@robelest/convex-auth 0.0.4-preview.2 → 0.0.4-preview.21

package/dist/component/schema.js

@@ -1,3 +1,4 @@
+import { vApiKeyRateLimit, vApiKeyRateLimitState, vApiKeyScope, vAuditActorType, vAuditStatus, vDeviceStatus, vEnterprisePolicy, vEnterpriseSecretKind, vEnterpriseStatus, vInviteStatus, vScimResourceType, vScimStatus, vTag, vWebhookDeliveryStatus, vWebhookEndpointStatus } from "./model.js";
 import { defineSchema, defineTable } from "convex/server";
 import { v } from "convex/values";
 
@@ -10,7 +11,7 @@ import { v } from "convex/values";
 * management (groups, members, invites).
 */
 var schema_default = defineSchema({
-	user: defineTable({
+	User: defineTable({
 		name: v.optional(v.string()),
 		image: v.optional(v.string()),
 		email: v.optional(v.string()),
@@ -19,40 +20,41 @@ var schema_default = defineSchema({
 		phoneVerificationTime: v.optional(v.number()),
 		isAnonymous: v.optional(v.boolean()),
 		extend: v.optional(v.any())
-	}).index("email", ["email"]).index("phone", ["phone"]),
-	session: defineTable({
-		userId: v.id("user"),
+	}).index("email", ["email"]).index("email_verified", ["email", "emailVerificationTime"]).index("phone", ["phone"]).index("phone_verified", ["phone", "phoneVerificationTime"]),
+	Session: defineTable({
+		userId: v.id("User"),
 		expirationTime: v.number()
-	}).index("userId", ["userId"]),
-	account: defineTable({
-		userId: v.id("user"),
+	}).index("user_id", ["userId"]),
+	Account: defineTable({
+		userId: v.id("User"),
 		provider: v.string(),
 		providerAccountId: v.string(),
 		secret: v.optional(v.string()),
 		emailVerified: v.optional(v.string()),
-		phoneVerified: v.optional(v.string())
-	}).index("userIdAndProvider", ["userId", "provider"]).index("providerAndAccountId", ["provider", "providerAccountId"]),
-	token: defineTable({
-		sessionId: v.id("session"),
+		phoneVerified: v.optional(v.string()),
+		extend: v.optional(v.any())
+	}).index("user_id_provider", ["userId", "provider"]).index("provider_account_id", ["provider", "providerAccountId"]),
+	RefreshToken: defineTable({
+		sessionId: v.id("Session"),
 		expirationTime: v.number(),
 		firstUsedTime: v.optional(v.number()),
-		parentRefreshTokenId: v.optional(v.id("token"))
-	}).index("sessionId", ["sessionId"]).index("sessionIdAndParentRefreshTokenId", ["sessionId", "parentRefreshTokenId"]),
-	verification: defineTable({
-		accountId: v.id("account"),
+		parentRefreshTokenId: v.optional(v.id("RefreshToken"))
+	}).index("session_id", ["sessionId"]).index("session_id_first_used", ["sessionId", "firstUsedTime"]).index("session_id_parent_refresh_token_id", ["sessionId", "parentRefreshTokenId"]),
+	VerificationCode: defineTable({
+		accountId: v.id("Account"),
 		provider: v.string(),
 		code: v.string(),
 		expirationTime: v.number(),
 		verifier: v.optional(v.string()),
 		emailVerified: v.optional(v.string()),
 		phoneVerified: v.optional(v.string())
-	}).index("accountId", ["accountId"]).index("code", ["code"]),
-	verifier: defineTable({
-		sessionId: v.optional(v.id("session")),
+	}).index("account_id", ["accountId"]).index("code", ["code"]),
+	AuthVerifier: defineTable({
+		sessionId: v.optional(v.id("Session")),
 		signature: v.optional(v.string())
 	}).index("signature", ["signature"]),
-	passkey: defineTable({
-		userId: v.id("user"),
+	Passkey: defineTable({
+		userId: v.id("User"),
 		credentialId: v.string(),
 		publicKey: v.bytes(),
 		algorithm: v.number(),
@@ -63,9 +65,9 @@ var schema_default = defineSchema({
 		name: v.optional(v.string()),
 		createdAt: v.number(),
 		lastUsedAt: v.optional(v.number())
-	}).index("userId", ["userId"]).index("credentialId", ["credentialId"]),
-	totp: defineTable({
-		userId: v.id("user"),
+	}).index("user_id", ["userId"]).index("credential_id", ["credentialId"]),
+	TotpFactor: defineTable({
+		userId: v.id("User"),
 		secret: v.bytes(),
 		digits: v.number(),
 		period: v.number(),
@@ -73,83 +75,170 @@ var schema_default = defineSchema({
 		name: v.optional(v.string()),
 		createdAt: v.number(),
 		lastUsedAt: v.optional(v.number())
-	}).index("userId", ["userId"]),
-	device: defineTable({
+	}).index("user_id", ["userId"]).index("user_id_verified", ["userId", "verified"]),
+	DeviceCode: defineTable({
 		deviceCodeHash: v.string(),
 		userCode: v.string(),
 		expiresAt: v.number(),
 		interval: v.number(),
-		status: v.union(v.literal("pending"), v.literal("authorized"), v.literal("denied")),
-		userId: v.optional(v.id("user")),
-		sessionId: v.optional(v.id("session")),
+		status: vDeviceStatus,
+		userId: v.optional(v.id("User")),
+		sessionId: v.optional(v.id("Session")),
 		lastPolledAt: v.optional(v.number())
-	}).index("deviceCodeHash", ["deviceCodeHash"]).index("userCode", ["userCode", "status"]),
-	limit: defineTable({
+	}).index("device_code_hash", ["deviceCodeHash"]).index("user_code_status", ["userCode", "status"]),
+	RateLimit: defineTable({
 		identifier: v.string(),
-		lastAttemptTime: v.number(),
-		attemptsLeft: v.number()
-	}).index("identifier", ["identifier"]),
-	group: defineTable({
+		last_attempt_time: v.number(),
+		attempts_left: v.number()
+	}).index("by_identifier", ["identifier"]),
+	Group: defineTable({
 		name: v.string(),
 		slug: v.optional(v.string()),
 		type: v.optional(v.string()),
-		parentGroupId: v.optional(v.id("group")),
-		tags: v.optional(v.array(v.object({
-			key: v.string(),
-			value: v.string()
-		}))),
+		parentGroupId: v.optional(v.id("Group")),
+		rootGroupId: v.optional(v.id("Group")),
+		isRoot: v.optional(v.boolean()),
+		tags: v.optional(v.array(vTag)),
 		extend: v.optional(v.any())
-	}).index("slug", ["slug"]).index("parentGroupId", ["parentGroupId"]).index("type", ["type"]).index("typeAndParentGroupId", ["type", "parentGroupId"]),
-	groupTag: defineTable({
-		groupId: v.id("group"),
+	}).index("slug", ["slug"]).index("parent_group_id", ["parentGroupId"]).index("root_group_id", ["rootGroupId"]).index("is_root", ["isRoot"]).index("type", ["type"]).index("type_parent_group_id", ["type", "parentGroupId"]),
+	GroupTag: defineTable({
+		group_id: v.id("Group"),
 		key: v.string(),
 		value: v.string()
-	}).index("by_group", ["groupId"]).index("by_key_value", ["key", "value"]).index("by_key", ["key"]),
-	member: defineTable({
-		groupId: v.id("group"),
-		userId: v.id("user"),
+	}).index("by_group", ["group_id"]).index("by_key_value", ["key", "value"]).index("by_key", ["key"]),
+	GroupMember: defineTable({
+		groupId: v.id("Group"),
+		userId: v.id("User"),
 		role: v.optional(v.string()),
+		roleIds: v.optional(v.array(v.string())),
 		status: v.optional(v.string()),
 		extend: v.optional(v.any())
-	}).index("groupId", ["groupId"]).index("groupIdAndUserId", ["groupId", "userId"]).index("userId", ["userId"]),
-	invite: defineTable({
-		groupId: v.optional(v.id("group")),
-		invitedByUserId: v.optional(v.id("user")),
+	}).index("group_id", ["groupId"]).index("group_id_user_id", ["groupId", "userId"]).index("group_id_status", ["groupId", "status"]).index("user_id", ["userId"]),
+	GroupInvite: defineTable({
+		groupId: v.optional(v.id("Group")),
+		invitedByUserId: v.optional(v.id("User")),
 		email: v.optional(v.string()),
 		tokenHash: v.string(),
 		role: v.optional(v.string()),
-		status: v.union(v.literal("pending"), v.literal("accepted"), v.literal("revoked"), v.literal("expired")),
+		roleIds: v.optional(v.array(v.string())),
+		status: vInviteStatus,
 		expiresTime: v.optional(v.number()),
-		acceptedByUserId: v.optional(v.id("user")),
+		acceptedByUserId: v.optional(v.id("User")),
 		acceptedTime: v.optional(v.number()),
 		extend: v.optional(v.any())
-	}).index("tokenHash", ["tokenHash"]).index("status", ["status"]).index("emailAndStatus", ["email", "status"]).index("invitedByUserIdAndStatus", ["invitedByUserId", "status"]).index("groupId", ["groupId"]).index("groupIdAndStatus", ["groupId", "status"]).index("roleAndStatusAndAcceptedByUserId", [
-		"role",
-		"status",
-		"acceptedByUserId"
-	]),
-	key: defineTable({
-		userId: v.id("user"),
+	}).index("token_hash", ["tokenHash"]).index("status", ["status"]).index("email_status", ["email", "status"]).index("invited_by_user_id_status", ["invitedByUserId", "status"]).index("group_id", ["groupId"]).index("group_id_status", ["groupId", "status"]),
+	Enterprise: defineTable({
+		groupId: v.id("Group"),
+		slug: v.optional(v.string()),
+		name: v.optional(v.string()),
+		status: vEnterpriseStatus,
+		policy: v.optional(vEnterprisePolicy),
+		config: v.optional(v.any()),
+		extend: v.optional(v.any())
+	}).index("group_id", ["groupId"]).index("slug", ["slug"]).index("status", ["status"]),
+	EnterpriseDomain: defineTable({
+		enterpriseId: v.id("Enterprise"),
+		groupId: v.id("Group"),
+		domain: v.string(),
+		isPrimary: v.boolean(),
+		verifiedAt: v.optional(v.number())
+	}).index("enterprise_id", ["enterpriseId"]).index("group_id", ["groupId"]).index("domain", ["domain"]),
+	EnterpriseDomainVerification: defineTable({
+		enterpriseId: v.id("Enterprise"),
+		groupId: v.id("Group"),
+		domainId: v.id("EnterpriseDomain"),
+		domain: v.string(),
+		recordName: v.string(),
+		token: v.string(),
+		tokenHash: v.string(),
+		requestedAt: v.number(),
+		expiresAt: v.number()
+	}).index("enterprise_id", ["enterpriseId"]).index("domain_id", ["domainId"]).index("token_hash", ["tokenHash"]),
+	EnterpriseSecret: defineTable({
+		enterpriseId: v.id("Enterprise"),
+		groupId: v.id("Group"),
+		kind: vEnterpriseSecretKind,
+		ciphertext: v.string(),
+		updatedAt: v.number()
+	}).index("enterprise_id", ["enterpriseId"]).index("enterprise_id_kind", ["enterpriseId", "kind"]).index("group_id", ["groupId"]),
+	EnterpriseScimConfig: defineTable({
+		enterpriseId: v.id("Enterprise"),
+		groupId: v.id("Group"),
+		status: vScimStatus,
+		basePath: v.string(),
+		tokenHash: v.string(),
+		lastRotatedAt: v.optional(v.number()),
+		extend: v.optional(v.any())
+	}).index("enterprise_id", ["enterpriseId"]).index("group_id", ["groupId"]).index("token_hash", ["tokenHash"]).index("status", ["status"]),
+	EnterpriseScimIdentity: defineTable({
+		enterpriseId: v.id("Enterprise"),
+		groupId: v.id("Group"),
+		resourceType: vScimResourceType,
+		externalId: v.string(),
+		userId: v.optional(v.id("User")),
+		mappedGroupId: v.optional(v.id("Group")),
+		lastProvisionedAt: v.optional(v.number()),
+		active: v.optional(v.boolean()),
+		raw: v.optional(v.any())
+	}).index("enterprise_id", ["enterpriseId"]).index("group_id", ["groupId"]).index("enterprise_id_resource_type_external_id", [
+		"enterpriseId",
+		"resourceType",
+		"externalId"
+	]).index("enterprise_id_user_id", ["enterpriseId", "userId"]).index("user_id", ["userId"]).index("mapped_group_id", ["mappedGroupId"]),
+	EnterpriseAuditEvent: defineTable({
+		enterpriseId: v.id("Enterprise"),
+		groupId: v.id("Group"),
+		eventType: v.string(),
+		actorType: vAuditActorType,
+		actorId: v.optional(v.string()),
+		subjectType: v.string(),
+		subjectId: v.optional(v.string()),
+		status: vAuditStatus,
+		occurredAt: v.number(),
+		requestId: v.optional(v.string()),
+		ip: v.optional(v.string()),
+		metadata: v.optional(v.any())
+	}).index("enterprise_id_occurred_at", ["enterpriseId", "occurredAt"]).index("group_id_occurred_at", ["groupId", "occurredAt"]).index("event_type_occurred_at", ["eventType", "occurredAt"]),
+	EnterpriseWebhookEndpoint: defineTable({
+		enterpriseId: v.id("Enterprise"),
+		groupId: v.id("Group"),
+		url: v.string(),
+		status: vWebhookEndpointStatus,
+		secretHash: v.string(),
+		subscriptions: v.array(v.string()),
+		createdByUserId: v.optional(v.id("User")),
+		lastSuccessAt: v.optional(v.number()),
+		lastFailureAt: v.optional(v.number()),
+		failureCount: v.number(),
+		extend: v.optional(v.any())
+	}).index("enterprise_id", ["enterpriseId"]).index("group_id", ["groupId"]).index("status", ["status"]),
+	EnterpriseWebhookDelivery: defineTable({
+		enterpriseId: v.id("Enterprise"),
+		endpointId: v.id("EnterpriseWebhookEndpoint"),
+		auditEventId: v.optional(v.id("EnterpriseAuditEvent")),
+		eventType: v.string(),
+		status: vWebhookDeliveryStatus,
+		attemptCount: v.number(),
+		nextAttemptAt: v.number(),
+		lastAttemptAt: v.optional(v.number()),
+		lastResponseStatus: v.optional(v.number()),
+		lastError: v.optional(v.string()),
+		payload: v.any()
+	}).index("enterprise_id", ["enterpriseId"]).index("status_next_attempt_at", ["status", "nextAttemptAt"]).index("endpoint_id_status", ["endpointId", "status"]).index("audit_event_id", ["auditEventId"]),
+	ApiKey: defineTable({
+		userId: v.id("User"),
 		prefix: v.string(),
 		hashedKey: v.string(),
 		name: v.string(),
-		scopes: v.array(v.object({
-			resource: v.string(),
-			actions: v.array(v.string())
-		})),
-		rateLimit: v.optional(v.object({
-			maxRequests: v.number(),
-			windowMs: v.number()
-		})),
-		rateLimitState: v.optional(v.object({
-			attemptsLeft: v.number(),
-			lastAttemptTime: v.number()
-		})),
+		scopes: v.array(vApiKeyScope),
+		rateLimit: v.optional(vApiKeyRateLimit),
+		rateLimitState: v.optional(vApiKeyRateLimitState),
 		expiresAt: v.optional(v.number()),
 		lastUsedAt: v.optional(v.number()),
 		createdAt: v.number(),
-		revoked: v.boolean()
-	}).index("userId", ["userId"]).index("hashedKey", ["hashedKey"])
+		revoked: v.boolean(),
+		metadata: v.optional(v.any())
+	}).index("user_id", ["userId"]).index("hashed_key", ["hashedKey"])
 });
 
 //#endregion

package/dist/component/schema.js.map

@@ -1 +1 @@
-{"version":3,"file":"schema.js","names":[],"sources":["../../src/component/schema.ts"],"sourcesContent":["import { defineSchema, defineTable } from \"convex/server\";\nimport { v } from \"convex/values\";\n\n/**\n * Schema for the auth component.\n *\n * Contains tables for core authentication (users, sessions, accounts, tokens,\n * verification codes, PKCE verifiers, rate limits) and hierarchical group\n * management (groups, members, invites).\n */\nexport default defineSchema({\n  /**\n   * Authenticated users. A user may have multiple linked accounts\n   * and multiple concurrent sessions.\n   */\n  user: defineTable({\n    name: v.optional(v.string()),\n    image: v.optional(v.string()),\n    email: v.optional(v.string()),\n    emailVerificationTime: v.optional(v.number()),\n    phone: v.optional(v.string()),\n    phoneVerificationTime: v.optional(v.number()),\n    isAnonymous: v.optional(v.boolean()),\n    extend: v.optional(v.any()),\n  })\n    .index(\"email\", [\"email\"])\n    .index(\"phone\", [\"phone\"]),\n\n  /**\n   * Active sessions. A single user can have multiple concurrent sessions\n   * across different devices or browsers. Sessions expire after a\n   * configurable duration.\n   */\n  session: defineTable({\n    userId: v.id(\"user\"),\n    expirationTime: v.number(),\n  }).index(\"userId\", [\"userId\"]),\n\n  /**\n   * Authentication accounts. Each account links a user to a single\n   * authentication provider (e.g. Google OAuth, email/password).\n   * A user can have multiple accounts linked.\n   */\n  account: defineTable({\n    userId: v.id(\"user\"),\n    provider: v.string(),\n    providerAccountId: v.string(),\n    secret: v.optional(v.string()),\n    emailVerified: v.optional(v.string()),\n    phoneVerified: v.optional(v.string()),\n  })\n    .index(\"userIdAndProvider\", [\"userId\", \"provider\"])\n    .index(\"providerAndAccountId\", [\"provider\", \"providerAccountId\"]),\n\n  /**\n   * Refresh tokens for session continuity. Tokens are single-use and form\n   * a chain — each token references the one it was exchanged from.\n   *\n   * The active refresh token is the most recently created token that has not\n   * been used yet. A 10-second reuse window allows for concurrent requests.\n   * Any invalid use of a token invalidates the entire chain.\n   */\n  token: defineTable({\n    sessionId: v.id(\"session\"),\n    expirationTime: v.number(),\n    firstUsedTime: v.optional(v.number()),\n    parentRefreshTokenId: v.optional(v.id(\"token\")),\n  })\n    .index(\"sessionId\", [\"sessionId\"])\n    .index(\"sessionIdAndParentRefreshTokenId\", [\n      \"sessionId\",\n      \"parentRefreshTokenId\",\n    ]),\n\n  /**\n   * Verification codes for OTP tokens, magic link tokens, and OAuth codes.\n   */\n  verification: defineTable({\n    accountId: v.id(\"account\"),\n    provider: v.string(),\n    code: v.string(),\n    expirationTime: v.number(),\n    verifier: v.optional(v.string()),\n    emailVerified: v.optional(v.string()),\n    phoneVerified: v.optional(v.string()),\n  })\n    .index(\"accountId\", [\"accountId\"])\n    .index(\"code\", [\"code\"]),\n\n  /**\n   * PKCE verifiers for OAuth flows. Stores the cryptographic verifier\n   * used to prove the authorization request originated from this client.\n   */\n  verifier: defineTable({\n    sessionId: v.optional(v.id(\"session\")),\n    signature: v.optional(v.string()),\n  }).index(\"signature\", [\"signature\"]),\n\n  /**\n   * WebAuthn passkey credentials. Each credential links a user to a\n   * registered authenticator (Touch ID, Face ID, security key, etc.).\n   * A user can have multiple passkeys across different devices.\n   */\n  passkey: defineTable({\n    userId: v.id(\"user\"),\n    /** Base64url-encoded credential ID from the authenticator. */\n    credentialId: v.string(),\n    /** Public key bytes (SEC1 uncompressed for EC, SPKI for RSA). */\n    publicKey: v.bytes(),\n    /** COSE algorithm identifier (-7 for ES256, -257 for RS256, -8 for EdDSA). */\n    algorithm: v.number(),\n    /** Signature counter for clone detection. Many authenticators return 0. */\n    counter: v.number(),\n    /** Authenticator transport hints (e.g. \"internal\", \"hybrid\", \"usb\", \"ble\", \"nfc\"). */\n    transports: v.optional(v.array(v.string())),\n    /** Whether this is a single-device or multi-device (synced) credential. */\n    deviceType: v.string(),\n    /** Whether the credential is backed up (synced passkey). */\n    backedUp: v.boolean(),\n    /** User-assigned friendly name (e.g. \"MacBook Touch ID\"). */\n    name: v.optional(v.string()),\n    createdAt: v.number(),\n    lastUsedAt: v.optional(v.number()),\n  })\n    .index(\"userId\", [\"userId\"])\n    .index(\"credentialId\", [\"credentialId\"]),\n\n  /**\n   * TOTP two-factor authentication secrets. Each record links a user to\n   * an authenticator app. A user can have multiple TOTP enrollments\n   * (e.g. different authenticator apps) but typically has one.\n   *\n   * The `verified` flag indicates whether the user has completed setup\n   * by successfully entering a code from their authenticator app.\n   * Unverified enrollments are in-progress setup that can be discarded.\n   */\n  totp: defineTable({\n    userId: v.id(\"user\"),\n    /** Raw TOTP secret key bytes. */\n    secret: v.bytes(),\n    /** Number of digits in each code (typically 6). */\n    digits: v.number(),\n    /** Time period in seconds for code rotation (typically 30). */\n    period: v.number(),\n    /** Whether setup has been confirmed with a valid code. */\n    verified: v.boolean(),\n    /** User-assigned friendly name (e.g. \"Google Authenticator\"). */\n    name: v.optional(v.string()),\n    createdAt: v.number(),\n    lastUsedAt: v.optional(v.number()),\n  })\n    .index(\"userId\", [\"userId\"]),\n\n  /**\n   * Device authorization codes (RFC 8628). Each record tracks a pending\n   * device auth session — the device polls with `deviceCode` while the\n   * user authorizes via `userCode` on a secondary device.\n   */\n  device: defineTable({\n    /** High-entropy code used by the device for polling. Stored as SHA-256 hash. */\n    deviceCodeHash: v.string(),\n    /** Short human-readable code the user enters (e.g. \"WDJB-MJHT\"). */\n    userCode: v.string(),\n    /** Expiration timestamp (ms since epoch). */\n    expiresAt: v.number(),\n    /** Minimum polling interval in seconds. */\n    interval: v.number(),\n    /** Current status of this device authorization session. */\n    status: v.union(\n      v.literal(\"pending\"),\n      v.literal(\"authorized\"),\n      v.literal(\"denied\"),\n    ),\n    /** Set when the user authorizes — links to the authorizing user. */\n    userId: v.optional(v.id(\"user\")),\n    /** Set when the user authorizes — the session created for the device. */\n    sessionId: v.optional(v.id(\"session\")),\n    /** Timestamp of the last poll request (for slow_down enforcement). */\n    lastPolledAt: v.optional(v.number()),\n  })\n    .index(\"deviceCodeHash\", [\"deviceCodeHash\"])\n    .index(\"userCode\", [\"userCode\", \"status\"]),\n\n  /**\n   * Rate limit tracking for OTP and password sign-in attempts.\n   */\n  limit: defineTable({\n    identifier: v.string(),\n    lastAttemptTime: v.number(),\n    attemptsLeft: v.number(),\n  }).index(\"identifier\", [\"identifier\"]),\n\n  /**\n   * Hierarchical groups. A group with no `parentGroupId` is a root group.\n   * Groups can nest arbitrarily deep via `parentGroupId` for modeling\n   * organizations, teams, departments, or any tree structure.\n   */\n  group: defineTable({\n    name: v.string(),\n    slug: v.optional(v.string()),\n    type: v.optional(v.string()),\n    parentGroupId: v.optional(v.id(\"group\")),\n    /** Faceted classification tags. Normalized at write time (trimmed, lowercased). */\n    tags: v.optional(\n      v.array(v.object({ key: v.string(), value: v.string() })),\n    ),\n    extend: v.optional(v.any()),\n  })\n    .index(\"slug\", [\"slug\"])\n    .index(\"parentGroupId\", [\"parentGroupId\"])\n    .index(\"type\", [\"type\"])\n    .index(\"typeAndParentGroupId\", [\"type\", \"parentGroupId\"]),\n\n  /**\n   * Denormalized group-tag index table for efficient tag-based filtering.\n   * Each row maps one `(key, value)` pair to a group. Kept in sync by\n   * `groupCreate`, `groupUpdate`, and `groupDelete`.\n   */\n  groupTag: defineTable({\n    groupId: v.id(\"group\"),\n    key: v.string(),\n    value: v.string(),\n  })\n    .index(\"by_group\", [\"groupId\"])\n    .index(\"by_key_value\", [\"key\", \"value\"])\n    .index(\"by_key\", [\"key\"]),\n\n  /**\n   * Group membership. Links a user to a group with an application-defined\n   * role (e.g. \"owner\", \"admin\", \"member\", \"viewer\"). A user can be a\n   * member of multiple groups with different roles in each.\n   */\n  member: defineTable({\n    groupId: v.id(\"group\"),\n    userId: v.id(\"user\"),\n    role: v.optional(v.string()),\n    status: v.optional(v.string()),\n    extend: v.optional(v.any()),\n  })\n    .index(\"groupId\", [\"groupId\"])\n    .index(\"groupIdAndUserId\", [\"groupId\", \"userId\"])\n    .index(\"userId\", [\"userId\"]),\n\n  /**\n   * Invitations. Tracks pending, accepted, revoked, and expired\n   * invitations. Optionally scoped to a group via `groupId`, or\n   * platform-level when `groupId` is omitted.\n   *\n   * `email` and `invitedByUserId` are optional to support CLI-generated\n   * invite links where neither is known upfront.\n   */\n  invite: defineTable({\n    groupId: v.optional(v.id(\"group\")),\n    invitedByUserId: v.optional(v.id(\"user\")),\n    email: v.optional(v.string()),\n    tokenHash: v.string(),\n    role: v.optional(v.string()),\n    status: v.union(\n      v.literal(\"pending\"),\n      v.literal(\"accepted\"),\n      v.literal(\"revoked\"),\n      v.literal(\"expired\"),\n    ),\n    expiresTime: v.optional(v.number()),\n    acceptedByUserId: v.optional(v.id(\"user\")),\n    acceptedTime: v.optional(v.number()),\n    extend: v.optional(v.any()),\n  })\n    .index(\"tokenHash\", [\"tokenHash\"])\n    .index(\"status\", [\"status\"])\n    .index(\"emailAndStatus\", [\"email\", \"status\"])\n    .index(\"invitedByUserIdAndStatus\", [\"invitedByUserId\", \"status\"])\n    .index(\"groupId\", [\"groupId\"])\n    .index(\"groupIdAndStatus\", [\"groupId\", \"status\"])\n    .index(\"roleAndStatusAndAcceptedByUserId\", [\n      \"role\",\n      \"status\",\n      \"acceptedByUserId\",\n    ]),\n\n  /**\n   * API keys for programmatic access. Each key links a user to a set of\n   * scoped permissions and optional per-key rate limiting.\n   *\n   * The raw key is never stored — only a SHA-256 hash. A short prefix\n   * (e.g. \"sk_live_abc1...\") is kept for display in admin interfaces.\n   *\n   * Keys support:\n   * - **Scoped permissions**: resource:action pairs (e.g. users:read)\n   * - **Per-key rate limiting**: token-bucket with configurable window\n   * - **Expiration**: optional TTL\n   * - **Soft revocation**: `revoked` flag preserves audit trail\n   */\n  key: defineTable({\n    userId: v.id(\"user\"),\n    /** First chars of the key for display (e.g. \"sk_live_abc1...\"). */\n    prefix: v.string(),\n    /** SHA-256 hex hash of the full raw key. */\n    hashedKey: v.string(),\n    /** User-assigned name (e.g. \"CI Pipeline\", \"Production API\"). */\n    name: v.string(),\n    /** Scoped permissions: [{ resource: \"users\", actions: [\"read\", \"list\"] }]. */\n    scopes: v.array(\n      v.object({\n        resource: v.string(),\n        actions: v.array(v.string()),\n      }),\n    ),\n    /** Optional per-key rate limit configuration. */\n    rateLimit: v.optional(\n      v.object({\n        maxRequests: v.number(),\n        windowMs: v.number(),\n      }),\n    ),\n    /** Rate limit state tracking (token-bucket). */\n    rateLimitState: v.optional(\n      v.object({\n        attemptsLeft: v.number(),\n        lastAttemptTime: v.number(),\n      }),\n    ),\n    /** Expiration timestamp. Null/undefined = never expires. */\n    expiresAt: v.optional(v.number()),\n    lastUsedAt: v.optional(v.number()),\n    createdAt: v.number(),\n    /** Soft-revoke flag. Revoked keys are kept for audit trail. */\n    revoked: v.boolean(),\n  })\n    .index(\"userId\", [\"userId\"])\n    .index(\"hashedKey\", [\"hashedKey\"]),\n});\n"],"mappings":";;;;;;;;;;;AAUA,qBAAe,aAAa;CAK1B,MAAM,YAAY;EAChB,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC5B,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC7B,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC7B,uBAAuB,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC7C,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC7B,uBAAuB,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC7C,aAAa,EAAE,SAAS,EAAE,SAAS,CAAC;EACpC,QAAQ,EAAE,SAAS,EAAE,KAAK,CAAC;EAC5B,CAAC,CACC,MAAM,SAAS,CAAC,QAAQ,CAAC,CACzB,MAAM,SAAS,CAAC,QAAQ,CAAC;CAO5B,SAAS,YAAY;EACnB,QAAQ,EAAE,GAAG,OAAO;EACpB,gBAAgB,EAAE,QAAQ;EAC3B,CAAC,CAAC,MAAM,UAAU,CAAC,SAAS,CAAC;CAO9B,SAAS,YAAY;EACnB,QAAQ,EAAE,GAAG,OAAO;EACpB,UAAU,EAAE,QAAQ;EACpB,mBAAmB,EAAE,QAAQ;EAC7B,QAAQ,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC9B,eAAe,EAAE,SAAS,EAAE,QAAQ,CAAC;EACrC,eAAe,EAAE,SAAS,EAAE,QAAQ,CAAC;EACtC,CAAC,CACC,MAAM,qBAAqB,CAAC,UAAU,WAAW,CAAC,CAClD,MAAM,wBAAwB,CAAC,YAAY,oBAAoB,CAAC;CAUnE,OAAO,YAAY;EACjB,WAAW,EAAE,GAAG,UAAU;EAC1B,gBAAgB,EAAE,QAAQ;EAC1B,eAAe,EAAE,SAAS,EAAE,QAAQ,CAAC;EACrC,sBAAsB,EAAE,SAAS,EAAE,GAAG,QAAQ,CAAC;EAChD,CAAC,CACC,MAAM,aAAa,CAAC,YAAY,CAAC,CACjC,MAAM,oCAAoC,CACzC,aACA,uBACD,CAAC;CAKJ,cAAc,YAAY;EACxB,WAAW,EAAE,GAAG,UAAU;EAC1B,UAAU,EAAE,QAAQ;EACpB,MAAM,EAAE,QAAQ;EAChB,gBAAgB,EAAE,QAAQ;EAC1B,UAAU,EAAE,SAAS,EAAE,QAAQ,CAAC;EAChC,eAAe,EAAE,SAAS,EAAE,QAAQ,CAAC;EACrC,eAAe,EAAE,SAAS,EAAE,QAAQ,CAAC;EACtC,CAAC,CACC,MAAM,aAAa,CAAC,YAAY,CAAC,CACjC,MAAM,QAAQ,CAAC,OAAO,CAAC;CAM1B,UAAU,YAAY;EACpB,WAAW,EAAE,SAAS,EAAE,GAAG,UAAU,CAAC;EACtC,WAAW,EAAE,SAAS,EAAE,QAAQ,CAAC;EAClC,CAAC,CAAC,MAAM,aAAa,CAAC,YAAY,CAAC;CAOpC,SAAS,YAAY;EACnB,QAAQ,EAAE,GAAG,OAAO;EAEpB,cAAc,EAAE,QAAQ;EAExB,WAAW,EAAE,OAAO;EAEpB,WAAW,EAAE,QAAQ;EAErB,SAAS,EAAE,QAAQ;EAEnB,YAAY,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;EAE3C,YAAY,EAAE,QAAQ;EAEtB,UAAU,EAAE,SAAS;EAErB,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC5B,WAAW,EAAE,QAAQ;EACrB,YAAY,EAAE,SAAS,EAAE,QAAQ,CAAC;EACnC,CAAC,CACC,MAAM,UAAU,CAAC,SAAS,CAAC,CAC3B,MAAM,gBAAgB,CAAC,eAAe,CAAC;CAW1C,MAAM,YAAY;EAChB,QAAQ,EAAE,GAAG,OAAO;EAEpB,QAAQ,EAAE,OAAO;EAEjB,QAAQ,EAAE,QAAQ;EAElB,QAAQ,EAAE,QAAQ;EAElB,UAAU,EAAE,SAAS;EAErB,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC5B,WAAW,EAAE,QAAQ;EACrB,YAAY,EAAE,SAAS,EAAE,QAAQ,CAAC;EACnC,CAAC,CACC,MAAM,UAAU,CAAC,SAAS,CAAC;CAO9B,QAAQ,YAAY;EAElB,gBAAgB,EAAE,QAAQ;EAE1B,UAAU,EAAE,QAAQ;EAEpB,WAAW,EAAE,QAAQ;EAErB,UAAU,EAAE,QAAQ;EAEpB,QAAQ,EAAE,MACR,EAAE,QAAQ,UAAU,EACpB,EAAE,QAAQ,aAAa,EACvB,EAAE,QAAQ,SAAS,CACpB;EAED,QAAQ,EAAE,SAAS,EAAE,GAAG,OAAO,CAAC;EAEhC,WAAW,EAAE,SAAS,EAAE,GAAG,UAAU,CAAC;EAEtC,cAAc,EAAE,SAAS,EAAE,QAAQ,CAAC;EACrC,CAAC,CACC,MAAM,kBAAkB,CAAC,iBAAiB,CAAC,CAC3C,MAAM,YAAY,CAAC,YAAY,SAAS,CAAC;CAK5C,OAAO,YAAY;EACjB,YAAY,EAAE,QAAQ;EACtB,iBAAiB,EAAE,QAAQ;EAC3B,cAAc,EAAE,QAAQ;EACzB,CAAC,CAAC,MAAM,cAAc,CAAC,aAAa,CAAC;CAOtC,OAAO,YAAY;EACjB,MAAM,EAAE,QAAQ;EAChB,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC5B,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC5B,eAAe,EAAE,SAAS,EAAE,GAAG,QAAQ,CAAC;EAExC,MAAM,EAAE,SACN,EAAE,MAAM,EAAE,OAAO;GAAE,KAAK,EAAE,QAAQ;GAAE,OAAO,EAAE,QAAQ;GAAE,CAAC,CAAC,CAC1D;EACD,QAAQ,EAAE,SAAS,EAAE,KAAK,CAAC;EAC5B,CAAC,CACC,MAAM,QAAQ,CAAC,OAAO,CAAC,CACvB,MAAM,iBAAiB,CAAC,gBAAgB,CAAC,CACzC,MAAM,QAAQ,CAAC,OAAO,CAAC,CACvB,MAAM,wBAAwB,CAAC,QAAQ,gBAAgB,CAAC;CAO3D,UAAU,YAAY;EACpB,SAAS,EAAE,GAAG,QAAQ;EACtB,KAAK,EAAE,QAAQ;EACf,OAAO,EAAE,QAAQ;EAClB,CAAC,CACC,MAAM,YAAY,CAAC,UAAU,CAAC,CAC9B,MAAM,gBAAgB,CAAC,OAAO,QAAQ,CAAC,CACvC,MAAM,UAAU,CAAC,MAAM,CAAC;CAO3B,QAAQ,YAAY;EAClB,SAAS,EAAE,GAAG,QAAQ;EACtB,QAAQ,EAAE,GAAG,OAAO;EACpB,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC5B,QAAQ,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC9B,QAAQ,EAAE,SAAS,EAAE,KAAK,CAAC;EAC5B,CAAC,CACC,MAAM,WAAW,CAAC,UAAU,CAAC,CAC7B,MAAM,oBAAoB,CAAC,WAAW,SAAS,CAAC,CAChD,MAAM,UAAU,CAAC,SAAS,CAAC;CAU9B,QAAQ,YAAY;EAClB,SAAS,EAAE,SAAS,EAAE,GAAG,QAAQ,CAAC;EAClC,iBAAiB,EAAE,SAAS,EAAE,GAAG,OAAO,CAAC;EACzC,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC7B,WAAW,EAAE,QAAQ;EACrB,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC5B,QAAQ,EAAE,MACR,EAAE,QAAQ,UAAU,EACpB,EAAE,QAAQ,WAAW,EACrB,EAAE,QAAQ,UAAU,EACpB,EAAE,QAAQ,UAAU,CACrB;EACD,aAAa,EAAE,SAAS,EAAE,QAAQ,CAAC;EACnC,kBAAkB,EAAE,SAAS,EAAE,GAAG,OAAO,CAAC;EAC1C,cAAc,EAAE,SAAS,EAAE,QAAQ,CAAC;EACpC,QAAQ,EAAE,SAAS,EAAE,KAAK,CAAC;EAC5B,CAAC,CACC,MAAM,aAAa,CAAC,YAAY,CAAC,CACjC,MAAM,UAAU,CAAC,SAAS,CAAC,CAC3B,MAAM,kBAAkB,CAAC,SAAS,SAAS,CAAC,CAC5C,MAAM,4BAA4B,CAAC,mBAAmB,SAAS,CAAC,CAChE,MAAM,WAAW,CAAC,UAAU,CAAC,CAC7B,MAAM,oBAAoB,CAAC,WAAW,SAAS,CAAC,CAChD,MAAM,oCAAoC;EACzC;EACA;EACA;EACD,CAAC;CAeJ,KAAK,YAAY;EACf,QAAQ,EAAE,GAAG,OAAO;EAEpB,QAAQ,EAAE,QAAQ;EAElB,WAAW,EAAE,QAAQ;EAErB,MAAM,EAAE,QAAQ;EAEhB,QAAQ,EAAE,MACR,EAAE,OAAO;GACP,UAAU,EAAE,QAAQ;GACpB,SAAS,EAAE,MAAM,EAAE,QAAQ,CAAC;GAC7B,CAAC,CACH;EAED,WAAW,EAAE,SACX,EAAE,OAAO;GACP,aAAa,EAAE,QAAQ;GACvB,UAAU,EAAE,QAAQ;GACrB,CAAC,CACH;EAED,gBAAgB,EAAE,SAChB,EAAE,OAAO;GACP,cAAc,EAAE,QAAQ;GACxB,iBAAiB,EAAE,QAAQ;GAC5B,CAAC,CACH;EAED,WAAW,EAAE,SAAS,EAAE,QAAQ,CAAC;EACjC,YAAY,EAAE,SAAS,EAAE,QAAQ,CAAC;EAClC,WAAW,EAAE,QAAQ;EAErB,SAAS,EAAE,SAAS;EACrB,CAAC,CACC,MAAM,UAAU,CAAC,SAAS,CAAC,CAC3B,MAAM,aAAa,CAAC,YAAY,CAAC;CACrC,CAAC"}
+{"version":3,"file":"schema.js","names":[],"sources":["../../src/component/schema.ts"],"sourcesContent":["import { defineSchema, defineTable } from \"convex/server\";\nimport { v } from \"convex/values\";\n\nimport {\n  vApiKeyRateLimit,\n  vApiKeyRateLimitState,\n  vApiKeyScope,\n  vAuditActorType,\n  vAuditStatus,\n  vDeviceStatus,\n  vEnterprisePolicy,\n  vEnterpriseSecretKind,\n  vEnterpriseStatus,\n  vInviteStatus,\n  vScimResourceType,\n  vScimStatus,\n  vTag,\n  vWebhookDeliveryStatus,\n  vWebhookEndpointStatus,\n} from \"./model\";\n\n/**\n * Schema for the auth component.\n *\n * Contains tables for core authentication (users, sessions, accounts, tokens,\n * verification codes, PKCE verifiers, rate limits) and hierarchical group\n * management (groups, members, invites).\n */\nexport default defineSchema({\n  /**\n   * Authenticated users. A user may have multiple linked accounts\n   * and multiple concurrent sessions.\n   */\n  User: defineTable({\n    name: v.optional(v.string()),\n    image: v.optional(v.string()),\n    email: v.optional(v.string()),\n    emailVerificationTime: v.optional(v.number()),\n    phone: v.optional(v.string()),\n    phoneVerificationTime: v.optional(v.number()),\n    isAnonymous: v.optional(v.boolean()),\n    extend: v.optional(v.any()),\n  })\n    .index(\"email\", [\"email\"])\n    .index(\"email_verified\", [\"email\", \"emailVerificationTime\"])\n    .index(\"phone\", [\"phone\"])\n    .index(\"phone_verified\", [\"phone\", \"phoneVerificationTime\"]),\n\n  /**\n   * Active sessions. A single user can have multiple concurrent sessions\n   * across different devices or browsers. Sessions expire after a\n   * configurable duration.\n   */\n  Session: defineTable({\n    userId: v.id(\"User\"),\n    expirationTime: v.number(),\n  }).index(\"user_id\", [\"userId\"]),\n\n  /**\n   * Authentication accounts. Each account links a user to a single\n   * authentication provider (e.g. Google OAuth, email/password).\n   * A user can have multiple accounts linked.\n   */\n  Account: defineTable({\n    userId: v.id(\"User\"),\n    provider: v.string(),\n    providerAccountId: v.string(),\n    secret: v.optional(v.string()),\n    emailVerified: v.optional(v.string()),\n    phoneVerified: v.optional(v.string()),\n    extend: v.optional(v.any()),\n  })\n    .index(\"user_id_provider\", [\"userId\", \"provider\"])\n    .index(\"provider_account_id\", [\"provider\", \"providerAccountId\"]),\n\n  /**\n   * Refresh tokens for session continuity. Tokens are single-use and form\n   * a chain — each token references the one it was exchanged from.\n   *\n   * The active refresh token is the most recently created token that has not\n   * been used yet. A 10-second reuse window allows for concurrent requests.\n   * Any invalid use of a token invalidates the entire chain.\n   */\n  RefreshToken: defineTable({\n    sessionId: v.id(\"Session\"),\n    expirationTime: v.number(),\n    firstUsedTime: v.optional(v.number()),\n    parentRefreshTokenId: v.optional(v.id(\"RefreshToken\")),\n  })\n    .index(\"session_id\", [\"sessionId\"])\n    .index(\"session_id_first_used\", [\"sessionId\", \"firstUsedTime\"])\n    .index(\"session_id_parent_refresh_token_id\", [\n      \"sessionId\",\n      \"parentRefreshTokenId\",\n    ]),\n\n  /**\n   * Verification codes for OTP tokens, magic link tokens, and OAuth codes.\n   */\n  VerificationCode: defineTable({\n    accountId: v.id(\"Account\"),\n    provider: v.string(),\n    code: v.string(),\n    expirationTime: v.number(),\n    verifier: v.optional(v.string()),\n    emailVerified: v.optional(v.string()),\n    phoneVerified: v.optional(v.string()),\n  })\n    .index(\"account_id\", [\"accountId\"])\n    .index(\"code\", [\"code\"]),\n\n  /**\n   * PKCE verifiers for OAuth flows. Stores the cryptographic verifier\n   * used to prove the authorization request originated from this client.\n   */\n  AuthVerifier: defineTable({\n    sessionId: v.optional(v.id(\"Session\")),\n    signature: v.optional(v.string()),\n  }).index(\"signature\", [\"signature\"]),\n\n  /**\n   * WebAuthn passkey credentials. Each credential links a user to a\n   * registered authenticator (Touch ID, Face ID, security key, etc.).\n   * A user can have multiple passkeys across different devices.\n   */\n  Passkey: defineTable({\n    userId: v.id(\"User\"),\n    /** Base64url-encoded credential ID from the authenticator. */\n    credentialId: v.string(),\n    /** Public key bytes (SEC1 uncompressed for EC, SPKI for RSA). */\n    publicKey: v.bytes(),\n    /** COSE algorithm identifier (-7 for ES256, -257 for RS256, -8 for EdDSA). */\n    algorithm: v.number(),\n    /** Signature counter for clone detection. Many authenticators return 0. */\n    counter: v.number(),\n    /** Authenticator transport hints (e.g. \"internal\", \"hybrid\", \"usb\", \"ble\", \"nfc\"). */\n    transports: v.optional(v.array(v.string())),\n    /** Whether this is a single-device or multi-device (synced) credential. */\n    deviceType: v.string(),\n    /** Whether the credential is backed up (synced passkey). */\n    backedUp: v.boolean(),\n    /** User-assigned friendly name (e.g. \"MacBook Touch ID\"). */\n    name: v.optional(v.string()),\n    createdAt: v.number(),\n    lastUsedAt: v.optional(v.number()),\n  })\n    .index(\"user_id\", [\"userId\"])\n    .index(\"credential_id\", [\"credentialId\"]),\n\n  /**\n   * TOTP two-factor authentication secrets. Each record links a user to\n   * an authenticator app. A user can have multiple TOTP enrollments\n   * (e.g. different authenticator apps) but typically has one.\n   *\n   * The `verified` flag indicates whether the user has completed setup\n   * by successfully entering a code from their authenticator app.\n   * Unverified enrollments are in-progress setup that can be discarded.\n   */\n  TotpFactor: defineTable({\n    userId: v.id(\"User\"),\n    /** Raw TOTP secret key bytes. */\n    secret: v.bytes(),\n    /** Number of digits in each code (typically 6). */\n    digits: v.number(),\n    /** Time period in seconds for code rotation (typically 30). */\n    period: v.number(),\n    /** Whether setup has been confirmed with a valid code. */\n    verified: v.boolean(),\n    /** User-assigned friendly name (e.g. \"Google Authenticator\"). */\n    name: v.optional(v.string()),\n    createdAt: v.number(),\n    lastUsedAt: v.optional(v.number()),\n  })\n    .index(\"user_id\", [\"userId\"])\n    .index(\"user_id_verified\", [\"userId\", \"verified\"]),\n\n  /**\n   * Device authorization codes (RFC 8628). Each record tracks a pending\n   * device auth session — the device polls with `deviceCode` while the\n   * user authorizes via `userCode` on a secondary device.\n   */\n  DeviceCode: defineTable({\n    /** High-entropy code used by the device for polling. Stored as SHA-256 hash. */\n    deviceCodeHash: v.string(),\n    /** Short human-readable code the user enters (e.g. \"WDJB-MJHT\"). */\n    userCode: v.string(),\n    /** Expiration timestamp (ms since epoch). */\n    expiresAt: v.number(),\n    /** Minimum polling interval in seconds. */\n    interval: v.number(),\n    /** Current status of this device authorization session. */\n    status: vDeviceStatus,\n    /** Set when the user authorizes — links to the authorizing user. */\n    userId: v.optional(v.id(\"User\")),\n    /** Set when the user authorizes — the session created for the device. */\n    sessionId: v.optional(v.id(\"Session\")),\n    /** Timestamp of the last poll request (for slow_down enforcement). */\n    lastPolledAt: v.optional(v.number()),\n  })\n    .index(\"device_code_hash\", [\"deviceCodeHash\"])\n    .index(\"user_code_status\", [\"userCode\", \"status\"]),\n\n  /**\n   * Rate limit tracking for OTP and password sign-in attempts.\n   */\n  RateLimit: defineTable({\n    identifier: v.string(),\n    last_attempt_time: v.number(),\n    attempts_left: v.number(),\n  }).index(\"by_identifier\", [\"identifier\"]),\n\n  /**\n   * Hierarchical groups. A group with no `parentGroupId` is a root group.\n   * Groups can nest arbitrarily deep via `parentGroupId` for modeling\n   * organizations, teams, departments, or any tree structure.\n   */\n  Group: defineTable({\n    name: v.string(),\n    slug: v.optional(v.string()),\n    type: v.optional(v.string()),\n    parentGroupId: v.optional(v.id(\"Group\")),\n    /** Denormalized root group ID. Self-referencing for root groups. */\n    rootGroupId: v.optional(v.id(\"Group\")),\n    /** Denormalized flag: `true` when `parentGroupId` is absent. */\n    isRoot: v.optional(v.boolean()),\n    /** Faceted classification tags. Normalized at write time (trimmed, lowercased). */\n    tags: v.optional(v.array(vTag)),\n    extend: v.optional(v.any()),\n  })\n    .index(\"slug\", [\"slug\"])\n    .index(\"parent_group_id\", [\"parentGroupId\"])\n    .index(\"root_group_id\", [\"rootGroupId\"])\n    .index(\"is_root\", [\"isRoot\"])\n    .index(\"type\", [\"type\"])\n    .index(\"type_parent_group_id\", [\"type\", \"parentGroupId\"]),\n\n  /**\n   * Denormalized group-tag index table for efficient tag-based filtering.\n   * Each row maps one `(key, value)` pair to a group. Kept in sync by\n   * `groupCreate`, `groupUpdate`, and `groupDelete`.\n   */\n  GroupTag: defineTable({\n    group_id: v.id(\"Group\"),\n    key: v.string(),\n    value: v.string(),\n  })\n    .index(\"by_group\", [\"group_id\"])\n    .index(\"by_key_value\", [\"key\", \"value\"])\n    .index(\"by_key\", [\"key\"]),\n\n  /**\n   * Group membership. Links a user to a group with an application-defined\n   * role (e.g. \"owner\", \"admin\", \"member\", \"viewer\"). A user can be a\n   * member of multiple groups with different roles in each.\n   */\n  GroupMember: defineTable({\n    groupId: v.id(\"Group\"),\n    userId: v.id(\"User\"),\n    role: v.optional(v.string()),\n    roleIds: v.optional(v.array(v.string())),\n    status: v.optional(v.string()),\n    extend: v.optional(v.any()),\n  })\n    .index(\"group_id\", [\"groupId\"])\n    .index(\"group_id_user_id\", [\"groupId\", \"userId\"])\n    .index(\"group_id_status\", [\"groupId\", \"status\"])\n    .index(\"user_id\", [\"userId\"]),\n\n  /**\n   * Invitations. Tracks pending, accepted, revoked, and expired\n   * invitations. Optionally scoped to a group via `groupId`, or\n   * platform-level when `groupId` is omitted.\n   *\n   * `email` and `invitedByUserId` are optional to support CLI-generated\n   * invite links where neither is known upfront.\n   */\n  GroupInvite: defineTable({\n    groupId: v.optional(v.id(\"Group\")),\n    invitedByUserId: v.optional(v.id(\"User\")),\n    email: v.optional(v.string()),\n    tokenHash: v.string(),\n    role: v.optional(v.string()),\n    roleIds: v.optional(v.array(v.string())),\n    status: vInviteStatus,\n    expiresTime: v.optional(v.number()),\n    acceptedByUserId: v.optional(v.id(\"User\")),\n    acceptedTime: v.optional(v.number()),\n    extend: v.optional(v.any()),\n  })\n    .index(\"token_hash\", [\"tokenHash\"])\n    .index(\"status\", [\"status\"])\n    .index(\"email_status\", [\"email\", \"status\"])\n    .index(\"invited_by_user_id_status\", [\"invitedByUserId\", \"status\"])\n    .index(\"group_id\", [\"groupId\"])\n    .index(\"group_id_status\", [\"groupId\", \"status\"]),\n\n  /**\n   * Enterprise configuration attached to a root group/organization.\n   *\n   * The `config` payload intentionally stays flexible so the headless enterprise\n   * SDK can evolve without forcing schema churn for every protocol-specific\n   * field addition.\n   */\n  Enterprise: defineTable({\n    groupId: v.id(\"Group\"),\n    slug: v.optional(v.string()),\n    name: v.optional(v.string()),\n    status: vEnterpriseStatus,\n    policy: v.optional(vEnterprisePolicy),\n    config: v.optional(v.any()),\n    extend: v.optional(v.any()),\n  })\n    .index(\"group_id\", [\"groupId\"])\n    .index(\"slug\", [\"slug\"])\n    .index(\"status\", [\"status\"]),\n\n  /**\n   * Verified or pending domains linked to an enterprise record.\n   */\n  EnterpriseDomain: defineTable({\n    enterpriseId: v.id(\"Enterprise\"),\n    groupId: v.id(\"Group\"),\n    domain: v.string(),\n    isPrimary: v.boolean(),\n    verifiedAt: v.optional(v.number()),\n  })\n    .index(\"enterprise_id\", [\"enterpriseId\"])\n    .index(\"group_id\", [\"groupId\"])\n    .index(\"domain\", [\"domain\"]),\n\n  /**\n   * Pending DNS TXT verification challenges for enterprise domains.\n   */\n  EnterpriseDomainVerification: defineTable({\n    enterpriseId: v.id(\"Enterprise\"),\n    groupId: v.id(\"Group\"),\n    domainId: v.id(\"EnterpriseDomain\"),\n    domain: v.string(),\n    recordName: v.string(),\n    token: v.string(),\n    tokenHash: v.string(),\n    requestedAt: v.number(),\n    expiresAt: v.number(),\n  })\n    .index(\"enterprise_id\", [\"enterpriseId\"])\n    .index(\"domain_id\", [\"domainId\"])\n    .index(\"token_hash\", [\"tokenHash\"]),\n\n  /**\n   * Encrypted enterprise secrets stored separately from protocol config.\n   */\n  EnterpriseSecret: defineTable({\n    enterpriseId: v.id(\"Enterprise\"),\n    groupId: v.id(\"Group\"),\n    kind: vEnterpriseSecretKind,\n    ciphertext: v.string(),\n    updatedAt: v.number(),\n  })\n    .index(\"enterprise_id\", [\"enterpriseId\"])\n    .index(\"enterprise_id_kind\", [\"enterpriseId\", \"kind\"])\n    .index(\"group_id\", [\"groupId\"]),\n\n  /**\n   * SCIM configuration for an enterprise tenant.\n   */\n  EnterpriseScimConfig: defineTable({\n    enterpriseId: v.id(\"Enterprise\"),\n    groupId: v.id(\"Group\"),\n    status: vScimStatus,\n    basePath: v.string(),\n    tokenHash: v.string(),\n    lastRotatedAt: v.optional(v.number()),\n    extend: v.optional(v.any()),\n  })\n    .index(\"enterprise_id\", [\"enterpriseId\"])\n    .index(\"group_id\", [\"groupId\"])\n    .index(\"token_hash\", [\"tokenHash\"])\n    .index(\"status\", [\"status\"]),\n\n  /**\n   * External SCIM identities mapped into local users/groups.\n   */\n  EnterpriseScimIdentity: defineTable({\n    enterpriseId: v.id(\"Enterprise\"),\n    groupId: v.id(\"Group\"),\n    resourceType: vScimResourceType,\n    externalId: v.string(),\n    userId: v.optional(v.id(\"User\")),\n    mappedGroupId: v.optional(v.id(\"Group\")),\n    lastProvisionedAt: v.optional(v.number()),\n    active: v.optional(v.boolean()),\n    raw: v.optional(v.any()),\n  })\n    .index(\"enterprise_id\", [\"enterpriseId\"])\n    .index(\"group_id\", [\"groupId\"])\n    .index(\"enterprise_id_resource_type_external_id\", [\n      \"enterpriseId\",\n      \"resourceType\",\n      \"externalId\",\n    ])\n    .index(\"enterprise_id_user_id\", [\"enterpriseId\", \"userId\"])\n    .index(\"user_id\", [\"userId\"])\n    .index(\"mapped_group_id\", [\"mappedGroupId\"]),\n\n  /**\n   * Immutable audit trail for enterprise operations.\n   */\n  EnterpriseAuditEvent: defineTable({\n    enterpriseId: v.id(\"Enterprise\"),\n    groupId: v.id(\"Group\"),\n    eventType: v.string(),\n    actorType: vAuditActorType,\n    actorId: v.optional(v.string()),\n    subjectType: v.string(),\n    subjectId: v.optional(v.string()),\n    status: vAuditStatus,\n    occurredAt: v.number(),\n    requestId: v.optional(v.string()),\n    ip: v.optional(v.string()),\n    metadata: v.optional(v.any()),\n  })\n    .index(\"enterprise_id_occurred_at\", [\"enterpriseId\", \"occurredAt\"])\n    .index(\"group_id_occurred_at\", [\"groupId\", \"occurredAt\"])\n    .index(\"event_type_occurred_at\", [\"eventType\", \"occurredAt\"]),\n\n  /**\n   * Webhook endpoints subscribed to enterprise audit and lifecycle events.\n   */\n  EnterpriseWebhookEndpoint: defineTable({\n    enterpriseId: v.id(\"Enterprise\"),\n    groupId: v.id(\"Group\"),\n    url: v.string(),\n    status: vWebhookEndpointStatus,\n    secretHash: v.string(),\n    subscriptions: v.array(v.string()),\n    createdByUserId: v.optional(v.id(\"User\")),\n    lastSuccessAt: v.optional(v.number()),\n    lastFailureAt: v.optional(v.number()),\n    failureCount: v.number(),\n    extend: v.optional(v.any()),\n  })\n    .index(\"enterprise_id\", [\"enterpriseId\"])\n    .index(\"group_id\", [\"groupId\"])\n    .index(\"status\", [\"status\"]),\n\n  /**\n   * Delivery queue for outbound enterprise webhooks.\n   */\n  EnterpriseWebhookDelivery: defineTable({\n    enterpriseId: v.id(\"Enterprise\"),\n    endpointId: v.id(\"EnterpriseWebhookEndpoint\"),\n    auditEventId: v.optional(v.id(\"EnterpriseAuditEvent\")),\n    eventType: v.string(),\n    status: vWebhookDeliveryStatus,\n    attemptCount: v.number(),\n    nextAttemptAt: v.number(),\n    lastAttemptAt: v.optional(v.number()),\n    lastResponseStatus: v.optional(v.number()),\n    lastError: v.optional(v.string()),\n    payload: v.any(),\n  })\n    .index(\"enterprise_id\", [\"enterpriseId\"])\n    .index(\"status_next_attempt_at\", [\"status\", \"nextAttemptAt\"])\n    .index(\"endpoint_id_status\", [\"endpointId\", \"status\"])\n    .index(\"audit_event_id\", [\"auditEventId\"]),\n\n  /**\n   * API keys for programmatic access. Each key links a user to a set of\n   * scoped permissions and optional per-key rate limiting.\n   *\n   * The raw key is never stored — only a SHA-256 hash. A short prefix\n   * (e.g. \"sk_abc1...\") is kept for display in admin interfaces.\n   *\n   * Keys support:\n   * - **Scoped permissions**: resource:action pairs (e.g. users:read)\n   * - **Per-key rate limiting**: token-bucket with configurable window\n   * - **Expiration**: optional TTL\n   * - **Soft revocation**: `revoked` flag preserves audit trail\n   */\n  ApiKey: defineTable({\n    userId: v.id(\"User\"),\n    /** First chars of the key for display (e.g. \"sk_abc1...\"). */\n    prefix: v.string(),\n    /** SHA-256 hex hash of the full raw key. */\n    hashedKey: v.string(),\n    /** User-assigned name (e.g. \"CI Pipeline\", \"Production API\"). */\n    name: v.string(),\n    /** Scoped permissions: [{ resource: \"users\", actions: [\"read\", \"list\"] }]. */\n    scopes: v.array(vApiKeyScope),\n    /** Optional per-key rate limit configuration. */\n    rateLimit: v.optional(vApiKeyRateLimit),\n    /** Rate limit state tracking (token-bucket). */\n    rateLimitState: v.optional(vApiKeyRateLimitState),\n    /** Expiration timestamp. Null/undefined = never expires. */\n    expiresAt: v.optional(v.number()),\n    lastUsedAt: v.optional(v.number()),\n    createdAt: v.number(),\n    /** Soft-revoke flag. Revoked keys are kept for audit trail. */\n    revoked: v.boolean(),\n    /** Arbitrary app-specific metadata attached to the key. */\n    metadata: v.optional(v.any()),\n  })\n    .index(\"user_id\", [\"userId\"])\n    .index(\"hashed_key\", [\"hashedKey\"]),\n});\n"],"mappings":";;;;;;;;;;;;AA4BA,qBAAe,aAAa;CAK1B,MAAM,YAAY;EAChB,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC5B,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC7B,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC7B,uBAAuB,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC7C,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC7B,uBAAuB,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC7C,aAAa,EAAE,SAAS,EAAE,SAAS,CAAC;EACpC,QAAQ,EAAE,SAAS,EAAE,KAAK,CAAC;EAC5B,CAAC,CACC,MAAM,SAAS,CAAC,QAAQ,CAAC,CACzB,MAAM,kBAAkB,CAAC,SAAS,wBAAwB,CAAC,CAC3D,MAAM,SAAS,CAAC,QAAQ,CAAC,CACzB,MAAM,kBAAkB,CAAC,SAAS,wBAAwB,CAAC;CAO9D,SAAS,YAAY;EACnB,QAAQ,EAAE,GAAG,OAAO;EACpB,gBAAgB,EAAE,QAAQ;EAC3B,CAAC,CAAC,MAAM,WAAW,CAAC,SAAS,CAAC;CAO/B,SAAS,YAAY;EACnB,QAAQ,EAAE,GAAG,OAAO;EACpB,UAAU,EAAE,QAAQ;EACpB,mBAAmB,EAAE,QAAQ;EAC7B,QAAQ,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC9B,eAAe,EAAE,SAAS,EAAE,QAAQ,CAAC;EACrC,eAAe,EAAE,SAAS,EAAE,QAAQ,CAAC;EACrC,QAAQ,EAAE,SAAS,EAAE,KAAK,CAAC;EAC5B,CAAC,CACC,MAAM,oBAAoB,CAAC,UAAU,WAAW,CAAC,CACjD,MAAM,uBAAuB,CAAC,YAAY,oBAAoB,CAAC;CAUlE,cAAc,YAAY;EACxB,WAAW,EAAE,GAAG,UAAU;EAC1B,gBAAgB,EAAE,QAAQ;EAC1B,eAAe,EAAE,SAAS,EAAE,QAAQ,CAAC;EACrC,sBAAsB,EAAE,SAAS,EAAE,GAAG,eAAe,CAAC;EACvD,CAAC,CACC,MAAM,cAAc,CAAC,YAAY,CAAC,CAClC,MAAM,yBAAyB,CAAC,aAAa,gBAAgB,CAAC,CAC9D,MAAM,sCAAsC,CAC3C,aACA,uBACD,CAAC;CAKJ,kBAAkB,YAAY;EAC5B,WAAW,EAAE,GAAG,UAAU;EAC1B,UAAU,EAAE,QAAQ;EACpB,MAAM,EAAE,QAAQ;EAChB,gBAAgB,EAAE,QAAQ;EAC1B,UAAU,EAAE,SAAS,EAAE,QAAQ,CAAC;EAChC,eAAe,EAAE,SAAS,EAAE,QAAQ,CAAC;EACrC,eAAe,EAAE,SAAS,EAAE,QAAQ,CAAC;EACtC,CAAC,CACC,MAAM,cAAc,CAAC,YAAY,CAAC,CAClC,MAAM,QAAQ,CAAC,OAAO,CAAC;CAM1B,cAAc,YAAY;EACxB,WAAW,EAAE,SAAS,EAAE,GAAG,UAAU,CAAC;EACtC,WAAW,EAAE,SAAS,EAAE,QAAQ,CAAC;EAClC,CAAC,CAAC,MAAM,aAAa,CAAC,YAAY,CAAC;CAOpC,SAAS,YAAY;EACnB,QAAQ,EAAE,GAAG,OAAO;EAEpB,cAAc,EAAE,QAAQ;EAExB,WAAW,EAAE,OAAO;EAEpB,WAAW,EAAE,QAAQ;EAErB,SAAS,EAAE,QAAQ;EAEnB,YAAY,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;EAE3C,YAAY,EAAE,QAAQ;EAEtB,UAAU,EAAE,SAAS;EAErB,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC5B,WAAW,EAAE,QAAQ;EACrB,YAAY,EAAE,SAAS,EAAE,QAAQ,CAAC;EACnC,CAAC,CACC,MAAM,WAAW,CAAC,SAAS,CAAC,CAC5B,MAAM,iBAAiB,CAAC,eAAe,CAAC;CAW3C,YAAY,YAAY;EACtB,QAAQ,EAAE,GAAG,OAAO;EAEpB,QAAQ,EAAE,OAAO;EAEjB,QAAQ,EAAE,QAAQ;EAElB,QAAQ,EAAE,QAAQ;EAElB,UAAU,EAAE,SAAS;EAErB,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC5B,WAAW,EAAE,QAAQ;EACrB,YAAY,EAAE,SAAS,EAAE,QAAQ,CAAC;EACnC,CAAC,CACC,MAAM,WAAW,CAAC,SAAS,CAAC,CAC5B,MAAM,oBAAoB,CAAC,UAAU,WAAW,CAAC;CAOpD,YAAY,YAAY;EAEtB,gBAAgB,EAAE,QAAQ;EAE1B,UAAU,EAAE,QAAQ;EAEpB,WAAW,EAAE,QAAQ;EAErB,UAAU,EAAE,QAAQ;EAEpB,QAAQ;EAER,QAAQ,EAAE,SAAS,EAAE,GAAG,OAAO,CAAC;EAEhC,WAAW,EAAE,SAAS,EAAE,GAAG,UAAU,CAAC;EAEtC,cAAc,EAAE,SAAS,EAAE,QAAQ,CAAC;EACrC,CAAC,CACC,MAAM,oBAAoB,CAAC,iBAAiB,CAAC,CAC7C,MAAM,oBAAoB,CAAC,YAAY,SAAS,CAAC;CAKpD,WAAW,YAAY;EACrB,YAAY,EAAE,QAAQ;EACtB,mBAAmB,EAAE,QAAQ;EAC7B,eAAe,EAAE,QAAQ;EAC1B,CAAC,CAAC,MAAM,iBAAiB,CAAC,aAAa,CAAC;CAOzC,OAAO,YAAY;EACjB,MAAM,EAAE,QAAQ;EAChB,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC5B,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC5B,eAAe,EAAE,SAAS,EAAE,GAAG,QAAQ,CAAC;EAExC,aAAa,EAAE,SAAS,EAAE,GAAG,QAAQ,CAAC;EAEtC,QAAQ,EAAE,SAAS,EAAE,SAAS,CAAC;EAE/B,MAAM,EAAE,SAAS,EAAE,MAAM,KAAK,CAAC;EAC/B,QAAQ,EAAE,SAAS,EAAE,KAAK,CAAC;EAC5B,CAAC,CACC,MAAM,QAAQ,CAAC,OAAO,CAAC,CACvB,MAAM,mBAAmB,CAAC,gBAAgB,CAAC,CAC3C,MAAM,iBAAiB,CAAC,cAAc,CAAC,CACvC,MAAM,WAAW,CAAC,SAAS,CAAC,CAC5B,MAAM,QAAQ,CAAC,OAAO,CAAC,CACvB,MAAM,wBAAwB,CAAC,QAAQ,gBAAgB,CAAC;CAO3D,UAAU,YAAY;EACpB,UAAU,EAAE,GAAG,QAAQ;EACvB,KAAK,EAAE,QAAQ;EACf,OAAO,EAAE,QAAQ;EAClB,CAAC,CACC,MAAM,YAAY,CAAC,WAAW,CAAC,CAC/B,MAAM,gBAAgB,CAAC,OAAO,QAAQ,CAAC,CACvC,MAAM,UAAU,CAAC,MAAM,CAAC;CAO3B,aAAa,YAAY;EACvB,SAAS,EAAE,GAAG,QAAQ;EACtB,QAAQ,EAAE,GAAG,OAAO;EACpB,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC5B,SAAS,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;EACxC,QAAQ,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC9B,QAAQ,EAAE,SAAS,EAAE,KAAK,CAAC;EAC5B,CAAC,CACC,MAAM,YAAY,CAAC,UAAU,CAAC,CAC9B,MAAM,oBAAoB,CAAC,WAAW,SAAS,CAAC,CAChD,MAAM,mBAAmB,CAAC,WAAW,SAAS,CAAC,CAC/C,MAAM,WAAW,CAAC,SAAS,CAAC;CAU/B,aAAa,YAAY;EACvB,SAAS,EAAE,SAAS,EAAE,GAAG,QAAQ,CAAC;EAClC,iBAAiB,EAAE,SAAS,EAAE,GAAG,OAAO,CAAC;EACzC,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC7B,WAAW,EAAE,QAAQ;EACrB,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC5B,SAAS,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;EACxC,QAAQ;EACR,aAAa,EAAE,SAAS,EAAE,QAAQ,CAAC;EACnC,kBAAkB,EAAE,SAAS,EAAE,GAAG,OAAO,CAAC;EAC1C,cAAc,EAAE,SAAS,EAAE,QAAQ,CAAC;EACpC,QAAQ,EAAE,SAAS,EAAE,KAAK,CAAC;EAC5B,CAAC,CACC,MAAM,cAAc,CAAC,YAAY,CAAC,CAClC,MAAM,UAAU,CAAC,SAAS,CAAC,CAC3B,MAAM,gBAAgB,CAAC,SAAS,SAAS,CAAC,CAC1C,MAAM,6BAA6B,CAAC,mBAAmB,SAAS,CAAC,CACjE,MAAM,YAAY,CAAC,UAAU,CAAC,CAC9B,MAAM,mBAAmB,CAAC,WAAW,SAAS,CAAC;CASlD,YAAY,YAAY;EACtB,SAAS,EAAE,GAAG,QAAQ;EACtB,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC5B,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC5B,QAAQ;EACR,QAAQ,EAAE,SAAS,kBAAkB;EACrC,QAAQ,EAAE,SAAS,EAAE,KAAK,CAAC;EAC3B,QAAQ,EAAE,SAAS,EAAE,KAAK,CAAC;EAC5B,CAAC,CACC,MAAM,YAAY,CAAC,UAAU,CAAC,CAC9B,MAAM,QAAQ,CAAC,OAAO,CAAC,CACvB,MAAM,UAAU,CAAC,SAAS,CAAC;CAK9B,kBAAkB,YAAY;EAC5B,cAAc,EAAE,GAAG,aAAa;EAChC,SAAS,EAAE,GAAG,QAAQ;EACtB,QAAQ,EAAE,QAAQ;EAClB,WAAW,EAAE,SAAS;EACtB,YAAY,EAAE,SAAS,EAAE,QAAQ,CAAC;EACnC,CAAC,CACC,MAAM,iBAAiB,CAAC,eAAe,CAAC,CACxC,MAAM,YAAY,CAAC,UAAU,CAAC,CAC9B,MAAM,UAAU,CAAC,SAAS,CAAC;CAK9B,8BAA8B,YAAY;EACxC,cAAc,EAAE,GAAG,aAAa;EAChC,SAAS,EAAE,GAAG,QAAQ;EACtB,UAAU,EAAE,GAAG,mBAAmB;EAClC,QAAQ,EAAE,QAAQ;EAClB,YAAY,EAAE,QAAQ;EACtB,OAAO,EAAE,QAAQ;EACjB,WAAW,EAAE,QAAQ;EACrB,aAAa,EAAE,QAAQ;EACvB,WAAW,EAAE,QAAQ;EACtB,CAAC,CACC,MAAM,iBAAiB,CAAC,eAAe,CAAC,CACxC,MAAM,aAAa,CAAC,WAAW,CAAC,CAChC,MAAM,cAAc,CAAC,YAAY,CAAC;CAKrC,kBAAkB,YAAY;EAC5B,cAAc,EAAE,GAAG,aAAa;EAChC,SAAS,EAAE,GAAG,QAAQ;EACtB,MAAM;EACN,YAAY,EAAE,QAAQ;EACtB,WAAW,EAAE,QAAQ;EACtB,CAAC,CACC,MAAM,iBAAiB,CAAC,eAAe,CAAC,CACxC,MAAM,sBAAsB,CAAC,gBAAgB,OAAO,CAAC,CACrD,MAAM,YAAY,CAAC,UAAU,CAAC;CAKjC,sBAAsB,YAAY;EAChC,cAAc,EAAE,GAAG,aAAa;EAChC,SAAS,EAAE,GAAG,QAAQ;EACtB,QAAQ;EACR,UAAU,EAAE,QAAQ;EACpB,WAAW,EAAE,QAAQ;EACrB,eAAe,EAAE,SAAS,EAAE,QAAQ,CAAC;EACrC,QAAQ,EAAE,SAAS,EAAE,KAAK,CAAC;EAC5B,CAAC,CACC,MAAM,iBAAiB,CAAC,eAAe,CAAC,CACxC,MAAM,YAAY,CAAC,UAAU,CAAC,CAC9B,MAAM,cAAc,CAAC,YAAY,CAAC,CAClC,MAAM,UAAU,CAAC,SAAS,CAAC;CAK9B,wBAAwB,YAAY;EAClC,cAAc,EAAE,GAAG,aAAa;EAChC,SAAS,EAAE,GAAG,QAAQ;EACtB,cAAc;EACd,YAAY,EAAE,QAAQ;EACtB,QAAQ,EAAE,SAAS,EAAE,GAAG,OAAO,CAAC;EAChC,eAAe,EAAE,SAAS,EAAE,GAAG,QAAQ,CAAC;EACxC,mBAAmB,EAAE,SAAS,EAAE,QAAQ,CAAC;EACzC,QAAQ,EAAE,SAAS,EAAE,SAAS,CAAC;EAC/B,KAAK,EAAE,SAAS,EAAE,KAAK,CAAC;EACzB,CAAC,CACC,MAAM,iBAAiB,CAAC,eAAe,CAAC,CACxC,MAAM,YAAY,CAAC,UAAU,CAAC,CAC9B,MAAM,2CAA2C;EAChD;EACA;EACA;EACD,CAAC,CACD,MAAM,yBAAyB,CAAC,gBAAgB,SAAS,CAAC,CAC1D,MAAM,WAAW,CAAC,SAAS,CAAC,CAC5B,MAAM,mBAAmB,CAAC,gBAAgB,CAAC;CAK9C,sBAAsB,YAAY;EAChC,cAAc,EAAE,GAAG,aAAa;EAChC,SAAS,EAAE,GAAG,QAAQ;EACtB,WAAW,EAAE,QAAQ;EACrB,WAAW;EACX,SAAS,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC/B,aAAa,EAAE,QAAQ;EACvB,WAAW,EAAE,SAAS,EAAE,QAAQ,CAAC;EACjC,QAAQ;EACR,YAAY,EAAE,QAAQ;EACtB,WAAW,EAAE,SAAS,EAAE,QAAQ,CAAC;EACjC,IAAI,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC1B,UAAU,EAAE,SAAS,EAAE,KAAK,CAAC;EAC9B,CAAC,CACC,MAAM,6BAA6B,CAAC,gBAAgB,aAAa,CAAC,CAClE,MAAM,wBAAwB,CAAC,WAAW,aAAa,CAAC,CACxD,MAAM,0BAA0B,CAAC,aAAa,aAAa,CAAC;CAK/D,2BAA2B,YAAY;EACrC,cAAc,EAAE,GAAG,aAAa;EAChC,SAAS,EAAE,GAAG,QAAQ;EACtB,KAAK,EAAE,QAAQ;EACf,QAAQ;EACR,YAAY,EAAE,QAAQ;EACtB,eAAe,EAAE,MAAM,EAAE,QAAQ,CAAC;EAClC,iBAAiB,EAAE,SAAS,EAAE,GAAG,OAAO,CAAC;EACzC,eAAe,EAAE,SAAS,EAAE,QAAQ,CAAC;EACrC,eAAe,EAAE,SAAS,EAAE,QAAQ,CAAC;EACrC,cAAc,EAAE,QAAQ;EACxB,QAAQ,EAAE,SAAS,EAAE,KAAK,CAAC;EAC5B,CAAC,CACC,MAAM,iBAAiB,CAAC,eAAe,CAAC,CACxC,MAAM,YAAY,CAAC,UAAU,CAAC,CAC9B,MAAM,UAAU,CAAC,SAAS,CAAC;CAK9B,2BAA2B,YAAY;EACrC,cAAc,EAAE,GAAG,aAAa;EAChC,YAAY,EAAE,GAAG,4BAA4B;EAC7C,cAAc,EAAE,SAAS,EAAE,GAAG,uBAAuB,CAAC;EACtD,WAAW,EAAE,QAAQ;EACrB,QAAQ;EACR,cAAc,EAAE,QAAQ;EACxB,eAAe,EAAE,QAAQ;EACzB,eAAe,EAAE,SAAS,EAAE,QAAQ,CAAC;EACrC,oBAAoB,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC1C,WAAW,EAAE,SAAS,EAAE,QAAQ,CAAC;EACjC,SAAS,EAAE,KAAK;EACjB,CAAC,CACC,MAAM,iBAAiB,CAAC,eAAe,CAAC,CACxC,MAAM,0BAA0B,CAAC,UAAU,gBAAgB,CAAC,CAC5D,MAAM,sBAAsB,CAAC,cAAc,SAAS,CAAC,CACrD,MAAM,kBAAkB,CAAC,eAAe,CAAC;CAe5C,QAAQ,YAAY;EAClB,QAAQ,EAAE,GAAG,OAAO;EAEpB,QAAQ,EAAE,QAAQ;EAElB,WAAW,EAAE,QAAQ;EAErB,MAAM,EAAE,QAAQ;EAEhB,QAAQ,EAAE,MAAM,aAAa;EAE7B,WAAW,EAAE,SAAS,iBAAiB;EAEvC,gBAAgB,EAAE,SAAS,sBAAsB;EAEjD,WAAW,EAAE,SAAS,EAAE,QAAQ,CAAC;EACjC,YAAY,EAAE,SAAS,EAAE,QAAQ,CAAC;EAClC,WAAW,EAAE,QAAQ;EAErB,SAAS,EAAE,SAAS;EAEpB,UAAU,EAAE,SAAS,EAAE,KAAK,CAAC;EAC9B,CAAC,CACC,MAAM,WAAW,CAAC,SAAS,CAAC,CAC5B,MAAM,cAAc,CAAC,YAAY,CAAC;CACtC,CAAC"}