@vantageos/convex-doc-forge 0.1.2 → 0.1.4

package/CHANGELOG.md

@@ -2,6 +2,50 @@
 
 All notable changes to this package follow [Keep a Changelog](https://keepachangelog.com/en/1.1.0/) + [SemVer](https://semver.org/spec/v2.0.0.html).
 
+## [0.1.4] - 2026-06-20
+
+### Added
+
+- **`doc_forge_tenant_tokens` table** — dynamic tenant token registry (schema.ts). Stores `token_hash` (sha256 hex of the bearer token — NEVER the raw token), `org_id`, `role`, `createdAt`, `revokedAt`. Index: `by_token_hash`. Security invariant: raw bearer token never stored or logged.
+- **`resolve_tenant_token({ token_hash })`** query (queries.ts) — returns `{ org_id, role }` or `null`. Returns `null` for unknown hashes and for revoked tokens (`revokedAt` set). Uses `by_token_hash` index for O(1) lookup.
+- **`issue_tenant_token({ token_hash, org_id, role })`** mutation (mutations.ts) — inserts a token row with `createdAt = now()`. Idempotent: skips insert if an active row with the same hash already exists.
+- **`revoke_tenant_token({ token_hash })`** mutation (mutations.ts) — patches `revokedAt`; row kept for audit. No-op if hash not found (idempotent).
+- All three are exported from `index.ts` via barrel so host apps can wire them as `api.docForge.issueTenantToken` / `api.docForge.revokeTenantToken` / `api.docForge.resolveTenantToken`.
+
+### Changed
+
+- **docs: clarify no component-side JSON-Schema validation (Eta advisory #3).** Inline comments on `input_schema` (templates table) and `context` (render_jobs table) in `schema.ts` previously implied runtime validation. Comments now state the truth: the component stores both fields as-is, performs NO ajv / JSON-Schema validation, and delegates conformance checks upstream (MCP-server Zod layer) and to the Python renderer. Option B chosen — correct comments, do not add ajv (V1 scope; gold-plating risk; renderer fails cleanly on non-conforming context).
+
+### Tests
+
+- `src/__tests__/tokens.test.ts` — 13 tests covering full lifecycle: issue → resolve → revoke → resolve(null), idempotency, empty-field validation, no-op revoke.
+- `mutations.test.ts`: added `validation-boundary contract (Eta advisory #3)` describe block (2 regression tests) documenting that `queue_render` accepts both conforming and non-conforming context without throwing — encoding the delegated-validation contract so the comment cannot silently drift.
+
+### Notes
+
+- Non-breaking migration: adds a 4th table, no existing table changes.
+- tsc: 0 errors. biome: 0 errors. Test ratio: 45/45 PASS (4 test files).
+- Relates to: VantagePeers task k174ctwng. Layers on / supersedes PR #23's static `MCP_TENANT_TOKENS` env-map (which is implemented as a fallback in the MCP server — see mcp-server CHANGELOG for full resolution chain).
+
+---
+
+## [0.1.3] - 2026-06-19
+
+### Fixed
+
+- **GAP 1 (data)** `input_schema` changed from `v.any()` to `v.string()` in `schema.ts`, `mutations.ts` (arg + handler type), and `queries.ts` (returns validators for both `list_templates` and `get_template`). JSON Schemas containing `$schema`/`$ref`/`$defs` keys (which start with `$`, reserved by Convex) now round-trip correctly — callers `JSON.stringify()` before upsert, `JSON.parse()` after retrieval. No handler logic change; store-as-is.
+- **GAP 2 (BLOCKER)** `render_now` no longer reads `process.env.CONVEX_DOC_FORGE_RENDERER_URL` / `CONVEX_DOC_FORGE_RENDERER_KEY`. Convex components cannot access the host deployment's env vars (`convex env set` has no `--component` flag). Config is now passed as args: `renderer_url: v.string()` + `renderer_key: v.string()`. The host app reads its own env and threads these values when calling `ctx.runAction(components.docForge.actions.render_now, { ..., renderer_url, renderer_key })`.
+
+### Tests
+
+- `actions.test.ts`: removed `process.env.*RENDERER*` setup/teardown; all `renderNowHandler` calls now pass `renderer_url`/`renderer_key` as args; guard tests updated accordingly; added `$schema` round-trip test.
+- `mutations.test.ts`: `baseArgs.input_schema` changed to `JSON.stringify(...)` throughout; added `$schema`/`$ref`/`$defs` round-trip test.
+
+### Notes
+
+- tsc: 0 errors. V8-pure: zero `"use node"` or `node:*` in src/. `peerDependencies.convex` unchanged (`>=1.17.0`).
+- Breaking change for callers of `render_now`: must now pass `renderer_url` + `renderer_key` as args. See README + `scripts/smoke-render.md` for updated call pattern.
+
 ## [0.1.2] - 2026-06-19
 
 ### Added

package/README.md

@@ -13,16 +13,37 @@ Consumer (vantage-immo / vCRM / MCP server)
         │
         ▼  ctx.runAction(components.docForge.actions.render_now, {...})
 @vantageos/convex-doc-forge (this package)
-  - templates table    ← template metadata + asset_storage_id
-  - render_jobs table  ← job status machine (queued → rendering → done|failed)
-  - render_audit table ← immutable audit log per render
-  - render_now action  → HTTP POST /v1/render  →  Railway renderer sidecar
+  - doc_forge_tenant_tokens table ← dynamic API token registry (sha256 hashes only)
+  - templates table               ← template metadata + asset_storage_id
+  - render_jobs table             ← job status machine (queued → rendering → done|failed)
+  - render_audit table            ← immutable audit log per render
+  - render_now action             → HTTP POST /v1/render  →  Railway renderer sidecar
         │
         ▼
 vantage-doc-forge-renderer (Python Railway)
   docxtpl + python-pptx + LibreOffice headless
 ```
 
+### Token management (v0.1.4+)
+
+The `doc_forge_tenant_tokens` table enables dynamic self-service API key issuance. The dashboard team writes tokens via:
+
+```ts
+// In host app — wrap component mutations as api.docForge.*
+await ctx.runMutation(components.docForge.mutations.issue_tenant_token, {
+  token_hash: sha256hex(rawBearerToken), // NEVER store the raw token
+  org_id: "org_clerk_xxx",
+  role: "admin", // or "readonly"
+});
+
+// Revoke
+await ctx.runMutation(components.docForge.mutations.revoke_tenant_token, {
+  token_hash: sha256hex(rawBearerToken),
+});
+```
+
+The MCP server resolves tokens against this table on every authenticated request (primary). The `MCP_TENANT_TOKENS` env JSON map is a static fallback for dev/bootstrap.
+
 ---
 
 ## Install
@@ -44,7 +65,19 @@ export default app;
 
 ---
 
-## Required env vars (set in Convex dashboard)
+## Renderer config (passed as args by the host app)
+
+`render_now` does **not** read env vars from the Convex dashboard — Convex components cannot access the host deployment's env vars (`convex env set` has no `--component` flag). The host app reads its own env and passes config as args on every call:
+
+```ts
+const result = await ctx.runAction(components.docForge.actions.render_now, {
+  // ...
+  renderer_url: process.env.CONVEX_DOC_FORGE_RENDERER_URL!,
+  renderer_key: process.env.CONVEX_DOC_FORGE_RENDERER_KEY!,
+});
+```
+
+Set these in the **host** deployment's Convex dashboard (not inside the component):
 
 | Variable | Description |
 |---|---|
@@ -64,7 +97,7 @@ export default app;
 | `tenant_id` | string | Clerk org ID |
 | `template_type` | `"doc-binary"` | Always `doc-binary` (V1) |
 | `renderer_kind` | `"docxtpl" \| "python-pptx" \| "jinja2-html"` | Which renderer to use |
-| `input_schema` | object | JSON Schema for context validation |
+| `input_schema` | string | JSON Schema serialized as a JSON string (`JSON.stringify(schema)`) — avoids Convex `$`-key rejection |
 | `asset_storage_id` | Id<"_storage"> | Convex file storage reference to the .docx/.pptx asset |
 | `output_formats` | string[] | e.g. `["docx", "pdf"]` |
 | `version` | string | SemVer |
@@ -115,7 +148,9 @@ docForge.mutations.queue_render({ template_id, context, output_format, createdBy
 docForge.actions.render_now({
   template_id, context, output_format,
   actor,           // Clerk subject
-  source?          // "manual" | "workflow" | "agent"  (default "manual")
+  source?,         // "manual" | "workflow" | "agent"  (default "manual")
+  renderer_url,    // host app reads from its own env (e.g. process.env.CONVEX_DOC_FORGE_RENDERER_URL)
+  renderer_key,    // host app reads from its own env (e.g. process.env.CONVEX_DOC_FORGE_RENDERER_KEY)
 })
 // → { output_url, render_job_id, duration_ms, pages? }
 ```
@@ -159,7 +194,8 @@ const templateId = await ctx.runMutation(
     team: "iris-rh",
     tenant_id: "org_clerk_abc",
     renderer_kind: "docxtpl",
-    input_schema: { type: "object", properties: { client_name: { type: "string" } } },
+    // input_schema must be a JSON-stringified string — Convex rejects $-prefixed keys (e.g. $schema, $ref)
+    input_schema: JSON.stringify({ type: "object", properties: { client_name: { type: "string" } } }),
     asset_storage_id: storageId,   // from step 2
     output_formats: ["pdf", "docx"],
     version: "1.0.0",
@@ -168,12 +204,15 @@ const templateId = await ctx.runMutation(
 );
 
 // Now render_now works end-to-end:
+// renderer_url + renderer_key are read from the host app's env and passed as args
 const result = await ctx.runAction(components.docForge.actions.render_now, {
   template_id: templateId,
   context: { client_name: "Iris RH" },
   output_format: "pdf",
   actor: "clerk_user_id",
   source: "manual",
+  renderer_url: process.env.CONVEX_DOC_FORGE_RENDERER_URL!,
+  renderer_key: process.env.CONVEX_DOC_FORGE_RENDERER_KEY!,
 });
 // → { output_url, render_job_id, duration_ms }
 ```

package/dist/actions.d.ts

@@ -4,6 +4,8 @@ export declare function renderNowHandler(ctx: any, args: {
     output_format: string;
     actor: string;
     source?: "manual" | "workflow" | "agent";
+    renderer_url: string;
+    renderer_key: string;
 }): Promise<{
     output_url: string;
     render_job_id: string;
@@ -16,5 +18,7 @@ export declare const render_now: import("convex/server").RegisteredAction<"publi
     context: any;
     output_format: string;
     actor: string;
+    renderer_url: string;
+    renderer_key: string;
 }, any>;
 //# sourceMappingURL=actions.d.ts.map

package/dist/actions.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"actions.d.ts","sourceRoot":"","sources":["../src/actions.ts"],"names":[],"mappings":"AAiCA,wBAAsB,gBAAgB,CAEpC,GAAG,EAAE,GAAG,EACR,IAAI,EAAE;IACJ,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,OAAO,CAAC;IACjB,aAAa,EAAE,MAAM,CAAC;IACtB,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,QAAQ,GAAG,UAAU,GAAG,OAAO,CAAC;CAC1C,GACA,OAAO,CAAC;IACT,UAAU,EAAE,MAAM,CAAC;IACnB,aAAa,EAAE,MAAM,CAAC;IACtB,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC,CAoID;AAMD,eAAO,MAAM,UAAU;;;;;;OAsBrB,CAAC"}
+{"version":3,"file":"actions.d.ts","sourceRoot":"","sources":["../src/actions.ts"],"names":[],"mappings":"AAiCA,wBAAsB,gBAAgB,CAEpC,GAAG,EAAE,GAAG,EACR,IAAI,EAAE;IACJ,WAAW,EAAE,MAAM,CAAC;IACpB,OAAO,EAAE,OAAO,CAAC;IACjB,aAAa,EAAE,MAAM,CAAC;IACtB,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,CAAC,EAAE,QAAQ,GAAG,UAAU,GAAG,OAAO,CAAC;IACzC,YAAY,EAAE,MAAM,CAAC;IACrB,YAAY,EAAE,MAAM,CAAC;CACtB,GACA,OAAO,CAAC;IACT,UAAU,EAAE,MAAM,CAAC;IACnB,aAAa,EAAE,MAAM,CAAC;IACtB,WAAW,EAAE,MAAM,CAAC;IACpB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB,CAAC,CAoID;AAMD,eAAO,MAAM,UAAU;;;;;;;;OAwBrB,CAAC"}

package/dist/actions.js

@@ -18,12 +18,12 @@ const SIGNED_URL_TTL_MS = 7 * 24 * 60 * 60 * 1000;
 export async function renderNowHandler(
 // eslint-disable-next-line @typescript-eslint/no-explicit-any
 ctx, args) {
-    const rendererUrl = process.env.CONVEX_DOC_FORGE_RENDERER_URL;
-    const rendererKey = process.env.CONVEX_DOC_FORGE_RENDERER_KEY;
+    const rendererUrl = args.renderer_url;
+    const rendererKey = args.renderer_key;
     if (!rendererUrl)
-        throw new Error("CONVEX_DOC_FORGE_RENDERER_URL not set");
+        throw new Error("renderer_url arg is required");
     if (!rendererKey)
-        throw new Error("CONVEX_DOC_FORGE_RENDERER_KEY not set");
+        throw new Error("renderer_key arg is required");
     // 1. Load template
     const template = await ctx.runQuery(internal.queries.get_template, {
         template_id: args.template_id,
@@ -149,6 +149,8 @@ export const render_now = action({
         output_format: v.string(),
         actor: v.string(),
         source: v.optional(v.union(v.literal("manual"), v.literal("workflow"), v.literal("agent"))),
+        renderer_url: v.string(),
+        renderer_key: v.string(),
     },
     returns: v.object({
         output_url: v.string(),

package/dist/mutations.d.ts

@@ -1,11 +1,19 @@
 import type { Id } from "./_generated/dataModel";
+export declare function issueTenantTokenHandler(ctx: AnyCtx, args: {
+    token_hash: string;
+    org_id: string;
+    role: "admin" | "readonly";
+}): Promise<void>;
+export declare function revokeTenantTokenHandler(ctx: AnyCtx, args: {
+    token_hash: string;
+}): Promise<void>;
 type AnyCtx = any;
 export declare function upsertTemplateHandler(ctx: AnyCtx, args: {
     name: string;
     team: string;
     tenant_id: string;
     renderer_kind: "docxtpl" | "python-pptx" | "jinja2-html";
-    input_schema: unknown;
+    input_schema: string;
     asset_storage_id: Id<"_storage">;
     output_formats: string[];
     metadata?: Record<string, string>;
@@ -47,7 +55,7 @@ export declare const upsert_template: import("convex/server").RegisteredMutation
     team: string;
     tenant_id: string;
     renderer_kind: "docxtpl" | "python-pptx" | "jinja2-html";
-    input_schema: unknown;
+    input_schema: string;
     asset_storage_id: Id<"_storage">;
     output_formats: string[];
     metadata?: Record<string, string>;
@@ -82,5 +90,24 @@ export declare const _write_audit: import("convex/server").RegisteredMutation<"i
     actor: string;
     source: "manual" | "workflow" | "agent";
 }, Promise<Id<"render_audit">>>;
+/**
+ * Issue a new tenant token.  The dashboard team calls this via their host
+ * app's api.docForge.issueTenantToken wrapper.
+ *
+ * Security: only `token_hash` (sha256 hex of the raw bearer) is persisted —
+ * the raw bearer must NEVER be passed to or stored in Convex.
+ */
+export declare const issue_tenant_token: import("convex/server").RegisteredMutation<"public", {
+    token_hash: string;
+    org_id: string;
+    role: "admin" | "readonly";
+}, Promise<null>>;
+/**
+ * Revoke a tenant token by its hash.  Sets `revokedAt`; the row is kept for
+ * audit purposes.  After revocation `resolve_tenant_token` returns null.
+ */
+export declare const revoke_tenant_token: import("convex/server").RegisteredMutation<"public", {
+    token_hash: string;
+}, Promise<null>>;
 export {};
 //# sourceMappingURL=mutations.d.ts.map

package/dist/mutations.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"mutations.d.ts","sourceRoot":"","sources":["../src/mutations.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,EAAE,EAAE,MAAM,wBAAwB,CAAC;AAIjD,KAAK,MAAM,GAAG,GAAG,CAAC;AAMlB,wBAAsB,qBAAqB,CACzC,GAAG,EAAE,MAAM,EACX,IAAI,EAAE;IACJ,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,SAAS,GAAG,aAAa,GAAG,aAAa,CAAC;IACzD,YAAY,EAAE,OAAO,CAAC;IACtB,gBAAgB,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC;IACjC,cAAc,EAAE,MAAM,EAAE,CAAC;IACzB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAClC,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;CACnB,GACA,OAAO,CAAC,EAAE,CAAC,WAAW,CAAC,CAAC,CA2C1B;AAED,wBAAsB,kBAAkB,CACtC,GAAG,EAAE,MAAM,EACX,IAAI,EAAE;IACJ,WAAW,EAAE,EAAE,CAAC,WAAW,CAAC,CAAC;IAC7B,OAAO,EAAE,OAAO,CAAC;IACjB,aAAa,EAAE,MAAM,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;CACnB,GACA,OAAO,CAAC,EAAE,CAAC,aAAa,CAAC,CAAC,CAoB5B;AAED,wBAAsB,sBAAsB,CAC1C,GAAG,EAAE,MAAM,EACX,IAAI,EAAE;IAAE,MAAM,EAAE,EAAE,CAAC,aAAa,CAAC,CAAA;CAAE,GAClC,OAAO,CAAC,IAAI,CAAC,CAKf;AAED,wBAAsB,wBAAwB,CAC5C,GAAG,EAAE,MAAM,EACX,IAAI,EAAE;IAAE,MAAM,EAAE,EAAE,CAAC,aAAa,CAAC,CAAC;IAAC,iBAAiB,EAAE,EAAE,CAAC,UAAU,CAAC,CAAA;CAAE,GACrE,OAAO,CAAC,IAAI,CAAC,CASf;AAED,wBAAsB,oBAAoB,CACxC,GAAG,EAAE,MAAM,EACX,IAAI,EAAE;IAAE,MAAM,EAAE,EAAE,CAAC,aAAa,CAAC,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,GACjD,OAAO,CAAC,IAAI,CAAC,CASf;AAED,wBAAsB,wBAAwB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAE3E;AAED,wBAAsB,iBAAiB,CACrC,GAAG,EAAE,MAAM,EACX,IAAI,EAAE;IACJ,aAAa,EAAE,EAAE,CAAC,aAAa,CAAC,CAAC;IACjC,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,EAAE,CAAC,WAAW,CAAC,CAAC;IAC7B,gBAAgB,EAAE,MAAM,CAAC;IACzB,YAAY,EAAE,MAAM,CAAC;IACrB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,QAAQ,GAAG,UAAU,GAAG,OAAO,CAAC;CACzC,GACA,OAAO,CAAC,EAAE,CAAC,cAAc,CAAC,CAAC,CAK7B;AAMD,eAAO,MAAM,mBAAmB,2EAI9B,CAAC;AAEH,eAAO,MAAM,eAAe;UA9JlB,MAAM;UACN,MAAM;eACD,MAAM;mBACF,SAAS,GAAG,aAAa,GAAG,aAAa;kBAC1C,OAAO;sBACH,EAAE,CAAC,UAAU,CAAC;oBAChB,MAAM,EAAE;eACb,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;aACxB,MAAM;eACJ,MAAM;4BAwKnB,CAAC;AAEH,eAAO,MAAM,YAAY;iBAxHR,EAAE,CAAC,WAAW,CAAC;aACnB,OAAO;mBACD,MAAM;eACV,MAAM;8BA8HnB,CAAC;AAEH,eAAO,MAAM,kBAAkB;YAtGb,EAAE,CAAC,aAAa,CAAC;iBA0GjC,CAAC;AAEH,eAAO,MAAM,oBAAoB;YAlGf,EAAE,CAAC,aAAa,CAAC;uBAAqB,EAAE,CAAC,UAAU,CAAC;iBAyGpE,CAAC;AAEH,eAAO,MAAM,gBAAgB;YA7FX,EAAE,CAAC,aAAa,CAAC;WAAS,MAAM;iBAoGhD,CAAC;AAEH,eAAO,MAAM,YAAY;mBAnFN,EAAE,CAAC,aAAa,CAAC;eACrB,MAAM;iBACJ,EAAE,CAAC,WAAW,CAAC;sBACV,MAAM;kBACV,MAAM;uBACD,MAAM;gBACb,MAAM;WACX,MAAM;YACL,QAAQ,GAAG,UAAU,GAAG,OAAO;+BA6FzC,CAAC"}
+{"version":3,"file":"mutations.d.ts","sourceRoot":"","sources":["../src/mutations.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,EAAE,EAAE,MAAM,wBAAwB,CAAC;AAMjD,wBAAsB,uBAAuB,CAC3C,GAAG,EAAE,MAAM,EACX,IAAI,EAAE;IACJ,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,OAAO,GAAG,UAAU,CAAC;CAC5B,GACA,OAAO,CAAC,IAAI,CAAC,CAsBf;AAED,wBAAsB,wBAAwB,CAC5C,GAAG,EAAE,MAAM,EACX,IAAI,EAAE;IAAE,UAAU,EAAE,MAAM,CAAA;CAAE,GAC3B,OAAO,CAAC,IAAI,CAAC,CAYf;AAID,KAAK,MAAM,GAAG,GAAG,CAAC;AAMlB,wBAAsB,qBAAqB,CACzC,GAAG,EAAE,MAAM,EACX,IAAI,EAAE;IACJ,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,SAAS,GAAG,aAAa,GAAG,aAAa,CAAC;IACzD,YAAY,EAAE,MAAM,CAAC;IACrB,gBAAgB,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC;IACjC,cAAc,EAAE,MAAM,EAAE,CAAC;IACzB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAClC,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;CACnB,GACA,OAAO,CAAC,EAAE,CAAC,WAAW,CAAC,CAAC,CA2C1B;AAED,wBAAsB,kBAAkB,CACtC,GAAG,EAAE,MAAM,EACX,IAAI,EAAE;IACJ,WAAW,EAAE,EAAE,CAAC,WAAW,CAAC,CAAC;IAC7B,OAAO,EAAE,OAAO,CAAC;IACjB,aAAa,EAAE,MAAM,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;CACnB,GACA,OAAO,CAAC,EAAE,CAAC,aAAa,CAAC,CAAC,CAoB5B;AAED,wBAAsB,sBAAsB,CAC1C,GAAG,EAAE,MAAM,EACX,IAAI,EAAE;IAAE,MAAM,EAAE,EAAE,CAAC,aAAa,CAAC,CAAA;CAAE,GAClC,OAAO,CAAC,IAAI,CAAC,CAKf;AAED,wBAAsB,wBAAwB,CAC5C,GAAG,EAAE,MAAM,EACX,IAAI,EAAE;IAAE,MAAM,EAAE,EAAE,CAAC,aAAa,CAAC,CAAC;IAAC,iBAAiB,EAAE,EAAE,CAAC,UAAU,CAAC,CAAA;CAAE,GACrE,OAAO,CAAC,IAAI,CAAC,CASf;AAED,wBAAsB,oBAAoB,CACxC,GAAG,EAAE,MAAM,EACX,IAAI,EAAE;IAAE,MAAM,EAAE,EAAE,CAAC,aAAa,CAAC,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,GACjD,OAAO,CAAC,IAAI,CAAC,CASf;AAED,wBAAsB,wBAAwB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAE3E;AAED,wBAAsB,iBAAiB,CACrC,GAAG,EAAE,MAAM,EACX,IAAI,EAAE;IACJ,aAAa,EAAE,EAAE,CAAC,aAAa,CAAC,CAAC;IACjC,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,EAAE,CAAC,WAAW,CAAC,CAAC;IAC7B,gBAAgB,EAAE,MAAM,CAAC;IACzB,YAAY,EAAE,MAAM,CAAC;IACrB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,QAAQ,GAAG,UAAU,GAAG,OAAO,CAAC;CACzC,GACA,OAAO,CAAC,EAAE,CAAC,cAAc,CAAC,CAAC,CAK7B;AAMD,eAAO,MAAM,mBAAmB,2EAI9B,CAAC;AAEH,eAAO,MAAM,eAAe;UA9JlB,MAAM;UACN,MAAM;eACD,MAAM;mBACF,SAAS,GAAG,aAAa,GAAG,aAAa;kBAC1C,MAAM;sBACF,EAAE,CAAC,UAAU,CAAC;oBAChB,MAAM,EAAE;eACb,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;aACxB,MAAM;eACJ,MAAM;4BAwKnB,CAAC;AAEH,eAAO,MAAM,YAAY;iBAxHR,EAAE,CAAC,WAAW,CAAC;aACnB,OAAO;mBACD,MAAM;eACV,MAAM;8BA8HnB,CAAC;AAEH,eAAO,MAAM,kBAAkB;YAtGb,EAAE,CAAC,aAAa,CAAC;iBA0GjC,CAAC;AAEH,eAAO,MAAM,oBAAoB;YAlGf,EAAE,CAAC,aAAa,CAAC;uBAAqB,EAAE,CAAC,UAAU,CAAC;iBAyGpE,CAAC;AAEH,eAAO,MAAM,gBAAgB;YA7FX,EAAE,CAAC,aAAa,CAAC;WAAS,MAAM;iBAoGhD,CAAC;AAEH,eAAO,MAAM,YAAY;mBAnFN,EAAE,CAAC,aAAa,CAAC;eACrB,MAAM;iBACJ,EAAE,CAAC,WAAW,CAAC;sBACV,MAAM;kBACV,MAAM;uBACD,MAAM;gBACb,MAAM;WACX,MAAM;YACL,QAAQ,GAAG,UAAU,GAAG,OAAO;+BA6FzC,CAAC;AAMH;;;;;;GAMG;AACH,eAAO,MAAM,kBAAkB;;;;iBAW7B,CAAC;AAEH;;;GAGG;AACH,eAAO,MAAM,mBAAmB;;iBAO9B,CAAC"}

package/dist/mutations.js

@@ -2,6 +2,42 @@
 import { v } from "convex/values";
 import { mutation, internalMutation } from "./_generated/server";
 // ---------------------------------------------------------------------------
+// issue_tenant_token / revoke_tenant_token — dynamic token lifecycle
+// ---------------------------------------------------------------------------
+export async function issueTenantTokenHandler(ctx, args) {
+    if (!args.token_hash)
+        throw new Error("token_hash is required");
+    if (!args.org_id)
+        throw new Error("org_id is required");
+    // Idempotency guard: if an active (non-revoked) token with the same hash
+    // already exists for this org, skip the insert to avoid duplicates.
+    const existing = await ctx.db
+        .query("doc_forge_tenant_tokens")
+        .withIndex("by_token_hash", (q) => q.eq("token_hash", args.token_hash))
+        .first();
+    if (existing !== null && existing.revokedAt === undefined) {
+        // Already active — nothing to do (idempotent)
+        return;
+    }
+    await ctx.db.insert("doc_forge_tenant_tokens", {
+        token_hash: args.token_hash,
+        org_id: args.org_id,
+        role: args.role,
+        createdAt: Date.now(),
+    });
+}
+export async function revokeTenantTokenHandler(ctx, args) {
+    const row = await ctx.db
+        .query("doc_forge_tenant_tokens")
+        .withIndex("by_token_hash", (q) => q.eq("token_hash", args.token_hash))
+        .first();
+    if (row === null) {
+        // Nothing to revoke — treat as no-op (idempotent)
+        return;
+    }
+    await ctx.db.patch(row._id, { revokedAt: Date.now() });
+}
+// ---------------------------------------------------------------------------
 // Handler functions — exported separately for unit testing
 // ---------------------------------------------------------------------------
 export async function upsertTemplateHandler(ctx, args) {
@@ -116,7 +152,7 @@ export const upsert_template = mutation({
         team: v.string(),
         tenant_id: v.string(),
         renderer_kind: v.union(v.literal("docxtpl"), v.literal("python-pptx"), v.literal("jinja2-html")),
-        input_schema: v.any(),
+        input_schema: v.string(),
         asset_storage_id: v.id("_storage"),
         output_formats: v.array(v.string()),
         metadata: v.optional(v.record(v.string(), v.string())),
@@ -172,3 +208,37 @@ export const _write_audit = internalMutation({
     returns: v.id("render_audit"),
     handler: writeAuditHandler,
 });
+// ---------------------------------------------------------------------------
+// Token lifecycle — Convex registrations (public; called by host app wrapper)
+// ---------------------------------------------------------------------------
+/**
+ * Issue a new tenant token.  The dashboard team calls this via their host
+ * app's api.docForge.issueTenantToken wrapper.
+ *
+ * Security: only `token_hash` (sha256 hex of the raw bearer) is persisted —
+ * the raw bearer must NEVER be passed to or stored in Convex.
+ */
+export const issue_tenant_token = mutation({
+    args: {
+        token_hash: v.string(),
+        org_id: v.string(),
+        role: v.union(v.literal("admin"), v.literal("readonly")),
+    },
+    returns: v.null(),
+    handler: async (ctx, args) => {
+        await issueTenantTokenHandler(ctx, args);
+        return null;
+    },
+});
+/**
+ * Revoke a tenant token by its hash.  Sets `revokedAt`; the row is kept for
+ * audit purposes.  After revocation `resolve_tenant_token` returns null.
+ */
+export const revoke_tenant_token = mutation({
+    args: { token_hash: v.string() },
+    returns: v.null(),
+    handler: async (ctx, args) => {
+        await revokeTenantTokenHandler(ctx, args);
+        return null;
+    },
+});

package/dist/queries.d.ts

@@ -1,4 +1,10 @@
 import type { Id } from "./_generated/dataModel";
+export declare function resolveTenantTokenHandler(ctx: AnyCtx, args: {
+    token_hash: string;
+}): Promise<{
+    org_id: string;
+    role: "admin" | "readonly";
+} | null>;
 type AnyCtx = any;
 export declare function listTemplatesHandler(ctx: AnyCtx, args: {
     tenant_id: string;
@@ -26,5 +32,11 @@ export declare const list_render_history: import("convex/server").RegisteredQuer
     template_id?: Id<"templates">;
     since?: number;
 }, Promise<any[]>>;
+export declare const resolve_tenant_token: import("convex/server").RegisteredQuery<"public", {
+    token_hash: string;
+}, Promise<{
+    org_id: string;
+    role: "admin" | "readonly";
+} | null>>;
 export {};
 //# sourceMappingURL=queries.d.ts.map

package/dist/queries.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"queries.d.ts","sourceRoot":"","sources":["../src/queries.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,EAAE,EAAE,MAAM,wBAAwB,CAAC;AAGjD,KAAK,MAAM,GAAG,GAAG,CAAC;AAMlB,wBAAsB,oBAAoB,CACxC,GAAG,EAAE,MAAM,EACX,IAAI,EAAE;IAAE,SAAS,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,YAAY,CAAA;CAAE,kBAsBhE;AAED,wBAAsB,kBAAkB,CACtC,GAAG,EAAE,MAAM,EACX,IAAI,EAAE;IAAE,WAAW,EAAE,EAAE,CAAC,WAAW,CAAC,CAAA;CAAE,gBAGvC;AAED,wBAAsB,wBAAwB,CAC5C,GAAG,EAAE,MAAM,EACX,IAAI,EAAE;IAAE,SAAS,EAAE,MAAM,CAAC;IAAC,WAAW,CAAC,EAAE,EAAE,CAAC,WAAW,CAAC,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,kBA0B3E;AAMD,eAAO,MAAM,cAAc;eAjEN,MAAM;WAAS,MAAM;WAAS,YAAY;kBA8F7D,CAAC;AAEH,eAAO,MAAM,YAAY;iBAtEF,EAAE,CAAC,WAAW,CAAC;gBAgGpC,CAAC;AAEH,eAAO,MAAM,mBAAmB;eA3FX,MAAM;kBAAgB,EAAE,CAAC,WAAW,CAAC;YAAU,MAAM;kBAsHxE,CAAC"}
+{"version":3,"file":"queries.d.ts","sourceRoot":"","sources":["../src/queries.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,EAAE,EAAE,MAAM,wBAAwB,CAAC;AAMjD,wBAAsB,yBAAyB,CAC7C,GAAG,EAAE,MAAM,EACX,IAAI,EAAE;IAAE,UAAU,EAAE,MAAM,CAAA;CAAE,GAC3B,OAAO,CAAC;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,OAAO,GAAG,UAAU,CAAA;CAAE,GAAG,IAAI,CAAC,CAUhE;AAID,KAAK,MAAM,GAAG,GAAG,CAAC;AAMlB,wBAAsB,oBAAoB,CACxC,GAAG,EAAE,MAAM,EACX,IAAI,EAAE;IAAE,SAAS,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,YAAY,CAAA;CAAE,kBAsBhE;AAED,wBAAsB,kBAAkB,CACtC,GAAG,EAAE,MAAM,EACX,IAAI,EAAE;IAAE,WAAW,EAAE,EAAE,CAAC,WAAW,CAAC,CAAA;CAAE,gBAGvC;AAED,wBAAsB,wBAAwB,CAC5C,GAAG,EAAE,MAAM,EACX,IAAI,EAAE;IAAE,SAAS,EAAE,MAAM,CAAC;IAAC,WAAW,CAAC,EAAE,EAAE,CAAC,WAAW,CAAC,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,kBA0B3E;AAMD,eAAO,MAAM,cAAc;eAjEN,MAAM;WAAS,MAAM;WAAS,YAAY;kBA8F7D,CAAC;AAEH,eAAO,MAAM,YAAY;iBAtEF,EAAE,CAAC,WAAW,CAAC;gBAgGpC,CAAC;AAEH,eAAO,MAAM,mBAAmB;eA3FX,MAAM;kBAAgB,EAAE,CAAC,WAAW,CAAC;YAAU,MAAM;kBAsHxE,CAAC;AAMH,eAAO,MAAM,oBAAoB;gBApLX,MAAM;;YACP,MAAM;UAAQ,OAAO,GAAG,UAAU;UA6LrD,CAAC"}

package/dist/queries.js

@@ -2,6 +2,19 @@
 import { v } from "convex/values";
 import { query } from "./_generated/server";
 // ---------------------------------------------------------------------------
+// resolve_tenant_token — dynamic token table primary lookup
+// ---------------------------------------------------------------------------
+export async function resolveTenantTokenHandler(ctx, args) {
+    const row = await ctx.db
+        .query("doc_forge_tenant_tokens")
+        .withIndex("by_token_hash", (q) => q.eq("token_hash", args.token_hash))
+        .first();
+    // No row found OR row has been revoked → return null (token rejected)
+    if (row === null || row.revokedAt !== undefined)
+        return null;
+    return { org_id: row.org_id, role: row.role };
+}
+// ---------------------------------------------------------------------------
 // Handler functions — exported separately for unit testing
 // ---------------------------------------------------------------------------
 export async function listTemplatesHandler(ctx, args) {
@@ -63,7 +76,7 @@ export const list_templates = query({
         tenant_id: v.string(),
         template_type: v.literal("doc-binary"),
         renderer_kind: v.union(v.literal("docxtpl"), v.literal("python-pptx"), v.literal("jinja2-html")),
-        input_schema: v.any(),
+        input_schema: v.string(),
         asset_storage_id: v.id("_storage"),
         output_formats: v.array(v.string()),
         metadata: v.optional(v.record(v.string(), v.string())),
@@ -83,7 +96,7 @@ export const get_template = query({
         tenant_id: v.string(),
         template_type: v.literal("doc-binary"),
         renderer_kind: v.union(v.literal("docxtpl"), v.literal("python-pptx"), v.literal("jinja2-html")),
-        input_schema: v.any(),
+        input_schema: v.string(),
         asset_storage_id: v.id("_storage"),
         output_formats: v.array(v.string()),
         metadata: v.optional(v.record(v.string(), v.string())),
@@ -115,3 +128,14 @@ export const list_render_history = query({
     })),
     handler: listRenderHistoryHandler,
 });
+// ---------------------------------------------------------------------------
+// resolve_tenant_token — Convex registration
+// ---------------------------------------------------------------------------
+export const resolve_tenant_token = query({
+    args: { token_hash: v.string() },
+    returns: v.union(v.object({
+        org_id: v.string(),
+        role: v.union(v.literal("admin"), v.literal("readonly")),
+    }), v.null()),
+    handler: resolveTenantTokenHandler,
+});

package/dist/schema.d.ts

@@ -1,24 +1,48 @@
 /**
  * Internal schema for the @vantageos/convex-doc-forge component.
  *
- * Three tables:
- *  - templates   : template metadata + asset reference
- *  - render_jobs : per-render job tracking (status machine)
- *  - render_audit: immutable audit log (who/when/what)
+ * Four tables:
+ *  - templates             : template metadata + asset reference
+ *  - render_jobs           : per-render job tracking (status machine)
+ *  - render_audit          : immutable audit log (who/when/what)
+ *  - doc_forge_tenant_tokens: dynamic tenant token registry (sha256 hashes only,
+ *                             NEVER the raw bearer token).  Written by the dashboard
+ *                             team via the host app's api.docForge.* wrapper;
+ *                             read by the MCP server's auth layer.
  */
 declare const _default: import("convex/server").SchemaDefinition<{
+    /**
+     * Tenant API token registry.
+     * Security invariant: token_hash is a sha256 hex digest of the raw bearer.
+     * The raw bearer is NEVER stored here or logged anywhere.
+     */
+    doc_forge_tenant_tokens: import("convex/server").TableDefinition<import("convex/values").VObject<{
+        revokedAt?: number | undefined;
+        token_hash: string;
+        org_id: string;
+        role: "admin" | "readonly";
+        createdAt: number;
+    }, {
+        token_hash: import("convex/values").VString<string, "required">;
+        org_id: import("convex/values").VString<string, "required">;
+        role: import("convex/values").VUnion<"admin" | "readonly", [import("convex/values").VLiteral<"admin", "required">, import("convex/values").VLiteral<"readonly", "required">], "required", never>;
+        createdAt: import("convex/values").VFloat64<number, "required">;
+        revokedAt: import("convex/values").VFloat64<number | undefined, "optional">;
+    }, "required", "token_hash" | "org_id" | "role" | "createdAt" | "revokedAt">, {
+        by_token_hash: ["token_hash", "_creationTime"];
+    }, {}, {}>;
     templates: import("convex/server").TableDefinition<import("convex/values").VObject<{
         metadata?: Record<string, string> | undefined;
+        createdAt: number;
         name: string;
         team: string;
         tenant_id: string;
         template_type: "doc-binary";
         renderer_kind: "docxtpl" | "python-pptx" | "jinja2-html";
-        input_schema: any;
+        input_schema: string;
         asset_storage_id: import("convex/values").GenericId<"_storage">;
         output_formats: string[];
         version: string;
-        createdAt: number;
         updatedAt: number;
     }, {
         name: import("convex/values").VString<string, "required">;
@@ -26,14 +50,14 @@ declare const _default: import("convex/server").SchemaDefinition<{
         tenant_id: import("convex/values").VString<string, "required">;
         template_type: import("convex/values").VLiteral<"doc-binary", "required">;
         renderer_kind: import("convex/values").VUnion<"docxtpl" | "python-pptx" | "jinja2-html", [import("convex/values").VLiteral<"docxtpl", "required">, import("convex/values").VLiteral<"python-pptx", "required">, import("convex/values").VLiteral<"jinja2-html", "required">], "required", never>;
-        input_schema: import("convex/values").VAny<any, "required", string>;
+        input_schema: import("convex/values").VString<string, "required">;
         asset_storage_id: import("convex/values").VId<import("convex/values").GenericId<"_storage">, "required">;
         output_formats: import("convex/values").VArray<string[], import("convex/values").VString<string, "required">, "required">;
         metadata: import("convex/values").VRecord<Record<string, string> | undefined, import("convex/values").VString<string, "required">, import("convex/values").VString<string, "required">, "optional", string>;
         version: import("convex/values").VString<string, "required">;
         createdAt: import("convex/values").VFloat64<number, "required">;
         updatedAt: import("convex/values").VFloat64<number, "required">;
-    }, "required", "name" | "team" | "tenant_id" | "template_type" | "renderer_kind" | "input_schema" | "asset_storage_id" | "output_formats" | "metadata" | "version" | "createdAt" | "updatedAt" | `input_schema.${string}` | `metadata.${string}`>, {
+    }, "required", "createdAt" | "name" | "team" | "tenant_id" | "template_type" | "renderer_kind" | "input_schema" | "asset_storage_id" | "output_formats" | "metadata" | "version" | "updatedAt" | `metadata.${string}`>, {
         by_tenant: ["tenant_id", "_creationTime"];
         by_tenant_team: ["tenant_id", "team", "_creationTime"];
         by_tenant_type: ["tenant_id", "template_type", "_creationTime"];
@@ -42,8 +66,8 @@ declare const _default: import("convex/server").SchemaDefinition<{
         output_storage_id?: import("convex/values").GenericId<"_storage"> | undefined;
         error?: string | undefined;
         completedAt?: number | undefined;
-        tenant_id: string;
         createdAt: number;
+        tenant_id: string;
         template_id: import("convex/values").GenericId<"templates">;
         context: any;
         output_format: string;
@@ -60,14 +84,14 @@ declare const _default: import("convex/server").SchemaDefinition<{
         createdAt: import("convex/values").VFloat64<number, "required">;
         completedAt: import("convex/values").VFloat64<number | undefined, "optional">;
         createdBy: import("convex/values").VString<string, "required">;
-    }, "required", "tenant_id" | "createdAt" | "template_id" | "context" | "output_format" | "status" | "output_storage_id" | "error" | "completedAt" | "createdBy" | `context.${string}`>, {
+    }, "required", "createdAt" | "tenant_id" | "template_id" | "context" | "output_format" | "status" | "output_storage_id" | "error" | "completedAt" | "createdBy" | `context.${string}`>, {
         by_tenant: ["tenant_id", "_creationTime"];
         by_template: ["template_id", "createdAt", "_creationTime"];
         by_tenant_status: ["tenant_id", "status", "_creationTime"];
     }, {}, {}>;
     render_audit: import("convex/server").TableDefinition<import("convex/values").VObject<{
-        tenant_id: string;
         createdAt: number;
+        tenant_id: string;
         template_id: import("convex/values").GenericId<"templates">;
         render_job_id: import("convex/values").GenericId<"render_jobs">;
         template_version: string;
@@ -87,7 +111,7 @@ declare const _default: import("convex/server").SchemaDefinition<{
         actor: import("convex/values").VString<string, "required">;
         source: import("convex/values").VUnion<"manual" | "workflow" | "agent", [import("convex/values").VLiteral<"manual", "required">, import("convex/values").VLiteral<"workflow", "required">, import("convex/values").VLiteral<"agent", "required">], "required", never>;
         createdAt: import("convex/values").VFloat64<number, "required">;
-    }, "required", "tenant_id" | "createdAt" | "template_id" | "render_job_id" | "template_version" | "context_hash" | "output_signed_url" | "expires_at" | "actor" | "source">, {
+    }, "required", "createdAt" | "tenant_id" | "template_id" | "render_job_id" | "template_version" | "context_hash" | "output_signed_url" | "expires_at" | "actor" | "source">, {
         by_tenant: ["tenant_id", "_creationTime"];
         by_template: ["template_id", "createdAt", "_creationTime"];
         by_job: ["render_job_id", "_creationTime"];

package/dist/schema.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"schema.d.ts","sourceRoot":"","sources":["../src/schema.ts"],"names":[],"mappings":"AAGA;;;;;;;GAOG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AACH,wBA+DG"}
+{"version":3,"file":"schema.d.ts","sourceRoot":"","sources":["../src/schema.ts"],"names":[],"mappings":"AAGA;;;;;;;;;;;GAWG;;IAEF;;;;OAIG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AALJ,wBA4EG"}

package/dist/schema.js

@@ -3,19 +3,35 @@ import { v } from "convex/values";
 /**
  * Internal schema for the @vantageos/convex-doc-forge component.
  *
- * Three tables:
- *  - templates   : template metadata + asset reference
- *  - render_jobs : per-render job tracking (status machine)
- *  - render_audit: immutable audit log (who/when/what)
+ * Four tables:
+ *  - templates             : template metadata + asset reference
+ *  - render_jobs           : per-render job tracking (status machine)
+ *  - render_audit          : immutable audit log (who/when/what)
+ *  - doc_forge_tenant_tokens: dynamic tenant token registry (sha256 hashes only,
+ *                             NEVER the raw bearer token).  Written by the dashboard
+ *                             team via the host app's api.docForge.* wrapper;
+ *                             read by the MCP server's auth layer.
  */
 export default defineSchema({
+    /**
+     * Tenant API token registry.
+     * Security invariant: token_hash is a sha256 hex digest of the raw bearer.
+     * The raw bearer is NEVER stored here or logged anywhere.
+     */
+    doc_forge_tenant_tokens: defineTable({
+        token_hash: v.string(), // sha256 hex of the bearer token — NEVER the raw token
+        org_id: v.string(), // canonical tenant id (== Clerk org_id)
+        role: v.union(v.literal("admin"), v.literal("readonly")),
+        createdAt: v.number(),
+        revokedAt: v.optional(v.number()), // set on revoke; presence means the token is dead
+    }).index("by_token_hash", ["token_hash"]),
     templates: defineTable({
         name: v.string(),
         team: v.string(),
         tenant_id: v.string(), // Clerk org ID
         template_type: v.literal("doc-binary"),
         renderer_kind: v.union(v.literal("docxtpl"), v.literal("python-pptx"), v.literal("jinja2-html")),
-        input_schema: v.any(), // JSON Schema object — validated at runtime
+        input_schema: v.string(), // JSON Schema serialized as a JSON string (avoids $-key rejection). The component stores this value as-is — NO runtime JSON-Schema validation is performed here. Conformance of caller-supplied context against this schema is delegated upstream (MCP-server Zod layer) and enforced by the renderer, which rejects malformed context.
         asset_storage_id: v.id("_storage"),
         output_formats: v.array(v.string()),
         metadata: v.optional(v.record(v.string(), v.string())),
@@ -29,7 +45,7 @@ export default defineSchema({
     render_jobs: defineTable({
         template_id: v.id("templates"),
         tenant_id: v.string(),
-        context: v.any(), // Caller-supplied JSON matching template.input_schema
+        context: v.any(), // Caller-supplied render context (any JSON value). The component does NOT validate this against template.input_schema at the Convex layer — validation boundary is the upstream MCP-server Zod schema and the Python renderer.
         output_format: v.string(),
         status: v.union(v.literal("queued"), v.literal("rendering"), v.literal("done"), v.literal("failed")),
         output_storage_id: v.optional(v.id("_storage")),

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vantageos/convex-doc-forge",
-  "version": "0.1.2",
+  "version": "0.1.4",
   "description": "Convex component — data layer for VantageDocForge (templates, render jobs, audit)",
   "type": "module",
   "main": "./dist/index.js",