@robelest/convex-auth 0.0.4-preview.32 → 0.0.4-preview.34

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (89) hide show
  1. package/dist/component/_generated/component.d.ts +1611 -2039
  2. package/dist/component/account.js +3 -0
  3. package/dist/component/convex.config.d.ts +2 -2
  4. package/dist/component/factor/device.js +3 -0
  5. package/dist/component/factor/passkey.js +3 -0
  6. package/dist/component/factor/totp.js +3 -0
  7. package/dist/component/group/invite.js +3 -0
  8. package/dist/component/group/member.js +3 -0
  9. package/dist/component/group.js +3 -0
  10. package/dist/component/model.d.ts +342 -30
  11. package/dist/component/model.js +22 -4
  12. package/dist/component/modules.js +24 -21
  13. package/dist/component/public/factors/devices.js +37 -106
  14. package/dist/component/public/factors/passkeys.js +29 -149
  15. package/dist/component/public/factors/totp.js +32 -159
  16. package/dist/component/public/groups/core.js +19 -82
  17. package/dist/component/public/groups/invites.js +15 -104
  18. package/dist/component/public/groups/members.js +26 -149
  19. package/dist/component/public/identity/accounts.js +12 -94
  20. package/dist/component/public/identity/codes.js +13 -73
  21. package/dist/component/public/identity/sessions.js +5 -107
  22. package/dist/component/public/identity/tokens.js +13 -103
  23. package/dist/component/public/identity/users.js +188 -185
  24. package/dist/component/public/identity/verifiers.js +17 -80
  25. package/dist/component/public/security/keys.js +13 -120
  26. package/dist/component/public/security/limits.js +0 -43
  27. package/dist/component/public/sso/audit.js +0 -28
  28. package/dist/component/public/sso/core.js +31 -104
  29. package/dist/component/public/sso/domains.js +0 -71
  30. package/dist/component/public/sso/scim.js +63 -239
  31. package/dist/component/public/sso/secrets.js +0 -30
  32. package/dist/component/public/sso/webhooks.js +23 -128
  33. package/dist/component/rateLimit.js +3 -0
  34. package/dist/component/schema.d.ts +378 -342
  35. package/dist/component/schema.js +11 -1
  36. package/dist/component/session.js +3 -0
  37. package/dist/component/sso/audit.js +3 -0
  38. package/dist/component/sso/connection/domain/verification.js +3 -0
  39. package/dist/component/sso/connection/domain.js +3 -0
  40. package/dist/component/sso/connection/scim/config.js +3 -0
  41. package/dist/component/sso/connection/scim/identity.js +3 -0
  42. package/dist/component/sso/connection/secret.js +3 -0
  43. package/dist/component/sso/connection.js +3 -0
  44. package/dist/component/sso/webhook/delivery.js +3 -0
  45. package/dist/component/sso/webhook/endpoint.js +3 -0
  46. package/dist/component/token/pkce.js +3 -0
  47. package/dist/component/token/refresh.js +3 -0
  48. package/dist/component/token/verification.js +3 -0
  49. package/dist/component/user/email.js +3 -0
  50. package/dist/component/user/key.js +3 -0
  51. package/dist/component/user.js +62 -0
  52. package/dist/core/index.d.ts +131 -28
  53. package/dist/core/index.js +2 -0
  54. package/dist/model.js +391 -0
  55. package/dist/providers/credentials.d.ts +1 -1
  56. package/dist/providers/github.js +6 -0
  57. package/dist/providers/password.js +1 -2
  58. package/dist/server/auth.d.ts +73 -7
  59. package/dist/server/auth.js +4 -1
  60. package/dist/server/context.js +30 -3
  61. package/dist/server/contract.js +42 -42
  62. package/dist/server/core.js +224 -86
  63. package/dist/server/db.js +45 -37
  64. package/dist/server/facade.d.ts +39 -0
  65. package/dist/server/facade.js +16 -0
  66. package/dist/server/index.d.ts +5 -3
  67. package/dist/server/index.js +3 -1
  68. package/dist/server/mounts.d.ts +101 -101
  69. package/dist/server/mutations/credentials/signin.js +3 -7
  70. package/dist/server/mutations/oauth.js +9 -6
  71. package/dist/server/runtime.d.ts +147 -46
  72. package/dist/server/runtime.js +10 -8
  73. package/dist/server/services/group.js +9 -9
  74. package/dist/server/sso/domain.d.ts +1 -1
  75. package/dist/server/sso/domain.js +40 -40
  76. package/dist/server/sso/http.js +18 -18
  77. package/dist/server/sso/oidc.js +1 -1
  78. package/dist/server/sso/policies.js +3 -3
  79. package/dist/server/sso/policy.js +12 -4
  80. package/dist/server/sso/provision.js +9 -9
  81. package/dist/server/sso/validators.js +2 -2
  82. package/dist/server/sso/webhook.js +8 -8
  83. package/dist/server/types.d.ts +185 -124
  84. package/dist/server/types.js +29 -24
  85. package/dist/server/users.js +49 -2
  86. package/dist/server/validators.d.ts +745 -0
  87. package/dist/server/validators.js +60 -0
  88. package/package.json +1 -1
  89. package/dist/component/public.js +0 -22
package/dist/component/schema.d.ts CHANGED
@@ -1,5 +1,5 @@
1
- import * as convex_values50 from "convex/values";
2
- import * as convex_server80 from "convex/server";
1
+ import * as convex_values1267 from "convex/values";
2
+ import * as convex_server93 from "convex/server";
3
3
 
4
4
  //#region src/component/schema.d.ts
5
5
  /**
@@ -9,48 +9,84 @@ import * as convex_server80 from "convex/server";
9
9
  * verification codes, PKCE verifiers, rate limits) and hierarchical group
10
10
  * management (groups, members, invites).
11
11
  */
12
- declare const _default: convex_server80.SchemaDefinition<{
12
+ declare const _default: convex_server93.SchemaDefinition<{
13
13
  /**
14
14
  * Authenticated users. A user may have multiple linked accounts
15
15
  * and multiple concurrent sessions.
16
16
  */
17
- User: convex_server80.TableDefinition<convex_values50.VObject<{
18
- name?: string | undefined;
17
+ User: convex_server93.TableDefinition<convex_values1267.VObject<{
19
18
  email?: string | undefined;
19
+ name?: string | undefined;
20
20
  image?: string | undefined;
21
- phone?: string | undefined;
22
21
  extend?: any;
23
22
  emailVerificationTime?: number | undefined;
23
+ phone?: string | undefined;
24
24
  phoneVerificationTime?: number | undefined;
25
25
  isAnonymous?: boolean | undefined;
26
- hasTotp?: boolean | undefined;
26
+ lastActiveGroup?: convex_values1267.GenericId<"Group"> | undefined;
27
27
  }, {
28
- name: convex_values50.VString<string | undefined, "optional">;
29
- image: convex_values50.VString<string | undefined, "optional">;
30
- email: convex_values50.VString<string | undefined, "optional">;
31
- emailVerificationTime: convex_values50.VFloat64<number | undefined, "optional">;
32
- phone: convex_values50.VString<string | undefined, "optional">;
33
- phoneVerificationTime: convex_values50.VFloat64<number | undefined, "optional">;
34
- isAnonymous: convex_values50.VBoolean<boolean | undefined, "optional">;
35
- hasTotp: convex_values50.VBoolean<boolean | undefined, "optional">;
36
- extend: convex_values50.VAny<any, "optional", string>;
37
- }, "required", "name" | "email" | "image" | "phone" | "extend" | "emailVerificationTime" | "phoneVerificationTime" | "isAnonymous" | "hasTotp" | `extend.${string}`>, {
28
+ name: convex_values1267.VString<string | undefined, "optional">;
29
+ image: convex_values1267.VString<string | undefined, "optional">;
30
+ email: convex_values1267.VString<string | undefined, "optional">;
31
+ emailVerificationTime: convex_values1267.VFloat64<number | undefined, "optional">;
32
+ phone: convex_values1267.VString<string | undefined, "optional">;
33
+ phoneVerificationTime: convex_values1267.VFloat64<number | undefined, "optional">;
34
+ isAnonymous: convex_values1267.VBoolean<boolean | undefined, "optional">;
35
+ lastActiveGroup: convex_values1267.VId<convex_values1267.GenericId<"Group"> | undefined, "optional">;
36
+ extend: convex_values1267.VAny<any, "optional", string>;
37
+ }, "required", "email" | "name" | "image" | "extend" | "emailVerificationTime" | "phone" | "phoneVerificationTime" | "isAnonymous" | "lastActiveGroup" | `extend.${string}`>, {
38
38
  email: ["email", "_creationTime"];
39
39
  email_verified: ["email", "emailVerificationTime", "_creationTime"];
40
40
  phone: ["phone", "_creationTime"];
41
41
  phone_verified: ["phone", "phoneVerificationTime", "_creationTime"];
42
42
  }, {}, {}>;
43
+ /**
44
+ * All emails a user owns, across providers/connections. `User.email`
45
+ * remains the single denormalized primary pointer (the row with
46
+ * `isPrimary: true`); this table is the source of truth for the full
47
+ * set and carries provenance so SSO linking can be connection-scoped.
48
+ *
49
+ * `verificationTime` present ⇔ the email is verified. `source` and
50
+ * `connectionId` record which provider/SSO connection asserted it —
51
+ * email-based account linking for SSO must stay scoped to the same
52
+ * `connectionId` (see server/users.ts) to avoid cross-IdP takeover.
53
+ */
54
+ UserEmail: convex_server93.TableDefinition<convex_values1267.VObject<{
55
+ provider?: string | undefined;
56
+ connectionId?: convex_values1267.GenericId<"GroupConnection"> | undefined;
57
+ verificationTime?: number | undefined;
58
+ accountId?: convex_values1267.GenericId<"Account"> | undefined;
59
+ email: string;
60
+ source: "saml" | "oidc" | "scim" | "password" | "oauth";
61
+ userId: convex_values1267.GenericId<"User">;
62
+ isPrimary: boolean;
63
+ }, {
64
+ userId: convex_values1267.VId<convex_values1267.GenericId<"User">, "required">;
65
+ email: convex_values1267.VString<string, "required">;
66
+ verificationTime: convex_values1267.VFloat64<number | undefined, "optional">;
67
+ isPrimary: convex_values1267.VBoolean<boolean, "required">;
68
+ source: convex_values1267.VUnion<"saml" | "oidc" | "scim" | "password" | "oauth", [convex_values1267.VLiteral<"password", "required">, convex_values1267.VLiteral<"oauth", "required">, convex_values1267.VLiteral<"oidc", "required">, convex_values1267.VLiteral<"saml", "required">, convex_values1267.VLiteral<"scim", "required">], "required", never>;
69
+ accountId: convex_values1267.VId<convex_values1267.GenericId<"Account"> | undefined, "optional">;
70
+ provider: convex_values1267.VString<string | undefined, "optional">;
71
+ connectionId: convex_values1267.VId<convex_values1267.GenericId<"GroupConnection"> | undefined, "optional">;
72
+ }, "required", "email" | "provider" | "connectionId" | "source" | "userId" | "verificationTime" | "isPrimary" | "accountId">, {
73
+ email: ["email", "_creationTime"];
74
+ email_verified: ["email", "verificationTime", "_creationTime"];
75
+ user_id: ["userId", "_creationTime"];
76
+ user_id_primary: ["userId", "isPrimary", "_creationTime"];
77
+ connection_id_email: ["connectionId", "email", "_creationTime"];
78
+ }, {}, {}>;
43
79
  /**
44
80
  * Active sessions. A single user can have multiple concurrent sessions
45
81
  * across different devices or browsers. Sessions expire after a
46
82
  * configurable duration.
47
83
  */
48
- Session: convex_server80.TableDefinition<convex_values50.VObject<{
49
- userId: convex_values50.GenericId<"User">;
84
+ Session: convex_server93.TableDefinition<convex_values1267.VObject<{
85
+ userId: convex_values1267.GenericId<"User">;
50
86
  expirationTime: number;
51
87
  }, {
52
- userId: convex_values50.VId<convex_values50.GenericId<"User">, "required">;
53
- expirationTime: convex_values50.VFloat64<number, "required">;
88
+ userId: convex_values1267.VId<convex_values1267.GenericId<"User">, "required">;
89
+ expirationTime: convex_values1267.VFloat64<number, "required">;
54
90
  }, "required", "userId" | "expirationTime">, {
55
91
  user_id: ["userId", "_creationTime"];
56
92
  }, {}, {}>;
@@ -59,23 +95,23 @@ declare const _default: convex_server80.SchemaDefinition<{
59
95
  * authentication provider (e.g. Google OAuth, email/password).
60
96
  * A user can have multiple accounts linked.
61
97
  */
62
- Account: convex_server80.TableDefinition<convex_values50.VObject<{
98
+ Account: convex_server93.TableDefinition<convex_values1267.VObject<{
63
99
  emailVerified?: string | undefined;
64
100
  extend?: any;
65
101
  secret?: string | undefined;
66
102
  phoneVerified?: string | undefined;
67
- userId: convex_values50.GenericId<"User">;
68
103
  provider: string;
69
104
  providerAccountId: string;
105
+ userId: convex_values1267.GenericId<"User">;
70
106
  }, {
71
- userId: convex_values50.VId<convex_values50.GenericId<"User">, "required">;
72
- provider: convex_values50.VString<string, "required">;
73
- providerAccountId: convex_values50.VString<string, "required">;
74
- secret: convex_values50.VString<string | undefined, "optional">;
75
- emailVerified: convex_values50.VString<string | undefined, "optional">;
76
- phoneVerified: convex_values50.VString<string | undefined, "optional">;
77
- extend: convex_values50.VAny<any, "optional", string>;
78
- }, "required", "emailVerified" | "userId" | "extend" | `extend.${string}` | "provider" | "providerAccountId" | "secret" | "phoneVerified">, {
107
+ userId: convex_values1267.VId<convex_values1267.GenericId<"User">, "required">;
108
+ provider: convex_values1267.VString<string, "required">;
109
+ providerAccountId: convex_values1267.VString<string, "required">;
110
+ secret: convex_values1267.VString<string | undefined, "optional">;
111
+ emailVerified: convex_values1267.VString<string | undefined, "optional">;
112
+ phoneVerified: convex_values1267.VString<string | undefined, "optional">;
113
+ extend: convex_values1267.VAny<any, "optional", string>;
114
+ }, "required", "emailVerified" | "extend" | "provider" | "providerAccountId" | `extend.${string}` | "userId" | "secret" | "phoneVerified">, {
79
115
  user_id_provider: ["userId", "provider", "_creationTime"];
80
116
  provider_account_id: ["provider", "providerAccountId", "_creationTime"];
81
117
  }, {}, {}>;
@@ -87,16 +123,16 @@ declare const _default: convex_server80.SchemaDefinition<{
87
123
  * been used yet. A 10-second reuse window allows for concurrent requests.
88
124
  * Any invalid use of a token invalidates the entire chain.
89
125
  */
90
- RefreshToken: convex_server80.TableDefinition<convex_values50.VObject<{
126
+ RefreshToken: convex_server93.TableDefinition<convex_values1267.VObject<{
91
127
  firstUsedTime?: number | undefined;
92
- parentRefreshTokenId?: convex_values50.GenericId<"RefreshToken"> | undefined;
128
+ parentRefreshTokenId?: convex_values1267.GenericId<"RefreshToken"> | undefined;
93
129
  expirationTime: number;
94
- sessionId: convex_values50.GenericId<"Session">;
130
+ sessionId: convex_values1267.GenericId<"Session">;
95
131
  }, {
96
- sessionId: convex_values50.VId<convex_values50.GenericId<"Session">, "required">;
97
- expirationTime: convex_values50.VFloat64<number, "required">;
98
- firstUsedTime: convex_values50.VFloat64<number | undefined, "optional">;
99
- parentRefreshTokenId: convex_values50.VId<convex_values50.GenericId<"RefreshToken"> | undefined, "optional">;
132
+ sessionId: convex_values1267.VId<convex_values1267.GenericId<"Session">, "required">;
133
+ expirationTime: convex_values1267.VFloat64<number, "required">;
134
+ firstUsedTime: convex_values1267.VFloat64<number | undefined, "optional">;
135
+ parentRefreshTokenId: convex_values1267.VId<convex_values1267.GenericId<"RefreshToken"> | undefined, "optional">;
100
136
  }, "required", "expirationTime" | "sessionId" | "firstUsedTime" | "parentRefreshTokenId">, {
101
137
  session_id: ["sessionId", "_creationTime"];
102
138
  session_id_first_used: ["sessionId", "firstUsedTime", "_creationTime"];
@@ -105,23 +141,23 @@ declare const _default: convex_server80.SchemaDefinition<{
105
141
  /**
106
142
  * Verification codes for OTP tokens, magic link tokens, and OAuth codes.
107
143
  */
108
- VerificationCode: convex_server80.TableDefinition<convex_values50.VObject<{
144
+ VerificationCode: convex_server93.TableDefinition<convex_values1267.VObject<{
109
145
  emailVerified?: string | undefined;
110
146
  phoneVerified?: string | undefined;
111
147
  verifier?: string | undefined;
112
- expirationTime: number;
113
148
  provider: string;
114
- accountId: convex_values50.GenericId<"Account">;
149
+ accountId: convex_values1267.GenericId<"Account">;
150
+ expirationTime: number;
115
151
  code: string;
116
152
  }, {
117
- accountId: convex_values50.VId<convex_values50.GenericId<"Account">, "required">;
118
- provider: convex_values50.VString<string, "required">;
119
- code: convex_values50.VString<string, "required">;
120
- expirationTime: convex_values50.VFloat64<number, "required">;
121
- verifier: convex_values50.VString<string | undefined, "optional">;
122
- emailVerified: convex_values50.VString<string | undefined, "optional">;
123
- phoneVerified: convex_values50.VString<string | undefined, "optional">;
124
- }, "required", "emailVerified" | "expirationTime" | "provider" | "phoneVerified" | "accountId" | "code" | "verifier">, {
153
+ accountId: convex_values1267.VId<convex_values1267.GenericId<"Account">, "required">;
154
+ provider: convex_values1267.VString<string, "required">;
155
+ code: convex_values1267.VString<string, "required">;
156
+ expirationTime: convex_values1267.VFloat64<number, "required">;
157
+ verifier: convex_values1267.VString<string | undefined, "optional">;
158
+ emailVerified: convex_values1267.VString<string | undefined, "optional">;
159
+ phoneVerified: convex_values1267.VString<string | undefined, "optional">;
160
+ }, "required", "emailVerified" | "provider" | "accountId" | "expirationTime" | "phoneVerified" | "code" | "verifier">, {
125
161
  account_id: ["accountId", "_creationTime"];
126
162
  code: ["code", "_creationTime"];
127
163
  }, {}, {}>;
@@ -129,14 +165,14 @@ declare const _default: convex_server80.SchemaDefinition<{
129
165
  * PKCE verifiers for OAuth flows. Stores the cryptographic verifier
130
166
  * used to prove the authorization request originated from this client.
131
167
  */
132
- AuthVerifier: convex_server80.TableDefinition<convex_values50.VObject<{
168
+ AuthVerifier: convex_server93.TableDefinition<convex_values1267.VObject<{
133
169
  expirationTime?: number | undefined;
134
- sessionId?: convex_values50.GenericId<"Session"> | undefined;
170
+ sessionId?: convex_values1267.GenericId<"Session"> | undefined;
135
171
  signature?: string | undefined;
136
172
  }, {
137
- sessionId: convex_values50.VId<convex_values50.GenericId<"Session"> | undefined, "optional">;
138
- signature: convex_values50.VString<string | undefined, "optional">;
139
- expirationTime: convex_values50.VFloat64<number | undefined, "optional">;
173
+ sessionId: convex_values1267.VId<convex_values1267.GenericId<"Session"> | undefined, "optional">;
174
+ signature: convex_values1267.VString<string | undefined, "optional">;
175
+ expirationTime: convex_values1267.VFloat64<number | undefined, "optional">;
140
176
  }, "required", "expirationTime" | "sessionId" | "signature">, {
141
177
  signature: ["signature", "_creationTime"];
142
178
  }, {}, {}>;
@@ -145,31 +181,31 @@ declare const _default: convex_server80.SchemaDefinition<{
145
181
  * registered authenticator (Touch ID, Face ID, security key, etc.).
146
182
  * A user can have multiple passkeys across different devices.
147
183
  */
148
- Passkey: convex_server80.TableDefinition<convex_values50.VObject<{
184
+ Passkey: convex_server93.TableDefinition<convex_values1267.VObject<{
149
185
  name?: string | undefined;
150
- lastUsedAt?: number | undefined;
151
186
  transports?: string[] | undefined;
152
- userId: convex_values50.GenericId<"User">;
153
- createdAt: number;
187
+ lastUsedAt?: number | undefined;
188
+ userId: convex_values1267.GenericId<"User">;
154
189
  credentialId: string;
155
190
  publicKey: ArrayBuffer;
156
191
  algorithm: number;
157
192
  counter: number;
158
193
  deviceType: string;
159
194
  backedUp: boolean;
195
+ createdAt: number;
160
196
  }, {
161
- userId: convex_values50.VId<convex_values50.GenericId<"User">, "required">; /** Base64url-encoded credential ID from the authenticator. */
162
- credentialId: convex_values50.VString<string, "required">; /** Public key bytes (SEC1 uncompressed for EC, SPKI for RSA). */
163
- publicKey: convex_values50.VBytes<ArrayBuffer, "required">; /** COSE algorithm identifier (-7 for ES256, -257 for RS256, -8 for EdDSA). */
164
- algorithm: convex_values50.VFloat64<number, "required">; /** Signature counter for clone detection. Many authenticators return 0. */
165
- counter: convex_values50.VFloat64<number, "required">; /** Authenticator transport hints (e.g. "internal", "hybrid", "usb", "ble", "nfc"). */
166
- transports: convex_values50.VArray<string[] | undefined, convex_values50.VString<string, "required">, "optional">; /** Whether this is a single-device or multi-device (synced) credential. */
167
- deviceType: convex_values50.VString<string, "required">; /** Whether the credential is backed up (synced passkey). */
168
- backedUp: convex_values50.VBoolean<boolean, "required">; /** User-assigned friendly name (e.g. "MacBook Touch ID"). */
169
- name: convex_values50.VString<string | undefined, "optional">;
170
- createdAt: convex_values50.VFloat64<number, "required">;
171
- lastUsedAt: convex_values50.VFloat64<number | undefined, "optional">;
172
- }, "required", "name" | "lastUsedAt" | "userId" | "createdAt" | "credentialId" | "publicKey" | "algorithm" | "counter" | "transports" | "deviceType" | "backedUp">, {
197
+ userId: convex_values1267.VId<convex_values1267.GenericId<"User">, "required">; /** Base64url-encoded credential ID from the authenticator. */
198
+ credentialId: convex_values1267.VString<string, "required">; /** Public key bytes (SEC1 uncompressed for EC, SPKI for RSA). */
199
+ publicKey: convex_values1267.VBytes<ArrayBuffer, "required">; /** COSE algorithm identifier (-7 for ES256, -257 for RS256, -8 for EdDSA). */
200
+ algorithm: convex_values1267.VFloat64<number, "required">; /** Signature counter for clone detection. Many authenticators return 0. */
201
+ counter: convex_values1267.VFloat64<number, "required">; /** Authenticator transport hints (e.g. "internal", "hybrid", "usb", "ble", "nfc"). */
202
+ transports: convex_values1267.VArray<string[] | undefined, convex_values1267.VString<string, "required">, "optional">; /** Whether this is a single-device or multi-device (synced) credential. */
203
+ deviceType: convex_values1267.VString<string, "required">; /** Whether the credential is backed up (synced passkey). */
204
+ backedUp: convex_values1267.VBoolean<boolean, "required">; /** User-assigned friendly name (e.g. "MacBook Touch ID"). */
205
+ name: convex_values1267.VString<string | undefined, "optional">;
206
+ createdAt: convex_values1267.VFloat64<number, "required">;
207
+ lastUsedAt: convex_values1267.VFloat64<number | undefined, "optional">;
208
+ }, "required", "name" | "userId" | "credentialId" | "publicKey" | "algorithm" | "counter" | "transports" | "deviceType" | "backedUp" | "createdAt" | "lastUsedAt">, {
173
209
  user_id: ["userId", "_creationTime"];
174
210
  credential_id: ["credentialId", "_creationTime"];
175
211
  }, {}, {}>;
@@ -182,25 +218,25 @@ declare const _default: convex_server80.SchemaDefinition<{
182
218
  * by successfully entering a code from their authenticator app.
183
219
  * Unverified enrollments are in-progress setup that can be discarded.
184
220
  */
185
- TotpFactor: convex_server80.TableDefinition<convex_values50.VObject<{
221
+ TotpFactor: convex_server93.TableDefinition<convex_values1267.VObject<{
186
222
  name?: string | undefined;
187
223
  lastUsedAt?: number | undefined;
188
- userId: convex_values50.GenericId<"User">;
189
- createdAt: number;
224
+ userId: convex_values1267.GenericId<"User">;
225
+ verified: boolean;
190
226
  secret: ArrayBuffer;
227
+ createdAt: number;
191
228
  digits: number;
192
229
  period: number;
193
- verified: boolean;
194
230
  }, {
195
- userId: convex_values50.VId<convex_values50.GenericId<"User">, "required">; /** Raw TOTP secret key bytes. */
196
- secret: convex_values50.VBytes<ArrayBuffer, "required">; /** Number of digits in each code (typically 6). */
197
- digits: convex_values50.VFloat64<number, "required">; /** Time period in seconds for code rotation (typically 30). */
198
- period: convex_values50.VFloat64<number, "required">; /** Whether setup has been confirmed with a valid code. */
199
- verified: convex_values50.VBoolean<boolean, "required">; /** User-assigned friendly name (e.g. "Google Authenticator"). */
200
- name: convex_values50.VString<string | undefined, "optional">;
201
- createdAt: convex_values50.VFloat64<number, "required">;
202
- lastUsedAt: convex_values50.VFloat64<number | undefined, "optional">;
203
- }, "required", "name" | "lastUsedAt" | "userId" | "createdAt" | "secret" | "digits" | "period" | "verified">, {
231
+ userId: convex_values1267.VId<convex_values1267.GenericId<"User">, "required">; /** Raw TOTP secret key bytes. */
232
+ secret: convex_values1267.VBytes<ArrayBuffer, "required">; /** Number of digits in each code (typically 6). */
233
+ digits: convex_values1267.VFloat64<number, "required">; /** Time period in seconds for code rotation (typically 30). */
234
+ period: convex_values1267.VFloat64<number, "required">; /** Whether setup has been confirmed with a valid code. */
235
+ verified: convex_values1267.VBoolean<boolean, "required">; /** User-assigned friendly name (e.g. "Google Authenticator"). */
236
+ name: convex_values1267.VString<string | undefined, "optional">;
237
+ createdAt: convex_values1267.VFloat64<number, "required">;
238
+ lastUsedAt: convex_values1267.VFloat64<number | undefined, "optional">;
239
+ }, "required", "name" | "userId" | "verified" | "secret" | "createdAt" | "lastUsedAt" | "digits" | "period">, {
204
240
  user_id: ["userId", "_creationTime"];
205
241
  user_id_verified: ["userId", "verified", "_creationTime"];
206
242
  }, {}, {}>;
@@ -209,9 +245,9 @@ declare const _default: convex_server80.SchemaDefinition<{
209
245
  * device auth session — the device polls with `deviceCode` while the
210
246
  * user authorizes via `userCode` on a secondary device.
211
247
  */
212
- DeviceCode: convex_server80.TableDefinition<convex_values50.VObject<{
213
- userId?: convex_values50.GenericId<"User"> | undefined;
214
- sessionId?: convex_values50.GenericId<"Session"> | undefined;
248
+ DeviceCode: convex_server93.TableDefinition<convex_values1267.VObject<{
249
+ userId?: convex_values1267.GenericId<"User"> | undefined;
250
+ sessionId?: convex_values1267.GenericId<"Session"> | undefined;
215
251
  lastPolledAt?: number | undefined;
216
252
  status: "pending" | "authorized" | "denied";
217
253
  expiresAt: number;
@@ -219,29 +255,29 @@ declare const _default: convex_server80.SchemaDefinition<{
219
255
  userCode: string;
220
256
  interval: number;
221
257
  }, {
222
- /** High-entropy code used by the device for polling. Stored as SHA-256 hash. */deviceCodeHash: convex_values50.VString<string, "required">; /** Short human-readable code the user enters (e.g. "WDJB-MJHT"). */
223
- userCode: convex_values50.VString<string, "required">; /** Expiration timestamp (ms since epoch). */
224
- expiresAt: convex_values50.VFloat64<number, "required">; /** Minimum polling interval in seconds. */
225
- interval: convex_values50.VFloat64<number, "required">; /** Current status of this device authorization session. */
226
- status: convex_values50.VUnion<"pending" | "authorized" | "denied", [convex_values50.VLiteral<"pending", "required">, convex_values50.VLiteral<"authorized", "required">, convex_values50.VLiteral<"denied", "required">], "required", never>; /** Set when the user authorizes — links to the authorizing user. */
227
- userId: convex_values50.VId<convex_values50.GenericId<"User"> | undefined, "optional">; /** Set when the user authorizes — the session created for the device. */
228
- sessionId: convex_values50.VId<convex_values50.GenericId<"Session"> | undefined, "optional">; /** Timestamp of the last poll request (for slow_down enforcement). */
229
- lastPolledAt: convex_values50.VFloat64<number | undefined, "optional">;
230
- }, "required", "status" | "expiresAt" | "userId" | "sessionId" | "deviceCodeHash" | "userCode" | "interval" | "lastPolledAt">, {
258
+ /** High-entropy code used by the device for polling. Stored as SHA-256 hash. */deviceCodeHash: convex_values1267.VString<string, "required">; /** Short human-readable code the user enters (e.g. "WDJB-MJHT"). */
259
+ userCode: convex_values1267.VString<string, "required">; /** Expiration timestamp (ms since epoch). */
260
+ expiresAt: convex_values1267.VFloat64<number, "required">; /** Minimum polling interval in seconds. */
261
+ interval: convex_values1267.VFloat64<number, "required">; /** Current status of this device authorization session. */
262
+ status: convex_values1267.VUnion<"pending" | "authorized" | "denied", [convex_values1267.VLiteral<"pending", "required">, convex_values1267.VLiteral<"authorized", "required">, convex_values1267.VLiteral<"denied", "required">], "required", never>; /** Set when the user authorizes — links to the authorizing user. */
263
+ userId: convex_values1267.VId<convex_values1267.GenericId<"User"> | undefined, "optional">; /** Set when the user authorizes — the session created for the device. */
264
+ sessionId: convex_values1267.VId<convex_values1267.GenericId<"Session"> | undefined, "optional">; /** Timestamp of the last poll request (for slow_down enforcement). */
265
+ lastPolledAt: convex_values1267.VFloat64<number | undefined, "optional">;
266
+ }, "required", "userId" | "status" | "sessionId" | "expiresAt" | "deviceCodeHash" | "userCode" | "interval" | "lastPolledAt">, {
231
267
  device_code_hash: ["deviceCodeHash", "_creationTime"];
232
268
  user_code_status: ["userCode", "status", "_creationTime"];
233
269
  }, {}, {}>;
234
270
  /**
235
271
  * Rate limit tracking for OTP and password sign-in attempts.
236
272
  */
237
- RateLimit: convex_server80.TableDefinition<convex_values50.VObject<{
273
+ RateLimit: convex_server93.TableDefinition<convex_values1267.VObject<{
238
274
  identifier: string;
239
275
  last_attempt_time: number;
240
276
  attempts_left: number;
241
277
  }, {
242
- identifier: convex_values50.VString<string, "required">;
243
- last_attempt_time: convex_values50.VFloat64<number, "required">;
244
- attempts_left: convex_values50.VFloat64<number, "required">;
278
+ identifier: convex_values1267.VString<string, "required">;
279
+ last_attempt_time: convex_values1267.VFloat64<number, "required">;
280
+ attempts_left: convex_values1267.VFloat64<number, "required">;
245
281
  }, "required", "identifier" | "last_attempt_time" | "attempts_left">, {
246
282
  by_identifier: ["identifier", "_creationTime"];
247
283
  }, {}, {}>;
@@ -250,26 +286,26 @@ declare const _default: convex_server80.SchemaDefinition<{
250
286
  * Groups can nest arbitrarily deep via `parentGroupId` for modeling
251
287
  * organizations, teams, departments, or any tree structure.
252
288
  */
253
- Group: convex_server80.TableDefinition<convex_values50.VObject<{
254
- slug?: string | undefined;
289
+ Group: convex_server93.TableDefinition<convex_values1267.VObject<{
255
290
  type?: string | undefined;
256
291
  extend?: any;
257
- parentGroupId?: convex_values50.GenericId<"Group"> | undefined;
258
- rootGroupId?: convex_values50.GenericId<"Group"> | undefined;
292
+ slug?: string | undefined;
293
+ parentGroupId?: convex_values1267.GenericId<"Group"> | undefined;
294
+ rootGroupId?: convex_values1267.GenericId<"Group"> | undefined;
259
295
  isRoot?: boolean | undefined;
260
296
  tags?: {
261
- key: string;
262
297
  value: string;
298
+ key: string;
263
299
  }[] | undefined;
264
300
  policy?: {
265
301
  extend?: any;
266
- version: 1;
267
302
  identity: {
268
303
  accountLinking: {
269
- oidc: "verifiedEmail" | "none";
270
- saml: "verifiedEmail" | "none";
304
+ saml: "verifiedEmail" | "none" | "sameConnection";
305
+ oidc: "verifiedEmail" | "none" | "sameConnection";
271
306
  };
272
307
  };
308
+ version: 1;
273
309
  provisioning: {
274
310
  user: {
275
311
  createOnSignIn: boolean;
@@ -302,31 +338,31 @@ declare const _default: convex_server80.SchemaDefinition<{
302
338
  } | undefined;
303
339
  name: string;
304
340
  }, {
305
- name: convex_values50.VString<string, "required">;
306
- slug: convex_values50.VString<string | undefined, "optional">;
307
- type: convex_values50.VString<string | undefined, "optional">;
308
- parentGroupId: convex_values50.VId<convex_values50.GenericId<"Group"> | undefined, "optional">; /** Denormalized root group ID. Self-referencing for root groups. */
309
- rootGroupId: convex_values50.VId<convex_values50.GenericId<"Group"> | undefined, "optional">; /** Denormalized flag: `true` when `parentGroupId` is absent. */
310
- isRoot: convex_values50.VBoolean<boolean | undefined, "optional">; /** Faceted classification tags. Normalized at write time (trimmed, lowercased). */
311
- tags: convex_values50.VArray<{
312
- key: string;
341
+ name: convex_values1267.VString<string, "required">;
342
+ slug: convex_values1267.VString<string | undefined, "optional">;
343
+ type: convex_values1267.VString<string | undefined, "optional">;
344
+ parentGroupId: convex_values1267.VId<convex_values1267.GenericId<"Group"> | undefined, "optional">; /** Denormalized root group ID. Self-referencing for root groups. */
345
+ rootGroupId: convex_values1267.VId<convex_values1267.GenericId<"Group"> | undefined, "optional">; /** Denormalized flag: `true` when `parentGroupId` is absent. */
346
+ isRoot: convex_values1267.VBoolean<boolean | undefined, "optional">; /** Faceted classification tags. Normalized at write time (trimmed, lowercased). */
347
+ tags: convex_values1267.VArray<{
313
348
  value: string;
314
- }[] | undefined, convex_values50.VObject<{
315
349
  key: string;
350
+ }[] | undefined, convex_values1267.VObject<{
316
351
  value: string;
352
+ key: string;
317
353
  }, {
318
- key: convex_values50.VString<string, "required">;
319
- value: convex_values50.VString<string, "required">;
320
- }, "required", "key" | "value">, "optional">;
321
- policy: convex_values50.VObject<{
354
+ key: convex_values1267.VString<string, "required">;
355
+ value: convex_values1267.VString<string, "required">;
356
+ }, "required", "value" | "key">, "optional">;
357
+ policy: convex_values1267.VObject<{
322
358
  extend?: any;
323
- version: 1;
324
359
  identity: {
325
360
  accountLinking: {
326
- oidc: "verifiedEmail" | "none";
327
- saml: "verifiedEmail" | "none";
361
+ saml: "verifiedEmail" | "none" | "sameConnection";
362
+ oidc: "verifiedEmail" | "none" | "sameConnection";
328
363
  };
329
364
  };
365
+ version: 1;
330
366
  provisioning: {
331
367
  user: {
332
368
  createOnSignIn: boolean;
@@ -357,22 +393,22 @@ declare const _default: convex_server80.SchemaDefinition<{
357
393
  };
358
394
  };
359
395
  } | undefined, {
360
- version: convex_values50.VLiteral<1, "required">;
361
- identity: convex_values50.VObject<{
396
+ version: convex_values1267.VLiteral<1, "required">;
397
+ identity: convex_values1267.VObject<{
362
398
  accountLinking: {
363
- oidc: "verifiedEmail" | "none";
364
- saml: "verifiedEmail" | "none";
399
+ saml: "verifiedEmail" | "none" | "sameConnection";
400
+ oidc: "verifiedEmail" | "none" | "sameConnection";
365
401
  };
366
402
  }, {
367
- accountLinking: convex_values50.VObject<{
368
- oidc: "verifiedEmail" | "none";
369
- saml: "verifiedEmail" | "none";
403
+ accountLinking: convex_values1267.VObject<{
404
+ saml: "verifiedEmail" | "none" | "sameConnection";
405
+ oidc: "verifiedEmail" | "none" | "sameConnection";
370
406
  }, {
371
- oidc: convex_values50.VUnion<"verifiedEmail" | "none", [convex_values50.VLiteral<"verifiedEmail", "required">, convex_values50.VLiteral<"none", "required">], "required", never>;
372
- saml: convex_values50.VUnion<"verifiedEmail" | "none", [convex_values50.VLiteral<"verifiedEmail", "required">, convex_values50.VLiteral<"none", "required">], "required", never>;
373
- }, "required", "oidc" | "saml">;
374
- }, "required", "accountLinking" | "accountLinking.oidc" | "accountLinking.saml">;
375
- provisioning: convex_values50.VObject<{
407
+ oidc: convex_values1267.VUnion<"verifiedEmail" | "none" | "sameConnection", [convex_values1267.VLiteral<"verifiedEmail", "required">, convex_values1267.VLiteral<"none", "required">, convex_values1267.VLiteral<"sameConnection", "required">], "required", never>;
408
+ saml: convex_values1267.VUnion<"verifiedEmail" | "none" | "sameConnection", [convex_values1267.VLiteral<"verifiedEmail", "required">, convex_values1267.VLiteral<"none", "required">, convex_values1267.VLiteral<"sameConnection", "required">], "required", never>;
409
+ }, "required", "saml" | "oidc">;
410
+ }, "required", "accountLinking" | "accountLinking.saml" | "accountLinking.oidc">;
411
+ provisioning: convex_values1267.VObject<{
376
412
  user: {
377
413
  createOnSignIn: boolean;
378
414
  updateProfileOnLogin: "never" | "missing" | "always";
@@ -401,59 +437,59 @@ declare const _default: convex_server80.SchemaDefinition<{
401
437
  source: "protocol";
402
438
  };
403
439
  }, {
404
- user: convex_values50.VObject<{
440
+ user: convex_values1267.VObject<{
405
441
  createOnSignIn: boolean;
406
442
  updateProfileOnLogin: "never" | "missing" | "always";
407
443
  updateProfileFromScim: "never" | "missing" | "always";
408
444
  authority: "app" | "sso" | "scim";
409
445
  }, {
410
- createOnSignIn: convex_values50.VBoolean<boolean, "required">;
411
- updateProfileOnLogin: convex_values50.VUnion<"never" | "missing" | "always", [convex_values50.VLiteral<"never", "required">, convex_values50.VLiteral<"missing", "required">, convex_values50.VLiteral<"always", "required">], "required", never>;
412
- updateProfileFromScim: convex_values50.VUnion<"never" | "missing" | "always", [convex_values50.VLiteral<"never", "required">, convex_values50.VLiteral<"missing", "required">, convex_values50.VLiteral<"always", "required">], "required", never>;
413
- authority: convex_values50.VUnion<"app" | "sso" | "scim", [convex_values50.VLiteral<"app", "required">, convex_values50.VLiteral<"sso", "required">, convex_values50.VLiteral<"scim", "required">], "required", never>;
446
+ createOnSignIn: convex_values1267.VBoolean<boolean, "required">;
447
+ updateProfileOnLogin: convex_values1267.VUnion<"never" | "missing" | "always", [convex_values1267.VLiteral<"never", "required">, convex_values1267.VLiteral<"missing", "required">, convex_values1267.VLiteral<"always", "required">], "required", never>;
448
+ updateProfileFromScim: convex_values1267.VUnion<"never" | "missing" | "always", [convex_values1267.VLiteral<"never", "required">, convex_values1267.VLiteral<"missing", "required">, convex_values1267.VLiteral<"always", "required">], "required", never>;
449
+ authority: convex_values1267.VUnion<"app" | "sso" | "scim", [convex_values1267.VLiteral<"app", "required">, convex_values1267.VLiteral<"sso", "required">, convex_values1267.VLiteral<"scim", "required">], "required", never>;
414
450
  }, "required", "createOnSignIn" | "updateProfileOnLogin" | "updateProfileFromScim" | "authority">;
415
- scimReuse: convex_values50.VObject<{
451
+ scimReuse: convex_values1267.VObject<{
416
452
  user: "none" | "externalId";
417
453
  }, {
418
- user: convex_values50.VUnion<"none" | "externalId", [convex_values50.VLiteral<"externalId", "required">, convex_values50.VLiteral<"none", "required">], "required", never>;
454
+ user: convex_values1267.VUnion<"none" | "externalId", [convex_values1267.VLiteral<"externalId", "required">, convex_values1267.VLiteral<"none", "required">], "required", never>;
419
455
  }, "required", "user">;
420
- jit: convex_values50.VObject<{
456
+ jit: convex_values1267.VObject<{
421
457
  defaultRole?: string | undefined;
422
458
  defaultRoleIds?: string[] | undefined;
423
459
  mode: "off" | "createUser" | "createUserAndMembership";
424
460
  }, {
425
- mode: convex_values50.VUnion<"off" | "createUser" | "createUserAndMembership", [convex_values50.VLiteral<"off", "required">, convex_values50.VLiteral<"createUser", "required">, convex_values50.VLiteral<"createUserAndMembership", "required">], "required", never>;
426
- defaultRole: convex_values50.VString<string | undefined, "optional">;
427
- defaultRoleIds: convex_values50.VArray<string[] | undefined, convex_values50.VString<string, "required">, "optional">;
461
+ mode: convex_values1267.VUnion<"off" | "createUser" | "createUserAndMembership", [convex_values1267.VLiteral<"off", "required">, convex_values1267.VLiteral<"createUser", "required">, convex_values1267.VLiteral<"createUserAndMembership", "required">], "required", never>;
462
+ defaultRole: convex_values1267.VString<string | undefined, "optional">;
463
+ defaultRoleIds: convex_values1267.VArray<string[] | undefined, convex_values1267.VString<string, "required">, "optional">;
428
464
  }, "required", "mode" | "defaultRole" | "defaultRoleIds">;
429
- deprovision: convex_values50.VObject<{
465
+ deprovision: convex_values1267.VObject<{
430
466
  mode: "soft" | "hard";
431
467
  }, {
432
- mode: convex_values50.VUnion<"soft" | "hard", [convex_values50.VLiteral<"soft", "required">, convex_values50.VLiteral<"hard", "required">], "required", never>;
468
+ mode: convex_values1267.VUnion<"soft" | "hard", [convex_values1267.VLiteral<"soft", "required">, convex_values1267.VLiteral<"hard", "required">], "required", never>;
433
469
  }, "required", "mode">;
434
- groups: convex_values50.VObject<{
470
+ groups: convex_values1267.VObject<{
435
471
  mapping?: Record<string, string[]> | undefined;
436
472
  mode: "ignore" | "sync";
437
473
  source: "protocol";
438
474
  }, {
439
- mode: convex_values50.VUnion<"ignore" | "sync", [convex_values50.VLiteral<"ignore", "required">, convex_values50.VLiteral<"sync", "required">], "required", never>;
440
- source: convex_values50.VLiteral<"protocol", "required">;
441
- mapping: convex_values50.VRecord<Record<string, string[]> | undefined, convex_values50.VString<string, "required">, convex_values50.VArray<string[], convex_values50.VString<string, "required">, "required">, "optional", string>;
475
+ mode: convex_values1267.VUnion<"ignore" | "sync", [convex_values1267.VLiteral<"ignore", "required">, convex_values1267.VLiteral<"sync", "required">], "required", never>;
476
+ source: convex_values1267.VLiteral<"protocol", "required">;
477
+ mapping: convex_values1267.VRecord<Record<string, string[]> | undefined, convex_values1267.VString<string, "required">, convex_values1267.VArray<string[], convex_values1267.VString<string, "required">, "required">, "optional", string>;
442
478
  }, "required", "mode" | "source" | "mapping" | `mapping.${string}`>;
443
- roles: convex_values50.VObject<{
479
+ roles: convex_values1267.VObject<{
444
480
  mapping?: Record<string, string[]> | undefined;
445
481
  mode: "map" | "ignore";
446
482
  source: "protocol";
447
483
  }, {
448
- mode: convex_values50.VUnion<"map" | "ignore", [convex_values50.VLiteral<"ignore", "required">, convex_values50.VLiteral<"map", "required">], "required", never>;
449
- source: convex_values50.VLiteral<"protocol", "required">;
450
- mapping: convex_values50.VRecord<Record<string, string[]> | undefined, convex_values50.VString<string, "required">, convex_values50.VArray<string[], convex_values50.VString<string, "required">, "required">, "optional", string>;
484
+ mode: convex_values1267.VUnion<"map" | "ignore", [convex_values1267.VLiteral<"ignore", "required">, convex_values1267.VLiteral<"map", "required">], "required", never>;
485
+ source: convex_values1267.VLiteral<"protocol", "required">;
486
+ mapping: convex_values1267.VRecord<Record<string, string[]> | undefined, convex_values1267.VString<string, "required">, convex_values1267.VArray<string[], convex_values1267.VString<string, "required">, "required">, "optional", string>;
451
487
  }, "required", "mode" | "source" | "mapping" | `mapping.${string}`>;
452
488
  }, "required", "user" | "scimReuse" | "jit" | "deprovision" | "groups" | "roles" | "user.createOnSignIn" | "user.updateProfileOnLogin" | "user.updateProfileFromScim" | "user.authority" | "scimReuse.user" | "jit.mode" | "jit.defaultRole" | "jit.defaultRoleIds" | "deprovision.mode" | "groups.mode" | "groups.source" | "groups.mapping" | `groups.mapping.${string}` | "roles.mode" | "roles.source" | "roles.mapping" | `roles.mapping.${string}`>;
453
- extend: convex_values50.VAny<any, "optional", string>;
454
- }, "optional", "extend" | `extend.${string}` | "version" | "identity" | "provisioning" | "identity.accountLinking" | "identity.accountLinking.oidc" | "identity.accountLinking.saml" | "provisioning.user" | "provisioning.scimReuse" | "provisioning.jit" | "provisioning.deprovision" | "provisioning.groups" | "provisioning.roles" | "provisioning.user.createOnSignIn" | "provisioning.user.updateProfileOnLogin" | "provisioning.user.updateProfileFromScim" | "provisioning.user.authority" | "provisioning.scimReuse.user" | "provisioning.jit.mode" | "provisioning.jit.defaultRole" | "provisioning.jit.defaultRoleIds" | "provisioning.deprovision.mode" | "provisioning.groups.mode" | "provisioning.groups.source" | "provisioning.groups.mapping" | `provisioning.groups.mapping.${string}` | "provisioning.roles.mode" | "provisioning.roles.source" | "provisioning.roles.mapping" | `provisioning.roles.mapping.${string}`>;
455
- extend: convex_values50.VAny<any, "optional", string>;
456
- }, "required", "name" | "slug" | "type" | "extend" | `extend.${string}` | "parentGroupId" | "rootGroupId" | "isRoot" | "tags" | "policy" | "policy.extend" | `policy.extend.${string}` | "policy.version" | "policy.identity" | "policy.provisioning" | "policy.identity.accountLinking" | "policy.identity.accountLinking.oidc" | "policy.identity.accountLinking.saml" | "policy.provisioning.user" | "policy.provisioning.scimReuse" | "policy.provisioning.jit" | "policy.provisioning.deprovision" | "policy.provisioning.groups" | "policy.provisioning.roles" | "policy.provisioning.user.createOnSignIn" | "policy.provisioning.user.updateProfileOnLogin" | "policy.provisioning.user.updateProfileFromScim" | "policy.provisioning.user.authority" | "policy.provisioning.scimReuse.user" | "policy.provisioning.jit.mode" | "policy.provisioning.jit.defaultRole" | "policy.provisioning.jit.defaultRoleIds" | "policy.provisioning.deprovision.mode" | "policy.provisioning.groups.mode" | "policy.provisioning.groups.source" | "policy.provisioning.groups.mapping" | `policy.provisioning.groups.mapping.${string}` | "policy.provisioning.roles.mode" | "policy.provisioning.roles.source" | "policy.provisioning.roles.mapping" | `policy.provisioning.roles.mapping.${string}`>, {
489
+ extend: convex_values1267.VAny<any, "optional", string>;
490
+ }, "optional", "identity" | "extend" | `extend.${string}` | "version" | "provisioning" | "identity.accountLinking" | "identity.accountLinking.saml" | "identity.accountLinking.oidc" | "provisioning.user" | "provisioning.scimReuse" | "provisioning.jit" | "provisioning.deprovision" | "provisioning.groups" | "provisioning.roles" | "provisioning.user.createOnSignIn" | "provisioning.user.updateProfileOnLogin" | "provisioning.user.updateProfileFromScim" | "provisioning.user.authority" | "provisioning.scimReuse.user" | "provisioning.jit.mode" | "provisioning.jit.defaultRole" | "provisioning.jit.defaultRoleIds" | "provisioning.deprovision.mode" | "provisioning.groups.mode" | "provisioning.groups.source" | "provisioning.groups.mapping" | `provisioning.groups.mapping.${string}` | "provisioning.roles.mode" | "provisioning.roles.source" | "provisioning.roles.mapping" | `provisioning.roles.mapping.${string}`>;
491
+ extend: convex_values1267.VAny<any, "optional", string>;
492
+ }, "required", "name" | "type" | "extend" | `extend.${string}` | "slug" | "parentGroupId" | "rootGroupId" | "isRoot" | "tags" | "policy" | "policy.identity" | "policy.extend" | `policy.extend.${string}` | "policy.version" | "policy.provisioning" | "policy.identity.accountLinking" | "policy.identity.accountLinking.saml" | "policy.identity.accountLinking.oidc" | "policy.provisioning.user" | "policy.provisioning.scimReuse" | "policy.provisioning.jit" | "policy.provisioning.deprovision" | "policy.provisioning.groups" | "policy.provisioning.roles" | "policy.provisioning.user.createOnSignIn" | "policy.provisioning.user.updateProfileOnLogin" | "policy.provisioning.user.updateProfileFromScim" | "policy.provisioning.user.authority" | "policy.provisioning.scimReuse.user" | "policy.provisioning.jit.mode" | "policy.provisioning.jit.defaultRole" | "policy.provisioning.jit.defaultRoleIds" | "policy.provisioning.deprovision.mode" | "policy.provisioning.groups.mode" | "policy.provisioning.groups.source" | "policy.provisioning.groups.mapping" | `policy.provisioning.groups.mapping.${string}` | "policy.provisioning.roles.mode" | "policy.provisioning.roles.source" | "policy.provisioning.roles.mapping" | `policy.provisioning.roles.mapping.${string}`>, {
457
493
  slug: ["slug", "_creationTime"];
458
494
  parent_group_id: ["parentGroupId", "_creationTime"];
459
495
  root_group_id: ["rootGroupId", "_creationTime"];
@@ -466,15 +502,15 @@ declare const _default: convex_server80.SchemaDefinition<{
466
502
  * Each row maps one `(key, value)` pair to a group. Kept in sync by
467
503
  * `groupCreate`, `groupUpdate`, and `groupDelete`.
468
504
  */
469
- GroupTag: convex_server80.TableDefinition<convex_values50.VObject<{
470
- key: string;
505
+ GroupTag: convex_server93.TableDefinition<convex_values1267.VObject<{
471
506
  value: string;
472
- group_id: convex_values50.GenericId<"Group">;
507
+ key: string;
508
+ group_id: convex_values1267.GenericId<"Group">;
473
509
  }, {
474
- group_id: convex_values50.VId<convex_values50.GenericId<"Group">, "required">;
475
- key: convex_values50.VString<string, "required">;
476
- value: convex_values50.VString<string, "required">;
477
- }, "required", "key" | "value" | "group_id">, {
510
+ group_id: convex_values1267.VId<convex_values1267.GenericId<"Group">, "required">;
511
+ key: convex_values1267.VString<string, "required">;
512
+ value: convex_values1267.VString<string, "required">;
513
+ }, "required", "value" | "key" | "group_id">, {
478
514
  by_group: ["group_id", "_creationTime"];
479
515
  by_key_value: ["key", "value", "_creationTime"];
480
516
  by_key: ["key", "_creationTime"];
@@ -484,21 +520,21 @@ declare const _default: convex_server80.SchemaDefinition<{
484
520
  * role (e.g. "owner", "admin", "member", "viewer"). A user can be a
485
521
  * member of multiple groups with different roles in each.
486
522
  */
487
- GroupMember: convex_server80.TableDefinition<convex_values50.VObject<{
488
- status?: string | undefined;
523
+ GroupMember: convex_server93.TableDefinition<convex_values1267.VObject<{
489
524
  extend?: any;
490
525
  role?: string | undefined;
491
526
  roleIds?: string[] | undefined;
492
- userId: convex_values50.GenericId<"User">;
493
- groupId: convex_values50.GenericId<"Group">;
527
+ status?: string | undefined;
528
+ groupId: convex_values1267.GenericId<"Group">;
529
+ userId: convex_values1267.GenericId<"User">;
494
530
  }, {
495
- groupId: convex_values50.VId<convex_values50.GenericId<"Group">, "required">;
496
- userId: convex_values50.VId<convex_values50.GenericId<"User">, "required">;
497
- role: convex_values50.VString<string | undefined, "optional">;
498
- roleIds: convex_values50.VArray<string[] | undefined, convex_values50.VString<string, "required">, "optional">;
499
- status: convex_values50.VString<string | undefined, "optional">;
500
- extend: convex_values50.VAny<any, "optional", string>;
501
- }, "required", "status" | "userId" | "extend" | `extend.${string}` | "groupId" | "role" | "roleIds">, {
531
+ groupId: convex_values1267.VId<convex_values1267.GenericId<"Group">, "required">;
532
+ userId: convex_values1267.VId<convex_values1267.GenericId<"User">, "required">;
533
+ role: convex_values1267.VString<string | undefined, "optional">;
534
+ roleIds: convex_values1267.VArray<string[] | undefined, convex_values1267.VString<string, "required">, "optional">;
535
+ status: convex_values1267.VString<string | undefined, "optional">;
536
+ extend: convex_values1267.VAny<any, "optional", string>;
537
+ }, "required", "extend" | `extend.${string}` | "groupId" | "userId" | "role" | "roleIds" | "status">, {
502
538
  group_id: ["groupId", "_creationTime"];
503
539
  group_id_user_id: ["groupId", "userId", "_creationTime"];
504
540
  group_id_status: ["groupId", "status", "_creationTime"];
@@ -512,31 +548,31 @@ declare const _default: convex_server80.SchemaDefinition<{
512
548
  * `email` and `invitedByUserId` are optional to support CLI-generated
513
549
  * invite links where neither is known upfront.
514
550
  */
515
- GroupInvite: convex_server80.TableDefinition<convex_values50.VObject<{
551
+ GroupInvite: convex_server93.TableDefinition<convex_values1267.VObject<{
516
552
  email?: string | undefined;
517
- expiresTime?: number | undefined;
518
- acceptedTime?: number | undefined;
519
553
  extend?: any;
520
- groupId?: convex_values50.GenericId<"Group"> | undefined;
554
+ groupId?: convex_values1267.GenericId<"Group"> | undefined;
521
555
  role?: string | undefined;
522
556
  roleIds?: string[] | undefined;
523
- invitedByUserId?: convex_values50.GenericId<"User"> | undefined;
524
- acceptedByUserId?: convex_values50.GenericId<"User"> | undefined;
557
+ invitedByUserId?: convex_values1267.GenericId<"User"> | undefined;
558
+ expiresTime?: number | undefined;
559
+ acceptedByUserId?: convex_values1267.GenericId<"User"> | undefined;
560
+ acceptedTime?: number | undefined;
525
561
  status: "pending" | "accepted" | "revoked" | "expired";
526
562
  tokenHash: string;
527
563
  }, {
528
- groupId: convex_values50.VId<convex_values50.GenericId<"Group"> | undefined, "optional">;
529
- invitedByUserId: convex_values50.VId<convex_values50.GenericId<"User"> | undefined, "optional">;
530
- email: convex_values50.VString<string | undefined, "optional">;
531
- tokenHash: convex_values50.VString<string, "required">;
532
- role: convex_values50.VString<string | undefined, "optional">;
533
- roleIds: convex_values50.VArray<string[] | undefined, convex_values50.VString<string, "required">, "optional">;
534
- status: convex_values50.VUnion<"pending" | "accepted" | "revoked" | "expired", [convex_values50.VLiteral<"pending", "required">, convex_values50.VLiteral<"accepted", "required">, convex_values50.VLiteral<"revoked", "required">, convex_values50.VLiteral<"expired", "required">], "required", never>;
535
- expiresTime: convex_values50.VFloat64<number | undefined, "optional">;
536
- acceptedByUserId: convex_values50.VId<convex_values50.GenericId<"User"> | undefined, "optional">;
537
- acceptedTime: convex_values50.VFloat64<number | undefined, "optional">;
538
- extend: convex_values50.VAny<any, "optional", string>;
539
- }, "required", "email" | "status" | "expiresTime" | "acceptedTime" | "extend" | `extend.${string}` | "groupId" | "role" | "roleIds" | "invitedByUserId" | "tokenHash" | "acceptedByUserId">, {
564
+ groupId: convex_values1267.VId<convex_values1267.GenericId<"Group"> | undefined, "optional">;
565
+ invitedByUserId: convex_values1267.VId<convex_values1267.GenericId<"User"> | undefined, "optional">;
566
+ email: convex_values1267.VString<string | undefined, "optional">;
567
+ tokenHash: convex_values1267.VString<string, "required">;
568
+ role: convex_values1267.VString<string | undefined, "optional">;
569
+ roleIds: convex_values1267.VArray<string[] | undefined, convex_values1267.VString<string, "required">, "optional">;
570
+ status: convex_values1267.VUnion<"pending" | "accepted" | "revoked" | "expired", [convex_values1267.VLiteral<"pending", "required">, convex_values1267.VLiteral<"accepted", "required">, convex_values1267.VLiteral<"revoked", "required">, convex_values1267.VLiteral<"expired", "required">], "required", never>;
571
+ expiresTime: convex_values1267.VFloat64<number | undefined, "optional">;
572
+ acceptedByUserId: convex_values1267.VId<convex_values1267.GenericId<"User"> | undefined, "optional">;
573
+ acceptedTime: convex_values1267.VFloat64<number | undefined, "optional">;
574
+ extend: convex_values1267.VAny<any, "optional", string>;
575
+ }, "required", "email" | "extend" | `extend.${string}` | "groupId" | "role" | "roleIds" | "status" | "invitedByUserId" | "tokenHash" | "expiresTime" | "acceptedByUserId" | "acceptedTime">, {
540
576
  token_hash: ["tokenHash", "_creationTime"];
541
577
  status: ["status", "_creationTime"];
542
578
  email_status: ["email", "status", "_creationTime"];
@@ -551,23 +587,23 @@ declare const _default: convex_server80.SchemaDefinition<{
551
587
  * SDK can evolve without forcing schema churn for every protocol-specific
552
588
  * field addition.
553
589
  */
554
- GroupConnection: convex_server80.TableDefinition<convex_values50.VObject<{
590
+ GroupConnection: convex_server93.TableDefinition<convex_values1267.VObject<{
555
591
  name?: string | undefined;
556
- slug?: string | undefined;
557
592
  extend?: any;
593
+ slug?: string | undefined;
558
594
  config?: any;
595
+ protocol: "saml" | "oidc";
596
+ groupId: convex_values1267.GenericId<"Group">;
559
597
  status: "draft" | "active" | "disabled";
560
- protocol: "oidc" | "saml";
561
- groupId: convex_values50.GenericId<"Group">;
562
598
  }, {
563
- groupId: convex_values50.VId<convex_values50.GenericId<"Group">, "required">;
564
- slug: convex_values50.VString<string | undefined, "optional">;
565
- name: convex_values50.VString<string | undefined, "optional">;
566
- protocol: convex_values50.VUnion<"oidc" | "saml", [convex_values50.VLiteral<"oidc", "required">, convex_values50.VLiteral<"saml", "required">], "required", never>;
567
- status: convex_values50.VUnion<"draft" | "active" | "disabled", [convex_values50.VLiteral<"draft", "required">, convex_values50.VLiteral<"active", "required">, convex_values50.VLiteral<"disabled", "required">], "required", never>;
568
- config: convex_values50.VAny<any, "optional", string>;
569
- extend: convex_values50.VAny<any, "optional", string>;
570
- }, "required", "name" | "slug" | "status" | "extend" | `extend.${string}` | "protocol" | "groupId" | "config" | `config.${string}`>, {
599
+ groupId: convex_values1267.VId<convex_values1267.GenericId<"Group">, "required">;
600
+ slug: convex_values1267.VString<string | undefined, "optional">;
601
+ name: convex_values1267.VString<string | undefined, "optional">;
602
+ protocol: convex_values1267.VUnion<"saml" | "oidc", [convex_values1267.VLiteral<"oidc", "required">, convex_values1267.VLiteral<"saml", "required">], "required", never>;
603
+ status: convex_values1267.VUnion<"draft" | "active" | "disabled", [convex_values1267.VLiteral<"draft", "required">, convex_values1267.VLiteral<"active", "required">, convex_values1267.VLiteral<"disabled", "required">], "required", never>;
604
+ config: convex_values1267.VAny<any, "optional", string>;
605
+ extend: convex_values1267.VAny<any, "optional", string>;
606
+ }, "required", "name" | "extend" | "protocol" | `extend.${string}` | "slug" | "groupId" | "status" | "config" | `config.${string}`>, {
571
607
  group_id: ["groupId", "_creationTime"];
572
608
  slug: ["slug", "_creationTime"];
573
609
  status: ["status", "_creationTime"];
@@ -577,19 +613,19 @@ declare const _default: convex_server80.SchemaDefinition<{
577
613
  /**
578
614
  * Verified or pending domains linked to an group connection record.
579
615
  */
580
- GroupConnectionDomain: convex_server80.TableDefinition<convex_values50.VObject<{
616
+ GroupConnectionDomain: convex_server93.TableDefinition<convex_values1267.VObject<{
581
617
  verifiedAt?: number | undefined;
582
- groupId: convex_values50.GenericId<"Group">;
583
- connectionId: convex_values50.GenericId<"GroupConnection">;
584
- domain: string;
618
+ connectionId: convex_values1267.GenericId<"GroupConnection">;
619
+ groupId: convex_values1267.GenericId<"Group">;
585
620
  isPrimary: boolean;
621
+ domain: string;
586
622
  }, {
587
- connectionId: convex_values50.VId<convex_values50.GenericId<"GroupConnection">, "required">;
588
- groupId: convex_values50.VId<convex_values50.GenericId<"Group">, "required">;
589
- domain: convex_values50.VString<string, "required">;
590
- isPrimary: convex_values50.VBoolean<boolean, "required">;
591
- verifiedAt: convex_values50.VFloat64<number | undefined, "optional">;
592
- }, "required", "groupId" | "connectionId" | "domain" | "isPrimary" | "verifiedAt">, {
623
+ connectionId: convex_values1267.VId<convex_values1267.GenericId<"GroupConnection">, "required">;
624
+ groupId: convex_values1267.VId<convex_values1267.GenericId<"Group">, "required">;
625
+ domain: convex_values1267.VString<string, "required">;
626
+ isPrimary: convex_values1267.VBoolean<boolean, "required">;
627
+ verifiedAt: convex_values1267.VFloat64<number | undefined, "optional">;
628
+ }, "required", "connectionId" | "groupId" | "isPrimary" | "domain" | "verifiedAt">, {
593
629
  connection_id: ["connectionId", "_creationTime"];
594
630
  group_id: ["groupId", "_creationTime"];
595
631
  domain: ["domain", "_creationTime"];
@@ -597,27 +633,27 @@ declare const _default: convex_server80.SchemaDefinition<{
597
633
  /**
598
634
  * Pending DNS TXT verification challenges for group connection domains.
599
635
  */
600
- GroupConnectionDomainVerification: convex_server80.TableDefinition<convex_values50.VObject<{
601
- expiresAt: number;
602
- groupId: convex_values50.GenericId<"Group">;
636
+ GroupConnectionDomainVerification: convex_server93.TableDefinition<convex_values1267.VObject<{
637
+ connectionId: convex_values1267.GenericId<"GroupConnection">;
638
+ groupId: convex_values1267.GenericId<"Group">;
603
639
  tokenHash: string;
604
- connectionId: convex_values50.GenericId<"GroupConnection">;
640
+ expiresAt: number;
605
641
  domain: string;
606
- domainId: convex_values50.GenericId<"GroupConnectionDomain">;
642
+ domainId: convex_values1267.GenericId<"GroupConnectionDomain">;
607
643
  recordName: string;
608
644
  token: string;
609
645
  requestedAt: number;
610
646
  }, {
611
- connectionId: convex_values50.VId<convex_values50.GenericId<"GroupConnection">, "required">;
612
- groupId: convex_values50.VId<convex_values50.GenericId<"Group">, "required">;
613
- domainId: convex_values50.VId<convex_values50.GenericId<"GroupConnectionDomain">, "required">;
614
- domain: convex_values50.VString<string, "required">;
615
- recordName: convex_values50.VString<string, "required">;
616
- token: convex_values50.VString<string, "required">;
617
- tokenHash: convex_values50.VString<string, "required">;
618
- requestedAt: convex_values50.VFloat64<number, "required">;
619
- expiresAt: convex_values50.VFloat64<number, "required">;
620
- }, "required", "expiresAt" | "groupId" | "tokenHash" | "connectionId" | "domain" | "domainId" | "recordName" | "token" | "requestedAt">, {
647
+ connectionId: convex_values1267.VId<convex_values1267.GenericId<"GroupConnection">, "required">;
648
+ groupId: convex_values1267.VId<convex_values1267.GenericId<"Group">, "required">;
649
+ domainId: convex_values1267.VId<convex_values1267.GenericId<"GroupConnectionDomain">, "required">;
650
+ domain: convex_values1267.VString<string, "required">;
651
+ recordName: convex_values1267.VString<string, "required">;
652
+ token: convex_values1267.VString<string, "required">;
653
+ tokenHash: convex_values1267.VString<string, "required">;
654
+ requestedAt: convex_values1267.VFloat64<number, "required">;
655
+ expiresAt: convex_values1267.VFloat64<number, "required">;
656
+ }, "required", "connectionId" | "groupId" | "tokenHash" | "expiresAt" | "domain" | "domainId" | "recordName" | "token" | "requestedAt">, {
621
657
  connection_id: ["connectionId", "_creationTime"];
622
658
  domain_id: ["domainId", "_creationTime"];
623
659
  token_hash: ["tokenHash", "_creationTime"];
@@ -625,19 +661,19 @@ declare const _default: convex_server80.SchemaDefinition<{
625
661
  /**
626
662
  * Encrypted group connection secrets stored separately from protocol config.
627
663
  */
628
- GroupConnectionSecret: convex_server80.TableDefinition<convex_values50.VObject<{
629
- groupId: convex_values50.GenericId<"Group">;
630
- connectionId: convex_values50.GenericId<"GroupConnection">;
664
+ GroupConnectionSecret: convex_server93.TableDefinition<convex_values1267.VObject<{
665
+ connectionId: convex_values1267.GenericId<"GroupConnection">;
666
+ kind: "oidc_client_secret";
667
+ groupId: convex_values1267.GenericId<"Group">;
631
668
  ciphertext: string;
632
669
  updatedAt: number;
633
- kind: "oidc_client_secret";
634
670
  }, {
635
- connectionId: convex_values50.VId<convex_values50.GenericId<"GroupConnection">, "required">;
636
- groupId: convex_values50.VId<convex_values50.GenericId<"Group">, "required">;
637
- kind: convex_values50.VUnion<"oidc_client_secret", [convex_values50.VLiteral<"oidc_client_secret", "required">], "required", never>;
638
- ciphertext: convex_values50.VString<string, "required">;
639
- updatedAt: convex_values50.VFloat64<number, "required">;
640
- }, "required", "groupId" | "connectionId" | "ciphertext" | "updatedAt" | "kind">, {
671
+ connectionId: convex_values1267.VId<convex_values1267.GenericId<"GroupConnection">, "required">;
672
+ groupId: convex_values1267.VId<convex_values1267.GenericId<"Group">, "required">;
673
+ kind: convex_values1267.VUnion<"oidc_client_secret", [convex_values1267.VLiteral<"oidc_client_secret", "required">], "required", never>;
674
+ ciphertext: convex_values1267.VString<string, "required">;
675
+ updatedAt: convex_values1267.VFloat64<number, "required">;
676
+ }, "required", "connectionId" | "kind" | "groupId" | "ciphertext" | "updatedAt">, {
641
677
  connection_id: ["connectionId", "_creationTime"];
642
678
  connection_id_kind: ["connectionId", "kind", "_creationTime"];
643
679
  group_id: ["groupId", "_creationTime"];
@@ -645,23 +681,23 @@ declare const _default: convex_server80.SchemaDefinition<{
645
681
  /**
646
682
  * SCIM configuration for an group connection tenant.
647
683
  */
648
- GroupConnectionScimConfig: convex_server80.TableDefinition<convex_values50.VObject<{
684
+ GroupConnectionScimConfig: convex_server93.TableDefinition<convex_values1267.VObject<{
649
685
  extend?: any;
650
686
  lastRotatedAt?: number | undefined;
687
+ connectionId: convex_values1267.GenericId<"GroupConnection">;
688
+ groupId: convex_values1267.GenericId<"Group">;
651
689
  status: "draft" | "active" | "disabled";
652
- groupId: convex_values50.GenericId<"Group">;
653
690
  tokenHash: string;
654
- connectionId: convex_values50.GenericId<"GroupConnection">;
655
691
  basePath: string;
656
692
  }, {
657
- connectionId: convex_values50.VId<convex_values50.GenericId<"GroupConnection">, "required">;
658
- groupId: convex_values50.VId<convex_values50.GenericId<"Group">, "required">;
659
- status: convex_values50.VUnion<"draft" | "active" | "disabled", [convex_values50.VLiteral<"draft", "required">, convex_values50.VLiteral<"active", "required">, convex_values50.VLiteral<"disabled", "required">], "required", never>;
660
- basePath: convex_values50.VString<string, "required">;
661
- tokenHash: convex_values50.VString<string, "required">;
662
- lastRotatedAt: convex_values50.VFloat64<number | undefined, "optional">;
663
- extend: convex_values50.VAny<any, "optional", string>;
664
- }, "required", "status" | "extend" | `extend.${string}` | "groupId" | "tokenHash" | "connectionId" | "basePath" | "lastRotatedAt">, {
693
+ connectionId: convex_values1267.VId<convex_values1267.GenericId<"GroupConnection">, "required">;
694
+ groupId: convex_values1267.VId<convex_values1267.GenericId<"Group">, "required">;
695
+ status: convex_values1267.VUnion<"draft" | "active" | "disabled", [convex_values1267.VLiteral<"draft", "required">, convex_values1267.VLiteral<"active", "required">, convex_values1267.VLiteral<"disabled", "required">], "required", never>;
696
+ basePath: convex_values1267.VString<string, "required">;
697
+ tokenHash: convex_values1267.VString<string, "required">;
698
+ lastRotatedAt: convex_values1267.VFloat64<number | undefined, "optional">;
699
+ extend: convex_values1267.VAny<any, "optional", string>;
700
+ }, "required", "extend" | "connectionId" | `extend.${string}` | "groupId" | "status" | "tokenHash" | "basePath" | "lastRotatedAt">, {
665
701
  group_connection_id: ["connectionId", "_creationTime"];
666
702
  group_id: ["groupId", "_creationTime"];
667
703
  token_hash: ["tokenHash", "_creationTime"];
@@ -670,27 +706,27 @@ declare const _default: convex_server80.SchemaDefinition<{
670
706
  /**
671
707
  * External SCIM identities mapped into local users/groups.
672
708
  */
673
- GroupConnectionScimIdentity: convex_server80.TableDefinition<convex_values50.VObject<{
674
- userId?: convex_values50.GenericId<"User"> | undefined;
709
+ GroupConnectionScimIdentity: convex_server93.TableDefinition<convex_values1267.VObject<{
710
+ userId?: convex_values1267.GenericId<"User"> | undefined;
675
711
  active?: boolean | undefined;
676
- mappedGroupId?: convex_values50.GenericId<"Group"> | undefined;
712
+ mappedGroupId?: convex_values1267.GenericId<"Group"> | undefined;
677
713
  lastProvisionedAt?: number | undefined;
678
714
  raw?: any;
715
+ connectionId: convex_values1267.GenericId<"GroupConnection">;
679
716
  externalId: string;
680
- groupId: convex_values50.GenericId<"Group">;
681
- connectionId: convex_values50.GenericId<"GroupConnection">;
717
+ groupId: convex_values1267.GenericId<"Group">;
682
718
  resourceType: "user" | "group";
683
719
  }, {
684
- connectionId: convex_values50.VId<convex_values50.GenericId<"GroupConnection">, "required">;
685
- groupId: convex_values50.VId<convex_values50.GenericId<"Group">, "required">;
686
- resourceType: convex_values50.VUnion<"user" | "group", [convex_values50.VLiteral<"user", "required">, convex_values50.VLiteral<"group", "required">], "required", never>;
687
- externalId: convex_values50.VString<string, "required">;
688
- userId: convex_values50.VId<convex_values50.GenericId<"User"> | undefined, "optional">;
689
- mappedGroupId: convex_values50.VId<convex_values50.GenericId<"Group"> | undefined, "optional">;
690
- lastProvisionedAt: convex_values50.VFloat64<number | undefined, "optional">;
691
- active: convex_values50.VBoolean<boolean | undefined, "optional">;
692
- raw: convex_values50.VAny<any, "optional", string>;
693
- }, "required", "userId" | "externalId" | "groupId" | "active" | "connectionId" | "resourceType" | "mappedGroupId" | "lastProvisionedAt" | "raw" | `raw.${string}`>, {
720
+ connectionId: convex_values1267.VId<convex_values1267.GenericId<"GroupConnection">, "required">;
721
+ groupId: convex_values1267.VId<convex_values1267.GenericId<"Group">, "required">;
722
+ resourceType: convex_values1267.VUnion<"user" | "group", [convex_values1267.VLiteral<"user", "required">, convex_values1267.VLiteral<"group", "required">], "required", never>;
723
+ externalId: convex_values1267.VString<string, "required">;
724
+ userId: convex_values1267.VId<convex_values1267.GenericId<"User"> | undefined, "optional">;
725
+ mappedGroupId: convex_values1267.VId<convex_values1267.GenericId<"Group"> | undefined, "optional">;
726
+ lastProvisionedAt: convex_values1267.VFloat64<number | undefined, "optional">;
727
+ active: convex_values1267.VBoolean<boolean | undefined, "optional">;
728
+ raw: convex_values1267.VAny<any, "optional", string>;
729
+ }, "required", "connectionId" | "externalId" | "groupId" | "userId" | "active" | "resourceType" | "mappedGroupId" | "lastProvisionedAt" | "raw" | `raw.${string}`>, {
694
730
  group_connection_id: ["connectionId", "_creationTime"];
695
731
  group_id: ["groupId", "_creationTime"];
696
732
  group_connection_id_resource_type_external_id: ["connectionId", "resourceType", "externalId", "_creationTime"];
@@ -701,33 +737,33 @@ declare const _default: convex_server80.SchemaDefinition<{
701
737
  /**
702
738
  * Immutable audit trail for group connection operations.
703
739
  */
704
- GroupAuditEvent: convex_server80.TableDefinition<convex_values50.VObject<{
740
+ GroupAuditEvent: convex_server93.TableDefinition<convex_values1267.VObject<{
741
+ connectionId?: convex_values1267.GenericId<"GroupConnection"> | undefined;
705
742
  metadata?: any;
706
- connectionId?: convex_values50.GenericId<"GroupConnection"> | undefined;
707
743
  actorId?: string | undefined;
708
744
  subjectId?: string | undefined;
709
745
  requestId?: string | undefined;
710
746
  ip?: string | undefined;
747
+ groupId: convex_values1267.GenericId<"Group">;
711
748
  status: "success" | "failure";
712
- groupId: convex_values50.GenericId<"Group">;
713
- actorType: "user" | "scim" | "system" | "api_key" | "webhook";
714
749
  eventType: string;
750
+ actorType: "user" | "scim" | "system" | "api_key" | "webhook";
715
751
  subjectType: string;
716
752
  occurredAt: number;
717
753
  }, {
718
- connectionId: convex_values50.VId<convex_values50.GenericId<"GroupConnection"> | undefined, "optional">;
719
- groupId: convex_values50.VId<convex_values50.GenericId<"Group">, "required">;
720
- eventType: convex_values50.VString<string, "required">;
721
- actorType: convex_values50.VUnion<"user" | "scim" | "system" | "api_key" | "webhook", [convex_values50.VLiteral<"user", "required">, convex_values50.VLiteral<"system", "required">, convex_values50.VLiteral<"scim", "required">, convex_values50.VLiteral<"api_key", "required">, convex_values50.VLiteral<"webhook", "required">], "required", never>;
722
- actorId: convex_values50.VString<string | undefined, "optional">;
723
- subjectType: convex_values50.VString<string, "required">;
724
- subjectId: convex_values50.VString<string | undefined, "optional">;
725
- status: convex_values50.VUnion<"success" | "failure", [convex_values50.VLiteral<"success", "required">, convex_values50.VLiteral<"failure", "required">], "required", never>;
726
- occurredAt: convex_values50.VFloat64<number, "required">;
727
- requestId: convex_values50.VString<string | undefined, "optional">;
728
- ip: convex_values50.VString<string | undefined, "optional">;
729
- metadata: convex_values50.VAny<any, "optional", string>;
730
- }, "required", "status" | "metadata" | `metadata.${string}` | "groupId" | "connectionId" | "actorType" | "eventType" | "actorId" | "subjectType" | "subjectId" | "occurredAt" | "requestId" | "ip">, {
754
+ connectionId: convex_values1267.VId<convex_values1267.GenericId<"GroupConnection"> | undefined, "optional">;
755
+ groupId: convex_values1267.VId<convex_values1267.GenericId<"Group">, "required">;
756
+ eventType: convex_values1267.VString<string, "required">;
757
+ actorType: convex_values1267.VUnion<"user" | "scim" | "system" | "api_key" | "webhook", [convex_values1267.VLiteral<"user", "required">, convex_values1267.VLiteral<"system", "required">, convex_values1267.VLiteral<"scim", "required">, convex_values1267.VLiteral<"api_key", "required">, convex_values1267.VLiteral<"webhook", "required">], "required", never>;
758
+ actorId: convex_values1267.VString<string | undefined, "optional">;
759
+ subjectType: convex_values1267.VString<string, "required">;
760
+ subjectId: convex_values1267.VString<string | undefined, "optional">;
761
+ status: convex_values1267.VUnion<"success" | "failure", [convex_values1267.VLiteral<"success", "required">, convex_values1267.VLiteral<"failure", "required">], "required", never>;
762
+ occurredAt: convex_values1267.VFloat64<number, "required">;
763
+ requestId: convex_values1267.VString<string | undefined, "optional">;
764
+ ip: convex_values1267.VString<string | undefined, "optional">;
765
+ metadata: convex_values1267.VAny<any, "optional", string>;
766
+ }, "required", "connectionId" | "groupId" | "status" | "metadata" | `metadata.${string}` | "eventType" | "actorType" | "actorId" | "subjectType" | "subjectId" | "occurredAt" | "requestId" | "ip">, {
731
767
  group_connection_id_occurred_at: ["connectionId", "occurredAt", "_creationTime"];
732
768
  group_id_occurred_at: ["groupId", "occurredAt", "_creationTime"];
733
769
  event_type_occurred_at: ["eventType", "occurredAt", "_creationTime"];
@@ -735,31 +771,31 @@ declare const _default: convex_server80.SchemaDefinition<{
735
771
  /**
736
772
  * Webhook endpoints subscribed to group audit and lifecycle events.
737
773
  */
738
- GroupWebhookEndpoint: convex_server80.TableDefinition<convex_values50.VObject<{
774
+ GroupWebhookEndpoint: convex_server93.TableDefinition<convex_values1267.VObject<{
739
775
  extend?: any;
740
- createdByUserId?: convex_values50.GenericId<"User"> | undefined;
776
+ createdByUserId?: convex_values1267.GenericId<"User"> | undefined;
741
777
  lastSuccessAt?: number | undefined;
742
778
  lastFailureAt?: number | undefined;
779
+ connectionId: convex_values1267.GenericId<"GroupConnection">;
780
+ groupId: convex_values1267.GenericId<"Group">;
743
781
  status: "active" | "disabled";
744
- groupId: convex_values50.GenericId<"Group">;
745
- connectionId: convex_values50.GenericId<"GroupConnection">;
746
782
  url: string;
747
783
  secretHash: string;
748
784
  subscriptions: string[];
749
785
  failureCount: number;
750
786
  }, {
751
- connectionId: convex_values50.VId<convex_values50.GenericId<"GroupConnection">, "required">;
752
- groupId: convex_values50.VId<convex_values50.GenericId<"Group">, "required">;
753
- url: convex_values50.VString<string, "required">;
754
- status: convex_values50.VUnion<"active" | "disabled", [convex_values50.VLiteral<"active", "required">, convex_values50.VLiteral<"disabled", "required">], "required", never>;
755
- secretHash: convex_values50.VString<string, "required">;
756
- subscriptions: convex_values50.VArray<string[], convex_values50.VString<string, "required">, "required">;
757
- createdByUserId: convex_values50.VId<convex_values50.GenericId<"User"> | undefined, "optional">;
758
- lastSuccessAt: convex_values50.VFloat64<number | undefined, "optional">;
759
- lastFailureAt: convex_values50.VFloat64<number | undefined, "optional">;
760
- failureCount: convex_values50.VFloat64<number, "required">;
761
- extend: convex_values50.VAny<any, "optional", string>;
762
- }, "required", "status" | "extend" | `extend.${string}` | "groupId" | "connectionId" | "url" | "secretHash" | "subscriptions" | "createdByUserId" | "lastSuccessAt" | "lastFailureAt" | "failureCount">, {
787
+ connectionId: convex_values1267.VId<convex_values1267.GenericId<"GroupConnection">, "required">;
788
+ groupId: convex_values1267.VId<convex_values1267.GenericId<"Group">, "required">;
789
+ url: convex_values1267.VString<string, "required">;
790
+ status: convex_values1267.VUnion<"active" | "disabled", [convex_values1267.VLiteral<"active", "required">, convex_values1267.VLiteral<"disabled", "required">], "required", never>;
791
+ secretHash: convex_values1267.VString<string, "required">;
792
+ subscriptions: convex_values1267.VArray<string[], convex_values1267.VString<string, "required">, "required">;
793
+ createdByUserId: convex_values1267.VId<convex_values1267.GenericId<"User"> | undefined, "optional">;
794
+ lastSuccessAt: convex_values1267.VFloat64<number | undefined, "optional">;
795
+ lastFailureAt: convex_values1267.VFloat64<number | undefined, "optional">;
796
+ failureCount: convex_values1267.VFloat64<number, "required">;
797
+ extend: convex_values1267.VAny<any, "optional", string>;
798
+ }, "required", "extend" | "connectionId" | `extend.${string}` | "groupId" | "status" | "url" | "secretHash" | "subscriptions" | "createdByUserId" | "lastSuccessAt" | "lastFailureAt" | "failureCount">, {
763
799
  group_connection_id: ["connectionId", "_creationTime"];
764
800
  group_id: ["groupId", "_creationTime"];
765
801
  status: ["status", "_creationTime"];
@@ -767,31 +803,31 @@ declare const _default: convex_server80.SchemaDefinition<{
767
803
  /**
768
804
  * Delivery queue for outbound group webhooks.
769
805
  */
770
- GroupWebhookDelivery: convex_server80.TableDefinition<convex_values50.VObject<{
771
- auditEventId?: convex_values50.GenericId<"GroupAuditEvent"> | undefined;
806
+ GroupWebhookDelivery: convex_server93.TableDefinition<convex_values1267.VObject<{
807
+ auditEventId?: convex_values1267.GenericId<"GroupAuditEvent"> | undefined;
772
808
  lastAttemptAt?: number | undefined;
773
809
  lastResponseStatus?: number | undefined;
774
810
  lastError?: string | undefined;
811
+ connectionId: convex_values1267.GenericId<"GroupConnection">;
775
812
  status: "pending" | "processing" | "delivered" | "failed";
776
- connectionId: convex_values50.GenericId<"GroupConnection">;
777
813
  eventType: string;
778
- endpointId: convex_values50.GenericId<"GroupWebhookEndpoint">;
814
+ endpointId: convex_values1267.GenericId<"GroupWebhookEndpoint">;
779
815
  attemptCount: number;
780
816
  nextAttemptAt: number;
781
817
  payload: any;
782
818
  }, {
783
- connectionId: convex_values50.VId<convex_values50.GenericId<"GroupConnection">, "required">;
784
- endpointId: convex_values50.VId<convex_values50.GenericId<"GroupWebhookEndpoint">, "required">;
785
- auditEventId: convex_values50.VId<convex_values50.GenericId<"GroupAuditEvent"> | undefined, "optional">;
786
- eventType: convex_values50.VString<string, "required">;
787
- status: convex_values50.VUnion<"pending" | "processing" | "delivered" | "failed", [convex_values50.VLiteral<"pending", "required">, convex_values50.VLiteral<"processing", "required">, convex_values50.VLiteral<"delivered", "required">, convex_values50.VLiteral<"failed", "required">], "required", never>;
788
- attemptCount: convex_values50.VFloat64<number, "required">;
789
- nextAttemptAt: convex_values50.VFloat64<number, "required">;
790
- lastAttemptAt: convex_values50.VFloat64<number | undefined, "optional">;
791
- lastResponseStatus: convex_values50.VFloat64<number | undefined, "optional">;
792
- lastError: convex_values50.VString<string | undefined, "optional">;
793
- payload: convex_values50.VAny<any, "required", string>;
794
- }, "required", "status" | "connectionId" | "eventType" | "endpointId" | "auditEventId" | "attemptCount" | "nextAttemptAt" | "lastAttemptAt" | "lastResponseStatus" | "lastError" | "payload" | `payload.${string}`>, {
819
+ connectionId: convex_values1267.VId<convex_values1267.GenericId<"GroupConnection">, "required">;
820
+ endpointId: convex_values1267.VId<convex_values1267.GenericId<"GroupWebhookEndpoint">, "required">;
821
+ auditEventId: convex_values1267.VId<convex_values1267.GenericId<"GroupAuditEvent"> | undefined, "optional">;
822
+ eventType: convex_values1267.VString<string, "required">;
823
+ status: convex_values1267.VUnion<"pending" | "processing" | "delivered" | "failed", [convex_values1267.VLiteral<"pending", "required">, convex_values1267.VLiteral<"processing", "required">, convex_values1267.VLiteral<"delivered", "required">, convex_values1267.VLiteral<"failed", "required">], "required", never>;
824
+ attemptCount: convex_values1267.VFloat64<number, "required">;
825
+ nextAttemptAt: convex_values1267.VFloat64<number, "required">;
826
+ lastAttemptAt: convex_values1267.VFloat64<number | undefined, "optional">;
827
+ lastResponseStatus: convex_values1267.VFloat64<number | undefined, "optional">;
828
+ lastError: convex_values1267.VString<string | undefined, "optional">;
829
+ payload: convex_values1267.VAny<any, "required", string>;
830
+ }, "required", "connectionId" | "status" | "eventType" | "endpointId" | "auditEventId" | "attemptCount" | "nextAttemptAt" | "lastAttemptAt" | "lastResponseStatus" | "lastError" | "payload" | `payload.${string}`>, {
795
831
  group_connection_id: ["connectionId", "_creationTime"];
796
832
  status_next_attempt_at: ["status", "nextAttemptAt", "_creationTime"];
797
833
  endpoint_id_status: ["endpointId", "status", "_creationTime"];
@@ -810,9 +846,8 @@ declare const _default: convex_server80.SchemaDefinition<{
810
846
  * - **Expiration**: optional TTL
811
847
  * - **Soft revocation**: `revoked` flag preserves audit trail
812
848
  */
813
- ApiKey: convex_server80.TableDefinition<convex_values50.VObject<{
849
+ ApiKey: convex_server93.TableDefinition<convex_values1267.VObject<{
814
850
  lastUsedAt?: number | undefined;
815
- expiresAt?: number | undefined;
816
851
  rateLimit?: {
817
852
  maxRequests: number;
818
853
  windowMs: number;
@@ -821,52 +856,53 @@ declare const _default: convex_server80.SchemaDefinition<{
821
856
  attemptsLeft: number;
822
857
  lastAttemptTime: number;
823
858
  } | undefined;
859
+ expiresAt?: number | undefined;
824
860
  metadata?: any;
825
861
  name: string;
862
+ userId: convex_values1267.GenericId<"User">;
826
863
  revoked: boolean;
827
- userId: convex_values50.GenericId<"User">;
864
+ createdAt: number;
828
865
  prefix: string;
829
866
  hashedKey: string;
830
867
  scopes: {
831
868
  resource: string;
832
869
  actions: string[];
833
870
  }[];
834
- createdAt: number;
835
871
  }, {
836
- userId: convex_values50.VId<convex_values50.GenericId<"User">, "required">; /** First chars of the key for display (e.g. "sk_abc1..."). */
837
- prefix: convex_values50.VString<string, "required">; /** SHA-256 hex hash of the full raw key. */
838
- hashedKey: convex_values50.VString<string, "required">; /** User-assigned name (e.g. "CI Pipeline", "Production API"). */
839
- name: convex_values50.VString<string, "required">; /** Scoped permissions: [{ resource: "users", actions: ["read", "list"] }]. */
840
- scopes: convex_values50.VArray<{
872
+ userId: convex_values1267.VId<convex_values1267.GenericId<"User">, "required">; /** First chars of the key for display (e.g. "sk_abc1..."). */
873
+ prefix: convex_values1267.VString<string, "required">; /** SHA-256 hex hash of the full raw key. */
874
+ hashedKey: convex_values1267.VString<string, "required">; /** User-assigned name (e.g. "CI Pipeline", "Production API"). */
875
+ name: convex_values1267.VString<string, "required">; /** Scoped permissions: [{ resource: "users", actions: ["read", "list"] }]. */
876
+ scopes: convex_values1267.VArray<{
841
877
  resource: string;
842
878
  actions: string[];
843
- }[], convex_values50.VObject<{
879
+ }[], convex_values1267.VObject<{
844
880
  resource: string;
845
881
  actions: string[];
846
882
  }, {
847
- resource: convex_values50.VString<string, "required">;
848
- actions: convex_values50.VArray<string[], convex_values50.VString<string, "required">, "required">;
883
+ resource: convex_values1267.VString<string, "required">;
884
+ actions: convex_values1267.VArray<string[], convex_values1267.VString<string, "required">, "required">;
849
885
  }, "required", "resource" | "actions">, "required">; /** Optional per-key rate limit configuration. */
850
- rateLimit: convex_values50.VObject<{
886
+ rateLimit: convex_values1267.VObject<{
851
887
  maxRequests: number;
852
888
  windowMs: number;
853
889
  } | undefined, {
854
- maxRequests: convex_values50.VFloat64<number, "required">;
855
- windowMs: convex_values50.VFloat64<number, "required">;
890
+ maxRequests: convex_values1267.VFloat64<number, "required">;
891
+ windowMs: convex_values1267.VFloat64<number, "required">;
856
892
  }, "optional", "maxRequests" | "windowMs">; /** Rate limit state tracking (token-bucket). */
857
- rateLimitState: convex_values50.VObject<{
893
+ rateLimitState: convex_values1267.VObject<{
858
894
  attemptsLeft: number;
859
895
  lastAttemptTime: number;
860
896
  } | undefined, {
861
- attemptsLeft: convex_values50.VFloat64<number, "required">;
862
- lastAttemptTime: convex_values50.VFloat64<number, "required">;
897
+ attemptsLeft: convex_values1267.VFloat64<number, "required">;
898
+ lastAttemptTime: convex_values1267.VFloat64<number, "required">;
863
899
  }, "optional", "attemptsLeft" | "lastAttemptTime">; /** Expiration timestamp. Null/undefined = never expires. */
864
- expiresAt: convex_values50.VFloat64<number | undefined, "optional">;
865
- lastUsedAt: convex_values50.VFloat64<number | undefined, "optional">;
866
- createdAt: convex_values50.VFloat64<number, "required">; /** Soft-revoke flag. Revoked keys are kept for audit trail. */
867
- revoked: convex_values50.VBoolean<boolean, "required">; /** Arbitrary app-specific metadata attached to the key. */
868
- metadata: convex_values50.VAny<any, "optional", string>;
869
- }, "required", "name" | "revoked" | "lastUsedAt" | "expiresAt" | "userId" | "prefix" | "hashedKey" | "scopes" | "rateLimit" | "rateLimitState" | "createdAt" | "metadata" | "rateLimit.maxRequests" | "rateLimit.windowMs" | "rateLimitState.attemptsLeft" | "rateLimitState.lastAttemptTime" | `metadata.${string}`>, {
900
+ expiresAt: convex_values1267.VFloat64<number | undefined, "optional">;
901
+ lastUsedAt: convex_values1267.VFloat64<number | undefined, "optional">;
902
+ createdAt: convex_values1267.VFloat64<number, "required">; /** Soft-revoke flag. Revoked keys are kept for audit trail. */
903
+ revoked: convex_values1267.VBoolean<boolean, "required">; /** Arbitrary app-specific metadata attached to the key. */
904
+ metadata: convex_values1267.VAny<any, "optional", string>;
905
+ }, "required", "name" | "userId" | "revoked" | "createdAt" | "lastUsedAt" | "prefix" | "hashedKey" | "scopes" | "rateLimit" | "rateLimitState" | "expiresAt" | "metadata" | "rateLimit.maxRequests" | "rateLimit.windowMs" | "rateLimitState.attemptsLeft" | "rateLimitState.lastAttemptTime" | `metadata.${string}`>, {
870
906
  user_id: ["userId", "_creationTime"];
871
907
  hashed_key: ["hashedKey", "_creationTime"];
872
908
  }, {}, {}>;