@usehercules/convex 0.0.0

package/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2025 Grant Gurvis
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

package/README.md

@@ -0,0 +1,478 @@
+# @usehercules/convex
+
+Convex component for Hercules **managed Access Control**: multi-tenant scopes,
+roles, permissions, and resource-level grants, enforced inside your Convex
+functions. The app reads from a local mirror that Hercules keeps in sync with
+the control plane.
+
+This README and the published `dist/client/index.d.ts` and
+`dist/client/access-admin.d.ts` files are the authoritative public contract.
+Use their TypeScript signatures and your local wrappers. Do not inspect package
+or component implementation internals to infer behavior. Public REST payloads
+are documented at https://docs-cloud.hercules.app.
+
+## Setup
+
+Call `createAccessControl` once in `convex/hercules.ts` and re-export the
+builders. Use these builders instead of the raw `./_generated/server` ones for
+anything permissioned.
+
+```ts
+import { createAccessControl } from "@usehercules/convex";
+import { components } from "./_generated/api";
+import { action, mutation, query } from "./_generated/server";
+
+export const {
+  publicQuery,
+  publicMutation,
+  publicAction,
+  authenticatedQuery,
+  authenticatedMutation,
+  authenticatedAction,
+  accessQuery,
+  accessMutation,
+  accessAction,
+  hasPermission,
+  requirePermission,
+  requireAnyPermission,
+  getEffectivePermissions,
+  getCurrentHerculesAuthUserId,
+  listMyMemberships,
+  listMyRoles,
+  listScopeMembers,
+  listScopeMemberDirectory,
+  getScopeMemberDirectoryEntry,
+  listScopeRoles,
+  listScopePermissions,
+  listDirectSubjectsForResource,
+} = createAccessControl({ query, mutation, action, components });
+
+export {
+  scopeFromArg,
+  scopeFromDefaultParentResource,
+  scopeFromDefaultResource,
+  scopeFromParentResource,
+  scopeFromResource,
+} from "@usehercules/convex";
+```
+
+## IAM catalog
+
+`hercules/iam.jsonc` is the only writer for reusable permissions, reusable
+roles, base role permissions, and `orgAdminGrantablePermissions`. Runtime APIs
+manage members, invitations, groups, organization roles, overrides,
+exceptions, and resource access.
+
+```jsonc
+{
+  "$schema": "https://schemas.hercules.app/iam/v1.json",
+  "version": "v1",
+  "permissions": {
+    "app.documents:read": { "name": "Read documents" },
+    "app.documents:update": { "name": "Update documents" },
+    "app.documents:manage_members": { "name": "Share documents" },
+  },
+  "orgAdminGrantablePermissions": [
+    "app.documents:read",
+    "app.documents:update",
+  ],
+  "roles": {
+    "owner": { "type": "built_in" },
+    "admin": { "type": "built_in" },
+    "member": { "type": "built_in" },
+    "reviewer": { "type": "custom", "name": "Reviewer" },
+  },
+  "rolePermissions": {
+    "member": ["app.documents:read"],
+    "reviewer": ["app.documents:read"],
+  },
+}
+```
+
+- Permission keys are `app.<resource>:<action>`.
+- Check concrete actions at runtime. Do not check `manage` or `*`.
+- Declare `owner` and `admin`, but do not add app-authored base permissions to
+  them.
+- A resource role that may share its resource needs the exact
+  `<resourceType>:manage_members` permission.
+- A failed IAM apply means the build failed, even if TypeScript and Vite passed.
+
+## Enforcing access
+
+`accessQuery` / `accessMutation` / `accessAction` take a `permission` and a
+`scope`. Choose the scope helper from the app shape:
+
+| App shape           | Create/list    | Existing row               | Child create                     |
+| ------------------- | -------------- | -------------------------- | -------------------------------- |
+| Default app scope   | omit `scope`   | `scopeFromDefaultResource` | `scopeFromDefaultParentResource` |
+| Organization scopes | `scopeFromArg` | `scopeFromResource`        | `scopeFromParentResource`        |
+
+The default-scope resource helpers load the referenced row but do not require a
+scope id column. Organization helpers read or accept the organization scope.
+Gate **every** protected read and write; `authenticatedQuery` only proves
+sign-in.
+
+```ts
+import { v } from "convex/values";
+import {
+  accessQuery,
+  accessMutation,
+  scopeFromArg,
+  scopeFromResource,
+} from "./hercules";
+
+// Read: scope from an arg. "view" is a real permission; grant it to every role
+// that should see the data, including a read-only role.
+export const listProjects = accessQuery({
+  permission: "app.project:view",
+  scope: scopeFromArg("orgScopeId"),
+  args: { orgScopeId: v.string() },
+  handler: async (ctx, args) =>
+    ctx.db
+      .query("projects")
+      .withIndex("by_org", (q) => q.eq("orgScopeId", args.orgScopeId))
+      .collect(),
+});
+
+// Write on a specific row: scope from the resource, so the caller cannot pair
+// their scope with another org's row.
+export const archiveProject = accessMutation({
+  permission: "app.project:archive",
+  scope: scopeFromResource("projects", "projectId"),
+  args: { projectId: v.id("projects") },
+  handler: async (ctx, args) =>
+    ctx.db.patch(args.projectId, { status: "archived" }),
+});
+```
+
+### Resource-level (per-resource) permissions
+
+`scopeFromResource` names the specific resource, so a resource grant on that
+resource is applied on top of the scope check. `hasPermission` and
+`getEffectivePermissions` also accept a `{ resource }` ref for per-resource UI
+gating.
+
+Declare trusted parent resources for child authorization. The target and
+ancestors are evaluated together with the child permission, so any applicable
+deny wins. Parent access applies only when its binding uses
+`appliesTo: "self_and_descendants"`.
+
+```ts
+export const updateTask = accessMutation({
+  permission: "app.tasks:update",
+  scope: scopeFromResource("tasks", "taskId", {
+    authorizeAgainst: (task) => [
+      { type: "app.projects", id: String(task.projectId) },
+    ],
+  }),
+  args: { taskId: v.id("tasks"), title: v.string() },
+  handler: async (ctx, args) =>
+    ctx.db.patch(args.taskId, { title: args.title }),
+});
+
+export const createTask = accessMutation({
+  permission: "app.tasks:create",
+  scope: scopeFromParentResource("projects", "projectId", {
+    parentResourceType: "app.projects",
+    authorizeAgainst: (project) => [
+      { type: "app.workspaces", id: String(project.workspaceId) },
+    ],
+  }),
+  args: { projectId: v.id("projects"), title: v.string() },
+  handler: async (ctx, args) => {
+    const project = await ctx.db.get(args.projectId);
+    if (!project) throw new Error("Project not found");
+    return await ctx.db.insert("tasks", {
+      orgScopeId: project.orgScopeId,
+      projectId: args.projectId,
+      title: args.title,
+    });
+  },
+});
+```
+
+Keep the requested permission on the child. The helper loads the trusted parent
+row, adds that parent first, then appends `authorizeAgainst` ancestors. Use the
+default-scope variants for the same recipe without an org scope column.
+
+> **Matching note:** a self-only binding targets the permission resource type.
+> A descendant-enabled binding targets the parent resource type while keeping
+> the child permission key. Table names are only used to load rows. Explicit
+> resource references must use canonical `app.*` types.
+
+For a default-scope app, use the matching helpers without adding a persisted
+scope id to each row:
+
+```ts
+scope: scopeFromDefaultResource("tasks", "taskId", {
+  authorizeAgainst: (task) => [
+    { type: "app.projects", id: String(task.projectId) },
+  ],
+});
+
+scope: scopeFromDefaultParentResource("projects", "projectId", {
+  parentResourceType: "app.projects",
+});
+```
+
+## Identity and app relationships
+
+Use `getCurrentHerculesAuthUserId` for the stable Hercules Auth user id. It
+returns the verified OIDC `sub`; never parse `tokenIdentifier`.
+
+```ts
+export const getMyProfile = accessQuery({
+  permission: "app.profiles:read",
+  args: {},
+  handler: async (ctx) => {
+    const herculesAuthUserId = await getCurrentHerculesAuthUserId(ctx);
+    if (!herculesAuthUserId) throw new Error("Authentication required");
+    return await ctx.db
+      .query("profiles")
+      .withIndex("by_auth_user", (q) =>
+        q.eq("herculesAuthUserId", herculesAuthUserId),
+      )
+      .unique();
+  },
+});
+```
+
+Application tables own product relationships such as owner, assignee,
+attending user, or linked profile. Access Control owns capabilities. Enforce
+both:
+
+1. Gate the function with a concrete Access Control permission.
+2. Load the trusted application row.
+3. Apply any relationship-based row or field restriction.
+
+A relationship may narrow an authorized result; it must not grant a capability
+by itself. Use a managed resource grant when the relationship should confer
+additional access.
+
+## In-app admin screens
+
+Read the scope's members, roles, and catalog with the `listScope*` helpers.
+Each self-gates on the matching `system.*:read` permission and returns `[]`
+when the caller lacks it (`owner`/`admin` hold these automatically).
+
+For member-facing pickers, use `listScopeMemberDirectory`. It is gated by
+`app.members:read` and returns bounded pages of active users with only their
+principal id, Hercules Auth user id, name, email, optional image, and
+authoritative effective scope-role keys.
+
+```ts
+export const teamMembers = authenticatedQuery({
+  args: { scopeId: v.string() },
+  handler: async (ctx, args) => {
+    const page = await listScopeMemberDirectory(ctx, { scopeId: args.scopeId, limit: 50 });
+    return {
+      ...page,
+      members: page.members.filter((member) => member.roleKeys.includes("reviewer")),
+    };
+  },
+});
+```
+
+`roleKeys` comes from managed scope-role bindings, including active group
+membership. Do not copy it into an app-owned role table.
+
+### Authority matrix
+
+| Surface                                                                          | Convex exposure                  | Authority                                                                       |
+| -------------------------------------------------------------------------------- | -------------------------------- | ------------------------------------------------------------------------------- |
+| `createAccessAdminActions`, `createAccessInvitation`, `createResourceInvitation` | Internal only                    | Service via `HERCULES_API_KEY`                                                  |
+| `createAccessUserActions`                                                        | Public `authenticatedAction`     | Signed-in app user via `idToken`; the control plane applies runtime role checks |
+| `createAccessScopeAction`                                                        | Public `authenticatedAction`     | Authenticated creator after `canCreateScope`; the creator becomes Owner         |
+| `createAccessScope`                                                              | App-owned authenticated function | Authenticated creator from `ctx`; the app supplies its own product-policy gate  |
+| `createResourceCreatorBootstrapAction`                                           | Public `authenticatedAction`     | Trusted resource creator; one fixed initial resource role                       |
+| `acceptAccessInvitation`                                                         | App-owned authenticated function | Invitee identified by the invitation token and `idToken`                        |
+
+Never call generated `internal.accessAdmin.*` actions from an exported public,
+authenticated, or access builder, directly or through a helper. Service
+authority is only for trusted internal workflows.
+
+```ts
+"use node";
+import { createAccessAdminActions } from "@usehercules/convex/access-admin";
+import { internalAction } from "./_generated/server";
+
+export const { assignRole, removeRole, createInvitation } =
+  createAccessAdminActions({ internalAction });
+```
+
+Use `createAccessUserActions` for user-initiated administration.
+
+```ts
+"use node";
+import { createAccessUserActions } from "@usehercules/convex/access-admin";
+import { authenticatedAction } from "./hercules";
+
+export const {
+  assignRole,
+  replaceMemberRoles,
+  listGrantableRoles,
+  createResourceGrant,
+  replaceResourceGrants,
+  revokeResourceGrant,
+  setResourcePermissionRules,
+  listResourceInvitations,
+  revokeInvitation,
+} = createAccessUserActions({ authenticatedAction });
+```
+
+`idToken` authenticates the actor only. In trusted Convex code, load the
+resource row to derive its scope and resource id, use its canonical `app.*`
+resource type, and resolve a selected `herculesAuthUserId` with
+`getScopeMemberDirectoryEntry`; pass the returned `principalId` as the
+recipient. Do not trust a browser-supplied principal or scope/resource pair.
+
+Use `listGrantableRoles` for role pickers. It returns only roles the current
+actor may confer at the exact scope or resource target. Set `subjectType` to
+match the intended user or group recipient:
+
+```ts
+await ctx.runAction(api.accessUser.listGrantableRoles, {
+  scopeId,
+  subjectType: "user",
+  target: {
+    type: "resource",
+    resourceType: "app.documents",
+    resourceId: String(documentId),
+    appliesTo: "self",
+  },
+  idToken,
+});
+```
+
+Do not use `listScopeRoles` for a write picker. It is the complete mirrored
+catalog for administrators and may include roles the current actor cannot
+assign at that target. The write still reauthorizes after a picker result.
+
+Common public action calls:
+
+```ts
+await ctx.runAction(api.accessUser.replaceMemberRoles, {
+  scopeId,
+  herculesAuthUserId,
+  roleKeys: ["reviewer"],
+  idToken,
+});
+
+await ctx.runAction(api.accessUser.createInvitation, {
+  scopeId,
+  email,
+  roleKeys: ["member"],
+  idToken,
+});
+
+await ctx.runAction(api.accessUser.replaceResourceGrants, {
+  scopeId,
+  resourceType: "app.documents",
+  resourceId: String(documentId),
+  subjects: [{ principalId, grants: [{ roleKey: "reviewer" }] }],
+  idToken,
+});
+```
+
+### Give a resource creator its initial manager role
+
+When creating a resource should make its creator the resource manager, use
+`createResourceCreatorBootstrapAction`. It is deliberately narrower than a
+normal grant action:
+
+- the browser passes only the resource id;
+- trusted app data supplies the creator and scope;
+- the resource type, role, and descendant behavior are fixed in code;
+- the caller must still be an active member of the scope; and
+- an active resource is never bootstrapped again, so revoked access is not
+  silently restored.
+
+Create the app row as `provisioning`, record its creator with
+`getCurrentHerculesAuthUserId`, and exclude provisioning rows from normal
+queries. Then expose one action:
+
+```ts
+// convex/accessUser.ts
+"use node";
+
+import { createResourceCreatorBootstrapAction } from "@usehercules/convex/access-admin";
+import type { Id } from "./_generated/dataModel";
+import { internal } from "./_generated/api";
+import { authenticatedAction, listMyMemberships } from "./hercules";
+
+export const bootstrapProjectCreator =
+  createResourceCreatorBootstrapAction({
+    authenticatedAction,
+    resourceType: "app.projects",
+    managerRoleKey: "project_manager",
+    appliesTo: "self_and_descendants",
+    listMyMemberships,
+    getBootstrapTarget: async (ctx, { resourceId }) =>
+      await ctx.runQuery(internal.projects.getCreatorBootstrapTarget, {
+        projectId: resourceId as Id<"projects">,
+      }),
+    activateResource: async (
+      ctx,
+      { resourceId, creatorHerculesAuthUserId },
+    ) => {
+      await ctx.runMutation(internal.projects.activateCreatorBootstrap, {
+        projectId: resourceId as Id<"projects">,
+        creatorHerculesAuthUserId,
+      });
+    },
+  });
+```
+
+The internal query returns only `{ scopeId, resourceId,
+creatorHerculesAuthUserId, state }`. The activation mutation must re-read the
+row and require the same creator plus `state === "provisioning"` before
+changing it to `active`. If activation fails after the grant, retry the action;
+the managed grant write is idempotent.
+
+Do not accept a browser-supplied scope, role, resource type, or recipient, and
+do not expose a raw service-authority action. If every scope Admin should
+already manage every resource, skip creator bootstrap entirely: the built-in
+Admin role already covers ordinary `app.*` permissions.
+
+For a browser-selected user, resolve active scope membership before writing:
+
+```ts
+const recipient = await getScopeMemberDirectoryEntry(ctx, {
+  scopeId,
+  herculesAuthUserId,
+});
+if (!recipient) throw new Error("Active member not found");
+```
+
+Grant `app.members:read` to roles that may use a member-facing directory.
+Access-administration screens should use `listScopeMembers`, which requires
+`system.members:read`.
+
+Use `replaceMemberRoles` to atomically replace up to 500 direct scope roles for
+one member.
+Use `replaceResourceGrants` to atomically replace direct grants for each listed
+subject; `grants: []` clears that subject. Each request must include 1-100
+subjects and may involve at most 500 distinct existing or desired grants. Split
+larger edits by subjects, never by one subject's complete grant set.
+`createResourceGrant` requires one exact `resourceId`. For one grant, use its
+returned `grantId` or
+`listDirectSubjectsForResource`, then call `revokeResourceGrant`. Use
+`listResourceInvitations` and `revokeInvitation` for pending resource
+invitations. `setResourcePermissionRules` atomically applies a rule batch;
+`effect: "clear"` removes a listed rule.
+
+Create organization scopes with `createAccessScopeAction` or
+`createAccessScope`. The authenticated creator is sent as the scope Owner
+automatically; do not create a second self-grant.
+
+## Notes
+
+- Reads come from the local mirror, which lags the control plane by a short
+  projection-sync window after any change. Treat `undefined` query results and
+  a just-changed-but-not-yet-synced state as "loading", not "denied".
+- Run `hercules-convex-access-check convex` (the `./checker` export) in lint to
+  catch deterministic source patterns. It is static and does not prove runtime
+  role decisions or control-plane writes are authorized.
+- Before claiming completion, exercise at least one intended allow, one denied
+  operation, one cross-row or cross-scope isolation case, and each sensitive
+  field-redaction path with real non-Owner identities.

package/dist/_generated/component.d.ts

@@ -0,0 +1,184 @@
+/**
+ * Generated `ComponentApi` utility.
+ *
+ * THIS CODE MATCHES THE CONVEX-GENERATED COMPONENT API SHAPE.
+ *
+ * To regenerate, run `npx convex dev`.
+ * @module
+ */
+import type { FunctionReference } from "convex/server";
+import type { AccessProjectionSyncPayload, ScopeKind, SyncResponse } from "../shared/sync";
+type AuthorizationArgs = {
+    tokenIdentifier?: string;
+    scopeId?: string;
+    permission?: string;
+    resourceType?: string;
+    resourceId?: string;
+    ancestors?: AuthorizationAncestor[];
+};
+type AuthorizationAncestor = {
+    resourceType: string;
+    resourceId: string;
+};
+type AuthorizationDecision = {
+    allowed: boolean;
+    reasonCode: string;
+    explicitDeny: boolean;
+    sourceVersion?: number;
+    principalId?: string;
+    effectiveRoleIds: string[];
+};
+type ListMyMembershipsArgs = {
+    tokenIdentifier?: string;
+};
+type GetDeploymentEntryStatusArgs = {
+    tokenIdentifier?: string;
+};
+type ListMyRolesArgs = {
+    tokenIdentifier?: string;
+    scopeId: string;
+};
+type GetEffectivePermissionsArgs = {
+    tokenIdentifier?: string;
+    scopeId: string;
+    resourceType?: string;
+    resourceId?: string;
+    ancestors?: AuthorizationAncestor[];
+};
+type ListScopeArgs = {
+    tokenIdentifier?: string;
+    scopeId: string;
+};
+type ListScopeMemberDirectoryArgs = ListScopeArgs & {
+    cursor?: string;
+    limit?: number;
+};
+type ListDirectSubjectsArgs = {
+    tokenIdentifier?: string;
+    scopeId: string;
+    resourceType: string;
+    resourceId: string;
+    permission: string;
+};
+type RoleSummary = {
+    roleId: string;
+    roleKey: string;
+    roleName: string;
+    roleKind: "system" | "custom";
+};
+type ScopeMember = {
+    principalId: string;
+    type: "user" | "group";
+    herculesAuthUserId?: string;
+    status: "active" | "blocked" | "suspended" | "pending_approval" | "removed";
+    joinedAt: number;
+    name?: string;
+    email?: string;
+    image?: string;
+    roles: RoleSummary[];
+};
+type ScopeMemberDirectoryEntry = {
+    principalId: string;
+    herculesAuthUserId: string;
+    name: string;
+    email: string;
+    image?: string;
+    roleKeys: string[];
+};
+type ScopeMemberDirectoryPage = {
+    members: ScopeMemberDirectoryEntry[];
+    cursor?: string;
+};
+type ScopeRoleSummary = RoleSummary & {
+    shared: boolean;
+};
+type ScopePermissionSummary = {
+    permissionId: string;
+    key: string;
+    resourceType: string;
+    action: string;
+    classification: "delegable" | "owner_only";
+    tenantAssignable: boolean;
+};
+type DirectResourceSubject = {
+    grantId: string;
+    principalId: string;
+    type: "user" | "group";
+    herculesAuthUserId?: string;
+    status: "active" | "blocked" | "suspended" | "pending_approval" | "removed";
+    name?: string;
+    email?: string;
+    image?: string;
+    effect: "allow" | "deny";
+    appliesTo: "self" | "self_and_descendants";
+    expiresAt?: number;
+    roleId?: string;
+    roleKey?: string;
+    roleName?: string;
+    permissionId?: string;
+    permissionKey?: string;
+};
+type Membership = {
+    scopeId: string;
+    scopeName: string;
+    kind: ScopeKind;
+    roles: RoleSummary[];
+    joinedAt: number;
+    status: "active" | "blocked" | "suspended" | "pending_approval" | "removed";
+};
+type DeploymentEntryStatus = {
+    kind: "principal";
+    principalId: string;
+    status: "active" | "blocked" | "suspended" | "pending_approval" | "removed";
+    stateVersion: number;
+} | {
+    kind: "fallback";
+    reason: "identity_missing" | "identity_invalid" | "unexpected_issuer" | "mirror_not_ready" | "default_scope_missing" | "principal_missing";
+    stateVersion?: number;
+};
+type EffectivePermissionsResult = {
+    allowed: boolean;
+    reasonCode: string;
+    sourceVersion?: number;
+    scopeId?: string;
+    principalId?: string;
+    effectiveRoleIds: string[];
+    wildcard: "none" | "immutable" | "default";
+    permissions: string[];
+};
+/**
+ * A utility for referencing the Hercules Access Control component's exposed API.
+ *
+ * Useful when expecting a parameter like `components.hercules`.
+ */
+export type ComponentApi<Name extends string | undefined = string | undefined> = {
+    checks: {
+        authorize: FunctionReference<"query", "public", AuthorizationArgs, AuthorizationDecision, Name>;
+        authorizeMany: FunctionReference<"query", "public", {
+            tokenIdentifier?: string;
+            checks: Array<Omit<AuthorizationArgs, "tokenIdentifier"> & {
+                permission: string;
+            }>;
+        }, AuthorizationDecision[], Name>;
+    };
+    queries: {
+        getDeploymentEntryStatus: FunctionReference<"query", "public", GetDeploymentEntryStatusArgs, DeploymentEntryStatus, Name>;
+        listMyMemberships: FunctionReference<"query", "public", ListMyMembershipsArgs, Membership[], Name>;
+        listMyRoles: FunctionReference<"query", "public", ListMyRolesArgs, RoleSummary[], Name>;
+        getEffectivePermissions: FunctionReference<"query", "public", GetEffectivePermissionsArgs, EffectivePermissionsResult, Name>;
+        listScopeMemberDirectory: FunctionReference<"query", "public", ListScopeMemberDirectoryArgs, ScopeMemberDirectoryPage, Name>;
+        getScopeMemberDirectoryEntry: FunctionReference<"query", "public", ListScopeArgs & {
+            principalId?: string;
+            herculesAuthUserId?: string;
+        }, ScopeMemberDirectoryEntry | null, Name>;
+        listScopeMembers: FunctionReference<"query", "public", ListScopeArgs, ScopeMember[], Name>;
+        listScopeRoles: FunctionReference<"query", "public", ListScopeArgs, ScopeRoleSummary[], Name>;
+        listScopePermissions: FunctionReference<"query", "public", ListScopeArgs, ScopePermissionSummary[], Name>;
+        listDirectSubjectsForResource: FunctionReference<"query", "public", ListDirectSubjectsArgs, DirectResourceSubject[], Name>;
+    };
+    sync: {
+        applySync: FunctionReference<"mutation", "public", AccessProjectionSyncPayload, SyncResponse, Name>;
+    };
+};
+export {};
+//# sourceMappingURL=component.d.ts.map

package/dist/_generated/component.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"component.d.ts","sourceRoot":"","sources":["../../src/_generated/component.ts"],"names":[],"mappings":"AACA;;;;;;;GAOG;AAEH,OAAO,KAAK,EAAE,iBAAiB,EAAE,MAAM,eAAe,CAAC;AACvD,OAAO,KAAK,EAAE,2BAA2B,EAAE,SAAS,EAAE,YAAY,EAAE,MAAM,gBAAgB,CAAC;AAE3F,KAAK,iBAAiB,GAAG;IACvB,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,UAAU,CAAC,EAAE,MAAM,CAAC;IAIpB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,CAAC,EAAE,qBAAqB,EAAE,CAAC;CACrC,CAAC;AAEF,KAAK,qBAAqB,GAAG;IAC3B,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;CACpB,CAAC;AAEF,KAAK,qBAAqB,GAAG;IAC3B,OAAO,EAAE,OAAO,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,YAAY,EAAE,OAAO,CAAC;IACtB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,gBAAgB,EAAE,MAAM,EAAE,CAAC;CAC5B,CAAC;AAEF,KAAK,qBAAqB,GAAG;IAAE,eAAe,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC;AAC1D,KAAK,4BAA4B,GAAG;IAAE,eAAe,CAAC,EAAE,MAAM,CAAA;CAAE,CAAC;AACjE,KAAK,eAAe,GAAG;IAAE,eAAe,CAAC,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AACrE,KAAK,2BAA2B,GAAG;IACjC,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,OAAO,EAAE,MAAM,CAAC;IAChB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,SAAS,CAAC,EAAE,qBAAqB,EAAE,CAAC;CACrC,CAAC;AACF,KAAK,aAAa,GAAG;IAAE,eAAe,CAAC,EAAE,MAAM,CAAC;IAAC,OAAO,EAAE,MAAM,CAAA;CAAE,CAAC;AACnE,KAAK,4BAA4B,GAAG,aAAa,GAAG;IAClD,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC;AACF,KAAK,sBAAsB,GAAG;IAC5B,eAAe,CAAC,EAAE,MAAM,CAAC;IACzB,OAAO,EAAE,MAAM,CAAC;IAChB,YAAY,EAAE,MAAM,CAAC;IACrB,UAAU,EAAE,MAAM,CAAC;IACnB,UAAU,EAAE,MAAM,CAAC;CACpB,CAAC;AAEF,KAAK,WAAW,GAAG;IACjB,MAAM,EAAE,MAAM,CAAC;IACf,OAAO,EAAE,MAAM,CAAC;IAChB,QAAQ,EAAE,MAAM,CAAC;IACjB,QAAQ,EAAE,QAAQ,GAAG,QAAQ,CAAC;CAC/B,CAAC;AAEF,KAAK,WAAW,GAAG;IACjB,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC;IACvB,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,MAAM,EAAE,QAAQ,GAAG,SAAS,GAAG,WAAW,GAAG,kBAAkB,GAAG,SAAS,CAAC;IAC5E,QAAQ,EAAE,MAAM,CAAC;IACjB,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,EAAE,WAAW,EAAE,CAAC;CACtB,CAAC;AAEF,KAAK,yBAAyB,GAAG;IAC/B,WAAW,EAAE,MAAM,CAAC;IACpB,kBAAkB,EAAE,MAAM,CAAC;IAC3B,IAAI,EAAE,MAAM,CAAC;IACb,KAAK,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,QAAQ,EAAE,MAAM,EAAE,CAAC;CACpB,CAAC;AAEF,KAAK,wBAAwB,GAAG;IAC9B,OAAO,EAAE,yBAAyB,EAAE,CAAC;IACrC,MAAM,CAAC,EAAE,MAAM,CAAC;CACjB,CAAC;AAEF,KAAK,gBAAgB,GAAG,WAAW,GAAG;IAAE,MAAM,EAAE,OAAO,CAAA;CAAE,CAAC;AAE1D,KAAK,sBAAsB,GAAG;IAC5B,YAAY,EAAE,MAAM,CAAC;IACrB,GAAG,EAAE,MAAM,CAAC;IACZ,YAAY,EAAE,MAAM,CAAC;IACrB,MAAM,EAAE,MAAM,CAAC;IACf,cAAc,EAAE,WAAW,GAAG,YAAY,CAAC;IAC3C,gBAAgB,EAAE,OAAO,CAAC;CAC3B,CAAC;AAEF,KAAK,qBAAqB,GAAG;IAC3B,OAAO,EAAE,MAAM,CAAC;IAChB,WAAW,EAAE,MAAM,CAAC;IACpB,IAAI,EAAE,MAAM,GAAG,OAAO,CAAC;IACvB,kBAAkB,CAAC,EAAE,MAAM,CAAC;IAC5B,MAAM,EAAE,QAAQ,GAAG,SAAS,GAAG,WAAW,GAAG,kBAAkB,GAAG,SAAS,CAAC;IAC5E,IAAI,CAAC,EAAE,MAAM,CAAC;IACd,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,KAAK,CAAC,EAAE,MAAM,CAAC;IACf,MAAM,EAAE,OAAO,GAAG,MAAM,CAAC;IACzB,SAAS,EAAE,MAAM,GAAG,sBAAsB,CAAC;IAC3C,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,QAAQ,CAAC,EAAE,MAAM,CAAC;IAClB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,aAAa,CAAC,EAAE,MAAM,CAAC;CACxB,CAAC;AAEF,KAAK,UAAU,GAAG;IAChB,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;IAClB,IAAI,EAAE,SAAS,CAAC;IAChB,KAAK,EAAE,WAAW,EAAE,CAAC;IACrB,QAAQ,EAAE,MAAM,CAAC;IACjB,MAAM,EAAE,QAAQ,GAAG,SAAS,GAAG,WAAW,GAAG,kBAAkB,GAAG,SAAS,CAAC;CAC7E,CAAC;AAEF,KAAK,qBAAqB,GACtB;IACE,IAAI,EAAE,WAAW,CAAC;IAClB,WAAW,EAAE,MAAM,CAAC;IACpB,MAAM,EAAE,QAAQ,GAAG,SAAS,GAAG,WAAW,GAAG,kBAAkB,GAAG,SAAS,CAAC;IAC5E,YAAY,EAAE,MAAM,CAAC;CACtB,GACD;IACE,IAAI,EAAE,UAAU,CAAC;IACjB,MAAM,EACF,kBAAkB,GAClB,kBAAkB,GAClB,mBAAmB,GACnB,kBAAkB,GAClB,uBAAuB,GACvB,mBAAmB,CAAC;IACxB,YAAY,CAAC,EAAE,MAAM,CAAC;CACvB,CAAC;AAEN,KAAK,0BAA0B,GAAG;IAChC,OAAO,EAAE,OAAO,CAAC;IACjB,UAAU,EAAE,MAAM,CAAC;IACnB,aAAa,CAAC,EAAE,MAAM,CAAC;IACvB,OAAO,CAAC,EAAE,MAAM,CAAC;IACjB,WAAW,CAAC,EAAE,MAAM,CAAC;IACrB,gBAAgB,EAAE,MAAM,EAAE,CAAC;IAK3B,QAAQ,EAAE,MAAM,GAAG,WAAW,GAAG,SAAS,CAAC;IAC3C,WAAW,EAAE,MAAM,EAAE,CAAC;CACvB,CAAC;AAEF;;;;GAIG;AACH,MAAM,MAAM,YAAY,CAAC,IAAI,SAAS,MAAM,GAAG,SAAS,GAAG,MAAM,GAAG,SAAS,IAAI;IAC/E,MAAM,EAAE;QACN,SAAS,EAAE,iBAAiB,CAAC,OAAO,EAAE,QAAQ,EAAE,iBAAiB,EAAE,qBAAqB,EAAE,IAAI,CAAC,CAAC;QAChG,aAAa,EAAE,iBAAiB,CAC9B,OAAO,EACP,QAAQ,EACR;YACE,eAAe,CAAC,EAAE,MAAM,CAAC;YACzB,MAAM,EAAE,KAAK,CAAC,IAAI,CAAC,iBAAiB,EAAE,iBAAiB,CAAC,GAAG;gBAAE,UAAU,EAAE,MAAM,CAAA;aAAE,CAAC,CAAC;SACpF,EACD,qBAAqB,EAAE,EACvB,IAAI,CACL,CAAC;KACH,CAAC;IACF,OAAO,EAAE;QACP,wBAAwB,EAAE,iBAAiB,CACzC,OAAO,EACP,QAAQ,EACR,4BAA4B,EAC5B,qBAAqB,EACrB,IAAI,CACL,CAAC;QACF,iBAAiB,EAAE,iBAAiB,CAClC,OAAO,EACP,QAAQ,EACR,qBAAqB,EACrB,UAAU,EAAE,EACZ,IAAI,CACL,CAAC;QACF,WAAW,EAAE,iBAAiB,CAAC,OAAO,EAAE,QAAQ,EAAE,eAAe,EAAE,WAAW,EAAE,EAAE,IAAI,CAAC,CAAC;QACxF,uBAAuB,EAAE,iBAAiB,CACxC,OAAO,EACP,QAAQ,EACR,2BAA2B,EAC3B,0BAA0B,EAC1B,IAAI,CACL,CAAC;QACF,wBAAwB,EAAE,iBAAiB,CACzC,OAAO,EACP,QAAQ,EACR,4BAA4B,EAC5B,wBAAwB,EACxB,IAAI,CACL,CAAC;QACF,4BAA4B,EAAE,iBAAiB,CAC7C,OAAO,EACP,QAAQ,EACR,aAAa,GAAG;YAAE,WAAW,CAAC,EAAE,MAAM,CAAC;YAAC,kBAAkB,CAAC,EAAE,MAAM,CAAA;SAAE,EACrE,yBAAyB,GAAG,IAAI,EAChC,IAAI,CACL,CAAC;QACF,gBAAgB,EAAE,iBAAiB,CAAC,OAAO,EAAE,QAAQ,EAAE,aAAa,EAAE,WAAW,EAAE,EAAE,IAAI,CAAC,CAAC;QAC3F,cAAc,EAAE,iBAAiB,CAAC,OAAO,EAAE,QAAQ,EAAE,aAAa,EAAE,gBAAgB,EAAE,EAAE,IAAI,CAAC,CAAC;QAC9F,oBAAoB,EAAE,iBAAiB,CACrC,OAAO,EACP,QAAQ,EACR,aAAa,EACb,sBAAsB,EAAE,EACxB,IAAI,CACL,CAAC;QACF,6BAA6B,EAAE,iBAAiB,CAC9C,OAAO,EACP,QAAQ,EACR,sBAAsB,EACtB,qBAAqB,EAAE,EACvB,IAAI,CACL,CAAC;KACH,CAAC;IACF,IAAI,EAAE;QACJ,SAAS,EAAE,iBAAiB,CAC1B,UAAU,EACV,QAAQ,EACR,2BAA2B,EAC3B,YAAY,EACZ,IAAI,CACL,CAAC;KACH,CAAC;CACH,CAAC"}