@usehercules/convex 0.0.0

package/dist/client/access-admin.d.ts

@@ -0,0 +1,818 @@
+import type { ActionBuilder, GenericActionCtx, GenericDataModel } from "convex/server";
+import type { AccessDeploymentEntryMirrorResult, Membership, ScopeRoleSummary } from "./index";
+declare const DEFAULT_API_VERSION = "2025-12-09";
+type WriteResult = Record<string, unknown>;
+export type AccessBindingAppliesTo = "self" | "self_and_descendants";
+export type AccessResourceGrantWriteResult = {
+    accessScopeId: string;
+    grantId: string;
+    changed: boolean;
+    sourceVersion: number;
+    projectionIds: string[];
+};
+export type AccessResourceGrantsReplaceResult = {
+    accessScopeId: string;
+    resourceType: string;
+    resourceId: string;
+    subjects: Array<{
+        principalId: string;
+        grants: Array<{
+            grantId: string;
+            roleId: string | null;
+            permissionId: string | null;
+            appliesTo: AccessBindingAppliesTo;
+            expiresAt: string | null;
+        }>;
+    }>;
+    changed: boolean;
+    sourceVersion: number;
+    projectionIds: string[];
+};
+export type AccessMemberRolesReplaceResult = {
+    accessScopeId: string;
+    principalId: string;
+    roleIds: string[];
+    changed: boolean;
+    sourceVersion: number;
+    projectionIds: string[];
+};
+export type AccessGrantableRoleTarget = {
+    type: "scope";
+} | {
+    type: "resource";
+    resourceType: string;
+    resourceId: string;
+    appliesTo?: AccessBindingAppliesTo;
+};
+export type AccessGrantableRoleListResult = {
+    accessScopeId: string;
+    roles: ScopeRoleSummary[];
+};
+export type AccessScopeCreateResult = {
+    accessScopeId: string;
+    created?: boolean;
+    sourceVersion: number;
+    projectionIds: string[];
+};
+export type AccessInvitationCreateResult = {
+    accessScopeId: string;
+    invitationId: string;
+    email: string;
+    roleIds: string[];
+    token: string;
+    acceptUrl: string;
+    expiresAt: string;
+    sourceVersion: number;
+    projectionIds: string[];
+};
+export type AccessInvitationAcceptResult = {
+    accessScopeId: string;
+    invitationId: string;
+    principalId: string;
+    roleIds: string[];
+    changed?: boolean;
+    sourceVersion: number;
+    projectionIds: string[];
+};
+export type AccessDeploymentEntryResult = {
+    allowed: boolean;
+    reason: string;
+    principalId?: string;
+    status?: "active" | "blocked" | "suspended" | "pending_approval" | "removed";
+    stateVersion: number;
+    changed: boolean;
+};
+export type AccessGroupListResult = {
+    accessScopeId: string;
+    groups: Array<{
+        groupPrincipalId: string;
+        name: string | null;
+        memberCount: number;
+        archived: boolean;
+        archivedAt: string | null;
+        createdAt: string;
+        updatedAt: string;
+    }>;
+};
+export type AccessGroupWriteResult = {
+    accessScopeId: string;
+    groupPrincipalId: string;
+    changed?: boolean;
+    sourceVersion: number;
+    projectionIds: string[];
+};
+export type AccessGroupMemberWriteResult = AccessGroupWriteResult & {
+    memberPrincipalId: string;
+    membershipId?: string;
+};
+export type AccessResourceInvitationListResult = {
+    accessScopeId: string;
+    invitations: Array<{
+        invitationId: string;
+        email: string;
+        resourceType: string;
+        resourceId: string;
+        conferralType: "role" | "permission" | null;
+        roleId: string | null;
+        permissionId: string | null;
+        appliesTo: AccessBindingAppliesTo;
+        expiresAt: string;
+        createdAt: string;
+        updatedAt: string;
+    }>;
+};
+export type AccessRoleOverridesResult = {
+    accessScopeId: string;
+    roleId: string;
+    overrides: Array<{
+        permissionId: string;
+        permissionKey: string;
+        effect: "allow" | "deny";
+    }>;
+};
+export type AccessUserExceptionsResult = {
+    accessScopeId: string;
+    principalId: string;
+    exceptions: Array<{
+        permissionId: string;
+        permissionKey: string;
+        effect: "allow" | "deny";
+        expiresAt: string | null;
+    }>;
+};
+export type AccessAdminSdkClient = {
+    post<T>(path: string, options: {
+        body: Record<string, unknown>;
+    }): Promise<T>;
+};
+type AccessAdminApiOptions = {
+    apiKey?: string;
+    apiKeyEnvVar?: string;
+    apiVersion?: typeof DEFAULT_API_VERSION;
+    client?: AccessAdminSdkClient;
+};
+export type CreateAccessAdminActionsOptions<DataModel extends GenericDataModel> = AccessAdminApiOptions & {
+    internalAction: ActionBuilder<DataModel, "internal">;
+};
+export type CreateAccessUserActionsOptions<DataModel extends GenericDataModel> = AccessAdminApiOptions & {
+    authenticatedAction: ActionBuilder<DataModel, "public">;
+    getDeploymentEntryStatus?: (ctx: GenericActionCtx<DataModel>) => Promise<AccessDeploymentEntryMirrorResult>;
+};
+export type AccessAccountEntryMode = "open" | "allowlisted_only" | "invite_only" | "approval_required";
+export type CreateAccessScopeArgs = {
+    name: string;
+    defaultRoleKey?: string;
+    accountEntryMode?: AccessAccountEntryMode;
+};
+export type CreateAccessInvitationArgs = {
+    scopeId: string;
+    email: string;
+    roleIds?: string[];
+    roleKeys?: string[];
+    expiresInDays?: number;
+};
+export type CreateResourceInvitationArgs = {
+    scopeId: string;
+    email: string;
+    resourceType: string;
+    resourceId: string;
+    /** Conferred grant — exactly one of these. A custom role or a single permission. */
+    roleKey?: string;
+    permissionKey?: string;
+    appliesTo?: AccessBindingAppliesTo;
+    expiresInDays?: number;
+};
+export type AcceptAccessInvitationArgs = {
+    token: string;
+    /**
+     * The signed-in user's OIDC ID token (`user.id_token`): a JWT with three
+     * dot-separated segments. Never pass a user or subject id (for example
+     * `user.profile.sub`); the control plane verifies the token signature, so a
+     * bare id is rejected.
+     */
+    idToken: string;
+};
+export type CreateAccessScopeContext = {
+    auth: {
+        getUserIdentity(): Promise<{
+            tokenIdentifier?: string | null;
+        } | null>;
+    };
+};
+export type CreateAccessScopeActionOptions<DataModel extends GenericDataModel> = AccessAdminApiOptions & {
+    authenticatedAction: ActionBuilder<DataModel, "public">;
+    canCreateScope: (ctx: CreateAccessScopeContext, args: CreateAccessScopeArgs) => boolean | Promise<boolean>;
+};
+export type ResourceCreatorBootstrapTarget = {
+    scopeId: string;
+    resourceId: string;
+    creatorHerculesAuthUserId: string;
+    state: "provisioning" | "active";
+};
+export type ResourceCreatorBootstrapResult = {
+    resourceId: string;
+    state: "active";
+    bootstrapped: false;
+} | {
+    resourceId: string;
+    state: "active";
+    bootstrapped: true;
+    grant: AccessResourceGrantWriteResult;
+};
+export type CreateResourceCreatorBootstrapActionOptions<DataModel extends GenericDataModel> = AccessAdminApiOptions & {
+    authenticatedAction: ActionBuilder<DataModel, "public">;
+    resourceType: string;
+    managerRoleKey: string;
+    appliesTo: AccessBindingAppliesTo;
+    getBootstrapTarget: (ctx: GenericActionCtx<DataModel>, args: {
+        resourceId: string;
+    }) => Promise<ResourceCreatorBootstrapTarget | null>;
+    listMyMemberships: (ctx: GenericActionCtx<DataModel>) => Promise<Membership[]>;
+    activateResource: (ctx: GenericActionCtx<DataModel>, args: {
+        resourceId: string;
+        creatorHerculesAuthUserId: string;
+        grant: AccessResourceGrantWriteResult;
+    }) => Promise<void>;
+};
+/**
+ * Builds the managed Access Control write actions (assign/remove roles,
+ * invite, create org custom roles, resource grants, overrides, expiries,
+ * member lifecycle, admission rules, entry mode, and groups) plus the raw
+ * reads backing them (group/resource-invitation lists, role overrides, user
+ * exceptions). Each one calls the Hercules control plane, so it needs the
+ * `HERCULES_API_KEY` secret. Wire it once in `convex/accessAdmin.ts` and
+ * re-export the actions you use.
+ *
+ * These are internal service-authority actions. Do not re-export them as public
+ * Convex actions. Use {@link createAccessUserActions} for public resource
+ * management by signed-in app users.
+ */
+export declare function createAccessAdminActions<DataModel extends GenericDataModel>(options: CreateAccessAdminActionsOptions<DataModel>): {
+    archiveScope: import("convex/server").RegisteredAction<"internal", {
+        scopeId: string;
+    }, Promise<WriteResult>>;
+    setDefaultRole: import("convex/server").RegisteredAction<"internal", {
+        roleId?: string | undefined;
+        roleKey?: string | undefined;
+        scopeId: string;
+    }, Promise<WriteResult>>;
+    createInvitation: import("convex/server").RegisteredAction<"internal", {
+        roleIds?: string[] | undefined;
+        roleKeys?: string[] | undefined;
+        expiresInDays?: number | undefined;
+        email: string;
+        scopeId: string;
+    }, Promise<AccessInvitationCreateResult>>;
+    revokeInvitation: import("convex/server").RegisteredAction<"internal", {
+        scopeId: string;
+        invitationId: string;
+    }, Promise<WriteResult>>;
+    assignRole: import("convex/server").RegisteredAction<"internal", {
+        herculesAuthUserId?: string | undefined;
+        roleId?: string | undefined;
+        principalId?: string | undefined;
+        roleKey?: string | undefined;
+        scopeId: string;
+    }, Promise<WriteResult>>;
+    removeRole: import("convex/server").RegisteredAction<"internal", {
+        herculesAuthUserId?: string | undefined;
+        roleId?: string | undefined;
+        principalId?: string | undefined;
+        roleKey?: string | undefined;
+        scopeId: string;
+    }, Promise<WriteResult>>;
+    createOrgCustomRole: import("convex/server").RegisteredAction<"internal", {
+        key?: string | undefined;
+        description?: string | undefined;
+        name: string;
+        scopeId: string;
+        permissionKeys: string[];
+    }, Promise<WriteResult>>;
+    updateRolePermissions: import("convex/server").RegisteredAction<"internal", {
+        roleId?: string | undefined;
+        roleKey?: string | undefined;
+        scopeId: string;
+        permissionKeys: string[];
+    }, Promise<WriteResult>>;
+    setUserExceptions: import("convex/server").RegisteredAction<"internal", {
+        herculesAuthUserId?: string | undefined;
+        principalId?: string | undefined;
+        allow: string[];
+        deny: string[];
+        scopeId: string;
+    }, Promise<WriteResult>>;
+    createResourceGrant: import("convex/server").RegisteredAction<"internal", {
+        herculesAuthUserId?: string | undefined;
+        principalId?: string | undefined;
+        appliesTo?: "self" | "self_and_descendants" | undefined;
+        expiresAt?: string | null | undefined;
+        permissionKey?: string | undefined;
+        roleKey?: string | undefined;
+        resourceType: string;
+        resourceId: string;
+        scopeId: string;
+    }, Promise<AccessResourceGrantWriteResult>>;
+    replaceResourceGrants: import("convex/server").RegisteredAction<"internal", {
+        resourceType: string;
+        resourceId: string;
+        scopeId: string;
+        subjects: {
+            herculesAuthUserId?: string | undefined;
+            principalId?: string | undefined;
+            grants: {
+                appliesTo?: "self" | "self_and_descendants" | undefined;
+                expiresAt?: string | null | undefined;
+                permissionKey?: string | undefined;
+                roleKey?: string | undefined;
+            }[];
+        }[];
+    }, Promise<AccessResourceGrantsReplaceResult>>;
+    replaceMemberRoles: import("convex/server").RegisteredAction<"internal", {
+        herculesAuthUserId?: string | undefined;
+        principalId?: string | undefined;
+        scopeId: string;
+        roleKeys: string[];
+    }, Promise<AccessMemberRolesReplaceResult>>;
+    createResourceInvitation: import("convex/server").RegisteredAction<"internal", {
+        appliesTo?: "self" | "self_and_descendants" | undefined;
+        permissionKey?: string | undefined;
+        roleKey?: string | undefined;
+        expiresInDays?: number | undefined;
+        email: string;
+        resourceType: string;
+        resourceId: string;
+        scopeId: string;
+    }, Promise<AccessInvitationCreateResult>>;
+    setResourcePermissionRule: import("convex/server").RegisteredAction<"internal", {
+        appliesTo?: "self" | "self_and_descendants" | undefined;
+        expiresAt?: string | null | undefined;
+        resourceType: string;
+        effect: "allow" | "deny";
+        scopeId: string;
+        permissionKey: string;
+        target: {
+            mode: "all";
+        } | {
+            resourceId: string;
+            mode: "specific";
+        };
+        subject: {
+            type: "principal";
+            principalId: string;
+        } | {
+            type: "role";
+            roleKey: string;
+        };
+    }, Promise<WriteResult>>;
+    setResourcePermissionRules: import("convex/server").RegisteredAction<"internal", {
+        appliesTo?: "self" | "self_and_descendants" | undefined;
+        resourceType: string;
+        scopeId: string;
+        target: {
+            mode: "all";
+        } | {
+            resourceId: string;
+            mode: "specific";
+        };
+        subject: {
+            type: "principal";
+            principalId: string;
+        } | {
+            type: "role";
+            roleKey: string;
+        };
+        rules: {
+            expiresAt?: string | null | undefined;
+            effect: "allow" | "deny" | "clear";
+            permissionKey: string;
+        }[];
+    }, Promise<WriteResult>>;
+    revokeResourceGrant: import("convex/server").RegisteredAction<"internal", {
+        scopeId: string;
+        grantId: string;
+    }, Promise<AccessResourceGrantWriteResult>>;
+    setGrantExpiry: import("convex/server").RegisteredAction<"internal", {
+        expiresAt: string | null;
+        scopeId: string;
+        grantId: string;
+    }, Promise<AccessResourceGrantWriteResult>>;
+    setRoleOverride: import("convex/server").RegisteredAction<"internal", {
+        allow: string[];
+        deny: string[];
+        scopeId: string;
+        roleKey: string;
+    }, Promise<WriteResult>>;
+    addMember: import("convex/server").RegisteredAction<"internal", {
+        roleId?: string | undefined;
+        roleKey?: string | undefined;
+        herculesAuthUserId: string;
+        scopeId: string;
+    }, Promise<WriteResult>>;
+    setMemberStatus: import("convex/server").RegisteredAction<"internal", {
+        status: "active" | "suspended";
+        principalId: string;
+        scopeId: string;
+    }, Promise<WriteResult>>;
+    removeMember: import("convex/server").RegisteredAction<"internal", {
+        principalId: string;
+        scopeId: string;
+    }, Promise<WriteResult>>;
+    approveMember: import("convex/server").RegisteredAction<"internal", {
+        principalId: string;
+        scopeId: string;
+    }, Promise<WriteResult>>;
+    upsertAdmissionRule: import("convex/server").RegisteredAction<"internal", {
+        reason?: string | null | undefined;
+        effect: "allow" | "deny";
+        scopeId: string;
+        subjectType: "email" | "domain";
+        subjectValue: string;
+    }, Promise<WriteResult>>;
+    archiveAdmissionRule: import("convex/server").RegisteredAction<"internal", {
+        scopeId: string;
+        ruleId: string;
+    }, Promise<WriteResult>>;
+    setAccountEntryMode: import("convex/server").RegisteredAction<"internal", {
+        accountEntryMode: "open" | "allowlisted_only" | "invite_only" | "approval_required";
+        scopeId: string;
+    }, Promise<WriteResult>>;
+    createGroup: import("convex/server").RegisteredAction<"internal", {
+        name: string;
+        scopeId: string;
+    }, Promise<AccessGroupWriteResult>>;
+    renameGroup: import("convex/server").RegisteredAction<"internal", {
+        name: string;
+        groupPrincipalId: string;
+        scopeId: string;
+    }, Promise<AccessGroupWriteResult>>;
+    archiveGroup: import("convex/server").RegisteredAction<"internal", {
+        groupPrincipalId: string;
+        scopeId: string;
+    }, Promise<AccessGroupWriteResult>>;
+    listGroups: import("convex/server").RegisteredAction<"internal", {
+        includeArchived?: boolean | undefined;
+        scopeId: string;
+    }, Promise<AccessGroupListResult>>;
+    addGroupMember: import("convex/server").RegisteredAction<"internal", {
+        groupPrincipalId: string;
+        memberPrincipalId: string;
+        scopeId: string;
+    }, Promise<AccessGroupMemberWriteResult>>;
+    removeGroupMember: import("convex/server").RegisteredAction<"internal", {
+        groupPrincipalId: string;
+        memberPrincipalId: string;
+        scopeId: string;
+    }, Promise<AccessGroupMemberWriteResult>>;
+    listResourceInvitations: import("convex/server").RegisteredAction<"internal", {
+        scopeId: string;
+    }, Promise<AccessResourceInvitationListResult>>;
+    getRoleOverrides: import("convex/server").RegisteredAction<"internal", {
+        roleId?: string | undefined;
+        roleKey?: string | undefined;
+        scopeId: string;
+    }, Promise<AccessRoleOverridesResult>>;
+    getUserExceptions: import("convex/server").RegisteredAction<"internal", {
+        herculesAuthUserId?: string | undefined;
+        principalId?: string | undefined;
+        scopeId: string;
+    }, Promise<AccessUserExceptionsResult>>;
+};
+/**
+ * Builds authenticated public actions for end-user access management. The
+ * control plane verifies the supplied ID token and applies the operation's
+ * scope, Owner, or resource-level RBAC gate.
+ *
+ * Every action's `idToken` argument must be the signed-in user's OIDC ID token
+ * (`user.id_token`): a JWT with three dot-separated segments. Never pass a user
+ * or subject id (for example `user.profile.sub`); the SDK rejects values that
+ * are not JWT-shaped before calling the API.
+ */
+export declare function createAccessUserActions<DataModel extends GenericDataModel>(options: CreateAccessUserActionsOptions<DataModel>): {
+    enterDeployment: import("convex/server").RegisteredAction<"public", {
+        idToken: string;
+    }, Promise<AccessDeploymentEntryResult>>;
+    setDefaultRole: import("convex/server").RegisteredAction<"public", {
+        roleId?: string | undefined;
+        roleKey?: string | undefined;
+        scopeId: string;
+        idToken: string;
+    }, Promise<WriteResult>>;
+    createInvitation: import("convex/server").RegisteredAction<"public", {
+        roleIds?: string[] | undefined;
+        roleKeys?: string[] | undefined;
+        expiresInDays?: number | undefined;
+        email: string;
+        scopeId: string;
+        idToken: string;
+    }, Promise<AccessInvitationCreateResult>>;
+    revokeInvitation: import("convex/server").RegisteredAction<"public", {
+        scopeId: string;
+        invitationId: string;
+        idToken: string;
+    }, Promise<WriteResult>>;
+    /**
+     * Lists only roles the signed-in actor may assign at the exact target.
+     * Use this for role pickers; `listScopeRoles` is the complete mirrored
+     * catalog and can include roles the actor is not authorized to confer.
+     * `subjectType` must match the intended user or group recipient.
+     */
+    listGrantableRoles: import("convex/server").RegisteredAction<"public", {
+        scopeId: string;
+        target: {
+            type: "scope";
+        } | {
+            appliesTo?: "self" | "self_and_descendants" | undefined;
+            type: "resource";
+            resourceType: string;
+            resourceId: string;
+        };
+        subjectType: "user" | "group";
+        idToken: string;
+    }, Promise<AccessGrantableRoleListResult>>;
+    assignRole: import("convex/server").RegisteredAction<"public", {
+        herculesAuthUserId?: string | undefined;
+        roleId?: string | undefined;
+        principalId?: string | undefined;
+        roleKey?: string | undefined;
+        scopeId: string;
+        idToken: string;
+    }, Promise<WriteResult>>;
+    removeRole: import("convex/server").RegisteredAction<"public", {
+        herculesAuthUserId?: string | undefined;
+        roleId?: string | undefined;
+        principalId?: string | undefined;
+        roleKey?: string | undefined;
+        scopeId: string;
+        idToken: string;
+    }, Promise<WriteResult>>;
+    createOrgCustomRole: import("convex/server").RegisteredAction<"public", {
+        key?: string | undefined;
+        description?: string | undefined;
+        name: string;
+        scopeId: string;
+        permissionKeys: string[];
+        idToken: string;
+    }, Promise<WriteResult>>;
+    updateRolePermissions: import("convex/server").RegisteredAction<"public", {
+        roleId?: string | undefined;
+        roleKey?: string | undefined;
+        scopeId: string;
+        permissionKeys: string[];
+        idToken: string;
+    }, Promise<WriteResult>>;
+    setUserExceptions: import("convex/server").RegisteredAction<"public", {
+        herculesAuthUserId?: string | undefined;
+        principalId?: string | undefined;
+        allow: string[];
+        deny: string[];
+        scopeId: string;
+        idToken: string;
+    }, Promise<WriteResult>>;
+    createResourceGrant: import("convex/server").RegisteredAction<"public", {
+        herculesAuthUserId?: string | undefined;
+        principalId?: string | undefined;
+        appliesTo?: "self" | "self_and_descendants" | undefined;
+        expiresAt?: string | null | undefined;
+        permissionKey?: string | undefined;
+        roleKey?: string | undefined;
+        resourceType: string;
+        resourceId: string;
+        scopeId: string;
+        idToken: string;
+    }, Promise<AccessResourceGrantWriteResult>>;
+    replaceResourceGrants: import("convex/server").RegisteredAction<"public", {
+        resourceType: string;
+        resourceId: string;
+        scopeId: string;
+        subjects: {
+            herculesAuthUserId?: string | undefined;
+            principalId?: string | undefined;
+            grants: {
+                appliesTo?: "self" | "self_and_descendants" | undefined;
+                expiresAt?: string | null | undefined;
+                permissionKey?: string | undefined;
+                roleKey?: string | undefined;
+            }[];
+        }[];
+        idToken: string;
+    }, Promise<AccessResourceGrantsReplaceResult>>;
+    replaceMemberRoles: import("convex/server").RegisteredAction<"public", {
+        herculesAuthUserId?: string | undefined;
+        principalId?: string | undefined;
+        scopeId: string;
+        roleKeys: string[];
+        idToken: string;
+    }, Promise<AccessMemberRolesReplaceResult>>;
+    createResourceInvitation: import("convex/server").RegisteredAction<"public", {
+        appliesTo?: "self" | "self_and_descendants" | undefined;
+        permissionKey?: string | undefined;
+        roleKey?: string | undefined;
+        expiresInDays?: number | undefined;
+        email: string;
+        resourceType: string;
+        resourceId: string;
+        scopeId: string;
+        idToken: string;
+    }, Promise<AccessInvitationCreateResult>>;
+    setResourcePermissionRule: import("convex/server").RegisteredAction<"public", {
+        appliesTo?: "self" | "self_and_descendants" | undefined;
+        expiresAt?: string | null | undefined;
+        resourceType: string;
+        effect: "allow" | "deny";
+        scopeId: string;
+        permissionKey: string;
+        target: {
+            mode: "all";
+        } | {
+            resourceId: string;
+            mode: "specific";
+        };
+        subject: {
+            type: "principal";
+            principalId: string;
+        } | {
+            type: "role";
+            roleKey: string;
+        };
+        idToken: string;
+    }, Promise<WriteResult>>;
+    setResourcePermissionRules: import("convex/server").RegisteredAction<"public", {
+        appliesTo?: "self" | "self_and_descendants" | undefined;
+        resourceType: string;
+        scopeId: string;
+        target: {
+            mode: "all";
+        } | {
+            resourceId: string;
+            mode: "specific";
+        };
+        subject: {
+            type: "principal";
+            principalId: string;
+        } | {
+            type: "role";
+            roleKey: string;
+        };
+        rules: {
+            expiresAt?: string | null | undefined;
+            effect: "allow" | "deny" | "clear";
+            permissionKey: string;
+        }[];
+        idToken: string;
+    }, Promise<WriteResult>>;
+    revokeResourceGrant: import("convex/server").RegisteredAction<"public", {
+        scopeId: string;
+        grantId: string;
+        idToken: string;
+    }, Promise<AccessResourceGrantWriteResult>>;
+    setGrantExpiry: import("convex/server").RegisteredAction<"public", {
+        expiresAt: string | null;
+        scopeId: string;
+        grantId: string;
+        idToken: string;
+    }, Promise<AccessResourceGrantWriteResult>>;
+    setRoleOverride: import("convex/server").RegisteredAction<"public", {
+        allow: string[];
+        deny: string[];
+        scopeId: string;
+        roleKey: string;
+        idToken: string;
+    }, Promise<WriteResult>>;
+    addMember: import("convex/server").RegisteredAction<"public", {
+        roleId?: string | undefined;
+        roleKey?: string | undefined;
+        herculesAuthUserId: string;
+        scopeId: string;
+        idToken: string;
+    }, Promise<WriteResult>>;
+    setMemberStatus: import("convex/server").RegisteredAction<"public", {
+        status: "active" | "suspended";
+        principalId: string;
+        scopeId: string;
+        idToken: string;
+    }, Promise<WriteResult>>;
+    removeMember: import("convex/server").RegisteredAction<"public", {
+        principalId: string;
+        scopeId: string;
+        idToken: string;
+    }, Promise<WriteResult>>;
+    approveMember: import("convex/server").RegisteredAction<"public", {
+        principalId: string;
+        scopeId: string;
+        idToken: string;
+    }, Promise<WriteResult>>;
+    upsertAdmissionRule: import("convex/server").RegisteredAction<"public", {
+        reason?: string | null | undefined;
+        effect: "allow" | "deny";
+        scopeId: string;
+        subjectType: "email" | "domain";
+        subjectValue: string;
+        idToken: string;
+    }, Promise<WriteResult>>;
+    archiveAdmissionRule: import("convex/server").RegisteredAction<"public", {
+        scopeId: string;
+        ruleId: string;
+        idToken: string;
+    }, Promise<WriteResult>>;
+    setAccountEntryMode: import("convex/server").RegisteredAction<"public", {
+        accountEntryMode: "open" | "allowlisted_only" | "invite_only" | "approval_required";
+        scopeId: string;
+        idToken: string;
+    }, Promise<WriteResult>>;
+    createGroup: import("convex/server").RegisteredAction<"public", {
+        name: string;
+        scopeId: string;
+        idToken: string;
+    }, Promise<AccessGroupWriteResult>>;
+    renameGroup: import("convex/server").RegisteredAction<"public", {
+        name: string;
+        groupPrincipalId: string;
+        scopeId: string;
+        idToken: string;
+    }, Promise<AccessGroupWriteResult>>;
+    archiveGroup: import("convex/server").RegisteredAction<"public", {
+        groupPrincipalId: string;
+        scopeId: string;
+        idToken: string;
+    }, Promise<AccessGroupWriteResult>>;
+    listGroups: import("convex/server").RegisteredAction<"public", {
+        includeArchived?: boolean | undefined;
+        scopeId: string;
+        idToken: string;
+    }, Promise<AccessGroupListResult>>;
+    addGroupMember: import("convex/server").RegisteredAction<"public", {
+        groupPrincipalId: string;
+        memberPrincipalId: string;
+        scopeId: string;
+        idToken: string;
+    }, Promise<AccessGroupMemberWriteResult>>;
+    removeGroupMember: import("convex/server").RegisteredAction<"public", {
+        groupPrincipalId: string;
+        memberPrincipalId: string;
+        scopeId: string;
+        idToken: string;
+    }, Promise<AccessGroupMemberWriteResult>>;
+    listResourceInvitations: import("convex/server").RegisteredAction<"public", {
+        scopeId: string;
+        idToken: string;
+    }, Promise<AccessResourceInvitationListResult>>;
+    getRoleOverrides: import("convex/server").RegisteredAction<"public", {
+        roleId?: string | undefined;
+        roleKey?: string | undefined;
+        scopeId: string;
+        idToken: string;
+    }, Promise<AccessRoleOverridesResult>>;
+    getUserExceptions: import("convex/server").RegisteredAction<"public", {
+        herculesAuthUserId?: string | undefined;
+        principalId?: string | undefined;
+        scopeId: string;
+        idToken: string;
+    }, Promise<AccessUserExceptionsResult>>;
+};
+/**
+ * Builds a public authenticated action for creating an organization scope.
+ * `canCreateScope` is the app's product-policy gate. The authenticated caller
+ * becomes the new scope's Owner automatically; do not add a separate self
+ * role or resource grant.
+ */
+export declare function createAccessScopeAction<DataModel extends GenericDataModel>(options: CreateAccessScopeActionOptions<DataModel>): import("convex/server").RegisteredAction<"public", {
+    accountEntryMode?: "open" | "allowlisted_only" | "invite_only" | "approval_required" | undefined;
+    defaultRoleKey?: string | undefined;
+    name: string;
+}, Promise<AccessScopeCreateResult>>;
+/**
+ * Builds a public action that gives a newly created app resource's trusted
+ * creator one fixed manager role, then marks the app row active.
+ *
+ * The browser supplies only `resourceId`. App-owned callbacks must load the
+ * trusted creator and scope from the database and activate the same
+ * provisioning row. The resource type, role, and descendant behavior are
+ * static factory configuration, so callers cannot turn this into arbitrary
+ * self-grant.
+ *
+ * Keep the resource unavailable while it is `provisioning`. If activation
+ * fails after the grant, retrying is safe because the control-plane grant
+ * write is idempotent. Once active, this action never recreates a removed
+ * manager grant.
+ */
+export declare function createResourceCreatorBootstrapAction<DataModel extends GenericDataModel>(options: CreateResourceCreatorBootstrapActionOptions<DataModel>): import("convex/server").RegisteredAction<"public", {
+    resourceId: string;
+}, Promise<ResourceCreatorBootstrapResult>>;
+/**
+ * Creates an organization scope for the authenticated caller. Hercules derives
+ * the caller from the Convex identity and makes that user Owner of the new
+ * scope. The app should persist the returned `accessScopeId` on its
+ * organization metadata row.
+ */
+export declare function createAccessScope(ctx: CreateAccessScopeContext, args: CreateAccessScopeArgs, options?: AccessAdminApiOptions): Promise<AccessScopeCreateResult>;
+export declare function createAccessInvitation(args: CreateAccessInvitationArgs, options?: AccessAdminApiOptions): Promise<AccessInvitationCreateResult>;
+/**
+ * Invite an email to a single resource, conferring a custom role or a single
+ * permission scoped to that resource (not the whole scope). Pass exactly one of
+ * `roleKey` / `permissionKey`. This helper always acts as the internal service.
+ * Public app-user invitations are exposed by {@link createAccessUserActions}.
+ */
+export declare function createResourceInvitation(args: CreateResourceInvitationArgs, options?: AccessAdminApiOptions): Promise<AccessInvitationCreateResult>;
+export declare function acceptAccessInvitation(ctx: CreateAccessScopeContext, args: AcceptAccessInvitationArgs, options?: AccessAdminApiOptions): Promise<AccessInvitationAcceptResult>;
+export {};
+//# sourceMappingURL=access-admin.d.ts.map