npm - @robelest/convex-auth - Versions diffs - 0.0.4-preview.22 → 0.0.4-preview.24 - Mend

@robelest/convex-auth 0.0.4-preview.22 → 0.0.4-preview.24

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (314) hide show

package/README.md +10 -11
package/dist/authorization/index.d.ts +1 -1
package/dist/authorization/index.js +1 -1
package/dist/authorization/index.js.map +1 -1
package/dist/client/index.d.ts +1 -2
package/dist/client/index.d.ts.map +1 -1
package/dist/client/index.js +36 -39
package/dist/client/index.js.map +1 -1
package/dist/component/client/index.d.ts +1 -2
package/dist/component/index.js +2 -2
package/dist/component/model.d.ts +9 -9
package/dist/component/model.d.ts.map +1 -1
package/dist/component/public/enterprise/audit.d.ts.map +1 -1
package/dist/component/public/enterprise/audit.js.map +1 -1
package/dist/component/public/enterprise/core.d.ts.map +1 -1
package/dist/component/public/enterprise/core.js.map +1 -1
package/dist/component/public/enterprise/domains.d.ts.map +1 -1
package/dist/component/public/enterprise/domains.js.map +1 -1
package/dist/component/public/enterprise/scim.d.ts.map +1 -1
package/dist/component/public/enterprise/scim.js.map +1 -1
package/dist/component/public/enterprise/secrets.d.ts.map +1 -1
package/dist/component/public/enterprise/secrets.js.map +1 -1
package/dist/component/public/enterprise/webhooks.d.ts.map +1 -1
package/dist/component/public/enterprise/webhooks.js.map +1 -1
package/dist/component/public/factors/devices.d.ts.map +1 -1
package/dist/component/public/factors/devices.js.map +1 -1
package/dist/component/public/factors/passkeys.d.ts.map +1 -1
package/dist/component/public/factors/passkeys.js.map +1 -1
package/dist/component/public/factors/totp.d.ts.map +1 -1
package/dist/component/public/factors/totp.js.map +1 -1
package/dist/component/public/groups/core.js.map +1 -1
package/dist/component/public/groups/invites.d.ts.map +1 -1
package/dist/component/public/groups/invites.js.map +1 -1
package/dist/component/public/groups/members.d.ts.map +1 -1
package/dist/component/public/groups/members.js.map +1 -1
package/dist/component/public/identity/accounts.d.ts.map +1 -1
package/dist/component/public/identity/accounts.js.map +1 -1
package/dist/component/public/identity/codes.d.ts.map +1 -1
package/dist/component/public/identity/codes.js.map +1 -1
package/dist/component/public/identity/sessions.d.ts.map +1 -1
package/dist/component/public/identity/sessions.js.map +1 -1
package/dist/component/public/identity/tokens.d.ts.map +1 -1
package/dist/component/public/identity/tokens.js.map +1 -1
package/dist/component/public/identity/users.d.ts.map +1 -1
package/dist/component/public/identity/users.js.map +1 -1
package/dist/component/public/identity/verifiers.d.ts.map +1 -1
package/dist/component/public/identity/verifiers.js.map +1 -1
package/dist/component/public/security/keys.d.ts.map +1 -1
package/dist/component/public/security/keys.js.map +1 -1
package/dist/component/public/security/limits.d.ts.map +1 -1
package/dist/component/public/security/limits.js.map +1 -1
package/dist/component/schema.d.ts +41 -41
package/dist/component/server/auth.d.ts +127 -130
package/dist/component/server/auth.d.ts.map +1 -1
package/dist/component/server/auth.js +100 -64
package/dist/component/server/auth.js.map +1 -1
package/dist/component/server/context.js +53 -0
package/dist/component/server/context.js.map +1 -0
package/dist/component/server/core.js +113 -250
package/dist/component/server/core.js.map +1 -1
package/dist/component/server/crypto.js +25 -7
package/dist/component/server/crypto.js.map +1 -1
package/dist/component/server/device.js +59 -16
package/dist/component/server/device.js.map +1 -1
package/dist/component/server/enterprise/domain.js +148 -59
package/dist/component/server/enterprise/domain.js.map +1 -1
package/dist/component/server/enterprise/http.js +36 -15
package/dist/component/server/enterprise/http.js.map +1 -1
package/dist/component/server/enterprise/oidc.js +1 -1
package/dist/component/server/http.d.ts +85 -0
package/dist/component/server/http.d.ts.map +1 -0
package/dist/component/server/http.js +85 -22
package/dist/component/server/http.js.map +1 -1
package/dist/component/server/identity.js +5 -2
package/dist/component/server/identity.js.map +1 -1
package/dist/component/server/limits.js +21 -30
package/dist/component/server/limits.js.map +1 -1
package/dist/component/server/mutations/account.js +12 -10
package/dist/component/server/mutations/account.js.map +1 -1
package/dist/component/server/mutations/code.js +5 -2
package/dist/component/server/mutations/code.js.map +1 -1
package/dist/component/server/mutations/invalidate.js +1 -1
package/dist/component/server/mutations/invalidate.js.map +1 -1
package/dist/component/server/mutations/oauth.js +10 -4
package/dist/component/server/mutations/oauth.js.map +1 -1
package/dist/component/server/mutations/refresh.js +2 -2
package/dist/component/server/mutations/refresh.js.map +1 -1
package/dist/component/server/mutations/register.js +46 -42
package/dist/component/server/mutations/register.js.map +1 -1
package/dist/component/server/mutations/retrieve.js +21 -25
package/dist/component/server/mutations/retrieve.js.map +1 -1
package/dist/component/server/mutations/signature.js +10 -4
package/dist/component/server/mutations/signature.js.map +1 -1
package/dist/component/server/mutations/signout.js.map +1 -1
package/dist/component/server/mutations/store.js +9 -24
package/dist/component/server/mutations/store.js.map +1 -1
package/dist/component/server/mutations/verifier.js.map +1 -1
package/dist/component/server/mutations/verify.js +1 -1
package/dist/component/server/mutations/verify.js.map +1 -1
package/dist/component/server/oauth.js +53 -16
package/dist/component/server/oauth.js.map +1 -1
package/dist/component/server/passkey.js +115 -31
package/dist/component/server/passkey.js.map +1 -1
package/dist/component/server/redirects.js +9 -3
package/dist/component/server/redirects.js.map +1 -1
package/dist/component/server/refresh.js +10 -7
package/dist/component/server/refresh.js.map +1 -1
package/dist/component/server/runtime.d.ts +5 -5
package/dist/component/server/runtime.js +156 -113
package/dist/component/server/runtime.js.map +1 -1
package/dist/component/server/signin.js +34 -10
package/dist/component/server/signin.js.map +1 -1
package/dist/component/server/totp.js +79 -19
package/dist/component/server/totp.js.map +1 -1
package/dist/component/server/types.d.ts +12 -20
package/dist/component/server/types.d.ts.map +1 -1
package/dist/component/server/types.js.map +1 -1
package/dist/component/server/users.js +6 -3
package/dist/component/server/users.js.map +1 -1
package/dist/component/server/utils.js +10 -4
package/dist/component/server/utils.js.map +1 -1
package/dist/core/types.d.ts +14 -22
package/dist/core/types.d.ts.map +1 -1
package/dist/factors/device.js +8 -9
package/dist/factors/device.js.map +1 -1
package/dist/factors/passkey.js +18 -21
package/dist/factors/passkey.js.map +1 -1
package/dist/providers/password.js +66 -81
package/dist/providers/password.js.map +1 -1
package/dist/runtime/invite.js +2 -8
package/dist/runtime/invite.js.map +1 -1
package/dist/server/auth.d.ts +127 -130
package/dist/server/auth.d.ts.map +1 -1
package/dist/server/auth.js +100 -64
package/dist/server/auth.js.map +1 -1
package/dist/server/context.d.ts +1 -0
package/dist/server/context.js +53 -0
package/dist/server/context.js.map +1 -0
package/dist/server/core.d.ts +74 -195
package/dist/server/core.d.ts.map +1 -1
package/dist/server/core.js +113 -250
package/dist/server/core.js.map +1 -1
package/dist/server/crypto.d.ts.map +1 -1
package/dist/server/crypto.js +25 -7
package/dist/server/crypto.js.map +1 -1
package/dist/server/device.js +59 -16
package/dist/server/device.js.map +1 -1
package/dist/server/enterprise/domain.d.ts +0 -8
package/dist/server/enterprise/domain.d.ts.map +1 -1
package/dist/server/enterprise/domain.js +148 -59
package/dist/server/enterprise/domain.js.map +1 -1
package/dist/server/enterprise/http.d.ts.map +1 -1
package/dist/server/enterprise/http.js +35 -14
package/dist/server/enterprise/http.js.map +1 -1
package/dist/server/http.d.ts +81 -3
package/dist/server/http.d.ts.map +1 -1
package/dist/server/http.js +84 -21
package/dist/server/http.js.map +1 -1
package/dist/server/identity.js +5 -2
package/dist/server/identity.js.map +1 -1
package/dist/server/index.d.ts +3 -2
package/dist/server/index.js +2 -2
package/dist/server/limits.js +21 -30
package/dist/server/limits.js.map +1 -1
package/dist/server/mounts.d.ts +25 -63
package/dist/server/mounts.d.ts.map +1 -1
package/dist/server/mounts.js +46 -107
package/dist/server/mounts.js.map +1 -1
package/dist/server/mutations/account.d.ts +8 -9
package/dist/server/mutations/account.d.ts.map +1 -1
package/dist/server/mutations/account.js +11 -9
package/dist/server/mutations/account.js.map +1 -1
package/dist/server/mutations/code.d.ts +12 -12
package/dist/server/mutations/code.d.ts.map +1 -1
package/dist/server/mutations/code.js +5 -2
package/dist/server/mutations/code.js.map +1 -1
package/dist/server/mutations/invalidate.d.ts +4 -4
package/dist/server/mutations/invalidate.d.ts.map +1 -1
package/dist/server/mutations/invalidate.js.map +1 -1
package/dist/server/mutations/oauth.d.ts +14 -12
package/dist/server/mutations/oauth.d.ts.map +1 -1
package/dist/server/mutations/oauth.js +9 -3
package/dist/server/mutations/oauth.js.map +1 -1
package/dist/server/mutations/refresh.d.ts +3 -3
package/dist/server/mutations/refresh.d.ts.map +1 -1
package/dist/server/mutations/refresh.js +1 -1
package/dist/server/mutations/refresh.js.map +1 -1
package/dist/server/mutations/register.d.ts +11 -11
package/dist/server/mutations/register.d.ts.map +1 -1
package/dist/server/mutations/register.js +45 -41
package/dist/server/mutations/register.js.map +1 -1
package/dist/server/mutations/retrieve.d.ts +6 -6
package/dist/server/mutations/retrieve.d.ts.map +1 -1
package/dist/server/mutations/retrieve.js +20 -24
package/dist/server/mutations/retrieve.js.map +1 -1
package/dist/server/mutations/signature.d.ts +6 -7
package/dist/server/mutations/signature.d.ts.map +1 -1
package/dist/server/mutations/signature.js +9 -3
package/dist/server/mutations/signature.js.map +1 -1
package/dist/server/mutations/signin.d.ts +5 -5
package/dist/server/mutations/signout.js.map +1 -1
package/dist/server/mutations/store.d.ts +83 -83
package/dist/server/mutations/store.js +8 -23
package/dist/server/mutations/store.js.map +1 -1
package/dist/server/mutations/verifier.js.map +1 -1
package/dist/server/mutations/verify.d.ts +7 -7
package/dist/server/mutations/verify.d.ts.map +1 -1
package/dist/server/mutations/verify.js.map +1 -1
package/dist/server/oauth.js +53 -16
package/dist/server/oauth.js.map +1 -1
package/dist/server/passkey.d.ts +2 -2
package/dist/server/passkey.d.ts.map +1 -1
package/dist/server/passkey.js +114 -30
package/dist/server/passkey.js.map +1 -1
package/dist/server/redirects.js +9 -3
package/dist/server/redirects.js.map +1 -1
package/dist/server/refresh.js +10 -7
package/dist/server/refresh.js.map +1 -1
package/dist/server/runtime.d.ts +11 -11
package/dist/server/runtime.js +155 -112
package/dist/server/runtime.js.map +1 -1
package/dist/server/signin.js +34 -10
package/dist/server/signin.js.map +1 -1
package/dist/server/ssr.d.ts.map +1 -1
package/dist/server/ssr.js +175 -184
package/dist/server/ssr.js.map +1 -1
package/dist/server/totp.js +78 -18
package/dist/server/totp.js.map +1 -1
package/dist/server/types.d.ts +13 -21
package/dist/server/types.d.ts.map +1 -1
package/dist/server/types.js.map +1 -1
package/dist/server/users.js +6 -3
package/dist/server/users.js.map +1 -1
package/dist/server/utils.js +10 -4
package/dist/server/utils.js.map +1 -1
package/package.json +1 -5
package/src/authorization/index.ts +1 -1
package/src/client/core/types.ts +14 -14
package/src/client/factors/device.ts +10 -12
package/src/client/factors/passkey.ts +23 -26
package/src/client/index.ts +54 -64
package/src/client/runtime/invite.ts +5 -7
package/src/component/index.ts +9 -3
package/src/component/public/enterprise/audit.ts +6 -1
package/src/component/public/enterprise/core.ts +1 -0
package/src/component/public/enterprise/domains.ts +5 -1
package/src/component/public/enterprise/scim.ts +1 -0
package/src/component/public/enterprise/secrets.ts +1 -0
package/src/component/public/enterprise/webhooks.ts +1 -0
package/src/component/public/factors/devices.ts +1 -0
package/src/component/public/factors/passkeys.ts +1 -0
package/src/component/public/factors/totp.ts +1 -0
package/src/component/public/groups/core.ts +1 -1
package/src/component/public/groups/invites.ts +7 -1
package/src/component/public/groups/members.ts +1 -0
package/src/component/public/identity/accounts.ts +1 -0
package/src/component/public/identity/codes.ts +1 -0
package/src/component/public/identity/sessions.ts +1 -0
package/src/component/public/identity/tokens.ts +1 -0
package/src/component/public/identity/users.ts +1 -0
package/src/component/public/identity/verifiers.ts +1 -0
package/src/component/public/security/keys.ts +1 -0
package/src/component/public/security/limits.ts +1 -0
package/src/providers/password.ts +89 -110
package/src/server/auth.ts +240 -182
package/src/server/context.ts +90 -0
package/src/server/core.ts +195 -286
package/src/server/crypto.ts +31 -29
package/src/server/device.ts +65 -32
package/src/server/enterprise/domain.ts +158 -170
package/src/server/enterprise/http.ts +46 -39
package/src/server/http.ts +289 -30
package/src/server/identity.ts +5 -5
package/src/server/index.ts +9 -3
package/src/server/limits.ts +53 -80
package/src/server/mounts.ts +56 -80
package/src/server/mutations/account.ts +22 -36
package/src/server/mutations/code.ts +6 -6
package/src/server/mutations/invalidate.ts +1 -1
package/src/server/mutations/oauth.ts +14 -8
package/src/server/mutations/refresh.ts +5 -4
package/src/server/mutations/register.ts +87 -132
package/src/server/mutations/retrieve.ts +44 -44
package/src/server/mutations/signature.ts +13 -6
package/src/server/mutations/signout.ts +1 -1
package/src/server/mutations/store.ts +16 -31
package/src/server/mutations/verifier.ts +1 -1
package/src/server/mutations/verify.ts +3 -5
package/src/server/oauth.ts +60 -69
package/src/server/passkey.ts +567 -517
package/src/server/redirects.ts +10 -6
package/src/server/refresh.ts +14 -18
package/src/server/runtime.ts +340 -302
package/src/server/signin.ts +44 -37
package/src/server/ssr.ts +390 -407
package/src/server/totp.ts +85 -35
package/src/server/types.ts +19 -22
package/src/server/users.ts +7 -6
package/src/server/utils.ts +10 -12
package/dist/component/server/authError.js +0 -34
package/dist/component/server/authError.js.map +0 -1
package/dist/component/server/errors.d.ts +0 -1
package/dist/component/server/errors.js +0 -137
package/dist/component/server/errors.js.map +0 -1
package/dist/server/authError.d.ts +0 -46
package/dist/server/authError.d.ts.map +0 -1
package/dist/server/authError.js +0 -34
package/dist/server/authError.js.map +0 -1
package/dist/server/errors.d.ts +0 -177
package/dist/server/errors.d.ts.map +0 -1
package/dist/server/errors.js +0 -212
package/dist/server/errors.js.map +0 -1
package/src/server/authError.ts +0 -44
package/src/server/errors.ts +0 -290

package/dist/component/server/core.js CHANGED Viewed

@@ -1,7 +1,9 @@
+import { getSessionUserId } from "./context.js";
+import { materializeProvider } from "./config.js";
 import { TOKEN_SUB_CLAIM_DIVIDER, generateRandomString, sha256 } from "./utils.js";
 import { buildScopeChecker, checkKeyRateLimit, generateApiKey, hashApiKey } from "./keys.js";
-import { materializeProvider } from "./config.js";
 import { signInImpl } from "./signin.js";
+import { Cv } from "@robelest/fx/convex";
 //#region src/server/core.ts
 /**
@@ -26,14 +28,12 @@ function createCoreDomains(deps) {
 	const normalizeRoleIds = (roleIds) => {
 		const normalized = Array.from(new Set(roleIds ?? []));
 		const invalid = normalized.filter((id) => getRoleDefinition(id) === null);
-		if (invalid.length > 0) return {
-			ok: false,
+		if (invalid.length > 0) throw Cv.error({
+			code: "INVALID_ROLE_IDS",
+			message: "One or more role IDs are invalid.",
 			invalidRoleIds: invalid
-		};
-		return {
-			ok: true,
-			roleIds: normalized
-		};
+		});
+		return normalized;
 	};
 	const listAllKeysByUser = async (ctx, userId) => {
 		const items = [];
@@ -81,23 +81,6 @@ function createCoreDomains(deps) {
 		return ctx[AUTH_CACHE];
 	}
 	const user = {
-		id: async (ctx, request) => {
-			const identity = await ctx.auth.getUserIdentity();
-			if (identity !== null) {
-				const [userId] = identity.subject.split(TOKEN_SUB_CLAIM_DIVIDER);
-				return userId;
-			}
-			if (request !== void 0 && "runMutation" in ctx && ctx.runMutation) {
-				const authHeader = request.headers.get("Authorization");
-				if (authHeader?.startsWith("Bearer sk_")) {
-					const rawKey = authHeader.slice(7);
-					const result = await getAuth().key.verify(ctx, rawKey);
-					if (result.ok) return result.userId;
-					return null;
-				}
-			}
-			return null;
-		},
 		get: async (ctx, userId) => {
 			const c = cache(ctx);
 			if (c.users.has(userId)) return c.users.get(userId);
@@ -109,7 +92,7 @@ function createCoreDomains(deps) {
 			return await ctx.runQuery(config.component.public.userList, opts);
 		},
 		viewer: async (ctx) => {
-			const userId = await user.id(ctx);
+			const userId = await getSessionUserId(ctx);
 			if (userId === null) return null;
 			return await user.get(ctx, userId);
 		},
@@ -118,10 +101,7 @@ function createCoreDomains(deps) {
 				userId,
 				data
 			});
-			return {
-				ok: true,
-				userId
-			};
+			return { userId };
 		},
 		setActiveGroup: async (ctx, opts) => {
 			const doc = await user.get(ctx, opts.userId);
@@ -130,7 +110,6 @@ function createCoreDomains(deps) {
 				const { lastActiveGroup: _omit, ...rest } = existingExtend;
 				await user.update(ctx, opts.userId, { extend: rest });
 				return {
-					ok: true,
 					userId: opts.userId,
 					groupId: null
 				};
@@ -140,7 +119,6 @@ function createCoreDomains(deps) {
 				lastActiveGroup: opts.groupId
 			} });
 			return {
-				ok: true,
 				userId: opts.userId,
 				groupId: opts.groupId
 			};
@@ -164,10 +142,10 @@ function createCoreDomains(deps) {
 				ctx.runQuery(config.component.public.totpListByUserId, { userId })
 			]);
 			const totalLinked = sessions.length + accounts.length + keys.length + members.length + passkeys.length + totps.length;
-			if (!cascade && totalLinked > 0) return {
-				ok: false,
-				code: "INVALID_PARAMETERS"
-			};
+			if (!cascade && totalLinked > 0) throw Cv.error({
+				code: "INVALID_PARAMETERS",
+				message: "The provided parameters are invalid."
+			});
 			const deletions = [];
 			for (const s of sessions) deletions.push(ctx.runMutation(config.component.public.sessionDelete, { sessionId: s._id }));
 			for (const a of accounts) deletions.push(ctx.runMutation(config.component.public.accountDelete, { accountId: a._id }));
@@ -177,10 +155,7 @@ function createCoreDomains(deps) {
 			for (const t of totps) deletions.push(ctx.runMutation(config.component.public.totpDelete, { totpId: t._id }));
 			await Promise.all(deletions);
 			await ctx.runMutation(config.component.public.userDelete, { userId });
-			return {
-				ok: true,
-				userId
-			};
+			return { userId };
 		}
 	};
 	const session = {
@@ -193,7 +168,6 @@ function createCoreDomains(deps) {
 		invalidate: async (ctx, args) => {
 			await callInvalidateSessions(ctx, args);
 			return {
-				ok: true,
 				userId: args.userId,
 				except: args.except ?? []
 			};
@@ -207,10 +181,7 @@ function createCoreDomains(deps) {
 	};
 	const account = {
 		create: async (ctx, args) => {
-			return {
-				ok: true,
-				...await callCreateAccountFromCredentials(ctx, args)
-			};
+			return { ...await callCreateAccountFromCredentials(ctx, args) };
 		},
 		get: async (ctx, args) => {
 			const result = await callRetrieveAccountWithCredentials(ctx, args);
@@ -219,26 +190,20 @@ function createCoreDomains(deps) {
 		},
 		update: async (ctx, args) => {
 			await callModifyAccount(ctx, args);
-			return {
-				ok: true,
-				accountId: args.account.id
-			};
+			return { accountId: args.account.id };
 		},
 		delete: async (ctx, accountId) => {
 			const doc = await ctx.runQuery(config.component.public.accountGetById, { accountId });
-			if (doc === null) return {
-				ok: false,
-				code: "ACCOUNT_NOT_FOUND"
-			};
-			if ((await ctx.runQuery(config.component.public.accountListByUser, { userId: doc.userId })).length <= 1) return {
-				ok: false,
-				code: "INVALID_PARAMETERS"
-			};
+			if (doc === null) throw Cv.error({
+				code: "ACCOUNT_NOT_FOUND",
+				message: "Account not found."
+			});
+			if ((await ctx.runQuery(config.component.public.accountListByUser, { userId: doc.userId })).length <= 1) throw Cv.error({
+				code: "INVALID_PARAMETERS",
+				message: "The provided parameters are invalid."
+			});
 			await ctx.runMutation(config.component.public.accountDelete, { accountId });
-			return {
-				ok: true,
-				accountId
-			};
+			return { accountId };
 		},
 		listPasskeys: async (ctx, opts) => {
 			return await ctx.runQuery(config.component.public.passkeyListByUserId, opts);
@@ -248,27 +213,18 @@ function createCoreDomains(deps) {
 				passkeyId,
 				data: { name }
 			});
-			return {
-				ok: true,
-				passkeyId
-			};
+			return { passkeyId };
 		},
 		deletePasskey: async (ctx, passkeyId) => {
 			await ctx.runMutation(config.component.public.passkeyDelete, { passkeyId });
-			return {
-				ok: true,
-				passkeyId
-			};
+			return { passkeyId };
 		},
 		listTotps: async (ctx, opts) => {
 			return await ctx.runQuery(config.component.public.totpListByUserId, opts);
 		},
 		deleteTotp: async (ctx, totpId) => {
 			await ctx.runMutation(config.component.public.totpDelete, { totpId });
-			return {
-				ok: true,
-				totpId
-			};
+			return { totpId };
 		}
 	};
 	const provider = { signIn: async (ctx, providerConfig, args) => {
@@ -283,10 +239,7 @@ function createCoreDomains(deps) {
 	} };
 	const group = {
 		create: async (ctx, data) => {
-			return {
-				ok: true,
-				groupId: await ctx.runMutation(config.component.public.groupCreate, data)
-			};
+			return { groupId: await ctx.runMutation(config.component.public.groupCreate, data) };
 		},
 		get: async (ctx, groupId) => {
 			const c = cache(ctx);
@@ -309,17 +262,11 @@ function createCoreDomains(deps) {
 				groupId,
 				data
 			});
-			return {
-				ok: true,
-				groupId
-			};
+			return { groupId };
 		},
 		delete: async (ctx, groupId) => {
 			await ctx.runMutation(config.component.public.groupDelete, { groupId });
-			return {
-				ok: true,
-				groupId
-			};
+			return { groupId };
 		},
 		ancestors: async (ctx, opts) => {
 			const maxDepth = Math.max(0, Math.floor(opts.maxDepth ?? 32));
@@ -362,19 +309,11 @@ function createCoreDomains(deps) {
 	};
 	const member = {
 		create: async (ctx, data) => {
-			const normalized = normalizeRoleIds(data.roleIds);
-			if (!normalized.ok) return {
-				ok: false,
-				code: "INVALID_ROLE_IDS",
-				invalidRoleIds: normalized.invalidRoleIds
-			};
-			return {
-				ok: true,
-				memberId: await ctx.runMutation(config.component.public.memberAdd, {
-					...data,
-					roleIds: normalized.roleIds
-				})
-			};
+			const roleIds = normalizeRoleIds(data.roleIds);
+			return { memberId: await ctx.runMutation(config.component.public.memberAdd, {
+				...data,
+				roleIds
+			}) };
 		},
 		get: async (ctx, memberId) => {
 			return await ctx.runQuery(config.component.public.memberGet, { memberId });
@@ -390,137 +329,84 @@ function createCoreDomains(deps) {
 		},
 		delete: async (ctx, memberId) => {
 			await ctx.runMutation(config.component.public.memberRemove, { memberId });
-			return {
-				ok: true,
-				memberId
-			};
+			return { memberId };
 		},
 		update: async (ctx, memberId, data) => {
 			const nextData = { ...data };
-			if ("roleIds" in nextData) {
-				const normalized = normalizeRoleIds(Array.isArray(nextData.roleIds) ? nextData.roleIds : void 0);
-				if (!normalized.ok) return {
-					ok: false,
-					code: "INVALID_ROLE_IDS",
-					invalidRoleIds: normalized.invalidRoleIds
-				};
-				nextData.roleIds = normalized.roleIds;
-			}
+			if ("roleIds" in nextData) nextData.roleIds = normalizeRoleIds(Array.isArray(nextData.roleIds) ? nextData.roleIds : void 0);
 			await ctx.runMutation(config.component.public.memberUpdate, {
 				memberId,
 				data: nextData
 			});
-			return {
-				ok: true,
-				memberId
-			};
+			return { memberId };
 		},
-		resolve: async (ctx, opts) => {
-			const normalized = normalizeRoleIds(opts.roleIds);
-			if (!normalized.ok) return {
-				ok: false,
-				membership: null,
-				matchedGroupId: null,
-				roleIds: [],
-				grants: [],
-				missingGrants: Array.from(new Set(opts.grants ?? [])),
-				depth: null,
-				isDirect: false,
-				isInherited: false,
-				traversedGroupIds: [],
-				code: "INVALID_ROLE_IDS",
-				invalidRoleIds: normalized.invalidRoleIds
-			};
-			const requestedRoleIds = normalized.roleIds;
-			const roleFilter = requestedRoleIds.length > 0 ? new Set(requestedRoleIds) : null;
-			const requiredGrants = Array.from(new Set(opts.grants ?? []));
+		inspect: async (ctx, opts) => {
 			const useAncestry = opts.ancestry === true;
 			let membership = null;
-			let matchedGroupId = null;
-			let depth = null;
-			let isDirect = false;
-			let isInherited = false;
-			let traversedGroupIds = [];
 			if (useAncestry) {
 				const maxDepth = Math.max(0, Math.floor(opts.maxDepth ?? 32));
-				const result = await ctx.runQuery(config.component.public.memberResolve, {
+				membership = (await ctx.runQuery(config.component.public.memberResolve, {
 					userId: opts.userId,
 					groupId: opts.groupId,
 					maxDepth,
 					ancestry: true
-				});
-				membership = result.membership;
-				matchedGroupId = result.matchedGroupId;
-				depth = result.depth;
-				isDirect = result.isDirect;
-				isInherited = result.isInherited;
-				traversedGroupIds = result.traversedGroupIds ?? [];
-			} else {
-				const doc = await ctx.runQuery(config.component.public.memberGetByGroupAndUser, {
-					userId: opts.userId,
-					groupId: opts.groupId
-				});
-				membership = doc;
-				matchedGroupId = doc ? opts.groupId : null;
-				depth = doc ? 0 : null;
-				isDirect = doc !== null;
-			}
+				})).membership;
+			} else membership = await ctx.runQuery(config.component.public.memberGetByGroupAndUser, {
+				userId: opts.userId,
+				groupId: opts.groupId
+			});
 			if (membership === null) return {
-				ok: false,
 				membership: null,
-				matchedGroupId: null,
 				roleIds: [],
-				grants: [],
-				missingGrants: requiredGrants,
-				depth: null,
-				isDirect: false,
-				isInherited: false,
-				traversedGroupIds
+				grants: []
 			};
 			const membershipRoleIds = membership.roleIds ?? [];
 			const membershipGrants = resolveGrantedPermissions(membershipRoleIds);
-			if (roleFilter !== null && !membershipRoleIds.some((roleId) => roleFilter.has(roleId))) return {
-				ok: false,
-				membership: null,
-				matchedGroupId: null,
-				roleIds: [],
-				grants: [],
-				missingGrants: requiredGrants,
-				depth: null,
-				isDirect: false,
-				isInherited: false,
-				traversedGroupIds
-			};
-			const missingGrants = requiredGrants.filter((grant) => !membershipGrants.includes(grant));
 			return {
-				ok: missingGrants.length === 0,
 				membership,
-				matchedGroupId,
 				roleIds: membershipRoleIds,
-				grants: membershipGrants,
-				missingGrants,
-				depth,
-				isDirect,
-				isInherited,
-				traversedGroupIds
+				grants: membershipGrants
 			};
+		},
+		require: async (ctx, opts) => {
+			const validatedRoleIds = normalizeRoleIds(opts.roleIds);
+			const requiredGrants = Array.from(new Set(opts.grants ?? []));
+			const roleFilter = validatedRoleIds.length > 0 ? new Set(validatedRoleIds) : null;
+			const result = await member.inspect(ctx, {
+				userId: opts.userId,
+				groupId: opts.groupId,
+				ancestry: opts.ancestry,
+				maxDepth: opts.maxDepth
+			});
+			if (result.membership === null) throw Cv.error({
+				code: "NOT_A_MEMBER",
+				message: "User is not a member of this group.",
+				groupId: opts.groupId
+			});
+			if (roleFilter !== null && !result.roleIds.some((roleId) => roleFilter.has(roleId))) throw Cv.error({
+				code: "NOT_A_MEMBER",
+				message: "User is not a member of this group.",
+				groupId: opts.groupId
+			});
+			const missingGrants = requiredGrants.filter((grant) => !result.grants.includes(grant));
+			if (missingGrants.length > 0) throw Cv.error({
+				code: "MISSING_GRANTS",
+				message: "User is missing required grants.",
+				groupId: opts.groupId,
+				missingGrants
+			});
+			return result;
 		}
 	};
 	const invite = {
 		create: async (ctx, data) => {
-			const normalized = normalizeRoleIds(data.roleIds);
-			if (!normalized.ok) return {
-				ok: false,
-				code: "INVALID_ROLE_IDS",
-				invalidRoleIds: normalized.invalidRoleIds
-			};
+			const roleIds = normalizeRoleIds(data.roleIds);
 			const token = generateRandomString(inviteTokenLength, inviteTokenAlphabet);
 			const tokenHash = await sha256(token);
 			return {
-				ok: true,
 				inviteId: await ctx.runMutation(config.component.public.inviteCreate, {
 					...data,
-					roleIds: normalized.roleIds,
+					roleIds,
 					tokenHash,
 					status: "pending"
 				}),
@@ -537,13 +423,10 @@ function createCoreDomains(deps) {
 			},
 			accept: async (ctx, args) => {
 				const tokenHash = await sha256(args.token);
-				return {
-					ok: true,
-					...await ctx.runMutation(config.component.public.inviteAcceptByToken, {
-						tokenHash,
-						acceptedByUserId: args.acceptedByUserId
-					})
-				};
+				return { ...await ctx.runMutation(config.component.public.inviteAcceptByToken, {
+					tokenHash,
+					acceptedByUserId: args.acceptedByUserId
+				}) };
 			}
 		},
 		list: async (ctx, opts) => {
@@ -561,24 +444,19 @@ function createCoreDomains(deps) {
 				...acceptedByUserId ? { acceptedByUserId } : {}
 			});
 			return {
-				ok: true,
 				inviteId,
 				acceptedByUserId: acceptedByUserId ?? null
 			};
 		},
 		revoke: async (ctx, inviteId) => {
 			await ctx.runMutation(config.component.public.inviteRevoke, { inviteId });
-			return {
-				ok: true,
-				inviteId
-			};
+			return { inviteId };
 		}
 	};
 	const key = {
 		create: async (ctx, opts) => {
 			const { raw, hashedKey, displayPrefix } = await generateApiKey("sk_");
 			return {
-				ok: true,
 				keyId: await ctx.runMutation(config.component.public.keyInsert, {
 					userId: opts.userId,
 					prefix: displayPrefix,
@@ -595,26 +473,26 @@ function createCoreDomains(deps) {
 		verify: async (ctx, rawKey) => {
 			const hashedKey = await hashApiKey(rawKey);
 			const doc = await ctx.runQuery(config.component.public.keyGetByHashedKey, { hashedKey });
-			if (!doc) return {
-				ok: false,
-				code: "INVALID_API_KEY"
-			};
+			if (!doc) throw Cv.error({
+				code: "INVALID_API_KEY",
+				message: "Invalid API key."
+			});
 			const k = doc;
-			if (k.revoked) return {
-				ok: false,
-				code: "API_KEY_REVOKED"
-			};
-			if (k.expiresAt && k.expiresAt < Date.now()) return {
-				ok: false,
-				code: "API_KEY_EXPIRED"
-			};
+			if (k.revoked) throw Cv.error({
+				code: "API_KEY_REVOKED",
+				message: "This API key has been revoked."
+			});
+			if (k.expiresAt && k.expiresAt < Date.now()) throw Cv.error({
+				code: "API_KEY_EXPIRED",
+				message: "This API key has expired."
+			});
 			const patchData = { lastUsedAt: Date.now() };
 			if (k.rateLimit) {
 				const { limited, newState } = checkKeyRateLimit(k.rateLimit, k.rateLimitState ?? void 0);
-				if (limited) return {
-					ok: false,
-					code: "API_KEY_RATE_LIMITED"
-				};
+				if (limited) throw Cv.error({
+					code: "API_KEY_RATE_LIMITED",
+					message: "API key rate limit exceeded. Please try again later."
+				});
 				patchData.rateLimitState = newState;
 			}
 			await ctx.runMutation(config.component.public.keyPatch, {
@@ -622,7 +500,6 @@ function createCoreDomains(deps) {
 				data: patchData
 			});
 			return {
-				ok: true,
 				userId: k.userId,
 				keyId: k._id,
 				scopes: buildScopeChecker(k.scopes)
@@ -638,50 +515,36 @@ function createCoreDomains(deps) {
 			});
 		},
 		get: async (ctx, keyId) => {
-			const doc = await ctx.runQuery(config.component.public.keyGetById, { keyId });
-			if (!doc) return { ok: false };
-			return {
-				ok: true,
-				key: doc
-			};
+			return await ctx.runQuery(config.component.public.keyGetById, { keyId }) ?? null;
 		},
 		update: async (ctx, keyId, data) => {
 			await ctx.runMutation(config.component.public.keyPatch, {
 				keyId,
 				data
 			});
-			return {
-				ok: true,
-				keyId
-			};
+			return { keyId };
 		},
 		revoke: async (ctx, keyId) => {
 			await ctx.runMutation(config.component.public.keyPatch, {
 				keyId,
 				data: { revoked: true }
 			});
-			return {
-				ok: true,
-				keyId
-			};
+			return { keyId };
 		},
 		delete: async (ctx, keyId) => {
 			await ctx.runMutation(config.component.public.keyDelete, { keyId });
-			return {
-				ok: true,
-				keyId
-			};
+			return { keyId };
 		},
 		rotate: async (ctx, keyId, opts) => {
 			const existing = await ctx.runQuery(config.component.public.keyGetById, { keyId });
-			if (!existing) return {
-				ok: false,
-				code: "INVALID_PARAMETERS"
-			};
-			if (existing.revoked === true) return {
-				ok: false,
-				code: "API_KEY_REVOKED"
-			};
+			if (!existing) throw Cv.error({
+				code: "INVALID_PARAMETERS",
+				message: "The provided parameters are invalid."
+			});
+			if (existing.revoked === true) throw Cv.error({
+				code: "API_KEY_REVOKED",
+				message: "This API key has been revoked."
+			});
 			await ctx.runMutation(config.component.public.keyPatch, {
 				keyId,
 				data: { revoked: true }