@robelest/convex-auth 0.0.4-preview.21 → 0.0.4-preview.23

package/dist/component/public/identity/verifiers.js.map

@@ -1 +1 @@
-{"version":3,"file":"verifiers.js","names":[],"sources":["../../../../src/component/public/identity/verifiers.ts"],"sourcesContent":["import { v } from \"convex/values\";\nimport { mutation, query } from \"../../functions\";\nimport { vAuthVerifierDoc } from \"../../model\";\n\n/**\n * Create a new PKCE verifier, optionally linked to a session.\n *\n * Inserts a document into the `AuthVerifier` table. Verifiers are used during\n * OAuth/OIDC flows to implement the PKCE (Proof Key for Code Exchange) pattern,\n * preventing authorization code interception attacks. The verifier can optionally\n * be linked to an existing session for session-aware flows.\n *\n * @param args.sessionId - An optional session document ID to associate with the verifier.\n *   When provided, the verifier is scoped to the given session.\n * @returns The document ID of the newly created verifier.\n *\n * @example\n * ```ts\n * const verifierId = await ctx.runMutation(\n *   component.identity.verifiers.verifierCreate,\n *   { sessionId: session._id },\n * );\n * ```\n */\nexport const verifierCreate = mutation({\n  args: { sessionId: v.optional(v.id(\"Session\")) },\n  returns: v.id(\"AuthVerifier\"),\n  handler: async (ctx, { sessionId }) => {\n    return await ctx.db.insert(\"AuthVerifier\", { sessionId: sessionId as any });\n  },\n});\n\n/**\n * Retrieve a single verifier by its Convex document ID.\n *\n * Performs a direct point lookup on the `AuthVerifier` table. Returns `null` if\n * the verifier has been deleted or never existed.\n *\n * @param args.verifierId - The Convex document ID (`Id<\"AuthVerifier\">`) of the verifier to retrieve.\n * @returns The verifier document if it exists, or `null` otherwise.\n *\n * @example\n * ```ts\n * const verifier = await ctx.runQuery(\n *   component.identity.verifiers.verifierGetById,\n *   { verifierId: storedVerifierId },\n * );\n * if (verifier !== null) {\n *   console.log(`Verifier signature: ${verifier.signature}`);\n * }\n * ```\n */\nexport const verifierGetById = query({\n  args: { verifierId: v.id(\"AuthVerifier\") },\n  returns: v.union(vAuthVerifierDoc, v.null()),\n  handler: async (ctx, { verifierId }) => {\n    return await ctx.db.get(\"AuthVerifier\", verifierId);\n  },\n});\n\n/**\n * Look up a verifier by its cryptographic signature.\n *\n * Queries the `AuthVerifier` table using the `signature` index to find the\n * unique verifier matching the given signature string. This is the primary\n * lookup used during the OAuth callback phase to correlate the incoming\n * authorization response with the original PKCE challenge.\n *\n * @param args.signature - The cryptographic signature string to search for (exact match).\n * @returns The matching verifier document, or `null` if no verifier has the given signature.\n *\n * @example\n * ```ts\n * const verifier = await ctx.runQuery(\n *   component.identity.verifiers.verifierGetBySignature,\n *   { signature: incomingStateParam },\n * );\n * if (verifier === null) {\n *   throw new Error(\"Invalid or expired OAuth state\");\n * }\n * ```\n */\nexport const verifierGetBySignature = query({\n  args: { signature: v.string() },\n  returns: v.union(vAuthVerifierDoc, v.null()),\n  handler: async (ctx, { signature }) => {\n    return await ctx.db\n      .query(\"AuthVerifier\")\n      .withIndex(\"signature\", (q) => q.eq(\"signature\", signature))\n      .unique();\n  },\n});\n\n/**\n * Patch a verifier document with partial data.\n *\n * Merges the provided fields into the existing verifier document. This is\n * typically used to set the `signature` field after the verifier is initially\n * created, or to associate a `sessionId` with an existing verifier.\n *\n * @param args.verifierId - The document ID of the verifier to update.\n * @param args.data - A partial object containing the fields to merge into the verifier document\n *   (e.g. `{ signature: string }` or `{ sessionId: Id<\"Session\"> }`).\n * @returns `null` on success.\n *\n * @example\n * ```ts\n * // Set the PKCE signature on the verifier\n * await ctx.runMutation(\n *   component.identity.verifiers.verifierPatch,\n *   {\n *     verifierId: verifier._id,\n *     data: { signature: generatedSignature },\n *   },\n * );\n * ```\n */\nexport const verifierPatch = mutation({\n  args: { verifierId: v.id(\"AuthVerifier\"), data: v.any() },\n  returns: v.null(),\n  handler: async (ctx, { verifierId, data }) => {\n    await ctx.db.patch(\"AuthVerifier\", verifierId, data);\n    return null;\n  },\n});\n\n/**\n * Delete a verifier document permanently.\n *\n * Removes the verifier from the `AuthVerifier` table. This is typically called\n * after a successful OAuth callback to clean up the consumed PKCE state, or\n * to expire stale verifiers that were never completed.\n *\n * @param args.verifierId - The document ID of the verifier to delete.\n * @returns `null` on success.\n *\n * @example\n * ```ts\n * // Clean up the verifier after a successful OAuth exchange\n * await ctx.runMutation(\n *   component.identity.verifiers.verifierDelete,\n *   { verifierId: verifier._id },\n * );\n * ```\n */\nexport const verifierDelete = mutation({\n  args: { verifierId: v.id(\"AuthVerifier\") },\n  returns: v.null(),\n  handler: async (ctx, { verifierId }) => {\n    await ctx.db.delete(\"AuthVerifier\", verifierId);\n    return null;\n  },\n});\n\n// ============================================================================\n// Verification Codes\n// ============================================================================\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AAwBA,MAAa,iBAAiB,SAAS;CACrC,MAAM,EAAE,WAAW,EAAE,SAAS,EAAE,GAAG,UAAU,CAAC,EAAE;CAChD,SAAS,EAAE,GAAG,eAAe;CAC7B,SAAS,OAAO,KAAK,EAAE,gBAAgB;AACrC,SAAO,MAAM,IAAI,GAAG,OAAO,gBAAgB,EAAa,WAAkB,CAAC;;CAE9E,CAAC;;;;;;;;;;;;;;;;;;;;;AAsBF,MAAa,kBAAkB,MAAM;CACnC,MAAM,EAAE,YAAY,EAAE,GAAG,eAAe,EAAE;CAC1C,SAAS,EAAE,MAAM,kBAAkB,EAAE,MAAM,CAAC;CAC5C,SAAS,OAAO,KAAK,EAAE,iBAAiB;AACtC,SAAO,MAAM,IAAI,GAAG,IAAI,gBAAgB,WAAW;;CAEtD,CAAC;;;;;;;;;;;;;;;;;;;;;;;AAwBF,MAAa,yBAAyB,MAAM;CAC1C,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE;CAC/B,SAAS,EAAE,MAAM,kBAAkB,EAAE,MAAM,CAAC;CAC5C,SAAS,OAAO,KAAK,EAAE,gBAAgB;AACrC,SAAO,MAAM,IAAI,GACd,MAAM,eAAe,CACrB,UAAU,cAAc,MAAM,EAAE,GAAG,aAAa,UAAU,CAAC,CAC3D,QAAQ;;CAEd,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;AA0BF,MAAa,gBAAgB,SAAS;CACpC,MAAM;EAAE,YAAY,EAAE,GAAG,eAAe;EAAE,MAAM,EAAE,KAAK;EAAE;CACzD,SAAS,EAAE,MAAM;CACjB,SAAS,OAAO,KAAK,EAAE,YAAY,WAAW;AAC5C,QAAM,IAAI,GAAG,MAAM,gBAAgB,YAAY,KAAK;AACpD,SAAO;;CAEV,CAAC;;;;;;;;;;;;;;;;;;;;AAqBF,MAAa,iBAAiB,SAAS;CACrC,MAAM,EAAE,YAAY,EAAE,GAAG,eAAe,EAAE;CAC1C,SAAS,EAAE,MAAM;CACjB,SAAS,OAAO,KAAK,EAAE,iBAAiB;AACtC,QAAM,IAAI,GAAG,OAAO,gBAAgB,WAAW;AAC/C,SAAO;;CAEV,CAAC"}
+{"version":3,"file":"verifiers.js","names":[],"sources":["../../../../src/component/public/identity/verifiers.ts"],"sourcesContent":["import { v } from \"convex/values\";\n\nimport { mutation, query } from \"../../functions\";\nimport { vAuthVerifierDoc } from \"../../model\";\n\n/**\n * Create a new PKCE verifier, optionally linked to a session.\n *\n * Inserts a document into the `AuthVerifier` table. Verifiers are used during\n * OAuth/OIDC flows to implement the PKCE (Proof Key for Code Exchange) pattern,\n * preventing authorization code interception attacks. The verifier can optionally\n * be linked to an existing session for session-aware flows.\n *\n * @param args.sessionId - An optional session document ID to associate with the verifier.\n *   When provided, the verifier is scoped to the given session.\n * @returns The document ID of the newly created verifier.\n *\n * @example\n * ```ts\n * const verifierId = await ctx.runMutation(\n *   component.identity.verifiers.verifierCreate,\n *   { sessionId: session._id },\n * );\n * ```\n */\nexport const verifierCreate = mutation({\n  args: { sessionId: v.optional(v.id(\"Session\")) },\n  returns: v.id(\"AuthVerifier\"),\n  handler: async (ctx, { sessionId }) => {\n    return await ctx.db.insert(\"AuthVerifier\", { sessionId: sessionId as any });\n  },\n});\n\n/**\n * Retrieve a single verifier by its Convex document ID.\n *\n * Performs a direct point lookup on the `AuthVerifier` table. Returns `null` if\n * the verifier has been deleted or never existed.\n *\n * @param args.verifierId - The Convex document ID (`Id<\"AuthVerifier\">`) of the verifier to retrieve.\n * @returns The verifier document if it exists, or `null` otherwise.\n *\n * @example\n * ```ts\n * const verifier = await ctx.runQuery(\n *   component.identity.verifiers.verifierGetById,\n *   { verifierId: storedVerifierId },\n * );\n * if (verifier !== null) {\n *   console.log(`Verifier signature: ${verifier.signature}`);\n * }\n * ```\n */\nexport const verifierGetById = query({\n  args: { verifierId: v.id(\"AuthVerifier\") },\n  returns: v.union(vAuthVerifierDoc, v.null()),\n  handler: async (ctx, { verifierId }) => {\n    return await ctx.db.get(\"AuthVerifier\", verifierId);\n  },\n});\n\n/**\n * Look up a verifier by its cryptographic signature.\n *\n * Queries the `AuthVerifier` table using the `signature` index to find the\n * unique verifier matching the given signature string. This is the primary\n * lookup used during the OAuth callback phase to correlate the incoming\n * authorization response with the original PKCE challenge.\n *\n * @param args.signature - The cryptographic signature string to search for (exact match).\n * @returns The matching verifier document, or `null` if no verifier has the given signature.\n *\n * @example\n * ```ts\n * const verifier = await ctx.runQuery(\n *   component.identity.verifiers.verifierGetBySignature,\n *   { signature: incomingStateParam },\n * );\n * if (verifier === null) {\n *   throw new Error(\"Invalid or expired OAuth state\");\n * }\n * ```\n */\nexport const verifierGetBySignature = query({\n  args: { signature: v.string() },\n  returns: v.union(vAuthVerifierDoc, v.null()),\n  handler: async (ctx, { signature }) => {\n    return await ctx.db\n      .query(\"AuthVerifier\")\n      .withIndex(\"signature\", (q) => q.eq(\"signature\", signature))\n      .unique();\n  },\n});\n\n/**\n * Patch a verifier document with partial data.\n *\n * Merges the provided fields into the existing verifier document. This is\n * typically used to set the `signature` field after the verifier is initially\n * created, or to associate a `sessionId` with an existing verifier.\n *\n * @param args.verifierId - The document ID of the verifier to update.\n * @param args.data - A partial object containing the fields to merge into the verifier document\n *   (e.g. `{ signature: string }` or `{ sessionId: Id<\"Session\"> }`).\n * @returns `null` on success.\n *\n * @example\n * ```ts\n * // Set the PKCE signature on the verifier\n * await ctx.runMutation(\n *   component.identity.verifiers.verifierPatch,\n *   {\n *     verifierId: verifier._id,\n *     data: { signature: generatedSignature },\n *   },\n * );\n * ```\n */\nexport const verifierPatch = mutation({\n  args: { verifierId: v.id(\"AuthVerifier\"), data: v.any() },\n  returns: v.null(),\n  handler: async (ctx, { verifierId, data }) => {\n    await ctx.db.patch(\"AuthVerifier\", verifierId, data);\n    return null;\n  },\n});\n\n/**\n * Delete a verifier document permanently.\n *\n * Removes the verifier from the `AuthVerifier` table. This is typically called\n * after a successful OAuth callback to clean up the consumed PKCE state, or\n * to expire stale verifiers that were never completed.\n *\n * @param args.verifierId - The document ID of the verifier to delete.\n * @returns `null` on success.\n *\n * @example\n * ```ts\n * // Clean up the verifier after a successful OAuth exchange\n * await ctx.runMutation(\n *   component.identity.verifiers.verifierDelete,\n *   { verifierId: verifier._id },\n * );\n * ```\n */\nexport const verifierDelete = mutation({\n  args: { verifierId: v.id(\"AuthVerifier\") },\n  returns: v.null(),\n  handler: async (ctx, { verifierId }) => {\n    await ctx.db.delete(\"AuthVerifier\", verifierId);\n    return null;\n  },\n});\n\n// ============================================================================\n// Verification Codes\n// ============================================================================\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;AAyBA,MAAa,iBAAiB,SAAS;CACrC,MAAM,EAAE,WAAW,EAAE,SAAS,EAAE,GAAG,UAAU,CAAC,EAAE;CAChD,SAAS,EAAE,GAAG,eAAe;CAC7B,SAAS,OAAO,KAAK,EAAE,gBAAgB;AACrC,SAAO,MAAM,IAAI,GAAG,OAAO,gBAAgB,EAAa,WAAkB,CAAC;;CAE9E,CAAC;;;;;;;;;;;;;;;;;;;;;AAsBF,MAAa,kBAAkB,MAAM;CACnC,MAAM,EAAE,YAAY,EAAE,GAAG,eAAe,EAAE;CAC1C,SAAS,EAAE,MAAM,kBAAkB,EAAE,MAAM,CAAC;CAC5C,SAAS,OAAO,KAAK,EAAE,iBAAiB;AACtC,SAAO,MAAM,IAAI,GAAG,IAAI,gBAAgB,WAAW;;CAEtD,CAAC;;;;;;;;;;;;;;;;;;;;;;;AAwBF,MAAa,yBAAyB,MAAM;CAC1C,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE;CAC/B,SAAS,EAAE,MAAM,kBAAkB,EAAE,MAAM,CAAC;CAC5C,SAAS,OAAO,KAAK,EAAE,gBAAgB;AACrC,SAAO,MAAM,IAAI,GACd,MAAM,eAAe,CACrB,UAAU,cAAc,MAAM,EAAE,GAAG,aAAa,UAAU,CAAC,CAC3D,QAAQ;;CAEd,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;AA0BF,MAAa,gBAAgB,SAAS;CACpC,MAAM;EAAE,YAAY,EAAE,GAAG,eAAe;EAAE,MAAM,EAAE,KAAK;EAAE;CACzD,SAAS,EAAE,MAAM;CACjB,SAAS,OAAO,KAAK,EAAE,YAAY,WAAW;AAC5C,QAAM,IAAI,GAAG,MAAM,gBAAgB,YAAY,KAAK;AACpD,SAAO;;CAEV,CAAC;;;;;;;;;;;;;;;;;;;;AAqBF,MAAa,iBAAiB,SAAS;CACrC,MAAM,EAAE,YAAY,EAAE,GAAG,eAAe,EAAE;CAC1C,SAAS,EAAE,MAAM;CACjB,SAAS,OAAO,KAAK,EAAE,iBAAiB;AACtC,QAAM,IAAI,GAAG,OAAO,gBAAgB,WAAW;AAC/C,SAAO;;CAEV,CAAC"}

package/dist/component/public/security/keys.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"keys.d.ts","names":[],"sources":["../../../../src/component/public/security/keys.ts"],"mappings":";;;;;;;;;;;;;;AAqDA;;;;;AAmDA;;;;;AAyDA;;;;;AAwFA;;;;;AAsDA;;;;;AA8CA;;;cAxSa,SAAA;;;;;;;;;;;;;;;;;;;;;;;;;;cAmDA,iBAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;cAyDA,OAAA;;;;;;;;;;;;;;;;;;;;;;;cAwFA,UAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;cAsDA,QAAA;;;;;;;;;;;;;;;;;;;;cA8CA,SAAA"}
+{"version":3,"file":"keys.d.ts","names":[],"sources":["../../../../src/component/public/security/keys.ts"],"mappings":";;;;;;;;;;;;;;AAsDA;;;;;AAmDA;;;;;AAyDA;;;;;AAwFA;;;;;AAsDA;;;;;AA8CA;;;cAxSa,SAAA;;;;;;;;;;;;;;;;;;;;;;;;;;cAmDA,iBAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;cAyDA,OAAA;;;;;;;;;;;;;;;;;;;;;;;cAwFA,UAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;cAsDA,QAAA;;;;;;;;;;;;;;;;;;;;cA8CA,SAAA"}

package/dist/component/public/security/keys.js.map

@@ -1 +1 @@
-{"version":3,"file":"keys.js","names":[],"sources":["../../../../src/component/public/security/keys.ts"],"sourcesContent":["import { ConvexError, v } from \"convex/values\";\nimport { mutation, query } from \"../../functions\";\nimport {\n  vApiKeyDoc,\n  vApiKeyRateLimit,\n  vApiKeyRateLimitState,\n  vApiKeyScope,\n  vPaginated,\n} from \"../../model\";\n\n// ============================================================================\n// API Keys\n// ============================================================================\n\n/**\n * Insert a new API key record into the `ApiKey` table.\n *\n * Creates an API key entry with the given metadata and scopes. The caller\n * is responsible for generating and hashing the raw key before passing it\n * here -- this function only stores the hash, never the plaintext key.\n * The `createdAt` timestamp and `revoked: false` flag are set automatically.\n *\n * @param userId - The `_id` of the `User` who owns this API key.\n * @param prefix - A short, visible prefix for the key (e.g. `\"sk_live_\"`)\n *   that helps users identify which key was used without exposing the secret.\n * @param hashedKey - SHA-256 hash of the full API key string. Used for\n *   constant-time lookup during Bearer token verification.\n * @param name - Human-readable name for the key (e.g. `\"Production Backend\"`).\n * @param scopes - Array of permission scopes, each containing a `resource`\n *   name and an array of allowed `actions` (e.g.\n *   `[{ resource: \"messages\", actions: [\"read\", \"write\"] }]`).\n * @param rateLimit - Optional rate limit configuration to apply per-key\n *   (e.g. max requests per window).\n * @param expiresAt - Optional Unix timestamp (in milliseconds) after which\n *   the key is no longer valid. Omit for non-expiring keys.\n * @param metadata - Optional arbitrary metadata to attach to the key record.\n * @returns The `_id` of the newly created `ApiKey` document.\n *\n * @example\n * ```ts\n * const keyId = await ctx.runMutation(\n *   components.auth.security.keys.keyInsert,\n *   {\n *     userId: user._id,\n *     prefix: \"sk_live_\",\n *     hashedKey: await sha256(rawKey),\n *     name: \"Production Backend\",\n *     scopes: [{ resource: \"messages\", actions: [\"read\", \"write\"] }],\n *     expiresAt: Date.now() + 90 * 24 * 60 * 60 * 1000,\n *   },\n * );\n * ```\n */\nexport const keyInsert = mutation({\n  args: {\n    userId: v.id(\"User\"),\n    prefix: v.string(),\n    hashedKey: v.string(),\n    name: v.string(),\n    scopes: v.array(\n      v.object({\n        resource: v.string(),\n        actions: v.array(v.string()),\n      }),\n    ),\n    rateLimit: v.optional(vApiKeyRateLimit),\n    expiresAt: v.optional(v.number()),\n    metadata: v.optional(v.any()),\n  },\n  returns: v.id(\"ApiKey\"),\n  handler: async (ctx, args) => {\n    return await ctx.db.insert(\"ApiKey\", {\n      ...args,\n      createdAt: Date.now(),\n      revoked: false,\n    });\n  },\n});\n\n/**\n * Look up an API key by its SHA-256 hash.\n *\n * Queries the `ApiKey` table using the `hashed_key` index. This is the\n * primary lookup path during Bearer token verification: the incoming\n * token is hashed and matched against stored hashes in constant time.\n * Returns the full key record including scopes, rate limit state, and\n * revocation status so the caller can perform authorization checks.\n *\n * @param hashedKey - SHA-256 hash of the API key string extracted from\n *   the `Authorization: Bearer <token>` header.\n * @returns The matching `ApiKey` document (including rate limit state),\n *   or `null` if no key matches the given hash.\n *\n * @example\n * ```ts\n * const apiKey = await ctx.runQuery(\n *   components.auth.security.keys.keyGetByHashedKey,\n *   { hashedKey: await sha256(bearerToken) },\n * );\n * if (apiKey === null || apiKey.revoked) {\n *   throw new Error(\"Invalid or revoked API key\");\n * }\n * ```\n */\nexport const keyGetByHashedKey = query({\n  args: { hashedKey: v.string() },\n  returns: v.union(vApiKeyDoc, v.null()),\n  handler: async (ctx, { hashedKey }) => {\n    return await ctx.db\n      .query(\"ApiKey\")\n      .withIndex(\"hashed_key\", (q) => q.eq(\"hashedKey\", hashedKey))\n      .first();\n  },\n});\n\n/**\n * List API keys with optional filtering, sorting, and cursor-based pagination.\n *\n * Returns a paginated result `{ items, nextCursor }` from the `ApiKey`\n * table. Supports filtering by `userId`, `revoked` status, `name`, and\n * `prefix`. The page size is clamped between 1 and 100 (default 50).\n * Pass the returned `nextCursor` as `cursor` in a subsequent call to\n * fetch the next page.\n *\n * @param where - Optional filter object. All specified fields are\n *   combined with AND logic:\n *   - `userId` -- restrict to keys owned by this user.\n *   - `revoked` -- `true` for revoked keys, `false` for active keys.\n *   - `name` -- exact match on the key's human-readable name.\n *   - `prefix` -- exact match on the key prefix string.\n * @param limit - Maximum number of items to return per page (1--100,\n *   default `50`).\n * @param cursor - Opaque cursor string (an `ApiKey` document `_id`)\n *   returned from a previous call. Pass `null` or omit for the first page.\n * @param orderBy - Field to sort by. One of `\"_creationTime\"`, `\"name\"`,\n *   `\"lastUsedAt\"`, `\"expiresAt\"`, or `\"revoked\"`. Defaults to\n *   `\"_creationTime\"`.\n * @param order - Sort direction, `\"asc\"` or `\"desc\"` (default `\"desc\"`).\n * @returns An object with `items` (array of `ApiKey` documents) and\n *   `nextCursor` (string ID of the last item, or `null` if no more pages).\n *\n * @example\n * ```ts\n * // Fetch the first page of active keys for a user\n * const page = await ctx.runQuery(\n *   components.auth.security.keys.keyList,\n *   {\n *     where: { userId: user._id, revoked: false },\n *     limit: 20,\n *     order: \"desc\",\n *   },\n * );\n * // Fetch the next page\n * if (page.nextCursor) {\n *   const page2 = await ctx.runQuery(\n *     components.auth.security.keys.keyList,\n *     { where: { userId: user._id, revoked: false }, cursor: page.nextCursor },\n *   );\n * }\n * ```\n */\nexport const keyList = query({\n  args: {\n    where: v.optional(\n      v.object({\n        userId: v.optional(v.id(\"User\")),\n        revoked: v.optional(v.boolean()),\n        name: v.optional(v.string()),\n        prefix: v.optional(v.string()),\n      }),\n    ),\n    limit: v.optional(v.number()),\n    cursor: v.optional(v.union(v.string(), v.null())),\n    orderBy: v.optional(\n      v.union(\n        v.literal(\"_creationTime\"),\n        v.literal(\"name\"),\n        v.literal(\"lastUsedAt\"),\n        v.literal(\"expiresAt\"),\n        v.literal(\"revoked\"),\n      ),\n    ),\n    order: v.optional(v.union(v.literal(\"asc\"), v.literal(\"desc\"))),\n  },\n  returns: vPaginated(vApiKeyDoc),\n  handler: async (ctx, args) => {\n    const where = args.where ?? {};\n    const limit = Math.min(Math.max(args.limit ?? 50, 1), 100);\n    const order = args.order ?? \"desc\";\n\n    let q;\n    if (where.userId !== undefined) {\n      q = ctx.db\n        .query(\"ApiKey\")\n        .withIndex(\"user_id\", (idx) => idx.eq(\"userId\", where.userId!));\n    } else {\n      q = ctx.db.query(\"ApiKey\");\n    }\n\n    if (where.revoked !== undefined) {\n      q = q.filter((f) => f.eq(f.field(\"revoked\"), where.revoked!));\n    }\n    if (where.name !== undefined) {\n      q = q.filter((f) => f.eq(f.field(\"name\"), where.name!));\n    }\n    if (where.prefix !== undefined) {\n      q = q.filter((f) => f.eq(f.field(\"prefix\"), where.prefix!));\n    }\n\n    q = q.order(order);\n\n    const all = await q.collect();\n    let startIdx = 0;\n    if (args.cursor) {\n      const cursorIdx = all.findIndex((doc) => doc._id === args.cursor);\n      if (cursorIdx !== -1) {\n        startIdx = cursorIdx + 1;\n      }\n    }\n    const page = all.slice(startIdx, startIdx + limit + 1);\n    const hasMore = page.length > limit;\n    const items = hasMore ? page.slice(0, limit) : page;\n    const nextCursor = hasMore ? items[items.length - 1]._id : null;\n    return { items, nextCursor };\n  },\n});\n\n/**\n * Get a single API key by its document ID.\n *\n * Performs a direct document lookup on the `ApiKey` table. Useful when\n * you already have the key's `_id` (e.g. from a list query or a stored\n * reference) and need to retrieve its full details.\n *\n * @param keyId - The `_id` of the `ApiKey` document to retrieve.\n * @returns The `ApiKey` document, or `null` if no key exists with the\n *   given ID.\n *\n * @example\n * ```ts\n * const apiKey = await ctx.runQuery(\n *   components.auth.security.keys.keyGetById,\n *   { keyId: storedKeyId },\n * );\n * if (apiKey !== null) {\n *   console.log(apiKey.name, apiKey.scopes);\n * }\n * ```\n */\nexport const keyGetById = query({\n  args: { keyId: v.id(\"ApiKey\") },\n  returns: v.union(vApiKeyDoc, v.null()),\n  handler: async (ctx, { keyId }) => {\n    return await ctx.db.get(\"ApiKey\", keyId);\n  },\n});\n\n/**\n * Patch an API key record with partial updates.\n *\n * Performs a partial update on the `ApiKey` document. Supports modifying\n * the key's name, scopes, rate limit configuration, rate limit state,\n * revocation flag, and last-used timestamp. Throws a `ConvexError` with\n * code `\"KEY_NOT_FOUND\"` if the key does not exist.\n *\n * @param keyId - The `_id` of the `ApiKey` document to update.\n * @param data - An object containing the fields to patch. All fields are\n *   optional:\n *   - `name` -- Updated human-readable name.\n *   - `scopes` -- Replacement array of permission scopes.\n *   - `rateLimit` -- Updated rate limit configuration.\n *   - `rateLimitState` -- Updated rate limit tracking state (token\n *     count, last refill time).\n *   - `revoked` -- Set to `true` to revoke the key, `false` to\n *     reinstate it.\n *   - `lastUsedAt` -- Unix timestamp (in milliseconds) of the most\n *     recent API call using this key.\n * @returns `null` on success.\n *\n * @example\n * ```ts\n * // Revoke an API key\n * await ctx.runMutation(\n *   components.auth.security.keys.keyPatch,\n *   {\n *     keyId: apiKey._id,\n *     data: { revoked: true },\n *   },\n * );\n *\n * // Rename and update scopes\n * await ctx.runMutation(\n *   components.auth.security.keys.keyPatch,\n *   {\n *     keyId: apiKey._id,\n *     data: {\n *       name: \"Read-Only Key\",\n *       scopes: [{ resource: \"messages\", actions: [\"read\"] }],\n *     },\n *   },\n * );\n * ```\n */\nexport const keyPatch = mutation({\n  args: {\n    keyId: v.id(\"ApiKey\"),\n    data: v.object({\n      name: v.optional(v.string()),\n      scopes: v.optional(v.array(vApiKeyScope)),\n      rateLimit: v.optional(vApiKeyRateLimit),\n      rateLimitState: v.optional(vApiKeyRateLimitState),\n      revoked: v.optional(v.boolean()),\n      lastUsedAt: v.optional(v.number()),\n    }),\n  },\n  returns: v.null(),\n  handler: async (ctx, { keyId, data }) => {\n    const key = await ctx.db.get(\"ApiKey\", keyId);\n    if (key === null) {\n      throw new ConvexError({\n        code: \"KEY_NOT_FOUND\",\n        message: \"API key not found\",\n        keyId,\n      });\n    }\n    await ctx.db.patch(\"ApiKey\", keyId, data);\n    return null;\n  },\n});\n\n/**\n * Hard-delete an API key record from the `ApiKey` table.\n *\n * Permanently removes the API key document. Unlike revocation (which\n * keeps the record for audit purposes), this is an irreversible\n * deletion. Throws a `ConvexError` with code `\"KEY_NOT_FOUND\"` if the\n * key does not exist.\n *\n * @param keyId - The `_id` of the `ApiKey` document to delete.\n * @returns `null` on success.\n *\n * @example\n * ```ts\n * await ctx.runMutation(\n *   components.auth.security.keys.keyDelete,\n *   { keyId: apiKey._id },\n * );\n * ```\n */\nexport const keyDelete = mutation({\n  args: { keyId: v.id(\"ApiKey\") },\n  returns: v.null(),\n  handler: async (ctx, { keyId }) => {\n    const key = await ctx.db.get(\"ApiKey\", keyId);\n    if (key === null) {\n      throw new ConvexError({\n        code: \"KEY_NOT_FOUND\",\n        message: \"API key not found\",\n        keyId,\n      });\n    }\n    await ctx.db.delete(\"ApiKey\", keyId);\n    return null;\n  },\n});\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAqDA,MAAa,YAAY,SAAS;CAChC,MAAM;EACJ,QAAQ,EAAE,GAAG,OAAO;EACpB,QAAQ,EAAE,QAAQ;EAClB,WAAW,EAAE,QAAQ;EACrB,MAAM,EAAE,QAAQ;EAChB,QAAQ,EAAE,MACR,EAAE,OAAO;GACP,UAAU,EAAE,QAAQ;GACpB,SAAS,EAAE,MAAM,EAAE,QAAQ,CAAC;GAC7B,CAAC,CACH;EACD,WAAW,EAAE,SAAS,iBAAiB;EACvC,WAAW,EAAE,SAAS,EAAE,QAAQ,CAAC;EACjC,UAAU,EAAE,SAAS,EAAE,KAAK,CAAC;EAC9B;CACD,SAAS,EAAE,GAAG,SAAS;CACvB,SAAS,OAAO,KAAK,SAAS;AAC5B,SAAO,MAAM,IAAI,GAAG,OAAO,UAAU;GACnC,GAAG;GACH,WAAW,KAAK,KAAK;GACrB,SAAS;GACV,CAAC;;CAEL,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;AA2BF,MAAa,oBAAoB,MAAM;CACrC,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE;CAC/B,SAAS,EAAE,MAAM,YAAY,EAAE,MAAM,CAAC;CACtC,SAAS,OAAO,KAAK,EAAE,gBAAgB;AACrC,SAAO,MAAM,IAAI,GACd,MAAM,SAAS,CACf,UAAU,eAAe,MAAM,EAAE,GAAG,aAAa,UAAU,CAAC,CAC5D,OAAO;;CAEb,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAgDF,MAAa,UAAU,MAAM;CAC3B,MAAM;EACJ,OAAO,EAAE,SACP,EAAE,OAAO;GACP,QAAQ,EAAE,SAAS,EAAE,GAAG,OAAO,CAAC;GAChC,SAAS,EAAE,SAAS,EAAE,SAAS,CAAC;GAChC,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;GAC5B,QAAQ,EAAE,SAAS,EAAE,QAAQ,CAAC;GAC/B,CAAC,CACH;EACD,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC7B,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,EAAE,MAAM,CAAC,CAAC;EACjD,SAAS,EAAE,SACT,EAAE,MACA,EAAE,QAAQ,gBAAgB,EAC1B,EAAE,QAAQ,OAAO,EACjB,EAAE,QAAQ,aAAa,EACvB,EAAE,QAAQ,YAAY,EACtB,EAAE,QAAQ,UAAU,CACrB,CACF;EACD,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,MAAM,EAAE,EAAE,QAAQ,OAAO,CAAC,CAAC;EAChE;CACD,SAAS,WAAW,WAAW;CAC/B,SAAS,OAAO,KAAK,SAAS;EAC5B,MAAM,QAAQ,KAAK,SAAS,EAAE;EAC9B,MAAM,QAAQ,KAAK,IAAI,KAAK,IAAI,KAAK,SAAS,IAAI,EAAE,EAAE,IAAI;EAC1D,MAAM,QAAQ,KAAK,SAAS;EAE5B,IAAI;AACJ,MAAI,MAAM,WAAW,OACnB,KAAI,IAAI,GACL,MAAM,SAAS,CACf,UAAU,YAAY,QAAQ,IAAI,GAAG,UAAU,MAAM,OAAQ,CAAC;MAEjE,KAAI,IAAI,GAAG,MAAM,SAAS;AAG5B,MAAI,MAAM,YAAY,OACpB,KAAI,EAAE,QAAQ,MAAM,EAAE,GAAG,EAAE,MAAM,UAAU,EAAE,MAAM,QAAS,CAAC;AAE/D,MAAI,MAAM,SAAS,OACjB,KAAI,EAAE,QAAQ,MAAM,EAAE,GAAG,EAAE,MAAM,OAAO,EAAE,MAAM,KAAM,CAAC;AAEzD,MAAI,MAAM,WAAW,OACnB,KAAI,EAAE,QAAQ,MAAM,EAAE,GAAG,EAAE,MAAM,SAAS,EAAE,MAAM,OAAQ,CAAC;AAG7D,MAAI,EAAE,MAAM,MAAM;EAElB,MAAM,MAAM,MAAM,EAAE,SAAS;EAC7B,IAAI,WAAW;AACf,MAAI,KAAK,QAAQ;GACf,MAAM,YAAY,IAAI,WAAW,QAAQ,IAAI,QAAQ,KAAK,OAAO;AACjE,OAAI,cAAc,GAChB,YAAW,YAAY;;EAG3B,MAAM,OAAO,IAAI,MAAM,UAAU,WAAW,QAAQ,EAAE;EACtD,MAAM,UAAU,KAAK,SAAS;EAC9B,MAAM,QAAQ,UAAU,KAAK,MAAM,GAAG,MAAM,GAAG;AAE/C,SAAO;GAAE;GAAO,YADG,UAAU,MAAM,MAAM,SAAS,GAAG,MAAM;GAC/B;;CAE/B,CAAC;;;;;;;;;;;;;;;;;;;;;;;AAwBF,MAAa,aAAa,MAAM;CAC9B,MAAM,EAAE,OAAO,EAAE,GAAG,SAAS,EAAE;CAC/B,SAAS,EAAE,MAAM,YAAY,EAAE,MAAM,CAAC;CACtC,SAAS,OAAO,KAAK,EAAE,YAAY;AACjC,SAAO,MAAM,IAAI,GAAG,IAAI,UAAU,MAAM;;CAE3C,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAgDF,MAAa,WAAW,SAAS;CAC/B,MAAM;EACJ,OAAO,EAAE,GAAG,SAAS;EACrB,MAAM,EAAE,OAAO;GACb,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;GAC5B,QAAQ,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;GACzC,WAAW,EAAE,SAAS,iBAAiB;GACvC,gBAAgB,EAAE,SAAS,sBAAsB;GACjD,SAAS,EAAE,SAAS,EAAE,SAAS,CAAC;GAChC,YAAY,EAAE,SAAS,EAAE,QAAQ,CAAC;GACnC,CAAC;EACH;CACD,SAAS,EAAE,MAAM;CACjB,SAAS,OAAO,KAAK,EAAE,OAAO,WAAW;AAEvC,MADY,MAAM,IAAI,GAAG,IAAI,UAAU,MAAM,KACjC,KACV,OAAM,IAAI,YAAY;GACpB,MAAM;GACN,SAAS;GACT;GACD,CAAC;AAEJ,QAAM,IAAI,GAAG,MAAM,UAAU,OAAO,KAAK;AACzC,SAAO;;CAEV,CAAC;;;;;;;;;;;;;;;;;;;;AAqBF,MAAa,YAAY,SAAS;CAChC,MAAM,EAAE,OAAO,EAAE,GAAG,SAAS,EAAE;CAC/B,SAAS,EAAE,MAAM;CACjB,SAAS,OAAO,KAAK,EAAE,YAAY;AAEjC,MADY,MAAM,IAAI,GAAG,IAAI,UAAU,MAAM,KACjC,KACV,OAAM,IAAI,YAAY;GACpB,MAAM;GACN,SAAS;GACT;GACD,CAAC;AAEJ,QAAM,IAAI,GAAG,OAAO,UAAU,MAAM;AACpC,SAAO;;CAEV,CAAC"}
+{"version":3,"file":"keys.js","names":[],"sources":["../../../../src/component/public/security/keys.ts"],"sourcesContent":["import { ConvexError, v } from \"convex/values\";\n\nimport { mutation, query } from \"../../functions\";\nimport {\n  vApiKeyDoc,\n  vApiKeyRateLimit,\n  vApiKeyRateLimitState,\n  vApiKeyScope,\n  vPaginated,\n} from \"../../model\";\n\n// ============================================================================\n// API Keys\n// ============================================================================\n\n/**\n * Insert a new API key record into the `ApiKey` table.\n *\n * Creates an API key entry with the given metadata and scopes. The caller\n * is responsible for generating and hashing the raw key before passing it\n * here -- this function only stores the hash, never the plaintext key.\n * The `createdAt` timestamp and `revoked: false` flag are set automatically.\n *\n * @param userId - The `_id` of the `User` who owns this API key.\n * @param prefix - A short, visible prefix for the key (e.g. `\"sk_live_\"`)\n *   that helps users identify which key was used without exposing the secret.\n * @param hashedKey - SHA-256 hash of the full API key string. Used for\n *   constant-time lookup during Bearer token verification.\n * @param name - Human-readable name for the key (e.g. `\"Production Backend\"`).\n * @param scopes - Array of permission scopes, each containing a `resource`\n *   name and an array of allowed `actions` (e.g.\n *   `[{ resource: \"messages\", actions: [\"read\", \"write\"] }]`).\n * @param rateLimit - Optional rate limit configuration to apply per-key\n *   (e.g. max requests per window).\n * @param expiresAt - Optional Unix timestamp (in milliseconds) after which\n *   the key is no longer valid. Omit for non-expiring keys.\n * @param metadata - Optional arbitrary metadata to attach to the key record.\n * @returns The `_id` of the newly created `ApiKey` document.\n *\n * @example\n * ```ts\n * const keyId = await ctx.runMutation(\n *   components.auth.security.keys.keyInsert,\n *   {\n *     userId: user._id,\n *     prefix: \"sk_live_\",\n *     hashedKey: await sha256(rawKey),\n *     name: \"Production Backend\",\n *     scopes: [{ resource: \"messages\", actions: [\"read\", \"write\"] }],\n *     expiresAt: Date.now() + 90 * 24 * 60 * 60 * 1000,\n *   },\n * );\n * ```\n */\nexport const keyInsert = mutation({\n  args: {\n    userId: v.id(\"User\"),\n    prefix: v.string(),\n    hashedKey: v.string(),\n    name: v.string(),\n    scopes: v.array(\n      v.object({\n        resource: v.string(),\n        actions: v.array(v.string()),\n      }),\n    ),\n    rateLimit: v.optional(vApiKeyRateLimit),\n    expiresAt: v.optional(v.number()),\n    metadata: v.optional(v.any()),\n  },\n  returns: v.id(\"ApiKey\"),\n  handler: async (ctx, args) => {\n    return await ctx.db.insert(\"ApiKey\", {\n      ...args,\n      createdAt: Date.now(),\n      revoked: false,\n    });\n  },\n});\n\n/**\n * Look up an API key by its SHA-256 hash.\n *\n * Queries the `ApiKey` table using the `hashed_key` index. This is the\n * primary lookup path during Bearer token verification: the incoming\n * token is hashed and matched against stored hashes in constant time.\n * Returns the full key record including scopes, rate limit state, and\n * revocation status so the caller can perform authorization checks.\n *\n * @param hashedKey - SHA-256 hash of the API key string extracted from\n *   the `Authorization: Bearer <token>` header.\n * @returns The matching `ApiKey` document (including rate limit state),\n *   or `null` if no key matches the given hash.\n *\n * @example\n * ```ts\n * const apiKey = await ctx.runQuery(\n *   components.auth.security.keys.keyGetByHashedKey,\n *   { hashedKey: await sha256(bearerToken) },\n * );\n * if (apiKey === null || apiKey.revoked) {\n *   throw new Error(\"Invalid or revoked API key\");\n * }\n * ```\n */\nexport const keyGetByHashedKey = query({\n  args: { hashedKey: v.string() },\n  returns: v.union(vApiKeyDoc, v.null()),\n  handler: async (ctx, { hashedKey }) => {\n    return await ctx.db\n      .query(\"ApiKey\")\n      .withIndex(\"hashed_key\", (q) => q.eq(\"hashedKey\", hashedKey))\n      .first();\n  },\n});\n\n/**\n * List API keys with optional filtering, sorting, and cursor-based pagination.\n *\n * Returns a paginated result `{ items, nextCursor }` from the `ApiKey`\n * table. Supports filtering by `userId`, `revoked` status, `name`, and\n * `prefix`. The page size is clamped between 1 and 100 (default 50).\n * Pass the returned `nextCursor` as `cursor` in a subsequent call to\n * fetch the next page.\n *\n * @param where - Optional filter object. All specified fields are\n *   combined with AND logic:\n *   - `userId` -- restrict to keys owned by this user.\n *   - `revoked` -- `true` for revoked keys, `false` for active keys.\n *   - `name` -- exact match on the key's human-readable name.\n *   - `prefix` -- exact match on the key prefix string.\n * @param limit - Maximum number of items to return per page (1--100,\n *   default `50`).\n * @param cursor - Opaque cursor string (an `ApiKey` document `_id`)\n *   returned from a previous call. Pass `null` or omit for the first page.\n * @param orderBy - Field to sort by. One of `\"_creationTime\"`, `\"name\"`,\n *   `\"lastUsedAt\"`, `\"expiresAt\"`, or `\"revoked\"`. Defaults to\n *   `\"_creationTime\"`.\n * @param order - Sort direction, `\"asc\"` or `\"desc\"` (default `\"desc\"`).\n * @returns An object with `items` (array of `ApiKey` documents) and\n *   `nextCursor` (string ID of the last item, or `null` if no more pages).\n *\n * @example\n * ```ts\n * // Fetch the first page of active keys for a user\n * const page = await ctx.runQuery(\n *   components.auth.security.keys.keyList,\n *   {\n *     where: { userId: user._id, revoked: false },\n *     limit: 20,\n *     order: \"desc\",\n *   },\n * );\n * // Fetch the next page\n * if (page.nextCursor) {\n *   const page2 = await ctx.runQuery(\n *     components.auth.security.keys.keyList,\n *     { where: { userId: user._id, revoked: false }, cursor: page.nextCursor },\n *   );\n * }\n * ```\n */\nexport const keyList = query({\n  args: {\n    where: v.optional(\n      v.object({\n        userId: v.optional(v.id(\"User\")),\n        revoked: v.optional(v.boolean()),\n        name: v.optional(v.string()),\n        prefix: v.optional(v.string()),\n      }),\n    ),\n    limit: v.optional(v.number()),\n    cursor: v.optional(v.union(v.string(), v.null())),\n    orderBy: v.optional(\n      v.union(\n        v.literal(\"_creationTime\"),\n        v.literal(\"name\"),\n        v.literal(\"lastUsedAt\"),\n        v.literal(\"expiresAt\"),\n        v.literal(\"revoked\"),\n      ),\n    ),\n    order: v.optional(v.union(v.literal(\"asc\"), v.literal(\"desc\"))),\n  },\n  returns: vPaginated(vApiKeyDoc),\n  handler: async (ctx, args) => {\n    const where = args.where ?? {};\n    const limit = Math.min(Math.max(args.limit ?? 50, 1), 100);\n    const order = args.order ?? \"desc\";\n\n    let q;\n    if (where.userId !== undefined) {\n      q = ctx.db\n        .query(\"ApiKey\")\n        .withIndex(\"user_id\", (idx) => idx.eq(\"userId\", where.userId!));\n    } else {\n      q = ctx.db.query(\"ApiKey\");\n    }\n\n    if (where.revoked !== undefined) {\n      q = q.filter((f) => f.eq(f.field(\"revoked\"), where.revoked!));\n    }\n    if (where.name !== undefined) {\n      q = q.filter((f) => f.eq(f.field(\"name\"), where.name!));\n    }\n    if (where.prefix !== undefined) {\n      q = q.filter((f) => f.eq(f.field(\"prefix\"), where.prefix!));\n    }\n\n    q = q.order(order);\n\n    const all = await q.collect();\n    let startIdx = 0;\n    if (args.cursor) {\n      const cursorIdx = all.findIndex((doc) => doc._id === args.cursor);\n      if (cursorIdx !== -1) {\n        startIdx = cursorIdx + 1;\n      }\n    }\n    const page = all.slice(startIdx, startIdx + limit + 1);\n    const hasMore = page.length > limit;\n    const items = hasMore ? page.slice(0, limit) : page;\n    const nextCursor = hasMore ? items[items.length - 1]._id : null;\n    return { items, nextCursor };\n  },\n});\n\n/**\n * Get a single API key by its document ID.\n *\n * Performs a direct document lookup on the `ApiKey` table. Useful when\n * you already have the key's `_id` (e.g. from a list query or a stored\n * reference) and need to retrieve its full details.\n *\n * @param keyId - The `_id` of the `ApiKey` document to retrieve.\n * @returns The `ApiKey` document, or `null` if no key exists with the\n *   given ID.\n *\n * @example\n * ```ts\n * const apiKey = await ctx.runQuery(\n *   components.auth.security.keys.keyGetById,\n *   { keyId: storedKeyId },\n * );\n * if (apiKey !== null) {\n *   console.log(apiKey.name, apiKey.scopes);\n * }\n * ```\n */\nexport const keyGetById = query({\n  args: { keyId: v.id(\"ApiKey\") },\n  returns: v.union(vApiKeyDoc, v.null()),\n  handler: async (ctx, { keyId }) => {\n    return await ctx.db.get(\"ApiKey\", keyId);\n  },\n});\n\n/**\n * Patch an API key record with partial updates.\n *\n * Performs a partial update on the `ApiKey` document. Supports modifying\n * the key's name, scopes, rate limit configuration, rate limit state,\n * revocation flag, and last-used timestamp. Throws a `ConvexError` with\n * code `\"KEY_NOT_FOUND\"` if the key does not exist.\n *\n * @param keyId - The `_id` of the `ApiKey` document to update.\n * @param data - An object containing the fields to patch. All fields are\n *   optional:\n *   - `name` -- Updated human-readable name.\n *   - `scopes` -- Replacement array of permission scopes.\n *   - `rateLimit` -- Updated rate limit configuration.\n *   - `rateLimitState` -- Updated rate limit tracking state (token\n *     count, last refill time).\n *   - `revoked` -- Set to `true` to revoke the key, `false` to\n *     reinstate it.\n *   - `lastUsedAt` -- Unix timestamp (in milliseconds) of the most\n *     recent API call using this key.\n * @returns `null` on success.\n *\n * @example\n * ```ts\n * // Revoke an API key\n * await ctx.runMutation(\n *   components.auth.security.keys.keyPatch,\n *   {\n *     keyId: apiKey._id,\n *     data: { revoked: true },\n *   },\n * );\n *\n * // Rename and update scopes\n * await ctx.runMutation(\n *   components.auth.security.keys.keyPatch,\n *   {\n *     keyId: apiKey._id,\n *     data: {\n *       name: \"Read-Only Key\",\n *       scopes: [{ resource: \"messages\", actions: [\"read\"] }],\n *     },\n *   },\n * );\n * ```\n */\nexport const keyPatch = mutation({\n  args: {\n    keyId: v.id(\"ApiKey\"),\n    data: v.object({\n      name: v.optional(v.string()),\n      scopes: v.optional(v.array(vApiKeyScope)),\n      rateLimit: v.optional(vApiKeyRateLimit),\n      rateLimitState: v.optional(vApiKeyRateLimitState),\n      revoked: v.optional(v.boolean()),\n      lastUsedAt: v.optional(v.number()),\n    }),\n  },\n  returns: v.null(),\n  handler: async (ctx, { keyId, data }) => {\n    const key = await ctx.db.get(\"ApiKey\", keyId);\n    if (key === null) {\n      throw new ConvexError({\n        code: \"KEY_NOT_FOUND\",\n        message: \"API key not found\",\n        keyId,\n      });\n    }\n    await ctx.db.patch(\"ApiKey\", keyId, data);\n    return null;\n  },\n});\n\n/**\n * Hard-delete an API key record from the `ApiKey` table.\n *\n * Permanently removes the API key document. Unlike revocation (which\n * keeps the record for audit purposes), this is an irreversible\n * deletion. Throws a `ConvexError` with code `\"KEY_NOT_FOUND\"` if the\n * key does not exist.\n *\n * @param keyId - The `_id` of the `ApiKey` document to delete.\n * @returns `null` on success.\n *\n * @example\n * ```ts\n * await ctx.runMutation(\n *   components.auth.security.keys.keyDelete,\n *   { keyId: apiKey._id },\n * );\n * ```\n */\nexport const keyDelete = mutation({\n  args: { keyId: v.id(\"ApiKey\") },\n  returns: v.null(),\n  handler: async (ctx, { keyId }) => {\n    const key = await ctx.db.get(\"ApiKey\", keyId);\n    if (key === null) {\n      throw new ConvexError({\n        code: \"KEY_NOT_FOUND\",\n        message: \"API key not found\",\n        keyId,\n      });\n    }\n    await ctx.db.delete(\"ApiKey\", keyId);\n    return null;\n  },\n});\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAsDA,MAAa,YAAY,SAAS;CAChC,MAAM;EACJ,QAAQ,EAAE,GAAG,OAAO;EACpB,QAAQ,EAAE,QAAQ;EAClB,WAAW,EAAE,QAAQ;EACrB,MAAM,EAAE,QAAQ;EAChB,QAAQ,EAAE,MACR,EAAE,OAAO;GACP,UAAU,EAAE,QAAQ;GACpB,SAAS,EAAE,MAAM,EAAE,QAAQ,CAAC;GAC7B,CAAC,CACH;EACD,WAAW,EAAE,SAAS,iBAAiB;EACvC,WAAW,EAAE,SAAS,EAAE,QAAQ,CAAC;EACjC,UAAU,EAAE,SAAS,EAAE,KAAK,CAAC;EAC9B;CACD,SAAS,EAAE,GAAG,SAAS;CACvB,SAAS,OAAO,KAAK,SAAS;AAC5B,SAAO,MAAM,IAAI,GAAG,OAAO,UAAU;GACnC,GAAG;GACH,WAAW,KAAK,KAAK;GACrB,SAAS;GACV,CAAC;;CAEL,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;AA2BF,MAAa,oBAAoB,MAAM;CACrC,MAAM,EAAE,WAAW,EAAE,QAAQ,EAAE;CAC/B,SAAS,EAAE,MAAM,YAAY,EAAE,MAAM,CAAC;CACtC,SAAS,OAAO,KAAK,EAAE,gBAAgB;AACrC,SAAO,MAAM,IAAI,GACd,MAAM,SAAS,CACf,UAAU,eAAe,MAAM,EAAE,GAAG,aAAa,UAAU,CAAC,CAC5D,OAAO;;CAEb,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAgDF,MAAa,UAAU,MAAM;CAC3B,MAAM;EACJ,OAAO,EAAE,SACP,EAAE,OAAO;GACP,QAAQ,EAAE,SAAS,EAAE,GAAG,OAAO,CAAC;GAChC,SAAS,EAAE,SAAS,EAAE,SAAS,CAAC;GAChC,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;GAC5B,QAAQ,EAAE,SAAS,EAAE,QAAQ,CAAC;GAC/B,CAAC,CACH;EACD,OAAO,EAAE,SAAS,EAAE,QAAQ,CAAC;EAC7B,QAAQ,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,EAAE,EAAE,MAAM,CAAC,CAAC;EACjD,SAAS,EAAE,SACT,EAAE,MACA,EAAE,QAAQ,gBAAgB,EAC1B,EAAE,QAAQ,OAAO,EACjB,EAAE,QAAQ,aAAa,EACvB,EAAE,QAAQ,YAAY,EACtB,EAAE,QAAQ,UAAU,CACrB,CACF;EACD,OAAO,EAAE,SAAS,EAAE,MAAM,EAAE,QAAQ,MAAM,EAAE,EAAE,QAAQ,OAAO,CAAC,CAAC;EAChE;CACD,SAAS,WAAW,WAAW;CAC/B,SAAS,OAAO,KAAK,SAAS;EAC5B,MAAM,QAAQ,KAAK,SAAS,EAAE;EAC9B,MAAM,QAAQ,KAAK,IAAI,KAAK,IAAI,KAAK,SAAS,IAAI,EAAE,EAAE,IAAI;EAC1D,MAAM,QAAQ,KAAK,SAAS;EAE5B,IAAI;AACJ,MAAI,MAAM,WAAW,OACnB,KAAI,IAAI,GACL,MAAM,SAAS,CACf,UAAU,YAAY,QAAQ,IAAI,GAAG,UAAU,MAAM,OAAQ,CAAC;MAEjE,KAAI,IAAI,GAAG,MAAM,SAAS;AAG5B,MAAI,MAAM,YAAY,OACpB,KAAI,EAAE,QAAQ,MAAM,EAAE,GAAG,EAAE,MAAM,UAAU,EAAE,MAAM,QAAS,CAAC;AAE/D,MAAI,MAAM,SAAS,OACjB,KAAI,EAAE,QAAQ,MAAM,EAAE,GAAG,EAAE,MAAM,OAAO,EAAE,MAAM,KAAM,CAAC;AAEzD,MAAI,MAAM,WAAW,OACnB,KAAI,EAAE,QAAQ,MAAM,EAAE,GAAG,EAAE,MAAM,SAAS,EAAE,MAAM,OAAQ,CAAC;AAG7D,MAAI,EAAE,MAAM,MAAM;EAElB,MAAM,MAAM,MAAM,EAAE,SAAS;EAC7B,IAAI,WAAW;AACf,MAAI,KAAK,QAAQ;GACf,MAAM,YAAY,IAAI,WAAW,QAAQ,IAAI,QAAQ,KAAK,OAAO;AACjE,OAAI,cAAc,GAChB,YAAW,YAAY;;EAG3B,MAAM,OAAO,IAAI,MAAM,UAAU,WAAW,QAAQ,EAAE;EACtD,MAAM,UAAU,KAAK,SAAS;EAC9B,MAAM,QAAQ,UAAU,KAAK,MAAM,GAAG,MAAM,GAAG;AAE/C,SAAO;GAAE;GAAO,YADG,UAAU,MAAM,MAAM,SAAS,GAAG,MAAM;GAC/B;;CAE/B,CAAC;;;;;;;;;;;;;;;;;;;;;;;AAwBF,MAAa,aAAa,MAAM;CAC9B,MAAM,EAAE,OAAO,EAAE,GAAG,SAAS,EAAE;CAC/B,SAAS,EAAE,MAAM,YAAY,EAAE,MAAM,CAAC;CACtC,SAAS,OAAO,KAAK,EAAE,YAAY;AACjC,SAAO,MAAM,IAAI,GAAG,IAAI,UAAU,MAAM;;CAE3C,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAgDF,MAAa,WAAW,SAAS;CAC/B,MAAM;EACJ,OAAO,EAAE,GAAG,SAAS;EACrB,MAAM,EAAE,OAAO;GACb,MAAM,EAAE,SAAS,EAAE,QAAQ,CAAC;GAC5B,QAAQ,EAAE,SAAS,EAAE,MAAM,aAAa,CAAC;GACzC,WAAW,EAAE,SAAS,iBAAiB;GACvC,gBAAgB,EAAE,SAAS,sBAAsB;GACjD,SAAS,EAAE,SAAS,EAAE,SAAS,CAAC;GAChC,YAAY,EAAE,SAAS,EAAE,QAAQ,CAAC;GACnC,CAAC;EACH;CACD,SAAS,EAAE,MAAM;CACjB,SAAS,OAAO,KAAK,EAAE,OAAO,WAAW;AAEvC,MADY,MAAM,IAAI,GAAG,IAAI,UAAU,MAAM,KACjC,KACV,OAAM,IAAI,YAAY;GACpB,MAAM;GACN,SAAS;GACT;GACD,CAAC;AAEJ,QAAM,IAAI,GAAG,MAAM,UAAU,OAAO,KAAK;AACzC,SAAO;;CAEV,CAAC;;;;;;;;;;;;;;;;;;;;AAqBF,MAAa,YAAY,SAAS;CAChC,MAAM,EAAE,OAAO,EAAE,GAAG,SAAS,EAAE;CAC/B,SAAS,EAAE,MAAM;CACjB,SAAS,OAAO,KAAK,EAAE,YAAY;AAEjC,MADY,MAAM,IAAI,GAAG,IAAI,UAAU,MAAM,KACjC,KACV,OAAM,IAAI,YAAY;GACpB,MAAM;GACN,SAAS;GACT;GACD,CAAC;AAEJ,QAAM,IAAI,GAAG,OAAO,UAAU,MAAM;AACpC,SAAO;;CAEV,CAAC"}

package/dist/component/public/security/limits.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"limits.d.ts","names":[],"sources":["../../../../src/component/public/security/limits.ts"],"mappings":";;;;;;;;;;;;AA4BA;;;;;AAgDA;;;;;AA+CA;;;;;cA/Fa,YAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;cAgDA,eAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;cA+CA,cAAA;;;;;;;;;;;;;;;;;;;;;cAsCA,eAAA"}
+{"version":3,"file":"limits.d.ts","names":[],"sources":["../../../../src/component/public/security/limits.ts"],"mappings":";;;;;;;;;;;;AA6BA;;;;;AAgDA;;;;;AA+CA;;;;;cA/Fa,YAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;cAgDA,eAAA;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;cA+CA,cAAA;;;;;;;;;;;;;;;;;;;;;cAsCA,eAAA"}

package/dist/component/public/security/limits.js.map

@@ -1 +1 @@
-{"version":3,"file":"limits.js","names":[],"sources":["../../../../src/component/public/security/limits.ts"],"sourcesContent":["import { v } from \"convex/values\";\nimport { mutation, query } from \"../../functions\";\nimport { vRateLimitResult } from \"../../model\";\n\n/**\n * Look up a rate limit entry by its string identifier.\n *\n * Queries the `RateLimit` table using the `by_identifier` unique index.\n * Returns the rate limit state with camelCase field names (`attemptsLeft`,\n * `lastAttemptTime`) mapped from the snake_case storage format. Used to\n * check whether an action should be allowed or throttled.\n *\n * @param identifier - Unique string identifying the rate limit bucket\n *   (e.g. `\"login:user@example.com\"` or `\"api:sk_live_abc123\"`).\n * @returns The rate limit state object (including `attemptsLeft` and\n *   `lastAttemptTime`), or `null` if no entry exists for the identifier.\n *\n * @example\n * ```ts\n * const limit = await ctx.runQuery(\n *   components.auth.security.limits.rateLimitGet,\n *   { identifier: `login:${email}` },\n * );\n * if (limit !== null && limit.attemptsLeft <= 0) {\n *   throw new Error(\"Too many login attempts. Please try again later.\");\n * }\n * ```\n */\nexport const rateLimitGet = query({\n  args: { identifier: v.string() },\n  returns: v.union(vRateLimitResult, v.null()),\n  handler: async (ctx, { identifier }) => {\n    const row = await ctx.db\n      .query(\"RateLimit\")\n      .withIndex(\"by_identifier\", (q) => q.eq(\"identifier\", identifier))\n      .unique();\n    if (row === null) {\n      return null;\n    }\n    return {\n      ...row,\n      attemptsLeft: row.attempts_left,\n      lastAttemptTime: row.last_attempt_time,\n    };\n  },\n});\n\n/**\n * Create a new rate limit entry in the `RateLimit` table.\n *\n * Initializes a rate limit bucket for a given identifier. The entry\n * tracks remaining attempts and the timestamp of the last attempt,\n * storing them in snake_case format internally. Call this when the\n * first rate-limited action occurs for an identifier that does not\n * yet have an entry.\n *\n * @param identifier - Unique string identifying the rate limit bucket\n *   (e.g. `\"login:user@example.com\"` or `\"otp:+15551234567\"`).\n * @param attemptsLeft - Number of remaining attempts before the action\n *   is throttled.\n * @param lastAttemptTime - Unix timestamp (in milliseconds) of the\n *   initial attempt.\n * @returns The `_id` of the newly created `RateLimit` document.\n *\n * @example\n * ```ts\n * const rateLimitId = await ctx.runMutation(\n *   components.auth.security.limits.rateLimitCreate,\n *   {\n *     identifier: `login:${email}`,\n *     attemptsLeft: 4, // 5 max minus this attempt\n *     lastAttemptTime: Date.now(),\n *   },\n * );\n * ```\n */\nexport const rateLimitCreate = mutation({\n  args: {\n    identifier: v.string(),\n    attemptsLeft: v.number(),\n    lastAttemptTime: v.number(),\n  },\n  returns: v.id(\"RateLimit\"),\n  handler: async (ctx, { identifier, attemptsLeft, lastAttemptTime }) => {\n    return await ctx.db.insert(\"RateLimit\", {\n      identifier,\n      attempts_left: attemptsLeft,\n      last_attempt_time: lastAttemptTime,\n    });\n  },\n});\n\n/**\n * Patch a rate limit entry with partial data.\n *\n * Updates an existing `RateLimit` document with the provided fields.\n * Automatically maps camelCase field names (`attemptsLeft`,\n * `lastAttemptTime`) to the snake_case storage format before writing.\n * Typically called to decrement remaining attempts or to reset the\n * bucket after a cooldown window has elapsed.\n *\n * @param rateLimitId - The `_id` of the `RateLimit` document to update.\n * @param data - An object containing the fields to patch. Supports\n *   camelCase names which are transparently converted:\n *   - `attemptsLeft` -- Updated number of remaining attempts.\n *   - `lastAttemptTime` -- Updated timestamp of the most recent attempt.\n * @returns `null` on success.\n *\n * @example\n * ```ts\n * // Decrement attempts after a failed login\n * await ctx.runMutation(\n *   components.auth.security.limits.rateLimitPatch,\n *   {\n *     rateLimitId: limit._id,\n *     data: {\n *       attemptsLeft: limit.attemptsLeft - 1,\n *       lastAttemptTime: Date.now(),\n *     },\n *   },\n * );\n * ```\n */\nexport const rateLimitPatch = mutation({\n  args: { rateLimitId: v.id(\"RateLimit\"), data: v.any() },\n  returns: v.null(),\n  handler: async (ctx, { rateLimitId, data }) => {\n    const nextData: Record<string, unknown> = { ...data };\n    if (nextData.attemptsLeft !== undefined) {\n      nextData.attempts_left = nextData.attemptsLeft;\n      delete nextData.attemptsLeft;\n    }\n    if (nextData.lastAttemptTime !== undefined) {\n      nextData.last_attempt_time = nextData.lastAttemptTime;\n      delete nextData.lastAttemptTime;\n    }\n    await ctx.db.patch(\"RateLimit\", rateLimitId, nextData);\n    return null;\n  },\n});\n\n/**\n * Delete a rate limit entry from the `RateLimit` table.\n *\n * Permanently removes the rate limit bucket. This effectively resets\n * rate limiting for the associated identifier, allowing the next\n * action to proceed without throttling. Useful for administrative\n * resets or cleanup of expired buckets.\n *\n * @param rateLimitId - The `_id` of the `RateLimit` document to delete.\n * @returns `null` on success.\n *\n * @example\n * ```ts\n * // Admin resets a user's login rate limit\n * await ctx.runMutation(\n *   components.auth.security.limits.rateLimitDelete,\n *   { rateLimitId: limit._id },\n * );\n * ```\n */\nexport const rateLimitDelete = mutation({\n  args: { rateLimitId: v.id(\"RateLimit\") },\n  returns: v.null(),\n  handler: async (ctx, { rateLimitId }) => {\n    await ctx.db.delete(\"RateLimit\", rateLimitId);\n    return null;\n  },\n});\n\n// ============================================================================\n// Device Authorization (RFC 8628)\n// ============================================================================\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA4BA,MAAa,eAAe,MAAM;CAChC,MAAM,EAAE,YAAY,EAAE,QAAQ,EAAE;CAChC,SAAS,EAAE,MAAM,kBAAkB,EAAE,MAAM,CAAC;CAC5C,SAAS,OAAO,KAAK,EAAE,iBAAiB;EACtC,MAAM,MAAM,MAAM,IAAI,GACnB,MAAM,YAAY,CAClB,UAAU,kBAAkB,MAAM,EAAE,GAAG,cAAc,WAAW,CAAC,CACjE,QAAQ;AACX,MAAI,QAAQ,KACV,QAAO;AAET,SAAO;GACL,GAAG;GACH,cAAc,IAAI;GAClB,iBAAiB,IAAI;GACtB;;CAEJ,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA+BF,MAAa,kBAAkB,SAAS;CACtC,MAAM;EACJ,YAAY,EAAE,QAAQ;EACtB,cAAc,EAAE,QAAQ;EACxB,iBAAiB,EAAE,QAAQ;EAC5B;CACD,SAAS,EAAE,GAAG,YAAY;CAC1B,SAAS,OAAO,KAAK,EAAE,YAAY,cAAc,sBAAsB;AACrE,SAAO,MAAM,IAAI,GAAG,OAAO,aAAa;GACtC;GACA,eAAe;GACf,mBAAmB;GACpB,CAAC;;CAEL,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAiCF,MAAa,iBAAiB,SAAS;CACrC,MAAM;EAAE,aAAa,EAAE,GAAG,YAAY;EAAE,MAAM,EAAE,KAAK;EAAE;CACvD,SAAS,EAAE,MAAM;CACjB,SAAS,OAAO,KAAK,EAAE,aAAa,WAAW;EAC7C,MAAM,WAAoC,EAAE,GAAG,MAAM;AACrD,MAAI,SAAS,iBAAiB,QAAW;AACvC,YAAS,gBAAgB,SAAS;AAClC,UAAO,SAAS;;AAElB,MAAI,SAAS,oBAAoB,QAAW;AAC1C,YAAS,oBAAoB,SAAS;AACtC,UAAO,SAAS;;AAElB,QAAM,IAAI,GAAG,MAAM,aAAa,aAAa,SAAS;AACtD,SAAO;;CAEV,CAAC;;;;;;;;;;;;;;;;;;;;;AAsBF,MAAa,kBAAkB,SAAS;CACtC,MAAM,EAAE,aAAa,EAAE,GAAG,YAAY,EAAE;CACxC,SAAS,EAAE,MAAM;CACjB,SAAS,OAAO,KAAK,EAAE,kBAAkB;AACvC,QAAM,IAAI,GAAG,OAAO,aAAa,YAAY;AAC7C,SAAO;;CAEV,CAAC"}
+{"version":3,"file":"limits.js","names":[],"sources":["../../../../src/component/public/security/limits.ts"],"sourcesContent":["import { v } from \"convex/values\";\n\nimport { mutation, query } from \"../../functions\";\nimport { vRateLimitResult } from \"../../model\";\n\n/**\n * Look up a rate limit entry by its string identifier.\n *\n * Queries the `RateLimit` table using the `by_identifier` unique index.\n * Returns the rate limit state with camelCase field names (`attemptsLeft`,\n * `lastAttemptTime`) mapped from the snake_case storage format. Used to\n * check whether an action should be allowed or throttled.\n *\n * @param identifier - Unique string identifying the rate limit bucket\n *   (e.g. `\"login:user@example.com\"` or `\"api:sk_live_abc123\"`).\n * @returns The rate limit state object (including `attemptsLeft` and\n *   `lastAttemptTime`), or `null` if no entry exists for the identifier.\n *\n * @example\n * ```ts\n * const limit = await ctx.runQuery(\n *   components.auth.security.limits.rateLimitGet,\n *   { identifier: `login:${email}` },\n * );\n * if (limit !== null && limit.attemptsLeft <= 0) {\n *   throw new Error(\"Too many login attempts. Please try again later.\");\n * }\n * ```\n */\nexport const rateLimitGet = query({\n  args: { identifier: v.string() },\n  returns: v.union(vRateLimitResult, v.null()),\n  handler: async (ctx, { identifier }) => {\n    const row = await ctx.db\n      .query(\"RateLimit\")\n      .withIndex(\"by_identifier\", (q) => q.eq(\"identifier\", identifier))\n      .unique();\n    if (row === null) {\n      return null;\n    }\n    return {\n      ...row,\n      attemptsLeft: row.attempts_left,\n      lastAttemptTime: row.last_attempt_time,\n    };\n  },\n});\n\n/**\n * Create a new rate limit entry in the `RateLimit` table.\n *\n * Initializes a rate limit bucket for a given identifier. The entry\n * tracks remaining attempts and the timestamp of the last attempt,\n * storing them in snake_case format internally. Call this when the\n * first rate-limited action occurs for an identifier that does not\n * yet have an entry.\n *\n * @param identifier - Unique string identifying the rate limit bucket\n *   (e.g. `\"login:user@example.com\"` or `\"otp:+15551234567\"`).\n * @param attemptsLeft - Number of remaining attempts before the action\n *   is throttled.\n * @param lastAttemptTime - Unix timestamp (in milliseconds) of the\n *   initial attempt.\n * @returns The `_id` of the newly created `RateLimit` document.\n *\n * @example\n * ```ts\n * const rateLimitId = await ctx.runMutation(\n *   components.auth.security.limits.rateLimitCreate,\n *   {\n *     identifier: `login:${email}`,\n *     attemptsLeft: 4, // 5 max minus this attempt\n *     lastAttemptTime: Date.now(),\n *   },\n * );\n * ```\n */\nexport const rateLimitCreate = mutation({\n  args: {\n    identifier: v.string(),\n    attemptsLeft: v.number(),\n    lastAttemptTime: v.number(),\n  },\n  returns: v.id(\"RateLimit\"),\n  handler: async (ctx, { identifier, attemptsLeft, lastAttemptTime }) => {\n    return await ctx.db.insert(\"RateLimit\", {\n      identifier,\n      attempts_left: attemptsLeft,\n      last_attempt_time: lastAttemptTime,\n    });\n  },\n});\n\n/**\n * Patch a rate limit entry with partial data.\n *\n * Updates an existing `RateLimit` document with the provided fields.\n * Automatically maps camelCase field names (`attemptsLeft`,\n * `lastAttemptTime`) to the snake_case storage format before writing.\n * Typically called to decrement remaining attempts or to reset the\n * bucket after a cooldown window has elapsed.\n *\n * @param rateLimitId - The `_id` of the `RateLimit` document to update.\n * @param data - An object containing the fields to patch. Supports\n *   camelCase names which are transparently converted:\n *   - `attemptsLeft` -- Updated number of remaining attempts.\n *   - `lastAttemptTime` -- Updated timestamp of the most recent attempt.\n * @returns `null` on success.\n *\n * @example\n * ```ts\n * // Decrement attempts after a failed login\n * await ctx.runMutation(\n *   components.auth.security.limits.rateLimitPatch,\n *   {\n *     rateLimitId: limit._id,\n *     data: {\n *       attemptsLeft: limit.attemptsLeft - 1,\n *       lastAttemptTime: Date.now(),\n *     },\n *   },\n * );\n * ```\n */\nexport const rateLimitPatch = mutation({\n  args: { rateLimitId: v.id(\"RateLimit\"), data: v.any() },\n  returns: v.null(),\n  handler: async (ctx, { rateLimitId, data }) => {\n    const nextData: Record<string, unknown> = { ...data };\n    if (nextData.attemptsLeft !== undefined) {\n      nextData.attempts_left = nextData.attemptsLeft;\n      delete nextData.attemptsLeft;\n    }\n    if (nextData.lastAttemptTime !== undefined) {\n      nextData.last_attempt_time = nextData.lastAttemptTime;\n      delete nextData.lastAttemptTime;\n    }\n    await ctx.db.patch(\"RateLimit\", rateLimitId, nextData);\n    return null;\n  },\n});\n\n/**\n * Delete a rate limit entry from the `RateLimit` table.\n *\n * Permanently removes the rate limit bucket. This effectively resets\n * rate limiting for the associated identifier, allowing the next\n * action to proceed without throttling. Useful for administrative\n * resets or cleanup of expired buckets.\n *\n * @param rateLimitId - The `_id` of the `RateLimit` document to delete.\n * @returns `null` on success.\n *\n * @example\n * ```ts\n * // Admin resets a user's login rate limit\n * await ctx.runMutation(\n *   components.auth.security.limits.rateLimitDelete,\n *   { rateLimitId: limit._id },\n * );\n * ```\n */\nexport const rateLimitDelete = mutation({\n  args: { rateLimitId: v.id(\"RateLimit\") },\n  returns: v.null(),\n  handler: async (ctx, { rateLimitId }) => {\n    await ctx.db.delete(\"RateLimit\", rateLimitId);\n    return null;\n  },\n});\n\n// ============================================================================\n// Device Authorization (RFC 8628)\n// ============================================================================\n"],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA6BA,MAAa,eAAe,MAAM;CAChC,MAAM,EAAE,YAAY,EAAE,QAAQ,EAAE;CAChC,SAAS,EAAE,MAAM,kBAAkB,EAAE,MAAM,CAAC;CAC5C,SAAS,OAAO,KAAK,EAAE,iBAAiB;EACtC,MAAM,MAAM,MAAM,IAAI,GACnB,MAAM,YAAY,CAClB,UAAU,kBAAkB,MAAM,EAAE,GAAG,cAAc,WAAW,CAAC,CACjE,QAAQ;AACX,MAAI,QAAQ,KACV,QAAO;AAET,SAAO;GACL,GAAG;GACH,cAAc,IAAI;GAClB,iBAAiB,IAAI;GACtB;;CAEJ,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AA+BF,MAAa,kBAAkB,SAAS;CACtC,MAAM;EACJ,YAAY,EAAE,QAAQ;EACtB,cAAc,EAAE,QAAQ;EACxB,iBAAiB,EAAE,QAAQ;EAC5B;CACD,SAAS,EAAE,GAAG,YAAY;CAC1B,SAAS,OAAO,KAAK,EAAE,YAAY,cAAc,sBAAsB;AACrE,SAAO,MAAM,IAAI,GAAG,OAAO,aAAa;GACtC;GACA,eAAe;GACf,mBAAmB;GACpB,CAAC;;CAEL,CAAC;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAiCF,MAAa,iBAAiB,SAAS;CACrC,MAAM;EAAE,aAAa,EAAE,GAAG,YAAY;EAAE,MAAM,EAAE,KAAK;EAAE;CACvD,SAAS,EAAE,MAAM;CACjB,SAAS,OAAO,KAAK,EAAE,aAAa,WAAW;EAC7C,MAAM,WAAoC,EAAE,GAAG,MAAM;AACrD,MAAI,SAAS,iBAAiB,QAAW;AACvC,YAAS,gBAAgB,SAAS;AAClC,UAAO,SAAS;;AAElB,MAAI,SAAS,oBAAoB,QAAW;AAC1C,YAAS,oBAAoB,SAAS;AACtC,UAAO,SAAS;;AAElB,QAAM,IAAI,GAAG,MAAM,aAAa,aAAa,SAAS;AACtD,SAAO;;CAEV,CAAC;;;;;;;;;;;;;;;;;;;;;AAsBF,MAAa,kBAAkB,SAAS;CACtC,MAAM,EAAE,aAAa,EAAE,GAAG,YAAY,EAAE;CACxC,SAAS,EAAE,MAAM;CACjB,SAAS,OAAO,KAAK,EAAE,kBAAkB;AACvC,QAAM,IAAI,GAAG,OAAO,aAAa,YAAY;AAC7C,SAAO;;CAEV,CAAC"}

package/dist/component/schema.d.ts

@@ -15,10 +15,10 @@ declare const _default: convex_server66.SchemaDefinition<{
    * and multiple concurrent sessions.
    */
   User: convex_server66.TableDefinition<convex_values121.VObject<{
-    email?: string | undefined;
-    extend?: any;
     phone?: string | undefined;
+    extend?: any;
     name?: string | undefined;
+    email?: string | undefined;
     image?: string | undefined;
     emailVerificationTime?: number | undefined;
     phoneVerificationTime?: number | undefined;
@@ -32,7 +32,7 @@ declare const _default: convex_server66.SchemaDefinition<{
     phoneVerificationTime: convex_values121.VFloat64<number | undefined, "optional">;
     isAnonymous: convex_values121.VBoolean<boolean | undefined, "optional">;
     extend: convex_values121.VAny<any, "optional", string>;
-  }, "required", "email" | "extend" | "phone" | "name" | "image" | "emailVerificationTime" | "phoneVerificationTime" | "isAnonymous" | `extend.${string}`>, {
+  }, "required", "phone" | "extend" | "name" | "email" | "image" | "emailVerificationTime" | "phoneVerificationTime" | "isAnonymous" | `extend.${string}`>, {
     email: ["email", "_creationTime"];
     email_verified: ["email", "emailVerificationTime", "_creationTime"];
     phone: ["phone", "_creationTime"];
@@ -62,8 +62,8 @@ declare const _default: convex_server66.SchemaDefinition<{
     secret?: string | undefined;
     emailVerified?: string | undefined;
     phoneVerified?: string | undefined;
-    userId: convex_values121.GenericId<"User">;
     provider: string;
+    userId: convex_values121.GenericId<"User">;
     providerAccountId: string;
   }, {
     userId: convex_values121.VId<convex_values121.GenericId<"User">, "required">;
@@ -73,7 +73,7 @@ declare const _default: convex_server66.SchemaDefinition<{
     emailVerified: convex_values121.VString<string | undefined, "optional">;
     phoneVerified: convex_values121.VString<string | undefined, "optional">;
     extend: convex_values121.VAny<any, "optional", string>;
-  }, "required", "userId" | "extend" | "provider" | "secret" | "providerAccountId" | `extend.${string}` | "emailVerified" | "phoneVerified">, {
+  }, "required", "extend" | "provider" | "userId" | "providerAccountId" | "secret" | `extend.${string}` | "emailVerified" | "phoneVerified">, {
     user_id_provider: ["userId", "provider", "_creationTime"];
     provider_account_id: ["provider", "providerAccountId", "_creationTime"];
   }, {}, {}>;
@@ -88,14 +88,14 @@ declare const _default: convex_server66.SchemaDefinition<{
   RefreshToken: convex_server66.TableDefinition<convex_values121.VObject<{
     firstUsedTime?: number | undefined;
     parentRefreshTokenId?: convex_values121.GenericId<"RefreshToken"> | undefined;
-    expirationTime: number;
     sessionId: convex_values121.GenericId<"Session">;
+    expirationTime: number;
   }, {
     sessionId: convex_values121.VId<convex_values121.GenericId<"Session">, "required">;
     expirationTime: convex_values121.VFloat64<number, "required">;
     firstUsedTime: convex_values121.VFloat64<number | undefined, "optional">;
     parentRefreshTokenId: convex_values121.VId<convex_values121.GenericId<"RefreshToken"> | undefined, "optional">;
-  }, "required", "expirationTime" | "sessionId" | "firstUsedTime" | "parentRefreshTokenId">, {
+  }, "required", "sessionId" | "expirationTime" | "firstUsedTime" | "parentRefreshTokenId">, {
     session_id: ["sessionId", "_creationTime"];
     session_id_first_used: ["sessionId", "firstUsedTime", "_creationTime"];
     session_id_parent_refresh_token_id: ["sessionId", "parentRefreshTokenId", "_creationTime"];
@@ -108,8 +108,8 @@ declare const _default: convex_server66.SchemaDefinition<{
     emailVerified?: string | undefined;
     phoneVerified?: string | undefined;
     provider: string;
-    code: string;
     accountId: convex_values121.GenericId<"Account">;
+    code: string;
     expirationTime: number;
   }, {
     accountId: convex_values121.VId<convex_values121.GenericId<"Account">, "required">;
@@ -119,7 +119,7 @@ declare const _default: convex_server66.SchemaDefinition<{
     verifier: convex_values121.VString<string | undefined, "optional">;
     emailVerified: convex_values121.VString<string | undefined, "optional">;
     phoneVerified: convex_values121.VString<string | undefined, "optional">;
-  }, "required", "provider" | "code" | "accountId" | "expirationTime" | "verifier" | "emailVerified" | "phoneVerified">, {
+  }, "required", "provider" | "verifier" | "accountId" | "code" | "expirationTime" | "emailVerified" | "phoneVerified">, {
     account_id: ["accountId", "_creationTime"];
     code: ["code", "_creationTime"];
   }, {}, {}>;
@@ -165,7 +165,7 @@ declare const _default: convex_server66.SchemaDefinition<{
     name: convex_values121.VString<string | undefined, "optional">;
     createdAt: convex_values121.VFloat64<number, "required">;
     lastUsedAt: convex_values121.VFloat64<number | undefined, "optional">;
-  }, "required", "userId" | "name" | "credentialId" | "publicKey" | "algorithm" | "counter" | "transports" | "deviceType" | "backedUp" | "createdAt" | "lastUsedAt">, {
+  }, "required", "name" | "userId" | "credentialId" | "publicKey" | "algorithm" | "counter" | "transports" | "deviceType" | "backedUp" | "createdAt" | "lastUsedAt">, {
     user_id: ["userId", "_creationTime"];
     credential_id: ["credentialId", "_creationTime"];
   }, {}, {}>;
@@ -196,7 +196,7 @@ declare const _default: convex_server66.SchemaDefinition<{
     name: convex_values121.VString<string | undefined, "optional">;
     createdAt: convex_values121.VFloat64<number, "required">;
     lastUsedAt: convex_values121.VFloat64<number | undefined, "optional">;
-  }, "required", "userId" | "secret" | "name" | "createdAt" | "lastUsedAt" | "digits" | "period" | "verified">, {
+  }, "required", "name" | "userId" | "secret" | "createdAt" | "lastUsedAt" | "digits" | "period" | "verified">, {
     user_id: ["userId", "_creationTime"];
     user_id_verified: ["userId", "verified", "_creationTime"];
   }, {}, {}>;
@@ -223,7 +223,7 @@ declare const _default: convex_server66.SchemaDefinition<{
     userId: convex_values121.VId<convex_values121.GenericId<"User"> | undefined, "optional">; /** Set when the user authorizes — the session created for the device. */
     sessionId: convex_values121.VId<convex_values121.GenericId<"Session"> | undefined, "optional">; /** Timestamp of the last poll request (for slow_down enforcement). */
     lastPolledAt: convex_values121.VFloat64<number | undefined, "optional">;
-  }, "required", "userId" | "status" | "sessionId" | "deviceCodeHash" | "userCode" | "expiresAt" | "interval" | "lastPolledAt">, {
+  }, "required", "status" | "userId" | "sessionId" | "deviceCodeHash" | "userCode" | "expiresAt" | "interval" | "lastPolledAt">, {
     device_code_hash: ["deviceCodeHash", "_creationTime"];
     user_code_status: ["userCode", "status", "_creationTime"];
   }, {}, {}>;
@@ -276,7 +276,7 @@ declare const _default: convex_server66.SchemaDefinition<{
       value: convex_values121.VString<string, "required">;
     }, "required", "value" | "key">, "optional">;
     extend: convex_values121.VAny<any, "optional", string>;
-  }, "required", "type" | "extend" | "name" | `extend.${string}` | "slug" | "parentGroupId" | "rootGroupId" | "isRoot" | "tags">, {
+  }, "required", "type" | "extend" | "name" | "slug" | `extend.${string}` | "parentGroupId" | "rootGroupId" | "isRoot" | "tags">, {
     slug: ["slug", "_creationTime"];
     parent_group_id: ["parentGroupId", "_creationTime"];
     root_group_id: ["rootGroupId", "_creationTime"];
@@ -312,8 +312,8 @@ declare const _default: convex_server66.SchemaDefinition<{
     status?: string | undefined;
     role?: string | undefined;
     roleIds?: string[] | undefined;
-    userId: convex_values121.GenericId<"User">;
     groupId: convex_values121.GenericId<"Group">;
+    userId: convex_values121.GenericId<"User">;
   }, {
     groupId: convex_values121.VId<convex_values121.GenericId<"Group">, "required">;
     userId: convex_values121.VId<convex_values121.GenericId<"User">, "required">;
@@ -321,7 +321,7 @@ declare const _default: convex_server66.SchemaDefinition<{
     roleIds: convex_values121.VArray<string[] | undefined, convex_values121.VString<string, "required">, "optional">;
     status: convex_values121.VString<string | undefined, "optional">;
     extend: convex_values121.VAny<any, "optional", string>;
-  }, "required", "userId" | "extend" | "status" | `extend.${string}` | "groupId" | "role" | "roleIds">, {
+  }, "required", "groupId" | "extend" | "status" | "userId" | `extend.${string}` | "role" | "roleIds">, {
     group_id: ["groupId", "_creationTime"];
     group_id_user_id: ["groupId", "userId", "_creationTime"];
     group_id_status: ["groupId", "status", "_creationTime"];
@@ -336,9 +336,9 @@ declare const _default: convex_server66.SchemaDefinition<{
    * invite links where neither is known upfront.
    */
   GroupInvite: convex_server66.TableDefinition<convex_values121.VObject<{
-    email?: string | undefined;
-    extend?: any;
     groupId?: convex_values121.GenericId<"Group"> | undefined;
+    extend?: any;
+    email?: string | undefined;
     role?: string | undefined;
     roleIds?: string[] | undefined;
     invitedByUserId?: convex_values121.GenericId<"User"> | undefined;
@@ -359,7 +359,7 @@ declare const _default: convex_server66.SchemaDefinition<{
     acceptedByUserId: convex_values121.VId<convex_values121.GenericId<"User"> | undefined, "optional">;
     acceptedTime: convex_values121.VFloat64<number | undefined, "optional">;
     extend: convex_values121.VAny<any, "optional", string>;
-  }, "required", "email" | "extend" | "status" | `extend.${string}` | "groupId" | "role" | "roleIds" | "invitedByUserId" | "tokenHash" | "expiresTime" | "acceptedByUserId" | "acceptedTime">, {
+  }, "required", "groupId" | "extend" | "status" | "email" | `extend.${string}` | "role" | "roleIds" | "invitedByUserId" | "tokenHash" | "expiresTime" | "acceptedByUserId" | "acceptedTime">, {
     token_hash: ["tokenHash", "_creationTime"];
     status: ["status", "_creationTime"];
     email_status: ["email", "status", "_creationTime"];
@@ -402,8 +402,8 @@ declare const _default: convex_server66.SchemaDefinition<{
       };
     } | undefined;
     config?: any;
-    status: "draft" | "active" | "disabled";
     groupId: convex_values121.GenericId<"Group">;
+    status: "draft" | "active" | "disabled";
   }, {
     groupId: convex_values121.VId<convex_values121.GenericId<"Group">, "required">;
     slug: convex_values121.VString<string | undefined, "optional">;
@@ -484,7 +484,7 @@ declare const _default: convex_server66.SchemaDefinition<{
     }, "optional", "extend" | `extend.${string}` | "version" | "identity" | "provisioning" | "identity.accountLinking" | "identity.accountLinking.oidc" | "identity.accountLinking.saml" | "provisioning.scimReuse" | "provisioning.jit" | "provisioning.deprovision" | "provisioning.scimReuse.user" | "provisioning.jit.mode" | "provisioning.jit.defaultRole" | "provisioning.jit.defaultRoleIds" | "provisioning.deprovision.mode">;
     config: convex_values121.VAny<any, "optional", string>;
     extend: convex_values121.VAny<any, "optional", string>;
-  }, "required", "extend" | "status" | "name" | `extend.${string}` | "slug" | "groupId" | "policy" | "config" | "policy.extend" | `policy.extend.${string}` | "policy.version" | "policy.identity" | "policy.provisioning" | "policy.identity.accountLinking" | "policy.identity.accountLinking.oidc" | "policy.identity.accountLinking.saml" | "policy.provisioning.scimReuse" | "policy.provisioning.jit" | "policy.provisioning.deprovision" | "policy.provisioning.scimReuse.user" | "policy.provisioning.jit.mode" | "policy.provisioning.jit.defaultRole" | "policy.provisioning.jit.defaultRoleIds" | "policy.provisioning.deprovision.mode" | `config.${string}`>, {
+  }, "required", "groupId" | "extend" | "name" | "slug" | "status" | `extend.${string}` | "policy" | "config" | "policy.extend" | `policy.extend.${string}` | "policy.version" | "policy.identity" | "policy.provisioning" | "policy.identity.accountLinking" | "policy.identity.accountLinking.oidc" | "policy.identity.accountLinking.saml" | "policy.provisioning.scimReuse" | "policy.provisioning.jit" | "policy.provisioning.deprovision" | "policy.provisioning.scimReuse.user" | "policy.provisioning.jit.mode" | "policy.provisioning.jit.defaultRole" | "policy.provisioning.jit.defaultRoleIds" | "policy.provisioning.deprovision.mode" | `config.${string}`>, {
     group_id: ["groupId", "_creationTime"];
     slug: ["slug", "_creationTime"];
     status: ["status", "_creationTime"];
@@ -495,8 +495,8 @@ declare const _default: convex_server66.SchemaDefinition<{
   EnterpriseDomain: convex_server66.TableDefinition<convex_values121.VObject<{
     verifiedAt?: number | undefined;
     groupId: convex_values121.GenericId<"Group">;
-    enterpriseId: convex_values121.GenericId<"Enterprise">;
     domain: string;
+    enterpriseId: convex_values121.GenericId<"Enterprise">;
     isPrimary: boolean;
   }, {
     enterpriseId: convex_values121.VId<convex_values121.GenericId<"Enterprise">, "required">;
@@ -504,7 +504,7 @@ declare const _default: convex_server66.SchemaDefinition<{
     domain: convex_values121.VString<string, "required">;
     isPrimary: convex_values121.VBoolean<boolean, "required">;
     verifiedAt: convex_values121.VFloat64<number | undefined, "optional">;
-  }, "required", "groupId" | "enterpriseId" | "domain" | "isPrimary" | "verifiedAt">, {
+  }, "required", "groupId" | "domain" | "enterpriseId" | "isPrimary" | "verifiedAt">, {
     enterprise_id: ["enterpriseId", "_creationTime"];
     group_id: ["groupId", "_creationTime"];
     domain: ["domain", "_creationTime"];
@@ -513,11 +513,11 @@ declare const _default: convex_server66.SchemaDefinition<{
    * Pending DNS TXT verification challenges for enterprise domains.
    */
   EnterpriseDomainVerification: convex_server66.TableDefinition<convex_values121.VObject<{
-    expiresAt: number;
     groupId: convex_values121.GenericId<"Group">;
+    domain: string;
+    expiresAt: number;
     tokenHash: string;
     enterpriseId: convex_values121.GenericId<"Enterprise">;
-    domain: string;
     domainId: convex_values121.GenericId<"EnterpriseDomain">;
     recordName: string;
     token: string;
@@ -532,7 +532,7 @@ declare const _default: convex_server66.SchemaDefinition<{
     tokenHash: convex_values121.VString<string, "required">;
     requestedAt: convex_values121.VFloat64<number, "required">;
     expiresAt: convex_values121.VFloat64<number, "required">;
-  }, "required", "expiresAt" | "groupId" | "tokenHash" | "enterpriseId" | "domain" | "domainId" | "recordName" | "token" | "requestedAt">, {
+  }, "required", "groupId" | "domain" | "expiresAt" | "tokenHash" | "enterpriseId" | "domainId" | "recordName" | "token" | "requestedAt">, {
     enterprise_id: ["enterpriseId", "_creationTime"];
     domain_id: ["domainId", "_creationTime"];
     token_hash: ["tokenHash", "_creationTime"];
@@ -542,17 +542,17 @@ declare const _default: convex_server66.SchemaDefinition<{
    */
   EnterpriseSecret: convex_server66.TableDefinition<convex_values121.VObject<{
     groupId: convex_values121.GenericId<"Group">;
+    kind: "oidc_client_secret";
     enterpriseId: convex_values121.GenericId<"Enterprise">;
     ciphertext: string;
     updatedAt: number;
-    kind: "oidc_client_secret";
   }, {
     enterpriseId: convex_values121.VId<convex_values121.GenericId<"Enterprise">, "required">;
     groupId: convex_values121.VId<convex_values121.GenericId<"Group">, "required">;
     kind: convex_values121.VUnion<"oidc_client_secret", [convex_values121.VLiteral<"oidc_client_secret", "required">], "required", never>;
     ciphertext: convex_values121.VString<string, "required">;
     updatedAt: convex_values121.VFloat64<number, "required">;
-  }, "required", "groupId" | "enterpriseId" | "ciphertext" | "updatedAt" | "kind">, {
+  }, "required", "groupId" | "kind" | "enterpriseId" | "ciphertext" | "updatedAt">, {
     enterprise_id: ["enterpriseId", "_creationTime"];
     enterprise_id_kind: ["enterpriseId", "kind", "_creationTime"];
     group_id: ["groupId", "_creationTime"];
@@ -563,8 +563,8 @@ declare const _default: convex_server66.SchemaDefinition<{
   EnterpriseScimConfig: convex_server66.TableDefinition<convex_values121.VObject<{
     extend?: any;
     lastRotatedAt?: number | undefined;
-    status: "draft" | "active" | "disabled";
     groupId: convex_values121.GenericId<"Group">;
+    status: "draft" | "active" | "disabled";
     tokenHash: string;
     enterpriseId: convex_values121.GenericId<"Enterprise">;
     basePath: string;
@@ -576,7 +576,7 @@ declare const _default: convex_server66.SchemaDefinition<{
     tokenHash: convex_values121.VString<string, "required">;
     lastRotatedAt: convex_values121.VFloat64<number | undefined, "optional">;
     extend: convex_values121.VAny<any, "optional", string>;
-  }, "required", "extend" | "status" | `extend.${string}` | "groupId" | "tokenHash" | "enterpriseId" | "basePath" | "lastRotatedAt">, {
+  }, "required", "groupId" | "extend" | "status" | `extend.${string}` | "tokenHash" | "enterpriseId" | "basePath" | "lastRotatedAt">, {
     enterprise_id: ["enterpriseId", "_creationTime"];
     group_id: ["groupId", "_creationTime"];
     token_hash: ["tokenHash", "_creationTime"];
@@ -586,26 +586,26 @@ declare const _default: convex_server66.SchemaDefinition<{
    * External SCIM identities mapped into local users/groups.
    */
   EnterpriseScimIdentity: convex_server66.TableDefinition<convex_values121.VObject<{
-    userId?: convex_values121.GenericId<"User"> | undefined;
     active?: boolean | undefined;
+    userId?: convex_values121.GenericId<"User"> | undefined;
     mappedGroupId?: convex_values121.GenericId<"Group"> | undefined;
     lastProvisionedAt?: number | undefined;
     raw?: any;
     groupId: convex_values121.GenericId<"Group">;
     externalId: string;
     enterpriseId: convex_values121.GenericId<"Enterprise">;
-    resourceType: "user" | "group";
+    resourceType: "group" | "user";
   }, {
     enterpriseId: convex_values121.VId<convex_values121.GenericId<"Enterprise">, "required">;
     groupId: convex_values121.VId<convex_values121.GenericId<"Group">, "required">;
-    resourceType: convex_values121.VUnion<"user" | "group", [convex_values121.VLiteral<"user", "required">, convex_values121.VLiteral<"group", "required">], "required", never>;
+    resourceType: convex_values121.VUnion<"group" | "user", [convex_values121.VLiteral<"user", "required">, convex_values121.VLiteral<"group", "required">], "required", never>;
     externalId: convex_values121.VString<string, "required">;
     userId: convex_values121.VId<convex_values121.GenericId<"User"> | undefined, "optional">;
     mappedGroupId: convex_values121.VId<convex_values121.GenericId<"Group"> | undefined, "optional">;
     lastProvisionedAt: convex_values121.VFloat64<number | undefined, "optional">;
     active: convex_values121.VBoolean<boolean | undefined, "optional">;
     raw: convex_values121.VAny<any, "optional", string>;
-  }, "required", "userId" | "groupId" | "active" | "externalId" | "enterpriseId" | "resourceType" | "mappedGroupId" | "lastProvisionedAt" | "raw" | `raw.${string}`>, {
+  }, "required", "groupId" | "active" | "userId" | "externalId" | "enterpriseId" | "resourceType" | "mappedGroupId" | "lastProvisionedAt" | "raw" | `raw.${string}`>, {
     enterprise_id: ["enterpriseId", "_creationTime"];
     group_id: ["groupId", "_creationTime"];
     enterprise_id_resource_type_external_id: ["enterpriseId", "resourceType", "externalId", "_creationTime"];
@@ -622,8 +622,8 @@ declare const _default: convex_server66.SchemaDefinition<{
     requestId?: string | undefined;
     ip?: string | undefined;
     metadata?: any;
-    status: "success" | "failure";
     groupId: convex_values121.GenericId<"Group">;
+    status: "success" | "failure";
     enterpriseId: convex_values121.GenericId<"Enterprise">;
     actorType: "user" | "system" | "scim" | "api_key" | "webhook";
     eventType: string;
@@ -642,7 +642,7 @@ declare const _default: convex_server66.SchemaDefinition<{
     requestId: convex_values121.VString<string | undefined, "optional">;
     ip: convex_values121.VString<string | undefined, "optional">;
     metadata: convex_values121.VAny<any, "optional", string>;
-  }, "required", "status" | "groupId" | "enterpriseId" | "actorType" | "eventType" | "actorId" | "subjectType" | "subjectId" | "occurredAt" | "requestId" | "ip" | "metadata" | `metadata.${string}`>, {
+  }, "required", "groupId" | "status" | "enterpriseId" | "actorType" | "eventType" | "actorId" | "subjectType" | "subjectId" | "occurredAt" | "requestId" | "ip" | "metadata" | `metadata.${string}`>, {
     enterprise_id_occurred_at: ["enterpriseId", "occurredAt", "_creationTime"];
     group_id_occurred_at: ["groupId", "occurredAt", "_creationTime"];
     event_type_occurred_at: ["eventType", "occurredAt", "_creationTime"];
@@ -655,8 +655,8 @@ declare const _default: convex_server66.SchemaDefinition<{
     createdByUserId?: convex_values121.GenericId<"User"> | undefined;
     lastSuccessAt?: number | undefined;
     lastFailureAt?: number | undefined;
-    status: "active" | "disabled";
     groupId: convex_values121.GenericId<"Group">;
+    status: "active" | "disabled";
     enterpriseId: convex_values121.GenericId<"Enterprise">;
     url: string;
     secretHash: string;
@@ -674,7 +674,7 @@ declare const _default: convex_server66.SchemaDefinition<{
     lastFailureAt: convex_values121.VFloat64<number | undefined, "optional">;
     failureCount: convex_values121.VFloat64<number, "required">;
     extend: convex_values121.VAny<any, "optional", string>;
-  }, "required", "extend" | "status" | `extend.${string}` | "groupId" | "enterpriseId" | "url" | "secretHash" | "subscriptions" | "createdByUserId" | "lastSuccessAt" | "lastFailureAt" | "failureCount">, {
+  }, "required", "groupId" | "extend" | "status" | `extend.${string}` | "enterpriseId" | "url" | "secretHash" | "subscriptions" | "createdByUserId" | "lastSuccessAt" | "lastFailureAt" | "failureCount">, {
     enterprise_id: ["enterpriseId", "_creationTime"];
     group_id: ["groupId", "_creationTime"];
     status: ["status", "_creationTime"];
@@ -737,8 +737,8 @@ declare const _default: convex_server66.SchemaDefinition<{
       attemptsLeft: number;
       lastAttemptTime: number;
     } | undefined;
-    userId: convex_values121.GenericId<"User">;
     name: string;
+    userId: convex_values121.GenericId<"User">;
     createdAt: number;
     revoked: boolean;
     prefix: string;
@@ -781,7 +781,7 @@ declare const _default: convex_server66.SchemaDefinition<{
     createdAt: convex_values121.VFloat64<number, "required">; /** Soft-revoke flag. Revoked keys are kept for audit trail. */
     revoked: convex_values121.VBoolean<boolean, "required">; /** Arbitrary app-specific metadata attached to the key. */
     metadata: convex_values121.VAny<any, "optional", string>;
-  }, "required", "userId" | "name" | "createdAt" | "lastUsedAt" | "expiresAt" | "revoked" | "metadata" | `metadata.${string}` | "prefix" | "hashedKey" | "scopes" | "rateLimit" | "rateLimitState" | "rateLimit.maxRequests" | "rateLimit.windowMs" | "rateLimitState.attemptsLeft" | "rateLimitState.lastAttemptTime">, {
+  }, "required", "name" | "userId" | "createdAt" | "lastUsedAt" | "expiresAt" | "revoked" | "metadata" | `metadata.${string}` | "prefix" | "hashedKey" | "scopes" | "rateLimit" | "rateLimitState" | "rateLimit.maxRequests" | "rateLimit.windowMs" | "rateLimitState.attemptsLeft" | "rateLimitState.lastAttemptTime">, {
     user_id: ["userId", "_creationTime"];
     hashed_key: ["hashedKey", "_creationTime"];
   }, {}, {}>;