: enterprise.groupId,
-						status: data.status ?? "active",
-						basePath: data.basePath ?? `${requireEnv("CONVEX_SITE_URL")}/api/auth/sso/${enterprise._id}/scim/v2`,
-						tokenHash,
-						lastRotatedAt: Date.now(),
-						deprovisionMode: data.deprovisionMode ?? "soft"
-					});
-					const auditEventId = await recordEnterpriseAuditEvent(ctx, {
-						enterpriseId: enterprise._id,
-						groupId: enterprise.groupId,
-						eventType: "enterprise.scim.configured",
-						actorType: "system",
-						subjectType: "enterprise_scim",
-						subjectId: configId,
-						ok: true
-					});
-					await emitEnterpriseWebhookDeliveries(ctx, {
-						enterpriseId: enterprise._id,
-						eventType: "enterprise.scim.configured",
-						auditEventId,
-						payload: {
-							enterpriseId: enterprise._id,
-							scimConfigId: configId
-						}
-					});
-					return {
-						token: rawToken,
-						configId
-					};
-				},
-				get: async (ctx, enterpriseId) => {
-					return await ctx.runQuery(config.component.public.enterpriseScimConfigGetByEnterprise, { enterpriseId });
-				},
-				getConfigByToken: async (ctx, token) => {
-					return await ctx.runQuery(config.component.public.enterpriseScimConfigGetByTokenHash, { tokenHash: await sha256(token) });
-				},
-				validate: async (ctx, enterpriseId) => {
-					const checks = [];
-					const enterprise = await ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId });
-					if (!enterprise) return {
-						ok: false,
-						enterpriseId,
-						checks: [{
-							name: "enterprise_exists",
-							ok: false,
-							message: "Enterprise not found."
-						}]
-					};
-					const scimConfig = await ctx.runQuery(config.component.public.enterpriseScimConfigGetByEnterprise, { enterpriseId });
-					const hasConfig = scimConfig !== null && scimConfig !== void 0;
-					checks.push({
-						name: "scim_config_exists",
-						ok: hasConfig,
-						message: hasConfig ? void 0 : "SCIM has not been configured."
-					});
-					const isActive = hasConfig && scimConfig.status === "active";
-					checks.push({
-						name: "scim_config_active",
-						ok: isActive,
-						message: isActive ? void 0 : `SCIM config status is ${hasConfig ? scimConfig.status : "unknown"}.`
-					});
-					const hasToken = hasConfig && typeof scimConfig.tokenHash === "string" && scimConfig.tokenHash.length > 0;
-					checks.push({
-						name: "token_hash_set",
-						ok: hasToken,
-						message: hasToken ? void 0 : "SCIM bearer token has not been set."
-					});
-					const hasBasePath = hasConfig && typeof scimConfig.basePath === "string" && scimConfig.basePath.length > 0;
-					checks.push({
-						name: "base_path_set",
-						ok: hasBasePath,
-						message: hasBasePath ? void 0 : "SCIM basePath is missing."
-					});
-					return {
-						ok: checks.every((c) => c.ok),
-						enterpriseId: enterprise._id,
-						basePath: hasBasePath ? scimConfig.basePath : null,
-						deprovisionMode: hasConfig ? scimConfig.deprovisionMode : null,
-						checks
-					};
-				},
-				identity: {
-					get: async (ctx, data) => {
-						return await ctx.runQuery(config.component.public.enterpriseScimIdentityGet, data);
-					},
-					upsert: async (ctx, data) => {
-						return await ctx.runMutation(config.component.public.enterpriseScimIdentityUpsert, {
-							...data,
-							lastProvisionedAt: Date.now()
-						});
-					}
-				}
-			},
-			audit: {
-				record: async (ctx, data) => {
-					return await recordEnterpriseAuditEvent(ctx, data);
-				},
-				list: async (ctx, data) => {
-					return await ctx.runQuery(config.component.public.enterpriseAuditEventList, data);
-				}
-			},
-			webhook: {
-				endpoint: {
-					create: async (ctx, data) => {
-						const enterprise = await ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId: data.enterpriseId });
-						if (enterprise === null) throw new AuthError("INVALID_PARAMETERS", "Enterprise not found.").toConvexError();
-						const secretHash = await sha256(data.secret);
-						const endpointId = await ctx.runMutation(config.component.public.enterpriseWebhookEndpointCreate, {
-							enterpriseId: enterprise._id,
-							groupId: enterprise.groupId,
-							url: data.url,
-							secretHash,
-							subscriptions: data.subscriptions,
-							createdByUserId: data.createdByUserId
-						});
-						await recordEnterpriseAuditEvent(ctx, {
-							enterpriseId: enterprise._id,
-							groupId: enterprise.groupId,
-							eventType: "enterprise.webhook.endpoint.created",
-							actorType: data.createdByUserId ? "user" : "system",
-							actorId: data.createdByUserId,
-							subjectType: "enterprise_webhook_endpoint",
-							subjectId: endpointId,
-							ok: true
-						});
-						return { endpointId };
-					},
-					list: async (ctx, enterpriseId) => {
-						return await ctx.runQuery(config.component.public.enterpriseWebhookEndpointList, { enterpriseId });
-					},
-					disable: async (ctx, endpointId) => {
-						await ctx.runMutation(config.component.public.enterpriseWebhookEndpointUpdate, {
-							endpointId,
-							data: { status: "disabled" }
-						});
-					}
-				},
-				emit: async (ctx, data) => {
-					await emitEnterpriseWebhookDeliveries(ctx, data);
-				},
-				delivery: {
-					list: async (ctx, data) => {
-						return await ctx.runQuery(config.component.public.enterpriseWebhookDeliveryList, data);
-					},
-					listReady: async (ctx, limit) => {
-						return await ctx.runQuery(config.component.public.enterpriseWebhookDeliveryListReady, {
-							now: Date.now(),
-							limit
-						});
-					},
-					markDelivered: async (ctx, deliveryId, responseStatus) => {
-						await ctx.runMutation(config.component.public.enterpriseWebhookDeliveryPatch, {
-							deliveryId,
-							data: {
-								status: "delivered",
-								attemptCount: 1,
-								lastAttemptAt: Date.now(),
-								lastResponseStatus: responseStatus
-							}
-						});
-					},
-					markFailed: async (ctx, deliveryId, data) => {
-						await ctx.runMutation(config.component.public.enterpriseWebhookDeliveryPatch, {
-							deliveryId,
-							data: {
-								status: data.retryAt ? "pending" : "failed",
-								attemptCount: data.attemptCount,
-								lastAttemptAt: Date.now(),
-								lastResponseStatus: data.responseStatus,
-								lastError: data.error,
-								nextAttemptAt: data.retryAt ?? Date.now()
-							}
-						});
-					}
-				}
-			}
-		},
-		http: {
-			add: (http) => {
-				http.route({
-					path: "/.well-known/openid-configuration",
-					method: "GET",
-					handler: httpActionGeneric(async () => {
-						return new Response(JSON.stringify({
-							issuer: requireEnv("CONVEX_SITE_URL"),
-							jwks_uri: requireEnv("CONVEX_SITE_URL") + "/.well-known/jwks.json",
-							authorization_endpoint: requireEnv("CONVEX_SITE_URL") + "/oauth/authorize"
-						}), {
-							status: 200,
-							headers: {
-								"Content-Type": "application/json",
-								"Cache-Control": "public, max-age=15, stale-while-revalidate=15, stale-if-error=86400"
-							}
-						});
-					})
-				});
-				http.route({
-					path: "/.well-known/jwks.json",
-					method: "GET",
-					handler: httpActionGeneric(async () => {
-						return new Response(requireEnv("JWKS"), {
-							status: 200,
-							headers: {
-								"Content-Type": "application/json",
-								"Cache-Control": "public, max-age=15, stale-while-revalidate=15, stale-if-error=86400"
-							}
-						});
-					})
-				});
-				if (hasSSO) {
-					http.route({
-						pathPrefix: `${ENTERPRISE_CONTROL_ROUTE_BASE}/`,
-						method: "GET",
-						handler: httpActionGeneric(convertErrorsToResponse(400, async (ctx, request) => {
-							const runtimePathname = new URL(request.url).pathname;
-							const runtimePrefix = `${ENTERPRISE_CONTROL_ROUTE_BASE}/`;
-							const [runtimeEnterpriseId, protocol, ...rest] = runtimePathname.startsWith(runtimePrefix) ? runtimePathname.slice(runtimePrefix.length).split("/").filter(Boolean) : [];
-							const runtimeRoute = runtimeEnterpriseId !== void 0 && (protocol === "oidc" || protocol === "saml" || protocol === "scim") && rest.length > 0 ? {
-								enterpriseId: runtimeEnterpriseId,
-								protocol,
-								rest
-							} : null;
-							if (!runtimeRoute) throw new AuthError("INVALID_PARAMETERS", "Invalid enterprise runtime path.").toConvexError();
-							if (runtimeRoute.protocol === "saml" && runtimeRoute.rest.length === 1 && runtimeRoute.rest[0] === "metadata") {
-								const enterpriseDoc = await ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId: runtimeRoute.enterpriseId });
-								if (enterpriseDoc === null) throw new AuthError("INVALID_PARAMETERS", "Enterprise not found.").toConvexError();
-								const loaded = {
-									source: {
-										kind: "enterprise",
-										id: runtimeRoute.enterpriseId
-									},
-									config: enterpriseDoc.config,
-									status: enterpriseDoc.status
-								};
-								if (!isEnterpriseSamlSourceActive(loaded)) throw new AuthError("INVALID_PARAMETERS", "Enterprise connection is not active.").toConvexError();
-								if (!getSamlConfig(loaded.config).idp?.metadataXml) throw new AuthError("PROVIDER_NOT_CONFIGURED", "SAML is not configured for this enterprise.").toConvexError();
-								return new Response(createEnterpriseSamlMetadataXml({
-									rootUrl: requireEnv("CONVEX_SITE_URL"),
-									source: loaded.source,
-									config: loaded.config
-								}), {
-									status: 200,
-									headers: { "Content-Type": "application/xml" }
-								});
-							}
-							if (runtimeRoute.protocol === "saml" && runtimeRoute.rest.length === 1 && runtimeRoute.rest[0] === "signin") {
-								const url = new URL(request.url);
-								const verifier = url.searchParams.get("code");
-								if (!verifier) throw new AuthError("OAUTH_MISSING_VERIFIER").toConvexError();
-								const enterpriseDoc = await ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId: runtimeRoute.enterpriseId });
-								if (enterpriseDoc === null) throw new AuthError("INVALID_PARAMETERS", "Enterprise not found.").toConvexError();
-								const loaded = {
-									source: {
-										kind: "enterprise",
-										id: runtimeRoute.enterpriseId
-									},
-									config: enterpriseDoc.config,
-									status: enterpriseDoc.status,
-									enterprise: enterpriseDoc
-								};
-								if (!isEnterpriseSamlSourceActive(loaded)) throw new AuthError("INVALID_PARAMETERS", "Enterprise connection is not active.").toConvexError();
-								if (!getSamlConfig(loaded.config).idp?.metadataXml) throw new AuthError("PROVIDER_NOT_CONFIGURED", "SAML is not configured for this enterprise.").toConvexError();
-								const enterprise = loaded.enterprise;
-								const state = generateRandomString(24, INVITE_TOKEN_ALPHABET);
-								const signInRequest = createEnterpriseSamlSignInRequest({
-									rootUrl: requireEnv("CONVEX_SITE_URL"),
-									source: {
-										kind: "enterprise",
-										id: enterprise._id
-									},
-									config: loaded.config,
-									state,
-									signature: `saml ${enterprise._id} pending ${state}`,
-									redirectTo: url.searchParams.get("redirectTo") ?? void 0
-								});
-								const signature = `saml ${enterprise._id} ${signInRequest.requestId} ${state}`;
-								await callVerifierSignature(ctx, {
-									verifier,
-									signature
-								});
-								const redirectTo = url.searchParams.get("redirectTo");
-								const redirectCookies = redirectTo !== null ? [redirectToParamCookie(enterpriseSamlProviderId(enterprise._id), redirectTo)] : [];
-								const relayState = encodeEnterpriseSamlRelayState({
-									source: {
-										kind: "enterprise",
-										id: enterprise._id
-									},
-									signature,
-									requestId: signInRequest.requestId,
-									state,
-									redirectTo: url.searchParams.get("redirectTo") ?? void 0
-								});
-								if (signInRequest.binding === "redirect" && signInRequest.redirectUrl) {
-									const redirectUrl = new URL(signInRequest.redirectUrl);
-									redirectUrl.searchParams.set("RelayState", relayState);
-									const headers = new Headers({ Location: redirectUrl.toString() });
-									for (const { name, value, options } of redirectCookies) headers.append("Set-Cookie", serialize(name, value, options));
-									return new Response(null, {
-										status: 302,
-										headers
-									});
-								}
-								const response = createSamlPostBindingResponse({
-									endpoint: signInRequest.post.endpoint,
-									parameter: "SAMLRequest",
-									value: signInRequest.post.value,
-									relayState
-								});
-								for (const { name, value, options } of redirectCookies) response.headers.append("Set-Cookie", serialize(name, value, options));
-								return response;
-							}
-							if (runtimeRoute.protocol === "saml" && runtimeRoute.rest.length === 1 && runtimeRoute.rest[0] === "acs") return await samlAcsHandler(ctx, request);
-							if (runtimeRoute.protocol === "saml" && runtimeRoute.rest.length === 1 && runtimeRoute.rest[0] === "slo") return await samlSloHandler(ctx, request);
-							if (runtimeRoute.protocol === "oidc" && runtimeRoute.rest.length === 1 && runtimeRoute.rest[0] === "signin") {
-								const url = new URL(request.url);
-								const verifier = url.searchParams.get("code");
-								if (!verifier) throw new AuthError("OAUTH_MISSING_VERIFIER").toConvexError();
-								const enterprise = await ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId: runtimeRoute.enterpriseId });
-								if (enterprise === null) throw new AuthError("INVALID_PARAMETERS", "Enterprise not found.").toConvexError();
-								if (enterprise.status !== "active") throw new AuthError("INVALID_PARAMETERS", "Enterprise connection is not active.").toConvexError();
-								if (getOidcConfig(enterprise.config).enabled !== true) throw new AuthError("PROVIDER_NOT_CONFIGURED", "OIDC is not configured for this enterprise.").toConvexError();
-								const { providerId, provider, oauthConfig } = await createEnterpriseOidcRuntime({
-									rootUrl: requireEnv("CONVEX_SITE_URL"),
-									enterpriseId: enterprise._id,
-									config: enterprise.config
-								});
-								const { redirect, cookies, signature } = await createOAuthAuthorizationURL(providerId, provider, oauthConfig);
-								await callVerifierSignature(ctx, {
-									verifier,
-									signature
-								});
-								const redirectTo = url.searchParams.get("redirectTo");
-								const headers_ = new Headers({ Location: redirect });
-								for (const { name, value, options } of [...cookies, ...redirectTo !== null ? [redirectToParamCookie(providerId, redirectTo)] : []]) headers_.append("Set-Cookie", serialize(name, value, options));
-								return new Response(null, {
-									status: 302,
-									headers: headers_
-								});
-							}
-							if (runtimeRoute.protocol === "oidc" && runtimeRoute.rest.length === 1 && runtimeRoute.rest[0] === "callback") {
-								const url = new URL(request.url);
-								const enterpriseId = runtimeRoute.enterpriseId;
-								const enterprise = await ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId });
-								if (enterprise === null) throw new AuthError("INVALID_PARAMETERS", "Enterprise not found.").toConvexError();
-								const oidc = getOidcConfig(enterprise.config);
-								const { providerId, provider, oauthConfig } = await createEnterpriseOidcRuntime({
-									rootUrl: requireEnv("CONVEX_SITE_URL"),
-									enterpriseId: enterprise._id,
-									config: enterprise.config
-								});
-								const cookies = getCookies(request);
-								const maybeRedirectTo = useRedirectToParam(providerId, cookies);
-								const destinationUrl = await redirectAbsoluteUrl(config, { redirectTo: maybeRedirectTo?.redirectTo });
-								const params = url.searchParams;
-								const result = await Fx.run(handleOAuthCallback(providerId, provider, oauthConfig, Object.fromEntries(params.entries()), cookies));
-								const extraFields = oidc.extraFields;
-								let profile = result.profile;
-								if (extraFields && typeof profile === "object" && profile) {
-									const extend = {};
-									for (const [claimName, fieldName] of Object.entries(extraFields)) if (claimName in profile) extend[fieldName] = profile[claimName];
-									if (Object.keys(extend).length > 0) profile = {
-										...profile,
-										extend
-									};
-								}
-								const verificationCode = await callUserOAuth(ctx, {
-									provider: providerId,
-									providerAccountId: result.providerAccountId,
-									profile,
-									signature: result.signature,
-									accountExtend: { identity: {
-										protocol: "oidc",
-										enterpriseId: enterprise._id,
-										subject: result.providerAccountId,
-										issuer: typeof oidc.issuer === "string" ? oidc.issuer : void 0,
-										discoveryUrl: typeof oidc.discoveryUrl === "string" ? oidc.discoveryUrl : void 0
-									} }
-								});
-								const headers = new Headers({ Location: setURLSearchParam(destinationUrl, "code", verificationCode) });
-								for (const { name, value, options } of result.cookies) headers.append("Set-Cookie", serialize(name, value, options));
-								if (maybeRedirectTo) headers.append("Set-Cookie", serialize(maybeRedirectTo.updatedCookie.name, maybeRedirectTo.updatedCookie.value, maybeRedirectTo.updatedCookie.options));
-								return new Response(null, {
-									status: 302,
-									headers
-								});
-							}
-							if (runtimeRoute.protocol === "scim" && runtimeRoute.rest[0] === "v2") return await enterpriseScimHandler(ctx, request);
-							throw new AuthError("INVALID_PARAMETERS", "Invalid enterprise runtime path.").toConvexError();
-						}))
-					});
-					http.route({
-						pathPrefix: `${ENTERPRISE_CONTROL_ROUTE_BASE}/`,
-						method: "POST",
-						handler: httpActionGeneric(convertErrorsToResponse(400, async (ctx, request) => {
-							const runtimePathname = new URL(request.url).pathname;
-							const runtimePrefix = `${ENTERPRISE_CONTROL_ROUTE_BASE}/`;
-							const [runtimeEnterpriseId, protocol, ...rest] = runtimePathname.startsWith(runtimePrefix) ? runtimePathname.slice(runtimePrefix.length).split("/").filter(Boolean) : [];
-							const runtimeRoute = runtimeEnterpriseId !== void 0 && (protocol === "oidc" || protocol === "saml" || protocol === "scim") && rest.length > 0 ? {
-								pathname: runtimePathname,
-								enterpriseId: runtimeEnterpriseId,
-								protocol,
-								rest
-							} : null;
-							if (runtimeRoute) {
-								if (runtimeRoute.protocol === "saml" && runtimeRoute.rest.length === 1 && runtimeRoute.rest[0] === "acs") return await samlAcsHandler(ctx, request);
-								if (runtimeRoute.protocol === "saml" && runtimeRoute.rest.length === 1 && runtimeRoute.rest[0] === "slo") return await samlSloHandler(ctx, request);
-								if (runtimeRoute.protocol === "scim" && runtimeRoute.rest[0] === "v2") return await enterpriseScimHandler(ctx, request);
-								throw new AuthError("INVALID_PARAMETERS", "Invalid enterprise runtime path.").toConvexError();
-							}
-							throw new AuthError("INVALID_PARAMETERS", "Invalid enterprise runtime path.").toConvexError();
-						}))
-					});
-					http.route({
-						pathPrefix: `${ENTERPRISE_CONTROL_ROUTE_BASE}/`,
-						method: "PUT",
-						handler: httpActionGeneric(convertErrorsToResponse(400, async (ctx, request) => {
-							const runtimePathname = new URL(request.url).pathname;
-							const runtimePrefix = `${ENTERPRISE_CONTROL_ROUTE_BASE}/`;
-							const [runtimeEnterpriseId, protocol, ...rest] = runtimePathname.startsWith(runtimePrefix) ? runtimePathname.slice(runtimePrefix.length).split("/").filter(Boolean) : [];
-							const runtimeRoute = runtimeEnterpriseId !== void 0 && (protocol === "oidc" || protocol === "saml" || protocol === "scim") && rest.length > 0 ? {
-								pathname: runtimePathname,
-								enterpriseId: runtimeEnterpriseId,
-								protocol,
-								rest
-							} : null;
-							if (runtimeRoute) {
-								if (runtimeRoute.protocol === "scim" && runtimeRoute.rest[0] === "v2") return await enterpriseScimHandler(ctx, request);
-								throw new AuthError("INVALID_PARAMETERS", "Invalid enterprise runtime path.").toConvexError();
-							}
-							throw new AuthError("INVALID_PARAMETERS", "Invalid enterprise runtime path.").toConvexError();
-						}))
-					});
-					const samlAcsHandler = convertErrorsToResponse(400, async (ctx, request) => Fx.run(Fx.gen(function* () {
-						const runtimePathname = new URL(request.url).pathname;
-						const runtimePrefix = `${ENTERPRISE_CONTROL_ROUTE_BASE}/`;
-						const [runtimeEnterpriseId, protocol, ...rest] = runtimePathname.startsWith(runtimePrefix) ? runtimePathname.slice(runtimePrefix.length).split("/").filter(Boolean) : [];
-						const runtimeRoute = runtimeEnterpriseId !== void 0 && (protocol === "oidc" || protocol === "saml" || protocol === "scim") && rest.length > 0 ? {
-							pathname: runtimePathname,
-							enterpriseId: runtimeEnterpriseId,
-							protocol,
-							rest
-						} : null;
-						yield* Fx.guard(!runtimeRoute || runtimeRoute.protocol !== "saml" || runtimeRoute.rest.length !== 1 || runtimeRoute.rest[0] !== "acs", Fx.fail(new AuthError("INVALID_PARAMETERS", "Invalid enterprise runtime path.").toConvexError()));
-						const enterpriseId = runtimeRoute.enterpriseId;
-						const { loaded, saml } = yield* Fx.from({
-							ok: async () => {
-								const enterprise$1 = await ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId });
-								if (enterprise$1 === null) throw new AuthError("INVALID_PARAMETERS", "Enterprise not found.").toConvexError();
-								const loaded$1 = {
-									source: {
-										kind: "enterprise",
-										id: enterpriseId
-									},
-									config: enterprise$1.config,
-									status: enterprise$1.status,
-									enterprise: enterprise$1
-								};
-								if (!isEnterpriseSamlSourceActive(loaded$1)) throw new AuthError("INVALID_PARAMETERS", "Enterprise connection is not active.").toConvexError();
-								const saml$1 = getSamlConfig(loaded$1.config);
-								if (!saml$1.idp?.metadataXml) throw new AuthError("PROVIDER_NOT_CONFIGURED", "SAML is not configured for this enterprise.").toConvexError();
-								return {
-									loaded: loaded$1,
-									saml: saml$1
-								};
-							},
-							err: (e) => e
-						});
-						const enterprise = loaded.enterprise;
-						const parsedResponse = yield* Fx.from({
-							ok: () => parseEnterpriseSamlLoginResponse({
-								request,
-								rootUrl: requireEnv("CONVEX_SITE_URL"),
-								source: {
-									kind: "enterprise",
-									id: enterprise._id
-								},
-								config: loaded.config
-							}),
-							err: (e) => new AuthError("OAUTH_PROVIDER_ERROR", `SAML response parse failed: ${e instanceof Error ? e.message : String(e)}`).toConvexError()
-						});
-						yield* Fx.from({
-							ok: () => {
-								validateEnterpriseSamlLoginRelayState({
-									relayState: parsedResponse.relayState,
-									source: {
-										kind: "enterprise",
-										id: enterprise._id
-									},
-									inResponseTo: parsedResponse.parsed.extract?.response?.inResponseTo
-								});
-								return Promise.resolve();
-							},
-							err: () => new AuthError("OAUTH_INVALID_STATE", "SAML RelayState did not match the pending login request.").toConvexError()
-						});
-						const { samlAttributes, samlSessionIndex, ...userProfile } = profileFromSamlExtract(parsedResponse.parsed.extract, saml.attributeMapping);
-						const profile = userProfile;
-						const maybeRedirectTo = useRedirectToParam(enterpriseSamlProviderId(enterprise._id), getCookies(request));
-						const verificationCode = yield* Fx.from({
-							ok: () => callUserOAuth(ctx, {
-								provider: enterpriseSamlProviderId(enterprise._id),
-								providerAccountId: profile.id,
-								profile,
-								signature: parsedResponse.relayState.signature,
-								accountExtend: {
-									identity: {
-										protocol: "saml",
-										enterpriseId: enterprise._id,
-										subject: profile.id,
-										entityId: typeof saml.entityId === "string" ? saml.entityId : void 0
-									},
-									saml: {
-										attributes: samlAttributes,
-										sessionIndex: samlSessionIndex
-									}
-								}
-							}),
-							err: (e) => e
-						});
-						const vurl = setURLSearchParam(yield* Fx.from({
-							ok: () => redirectAbsoluteUrl(config, { redirectTo: maybeRedirectTo?.redirectTo ?? (typeof parsedResponse.relayState.redirectTo === "string" ? parsedResponse.relayState.redirectTo : void 0) }),
-							err: (e) => e
-						}), "code", verificationCode);
-						const vheaders = new Headers({ Location: vurl });
-						vheaders.set("Cache-Control", "must-revalidate");
-						for (const { name, value, options } of maybeRedirectTo !== null ? [maybeRedirectTo.updatedCookie] : []) vheaders.append("Set-Cookie", serialize(name, value, options));
-						return new Response(null, {
-							status: 302,
-							headers: vheaders
-						});
-					}).pipe(Fx.recover((e) => Fx.fatal(e)))));
-					const samlSloHandler = convertErrorsToResponse(400, async (ctx, request) => {
-						const runtimePathname = new URL(request.url).pathname;
-						const runtimePrefix = `${ENTERPRISE_CONTROL_ROUTE_BASE}/`;
-						const [runtimeEnterpriseId, protocol, ...rest] = runtimePathname.startsWith(runtimePrefix) ? runtimePathname.slice(runtimePrefix.length).split("/").filter(Boolean) : [];
-						const runtimeRoute = runtimeEnterpriseId !== void 0 && (protocol === "oidc" || protocol === "saml" || protocol === "scim") && rest.length > 0 ? {
-							pathname: runtimePathname,
-							enterpriseId: runtimeEnterpriseId,
-							protocol,
-							rest
-						} : null;
-						if (!runtimeRoute || runtimeRoute.protocol !== "saml" || runtimeRoute.rest.length !== 1 || runtimeRoute.rest[0] !== "slo") throw new AuthError("INVALID_PARAMETERS", "Invalid enterprise runtime path.").toConvexError();
-						const enterpriseId = runtimeRoute.enterpriseId;
-						const enterpriseDoc = await ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId });
-						if (enterpriseDoc === null) throw new AuthError("INVALID_PARAMETERS", "Enterprise not found.").toConvexError();
-						const loaded = {
-							source: {
-								kind: "enterprise",
-								id: enterpriseId
-							},
-							config: enterpriseDoc.config,
-							status: enterpriseDoc.status,
-							enterprise: enterpriseDoc
-						};
-						if (!isEnterpriseSamlSourceActive(loaded)) throw new AuthError("INVALID_PARAMETERS", "Enterprise connection is not active.").toConvexError();
-						if (!getSamlConfig(loaded.config).idp?.metadataXml) throw new AuthError("PROVIDER_NOT_CONFIGURED", "SAML is not configured for this enterprise.").toConvexError();
-						const enterprise = loaded.enterprise;
-						const parsedMessage = await parseEnterpriseSamlLogoutMessage({
-							request,
-							rootUrl: requireEnv("CONVEX_SITE_URL"),
-							source: {
-								kind: "enterprise",
-								id: enterprise._id
-							},
-							config: loaded.config
-						});
-						if (parsedMessage.hasSamlRequest && parsedMessage.parsedRequest) {
-							const responseContext = parsedMessage.runtime.sp.createLogoutResponse(parsedMessage.runtime.idp, parsedMessage.parsedRequest.extract, parsedMessage.binding, parsedMessage.relayState ?? "");
-							if (parsedMessage.binding === "redirect") return new Response(null, {
-								status: 302,
-								headers: { Location: responseContext.context }
-							});
-							return createSamlPostBindingResponse({
-								endpoint: responseContext.entityEndpoint,
-								parameter: "SAMLResponse",
-								value: responseContext.context,
-								relayState: parsedMessage.relayState
-							});
-						}
-						if (parsedMessage.hasSamlResponse) return new Response(null, { status: 204 });
-						throw new AuthError("INVALID_PARAMETERS", "Missing SAML logout payload.").toConvexError();
-					});
-					const enterpriseScimHandler = async (ctx, request) => {
-						try {
-							const { scimConfig, enterprise, parsedPath } = await getEnterpriseScimContext(ctx, request);
-							const state = {
-								ctx,
-								request,
-								url: new URL(request.url),
-								parsedPath,
-								enterprise,
-								scimConfig,
-								recordScimEvent: async (eventType, ok, subjectType, subjectId, metadata) => {
-									const auditEventId = await recordEnterpriseAuditEvent(ctx, {
-										enterpriseId: enterprise._id,
-										groupId: enterprise.groupId,
-										eventType,
-										actorType: "scim",
-										subjectType,
-										subjectId,
-										ok,
-										metadata
-									});
-									await emitEnterpriseWebhookDeliveries(ctx, {
-										enterpriseId: enterprise._id,
-										eventType,
-										auditEventId,
-										payload: {
-											enterpriseId: enterprise._id,
-											subjectId,
-											metadata
-										}
-									});
-								}
-							};
-							const handleUsersGet = async (state$1) => {
-								const members = await auth.member.list(state$1.ctx, {
-									where: { groupId: state$1.enterprise.groupId },
-									limit: 100
-								});
-								const identities = await state$1.ctx.runQuery(config.component.public.enterpriseScimIdentityListByEnterprise, { enterpriseId: state$1.enterprise._id });
-								const identityByUserId = new Map(identities.filter((identity) => identity.userId !== void 0).map((identity) => [identity.userId, identity]));
-								const users = (await Promise.all(members.items.map(async (member) => {
-									const user = await auth.user.get(state$1.ctx, member.userId);
-									return user ? {
-										user,
-										member,
-										identity: identityByUserId.get(user._id)
-									} : null;
-								}))).filter(Boolean);
-								const listRequest = parseScimListRequest(state$1.url);
-								const filtered = filterScimCollection(users, listRequest.filter, {
-									id: (item, value) => item.user._id === value,
-									externalId: (item, value) => item.identity?.externalId === value,
-									userName: (item, value) => item.user.email === value,
-									"emails.value": (item, value) => item.user.email === value,
-									active: (item, value) => String(item.identity?.active ?? item.member.status === "active") === value
-								});
-								if (state$1.parsedPath.resourceId) {
-									const resource = filtered.find(({ user }) => user._id === state$1.parsedPath.resourceId);
-									return resource ? scimJson(serializeScimUser({
-										id: resource.user._id,
-										user: resource.user,
-										externalId: resource.identity?.externalId,
-										location: `${state$1.url.origin}${state$1.url.pathname.replace(/\/[^/]+$/, "")}/${resource.user._id}`,
-										active: resource.identity?.active ?? resource.member.status === "active"
-									}), 200, { Location: `${state$1.url.origin}${state$1.url.pathname.replace(/\/[^/]+$/, "")}/${resource.user._id}` }) : scimError(404, "notFound", "User not found.");
-								}
-								const paged = paginateScimCollection(filtered, listRequest);
-								await state$1.recordScimEvent("enterprise.scim.read", true, "enterprise_scim", state$1.scimConfig._id);
-								return scimJson({
-									schemas: ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
-									Resources: paged.map(({ user, identity, member }) => serializeScimUser({
-										id: user._id,
-										user,
-										externalId: identity?.externalId,
-										location: `${state$1.url.origin}${state$1.url.pathname}/${user._id}`,
-										active: identity?.active ?? member.status === "active"
-									})),
-									totalResults: filtered.length,
-									startIndex: listRequest.startIndex,
-									itemsPerPage: paged.length
-								});
-							};
-							const handleUsersPost = async (state$1) => {
-								const body = await readScimJson(state$1.request);
-								const primaryEmail = Array.isArray(body.emails) ? body.emails.find((entry) => entry.primary === true)?.value ?? body.emails[0]?.value : void 0;
-								const phone = Array.isArray(body.phoneNumbers) ? body.phoneNumbers[0]?.value : void 0;
-								const userId = await state$1.ctx.runMutation(config.component.public.userInsert, { data: {
-									name: body.displayName ?? body.name?.formatted,
-									email: primaryEmail ?? body.userName,
-									...typeof (primaryEmail ?? body.userName) === "string" ? { emailVerificationTime: Date.now() } : {},
-									phone,
-									...typeof phone === "string" ? { phoneVerificationTime: Date.now() } : {}
-								} });
-								try {
-									await auth.member.add(state$1.ctx, {
-										groupId: state$1.enterprise.groupId,
-										userId,
-										role: "member",
-										status: body.active === false ? "inactive" : "active"
-									});
-								} catch {}
-								await state$1.ctx.runMutation(config.component.public.enterpriseScimIdentityUpsert, {
-									enterpriseId: state$1.enterprise._id,
-									groupId: state$1.enterprise.groupId,
-									resourceType: "user",
-									externalId: typeof body.externalId === "string" ? body.externalId : void 0,
-									userId,
-									active: body.active !== false,
-									raw: body,
-									lastProvisionedAt: Date.now()
-								});
-								await state$1.recordScimEvent("enterprise.scim.user.created", true, "user", userId);
-								const createdUser = await auth.user.get(state$1.ctx, userId);
-								const location = `${state$1.url.origin}${state$1.url.pathname}/${userId}`;
-								return scimJson(serializeScimUser({
-									id: userId,
-									user: createdUser ?? {},
-									externalId: body.externalId,
-									location,
-									active: body.active !== false
-								}), 201, { Location: location });
-							};
-							const handleUsersUpsert = async (state$1) => {
-								const missing = requireScimResourceId(state$1.parsedPath.resourceId, "User");
-								if (missing) return missing;
-								const userId = state$1.parsedPath.resourceId;
-								const existingUser = await auth.user.get(state$1.ctx, userId);
-								if (!existingUser) return scimError(404, "notFound", "User not found.");
-								const body = await readScimJson(state$1.request);
-								const patchData = {};
-								let nextActive;
-								if (state$1.request.method === "PUT") {
-									patchData.name = body.displayName ?? body.name?.formatted;
-									patchData.email = body.userName ?? (Array.isArray(body.emails) ? body.emails[0]?.value : void 0);
-									patchData.phone = Array.isArray(body.phoneNumbers) ? body.phoneNumbers[0]?.value : void 0;
-									if (typeof patchData.email === "string") patchData.emailVerificationTime = Date.now();
-									if (typeof patchData.phone === "string") patchData.phoneVerificationTime = Date.now();
-								} else for (const operation of Array.isArray(body.Operations) ? body.Operations : []) {
-									if (operation.path === "active") nextActive = operation.value;
-									if (operation.path === "displayName" || operation.path === "name.formatted") patchData.name = operation.value;
-									if (operation.path === "userName" || operation.path === "emails.value") {
-										patchData.email = operation.value;
-										if (typeof operation.value === "string") patchData.emailVerificationTime = Date.now();
-									}
-									if (operation.path === "phoneNumbers.value") {
-										patchData.phone = operation.value;
-										if (typeof operation.value === "string") patchData.phoneVerificationTime = Date.now();
-									}
-								}
-								await state$1.ctx.runMutation(config.component.public.userPatch, {
-									userId,
-									data: patchData
-								});
-								const membership = await auth.member.getByUserAndGroup(state$1.ctx, {
-									groupId: state$1.enterprise.groupId,
-									userId
-								});
-								if (membership) await auth.member.update(state$1.ctx, membership._id, { status: body.active === false || nextActive === false ? "inactive" : "active" });
-								await state$1.ctx.runMutation(config.component.public.enterpriseScimIdentityUpsert, {
-									enterpriseId: state$1.enterprise._id,
-									groupId: state$1.enterprise.groupId,
-									resourceType: "user",
-									externalId: typeof body.externalId === "string" ? body.externalId : void 0,
-									userId,
-									active: body.active !== false && nextActive !== false,
-									raw: body,
-									lastProvisionedAt: Date.now()
-								});
-								await state$1.recordScimEvent("enterprise.scim.user.updated", true, "user", userId);
-								const updatedUser = await auth.user.get(state$1.ctx, userId);
-								const location = `${state$1.url.origin}${state$1.url.pathname}`;
-								return scimJson(serializeScimUser({
-									id: userId,
-									user: updatedUser ?? existingUser,
-									externalId: typeof body.externalId === "string" ? body.externalId : void 0,
-									location,
-									active: body.active !== false && nextActive !== false
-								}), 200, { Location: location });
-							};
-							const handleUsersDelete = async (state$1) => {
-								const missing = requireScimResourceId(state$1.parsedPath.resourceId, "User");
-								if (missing) return missing;
-								const userId = state$1.parsedPath.resourceId;
-								const membership = await auth.member.getByUserAndGroup(state$1.ctx, {
-									groupId: state$1.enterprise.groupId,
-									userId
-								});
-								if (membership) await auth.member.remove(state$1.ctx, membership._id);
-								const identity = await state$1.ctx.runQuery(config.component.public.enterpriseScimIdentityGetByUser, { userId });
-								if (identity) if (state$1.scimConfig.deprovisionMode === "hard") await state$1.ctx.runMutation(config.component.public.enterpriseScimIdentityDelete, { identityId: identity._id });
-								else await state$1.ctx.runMutation(config.component.public.enterpriseScimIdentityUpsert, {
-									enterpriseId: identity.enterpriseId,
-									groupId: identity.groupId,
-									resourceType: identity.resourceType,
-									externalId: identity.externalId,
-									userId: identity.userId,
-									mappedGroupId: identity.mappedGroupId,
-									active: false,
-									raw: identity.raw,
-									lastProvisionedAt: Date.now()
-								});
-								await state$1.recordScimEvent("enterprise.scim.user.deleted", true, "user", userId);
-								return new Response(null, { status: 204 });
-							};
-							const handleGroupsGet = async (state$1) => {
-								const groupsList = await auth.group.list(state$1.ctx, {
-									where: { parentGroupId: state$1.enterprise.groupId },
-									limit: 100
-								});
-								const identities = await state$1.ctx.runQuery(config.component.public.enterpriseScimIdentityListByEnterprise, { enterpriseId: state$1.enterprise._id });
-								const identityByGroupId = new Map(identities.filter((identity) => identity.mappedGroupId !== void 0).map((identity) => [identity.mappedGroupId, identity]));
-								const groups = groupsList.items.map((group) => ({
-									group,
-									identity: identityByGroupId.get(group._id)
-								}));
-								const listRequest = parseScimListRequest(state$1.url);
-								const filtered = filterScimCollection(groups, listRequest.filter, {
-									id: (item, value) => item.group._id === value,
-									externalId: (item, value) => item.identity?.externalId === value,
-									displayName: (item, value) => item.group.name === value
-								});
-								if (state$1.parsedPath.resourceId) {
-									const resource = filtered.find(({ group }) => group._id === state$1.parsedPath.resourceId);
-									if (!resource) return scimError(404, "notFound", "Group not found.");
-									const members = (await auth.member.list(state$1.ctx, {
-										where: {
-											groupId: resource.group._id,
-											status: "active"
-										},
-										limit: 100
-									})).items.map((member) => ({ value: member.userId }));
-									const location = `${state$1.url.origin}${state$1.url.pathname.replace(/\/[^/]+$/, "")}/${resource.group._id}`;
-									return scimJson(serializeScimGroup({
-										id: resource.group._id,
-										group: resource.group,
-										externalId: resource.identity?.externalId,
-										location,
-										members
-									}), 200, { Location: location });
-								}
-								const paged = paginateScimCollection(filtered, listRequest);
-								return scimJson({
-									schemas: ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
-									Resources: paged.map(({ group, identity }) => serializeScimGroup({
-										id: group._id,
-										group,
-										externalId: identity?.externalId,
-										location: `${state$1.url.origin}${state$1.url.pathname}/${group._id}`
-									})),
-									totalResults: filtered.length,
-									startIndex: listRequest.startIndex,
-									itemsPerPage: paged.length
-								});
-							};
-							const handleGroupsPost = async (state$1) => {
-								const body = await readScimJson(state$1.request);
-								const groupId = await auth.group.create(state$1.ctx, {
-									name: String(body.displayName ?? "Group"),
-									parentGroupId: state$1.enterprise.groupId,
-									type: "organization"
-								});
-								await state$1.ctx.runMutation(config.component.public.enterpriseScimIdentityUpsert, {
-									enterpriseId: state$1.enterprise._id,
-									groupId: state$1.enterprise.groupId,
-									resourceType: "group",
-									externalId: body.externalId ?? groupId,
-									mappedGroupId: groupId,
-									active: true,
-									raw: body,
-									lastProvisionedAt: Date.now()
-								});
-								for (const member of Array.isArray(body.members) ? body.members : []) try {
-									await auth.member.add(state$1.ctx, {
-										groupId,
-										userId: String(member.value),
-										role: "member",
-										status: "active"
-									});
-								} catch {}
-								await state$1.recordScimEvent("enterprise.scim.group.created", true, "group", groupId);
-								const group = await auth.group.get(state$1.ctx, groupId);
-								const location = `${state$1.url.origin}${state$1.url.pathname}/${groupId}`;
-								return scimJson(serializeScimGroup({
-									id: groupId,
-									group: group ?? {},
-									externalId: body.externalId,
-									location,
-									members: (await auth.member.list(state$1.ctx, {
-										where: {
-											groupId,
-											status: "active"
-										},
-										limit: 100
-									})).items.map((member) => ({ value: member.userId }))
-								}), 201, { Location: location });
-							};
-							const handleGroupsPatch = async (state$1) => {
-								const missing = requireScimResourceId(state$1.parsedPath.resourceId, "Group");
-								if (missing) return missing;
-								const groupId = state$1.parsedPath.resourceId;
-								const body = await readScimJson(state$1.request);
-								for (const operation of Array.isArray(body.Operations) ? body.Operations : []) {
-									if (operation.path === "displayName") await auth.group.update(state$1.ctx, groupId, { name: operation.value });
-									if (operation.path === "members" && operation.op === "add") for (const member of Array.isArray(operation.value) ? operation.value : []) try {
-										await auth.member.add(state$1.ctx, {
-											groupId,
-											userId: String(member.value),
-											role: "member",
-											status: "active"
-										});
-									} catch {}
-									if (operation.path === "members" && operation.op === "replace") {
-										const currentMembers = (await auth.member.list(state$1.ctx, {
-											where: {
-												groupId,
-												status: "active"
-											},
-											limit: 100
-										})).items;
-										const currentUserIds = new Set(currentMembers.map((member) => member.userId));
-										const nextUserIds = new Set((Array.isArray(operation.value) ? operation.value : []).map((member) => String(member.value)));
-										for (const member of currentMembers) if (!nextUserIds.has(member.userId)) await auth.member.remove(state$1.ctx, member._id);
-										for (const userId of nextUserIds.values()) if (!currentUserIds.has(userId)) try {
-											await auth.member.add(state$1.ctx, {
-												groupId,
-												userId,
-												role: "member",
-												status: "active"
-											});
-										} catch {}
-									}
-									if (typeof operation.path === "string" && operation.op === "remove" && operation.path.startsWith("members[")) {
-										const userId = operation.path.match(/^members\[value eq "([^"]+)"\]$/)?.[1];
-										if (userId) {
-											const membership = await auth.member.getByUserAndGroup(state$1.ctx, {
-												groupId,
-												userId
-											});
-											if (membership) await auth.member.remove(state$1.ctx, membership._id);
-										}
-									}
-								}
-								await state$1.recordScimEvent("enterprise.scim.group.updated", true, "group", groupId);
-								const group = await auth.group.get(state$1.ctx, groupId);
-								const location = `${state$1.url.origin}${state$1.url.pathname}`;
-								const members = (await auth.member.list(state$1.ctx, {
-									where: {
-										groupId,
-										status: "active"
-									},
-									limit: 100
-								})).items;
-								return scimJson(serializeScimGroup({
-									id: groupId,
-									group: group ?? {},
-									location,
-									members: members.map((member) => ({ value: member.userId }))
-								}), 200, { Location: location });
-							};
-							const handleGroupsDelete = async (state$1) => {
-								const missing = requireScimResourceId(state$1.parsedPath.resourceId, "Group");
-								if (missing) return missing;
-								const groupId = state$1.parsedPath.resourceId;
-								await auth.group.delete(state$1.ctx, groupId);
-								const identity = await state$1.ctx.runQuery(config.component.public.enterpriseScimIdentityGetByMappedGroup, { mappedGroupId: groupId });
-								if (identity) await state$1.ctx.runMutation(config.component.public.enterpriseScimIdentityDelete, { identityId: identity._id });
-								await state$1.recordScimEvent("enterprise.scim.group.deleted", true, "group", groupId);
-								return new Response(null, { status: 204 });
-							};
-							const handler = {
-								ServiceProviderConfig: { GET: async () => scimJson({
-									schemas: ["urn:ietf:params:scim:schemas:core:2.0:ServiceProviderConfig"],
-									patch: { supported: true },
-									bulk: {
-										supported: false,
-										maxOperations: 0,
-										maxPayloadSize: 0
-									},
-									filter: {
-										supported: true,
-										maxResults: 100
-									},
-									changePassword: { supported: false },
-									sort: { supported: false },
-									etag: { supported: false },
-									authenticationSchemes: [{
-										type: "oauthbearertoken",
-										name: "Bearer Token",
-										description: "Use the SCIM token generated by Convex Auth enterprise."
-									}]
-								}) },
-								Schemas: { GET: async (state$1) => handleStaticScimCollection(SCIM_SCHEMAS, state$1.parsedPath.resourceId, {
-									by: "id",
-									notFound: "Schema not found."
-								}) },
-								ResourceTypes: { GET: async (state$1) => handleStaticScimCollection(SCIM_RESOURCE_TYPES, state$1.parsedPath.resourceId, {
-									by: "name",
-									notFound: "Resource type not found."
-								}) },
-								Users: {
-									GET: handleUsersGet,
-									POST: handleUsersPost,
-									PATCH: handleUsersUpsert,
-									PUT: handleUsersUpsert,
-									DELETE: handleUsersDelete
-								},
-								Groups: {
-									GET: handleGroupsGet,
-									POST: handleGroupsPost,
-									PATCH: handleGroupsPatch,
-									DELETE: handleGroupsDelete
-								}
-							}[state.parsedPath.resource]?.[state.request.method];
-							return handler ? await handler(state) : scimError(404, "notFound", "SCIM resource not found.");
-						} catch (error) {
-							if (error instanceof Error && error.message === "Unsupported SCIM filter.") return scimError(400, "invalidFilter", error.message);
-							if (isAuthError(error)) {
-								const code = error.data.code;
-								return scimError(code === "MISSING_BEARER_TOKEN" || code === "INVALID_API_KEY" ? 401 : 400, code, error.data.message);
-							}
-							throw error;
-						}
-					};
-					for (const method of ["PATCH", "DELETE"]) http.route({
-						pathPrefix: "/api/auth/sso/",
-						method,
-						handler: httpActionGeneric(async (ctx, request) => {
-							const runtimePathname = new URL(request.url).pathname;
-							const runtimePrefix = `${ENTERPRISE_CONTROL_ROUTE_BASE}/`;
-							const [runtimeEnterpriseId, protocol, ...rest] = runtimePathname.startsWith(runtimePrefix) ? runtimePathname.slice(runtimePrefix.length).split("/").filter(Boolean) : [];
-							const runtimeRoute = runtimeEnterpriseId !== void 0 && (protocol === "oidc" || protocol === "saml" || protocol === "scim") && rest.length > 0 ? {
-								pathname: runtimePathname,
-								enterpriseId: runtimeEnterpriseId,
-								protocol,
-								rest
-							} : null;
-							if (!runtimeRoute || runtimeRoute.protocol !== "scim" || runtimeRoute.rest[0] !== "v2") return scimError(404, "notFound", "SCIM resource not found.");
-							return await enterpriseScimHandler(ctx, request);
-						})
-					});
-				}
-				if (hasOAuth) {
-					http.route({
-						pathPrefix: "/api/auth/signin/",
-						method: "GET",
-						handler: httpActionGeneric(convertErrorsToResponse(400, async (ctx, request) => {
-							const url = new URL(request.url);
-							const providerId = url.pathname.split("/").at(-1);
-							if (providerId === null) throw new AuthError("OAUTH_MISSING_PROVIDER").toConvexError();
-							const verifier = url.searchParams.get("code");
-							if (verifier === null) throw new AuthError("OAUTH_MISSING_VERIFIER").toConvexError();
-							const oauthConfig = getProviderOrThrow(providerId);
-							const { redirect, cookies, signature } = await createOAuthAuthorizationURL(providerId, oauthConfig.provider, oauthConfig);
-							await callVerifierSignature(ctx, {
-								verifier,
-								signature
-							});
-							const redirectTo = url.searchParams.get("redirectTo");
-							if (redirectTo !== null) cookies.push(redirectToParamCookie(providerId, redirectTo));
-							const headers = new Headers({ Location: redirect });
-							for (const { name, value, options } of cookies) headers.append("Set-Cookie", serialize(name, value, options));
-							return new Response(null, {
-								status: 302,
-								headers
-							});
-						}))
-					});
-					const callbackAction = httpActionGeneric(async (ctx, request) => {
-						const url = new URL(request.url);
-						const providerId = new URL(request.url).pathname.split("/").at(-1);
-						if (!providerId) throw new AuthError("OAUTH_MISSING_PROVIDER").toConvexError();
-						logWithLevel(LOG_LEVELS.DEBUG, "Handling OAuth callback for provider:", providerId);
-						const provider = getProviderOrThrow(providerId);
-						const cookies = getCookies(request);
-						const maybeRedirectTo = useRedirectToParam(provider.id, cookies);
-						const destinationUrl = await redirectAbsoluteUrl(config, { redirectTo: maybeRedirectTo?.redirectTo });
-						const params = url.searchParams;
-						if (request.headers.get("Content-Type") === "application/x-www-form-urlencoded") (await request.formData()).forEach((value, key) => {
-							if (typeof value === "string") params.append(key, value);
-						});
-						return Fx.run(Fx.from({
-							ok: async () => {
-								const oauthConfig = provider;
-								const result = await Fx.run(handleOAuthCallback(providerId, oauthConfig.provider, oauthConfig, Object.fromEntries(params.entries()), cookies));
-								const oauthCookies = result.cookies;
-								const { id: profileId, ...profileData } = result.profile;
-								const { signature } = result;
-								const redirUrl = setURLSearchParam(destinationUrl, "code", await callUserOAuth(ctx, {
-									provider: providerId,
-									providerAccountId: profileId,
-									profile: profileData,
-									signature
-								}));
-								const redirHeaders = new Headers({ Location: redirUrl });
-								redirHeaders.set("Cache-Control", "must-revalidate");
-								for (const { name, value, options } of [...oauthCookies, ...maybeRedirectTo !== null ? [maybeRedirectTo.updatedCookie] : []]) redirHeaders.append("Set-Cookie", serialize(name, value, options));
-								return new Response(null, {
-									status: 302,
-									headers: redirHeaders
-								});
-							},
-							err: (error) => error
-						}).pipe(Fx.recover((error) => {
-							logError(error);
-							const respHeaders = new Headers({ Location: destinationUrl });
-							for (const { name, value, options } of maybeRedirectTo !== null ? [maybeRedirectTo.updatedCookie] : []) respHeaders.append("Set-Cookie", serialize(name, value, options));
-							return Fx.succeed(new Response(null, {
-								status: 302,
-								headers: respHeaders
-							}));
-						})));
-					});
-					http.route({
-						pathPrefix: "/api/auth/callback/",
-						method: "GET",
-						handler: callbackAction
-					});
-					http.route({
-						pathPrefix: "/api/auth/callback/",
-						method: "POST",
-						handler: callbackAction
-					});
-				}
-			},
-			action: (handler, options) => {
-				const corsConfig = options?.cors ?? {};
-				const corsHeaders = {
-					"Access-Control-Allow-Origin": corsConfig.origin ?? "*",
-					"Access-Control-Allow-Methods": corsConfig.methods ?? "GET,POST,PUT,PATCH,DELETE,OPTIONS",
-					"Access-Control-Allow-Headers": corsConfig.headers ?? "Content-Type,Authorization"
-				};
-				return httpActionGeneric(async (genericCtx, request) => {
-					return Fx.run(Fx.from({
-						ok: async () => {
-							const authHeader = request.headers.get("Authorization");
-							if (!authHeader?.startsWith("Bearer ")) return new Response(JSON.stringify({
-								error: "Missing or malformed Authorization: Bearer header.",
-								code: "MISSING_BEARER_TOKEN"
-							}), {
-								status: 401,
-								headers: {
-									...corsHeaders,
-									"Content-Type": "application/json"
-								}
-							});
-							const rawKey = authHeader.slice(7);
-							const keyResult = await Fx.run(Fx.from({
-								ok: () => auth.key.verify(genericCtx, rawKey),
-								err: (error) => error
-							}).pipe(Fx.fold({
-								ok: (result$1) => ({
-									ok: true,
-									value: result$1
-								}),
-								err: (error) => ({
-									ok: false,
-									error
-								})
-							})));
-							if (!keyResult.ok) {
-								if (isAuthError(keyResult.error)) {
-									const { code, message } = keyResult.error.data;
-									return new Response(JSON.stringify({
-										error: message,
-										code
-									}), {
-										status: 403,
-										headers: {
-											...corsHeaders,
-											"Content-Type": "application/json"
-										}
-									});
-								}
-								throw keyResult.error;
-							}
-							if (options?.scope) {
-								if (!keyResult.value.scopes.can(options.scope.resource, options.scope.action)) return new Response(JSON.stringify({
-									error: "This API key does not have the required permissions.",
-									code: "SCOPE_CHECK_FAILED"
-								}), {
-									status: 403,
-									headers: {
-										...corsHeaders,
-										"Content-Type": "application/json"
-									}
-								});
-							}
-							const result = await handler(Object.assign(genericCtx, { key: {
-								userId: keyResult.value.userId,
-								keyId: keyResult.value.keyId,
-								scopes: keyResult.value.scopes
-							} }), request);
-							if (result instanceof Response) {
-								const headers = new Headers(result.headers);
-								for (const [k, val] of Object.entries(corsHeaders)) if (!headers.has(k)) headers.set(k, val);
-								return new Response(result.body, {
-									status: result.status,
-									statusText: result.statusText,
-									headers
-								});
-							}
-							return new Response(JSON.stringify(result), {
-								status: 200,
-								headers: {
-									...corsHeaders,
-									"Content-Type": "application/json"
-								}
-							});
-						},
-						err: (error) => error
-					}).pipe(Fx.recover((error) => {
-						logError(error);
-						return Fx.succeed(new Response(JSON.stringify({
-							error: "An unexpected error occurred.",
-							code: "INTERNAL_ERROR"
-						}), {
-							status: 500,
-							headers: {
-								...corsHeaders,
-								"Content-Type": "application/json"
-							}
-						}));
-					})));
-				});
-			},
-			route: (http, routeConfig) => {
-				const corsConfig = routeConfig.cors ?? {};
-				const corsHeaders = {
-					"Access-Control-Allow-Origin": corsConfig.origin ?? "*",
-					"Access-Control-Allow-Methods": corsConfig.methods ?? "GET,POST,PUT,PATCH,DELETE,OPTIONS",
-					"Access-Control-Allow-Headers": corsConfig.headers ?? "Content-Type,Authorization"
-				};
-				http.route({
-					path: routeConfig.path,
-					method: "OPTIONS",
-					handler: httpActionGeneric(async () => {
-						return new Response(null, {
-							status: 204,
-							headers: corsHeaders
-						});
-					})
-				});
-				http.route({
-					path: routeConfig.path,
-					method: routeConfig.method,
-					handler: auth.http.action(routeConfig.handler, {
-						scope: routeConfig.scope,
-						cors: routeConfig.cors
-					})
-				});
-			}
-		}
-	};
-	const enrichCtx = (ctx) => ({
-		...ctx,
-		auth: {
-			...ctx.auth,
-			config,
-			account: auth.account,
-			session: auth.session,
-			provider: auth.provider
-		}
-	});
-	return {
-		auth,
-		signIn: actionGeneric({
-			args: {
-				provider: v.optional(v.string()),
-				params: v.optional(v.any()),
-				verifier: v.optional(v.string()),
-				refreshToken: v.optional(v.string()),
-				calledBy: v.optional(v.string())
-			},
-			handler: async (ctx, args) => {
-				if (args.calledBy !== void 0) logWithLevel("INFO", `\`auth/session:start\` called by ${args.calledBy}`);
-				const provider = args.provider !== void 0 ? getProviderOrThrow(args.provider) : null;
-				const result = await signInImpl(enrichCtx(ctx), provider, args, {
-					generateTokens: true,
-					allowExtraProviders: false
-				});
-				return Fx.run(Fx.match(result, result.kind, {
-					redirect: (r) => Fx.succeed({
-						kind: "redirect",
-						redirect: r.redirect,
-						verifier: r.verifier
-					}),
-					signedIn: (r) => Fx.succeed({
-						kind: "signedIn",
-						tokens: r.signedIn?.tokens ?? null
-					}),
-					refreshTokens: (r) => Fx.succeed({
-						kind: "signedIn",
-						tokens: r.signedIn?.tokens ?? null
-					}),
-					started: () => Fx.succeed({ kind: "started" }),
-					passkeyOptions: (r) => Fx.succeed({
-						kind: "passkeyOptions",
-						options: r.options,
-						verifier: r.verifier
-					}),
-					totpRequired: (r) => Fx.succeed({
-						kind: "totpRequired",
-						verifier: r.verifier
-					}),
-					totpSetup: (r) => Fx.succeed({
-						kind: "totpSetup",
-						totpSetup: {
-							uri: r.uri,
-							secret: r.secret,
-							totpId: r.totpId
-						},
-						verifier: r.verifier
-					}),
-					deviceCode: (r) => Fx.succeed({
-						kind: "deviceCode",
-						deviceCode: {
-							deviceCode: r.deviceCode,
-							userCode: r.userCode,
-							verificationUri: r.verificationUri,
-							verificationUriComplete: r.verificationUriComplete,
-							expiresIn: r.expiresIn,
-							interval: r.interval
-						}
-					})
-				}));
-			}
-		}),
-		signOut: actionGeneric({
-			args: {},
-			handler: async (ctx) => {
-				await callSignOut(ctx);
-			}
-		}),
-		store: internalMutationGeneric({
-			args: storeArgs,
-			handler: async (ctx, args) => {
-				return storeImpl(ctx, args, getProviderOrThrow, config);
-			}
-		})
-	};
-}
-function convertErrorsToResponse(errorStatusCode, action) {
-	return async (ctx, request) => {
-		return Fx.run(Fx.from({
-			ok: () => action(ctx, request),
-			err: (error) => error
-		}).pipe(Fx.recover((error) => {
-			if (isAuthError(error)) return Fx.succeed(new Response(JSON.stringify({
-				code: error.data.code,
-				message: error.data.message
-			}), {
-				status: errorStatusCode,
-				headers: { "Content-Type": "application/json" }
-			}));
-			else if (error instanceof ConvexError) return Fx.succeed(new Response(null, {
-				status: errorStatusCode,
-				statusText: typeof error.data === "string" ? error.data : "Error"
-			}));
-			else {
-				logError(error);
-				return Fx.succeed(new Response(null, {
-					status: 500,
-					statusText: "Internal Server Error"
-				}));
-			}
-		})));
-	};
-}
-function getCookies(request) {
-	return parse(request.headers.get("Cookie") ?? "");
-}
-//#endregion
-export { Auth };
-//# sourceMappingURL=implementation.js.map