@robelest/convex-auth 0.0.4-preview.27 → 0.0.4-preview.28

package/dist/server/sso/domain.js

@@ -1,5 +1,6 @@
 import { log } from "../log.js";
 import { addConnectionDomain, createGroupConnection, deleteConnectionDomain, deleteConnectionDomainVerification, deleteGroupConnection, getConnectionDomainVerification, getGroupConnection, getGroupConnectionByDomain, getScimConfigByConnection, listAuditEvents, listConnectionDomains, listGroupConnections, updateGroupConnection, upsertConnectionDomainVerification, upsertGroupConnectionSecret, verifyConnectionDomain } from "../contract.js";
+import { retryWithBackoff } from "../utils/retry.js";
 import { getGroupOidcUrls, getGroupSamlUrls, groupOidcProviderId, groupSamlProviderId, normalizeDomain } from "./shared.js";
 import { getOidcConfig, getPublicOidcConfig, getSamlConfig, upsertProtocolConfig, withOidcSecretState } from "./config.js";
 import { createGroupPolicyDomain } from "./policies.js";
@@ -7,17 +8,9 @@ import { createGroupScimDomain } from "./provision.js";
 import { createServiceProviderMetadata, getSamlServiceProviderOptions, parseSamlIdpMetadataChecked } from "./saml.js";
 import { createGroupWebhookDomain } from "./webhook.js";
 import { ConvexError } from "convex/values";
-import { Effect, Schedule } from "effect";
 
 //#region src/server/sso/domain.ts
-const NETWORK_RETRY_SCHEDULE = Schedule.both(Schedule.jittered(Schedule.exponential("200 millis")), Schedule.recurs(2));
 const convexError = (data) => new ConvexError(data);
-const toSsoError = (error) => error instanceof ConvexError ? error : typeof error === "object" && error !== null && "code" in error && "message" in error ? convexError(error) : error;
-const tryPromise = (options) => Effect.tryPromise({
-	try: async () => options.try(),
-	catch: (error) => toSsoError(options.catch(error))
-});
-const runSsoBoundary = (effect) => Effect.runPromise(effect);
 /**
 * Build the connection and SSO management domain.
 */
@@ -412,239 +405,258 @@ function createGroupConnectionDomain(deps) {
 			}
 		},
 		saml: {
-			configure: (ctx, data) => {
-				return runSsoBoundary(Effect.gen(function* () {
-					const connection = yield* tryPromise({
-						try: () => getGroupConnection(ctx, config.component.public, data.connectionId),
-						catch: () => ({
-							code: "INTERNAL_ERROR",
-							message: "Failed to load connection."
-						})
-					}).pipe(Effect.flatMap((connection$1) => connection$1 === null ? Effect.fail(convexError({
-						code: "INVALID_PARAMETERS",
-						message: connectionNotFoundError
-					})) : Effect.succeed(connection$1)));
-					if (connection.protocol !== "saml") return yield* Effect.fail(convexError({
+			configure: async (ctx, data) => {
+				let connection;
+				try {
+					connection = await getGroupConnection(ctx, config.component.public, data.connectionId);
+				} catch {
+					throw convexError({
+						code: "INTERNAL_ERROR",
+						message: "Failed to load connection."
+					});
+				}
+				if (connection === null) throw convexError({
+					code: "INVALID_PARAMETERS",
+					message: connectionNotFoundError
+				});
+				if (connection.protocol !== "saml") throw convexError({
+					code: "INVALID_PARAMETERS",
+					message: "This connection is not a SAML connection."
+				});
+				const metadataUrl = typeof data.metadata.url === "string" && data.metadata.url.length > 0 ? data.metadata.url : void 0;
+				let metadataXml;
+				if (metadataUrl) try {
+					metadataXml = await retryWithBackoff(async () => {
+						const response = await fetch(metadataUrl, { signal: AbortSignal.timeout(1e4) });
+						if (!response.ok) throw new Error(`Failed to fetch SAML metadata: ${response.status}`);
+						return await response.text();
+					});
+				} catch (error) {
+					throw convexError({
 						code: "INVALID_PARAMETERS",
-						message: "This connection is not a SAML connection."
-					}));
-					const metadataUrl = typeof data.metadata.url === "string" && data.metadata.url.length > 0 ? data.metadata.url : void 0;
-					const metadataXml = metadataUrl ? yield* tryPromise({
-						try: async () => {
-							const response = await fetch(metadataUrl, { signal: AbortSignal.timeout(1e4) });
-							if (!response.ok) throw new Error(`Failed to fetch SAML metadata: ${response.status}`);
-							return await response.text();
-						},
-						catch: (error) => ({
-							code: "INVALID_PARAMETERS",
-							message: error instanceof Error ? error.message : "Failed to fetch SAML metadata"
-						})
-					}).pipe(Effect.retry({ schedule: NETWORK_RETRY_SCHEDULE })) : data.metadata.xml ? data.metadata.xml : yield* Effect.fail(convexError({
+						message: error instanceof Error ? error.message : "Failed to fetch SAML metadata"
+					});
+				}
+				else if (data.metadata.xml) metadataXml = data.metadata.xml;
+				else throw convexError({
+					code: "INVALID_PARAMETERS",
+					message: "SAML registration requires metadataXml or metadataUrl."
+				});
+				let parsed;
+				try {
+					parsed = parseSamlIdpMetadataChecked({
+						metadataXml,
+						config: { protocols: { saml: { security: data.security } } }
+					});
+				} catch (error) {
+					throw convexError({
 						code: "INVALID_PARAMETERS",
-						message: "SAML registration requires metadataXml or metadataUrl."
-					}));
-					const parsed = yield* tryPromise({
-						try: () => parseSamlIdpMetadataChecked({
-							metadataXml,
-							config: { protocols: { saml: { security: data.security } } }
-						}),
-						catch: (error) => ({
-							code: "INVALID_PARAMETERS",
-							message: error instanceof Error ? `Failed to parse SAML metadata: ${error.message}` : "Failed to parse SAML metadata."
-						})
+						message: error instanceof Error ? `Failed to parse SAML metadata: ${error.message}` : "Failed to parse SAML metadata."
 					});
-					log("DEBUG", "[group-sso] saml:configure:parsed", {
-						connectionId: data.connectionId,
+				}
+				log("DEBUG", "[group-sso] saml:configure:parsed", {
+					connectionId: data.connectionId,
+					metadataUrl,
+					entityId: parsed.entityId,
+					issuer: parsed.issuer
+				});
+				const baseConfig = upsertProtocolConfig(connection.config, "saml", {
+					enabled: true,
+					idp: {
 						metadataUrl,
-						entityId: parsed.entityId,
-						issuer: parsed.issuer
+						metadataXml,
+						...parsed
+					},
+					serviceProvider: data.serviceProvider,
+					request: {
+						signAuthnRequests: data.request?.signAuthnRequests ?? parsed.wantsSignedAuthnRequests,
+						nameIdFormat: data.request?.nameIdFormat,
+						forceAuthn: data.request?.forceAuthn,
+						authnContextClassRefs: data.request?.authnContextClassRefs
+					},
+					profile: {
+						mapping: data.profile?.mapping,
+						extraFields: data.profile?.extraFields
+					},
+					security: data.security
+				});
+				const normalizedDomains = data.domains?.map(normalizeDomain);
+				const nextConfig = normalizedDomains ? {
+					...baseConfig,
+					domains: normalizedDomains
+				} : baseConfig;
+				const nextSamlConfig = nextConfig.protocols?.saml ?? void 0;
+				log("DEBUG", "[group-sso] saml:configure:nextConfig", {
+					connectionId: data.connectionId,
+					entityId: nextSamlConfig?.idp?.entityId ?? null,
+					issuer: nextSamlConfig?.idp?.issuer ?? null,
+					metadataUrl: nextSamlConfig?.idp?.metadataUrl ?? null,
+					hasMetadataXml: typeof nextSamlConfig?.idp?.metadataXml === "string"
+				});
+				try {
+					await updateGroupConnection(ctx, config.component.public, {
+						connectionId: connection._id,
+						data: {
+							status: "active",
+							config: nextConfig
+						}
 					});
-					const baseConfig = upsertProtocolConfig(connection.config, "saml", {
-						enabled: true,
-						idp: {
-							metadataUrl,
-							metadataXml,
-							...parsed
-						},
-						serviceProvider: data.serviceProvider,
-						request: {
-							signAuthnRequests: data.request?.signAuthnRequests ?? parsed.wantsSignedAuthnRequests,
-							nameIdFormat: data.request?.nameIdFormat,
-							forceAuthn: data.request?.forceAuthn,
-							authnContextClassRefs: data.request?.authnContextClassRefs
-						},
-						profile: {
-							mapping: data.profile?.mapping,
-							extraFields: data.profile?.extraFields
-						},
-						security: data.security
+				} catch {
+					throw convexError({
+						code: "INTERNAL_ERROR",
+						message: "Failed to persist SAML registration."
 					});
-					const normalizedDomains = data.domains?.map(normalizeDomain);
-					const nextConfig = normalizedDomains ? {
-						...baseConfig,
-						domains: normalizedDomains
-					} : baseConfig;
-					const nextSamlConfig = nextConfig.protocols?.saml ?? void 0;
-					log("DEBUG", "[group-sso] saml:configure:nextConfig", {
-						connectionId: data.connectionId,
-						entityId: nextSamlConfig?.idp?.entityId ?? null,
-						issuer: nextSamlConfig?.idp?.issuer ?? null,
-						metadataUrl: nextSamlConfig?.idp?.metadataUrl ?? null,
-						hasMetadataXml: typeof nextSamlConfig?.idp?.metadataXml === "string"
+				}
+				if (normalizedDomains) for (const [index, domain] of normalizedDomains.entries()) try {
+					await addConnectionDomain(ctx, config.component.public, {
+						connectionId: connection._id,
+						groupId: connection.groupId,
+						domain,
+						isPrimary: index === 0
 					});
-					yield* tryPromise({
-						try: () => updateGroupConnection(ctx, config.component.public, {
-							connectionId: connection._id,
-							data: {
-								status: "active",
-								config: nextConfig
-							}
-						}),
-						catch: () => ({
-							code: "INTERNAL_ERROR",
-							message: "Failed to persist SAML registration."
-						})
+				} catch {
+					throw convexError({
+						code: "INTERNAL_ERROR",
+						message: "Failed to persist connection domain."
 					});
-					if (normalizedDomains) for (const [index, domain] of normalizedDomains.entries()) yield* tryPromise({
-						try: () => addConnectionDomain(ctx, config.component.public, {
-							connectionId: connection._id,
-							groupId: connection.groupId,
-							domain,
-							isPrimary: index === 0
-						}),
-						catch: () => ({
-							code: "INTERNAL_ERROR",
-							message: "Failed to persist connection domain."
-						})
+				}
+				try {
+					await recordGroupAuditEvent(ctx, {
+						connectionId: connection._id,
+						groupId: connection.groupId,
+						eventType: "group.sso.saml.registered",
+						actorType: "system",
+						subjectType: "group_connection_saml",
+						subjectId: connection._id,
+						ok: true,
+						metadata: {
+							metadataUrl,
+							domains: normalizedDomains
+						}
 					});
-					yield* tryPromise({
-						try: () => recordGroupAuditEvent(ctx, {
-							connectionId: connection._id,
-							groupId: connection.groupId,
-							eventType: "group.sso.saml.registered",
-							actorType: "system",
-							subjectType: "group_connection_saml",
-							subjectId: connection._id,
-							ok: true,
-							metadata: {
-								metadataUrl,
-								domains: normalizedDomains
-							}
-						}),
-						catch: () => ({
-							code: "INTERNAL_ERROR",
-							message: "Failed to record SAML registration audit event."
-						})
+				} catch {
+					throw convexError({
+						code: "INTERNAL_ERROR",
+						message: "Failed to record SAML registration audit event."
 					});
-					return {
-						connectionId: connection._id,
-						groupId: connection.groupId
-					};
-				}));
+				}
+				return {
+					connectionId: connection._id,
+					groupId: connection.groupId
+				};
 			},
-			refresh: (ctx, data) => {
-				return runSsoBoundary(Effect.gen(function* () {
-					const connection = yield* tryPromise({
-						try: () => getGroupConnection(ctx, config.component.public, data.connectionId),
-						catch: () => ({
-							code: "INTERNAL_ERROR",
-							message: "Failed to load connection."
-						})
-					}).pipe(Effect.flatMap((connection$1) => connection$1 === null ? Effect.fail(convexError({
-						code: "INVALID_PARAMETERS",
-						message: connectionNotFoundError
-					})) : Effect.succeed(connection$1)));
-					const samlConfig = connection.config?.protocols?.saml;
-					if (connection.protocol !== "saml") return yield* Effect.fail(convexError({
-						code: "INVALID_PARAMETERS",
-						message: "This connection is not a SAML connection."
-					}));
-					if (typeof samlConfig?.idp?.metadataUrl !== "string") return yield* Effect.fail(convexError({
+			refresh: async (ctx, data) => {
+				let connection;
+				try {
+					connection = await getGroupConnection(ctx, config.component.public, data.connectionId);
+				} catch {
+					throw convexError({
+						code: "INTERNAL_ERROR",
+						message: "Failed to load connection."
+					});
+				}
+				if (connection === null) throw convexError({
+					code: "INVALID_PARAMETERS",
+					message: connectionNotFoundError
+				});
+				const samlConfig = connection.config?.protocols?.saml;
+				if (connection.protocol !== "saml") throw convexError({
+					code: "INVALID_PARAMETERS",
+					message: "This connection is not a SAML connection."
+				});
+				if (typeof samlConfig?.idp?.metadataUrl !== "string") throw convexError({
+					code: "INVALID_PARAMETERS",
+					message: "SAML metadataUrl is not configured."
+				});
+				const metadataUrl = samlConfig.idp.metadataUrl;
+				let metadataXml;
+				try {
+					metadataXml = await retryWithBackoff(async () => {
+						const response = await fetch(metadataUrl, { signal: AbortSignal.timeout(1e4) });
+						if (!response.ok) throw new Error(`Failed to fetch SAML metadata: ${response.status}`);
+						return await response.text();
+					});
+				} catch (error) {
+					throw convexError({
 						code: "INVALID_PARAMETERS",
-						message: "SAML metadataUrl is not configured."
-					}));
-					const metadataUrl = samlConfig.idp.metadataUrl;
-					const response = yield* tryPromise({
-						try: async () => {
-							const response$1 = await fetch(metadataUrl, { signal: AbortSignal.timeout(1e4) });
-							if (!response$1.ok) throw new Error(`Failed to fetch SAML metadata: ${response$1.status}`);
-							return await response$1.text();
-						},
-						catch: (error) => ({
-							code: "INVALID_PARAMETERS",
-							message: error instanceof Error ? error.message : "Failed to fetch SAML metadata"
-						})
-					}).pipe(Effect.retry({ schedule: NETWORK_RETRY_SCHEDULE }));
-					const parsed = yield* tryPromise({
-						try: () => parseSamlIdpMetadataChecked({
-							metadataXml: response,
-							config: connection.config
-						}),
-						catch: (error) => ({
-							code: "INVALID_PARAMETERS",
-							message: error instanceof Error ? `Failed to parse SAML metadata: ${error.message}` : "Failed to parse SAML metadata."
-						})
+						message: error instanceof Error ? error.message : "Failed to fetch SAML metadata"
 					});
-					const nextConfig = upsertProtocolConfig(connection.config, "saml", {
-						enabled: true,
-						idp: {
-							metadataUrl,
-							metadataXml: response,
-							...parsed
-						},
-						serviceProvider: samlConfig.serviceProvider,
-						request: samlConfig.request,
-						profile: samlConfig.profile,
-						security: samlConfig.security
+				}
+				let parsed;
+				try {
+					parsed = parseSamlIdpMetadataChecked({
+						metadataXml,
+						config: connection.config
 					});
-					yield* tryPromise({
-						try: () => updateGroupConnection(ctx, config.component.public, {
-							connectionId: connection._id,
-							data: {
-								status: connection.status,
-								config: nextConfig
-							}
-						}),
-						catch: () => ({
-							code: "INTERNAL_ERROR",
-							message: "Failed to persist refreshed SAML metadata."
-						})
+				} catch (error) {
+					throw convexError({
+						code: "INVALID_PARAMETERS",
+						message: error instanceof Error ? `Failed to parse SAML metadata: ${error.message}` : "Failed to parse SAML metadata."
 					});
-					yield* tryPromise({
-						try: () => recordGroupAuditEvent(ctx, {
-							connectionId: connection._id,
-							groupId: connection.groupId,
-							eventType: "group.sso.saml.refreshed",
-							actorType: "system",
-							subjectType: "group_connection_saml",
-							subjectId: connection._id,
-							ok: true,
-							metadata: { metadataUrl }
-						}),
-						catch: () => ({
-							code: "INTERNAL_ERROR",
-							message: "Failed to record SAML refresh audit event."
-						})
+				}
+				const nextConfig = upsertProtocolConfig(connection.config, "saml", {
+					enabled: true,
+					idp: {
+						metadataUrl,
+						metadataXml,
+						...parsed
+					},
+					serviceProvider: samlConfig.serviceProvider,
+					request: samlConfig.request,
+					profile: samlConfig.profile,
+					security: samlConfig.security
+				});
+				try {
+					await updateGroupConnection(ctx, config.component.public, {
+						connectionId: connection._id,
+						data: {
+							status: connection.status,
+							config: nextConfig
+						}
 					});
-					return {
+				} catch {
+					throw convexError({
+						code: "INTERNAL_ERROR",
+						message: "Failed to persist refreshed SAML metadata."
+					});
+				}
+				try {
+					await recordGroupAuditEvent(ctx, {
 						connectionId: connection._id,
-						groupId: connection.groupId
-					};
-				}));
+						groupId: connection.groupId,
+						eventType: "group.sso.saml.refreshed",
+						actorType: "system",
+						subjectType: "group_connection_saml",
+						subjectId: connection._id,
+						ok: true,
+						metadata: { metadataUrl }
+					});
+				} catch {
+					throw convexError({
+						code: "INTERNAL_ERROR",
+						message: "Failed to record SAML refresh audit event."
+					});
+				}
+				return {
+					connectionId: connection._id,
+					groupId: connection.groupId
+				};
 			},
-			get: (ctx, connectionId) => {
-				return runSsoBoundary(Effect.gen(function* () {
-					return getSamlConfig((yield* tryPromise({
-						try: () => getGroupConnection(ctx, config.component.public, connectionId),
-						catch: () => ({
-							code: "INTERNAL_ERROR",
-							message: "Failed to load connection."
-						})
-					}).pipe(Effect.flatMap((connection) => connection === null ? Effect.fail(convexError({
-						code: "INVALID_PARAMETERS",
-						message: connectionNotFoundError
-					})) : Effect.succeed(connection)))).config);
-				}));
+			get: async (ctx, connectionId) => {
+				let connection;
+				try {
+					connection = await getGroupConnection(ctx, config.component.public, connectionId);
+				} catch {
+					throw convexError({
+						code: "INTERNAL_ERROR",
+						message: "Failed to load connection."
+					});
+				}
+				if (connection === null) throw convexError({
+					code: "INVALID_PARAMETERS",
+					message: connectionNotFoundError
+				});
+				return getSamlConfig(connection.config);
 			},
 			status: (ctx, connectionId) => {
 				return getGroupConnection(ctx, config.component.public, connectionId).then((connection) => {
@@ -786,141 +798,152 @@ function createGroupConnectionDomain(deps) {
 		},
 		policy,
 		oidc: {
-			configure: (ctx, data) => {
-				return runSsoBoundary(Effect.gen(function* () {
-					if (data.discovery.issuer === void 0 && data.discovery.discoveryUrl === void 0) return yield* Effect.fail(convexError({
-						code: "INVALID_PARAMETERS",
-						message: "OIDC registration requires issuer or discoveryUrl."
-					}));
-					const connection = yield* tryPromise({
-						try: () => getGroupConnection(ctx, config.component.public, data.connectionId),
-						catch: () => ({
-							code: "INTERNAL_ERROR",
-							message: "Failed to load connection."
-						})
-					}).pipe(Effect.flatMap((connection$1) => connection$1 === null ? Effect.fail(convexError({
-						code: "INVALID_PARAMETERS",
-						message: connectionNotFoundError
-					})) : Effect.succeed(connection$1)));
-					if (connection.protocol !== "oidc") return yield* Effect.fail(convexError({
-						code: "INVALID_PARAMETERS",
-						message: "This connection is not an OIDC connection."
-					}));
-					const nextConfig = upsertProtocolConfig(connection.config, "oidc", {
-						enabled: true,
-						discovery: {
-							issuer: data.discovery.issuer,
-							discoveryUrl: data.discovery.discoveryUrl,
-							jwksUri: data.discovery.jwksUri,
-							audience: data.discovery.audience
-						},
-						client: {
-							id: data.client.id,
-							authMethod: data.client.authMethod
-						},
-						request: {
-							scopes: data.request?.scopes ?? [
-								"openid",
-								"profile",
-								"email"
-							],
-							loginHint: data.request?.loginHint,
-							authorizationParams: data.request?.authorizationParams
-						},
-						security: {
-							clockToleranceSeconds: data.security?.clockToleranceSeconds,
-							strictIssuer: data.security?.strictIssuer
-						},
-						profile: {
-							mapping: data.profile?.mapping,
-							extraFields: data.profile?.extraFields
-						}
+			configure: async (ctx, data) => {
+				if (data.discovery.issuer === void 0 && data.discovery.discoveryUrl === void 0) throw convexError({
+					code: "INVALID_PARAMETERS",
+					message: "OIDC registration requires issuer or discoveryUrl."
+				});
+				let connection;
+				try {
+					connection = await getGroupConnection(ctx, config.component.public, data.connectionId);
+				} catch {
+					throw convexError({
+						code: "INTERNAL_ERROR",
+						message: "Failed to load connection."
 					});
-					yield* tryPromise({
-						try: () => updateGroupConnection(ctx, config.component.public, {
-							connectionId: data.connectionId,
-							data: { config: nextConfig }
-						}),
-						catch: () => ({
-							code: "INTERNAL_ERROR",
-							message: "Failed to persist OIDC registration."
-						})
+				}
+				if (connection === null) throw convexError({
+					code: "INVALID_PARAMETERS",
+					message: connectionNotFoundError
+				});
+				if (connection.protocol !== "oidc") throw convexError({
+					code: "INVALID_PARAMETERS",
+					message: "This connection is not an OIDC connection."
+				});
+				const nextConfig = upsertProtocolConfig(connection.config, "oidc", {
+					enabled: true,
+					discovery: {
+						issuer: data.discovery.issuer,
+						discoveryUrl: data.discovery.discoveryUrl,
+						jwksUri: data.discovery.jwksUri,
+						audience: data.discovery.audience
+					},
+					client: {
+						id: data.client.id,
+						authMethod: data.client.authMethod
+					},
+					request: {
+						scopes: data.request?.scopes ?? [
+							"openid",
+							"profile",
+							"email"
+						],
+						loginHint: data.request?.loginHint,
+						authorizationParams: data.request?.authorizationParams
+					},
+					security: {
+						clockToleranceSeconds: data.security?.clockToleranceSeconds,
+						strictIssuer: data.security?.strictIssuer
+					},
+					profile: {
+						mapping: data.profile?.mapping,
+						extraFields: data.profile?.extraFields
+					}
+				});
+				try {
+					await updateGroupConnection(ctx, config.component.public, {
+						connectionId: data.connectionId,
+						data: { config: nextConfig }
 					});
-					if (data.client.secret !== void 0) {
-						const ciphertext = yield* tryPromise({
-							try: () => encryptSecret(data.client.secret),
-							catch: () => ({
-								code: "INTERNAL_ERROR",
-								message: "Failed to encrypt OIDC client secret."
-							})
-						});
-						yield* tryPromise({
-							try: () => upsertGroupConnectionSecret(ctx, config.component.public, {
-								connectionId: data.connectionId,
-								groupId: connection.groupId,
-								kind: GROUP_CONNECTION_OIDC_CLIENT_SECRET_KIND,
-								ciphertext,
-								updatedAt: Date.now()
-							}),
-							catch: () => ({
-								code: "INTERNAL_ERROR",
-								message: "Failed to persist OIDC client secret."
-							})
+				} catch {
+					throw convexError({
+						code: "INTERNAL_ERROR",
+						message: "Failed to persist OIDC registration."
+					});
+				}
+				if (data.client.secret !== void 0) {
+					let ciphertext;
+					try {
+						ciphertext = await encryptSecret(data.client.secret);
+					} catch {
+						throw convexError({
+							code: "INTERNAL_ERROR",
+							message: "Failed to encrypt OIDC client secret."
 						});
 					}
-					yield* tryPromise({
-						try: () => recordGroupAuditEvent(ctx, {
+					try {
+						await upsertGroupConnectionSecret(ctx, config.component.public, {
 							connectionId: data.connectionId,
 							groupId: connection.groupId,
-							eventType: "group.sso.oidc.registered",
-							actorType: "system",
-							subjectType: "group_connection_oidc",
-							subjectId: data.connectionId,
-							ok: true,
-							metadata: {
-								issuer: data.discovery.issuer,
-								discoveryUrl: data.discovery.discoveryUrl,
-								jwksUri: data.discovery.jwksUri,
-								audience: data.discovery.audience,
-								tokenEndpointAuthMethod: data.client.authMethod
-							}
-						}),
-						catch: () => ({
+							kind: GROUP_CONNECTION_OIDC_CLIENT_SECRET_KIND,
+							ciphertext,
+							updatedAt: Date.now()
+						});
+					} catch {
+						throw convexError({
 							code: "INTERNAL_ERROR",
-							message: "Failed to record OIDC registration audit event."
-						})
+							message: "Failed to persist OIDC client secret."
+						});
+					}
+				}
+				try {
+					await recordGroupAuditEvent(ctx, {
+						connectionId: data.connectionId,
+						groupId: connection.groupId,
+						eventType: "group.sso.oidc.registered",
+						actorType: "system",
+						subjectType: "group_connection_oidc",
+						subjectId: data.connectionId,
+						ok: true,
+						metadata: {
+							issuer: data.discovery.issuer,
+							discoveryUrl: data.discovery.discoveryUrl,
+							jwksUri: data.discovery.jwksUri,
+							audience: data.discovery.audience,
+							tokenEndpointAuthMethod: data.client.authMethod
+						}
 					});
-					const secret = yield* tryPromise({
-						try: () => getGroupConnectionSecret(ctx, data.connectionId, GROUP_CONNECTION_OIDC_CLIENT_SECRET_KIND),
-						catch: () => ({
-							code: "INTERNAL_ERROR",
-							message: "Failed to load OIDC secret metadata."
-						})
+				} catch {
+					throw convexError({
+						code: "INTERNAL_ERROR",
+						message: "Failed to record OIDC registration audit event."
 					});
-					return withOidcSecretState(getPublicOidcConfig(nextConfig), secret !== null);
-				}));
+				}
+				let secret;
+				try {
+					secret = await getGroupConnectionSecret(ctx, data.connectionId, GROUP_CONNECTION_OIDC_CLIENT_SECRET_KIND);
+				} catch {
+					throw convexError({
+						code: "INTERNAL_ERROR",
+						message: "Failed to load OIDC secret metadata."
+					});
+				}
+				return withOidcSecretState(getPublicOidcConfig(nextConfig), secret !== null);
 			},
-			get: (ctx, connectionId) => {
-				return runSsoBoundary(Effect.gen(function* () {
-					const connection = yield* tryPromise({
-						try: () => getGroupConnection(ctx, config.component.public, connectionId),
-						catch: () => ({
-							code: "INTERNAL_ERROR",
-							message: "Failed to load connection."
-						})
-					}).pipe(Effect.flatMap((connection$1) => connection$1 === null ? Effect.fail(convexError({
-						code: "INVALID_PARAMETERS",
-						message: connectionNotFoundError
-					})) : Effect.succeed(connection$1)));
-					const secret = yield* tryPromise({
-						try: () => getGroupConnectionSecret(ctx, connection._id, GROUP_CONNECTION_OIDC_CLIENT_SECRET_KIND),
-						catch: () => ({
-							code: "INTERNAL_ERROR",
-							message: "Failed to load OIDC secret metadata."
-						})
+			get: async (ctx, connectionId) => {
+				let connection;
+				try {
+					connection = await getGroupConnection(ctx, config.component.public, connectionId);
+				} catch {
+					throw convexError({
+						code: "INTERNAL_ERROR",
+						message: "Failed to load connection."
 					});
-					return withOidcSecretState(getPublicOidcConfig(connection.config), secret !== null);
-				}));
+				}
+				if (connection === null) throw convexError({
+					code: "INVALID_PARAMETERS",
+					message: connectionNotFoundError
+				});
+				let secret;
+				try {
+					secret = await getGroupConnectionSecret(ctx, connection._id, GROUP_CONNECTION_OIDC_CLIENT_SECRET_KIND);
+				} catch {
+					throw convexError({
+						code: "INTERNAL_ERROR",
+						message: "Failed to load OIDC secret metadata."
+					});
+				}
+				return withOidcSecretState(getPublicOidcConfig(connection.config), secret !== null);
 			},
 			status: (ctx, connectionId) => {
 				return Promise.all([getGroupConnection(ctx, config.component.public, connectionId), getGroupConnectionSecret(ctx, connectionId, GROUP_CONNECTION_OIDC_CLIENT_SECRET_KIND)]).then(([connection, secret]) => {
@@ -948,91 +971,99 @@ function createGroupConnectionDomain(deps) {
 					};
 				});
 			},
-			signIn: (ctx, data) => {
+			signIn: async (ctx, data) => {
 				log("DEBUG", "[group-sso] resolver:start", {
 					connectionId: data.connectionId,
 					email: data.email,
 					domain: data.domain,
 					redirectTo: data.redirectTo
 				});
-				return runSsoBoundary(Effect.gen(function* () {
-					const connection = data.connectionId !== void 0 ? yield* tryPromise({
-						try: () => getGroupConnection(ctx, config.component.public, data.connectionId),
-						catch: () => ({
+				let connection;
+				if (data.connectionId !== void 0) {
+					try {
+						connection = await getGroupConnection(ctx, config.component.public, data.connectionId);
+					} catch {
+						throw convexError({
 							code: "INTERNAL_ERROR",
 							message: "Failed to load connection."
-						})
-					}).pipe(Effect.flatMap((connection$1) => connection$1 === null ? Effect.fail(convexError({
+						});
+					}
+					if (connection === null) throw convexError({
 						code: "INVALID_PARAMETERS",
 						message: connectionNotFoundError
-					})) : Effect.succeed(connection$1))) : data.domain !== void 0 || data.email !== void 0 ? yield* tryPromise({
-						try: () => getGroupConnectionByDomain(ctx, config.component.public, normalizeDomain(data.domain ?? String(data.email).split("@").pop() ?? "")),
-						catch: () => ({
+					});
+				} else if (data.domain !== void 0 || data.email !== void 0) {
+					let result;
+					try {
+						result = await getGroupConnectionByDomain(ctx, config.component.public, normalizeDomain(data.domain ?? String(data.email).split("@").pop() ?? ""));
+					} catch {
+						throw convexError({
 							code: "INTERNAL_ERROR",
 							message: "Failed to resolve connection by domain."
-						})
-					}).pipe(Effect.tap((result) => Effect.sync(() => {
-						log("DEBUG", "[group-sso] resolver:domainLookup", result);
-					})), Effect.flatMap((result) => result?.connection && result.domain?.verifiedAt !== void 0 ? Effect.succeed(result.connection) : Effect.fail(convexError({
-						code: "INVALID_PARAMETERS",
-						message: "No group connection matched the provided input."
-					})))) : yield* Effect.fail(convexError({
+						});
+					}
+					log("DEBUG", "[group-sso] resolver:domainLookup", result);
+					if (result?.connection && result.domain?.verifiedAt !== void 0) connection = result.connection;
+					else throw convexError({
 						code: "INVALID_PARAMETERS",
 						message: "No group connection matched the provided input."
-					}));
-					if (connection.status !== "active") return yield* Effect.fail(convexError({
-						code: "INVALID_PARAMETERS",
-						message: "Group connection is not active."
-					}));
-					const protocol = resolveGroupConnectionProtocol(connection);
-					log("DEBUG", "[group-sso] resolver:connection", {
-						connectionId: connection._id,
-						status: connection.status,
-						protocol
 					});
-					const { signInPath, callbackPath, providerId } = protocol === "oidc" ? (() => {
-						const urls = getGroupOidcUrls({
-							rootUrl: requireEnv("CONVEX_SITE_URL"),
-							connectionId: connection._id,
-							sharedRedirectURI: deps.sharedOidcRedirectURI
-						});
-						return {
-							signInPath: urls.signInUrl,
-							callbackPath: urls.callbackUrl,
-							providerId: groupOidcProviderId(connection._id)
-						};
-					})() : (() => {
-						const urls = getGroupSamlUrls({
-							rootUrl: requireEnv("CONVEX_SITE_URL"),
-							source: {
-								kind: "connection",
-								id: connection._id
-							}
-						});
-						return {
-							signInPath: `${requireEnv("CONVEX_SITE_URL")}/api/auth/connections/${connection._id}/saml/signin`,
-							callbackPath: urls.acsUrl,
-							providerId: groupSamlProviderId(connection._id)
-						};
-					})();
-					log("DEBUG", "[group-sso] resolver:paths", {
+				} else throw convexError({
+					code: "INVALID_PARAMETERS",
+					message: "No group connection matched the provided input."
+				});
+				if (connection.status !== "active") throw convexError({
+					code: "INVALID_PARAMETERS",
+					message: "Group connection is not active."
+				});
+				const protocol = resolveGroupConnectionProtocol(connection);
+				log("DEBUG", "[group-sso] resolver:connection", {
+					connectionId: connection._id,
+					status: connection.status,
+					protocol
+				});
+				const { signInPath, callbackPath, providerId } = protocol === "oidc" ? (() => {
+					const urls = getGroupOidcUrls({
+						rootUrl: requireEnv("CONVEX_SITE_URL"),
 						connectionId: connection._id,
-						signInPath,
-						callbackPath
+						sharedRedirectURI: deps.sharedOidcRedirectURI
 					});
 					return {
-						connectionId: connection._id,
-						protocol,
-						providerId,
-						signInPath: protocol === "oidc" && typeof data.loginHint === "string" ? (() => {
-							const signInUrl = new URL(signInPath);
-							signInUrl.searchParams.set("loginHint", data.loginHint);
-							return signInUrl.toString();
-						})() : signInPath,
-						callbackPath,
-						redirectTo: data.redirectTo
+						signInPath: urls.signInUrl,
+						callbackPath: urls.callbackUrl,
+						providerId: groupOidcProviderId(connection._id)
 					};
-				}));
+				})() : (() => {
+					const urls = getGroupSamlUrls({
+						rootUrl: requireEnv("CONVEX_SITE_URL"),
+						source: {
+							kind: "connection",
+							id: connection._id
+						}
+					});
+					return {
+						signInPath: `${requireEnv("CONVEX_SITE_URL")}/api/auth/connections/${connection._id}/saml/signin`,
+						callbackPath: urls.acsUrl,
+						providerId: groupSamlProviderId(connection._id)
+					};
+				})();
+				log("DEBUG", "[group-sso] resolver:paths", {
+					connectionId: connection._id,
+					signInPath,
+					callbackPath
+				});
+				return {
+					connectionId: connection._id,
+					protocol,
+					providerId,
+					signInPath: protocol === "oidc" && typeof data.loginHint === "string" ? (() => {
+						const signInUrl = new URL(signInPath);
+						signInUrl.searchParams.set("loginHint", data.loginHint);
+						return signInUrl.toString();
+					})() : signInPath,
+					callbackPath,
+					redirectTo: data.redirectTo
+				};
 			},
 			validate: async (ctx, connectionId) => {
 				const checks = [];