@usehercules/convex 0.0.0

package/dist/component/schema.d.ts

@@ -0,0 +1,258 @@
+declare const _default: import("convex/server").SchemaDefinition<{
+    sync_state: import("convex/server").TableDefinition<import("convex/values").VObject<{
+        lastEventId?: string | undefined;
+        lastError?: string | undefined;
+        sourceVersion: number;
+        expectedIssuer: string;
+        lastSyncedAt: number;
+    }, {
+        sourceVersion: import("convex/values").VFloat64<number, "required">;
+        expectedIssuer: import("convex/values").VString<string, "required">;
+        lastEventId: import("convex/values").VString<string | undefined, "optional">;
+        lastSyncedAt: import("convex/values").VFloat64<number, "required">;
+        lastError: import("convex/values").VString<string | undefined, "optional">;
+    }, "required", "sourceVersion" | "expectedIssuer" | "lastEventId" | "lastSyncedAt" | "lastError">, {}, {}, {}>;
+    users: import("convex/server").TableDefinition<import("convex/values").VObject<{
+        image?: string | undefined;
+        phone?: string | undefined;
+        herculesAuthUserId: string;
+        name: string;
+        email: string;
+        emailVerified: boolean;
+        phoneVerified: boolean;
+        updatedAt: number;
+    }, {
+        herculesAuthUserId: import("convex/values").VString<string, "required">;
+        name: import("convex/values").VString<string, "required">;
+        email: import("convex/values").VString<string, "required">;
+        emailVerified: import("convex/values").VBoolean<boolean, "required">;
+        image: import("convex/values").VString<string | undefined, "optional">;
+        phone: import("convex/values").VString<string | undefined, "optional">;
+        phoneVerified: import("convex/values").VBoolean<boolean, "required">;
+        updatedAt: import("convex/values").VFloat64<number, "required">;
+    }, "required", "herculesAuthUserId" | "name" | "email" | "emailVerified" | "image" | "phone" | "phoneVerified" | "updatedAt">, {
+        by_auth_user_id: ["herculesAuthUserId", "_creationTime"];
+    }, {}, {}>;
+    scopes: import("convex/server").TableDefinition<import("convex/values").VObject<{
+        name: string;
+        updatedAt: number;
+        accessScopeId: string;
+        kind: "default" | "org" | "suite";
+        status: "active" | "disabled";
+        accountEntryMode: "open" | "allowlisted_only" | "invite_only" | "approval_required";
+        defaultRoleId: string;
+    }, {
+        accessScopeId: import("convex/values").VString<string, "required">;
+        name: import("convex/values").VString<string, "required">;
+        kind: import("convex/values").VUnion<"default" | "org" | "suite", [import("convex/values").VLiteral<"default", "required">, import("convex/values").VLiteral<"org", "required">, import("convex/values").VLiteral<"suite", "required">], "required", never>;
+        status: import("convex/values").VUnion<"active" | "disabled", [import("convex/values").VLiteral<"active", "required">, import("convex/values").VLiteral<"disabled", "required">], "required", never>;
+        accountEntryMode: import("convex/values").VUnion<"open" | "allowlisted_only" | "invite_only" | "approval_required", [import("convex/values").VLiteral<"open", "required">, import("convex/values").VLiteral<"allowlisted_only", "required">, import("convex/values").VLiteral<"invite_only", "required">, import("convex/values").VLiteral<"approval_required", "required">], "required", never>;
+        defaultRoleId: import("convex/values").VString<string, "required">;
+        updatedAt: import("convex/values").VFloat64<number, "required">;
+    }, "required", "name" | "updatedAt" | "accessScopeId" | "kind" | "status" | "accountEntryMode" | "defaultRoleId">, {
+        by_scope_id: ["accessScopeId", "_creationTime"];
+        by_kind: ["kind", "_creationTime"];
+    }, {}, {}>;
+    organizations: import("convex/server").TableDefinition<import("convex/values").VObject<{
+        name: string;
+        updatedAt: number;
+        accessScopeId: string;
+        status: "active" | "disabled";
+        accountEntryMode: "open" | "allowlisted_only" | "invite_only" | "approval_required";
+    }, {
+        accessScopeId: import("convex/values").VString<string, "required">;
+        name: import("convex/values").VString<string, "required">;
+        status: import("convex/values").VUnion<"active" | "disabled", [import("convex/values").VLiteral<"active", "required">, import("convex/values").VLiteral<"disabled", "required">], "required", never>;
+        accountEntryMode: import("convex/values").VUnion<"open" | "allowlisted_only" | "invite_only" | "approval_required", [import("convex/values").VLiteral<"open", "required">, import("convex/values").VLiteral<"allowlisted_only", "required">, import("convex/values").VLiteral<"invite_only", "required">, import("convex/values").VLiteral<"approval_required", "required">], "required", never>;
+        updatedAt: import("convex/values").VFloat64<number, "required">;
+    }, "required", "name" | "updatedAt" | "accessScopeId" | "status" | "accountEntryMode">, {
+        by_scope_id: ["accessScopeId", "_creationTime"];
+    }, {}, {}>;
+    principals: import("convex/server").TableDefinition<import("convex/values").VObject<{
+        herculesAuthUserId?: string | undefined;
+        name?: string | undefined;
+        type: "user" | "group";
+        updatedAt: number;
+        accessScopeId: string;
+        status: "active" | "blocked" | "suspended" | "pending_approval" | "removed";
+        principalId: string;
+        joinedAt: number;
+    }, {
+        accessScopeId: import("convex/values").VString<string, "required">;
+        principalId: import("convex/values").VString<string, "required">;
+        type: import("convex/values").VUnion<"user" | "group", [import("convex/values").VLiteral<"user", "required">, import("convex/values").VLiteral<"group", "required">], "required", never>;
+        herculesAuthUserId: import("convex/values").VString<string | undefined, "optional">;
+        name: import("convex/values").VString<string | undefined, "optional">;
+        status: import("convex/values").VUnion<"active" | "blocked" | "suspended" | "pending_approval" | "removed", [import("convex/values").VLiteral<"active", "required">, import("convex/values").VLiteral<"blocked", "required">, import("convex/values").VLiteral<"suspended", "required">, import("convex/values").VLiteral<"pending_approval", "required">, import("convex/values").VLiteral<"removed", "required">], "required", never>;
+        joinedAt: import("convex/values").VFloat64<number, "required">;
+        updatedAt: import("convex/values").VFloat64<number, "required">;
+    }, "required", "type" | "herculesAuthUserId" | "name" | "updatedAt" | "accessScopeId" | "status" | "principalId" | "joinedAt">, {
+        by_principal_id: ["principalId", "_creationTime"];
+        by_scope: ["accessScopeId", "_creationTime"];
+        by_scope_auth_user: ["accessScopeId", "herculesAuthUserId", "_creationTime"];
+        by_auth_user: ["herculesAuthUserId", "_creationTime"];
+        by_scope_type: ["accessScopeId", "type", "_creationTime"];
+        by_scope_status: ["accessScopeId", "status", "_creationTime"];
+        by_scope_status_type: ["accessScopeId", "status", "type", "_creationTime"];
+    }, {}, {}>;
+    principal_memberships: import("convex/server").TableDefinition<import("convex/values").VObject<{
+        updatedAt: number;
+        accessScopeId: string;
+        groupPrincipalId: string;
+        memberPrincipalId: string;
+    }, {
+        accessScopeId: import("convex/values").VString<string, "required">;
+        groupPrincipalId: import("convex/values").VString<string, "required">;
+        memberPrincipalId: import("convex/values").VString<string, "required">;
+        updatedAt: import("convex/values").VFloat64<number, "required">;
+    }, "required", "updatedAt" | "accessScopeId" | "groupPrincipalId" | "memberPrincipalId">, {
+        by_scope: ["accessScopeId", "_creationTime"];
+        by_group: ["accessScopeId", "groupPrincipalId", "_creationTime"];
+        by_member: ["accessScopeId", "memberPrincipalId", "_creationTime"];
+        by_group_member: ["accessScopeId", "groupPrincipalId", "memberPrincipalId", "_creationTime"];
+    }, {}, {}>;
+    roles: import("convex/server").TableDefinition<import("convex/values").VObject<{
+        accessScopeId?: string | undefined;
+        name: string;
+        updatedAt: number;
+        roleId: string;
+        key: string;
+        source: "system" | "iam" | "tenant";
+        baseWildcard: "none" | "immutable" | "default";
+    }, {
+        roleId: import("convex/values").VString<string, "required">;
+        key: import("convex/values").VString<string, "required">;
+        source: import("convex/values").VUnion<"system" | "iam" | "tenant", [import("convex/values").VLiteral<"system", "required">, import("convex/values").VLiteral<"iam", "required">, import("convex/values").VLiteral<"tenant", "required">], "required", never>;
+        name: import("convex/values").VString<string, "required">;
+        baseWildcard: import("convex/values").VUnion<"none" | "immutable" | "default", [import("convex/values").VLiteral<"none", "required">, import("convex/values").VLiteral<"immutable", "required">, import("convex/values").VLiteral<"default", "required">], "required", never>;
+        accessScopeId: import("convex/values").VString<string | undefined, "optional">;
+        updatedAt: import("convex/values").VFloat64<number, "required">;
+    }, "required", "name" | "updatedAt" | "roleId" | "key" | "source" | "baseWildcard" | "accessScopeId">, {
+        by_role_id: ["roleId", "_creationTime"];
+        by_scope: ["accessScopeId", "_creationTime"];
+        by_scope_key: ["accessScopeId", "key", "_creationTime"];
+        by_source: ["source", "_creationTime"];
+    }, {}, {}>;
+    permissions: import("convex/server").TableDefinition<import("convex/values").VObject<{
+        updatedAt: number;
+        key: string;
+        permissionId: string;
+        resourceType: string;
+        action: string;
+        classification: "delegable" | "owner_only";
+        tenantAssignable: boolean;
+        accessScopeId: string;
+    }, {
+        accessScopeId: import("convex/values").VString<string, "required">;
+        permissionId: import("convex/values").VString<string, "required">;
+        key: import("convex/values").VString<string, "required">;
+        resourceType: import("convex/values").VString<string, "required">;
+        action: import("convex/values").VString<string, "required">;
+        classification: import("convex/values").VUnion<"delegable" | "owner_only", [import("convex/values").VLiteral<"delegable", "required">, import("convex/values").VLiteral<"owner_only", "required">], "required", never>;
+        tenantAssignable: import("convex/values").VBoolean<boolean, "required">;
+        updatedAt: import("convex/values").VFloat64<number, "required">;
+    }, "required", "updatedAt" | "key" | "permissionId" | "resourceType" | "action" | "classification" | "tenantAssignable" | "accessScopeId">, {
+        by_permission_id: ["permissionId", "_creationTime"];
+        by_scope: ["accessScopeId", "_creationTime"];
+        by_scope_key: ["accessScopeId", "key", "_creationTime"];
+        by_scope_resource_action: ["accessScopeId", "resourceType", "action", "_creationTime"];
+    }, {}, {}>;
+    role_permissions: import("convex/server").TableDefinition<import("convex/values").VObject<{
+        updatedAt: number;
+        roleId: string;
+        permissionId: string;
+        effect: "allow" | "deny";
+    }, {
+        roleId: import("convex/values").VString<string, "required">;
+        permissionId: import("convex/values").VString<string, "required">;
+        effect: import("convex/values").VUnion<"allow" | "deny", [import("convex/values").VLiteral<"allow", "required">, import("convex/values").VLiteral<"deny", "required">], "required", never>;
+        updatedAt: import("convex/values").VFloat64<number, "required">;
+    }, "required", "updatedAt" | "roleId" | "permissionId" | "effect">, {
+        by_role: ["roleId", "_creationTime"];
+        by_permission: ["permissionId", "_creationTime"];
+        by_role_permission: ["roleId", "permissionId", "_creationTime"];
+    }, {}, {}>;
+    role_permission_overrides: import("convex/server").TableDefinition<import("convex/values").VObject<{
+        updatedAt: number;
+        roleId: string;
+        permissionId: string;
+        effect: "allow" | "deny";
+        accessScopeId: string;
+    }, {
+        accessScopeId: import("convex/values").VString<string, "required">;
+        roleId: import("convex/values").VString<string, "required">;
+        permissionId: import("convex/values").VString<string, "required">;
+        effect: import("convex/values").VUnion<"allow" | "deny", [import("convex/values").VLiteral<"allow", "required">, import("convex/values").VLiteral<"deny", "required">], "required", never>;
+        updatedAt: import("convex/values").VFloat64<number, "required">;
+    }, "required", "updatedAt" | "roleId" | "permissionId" | "effect" | "accessScopeId">, {
+        by_scope: ["accessScopeId", "_creationTime"];
+        by_scope_role: ["accessScopeId", "roleId", "_creationTime"];
+        by_permission: ["permissionId", "_creationTime"];
+        by_role: ["roleId", "_creationTime"];
+        by_scope_role_permission: ["accessScopeId", "roleId", "permissionId", "_creationTime"];
+    }, {}, {}>;
+    role_bindings: import("convex/server").TableDefinition<import("convex/values").VObject<{
+        resourceType?: string | undefined;
+        resourceId?: string | undefined;
+        expiresAt?: number | undefined;
+        updatedAt: number;
+        roleId: string;
+        accessScopeId: string;
+        bindingId: string;
+        subjectPrincipalId: string;
+        appliesTo: "self" | "self_and_descendants";
+    }, {
+        bindingId: import("convex/values").VString<string, "required">;
+        subjectPrincipalId: import("convex/values").VString<string, "required">;
+        roleId: import("convex/values").VString<string, "required">;
+        accessScopeId: import("convex/values").VString<string, "required">;
+        resourceType: import("convex/values").VString<string | undefined, "optional">;
+        resourceId: import("convex/values").VString<string | undefined, "optional">;
+        appliesTo: import("convex/values").VUnion<"self" | "self_and_descendants", [import("convex/values").VLiteral<"self", "required">, import("convex/values").VLiteral<"self_and_descendants", "required">], "required", never>;
+        expiresAt: import("convex/values").VFloat64<number | undefined, "optional">;
+        updatedAt: import("convex/values").VFloat64<number, "required">;
+    }, "required", "updatedAt" | "roleId" | "resourceType" | "accessScopeId" | "bindingId" | "subjectPrincipalId" | "resourceId" | "appliesTo" | "expiresAt">, {
+        by_binding_id: ["bindingId", "_creationTime"];
+        by_scope: ["accessScopeId", "_creationTime"];
+        by_subject_scope_resource: ["subjectPrincipalId", "accessScopeId", "resourceType", "resourceId", "_creationTime"];
+        by_scope_resource: ["accessScopeId", "resourceType", "resourceId", "_creationTime"];
+        by_role: ["roleId", "_creationTime"];
+        by_subject_principal: ["subjectPrincipalId", "_creationTime"];
+    }, {}, {}>;
+    permission_bindings: import("convex/server").TableDefinition<import("convex/values").VObject<{
+        resourceType?: string | undefined;
+        subjectPrincipalId?: string | undefined;
+        resourceId?: string | undefined;
+        expiresAt?: number | undefined;
+        subjectRoleId?: string | undefined;
+        updatedAt: number;
+        permissionId: string;
+        effect: "allow" | "deny";
+        accessScopeId: string;
+        bindingId: string;
+        appliesTo: "self" | "self_and_descendants";
+    }, {
+        bindingId: import("convex/values").VString<string, "required">;
+        subjectPrincipalId: import("convex/values").VString<string | undefined, "optional">;
+        subjectRoleId: import("convex/values").VString<string | undefined, "optional">;
+        permissionId: import("convex/values").VString<string, "required">;
+        effect: import("convex/values").VUnion<"allow" | "deny", [import("convex/values").VLiteral<"allow", "required">, import("convex/values").VLiteral<"deny", "required">], "required", never>;
+        accessScopeId: import("convex/values").VString<string, "required">;
+        resourceType: import("convex/values").VString<string | undefined, "optional">;
+        resourceId: import("convex/values").VString<string | undefined, "optional">;
+        appliesTo: import("convex/values").VUnion<"self" | "self_and_descendants", [import("convex/values").VLiteral<"self", "required">, import("convex/values").VLiteral<"self_and_descendants", "required">], "required", never>;
+        expiresAt: import("convex/values").VFloat64<number | undefined, "optional">;
+        updatedAt: import("convex/values").VFloat64<number, "required">;
+    }, "required", "updatedAt" | "permissionId" | "resourceType" | "effect" | "accessScopeId" | "bindingId" | "subjectPrincipalId" | "resourceId" | "appliesTo" | "expiresAt" | "subjectRoleId">, {
+        by_binding_id: ["bindingId", "_creationTime"];
+        by_scope: ["accessScopeId", "_creationTime"];
+        by_subject_principal_scope_resource: ["subjectPrincipalId", "accessScopeId", "resourceType", "resourceId", "_creationTime"];
+        by_subject_role_scope_resource: ["subjectRoleId", "accessScopeId", "resourceType", "resourceId", "_creationTime"];
+        by_scope_resource: ["accessScopeId", "resourceType", "resourceId", "_creationTime"];
+        by_permission: ["permissionId", "_creationTime"];
+        by_subject_principal: ["subjectPrincipalId", "_creationTime"];
+        by_subject_role: ["subjectRoleId", "_creationTime"];
+    }, {}, {}>;
+}, true>;
+export default _default;
+//# sourceMappingURL=schema.d.ts.map

package/dist/component/schema.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"schema.d.ts","sourceRoot":"","sources":["../../src/component/schema.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAkCA,wBAsNG"}

package/dist/component/schema.js

@@ -0,0 +1,222 @@
+import { defineSchema, defineTable } from "convex/server";
+import { v } from "convex/values";
+// Access Control projection mirror — v3 deployment-scoped storage.
+//
+// The deployment-wide catalog (reusable roles, permissions, base role
+// permissions) and deployment-wide users are stored ONCE (never duplicated per
+// scope). Each scope owns its runtime state: principals, memberships, tenant
+// roles, per-scope role-permission overrides, role bindings, and permission
+// bindings. The old polymorphic `grants` table is split into `role_bindings`
+// (role membership) and `permission_bindings` (direct permission authority).
+const effectValidator = v.union(v.literal("allow"), v.literal("deny"));
+const bindingAppliesToValidator = v.union(v.literal("self"), v.literal("self_and_descendants"));
+const wildcardValidator = v.union(v.literal("none"), v.literal("immutable"), v.literal("default"));
+const scopeKindValidator = v.union(v.literal("default"), v.literal("org"), v.literal("suite"));
+const scopeStatusValidator = v.union(v.literal("active"), v.literal("disabled"));
+const accountEntryModeValidator = v.union(v.literal("open"), v.literal("allowlisted_only"), v.literal("invite_only"), v.literal("approval_required"));
+const principalStatusValidator = v.union(v.literal("active"), v.literal("blocked"), v.literal("suspended"), v.literal("pending_approval"), v.literal("removed"));
+export default defineSchema({
+    // Single-row version/ack state for the signed sync channel. PRESERVED from v2.
+    sync_state: defineTable({
+        sourceVersion: v.number(),
+        expectedIssuer: v.string(),
+        lastEventId: v.optional(v.string()),
+        lastSyncedAt: v.number(),
+        lastError: v.optional(v.string()),
+    }),
+    // Deployment-wide user identity/profile (ProjectionUser). Populated from the
+    // top-level `users[]` snapshot array / `users` event delta — NOT per scope.
+    users: defineTable({
+        herculesAuthUserId: v.string(),
+        name: v.string(),
+        email: v.string(),
+        emailVerified: v.boolean(),
+        image: v.optional(v.string()),
+        phone: v.optional(v.string()),
+        phoneVerified: v.boolean(),
+        updatedAt: v.number(),
+    }).index("by_auth_user_id", ["herculesAuthUserId"]),
+    scopes: defineTable({
+        accessScopeId: v.string(),
+        name: v.string(),
+        kind: scopeKindValidator,
+        status: scopeStatusValidator,
+        accountEntryMode: accountEntryModeValidator,
+        defaultRoleId: v.string(),
+        updatedAt: v.number(),
+    })
+        .index("by_scope_id", ["accessScopeId"])
+        .index("by_kind", ["kind"]),
+    // Product-facing organization rows derived from org/suite scopes.
+    organizations: defineTable({
+        accessScopeId: v.string(),
+        name: v.string(),
+        status: scopeStatusValidator,
+        accountEntryMode: accountEntryModeValidator,
+        updatedAt: v.number(),
+    }).index("by_scope_id", ["accessScopeId"]),
+    principals: defineTable({
+        accessScopeId: v.string(),
+        principalId: v.string(),
+        type: v.union(v.literal("user"), v.literal("group")),
+        herculesAuthUserId: v.optional(v.string()),
+        // Display name for a `group` principal. A user principal's display name
+        // comes from the deployment-wide `users` table, never from this row.
+        name: v.optional(v.string()),
+        status: principalStatusValidator,
+        joinedAt: v.number(),
+        updatedAt: v.number(),
+    })
+        .index("by_principal_id", ["principalId"])
+        .index("by_scope", ["accessScopeId"])
+        .index("by_scope_auth_user", ["accessScopeId", "herculesAuthUserId"])
+        .index("by_auth_user", ["herculesAuthUserId"])
+        .index("by_scope_type", ["accessScopeId", "type"])
+        .index("by_scope_status", ["accessScopeId", "status"])
+        .index("by_scope_status_type", ["accessScopeId", "status", "type"]),
+    principal_memberships: defineTable({
+        accessScopeId: v.string(),
+        groupPrincipalId: v.string(),
+        memberPrincipalId: v.string(),
+        updatedAt: v.number(),
+    })
+        .index("by_scope", ["accessScopeId"])
+        .index("by_group", ["accessScopeId", "groupPrincipalId"])
+        .index("by_member", ["accessScopeId", "memberPrincipalId"])
+        .index("by_group_member", ["accessScopeId", "groupPrincipalId", "memberPrincipalId"]),
+    // Unified role table holding BOTH deployment-wide catalog roles (source
+    // system|iam, accessScopeId undefined) and per-scope tenant roles (source
+    // tenant, accessScopeId set). `baseWildcard` is the role's INTRINSIC wildcard
+    // mode (Owner=immutable, Admin=default, everything else=none). The EFFECTIVE
+    // wildcard is DERIVED per scope at evaluation time (base role-permissions
+    // UNION that scope's overrides) — never stored here.
+    roles: defineTable({
+        roleId: v.string(),
+        key: v.string(),
+        source: v.union(v.literal("system"), v.literal("iam"), v.literal("tenant")),
+        name: v.string(),
+        baseWildcard: wildcardValidator,
+        // Undefined for catalog (reusable) roles; the owning org/suite scope for
+        // tenant roles. Catalog roles are NEVER per-scope duplicated.
+        accessScopeId: v.optional(v.string()),
+        updatedAt: v.number(),
+    })
+        .index("by_role_id", ["roleId"])
+        .index("by_scope", ["accessScopeId"])
+        .index("by_scope_key", ["accessScopeId", "key"])
+        .index("by_source", ["source"]),
+    // Deployment-owned permission catalog (ProjectionCatalogPermission). Lives at
+    // the top level (no per-scope duplication). `accessScopeId` is retained and
+    // pinned to the default scope id so the existing default-scope lookups
+    // (by_scope / by_scope_key) keep working without re-plumbing every reader.
+    permissions: defineTable({
+        accessScopeId: v.string(),
+        permissionId: v.string(),
+        key: v.string(),
+        resourceType: v.string(),
+        action: v.string(),
+        classification: v.union(v.literal("delegable"), v.literal("owner_only")),
+        // tenantAssignable=false hides this permission from org-admin role editors.
+        tenantAssignable: v.boolean(),
+        updatedAt: v.number(),
+    })
+        .index("by_permission_id", ["permissionId"])
+        .index("by_scope", ["accessScopeId"])
+        .index("by_scope_key", ["accessScopeId", "key"])
+        .index("by_scope_resource_action", ["accessScopeId", "resourceType", "action"]),
+    // BASE role->permission map (deployment-wide; the catalog definition).
+    // Identity is (roleId, permissionId) — effect is MUTABLE and is NOT part of
+    // the identity (an allow<->deny flip is an upsert of the same row).
+    role_permissions: defineTable({
+        roleId: v.string(),
+        permissionId: v.string(),
+        effect: effectValidator,
+        updatedAt: v.number(),
+    })
+        .index("by_role", ["roleId"])
+        .index("by_permission", ["permissionId"])
+        .index("by_role_permission", ["roleId", "permissionId"]),
+    // One scope's override of a reusable role's base mapping. Identity is
+    // (accessScopeId, roleId, permissionId); effect is mutable (not in identity).
+    // Layered over the base map during evaluation.
+    role_permission_overrides: defineTable({
+        accessScopeId: v.string(),
+        roleId: v.string(),
+        permissionId: v.string(),
+        effect: effectValidator,
+        updatedAt: v.number(),
+    })
+        .index("by_scope", ["accessScopeId"])
+        .index("by_scope_role", ["accessScopeId", "roleId"])
+        .index("by_permission", ["permissionId"])
+        .index("by_role", ["roleId"])
+        .index("by_scope_role_permission", ["accessScopeId", "roleId", "permissionId"]),
+    // Role assigned to a principal (the role half of the old `grants`). The
+    // (resourceType, resourceId) target tuple replaces the old object addressing:
+    //   (undefined, undefined) = the scope, (type, undefined) = every resource of
+    //   a type, (type, id) = one exact resource.
+    role_bindings: defineTable({
+        bindingId: v.string(),
+        subjectPrincipalId: v.string(),
+        roleId: v.string(),
+        accessScopeId: v.string(),
+        resourceType: v.optional(v.string()),
+        resourceId: v.optional(v.string()),
+        appliesTo: bindingAppliesToValidator,
+        expiresAt: v.optional(v.number()),
+        updatedAt: v.number(),
+    })
+        .index("by_binding_id", ["bindingId"])
+        .index("by_scope", ["accessScopeId"])
+        // Scope-object role lookup (resourceType undefined): who has which role on a
+        // scope. Used by collectGrantContributions + collectPrincipalScopeRoles.
+        .index("by_subject_scope_resource", [
+        "subjectPrincipalId",
+        "accessScopeId",
+        "resourceType",
+        "resourceId",
+    ])
+        // Reverse: "who has a direct role binding on this resource" (membership UIs).
+        .index("by_scope_resource", ["accessScopeId", "resourceType", "resourceId"])
+        .index("by_role", ["roleId"])
+        .index("by_subject_principal", ["subjectPrincipalId"]),
+    // Direct permission authority (the direct-permission half of the old
+    // `grants`). Exactly one subject: subjectPrincipalId XOR subjectRoleId. Same
+    // nullable (resourceType, resourceId) target shape as role_bindings.
+    permission_bindings: defineTable({
+        bindingId: v.string(),
+        subjectPrincipalId: v.optional(v.string()),
+        subjectRoleId: v.optional(v.string()),
+        permissionId: v.string(),
+        effect: effectValidator,
+        accessScopeId: v.string(),
+        resourceType: v.optional(v.string()),
+        resourceId: v.optional(v.string()),
+        appliesTo: bindingAppliesToValidator,
+        expiresAt: v.optional(v.number()),
+        updatedAt: v.number(),
+    })
+        .index("by_binding_id", ["bindingId"])
+        .index("by_scope", ["accessScopeId"])
+        // Principal-subject scope/resource lookups.
+        .index("by_subject_principal_scope_resource", [
+        "subjectPrincipalId",
+        "accessScopeId",
+        "resourceType",
+        "resourceId",
+    ])
+        // Role-subject scope/resource lookups (a rule applying to every holder of a
+        // role).
+        .index("by_subject_role_scope_resource", [
+        "subjectRoleId",
+        "accessScopeId",
+        "resourceType",
+        "resourceId",
+    ])
+        // Reverse: "who has a direct permission binding on this resource".
+        .index("by_scope_resource", ["accessScopeId", "resourceType", "resourceId"])
+        .index("by_permission", ["permissionId"])
+        .index("by_subject_principal", ["subjectPrincipalId"])
+        .index("by_subject_role", ["subjectRoleId"]),
+});
+//# sourceMappingURL=schema.js.map

package/dist/component/schema.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"schema.js","sourceRoot":"","sources":["../../src/component/schema.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,YAAY,EAAE,WAAW,EAAE,MAAM,eAAe,CAAC;AAC1D,OAAO,EAAE,CAAC,EAAE,MAAM,eAAe,CAAC;AAElC,mEAAmE;AACnE,EAAE;AACF,sEAAsE;AACtE,+EAA+E;AAC/E,6EAA6E;AAC7E,4EAA4E;AAC5E,6EAA6E;AAC7E,6EAA6E;AAE7E,MAAM,eAAe,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC;AACvE,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CACvC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,EACjB,CAAC,CAAC,OAAO,CAAC,sBAAsB,CAAC,CAClC,CAAC;AACF,MAAM,iBAAiB,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC,CAAC,CAAC;AACnG,MAAM,kBAAkB,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC,CAAC;AAC/F,MAAM,oBAAoB,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC,UAAU,CAAC,CAAC,CAAC;AACjF,MAAM,yBAAyB,GAAG,CAAC,CAAC,KAAK,CACvC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,EACjB,CAAC,CAAC,OAAO,CAAC,kBAAkB,CAAC,EAC7B,CAAC,CAAC,OAAO,CAAC,aAAa,CAAC,EACxB,CAAC,CAAC,OAAO,CAAC,mBAAmB,CAAC,CAC/B,CAAC;AACF,MAAM,wBAAwB,GAAG,CAAC,CAAC,KAAK,CACtC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,EACnB,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC,EACpB,CAAC,CAAC,OAAO,CAAC,WAAW,CAAC,EACtB,CAAC,CAAC,OAAO,CAAC,kBAAkB,CAAC,EAC7B,CAAC,CAAC,OAAO,CAAC,SAAS,CAAC,CACrB,CAAC;AAEF,eAAe,YAAY,CAAC;IAC1B,+EAA+E;IAC/E,UAAU,EAAE,WAAW,CAAC;QACtB,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE;QACzB,cAAc,EAAE,CAAC,CAAC,MAAM,EAAE;QAC1B,WAAW,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QACnC,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE;QACxB,SAAS,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;KAClC,CAAC;IAEF,6EAA6E;IAC7E,4EAA4E;IAC5E,KAAK,EAAE,WAAW,CAAC;QACjB,kBAAkB,EAAE,CAAC,CAAC,MAAM,EAAE;QAC9B,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;QAChB,KAAK,EAAE,CAAC,CAAC,MAAM,EAAE;QACjB,aAAa,EAAE,CAAC,CAAC,OAAO,EAAE;QAC1B,KAAK,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QAC7B,KAAK,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QAC7B,aAAa,EAAE,CAAC,CAAC,OAAO,EAAE;QAC1B,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE;KACtB,CAAC,CAAC,KAAK,CAAC,iBAAiB,EAAE,CAAC,oBAAoB,CAAC,CAAC;IAEnD,MAAM,EAAE,WAAW,CAAC;QAClB,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE;QACzB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;QAChB,IAAI,EAAE,kBAAkB;QACxB,MAAM,EAAE,oBAAoB;QAC5B,gBAAgB,EAAE,yBAAyB;QAC3C,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE;QACzB,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE;KACtB,CAAC;SACC,KAAK,CAAC,aAAa,EAAE,CAAC,eAAe,CAAC,CAAC;SACvC,KAAK,CAAC,SAAS,EAAE,CAAC,MAAM,CAAC,CAAC;IAE7B,kEAAkE;IAClE,aAAa,EAAE,WAAW,CAAC;QACzB,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE;QACzB,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;QAChB,MAAM,EAAE,oBAAoB;QAC5B,gBAAgB,EAAE,yBAAyB;QAC3C,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE;KACtB,CAAC,CAAC,KAAK,CAAC,aAAa,EAAE,CAAC,eAAe,CAAC,CAAC;IAE1C,UAAU,EAAE,WAAW,CAAC;QACtB,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE;QACzB,WAAW,EAAE,CAAC,CAAC,MAAM,EAAE;QACvB,IAAI,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC,OAAO,CAAC,CAAC;QACpD,kBAAkB,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QAC1C,wEAAwE;QACxE,qEAAqE;QACrE,IAAI,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QAC5B,MAAM,EAAE,wBAAwB;QAChC,QAAQ,EAAE,CAAC,CAAC,MAAM,EAAE;QACpB,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE;KACtB,CAAC;SACC,KAAK,CAAC,iBAAiB,EAAE,CAAC,aAAa,CAAC,CAAC;SACzC,KAAK,CAAC,UAAU,EAAE,CAAC,eAAe,CAAC,CAAC;SACpC,KAAK,CAAC,oBAAoB,EAAE,CAAC,eAAe,EAAE,oBAAoB,CAAC,CAAC;SACpE,KAAK,CAAC,cAAc,EAAE,CAAC,oBAAoB,CAAC,CAAC;SAC7C,KAAK,CAAC,eAAe,EAAE,CAAC,eAAe,EAAE,MAAM,CAAC,CAAC;SACjD,KAAK,CAAC,iBAAiB,EAAE,CAAC,eAAe,EAAE,QAAQ,CAAC,CAAC;SACrD,KAAK,CAAC,sBAAsB,EAAE,CAAC,eAAe,EAAE,QAAQ,EAAE,MAAM,CAAC,CAAC;IAErE,qBAAqB,EAAE,WAAW,CAAC;QACjC,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE;QACzB,gBAAgB,EAAE,CAAC,CAAC,MAAM,EAAE;QAC5B,iBAAiB,EAAE,CAAC,CAAC,MAAM,EAAE;QAC7B,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE;KACtB,CAAC;SACC,KAAK,CAAC,UAAU,EAAE,CAAC,eAAe,CAAC,CAAC;SACpC,KAAK,CAAC,UAAU,EAAE,CAAC,eAAe,EAAE,kBAAkB,CAAC,CAAC;SACxD,KAAK,CAAC,WAAW,EAAE,CAAC,eAAe,EAAE,mBAAmB,CAAC,CAAC;SAC1D,KAAK,CAAC,iBAAiB,EAAE,CAAC,eAAe,EAAE,kBAAkB,EAAE,mBAAmB,CAAC,CAAC;IAEvF,wEAAwE;IACxE,0EAA0E;IAC1E,8EAA8E;IAC9E,6EAA6E;IAC7E,0EAA0E;IAC1E,qDAAqD;IACrD,KAAK,EAAE,WAAW,CAAC;QACjB,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE;QAClB,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE;QACf,MAAM,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QAC3E,IAAI,EAAE,CAAC,CAAC,MAAM,EAAE;QAChB,YAAY,EAAE,iBAAiB;QAC/B,yEAAyE;QACzE,8DAA8D;QAC9D,aAAa,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QACrC,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE;KACtB,CAAC;SACC,KAAK,CAAC,YAAY,EAAE,CAAC,QAAQ,CAAC,CAAC;SAC/B,KAAK,CAAC,UAAU,EAAE,CAAC,eAAe,CAAC,CAAC;SACpC,KAAK,CAAC,cAAc,EAAE,CAAC,eAAe,EAAE,KAAK,CAAC,CAAC;SAC/C,KAAK,CAAC,WAAW,EAAE,CAAC,QAAQ,CAAC,CAAC;IAEjC,8EAA8E;IAC9E,4EAA4E;IAC5E,uEAAuE;IACvE,2EAA2E;IAC3E,WAAW,EAAE,WAAW,CAAC;QACvB,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE;QACzB,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE;QACxB,GAAG,EAAE,CAAC,CAAC,MAAM,EAAE;QACf,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE;QACxB,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE;QAClB,cAAc,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,OAAO,CAAC,WAAW,CAAC,EAAE,CAAC,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;QACxE,4EAA4E;QAC5E,gBAAgB,EAAE,CAAC,CAAC,OAAO,EAAE;QAC7B,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE;KACtB,CAAC;SACC,KAAK,CAAC,kBAAkB,EAAE,CAAC,cAAc,CAAC,CAAC;SAC3C,KAAK,CAAC,UAAU,EAAE,CAAC,eAAe,CAAC,CAAC;SACpC,KAAK,CAAC,cAAc,EAAE,CAAC,eAAe,EAAE,KAAK,CAAC,CAAC;SAC/C,KAAK,CAAC,0BAA0B,EAAE,CAAC,eAAe,EAAE,cAAc,EAAE,QAAQ,CAAC,CAAC;IAEjF,uEAAuE;IACvE,4EAA4E;IAC5E,oEAAoE;IACpE,gBAAgB,EAAE,WAAW,CAAC;QAC5B,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE;QAClB,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE;QACxB,MAAM,EAAE,eAAe;QACvB,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE;KACtB,CAAC;SACC,KAAK,CAAC,SAAS,EAAE,CAAC,QAAQ,CAAC,CAAC;SAC5B,KAAK,CAAC,eAAe,EAAE,CAAC,cAAc,CAAC,CAAC;SACxC,KAAK,CAAC,oBAAoB,EAAE,CAAC,QAAQ,EAAE,cAAc,CAAC,CAAC;IAE1D,sEAAsE;IACtE,8EAA8E;IAC9E,+CAA+C;IAC/C,yBAAyB,EAAE,WAAW,CAAC;QACrC,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE;QACzB,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE;QAClB,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE;QACxB,MAAM,EAAE,eAAe;QACvB,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE;KACtB,CAAC;SACC,KAAK,CAAC,UAAU,EAAE,CAAC,eAAe,CAAC,CAAC;SACpC,KAAK,CAAC,eAAe,EAAE,CAAC,eAAe,EAAE,QAAQ,CAAC,CAAC;SACnD,KAAK,CAAC,eAAe,EAAE,CAAC,cAAc,CAAC,CAAC;SACxC,KAAK,CAAC,SAAS,EAAE,CAAC,QAAQ,CAAC,CAAC;SAC5B,KAAK,CAAC,0BAA0B,EAAE,CAAC,eAAe,EAAE,QAAQ,EAAE,cAAc,CAAC,CAAC;IAEjF,wEAAwE;IACxE,8EAA8E;IAC9E,8EAA8E;IAC9E,6CAA6C;IAC7C,aAAa,EAAE,WAAW,CAAC;QACzB,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE;QACrB,kBAAkB,EAAE,CAAC,CAAC,MAAM,EAAE;QAC9B,MAAM,EAAE,CAAC,CAAC,MAAM,EAAE;QAClB,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE;QACzB,YAAY,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QACpC,UAAU,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QAClC,SAAS,EAAE,yBAAyB;QACpC,SAAS,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QACjC,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE;KACtB,CAAC;SACC,KAAK,CAAC,eAAe,EAAE,CAAC,WAAW,CAAC,CAAC;SACrC,KAAK,CAAC,UAAU,EAAE,CAAC,eAAe,CAAC,CAAC;QACrC,6EAA6E;QAC7E,yEAAyE;SACxE,KAAK,CAAC,2BAA2B,EAAE;QAClC,oBAAoB;QACpB,eAAe;QACf,cAAc;QACd,YAAY;KACb,CAAC;QACF,8EAA8E;SAC7E,KAAK,CAAC,mBAAmB,EAAE,CAAC,eAAe,EAAE,cAAc,EAAE,YAAY,CAAC,CAAC;SAC3E,KAAK,CAAC,SAAS,EAAE,CAAC,QAAQ,CAAC,CAAC;SAC5B,KAAK,CAAC,sBAAsB,EAAE,CAAC,oBAAoB,CAAC,CAAC;IAExD,qEAAqE;IACrE,6EAA6E;IAC7E,qEAAqE;IACrE,mBAAmB,EAAE,WAAW,CAAC;QAC/B,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE;QACrB,kBAAkB,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QAC1C,aAAa,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QACrC,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE;QACxB,MAAM,EAAE,eAAe;QACvB,aAAa,EAAE,CAAC,CAAC,MAAM,EAAE;QACzB,YAAY,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QACpC,UAAU,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QAClC,SAAS,EAAE,yBAAyB;QACpC,SAAS,EAAE,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,MAAM,EAAE,CAAC;QACjC,SAAS,EAAE,CAAC,CAAC,MAAM,EAAE;KACtB,CAAC;SACC,KAAK,CAAC,eAAe,EAAE,CAAC,WAAW,CAAC,CAAC;SACrC,KAAK,CAAC,UAAU,EAAE,CAAC,eAAe,CAAC,CAAC;QACrC,4CAA4C;SAC3C,KAAK,CAAC,qCAAqC,EAAE;QAC5C,oBAAoB;QACpB,eAAe;QACf,cAAc;QACd,YAAY;KACb,CAAC;QACF,4EAA4E;QAC5E,SAAS;SACR,KAAK,CAAC,gCAAgC,EAAE;QACvC,eAAe;QACf,eAAe;QACf,cAAc;QACd,YAAY;KACb,CAAC;QACF,mEAAmE;SAClE,KAAK,CAAC,mBAAmB,EAAE,CAAC,eAAe,EAAE,cAAc,EAAE,YAAY,CAAC,CAAC;SAC3E,KAAK,CAAC,eAAe,EAAE,CAAC,cAAc,CAAC,CAAC;SACxC,KAAK,CAAC,sBAAsB,EAAE,CAAC,oBAAoB,CAAC,CAAC;SACrD,KAAK,CAAC,iBAAiB,EAAE,CAAC,eAAe,CAAC,CAAC;CAC/C,CAAC,CAAC"}

package/dist/component/sync.d.ts

@@ -0,0 +1,85 @@
+export declare const applySync: import("convex/server").RegisteredMutation<"public", {
+    mode?: "initialize" | "reset" | undefined;
+    expectedIssuer?: string | undefined;
+    catalog?: any;
+    users?: any;
+    scopes?: any[] | undefined;
+    type: "access.projection.snapshot" | "access.projection.event";
+    schemaVersion: number;
+    eventId: string;
+    sourceVersion: number;
+}, Promise<{
+    ok: false;
+    status: "unsupported_schema";
+    acknowledgedVersion?: undefined;
+    currentVersion?: undefined;
+    expectedVersion?: undefined;
+    receivedVersion?: undefined;
+} | {
+    ok: false;
+    status: "default_scope_required";
+    acknowledgedVersion?: undefined;
+    currentVersion?: undefined;
+    expectedVersion?: undefined;
+    receivedVersion?: undefined;
+} | {
+    ok: false;
+    status: "invalid_payload";
+    acknowledgedVersion?: undefined;
+    currentVersion?: undefined;
+    expectedVersion?: undefined;
+    receivedVersion?: undefined;
+} | {
+    ok: true;
+    status: "duplicate";
+    acknowledgedVersion: number;
+    currentVersion?: undefined;
+    expectedVersion?: undefined;
+    receivedVersion?: undefined;
+} | {
+    ok: false;
+    status: "not_ready";
+    currentVersion: number;
+    acknowledgedVersion?: undefined;
+    expectedVersion?: undefined;
+    receivedVersion?: undefined;
+} | {
+    ok: false;
+    status: "version_gap";
+    currentVersion: number;
+    expectedVersion: number;
+    receivedVersion: number;
+    acknowledgedVersion?: undefined;
+} | {
+    ok: false;
+    status: "reset_required";
+    currentVersion: number;
+    acknowledgedVersion?: undefined;
+    expectedVersion?: undefined;
+    receivedVersion?: undefined;
+} | {
+    ok: false;
+    status: "issuer_mismatch";
+    acknowledgedVersion?: undefined;
+    currentVersion?: undefined;
+    expectedVersion?: undefined;
+    receivedVersion?: undefined;
+} | {
+    ok: true;
+    status: "applied";
+    acknowledgedVersion: number;
+    currentVersion?: undefined;
+    expectedVersion?: undefined;
+    receivedVersion?: undefined;
+}>>;
+export declare const expireRoleBinding: import("convex/server").RegisteredMutation<"internal", {
+    updatedAt: number;
+    bindingId: string;
+    expiresAt: number;
+}, Promise<void>>;
+export declare const expirePermissionBinding: import("convex/server").RegisteredMutation<"internal", {
+    updatedAt: number;
+    bindingId: string;
+    expiresAt: number;
+}, Promise<void>>;
+//# sourceMappingURL=sync.d.ts.map

package/dist/component/sync.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"sync.d.ts","sourceRoot":"","sources":["../../src/component/sync.ts"],"names":[],"mappings":"AAqEA,eAAO,MAAM,SAAS;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAy4BpB,CAAC;AAEH,eAAO,MAAM,iBAAiB;;;;iBAgB5B,CAAC;AAEH,eAAO,MAAM,uBAAuB;;;;iBAgBlC,CAAC"}