@robelest/convex-auth 0.0.4-preview.2 → 0.0.4-preview.21

package/dist/component/model.js

@@ -0,0 +1,349 @@
+import { v } from "convex/values";
+
+//#region src/component/model.ts
+const TABLES = {
+	User: "User",
+	Session: "Session",
+	Account: "Account",
+	AuthVerifier: "AuthVerifier",
+	VerificationCode: "VerificationCode",
+	RefreshToken: "RefreshToken",
+	Passkey: "Passkey",
+	TotpFactor: "TotpFactor",
+	RateLimit: "RateLimit",
+	Group: "Group",
+	GroupTag: "GroupTag",
+	GroupMember: "GroupMember",
+	GroupInvite: "GroupInvite",
+	Enterprise: "Enterprise",
+	EnterpriseDomain: "EnterpriseDomain",
+	EnterpriseDomainVerification: "EnterpriseDomainVerification",
+	EnterpriseSecret: "EnterpriseSecret",
+	EnterpriseScimConfig: "EnterpriseScimConfig",
+	EnterpriseScimIdentity: "EnterpriseScimIdentity",
+	EnterpriseAuditEvent: "EnterpriseAuditEvent",
+	EnterpriseWebhookEndpoint: "EnterpriseWebhookEndpoint",
+	EnterpriseWebhookDelivery: "EnterpriseWebhookDelivery",
+	ApiKey: "ApiKey",
+	DeviceCode: "DeviceCode"
+};
+const vTag = v.object({
+	key: v.string(),
+	value: v.string()
+});
+const vPaginated = (item) => v.object({
+	items: v.array(item),
+	nextCursor: v.union(v.string(), v.null())
+});
+const vInviteStatus = v.union(v.literal("pending"), v.literal("accepted"), v.literal("revoked"), v.literal("expired"));
+const vDeviceStatus = v.union(v.literal("pending"), v.literal("authorized"), v.literal("denied"));
+const vEnterpriseAccountLinkingPolicy = v.union(v.literal("verifiedEmail"), v.literal("none"));
+const vEnterpriseScimReuseUserPolicy = v.union(v.literal("externalId"), v.literal("none"));
+const vEnterpriseJitProvisioningMode = v.union(v.literal("off"), v.literal("createUser"), v.literal("createUserAndMembership"));
+const vEnterpriseDeprovisionMode = v.union(v.literal("soft"), v.literal("hard"));
+const vEnterpriseStatus = v.union(v.literal("draft"), v.literal("active"), v.literal("disabled"));
+const vEnterprisePolicy = v.object({
+	version: v.literal(1),
+	identity: v.object({ accountLinking: v.object({
+		oidc: vEnterpriseAccountLinkingPolicy,
+		saml: vEnterpriseAccountLinkingPolicy
+	}) }),
+	provisioning: v.object({
+		scimReuse: v.object({ user: vEnterpriseScimReuseUserPolicy }),
+		jit: v.object({
+			mode: vEnterpriseJitProvisioningMode,
+			defaultRole: v.optional(v.string()),
+			defaultRoleIds: v.optional(v.array(v.string()))
+		}),
+		deprovision: v.object({ mode: vEnterpriseDeprovisionMode })
+	}),
+	extend: v.optional(v.any())
+});
+const vScimStatus = v.union(v.literal("draft"), v.literal("active"), v.literal("disabled"));
+const vScimResourceType = v.union(v.literal("user"), v.literal("group"));
+const vAuditActorType = v.union(v.literal("user"), v.literal("system"), v.literal("scim"), v.literal("api_key"), v.literal("webhook"));
+const vAuditStatus = v.union(v.literal("success"), v.literal("failure"));
+const vWebhookEndpointStatus = v.union(v.literal("active"), v.literal("disabled"));
+const vWebhookDeliveryStatus = v.union(v.literal("pending"), v.literal("processing"), v.literal("delivered"), v.literal("failed"));
+const vInviteTokenAcceptStatus = v.union(v.literal("accepted"), v.literal("already_accepted"));
+const vMembershipStatus = v.union(v.literal("joined"), v.literal("already_joined"), v.literal("not_applicable"));
+const vApiKeyScope = v.object({
+	resource: v.string(),
+	actions: v.array(v.string())
+});
+const vApiKeyRateLimit = v.object({
+	maxRequests: v.number(),
+	windowMs: v.number()
+});
+const vApiKeyRateLimitState = v.object({
+	attemptsLeft: v.number(),
+	lastAttemptTime: v.number()
+});
+const vEnterpriseSecretKind = v.union(v.literal("oidc_client_secret"));
+function vDocMeta(tableName) {
+	return {
+		_id: v.id(tableName),
+		_creationTime: v.number()
+	};
+}
+const vUserDoc = v.object({
+	...vDocMeta(TABLES.User),
+	name: v.optional(v.string()),
+	image: v.optional(v.string()),
+	email: v.optional(v.string()),
+	emailVerificationTime: v.optional(v.number()),
+	phone: v.optional(v.string()),
+	phoneVerificationTime: v.optional(v.number()),
+	isAnonymous: v.optional(v.boolean()),
+	extend: v.optional(v.any())
+});
+const vSessionDoc = v.object({
+	...vDocMeta(TABLES.Session),
+	userId: v.id(TABLES.User),
+	expirationTime: v.number()
+});
+const vAccountDoc = v.object({
+	...vDocMeta(TABLES.Account),
+	userId: v.id(TABLES.User),
+	provider: v.string(),
+	providerAccountId: v.string(),
+	secret: v.optional(v.string()),
+	emailVerified: v.optional(v.string()),
+	phoneVerified: v.optional(v.string()),
+	extend: v.optional(v.any())
+});
+const vAuthVerifierDoc = v.object({
+	...vDocMeta(TABLES.AuthVerifier),
+	sessionId: v.optional(v.id(TABLES.Session)),
+	signature: v.optional(v.string())
+});
+const vVerificationCodeDoc = v.object({
+	...vDocMeta(TABLES.VerificationCode),
+	accountId: v.id(TABLES.Account),
+	provider: v.string(),
+	code: v.string(),
+	expirationTime: v.number(),
+	verifier: v.optional(v.string()),
+	emailVerified: v.optional(v.string()),
+	phoneVerified: v.optional(v.string())
+});
+const vRefreshTokenDoc = v.object({
+	...vDocMeta(TABLES.RefreshToken),
+	sessionId: v.id(TABLES.Session),
+	expirationTime: v.number(),
+	firstUsedTime: v.optional(v.number()),
+	parentRefreshTokenId: v.optional(v.id(TABLES.RefreshToken))
+});
+const vPasskeyDoc = v.object({
+	...vDocMeta(TABLES.Passkey),
+	userId: v.id(TABLES.User),
+	credentialId: v.string(),
+	publicKey: v.bytes(),
+	algorithm: v.number(),
+	counter: v.number(),
+	transports: v.optional(v.array(v.string())),
+	deviceType: v.string(),
+	backedUp: v.boolean(),
+	name: v.optional(v.string()),
+	createdAt: v.number(),
+	lastUsedAt: v.optional(v.number())
+});
+const vTotpFactorDoc = v.object({
+	...vDocMeta(TABLES.TotpFactor),
+	userId: v.id(TABLES.User),
+	secret: v.bytes(),
+	digits: v.number(),
+	period: v.number(),
+	verified: v.boolean(),
+	name: v.optional(v.string()),
+	createdAt: v.number(),
+	lastUsedAt: v.optional(v.number())
+});
+const vRateLimitDoc = v.object({
+	...vDocMeta(TABLES.RateLimit),
+	identifier: v.string(),
+	last_attempt_time: v.number(),
+	attempts_left: v.number()
+});
+const vGroupDoc = v.object({
+	...vDocMeta(TABLES.Group),
+	name: v.string(),
+	slug: v.optional(v.string()),
+	type: v.optional(v.string()),
+	parentGroupId: v.optional(v.id(TABLES.Group)),
+	rootGroupId: v.optional(v.id(TABLES.Group)),
+	isRoot: v.optional(v.boolean()),
+	tags: v.optional(v.array(vTag)),
+	extend: v.optional(v.any())
+});
+const vGroupMemberDoc = v.object({
+	...vDocMeta(TABLES.GroupMember),
+	groupId: v.id(TABLES.Group),
+	userId: v.id(TABLES.User),
+	role: v.optional(v.string()),
+	roleIds: v.optional(v.array(v.string())),
+	status: v.optional(v.string()),
+	extend: v.optional(v.any())
+});
+const vGroupInviteDoc = v.object({
+	...vDocMeta(TABLES.GroupInvite),
+	groupId: v.optional(v.id(TABLES.Group)),
+	invitedByUserId: v.optional(v.id(TABLES.User)),
+	email: v.optional(v.string()),
+	tokenHash: v.string(),
+	role: v.optional(v.string()),
+	roleIds: v.optional(v.array(v.string())),
+	status: vInviteStatus,
+	expiresTime: v.optional(v.number()),
+	acceptedByUserId: v.optional(v.id(TABLES.User)),
+	acceptedTime: v.optional(v.number()),
+	extend: v.optional(v.any())
+});
+const vApiKeyDoc = v.object({
+	...vDocMeta(TABLES.ApiKey),
+	userId: v.id(TABLES.User),
+	prefix: v.string(),
+	hashedKey: v.string(),
+	name: v.string(),
+	scopes: v.array(vApiKeyScope),
+	rateLimit: v.optional(vApiKeyRateLimit),
+	rateLimitState: v.optional(vApiKeyRateLimitState),
+	expiresAt: v.optional(v.number()),
+	lastUsedAt: v.optional(v.number()),
+	createdAt: v.number(),
+	revoked: v.boolean(),
+	metadata: v.optional(v.any())
+});
+const vDeviceCodeDoc = v.object({
+	...vDocMeta(TABLES.DeviceCode),
+	deviceCodeHash: v.string(),
+	userCode: v.string(),
+	expiresAt: v.number(),
+	interval: v.number(),
+	status: vDeviceStatus,
+	userId: v.optional(v.id(TABLES.User)),
+	sessionId: v.optional(v.id(TABLES.Session)),
+	lastPolledAt: v.optional(v.number())
+});
+const vEnterpriseDoc = v.object({
+	...vDocMeta(TABLES.Enterprise),
+	groupId: v.id(TABLES.Group),
+	slug: v.optional(v.string()),
+	name: v.optional(v.string()),
+	status: vEnterpriseStatus,
+	policy: v.optional(vEnterprisePolicy),
+	config: v.optional(v.any()),
+	extend: v.optional(v.any())
+});
+const vEnterpriseDomainDoc = v.object({
+	...vDocMeta(TABLES.EnterpriseDomain),
+	enterpriseId: v.id(TABLES.Enterprise),
+	groupId: v.id(TABLES.Group),
+	domain: v.string(),
+	isPrimary: v.boolean(),
+	verifiedAt: v.optional(v.number())
+});
+const vEnterpriseDomainVerificationDoc = v.object({
+	...vDocMeta(TABLES.EnterpriseDomainVerification),
+	enterpriseId: v.id(TABLES.Enterprise),
+	groupId: v.id(TABLES.Group),
+	domainId: v.id(TABLES.EnterpriseDomain),
+	domain: v.string(),
+	recordName: v.string(),
+	token: v.string(),
+	tokenHash: v.string(),
+	requestedAt: v.number(),
+	expiresAt: v.number()
+});
+const vEnterpriseSecretDoc = v.object({
+	...vDocMeta(TABLES.EnterpriseSecret),
+	enterpriseId: v.id(TABLES.Enterprise),
+	groupId: v.id(TABLES.Group),
+	kind: vEnterpriseSecretKind,
+	ciphertext: v.string(),
+	updatedAt: v.number()
+});
+const vEnterpriseScimConfigDoc = v.object({
+	...vDocMeta(TABLES.EnterpriseScimConfig),
+	enterpriseId: v.id(TABLES.Enterprise),
+	groupId: v.id(TABLES.Group),
+	status: vScimStatus,
+	basePath: v.string(),
+	tokenHash: v.string(),
+	lastRotatedAt: v.optional(v.number()),
+	extend: v.optional(v.any())
+});
+const vEnterpriseScimIdentityDoc = v.object({
+	...vDocMeta(TABLES.EnterpriseScimIdentity),
+	enterpriseId: v.id(TABLES.Enterprise),
+	groupId: v.id(TABLES.Group),
+	resourceType: vScimResourceType,
+	externalId: v.string(),
+	userId: v.optional(v.id(TABLES.User)),
+	mappedGroupId: v.optional(v.id(TABLES.Group)),
+	lastProvisionedAt: v.optional(v.number()),
+	active: v.optional(v.boolean()),
+	raw: v.optional(v.any())
+});
+const vEnterpriseAuditEventDoc = v.object({
+	...vDocMeta(TABLES.EnterpriseAuditEvent),
+	enterpriseId: v.id(TABLES.Enterprise),
+	groupId: v.id(TABLES.Group),
+	eventType: v.string(),
+	actorType: vAuditActorType,
+	actorId: v.optional(v.string()),
+	subjectType: v.string(),
+	subjectId: v.optional(v.string()),
+	status: vAuditStatus,
+	occurredAt: v.number(),
+	requestId: v.optional(v.string()),
+	ip: v.optional(v.string()),
+	metadata: v.optional(v.any())
+});
+const vEnterpriseWebhookEndpointDoc = v.object({
+	...vDocMeta(TABLES.EnterpriseWebhookEndpoint),
+	enterpriseId: v.id(TABLES.Enterprise),
+	groupId: v.id(TABLES.Group),
+	url: v.string(),
+	status: vWebhookEndpointStatus,
+	secretHash: v.string(),
+	subscriptions: v.array(v.string()),
+	createdByUserId: v.optional(v.id(TABLES.User)),
+	lastSuccessAt: v.optional(v.number()),
+	lastFailureAt: v.optional(v.number()),
+	failureCount: v.number(),
+	extend: v.optional(v.any())
+});
+const vEnterpriseWebhookDeliveryDoc = v.object({
+	...vDocMeta(TABLES.EnterpriseWebhookDelivery),
+	enterpriseId: v.id(TABLES.Enterprise),
+	endpointId: v.id(TABLES.EnterpriseWebhookEndpoint),
+	auditEventId: v.optional(v.id(TABLES.EnterpriseAuditEvent)),
+	eventType: v.string(),
+	status: vWebhookDeliveryStatus,
+	attemptCount: v.number(),
+	nextAttemptAt: v.number(),
+	lastAttemptAt: v.optional(v.number()),
+	lastResponseStatus: v.optional(v.number()),
+	lastError: v.optional(v.string()),
+	payload: v.any()
+});
+const vRateLimitResult = v.object({
+	...vDocMeta(TABLES.RateLimit),
+	identifier: v.string(),
+	last_attempt_time: v.number(),
+	attempts_left: v.number(),
+	attemptsLeft: v.number(),
+	lastAttemptTime: v.number()
+});
+const vInviteAcceptByTokenResult = v.object({
+	inviteId: v.id(TABLES.GroupInvite),
+	groupId: v.union(v.id(TABLES.Group), v.null()),
+	memberId: v.optional(v.id(TABLES.GroupMember)),
+	inviteStatus: vInviteTokenAcceptStatus,
+	membershipStatus: vMembershipStatus
+});
+
+//#endregion
+export { TABLES, vAccountDoc, vApiKeyDoc, vApiKeyRateLimit, vApiKeyRateLimitState, vApiKeyScope, vAuditActorType, vAuditStatus, vAuthVerifierDoc, vDeviceCodeDoc, vDeviceStatus, vEnterpriseAccountLinkingPolicy, vEnterpriseAuditEventDoc, vEnterpriseDeprovisionMode, vEnterpriseDoc, vEnterpriseDomainDoc, vEnterpriseDomainVerificationDoc, vEnterpriseJitProvisioningMode, vEnterprisePolicy, vEnterpriseScimConfigDoc, vEnterpriseScimIdentityDoc, vEnterpriseScimReuseUserPolicy, vEnterpriseSecretDoc, vEnterpriseSecretKind, vEnterpriseStatus, vEnterpriseWebhookDeliveryDoc, vEnterpriseWebhookEndpointDoc, vGroupDoc, vGroupInviteDoc, vGroupMemberDoc, vInviteAcceptByTokenResult, vInviteStatus, vInviteTokenAcceptStatus, vMembershipStatus, vPaginated, vPasskeyDoc, vRateLimitDoc, vRateLimitResult, vRefreshTokenDoc, vScimResourceType, vScimStatus, vSessionDoc, vTag, vTotpFactorDoc, vUserDoc, vVerificationCodeDoc, vWebhookDeliveryStatus, vWebhookEndpointStatus };
+//# sourceMappingURL=model.js.map

package/dist/component/model.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"model.js","names":[],"sources":["../../src/component/model.ts"],"sourcesContent":["import { v } from \"convex/values\";\n\nexport const TABLES = {\n  User: \"User\",\n  Session: \"Session\",\n  Account: \"Account\",\n  AuthVerifier: \"AuthVerifier\",\n  VerificationCode: \"VerificationCode\",\n  RefreshToken: \"RefreshToken\",\n  Passkey: \"Passkey\",\n  TotpFactor: \"TotpFactor\",\n  RateLimit: \"RateLimit\",\n  Group: \"Group\",\n  GroupTag: \"GroupTag\",\n  GroupMember: \"GroupMember\",\n  GroupInvite: \"GroupInvite\",\n  Enterprise: \"Enterprise\",\n  EnterpriseDomain: \"EnterpriseDomain\",\n  EnterpriseDomainVerification: \"EnterpriseDomainVerification\",\n  EnterpriseSecret: \"EnterpriseSecret\",\n  EnterpriseScimConfig: \"EnterpriseScimConfig\",\n  EnterpriseScimIdentity: \"EnterpriseScimIdentity\",\n  EnterpriseAuditEvent: \"EnterpriseAuditEvent\",\n  EnterpriseWebhookEndpoint: \"EnterpriseWebhookEndpoint\",\n  EnterpriseWebhookDelivery: \"EnterpriseWebhookDelivery\",\n  ApiKey: \"ApiKey\",\n  DeviceCode: \"DeviceCode\",\n} as const;\n\nexport const vTag = v.object({ key: v.string(), value: v.string() });\n\nexport const vPaginated = (item: any) =>\n  v.object({\n    items: v.array(item),\n    nextCursor: v.union(v.string(), v.null()),\n  });\n\nexport const vInviteStatus = v.union(\n  v.literal(\"pending\"),\n  v.literal(\"accepted\"),\n  v.literal(\"revoked\"),\n  v.literal(\"expired\"),\n);\n\nexport const vDeviceStatus = v.union(\n  v.literal(\"pending\"),\n  v.literal(\"authorized\"),\n  v.literal(\"denied\"),\n);\n\nexport const vEnterpriseAccountLinkingPolicy = v.union(\n  v.literal(\"verifiedEmail\"),\n  v.literal(\"none\"),\n);\n\nexport const vEnterpriseScimReuseUserPolicy = v.union(\n  v.literal(\"externalId\"),\n  v.literal(\"none\"),\n);\n\nexport const vEnterpriseJitProvisioningMode = v.union(\n  v.literal(\"off\"),\n  v.literal(\"createUser\"),\n  v.literal(\"createUserAndMembership\"),\n);\n\nexport const vEnterpriseDeprovisionMode = v.union(\n  v.literal(\"soft\"),\n  v.literal(\"hard\"),\n);\n\nexport const vEnterpriseStatus = v.union(\n  v.literal(\"draft\"),\n  v.literal(\"active\"),\n  v.literal(\"disabled\"),\n);\n\nexport const vEnterprisePolicy = v.object({\n  version: v.literal(1),\n  identity: v.object({\n    accountLinking: v.object({\n      oidc: vEnterpriseAccountLinkingPolicy,\n      saml: vEnterpriseAccountLinkingPolicy,\n    }),\n  }),\n  provisioning: v.object({\n    scimReuse: v.object({\n      user: vEnterpriseScimReuseUserPolicy,\n    }),\n    jit: v.object({\n      mode: vEnterpriseJitProvisioningMode,\n      defaultRole: v.optional(v.string()),\n      defaultRoleIds: v.optional(v.array(v.string())),\n    }),\n    deprovision: v.object({\n      mode: vEnterpriseDeprovisionMode,\n    }),\n  }),\n  extend: v.optional(v.any()),\n});\n\nexport const vScimStatus = v.union(\n  v.literal(\"draft\"),\n  v.literal(\"active\"),\n  v.literal(\"disabled\"),\n);\n\nexport const vScimResourceType = v.union(v.literal(\"user\"), v.literal(\"group\"));\n\nexport const vAuditActorType = v.union(\n  v.literal(\"user\"),\n  v.literal(\"system\"),\n  v.literal(\"scim\"),\n  v.literal(\"api_key\"),\n  v.literal(\"webhook\"),\n);\n\nexport const vAuditStatus = v.union(v.literal(\"success\"), v.literal(\"failure\"));\n\nexport const vWebhookEndpointStatus = v.union(\n  v.literal(\"active\"),\n  v.literal(\"disabled\"),\n);\n\nexport const vWebhookDeliveryStatus = v.union(\n  v.literal(\"pending\"),\n  v.literal(\"processing\"),\n  v.literal(\"delivered\"),\n  v.literal(\"failed\"),\n);\n\nexport const vInviteTokenAcceptStatus = v.union(\n  v.literal(\"accepted\"),\n  v.literal(\"already_accepted\"),\n);\n\nexport const vMembershipStatus = v.union(\n  v.literal(\"joined\"),\n  v.literal(\"already_joined\"),\n  v.literal(\"not_applicable\"),\n);\n\nexport const vApiKeyScope = v.object({\n  resource: v.string(),\n  actions: v.array(v.string()),\n});\n\nexport const vApiKeyRateLimit = v.object({\n  maxRequests: v.number(),\n  windowMs: v.number(),\n});\n\nexport const vApiKeyRateLimitState = v.object({\n  attemptsLeft: v.number(),\n  lastAttemptTime: v.number(),\n});\n\nexport const vEnterpriseSecretKind = v.union(v.literal(\"oidc_client_secret\"));\n\nfunction vDocMeta<T extends (typeof TABLES)[keyof typeof TABLES]>(\n  tableName: T,\n) {\n  return {\n    _id: v.id(tableName),\n    _creationTime: v.number(),\n  };\n}\n\nexport const vUserDoc = v.object({\n  ...vDocMeta(TABLES.User),\n  name: v.optional(v.string()),\n  image: v.optional(v.string()),\n  email: v.optional(v.string()),\n  emailVerificationTime: v.optional(v.number()),\n  phone: v.optional(v.string()),\n  phoneVerificationTime: v.optional(v.number()),\n  isAnonymous: v.optional(v.boolean()),\n  extend: v.optional(v.any()),\n});\n\nexport const vSessionDoc = v.object({\n  ...vDocMeta(TABLES.Session),\n  userId: v.id(TABLES.User),\n  expirationTime: v.number(),\n});\n\nexport const vAccountDoc = v.object({\n  ...vDocMeta(TABLES.Account),\n  userId: v.id(TABLES.User),\n  provider: v.string(),\n  providerAccountId: v.string(),\n  secret: v.optional(v.string()),\n  emailVerified: v.optional(v.string()),\n  phoneVerified: v.optional(v.string()),\n  extend: v.optional(v.any()),\n});\n\nexport const vAuthVerifierDoc = v.object({\n  ...vDocMeta(TABLES.AuthVerifier),\n  sessionId: v.optional(v.id(TABLES.Session)),\n  signature: v.optional(v.string()),\n});\n\nexport const vVerificationCodeDoc = v.object({\n  ...vDocMeta(TABLES.VerificationCode),\n  accountId: v.id(TABLES.Account),\n  provider: v.string(),\n  code: v.string(),\n  expirationTime: v.number(),\n  verifier: v.optional(v.string()),\n  emailVerified: v.optional(v.string()),\n  phoneVerified: v.optional(v.string()),\n});\n\nexport const vRefreshTokenDoc = v.object({\n  ...vDocMeta(TABLES.RefreshToken),\n  sessionId: v.id(TABLES.Session),\n  expirationTime: v.number(),\n  firstUsedTime: v.optional(v.number()),\n  parentRefreshTokenId: v.optional(v.id(TABLES.RefreshToken)),\n});\n\nexport const vPasskeyDoc = v.object({\n  ...vDocMeta(TABLES.Passkey),\n  userId: v.id(TABLES.User),\n  credentialId: v.string(),\n  publicKey: v.bytes(),\n  algorithm: v.number(),\n  counter: v.number(),\n  transports: v.optional(v.array(v.string())),\n  deviceType: v.string(),\n  backedUp: v.boolean(),\n  name: v.optional(v.string()),\n  createdAt: v.number(),\n  lastUsedAt: v.optional(v.number()),\n});\n\nexport const vTotpFactorDoc = v.object({\n  ...vDocMeta(TABLES.TotpFactor),\n  userId: v.id(TABLES.User),\n  secret: v.bytes(),\n  digits: v.number(),\n  period: v.number(),\n  verified: v.boolean(),\n  name: v.optional(v.string()),\n  createdAt: v.number(),\n  lastUsedAt: v.optional(v.number()),\n});\n\nexport const vRateLimitDoc = v.object({\n  ...vDocMeta(TABLES.RateLimit),\n  identifier: v.string(),\n  last_attempt_time: v.number(),\n  attempts_left: v.number(),\n});\n\nexport const vGroupDoc = v.object({\n  ...vDocMeta(TABLES.Group),\n  name: v.string(),\n  slug: v.optional(v.string()),\n  type: v.optional(v.string()),\n  parentGroupId: v.optional(v.id(TABLES.Group)),\n  rootGroupId: v.optional(v.id(TABLES.Group)),\n  isRoot: v.optional(v.boolean()),\n  tags: v.optional(v.array(vTag)),\n  extend: v.optional(v.any()),\n});\n\nexport const vGroupMemberDoc = v.object({\n  ...vDocMeta(TABLES.GroupMember),\n  groupId: v.id(TABLES.Group),\n  userId: v.id(TABLES.User),\n  role: v.optional(v.string()),\n  roleIds: v.optional(v.array(v.string())),\n  status: v.optional(v.string()),\n  extend: v.optional(v.any()),\n});\n\nexport const vGroupInviteDoc = v.object({\n  ...vDocMeta(TABLES.GroupInvite),\n  groupId: v.optional(v.id(TABLES.Group)),\n  invitedByUserId: v.optional(v.id(TABLES.User)),\n  email: v.optional(v.string()),\n  tokenHash: v.string(),\n  role: v.optional(v.string()),\n  roleIds: v.optional(v.array(v.string())),\n  status: vInviteStatus,\n  expiresTime: v.optional(v.number()),\n  acceptedByUserId: v.optional(v.id(TABLES.User)),\n  acceptedTime: v.optional(v.number()),\n  extend: v.optional(v.any()),\n});\n\nexport const vApiKeyDoc = v.object({\n  ...vDocMeta(TABLES.ApiKey),\n  userId: v.id(TABLES.User),\n  prefix: v.string(),\n  hashedKey: v.string(),\n  name: v.string(),\n  scopes: v.array(vApiKeyScope),\n  rateLimit: v.optional(vApiKeyRateLimit),\n  rateLimitState: v.optional(vApiKeyRateLimitState),\n  expiresAt: v.optional(v.number()),\n  lastUsedAt: v.optional(v.number()),\n  createdAt: v.number(),\n  revoked: v.boolean(),\n  metadata: v.optional(v.any()),\n});\n\nexport const vDeviceCodeDoc = v.object({\n  ...vDocMeta(TABLES.DeviceCode),\n  deviceCodeHash: v.string(),\n  userCode: v.string(),\n  expiresAt: v.number(),\n  interval: v.number(),\n  status: vDeviceStatus,\n  userId: v.optional(v.id(TABLES.User)),\n  sessionId: v.optional(v.id(TABLES.Session)),\n  lastPolledAt: v.optional(v.number()),\n});\n\nexport const vEnterpriseDoc = v.object({\n  ...vDocMeta(TABLES.Enterprise),\n  groupId: v.id(TABLES.Group),\n  slug: v.optional(v.string()),\n  name: v.optional(v.string()),\n  status: vEnterpriseStatus,\n  policy: v.optional(vEnterprisePolicy),\n  config: v.optional(v.any()),\n  extend: v.optional(v.any()),\n});\n\nexport const vEnterpriseDomainDoc = v.object({\n  ...vDocMeta(TABLES.EnterpriseDomain),\n  enterpriseId: v.id(TABLES.Enterprise),\n  groupId: v.id(TABLES.Group),\n  domain: v.string(),\n  isPrimary: v.boolean(),\n  verifiedAt: v.optional(v.number()),\n});\n\nexport const vEnterpriseDomainVerificationDoc = v.object({\n  ...vDocMeta(TABLES.EnterpriseDomainVerification),\n  enterpriseId: v.id(TABLES.Enterprise),\n  groupId: v.id(TABLES.Group),\n  domainId: v.id(TABLES.EnterpriseDomain),\n  domain: v.string(),\n  recordName: v.string(),\n  token: v.string(),\n  tokenHash: v.string(),\n  requestedAt: v.number(),\n  expiresAt: v.number(),\n});\n\nexport const vEnterpriseSecretDoc = v.object({\n  ...vDocMeta(TABLES.EnterpriseSecret),\n  enterpriseId: v.id(TABLES.Enterprise),\n  groupId: v.id(TABLES.Group),\n  kind: vEnterpriseSecretKind,\n  ciphertext: v.string(),\n  updatedAt: v.number(),\n});\n\nexport const vEnterpriseScimConfigDoc = v.object({\n  ...vDocMeta(TABLES.EnterpriseScimConfig),\n  enterpriseId: v.id(TABLES.Enterprise),\n  groupId: v.id(TABLES.Group),\n  status: vScimStatus,\n  basePath: v.string(),\n  tokenHash: v.string(),\n  lastRotatedAt: v.optional(v.number()),\n  extend: v.optional(v.any()),\n});\n\nexport const vEnterpriseScimIdentityDoc = v.object({\n  ...vDocMeta(TABLES.EnterpriseScimIdentity),\n  enterpriseId: v.id(TABLES.Enterprise),\n  groupId: v.id(TABLES.Group),\n  resourceType: vScimResourceType,\n  externalId: v.string(),\n  userId: v.optional(v.id(TABLES.User)),\n  mappedGroupId: v.optional(v.id(TABLES.Group)),\n  lastProvisionedAt: v.optional(v.number()),\n  active: v.optional(v.boolean()),\n  raw: v.optional(v.any()),\n});\n\nexport const vEnterpriseAuditEventDoc = v.object({\n  ...vDocMeta(TABLES.EnterpriseAuditEvent),\n  enterpriseId: v.id(TABLES.Enterprise),\n  groupId: v.id(TABLES.Group),\n  eventType: v.string(),\n  actorType: vAuditActorType,\n  actorId: v.optional(v.string()),\n  subjectType: v.string(),\n  subjectId: v.optional(v.string()),\n  status: vAuditStatus,\n  occurredAt: v.number(),\n  requestId: v.optional(v.string()),\n  ip: v.optional(v.string()),\n  metadata: v.optional(v.any()),\n});\n\nexport const vEnterpriseWebhookEndpointDoc = v.object({\n  ...vDocMeta(TABLES.EnterpriseWebhookEndpoint),\n  enterpriseId: v.id(TABLES.Enterprise),\n  groupId: v.id(TABLES.Group),\n  url: v.string(),\n  status: vWebhookEndpointStatus,\n  secretHash: v.string(),\n  subscriptions: v.array(v.string()),\n  createdByUserId: v.optional(v.id(TABLES.User)),\n  lastSuccessAt: v.optional(v.number()),\n  lastFailureAt: v.optional(v.number()),\n  failureCount: v.number(),\n  extend: v.optional(v.any()),\n});\n\nexport const vEnterpriseWebhookDeliveryDoc = v.object({\n  ...vDocMeta(TABLES.EnterpriseWebhookDelivery),\n  enterpriseId: v.id(TABLES.Enterprise),\n  endpointId: v.id(TABLES.EnterpriseWebhookEndpoint),\n  auditEventId: v.optional(v.id(TABLES.EnterpriseAuditEvent)),\n  eventType: v.string(),\n  status: vWebhookDeliveryStatus,\n  attemptCount: v.number(),\n  nextAttemptAt: v.number(),\n  lastAttemptAt: v.optional(v.number()),\n  lastResponseStatus: v.optional(v.number()),\n  lastError: v.optional(v.string()),\n  payload: v.any(),\n});\n\nexport const vRateLimitResult = v.object({\n  ...vDocMeta(TABLES.RateLimit),\n  identifier: v.string(),\n  last_attempt_time: v.number(),\n  attempts_left: v.number(),\n  attemptsLeft: v.number(),\n  lastAttemptTime: v.number(),\n});\n\nexport const vInviteAcceptByTokenResult = v.object({\n  inviteId: v.id(TABLES.GroupInvite),\n  groupId: v.union(v.id(TABLES.Group), v.null()),\n  memberId: v.optional(v.id(TABLES.GroupMember)),\n  inviteStatus: vInviteTokenAcceptStatus,\n  membershipStatus: vMembershipStatus,\n});\n"],"mappings":";;;AAEA,MAAa,SAAS;CACpB,MAAM;CACN,SAAS;CACT,SAAS;CACT,cAAc;CACd,kBAAkB;CAClB,cAAc;CACd,SAAS;CACT,YAAY;CACZ,WAAW;CACX,OAAO;CACP,UAAU;CACV,aAAa;CACb,aAAa;CACb,YAAY;CACZ,kBAAkB;CAClB,8BAA8B;CAC9B,kBAAkB;CAClB,sBAAsB;CACtB,wBAAwB;CACxB,sBAAsB;CACtB,2BAA2B;CAC3B,2BAA2B;CAC3B,QAAQ;CACR,YAAY;CACb;AAED,MAAa,OAAO,EAAE,OAAO;CAAE,KAAK,EAAE,QAAQ;CAAE,OAAO,EAAE,QAAQ;CAAE,CAAC;AAEpE,MAAa,cAAc,SACzB,EAAE,OAAO;CACP,OAAO,EAAE,MAAM,KAAK;CACpB,YAAY,EAAE,MAAM,EAAE,QAAQ,EAAE,EAAE,MAAM,CAAC;CAC1C,CAAC;AAEJ,MAAa,gBAAgB,EAAE,MAC7B,EAAE,QAAQ,UAAU,EACpB,EAAE,QAAQ,WAAW,EACrB,EAAE,QAAQ,UAAU,EACpB,EAAE,QAAQ,UAAU,CACrB;AAED,MAAa,gBAAgB,EAAE,MAC7B,EAAE,QAAQ,UAAU,EACpB,EAAE,QAAQ,aAAa,EACvB,EAAE,QAAQ,SAAS,CACpB;AAED,MAAa,kCAAkC,EAAE,MAC/C,EAAE,QAAQ,gBAAgB,EAC1B,EAAE,QAAQ,OAAO,CAClB;AAED,MAAa,iCAAiC,EAAE,MAC9C,EAAE,QAAQ,aAAa,EACvB,EAAE,QAAQ,OAAO,CAClB;AAED,MAAa,iCAAiC,EAAE,MAC9C,EAAE,QAAQ,MAAM,EAChB,EAAE,QAAQ,aAAa,EACvB,EAAE,QAAQ,0BAA0B,CACrC;AAED,MAAa,6BAA6B,EAAE,MAC1C,EAAE,QAAQ,OAAO,EACjB,EAAE,QAAQ,OAAO,CAClB;AAED,MAAa,oBAAoB,EAAE,MACjC,EAAE,QAAQ,QAAQ,EAClB,EAAE,QAAQ,SAAS,EACnB,EAAE,QAAQ,WAAW,CACtB;AAED,MAAa,oBAAoB,EAAE,OAAO;CACxC,SAAS,EAAE,QAAQ,EAAE;CACrB,UAAU,EAAE,OAAO,EACjB,gBAAgB,EAAE,OAAO;EACvB,MAAM;EACN,MAAM;EACP,CAAC,EACH,CAAC;CACF,cAAc,EAAE,OAAO;EACrB,WAAW,EAAE,OAAO,EAClB,MAAM,gCACP,CAAC;EACF,KAAK,EAAE,OAAO;GACZ,MAAM;GACN,aAAa,EAAE,SAAS,EAAE,QAAQ,CAAC;GACnC,gBAAgB,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;GAChD,CAAC;EACF,aAAa,EAAE,OAAO,EACpB,MAAM,4BACP,CAAC;EACH,CAAC;CACF,QAAQ,EAAE,SAAS,EAAE,KAAK,CAAC;CAC5B,CAAC;AAEF,MAAa,cAAc,EAAE,MAC3B,EAAE,QAAQ,QAAQ,EAClB,EAAE,QAAQ,SAAS,EACnB,EAAE,QAAQ,WAAW,CACtB;AAED,MAAa,oBAAoB,EAAE,MAAM,EAAE,QAAQ,OAAO,EAAE,EAAE,QAAQ,QAAQ,CAAC;AAE/E,MAAa,kBAAkB,EAAE,MAC/B,EAAE,QAAQ,OAAO,EACjB,EAAE,QAAQ,SAAS,EACnB,EAAE,QAAQ,OAAO,EACjB,EAAE,QAAQ,UAAU,EACpB,EAAE,QAAQ,UAAU,CACrB;AAED,MAAa,eAAe,EAAE,MAAM,EAAE,QAAQ,UAAU,EAAE,EAAE,QAAQ,UAAU,CAAC;AAE/E,MAAa,yBAAyB,EAAE,MACtC,EAAE,QAAQ,SAAS,EACnB,EAAE,QAAQ,WAAW,CACtB;AAED,MAAa,yBAAyB,EAAE,MACtC,EAAE,QAAQ,UAAU,EACpB,EAAE,QAAQ,aAAa,EACvB,EAAE,QAAQ,YAAY,EACtB,EAAE,QAAQ,SAAS,CACpB;AAED,MAAa,2BAA2B,EAAE,MACxC,EAAE,QAAQ,WAAW,EACrB,EAAE,QAAQ,mBAAmB,CAC9B;AAED,MAAa,oBAAoB,EAAE,MACjC,EAAE,QAAQ,SAAS,EACnB,EAAE,QAAQ,iBAAiB,EAC3B,EAAE,QAAQ,iBAAiB,CAC5B;AAED,MAAa,eAAe,EAAE,OAAO;CACnC,UAAU,EAAE,QAAQ;CACpB,SAAS,EAAE,MAAM,EAAE,QAAQ,CAAC;CAC7B,CAAC;AAEF,MAAa,mBAAmB,EAAE,OAAO;CACvC,aAAa,EAAE,QAAQ;CACvB,UAAU,EAAE,QAAQ;CACrB,CAAC;AAEF,MAAa,wBAAwB,EAAE,OAAO;CAC5C,cAAc,EAAE,QAAQ;CACxB,iBAAiB,EAAE,QAAQ;CAC5B,CAAC;AAEF,MAAa,wBAAwB,EAAE,MAAM,EAAE,QAAQ,qBAAqB,CAAC;AAE7E,SAAS,SACP,WACA;AACA,QAAO;EACL,KAAK,EAAE,GAAG,UAAU;EACpB,eAAe,EAAE,QAAQ;EAC1B;;AAGH,MAAa,WAAW,EAAE,OAAO;CAC/B,GAAG,SAAS,OAAO,KAAK;CACxB,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;CAC5B,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC;CAC7B,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC;CAC7B,uBAAuB,EAAE,SAAS,EAAE,QAAQ,CAAC;CAC7C,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC;CAC7B,uBAAuB,EAAE,SAAS,EAAE,QAAQ,CAAC;CAC7C,aAAa,EAAE,SAAS,EAAE,SAAS,CAAC;CACpC,QAAQ,EAAE,SAAS,EAAE,KAAK,CAAC;CAC5B,CAAC;AAEF,MAAa,cAAc,EAAE,OAAO;CAClC,GAAG,SAAS,OAAO,QAAQ;CAC3B,QAAQ,EAAE,GAAG,OAAO,KAAK;CACzB,gBAAgB,EAAE,QAAQ;CAC3B,CAAC;AAEF,MAAa,cAAc,EAAE,OAAO;CAClC,GAAG,SAAS,OAAO,QAAQ;CAC3B,QAAQ,EAAE,GAAG,OAAO,KAAK;CACzB,UAAU,EAAE,QAAQ;CACpB,mBAAmB,EAAE,QAAQ;CAC7B,QAAQ,EAAE,SAAS,EAAE,QAAQ,CAAC;CAC9B,eAAe,EAAE,SAAS,EAAE,QAAQ,CAAC;CACrC,eAAe,EAAE,SAAS,EAAE,QAAQ,CAAC;CACrC,QAAQ,EAAE,SAAS,EAAE,KAAK,CAAC;CAC5B,CAAC;AAEF,MAAa,mBAAmB,EAAE,OAAO;CACvC,GAAG,SAAS,OAAO,aAAa;CAChC,WAAW,EAAE,SAAS,EAAE,GAAG,OAAO,QAAQ,CAAC;CAC3C,WAAW,EAAE,SAAS,EAAE,QAAQ,CAAC;CAClC,CAAC;AAEF,MAAa,uBAAuB,EAAE,OAAO;CAC3C,GAAG,SAAS,OAAO,iBAAiB;CACpC,WAAW,EAAE,GAAG,OAAO,QAAQ;CAC/B,UAAU,EAAE,QAAQ;CACpB,MAAM,EAAE,QAAQ;CAChB,gBAAgB,EAAE,QAAQ;CAC1B,UAAU,EAAE,SAAS,EAAE,QAAQ,CAAC;CAChC,eAAe,EAAE,SAAS,EAAE,QAAQ,CAAC;CACrC,eAAe,EAAE,SAAS,EAAE,QAAQ,CAAC;CACtC,CAAC;AAEF,MAAa,mBAAmB,EAAE,OAAO;CACvC,GAAG,SAAS,OAAO,aAAa;CAChC,WAAW,EAAE,GAAG,OAAO,QAAQ;CAC/B,gBAAgB,EAAE,QAAQ;CAC1B,eAAe,EAAE,SAAS,EAAE,QAAQ,CAAC;CACrC,sBAAsB,EAAE,SAAS,EAAE,GAAG,OAAO,aAAa,CAAC;CAC5D,CAAC;AAEF,MAAa,cAAc,EAAE,OAAO;CAClC,GAAG,SAAS,OAAO,QAAQ;CAC3B,QAAQ,EAAE,GAAG,OAAO,KAAK;CACzB,cAAc,EAAE,QAAQ;CACxB,WAAW,EAAE,OAAO;CACpB,WAAW,EAAE,QAAQ;CACrB,SAAS,EAAE,QAAQ;CACnB,YAAY,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;CAC3C,YAAY,EAAE,QAAQ;CACtB,UAAU,EAAE,SAAS;CACrB,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;CAC5B,WAAW,EAAE,QAAQ;CACrB,YAAY,EAAE,SAAS,EAAE,QAAQ,CAAC;CACnC,CAAC;AAEF,MAAa,iBAAiB,EAAE,OAAO;CACrC,GAAG,SAAS,OAAO,WAAW;CAC9B,QAAQ,EAAE,GAAG,OAAO,KAAK;CACzB,QAAQ,EAAE,OAAO;CACjB,QAAQ,EAAE,QAAQ;CAClB,QAAQ,EAAE,QAAQ;CAClB,UAAU,EAAE,SAAS;CACrB,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;CAC5B,WAAW,EAAE,QAAQ;CACrB,YAAY,EAAE,SAAS,EAAE,QAAQ,CAAC;CACnC,CAAC;AAEF,MAAa,gBAAgB,EAAE,OAAO;CACpC,GAAG,SAAS,OAAO,UAAU;CAC7B,YAAY,EAAE,QAAQ;CACtB,mBAAmB,EAAE,QAAQ;CAC7B,eAAe,EAAE,QAAQ;CAC1B,CAAC;AAEF,MAAa,YAAY,EAAE,OAAO;CAChC,GAAG,SAAS,OAAO,MAAM;CACzB,MAAM,EAAE,QAAQ;CAChB,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;CAC5B,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;CAC5B,eAAe,EAAE,SAAS,EAAE,GAAG,OAAO,MAAM,CAAC;CAC7C,aAAa,EAAE,SAAS,EAAE,GAAG,OAAO,MAAM,CAAC;CAC3C,QAAQ,EAAE,SAAS,EAAE,SAAS,CAAC;CAC/B,MAAM,EAAE,SAAS,EAAE,MAAM,KAAK,CAAC;CAC/B,QAAQ,EAAE,SAAS,EAAE,KAAK,CAAC;CAC5B,CAAC;AAEF,MAAa,kBAAkB,EAAE,OAAO;CACtC,GAAG,SAAS,OAAO,YAAY;CAC/B,SAAS,EAAE,GAAG,OAAO,MAAM;CAC3B,QAAQ,EAAE,GAAG,OAAO,KAAK;CACzB,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;CAC5B,SAAS,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;CACxC,QAAQ,EAAE,SAAS,EAAE,QAAQ,CAAC;CAC9B,QAAQ,EAAE,SAAS,EAAE,KAAK,CAAC;CAC5B,CAAC;AAEF,MAAa,kBAAkB,EAAE,OAAO;CACtC,GAAG,SAAS,OAAO,YAAY;CAC/B,SAAS,EAAE,SAAS,EAAE,GAAG,OAAO,MAAM,CAAC;CACvC,iBAAiB,EAAE,SAAS,EAAE,GAAG,OAAO,KAAK,CAAC;CAC9C,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC;CAC7B,WAAW,EAAE,QAAQ;CACrB,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;CAC5B,SAAS,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,CAAC,CAAC;CACxC,QAAQ;CACR,aAAa,EAAE,SAAS,EAAE,QAAQ,CAAC;CACnC,kBAAkB,EAAE,SAAS,EAAE,GAAG,OAAO,KAAK,CAAC;CAC/C,cAAc,EAAE,SAAS,EAAE,QAAQ,CAAC;CACpC,QAAQ,EAAE,SAAS,EAAE,KAAK,CAAC;CAC5B,CAAC;AAEF,MAAa,aAAa,EAAE,OAAO;CACjC,GAAG,SAAS,OAAO,OAAO;CAC1B,QAAQ,EAAE,GAAG,OAAO,KAAK;CACzB,QAAQ,EAAE,QAAQ;CAClB,WAAW,EAAE,QAAQ;CACrB,MAAM,EAAE,QAAQ;CAChB,QAAQ,EAAE,MAAM,aAAa;CAC7B,WAAW,EAAE,SAAS,iBAAiB;CACvC,gBAAgB,EAAE,SAAS,sBAAsB;CACjD,WAAW,EAAE,SAAS,EAAE,QAAQ,CAAC;CACjC,YAAY,EAAE,SAAS,EAAE,QAAQ,CAAC;CAClC,WAAW,EAAE,QAAQ;CACrB,SAAS,EAAE,SAAS;CACpB,UAAU,EAAE,SAAS,EAAE,KAAK,CAAC;CAC9B,CAAC;AAEF,MAAa,iBAAiB,EAAE,OAAO;CACrC,GAAG,SAAS,OAAO,WAAW;CAC9B,gBAAgB,EAAE,QAAQ;CAC1B,UAAU,EAAE,QAAQ;CACpB,WAAW,EAAE,QAAQ;CACrB,UAAU,EAAE,QAAQ;CACpB,QAAQ;CACR,QAAQ,EAAE,SAAS,EAAE,GAAG,OAAO,KAAK,CAAC;CACrC,WAAW,EAAE,SAAS,EAAE,GAAG,OAAO,QAAQ,CAAC;CAC3C,cAAc,EAAE,SAAS,EAAE,QAAQ,CAAC;CACrC,CAAC;AAEF,MAAa,iBAAiB,EAAE,OAAO;CACrC,GAAG,SAAS,OAAO,WAAW;CAC9B,SAAS,EAAE,GAAG,OAAO,MAAM;CAC3B,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;CAC5B,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;CAC5B,QAAQ;CACR,QAAQ,EAAE,SAAS,kBAAkB;CACrC,QAAQ,EAAE,SAAS,EAAE,KAAK,CAAC;CAC3B,QAAQ,EAAE,SAAS,EAAE,KAAK,CAAC;CAC5B,CAAC;AAEF,MAAa,uBAAuB,EAAE,OAAO;CAC3C,GAAG,SAAS,OAAO,iBAAiB;CACpC,cAAc,EAAE,GAAG,OAAO,WAAW;CACrC,SAAS,EAAE,GAAG,OAAO,MAAM;CAC3B,QAAQ,EAAE,QAAQ;CAClB,WAAW,EAAE,SAAS;CACtB,YAAY,EAAE,SAAS,EAAE,QAAQ,CAAC;CACnC,CAAC;AAEF,MAAa,mCAAmC,EAAE,OAAO;CACvD,GAAG,SAAS,OAAO,6BAA6B;CAChD,cAAc,EAAE,GAAG,OAAO,WAAW;CACrC,SAAS,EAAE,GAAG,OAAO,MAAM;CAC3B,UAAU,EAAE,GAAG,OAAO,iBAAiB;CACvC,QAAQ,EAAE,QAAQ;CAClB,YAAY,EAAE,QAAQ;CACtB,OAAO,EAAE,QAAQ;CACjB,WAAW,EAAE,QAAQ;CACrB,aAAa,EAAE,QAAQ;CACvB,WAAW,EAAE,QAAQ;CACtB,CAAC;AAEF,MAAa,uBAAuB,EAAE,OAAO;CAC3C,GAAG,SAAS,OAAO,iBAAiB;CACpC,cAAc,EAAE,GAAG,OAAO,WAAW;CACrC,SAAS,EAAE,GAAG,OAAO,MAAM;CAC3B,MAAM;CACN,YAAY,EAAE,QAAQ;CACtB,WAAW,EAAE,QAAQ;CACtB,CAAC;AAEF,MAAa,2BAA2B,EAAE,OAAO;CAC/C,GAAG,SAAS,OAAO,qBAAqB;CACxC,cAAc,EAAE,GAAG,OAAO,WAAW;CACrC,SAAS,EAAE,GAAG,OAAO,MAAM;CAC3B,QAAQ;CACR,UAAU,EAAE,QAAQ;CACpB,WAAW,EAAE,QAAQ;CACrB,eAAe,EAAE,SAAS,EAAE,QAAQ,CAAC;CACrC,QAAQ,EAAE,SAAS,EAAE,KAAK,CAAC;CAC5B,CAAC;AAEF,MAAa,6BAA6B,EAAE,OAAO;CACjD,GAAG,SAAS,OAAO,uBAAuB;CAC1C,cAAc,EAAE,GAAG,OAAO,WAAW;CACrC,SAAS,EAAE,GAAG,OAAO,MAAM;CAC3B,cAAc;CACd,YAAY,EAAE,QAAQ;CACtB,QAAQ,EAAE,SAAS,EAAE,GAAG,OAAO,KAAK,CAAC;CACrC,eAAe,EAAE,SAAS,EAAE,GAAG,OAAO,MAAM,CAAC;CAC7C,mBAAmB,EAAE,SAAS,EAAE,QAAQ,CAAC;CACzC,QAAQ,EAAE,SAAS,EAAE,SAAS,CAAC;CAC/B,KAAK,EAAE,SAAS,EAAE,KAAK,CAAC;CACzB,CAAC;AAEF,MAAa,2BAA2B,EAAE,OAAO;CAC/C,GAAG,SAAS,OAAO,qBAAqB;CACxC,cAAc,EAAE,GAAG,OAAO,WAAW;CACrC,SAAS,EAAE,GAAG,OAAO,MAAM;CAC3B,WAAW,EAAE,QAAQ;CACrB,WAAW;CACX,SAAS,EAAE,SAAS,EAAE,QAAQ,CAAC;CAC/B,aAAa,EAAE,QAAQ;CACvB,WAAW,EAAE,SAAS,EAAE,QAAQ,CAAC;CACjC,QAAQ;CACR,YAAY,EAAE,QAAQ;CACtB,WAAW,EAAE,SAAS,EAAE,QAAQ,CAAC;CACjC,IAAI,EAAE,SAAS,EAAE,QAAQ,CAAC;CAC1B,UAAU,EAAE,SAAS,EAAE,KAAK,CAAC;CAC9B,CAAC;AAEF,MAAa,gCAAgC,EAAE,OAAO;CACpD,GAAG,SAAS,OAAO,0BAA0B;CAC7C,cAAc,EAAE,GAAG,OAAO,WAAW;CACrC,SAAS,EAAE,GAAG,OAAO,MAAM;CAC3B,KAAK,EAAE,QAAQ;CACf,QAAQ;CACR,YAAY,EAAE,QAAQ;CACtB,eAAe,EAAE,MAAM,EAAE,QAAQ,CAAC;CAClC,iBAAiB,EAAE,SAAS,EAAE,GAAG,OAAO,KAAK,CAAC;CAC9C,eAAe,EAAE,SAAS,EAAE,QAAQ,CAAC;CACrC,eAAe,EAAE,SAAS,EAAE,QAAQ,CAAC;CACrC,cAAc,EAAE,QAAQ;CACxB,QAAQ,EAAE,SAAS,EAAE,KAAK,CAAC;CAC5B,CAAC;AAEF,MAAa,gCAAgC,EAAE,OAAO;CACpD,GAAG,SAAS,OAAO,0BAA0B;CAC7C,cAAc,EAAE,GAAG,OAAO,WAAW;CACrC,YAAY,EAAE,GAAG,OAAO,0BAA0B;CAClD,cAAc,EAAE,SAAS,EAAE,GAAG,OAAO,qBAAqB,CAAC;CAC3D,WAAW,EAAE,QAAQ;CACrB,QAAQ;CACR,cAAc,EAAE,QAAQ;CACxB,eAAe,EAAE,QAAQ;CACzB,eAAe,EAAE,SAAS,EAAE,QAAQ,CAAC;CACrC,oBAAoB,EAAE,SAAS,EAAE,QAAQ,CAAC;CAC1C,WAAW,EAAE,SAAS,EAAE,QAAQ,CAAC;CACjC,SAAS,EAAE,KAAK;CACjB,CAAC;AAEF,MAAa,mBAAmB,EAAE,OAAO;CACvC,GAAG,SAAS,OAAO,UAAU;CAC7B,YAAY,EAAE,QAAQ;CACtB,mBAAmB,EAAE,QAAQ;CAC7B,eAAe,EAAE,QAAQ;CACzB,cAAc,EAAE,QAAQ;CACxB,iBAAiB,EAAE,QAAQ;CAC5B,CAAC;AAEF,MAAa,6BAA6B,EAAE,OAAO;CACjD,UAAU,EAAE,GAAG,OAAO,YAAY;CAClC,SAAS,EAAE,MAAM,EAAE,GAAG,OAAO,MAAM,EAAE,EAAE,MAAM,CAAC;CAC9C,UAAU,EAAE,SAAS,EAAE,GAAG,OAAO,YAAY,CAAC;CAC9C,cAAc;CACd,kBAAkB;CACnB,CAAC"}

package/dist/component/providers/anonymous.d.ts

@@ -0,0 +1,54 @@
+import { GenericActionCtxWithAuthConfig } from "../server/types.js";
+import { DocumentByName, GenericDataModel, WithoutSystemFields } from "convex/server";
+import { Value } from "convex/values";
+
+//#region src/providers/anonymous.d.ts
+/**
+ * The available options to an {@link Anonymous} provider for Convex Auth.
+ */
+interface AnonymousConfig<DataModel extends GenericDataModel> {
+  /**
+   * Uniquely identifies the provider, allowing to use
+   * multiple different {@link Anonymous} providers.
+   */
+  id?: string;
+  /**
+   * Perform checks on provided params and customize the user
+   * information stored after sign in.
+   */
+  profile?: (
+  /**
+   * The values passed to the `signIn` function.
+   */
+  params: Record<string, Value | undefined>,
+  /**
+   * Convex ActionCtx in case you want to read from or write to
+   * the database.
+   */
+  ctx: GenericActionCtxWithAuthConfig<DataModel>) => WithoutSystemFields<DocumentByName<DataModel, "User">> & {
+    isAnonymous: true;
+  };
+}
+/**
+ * Anonymous authentication provider.
+ *
+ * Creates a new anonymous user account without requiring any
+ * user-provided information. Useful for guest access or
+ * progressive profiling.
+ *
+ * @example
+ * ```ts
+ * import { Anonymous } from "@robelest/convex-auth/providers";
+ *
+ * new Anonymous()
+ * ```
+ */
+declare class Anonymous<DataModel extends GenericDataModel = GenericDataModel> {
+  readonly id: string;
+  readonly type: "credentials";
+  readonly config: AnonymousConfig<DataModel>;
+  constructor(config?: AnonymousConfig<DataModel>);
+}
+//#endregion
+export { Anonymous };
+//# sourceMappingURL=anonymous.d.ts.map

package/dist/component/providers/anonymous.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"anonymous.d.ts","names":[],"sources":["../../../src/providers/anonymous.ts"],"mappings":";;;;;;;;UA4BiB,eAAA,mBAAkC,gBAAA;EAAlB;;;;EAK/B,EAAA;EASyB;;;;EAJzB,OAAA;EAUK;;;EANH,MAAA,EAAQ,MAAA,SAAe,KAAA;EAOZ;;AAkBf;;EApBI,GAAA,EAAK,8BAAA,CAA+B,SAAA,MACjC,mBAAA,CAAoB,cAAA,CAAe,SAAA;IACtC,WAAA;EAAA;AAAA;;;;;;;;;;;;;;;cAkBS,SAAA,mBAA4B,gBAAA,GAAmB,gBAAA;EAAA,SACjD,EAAA;EAAA,SACA,IAAA;EAAA,SACA,MAAA,EAAQ,eAAA,CAAgB,SAAA;cAG/B,MAAA,GAAQ,eAAA,CAAgB,SAAA;AAAA"}

package/dist/component/providers/credentials.d.ts

@@ -1,11 +1,12 @@
 import { AuthProviderConfig, GenericActionCtxWithAuthConfig } from "../server/types.js";
-import "../index.js";
 import { GenericDataModel } from "convex/server";
 import { GenericId, Value } from "convex/values";
 
 //#region src/providers/credentials.d.ts
 /**
  * Configuration for the Credentials provider.
+ *
+ * @typeParam DataModel - The Convex data model.
  */
 interface CredentialsConfig<DataModel extends GenericDataModel = GenericDataModel> {
   /** Uniquely identifies the provider. Defaults to `"credentials"`. */
@@ -16,8 +17,8 @@ interface CredentialsConfig<DataModel extends GenericDataModel = GenericDataMode
    * @returns A user ID for successful login, or `null` to reject.
    */
   authorize: (credentials: Partial<Record<string, Value | undefined>>, ctx: GenericActionCtxWithAuthConfig<DataModel>) => Promise<{
-    userId: GenericId<"user">;
-    sessionId?: GenericId<"session">;
+    userId: GenericId<"User">;
+    sessionId?: GenericId<"Session">;
   } | null>;
   /**
    * Provide hashing and verification functions for account secrets.
@@ -32,7 +33,6 @@ interface CredentialsConfig<DataModel extends GenericDataModel = GenericDataMode
    */
   extraProviders?: (AuthProviderConfig | undefined)[];
 }
-type CredentialsUserConfig<DataModel extends GenericDataModel = GenericDataModel> = CredentialsConfig<DataModel>;
 //#endregion
-export { CredentialsUserConfig };
+export { CredentialsConfig };
 //# sourceMappingURL=credentials.d.ts.map

package/dist/component/providers/credentials.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"credentials.d.ts","names":[],"sources":["../../../src/providers/credentials.ts"],"mappings":";;;;;;;;;UA2BiB,iBAAA,mBACG,gBAAA,GAAmB,gBAAA;EA2BD;EAxBpC,EAAA;EAHA;;;;;EASA,SAAA,GACE,WAAA,EAAa,OAAA,CAAQ,MAAA,SAAe,KAAA,gBACpC,GAAA,EAAK,8BAAA,CAA+B,SAAA,MACjC,OAAA;IACH,MAAA,EAAQ,SAAA;IACR,SAAA,GAAY,SAAA;EAAA;EAHP;;;EAQP,MAAA;IACE,UAAA,GAAa,MAAA,aAAmB,OAAA;IAChC,YAAA,GAAe,MAAA,UAAgB,IAAA,aAAiB,OAAA;EAAA;EAPpC;;;;EAad,cAAA,IAAkB,kBAAA;AAAA;AAAA,KAoDR,qBAAA,mBACQ,gBAAA,GAAmB,gBAAA,IACnC,iBAAA,CAAkB,SAAA"}
+{"version":3,"file":"credentials.d.ts","names":[],"sources":["../../../src/providers/credentials.ts"],"mappings":";;;;;;;;;;UA8BiB,iBAAA,mBACG,gBAAA,GAAmB,gBAAA;EAAnB;EAGlB,EAAA;EAAA;;;;;EAMA,SAAA,GACE,WAAA,EAAa,OAAA,CAAQ,MAAA,SAAe,KAAA,gBACpC,GAAA,EAAK,8BAAA,CAA+B,SAAA,MACjC,OAAA;IACH,MAAA,EAAQ,SAAA;IACR,SAAA,GAAY,SAAA;EAAA;EAFT;;;EAOL,MAAA;IACE,UAAA,GAAa,MAAA,aAAmB,OAAA;IAChC,YAAA,GAAe,MAAA,UAAgB,IAAA,aAAiB,OAAA;EAAA;EADnC;;;;EAOf,cAAA,IAAkB,kBAAA;AAAA"}

package/dist/component/providers/device.d.ts

@@ -0,0 +1,67 @@
+//#region src/providers/device.d.ts
+/**
+ * Device authorization provider (RFC 8628).
+ *
+ * Enables input-constrained devices (CLIs, TVs, IoT) to authenticate
+ * by displaying a short code that the user enters on a secondary device.
+ *
+ * ```ts
+ * import { Device } from "@robelest/convex-auth/providers";
+ *
+ * new Device()
+ * ```
+ *
+ * @module
+ */
+/**
+ * Configuration for the Device authorization provider.
+ */
+interface DeviceConfig {
+  /**
+   * User code character set.
+   * Default: `"BCDFGHJKLMNPQRSTVWXZ"` (base-20, no vowels per RFC 8628 §6.1).
+   */
+  charset?: string;
+  /** User code length (before formatting). Default: 8. */
+  userCodeLength?: number;
+  /** Device code + user code lifetime in seconds. Default: 900 (15 min). */
+  expiresIn?: number;
+  /** Minimum polling interval in seconds. Default: 5. */
+  interval?: number;
+  /**
+   * Base URL for the verification page where users enter the device code.
+   *
+   * Example: `"http://localhost:3000/device"` or `"https://myapp.com/device"`.
+   *
+   * If not provided, falls back to `SITE_URL + "/device"`.
+   */
+  verificationUri?: string;
+}
+/**
+ * Device authorization provider (RFC 8628).
+ *
+ * Enables input-constrained devices (CLIs, TVs, IoT) to authenticate
+ * by displaying a short user code. The user visits a verification page
+ * on a secondary device, signs in with any existing provider, and
+ * enters the code to authorize the device.
+ *
+ * @example
+ * ```ts
+ * import { createAuth } from "@robelest/convex-auth/component";
+ * import { Device } from "@robelest/convex-auth/providers";
+ * import { components } from "./_generated/api";
+ *
+ * const auth = createAuth(components.auth, {
+ *   providers: [new Device()],
+ * });
+ * ```
+ */
+declare class Device {
+  readonly id: string;
+  readonly type: "device";
+  readonly config: DeviceConfig;
+  constructor(config?: DeviceConfig);
+}
+//#endregion
+export { Device };
+//# sourceMappingURL=device.d.ts.map

package/dist/component/providers/device.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"device.d.ts","names":[],"sources":["../../../src/providers/device.ts"],"mappings":";;AAoBA;;;;;;;;;;;AA4CA;;;;;UA5CiB,YAAA;EA+CN;;;;EA1CT,OAAA;EA4CqC;EA1CrC,cAAA;;EAEA,SAAA;;EAEA,QAAA;;;;;;;;EAQA,eAAA;AAAA;;;;;;;;;;;;;;;;;;;;cAyBW,MAAA;EAAA,SACF,EAAA;EAAA,SACA,IAAA;EAAA,SACA,MAAA,EAAQ,YAAA;cAEL,MAAA,GAAQ,YAAA;AAAA"}

package/dist/component/providers/email.d.ts

@@ -0,0 +1,62 @@
+//#region src/providers/email.d.ts
+/**
+ * Email (magic link / OTP) authentication provider.
+ *
+ * @module
+ */
+/**
+ * User-facing configuration for the {@link Email} provider.
+ *
+ * Use this to wire your email delivery service into Convex Auth's magic-link
+ * or OTP flow.
+ */
+interface EmailProviderConfig {
+  /** Sender address (e.g. "My App <noreply@example.com>"). */
+  from: string;
+  /** Send the verification email. Receives the Convex action context. */
+  send: (ctx: any, opts: {
+    from: string;
+    to: string;
+    subject: string;
+    html: string;
+  }) => Promise<void>;
+  /** Override to generate a custom verification token. */
+  generateVerificationToken?: () => Promise<string>;
+  /** Provider ID override. Defaults to "email". */
+  id?: string;
+  /** Token expiration in seconds. Defaults to 86400 (24 hours). */
+  maxAge?: number;
+}
+/**
+ * Email provider for magic-link or one-time-code sign-in.
+ *
+ * Sends verification emails through your `send()` implementation and converts
+ * the result into Convex Auth's internal email-provider runtime shape.
+ *
+ * @example
+ * ```ts
+ * import { Email } from "@robelest/convex-auth/providers";
+ *
+ * const email = new Email({
+ *   from: "My App <noreply@example.com>",
+ *   send: async (_ctx, { to, subject, html }) => {
+ *     await resend.emails.send({ from: "noreply@example.com", to, subject, html });
+ *   },
+ * });
+ * ```
+ */
+declare class Email {
+  readonly config: EmailProviderConfig;
+  readonly id: string;
+  readonly type: "email";
+  /**
+   * Create an email provider instance.
+   *
+   * @param config - Email transport and provider settings.
+   * @throws {Error} When `config.from` is empty or whitespace-only.
+   */
+  constructor(config: EmailProviderConfig);
+}
+//#endregion
+export { Email };
+//# sourceMappingURL=email.d.ts.map

package/dist/component/providers/email.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"email.d.ts","names":[],"sources":["../../../src/providers/email.ts"],"mappings":";;AAeA;;;;;;;;;;UAAiB,mBAAA;EAMb;EAJF,IAAA;EAOA;EALA,IAAA,GACE,GAAA,OACA,IAAA;IAAQ,IAAA;IAAc,EAAA;IAAY,OAAA;IAAiB,IAAA;EAAA,MAChD,OAAA;EA2BW;EAzBhB,yBAAA,SAAkC,OAAA;EAmCqB;EAjCvD,EAAA;EAiCoC;EA/BpC,MAAA;AAAA;;;;;;;;;;;;;;;;;;;cAqBW,KAAA;EAAA,SAUiB,MAAA,EAAQ,mBAAA;EAAA,SAT3B,EAAA;EAAA,SACA,IAAA;;;;;;;cAQmB,MAAA,EAAQ,mBAAA;AAAA"}

package/dist/component/providers/oauth.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"oauth.d.ts","names":[],"sources":["../../../src/providers/oauth.ts"],"mappings":";;;;;cAuCa,kBAAA;;;;;;UAOI,qBAAA;EAAA,SACN,IAAA,SAAa,kBAAA;;WAEb,EAAA;;WAEA,QAAA;;WAEA,MAAA;;WAEA,OAAA,IAAW,MAAA,EAAQ,YAAA,KAAiB,OAAA,CAAQ,YAAA;AAAA"}
+{"version":3,"file":"oauth.d.ts","names":[],"sources":["../../../src/providers/oauth.ts"],"mappings":";;;;;cAwCa,kBAAA;;;;;;UAOI,qBAAA;EAAA,SACN,IAAA,SAAa,kBAAA;;WAEb,EAAA;;WAEA,QAAA;;WAEA,MAAA;;WAEA,OAAA,IAAW,MAAA,EAAQ,YAAA,KAAiB,OAAA,CAAQ,YAAA;AAAA"}

package/dist/component/providers/oauth.js.map

@@ -1 +1 @@
-{"version":3,"file":"oauth.js","names":[],"sources":["../../../src/providers/oauth.ts"],"sourcesContent":["/**\n * OAuth provider factory for wrapping Arctic provider instances.\n *\n * ```ts\n * import { Google, GitHub } from \"arctic\";\n * import { OAuth } from \"@robelest/convex-auth/providers\";\n *\n * OAuth(new Google(clientId, clientSecret, redirectURI), {\n *   scopes: [\"openid\", \"profile\", \"email\"],\n * })\n * ```\n *\n * @module\n */\n\nimport type { OAuth2Tokens } from \"arctic\";\nimport type { OAuthProfile } from \"../server/types\";\n\n/**\n * Configuration for an OAuth provider.\n */\nexport interface OAuthConfig {\n  /** OAuth scopes to request during authorization. */\n  scopes?: string[];\n  /**\n   * Extract user profile from tokens.\n   *\n   * Required for non-OIDC providers (e.g. GitHub) that don't return an ID token.\n   * For OIDC providers, defaults to decoding the ID token claims.\n   */\n  profile?: (tokens: OAuth2Tokens) => Promise<OAuthProfile>;\n  /**\n   * Override the provider ID derived from the class name.\n   * Used for route matching (`/api/auth/signin/{id}`).\n   */\n  id?: string;\n}\n\n/** The internal tag for identifying OAuth provider configs. */\nexport const OAUTH_PROVIDER_TAG = \"__convex_oauth\" as const;\n\n/**\n * An OAuth provider instance with config attached.\n *\n * Created by the `OAuth()` factory. The runtime detects these via the `_tag` field.\n */\nexport interface OAuthProviderInstance {\n  readonly _tag: typeof OAUTH_PROVIDER_TAG;\n  /** The provider ID (e.g. \"google\", \"github\"). */\n  readonly id: string;\n  /** The Arctic provider instance. */\n  readonly provider: any;\n  /** OAuth scopes. */\n  readonly scopes: string[];\n  /** Optional profile extraction callback. */\n  readonly profile?: (tokens: OAuth2Tokens) => Promise<OAuthProfile>;\n}\n\n/**\n * Wrap an Arctic provider instance with scopes and profile config.\n *\n * The provider ID is derived from `provider.constructor.name.toLowerCase()`\n * unless overridden via `config.id`.\n *\n * @param provider - An Arctic provider instance (e.g. `new Google(...)`)\n * @param config - Optional scopes, profile callback, and ID override\n * @returns A tagged OAuth provider config for the `providers` array\n *\n * @example\n * ```ts\n * import { Google } from \"arctic\";\n * import { OAuth } from \"@robelest/convex-auth/providers\";\n *\n * OAuth(new Google(clientId, clientSecret, redirectURI), {\n *   scopes: [\"openid\", \"profile\", \"email\"],\n * })\n * ```\n */\nexport function OAuth(\n  provider: any,\n  config?: OAuthConfig,\n): OAuthProviderInstance {\n  if (\n    !provider ||\n    typeof provider.createAuthorizationURL !== \"function\" ||\n    typeof provider.validateAuthorizationCode !== \"function\"\n  ) {\n    throw new Error(\n      \"OAuth() expects an Arctic provider instance with createAuthorizationURL and validateAuthorizationCode methods.\",\n    );\n  }\n\n  const id =\n    config?.id ?? provider.constructor?.name?.toLowerCase() ?? \"oauth\";\n\n  return {\n    _tag: OAUTH_PROVIDER_TAG,\n    id,\n    provider,\n    scopes: config?.scopes ?? [],\n    profile: config?.profile,\n  };\n}\n\n/**\n * Type guard to check if a provider config is an OAuth provider.\n */\nexport function isOAuthProvider(value: unknown): value is OAuthProviderInstance {\n  return (\n    typeof value === \"object\" &&\n    value !== null &&\n    \"_tag\" in value &&\n    (value as any)._tag === OAUTH_PROVIDER_TAG\n  );\n}\n"],"mappings":";;AAuCA,MAAa,qBAAqB;;;;AAoElC,SAAgB,gBAAgB,OAAgD;AAC9E,QACE,OAAO,UAAU,YACjB,UAAU,QACV,UAAU,SACT,MAAc,SAAS"}
+{"version":3,"file":"oauth.js","names":[],"sources":["../../../src/providers/oauth.ts"],"sourcesContent":["/**\n * OAuth provider factory for wrapping Arctic provider instances.\n *\n * ```ts\n * import { Google, GitHub } from \"arctic\";\n * import { OAuth } from \"@robelest/convex-auth/providers\";\n *\n * OAuth(new Google(clientId, clientSecret, redirectURI), {\n *   scopes: [\"openid\", \"profile\", \"email\"],\n * })\n * ```\n *\n * @module\n */\n\nimport type { OAuth2Tokens } from \"arctic\";\n\nimport type { OAuthProfile } from \"../server/types\";\n\n/**\n * Configuration for an OAuth provider.\n */\nexport interface OAuthConfig {\n  /** OAuth scopes to request during authorization. */\n  scopes?: string[];\n  /**\n   * Extract user profile from tokens.\n   *\n   * Required for non-OIDC providers (e.g. GitHub) that don't return an ID token.\n   * For OIDC providers, defaults to decoding the ID token claims.\n   */\n  profile?: (tokens: OAuth2Tokens) => Promise<OAuthProfile>;\n  /**\n   * Override the provider ID derived from the class name.\n   * Used for route matching (`/api/auth/signin/{id}`).\n   */\n  id?: string;\n}\n\n/** The internal tag for identifying OAuth provider configs. */\nexport const OAUTH_PROVIDER_TAG = \"__convex_oauth\" as const;\n\n/**\n * An OAuth provider instance with config attached.\n *\n * Created by the `OAuth()` factory. The runtime detects these via the `_tag` field.\n */\nexport interface OAuthProviderInstance {\n  readonly _tag: typeof OAUTH_PROVIDER_TAG;\n  /** The provider ID (e.g. \"google\", \"github\"). */\n  readonly id: string;\n  /** The Arctic provider instance. */\n  readonly provider: any;\n  /** OAuth scopes. */\n  readonly scopes: string[];\n  /** Optional profile extraction callback. */\n  readonly profile?: (tokens: OAuth2Tokens) => Promise<OAuthProfile>;\n}\n\n/**\n * Wrap an Arctic provider instance with scopes and profile config.\n *\n * The provider ID is derived from `provider.constructor.name.toLowerCase()`\n * unless overridden via `config.id`.\n *\n * @param provider - An Arctic provider instance (e.g. `new Google(...)`)\n * @param config - Optional scopes, profile callback, and ID override\n * @returns A tagged OAuth provider config for the `providers` array\n *\n * @example\n * ```ts\n * import { Google } from \"arctic\";\n * import { OAuth } from \"@robelest/convex-auth/providers\";\n *\n * OAuth(new Google(clientId, clientSecret, redirectURI), {\n *   scopes: [\"openid\", \"profile\", \"email\"],\n * })\n * ```\n */\nexport function OAuth(\n  provider: any,\n  config?: OAuthConfig,\n): OAuthProviderInstance {\n  if (\n    !provider ||\n    typeof provider.createAuthorizationURL !== \"function\" ||\n    typeof provider.validateAuthorizationCode !== \"function\"\n  ) {\n    throw new Error(\n      \"OAuth() expects an Arctic provider instance with createAuthorizationURL and validateAuthorizationCode methods.\",\n    );\n  }\n\n  const id = config?.id ?? provider.constructor?.name?.toLowerCase() ?? \"oauth\";\n\n  return {\n    _tag: OAUTH_PROVIDER_TAG,\n    id,\n    provider,\n    scopes: config?.scopes ?? [],\n    profile: config?.profile,\n  };\n}\n\n/**\n * Type guard to check if a provider config is an OAuth provider.\n */\nexport function isOAuthProvider(\n  value: unknown,\n): value is OAuthProviderInstance {\n  return (\n    typeof value === \"object\" &&\n    value !== null &&\n    \"_tag\" in value &&\n    (value as any)._tag === OAUTH_PROVIDER_TAG\n  );\n}\n"],"mappings":";;AAwCA,MAAa,qBAAqB;;;;AAmElC,SAAgB,gBACd,OACgC;AAChC,QACE,OAAO,UAAU,YACjB,UAAU,QACV,UAAU,SACT,MAAc,SAAS"}