@robelest/convex-auth 0.0.4-preview.2 → 0.0.4-preview.21

package/dist/component/schema.d.ts

@@ -1,4 +1,4 @@
-import * as convex_server94 from "convex/server";
+import * as convex_server66 from "convex/server";
 import * as convex_values121 from "convex/values";
 
 //#region src/component/schema.d.ts
@@ -9,16 +9,16 @@ import * as convex_values121 from "convex/values";
  * verification codes, PKCE verifiers, rate limits) and hierarchical group
  * management (groups, members, invites).
  */
-declare const _default: convex_server94.SchemaDefinition<{
+declare const _default: convex_server66.SchemaDefinition<{
   /**
    * Authenticated users. A user may have multiple linked accounts
    * and multiple concurrent sessions.
    */
-  user: convex_server94.TableDefinition<convex_values121.VObject<{
-    name?: string | undefined;
+  User: convex_server66.TableDefinition<convex_values121.VObject<{
     email?: string | undefined;
-    phone?: string | undefined;
     extend?: any;
+    phone?: string | undefined;
+    name?: string | undefined;
     image?: string | undefined;
     emailVerificationTime?: number | undefined;
     phoneVerificationTime?: number | undefined;
@@ -32,46 +32,50 @@ declare const _default: convex_server94.SchemaDefinition<{
     phoneVerificationTime: convex_values121.VFloat64<number | undefined, "optional">;
     isAnonymous: convex_values121.VBoolean<boolean | undefined, "optional">;
     extend: convex_values121.VAny<any, "optional", string>;
-  }, "required", "name" | "email" | "phone" | "extend" | "image" | "emailVerificationTime" | "phoneVerificationTime" | "isAnonymous" | `extend.${string}`>, {
+  }, "required", "email" | "extend" | "phone" | "name" | "image" | "emailVerificationTime" | "phoneVerificationTime" | "isAnonymous" | `extend.${string}`>, {
     email: ["email", "_creationTime"];
+    email_verified: ["email", "emailVerificationTime", "_creationTime"];
     phone: ["phone", "_creationTime"];
+    phone_verified: ["phone", "phoneVerificationTime", "_creationTime"];
   }, {}, {}>;
   /**
    * Active sessions. A single user can have multiple concurrent sessions
    * across different devices or browsers. Sessions expire after a
    * configurable duration.
    */
-  session: convex_server94.TableDefinition<convex_values121.VObject<{
-    userId: convex_values121.GenericId<"user">;
+  Session: convex_server66.TableDefinition<convex_values121.VObject<{
+    userId: convex_values121.GenericId<"User">;
     expirationTime: number;
   }, {
-    userId: convex_values121.VId<convex_values121.GenericId<"user">, "required">;
+    userId: convex_values121.VId<convex_values121.GenericId<"User">, "required">;
     expirationTime: convex_values121.VFloat64<number, "required">;
   }, "required", "userId" | "expirationTime">, {
-    userId: ["userId", "_creationTime"];
+    user_id: ["userId", "_creationTime"];
   }, {}, {}>;
   /**
    * Authentication accounts. Each account links a user to a single
    * authentication provider (e.g. Google OAuth, email/password).
    * A user can have multiple accounts linked.
    */
-  account: convex_server94.TableDefinition<convex_values121.VObject<{
+  Account: convex_server66.TableDefinition<convex_values121.VObject<{
+    extend?: any;
     secret?: string | undefined;
     emailVerified?: string | undefined;
     phoneVerified?: string | undefined;
+    userId: convex_values121.GenericId<"User">;
     provider: string;
-    userId: convex_values121.GenericId<"user">;
     providerAccountId: string;
   }, {
-    userId: convex_values121.VId<convex_values121.GenericId<"user">, "required">;
+    userId: convex_values121.VId<convex_values121.GenericId<"User">, "required">;
     provider: convex_values121.VString<string, "required">;
     providerAccountId: convex_values121.VString<string, "required">;
     secret: convex_values121.VString<string | undefined, "optional">;
     emailVerified: convex_values121.VString<string | undefined, "optional">;
     phoneVerified: convex_values121.VString<string | undefined, "optional">;
-  }, "required", "provider" | "userId" | "providerAccountId" | "secret" | "emailVerified" | "phoneVerified">, {
-    userIdAndProvider: ["userId", "provider", "_creationTime"];
-    providerAndAccountId: ["provider", "providerAccountId", "_creationTime"];
+    extend: convex_values121.VAny<any, "optional", string>;
+  }, "required", "userId" | "extend" | "provider" | "secret" | "providerAccountId" | `extend.${string}` | "emailVerified" | "phoneVerified">, {
+    user_id_provider: ["userId", "provider", "_creationTime"];
+    provider_account_id: ["provider", "providerAccountId", "_creationTime"];
   }, {}, {}>;
   /**
    * Refresh tokens for session continuity. Tokens are single-use and form
@@ -81,52 +85,53 @@ declare const _default: convex_server94.SchemaDefinition<{
    * been used yet. A 10-second reuse window allows for concurrent requests.
    * Any invalid use of a token invalidates the entire chain.
    */
-  token: convex_server94.TableDefinition<convex_values121.VObject<{
+  RefreshToken: convex_server66.TableDefinition<convex_values121.VObject<{
     firstUsedTime?: number | undefined;
-    parentRefreshTokenId?: convex_values121.GenericId<"token"> | undefined;
-    sessionId: convex_values121.GenericId<"session">;
+    parentRefreshTokenId?: convex_values121.GenericId<"RefreshToken"> | undefined;
     expirationTime: number;
+    sessionId: convex_values121.GenericId<"Session">;
   }, {
-    sessionId: convex_values121.VId<convex_values121.GenericId<"session">, "required">;
+    sessionId: convex_values121.VId<convex_values121.GenericId<"Session">, "required">;
     expirationTime: convex_values121.VFloat64<number, "required">;
     firstUsedTime: convex_values121.VFloat64<number | undefined, "optional">;
-    parentRefreshTokenId: convex_values121.VId<convex_values121.GenericId<"token"> | undefined, "optional">;
-  }, "required", "sessionId" | "expirationTime" | "firstUsedTime" | "parentRefreshTokenId">, {
-    sessionId: ["sessionId", "_creationTime"];
-    sessionIdAndParentRefreshTokenId: ["sessionId", "parentRefreshTokenId", "_creationTime"];
+    parentRefreshTokenId: convex_values121.VId<convex_values121.GenericId<"RefreshToken"> | undefined, "optional">;
+  }, "required", "expirationTime" | "sessionId" | "firstUsedTime" | "parentRefreshTokenId">, {
+    session_id: ["sessionId", "_creationTime"];
+    session_id_first_used: ["sessionId", "firstUsedTime", "_creationTime"];
+    session_id_parent_refresh_token_id: ["sessionId", "parentRefreshTokenId", "_creationTime"];
   }, {}, {}>;
   /**
    * Verification codes for OTP tokens, magic link tokens, and OAuth codes.
    */
-  verification: convex_server94.TableDefinition<convex_values121.VObject<{
+  VerificationCode: convex_server66.TableDefinition<convex_values121.VObject<{
     verifier?: string | undefined;
     emailVerified?: string | undefined;
     phoneVerified?: string | undefined;
     provider: string;
-    accountId: convex_values121.GenericId<"account">;
     code: string;
+    accountId: convex_values121.GenericId<"Account">;
     expirationTime: number;
   }, {
-    accountId: convex_values121.VId<convex_values121.GenericId<"account">, "required">;
+    accountId: convex_values121.VId<convex_values121.GenericId<"Account">, "required">;
     provider: convex_values121.VString<string, "required">;
     code: convex_values121.VString<string, "required">;
     expirationTime: convex_values121.VFloat64<number, "required">;
     verifier: convex_values121.VString<string | undefined, "optional">;
     emailVerified: convex_values121.VString<string | undefined, "optional">;
     phoneVerified: convex_values121.VString<string | undefined, "optional">;
-  }, "required", "provider" | "verifier" | "accountId" | "code" | "expirationTime" | "emailVerified" | "phoneVerified">, {
-    accountId: ["accountId", "_creationTime"];
+  }, "required", "provider" | "code" | "accountId" | "expirationTime" | "verifier" | "emailVerified" | "phoneVerified">, {
+    account_id: ["accountId", "_creationTime"];
     code: ["code", "_creationTime"];
   }, {}, {}>;
   /**
    * PKCE verifiers for OAuth flows. Stores the cryptographic verifier
    * used to prove the authorization request originated from this client.
    */
-  verifier: convex_server94.TableDefinition<convex_values121.VObject<{
-    sessionId?: convex_values121.GenericId<"session"> | undefined;
+  AuthVerifier: convex_server66.TableDefinition<convex_values121.VObject<{
+    sessionId?: convex_values121.GenericId<"Session"> | undefined;
     signature?: string | undefined;
   }, {
-    sessionId: convex_values121.VId<convex_values121.GenericId<"session"> | undefined, "optional">;
+    sessionId: convex_values121.VId<convex_values121.GenericId<"Session"> | undefined, "optional">;
     signature: convex_values121.VString<string | undefined, "optional">;
   }, "required", "sessionId" | "signature">, {
     signature: ["signature", "_creationTime"];
@@ -136,11 +141,11 @@ declare const _default: convex_server94.SchemaDefinition<{
    * registered authenticator (Touch ID, Face ID, security key, etc.).
    * A user can have multiple passkeys across different devices.
    */
-  passkey: convex_server94.TableDefinition<convex_values121.VObject<{
+  Passkey: convex_server66.TableDefinition<convex_values121.VObject<{
     name?: string | undefined;
-    lastUsedAt?: number | undefined;
     transports?: string[] | undefined;
-    userId: convex_values121.GenericId<"user">;
+    lastUsedAt?: number | undefined;
+    userId: convex_values121.GenericId<"User">;
     credentialId: string;
     publicKey: ArrayBuffer;
     algorithm: number;
@@ -149,7 +154,7 @@ declare const _default: convex_server94.SchemaDefinition<{
     backedUp: boolean;
     createdAt: number;
   }, {
-    userId: convex_values121.VId<convex_values121.GenericId<"user">, "required">; /** Base64url-encoded credential ID from the authenticator. */
+    userId: convex_values121.VId<convex_values121.GenericId<"User">, "required">; /** Base64url-encoded credential ID from the authenticator. */
     credentialId: convex_values121.VString<string, "required">; /** Public key bytes (SEC1 uncompressed for EC, SPKI for RSA). */
     publicKey: convex_values121.VBytes<ArrayBuffer, "required">; /** COSE algorithm identifier (-7 for ES256, -257 for RS256, -8 for EdDSA). */
     algorithm: convex_values121.VFloat64<number, "required">; /** Signature counter for clone detection. Many authenticators return 0. */
@@ -160,9 +165,9 @@ declare const _default: convex_server94.SchemaDefinition<{
     name: convex_values121.VString<string | undefined, "optional">;
     createdAt: convex_values121.VFloat64<number, "required">;
     lastUsedAt: convex_values121.VFloat64<number | undefined, "optional">;
-  }, "required", "name" | "lastUsedAt" | "userId" | "credentialId" | "publicKey" | "algorithm" | "counter" | "transports" | "deviceType" | "backedUp" | "createdAt">, {
-    userId: ["userId", "_creationTime"];
-    credentialId: ["credentialId", "_creationTime"];
+  }, "required", "userId" | "name" | "credentialId" | "publicKey" | "algorithm" | "counter" | "transports" | "deviceType" | "backedUp" | "createdAt" | "lastUsedAt">, {
+    user_id: ["userId", "_creationTime"];
+    credential_id: ["credentialId", "_creationTime"];
   }, {}, {}>;
   /**
    * TOTP two-factor authentication secrets. Each record links a user to
@@ -173,17 +178,17 @@ declare const _default: convex_server94.SchemaDefinition<{
    * by successfully entering a code from their authenticator app.
    * Unverified enrollments are in-progress setup that can be discarded.
    */
-  totp: convex_server94.TableDefinition<convex_values121.VObject<{
+  TotpFactor: convex_server66.TableDefinition<convex_values121.VObject<{
     name?: string | undefined;
     lastUsedAt?: number | undefined;
-    userId: convex_values121.GenericId<"user">;
+    userId: convex_values121.GenericId<"User">;
     secret: ArrayBuffer;
     createdAt: number;
     digits: number;
     period: number;
     verified: boolean;
   }, {
-    userId: convex_values121.VId<convex_values121.GenericId<"user">, "required">; /** Raw TOTP secret key bytes. */
+    userId: convex_values121.VId<convex_values121.GenericId<"User">, "required">; /** Raw TOTP secret key bytes. */
     secret: convex_values121.VBytes<ArrayBuffer, "required">; /** Number of digits in each code (typically 6). */
     digits: convex_values121.VFloat64<number, "required">; /** Time period in seconds for code rotation (typically 30). */
     period: convex_values121.VFloat64<number, "required">; /** Whether setup has been confirmed with a valid code. */
@@ -191,22 +196,23 @@ declare const _default: convex_server94.SchemaDefinition<{
     name: convex_values121.VString<string | undefined, "optional">;
     createdAt: convex_values121.VFloat64<number, "required">;
     lastUsedAt: convex_values121.VFloat64<number | undefined, "optional">;
-  }, "required", "name" | "lastUsedAt" | "userId" | "secret" | "createdAt" | "digits" | "period" | "verified">, {
-    userId: ["userId", "_creationTime"];
+  }, "required", "userId" | "secret" | "name" | "createdAt" | "lastUsedAt" | "digits" | "period" | "verified">, {
+    user_id: ["userId", "_creationTime"];
+    user_id_verified: ["userId", "verified", "_creationTime"];
   }, {}, {}>;
   /**
    * Device authorization codes (RFC 8628). Each record tracks a pending
    * device auth session — the device polls with `deviceCode` while the
    * user authorizes via `userCode` on a secondary device.
    */
-  device: convex_server94.TableDefinition<convex_values121.VObject<{
-    userId?: convex_values121.GenericId<"user"> | undefined;
-    sessionId?: convex_values121.GenericId<"session"> | undefined;
+  DeviceCode: convex_server66.TableDefinition<convex_values121.VObject<{
+    userId?: convex_values121.GenericId<"User"> | undefined;
+    sessionId?: convex_values121.GenericId<"Session"> | undefined;
     lastPolledAt?: number | undefined;
     status: "pending" | "authorized" | "denied";
-    expiresAt: number;
     deviceCodeHash: string;
     userCode: string;
+    expiresAt: number;
     interval: number;
   }, {
     /** High-entropy code used by the device for polling. Stored as SHA-256 hash. */deviceCodeHash: convex_values121.VString<string, "required">; /** Short human-readable code the user enters (e.g. "WDJB-MJHT"). */
@@ -214,37 +220,39 @@ declare const _default: convex_server94.SchemaDefinition<{
     expiresAt: convex_values121.VFloat64<number, "required">; /** Minimum polling interval in seconds. */
     interval: convex_values121.VFloat64<number, "required">; /** Current status of this device authorization session. */
     status: convex_values121.VUnion<"pending" | "authorized" | "denied", [convex_values121.VLiteral<"pending", "required">, convex_values121.VLiteral<"authorized", "required">, convex_values121.VLiteral<"denied", "required">], "required", never>; /** Set when the user authorizes — links to the authorizing user. */
-    userId: convex_values121.VId<convex_values121.GenericId<"user"> | undefined, "optional">; /** Set when the user authorizes — the session created for the device. */
-    sessionId: convex_values121.VId<convex_values121.GenericId<"session"> | undefined, "optional">; /** Timestamp of the last poll request (for slow_down enforcement). */
+    userId: convex_values121.VId<convex_values121.GenericId<"User"> | undefined, "optional">; /** Set when the user authorizes — the session created for the device. */
+    sessionId: convex_values121.VId<convex_values121.GenericId<"Session"> | undefined, "optional">; /** Timestamp of the last poll request (for slow_down enforcement). */
     lastPolledAt: convex_values121.VFloat64<number | undefined, "optional">;
-  }, "required", "status" | "expiresAt" | "userId" | "sessionId" | "deviceCodeHash" | "userCode" | "interval" | "lastPolledAt">, {
-    deviceCodeHash: ["deviceCodeHash", "_creationTime"];
-    userCode: ["userCode", "status", "_creationTime"];
+  }, "required", "userId" | "status" | "sessionId" | "deviceCodeHash" | "userCode" | "expiresAt" | "interval" | "lastPolledAt">, {
+    device_code_hash: ["deviceCodeHash", "_creationTime"];
+    user_code_status: ["userCode", "status", "_creationTime"];
   }, {}, {}>;
   /**
    * Rate limit tracking for OTP and password sign-in attempts.
    */
-  limit: convex_server94.TableDefinition<convex_values121.VObject<{
+  RateLimit: convex_server66.TableDefinition<convex_values121.VObject<{
     identifier: string;
-    lastAttemptTime: number;
-    attemptsLeft: number;
+    last_attempt_time: number;
+    attempts_left: number;
   }, {
     identifier: convex_values121.VString<string, "required">;
-    lastAttemptTime: convex_values121.VFloat64<number, "required">;
-    attemptsLeft: convex_values121.VFloat64<number, "required">;
-  }, "required", "identifier" | "lastAttemptTime" | "attemptsLeft">, {
-    identifier: ["identifier", "_creationTime"];
+    last_attempt_time: convex_values121.VFloat64<number, "required">;
+    attempts_left: convex_values121.VFloat64<number, "required">;
+  }, "required", "identifier" | "last_attempt_time" | "attempts_left">, {
+    by_identifier: ["identifier", "_creationTime"];
   }, {}, {}>;
   /**
    * Hierarchical groups. A group with no `parentGroupId` is a root group.
    * Groups can nest arbitrarily deep via `parentGroupId` for modeling
    * organizations, teams, departments, or any tree structure.
    */
-  group: convex_server94.TableDefinition<convex_values121.VObject<{
-    slug?: string | undefined;
+  Group: convex_server66.TableDefinition<convex_values121.VObject<{
     type?: string | undefined;
     extend?: any;
-    parentGroupId?: convex_values121.GenericId<"group"> | undefined;
+    slug?: string | undefined;
+    parentGroupId?: convex_values121.GenericId<"Group"> | undefined;
+    rootGroupId?: convex_values121.GenericId<"Group"> | undefined;
+    isRoot?: boolean | undefined;
     tags?: {
       value: string;
       key: string;
@@ -254,7 +262,9 @@ declare const _default: convex_server94.SchemaDefinition<{
     name: convex_values121.VString<string, "required">;
     slug: convex_values121.VString<string | undefined, "optional">;
     type: convex_values121.VString<string | undefined, "optional">;
-    parentGroupId: convex_values121.VId<convex_values121.GenericId<"group"> | undefined, "optional">; /** Faceted classification tags. Normalized at write time (trimmed, lowercased). */
+    parentGroupId: convex_values121.VId<convex_values121.GenericId<"Group"> | undefined, "optional">; /** Denormalized root group ID. Self-referencing for root groups. */
+    rootGroupId: convex_values121.VId<convex_values121.GenericId<"Group"> | undefined, "optional">; /** Denormalized flag: `true` when `parentGroupId` is absent. */
+    isRoot: convex_values121.VBoolean<boolean | undefined, "optional">; /** Faceted classification tags. Normalized at write time (trimmed, lowercased). */
     tags: convex_values121.VArray<{
       value: string;
       key: string;
@@ -266,27 +276,29 @@ declare const _default: convex_server94.SchemaDefinition<{
       value: convex_values121.VString<string, "required">;
     }, "required", "value" | "key">, "optional">;
     extend: convex_values121.VAny<any, "optional", string>;
-  }, "required", "name" | "slug" | "type" | "extend" | `extend.${string}` | "parentGroupId" | "tags">, {
+  }, "required", "type" | "extend" | "name" | `extend.${string}` | "slug" | "parentGroupId" | "rootGroupId" | "isRoot" | "tags">, {
     slug: ["slug", "_creationTime"];
-    parentGroupId: ["parentGroupId", "_creationTime"];
+    parent_group_id: ["parentGroupId", "_creationTime"];
+    root_group_id: ["rootGroupId", "_creationTime"];
+    is_root: ["isRoot", "_creationTime"];
     type: ["type", "_creationTime"];
-    typeAndParentGroupId: ["type", "parentGroupId", "_creationTime"];
+    type_parent_group_id: ["type", "parentGroupId", "_creationTime"];
   }, {}, {}>;
   /**
    * Denormalized group-tag index table for efficient tag-based filtering.
    * Each row maps one `(key, value)` pair to a group. Kept in sync by
    * `groupCreate`, `groupUpdate`, and `groupDelete`.
    */
-  groupTag: convex_server94.TableDefinition<convex_values121.VObject<{
+  GroupTag: convex_server66.TableDefinition<convex_values121.VObject<{
     value: string;
     key: string;
-    groupId: convex_values121.GenericId<"group">;
+    group_id: convex_values121.GenericId<"Group">;
   }, {
-    groupId: convex_values121.VId<convex_values121.GenericId<"group">, "required">;
+    group_id: convex_values121.VId<convex_values121.GenericId<"Group">, "required">;
     key: convex_values121.VString<string, "required">;
     value: convex_values121.VString<string, "required">;
-  }, "required", "value" | "key" | "groupId">, {
-    by_group: ["groupId", "_creationTime"];
+  }, "required", "value" | "key" | "group_id">, {
+    by_group: ["group_id", "_creationTime"];
     by_key_value: ["key", "value", "_creationTime"];
     by_key: ["key", "_creationTime"];
   }, {}, {}>;
@@ -295,22 +307,25 @@ declare const _default: convex_server94.SchemaDefinition<{
    * role (e.g. "owner", "admin", "member", "viewer"). A user can be a
    * member of multiple groups with different roles in each.
    */
-  member: convex_server94.TableDefinition<convex_values121.VObject<{
-    role?: string | undefined;
-    status?: string | undefined;
+  GroupMember: convex_server66.TableDefinition<convex_values121.VObject<{
     extend?: any;
-    userId: convex_values121.GenericId<"user">;
-    groupId: convex_values121.GenericId<"group">;
+    status?: string | undefined;
+    role?: string | undefined;
+    roleIds?: string[] | undefined;
+    userId: convex_values121.GenericId<"User">;
+    groupId: convex_values121.GenericId<"Group">;
   }, {
-    groupId: convex_values121.VId<convex_values121.GenericId<"group">, "required">;
-    userId: convex_values121.VId<convex_values121.GenericId<"user">, "required">;
+    groupId: convex_values121.VId<convex_values121.GenericId<"Group">, "required">;
+    userId: convex_values121.VId<convex_values121.GenericId<"User">, "required">;
     role: convex_values121.VString<string | undefined, "optional">;
+    roleIds: convex_values121.VArray<string[] | undefined, convex_values121.VString<string, "required">, "optional">;
     status: convex_values121.VString<string | undefined, "optional">;
     extend: convex_values121.VAny<any, "optional", string>;
-  }, "required", "role" | "status" | "extend" | "userId" | `extend.${string}` | "groupId">, {
-    groupId: ["groupId", "_creationTime"];
-    groupIdAndUserId: ["groupId", "userId", "_creationTime"];
-    userId: ["userId", "_creationTime"];
+  }, "required", "userId" | "extend" | "status" | `extend.${string}` | "groupId" | "role" | "roleIds">, {
+    group_id: ["groupId", "_creationTime"];
+    group_id_user_id: ["groupId", "userId", "_creationTime"];
+    group_id_status: ["groupId", "status", "_creationTime"];
+    user_id: ["userId", "_creationTime"];
   }, {}, {}>;
   /**
    * Invitations. Tracks pending, accepted, revoked, and expired
@@ -320,43 +335,389 @@ declare const _default: convex_server94.SchemaDefinition<{
    * `email` and `invitedByUserId` are optional to support CLI-generated
    * invite links where neither is known upfront.
    */
-  invite: convex_server94.TableDefinition<convex_values121.VObject<{
+  GroupInvite: convex_server66.TableDefinition<convex_values121.VObject<{
     email?: string | undefined;
+    extend?: any;
+    groupId?: convex_values121.GenericId<"Group"> | undefined;
     role?: string | undefined;
+    roleIds?: string[] | undefined;
+    invitedByUserId?: convex_values121.GenericId<"User"> | undefined;
     expiresTime?: number | undefined;
+    acceptedByUserId?: convex_values121.GenericId<"User"> | undefined;
     acceptedTime?: number | undefined;
-    extend?: any;
-    groupId?: convex_values121.GenericId<"group"> | undefined;
-    invitedByUserId?: convex_values121.GenericId<"user"> | undefined;
-    acceptedByUserId?: convex_values121.GenericId<"user"> | undefined;
     status: "pending" | "accepted" | "revoked" | "expired";
     tokenHash: string;
   }, {
-    groupId: convex_values121.VId<convex_values121.GenericId<"group"> | undefined, "optional">;
-    invitedByUserId: convex_values121.VId<convex_values121.GenericId<"user"> | undefined, "optional">;
+    groupId: convex_values121.VId<convex_values121.GenericId<"Group"> | undefined, "optional">;
+    invitedByUserId: convex_values121.VId<convex_values121.GenericId<"User"> | undefined, "optional">;
     email: convex_values121.VString<string | undefined, "optional">;
     tokenHash: convex_values121.VString<string, "required">;
     role: convex_values121.VString<string | undefined, "optional">;
+    roleIds: convex_values121.VArray<string[] | undefined, convex_values121.VString<string, "required">, "optional">;
     status: convex_values121.VUnion<"pending" | "accepted" | "revoked" | "expired", [convex_values121.VLiteral<"pending", "required">, convex_values121.VLiteral<"accepted", "required">, convex_values121.VLiteral<"revoked", "required">, convex_values121.VLiteral<"expired", "required">], "required", never>;
     expiresTime: convex_values121.VFloat64<number | undefined, "optional">;
-    acceptedByUserId: convex_values121.VId<convex_values121.GenericId<"user"> | undefined, "optional">;
+    acceptedByUserId: convex_values121.VId<convex_values121.GenericId<"User"> | undefined, "optional">;
     acceptedTime: convex_values121.VFloat64<number | undefined, "optional">;
     extend: convex_values121.VAny<any, "optional", string>;
-  }, "required", "email" | "role" | "status" | "expiresTime" | "acceptedTime" | "extend" | `extend.${string}` | "groupId" | "invitedByUserId" | "tokenHash" | "acceptedByUserId">, {
-    tokenHash: ["tokenHash", "_creationTime"];
+  }, "required", "email" | "extend" | "status" | `extend.${string}` | "groupId" | "role" | "roleIds" | "invitedByUserId" | "tokenHash" | "expiresTime" | "acceptedByUserId" | "acceptedTime">, {
+    token_hash: ["tokenHash", "_creationTime"];
+    status: ["status", "_creationTime"];
+    email_status: ["email", "status", "_creationTime"];
+    invited_by_user_id_status: ["invitedByUserId", "status", "_creationTime"];
+    group_id: ["groupId", "_creationTime"];
+    group_id_status: ["groupId", "status", "_creationTime"];
+  }, {}, {}>;
+  /**
+   * Enterprise configuration attached to a root group/organization.
+   *
+   * The `config` payload intentionally stays flexible so the headless enterprise
+   * SDK can evolve without forcing schema churn for every protocol-specific
+   * field addition.
+   */
+  Enterprise: convex_server66.TableDefinition<convex_values121.VObject<{
+    extend?: any;
+    name?: string | undefined;
+    slug?: string | undefined;
+    policy?: {
+      extend?: any;
+      version: 1;
+      identity: {
+        accountLinking: {
+          oidc: "verifiedEmail" | "none";
+          saml: "verifiedEmail" | "none";
+        };
+      };
+      provisioning: {
+        scimReuse: {
+          user: "none" | "externalId";
+        };
+        jit: {
+          defaultRole?: string | undefined;
+          defaultRoleIds?: string[] | undefined;
+          mode: "off" | "createUser" | "createUserAndMembership";
+        };
+        deprovision: {
+          mode: "soft" | "hard";
+        };
+      };
+    } | undefined;
+    config?: any;
+    status: "draft" | "active" | "disabled";
+    groupId: convex_values121.GenericId<"Group">;
+  }, {
+    groupId: convex_values121.VId<convex_values121.GenericId<"Group">, "required">;
+    slug: convex_values121.VString<string | undefined, "optional">;
+    name: convex_values121.VString<string | undefined, "optional">;
+    status: convex_values121.VUnion<"draft" | "active" | "disabled", [convex_values121.VLiteral<"draft", "required">, convex_values121.VLiteral<"active", "required">, convex_values121.VLiteral<"disabled", "required">], "required", never>;
+    policy: convex_values121.VObject<{
+      extend?: any;
+      version: 1;
+      identity: {
+        accountLinking: {
+          oidc: "verifiedEmail" | "none";
+          saml: "verifiedEmail" | "none";
+        };
+      };
+      provisioning: {
+        scimReuse: {
+          user: "none" | "externalId";
+        };
+        jit: {
+          defaultRole?: string | undefined;
+          defaultRoleIds?: string[] | undefined;
+          mode: "off" | "createUser" | "createUserAndMembership";
+        };
+        deprovision: {
+          mode: "soft" | "hard";
+        };
+      };
+    } | undefined, {
+      version: convex_values121.VLiteral<1, "required">;
+      identity: convex_values121.VObject<{
+        accountLinking: {
+          oidc: "verifiedEmail" | "none";
+          saml: "verifiedEmail" | "none";
+        };
+      }, {
+        accountLinking: convex_values121.VObject<{
+          oidc: "verifiedEmail" | "none";
+          saml: "verifiedEmail" | "none";
+        }, {
+          oidc: convex_values121.VUnion<"verifiedEmail" | "none", [convex_values121.VLiteral<"verifiedEmail", "required">, convex_values121.VLiteral<"none", "required">], "required", never>;
+          saml: convex_values121.VUnion<"verifiedEmail" | "none", [convex_values121.VLiteral<"verifiedEmail", "required">, convex_values121.VLiteral<"none", "required">], "required", never>;
+        }, "required", "oidc" | "saml">;
+      }, "required", "accountLinking" | "accountLinking.oidc" | "accountLinking.saml">;
+      provisioning: convex_values121.VObject<{
+        scimReuse: {
+          user: "none" | "externalId";
+        };
+        jit: {
+          defaultRole?: string | undefined;
+          defaultRoleIds?: string[] | undefined;
+          mode: "off" | "createUser" | "createUserAndMembership";
+        };
+        deprovision: {
+          mode: "soft" | "hard";
+        };
+      }, {
+        scimReuse: convex_values121.VObject<{
+          user: "none" | "externalId";
+        }, {
+          user: convex_values121.VUnion<"none" | "externalId", [convex_values121.VLiteral<"externalId", "required">, convex_values121.VLiteral<"none", "required">], "required", never>;
+        }, "required", "user">;
+        jit: convex_values121.VObject<{
+          defaultRole?: string | undefined;
+          defaultRoleIds?: string[] | undefined;
+          mode: "off" | "createUser" | "createUserAndMembership";
+        }, {
+          mode: convex_values121.VUnion<"off" | "createUser" | "createUserAndMembership", [convex_values121.VLiteral<"off", "required">, convex_values121.VLiteral<"createUser", "required">, convex_values121.VLiteral<"createUserAndMembership", "required">], "required", never>;
+          defaultRole: convex_values121.VString<string | undefined, "optional">;
+          defaultRoleIds: convex_values121.VArray<string[] | undefined, convex_values121.VString<string, "required">, "optional">;
+        }, "required", "mode" | "defaultRole" | "defaultRoleIds">;
+        deprovision: convex_values121.VObject<{
+          mode: "soft" | "hard";
+        }, {
+          mode: convex_values121.VUnion<"soft" | "hard", [convex_values121.VLiteral<"soft", "required">, convex_values121.VLiteral<"hard", "required">], "required", never>;
+        }, "required", "mode">;
+      }, "required", "scimReuse" | "jit" | "deprovision" | "scimReuse.user" | "jit.mode" | "jit.defaultRole" | "jit.defaultRoleIds" | "deprovision.mode">;
+      extend: convex_values121.VAny<any, "optional", string>;
+    }, "optional", "extend" | `extend.${string}` | "version" | "identity" | "provisioning" | "identity.accountLinking" | "identity.accountLinking.oidc" | "identity.accountLinking.saml" | "provisioning.scimReuse" | "provisioning.jit" | "provisioning.deprovision" | "provisioning.scimReuse.user" | "provisioning.jit.mode" | "provisioning.jit.defaultRole" | "provisioning.jit.defaultRoleIds" | "provisioning.deprovision.mode">;
+    config: convex_values121.VAny<any, "optional", string>;
+    extend: convex_values121.VAny<any, "optional", string>;
+  }, "required", "extend" | "status" | "name" | `extend.${string}` | "slug" | "groupId" | "policy" | "config" | "policy.extend" | `policy.extend.${string}` | "policy.version" | "policy.identity" | "policy.provisioning" | "policy.identity.accountLinking" | "policy.identity.accountLinking.oidc" | "policy.identity.accountLinking.saml" | "policy.provisioning.scimReuse" | "policy.provisioning.jit" | "policy.provisioning.deprovision" | "policy.provisioning.scimReuse.user" | "policy.provisioning.jit.mode" | "policy.provisioning.jit.defaultRole" | "policy.provisioning.jit.defaultRoleIds" | "policy.provisioning.deprovision.mode" | `config.${string}`>, {
+    group_id: ["groupId", "_creationTime"];
+    slug: ["slug", "_creationTime"];
+    status: ["status", "_creationTime"];
+  }, {}, {}>;
+  /**
+   * Verified or pending domains linked to an enterprise record.
+   */
+  EnterpriseDomain: convex_server66.TableDefinition<convex_values121.VObject<{
+    verifiedAt?: number | undefined;
+    groupId: convex_values121.GenericId<"Group">;
+    enterpriseId: convex_values121.GenericId<"Enterprise">;
+    domain: string;
+    isPrimary: boolean;
+  }, {
+    enterpriseId: convex_values121.VId<convex_values121.GenericId<"Enterprise">, "required">;
+    groupId: convex_values121.VId<convex_values121.GenericId<"Group">, "required">;
+    domain: convex_values121.VString<string, "required">;
+    isPrimary: convex_values121.VBoolean<boolean, "required">;
+    verifiedAt: convex_values121.VFloat64<number | undefined, "optional">;
+  }, "required", "groupId" | "enterpriseId" | "domain" | "isPrimary" | "verifiedAt">, {
+    enterprise_id: ["enterpriseId", "_creationTime"];
+    group_id: ["groupId", "_creationTime"];
+    domain: ["domain", "_creationTime"];
+  }, {}, {}>;
+  /**
+   * Pending DNS TXT verification challenges for enterprise domains.
+   */
+  EnterpriseDomainVerification: convex_server66.TableDefinition<convex_values121.VObject<{
+    expiresAt: number;
+    groupId: convex_values121.GenericId<"Group">;
+    tokenHash: string;
+    enterpriseId: convex_values121.GenericId<"Enterprise">;
+    domain: string;
+    domainId: convex_values121.GenericId<"EnterpriseDomain">;
+    recordName: string;
+    token: string;
+    requestedAt: number;
+  }, {
+    enterpriseId: convex_values121.VId<convex_values121.GenericId<"Enterprise">, "required">;
+    groupId: convex_values121.VId<convex_values121.GenericId<"Group">, "required">;
+    domainId: convex_values121.VId<convex_values121.GenericId<"EnterpriseDomain">, "required">;
+    domain: convex_values121.VString<string, "required">;
+    recordName: convex_values121.VString<string, "required">;
+    token: convex_values121.VString<string, "required">;
+    tokenHash: convex_values121.VString<string, "required">;
+    requestedAt: convex_values121.VFloat64<number, "required">;
+    expiresAt: convex_values121.VFloat64<number, "required">;
+  }, "required", "expiresAt" | "groupId" | "tokenHash" | "enterpriseId" | "domain" | "domainId" | "recordName" | "token" | "requestedAt">, {
+    enterprise_id: ["enterpriseId", "_creationTime"];
+    domain_id: ["domainId", "_creationTime"];
+    token_hash: ["tokenHash", "_creationTime"];
+  }, {}, {}>;
+  /**
+   * Encrypted enterprise secrets stored separately from protocol config.
+   */
+  EnterpriseSecret: convex_server66.TableDefinition<convex_values121.VObject<{
+    groupId: convex_values121.GenericId<"Group">;
+    enterpriseId: convex_values121.GenericId<"Enterprise">;
+    ciphertext: string;
+    updatedAt: number;
+    kind: "oidc_client_secret";
+  }, {
+    enterpriseId: convex_values121.VId<convex_values121.GenericId<"Enterprise">, "required">;
+    groupId: convex_values121.VId<convex_values121.GenericId<"Group">, "required">;
+    kind: convex_values121.VUnion<"oidc_client_secret", [convex_values121.VLiteral<"oidc_client_secret", "required">], "required", never>;
+    ciphertext: convex_values121.VString<string, "required">;
+    updatedAt: convex_values121.VFloat64<number, "required">;
+  }, "required", "groupId" | "enterpriseId" | "ciphertext" | "updatedAt" | "kind">, {
+    enterprise_id: ["enterpriseId", "_creationTime"];
+    enterprise_id_kind: ["enterpriseId", "kind", "_creationTime"];
+    group_id: ["groupId", "_creationTime"];
+  }, {}, {}>;
+  /**
+   * SCIM configuration for an enterprise tenant.
+   */
+  EnterpriseScimConfig: convex_server66.TableDefinition<convex_values121.VObject<{
+    extend?: any;
+    lastRotatedAt?: number | undefined;
+    status: "draft" | "active" | "disabled";
+    groupId: convex_values121.GenericId<"Group">;
+    tokenHash: string;
+    enterpriseId: convex_values121.GenericId<"Enterprise">;
+    basePath: string;
+  }, {
+    enterpriseId: convex_values121.VId<convex_values121.GenericId<"Enterprise">, "required">;
+    groupId: convex_values121.VId<convex_values121.GenericId<"Group">, "required">;
+    status: convex_values121.VUnion<"draft" | "active" | "disabled", [convex_values121.VLiteral<"draft", "required">, convex_values121.VLiteral<"active", "required">, convex_values121.VLiteral<"disabled", "required">], "required", never>;
+    basePath: convex_values121.VString<string, "required">;
+    tokenHash: convex_values121.VString<string, "required">;
+    lastRotatedAt: convex_values121.VFloat64<number | undefined, "optional">;
+    extend: convex_values121.VAny<any, "optional", string>;
+  }, "required", "extend" | "status" | `extend.${string}` | "groupId" | "tokenHash" | "enterpriseId" | "basePath" | "lastRotatedAt">, {
+    enterprise_id: ["enterpriseId", "_creationTime"];
+    group_id: ["groupId", "_creationTime"];
+    token_hash: ["tokenHash", "_creationTime"];
     status: ["status", "_creationTime"];
-    emailAndStatus: ["email", "status", "_creationTime"];
-    invitedByUserIdAndStatus: ["invitedByUserId", "status", "_creationTime"];
-    groupId: ["groupId", "_creationTime"];
-    groupIdAndStatus: ["groupId", "status", "_creationTime"];
-    roleAndStatusAndAcceptedByUserId: ["role", "status", "acceptedByUserId", "_creationTime"];
+  }, {}, {}>;
+  /**
+   * External SCIM identities mapped into local users/groups.
+   */
+  EnterpriseScimIdentity: convex_server66.TableDefinition<convex_values121.VObject<{
+    userId?: convex_values121.GenericId<"User"> | undefined;
+    active?: boolean | undefined;
+    mappedGroupId?: convex_values121.GenericId<"Group"> | undefined;
+    lastProvisionedAt?: number | undefined;
+    raw?: any;
+    groupId: convex_values121.GenericId<"Group">;
+    externalId: string;
+    enterpriseId: convex_values121.GenericId<"Enterprise">;
+    resourceType: "user" | "group";
+  }, {
+    enterpriseId: convex_values121.VId<convex_values121.GenericId<"Enterprise">, "required">;
+    groupId: convex_values121.VId<convex_values121.GenericId<"Group">, "required">;
+    resourceType: convex_values121.VUnion<"user" | "group", [convex_values121.VLiteral<"user", "required">, convex_values121.VLiteral<"group", "required">], "required", never>;
+    externalId: convex_values121.VString<string, "required">;
+    userId: convex_values121.VId<convex_values121.GenericId<"User"> | undefined, "optional">;
+    mappedGroupId: convex_values121.VId<convex_values121.GenericId<"Group"> | undefined, "optional">;
+    lastProvisionedAt: convex_values121.VFloat64<number | undefined, "optional">;
+    active: convex_values121.VBoolean<boolean | undefined, "optional">;
+    raw: convex_values121.VAny<any, "optional", string>;
+  }, "required", "userId" | "groupId" | "active" | "externalId" | "enterpriseId" | "resourceType" | "mappedGroupId" | "lastProvisionedAt" | "raw" | `raw.${string}`>, {
+    enterprise_id: ["enterpriseId", "_creationTime"];
+    group_id: ["groupId", "_creationTime"];
+    enterprise_id_resource_type_external_id: ["enterpriseId", "resourceType", "externalId", "_creationTime"];
+    enterprise_id_user_id: ["enterpriseId", "userId", "_creationTime"];
+    user_id: ["userId", "_creationTime"];
+    mapped_group_id: ["mappedGroupId", "_creationTime"];
+  }, {}, {}>;
+  /**
+   * Immutable audit trail for enterprise operations.
+   */
+  EnterpriseAuditEvent: convex_server66.TableDefinition<convex_values121.VObject<{
+    actorId?: string | undefined;
+    subjectId?: string | undefined;
+    requestId?: string | undefined;
+    ip?: string | undefined;
+    metadata?: any;
+    status: "success" | "failure";
+    groupId: convex_values121.GenericId<"Group">;
+    enterpriseId: convex_values121.GenericId<"Enterprise">;
+    actorType: "user" | "system" | "scim" | "api_key" | "webhook";
+    eventType: string;
+    subjectType: string;
+    occurredAt: number;
+  }, {
+    enterpriseId: convex_values121.VId<convex_values121.GenericId<"Enterprise">, "required">;
+    groupId: convex_values121.VId<convex_values121.GenericId<"Group">, "required">;
+    eventType: convex_values121.VString<string, "required">;
+    actorType: convex_values121.VUnion<"user" | "system" | "scim" | "api_key" | "webhook", [convex_values121.VLiteral<"user", "required">, convex_values121.VLiteral<"system", "required">, convex_values121.VLiteral<"scim", "required">, convex_values121.VLiteral<"api_key", "required">, convex_values121.VLiteral<"webhook", "required">], "required", never>;
+    actorId: convex_values121.VString<string | undefined, "optional">;
+    subjectType: convex_values121.VString<string, "required">;
+    subjectId: convex_values121.VString<string | undefined, "optional">;
+    status: convex_values121.VUnion<"success" | "failure", [convex_values121.VLiteral<"success", "required">, convex_values121.VLiteral<"failure", "required">], "required", never>;
+    occurredAt: convex_values121.VFloat64<number, "required">;
+    requestId: convex_values121.VString<string | undefined, "optional">;
+    ip: convex_values121.VString<string | undefined, "optional">;
+    metadata: convex_values121.VAny<any, "optional", string>;
+  }, "required", "status" | "groupId" | "enterpriseId" | "actorType" | "eventType" | "actorId" | "subjectType" | "subjectId" | "occurredAt" | "requestId" | "ip" | "metadata" | `metadata.${string}`>, {
+    enterprise_id_occurred_at: ["enterpriseId", "occurredAt", "_creationTime"];
+    group_id_occurred_at: ["groupId", "occurredAt", "_creationTime"];
+    event_type_occurred_at: ["eventType", "occurredAt", "_creationTime"];
+  }, {}, {}>;
+  /**
+   * Webhook endpoints subscribed to enterprise audit and lifecycle events.
+   */
+  EnterpriseWebhookEndpoint: convex_server66.TableDefinition<convex_values121.VObject<{
+    extend?: any;
+    createdByUserId?: convex_values121.GenericId<"User"> | undefined;
+    lastSuccessAt?: number | undefined;
+    lastFailureAt?: number | undefined;
+    status: "active" | "disabled";
+    groupId: convex_values121.GenericId<"Group">;
+    enterpriseId: convex_values121.GenericId<"Enterprise">;
+    url: string;
+    secretHash: string;
+    subscriptions: string[];
+    failureCount: number;
+  }, {
+    enterpriseId: convex_values121.VId<convex_values121.GenericId<"Enterprise">, "required">;
+    groupId: convex_values121.VId<convex_values121.GenericId<"Group">, "required">;
+    url: convex_values121.VString<string, "required">;
+    status: convex_values121.VUnion<"active" | "disabled", [convex_values121.VLiteral<"active", "required">, convex_values121.VLiteral<"disabled", "required">], "required", never>;
+    secretHash: convex_values121.VString<string, "required">;
+    subscriptions: convex_values121.VArray<string[], convex_values121.VString<string, "required">, "required">;
+    createdByUserId: convex_values121.VId<convex_values121.GenericId<"User"> | undefined, "optional">;
+    lastSuccessAt: convex_values121.VFloat64<number | undefined, "optional">;
+    lastFailureAt: convex_values121.VFloat64<number | undefined, "optional">;
+    failureCount: convex_values121.VFloat64<number, "required">;
+    extend: convex_values121.VAny<any, "optional", string>;
+  }, "required", "extend" | "status" | `extend.${string}` | "groupId" | "enterpriseId" | "url" | "secretHash" | "subscriptions" | "createdByUserId" | "lastSuccessAt" | "lastFailureAt" | "failureCount">, {
+    enterprise_id: ["enterpriseId", "_creationTime"];
+    group_id: ["groupId", "_creationTime"];
+    status: ["status", "_creationTime"];
+  }, {}, {}>;
+  /**
+   * Delivery queue for outbound enterprise webhooks.
+   */
+  EnterpriseWebhookDelivery: convex_server66.TableDefinition<convex_values121.VObject<{
+    auditEventId?: convex_values121.GenericId<"EnterpriseAuditEvent"> | undefined;
+    lastAttemptAt?: number | undefined;
+    lastResponseStatus?: number | undefined;
+    lastError?: string | undefined;
+    status: "pending" | "processing" | "delivered" | "failed";
+    enterpriseId: convex_values121.GenericId<"Enterprise">;
+    eventType: string;
+    endpointId: convex_values121.GenericId<"EnterpriseWebhookEndpoint">;
+    attemptCount: number;
+    nextAttemptAt: number;
+    payload: any;
+  }, {
+    enterpriseId: convex_values121.VId<convex_values121.GenericId<"Enterprise">, "required">;
+    endpointId: convex_values121.VId<convex_values121.GenericId<"EnterpriseWebhookEndpoint">, "required">;
+    auditEventId: convex_values121.VId<convex_values121.GenericId<"EnterpriseAuditEvent"> | undefined, "optional">;
+    eventType: convex_values121.VString<string, "required">;
+    status: convex_values121.VUnion<"pending" | "processing" | "delivered" | "failed", [convex_values121.VLiteral<"pending", "required">, convex_values121.VLiteral<"processing", "required">, convex_values121.VLiteral<"delivered", "required">, convex_values121.VLiteral<"failed", "required">], "required", never>;
+    attemptCount: convex_values121.VFloat64<number, "required">;
+    nextAttemptAt: convex_values121.VFloat64<number, "required">;
+    lastAttemptAt: convex_values121.VFloat64<number | undefined, "optional">;
+    lastResponseStatus: convex_values121.VFloat64<number | undefined, "optional">;
+    lastError: convex_values121.VString<string | undefined, "optional">;
+    payload: convex_values121.VAny<any, "required", string>;
+  }, "required", "status" | "enterpriseId" | "eventType" | "endpointId" | "auditEventId" | "attemptCount" | "nextAttemptAt" | "lastAttemptAt" | "lastResponseStatus" | "lastError" | "payload" | `payload.${string}`>, {
+    enterprise_id: ["enterpriseId", "_creationTime"];
+    status_next_attempt_at: ["status", "nextAttemptAt", "_creationTime"];
+    endpoint_id_status: ["endpointId", "status", "_creationTime"];
+    audit_event_id: ["auditEventId", "_creationTime"];
   }, {}, {}>;
   /**
    * API keys for programmatic access. Each key links a user to a set of
    * scoped permissions and optional per-key rate limiting.
    *
    * The raw key is never stored — only a SHA-256 hash. A short prefix
-   * (e.g. "sk_live_abc1...") is kept for display in admin interfaces.
+   * (e.g. "sk_abc1...") is kept for display in admin interfaces.
    *
    * Keys support:
    * - **Scoped permissions**: resource:action pairs (e.g. users:read)
@@ -364,21 +725,22 @@ declare const _default: convex_server94.SchemaDefinition<{
    * - **Expiration**: optional TTL
    * - **Soft revocation**: `revoked` flag preserves audit trail
    */
-  key: convex_server94.TableDefinition<convex_values121.VObject<{
+  ApiKey: convex_server66.TableDefinition<convex_values121.VObject<{
     lastUsedAt?: number | undefined;
     expiresAt?: number | undefined;
+    metadata?: any;
     rateLimit?: {
       maxRequests: number;
       windowMs: number;
     } | undefined;
     rateLimitState?: {
-      lastAttemptTime: number;
       attemptsLeft: number;
+      lastAttemptTime: number;
     } | undefined;
+    userId: convex_values121.GenericId<"User">;
     name: string;
-    revoked: boolean;
-    userId: convex_values121.GenericId<"user">;
     createdAt: number;
+    revoked: boolean;
     prefix: string;
     hashedKey: string;
     scopes: {
@@ -386,7 +748,7 @@ declare const _default: convex_server94.SchemaDefinition<{
       actions: string[];
     }[];
   }, {
-    userId: convex_values121.VId<convex_values121.GenericId<"user">, "required">; /** First chars of the key for display (e.g. "sk_live_abc1..."). */
+    userId: convex_values121.VId<convex_values121.GenericId<"User">, "required">; /** First chars of the key for display (e.g. "sk_abc1..."). */
     prefix: convex_values121.VString<string, "required">; /** SHA-256 hex hash of the full raw key. */
     hashedKey: convex_values121.VString<string, "required">; /** User-assigned name (e.g. "CI Pipeline", "Production API"). */
     name: convex_values121.VString<string, "required">; /** Scoped permissions: [{ resource: "users", actions: ["read", "list"] }]. */
@@ -408,19 +770,20 @@ declare const _default: convex_server94.SchemaDefinition<{
       windowMs: convex_values121.VFloat64<number, "required">;
     }, "optional", "maxRequests" | "windowMs">; /** Rate limit state tracking (token-bucket). */
     rateLimitState: convex_values121.VObject<{
-      lastAttemptTime: number;
       attemptsLeft: number;
+      lastAttemptTime: number;
     } | undefined, {
       attemptsLeft: convex_values121.VFloat64<number, "required">;
       lastAttemptTime: convex_values121.VFloat64<number, "required">;
-    }, "optional", "lastAttemptTime" | "attemptsLeft">; /** Expiration timestamp. Null/undefined = never expires. */
+    }, "optional", "attemptsLeft" | "lastAttemptTime">; /** Expiration timestamp. Null/undefined = never expires. */
     expiresAt: convex_values121.VFloat64<number | undefined, "optional">;
     lastUsedAt: convex_values121.VFloat64<number | undefined, "optional">;
     createdAt: convex_values121.VFloat64<number, "required">; /** Soft-revoke flag. Revoked keys are kept for audit trail. */
-    revoked: convex_values121.VBoolean<boolean, "required">;
-  }, "required", "name" | "revoked" | "lastUsedAt" | "expiresAt" | "userId" | "createdAt" | "prefix" | "hashedKey" | "scopes" | "rateLimit" | "rateLimitState" | "rateLimit.maxRequests" | "rateLimit.windowMs" | "rateLimitState.lastAttemptTime" | "rateLimitState.attemptsLeft">, {
-    userId: ["userId", "_creationTime"];
-    hashedKey: ["hashedKey", "_creationTime"];
+    revoked: convex_values121.VBoolean<boolean, "required">; /** Arbitrary app-specific metadata attached to the key. */
+    metadata: convex_values121.VAny<any, "optional", string>;
+  }, "required", "userId" | "name" | "createdAt" | "lastUsedAt" | "expiresAt" | "revoked" | "metadata" | `metadata.${string}` | "prefix" | "hashedKey" | "scopes" | "rateLimit" | "rateLimitState" | "rateLimit.maxRequests" | "rateLimit.windowMs" | "rateLimitState.attemptsLeft" | "rateLimitState.lastAttemptTime">, {
+    user_id: ["userId", "_creationTime"];
+    hashed_key: ["hashedKey", "_creationTime"];
   }, {}, {}>;
 }, true>;
 //#endregion