@robelest/convex-auth 0.0.4-preview.27 → 0.0.4-preview.28

package/dist/server/signin.js

@@ -1,21 +1,20 @@
-import { envOptionalString, readConfigSync, requireEnv } from "./env.js";
 import { generateRandomString } from "./random.js";
-import { authFlowError } from "../shared/errors.js";
-import { toConvexError } from "./errors.js";
+import { envOptionalString, readConfigSync, requireEnv } from "./env.js";
 import { log } from "./log.js";
 import { callCreateVerificationCode } from "./mutations/code.js";
+import { withSpan } from "./utils/span.js";
 import { callRefreshSession } from "./mutations/refresh.js";
-import { callVerifierSignature } from "./mutations/signature.js";
 import { callSignIn } from "./mutations/signin.js";
 import { callVerifier } from "./mutations/verifier.js";
 import { callVerifyCodeAndSignIn } from "./mutations/verify.js";
+import { redirectAbsoluteUrl, setURLSearchParam } from "./redirects.js";
+import { authFlowError } from "../shared/errors.js";
+import { toConvexError } from "./errors.js";
 import { queryTotpVerifiedByUserId } from "./types.js";
 import { handleDevice } from "./device.js";
 import { handlePasskeyFx } from "./passkey.js";
-import { redirectAbsoluteUrl, setURLSearchParam } from "./redirects.js";
 import { handleTotp } from "./totp.js";
 import { ConvexError } from "convex/values";
-import { Effect, Match } from "effect";
 
 //#region src/server/signin.ts
 const DEFAULT_EMAIL_VERIFICATION_CODE_DURATION_S = 3600 * 24;
@@ -46,15 +45,16 @@ const asCredentialsError = (error) => {
 	return toConvexError(authFlowError("INTERNAL_ERROR", "Failed to authorize credentials."));
 };
 async function signInImpl(ctx, provider, args, options) {
-	return Effect.runPromise(signInFx(ctx, provider, args, options));
+	return signInFx(ctx, provider, args, options);
 }
-function signInFx(ctx, provider, args, options) {
-	return Effect.gen(function* () {
-		if (provider === null && args.refreshToken) {
-			const tokens = yield* Effect.tryPromise({
-				try: () => callRefreshSession(ctx, { refreshToken: args.refreshToken }),
-				catch: (error) => asConvexError(error, "INTERNAL_ERROR", "Failed to refresh session.")
-			});
+async function signInFx(ctx, provider, args, options) {
+	return withSpan("convex-auth.signin", {
+		hasProvider: provider !== null,
+		hasCode: args.params?.code !== void 0,
+		hasRefreshToken: args.refreshToken !== void 0
+	}, async () => {
+		if (provider === null && args.refreshToken) try {
+			const tokens = await callRefreshSession(ctx, { refreshToken: args.refreshToken });
 			if (tokens === null) return {
 				kind: "signedIn",
 				signedIn: null
@@ -63,171 +63,201 @@ function signInFx(ctx, provider, args, options) {
 				kind: "refreshTokens",
 				signedIn: { tokens }
 			};
+		} catch (error) {
+			throw asConvexError(error, "INTERNAL_ERROR", "Failed to refresh session.");
 		}
-		if (provider === null && args.params?.code !== void 0) return {
-			kind: "signedIn",
-			signedIn: yield* Effect.tryPromise({
-				try: () => callVerifyCodeAndSignIn(ctx, {
+		if (provider === null && args.params?.code !== void 0) try {
+			return {
+				kind: "signedIn",
+				signedIn: await callVerifyCodeAndSignIn(ctx, {
 					params: args.params,
 					verifier: args.verifier,
 					generateTokens: true,
 					allowExtraProviders: options.allowExtraProviders
-				}),
-				catch: (error) => asConvexError(error, "INTERNAL_ERROR", "Failed to verify sign-in code.")
-			})
-		};
+				})
+			};
+		} catch (error) {
+			throw asConvexError(error, "INTERNAL_ERROR", "Failed to verify sign-in code.");
+		}
 		const resolvedProvider = provider;
-		if (resolvedProvider === null) return yield* Effect.fail(toConvexError(authFlowError("SIGN_IN_MISSING_PARAMS", "Cannot sign in: missing provider, code, or refresh token.")));
-		return yield* Match.value(resolvedProvider).pipe(Match.when({ type: "email" }, (provider$1) => handleEmailAndPhoneProviderFx(ctx, provider$1, args, options)), Match.when({ type: "phone" }, (provider$1) => handleEmailAndPhoneProviderFx(ctx, provider$1, args, options)), Match.when({ type: "credentials" }, (provider$1) => handleCredentialsFx(ctx, provider$1, args, options)), Match.when({ type: "oauth" }, (provider$1) => handleOAuthProviderFx(ctx, provider$1, args, options)), Match.when({ type: "passkey" }, (provider$1) => handlePasskeyFx(ctx, provider$1, args)), Match.when({ type: "totp" }, (provider$1) => handleTotp(ctx, provider$1, args)), Match.when({ type: "device" }, (provider$1) => handleDevice(ctx, provider$1, args)), Match.when({ type: "sso" }, () => handleSsoProviderFx(ctx, args, options)), Match.exhaustive);
-	}).pipe(Effect.withSpan("convex-auth.signin", { attributes: {
-		hasProvider: provider !== null,
-		hasCode: args.params?.code !== void 0,
-		hasRefreshToken: args.refreshToken !== void 0
-	} }));
+		if (resolvedProvider === null) throw toConvexError(authFlowError("SIGN_IN_MISSING_PARAMS", "Cannot sign in: missing provider, code, or refresh token."));
+		const handler = {
+			email: () => handleEmailAndPhoneProviderFx(ctx, resolvedProvider, args, options),
+			phone: () => handleEmailAndPhoneProviderFx(ctx, resolvedProvider, args, options),
+			credentials: () => handleCredentialsFx(ctx, resolvedProvider, args, options),
+			oauth: () => handleOAuthProviderFx(ctx, resolvedProvider, args, options),
+			passkey: () => handlePasskeyFx(ctx, resolvedProvider, args),
+			totp: () => handleTotp(ctx, resolvedProvider, args),
+			device: () => handleDevice(ctx, resolvedProvider, args),
+			sso: () => handleSsoProviderFx(ctx, args, options)
+		}[resolvedProvider.type];
+		if (!handler) throw toConvexError(authFlowError("SIGN_IN_MISSING_PARAMS", `Unknown provider type: ${resolvedProvider.type}`));
+		return handler();
+	});
 }
-function handleEmailAndPhoneProviderFx(ctx, provider, args, options) {
-	return Effect.gen(function* () {
+async function handleEmailAndPhoneProviderFx(ctx, provider, args, options) {
+	return withSpan(`convex-auth.signin.${provider.type}`, {}, async () => {
 		const normalizedParams = normalizeVerificationParams(args.params);
 		if (args.params?.code !== void 0) {
-			const result = yield* Effect.tryPromise({
-				try: () => callVerifyCodeAndSignIn(ctx, {
+			let result;
+			try {
+				result = await callVerifyCodeAndSignIn(ctx, {
 					params: args.params,
 					provider: provider.id,
 					generateTokens: options.generateTokens,
 					allowExtraProviders: options.allowExtraProviders
-				}),
-				catch: (error) => asConvexError(error, "INTERNAL_ERROR", "Failed to verify email or phone code.")
-			});
-			if (result === null) return yield* Effect.fail(toConvexError(authFlowError("INVALID_VERIFICATION_CODE", "Invalid or expired verification code.")));
+				});
+			} catch (error) {
+				throw asConvexError(error, "INTERNAL_ERROR", "Failed to verify email or phone code.");
+			}
+			if (result === null) throw toConvexError(authFlowError("INVALID_VERIFICATION_CODE", "Invalid or expired verification code."));
 			return {
 				kind: "signedIn",
 				signedIn: result
 			};
 		}
-		const code = provider.generateVerificationToken ? yield* Effect.tryPromise({
-			try: async () => provider.generateVerificationToken(),
-			catch: () => toConvexError(authFlowError("INTERNAL_ERROR", "Failed to generate verification token"))
-		}) : generateRandomString(32, "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz");
+		const alphabet = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
+		let code;
+		if (provider.generateVerificationToken) try {
+			code = await provider.generateVerificationToken();
+		} catch {
+			throw toConvexError(authFlowError("INTERNAL_ERROR", "Failed to generate verification token"));
+		}
+		else code = generateRandomString(32, alphabet);
 		const expirationTime = Date.now() + (provider.maxAge ?? DEFAULT_EMAIL_VERIFICATION_CODE_DURATION_S) * 1e3;
+		let identifier;
+		try {
+			identifier = await callCreateVerificationCode(ctx, {
+				provider: provider.id,
+				accountId: args.accountId,
+				email: normalizedParams.email,
+				phone: normalizedParams.phone,
+				code,
+				expirationTime,
+				allowExtraProviders: options.allowExtraProviders
+			});
+		} catch (error) {
+			throw asConvexError(error, "INTERNAL_ERROR", "Failed to create verification code.");
+		}
+		let destination;
+		try {
+			destination = await redirectAbsoluteUrl(ctx.auth.config, args.params ?? {});
+		} catch (error) {
+			throw asConvexError(error, "INVALID_REDIRECT", "Failed to resolve redirect URL.");
+		}
 		const verificationArgs = {
-			identifier: yield* Effect.tryPromise({
-				try: () => callCreateVerificationCode(ctx, {
-					provider: provider.id,
-					accountId: args.accountId,
-					email: normalizedParams.email,
-					phone: normalizedParams.phone,
-					code,
-					expirationTime,
-					allowExtraProviders: options.allowExtraProviders
-				}),
-				catch: (error) => asConvexError(error, "INTERNAL_ERROR", "Failed to create verification code.")
-			}),
-			url: setURLSearchParam(yield* Effect.tryPromise({
-				try: () => redirectAbsoluteUrl(ctx.auth.config, args.params ?? {}),
-				catch: (error) => asConvexError(error, "INVALID_REDIRECT", "Failed to resolve redirect URL.")
-			}), "code", code),
+			identifier,
+			url: setURLSearchParam(destination, "code", code),
 			token: code,
 			expires: new Date(expirationTime)
 		};
-		yield* Match.value(provider).pipe(Match.when({ type: "email" }, (provider$1) => Effect.tryPromise({
-			try: async () => {
-				await provider$1.sendVerificationRequest({
-					...verificationArgs,
-					provider: provider$1,
-					request: new Request("http://localhost")
-				}, ctx);
-			},
-			catch: () => toConvexError(authFlowError("INTERNAL_ERROR", "Failed to send email code"))
-		})), Match.when({ type: "phone" }, (provider$1) => Effect.tryPromise({
-			try: async () => {
-				await provider$1.sendVerificationRequest({
-					...verificationArgs,
-					provider: provider$1
-				}, ctx);
-			},
-			catch: () => toConvexError(authFlowError("INTERNAL_ERROR", "Failed to send phone code"))
-		})), Match.exhaustive);
+		if (provider.type === "email") try {
+			await provider.sendVerificationRequest({
+				...verificationArgs,
+				provider,
+				request: new Request("http://localhost")
+			}, ctx);
+		} catch {
+			throw toConvexError(authFlowError("INTERNAL_ERROR", "Failed to send email code"));
+		}
+		else try {
+			await provider.sendVerificationRequest({
+				...verificationArgs,
+				provider
+			}, ctx);
+		} catch {
+			throw toConvexError(authFlowError("INTERNAL_ERROR", "Failed to send phone code"));
+		}
 		return {
 			kind: "started",
 			started: true
 		};
-	}).pipe(Effect.withSpan(`convex-auth.signin.${provider.type}`));
+	});
 }
-function handleCredentialsFx(ctx, provider, args, options) {
-	return Effect.gen(function* () {
-		const result = yield* Effect.tryPromise({
-			try: () => provider.authorize(args.params ?? {}, ctx),
-			catch: (error) => asCredentialsError(error)
-		});
+async function handleCredentialsFx(ctx, provider, args, options) {
+	return withSpan("convex-auth.signin.credentials", {}, async () => {
+		let result;
+		try {
+			result = await provider.authorize(args.params ?? {}, ctx);
+		} catch (error) {
+			throw asCredentialsError(error);
+		}
 		if (result === null) return {
 			kind: "signedIn",
 			signedIn: null
 		};
-		if (yield* Effect.tryPromise({
-			try: async () => {
-				return await queryTotpVerifiedByUserId(ctx, result.userId) !== null;
-			},
-			catch: (error) => asConvexError(error, "INTERNAL_ERROR", "Failed to load TOTP enrollment.")
-		})) {
-			yield* Effect.tryPromise({
-				try: () => callSignIn(ctx, {
+		let hasTotpEnrolled;
+		try {
+			hasTotpEnrolled = await queryTotpVerifiedByUserId(ctx, result.userId) !== null;
+		} catch (error) {
+			throw asConvexError(error, "INTERNAL_ERROR", "Failed to load TOTP enrollment.");
+		}
+		if (hasTotpEnrolled) {
+			try {
+				await callSignIn(ctx, {
 					userId: result.userId,
 					sessionId: result.sessionId,
 					generateTokens: false
-				}),
-				catch: (error) => asConvexError(error, "INTERNAL_ERROR", "Failed to start TOTP sign-in.")
-			});
-			const verifier = yield* Effect.tryPromise({
-				try: () => callVerifier(ctx),
-				catch: (error) => asConvexError(error, "INTERNAL_ERROR", "Failed to create verifier.")
-			});
-			yield* Effect.tryPromise({
-				try: () => callVerifierSignature(ctx, {
-					verifier,
-					signature: JSON.stringify({ userId: result.userId })
-				}),
-				catch: (error) => asConvexError(error, "INTERNAL_ERROR", "Failed to store verifier signature.")
-			});
+				});
+			} catch (error) {
+				throw asConvexError(error, "INTERNAL_ERROR", "Failed to start TOTP sign-in.");
+			}
+			let verifier;
+			try {
+				verifier = await callVerifier(ctx, JSON.stringify({ userId: result.userId }));
+			} catch (error) {
+				throw asConvexError(error, "INTERNAL_ERROR", "Failed to create verifier.");
+			}
 			return {
 				kind: "totpRequired",
 				verifier
 			};
 		}
+		let idsAndTokens;
+		try {
+			idsAndTokens = await callSignIn(ctx, {
+				userId: result.userId,
+				sessionId: result.sessionId,
+				generateTokens: options.generateTokens
+			});
+		} catch (error) {
+			throw asConvexError(error, "INTERNAL_ERROR", "Failed to complete sign-in.");
+		}
 		return {
 			kind: "signedIn",
-			signedIn: yield* Effect.tryPromise({
-				try: () => callSignIn(ctx, {
-					userId: result.userId,
-					sessionId: result.sessionId,
-					generateTokens: options.generateTokens
-				}),
-				catch: (error) => asConvexError(error, "INTERNAL_ERROR", "Failed to complete sign-in.")
-			})
+			signedIn: idsAndTokens
 		};
-	}).pipe(Effect.withSpan("convex-auth.signin.credentials"));
+	});
 }
-function handleOAuthProviderFx(ctx, provider, args, options) {
-	return Effect.gen(function* () {
-		if (args.params?.code !== void 0) return {
-			kind: "signedIn",
-			signedIn: yield* Effect.tryPromise({
-				try: () => callVerifyCodeAndSignIn(ctx, {
+async function handleOAuthProviderFx(ctx, provider, args, options) {
+	return withSpan(`convex-auth.signin.oauth`, { provider: provider.id }, async () => {
+		if (args.params?.code !== void 0) {
+			let result;
+			try {
+				result = await callVerifyCodeAndSignIn(ctx, {
 					params: args.params,
 					verifier: args.verifier,
 					generateTokens: true,
 					allowExtraProviders: options.allowExtraProviders
-				}),
-				catch: (error) => asConvexError(error, "INTERNAL_ERROR", "Failed to verify OAuth sign-in.")
-			})
-		};
+				});
+			} catch (error) {
+				throw asConvexError(error, "INTERNAL_ERROR", "Failed to verify OAuth sign-in.");
+			}
+			return {
+				kind: "signedIn",
+				signedIn: result
+			};
+		}
 		const redirect = new URL((readConfigSync(envOptionalString("CUSTOM_AUTH_SITE_URL")) ?? requireEnv("CONVEX_SITE_URL")) + `/api/auth/signin/${provider.id}`);
-		const verifier = yield* Effect.tryPromise({
-			try: () => callVerifier(ctx),
-			catch: (error) => asConvexError(error, "INTERNAL_ERROR", "Failed to create verifier.")
-		});
+		let verifier;
+		try {
+			verifier = await callVerifier(ctx);
+		} catch (error) {
+			throw asConvexError(error, "INTERNAL_ERROR", "Failed to create verifier.");
+		}
 		redirect.searchParams.set("code", verifier);
 		if (args.params?.redirectTo !== void 0) {
-			if (typeof args.params.redirectTo !== "string") return yield* Effect.fail(toConvexError(authFlowError("INVALID_REDIRECT", `Expected \`redirectTo\` to be a string, got ${describeUnknown(args.params.redirectTo)}`)));
+			if (typeof args.params.redirectTo !== "string") throw toConvexError(authFlowError("INVALID_REDIRECT", `Expected \`redirectTo\` to be a string, got ${describeUnknown(args.params.redirectTo)}`));
 			redirect.searchParams.set("redirectTo", args.params.redirectTo);
 		}
 		return {
@@ -235,27 +265,32 @@ function handleOAuthProviderFx(ctx, provider, args, options) {
 			redirect: redirect.toString(),
 			verifier
 		};
-	}).pipe(Effect.withSpan(`convex-auth.signin.oauth`, { attributes: { provider: provider.id } }));
+	});
 }
-function handleSsoProviderFx(ctx, args, options) {
-	return Effect.gen(function* () {
+async function handleSsoProviderFx(ctx, args, options) {
+	return withSpan("convex-auth.signin.sso", {}, async () => {
 		const normalizedParams = normalizeVerificationParams(args.params);
 		const connectionId = normalizedParams.connectionId;
-		if (!connectionId || typeof connectionId !== "string") return yield* Effect.fail(toConvexError(authFlowError("SIGN_IN_MISSING_PARAMS", "connectionId is required for SSO sign-in.")));
-		const protocol = (normalizedParams.protocol === "oidc" || normalizedParams.protocol === "saml" ? normalizedParams.protocol : void 0) ?? (options.resolveSsoProtocol ? yield* Effect.tryPromise({
-			try: () => options.resolveSsoProtocol(ctx, connectionId),
-			catch: (error) => asConvexError(error, "INTERNAL_ERROR", "Failed to resolve SSO protocol.")
-		}) : "oidc");
+		if (!connectionId || typeof connectionId !== "string") throw toConvexError(authFlowError("SIGN_IN_MISSING_PARAMS", "connectionId is required for SSO sign-in."));
+		let protocol = (normalizedParams.protocol === "oidc" || normalizedParams.protocol === "saml" ? normalizedParams.protocol : void 0) ?? (options.resolveSsoProtocol ? await (async () => {
+			try {
+				return await options.resolveSsoProtocol(ctx, connectionId);
+			} catch (error) {
+				throw asConvexError(error, "INTERNAL_ERROR", "Failed to resolve SSO protocol.");
+			}
+		})() : "oidc");
 		log("DEBUG", "[group-sso] signin:resolved", {
 			connectionId,
 			protocol,
 			redirectTo: typeof args.params?.redirectTo === "string" ? args.params.redirectTo : void 0
 		});
-		if (protocol !== "oidc" && protocol !== "saml") return yield* Effect.fail(toConvexError(authFlowError("SIGN_IN_MISSING_PARAMS", `Invalid SSO protocol: ${protocol}. Expected "oidc" or "saml".`)));
-		const verifier = yield* Effect.tryPromise({
-			try: () => callVerifier(ctx),
-			catch: (error) => asConvexError(error, "INTERNAL_ERROR", "Failed to create verifier.")
-		});
+		if (protocol !== "oidc" && protocol !== "saml") throw toConvexError(authFlowError("SIGN_IN_MISSING_PARAMS", `Invalid SSO protocol: ${protocol}. Expected "oidc" or "saml".`));
+		let verifier;
+		try {
+			verifier = await callVerifier(ctx);
+		} catch (error) {
+			throw asConvexError(error, "INTERNAL_ERROR", "Failed to create verifier.");
+		}
 		const siteUrl = readConfigSync(envOptionalString("CUSTOM_AUTH_SITE_URL")) ?? requireEnv("CONVEX_SITE_URL");
 		const redirect = new URL(`${siteUrl}/api/auth/connections/${connectionId}/${protocol}/signin`);
 		redirect.searchParams.set("code", verifier);
@@ -271,7 +306,7 @@ function handleSsoProviderFx(ctx, args, options) {
 			redirect: redirect.toString(),
 			verifier
 		};
-	}).pipe(Effect.withSpan("convex-auth.signin.sso"));
+	});
 }
 
 //#endregion

package/dist/server/sso/domain.d.ts

@@ -1,11 +1,9 @@
+import { ComponentCtx, ComponentReadCtx } from "../componentContext.js";
 import { ConvexAuthMaterializedConfig, GroupConnectionDeprovisionMode, GroupConnectionPolicy, GroupConnectionPolicyPatch, OIDCClaimMapping } from "../types.js";
 import { AuditEventRecord, ConnectionDomainRecord, GroupConnectionDomainLookupRecord, GroupConnectionListResult, GroupConnectionRecord, ScimConfigRecord, ScimIdentityRecord, WebhookDeliveryRecord, WebhookEndpointRecord } from "../contract.js";
-import * as convex_server320 from "convex/server";
 import { GenericActionCtx, GenericDataModel } from "convex/server";
 
 //#region src/server/sso/domain.d.ts
-type ComponentCtx = Pick<GenericActionCtx<GenericDataModel>, "runQuery" | "runMutation">;
-type ComponentReadCtx = Pick<GenericActionCtx<GenericDataModel>, "runQuery">;
 type DomainDeps = {
   config: ConvexAuthMaterializedConfig & {
     extraProviders?: unknown[];
@@ -309,16 +307,9 @@ declare function createGroupConnectionDomain<TDeps extends DomainDeps>(deps: TDe
     }>;
   };
   policy: {
-    get: (ctx: {
-      runQuery: <Query extends convex_server320.FunctionReference<"query", "public" | "internal">>(query: Query, ...args: convex_server320.OptionalRestArgs<Query>) => Promise<convex_server320.FunctionReturnType<Query>>;
-    }, groupId: string) => Promise<GroupConnectionPolicy>;
-    update: (ctx: {
-      runQuery: <Query extends convex_server320.FunctionReference<"query", "public" | "internal">>(query: Query, ...args: convex_server320.OptionalRestArgs<Query>) => Promise<convex_server320.FunctionReturnType<Query>>;
-      runMutation: <Mutation extends convex_server320.FunctionReference<"mutation", "public" | "internal">>(mutation: Mutation, ...args: convex_server320.OptionalRestArgs<Mutation>) => Promise<convex_server320.FunctionReturnType<Mutation>>;
-    }, groupId: string, patch: GroupConnectionPolicyPatch) => Promise<GroupConnectionPolicy>;
-    validate: (ctx: {
-      runQuery: <Query extends convex_server320.FunctionReference<"query", "public" | "internal">>(query: Query, ...args: convex_server320.OptionalRestArgs<Query>) => Promise<convex_server320.FunctionReturnType<Query>>;
-    }, groupId: string) => Promise<{
+    get: (ctx: ComponentReadCtx, groupId: string) => Promise<GroupConnectionPolicy>;
+    update: (ctx: ComponentCtx, groupId: string, patch: GroupConnectionPolicyPatch) => Promise<GroupConnectionPolicy>;
+    validate: (ctx: ComponentReadCtx, groupId: string) => Promise<{
       ok: boolean;
       groupId: string;
       checks: {
@@ -429,10 +420,7 @@ declare function createGroupConnectionDomain<TDeps extends DomainDeps>(deps: TDe
     }>;
   };
   scim: {
-    configure: (ctx: {
-      runQuery: <Query extends convex_server320.FunctionReference<"query", "public" | "internal">>(query: Query, ...args: convex_server320.OptionalRestArgs<Query>) => Promise<convex_server320.FunctionReturnType<Query>>;
-      runMutation: <Mutation extends convex_server320.FunctionReference<"mutation", "public" | "internal">>(mutation: Mutation, ...args: convex_server320.OptionalRestArgs<Mutation>) => Promise<convex_server320.FunctionReturnType<Mutation>>;
-    }, data: {
+    configure: (ctx: ComponentCtx, data: {
       connectionId: string;
       status?: "draft" | "active" | "disabled";
       security?: {
@@ -459,9 +447,7 @@ declare function createGroupConnectionDomain<TDeps extends DomainDeps>(deps: TDe
       basePath: string;
       token: string;
     }>;
-    get: (ctx: {
-      runQuery: <Query extends convex_server320.FunctionReference<"query", "public" | "internal">>(query: Query, ...args: convex_server320.OptionalRestArgs<Query>) => Promise<convex_server320.FunctionReturnType<Query>>;
-    }, connectionId: string) => Promise<{
+    get: (ctx: ComponentReadCtx, connectionId: string) => Promise<{
       security: {
         maxRequestSize?: number;
       } | undefined;
@@ -490,9 +476,7 @@ declare function createGroupConnectionDomain<TDeps extends DomainDeps>(deps: TDe
       lastRotatedAt?: number;
       extend?: unknown;
     } | null>;
-    status: (ctx: {
-      runQuery: <Query extends convex_server320.FunctionReference<"query", "public" | "internal">>(query: Query, ...args: convex_server320.OptionalRestArgs<Query>) => Promise<convex_server320.FunctionReturnType<Query>>;
-    }, connectionId: string) => Promise<{
+    status: (ctx: ComponentReadCtx, connectionId: string) => Promise<{
       connectionId: string;
       configured: boolean;
       ready: boolean;
@@ -516,12 +500,8 @@ declare function createGroupConnectionDomain<TDeps extends DomainDeps>(deps: TDe
         etag: boolean;
       } | undefined;
     }>;
-    getConfigByToken: (ctx: {
-      runQuery: <Query extends convex_server320.FunctionReference<"query", "public" | "internal">>(query: Query, ...args: convex_server320.OptionalRestArgs<Query>) => Promise<convex_server320.FunctionReturnType<Query>>;
-    }, token: string) => Promise<ScimConfigRecord | null>;
-    validate: (ctx: {
-      runQuery: <Query extends convex_server320.FunctionReference<"query", "public" | "internal">>(query: Query, ...args: convex_server320.OptionalRestArgs<Query>) => Promise<convex_server320.FunctionReturnType<Query>>;
-    }, connectionId: string) => Promise<{
+    getConfigByToken: (ctx: ComponentReadCtx, token: string) => Promise<ScimConfigRecord | null>;
+    validate: (ctx: ComponentReadCtx, connectionId: string) => Promise<{
       ok: boolean;
       connectionId: string;
       checks: {
@@ -553,17 +533,12 @@ declare function createGroupConnectionDomain<TDeps extends DomainDeps>(deps: TDe
       }[];
     }>;
     identity: {
-      get: (ctx: {
-        runQuery: <Query extends convex_server320.FunctionReference<"query", "public" | "internal">>(query: Query, ...args: convex_server320.OptionalRestArgs<Query>) => Promise<convex_server320.FunctionReturnType<Query>>;
-      }, data: {
+      get: (ctx: ComponentReadCtx, data: {
         connectionId: string;
         resourceType: "user" | "group";
         externalId: string;
       }) => Promise<ScimIdentityRecord | null>;
-      upsert: (ctx: {
-        runQuery: <Query extends convex_server320.FunctionReference<"query", "public" | "internal">>(query: Query, ...args: convex_server320.OptionalRestArgs<Query>) => Promise<convex_server320.FunctionReturnType<Query>>;
-        runMutation: <Mutation extends convex_server320.FunctionReference<"mutation", "public" | "internal">>(mutation: Mutation, ...args: convex_server320.OptionalRestArgs<Mutation>) => Promise<convex_server320.FunctionReturnType<Mutation>>;
-      }, data: {
+      upsert: (ctx: ComponentCtx, data: {
         connectionId: string;
         groupId: string;
         resourceType: "user" | "group";
@@ -597,13 +572,8 @@ declare function createGroupConnectionDomain<TDeps extends DomainDeps>(deps: TDe
   };
   webhook: {
     endpoint: {
-      get: (ctx: {
-        runQuery: <Query extends convex_server320.FunctionReference<"query", "public" | "internal">>(query: Query, ...args: convex_server320.OptionalRestArgs<Query>) => Promise<convex_server320.FunctionReturnType<Query>>;
-      }, endpointId: string) => Promise<WebhookEndpointRecord | null>;
-      create: (ctx: {
-        runQuery: <Query extends convex_server320.FunctionReference<"query", "public" | "internal">>(query: Query, ...args: convex_server320.OptionalRestArgs<Query>) => Promise<convex_server320.FunctionReturnType<Query>>;
-        runMutation: <Mutation extends convex_server320.FunctionReference<"mutation", "public" | "internal">>(mutation: Mutation, ...args: convex_server320.OptionalRestArgs<Mutation>) => Promise<convex_server320.FunctionReturnType<Mutation>>;
-      }, data: {
+      get: (ctx: ComponentReadCtx, endpointId: string) => Promise<WebhookEndpointRecord | null>;
+      create: (ctx: ComponentCtx, data: {
         connectionId: string;
         url: string;
         secret: string;
@@ -612,43 +582,25 @@ declare function createGroupConnectionDomain<TDeps extends DomainDeps>(deps: TDe
       }) => Promise<{
         endpointId: string;
       }>;
-      list: (ctx: {
-        runQuery: <Query extends convex_server320.FunctionReference<"query", "public" | "internal">>(query: Query, ...args: convex_server320.OptionalRestArgs<Query>) => Promise<convex_server320.FunctionReturnType<Query>>;
-      }, connectionId: string) => Promise<WebhookEndpointRecord[]>;
-      disable: (ctx: {
-        runQuery: <Query extends convex_server320.FunctionReference<"query", "public" | "internal">>(query: Query, ...args: convex_server320.OptionalRestArgs<Query>) => Promise<convex_server320.FunctionReturnType<Query>>;
-        runMutation: <Mutation extends convex_server320.FunctionReference<"mutation", "public" | "internal">>(mutation: Mutation, ...args: convex_server320.OptionalRestArgs<Mutation>) => Promise<convex_server320.FunctionReturnType<Mutation>>;
-      }, endpointId: string) => Promise<{
+      list: (ctx: ComponentReadCtx, connectionId: string) => Promise<WebhookEndpointRecord[]>;
+      disable: (ctx: ComponentCtx, endpointId: string) => Promise<{
         endpointId: string;
       }>;
     };
-    emit: (ctx: {
-      runQuery: <Query extends convex_server320.FunctionReference<"query", "public" | "internal">>(query: Query, ...args: convex_server320.OptionalRestArgs<Query>) => Promise<convex_server320.FunctionReturnType<Query>>;
-      runMutation: <Mutation extends convex_server320.FunctionReference<"mutation", "public" | "internal">>(mutation: Mutation, ...args: convex_server320.OptionalRestArgs<Mutation>) => Promise<convex_server320.FunctionReturnType<Mutation>>;
-    }, data: {
+    emit: (ctx: ComponentCtx, data: {
       connectionId: string;
       eventType: string;
       payload: Record<string, unknown>;
       auditEventId?: string;
     }) => Promise<void>;
     delivery: {
-      list: (ctx: {
-        runQuery: <Query extends convex_server320.FunctionReference<"query", "public" | "internal">>(query: Query, ...args: convex_server320.OptionalRestArgs<Query>) => Promise<convex_server320.FunctionReturnType<Query>>;
-      }, data: {
+      list: (ctx: ComponentReadCtx, data: {
         connectionId: string;
         limit?: number;
       }) => Promise<WebhookDeliveryRecord[]>;
-      listReady: (ctx: {
-        runQuery: <Query extends convex_server320.FunctionReference<"query", "public" | "internal">>(query: Query, ...args: convex_server320.OptionalRestArgs<Query>) => Promise<convex_server320.FunctionReturnType<Query>>;
-      }, limit?: number) => Promise<WebhookDeliveryRecord[]>;
-      markDelivered: (ctx: {
-        runQuery: <Query extends convex_server320.FunctionReference<"query", "public" | "internal">>(query: Query, ...args: convex_server320.OptionalRestArgs<Query>) => Promise<convex_server320.FunctionReturnType<Query>>;
-        runMutation: <Mutation extends convex_server320.FunctionReference<"mutation", "public" | "internal">>(mutation: Mutation, ...args: convex_server320.OptionalRestArgs<Mutation>) => Promise<convex_server320.FunctionReturnType<Mutation>>;
-      }, deliveryId: string, responseStatus?: number) => Promise<void>;
-      markFailed: (ctx: {
-        runQuery: <Query extends convex_server320.FunctionReference<"query", "public" | "internal">>(query: Query, ...args: convex_server320.OptionalRestArgs<Query>) => Promise<convex_server320.FunctionReturnType<Query>>;
-        runMutation: <Mutation extends convex_server320.FunctionReference<"mutation", "public" | "internal">>(mutation: Mutation, ...args: convex_server320.OptionalRestArgs<Mutation>) => Promise<convex_server320.FunctionReturnType<Mutation>>;
-      }, deliveryId: string, data: {
+      listReady: (ctx: ComponentReadCtx, limit?: number) => Promise<WebhookDeliveryRecord[]>;
+      markDelivered: (ctx: ComponentCtx, deliveryId: string, responseStatus?: number) => Promise<void>;
+      markFailed: (ctx: ComponentCtx, deliveryId: string, data: {
         attemptCount: number;
         responseStatus?: number;
         error?: string;