@robelest/convex-auth 0.0.4-preview.25 → 0.0.4-preview.28

Files changed (666)
  1. package/README.md +43 -36
  2. package/dist/bin.js +5765 -4880
  3. package/dist/browser/index.d.ts +30 -0
  4. package/dist/browser/index.js +93 -0
  5. package/dist/browser/locks.js +11 -0
  6. package/dist/browser/navigation.js +14 -0
  7. package/dist/{factors → browser}/passkey.js +23 -32
  8. package/dist/browser/runtime.js +92 -0
  9. package/dist/client/core/types.d.ts +452 -5
  10. package/dist/client/core/types.js +17 -0
  11. package/dist/client/errors.js +19 -0
  12. package/dist/client/factors/device.js +94 -0
  13. package/dist/{factors → client/factors}/totp.js +12 -4
  14. package/dist/client/index.d.ts +47 -1
  15. package/dist/client/index.js +269 -232
  16. package/dist/client/runtime/mutex.js +24 -0
  17. package/dist/client/runtime/proxy.js +30 -0
  18. package/dist/client/runtime/storage.js +45 -0
  19. package/dist/client/services/adapters.js +7 -0
  20. package/dist/client/services/http.js +6 -0
  21. package/dist/client/services/resolve.js +13 -0
  22. package/dist/client/services/runtime.js +6 -0
  23. package/dist/component/_generated/component.d.ts +1355 -1399
  24. package/dist/component/convex.config.d.ts +2 -2
  25. package/dist/component/index.d.ts +4 -26
  26. package/dist/component/index.js +1 -1
  27. package/dist/component/model.d.ts +26 -112
  28. package/dist/component/model.js +76 -54
  29. package/dist/component/modules.js +38 -0
  30. package/dist/component/public/factors/devices.js +1 -1
  31. package/dist/component/public/factors/passkeys.js +1 -1
  32. package/dist/component/public/factors/totp.js +1 -1
  33. package/dist/component/public/groups/core.js +2 -2
  34. package/dist/component/public/groups/invites.js +1 -1
  35. package/dist/component/public/groups/members.js +1 -1
  36. package/dist/component/public/identity/accounts.js +1 -1
  37. package/dist/component/public/identity/codes.js +1 -1
  38. package/dist/component/public/identity/sessions.js +39 -2
  39. package/dist/component/public/identity/tokens.js +82 -4
  40. package/dist/component/public/identity/users.js +1 -1
  41. package/dist/component/public/identity/verifiers.js +10 -4
  42. package/dist/component/public/security/keys.js +1 -1
  43. package/dist/component/public/security/limits.js +1 -1
  44. package/dist/component/public/{enterprise → sso}/audit.js +26 -26
  45. package/dist/component/public/sso/core.js +263 -0
  46. package/dist/component/public/sso/domains.js +280 -0
  47. package/dist/component/public/{enterprise → sso}/scim.js +87 -87
  48. package/dist/component/public/sso/secrets.js +125 -0
  49. package/dist/component/public/{enterprise → sso}/webhooks.js +59 -59
  50. package/dist/component/public.js +9 -9
  51. package/dist/component/schema.d.ts +472 -393
  52. package/dist/component/schema.js +36 -35
  53. package/dist/core/index.d.ts +380 -0
  54. package/dist/core/index.js +83 -0
  55. package/dist/otel.d.ts +69 -0
  56. package/dist/otel.js +82 -0
  57. package/dist/providers/anonymous.d.ts +15 -34
  58. package/dist/providers/anonymous.js +27 -35
  59. package/dist/providers/apple.d.ts +59 -0
  60. package/dist/providers/apple.js +58 -0
  61. package/dist/providers/credentials.d.ts +18 -34
  62. package/dist/providers/credentials.js +16 -27
  63. package/dist/providers/custom.d.ts +94 -0
  64. package/dist/providers/custom.js +119 -0
  65. package/dist/providers/device.d.ts +15 -49
  66. package/dist/providers/device.js +17 -34
  67. package/dist/providers/email.d.ts +21 -38
  68. package/dist/providers/email.js +36 -55
  69. package/dist/providers/github.d.ts +54 -0
  70. package/dist/providers/github.js +75 -0
  71. package/dist/providers/google.d.ts +54 -0
  72. package/dist/providers/google.js +61 -0
  73. package/dist/providers/index.d.ts +16 -12
  74. package/dist/providers/index.js +15 -11
  75. package/dist/providers/microsoft.d.ts +57 -0
  76. package/dist/providers/microsoft.js +101 -0
  77. package/dist/providers/passkey.d.ts +19 -35
  78. package/dist/providers/passkey.js +20 -30
  79. package/dist/providers/password.d.ts +17 -18
  80. package/dist/providers/password.js +121 -143
  81. package/dist/providers/phone.d.ts +13 -28
  82. package/dist/providers/phone.js +21 -46
  83. package/dist/providers/sso.d.ts +16 -36
  84. package/dist/providers/sso.js +21 -22
  85. package/dist/providers/totp.d.ts +13 -29
  86. package/dist/providers/totp.js +17 -27
  87. package/dist/server/auth-context.d.ts +204 -0
  88. package/dist/server/auth-context.js +76 -0
  89. package/dist/server/auth.d.ts +99 -244
  90. package/dist/server/auth.js +56 -152
  91. package/dist/server/componentContext.d.ts +12 -0
  92. package/dist/server/componentContext.js +1 -0
  93. package/dist/server/config.js +6 -67
  94. package/dist/server/constants.js +6 -0
  95. package/dist/server/contract.d.ts +105 -0
  96. package/dist/server/contract.js +43 -0
  97. package/dist/server/cookies.js +3 -2
  98. package/dist/server/core.js +31 -36
  99. package/dist/server/crypto.js +34 -44
  100. package/dist/server/db.js +6 -1
  101. package/dist/server/device.js +96 -130
  102. package/dist/server/env.js +48 -0
  103. package/dist/server/errors.js +20 -0
  104. package/dist/server/http.d.ts +15 -59
  105. package/dist/server/http.js +136 -120
  106. package/dist/server/identity.js +2 -2
  107. package/dist/server/index.d.ts +5 -4
  108. package/dist/server/index.js +3 -3
  109. package/dist/server/keys.js +10 -1
  110. package/dist/server/limits.js +26 -26
  111. package/dist/server/log.js +28 -0
  112. package/dist/server/mounts.d.ts +1107 -296
  113. package/dist/server/mounts.js +315 -196
  114. package/dist/server/mutations/account.js +11 -14
  115. package/dist/server/mutations/code.js +6 -5
  116. package/dist/server/mutations/invalidate.js +9 -11
  117. package/dist/server/mutations/oauth.js +112 -73
  118. package/dist/server/mutations/refresh.js +47 -97
  119. package/dist/server/mutations/register.js +37 -35
  120. package/dist/server/mutations/retrieve.js +16 -16
  121. package/dist/server/mutations/signature.js +15 -18
  122. package/dist/server/mutations/signin.js +10 -5
  123. package/dist/server/mutations/signout.js +11 -14
  124. package/dist/server/mutations/store.js +25 -18
  125. package/dist/server/mutations/verifier.js +11 -8
  126. package/dist/server/mutations/verify.js +53 -41
  127. package/dist/server/oauth/factory.js +44 -0
  128. package/dist/server/oauth/index.js +12 -0
  129. package/dist/server/oauth/runtime.js +248 -0
  130. package/dist/server/passkey.js +331 -365
  131. package/dist/server/payloads.d.ts +16 -0
  132. package/dist/server/payloads.js +30 -0
  133. package/dist/server/{ssr.d.ts → prefetch.d.ts} +2 -2
  134. package/dist/server/prefetch.js +635 -0
  135. package/dist/server/random.js +19 -0
  136. package/dist/server/redirects.js +10 -5
  137. package/dist/server/refresh.js +14 -86
  138. package/dist/server/runtime.d.ts +531 -31
  139. package/dist/server/runtime.js +106 -267
  140. package/dist/server/secret.js +44 -0
  141. package/dist/server/services/config.js +10 -0
  142. package/dist/server/services/group.js +211 -0
  143. package/dist/server/services/logger.js +8 -0
  144. package/dist/server/services/providers.js +22 -0
  145. package/dist/server/services/refresh.js +8 -0
  146. package/dist/server/services/resolve.js +27 -0
  147. package/dist/server/services/signin.js +8 -0
  148. package/dist/server/sessions.js +35 -34
  149. package/dist/server/signin.js +229 -140
  150. package/dist/server/{enterprise → sso}/config.js +10 -3
  151. package/dist/server/sso/domain.d.ts +614 -0
  152. package/dist/server/sso/domain.js +1175 -0
  153. package/dist/server/sso/http.js +1060 -0
  154. package/dist/server/sso/oidc.js +324 -0
  155. package/dist/server/sso/policies.js +59 -0
  156. package/dist/server/sso/policy.js +139 -0
  157. package/dist/server/sso/profile.js +22 -0
  158. package/dist/server/sso/provision.js +179 -0
  159. package/dist/{component/server/enterprise → server/sso}/saml.js +142 -56
  160. package/dist/{component/server/enterprise → server/sso}/scim.js +13 -7
  161. package/dist/server/sso/shared.js +74 -0
  162. package/dist/server/sso/validators.js +88 -0
  163. package/dist/server/sso/webhook.js +94 -0
  164. package/dist/server/tokens.js +16 -4
  165. package/dist/server/totp.js +155 -164
  166. package/dist/server/types.d.ts +306 -296
  167. package/dist/server/types.js +1 -30
  168. package/dist/server/url.js +32 -0
  169. package/dist/server/users.js +74 -40
  170. package/dist/server/utils/cache.js +51 -0
  171. package/dist/server/utils/dispatch.js +36 -0
  172. package/dist/server/utils/retry.js +24 -0
  173. package/dist/server/utils/span.js +32 -0
  174. package/dist/shared/errors.js +19 -0
  175. package/dist/shared/log.js +45 -0
  176. package/{src/test.ts → dist/test.d.ts} +21 -22
  177. package/dist/test.js +51 -0
  178. package/package.json +70 -42
  179. package/dist/authorization/index.d.ts.map +0 -1
  180. package/dist/authorization/index.js.map +0 -1
  181. package/dist/client/core/types.d.ts.map +0 -1
  182. package/dist/client/index.d.ts.map +0 -1
  183. package/dist/client/index.js.map +0 -1
  184. package/dist/component/_generated/api.d.ts +0 -75
  185. package/dist/component/_generated/api.d.ts.map +0 -1
  186. package/dist/component/_generated/api.js.map +0 -1
  187. package/dist/component/_generated/component.d.ts.map +0 -1
  188. package/dist/component/_generated/dataModel.d.ts +0 -42
  189. package/dist/component/_generated/dataModel.d.ts.map +0 -1
  190. package/dist/component/_generated/server.d.ts +0 -117
  191. package/dist/component/_generated/server.d.ts.map +0 -1
  192. package/dist/component/_generated/server.js.map +0 -1
  193. package/dist/component/_virtual/rolldown_runtime.js +0 -18
  194. package/dist/component/client/core/types.d.ts +0 -2
  195. package/dist/component/client/index.d.ts +0 -1
  196. package/dist/component/convex.config.d.ts.map +0 -1
  197. package/dist/component/convex.config.js.map +0 -1
  198. package/dist/component/functions.d.ts +0 -25
  199. package/dist/component/functions.d.ts.map +0 -1
  200. package/dist/component/functions.js.map +0 -1
  201. package/dist/component/index.d.ts.map +0 -1
  202. package/dist/component/model.d.ts.map +0 -1
  203. package/dist/component/model.js.map +0 -1
  204. package/dist/component/providers/anonymous.d.ts +0 -54
  205. package/dist/component/providers/anonymous.d.ts.map +0 -1
  206. package/dist/component/providers/credentials.d.ts +0 -38
  207. package/dist/component/providers/credentials.d.ts.map +0 -1
  208. package/dist/component/providers/device.d.ts +0 -67
  209. package/dist/component/providers/device.d.ts.map +0 -1
  210. package/dist/component/providers/email.d.ts +0 -62
  211. package/dist/component/providers/email.d.ts.map +0 -1
  212. package/dist/component/providers/oauth.d.ts +0 -25
  213. package/dist/component/providers/oauth.d.ts.map +0 -1
  214. package/dist/component/providers/oauth.js +0 -13
  215. package/dist/component/providers/oauth.js.map +0 -1
  216. package/dist/component/providers/passkey.d.ts +0 -57
  217. package/dist/component/providers/passkey.d.ts.map +0 -1
  218. package/dist/component/providers/password.d.ts +0 -88
  219. package/dist/component/providers/password.d.ts.map +0 -1
  220. package/dist/component/providers/phone.d.ts +0 -48
  221. package/dist/component/providers/phone.d.ts.map +0 -1
  222. package/dist/component/providers/sso.d.ts +0 -50
  223. package/dist/component/providers/sso.d.ts.map +0 -1
  224. package/dist/component/providers/totp.d.ts +0 -45
  225. package/dist/component/providers/totp.d.ts.map +0 -1
  226. package/dist/component/public/enterprise/audit.d.ts +0 -73
  227. package/dist/component/public/enterprise/audit.d.ts.map +0 -1
  228. package/dist/component/public/enterprise/audit.js.map +0 -1
  229. package/dist/component/public/enterprise/core.d.ts +0 -176
  230. package/dist/component/public/enterprise/core.d.ts.map +0 -1
  231. package/dist/component/public/enterprise/core.js +0 -292
  232. package/dist/component/public/enterprise/core.js.map +0 -1
  233. package/dist/component/public/enterprise/domains.d.ts +0 -174
  234. package/dist/component/public/enterprise/domains.d.ts.map +0 -1
  235. package/dist/component/public/enterprise/domains.js +0 -271
  236. package/dist/component/public/enterprise/domains.js.map +0 -1
  237. package/dist/component/public/enterprise/scim.d.ts +0 -245
  238. package/dist/component/public/enterprise/scim.d.ts.map +0 -1
  239. package/dist/component/public/enterprise/scim.js.map +0 -1
  240. package/dist/component/public/enterprise/secrets.d.ts +0 -78
  241. package/dist/component/public/enterprise/secrets.d.ts.map +0 -1
  242. package/dist/component/public/enterprise/secrets.js +0 -118
  243. package/dist/component/public/enterprise/secrets.js.map +0 -1
  244. package/dist/component/public/enterprise/webhooks.d.ts +0 -211
  245. package/dist/component/public/enterprise/webhooks.d.ts.map +0 -1
  246. package/dist/component/public/enterprise/webhooks.js.map +0 -1
  247. package/dist/component/public/factors/devices.d.ts +0 -157
  248. package/dist/component/public/factors/devices.d.ts.map +0 -1
  249. package/dist/component/public/factors/devices.js.map +0 -1
  250. package/dist/component/public/factors/passkeys.d.ts +0 -175
  251. package/dist/component/public/factors/passkeys.d.ts.map +0 -1
  252. package/dist/component/public/factors/passkeys.js.map +0 -1
  253. package/dist/component/public/factors/totp.d.ts +0 -189
  254. package/dist/component/public/factors/totp.d.ts.map +0 -1
  255. package/dist/component/public/factors/totp.js.map +0 -1
  256. package/dist/component/public/groups/core.d.ts +0 -137
  257. package/dist/component/public/groups/core.d.ts.map +0 -1
  258. package/dist/component/public/groups/core.js.map +0 -1
  259. package/dist/component/public/groups/invites.d.ts +0 -217
  260. package/dist/component/public/groups/invites.d.ts.map +0 -1
  261. package/dist/component/public/groups/invites.js.map +0 -1
  262. package/dist/component/public/groups/members.d.ts +0 -204
  263. package/dist/component/public/groups/members.d.ts.map +0 -1
  264. package/dist/component/public/groups/members.js.map +0 -1
  265. package/dist/component/public/identity/accounts.d.ts +0 -147
  266. package/dist/component/public/identity/accounts.d.ts.map +0 -1
  267. package/dist/component/public/identity/accounts.js.map +0 -1
  268. package/dist/component/public/identity/codes.d.ts +0 -104
  269. package/dist/component/public/identity/codes.d.ts.map +0 -1
  270. package/dist/component/public/identity/codes.js.map +0 -1
  271. package/dist/component/public/identity/sessions.d.ts +0 -128
  272. package/dist/component/public/identity/sessions.d.ts.map +0 -1
  273. package/dist/component/public/identity/sessions.js.map +0 -1
  274. package/dist/component/public/identity/tokens.d.ts +0 -169
  275. package/dist/component/public/identity/tokens.d.ts.map +0 -1
  276. package/dist/component/public/identity/tokens.js.map +0 -1
  277. package/dist/component/public/identity/users.d.ts +0 -212
  278. package/dist/component/public/identity/users.d.ts.map +0 -1
  279. package/dist/component/public/identity/users.js.map +0 -1
  280. package/dist/component/public/identity/verifiers.d.ts +0 -116
  281. package/dist/component/public/identity/verifiers.d.ts.map +0 -1
  282. package/dist/component/public/identity/verifiers.js.map +0 -1
  283. package/dist/component/public/security/keys.d.ts +0 -209
  284. package/dist/component/public/security/keys.d.ts.map +0 -1
  285. package/dist/component/public/security/keys.js.map +0 -1
  286. package/dist/component/public/security/limits.d.ts +0 -114
  287. package/dist/component/public/security/limits.d.ts.map +0 -1
  288. package/dist/component/public/security/limits.js.map +0 -1
  289. package/dist/component/public.d.ts +0 -28
  290. package/dist/component/public.d.ts.map +0 -1
  291. package/dist/component/schema.d.ts.map +0 -1
  292. package/dist/component/schema.js.map +0 -1
  293. package/dist/component/server/auth.d.ts +0 -447
  294. package/dist/component/server/auth.d.ts.map +0 -1
  295. package/dist/component/server/auth.js +0 -254
  296. package/dist/component/server/auth.js.map +0 -1
  297. package/dist/component/server/config.js +0 -121
  298. package/dist/component/server/config.js.map +0 -1
  299. package/dist/component/server/context.js +0 -53
  300. package/dist/component/server/context.js.map +0 -1
  301. package/dist/component/server/cookies.js +0 -47
  302. package/dist/component/server/cookies.js.map +0 -1
  303. package/dist/component/server/core.js +0 -576
  304. package/dist/component/server/core.js.map +0 -1
  305. package/dist/component/server/crypto.js +0 -56
  306. package/dist/component/server/crypto.js.map +0 -1
  307. package/dist/component/server/db.js +0 -87
  308. package/dist/component/server/db.js.map +0 -1
  309. package/dist/component/server/device.js +0 -152
  310. package/dist/component/server/device.js.map +0 -1
  311. package/dist/component/server/enterprise/config.js +0 -46
  312. package/dist/component/server/enterprise/config.js.map +0 -1
  313. package/dist/component/server/enterprise/domain.js +0 -974
  314. package/dist/component/server/enterprise/domain.js.map +0 -1
  315. package/dist/component/server/enterprise/http.js +0 -787
  316. package/dist/component/server/enterprise/http.js.map +0 -1
  317. package/dist/component/server/enterprise/oidc.js +0 -248
  318. package/dist/component/server/enterprise/oidc.js.map +0 -1
  319. package/dist/component/server/enterprise/policy.js +0 -85
  320. package/dist/component/server/enterprise/policy.js.map +0 -1
  321. package/dist/component/server/enterprise/saml.js.map +0 -1
  322. package/dist/component/server/enterprise/scim.js.map +0 -1
  323. package/dist/component/server/enterprise/shared.js +0 -51
  324. package/dist/component/server/enterprise/shared.js.map +0 -1
  325. package/dist/component/server/http.d.ts +0 -85
  326. package/dist/component/server/http.d.ts.map +0 -1
  327. package/dist/component/server/http.js +0 -351
  328. package/dist/component/server/http.js.map +0 -1
  329. package/dist/component/server/identity.js +0 -16
  330. package/dist/component/server/identity.js.map +0 -1
  331. package/dist/component/server/keys.js +0 -96
  332. package/dist/component/server/keys.js.map +0 -1
  333. package/dist/component/server/limits.js +0 -52
  334. package/dist/component/server/limits.js.map +0 -1
  335. package/dist/component/server/mutations/account.js +0 -46
  336. package/dist/component/server/mutations/account.js.map +0 -1
  337. package/dist/component/server/mutations/code.js +0 -68
  338. package/dist/component/server/mutations/code.js.map +0 -1
  339. package/dist/component/server/mutations/invalidate.js +0 -32
  340. package/dist/component/server/mutations/invalidate.js.map +0 -1
  341. package/dist/component/server/mutations/oauth.js +0 -116
  342. package/dist/component/server/mutations/oauth.js.map +0 -1
  343. package/dist/component/server/mutations/refresh.js +0 -119
  344. package/dist/component/server/mutations/refresh.js.map +0 -1
  345. package/dist/component/server/mutations/register.js +0 -87
  346. package/dist/component/server/mutations/register.js.map +0 -1
  347. package/dist/component/server/mutations/retrieve.js +0 -61
  348. package/dist/component/server/mutations/retrieve.js.map +0 -1
  349. package/dist/component/server/mutations/signature.js +0 -38
  350. package/dist/component/server/mutations/signature.js.map +0 -1
  351. package/dist/component/server/mutations/signin.js +0 -27
  352. package/dist/component/server/mutations/signin.js.map +0 -1
  353. package/dist/component/server/mutations/signout.js +0 -27
  354. package/dist/component/server/mutations/signout.js.map +0 -1
  355. package/dist/component/server/mutations/store/refs.js +0 -15
  356. package/dist/component/server/mutations/store/refs.js.map +0 -1
  357. package/dist/component/server/mutations/store.js +0 -70
  358. package/dist/component/server/mutations/store.js.map +0 -1
  359. package/dist/component/server/mutations/verifier.js +0 -18
  360. package/dist/component/server/mutations/verifier.js.map +0 -1
  361. package/dist/component/server/mutations/verify.js +0 -98
  362. package/dist/component/server/mutations/verify.js.map +0 -1
  363. package/dist/component/server/oauth.js +0 -242
  364. package/dist/component/server/oauth.js.map +0 -1
  365. package/dist/component/server/passkey.js +0 -415
  366. package/dist/component/server/passkey.js.map +0 -1
  367. package/dist/component/server/redirects.js +0 -40
  368. package/dist/component/server/redirects.js.map +0 -1
  369. package/dist/component/server/refresh.js +0 -99
  370. package/dist/component/server/refresh.js.map +0 -1
  371. package/dist/component/server/runtime.d.ts +0 -136
  372. package/dist/component/server/runtime.d.ts.map +0 -1
  373. package/dist/component/server/runtime.js +0 -456
  374. package/dist/component/server/runtime.js.map +0 -1
  375. package/dist/component/server/sessions.js +0 -71
  376. package/dist/component/server/sessions.js.map +0 -1
  377. package/dist/component/server/signin.js +0 -225
  378. package/dist/component/server/signin.js.map +0 -1
  379. package/dist/component/server/tokens.js +0 -17
  380. package/dist/component/server/tokens.js.map +0 -1
  381. package/dist/component/server/totp.js +0 -208
  382. package/dist/component/server/totp.js.map +0 -1
  383. package/dist/component/server/types.d.ts +0 -949
  384. package/dist/component/server/types.d.ts.map +0 -1
  385. package/dist/component/server/types.js +0 -79
  386. package/dist/component/server/types.js.map +0 -1
  387. package/dist/component/server/users.js +0 -123
  388. package/dist/component/server/users.js.map +0 -1
  389. package/dist/component/server/utils.js +0 -140
  390. package/dist/component/server/utils.js.map +0 -1
  391. package/dist/core/types.d.ts +0 -361
  392. package/dist/core/types.d.ts.map +0 -1
  393. package/dist/factors/device.js +0 -104
  394. package/dist/factors/device.js.map +0 -1
  395. package/dist/factors/passkey.js.map +0 -1
  396. package/dist/factors/totp.js.map +0 -1
  397. package/dist/providers/anonymous.d.ts.map +0 -1
  398. package/dist/providers/anonymous.js.map +0 -1
  399. package/dist/providers/credentials.d.ts.map +0 -1
  400. package/dist/providers/credentials.js.map +0 -1
  401. package/dist/providers/device.d.ts.map +0 -1
  402. package/dist/providers/device.js.map +0 -1
  403. package/dist/providers/email.d.ts.map +0 -1
  404. package/dist/providers/email.js.map +0 -1
  405. package/dist/providers/oauth.d.ts +0 -69
  406. package/dist/providers/oauth.d.ts.map +0 -1
  407. package/dist/providers/oauth.js +0 -43
  408. package/dist/providers/oauth.js.map +0 -1
  409. package/dist/providers/passkey.d.ts.map +0 -1
  410. package/dist/providers/passkey.js.map +0 -1
  411. package/dist/providers/password.d.ts.map +0 -1
  412. package/dist/providers/password.js.map +0 -1
  413. package/dist/providers/phone.d.ts.map +0 -1
  414. package/dist/providers/phone.js.map +0 -1
  415. package/dist/providers/sso.d.ts.map +0 -1
  416. package/dist/providers/sso.js.map +0 -1
  417. package/dist/providers/totp.d.ts.map +0 -1
  418. package/dist/providers/totp.js.map +0 -1
  419. package/dist/runtime/browser.js +0 -68
  420. package/dist/runtime/browser.js.map +0 -1
  421. package/dist/runtime/invite.js.map +0 -1
  422. package/dist/runtime/proxy.js +0 -70
  423. package/dist/runtime/proxy.js.map +0 -1
  424. package/dist/runtime/storage.js +0 -37
  425. package/dist/runtime/storage.js.map +0 -1
  426. package/dist/server/auth.d.ts.map +0 -1
  427. package/dist/server/auth.js.map +0 -1
  428. package/dist/server/config.d.ts +0 -1
  429. package/dist/server/config.js.map +0 -1
  430. package/dist/server/context.d.ts +0 -1
  431. package/dist/server/context.js.map +0 -1
  432. package/dist/server/cookies.d.ts +0 -1
  433. package/dist/server/cookies.js.map +0 -1
  434. package/dist/server/core.d.ts +0 -1315
  435. package/dist/server/core.d.ts.map +0 -1
  436. package/dist/server/core.js.map +0 -1
  437. package/dist/server/crypto.d.ts +0 -8
  438. package/dist/server/crypto.d.ts.map +0 -1
  439. package/dist/server/crypto.js.map +0 -1
  440. package/dist/server/db.d.ts +0 -1
  441. package/dist/server/db.js.map +0 -1
  442. package/dist/server/device.d.ts +0 -1
  443. package/dist/server/device.js.map +0 -1
  444. package/dist/server/enterprise/config.d.ts +0 -1
  445. package/dist/server/enterprise/config.js.map +0 -1
  446. package/dist/server/enterprise/domain.d.ts +0 -401
  447. package/dist/server/enterprise/domain.d.ts.map +0 -1
  448. package/dist/server/enterprise/domain.js +0 -974
  449. package/dist/server/enterprise/domain.js.map +0 -1
  450. package/dist/server/enterprise/http.d.ts +0 -26
  451. package/dist/server/enterprise/http.d.ts.map +0 -1
  452. package/dist/server/enterprise/http.js +0 -787
  453. package/dist/server/enterprise/http.js.map +0 -1
  454. package/dist/server/enterprise/oidc.d.ts +0 -1
  455. package/dist/server/enterprise/oidc.js +0 -248
  456. package/dist/server/enterprise/oidc.js.map +0 -1
  457. package/dist/server/enterprise/policy.d.ts +0 -1
  458. package/dist/server/enterprise/policy.js +0 -85
  459. package/dist/server/enterprise/policy.js.map +0 -1
  460. package/dist/server/enterprise/saml.d.ts +0 -1
  461. package/dist/server/enterprise/saml.js +0 -338
  462. package/dist/server/enterprise/saml.js.map +0 -1
  463. package/dist/server/enterprise/scim.d.ts +0 -1
  464. package/dist/server/enterprise/scim.js +0 -97
  465. package/dist/server/enterprise/scim.js.map +0 -1
  466. package/dist/server/enterprise/shared.d.ts +0 -5
  467. package/dist/server/enterprise/shared.d.ts.map +0 -1
  468. package/dist/server/enterprise/shared.js +0 -51
  469. package/dist/server/enterprise/shared.js.map +0 -1
  470. package/dist/server/enterprise/validators.d.ts +0 -1
  471. package/dist/server/enterprise/validators.js +0 -60
  472. package/dist/server/enterprise/validators.js.map +0 -1
  473. package/dist/server/http.d.ts.map +0 -1
  474. package/dist/server/http.js.map +0 -1
  475. package/dist/server/identity.d.ts +0 -1
  476. package/dist/server/identity.js.map +0 -1
  477. package/dist/server/keys.d.ts +0 -1
  478. package/dist/server/keys.js.map +0 -1
  479. package/dist/server/limits.d.ts +0 -1
  480. package/dist/server/limits.js.map +0 -1
  481. package/dist/server/mounts.d.ts.map +0 -1
  482. package/dist/server/mounts.js.map +0 -1
  483. package/dist/server/mutations/account.d.ts +0 -29
  484. package/dist/server/mutations/account.d.ts.map +0 -1
  485. package/dist/server/mutations/account.js.map +0 -1
  486. package/dist/server/mutations/code.d.ts +0 -30
  487. package/dist/server/mutations/code.d.ts.map +0 -1
  488. package/dist/server/mutations/code.js.map +0 -1
  489. package/dist/server/mutations/index.d.ts +0 -14
  490. package/dist/server/mutations/invalidate.d.ts +0 -20
  491. package/dist/server/mutations/invalidate.d.ts.map +0 -1
  492. package/dist/server/mutations/invalidate.js.map +0 -1
  493. package/dist/server/mutations/oauth.d.ts +0 -30
  494. package/dist/server/mutations/oauth.d.ts.map +0 -1
  495. package/dist/server/mutations/oauth.js.map +0 -1
  496. package/dist/server/mutations/refresh.d.ts +0 -21
  497. package/dist/server/mutations/refresh.d.ts.map +0 -1
  498. package/dist/server/mutations/refresh.js.map +0 -1
  499. package/dist/server/mutations/register.d.ts +0 -38
  500. package/dist/server/mutations/register.d.ts.map +0 -1
  501. package/dist/server/mutations/register.js.map +0 -1
  502. package/dist/server/mutations/retrieve.d.ts +0 -33
  503. package/dist/server/mutations/retrieve.d.ts.map +0 -1
  504. package/dist/server/mutations/retrieve.js.map +0 -1
  505. package/dist/server/mutations/signature.d.ts +0 -21
  506. package/dist/server/mutations/signature.d.ts.map +0 -1
  507. package/dist/server/mutations/signature.js.map +0 -1
  508. package/dist/server/mutations/signin.d.ts +0 -22
  509. package/dist/server/mutations/signin.d.ts.map +0 -1
  510. package/dist/server/mutations/signin.js.map +0 -1
  511. package/dist/server/mutations/signout.d.ts +0 -16
  512. package/dist/server/mutations/signout.d.ts.map +0 -1
  513. package/dist/server/mutations/signout.js.map +0 -1
  514. package/dist/server/mutations/store/refs.d.ts +0 -12
  515. package/dist/server/mutations/store/refs.d.ts.map +0 -1
  516. package/dist/server/mutations/store/refs.js.map +0 -1
  517. package/dist/server/mutations/store.d.ts +0 -306
  518. package/dist/server/mutations/store.d.ts.map +0 -1
  519. package/dist/server/mutations/store.js.map +0 -1
  520. package/dist/server/mutations/verifier.d.ts +0 -13
  521. package/dist/server/mutations/verifier.d.ts.map +0 -1
  522. package/dist/server/mutations/verifier.js.map +0 -1
  523. package/dist/server/mutations/verify.d.ts +0 -26
  524. package/dist/server/mutations/verify.d.ts.map +0 -1
  525. package/dist/server/mutations/verify.js.map +0 -1
  526. package/dist/server/oauth.d.ts +0 -1
  527. package/dist/server/oauth.js +0 -242
  528. package/dist/server/oauth.js.map +0 -1
  529. package/dist/server/passkey.d.ts +0 -27
  530. package/dist/server/passkey.d.ts.map +0 -1
  531. package/dist/server/passkey.js.map +0 -1
  532. package/dist/server/redirects.d.ts +0 -1
  533. package/dist/server/redirects.js.map +0 -1
  534. package/dist/server/refresh.d.ts +0 -1
  535. package/dist/server/refresh.js.map +0 -1
  536. package/dist/server/runtime.d.ts.map +0 -1
  537. package/dist/server/runtime.js.map +0 -1
  538. package/dist/server/sessions.d.ts +0 -1
  539. package/dist/server/sessions.js.map +0 -1
  540. package/dist/server/signin.d.ts +0 -1
  541. package/dist/server/signin.js.map +0 -1
  542. package/dist/server/ssr.d.ts.map +0 -1
  543. package/dist/server/ssr.js +0 -777
  544. package/dist/server/ssr.js.map +0 -1
  545. package/dist/server/templates.d.ts +0 -1
  546. package/dist/server/templates.js.map +0 -1
  547. package/dist/server/tokens.d.ts +0 -1
  548. package/dist/server/tokens.js.map +0 -1
  549. package/dist/server/totp.d.ts +0 -1
  550. package/dist/server/totp.js.map +0 -1
  551. package/dist/server/types.d.ts.map +0 -1
  552. package/dist/server/types.js.map +0 -1
  553. package/dist/server/users.d.ts +0 -1
  554. package/dist/server/users.js.map +0 -1
  555. package/dist/server/utils.d.ts +0 -1
  556. package/dist/server/utils.js +0 -140
  557. package/dist/server/utils.js.map +0 -1
  558. package/src/authorization/index.ts +0 -83
  559. package/src/cli/bin.ts +0 -5
  560. package/src/cli/command.ts +0 -70
  561. package/src/cli/index.ts +0 -1112
  562. package/src/cli/keys.ts +0 -23
  563. package/src/client/core/types.ts +0 -437
  564. package/src/client/factors/device.ts +0 -158
  565. package/src/client/factors/passkey.ts +0 -279
  566. package/src/client/factors/totp.ts +0 -150
  567. package/src/client/index.ts +0 -1124
  568. package/src/client/runtime/browser.ts +0 -112
  569. package/src/client/runtime/invite.ts +0 -63
  570. package/src/client/runtime/proxy.ts +0 -111
  571. package/src/client/runtime/storage.ts +0 -79
  572. package/src/component/_generated/api.ts +0 -96
  573. package/src/component/_generated/component.ts +0 -3774
  574. package/src/component/_generated/dataModel.ts +0 -60
  575. package/src/component/_generated/server.ts +0 -156
  576. package/src/component/convex.config.ts +0 -5
  577. package/src/component/functions.ts +0 -104
  578. package/src/component/index.ts +0 -42
  579. package/src/component/model.ts +0 -449
  580. package/src/component/public/enterprise/audit.ts +0 -125
  581. package/src/component/public/enterprise/core.ts +0 -355
  582. package/src/component/public/enterprise/domains.ts +0 -327
  583. package/src/component/public/enterprise/scim.ts +0 -397
  584. package/src/component/public/enterprise/secrets.ts +0 -133
  585. package/src/component/public/enterprise/webhooks.ts +0 -307
  586. package/src/component/public/factors/devices.ts +0 -224
  587. package/src/component/public/factors/passkeys.ts +0 -243
  588. package/src/component/public/factors/totp.ts +0 -259
  589. package/src/component/public/groups/core.ts +0 -481
  590. package/src/component/public/groups/invites.ts +0 -608
  591. package/src/component/public/groups/members.ts +0 -410
  592. package/src/component/public/identity/accounts.ts +0 -207
  593. package/src/component/public/identity/codes.ts +0 -149
  594. package/src/component/public/identity/sessions.ts +0 -210
  595. package/src/component/public/identity/tokens.ts +0 -251
  596. package/src/component/public/identity/users.ts +0 -355
  597. package/src/component/public/identity/verifiers.ts +0 -158
  598. package/src/component/public/security/keys.ts +0 -366
  599. package/src/component/public/security/limits.ts +0 -174
  600. package/src/component/public.ts +0 -27
  601. package/src/component/schema.ts +0 -505
  602. package/src/providers/anonymous.ts +0 -99
  603. package/src/providers/credentials.ts +0 -102
  604. package/src/providers/device.ts +0 -87
  605. package/src/providers/email.ts +0 -99
  606. package/src/providers/index.ts +0 -31
  607. package/src/providers/oauth.ts +0 -117
  608. package/src/providers/passkey.ts +0 -77
  609. package/src/providers/password.ts +0 -441
  610. package/src/providers/phone.ts +0 -93
  611. package/src/providers/sso.ts +0 -54
  612. package/src/providers/totp.ts +0 -62
  613. package/src/samlify.d.ts +0 -53
  614. package/src/server/auth.ts +0 -949
  615. package/src/server/config.ts +0 -200
  616. package/src/server/context.ts +0 -90
  617. package/src/server/cookies.ts +0 -49
  618. package/src/server/core.ts +0 -2004
  619. package/src/server/crypto.ts +0 -90
  620. package/src/server/db.ts +0 -203
  621. package/src/server/device.ts +0 -254
  622. package/src/server/enterprise/config.ts +0 -51
  623. package/src/server/enterprise/domain.ts +0 -1739
  624. package/src/server/enterprise/http.ts +0 -1331
  625. package/src/server/enterprise/oidc.ts +0 -500
  626. package/src/server/enterprise/policy.ts +0 -128
  627. package/src/server/enterprise/saml.ts +0 -578
  628. package/src/server/enterprise/scim.ts +0 -135
  629. package/src/server/enterprise/shared.ts +0 -134
  630. package/src/server/enterprise/validators.ts +0 -93
  631. package/src/server/http.ts +0 -790
  632. package/src/server/identity.ts +0 -18
  633. package/src/server/index.ts +0 -40
  634. package/src/server/keys.ts +0 -158
  635. package/src/server/limits.ts +0 -107
  636. package/src/server/mounts.ts +0 -924
  637. package/src/server/mutations/account.ts +0 -62
  638. package/src/server/mutations/code.ts +0 -119
  639. package/src/server/mutations/index.ts +0 -13
  640. package/src/server/mutations/invalidate.ts +0 -50
  641. package/src/server/mutations/oauth.ts +0 -243
  642. package/src/server/mutations/refresh.ts +0 -299
  643. package/src/server/mutations/register.ts +0 -155
  644. package/src/server/mutations/retrieve.ts +0 -109
  645. package/src/server/mutations/signature.ts +0 -57
  646. package/src/server/mutations/signin.ts +0 -54
  647. package/src/server/mutations/signout.ts +0 -43
  648. package/src/server/mutations/store/refs.ts +0 -10
  649. package/src/server/mutations/store.ts +0 -123
  650. package/src/server/mutations/verifier.ts +0 -34
  651. package/src/server/mutations/verify.ts +0 -200
  652. package/src/server/oauth.ts +0 -418
  653. package/src/server/passkey.ts +0 -838
  654. package/src/server/redirects.ts +0 -59
  655. package/src/server/refresh.ts +0 -218
  656. package/src/server/runtime.ts +0 -918
  657. package/src/server/sessions.ts +0 -132
  658. package/src/server/signin.ts +0 -445
  659. package/src/server/ssr.ts +0 -1747
  660. package/src/server/templates.ts +0 -82
  661. package/src/server/tokens.ts +0 -35
  662. package/src/server/totp.ts +0 -399
  663. package/src/server/types.ts +0 -1942
  664. package/src/server/users.ts +0 -291
  665. package/src/server/utils.ts +0 -220
  666. /package/dist/{runtime → client/runtime}/invite.js +0 -0
@@ -1,107 +1,193 @@
1
- import { AuthAuthorizationConfig, AuthRoleId } from "./types.js";
1
+ import { AuthAuthorizationConfig, GroupConnectionDeprovisionMode, GroupConnectionPolicy } from "./types.js";
2
+ import { AuditEventRecord, ConnectionDomainRecord, GroupConnectionDomainLookupRecord, GroupConnectionListResult, GroupConnectionRecord, ScimConfigRecord } from "./contract.js";
2
3
  import { AuthApi } from "./auth.js";
3
- import * as convex_server2 from "convex/server";
4
+ import * as convex_server7 from "convex/server";
4
5
 
5
6
  //#region src/server/mounts.d.ts
6
7
  /**
7
- * Permission identifiers used by mounted enterprise admin APIs.
8
+ * Permission identifiers used by mounted group SSO admin APIs.
8
9
  *
9
- * These permission strings are passed to your {@link EnterpriseAuthorizer}
10
+ * These permission strings are passed to your {@link GroupSsoAccessHandler}
10
11
  * callback so app code can decide whether the current user may perform a
11
12
  * specific SSO or SCIM management operation.
12
13
  *
13
14
  * @example
14
15
  * ```ts
15
- * const authorized: EnterpriseAuthorizer = async (ctx, input) => {
16
+ * const access: GroupSsoAccessHandler = async (ctx, input) => {
16
17
  * if (input.permission === "sso.connection.create") {
17
18
  * // Only org admins may create SSO connections
18
19
  * }
19
20
  * };
20
21
  * ```
21
22
  */
22
- type EnterpriseAdminPermission = "sso.connection.create" | "sso.connection.read" | "sso.connection.manage" | "sso.domain.manage" | "sso.protocol.manage" | "sso.policy.manage" | "sso.audit.read" | "sso.webhook.manage" | "scim.manage";
23
+ type GroupSsoPermission = "sso.connection.create" | "sso.connection.read" | "sso.connection.manage" | "sso.domain.manage" | "sso.protocol.manage" | "sso.policy.manage" | "sso.audit.read" | "sso.webhook.manage" | "scim.manage";
23
24
  /**
24
- * Input passed to an {@link EnterpriseAuthorizer}.
25
+ * Input passed to a mounted Group SSO access check.
25
26
  *
26
27
  * Contains the acting user, the requested permission, and the resolved
27
- * enterprise/group scope for the operation being authorized.
28
+ * group connection/group scope for the operation being authorized.
28
29
  */
29
- type EnterpriseAdminAuthorizationInput = {
30
- /** The signed-in user's ID performing the admin action. */userId: string; /** The {@link EnterpriseAdminPermission} being requested. */
31
- permission: EnterpriseAdminPermission; /** Enterprise document ID, if the operation targets a specific enterprise. */
32
- enterpriseId?: string; /** Group document ID, if explicitly provided by the caller. */
33
- groupId?: string; /** Resolved group ID from the enterprise record, or `null` when no enterprise context. */
34
- resolvedGroupId: string | null;
30
+ type GroupSsoAccessInput = {
31
+ /** The signed-in user's ID performing the admin action. */userId: string; /** The {@link GroupSsoPermission} being requested. */
32
+ permission: GroupSsoPermission; /** Connection document ID, if the operation targets a specific SSO connection. */
33
+ connectionId?: string; /** Resolved group document ID, when the operation has group scope. */
34
+ groupId?: string;
35
35
  };
36
36
  /**
37
- * App-defined authorization hook for mounted enterprise admin APIs.
37
+ * App-defined access hook for mounted group SSO admin APIs.
38
38
  *
39
39
  * Return `void` (or resolve) to allow the operation, or throw to deny it.
40
40
  *
41
41
  * @param ctx - Convex context with `ctx.auth` for identity checks.
42
- * @param input - The {@link EnterpriseAdminAuthorizationInput} describing who is doing what.
42
+ * @param input - The {@link GroupSsoAccessInput} describing who is doing what.
43
43
  * @returns `void` to allow; throw to deny.
44
44
  *
45
45
  * @example
46
46
  * ```ts
47
- * import { EnterpriseAuthorizer } from "@robelest/convex-auth/server";
47
+ * import { GroupSsoAccessHandler } from "@robelest/convex-auth/server";
48
48
  *
49
- * const authorized: EnterpriseAuthorizer = async (ctx, input) => {
49
+ * const access: GroupSsoAccessHandler = async (ctx, input) => {
50
50
  * const identity = await ctx.auth.getUserIdentity();
51
51
  * if (!identity) throw new Error("Forbidden");
52
52
  * // Allow all admin ops for the org owner
53
53
  * };
54
54
  * ```
55
55
  */
56
- type EnterpriseAuthorizer = (ctx: {
57
- auth: convex_server2.Auth;
58
- }, input: EnterpriseAdminAuthorizationInput) => Promise<void>;
59
- type RoleRef<TRoleId extends string> = {
60
- id: TRoleId;
61
- };
62
- type MountedEnterpriseOptions<TRoleId extends string = string> = {
63
- admin?: {
64
- authorized?: EnterpriseAuthorizer;
65
- roles?: Array<TRoleId | RoleRef<TRoleId>>;
56
+ type GroupSsoAccessHandler = (ctx: {
57
+ auth: convex_server7.Auth;
58
+ }, input: GroupSsoAccessInput) => Promise<void>;
59
+ /**
60
+ * Declarative requirement map for mounted Group SSO admin permissions.
61
+ *
62
+ * Use `require` at any subtree to define the default requirements for all
63
+ * descendant operations. Child entries override that inherited default when
64
+ * present. This lets apps describe coarse defaults with narrower overrides for
65
+ * specific admin operations.
66
+ *
67
+ * @typeParam TRequirement - App-defined requirement values passed back to
68
+ * {@link GroupSsoResolvedAccessHandler}. These can be role refs, grant
69
+ * strings, or any other policy tokens your app understands.
70
+ *
71
+ * @example
72
+ * ```ts
73
+ * const permissions: GroupSsoAccessPermissions<string> = {
74
+ * sso: {
75
+ * require: ["workspace.sso.read"],
76
+ * connection: {
77
+ * create: ["workspace.sso.manage"],
78
+ * manage: ["workspace.sso.manage"],
79
+ * },
80
+ * },
81
+ * scim: {
82
+ * require: ["workspace.scim.manage"],
83
+ * },
84
+ * };
85
+ * ```
86
+ */
87
+ type GroupSsoAccessPermissions<TRequirement> = {
88
+ sso?: {
89
+ require?: readonly TRequirement[];
90
+ connection?: {
91
+ create?: readonly TRequirement[];
92
+ read?: readonly TRequirement[];
93
+ manage?: readonly TRequirement[];
94
+ };
95
+ domain?: {
96
+ manage?: readonly TRequirement[];
97
+ };
98
+ protocol?: {
99
+ manage?: readonly TRequirement[];
100
+ };
101
+ policy?: {
102
+ manage?: readonly TRequirement[];
103
+ };
104
+ audit?: {
105
+ read?: readonly TRequirement[];
106
+ };
107
+ webhook?: {
108
+ manage?: readonly TRequirement[];
109
+ };
110
+ };
111
+ scim?: {
112
+ require?: readonly TRequirement[];
113
+ manage?: readonly TRequirement[];
66
114
  };
67
115
  };
68
116
  /**
69
- * Configuration for {@link enterprise}, {@link sso}, and {@link scim}
70
- * mounted admin APIs.
117
+ * App-defined access hook for declarative mounted Group SSO permissions.
118
+ *
119
+ * The mounted API resolves the requirements for the current
120
+ * {@link GroupSsoPermission} from {@link GroupSsoAccessPermissions} and passes
121
+ * them to this callback. Throw to deny the operation, or resolve to allow it.
71
122
  *
72
- * @typeParam TRoleId - Role IDs that may be assigned to enterprise creators.
123
+ * @typeParam TRequirement - App-defined requirement values resolved from the
124
+ * configured permission tree.
125
+ * @param ctx - Convex context with `ctx.auth` for identity checks.
126
+ * @param input - The normalized mounted access input.
127
+ * @param required - The resolved requirement values for the current operation.
128
+ * @returns `void` to allow; throw to deny.
73
129
  *
74
130
  * @example
75
131
  * ```ts
76
- * import { enterprise, EnterpriseMountOptions } from "@robelest/convex-auth/server";
132
+ * const access: GroupSsoResolvedAccessHandler<string> = async (
133
+ * ctx,
134
+ * input,
135
+ * required,
136
+ * ) => {
137
+ * if (!input.groupId) {
138
+ * throw new Error("Group scope required");
139
+ * }
77
140
  *
78
- * const options: EnterpriseMountOptions = {
79
- * admin: {
80
- * authorized: async (ctx, input) => {
81
- * // Verify the user has permission for `input.permission`
82
- * },
83
- * roles: ["admin", "owner"],
141
+ * await auth.member.require(ctx, {
142
+ * userId: input.userId,
143
+ * groupId: input.groupId,
144
+ * grants: [...required],
145
+ * });
146
+ * };
147
+ * ```
148
+ */
149
+ type GroupSsoResolvedAccessHandler<TRequirement> = (ctx: {
150
+ auth: convex_server7.Auth;
151
+ }, input: GroupSsoAccessInput, required: readonly TRequirement[]) => Promise<void>;
152
+ /**
153
+ * Configuration for {@link createAuthGroupSso}, {@link sso}, and {@link scim}
154
+ * mounted admin APIs.
155
+ *
156
+ * @example
157
+ * ```ts
158
+ * import { createAuthGroupSso, CreateAuthGroupSsoOptions } from "@robelest/convex-auth/server";
159
+ *
160
+ * const options: CreateAuthGroupSsoOptions<string> = {
161
+ * permissions: {
162
+ * sso: { require: ["workspace.sso.manage"] },
163
+ * scim: { require: ["workspace.scim.manage"] },
164
+ * },
165
+ * access: async (_ctx, _input, _required) => {
166
+ * // Verify the current user satisfies the resolved requirements.
84
167
  * },
85
168
  * };
86
169
  * ```
87
170
  */
88
- type EnterpriseMountOptions<TRoleId extends string = string> = {
89
- admin: {
90
- authorized: EnterpriseAuthorizer;
91
- roles?: Array<TRoleId | RoleRef<TRoleId>>;
92
- };
171
+ type CreateAuthGroupSsoOptions<TRequirement = unknown> = {
172
+ access: GroupSsoAccessHandler;
173
+ permissions?: undefined;
174
+ } | {
175
+ permissions: GroupSsoAccessPermissions<TRequirement>;
176
+ access: GroupSsoResolvedAccessHandler<TRequirement>;
93
177
  };
94
178
  /**
95
179
  * Build optional public SSO management actions that apps can mount under
96
- * `convex/auth/sso/**` when they want client-callable enterprise APIs.
180
+ * `convex/auth/sso/**` when they want client-callable group SSO APIs.
97
181
  *
98
182
  * `admin` is for tenant-admin control-plane operations and should be mounted
99
- * with an explicit authorization policy. `client` is for end-user sign-in
183
+ * with an explicit access policy. `client` is for end-user sign-in
100
184
  * helpers and does not require tenant-admin authorization.
101
185
  *
102
186
  * @param auth - Auth API subset providing `group`, `member`, `sso`, and `user` namespaces.
103
- * @param options - Optional admin authorization config. See {@link EnterpriseMountOptions}.
187
+ * @param options - Optional admin access config. See {@link CreateAuthGroupSsoOptions}.
104
188
  * @typeParam TAuthorization - Optional authorization config for typed role IDs.
189
+ * @typeParam TRequirement - App-defined requirement values used by declarative
190
+ * `permissions` configs.
105
191
  * @returns An object with `admin` (connection CRUD, OIDC/SAML protocol config, policy,
106
192
  * audit, webhooks, domain management) and `client` (signIn, metadata) namespaces.
107
193
  *
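Review bot: The TSDoc for `GroupSsoResolvedAccessHandler` does not say what `required` contains when no entry in `GroupSsoAccessPermissions` covers the requested permission, and its example forwards the value unchecked as `grants: [...required]`. Every field of the permission tree is optional, so a config that sets only `sso.require` declares nothing for `scim.manage`. If that case resolves to an empty array (the declaration cannot show this), a handler written like the example may allow the operation, depending on how `auth.member.require` treats an empty grant list. I would document the unmapped case on the type and make the example fail closed with `if (required.length === 0) throw new Error("No requirement configured");` ahead of the `auth.member.require` call. The `sso` doc comment that closes this hunk continues past it.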
@@ -112,9 +198,10 @@ type EnterpriseMountOptions<TRoleId extends string = string> = {
112
198
  * import { auth } from "../auth";
113
199
  *
114
200
  * const mounted = sso(auth, {
115
- * admin: {
116
- * authorized: async (ctx, input) => { /* check permissions *\/ },
201
+ * permissions: {
202
+ * sso: { require: ["workspace.sso.manage"] },
117
203
  * },
204
+ * access: async (_ctx, _input, _required) => {},
118
205
  * });
119
206
  *
120
207
  * export const createConnection = mounted.admin.connection.create;
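Review bot: The `sso(auth, …)` example now passes `access: async (_ctx, _input, _required) => {}`, an empty handler that resolves for every caller, and the handler contract documented earlier is "resolve to allow, throw to deny". The previous example at least carried a `/* check permissions */` placeholder; pasted as written, this snippet exports `mounted.admin.connection.create` as a public mutation with no access decision at all. I would keep the sample fail-closed, for instance `access: async (_ctx, _input, _required) => { throw new Error("Forbidden"); /* replace with your policy check */ },`. The doc comment starts before this hunk and ends after it.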
@@ -122,114 +209,284 @@ type EnterpriseMountOptions<TRoleId extends string = string> = {
122
209
  * ```
123
210
  *
124
211
  * @see {@link scim}
125
- * @see {@link enterprise}
212
+ * @see {@link createAuthGroupSso}
126
213
  */
127
- declare function sso<TAuthorization extends AuthAuthorizationConfig | undefined = undefined>(auth: Pick<AuthApi<TAuthorization>, "context" | "group" | "member" | "sso">, options?: MountedEnterpriseOptions<AuthRoleId<TAuthorization>>): {
214
+ declare function sso<TAuthorization extends AuthAuthorizationConfig | undefined = undefined, TRequirement = unknown>(auth: Pick<AuthApi<TAuthorization>, "context" | "group" | "member">, options?: CreateAuthGroupSsoOptions<TRequirement>): {
128
215
  admin: {
129
216
  connection: {
130
- create: convex_server2.RegisteredMutation<"public", {
217
+ create: convex_server7.RegisteredMutation<"public", {
131
218
  name?: string | undefined;
132
219
  slug?: string | undefined;
133
220
  status?: "draft" | "active" | "disabled" | undefined;
134
- groupId?: string | undefined;
135
221
  domain?: string | undefined;
136
- }, Promise<any>>;
137
- get: convex_server2.RegisteredQuery<"public", {
138
- enterpriseId: string;
139
- }, Promise<any>>;
140
- getByGroup: convex_server2.RegisteredQuery<"public", {
222
+ protocol: "oidc" | "saml";
141
223
  groupId: string;
142
- }, Promise<any>>;
143
- getByDomain: convex_server2.RegisteredQuery<"public", {
224
+ }, Promise<{
225
+ groupId: string;
226
+ connectionId: string;
227
+ }>>;
228
+ get: convex_server7.RegisteredQuery<"public", {
229
+ connectionId: string;
230
+ }, Promise<GroupConnectionRecord | null>>;
231
+ getByDomain: convex_server7.RegisteredQuery<"public", {
144
232
  domain: string;
145
- }, Promise<any>>;
146
- list: convex_server2.RegisteredQuery<"public", {
233
+ }, Promise<GroupConnectionDomainLookupRecord | null>>;
234
+ list: convex_server7.RegisteredQuery<"public", {
235
+ limit?: number | undefined;
147
236
  where?: {
148
237
  slug?: string | undefined;
149
238
  status?: "draft" | "active" | "disabled" | undefined;
150
239
  groupId?: string | undefined;
151
240
  } | undefined;
152
- limit?: number | undefined;
153
241
  cursor?: string | null | undefined;
154
242
  orderBy?: string | undefined;
155
243
  order?: "asc" | "desc" | undefined;
156
- }, Promise<any>>;
157
- update: convex_server2.RegisteredMutation<"public", {
158
- enterpriseId: string;
244
+ }, Promise<GroupConnectionListResult>>;
245
+ update: convex_server7.RegisteredMutation<"public", {
246
+ connectionId: string;
159
247
  data: {
160
248
  name?: string | undefined;
161
249
  slug?: string | undefined;
162
250
  status?: "draft" | "active" | "disabled" | undefined;
163
251
  };
164
252
  }, Promise<{
165
- enterpriseId: string;
253
+ connectionId: string;
254
+ }>>;
255
+ delete: convex_server7.RegisteredMutation<"public", {
256
+ connectionId: string;
257
+ }, Promise<{
258
+ connectionId: string;
259
+ }>>;
260
+ status: convex_server7.RegisteredQuery<"public", {
261
+ connectionId: string;
262
+ }, Promise<{
263
+ connectionId: string;
264
+ status: "draft" | "active" | "disabled";
265
+ ready: boolean;
266
+ domainCount: number;
267
+ protocols: {
268
+ oidc: {
269
+ configured: boolean;
270
+ ready: boolean;
271
+ clientId: string | null;
272
+ issuer: string | null;
273
+ };
274
+ saml: {
275
+ configured: boolean;
276
+ ready: boolean;
277
+ entityId: string | null;
278
+ };
279
+ scim: {
280
+ configured: boolean;
281
+ ready: boolean;
282
+ basePath: string | null;
283
+ deprovisionMode: GroupConnectionDeprovisionMode;
284
+ };
285
+ };
166
286
  }>>;
167
- delete: convex_server2.RegisteredMutation<"public", {
168
- enterpriseId: string;
169
- }, Promise<any>>;
170
- status: convex_server2.RegisteredQuery<"public", {
171
- enterpriseId: string;
172
- }, Promise<any>>;
173
287
  domain: {
174
- list: convex_server2.RegisteredQuery<"public", {
175
- enterpriseId: string;
176
- }, Promise<any>>;
177
- validate: convex_server2.RegisteredQuery<"public", {
178
- enterpriseId: string;
179
- }, Promise<any>>;
180
- set: convex_server2.RegisteredMutation<"public", {
181
- enterpriseId: string;
288
+ list: convex_server7.RegisteredQuery<"public", {
289
+ connectionId: string;
290
+ }, Promise<ConnectionDomainRecord[]>>;
291
+ status: convex_server7.RegisteredQuery<"public", {
292
+ connectionId: string;
293
+ }, Promise<{
294
+ connectionId: string;
295
+ ready: boolean;
296
+ primaryDomain: {
297
+ domainId: string;
298
+ domain: string;
299
+ isPrimary: boolean;
300
+ verified: boolean;
301
+ verifiedAt: number | null;
302
+ } | null;
303
+ trustedDomains: {
304
+ domainId: string;
305
+ domain: string;
306
+ isPrimary: boolean;
307
+ verified: boolean;
308
+ verifiedAt: number | null;
309
+ }[];
310
+ pendingChallenges: {
311
+ domain: string;
312
+ recordName: string;
313
+ expiresAt: number;
314
+ }[];
315
+ trust: {
316
+ domainDiscoveryReady: boolean;
317
+ primaryDomainVerified: boolean;
318
+ automaticLinkingEligible: boolean;
319
+ };
320
+ warnings: string[];
321
+ nextSteps: string[];
322
+ }>>;
323
+ validate: convex_server7.RegisteredQuery<"public", {
324
+ connectionId: string;
325
+ }, Promise<{
326
+ connectionId: string;
327
+ ready: boolean;
328
+ summary: {
329
+ domainCount: number;
330
+ primaryCount: number;
331
+ verifiedCount: number;
332
+ };
333
+ domains: {
334
+ domainId: string;
335
+ domain: string;
336
+ isPrimary: boolean;
337
+ verified: boolean;
338
+ verifiedAt: number | null;
339
+ }[];
340
+ warnings: string[];
341
+ }>>;
342
+ set: convex_server7.RegisteredMutation<"public", {
343
+ connectionId: string;
182
344
  domains: {
183
345
  isPrimary?: boolean | undefined;
184
346
  domain: string;
185
347
  }[];
186
- }, Promise<any>>;
348
+ }, Promise<{
349
+ connectionId: string;
350
+ domains: Array<{
351
+ domainId: string;
352
+ domain: string;
353
+ isPrimary: boolean;
354
+ verified: boolean;
355
+ verifiedAt: number | null;
356
+ }>;
357
+ }>>;
187
358
  verification: {
188
- request: convex_server2.RegisteredMutation<"public", {
189
- enterpriseId: string;
359
+ request: convex_server7.RegisteredMutation<"public", {
360
+ connectionId: string;
361
+ domain: string;
362
+ }, Promise<{
363
+ connectionId: string;
364
+ domain: string;
365
+ requestedAt: number;
366
+ expiresAt: number;
367
+ challenge: {
368
+ recordType: "TXT";
369
+ recordName: string;
370
+ recordValue: string;
371
+ };
372
+ }>>;
373
+ confirm: convex_server7.RegisteredAction<"public", {
374
+ connectionId: string;
190
375
  domain: string;
191
- }, Promise<any>>;
192
- confirm: convex_server2.RegisteredAction<"public", {
193
- enterpriseId: string;
376
+ }, Promise<{
377
+ connectionId: string;
194
378
  domain: string;
195
- }, Promise<any>>;
379
+ verifiedAt?: number;
380
+ checks: Array<{
381
+ name: string;
382
+ ok: boolean;
383
+ message?: string;
384
+ }>;
385
+ }>>;
196
386
  };
197
387
  };
198
388
  };
199
389
  oidc: {
200
- configure: convex_server2.RegisteredMutation<"public", {
201
- scopes?: string[] | undefined;
202
- issuer?: string | undefined;
203
- discoveryUrl?: string | undefined;
204
- clientSecret?: string | undefined;
205
- authorizationParams?: Record<string, string> | undefined;
206
- clockToleranceSeconds?: number | undefined;
207
- strictIssuer?: boolean | undefined;
208
- extraFields?: Record<string, string> | undefined;
209
- enterpriseId: string;
210
- clientId: string;
211
- }, Promise<any>>;
212
- get: convex_server2.RegisteredQuery<"public", {
213
- enterpriseId: string;
214
- }, Promise<any>>;
215
- validate: convex_server2.RegisteredAction<"public", {
216
- enterpriseId: string;
217
- }, Promise<any>>;
390
+ configure: convex_server7.RegisteredMutation<"public", {
391
+ profile?: {
392
+ mapping?: {
393
+ email?: string | undefined;
394
+ emailVerified?: string | undefined;
395
+ name?: string | undefined;
396
+ image?: string | undefined;
397
+ groups?: string | undefined;
398
+ roles?: string | undefined;
399
+ subject?: string | undefined;
400
+ } | undefined;
401
+ extraFields?: Record<string, string> | undefined;
402
+ } | undefined;
403
+ request?: {
404
+ scopes?: string[] | undefined;
405
+ loginHint?: string | undefined;
406
+ authorizationParams?: Record<string, string> | undefined;
407
+ } | undefined;
408
+ security?: {
409
+ clockToleranceSeconds?: number | undefined;
410
+ strictIssuer?: boolean | undefined;
411
+ } | undefined;
412
+ connectionId: string;
413
+ discovery: {
414
+ issuer?: string | undefined;
415
+ discoveryUrl?: string | undefined;
416
+ jwksUri?: string | undefined;
417
+ audience?: string | string[] | undefined;
418
+ };
419
+ client: {
420
+ secret?: string | undefined;
421
+ authMethod?: "client_secret_post" | "client_secret_basic" | undefined;
422
+ id: string;
423
+ };
424
+ }, Promise<{
425
+ hasClientSecret: boolean;
426
+ }>>;
427
+ get: convex_server7.RegisteredQuery<"public", {
428
+ connectionId: string;
429
+ }, Promise<{
430
+ hasClientSecret: boolean;
431
+ }>>;
432
+ validate: convex_server7.RegisteredAction<"public", {
433
+ connectionId: string;
434
+ }, Promise<{
435
+ ok: boolean;
436
+ connectionId: string;
437
+ checks: {
438
+ name: string;
439
+ ok: boolean;
440
+ message?: string;
441
+ }[];
442
+ }>>;
443
+ status: convex_server7.RegisteredQuery<"public", {
444
+ connectionId: string;
445
+ }, Promise<{
446
+ connectionId: string;
447
+ configured: boolean;
448
+ ready: boolean;
449
+ config: {
450
+ hasClientSecret: boolean;
451
+ };
452
+ checks: {
453
+ name: string;
454
+ ok: boolean;
455
+ message: string | undefined;
456
+ }[];
457
+ }>>;
218
458
  };
219
459
  saml: {
220
- configure: convex_server2.RegisteredAction<"public", {
460
+ configure: convex_server7.RegisteredAction<"public", {
461
+ profile?: {
462
+ mapping?: {
463
+ email?: string | undefined;
464
+ name?: string | undefined;
465
+ image?: string | undefined;
466
+ groups?: string | undefined;
467
+ roles?: string | undefined;
468
+ subject?: string | undefined;
469
+ firstName?: string | undefined;
470
+ lastName?: string | undefined;
471
+ } | undefined;
472
+ extraFields?: Record<string, string> | undefined;
473
+ } | undefined;
221
474
  domains?: string[] | undefined;
222
- metadataXml?: string | undefined;
223
- metadataUrl?: string | undefined;
224
- signAuthnRequests?: boolean | undefined;
225
- attributeMapping?: {
226
- name?: string | undefined;
227
- email?: string | undefined;
228
- subject?: string | undefined;
229
- firstName?: string | undefined;
230
- lastName?: string | undefined;
475
+ request?: {
476
+ signAuthnRequests?: boolean | undefined;
477
+ nameIdFormat?: string | undefined;
478
+ forceAuthn?: boolean | undefined;
479
+ authnContextClassRefs?: string[] | undefined;
480
+ } | undefined;
481
+ security?: {
482
+ requireSignedAssertions?: boolean | undefined;
483
+ requireTimestamps?: boolean | undefined;
484
+ clockSkewSeconds?: number | undefined;
485
+ weakAlgorithmHandling?: "warn" | "reject" | undefined;
486
+ maxMetadataSize?: number | undefined;
487
+ maxResponseSize?: number | undefined;
231
488
  } | undefined;
232
- sp?: {
489
+ serviceProvider?: {
233
490
  entityId?: string | undefined;
234
491
  acsUrl?: string | undefined;
235
492
  sloUrl?: string | undefined;
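Review bot: The new `security` block of `saml.configure` makes `requireSignedAssertions`, `requireTimestamps` and `weakAlgorithmHandling` optional, and nothing in the declaration says what applies when they are omitted; the same holds for `security.strictIssuer` under `oidc.configure`. A reader of these types alone cannot tell whether an unset `requireSignedAssertions` rejects or accepts unsigned assertions, or whether `weakAlgorithmHandling` falls back to `"warn"` or `"reject"`. I would state the default next to each argument in the source behind this declaration, in the form `/** Default when omitted: <DEFAULT>. */`, and confirm that the stricter value is the default. The `sso` declaration starts in this hunk and continues beyond it.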
@@ -240,18 +497,55 @@ declare function sso<TAuthorization extends AuthAuthorizationConfig | undefined
240
497
  encPrivateKey?: string | undefined;
241
498
  encPrivateKeyPass?: string | undefined;
242
499
  } | undefined;
243
- enterpriseId: string;
244
- }, Promise<any>>;
245
- validate: convex_server2.RegisteredQuery<"public", {
246
- enterpriseId: string;
247
- }, Promise<any>>;
500
+ metadata: {
501
+ url?: string | undefined;
502
+ xml?: string | undefined;
503
+ };
504
+ connectionId: string;
505
+ }, Promise<{
506
+ connectionId: string;
507
+ groupId: string;
508
+ }>>;
509
+ validate: convex_server7.RegisteredQuery<"public", {
510
+ connectionId: string;
511
+ }, Promise<{
512
+ ok: boolean;
513
+ connectionId: string;
514
+ checks: {
515
+ name: string;
516
+ ok: boolean;
517
+ message?: string;
518
+ }[];
519
+ }>>;
520
+ get: convex_server7.RegisteredQuery<"public", {
521
+ connectionId: string;
522
+ }, Promise<Record<string, unknown>>>;
523
+ status: convex_server7.RegisteredQuery<"public", {
524
+ connectionId: string;
525
+ }, Promise<{
526
+ connectionId: string;
527
+ configured: boolean;
528
+ ready: boolean;
529
+ config: Record<string, unknown>;
530
+ checks: {
531
+ name: string;
532
+ ok: boolean;
533
+ message: string | undefined;
534
+ }[];
535
+ }>>;
536
+ refresh: convex_server7.RegisteredAction<"public", {
537
+ connectionId: string;
538
+ }, Promise<{
539
+ connectionId: string;
540
+ groupId: string;
541
+ }>>;
248
542
  };
249
543
  policy: {
250
- get: convex_server2.RegisteredQuery<"public", {
251
- enterpriseId: string;
252
- }, Promise<any>>;
253
- update: convex_server2.RegisteredMutation<"public", {
254
- enterpriseId: string;
544
+ get: convex_server7.RegisteredQuery<"public", {
545
+ groupId: string;
546
+ }, Promise<GroupConnectionPolicy>>;
547
+ update: convex_server7.RegisteredMutation<"public", {
548
+ groupId: string;
255
549
  patch: {
256
550
  identity?: {
257
551
  accountLinking?: {
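Review bot: `saml.get` and `saml.status`'s `config` are typed `Record<string, unknown>`, while the OIDC read path in the previous hunk is narrowed to `{ hasClientSecret: boolean }`. `saml.configure` accepts `encPrivateKey` and `encPrivateKeyPass` (context lines at the top of this hunk), and an open record type gives callers of these public queries no guarantee that the key material is left out of the response. I would give the SAML read result a named type that lists the returned fields and reports keys only as presence flags, mirroring `hasClientSecret`. Once that is confirmed against the implementation, a comment such as `/** Private keys and passphrases are never returned. */` would record it. The enclosing `sso` declaration starts and ends outside this hunk.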
@@ -260,6 +554,12 @@ declare function sso<TAuthorization extends AuthAuthorizationConfig | undefined
260
554
  } | undefined;
261
555
  } | undefined;
262
556
  provisioning?: {
557
+ user?: {
558
+ createOnSignIn?: boolean | undefined;
559
+ updateProfileOnLogin?: "never" | "missing" | "always" | undefined;
560
+ updateProfileFromScim?: "never" | "missing" | "always" | undefined;
561
+ authority?: "app" | "sso" | "scim" | undefined;
562
+ } | undefined;
263
563
  scimReuse?: {
264
564
  user?: "none" | "externalId" | undefined;
265
565
  } | undefined;
@@ -270,86 +570,129 @@ declare function sso<TAuthorization extends AuthAuthorizationConfig | undefined
270
570
  deprovision?: {
271
571
  mode?: "soft" | "hard" | undefined;
272
572
  } | undefined;
573
+ groups?: {
574
+ mode?: "ignore" | "sync" | undefined;
575
+ source?: "protocol" | undefined;
576
+ mapping?: Record<string, string[]> | undefined;
577
+ } | undefined;
578
+ roles?: {
579
+ mode?: "map" | "ignore" | undefined;
580
+ source?: "protocol" | undefined;
581
+ mapping?: Record<string, string[]> | undefined;
582
+ } | undefined;
273
583
  } | undefined;
274
584
  };
275
- }, Promise<any>>;
276
- validate: convex_server2.RegisteredQuery<"public", {
277
- enterpriseId: string;
278
- }, Promise<any>>;
585
+ }, Promise<GroupConnectionPolicy>>;
586
+ validate: convex_server7.RegisteredQuery<"public", {
587
+ groupId: string;
588
+ }, Promise<{
589
+ ok: boolean;
590
+ groupId: string;
591
+ checks: {
592
+ name: string;
593
+ ok: boolean;
594
+ message: string;
595
+ }[];
596
+ policy?: undefined;
597
+ } | {
598
+ ok: boolean;
599
+ groupId: string;
600
+ policy: GroupConnectionPolicy;
601
+ checks: {
602
+ name: string;
603
+ ok: boolean;
604
+ message?: string;
605
+ }[];
606
+ }>>;
279
607
  };
280
608
  audit: {
281
- list: convex_server2.RegisteredQuery<"public", {
282
- limit?: number | undefined;
609
+ list: convex_server7.RegisteredQuery<"public", {
283
610
  groupId?: string | undefined;
284
- enterpriseId?: string | undefined;
285
- }, Promise<any>>;
611
+ connectionId?: string | undefined;
612
+ limit?: number | undefined;
613
+ }, Promise<AuditEventRecord[]>>;
286
614
  };
287
615
  webhook: {
288
616
  delivery: {
289
- list: convex_server2.RegisteredQuery<"public", {
617
+ list: convex_server7.RegisteredQuery<"public", {
290
618
  limit?: number | undefined;
291
- enterpriseId: string;
292
- }, Promise<any>>;
619
+ connectionId: string;
620
+ }, Promise<unknown>>;
293
621
  };
294
622
  endpoint: {
295
- create: convex_server2.RegisteredMutation<"public", {
623
+ create: convex_server7.RegisteredMutation<"public", {
296
624
  createdByUserId?: string | undefined;
297
625
  secret: string;
298
- enterpriseId: string;
626
+ connectionId: string;
299
627
  url: string;
300
628
  subscriptions: string[];
301
629
  }, Promise<{
302
- _id: any;
303
- enterpriseId: string;
630
+ _id: string;
631
+ connectionId: string;
304
632
  url: string;
305
633
  subscriptions: string[];
306
634
  createdByUserId: string;
307
635
  status: string;
308
636
  failureCount: number;
309
637
  }>>;
310
- list: convex_server2.RegisteredQuery<"public", {
311
- enterpriseId: string;
312
- }, Promise<any>>;
313
- disable: convex_server2.RegisteredMutation<"public", {
638
+ list: convex_server7.RegisteredQuery<"public", {
639
+ connectionId: string;
640
+ }, Promise<{
641
+ [x: string]: unknown;
642
+ }[]>>;
643
+ disable: convex_server7.RegisteredMutation<"public", {
644
+ endpointId: string;
645
+ }, Promise<{
314
646
  endpointId: string;
315
- }, Promise<any>>;
647
+ }>>;
316
648
  };
317
649
  };
318
650
  };
319
651
  client: {
320
- signIn: convex_server2.RegisteredQuery<"public", {
652
+ signIn: convex_server7.RegisteredQuery<"public", {
321
653
  email?: string | undefined;
322
- enterpriseId?: string | undefined;
654
+ connectionId?: string | undefined;
323
655
  domain?: string | undefined;
656
+ loginHint?: string | undefined;
324
657
  redirectTo?: string | undefined;
325
- }, Promise<any>>;
326
- metadata: convex_server2.RegisteredQuery<"public", {
658
+ }, Promise<{
659
+ connectionId: string;
660
+ protocol: "oidc" | "saml";
661
+ providerId: string;
662
+ signInPath: string;
663
+ callbackPath: string;
664
+ redirectTo?: string;
665
+ }>>;
666
+ metadata: convex_server7.RegisteredQuery<"public", {
327
667
  entityId?: string | undefined;
328
668
  acsUrl?: string | undefined;
329
669
  sloUrl?: string | undefined;
330
- enterpriseId: string;
331
- }, Promise<any>>;
670
+ connectionId: string;
671
+ }, Promise<string>>;
332
672
  };
333
673
  };
334
674
  /**
335
675
  * Build optional public SCIM management actions that apps can mount under
336
- * `convex/auth/scim/**` when they want client-callable enterprise admin APIs.
676
+ * `convex/auth/group/**` when they want client-callable group SSO admin APIs.
337
677
  *
338
- * @param auth - Auth API subset providing `scim`, `sso`, and `user` namespaces.
339
- * @param options - Optional admin authorization config. See {@link EnterpriseMountOptions}.
678
+ * @param auth - Auth API subset providing `group` and `context` namespaces.
679
+ * @param options - Optional admin access config. See {@link CreateAuthGroupSsoOptions}.
340
680
  * @typeParam TAuthorization - Optional authorization config for typed role IDs.
681
+ * @typeParam TRequirement - App-defined requirement values used by declarative
682
+ * `permissions` configs.
341
683
  * @returns An object with `admin.configure`, `admin.get`, and `admin.validate` actions.
342
684
  *
343
685
  * @example
344
686
  * ```ts
345
- * // convex/auth/scim.ts
687
+ * // convex/auth/group.ts
346
688
  * import { scim } from "@robelest/convex-auth/server";
347
689
  * import { auth } from "../auth";
348
690
  *
349
691
  * const mounted = scim(auth, {
350
- * admin: {
351
- * authorized: async (ctx, input) => { /* check permissions *\/ },
692
+ * permissions: {
693
+ * scim: { require: ["workspace.scim.manage"] },
352
694
  * },
695
+ * access: async (_ctx, _input, _required) => {},
353
696
  * });
354
697
  *
355
698
  * export const configure = mounted.admin.configure;
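Review bot: The rewritten `scim` example passes an empty handler, `access: async (_ctx, _input, _required) => {}` (new line 695), where the removed example at least carried a `/* check permissions */` placeholder; the `createAuthGroupSso` example in the next hunk (new line 854) does the same. How a handler that returns without throwing is interpreted is not visible here, but if returning means "allowed", copying the example verbatim would mount the public admin functions with no check. I would have the example show the rejection path, e.g. `access: async (ctx, input, required) => { /* reject unless the caller satisfies required *\/ },`. The `@returns` line above it still lists only `admin.configure`, `admin.get` and `admin.validate`, while the declaration in the next hunk also adds `admin.status`. The doc comment continues past the end of this hunk.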
@@ -358,48 +701,157 @@ declare function sso<TAuthorization extends AuthAuthorizationConfig | undefined
358
701
  * ```
359
702
  *
360
703
  * @see {@link sso}
361
- * @see {@link enterprise}
704
+ * @see {@link createAuthGroupSso}
362
705
  */
363
- declare function scim<TAuthorization extends AuthAuthorizationConfig | undefined = undefined>(auth: Pick<AuthApi<TAuthorization>, "context" | "scim" | "sso">, options?: MountedEnterpriseOptions<AuthRoleId<TAuthorization>>): {
706
+ declare function scim<TAuthorization extends AuthAuthorizationConfig | undefined = undefined, TRequirement = unknown>(auth: Pick<AuthApi<TAuthorization>, "context" | "group">, options?: CreateAuthGroupSsoOptions<TRequirement>): {
364
707
  admin: {
365
- configure: convex_server2.RegisteredMutation<"public", {
708
+ configure: convex_server7.RegisteredMutation<"public", {
709
+ profile?: {
710
+ mapping?: {
711
+ email?: string | undefined;
712
+ name?: string | undefined;
713
+ phone?: string | undefined;
714
+ externalId?: string | undefined;
715
+ groups?: string | undefined;
716
+ roles?: string | undefined;
717
+ active?: string | undefined;
718
+ subject?: string | undefined;
719
+ firstName?: string | undefined;
720
+ lastName?: string | undefined;
721
+ } | undefined;
722
+ extraFields?: Record<string, string> | undefined;
723
+ } | undefined;
366
724
  status?: "draft" | "active" | "disabled" | undefined;
367
- basePath?: string | undefined;
368
- enterpriseId: string;
369
- }, Promise<any>>;
370
- get: convex_server2.RegisteredQuery<"public", {
371
- enterpriseId: string;
372
- }, Promise<any>>;
373
- validate: convex_server2.RegisteredQuery<"public", {
374
- enterpriseId: string;
375
- }, Promise<any>>;
725
+ security?: {
726
+ maxRequestSize?: number | undefined;
727
+ } | undefined;
728
+ connectionId: string;
729
+ }, Promise<{
730
+ connectionId: string;
731
+ configId: string;
732
+ basePath: string;
733
+ token: string;
734
+ }>>;
735
+ get: convex_server7.RegisteredQuery<"public", {
736
+ connectionId: string;
737
+ }, Promise<{
738
+ security: {
739
+ maxRequestSize?: number;
740
+ } | undefined;
741
+ profile: {
742
+ mapping?: {
743
+ subject?: string;
744
+ externalId?: string;
745
+ email?: string;
746
+ firstName?: string;
747
+ lastName?: string;
748
+ name?: string;
749
+ phone?: string;
750
+ active?: string;
751
+ groups?: string;
752
+ roles?: string;
753
+ };
754
+ extraFields?: Record<string, string>;
755
+ } | undefined;
756
+ _id: string;
757
+ _creationTime: number;
758
+ connectionId: string;
759
+ groupId: string;
760
+ status: string;
761
+ basePath: string;
762
+ tokenHash: string;
763
+ lastRotatedAt?: number;
764
+ extend?: unknown;
765
+ } | null>>;
766
+ status: convex_server7.RegisteredQuery<"public", {
767
+ connectionId: string;
768
+ }, Promise<{
769
+ connectionId: string;
770
+ configured: boolean;
771
+ ready: boolean;
772
+ config: ScimConfigRecord | null;
773
+ checks: {
774
+ name: string;
775
+ ok: boolean;
776
+ message?: string;
777
+ }[] | {
778
+ name: string;
779
+ ok: boolean;
780
+ message: string;
781
+ }[];
782
+ capabilities: {
783
+ users: boolean;
784
+ groups: boolean;
785
+ patch: boolean;
786
+ put: boolean;
787
+ filters: string[];
788
+ bulk: boolean;
789
+ etag: boolean;
790
+ } | undefined;
791
+ }>>;
792
+ validate: convex_server7.RegisteredQuery<"public", {
793
+ connectionId: string;
794
+ }, Promise<{
795
+ ok: boolean;
796
+ connectionId: string;
797
+ checks: {
798
+ name: string;
799
+ ok: boolean;
800
+ message: string;
801
+ }[];
802
+ basePath?: undefined;
803
+ deprovisionMode?: undefined;
804
+ capabilities?: undefined;
805
+ } | {
806
+ ok: boolean;
807
+ connectionId: string;
808
+ basePath: string;
809
+ deprovisionMode: GroupConnectionDeprovisionMode;
810
+ capabilities: {
811
+ users: boolean;
812
+ groups: boolean;
813
+ patch: boolean;
814
+ put: boolean;
815
+ filters: string[];
816
+ bulk: boolean;
817
+ etag: boolean;
818
+ };
819
+ checks: {
820
+ name: string;
821
+ ok: boolean;
822
+ message?: string;
823
+ }[];
824
+ }>>;
376
825
  };
377
826
  };
378
827
  /**
379
- * Build a flat mounted enterprise API surface for app-owned Convex exports.
828
+ * Build a flat mounted group SSO API surface for app-owned Convex exports.
380
829
  *
381
830
  * Combines {@link sso} and {@link scim} into a single flat object with
382
831
  * all SSO connection, protocol, policy, audit, webhook, and SCIM
383
- * management functions plus end-user sign-in helpers. The `authorized`
384
- * callback is required for all admin operations.
832
+ * management functions plus end-user sign-in helpers. The `access`
833
+ * config is required for all admin operations.
385
834
  *
386
- * @param auth - Auth API subset providing `group`, `member`, `scim`, `sso`, and `user` namespaces.
387
- * @param options - Required {@link EnterpriseMountOptions} with an `admin.authorized` callback.
835
+ * @param auth - Auth API subset providing `group`, `member`, and `context` namespaces.
836
+ * @param options - Required {@link CreateAuthGroupSsoOptions} with an `access` policy.
388
837
  * @typeParam TAuthorization - Optional authorization config for typed role IDs.
389
- * @returns A flat object with all enterprise management functions (e.g. `createConnection`,
838
+ * @typeParam TRequirement - App-defined requirement values used by declarative
839
+ * `permissions` configs.
840
+ * @returns A flat object with all group connection management functions (e.g. `createConnection`,
390
841
  * `configureOidc`, `configureScim`, `signIn`, etc.).
391
842
  *
392
843
  * @example
393
844
  * ```ts
394
- * // convex/auth/enterprise.ts
395
- * import { enterprise } from "@robelest/convex-auth/server";
845
+ * // convex/auth/group.ts
846
+ * import { createAuthGroupSso } from "@robelest/convex-auth/server";
396
847
  * import { auth } from "../auth";
397
848
  *
398
- * const api = enterprise(auth, {
399
- * admin: {
400
- * authorized: async (ctx, input) => { /* check permissions *\/ },
401
- * roles: ["admin"],
849
+ * const api = createAuthGroupSso(auth, {
850
+ * permissions: {
851
+ * sso: { require: ["workspace.sso.manage"] },
852
+ * scim: { require: ["workspace.scim.manage"] },
402
853
  * },
854
+ * access: async (_ctx, _input, _required) => {},
403
855
  * });
404
856
  *
405
857
  * export const createConnection = api.createConnection;
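Review bot: `admin.get` now declares `tokenHash: string` in the value returned from a `"public"` query (new line 762), and `getScim` in the last hunk of this file repeats it (new line 1334); `status` and `getScimStatus` return `ScimConfigRecord | null`, which may carry the same field. The hash is presumably the stored verifier for the SCIM bearer token that `configure` returns as `token`, and nothing in the typed admin surface needs it on the client, whereas `getOidc` in this file exposes only `hasClientSecret: boolean`. I would drop the field in the handler before returning and report presence only, e.g. `hasToken: boolean` next to `lastRotatedAt`. These declarations are build output, so the change belongs in the source handler rather than in this file.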
@@ -410,102 +862,272 @@ declare function scim<TAuthorization extends AuthAuthorizationConfig | undefined
410
862
  * @see {@link sso}
411
863
  * @see {@link scim}
412
864
  */
413
- declare function enterprise<TAuthorization extends AuthAuthorizationConfig | undefined = undefined>(auth: Pick<AuthApi<TAuthorization>, "context" | "group" | "member" | "scim" | "sso">, options: EnterpriseMountOptions<AuthRoleId<TAuthorization>>): {
414
- createConnection: convex_server2.RegisteredMutation<"public", {
865
+ declare function createAuthGroupSso<TAuthorization extends AuthAuthorizationConfig | undefined = undefined, TRequirement = unknown>(auth: Pick<AuthApi<TAuthorization>, "context" | "group" | "member">, options: CreateAuthGroupSsoOptions<TRequirement>): {
866
+ createConnection: convex_server7.RegisteredMutation<"public", {
415
867
  name?: string | undefined;
416
868
  slug?: string | undefined;
417
869
  status?: "draft" | "active" | "disabled" | undefined;
418
- groupId?: string | undefined;
419
870
  domain?: string | undefined;
420
- }, Promise<any>>;
421
- getConnection: convex_server2.RegisteredQuery<"public", {
422
- enterpriseId: string;
423
- }, Promise<any>>;
424
- getConnectionByGroup: convex_server2.RegisteredQuery<"public", {
871
+ protocol: "oidc" | "saml";
425
872
  groupId: string;
426
- }, Promise<any>>;
427
- getConnectionByDomain: convex_server2.RegisteredQuery<"public", {
873
+ }, Promise<{
874
+ groupId: string;
875
+ connectionId: string;
876
+ }>>;
877
+ getConnection: convex_server7.RegisteredQuery<"public", {
878
+ connectionId: string;
879
+ }, Promise<GroupConnectionRecord | null>>;
880
+ getConnectionByDomain: convex_server7.RegisteredQuery<"public", {
428
881
  domain: string;
429
- }, Promise<any>>;
430
- listConnections: convex_server2.RegisteredQuery<"public", {
882
+ }, Promise<GroupConnectionDomainLookupRecord | null>>;
883
+ listConnections: convex_server7.RegisteredQuery<"public", {
884
+ limit?: number | undefined;
431
885
  where?: {
432
886
  slug?: string | undefined;
433
887
  status?: "draft" | "active" | "disabled" | undefined;
434
888
  groupId?: string | undefined;
435
889
  } | undefined;
436
- limit?: number | undefined;
437
890
  cursor?: string | null | undefined;
438
891
  orderBy?: string | undefined;
439
892
  order?: "asc" | "desc" | undefined;
440
- }, Promise<any>>;
441
- updateConnection: convex_server2.RegisteredMutation<"public", {
442
- enterpriseId: string;
893
+ }, Promise<GroupConnectionListResult>>;
894
+ updateConnection: convex_server7.RegisteredMutation<"public", {
895
+ connectionId: string;
443
896
  data: {
444
897
  name?: string | undefined;
445
898
  slug?: string | undefined;
446
899
  status?: "draft" | "active" | "disabled" | undefined;
447
900
  };
448
901
  }, Promise<{
449
- enterpriseId: string;
902
+ connectionId: string;
903
+ }>>;
904
+ deleteConnection: convex_server7.RegisteredMutation<"public", {
905
+ connectionId: string;
906
+ }, Promise<{
907
+ connectionId: string;
908
+ }>>;
909
+ getConnectionStatus: convex_server7.RegisteredQuery<"public", {
910
+ connectionId: string;
911
+ }, Promise<{
912
+ connectionId: string;
913
+ status: "draft" | "active" | "disabled";
914
+ ready: boolean;
915
+ domainCount: number;
916
+ protocols: {
917
+ oidc: {
918
+ configured: boolean;
919
+ ready: boolean;
920
+ clientId: string | null;
921
+ issuer: string | null;
922
+ };
923
+ saml: {
924
+ configured: boolean;
925
+ ready: boolean;
926
+ entityId: string | null;
927
+ };
928
+ scim: {
929
+ configured: boolean;
930
+ ready: boolean;
931
+ basePath: string | null;
932
+ deprovisionMode: GroupConnectionDeprovisionMode;
933
+ };
934
+ };
935
+ }>>;
936
+ listDomains: convex_server7.RegisteredQuery<"public", {
937
+ connectionId: string;
938
+ }, Promise<ConnectionDomainRecord[]>>;
939
+ getDomainStatus: convex_server7.RegisteredQuery<"public", {
940
+ connectionId: string;
941
+ }, Promise<{
942
+ connectionId: string;
943
+ ready: boolean;
944
+ primaryDomain: {
945
+ domainId: string;
946
+ domain: string;
947
+ isPrimary: boolean;
948
+ verified: boolean;
949
+ verifiedAt: number | null;
950
+ } | null;
951
+ trustedDomains: {
952
+ domainId: string;
953
+ domain: string;
954
+ isPrimary: boolean;
955
+ verified: boolean;
956
+ verifiedAt: number | null;
957
+ }[];
958
+ pendingChallenges: {
959
+ domain: string;
960
+ recordName: string;
961
+ expiresAt: number;
962
+ }[];
963
+ trust: {
964
+ domainDiscoveryReady: boolean;
965
+ primaryDomainVerified: boolean;
966
+ automaticLinkingEligible: boolean;
967
+ };
968
+ warnings: string[];
969
+ nextSteps: string[];
970
+ }>>;
971
+ validateDomains: convex_server7.RegisteredQuery<"public", {
972
+ connectionId: string;
973
+ }, Promise<{
974
+ connectionId: string;
975
+ ready: boolean;
976
+ summary: {
977
+ domainCount: number;
978
+ primaryCount: number;
979
+ verifiedCount: number;
980
+ };
981
+ domains: {
982
+ domainId: string;
983
+ domain: string;
984
+ isPrimary: boolean;
985
+ verified: boolean;
986
+ verifiedAt: number | null;
987
+ }[];
988
+ warnings: string[];
450
989
  }>>;
451
- deleteConnection: convex_server2.RegisteredMutation<"public", {
452
- enterpriseId: string;
453
- }, Promise<any>>;
454
- getConnectionStatus: convex_server2.RegisteredQuery<"public", {
455
- enterpriseId: string;
456
- }, Promise<any>>;
457
- listDomains: convex_server2.RegisteredQuery<"public", {
458
- enterpriseId: string;
459
- }, Promise<any>>;
460
- validateDomains: convex_server2.RegisteredQuery<"public", {
461
- enterpriseId: string;
462
- }, Promise<any>>;
463
- setDomains: convex_server2.RegisteredMutation<"public", {
464
- enterpriseId: string;
990
+ setDomains: convex_server7.RegisteredMutation<"public", {
991
+ connectionId: string;
465
992
  domains: {
466
993
  isPrimary?: boolean | undefined;
467
994
  domain: string;
468
995
  }[];
469
- }, Promise<any>>;
470
- requestDomainVerification: convex_server2.RegisteredMutation<"public", {
471
- enterpriseId: string;
996
+ }, Promise<{
997
+ connectionId: string;
998
+ domains: Array<{
999
+ domainId: string;
1000
+ domain: string;
1001
+ isPrimary: boolean;
1002
+ verified: boolean;
1003
+ verifiedAt: number | null;
1004
+ }>;
1005
+ }>>;
1006
+ requestDomainVerification: convex_server7.RegisteredMutation<"public", {
1007
+ connectionId: string;
1008
+ domain: string;
1009
+ }, Promise<{
1010
+ connectionId: string;
1011
+ domain: string;
1012
+ requestedAt: number;
1013
+ expiresAt: number;
1014
+ challenge: {
1015
+ recordType: "TXT";
1016
+ recordName: string;
1017
+ recordValue: string;
1018
+ };
1019
+ }>>;
1020
+ confirmDomainVerification: convex_server7.RegisteredAction<"public", {
1021
+ connectionId: string;
472
1022
  domain: string;
473
- }, Promise<any>>;
474
- confirmDomainVerification: convex_server2.RegisteredAction<"public", {
475
- enterpriseId: string;
1023
+ }, Promise<{
1024
+ connectionId: string;
476
1025
  domain: string;
477
- }, Promise<any>>;
478
- configureOidc: convex_server2.RegisteredMutation<"public", {
479
- scopes?: string[] | undefined;
480
- issuer?: string | undefined;
481
- discoveryUrl?: string | undefined;
482
- clientSecret?: string | undefined;
483
- authorizationParams?: Record<string, string> | undefined;
484
- clockToleranceSeconds?: number | undefined;
485
- strictIssuer?: boolean | undefined;
486
- extraFields?: Record<string, string> | undefined;
487
- enterpriseId: string;
488
- clientId: string;
489
- }, Promise<any>>;
490
- getOidc: convex_server2.RegisteredQuery<"public", {
491
- enterpriseId: string;
492
- }, Promise<any>>;
493
- validateOidc: convex_server2.RegisteredAction<"public", {
494
- enterpriseId: string;
495
- }, Promise<any>>;
496
- configureSaml: convex_server2.RegisteredAction<"public", {
1026
+ verifiedAt?: number;
1027
+ checks: Array<{
1028
+ name: string;
1029
+ ok: boolean;
1030
+ message?: string;
1031
+ }>;
1032
+ }>>;
1033
+ configureOidc: convex_server7.RegisteredMutation<"public", {
1034
+ profile?: {
1035
+ mapping?: {
1036
+ email?: string | undefined;
1037
+ emailVerified?: string | undefined;
1038
+ name?: string | undefined;
1039
+ image?: string | undefined;
1040
+ groups?: string | undefined;
1041
+ roles?: string | undefined;
1042
+ subject?: string | undefined;
1043
+ } | undefined;
1044
+ extraFields?: Record<string, string> | undefined;
1045
+ } | undefined;
1046
+ request?: {
1047
+ scopes?: string[] | undefined;
1048
+ loginHint?: string | undefined;
1049
+ authorizationParams?: Record<string, string> | undefined;
1050
+ } | undefined;
1051
+ security?: {
1052
+ clockToleranceSeconds?: number | undefined;
1053
+ strictIssuer?: boolean | undefined;
1054
+ } | undefined;
1055
+ connectionId: string;
1056
+ discovery: {
1057
+ issuer?: string | undefined;
1058
+ discoveryUrl?: string | undefined;
1059
+ jwksUri?: string | undefined;
1060
+ audience?: string | string[] | undefined;
1061
+ };
1062
+ client: {
1063
+ secret?: string | undefined;
1064
+ authMethod?: "client_secret_post" | "client_secret_basic" | undefined;
1065
+ id: string;
1066
+ };
1067
+ }, Promise<{
1068
+ hasClientSecret: boolean;
1069
+ }>>;
1070
+ getOidc: convex_server7.RegisteredQuery<"public", {
1071
+ connectionId: string;
1072
+ }, Promise<{
1073
+ hasClientSecret: boolean;
1074
+ }>>;
1075
+ getOidcStatus: convex_server7.RegisteredQuery<"public", {
1076
+ connectionId: string;
1077
+ }, Promise<{
1078
+ connectionId: string;
1079
+ configured: boolean;
1080
+ ready: boolean;
1081
+ config: {
1082
+ hasClientSecret: boolean;
1083
+ };
1084
+ checks: {
1085
+ name: string;
1086
+ ok: boolean;
1087
+ message: string | undefined;
1088
+ }[];
1089
+ }>>;
1090
+ validateOidc: convex_server7.RegisteredAction<"public", {
1091
+ connectionId: string;
1092
+ }, Promise<{
1093
+ ok: boolean;
1094
+ connectionId: string;
1095
+ checks: {
1096
+ name: string;
1097
+ ok: boolean;
1098
+ message?: string;
1099
+ }[];
1100
+ }>>;
1101
+ configureSaml: convex_server7.RegisteredAction<"public", {
1102
+ profile?: {
1103
+ mapping?: {
1104
+ email?: string | undefined;
1105
+ name?: string | undefined;
1106
+ image?: string | undefined;
1107
+ groups?: string | undefined;
1108
+ roles?: string | undefined;
1109
+ subject?: string | undefined;
1110
+ firstName?: string | undefined;
1111
+ lastName?: string | undefined;
1112
+ } | undefined;
1113
+ extraFields?: Record<string, string> | undefined;
1114
+ } | undefined;
497
1115
  domains?: string[] | undefined;
498
- metadataXml?: string | undefined;
499
- metadataUrl?: string | undefined;
500
- signAuthnRequests?: boolean | undefined;
501
- attributeMapping?: {
502
- name?: string | undefined;
503
- email?: string | undefined;
504
- subject?: string | undefined;
505
- firstName?: string | undefined;
506
- lastName?: string | undefined;
1116
+ request?: {
1117
+ signAuthnRequests?: boolean | undefined;
1118
+ nameIdFormat?: string | undefined;
1119
+ forceAuthn?: boolean | undefined;
1120
+ authnContextClassRefs?: string[] | undefined;
507
1121
  } | undefined;
508
- sp?: {
1122
+ security?: {
1123
+ requireSignedAssertions?: boolean | undefined;
1124
+ requireTimestamps?: boolean | undefined;
1125
+ clockSkewSeconds?: number | undefined;
1126
+ weakAlgorithmHandling?: "warn" | "reject" | undefined;
1127
+ maxMetadataSize?: number | undefined;
1128
+ maxResponseSize?: number | undefined;
1129
+ } | undefined;
1130
+ serviceProvider?: {
509
1131
  entityId?: string | undefined;
510
1132
  acsUrl?: string | undefined;
511
1133
  sloUrl?: string | undefined;
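Review bot: The SAML `security` options added to `configureSaml` (new lines 1122–1129) are all optional, and nothing in the declaration says what applies when they are omitted. Going by the names, `requireSignedAssertions?: boolean` and `weakAlgorithmHandling?: "warn" | "reject"` are the two where the default decides whether an unsigned or weakly signed assertion is accepted. I would state the defaults in TSDoc at the source validator, e.g. `/** Default: <DEFAULT_WEAK_ALGORITHM_HANDLING>. */`. If the current defaults are the permissive values, consider making the strict ones the default so a connection configured without a `security` block fails closed. The `configureSaml` argument object continues into the next hunk.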
@@ -516,16 +1138,53 @@ declare function enterprise<TAuthorization extends AuthAuthorizationConfig | und
516
1138
  encPrivateKey?: string | undefined;
517
1139
  encPrivateKeyPass?: string | undefined;
518
1140
  } | undefined;
519
- enterpriseId: string;
520
- }, Promise<any>>;
521
- validateSaml: convex_server2.RegisteredQuery<"public", {
522
- enterpriseId: string;
523
- }, Promise<any>>;
524
- getPolicy: convex_server2.RegisteredQuery<"public", {
525
- enterpriseId: string;
526
- }, Promise<any>>;
527
- updatePolicy: convex_server2.RegisteredMutation<"public", {
528
- enterpriseId: string;
1141
+ metadata: {
1142
+ url?: string | undefined;
1143
+ xml?: string | undefined;
1144
+ };
1145
+ connectionId: string;
1146
+ }, Promise<{
1147
+ connectionId: string;
1148
+ groupId: string;
1149
+ }>>;
1150
+ getSaml: convex_server7.RegisteredQuery<"public", {
1151
+ connectionId: string;
1152
+ }, Promise<Record<string, unknown>>>;
1153
+ getSamlStatus: convex_server7.RegisteredQuery<"public", {
1154
+ connectionId: string;
1155
+ }, Promise<{
1156
+ connectionId: string;
1157
+ configured: boolean;
1158
+ ready: boolean;
1159
+ config: Record<string, unknown>;
1160
+ checks: {
1161
+ name: string;
1162
+ ok: boolean;
1163
+ message: string | undefined;
1164
+ }[];
1165
+ }>>;
1166
+ validateSaml: convex_server7.RegisteredQuery<"public", {
1167
+ connectionId: string;
1168
+ }, Promise<{
1169
+ ok: boolean;
1170
+ connectionId: string;
1171
+ checks: {
1172
+ name: string;
1173
+ ok: boolean;
1174
+ message?: string;
1175
+ }[];
1176
+ }>>;
1177
+ refreshSaml: convex_server7.RegisteredAction<"public", {
1178
+ connectionId: string;
1179
+ }, Promise<{
1180
+ connectionId: string;
1181
+ groupId: string;
1182
+ }>>;
1183
+ getPolicy: convex_server7.RegisteredQuery<"public", {
1184
+ groupId: string;
1185
+ }, Promise<GroupConnectionPolicy>>;
1186
+ updatePolicy: convex_server7.RegisteredMutation<"public", {
1187
+ groupId: string;
529
1188
  patch: {
530
1189
  identity?: {
531
1190
  accountLinking?: {
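Review bot: `getSaml` returns `Promise<Record<string, unknown>>` and `getSamlStatus` returns `config: Record<string, unknown>` (new lines 1152 and 1159), so the types cannot show whether the service-provider key material accepted by `configureSaml` (`encPrivateKey`, `encPrivateKeyPass` at the top of this hunk) is stripped before the record reaches a client. The `get` and `status` entries at new lines 520–535 earlier in the file have the same untyped shape, while `getOidc` already returns a presence flag, `hasClientSecret: boolean`. I would give the SAML getters a named return type that omits secrets and reports presence only, and check the handler against it. The `updatePolicy` argument object at the end of this hunk continues outside it.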
@@ -534,6 +1193,12 @@ declare function enterprise<TAuthorization extends AuthAuthorizationConfig | und
534
1193
  } | undefined;
535
1194
  } | undefined;
536
1195
  provisioning?: {
1196
+ user?: {
1197
+ createOnSignIn?: boolean | undefined;
1198
+ updateProfileOnLogin?: "never" | "missing" | "always" | undefined;
1199
+ updateProfileFromScim?: "never" | "missing" | "always" | undefined;
1200
+ authority?: "app" | "sso" | "scim" | undefined;
1201
+ } | undefined;
537
1202
  scimReuse?: {
538
1203
  user?: "none" | "externalId" | undefined;
539
1204
  } | undefined;
@@ -544,66 +1209,212 @@ declare function enterprise<TAuthorization extends AuthAuthorizationConfig | und
544
1209
  deprovision?: {
545
1210
  mode?: "soft" | "hard" | undefined;
546
1211
  } | undefined;
1212
+ groups?: {
1213
+ mode?: "ignore" | "sync" | undefined;
1214
+ source?: "protocol" | undefined;
1215
+ mapping?: Record<string, string[]> | undefined;
1216
+ } | undefined;
1217
+ roles?: {
1218
+ mode?: "map" | "ignore" | undefined;
1219
+ source?: "protocol" | undefined;
1220
+ mapping?: Record<string, string[]> | undefined;
1221
+ } | undefined;
547
1222
  } | undefined;
548
1223
  };
549
- }, Promise<any>>;
550
- validatePolicy: convex_server2.RegisteredQuery<"public", {
551
- enterpriseId: string;
552
- }, Promise<any>>;
553
- listAudit: convex_server2.RegisteredQuery<"public", {
554
- limit?: number | undefined;
1224
+ }, Promise<GroupConnectionPolicy>>;
1225
+ validatePolicy: convex_server7.RegisteredQuery<"public", {
1226
+ groupId: string;
1227
+ }, Promise<{
1228
+ ok: boolean;
1229
+ groupId: string;
1230
+ checks: {
1231
+ name: string;
1232
+ ok: boolean;
1233
+ message: string;
1234
+ }[];
1235
+ policy?: undefined;
1236
+ } | {
1237
+ ok: boolean;
1238
+ groupId: string;
1239
+ policy: GroupConnectionPolicy;
1240
+ checks: {
1241
+ name: string;
1242
+ ok: boolean;
1243
+ message?: string;
1244
+ }[];
1245
+ }>>;
1246
+ listAudit: convex_server7.RegisteredQuery<"public", {
555
1247
  groupId?: string | undefined;
556
- enterpriseId?: string | undefined;
557
- }, Promise<any>>;
558
- createWebhookEndpoint: convex_server2.RegisteredMutation<"public", {
1248
+ connectionId?: string | undefined;
1249
+ limit?: number | undefined;
1250
+ }, Promise<AuditEventRecord[]>>;
1251
+ createWebhookEndpoint: convex_server7.RegisteredMutation<"public", {
559
1252
  createdByUserId?: string | undefined;
560
1253
  secret: string;
561
- enterpriseId: string;
1254
+ connectionId: string;
562
1255
  url: string;
563
1256
  subscriptions: string[];
564
1257
  }, Promise<{
565
- _id: any;
566
- enterpriseId: string;
1258
+ _id: string;
1259
+ connectionId: string;
567
1260
  url: string;
568
1261
  subscriptions: string[];
569
1262
  createdByUserId: string;
570
1263
  status: string;
571
1264
  failureCount: number;
572
1265
  }>>;
573
- listWebhookEndpoints: convex_server2.RegisteredQuery<"public", {
574
- enterpriseId: string;
575
- }, Promise<any>>;
576
- listWebhookDeliveries: convex_server2.RegisteredQuery<"public", {
1266
+ listWebhookEndpoints: convex_server7.RegisteredQuery<"public", {
1267
+ connectionId: string;
1268
+ }, Promise<{
1269
+ [x: string]: unknown;
1270
+ }[]>>;
1271
+ listWebhookDeliveries: convex_server7.RegisteredQuery<"public", {
577
1272
  limit?: number | undefined;
578
- enterpriseId: string;
579
- }, Promise<any>>;
580
- disableWebhookEndpoint: convex_server2.RegisteredMutation<"public", {
1273
+ connectionId: string;
1274
+ }, Promise<unknown>>;
1275
+ disableWebhookEndpoint: convex_server7.RegisteredMutation<"public", {
581
1276
  endpointId: string;
582
- }, Promise<any>>;
583
- configureScim: convex_server2.RegisteredMutation<"public", {
1277
+ }, Promise<{
1278
+ endpointId: string;
1279
+ }>>;
1280
+ configureScim: convex_server7.RegisteredMutation<"public", {
1281
+ profile?: {
1282
+ mapping?: {
1283
+ email?: string | undefined;
1284
+ name?: string | undefined;
1285
+ phone?: string | undefined;
1286
+ externalId?: string | undefined;
1287
+ groups?: string | undefined;
1288
+ roles?: string | undefined;
1289
+ active?: string | undefined;
1290
+ subject?: string | undefined;
1291
+ firstName?: string | undefined;
1292
+ lastName?: string | undefined;
1293
+ } | undefined;
1294
+ extraFields?: Record<string, string> | undefined;
1295
+ } | undefined;
584
1296
  status?: "draft" | "active" | "disabled" | undefined;
585
- basePath?: string | undefined;
586
- enterpriseId: string;
587
- }, Promise<any>>;
588
- getScim: convex_server2.RegisteredQuery<"public", {
589
- enterpriseId: string;
590
- }, Promise<any>>;
591
- validateScim: convex_server2.RegisteredQuery<"public", {
592
- enterpriseId: string;
593
- }, Promise<any>>;
594
- signIn: convex_server2.RegisteredQuery<"public", {
1297
+ security?: {
1298
+ maxRequestSize?: number | undefined;
1299
+ } | undefined;
1300
+ connectionId: string;
1301
+ }, Promise<{
1302
+ connectionId: string;
1303
+ configId: string;
1304
+ basePath: string;
1305
+ token: string;
1306
+ }>>;
1307
+ getScim: convex_server7.RegisteredQuery<"public", {
1308
+ connectionId: string;
1309
+ }, Promise<{
1310
+ security: {
1311
+ maxRequestSize?: number;
1312
+ } | undefined;
1313
+ profile: {
1314
+ mapping?: {
1315
+ subject?: string;
1316
+ externalId?: string;
1317
+ email?: string;
1318
+ firstName?: string;
1319
+ lastName?: string;
1320
+ name?: string;
1321
+ phone?: string;
1322
+ active?: string;
1323
+ groups?: string;
1324
+ roles?: string;
1325
+ };
1326
+ extraFields?: Record<string, string>;
1327
+ } | undefined;
1328
+ _id: string;
1329
+ _creationTime: number;
1330
+ connectionId: string;
1331
+ groupId: string;
1332
+ status: string;
1333
+ basePath: string;
1334
+ tokenHash: string;
1335
+ lastRotatedAt?: number;
1336
+ extend?: unknown;
1337
+ } | null>>;
1338
+ getScimStatus: convex_server7.RegisteredQuery<"public", {
1339
+ connectionId: string;
1340
+ }, Promise<{
1341
+ connectionId: string;
1342
+ configured: boolean;
1343
+ ready: boolean;
1344
+ config: ScimConfigRecord | null;
1345
+ checks: {
1346
+ name: string;
1347
+ ok: boolean;
1348
+ message?: string;
1349
+ }[] | {
1350
+ name: string;
1351
+ ok: boolean;
1352
+ message: string;
1353
+ }[];
1354
+ capabilities: {
1355
+ users: boolean;
1356
+ groups: boolean;
1357
+ patch: boolean;
1358
+ put: boolean;
1359
+ filters: string[];
1360
+ bulk: boolean;
1361
+ etag: boolean;
1362
+ } | undefined;
1363
+ }>>;
1364
+ validateScim: convex_server7.RegisteredQuery<"public", {
1365
+ connectionId: string;
1366
+ }, Promise<{
1367
+ ok: boolean;
1368
+ connectionId: string;
1369
+ checks: {
1370
+ name: string;
1371
+ ok: boolean;
1372
+ message: string;
1373
+ }[];
1374
+ basePath?: undefined;
1375
+ deprovisionMode?: undefined;
1376
+ capabilities?: undefined;
1377
+ } | {
1378
+ ok: boolean;
1379
+ connectionId: string;
1380
+ basePath: string;
1381
+ deprovisionMode: GroupConnectionDeprovisionMode;
1382
+ capabilities: {
1383
+ users: boolean;
1384
+ groups: boolean;
1385
+ patch: boolean;
1386
+ put: boolean;
1387
+ filters: string[];
1388
+ bulk: boolean;
1389
+ etag: boolean;
1390
+ };
1391
+ checks: {
1392
+ name: string;
1393
+ ok: boolean;
1394
+ message?: string;
1395
+ }[];
1396
+ }>>;
1397
+ signIn: convex_server7.RegisteredQuery<"public", {
595
1398
  email?: string | undefined;
596
- enterpriseId?: string | undefined;
1399
+ connectionId?: string | undefined;
597
1400
  domain?: string | undefined;
1401
+ loginHint?: string | undefined;
598
1402
  redirectTo?: string | undefined;
599
- }, Promise<any>>;
600
- metadata: convex_server2.RegisteredQuery<"public", {
1403
+ }, Promise<{
1404
+ connectionId: string;
1405
+ protocol: "oidc" | "saml";
1406
+ providerId: string;
1407
+ signInPath: string;
1408
+ callbackPath: string;
1409
+ redirectTo?: string;
1410
+ }>>;
1411
+ metadata: convex_server7.RegisteredQuery<"public", {
601
1412
  entityId?: string | undefined;
602
1413
  acsUrl?: string | undefined;
603
1414
  sloUrl?: string | undefined;
604
- enterpriseId: string;
605
- }, Promise<any>>;
1415
+ connectionId: string;
1416
+ }, Promise<string>>;
606
1417
  };
607
1418
  //#endregion
608
- export { EnterpriseAdminAuthorizationInput, EnterpriseAdminPermission, EnterpriseAuthorizer, EnterpriseMountOptions, enterprise, scim, sso };
1419
+ export { CreateAuthGroupSsoOptions, GroupSsoAccessHandler, GroupSsoAccessInput, GroupSsoAccessPermissions, GroupSsoPermission, GroupSsoResolvedAccessHandler, createAuthGroupSso, scim, sso };
609
1420
  //# sourceMappingURL=mounts.d.ts.map