npm - @robelest/convex-auth - Versions diffs - 0.0.4-preview.25 → 0.0.4-preview.28 - Mend

@robelest/convex-auth 0.0.4-preview.25 → 0.0.4-preview.28

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (666) hide show

package/README.md +43 -36
package/dist/bin.js +5765 -4880
package/dist/browser/index.d.ts +30 -0
package/dist/browser/index.js +93 -0
package/dist/browser/locks.js +11 -0
package/dist/browser/navigation.js +14 -0
package/dist/{factors → browser}/passkey.js +23 -32
package/dist/browser/runtime.js +92 -0
package/dist/client/core/types.d.ts +452 -5
package/dist/client/core/types.js +17 -0
package/dist/client/errors.js +19 -0
package/dist/client/factors/device.js +94 -0
package/dist/{factors → client/factors}/totp.js +12 -4
package/dist/client/index.d.ts +47 -1
package/dist/client/index.js +269 -232
package/dist/client/runtime/mutex.js +24 -0
package/dist/client/runtime/proxy.js +30 -0
package/dist/client/runtime/storage.js +45 -0
package/dist/client/services/adapters.js +7 -0
package/dist/client/services/http.js +6 -0
package/dist/client/services/resolve.js +13 -0
package/dist/client/services/runtime.js +6 -0
package/dist/component/_generated/component.d.ts +1355 -1399
package/dist/component/convex.config.d.ts +2 -2
package/dist/component/index.d.ts +4 -26
package/dist/component/index.js +1 -1
package/dist/component/model.d.ts +26 -112
package/dist/component/model.js +76 -54
package/dist/component/modules.js +38 -0
package/dist/component/public/factors/devices.js +1 -1
package/dist/component/public/factors/passkeys.js +1 -1
package/dist/component/public/factors/totp.js +1 -1
package/dist/component/public/groups/core.js +2 -2
package/dist/component/public/groups/invites.js +1 -1
package/dist/component/public/groups/members.js +1 -1
package/dist/component/public/identity/accounts.js +1 -1
package/dist/component/public/identity/codes.js +1 -1
package/dist/component/public/identity/sessions.js +39 -2
package/dist/component/public/identity/tokens.js +82 -4
package/dist/component/public/identity/users.js +1 -1
package/dist/component/public/identity/verifiers.js +10 -4
package/dist/component/public/security/keys.js +1 -1
package/dist/component/public/security/limits.js +1 -1
package/dist/component/public/{enterprise → sso}/audit.js +26 -26
package/dist/component/public/sso/core.js +263 -0
package/dist/component/public/sso/domains.js +280 -0
package/dist/component/public/{enterprise → sso}/scim.js +87 -87
package/dist/component/public/sso/secrets.js +125 -0
package/dist/component/public/{enterprise → sso}/webhooks.js +59 -59
package/dist/component/public.js +9 -9
package/dist/component/schema.d.ts +472 -393
package/dist/component/schema.js +36 -35
package/dist/core/index.d.ts +380 -0
package/dist/core/index.js +83 -0
package/dist/otel.d.ts +69 -0
package/dist/otel.js +82 -0
package/dist/providers/anonymous.d.ts +15 -34
package/dist/providers/anonymous.js +27 -35
package/dist/providers/apple.d.ts +59 -0
package/dist/providers/apple.js +58 -0
package/dist/providers/credentials.d.ts +18 -34
package/dist/providers/credentials.js +16 -27
package/dist/providers/custom.d.ts +94 -0
package/dist/providers/custom.js +119 -0
package/dist/providers/device.d.ts +15 -49
package/dist/providers/device.js +17 -34
package/dist/providers/email.d.ts +21 -38
package/dist/providers/email.js +36 -55
package/dist/providers/github.d.ts +54 -0
package/dist/providers/github.js +75 -0
package/dist/providers/google.d.ts +54 -0
package/dist/providers/google.js +61 -0
package/dist/providers/index.d.ts +16 -12
package/dist/providers/index.js +15 -11
package/dist/providers/microsoft.d.ts +57 -0
package/dist/providers/microsoft.js +101 -0
package/dist/providers/passkey.d.ts +19 -35
package/dist/providers/passkey.js +20 -30
package/dist/providers/password.d.ts +17 -18
package/dist/providers/password.js +121 -143
package/dist/providers/phone.d.ts +13 -28
package/dist/providers/phone.js +21 -46
package/dist/providers/sso.d.ts +16 -36
package/dist/providers/sso.js +21 -22
package/dist/providers/totp.d.ts +13 -29
package/dist/providers/totp.js +17 -27
package/dist/server/auth-context.d.ts +204 -0
package/dist/server/auth-context.js +76 -0
package/dist/server/auth.d.ts +99 -244
package/dist/server/auth.js +56 -152
package/dist/server/componentContext.d.ts +12 -0
package/dist/server/componentContext.js +1 -0
package/dist/server/config.js +6 -67
package/dist/server/constants.js +6 -0
package/dist/server/contract.d.ts +105 -0
package/dist/server/contract.js +43 -0
package/dist/server/cookies.js +3 -2
package/dist/server/core.js +31 -36
package/dist/server/crypto.js +34 -44
package/dist/server/db.js +6 -1
package/dist/server/device.js +96 -130
package/dist/server/env.js +48 -0
package/dist/server/errors.js +20 -0
package/dist/server/http.d.ts +15 -59
package/dist/server/http.js +136 -120
package/dist/server/identity.js +2 -2
package/dist/server/index.d.ts +5 -4
package/dist/server/index.js +3 -3
package/dist/server/keys.js +10 -1
package/dist/server/limits.js +26 -26
package/dist/server/log.js +28 -0
package/dist/server/mounts.d.ts +1107 -296
package/dist/server/mounts.js +315 -196
package/dist/server/mutations/account.js +11 -14
package/dist/server/mutations/code.js +6 -5
package/dist/server/mutations/invalidate.js +9 -11
package/dist/server/mutations/oauth.js +112 -73
package/dist/server/mutations/refresh.js +47 -97
package/dist/server/mutations/register.js +37 -35
package/dist/server/mutations/retrieve.js +16 -16
package/dist/server/mutations/signature.js +15 -18
package/dist/server/mutations/signin.js +10 -5
package/dist/server/mutations/signout.js +11 -14
package/dist/server/mutations/store.js +25 -18
package/dist/server/mutations/verifier.js +11 -8
package/dist/server/mutations/verify.js +53 -41
package/dist/server/oauth/factory.js +44 -0
package/dist/server/oauth/index.js +12 -0
package/dist/server/oauth/runtime.js +248 -0
package/dist/server/passkey.js +331 -365
package/dist/server/payloads.d.ts +16 -0
package/dist/server/payloads.js +30 -0
package/dist/server/{ssr.d.ts → prefetch.d.ts} +2 -2
package/dist/server/prefetch.js +635 -0
package/dist/server/random.js +19 -0
package/dist/server/redirects.js +10 -5
package/dist/server/refresh.js +14 -86
package/dist/server/runtime.d.ts +531 -31
package/dist/server/runtime.js +106 -267
package/dist/server/secret.js +44 -0
package/dist/server/services/config.js +10 -0
package/dist/server/services/group.js +211 -0
package/dist/server/services/logger.js +8 -0
package/dist/server/services/providers.js +22 -0
package/dist/server/services/refresh.js +8 -0
package/dist/server/services/resolve.js +27 -0
package/dist/server/services/signin.js +8 -0
package/dist/server/sessions.js +35 -34
package/dist/server/signin.js +229 -140
package/dist/server/{enterprise → sso}/config.js +10 -3
package/dist/server/sso/domain.d.ts +614 -0
package/dist/server/sso/domain.js +1175 -0
package/dist/server/sso/http.js +1060 -0
package/dist/server/sso/oidc.js +324 -0
package/dist/server/sso/policies.js +59 -0
package/dist/server/sso/policy.js +139 -0
package/dist/server/sso/profile.js +22 -0
package/dist/server/sso/provision.js +179 -0
package/dist/{component/server/enterprise → server/sso}/saml.js +142 -56
package/dist/{component/server/enterprise → server/sso}/scim.js +13 -7
package/dist/server/sso/shared.js +74 -0
package/dist/server/sso/validators.js +88 -0
package/dist/server/sso/webhook.js +94 -0
package/dist/server/tokens.js +16 -4
package/dist/server/totp.js +155 -164
package/dist/server/types.d.ts +306 -296
package/dist/server/types.js +1 -30
package/dist/server/url.js +32 -0
package/dist/server/users.js +74 -40
package/dist/server/utils/cache.js +51 -0
package/dist/server/utils/dispatch.js +36 -0
package/dist/server/utils/retry.js +24 -0
package/dist/server/utils/span.js +32 -0
package/dist/shared/errors.js +19 -0
package/dist/shared/log.js +45 -0
package/{src/test.ts → dist/test.d.ts} +21 -22
package/dist/test.js +51 -0
package/package.json +70 -42
package/dist/authorization/index.d.ts.map +0 -1
package/dist/authorization/index.js.map +0 -1
package/dist/client/core/types.d.ts.map +0 -1
package/dist/client/index.d.ts.map +0 -1
package/dist/client/index.js.map +0 -1
package/dist/component/_generated/api.d.ts +0 -75
package/dist/component/_generated/api.d.ts.map +0 -1
package/dist/component/_generated/api.js.map +0 -1
package/dist/component/_generated/component.d.ts.map +0 -1
package/dist/component/_generated/dataModel.d.ts +0 -42
package/dist/component/_generated/dataModel.d.ts.map +0 -1
package/dist/component/_generated/server.d.ts +0 -117
package/dist/component/_generated/server.d.ts.map +0 -1
package/dist/component/_generated/server.js.map +0 -1
package/dist/component/_virtual/rolldown_runtime.js +0 -18
package/dist/component/client/core/types.d.ts +0 -2
package/dist/component/client/index.d.ts +0 -1
package/dist/component/convex.config.d.ts.map +0 -1
package/dist/component/convex.config.js.map +0 -1
package/dist/component/functions.d.ts +0 -25
package/dist/component/functions.d.ts.map +0 -1
package/dist/component/functions.js.map +0 -1
package/dist/component/index.d.ts.map +0 -1
package/dist/component/model.d.ts.map +0 -1
package/dist/component/model.js.map +0 -1
package/dist/component/providers/anonymous.d.ts +0 -54
package/dist/component/providers/anonymous.d.ts.map +0 -1
package/dist/component/providers/credentials.d.ts +0 -38
package/dist/component/providers/credentials.d.ts.map +0 -1
package/dist/component/providers/device.d.ts +0 -67
package/dist/component/providers/device.d.ts.map +0 -1
package/dist/component/providers/email.d.ts +0 -62
package/dist/component/providers/email.d.ts.map +0 -1
package/dist/component/providers/oauth.d.ts +0 -25
package/dist/component/providers/oauth.d.ts.map +0 -1
package/dist/component/providers/oauth.js +0 -13
package/dist/component/providers/oauth.js.map +0 -1
package/dist/component/providers/passkey.d.ts +0 -57
package/dist/component/providers/passkey.d.ts.map +0 -1
package/dist/component/providers/password.d.ts +0 -88
package/dist/component/providers/password.d.ts.map +0 -1
package/dist/component/providers/phone.d.ts +0 -48
package/dist/component/providers/phone.d.ts.map +0 -1
package/dist/component/providers/sso.d.ts +0 -50
package/dist/component/providers/sso.d.ts.map +0 -1
package/dist/component/providers/totp.d.ts +0 -45
package/dist/component/providers/totp.d.ts.map +0 -1
package/dist/component/public/enterprise/audit.d.ts +0 -73
package/dist/component/public/enterprise/audit.d.ts.map +0 -1
package/dist/component/public/enterprise/audit.js.map +0 -1
package/dist/component/public/enterprise/core.d.ts +0 -176
package/dist/component/public/enterprise/core.d.ts.map +0 -1
package/dist/component/public/enterprise/core.js +0 -292
package/dist/component/public/enterprise/core.js.map +0 -1
package/dist/component/public/enterprise/domains.d.ts +0 -174
package/dist/component/public/enterprise/domains.d.ts.map +0 -1
package/dist/component/public/enterprise/domains.js +0 -271
package/dist/component/public/enterprise/domains.js.map +0 -1
package/dist/component/public/enterprise/scim.d.ts +0 -245
package/dist/component/public/enterprise/scim.d.ts.map +0 -1
package/dist/component/public/enterprise/scim.js.map +0 -1
package/dist/component/public/enterprise/secrets.d.ts +0 -78
package/dist/component/public/enterprise/secrets.d.ts.map +0 -1
package/dist/component/public/enterprise/secrets.js +0 -118
package/dist/component/public/enterprise/secrets.js.map +0 -1
package/dist/component/public/enterprise/webhooks.d.ts +0 -211
package/dist/component/public/enterprise/webhooks.d.ts.map +0 -1
package/dist/component/public/enterprise/webhooks.js.map +0 -1
package/dist/component/public/factors/devices.d.ts +0 -157
package/dist/component/public/factors/devices.d.ts.map +0 -1
package/dist/component/public/factors/devices.js.map +0 -1
package/dist/component/public/factors/passkeys.d.ts +0 -175
package/dist/component/public/factors/passkeys.d.ts.map +0 -1
package/dist/component/public/factors/passkeys.js.map +0 -1
package/dist/component/public/factors/totp.d.ts +0 -189
package/dist/component/public/factors/totp.d.ts.map +0 -1
package/dist/component/public/factors/totp.js.map +0 -1
package/dist/component/public/groups/core.d.ts +0 -137
package/dist/component/public/groups/core.d.ts.map +0 -1
package/dist/component/public/groups/core.js.map +0 -1
package/dist/component/public/groups/invites.d.ts +0 -217
package/dist/component/public/groups/invites.d.ts.map +0 -1
package/dist/component/public/groups/invites.js.map +0 -1
package/dist/component/public/groups/members.d.ts +0 -204
package/dist/component/public/groups/members.d.ts.map +0 -1
package/dist/component/public/groups/members.js.map +0 -1
package/dist/component/public/identity/accounts.d.ts +0 -147
package/dist/component/public/identity/accounts.d.ts.map +0 -1
package/dist/component/public/identity/accounts.js.map +0 -1
package/dist/component/public/identity/codes.d.ts +0 -104
package/dist/component/public/identity/codes.d.ts.map +0 -1
package/dist/component/public/identity/codes.js.map +0 -1
package/dist/component/public/identity/sessions.d.ts +0 -128
package/dist/component/public/identity/sessions.d.ts.map +0 -1
package/dist/component/public/identity/sessions.js.map +0 -1
package/dist/component/public/identity/tokens.d.ts +0 -169
package/dist/component/public/identity/tokens.d.ts.map +0 -1
package/dist/component/public/identity/tokens.js.map +0 -1
package/dist/component/public/identity/users.d.ts +0 -212
package/dist/component/public/identity/users.d.ts.map +0 -1
package/dist/component/public/identity/users.js.map +0 -1
package/dist/component/public/identity/verifiers.d.ts +0 -116
package/dist/component/public/identity/verifiers.d.ts.map +0 -1
package/dist/component/public/identity/verifiers.js.map +0 -1
package/dist/component/public/security/keys.d.ts +0 -209
package/dist/component/public/security/keys.d.ts.map +0 -1
package/dist/component/public/security/keys.js.map +0 -1
package/dist/component/public/security/limits.d.ts +0 -114
package/dist/component/public/security/limits.d.ts.map +0 -1
package/dist/component/public/security/limits.js.map +0 -1
package/dist/component/public.d.ts +0 -28
package/dist/component/public.d.ts.map +0 -1
package/dist/component/schema.d.ts.map +0 -1
package/dist/component/schema.js.map +0 -1
package/dist/component/server/auth.d.ts +0 -447
package/dist/component/server/auth.d.ts.map +0 -1
package/dist/component/server/auth.js +0 -254
package/dist/component/server/auth.js.map +0 -1
package/dist/component/server/config.js +0 -121
package/dist/component/server/config.js.map +0 -1
package/dist/component/server/context.js +0 -53
package/dist/component/server/context.js.map +0 -1
package/dist/component/server/cookies.js +0 -47
package/dist/component/server/cookies.js.map +0 -1
package/dist/component/server/core.js +0 -576
package/dist/component/server/core.js.map +0 -1
package/dist/component/server/crypto.js +0 -56
package/dist/component/server/crypto.js.map +0 -1
package/dist/component/server/db.js +0 -87
package/dist/component/server/db.js.map +0 -1
package/dist/component/server/device.js +0 -152
package/dist/component/server/device.js.map +0 -1
package/dist/component/server/enterprise/config.js +0 -46
package/dist/component/server/enterprise/config.js.map +0 -1
package/dist/component/server/enterprise/domain.js +0 -974
package/dist/component/server/enterprise/domain.js.map +0 -1
package/dist/component/server/enterprise/http.js +0 -787
package/dist/component/server/enterprise/http.js.map +0 -1
package/dist/component/server/enterprise/oidc.js +0 -248
package/dist/component/server/enterprise/oidc.js.map +0 -1
package/dist/component/server/enterprise/policy.js +0 -85
package/dist/component/server/enterprise/policy.js.map +0 -1
package/dist/component/server/enterprise/saml.js.map +0 -1
package/dist/component/server/enterprise/scim.js.map +0 -1
package/dist/component/server/enterprise/shared.js +0 -51
package/dist/component/server/enterprise/shared.js.map +0 -1
package/dist/component/server/http.d.ts +0 -85
package/dist/component/server/http.d.ts.map +0 -1
package/dist/component/server/http.js +0 -351
package/dist/component/server/http.js.map +0 -1
package/dist/component/server/identity.js +0 -16
package/dist/component/server/identity.js.map +0 -1
package/dist/component/server/keys.js +0 -96
package/dist/component/server/keys.js.map +0 -1
package/dist/component/server/limits.js +0 -52
package/dist/component/server/limits.js.map +0 -1
package/dist/component/server/mutations/account.js +0 -46
package/dist/component/server/mutations/account.js.map +0 -1
package/dist/component/server/mutations/code.js +0 -68
package/dist/component/server/mutations/code.js.map +0 -1
package/dist/component/server/mutations/invalidate.js +0 -32
package/dist/component/server/mutations/invalidate.js.map +0 -1
package/dist/component/server/mutations/oauth.js +0 -116
package/dist/component/server/mutations/oauth.js.map +0 -1
package/dist/component/server/mutations/refresh.js +0 -119
package/dist/component/server/mutations/refresh.js.map +0 -1
package/dist/component/server/mutations/register.js +0 -87
package/dist/component/server/mutations/register.js.map +0 -1
package/dist/component/server/mutations/retrieve.js +0 -61
package/dist/component/server/mutations/retrieve.js.map +0 -1
package/dist/component/server/mutations/signature.js +0 -38
package/dist/component/server/mutations/signature.js.map +0 -1
package/dist/component/server/mutations/signin.js +0 -27
package/dist/component/server/mutations/signin.js.map +0 -1
package/dist/component/server/mutations/signout.js +0 -27
package/dist/component/server/mutations/signout.js.map +0 -1
package/dist/component/server/mutations/store/refs.js +0 -15
package/dist/component/server/mutations/store/refs.js.map +0 -1
package/dist/component/server/mutations/store.js +0 -70
package/dist/component/server/mutations/store.js.map +0 -1
package/dist/component/server/mutations/verifier.js +0 -18
package/dist/component/server/mutations/verifier.js.map +0 -1
package/dist/component/server/mutations/verify.js +0 -98
package/dist/component/server/mutations/verify.js.map +0 -1
package/dist/component/server/oauth.js +0 -242
package/dist/component/server/oauth.js.map +0 -1
package/dist/component/server/passkey.js +0 -415
package/dist/component/server/passkey.js.map +0 -1
package/dist/component/server/redirects.js +0 -40
package/dist/component/server/redirects.js.map +0 -1
package/dist/component/server/refresh.js +0 -99
package/dist/component/server/refresh.js.map +0 -1
package/dist/component/server/runtime.d.ts +0 -136
package/dist/component/server/runtime.d.ts.map +0 -1
package/dist/component/server/runtime.js +0 -456
package/dist/component/server/runtime.js.map +0 -1
package/dist/component/server/sessions.js +0 -71
package/dist/component/server/sessions.js.map +0 -1
package/dist/component/server/signin.js +0 -225
package/dist/component/server/signin.js.map +0 -1
package/dist/component/server/tokens.js +0 -17
package/dist/component/server/tokens.js.map +0 -1
package/dist/component/server/totp.js +0 -208
package/dist/component/server/totp.js.map +0 -1
package/dist/component/server/types.d.ts +0 -949
package/dist/component/server/types.d.ts.map +0 -1
package/dist/component/server/types.js +0 -79
package/dist/component/server/types.js.map +0 -1
package/dist/component/server/users.js +0 -123
package/dist/component/server/users.js.map +0 -1
package/dist/component/server/utils.js +0 -140
package/dist/component/server/utils.js.map +0 -1
package/dist/core/types.d.ts +0 -361
package/dist/core/types.d.ts.map +0 -1
package/dist/factors/device.js +0 -104
package/dist/factors/device.js.map +0 -1
package/dist/factors/passkey.js.map +0 -1
package/dist/factors/totp.js.map +0 -1
package/dist/providers/anonymous.d.ts.map +0 -1
package/dist/providers/anonymous.js.map +0 -1
package/dist/providers/credentials.d.ts.map +0 -1
package/dist/providers/credentials.js.map +0 -1
package/dist/providers/device.d.ts.map +0 -1
package/dist/providers/device.js.map +0 -1
package/dist/providers/email.d.ts.map +0 -1
package/dist/providers/email.js.map +0 -1
package/dist/providers/oauth.d.ts +0 -69
package/dist/providers/oauth.d.ts.map +0 -1
package/dist/providers/oauth.js +0 -43
package/dist/providers/oauth.js.map +0 -1
package/dist/providers/passkey.d.ts.map +0 -1
package/dist/providers/passkey.js.map +0 -1
package/dist/providers/password.d.ts.map +0 -1
package/dist/providers/password.js.map +0 -1
package/dist/providers/phone.d.ts.map +0 -1
package/dist/providers/phone.js.map +0 -1
package/dist/providers/sso.d.ts.map +0 -1
package/dist/providers/sso.js.map +0 -1
package/dist/providers/totp.d.ts.map +0 -1
package/dist/providers/totp.js.map +0 -1
package/dist/runtime/browser.js +0 -68
package/dist/runtime/browser.js.map +0 -1
package/dist/runtime/invite.js.map +0 -1
package/dist/runtime/proxy.js +0 -70
package/dist/runtime/proxy.js.map +0 -1
package/dist/runtime/storage.js +0 -37
package/dist/runtime/storage.js.map +0 -1
package/dist/server/auth.d.ts.map +0 -1
package/dist/server/auth.js.map +0 -1
package/dist/server/config.d.ts +0 -1
package/dist/server/config.js.map +0 -1
package/dist/server/context.d.ts +0 -1
package/dist/server/context.js.map +0 -1
package/dist/server/cookies.d.ts +0 -1
package/dist/server/cookies.js.map +0 -1
package/dist/server/core.d.ts +0 -1315
package/dist/server/core.d.ts.map +0 -1
package/dist/server/core.js.map +0 -1
package/dist/server/crypto.d.ts +0 -8
package/dist/server/crypto.d.ts.map +0 -1
package/dist/server/crypto.js.map +0 -1
package/dist/server/db.d.ts +0 -1
package/dist/server/db.js.map +0 -1
package/dist/server/device.d.ts +0 -1
package/dist/server/device.js.map +0 -1
package/dist/server/enterprise/config.d.ts +0 -1
package/dist/server/enterprise/config.js.map +0 -1
package/dist/server/enterprise/domain.d.ts +0 -401
package/dist/server/enterprise/domain.d.ts.map +0 -1
package/dist/server/enterprise/domain.js +0 -974
package/dist/server/enterprise/domain.js.map +0 -1
package/dist/server/enterprise/http.d.ts +0 -26
package/dist/server/enterprise/http.d.ts.map +0 -1
package/dist/server/enterprise/http.js +0 -787
package/dist/server/enterprise/http.js.map +0 -1
package/dist/server/enterprise/oidc.d.ts +0 -1
package/dist/server/enterprise/oidc.js +0 -248
package/dist/server/enterprise/oidc.js.map +0 -1
package/dist/server/enterprise/policy.d.ts +0 -1
package/dist/server/enterprise/policy.js +0 -85
package/dist/server/enterprise/policy.js.map +0 -1
package/dist/server/enterprise/saml.d.ts +0 -1
package/dist/server/enterprise/saml.js +0 -338
package/dist/server/enterprise/saml.js.map +0 -1
package/dist/server/enterprise/scim.d.ts +0 -1
package/dist/server/enterprise/scim.js +0 -97
package/dist/server/enterprise/scim.js.map +0 -1
package/dist/server/enterprise/shared.d.ts +0 -5
package/dist/server/enterprise/shared.d.ts.map +0 -1
package/dist/server/enterprise/shared.js +0 -51
package/dist/server/enterprise/shared.js.map +0 -1
package/dist/server/enterprise/validators.d.ts +0 -1
package/dist/server/enterprise/validators.js +0 -60
package/dist/server/enterprise/validators.js.map +0 -1
package/dist/server/http.d.ts.map +0 -1
package/dist/server/http.js.map +0 -1
package/dist/server/identity.d.ts +0 -1
package/dist/server/identity.js.map +0 -1
package/dist/server/keys.d.ts +0 -1
package/dist/server/keys.js.map +0 -1
package/dist/server/limits.d.ts +0 -1
package/dist/server/limits.js.map +0 -1
package/dist/server/mounts.d.ts.map +0 -1
package/dist/server/mounts.js.map +0 -1
package/dist/server/mutations/account.d.ts +0 -29
package/dist/server/mutations/account.d.ts.map +0 -1
package/dist/server/mutations/account.js.map +0 -1
package/dist/server/mutations/code.d.ts +0 -30
package/dist/server/mutations/code.d.ts.map +0 -1
package/dist/server/mutations/code.js.map +0 -1
package/dist/server/mutations/index.d.ts +0 -14
package/dist/server/mutations/invalidate.d.ts +0 -20
package/dist/server/mutations/invalidate.d.ts.map +0 -1
package/dist/server/mutations/invalidate.js.map +0 -1
package/dist/server/mutations/oauth.d.ts +0 -30
package/dist/server/mutations/oauth.d.ts.map +0 -1
package/dist/server/mutations/oauth.js.map +0 -1
package/dist/server/mutations/refresh.d.ts +0 -21
package/dist/server/mutations/refresh.d.ts.map +0 -1
package/dist/server/mutations/refresh.js.map +0 -1
package/dist/server/mutations/register.d.ts +0 -38
package/dist/server/mutations/register.d.ts.map +0 -1
package/dist/server/mutations/register.js.map +0 -1
package/dist/server/mutations/retrieve.d.ts +0 -33
package/dist/server/mutations/retrieve.d.ts.map +0 -1
package/dist/server/mutations/retrieve.js.map +0 -1
package/dist/server/mutations/signature.d.ts +0 -21
package/dist/server/mutations/signature.d.ts.map +0 -1
package/dist/server/mutations/signature.js.map +0 -1
package/dist/server/mutations/signin.d.ts +0 -22
package/dist/server/mutations/signin.d.ts.map +0 -1
package/dist/server/mutations/signin.js.map +0 -1
package/dist/server/mutations/signout.d.ts +0 -16
package/dist/server/mutations/signout.d.ts.map +0 -1
package/dist/server/mutations/signout.js.map +0 -1
package/dist/server/mutations/store/refs.d.ts +0 -12
package/dist/server/mutations/store/refs.d.ts.map +0 -1
package/dist/server/mutations/store/refs.js.map +0 -1
package/dist/server/mutations/store.d.ts +0 -306
package/dist/server/mutations/store.d.ts.map +0 -1
package/dist/server/mutations/store.js.map +0 -1
package/dist/server/mutations/verifier.d.ts +0 -13
package/dist/server/mutations/verifier.d.ts.map +0 -1
package/dist/server/mutations/verifier.js.map +0 -1
package/dist/server/mutations/verify.d.ts +0 -26
package/dist/server/mutations/verify.d.ts.map +0 -1
package/dist/server/mutations/verify.js.map +0 -1
package/dist/server/oauth.d.ts +0 -1
package/dist/server/oauth.js +0 -242
package/dist/server/oauth.js.map +0 -1
package/dist/server/passkey.d.ts +0 -27
package/dist/server/passkey.d.ts.map +0 -1
package/dist/server/passkey.js.map +0 -1
package/dist/server/redirects.d.ts +0 -1
package/dist/server/redirects.js.map +0 -1
package/dist/server/refresh.d.ts +0 -1
package/dist/server/refresh.js.map +0 -1
package/dist/server/runtime.d.ts.map +0 -1
package/dist/server/runtime.js.map +0 -1
package/dist/server/sessions.d.ts +0 -1
package/dist/server/sessions.js.map +0 -1
package/dist/server/signin.d.ts +0 -1
package/dist/server/signin.js.map +0 -1
package/dist/server/ssr.d.ts.map +0 -1
package/dist/server/ssr.js +0 -777
package/dist/server/ssr.js.map +0 -1
package/dist/server/templates.d.ts +0 -1
package/dist/server/templates.js.map +0 -1
package/dist/server/tokens.d.ts +0 -1
package/dist/server/tokens.js.map +0 -1
package/dist/server/totp.d.ts +0 -1
package/dist/server/totp.js.map +0 -1
package/dist/server/types.d.ts.map +0 -1
package/dist/server/types.js.map +0 -1
package/dist/server/users.d.ts +0 -1
package/dist/server/users.js.map +0 -1
package/dist/server/utils.d.ts +0 -1
package/dist/server/utils.js +0 -140
package/dist/server/utils.js.map +0 -1
package/src/authorization/index.ts +0 -83
package/src/cli/bin.ts +0 -5
package/src/cli/command.ts +0 -70
package/src/cli/index.ts +0 -1112
package/src/cli/keys.ts +0 -23
package/src/client/core/types.ts +0 -437
package/src/client/factors/device.ts +0 -158
package/src/client/factors/passkey.ts +0 -279
package/src/client/factors/totp.ts +0 -150
package/src/client/index.ts +0 -1124
package/src/client/runtime/browser.ts +0 -112
package/src/client/runtime/invite.ts +0 -63
package/src/client/runtime/proxy.ts +0 -111
package/src/client/runtime/storage.ts +0 -79
package/src/component/_generated/api.ts +0 -96
package/src/component/_generated/component.ts +0 -3774
package/src/component/_generated/dataModel.ts +0 -60
package/src/component/_generated/server.ts +0 -156
package/src/component/convex.config.ts +0 -5
package/src/component/functions.ts +0 -104
package/src/component/index.ts +0 -42
package/src/component/model.ts +0 -449
package/src/component/public/enterprise/audit.ts +0 -125
package/src/component/public/enterprise/core.ts +0 -355
package/src/component/public/enterprise/domains.ts +0 -327
package/src/component/public/enterprise/scim.ts +0 -397
package/src/component/public/enterprise/secrets.ts +0 -133
package/src/component/public/enterprise/webhooks.ts +0 -307
package/src/component/public/factors/devices.ts +0 -224
package/src/component/public/factors/passkeys.ts +0 -243
package/src/component/public/factors/totp.ts +0 -259
package/src/component/public/groups/core.ts +0 -481
package/src/component/public/groups/invites.ts +0 -608
package/src/component/public/groups/members.ts +0 -410
package/src/component/public/identity/accounts.ts +0 -207
package/src/component/public/identity/codes.ts +0 -149
package/src/component/public/identity/sessions.ts +0 -210
package/src/component/public/identity/tokens.ts +0 -251
package/src/component/public/identity/users.ts +0 -355
package/src/component/public/identity/verifiers.ts +0 -158
package/src/component/public/security/keys.ts +0 -366
package/src/component/public/security/limits.ts +0 -174
package/src/component/public.ts +0 -27
package/src/component/schema.ts +0 -505
package/src/providers/anonymous.ts +0 -99
package/src/providers/credentials.ts +0 -102
package/src/providers/device.ts +0 -87
package/src/providers/email.ts +0 -99
package/src/providers/index.ts +0 -31
package/src/providers/oauth.ts +0 -117
package/src/providers/passkey.ts +0 -77
package/src/providers/password.ts +0 -441
package/src/providers/phone.ts +0 -93
package/src/providers/sso.ts +0 -54
package/src/providers/totp.ts +0 -62
package/src/samlify.d.ts +0 -53
package/src/server/auth.ts +0 -949
package/src/server/config.ts +0 -200
package/src/server/context.ts +0 -90
package/src/server/cookies.ts +0 -49
package/src/server/core.ts +0 -2004
package/src/server/crypto.ts +0 -90
package/src/server/db.ts +0 -203
package/src/server/device.ts +0 -254
package/src/server/enterprise/config.ts +0 -51
package/src/server/enterprise/domain.ts +0 -1739
package/src/server/enterprise/http.ts +0 -1331
package/src/server/enterprise/oidc.ts +0 -500
package/src/server/enterprise/policy.ts +0 -128
package/src/server/enterprise/saml.ts +0 -578
package/src/server/enterprise/scim.ts +0 -135
package/src/server/enterprise/shared.ts +0 -134
package/src/server/enterprise/validators.ts +0 -93
package/src/server/http.ts +0 -790
package/src/server/identity.ts +0 -18
package/src/server/index.ts +0 -40
package/src/server/keys.ts +0 -158
package/src/server/limits.ts +0 -107
package/src/server/mounts.ts +0 -924
package/src/server/mutations/account.ts +0 -62
package/src/server/mutations/code.ts +0 -119
package/src/server/mutations/index.ts +0 -13
package/src/server/mutations/invalidate.ts +0 -50
package/src/server/mutations/oauth.ts +0 -243
package/src/server/mutations/refresh.ts +0 -299
package/src/server/mutations/register.ts +0 -155
package/src/server/mutations/retrieve.ts +0 -109
package/src/server/mutations/signature.ts +0 -57
package/src/server/mutations/signin.ts +0 -54
package/src/server/mutations/signout.ts +0 -43
package/src/server/mutations/store/refs.ts +0 -10
package/src/server/mutations/store.ts +0 -123
package/src/server/mutations/verifier.ts +0 -34
package/src/server/mutations/verify.ts +0 -200
package/src/server/oauth.ts +0 -418
package/src/server/passkey.ts +0 -838
package/src/server/redirects.ts +0 -59
package/src/server/refresh.ts +0 -218
package/src/server/runtime.ts +0 -918
package/src/server/sessions.ts +0 -132
package/src/server/signin.ts +0 -445
package/src/server/ssr.ts +0 -1747
package/src/server/templates.ts +0 -82
package/src/server/tokens.ts +0 -35
package/src/server/totp.ts +0 -399
package/src/server/types.ts +0 -1942
package/src/server/users.ts +0 -291
package/src/server/utils.ts +0 -220
/package/dist/{runtime → client/runtime}/invite.js +0 -0

package/dist/server/sso/domain.js ADDED Viewed

@@ -0,0 +1,1175 @@
+import { log } from "../log.js";
+import { addConnectionDomain, createGroupConnection, deleteConnectionDomain, deleteConnectionDomainVerification, deleteGroupConnection, getConnectionDomainVerification, getGroupConnection, getGroupConnectionByDomain, getScimConfigByConnection, listAuditEvents, listConnectionDomains, listGroupConnections, updateGroupConnection, upsertConnectionDomainVerification, upsertGroupConnectionSecret, verifyConnectionDomain } from "../contract.js";
+import { retryWithBackoff } from "../utils/retry.js";
+import { getGroupOidcUrls, getGroupSamlUrls, groupOidcProviderId, groupSamlProviderId, normalizeDomain } from "./shared.js";
+import { getOidcConfig, getPublicOidcConfig, getSamlConfig, upsertProtocolConfig, withOidcSecretState } from "./config.js";
+import { createGroupPolicyDomain } from "./policies.js";
+import { createGroupScimDomain } from "./provision.js";
+import { createServiceProviderMetadata, getSamlServiceProviderOptions, parseSamlIdpMetadataChecked } from "./saml.js";
+import { createGroupWebhookDomain } from "./webhook.js";
+import { ConvexError } from "convex/values";
+//#region src/server/sso/domain.ts
+const convexError = (data) => new ConvexError(data);
+/**
+* Build the connection and SSO management domain.
+*/
+function createGroupConnectionDomain(deps) {
+	const { config, getGroupConnectionSecret, loadConnectionOrThrow, validateGroupConnectionPolicy, recordGroupAuditEvent, emitGroupWebhookDeliveries, connectionNotFoundError, GROUP_CONNECTION_OIDC_CLIENT_SECRET_KIND, requireEnv, generateRandomString, INVITE_TOKEN_ALPHABET, sha256, encryptSecret, loadGroupPolicyOrThrow } = deps;
+	const webhook = createGroupWebhookDomain({
+		config,
+		sha256,
+		loadConnectionOrThrow,
+		recordGroupAuditEvent,
+		emitGroupWebhookDeliveries
+	});
+	const scim = createGroupScimDomain({
+		config,
+		requireEnv,
+		generateRandomString,
+		INVITE_TOKEN_ALPHABET,
+		sha256,
+		loadGroupPolicyOrThrow,
+		recordGroupAuditEvent,
+		emitGroupWebhookDeliveries
+	});
+	const policy = createGroupPolicyDomain({
+		config,
+		loadGroupPolicyOrThrow,
+		validateGroupConnectionPolicy,
+		recordGroupAuditEvent
+	});
+	const resolveGroupConnectionProtocol = (connection) => {
+		if (connection.protocol === "oidc") return "oidc";
+		if (connection.protocol === "saml") return "saml";
+		throw convexError({
+			code: "PROVIDER_NOT_CONFIGURED",
+			message: "Group connection protocol is not configured."
+		});
+	};
+	const GROUP_CONNECTION_DOMAIN_VERIFICATION_PREFIX = "_convex-auth-verification";
+	const GROUP_CONNECTION_DOMAIN_VERIFICATION_TTL_MS = 1e3 * 60 * 60 * 24 * 7;
+	const toDomainSummary = (domain) => ({
+		domainId: domain._id,
+		domain: domain.domain,
+		isPrimary: domain.isPrimary,
+		verified: domain.verifiedAt !== void 0,
+		verifiedAt: domain.verifiedAt ?? null
+	});
+	const getDomainVerificationRecordName = (domain) => `${GROUP_CONNECTION_DOMAIN_VERIFICATION_PREFIX}.${normalizeDomain(domain)}`;
+	const parseTxtAnswer = (value) => {
+		const quoted = [...value.matchAll(/"([^"]*)"/g)].map((match) => match[1]);
+		if (quoted.length > 0) return quoted.join("");
+		return value.replace(/^"|"$/g, "").trim();
+	};
+	const resolveTxtValues = async (recordName) => {
+		const url = new URL("https://dns.google/resolve");
+		url.searchParams.set("name", recordName);
+		url.searchParams.set("type", "TXT");
+		const response = await fetch(url, { headers: { accept: "application/json" } });
+		if (!response.ok) throw new Error(`DNS TXT lookup failed with status ${response.status}.`);
+		return ((await response.json()).Answer ?? []).map((answer) => typeof answer.data === "string" ? parseTxtAnswer(answer.data) : null).filter((value) => value !== null && value.length > 0);
+	};
+	return {
+		connection: {
+			create: async (ctx, data) => {
+				return {
+					connectionId: await createGroupConnection(ctx, config.component.public, data),
+					groupId: data.groupId
+				};
+			},
+			get: async (ctx, connectionId) => {
+				return await getGroupConnection(ctx, config.component.public, connectionId);
+			},
+			getByDomain: async (ctx, domain) => {
+				return await getGroupConnectionByDomain(ctx, config.component.public, normalizeDomain(domain));
+			},
+			list: async (ctx, opts) => {
+				return await listGroupConnections(ctx, config.component.public, {
+					where: opts?.where,
+					limit: opts?.limit,
+					cursor: opts?.cursor,
+					orderBy: opts?.orderBy,
+					order: opts?.order
+				});
+			},
+			update: async (ctx, connectionId, data) => {
+				await updateGroupConnection(ctx, config.component.public, {
+					connectionId,
+					data
+				});
+				return { connectionId };
+			},
+			delete: async (ctx, connectionId) => {
+				await deleteGroupConnection(ctx, config.component.public, connectionId);
+				return { connectionId };
+			},
+			status: async (ctx, connectionId) => {
+				const connection = await getGroupConnection(ctx, config.component.public, connectionId);
+				if (!connection) throw convexError({
+					code: "INVALID_PARAMETERS",
+					message: connectionNotFoundError
+				});
+				const policy$1 = await loadGroupPolicyOrThrow(ctx, connection.groupId);
+				const oidcConfig = getOidcConfig(connection.config);
+				const oidcSecret = await getGroupConnectionSecret(ctx, connection._id, GROUP_CONNECTION_OIDC_CLIENT_SECRET_KIND);
+				const samlConfig = getSamlConfig(connection.config);
+				const scimConfig = await getScimConfigByConnection(ctx, config.component.public, connectionId);
+				const domains = await listConnectionDomains(ctx, config.component.public, connectionId);
+				const oidcReady = oidcConfig?.enabled === true && typeof oidcConfig?.client?.id === "string" && oidcConfig.client.id.length > 0 && oidcSecret !== null && (typeof oidcConfig?.discovery?.issuer === "string" || typeof oidcConfig?.discovery?.discoveryUrl === "string");
+				const samlReady = samlConfig?.enabled === true && typeof samlConfig?.idp?.entityId === "string";
+				const scimReady = scimConfig?.status === "active";
+				const ready = connection.status === "active" && (connection.protocol === "oidc" ? oidcReady : samlReady);
+				return {
+					connectionId: connection._id,
+					status: connection.status,
+					ready,
+					domainCount: domains.length,
+					protocols: {
+						oidc: {
+							configured: connection.protocol === "oidc" ? oidcReady : false,
+							ready: connection.protocol === "oidc" ? oidcReady : false,
+							clientId: oidcConfig?.client?.id ?? null,
+							issuer: oidcConfig?.discovery?.issuer ?? oidcConfig?.discovery?.discoveryUrl ?? null
+						},
+						saml: {
+							configured: connection.protocol === "saml" ? samlReady : false,
+							ready: connection.protocol === "saml" ? samlReady : false,
+							entityId: samlConfig?.idp?.entityId ?? samlConfig?.idp?.issuer ?? null
+						},
+						scim: {
+							configured: scimReady,
+							ready: scimReady,
+							basePath: scimConfig?.basePath ?? null,
+							deprovisionMode: policy$1.provisioning.deprovision.mode
+						}
+					}
+				};
+			}
+		},
+		domain: {
+			add: async (ctx, data) => {
+				return await addConnectionDomain(ctx, config.component.public, {
+					...data,
+					domain: normalizeDomain(data.domain)
+				});
+			},
+			list: async (ctx, connectionId) => {
+				return await listConnectionDomains(ctx, config.component.public, connectionId);
+			},
+			validate: async (ctx, connectionId) => {
+				const connection = await getGroupConnection(ctx, config.component.public, connectionId);
+				if (connection === null) throw convexError({
+					code: "INVALID_PARAMETERS",
+					message: connectionNotFoundError
+				});
+				const domains = await listConnectionDomains(ctx, config.component.public, connectionId);
+				const primaryDomains = domains.filter((domain) => domain.isPrimary);
+				const verifiedDomains = domains.filter((domain) => domain.verifiedAt !== void 0);
+				const warnings = [];
+				if (domains.length === 0) warnings.push("No domains configured.");
+				if (primaryDomains.length === 0 && domains.length > 0) warnings.push("No primary domain configured.");
+				if (primaryDomains.length > 1) warnings.push("Multiple primary domains configured.");
+				if (verifiedDomains.length === 0 && domains.length > 0) warnings.push("No verified domains yet.");
+				return {
+					connectionId,
+					ready: connection.status === "active" && domains.length > 0 && primaryDomains.length === 1 && verifiedDomains.length > 0,
+					summary: {
+						domainCount: domains.length,
+						primaryCount: primaryDomains.length,
+						verifiedCount: verifiedDomains.length
+					},
+					domains: domains.map((domain) => toDomainSummary(domain)),
+					warnings
+				};
+			},
+			status: async (ctx, connectionId) => {
+				const connection = await getGroupConnection(ctx, config.component.public, connectionId);
+				if (connection === null) throw convexError({
+					code: "INVALID_PARAMETERS",
+					message: connectionNotFoundError
+				});
+				const domains = await listConnectionDomains(ctx, config.component.public, connectionId);
+				const primaryDomain = domains.find((domain) => domain.isPrimary) ?? null;
+				const verifiedDomains = domains.filter((domain) => domain.verifiedAt !== void 0);
+				const pendingChallenges = (await Promise.all(domains.map(async (domain) => {
+					const verification = await getConnectionDomainVerification(ctx, config.component.public, domain._id);
+					if (!verification || verification.expiresAt < Date.now()) return null;
+					return {
+						domain: domain.domain,
+						recordName: verification.recordName,
+						expiresAt: verification.expiresAt
+					};
+				}))).filter((challenge) => challenge !== null);
+				const warnings = [];
+				const nextSteps = [];
+				if (domains.length === 0) {
+					warnings.push("No domains configured.");
+					nextSteps.push("Attach at least one domain to this connection.");
+				}
+				if (primaryDomain === null && domains.length > 0) {
+					warnings.push("No primary domain configured.");
+					nextSteps.push("Mark one attached domain as the primary domain.");
+				}
+				if (verifiedDomains.length === 0 && domains.length > 0) {
+					warnings.push("No verified domains yet.");
+					nextSteps.push("Request a TXT challenge and confirm verification for at least one domain.");
+				}
+				if (primaryDomain !== null && primaryDomain.verifiedAt === void 0 && domains.length > 0) nextSteps.push(`Verify the primary domain ${primaryDomain.domain} to establish trusted ownership.`);
+				if (pendingChallenges.length > 0) nextSteps.push("If DNS is already updated, confirm the pending TXT challenge to complete verification.");
+				const primaryDomainVerified = primaryDomain?.verifiedAt !== void 0;
+				return {
+					connectionId,
+					ready: connection.status === "active" && domains.length > 0 && primaryDomain !== null && verifiedDomains.length > 0,
+					primaryDomain: primaryDomain === null ? null : {
+						domainId: primaryDomain._id,
+						domain: primaryDomain.domain,
+						isPrimary: true,
+						verified: primaryDomain.verifiedAt !== void 0,
+						verifiedAt: primaryDomain.verifiedAt ?? null
+					},
+					trustedDomains: verifiedDomains.map((domain) => ({
+						domainId: domain._id,
+						domain: domain.domain,
+						isPrimary: Boolean(domain.isPrimary),
+						verified: true,
+						verifiedAt: domain.verifiedAt ?? null
+					})),
+					pendingChallenges,
+					trust: {
+						domainDiscoveryReady: verifiedDomains.length > 0,
+						primaryDomainVerified,
+						automaticLinkingEligible: primaryDomainVerified && connection.status === "active" && verifiedDomains.length > 0
+					},
+					warnings,
+					nextSteps
+				};
+			},
+			remove: async (ctx, domainId) => {
+				await deleteConnectionDomain(ctx, config.component.public, domainId);
+			},
+			verification: {
+				request: async (ctx, args) => {
+					const connection = await loadConnectionOrThrow(ctx, args.connectionId);
+					const normalizedDomain = normalizeDomain(args.domain);
+					const domain = (await listConnectionDomains(ctx, config.component.public, connection._id)).find((entry) => entry.domain === normalizedDomain);
+					if (!domain) throw convexError({
+						code: "INVALID_PARAMETERS",
+						message: "Domain is not attached to this connection."
+					});
+					const requestedAt = Date.now();
+					const expiresAt = requestedAt + GROUP_CONNECTION_DOMAIN_VERIFICATION_TTL_MS;
+					const token = generateRandomString(32, INVITE_TOKEN_ALPHABET);
+					const tokenHash = await sha256(token);
+					const recordName = getDomainVerificationRecordName(normalizedDomain);
+					await upsertConnectionDomainVerification(ctx, config.component.public, {
+						connectionId: connection._id,
+						groupId: connection.groupId,
+						domainId: domain._id,
+						domain: normalizedDomain,
+						recordName,
+						token,
+						tokenHash,
+						requestedAt,
+						expiresAt
+					});
+					await recordGroupAuditEvent(ctx, {
+						connectionId: connection._id,
+						groupId: connection.groupId,
+						eventType: "group.sso.domain.verification_requested",
+						actorType: "system",
+						subjectType: "group_connection_domain",
+						subjectId: domain._id,
+						ok: true,
+						metadata: {
+							domain: normalizedDomain,
+							recordName,
+							expiresAt
+						}
+					});
+					return {
+						connectionId: connection._id,
+						domain: normalizedDomain,
+						requestedAt,
+						expiresAt,
+						challenge: {
+							recordType: "TXT",
+							recordName,
+							recordValue: token
+						}
+					};
+				},
+				confirm: async (ctx, args) => {
+					const connection = await loadConnectionOrThrow(ctx, args.connectionId);
+					const normalizedDomain = normalizeDomain(args.domain);
+					const domain = (await listConnectionDomains(ctx, config.component.public, connection._id)).find((entry) => entry.domain === normalizedDomain);
+					if (!domain) throw convexError({
+						code: "INVALID_PARAMETERS",
+						message: "Domain is not attached to this connection."
+					});
+					if (domain.verifiedAt !== void 0) return {
+						connectionId: connection._id,
+						domain: normalizedDomain,
+						verifiedAt: domain.verifiedAt,
+						checks: [{
+							name: "domain_verified",
+							ok: true,
+							message: "Domain is already verified."
+						}]
+					};
+					const verification = await getConnectionDomainVerification(ctx, config.component.public, domain._id);
+					const checks = [];
+					if (!verification) {
+						checks.push({
+							name: "verification_requested",
+							ok: false,
+							message: "No active domain verification challenge exists."
+						});
+						return {
+							connectionId: connection._id,
+							domain: normalizedDomain,
+							checks
+						};
+					}
+					checks.push({
+						name: "verification_requested",
+						ok: true
+					});
+					if (verification.expiresAt < Date.now()) {
+						await deleteConnectionDomainVerification(ctx, config.component.public, domain._id);
+						checks.push({
+							name: "challenge_active",
+							ok: false,
+							message: "The verification challenge expired. Request a new one."
+						});
+						return {
+							connectionId: connection._id,
+							domain: normalizedDomain,
+							checks
+						};
+					}
+					checks.push({
+						name: "challenge_active",
+						ok: true
+					});
+					let txtValues;
+					try {
+						txtValues = await resolveTxtValues(verification.recordName);
+					} catch (error) {
+						throw convexError({
+							code: "INTERNAL_ERROR",
+							message: error instanceof Error ? error.message : "Failed to resolve DNS TXT records."
+						});
+					}
+					checks.push({
+						name: "dns_record_present",
+						ok: txtValues.length > 0,
+						message: txtValues.length > 0 ? void 0 : `No TXT records found at ${verification.recordName}.`
+					});
+					const matches = txtValues.includes(verification.token);
+					checks.push({
+						name: "dns_record_matches",
+						ok: matches,
+						message: matches ? void 0 : `TXT record at ${verification.recordName} does not match the expected value.`
+					});
+					if (!checks.every((check) => check.ok)) return {
+						connectionId: connection._id,
+						domain: normalizedDomain,
+						checks
+					};
+					const verifiedAt = Date.now();
+					await verifyConnectionDomain(ctx, config.component.public, {
+						domainId: domain._id,
+						verifiedAt
+					});
+					await recordGroupAuditEvent(ctx, {
+						connectionId: connection._id,
+						groupId: connection.groupId,
+						eventType: "group.sso.domain.verified",
+						actorType: "system",
+						subjectType: "group_connection_domain",
+						subjectId: domain._id,
+						ok: true,
+						metadata: {
+							domain: normalizedDomain,
+							verifiedAt
+						}
+					});
+					return {
+						connectionId: connection._id,
+						domain: normalizedDomain,
+						verifiedAt,
+						checks
+					};
+				}
+			}
+		},
+		saml: {
+			configure: async (ctx, data) => {
+				let connection;
+				try {
+					connection = await getGroupConnection(ctx, config.component.public, data.connectionId);
+				} catch {
+					throw convexError({
+						code: "INTERNAL_ERROR",
+						message: "Failed to load connection."
+					});
+				}
+				if (connection === null) throw convexError({
+					code: "INVALID_PARAMETERS",
+					message: connectionNotFoundError
+				});
+				if (connection.protocol !== "saml") throw convexError({
+					code: "INVALID_PARAMETERS",
+					message: "This connection is not a SAML connection."
+				});
+				const metadataUrl = typeof data.metadata.url === "string" && data.metadata.url.length > 0 ? data.metadata.url : void 0;
+				let metadataXml;
+				if (metadataUrl) try {
+					metadataXml = await retryWithBackoff(async () => {
+						const response = await fetch(metadataUrl, { signal: AbortSignal.timeout(1e4) });
+						if (!response.ok) throw new Error(`Failed to fetch SAML metadata: ${response.status}`);
+						return await response.text();
+					});
+				} catch (error) {
+					throw convexError({
+						code: "INVALID_PARAMETERS",
+						message: error instanceof Error ? error.message : "Failed to fetch SAML metadata"
+					});
+				}
+				else if (data.metadata.xml) metadataXml = data.metadata.xml;
+				else throw convexError({
+					code: "INVALID_PARAMETERS",
+					message: "SAML registration requires metadataXml or metadataUrl."
+				});
+				let parsed;
+				try {
+					parsed = parseSamlIdpMetadataChecked({
+						metadataXml,
+						config: { protocols: { saml: { security: data.security } } }
+					});
+				} catch (error) {
+					throw convexError({
+						code: "INVALID_PARAMETERS",
+						message: error instanceof Error ? `Failed to parse SAML metadata: ${error.message}` : "Failed to parse SAML metadata."
+					});
+				}
+				log("DEBUG", "[group-sso] saml:configure:parsed", {
+					connectionId: data.connectionId,
+					metadataUrl,
+					entityId: parsed.entityId,
+					issuer: parsed.issuer
+				});
+				const baseConfig = upsertProtocolConfig(connection.config, "saml", {
+					enabled: true,
+					idp: {
+						metadataUrl,
+						metadataXml,
+						...parsed
+					},
+					serviceProvider: data.serviceProvider,
+					request: {
+						signAuthnRequests: data.request?.signAuthnRequests ?? parsed.wantsSignedAuthnRequests,
+						nameIdFormat: data.request?.nameIdFormat,
+						forceAuthn: data.request?.forceAuthn,
+						authnContextClassRefs: data.request?.authnContextClassRefs
+					},
+					profile: {
+						mapping: data.profile?.mapping,
+						extraFields: data.profile?.extraFields
+					},
+					security: data.security
+				});
+				const normalizedDomains = data.domains?.map(normalizeDomain);
+				const nextConfig = normalizedDomains ? {
+					...baseConfig,
+					domains: normalizedDomains
+				} : baseConfig;
+				const nextSamlConfig = nextConfig.protocols?.saml ?? void 0;
+				log("DEBUG", "[group-sso] saml:configure:nextConfig", {
+					connectionId: data.connectionId,
+					entityId: nextSamlConfig?.idp?.entityId ?? null,
+					issuer: nextSamlConfig?.idp?.issuer ?? null,
+					metadataUrl: nextSamlConfig?.idp?.metadataUrl ?? null,
+					hasMetadataXml: typeof nextSamlConfig?.idp?.metadataXml === "string"
+				});
+				try {
+					await updateGroupConnection(ctx, config.component.public, {
+						connectionId: connection._id,
+						data: {
+							status: "active",
+							config: nextConfig
+						}
+					});
+				} catch {
+					throw convexError({
+						code: "INTERNAL_ERROR",
+						message: "Failed to persist SAML registration."
+					});
+				}
+				if (normalizedDomains) for (const [index, domain] of normalizedDomains.entries()) try {
+					await addConnectionDomain(ctx, config.component.public, {
+						connectionId: connection._id,
+						groupId: connection.groupId,
+						domain,
+						isPrimary: index === 0
+					});
+				} catch {
+					throw convexError({
+						code: "INTERNAL_ERROR",
+						message: "Failed to persist connection domain."
+					});
+				}
+				try {
+					await recordGroupAuditEvent(ctx, {
+						connectionId: connection._id,
+						groupId: connection.groupId,
+						eventType: "group.sso.saml.registered",
+						actorType: "system",
+						subjectType: "group_connection_saml",
+						subjectId: connection._id,
+						ok: true,
+						metadata: {
+							metadataUrl,
+							domains: normalizedDomains
+						}
+					});
+				} catch {
+					throw convexError({
+						code: "INTERNAL_ERROR",
+						message: "Failed to record SAML registration audit event."
+					});
+				}
+				return {
+					connectionId: connection._id,
+					groupId: connection.groupId
+				};
+			},
+			refresh: async (ctx, data) => {
+				let connection;
+				try {
+					connection = await getGroupConnection(ctx, config.component.public, data.connectionId);
+				} catch {
+					throw convexError({
+						code: "INTERNAL_ERROR",
+						message: "Failed to load connection."
+					});
+				}
+				if (connection === null) throw convexError({
+					code: "INVALID_PARAMETERS",
+					message: connectionNotFoundError
+				});
+				const samlConfig = connection.config?.protocols?.saml;
+				if (connection.protocol !== "saml") throw convexError({
+					code: "INVALID_PARAMETERS",
+					message: "This connection is not a SAML connection."
+				});
+				if (typeof samlConfig?.idp?.metadataUrl !== "string") throw convexError({
+					code: "INVALID_PARAMETERS",
+					message: "SAML metadataUrl is not configured."
+				});
+				const metadataUrl = samlConfig.idp.metadataUrl;
+				let metadataXml;
+				try {
+					metadataXml = await retryWithBackoff(async () => {
+						const response = await fetch(metadataUrl, { signal: AbortSignal.timeout(1e4) });
+						if (!response.ok) throw new Error(`Failed to fetch SAML metadata: ${response.status}`);
+						return await response.text();
+					});
+				} catch (error) {
+					throw convexError({
+						code: "INVALID_PARAMETERS",
+						message: error instanceof Error ? error.message : "Failed to fetch SAML metadata"
+					});
+				}
+				let parsed;
+				try {
+					parsed = parseSamlIdpMetadataChecked({
+						metadataXml,
+						config: connection.config
+					});
+				} catch (error) {
+					throw convexError({
+						code: "INVALID_PARAMETERS",
+						message: error instanceof Error ? `Failed to parse SAML metadata: ${error.message}` : "Failed to parse SAML metadata."
+					});
+				}
+				const nextConfig = upsertProtocolConfig(connection.config, "saml", {
+					enabled: true,
+					idp: {
+						metadataUrl,
+						metadataXml,
+						...parsed
+					},
+					serviceProvider: samlConfig.serviceProvider,
+					request: samlConfig.request,
+					profile: samlConfig.profile,
+					security: samlConfig.security
+				});
+				try {
+					await updateGroupConnection(ctx, config.component.public, {
+						connectionId: connection._id,
+						data: {
+							status: connection.status,
+							config: nextConfig
+						}
+					});
+				} catch {
+					throw convexError({
+						code: "INTERNAL_ERROR",
+						message: "Failed to persist refreshed SAML metadata."
+					});
+				}
+				try {
+					await recordGroupAuditEvent(ctx, {
+						connectionId: connection._id,
+						groupId: connection.groupId,
+						eventType: "group.sso.saml.refreshed",
+						actorType: "system",
+						subjectType: "group_connection_saml",
+						subjectId: connection._id,
+						ok: true,
+						metadata: { metadataUrl }
+					});
+				} catch {
+					throw convexError({
+						code: "INTERNAL_ERROR",
+						message: "Failed to record SAML refresh audit event."
+					});
+				}
+				return {
+					connectionId: connection._id,
+					groupId: connection.groupId
+				};
+			},
+			get: async (ctx, connectionId) => {
+				let connection;
+				try {
+					connection = await getGroupConnection(ctx, config.component.public, connectionId);
+				} catch {
+					throw convexError({
+						code: "INTERNAL_ERROR",
+						message: "Failed to load connection."
+					});
+				}
+				if (connection === null) throw convexError({
+					code: "INVALID_PARAMETERS",
+					message: connectionNotFoundError
+				});
+				return getSamlConfig(connection.config);
+			},
+			status: (ctx, connectionId) => {
+				return getGroupConnection(ctx, config.component.public, connectionId).then((connection) => {
+					if (!connection) throw convexError({
+						code: "INVALID_PARAMETERS",
+						message: connectionNotFoundError
+					});
+					const currentConfig = getSamlConfig(connection.config);
+					const configured = currentConfig.enabled === true;
+					return {
+						connectionId,
+						configured,
+						ready: configured && typeof currentConfig.idp?.entityId === "string",
+						config: currentConfig,
+						checks: [{
+							name: "saml_configured",
+							ok: configured,
+							message: configured ? void 0 : "SAML is not configured."
+						}]
+					};
+				});
+			},
+			metadata: async (ctx, opts) => {
+				const connection = await getGroupConnection(ctx, config.component.public, opts.connectionId);
+				if (!connection) throw convexError({
+					code: "INVALID_PARAMETERS",
+					message: "Connection not found."
+				});
+				return createServiceProviderMetadata(getSamlServiceProviderOptions({
+					rootUrl: requireEnv("CONVEX_SITE_URL"),
+					source: {
+						kind: "connection",
+						id: connection._id
+					},
+					config: connection.config,
+					overrides: {
+						entityId: opts.entityId,
+						acsUrl: opts.acsUrl,
+						sloUrl: opts.sloUrl
+					}
+				}));
+			},
+			validate: async (ctx, connectionId) => {
+				const checks = [];
+				const connection = await getGroupConnection(ctx, config.component.public, connectionId);
+				if (!connection) return {
+					ok: false,
+					connectionId,
+					checks: [{
+						name: "group_connection_exists",
+						ok: false,
+						message: "Connection not found."
+					}]
+				};
+				const samlConfig = connection.config?.protocols?.saml;
+				const samlConfigured = samlConfig?.enabled === true && typeof samlConfig?.idp?.metadataXml === "string";
+				checks.push({
+					name: "saml_configured",
+					ok: samlConfigured,
+					message: samlConfigured ? void 0 : "SAML is not configured."
+				});
+				const hasIdpMetadata = typeof samlConfig?.idp?.metadataXml === "string" && samlConfig.idp.metadataXml.length > 0;
+				checks.push({
+					name: "idp_metadata_present",
+					ok: hasIdpMetadata,
+					message: hasIdpMetadata ? void 0 : "IdP metadata XML is missing."
+				});
+				const reparsedIdp = hasIdpMetadata && typeof samlConfig?.idp?.metadataXml === "string" ? (() => {
+					try {
+						return parseSamlIdpMetadataChecked({
+							metadataXml: samlConfig.idp.metadataXml,
+							config: connection.config
+						});
+					} catch {
+						return null;
+					}
+				})() : null;
+				log("DEBUG", "[group-sso] saml:validate:idp", {
+					connectionId,
+					entityId: samlConfig?.idp?.entityId ?? null,
+					issuer: samlConfig?.idp?.issuer ?? null,
+					metadataUrl: samlConfig?.idp?.metadataUrl ?? null,
+					reparsedEntityId: reparsedIdp?.entityId ?? null,
+					reparsedIssuer: reparsedIdp?.issuer ?? null
+				});
+				const hasEntityId = typeof samlConfig?.idp?.entityId === "string" && samlConfig.idp.entityId.length > 0 || typeof samlConfig?.idp?.issuer === "string" && samlConfig.idp.issuer.length > 0 || typeof reparsedIdp?.entityId === "string" && reparsedIdp.entityId.length > 0 || typeof reparsedIdp?.issuer === "string" && reparsedIdp.issuer.length > 0;
+				checks.push({
+					name: "idp_entity_id",
+					ok: hasEntityId,
+					message: hasEntityId ? void 0 : "IdP entityId could not be parsed from metadata."
+				});
+				let spMetadataOk = false;
+				let spMetadataMessage;
+				if (samlConfigured) try {
+					createServiceProviderMetadata(getSamlServiceProviderOptions({
+						rootUrl: requireEnv("CONVEX_SITE_URL"),
+						source: {
+							kind: "connection",
+							id: connection._id
+						},
+						config: connection.config,
+						overrides: {}
+					}));
+					spMetadataOk = true;
+				} catch (e) {
+					spMetadataMessage = e instanceof Error ? e.message : "SP metadata generation failed.";
+				}
+				else spMetadataMessage = "Skipped — SAML not configured.";
+				checks.push({
+					name: "sp_metadata_generates",
+					ok: spMetadataOk,
+					message: spMetadataMessage
+				});
+				const requiresSignedAssertions = samlConfig?.security?.requireSignedAssertions === true;
+				const hasSigningCert = reparsedIdp?.signingCert !== null;
+				checks.push({
+					name: "signed_assertions_compatible",
+					ok: !requiresSignedAssertions || hasSigningCert,
+					message: !requiresSignedAssertions || hasSigningCert ? void 0 : "Signed assertions are required but the IdP metadata has no signing certificate."
+				});
+				const signAuthnRequests = samlConfig?.request?.signAuthnRequests === true;
+				const hasSpPrivateKey = typeof samlConfig?.serviceProvider?.privateKey === "string";
+				checks.push({
+					name: "authn_request_signing_compatible",
+					ok: !signAuthnRequests || hasSpPrivateKey,
+					message: !signAuthnRequests || hasSpPrivateKey ? void 0 : "signAuthnRequests is enabled but no SP privateKey is configured."
+				});
+				checks.push({
+					name: "timestamp_validation_configured",
+					ok: true,
+					message: samlConfig?.security?.requireTimestamps === true ? `Timestamp validation enabled with clock skew ${samlConfig.security.clockSkewSeconds ?? 300} seconds.` : "Timestamp validation uses compatibility defaults."
+				});
+				return {
+					ok: checks.every((c) => c.ok),
+					connectionId: connection._id,
+					checks
+				};
+			}
+		},
+		policy,
+		oidc: {
+			configure: async (ctx, data) => {
+				if (data.discovery.issuer === void 0 && data.discovery.discoveryUrl === void 0) throw convexError({
+					code: "INVALID_PARAMETERS",
+					message: "OIDC registration requires issuer or discoveryUrl."
+				});
+				let connection;
+				try {
+					connection = await getGroupConnection(ctx, config.component.public, data.connectionId);
+				} catch {
+					throw convexError({
+						code: "INTERNAL_ERROR",
+						message: "Failed to load connection."
+					});
+				}
+				if (connection === null) throw convexError({
+					code: "INVALID_PARAMETERS",
+					message: connectionNotFoundError
+				});
+				if (connection.protocol !== "oidc") throw convexError({
+					code: "INVALID_PARAMETERS",
+					message: "This connection is not an OIDC connection."
+				});
+				const nextConfig = upsertProtocolConfig(connection.config, "oidc", {
+					enabled: true,
+					discovery: {
+						issuer: data.discovery.issuer,
+						discoveryUrl: data.discovery.discoveryUrl,
+						jwksUri: data.discovery.jwksUri,
+						audience: data.discovery.audience
+					},
+					client: {
+						id: data.client.id,
+						authMethod: data.client.authMethod
+					},
+					request: {
+						scopes: data.request?.scopes ?? [
+							"openid",
+							"profile",
+							"email"
+						],
+						loginHint: data.request?.loginHint,
+						authorizationParams: data.request?.authorizationParams
+					},
+					security: {
+						clockToleranceSeconds: data.security?.clockToleranceSeconds,
+						strictIssuer: data.security?.strictIssuer
+					},
+					profile: {
+						mapping: data.profile?.mapping,
+						extraFields: data.profile?.extraFields
+					}
+				});
+				try {
+					await updateGroupConnection(ctx, config.component.public, {
+						connectionId: data.connectionId,
+						data: { config: nextConfig }
+					});
+				} catch {
+					throw convexError({
+						code: "INTERNAL_ERROR",
+						message: "Failed to persist OIDC registration."
+					});
+				}
+				if (data.client.secret !== void 0) {
+					let ciphertext;
+					try {
+						ciphertext = await encryptSecret(data.client.secret);
+					} catch {
+						throw convexError({
+							code: "INTERNAL_ERROR",
+							message: "Failed to encrypt OIDC client secret."
+						});
+					}
+					try {
+						await upsertGroupConnectionSecret(ctx, config.component.public, {
+							connectionId: data.connectionId,
+							groupId: connection.groupId,
+							kind: GROUP_CONNECTION_OIDC_CLIENT_SECRET_KIND,
+							ciphertext,
+							updatedAt: Date.now()
+						});
+					} catch {
+						throw convexError({
+							code: "INTERNAL_ERROR",
+							message: "Failed to persist OIDC client secret."
+						});
+					}
+				}
+				try {
+					await recordGroupAuditEvent(ctx, {
+						connectionId: data.connectionId,
+						groupId: connection.groupId,
+						eventType: "group.sso.oidc.registered",
+						actorType: "system",
+						subjectType: "group_connection_oidc",
+						subjectId: data.connectionId,
+						ok: true,
+						metadata: {
+							issuer: data.discovery.issuer,
+							discoveryUrl: data.discovery.discoveryUrl,
+							jwksUri: data.discovery.jwksUri,
+							audience: data.discovery.audience,
+							tokenEndpointAuthMethod: data.client.authMethod
+						}
+					});
+				} catch {
+					throw convexError({
+						code: "INTERNAL_ERROR",
+						message: "Failed to record OIDC registration audit event."
+					});
+				}
+				let secret;
+				try {
+					secret = await getGroupConnectionSecret(ctx, data.connectionId, GROUP_CONNECTION_OIDC_CLIENT_SECRET_KIND);
+				} catch {
+					throw convexError({
+						code: "INTERNAL_ERROR",
+						message: "Failed to load OIDC secret metadata."
+					});
+				}
+				return withOidcSecretState(getPublicOidcConfig(nextConfig), secret !== null);
+			},
+			get: async (ctx, connectionId) => {
+				let connection;
+				try {
+					connection = await getGroupConnection(ctx, config.component.public, connectionId);
+				} catch {
+					throw convexError({
+						code: "INTERNAL_ERROR",
+						message: "Failed to load connection."
+					});
+				}
+				if (connection === null) throw convexError({
+					code: "INVALID_PARAMETERS",
+					message: connectionNotFoundError
+				});
+				let secret;
+				try {
+					secret = await getGroupConnectionSecret(ctx, connection._id, GROUP_CONNECTION_OIDC_CLIENT_SECRET_KIND);
+				} catch {
+					throw convexError({
+						code: "INTERNAL_ERROR",
+						message: "Failed to load OIDC secret metadata."
+					});
+				}
+				return withOidcSecretState(getPublicOidcConfig(connection.config), secret !== null);
+			},
+			status: (ctx, connectionId) => {
+				return Promise.all([getGroupConnection(ctx, config.component.public, connectionId), getGroupConnectionSecret(ctx, connectionId, GROUP_CONNECTION_OIDC_CLIENT_SECRET_KIND)]).then(([connection, secret]) => {
+					if (!connection) throw convexError({
+						code: "INVALID_PARAMETERS",
+						message: connectionNotFoundError
+					});
+					const currentConfig = getPublicOidcConfig(connection.config);
+					const oidcConfig = getOidcConfig(connection.config);
+					const configured = currentConfig.enabled === true && typeof oidcConfig.client?.id === "string" && (typeof oidcConfig.discovery?.issuer === "string" || typeof oidcConfig.discovery?.discoveryUrl === "string");
+					return {
+						connectionId,
+						configured,
+						ready: configured && secret !== null,
+						config: withOidcSecretState(currentConfig, secret !== null),
+						checks: [{
+							name: "oidc_configured",
+							ok: configured,
+							message: configured ? void 0 : "OIDC is not configured."
+						}, {
+							name: "client_secret_stored",
+							ok: secret !== null,
+							message: secret !== null ? void 0 : "OIDC client secret is missing."
+						}]
+					};
+				});
+			},
+			signIn: async (ctx, data) => {
+				log("DEBUG", "[group-sso] resolver:start", {
+					connectionId: data.connectionId,
+					email: data.email,
+					domain: data.domain,
+					redirectTo: data.redirectTo
+				});
+				let connection;
+				if (data.connectionId !== void 0) {
+					try {
+						connection = await getGroupConnection(ctx, config.component.public, data.connectionId);
+					} catch {
+						throw convexError({
+							code: "INTERNAL_ERROR",
+							message: "Failed to load connection."
+						});
+					}
+					if (connection === null) throw convexError({
+						code: "INVALID_PARAMETERS",
+						message: connectionNotFoundError
+					});
+				} else if (data.domain !== void 0 || data.email !== void 0) {
+					let result;
+					try {
+						result = await getGroupConnectionByDomain(ctx, config.component.public, normalizeDomain(data.domain ?? String(data.email).split("@").pop() ?? ""));
+					} catch {
+						throw convexError({
+							code: "INTERNAL_ERROR",
+							message: "Failed to resolve connection by domain."
+						});
+					}
+					log("DEBUG", "[group-sso] resolver:domainLookup", result);
+					if (result?.connection && result.domain?.verifiedAt !== void 0) connection = result.connection;
+					else throw convexError({
+						code: "INVALID_PARAMETERS",
+						message: "No group connection matched the provided input."
+					});
+				} else throw convexError({
+					code: "INVALID_PARAMETERS",
+					message: "No group connection matched the provided input."
+				});
+				if (connection.status !== "active") throw convexError({
+					code: "INVALID_PARAMETERS",
+					message: "Group connection is not active."
+				});
+				const protocol = resolveGroupConnectionProtocol(connection);
+				log("DEBUG", "[group-sso] resolver:connection", {
+					connectionId: connection._id,
+					status: connection.status,
+					protocol
+				});
+				const { signInPath, callbackPath, providerId } = protocol === "oidc" ? (() => {
+					const urls = getGroupOidcUrls({
+						rootUrl: requireEnv("CONVEX_SITE_URL"),
+						connectionId: connection._id,
+						sharedRedirectURI: deps.sharedOidcRedirectURI
+					});
+					return {
+						signInPath: urls.signInUrl,
+						callbackPath: urls.callbackUrl,
+						providerId: groupOidcProviderId(connection._id)
+					};
+				})() : (() => {
+					const urls = getGroupSamlUrls({
+						rootUrl: requireEnv("CONVEX_SITE_URL"),
+						source: {
+							kind: "connection",
+							id: connection._id
+						}
+					});
+					return {
+						signInPath: `${requireEnv("CONVEX_SITE_URL")}/api/auth/connections/${connection._id}/saml/signin`,
+						callbackPath: urls.acsUrl,
+						providerId: groupSamlProviderId(connection._id)
+					};
+				})();
+				log("DEBUG", "[group-sso] resolver:paths", {
+					connectionId: connection._id,
+					signInPath,
+					callbackPath
+				});
+				return {
+					connectionId: connection._id,
+					protocol,
+					providerId,
+					signInPath: protocol === "oidc" && typeof data.loginHint === "string" ? (() => {
+						const signInUrl = new URL(signInPath);
+						signInUrl.searchParams.set("loginHint", data.loginHint);
+						return signInUrl.toString();
+					})() : signInPath,
+					callbackPath,
+					redirectTo: data.redirectTo
+				};
+			},
+			validate: async (ctx, connectionId) => {
+				const checks = [];
+				const connection = await getGroupConnection(ctx, config.component.public, connectionId);
+				if (!connection) return {
+					ok: false,
+					connectionId,
+					checks: [{
+						name: "group_connection_exists",
+						ok: false,
+						message: "Connection not found."
+					}]
+				};
+				const oidc = getOidcConfig(connection.config);
+				const secret = await getGroupConnectionSecret(ctx, connection._id, GROUP_CONNECTION_OIDC_CLIENT_SECRET_KIND);
+				const oidcConfigured = oidc.enabled === true && typeof oidc.client?.id === "string" && oidc.client.id.length > 0;
+				checks.push({
+					name: "oidc_configured",
+					ok: oidcConfigured,
+					message: oidcConfigured ? void 0 : "OIDC is not configured."
+				});
+				const hasClientId = typeof oidc.client?.id === "string" && oidc.client.id.length > 0;
+				checks.push({
+					name: "client_id_present",
+					ok: hasClientId,
+					message: hasClientId ? void 0 : "clientId is missing."
+				});
+				checks.push({
+					name: "client_secret_stored",
+					ok: secret !== null,
+					message: secret !== null ? void 0 : "OIDC client secret is missing."
+				});
+				const discoveryConfig = typeof oidc.discovery === "object" && oidc.discovery !== null ? oidc.discovery : {};
+				const clientConfig = typeof oidc.client === "object" && oidc.client !== null ? oidc.client : {};
+				const discoveryTarget = discoveryConfig.discoveryUrl ?? discoveryConfig.issuer;
+				const hasDiscovery = typeof discoveryTarget === "string" && discoveryTarget.length > 0;
+				checks.push({
+					name: "issuer_or_discovery_url_present",
+					ok: hasDiscovery,
+					message: hasDiscovery ? void 0 : "issuer or discoveryUrl is missing."
+				});
+				let discoveryOk = false;
+				let discoveryMessage;
+				if (hasDiscovery) {
+					const discoveryUrl = typeof discoveryConfig.discoveryUrl === "string" && discoveryConfig.discoveryUrl.length > 0 ? discoveryConfig.discoveryUrl : `${String(discoveryConfig.issuer)}/.well-known/openid-configuration`;
+					try {
+						const res = await fetch(discoveryUrl, {
+							headers: { Accept: "application/json" },
+							signal: AbortSignal.timeout(8e3)
+						});
+						if (!res.ok) discoveryMessage = `Discovery endpoint returned ${res.status}.`;
+						else {
+							const json = await res.json();
+							if (typeof json.issuer !== "string") discoveryMessage = "Discovery document is missing issuer field.";
+							else if (typeof json.authorization_endpoint !== "string") discoveryMessage = "Discovery document is missing authorization_endpoint.";
+							else if (typeof json.token_endpoint !== "string") discoveryMessage = "Discovery document is missing token_endpoint.";
+							else if (discoveryConfig.jwksUri === void 0 && typeof json.jwks_uri !== "string") discoveryMessage = "Discovery document is missing jwks_uri and no jwksUri override is configured.";
+							else discoveryOk = true;
+						}
+					} catch (e) {
+						discoveryMessage = e instanceof Error ? `Discovery fetch failed: ${e.message}` : "Discovery fetch failed.";
+					}
+				} else discoveryMessage = "Skipped — issuer or discoveryUrl not set.";
+				checks.push({
+					name: "discovery_reachable",
+					ok: discoveryOk,
+					message: discoveryMessage
+				});
+				const hasValidTokenAuthMethod = clientConfig.authMethod === void 0 || clientConfig.authMethod === "client_secret_post" || clientConfig.authMethod === "client_secret_basic";
+				checks.push({
+					name: "token_endpoint_auth_method_supported",
+					ok: hasValidTokenAuthMethod,
+					message: hasValidTokenAuthMethod ? void 0 : "tokenEndpointAuthMethod must be client_secret_post or client_secret_basic."
+				});
+				const hasJwksUri = discoveryConfig.jwksUri === void 0 || typeof discoveryConfig.jwksUri === "string" && discoveryConfig.jwksUri.length > 0;
+				checks.push({
+					name: "jwks_uri_present",
+					ok: hasJwksUri,
+					message: hasJwksUri ? void 0 : "jwksUri is empty."
+				});
+				const hasAudience = discoveryConfig.audience === void 0 || typeof discoveryConfig.audience === "string" || Array.isArray(discoveryConfig.audience) && discoveryConfig.audience.every((value) => typeof value === "string");
+				checks.push({
+					name: "audience_valid",
+					ok: hasAudience,
+					message: hasAudience ? void 0 : "audience must be a string or string array."
+				});
+				return {
+					ok: checks.every((c) => c.ok),
+					connectionId: connection._id,
+					checks
+				};
+			}
+		},
+		scim,
+		audit: {
+			record: async (ctx, data) => {
+				return await recordGroupAuditEvent(ctx, data);
+			},
+			list: async (ctx, data) => {
+				return await listAuditEvents(ctx, config.component.public, data);
+			}
+		},
+		webhook
+	};
+}
+//#endregion
+export { createGroupConnectionDomain };
+//# sourceMappingURL=domain.js.map