npm - @robelest/convex-auth - Versions diffs - 0.0.4-preview.2 → 0.0.4-preview.21 - Mend

@robelest/convex-auth 0.0.4-preview.2 → 0.0.4-preview.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (798) hide show

package/README.md +67 -26
package/dist/authorization/index.d.ts +63 -0
package/dist/authorization/index.d.ts.map +1 -0
package/dist/authorization/index.js +63 -0
package/dist/authorization/index.js.map +1 -0
package/dist/bin.js +6185 -0
package/dist/client/core/types.d.ts +20 -0
package/dist/client/core/types.d.ts.map +1 -0
package/dist/client/index.d.ts +2 -299
package/dist/client/index.d.ts.map +1 -1
package/dist/client/index.js +407 -534
package/dist/client/index.js.map +1 -1
package/dist/component/_generated/api.d.ts +42 -0
package/dist/component/_generated/api.d.ts.map +1 -1
package/dist/component/_generated/api.js.map +1 -1
package/dist/component/_generated/component.d.ts +2546 -90
package/dist/component/_generated/component.d.ts.map +1 -1
package/dist/component/client/core/types.d.ts +2 -0
package/dist/component/client/index.d.ts +2 -0
package/dist/component/convex.config.d.ts +2 -2
package/dist/component/functions.d.ts +11 -9
package/dist/component/functions.d.ts.map +1 -1
package/dist/component/functions.js.map +1 -1
package/dist/component/index.d.ts +7 -11
package/dist/component/index.js +2 -3
package/dist/component/model.d.ts +153 -0
package/dist/component/model.d.ts.map +1 -0
package/dist/component/model.js +349 -0
package/dist/component/model.js.map +1 -0
package/dist/component/providers/anonymous.d.ts +54 -0
package/dist/component/providers/anonymous.d.ts.map +1 -0
package/dist/component/providers/credentials.d.ts +5 -5
package/dist/component/providers/credentials.d.ts.map +1 -1
package/dist/component/providers/device.d.ts +67 -0
package/dist/component/providers/device.d.ts.map +1 -0
package/dist/component/providers/email.d.ts +62 -0
package/dist/component/providers/email.d.ts.map +1 -0
package/dist/component/providers/oauth.d.ts.map +1 -1
package/dist/component/providers/oauth.js.map +1 -1
package/dist/component/providers/passkey.d.ts +57 -0
package/dist/component/providers/passkey.d.ts.map +1 -0
package/dist/component/providers/password.d.ts +88 -0
package/dist/component/providers/password.d.ts.map +1 -0
package/dist/component/providers/phone.d.ts +48 -0
package/dist/component/providers/phone.d.ts.map +1 -0
package/dist/component/providers/sso.d.ts +50 -0
package/dist/component/providers/sso.d.ts.map +1 -0
package/dist/component/providers/totp.d.ts +45 -0
package/dist/component/providers/totp.d.ts.map +1 -0
package/dist/component/public/enterprise/audit.d.ts +73 -0
package/dist/component/public/enterprise/audit.d.ts.map +1 -0
package/dist/component/public/enterprise/audit.js +108 -0
package/dist/component/public/enterprise/audit.js.map +1 -0
package/dist/component/public/enterprise/core.d.ts +176 -0
package/dist/component/public/enterprise/core.d.ts.map +1 -0
package/dist/component/public/enterprise/core.js +292 -0
package/dist/component/public/enterprise/core.js.map +1 -0
package/dist/component/public/enterprise/domains.d.ts +174 -0
package/dist/component/public/enterprise/domains.d.ts.map +1 -0
package/dist/component/public/enterprise/domains.js +271 -0
package/dist/component/public/enterprise/domains.js.map +1 -0
package/dist/component/public/enterprise/scim.d.ts +245 -0
package/dist/component/public/enterprise/scim.d.ts.map +1 -0
package/dist/component/public/enterprise/scim.js +344 -0
package/dist/component/public/enterprise/scim.js.map +1 -0
package/dist/component/public/enterprise/secrets.d.ts +78 -0
package/dist/component/public/enterprise/secrets.d.ts.map +1 -0
package/dist/component/public/enterprise/secrets.js +118 -0
package/dist/component/public/enterprise/secrets.js.map +1 -0
package/dist/component/public/enterprise/webhooks.d.ts +211 -0
package/dist/component/public/enterprise/webhooks.d.ts.map +1 -0
package/dist/component/public/enterprise/webhooks.js +300 -0
package/dist/component/public/enterprise/webhooks.js.map +1 -0
package/dist/component/public/factors/devices.d.ts +157 -0
package/dist/component/public/factors/devices.d.ts.map +1 -0
package/dist/component/public/factors/devices.js +216 -0
package/dist/component/public/factors/devices.js.map +1 -0
package/dist/component/public/factors/passkeys.d.ts +175 -0
package/dist/component/public/factors/passkeys.d.ts.map +1 -0
package/dist/component/public/factors/passkeys.js +238 -0
package/dist/component/public/factors/passkeys.js.map +1 -0
package/dist/component/public/factors/totp.d.ts +189 -0
package/dist/component/public/factors/totp.d.ts.map +1 -0
package/dist/component/public/factors/totp.js +254 -0
package/dist/component/public/factors/totp.js.map +1 -0
package/dist/component/public/groups/core.d.ts +137 -0
package/dist/component/public/groups/core.d.ts.map +1 -0
package/dist/component/public/groups/core.js +321 -0
package/dist/component/public/groups/core.js.map +1 -0
package/dist/component/public/groups/invites.d.ts +217 -0
package/dist/component/public/groups/invites.d.ts.map +1 -0
package/dist/component/public/groups/invites.js +457 -0
package/dist/component/public/groups/invites.js.map +1 -0
package/dist/component/public/groups/members.d.ts +204 -0
package/dist/component/public/groups/members.d.ts.map +1 -0
package/dist/component/public/groups/members.js +355 -0
package/dist/component/public/groups/members.js.map +1 -0
package/dist/component/public/identity/accounts.d.ts +147 -0
package/dist/component/public/identity/accounts.d.ts.map +1 -0
package/dist/component/public/identity/accounts.js +200 -0
package/dist/component/public/identity/accounts.js.map +1 -0
package/dist/component/public/identity/codes.d.ts +104 -0
package/dist/component/public/identity/codes.d.ts.map +1 -0
package/dist/component/public/identity/codes.js +140 -0
package/dist/component/public/identity/codes.js.map +1 -0
package/dist/component/public/identity/sessions.d.ts +128 -0
package/dist/component/public/identity/sessions.d.ts.map +1 -0
package/dist/component/public/identity/sessions.js +192 -0
package/dist/component/public/identity/sessions.js.map +1 -0
package/dist/component/public/identity/tokens.d.ts +169 -0
package/dist/component/public/identity/tokens.d.ts.map +1 -0
package/dist/component/public/identity/tokens.js +227 -0
package/dist/component/public/identity/tokens.js.map +1 -0
package/dist/component/public/identity/users.d.ts +212 -0
package/dist/component/public/identity/users.d.ts.map +1 -0
package/dist/component/public/identity/users.js +311 -0
package/dist/component/public/identity/users.js.map +1 -0
package/dist/component/public/identity/verifiers.d.ts +116 -0
package/dist/component/public/identity/verifiers.d.ts.map +1 -0
package/dist/component/public/identity/verifiers.js +154 -0
package/dist/component/public/identity/verifiers.js.map +1 -0
package/dist/component/public/security/keys.d.ts +209 -0
package/dist/component/public/security/keys.d.ts.map +1 -0
package/dist/component/public/security/keys.js +319 -0
package/dist/component/public/security/keys.js.map +1 -0
package/dist/component/public/security/limits.d.ts +114 -0
package/dist/component/public/security/limits.d.ts.map +1 -0
package/dist/component/public/security/limits.js +169 -0
package/dist/component/public/security/limits.js.map +1 -0
package/dist/component/public.d.ts +24 -271
package/dist/component/public.d.ts.map +1 -1
package/dist/component/public.js +21 -1229
package/dist/component/schema.d.ts +473 -110
package/dist/component/schema.js +162 -73
package/dist/component/schema.js.map +1 -1
package/dist/component/server/auth.d.ts +318 -373
package/dist/component/server/auth.d.ts.map +1 -1
package/dist/component/server/auth.js +204 -123
package/dist/component/server/auth.js.map +1 -1
package/dist/component/server/authError.js +34 -0
package/dist/component/server/authError.js.map +1 -0
package/dist/component/server/{providers.js → config.js} +43 -12
package/dist/component/server/config.js.map +1 -0
package/dist/component/server/cookies.js +3 -0
package/dist/component/server/cookies.js.map +1 -1
package/dist/component/server/core.js +713 -0
package/dist/component/server/core.js.map +1 -0
package/dist/component/server/crypto.js +38 -0
package/dist/component/server/crypto.js.map +1 -0
package/dist/component/server/{implementation/db.js → db.js} +2 -1
package/dist/component/server/db.js.map +1 -0
package/dist/component/server/device.js +109 -0
package/dist/component/server/device.js.map +1 -0
package/dist/component/server/enterprise/config.js +46 -0
package/dist/component/server/enterprise/config.js.map +1 -0
package/dist/component/server/enterprise/domain.js +885 -0
package/dist/component/server/enterprise/domain.js.map +1 -0
package/dist/component/server/enterprise/http.js +766 -0
package/dist/component/server/enterprise/http.js.map +1 -0
package/dist/component/server/enterprise/oidc.js +248 -0
package/dist/component/server/enterprise/oidc.js.map +1 -0
package/dist/component/server/enterprise/policy.js +85 -0
package/dist/component/server/enterprise/policy.js.map +1 -0
package/dist/component/server/enterprise/saml.js +338 -0
package/dist/component/server/enterprise/saml.js.map +1 -0
package/dist/component/server/enterprise/scim.js +97 -0
package/dist/component/server/enterprise/scim.js.map +1 -0
package/dist/component/server/enterprise/shared.js +51 -0
package/dist/component/server/enterprise/shared.js.map +1 -0
package/dist/component/server/errors.d.ts +1 -0
package/dist/component/server/errors.js +24 -16
package/dist/component/server/errors.js.map +1 -1
package/dist/component/server/http.js +288 -0
package/dist/component/server/http.js.map +1 -0
package/dist/component/server/identity.js +13 -0
package/dist/component/server/identity.js.map +1 -0
package/dist/{server/implementation → component/server}/keys.js +9 -31
package/dist/component/server/keys.js.map +1 -0
package/dist/component/server/limits.js +61 -0
package/dist/component/server/limits.js.map +1 -0
package/dist/component/server/mutations/account.js +44 -0
package/dist/component/server/mutations/account.js.map +1 -0
package/dist/component/server/{implementation/mutations → mutations}/code.js +7 -4
package/dist/component/server/mutations/code.js.map +1 -0
package/dist/component/server/mutations/invalidate.js +32 -0
package/dist/component/server/mutations/invalidate.js.map +1 -0
package/dist/component/server/mutations/oauth.js +110 -0
package/dist/component/server/mutations/oauth.js.map +1 -0
package/dist/component/server/mutations/refresh.js +119 -0
package/dist/component/server/mutations/refresh.js.map +1 -0
package/dist/component/server/mutations/register.js +83 -0
package/dist/component/server/mutations/register.js.map +1 -0
package/dist/component/server/mutations/retrieve.js +65 -0
package/dist/component/server/mutations/retrieve.js.map +1 -0
package/dist/component/server/mutations/signature.js +32 -0
package/dist/component/server/mutations/signature.js.map +1 -0
package/dist/component/server/{implementation/mutations → mutations}/signin.js +2 -2
package/dist/component/server/mutations/signin.js.map +1 -0
package/dist/component/server/mutations/signout.js +27 -0
package/dist/component/server/mutations/signout.js.map +1 -0
package/dist/component/server/mutations/store/refs.js +15 -0
package/dist/component/server/mutations/store/refs.js.map +1 -0
package/dist/component/server/mutations/store.js +85 -0
package/dist/component/server/mutations/store.js.map +1 -0
package/dist/component/server/mutations/verifier.js +18 -0
package/dist/component/server/mutations/verifier.js.map +1 -0
package/dist/component/server/mutations/verify.js +98 -0
package/dist/component/server/mutations/verify.js.map +1 -0
package/dist/component/server/oauth.js +106 -60
package/dist/component/server/oauth.js.map +1 -1
package/dist/component/server/passkey.js +328 -0
package/dist/component/server/passkey.js.map +1 -0
package/dist/{server/implementation → component/server}/redirects.js +13 -11
package/dist/component/server/redirects.js.map +1 -0
package/dist/component/server/refresh.js +96 -0
package/dist/component/server/refresh.js.map +1 -0
package/dist/component/server/runtime.d.ts +136 -0
package/dist/component/server/runtime.d.ts.map +1 -0
package/dist/component/server/runtime.js +413 -0
package/dist/component/server/runtime.js.map +1 -0
package/dist/{server/implementation → component/server}/sessions.js +14 -8
package/dist/component/server/sessions.js.map +1 -0
package/dist/component/server/signin.js +201 -0
package/dist/component/server/signin.js.map +1 -0
package/dist/component/server/tokens.js +17 -0
package/dist/component/server/tokens.js.map +1 -0
package/dist/component/server/totp.js +148 -0
package/dist/component/server/totp.js.map +1 -0
package/dist/component/server/types.d.ts +387 -298
package/dist/component/server/types.d.ts.map +1 -1
package/dist/component/server/{implementation/types.js → types.js} +1 -1
package/dist/component/server/types.js.map +1 -0
package/dist/component/server/{implementation/users.js → users.js} +54 -35
package/dist/component/server/users.js.map +1 -0
package/dist/component/server/utils.js +110 -4
package/dist/component/server/utils.js.map +1 -1
package/dist/core/types.d.ts +369 -0
package/dist/core/types.d.ts.map +1 -0
package/dist/factors/device.js +105 -0
package/dist/factors/device.js.map +1 -0
package/dist/factors/passkey.js +181 -0
package/dist/factors/passkey.js.map +1 -0
package/dist/factors/totp.js +122 -0
package/dist/factors/totp.js.map +1 -0
package/dist/providers/anonymous.d.ts +3 -9
package/dist/providers/anonymous.d.ts.map +1 -1
package/dist/providers/anonymous.js +1 -18
package/dist/providers/anonymous.js.map +1 -1
package/dist/providers/credentials.d.ts +8 -10
package/dist/providers/credentials.d.ts.map +1 -1
package/dist/providers/credentials.js +3 -5
package/dist/providers/credentials.js.map +1 -1
package/dist/providers/device.d.ts +18 -10
package/dist/providers/device.d.ts.map +1 -1
package/dist/providers/device.js +4 -8
package/dist/providers/device.js.map +1 -1
package/dist/providers/email.d.ts +50 -23
package/dist/providers/email.d.ts.map +1 -1
package/dist/providers/email.js +58 -34
package/dist/providers/email.js.map +1 -1
package/dist/providers/index.d.ts +7 -3
package/dist/providers/index.js +4 -1
package/dist/providers/oauth.d.ts.map +1 -1
package/dist/providers/oauth.js.map +1 -1
package/dist/providers/passkey.d.ts +12 -9
package/dist/providers/passkey.d.ts.map +1 -1
package/dist/providers/passkey.js +1 -7
package/dist/providers/passkey.js.map +1 -1
package/dist/providers/password.d.ts +6 -12
package/dist/providers/password.d.ts.map +1 -1
package/dist/providers/password.js +189 -89
package/dist/providers/password.js.map +1 -1
package/dist/providers/phone.d.ts +40 -11
package/dist/providers/phone.d.ts.map +1 -1
package/dist/providers/phone.js +52 -21
package/dist/providers/phone.js.map +1 -1
package/dist/providers/sso.d.ts +50 -0
package/dist/providers/sso.d.ts.map +1 -0
package/dist/providers/sso.js +34 -0
package/dist/providers/sso.js.map +1 -0
package/dist/providers/totp.d.ts +12 -9
package/dist/providers/totp.d.ts.map +1 -1
package/dist/providers/totp.js +1 -7
package/dist/providers/totp.js.map +1 -1
package/dist/runtime/browser.js +68 -0
package/dist/runtime/browser.js.map +1 -0
package/dist/runtime/invite.js +51 -0
package/dist/runtime/invite.js.map +1 -0
package/dist/runtime/proxy.js +70 -0
package/dist/runtime/proxy.js.map +1 -0
package/dist/runtime/storage.js +37 -0
package/dist/runtime/storage.js.map +1 -0
package/dist/server/auth.d.ts +335 -370
package/dist/server/auth.d.ts.map +1 -1
package/dist/server/auth.js +204 -123
package/dist/server/auth.js.map +1 -1
package/dist/server/authError.d.ts +46 -0
package/dist/server/authError.d.ts.map +1 -0
package/dist/server/authError.js +34 -0
package/dist/server/authError.js.map +1 -0
package/dist/server/config.d.ts +1 -0
package/dist/server/{providers.js → config.js} +43 -12
package/dist/server/config.js.map +1 -0
package/dist/server/cookies.d.ts +1 -38
package/dist/server/cookies.js +3 -0
package/dist/server/cookies.js.map +1 -1
package/dist/server/core.d.ts +1436 -0
package/dist/server/core.d.ts.map +1 -0
package/dist/server/core.js +713 -0
package/dist/server/core.js.map +1 -0
package/dist/server/crypto.d.ts +8 -0
package/dist/server/crypto.d.ts.map +1 -0
package/dist/server/crypto.js +38 -0
package/dist/server/crypto.js.map +1 -0
package/dist/server/db.d.ts +1 -0
package/dist/server/{implementation/db.js → db.js} +2 -1
package/dist/server/db.js.map +1 -0
package/dist/server/device.d.ts +1 -0
package/dist/server/device.js +109 -0
package/dist/server/device.js.map +1 -0
package/dist/server/enterprise/config.d.ts +1 -0
package/dist/server/enterprise/config.js +46 -0
package/dist/server/enterprise/config.js.map +1 -0
package/dist/server/enterprise/domain.d.ts +409 -0
package/dist/server/enterprise/domain.d.ts.map +1 -0
package/dist/server/enterprise/domain.js +885 -0
package/dist/server/enterprise/domain.js.map +1 -0
package/dist/server/enterprise/http.d.ts +26 -0
package/dist/server/enterprise/http.d.ts.map +1 -0
package/dist/server/enterprise/http.js +766 -0
package/dist/server/enterprise/http.js.map +1 -0
package/dist/server/enterprise/oidc.d.ts +1 -0
package/dist/server/enterprise/oidc.js +248 -0
package/dist/server/enterprise/oidc.js.map +1 -0
package/dist/server/enterprise/policy.d.ts +1 -0
package/dist/server/enterprise/policy.js +85 -0
package/dist/server/enterprise/policy.js.map +1 -0
package/dist/server/enterprise/saml.d.ts +1 -0
package/dist/server/enterprise/saml.js +338 -0
package/dist/server/enterprise/saml.js.map +1 -0
package/dist/server/enterprise/scim.d.ts +1 -0
package/dist/server/enterprise/scim.js +97 -0
package/dist/server/enterprise/scim.js.map +1 -0
package/dist/server/enterprise/shared.d.ts +5 -0
package/dist/server/enterprise/shared.d.ts.map +1 -0
package/dist/server/enterprise/shared.js +51 -0
package/dist/server/enterprise/shared.js.map +1 -0
package/dist/server/enterprise/validators.d.ts +1 -0
package/dist/server/enterprise/validators.js +60 -0
package/dist/server/enterprise/validators.js.map +1 -0
package/dist/server/errors.d.ts +33 -1
package/dist/server/errors.d.ts.map +1 -1
package/dist/server/errors.js +44 -1
package/dist/server/errors.js.map +1 -1
package/dist/server/http.d.ts +59 -0
package/dist/server/http.d.ts.map +1 -0
package/dist/server/http.js +288 -0
package/dist/server/http.js.map +1 -0
package/dist/server/identity.d.ts +1 -0
package/dist/server/identity.js +13 -0
package/dist/server/identity.js.map +1 -0
package/dist/server/index.d.ts +4 -182
package/dist/server/index.js +4 -376
package/dist/server/keys.d.ts +1 -0
package/dist/{component/server/implementation → server}/keys.js +9 -31
package/dist/server/keys.js.map +1 -0
package/dist/server/limits.d.ts +1 -0
package/dist/server/limits.js +61 -0
package/dist/server/limits.js.map +1 -0
package/dist/server/mounts.d.ts +647 -0
package/dist/server/mounts.d.ts.map +1 -0
package/dist/server/mounts.js +643 -0
package/dist/server/mounts.js.map +1 -0
package/dist/server/mutations/account.d.ts +30 -0
package/dist/server/mutations/account.d.ts.map +1 -0
package/dist/server/mutations/account.js +44 -0
package/dist/server/mutations/account.js.map +1 -0
package/dist/server/mutations/code.d.ts +30 -0
package/dist/server/mutations/code.d.ts.map +1 -0
package/dist/server/{implementation/mutations → mutations}/code.js +7 -4
package/dist/server/mutations/code.js.map +1 -0
package/dist/server/mutations/index.d.ts +14 -0
package/dist/server/mutations/index.js +15 -0
package/dist/server/mutations/invalidate.d.ts +20 -0
package/dist/server/mutations/invalidate.d.ts.map +1 -0
package/dist/server/mutations/invalidate.js +32 -0
package/dist/server/mutations/invalidate.js.map +1 -0
package/dist/server/mutations/oauth.d.ts +28 -0
package/dist/server/mutations/oauth.d.ts.map +1 -0
package/dist/server/mutations/oauth.js +110 -0
package/dist/server/mutations/oauth.js.map +1 -0
package/dist/server/mutations/refresh.d.ts +21 -0
package/dist/server/mutations/refresh.d.ts.map +1 -0
package/dist/server/mutations/refresh.js +119 -0
package/dist/server/mutations/refresh.js.map +1 -0
package/dist/server/mutations/register.d.ts +38 -0
package/dist/server/mutations/register.d.ts.map +1 -0
package/dist/server/mutations/register.js +83 -0
package/dist/server/mutations/register.js.map +1 -0
package/dist/server/mutations/retrieve.d.ts +33 -0
package/dist/server/mutations/retrieve.d.ts.map +1 -0
package/dist/server/mutations/retrieve.js +65 -0
package/dist/server/mutations/retrieve.js.map +1 -0
package/dist/server/mutations/signature.d.ts +22 -0
package/dist/server/mutations/signature.d.ts.map +1 -0
package/dist/server/mutations/signature.js +32 -0
package/dist/server/mutations/signature.js.map +1 -0
package/dist/server/mutations/signin.d.ts +22 -0
package/dist/server/mutations/signin.d.ts.map +1 -0
package/dist/server/{implementation/mutations → mutations}/signin.js +2 -2
package/dist/server/mutations/signin.js.map +1 -0
package/dist/server/mutations/signout.d.ts +16 -0
package/dist/server/mutations/signout.d.ts.map +1 -0
package/dist/server/mutations/signout.js +27 -0
package/dist/server/mutations/signout.js.map +1 -0
package/dist/server/mutations/store/refs.d.ts +12 -0
package/dist/server/mutations/store/refs.d.ts.map +1 -0
package/dist/server/mutations/store/refs.js +15 -0
package/dist/server/mutations/store/refs.js.map +1 -0
package/dist/server/mutations/store.d.ts +306 -0
package/dist/server/mutations/store.d.ts.map +1 -0
package/dist/server/mutations/store.js +85 -0
package/dist/server/mutations/store.js.map +1 -0
package/dist/server/mutations/verifier.d.ts +13 -0
package/dist/server/mutations/verifier.d.ts.map +1 -0
package/dist/server/mutations/verifier.js +18 -0
package/dist/server/mutations/verifier.js.map +1 -0
package/dist/server/mutations/verify.d.ts +26 -0
package/dist/server/mutations/verify.d.ts.map +1 -0
package/dist/server/mutations/verify.js +98 -0
package/dist/server/mutations/verify.js.map +1 -0
package/dist/server/oauth.d.ts +1 -48
package/dist/server/oauth.js +107 -64
package/dist/server/oauth.js.map +1 -1
package/dist/server/passkey.d.ts +27 -0
package/dist/server/passkey.d.ts.map +1 -0
package/dist/server/passkey.js +328 -0
package/dist/server/passkey.js.map +1 -0
package/dist/server/redirects.d.ts +1 -0
package/dist/{component/server/implementation → server}/redirects.js +13 -11
package/dist/server/redirects.js.map +1 -0
package/dist/server/refresh.d.ts +1 -0
package/dist/server/refresh.js +96 -0
package/dist/server/refresh.js.map +1 -0
package/dist/server/runtime.d.ts +136 -0
package/dist/server/runtime.d.ts.map +1 -0
package/dist/server/runtime.js +413 -0
package/dist/server/runtime.js.map +1 -0
package/dist/server/sessions.d.ts +1 -0
package/dist/{component/server/implementation → server}/sessions.js +14 -8
package/dist/server/sessions.js.map +1 -0
package/dist/server/signin.d.ts +1 -0
package/dist/server/signin.js +201 -0
package/dist/server/signin.js.map +1 -0
package/dist/server/ssr.d.ts +226 -0
package/dist/server/ssr.d.ts.map +1 -0
package/dist/server/ssr.js +786 -0
package/dist/server/ssr.js.map +1 -0
package/dist/server/templates.d.ts +1 -21
package/dist/server/templates.js +2 -1
package/dist/server/templates.js.map +1 -1
package/dist/server/tokens.d.ts +1 -0
package/dist/server/tokens.js +17 -0
package/dist/server/tokens.js.map +1 -0
package/dist/server/totp.d.ts +1 -0
package/dist/server/totp.js +148 -0
package/dist/server/totp.js.map +1 -0
package/dist/server/types.d.ts +498 -306
package/dist/server/types.d.ts.map +1 -1
package/dist/server/types.js +108 -1
package/dist/server/types.js.map +1 -0
package/dist/server/users.d.ts +1 -0
package/dist/server/{implementation/users.js → users.js} +54 -35
package/dist/server/users.js.map +1 -0
package/dist/server/utils.d.ts +1 -6
package/dist/server/utils.js +110 -4
package/dist/server/utils.js.map +1 -1
package/package.json +49 -46
package/src/authorization/index.ts +83 -0
package/src/cli/bin.ts +5 -0
package/src/cli/command.ts +6 -5
package/src/cli/index.ts +456 -248
package/src/cli/keys.ts +3 -0
package/src/client/core/types.ts +437 -0
package/src/client/factors/device.ts +160 -0
package/src/client/factors/passkey.ts +282 -0
package/src/client/factors/totp.ts +150 -0
package/src/client/index.ts +745 -989
package/src/client/runtime/browser.ts +112 -0
package/src/client/runtime/invite.ts +65 -0
package/src/client/runtime/proxy.ts +111 -0
package/src/client/runtime/storage.ts +79 -0
package/src/component/_generated/api.ts +42 -0
package/src/component/_generated/component.ts +3123 -102
package/src/component/functions.ts +38 -22
package/src/component/index.ts +10 -20
package/src/component/model.ts +449 -0
package/src/component/public/enterprise/audit.ts +120 -0
package/src/component/public/enterprise/core.ts +354 -0
package/src/component/public/enterprise/domains.ts +323 -0
package/src/component/public/enterprise/scim.ts +396 -0
package/src/component/public/enterprise/secrets.ts +132 -0
package/src/component/public/enterprise/webhooks.ts +306 -0
package/src/component/public/factors/devices.ts +223 -0
package/src/component/public/factors/passkeys.ts +242 -0
package/src/component/public/factors/totp.ts +258 -0
package/src/component/public/groups/core.ts +481 -0
package/src/component/public/groups/invites.ts +602 -0
package/src/component/public/groups/members.ts +409 -0
package/src/component/public/identity/accounts.ts +206 -0
package/src/component/public/identity/codes.ts +148 -0
package/src/component/public/identity/sessions.ts +209 -0
package/src/component/public/identity/tokens.ts +250 -0
package/src/component/public/identity/users.ts +354 -0
package/src/component/public/identity/verifiers.ts +157 -0
package/src/component/public/security/keys.ts +365 -0
package/src/component/public/security/limits.ts +173 -0
package/src/component/public.ts +26 -1766
package/src/component/schema.ts +273 -100
package/src/providers/anonymous.ts +10 -20
package/src/providers/credentials.ts +14 -22
package/src/providers/device.ts +3 -14
package/src/providers/email.ts +83 -47
package/src/providers/index.ts +7 -0
package/src/providers/oauth.ts +5 -3
package/src/providers/passkey.ts +0 -13
package/src/providers/password.ts +307 -130
package/src/providers/phone.ts +81 -37
package/src/providers/sso.ts +54 -0
package/src/providers/totp.ts +0 -13
package/src/samlify.d.ts +53 -0
package/src/server/auth.ts +701 -247
package/src/server/authError.ts +44 -0
package/src/server/{providers.ts → config.ts} +84 -15
package/src/server/cookies.ts +8 -1
package/src/server/core.ts +2095 -0
package/src/server/crypto.ts +88 -0
package/src/server/{implementation/db.ts → db.ts} +90 -15
package/src/server/device.ts +221 -0
package/src/server/enterprise/config.ts +51 -0
package/src/server/enterprise/domain.ts +1751 -0
package/src/server/enterprise/http.ts +1324 -0
package/src/server/enterprise/oidc.ts +500 -0
package/src/server/enterprise/policy.ts +128 -0
package/src/server/enterprise/saml.ts +578 -0
package/src/server/enterprise/scim.ts +135 -0
package/src/server/enterprise/shared.ts +134 -0
package/src/server/enterprise/validators.ts +93 -0
package/src/server/errors.ts +130 -119
package/src/server/http.ts +531 -0
package/src/server/identity.ts +18 -0
package/src/server/index.ts +32 -650
package/src/server/{implementation/keys.ts → keys.ts} +16 -44
package/src/server/limits.ts +134 -0
package/src/server/mounts.ts +948 -0
package/src/server/mutations/account.ts +76 -0
package/src/server/{implementation/mutations → mutations}/code.ts +22 -11
package/src/server/mutations/index.ts +13 -0
package/src/server/mutations/invalidate.ts +50 -0
package/src/server/mutations/oauth.ts +237 -0
package/src/server/mutations/refresh.ts +298 -0
package/src/server/mutations/register.ts +200 -0
package/src/server/mutations/retrieve.ts +109 -0
package/src/server/mutations/signature.ts +50 -0
package/src/server/{implementation/mutations → mutations}/signin.ts +9 -7
package/src/server/mutations/signout.ts +43 -0
package/src/server/mutations/store/refs.ts +10 -0
package/src/server/mutations/store.ts +138 -0
package/src/server/mutations/verifier.ts +34 -0
package/src/server/mutations/verify.ts +202 -0
package/src/server/oauth.ts +243 -131
package/src/server/passkey.ts +784 -0
package/src/server/{implementation/redirects.ts → redirects.ts} +21 -16
package/src/server/refresh.ts +222 -0
package/src/server/runtime.ts +880 -0
package/src/server/{implementation/sessions.ts → sessions.ts} +33 -25
package/src/server/signin.ts +438 -0
package/src/server/ssr.ts +1764 -0
package/src/server/templates.ts +8 -3
package/src/server/{implementation/tokens.ts → tokens.ts} +11 -5
package/src/server/totp.ts +349 -0
package/src/server/types.ts +972 -207
package/src/server/{implementation/users.ts → users.ts} +129 -75
package/src/server/utils.ts +192 -5
package/src/test.ts +28 -4
package/dist/bin.cjs +0 -27757
package/dist/component/providers/email.js +0 -47
package/dist/component/providers/email.js.map +0 -1
package/dist/component/public.js.map +0 -1
package/dist/component/server/implementation/db.js.map +0 -1
package/dist/component/server/implementation/device.js +0 -135
package/dist/component/server/implementation/device.js.map +0 -1
package/dist/component/server/implementation/index.d.ts +0 -870
package/dist/component/server/implementation/index.d.ts.map +0 -1
package/dist/component/server/implementation/index.js +0 -610
package/dist/component/server/implementation/index.js.map +0 -1
package/dist/component/server/implementation/keys.js.map +0 -1
package/dist/component/server/implementation/mutations/account.js +0 -39
package/dist/component/server/implementation/mutations/account.js.map +0 -1
package/dist/component/server/implementation/mutations/code.js.map +0 -1
package/dist/component/server/implementation/mutations/index.js +0 -70
package/dist/component/server/implementation/mutations/index.js.map +0 -1
package/dist/component/server/implementation/mutations/invalidate.js +0 -29
package/dist/component/server/implementation/mutations/invalidate.js.map +0 -1
package/dist/component/server/implementation/mutations/oauth.js +0 -51
package/dist/component/server/implementation/mutations/oauth.js.map +0 -1
package/dist/component/server/implementation/mutations/refresh.js +0 -85
package/dist/component/server/implementation/mutations/refresh.js.map +0 -1
package/dist/component/server/implementation/mutations/register.js +0 -65
package/dist/component/server/implementation/mutations/register.js.map +0 -1
package/dist/component/server/implementation/mutations/retrieve.js +0 -50
package/dist/component/server/implementation/mutations/retrieve.js.map +0 -1
package/dist/component/server/implementation/mutations/signature.js +0 -27
package/dist/component/server/implementation/mutations/signature.js.map +0 -1
package/dist/component/server/implementation/mutations/signin.js.map +0 -1
package/dist/component/server/implementation/mutations/signout.js +0 -27
package/dist/component/server/implementation/mutations/signout.js.map +0 -1
package/dist/component/server/implementation/mutations/store.js +0 -12
package/dist/component/server/implementation/mutations/store.js.map +0 -1
package/dist/component/server/implementation/mutations/verifier.js +0 -16
package/dist/component/server/implementation/mutations/verifier.js.map +0 -1
package/dist/component/server/implementation/mutations/verify.js +0 -105
package/dist/component/server/implementation/mutations/verify.js.map +0 -1
package/dist/component/server/implementation/passkey.js +0 -307
package/dist/component/server/implementation/passkey.js.map +0 -1
package/dist/component/server/implementation/provider.js +0 -19
package/dist/component/server/implementation/provider.js.map +0 -1
package/dist/component/server/implementation/ratelimit.js +0 -48
package/dist/component/server/implementation/ratelimit.js.map +0 -1
package/dist/component/server/implementation/redirects.js.map +0 -1
package/dist/component/server/implementation/refresh.js +0 -109
package/dist/component/server/implementation/refresh.js.map +0 -1
package/dist/component/server/implementation/sessions.js.map +0 -1
package/dist/component/server/implementation/signin.js +0 -148
package/dist/component/server/implementation/signin.js.map +0 -1
package/dist/component/server/implementation/tokens.js +0 -15
package/dist/component/server/implementation/tokens.js.map +0 -1
package/dist/component/server/implementation/totp.js +0 -142
package/dist/component/server/implementation/totp.js.map +0 -1
package/dist/component/server/implementation/types.d.ts +0 -42
package/dist/component/server/implementation/types.d.ts.map +0 -1
package/dist/component/server/implementation/types.js.map +0 -1
package/dist/component/server/implementation/users.js.map +0 -1
package/dist/component/server/implementation/utils.js +0 -56
package/dist/component/server/implementation/utils.js.map +0 -1
package/dist/component/server/providers.js.map +0 -1
package/dist/component/server/templates.js +0 -84
package/dist/component/server/templates.js.map +0 -1
package/dist/server/cookies.d.ts.map +0 -1
package/dist/server/implementation/db.d.ts +0 -86
package/dist/server/implementation/db.d.ts.map +0 -1
package/dist/server/implementation/db.js.map +0 -1
package/dist/server/implementation/device.d.ts +0 -30
package/dist/server/implementation/device.d.ts.map +0 -1
package/dist/server/implementation/device.js +0 -135
package/dist/server/implementation/device.js.map +0 -1
package/dist/server/implementation/index.d.ts +0 -870
package/dist/server/implementation/index.d.ts.map +0 -1
package/dist/server/implementation/index.js +0 -610
package/dist/server/implementation/index.js.map +0 -1
package/dist/server/implementation/keys.d.ts +0 -66
package/dist/server/implementation/keys.d.ts.map +0 -1
package/dist/server/implementation/keys.js.map +0 -1
package/dist/server/implementation/mutations/account.d.ts +0 -27
package/dist/server/implementation/mutations/account.d.ts.map +0 -1
package/dist/server/implementation/mutations/account.js +0 -39
package/dist/server/implementation/mutations/account.js.map +0 -1
package/dist/server/implementation/mutations/code.d.ts +0 -29
package/dist/server/implementation/mutations/code.d.ts.map +0 -1
package/dist/server/implementation/mutations/code.js.map +0 -1
package/dist/server/implementation/mutations/index.d.ts +0 -310
package/dist/server/implementation/mutations/index.d.ts.map +0 -1
package/dist/server/implementation/mutations/index.js +0 -70
package/dist/server/implementation/mutations/index.js.map +0 -1
package/dist/server/implementation/mutations/invalidate.d.ts +0 -18
package/dist/server/implementation/mutations/invalidate.d.ts.map +0 -1
package/dist/server/implementation/mutations/invalidate.js +0 -29
package/dist/server/implementation/mutations/invalidate.js.map +0 -1
package/dist/server/implementation/mutations/oauth.d.ts +0 -23
package/dist/server/implementation/mutations/oauth.d.ts.map +0 -1
package/dist/server/implementation/mutations/oauth.js +0 -51
package/dist/server/implementation/mutations/oauth.js.map +0 -1
package/dist/server/implementation/mutations/refresh.d.ts +0 -20
package/dist/server/implementation/mutations/refresh.d.ts.map +0 -1
package/dist/server/implementation/mutations/refresh.js +0 -85
package/dist/server/implementation/mutations/refresh.js.map +0 -1
package/dist/server/implementation/mutations/register.d.ts +0 -37
package/dist/server/implementation/mutations/register.d.ts.map +0 -1
package/dist/server/implementation/mutations/register.js +0 -65
package/dist/server/implementation/mutations/register.js.map +0 -1
package/dist/server/implementation/mutations/retrieve.d.ts +0 -31
package/dist/server/implementation/mutations/retrieve.d.ts.map +0 -1
package/dist/server/implementation/mutations/retrieve.js +0 -50
package/dist/server/implementation/mutations/retrieve.js.map +0 -1
package/dist/server/implementation/mutations/signature.d.ts +0 -19
package/dist/server/implementation/mutations/signature.d.ts.map +0 -1
package/dist/server/implementation/mutations/signature.js +0 -27
package/dist/server/implementation/mutations/signature.js.map +0 -1
package/dist/server/implementation/mutations/signin.d.ts +0 -21
package/dist/server/implementation/mutations/signin.d.ts.map +0 -1
package/dist/server/implementation/mutations/signin.js.map +0 -1
package/dist/server/implementation/mutations/signout.d.ts +0 -14
package/dist/server/implementation/mutations/signout.d.ts.map +0 -1
package/dist/server/implementation/mutations/signout.js +0 -27
package/dist/server/implementation/mutations/signout.js.map +0 -1
package/dist/server/implementation/mutations/store.d.ts +0 -11
package/dist/server/implementation/mutations/store.d.ts.map +0 -1
package/dist/server/implementation/mutations/store.js +0 -12
package/dist/server/implementation/mutations/store.js.map +0 -1
package/dist/server/implementation/mutations/verifier.d.ts +0 -11
package/dist/server/implementation/mutations/verifier.d.ts.map +0 -1
package/dist/server/implementation/mutations/verifier.js +0 -16
package/dist/server/implementation/mutations/verifier.js.map +0 -1
package/dist/server/implementation/mutations/verify.d.ts +0 -25
package/dist/server/implementation/mutations/verify.d.ts.map +0 -1
package/dist/server/implementation/mutations/verify.js +0 -105
package/dist/server/implementation/mutations/verify.js.map +0 -1
package/dist/server/implementation/passkey.d.ts +0 -24
package/dist/server/implementation/passkey.d.ts.map +0 -1
package/dist/server/implementation/passkey.js +0 -307
package/dist/server/implementation/passkey.js.map +0 -1
package/dist/server/implementation/provider.d.ts +0 -10
package/dist/server/implementation/provider.d.ts.map +0 -1
package/dist/server/implementation/provider.js +0 -19
package/dist/server/implementation/provider.js.map +0 -1
package/dist/server/implementation/ratelimit.d.ts +0 -10
package/dist/server/implementation/ratelimit.d.ts.map +0 -1
package/dist/server/implementation/ratelimit.js +0 -48
package/dist/server/implementation/ratelimit.js.map +0 -1
package/dist/server/implementation/redirects.d.ts +0 -10
package/dist/server/implementation/redirects.d.ts.map +0 -1
package/dist/server/implementation/redirects.js.map +0 -1
package/dist/server/implementation/refresh.d.ts +0 -37
package/dist/server/implementation/refresh.d.ts.map +0 -1
package/dist/server/implementation/refresh.js +0 -109
package/dist/server/implementation/refresh.js.map +0 -1
package/dist/server/implementation/sessions.d.ts +0 -29
package/dist/server/implementation/sessions.d.ts.map +0 -1
package/dist/server/implementation/sessions.js.map +0 -1
package/dist/server/implementation/signin.d.ts +0 -55
package/dist/server/implementation/signin.d.ts.map +0 -1
package/dist/server/implementation/signin.js +0 -148
package/dist/server/implementation/signin.js.map +0 -1
package/dist/server/implementation/tokens.d.ts +0 -11
package/dist/server/implementation/tokens.d.ts.map +0 -1
package/dist/server/implementation/tokens.js +0 -15
package/dist/server/implementation/tokens.js.map +0 -1
package/dist/server/implementation/totp.d.ts +0 -31
package/dist/server/implementation/totp.d.ts.map +0 -1
package/dist/server/implementation/totp.js +0 -142
package/dist/server/implementation/totp.js.map +0 -1
package/dist/server/implementation/types.d.ts +0 -189
package/dist/server/implementation/types.d.ts.map +0 -1
package/dist/server/implementation/types.js +0 -97
package/dist/server/implementation/types.js.map +0 -1
package/dist/server/implementation/users.d.ts +0 -30
package/dist/server/implementation/users.d.ts.map +0 -1
package/dist/server/implementation/users.js.map +0 -1
package/dist/server/implementation/utils.d.ts +0 -19
package/dist/server/implementation/utils.d.ts.map +0 -1
package/dist/server/implementation/utils.js +0 -56
package/dist/server/implementation/utils.js.map +0 -1
package/dist/server/index.d.ts.map +0 -1
package/dist/server/index.js.map +0 -1
package/dist/server/oauth.d.ts.map +0 -1
package/dist/server/providers.d.ts +0 -72
package/dist/server/providers.d.ts.map +0 -1
package/dist/server/providers.js.map +0 -1
package/dist/server/templates.d.ts.map +0 -1
package/dist/server/utils.d.ts.map +0 -1
package/dist/server/version.d.ts +0 -5
package/dist/server/version.d.ts.map +0 -1
package/dist/server/version.js +0 -6
package/dist/server/version.js.map +0 -1
package/src/cli/utils.ts +0 -248
package/src/server/implementation/device.ts +0 -307
package/src/server/implementation/index.ts +0 -1583
package/src/server/implementation/mutations/account.ts +0 -50
package/src/server/implementation/mutations/index.ts +0 -157
package/src/server/implementation/mutations/invalidate.ts +0 -42
package/src/server/implementation/mutations/oauth.ts +0 -73
package/src/server/implementation/mutations/refresh.ts +0 -175
package/src/server/implementation/mutations/register.ts +0 -100
package/src/server/implementation/mutations/retrieve.ts +0 -79
package/src/server/implementation/mutations/signature.ts +0 -39
package/src/server/implementation/mutations/signout.ts +0 -35
package/src/server/implementation/mutations/store.ts +0 -7
package/src/server/implementation/mutations/verifier.ts +0 -24
package/src/server/implementation/mutations/verify.ts +0 -194
package/src/server/implementation/passkey.ts +0 -620
package/src/server/implementation/provider.ts +0 -36
package/src/server/implementation/ratelimit.ts +0 -79
package/src/server/implementation/refresh.ts +0 -172
package/src/server/implementation/signin.ts +0 -296
package/src/server/implementation/totp.ts +0 -342
package/src/server/implementation/types.ts +0 -444
package/src/server/implementation/utils.ts +0 -91
package/src/server/version.ts +0 -2

package/dist/server/enterprise/domain.js ADDED Viewed

@@ -0,0 +1,885 @@
+import { AuthError } from "../authError.js";
+import { Fx } from "@robelest/fx";
+//#region src/server/enterprise/domain.ts
+/**
+* Build the enterprise and SSO management domain.
+*/
+function createEnterpriseDomain(deps) {
+	const { config, normalizeEnterprisePolicy, normalizeDomain, getEnterpriseSecret, loadEnterpriseOrThrow, validateEnterprisePolicy, recordEnterpriseAuditEvent, emitEnterpriseWebhookDeliveries, enterpriseNotFoundError, ENTERPRISE_OIDC_CLIENT_SECRET_KIND, requireEnv, generateRandomString, INVITE_TOKEN_ALPHABET, sha256, encryptSecret, upsertProtocolConfig, parseSamlIdpMetadata, createServiceProviderMetadata, getSamlServiceProviderOptions, getPublicOidcConfig, withOidcSecretState, getOidcConfig, getEnterpriseOidcUrls, enterpriseOidcProviderId, getPolicyFromEnterprise, patchEnterprisePolicy } = deps;
+	const ENTERPRISE_DOMAIN_VERIFICATION_PREFIX = "_convex-auth-verification";
+	const ENTERPRISE_DOMAIN_VERIFICATION_TTL_MS = 1e3 * 60 * 60 * 24 * 7;
+	const toDomainSummary = (domain) => ({
+		domainId: domain._id,
+		domain: domain.domain,
+		isPrimary: domain.isPrimary,
+		verified: domain.verifiedAt !== void 0,
+		verifiedAt: domain.verifiedAt ?? null
+	});
+	const getDomainVerificationRecordName = (domain) => `${ENTERPRISE_DOMAIN_VERIFICATION_PREFIX}.${normalizeDomain(domain)}`;
+	const parseTxtAnswer = (value) => {
+		const quoted = [...value.matchAll(/"([^"]*)"/g)].map((match) => match[1]);
+		if (quoted.length > 0) return quoted.join("");
+		return value.replace(/^"|"$/g, "").trim();
+	};
+	const resolveTxtValues = async (recordName) => {
+		const url = new URL("https://dns.google/resolve");
+		url.searchParams.set("name", recordName);
+		url.searchParams.set("type", "TXT");
+		const response = await fetch(url, { headers: { accept: "application/json" } });
+		if (!response.ok) throw new Error(`DNS TXT lookup failed with status ${response.status}.`);
+		return ((await response.json()).Answer ?? []).map((answer) => typeof answer.data === "string" ? parseTxtAnswer(answer.data) : null).filter((value) => value !== null && value.length > 0);
+	};
+	return {
+		connection: {
+			create: async (ctx, data) => {
+				return {
+					ok: true,
+					enterpriseId: await ctx.runMutation(config.component.public.enterpriseCreate, {
+						...data,
+						policy: normalizeEnterprisePolicy(data.policy)
+					}),
+					groupId: data.groupId
+				};
+			},
+			get: async (ctx, enterpriseId) => {
+				return await ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId });
+			},
+			getByGroup: async (ctx, groupId) => {
+				return await ctx.runQuery(config.component.public.enterpriseGetByGroup, { groupId });
+			},
+			getByDomain: async (ctx, domain) => {
+				return await ctx.runQuery(config.component.public.enterpriseGetByDomain, { domain: normalizeDomain(domain) });
+			},
+			list: async (ctx, opts) => {
+				return await ctx.runQuery(config.component.public.enterpriseList, {
+					where: opts?.where,
+					limit: opts?.limit,
+					cursor: opts?.cursor,
+					orderBy: opts?.orderBy,
+					order: opts?.order
+				});
+			},
+			update: async (ctx, enterpriseId, data) => {
+				await ctx.runMutation(config.component.public.enterpriseUpdate, {
+					enterpriseId,
+					data
+				});
+				return {
+					ok: true,
+					enterpriseId
+				};
+			},
+			delete: async (ctx, enterpriseId) => {
+				await ctx.runMutation(config.component.public.enterpriseDelete, { enterpriseId });
+				return {
+					ok: true,
+					enterpriseId
+				};
+			},
+			status: async (ctx, enterpriseId) => {
+				const enterprise = await ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId });
+				if (!enterprise) throw new AuthError("INVALID_PARAMETERS", enterpriseNotFoundError).toConvexError();
+				const policy = getPolicyFromEnterprise(enterprise);
+				const protocols = enterprise.config?.protocols ?? {};
+				const oidcConfig = protocols.oidc;
+				const oidcSecret = await getEnterpriseSecret(ctx, enterprise._id, ENTERPRISE_OIDC_CLIENT_SECRET_KIND);
+				const samlConfig = protocols.saml;
+				const scimConfig = await ctx.runQuery(config.component.public.enterpriseScimConfigGetByEnterprise, { enterpriseId });
+				const domains = await ctx.runQuery(config.component.public.enterpriseDomainList, { enterpriseId });
+				const oidcReady = oidcConfig?.enabled === true && typeof oidcConfig?.clientId === "string" && oidcConfig.clientId.length > 0 && oidcSecret !== null && (typeof oidcConfig?.issuer === "string" || typeof oidcConfig?.discoveryUrl === "string");
+				const samlReady = samlConfig?.enabled === true && typeof samlConfig?.idp?.entityId === "string";
+				const scimReady = scimConfig !== null && scimConfig !== void 0 && scimConfig.status === "active";
+				const ready = enterprise.status === "active" && (oidcReady || samlReady);
+				return {
+					enterpriseId: enterprise._id,
+					status: enterprise.status,
+					ready,
+					domainCount: domains.length,
+					protocols: {
+						oidc: {
+							configured: oidcReady,
+							ready: oidcReady,
+							clientId: oidcConfig?.clientId ?? null,
+							issuer: oidcConfig?.issuer ?? oidcConfig?.discoveryUrl ?? null
+						},
+						saml: {
+							configured: samlReady,
+							ready: samlReady,
+							entityId: samlConfig?.idp?.entityId ?? null
+						},
+						scim: {
+							configured: scimReady,
+							ready: scimReady,
+							basePath: scimConfig?.basePath ?? null,
+							deprovisionMode: policy.provisioning.deprovision.mode
+						}
+					}
+				};
+			}
+		},
+		domain: {
+			add: async (ctx, data) => {
+				return await ctx.runMutation(config.component.public.enterpriseDomainAdd, {
+					...data,
+					domain: normalizeDomain(data.domain)
+				});
+			},
+			list: async (ctx, enterpriseId) => {
+				return await ctx.runQuery(config.component.public.enterpriseDomainList, { enterpriseId });
+			},
+			validate: async (ctx, enterpriseId) => {
+				const enterprise = await ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId });
+				if (enterprise === null) throw new AuthError("INVALID_PARAMETERS", enterpriseNotFoundError).toConvexError();
+				const domains = await ctx.runQuery(config.component.public.enterpriseDomainList, { enterpriseId });
+				const primaryDomains = domains.filter((domain) => domain.isPrimary);
+				const verifiedDomains = domains.filter((domain) => domain.verifiedAt !== void 0);
+				const warnings = [];
+				if (domains.length === 0) warnings.push("No domains configured.");
+				if (primaryDomains.length === 0 && domains.length > 0) warnings.push("No primary domain configured.");
+				if (primaryDomains.length > 1) warnings.push("Multiple primary domains configured.");
+				if (verifiedDomains.length === 0 && domains.length > 0) warnings.push("No verified domains yet.");
+				return {
+					enterpriseId,
+					ready: enterprise.status === "active" && domains.length > 0 && primaryDomains.length === 1 && verifiedDomains.length > 0,
+					summary: {
+						domainCount: domains.length,
+						primaryCount: primaryDomains.length,
+						verifiedCount: verifiedDomains.length
+					},
+					domains: domains.map((domain) => toDomainSummary(domain)),
+					warnings
+				};
+			},
+			remove: async (ctx, domainId) => {
+				await ctx.runMutation(config.component.public.enterpriseDomainDelete, { domainId });
+			},
+			verification: {
+				request: async (ctx, args) => {
+					const enterprise = await loadEnterpriseOrThrow(ctx, args.enterpriseId);
+					const normalizedDomain = normalizeDomain(args.domain);
+					const domain = (await ctx.runQuery(config.component.public.enterpriseDomainList, { enterpriseId: enterprise._id })).find((entry) => entry.domain === normalizedDomain);
+					if (!domain) throw new AuthError("INVALID_PARAMETERS", "Domain is not attached to this enterprise.").toConvexError();
+					const requestedAt = Date.now();
+					const expiresAt = requestedAt + ENTERPRISE_DOMAIN_VERIFICATION_TTL_MS;
+					const token = generateRandomString(32, INVITE_TOKEN_ALPHABET);
+					const tokenHash = await sha256(token);
+					const recordName = getDomainVerificationRecordName(normalizedDomain);
+					await ctx.runMutation(config.component.public.enterpriseDomainVerificationUpsert, {
+						enterpriseId: enterprise._id,
+						groupId: enterprise.groupId,
+						domainId: domain._id,
+						domain: normalizedDomain,
+						recordName,
+						token,
+						tokenHash,
+						requestedAt,
+						expiresAt
+					});
+					await recordEnterpriseAuditEvent(ctx, {
+						enterpriseId: enterprise._id,
+						groupId: enterprise.groupId,
+						eventType: "enterprise.domain.verification_requested",
+						actorType: "system",
+						subjectType: "enterprise_domain",
+						subjectId: domain._id,
+						ok: true,
+						metadata: {
+							domain: normalizedDomain,
+							recordName,
+							expiresAt
+						}
+					});
+					return {
+						ok: true,
+						enterpriseId: enterprise._id,
+						domain: normalizedDomain,
+						requestedAt,
+						expiresAt,
+						challenge: {
+							recordType: "TXT",
+							recordName,
+							recordValue: token
+						}
+					};
+				},
+				confirm: async (ctx, args) => {
+					const enterprise = await loadEnterpriseOrThrow(ctx, args.enterpriseId);
+					const normalizedDomain = normalizeDomain(args.domain);
+					const domain = (await ctx.runQuery(config.component.public.enterpriseDomainList, { enterpriseId: enterprise._id })).find((entry) => entry.domain === normalizedDomain);
+					if (!domain) throw new AuthError("INVALID_PARAMETERS", "Domain is not attached to this enterprise.").toConvexError();
+					if (domain.verifiedAt !== void 0) return {
+						ok: true,
+						enterpriseId: enterprise._id,
+						domain: normalizedDomain,
+						verifiedAt: domain.verifiedAt,
+						checks: [{
+							name: "domain_verified",
+							ok: true,
+							message: "Domain is already verified."
+						}]
+					};
+					const verification = await ctx.runQuery(config.component.public.enterpriseDomainVerificationGet, { domainId: domain._id });
+					const checks = [];
+					if (!verification) {
+						checks.push({
+							name: "verification_requested",
+							ok: false,
+							message: "No active domain verification challenge exists."
+						});
+						return {
+							ok: false,
+							enterpriseId: enterprise._id,
+							domain: normalizedDomain,
+							checks
+						};
+					}
+					checks.push({
+						name: "verification_requested",
+						ok: true
+					});
+					if (verification.expiresAt < Date.now()) {
+						await ctx.runMutation(config.component.public.enterpriseDomainVerificationDelete, { domainId: domain._id });
+						checks.push({
+							name: "challenge_active",
+							ok: false,
+							message: "The verification challenge expired. Request a new one."
+						});
+						return {
+							ok: false,
+							enterpriseId: enterprise._id,
+							domain: normalizedDomain,
+							checks
+						};
+					}
+					checks.push({
+						name: "challenge_active",
+						ok: true
+					});
+					let txtValues;
+					try {
+						txtValues = await resolveTxtValues(verification.recordName);
+					} catch (error) {
+						throw new AuthError("INTERNAL_ERROR", error instanceof Error ? error.message : "Failed to resolve DNS TXT records.").toConvexError();
+					}
+					checks.push({
+						name: "dns_record_present",
+						ok: txtValues.length > 0,
+						message: txtValues.length > 0 ? void 0 : `No TXT records found at ${verification.recordName}.`
+					});
+					const matches = txtValues.includes(verification.token);
+					checks.push({
+						name: "dns_record_matches",
+						ok: matches,
+						message: matches ? void 0 : `TXT record at ${verification.recordName} does not match the expected value.`
+					});
+					if (!checks.every((check) => check.ok)) return {
+						ok: false,
+						enterpriseId: enterprise._id,
+						domain: normalizedDomain,
+						checks
+					};
+					const verifiedAt = Date.now();
+					await ctx.runMutation(config.component.public.enterpriseDomainVerify, {
+						domainId: domain._id,
+						verifiedAt
+					});
+					await recordEnterpriseAuditEvent(ctx, {
+						enterpriseId: enterprise._id,
+						groupId: enterprise.groupId,
+						eventType: "enterprise.domain.verified",
+						actorType: "system",
+						subjectType: "enterprise_domain",
+						subjectId: domain._id,
+						ok: true,
+						metadata: {
+							domain: normalizedDomain,
+							verifiedAt
+						}
+					});
+					return {
+						ok: true,
+						enterpriseId: enterprise._id,
+						domain: normalizedDomain,
+						verifiedAt,
+						checks
+					};
+				}
+			}
+		},
+		saml: {
+			configure: async (ctx, data) => {
+				return await Fx.run(Fx.gen(function* () {
+					const enterprise = yield* Fx.from({
+						ok: () => ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId: data.enterpriseId }),
+						err: () => new AuthError("INTERNAL_ERROR", "Failed to load enterprise.")
+					}).pipe(Fx.chain((ent) => ent === null ? Fx.fail(new AuthError("INVALID_PARAMETERS", enterpriseNotFoundError)) : Fx.succeed(ent)));
+					const metadataXml = yield* data.metadataXml ? Fx.succeed(data.metadataXml) : data.metadataUrl ? Fx.defer(() => Fx.from({
+						ok: async () => {
+							const response = await fetch(data.metadataUrl);
+							if (!response.ok) throw new Error(`Failed to fetch SAML metadata: ${response.status}`);
+							return await response.text();
+						},
+						err: (error) => new AuthError("INVALID_PARAMETERS", error instanceof Error ? error.message : "Failed to fetch SAML metadata")
+					})).pipe(Fx.timeout(1e4), Fx.retry(Fx.retry.compose(Fx.retry.jittered(Fx.retry.exponential(200)), Fx.retry.recurs(2))), Fx.recover((error) => Fx.fail(new AuthError("INVALID_PARAMETERS", error instanceof Error ? error.message : "Failed to fetch SAML metadata")))) : Fx.fail(new AuthError("INVALID_PARAMETERS", "SAML registration requires metadataXml or metadataUrl."));
+					const parsed = yield* Fx.from({
+						ok: () => parseSamlIdpMetadata(metadataXml),
+						err: () => new AuthError("INVALID_PARAMETERS", "Failed to parse SAML metadata.")
+					});
+					const baseConfig = upsertProtocolConfig(enterprise.config, "saml", {
+						enabled: true,
+						idp: {
+							metadataXml,
+							...parsed
+						},
+						sp: data.sp,
+						signAuthnRequests: data.signAuthnRequests ?? parsed.wantsSignedAuthnRequests,
+						attributeMapping: data.attributeMapping
+					});
+					const normalizedDomains = data.domains?.map(normalizeDomain);
+					const nextConfig = normalizedDomains ? {
+						...baseConfig,
+						domains: normalizedDomains
+					} : baseConfig;
+					yield* Fx.from({
+						ok: () => ctx.runMutation(config.component.public.enterpriseUpdate, {
+							enterpriseId: enterprise._id,
+							data: {
+								status: "active",
+								config: nextConfig
+							}
+						}),
+						err: () => new AuthError("INTERNAL_ERROR", "Failed to persist SAML registration.")
+					});
+					if (normalizedDomains) for (const [index, domain] of normalizedDomains.entries()) yield* Fx.from({
+						ok: () => ctx.runMutation(config.component.public.enterpriseDomainAdd, {
+							enterpriseId: enterprise._id,
+							groupId: enterprise.groupId,
+							domain,
+							isPrimary: index === 0
+						}),
+						err: () => new AuthError("INTERNAL_ERROR", "Failed to persist enterprise domain.")
+					});
+					yield* Fx.from({
+						ok: () => recordEnterpriseAuditEvent(ctx, {
+							enterpriseId: enterprise._id,
+							groupId: enterprise.groupId,
+							eventType: "enterprise.saml.registered",
+							actorType: "system",
+							subjectType: "enterprise_saml",
+							subjectId: enterprise._id,
+							ok: true,
+							metadata: {
+								metadataUrl: data.metadataUrl,
+								domains: normalizedDomains
+							}
+						}),
+						err: () => new AuthError("INTERNAL_ERROR", "Failed to record SAML registration audit event.")
+					});
+					return {
+						ok: true,
+						enterpriseId: enterprise._id,
+						groupId: enterprise.groupId
+					};
+				}).pipe(Fx.recover((e) => Fx.fatal(e.toConvexError()))));
+			},
+			metadata: async (ctx, opts) => {
+				const enterprise = await ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId: opts.enterpriseId });
+				if (!enterprise) throw new AuthError("INVALID_PARAMETERS", "Enterprise not found.").toConvexError();
+				return createServiceProviderMetadata(getSamlServiceProviderOptions({
+					rootUrl: requireEnv("CONVEX_SITE_URL"),
+					source: {
+						kind: "enterprise",
+						id: enterprise._id
+					},
+					config: enterprise.config,
+					overrides: {
+						entityId: opts.entityId,
+						acsUrl: opts.acsUrl,
+						sloUrl: opts.sloUrl
+					}
+				}));
+			},
+			validate: async (ctx, enterpriseId) => {
+				const checks = [];
+				const enterprise = await ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId });
+				if (!enterprise) return {
+					ok: false,
+					enterpriseId,
+					checks: [{
+						name: "enterprise_exists",
+						ok: false,
+						message: "Enterprise not found."
+					}]
+				};
+				const samlConfig = enterprise.config?.protocols?.saml;
+				const samlConfigured = samlConfig?.enabled === true && typeof samlConfig?.idp?.metadataXml === "string";
+				checks.push({
+					name: "saml_configured",
+					ok: samlConfigured,
+					message: samlConfigured ? void 0 : "SAML is not configured."
+				});
+				const hasIdpMetadata = typeof samlConfig?.idp?.metadataXml === "string" && samlConfig.idp.metadataXml.length > 0;
+				checks.push({
+					name: "idp_metadata_present",
+					ok: hasIdpMetadata,
+					message: hasIdpMetadata ? void 0 : "IdP metadata XML is missing."
+				});
+				const hasEntityId = typeof samlConfig?.idp?.entityId === "string" && samlConfig.idp.entityId.length > 0;
+				checks.push({
+					name: "idp_entity_id",
+					ok: hasEntityId,
+					message: hasEntityId ? void 0 : "IdP entityId could not be parsed from metadata."
+				});
+				let spMetadataOk = false;
+				let spMetadataMessage;
+				if (samlConfigured) try {
+					createServiceProviderMetadata(getSamlServiceProviderOptions({
+						rootUrl: requireEnv("CONVEX_SITE_URL"),
+						source: {
+							kind: "enterprise",
+							id: enterprise._id
+						},
+						config: enterprise.config,
+						overrides: {}
+					}));
+					spMetadataOk = true;
+				} catch (e) {
+					spMetadataMessage = e instanceof Error ? e.message : "SP metadata generation failed.";
+				}
+				else spMetadataMessage = "Skipped — SAML not configured.";
+				checks.push({
+					name: "sp_metadata_generates",
+					ok: spMetadataOk,
+					message: spMetadataMessage
+				});
+				return {
+					ok: checks.every((c) => c.ok),
+					enterpriseId: enterprise._id,
+					checks
+				};
+			}
+		},
+		policy: {
+			get: async (ctx, enterpriseId) => {
+				return getPolicyFromEnterprise(await loadEnterpriseOrThrow(ctx, enterpriseId));
+			},
+			update: async (ctx, enterpriseId, patch) => {
+				const enterprise = await loadEnterpriseOrThrow(ctx, enterpriseId);
+				const policy = patchEnterprisePolicy(enterprise.policy, patch);
+				await ctx.runMutation(config.component.public.enterpriseUpdate, {
+					enterpriseId,
+					data: { policy }
+				});
+				await recordEnterpriseAuditEvent(ctx, {
+					enterpriseId: enterprise._id,
+					groupId: enterprise.groupId,
+					eventType: "enterprise.policy.updated",
+					actorType: "system",
+					subjectType: "enterprise_policy",
+					subjectId: enterprise._id,
+					ok: true,
+					metadata: { version: policy.version }
+				});
+				return policy;
+			},
+			validate: async (ctx, enterpriseId) => {
+				const enterprise = await ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId });
+				if (!enterprise) return {
+					ok: false,
+					enterpriseId,
+					checks: [{
+						name: "enterprise_exists",
+						ok: false,
+						message: enterpriseNotFoundError
+					}]
+				};
+				const policy = getPolicyFromEnterprise(enterprise);
+				const checks = validateEnterprisePolicy(policy);
+				return {
+					ok: checks.every((check) => check.ok),
+					enterpriseId,
+					policy,
+					checks
+				};
+			}
+		},
+		oidc: {
+			configure: async (ctx, data) => {
+				return await Fx.run(Fx.gen(function* () {
+					yield* Fx.guard(data.issuer === void 0 && data.discoveryUrl === void 0, Fx.fail(new AuthError("INVALID_PARAMETERS", "OIDC registration requires issuer or discoveryUrl.")));
+					const enterprise = yield* Fx.from({
+						ok: () => ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId: data.enterpriseId }),
+						err: () => new AuthError("INTERNAL_ERROR", "Failed to load enterprise.")
+					}).pipe(Fx.chain((ent) => ent === null ? Fx.fail(new AuthError("INVALID_PARAMETERS", enterpriseNotFoundError)) : Fx.succeed(ent)));
+					const nextConfig = upsertProtocolConfig(enterprise.config, "oidc", {
+						enabled: true,
+						issuer: data.issuer,
+						discoveryUrl: data.discoveryUrl,
+						clientId: data.clientId,
+						scopes: data.scopes ?? [
+							"openid",
+							"profile",
+							"email"
+						],
+						authorizationParams: data.authorizationParams,
+						clockToleranceSeconds: data.clockToleranceSeconds,
+						strictIssuer: data.strictIssuer,
+						extraFields: data.extraFields
+					});
+					yield* Fx.from({
+						ok: () => ctx.runMutation(config.component.public.enterpriseUpdate, {
+							enterpriseId: data.enterpriseId,
+							data: { config: nextConfig }
+						}),
+						err: () => new AuthError("INTERNAL_ERROR", "Failed to persist OIDC registration.")
+					});
+					if (data.clientSecret !== void 0) {
+						const ciphertext = yield* Fx.from({
+							ok: () => encryptSecret(data.clientSecret),
+							err: () => new AuthError("INTERNAL_ERROR", "Failed to encrypt OIDC client secret.")
+						});
+						yield* Fx.from({
+							ok: () => ctx.runMutation(config.component.public.enterpriseSecretUpsert, {
+								enterpriseId: data.enterpriseId,
+								groupId: enterprise.groupId,
+								kind: ENTERPRISE_OIDC_CLIENT_SECRET_KIND,
+								ciphertext,
+								updatedAt: Date.now()
+							}),
+							err: () => new AuthError("INTERNAL_ERROR", "Failed to persist OIDC client secret.")
+						});
+					}
+					yield* Fx.from({
+						ok: () => recordEnterpriseAuditEvent(ctx, {
+							enterpriseId: data.enterpriseId,
+							groupId: enterprise.groupId,
+							eventType: "enterprise.oidc.registered",
+							actorType: "system",
+							subjectType: "enterprise_oidc",
+							subjectId: data.enterpriseId,
+							ok: true,
+							metadata: {
+								issuer: data.issuer,
+								discoveryUrl: data.discoveryUrl
+							}
+						}),
+						err: () => new AuthError("INTERNAL_ERROR", "Failed to record OIDC registration audit event.")
+					});
+					const secret = yield* Fx.from({
+						ok: () => getEnterpriseSecret(ctx, data.enterpriseId, ENTERPRISE_OIDC_CLIENT_SECRET_KIND),
+						err: () => new AuthError("INTERNAL_ERROR", "Failed to load OIDC secret metadata.")
+					});
+					return withOidcSecretState(getPublicOidcConfig(nextConfig), secret !== null);
+				}).pipe(Fx.recover((e) => Fx.fatal(e.toConvexError()))));
+			},
+			get: async (ctx, enterpriseId) => {
+				return await Fx.run(Fx.from({
+					ok: () => ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId }),
+					err: () => new AuthError("INTERNAL_ERROR", "Failed to load enterprise.")
+				}).pipe(Fx.chain((ent) => ent === null ? Fx.fail(new AuthError("INVALID_PARAMETERS", enterpriseNotFoundError)) : Fx.succeed(ent)), Fx.chain((enterprise) => Fx.from({
+					ok: async () => {
+						const secret = await getEnterpriseSecret(ctx, enterprise._id, ENTERPRISE_OIDC_CLIENT_SECRET_KIND);
+						return withOidcSecretState(getPublicOidcConfig(enterprise.config), secret !== null);
+					},
+					err: () => new AuthError("INTERNAL_ERROR", "Failed to load OIDC secret metadata.")
+				})), Fx.recover((e) => Fx.fatal(e.toConvexError()))));
+			},
+			signIn: async (ctx, data) => {
+				return await Fx.run(Fx.gen(function* () {
+					const enterprise = data.enterpriseId !== void 0 ? yield* Fx.from({
+						ok: () => ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId: data.enterpriseId }),
+						err: () => new AuthError("INTERNAL_ERROR", "Failed to load enterprise.")
+					}).pipe(Fx.chain((ent) => ent === null ? Fx.fail(new AuthError("INVALID_PARAMETERS", enterpriseNotFoundError)) : Fx.succeed(ent))) : data.domain !== void 0 || data.email !== void 0 ? yield* Fx.from({
+						ok: () => ctx.runQuery(config.component.public.enterpriseGetByDomain, { domain: normalizeDomain(data.domain ?? String(data.email).split("@").at(-1) ?? "") }),
+						err: () => new AuthError("INTERNAL_ERROR", "Failed to resolve enterprise by domain.")
+					}).pipe(Fx.chain((result) => result?.enterprise && result.domain?.verifiedAt !== void 0 ? Fx.succeed(result.enterprise) : Fx.fail(new AuthError("INVALID_PARAMETERS", "No enterprise OIDC connection matched the provided input.")))) : yield* Fx.fail(new AuthError("INVALID_PARAMETERS", "No enterprise OIDC connection matched the provided input."));
+					yield* Fx.guard(enterprise.status !== "active", Fx.fail(new AuthError("INVALID_PARAMETERS", "Enterprise connection is not active.")));
+					const oidc = getOidcConfig(enterprise.config);
+					yield* Fx.guard(oidc.enabled !== true, Fx.fail(new AuthError("PROVIDER_NOT_CONFIGURED", "OIDC is not configured for this enterprise.")));
+					const urls = getEnterpriseOidcUrls({
+						rootUrl: requireEnv("CONVEX_SITE_URL"),
+						enterpriseId: enterprise._id
+					});
+					return {
+						enterpriseId: enterprise._id,
+						providerId: enterpriseOidcProviderId(enterprise._id),
+						signInPath: urls.signInUrl,
+						callbackPath: urls.callbackUrl,
+						redirectTo: data.redirectTo
+					};
+				}).pipe(Fx.recover((e) => Fx.fatal(e.toConvexError()))));
+			},
+			validate: async (ctx, enterpriseId) => {
+				const checks = [];
+				const enterprise = await ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId });
+				if (!enterprise) return {
+					ok: false,
+					enterpriseId,
+					checks: [{
+						name: "enterprise_exists",
+						ok: false,
+						message: "Enterprise not found."
+					}]
+				};
+				const oidc = getOidcConfig(enterprise.config);
+				const secret = await getEnterpriseSecret(ctx, enterprise._id, ENTERPRISE_OIDC_CLIENT_SECRET_KIND);
+				const oidcConfigured = oidc.enabled === true && typeof oidc.clientId === "string" && oidc.clientId.length > 0;
+				checks.push({
+					name: "oidc_configured",
+					ok: oidcConfigured,
+					message: oidcConfigured ? void 0 : "OIDC is not configured."
+				});
+				const hasClientId = typeof oidc.clientId === "string" && oidc.clientId.length > 0;
+				checks.push({
+					name: "client_id_present",
+					ok: hasClientId,
+					message: hasClientId ? void 0 : "clientId is missing."
+				});
+				checks.push({
+					name: "client_secret_stored",
+					ok: secret !== null,
+					message: secret !== null ? void 0 : "OIDC client secret is missing."
+				});
+				const discoveryTarget = oidc.discoveryUrl ?? oidc.issuer;
+				const hasDiscovery = typeof discoveryTarget === "string" && discoveryTarget.length > 0;
+				checks.push({
+					name: "issuer_or_discovery_url_present",
+					ok: hasDiscovery,
+					message: hasDiscovery ? void 0 : "issuer or discoveryUrl is missing."
+				});
+				let discoveryOk = false;
+				let discoveryMessage;
+				if (hasDiscovery) {
+					const discoveryUrl = oidc.discoveryUrl?.length ? oidc.discoveryUrl : `${oidc.issuer}/.well-known/openid-configuration`;
+					try {
+						const res = await fetch(discoveryUrl, {
+							headers: { Accept: "application/json" },
+							signal: AbortSignal.timeout(8e3)
+						});
+						if (!res.ok) discoveryMessage = `Discovery endpoint returned ${res.status}.`;
+						else {
+							const json = await res.json();
+							if (typeof json.issuer !== "string") discoveryMessage = "Discovery document is missing issuer field.";
+							else if (typeof json.authorization_endpoint !== "string") discoveryMessage = "Discovery document is missing authorization_endpoint.";
+							else discoveryOk = true;
+						}
+					} catch (e) {
+						discoveryMessage = e instanceof Error ? `Discovery fetch failed: ${e.message}` : "Discovery fetch failed.";
+					}
+				} else discoveryMessage = "Skipped — issuer or discoveryUrl not set.";
+				checks.push({
+					name: "discovery_reachable",
+					ok: discoveryOk,
+					message: discoveryMessage
+				});
+				return {
+					ok: checks.every((c) => c.ok),
+					enterpriseId: enterprise._id,
+					checks
+				};
+			}
+		},
+		scim: {
+			configure: async (ctx, data) => {
+				const enterprise = await ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId: data.enterpriseId });
+				if (enterprise === null) throw new AuthError("INVALID_PARAMETERS", "Enterprise not found.").toConvexError();
+				const rawToken = generateRandomString(48, INVITE_TOKEN_ALPHABET);
+				const tokenHash = await sha256(rawToken);
+				const configId = await ctx.runMutation(config.component.public.enterpriseScimConfigUpsert, {
+					enterpriseId: enterprise._id,
+					groupId: enterprise.groupId,
+					status: data.status ?? "active",
+					basePath: data.basePath ?? `${requireEnv("CONVEX_SITE_URL")}/api/auth/sso/${enterprise._id}/scim/v2`,
+					tokenHash,
+					lastRotatedAt: Date.now()
+				});
+				const auditEventId = await recordEnterpriseAuditEvent(ctx, {
+					enterpriseId: enterprise._id,
+					groupId: enterprise.groupId,
+					eventType: "enterprise.scim.configured",
+					actorType: "system",
+					subjectType: "enterprise_scim",
+					subjectId: configId,
+					ok: true
+				});
+				await emitEnterpriseWebhookDeliveries(ctx, {
+					enterpriseId: enterprise._id,
+					eventType: "enterprise.scim.configured",
+					auditEventId,
+					payload: {
+						enterpriseId: enterprise._id,
+						scimConfigId: configId
+					}
+				});
+				return {
+					ok: true,
+					enterpriseId: enterprise._id,
+					configId,
+					basePath: data.basePath ?? `${requireEnv("CONVEX_SITE_URL")}/api/auth/sso/${enterprise._id}/scim/v2`,
+					token: rawToken
+				};
+			},
+			get: async (ctx, enterpriseId) => {
+				return await ctx.runQuery(config.component.public.enterpriseScimConfigGetByEnterprise, { enterpriseId });
+			},
+			getConfigByToken: async (ctx, token) => {
+				return await ctx.runQuery(config.component.public.enterpriseScimConfigGetByTokenHash, { tokenHash: await sha256(token) });
+			},
+			validate: async (ctx, enterpriseId) => {
+				const checks = [];
+				const enterprise = await ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId });
+				if (!enterprise) return {
+					ok: false,
+					enterpriseId,
+					checks: [{
+						name: "enterprise_exists",
+						ok: false,
+						message: "Enterprise not found."
+					}]
+				};
+				const policy = getPolicyFromEnterprise(enterprise);
+				const scimConfig = await ctx.runQuery(config.component.public.enterpriseScimConfigGetByEnterprise, { enterpriseId });
+				const hasConfig = scimConfig !== null && scimConfig !== void 0;
+				checks.push({
+					name: "scim_config_exists",
+					ok: hasConfig,
+					message: hasConfig ? void 0 : "SCIM has not been configured."
+				});
+				const isActive = hasConfig && scimConfig.status === "active";
+				checks.push({
+					name: "scim_config_active",
+					ok: isActive,
+					message: isActive ? void 0 : `SCIM config status is ${hasConfig ? scimConfig.status : "unknown"}.`
+				});
+				const hasToken = hasConfig && typeof scimConfig.tokenHash === "string" && scimConfig.tokenHash.length > 0;
+				checks.push({
+					name: "token_hash_set",
+					ok: hasToken,
+					message: hasToken ? void 0 : "SCIM bearer token has not been set."
+				});
+				const hasBasePath = hasConfig && typeof scimConfig.basePath === "string" && scimConfig.basePath.length > 0;
+				checks.push({
+					name: "base_path_set",
+					ok: hasBasePath,
+					message: hasBasePath ? void 0 : "SCIM basePath is missing."
+				});
+				return {
+					ok: checks.every((c) => c.ok),
+					enterpriseId: enterprise._id,
+					basePath: hasBasePath ? scimConfig.basePath : null,
+					deprovisionMode: policy.provisioning.deprovision.mode,
+					checks
+				};
+			},
+			identity: {
+				get: async (ctx, data) => {
+					return await ctx.runQuery(config.component.public.enterpriseScimIdentityGet, data);
+				},
+				upsert: async (ctx, data) => {
+					return await ctx.runMutation(config.component.public.enterpriseScimIdentityUpsert, {
+						...data,
+						lastProvisionedAt: Date.now()
+					});
+				}
+			}
+		},
+		audit: {
+			record: async (ctx, data) => {
+				return await recordEnterpriseAuditEvent(ctx, data);
+			},
+			list: async (ctx, data) => {
+				return await ctx.runQuery(config.component.public.enterpriseAuditEventList, data);
+			}
+		},
+		webhook: {
+			endpoint: {
+				get: async (ctx, endpointId) => {
+					return await ctx.runQuery(config.component.public.enterpriseWebhookEndpointGet, { endpointId });
+				},
+				create: async (ctx, data) => {
+					const enterprise = await ctx.runQuery(config.component.public.enterpriseGet, { enterpriseId: data.enterpriseId });
+					if (enterprise === null) throw new AuthError("INVALID_PARAMETERS", "Enterprise not found.").toConvexError();
+					const secretHash = await sha256(data.secret);
+					const endpointId = await ctx.runMutation(config.component.public.enterpriseWebhookEndpointCreate, {
+						enterpriseId: enterprise._id,
+						groupId: enterprise.groupId,
+						url: data.url,
+						secretHash,
+						subscriptions: data.subscriptions,
+						createdByUserId: data.createdByUserId
+					});
+					await recordEnterpriseAuditEvent(ctx, {
+						enterpriseId: enterprise._id,
+						groupId: enterprise.groupId,
+						eventType: "enterprise.webhook.endpoint.created",
+						actorType: data.createdByUserId ? "user" : "system",
+						actorId: data.createdByUserId,
+						subjectType: "enterprise_webhook_endpoint",
+						subjectId: endpointId,
+						ok: true
+					});
+					return {
+						ok: true,
+						endpointId
+					};
+				},
+				list: async (ctx, enterpriseId) => {
+					return await ctx.runQuery(config.component.public.enterpriseWebhookEndpointList, { enterpriseId });
+				},
+				disable: async (ctx, endpointId) => {
+					await ctx.runMutation(config.component.public.enterpriseWebhookEndpointUpdate, {
+						endpointId,
+						data: { status: "disabled" }
+					});
+					return {
+						ok: true,
+						endpointId
+					};
+				}
+			},
+			emit: async (ctx, data) => {
+				await emitEnterpriseWebhookDeliveries(ctx, data);
+			},
+			delivery: {
+				list: async (ctx, data) => {
+					return await ctx.runQuery(config.component.public.enterpriseWebhookDeliveryList, data);
+				},
+				listReady: async (ctx, limit) => {
+					return await ctx.runQuery(config.component.public.enterpriseWebhookDeliveryListReady, {
+						now: Date.now(),
+						limit
+					});
+				},
+				markDelivered: async (ctx, deliveryId, responseStatus) => {
+					await ctx.runMutation(config.component.public.enterpriseWebhookDeliveryPatch, {
+						deliveryId,
+						data: {
+							status: "delivered",
+							attemptCount: 1,
+							lastAttemptAt: Date.now(),
+							lastResponseStatus: responseStatus
+						}
+					});
+				},
+				markFailed: async (ctx, deliveryId, data) => {
+					await ctx.runMutation(config.component.public.enterpriseWebhookDeliveryPatch, {
+						deliveryId,
+						data: {
+							status: data.retryAt ? "pending" : "failed",
+							attemptCount: data.attemptCount,
+							lastAttemptAt: Date.now(),
+							lastResponseStatus: data.responseStatus,
+							lastError: data.error,
+							nextAttemptAt: data.retryAt ?? Date.now()
+						}
+					});
+				}
+			}
+		}
+	};
+}
+//#endregion
+export { createEnterpriseDomain };
+//# sourceMappingURL=domain.js.map