npm - @robelest/convex-auth - Versions diffs - 0.0.4-preview.2 → 0.0.4-preview.21 - Mend

@robelest/convex-auth 0.0.4-preview.2 → 0.0.4-preview.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (798) hide show

package/README.md +67 -26
package/dist/authorization/index.d.ts +63 -0
package/dist/authorization/index.d.ts.map +1 -0
package/dist/authorization/index.js +63 -0
package/dist/authorization/index.js.map +1 -0
package/dist/bin.js +6185 -0
package/dist/client/core/types.d.ts +20 -0
package/dist/client/core/types.d.ts.map +1 -0
package/dist/client/index.d.ts +2 -299
package/dist/client/index.d.ts.map +1 -1
package/dist/client/index.js +407 -534
package/dist/client/index.js.map +1 -1
package/dist/component/_generated/api.d.ts +42 -0
package/dist/component/_generated/api.d.ts.map +1 -1
package/dist/component/_generated/api.js.map +1 -1
package/dist/component/_generated/component.d.ts +2546 -90
package/dist/component/_generated/component.d.ts.map +1 -1
package/dist/component/client/core/types.d.ts +2 -0
package/dist/component/client/index.d.ts +2 -0
package/dist/component/convex.config.d.ts +2 -2
package/dist/component/functions.d.ts +11 -9
package/dist/component/functions.d.ts.map +1 -1
package/dist/component/functions.js.map +1 -1
package/dist/component/index.d.ts +7 -11
package/dist/component/index.js +2 -3
package/dist/component/model.d.ts +153 -0
package/dist/component/model.d.ts.map +1 -0
package/dist/component/model.js +349 -0
package/dist/component/model.js.map +1 -0
package/dist/component/providers/anonymous.d.ts +54 -0
package/dist/component/providers/anonymous.d.ts.map +1 -0
package/dist/component/providers/credentials.d.ts +5 -5
package/dist/component/providers/credentials.d.ts.map +1 -1
package/dist/component/providers/device.d.ts +67 -0
package/dist/component/providers/device.d.ts.map +1 -0
package/dist/component/providers/email.d.ts +62 -0
package/dist/component/providers/email.d.ts.map +1 -0
package/dist/component/providers/oauth.d.ts.map +1 -1
package/dist/component/providers/oauth.js.map +1 -1
package/dist/component/providers/passkey.d.ts +57 -0
package/dist/component/providers/passkey.d.ts.map +1 -0
package/dist/component/providers/password.d.ts +88 -0
package/dist/component/providers/password.d.ts.map +1 -0
package/dist/component/providers/phone.d.ts +48 -0
package/dist/component/providers/phone.d.ts.map +1 -0
package/dist/component/providers/sso.d.ts +50 -0
package/dist/component/providers/sso.d.ts.map +1 -0
package/dist/component/providers/totp.d.ts +45 -0
package/dist/component/providers/totp.d.ts.map +1 -0
package/dist/component/public/enterprise/audit.d.ts +73 -0
package/dist/component/public/enterprise/audit.d.ts.map +1 -0
package/dist/component/public/enterprise/audit.js +108 -0
package/dist/component/public/enterprise/audit.js.map +1 -0
package/dist/component/public/enterprise/core.d.ts +176 -0
package/dist/component/public/enterprise/core.d.ts.map +1 -0
package/dist/component/public/enterprise/core.js +292 -0
package/dist/component/public/enterprise/core.js.map +1 -0
package/dist/component/public/enterprise/domains.d.ts +174 -0
package/dist/component/public/enterprise/domains.d.ts.map +1 -0
package/dist/component/public/enterprise/domains.js +271 -0
package/dist/component/public/enterprise/domains.js.map +1 -0
package/dist/component/public/enterprise/scim.d.ts +245 -0
package/dist/component/public/enterprise/scim.d.ts.map +1 -0
package/dist/component/public/enterprise/scim.js +344 -0
package/dist/component/public/enterprise/scim.js.map +1 -0
package/dist/component/public/enterprise/secrets.d.ts +78 -0
package/dist/component/public/enterprise/secrets.d.ts.map +1 -0
package/dist/component/public/enterprise/secrets.js +118 -0
package/dist/component/public/enterprise/secrets.js.map +1 -0
package/dist/component/public/enterprise/webhooks.d.ts +211 -0
package/dist/component/public/enterprise/webhooks.d.ts.map +1 -0
package/dist/component/public/enterprise/webhooks.js +300 -0
package/dist/component/public/enterprise/webhooks.js.map +1 -0
package/dist/component/public/factors/devices.d.ts +157 -0
package/dist/component/public/factors/devices.d.ts.map +1 -0
package/dist/component/public/factors/devices.js +216 -0
package/dist/component/public/factors/devices.js.map +1 -0
package/dist/component/public/factors/passkeys.d.ts +175 -0
package/dist/component/public/factors/passkeys.d.ts.map +1 -0
package/dist/component/public/factors/passkeys.js +238 -0
package/dist/component/public/factors/passkeys.js.map +1 -0
package/dist/component/public/factors/totp.d.ts +189 -0
package/dist/component/public/factors/totp.d.ts.map +1 -0
package/dist/component/public/factors/totp.js +254 -0
package/dist/component/public/factors/totp.js.map +1 -0
package/dist/component/public/groups/core.d.ts +137 -0
package/dist/component/public/groups/core.d.ts.map +1 -0
package/dist/component/public/groups/core.js +321 -0
package/dist/component/public/groups/core.js.map +1 -0
package/dist/component/public/groups/invites.d.ts +217 -0
package/dist/component/public/groups/invites.d.ts.map +1 -0
package/dist/component/public/groups/invites.js +457 -0
package/dist/component/public/groups/invites.js.map +1 -0
package/dist/component/public/groups/members.d.ts +204 -0
package/dist/component/public/groups/members.d.ts.map +1 -0
package/dist/component/public/groups/members.js +355 -0
package/dist/component/public/groups/members.js.map +1 -0
package/dist/component/public/identity/accounts.d.ts +147 -0
package/dist/component/public/identity/accounts.d.ts.map +1 -0
package/dist/component/public/identity/accounts.js +200 -0
package/dist/component/public/identity/accounts.js.map +1 -0
package/dist/component/public/identity/codes.d.ts +104 -0
package/dist/component/public/identity/codes.d.ts.map +1 -0
package/dist/component/public/identity/codes.js +140 -0
package/dist/component/public/identity/codes.js.map +1 -0
package/dist/component/public/identity/sessions.d.ts +128 -0
package/dist/component/public/identity/sessions.d.ts.map +1 -0
package/dist/component/public/identity/sessions.js +192 -0
package/dist/component/public/identity/sessions.js.map +1 -0
package/dist/component/public/identity/tokens.d.ts +169 -0
package/dist/component/public/identity/tokens.d.ts.map +1 -0
package/dist/component/public/identity/tokens.js +227 -0
package/dist/component/public/identity/tokens.js.map +1 -0
package/dist/component/public/identity/users.d.ts +212 -0
package/dist/component/public/identity/users.d.ts.map +1 -0
package/dist/component/public/identity/users.js +311 -0
package/dist/component/public/identity/users.js.map +1 -0
package/dist/component/public/identity/verifiers.d.ts +116 -0
package/dist/component/public/identity/verifiers.d.ts.map +1 -0
package/dist/component/public/identity/verifiers.js +154 -0
package/dist/component/public/identity/verifiers.js.map +1 -0
package/dist/component/public/security/keys.d.ts +209 -0
package/dist/component/public/security/keys.d.ts.map +1 -0
package/dist/component/public/security/keys.js +319 -0
package/dist/component/public/security/keys.js.map +1 -0
package/dist/component/public/security/limits.d.ts +114 -0
package/dist/component/public/security/limits.d.ts.map +1 -0
package/dist/component/public/security/limits.js +169 -0
package/dist/component/public/security/limits.js.map +1 -0
package/dist/component/public.d.ts +24 -271
package/dist/component/public.d.ts.map +1 -1
package/dist/component/public.js +21 -1229
package/dist/component/schema.d.ts +473 -110
package/dist/component/schema.js +162 -73
package/dist/component/schema.js.map +1 -1
package/dist/component/server/auth.d.ts +318 -373
package/dist/component/server/auth.d.ts.map +1 -1
package/dist/component/server/auth.js +204 -123
package/dist/component/server/auth.js.map +1 -1
package/dist/component/server/authError.js +34 -0
package/dist/component/server/authError.js.map +1 -0
package/dist/component/server/{providers.js → config.js} +43 -12
package/dist/component/server/config.js.map +1 -0
package/dist/component/server/cookies.js +3 -0
package/dist/component/server/cookies.js.map +1 -1
package/dist/component/server/core.js +713 -0
package/dist/component/server/core.js.map +1 -0
package/dist/component/server/crypto.js +38 -0
package/dist/component/server/crypto.js.map +1 -0
package/dist/component/server/{implementation/db.js → db.js} +2 -1
package/dist/component/server/db.js.map +1 -0
package/dist/component/server/device.js +109 -0
package/dist/component/server/device.js.map +1 -0
package/dist/component/server/enterprise/config.js +46 -0
package/dist/component/server/enterprise/config.js.map +1 -0
package/dist/component/server/enterprise/domain.js +885 -0
package/dist/component/server/enterprise/domain.js.map +1 -0
package/dist/component/server/enterprise/http.js +766 -0
package/dist/component/server/enterprise/http.js.map +1 -0
package/dist/component/server/enterprise/oidc.js +248 -0
package/dist/component/server/enterprise/oidc.js.map +1 -0
package/dist/component/server/enterprise/policy.js +85 -0
package/dist/component/server/enterprise/policy.js.map +1 -0
package/dist/component/server/enterprise/saml.js +338 -0
package/dist/component/server/enterprise/saml.js.map +1 -0
package/dist/component/server/enterprise/scim.js +97 -0
package/dist/component/server/enterprise/scim.js.map +1 -0
package/dist/component/server/enterprise/shared.js +51 -0
package/dist/component/server/enterprise/shared.js.map +1 -0
package/dist/component/server/errors.d.ts +1 -0
package/dist/component/server/errors.js +24 -16
package/dist/component/server/errors.js.map +1 -1
package/dist/component/server/http.js +288 -0
package/dist/component/server/http.js.map +1 -0
package/dist/component/server/identity.js +13 -0
package/dist/component/server/identity.js.map +1 -0
package/dist/{server/implementation → component/server}/keys.js +9 -31
package/dist/component/server/keys.js.map +1 -0
package/dist/component/server/limits.js +61 -0
package/dist/component/server/limits.js.map +1 -0
package/dist/component/server/mutations/account.js +44 -0
package/dist/component/server/mutations/account.js.map +1 -0
package/dist/component/server/{implementation/mutations → mutations}/code.js +7 -4
package/dist/component/server/mutations/code.js.map +1 -0
package/dist/component/server/mutations/invalidate.js +32 -0
package/dist/component/server/mutations/invalidate.js.map +1 -0
package/dist/component/server/mutations/oauth.js +110 -0
package/dist/component/server/mutations/oauth.js.map +1 -0
package/dist/component/server/mutations/refresh.js +119 -0
package/dist/component/server/mutations/refresh.js.map +1 -0
package/dist/component/server/mutations/register.js +83 -0
package/dist/component/server/mutations/register.js.map +1 -0
package/dist/component/server/mutations/retrieve.js +65 -0
package/dist/component/server/mutations/retrieve.js.map +1 -0
package/dist/component/server/mutations/signature.js +32 -0
package/dist/component/server/mutations/signature.js.map +1 -0
package/dist/component/server/{implementation/mutations → mutations}/signin.js +2 -2
package/dist/component/server/mutations/signin.js.map +1 -0
package/dist/component/server/mutations/signout.js +27 -0
package/dist/component/server/mutations/signout.js.map +1 -0
package/dist/component/server/mutations/store/refs.js +15 -0
package/dist/component/server/mutations/store/refs.js.map +1 -0
package/dist/component/server/mutations/store.js +85 -0
package/dist/component/server/mutations/store.js.map +1 -0
package/dist/component/server/mutations/verifier.js +18 -0
package/dist/component/server/mutations/verifier.js.map +1 -0
package/dist/component/server/mutations/verify.js +98 -0
package/dist/component/server/mutations/verify.js.map +1 -0
package/dist/component/server/oauth.js +106 -60
package/dist/component/server/oauth.js.map +1 -1
package/dist/component/server/passkey.js +328 -0
package/dist/component/server/passkey.js.map +1 -0
package/dist/{server/implementation → component/server}/redirects.js +13 -11
package/dist/component/server/redirects.js.map +1 -0
package/dist/component/server/refresh.js +96 -0
package/dist/component/server/refresh.js.map +1 -0
package/dist/component/server/runtime.d.ts +136 -0
package/dist/component/server/runtime.d.ts.map +1 -0
package/dist/component/server/runtime.js +413 -0
package/dist/component/server/runtime.js.map +1 -0
package/dist/{server/implementation → component/server}/sessions.js +14 -8
package/dist/component/server/sessions.js.map +1 -0
package/dist/component/server/signin.js +201 -0
package/dist/component/server/signin.js.map +1 -0
package/dist/component/server/tokens.js +17 -0
package/dist/component/server/tokens.js.map +1 -0
package/dist/component/server/totp.js +148 -0
package/dist/component/server/totp.js.map +1 -0
package/dist/component/server/types.d.ts +387 -298
package/dist/component/server/types.d.ts.map +1 -1
package/dist/component/server/{implementation/types.js → types.js} +1 -1
package/dist/component/server/types.js.map +1 -0
package/dist/component/server/{implementation/users.js → users.js} +54 -35
package/dist/component/server/users.js.map +1 -0
package/dist/component/server/utils.js +110 -4
package/dist/component/server/utils.js.map +1 -1
package/dist/core/types.d.ts +369 -0
package/dist/core/types.d.ts.map +1 -0
package/dist/factors/device.js +105 -0
package/dist/factors/device.js.map +1 -0
package/dist/factors/passkey.js +181 -0
package/dist/factors/passkey.js.map +1 -0
package/dist/factors/totp.js +122 -0
package/dist/factors/totp.js.map +1 -0
package/dist/providers/anonymous.d.ts +3 -9
package/dist/providers/anonymous.d.ts.map +1 -1
package/dist/providers/anonymous.js +1 -18
package/dist/providers/anonymous.js.map +1 -1
package/dist/providers/credentials.d.ts +8 -10
package/dist/providers/credentials.d.ts.map +1 -1
package/dist/providers/credentials.js +3 -5
package/dist/providers/credentials.js.map +1 -1
package/dist/providers/device.d.ts +18 -10
package/dist/providers/device.d.ts.map +1 -1
package/dist/providers/device.js +4 -8
package/dist/providers/device.js.map +1 -1
package/dist/providers/email.d.ts +50 -23
package/dist/providers/email.d.ts.map +1 -1
package/dist/providers/email.js +58 -34
package/dist/providers/email.js.map +1 -1
package/dist/providers/index.d.ts +7 -3
package/dist/providers/index.js +4 -1
package/dist/providers/oauth.d.ts.map +1 -1
package/dist/providers/oauth.js.map +1 -1
package/dist/providers/passkey.d.ts +12 -9
package/dist/providers/passkey.d.ts.map +1 -1
package/dist/providers/passkey.js +1 -7
package/dist/providers/passkey.js.map +1 -1
package/dist/providers/password.d.ts +6 -12
package/dist/providers/password.d.ts.map +1 -1
package/dist/providers/password.js +189 -89
package/dist/providers/password.js.map +1 -1
package/dist/providers/phone.d.ts +40 -11
package/dist/providers/phone.d.ts.map +1 -1
package/dist/providers/phone.js +52 -21
package/dist/providers/phone.js.map +1 -1
package/dist/providers/sso.d.ts +50 -0
package/dist/providers/sso.d.ts.map +1 -0
package/dist/providers/sso.js +34 -0
package/dist/providers/sso.js.map +1 -0
package/dist/providers/totp.d.ts +12 -9
package/dist/providers/totp.d.ts.map +1 -1
package/dist/providers/totp.js +1 -7
package/dist/providers/totp.js.map +1 -1
package/dist/runtime/browser.js +68 -0
package/dist/runtime/browser.js.map +1 -0
package/dist/runtime/invite.js +51 -0
package/dist/runtime/invite.js.map +1 -0
package/dist/runtime/proxy.js +70 -0
package/dist/runtime/proxy.js.map +1 -0
package/dist/runtime/storage.js +37 -0
package/dist/runtime/storage.js.map +1 -0
package/dist/server/auth.d.ts +335 -370
package/dist/server/auth.d.ts.map +1 -1
package/dist/server/auth.js +204 -123
package/dist/server/auth.js.map +1 -1
package/dist/server/authError.d.ts +46 -0
package/dist/server/authError.d.ts.map +1 -0
package/dist/server/authError.js +34 -0
package/dist/server/authError.js.map +1 -0
package/dist/server/config.d.ts +1 -0
package/dist/server/{providers.js → config.js} +43 -12
package/dist/server/config.js.map +1 -0
package/dist/server/cookies.d.ts +1 -38
package/dist/server/cookies.js +3 -0
package/dist/server/cookies.js.map +1 -1
package/dist/server/core.d.ts +1436 -0
package/dist/server/core.d.ts.map +1 -0
package/dist/server/core.js +713 -0
package/dist/server/core.js.map +1 -0
package/dist/server/crypto.d.ts +8 -0
package/dist/server/crypto.d.ts.map +1 -0
package/dist/server/crypto.js +38 -0
package/dist/server/crypto.js.map +1 -0
package/dist/server/db.d.ts +1 -0
package/dist/server/{implementation/db.js → db.js} +2 -1
package/dist/server/db.js.map +1 -0
package/dist/server/device.d.ts +1 -0
package/dist/server/device.js +109 -0
package/dist/server/device.js.map +1 -0
package/dist/server/enterprise/config.d.ts +1 -0
package/dist/server/enterprise/config.js +46 -0
package/dist/server/enterprise/config.js.map +1 -0
package/dist/server/enterprise/domain.d.ts +409 -0
package/dist/server/enterprise/domain.d.ts.map +1 -0
package/dist/server/enterprise/domain.js +885 -0
package/dist/server/enterprise/domain.js.map +1 -0
package/dist/server/enterprise/http.d.ts +26 -0
package/dist/server/enterprise/http.d.ts.map +1 -0
package/dist/server/enterprise/http.js +766 -0
package/dist/server/enterprise/http.js.map +1 -0
package/dist/server/enterprise/oidc.d.ts +1 -0
package/dist/server/enterprise/oidc.js +248 -0
package/dist/server/enterprise/oidc.js.map +1 -0
package/dist/server/enterprise/policy.d.ts +1 -0
package/dist/server/enterprise/policy.js +85 -0
package/dist/server/enterprise/policy.js.map +1 -0
package/dist/server/enterprise/saml.d.ts +1 -0
package/dist/server/enterprise/saml.js +338 -0
package/dist/server/enterprise/saml.js.map +1 -0
package/dist/server/enterprise/scim.d.ts +1 -0
package/dist/server/enterprise/scim.js +97 -0
package/dist/server/enterprise/scim.js.map +1 -0
package/dist/server/enterprise/shared.d.ts +5 -0
package/dist/server/enterprise/shared.d.ts.map +1 -0
package/dist/server/enterprise/shared.js +51 -0
package/dist/server/enterprise/shared.js.map +1 -0
package/dist/server/enterprise/validators.d.ts +1 -0
package/dist/server/enterprise/validators.js +60 -0
package/dist/server/enterprise/validators.js.map +1 -0
package/dist/server/errors.d.ts +33 -1
package/dist/server/errors.d.ts.map +1 -1
package/dist/server/errors.js +44 -1
package/dist/server/errors.js.map +1 -1
package/dist/server/http.d.ts +59 -0
package/dist/server/http.d.ts.map +1 -0
package/dist/server/http.js +288 -0
package/dist/server/http.js.map +1 -0
package/dist/server/identity.d.ts +1 -0
package/dist/server/identity.js +13 -0
package/dist/server/identity.js.map +1 -0
package/dist/server/index.d.ts +4 -182
package/dist/server/index.js +4 -376
package/dist/server/keys.d.ts +1 -0
package/dist/{component/server/implementation → server}/keys.js +9 -31
package/dist/server/keys.js.map +1 -0
package/dist/server/limits.d.ts +1 -0
package/dist/server/limits.js +61 -0
package/dist/server/limits.js.map +1 -0
package/dist/server/mounts.d.ts +647 -0
package/dist/server/mounts.d.ts.map +1 -0
package/dist/server/mounts.js +643 -0
package/dist/server/mounts.js.map +1 -0
package/dist/server/mutations/account.d.ts +30 -0
package/dist/server/mutations/account.d.ts.map +1 -0
package/dist/server/mutations/account.js +44 -0
package/dist/server/mutations/account.js.map +1 -0
package/dist/server/mutations/code.d.ts +30 -0
package/dist/server/mutations/code.d.ts.map +1 -0
package/dist/server/{implementation/mutations → mutations}/code.js +7 -4
package/dist/server/mutations/code.js.map +1 -0
package/dist/server/mutations/index.d.ts +14 -0
package/dist/server/mutations/index.js +15 -0
package/dist/server/mutations/invalidate.d.ts +20 -0
package/dist/server/mutations/invalidate.d.ts.map +1 -0
package/dist/server/mutations/invalidate.js +32 -0
package/dist/server/mutations/invalidate.js.map +1 -0
package/dist/server/mutations/oauth.d.ts +28 -0
package/dist/server/mutations/oauth.d.ts.map +1 -0
package/dist/server/mutations/oauth.js +110 -0
package/dist/server/mutations/oauth.js.map +1 -0
package/dist/server/mutations/refresh.d.ts +21 -0
package/dist/server/mutations/refresh.d.ts.map +1 -0
package/dist/server/mutations/refresh.js +119 -0
package/dist/server/mutations/refresh.js.map +1 -0
package/dist/server/mutations/register.d.ts +38 -0
package/dist/server/mutations/register.d.ts.map +1 -0
package/dist/server/mutations/register.js +83 -0
package/dist/server/mutations/register.js.map +1 -0
package/dist/server/mutations/retrieve.d.ts +33 -0
package/dist/server/mutations/retrieve.d.ts.map +1 -0
package/dist/server/mutations/retrieve.js +65 -0
package/dist/server/mutations/retrieve.js.map +1 -0
package/dist/server/mutations/signature.d.ts +22 -0
package/dist/server/mutations/signature.d.ts.map +1 -0
package/dist/server/mutations/signature.js +32 -0
package/dist/server/mutations/signature.js.map +1 -0
package/dist/server/mutations/signin.d.ts +22 -0
package/dist/server/mutations/signin.d.ts.map +1 -0
package/dist/server/{implementation/mutations → mutations}/signin.js +2 -2
package/dist/server/mutations/signin.js.map +1 -0
package/dist/server/mutations/signout.d.ts +16 -0
package/dist/server/mutations/signout.d.ts.map +1 -0
package/dist/server/mutations/signout.js +27 -0
package/dist/server/mutations/signout.js.map +1 -0
package/dist/server/mutations/store/refs.d.ts +12 -0
package/dist/server/mutations/store/refs.d.ts.map +1 -0
package/dist/server/mutations/store/refs.js +15 -0
package/dist/server/mutations/store/refs.js.map +1 -0
package/dist/server/mutations/store.d.ts +306 -0
package/dist/server/mutations/store.d.ts.map +1 -0
package/dist/server/mutations/store.js +85 -0
package/dist/server/mutations/store.js.map +1 -0
package/dist/server/mutations/verifier.d.ts +13 -0
package/dist/server/mutations/verifier.d.ts.map +1 -0
package/dist/server/mutations/verifier.js +18 -0
package/dist/server/mutations/verifier.js.map +1 -0
package/dist/server/mutations/verify.d.ts +26 -0
package/dist/server/mutations/verify.d.ts.map +1 -0
package/dist/server/mutations/verify.js +98 -0
package/dist/server/mutations/verify.js.map +1 -0
package/dist/server/oauth.d.ts +1 -48
package/dist/server/oauth.js +107 -64
package/dist/server/oauth.js.map +1 -1
package/dist/server/passkey.d.ts +27 -0
package/dist/server/passkey.d.ts.map +1 -0
package/dist/server/passkey.js +328 -0
package/dist/server/passkey.js.map +1 -0
package/dist/server/redirects.d.ts +1 -0
package/dist/{component/server/implementation → server}/redirects.js +13 -11
package/dist/server/redirects.js.map +1 -0
package/dist/server/refresh.d.ts +1 -0
package/dist/server/refresh.js +96 -0
package/dist/server/refresh.js.map +1 -0
package/dist/server/runtime.d.ts +136 -0
package/dist/server/runtime.d.ts.map +1 -0
package/dist/server/runtime.js +413 -0
package/dist/server/runtime.js.map +1 -0
package/dist/server/sessions.d.ts +1 -0
package/dist/{component/server/implementation → server}/sessions.js +14 -8
package/dist/server/sessions.js.map +1 -0
package/dist/server/signin.d.ts +1 -0
package/dist/server/signin.js +201 -0
package/dist/server/signin.js.map +1 -0
package/dist/server/ssr.d.ts +226 -0
package/dist/server/ssr.d.ts.map +1 -0
package/dist/server/ssr.js +786 -0
package/dist/server/ssr.js.map +1 -0
package/dist/server/templates.d.ts +1 -21
package/dist/server/templates.js +2 -1
package/dist/server/templates.js.map +1 -1
package/dist/server/tokens.d.ts +1 -0
package/dist/server/tokens.js +17 -0
package/dist/server/tokens.js.map +1 -0
package/dist/server/totp.d.ts +1 -0
package/dist/server/totp.js +148 -0
package/dist/server/totp.js.map +1 -0
package/dist/server/types.d.ts +498 -306
package/dist/server/types.d.ts.map +1 -1
package/dist/server/types.js +108 -1
package/dist/server/types.js.map +1 -0
package/dist/server/users.d.ts +1 -0
package/dist/server/{implementation/users.js → users.js} +54 -35
package/dist/server/users.js.map +1 -0
package/dist/server/utils.d.ts +1 -6
package/dist/server/utils.js +110 -4
package/dist/server/utils.js.map +1 -1
package/package.json +49 -46
package/src/authorization/index.ts +83 -0
package/src/cli/bin.ts +5 -0
package/src/cli/command.ts +6 -5
package/src/cli/index.ts +456 -248
package/src/cli/keys.ts +3 -0
package/src/client/core/types.ts +437 -0
package/src/client/factors/device.ts +160 -0
package/src/client/factors/passkey.ts +282 -0
package/src/client/factors/totp.ts +150 -0
package/src/client/index.ts +745 -989
package/src/client/runtime/browser.ts +112 -0
package/src/client/runtime/invite.ts +65 -0
package/src/client/runtime/proxy.ts +111 -0
package/src/client/runtime/storage.ts +79 -0
package/src/component/_generated/api.ts +42 -0
package/src/component/_generated/component.ts +3123 -102
package/src/component/functions.ts +38 -22
package/src/component/index.ts +10 -20
package/src/component/model.ts +449 -0
package/src/component/public/enterprise/audit.ts +120 -0
package/src/component/public/enterprise/core.ts +354 -0
package/src/component/public/enterprise/domains.ts +323 -0
package/src/component/public/enterprise/scim.ts +396 -0
package/src/component/public/enterprise/secrets.ts +132 -0
package/src/component/public/enterprise/webhooks.ts +306 -0
package/src/component/public/factors/devices.ts +223 -0
package/src/component/public/factors/passkeys.ts +242 -0
package/src/component/public/factors/totp.ts +258 -0
package/src/component/public/groups/core.ts +481 -0
package/src/component/public/groups/invites.ts +602 -0
package/src/component/public/groups/members.ts +409 -0
package/src/component/public/identity/accounts.ts +206 -0
package/src/component/public/identity/codes.ts +148 -0
package/src/component/public/identity/sessions.ts +209 -0
package/src/component/public/identity/tokens.ts +250 -0
package/src/component/public/identity/users.ts +354 -0
package/src/component/public/identity/verifiers.ts +157 -0
package/src/component/public/security/keys.ts +365 -0
package/src/component/public/security/limits.ts +173 -0
package/src/component/public.ts +26 -1766
package/src/component/schema.ts +273 -100
package/src/providers/anonymous.ts +10 -20
package/src/providers/credentials.ts +14 -22
package/src/providers/device.ts +3 -14
package/src/providers/email.ts +83 -47
package/src/providers/index.ts +7 -0
package/src/providers/oauth.ts +5 -3
package/src/providers/passkey.ts +0 -13
package/src/providers/password.ts +307 -130
package/src/providers/phone.ts +81 -37
package/src/providers/sso.ts +54 -0
package/src/providers/totp.ts +0 -13
package/src/samlify.d.ts +53 -0
package/src/server/auth.ts +701 -247
package/src/server/authError.ts +44 -0
package/src/server/{providers.ts → config.ts} +84 -15
package/src/server/cookies.ts +8 -1
package/src/server/core.ts +2095 -0
package/src/server/crypto.ts +88 -0
package/src/server/{implementation/db.ts → db.ts} +90 -15
package/src/server/device.ts +221 -0
package/src/server/enterprise/config.ts +51 -0
package/src/server/enterprise/domain.ts +1751 -0
package/src/server/enterprise/http.ts +1324 -0
package/src/server/enterprise/oidc.ts +500 -0
package/src/server/enterprise/policy.ts +128 -0
package/src/server/enterprise/saml.ts +578 -0
package/src/server/enterprise/scim.ts +135 -0
package/src/server/enterprise/shared.ts +134 -0
package/src/server/enterprise/validators.ts +93 -0
package/src/server/errors.ts +130 -119
package/src/server/http.ts +531 -0
package/src/server/identity.ts +18 -0
package/src/server/index.ts +32 -650
package/src/server/{implementation/keys.ts → keys.ts} +16 -44
package/src/server/limits.ts +134 -0
package/src/server/mounts.ts +948 -0
package/src/server/mutations/account.ts +76 -0
package/src/server/{implementation/mutations → mutations}/code.ts +22 -11
package/src/server/mutations/index.ts +13 -0
package/src/server/mutations/invalidate.ts +50 -0
package/src/server/mutations/oauth.ts +237 -0
package/src/server/mutations/refresh.ts +298 -0
package/src/server/mutations/register.ts +200 -0
package/src/server/mutations/retrieve.ts +109 -0
package/src/server/mutations/signature.ts +50 -0
package/src/server/{implementation/mutations → mutations}/signin.ts +9 -7
package/src/server/mutations/signout.ts +43 -0
package/src/server/mutations/store/refs.ts +10 -0
package/src/server/mutations/store.ts +138 -0
package/src/server/mutations/verifier.ts +34 -0
package/src/server/mutations/verify.ts +202 -0
package/src/server/oauth.ts +243 -131
package/src/server/passkey.ts +784 -0
package/src/server/{implementation/redirects.ts → redirects.ts} +21 -16
package/src/server/refresh.ts +222 -0
package/src/server/runtime.ts +880 -0
package/src/server/{implementation/sessions.ts → sessions.ts} +33 -25
package/src/server/signin.ts +438 -0
package/src/server/ssr.ts +1764 -0
package/src/server/templates.ts +8 -3
package/src/server/{implementation/tokens.ts → tokens.ts} +11 -5
package/src/server/totp.ts +349 -0
package/src/server/types.ts +972 -207
package/src/server/{implementation/users.ts → users.ts} +129 -75
package/src/server/utils.ts +192 -5
package/src/test.ts +28 -4
package/dist/bin.cjs +0 -27757
package/dist/component/providers/email.js +0 -47
package/dist/component/providers/email.js.map +0 -1
package/dist/component/public.js.map +0 -1
package/dist/component/server/implementation/db.js.map +0 -1
package/dist/component/server/implementation/device.js +0 -135
package/dist/component/server/implementation/device.js.map +0 -1
package/dist/component/server/implementation/index.d.ts +0 -870
package/dist/component/server/implementation/index.d.ts.map +0 -1
package/dist/component/server/implementation/index.js +0 -610
package/dist/component/server/implementation/index.js.map +0 -1
package/dist/component/server/implementation/keys.js.map +0 -1
package/dist/component/server/implementation/mutations/account.js +0 -39
package/dist/component/server/implementation/mutations/account.js.map +0 -1
package/dist/component/server/implementation/mutations/code.js.map +0 -1
package/dist/component/server/implementation/mutations/index.js +0 -70
package/dist/component/server/implementation/mutations/index.js.map +0 -1
package/dist/component/server/implementation/mutations/invalidate.js +0 -29
package/dist/component/server/implementation/mutations/invalidate.js.map +0 -1
package/dist/component/server/implementation/mutations/oauth.js +0 -51
package/dist/component/server/implementation/mutations/oauth.js.map +0 -1
package/dist/component/server/implementation/mutations/refresh.js +0 -85
package/dist/component/server/implementation/mutations/refresh.js.map +0 -1
package/dist/component/server/implementation/mutations/register.js +0 -65
package/dist/component/server/implementation/mutations/register.js.map +0 -1
package/dist/component/server/implementation/mutations/retrieve.js +0 -50
package/dist/component/server/implementation/mutations/retrieve.js.map +0 -1
package/dist/component/server/implementation/mutations/signature.js +0 -27
package/dist/component/server/implementation/mutations/signature.js.map +0 -1
package/dist/component/server/implementation/mutations/signin.js.map +0 -1
package/dist/component/server/implementation/mutations/signout.js +0 -27
package/dist/component/server/implementation/mutations/signout.js.map +0 -1
package/dist/component/server/implementation/mutations/store.js +0 -12
package/dist/component/server/implementation/mutations/store.js.map +0 -1
package/dist/component/server/implementation/mutations/verifier.js +0 -16
package/dist/component/server/implementation/mutations/verifier.js.map +0 -1
package/dist/component/server/implementation/mutations/verify.js +0 -105
package/dist/component/server/implementation/mutations/verify.js.map +0 -1
package/dist/component/server/implementation/passkey.js +0 -307
package/dist/component/server/implementation/passkey.js.map +0 -1
package/dist/component/server/implementation/provider.js +0 -19
package/dist/component/server/implementation/provider.js.map +0 -1
package/dist/component/server/implementation/ratelimit.js +0 -48
package/dist/component/server/implementation/ratelimit.js.map +0 -1
package/dist/component/server/implementation/redirects.js.map +0 -1
package/dist/component/server/implementation/refresh.js +0 -109
package/dist/component/server/implementation/refresh.js.map +0 -1
package/dist/component/server/implementation/sessions.js.map +0 -1
package/dist/component/server/implementation/signin.js +0 -148
package/dist/component/server/implementation/signin.js.map +0 -1
package/dist/component/server/implementation/tokens.js +0 -15
package/dist/component/server/implementation/tokens.js.map +0 -1
package/dist/component/server/implementation/totp.js +0 -142
package/dist/component/server/implementation/totp.js.map +0 -1
package/dist/component/server/implementation/types.d.ts +0 -42
package/dist/component/server/implementation/types.d.ts.map +0 -1
package/dist/component/server/implementation/types.js.map +0 -1
package/dist/component/server/implementation/users.js.map +0 -1
package/dist/component/server/implementation/utils.js +0 -56
package/dist/component/server/implementation/utils.js.map +0 -1
package/dist/component/server/providers.js.map +0 -1
package/dist/component/server/templates.js +0 -84
package/dist/component/server/templates.js.map +0 -1
package/dist/server/cookies.d.ts.map +0 -1
package/dist/server/implementation/db.d.ts +0 -86
package/dist/server/implementation/db.d.ts.map +0 -1
package/dist/server/implementation/db.js.map +0 -1
package/dist/server/implementation/device.d.ts +0 -30
package/dist/server/implementation/device.d.ts.map +0 -1
package/dist/server/implementation/device.js +0 -135
package/dist/server/implementation/device.js.map +0 -1
package/dist/server/implementation/index.d.ts +0 -870
package/dist/server/implementation/index.d.ts.map +0 -1
package/dist/server/implementation/index.js +0 -610
package/dist/server/implementation/index.js.map +0 -1
package/dist/server/implementation/keys.d.ts +0 -66
package/dist/server/implementation/keys.d.ts.map +0 -1
package/dist/server/implementation/keys.js.map +0 -1
package/dist/server/implementation/mutations/account.d.ts +0 -27
package/dist/server/implementation/mutations/account.d.ts.map +0 -1
package/dist/server/implementation/mutations/account.js +0 -39
package/dist/server/implementation/mutations/account.js.map +0 -1
package/dist/server/implementation/mutations/code.d.ts +0 -29
package/dist/server/implementation/mutations/code.d.ts.map +0 -1
package/dist/server/implementation/mutations/code.js.map +0 -1
package/dist/server/implementation/mutations/index.d.ts +0 -310
package/dist/server/implementation/mutations/index.d.ts.map +0 -1
package/dist/server/implementation/mutations/index.js +0 -70
package/dist/server/implementation/mutations/index.js.map +0 -1
package/dist/server/implementation/mutations/invalidate.d.ts +0 -18
package/dist/server/implementation/mutations/invalidate.d.ts.map +0 -1
package/dist/server/implementation/mutations/invalidate.js +0 -29
package/dist/server/implementation/mutations/invalidate.js.map +0 -1
package/dist/server/implementation/mutations/oauth.d.ts +0 -23
package/dist/server/implementation/mutations/oauth.d.ts.map +0 -1
package/dist/server/implementation/mutations/oauth.js +0 -51
package/dist/server/implementation/mutations/oauth.js.map +0 -1
package/dist/server/implementation/mutations/refresh.d.ts +0 -20
package/dist/server/implementation/mutations/refresh.d.ts.map +0 -1
package/dist/server/implementation/mutations/refresh.js +0 -85
package/dist/server/implementation/mutations/refresh.js.map +0 -1
package/dist/server/implementation/mutations/register.d.ts +0 -37
package/dist/server/implementation/mutations/register.d.ts.map +0 -1
package/dist/server/implementation/mutations/register.js +0 -65
package/dist/server/implementation/mutations/register.js.map +0 -1
package/dist/server/implementation/mutations/retrieve.d.ts +0 -31
package/dist/server/implementation/mutations/retrieve.d.ts.map +0 -1
package/dist/server/implementation/mutations/retrieve.js +0 -50
package/dist/server/implementation/mutations/retrieve.js.map +0 -1
package/dist/server/implementation/mutations/signature.d.ts +0 -19
package/dist/server/implementation/mutations/signature.d.ts.map +0 -1
package/dist/server/implementation/mutations/signature.js +0 -27
package/dist/server/implementation/mutations/signature.js.map +0 -1
package/dist/server/implementation/mutations/signin.d.ts +0 -21
package/dist/server/implementation/mutations/signin.d.ts.map +0 -1
package/dist/server/implementation/mutations/signin.js.map +0 -1
package/dist/server/implementation/mutations/signout.d.ts +0 -14
package/dist/server/implementation/mutations/signout.d.ts.map +0 -1
package/dist/server/implementation/mutations/signout.js +0 -27
package/dist/server/implementation/mutations/signout.js.map +0 -1
package/dist/server/implementation/mutations/store.d.ts +0 -11
package/dist/server/implementation/mutations/store.d.ts.map +0 -1
package/dist/server/implementation/mutations/store.js +0 -12
package/dist/server/implementation/mutations/store.js.map +0 -1
package/dist/server/implementation/mutations/verifier.d.ts +0 -11
package/dist/server/implementation/mutations/verifier.d.ts.map +0 -1
package/dist/server/implementation/mutations/verifier.js +0 -16
package/dist/server/implementation/mutations/verifier.js.map +0 -1
package/dist/server/implementation/mutations/verify.d.ts +0 -25
package/dist/server/implementation/mutations/verify.d.ts.map +0 -1
package/dist/server/implementation/mutations/verify.js +0 -105
package/dist/server/implementation/mutations/verify.js.map +0 -1
package/dist/server/implementation/passkey.d.ts +0 -24
package/dist/server/implementation/passkey.d.ts.map +0 -1
package/dist/server/implementation/passkey.js +0 -307
package/dist/server/implementation/passkey.js.map +0 -1
package/dist/server/implementation/provider.d.ts +0 -10
package/dist/server/implementation/provider.d.ts.map +0 -1
package/dist/server/implementation/provider.js +0 -19
package/dist/server/implementation/provider.js.map +0 -1
package/dist/server/implementation/ratelimit.d.ts +0 -10
package/dist/server/implementation/ratelimit.d.ts.map +0 -1
package/dist/server/implementation/ratelimit.js +0 -48
package/dist/server/implementation/ratelimit.js.map +0 -1
package/dist/server/implementation/redirects.d.ts +0 -10
package/dist/server/implementation/redirects.d.ts.map +0 -1
package/dist/server/implementation/redirects.js.map +0 -1
package/dist/server/implementation/refresh.d.ts +0 -37
package/dist/server/implementation/refresh.d.ts.map +0 -1
package/dist/server/implementation/refresh.js +0 -109
package/dist/server/implementation/refresh.js.map +0 -1
package/dist/server/implementation/sessions.d.ts +0 -29
package/dist/server/implementation/sessions.d.ts.map +0 -1
package/dist/server/implementation/sessions.js.map +0 -1
package/dist/server/implementation/signin.d.ts +0 -55
package/dist/server/implementation/signin.d.ts.map +0 -1
package/dist/server/implementation/signin.js +0 -148
package/dist/server/implementation/signin.js.map +0 -1
package/dist/server/implementation/tokens.d.ts +0 -11
package/dist/server/implementation/tokens.d.ts.map +0 -1
package/dist/server/implementation/tokens.js +0 -15
package/dist/server/implementation/tokens.js.map +0 -1
package/dist/server/implementation/totp.d.ts +0 -31
package/dist/server/implementation/totp.d.ts.map +0 -1
package/dist/server/implementation/totp.js +0 -142
package/dist/server/implementation/totp.js.map +0 -1
package/dist/server/implementation/types.d.ts +0 -189
package/dist/server/implementation/types.d.ts.map +0 -1
package/dist/server/implementation/types.js +0 -97
package/dist/server/implementation/types.js.map +0 -1
package/dist/server/implementation/users.d.ts +0 -30
package/dist/server/implementation/users.d.ts.map +0 -1
package/dist/server/implementation/users.js.map +0 -1
package/dist/server/implementation/utils.d.ts +0 -19
package/dist/server/implementation/utils.d.ts.map +0 -1
package/dist/server/implementation/utils.js +0 -56
package/dist/server/implementation/utils.js.map +0 -1
package/dist/server/index.d.ts.map +0 -1
package/dist/server/index.js.map +0 -1
package/dist/server/oauth.d.ts.map +0 -1
package/dist/server/providers.d.ts +0 -72
package/dist/server/providers.d.ts.map +0 -1
package/dist/server/providers.js.map +0 -1
package/dist/server/templates.d.ts.map +0 -1
package/dist/server/utils.d.ts.map +0 -1
package/dist/server/version.d.ts +0 -5
package/dist/server/version.d.ts.map +0 -1
package/dist/server/version.js +0 -6
package/dist/server/version.js.map +0 -1
package/src/cli/utils.ts +0 -248
package/src/server/implementation/device.ts +0 -307
package/src/server/implementation/index.ts +0 -1583
package/src/server/implementation/mutations/account.ts +0 -50
package/src/server/implementation/mutations/index.ts +0 -157
package/src/server/implementation/mutations/invalidate.ts +0 -42
package/src/server/implementation/mutations/oauth.ts +0 -73
package/src/server/implementation/mutations/refresh.ts +0 -175
package/src/server/implementation/mutations/register.ts +0 -100
package/src/server/implementation/mutations/retrieve.ts +0 -79
package/src/server/implementation/mutations/signature.ts +0 -39
package/src/server/implementation/mutations/signout.ts +0 -35
package/src/server/implementation/mutations/store.ts +0 -7
package/src/server/implementation/mutations/verifier.ts +0 -24
package/src/server/implementation/mutations/verify.ts +0 -194
package/src/server/implementation/passkey.ts +0 -620
package/src/server/implementation/provider.ts +0 -36
package/src/server/implementation/ratelimit.ts +0 -79
package/src/server/implementation/refresh.ts +0 -172
package/src/server/implementation/signin.ts +0 -296
package/src/server/implementation/totp.ts +0 -342
package/src/server/implementation/types.ts +0 -444
package/src/server/implementation/utils.ts +0 -91
package/src/server/version.ts +0 -2

package/src/server/mounts.ts ADDED Viewed

@@ -0,0 +1,948 @@
+import { actionGeneric, mutationGeneric, queryGeneric } from "convex/server";
+import { ConvexError, v } from "convex/values";
+import type { AuthApi } from "./auth";
+import {
+  enterpriseConnectionWhereValidator,
+  enterpriseDomainInputValidator,
+  enterpriseDomainVerificationInputValidator,
+  enterprisePolicyPatchValidator,
+  enterpriseSamlAttributeMappingValidator,
+  enterpriseSamlSpValidator,
+  enterpriseStatusValidator,
+} from "./enterprise/validators";
+import type { AuthAuthorizationConfig, AuthRoleId } from "./types";
+/**
+ * Permission identifiers used by mounted enterprise admin APIs.
+ *
+ * These permission strings are passed to your {@link EnterpriseAuthorizer}
+ * callback so app code can decide whether the current user may perform a
+ * specific SSO or SCIM management operation.
+ *
+ * @example
+ * ```ts
+ * const authorized: EnterpriseAuthorizer = async (ctx, input) => {
+ *   if (input.permission === "sso.connection.create") {
+ *     // Only org admins may create SSO connections
+ *   }
+ * };
+ * ```
+ */
+export type EnterpriseAdminPermission =
+  | "sso.connection.create"
+  | "sso.connection.read"
+  | "sso.connection.manage"
+  | "sso.domain.manage"
+  | "sso.protocol.manage"
+  | "sso.policy.manage"
+  | "sso.audit.read"
+  | "sso.webhook.manage"
+  | "scim.manage";
+/**
+ * Input passed to an {@link EnterpriseAuthorizer}.
+ *
+ * Contains the acting user, the requested permission, and the resolved
+ * enterprise/group scope for the operation being authorized.
+ */
+export type EnterpriseAdminAuthorizationInput = {
+  /** The signed-in user's ID performing the admin action. */
+  userId: string;
+  /** The {@link EnterpriseAdminPermission} being requested. */
+  permission: EnterpriseAdminPermission;
+  /** Enterprise document ID, if the operation targets a specific enterprise. */
+  enterpriseId?: string;
+  /** Group document ID, if explicitly provided by the caller. */
+  groupId?: string;
+  /** Resolved group ID from the enterprise record, or `null` when no enterprise context. */
+  resolvedGroupId: string | null;
+};
+/**
+ * App-defined authorization hook for mounted enterprise admin APIs.
+ *
+ * Return `void` (or resolve) to allow the operation, or `{ ok: false }` to deny it.
+ *
+ * @param ctx - Convex context with `ctx.auth` for identity checks.
+ * @param input - The {@link EnterpriseAdminAuthorizationInput} describing who is doing what.
+ * @returns `void` to allow, `{ ok: false }` to deny.
+ *
+ * @example
+ * ```ts
+ * import { EnterpriseAuthorizer } from "@robelest/convex-auth/server";
+ *
+ * const authorized: EnterpriseAuthorizer = async (ctx, input) => {
+ *   const identity = await ctx.auth.getUserIdentity();
+ *   if (!identity) return { ok: false };
+ *   // Allow all admin ops for the org owner
+ * };
+ * ```
+ */
+export type EnterpriseAuthorizer = (
+  ctx: { auth: import("convex/server").Auth },
+  input: EnterpriseAdminAuthorizationInput,
+) => Promise<void | { ok: false }>;
+type RoleRef<TRoleId extends string> = { id: TRoleId };
+type MountedEnterpriseOptions<TRoleId extends string = string> = {
+  admin?: {
+    authorized?: EnterpriseAuthorizer;
+    roles?: Array<TRoleId | RoleRef<TRoleId>>;
+  };
+};
+/**
+ * Configuration for {@link enterprise}, {@link sso}, and {@link scim}
+ * mounted admin APIs.
+ *
+ * @typeParam TRoleId - Role IDs that may be assigned to enterprise creators.
+ *
+ * @example
+ * ```ts
+ * import { enterprise, EnterpriseMountOptions } from "@robelest/convex-auth/server";
+ *
+ * const options: EnterpriseMountOptions = {
+ *   admin: {
+ *     authorized: async (ctx, input) => {
+ *       // Verify the user has permission for `input.permission`
+ *     },
+ *     roles: ["admin", "owner"],
+ *   },
+ * };
+ * ```
+ */
+export type EnterpriseMountOptions<TRoleId extends string = string> = {
+  admin: {
+    authorized: EnterpriseAuthorizer;
+    roles?: Array<TRoleId | RoleRef<TRoleId>>;
+  };
+};
+type MountedEnterpriseTarget = {
+  enterpriseId?: string;
+  groupId?: string;
+  domain?: string;
+};
+function requireSignedInUser(auth: Pick<AuthApi, "user">) {
+  return async (ctx: {
+    auth: import("convex/server").Auth;
+  }): Promise<string | null> => {
+    return await auth.user.id(ctx as never);
+  };
+}
+function normalizeCreatorRoleIds<TRoleId extends string>(
+  roles?: Array<TRoleId | RoleRef<TRoleId>>,
+) {
+  return roles?.map((role) => (typeof role === "string" ? role : role.id));
+}
+async function resolveMountedEnterpriseTarget(
+  auth: Pick<AuthApi, "sso">,
+  ctx: { auth: import("convex/server").Auth },
+  target: MountedEnterpriseTarget,
+) {
+  if (target.groupId !== undefined) {
+    return {
+      enterpriseId: target.enterpriseId,
+      groupId: target.groupId,
+      resolvedGroupId: target.groupId,
+    };
+  }
+  if (target.enterpriseId !== undefined) {
+    const enterprise = await auth.sso.admin.connection.get(
+      ctx as never,
+      target.enterpriseId,
+    );
+    if (enterprise === null) {
+      throw new ConvexError({
+        code: "INVALID_PARAMETERS",
+        message: "Enterprise not found.",
+      });
+    }
+    return {
+      enterpriseId: enterprise._id,
+      groupId: enterprise.groupId,
+      resolvedGroupId: enterprise.groupId,
+    };
+  }
+  if (target.domain !== undefined) {
+    const resolved = await auth.sso.admin.connection.getByDomain(
+      ctx as never,
+      target.domain,
+    );
+    if (resolved?.enterprise === undefined) {
+      throw new ConvexError({
+        code: "INVALID_PARAMETERS",
+        message: "Enterprise not found.",
+      });
+    }
+    return {
+      enterpriseId: resolved.enterprise._id,
+      groupId: resolved.enterprise.groupId,
+      resolvedGroupId: resolved.enterprise.groupId,
+    };
+  }
+  return {
+    enterpriseId: undefined,
+    groupId: undefined,
+    resolvedGroupId: null,
+  };
+}
+function createMountedAdminAuthorizer(
+  auth: Pick<AuthApi, "sso" | "user">,
+  options?: MountedEnterpriseOptions,
+) {
+  const requireUserId = requireSignedInUser(auth);
+  return async (
+    ctx: { auth: import("convex/server").Auth },
+    permission: EnterpriseAdminPermission,
+    target: MountedEnterpriseTarget = {},
+  ) => {
+    const userId = await requireUserId(ctx);
+    if (userId === null) {
+      return { ok: false as const, code: "NOT_SIGNED_IN" as const };
+    }
+    if (!options?.admin?.authorized) {
+      return { ok: false as const, code: "FORBIDDEN" as const };
+    }
+    const resolved = await resolveMountedEnterpriseTarget(auth, ctx, target);
+    const authResult = await options.admin.authorized(ctx, {
+      userId,
+      permission,
+      enterpriseId: resolved.enterpriseId,
+      groupId: resolved.groupId,
+      resolvedGroupId: resolved.resolvedGroupId,
+    });
+    if (authResult && !authResult.ok) {
+      return { ok: false as const, code: "FORBIDDEN" as const };
+    }
+    return { ok: true as const, userId, ...resolved };
+  };
+}
+/**
+ * Build optional public SSO management actions that apps can mount under
+ * `convex/auth/sso/**` when they want client-callable enterprise APIs.
+ *
+ * `admin` is for tenant-admin control-plane operations and should be mounted
+ * with an explicit authorization policy. `client` is for end-user sign-in
+ * helpers and does not require tenant-admin authorization.
+ *
+ * @param auth - Auth API subset providing `group`, `member`, `sso`, and `user` namespaces.
+ * @param options - Optional admin authorization config. See {@link EnterpriseMountOptions}.
+ * @typeParam TAuthorization - Optional authorization config for typed role IDs.
+ * @returns An object with `admin` (connection CRUD, OIDC/SAML protocol config, policy,
+ *   audit, webhooks, domain management) and `client` (signIn, metadata) namespaces.
+ *
+ * @example
+ * ```ts
+ * // convex/auth/sso.ts
+ * import { sso } from "@robelest/convex-auth/server";
+ * import { auth } from "../auth";
+ *
+ * const mounted = sso(auth, {
+ *   admin: {
+ *     authorized: async (ctx, input) => { /* check permissions *\/ },
+ *   },
+ * });
+ *
+ * export const createConnection = mounted.admin.connection.create;
+ * export const signIn = mounted.client.signIn;
+ * ```
+ *
+ * @see {@link scim}
+ * @see {@link enterprise}
+ */
+export function sso<
+  TAuthorization extends AuthAuthorizationConfig | undefined = undefined,
+>(
+  auth: Pick<AuthApi<TAuthorization>, "group" | "member" | "sso" | "user">,
+  options?: MountedEnterpriseOptions<AuthRoleId<TAuthorization>>,
+) {
+  const authorize = createMountedAdminAuthorizer(auth, options);
+  const adminRoleIds = normalizeCreatorRoleIds(options?.admin?.roles);
+  return {
+    admin: {
+      connection: {
+        create: mutationGeneric({
+          args: {
+            groupId: v.optional(v.string()),
+            name: v.optional(v.string()),
+            slug: v.optional(v.string()),
+            status: v.optional(enterpriseStatusValidator),
+            domain: v.optional(v.string()),
+          },
+          handler: async (ctx, args) => {
+            const authResult = await authorize(ctx, "sso.connection.create", {
+              groupId: args.groupId,
+            });
+            if (!authResult.ok)
+              return { ok: false as const, code: authResult.code };
+            const { userId } = authResult;
+            const createsGroup = args.groupId === undefined;
+            const groupId =
+              args.groupId ??
+              (
+                await auth.group.create(ctx as never, {
+                  name: args.name?.trim() || args.slug?.trim() || "Enterprise",
+                  slug: args.slug,
+                  type: "enterprise",
+                })
+              ).groupId;
+            if (createsGroup) {
+              await auth.member.create(ctx as never, {
+                groupId,
+                userId,
+                roleIds: adminRoleIds,
+              });
+            }
+            const created = await auth.sso.admin.connection.create(
+              ctx as never,
+              {
+                groupId,
+                name: args.name,
+                slug: args.slug,
+                status: args.status,
+              },
+            );
+            if (args.domain) {
+              await auth.sso.admin.connection.domain.set(
+                ctx as never,
+                created.enterpriseId,
+                [{ domain: args.domain, isPrimary: true }],
+              );
+            }
+            return {
+              ...created,
+              groupId,
+              createdGroup: createsGroup,
+            };
+          },
+        }),
+        get: queryGeneric({
+          args: { enterpriseId: v.string() },
+          handler: async (ctx, args) => {
+            const _auth = await authorize(ctx, "sso.connection.read", {
+              enterpriseId: args.enterpriseId,
+            });
+            if (!_auth.ok) return null;
+            return await auth.sso.admin.connection.get(
+              ctx as never,
+              args.enterpriseId,
+            );
+          },
+        }),
+        getByGroup: queryGeneric({
+          args: { groupId: v.string() },
+          handler: async (ctx, args) => {
+            const _auth = await authorize(ctx, "sso.connection.read", {
+              groupId: args.groupId,
+            });
+            if (!_auth.ok) return null;
+            return await auth.sso.admin.connection.getByGroup(
+              ctx as never,
+              args.groupId,
+            );
+          },
+        }),
+        getByDomain: queryGeneric({
+          args: { domain: v.string() },
+          handler: async (ctx, args) => {
+            const _auth = await authorize(ctx, "sso.connection.read", {
+              domain: args.domain,
+            });
+            if (!_auth.ok) return null;
+            return await auth.sso.admin.connection.getByDomain(
+              ctx as never,
+              args.domain,
+            );
+          },
+        }),
+        list: queryGeneric({
+          args: {
+            where: v.optional(enterpriseConnectionWhereValidator),
+            limit: v.optional(v.number()),
+            cursor: v.optional(v.union(v.string(), v.null())),
+            orderBy: v.optional(v.string()),
+            order: v.optional(v.union(v.literal("asc"), v.literal("desc"))),
+          },
+          handler: async (ctx, args) => {
+            const _auth = await authorize(ctx, "sso.connection.read", {
+              groupId: args.where?.groupId,
+            });
+            if (!_auth.ok) return null;
+            return await auth.sso.admin.connection.list(
+              ctx as never,
+              args as never,
+            );
+          },
+        }),
+        update: mutationGeneric({
+          args: {
+            enterpriseId: v.string(),
+            data: v.object({
+              name: v.optional(v.string()),
+              slug: v.optional(v.string()),
+              status: v.optional(enterpriseStatusValidator),
+            }),
+          },
+          handler: async (ctx, args) => {
+            const _auth = await authorize(ctx, "sso.connection.manage", {
+              enterpriseId: args.enterpriseId,
+            });
+            if (!_auth.ok) return { ok: false as const, code: _auth.code };
+            await auth.sso.admin.connection.update(
+              ctx as never,
+              args.enterpriseId,
+              args.data,
+            );
+            return { ok: true as const, enterpriseId: args.enterpriseId };
+          },
+        }),
+        delete: mutationGeneric({
+          args: { enterpriseId: v.string() },
+          handler: async (ctx, args) => {
+            const _auth = await authorize(ctx, "sso.connection.manage", {
+              enterpriseId: args.enterpriseId,
+            });
+            if (!_auth.ok) return { ok: false as const, code: _auth.code };
+            return await auth.sso.admin.connection.delete(
+              ctx as never,
+              args.enterpriseId,
+            );
+          },
+        }),
+        status: queryGeneric({
+          args: { enterpriseId: v.string() },
+          handler: async (ctx, args) => {
+            const _auth = await authorize(ctx, "sso.connection.read", {
+              enterpriseId: args.enterpriseId,
+            });
+            if (!_auth.ok) return null;
+            return await auth.sso.admin.connection.status(
+              ctx as never,
+              args.enterpriseId,
+            );
+          },
+        }),
+        domain: {
+          list: queryGeneric({
+            args: { enterpriseId: v.string() },
+            handler: async (ctx, args) => {
+              const _auth = await authorize(ctx, "sso.connection.read", {
+                enterpriseId: args.enterpriseId,
+              });
+              if (!_auth.ok) return null;
+              return await auth.sso.admin.connection.domain.list(
+                ctx as never,
+                args.enterpriseId,
+              );
+            },
+          }),
+          validate: queryGeneric({
+            args: { enterpriseId: v.string() },
+            handler: async (ctx, args) => {
+              const _auth = await authorize(ctx, "sso.domain.manage", {
+                enterpriseId: args.enterpriseId,
+              });
+              if (!_auth.ok) return null;
+              return await auth.sso.admin.connection.domain.validate(
+                ctx as never,
+                args.enterpriseId,
+              );
+            },
+          }),
+          set: mutationGeneric({
+            args: {
+              enterpriseId: v.string(),
+              domains: v.array(enterpriseDomainInputValidator),
+            },
+            handler: async (ctx, args) => {
+              const _auth = await authorize(ctx, "sso.domain.manage", {
+                enterpriseId: args.enterpriseId,
+              });
+              if (!_auth.ok) return { ok: false as const, code: _auth.code };
+              return await auth.sso.admin.connection.domain.set(
+                ctx as never,
+                args.enterpriseId,
+                args.domains,
+              );
+            },
+          }),
+          verification: {
+            request: mutationGeneric({
+              args: enterpriseDomainVerificationInputValidator,
+              handler: async (ctx, args) => {
+                const _auth = await authorize(ctx, "sso.domain.manage", {
+                  enterpriseId: args.enterpriseId,
+                });
+                if (!_auth.ok) return { ok: false as const, code: _auth.code };
+                return await auth.sso.admin.connection.domain.verification.request(
+                  ctx as never,
+                  args,
+                );
+              },
+            }),
+            confirm: actionGeneric({
+              args: enterpriseDomainVerificationInputValidator,
+              handler: async (ctx, args) => {
+                const _auth = await authorize(ctx, "sso.domain.manage", {
+                  enterpriseId: args.enterpriseId,
+                });
+                if (!_auth.ok) return { ok: false as const, code: _auth.code };
+                return await auth.sso.admin.connection.domain.verification.confirm(
+                  ctx as never,
+                  args,
+                );
+              },
+            }),
+          },
+        },
+      },
+      oidc: {
+        configure: mutationGeneric({
+          args: {
+            enterpriseId: v.string(),
+            issuer: v.optional(v.string()),
+            discoveryUrl: v.optional(v.string()),
+            clientId: v.string(),
+            clientSecret: v.optional(v.string()),
+            scopes: v.optional(v.array(v.string())),
+            authorizationParams: v.optional(v.record(v.string(), v.string())),
+            clockToleranceSeconds: v.optional(v.number()),
+            strictIssuer: v.optional(v.boolean()),
+            extraFields: v.optional(v.record(v.string(), v.string())),
+          },
+          handler: async (ctx, args) => {
+            const _auth = await authorize(ctx, "sso.protocol.manage", {
+              enterpriseId: args.enterpriseId,
+            });
+            if (!_auth.ok) return { ok: false as const, code: _auth.code };
+            return await auth.sso.admin.oidc.configure(ctx as never, args);
+          },
+        }),
+        get: queryGeneric({
+          args: { enterpriseId: v.string() },
+          handler: async (ctx, args) => {
+            const _auth = await authorize(ctx, "sso.connection.read", {
+              enterpriseId: args.enterpriseId,
+            });
+            if (!_auth.ok) return null;
+            return await auth.sso.admin.oidc.get(
+              ctx as never,
+              args.enterpriseId,
+            );
+          },
+        }),
+        validate: actionGeneric({
+          args: { enterpriseId: v.string() },
+          handler: async (ctx, args) => {
+            const _auth = await authorize(ctx, "sso.protocol.manage", {
+              enterpriseId: args.enterpriseId,
+            });
+            if (!_auth.ok) return { ok: false as const, code: _auth.code };
+            return await auth.sso.admin.oidc.validate(
+              ctx as never,
+              args.enterpriseId,
+            );
+          },
+        }),
+      },
+      saml: {
+        configure: actionGeneric({
+          args: {
+            enterpriseId: v.string(),
+            metadataXml: v.optional(v.string()),
+            metadataUrl: v.optional(v.string()),
+            domains: v.optional(v.array(v.string())),
+            signAuthnRequests: v.optional(v.boolean()),
+            attributeMapping: v.optional(
+              enterpriseSamlAttributeMappingValidator,
+            ),
+            sp: v.optional(enterpriseSamlSpValidator),
+          },
+          handler: async (ctx, args) => {
+            const _auth = await authorize(ctx, "sso.protocol.manage", {
+              enterpriseId: args.enterpriseId,
+            });
+            if (!_auth.ok) return { ok: false as const, code: _auth.code };
+            return await auth.sso.admin.saml.configure(ctx as never, args);
+          },
+        }),
+        validate: queryGeneric({
+          args: { enterpriseId: v.string() },
+          handler: async (ctx, args) => {
+            const _auth = await authorize(ctx, "sso.protocol.manage", {
+              enterpriseId: args.enterpriseId,
+            });
+            if (!_auth.ok) return null;
+            return await auth.sso.admin.saml.validate(
+              ctx as never,
+              args.enterpriseId,
+            );
+          },
+        }),
+      },
+      policy: {
+        get: queryGeneric({
+          args: { enterpriseId: v.string() },
+          handler: async (ctx, args) => {
+            const _auth = await authorize(ctx, "sso.connection.read", {
+              enterpriseId: args.enterpriseId,
+            });
+            if (!_auth.ok) return null;
+            return await auth.sso.admin.policy.get(
+              ctx as never,
+              args.enterpriseId,
+            );
+          },
+        }),
+        update: mutationGeneric({
+          args: {
+            enterpriseId: v.string(),
+            patch: enterprisePolicyPatchValidator,
+          },
+          handler: async (ctx, args) => {
+            const _auth = await authorize(ctx, "sso.policy.manage", {
+              enterpriseId: args.enterpriseId,
+            });
+            if (!_auth.ok) return { ok: false as const, code: _auth.code };
+            return await auth.sso.admin.policy.update(
+              ctx as never,
+              args.enterpriseId,
+              args.patch,
+            );
+          },
+        }),
+        validate: queryGeneric({
+          args: { enterpriseId: v.string() },
+          handler: async (ctx, args) => {
+            const _auth = await authorize(ctx, "sso.policy.manage", {
+              enterpriseId: args.enterpriseId,
+            });
+            if (!_auth.ok) return null;
+            return await auth.sso.admin.policy.validate(
+              ctx as never,
+              args.enterpriseId,
+            );
+          },
+        }),
+      },
+      audit: {
+        list: queryGeneric({
+          args: {
+            enterpriseId: v.optional(v.string()),
+            groupId: v.optional(v.string()),
+            limit: v.optional(v.number()),
+          },
+          handler: async (ctx, args) => {
+            const _auth = await authorize(ctx, "sso.audit.read", {
+              enterpriseId: args.enterpriseId,
+              groupId: args.groupId,
+            });
+            if (!_auth.ok) return null;
+            return await auth.sso.admin.audit.list(ctx as never, args);
+          },
+        }),
+      },
+      webhook: {
+        delivery: {
+          list: queryGeneric({
+            args: {
+              enterpriseId: v.string(),
+              limit: v.optional(v.number()),
+            },
+            handler: async (ctx, args) => {
+              const _auth = await authorize(ctx, "sso.webhook.manage", {
+                enterpriseId: args.enterpriseId,
+              });
+              if (!_auth.ok) return null;
+              return await (auth.sso.admin.webhook as any).delivery.list(
+                ctx as never,
+                args,
+              );
+            },
+          }),
+        },
+        endpoint: {
+          create: mutationGeneric({
+            args: {
+              enterpriseId: v.string(),
+              url: v.string(),
+              secret: v.string(),
+              subscriptions: v.array(v.string()),
+              createdByUserId: v.optional(v.string()),
+            },
+            handler: async (ctx, args) => {
+              const authResult = await authorize(ctx, "sso.webhook.manage", {
+                enterpriseId: args.enterpriseId,
+              });
+              if (!authResult.ok)
+                return { ok: false as const, code: authResult.code };
+              const { userId } = authResult;
+              const result = await auth.sso.admin.webhook.endpoint.create(
+                ctx as never,
+                {
+                  ...args,
+                  createdByUserId: args.createdByUserId ?? userId,
+                },
+              );
+              return {
+                _id: result.endpointId,
+                enterpriseId: args.enterpriseId,
+                url: args.url,
+                subscriptions: args.subscriptions,
+                createdByUserId: args.createdByUserId ?? userId,
+                status: "active",
+                failureCount: 0,
+              };
+            },
+          }),
+          list: queryGeneric({
+            args: { enterpriseId: v.string() },
+            handler: async (ctx, args) => {
+              const _auth = await authorize(ctx, "sso.webhook.manage", {
+                enterpriseId: args.enterpriseId,
+              });
+              if (!_auth.ok) return null;
+              const endpoints = await auth.sso.admin.webhook.endpoint.list(
+                ctx as never,
+                args.enterpriseId,
+              );
+              return endpoints.map((endpoint: Record<string, unknown>) => {
+                const { secretHash: _secretHash, ...rest } = endpoint;
+                return rest;
+              });
+            },
+          }),
+          disable: mutationGeneric({
+            args: { endpointId: v.string() },
+            handler: async (ctx, args) => {
+              const endpoint = await auth.sso.admin.webhook.endpoint.get(
+                ctx as never,
+                args.endpointId,
+              );
+              if (!endpoint) {
+                return {
+                  ok: false as const,
+                  code: "INVALID_PARAMETERS" as const,
+                };
+              }
+              const _auth = await authorize(ctx, "sso.webhook.manage", {
+                enterpriseId: endpoint.enterpriseId,
+                groupId: endpoint.groupId,
+              });
+              if (!_auth.ok) return { ok: false as const, code: _auth.code };
+              return await auth.sso.admin.webhook.endpoint.disable(
+                ctx as never,
+                args.endpointId,
+              );
+            },
+          }),
+        },
+      },
+    },
+    client: {
+      signIn: queryGeneric({
+        args: {
+          enterpriseId: v.optional(v.string()),
+          email: v.optional(v.string()),
+          domain: v.optional(v.string()),
+          redirectTo: v.optional(v.string()),
+        },
+        handler: async (ctx, args) => {
+          return await auth.sso.client.signIn(ctx as never, args);
+        },
+      }),
+      metadata: queryGeneric({
+        args: {
+          enterpriseId: v.string(),
+          entityId: v.optional(v.string()),
+          acsUrl: v.optional(v.string()),
+          sloUrl: v.optional(v.string()),
+        },
+        handler: async (ctx, args) => {
+          return await auth.sso.client.metadata(ctx as never, args);
+        },
+      }),
+    },
+  };
+}
+/**
+ * Build optional public SCIM management actions that apps can mount under
+ * `convex/auth/scim/**` when they want client-callable enterprise admin APIs.
+ *
+ * @param auth - Auth API subset providing `scim`, `sso`, and `user` namespaces.
+ * @param options - Optional admin authorization config. See {@link EnterpriseMountOptions}.
+ * @typeParam TAuthorization - Optional authorization config for typed role IDs.
+ * @returns An object with `admin.configure`, `admin.get`, and `admin.validate` actions.
+ *
+ * @example
+ * ```ts
+ * // convex/auth/scim.ts
+ * import { scim } from "@robelest/convex-auth/server";
+ * import { auth } from "../auth";
+ *
+ * const mounted = scim(auth, {
+ *   admin: {
+ *     authorized: async (ctx, input) => { /* check permissions *\/ },
+ *   },
+ * });
+ *
+ * export const configure = mounted.admin.configure;
+ * export const get = mounted.admin.get;
+ * export const validate = mounted.admin.validate;
+ * ```
+ *
+ * @see {@link sso}
+ * @see {@link enterprise}
+ */
+export function scim<
+  TAuthorization extends AuthAuthorizationConfig | undefined = undefined,
+>(
+  auth: Pick<AuthApi<TAuthorization>, "scim" | "sso" | "user">,
+  options?: MountedEnterpriseOptions<AuthRoleId<TAuthorization>>,
+) {
+  const authorize = createMountedAdminAuthorizer(auth, options);
+  return {
+    admin: {
+      configure: mutationGeneric({
+        args: {
+          enterpriseId: v.string(),
+          basePath: v.optional(v.string()),
+          status: v.optional(enterpriseStatusValidator),
+        },
+        handler: async (ctx, args) => {
+          const _auth = await authorize(ctx, "scim.manage", {
+            enterpriseId: args.enterpriseId,
+          });
+          if (!_auth.ok) return { ok: false as const, code: _auth.code };
+          return await auth.scim.admin.configure(ctx as never, args);
+        },
+      }),
+      get: queryGeneric({
+        args: { enterpriseId: v.string() },
+        handler: async (ctx, args) => {
+          const _auth = await authorize(ctx, "scim.manage", {
+            enterpriseId: args.enterpriseId,
+          });
+          if (!_auth.ok) return null;
+          return await auth.scim.admin.get(ctx as never, args.enterpriseId);
+        },
+      }),
+      validate: queryGeneric({
+        args: { enterpriseId: v.string() },
+        handler: async (ctx, args) => {
+          const _auth = await authorize(ctx, "scim.manage", {
+            enterpriseId: args.enterpriseId,
+          });
+          if (!_auth.ok) return null;
+          return await auth.scim.admin.validate(
+            ctx as never,
+            args.enterpriseId,
+          );
+        },
+      }),
+    },
+  };
+}
+/**
+ * Build a flat mounted enterprise API surface for app-owned Convex exports.
+ *
+ * Combines {@link sso} and {@link scim} into a single flat object with
+ * all SSO connection, protocol, policy, audit, webhook, and SCIM
+ * management functions plus end-user sign-in helpers. The `authorized`
+ * callback is required for all admin operations.
+ *
+ * @param auth - Auth API subset providing `group`, `member`, `scim`, `sso`, and `user` namespaces.
+ * @param options - Required {@link EnterpriseMountOptions} with an `admin.authorized` callback.
+ * @typeParam TAuthorization - Optional authorization config for typed role IDs.
+ * @returns A flat object with all enterprise management functions (e.g. `createConnection`,
+ *   `configureOidc`, `configureScim`, `signIn`, etc.).
+ *
+ * @example
+ * ```ts
+ * // convex/auth/enterprise.ts
+ * import { enterprise } from "@robelest/convex-auth/server";
+ * import { auth } from "../auth";
+ *
+ * const api = enterprise(auth, {
+ *   admin: {
+ *     authorized: async (ctx, input) => { /* check permissions *\/ },
+ *     roles: ["admin"],
+ *   },
+ * });
+ *
+ * export const createConnection = api.createConnection;
+ * export const configureOidc = api.configureOidc;
+ * export const signIn = api.signIn;
+ * ```
+ *
+ * @see {@link sso}
+ * @see {@link scim}
+ */
+export function enterprise<
+  TAuthorization extends AuthAuthorizationConfig | undefined = undefined,
+>(
+  auth: Pick<
+    AuthApi<TAuthorization>,
+    "group" | "member" | "scim" | "sso" | "user"
+  >,
+  options: EnterpriseMountOptions<AuthRoleId<TAuthorization>>,
+) {
+  const mountedSso = sso(auth, {
+    admin: options.admin,
+  });
+  const mountedScim = scim(auth, {
+    admin: { authorized: options.admin.authorized },
+  });
+  return {
+    createConnection: mountedSso.admin.connection.create,
+    getConnection: mountedSso.admin.connection.get,
+    getConnectionByGroup: mountedSso.admin.connection.getByGroup,
+    getConnectionByDomain: mountedSso.admin.connection.getByDomain,
+    listConnections: mountedSso.admin.connection.list,
+    updateConnection: mountedSso.admin.connection.update,
+    deleteConnection: mountedSso.admin.connection.delete,
+    getConnectionStatus: mountedSso.admin.connection.status,
+    listDomains: mountedSso.admin.connection.domain.list,
+    validateDomains: mountedSso.admin.connection.domain.validate,
+    setDomains: mountedSso.admin.connection.domain.set,
+    requestDomainVerification:
+      mountedSso.admin.connection.domain.verification.request,
+    confirmDomainVerification:
+      mountedSso.admin.connection.domain.verification.confirm,
+    configureOidc: mountedSso.admin.oidc.configure,
+    getOidc: mountedSso.admin.oidc.get,
+    validateOidc: mountedSso.admin.oidc.validate,
+    configureSaml: mountedSso.admin.saml.configure,
+    validateSaml: mountedSso.admin.saml.validate,
+    getPolicy: mountedSso.admin.policy.get,
+    updatePolicy: mountedSso.admin.policy.update,
+    validatePolicy: mountedSso.admin.policy.validate,
+    listAudit: mountedSso.admin.audit.list,
+    createWebhookEndpoint: mountedSso.admin.webhook.endpoint.create,
+    listWebhookEndpoints: mountedSso.admin.webhook.endpoint.list,
+    listWebhookDeliveries: mountedSso.admin.webhook.delivery.list,
+    disableWebhookEndpoint: mountedSso.admin.webhook.endpoint.disable,
+    configureScim: mountedScim.admin.configure,
+    getScim: mountedScim.admin.get,
+    validateScim: mountedScim.admin.validate,
+    signIn: mountedSso.client.signIn,
+    metadata: mountedSso.client.metadata,
+  };
+}