@robelest/convex-auth 0.0.4-preview.27 → 0.0.4-preview.28

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (88) hide show
  1. package/README.md +3 -5
  2. package/dist/bin.js +6488 -1571
  3. package/dist/browser/index.js +10 -7
  4. package/dist/browser/locks.js +3 -5
  5. package/dist/browser/navigation.js +7 -10
  6. package/dist/browser/runtime.js +35 -33
  7. package/dist/client/core/types.js +17 -0
  8. package/dist/client/factors/device.js +26 -19
  9. package/dist/client/index.js +151 -163
  10. package/dist/client/runtime/proxy.js +6 -6
  11. package/dist/client/services/adapters.js +3 -7
  12. package/dist/client/services/http.js +2 -5
  13. package/dist/client/services/resolve.js +5 -11
  14. package/dist/client/services/runtime.js +2 -5
  15. package/dist/component/_generated/component.d.ts +46 -0
  16. package/dist/component/index.d.ts +3 -3
  17. package/dist/component/model.d.ts +25 -25
  18. package/dist/component/public/identity/sessions.js +38 -1
  19. package/dist/component/public/identity/tokens.js +81 -3
  20. package/dist/component/public/identity/verifiers.js +9 -3
  21. package/dist/component/public.js +3 -3
  22. package/dist/component/schema.d.ts +320 -320
  23. package/dist/core/index.d.ts +380 -0
  24. package/dist/core/index.js +83 -0
  25. package/dist/otel.d.ts +13 -17
  26. package/dist/otel.js +39 -49
  27. package/dist/providers/email.d.ts +2 -2
  28. package/dist/providers/password.js +8 -16
  29. package/dist/providers/phone.js +2 -9
  30. package/dist/server/auth-context.d.ts +204 -0
  31. package/dist/server/auth-context.js +76 -0
  32. package/dist/server/auth.d.ts +25 -187
  33. package/dist/server/auth.js +5 -96
  34. package/dist/server/componentContext.d.ts +12 -0
  35. package/dist/server/componentContext.js +1 -0
  36. package/dist/server/config.js +1 -12
  37. package/dist/server/constants.js +6 -0
  38. package/dist/server/contract.d.ts +1 -1
  39. package/dist/server/core.js +5 -14
  40. package/dist/server/crypto.js +26 -18
  41. package/dist/server/db.js +6 -1
  42. package/dist/server/device.js +88 -78
  43. package/dist/server/http.d.ts +4 -3
  44. package/dist/server/http.js +74 -86
  45. package/dist/server/index.d.ts +2 -1
  46. package/dist/server/limits.js +22 -15
  47. package/dist/server/mounts.d.ts +103 -103
  48. package/dist/server/mutations/account.js +6 -4
  49. package/dist/server/mutations/invalidate.js +3 -6
  50. package/dist/server/mutations/oauth.js +86 -88
  51. package/dist/server/mutations/refresh.js +45 -87
  52. package/dist/server/mutations/register.js +19 -19
  53. package/dist/server/mutations/retrieve.js +17 -15
  54. package/dist/server/mutations/signature.js +9 -13
  55. package/dist/server/mutations/signin.js +7 -3
  56. package/dist/server/mutations/signout.js +10 -15
  57. package/dist/server/mutations/store.js +22 -12
  58. package/dist/server/mutations/verifier.js +11 -6
  59. package/dist/server/mutations/verify.js +55 -46
  60. package/dist/server/oauth/runtime.js +27 -25
  61. package/dist/server/passkey.js +299 -250
  62. package/dist/server/prefetch.js +283 -281
  63. package/dist/server/refresh.js +7 -60
  64. package/dist/server/runtime.d.ts +82 -206
  65. package/dist/server/runtime.js +63 -56
  66. package/dist/server/services/config.js +5 -3
  67. package/dist/server/services/logger.js +2 -4
  68. package/dist/server/services/providers.js +2 -4
  69. package/dist/server/services/refresh.js +2 -4
  70. package/dist/server/services/resolve.js +15 -14
  71. package/dist/server/services/signin.js +2 -4
  72. package/dist/server/sessions.js +32 -33
  73. package/dist/server/signin.js +177 -142
  74. package/dist/server/sso/domain.d.ts +20 -68
  75. package/dist/server/sso/domain.js +444 -413
  76. package/dist/server/sso/http.js +53 -59
  77. package/dist/server/sso/oidc.js +94 -80
  78. package/dist/server/tokens.js +13 -3
  79. package/dist/server/totp.js +153 -116
  80. package/dist/server/types.d.ts +2 -2
  81. package/dist/server/users.js +18 -23
  82. package/dist/server/utils/cache.js +51 -0
  83. package/dist/server/utils/dispatch.js +36 -0
  84. package/dist/server/utils/retry.js +24 -0
  85. package/dist/server/utils/span.js +32 -0
  86. package/dist/shared/errors.js +9 -3
  87. package/dist/shared/log.js +20 -22
  88. package/package.json +41 -33
@@ -1,5 +1,5 @@
1
- import * as convex_values0 from "convex/values";
2
- import * as convex_server75 from "convex/server";
1
+ import * as convex_values87 from "convex/values";
2
+ import * as convex_server81 from "convex/server";
3
3
 
4
4
  //#region src/component/schema.d.ts
5
5
  /**
@@ -9,30 +9,30 @@ import * as convex_server75 from "convex/server";
9
9
  * verification codes, PKCE verifiers, rate limits) and hierarchical group
10
10
  * management (groups, members, invites).
11
11
  */
12
- declare const _default: convex_server75.SchemaDefinition<{
12
+ declare const _default: convex_server81.SchemaDefinition<{
13
13
  /**
14
14
  * Authenticated users. A user may have multiple linked accounts
15
15
  * and multiple concurrent sessions.
16
16
  */
17
- User: convex_server75.TableDefinition<convex_values0.VObject<{
17
+ User: convex_server81.TableDefinition<convex_values87.VObject<{
18
18
  email?: string | undefined;
19
19
  name?: string | undefined;
20
20
  image?: string | undefined;
21
- extend?: any;
22
21
  phone?: string | undefined;
22
+ extend?: any;
23
23
  emailVerificationTime?: number | undefined;
24
24
  phoneVerificationTime?: number | undefined;
25
25
  isAnonymous?: boolean | undefined;
26
26
  }, {
27
- name: convex_values0.VString<string | undefined, "optional">;
28
- image: convex_values0.VString<string | undefined, "optional">;
29
- email: convex_values0.VString<string | undefined, "optional">;
30
- emailVerificationTime: convex_values0.VFloat64<number | undefined, "optional">;
31
- phone: convex_values0.VString<string | undefined, "optional">;
32
- phoneVerificationTime: convex_values0.VFloat64<number | undefined, "optional">;
33
- isAnonymous: convex_values0.VBoolean<boolean | undefined, "optional">;
34
- extend: convex_values0.VAny<any, "optional", string>;
35
- }, "required", "email" | "name" | "image" | "extend" | "phone" | "emailVerificationTime" | "phoneVerificationTime" | "isAnonymous" | `extend.${string}`>, {
27
+ name: convex_values87.VString<string | undefined, "optional">;
28
+ image: convex_values87.VString<string | undefined, "optional">;
29
+ email: convex_values87.VString<string | undefined, "optional">;
30
+ emailVerificationTime: convex_values87.VFloat64<number | undefined, "optional">;
31
+ phone: convex_values87.VString<string | undefined, "optional">;
32
+ phoneVerificationTime: convex_values87.VFloat64<number | undefined, "optional">;
33
+ isAnonymous: convex_values87.VBoolean<boolean | undefined, "optional">;
34
+ extend: convex_values87.VAny<any, "optional", string>;
35
+ }, "required", "email" | "name" | "image" | "phone" | "extend" | "emailVerificationTime" | "phoneVerificationTime" | "isAnonymous" | `extend.${string}`>, {
36
36
  email: ["email", "_creationTime"];
37
37
  email_verified: ["email", "emailVerificationTime", "_creationTime"];
38
38
  phone: ["phone", "_creationTime"];
@@ -43,12 +43,12 @@ declare const _default: convex_server75.SchemaDefinition<{
43
43
  * across different devices or browsers. Sessions expire after a
44
44
  * configurable duration.
45
45
  */
46
- Session: convex_server75.TableDefinition<convex_values0.VObject<{
47
- userId: convex_values0.GenericId<"User">;
46
+ Session: convex_server81.TableDefinition<convex_values87.VObject<{
47
+ userId: convex_values87.GenericId<"User">;
48
48
  expirationTime: number;
49
49
  }, {
50
- userId: convex_values0.VId<convex_values0.GenericId<"User">, "required">;
51
- expirationTime: convex_values0.VFloat64<number, "required">;
50
+ userId: convex_values87.VId<convex_values87.GenericId<"User">, "required">;
51
+ expirationTime: convex_values87.VFloat64<number, "required">;
52
52
  }, "required", "userId" | "expirationTime">, {
53
53
  user_id: ["userId", "_creationTime"];
54
54
  }, {}, {}>;
@@ -57,23 +57,23 @@ declare const _default: convex_server75.SchemaDefinition<{
57
57
  * authentication provider (e.g. Google OAuth, email/password).
58
58
  * A user can have multiple accounts linked.
59
59
  */
60
- Account: convex_server75.TableDefinition<convex_values0.VObject<{
60
+ Account: convex_server81.TableDefinition<convex_values87.VObject<{
61
61
  emailVerified?: string | undefined;
62
62
  extend?: any;
63
63
  secret?: string | undefined;
64
64
  phoneVerified?: string | undefined;
65
- userId: convex_values0.GenericId<"User">;
65
+ userId: convex_values87.GenericId<"User">;
66
66
  provider: string;
67
67
  providerAccountId: string;
68
68
  }, {
69
- userId: convex_values0.VId<convex_values0.GenericId<"User">, "required">;
70
- provider: convex_values0.VString<string, "required">;
71
- providerAccountId: convex_values0.VString<string, "required">;
72
- secret: convex_values0.VString<string | undefined, "optional">;
73
- emailVerified: convex_values0.VString<string | undefined, "optional">;
74
- phoneVerified: convex_values0.VString<string | undefined, "optional">;
75
- extend: convex_values0.VAny<any, "optional", string>;
76
- }, "required", "emailVerified" | "extend" | "userId" | "provider" | "providerAccountId" | "secret" | `extend.${string}` | "phoneVerified">, {
69
+ userId: convex_values87.VId<convex_values87.GenericId<"User">, "required">;
70
+ provider: convex_values87.VString<string, "required">;
71
+ providerAccountId: convex_values87.VString<string, "required">;
72
+ secret: convex_values87.VString<string | undefined, "optional">;
73
+ emailVerified: convex_values87.VString<string | undefined, "optional">;
74
+ phoneVerified: convex_values87.VString<string | undefined, "optional">;
75
+ extend: convex_values87.VAny<any, "optional", string>;
76
+ }, "required", "emailVerified" | "userId" | "extend" | `extend.${string}` | "provider" | "providerAccountId" | "secret" | "phoneVerified">, {
77
77
  user_id_provider: ["userId", "provider", "_creationTime"];
78
78
  provider_account_id: ["provider", "providerAccountId", "_creationTime"];
79
79
  }, {}, {}>;
@@ -85,17 +85,17 @@ declare const _default: convex_server75.SchemaDefinition<{
85
85
  * been used yet. A 10-second reuse window allows for concurrent requests.
86
86
  * Any invalid use of a token invalidates the entire chain.
87
87
  */
88
- RefreshToken: convex_server75.TableDefinition<convex_values0.VObject<{
88
+ RefreshToken: convex_server81.TableDefinition<convex_values87.VObject<{
89
89
  firstUsedTime?: number | undefined;
90
- parentRefreshTokenId?: convex_values0.GenericId<"RefreshToken"> | undefined;
91
- sessionId: convex_values0.GenericId<"Session">;
90
+ parentRefreshTokenId?: convex_values87.GenericId<"RefreshToken"> | undefined;
92
91
  expirationTime: number;
92
+ sessionId: convex_values87.GenericId<"Session">;
93
93
  }, {
94
- sessionId: convex_values0.VId<convex_values0.GenericId<"Session">, "required">;
95
- expirationTime: convex_values0.VFloat64<number, "required">;
96
- firstUsedTime: convex_values0.VFloat64<number | undefined, "optional">;
97
- parentRefreshTokenId: convex_values0.VId<convex_values0.GenericId<"RefreshToken"> | undefined, "optional">;
98
- }, "required", "sessionId" | "expirationTime" | "firstUsedTime" | "parentRefreshTokenId">, {
94
+ sessionId: convex_values87.VId<convex_values87.GenericId<"Session">, "required">;
95
+ expirationTime: convex_values87.VFloat64<number, "required">;
96
+ firstUsedTime: convex_values87.VFloat64<number | undefined, "optional">;
97
+ parentRefreshTokenId: convex_values87.VId<convex_values87.GenericId<"RefreshToken"> | undefined, "optional">;
98
+ }, "required", "expirationTime" | "sessionId" | "firstUsedTime" | "parentRefreshTokenId">, {
99
99
  session_id: ["sessionId", "_creationTime"];
100
100
  session_id_first_used: ["sessionId", "firstUsedTime", "_creationTime"];
101
101
  session_id_parent_refresh_token_id: ["sessionId", "parentRefreshTokenId", "_creationTime"];
@@ -103,23 +103,23 @@ declare const _default: convex_server75.SchemaDefinition<{
103
103
  /**
104
104
  * Verification codes for OTP tokens, magic link tokens, and OAuth codes.
105
105
  */
106
- VerificationCode: convex_server75.TableDefinition<convex_values0.VObject<{
106
+ VerificationCode: convex_server81.TableDefinition<convex_values87.VObject<{
107
107
  emailVerified?: string | undefined;
108
- verifier?: string | undefined;
109
108
  phoneVerified?: string | undefined;
110
- code: string;
111
- provider: string;
112
- accountId: convex_values0.GenericId<"Account">;
109
+ verifier?: string | undefined;
113
110
  expirationTime: number;
111
+ provider: string;
112
+ accountId: convex_values87.GenericId<"Account">;
113
+ code: string;
114
114
  }, {
115
- accountId: convex_values0.VId<convex_values0.GenericId<"Account">, "required">;
116
- provider: convex_values0.VString<string, "required">;
117
- code: convex_values0.VString<string, "required">;
118
- expirationTime: convex_values0.VFloat64<number, "required">;
119
- verifier: convex_values0.VString<string | undefined, "optional">;
120
- emailVerified: convex_values0.VString<string | undefined, "optional">;
121
- phoneVerified: convex_values0.VString<string | undefined, "optional">;
122
- }, "required", "emailVerified" | "code" | "provider" | "verifier" | "accountId" | "expirationTime" | "phoneVerified">, {
115
+ accountId: convex_values87.VId<convex_values87.GenericId<"Account">, "required">;
116
+ provider: convex_values87.VString<string, "required">;
117
+ code: convex_values87.VString<string, "required">;
118
+ expirationTime: convex_values87.VFloat64<number, "required">;
119
+ verifier: convex_values87.VString<string | undefined, "optional">;
120
+ emailVerified: convex_values87.VString<string | undefined, "optional">;
121
+ phoneVerified: convex_values87.VString<string | undefined, "optional">;
122
+ }, "required", "emailVerified" | "expirationTime" | "provider" | "phoneVerified" | "accountId" | "code" | "verifier">, {
123
123
  account_id: ["accountId", "_creationTime"];
124
124
  code: ["code", "_creationTime"];
125
125
  }, {}, {}>;
@@ -127,12 +127,12 @@ declare const _default: convex_server75.SchemaDefinition<{
127
127
  * PKCE verifiers for OAuth flows. Stores the cryptographic verifier
128
128
  * used to prove the authorization request originated from this client.
129
129
  */
130
- AuthVerifier: convex_server75.TableDefinition<convex_values0.VObject<{
131
- sessionId?: convex_values0.GenericId<"Session"> | undefined;
130
+ AuthVerifier: convex_server81.TableDefinition<convex_values87.VObject<{
131
+ sessionId?: convex_values87.GenericId<"Session"> | undefined;
132
132
  signature?: string | undefined;
133
133
  }, {
134
- sessionId: convex_values0.VId<convex_values0.GenericId<"Session"> | undefined, "optional">;
135
- signature: convex_values0.VString<string | undefined, "optional">;
134
+ sessionId: convex_values87.VId<convex_values87.GenericId<"Session"> | undefined, "optional">;
135
+ signature: convex_values87.VString<string | undefined, "optional">;
136
136
  }, "required", "sessionId" | "signature">, {
137
137
  signature: ["signature", "_creationTime"];
138
138
  }, {}, {}>;
@@ -141,11 +141,11 @@ declare const _default: convex_server75.SchemaDefinition<{
141
141
  * registered authenticator (Touch ID, Face ID, security key, etc.).
142
142
  * A user can have multiple passkeys across different devices.
143
143
  */
144
- Passkey: convex_server75.TableDefinition<convex_values0.VObject<{
144
+ Passkey: convex_server81.TableDefinition<convex_values87.VObject<{
145
145
  name?: string | undefined;
146
146
  lastUsedAt?: number | undefined;
147
147
  transports?: string[] | undefined;
148
- userId: convex_values0.GenericId<"User">;
148
+ userId: convex_values87.GenericId<"User">;
149
149
  createdAt: number;
150
150
  credentialId: string;
151
151
  publicKey: ArrayBuffer;
@@ -154,17 +154,17 @@ declare const _default: convex_server75.SchemaDefinition<{
154
154
  deviceType: string;
155
155
  backedUp: boolean;
156
156
  }, {
157
- userId: convex_values0.VId<convex_values0.GenericId<"User">, "required">; /** Base64url-encoded credential ID from the authenticator. */
158
- credentialId: convex_values0.VString<string, "required">; /** Public key bytes (SEC1 uncompressed for EC, SPKI for RSA). */
159
- publicKey: convex_values0.VBytes<ArrayBuffer, "required">; /** COSE algorithm identifier (-7 for ES256, -257 for RS256, -8 for EdDSA). */
160
- algorithm: convex_values0.VFloat64<number, "required">; /** Signature counter for clone detection. Many authenticators return 0. */
161
- counter: convex_values0.VFloat64<number, "required">; /** Authenticator transport hints (e.g. "internal", "hybrid", "usb", "ble", "nfc"). */
162
- transports: convex_values0.VArray<string[] | undefined, convex_values0.VString<string, "required">, "optional">; /** Whether this is a single-device or multi-device (synced) credential. */
163
- deviceType: convex_values0.VString<string, "required">; /** Whether the credential is backed up (synced passkey). */
164
- backedUp: convex_values0.VBoolean<boolean, "required">; /** User-assigned friendly name (e.g. "MacBook Touch ID"). */
165
- name: convex_values0.VString<string | undefined, "optional">;
166
- createdAt: convex_values0.VFloat64<number, "required">;
167
- lastUsedAt: convex_values0.VFloat64<number | undefined, "optional">;
157
+ userId: convex_values87.VId<convex_values87.GenericId<"User">, "required">; /** Base64url-encoded credential ID from the authenticator. */
158
+ credentialId: convex_values87.VString<string, "required">; /** Public key bytes (SEC1 uncompressed for EC, SPKI for RSA). */
159
+ publicKey: convex_values87.VBytes<ArrayBuffer, "required">; /** COSE algorithm identifier (-7 for ES256, -257 for RS256, -8 for EdDSA). */
160
+ algorithm: convex_values87.VFloat64<number, "required">; /** Signature counter for clone detection. Many authenticators return 0. */
161
+ counter: convex_values87.VFloat64<number, "required">; /** Authenticator transport hints (e.g. "internal", "hybrid", "usb", "ble", "nfc"). */
162
+ transports: convex_values87.VArray<string[] | undefined, convex_values87.VString<string, "required">, "optional">; /** Whether this is a single-device or multi-device (synced) credential. */
163
+ deviceType: convex_values87.VString<string, "required">; /** Whether the credential is backed up (synced passkey). */
164
+ backedUp: convex_values87.VBoolean<boolean, "required">; /** User-assigned friendly name (e.g. "MacBook Touch ID"). */
165
+ name: convex_values87.VString<string | undefined, "optional">;
166
+ createdAt: convex_values87.VFloat64<number, "required">;
167
+ lastUsedAt: convex_values87.VFloat64<number | undefined, "optional">;
168
168
  }, "required", "name" | "lastUsedAt" | "userId" | "createdAt" | "credentialId" | "publicKey" | "algorithm" | "counter" | "transports" | "deviceType" | "backedUp">, {
169
169
  user_id: ["userId", "_creationTime"];
170
170
  credential_id: ["credentialId", "_creationTime"];
@@ -178,24 +178,24 @@ declare const _default: convex_server75.SchemaDefinition<{
178
178
  * by successfully entering a code from their authenticator app.
179
179
  * Unverified enrollments are in-progress setup that can be discarded.
180
180
  */
181
- TotpFactor: convex_server75.TableDefinition<convex_values0.VObject<{
181
+ TotpFactor: convex_server81.TableDefinition<convex_values87.VObject<{
182
182
  name?: string | undefined;
183
183
  lastUsedAt?: number | undefined;
184
- userId: convex_values0.GenericId<"User">;
184
+ userId: convex_values87.GenericId<"User">;
185
185
  createdAt: number;
186
186
  secret: ArrayBuffer;
187
187
  digits: number;
188
188
  period: number;
189
189
  verified: boolean;
190
190
  }, {
191
- userId: convex_values0.VId<convex_values0.GenericId<"User">, "required">; /** Raw TOTP secret key bytes. */
192
- secret: convex_values0.VBytes<ArrayBuffer, "required">; /** Number of digits in each code (typically 6). */
193
- digits: convex_values0.VFloat64<number, "required">; /** Time period in seconds for code rotation (typically 30). */
194
- period: convex_values0.VFloat64<number, "required">; /** Whether setup has been confirmed with a valid code. */
195
- verified: convex_values0.VBoolean<boolean, "required">; /** User-assigned friendly name (e.g. "Google Authenticator"). */
196
- name: convex_values0.VString<string | undefined, "optional">;
197
- createdAt: convex_values0.VFloat64<number, "required">;
198
- lastUsedAt: convex_values0.VFloat64<number | undefined, "optional">;
191
+ userId: convex_values87.VId<convex_values87.GenericId<"User">, "required">; /** Raw TOTP secret key bytes. */
192
+ secret: convex_values87.VBytes<ArrayBuffer, "required">; /** Number of digits in each code (typically 6). */
193
+ digits: convex_values87.VFloat64<number, "required">; /** Time period in seconds for code rotation (typically 30). */
194
+ period: convex_values87.VFloat64<number, "required">; /** Whether setup has been confirmed with a valid code. */
195
+ verified: convex_values87.VBoolean<boolean, "required">; /** User-assigned friendly name (e.g. "Google Authenticator"). */
196
+ name: convex_values87.VString<string | undefined, "optional">;
197
+ createdAt: convex_values87.VFloat64<number, "required">;
198
+ lastUsedAt: convex_values87.VFloat64<number | undefined, "optional">;
199
199
  }, "required", "name" | "lastUsedAt" | "userId" | "createdAt" | "secret" | "digits" | "period" | "verified">, {
200
200
  user_id: ["userId", "_creationTime"];
201
201
  user_id_verified: ["userId", "verified", "_creationTime"];
@@ -205,9 +205,9 @@ declare const _default: convex_server75.SchemaDefinition<{
205
205
  * device auth session — the device polls with `deviceCode` while the
206
206
  * user authorizes via `userCode` on a secondary device.
207
207
  */
208
- DeviceCode: convex_server75.TableDefinition<convex_values0.VObject<{
209
- userId?: convex_values0.GenericId<"User"> | undefined;
210
- sessionId?: convex_values0.GenericId<"Session"> | undefined;
208
+ DeviceCode: convex_server81.TableDefinition<convex_values87.VObject<{
209
+ userId?: convex_values87.GenericId<"User"> | undefined;
210
+ sessionId?: convex_values87.GenericId<"Session"> | undefined;
211
211
  lastPolledAt?: number | undefined;
212
212
  status: "pending" | "authorized" | "denied";
213
213
  expiresAt: number;
@@ -215,14 +215,14 @@ declare const _default: convex_server75.SchemaDefinition<{
215
215
  userCode: string;
216
216
  interval: number;
217
217
  }, {
218
- /** High-entropy code used by the device for polling. Stored as SHA-256 hash. */deviceCodeHash: convex_values0.VString<string, "required">; /** Short human-readable code the user enters (e.g. "WDJB-MJHT"). */
219
- userCode: convex_values0.VString<string, "required">; /** Expiration timestamp (ms since epoch). */
220
- expiresAt: convex_values0.VFloat64<number, "required">; /** Minimum polling interval in seconds. */
221
- interval: convex_values0.VFloat64<number, "required">; /** Current status of this device authorization session. */
222
- status: convex_values0.VUnion<"pending" | "authorized" | "denied", [convex_values0.VLiteral<"pending", "required">, convex_values0.VLiteral<"authorized", "required">, convex_values0.VLiteral<"denied", "required">], "required", never>; /** Set when the user authorizes — links to the authorizing user. */
223
- userId: convex_values0.VId<convex_values0.GenericId<"User"> | undefined, "optional">; /** Set when the user authorizes — the session created for the device. */
224
- sessionId: convex_values0.VId<convex_values0.GenericId<"Session"> | undefined, "optional">; /** Timestamp of the last poll request (for slow_down enforcement). */
225
- lastPolledAt: convex_values0.VFloat64<number | undefined, "optional">;
218
+ /** High-entropy code used by the device for polling. Stored as SHA-256 hash. */deviceCodeHash: convex_values87.VString<string, "required">; /** Short human-readable code the user enters (e.g. "WDJB-MJHT"). */
219
+ userCode: convex_values87.VString<string, "required">; /** Expiration timestamp (ms since epoch). */
220
+ expiresAt: convex_values87.VFloat64<number, "required">; /** Minimum polling interval in seconds. */
221
+ interval: convex_values87.VFloat64<number, "required">; /** Current status of this device authorization session. */
222
+ status: convex_values87.VUnion<"pending" | "authorized" | "denied", [convex_values87.VLiteral<"pending", "required">, convex_values87.VLiteral<"authorized", "required">, convex_values87.VLiteral<"denied", "required">], "required", never>; /** Set when the user authorizes — links to the authorizing user. */
223
+ userId: convex_values87.VId<convex_values87.GenericId<"User"> | undefined, "optional">; /** Set when the user authorizes — the session created for the device. */
224
+ sessionId: convex_values87.VId<convex_values87.GenericId<"Session"> | undefined, "optional">; /** Timestamp of the last poll request (for slow_down enforcement). */
225
+ lastPolledAt: convex_values87.VFloat64<number | undefined, "optional">;
226
226
  }, "required", "status" | "expiresAt" | "userId" | "sessionId" | "deviceCodeHash" | "userCode" | "interval" | "lastPolledAt">, {
227
227
  device_code_hash: ["deviceCodeHash", "_creationTime"];
228
228
  user_code_status: ["userCode", "status", "_creationTime"];
@@ -230,14 +230,14 @@ declare const _default: convex_server75.SchemaDefinition<{
230
230
  /**
231
231
  * Rate limit tracking for OTP and password sign-in attempts.
232
232
  */
233
- RateLimit: convex_server75.TableDefinition<convex_values0.VObject<{
233
+ RateLimit: convex_server81.TableDefinition<convex_values87.VObject<{
234
234
  identifier: string;
235
235
  last_attempt_time: number;
236
236
  attempts_left: number;
237
237
  }, {
238
- identifier: convex_values0.VString<string, "required">;
239
- last_attempt_time: convex_values0.VFloat64<number, "required">;
240
- attempts_left: convex_values0.VFloat64<number, "required">;
238
+ identifier: convex_values87.VString<string, "required">;
239
+ last_attempt_time: convex_values87.VFloat64<number, "required">;
240
+ attempts_left: convex_values87.VFloat64<number, "required">;
241
241
  }, "required", "identifier" | "last_attempt_time" | "attempts_left">, {
242
242
  by_identifier: ["identifier", "_creationTime"];
243
243
  }, {}, {}>;
@@ -246,32 +246,32 @@ declare const _default: convex_server75.SchemaDefinition<{
246
246
  * Groups can nest arbitrarily deep via `parentGroupId` for modeling
247
247
  * organizations, teams, departments, or any tree structure.
248
248
  */
249
- Group: convex_server75.TableDefinition<convex_values0.VObject<{
249
+ Group: convex_server81.TableDefinition<convex_values87.VObject<{
250
+ slug?: string | undefined;
250
251
  type?: string | undefined;
251
252
  extend?: any;
252
- slug?: string | undefined;
253
- parentGroupId?: convex_values0.GenericId<"Group"> | undefined;
254
- rootGroupId?: convex_values0.GenericId<"Group"> | undefined;
253
+ parentGroupId?: convex_values87.GenericId<"Group"> | undefined;
254
+ rootGroupId?: convex_values87.GenericId<"Group"> | undefined;
255
255
  isRoot?: boolean | undefined;
256
256
  tags?: {
257
- value: string;
258
257
  key: string;
258
+ value: string;
259
259
  }[] | undefined;
260
260
  policy?: {
261
261
  extend?: any;
262
+ version: 1;
262
263
  identity: {
263
264
  accountLinking: {
264
265
  oidc: "verifiedEmail" | "none";
265
266
  saml: "verifiedEmail" | "none";
266
267
  };
267
268
  };
268
- version: 1;
269
269
  provisioning: {
270
270
  user: {
271
271
  createOnSignIn: boolean;
272
272
  updateProfileOnLogin: "never" | "missing" | "always";
273
273
  updateProfileFromScim: "never" | "missing" | "always";
274
- authority: "sso" | "app" | "scim";
274
+ authority: "app" | "sso" | "scim";
275
275
  };
276
276
  scimReuse: {
277
277
  user: "none" | "externalId";
@@ -298,37 +298,37 @@ declare const _default: convex_server75.SchemaDefinition<{
298
298
  } | undefined;
299
299
  name: string;
300
300
  }, {
301
- name: convex_values0.VString<string, "required">;
302
- slug: convex_values0.VString<string | undefined, "optional">;
303
- type: convex_values0.VString<string | undefined, "optional">;
304
- parentGroupId: convex_values0.VId<convex_values0.GenericId<"Group"> | undefined, "optional">; /** Denormalized root group ID. Self-referencing for root groups. */
305
- rootGroupId: convex_values0.VId<convex_values0.GenericId<"Group"> | undefined, "optional">; /** Denormalized flag: `true` when `parentGroupId` is absent. */
306
- isRoot: convex_values0.VBoolean<boolean | undefined, "optional">; /** Faceted classification tags. Normalized at write time (trimmed, lowercased). */
307
- tags: convex_values0.VArray<{
308
- value: string;
301
+ name: convex_values87.VString<string, "required">;
302
+ slug: convex_values87.VString<string | undefined, "optional">;
303
+ type: convex_values87.VString<string | undefined, "optional">;
304
+ parentGroupId: convex_values87.VId<convex_values87.GenericId<"Group"> | undefined, "optional">; /** Denormalized root group ID. Self-referencing for root groups. */
305
+ rootGroupId: convex_values87.VId<convex_values87.GenericId<"Group"> | undefined, "optional">; /** Denormalized flag: `true` when `parentGroupId` is absent. */
306
+ isRoot: convex_values87.VBoolean<boolean | undefined, "optional">; /** Faceted classification tags. Normalized at write time (trimmed, lowercased). */
307
+ tags: convex_values87.VArray<{
309
308
  key: string;
310
- }[] | undefined, convex_values0.VObject<{
311
309
  value: string;
310
+ }[] | undefined, convex_values87.VObject<{
312
311
  key: string;
312
+ value: string;
313
313
  }, {
314
- key: convex_values0.VString<string, "required">;
315
- value: convex_values0.VString<string, "required">;
316
- }, "required", "value" | "key">, "optional">;
317
- policy: convex_values0.VObject<{
314
+ key: convex_values87.VString<string, "required">;
315
+ value: convex_values87.VString<string, "required">;
316
+ }, "required", "key" | "value">, "optional">;
317
+ policy: convex_values87.VObject<{
318
318
  extend?: any;
319
+ version: 1;
319
320
  identity: {
320
321
  accountLinking: {
321
322
  oidc: "verifiedEmail" | "none";
322
323
  saml: "verifiedEmail" | "none";
323
324
  };
324
325
  };
325
- version: 1;
326
326
  provisioning: {
327
327
  user: {
328
328
  createOnSignIn: boolean;
329
329
  updateProfileOnLogin: "never" | "missing" | "always";
330
330
  updateProfileFromScim: "never" | "missing" | "always";
331
- authority: "sso" | "app" | "scim";
331
+ authority: "app" | "sso" | "scim";
332
332
  };
333
333
  scimReuse: {
334
334
  user: "none" | "externalId";
@@ -353,27 +353,27 @@ declare const _default: convex_server75.SchemaDefinition<{
353
353
  };
354
354
  };
355
355
  } | undefined, {
356
- version: convex_values0.VLiteral<1, "required">;
357
- identity: convex_values0.VObject<{
356
+ version: convex_values87.VLiteral<1, "required">;
357
+ identity: convex_values87.VObject<{
358
358
  accountLinking: {
359
359
  oidc: "verifiedEmail" | "none";
360
360
  saml: "verifiedEmail" | "none";
361
361
  };
362
362
  }, {
363
- accountLinking: convex_values0.VObject<{
363
+ accountLinking: convex_values87.VObject<{
364
364
  oidc: "verifiedEmail" | "none";
365
365
  saml: "verifiedEmail" | "none";
366
366
  }, {
367
- oidc: convex_values0.VUnion<"verifiedEmail" | "none", [convex_values0.VLiteral<"verifiedEmail", "required">, convex_values0.VLiteral<"none", "required">], "required", never>;
368
- saml: convex_values0.VUnion<"verifiedEmail" | "none", [convex_values0.VLiteral<"verifiedEmail", "required">, convex_values0.VLiteral<"none", "required">], "required", never>;
367
+ oidc: convex_values87.VUnion<"verifiedEmail" | "none", [convex_values87.VLiteral<"verifiedEmail", "required">, convex_values87.VLiteral<"none", "required">], "required", never>;
368
+ saml: convex_values87.VUnion<"verifiedEmail" | "none", [convex_values87.VLiteral<"verifiedEmail", "required">, convex_values87.VLiteral<"none", "required">], "required", never>;
369
369
  }, "required", "oidc" | "saml">;
370
370
  }, "required", "accountLinking" | "accountLinking.oidc" | "accountLinking.saml">;
371
- provisioning: convex_values0.VObject<{
371
+ provisioning: convex_values87.VObject<{
372
372
  user: {
373
373
  createOnSignIn: boolean;
374
374
  updateProfileOnLogin: "never" | "missing" | "always";
375
375
  updateProfileFromScim: "never" | "missing" | "always";
376
- authority: "sso" | "app" | "scim";
376
+ authority: "app" | "sso" | "scim";
377
377
  };
378
378
  scimReuse: {
379
379
  user: "none" | "externalId";
@@ -397,59 +397,59 @@ declare const _default: convex_server75.SchemaDefinition<{
397
397
  source: "protocol";
398
398
  };
399
399
  }, {
400
- user: convex_values0.VObject<{
400
+ user: convex_values87.VObject<{
401
401
  createOnSignIn: boolean;
402
402
  updateProfileOnLogin: "never" | "missing" | "always";
403
403
  updateProfileFromScim: "never" | "missing" | "always";
404
- authority: "sso" | "app" | "scim";
404
+ authority: "app" | "sso" | "scim";
405
405
  }, {
406
- createOnSignIn: convex_values0.VBoolean<boolean, "required">;
407
- updateProfileOnLogin: convex_values0.VUnion<"never" | "missing" | "always", [convex_values0.VLiteral<"never", "required">, convex_values0.VLiteral<"missing", "required">, convex_values0.VLiteral<"always", "required">], "required", never>;
408
- updateProfileFromScim: convex_values0.VUnion<"never" | "missing" | "always", [convex_values0.VLiteral<"never", "required">, convex_values0.VLiteral<"missing", "required">, convex_values0.VLiteral<"always", "required">], "required", never>;
409
- authority: convex_values0.VUnion<"sso" | "app" | "scim", [convex_values0.VLiteral<"app", "required">, convex_values0.VLiteral<"sso", "required">, convex_values0.VLiteral<"scim", "required">], "required", never>;
406
+ createOnSignIn: convex_values87.VBoolean<boolean, "required">;
407
+ updateProfileOnLogin: convex_values87.VUnion<"never" | "missing" | "always", [convex_values87.VLiteral<"never", "required">, convex_values87.VLiteral<"missing", "required">, convex_values87.VLiteral<"always", "required">], "required", never>;
408
+ updateProfileFromScim: convex_values87.VUnion<"never" | "missing" | "always", [convex_values87.VLiteral<"never", "required">, convex_values87.VLiteral<"missing", "required">, convex_values87.VLiteral<"always", "required">], "required", never>;
409
+ authority: convex_values87.VUnion<"app" | "sso" | "scim", [convex_values87.VLiteral<"app", "required">, convex_values87.VLiteral<"sso", "required">, convex_values87.VLiteral<"scim", "required">], "required", never>;
410
410
  }, "required", "createOnSignIn" | "updateProfileOnLogin" | "updateProfileFromScim" | "authority">;
411
- scimReuse: convex_values0.VObject<{
411
+ scimReuse: convex_values87.VObject<{
412
412
  user: "none" | "externalId";
413
413
  }, {
414
- user: convex_values0.VUnion<"none" | "externalId", [convex_values0.VLiteral<"externalId", "required">, convex_values0.VLiteral<"none", "required">], "required", never>;
414
+ user: convex_values87.VUnion<"none" | "externalId", [convex_values87.VLiteral<"externalId", "required">, convex_values87.VLiteral<"none", "required">], "required", never>;
415
415
  }, "required", "user">;
416
- jit: convex_values0.VObject<{
416
+ jit: convex_values87.VObject<{
417
417
  defaultRole?: string | undefined;
418
418
  defaultRoleIds?: string[] | undefined;
419
419
  mode: "off" | "createUser" | "createUserAndMembership";
420
420
  }, {
421
- mode: convex_values0.VUnion<"off" | "createUser" | "createUserAndMembership", [convex_values0.VLiteral<"off", "required">, convex_values0.VLiteral<"createUser", "required">, convex_values0.VLiteral<"createUserAndMembership", "required">], "required", never>;
422
- defaultRole: convex_values0.VString<string | undefined, "optional">;
423
- defaultRoleIds: convex_values0.VArray<string[] | undefined, convex_values0.VString<string, "required">, "optional">;
421
+ mode: convex_values87.VUnion<"off" | "createUser" | "createUserAndMembership", [convex_values87.VLiteral<"off", "required">, convex_values87.VLiteral<"createUser", "required">, convex_values87.VLiteral<"createUserAndMembership", "required">], "required", never>;
422
+ defaultRole: convex_values87.VString<string | undefined, "optional">;
423
+ defaultRoleIds: convex_values87.VArray<string[] | undefined, convex_values87.VString<string, "required">, "optional">;
424
424
  }, "required", "mode" | "defaultRole" | "defaultRoleIds">;
425
- deprovision: convex_values0.VObject<{
425
+ deprovision: convex_values87.VObject<{
426
426
  mode: "soft" | "hard";
427
427
  }, {
428
- mode: convex_values0.VUnion<"soft" | "hard", [convex_values0.VLiteral<"soft", "required">, convex_values0.VLiteral<"hard", "required">], "required", never>;
428
+ mode: convex_values87.VUnion<"soft" | "hard", [convex_values87.VLiteral<"soft", "required">, convex_values87.VLiteral<"hard", "required">], "required", never>;
429
429
  }, "required", "mode">;
430
- groups: convex_values0.VObject<{
430
+ groups: convex_values87.VObject<{
431
431
  mapping?: Record<string, string[]> | undefined;
432
432
  mode: "ignore" | "sync";
433
433
  source: "protocol";
434
434
  }, {
435
- mode: convex_values0.VUnion<"ignore" | "sync", [convex_values0.VLiteral<"ignore", "required">, convex_values0.VLiteral<"sync", "required">], "required", never>;
436
- source: convex_values0.VLiteral<"protocol", "required">;
437
- mapping: convex_values0.VRecord<Record<string, string[]> | undefined, convex_values0.VString<string, "required">, convex_values0.VArray<string[], convex_values0.VString<string, "required">, "required">, "optional", string>;
435
+ mode: convex_values87.VUnion<"ignore" | "sync", [convex_values87.VLiteral<"ignore", "required">, convex_values87.VLiteral<"sync", "required">], "required", never>;
436
+ source: convex_values87.VLiteral<"protocol", "required">;
437
+ mapping: convex_values87.VRecord<Record<string, string[]> | undefined, convex_values87.VString<string, "required">, convex_values87.VArray<string[], convex_values87.VString<string, "required">, "required">, "optional", string>;
438
438
  }, "required", "mode" | "source" | "mapping" | `mapping.${string}`>;
439
- roles: convex_values0.VObject<{
439
+ roles: convex_values87.VObject<{
440
440
  mapping?: Record<string, string[]> | undefined;
441
441
  mode: "map" | "ignore";
442
442
  source: "protocol";
443
443
  }, {
444
- mode: convex_values0.VUnion<"map" | "ignore", [convex_values0.VLiteral<"ignore", "required">, convex_values0.VLiteral<"map", "required">], "required", never>;
445
- source: convex_values0.VLiteral<"protocol", "required">;
446
- mapping: convex_values0.VRecord<Record<string, string[]> | undefined, convex_values0.VString<string, "required">, convex_values0.VArray<string[], convex_values0.VString<string, "required">, "required">, "optional", string>;
444
+ mode: convex_values87.VUnion<"map" | "ignore", [convex_values87.VLiteral<"ignore", "required">, convex_values87.VLiteral<"map", "required">], "required", never>;
445
+ source: convex_values87.VLiteral<"protocol", "required">;
446
+ mapping: convex_values87.VRecord<Record<string, string[]> | undefined, convex_values87.VString<string, "required">, convex_values87.VArray<string[], convex_values87.VString<string, "required">, "required">, "optional", string>;
447
447
  }, "required", "mode" | "source" | "mapping" | `mapping.${string}`>;
448
448
  }, "required", "user" | "scimReuse" | "jit" | "deprovision" | "groups" | "roles" | "user.createOnSignIn" | "user.updateProfileOnLogin" | "user.updateProfileFromScim" | "user.authority" | "scimReuse.user" | "jit.mode" | "jit.defaultRole" | "jit.defaultRoleIds" | "deprovision.mode" | "groups.mode" | "groups.source" | "groups.mapping" | `groups.mapping.${string}` | "roles.mode" | "roles.source" | "roles.mapping" | `roles.mapping.${string}`>;
449
- extend: convex_values0.VAny<any, "optional", string>;
450
- }, "optional", "extend" | "identity" | `extend.${string}` | "version" | "provisioning" | "identity.accountLinking" | "identity.accountLinking.oidc" | "identity.accountLinking.saml" | "provisioning.user" | "provisioning.scimReuse" | "provisioning.jit" | "provisioning.deprovision" | "provisioning.groups" | "provisioning.roles" | "provisioning.user.createOnSignIn" | "provisioning.user.updateProfileOnLogin" | "provisioning.user.updateProfileFromScim" | "provisioning.user.authority" | "provisioning.scimReuse.user" | "provisioning.jit.mode" | "provisioning.jit.defaultRole" | "provisioning.jit.defaultRoleIds" | "provisioning.deprovision.mode" | "provisioning.groups.mode" | "provisioning.groups.source" | "provisioning.groups.mapping" | `provisioning.groups.mapping.${string}` | "provisioning.roles.mode" | "provisioning.roles.source" | "provisioning.roles.mapping" | `provisioning.roles.mapping.${string}`>;
451
- extend: convex_values0.VAny<any, "optional", string>;
452
- }, "required", "name" | "type" | "extend" | "slug" | `extend.${string}` | "parentGroupId" | "rootGroupId" | "isRoot" | "tags" | "policy" | "policy.extend" | "policy.identity" | `policy.extend.${string}` | "policy.version" | "policy.provisioning" | "policy.identity.accountLinking" | "policy.identity.accountLinking.oidc" | "policy.identity.accountLinking.saml" | "policy.provisioning.user" | "policy.provisioning.scimReuse" | "policy.provisioning.jit" | "policy.provisioning.deprovision" | "policy.provisioning.groups" | "policy.provisioning.roles" | "policy.provisioning.user.createOnSignIn" | "policy.provisioning.user.updateProfileOnLogin" | "policy.provisioning.user.updateProfileFromScim" | "policy.provisioning.user.authority" | "policy.provisioning.scimReuse.user" | "policy.provisioning.jit.mode" | "policy.provisioning.jit.defaultRole" | "policy.provisioning.jit.defaultRoleIds" | "policy.provisioning.deprovision.mode" | "policy.provisioning.groups.mode" | "policy.provisioning.groups.source" | "policy.provisioning.groups.mapping" | `policy.provisioning.groups.mapping.${string}` | "policy.provisioning.roles.mode" | "policy.provisioning.roles.source" | "policy.provisioning.roles.mapping" | `policy.provisioning.roles.mapping.${string}`>, {
449
+ extend: convex_values87.VAny<any, "optional", string>;
450
+ }, "optional", "extend" | `extend.${string}` | "version" | "identity" | "provisioning" | "identity.accountLinking" | "identity.accountLinking.oidc" | "identity.accountLinking.saml" | "provisioning.user" | "provisioning.scimReuse" | "provisioning.jit" | "provisioning.deprovision" | "provisioning.groups" | "provisioning.roles" | "provisioning.user.createOnSignIn" | "provisioning.user.updateProfileOnLogin" | "provisioning.user.updateProfileFromScim" | "provisioning.user.authority" | "provisioning.scimReuse.user" | "provisioning.jit.mode" | "provisioning.jit.defaultRole" | "provisioning.jit.defaultRoleIds" | "provisioning.deprovision.mode" | "provisioning.groups.mode" | "provisioning.groups.source" | "provisioning.groups.mapping" | `provisioning.groups.mapping.${string}` | "provisioning.roles.mode" | "provisioning.roles.source" | "provisioning.roles.mapping" | `provisioning.roles.mapping.${string}`>;
451
+ extend: convex_values87.VAny<any, "optional", string>;
452
+ }, "required", "name" | "slug" | "type" | "extend" | `extend.${string}` | "parentGroupId" | "rootGroupId" | "isRoot" | "tags" | "policy" | "policy.extend" | `policy.extend.${string}` | "policy.version" | "policy.identity" | "policy.provisioning" | "policy.identity.accountLinking" | "policy.identity.accountLinking.oidc" | "policy.identity.accountLinking.saml" | "policy.provisioning.user" | "policy.provisioning.scimReuse" | "policy.provisioning.jit" | "policy.provisioning.deprovision" | "policy.provisioning.groups" | "policy.provisioning.roles" | "policy.provisioning.user.createOnSignIn" | "policy.provisioning.user.updateProfileOnLogin" | "policy.provisioning.user.updateProfileFromScim" | "policy.provisioning.user.authority" | "policy.provisioning.scimReuse.user" | "policy.provisioning.jit.mode" | "policy.provisioning.jit.defaultRole" | "policy.provisioning.jit.defaultRoleIds" | "policy.provisioning.deprovision.mode" | "policy.provisioning.groups.mode" | "policy.provisioning.groups.source" | "policy.provisioning.groups.mapping" | `policy.provisioning.groups.mapping.${string}` | "policy.provisioning.roles.mode" | "policy.provisioning.roles.source" | "policy.provisioning.roles.mapping" | `policy.provisioning.roles.mapping.${string}`>, {
453
453
  slug: ["slug", "_creationTime"];
454
454
  parent_group_id: ["parentGroupId", "_creationTime"];
455
455
  root_group_id: ["rootGroupId", "_creationTime"];
@@ -462,15 +462,15 @@ declare const _default: convex_server75.SchemaDefinition<{
462
462
  * Each row maps one `(key, value)` pair to a group. Kept in sync by
463
463
  * `groupCreate`, `groupUpdate`, and `groupDelete`.
464
464
  */
465
- GroupTag: convex_server75.TableDefinition<convex_values0.VObject<{
466
- value: string;
465
+ GroupTag: convex_server81.TableDefinition<convex_values87.VObject<{
467
466
  key: string;
468
- group_id: convex_values0.GenericId<"Group">;
467
+ value: string;
468
+ group_id: convex_values87.GenericId<"Group">;
469
469
  }, {
470
- group_id: convex_values0.VId<convex_values0.GenericId<"Group">, "required">;
471
- key: convex_values0.VString<string, "required">;
472
- value: convex_values0.VString<string, "required">;
473
- }, "required", "value" | "key" | "group_id">, {
470
+ group_id: convex_values87.VId<convex_values87.GenericId<"Group">, "required">;
471
+ key: convex_values87.VString<string, "required">;
472
+ value: convex_values87.VString<string, "required">;
473
+ }, "required", "key" | "value" | "group_id">, {
474
474
  by_group: ["group_id", "_creationTime"];
475
475
  by_key_value: ["key", "value", "_creationTime"];
476
476
  by_key: ["key", "_creationTime"];
@@ -480,21 +480,21 @@ declare const _default: convex_server75.SchemaDefinition<{
480
480
  * role (e.g. "owner", "admin", "member", "viewer"). A user can be a
481
481
  * member of multiple groups with different roles in each.
482
482
  */
483
- GroupMember: convex_server75.TableDefinition<convex_values0.VObject<{
483
+ GroupMember: convex_server81.TableDefinition<convex_values87.VObject<{
484
484
  status?: string | undefined;
485
485
  extend?: any;
486
486
  role?: string | undefined;
487
487
  roleIds?: string[] | undefined;
488
- groupId: convex_values0.GenericId<"Group">;
489
- userId: convex_values0.GenericId<"User">;
488
+ userId: convex_values87.GenericId<"User">;
489
+ groupId: convex_values87.GenericId<"Group">;
490
490
  }, {
491
- groupId: convex_values0.VId<convex_values0.GenericId<"Group">, "required">;
492
- userId: convex_values0.VId<convex_values0.GenericId<"User">, "required">;
493
- role: convex_values0.VString<string | undefined, "optional">;
494
- roleIds: convex_values0.VArray<string[] | undefined, convex_values0.VString<string, "required">, "optional">;
495
- status: convex_values0.VString<string | undefined, "optional">;
496
- extend: convex_values0.VAny<any, "optional", string>;
497
- }, "required", "status" | "groupId" | "extend" | "userId" | `extend.${string}` | "role" | "roleIds">, {
491
+ groupId: convex_values87.VId<convex_values87.GenericId<"Group">, "required">;
492
+ userId: convex_values87.VId<convex_values87.GenericId<"User">, "required">;
493
+ role: convex_values87.VString<string | undefined, "optional">;
494
+ roleIds: convex_values87.VArray<string[] | undefined, convex_values87.VString<string, "required">, "optional">;
495
+ status: convex_values87.VString<string | undefined, "optional">;
496
+ extend: convex_values87.VAny<any, "optional", string>;
497
+ }, "required", "status" | "userId" | "extend" | `extend.${string}` | "groupId" | "role" | "roleIds">, {
498
498
  group_id: ["groupId", "_creationTime"];
499
499
  group_id_user_id: ["groupId", "userId", "_creationTime"];
500
500
  group_id_status: ["groupId", "status", "_creationTime"];
@@ -508,31 +508,31 @@ declare const _default: convex_server75.SchemaDefinition<{
508
508
  * `email` and `invitedByUserId` are optional to support CLI-generated
509
509
  * invite links where neither is known upfront.
510
510
  */
511
- GroupInvite: convex_server75.TableDefinition<convex_values0.VObject<{
511
+ GroupInvite: convex_server81.TableDefinition<convex_values87.VObject<{
512
512
  email?: string | undefined;
513
- groupId?: convex_values0.GenericId<"Group"> | undefined;
514
- extend?: any;
515
513
  expiresTime?: number | undefined;
516
514
  acceptedTime?: number | undefined;
515
+ extend?: any;
516
+ groupId?: convex_values87.GenericId<"Group"> | undefined;
517
517
  role?: string | undefined;
518
518
  roleIds?: string[] | undefined;
519
- invitedByUserId?: convex_values0.GenericId<"User"> | undefined;
520
- acceptedByUserId?: convex_values0.GenericId<"User"> | undefined;
519
+ invitedByUserId?: convex_values87.GenericId<"User"> | undefined;
520
+ acceptedByUserId?: convex_values87.GenericId<"User"> | undefined;
521
521
  status: "pending" | "accepted" | "revoked" | "expired";
522
522
  tokenHash: string;
523
523
  }, {
524
- groupId: convex_values0.VId<convex_values0.GenericId<"Group"> | undefined, "optional">;
525
- invitedByUserId: convex_values0.VId<convex_values0.GenericId<"User"> | undefined, "optional">;
526
- email: convex_values0.VString<string | undefined, "optional">;
527
- tokenHash: convex_values0.VString<string, "required">;
528
- role: convex_values0.VString<string | undefined, "optional">;
529
- roleIds: convex_values0.VArray<string[] | undefined, convex_values0.VString<string, "required">, "optional">;
530
- status: convex_values0.VUnion<"pending" | "accepted" | "revoked" | "expired", [convex_values0.VLiteral<"pending", "required">, convex_values0.VLiteral<"accepted", "required">, convex_values0.VLiteral<"revoked", "required">, convex_values0.VLiteral<"expired", "required">], "required", never>;
531
- expiresTime: convex_values0.VFloat64<number | undefined, "optional">;
532
- acceptedByUserId: convex_values0.VId<convex_values0.GenericId<"User"> | undefined, "optional">;
533
- acceptedTime: convex_values0.VFloat64<number | undefined, "optional">;
534
- extend: convex_values0.VAny<any, "optional", string>;
535
- }, "required", "email" | "status" | "groupId" | "extend" | "expiresTime" | "acceptedTime" | `extend.${string}` | "role" | "roleIds" | "invitedByUserId" | "tokenHash" | "acceptedByUserId">, {
524
+ groupId: convex_values87.VId<convex_values87.GenericId<"Group"> | undefined, "optional">;
525
+ invitedByUserId: convex_values87.VId<convex_values87.GenericId<"User"> | undefined, "optional">;
526
+ email: convex_values87.VString<string | undefined, "optional">;
527
+ tokenHash: convex_values87.VString<string, "required">;
528
+ role: convex_values87.VString<string | undefined, "optional">;
529
+ roleIds: convex_values87.VArray<string[] | undefined, convex_values87.VString<string, "required">, "optional">;
530
+ status: convex_values87.VUnion<"pending" | "accepted" | "revoked" | "expired", [convex_values87.VLiteral<"pending", "required">, convex_values87.VLiteral<"accepted", "required">, convex_values87.VLiteral<"revoked", "required">, convex_values87.VLiteral<"expired", "required">], "required", never>;
531
+ expiresTime: convex_values87.VFloat64<number | undefined, "optional">;
532
+ acceptedByUserId: convex_values87.VId<convex_values87.GenericId<"User"> | undefined, "optional">;
533
+ acceptedTime: convex_values87.VFloat64<number | undefined, "optional">;
534
+ extend: convex_values87.VAny<any, "optional", string>;
535
+ }, "required", "email" | "status" | "expiresTime" | "acceptedTime" | "extend" | `extend.${string}` | "groupId" | "role" | "roleIds" | "invitedByUserId" | "tokenHash" | "acceptedByUserId">, {
536
536
  token_hash: ["tokenHash", "_creationTime"];
537
537
  status: ["status", "_creationTime"];
538
538
  email_status: ["email", "status", "_creationTime"];
@@ -547,23 +547,23 @@ declare const _default: convex_server75.SchemaDefinition<{
547
547
  * SDK can evolve without forcing schema churn for every protocol-specific
548
548
  * field addition.
549
549
  */
550
- GroupConnection: convex_server75.TableDefinition<convex_values0.VObject<{
550
+ GroupConnection: convex_server81.TableDefinition<convex_values87.VObject<{
551
551
  name?: string | undefined;
552
- extend?: any;
553
552
  slug?: string | undefined;
553
+ extend?: any;
554
554
  config?: any;
555
555
  status: "draft" | "active" | "disabled";
556
- groupId: convex_values0.GenericId<"Group">;
557
556
  protocol: "oidc" | "saml";
557
+ groupId: convex_values87.GenericId<"Group">;
558
558
  }, {
559
- groupId: convex_values0.VId<convex_values0.GenericId<"Group">, "required">;
560
- slug: convex_values0.VString<string | undefined, "optional">;
561
- name: convex_values0.VString<string | undefined, "optional">;
562
- protocol: convex_values0.VUnion<"oidc" | "saml", [convex_values0.VLiteral<"oidc", "required">, convex_values0.VLiteral<"saml", "required">], "required", never>;
563
- status: convex_values0.VUnion<"draft" | "active" | "disabled", [convex_values0.VLiteral<"draft", "required">, convex_values0.VLiteral<"active", "required">, convex_values0.VLiteral<"disabled", "required">], "required", never>;
564
- config: convex_values0.VAny<any, "optional", string>;
565
- extend: convex_values0.VAny<any, "optional", string>;
566
- }, "required", "name" | "status" | "groupId" | "extend" | "slug" | "protocol" | `extend.${string}` | "config" | `config.${string}`>, {
559
+ groupId: convex_values87.VId<convex_values87.GenericId<"Group">, "required">;
560
+ slug: convex_values87.VString<string | undefined, "optional">;
561
+ name: convex_values87.VString<string | undefined, "optional">;
562
+ protocol: convex_values87.VUnion<"oidc" | "saml", [convex_values87.VLiteral<"oidc", "required">, convex_values87.VLiteral<"saml", "required">], "required", never>;
563
+ status: convex_values87.VUnion<"draft" | "active" | "disabled", [convex_values87.VLiteral<"draft", "required">, convex_values87.VLiteral<"active", "required">, convex_values87.VLiteral<"disabled", "required">], "required", never>;
564
+ config: convex_values87.VAny<any, "optional", string>;
565
+ extend: convex_values87.VAny<any, "optional", string>;
566
+ }, "required", "name" | "slug" | "status" | "extend" | `extend.${string}` | "protocol" | "groupId" | "config" | `config.${string}`>, {
567
567
  group_id: ["groupId", "_creationTime"];
568
568
  slug: ["slug", "_creationTime"];
569
569
  status: ["status", "_creationTime"];
@@ -571,19 +571,19 @@ declare const _default: convex_server75.SchemaDefinition<{
571
571
  /**
572
572
  * Verified or pending domains linked to an group connection record.
573
573
  */
574
- GroupConnectionDomain: convex_server75.TableDefinition<convex_values0.VObject<{
574
+ GroupConnectionDomain: convex_server81.TableDefinition<convex_values87.VObject<{
575
575
  verifiedAt?: number | undefined;
576
+ groupId: convex_values87.GenericId<"Group">;
577
+ connectionId: convex_values87.GenericId<"GroupConnection">;
576
578
  domain: string;
577
- groupId: convex_values0.GenericId<"Group">;
578
- connectionId: convex_values0.GenericId<"GroupConnection">;
579
579
  isPrimary: boolean;
580
580
  }, {
581
- connectionId: convex_values0.VId<convex_values0.GenericId<"GroupConnection">, "required">;
582
- groupId: convex_values0.VId<convex_values0.GenericId<"Group">, "required">;
583
- domain: convex_values0.VString<string, "required">;
584
- isPrimary: convex_values0.VBoolean<boolean, "required">;
585
- verifiedAt: convex_values0.VFloat64<number | undefined, "optional">;
586
- }, "required", "domain" | "groupId" | "connectionId" | "isPrimary" | "verifiedAt">, {
581
+ connectionId: convex_values87.VId<convex_values87.GenericId<"GroupConnection">, "required">;
582
+ groupId: convex_values87.VId<convex_values87.GenericId<"Group">, "required">;
583
+ domain: convex_values87.VString<string, "required">;
584
+ isPrimary: convex_values87.VBoolean<boolean, "required">;
585
+ verifiedAt: convex_values87.VFloat64<number | undefined, "optional">;
586
+ }, "required", "groupId" | "connectionId" | "domain" | "isPrimary" | "verifiedAt">, {
587
587
  connection_id: ["connectionId", "_creationTime"];
588
588
  group_id: ["groupId", "_creationTime"];
589
589
  domain: ["domain", "_creationTime"];
@@ -591,27 +591,27 @@ declare const _default: convex_server75.SchemaDefinition<{
591
591
  /**
592
592
  * Pending DNS TXT verification challenges for group connection domains.
593
593
  */
594
- GroupConnectionDomainVerification: convex_server75.TableDefinition<convex_values0.VObject<{
595
- domain: string;
596
- groupId: convex_values0.GenericId<"Group">;
594
+ GroupConnectionDomainVerification: convex_server81.TableDefinition<convex_values87.VObject<{
597
595
  expiresAt: number;
598
- connectionId: convex_values0.GenericId<"GroupConnection">;
596
+ groupId: convex_values87.GenericId<"Group">;
599
597
  tokenHash: string;
600
- domainId: convex_values0.GenericId<"GroupConnectionDomain">;
598
+ connectionId: convex_values87.GenericId<"GroupConnection">;
599
+ domain: string;
600
+ domainId: convex_values87.GenericId<"GroupConnectionDomain">;
601
601
  recordName: string;
602
602
  token: string;
603
603
  requestedAt: number;
604
604
  }, {
605
- connectionId: convex_values0.VId<convex_values0.GenericId<"GroupConnection">, "required">;
606
- groupId: convex_values0.VId<convex_values0.GenericId<"Group">, "required">;
607
- domainId: convex_values0.VId<convex_values0.GenericId<"GroupConnectionDomain">, "required">;
608
- domain: convex_values0.VString<string, "required">;
609
- recordName: convex_values0.VString<string, "required">;
610
- token: convex_values0.VString<string, "required">;
611
- tokenHash: convex_values0.VString<string, "required">;
612
- requestedAt: convex_values0.VFloat64<number, "required">;
613
- expiresAt: convex_values0.VFloat64<number, "required">;
614
- }, "required", "domain" | "groupId" | "expiresAt" | "connectionId" | "tokenHash" | "domainId" | "recordName" | "token" | "requestedAt">, {
605
+ connectionId: convex_values87.VId<convex_values87.GenericId<"GroupConnection">, "required">;
606
+ groupId: convex_values87.VId<convex_values87.GenericId<"Group">, "required">;
607
+ domainId: convex_values87.VId<convex_values87.GenericId<"GroupConnectionDomain">, "required">;
608
+ domain: convex_values87.VString<string, "required">;
609
+ recordName: convex_values87.VString<string, "required">;
610
+ token: convex_values87.VString<string, "required">;
611
+ tokenHash: convex_values87.VString<string, "required">;
612
+ requestedAt: convex_values87.VFloat64<number, "required">;
613
+ expiresAt: convex_values87.VFloat64<number, "required">;
614
+ }, "required", "expiresAt" | "groupId" | "tokenHash" | "connectionId" | "domain" | "domainId" | "recordName" | "token" | "requestedAt">, {
615
615
  connection_id: ["connectionId", "_creationTime"];
616
616
  domain_id: ["domainId", "_creationTime"];
617
617
  token_hash: ["tokenHash", "_creationTime"];
@@ -619,19 +619,19 @@ declare const _default: convex_server75.SchemaDefinition<{
619
619
  /**
620
620
  * Encrypted group connection secrets stored separately from protocol config.
621
621
  */
622
- GroupConnectionSecret: convex_server75.TableDefinition<convex_values0.VObject<{
623
- groupId: convex_values0.GenericId<"Group">;
624
- kind: "oidc_client_secret";
625
- connectionId: convex_values0.GenericId<"GroupConnection">;
622
+ GroupConnectionSecret: convex_server81.TableDefinition<convex_values87.VObject<{
623
+ groupId: convex_values87.GenericId<"Group">;
624
+ connectionId: convex_values87.GenericId<"GroupConnection">;
626
625
  ciphertext: string;
627
626
  updatedAt: number;
627
+ kind: "oidc_client_secret";
628
628
  }, {
629
- connectionId: convex_values0.VId<convex_values0.GenericId<"GroupConnection">, "required">;
630
- groupId: convex_values0.VId<convex_values0.GenericId<"Group">, "required">;
631
- kind: convex_values0.VUnion<"oidc_client_secret", [convex_values0.VLiteral<"oidc_client_secret", "required">], "required", never>;
632
- ciphertext: convex_values0.VString<string, "required">;
633
- updatedAt: convex_values0.VFloat64<number, "required">;
634
- }, "required", "groupId" | "kind" | "connectionId" | "ciphertext" | "updatedAt">, {
629
+ connectionId: convex_values87.VId<convex_values87.GenericId<"GroupConnection">, "required">;
630
+ groupId: convex_values87.VId<convex_values87.GenericId<"Group">, "required">;
631
+ kind: convex_values87.VUnion<"oidc_client_secret", [convex_values87.VLiteral<"oidc_client_secret", "required">], "required", never>;
632
+ ciphertext: convex_values87.VString<string, "required">;
633
+ updatedAt: convex_values87.VFloat64<number, "required">;
634
+ }, "required", "groupId" | "connectionId" | "ciphertext" | "updatedAt" | "kind">, {
635
635
  connection_id: ["connectionId", "_creationTime"];
636
636
  connection_id_kind: ["connectionId", "kind", "_creationTime"];
637
637
  group_id: ["groupId", "_creationTime"];
@@ -639,23 +639,23 @@ declare const _default: convex_server75.SchemaDefinition<{
639
639
  /**
640
640
  * SCIM configuration for an group connection tenant.
641
641
  */
642
- GroupConnectionScimConfig: convex_server75.TableDefinition<convex_values0.VObject<{
642
+ GroupConnectionScimConfig: convex_server81.TableDefinition<convex_values87.VObject<{
643
643
  extend?: any;
644
644
  lastRotatedAt?: number | undefined;
645
645
  status: "draft" | "active" | "disabled";
646
- groupId: convex_values0.GenericId<"Group">;
647
- connectionId: convex_values0.GenericId<"GroupConnection">;
646
+ groupId: convex_values87.GenericId<"Group">;
648
647
  tokenHash: string;
648
+ connectionId: convex_values87.GenericId<"GroupConnection">;
649
649
  basePath: string;
650
650
  }, {
651
- connectionId: convex_values0.VId<convex_values0.GenericId<"GroupConnection">, "required">;
652
- groupId: convex_values0.VId<convex_values0.GenericId<"Group">, "required">;
653
- status: convex_values0.VUnion<"draft" | "active" | "disabled", [convex_values0.VLiteral<"draft", "required">, convex_values0.VLiteral<"active", "required">, convex_values0.VLiteral<"disabled", "required">], "required", never>;
654
- basePath: convex_values0.VString<string, "required">;
655
- tokenHash: convex_values0.VString<string, "required">;
656
- lastRotatedAt: convex_values0.VFloat64<number | undefined, "optional">;
657
- extend: convex_values0.VAny<any, "optional", string>;
658
- }, "required", "status" | "groupId" | "extend" | "connectionId" | `extend.${string}` | "tokenHash" | "basePath" | "lastRotatedAt">, {
651
+ connectionId: convex_values87.VId<convex_values87.GenericId<"GroupConnection">, "required">;
652
+ groupId: convex_values87.VId<convex_values87.GenericId<"Group">, "required">;
653
+ status: convex_values87.VUnion<"draft" | "active" | "disabled", [convex_values87.VLiteral<"draft", "required">, convex_values87.VLiteral<"active", "required">, convex_values87.VLiteral<"disabled", "required">], "required", never>;
654
+ basePath: convex_values87.VString<string, "required">;
655
+ tokenHash: convex_values87.VString<string, "required">;
656
+ lastRotatedAt: convex_values87.VFloat64<number | undefined, "optional">;
657
+ extend: convex_values87.VAny<any, "optional", string>;
658
+ }, "required", "status" | "extend" | `extend.${string}` | "groupId" | "tokenHash" | "connectionId" | "basePath" | "lastRotatedAt">, {
659
659
  group_connection_id: ["connectionId", "_creationTime"];
660
660
  group_id: ["groupId", "_creationTime"];
661
661
  token_hash: ["tokenHash", "_creationTime"];
@@ -664,27 +664,27 @@ declare const _default: convex_server75.SchemaDefinition<{
664
664
  /**
665
665
  * External SCIM identities mapped into local users/groups.
666
666
  */
667
- GroupConnectionScimIdentity: convex_server75.TableDefinition<convex_values0.VObject<{
667
+ GroupConnectionScimIdentity: convex_server81.TableDefinition<convex_values87.VObject<{
668
+ userId?: convex_values87.GenericId<"User"> | undefined;
668
669
  active?: boolean | undefined;
669
- userId?: convex_values0.GenericId<"User"> | undefined;
670
- mappedGroupId?: convex_values0.GenericId<"Group"> | undefined;
670
+ mappedGroupId?: convex_values87.GenericId<"Group"> | undefined;
671
671
  lastProvisionedAt?: number | undefined;
672
672
  raw?: any;
673
- groupId: convex_values0.GenericId<"Group">;
674
- connectionId: convex_values0.GenericId<"GroupConnection">;
675
673
  externalId: string;
676
- resourceType: "group" | "user";
674
+ groupId: convex_values87.GenericId<"Group">;
675
+ connectionId: convex_values87.GenericId<"GroupConnection">;
676
+ resourceType: "user" | "group";
677
677
  }, {
678
- connectionId: convex_values0.VId<convex_values0.GenericId<"GroupConnection">, "required">;
679
- groupId: convex_values0.VId<convex_values0.GenericId<"Group">, "required">;
680
- resourceType: convex_values0.VUnion<"group" | "user", [convex_values0.VLiteral<"user", "required">, convex_values0.VLiteral<"group", "required">], "required", never>;
681
- externalId: convex_values0.VString<string, "required">;
682
- userId: convex_values0.VId<convex_values0.GenericId<"User"> | undefined, "optional">;
683
- mappedGroupId: convex_values0.VId<convex_values0.GenericId<"Group"> | undefined, "optional">;
684
- lastProvisionedAt: convex_values0.VFloat64<number | undefined, "optional">;
685
- active: convex_values0.VBoolean<boolean | undefined, "optional">;
686
- raw: convex_values0.VAny<any, "optional", string>;
687
- }, "required", "groupId" | "active" | "userId" | "connectionId" | "externalId" | "resourceType" | "mappedGroupId" | "lastProvisionedAt" | "raw" | `raw.${string}`>, {
678
+ connectionId: convex_values87.VId<convex_values87.GenericId<"GroupConnection">, "required">;
679
+ groupId: convex_values87.VId<convex_values87.GenericId<"Group">, "required">;
680
+ resourceType: convex_values87.VUnion<"user" | "group", [convex_values87.VLiteral<"user", "required">, convex_values87.VLiteral<"group", "required">], "required", never>;
681
+ externalId: convex_values87.VString<string, "required">;
682
+ userId: convex_values87.VId<convex_values87.GenericId<"User"> | undefined, "optional">;
683
+ mappedGroupId: convex_values87.VId<convex_values87.GenericId<"Group"> | undefined, "optional">;
684
+ lastProvisionedAt: convex_values87.VFloat64<number | undefined, "optional">;
685
+ active: convex_values87.VBoolean<boolean | undefined, "optional">;
686
+ raw: convex_values87.VAny<any, "optional", string>;
687
+ }, "required", "userId" | "externalId" | "groupId" | "active" | "connectionId" | "resourceType" | "mappedGroupId" | "lastProvisionedAt" | "raw" | `raw.${string}`>, {
688
688
  group_connection_id: ["connectionId", "_creationTime"];
689
689
  group_id: ["groupId", "_creationTime"];
690
690
  group_connection_id_resource_type_external_id: ["connectionId", "resourceType", "externalId", "_creationTime"];
@@ -695,33 +695,33 @@ declare const _default: convex_server75.SchemaDefinition<{
695
695
  /**
696
696
  * Immutable audit trail for group connection operations.
697
697
  */
698
- GroupAuditEvent: convex_server75.TableDefinition<convex_values0.VObject<{
698
+ GroupAuditEvent: convex_server81.TableDefinition<convex_values87.VObject<{
699
699
  metadata?: any;
700
- connectionId?: convex_values0.GenericId<"GroupConnection"> | undefined;
700
+ connectionId?: convex_values87.GenericId<"GroupConnection"> | undefined;
701
701
  actorId?: string | undefined;
702
702
  subjectId?: string | undefined;
703
703
  requestId?: string | undefined;
704
704
  ip?: string | undefined;
705
705
  status: "success" | "failure";
706
- groupId: convex_values0.GenericId<"Group">;
706
+ groupId: convex_values87.GenericId<"Group">;
707
707
  actorType: "user" | "scim" | "system" | "api_key" | "webhook";
708
708
  eventType: string;
709
709
  subjectType: string;
710
710
  occurredAt: number;
711
711
  }, {
712
- connectionId: convex_values0.VId<convex_values0.GenericId<"GroupConnection"> | undefined, "optional">;
713
- groupId: convex_values0.VId<convex_values0.GenericId<"Group">, "required">;
714
- eventType: convex_values0.VString<string, "required">;
715
- actorType: convex_values0.VUnion<"user" | "scim" | "system" | "api_key" | "webhook", [convex_values0.VLiteral<"user", "required">, convex_values0.VLiteral<"system", "required">, convex_values0.VLiteral<"scim", "required">, convex_values0.VLiteral<"api_key", "required">, convex_values0.VLiteral<"webhook", "required">], "required", never>;
716
- actorId: convex_values0.VString<string | undefined, "optional">;
717
- subjectType: convex_values0.VString<string, "required">;
718
- subjectId: convex_values0.VString<string | undefined, "optional">;
719
- status: convex_values0.VUnion<"success" | "failure", [convex_values0.VLiteral<"success", "required">, convex_values0.VLiteral<"failure", "required">], "required", never>;
720
- occurredAt: convex_values0.VFloat64<number, "required">;
721
- requestId: convex_values0.VString<string | undefined, "optional">;
722
- ip: convex_values0.VString<string | undefined, "optional">;
723
- metadata: convex_values0.VAny<any, "optional", string>;
724
- }, "required", "status" | "groupId" | "metadata" | `metadata.${string}` | "connectionId" | "actorType" | "eventType" | "actorId" | "subjectType" | "subjectId" | "occurredAt" | "requestId" | "ip">, {
712
+ connectionId: convex_values87.VId<convex_values87.GenericId<"GroupConnection"> | undefined, "optional">;
713
+ groupId: convex_values87.VId<convex_values87.GenericId<"Group">, "required">;
714
+ eventType: convex_values87.VString<string, "required">;
715
+ actorType: convex_values87.VUnion<"user" | "scim" | "system" | "api_key" | "webhook", [convex_values87.VLiteral<"user", "required">, convex_values87.VLiteral<"system", "required">, convex_values87.VLiteral<"scim", "required">, convex_values87.VLiteral<"api_key", "required">, convex_values87.VLiteral<"webhook", "required">], "required", never>;
716
+ actorId: convex_values87.VString<string | undefined, "optional">;
717
+ subjectType: convex_values87.VString<string, "required">;
718
+ subjectId: convex_values87.VString<string | undefined, "optional">;
719
+ status: convex_values87.VUnion<"success" | "failure", [convex_values87.VLiteral<"success", "required">, convex_values87.VLiteral<"failure", "required">], "required", never>;
720
+ occurredAt: convex_values87.VFloat64<number, "required">;
721
+ requestId: convex_values87.VString<string | undefined, "optional">;
722
+ ip: convex_values87.VString<string | undefined, "optional">;
723
+ metadata: convex_values87.VAny<any, "optional", string>;
724
+ }, "required", "status" | "metadata" | `metadata.${string}` | "groupId" | "connectionId" | "actorType" | "eventType" | "actorId" | "subjectType" | "subjectId" | "occurredAt" | "requestId" | "ip">, {
725
725
  group_connection_id_occurred_at: ["connectionId", "occurredAt", "_creationTime"];
726
726
  group_id_occurred_at: ["groupId", "occurredAt", "_creationTime"];
727
727
  event_type_occurred_at: ["eventType", "occurredAt", "_creationTime"];
@@ -729,31 +729,31 @@ declare const _default: convex_server75.SchemaDefinition<{
729
729
  /**
730
730
  * Webhook endpoints subscribed to group audit and lifecycle events.
731
731
  */
732
- GroupWebhookEndpoint: convex_server75.TableDefinition<convex_values0.VObject<{
732
+ GroupWebhookEndpoint: convex_server81.TableDefinition<convex_values87.VObject<{
733
733
  extend?: any;
734
- createdByUserId?: convex_values0.GenericId<"User"> | undefined;
734
+ createdByUserId?: convex_values87.GenericId<"User"> | undefined;
735
735
  lastSuccessAt?: number | undefined;
736
736
  lastFailureAt?: number | undefined;
737
737
  status: "active" | "disabled";
738
- groupId: convex_values0.GenericId<"Group">;
739
- connectionId: convex_values0.GenericId<"GroupConnection">;
738
+ groupId: convex_values87.GenericId<"Group">;
739
+ connectionId: convex_values87.GenericId<"GroupConnection">;
740
740
  url: string;
741
741
  secretHash: string;
742
742
  subscriptions: string[];
743
743
  failureCount: number;
744
744
  }, {
745
- connectionId: convex_values0.VId<convex_values0.GenericId<"GroupConnection">, "required">;
746
- groupId: convex_values0.VId<convex_values0.GenericId<"Group">, "required">;
747
- url: convex_values0.VString<string, "required">;
748
- status: convex_values0.VUnion<"active" | "disabled", [convex_values0.VLiteral<"active", "required">, convex_values0.VLiteral<"disabled", "required">], "required", never>;
749
- secretHash: convex_values0.VString<string, "required">;
750
- subscriptions: convex_values0.VArray<string[], convex_values0.VString<string, "required">, "required">;
751
- createdByUserId: convex_values0.VId<convex_values0.GenericId<"User"> | undefined, "optional">;
752
- lastSuccessAt: convex_values0.VFloat64<number | undefined, "optional">;
753
- lastFailureAt: convex_values0.VFloat64<number | undefined, "optional">;
754
- failureCount: convex_values0.VFloat64<number, "required">;
755
- extend: convex_values0.VAny<any, "optional", string>;
756
- }, "required", "status" | "groupId" | "extend" | "connectionId" | `extend.${string}` | "url" | "secretHash" | "subscriptions" | "createdByUserId" | "lastSuccessAt" | "lastFailureAt" | "failureCount">, {
745
+ connectionId: convex_values87.VId<convex_values87.GenericId<"GroupConnection">, "required">;
746
+ groupId: convex_values87.VId<convex_values87.GenericId<"Group">, "required">;
747
+ url: convex_values87.VString<string, "required">;
748
+ status: convex_values87.VUnion<"active" | "disabled", [convex_values87.VLiteral<"active", "required">, convex_values87.VLiteral<"disabled", "required">], "required", never>;
749
+ secretHash: convex_values87.VString<string, "required">;
750
+ subscriptions: convex_values87.VArray<string[], convex_values87.VString<string, "required">, "required">;
751
+ createdByUserId: convex_values87.VId<convex_values87.GenericId<"User"> | undefined, "optional">;
752
+ lastSuccessAt: convex_values87.VFloat64<number | undefined, "optional">;
753
+ lastFailureAt: convex_values87.VFloat64<number | undefined, "optional">;
754
+ failureCount: convex_values87.VFloat64<number, "required">;
755
+ extend: convex_values87.VAny<any, "optional", string>;
756
+ }, "required", "status" | "extend" | `extend.${string}` | "groupId" | "connectionId" | "url" | "secretHash" | "subscriptions" | "createdByUserId" | "lastSuccessAt" | "lastFailureAt" | "failureCount">, {
757
757
  group_connection_id: ["connectionId", "_creationTime"];
758
758
  group_id: ["groupId", "_creationTime"];
759
759
  status: ["status", "_creationTime"];
@@ -761,30 +761,30 @@ declare const _default: convex_server75.SchemaDefinition<{
761
761
  /**
762
762
  * Delivery queue for outbound group webhooks.
763
763
  */
764
- GroupWebhookDelivery: convex_server75.TableDefinition<convex_values0.VObject<{
765
- auditEventId?: convex_values0.GenericId<"GroupAuditEvent"> | undefined;
764
+ GroupWebhookDelivery: convex_server81.TableDefinition<convex_values87.VObject<{
765
+ auditEventId?: convex_values87.GenericId<"GroupAuditEvent"> | undefined;
766
766
  lastAttemptAt?: number | undefined;
767
767
  lastResponseStatus?: number | undefined;
768
768
  lastError?: string | undefined;
769
769
  status: "pending" | "processing" | "delivered" | "failed";
770
- connectionId: convex_values0.GenericId<"GroupConnection">;
770
+ connectionId: convex_values87.GenericId<"GroupConnection">;
771
771
  eventType: string;
772
- endpointId: convex_values0.GenericId<"GroupWebhookEndpoint">;
772
+ endpointId: convex_values87.GenericId<"GroupWebhookEndpoint">;
773
773
  attemptCount: number;
774
774
  nextAttemptAt: number;
775
775
  payload: any;
776
776
  }, {
777
- connectionId: convex_values0.VId<convex_values0.GenericId<"GroupConnection">, "required">;
778
- endpointId: convex_values0.VId<convex_values0.GenericId<"GroupWebhookEndpoint">, "required">;
779
- auditEventId: convex_values0.VId<convex_values0.GenericId<"GroupAuditEvent"> | undefined, "optional">;
780
- eventType: convex_values0.VString<string, "required">;
781
- status: convex_values0.VUnion<"pending" | "processing" | "delivered" | "failed", [convex_values0.VLiteral<"pending", "required">, convex_values0.VLiteral<"processing", "required">, convex_values0.VLiteral<"delivered", "required">, convex_values0.VLiteral<"failed", "required">], "required", never>;
782
- attemptCount: convex_values0.VFloat64<number, "required">;
783
- nextAttemptAt: convex_values0.VFloat64<number, "required">;
784
- lastAttemptAt: convex_values0.VFloat64<number | undefined, "optional">;
785
- lastResponseStatus: convex_values0.VFloat64<number | undefined, "optional">;
786
- lastError: convex_values0.VString<string | undefined, "optional">;
787
- payload: convex_values0.VAny<any, "required", string>;
777
+ connectionId: convex_values87.VId<convex_values87.GenericId<"GroupConnection">, "required">;
778
+ endpointId: convex_values87.VId<convex_values87.GenericId<"GroupWebhookEndpoint">, "required">;
779
+ auditEventId: convex_values87.VId<convex_values87.GenericId<"GroupAuditEvent"> | undefined, "optional">;
780
+ eventType: convex_values87.VString<string, "required">;
781
+ status: convex_values87.VUnion<"pending" | "processing" | "delivered" | "failed", [convex_values87.VLiteral<"pending", "required">, convex_values87.VLiteral<"processing", "required">, convex_values87.VLiteral<"delivered", "required">, convex_values87.VLiteral<"failed", "required">], "required", never>;
782
+ attemptCount: convex_values87.VFloat64<number, "required">;
783
+ nextAttemptAt: convex_values87.VFloat64<number, "required">;
784
+ lastAttemptAt: convex_values87.VFloat64<number | undefined, "optional">;
785
+ lastResponseStatus: convex_values87.VFloat64<number | undefined, "optional">;
786
+ lastError: convex_values87.VString<string | undefined, "optional">;
787
+ payload: convex_values87.VAny<any, "required", string>;
788
788
  }, "required", "status" | "connectionId" | "eventType" | "endpointId" | "auditEventId" | "attemptCount" | "nextAttemptAt" | "lastAttemptAt" | "lastResponseStatus" | "lastError" | "payload" | `payload.${string}`>, {
789
789
  group_connection_id: ["connectionId", "_creationTime"];
790
790
  status_next_attempt_at: ["status", "nextAttemptAt", "_creationTime"];
@@ -804,7 +804,7 @@ declare const _default: convex_server75.SchemaDefinition<{
804
804
  * - **Expiration**: optional TTL
805
805
  * - **Soft revocation**: `revoked` flag preserves audit trail
806
806
  */
807
- ApiKey: convex_server75.TableDefinition<convex_values0.VObject<{
807
+ ApiKey: convex_server81.TableDefinition<convex_values87.VObject<{
808
808
  lastUsedAt?: number | undefined;
809
809
  expiresAt?: number | undefined;
810
810
  rateLimit?: {
@@ -818,7 +818,7 @@ declare const _default: convex_server75.SchemaDefinition<{
818
818
  metadata?: any;
819
819
  name: string;
820
820
  revoked: boolean;
821
- userId: convex_values0.GenericId<"User">;
821
+ userId: convex_values87.GenericId<"User">;
822
822
  prefix: string;
823
823
  hashedKey: string;
824
824
  scopes: {
@@ -827,39 +827,39 @@ declare const _default: convex_server75.SchemaDefinition<{
827
827
  }[];
828
828
  createdAt: number;
829
829
  }, {
830
- userId: convex_values0.VId<convex_values0.GenericId<"User">, "required">; /** First chars of the key for display (e.g. "sk_abc1..."). */
831
- prefix: convex_values0.VString<string, "required">; /** SHA-256 hex hash of the full raw key. */
832
- hashedKey: convex_values0.VString<string, "required">; /** User-assigned name (e.g. "CI Pipeline", "Production API"). */
833
- name: convex_values0.VString<string, "required">; /** Scoped permissions: [{ resource: "users", actions: ["read", "list"] }]. */
834
- scopes: convex_values0.VArray<{
830
+ userId: convex_values87.VId<convex_values87.GenericId<"User">, "required">; /** First chars of the key for display (e.g. "sk_abc1..."). */
831
+ prefix: convex_values87.VString<string, "required">; /** SHA-256 hex hash of the full raw key. */
832
+ hashedKey: convex_values87.VString<string, "required">; /** User-assigned name (e.g. "CI Pipeline", "Production API"). */
833
+ name: convex_values87.VString<string, "required">; /** Scoped permissions: [{ resource: "users", actions: ["read", "list"] }]. */
834
+ scopes: convex_values87.VArray<{
835
835
  resource: string;
836
836
  actions: string[];
837
- }[], convex_values0.VObject<{
837
+ }[], convex_values87.VObject<{
838
838
  resource: string;
839
839
  actions: string[];
840
840
  }, {
841
- resource: convex_values0.VString<string, "required">;
842
- actions: convex_values0.VArray<string[], convex_values0.VString<string, "required">, "required">;
841
+ resource: convex_values87.VString<string, "required">;
842
+ actions: convex_values87.VArray<string[], convex_values87.VString<string, "required">, "required">;
843
843
  }, "required", "resource" | "actions">, "required">; /** Optional per-key rate limit configuration. */
844
- rateLimit: convex_values0.VObject<{
844
+ rateLimit: convex_values87.VObject<{
845
845
  maxRequests: number;
846
846
  windowMs: number;
847
847
  } | undefined, {
848
- maxRequests: convex_values0.VFloat64<number, "required">;
849
- windowMs: convex_values0.VFloat64<number, "required">;
848
+ maxRequests: convex_values87.VFloat64<number, "required">;
849
+ windowMs: convex_values87.VFloat64<number, "required">;
850
850
  }, "optional", "maxRequests" | "windowMs">; /** Rate limit state tracking (token-bucket). */
851
- rateLimitState: convex_values0.VObject<{
851
+ rateLimitState: convex_values87.VObject<{
852
852
  attemptsLeft: number;
853
853
  lastAttemptTime: number;
854
854
  } | undefined, {
855
- attemptsLeft: convex_values0.VFloat64<number, "required">;
856
- lastAttemptTime: convex_values0.VFloat64<number, "required">;
855
+ attemptsLeft: convex_values87.VFloat64<number, "required">;
856
+ lastAttemptTime: convex_values87.VFloat64<number, "required">;
857
857
  }, "optional", "attemptsLeft" | "lastAttemptTime">; /** Expiration timestamp. Null/undefined = never expires. */
858
- expiresAt: convex_values0.VFloat64<number | undefined, "optional">;
859
- lastUsedAt: convex_values0.VFloat64<number | undefined, "optional">;
860
- createdAt: convex_values0.VFloat64<number, "required">; /** Soft-revoke flag. Revoked keys are kept for audit trail. */
861
- revoked: convex_values0.VBoolean<boolean, "required">; /** Arbitrary app-specific metadata attached to the key. */
862
- metadata: convex_values0.VAny<any, "optional", string>;
858
+ expiresAt: convex_values87.VFloat64<number | undefined, "optional">;
859
+ lastUsedAt: convex_values87.VFloat64<number | undefined, "optional">;
860
+ createdAt: convex_values87.VFloat64<number, "required">; /** Soft-revoke flag. Revoked keys are kept for audit trail. */
861
+ revoked: convex_values87.VBoolean<boolean, "required">; /** Arbitrary app-specific metadata attached to the key. */
862
+ metadata: convex_values87.VAny<any, "optional", string>;
863
863
  }, "required", "name" | "revoked" | "lastUsedAt" | "expiresAt" | "userId" | "prefix" | "hashedKey" | "scopes" | "rateLimit" | "rateLimitState" | "createdAt" | "metadata" | "rateLimit.maxRequests" | "rateLimit.windowMs" | "rateLimitState.attemptsLeft" | "rateLimitState.lastAttemptTime" | `metadata.${string}`>, {
864
864
  user_id: ["userId", "_creationTime"];
865
865
  hashed_key: ["hashedKey", "_creationTime"];