@robelest/convex-auth 0.0.4-preview.21 → 0.0.4-preview.22

package/dist/server/auth.js

@@ -1,6 +1,5 @@
 import { AuthError } from "./authError.js";
 import { Auth } from "./runtime.js";
-import { Fx } from "@robelest/fx";
 
 //#region src/server/auth.ts
 /**
@@ -186,39 +185,26 @@ function AuthCtx(auth, config) {
 		args: {},
 		input: async (ctx, _args, _extra) => {
 			const nativeAuth = ctx.auth;
-			const modeDispatch = config?.optional === true ? { mode: "optional" } : { mode: "required" };
-			const userContext = await Fx.run(Fx.match(modeDispatch, modeDispatch.mode, {
-				optional: async () => {
-					const userId = await auth.user.id(ctx);
-					if (!userId) return null;
-					return {
-						userId,
-						user: await auth.user.get(ctx, userId)
-					};
-				},
-				required: async () => {
-					const userId = await auth.user.id(ctx);
-					if (!userId) return null;
-					return {
-						userId,
-						user: await auth.user.get(ctx, userId)
-					};
-				}
-			}));
-			if (userContext === null) return {
+			const getUserIdentity = nativeAuth.getUserIdentity.bind(nativeAuth);
+			const fallback = () => resolveAuthContext(auth, ctx);
+			const authOverride = config?.authResolve ? await config.authResolve(ctx, fallback) : void 0;
+			const resolved = authOverride === void 0 ? await fallback() : authOverride;
+			if (resolved === null) return {
 				ctx: { auth: {
-					getUserIdentity: nativeAuth.getUserIdentity.bind(nativeAuth),
+					getUserIdentity,
 					userId: null,
-					user: null
+					user: null,
+					groupId: null,
+					role: null,
+					grants: []
 				} },
 				args: {}
 			};
-			const extra = config?.resolve ? await config.resolve(ctx, userContext.user) : {};
+			const extra = config?.resolve ? await config.resolve(ctx, resolved.user, resolved) : {};
 			return {
 				ctx: { auth: {
-					getUserIdentity: nativeAuth.getUserIdentity.bind(nativeAuth),
-					userId: userContext.userId,
-					user: userContext.user,
+					getUserIdentity,
+					...resolved,
 					...extra
 				} },
 				args: {}

package/dist/server/auth.js.map

@@ -1 +1 @@
-{"version":3,"file":"auth.js","names":["AuthFactory"],"sources":["../../src/server/auth.ts"],"sourcesContent":["/**\n * Auth configuration helpers for Convex Auth.\n *\n * @module\n */\n\nimport type { UserIdentity } from \"convex/server\";\nimport type { GenericId } from \"convex/values\";\n\nimport type { AuthApiRefs } from \"../client/index\";\nimport { Auth as AuthFactory } from \"./runtime\";\nimport { Fx } from \"@robelest/fx\";\nimport { AuthError } from \"./authError\";\nimport type { Doc } from \"./types\";\nimport type {\n  AuthAuthorizationConfig,\n  AuthGrant,\n  AuthProviderConfig,\n  AuthRoleDefinition,\n  AuthRoleId,\n  ConvexAuthConfig,\n  HasDeviceProvider,\n  HasPasskeyProvider,\n  HasSSO,\n  HasTotpProvider,\n} from \"./types\";\n\n// ============================================================================\n// Types\n// ============================================================================\n\n/**\n * Config for auth setup. Extends the standard auth config\n * minus `component` (which is passed as the first constructor argument).\n */\nexport type AuthConfig = Omit<ConvexAuthConfig, \"component\">;\n\ntype MemberApiWithAuthorization<\n  TAuthorization extends AuthAuthorizationConfig | undefined,\n> = Omit<\n  ReturnType<typeof AuthFactory>[\"auth\"][\"member\"],\n  \"create\" | \"list\" | \"update\" | \"resolve\"\n> & {\n  create: (\n    ctx: Parameters<\n      ReturnType<typeof AuthFactory>[\"auth\"][\"member\"][\"create\"]\n    >[0],\n    data: {\n      groupId: string;\n      userId: string;\n      roleIds?: AuthRoleId<TAuthorization>[];\n      status?: string;\n      extend?: Record<string, unknown>;\n    },\n  ) => Promise<{ ok: true; memberId: string }>;\n  list: (\n    ctx: Parameters<\n      ReturnType<typeof AuthFactory>[\"auth\"][\"member\"][\"list\"]\n    >[0],\n    opts?: {\n      where?: {\n        groupId?: string;\n        userId?: string;\n        roleId?: AuthRoleId<TAuthorization>;\n        status?: string;\n      };\n      limit?: number;\n      cursor?: string | null;\n      orderBy?: \"_creationTime\" | \"status\";\n      order?: \"asc\" | \"desc\";\n    },\n  ) => ReturnType<ReturnType<typeof AuthFactory>[\"auth\"][\"member\"][\"list\"]>;\n  update: (\n    ctx: Parameters<\n      ReturnType<typeof AuthFactory>[\"auth\"][\"member\"][\"update\"]\n    >[0],\n    memberId: string,\n    data: Record<string, unknown> & { roleIds?: AuthRoleId<TAuthorization>[] },\n  ) => Promise<{ ok: true; memberId: string }>;\n  resolve: (\n    ctx: Parameters<\n      ReturnType<typeof AuthFactory>[\"auth\"][\"member\"][\"resolve\"]\n    >[0],\n    opts: {\n      userId: string;\n      groupId: string;\n      ancestry?: boolean;\n      roleIds?: AuthRoleId<TAuthorization>[];\n      grants?: AuthGrant<TAuthorization>[];\n      maxDepth?: number;\n    },\n  ) => ReturnType<ReturnType<typeof AuthFactory>[\"auth\"][\"member\"][\"resolve\"]>;\n};\n\n\n/**\n * The base auth API surface returned by {@link createAuth}.\n *\n * Provides core namespaces — `signIn`, `signOut`, `user`, `session`,\n * `member`, `invite`, `group`, `key`, and `http` — that are\n * always available regardless of which providers are configured.\n * Enterprise namespaces (`sso`, `scim`) are added conditionally by\n * {@link AuthApi} when an SSO provider is present.\n *\n * Use this type when you want to describe code that only depends on the\n * standard auth surface and should not assume enterprise features exist.\n *\n * @typeParam TAuthorization - The authorization config, used to narrow\n *   role IDs and grant strings on the `member` API.\n */\nexport type AuthApiBase<\n  TAuthorization extends AuthAuthorizationConfig | undefined = undefined,\n> = {\n  signIn: ReturnType<typeof AuthFactory>[\"signIn\"];\n  signOut: ReturnType<typeof AuthFactory>[\"signOut\"];\n  store: ReturnType<typeof AuthFactory>[\"store\"];\n  user: ReturnType<typeof AuthFactory>[\"auth\"][\"user\"];\n  session: ReturnType<typeof AuthFactory>[\"auth\"][\"session\"];\n  provider: ReturnType<typeof AuthFactory>[\"auth\"][\"provider\"];\n  account: ReturnType<typeof AuthFactory>[\"auth\"][\"account\"];\n  group: ReturnType<typeof AuthFactory>[\"auth\"][\"group\"];\n  member: MemberApiWithAuthorization<TAuthorization>;\n  invite: ReturnType<typeof AuthFactory>[\"auth\"][\"invite\"];\n  key: ReturnType<typeof AuthFactory>[\"auth\"][\"key\"];\n  http: ReturnType<typeof AuthFactory>[\"auth\"][\"http\"];\n  /**\n   * Resolve the current user's auth context. Framework-agnostic — use\n   * this in fluent-convex middleware, custom wrappers, or anywhere you\n   * need the resolved `{ userId, user, groupId, role, grants }` object.\n   *\n   * Returns `null` when unauthenticated. Does not throw.\n   *\n   * @param ctx - Convex query, mutation, or action context.\n   * @returns The resolved auth context, or `null`.\n   *\n   * @example fluent-convex middleware\n   * ```ts\n   * const withAuth = convex.createMiddleware(async (ctx, next) => {\n   *   return next({ ...ctx, auth: await auth.resolve(ctx) });\n   * });\n   * ```\n   *\n   * @example Direct usage in a handler\n   * ```ts\n   * const resolved = await auth.resolve(ctx);\n   * if (!resolved) return { ok: false, code: \"NOT_SIGNED_IN\" };\n   * const { userId, grants } = resolved;\n   * ```\n   */\n  resolve: (ctx: any) => Promise<AuthResolvedContext | null>;\n  /**\n   * Context enrichment for convex-helpers `customQuery` / `customMutation` /\n   * `customAction`.\n   *\n   * Resolves the current user's identity, active group, membership role,\n   * and grants, then attaches them to `ctx.auth`. Returns a `Customization`\n   * object compatible with convex-helpers' custom function builders.\n   *\n   * `ctx.auth` is `{ userId, user, groupId, role, grants }` when\n   * authenticated, `null` when unauthenticated. No throwing — your\n   * handler decides how to respond.\n   *\n   * @returns A convex-helpers `Customization` object.\n   *\n   * @example One-time setup in `convex/functions.ts`\n   * ```ts\n   * import { query, mutation, action } from \"./_generated/server\";\n   * import { customQuery, customMutation, customAction } from \"convex-helpers/server/customFunctions\";\n   * import { auth } from \"./auth\";\n   *\n   * export const authQuery = customQuery(query, auth.ctx());\n   * export const authMutation = customMutation(mutation, auth.ctx());\n   * export const authAction = customAction(action, auth.ctx());\n   * ```\n   *\n   * @example Per-function usage\n   * ```ts\n   * import { authQuery } from \"./functions\";\n   *\n   * export const list = authQuery({\n   *   args: { workspaceId: v.string() },\n   *   handler: async (ctx, args) => {\n   *     if (!ctx.auth) return [];\n   *     const { userId, groupId, grants } = ctx.auth;\n   *     // business logic\n   *   },\n   * });\n   * ```\n   */\n  ctx: () => {\n    args: Record<string, never>;\n    input: (ctx: any) => Promise<{\n      ctx: { auth: AuthResolvedContext | null };\n      args: Record<string, never>;\n    }>;\n  };\n};\n\n/**\n * Resolved auth context injected into `ctx.auth` by `auth.ctx()`.\n *\n * - `null` when unauthenticated.\n * - `groupId` is `null` when the user has no active group set.\n * - `role` / `grants` are `null` / `[]` when no active group or no membership.\n */\nexport type AuthResolvedContext = {\n  /** The authenticated user's document ID. */\n  userId: string;\n  /** The authenticated user's full document. */\n  user: any;\n  /** The user's active group ID, or `null` if none set. */\n  groupId: string | null;\n  /** The user's primary role in the active group, or `null`. */\n  role: string | null;\n  /** Resolved grant strings from the user's role definitions. */\n  grants: string[];\n};\n\ntype InternalSsoApi = ReturnType<typeof AuthFactory>[\"auth\"][\"sso\"];\n\ntype PublicSsoAdminApi = {\n  connection: InternalSsoApi[\"connection\"] & {\n    domain: {\n      list: InternalSsoApi[\"domain\"][\"list\"];\n      validate: InternalSsoApi[\"domain\"][\"validate\"];\n      set: (\n        ctx: Parameters<InternalSsoApi[\"connection\"][\"create\"]>[0],\n        enterpriseId: string,\n        domains: Array<{\n          domain: string;\n          isPrimary?: boolean;\n        }>,\n      ) => Promise<{\n        ok: true;\n        enterpriseId: string;\n        domains: Array<{\n          domainId: string;\n          domain: string;\n          isPrimary: boolean;\n          verified: boolean;\n          verifiedAt: number | null;\n        }>;\n      }>;\n      verification: {\n        request: (\n          ctx: Parameters<InternalSsoApi[\"connection\"][\"create\"]>[0],\n          args: { enterpriseId: string; domain: string },\n        ) => Promise<{\n          ok: true;\n          enterpriseId: string;\n          domain: string;\n          requestedAt: number;\n          expiresAt: number;\n          challenge: {\n            recordType: \"TXT\";\n            recordName: string;\n            recordValue: string;\n          };\n        }>;\n        confirm: (\n          ctx: Parameters<InternalSsoApi[\"connection\"][\"create\"]>[0],\n          args: { enterpriseId: string; domain: string },\n        ) => Promise<{\n          ok: boolean;\n          enterpriseId: string;\n          domain: string;\n          verifiedAt?: number;\n          checks: Array<{ name: string; ok: boolean; message?: string }>;\n        }>;\n      };\n    };\n  };\n  oidc: Omit<InternalSsoApi[\"oidc\"], \"signIn\">;\n  saml: Omit<InternalSsoApi[\"saml\"], \"metadata\">;\n  policy: InternalSsoApi[\"policy\"];\n  audit: {\n    list: InternalSsoApi[\"audit\"][\"list\"];\n  };\n  webhook: {\n    endpoint: InternalSsoApi[\"webhook\"][\"endpoint\"];\n    delivery: {\n      list: InternalSsoApi[\"webhook\"][\"delivery\"][\"list\"];\n    };\n  };\n};\n\ntype PublicSsoClientApi = {\n  signIn: InternalSsoApi[\"oidc\"][\"signIn\"];\n  metadata: InternalSsoApi[\"saml\"][\"metadata\"];\n};\n\ntype PublicSsoApi = {\n  admin: PublicSsoAdminApi;\n  client: PublicSsoClientApi;\n};\n\ntype PublicScimApi = {\n  admin: Omit<InternalSsoApi[\"scim\"], \"getConfigByToken\" | \"identity\">;\n};\n\n/**\n * Extended auth API that includes enterprise SSO and SCIM namespaces.\n *\n * This type is the union of {@link AuthApiBase} plus `sso` (SSO connection\n * management, OIDC/SAML, domain verification, policies, audit, webhooks)\n * and `scim` (SCIM provisioning configuration). It is returned by\n * {@link createAuth} only when `new SSO()` is included in the providers\n * array; otherwise the narrower {@link AuthApiBase} is returned instead.\n * Attempting to access `auth.sso` or `auth.scim` without an SSO provider\n * produces a compile-time error because the return type narrows back to\n * {@link AuthApiBase}.\n *\n * @typeParam TAuthorization - The authorization config, forwarded to\n *   {@link AuthApiBase} for typed role IDs and grant strings.\n */\nexport type AuthApi<\n  TAuthorization extends AuthAuthorizationConfig | undefined = undefined,\n> = AuthApiBase<TAuthorization> & {\n  sso: PublicSsoApi;\n  scim: PublicScimApi;\n};\n\n/**\n * The return type of {@link createAuth}.\n *\n * Resolves to {@link AuthApi} (with `sso` and `scim` namespaces) when\n * `new SSO()` is present in the providers array, or to the narrower\n * {@link AuthApiBase} otherwise. This conditional type ensures that\n * enterprise-only APIs are only accessible when the SSO provider is\n * configured, producing a compile-time error if you try to access\n * `auth.sso` without it.\n * This lets application code keep a single `createAuth()` call while still\n * getting provider-aware typing on the resulting API object.\n *\n * @typeParam P - The tuple of provider configs passed to `createAuth`.\n * @typeParam TAuthorization - Optional authorization config for typed roles/grants.\n */\nexport type ConvexAuthResult<\n  P extends AuthProviderConfig[],\n  TAuthorization extends AuthAuthorizationConfig | undefined = undefined,\n> =\n  HasSSO<P> extends true\n    ? AuthApi<TAuthorization>\n    : AuthApiBase<TAuthorization>;\n\n/**\n * Infer the typed `AuthApiRefs` for the client SDK from a `createAuth` call.\n *\n * Use this as the generic parameter for `client()` on the frontend:\n *\n * ```ts\n * // convex/auth.ts\n * export const auth = createAuth(components.auth, { providers: [...] });\n *\n * // Frontend\n * import type { auth } from \"../convex/auth\";\n * import type { InferClientApi } from \"@robelest/convex-auth/server\";\n * const c = client<InferClientApi<typeof auth>>({ convex, api: api.auth });\n * ```\n *\n * @typeParam T - A ConvexAuthResult to extract the client API from.\n */\nexport type InferClientApi<T> =\n  T extends ConvexAuthResult<infer P>\n    ? AuthApiRefs<\n        HasPasskeyProvider<P>,\n        HasTotpProvider<P>,\n        HasDeviceProvider<P>\n      >\n    : AuthApiRefs;\n\n/** @internal */\nexport type AuthLike = Pick<AuthApiBase, \"user\">;\n\n// ============================================================================\n// Auth setup APIs\n// ============================================================================\n\n/**\n * Create an auth API object.\n *\n * When `new SSO()` is included in providers, `auth.sso` and `auth.scim`\n * are available on the returned object. Without it, those namespaces are\n * absent and accessing them is a TypeScript compile error.\n *\n * @param component - The installed auth component reference from\n *   `components.auth` in your Convex app definition.\n * @param config - Auth configuration including `providers` and optional\n *   `authorization`. All fields from {@link AuthConfig} are accepted\n *   except `component` (passed as the first argument).\n * @returns A {@link ConvexAuthResult} object — either {@link AuthApi}\n *   (with `sso`/`scim`) or {@link AuthApiBase}, depending on whether\n *   an SSO provider is present.\n *\n * @example\n * ```ts\n * export const auth = createAuth(components.auth, {\n *   providers: [password(), google()],\n *   authorization: { roles },\n * });\n * ```\n *\n * @see {@link AuthCtx}\n */\n\n// ---------------------------------------------------------------------------\n// Function builders — shared auth resolution logic\n// ---------------------------------------------------------------------------\n\n/**\n * Resolve auth context for the current user. Returns the enriched\n * `ctx.auth` object or `null` when unauthenticated.\n *\n * Resolution flow:\n * 1. `user.id(ctx)` → userId or null (exit early)\n * 2. `user.get(ctx, userId)` → user doc (cached per-execution)\n * 3. `user.getActiveGroup(ctx, { userId })` → groupId or null\n * 4. If groupId → `member.resolve(ctx, { userId, groupId })` → role + grants\n */\nasync function resolveAuthContext(auth: any, ctx: any) {\n  const userId = await auth.user.id(ctx);\n  if (!userId) return null;\n  const user = await auth.user.get(ctx, userId);\n  const groupId = await auth.user.getActiveGroup(ctx, { userId });\n  let role: string | null = null;\n  let grants: string[] = [];\n  if (groupId) {\n    const resolved = await auth.member.resolve(ctx, { userId, groupId });\n    if (resolved.membership) {\n      role = resolved.roleIds[0] ?? null;\n      grants = resolved.grants;\n    }\n  }\n  return { userId, user, groupId, role, grants };\n}\n\nexport function createAuth<\n  P extends AuthProviderConfig[],\n  TAuthorization extends AuthAuthorizationConfig | undefined = undefined,\n>(\n  component: ConvexAuthConfig[\"component\"],\n  config: Omit<AuthConfig, \"providers\" | \"authorization\"> & {\n    providers: P;\n    authorization?: TAuthorization;\n  },\n): ConvexAuthResult<P, TAuthorization> {\n  const authResult = AuthFactory({\n    ...config,\n    component,\n    providers: [...config.providers],\n  });\n  const {\n    domain: domainApi,\n    scim: scimApi,\n    connection: connectionApi,\n    audit: auditApi,\n    webhook: webhookApi,\n    oidc: oidcApi,\n    saml: samlApi,\n    ...restSso\n  } = authResult.auth.sso as InternalSsoApi;\n\n  type SetEnterpriseDomains = PublicSsoAdminApi[\"connection\"][\"domain\"][\"set\"];\n  type EnterpriseDomainInput = Array<{\n    domain: string;\n    isPrimary?: boolean;\n  }>;\n  const setEnterpriseDomains: PublicSsoAdminApi[\"connection\"][\"domain\"][\"set\"] =\n    async (\n      ctx: Parameters<SetEnterpriseDomains>[0],\n      enterpriseId: Parameters<SetEnterpriseDomains>[1],\n      domains: EnterpriseDomainInput,\n    ) => {\n      const enterprise = await connectionApi.get(ctx, enterpriseId);\n      if (enterprise === null) {\n        throw new AuthError(\n          \"INVALID_PARAMETERS\",\n          \"Enterprise not found.\",\n        ).toConvexError();\n      }\n\n      const normalized = domains.map((entry: (typeof domains)[number]) => ({\n        ...entry,\n        domain: entry.domain.trim().toLowerCase(),\n      }));\n      const deduped = new Map<string, (typeof normalized)[number]>();\n      for (const entry of normalized) {\n        if (entry.domain.length === 0) {\n          throw new AuthError(\n            \"INVALID_PARAMETERS\",\n            \"Domain must not be empty.\",\n          ).toConvexError();\n        }\n        if (deduped.has(entry.domain)) {\n          throw new AuthError(\n            \"INVALID_PARAMETERS\",\n            `Duplicate domain: ${entry.domain}`,\n          ).toConvexError();\n        }\n        deduped.set(entry.domain, entry);\n      }\n\n      const nextDomains = [...deduped.values()];\n      const primaryCount = nextDomains.filter(\n        (entry) => entry.isPrimary,\n      ).length;\n      if (primaryCount > 1) {\n        throw new AuthError(\n          \"INVALID_PARAMETERS\",\n          \"Only one primary domain may be set.\",\n        ).toConvexError();\n      }\n      if (nextDomains.length > 0 && primaryCount === 0) {\n        nextDomains[0] = { ...nextDomains[0], isPrimary: true };\n      }\n\n      const currentDomains = await domainApi.list(ctx, enterpriseId);\n      const currentByDomain = new Map<string, (typeof currentDomains)[number]>(\n        currentDomains.map((entry: (typeof currentDomains)[number]) => [\n          entry.domain.toLowerCase(),\n          entry,\n        ]),\n      );\n\n      for (const existing of currentDomains) {\n        if (!deduped.has(existing.domain.toLowerCase())) {\n          await domainApi.remove(ctx, existing._id);\n        }\n      }\n\n      for (const nextDomain of nextDomains) {\n        const current = currentByDomain.get(nextDomain.domain);\n        if (current && current.isPrimary === Boolean(nextDomain.isPrimary)) {\n          continue;\n        }\n        if (current) {\n          await domainApi.remove(ctx, current._id);\n        }\n        const domainId = await domainApi.add(ctx, {\n          enterpriseId: enterprise._id,\n          groupId: enterprise.groupId,\n          domain: nextDomain.domain,\n          isPrimary: nextDomain.isPrimary,\n        });\n        if (current?.verifiedAt !== undefined) {\n          await (ctx as any).runMutation(\n            component.public.enterpriseDomainVerify,\n            {\n              domainId,\n              verifiedAt: current.verifiedAt,\n            },\n          );\n        }\n      }\n\n      const updatedDomains = await domainApi.list(ctx, enterpriseId);\n      return {\n        ok: true as const,\n        enterpriseId,\n        domains: updatedDomains.map(\n          (domain: (typeof updatedDomains)[number]) => ({\n            domainId: domain._id,\n            domain: domain.domain,\n            isPrimary: domain.isPrimary,\n            verified: domain.verifiedAt !== undefined,\n            verifiedAt: domain.verifiedAt ?? null,\n          }),\n        ),\n      };\n    };\n\n  const publicSso: PublicSsoApi = {\n    admin: {\n      ...restSso,\n      oidc: {\n        ...oidcApi,\n      },\n      saml: {\n        ...samlApi,\n      },\n      connection: {\n        ...connectionApi,\n        domain: {\n          list: domainApi.list,\n          validate: domainApi.validate,\n          set: setEnterpriseDomains,\n          verification: {\n            request: domainApi.verification.request,\n            confirm: domainApi.verification.confirm,\n          },\n        },\n      },\n      policy: restSso.policy,\n      audit: {\n        list: auditApi.list,\n      },\n      webhook: {\n        endpoint: webhookApi.endpoint,\n        delivery: {\n          list: webhookApi.delivery.list,\n        },\n      },\n    },\n    client: {\n      signIn: oidcApi.signIn,\n      metadata: samlApi.metadata,\n    },\n  };\n\n  return {\n    signIn: authResult.signIn,\n    signOut: authResult.signOut,\n    store: authResult.store,\n    user: authResult.auth.user,\n    session: authResult.auth.session,\n    provider: authResult.auth.provider,\n    account: authResult.auth.account,\n    group: authResult.auth.group,\n    member: authResult.auth.member,\n    invite: authResult.auth.invite,\n    key: authResult.auth.key,\n    sso: publicSso,\n    scim: {\n      admin: {\n        configure: scimApi.configure,\n        get: scimApi.get,\n        validate: scimApi.validate,\n      },\n    },\n    http: authResult.auth.http,\n\n    resolve: (ctx: any) => resolveAuthContext(authResult.auth, ctx),\n\n    ctx: () => ({\n      args: {},\n      input: async (ctx: any) => {\n        const authCtx = await resolveAuthContext(authResult.auth, ctx);\n        return { ctx: { auth: authCtx }, args: {} };\n      },\n    }),\n  } as unknown as ConvexAuthResult<P, TAuthorization>;\n}\n\n// ============================================================================\n// AuthCtx — ctx enrichment for customQuery / customMutation\n// ============================================================================\n\n/** Canonical user document type exposed by Convex Auth. */\nexport type UserDoc = Doc<\"User\">;\n\n/**\n * Configuration for {@link AuthCtx} context enrichment.\n *\n * @typeParam TResolve - Extra fields returned from `resolve()` and merged into\n *   the resulting `ctx.auth` object.\n */\nexport type AuthCtxConfig<\n  TResolve extends Record<string, unknown> = Record<string, never>,\n> = {\n  /** Allow unauthenticated callers and return `userId: null` / `user: null`. */\n  optional?: boolean;\n  /**\n   * Attach additional derived fields to the auth context after the user is resolved.\n   */\n  resolve?: (ctx: any, user: UserDoc) => Promise<TResolve> | TResolve;\n};\n\n/**\n * Create a context enrichment for `customQuery` / `customMutation` — optional auth.\n *\n * When `optional: true` is set, unauthenticated requests are allowed.\n * The enriched `ctx.auth` will have `userId: null` and `user: null`\n * for unauthenticated callers.\n *\n * @param auth - The auth API object returned by {@link createAuth}.\n * @param config - Configuration with `optional: true` and an optional\n *   `resolve` callback for attaching extra fields to the auth context.\n * @returns An object with `args` and `input` compatible with Convex\n *   custom function builders.\n *\n * @example\n * ```ts\n * const authCtx = AuthCtx(auth, {\n *   optional: true,\n *   resolve: async (_ctx, user) => ({ plan: user?.extend?.plan ?? null }),\n * });\n * ```\n *\n * @see {@link createAuth}\n */\nexport function AuthCtx<\n  TResolve extends Record<string, unknown> = Record<string, never>,\n>(\n  auth: AuthLike,\n  config: AuthCtxConfig<TResolve> & { optional: true },\n): {\n  args: {};\n  input: (\n    ctx: any,\n    _args: any,\n    _extra?: any,\n  ) => Promise<{\n    ctx: {\n      auth: {\n        getUserIdentity: () => Promise<UserIdentity | null>;\n        userId: GenericId<\"User\"> | null;\n        user: UserDoc | null;\n      } & TResolve;\n    };\n    args: {};\n  }>;\n};\n/**\n * Create a context enrichment for `customQuery` / `customMutation` — required auth (default).\n *\n * When `optional` is omitted or `false`, the inferred type is the authenticated\n * auth shape. At runtime this helper still resolves instead of throwing, so if\n * no user is signed in the returned `ctx.auth.userId` and `ctx.auth.user` are\n * `null`.\n *\n * @param auth - The auth API object returned by {@link createAuth}.\n * @param config - Optional configuration with a `resolve` callback\n *   for attaching extra fields to the auth context.\n * @returns An object with `args` and `input` compatible with Convex\n *   custom function builders.\n *\n * @example\n * ```ts\n * const authCtx = AuthCtx(auth, {\n *   resolve: async (_ctx, user) => ({ email: user.email }),\n * });\n * ```\n *\n * @see {@link createAuth}\n */\nexport function AuthCtx<\n  TResolve extends Record<string, unknown> = Record<string, never>,\n>(\n  auth: AuthLike,\n  config?: AuthCtxConfig<TResolve>,\n): {\n  args: {};\n  input: (\n    ctx: any,\n    _args: any,\n    _extra?: any,\n  ) => Promise<{\n    ctx: {\n      auth: {\n        getUserIdentity: () => Promise<UserIdentity | null>;\n        userId: GenericId<\"User\">;\n        user: UserDoc;\n      } & TResolve;\n    };\n    args: {};\n  }>;\n};\n// Implementation\nexport function AuthCtx(auth: AuthLike, config?: AuthCtxConfig<any>) {\n  return {\n    args: {},\n    input: async (ctx: any, _args: any, _extra?: any) => {\n      const nativeAuth = ctx.auth;\n      const modeDispatch =\n        config?.optional === true\n          ? { mode: \"optional\" as const }\n          : { mode: \"required\" as const };\n\n      const userContext = await Fx.run(\n        Fx.match(modeDispatch, modeDispatch.mode, {\n          optional: async () => {\n            const userId = await auth.user.id(ctx);\n            if (!userId) {\n              return null;\n            }\n            const user = await auth.user.get(ctx, userId);\n            return { userId, user };\n          },\n          required: async () => {\n            const userId = await auth.user.id(ctx);\n            if (!userId) {\n              return null;\n            }\n            const user = await auth.user.get(ctx, userId);\n            return { userId, user };\n          },\n        }),\n      );\n\n      if (userContext === null) {\n        return {\n          ctx: {\n            auth: {\n              getUserIdentity: nativeAuth.getUserIdentity.bind(nativeAuth),\n              userId: null,\n              user: null,\n            },\n          },\n          args: {},\n        };\n      }\n\n      const extra = config?.resolve\n        ? await config.resolve(ctx, userContext.user)\n        : {};\n\n      return {\n        ctx: {\n          auth: {\n            getUserIdentity: nativeAuth.getUserIdentity.bind(nativeAuth),\n            userId: userContext.userId,\n            user: userContext.user,\n            ...extra,\n          },\n        },\n        args: {},\n      };\n    },\n  };\n}\n\n/**\n * Extract the resolved `auth` context type from an {@link AuthCtx} instance.\n *\n * Use this to type function parameters or variables that receive the\n * enriched auth context produced by `AuthCtx`. The inferred type includes\n * `userId`, `user`, `getUserIdentity`, and any additional fields added\n * by the `resolve` callback. This is the generic utility for reusing the\n * enriched auth shape without manually duplicating conditional auth types.\n *\n * @typeParam T - An `AuthCtx` return value (must have an `input` method\n *   that returns `{ ctx: { auth: ... } }`).\n *\n * @example\n * ```ts\n * const authCtx = AuthCtx(auth, {\n *   resolve: async (ctx, user) => ({ orgId: user.orgId }),\n * });\n * type Auth = InferAuth<typeof authCtx>;\n * // Auth = { userId: Id<\"User\">; user: UserDoc; getUserIdentity: ...; orgId: string }\n * ```\n *\n * @see {@link createAuth}\n */\nexport type InferAuth<\n  T extends { input: (...args: any[]) => Promise<{ ctx: { auth: any } }> },\n> = Awaited<ReturnType<T[\"input\"]>>[\"ctx\"][\"auth\"];\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAmaA,eAAe,mBAAmB,MAAW,KAAU;CACrD,MAAM,SAAS,MAAM,KAAK,KAAK,GAAG,IAAI;AACtC,KAAI,CAAC,OAAQ,QAAO;CACpB,MAAM,OAAO,MAAM,KAAK,KAAK,IAAI,KAAK,OAAO;CAC7C,MAAM,UAAU,MAAM,KAAK,KAAK,eAAe,KAAK,EAAE,QAAQ,CAAC;CAC/D,IAAI,OAAsB;CAC1B,IAAI,SAAmB,EAAE;AACzB,KAAI,SAAS;EACX,MAAM,WAAW,MAAM,KAAK,OAAO,QAAQ,KAAK;GAAE;GAAQ;GAAS,CAAC;AACpE,MAAI,SAAS,YAAY;AACvB,UAAO,SAAS,QAAQ,MAAM;AAC9B,YAAS,SAAS;;;AAGtB,QAAO;EAAE;EAAQ;EAAM;EAAS;EAAM;EAAQ;;AAGhD,SAAgB,WAId,WACA,QAIqC;CACrC,MAAM,aAAaA,KAAY;EAC7B,GAAG;EACH;EACA,WAAW,CAAC,GAAG,OAAO,UAAU;EACjC,CAAC;CACF,MAAM,EACJ,QAAQ,WACR,MAAM,SACN,YAAY,eACZ,OAAO,UACP,SAAS,YACT,MAAM,SACN,MAAM,SACN,GAAG,YACD,WAAW,KAAK;CAOpB,MAAM,uBACJ,OACE,KACA,cACA,YACG;EACH,MAAM,aAAa,MAAM,cAAc,IAAI,KAAK,aAAa;AAC7D,MAAI,eAAe,KACjB,OAAM,IAAI,UACR,sBACA,wBACD,CAAC,eAAe;EAGnB,MAAM,aAAa,QAAQ,KAAK,WAAqC;GACnE,GAAG;GACH,QAAQ,MAAM,OAAO,MAAM,CAAC,aAAa;GAC1C,EAAE;EACH,MAAM,0BAAU,IAAI,KAA0C;AAC9D,OAAK,MAAM,SAAS,YAAY;AAC9B,OAAI,MAAM,OAAO,WAAW,EAC1B,OAAM,IAAI,UACR,sBACA,4BACD,CAAC,eAAe;AAEnB,OAAI,QAAQ,IAAI,MAAM,OAAO,CAC3B,OAAM,IAAI,UACR,sBACA,qBAAqB,MAAM,SAC5B,CAAC,eAAe;AAEnB,WAAQ,IAAI,MAAM,QAAQ,MAAM;;EAGlC,MAAM,cAAc,CAAC,GAAG,QAAQ,QAAQ,CAAC;EACzC,MAAM,eAAe,YAAY,QAC9B,UAAU,MAAM,UAClB,CAAC;AACF,MAAI,eAAe,EACjB,OAAM,IAAI,UACR,sBACA,sCACD,CAAC,eAAe;AAEnB,MAAI,YAAY,SAAS,KAAK,iBAAiB,EAC7C,aAAY,KAAK;GAAE,GAAG,YAAY;GAAI,WAAW;GAAM;EAGzD,MAAM,iBAAiB,MAAM,UAAU,KAAK,KAAK,aAAa;EAC9D,MAAM,kBAAkB,IAAI,IAC1B,eAAe,KAAK,UAA2C,CAC7D,MAAM,OAAO,aAAa,EAC1B,MACD,CAAC,CACH;AAED,OAAK,MAAM,YAAY,eACrB,KAAI,CAAC,QAAQ,IAAI,SAAS,OAAO,aAAa,CAAC,CAC7C,OAAM,UAAU,OAAO,KAAK,SAAS,IAAI;AAI7C,OAAK,MAAM,cAAc,aAAa;GACpC,MAAM,UAAU,gBAAgB,IAAI,WAAW,OAAO;AACtD,OAAI,WAAW,QAAQ,cAAc,QAAQ,WAAW,UAAU,CAChE;AAEF,OAAI,QACF,OAAM,UAAU,OAAO,KAAK,QAAQ,IAAI;GAE1C,MAAM,WAAW,MAAM,UAAU,IAAI,KAAK;IACxC,cAAc,WAAW;IACzB,SAAS,WAAW;IACpB,QAAQ,WAAW;IACnB,WAAW,WAAW;IACvB,CAAC;AACF,OAAI,SAAS,eAAe,OAC1B,OAAO,IAAY,YACjB,UAAU,OAAO,wBACjB;IACE;IACA,YAAY,QAAQ;IACrB,CACF;;AAKL,SAAO;GACL,IAAI;GACJ;GACA,UAJqB,MAAM,UAAU,KAAK,KAAK,aAAa,EAIpC,KACrB,YAA6C;IAC5C,UAAU,OAAO;IACjB,QAAQ,OAAO;IACf,WAAW,OAAO;IAClB,UAAU,OAAO,eAAe;IAChC,YAAY,OAAO,cAAc;IAClC,EACF;GACF;;CAGL,MAAM,YAA0B;EAC9B,OAAO;GACL,GAAG;GACH,MAAM,EACJ,GAAG,SACJ;GACD,MAAM,EACJ,GAAG,SACJ;GACD,YAAY;IACV,GAAG;IACH,QAAQ;KACN,MAAM,UAAU;KAChB,UAAU,UAAU;KACpB,KAAK;KACL,cAAc;MACZ,SAAS,UAAU,aAAa;MAChC,SAAS,UAAU,aAAa;MACjC;KACF;IACF;GACD,QAAQ,QAAQ;GAChB,OAAO,EACL,MAAM,SAAS,MAChB;GACD,SAAS;IACP,UAAU,WAAW;IACrB,UAAU,EACR,MAAM,WAAW,SAAS,MAC3B;IACF;GACF;EACD,QAAQ;GACN,QAAQ,QAAQ;GAChB,UAAU,QAAQ;GACnB;EACF;AAED,QAAO;EACL,QAAQ,WAAW;EACnB,SAAS,WAAW;EACpB,OAAO,WAAW;EAClB,MAAM,WAAW,KAAK;EACtB,SAAS,WAAW,KAAK;EACzB,UAAU,WAAW,KAAK;EAC1B,SAAS,WAAW,KAAK;EACzB,OAAO,WAAW,KAAK;EACvB,QAAQ,WAAW,KAAK;EACxB,QAAQ,WAAW,KAAK;EACxB,KAAK,WAAW,KAAK;EACrB,KAAK;EACL,MAAM,EACJ,OAAO;GACL,WAAW,QAAQ;GACnB,KAAK,QAAQ;GACb,UAAU,QAAQ;GACnB,EACF;EACD,MAAM,WAAW,KAAK;EAEtB,UAAU,QAAa,mBAAmB,WAAW,MAAM,IAAI;EAE/D,YAAY;GACV,MAAM,EAAE;GACR,OAAO,OAAO,QAAa;AAEzB,WAAO;KAAE,KAAK,EAAE,MADA,MAAM,mBAAmB,WAAW,MAAM,IAAI,EAC/B;KAAE,MAAM,EAAE;KAAE;;GAE9C;EACF;;AAsHH,SAAgB,QAAQ,MAAgB,QAA6B;AACnE,QAAO;EACL,MAAM,EAAE;EACR,OAAO,OAAO,KAAU,OAAY,WAAiB;GACnD,MAAM,aAAa,IAAI;GACvB,MAAM,eACJ,QAAQ,aAAa,OACjB,EAAE,MAAM,YAAqB,GAC7B,EAAE,MAAM,YAAqB;GAEnC,MAAM,cAAc,MAAM,GAAG,IAC3B,GAAG,MAAM,cAAc,aAAa,MAAM;IACxC,UAAU,YAAY;KACpB,MAAM,SAAS,MAAM,KAAK,KAAK,GAAG,IAAI;AACtC,SAAI,CAAC,OACH,QAAO;AAGT,YAAO;MAAE;MAAQ,MADJ,MAAM,KAAK,KAAK,IAAI,KAAK,OAAO;MACtB;;IAEzB,UAAU,YAAY;KACpB,MAAM,SAAS,MAAM,KAAK,KAAK,GAAG,IAAI;AACtC,SAAI,CAAC,OACH,QAAO;AAGT,YAAO;MAAE;MAAQ,MADJ,MAAM,KAAK,KAAK,IAAI,KAAK,OAAO;MACtB;;IAE1B,CAAC,CACH;AAED,OAAI,gBAAgB,KAClB,QAAO;IACL,KAAK,EACH,MAAM;KACJ,iBAAiB,WAAW,gBAAgB,KAAK,WAAW;KAC5D,QAAQ;KACR,MAAM;KACP,EACF;IACD,MAAM,EAAE;IACT;GAGH,MAAM,QAAQ,QAAQ,UAClB,MAAM,OAAO,QAAQ,KAAK,YAAY,KAAK,GAC3C,EAAE;AAEN,UAAO;IACL,KAAK,EACH,MAAM;KACJ,iBAAiB,WAAW,gBAAgB,KAAK,WAAW;KAC5D,QAAQ,YAAY;KACpB,MAAM,YAAY;KAClB,GAAG;KACJ,EACF;IACD,MAAM,EAAE;IACT;;EAEJ"}
+{"version":3,"file":"auth.js","names":["AuthFactory"],"sources":["../../src/server/auth.ts"],"sourcesContent":["/**\n * Auth configuration helpers for Convex Auth.\n *\n * @module\n */\n\nimport type { UserIdentity } from \"convex/server\";\nimport type { GenericId } from \"convex/values\";\n\nimport type { AuthApiRefs } from \"../client/index\";\nimport { Auth as AuthFactory } from \"./runtime\";\nimport { AuthError } from \"./authError\";\nimport type { Doc } from \"./types\";\nimport type {\n  AuthAuthorizationConfig,\n  AuthGrant,\n  AuthProviderConfig,\n  AuthRoleDefinition,\n  AuthRoleId,\n  ConvexAuthConfig,\n  HasDeviceProvider,\n  HasPasskeyProvider,\n  HasSSO,\n  HasTotpProvider,\n} from \"./types\";\n\n// ============================================================================\n// Types\n// ============================================================================\n\n/**\n * Config for auth setup. Extends the standard auth config\n * minus `component` (which is passed as the first constructor argument).\n */\nexport type AuthConfig = Omit<ConvexAuthConfig, \"component\">;\n\n/** Canonical user document type exposed by Convex Auth. */\nexport type UserDoc = Doc<\"User\">;\n\ntype MemberApiWithAuthorization<\n  TAuthorization extends AuthAuthorizationConfig | undefined,\n> = Omit<\n  ReturnType<typeof AuthFactory>[\"auth\"][\"member\"],\n  \"create\" | \"list\" | \"update\" | \"resolve\"\n> & {\n  create: (\n    ctx: Parameters<\n      ReturnType<typeof AuthFactory>[\"auth\"][\"member\"][\"create\"]\n    >[0],\n    data: {\n      groupId: string;\n      userId: string;\n      roleIds?: AuthRoleId<TAuthorization>[];\n      status?: string;\n      extend?: Record<string, unknown>;\n    },\n  ) => Promise<{ ok: true; memberId: string }>;\n  list: (\n    ctx: Parameters<\n      ReturnType<typeof AuthFactory>[\"auth\"][\"member\"][\"list\"]\n    >[0],\n    opts?: {\n      where?: {\n        groupId?: string;\n        userId?: string;\n        roleId?: AuthRoleId<TAuthorization>;\n        status?: string;\n      };\n      limit?: number;\n      cursor?: string | null;\n      orderBy?: \"_creationTime\" | \"status\";\n      order?: \"asc\" | \"desc\";\n    },\n  ) => ReturnType<ReturnType<typeof AuthFactory>[\"auth\"][\"member\"][\"list\"]>;\n  update: (\n    ctx: Parameters<\n      ReturnType<typeof AuthFactory>[\"auth\"][\"member\"][\"update\"]\n    >[0],\n    memberId: string,\n    data: Record<string, unknown> & { roleIds?: AuthRoleId<TAuthorization>[] },\n  ) => Promise<{ ok: true; memberId: string }>;\n  resolve: (\n    ctx: Parameters<\n      ReturnType<typeof AuthFactory>[\"auth\"][\"member\"][\"resolve\"]\n    >[0],\n    opts: {\n      userId: string;\n      groupId: string;\n      ancestry?: boolean;\n      roleIds?: AuthRoleId<TAuthorization>[];\n      grants?: AuthGrant<TAuthorization>[];\n      maxDepth?: number;\n    },\n  ) => ReturnType<ReturnType<typeof AuthFactory>[\"auth\"][\"member\"][\"resolve\"]>;\n};\n\n\n/**\n * The base auth API surface returned by {@link createAuth}.\n *\n * Provides core namespaces — `signIn`, `signOut`, `user`, `session`,\n * `member`, `invite`, `group`, `key`, and `http` — that are\n * always available regardless of which providers are configured.\n * Enterprise namespaces (`sso`, `scim`) are added conditionally by\n * {@link AuthApi} when an SSO provider is present.\n *\n * Use this type when you want to describe code that only depends on the\n * standard auth surface and should not assume enterprise features exist.\n *\n * @typeParam TAuthorization - The authorization config, used to narrow\n *   role IDs and grant strings on the `member` API.\n */\nexport type AuthApiBase<\n  TAuthorization extends AuthAuthorizationConfig | undefined = undefined,\n> = {\n  signIn: ReturnType<typeof AuthFactory>[\"signIn\"];\n  signOut: ReturnType<typeof AuthFactory>[\"signOut\"];\n  store: ReturnType<typeof AuthFactory>[\"store\"];\n  user: ReturnType<typeof AuthFactory>[\"auth\"][\"user\"];\n  session: ReturnType<typeof AuthFactory>[\"auth\"][\"session\"];\n  provider: ReturnType<typeof AuthFactory>[\"auth\"][\"provider\"];\n  account: ReturnType<typeof AuthFactory>[\"auth\"][\"account\"];\n  group: ReturnType<typeof AuthFactory>[\"auth\"][\"group\"];\n  member: MemberApiWithAuthorization<TAuthorization>;\n  invite: ReturnType<typeof AuthFactory>[\"auth\"][\"invite\"];\n  key: ReturnType<typeof AuthFactory>[\"auth\"][\"key\"];\n  http: ReturnType<typeof AuthFactory>[\"auth\"][\"http\"];\n  /**\n   * Resolve the current user's auth context. Framework-agnostic — use\n   * this in fluent-convex middleware, custom wrappers, or anywhere you\n   * need the resolved `{ userId, user, groupId, role, grants }` object.\n   *\n   * Returns `null` when unauthenticated. Does not throw.\n   *\n   * @param ctx - Convex query, mutation, or action context.\n   * @returns The resolved auth context, or `null`.\n   *\n   * @example fluent-convex middleware\n   * ```ts\n   * const withAuth = convex.createMiddleware(async (ctx, next) => {\n   *   return next({ ...ctx, auth: await auth.resolve(ctx) });\n   * });\n   * ```\n   *\n   * @example Direct usage in a handler\n   * ```ts\n   * const resolved = await auth.resolve(ctx);\n   * if (!resolved) return { ok: false, code: \"NOT_SIGNED_IN\" };\n   * const { userId, grants } = resolved;\n   * ```\n   */\n  resolve: (ctx: any) => Promise<AuthResolvedContext | null>;\n  /**\n   * Context enrichment for convex-helpers `customQuery` / `customMutation` /\n   * `customAction`.\n   *\n   * Resolves the current user's identity, active group, membership role,\n   * and grants, then attaches them to `ctx.auth`. Returns a `Customization`\n   * object compatible with convex-helpers' custom function builders.\n   *\n   * `ctx.auth` is `{ userId, user, groupId, role, grants }` when\n   * authenticated, `null` when unauthenticated. No throwing — your\n   * handler decides how to respond.\n   *\n   * @returns A convex-helpers `Customization` object.\n   *\n   * @example One-time setup in `convex/functions.ts`\n   * ```ts\n   * import { query, mutation, action } from \"./_generated/server\";\n   * import { customQuery, customMutation, customAction } from \"convex-helpers/server/customFunctions\";\n   * import { auth } from \"./auth\";\n   *\n   * export const authQuery = customQuery(query, auth.ctx());\n   * export const authMutation = customMutation(mutation, auth.ctx());\n   * export const authAction = customAction(action, auth.ctx());\n   * ```\n   *\n   * @example Per-function usage\n   * ```ts\n   * import { authQuery } from \"./functions\";\n   *\n   * export const list = authQuery({\n   *   args: { workspaceId: v.string() },\n   *   handler: async (ctx, args) => {\n   *     if (!ctx.auth) return [];\n   *     const { userId, groupId, grants } = ctx.auth;\n   *     // business logic\n   *   },\n   * });\n   * ```\n   */\n  ctx: () => {\n    args: Record<string, never>;\n    input: (ctx: any) => Promise<{\n      ctx: { auth: AuthResolvedContext | null };\n      args: Record<string, never>;\n    }>;\n  };\n};\n\n/**\n * Resolved auth context injected into `ctx.auth` by `auth.ctx()` and\n * {@link AuthCtx}. Also the expected return shape for custom\n * {@link AuthCtxConfig.authResolve | authResolve} hooks.\n *\n * - `null` when unauthenticated.\n * - `groupId` is `null` when the user has no active group set.\n * - `role` / `grants` are `null` / `[]` when no active group or no membership.\n *\n * @example\n * ```ts\n * import type { AuthResolvedContext } from \"@robelest/convex-auth/server\";\n *\n * const mockAuth: AuthResolvedContext = {\n *   userId: \"user123\" as Id<\"User\">,\n *   user: { _id: \"user123\", email: \"test@example.com\" },\n *   groupId: \"group456\",\n *   role: \"admin\",\n *   grants: [\"read\", \"write\"],\n * };\n * ```\n */\nexport type AuthResolvedContext = {\n  /** The authenticated user's document ID. */\n  userId: GenericId<\"User\">;\n  /** The authenticated user's full document. */\n  user: UserDoc;\n  /** The user's active group ID, or `null` if none set. */\n  groupId: string | null;\n  /** The user's primary role in the active group, or `null`. */\n  role: string | null;\n  /** Resolved grant strings from the user's role definitions. */\n  grants: string[];\n};\n\ntype AuthCtxBase = {\n  getUserIdentity: () => Promise<UserIdentity | null>;\n};\n\ntype RequiredAuthCtxState = AuthCtxBase & AuthResolvedContext;\n\ntype OptionalAuthCtxState = AuthCtxBase & {\n  userId: GenericId<\"User\"> | null;\n  user: UserDoc | null;\n  groupId: string | null;\n  role: string | null;\n  grants: string[];\n};\n\ntype InternalSsoApi = ReturnType<typeof AuthFactory>[\"auth\"][\"sso\"];\n\ntype PublicSsoAdminApi = {\n  connection: InternalSsoApi[\"connection\"] & {\n    domain: {\n      list: InternalSsoApi[\"domain\"][\"list\"];\n      validate: InternalSsoApi[\"domain\"][\"validate\"];\n      set: (\n        ctx: Parameters<InternalSsoApi[\"connection\"][\"create\"]>[0],\n        enterpriseId: string,\n        domains: Array<{\n          domain: string;\n          isPrimary?: boolean;\n        }>,\n      ) => Promise<{\n        ok: true;\n        enterpriseId: string;\n        domains: Array<{\n          domainId: string;\n          domain: string;\n          isPrimary: boolean;\n          verified: boolean;\n          verifiedAt: number | null;\n        }>;\n      }>;\n      verification: {\n        request: (\n          ctx: Parameters<InternalSsoApi[\"connection\"][\"create\"]>[0],\n          args: { enterpriseId: string; domain: string },\n        ) => Promise<{\n          ok: true;\n          enterpriseId: string;\n          domain: string;\n          requestedAt: number;\n          expiresAt: number;\n          challenge: {\n            recordType: \"TXT\";\n            recordName: string;\n            recordValue: string;\n          };\n        }>;\n        confirm: (\n          ctx: Parameters<InternalSsoApi[\"connection\"][\"create\"]>[0],\n          args: { enterpriseId: string; domain: string },\n        ) => Promise<{\n          ok: boolean;\n          enterpriseId: string;\n          domain: string;\n          verifiedAt?: number;\n          checks: Array<{ name: string; ok: boolean; message?: string }>;\n        }>;\n      };\n    };\n  };\n  oidc: Omit<InternalSsoApi[\"oidc\"], \"signIn\">;\n  saml: Omit<InternalSsoApi[\"saml\"], \"metadata\">;\n  policy: InternalSsoApi[\"policy\"];\n  audit: {\n    list: InternalSsoApi[\"audit\"][\"list\"];\n  };\n  webhook: {\n    endpoint: InternalSsoApi[\"webhook\"][\"endpoint\"];\n    delivery: {\n      list: InternalSsoApi[\"webhook\"][\"delivery\"][\"list\"];\n    };\n  };\n};\n\ntype PublicSsoClientApi = {\n  signIn: InternalSsoApi[\"oidc\"][\"signIn\"];\n  metadata: InternalSsoApi[\"saml\"][\"metadata\"];\n};\n\ntype PublicSsoApi = {\n  admin: PublicSsoAdminApi;\n  client: PublicSsoClientApi;\n};\n\ntype PublicScimApi = {\n  admin: Omit<InternalSsoApi[\"scim\"], \"getConfigByToken\" | \"identity\">;\n};\n\n/**\n * Extended auth API that includes enterprise SSO and SCIM namespaces.\n *\n * This type is the union of {@link AuthApiBase} plus `sso` (SSO connection\n * management, OIDC/SAML, domain verification, policies, audit, webhooks)\n * and `scim` (SCIM provisioning configuration). It is returned by\n * {@link createAuth} only when `new SSO()` is included in the providers\n * array; otherwise the narrower {@link AuthApiBase} is returned instead.\n * Attempting to access `auth.sso` or `auth.scim` without an SSO provider\n * produces a compile-time error because the return type narrows back to\n * {@link AuthApiBase}.\n *\n * @typeParam TAuthorization - The authorization config, forwarded to\n *   {@link AuthApiBase} for typed role IDs and grant strings.\n */\nexport type AuthApi<\n  TAuthorization extends AuthAuthorizationConfig | undefined = undefined,\n> = AuthApiBase<TAuthorization> & {\n  sso: PublicSsoApi;\n  scim: PublicScimApi;\n};\n\n/**\n * The return type of {@link createAuth}.\n *\n * Resolves to {@link AuthApi} (with `sso` and `scim` namespaces) when\n * `new SSO()` is present in the providers array, or to the narrower\n * {@link AuthApiBase} otherwise. This conditional type ensures that\n * enterprise-only APIs are only accessible when the SSO provider is\n * configured, producing a compile-time error if you try to access\n * `auth.sso` without it.\n * This lets application code keep a single `createAuth()` call while still\n * getting provider-aware typing on the resulting API object.\n *\n * @typeParam P - The tuple of provider configs passed to `createAuth`.\n * @typeParam TAuthorization - Optional authorization config for typed roles/grants.\n */\nexport type ConvexAuthResult<\n  P extends AuthProviderConfig[],\n  TAuthorization extends AuthAuthorizationConfig | undefined = undefined,\n> =\n  HasSSO<P> extends true\n    ? AuthApi<TAuthorization>\n    : AuthApiBase<TAuthorization>;\n\n/**\n * Infer the typed `AuthApiRefs` for the client SDK from a `createAuth` call.\n *\n * Use this as the generic parameter for `client()` on the frontend:\n *\n * ```ts\n * // convex/auth.ts\n * export const auth = createAuth(components.auth, { providers: [...] });\n *\n * // Frontend\n * import type { auth } from \"../convex/auth\";\n * import type { InferClientApi } from \"@robelest/convex-auth/server\";\n * const c = client<InferClientApi<typeof auth>>({ convex, api: api.auth });\n * ```\n *\n * @typeParam T - A ConvexAuthResult to extract the client API from.\n */\nexport type InferClientApi<T> =\n  T extends ConvexAuthResult<infer P>\n    ? AuthApiRefs<\n        HasPasskeyProvider<P>,\n        HasTotpProvider<P>,\n        HasDeviceProvider<P>\n      >\n    : AuthApiRefs;\n\n/** @internal */\nexport type AuthLike = Pick<AuthApiBase, \"user\" | \"member\">;\n\n// ============================================================================\n// Auth setup APIs\n// ============================================================================\n\n/**\n * Create an auth API object.\n *\n * When `new SSO()` is included in providers, `auth.sso` and `auth.scim`\n * are available on the returned object. Without it, those namespaces are\n * absent and accessing them is a TypeScript compile error.\n *\n * @param component - The installed auth component reference from\n *   `components.auth` in your Convex app definition.\n * @param config - Auth configuration including `providers` and optional\n *   `authorization`. All fields from {@link AuthConfig} are accepted\n *   except `component` (passed as the first argument).\n * @returns A {@link ConvexAuthResult} object — either {@link AuthApi}\n *   (with `sso`/`scim`) or {@link AuthApiBase}, depending on whether\n *   an SSO provider is present.\n *\n * @example\n * ```ts\n * export const auth = createAuth(components.auth, {\n *   providers: [password(), google()],\n *   authorization: { roles },\n * });\n * ```\n *\n * @see {@link AuthCtx}\n */\n\n// ---------------------------------------------------------------------------\n// Function builders — shared auth resolution logic\n// ---------------------------------------------------------------------------\n\n/**\n * Resolve auth context for the current user. Returns the enriched\n * `ctx.auth` object or `null` when unauthenticated.\n *\n * Resolution flow:\n * 1. `user.id(ctx)` → userId or null (exit early)\n * 2. `user.get(ctx, userId)` → user doc (cached per-execution)\n * 3. `user.getActiveGroup(ctx, { userId })` → groupId or null\n * 4. If groupId → `member.resolve(ctx, { userId, groupId })` → role + grants\n */\nasync function resolveAuthContext(auth: AuthLike, ctx: any) {\n  const userId = await auth.user.id(ctx);\n  if (!userId) return null;\n  const user = await auth.user.get(ctx, userId);\n  const groupId = await auth.user.getActiveGroup(ctx, { userId });\n  let role: string | null = null;\n  let grants: string[] = [];\n  if (groupId) {\n    const resolved = await auth.member.resolve(ctx, { userId, groupId });\n    if (resolved.membership) {\n      role = resolved.roleIds[0] ?? null;\n      grants = resolved.grants;\n    }\n  }\n  return { userId, user, groupId, role, grants };\n}\n\nexport function createAuth<\n  P extends AuthProviderConfig[],\n  TAuthorization extends AuthAuthorizationConfig | undefined = undefined,\n>(\n  component: ConvexAuthConfig[\"component\"],\n  config: Omit<AuthConfig, \"providers\" | \"authorization\"> & {\n    providers: P;\n    authorization?: TAuthorization;\n  },\n): ConvexAuthResult<P, TAuthorization> {\n  const authResult = AuthFactory({\n    ...config,\n    component,\n    providers: [...config.providers],\n  });\n  const {\n    domain: domainApi,\n    scim: scimApi,\n    connection: connectionApi,\n    audit: auditApi,\n    webhook: webhookApi,\n    oidc: oidcApi,\n    saml: samlApi,\n    ...restSso\n  } = authResult.auth.sso as InternalSsoApi;\n\n  type SetEnterpriseDomains = PublicSsoAdminApi[\"connection\"][\"domain\"][\"set\"];\n  type EnterpriseDomainInput = Array<{\n    domain: string;\n    isPrimary?: boolean;\n  }>;\n  const setEnterpriseDomains: PublicSsoAdminApi[\"connection\"][\"domain\"][\"set\"] =\n    async (\n      ctx: Parameters<SetEnterpriseDomains>[0],\n      enterpriseId: Parameters<SetEnterpriseDomains>[1],\n      domains: EnterpriseDomainInput,\n    ) => {\n      const enterprise = await connectionApi.get(ctx, enterpriseId);\n      if (enterprise === null) {\n        throw new AuthError(\n          \"INVALID_PARAMETERS\",\n          \"Enterprise not found.\",\n        ).toConvexError();\n      }\n\n      const normalized = domains.map((entry: (typeof domains)[number]) => ({\n        ...entry,\n        domain: entry.domain.trim().toLowerCase(),\n      }));\n      const deduped = new Map<string, (typeof normalized)[number]>();\n      for (const entry of normalized) {\n        if (entry.domain.length === 0) {\n          throw new AuthError(\n            \"INVALID_PARAMETERS\",\n            \"Domain must not be empty.\",\n          ).toConvexError();\n        }\n        if (deduped.has(entry.domain)) {\n          throw new AuthError(\n            \"INVALID_PARAMETERS\",\n            `Duplicate domain: ${entry.domain}`,\n          ).toConvexError();\n        }\n        deduped.set(entry.domain, entry);\n      }\n\n      const nextDomains = [...deduped.values()];\n      const primaryCount = nextDomains.filter(\n        (entry) => entry.isPrimary,\n      ).length;\n      if (primaryCount > 1) {\n        throw new AuthError(\n          \"INVALID_PARAMETERS\",\n          \"Only one primary domain may be set.\",\n        ).toConvexError();\n      }\n      if (nextDomains.length > 0 && primaryCount === 0) {\n        nextDomains[0] = { ...nextDomains[0], isPrimary: true };\n      }\n\n      const currentDomains = await domainApi.list(ctx, enterpriseId);\n      const currentByDomain = new Map<string, (typeof currentDomains)[number]>(\n        currentDomains.map((entry: (typeof currentDomains)[number]) => [\n          entry.domain.toLowerCase(),\n          entry,\n        ]),\n      );\n\n      for (const existing of currentDomains) {\n        if (!deduped.has(existing.domain.toLowerCase())) {\n          await domainApi.remove(ctx, existing._id);\n        }\n      }\n\n      for (const nextDomain of nextDomains) {\n        const current = currentByDomain.get(nextDomain.domain);\n        if (current && current.isPrimary === Boolean(nextDomain.isPrimary)) {\n          continue;\n        }\n        if (current) {\n          await domainApi.remove(ctx, current._id);\n        }\n        const domainId = await domainApi.add(ctx, {\n          enterpriseId: enterprise._id,\n          groupId: enterprise.groupId,\n          domain: nextDomain.domain,\n          isPrimary: nextDomain.isPrimary,\n        });\n        if (current?.verifiedAt !== undefined) {\n          await (ctx as any).runMutation(\n            component.public.enterpriseDomainVerify,\n            {\n              domainId,\n              verifiedAt: current.verifiedAt,\n            },\n          );\n        }\n      }\n\n      const updatedDomains = await domainApi.list(ctx, enterpriseId);\n      return {\n        ok: true as const,\n        enterpriseId,\n        domains: updatedDomains.map(\n          (domain: (typeof updatedDomains)[number]) => ({\n            domainId: domain._id,\n            domain: domain.domain,\n            isPrimary: domain.isPrimary,\n            verified: domain.verifiedAt !== undefined,\n            verifiedAt: domain.verifiedAt ?? null,\n          }),\n        ),\n      };\n    };\n\n  const publicSso: PublicSsoApi = {\n    admin: {\n      ...restSso,\n      oidc: {\n        ...oidcApi,\n      },\n      saml: {\n        ...samlApi,\n      },\n      connection: {\n        ...connectionApi,\n        domain: {\n          list: domainApi.list,\n          validate: domainApi.validate,\n          set: setEnterpriseDomains,\n          verification: {\n            request: domainApi.verification.request,\n            confirm: domainApi.verification.confirm,\n          },\n        },\n      },\n      policy: restSso.policy,\n      audit: {\n        list: auditApi.list,\n      },\n      webhook: {\n        endpoint: webhookApi.endpoint,\n        delivery: {\n          list: webhookApi.delivery.list,\n        },\n      },\n    },\n    client: {\n      signIn: oidcApi.signIn,\n      metadata: samlApi.metadata,\n    },\n  };\n\n  return {\n    signIn: authResult.signIn,\n    signOut: authResult.signOut,\n    store: authResult.store,\n    user: authResult.auth.user,\n    session: authResult.auth.session,\n    provider: authResult.auth.provider,\n    account: authResult.auth.account,\n    group: authResult.auth.group,\n    member: authResult.auth.member,\n    invite: authResult.auth.invite,\n    key: authResult.auth.key,\n    sso: publicSso,\n    scim: {\n      admin: {\n        configure: scimApi.configure,\n        get: scimApi.get,\n        validate: scimApi.validate,\n      },\n    },\n    http: authResult.auth.http,\n\n    resolve: (ctx: any) => resolveAuthContext(authResult.auth, ctx),\n\n    ctx: () => ({\n      args: {},\n      input: async (ctx: any) => {\n        const authCtx = await resolveAuthContext(authResult.auth, ctx);\n        return { ctx: { auth: authCtx }, args: {} };\n      },\n    }),\n  } as unknown as ConvexAuthResult<P, TAuthorization>;\n}\n\n// ============================================================================\n// AuthCtx — ctx enrichment for customQuery / customMutation\n// ============================================================================\n\n/**\n * Configuration for {@link AuthCtx} context enrichment.\n *\n * @typeParam TResolve - Extra fields returned from `resolve()` and merged into\n *   the resulting `ctx.auth` object.\n */\nexport type AuthCtxConfig<\n  TResolve extends Record<string, unknown> = Record<string, never>,\n> = {\n  /** Allow unauthenticated callers and return `userId: null` / `user: null`. */\n  optional?: boolean;\n  /**\n   * Attach additional derived fields to the auth context after the base auth\n   * context is resolved.\n   */\n  resolve?: (\n    ctx: any,\n    user: UserDoc,\n    auth: AuthResolvedContext,\n  ) => Promise<TResolve> | TResolve;\n  /**\n   * Override or wrap the base auth resolution used by {@link AuthCtx}.\n   *\n   * Return `undefined` to fall back to the built-in resolver,\n   * `null` for an explicit unauthenticated state, or an\n   * {@link AuthResolvedContext} object to provide a pre-resolved auth state.\n   * This is useful for tests, proxy auth, impersonation flows, or any\n   * environment that needs to inject auth without depending on the standard\n   * Convex auth tables.\n   *\n   * @param ctx - The Convex function context.\n   * @param fallback - The built-in auth resolver used by {@link AuthCtx}.\n   * @returns Resolved auth state, `null`, or `undefined` to use the fallback.\n   *\n   * @example\n   * ```ts\n   * const authCtx = AuthCtx(auth, {\n   *   authResolve: async (ctx, fallback) => {\n   *     const injected = getInjectedAuth(ctx);\n   *     return injected ?? (await fallback());\n   *   },\n   * });\n   * ```\n   */\n  authResolve?: (\n    ctx: any,\n    fallback: () => Promise<AuthResolvedContext | null>,\n  ) =>\n    | Promise<AuthResolvedContext | null | undefined>\n    | AuthResolvedContext\n    | null\n    | undefined;\n};\n\n/**\n * Create a context enrichment for `customQuery` / `customMutation` — optional auth.\n *\n * When `optional: true` is set, unauthenticated requests are allowed.\n * The enriched `ctx.auth` will have `userId: null`, `user: null`,\n * `groupId: null`, `role: null`, and `grants: []` for unauthenticated callers.\n *\n * @param auth - The auth API object returned by {@link createAuth}.\n * @param config - Configuration with `optional: true` and an optional\n *   `resolve` callback for attaching extra fields to the auth context.\n * @returns An object with `args` and `input` compatible with Convex\n *   custom function builders.\n *\n * @example\n * ```ts\n * const authCtx = AuthCtx(auth, {\n *   optional: true,\n *   resolve: async (_ctx, user) => ({ plan: user?.extend?.plan ?? null }),\n * });\n * ```\n *\n * @see {@link createAuth}\n */\nexport function AuthCtx<\n  TResolve extends Record<string, unknown> = Record<string, never>,\n>(\n  auth: AuthLike,\n  config: AuthCtxConfig<TResolve> & { optional: true },\n): {\n  args: {};\n  input: (\n    ctx: any,\n    _args: any,\n    _extra?: any,\n  ) => Promise<{\n    ctx: {\n      auth: OptionalAuthCtxState & TResolve;\n    };\n    args: {};\n  }>;\n};\n/**\n * Create a context enrichment for `customQuery` / `customMutation` — required auth (default).\n *\n * When `optional` is omitted or `false`, the inferred type is the authenticated\n * auth shape. At runtime this helper still resolves instead of throwing, so if\n * no user is signed in the returned `ctx.auth.userId` / `ctx.auth.user` are\n * `null`, `ctx.auth.groupId` / `ctx.auth.role` are `null`, and\n * `ctx.auth.grants` is `[]`.\n *\n * @param auth - The auth API object returned by {@link createAuth}.\n * @param config - Optional configuration with a `resolve` callback\n *   for attaching extra fields to the auth context.\n * @returns An object with `args` and `input` compatible with Convex\n *   custom function builders.\n *\n * @example\n * ```ts\n * const authCtx = AuthCtx(auth, {\n *   resolve: async (_ctx, user) => ({ email: user.email }),\n * });\n * ```\n *\n * @see {@link createAuth}\n */\nexport function AuthCtx<\n  TResolve extends Record<string, unknown> = Record<string, never>,\n>(\n  auth: AuthLike,\n  config?: AuthCtxConfig<TResolve>,\n): {\n  args: {};\n  input: (\n    ctx: any,\n    _args: any,\n    _extra?: any,\n  ) => Promise<{\n    ctx: {\n      auth: RequiredAuthCtxState & TResolve;\n    };\n    args: {};\n  }>;\n};\n// Implementation\nexport function AuthCtx(auth: AuthLike, config?: AuthCtxConfig<any>) {\n  return {\n    args: {},\n    input: async (ctx: any, _args: any, _extra?: any) => {\n      const nativeAuth = ctx.auth;\n      const getUserIdentity = nativeAuth.getUserIdentity.bind(nativeAuth);\n      const fallback = () => resolveAuthContext(auth, ctx);\n\n      const authOverride = config?.authResolve\n        ? await config.authResolve(ctx, fallback)\n        : undefined;\n      const resolved =\n        authOverride === undefined ? await fallback() : authOverride;\n\n      if (resolved === null) {\n        return {\n          ctx: {\n            auth: {\n              getUserIdentity,\n              userId: null,\n              user: null,\n              groupId: null,\n              role: null,\n              grants: [],\n            },\n          },\n          args: {},\n        };\n      }\n\n      const extra = config?.resolve\n        ? await config.resolve(ctx, resolved.user, resolved)\n        : {};\n\n      return {\n        ctx: {\n          auth: {\n            getUserIdentity,\n            ...resolved,\n            ...extra,\n          },\n        },\n        args: {},\n      };\n    },\n  };\n}\n\n/**\n * Extract the resolved `auth` context type from an {@link AuthCtx} instance.\n *\n * Use this to type function parameters or variables that receive the\n * enriched auth context produced by `AuthCtx`. The inferred type includes\n * `userId`, `user`, `groupId`, `role`, `grants`, `getUserIdentity`, and any\n * additional fields added by the `resolve` callback. This is the generic\n * utility for reusing the enriched auth shape without manually duplicating\n * conditional auth types.\n *\n * @typeParam T - An `AuthCtx` return value (must have an `input` method\n *   that returns `{ ctx: { auth: ... } }`).\n *\n * @example\n * ```ts\n * const authCtx = AuthCtx(auth, {\n *   resolve: async (ctx, user) => ({ orgId: user.orgId }),\n * });\n * type Auth = InferAuth<typeof authCtx>;\n * // Auth = { userId: Id<\"User\">; user: UserDoc; getUserIdentity: ...; orgId: string }\n * ```\n *\n * @see {@link createAuth}\n */\nexport type InferAuth<\n  T extends { input: (...args: any[]) => Promise<{ ctx: { auth: any } }> },\n> = Awaited<ReturnType<T[\"input\"]>>[\"ctx\"][\"auth\"];\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAkcA,eAAe,mBAAmB,MAAgB,KAAU;CAC1D,MAAM,SAAS,MAAM,KAAK,KAAK,GAAG,IAAI;AACtC,KAAI,CAAC,OAAQ,QAAO;CACpB,MAAM,OAAO,MAAM,KAAK,KAAK,IAAI,KAAK,OAAO;CAC7C,MAAM,UAAU,MAAM,KAAK,KAAK,eAAe,KAAK,EAAE,QAAQ,CAAC;CAC/D,IAAI,OAAsB;CAC1B,IAAI,SAAmB,EAAE;AACzB,KAAI,SAAS;EACX,MAAM,WAAW,MAAM,KAAK,OAAO,QAAQ,KAAK;GAAE;GAAQ;GAAS,CAAC;AACpE,MAAI,SAAS,YAAY;AACvB,UAAO,SAAS,QAAQ,MAAM;AAC9B,YAAS,SAAS;;;AAGtB,QAAO;EAAE;EAAQ;EAAM;EAAS;EAAM;EAAQ;;AAGhD,SAAgB,WAId,WACA,QAIqC;CACrC,MAAM,aAAaA,KAAY;EAC7B,GAAG;EACH;EACA,WAAW,CAAC,GAAG,OAAO,UAAU;EACjC,CAAC;CACF,MAAM,EACJ,QAAQ,WACR,MAAM,SACN,YAAY,eACZ,OAAO,UACP,SAAS,YACT,MAAM,SACN,MAAM,SACN,GAAG,YACD,WAAW,KAAK;CAOpB,MAAM,uBACJ,OACE,KACA,cACA,YACG;EACH,MAAM,aAAa,MAAM,cAAc,IAAI,KAAK,aAAa;AAC7D,MAAI,eAAe,KACjB,OAAM,IAAI,UACR,sBACA,wBACD,CAAC,eAAe;EAGnB,MAAM,aAAa,QAAQ,KAAK,WAAqC;GACnE,GAAG;GACH,QAAQ,MAAM,OAAO,MAAM,CAAC,aAAa;GAC1C,EAAE;EACH,MAAM,0BAAU,IAAI,KAA0C;AAC9D,OAAK,MAAM,SAAS,YAAY;AAC9B,OAAI,MAAM,OAAO,WAAW,EAC1B,OAAM,IAAI,UACR,sBACA,4BACD,CAAC,eAAe;AAEnB,OAAI,QAAQ,IAAI,MAAM,OAAO,CAC3B,OAAM,IAAI,UACR,sBACA,qBAAqB,MAAM,SAC5B,CAAC,eAAe;AAEnB,WAAQ,IAAI,MAAM,QAAQ,MAAM;;EAGlC,MAAM,cAAc,CAAC,GAAG,QAAQ,QAAQ,CAAC;EACzC,MAAM,eAAe,YAAY,QAC9B,UAAU,MAAM,UAClB,CAAC;AACF,MAAI,eAAe,EACjB,OAAM,IAAI,UACR,sBACA,sCACD,CAAC,eAAe;AAEnB,MAAI,YAAY,SAAS,KAAK,iBAAiB,EAC7C,aAAY,KAAK;GAAE,GAAG,YAAY;GAAI,WAAW;GAAM;EAGzD,MAAM,iBAAiB,MAAM,UAAU,KAAK,KAAK,aAAa;EAC9D,MAAM,kBAAkB,IAAI,IAC1B,eAAe,KAAK,UAA2C,CAC7D,MAAM,OAAO,aAAa,EAC1B,MACD,CAAC,CACH;AAED,OAAK,MAAM,YAAY,eACrB,KAAI,CAAC,QAAQ,IAAI,SAAS,OAAO,aAAa,CAAC,CAC7C,OAAM,UAAU,OAAO,KAAK,SAAS,IAAI;AAI7C,OAAK,MAAM,cAAc,aAAa;GACpC,MAAM,UAAU,gBAAgB,IAAI,WAAW,OAAO;AACtD,OAAI,WAAW,QAAQ,cAAc,QAAQ,WAAW,UAAU,CAChE;AAEF,OAAI,QACF,OAAM,UAAU,OAAO,KAAK,QAAQ,IAAI;GAE1C,MAAM,WAAW,MAAM,UAAU,IAAI,KAAK;IACxC,cAAc,WAAW;IACzB,SAAS,WAAW;IACpB,QAAQ,WAAW;IACnB,WAAW,WAAW;IACvB,CAAC;AACF,OAAI,SAAS,eAAe,OAC1B,OAAO,IAAY,YACjB,UAAU,OAAO,wBACjB;IACE;IACA,YAAY,QAAQ;IACrB,CACF;;AAKL,SAAO;GACL,IAAI;GACJ;GACA,UAJqB,MAAM,UAAU,KAAK,KAAK,aAAa,EAIpC,KACrB,YAA6C;IAC5C,UAAU,OAAO;IACjB,QAAQ,OAAO;IACf,WAAW,OAAO;IAClB,UAAU,OAAO,eAAe;IAChC,YAAY,OAAO,cAAc;IAClC,EACF;GACF;;CAGL,MAAM,YAA0B;EAC9B,OAAO;GACL,GAAG;GACH,MAAM,EACJ,GAAG,SACJ;GACD,MAAM,EACJ,GAAG,SACJ;GACD,YAAY;IACV,GAAG;IACH,QAAQ;KACN,MAAM,UAAU;KAChB,UAAU,UAAU;KACpB,KAAK;KACL,cAAc;MACZ,SAAS,UAAU,aAAa;MAChC,SAAS,UAAU,aAAa;MACjC;KACF;IACF;GACD,QAAQ,QAAQ;GAChB,OAAO,EACL,MAAM,SAAS,MAChB;GACD,SAAS;IACP,UAAU,WAAW;IACrB,UAAU,EACR,MAAM,WAAW,SAAS,MAC3B;IACF;GACF;EACD,QAAQ;GACN,QAAQ,QAAQ;GAChB,UAAU,QAAQ;GACnB;EACF;AAED,QAAO;EACL,QAAQ,WAAW;EACnB,SAAS,WAAW;EACpB,OAAO,WAAW;EAClB,MAAM,WAAW,KAAK;EACtB,SAAS,WAAW,KAAK;EACzB,UAAU,WAAW,KAAK;EAC1B,SAAS,WAAW,KAAK;EACzB,OAAO,WAAW,KAAK;EACvB,QAAQ,WAAW,KAAK;EACxB,QAAQ,WAAW,KAAK;EACxB,KAAK,WAAW,KAAK;EACrB,KAAK;EACL,MAAM,EACJ,OAAO;GACL,WAAW,QAAQ;GACnB,KAAK,QAAQ;GACb,UAAU,QAAQ;GACnB,EACF;EACD,MAAM,WAAW,KAAK;EAEtB,UAAU,QAAa,mBAAmB,WAAW,MAAM,IAAI;EAE/D,YAAY;GACV,MAAM,EAAE;GACR,OAAO,OAAO,QAAa;AAEzB,WAAO;KAAE,KAAK,EAAE,MADA,MAAM,mBAAmB,WAAW,MAAM,IAAI,EAC/B;KAAE,MAAM,EAAE;KAAE;;GAE9C;EACF;;AAiJH,SAAgB,QAAQ,MAAgB,QAA6B;AACnE,QAAO;EACL,MAAM,EAAE;EACR,OAAO,OAAO,KAAU,OAAY,WAAiB;GACnD,MAAM,aAAa,IAAI;GACvB,MAAM,kBAAkB,WAAW,gBAAgB,KAAK,WAAW;GACnE,MAAM,iBAAiB,mBAAmB,MAAM,IAAI;GAEpD,MAAM,eAAe,QAAQ,cACzB,MAAM,OAAO,YAAY,KAAK,SAAS,GACvC;GACJ,MAAM,WACJ,iBAAiB,SAAY,MAAM,UAAU,GAAG;AAElD,OAAI,aAAa,KACf,QAAO;IACL,KAAK,EACH,MAAM;KACJ;KACA,QAAQ;KACR,MAAM;KACN,SAAS;KACT,MAAM;KACN,QAAQ,EAAE;KACX,EACF;IACD,MAAM,EAAE;IACT;GAGH,MAAM,QAAQ,QAAQ,UAClB,MAAM,OAAO,QAAQ,KAAK,SAAS,MAAM,SAAS,GAClD,EAAE;AAEN,UAAO;IACL,KAAK,EACH,MAAM;KACJ;KACA,GAAG;KACH,GAAG;KACJ,EACF;IACD,MAAM,EAAE;IACT;;EAEJ"}

package/dist/server/index.d.ts

@@ -1,4 +1,4 @@
-import { AuthApi, AuthApiBase, AuthConfig, AuthCtx, ConvexAuthResult, InferAuth, InferClientApi, UserDoc, createAuth } from "./auth.js";
+import { AuthApi, AuthApiBase, AuthConfig, AuthCtx, AuthCtxConfig, AuthResolvedContext, ConvexAuthResult, InferAuth, InferClientApi, UserDoc, createAuth } from "./auth.js";
 import { EnterpriseAdminAuthorizationInput, EnterpriseAdminPermission, EnterpriseAuthorizer, EnterpriseMountOptions, enterprise, scim, sso } from "./mounts.js";
 import { AuthCookie, AuthCookieConfig, AuthCookies, RefreshResult, ServerOptions, authCookieNames, parseAuthCookies, serializeAuthCookies, server, shouldProxyAuthAction, structuredAuthCookies } from "./ssr.js";
-export { type AuthApi, type AuthApiBase, type AuthConfig, type AuthCookie, type AuthCookieConfig, type AuthCookies, AuthCtx, type ConvexAuthResult, type EnterpriseAdminAuthorizationInput, type EnterpriseAdminPermission, type EnterpriseAuthorizer, type EnterpriseMountOptions, type InferAuth, type InferClientApi, type RefreshResult, type ServerOptions, type UserDoc, authCookieNames, createAuth, enterprise, parseAuthCookies, scim, serializeAuthCookies, server, shouldProxyAuthAction, sso, structuredAuthCookies };
+export { type AuthApi, type AuthApiBase, type AuthConfig, type AuthCookie, type AuthCookieConfig, type AuthCookies, AuthCtx, type AuthCtxConfig, type AuthResolvedContext, type ConvexAuthResult, type EnterpriseAdminAuthorizationInput, type EnterpriseAdminPermission, type EnterpriseAuthorizer, type EnterpriseMountOptions, type InferAuth, type InferClientApi, type RefreshResult, type ServerOptions, type UserDoc, authCookieNames, createAuth, enterprise, parseAuthCookies, scim, serializeAuthCookies, server, shouldProxyAuthAction, sso, structuredAuthCookies };

package/dist/server/mounts.d.ts

@@ -130,9 +130,9 @@ declare function sso<TAuthorization extends AuthAuthorizationConfig | undefined
   admin: {
     connection: {
       create: convex_server0.RegisteredMutation<"public", {
-        status?: "draft" | "active" | "disabled" | undefined;
         name?: string | undefined;
         slug?: string | undefined;
+        status?: "draft" | "active" | "disabled" | undefined;
         groupId?: string | undefined;
         domain?: string | undefined;
       }, Promise<any>>;
@@ -147,8 +147,8 @@ declare function sso<TAuthorization extends AuthAuthorizationConfig | undefined
       }, Promise<any>>;
       list: convex_server0.RegisteredQuery<"public", {
         where?: {
-          status?: "draft" | "active" | "disabled" | undefined;
           slug?: string | undefined;
+          status?: "draft" | "active" | "disabled" | undefined;
           groupId?: string | undefined;
         } | undefined;
         limit?: number | undefined;
@@ -159,9 +159,9 @@ declare function sso<TAuthorization extends AuthAuthorizationConfig | undefined
       update: convex_server0.RegisteredMutation<"public", {
         enterpriseId: string;
         data: {
-          status?: "draft" | "active" | "disabled" | undefined;
           name?: string | undefined;
           slug?: string | undefined;
+          status?: "draft" | "active" | "disabled" | undefined;
         };
       }, Promise<{
         ok: false;
@@ -263,8 +263,8 @@ declare function sso<TAuthorization extends AuthAuthorizationConfig | undefined
         patch: {
           identity?: {
             accountLinking?: {
-              oidc?: "verifiedEmail" | "none" | undefined;
               saml?: "verifiedEmail" | "none" | undefined;
+              oidc?: "verifiedEmail" | "none" | undefined;
             } | undefined;
           } | undefined;
           provisioning?: {
@@ -287,8 +287,8 @@ declare function sso<TAuthorization extends AuthAuthorizationConfig | undefined
     };
     audit: {
       list: convex_server0.RegisteredQuery<"public", {
-        groupId?: string | undefined;
         enterpriseId?: string | undefined;
+        groupId?: string | undefined;
         limit?: number | undefined;
       }, Promise<any>>;
     };
@@ -302,8 +302,8 @@ declare function sso<TAuthorization extends AuthAuthorizationConfig | undefined
       endpoint: {
         create: convex_server0.RegisteredMutation<"public", {
           createdByUserId?: string | undefined;
-          secret: string;
           enterpriseId: string;
+          secret: string;
           url: string;
           subscriptions: string[];
         }, Promise<{
@@ -432,9 +432,9 @@ declare function scim<TAuthorization extends AuthAuthorizationConfig | undefined
  */
 declare function enterprise<TAuthorization extends AuthAuthorizationConfig | undefined = undefined>(auth: Pick<AuthApi<TAuthorization>, "group" | "member" | "scim" | "sso" | "user">, options: EnterpriseMountOptions<AuthRoleId<TAuthorization>>): {
   createConnection: convex_server0.RegisteredMutation<"public", {
-    status?: "draft" | "active" | "disabled" | undefined;
     name?: string | undefined;
     slug?: string | undefined;
+    status?: "draft" | "active" | "disabled" | undefined;
     groupId?: string | undefined;
     domain?: string | undefined;
   }, Promise<any>>;
@@ -449,8 +449,8 @@ declare function enterprise<TAuthorization extends AuthAuthorizationConfig | und
   }, Promise<any>>;
   listConnections: convex_server0.RegisteredQuery<"public", {
     where?: {
-      status?: "draft" | "active" | "disabled" | undefined;
       slug?: string | undefined;
+      status?: "draft" | "active" | "disabled" | undefined;
       groupId?: string | undefined;
     } | undefined;
     limit?: number | undefined;
@@ -461,9 +461,9 @@ declare function enterprise<TAuthorization extends AuthAuthorizationConfig | und
   updateConnection: convex_server0.RegisteredMutation<"public", {
     enterpriseId: string;
     data: {
-      status?: "draft" | "active" | "disabled" | undefined;
       name?: string | undefined;
       slug?: string | undefined;
+      status?: "draft" | "active" | "disabled" | undefined;
     };
   }, Promise<{
     ok: false;
@@ -555,8 +555,8 @@ declare function enterprise<TAuthorization extends AuthAuthorizationConfig | und
     patch: {
       identity?: {
         accountLinking?: {
-          oidc?: "verifiedEmail" | "none" | undefined;
           saml?: "verifiedEmail" | "none" | undefined;
+          oidc?: "verifiedEmail" | "none" | undefined;
         } | undefined;
       } | undefined;
       provisioning?: {
@@ -577,14 +577,14 @@ declare function enterprise<TAuthorization extends AuthAuthorizationConfig | und
     enterpriseId: string;
   }, Promise<any>>;
   listAudit: convex_server0.RegisteredQuery<"public", {
-    groupId?: string | undefined;
     enterpriseId?: string | undefined;
+    groupId?: string | undefined;
     limit?: number | undefined;
   }, Promise<any>>;
   createWebhookEndpoint: convex_server0.RegisteredMutation<"public", {
     createdByUserId?: string | undefined;
-    secret: string;
     enterpriseId: string;
+    secret: string;
     url: string;
     subscriptions: string[];
   }, Promise<{

package/dist/server/mutations/account.d.ts

@@ -3,24 +3,24 @@ import { AuthError } from "../authError.js";
 import { Config, GetProviderOrThrowFunc } from "../crypto.js";
 import { Fx } from "@robelest/fx";
 import { GenericActionCtx, GenericDataModel } from "convex/server";
-import * as convex_values3 from "convex/values";
+import * as convex_values15 from "convex/values";
 import { Infer } from "convex/values";
 
 //#region src/server/mutations/account.d.ts
-declare const modifyAccountArgs: convex_values3.VObject<{
+declare const modifyAccountArgs: convex_values15.VObject<{
   provider: string;
   account: {
     id: string;
     secret: string;
   };
 }, {
-  provider: convex_values3.VString<string, "required">;
-  account: convex_values3.VObject<{
+  provider: convex_values15.VString<string, "required">;
+  account: convex_values15.VObject<{
     id: string;
     secret: string;
   }, {
-    id: convex_values3.VString<string, "required">;
-    secret: convex_values3.VString<string, "required">;
+    id: convex_values15.VString<string, "required">;
+    secret: convex_values15.VString<string, "required">;
   }, "required", "id" | "secret">;
 }, "required", "provider" | "account" | "account.id" | "account.secret">;
 declare function modifyAccountImpl(ctx: MutationCtx, args: Infer<typeof modifyAccountArgs>, getProviderOrThrow: GetProviderOrThrowFunc, config: Config): Fx<void, AuthError>;

package/dist/server/mutations/account.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"account.d.ts","names":[],"sources":["../../../src/server/mutations/account.ts"],"mappings":";;;;;;;;;cAYa,iBAAA,iBAAiB,OAAA;;;;;;;YAG5B,cAAA,CAAA,OAAA;;;;;;;;;iBAEc,iBAAA,CACd,GAAA,EAAK,WAAA,EACL,IAAA,EAAM,KAAA,QAAa,iBAAA,GACnB,kBAAA,EAAoB,sBAAA,EACpB,MAAA,EAAQ,MAAA,GACP,EAAA,OAAS,SAAA;AAAA,cA2CC,iBAAA,qBAA6C,gBAAA,EACxD,GAAA,EAAK,gBAAA,CAAiB,SAAA,GACtB,IAAA,EAAM,KAAA,QAAa,iBAAA,MAClB,OAAA"}
+{"version":3,"file":"account.d.ts","names":[],"sources":["../../../src/server/mutations/account.ts"],"mappings":";;;;;;;;;cAYa,iBAAA,kBAAiB,OAAA;;;;;;;YAG5B,eAAA,CAAA,OAAA;;;;;;;;;iBAEc,iBAAA,CACd,GAAA,EAAK,WAAA,EACL,IAAA,EAAM,KAAA,QAAa,iBAAA,GACnB,kBAAA,EAAoB,sBAAA,EACpB,MAAA,EAAQ,MAAA,GACP,EAAA,OAAS,SAAA;AAAA,cA2CC,iBAAA,qBAA6C,gBAAA,EACxD,GAAA,EAAK,gBAAA,CAAiB,SAAA,GACtB,IAAA,EAAM,KAAA,QAAa,iBAAA,MAClB,OAAA"}

package/dist/server/mutations/code.d.ts

@@ -1,27 +1,27 @@
 import { MutationCtx } from "../types.js";
 import { Config, GetProviderOrThrowFunc } from "../crypto.js";
 import { GenericActionCtx, GenericDataModel } from "convex/server";
-import * as convex_values8 from "convex/values";
+import * as convex_values7 from "convex/values";
 import { Infer } from "convex/values";
 
 //#region src/server/mutations/code.d.ts
-declare const createVerificationCodeArgs: convex_values8.VObject<{
+declare const createVerificationCodeArgs: convex_values7.VObject<{
+  phone?: string | undefined;
   email?: string | undefined;
   accountId?: string | undefined;
-  phone?: string | undefined;
-  provider: string;
   code: string;
-  expirationTime: number;
+  provider: string;
   allowExtraProviders: boolean;
+  expirationTime: number;
 }, {
-  accountId: convex_values8.VString<string | undefined, "optional">;
-  provider: convex_values8.VString<string, "required">;
-  email: convex_values8.VString<string | undefined, "optional">;
-  phone: convex_values8.VString<string | undefined, "optional">;
-  code: convex_values8.VString<string, "required">;
-  expirationTime: convex_values8.VFloat64<number, "required">;
-  allowExtraProviders: convex_values8.VBoolean<boolean, "required">;
-}, "required", "email" | "provider" | "code" | "accountId" | "phone" | "expirationTime" | "allowExtraProviders">;
+  accountId: convex_values7.VString<string | undefined, "optional">;
+  provider: convex_values7.VString<string, "required">;
+  email: convex_values7.VString<string | undefined, "optional">;
+  phone: convex_values7.VString<string | undefined, "optional">;
+  code: convex_values7.VString<string, "required">;
+  expirationTime: convex_values7.VFloat64<number, "required">;
+  allowExtraProviders: convex_values7.VBoolean<boolean, "required">;
+}, "required", "phone" | "email" | "code" | "provider" | "allowExtraProviders" | "accountId" | "expirationTime">;
 type ReturnType = string;
 declare function createVerificationCodeImpl(ctx: MutationCtx, args: Infer<typeof createVerificationCodeArgs>, getProviderOrThrow: GetProviderOrThrowFunc, config: Config): Promise<ReturnType>;
 declare const callCreateVerificationCode: <DataModel extends GenericDataModel>(ctx: GenericActionCtx<DataModel>, args: Infer<typeof createVerificationCodeArgs>) => Promise<ReturnType>;

package/dist/server/mutations/invalidate.d.ts

@@ -2,16 +2,16 @@ import { MutationCtx } from "../types.js";
 import { Config } from "../crypto.js";
 import { Fx } from "@robelest/fx";
 import { GenericActionCtx, GenericDataModel } from "convex/server";
-import * as convex_values0 from "convex/values";
+import * as convex_values22 from "convex/values";
 import { Infer } from "convex/values";
 
 //#region src/server/mutations/invalidate.d.ts
-declare const invalidateSessionsArgs: convex_values0.VObject<{
+declare const invalidateSessionsArgs: convex_values22.VObject<{
   except?: string[] | undefined;
   userId: string;
 }, {
-  userId: convex_values0.VString<string, "required">;
-  except: convex_values0.VArray<string[] | undefined, convex_values0.VString<string, "required">, "optional">;
+  userId: convex_values22.VString<string, "required">;
+  except: convex_values22.VArray<string[] | undefined, convex_values22.VString<string, "required">, "optional">;
 }, "required", "userId" | "except">;
 declare const callInvalidateSessions: <DataModel extends GenericDataModel>(ctx: GenericActionCtx<DataModel>, args: Infer<typeof invalidateSessionsArgs>) => Promise<void>;
 declare function invalidateSessionsImpl(ctx: MutationCtx, args: Infer<typeof invalidateSessionsArgs>, config: Config): Fx<void, never>;

package/dist/server/mutations/invalidate.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"invalidate.d.ts","names":[],"sources":["../../../src/server/mutations/invalidate.ts"],"mappings":";;;;;;;;cAWa,sBAAA,iBAAsB,OAAA;;;;UAGjC,cAAA,CAAA,OAAA;;;cAEW,sBAAA,qBACO,gBAAA,EAElB,GAAA,EAAK,gBAAA,CAAiB,SAAA,GACtB,IAAA,EAAM,KAAA,QAAa,sBAAA,MAClB,OAAA;AAAA,iBASa,sBAAA,CACd,GAAA,EAAK,WAAA,EACL,IAAA,EAAM,KAAA,QAAa,sBAAA,GACnB,MAAA,EAAQ,MAAA,GACP,EAAA"}
+{"version":3,"file":"invalidate.d.ts","names":[],"sources":["../../../src/server/mutations/invalidate.ts"],"mappings":";;;;;;;;cAWa,sBAAA,kBAAsB,OAAA;;;;UAGjC,eAAA,CAAA,OAAA;;;cAEW,sBAAA,qBACO,gBAAA,EAElB,GAAA,EAAK,gBAAA,CAAiB,SAAA,GACtB,IAAA,EAAM,KAAA,QAAa,sBAAA,MAClB,OAAA;AAAA,iBASa,sBAAA,CACd,GAAA,EAAK,WAAA,EACL,IAAA,EAAM,KAAA,QAAa,sBAAA,GACnB,MAAA,EAAQ,MAAA,GACP,EAAA"}

package/dist/server/mutations/oauth.d.ts

@@ -3,23 +3,23 @@ import { AuthError } from "../authError.js";
 import { Config, GetProviderOrThrowFunc } from "../crypto.js";
 import { Fx } from "@robelest/fx";
 import { GenericActionCtx, GenericDataModel } from "convex/server";
-import * as convex_values89 from "convex/values";
+import * as convex_values1 from "convex/values";
 import { Infer } from "convex/values";
 
 //#region src/server/mutations/oauth.d.ts
-declare const userOAuthArgs: convex_values89.VObject<{
+declare const userOAuthArgs: convex_values1.VObject<{
   accountExtend?: any;
+  profile: any;
   provider: string;
   signature: string;
   providerAccountId: string;
-  profile: any;
 }, {
-  provider: convex_values89.VString<string, "required">;
-  providerAccountId: convex_values89.VString<string, "required">;
-  profile: convex_values89.VAny<any, "required", string>;
-  signature: convex_values89.VString<string, "required">;
-  accountExtend: convex_values89.VAny<any, "optional", string>;
-}, "required", "provider" | "signature" | "providerAccountId" | "profile" | "accountExtend" | `profile.${string}` | `accountExtend.${string}`>;
+  provider: convex_values1.VString<string, "required">;
+  providerAccountId: convex_values1.VString<string, "required">;
+  profile: convex_values1.VAny<any, "required", string>;
+  signature: convex_values1.VString<string, "required">;
+  accountExtend: convex_values1.VAny<any, "optional", string>;
+}, "required", "profile" | "provider" | "signature" | "providerAccountId" | "accountExtend" | `profile.${string}` | `accountExtend.${string}`>;
 type ReturnType = string;
 declare function userOAuthImpl(ctx: MutationCtx, args: Infer<typeof userOAuthArgs>, getProviderOrThrow: GetProviderOrThrowFunc, config: Config): Fx<ReturnType, AuthError>;
 declare const callUserOAuth: <DataModel extends GenericDataModel>(ctx: GenericActionCtx<DataModel>, args: Infer<typeof userOAuthArgs>) => Promise<ReturnType>;

package/dist/server/mutations/oauth.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"oauth.d.ts","names":[],"sources":["../../../src/server/mutations/oauth.ts"],"mappings":";;;;;;;;;cAwBa,aAAA,kBAAa,OAAA;;;;;;;YAMxB,eAAA,CAAA,OAAA;;;;;;KA8CG,UAAA;AAAA,iBAEW,aAAA,CACd,GAAA,EAAK,WAAA,EACL,IAAA,EAAM,KAAA,QAAa,aAAA,GACnB,kBAAA,EAAoB,sBAAA,EACpB,MAAA,EAAQ,MAAA,GACP,EAAA,CAAG,UAAA,EAAY,SAAA;AAAA,cA+IL,aAAA,qBAAyC,gBAAA,EACpD,GAAA,EAAK,gBAAA,CAAiB,SAAA,GACtB,IAAA,EAAM,KAAA,QAAa,aAAA,MAClB,OAAA,CAAQ,UAAA"}
+{"version":3,"file":"oauth.d.ts","names":[],"sources":["../../../src/server/mutations/oauth.ts"],"mappings":";;;;;;;;;cAwBa,aAAA,iBAAa,OAAA;;;;;;;YAMxB,cAAA,CAAA,OAAA;;;;;;KA8CG,UAAA;AAAA,iBAEW,aAAA,CACd,GAAA,EAAK,WAAA,EACL,IAAA,EAAM,KAAA,QAAa,aAAA,GACnB,kBAAA,EAAoB,sBAAA,EACpB,MAAA,EAAQ,MAAA,GACP,EAAA,CAAG,UAAA,EAAY,SAAA;AAAA,cA+IL,aAAA,qBAAyC,gBAAA,EACpD,GAAA,EAAK,gBAAA,CAAiB,SAAA,GACtB,IAAA,EAAM,KAAA,QAAa,aAAA,MAClB,OAAA,CAAQ,UAAA"}

package/dist/server/mutations/refresh.d.ts

@@ -1,14 +1,14 @@
 import { MutationCtx } from "../types.js";
 import { Config, GetProviderOrThrowFunc } from "../crypto.js";
 import { GenericActionCtx, GenericDataModel } from "convex/server";
-import * as convex_values109 from "convex/values";
+import * as convex_values0 from "convex/values";
 import { Infer } from "convex/values";
 
 //#region src/server/mutations/refresh.d.ts
-declare const refreshSessionArgs: convex_values109.VObject<{
+declare const refreshSessionArgs: convex_values0.VObject<{
   refreshToken: string;
 }, {
-  refreshToken: convex_values109.VString<string, "required">;
+  refreshToken: convex_values0.VString<string, "required">;
 }, "required", "refreshToken">;
 type RefreshResult = null | {
   token: string;

package/dist/server/mutations/refresh.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"refresh.d.ts","names":[],"sources":["../../../src/server/mutations/refresh.ts"],"mappings":";;;;;;;cAkBa,kBAAA,EAEX,gBAAA,CAF6B,OAAA;;;gBAE7B,gBAAA,CAAA,OAAA;AAAA;AAAA,KAEG,aAAA;EACH,KAAA;EACA,YAAA;AAAA;AAAA,iBAiBoB,kBAAA,CACpB,GAAA,EAAK,WAAA,EACL,IAAA,EAAM,KAAA,QAAa,kBAAA,GACnB,mBAAA,EAAqB,sBAAA,EACrB,MAAA,EAAQ,MAAA,GACP,OAAA,CAAQ,aAAA;AAAA,cAiPE,kBAAA,qBAA8C,gBAAA,EACzD,GAAA,EAAK,gBAAA,CAAiB,SAAA,GACtB,IAAA,EAAM,KAAA,QAAa,kBAAA,MAClB,OAAA,CAAQ,aAAA"}
+{"version":3,"file":"refresh.d.ts","names":[],"sources":["../../../src/server/mutations/refresh.ts"],"mappings":";;;;;;;cAkBa,kBAAA,EAEX,cAAA,CAF6B,OAAA;;;gBAE7B,cAAA,CAAA,OAAA;AAAA;AAAA,KAEG,aAAA;EACH,KAAA;EACA,YAAA;AAAA;AAAA,iBAiBoB,kBAAA,CACpB,GAAA,EAAK,WAAA,EACL,IAAA,EAAM,KAAA,QAAa,kBAAA,GACnB,mBAAA,EAAqB,sBAAA,EACrB,MAAA,EAAQ,MAAA,GACP,OAAA,CAAQ,aAAA;AAAA,cAiPE,kBAAA,qBAA8C,gBAAA,EACzD,GAAA,EAAK,gBAAA,CAAiB,SAAA,GACtB,IAAA,EAAM,KAAA,QAAa,kBAAA,MAClB,OAAA,CAAQ,aAAA"}

package/dist/server/mutations/register.d.ts

@@ -1,32 +1,32 @@
 import { Doc, MutationCtx } from "../types.js";
 import { Config, GetProviderOrThrowFunc } from "../crypto.js";
 import { GenericActionCtx, GenericDataModel } from "convex/server";
-import * as convex_values101 from "convex/values";
+import * as convex_values113 from "convex/values";
 import { Infer } from "convex/values";
 
 //#region src/server/mutations/register.d.ts
-declare const createAccountFromCredentialsArgs: convex_values101.VObject<{
+declare const createAccountFromCredentialsArgs: convex_values113.VObject<{
   shouldLinkViaEmail?: boolean | undefined;
   shouldLinkViaPhone?: boolean | undefined;
+  profile: any;
   provider: string;
   account: {
     secret?: string | undefined;
     id: string;
   };
-  profile: any;
 }, {
-  provider: convex_values101.VString<string, "required">;
-  account: convex_values101.VObject<{
+  provider: convex_values113.VString<string, "required">;
+  account: convex_values113.VObject<{
     secret?: string | undefined;
     id: string;
   }, {
-    id: convex_values101.VString<string, "required">;
-    secret: convex_values101.VString<string | undefined, "optional">;
+    id: convex_values113.VString<string, "required">;
+    secret: convex_values113.VString<string | undefined, "optional">;
   }, "required", "id" | "secret">;
-  profile: convex_values101.VAny<any, "required", string>;
-  shouldLinkViaEmail: convex_values101.VBoolean<boolean | undefined, "optional">;
-  shouldLinkViaPhone: convex_values101.VBoolean<boolean | undefined, "optional">;
-}, "required", "provider" | "account" | "account.id" | "account.secret" | "profile" | `profile.${string}` | "shouldLinkViaEmail" | "shouldLinkViaPhone">;
+  profile: convex_values113.VAny<any, "required", string>;
+  shouldLinkViaEmail: convex_values113.VBoolean<boolean | undefined, "optional">;
+  shouldLinkViaPhone: convex_values113.VBoolean<boolean | undefined, "optional">;
+}, "required", "profile" | "provider" | `profile.${string}` | "account" | "shouldLinkViaEmail" | "shouldLinkViaPhone" | "account.id" | "account.secret">;
 type ReturnType = {
   account: Doc<"Account">;
   user: Doc<"User">;

package/dist/server/mutations/retrieve.d.ts

@@ -2,24 +2,24 @@ import { Doc, MutationCtx } from "../types.js";
 import { Config, GetProviderOrThrowFunc } from "../crypto.js";
 import { Fx } from "@robelest/fx";
 import { GenericActionCtx, GenericDataModel } from "convex/server";
-import * as convex_values116 from "convex/values";
+import * as convex_values36 from "convex/values";
 import { Infer } from "convex/values";
 
 //#region src/server/mutations/retrieve.d.ts
-declare const retrieveAccountWithCredentialsArgs: convex_values116.VObject<{
+declare const retrieveAccountWithCredentialsArgs: convex_values36.VObject<{
   provider: string;
   account: {
     secret?: string | undefined;
     id: string;
   };
 }, {
-  provider: convex_values116.VString<string, "required">;
-  account: convex_values116.VObject<{
+  provider: convex_values36.VString<string, "required">;
+  account: convex_values36.VObject<{
     secret?: string | undefined;
     id: string;
   }, {
-    id: convex_values116.VString<string, "required">;
-    secret: convex_values116.VString<string | undefined, "optional">;
+    id: convex_values36.VString<string, "required">;
+    secret: convex_values36.VString<string | undefined, "optional">;
   }, "required", "id" | "secret">;
 }, "required", "provider" | "account" | "account.id" | "account.secret">;
 type ReturnType = "InvalidAccountId" | "TooManyFailedAttempts" | "InvalidSecret" | {

package/dist/server/mutations/retrieve.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"retrieve.d.ts","names":[],"sources":["../../../src/server/mutations/retrieve.ts"],"mappings":";;;;;;;;cAgBa,kCAAA,mBAAkC,OAAA;;;;;;;YAG7C,gBAAA,CAAA,OAAA;;;;;;;;;KAEG,UAAA;EAIC,OAAA,EAAS,GAAA;EAAgB,IAAA,EAAM,GAAA;AAAA;AAAA,iBAErB,kCAAA,CACd,GAAA,EAAK,WAAA,EACL,IAAA,EAAM,KAAA,QAAa,kCAAA,GACnB,kBAAA,EAAoB,sBAAA,EACpB,MAAA,EAAQ,MAAA,GACP,EAAA,CAAG,UAAA;AAAA,cAgEO,kCAAA,qBACO,gBAAA,EAElB,GAAA,EAAK,gBAAA,CAAiB,SAAA,GACtB,IAAA,EAAM,KAAA,QAAa,kCAAA,MAClB,OAAA,CAAQ,UAAA"}
+{"version":3,"file":"retrieve.d.ts","names":[],"sources":["../../../src/server/mutations/retrieve.ts"],"mappings":";;;;;;;;cAgBa,kCAAA,kBAAkC,OAAA;;;;;;;YAG7C,eAAA,CAAA,OAAA;;;;;;;;;KAEG,UAAA;EAIC,OAAA,EAAS,GAAA;EAAgB,IAAA,EAAM,GAAA;AAAA;AAAA,iBAErB,kCAAA,CACd,GAAA,EAAK,WAAA,EACL,IAAA,EAAM,KAAA,QAAa,kCAAA,GACnB,kBAAA,EAAoB,sBAAA,EACpB,MAAA,EAAQ,MAAA,GACP,EAAA,CAAG,UAAA;AAAA,cAgEO,kCAAA,qBACO,gBAAA,EAElB,GAAA,EAAK,gBAAA,CAAiB,SAAA,GACtB,IAAA,EAAM,KAAA,QAAa,kCAAA,MAClB,OAAA,CAAQ,UAAA"}