@robelest/convex-auth 0.0.4-preview.27 → 0.0.4-preview.28

package/dist/providers/password.js

@@ -1,5 +1,4 @@
 import { credentials } from "./credentials.js";
-import { Effect, Match } from "effect";
 import { scryptAsync } from "@noble/hashes/scrypt.js";
 import { bytesToHex } from "@noble/hashes/utils.js";
 
@@ -80,11 +79,8 @@ function password(config = {}) {
 				}
 				validateDefaultPasswordRequirements(password);
 			};
-			await Effect.runPromise(Match.value(flowDispatch).pipe(Match.when({ tag: "signUp" }, () => Effect.sync(() => {
-				validatePasswordRequirements(params.password);
-			})), Match.when({ tag: "resetVerification" }, () => Effect.sync(() => {
-				validatePasswordRequirements(params.newPassword);
-			})), Match.orElse(() => Effect.void)));
+			if (flowDispatch.tag === "signUp") validatePasswordRequirements(params.password);
+			else if (flowDispatch.tag === "resetVerification") validatePasswordRequirements(params.newPassword);
 			const profile = config.profile?.(params, ctx) ?? defaultProfile(params);
 			const { email } = profile;
 			const requirePasswordParam = (value, flow) => {
@@ -98,11 +94,7 @@ function password(config = {}) {
 				});
 				return { userId: user._id };
 			};
-			const tryPasswordFlow = (try_) => Effect.tryPromise({
-				try: try_,
-				catch: (error) => error instanceof Error ? error : new Error(String(error))
-			});
-			return await Effect.runPromise(Match.value(flowDispatch).pipe(Match.when({ tag: "signUp" }, () => tryPasswordFlow(async () => {
+			if (flowDispatch.tag === "signUp") {
 				const secret = requirePasswordParam(params.password, "signUp");
 				const created = await ctx.auth.account.create(ctx, {
 					provider,
@@ -115,7 +107,7 @@ function password(config = {}) {
 					shouldLinkViaPhone: false
 				});
 				return await finalizeCredentialsResult(created.account, created.user);
-			})), Match.when({ tag: "signIn" }, () => tryPasswordFlow(async () => {
+			} else if (flowDispatch.tag === "signIn") {
 				const secret = requirePasswordParam(params.password, "signIn");
 				const retrieved = await ctx.auth.account.get(ctx, {
 					provider,
@@ -126,7 +118,7 @@ function password(config = {}) {
 				});
 				if (retrieved === null) throw new Error("Invalid credentials");
 				return await finalizeCredentialsResult(retrieved.account, retrieved.user);
-			})), Match.when({ tag: "reset" }, () => tryPasswordFlow(async () => {
+			} else if (flowDispatch.tag === "reset") {
 				if (!resetProvider) throw new Error(`Password reset is not enabled for ${provider}`);
 				const { account } = await ctx.auth.account.get(ctx, {
 					provider,
@@ -136,7 +128,7 @@ function password(config = {}) {
 					accountId: account._id,
 					params
 				});
-			})), Match.when({ tag: "resetVerification" }, () => tryPasswordFlow(async () => {
+			} else if (flowDispatch.tag === "resetVerification") {
 				if (!resetProvider) throw new Error(`Password reset is not enabled for ${provider}`);
 				if (params.newPassword === void 0) throw new Error("Missing `newPassword` param for `reset-verification` flow");
 				const result = await ctx.auth.provider.signIn(ctx, resetProvider, { params });
@@ -158,7 +150,7 @@ function password(config = {}) {
 					userId,
 					sessionId
 				};
-			})), Match.when({ tag: "emailVerification" }, () => tryPasswordFlow(async () => {
+			} else if (flowDispatch.tag === "emailVerification") {
 				if (!verifyProvider) throw new Error(`Email verification is not enabled for ${provider}`);
 				const { account } = await ctx.auth.account.get(ctx, {
 					provider,
@@ -168,7 +160,7 @@ function password(config = {}) {
 					accountId: account._id,
 					params
 				});
-			})), Match.when({ tag: "invalid" }, () => Effect.die(/* @__PURE__ */ new Error("Missing `flow` param, it must be one of \"signUp\", \"signIn\", \"reset\", \"reset-verification\" or \"email-verification\"!"))), Match.exhaustive));
+			} else throw new Error("Missing `flow` param, it must be one of \"signUp\", \"signIn\", \"reset\", \"reset-verification\" or \"email-verification\"!");
 		},
 		crypto: config.crypto ?? {
 			async hashSecret(password) {

package/dist/providers/phone.js

@@ -1,12 +1,5 @@
-import { Effect, Match } from "effect";
-
 //#region src/providers/phone.ts
 /**
-* Phone / SMS authentication provider.
-*
-* @module
-*/
-/**
 * Create a phone or SMS verification provider.
 *
 * @param config - SMS delivery hook and optional provider settings.
@@ -29,8 +22,8 @@ function phone(config) {
 		type: "phone",
 		maxAge: config.maxAge ?? 1200,
 		authorize: async (params, account) => {
-			const dispatch = typeof params.phone !== "string" ? { tag: "missingPhone" } : account.providerAccountId !== params.phone ? { tag: "mismatch" } : { tag: "ok" };
-			return await Effect.runPromise(Match.value(dispatch).pipe(Match.when({ tag: "missingPhone" }, () => Effect.die(/* @__PURE__ */ new Error("Token verification requires a `phone` in params of `signIn`."))), Match.when({ tag: "mismatch" }, () => Effect.die(/* @__PURE__ */ new Error("Short verification code requires a matching `phone` in params of `signIn`."))), Match.when({ tag: "ok" }, () => Effect.succeed(void 0)), Match.exhaustive));
+			if (typeof params.phone !== "string") throw new Error("Token verification requires a `phone` in params of `signIn`.");
+			if (account.providerAccountId !== params.phone) throw new Error("Short verification code requires a matching `phone` in params of `signIn`.");
 		},
 		sendVerificationRequest: config.send,
 		options: {}

package/dist/server/auth-context.d.ts

@@ -0,0 +1,204 @@
+import { ConvexAuthConfig, Doc } from "./types.js";
+import { GenericId } from "convex/values";
+import { UserIdentity } from "convex/server";
+
+//#region src/server/auth-context.d.ts
+/**
+ * Config for auth setup. Extends the standard auth config
+ * minus `component` (which is passed as the first constructor argument).
+ */
+type AuthConfig = Omit<ConvexAuthConfig, "component">;
+/** Canonical user document type exposed by Convex Auth. */
+type UserDoc = Doc<"User">;
+type AuthIdentityCtx = {
+  auth: {
+    getUserIdentity: () => Promise<UserIdentity | null>;
+  };
+};
+type AuthQueryCtx = {
+  runQuery: (...args: never[]) => Promise<unknown>;
+};
+type CustomFunctionInputResult<TAuth extends Record<string, unknown>> = Promise<{
+  ctx: {
+    auth: TAuth;
+  };
+}>;
+/**
+ * Current request auth context injected into `ctx.auth` by `auth.ctx()`. This
+ * is the authenticated auth shape returned by {@link createAuth().context}.
+ * Optional context builders may still surface nullable fields when
+ * `optional: true` is used.
+ *
+ * - `groupId` is `null` when the user has no active group set.
+ * - `role` is `null` when no active group or no membership is resolved.
+ * - `grants` is `[]` when no active group or no membership is resolved.
+ *
+ * @example
+ * ```ts
+ * import type { AuthContext } from "@robelest/convex-auth/server";
+ *
+ * const mockAuth: AuthContext = {
+ *   userId: "user123" as Id<"User">,
+ *   user: { _id: "user123", email: "test@example.com" },
+ *   groupId: "group456",
+ *   role: "admin",
+ *   grants: ["read", "write"],
+ * };
+ * ```
+ */
+type AuthContext = {
+  /** The authenticated user's document ID. */userId: GenericId<"User">; /** The authenticated user's full document. */
+  user: UserDoc; /** The user's active group ID, or `null` if none set. */
+  groupId: string | null; /** The user's primary role in the active group, or `null`. */
+  role: string | null; /** Resolved grant strings from the user's role definitions. */
+  grants: string[];
+};
+/**
+ * Nullable auth context returned by `auth.context(ctx, { optional: true })`
+ * and injected by `auth.ctx({ optional: true })`.
+ *
+ * Use this when callers may be unauthenticated but you still want a stable
+ * auth-shaped object.
+ *
+ * - `userId` and `user` are `null` when unauthenticated.
+ * - `groupId` and `role` are `null` when no active group is resolved.
+ * - `grants` is `[]` when no membership is resolved.
+ *
+ * @example
+ * ```ts
+ * const authContext = await auth.context(ctx, { optional: true });
+ * if (authContext.userId === null) {
+ *   return null;
+ * }
+ * ```
+ */
+type OptionalAuthContext = {
+  /** The authenticated user's document ID, or `null` when unauthenticated. */userId: GenericId<"User"> | null; /** The authenticated user's full document, or `null` when unauthenticated. */
+  user: UserDoc | null; /** The user's active group ID, or `null` if none is set. */
+  groupId: string | null; /** The user's primary role in the active group, or `null`. */
+  role: string | null; /** Resolved grant strings for the active membership, or `[]`. */
+  grants: string[];
+};
+type AuthContextBase = {
+  getUserIdentity: () => Promise<UserIdentity | null>;
+};
+type RequiredAuthContextState = AuthContextBase & AuthContext;
+type OptionalAuthContextState = AuthContextBase & OptionalAuthContext;
+type ResolvedAuthContext<TResolve> = AuthContext & TResolve;
+type ResolvedOptionalAuthContext<TResolve> = OptionalAuthContext & TResolve;
+type AuthResolverCtx = AuthIdentityCtx & AuthQueryCtx;
+type PublicAuthContextConfig<TResolve extends Record<string, unknown>, TCtx> = AuthContextConfig<TResolve, TCtx & AuthResolverCtx>;
+type AuthContextResolver = {
+  <TCtx, TResolve extends Record<string, unknown> = Record<string, never>>(ctx: TCtx, config: PublicAuthContextConfig<TResolve, TCtx> & {
+    optional: true;
+  }): Promise<ResolvedOptionalAuthContext<TResolve>>;
+  <TCtx, TResolve extends Record<string, unknown> = Record<string, never>>(ctx: TCtx, config?: PublicAuthContextConfig<TResolve, TCtx>): Promise<ResolvedAuthContext<TResolve>>;
+};
+type AuthContextCustomization<TAuth> = {
+  args: {};
+  input: (ctx: AuthResolverCtx, _args: Record<string, never>, _extra?: unknown) => Promise<{
+    ctx: {
+      auth: TAuth;
+    };
+    args: {};
+  }>;
+};
+type AuthContextFactory = {
+  <TResolve extends Record<string, unknown> = Record<string, never>>(config: AuthContextConfig<TResolve> & {
+    optional: true;
+  }): AuthContextCustomization<OptionalAuthContextState & TResolve>;
+  <TResolve extends Record<string, unknown> = Record<string, never>>(config?: AuthContextConfig<TResolve>): AuthContextCustomization<RequiredAuthContextState & TResolve>;
+};
+/**
+ * Minimal auth helper surface required by the context resolvers.
+ *
+ * This stays exported because `auth.ts` re-exports it for compatibility with
+ * existing consumers that reference the low-level context helpers.
+ */
+/**
+ * Configuration for {@link createAuth().ctx} context enrichment.
+ *
+ * The same config shape is also used by {@link createAuth().context}.
+ *
+ * @typeParam TResolve - Extra fields returned from `resolve()` and merged into
+ *   the resulting `ctx.auth` object.
+ *
+ * @example
+ * ```ts
+ * const authContext = await auth.context(ctx, {
+ *   resolve: async (_ctx, user, authState) => ({
+ *     email: user.email,
+ *     canWrite: authState.grants.includes("posts.write"),
+ *   }),
+ * });
+ * ```
+ */
+type AuthContextConfig<TResolve extends Record<string, unknown> = Record<string, never>, TCtx extends AuthIdentityCtx = AuthIdentityCtx> = {
+  /**
+   * Allow unauthenticated callers and return a null-shaped auth object instead
+   * of throwing `NOT_SIGNED_IN`.
+   */
+  optional?: boolean;
+  /**
+   * Attach additional derived fields to the auth context after the base auth
+   * context is resolved.
+   *
+   * This callback runs only when a user is authenticated.
+   */
+  resolve?: (ctx: TCtx, user: UserDoc, auth: AuthContext) => Promise<TResolve> | TResolve;
+  /**
+   * Override or wrap the base auth resolution used by {@link createAuth().ctx}.
+   *
+   * Return `undefined` to fall back to the built-in resolver,
+   * `null` for an explicit unauthenticated state, or an
+   * {@link AuthContext} object to provide a pre-resolved auth state.
+   * This is useful for tests, proxy auth, impersonation flows, or any
+   * environment that needs to inject auth without depending on the standard
+   * Convex auth tables.
+   *
+   * @param ctx - The Convex function context.
+   * @param fallback - The built-in auth resolver used by {@link createAuth().ctx}.
+   * @returns Resolved auth state, `null`, or `undefined` to use the fallback.
+   *
+   * @example
+   * ```ts
+   * const authCtx = auth.ctx({
+   *   authResolve: async (ctx, fallback) => {
+   *     const injected = getInjectedAuth(ctx);
+   *     return injected ?? (await fallback());
+   *   },
+   * });
+   * ```
+   */
+  authResolve?: (ctx: TCtx, fallback: () => Promise<AuthContext | null>) => Promise<AuthContext | null | undefined> | AuthContext | null | undefined;
+};
+/**
+ * Extract the resolved `auth` context type from an `auth.ctx()` customization.
+ *
+ * Use this to type function parameters or variables that receive the
+ * enriched auth context produced by `auth.ctx()`. The inferred type includes
+ * `userId`, `user`, `groupId`, `role`, `grants`, `getUserIdentity`, and any
+ * additional fields added by the `resolve` callback. This is the generic
+ * utility for reusing the enriched auth shape without manually duplicating
+ * conditional auth types.
+ *
+ * @typeParam T - An `auth.ctx()` return value (must have an `input` method
+ *   that returns `{ ctx: { auth: ... } }`).
+ *
+ * @example
+ * ```ts
+ * const authCtx = auth.ctx({
+ *   resolve: async (ctx, user) => ({ orgId: user.orgId }),
+ * });
+ * type Auth = InferAuth<typeof authCtx>;
+ * // Auth = { userId: Id<"User">; user: UserDoc; getUserIdentity: ...; orgId: string }
+ * ```
+ *
+ * @see {@link createAuth}
+ */
+type InferAuth<T extends {
+  input: (...args: never[]) => CustomFunctionInputResult<Record<string, unknown>>;
+}> = Awaited<ReturnType<T["input"]>>["ctx"]["auth"];
+//#endregion
+export { AuthConfig, AuthContext, AuthContextConfig, AuthContextFactory, AuthContextResolver, InferAuth, OptionalAuthContext, UserDoc };
+//# sourceMappingURL=auth-context.d.ts.map

package/dist/server/auth-context.js

@@ -0,0 +1,76 @@
+import { createUnauthenticatedAuthContext, getAuthContext } from "./context.js";
+import { ConvexError } from "convex/values";
+
+//#region src/server/auth-context.ts
+async function resolveConfiguredAuthContext(auth, ctx, config) {
+	const fallback = () => getAuthContext(auth, ctx);
+	const authOverride = config?.authResolve ? await config.authResolve(ctx, fallback) : void 0;
+	return authOverride === void 0 ? await fallback() : authOverride;
+}
+function createNotSignedInError() {
+	return new ConvexError({
+		code: "NOT_SIGNED_IN",
+		message: "Authentication required."
+	});
+}
+function assertAuthResolverContext(ctx) {
+	const candidate = ctx;
+	if (candidate === null || typeof candidate !== "object" || candidate.auth === void 0 || candidate.auth === null || typeof candidate.auth !== "object" || typeof candidate.auth.getUserIdentity !== "function" || typeof candidate.runQuery !== "function") throw new TypeError("auth.context(ctx) requires a Convex function context with auth.getUserIdentity() and runQuery().");
+}
+/**
+* Resolve the public auth context for a Convex handler context.
+*
+* This low-level helper underpins `auth.context(...)` and remains exported for
+* compatibility with existing consumers using the server entrypoint.
+*/
+async function createPublicAuthContext(auth, ctx, config) {
+	const resolved = await resolveConfiguredAuthContext(auth, ctx, config);
+	if (resolved === null) {
+		if (config?.optional !== true) throw createNotSignedInError();
+		return createUnauthenticatedAuthContext();
+	}
+	const extra = config?.resolve ? await config.resolve(ctx, resolved.user, resolved) : {};
+	return {
+		...resolved,
+		...extra
+	};
+}
+/**
+* Create a convex-helpers customization that injects `ctx.auth`.
+*
+* This low-level helper underpins `auth.ctx(...)` and remains exported for
+* compatibility with existing consumers using the server entrypoint.
+*/
+function createAuthContextCustomization(auth, config) {
+	return {
+		args: {},
+		input: async (ctx, _args, _extra) => {
+			const nativeAuth = ctx.auth;
+			const getUserIdentity = nativeAuth.getUserIdentity.bind(nativeAuth);
+			const resolved = await resolveConfiguredAuthContext(auth, ctx, config);
+			if (resolved === null) {
+				if (config?.optional !== true) throw createNotSignedInError();
+				return {
+					ctx: { auth: {
+						getUserIdentity,
+						...createUnauthenticatedAuthContext()
+					} },
+					args: {}
+				};
+			}
+			const extra = config?.resolve ? await config.resolve(ctx, resolved.user, resolved) : {};
+			return {
+				ctx: { auth: {
+					getUserIdentity,
+					...resolved,
+					...extra
+				} },
+				args: {}
+			};
+		}
+	};
+}
+
+//#endregion
+export { assertAuthResolverContext, createAuthContextCustomization, createPublicAuthContext };
+//# sourceMappingURL=auth-context.js.map

package/dist/server/auth.d.ts

@@ -1,31 +1,12 @@
 import { AuthApiRefs } from "../client/core/types.js";
 import "../client/index.js";
-import { AuthAuthorizationConfig, AuthGrant, AuthProviderConfig, AuthRoleId, ConvexAuthConfig, Doc, HasDeviceProvider, HasPasskeyProvider, HasSSO, HasTotpProvider } from "./types.js";
+import { AuthAuthorizationConfig, AuthGrant, AuthProviderConfig, AuthRoleId, ConvexAuthConfig, HasDeviceProvider, HasPasskeyProvider, HasSSO, HasTotpProvider } from "./types.js";
+import { AuthConfig, AuthContext, AuthContextConfig, AuthContextFactory as AuthContextFactory$1, AuthContextResolver as AuthContextResolver$1, InferAuth, OptionalAuthContext, UserDoc } from "./auth-context.js";
 import { Auth } from "./runtime.js";
-import { GenericId } from "convex/values";
-import { UserIdentity } from "convex/server";
 
 //#region src/server/auth.d.ts
-/**
- * Config for auth setup. Extends the standard auth config
- * minus `component` (which is passed as the first constructor argument).
- */
-type AuthConfig = Omit<ConvexAuthConfig, "component">;
-/** Canonical user document type exposed by Convex Auth. */
-type UserDoc = Doc<"User">;
-type AuthIdentityCtx = {
-  auth: {
-    getUserIdentity: () => Promise<UserIdentity | null>;
-  };
-};
-type AuthQueryCtx = {
-  runQuery: (...args: never[]) => Promise<unknown>;
-};
-type CustomFunctionInputResult<TAuth extends Record<string, unknown>> = Promise<{
-  ctx: {
-    auth: TAuth;
-  };
-}>;
+type AuthContextResolver = AuthContextResolver$1;
+type AuthContextFactory = AuthContextFactory$1;
 type MemberApiWithAuthorization<TAuthorization extends AuthAuthorizationConfig | undefined> = Omit<ReturnType<typeof Auth>["auth"]["member"], "create" | "list" | "update" | "inspect" | "require"> & {
   create: (ctx: Parameters<ReturnType<typeof Auth>["auth"]["member"]["create"]>[0], data: {
     groupId: string;
@@ -171,91 +152,6 @@ type AuthApiBase<TAuthorization extends AuthAuthorizationConfig | undefined = un
    */
   ctx: AuthContextFactory;
 };
-/**
- * Current request auth context injected into `ctx.auth` by `auth.ctx()`. This
- * is the authenticated auth shape returned by {@link createAuth().context}.
- * Optional context builders may still surface nullable fields when
- * `optional: true` is used.
- *
- * - `groupId` is `null` when the user has no active group set.
- * - `role` is `null` when no active group or no membership is resolved.
- * - `grants` is `[]` when no active group or no membership is resolved.
- *
- * @example
- * ```ts
- * import type { AuthContext } from "@robelest/convex-auth/server";
- *
- * const mockAuth: AuthContext = {
- *   userId: "user123" as Id<"User">,
- *   user: { _id: "user123", email: "test@example.com" },
- *   groupId: "group456",
- *   role: "admin",
- *   grants: ["read", "write"],
- * };
- * ```
- */
-type AuthContext = {
-  /** The authenticated user's document ID. */userId: GenericId<"User">; /** The authenticated user's full document. */
-  user: UserDoc; /** The user's active group ID, or `null` if none set. */
-  groupId: string | null; /** The user's primary role in the active group, or `null`. */
-  role: string | null; /** Resolved grant strings from the user's role definitions. */
-  grants: string[];
-};
-/**
- * Nullable auth context returned by `auth.context(ctx, { optional: true })`
- * and injected by `auth.ctx({ optional: true })`.
- *
- * Use this when callers may be unauthenticated but you still want a stable
- * auth-shaped object.
- *
- * - `userId` and `user` are `null` when unauthenticated.
- * - `groupId` and `role` are `null` when no active group is resolved.
- * - `grants` is `[]` when no membership is resolved.
- *
- * @example
- * ```ts
- * const authContext = await auth.context(ctx, { optional: true });
- * if (authContext.userId === null) {
- *   return null;
- * }
- * ```
- */
-type OptionalAuthContext = {
-  /** The authenticated user's document ID, or `null` when unauthenticated. */userId: GenericId<"User"> | null; /** The authenticated user's full document, or `null` when unauthenticated. */
-  user: UserDoc | null; /** The user's active group ID, or `null` if none is set. */
-  groupId: string | null; /** The user's primary role in the active group, or `null`. */
-  role: string | null; /** Resolved grant strings for the active membership, or `[]`. */
-  grants: string[];
-};
-type AuthContextBase = {
-  getUserIdentity: () => Promise<UserIdentity | null>;
-};
-type RequiredAuthContextState = AuthContextBase & AuthContext;
-type OptionalAuthContextState = AuthContextBase & OptionalAuthContext;
-type ResolvedAuthContext<TResolve> = AuthContext & TResolve;
-type ResolvedOptionalAuthContext<TResolve> = OptionalAuthContext & TResolve;
-type AuthResolverCtx = AuthIdentityCtx & AuthQueryCtx;
-type AuthContextResolver = {
-  <TResolve extends Record<string, unknown> = Record<string, never>>(ctx: AuthResolverCtx, config: AuthContextConfig<TResolve> & {
-    optional: true;
-  }): Promise<ResolvedOptionalAuthContext<TResolve>>;
-  <TResolve extends Record<string, unknown> = Record<string, never>>(ctx: AuthResolverCtx, config?: AuthContextConfig<TResolve>): Promise<ResolvedAuthContext<TResolve>>;
-};
-type AuthContextCustomization<TAuth> = {
-  args: {};
-  input: (ctx: AuthResolverCtx, _args: Record<string, never>, _extra?: unknown) => Promise<{
-    ctx: {
-      auth: TAuth;
-    };
-    args: {};
-  }>;
-};
-type AuthContextFactory = {
-  <TResolve extends Record<string, unknown> = Record<string, never>>(config: AuthContextConfig<TResolve> & {
-    optional: true;
-  }): AuthContextCustomization<OptionalAuthContextState & TResolve>;
-  <TResolve extends Record<string, unknown> = Record<string, never>>(config?: AuthContextConfig<TResolve>): AuthContextCustomization<RequiredAuthContextState & TResolve>;
-};
 type InternalSsoApi = ReturnType<typeof Auth>["auth"]["sso"];
 type PublicGroupSsoApi = {
   signIn: (ctx: Parameters<InternalSsoApi["connection"]["create"]>[0], data: {
@@ -390,94 +286,36 @@ type ConvexAuthResult<P extends AuthProviderConfig[], TAuthorization extends Aut
  * @typeParam T - A ConvexAuthResult to extract the client API from.
  */
 type InferClientApi<T> = T extends ConvexAuthResult<infer P> ? AuthApiRefs<HasPasskeyProvider<P>, HasTotpProvider<P>, HasDeviceProvider<P>> : AuthApiRefs;
-declare function createAuth<P extends AuthProviderConfig[], TAuthorization extends AuthAuthorizationConfig | undefined = undefined>(component: ConvexAuthConfig["component"], config: Omit<AuthConfig, "providers" | "authorization"> & {
-  providers: P;
-  authorization?: TAuthorization;
-}): ConvexAuthResult<P, TAuthorization>;
 /**
- * Configuration for {@link createAuth().ctx} context enrichment.
+ * Create an auth API object.
  *
- * The same config shape is also used by {@link createAuth().context}.
+ * When `sso()` is included in providers, `auth.group.sso` is available
+ * on the returned object. Without it, that namespace is absent and
+ * accessing it is a TypeScript compile error.
  *
- * @typeParam TResolve - Extra fields returned from `resolve()` and merged into
- *   the resulting `ctx.auth` object.
+ * @param component - The installed auth component reference from
+ *   `components.auth` in your Convex app definition.
+ * @param config - Auth configuration including `providers` and optional
+ *   `authorization`. All fields from {@link AuthConfig} are accepted
+ *   except `component` (passed as the first argument).
+ * @returns A {@link ConvexAuthResult} object — either {@link AuthApi}
+ *   (with `group.sso`) or {@link AuthApiBase}, depending on whether
+ *   an SSO provider is present.
  *
  * @example
  * ```ts
- * const authContext = await auth.context(ctx, {
- *   resolve: async (_ctx, user, authState) => ({
- *     email: user.email,
- *     canWrite: authState.grants.includes("posts.write"),
- *   }),
+ * export const auth = createAuth(components.auth, {
+ *   providers: [password(), google()],
+ *   authorization: { roles },
  * });
  * ```
- */
-type AuthContextConfig<TResolve extends Record<string, unknown> = Record<string, never>, TCtx extends AuthIdentityCtx = AuthIdentityCtx> = {
-  /**
-   * Allow unauthenticated callers and return a null-shaped auth object instead
-   * of throwing `NOT_SIGNED_IN`.
-   */
-  optional?: boolean;
-  /**
-   * Attach additional derived fields to the auth context after the base auth
-   * context is resolved.
-   *
-   * This callback runs only when a user is authenticated.
-   */
-  resolve?: (ctx: TCtx, user: UserDoc, auth: AuthContext) => Promise<TResolve> | TResolve;
-  /**
-   * Override or wrap the base auth resolution used by {@link createAuth().ctx}.
-   *
-   * Return `undefined` to fall back to the built-in resolver,
-   * `null` for an explicit unauthenticated state, or an
-   * {@link AuthContext} object to provide a pre-resolved auth state.
-   * This is useful for tests, proxy auth, impersonation flows, or any
-   * environment that needs to inject auth without depending on the standard
-   * Convex auth tables.
-   *
-   * @param ctx - The Convex function context.
-   * @param fallback - The built-in auth resolver used by {@link createAuth().ctx}.
-   * @returns Resolved auth state, `null`, or `undefined` to use the fallback.
-   *
-   * @example
-   * ```ts
-   * const authCtx = auth.ctx({
-   *   authResolve: async (ctx, fallback) => {
-   *     const injected = getInjectedAuth(ctx);
-   *     return injected ?? (await fallback());
-   *   },
-   * });
-   * ```
-   */
-  authResolve?: (ctx: TCtx, fallback: () => Promise<AuthContext | null>) => Promise<AuthContext | null | undefined> | AuthContext | null | undefined;
-};
-/**
- * Extract the resolved `auth` context type from an `auth.ctx()` customization.
  *
- * Use this to type function parameters or variables that receive the
- * enriched auth context produced by `auth.ctx()`. The inferred type includes
- * `userId`, `user`, `groupId`, `role`, `grants`, `getUserIdentity`, and any
- * additional fields added by the `resolve` callback. This is the generic
- * utility for reusing the enriched auth shape without manually duplicating
- * conditional auth types.
- *
- * @typeParam T - An `auth.ctx()` return value (must have an `input` method
- *   that returns `{ ctx: { auth: ... } }`).
- *
- * @example
- * ```ts
- * const authCtx = auth.ctx({
- *   resolve: async (ctx, user) => ({ orgId: user.orgId }),
- * });
- * type Auth = InferAuth<typeof authCtx>;
- * // Auth = { userId: Id<"User">; user: UserDoc; getUserIdentity: ...; orgId: string }
- * ```
- *
- * @see {@link createAuth}
+ * @see {@link AuthContextConfig}
  */
-type InferAuth<T extends {
-  input: (...args: never[]) => CustomFunctionInputResult<Record<string, unknown>>;
-}> = Awaited<ReturnType<T["input"]>>["ctx"]["auth"];
+declare function createAuth<P extends AuthProviderConfig[], TAuthorization extends AuthAuthorizationConfig | undefined = undefined>(component: ConvexAuthConfig["component"], config: Omit<AuthConfig, "providers" | "authorization"> & {
+  providers: P;
+  authorization?: TAuthorization;
+}): ConvexAuthResult<P, TAuthorization>;
 //#endregion
-export { AuthApi, AuthApiBase, AuthConfig, AuthContext, AuthContextConfig, ConvexAuthResult, InferAuth, InferClientApi, OptionalAuthContext, UserDoc, createAuth };
+export { AuthApi, AuthApiBase, ConvexAuthResult, InferClientApi, createAuth };
 //# sourceMappingURL=auth.d.ts.map