@vantageos/convex-doc-forge 0.1.3 → 0.1.4

package/CHANGELOG.md

@@ -2,6 +2,33 @@
 
 All notable changes to this package follow [Keep a Changelog](https://keepachangelog.com/en/1.1.0/) + [SemVer](https://semver.org/spec/v2.0.0.html).
 
+## [0.1.4] - 2026-06-20
+
+### Added
+
+- **`doc_forge_tenant_tokens` table** — dynamic tenant token registry (schema.ts). Stores `token_hash` (sha256 hex of the bearer token — NEVER the raw token), `org_id`, `role`, `createdAt`, `revokedAt`. Index: `by_token_hash`. Security invariant: raw bearer token never stored or logged.
+- **`resolve_tenant_token({ token_hash })`** query (queries.ts) — returns `{ org_id, role }` or `null`. Returns `null` for unknown hashes and for revoked tokens (`revokedAt` set). Uses `by_token_hash` index for O(1) lookup.
+- **`issue_tenant_token({ token_hash, org_id, role })`** mutation (mutations.ts) — inserts a token row with `createdAt = now()`. Idempotent: skips insert if an active row with the same hash already exists.
+- **`revoke_tenant_token({ token_hash })`** mutation (mutations.ts) — patches `revokedAt`; row kept for audit. No-op if hash not found (idempotent).
+- All three are exported from `index.ts` via barrel so host apps can wire them as `api.docForge.issueTenantToken` / `api.docForge.revokeTenantToken` / `api.docForge.resolveTenantToken`.
+
+### Changed
+
+- **docs: clarify no component-side JSON-Schema validation (Eta advisory #3).** Inline comments on `input_schema` (templates table) and `context` (render_jobs table) in `schema.ts` previously implied runtime validation. Comments now state the truth: the component stores both fields as-is, performs NO ajv / JSON-Schema validation, and delegates conformance checks upstream (MCP-server Zod layer) and to the Python renderer. Option B chosen — correct comments, do not add ajv (V1 scope; gold-plating risk; renderer fails cleanly on non-conforming context).
+
+### Tests
+
+- `src/__tests__/tokens.test.ts` — 13 tests covering full lifecycle: issue → resolve → revoke → resolve(null), idempotency, empty-field validation, no-op revoke.
+- `mutations.test.ts`: added `validation-boundary contract (Eta advisory #3)` describe block (2 regression tests) documenting that `queue_render` accepts both conforming and non-conforming context without throwing — encoding the delegated-validation contract so the comment cannot silently drift.
+
+### Notes
+
+- Non-breaking migration: adds a 4th table, no existing table changes.
+- tsc: 0 errors. biome: 0 errors. Test ratio: 45/45 PASS (4 test files).
+- Relates to: VantagePeers task k174ctwng. Layers on / supersedes PR #23's static `MCP_TENANT_TOKENS` env-map (which is implemented as a fallback in the MCP server — see mcp-server CHANGELOG for full resolution chain).
+
+---
+
 ## [0.1.3] - 2026-06-19
 
 ### Fixed

package/README.md

@@ -13,16 +13,37 @@ Consumer (vantage-immo / vCRM / MCP server)
         │
         ▼  ctx.runAction(components.docForge.actions.render_now, {...})
 @vantageos/convex-doc-forge (this package)
-  - templates table    ← template metadata + asset_storage_id
-  - render_jobs table  ← job status machine (queued → rendering → done|failed)
-  - render_audit table ← immutable audit log per render
-  - render_now action  → HTTP POST /v1/render  →  Railway renderer sidecar
+  - doc_forge_tenant_tokens table ← dynamic API token registry (sha256 hashes only)
+  - templates table               ← template metadata + asset_storage_id
+  - render_jobs table             ← job status machine (queued → rendering → done|failed)
+  - render_audit table            ← immutable audit log per render
+  - render_now action             → HTTP POST /v1/render  →  Railway renderer sidecar
         │
         ▼
 vantage-doc-forge-renderer (Python Railway)
   docxtpl + python-pptx + LibreOffice headless
 ```
 
+### Token management (v0.1.4+)
+
+The `doc_forge_tenant_tokens` table enables dynamic self-service API key issuance. The dashboard team writes tokens via:
+
+```ts
+// In host app — wrap component mutations as api.docForge.*
+await ctx.runMutation(components.docForge.mutations.issue_tenant_token, {
+  token_hash: sha256hex(rawBearerToken), // NEVER store the raw token
+  org_id: "org_clerk_xxx",
+  role: "admin", // or "readonly"
+});
+
+// Revoke
+await ctx.runMutation(components.docForge.mutations.revoke_tenant_token, {
+  token_hash: sha256hex(rawBearerToken),
+});
+```
+
+The MCP server resolves tokens against this table on every authenticated request (primary). The `MCP_TENANT_TOKENS` env JSON map is a static fallback for dev/bootstrap.
+
 ---
 
 ## Install

package/dist/mutations.d.ts

@@ -1,4 +1,12 @@
 import type { Id } from "./_generated/dataModel";
+export declare function issueTenantTokenHandler(ctx: AnyCtx, args: {
+    token_hash: string;
+    org_id: string;
+    role: "admin" | "readonly";
+}): Promise<void>;
+export declare function revokeTenantTokenHandler(ctx: AnyCtx, args: {
+    token_hash: string;
+}): Promise<void>;
 type AnyCtx = any;
 export declare function upsertTemplateHandler(ctx: AnyCtx, args: {
     name: string;
@@ -82,5 +90,24 @@ export declare const _write_audit: import("convex/server").RegisteredMutation<"i
     actor: string;
     source: "manual" | "workflow" | "agent";
 }, Promise<Id<"render_audit">>>;
+/**
+ * Issue a new tenant token.  The dashboard team calls this via their host
+ * app's api.docForge.issueTenantToken wrapper.
+ *
+ * Security: only `token_hash` (sha256 hex of the raw bearer) is persisted —
+ * the raw bearer must NEVER be passed to or stored in Convex.
+ */
+export declare const issue_tenant_token: import("convex/server").RegisteredMutation<"public", {
+    token_hash: string;
+    org_id: string;
+    role: "admin" | "readonly";
+}, Promise<null>>;
+/**
+ * Revoke a tenant token by its hash.  Sets `revokedAt`; the row is kept for
+ * audit purposes.  After revocation `resolve_tenant_token` returns null.
+ */
+export declare const revoke_tenant_token: import("convex/server").RegisteredMutation<"public", {
+    token_hash: string;
+}, Promise<null>>;
 export {};
 //# sourceMappingURL=mutations.d.ts.map

package/dist/mutations.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"mutations.d.ts","sourceRoot":"","sources":["../src/mutations.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,EAAE,EAAE,MAAM,wBAAwB,CAAC;AAIjD,KAAK,MAAM,GAAG,GAAG,CAAC;AAMlB,wBAAsB,qBAAqB,CACzC,GAAG,EAAE,MAAM,EACX,IAAI,EAAE;IACJ,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,SAAS,GAAG,aAAa,GAAG,aAAa,CAAC;IACzD,YAAY,EAAE,MAAM,CAAC;IACrB,gBAAgB,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC;IACjC,cAAc,EAAE,MAAM,EAAE,CAAC;IACzB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAClC,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;CACnB,GACA,OAAO,CAAC,EAAE,CAAC,WAAW,CAAC,CAAC,CA2C1B;AAED,wBAAsB,kBAAkB,CACtC,GAAG,EAAE,MAAM,EACX,IAAI,EAAE;IACJ,WAAW,EAAE,EAAE,CAAC,WAAW,CAAC,CAAC;IAC7B,OAAO,EAAE,OAAO,CAAC;IACjB,aAAa,EAAE,MAAM,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;CACnB,GACA,OAAO,CAAC,EAAE,CAAC,aAAa,CAAC,CAAC,CAoB5B;AAED,wBAAsB,sBAAsB,CAC1C,GAAG,EAAE,MAAM,EACX,IAAI,EAAE;IAAE,MAAM,EAAE,EAAE,CAAC,aAAa,CAAC,CAAA;CAAE,GAClC,OAAO,CAAC,IAAI,CAAC,CAKf;AAED,wBAAsB,wBAAwB,CAC5C,GAAG,EAAE,MAAM,EACX,IAAI,EAAE;IAAE,MAAM,EAAE,EAAE,CAAC,aAAa,CAAC,CAAC;IAAC,iBAAiB,EAAE,EAAE,CAAC,UAAU,CAAC,CAAA;CAAE,GACrE,OAAO,CAAC,IAAI,CAAC,CASf;AAED,wBAAsB,oBAAoB,CACxC,GAAG,EAAE,MAAM,EACX,IAAI,EAAE;IAAE,MAAM,EAAE,EAAE,CAAC,aAAa,CAAC,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,GACjD,OAAO,CAAC,IAAI,CAAC,CASf;AAED,wBAAsB,wBAAwB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAE3E;AAED,wBAAsB,iBAAiB,CACrC,GAAG,EAAE,MAAM,EACX,IAAI,EAAE;IACJ,aAAa,EAAE,EAAE,CAAC,aAAa,CAAC,CAAC;IACjC,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,EAAE,CAAC,WAAW,CAAC,CAAC;IAC7B,gBAAgB,EAAE,MAAM,CAAC;IACzB,YAAY,EAAE,MAAM,CAAC;IACrB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,QAAQ,GAAG,UAAU,GAAG,OAAO,CAAC;CACzC,GACA,OAAO,CAAC,EAAE,CAAC,cAAc,CAAC,CAAC,CAK7B;AAMD,eAAO,MAAM,mBAAmB,2EAI9B,CAAC;AAEH,eAAO,MAAM,eAAe;UA9JlB,MAAM;UACN,MAAM;eACD,MAAM;mBACF,SAAS,GAAG,aAAa,GAAG,aAAa;kBAC1C,MAAM;sBACF,EAAE,CAAC,UAAU,CAAC;oBAChB,MAAM,EAAE;eACb,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;aACxB,MAAM;eACJ,MAAM;4BAwKnB,CAAC;AAEH,eAAO,MAAM,YAAY;iBAxHR,EAAE,CAAC,WAAW,CAAC;aACnB,OAAO;mBACD,MAAM;eACV,MAAM;8BA8HnB,CAAC;AAEH,eAAO,MAAM,kBAAkB;YAtGb,EAAE,CAAC,aAAa,CAAC;iBA0GjC,CAAC;AAEH,eAAO,MAAM,oBAAoB;YAlGf,EAAE,CAAC,aAAa,CAAC;uBAAqB,EAAE,CAAC,UAAU,CAAC;iBAyGpE,CAAC;AAEH,eAAO,MAAM,gBAAgB;YA7FX,EAAE,CAAC,aAAa,CAAC;WAAS,MAAM;iBAoGhD,CAAC;AAEH,eAAO,MAAM,YAAY;mBAnFN,EAAE,CAAC,aAAa,CAAC;eACrB,MAAM;iBACJ,EAAE,CAAC,WAAW,CAAC;sBACV,MAAM;kBACV,MAAM;uBACD,MAAM;gBACb,MAAM;WACX,MAAM;YACL,QAAQ,GAAG,UAAU,GAAG,OAAO;+BA6FzC,CAAC"}
+{"version":3,"file":"mutations.d.ts","sourceRoot":"","sources":["../src/mutations.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,EAAE,EAAE,MAAM,wBAAwB,CAAC;AAMjD,wBAAsB,uBAAuB,CAC3C,GAAG,EAAE,MAAM,EACX,IAAI,EAAE;IACJ,UAAU,EAAE,MAAM,CAAC;IACnB,MAAM,EAAE,MAAM,CAAC;IACf,IAAI,EAAE,OAAO,GAAG,UAAU,CAAC;CAC5B,GACA,OAAO,CAAC,IAAI,CAAC,CAsBf;AAED,wBAAsB,wBAAwB,CAC5C,GAAG,EAAE,MAAM,EACX,IAAI,EAAE;IAAE,UAAU,EAAE,MAAM,CAAA;CAAE,GAC3B,OAAO,CAAC,IAAI,CAAC,CAYf;AAID,KAAK,MAAM,GAAG,GAAG,CAAC;AAMlB,wBAAsB,qBAAqB,CACzC,GAAG,EAAE,MAAM,EACX,IAAI,EAAE;IACJ,IAAI,EAAE,MAAM,CAAC;IACb,IAAI,EAAE,MAAM,CAAC;IACb,SAAS,EAAE,MAAM,CAAC;IAClB,aAAa,EAAE,SAAS,GAAG,aAAa,GAAG,aAAa,CAAC;IACzD,YAAY,EAAE,MAAM,CAAC;IACrB,gBAAgB,EAAE,EAAE,CAAC,UAAU,CAAC,CAAC;IACjC,cAAc,EAAE,MAAM,EAAE,CAAC;IACzB,QAAQ,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IAClC,OAAO,EAAE,MAAM,CAAC;IAChB,SAAS,EAAE,MAAM,CAAC;CACnB,GACA,OAAO,CAAC,EAAE,CAAC,WAAW,CAAC,CAAC,CA2C1B;AAED,wBAAsB,kBAAkB,CACtC,GAAG,EAAE,MAAM,EACX,IAAI,EAAE;IACJ,WAAW,EAAE,EAAE,CAAC,WAAW,CAAC,CAAC;IAC7B,OAAO,EAAE,OAAO,CAAC;IACjB,aAAa,EAAE,MAAM,CAAC;IACtB,SAAS,EAAE,MAAM,CAAC;CACnB,GACA,OAAO,CAAC,EAAE,CAAC,aAAa,CAAC,CAAC,CAoB5B;AAED,wBAAsB,sBAAsB,CAC1C,GAAG,EAAE,MAAM,EACX,IAAI,EAAE;IAAE,MAAM,EAAE,EAAE,CAAC,aAAa,CAAC,CAAA;CAAE,GAClC,OAAO,CAAC,IAAI,CAAC,CAKf;AAED,wBAAsB,wBAAwB,CAC5C,GAAG,EAAE,MAAM,EACX,IAAI,EAAE;IAAE,MAAM,EAAE,EAAE,CAAC,aAAa,CAAC,CAAC;IAAC,iBAAiB,EAAE,EAAE,CAAC,UAAU,CAAC,CAAA;CAAE,GACrE,OAAO,CAAC,IAAI,CAAC,CASf;AAED,wBAAsB,oBAAoB,CACxC,GAAG,EAAE,MAAM,EACX,IAAI,EAAE;IAAE,MAAM,EAAE,EAAE,CAAC,aAAa,CAAC,CAAC;IAAC,KAAK,EAAE,MAAM,CAAA;CAAE,GACjD,OAAO,CAAC,IAAI,CAAC,CASf;AAED,wBAAsB,wBAAwB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,MAAM,CAAC,CAE3E;AAED,wBAAsB,iBAAiB,CACrC,GAAG,EAAE,MAAM,EACX,IAAI,EAAE;IACJ,aAAa,EAAE,EAAE,CAAC,aAAa,CAAC,CAAC;IACjC,SAAS,EAAE,MAAM,CAAC;IAClB,WAAW,EAAE,EAAE,CAAC,WAAW,CAAC,CAAC;IAC7B,gBAAgB,EAAE,MAAM,CAAC;IACzB,YAAY,EAAE,MAAM,CAAC;IACrB,iBAAiB,EAAE,MAAM,CAAC;IAC1B,UAAU,EAAE,MAAM,CAAC;IACnB,KAAK,EAAE,MAAM,CAAC;IACd,MAAM,EAAE,QAAQ,GAAG,UAAU,GAAG,OAAO,CAAC;CACzC,GACA,OAAO,CAAC,EAAE,CAAC,cAAc,CAAC,CAAC,CAK7B;AAMD,eAAO,MAAM,mBAAmB,2EAI9B,CAAC;AAEH,eAAO,MAAM,eAAe;UA9JlB,MAAM;UACN,MAAM;eACD,MAAM;mBACF,SAAS,GAAG,aAAa,GAAG,aAAa;kBAC1C,MAAM;sBACF,EAAE,CAAC,UAAU,CAAC;oBAChB,MAAM,EAAE;eACb,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC;aACxB,MAAM;eACJ,MAAM;4BAwKnB,CAAC;AAEH,eAAO,MAAM,YAAY;iBAxHR,EAAE,CAAC,WAAW,CAAC;aACnB,OAAO;mBACD,MAAM;eACV,MAAM;8BA8HnB,CAAC;AAEH,eAAO,MAAM,kBAAkB;YAtGb,EAAE,CAAC,aAAa,CAAC;iBA0GjC,CAAC;AAEH,eAAO,MAAM,oBAAoB;YAlGf,EAAE,CAAC,aAAa,CAAC;uBAAqB,EAAE,CAAC,UAAU,CAAC;iBAyGpE,CAAC;AAEH,eAAO,MAAM,gBAAgB;YA7FX,EAAE,CAAC,aAAa,CAAC;WAAS,MAAM;iBAoGhD,CAAC;AAEH,eAAO,MAAM,YAAY;mBAnFN,EAAE,CAAC,aAAa,CAAC;eACrB,MAAM;iBACJ,EAAE,CAAC,WAAW,CAAC;sBACV,MAAM;kBACV,MAAM;uBACD,MAAM;gBACb,MAAM;WACX,MAAM;YACL,QAAQ,GAAG,UAAU,GAAG,OAAO;+BA6FzC,CAAC;AAMH;;;;;;GAMG;AACH,eAAO,MAAM,kBAAkB;;;;iBAW7B,CAAC;AAEH;;;GAGG;AACH,eAAO,MAAM,mBAAmB;;iBAO9B,CAAC"}

package/dist/mutations.js

@@ -2,6 +2,42 @@
 import { v } from "convex/values";
 import { mutation, internalMutation } from "./_generated/server";
 // ---------------------------------------------------------------------------
+// issue_tenant_token / revoke_tenant_token — dynamic token lifecycle
+// ---------------------------------------------------------------------------
+export async function issueTenantTokenHandler(ctx, args) {
+    if (!args.token_hash)
+        throw new Error("token_hash is required");
+    if (!args.org_id)
+        throw new Error("org_id is required");
+    // Idempotency guard: if an active (non-revoked) token with the same hash
+    // already exists for this org, skip the insert to avoid duplicates.
+    const existing = await ctx.db
+        .query("doc_forge_tenant_tokens")
+        .withIndex("by_token_hash", (q) => q.eq("token_hash", args.token_hash))
+        .first();
+    if (existing !== null && existing.revokedAt === undefined) {
+        // Already active — nothing to do (idempotent)
+        return;
+    }
+    await ctx.db.insert("doc_forge_tenant_tokens", {
+        token_hash: args.token_hash,
+        org_id: args.org_id,
+        role: args.role,
+        createdAt: Date.now(),
+    });
+}
+export async function revokeTenantTokenHandler(ctx, args) {
+    const row = await ctx.db
+        .query("doc_forge_tenant_tokens")
+        .withIndex("by_token_hash", (q) => q.eq("token_hash", args.token_hash))
+        .first();
+    if (row === null) {
+        // Nothing to revoke — treat as no-op (idempotent)
+        return;
+    }
+    await ctx.db.patch(row._id, { revokedAt: Date.now() });
+}
+// ---------------------------------------------------------------------------
 // Handler functions — exported separately for unit testing
 // ---------------------------------------------------------------------------
 export async function upsertTemplateHandler(ctx, args) {
@@ -172,3 +208,37 @@ export const _write_audit = internalMutation({
     returns: v.id("render_audit"),
     handler: writeAuditHandler,
 });
+// ---------------------------------------------------------------------------
+// Token lifecycle — Convex registrations (public; called by host app wrapper)
+// ---------------------------------------------------------------------------
+/**
+ * Issue a new tenant token.  The dashboard team calls this via their host
+ * app's api.docForge.issueTenantToken wrapper.
+ *
+ * Security: only `token_hash` (sha256 hex of the raw bearer) is persisted —
+ * the raw bearer must NEVER be passed to or stored in Convex.
+ */
+export const issue_tenant_token = mutation({
+    args: {
+        token_hash: v.string(),
+        org_id: v.string(),
+        role: v.union(v.literal("admin"), v.literal("readonly")),
+    },
+    returns: v.null(),
+    handler: async (ctx, args) => {
+        await issueTenantTokenHandler(ctx, args);
+        return null;
+    },
+});
+/**
+ * Revoke a tenant token by its hash.  Sets `revokedAt`; the row is kept for
+ * audit purposes.  After revocation `resolve_tenant_token` returns null.
+ */
+export const revoke_tenant_token = mutation({
+    args: { token_hash: v.string() },
+    returns: v.null(),
+    handler: async (ctx, args) => {
+        await revokeTenantTokenHandler(ctx, args);
+        return null;
+    },
+});

package/dist/queries.d.ts

@@ -1,4 +1,10 @@
 import type { Id } from "./_generated/dataModel";
+export declare function resolveTenantTokenHandler(ctx: AnyCtx, args: {
+    token_hash: string;
+}): Promise<{
+    org_id: string;
+    role: "admin" | "readonly";
+} | null>;
 type AnyCtx = any;
 export declare function listTemplatesHandler(ctx: AnyCtx, args: {
     tenant_id: string;
@@ -26,5 +32,11 @@ export declare const list_render_history: import("convex/server").RegisteredQuer
     template_id?: Id<"templates">;
     since?: number;
 }, Promise<any[]>>;
+export declare const resolve_tenant_token: import("convex/server").RegisteredQuery<"public", {
+    token_hash: string;
+}, Promise<{
+    org_id: string;
+    role: "admin" | "readonly";
+} | null>>;
 export {};
 //# sourceMappingURL=queries.d.ts.map

package/dist/queries.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"queries.d.ts","sourceRoot":"","sources":["../src/queries.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,EAAE,EAAE,MAAM,wBAAwB,CAAC;AAGjD,KAAK,MAAM,GAAG,GAAG,CAAC;AAMlB,wBAAsB,oBAAoB,CACxC,GAAG,EAAE,MAAM,EACX,IAAI,EAAE;IAAE,SAAS,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,YAAY,CAAA;CAAE,kBAsBhE;AAED,wBAAsB,kBAAkB,CACtC,GAAG,EAAE,MAAM,EACX,IAAI,EAAE;IAAE,WAAW,EAAE,EAAE,CAAC,WAAW,CAAC,CAAA;CAAE,gBAGvC;AAED,wBAAsB,wBAAwB,CAC5C,GAAG,EAAE,MAAM,EACX,IAAI,EAAE;IAAE,SAAS,EAAE,MAAM,CAAC;IAAC,WAAW,CAAC,EAAE,EAAE,CAAC,WAAW,CAAC,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,kBA0B3E;AAMD,eAAO,MAAM,cAAc;eAjEN,MAAM;WAAS,MAAM;WAAS,YAAY;kBA8F7D,CAAC;AAEH,eAAO,MAAM,YAAY;iBAtEF,EAAE,CAAC,WAAW,CAAC;gBAgGpC,CAAC;AAEH,eAAO,MAAM,mBAAmB;eA3FX,MAAM;kBAAgB,EAAE,CAAC,WAAW,CAAC;YAAU,MAAM;kBAsHxE,CAAC"}
+{"version":3,"file":"queries.d.ts","sourceRoot":"","sources":["../src/queries.ts"],"names":[],"mappings":"AAGA,OAAO,KAAK,EAAE,EAAE,EAAE,MAAM,wBAAwB,CAAC;AAMjD,wBAAsB,yBAAyB,CAC7C,GAAG,EAAE,MAAM,EACX,IAAI,EAAE;IAAE,UAAU,EAAE,MAAM,CAAA;CAAE,GAC3B,OAAO,CAAC;IAAE,MAAM,EAAE,MAAM,CAAC;IAAC,IAAI,EAAE,OAAO,GAAG,UAAU,CAAA;CAAE,GAAG,IAAI,CAAC,CAUhE;AAID,KAAK,MAAM,GAAG,GAAG,CAAC;AAMlB,wBAAsB,oBAAoB,CACxC,GAAG,EAAE,MAAM,EACX,IAAI,EAAE;IAAE,SAAS,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,MAAM,CAAC;IAAC,IAAI,CAAC,EAAE,YAAY,CAAA;CAAE,kBAsBhE;AAED,wBAAsB,kBAAkB,CACtC,GAAG,EAAE,MAAM,EACX,IAAI,EAAE;IAAE,WAAW,EAAE,EAAE,CAAC,WAAW,CAAC,CAAA;CAAE,gBAGvC;AAED,wBAAsB,wBAAwB,CAC5C,GAAG,EAAE,MAAM,EACX,IAAI,EAAE;IAAE,SAAS,EAAE,MAAM,CAAC;IAAC,WAAW,CAAC,EAAE,EAAE,CAAC,WAAW,CAAC,CAAC;IAAC,KAAK,CAAC,EAAE,MAAM,CAAA;CAAE,kBA0B3E;AAMD,eAAO,MAAM,cAAc;eAjEN,MAAM;WAAS,MAAM;WAAS,YAAY;kBA8F7D,CAAC;AAEH,eAAO,MAAM,YAAY;iBAtEF,EAAE,CAAC,WAAW,CAAC;gBAgGpC,CAAC;AAEH,eAAO,MAAM,mBAAmB;eA3FX,MAAM;kBAAgB,EAAE,CAAC,WAAW,CAAC;YAAU,MAAM;kBAsHxE,CAAC;AAMH,eAAO,MAAM,oBAAoB;gBApLX,MAAM;;YACP,MAAM;UAAQ,OAAO,GAAG,UAAU;UA6LrD,CAAC"}

package/dist/queries.js

@@ -2,6 +2,19 @@
 import { v } from "convex/values";
 import { query } from "./_generated/server";
 // ---------------------------------------------------------------------------
+// resolve_tenant_token — dynamic token table primary lookup
+// ---------------------------------------------------------------------------
+export async function resolveTenantTokenHandler(ctx, args) {
+    const row = await ctx.db
+        .query("doc_forge_tenant_tokens")
+        .withIndex("by_token_hash", (q) => q.eq("token_hash", args.token_hash))
+        .first();
+    // No row found OR row has been revoked → return null (token rejected)
+    if (row === null || row.revokedAt !== undefined)
+        return null;
+    return { org_id: row.org_id, role: row.role };
+}
+// ---------------------------------------------------------------------------
 // Handler functions — exported separately for unit testing
 // ---------------------------------------------------------------------------
 export async function listTemplatesHandler(ctx, args) {
@@ -115,3 +128,14 @@ export const list_render_history = query({
     })),
     handler: listRenderHistoryHandler,
 });
+// ---------------------------------------------------------------------------
+// resolve_tenant_token — Convex registration
+// ---------------------------------------------------------------------------
+export const resolve_tenant_token = query({
+    args: { token_hash: v.string() },
+    returns: v.union(v.object({
+        org_id: v.string(),
+        role: v.union(v.literal("admin"), v.literal("readonly")),
+    }), v.null()),
+    handler: resolveTenantTokenHandler,
+});

package/dist/schema.d.ts

@@ -1,14 +1,39 @@
 /**
  * Internal schema for the @vantageos/convex-doc-forge component.
  *
- * Three tables:
- *  - templates   : template metadata + asset reference
- *  - render_jobs : per-render job tracking (status machine)
- *  - render_audit: immutable audit log (who/when/what)
+ * Four tables:
+ *  - templates             : template metadata + asset reference
+ *  - render_jobs           : per-render job tracking (status machine)
+ *  - render_audit          : immutable audit log (who/when/what)
+ *  - doc_forge_tenant_tokens: dynamic tenant token registry (sha256 hashes only,
+ *                             NEVER the raw bearer token).  Written by the dashboard
+ *                             team via the host app's api.docForge.* wrapper;
+ *                             read by the MCP server's auth layer.
  */
 declare const _default: import("convex/server").SchemaDefinition<{
+    /**
+     * Tenant API token registry.
+     * Security invariant: token_hash is a sha256 hex digest of the raw bearer.
+     * The raw bearer is NEVER stored here or logged anywhere.
+     */
+    doc_forge_tenant_tokens: import("convex/server").TableDefinition<import("convex/values").VObject<{
+        revokedAt?: number | undefined;
+        token_hash: string;
+        org_id: string;
+        role: "admin" | "readonly";
+        createdAt: number;
+    }, {
+        token_hash: import("convex/values").VString<string, "required">;
+        org_id: import("convex/values").VString<string, "required">;
+        role: import("convex/values").VUnion<"admin" | "readonly", [import("convex/values").VLiteral<"admin", "required">, import("convex/values").VLiteral<"readonly", "required">], "required", never>;
+        createdAt: import("convex/values").VFloat64<number, "required">;
+        revokedAt: import("convex/values").VFloat64<number | undefined, "optional">;
+    }, "required", "token_hash" | "org_id" | "role" | "createdAt" | "revokedAt">, {
+        by_token_hash: ["token_hash", "_creationTime"];
+    }, {}, {}>;
     templates: import("convex/server").TableDefinition<import("convex/values").VObject<{
         metadata?: Record<string, string> | undefined;
+        createdAt: number;
         name: string;
         team: string;
         tenant_id: string;
@@ -18,7 +43,6 @@ declare const _default: import("convex/server").SchemaDefinition<{
         asset_storage_id: import("convex/values").GenericId<"_storage">;
         output_formats: string[];
         version: string;
-        createdAt: number;
         updatedAt: number;
     }, {
         name: import("convex/values").VString<string, "required">;
@@ -33,7 +57,7 @@ declare const _default: import("convex/server").SchemaDefinition<{
         version: import("convex/values").VString<string, "required">;
         createdAt: import("convex/values").VFloat64<number, "required">;
         updatedAt: import("convex/values").VFloat64<number, "required">;
-    }, "required", "name" | "team" | "tenant_id" | "template_type" | "renderer_kind" | "input_schema" | "asset_storage_id" | "output_formats" | "metadata" | "version" | "createdAt" | "updatedAt" | `metadata.${string}`>, {
+    }, "required", "createdAt" | "name" | "team" | "tenant_id" | "template_type" | "renderer_kind" | "input_schema" | "asset_storage_id" | "output_formats" | "metadata" | "version" | "updatedAt" | `metadata.${string}`>, {
         by_tenant: ["tenant_id", "_creationTime"];
         by_tenant_team: ["tenant_id", "team", "_creationTime"];
         by_tenant_type: ["tenant_id", "template_type", "_creationTime"];
@@ -42,8 +66,8 @@ declare const _default: import("convex/server").SchemaDefinition<{
         output_storage_id?: import("convex/values").GenericId<"_storage"> | undefined;
         error?: string | undefined;
         completedAt?: number | undefined;
-        tenant_id: string;
         createdAt: number;
+        tenant_id: string;
         template_id: import("convex/values").GenericId<"templates">;
         context: any;
         output_format: string;
@@ -60,14 +84,14 @@ declare const _default: import("convex/server").SchemaDefinition<{
         createdAt: import("convex/values").VFloat64<number, "required">;
         completedAt: import("convex/values").VFloat64<number | undefined, "optional">;
         createdBy: import("convex/values").VString<string, "required">;
-    }, "required", "tenant_id" | "createdAt" | "template_id" | "context" | "output_format" | "status" | "output_storage_id" | "error" | "completedAt" | "createdBy" | `context.${string}`>, {
+    }, "required", "createdAt" | "tenant_id" | "template_id" | "context" | "output_format" | "status" | "output_storage_id" | "error" | "completedAt" | "createdBy" | `context.${string}`>, {
         by_tenant: ["tenant_id", "_creationTime"];
         by_template: ["template_id", "createdAt", "_creationTime"];
         by_tenant_status: ["tenant_id", "status", "_creationTime"];
     }, {}, {}>;
     render_audit: import("convex/server").TableDefinition<import("convex/values").VObject<{
-        tenant_id: string;
         createdAt: number;
+        tenant_id: string;
         template_id: import("convex/values").GenericId<"templates">;
         render_job_id: import("convex/values").GenericId<"render_jobs">;
         template_version: string;
@@ -87,7 +111,7 @@ declare const _default: import("convex/server").SchemaDefinition<{
         actor: import("convex/values").VString<string, "required">;
         source: import("convex/values").VUnion<"manual" | "workflow" | "agent", [import("convex/values").VLiteral<"manual", "required">, import("convex/values").VLiteral<"workflow", "required">, import("convex/values").VLiteral<"agent", "required">], "required", never>;
         createdAt: import("convex/values").VFloat64<number, "required">;
-    }, "required", "tenant_id" | "createdAt" | "template_id" | "render_job_id" | "template_version" | "context_hash" | "output_signed_url" | "expires_at" | "actor" | "source">, {
+    }, "required", "createdAt" | "tenant_id" | "template_id" | "render_job_id" | "template_version" | "context_hash" | "output_signed_url" | "expires_at" | "actor" | "source">, {
         by_tenant: ["tenant_id", "_creationTime"];
         by_template: ["template_id", "createdAt", "_creationTime"];
         by_job: ["render_job_id", "_creationTime"];

package/dist/schema.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"schema.d.ts","sourceRoot":"","sources":["../src/schema.ts"],"names":[],"mappings":"AAGA;;;;;;;GAOG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AACH,wBA+DG"}
+{"version":3,"file":"schema.d.ts","sourceRoot":"","sources":["../src/schema.ts"],"names":[],"mappings":"AAGA;;;;;;;;;;;GAWG;;IAEF;;;;OAIG;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AALJ,wBA4EG"}

package/dist/schema.js

@@ -3,19 +3,35 @@ import { v } from "convex/values";
 /**
  * Internal schema for the @vantageos/convex-doc-forge component.
  *
- * Three tables:
- *  - templates   : template metadata + asset reference
- *  - render_jobs : per-render job tracking (status machine)
- *  - render_audit: immutable audit log (who/when/what)
+ * Four tables:
+ *  - templates             : template metadata + asset reference
+ *  - render_jobs           : per-render job tracking (status machine)
+ *  - render_audit          : immutable audit log (who/when/what)
+ *  - doc_forge_tenant_tokens: dynamic tenant token registry (sha256 hashes only,
+ *                             NEVER the raw bearer token).  Written by the dashboard
+ *                             team via the host app's api.docForge.* wrapper;
+ *                             read by the MCP server's auth layer.
  */
 export default defineSchema({
+    /**
+     * Tenant API token registry.
+     * Security invariant: token_hash is a sha256 hex digest of the raw bearer.
+     * The raw bearer is NEVER stored here or logged anywhere.
+     */
+    doc_forge_tenant_tokens: defineTable({
+        token_hash: v.string(), // sha256 hex of the bearer token — NEVER the raw token
+        org_id: v.string(), // canonical tenant id (== Clerk org_id)
+        role: v.union(v.literal("admin"), v.literal("readonly")),
+        createdAt: v.number(),
+        revokedAt: v.optional(v.number()), // set on revoke; presence means the token is dead
+    }).index("by_token_hash", ["token_hash"]),
     templates: defineTable({
         name: v.string(),
         team: v.string(),
         tenant_id: v.string(), // Clerk org ID
         template_type: v.literal("doc-binary"),
         renderer_kind: v.union(v.literal("docxtpl"), v.literal("python-pptx"), v.literal("jinja2-html")),
-        input_schema: v.string(), // JSON Schema serialized as a JSON string (avoids $-key rejection)
+        input_schema: v.string(), // JSON Schema serialized as a JSON string (avoids $-key rejection). The component stores this value as-is — NO runtime JSON-Schema validation is performed here. Conformance of caller-supplied context against this schema is delegated upstream (MCP-server Zod layer) and enforced by the renderer, which rejects malformed context.
         asset_storage_id: v.id("_storage"),
         output_formats: v.array(v.string()),
         metadata: v.optional(v.record(v.string(), v.string())),
@@ -29,7 +45,7 @@ export default defineSchema({
     render_jobs: defineTable({
         template_id: v.id("templates"),
         tenant_id: v.string(),
-        context: v.any(), // Caller-supplied JSON matching template.input_schema
+        context: v.any(), // Caller-supplied render context (any JSON value). The component does NOT validate this against template.input_schema at the Convex layer — validation boundary is the upstream MCP-server Zod schema and the Python renderer.
         output_format: v.string(),
         status: v.union(v.literal("queued"), v.literal("rendering"), v.literal("done"), v.literal("failed")),
         output_storage_id: v.optional(v.id("_storage")),

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@vantageos/convex-doc-forge",
-  "version": "0.1.3",
+  "version": "0.1.4",
   "description": "Convex component — data layer for VantageDocForge (templates, render jobs, audit)",
   "type": "module",
   "main": "./dist/index.js",