From 6858ec2a5793f8982daab349986c71b80666e11e Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Mon, 8 Jun 2026 11:10:27 +0530
Subject: [PATCH 01/39] feat(authz): replace bespoke FGA with embedded OpenFGA
 ReBAC engine

Remove the not-yet-rolled-out Resource/Scope/Policy/Permission engine
(#607/#610/#611) and replace it with an OpenFGA-backed ReBAC engine.

- AuthorizationEngine SPI (internal/authorization/engine) with an embedded
  OpenFGA implementation (memory/sqlite/postgres/mysql datastores) plus
  external-mode flag scaffolding.
- GraphQL: admin _fga_write_model/_fga_get_model/_fga_write_tuples/
  _fga_delete_tuples/_fga_read_tuples and runtime fga_check/fga_batch_check/
  fga_list_objects (runtime principal pinned to the token subject).
- required_relations on session/validate_session/validate_jwt_token;
  coarse roles/scope gating unchanged.
- Dashboard FGA admin UI: authorization model editor, relationship tuples,
  access tester.
- Standardize the SQLite driver on modernc.org/sqlite via a local GORM
  dialect so the embedded OpenFGA SQL datastore links without a duplicate
  database/sql "sqlite" registration.

Flags: --authorization-engine, --fga-mode, --fga-store, --fga-store-url,
--fga-external-url.
---
 cmd/root.go                                   |    91 +-
 go.mod                                        |   101 +-
 go.sum                                        |   371 +-
 internal/authorization/cache.go               |    91 -
 internal/authorization/cache_test.go          |    77 -
 internal/authorization/engine/engine.go       |   143 +
 .../engine/openfga/datastore_sql.go           |    71 +
 .../engine/openfga/datastore_sqlite_test.go   |    95 +
 .../authorization/engine/openfga/openfga.go   |   223 +
 .../engine/openfga/openfga_test.go            |   165 +
 .../engine/openfga/operations.go              |   263 +
 internal/authorization/evaluator.go           |   581 -
 internal/authorization/provider.go            |   102 -
 internal/authorization/validators.go          |    22 -
 internal/config/config.go                     |    23 +
 internal/constants/audit_event.go             |    43 +-
 internal/constants/authorization.go           |    38 -
 internal/graph/generated/generated.go         | 16767 ++++++----------
 internal/graph/model/models_gen.go            |   237 +-
 internal/graph/schema.graphqls                |   256 +-
 internal/graph/schema.resolvers.go            |    93 +-
 internal/graphql/authz_add_permission.go      |   176 -
 internal/graphql/authz_add_policy.go          |   122 -
 internal/graphql/authz_add_resource.go        |    69 -
 internal/graphql/authz_add_scope.go           |    69 -
 internal/graphql/authz_delete_permission.go   |    65 -
 internal/graphql/authz_delete_policy.go       |    54 -
 internal/graphql/authz_delete_resource.go     |    52 -
 internal/graphql/authz_delete_scope.go        |    52 -
 internal/graphql/authz_permissions.go         |    97 -
 internal/graphql/authz_policies.go            |    46 -
 internal/graphql/authz_resources.go           |    41 -
 internal/graphql/authz_scopes.go              |    41 -
 internal/graphql/authz_update_permission.go   |   239 -
 internal/graphql/authz_update_policy.go       |   126 -
 internal/graphql/authz_update_resource.go     |    76 -
 internal/graphql/authz_update_scope.go        |    76 -
 internal/graphql/fga_admin.go                 |   226 +
 internal/graphql/fga_relation_check.go        |    49 +
 internal/graphql/fga_runtime.go               |   164 +
 internal/graphql/permission_check.go          |    67 -
 internal/graphql/permissions.go               |    62 -
 internal/graphql/policy_targets.go            |    47 -
 internal/graphql/policy_targets_test.go       |    61 -
 internal/graphql/provider.go                  |    82 +-
 internal/graphql/session.go                   |     7 +-
 internal/graphql/validate_jwt_token.go        |     9 +-
 internal/graphql/validate_session.go          |     7 +-
 internal/http_handlers/graphql.go             |     2 +-
 internal/http_handlers/provider.go            |    10 +-
 .../integration_tests/authorization_test.go   |  1114 -
 .../authz_cache_invalidation_test.go          |   162 -
 .../authz_pagination_test.go                  |   220 -
 internal/integration_tests/fga_test.go        |   350 +
 internal/integration_tests/metrics_test.go    |    29 -
 .../integration_tests/permissions_test.go     |   119 -
 .../required_permissions_test.go              |   276 -
 internal/integration_tests/test_helper.go     |    19 -
 internal/metrics/metrics.go                   |    86 -
 internal/storage/db/arangodb/permission.go    |   363 -
 internal/storage/db/arangodb/policy.go        |   191 -
 internal/storage/db/arangodb/provider.go      |   155 -
 internal/storage/db/arangodb/resource.go      |   155 -
 internal/storage/db/arangodb/scope.go         |   155 -
 internal/storage/db/cassandradb/permission.go |   423 -
 internal/storage/db/cassandradb/policy.go     |   221 -
 internal/storage/db/cassandradb/provider.go   |   104 -
 internal/storage/db/cassandradb/resource.go   |   144 -
 internal/storage/db/cassandradb/scope.go      |   144 -
 internal/storage/db/couchbase/permission.go   |   429 -
 internal/storage/db/couchbase/policy.go       |   223 -
 internal/storage/db/couchbase/provider.go     |    32 -
 internal/storage/db/couchbase/resource.go     |   177 -
 internal/storage/db/couchbase/scope.go        |   177 -
 internal/storage/db/dynamodb/permission.go    |   318 -
 internal/storage/db/dynamodb/policy.go        |   156 -
 internal/storage/db/dynamodb/resource.go      |   122 -
 internal/storage/db/dynamodb/scope.go         |   121 -
 internal/storage/db/dynamodb/tables.go        |    68 -
 internal/storage/db/mongodb/permission.go     |   325 -
 internal/storage/db/mongodb/policy.go         |   153 -
 internal/storage/db/mongodb/provider.go       |    90 -
 internal/storage/db/mongodb/resource.go       |   112 -
 internal/storage/db/mongodb/scope.go          |   112 -
 internal/storage/db/sql/permission.go         |   250 -
 internal/storage/db/sql/policy.go             |   122 -
 internal/storage/db/sql/provider.go           |     4 +-
 internal/storage/db/sql/resource.go           |    93 -
 internal/storage/db/sql/scope.go              |    93 -
 .../storage/db/sql/sqlitedialect/ddlmod.go    |   296 +
 .../storage/db/sql/sqlitedialect/errors.go    |     7 +
 .../storage/db/sql/sqlitedialect/migrator.go  |   406 +
 .../storage/db/sql/sqlitedialect/sqlite.go    |   298 +
 internal/storage/provider.go                  |    95 -
 internal/storage/provider_test.go             |   841 -
 internal/storage/schemas/model.go             |    16 -
 internal/storage/schemas/permission.go        |   112 -
 internal/storage/schemas/policy.go            |    73 -
 internal/storage/schemas/resource.go          |    33 -
 internal/storage/schemas/scope.go             |    33 -
 .../src/components/FgaNotEnabled.tsx          |    26 +
 web/dashboard/src/components/Sidebar.tsx      |   115 +-
 web/dashboard/src/graphql/mutation/index.ts   |   143 +-
 web/dashboard/src/graphql/queries/index.ts    |   142 +-
 web/dashboard/src/lib/utils.ts                |    12 +
 web/dashboard/src/pages/Authorization.tsx     |    68 -
 .../src/pages/authorization/Model.tsx         |   157 +
 .../src/pages/authorization/Permissions.tsx   |   580 -
 .../src/pages/authorization/Policies.tsx      |   506 -
 .../src/pages/authorization/Resources.tsx     |   314 -
 .../src/pages/authorization/Scopes.tsx        |   308 -
 .../src/pages/authorization/Tester.tsx        |   243 +
 .../src/pages/authorization/Tuples.tsx        |   317 +
 web/dashboard/src/routes/index.tsx            |    17 +-
 web/dashboard/src/types.ts                    |    78 +-
 115 files changed, 11028 insertions(+), 23862 deletions(-)
 delete mode 100644 internal/authorization/cache.go
 delete mode 100644 internal/authorization/cache_test.go
 create mode 100644 internal/authorization/engine/engine.go
 create mode 100644 internal/authorization/engine/openfga/datastore_sql.go
 create mode 100644 internal/authorization/engine/openfga/datastore_sqlite_test.go
 create mode 100644 internal/authorization/engine/openfga/openfga.go
 create mode 100644 internal/authorization/engine/openfga/openfga_test.go
 create mode 100644 internal/authorization/engine/openfga/operations.go
 delete mode 100644 internal/authorization/evaluator.go
 delete mode 100644 internal/authorization/provider.go
 delete mode 100644 internal/authorization/validators.go
 delete mode 100644 internal/constants/authorization.go
 delete mode 100644 internal/graphql/authz_add_permission.go
 delete mode 100644 internal/graphql/authz_add_policy.go
 delete mode 100644 internal/graphql/authz_add_resource.go
 delete mode 100644 internal/graphql/authz_add_scope.go
 delete mode 100644 internal/graphql/authz_delete_permission.go
 delete mode 100644 internal/graphql/authz_delete_policy.go
 delete mode 100644 internal/graphql/authz_delete_resource.go
 delete mode 100644 internal/graphql/authz_delete_scope.go
 delete mode 100644 internal/graphql/authz_permissions.go
 delete mode 100644 internal/graphql/authz_policies.go
 delete mode 100644 internal/graphql/authz_resources.go
 delete mode 100644 internal/graphql/authz_scopes.go
 delete mode 100644 internal/graphql/authz_update_permission.go
 delete mode 100644 internal/graphql/authz_update_policy.go
 delete mode 100644 internal/graphql/authz_update_resource.go
 delete mode 100644 internal/graphql/authz_update_scope.go
 create mode 100644 internal/graphql/fga_admin.go
 create mode 100644 internal/graphql/fga_relation_check.go
 create mode 100644 internal/graphql/fga_runtime.go
 delete mode 100644 internal/graphql/permission_check.go
 delete mode 100644 internal/graphql/permissions.go
 delete mode 100644 internal/graphql/policy_targets.go
 delete mode 100644 internal/graphql/policy_targets_test.go
 delete mode 100644 internal/integration_tests/authorization_test.go
 delete mode 100644 internal/integration_tests/authz_cache_invalidation_test.go
 delete mode 100644 internal/integration_tests/authz_pagination_test.go
 create mode 100644 internal/integration_tests/fga_test.go
 delete mode 100644 internal/integration_tests/permissions_test.go
 delete mode 100644 internal/integration_tests/required_permissions_test.go
 delete mode 100644 internal/storage/db/arangodb/permission.go
 delete mode 100644 internal/storage/db/arangodb/policy.go
 delete mode 100644 internal/storage/db/arangodb/resource.go
 delete mode 100644 internal/storage/db/arangodb/scope.go
 delete mode 100644 internal/storage/db/cassandradb/permission.go
 delete mode 100644 internal/storage/db/cassandradb/policy.go
 delete mode 100644 internal/storage/db/cassandradb/resource.go
 delete mode 100644 internal/storage/db/cassandradb/scope.go
 delete mode 100644 internal/storage/db/couchbase/permission.go
 delete mode 100644 internal/storage/db/couchbase/policy.go
 delete mode 100644 internal/storage/db/couchbase/resource.go
 delete mode 100644 internal/storage/db/couchbase/scope.go
 delete mode 100644 internal/storage/db/dynamodb/permission.go
 delete mode 100644 internal/storage/db/dynamodb/policy.go
 delete mode 100644 internal/storage/db/dynamodb/resource.go
 delete mode 100644 internal/storage/db/dynamodb/scope.go
 delete mode 100644 internal/storage/db/mongodb/permission.go
 delete mode 100644 internal/storage/db/mongodb/policy.go
 delete mode 100644 internal/storage/db/mongodb/resource.go
 delete mode 100644 internal/storage/db/mongodb/scope.go
 delete mode 100644 internal/storage/db/sql/permission.go
 delete mode 100644 internal/storage/db/sql/policy.go
 delete mode 100644 internal/storage/db/sql/resource.go
 delete mode 100644 internal/storage/db/sql/scope.go
 create mode 100644 internal/storage/db/sql/sqlitedialect/ddlmod.go
 create mode 100644 internal/storage/db/sql/sqlitedialect/errors.go
 create mode 100644 internal/storage/db/sql/sqlitedialect/migrator.go
 create mode 100644 internal/storage/db/sql/sqlitedialect/sqlite.go
 delete mode 100644 internal/storage/schemas/permission.go
 delete mode 100644 internal/storage/schemas/policy.go
 delete mode 100644 internal/storage/schemas/resource.go
 delete mode 100644 internal/storage/schemas/scope.go
 create mode 100644 web/dashboard/src/components/FgaNotEnabled.tsx
 delete mode 100644 web/dashboard/src/pages/Authorization.tsx
 create mode 100644 web/dashboard/src/pages/authorization/Model.tsx
 delete mode 100644 web/dashboard/src/pages/authorization/Permissions.tsx
 delete mode 100644 web/dashboard/src/pages/authorization/Policies.tsx
 delete mode 100644 web/dashboard/src/pages/authorization/Resources.tsx
 delete mode 100644 web/dashboard/src/pages/authorization/Scopes.tsx
 create mode 100644 web/dashboard/src/pages/authorization/Tester.tsx
 create mode 100644 web/dashboard/src/pages/authorization/Tuples.tsx

diff --git a/cmd/root.go b/cmd/root.go
index c331e09b..3a917167 100644
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -15,12 +15,12 @@ import (
 
 	"github.com/authorizerdev/authorizer/internal/audit"
 	"github.com/authorizerdev/authorizer/internal/authenticators"
-	"github.com/authorizerdev/authorizer/internal/authorization"
+	"github.com/authorizerdev/authorizer/internal/authorization/engine"
+	fgaengine "github.com/authorizerdev/authorizer/internal/authorization/engine/openfga"
 	"github.com/authorizerdev/authorizer/internal/config"
 	"github.com/authorizerdev/authorizer/internal/constants"
 	"github.com/authorizerdev/authorizer/internal/email"
 	"github.com/authorizerdev/authorizer/internal/events"
-	"github.com/authorizerdev/authorizer/internal/graph/model"
 	"github.com/authorizerdev/authorizer/internal/http_handlers"
 	"github.com/authorizerdev/authorizer/internal/memory_store"
 	"github.com/authorizerdev/authorizer/internal/metrics"
@@ -242,6 +242,14 @@ func init() {
 	f.BoolVar(&rootArgs.config.IncludePermissionsInToken, "include-permissions-in-token", false, "Include permissions in JWT access tokens")
 	f.BoolVar(&rootArgs.config.AuthorizationLogAllChecks, "authorization-log-all-checks", false, "Audit log all permission checks, not just denials")
 
+	// OpenFGA / FGA engine flags (Phase 1 — additive; the FGA engine is
+	// selectable but not yet the default)
+	f.StringVar(&rootArgs.config.AuthorizationEngine, "authorization-engine", "policy", "Authorization backend: 'policy' (existing resource/scope/policy engine, default) or 'fga' (OpenFGA ReBAC engine)")
+	f.StringVar(&rootArgs.config.FGAMode, "fga-mode", "embedded", "OpenFGA run mode: 'embedded' (in-process, default) or 'external' (standalone OpenFGA service)")
+	f.StringVar(&rootArgs.config.FGAStore, "fga-store", "memory", "OpenFGA datastore: 'memory' (dev/tests, default), 'sqlite' (single-node), 'postgres' or 'mysql' (HA)")
+	f.StringVar(&rootArgs.config.FGAStoreURL, "fga-store-url", "", "OpenFGA datastore connection URI (file: URI for sqlite, DSN for postgres/mysql)")
+	f.StringVar(&rootArgs.config.FGAExternalURL, "fga-external-url", "", "gRPC URL of an external OpenFGA service (used when --fga-mode=external)")
+
 	// Deprecated flags
 	f.MarkDeprecated("database_url", "use --database-url instead")
 	f.MarkDeprecated("database_type", "use --database-type instead")
@@ -462,34 +470,55 @@ func runRoot(c *cobra.Command, args []string) {
 	}
 	defer rateLimitProvider.Close()
 
-	// Authorization provider
-	authorizationProvider, err := authorization.New(
-		&authorization.Config{
-			CacheTTL: rootArgs.config.AuthorizationCacheTTL,
-		},
-		&authorization.Dependencies{
-			Log:                 &log,
-			StorageProvider:     storageProvider,
-			MemoryStoreProvider: memoryStoreProvider,
-		},
-	)
-	if err != nil {
-		log.Fatal().Err(err).Msg("failed to create authorization provider")
-	}
-
-	// Check once at startup whether any permissions exist. If zero, emit a
-	// loud warn so operators don't lock themselves out in prod. Bounded
-	// context prevents a hung DB at boot from blocking startup indefinitely.
-	probeCtx, probeCancel := context.WithTimeout(context.Background(), 5*time.Second)
-	_, pr, lerr := storageProvider.ListPermissions(probeCtx, &model.Pagination{Limit: 1, Page: 1})
-	probeCancel()
-	switch {
-	case lerr != nil:
-		log.Warn().Err(lerr).Msg("authz: failed to probe permission count at startup; authorization is enforcing")
-	case pr != nil && pr.Total == 0:
-		log.Warn().Msg("authz: 0 permissions configured — all authorization checks will DENY. Seed permissions via the dashboard or admin GraphQL mutations.")
-	default:
-		log.Info().Msg("authz: enforcing; unmatched CheckPermission calls will be DENIED.")
+	// OpenFGA authorization engine (Phase 1 — additive).
+	//
+	// This is constructed only when --authorization-engine=fga. The FGA engine
+	// is selectable but is not yet routed into the request path — later phases
+	// wire it into GraphQL and session/validate.
+	//
+	// Embedded mode runs the OpenFGA server in-process. For single-node/dev
+	// (memory or sqlite) migrations may run on boot; HA/serverless must run
+	// migrations as a separate init job (see FGA_OPENFGA_MIGRATION_PLAN.md §2.1)
+	// and must use an external SQL store.
+	// authzEngine is threaded into the HTTP/GraphQL providers below. It stays nil
+	// unless --authorization-engine=fga (and embedded mode initializes cleanly).
+	// Resolvers fail closed when it is nil.
+	var authzEngine engine.AuthorizationEngine
+	if strings.EqualFold(rootArgs.config.AuthorizationEngine, "fga") {
+		switch strings.ToLower(strings.TrimSpace(rootArgs.config.FGAMode)) {
+		case "", "embedded":
+			// Run migrations on boot only for single-node embedded SQL stores.
+			// memory needs none; postgres/mysql (HA) must migrate out-of-band.
+			runMigrations := strings.EqualFold(rootArgs.config.FGAStore, fgaengine.StoreSQLite)
+			fgaEngine, ferr := fgaengine.New(
+				&fgaengine.Config{
+					Store:         rootArgs.config.FGAStore,
+					StoreURL:      rootArgs.config.FGAStoreURL,
+					StoreName:     rootArgs.config.OrganizationName,
+					RunMigrations: runMigrations,
+				},
+				&fgaengine.Dependencies{Log: &log},
+			)
+			if ferr != nil {
+				log.Fatal().Err(ferr).Msg("failed to create OpenFGA authorization engine")
+			}
+			if closer, ok := fgaEngine.(interface{ Close() }); ok {
+				defer closer.Close()
+			}
+			authzEngine = fgaEngine
+			log.Info().
+				Str("fga_mode", "embedded").
+				Str("fga_store", rootArgs.config.FGAStore).
+				Msg("OpenFGA authorization engine initialized (embedded); routed into GraphQL + session/validate")
+		case "external":
+			// External-mode wiring (gRPC client to a standalone OpenFGA
+			// service) lands in a later phase; the seam and flags exist now.
+			log.Warn().
+				Str("fga_external_url", rootArgs.config.FGAExternalURL).
+				Msg("OpenFGA external mode selected but the external client is not yet wired (Phase 1 implements the embedded engine); no FGA engine started")
+		default:
+			log.Fatal().Str("fga_mode", rootArgs.config.FGAMode).Msg("invalid --fga-mode (want 'embedded' or 'external')")
+		}
 	}
 
 	// SMS provider
@@ -542,7 +571,7 @@ func runRoot(c *cobra.Command, args []string) {
 		TokenProvider:         tokenProvider,
 		OAuthProvider:         oauthProvider,
 		RateLimitProvider:     rateLimitProvider,
-		AuthorizationProvider: authorizationProvider,
+		AuthzEngine:           authzEngine,
 	})
 	if err != nil {
 		log.Fatal().Err(err).Msg("failed to create http provider")
diff --git a/go.mod b/go.mod
index 820533ce..91990ce8 100644
--- a/go.mod
+++ b/go.mod
@@ -16,35 +16,45 @@ require (
 	github.com/couchbase/gocb/v2 v2.6.4
 	github.com/ekristen/gorm-libsql v0.0.0-20231101204708-6e113112bcc2
 	github.com/gin-gonic/gin v1.9.1
-	github.com/glebarez/sqlite v1.10.0
 	github.com/go-jose/go-jose/v4 v4.1.4
 	github.com/gocql/gocql v1.6.0
 	github.com/golang-jwt/jwt/v4 v4.5.2
 	github.com/google/uuid v1.6.0
+	github.com/openfga/api/proto v0.0.0-20260319214821-f153694bfc20
+	github.com/openfga/language/pkg/go v0.2.1
+	github.com/openfga/openfga v1.17.1
 	github.com/pquerna/otp v1.4.0
 	github.com/prometheus/client_golang v1.23.2
 	github.com/redis/go-redis/v9 v9.6.3
 	github.com/robertkrimen/otto v0.2.1
 	github.com/rs/zerolog v1.33.0
-	github.com/spf13/cobra v1.8.1
+	github.com/spf13/cobra v1.10.2
 	github.com/stretchr/testify v1.11.1
 	github.com/twilio/twilio-go v1.14.1
 	github.com/vektah/gqlparser/v2 v2.5.26
 	go.mongodb.org/mongo-driver v1.17.9
 	golang.org/x/crypto v0.52.0
-	golang.org/x/oauth2 v0.30.0
+	golang.org/x/oauth2 v0.36.0
 	golang.org/x/sync v0.20.0
 	golang.org/x/time v0.15.0
+	google.golang.org/protobuf v1.36.11
 	gopkg.in/mail.v2 v2.3.1
 	gorm.io/driver/mysql v1.5.2
 	gorm.io/driver/postgres v1.6.0
 	gorm.io/driver/sqlserver v1.5.2
 	gorm.io/gorm v1.25.10
+	modernc.org/sqlite v1.51.0
 )
 
 require (
+	cel.dev/expr v0.25.1 // indirect
+	filippo.io/edwards25519 v1.2.0 // indirect
+	github.com/IBM/pgxpoolprometheus v1.1.3 // indirect
+	github.com/Masterminds/squirrel v1.5.4 // indirect
+	github.com/Yiling-J/theine-go v0.6.2 // indirect
 	github.com/agnivade/levenshtein v1.2.1 // indirect
 	github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230512164433-5d1fd1a340c9 // indirect
+	github.com/antlr4-go/antlr/v4 v4.13.1 // indirect
 	github.com/arangodb/go-velocypack v0.0.0-20200318135517-5af53c29c67e // indirect
 	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.21 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.21 // indirect
@@ -61,62 +71,86 @@ require (
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc // indirect
 	github.com/bytedance/sonic v1.9.1 // indirect
+	github.com/cenkalti/backoff/v4 v4.3.0 // indirect
+	github.com/cenkalti/backoff/v5 v5.0.3 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/chenzhuoyu/base64x v0.0.0-20221115062448-fe3a3abad311 // indirect
 	github.com/couchbase/gocbcore/v10 v10.2.8 // indirect
-	github.com/cpuguy83/go-md2man/v2 v2.0.5 // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/cpuguy83/go-md2man/v2 v2.0.6 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f // indirect
 	github.com/dustin/go-humanize v1.0.1 // indirect
+	github.com/emirpasic/gods v1.18.1 // indirect
+	github.com/envoyproxy/protoc-gen-validate v1.3.3 // indirect
+	github.com/fsnotify/fsnotify v1.9.0 // indirect
 	github.com/gabriel-vasile/mimetype v1.4.2 // indirect
 	github.com/gin-contrib/sse v0.1.0 // indirect
-	github.com/glebarez/go-sqlite v1.21.2 // indirect
+	github.com/go-logr/logr v1.4.3 // indirect
+	github.com/go-logr/stdr v1.2.2 // indirect
 	github.com/go-playground/locales v0.14.1 // indirect
 	github.com/go-playground/universal-translator v0.18.1 // indirect
 	github.com/go-playground/validator/v10 v10.14.0 // indirect
-	github.com/go-sql-driver/mysql v1.7.0 // indirect
+	github.com/go-sql-driver/mysql v1.10.0 // indirect
 	github.com/go-viper/mapstructure/v2 v2.4.0 // indirect
 	github.com/goccy/go-json v0.10.2 // indirect
 	github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 // indirect
 	github.com/golang-sql/sqlexp v0.1.0 // indirect
 	github.com/golang/mock v1.6.0 // indirect
-	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/golang/snappy v0.0.4 // indirect
+	github.com/google/cel-go v0.28.1 // indirect
 	github.com/gorilla/websocket v1.5.0 // indirect
+	github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 // indirect
+	github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.3.3 // indirect
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.29.0 // indirect
 	github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed // indirect
+	github.com/hashicorp/errwrap v1.1.0 // indirect
+	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/hashicorp/golang-lru/v2 v2.0.7 // indirect
 	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jackc/pgpassfile v1.0.0 // indirect
 	github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 // indirect
-	github.com/jackc/pgx/v5 v5.9.2 // indirect
+	github.com/jackc/pgx/v5 v5.10.0 // indirect
 	github.com/jackc/puddle/v2 v2.2.2 // indirect
 	github.com/jinzhu/inflection v1.0.0 // indirect
 	github.com/jinzhu/now v1.1.5 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/klauspost/compress v1.18.0 // indirect
+	github.com/klauspost/compress v1.18.5 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.4 // indirect
-	github.com/kylelemons/godebug v1.1.0 // indirect
+	github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
+	github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
 	github.com/leodido/go-urn v1.2.4 // indirect
 	github.com/libsql/libsql-client-go v0.0.0-20231026052543-fce76c0f39a7 // indirect
 	github.com/libsql/sqlite-antlr4-parser v0.0.0-20230802215326-5cb5bb604475 // indirect
 	github.com/mattn/go-colorable v0.1.14 // indirect
-	github.com/mattn/go-isatty v0.0.20 // indirect
-	github.com/microsoft/go-mssqldb v1.6.0 // indirect
+	github.com/mattn/go-isatty v0.0.21 // indirect
+	github.com/mfridman/interpolate v0.0.2 // indirect
+	github.com/microsoft/go-mssqldb v1.9.8 // indirect
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
-	github.com/modern-go/reflect2 v1.0.2 // indirect
+	github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee // indirect
 	github.com/montanaflynn/stats v0.7.1 // indirect
 	github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
-	github.com/pelletier/go-toml/v2 v2.0.8 // indirect
+	github.com/natefinch/wrap v0.2.0 // indirect
+	github.com/ncruces/go-strftime v1.0.0 // indirect
+	github.com/oklog/ulid/v2 v2.1.1 // indirect
+	github.com/pelletier/go-toml/v2 v2.2.4 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
-	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/pressly/goose/v3 v3.27.1 // indirect
 	github.com/prometheus/client_model v0.6.2 // indirect
 	github.com/prometheus/common v0.66.1 // indirect
-	github.com/prometheus/procfs v0.16.1 // indirect
+	github.com/prometheus/procfs v0.20.1 // indirect
 	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
-	github.com/rogpeppe/go-internal v1.11.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
+	github.com/sagikazarmark/locafero v0.9.0 // indirect
+	github.com/sethvargo/go-retry v0.3.0 // indirect
+	github.com/shopspring/decimal v1.4.0 // indirect
 	github.com/sosodev/duration v1.3.1 // indirect
-	github.com/spf13/pflag v1.0.5 // indirect
+	github.com/sourcegraph/conc v0.3.0 // indirect
+	github.com/spf13/afero v1.15.0 // indirect
+	github.com/spf13/cast v1.10.0 // indirect
+	github.com/spf13/pflag v1.0.10 // indirect
+	github.com/spf13/viper v1.20.1 // indirect
+	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/twitchyliquid64/golang-asm v0.15.1 // indirect
 	github.com/ugorji/go/codec v1.2.11 // indirect
 	github.com/urfave/cli/v2 v2.27.6 // indirect
@@ -125,22 +159,37 @@ require (
 	github.com/xdg-go/stringprep v1.0.4 // indirect
 	github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 // indirect
 	github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78 // indirect
-	go.yaml.in/yaml/v2 v2.4.2 // indirect
+	github.com/zeebo/xxh3 v1.0.2 // indirect
+	go.opentelemetry.io/auto/sdk v1.2.1 // indirect
+	go.opentelemetry.io/otel v1.44.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.44.0 // indirect
+	go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.44.0 // indirect
+	go.opentelemetry.io/otel/metric v1.44.0 // indirect
+	go.opentelemetry.io/otel/sdk v1.44.0 // indirect
+	go.opentelemetry.io/otel/trace v1.44.0 // indirect
+	go.opentelemetry.io/proto/otlp v1.10.0 // indirect
+	go.uber.org/mock v0.6.0 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
+	go.uber.org/zap v1.28.0 // indirect
+	go.yaml.in/yaml/v2 v2.4.3 // indirect
+	go.yaml.in/yaml/v3 v3.0.4 // indirect
 	golang.org/x/arch v0.3.0 // indirect
-	golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e // indirect
+	golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f // indirect
 	golang.org/x/mod v0.35.0 // indirect
 	golang.org/x/net v0.55.0 // indirect
 	golang.org/x/sys v0.45.0 // indirect
 	golang.org/x/text v0.37.0 // indirect
 	golang.org/x/tools v0.44.0 // indirect
-	google.golang.org/protobuf v1.36.8 // indirect
+	gonum.org/v1/gonum v0.17.0 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20260526163538-3dc84a4a5aaa // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20260526163538-3dc84a4a5aaa // indirect
+	google.golang.org/grpc v1.81.1 // indirect
 	gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
 	gopkg.in/sourcemap.v1 v1.0.5 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
-	modernc.org/libc v1.22.5 // indirect
-	modernc.org/mathutil v1.5.0 // indirect
-	modernc.org/memory v1.5.0 // indirect
-	modernc.org/sqlite v1.23.1 // indirect
+	modernc.org/libc v1.72.3 // indirect
+	modernc.org/mathutil v1.7.1 // indirect
+	modernc.org/memory v1.11.0 // indirect
 	nhooyr.io/websocket v1.8.7 // indirect
 )
diff --git a/go.sum b/go.sum
index 0c3a44c6..090a4440 100644
--- a/go.sum
+++ b/go.sum
@@ -1,25 +1,45 @@
+cel.dev/expr v0.25.1 h1:1KrZg61W6TWSxuNZ37Xy49ps13NUovb66QLprthtwi4=
+cel.dev/expr v0.25.1/go.mod h1:hrXvqGP6G6gyx8UAHSHJ5RGk//1Oj5nXQ2NI02Nrsg4=
+cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
+filippo.io/edwards25519 v1.2.0 h1:crnVqOiS4jqYleHd9vaKZ+HKtHfllngJIiOpNpoJsjo=
+filippo.io/edwards25519 v1.2.0/go.mod h1:xzAOLCNug/yB62zG1bQ8uziwrIqIuxhctzJT18Q77mc=
 github.com/99designs/gqlgen v0.17.73 h1:A3Ki+rHWqKbAOlg5fxiZBnz6OjW3nwupDHEG15gEsrg=
 github.com/99designs/gqlgen v0.17.73/go.mod h1:2RyGWjy2k7W9jxrs8MOQthXGkD3L3oGr0jXW3Pu8lGg=
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.4.0/go.mod h1:ON4tFdPTwRcgWEaVDrN3584Ef+b7GgSJaXxe5fW9t4M=
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.6.0/go.mod h1:bjGvMhVMb+EEm3VRNQawDMUyMMjo+S5ewNjflkep/0Q=
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.6.1/go.mod h1:bjGvMhVMb+EEm3VRNQawDMUyMMjo+S5ewNjflkep/0Q=
-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.1 h1:/iHxaJhsFr0+xVFfbMr5vxz848jyiWuIEDhYq3y5odY=
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.7.1/go.mod h1:bjGvMhVMb+EEm3VRNQawDMUyMMjo+S5ewNjflkep/0Q=
-github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0 h1:vcYCAze6p19qBW7MhZybIsqD8sMV8js0NyQM8JDnVtg=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.21.0 h1:fou+2+WFTib47nS+nz/ozhEBnvU96bKHy6LjRsY4E28=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.21.0/go.mod h1:t76Ruy8AHvUAC8GfMWJMa0ElSbuIcO03NLpynfbgsPA=
 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.0/go.mod h1:OQeznEEkTZ9OrhHJoDD8ZDq51FHgXjqtP9z6bEwBq9U=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1 h1:Hk5QBxZQC1jb2Fwj6mpzme37xbCDdNTxU7O9eb5+LB4=
+github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.13.1/go.mod h1:IYus9qsFobWIc2YVwe/WPjcnyCkPKtnHAqUYeebc8z0=
 github.com/Azure/azure-sdk-for-go/sdk/internal v1.1.2/go.mod h1:eWRD7oawr1Mu1sLCawqVc0CUiF43ia3qQMxLscsKQ9w=
 github.com/Azure/azure-sdk-for-go/sdk/internal v1.2.0/go.mod h1:eWRD7oawr1Mu1sLCawqVc0CUiF43ia3qQMxLscsKQ9w=
-github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 h1:sXr+ck84g/ZlZUOZiNELInmMgOsuGwdjjVkEIde0OtY=
 github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0/go.mod h1:okt5dMMTOFjX/aovMlrjvvXoPMBVSPzk9185BT0+eZM=
-github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.0.0 h1:yfJe15aSwEQ6Oo6J+gdfdulPNoZ3TEhmbhLIoxZcA+U=
+github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2 h1:9iefClla7iYpfYWdzPCRDozdmndjTm8DXdpCzPajMgA=
+github.com/Azure/azure-sdk-for-go/sdk/internal v1.11.2/go.mod h1:XtLgD3ZD34DAaVIIAyG3objl5DynM3CQ/vMcbBNJZGI=
 github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.0.0/go.mod h1:Q28U+75mpCaSCDowNEmhIo/rmgdkqmkmzI7N6TGR4UY=
-github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v0.8.0 h1:T028gtTPiYt/RMUfs8nVsAL7FDQrfLlrm/NnRG/zcC4=
+github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.4.0 h1:E4MgwLBGeVB5f2MdcIVD3ELVAWpr+WD6MUe1i+tM/PA=
+github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azkeys v1.4.0/go.mod h1:Y2b/1clN4zsAoUd/pgNAQHjLDnTis/6ROkUfyob6psM=
 github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v0.8.0/go.mod h1:cw4zVQgBby0Z5f2v0itn6se2dDP17nTjbZFXW5uPyHA=
+github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.2.0 h1:nCYfgcSyHZXJI8J0IWE5MsCGlb2xp9fJiXyxWgmOFg4=
+github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/internal v1.2.0/go.mod h1:ucUjca2JtSZboY8IoUqyQyuuXvwbMBVwFOm0vdQPNhA=
 github.com/AzureAD/microsoft-authentication-library-for-go v1.0.0/go.mod h1:kgDmCTgBzIEPFElEF+FK0SdjAor06dRq2Go927dnQ6o=
-github.com/AzureAD/microsoft-authentication-library-for-go v1.1.0 h1:HCc0+LpPfpCKs6LGGLAhwBARt9632unrVcI6i8s/8os=
 github.com/AzureAD/microsoft-authentication-library-for-go v1.1.0/go.mod h1:wP83P5OoQ5p6ip3ScPr0BAq0BvuPAvacpEuSzyouqAI=
+github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0 h1:XRzhVemXdgvJqCH0sFfrBUTnUJSBrBf7++ypk+twtRs=
+github.com/AzureAD/microsoft-authentication-library-for-go v1.6.0/go.mod h1:HKpQxkWaGLJ+D/5H8QRpyQXA1eKjxkFlOMwck5+33Jk=
+github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
+github.com/IBM/pgxpoolprometheus v1.1.3 h1:LYDekhCpo0I6qBrnfZlCSDqdr8UX/ZJ2C3GwhrTSVcw=
+github.com/IBM/pgxpoolprometheus v1.1.3/go.mod h1:Q/NZpDapcg7VJQSfUfhH+KaGV7wZQk0/bFRoyinkjr8=
+github.com/Masterminds/squirrel v1.5.4 h1:uUcX/aBc8O7Fg9kaISIUsHXdKuqehiXAMQTYX8afzqM=
+github.com/Masterminds/squirrel v1.5.4/go.mod h1:NNaOrjSoIDfDA40n7sr2tPNZRfjzjA400rg+riTZj10=
+github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
+github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=
 github.com/PuerkitoBio/goquery v1.10.3 h1:pFYcNSqHxBD06Fpj/KsbStFRsgRATgnf3LeXiUkhzPo=
 github.com/PuerkitoBio/goquery v1.10.3/go.mod h1:tMUX0zDMHXYlAQk6p35XxQMqMweEKB7iK7iLNd4RH4Y=
+github.com/Yiling-J/theine-go v0.6.2 h1:1GeoXeQ0O0AUkiwj2S9Jc0Mzx+hpqzmqsJ4kIC4M9AY=
+github.com/Yiling-J/theine-go v0.6.2/go.mod h1:08QpMa5JZ2pKN+UJCRrCasWYO1IKCdl54Xa836rpmDU=
 github.com/agnivade/levenshtein v1.2.1 h1:EHBY3UOn1gwdy/VbFwgo4cxecRznFk7fKWN1KOX7eoM=
 github.com/agnivade/levenshtein v1.2.1/go.mod h1:QVVI16kDrtSuwcpd0p1+xMC6Z/VfhtCyDIjcwga4/DU=
 github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883 h1:bvNMNQO63//z+xNgfBlViaCIJKLlCJ6/fmUseuG0wVQ=
@@ -28,6 +48,8 @@ github.com/andybalholm/cascadia v1.3.3 h1:AG2YHrzJIm4BZ19iwJ/DAua6Btl3IwJX+VI4kk
 github.com/andybalholm/cascadia v1.3.3/go.mod h1:xNd9bqTn98Ln4DwST8/nG+H0yuB8Hmgu1YHNnWw0GeA=
 github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230512164433-5d1fd1a340c9 h1:goHVqTbFX3AIo0tzGr14pgfAW2ZfPChKO21Z9MGf/gk=
 github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230512164433-5d1fd1a340c9/go.mod h1:pSwJ0fSY5KhvocuWSx4fz3BA8OrA1bQn+K1Eli3BRwM=
+github.com/antlr4-go/antlr/v4 v4.13.1 h1:SqQKkuVZ+zWkMMNkjy5FZe5mr5WURWnlpmOuzYWrPrQ=
+github.com/antlr4-go/antlr/v4 v4.13.1/go.mod h1:GKmUxMtwp6ZgGwZSva4eWPC5mS6vUAmOABFgjdkM7Nw=
 github.com/arangodb/go-driver v1.6.0 h1:NFWj/idqXZxhFVueihMSI2R9NotNIsgvNfM/xmpekb4=
 github.com/arangodb/go-driver v1.6.0/go.mod h1:HQmdGkvNMVBTE3SIPSQ8T/ZddC6iwNsfMR+dDJQxIsI=
 github.com/arangodb/go-velocypack v0.0.0-20200318135517-5af53c29c67e h1:Xg+hGrY2LcQBbxd0ZFdbGSyRKTYMZCfBbw/pMJFOk1g=
@@ -73,6 +95,7 @@ github.com/aws/aws-sdk-go-v2/service/sts v1.41.10/go.mod h1:60dv0eZJfeVXfbT1tFJi
 github.com/aws/smithy-go v1.24.3 h1:XgOAaUgx+HhVBoP4v8n6HCQoTRDhoMghKqw4LNHsDNg=
 github.com/aws/smithy-go v1.24.3/go.mod h1:YE2RhdIuDbA5E5bTdciG9KrW3+TiEONeUWCqxX9i1Fc=
 github.com/beevik/etree v1.1.0/go.mod h1:r8Aw8JqVegEf0w2fDnATrX9VpkMcyFeM0FhwO62wh+A=
+github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/bitly/go-hostpool v0.0.0-20171023180738-a3a6125de932 h1:mXoPYz/Ul5HYEDvkta6I8/rnYM5gSdSV2tJ6XbZuEtY=
@@ -88,11 +111,22 @@ github.com/bsm/gomega v1.27.10/go.mod h1:JyEr/xRbxbtgWNi8tIEVPUYZ5Dzef52k01W3YH0
 github.com/bytedance/sonic v1.5.0/go.mod h1:ED5hyg4y6t3/9Ku1R6dU/4KyJ48DZ4jPhfY1O2AihPM=
 github.com/bytedance/sonic v1.9.1 h1:6iJ6NqdoxCDr6mbY8h18oSO+cShGSMRGCEo7F2h0x8s=
 github.com/bytedance/sonic v1.9.1/go.mod h1:i736AoUSYt75HyZLoJW9ERYxcy6eaN6h4BZXU064P/U=
+github.com/cenkalti/backoff/v4 v4.3.0 h1:MyRJ/UdXutAwSAT+s3wNd7MfTIcy71VQueUuFK343L8=
+github.com/cenkalti/backoff/v4 v4.3.0/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
+github.com/cenkalti/backoff/v5 v5.0.3 h1:ZN+IMa753KfX5hd8vVaMixjnqRZ3y8CuJKRKj1xcsSM=
+github.com/cenkalti/backoff/v5 v5.0.3/go.mod h1:rkhZdG3JZukswDf7f0cwqPNk4K0sa+F97BxZthm/crw=
+github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
 github.com/cespare/xxhash/v2 v2.3.0 h1:UL815xU9SqsFlibzuggzjXhog7bL6oX9BbNZnL2UFvs=
 github.com/cespare/xxhash/v2 v2.3.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/chenzhuoyu/base64x v0.0.0-20211019084208-fb5309c8db06/go.mod h1:DH46F32mSOjUmXrMHnKwZdA8wcEefY7UVqBKYGjpdQY=
 github.com/chenzhuoyu/base64x v0.0.0-20221115062448-fe3a3abad311 h1:qSGYFH7+jGhDF8vLC+iwCD4WpbV1EBDSzWkJODFLams=
 github.com/chenzhuoyu/base64x v0.0.0-20221115062448-fe3a3abad311/go.mod h1:b583jCggY9gE99b6G5LEC39OIiVsWj+R97kbl5odCEk=
+github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
+github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
+github.com/containerd/errdefs v1.0.0 h1:tg5yIfIlQIrxYtu9ajqY42W3lpS19XqdxRQeEwYG8PI=
+github.com/containerd/errdefs v1.0.0/go.mod h1:+YBYIdtsnF4Iw6nWZhJcqGSg/dwvV7tyJ/kCkyJ2k+M=
+github.com/containerd/errdefs/pkg v0.3.0 h1:9IKJ06FvyNlexW690DXuQNx2KA2cUJXx151Xdx3ZPPE=
+github.com/containerd/errdefs/pkg v0.3.0/go.mod h1:NJw6s9HwNuRhnjJhM7pylWwMyAkmCQvQ4GpJHEqRLVk=
 github.com/coreos/go-oidc/v3 v3.17.0 h1:hWBGaQfbi0iVviX4ibC7bk8OKT5qNr4klBaCHVNvehc=
 github.com/coreos/go-oidc/v3 v3.17.0/go.mod h1:wqPbKFrVnE90vty060SB40FCJ8fTHTxSwyXJqZH+sI8=
 github.com/coreos/go-systemd/v22 v22.5.0/go.mod h1:Y58oyj3AT4RCenI/lSvhwexgC+NSVTIJ3seZv2GcEnc=
@@ -103,23 +137,43 @@ github.com/couchbase/gocbcore/v10 v10.2.8/go.mod h1:lYQIIk+tzoMcwtwU5GzPbDdqEkwk
 github.com/couchbaselabs/gocaves/client v0.0.0-20230307083111-cc3960c624b1/go.mod h1:AVekAZwIY2stsJOMWLAS/0uA/+qdp7pjO8EHnl61QkY=
 github.com/couchbaselabs/gocaves/client v0.0.0-20230404095311-05e3ba4f0259 h1:2TXy68EGEzIMHOx9UvczR5ApVecwCfQZ0LjkmwMI6g4=
 github.com/couchbaselabs/gocaves/client v0.0.0-20230404095311-05e3ba4f0259/go.mod h1:AVekAZwIY2stsJOMWLAS/0uA/+qdp7pjO8EHnl61QkY=
-github.com/cpuguy83/go-md2man/v2 v2.0.4/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
-github.com/cpuguy83/go-md2man/v2 v2.0.5 h1:ZtcqGrnekaHpVLArFSe4HK5DoKx1T0rq2DwVB0alcyc=
-github.com/cpuguy83/go-md2man/v2 v2.0.5/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/cpuguy83/go-md2man/v2 v2.0.6 h1:XJtiaUW6dEEqVuZiMTn1ldk455QWwEIsMIJlo5vtkx0=
+github.com/cpuguy83/go-md2man/v2 v2.0.6/go.mod h1:oOW0eioCTA6cOiMLiUPZOpcVxMig6NIQQ7OS05n1F4g=
 github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc h1:U9qPSI2PIWSS1VwoXQT9A3Wy9MM3WgvqSxFWenqJduM=
+github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f h1:lO4WD4F/rVNCu3HqELle0jiPLLBs70cWOduZpkS1E78=
 github.com/dgryski/go-rendezvous v0.0.0-20200823014737-9f7001d12a5f/go.mod h1:cuUVRXasLTGF7a8hSLbxyZXjz+1KgoB3wDUb6vlszIc=
 github.com/dgryski/trifles v0.0.0-20230903005119-f50d829f2e54 h1:SG7nF6SRlWhcT7cNTs5R6Hk4V2lcmLz2NsG2VnInyNo=
 github.com/dgryski/trifles v0.0.0-20230903005119-f50d829f2e54/go.mod h1:if7Fbed8SFyPtHLHbg49SI7NAdJiC5WIA09pe59rfAA=
+github.com/distribution/reference v0.6.0 h1:0IXCQ5g4/QMHHkarYzh5l+u8T3t73zM5QvfrDyIgxBk=
+github.com/distribution/reference v0.6.0/go.mod h1:BbU0aIcezP1/5jX/8MP0YiH4SdvB5Y4f/wlDRiLyi3E=
 github.com/dnaeon/go-vcr v1.1.0/go.mod h1:M7tiix8f0r6mKKJ3Yq/kqU1OYf3MnfmBWVbPx/yU9ko=
 github.com/dnaeon/go-vcr v1.2.0/go.mod h1:R4UdLID7HZT3taECzJs4YgbbH6PIGXB6W/sc5OLb6RQ=
+github.com/docker/go-connections v0.7.0 h1:6SsRfJddP22WMrCkj19x9WKjEDTB+ahsdiGYf0mN39c=
+github.com/docker/go-connections v0.7.0/go.mod h1:no1qkHdjq7kLMGUXYAduOhYPSJxxvgWBh7ogVvptn3Q=
+github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4=
+github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk=
 github.com/dustin/go-humanize v1.0.1 h1:GzkhY7T5VNhEkwH0PVJgjz+fX1rhBrR7pRT3mDkpeCY=
 github.com/dustin/go-humanize v1.0.1/go.mod h1:Mu1zIs6XwVuF/gI1OepvI0qD18qycQx+mFykh5fBlto=
 github.com/ekristen/gorm-libsql v0.0.0-20231101204708-6e113112bcc2 h1:3f6DAUkYKbZSJ1bBM0/RiX5NHVt7YgmB0BWzKWUd45g=
 github.com/ekristen/gorm-libsql v0.0.0-20231101204708-6e113112bcc2/go.mod h1:5g9wSYpR/MvkR6W7SumX9zdha7Yt1iM4nxOAWfRfcPA=
+github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc=
+github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ=
+github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
+github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
+github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
+github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
+github.com/envoyproxy/protoc-gen-validate v1.3.3 h1:MVQghNeW+LZcmXe7SY1V36Z+WFMDjpqGAGacLe2T0ds=
+github.com/envoyproxy/protoc-gen-validate v1.3.3/go.mod h1:TsndJ/ngyIdQRhMcVVGDDHINPLWB7C82oDArY51KfB0=
+github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
+github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U=
+github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
+github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
+github.com/fsnotify/fsnotify v1.9.0 h1:2Ml+OJNzbYCTzsxtv8vKSFD9PbJjmhYF14k/jKC7S9k=
+github.com/fsnotify/fsnotify v1.9.0/go.mod h1:8jBTzvmWwFyi3Pb8djgCCO5IBqzKJ/Jwo8TRcHyHii0=
 github.com/gabriel-vasile/mimetype v1.4.2 h1:w5qFW6JKBz9Y393Y4q372O9A7cUSequkh1Q7OhCmWKU=
 github.com/gabriel-vasile/mimetype v1.4.2/go.mod h1:zApsH/mKG4w07erKIaJPFiX0Tsq9BFQgN3qGY5GnNgA=
 github.com/gin-contrib/sse v0.1.0 h1:Y/yl/+YNO8GZSjAhjMsSuLt29uWRFHdHYUb5lYOV9qE=
@@ -127,12 +181,15 @@ github.com/gin-contrib/sse v0.1.0/go.mod h1:RHrZQHXnP2xjPF+u1gW/2HnVO7nvIa9PG3Gm
 github.com/gin-gonic/gin v1.6.3/go.mod h1:75u5sXoLsGZoRN5Sgbi1eraJ4GU3++wFwWzhwvtwp4M=
 github.com/gin-gonic/gin v1.9.1 h1:4idEAncQnU5cB7BeOkPtxjfCSye0AAm1R0RVIqJ+Jmg=
 github.com/gin-gonic/gin v1.9.1/go.mod h1:hPrL7YrpYKXt5YId3A/Tnip5kqbEAP+KLuI3SUcPTeU=
-github.com/glebarez/go-sqlite v1.21.2 h1:3a6LFC4sKahUunAmynQKLZceZCOzUthkRkEAl9gAXWo=
-github.com/glebarez/go-sqlite v1.21.2/go.mod h1:sfxdZyhQjTM2Wry3gVYWaW072Ri1WMdWJi0k6+3382k=
-github.com/glebarez/sqlite v1.10.0 h1:u4gt8y7OND/cCei/NMHmfbLxF6xP2wgKcT/BJf2pYkc=
-github.com/glebarez/sqlite v1.10.0/go.mod h1:IJ+lfSOmiekhQsFTJRx/lHtGYmCdtAiTaf5wI9u5uHA=
 github.com/go-jose/go-jose/v4 v4.1.4 h1:moDMcTHmvE6Groj34emNPLs/qtYXRVcd6S7NHbHz3kA=
 github.com/go-jose/go-jose/v4 v4.1.4/go.mod h1:x4oUasVrzR7071A4TnHLGSPpNOm2a21K9Kf04k1rs08=
+github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
+github.com/go-logfmt/logfmt v0.5.0/go.mod h1:wCYkCAKZfumFQihp8CzCvQ3paCTfi41vtzG1KdI/P7A=
+github.com/go-logr/logr v1.2.2/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
+github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
+github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
+github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
 github.com/go-playground/assert/v2 v2.0.1/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=
 github.com/go-playground/assert/v2 v2.2.0 h1:JvknZsQTYeFEAhQwI4qEt9cyV5ONwRHC+lYKSsYSR8s=
 github.com/go-playground/assert/v2 v2.2.0/go.mod h1:VDjEfimB/XKnb+ZQfWdccd7VUvScMdVu0Titje2rxJ4=
@@ -145,8 +202,10 @@ github.com/go-playground/universal-translator v0.18.1/go.mod h1:xekY+UJKNuX9WP91
 github.com/go-playground/validator/v10 v10.2.0/go.mod h1:uOYAAleCW8F/7oMFd6aG0GOhaH6EGOAJShg8Id5JGkI=
 github.com/go-playground/validator/v10 v10.14.0 h1:vgvQWe3XCz3gIeFDm/HnTIbj6UGmg/+t63MyGU2n5js=
 github.com/go-playground/validator/v10 v10.14.0/go.mod h1:9iXMNT7sEkjXb0I+enO7QXmzG6QCsPWY4zveKFVRSyU=
-github.com/go-sql-driver/mysql v1.7.0 h1:ueSltNNllEqE3qcWBTD0iQd3IpL/6U+mJxLkazJ7YPc=
 github.com/go-sql-driver/mysql v1.7.0/go.mod h1:OXbVy3sEdcQ2Doequ6Z5BW6fXNQTmx+9S1MCJN5yJMI=
+github.com/go-sql-driver/mysql v1.10.0 h1:Q+1LV8DkHJvSYAdR83XzuhDaTykuDx0l6fkXxoWCWfw=
+github.com/go-sql-driver/mysql v1.10.0/go.mod h1:M+cqaI7+xxXGG9swrdeUIoPG3Y3KCkF0pZej+SK+nWk=
+github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
 github.com/go-viper/mapstructure/v2 v2.4.0 h1:EBsztssimR/CONLSZZ04E8qAkxNYq4Qp9LvH92wZUgs=
 github.com/go-viper/mapstructure/v2 v2.4.0/go.mod h1:oJDH3BJKyqBA2TXFhDsKDGDTlndYOZ6rGS0BRZIxGhM=
 github.com/gobwas/httphead v0.0.0-20180130184737-2c6c146eadee h1:s+21KNqlpePfkah2I+gwHF8xmJWRjooY+5248k6m4A0=
@@ -160,35 +219,43 @@ github.com/goccy/go-json v0.10.2/go.mod h1:6MelG93GURQebXPDq3khkgXZkazVtN9CRI+MG
 github.com/gocql/gocql v1.6.0 h1:IdFdOTbnpbd0pDhl4REKQDM+Q0SzKXQ1Yh+YZZ8T/qU=
 github.com/gocql/gocql v1.6.0/go.mod h1:3gM2c4D3AnkISwBxGnMMsS8Oy4y2lhbPRsH4xnJrHG8=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
+github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q=
+github.com/gogo/protobuf v1.3.2/go.mod h1:P1XiOD3dCwIKUDQYPy72D8LYyHL2YPYrpS2s69NZV8Q=
 github.com/golang-jwt/jwt v3.2.2+incompatible h1:IfV12K8xAKAnZqdXVzCZ+TOjboZ2keLg81eXfW3O+oY=
 github.com/golang-jwt/jwt v3.2.2+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
 github.com/golang-jwt/jwt/v4 v4.4.3/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang-jwt/jwt/v4 v4.5.2 h1:YtQM7lnr8iZ+j5q71MGKkNw9Mn7AjHM68uc9g5fXeUI=
 github.com/golang-jwt/jwt/v4 v4.5.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
-github.com/golang-jwt/jwt/v5 v5.0.0 h1:1n1XNM9hk7O9mnQoNBGolZvzebBQ7p93ULHRc28XJUE=
 github.com/golang-jwt/jwt/v5 v5.0.0/go.mod h1:pqrtFR0X4osieyHYxtmOUWsAWrfe1Q5UVIyoH402zdk=
+github.com/golang-jwt/jwt/v5 v5.3.1 h1:kYf81DTWFe7t+1VvL7eS+jKFVWaUnK9cB1qbwn63YCY=
+github.com/golang-jwt/jwt/v5 v5.3.1/go.mod h1:fxCRLWMO43lRc8nhHWY6LGqRcf+1gQWArsqaEUEa5bE=
 github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9 h1:au07oEsX2xN0ktxqI+Sida1w446QrXBRJ0nee3SNZlA=
 github.com/golang-sql/civil v0.0.0-20220223132316-b832511892a9/go.mod h1:8vg3r2VgvsThLBIFL93Qb5yWzgyZWhEmBwUJWevAkK0=
 github.com/golang-sql/sqlexp v0.1.0 h1:ZCD6MBpcuOVfGVqsEmY5/4FtYiKz6tSyUv9LPEDei6A=
 github.com/golang-sql/sqlexp v0.1.0/go.mod h1:J4ad9Vo8ZCWQ2GMrC4UCQy1JpCbwU9m3EOqtpKwwwHI=
+github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
+github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfbm0A=
 github.com/golang/mock v1.6.0 h1:ErTB+efbowRARo13NNdxyJji2egdxLGQhRaY+DUumQc=
 github.com/golang/mock v1.6.0/go.mod h1:p6yTPP+5HYm5mzsMV8JkE6ZKdX+/wYM6Hr+LicevLPs=
+github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.3/go.mod h1:vzj43D7+SQXF/4pzW/hwtAqwc6iTitCiVSaWz5lYuqw=
 github.com/golang/protobuf v1.3.5/go.mod h1:6O5/vntMXwX2lRkT1hjjk0nAC1IDOTvTlVgjlRvqsdk=
-github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
-github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
-github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+github.com/golang/protobuf v1.5.4 h1:i7eJL8qZTpSEXOPTxNKhASYpMn+8e5Q6AdndVa1dWek=
+github.com/golang/protobuf v1.5.4/go.mod h1:lnTiLA8Wa4RWRcIUkrtSVa5nRhsEGBg48fD6rSs7xps=
 github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
 github.com/golang/snappy v0.0.4 h1:yAGX7huGHXlcLOEtBnF4w7FQwA26wojNCwOYAEhLjQM=
 github.com/golang/snappy v0.0.4/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q=
+github.com/google/cel-go v0.28.1 h1:YWIwi77J4xIsYUwAF/iIuS6haffzIHS8yWI8glSbLWM=
+github.com/google/cel-go v0.28.1/go.mod h1:X0bD6iVNR8pkROSOoHVdgTkzmRcosof7WQqCD6wcMc8=
+github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
-github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/go-cmp v0.7.0 h1:wk8382ETsv4JYUZwIsn6YpYiWiBsYLSJiTsyBybVuN8=
 github.com/google/go-cmp v0.7.0/go.mod h1:pXiqmnSA92OHEEa9HXL2W4E7lf9JzCmGVUdgjX3N/iU=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
-github.com/google/pprof v0.0.0-20221118152302-e6195bd50e26 h1:Xim43kblpZXfIBQsbuBVKCudVG457BR2GZFIz3uw3hQ=
-github.com/google/pprof v0.0.0-20221118152302-e6195bd50e26/go.mod h1:dDKJzRmX4S37WGHujM7tX//fmj1uioxKzKxz3lo4HJo=
+github.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e h1:ijClszYn+mADRFY17kjQEVQ1XRhq2/JR1M3sGqeJoxs=
+github.com/google/pprof v0.0.0-20250317173921-a4b03ec1a45e/go.mod h1:boTsfXsheKC2y+lKOCMpSfarhxDeIzfZG1jqGcPl3cA=
 github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.3.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/google/uuid v1.6.0 h1:NIvaJDMOsjHA8n1jAhLSgzrAzy1Hgr+hNrb57e+94F0=
@@ -198,8 +265,23 @@ github.com/gorilla/sessions v1.2.1/go.mod h1:dk2InVEVJ0sfLlnXv9EAgkf6ecYs/i80K/z
 github.com/gorilla/websocket v1.4.1/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
 github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWmnc=
 github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
+github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 h1:UH//fgunKIs4JdUbpDl1VZCDaL56wXCB/5+wF6uHfaI=
+github.com/grpc-ecosystem/go-grpc-middleware v1.4.0/go.mod h1:g5qyo/la0ALbONm6Vbp88Yd8NsDy6rZz+RcrMPxvld8=
+github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.3.3 h1:B+8ClL/kCQkRiU82d9xajRPKYMrB7E0MbtzWVi1K4ns=
+github.com/grpc-ecosystem/go-grpc-middleware/v2 v2.3.3/go.mod h1:NbCUVmiS4foBGBHOYlCT25+YmGpJ32dZPi75pGEUpj4=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.29.0 h1:5VipnvEpbqr2gA2VbM+nYVbkIF28c5ZQfqCBQ5g2xfk=
+github.com/grpc-ecosystem/grpc-gateway/v2 v2.29.0/go.mod h1:Hyl3n6Twe1hvtd9XUXDec4pTvgMSEixRuQKPTMH2bNs=
 github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed h1:5upAirOpQc1Q53c0bnx2ufif5kANL7bfZWcc6VJWJd8=
 github.com/hailocab/go-hostpool v0.0.0-20160125115350-e80d13ce29ed/go.mod h1:tMWxXQ9wFIaZeTI9F+hmhFiGpFmhOHzyShyFUhRm0H4=
+github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
+github.com/hashicorp/errwrap v1.1.0 h1:OxrOeh75EUXMY8TBjag2fzXGZ40LB6IKw45YeGUDY2I=
+github.com/hashicorp/errwrap v1.1.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4=
+github.com/hashicorp/go-cleanhttp v0.5.2 h1:035FKYIWjmULyFRBKPs8TBQoi0x6d9G4xc9neXJWAZQ=
+github.com/hashicorp/go-cleanhttp v0.5.2/go.mod h1:kO/YDlP8L1346E6Sodw+PrpBSV4/SoxCXGY6BqNFT48=
+github.com/hashicorp/go-multierror v1.1.1 h1:H5DkEtf6CXdFp0N0Em5UCwQpXMWke8IA0+lD48awMYo=
+github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9/fmwbPZ6JB6eMoM=
+github.com/hashicorp/go-retryablehttp v0.7.8 h1:ylXZWnqa7Lhqpk0L1P1LzDtGcCR0rPVUrx/c8Unxc48=
+github.com/hashicorp/go-retryablehttp v0.7.8/go.mod h1:rjiScheydd+CxvumBsIrFKlx3iS0jrZ7LvzFGFmuKbw=
 github.com/hashicorp/go-uuid v1.0.2/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/hashicorp/go-uuid v1.0.3/go.mod h1:6SBZvOh/SIDV7/2o3Jml5SYk/TvGqwFJ/bN7x4byOro=
 github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k=
@@ -210,8 +292,8 @@ github.com/jackc/pgpassfile v1.0.0 h1:/6Hmqy13Ss2zCq62VdNG8tM1wchn8zjSGOBJ6icpsI
 github.com/jackc/pgpassfile v1.0.0/go.mod h1:CEx0iS5ambNFdcRtxPj5JhEz+xB6uRky5eyVu/W2HEg=
 github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761 h1:iCEnooe7UlwOQYpKFhBabPMi4aNAfoODPEFNiAnClxo=
 github.com/jackc/pgservicefile v0.0.0-20240606120523-5a60cdf6a761/go.mod h1:5TJZWKEWniPve33vlWYSoGYefn3gLQRzjfDlhSJ9ZKM=
-github.com/jackc/pgx/v5 v5.9.2 h1:3ZhOzMWnR4yJ+RW1XImIPsD1aNSz4T4fyP7zlQb56hw=
-github.com/jackc/pgx/v5 v5.9.2/go.mod h1:mal1tBGAFfLHvZzaYh77YS/eC6IX9OWbRV1QIIM0Jn4=
+github.com/jackc/pgx/v5 v5.10.0 h1:VhSvgU2jSli8o3AqIEOTJr7rZwAEUVo4E4XhR94Zfr0=
+github.com/jackc/pgx/v5 v5.10.0/go.mod h1:mal1tBGAFfLHvZzaYh77YS/eC6IX9OWbRV1QIIM0Jn4=
 github.com/jackc/puddle/v2 v2.2.2 h1:PR8nw+E/1w0GLuRFSmiioY6UooMp6KJv0/61nB7icHo=
 github.com/jackc/puddle/v2 v2.2.2/go.mod h1:vriiEXHvEE654aYKXXjOvZM39qJ0q+azkZFrfEOc3H4=
 github.com/jcmturner/aescts/v2 v2.0.0/go.mod h1:AiaICIRyfYg35RUkr8yESTqvSy7csK90qZ5xfvvsoNs=
@@ -227,12 +309,15 @@ github.com/jinzhu/now v1.1.5/go.mod h1:d3SSVoowX0Lcu0IBviAWJpolVfI5UJVZZ7cO71lE/
 github.com/json-iterator/go v1.1.9/go.mod h1:KdQUCv79m/52Kvf8AW2vK1V8akMuk1QjK/uOdHXbAo4=
 github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM=
 github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHmT4TnhNGBo=
+github.com/kisielk/errcheck v1.5.0/go.mod h1:pFxgyoBC7bSaBwPgfKdkLd5X25qrDl4LWUI2bnpBCr8=
+github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+oQHNcck=
 github.com/klauspost/compress v1.10.3/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs=
-github.com/klauspost/compress v1.18.0 h1:c/Cqfb0r+Yi+JtIEq73FWXVkRonBlf0CRNYc8Zttxdo=
-github.com/klauspost/compress v1.18.0/go.mod h1:2Pp+KzxcywXVXMr50+X0Q/Lsb43OQHYWRCY2AiWywWQ=
+github.com/klauspost/compress v1.18.5 h1:/h1gH5Ce+VWNLSWqPzOVn6XBO+vJbCNGvjoaGBFW2IE=
+github.com/klauspost/compress v1.18.5/go.mod h1:cwPg85FWrGar70rWktvGQj8/hthj3wpl0PGDogxkrSQ=
 github.com/klauspost/cpuid/v2 v2.0.9/go.mod h1:FInQzS24/EEf25PyTYn52gqo7WaD8xa0213Md/qVLRg=
 github.com/klauspost/cpuid/v2 v2.2.4 h1:acbojRNwl3o09bUq+yDCtZFc1aiwaAAxtcn8YkZXnvk=
 github.com/klauspost/cpuid/v2 v2.2.4/go.mod h1:RVVoqg1df56z8g3pUjL/3lE5UfnlrJX8tyFgg4nqhuY=
+github.com/konsorten/go-windows-terminal-sequences v1.0.1/go.mod h1:T0+1ngSBFLxvqU3pZ+m/2kptfBszLMUkC4ZK/EgS/cQ=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
 github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
@@ -242,6 +327,10 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
+github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 h1:SOEGU9fKiNWd/HOJuq6+3iTQz8KNCLtVX6idSoTLdUw=
+github.com/lann/builder v0.0.0-20180802200727-47ae307949d0/go.mod h1:dXGbAdH5GtBTC4WfIxhKZfyBF/HBFgRZSWwZ9g/He9o=
+github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 h1:P6pPBnrTSX3DEVR4fDembhRWSsG5rVo6hYhAB/ADZrk=
+github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0/go.mod h1:vmVJ0l/dxyfGW6FmdpVm2joNMFikkuWg0EoCKLGUMNw=
 github.com/leodido/go-urn v1.2.0/go.mod h1:+8+nEpDfqqsY+g338gtMEUOtuK+4dEMhiQEgxpxOKII=
 github.com/leodido/go-urn v1.2.4 h1:XlAE/cm/ms7TE/VMVoduSpNBoyc2dOxHs5MZSwAN63Q=
 github.com/leodido/go-urn v1.2.4/go.mod h1:7ZrI8mTSeBSHl/UaRyKQW1qZeMgak41ANeCNaVckg+4=
@@ -257,70 +346,121 @@ github.com/mattn/go-colorable v0.1.14/go.mod h1:6LmQG8QLFO4G5z1gPvYEzlUgJ2wF+stg
 github.com/mattn/go-isatty v0.0.12/go.mod h1:cbi8OIDigv2wuxKPP5vlRcQ1OAZbq2CE4Kysco4FUpU=
 github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM=
 github.com/mattn/go-isatty v0.0.19/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
-github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY=
-github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y=
+github.com/mattn/go-isatty v0.0.21 h1:xYae+lCNBP7QuW4PUnNG61ffM4hVIfm+zUzDuSzYLGs=
+github.com/mattn/go-isatty v0.0.21/go.mod h1:ZXfXG4SQHsB/w3ZeOYbR0PrPwLy+n6xiMrJlRFqopa4=
 github.com/mattn/go-sqlite3 v1.14.17 h1:mCRHCLDUBXgpKAqIKsaAaAsrAlbkeomtRFKXh2L6YIM=
 github.com/mattn/go-sqlite3 v1.14.17/go.mod h1:2eHXhiwb8IkHr+BDWZGa96P6+rkvnG63S2DGjv9HUNg=
-github.com/microsoft/go-mssqldb v1.6.0 h1:mM3gYdVwEPFrlg/Dvr2DNVEgYFG7L42l+dGc67NNNpc=
+github.com/mfridman/interpolate v0.0.2 h1:pnuTK7MQIxxFz1Gr+rjSIx9u7qVjf5VOoM/u6BbAxPY=
+github.com/mfridman/interpolate v0.0.2/go.mod h1:p+7uk6oE07mpE/Ik1b8EckO0O4ZXiGAfshKBWLUM9Xg=
 github.com/microsoft/go-mssqldb v1.6.0/go.mod h1:00mDtPbeQCRGC1HwOOR5K/gr30P1NcEG0vx6Kbv2aJU=
+github.com/microsoft/go-mssqldb v1.9.8 h1:d4IFMvF/o+HdpXUqbBfzHvn/NlFA75YGcfHUUvDFJEM=
+github.com/microsoft/go-mssqldb v1.9.8/go.mod h1:eGSRSGAW4hKMy5YcAenhCDjIRm2rhqIdmmwgciMzLus=
+github.com/moby/docker-image-spec v1.3.1 h1:jMKff3w6PgbfSa69GfNg+zN/XLhfXJGnEx3Nl2EsFP0=
+github.com/moby/docker-image-spec v1.3.1/go.mod h1:eKmb5VW8vQEh/BAr2yvVNvuiJuY6UIocYsFu/DxxRpo=
+github.com/moby/moby/api v1.54.2 h1:wiat9QAhnDQjA7wk1kh/TqHz2I1uUA7M7t9SAl/JNXg=
+github.com/moby/moby/api v1.54.2/go.mod h1:+RQ6wluLwtYaTd1WnPLykIDPekkuyD/ROWQClE83pzs=
+github.com/moby/moby/client v0.4.1 h1:DMQgisVoMkmMs7fp3ROSdiBnoAu8+vo3GggFl06M/wY=
+github.com/moby/moby/client v0.4.1/go.mod h1:z52C9O2POPOsnxZAy//WtKcQ32P+jT/NGeXu/7nfjGQ=
 github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd h1:TRLaZ9cD/w8PVh93nsPXa1VrQ6jlwL5oN8l14QlcNfg=
 github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q=
 github.com/modern-go/reflect2 v0.0.0-20180701023420-4b7aa43c6742/go.mod h1:bx2lNnkwVCuqBIxFjflWJWanXIb3RllmbCylyMrvgv0=
-github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9Gz0M=
 github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
+github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee h1:W5t00kpgFdJifH4BDsTlE89Zl93FEloxaWZfGcifgq8=
+github.com/modern-go/reflect2 v1.0.3-0.20250322232337-35a7c28c31ee/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk=
 github.com/modocache/gover v0.0.0-20171022184752-b58185e213c5/go.mod h1:caMODM3PzxT8aQXRPkAt8xlV/e7d7w8GM5g0fa5F0D8=
 github.com/montanaflynn/stats v0.7.0/go.mod h1:etXPPgVO6n31NxCd9KQUMvCM+ve0ruNzt6R8Bnaayow=
 github.com/montanaflynn/stats v0.7.1 h1:etflOAAHORrCC44V+aR6Ftzort912ZU+YLiSTuV8eaE=
 github.com/montanaflynn/stats v0.7.1/go.mod h1:etXPPgVO6n31NxCd9KQUMvCM+ve0ruNzt6R8Bnaayow=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
+github.com/natefinch/wrap v0.2.0 h1:IXzc/pw5KqxJv55gV0lSOcKHYuEZPGbQrOOXr/bamRk=
+github.com/natefinch/wrap v0.2.0/go.mod h1:6gMHlAl12DwYEfKP3TkuykYUfLSEAvHw67itm4/KAS8=
+github.com/ncruces/go-strftime v1.0.0 h1:HMFp8mLCTPp341M/ZnA4qaf7ZlsbTc+miZjCLOFAw7w=
+github.com/ncruces/go-strftime v1.0.0/go.mod h1:Fwc5htZGVVkseilnfgOVb9mKy6w1naJmn9CehxcKcls=
 github.com/niemeyer/pretty v0.0.0-20200227124842-a10e7caefd8e/go.mod h1:zD1mROLANZcx1PVRCS0qkT7pwLkGfwJo4zjcN/Tysno=
-github.com/pelletier/go-toml/v2 v2.0.8 h1:0ctb6s9mE31h0/lhu+J6OPmVeDxJn+kYnJc2jZR9tGQ=
-github.com/pelletier/go-toml/v2 v2.0.8/go.mod h1:vuYfssBdrU2XDZ9bYydBu6t+6a6PYNcZljzZR9VXg+4=
-github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 h1:KoWmjvw+nsYOo29YJK9vDA65RGE3NrOnUtO7a+RF9HU=
+github.com/oklog/ulid/v2 v2.1.1 h1:suPZ4ARWLOJLegGFiZZ1dFAkqzhMjL3J1TzI+5wHz8s=
+github.com/oklog/ulid/v2 v2.1.1/go.mod h1:rcEKHmBBKfef9DhnvX7y1HZBYxjXb0cP5ExxNsTT1QQ=
+github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
+github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
+github.com/opencontainers/image-spec v1.1.1 h1:y0fUlFfIZhPF1W537XOLg0/fcx6zcHCJwooC2xJA040=
+github.com/opencontainers/image-spec v1.1.1/go.mod h1:qpqAh3Dmcf36wStyyWU+kCeDgrGnAve2nCC8+7h8Q0M=
+github.com/openfga/api/proto v0.0.0-20260319214821-f153694bfc20 h1:xdVG0EDz9Z9Uhd7YZ5OMN1F8tkAz/Dpgdjxd0cuTBJo=
+github.com/openfga/api/proto v0.0.0-20260319214821-f153694bfc20/go.mod h1:XDX4qYNBUM2Rsa2AbKPh+oocZc2zgme+EF2fFC6amVU=
+github.com/openfga/language/pkg/go v0.2.1 h1:nmVJTPfjvaJC2EWGcy8HrUyL15KkIfjjnmB3VFVeCts=
+github.com/openfga/language/pkg/go v0.2.1/go.mod h1:wg+EuPmYIaM855F2uPygT1hJoWcoUxAoecgYC5akXsw=
+github.com/openfga/openfga v1.17.1 h1:80sT4P5EYAKaRnbFqr4Wr6Cz5MI1WyT+Ss6kAAh1xD4=
+github.com/openfga/openfga v1.17.1/go.mod h1:ZKAbAaqcijZuOT0AfCVjqtK3FiOFwZZh0pE8nlLuElA=
+github.com/opentracing/opentracing-go v1.1.0/go.mod h1:UkNAQd3GIcIGf0SeVgPpRdFStlNbqXla1AfSYxPUl2o=
+github.com/pborman/getopt v0.0.0-20170112200414-7148bc3a4c30/go.mod h1:85jBQOZwpVEaDAr341tbn15RS4fCAsIst0qp7i8ex1o=
+github.com/pelletier/go-toml/v2 v2.2.4 h1:mye9XuhQ6gvn5h28+VilKrrPoQVanw5PMw/TB0t5Ec4=
+github.com/pelletier/go-toml/v2 v2.2.4/go.mod h1:2gIqNv+qfxSVS7cM2xJQKtLSTLUE9V8t9Stt+h56mCY=
 github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8/go.mod h1:HKlIX3XHQyzLZPlr7++PzdhaXEj94dEiJgZDTsxEqUI=
+github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c h1:+mdjkGKdHQG3305AYmdv1U2eRNDiU2ErMBj1gwrq8eQ=
+github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c/go.mod h1:7rwL4CYBLnjLxUqIJNnCWiEdr3bn6IUYi15bNlnbCCU=
+github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
-github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
+github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pquerna/otp v1.4.0 h1:wZvl1TIVxKRThZIBiwOOHOGP/1+nZyWBil9Y2XNEDzg=
 github.com/pquerna/otp v1.4.0/go.mod h1:dkJfzwRKNiegxyNb54X/3fLwhCynbMspSyWKnvi1AEg=
+github.com/pressly/goose/v3 v3.27.1 h1:6uEvcprBybDmW4hcz3gYujhARhye+GoWKhEWyzD5sh4=
+github.com/pressly/goose/v3 v3.27.1/go.mod h1:maruOxsPnIG2yHHyo8UqKWXYKFcH7Q76csUV7+7KYoM=
 github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h0RJWRi/o0o=
 github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg=
+github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
 github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
 github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
 github.com/prometheus/common v0.66.1 h1:h5E0h5/Y8niHc5DlaLlWLArTQI7tMrsfQjHV+d9ZoGs=
 github.com/prometheus/common v0.66.1/go.mod h1:gcaUsgf3KfRSwHY4dIMXLPV0K/Wg1oZ8+SbZk/HH/dA=
-github.com/prometheus/procfs v0.16.1 h1:hZ15bTNuirocR6u0JZ6BAHHmwS1p8B4P6MRqxtzMyRg=
-github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is=
+github.com/prometheus/procfs v0.20.1 h1:XwbrGOIplXW/AU3YhIhLODXMJYyC1isLFfYCsTEycfc=
+github.com/prometheus/procfs v0.20.1/go.mod h1:o9EMBZGRyvDrSPH1RqdxhojkuXstoe4UlK79eF5TGGo=
 github.com/redis/go-redis/v9 v9.6.3 h1:8Dr5ygF1QFXRxIH/m3Xg9MMG1rS8YCtAgosrsewT6i0=
 github.com/redis/go-redis/v9 v9.6.3/go.mod h1:0C0c6ycQsdpVNQpxb1njEQIqkx5UcsM8FJCQLgE9+RA=
-github.com/remyoudompheng/bigfft v0.0.0-20200410134404-eec4a21b6bb0/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec h1:W09IVJc94icq4NjY3clb7Lk8O1qJ8BdBEF8z0ibU0rE=
 github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec/go.mod h1:qqbHyh8v60DhA7CoWK5oRCqLrMHRGoxYCSS9EjAz6Eo=
 github.com/robertkrimen/otto v0.2.1 h1:FVP0PJ0AHIjC+N4pKCG9yCDz6LHNPCwi/GKID5pGGF0=
 github.com/robertkrimen/otto v0.2.1/go.mod h1:UPwtJ1Xu7JrLcZjNWN8orJaM5n5YEtqL//farB5FlRY=
-github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M=
-github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA=
+github.com/rogpeppe/go-internal v1.14.1 h1:UQB4HGPB6osV0SQTLymcB4TgvyWu6ZyliaW0tI/otEQ=
+github.com/rogpeppe/go-internal v1.14.1/go.mod h1:MaRKkUm5W0goXpeCfT7UZI6fk/L7L7so1lCWt35ZSgc=
 github.com/rs/xid v1.5.0/go.mod h1:trrq9SKmegXys3aeAKXMUTdJsYXVwGY3RLcfgqegfbg=
 github.com/rs/zerolog v1.33.0 h1:1cU2KZkvPxNyfgEmhHAz/1A9Bz+llsdYzklWFzgp0r8=
 github.com/rs/zerolog v1.33.0/go.mod h1:/7mN4D5sKwJLZQ2b/znpjC3/GQWY/xaDXUM0kKWRHss=
 github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
+github.com/sagikazarmark/locafero v0.9.0 h1:GbgQGNtTrEmddYDSAH9QLRyfAHY12md+8YFTqyMTC9k=
+github.com/sagikazarmark/locafero v0.9.0/go.mod h1:UBUyz37V+EdMS3hDF3QWIiVr/2dPrx49OMO0Bn0hJqk=
 github.com/sergi/go-diff v1.3.1 h1:xkr+Oxo4BOQKmkn/B9eMK0g5Kg/983T9DqqPHwYqD+8=
 github.com/sergi/go-diff v1.3.1/go.mod h1:aMJSSKb2lpPvRNec0+w3fl7LP9IOFzdc9Pa4NFbPK1I=
+github.com/sethvargo/go-retry v0.3.0 h1:EEt31A35QhrcRZtrYFDTBg91cqZVnFL2navjDrah2SE=
+github.com/sethvargo/go-retry v0.3.0/go.mod h1:mNX17F0C/HguQMyMyJxcnU471gOZGxCLyYaFyAZraas=
+github.com/shopspring/decimal v1.4.0 h1:bxl37RwXBklmTi0C79JfXCEBD1cqqHt0bbgBAGFp81k=
+github.com/shopspring/decimal v1.4.0/go.mod h1:gawqmDU56v4yIKSwfBSFip1HdCCXN8/+DMd9qYNcwME=
+github.com/sirupsen/logrus v1.4.2/go.mod h1:tLMulIdttU9McNUspp0xgXVQah82FyeX6MwdIuYE2rE=
 github.com/sosodev/duration v1.3.1 h1:qtHBDMQ6lvMQsL15g4aopM4HEfOaYuhWBw3NPTtlqq4=
 github.com/sosodev/duration v1.3.1/go.mod h1:RQIBBX0+fMLc/D9+Jb/fwvVmo0eZvDDEERAikUR6SDg=
-github.com/spf13/cobra v1.8.1 h1:e5/vxKd/rZsfSJMUX1agtjeTDf+qv1/JdBF8gg5k9ZM=
-github.com/spf13/cobra v1.8.1/go.mod h1:wHxEcudfqmLYa8iTfL+OuZPbBZkmvliBWKIezN3kD9Y=
-github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA=
-github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/sourcegraph/conc v0.3.0 h1:OQTbbt6P72L20UqAkXXuLOj79LfEanQ+YQFNpLA9ySo=
+github.com/sourcegraph/conc v0.3.0/go.mod h1:Sdozi7LEKbFPqYX2/J+iBAM6HpqSLTASQIKqDmF7Mt0=
+github.com/spf13/afero v1.15.0 h1:b/YBCLWAJdFWJTN9cLhiXXcD7mzKn9Dm86dNnfyQw1I=
+github.com/spf13/afero v1.15.0/go.mod h1:NC2ByUVxtQs4b3sIUphxK0NioZnmxgyCrfzeuq8lxMg=
+github.com/spf13/cast v1.10.0 h1:h2x0u2shc1QuLHfxi+cTJvs30+ZAHOGRic8uyGTDWxY=
+github.com/spf13/cast v1.10.0/go.mod h1:jNfB8QC9IA6ZuY2ZjDp0KtFO2LZZlg4S/7bzP6qqeHo=
+github.com/spf13/cobra v1.10.2 h1:DMTTonx5m65Ic0GOoRY2c16WCbHxOOw6xxezuLaBpcU=
+github.com/spf13/cobra v1.10.2/go.mod h1:7C1pvHqHw5A4vrJfjNwvOdzYu0Gml16OCs2GRiTUUS4=
+github.com/spf13/pflag v1.0.9/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/pflag v1.0.10 h1:4EBh2KAYBwaONj6b2Ye1GiHfwjqyROoF4RwYO+vPwFk=
+github.com/spf13/pflag v1.0.10/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg=
+github.com/spf13/viper v1.20.1 h1:ZMi+z/lvLyPSCoNtFCpqjy0S4kPbirhpTMwl8BkW9X4=
+github.com/spf13/viper v1.20.1/go.mod h1:P9Mdzt1zoHIG8m2eZQinpiBjo6kCmZSKBClNNqjJvu4=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/objx v0.5.2 h1:xuMeJ0Sdp5ZMRXx/aWO6RZxdr3beISkG5/G/aIRr3pY=
 github.com/stretchr/objx v0.5.2/go.mod h1:FRsXN1f5AsAjCGJKqEizvkpNtU+EGNCLh3NxZ/8L+MA=
+github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
@@ -329,10 +469,11 @@ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stretchr/testify v1.8.3/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo=
 github.com/stretchr/testify v1.11.1 h1:7s2iGBzp5EwR7/aIZr8ao5+dra3wiQyKjjFuvgVKu7U=
 github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U=
+github.com/subosito/gotenv v1.6.0 h1:9NlTDc1FTs4qu0DDq7AEtTPNw6SVm7uBMsUCUjABIf8=
+github.com/subosito/gotenv v1.6.0/go.mod h1:Dk4QP5c2W3ibzajGcXpNraDfq2IrhjMIvMSWPKKo0FU=
 github.com/twilio/twilio-go v1.14.1 h1:uyMwNe2naFKwxLpVflAHbKEPiW9iHNI8VF6NWLJJ1Kk=
 github.com/twilio/twilio-go v1.14.1/go.mod h1:tdnfQ5TjbewoAu4lf9bMsGvfuJ/QU9gYuv9yx3TSIXU=
 github.com/twitchyliquid64/golang-asm v0.15.1 h1:SU5vSMR7hnwNxj24w34ZyCi/FmDZTkS4MhqMhdFk5YI=
@@ -355,14 +496,52 @@ github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 h1:gEOO8jv9F4OT7lGC
 github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1/go.mod h1:Ohn+xnUBiLI6FVj/9LpzZWtj1/D6lUovWYBkxHVV3aM=
 github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78 h1:ilQV1hzziu+LLM3zUTJ0trRztfwgjqKnBWNtSRkbmwM=
 github.com/youmark/pkcs8 v0.0.0-20240726163527-a2c0da244d78/go.mod h1:aL8wCCfTfSfmXjznFBSZNN13rSJjlIOI1fUNAtF7rmI=
+github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
+github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74=
 github.com/yuin/goldmark v1.3.5/go.mod h1:mwnBkeHKe2W/ZEtQ+71ViKU8L12m81fl3OWwC1Zlc8k=
 github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY=
+github.com/zeebo/assert v1.3.0 h1:g7C04CbJuIDKNPFHmsk4hwZDO5O+kntRxzaUoNXj+IQ=
+github.com/zeebo/assert v1.3.0/go.mod h1:Pq9JiuJQpG8JLJdtkwrJESF0Foym2/D9XMU5ciN/wJ0=
+github.com/zeebo/xxh3 v1.0.2 h1:xZmwmqxHZA8AI603jOQ0tMqmBr9lPeFwGg6d+xy9DC0=
+github.com/zeebo/xxh3 v1.0.2/go.mod h1:5NWz9Sef7zIDm2JHfFlcQvNekmcEl9ekUZQQKCYaDcA=
 go.mongodb.org/mongo-driver v1.17.9 h1:IexDdCuuNJ3BHrELgBlyaH9p60JXAvdzWR128q+U5tU=
 go.mongodb.org/mongo-driver v1.17.9/go.mod h1:LlOhpH5NUEfhxcAwG0UEkMqwYcc4JU18gtCdGudk/tQ=
+go.opentelemetry.io/auto/sdk v1.2.1 h1:jXsnJ4Lmnqd11kwkBV2LgLoFMZKizbCi5fNZ/ipaZ64=
+go.opentelemetry.io/auto/sdk v1.2.1/go.mod h1:KRTj+aOaElaLi+wW1kO/DZRXwkF4C5xPbEe3ZiIhN7Y=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.69.0 h1:8tvICD4vSTOOsNrsI4Ljf6C+6UKvpTEH5XY3JMoyPoo=
+go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.69.0/go.mod h1:z9+yiacE0IHRqM4qFfkbt/JYlmYXgss8GY/jXoNuPJI=
+go.opentelemetry.io/otel v1.44.0 h1:JjwHmHpA4iZ3wBxluu2fbbE7j4kqlE8jXyAyPXH7HqU=
+go.opentelemetry.io/otel v1.44.0/go.mod h1:BMgjTHL9WPRlRjL2oZCBTL4whCGtXch2H4BhOPIAyYc=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.44.0 h1:4YsVu3B8+3qtWYYrsUYgn0OG78pN0rnNPRGX4SbokQI=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.44.0/go.mod h1:+wnlSn0mD1ADVMe3v9Z/WIaiz6q6gL2J/ejaAmdmv80=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.44.0 h1:qazEJlUOQzhCpzQpFETGby7EdqjI1wsd0W+6Gg1SCTU=
+go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracegrpc v1.44.0/go.mod h1:fOD2Yefuxixkx3ahVNf0O/PERb6r4OlbxfATVnYvzCo=
+go.opentelemetry.io/otel/metric v1.44.0 h1:1w0gILTcHdr3YI+ixLyjemwrVnsMURbTZFrSYCdDdmc=
+go.opentelemetry.io/otel/metric v1.44.0/go.mod h1:8O7hanEPBNgEMmybD3s2VBKcgWOCsA6tzHBPODAiquo=
+go.opentelemetry.io/otel/sdk v1.44.0 h1:nHYwb9lK+fJPU/dnT6s7W7Z8itMWyqrnVfbheVYrZ58=
+go.opentelemetry.io/otel/sdk v1.44.0/go.mod h1:Osuydd3Se74nqjAKxid74N5eC+jfEqfTegHRnq58oK0=
+go.opentelemetry.io/otel/sdk/metric v1.44.0 h1:3LlKgI+VjbVsjNRFZJZAJ30WjXC5VkNRks6si09iEfI=
+go.opentelemetry.io/otel/sdk/metric v1.44.0/go.mod h1:5B5pMARnXxKhltooO4xUuCBorl65a4EpnTalObqOigA=
+go.opentelemetry.io/otel/trace v1.44.0 h1:jxF5CsGYCe74MCRx2X4g7WsY/VBKRqqpNvXlX/6gtIk=
+go.opentelemetry.io/otel/trace v1.44.0/go.mod h1:oLl1jrMQAVo6v3GAggN+1VH9VIz9iUSvW53sW1Q8PIE=
+go.opentelemetry.io/proto/otlp v1.10.0 h1:IQRWgT5srOCYfiWnpqUYz9CVmbO8bFmKcwYxpuCSL2g=
+go.opentelemetry.io/proto/otlp v1.10.0/go.mod h1:/CV4QoCR/S9yaPj8utp3lvQPoqMtxXdzn7ozvvozVqk=
+go.uber.org/atomic v1.7.0/go.mod h1:fEN4uk6kAWBTFdckzkM89CLk9XfWZrxpCo0nPH17wJc=
+go.uber.org/goleak v1.1.10/go.mod h1:8a7PlsEVH3e/a/GLqe5IIrQx6GzcnRmZEufDUTk4A7A=
 go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
-go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
-go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
+go.uber.org/mock v0.6.0 h1:hyF9dfmbgIX5EfOdasqLsWD6xqpNZlXblLB/Dbnwv3Y=
+go.uber.org/mock v0.6.0/go.mod h1:KiVJ4BqZJaMj4svdfmHM0AUx4NJYO8ZNpPnZn1Z+BBU=
+go.uber.org/multierr v1.6.0/go.mod h1:cdWPpRnG4AhwMwsgIHip0KRBQjJy5kYEpYjJxpXp9iU=
+go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
+go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
+go.uber.org/zap v1.18.1/go.mod h1:xg/QME4nWcxGxrpdeYfq7UvYrLh66cuVKdrbD1XF/NI=
+go.uber.org/zap v1.28.0 h1:IZzaP1Fv73/T/pBMLk4VutPl36uNC+OSUh3JLG3FIjo=
+go.uber.org/zap v1.28.0/go.mod h1:rDLpOi171uODNm/mxFcuYWxDsqWSAVkFdX4XojSKg/Q=
+go.yaml.in/yaml/v2 v2.4.3 h1:6gvOSjQoTB3vt1l+CU+tSyi/HOjfOjRLJ4YwYZGwRO0=
+go.yaml.in/yaml/v2 v2.4.3/go.mod h1:zSxWcmIDjOzPXpjlTTbAsKokqkDNAVtZO0WOMiT90s8=
+go.yaml.in/yaml/v3 v3.0.4 h1:tfq32ie2Jv2UxXFdLJdh3jXuOzWiL1fo0bu/FbuKpbc=
+go.yaml.in/yaml/v3 v3.0.4/go.mod h1:DhzuOOF2ATzADvBadXxruRBLzYTpT36CKvDb3+aBEFg=
 golang.org/x/arch v0.0.0-20210923205945-b76863e36670/go.mod h1:5om86z9Hs0C8fWVUuoMHwpExlXzs5Tkyp9hOrfG7pp8=
 golang.org/x/arch v0.3.0 h1:02VY4/ZcO/gBOH6PUaoiptASxtXU10jazRCP865E97k=
 golang.org/x/arch v0.3.0/go.mod h1:5om86z9Hs0C8fWVUuoMHwpExlXzs5Tkyp9hOrfG7pp8=
@@ -376,17 +555,30 @@ golang.org/x/crypto v0.9.0/go.mod h1:yrmDGqONDYtNj3tH8X9dzUun2m2lzPa9ngI6/RUPGR0
 golang.org/x/crypto v0.12.0/go.mod h1:NF0Gs7EO5K4qLn+Ylc+fih8BSTeIjAP05siRnAh98yw=
 golang.org/x/crypto v0.52.0 h1:RMs7fP2rXdep0CftQlK8Uf+kibLm7qkCcradZWYz988=
 golang.org/x/crypto v0.52.0/go.mod h1:1QgfPxDqh0T2M/elOJtp9RvuR95kVjir0e6/BvEmGbc=
-golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e h1:+WEEuIdZHnUeJJmEUjyYC2gfUMj69yZXw17EnHg/otA=
-golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e/go.mod h1:Kr81I6Kryrl9sr8s2FK3vxD90NdsKWRuOIl2O4CvYbA=
+golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
+golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f h1:W3F4c+6OLc6H2lb//N1q4WpJkhzJCK5J6kUi1NTVXfM=
+golang.org/x/exp v0.0.0-20260410095643-746e56fc9e2f/go.mod h1:J1xhfL/vlindoeF/aINzNzt2Bket5bjo9sdOYzOsU80=
+golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
+golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
+golang.org/x/lint v0.0.0-20190313153728-d0100b6bd8b3/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/lint v0.0.0-20190930215403-16217165b5de/go.mod h1:6SW0HCj/g11FgYtHlgUYUwCkIfeOF89ocIRzGO/8vkc=
+golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
+golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.4.2/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
 golang.org/x/mod v0.8.0/go.mod h1:iBbtSCu2XBx23ZKBPSOrRkjjQPZFPuis4dIYUhu/chs=
 golang.org/x/mod v0.35.0 h1:Ww1D637e6Pg+Zb2KrWfHQUnH2dQRLBQyAtpr/haaJeM=
 golang.org/x/mod v0.35.0/go.mod h1:+GwiRhIInF8wPm+4AoT6L0FA1QWAad3OMdTRx4tFYlU=
+golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4=
+golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
+golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20201010224723-4f7140c49acb/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
+golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4/go.mod h1:p54w0d4576C0XHj96bSt6lcn1PtDYWL6XObtHCRCNQM=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
@@ -397,16 +589,23 @@ golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/net v0.14.0/go.mod h1:PpSgVXXLK0OxS0F31C1/tv6XNguvCrnXIDrFMspZIUI=
 golang.org/x/net v0.55.0 h1:bcvxaJn3e1U6InsFWt1JUq1aSjnRxLzT2rtD2KfkDF8=
 golang.org/x/net v0.55.0/go.mod h1:L5U2KuzuOe1lY7Z+aWVIKK6qEeJXnXV9yzGA+WCHJww=
-golang.org/x/oauth2 v0.30.0 h1:dnDm7JmhM45NNpd8FDDeLhK6FwqbOf4MLCM9zb1BOHI=
-golang.org/x/oauth2 v0.30.0/go.mod h1:B++QgG3ZKulg6sRPGD/mqlHQs5rB3Ml9erfeDY7xKlU=
+golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
+golang.org/x/oauth2 v0.36.0 h1:peZ/1z27fi9hUOFCAZaHyrpWG5lwe0RJEEEeH0ThlIs=
+golang.org/x/oauth2 v0.36.0/go.mod h1:YDBUJMTkDnJS+A4BP4eZBjCqtokkg1hODuPjwiGPO7Q=
+golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20210220032951-036812b2e83c/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.20.0 h1:e0PTpb7pjO8GAtTs2dQ6jYa5BWYlMuX047Dco/pItO4=
 golang.org/x/sync v0.20.0/go.mod h1:9xrNwdLfx4jkKbNva9FpL6vEN7evnE43NNNJQ2LF3+0=
+golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190422165155-953cdadca894/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200116001909-b77594299b42/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
@@ -414,6 +613,7 @@ golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210616045830-e2b7044e8c71/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.0.0-20211025201205-69cdffdb9359/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220704084225-05e143d24a9e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -446,7 +646,14 @@ golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxb
 golang.org/x/time v0.15.0 h1:bbrp8t3bGUeFOx08pvsMYRTCVSMk89u4tKbNOZbp88U=
 golang.org/x/time v0.15.0/go.mod h1:Y4YMaQmXwGQZoFaVFk4YpCt4FLQMYKZe9oeV/f4MSno=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
+golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
+golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs=
+golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q=
+golang.org/x/tools v0.0.0-20191108193012-7d206e10da11/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/tools v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
+golang.org/x/tools v0.0.0-20200619180055-7c47624df98f/go.mod h1:EkVYQZoAsY45+roYkvgYkIh4xh/qjgUK9TdY2XT94GE=
+golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA=
 golang.org/x/tools v0.1.1/go.mod h1:o0xws9oXOQQZyjljx8fwUC0k7L1pTE6eaCbjGeHmOkk=
 golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc=
 golang.org/x/tools v0.6.0/go.mod h1:Xwgl3UAJ/d3gWutnCtw505GrjyAbvKui8lOU390QaIU=
@@ -456,13 +663,30 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T
 golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
-google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
-google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.36.8 h1:xHScyCOEuuwZEc6UtSOvPbAT4zRh0xcNRYekJwfqyMc=
-google.golang.org/protobuf v1.36.8/go.mod h1:fuxRtAxBytpl4zzqUh6/eyUujkJdNiuEkXntxiD/uRU=
+gonum.org/v1/gonum v0.17.0 h1:VbpOemQlsSMrYmn7T2OUvQ4dqxQXU+ouZFQsZOx50z4=
+gonum.org/v1/gonum v0.17.0/go.mod h1:El3tOrEuMpv2UdMrbNlKEh9vd86bmQ6vqIcDwxEOc1E=
+google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
+google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
+google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
+google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
+google.golang.org/genproto v0.0.0-20200423170343-7949de9c1215/go.mod h1:55QSHmfGQM9UVYDPBsyGGes0y52j32PQ3BqQfXhyH3c=
+google.golang.org/genproto/googleapis/api v0.0.0-20260526163538-3dc84a4a5aaa h1:Kjn0N0tCrDgiAFW+lGO4JZ3ck44CehvJQMAwj9QF0G8=
+google.golang.org/genproto/googleapis/api v0.0.0-20260526163538-3dc84a4a5aaa/go.mod h1:q4lMZS6kskjT5HvCPrnnypcDPVJqT/f4nfxmkE7gryY=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260526163538-3dc84a4a5aaa h1:mZHHdPZl0dbGHCflZgAq/Q468DWVFcU2whhB2KAo8fk=
+google.golang.org/genproto/googleapis/rpc v0.0.0-20260526163538-3dc84a4a5aaa/go.mod h1:4Hqkh8ycfw05ld/3BWL7rJOSfebL2Q+DVDeRgYgxUU8=
+google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
+google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
+google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
+google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
+google.golang.org/grpc v1.29.1/go.mod h1:itym6AZVZYACWQqET3MqgPpjcuV5QH3BxFS3IjizoKk=
+google.golang.org/grpc v1.81.1 h1:VnnIIZ88UzOOKLukQi+ImGz8O1Wdp8nAGGnvOfEIWQQ=
+google.golang.org/grpc v1.81.1/go.mod h1:xGH9GfzOyMTGIOXBJmXt+BX/V0kcdQbdcuwQ/zNw42I=
+google.golang.org/protobuf v1.36.11 h1:fV6ZwhNocDyBLK0dj+fg8ektcVegBBuEolpbTQyBNVE=
+google.golang.org/protobuf v1.36.11/go.mod h1:HTf+CrKn2C3g5S8VImy6tdcUvCska2kB7j23XfzDpco=
 gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc h1:2gGKlE2+asNV9m7xrywl36YYNnBG5ZQ0r/BOOxqPpmk=
 gopkg.in/alexcesaro/quotedprintable.v3 v3.0.0-20150716171945-2caba252f4dc/go.mod h1:m7x9LTH6d71AHyAX77c9yqWCCa3UKHcVEj9y7hAtKDk=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20200227125254-8fa46927fb4f/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
@@ -477,6 +701,7 @@ gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
+gopkg.in/yaml.v3 v3.0.0-20210107192922-496545a6307b/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gorm.io/driver/mysql v1.5.2 h1:QC2HRskSE75wBuOxe0+iCkyJZ+RqpudsQtqkp+IMuXs=
@@ -489,14 +714,36 @@ gorm.io/gorm v1.25.2-0.20230530020048-26663ab9bf55/go.mod h1:L4uxeKpfBml98NYqVqw
 gorm.io/gorm v1.25.2-0.20230610234218-206613868439/go.mod h1:L4uxeKpfBml98NYqVqwAdmV1a2nBtAec/cf3fpucW/k=
 gorm.io/gorm v1.25.10 h1:dQpO+33KalOA+aFYGlK+EfxcI5MbO7EP2yYygwh9h+s=
 gorm.io/gorm v1.25.10/go.mod h1:hbnx/Oo0ChWMn1BIhpy1oYozzpM15i4YPuHDmfYtwg8=
-modernc.org/libc v1.22.5 h1:91BNch/e5B0uPbJFgqbxXuOnxBQjlS//icfQEGmvyjE=
-modernc.org/libc v1.22.5/go.mod h1:jj+Z7dTNX8fBScMVNRAYZ/jF91K8fdT2hYMThc3YjBY=
-modernc.org/mathutil v1.5.0 h1:rV0Ko/6SfM+8G+yKiyI830l3Wuz1zRutdslNoQ0kfiQ=
-modernc.org/mathutil v1.5.0/go.mod h1:mZW8CKdRPY1v87qxC/wUdX5O1qDzXMP5TH3wjfpga6E=
-modernc.org/memory v1.5.0 h1:N+/8c5rE6EqugZwHii4IFsaJ7MUhoWX07J5tC/iI5Ds=
-modernc.org/memory v1.5.0/go.mod h1:PkUhL0Mugw21sHPeskwZW4D6VscE/GQJOnIpCnW6pSU=
-modernc.org/sqlite v1.23.1 h1:nrSBg4aRQQwq59JpvGEQ15tNxoO5pX/kUjcRNwSAGQM=
-modernc.org/sqlite v1.23.1/go.mod h1:OrDj17Mggn6MhE+iPbBNf7RGKODDE9NFT0f3EwDzJqk=
+honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
+modernc.org/cc/v4 v4.28.2 h1:3tQ0lf2ADtoby2EtSP+J7IE2SHwEJdP8ioR59wx7XpY=
+modernc.org/cc/v4 v4.28.2/go.mod h1:OnovgIhbbMXMu1aISnJ0wvVD1KnW+cAUJkIrAWh+kVI=
+modernc.org/ccgo/v4 v4.34.0 h1:yRLPFZieg532OT4rp4JFNIVcquwalMX26G95WQDqwCQ=
+modernc.org/ccgo/v4 v4.34.0/go.mod h1:AS5WYMyBakQ+fhsHhtP8mWB82KTGPkNNJDGfGQCe0/A=
+modernc.org/fileutil v1.4.0 h1:j6ZzNTftVS054gi281TyLjHPp6CPHr2KCxEXjEbD6SM=
+modernc.org/fileutil v1.4.0/go.mod h1:EqdKFDxiByqxLk8ozOxObDSfcVOv/54xDs/DUHdvCUU=
+modernc.org/gc/v2 v2.6.5 h1:nyqdV8q46KvTpZlsw66kWqwXRHdjIlJOhG6kxiV/9xI=
+modernc.org/gc/v2 v2.6.5/go.mod h1:YgIahr1ypgfe7chRuJi2gD7DBQiKSLMPgBQe9oIiito=
+modernc.org/gc/v3 v3.1.2 h1:ZtDCnhonXSZexk/AYsegNRV1lJGgaNZJuKjJSWKyEqo=
+modernc.org/gc/v3 v3.1.2/go.mod h1:HFK/6AGESC7Ex+EZJhJ2Gni6cTaYpSMmU/cT9RmlfYY=
+modernc.org/goabi0 v0.2.0 h1:HvEowk7LxcPd0eq6mVOAEMai46V+i7Jrj13t4AzuNks=
+modernc.org/goabi0 v0.2.0/go.mod h1:CEFRnnJhKvWT1c1JTI3Avm+tgOWbkOu5oPA8eH8LnMI=
+modernc.org/libc v1.72.3 h1:ZnDF4tXn4NBXFutMMQC4vtbTFSXhhKzR73fv0beZEAU=
+modernc.org/libc v1.72.3/go.mod h1:dn0dZNnnn1clLyvRxLxYExxiKRZIRENOfqQ8XEeg4Qs=
+modernc.org/mathutil v1.7.1 h1:GCZVGXdaN8gTqB1Mf/usp1Y/hSqgI2vAGGP4jZMCxOU=
+modernc.org/mathutil v1.7.1/go.mod h1:4p5IwJITfppl0G4sUEDtCr4DthTaT47/N3aT6MhfgJg=
+modernc.org/memory v1.11.0 h1:o4QC8aMQzmcwCK3t3Ux/ZHmwFPzE6hf2Y5LbkRs+hbI=
+modernc.org/memory v1.11.0/go.mod h1:/JP4VbVC+K5sU2wZi9bHoq2MAkCnrt2r98UGeSK7Mjw=
+modernc.org/opt v0.2.0 h1:tGyef5ApycA7FSEOMraay9SaTk5zmbx7Tu+cJs4QKZg=
+modernc.org/opt v0.2.0/go.mod h1:03fq9lsNfvkYSfxrfUhZCWPk1lm4cq4N+Bh//bEtgns=
+modernc.org/sortutil v1.2.1 h1:+xyoGf15mM3NMlPDnFqrteY07klSFxLElE2PVuWIJ7w=
+modernc.org/sortutil v1.2.1/go.mod h1:7ZI3a3REbai7gzCLcotuw9AC4VZVpYMjDzETGsSMqJE=
+modernc.org/sqlite v1.51.0 h1:aH/MMSoayAIhozZ7uJbVTT9QO/VhzBf0J9tymmmuC/U=
+modernc.org/sqlite v1.51.0/go.mod h1:tcNzv5p84E0skkmJn038y+hWJbLQXQqEnQfeh5r2JLM=
+modernc.org/strutil v1.2.1 h1:UneZBkQA+DX2Rp35KcM69cSsNES9ly8mQWD71HKlOA0=
+modernc.org/strutil v1.2.1/go.mod h1:EHkiggD70koQxjVdSBM3JKM7k6L0FbGE5eymy9i3B9A=
+modernc.org/token v1.1.0 h1:Xl7Ap9dKaEs5kLoOQeQmPWevfnk/DM5qcLcYlA8ys6Y=
+modernc.org/token v1.1.0/go.mod h1:UGzOrNV1mAFSEB63lOFHIpNRUVMvYTc6yu1SMY/XTDM=
 nhooyr.io/websocket v1.8.7 h1:usjR2uOr/zjjkVMy0lW+PPohFok7PCow5sDjLgX4P4g=
 nhooyr.io/websocket v1.8.7/go.mod h1:B70DZP8IakI65RVQ51MsWP/8jndNma26DVA/nFSCgW0=
 rsc.io/pdf v0.1.1/go.mod h1:n8OzWcQ6Sp37PL01nO98y4iUCRdTGarVfzxY20ICaU4=
diff --git a/internal/authorization/cache.go b/internal/authorization/cache.go
deleted file mode 100644
index d10d98f6..00000000
--- a/internal/authorization/cache.go
+++ /dev/null
@@ -1,91 +0,0 @@
-package authorization
-
-import (
-	"sync"
-	"time"
-)
-
-// cache holds in-process membership caches that don't fit the string-only
-// memory_store.Provider API. Decision results (allowed / denied for a
-// (principal, resource, scope)) live in memory_store instead — see
-// evaluator.go.
-//
-// validSets caches the bounded set of known resource and scope names so
-// validateResourceExists / validateScopeExists avoid a storage round-trip
-// on every CheckPermission call. A zero-length set is a valid cached value
-// meaning "DB was reachable and empty".
-type cache struct {
-	ttl       time.Duration
-	validSets sync.Map // cache key -> map[string]struct{}
-	expiryMap sync.Map // cache key -> time.Time
-}
-
-// newCache creates a new local membership cache. If ttlSeconds is 0,
-// caching is disabled and getValidSet always reports miss.
-func newCache(ttlSeconds int64) *cache {
-	return &cache{
-		ttl: time.Duration(ttlSeconds) * time.Second,
-	}
-}
-
-// enabled reports whether caching is active (TTL > 0).
-func (c *cache) enabled() bool {
-	return c.ttl > 0
-}
-
-// getValidSet returns the cached membership set for the given key.
-// The second return value reports whether the cache had an entry at all.
-// Callers must not mutate the returned map.
-func (c *cache) getValidSet(key string) (map[string]struct{}, bool) {
-	if !c.enabled() {
-		return nil, false
-	}
-	expiry, ok := c.expiryMap.Load(key)
-	if !ok {
-		return nil, false
-	}
-	if time.Now().After(expiry.(time.Time)) {
-		c.validSets.Delete(key)
-		c.expiryMap.Delete(key)
-		return nil, false
-	}
-	v, ok := c.validSets.Load(key)
-	if !ok {
-		return nil, false
-	}
-	return v.(map[string]struct{}), true
-}
-
-// setValidSet stores a membership set under the given key with the
-// configured TTL.
-func (c *cache) setValidSet(key string, set map[string]struct{}) {
-	if !c.enabled() {
-		return
-	}
-	c.validSets.Store(key, set)
-	c.expiryMap.Store(key, time.Now().Add(c.ttl))
-}
-
-// invalidateValidSets evicts all cached validSets entries. Called when an
-// admin mutation may have changed the resource or scope catalog. No-op when
-// caching is disabled — symmetric with setValidSet/getValidSet.
-func (c *cache) invalidateValidSets() {
-	if !c.enabled() {
-		return
-	}
-	c.validSets.Range(func(key, _ any) bool {
-		c.validSets.Delete(key)
-		c.expiryMap.Delete(key)
-		return true
-	})
-}
-
-// validResourcesKey returns the cache key for the set of known resource names.
-func validResourcesKey() string {
-	return "authz:valid_resources"
-}
-
-// validScopesKey returns the cache key for the set of known scope names.
-func validScopesKey() string {
-	return "authz:valid_scopes"
-}
diff --git a/internal/authorization/cache_test.go b/internal/authorization/cache_test.go
deleted file mode 100644
index bb619d38..00000000
--- a/internal/authorization/cache_test.go
+++ /dev/null
@@ -1,77 +0,0 @@
-package authorization
-
-import (
-	"testing"
-)
-
-func TestCache_ValidSets(t *testing.T) {
-	t.Run("miss when caching disabled (TTL=0)", func(t *testing.T) {
-		c := newCache(0)
-		_, ok := c.getValidSet("authz:valid_resources")
-		if ok {
-			t.Fatal("expected cache miss when TTL is 0")
-		}
-	})
-
-	t.Run("miss before any set", func(t *testing.T) {
-		c := newCache(60)
-		_, ok := c.getValidSet("authz:valid_resources")
-		if ok {
-			t.Fatal("expected cache miss for unset key")
-		}
-	})
-
-	t.Run("hit after set", func(t *testing.T) {
-		c := newCache(60)
-		set := map[string]struct{}{"orders": {}, "users": {}}
-		c.setValidSet("authz:valid_resources", set)
-
-		got, ok := c.getValidSet("authz:valid_resources")
-		if !ok {
-			t.Fatal("expected cache hit after setValidSet")
-		}
-		if len(got) != 2 {
-			t.Fatalf("expected 2 entries, got %d", len(got))
-		}
-		if _, found := got["orders"]; !found {
-			t.Error("expected 'orders' in cached set")
-		}
-	})
-
-	t.Run("empty set is a valid cache hit", func(t *testing.T) {
-		c := newCache(60)
-		c.setValidSet("authz:valid_resources", map[string]struct{}{})
-
-		got, ok := c.getValidSet("authz:valid_resources")
-		if !ok {
-			t.Fatal("expected cache hit for empty set (DB reachable but empty)")
-		}
-		if len(got) != 0 {
-			t.Fatalf("expected 0 entries, got %d", len(got))
-		}
-	})
-
-	t.Run("invalidateValidSets clears all entries", func(t *testing.T) {
-		c := newCache(60)
-		c.setValidSet(validResourcesKey(), map[string]struct{}{"orders": {}})
-		c.setValidSet(validScopesKey(), map[string]struct{}{"read": {}})
-
-		c.invalidateValidSets()
-
-		if _, ok := c.getValidSet(validResourcesKey()); ok {
-			t.Error("expected resources set to be evicted after invalidateValidSets")
-		}
-		if _, ok := c.getValidSet(validScopesKey()); ok {
-			t.Error("expected scopes set to be evicted after invalidateValidSets")
-		}
-	})
-
-	t.Run("setValidSet is no-op when TTL=0", func(t *testing.T) {
-		c := newCache(0)
-		c.setValidSet(validResourcesKey(), map[string]struct{}{"orders": {}})
-		_, ok := c.getValidSet(validResourcesKey())
-		if ok {
-			t.Fatal("expected no cache storage when TTL is 0")
-		}
-	})
-}
diff --git a/internal/authorization/engine/engine.go b/internal/authorization/engine/engine.go
new file mode 100644
index 00000000..b4bedb74
--- /dev/null
+++ b/internal/authorization/engine/engine.go
@@ -0,0 +1,143 @@
+// Package engine defines the AuthorizationEngine SPI — the abstraction over a
+// relationship-based access control (ReBAC) backend used by Authorizer's
+// fine-grained authorization (FGA) subsystem.
+//
+// The interface is deliberately backend-agnostic. The Phase 1 implementation
+// (internal/authorization/engine/openfga) embeds OpenFGA in-process, but the
+// same contract is intended to also front an external OpenFGA service. The
+// engine speaks the OpenFGA tuple vocabulary: a tuple relates a user (subject)
+// to an object via a relation, e.g. (user:alice, viewer, document:1).
+//
+// This package is additive (Phase 1 of the OpenFGA migration). It does not
+// replace the existing authorization.Provider (resource/scope/policy engine);
+// both coexist behind the --authorization-engine flag.
+package engine
+
+import "context"
+
+// TupleKey identifies a single relationship: the subject (User) is related to
+// the Object via the Relation. Identifiers are expected to be fully qualified
+// in OpenFGA form, e.g. User="user:alice", Relation="viewer",
+// Object="document:1". The User field may also be a userset reference such as
+// "role:admin#assignee".
+type TupleKey struct {
+	// User is the subject of the relationship (e.g. "user:alice" or a userset
+	// like "role:admin#assignee").
+	User string
+	// Relation is the relation name connecting the user to the object (e.g.
+	// "viewer").
+	Relation string
+	// Object is the fully qualified object (e.g. "document:1").
+	Object string
+}
+
+// ContextualTuple is a tuple supplied only for the duration of a single Check
+// or BatchCheck call. It is not persisted; it lets callers evaluate
+// hypothetical or request-scoped relationships (the OpenFGA contextual-tuples
+// feature) without writing to the store.
+type ContextualTuple struct {
+	// User is the subject of the relationship.
+	User string
+	// Relation is the relation name.
+	Relation string
+	// Object is the fully qualified object.
+	Object string
+}
+
+// CheckRequest is a single relationship-check question: "is User related to
+// Object via Relation?". ContextualTuples, if any, are evaluated alongside the
+// persisted tuples for this check only.
+type CheckRequest struct {
+	// User is the subject being checked (e.g. "user:alice").
+	User string
+	// Relation is the relation to evaluate (e.g. "can_view").
+	Relation string
+	// Object is the fully qualified object (e.g. "document:1").
+	Object string
+	// ContextualTuples are request-scoped tuples not persisted to the store.
+	ContextualTuples []ContextualTuple
+}
+
+// CheckResult is the answer to a single CheckRequest.
+type CheckResult struct {
+	// Allowed reports whether the relationship holds.
+	Allowed bool
+}
+
+// ReadTuplesFilter narrows a ReadTuples query. Any field left empty acts as a
+// wildcard for that position. An entirely empty filter reads all tuples (use
+// with pagination; this is an enumeration surface).
+type ReadTuplesFilter struct {
+	// User filters by subject (optional).
+	User string
+	// Relation filters by relation (optional).
+	Relation string
+	// Object filters by object (optional); may be a type prefix like
+	// "document:" depending on backend support.
+	Object string
+	// PageSize caps the number of tuples returned in one page. Zero lets the
+	// backend choose a default.
+	PageSize int32
+	// ContinuationToken resumes a previous ReadTuples call; empty starts from
+	// the beginning.
+	ContinuationToken string
+}
+
+// ReadTuplesResult is one page of tuples plus a continuation token for the
+// next page (empty when exhausted).
+type ReadTuplesResult struct {
+	// Tuples is the page of matching relationships.
+	Tuples []TupleKey
+	// ContinuationToken, when non-empty, can be passed back via
+	// ReadTuplesFilter.ContinuationToken to fetch the next page.
+	ContinuationToken string
+}
+
+// AuthorizationEngine is the SPI for a ReBAC authorization backend.
+//
+// All decision methods (Check, BatchCheck, ListObjects) are fail-closed at the
+// call site: callers must treat a non-nil error as a deny and never as an
+// allow. Identifiers follow OpenFGA conventions ("type:id", relation names,
+// usersets "type:id#relation").
+//
+// Implementations are expected to be safe for concurrent use.
+type AuthorizationEngine interface {
+	// Check reports whether user is related to object via relation. Optional
+	// contextual tuples are evaluated for this call only and are not persisted.
+	// Returns (false, err) on engine error; callers must fail closed.
+	Check(ctx context.Context, user, relation, object string, ctxTuples ...ContextualTuple) (bool, error)
+
+	// BatchCheck evaluates multiple CheckRequests. The returned slice is
+	// positionally aligned with the input: result[i] answers requests[i]. An
+	// error indicates a whole-batch failure; callers must fail closed for every
+	// request in the batch.
+	BatchCheck(ctx context.Context, requests []CheckRequest) ([]CheckResult, error)
+
+	// ListObjects returns the IDs of objects of type objType to which user is
+	// related via relation. This is the RAG/pre-filter primitive and is an
+	// expensive enumeration surface — callers must paginate, cap, and
+	// rate-limit. Returned IDs are fully qualified ("document:1").
+	ListObjects(ctx context.Context, user, relation, objType string) ([]string, error)
+
+	// WriteTuples persists the given relationship tuples. It is additive;
+	// duplicate writes may error depending on the backend.
+	WriteTuples(ctx context.Context, tuples []TupleKey) error
+
+	// DeleteTuples removes the given relationship tuples. Deleting a
+	// non-existent tuple may error depending on the backend.
+	DeleteTuples(ctx context.Context, tuples []TupleKey) error
+
+	// ReadTuples returns a page of persisted tuples matching the filter, plus a
+	// continuation token. It is an enumeration surface — always paginate.
+	ReadTuples(ctx context.Context, filter ReadTuplesFilter) (*ReadTuplesResult, error)
+
+	// WriteModel installs a new authorization model from its DSL form and
+	// returns the backend-assigned model ID. Writing a model is powerful (a
+	// single edit can re-grant broadly) and must be admin-gated, audited, and
+	// staged by callers.
+	WriteModel(ctx context.Context, dsl string) (string, error)
+
+	// ReadModel returns the currently active authorization model rendered as
+	// DSL.
+	ReadModel(ctx context.Context) (string, error)
+}
diff --git a/internal/authorization/engine/openfga/datastore_sql.go b/internal/authorization/engine/openfga/datastore_sql.go
new file mode 100644
index 00000000..17fd6219
--- /dev/null
+++ b/internal/authorization/engine/openfga/datastore_sql.go
@@ -0,0 +1,71 @@
+package openfga
+
+import (
+	"fmt"
+	"time"
+
+	"github.com/openfga/openfga/pkg/storage"
+	"github.com/openfga/openfga/pkg/storage/migrate"
+	"github.com/openfga/openfga/pkg/storage/mysql"
+	"github.com/openfga/openfga/pkg/storage/postgres"
+	"github.com/openfga/openfga/pkg/storage/sqlcommon"
+	"github.com/openfga/openfga/pkg/storage/sqlite"
+	"github.com/rs/zerolog"
+)
+
+// Default timeouts for the migration bootstrap step.
+const (
+	defaultMigrateTimeout     = 30 * time.Second
+	defaultMigratePingTimeout = 5 * time.Second
+)
+
+// newSQLDatastore opens a SQL-backed OpenFGA datastore against an (optionally
+// just-migrated) schema. The SQLite datastore uses modernc.org/sqlite (pure-Go),
+// which is the single registrant of the "sqlite" database/sql driver shared with
+// Authorizer's GORM SQLite path (see internal/storage/db/sql/sqlitedialect).
+func newSQLDatastore(cfg *Config, log *zerolog.Logger) (storage.OpenFGADatastore, error) {
+	if cfg.RunMigrations {
+		if err := runMigrations(cfg, log); err != nil {
+			return nil, err
+		}
+	}
+	sc := sqlcommon.NewConfig()
+	switch cfg.Store {
+	case StoreSQLite:
+		ds, err := sqlite.New(cfg.StoreURL, sc)
+		if err != nil {
+			return nil, fmt.Errorf("openfga.New: sqlite.New: %w", err)
+		}
+		return ds, nil
+	case StorePostgres:
+		ds, err := postgres.New(cfg.StoreURL, sc)
+		if err != nil {
+			return nil, fmt.Errorf("openfga.New: postgres.New: %w", err)
+		}
+		return ds, nil
+	case StoreMySQL:
+		ds, err := mysql.New(cfg.StoreURL, sc)
+		if err != nil {
+			return nil, fmt.Errorf("openfga.New: mysql.New: %w", err)
+		}
+		return ds, nil
+	default:
+		return nil, fmt.Errorf("openfga.New: unsupported sql store %q", cfg.Store)
+	}
+}
+
+// runMigrations runs the OpenFGA datastore migrations (idempotent, embedded).
+// For HA/serverless this must NOT be called on boot — run it as a separate init
+// job (§2.1).
+func runMigrations(cfg *Config, log *zerolog.Logger) error {
+	log.Info().Str("engine", cfg.Store).Msg("running OpenFGA datastore migrations")
+	if err := migrate.RunMigrations(migrate.MigrationConfig{
+		Engine:      cfg.Store,
+		URI:         cfg.StoreURL,
+		Timeout:     defaultMigrateTimeout,
+		PingTimeout: defaultMigratePingTimeout,
+	}); err != nil {
+		return fmt.Errorf("openfga.New: RunMigrations(%s): %w", cfg.Store, err)
+	}
+	return nil
+}
diff --git a/internal/authorization/engine/openfga/datastore_sqlite_test.go b/internal/authorization/engine/openfga/datastore_sqlite_test.go
new file mode 100644
index 00000000..6740e411
--- /dev/null
+++ b/internal/authorization/engine/openfga/datastore_sqlite_test.go
@@ -0,0 +1,95 @@
+package openfga
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"path/filepath"
+	"testing"
+
+	"github.com/rs/zerolog"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	"gorm.io/gorm"
+
+	"github.com/authorizerdev/authorizer/internal/authorization/engine"
+	sqlitedialect "github.com/authorizerdev/authorizer/internal/storage/db/sql/sqlitedialect"
+)
+
+// TestOpenFGAEngine_SQLiteStore_EndToEnd proves that the embedded SQL-backed
+// OpenFGA engine runs in-process against a real on-disk SQLite database — built
+// into the DEFAULT binary (no fga_sql build tag) — alongside Authorizer's GORM
+// SQLite path, without the historical "sql: Register called twice for driver
+// sqlite" panic.
+//
+// Both code paths use modernc.org/sqlite as the single registrant of the
+// "sqlite" database/sql driver: OpenFGA's sqlite datastore opens it directly,
+// and Authorizer's GORM dialect (internal/storage/db/sql/sqlitedialect) targets
+// the same driver. This test exercises both in one process.
+func TestOpenFGAEngine_SQLiteStore_EndToEnd(t *testing.T) {
+	ctx := context.Background()
+	log := zerolog.New(os.Stderr)
+
+	dir := t.TempDir()
+
+	// 1) Open a GORM SQLite DB via Authorizer's local dialect to assert the two
+	//    SQLite consumers coexist in one process (no double-registration panic).
+	gormDBPath := filepath.Join(dir, "authorizer-main.db")
+	gormDB, err := gorm.Open(
+		sqlitedialect.Open(gormDBPath+"?_pragma=busy_timeout(5000)&_pragma=journal_mode(WAL)"),
+		&gorm.Config{},
+	)
+	require.NoError(t, err, "GORM SQLite (modernc) must open without driver conflict")
+	require.NoError(t, gormDB.Exec("CREATE TABLE IF NOT EXISTS probe (id INTEGER PRIMARY KEY)").Error)
+	require.NoError(t, gormDB.Exec("INSERT INTO probe (id) VALUES (1)").Error)
+	var probeCount int64
+	require.NoError(t, gormDB.Raw("SELECT COUNT(*) FROM probe").Scan(&probeCount).Error)
+	assert.Equal(t, int64(1), probeCount, "GORM SQLite path works")
+
+	// 2) Construct the embedded OpenFGA engine against a SQLite file store, with
+	//    migrations run on boot (single-node mode).
+	fgaDBPath := filepath.Join(dir, "openfga.db")
+	fgaURI := fmt.Sprintf("file:%s", fgaDBPath)
+
+	eng, err := New(&Config{
+		Store:         StoreSQLite,
+		StoreURL:      fgaURI,
+		RunMigrations: true,
+	}, &Dependencies{Log: &log})
+	require.NoError(t, err, "embedded OpenFGA SQLite engine must construct (migrations + open)")
+	require.NotNil(t, eng)
+
+	impl, ok := eng.(*engineImpl)
+	require.True(t, ok)
+	t.Cleanup(impl.Close)
+
+	assert.NotEmpty(t, impl.StoreID(), "store ID bootstrapped on the SQLite store")
+
+	// 3) Write a model + tuples and Check — proving the persistent store works.
+	modelID, err := eng.WriteModel(ctx, testModel)
+	require.NoError(t, err)
+	assert.NotEmpty(t, modelID)
+
+	require.NoError(t, eng.WriteTuples(ctx, []engine.TupleKey{
+		{User: "user:alice", Relation: "viewer", Object: "document:1"},
+		{User: "user:erin", Relation: "viewer", Object: "document:1"},
+		{User: "user:erin", Relation: "blocked", Object: "document:1"},
+	}))
+
+	allowed, err := eng.Check(ctx, "user:alice", "can_view", "document:1")
+	require.NoError(t, err)
+	assert.True(t, allowed, "alice is a viewer and not blocked")
+
+	allowed, err = eng.Check(ctx, "user:erin", "can_view", "document:1")
+	require.NoError(t, err)
+	assert.False(t, allowed, "erin is blocked despite being a viewer")
+
+	allowed, err = eng.Check(ctx, "user:bob", "can_view", "document:1")
+	require.NoError(t, err)
+	assert.False(t, allowed, "bob has no grant")
+
+	// 4) Confirm data was actually persisted to the SQLite file on disk.
+	info, statErr := os.Stat(fgaDBPath)
+	require.NoError(t, statErr, "OpenFGA SQLite db file must exist on disk")
+	assert.Positive(t, info.Size(), "OpenFGA SQLite db file must be non-empty")
+}
diff --git a/internal/authorization/engine/openfga/openfga.go b/internal/authorization/engine/openfga/openfga.go
new file mode 100644
index 00000000..be3b836c
--- /dev/null
+++ b/internal/authorization/engine/openfga/openfga.go
@@ -0,0 +1,223 @@
+// Package openfga implements the engine.AuthorizationEngine SPI by embedding
+// the OpenFGA server in-process (openfga v1.17.1). It supports an in-memory
+// datastore (dev/tests) and persistent SQL datastores (SQLite single-node,
+// Postgres/MySQL for HA) per the migration plan's deployment modes (§2.1).
+//
+// This package is additive (Phase 1). It does not replace the existing
+// resource/scope/policy engine; both are selectable behind
+// --authorization-engine. The principal-pinning, admin-gating, audit, and
+// caching policy described in the plan live in the callers of this engine —
+// this package is the thin, fail-closed adapter over OpenFGA.
+package openfga
+
+import (
+	"context"
+	"fmt"
+	"strconv"
+	"sync"
+
+	openfgav1 "github.com/openfga/api/proto/openfga/v1"
+	"github.com/openfga/openfga/pkg/server"
+	"github.com/openfga/openfga/pkg/storage"
+	"github.com/openfga/openfga/pkg/storage/memory"
+	"github.com/rs/zerolog"
+
+	"github.com/authorizerdev/authorizer/internal/authorization/engine"
+)
+
+// Store kinds for the embedded datastore.
+const (
+	// StoreMemory selects the in-memory datastore (dev/tests only; non-durable).
+	StoreMemory = "memory"
+	// StoreSQLite selects the embedded SQLite datastore (single-node/dev).
+	StoreSQLite = "sqlite"
+	// StorePostgres selects an external Postgres datastore (HA).
+	StorePostgres = "postgres"
+	// StoreMySQL selects an external MySQL datastore (HA).
+	StoreMySQL = "mysql"
+)
+
+// Config holds the parameters needed to construct the embedded OpenFGA engine.
+//
+// StoreID and ModelID are the OpenFGA-assigned ULIDs that Authorizer MUST
+// persist itself (config or main DB) and pass back on every call — OpenFGA does
+// not look stores/models up by name across restarts. When they are empty (e.g.
+// memory store on first boot), the caller is expected to bootstrap via
+// CreateStore + WriteModel and then persist the returned IDs.
+type Config struct {
+	// Store selects the datastore kind: memory|sqlite|postgres|mysql.
+	Store string
+	// StoreURL is the datastore connection URI (file: URI for sqlite, DSN for
+	// postgres/mysql). Ignored for the memory store.
+	StoreURL string
+	// StoreName is the OpenFGA store name used when bootstrapping a new store.
+	StoreName string
+	// StoreID, when set, targets an existing OpenFGA store (skips CreateStore).
+	StoreID string
+	// ModelID, when set, targets an existing authorization model (skips the
+	// need to write one before checks).
+	ModelID string
+	// RunMigrations, when true, runs the datastore migrations during Init for
+	// SQL stores. For HA/serverless this MUST be false — migrations run as a
+	// separate init job (§2.1) to avoid races and cold-start latency.
+	RunMigrations bool
+}
+
+// Dependencies carries shared resources for constructing the engine.
+type Dependencies struct {
+	Log *zerolog.Logger
+}
+
+// engineImpl implements engine.AuthorizationEngine over an embedded OpenFGA
+// server. storeID and modelID are mutated under mu when a store/model is
+// bootstrapped at runtime (memory store / first boot).
+type engineImpl struct {
+	log     *zerolog.Logger
+	srv     *server.Server
+	ds      storage.OpenFGADatastore
+	mu      sync.RWMutex
+	storeID string
+	modelID string
+}
+
+// Compile-time interface verification.
+var _ engine.AuthorizationEngine = &engineImpl{}
+
+// New constructs the embedded OpenFGA engine.
+//
+// Migrations are deliberately NOT run unconditionally: they run only when
+// cfg.RunMigrations is true (single-node/dev). HA and serverless deployments
+// must run migrate.RunMigrations as a separate init job and leave
+// RunMigrations=false so engine boot assumes the schema already exists (§2.1).
+//
+// If cfg.StoreID is empty a new store is created and its ID exposed via
+// StoreID(); callers should persist it. If cfg.ModelID is empty, callers must
+// call WriteModel before issuing checks.
+func New(cfg *Config, deps *Dependencies) (engine.AuthorizationEngine, error) {
+	if cfg == nil {
+		return nil, fmt.Errorf("openfga.New: config is required")
+	}
+	if deps == nil || deps.Log == nil {
+		return nil, fmt.Errorf("openfga.New: logger is required")
+	}
+	log := deps.Log.With().Str("component", "fga-engine").Logger()
+
+	ds, err := newDatastore(cfg, &log)
+	if err != nil {
+		return nil, err
+	}
+
+	srv, err := server.NewServerWithOpts(server.WithDatastore(ds))
+	if err != nil {
+		ds.Close()
+		return nil, fmt.Errorf("openfga.New: NewServerWithOpts: %w", err)
+	}
+
+	e := &engineImpl{
+		log:     &log,
+		srv:     srv,
+		ds:      ds,
+		storeID: cfg.StoreID,
+		modelID: cfg.ModelID,
+	}
+
+	// Bootstrap a store if none was provided. The store ID is exposed via
+	// StoreID() so the caller can persist it for subsequent boots.
+	if e.storeID == "" {
+		store, cErr := srv.CreateStore(context.Background(), &openfgav1.CreateStoreRequest{
+			Name: storeNameOrDefault(cfg.StoreName),
+		})
+		if cErr != nil {
+			srv.Close()
+			ds.Close()
+			return nil, fmt.Errorf("openfga.New: CreateStore: %w", cErr)
+		}
+		e.storeID = store.GetId()
+		log.Info().Str("store_id", e.storeID).Msg("created new OpenFGA store; persist this ID")
+	}
+
+	return e, nil
+}
+
+// newDatastore opens the configured datastore.
+//
+// The memory store and all SQL stores (sqlite/postgres/mysql) are compiled into
+// the default binary. OpenFGA's SQLite datastore uses modernc.org/sqlite, the
+// same pure-Go driver that Authorizer's GORM SQLite dialect now targets (see
+// internal/storage/db/sql/sqlitedialect). Because modernc.org/sqlite is the
+// single registrant of the "sqlite" database/sql driver, embedding SQL-backed
+// FGA alongside the GORM SQLite main DB no longer panics at startup with
+// "sql: Register called twice for driver sqlite".
+func newDatastore(cfg *Config, log *zerolog.Logger) (storage.OpenFGADatastore, error) {
+	switch cfg.Store {
+	case "", StoreMemory:
+		return memory.New(), nil
+	case StoreSQLite, StorePostgres, StoreMySQL:
+		if cfg.StoreURL == "" {
+			return nil, fmt.Errorf("openfga.New: --fga-store-url is required for store %q", cfg.Store)
+		}
+		return newSQLDatastore(cfg, log)
+	default:
+		return nil, fmt.Errorf("openfga.New: unsupported fga store %q (want memory|sqlite|postgres|mysql)", cfg.Store)
+	}
+}
+
+func storeNameOrDefault(name string) string {
+	if name == "" {
+		return "authorizer"
+	}
+	return name
+}
+
+// StoreID returns the OpenFGA store ID this engine is bound to. Callers should
+// persist it (config/main DB) so subsequent boots target the same store.
+func (e *engineImpl) StoreID() string {
+	e.mu.RLock()
+	defer e.mu.RUnlock()
+	return e.storeID
+}
+
+// ModelID returns the currently active authorization model ID, or empty if no
+// model has been written yet. Callers should persist it alongside the store ID.
+func (e *engineImpl) ModelID() string {
+	e.mu.RLock()
+	defer e.mu.RUnlock()
+	return e.modelID
+}
+
+// Close releases the embedded server and datastore, flushing any WAL. It should
+// be deferred at the construction site.
+func (e *engineImpl) Close() {
+	if e.srv != nil {
+		e.srv.Close()
+	}
+	if e.ds != nil {
+		e.ds.Close()
+	}
+}
+
+// ids returns the current store and model IDs under the read lock.
+func (e *engineImpl) ids() (storeID, modelID string) {
+	e.mu.RLock()
+	defer e.mu.RUnlock()
+	return e.storeID, e.modelID
+}
+
+// strconvItoa is a tiny helper to build correlation IDs for BatchCheck.
+func strconvItoa(i int) string { return strconv.Itoa(i) }
+
+// toProtoContextual converts engine contextual tuples to the OpenFGA wire type.
+func toProtoContextual(ctxTuples []engine.ContextualTuple) *openfgav1.ContextualTupleKeys {
+	if len(ctxTuples) == 0 {
+		return nil
+	}
+	keys := make([]*openfgav1.TupleKey, 0, len(ctxTuples))
+	for _, t := range ctxTuples {
+		keys = append(keys, &openfgav1.TupleKey{
+			User:     t.User,
+			Relation: t.Relation,
+			Object:   t.Object,
+		})
+	}
+	return &openfgav1.ContextualTupleKeys{TupleKeys: keys}
+}
diff --git a/internal/authorization/engine/openfga/openfga_test.go b/internal/authorization/engine/openfga/openfga_test.go
new file mode 100644
index 00000000..a017a464
--- /dev/null
+++ b/internal/authorization/engine/openfga/openfga_test.go
@@ -0,0 +1,165 @@
+package openfga
+
+import (
+	"context"
+	"os"
+	"testing"
+
+	"github.com/rs/zerolog"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/authorizerdev/authorizer/internal/authorization/engine"
+)
+
+// testModel mirrors the Phase 0 spike: a document with a viewer grant, a
+// blocked exception, and an effective can_view = viewer but not blocked.
+const testModel = `model
+  schema 1.1
+type user
+type document
+  relations
+    define viewer: [user]
+    define blocked: [user]
+    define can_view: viewer but not blocked`
+
+// newTestEngine constructs the embedded OpenFGA engine over the in-memory
+// datastore and returns it along with its concrete type for Close().
+func newTestEngine(t *testing.T) (engine.AuthorizationEngine, *engineImpl) {
+	t.Helper()
+	log := zerolog.New(os.Stderr)
+	eng, err := New(&Config{Store: StoreMemory}, &Dependencies{Log: &log})
+	require.NoError(t, err)
+	require.NotNil(t, eng)
+
+	impl, ok := eng.(*engineImpl)
+	require.True(t, ok, "expected *engineImpl")
+	t.Cleanup(impl.Close)
+	return eng, impl
+}
+
+func TestOpenFGAEngine_MemoryStore_CheckAndListObjects(t *testing.T) {
+	ctx := context.Background()
+	eng, impl := newTestEngine(t)
+
+	// A store must have been bootstrapped automatically.
+	assert.NotEmpty(t, impl.StoreID(), "store ID should be bootstrapped")
+
+	// Write the model.
+	modelID, err := eng.WriteModel(ctx, testModel)
+	require.NoError(t, err)
+	assert.NotEmpty(t, modelID)
+	assert.Equal(t, modelID, impl.ModelID())
+
+	// Write tuples: alice is a viewer; erin is a viewer but also blocked.
+	err = eng.WriteTuples(ctx, []engine.TupleKey{
+		{User: "user:alice", Relation: "viewer", Object: "document:1"},
+		{User: "user:erin", Relation: "viewer", Object: "document:1"},
+		{User: "user:erin", Relation: "blocked", Object: "document:1"},
+	})
+	require.NoError(t, err)
+
+	t.Run("can_view alice is allowed", func(t *testing.T) {
+		allowed, err := eng.Check(ctx, "user:alice", "can_view", "document:1")
+		require.NoError(t, err)
+		assert.True(t, allowed, "alice is a viewer and not blocked")
+	})
+
+	t.Run("can_view erin is denied by blocked exclusion", func(t *testing.T) {
+		allowed, err := eng.Check(ctx, "user:erin", "can_view", "document:1")
+		require.NoError(t, err)
+		assert.False(t, allowed, "erin is blocked despite being a viewer")
+	})
+
+	t.Run("can_view unknown user is denied", func(t *testing.T) {
+		allowed, err := eng.Check(ctx, "user:bob", "can_view", "document:1")
+		require.NoError(t, err)
+		assert.False(t, allowed, "bob has no grant")
+	})
+
+	t.Run("ListObjects returns only document:1 for alice", func(t *testing.T) {
+		objects, err := eng.ListObjects(ctx, "user:alice", "can_view", "document")
+		require.NoError(t, err)
+		assert.Equal(t, []string{"document:1"}, objects)
+	})
+
+	t.Run("ListObjects returns nothing for blocked erin", func(t *testing.T) {
+		objects, err := eng.ListObjects(ctx, "user:erin", "can_view", "document")
+		require.NoError(t, err)
+		assert.Empty(t, objects)
+	})
+}
+
+func TestOpenFGAEngine_BatchCheck(t *testing.T) {
+	ctx := context.Background()
+	eng, _ := newTestEngine(t)
+
+	_, err := eng.WriteModel(ctx, testModel)
+	require.NoError(t, err)
+	require.NoError(t, eng.WriteTuples(ctx, []engine.TupleKey{
+		{User: "user:alice", Relation: "viewer", Object: "document:1"},
+		{User: "user:erin", Relation: "viewer", Object: "document:1"},
+		{User: "user:erin", Relation: "blocked", Object: "document:1"},
+	}))
+
+	results, err := eng.BatchCheck(ctx, []engine.CheckRequest{
+		{User: "user:alice", Relation: "can_view", Object: "document:1"},
+		{User: "user:erin", Relation: "can_view", Object: "document:1"},
+		{User: "user:bob", Relation: "can_view", Object: "document:1"},
+	})
+	require.NoError(t, err)
+	require.Len(t, results, 3)
+	assert.True(t, results[0].Allowed, "alice allowed")
+	assert.False(t, results[1].Allowed, "erin blocked")
+	assert.False(t, results[2].Allowed, "bob no grant")
+}
+
+func TestOpenFGAEngine_ReadWriteDeleteTuples(t *testing.T) {
+	ctx := context.Background()
+	eng, _ := newTestEngine(t)
+
+	_, err := eng.WriteModel(ctx, testModel)
+	require.NoError(t, err)
+
+	require.NoError(t, eng.WriteTuples(ctx, []engine.TupleKey{
+		{User: "user:alice", Relation: "viewer", Object: "document:1"},
+	}))
+
+	// Read back the tuple.
+	res, err := eng.ReadTuples(ctx, engine.ReadTuplesFilter{Object: "document:1"})
+	require.NoError(t, err)
+	require.Len(t, res.Tuples, 1)
+	assert.Equal(t, "user:alice", res.Tuples[0].User)
+	assert.Equal(t, "viewer", res.Tuples[0].Relation)
+	assert.Equal(t, "document:1", res.Tuples[0].Object)
+
+	// Delete it and confirm it is gone.
+	require.NoError(t, eng.DeleteTuples(ctx, []engine.TupleKey{
+		{User: "user:alice", Relation: "viewer", Object: "document:1"},
+	}))
+	res, err = eng.ReadTuples(ctx, engine.ReadTuplesFilter{Object: "document:1"})
+	require.NoError(t, err)
+	assert.Empty(t, res.Tuples)
+}
+
+func TestOpenFGAEngine_ReadModelRoundtrip(t *testing.T) {
+	ctx := context.Background()
+	eng, _ := newTestEngine(t)
+
+	_, err := eng.WriteModel(ctx, testModel)
+	require.NoError(t, err)
+
+	dsl, err := eng.ReadModel(ctx)
+	require.NoError(t, err)
+	assert.Contains(t, dsl, "type document")
+	assert.Contains(t, dsl, "can_view")
+}
+
+func TestOpenFGAEngine_CheckBeforeModelFailsClosed(t *testing.T) {
+	ctx := context.Background()
+	eng, _ := newTestEngine(t)
+
+	allowed, err := eng.Check(ctx, "user:alice", "can_view", "document:1")
+	assert.Error(t, err, "checking before a model is written must error")
+	assert.False(t, allowed, "must fail closed")
+}
diff --git a/internal/authorization/engine/openfga/operations.go b/internal/authorization/engine/openfga/operations.go
new file mode 100644
index 00000000..5e903690
--- /dev/null
+++ b/internal/authorization/engine/openfga/operations.go
@@ -0,0 +1,263 @@
+package openfga
+
+import (
+	"context"
+	"fmt"
+
+	openfgav1 "github.com/openfga/api/proto/openfga/v1"
+	language "github.com/openfga/language/pkg/go/transformer"
+	"google.golang.org/protobuf/encoding/protojson"
+	"google.golang.org/protobuf/types/known/wrapperspb"
+
+	"github.com/authorizerdev/authorizer/internal/authorization/engine"
+)
+
+// Check reports whether user is related to object via relation. It is
+// fail-closed: any engine error returns (false, err) and callers must treat the
+// error as a deny.
+func (e *engineImpl) Check(ctx context.Context, user, relation, object string, ctxTuples ...engine.ContextualTuple) (bool, error) {
+	storeID, modelID := e.ids()
+	if modelID == "" {
+		return false, fmt.Errorf("openfga.Check: no authorization model written yet")
+	}
+	res, err := e.srv.Check(ctx, &openfgav1.CheckRequest{
+		StoreId:              storeID,
+		AuthorizationModelId: modelID,
+		TupleKey: &openfgav1.CheckRequestTupleKey{
+			User:     user,
+			Relation: relation,
+			Object:   object,
+		},
+		ContextualTuples: toProtoContextual(ctxTuples),
+	})
+	if err != nil {
+		return false, fmt.Errorf("openfga.Check: %w", err)
+	}
+	return res.GetAllowed(), nil
+}
+
+// BatchCheck evaluates multiple checks. The returned slice is positionally
+// aligned with the input. OpenFGA returns results keyed by a per-item
+// correlation ID, so we assign the item index as the correlation ID and map
+// back. A whole-batch error fails closed for every request.
+func (e *engineImpl) BatchCheck(ctx context.Context, requests []engine.CheckRequest) ([]engine.CheckResult, error) {
+	if len(requests) == 0 {
+		return nil, nil
+	}
+	storeID, modelID := e.ids()
+	if modelID == "" {
+		return nil, fmt.Errorf("openfga.BatchCheck: no authorization model written yet")
+	}
+
+	items := make([]*openfgav1.BatchCheckItem, 0, len(requests))
+	for i, r := range requests {
+		items = append(items, &openfgav1.BatchCheckItem{
+			TupleKey: &openfgav1.CheckRequestTupleKey{
+				User:     r.User,
+				Relation: r.Relation,
+				Object:   r.Object,
+			},
+			ContextualTuples: toProtoContextual(r.ContextualTuples),
+			CorrelationId:    strconvItoa(i),
+		})
+	}
+
+	res, err := e.srv.BatchCheck(ctx, &openfgav1.BatchCheckRequest{
+		StoreId:              storeID,
+		AuthorizationModelId: modelID,
+		Checks:               items,
+	})
+	if err != nil {
+		return nil, fmt.Errorf("openfga.BatchCheck: %w", err)
+	}
+
+	results := make([]engine.CheckResult, len(requests))
+	resultMap := res.GetResult()
+	for i := range requests {
+		single, ok := resultMap[strconvItoa(i)]
+		if !ok {
+			return nil, fmt.Errorf("openfga.BatchCheck: missing result for check %d", i)
+		}
+		if cerr := single.GetError(); cerr != nil {
+			return nil, fmt.Errorf("openfga.BatchCheck: check %d errored: %s", i, cerr.GetMessage())
+		}
+		results[i] = engine.CheckResult{Allowed: single.GetAllowed()}
+	}
+	return results, nil
+}
+
+// ListObjects returns the IDs of objects of type objType to which user is
+// related via relation. This is an expensive enumeration surface — callers must
+// paginate/cap/rate-limit at the API boundary.
+func (e *engineImpl) ListObjects(ctx context.Context, user, relation, objType string) ([]string, error) {
+	storeID, modelID := e.ids()
+	if modelID == "" {
+		return nil, fmt.Errorf("openfga.ListObjects: no authorization model written yet")
+	}
+	res, err := e.srv.ListObjects(ctx, &openfgav1.ListObjectsRequest{
+		StoreId:              storeID,
+		AuthorizationModelId: modelID,
+		Type:                 objType,
+		Relation:             relation,
+		User:                 user,
+	})
+	if err != nil {
+		return nil, fmt.Errorf("openfga.ListObjects: %w", err)
+	}
+	return res.GetObjects(), nil
+}
+
+// WriteTuples persists the given relationship tuples.
+func (e *engineImpl) WriteTuples(ctx context.Context, tuples []engine.TupleKey) error {
+	if len(tuples) == 0 {
+		return nil
+	}
+	storeID, modelID := e.ids()
+	keys := make([]*openfgav1.TupleKey, 0, len(tuples))
+	for _, t := range tuples {
+		keys = append(keys, &openfgav1.TupleKey{
+			User:     t.User,
+			Relation: t.Relation,
+			Object:   t.Object,
+		})
+	}
+	_, err := e.srv.Write(ctx, &openfgav1.WriteRequest{
+		StoreId:              storeID,
+		AuthorizationModelId: modelID,
+		Writes:               &openfgav1.WriteRequestWrites{TupleKeys: keys},
+	})
+	if err != nil {
+		return fmt.Errorf("openfga.WriteTuples: %w", err)
+	}
+	return nil
+}
+
+// DeleteTuples removes the given relationship tuples.
+func (e *engineImpl) DeleteTuples(ctx context.Context, tuples []engine.TupleKey) error {
+	if len(tuples) == 0 {
+		return nil
+	}
+	storeID, modelID := e.ids()
+	keys := make([]*openfgav1.TupleKeyWithoutCondition, 0, len(tuples))
+	for _, t := range tuples {
+		keys = append(keys, &openfgav1.TupleKeyWithoutCondition{
+			User:     t.User,
+			Relation: t.Relation,
+			Object:   t.Object,
+		})
+	}
+	_, err := e.srv.Write(ctx, &openfgav1.WriteRequest{
+		StoreId:              storeID,
+		AuthorizationModelId: modelID,
+		Deletes:              &openfgav1.WriteRequestDeletes{TupleKeys: keys},
+	})
+	if err != nil {
+		return fmt.Errorf("openfga.DeleteTuples: %w", err)
+	}
+	return nil
+}
+
+// ReadTuples returns a page of persisted tuples matching the filter. An empty
+// filter reads all tuples (paginated). The filter's User/Relation/Object map to
+// the OpenFGA read tuple-key wildcard semantics.
+func (e *engineImpl) ReadTuples(ctx context.Context, filter engine.ReadTuplesFilter) (*engine.ReadTuplesResult, error) {
+	storeID, _ := e.ids()
+
+	req := &openfgav1.ReadRequest{
+		StoreId:           storeID,
+		ContinuationToken: filter.ContinuationToken,
+	}
+	// Only attach a tuple-key filter when at least one field is set; OpenFGA
+	// rejects an empty (all-wildcard) tuple key but allows omitting it to read
+	// everything.
+	if filter.User != "" || filter.Relation != "" || filter.Object != "" {
+		req.TupleKey = &openfgav1.ReadRequestTupleKey{
+			User:     filter.User,
+			Relation: filter.Relation,
+			Object:   filter.Object,
+		}
+	}
+	if filter.PageSize > 0 {
+		req.PageSize = wrapperspb.Int32(filter.PageSize)
+	}
+
+	res, err := e.srv.Read(ctx, req)
+	if err != nil {
+		return nil, fmt.Errorf("openfga.ReadTuples: %w", err)
+	}
+
+	out := &engine.ReadTuplesResult{
+		ContinuationToken: res.GetContinuationToken(),
+		Tuples:            make([]engine.TupleKey, 0, len(res.GetTuples())),
+	}
+	for _, t := range res.GetTuples() {
+		k := t.GetKey()
+		out.Tuples = append(out.Tuples, engine.TupleKey{
+			User:     k.GetUser(),
+			Relation: k.GetRelation(),
+			Object:   k.GetObject(),
+		})
+	}
+	return out, nil
+}
+
+// WriteModel installs a new authorization model from its DSL form and returns
+// the backend-assigned model ID. The new model becomes the active model for
+// subsequent checks. Model writes are powerful and must be admin-gated, audited
+// and staged by the caller.
+func (e *engineImpl) WriteModel(ctx context.Context, dsl string) (string, error) {
+	parsed, err := language.TransformDSLToProto(dsl)
+	if err != nil {
+		return "", fmt.Errorf("openfga.WriteModel: invalid DSL: %w", err)
+	}
+	storeID, _ := e.ids()
+	wm, err := e.srv.WriteAuthorizationModel(ctx, &openfgav1.WriteAuthorizationModelRequest{
+		StoreId:         storeID,
+		TypeDefinitions: parsed.GetTypeDefinitions(),
+		SchemaVersion:   parsed.GetSchemaVersion(),
+		Conditions:      parsed.GetConditions(),
+	})
+	if err != nil {
+		return "", fmt.Errorf("openfga.WriteModel: %w", err)
+	}
+	modelID := wm.GetAuthorizationModelId()
+
+	e.mu.Lock()
+	e.modelID = modelID
+	e.mu.Unlock()
+
+	e.log.Info().Str("model_id", modelID).Msg("wrote OpenFGA authorization model; persist this ID")
+	return modelID, nil
+}
+
+// ReadModel returns the active authorization model rendered as DSL.
+func (e *engineImpl) ReadModel(ctx context.Context) (string, error) {
+	storeID, modelID := e.ids()
+	if modelID == "" {
+		return "", fmt.Errorf("openfga.ReadModel: no authorization model written yet")
+	}
+	res, err := e.srv.ReadAuthorizationModel(ctx, &openfgav1.ReadAuthorizationModelRequest{
+		StoreId: storeID,
+		Id:      modelID,
+	})
+	if err != nil {
+		return "", fmt.Errorf("openfga.ReadModel: %w", err)
+	}
+	// Render via the JSON-string transformer rather than the proto-direct
+	// TransformJSONProtoToDSL: the latter (language v0.2.1) errors on relations
+	// that participate only in a "but not" exclusion (e.g. "not supported by the
+	// OpenFGA DSL syntax yet"). The protojson -> JSONString path handles the
+	// same model correctly.
+	jsonBytes, err := protojson.Marshal(res.GetAuthorizationModel())
+	if err != nil {
+		return "", fmt.Errorf("openfga.ReadModel: marshal model: %w", err)
+	}
+	dsl, err := language.TransformJSONStringToDSL(string(jsonBytes))
+	if err != nil {
+		return "", fmt.Errorf("openfga.ReadModel: render DSL: %w", err)
+	}
+	if dsl == nil {
+		return "", fmt.Errorf("openfga.ReadModel: render DSL returned nil")
+	}
+	return *dsl, nil
+}
diff --git a/internal/authorization/evaluator.go b/internal/authorization/evaluator.go
deleted file mode 100644
index 101e9a87..00000000
--- a/internal/authorization/evaluator.go
+++ /dev/null
@@ -1,581 +0,0 @@
-package authorization
-
-import (
-	"context"
-	"crypto/sha256"
-	"encoding/hex"
-	"fmt"
-	"sort"
-	"strings"
-	"time"
-
-	"github.com/authorizerdev/authorizer/internal/constants"
-	"github.com/authorizerdev/authorizer/internal/graph/model"
-	"github.com/authorizerdev/authorizer/internal/metrics"
-	"github.com/authorizerdev/authorizer/internal/storage/schemas"
-)
-
-// MaxPrincipalPermissionEvaluations caps GetPrincipalPermissions at this many
-// resource*scope evaluations per call. Callers hitting the cap receive a sentinel
-// error so they can detect incomplete output.
-const MaxPrincipalPermissionEvaluations = 10000
-
-// Boolean-valued cache entries use these sentinel strings. Any other value
-// stored under an evalKey is a bug — the lookup branch below treats it as a
-// cache miss (returns to the full evaluation path) rather than silently
-// coercing to false.
-//
-// These values are a stable wire format because the cache is now stored in
-// memory_store (Redis or DB-backed), so values written by one process may be
-// read by another at any time, including across rolling restarts. Changing
-// either literal requires a full cache flush; do not edit without coordination.
-const (
-	cacheValTrue  = "true"
-	cacheValFalse = "false"
-)
-
-// policyResult holds the outcome of a single policy evaluation.
-type policyResult struct {
-	denied     bool
-	granted    bool
-	policyName string
-}
-
-// CheckPermission evaluates whether a principal can perform a scope on a resource.
-// It is fail-closed: any missing permission row or unknown (resource, scope) pair
-// results in a deny. It follows this sequence:
-//  1. Validate inputs
-//  2. Check MaxScopes ceiling
-//  3. Check cache
-//  4. Query storage for matching permissions
-//  5. Evaluate policies using decision strategies
-//  6. Cache and return result
-//
-// Every terminal path records exactly one metrics.RecordAuthzCheck call, and
-// AuthzCheckDuration is observed via defer.
-func (p *provider) CheckPermission(ctx context.Context, principal *Principal, resource string, scope string) (result *CheckResult, err error) {
-	start := time.Now()
-	defer func() {
-		metrics.AuthzCheckDuration.Observe(time.Since(start).Seconds())
-	}()
-
-	// Validate inputs.
-	if principal == nil {
-		metrics.RecordAuthzCheck(metrics.AuthzResultError)
-		return nil, fmt.Errorf("principal is required")
-	}
-	if !isValidIdentifier(principal.ID) {
-		metrics.RecordAuthzCheck(metrics.AuthzResultError)
-		return nil, fmt.Errorf("invalid principal ID: %q", principal.ID)
-	}
-	if !isValidIdentifier(resource) {
-		metrics.RecordAuthzCheck(metrics.AuthzResultError)
-		return nil, fmt.Errorf("invalid resource: %q", resource)
-	}
-	if !isValidIdentifier(scope) {
-		metrics.RecordAuthzCheck(metrics.AuthzResultError)
-		return nil, fmt.Errorf("invalid scope: %q", scope)
-	}
-
-	// MaxScopes ceiling.
-	if principal.MaxScopes != nil {
-		scopeStr := resource + ":" + scope
-		found := false
-		for _, ms := range principal.MaxScopes {
-			if ms == scopeStr {
-				found = true
-				break
-			}
-		}
-		if !found {
-			p.log.Debug().
-				Str("principal_id", principal.ID).
-				Str("resource", resource).
-				Str("scope", scope).
-				Msg("denied by MaxScopes ceiling")
-			metrics.RecordAuthzCheck(metrics.AuthzResultDenied)
-			return &CheckResult{Allowed: false}, nil
-		}
-	}
-
-	// Cache lookup. Skip the memory_store round-trip entirely when caching
-	// is disabled (--authorization-cache-ttl=0) — no entry can exist and
-	// the extra IPC is pure latency waste.
-	//
-	// Otherwise memory_store.GetCache returns ("", nil) on miss; treat any
-	// error as a miss so a transient backend issue doesn't fail the request
-	// — we'll re-evaluate against storage. The same value space
-	// ("true"/"false") is used so a negative cached deny avoids a stampede
-	// on repeated probes.
-	cacheKey := evalKey(principal, resource, scope)
-	if p.config.CacheTTL > 0 {
-		cached, cacheErr := p.memoryStore.GetCache(cacheKey)
-		if cacheErr != nil {
-			p.log.Debug().Err(cacheErr).Str("cache_key", cacheKey).
-				Msg("authz: memory_store GetCache failed; treating as miss")
-		}
-		if cached != "" {
-			switch cached {
-			case cacheValTrue:
-				p.log.Debug().
-					Str("principal_id", principal.ID).
-					Str("resource", resource).
-					Str("scope", scope).
-					Bool("allowed", true).
-					Msg("authorization cache hit")
-				metrics.RecordAuthzCheck(metrics.AuthzResultAllowed)
-				return &CheckResult{Allowed: true}, nil
-			case cacheValFalse:
-				p.log.Debug().
-					Str("principal_id", principal.ID).
-					Str("resource", resource).
-					Str("scope", scope).
-					Bool("allowed", false).
-					Msg("authorization cache hit")
-				metrics.RecordAuthzCheck(metrics.AuthzResultDenied)
-				return &CheckResult{Allowed: false}, nil
-			default:
-				p.log.Warn().Str("cache_key", cacheKey).Str("value", cached).
-					Msg("authz: unexpected cached eval value, ignoring")
-			}
-		}
-	}
-
-	// Resource/scope existence. Fail-closed: if the probe itself errors, surface the error to
-	// the caller rather than falling through to handleNoPermission.
-	knownResource, err := p.validateResourceExists(ctx, resource)
-	if err != nil {
-		metrics.RecordAuthzCheck(metrics.AuthzResultError)
-		return nil, err
-	}
-	knownScope := true
-	if knownResource {
-		// Only probe scope when resource is valid; avoids a second lookup on
-		// the unknown-resource path.
-		knownScope, err = p.validateScopeExists(ctx, scope)
-		if err != nil {
-			metrics.RecordAuthzCheck(metrics.AuthzResultError)
-			return nil, err
-		}
-	}
-	if !knownResource || !knownScope {
-		// Unknown identifier — skip counter bumps (DoS guard for attacker-
-		// controlled inputs reaching CheckPermission, e.g. via GraphQL
-		// permissions / required_permissions on authenticated endpoints).
-		return p.handleNoPermission(cacheKey, false /* isKnown */), nil
-	}
-
-	// Permissions.
-	perms, err := p.storageProvider.GetPermissionsForResourceScope(ctx, resource, scope)
-	if err != nil {
-		metrics.RecordAuthzCheck(metrics.AuthzResultError)
-		return nil, fmt.Errorf("failed to query permissions: %w", err)
-	}
-	if len(perms) == 0 {
-		// Known (resource, scope) but no permission row — this is the signal
-		// we DO want to track for rollout.
-		return p.handleNoPermission(cacheKey, true /* isKnown */), nil
-	}
-
-	// Policy evaluation. Track the first non-empty deny attribution so we
-	// can surface it on the deny path for audit/debugging — resolveDecision
-	// returns the denying policy name when an explicit deny fires; empty
-	// strings mean "no policy contributed a verdict."
-	var denyMatchedPolicy string
-	for _, perm := range perms {
-		allowed, matchedPolicy := p.evaluatePermission(principal, perm)
-		if allowed {
-			p.cacheStore(cacheKey, cacheValTrue)
-			p.log.Debug().
-				Str("principal_id", principal.ID).
-				Str("resource", resource).
-				Str("scope", scope).
-				Str("matched_policy", matchedPolicy).
-				Msg("authorization granted")
-			metrics.RecordAuthzCheck(metrics.AuthzResultAllowed)
-			return &CheckResult{Allowed: true, MatchedPolicy: matchedPolicy}, nil
-		}
-		if denyMatchedPolicy == "" && matchedPolicy != "" {
-			denyMatchedPolicy = matchedPolicy
-		}
-	}
-
-	// No permission granted access.
-	p.cacheStore(cacheKey, cacheValFalse)
-	p.log.Debug().
-		Str("principal_id", principal.ID).
-		Str("resource", resource).
-		Str("scope", scope).
-		Str("matched_policy", denyMatchedPolicy).
-		Msg("authorization denied")
-	metrics.RecordAuthzCheck(metrics.AuthzResultDenied)
-	return &CheckResult{Allowed: false, MatchedPolicy: denyMatchedPolicy}, nil
-}
-
-// handleNoPermission returns a deny result for an unmatched (resource, scope)
-// pair, caches it under cacheKey, and conditionally records the unmatched
-// metric. The isKnown parameter reports whether the pair is registered in the
-// DB — the unmatched metric is recorded only for known pairs to prevent
-// unbounded counter growth from attacker-controlled identifiers reaching
-// CheckPermission via authenticated GraphQL (permissions /
-// required_permissions).
-func (p *provider) handleNoPermission(cacheKey string, isKnown bool) *CheckResult {
-	if isKnown {
-		metrics.RecordAuthzUnmatched()
-	}
-	p.cacheStore(cacheKey, cacheValFalse)
-	metrics.RecordAuthzCheck(metrics.AuthzResultUnmatched)
-	return &CheckResult{Allowed: false}
-}
-
-// evaluatePermission evaluates all policies attached to a single permission
-// and combines their results using the permission's decision strategy.
-func (p *provider) evaluatePermission(principal *Principal, perm *schemas.PermissionWithPolicies) (bool, string) {
-	if len(perm.Policies) == 0 {
-		return false, ""
-	}
-
-	results := make([]policyResult, 0, len(perm.Policies))
-	for i := range perm.Policies {
-		policy := &perm.Policies[i]
-		denied, granted := p.evaluatePolicy(principal, policy)
-		results = append(results, policyResult{
-			denied:     denied,
-			granted:    granted,
-			policyName: policy.PolicyName,
-		})
-	}
-
-	return resolveDecision(results, perm.DecisionStrategy)
-}
-
-// evaluatePolicy evaluates a single policy against the principal.
-// It checks whether the principal matches any of the policy's targets,
-// then applies the policy's logic (positive = grant, negative = deny).
-func (p *provider) evaluatePolicy(principal *Principal, policy *schemas.PolicyWithTargets) (denied bool, granted bool) {
-	if len(policy.Targets) == 0 {
-		return false, false
-	}
-
-	var matched bool
-	switch policy.Type {
-	case constants.PolicyTypeRole:
-		matched = evaluateRoleTargets(policy.Targets, principal.Roles, policy.DecisionStrategy)
-	case constants.PolicyTypeUser:
-		matched = evaluateUserTargets(policy.Targets, principal.ID)
-	default:
-		// Unknown policy type -- fail closed.
-		p.log.Warn().
-			Str("policy_type", policy.Type).
-			Str("policy_name", policy.PolicyName).
-			Msg("unknown policy type, denying")
-		return true, false
-	}
-
-	// Apply logic: positive policies grant on match, negative policies deny on match.
-	if policy.Logic == constants.PolicyLogicNegative {
-		return matched, false
-	}
-	return false, matched
-}
-
-// evaluateRoleTargets checks whether any (affirmative) or all (unanimous) of the
-// role targets match the principal's roles.
-func evaluateRoleTargets(targets []schemas.PolicyTargetView, roles []string, strategy string) bool {
-	roleSet := make(map[string]struct{}, len(roles))
-	for _, r := range roles {
-		roleSet[r] = struct{}{}
-	}
-
-	switch strategy {
-	case constants.DecisionStrategyUnanimous:
-		// All role targets must be present in the principal's roles.
-		evaluated := false
-		for _, t := range targets {
-			if t.TargetType != constants.TargetTypeRole {
-				continue
-			}
-			evaluated = true
-			if _, ok := roleSet[t.TargetValue]; !ok {
-				return false
-			}
-		}
-		return evaluated // false if no role targets existed
-	default:
-		// Affirmative (default): any role target match is sufficient.
-		for _, t := range targets {
-			if t.TargetType != constants.TargetTypeRole {
-				continue
-			}
-			if _, ok := roleSet[t.TargetValue]; ok {
-				return true
-			}
-		}
-		return false
-	}
-}
-
-// evaluateUserTargets checks whether any of the user targets match the principal's ID.
-func evaluateUserTargets(targets []schemas.PolicyTargetView, principalID string) bool {
-	for _, t := range targets {
-		if t.TargetType == constants.TargetTypeUser && t.TargetValue == principalID {
-			return true
-		}
-	}
-	return false
-}
-
-// resolveDecision combines multiple policy results using the given strategy.
-// Any explicit deny wins. Otherwise, affirmative grants on any allow, while
-// unanimous requires every policy to grant.
-func resolveDecision(results []policyResult, strategy string) (bool, string) {
-	if len(results) == 0 {
-		return false, ""
-	}
-
-	for _, r := range results {
-		if r.denied {
-			return false, r.policyName
-		}
-	}
-
-	switch strategy {
-	case constants.DecisionStrategyUnanimous:
-		// All policies must grant.
-		for _, r := range results {
-			if !r.granted {
-				return false, ""
-			}
-		}
-		return true, results[0].policyName
-	default:
-		// Affirmative: first grant wins.
-		for _, r := range results {
-			if r.granted {
-				return true, r.policyName
-			}
-		}
-		return false, ""
-	}
-}
-
-// evalKey constructs a cache key for an authorization evaluation result. The
-// effective roles and delegation ceiling are part of the key because the same
-// principal ID can legitimately evaluate to different answers across sessions.
-func evalKey(principal *Principal, resource, scope string) string {
-	fp := principalFingerprint(principal)
-	return fmt.Sprintf("authz:eval:%s:%s:%s:%s", principal.ID, fp, resource, scope)
-}
-
-func principalFingerprint(principal *Principal) string {
-	roles := append([]string(nil), principal.Roles...)
-	sort.Strings(roles)
-	maxScopes := append([]string(nil), principal.MaxScopes...)
-	sort.Strings(maxScopes)
-
-	h := sha256.New()
-	_, _ = h.Write([]byte(principal.Type))
-	_, _ = h.Write([]byte{0})
-	_, _ = h.Write([]byte(strings.Join(roles, "\x00")))
-	_, _ = h.Write([]byte{0})
-	_, _ = h.Write([]byte(strings.Join(maxScopes, "\x00")))
-	return hex.EncodeToString(h.Sum(nil))[:16]
-}
-
-// GetPrincipalPermissions returns all granted resource:scope pairs for a principal.
-// It iterates all known resources and scopes, checking each combination.
-func (p *provider) GetPrincipalPermissions(ctx context.Context, principal *Principal) ([]ResourceScope, error) {
-	if principal == nil {
-		return nil, fmt.Errorf("principal is required")
-	}
-	if !isValidIdentifier(principal.ID) {
-		return nil, fmt.Errorf("invalid principal ID: %q", principal.ID)
-	}
-
-	// Fetch all resources.
-	resources, err := p.fetchAllResources(ctx)
-	if err != nil {
-		return nil, fmt.Errorf("failed to list resources: %w", err)
-	}
-
-	// Fetch all scopes.
-	scopes, err := p.fetchAllScopes(ctx)
-	if err != nil {
-		return nil, fmt.Errorf("failed to list scopes: %w", err)
-	}
-
-	// Hard ceiling: refuse to enumerate O(R*S) permissions beyond the cap.
-	// A tenant with, e.g., 1000 resources * 100 scopes = 100k CheckPermission
-	// calls per request would otherwise saturate the authz subsystem.
-	if int64(len(resources))*int64(len(scopes)) > int64(MaxPrincipalPermissionEvaluations) {
-		return nil, fmt.Errorf("too many permissions to enumerate: %d resources * %d scopes exceeds cap of %d",
-			len(resources), len(scopes), MaxPrincipalPermissionEvaluations)
-	}
-
-	var granted []ResourceScope
-	for _, res := range resources {
-		for _, sc := range scopes {
-			result, err := p.CheckPermission(ctx, principal, res, sc)
-			if err != nil {
-				p.log.Warn().Err(err).
-					Str("resource", res).
-					Str("scope", sc).
-					Msg("error checking permission, skipping")
-				continue
-			}
-			if result.Allowed {
-				granted = append(granted, ResourceScope{
-					Resource: res,
-					Scope:    sc,
-				})
-			}
-		}
-	}
-
-	return granted, nil
-}
-
-// InvalidateCache invalidates cached authorization data matching the given prefix.
-// Both the local membership cache (validSets) and the memory_store decision cache
-// are cleared so stale "allowed" results cannot persist after an admin mutation.
-//
-// When caching is disabled (--authorization-cache-ttl=0), the memory_store
-// delete is skipped — nothing was ever written, so the round-trip would be
-// pure waste. The local validSets clear is still cheap and stays unconditional.
-func (p *provider) InvalidateCache(ctx context.Context, prefix string) {
-	p.cache.invalidateValidSets()
-	if p.config.CacheTTL > 0 {
-		if err := p.memoryStore.DeleteCacheByPrefix(prefix); err != nil {
-			p.log.Warn().Err(err).Str("prefix", prefix).
-				Msg("authz: memory_store DeleteCacheByPrefix failed; stale allow results may persist until TTL")
-		}
-	}
-	p.log.Debug().Str("prefix", prefix).Msg("authorization cache invalidated")
-}
-
-// cacheStore writes a decision result to the memory_store cache. No-op when
-// caching is disabled (CacheTTL <= 0). Errors are logged and swallowed — a
-// failed write means the next read will fall through to a full evaluation,
-// which is correct degradation; a write failure must never turn into a hard
-// error on the request path.
-func (p *provider) cacheStore(cacheKey, value string) {
-	if p.config.CacheTTL <= 0 {
-		return
-	}
-	if err := p.memoryStore.SetCache(cacheKey, value, p.config.CacheTTL); err != nil {
-		p.log.Debug().Err(err).Str("cache_key", cacheKey).
-			Msg("authz: memory_store SetCache failed; cache miss next time")
-	}
-}
-
-// validateResourceExists reports whether the given resource is registered.
-// Returns (true, nil) if known; (false, nil) if definitively unknown;
-// (false, err) if the storage probe itself failed.
-//
-// A probe error must NOT be masked as "unknown" — fail-closed on probe
-// error so a transient DB blip surfaces as an error to the caller rather
-// than falling through to handleNoPermission's deny path (which would
-// look indistinguishable from a legitimate unknown resource).
-func (p *provider) validateResourceExists(ctx context.Context, resource string) (bool, error) {
-	cacheKey := validResourcesKey()
-	if set, ok := p.cache.getValidSet(cacheKey); ok {
-		_, found := set[resource]
-		return found, nil
-	}
-
-	names, err := p.fetchAllResources(ctx)
-	if err != nil {
-		return false, fmt.Errorf("probe resources: %w", err)
-	}
-
-	set := make(map[string]struct{}, len(names))
-	for _, n := range names {
-		set[n] = struct{}{}
-	}
-	p.cache.setValidSet(cacheKey, set)
-
-	_, found := set[resource]
-	return found, nil
-}
-
-// validateScopeExists reports whether the given scope is registered.
-// Returns (true, nil) if known; (false, nil) if definitively unknown;
-// (false, err) if the storage probe itself failed.
-func (p *provider) validateScopeExists(ctx context.Context, scope string) (bool, error) {
-	cacheKey := validScopesKey()
-	if set, ok := p.cache.getValidSet(cacheKey); ok {
-		_, found := set[scope]
-		return found, nil
-	}
-
-	names, err := p.fetchAllScopes(ctx)
-	if err != nil {
-		return false, fmt.Errorf("probe scopes: %w", err)
-	}
-
-	set := make(map[string]struct{}, len(names))
-	for _, n := range names {
-		set[n] = struct{}{}
-	}
-	p.cache.setValidSet(cacheKey, set)
-
-	_, found := set[scope]
-	return found, nil
-}
-
-// fetchAllResources retrieves all resource names from storage using pagination.
-func (p *provider) fetchAllResources(ctx context.Context) ([]string, error) {
-	var names []string
-	page := int64(1)
-	limit := int64(100)
-
-	for {
-		pagination := &model.Pagination{
-			Limit:  limit,
-			Offset: (page - 1) * limit,
-			Page:   page,
-		}
-		resources, paginationResult, err := p.storageProvider.ListResources(ctx, pagination)
-		if err != nil {
-			return nil, err
-		}
-		for _, r := range resources {
-			names = append(names, r.Name)
-		}
-		// If we got fewer results than the limit, or reached the total, we're done.
-		if int64(len(resources)) < limit || (paginationResult != nil && paginationResult.Total <= page*limit) {
-			break
-		}
-		page++
-	}
-
-	return names, nil
-}
-
-// fetchAllScopes retrieves all scope names from storage using pagination.
-func (p *provider) fetchAllScopes(ctx context.Context) ([]string, error) {
-	var names []string
-	page := int64(1)
-	limit := int64(100)
-
-	for {
-		pagination := &model.Pagination{
-			Limit:  limit,
-			Offset: (page - 1) * limit,
-			Page:   page,
-		}
-		scopes, paginationResult, err := p.storageProvider.ListScopes(ctx, pagination)
-		if err != nil {
-			return nil, err
-		}
-		for _, s := range scopes {
-			names = append(names, s.Name)
-		}
-		if int64(len(scopes)) < limit || (paginationResult != nil && paginationResult.Total <= page*limit) {
-			break
-		}
-		page++
-	}
-
-	return names, nil
-}
diff --git a/internal/authorization/provider.go b/internal/authorization/provider.go
deleted file mode 100644
index 911082c3..00000000
--- a/internal/authorization/provider.go
+++ /dev/null
@@ -1,102 +0,0 @@
-package authorization
-
-import (
-	"context"
-	"fmt"
-
-	"github.com/rs/zerolog"
-
-	"github.com/authorizerdev/authorizer/internal/memory_store"
-	"github.com/authorizerdev/authorizer/internal/storage"
-)
-
-// Principal represents the entity requesting access.
-// It is deliberately agnostic -- a Principal can be a human user,
-// a service account (M2M), or an AI agent. The evaluation engine
-// does not care about the origin; it only evaluates policies against
-// the principal's identity and roles.
-type Principal struct {
-	// ID is the unique identifier of the principal (user ID, client ID, agent ID).
-	ID string
-	// Type is the kind of principal: "user", "client", or "agent".
-	Type string
-	// Roles are the roles assigned to this principal.
-	Roles []string
-	// MaxScopes is an optional delegation ceiling. If set, the principal
-	// can never be granted permissions beyond this set, regardless of
-	// what policies say. Format: []string{"resource:scope", ...}.
-	// Nil means no ceiling (full access based on policies).
-	MaxScopes []string
-}
-
-// ResourceScope pairs a resource name with a scope name.
-// Used for returning all permissions a principal has.
-type ResourceScope struct {
-	Resource string `json:"resource"`
-	Scope    string `json:"scope"`
-}
-
-// CheckResult contains the result of a permission check with debugging info.
-type CheckResult struct {
-	// Allowed is true if the principal has the requested permission.
-	Allowed bool
-	// MatchedPolicy is the name of the policy that granted access (empty if denied).
-	MatchedPolicy string
-}
-
-// Provider defines the authorization evaluation engine interface.
-type Provider interface {
-	// CheckPermission evaluates whether a principal can perform a scope on a resource.
-	CheckPermission(ctx context.Context, principal *Principal, resource string, scope string) (*CheckResult, error)
-
-	// GetPrincipalPermissions returns all granted resource:scope pairs for a principal.
-	// Used for JWT embedding and dashboard display.
-	GetPrincipalPermissions(ctx context.Context, principal *Principal) ([]ResourceScope, error)
-
-	// InvalidateCache removes cached authorization data matching the given prefix.
-	// Called by admin mutations when permissions/policies change.
-	InvalidateCache(ctx context.Context, prefix string)
-}
-
-// Dependencies carries shared resources for constructing an authorization Provider.
-type Dependencies struct {
-	Log                 *zerolog.Logger
-	StorageProvider     storage.Provider
-	MemoryStoreProvider memory_store.Provider
-}
-
-// Config holds authorization-specific configuration.
-// This is separate from the main config to avoid circular imports.
-// The values are passed in from cmd/root.go.
-type Config struct {
-	// CacheTTL is the cache time-to-live in seconds. 0 disables caching.
-	CacheTTL int64
-}
-
-// provider implements the Provider interface.
-type provider struct {
-	config          *Config
-	log             *zerolog.Logger
-	storageProvider storage.Provider
-	memoryStore     memory_store.Provider
-	cache           *cache
-}
-
-// New creates a new authorization provider.
-//
-// MemoryStoreProvider is required: the evaluator's decision cache is
-// delegated to it. Missing it would surface as a nil-pointer panic on the
-// first CheckPermission call; we'd rather fail loudly at construction.
-func New(cfg *Config, deps *Dependencies) (Provider, error) {
-	if deps == nil || deps.MemoryStoreProvider == nil {
-		return nil, fmt.Errorf("authorization.New: MemoryStoreProvider is required")
-	}
-	p := &provider{
-		config:          cfg,
-		log:             deps.Log,
-		storageProvider: deps.StorageProvider,
-		memoryStore:     deps.MemoryStoreProvider,
-		cache:           newCache(cfg.CacheTTL),
-	}
-	return p, nil
-}
diff --git a/internal/authorization/validators.go b/internal/authorization/validators.go
deleted file mode 100644
index b91422ce..00000000
--- a/internal/authorization/validators.go
+++ /dev/null
@@ -1,22 +0,0 @@
-package authorization
-
-import (
-	"unicode"
-
-	"github.com/authorizerdev/authorizer/internal/constants"
-)
-
-// isValidIdentifier checks that a string is safe for use in cache keys
-// and database queries. Allows alphanumeric, hyphens, underscores.
-// Max constants.MaxAuthzIdentifierLength characters. Empty strings are invalid.
-func isValidIdentifier(s string) bool {
-	if len(s) == 0 || len(s) > constants.MaxAuthzIdentifierLength {
-		return false
-	}
-	for _, r := range s {
-		if !unicode.IsLetter(r) && !unicode.IsDigit(r) && r != '-' && r != '_' {
-			return false
-		}
-	}
-	return true
-}
diff --git a/internal/config/config.go b/internal/config/config.go
index 213ca073..4f52ef9f 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -327,4 +327,27 @@ type Config struct {
 	// AuthorizationLogAllChecks controls whether all permission checks are audit logged.
 	// When false (default), only denied checks are logged. When true, all checks are logged.
 	AuthorizationLogAllChecks bool
+
+	// OpenFGA / Fine-Grained Authorization engine (Phase 1 — additive)
+	// These configure the OpenFGA-backed AuthorizationEngine. The engine is
+	// selectable but NOT yet the default; existing policy-based authorization is
+	// unchanged when AuthorizationEngine is empty or "policy".
+
+	// AuthorizationEngine selects the authorization backend: "policy" (existing
+	// resource/scope/policy engine, default) or "fga" (OpenFGA ReBAC engine).
+	// Empty is treated as "policy" to preserve existing behavior.
+	AuthorizationEngine string
+	// FGAMode selects how the OpenFGA engine runs: "embedded" (in-process,
+	// default) or "external" (a standalone OpenFGA service). Only relevant when
+	// AuthorizationEngine is "fga".
+	FGAMode string
+	// FGAStore selects the OpenFGA datastore kind: "memory" (dev/tests),
+	// "sqlite" (single-node), "postgres" or "mysql" (HA). Default: "memory".
+	FGAStore string
+	// FGAStoreURL is the OpenFGA datastore connection URI: a file: URI for
+	// sqlite, or a DSN for postgres/mysql. Ignored for the memory store.
+	FGAStoreURL string
+	// FGAExternalURL is the gRPC URL of an external OpenFGA service. Only used
+	// when FGAMode is "external".
+	FGAExternalURL string
 }
diff --git a/internal/constants/audit_event.go b/internal/constants/audit_event.go
index 804b775b..8f636bc3 100644
--- a/internal/constants/audit_event.go
+++ b/internal/constants/audit_event.go
@@ -22,14 +22,10 @@ const (
 	AuditResourceTypeEmailTemplate = "email_template"
 	// AuditResourceTypeToken represents an auth token.
 	AuditResourceTypeToken = "token"
-	// AuditResourceTypeAuthzPermission represents a fine-grained-authorization permission entity.
-	AuditResourceTypeAuthzPermission = "authz_permission"
-	// AuditResourceTypeAuthzPolicy represents a fine-grained-authorization policy entity.
-	AuditResourceTypeAuthzPolicy = "authz_policy"
-	// AuditResourceTypeAuthzResource represents a fine-grained-authorization resource entity.
-	AuditResourceTypeAuthzResource = "authz_resource"
-	// AuditResourceTypeAuthzScope represents a fine-grained-authorization scope entity.
-	AuditResourceTypeAuthzScope = "authz_scope"
+	// AuditResourceTypeFgaModel represents a fine-grained authorization model.
+	AuditResourceTypeFgaModel = "fga_model"
+	// AuditResourceTypeFgaTuple represents a fine-grained authorization tuple.
+	AuditResourceTypeFgaTuple = "fga_tuple"
 )
 
 // Audit event type constants used for structured audit logging.
@@ -102,31 +98,12 @@ const (
 	AuditAdminEmailTemplateUpdatedEvent = "admin.email_template_updated"
 	// AuditAdminEmailTemplateDeletedEvent is logged when an admin deletes an email template.
 	AuditAdminEmailTemplateDeletedEvent = "admin.email_template_deleted"
-
-	// AuditAdminAuthzPermissionCreatedEvent is logged when an admin creates an authz permission.
-	AuditAdminAuthzPermissionCreatedEvent = "admin.authz_permission_created"
-	// AuditAdminAuthzPermissionUpdatedEvent is logged when an admin updates an authz permission.
-	AuditAdminAuthzPermissionUpdatedEvent = "admin.authz_permission_updated"
-	// AuditAdminAuthzPermissionDeletedEvent is logged when an admin deletes an authz permission.
-	AuditAdminAuthzPermissionDeletedEvent = "admin.authz_permission_deleted"
-	// AuditAdminAuthzPolicyCreatedEvent is logged when an admin creates an authz policy.
-	AuditAdminAuthzPolicyCreatedEvent = "admin.authz_policy_created"
-	// AuditAdminAuthzPolicyUpdatedEvent is logged when an admin updates an authz policy.
-	AuditAdminAuthzPolicyUpdatedEvent = "admin.authz_policy_updated"
-	// AuditAdminAuthzPolicyDeletedEvent is logged when an admin deletes an authz policy.
-	AuditAdminAuthzPolicyDeletedEvent = "admin.authz_policy_deleted"
-	// AuditAdminAuthzResourceCreatedEvent is logged when an admin creates an authz resource.
-	AuditAdminAuthzResourceCreatedEvent = "admin.authz_resource_created"
-	// AuditAdminAuthzResourceUpdatedEvent is logged when an admin updates an authz resource.
-	AuditAdminAuthzResourceUpdatedEvent = "admin.authz_resource_updated"
-	// AuditAdminAuthzResourceDeletedEvent is logged when an admin deletes an authz resource.
-	AuditAdminAuthzResourceDeletedEvent = "admin.authz_resource_deleted"
-	// AuditAdminAuthzScopeCreatedEvent is logged when an admin creates an authz scope.
-	AuditAdminAuthzScopeCreatedEvent = "admin.authz_scope_created"
-	// AuditAdminAuthzScopeUpdatedEvent is logged when an admin updates an authz scope.
-	AuditAdminAuthzScopeUpdatedEvent = "admin.authz_scope_updated"
-	// AuditAdminAuthzScopeDeletedEvent is logged when an admin deletes an authz scope.
-	AuditAdminAuthzScopeDeletedEvent = "admin.authz_scope_deleted"
+	// AuditAdminFgaModelWrittenEvent is logged when an admin writes a fine-grained authorization model.
+	AuditAdminFgaModelWrittenEvent = "admin.fga_model_written"
+	// AuditAdminFgaTuplesWrittenEvent is logged when an admin writes fine-grained authorization tuples.
+	AuditAdminFgaTuplesWrittenEvent = "admin.fga_tuples_written"
+	// AuditAdminFgaTuplesDeletedEvent is logged when an admin deletes fine-grained authorization tuples.
+	AuditAdminFgaTuplesDeletedEvent = "admin.fga_tuples_deleted"
 
 	// AuditOAuthLoginInitiatedEvent is logged when an OAuth login flow is started.
 	AuditOAuthLoginInitiatedEvent = "oauth.login_initiated"
diff --git a/internal/constants/authorization.go b/internal/constants/authorization.go
deleted file mode 100644
index b16ad784..00000000
--- a/internal/constants/authorization.go
+++ /dev/null
@@ -1,38 +0,0 @@
-package constants
-
-const (
-	// PolicyTypeRole is the policy type for role-based policies.
-	// A role-based policy grants or denies access based on the principal's roles.
-	PolicyTypeRole = "role"
-	// PolicyTypeUser is the policy type for user-based policies.
-	// A user-based policy grants or denies access to specific user IDs.
-	PolicyTypeUser = "user"
-
-	// PolicyLogicPositive grants access when the policy condition matches.
-	PolicyLogicPositive = "positive"
-	// PolicyLogicNegative denies access when the policy condition matches (blacklist).
-	PolicyLogicNegative = "negative"
-
-	// DecisionStrategyAffirmative grants if ANY policy/target grants (OR logic).
-	DecisionStrategyAffirmative = "affirmative"
-	// DecisionStrategyUnanimous grants only if ALL policies/targets agree (AND logic).
-	DecisionStrategyUnanimous = "unanimous"
-
-	// PrincipalTypeUser identifies a human user principal (from authorization_code grant).
-	PrincipalTypeUser = "user"
-	// PrincipalTypeClient identifies a service/M2M principal (from client_credentials grant).
-	PrincipalTypeClient = "client"
-	// PrincipalTypeAgent identifies an AI agent principal (future use).
-	PrincipalTypeAgent = "agent"
-
-	// TargetTypeRole is a policy target that matches by role name.
-	TargetTypeRole = "role"
-	// TargetTypeUser is a policy target that matches by user ID.
-	TargetTypeUser = "user"
-
-	// MaxAuthzIdentifierLength is the maximum allowed length for
-	// authorization resource names, scope names, policy names, and other
-	// FGA identifiers. The limit keeps caches bounded and ensures identifiers
-	// fit within reasonable index / column sizes across all storage providers.
-	MaxAuthzIdentifierLength = 100
-)
diff --git a/internal/graph/generated/generated.go b/internal/graph/generated/generated.go
index e25d9fc6..cdf463d1 100644
--- a/internal/graph/generated/generated.go
+++ b/internal/graph/generated/generated.go
@@ -80,72 +80,6 @@ type ComplexityRoot struct {
 		User                       func(childComplexity int) int
 	}
 
-	AuthzPermission struct {
-		CreatedAt        func(childComplexity int) int
-		DecisionStrategy func(childComplexity int) int
-		Description      func(childComplexity int) int
-		ID               func(childComplexity int) int
-		Name             func(childComplexity int) int
-		Policies         func(childComplexity int) int
-		Resource         func(childComplexity int) int
-		Scopes           func(childComplexity int) int
-		UpdatedAt        func(childComplexity int) int
-	}
-
-	AuthzPermissions struct {
-		Pagination  func(childComplexity int) int
-		Permissions func(childComplexity int) int
-	}
-
-	AuthzPolicies struct {
-		Pagination func(childComplexity int) int
-		Policies   func(childComplexity int) int
-	}
-
-	AuthzPolicy struct {
-		CreatedAt        func(childComplexity int) int
-		DecisionStrategy func(childComplexity int) int
-		Description      func(childComplexity int) int
-		ID               func(childComplexity int) int
-		Logic            func(childComplexity int) int
-		Name             func(childComplexity int) int
-		Targets          func(childComplexity int) int
-		Type             func(childComplexity int) int
-		UpdatedAt        func(childComplexity int) int
-	}
-
-	AuthzPolicyTarget struct {
-		ID          func(childComplexity int) int
-		TargetType  func(childComplexity int) int
-		TargetValue func(childComplexity int) int
-	}
-
-	AuthzResource struct {
-		CreatedAt   func(childComplexity int) int
-		Description func(childComplexity int) int
-		ID          func(childComplexity int) int
-		Name        func(childComplexity int) int
-		UpdatedAt   func(childComplexity int) int
-	}
-
-	AuthzResources struct {
-		Pagination func(childComplexity int) int
-		Resources  func(childComplexity int) int
-	}
-
-	AuthzScope struct {
-		CreatedAt   func(childComplexity int) int
-		Description func(childComplexity int) int
-		ID          func(childComplexity int) int
-		Name        func(childComplexity int) int
-		UpdatedAt   func(childComplexity int) int
-	}
-
-	AuthzScopes struct {
-		Pagination func(childComplexity int) int
-		Scopes     func(childComplexity int) int
-	}
-
 	EmailTemplate struct {
 		CreatedAt func(childComplexity int) int
 		Design    func(childComplexity int) int
@@ -240,6 +174,34 @@ type ComplexityRoot struct {
 		Reason  func(childComplexity int) int
 	}
 
+	FgaBatchCheckResponse struct {
+		Results func(childComplexity int) int
+	}
+
+	FgaCheckResponse struct {
+		Allowed func(childComplexity int) int
+	}
+
+	FgaListObjectsResponse struct {
+		Objects func(childComplexity int) int
+	}
+
+	FgaModel struct {
+		Dsl func(childComplexity int) int
+		ID  func(childComplexity int) int
+	}
+
+	FgaTuple struct {
+		Object   func(childComplexity int) int
+		Relation func(childComplexity int) int
+		User     func(childComplexity int) int
+	}
+
+	FgaTuples struct {
+		ContinuationToken func(childComplexity int) int
+		Tuples            func(childComplexity int) int
+	}
+
 	ForgotPasswordResponse struct {
 		Message                   func(childComplexity int) int
 		ShouldShowMobileOtpScreen func(childComplexity int) int
@@ -280,50 +242,41 @@ type ComplexityRoot struct {
 	}
 
 	Mutation struct {
-		AddEmailTemplate      func(childComplexity int, params model.AddEmailTemplateRequest) int
-		AddWebhook            func(childComplexity int, params model.AddWebhookRequest) int
-		AdminLogin            func(childComplexity int, params model.AdminLoginRequest) int
-		AdminLogout           func(childComplexity int) int
-		AdminSignup           func(childComplexity int, params model.AdminSignupRequest) int
-		AuthzAddPermission    func(childComplexity int, params model.AddPermissionInput) int
-		AuthzAddPolicy        func(childComplexity int, params model.AddPolicyInput) int
-		AuthzAddResource      func(childComplexity int, params model.AddResourceInput) int
-		AuthzAddScope         func(childComplexity int, params model.AddScopeInput) int
-		AuthzDeletePermission func(childComplexity int, id string) int
-		AuthzDeletePolicy     func(childComplexity int, id string) int
-		AuthzDeleteResource   func(childComplexity int, id string) int
-		AuthzDeleteScope      func(childComplexity int, id string) int
-		AuthzUpdatePermission func(childComplexity int, params model.UpdatePermissionInput) int
-		AuthzUpdatePolicy     func(childComplexity int, params model.UpdatePolicyInput) int
-		AuthzUpdateResource   func(childComplexity int, params model.UpdateResourceInput) int
-		AuthzUpdateScope      func(childComplexity int, params model.UpdateScopeInput) int
-		DeactivateAccount     func(childComplexity int) int
-		DeleteEmailTemplate   func(childComplexity int, params model.DeleteEmailTemplateRequest) int
-		DeleteUser            func(childComplexity int, params model.DeleteUserRequest) int
-		DeleteWebhook         func(childComplexity int, params model.WebhookRequest) int
-		EnableAccess          func(childComplexity int, param model.UpdateAccessRequest) int
-		ForgotPassword        func(childComplexity int, params model.ForgotPasswordRequest) int
-		GenerateJwtKeys       func(childComplexity int, params model.GenerateJWTKeysRequest) int
-		InviteMembers         func(childComplexity int, params model.InviteMemberRequest) int
-		Login                 func(childComplexity int, params model.LoginRequest) int
-		Logout                func(childComplexity int) int
-		MagicLinkLogin        func(childComplexity int, params model.MagicLinkLoginRequest) int
-		MobileLogin           func(childComplexity int, params model.MobileLoginRequest) int
-		MobileSignup          func(childComplexity int, params *model.MobileSignUpRequest) int
-		ResendOtp             func(childComplexity int, params model.ResendOTPRequest) int
-		ResendVerifyEmail     func(childComplexity int, params model.ResendVerifyEmailRequest) int
-		ResetPassword         func(childComplexity int, params model.ResetPasswordRequest) int
-		Revoke                func(childComplexity int, params model.OAuthRevokeRequest) int
-		RevokeAccess          func(childComplexity int, param model.UpdateAccessRequest) int
-		Signup                func(childComplexity int, params model.SignUpRequest) int
-		TestEndpoint          func(childComplexity int, params model.TestEndpointRequest) int
-		UpdateEmailTemplate   func(childComplexity int, params model.UpdateEmailTemplateRequest) int
-		UpdateEnv             func(childComplexity int, params model.UpdateEnvRequest) int
-		UpdateProfile         func(childComplexity int, params model.UpdateProfileRequest) int
-		UpdateUser            func(childComplexity int, params model.UpdateUserRequest) int
-		UpdateWebhook         func(childComplexity int, params model.UpdateWebhookRequest) int
-		VerifyEmail           func(childComplexity int, params model.VerifyEmailRequest) int
-		VerifyOtp             func(childComplexity int, params model.VerifyOTPRequest) int
+		AddEmailTemplate    func(childComplexity int, params model.AddEmailTemplateRequest) int
+		AddWebhook          func(childComplexity int, params model.AddWebhookRequest) int
+		AdminLogin          func(childComplexity int, params model.AdminLoginRequest) int
+		AdminLogout         func(childComplexity int) int
+		AdminSignup         func(childComplexity int, params model.AdminSignupRequest) int
+		DeactivateAccount   func(childComplexity int) int
+		DeleteEmailTemplate func(childComplexity int, params model.DeleteEmailTemplateRequest) int
+		DeleteUser          func(childComplexity int, params model.DeleteUserRequest) int
+		DeleteWebhook       func(childComplexity int, params model.WebhookRequest) int
+		EnableAccess        func(childComplexity int, param model.UpdateAccessRequest) int
+		FgaDeleteTuples     func(childComplexity int, params model.FgaWriteTuplesInput) int
+		FgaWriteModel       func(childComplexity int, params model.FgaWriteModelInput) int
+		FgaWriteTuples      func(childComplexity int, params model.FgaWriteTuplesInput) int
+		ForgotPassword      func(childComplexity int, params model.ForgotPasswordRequest) int
+		GenerateJwtKeys     func(childComplexity int, params model.GenerateJWTKeysRequest) int
+		InviteMembers       func(childComplexity int, params model.InviteMemberRequest) int
+		Login               func(childComplexity int, params model.LoginRequest) int
+		Logout              func(childComplexity int) int
+		MagicLinkLogin      func(childComplexity int, params model.MagicLinkLoginRequest) int
+		MobileLogin         func(childComplexity int, params model.MobileLoginRequest) int
+		MobileSignup        func(childComplexity int, params *model.MobileSignUpRequest) int
+		ResendOtp           func(childComplexity int, params model.ResendOTPRequest) int
+		ResendVerifyEmail   func(childComplexity int, params model.ResendVerifyEmailRequest) int
+		ResetPassword       func(childComplexity int, params model.ResetPasswordRequest) int
+		Revoke              func(childComplexity int, params model.OAuthRevokeRequest) int
+		RevokeAccess        func(childComplexity int, param model.UpdateAccessRequest) int
+		Signup              func(childComplexity int, params model.SignUpRequest) int
+		TestEndpoint        func(childComplexity int, params model.TestEndpointRequest) int
+		UpdateEmailTemplate func(childComplexity int, params model.UpdateEmailTemplateRequest) int
+		UpdateEnv           func(childComplexity int, params model.UpdateEnvRequest) int
+		UpdateProfile       func(childComplexity int, params model.UpdateProfileRequest) int
+		UpdateUser          func(childComplexity int, params model.UpdateUserRequest) int
+		UpdateWebhook       func(childComplexity int, params model.UpdateWebhookRequest) int
+		VerifyEmail         func(childComplexity int, params model.VerifyEmailRequest) int
+		VerifyOtp           func(childComplexity int, params model.VerifyOTPRequest) int
 	}
 
 	Pagination struct {
@@ -333,22 +286,17 @@ type ComplexityRoot struct {
 		Total  func(childComplexity int) int
 	}
 
-	Permission struct {
-		Resource func(childComplexity int) int
-		Scope    func(childComplexity int) int
-	}
-
 	Query struct {
 		AdminSession         func(childComplexity int) int
 		AuditLogs            func(childComplexity int, params *model.ListAuditLogRequest) int
-		AuthzPermissions     func(childComplexity int, params *model.PaginatedRequest) int
-		AuthzPolicies        func(childComplexity int, params *model.PaginatedRequest) int
-		AuthzResources       func(childComplexity int, params *model.PaginatedRequest) int
-		AuthzScopes          func(childComplexity int, params *model.PaginatedRequest) int
 		EmailTemplates       func(childComplexity int, params *model.PaginatedRequest) int
 		Env                  func(childComplexity int) int
+		FgaBatchCheck        func(childComplexity int, params model.FgaBatchCheckInput) int
+		FgaCheck             func(childComplexity int, params model.FgaCheckInput) int
+		FgaGetModel          func(childComplexity int) int
+		FgaListObjects       func(childComplexity int, params model.FgaListObjectsInput) int
+		FgaReadTuples        func(childComplexity int, params model.FgaReadTuplesInput) int
 		Meta                 func(childComplexity int) int
-		Permissions          func(childComplexity int) int
 		Profile              func(childComplexity int) int
 		Session              func(childComplexity int, params *model.SessionQueryRequest) int
 		User                 func(childComplexity int, params model.GetUserRequest) int
@@ -490,18 +438,9 @@ type MutationResolver interface {
 	AddEmailTemplate(ctx context.Context, params model.AddEmailTemplateRequest) (*model.Response, error)
 	UpdateEmailTemplate(ctx context.Context, params model.UpdateEmailTemplateRequest) (*model.Response, error)
 	DeleteEmailTemplate(ctx context.Context, params model.DeleteEmailTemplateRequest) (*model.Response, error)
-	AuthzAddResource(ctx context.Context, params model.AddResourceInput) (*model.AuthzResource, error)
-	AuthzUpdateResource(ctx context.Context, params model.UpdateResourceInput) (*model.AuthzResource, error)
-	AuthzDeleteResource(ctx context.Context, id string) (*model.Response, error)
-	AuthzAddScope(ctx context.Context, params model.AddScopeInput) (*model.AuthzScope, error)
-	AuthzUpdateScope(ctx context.Context, params model.UpdateScopeInput) (*model.AuthzScope, error)
-	AuthzDeleteScope(ctx context.Context, id string) (*model.Response, error)
-	AuthzAddPolicy(ctx context.Context, params model.AddPolicyInput) (*model.AuthzPolicy, error)
-	AuthzUpdatePolicy(ctx context.Context, params model.UpdatePolicyInput) (*model.AuthzPolicy, error)
-	AuthzDeletePolicy(ctx context.Context, id string) (*model.Response, error)
-	AuthzAddPermission(ctx context.Context, params model.AddPermissionInput) (*model.AuthzPermission, error)
-	AuthzUpdatePermission(ctx context.Context, params model.UpdatePermissionInput) (*model.AuthzPermission, error)
-	AuthzDeletePermission(ctx context.Context, id string) (*model.Response, error)
+	FgaWriteModel(ctx context.Context, params model.FgaWriteModelInput) (*model.FgaModel, error)
+	FgaWriteTuples(ctx context.Context, params model.FgaWriteTuplesInput) (*model.Response, error)
+	FgaDeleteTuples(ctx context.Context, params model.FgaWriteTuplesInput) (*model.Response, error)
 }
 type QueryResolver interface {
 	Meta(ctx context.Context) (*model.Meta, error)
@@ -519,11 +458,11 @@ type QueryResolver interface {
 	WebhookLogs(ctx context.Context, params *model.ListWebhookLogRequest) (*model.WebhookLogs, error)
 	EmailTemplates(ctx context.Context, params *model.PaginatedRequest) (*model.EmailTemplates, error)
 	AuditLogs(ctx context.Context, params *model.ListAuditLogRequest) (*model.AuditLogs, error)
-	AuthzResources(ctx context.Context, params *model.PaginatedRequest) (*model.AuthzResources, error)
-	AuthzScopes(ctx context.Context, params *model.PaginatedRequest) (*model.AuthzScopes, error)
-	AuthzPolicies(ctx context.Context, params *model.PaginatedRequest) (*model.AuthzPolicies, error)
-	AuthzPermissions(ctx context.Context, params *model.PaginatedRequest) (*model.AuthzPermissions, error)
-	Permissions(ctx context.Context) ([]*model.Permission, error)
+	FgaGetModel(ctx context.Context) (*model.FgaModel, error)
+	FgaReadTuples(ctx context.Context, params model.FgaReadTuplesInput) (*model.FgaTuples, error)
+	FgaCheck(ctx context.Context, params model.FgaCheckInput) (*model.FgaCheckResponse, error)
+	FgaBatchCheck(ctx context.Context, params model.FgaBatchCheckInput) (*model.FgaBatchCheckResponse, error)
+	FgaListObjects(ctx context.Context, params model.FgaListObjectsInput) (*model.FgaListObjectsResponse, error)
 }
 
 type executableSchema struct {
@@ -720,279 +659,6 @@ func (e *executableSchema) Complexity(ctx context.Context, typeName, field strin
 
 		return e.complexity.AuthResponse.User(childComplexity), true
 
-	case "AuthzPermission.created_at":
-		if e.complexity.AuthzPermission.CreatedAt == nil {
-			break
-		}
-
-		return e.complexity.AuthzPermission.CreatedAt(childComplexity), true
-
-	case "AuthzPermission.decision_strategy":
-		if e.complexity.AuthzPermission.DecisionStrategy == nil {
-			break
-		}
-
-		return e.complexity.AuthzPermission.DecisionStrategy(childComplexity), true
-
-	case "AuthzPermission.description":
-		if e.complexity.AuthzPermission.Description == nil {
-			break
-		}
-
-		return e.complexity.AuthzPermission.Description(childComplexity), true
-
-	case "AuthzPermission.id":
-		if e.complexity.AuthzPermission.ID == nil {
-			break
-		}
-
-		return e.complexity.AuthzPermission.ID(childComplexity), true
-
-	case "AuthzPermission.name":
-		if e.complexity.AuthzPermission.Name == nil {
-			break
-		}
-
-		return e.complexity.AuthzPermission.Name(childComplexity), true
-
-	case "AuthzPermission.policies":
-		if e.complexity.AuthzPermission.Policies == nil {
-			break
-		}
-
-		return e.complexity.AuthzPermission.Policies(childComplexity), true
-
-	case "AuthzPermission.resource":
-		if e.complexity.AuthzPermission.Resource == nil {
-			break
-		}
-
-		return e.complexity.AuthzPermission.Resource(childComplexity), true
-
-	case "AuthzPermission.scopes":
-		if e.complexity.AuthzPermission.Scopes == nil {
-			break
-		}
-
-		return e.complexity.AuthzPermission.Scopes(childComplexity), true
-
-	case "AuthzPermission.updated_at":
-		if e.complexity.AuthzPermission.UpdatedAt == nil {
-			break
-		}
-
-		return e.complexity.AuthzPermission.UpdatedAt(childComplexity), true
-
-	case "AuthzPermissions.pagination":
-		if e.complexity.AuthzPermissions.Pagination == nil {
-			break
-		}
-
-		return e.complexity.AuthzPermissions.Pagination(childComplexity), true
-
-	case "AuthzPermissions.permissions":
-		if e.complexity.AuthzPermissions.Permissions == nil {
-			break
-		}
-
-		return e.complexity.AuthzPermissions.Permissions(childComplexity), true
-
-	case "AuthzPolicies.pagination":
-		if e.complexity.AuthzPolicies.Pagination == nil {
-			break
-		}
-
-		return e.complexity.AuthzPolicies.Pagination(childComplexity), true
-
-	case "AuthzPolicies.policies":
-		if e.complexity.AuthzPolicies.Policies == nil {
-			break
-		}
-
-		return e.complexity.AuthzPolicies.Policies(childComplexity), true
-
-	case "AuthzPolicy.created_at":
-		if e.complexity.AuthzPolicy.CreatedAt == nil {
-			break
-		}
-
-		return e.complexity.AuthzPolicy.CreatedAt(childComplexity), true
-
-	case "AuthzPolicy.decision_strategy":
-		if e.complexity.AuthzPolicy.DecisionStrategy == nil {
-			break
-		}
-
-		return e.complexity.AuthzPolicy.DecisionStrategy(childComplexity), true
-
-	case "AuthzPolicy.description":
-		if e.complexity.AuthzPolicy.Description == nil {
-			break
-		}
-
-		return e.complexity.AuthzPolicy.Description(childComplexity), true
-
-	case "AuthzPolicy.id":
-		if e.complexity.AuthzPolicy.ID == nil {
-			break
-		}
-
-		return e.complexity.AuthzPolicy.ID(childComplexity), true
-
-	case "AuthzPolicy.logic":
-		if e.complexity.AuthzPolicy.Logic == nil {
-			break
-		}
-
-		return e.complexity.AuthzPolicy.Logic(childComplexity), true
-
-	case "AuthzPolicy.name":
-		if e.complexity.AuthzPolicy.Name == nil {
-			break
-		}
-
-		return e.complexity.AuthzPolicy.Name(childComplexity), true
-
-	case "AuthzPolicy.targets":
-		if e.complexity.AuthzPolicy.Targets == nil {
-			break
-		}
-
-		return e.complexity.AuthzPolicy.Targets(childComplexity), true
-
-	case "AuthzPolicy.type":
-		if e.complexity.AuthzPolicy.Type == nil {
-			break
-		}
-
-		return e.complexity.AuthzPolicy.Type(childComplexity), true
-
-	case "AuthzPolicy.updated_at":
-		if e.complexity.AuthzPolicy.UpdatedAt == nil {
-			break
-		}
-
-		return e.complexity.AuthzPolicy.UpdatedAt(childComplexity), true
-
-	case "AuthzPolicyTarget.id":
-		if e.complexity.AuthzPolicyTarget.ID == nil {
-			break
-		}
-
-		return e.complexity.AuthzPolicyTarget.ID(childComplexity), true
-
-	case "AuthzPolicyTarget.target_type":
-		if e.complexity.AuthzPolicyTarget.TargetType == nil {
-			break
-		}
-
-		return e.complexity.AuthzPolicyTarget.TargetType(childComplexity), true
-
-	case "AuthzPolicyTarget.target_value":
-		if e.complexity.AuthzPolicyTarget.TargetValue == nil {
-			break
-		}
-
-		return e.complexity.AuthzPolicyTarget.TargetValue(childComplexity), true
-
-	case "AuthzResource.created_at":
-		if e.complexity.AuthzResource.CreatedAt == nil {
-			break
-		}
-
-		return e.complexity.AuthzResource.CreatedAt(childComplexity), true
-
-	case "AuthzResource.description":
-		if e.complexity.AuthzResource.Description == nil {
-			break
-		}
-
-		return e.complexity.AuthzResource.Description(childComplexity), true
-
-	case "AuthzResource.id":
-		if e.complexity.AuthzResource.ID == nil {
-			break
-		}
-
-		return e.complexity.AuthzResource.ID(childComplexity), true
-
-	case "AuthzResource.name":
-		if e.complexity.AuthzResource.Name == nil {
-			break
-		}
-
-		return e.complexity.AuthzResource.Name(childComplexity), true
-
-	case "AuthzResource.updated_at":
-		if e.complexity.AuthzResource.UpdatedAt == nil {
-			break
-		}
-
-		return e.complexity.AuthzResource.UpdatedAt(childComplexity), true
-
-	case "AuthzResources.pagination":
-		if e.complexity.AuthzResources.Pagination == nil {
-			break
-		}
-
-		return e.complexity.AuthzResources.Pagination(childComplexity), true
-
-	case "AuthzResources.resources":
-		if e.complexity.AuthzResources.Resources == nil {
-			break
-		}
-
-		return e.complexity.AuthzResources.Resources(childComplexity), true
-
-	case "AuthzScope.created_at":
-		if e.complexity.AuthzScope.CreatedAt == nil {
-			break
-		}
-
-		return e.complexity.AuthzScope.CreatedAt(childComplexity), true
-
-	case "AuthzScope.description":
-		if e.complexity.AuthzScope.Description == nil {
-			break
-		}
-
-		return e.complexity.AuthzScope.Description(childComplexity), true
-
-	case "AuthzScope.id":
-		if e.complexity.AuthzScope.ID == nil {
-			break
-		}
-
-		return e.complexity.AuthzScope.ID(childComplexity), true
-
-	case "AuthzScope.name":
-		if e.complexity.AuthzScope.Name == nil {
-			break
-		}
-
-		return e.complexity.AuthzScope.Name(childComplexity), true
-
-	case "AuthzScope.updated_at":
-		if e.complexity.AuthzScope.UpdatedAt == nil {
-			break
-		}
-
-		return e.complexity.AuthzScope.UpdatedAt(childComplexity), true
-
-	case "AuthzScopes.pagination":
-		if e.complexity.AuthzScopes.Pagination == nil {
-			break
-		}
-
-		return e.complexity.AuthzScopes.Pagination(childComplexity), true
-
-	case "AuthzScopes.scopes":
-		if e.complexity.AuthzScopes.Scopes == nil {
-			break
-		}
-
-		return e.complexity.AuthzScopes.Scopes(childComplexity), true
-
 	case "EmailTemplate.created_at":
 		if e.complexity.EmailTemplate.CreatedAt == nil {
 			break
@@ -1567,6 +1233,76 @@ func (e *executableSchema) Complexity(ctx context.Context, typeName, field strin
 
 		return e.complexity.Error.Reason(childComplexity), true
 
+	case "FgaBatchCheckResponse.results":
+		if e.complexity.FgaBatchCheckResponse.Results == nil {
+			break
+		}
+
+		return e.complexity.FgaBatchCheckResponse.Results(childComplexity), true
+
+	case "FgaCheckResponse.allowed":
+		if e.complexity.FgaCheckResponse.Allowed == nil {
+			break
+		}
+
+		return e.complexity.FgaCheckResponse.Allowed(childComplexity), true
+
+	case "FgaListObjectsResponse.objects":
+		if e.complexity.FgaListObjectsResponse.Objects == nil {
+			break
+		}
+
+		return e.complexity.FgaListObjectsResponse.Objects(childComplexity), true
+
+	case "FgaModel.dsl":
+		if e.complexity.FgaModel.Dsl == nil {
+			break
+		}
+
+		return e.complexity.FgaModel.Dsl(childComplexity), true
+
+	case "FgaModel.id":
+		if e.complexity.FgaModel.ID == nil {
+			break
+		}
+
+		return e.complexity.FgaModel.ID(childComplexity), true
+
+	case "FgaTuple.object":
+		if e.complexity.FgaTuple.Object == nil {
+			break
+		}
+
+		return e.complexity.FgaTuple.Object(childComplexity), true
+
+	case "FgaTuple.relation":
+		if e.complexity.FgaTuple.Relation == nil {
+			break
+		}
+
+		return e.complexity.FgaTuple.Relation(childComplexity), true
+
+	case "FgaTuple.user":
+		if e.complexity.FgaTuple.User == nil {
+			break
+		}
+
+		return e.complexity.FgaTuple.User(childComplexity), true
+
+	case "FgaTuples.continuation_token":
+		if e.complexity.FgaTuples.ContinuationToken == nil {
+			break
+		}
+
+		return e.complexity.FgaTuples.ContinuationToken(childComplexity), true
+
+	case "FgaTuples.tuples":
+		if e.complexity.FgaTuples.Tuples == nil {
+			break
+		}
+
+		return e.complexity.FgaTuples.Tuples(childComplexity), true
+
 	case "ForgotPasswordResponse.message":
 		if e.complexity.ForgotPasswordResponse.Message == nil {
 			break
@@ -1811,204 +1547,96 @@ func (e *executableSchema) Complexity(ctx context.Context, typeName, field strin
 
 		return e.complexity.Mutation.AdminSignup(childComplexity, args["params"].(model.AdminSignupRequest)), true
 
-	case "Mutation._authz_add_permission":
-		if e.complexity.Mutation.AuthzAddPermission == nil {
+	case "Mutation.deactivate_account":
+		if e.complexity.Mutation.DeactivateAccount == nil {
 			break
 		}
 
-		args, err := ec.field_Mutation__authz_add_permission_args(ctx, rawArgs)
-		if err != nil {
-			return 0, false
-		}
-
-		return e.complexity.Mutation.AuthzAddPermission(childComplexity, args["params"].(model.AddPermissionInput)), true
+		return e.complexity.Mutation.DeactivateAccount(childComplexity), true
 
-	case "Mutation._authz_add_policy":
-		if e.complexity.Mutation.AuthzAddPolicy == nil {
+	case "Mutation._delete_email_template":
+		if e.complexity.Mutation.DeleteEmailTemplate == nil {
 			break
 		}
 
-		args, err := ec.field_Mutation__authz_add_policy_args(ctx, rawArgs)
+		args, err := ec.field_Mutation__delete_email_template_args(ctx, rawArgs)
 		if err != nil {
 			return 0, false
 		}
 
-		return e.complexity.Mutation.AuthzAddPolicy(childComplexity, args["params"].(model.AddPolicyInput)), true
+		return e.complexity.Mutation.DeleteEmailTemplate(childComplexity, args["params"].(model.DeleteEmailTemplateRequest)), true
 
-	case "Mutation._authz_add_resource":
-		if e.complexity.Mutation.AuthzAddResource == nil {
-			break
-		}
-
-		args, err := ec.field_Mutation__authz_add_resource_args(ctx, rawArgs)
-		if err != nil {
-			return 0, false
-		}
-
-		return e.complexity.Mutation.AuthzAddResource(childComplexity, args["params"].(model.AddResourceInput)), true
-
-	case "Mutation._authz_add_scope":
-		if e.complexity.Mutation.AuthzAddScope == nil {
-			break
-		}
-
-		args, err := ec.field_Mutation__authz_add_scope_args(ctx, rawArgs)
-		if err != nil {
-			return 0, false
-		}
-
-		return e.complexity.Mutation.AuthzAddScope(childComplexity, args["params"].(model.AddScopeInput)), true
-
-	case "Mutation._authz_delete_permission":
-		if e.complexity.Mutation.AuthzDeletePermission == nil {
-			break
-		}
-
-		args, err := ec.field_Mutation__authz_delete_permission_args(ctx, rawArgs)
-		if err != nil {
-			return 0, false
-		}
-
-		return e.complexity.Mutation.AuthzDeletePermission(childComplexity, args["id"].(string)), true
-
-	case "Mutation._authz_delete_policy":
-		if e.complexity.Mutation.AuthzDeletePolicy == nil {
-			break
-		}
-
-		args, err := ec.field_Mutation__authz_delete_policy_args(ctx, rawArgs)
-		if err != nil {
-			return 0, false
-		}
-
-		return e.complexity.Mutation.AuthzDeletePolicy(childComplexity, args["id"].(string)), true
-
-	case "Mutation._authz_delete_resource":
-		if e.complexity.Mutation.AuthzDeleteResource == nil {
-			break
-		}
-
-		args, err := ec.field_Mutation__authz_delete_resource_args(ctx, rawArgs)
-		if err != nil {
-			return 0, false
-		}
-
-		return e.complexity.Mutation.AuthzDeleteResource(childComplexity, args["id"].(string)), true
-
-	case "Mutation._authz_delete_scope":
-		if e.complexity.Mutation.AuthzDeleteScope == nil {
-			break
-		}
-
-		args, err := ec.field_Mutation__authz_delete_scope_args(ctx, rawArgs)
-		if err != nil {
-			return 0, false
-		}
-
-		return e.complexity.Mutation.AuthzDeleteScope(childComplexity, args["id"].(string)), true
-
-	case "Mutation._authz_update_permission":
-		if e.complexity.Mutation.AuthzUpdatePermission == nil {
-			break
-		}
-
-		args, err := ec.field_Mutation__authz_update_permission_args(ctx, rawArgs)
-		if err != nil {
-			return 0, false
-		}
-
-		return e.complexity.Mutation.AuthzUpdatePermission(childComplexity, args["params"].(model.UpdatePermissionInput)), true
-
-	case "Mutation._authz_update_policy":
-		if e.complexity.Mutation.AuthzUpdatePolicy == nil {
-			break
-		}
-
-		args, err := ec.field_Mutation__authz_update_policy_args(ctx, rawArgs)
-		if err != nil {
-			return 0, false
-		}
-
-		return e.complexity.Mutation.AuthzUpdatePolicy(childComplexity, args["params"].(model.UpdatePolicyInput)), true
-
-	case "Mutation._authz_update_resource":
-		if e.complexity.Mutation.AuthzUpdateResource == nil {
+	case "Mutation._delete_user":
+		if e.complexity.Mutation.DeleteUser == nil {
 			break
 		}
 
-		args, err := ec.field_Mutation__authz_update_resource_args(ctx, rawArgs)
+		args, err := ec.field_Mutation__delete_user_args(ctx, rawArgs)
 		if err != nil {
 			return 0, false
 		}
 
-		return e.complexity.Mutation.AuthzUpdateResource(childComplexity, args["params"].(model.UpdateResourceInput)), true
+		return e.complexity.Mutation.DeleteUser(childComplexity, args["params"].(model.DeleteUserRequest)), true
 
-	case "Mutation._authz_update_scope":
-		if e.complexity.Mutation.AuthzUpdateScope == nil {
+	case "Mutation._delete_webhook":
+		if e.complexity.Mutation.DeleteWebhook == nil {
 			break
 		}
 
-		args, err := ec.field_Mutation__authz_update_scope_args(ctx, rawArgs)
+		args, err := ec.field_Mutation__delete_webhook_args(ctx, rawArgs)
 		if err != nil {
 			return 0, false
 		}
 
-		return e.complexity.Mutation.AuthzUpdateScope(childComplexity, args["params"].(model.UpdateScopeInput)), true
-
-	case "Mutation.deactivate_account":
-		if e.complexity.Mutation.DeactivateAccount == nil {
-			break
-		}
-
-		return e.complexity.Mutation.DeactivateAccount(childComplexity), true
+		return e.complexity.Mutation.DeleteWebhook(childComplexity, args["params"].(model.WebhookRequest)), true
 
-	case "Mutation._delete_email_template":
-		if e.complexity.Mutation.DeleteEmailTemplate == nil {
+	case "Mutation._enable_access":
+		if e.complexity.Mutation.EnableAccess == nil {
 			break
 		}
 
-		args, err := ec.field_Mutation__delete_email_template_args(ctx, rawArgs)
+		args, err := ec.field_Mutation__enable_access_args(ctx, rawArgs)
 		if err != nil {
 			return 0, false
 		}
 
-		return e.complexity.Mutation.DeleteEmailTemplate(childComplexity, args["params"].(model.DeleteEmailTemplateRequest)), true
+		return e.complexity.Mutation.EnableAccess(childComplexity, args["param"].(model.UpdateAccessRequest)), true
 
-	case "Mutation._delete_user":
-		if e.complexity.Mutation.DeleteUser == nil {
+	case "Mutation._fga_delete_tuples":
+		if e.complexity.Mutation.FgaDeleteTuples == nil {
 			break
 		}
 
-		args, err := ec.field_Mutation__delete_user_args(ctx, rawArgs)
+		args, err := ec.field_Mutation__fga_delete_tuples_args(ctx, rawArgs)
 		if err != nil {
 			return 0, false
 		}
 
-		return e.complexity.Mutation.DeleteUser(childComplexity, args["params"].(model.DeleteUserRequest)), true
+		return e.complexity.Mutation.FgaDeleteTuples(childComplexity, args["params"].(model.FgaWriteTuplesInput)), true
 
-	case "Mutation._delete_webhook":
-		if e.complexity.Mutation.DeleteWebhook == nil {
+	case "Mutation._fga_write_model":
+		if e.complexity.Mutation.FgaWriteModel == nil {
 			break
 		}
 
-		args, err := ec.field_Mutation__delete_webhook_args(ctx, rawArgs)
+		args, err := ec.field_Mutation__fga_write_model_args(ctx, rawArgs)
 		if err != nil {
 			return 0, false
 		}
 
-		return e.complexity.Mutation.DeleteWebhook(childComplexity, args["params"].(model.WebhookRequest)), true
+		return e.complexity.Mutation.FgaWriteModel(childComplexity, args["params"].(model.FgaWriteModelInput)), true
 
-	case "Mutation._enable_access":
-		if e.complexity.Mutation.EnableAccess == nil {
+	case "Mutation._fga_write_tuples":
+		if e.complexity.Mutation.FgaWriteTuples == nil {
 			break
 		}
 
-		args, err := ec.field_Mutation__enable_access_args(ctx, rawArgs)
+		args, err := ec.field_Mutation__fga_write_tuples_args(ctx, rawArgs)
 		if err != nil {
 			return 0, false
 		}
 
-		return e.complexity.Mutation.EnableAccess(childComplexity, args["param"].(model.UpdateAccessRequest)), true
+		return e.complexity.Mutation.FgaWriteTuples(childComplexity, args["params"].(model.FgaWriteTuplesInput)), true
 
 	case "Mutation.forgot_password":
 		if e.complexity.Mutation.ForgotPassword == nil {
@@ -2297,20 +1925,6 @@ func (e *executableSchema) Complexity(ctx context.Context, typeName, field strin
 
 		return e.complexity.Pagination.Total(childComplexity), true
 
-	case "Permission.resource":
-		if e.complexity.Permission.Resource == nil {
-			break
-		}
-
-		return e.complexity.Permission.Resource(childComplexity), true
-
-	case "Permission.scope":
-		if e.complexity.Permission.Scope == nil {
-			break
-		}
-
-		return e.complexity.Permission.Scope(childComplexity), true
-
 	case "Query._admin_session":
 		if e.complexity.Query.AdminSession == nil {
 			break
@@ -2330,72 +1944,79 @@ func (e *executableSchema) Complexity(ctx context.Context, typeName, field strin
 
 		return e.complexity.Query.AuditLogs(childComplexity, args["params"].(*model.ListAuditLogRequest)), true
 
-	case "Query._authz_permissions":
-		if e.complexity.Query.AuthzPermissions == nil {
+	case "Query._email_templates":
+		if e.complexity.Query.EmailTemplates == nil {
 			break
 		}
 
-		args, err := ec.field_Query__authz_permissions_args(ctx, rawArgs)
+		args, err := ec.field_Query__email_templates_args(ctx, rawArgs)
 		if err != nil {
 			return 0, false
 		}
 
-		return e.complexity.Query.AuthzPermissions(childComplexity, args["params"].(*model.PaginatedRequest)), true
+		return e.complexity.Query.EmailTemplates(childComplexity, args["params"].(*model.PaginatedRequest)), true
+
+	case "Query._env":
+		if e.complexity.Query.Env == nil {
+			break
+		}
+
+		return e.complexity.Query.Env(childComplexity), true
 
-	case "Query._authz_policies":
-		if e.complexity.Query.AuthzPolicies == nil {
+	case "Query.fga_batch_check":
+		if e.complexity.Query.FgaBatchCheck == nil {
 			break
 		}
 
-		args, err := ec.field_Query__authz_policies_args(ctx, rawArgs)
+		args, err := ec.field_Query_fga_batch_check_args(ctx, rawArgs)
 		if err != nil {
 			return 0, false
 		}
 
-		return e.complexity.Query.AuthzPolicies(childComplexity, args["params"].(*model.PaginatedRequest)), true
+		return e.complexity.Query.FgaBatchCheck(childComplexity, args["params"].(model.FgaBatchCheckInput)), true
 
-	case "Query._authz_resources":
-		if e.complexity.Query.AuthzResources == nil {
+	case "Query.fga_check":
+		if e.complexity.Query.FgaCheck == nil {
 			break
 		}
 
-		args, err := ec.field_Query__authz_resources_args(ctx, rawArgs)
+		args, err := ec.field_Query_fga_check_args(ctx, rawArgs)
 		if err != nil {
 			return 0, false
 		}
 
-		return e.complexity.Query.AuthzResources(childComplexity, args["params"].(*model.PaginatedRequest)), true
+		return e.complexity.Query.FgaCheck(childComplexity, args["params"].(model.FgaCheckInput)), true
 
-	case "Query._authz_scopes":
-		if e.complexity.Query.AuthzScopes == nil {
+	case "Query._fga_get_model":
+		if e.complexity.Query.FgaGetModel == nil {
 			break
 		}
 
-		args, err := ec.field_Query__authz_scopes_args(ctx, rawArgs)
-		if err != nil {
-			return 0, false
-		}
-
-		return e.complexity.Query.AuthzScopes(childComplexity, args["params"].(*model.PaginatedRequest)), true
+		return e.complexity.Query.FgaGetModel(childComplexity), true
 
-	case "Query._email_templates":
-		if e.complexity.Query.EmailTemplates == nil {
+	case "Query.fga_list_objects":
+		if e.complexity.Query.FgaListObjects == nil {
 			break
 		}
 
-		args, err := ec.field_Query__email_templates_args(ctx, rawArgs)
+		args, err := ec.field_Query_fga_list_objects_args(ctx, rawArgs)
 		if err != nil {
 			return 0, false
 		}
 
-		return e.complexity.Query.EmailTemplates(childComplexity, args["params"].(*model.PaginatedRequest)), true
+		return e.complexity.Query.FgaListObjects(childComplexity, args["params"].(model.FgaListObjectsInput)), true
 
-	case "Query._env":
-		if e.complexity.Query.Env == nil {
+	case "Query._fga_read_tuples":
+		if e.complexity.Query.FgaReadTuples == nil {
 			break
 		}
 
-		return e.complexity.Query.Env(childComplexity), true
+		args, err := ec.field_Query__fga_read_tuples_args(ctx, rawArgs)
+		if err != nil {
+			return 0, false
+		}
+
+		return e.complexity.Query.FgaReadTuples(childComplexity, args["params"].(model.FgaReadTuplesInput)), true
 
 	case "Query.meta":
 		if e.complexity.Query.Meta == nil {
@@ -2404,13 +2025,6 @@ func (e *executableSchema) Complexity(ctx context.Context, typeName, field strin
 
 		return e.complexity.Query.Meta(childComplexity), true
 
-	case "Query.permissions":
-		if e.complexity.Query.Permissions == nil {
-			break
-		}
-
-		return e.complexity.Query.Permissions(childComplexity), true
-
 	case "Query.profile":
 		if e.complexity.Query.Profile == nil {
 			break
@@ -2948,15 +2562,20 @@ func (e *executableSchema) Exec(ctx context.Context) graphql.ResponseHandler {
 	ec := executionContext{opCtx, e, 0, 0, make(chan graphql.DeferredResult)}
 	inputUnmarshalMap := graphql.BuildUnmarshalerMap(
 		ec.unmarshalInputAddEmailTemplateRequest,
-		ec.unmarshalInputAddPermissionInput,
-		ec.unmarshalInputAddPolicyInput,
-		ec.unmarshalInputAddResourceInput,
-		ec.unmarshalInputAddScopeInput,
 		ec.unmarshalInputAddWebhookRequest,
 		ec.unmarshalInputAdminLoginRequest,
 		ec.unmarshalInputAdminSignupRequest,
 		ec.unmarshalInputDeleteEmailTemplateRequest,
 		ec.unmarshalInputDeleteUserRequest,
+		ec.unmarshalInputFgaBatchCheckInput,
+		ec.unmarshalInputFgaCheckInput,
+		ec.unmarshalInputFgaCheckPairInput,
+		ec.unmarshalInputFgaListObjectsInput,
+		ec.unmarshalInputFgaReadTuplesInput,
+		ec.unmarshalInputFgaRelationInput,
+		ec.unmarshalInputFgaTupleInput,
+		ec.unmarshalInputFgaWriteModelInput,
+		ec.unmarshalInputFgaWriteTuplesInput,
 		ec.unmarshalInputForgotPasswordRequest,
 		ec.unmarshalInputGenerateJWTKeysRequest,
 		ec.unmarshalInputGetUserRequest,
@@ -2970,8 +2589,6 @@ func (e *executableSchema) Exec(ctx context.Context) graphql.ResponseHandler {
 		ec.unmarshalInputOAuthRevokeRequest,
 		ec.unmarshalInputPaginatedRequest,
 		ec.unmarshalInputPaginationRequest,
-		ec.unmarshalInputPermissionInput,
-		ec.unmarshalInputPolicyTargetInput,
 		ec.unmarshalInputResendOTPRequest,
 		ec.unmarshalInputResendVerifyEmailRequest,
 		ec.unmarshalInputResetPasswordRequest,
@@ -2981,11 +2598,7 @@ func (e *executableSchema) Exec(ctx context.Context) graphql.ResponseHandler {
 		ec.unmarshalInputUpdateAccessRequest,
 		ec.unmarshalInputUpdateEmailTemplateRequest,
 		ec.unmarshalInputUpdateEnvRequest,
-		ec.unmarshalInputUpdatePermissionInput,
-		ec.unmarshalInputUpdatePolicyInput,
 		ec.unmarshalInputUpdateProfileRequest,
-		ec.unmarshalInputUpdateResourceInput,
-		ec.unmarshalInputUpdateScopeInput,
 		ec.unmarshalInputUpdateUserRequest,
 		ec.unmarshalInputUpdateWebhookRequest,
 		ec.unmarshalInputValidateJWTTokenRequest,
@@ -3202,6 +2815,44 @@ type Response {
   message: String!
 }
 
+# ---- Fine-grained authorization (FGA) types ----
+
+# FgaTuple is a single relationship: user is related to object via relation.
+# Identifiers follow OpenFGA conventions: user "user:alice" (or userset
+# "role:admin#assignee"), object "document:1".
+type FgaTuple {
+  user: String!
+  relation: String!
+  object: String!
+}
+
+# FgaModel describes an authorization model (id + DSL form).
+type FgaModel {
+  id: String!
+  dsl: String!
+}
+
+# FgaTuples is a page of tuples plus a continuation token (empty when exhausted).
+type FgaTuples {
+  tuples: [FgaTuple!]!
+  continuation_token: String
+}
+
+# FgaCheckResponse is the result of a single relationship check.
+type FgaCheckResponse {
+  allowed: Boolean!
+}
+
+# FgaBatchCheckResponse is the positionally-aligned result of a batch check.
+type FgaBatchCheckResponse {
+  results: [FgaCheckResponse!]!
+}
+
+# FgaListObjectsResponse lists fully-qualified object ids the caller relates to.
+type FgaListObjectsResponse {
+  objects: [String!]!
+}
+
 type ForgotPasswordResponse {
   message: String!
   should_show_mobile_otp_screen: Boolean
@@ -3602,10 +3253,10 @@ input SessionQueryRequest {
   # when a session already exists and the login UI auto-detects it,
   # passing state ensures the authorization code state is properly stored
   state: String
-  # required_permissions is an optional list of resource:scope pairs that
-  # must all be granted to the principal. If any is denied the query returns
-  # unauthorized (AND semantics, matching the roles filter).
-  required_permissions: [PermissionInput!]
+  # required_relations gates the session on fine-grained authorization.
+  # Each (relation, object) is checked against the authenticated caller with
+  # AND semantics, fail-closed. Requires --authorization-engine=fga.
+  required_relations: [FgaRelationInput!]
 }
 
 input PaginationRequest {
@@ -3634,13 +3285,17 @@ input ValidateJWTTokenRequest {
   token_type: String!
   token: String!
   roles: [String!]
-  required_permissions: [PermissionInput!]
+  # required_relations gates validation on fine-grained authorization.
+  # AND semantics, fail-closed. Requires --authorization-engine=fga.
+  required_relations: [FgaRelationInput!]
 }
 
 input ValidateSessionRequest {
   cookie: String!
   roles: [String!]
-  required_permissions: [PermissionInput!]
+  # required_relations gates validation on fine-grained authorization.
+  # AND semantics, fail-closed. Requires --authorization-engine=fga.
+  required_relations: [FgaRelationInput!]
 }
 
 input GenerateJWTKeysRequest {
@@ -3739,143 +3394,71 @@ input GetUserRequest {
   email: String
 }
 
-type AuthzResource {
-  id: ID!
-  name: String!
-  description: String
-  created_at: Int64!
-  updated_at: Int64!
-}
-
-type AuthzResources {
-  pagination: Pagination!
-  resources: [AuthzResource!]!
-}
-
-type AuthzScope {
-  id: ID!
-  name: String!
-  description: String
-  created_at: Int64!
-  updated_at: Int64!
-}
-
-type AuthzScopes {
-  pagination: Pagination!
-  scopes: [AuthzScope!]!
-}
-
-type AuthzPolicyTarget {
-  id: ID!
-  target_type: String!
-  target_value: String!
-}
-
-type AuthzPolicy {
-  id: ID!
-  name: String!
-  description: String
-  type: String!
-  logic: String!
-  decision_strategy: String!
-  targets: [AuthzPolicyTarget!]!
-  created_at: Int64!
-  updated_at: Int64!
-}
-
-type AuthzPolicies {
-  pagination: Pagination!
-  policies: [AuthzPolicy!]!
-}
-
-type AuthzPermission {
-  id: ID!
-  name: String!
-  description: String
-  resource: AuthzResource!
-  scopes: [AuthzScope!]!
-  policies: [AuthzPolicy!]!
-  decision_strategy: String!
-  created_at: Int64!
-  updated_at: Int64!
-}
-
-type AuthzPermissions {
-  pagination: Pagination!
-  permissions: [AuthzPermission!]!
-}
-
-type Permission {
-  resource: String!
-  scope: String!
-}
-
-input AddResourceInput {
-  name: String!
-  description: String
-}
+# ---- Fine-grained authorization (FGA) inputs ----
 
-input UpdateResourceInput {
-  id: ID!
-  name: String
-  description: String
+# FgaTupleInput is a single relationship tuple supplied by an admin for write /
+# delete / read operations.
+input FgaTupleInput {
+  user: String!
+  relation: String!
+  object: String!
 }
 
-input AddScopeInput {
-  name: String!
-  description: String
+# FgaWriteModelInput installs a new authorization model from its DSL form.
+input FgaWriteModelInput {
+  dsl: String!
 }
 
-input UpdateScopeInput {
-  id: ID!
-  name: String
-  description: String
+# FgaWriteTuplesInput is used for both writing and deleting tuples.
+input FgaWriteTuplesInput {
+  tuples: [FgaTupleInput!]!
 }
 
-input PolicyTargetInput {
-  target_type: String!
-  target_value: String!
+# FgaReadTuplesInput is a paginated, optionally-filtered tuple read. Any empty
+# field acts as a wildcard for that position.
+input FgaReadTuplesInput {
+  user: String
+  relation: String
+  object: String
+  page_size: Int64
+  continuation_token: String
 }
 
-input AddPolicyInput {
-  name: String!
-  description: String
-  type: String!
-  logic: String
-  decision_strategy: String
-  targets: [PolicyTargetInput!]!
+# FgaCheckInput asks "is the authenticated caller related to object via
+# relation?". The caller (user) is pinned server-side from the auth token and is
+# NEVER taken from client input. Only relation, object and optional contextual
+# tuples are accepted from the client.
+input FgaCheckInput {
+  relation: String!
+  object: String!
+  contextual_tuples: [FgaTupleInput!]
 }
 
-input UpdatePolicyInput {
-  id: ID!
-  name: String
-  description: String
-  logic: String
-  decision_strategy: String
-  targets: [PolicyTargetInput!]
+# FgaBatchCheckInput evaluates multiple relation/object pairs for the
+# authenticated caller (principal pinned server-side).
+input FgaBatchCheckInput {
+  checks: [FgaCheckPairInput!]!
 }
 
-input AddPermissionInput {
-  name: String!
-  description: String
-  resource_id: ID!
-  scope_ids: [ID!]!
-  policy_ids: [ID!]!
-  decision_strategy: String
+# FgaCheckPairInput is one relation/object pair within a batch check.
+input FgaCheckPairInput {
+  relation: String!
+  object: String!
+  contextual_tuples: [FgaTupleInput!]
 }
 
-input UpdatePermissionInput {
-  id: ID!
-  name: String
-  description: String
-  scope_ids: [ID!]
-  policy_ids: [ID!]
-  decision_strategy: String
+# FgaListObjectsInput enumerates objects of type object_type the authenticated
+# caller relates to via relation (principal pinned server-side).
+input FgaListObjectsInput {
+  relation: String!
+  object_type: String!
 }
 
-input PermissionInput {
-  resource: String!
-  scope: String!
+# FgaRelationInput is a (relation, object) requirement evaluated against the
+# authenticated caller during session/validate. AND semantics, fail-closed.
+input FgaRelationInput {
+  relation: String!
+  object: String!
 }
 
 type Mutation {
@@ -3917,22 +3500,10 @@ type Mutation {
   _add_email_template(params: AddEmailTemplateRequest!): Response!
   _update_email_template(params: UpdateEmailTemplateRequest!): Response!
   _delete_email_template(params: DeleteEmailTemplateRequest!): Response!
-  # Authorization: Resources
-  _authz_add_resource(params: AddResourceInput!): AuthzResource!
-  _authz_update_resource(params: UpdateResourceInput!): AuthzResource!
-  _authz_delete_resource(id: ID!): Response!
-  # Authorization: Scopes
-  _authz_add_scope(params: AddScopeInput!): AuthzScope!
-  _authz_update_scope(params: UpdateScopeInput!): AuthzScope!
-  _authz_delete_scope(id: ID!): Response!
-  # Authorization: Policies
-  _authz_add_policy(params: AddPolicyInput!): AuthzPolicy!
-  _authz_update_policy(params: UpdatePolicyInput!): AuthzPolicy!
-  _authz_delete_policy(id: ID!): Response!
-  # Authorization: Permissions
-  _authz_add_permission(params: AddPermissionInput!): AuthzPermission!
-  _authz_update_permission(params: UpdatePermissionInput!): AuthzPermission!
-  _authz_delete_permission(id: ID!): Response!
+  # FGA admin mutations (super-admin only)
+  _fga_write_model(params: FgaWriteModelInput!): FgaModel!
+  _fga_write_tuples(params: FgaWriteTuplesInput!): Response!
+  _fga_delete_tuples(params: FgaWriteTuplesInput!): Response!
 }
 
 type Query {
@@ -3953,13 +3524,13 @@ type Query {
   _webhook_logs(params: ListWebhookLogRequest): WebhookLogs!
   _email_templates(params: PaginatedRequest): EmailTemplates!
   _audit_logs(params: ListAuditLogRequest): AuditLogs!
-  # Authorization: Admin queries
-  _authz_resources(params: PaginatedRequest): AuthzResources!
-  _authz_scopes(params: PaginatedRequest): AuthzScopes!
-  _authz_policies(params: PaginatedRequest): AuthzPolicies!
-  _authz_permissions(params: PaginatedRequest): AuthzPermissions!
-  # Authorization: User-facing queries
-  permissions: [Permission!]!
+  # FGA admin queries (super-admin only)
+  _fga_get_model: FgaModel!
+  _fga_read_tuples(params: FgaReadTuplesInput!): FgaTuples!
+  # FGA runtime queries (authenticated caller; principal pinned server-side)
+  fga_check(params: FgaCheckInput!): FgaCheckResponse!
+  fga_batch_check(params: FgaBatchCheckInput!): FgaBatchCheckResponse!
+  fga_list_objects(params: FgaListObjectsInput!): FgaListObjectsResponse!
 }
 `, BuiltIn: false},
 }
@@ -4081,476 +3652,224 @@ func (ec *executionContext) field_Mutation__admin_signup_argsParams(
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field_Mutation__authz_add_permission_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Mutation__delete_email_template_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field_Mutation__authz_add_permission_argsParams(ctx, rawArgs)
+	arg0, err := ec.field_Mutation__delete_email_template_argsParams(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
 	args["params"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field_Mutation__authz_add_permission_argsParams(
+func (ec *executionContext) field_Mutation__delete_email_template_argsParams(
 	ctx context.Context,
 	rawArgs map[string]any,
-) (model.AddPermissionInput, error) {
+) (model.DeleteEmailTemplateRequest, error) {
 	if _, ok := rawArgs["params"]; !ok {
-		var zeroVal model.AddPermissionInput
+		var zeroVal model.DeleteEmailTemplateRequest
 		return zeroVal, nil
 	}
 
 	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
 	if tmp, ok := rawArgs["params"]; ok {
-		return ec.unmarshalNAddPermissionInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAddPermissionInput(ctx, tmp)
+		return ec.unmarshalNDeleteEmailTemplateRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐDeleteEmailTemplateRequest(ctx, tmp)
 	}
 
-	var zeroVal model.AddPermissionInput
+	var zeroVal model.DeleteEmailTemplateRequest
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field_Mutation__authz_add_policy_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Mutation__delete_user_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field_Mutation__authz_add_policy_argsParams(ctx, rawArgs)
+	arg0, err := ec.field_Mutation__delete_user_argsParams(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
 	args["params"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field_Mutation__authz_add_policy_argsParams(
+func (ec *executionContext) field_Mutation__delete_user_argsParams(
 	ctx context.Context,
 	rawArgs map[string]any,
-) (model.AddPolicyInput, error) {
+) (model.DeleteUserRequest, error) {
 	if _, ok := rawArgs["params"]; !ok {
-		var zeroVal model.AddPolicyInput
+		var zeroVal model.DeleteUserRequest
 		return zeroVal, nil
 	}
 
 	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
 	if tmp, ok := rawArgs["params"]; ok {
-		return ec.unmarshalNAddPolicyInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAddPolicyInput(ctx, tmp)
+		return ec.unmarshalNDeleteUserRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐDeleteUserRequest(ctx, tmp)
 	}
 
-	var zeroVal model.AddPolicyInput
+	var zeroVal model.DeleteUserRequest
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field_Mutation__authz_add_resource_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Mutation__delete_webhook_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field_Mutation__authz_add_resource_argsParams(ctx, rawArgs)
+	arg0, err := ec.field_Mutation__delete_webhook_argsParams(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
 	args["params"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field_Mutation__authz_add_resource_argsParams(
+func (ec *executionContext) field_Mutation__delete_webhook_argsParams(
 	ctx context.Context,
 	rawArgs map[string]any,
-) (model.AddResourceInput, error) {
+) (model.WebhookRequest, error) {
 	if _, ok := rawArgs["params"]; !ok {
-		var zeroVal model.AddResourceInput
+		var zeroVal model.WebhookRequest
 		return zeroVal, nil
 	}
 
 	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
 	if tmp, ok := rawArgs["params"]; ok {
-		return ec.unmarshalNAddResourceInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAddResourceInput(ctx, tmp)
+		return ec.unmarshalNWebhookRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐWebhookRequest(ctx, tmp)
 	}
 
-	var zeroVal model.AddResourceInput
+	var zeroVal model.WebhookRequest
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field_Mutation__authz_add_scope_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Mutation__enable_access_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field_Mutation__authz_add_scope_argsParams(ctx, rawArgs)
+	arg0, err := ec.field_Mutation__enable_access_argsParam(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
-	args["params"] = arg0
+	args["param"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field_Mutation__authz_add_scope_argsParams(
+func (ec *executionContext) field_Mutation__enable_access_argsParam(
 	ctx context.Context,
 	rawArgs map[string]any,
-) (model.AddScopeInput, error) {
-	if _, ok := rawArgs["params"]; !ok {
-		var zeroVal model.AddScopeInput
+) (model.UpdateAccessRequest, error) {
+	if _, ok := rawArgs["param"]; !ok {
+		var zeroVal model.UpdateAccessRequest
 		return zeroVal, nil
 	}
 
-	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
-	if tmp, ok := rawArgs["params"]; ok {
-		return ec.unmarshalNAddScopeInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAddScopeInput(ctx, tmp)
+	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("param"))
+	if tmp, ok := rawArgs["param"]; ok {
+		return ec.unmarshalNUpdateAccessRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUpdateAccessRequest(ctx, tmp)
 	}
 
-	var zeroVal model.AddScopeInput
+	var zeroVal model.UpdateAccessRequest
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field_Mutation__authz_delete_permission_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Mutation__fga_delete_tuples_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field_Mutation__authz_delete_permission_argsID(ctx, rawArgs)
+	arg0, err := ec.field_Mutation__fga_delete_tuples_argsParams(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
-	args["id"] = arg0
+	args["params"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field_Mutation__authz_delete_permission_argsID(
+func (ec *executionContext) field_Mutation__fga_delete_tuples_argsParams(
 	ctx context.Context,
 	rawArgs map[string]any,
-) (string, error) {
-	if _, ok := rawArgs["id"]; !ok {
-		var zeroVal string
+) (model.FgaWriteTuplesInput, error) {
+	if _, ok := rawArgs["params"]; !ok {
+		var zeroVal model.FgaWriteTuplesInput
 		return zeroVal, nil
 	}
 
-	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("id"))
-	if tmp, ok := rawArgs["id"]; ok {
-		return ec.unmarshalNID2string(ctx, tmp)
+	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
+	if tmp, ok := rawArgs["params"]; ok {
+		return ec.unmarshalNFgaWriteTuplesInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaWriteTuplesInput(ctx, tmp)
 	}
 
-	var zeroVal string
+	var zeroVal model.FgaWriteTuplesInput
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field_Mutation__authz_delete_policy_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Mutation__fga_write_model_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field_Mutation__authz_delete_policy_argsID(ctx, rawArgs)
+	arg0, err := ec.field_Mutation__fga_write_model_argsParams(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
-	args["id"] = arg0
+	args["params"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field_Mutation__authz_delete_policy_argsID(
+func (ec *executionContext) field_Mutation__fga_write_model_argsParams(
 	ctx context.Context,
 	rawArgs map[string]any,
-) (string, error) {
-	if _, ok := rawArgs["id"]; !ok {
-		var zeroVal string
+) (model.FgaWriteModelInput, error) {
+	if _, ok := rawArgs["params"]; !ok {
+		var zeroVal model.FgaWriteModelInput
 		return zeroVal, nil
 	}
 
-	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("id"))
-	if tmp, ok := rawArgs["id"]; ok {
-		return ec.unmarshalNID2string(ctx, tmp)
+	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
+	if tmp, ok := rawArgs["params"]; ok {
+		return ec.unmarshalNFgaWriteModelInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaWriteModelInput(ctx, tmp)
 	}
 
-	var zeroVal string
+	var zeroVal model.FgaWriteModelInput
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field_Mutation__authz_delete_resource_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Mutation__fga_write_tuples_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field_Mutation__authz_delete_resource_argsID(ctx, rawArgs)
+	arg0, err := ec.field_Mutation__fga_write_tuples_argsParams(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
-	args["id"] = arg0
+	args["params"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field_Mutation__authz_delete_resource_argsID(
+func (ec *executionContext) field_Mutation__fga_write_tuples_argsParams(
 	ctx context.Context,
 	rawArgs map[string]any,
-) (string, error) {
-	if _, ok := rawArgs["id"]; !ok {
-		var zeroVal string
+) (model.FgaWriteTuplesInput, error) {
+	if _, ok := rawArgs["params"]; !ok {
+		var zeroVal model.FgaWriteTuplesInput
 		return zeroVal, nil
 	}
 
-	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("id"))
-	if tmp, ok := rawArgs["id"]; ok {
-		return ec.unmarshalNID2string(ctx, tmp)
+	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
+	if tmp, ok := rawArgs["params"]; ok {
+		return ec.unmarshalNFgaWriteTuplesInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaWriteTuplesInput(ctx, tmp)
 	}
 
-	var zeroVal string
+	var zeroVal model.FgaWriteTuplesInput
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field_Mutation__authz_delete_scope_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Mutation__generate_jwt_keys_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field_Mutation__authz_delete_scope_argsID(ctx, rawArgs)
+	arg0, err := ec.field_Mutation__generate_jwt_keys_argsParams(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
-	args["id"] = arg0
+	args["params"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field_Mutation__authz_delete_scope_argsID(
+func (ec *executionContext) field_Mutation__generate_jwt_keys_argsParams(
 	ctx context.Context,
 	rawArgs map[string]any,
-) (string, error) {
-	if _, ok := rawArgs["id"]; !ok {
-		var zeroVal string
+) (model.GenerateJWTKeysRequest, error) {
+	if _, ok := rawArgs["params"]; !ok {
+		var zeroVal model.GenerateJWTKeysRequest
 		return zeroVal, nil
 	}
 
-	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("id"))
-	if tmp, ok := rawArgs["id"]; ok {
-		return ec.unmarshalNID2string(ctx, tmp)
-	}
-
-	var zeroVal string
-	return zeroVal, nil
-}
-
-func (ec *executionContext) field_Mutation__authz_update_permission_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
-	var err error
-	args := map[string]any{}
-	arg0, err := ec.field_Mutation__authz_update_permission_argsParams(ctx, rawArgs)
-	if err != nil {
-		return nil, err
-	}
-	args["params"] = arg0
-	return args, nil
-}
-func (ec *executionContext) field_Mutation__authz_update_permission_argsParams(
-	ctx context.Context,
-	rawArgs map[string]any,
-) (model.UpdatePermissionInput, error) {
-	if _, ok := rawArgs["params"]; !ok {
-		var zeroVal model.UpdatePermissionInput
-		return zeroVal, nil
-	}
-
-	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
-	if tmp, ok := rawArgs["params"]; ok {
-		return ec.unmarshalNUpdatePermissionInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUpdatePermissionInput(ctx, tmp)
-	}
-
-	var zeroVal model.UpdatePermissionInput
-	return zeroVal, nil
-}
-
-func (ec *executionContext) field_Mutation__authz_update_policy_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
-	var err error
-	args := map[string]any{}
-	arg0, err := ec.field_Mutation__authz_update_policy_argsParams(ctx, rawArgs)
-	if err != nil {
-		return nil, err
-	}
-	args["params"] = arg0
-	return args, nil
-}
-func (ec *executionContext) field_Mutation__authz_update_policy_argsParams(
-	ctx context.Context,
-	rawArgs map[string]any,
-) (model.UpdatePolicyInput, error) {
-	if _, ok := rawArgs["params"]; !ok {
-		var zeroVal model.UpdatePolicyInput
-		return zeroVal, nil
-	}
-
-	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
-	if tmp, ok := rawArgs["params"]; ok {
-		return ec.unmarshalNUpdatePolicyInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUpdatePolicyInput(ctx, tmp)
-	}
-
-	var zeroVal model.UpdatePolicyInput
-	return zeroVal, nil
-}
-
-func (ec *executionContext) field_Mutation__authz_update_resource_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
-	var err error
-	args := map[string]any{}
-	arg0, err := ec.field_Mutation__authz_update_resource_argsParams(ctx, rawArgs)
-	if err != nil {
-		return nil, err
-	}
-	args["params"] = arg0
-	return args, nil
-}
-func (ec *executionContext) field_Mutation__authz_update_resource_argsParams(
-	ctx context.Context,
-	rawArgs map[string]any,
-) (model.UpdateResourceInput, error) {
-	if _, ok := rawArgs["params"]; !ok {
-		var zeroVal model.UpdateResourceInput
-		return zeroVal, nil
-	}
-
-	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
-	if tmp, ok := rawArgs["params"]; ok {
-		return ec.unmarshalNUpdateResourceInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUpdateResourceInput(ctx, tmp)
-	}
-
-	var zeroVal model.UpdateResourceInput
-	return zeroVal, nil
-}
-
-func (ec *executionContext) field_Mutation__authz_update_scope_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
-	var err error
-	args := map[string]any{}
-	arg0, err := ec.field_Mutation__authz_update_scope_argsParams(ctx, rawArgs)
-	if err != nil {
-		return nil, err
-	}
-	args["params"] = arg0
-	return args, nil
-}
-func (ec *executionContext) field_Mutation__authz_update_scope_argsParams(
-	ctx context.Context,
-	rawArgs map[string]any,
-) (model.UpdateScopeInput, error) {
-	if _, ok := rawArgs["params"]; !ok {
-		var zeroVal model.UpdateScopeInput
-		return zeroVal, nil
-	}
-
-	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
-	if tmp, ok := rawArgs["params"]; ok {
-		return ec.unmarshalNUpdateScopeInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUpdateScopeInput(ctx, tmp)
-	}
-
-	var zeroVal model.UpdateScopeInput
-	return zeroVal, nil
-}
-
-func (ec *executionContext) field_Mutation__delete_email_template_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
-	var err error
-	args := map[string]any{}
-	arg0, err := ec.field_Mutation__delete_email_template_argsParams(ctx, rawArgs)
-	if err != nil {
-		return nil, err
-	}
-	args["params"] = arg0
-	return args, nil
-}
-func (ec *executionContext) field_Mutation__delete_email_template_argsParams(
-	ctx context.Context,
-	rawArgs map[string]any,
-) (model.DeleteEmailTemplateRequest, error) {
-	if _, ok := rawArgs["params"]; !ok {
-		var zeroVal model.DeleteEmailTemplateRequest
-		return zeroVal, nil
-	}
-
-	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
-	if tmp, ok := rawArgs["params"]; ok {
-		return ec.unmarshalNDeleteEmailTemplateRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐDeleteEmailTemplateRequest(ctx, tmp)
-	}
-
-	var zeroVal model.DeleteEmailTemplateRequest
-	return zeroVal, nil
-}
-
-func (ec *executionContext) field_Mutation__delete_user_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
-	var err error
-	args := map[string]any{}
-	arg0, err := ec.field_Mutation__delete_user_argsParams(ctx, rawArgs)
-	if err != nil {
-		return nil, err
-	}
-	args["params"] = arg0
-	return args, nil
-}
-func (ec *executionContext) field_Mutation__delete_user_argsParams(
-	ctx context.Context,
-	rawArgs map[string]any,
-) (model.DeleteUserRequest, error) {
-	if _, ok := rawArgs["params"]; !ok {
-		var zeroVal model.DeleteUserRequest
-		return zeroVal, nil
-	}
-
-	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
-	if tmp, ok := rawArgs["params"]; ok {
-		return ec.unmarshalNDeleteUserRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐDeleteUserRequest(ctx, tmp)
-	}
-
-	var zeroVal model.DeleteUserRequest
-	return zeroVal, nil
-}
-
-func (ec *executionContext) field_Mutation__delete_webhook_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
-	var err error
-	args := map[string]any{}
-	arg0, err := ec.field_Mutation__delete_webhook_argsParams(ctx, rawArgs)
-	if err != nil {
-		return nil, err
-	}
-	args["params"] = arg0
-	return args, nil
-}
-func (ec *executionContext) field_Mutation__delete_webhook_argsParams(
-	ctx context.Context,
-	rawArgs map[string]any,
-) (model.WebhookRequest, error) {
-	if _, ok := rawArgs["params"]; !ok {
-		var zeroVal model.WebhookRequest
-		return zeroVal, nil
-	}
-
-	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
-	if tmp, ok := rawArgs["params"]; ok {
-		return ec.unmarshalNWebhookRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐWebhookRequest(ctx, tmp)
-	}
-
-	var zeroVal model.WebhookRequest
-	return zeroVal, nil
-}
-
-func (ec *executionContext) field_Mutation__enable_access_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
-	var err error
-	args := map[string]any{}
-	arg0, err := ec.field_Mutation__enable_access_argsParam(ctx, rawArgs)
-	if err != nil {
-		return nil, err
-	}
-	args["param"] = arg0
-	return args, nil
-}
-func (ec *executionContext) field_Mutation__enable_access_argsParam(
-	ctx context.Context,
-	rawArgs map[string]any,
-) (model.UpdateAccessRequest, error) {
-	if _, ok := rawArgs["param"]; !ok {
-		var zeroVal model.UpdateAccessRequest
-		return zeroVal, nil
-	}
-
-	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("param"))
-	if tmp, ok := rawArgs["param"]; ok {
-		return ec.unmarshalNUpdateAccessRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUpdateAccessRequest(ctx, tmp)
-	}
-
-	var zeroVal model.UpdateAccessRequest
-	return zeroVal, nil
-}
-
-func (ec *executionContext) field_Mutation__generate_jwt_keys_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
-	var err error
-	args := map[string]any{}
-	arg0, err := ec.field_Mutation__generate_jwt_keys_argsParams(ctx, rawArgs)
-	if err != nil {
-		return nil, err
-	}
-	args["params"] = arg0
-	return args, nil
-}
-func (ec *executionContext) field_Mutation__generate_jwt_keys_argsParams(
-	ctx context.Context,
-	rawArgs map[string]any,
-) (model.GenerateJWTKeysRequest, error) {
-	if _, ok := rawArgs["params"]; !ok {
-		var zeroVal model.GenerateJWTKeysRequest
-		return zeroVal, nil
-	}
-
-	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
-	if tmp, ok := rawArgs["params"]; ok {
-		return ec.unmarshalNGenerateJWTKeysRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐGenerateJWTKeysRequest(ctx, tmp)
+	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
+	if tmp, ok := rawArgs["params"]; ok {
+		return ec.unmarshalNGenerateJWTKeysRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐGenerateJWTKeysRequest(ctx, tmp)
 	}
 
 	var zeroVal model.GenerateJWTKeysRequest
@@ -5173,17 +4492,17 @@ func (ec *executionContext) field_Query__audit_logs_argsParams(
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field_Query__authz_permissions_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Query__email_templates_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field_Query__authz_permissions_argsParams(ctx, rawArgs)
+	arg0, err := ec.field_Query__email_templates_argsParams(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
 	args["params"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field_Query__authz_permissions_argsParams(
+func (ec *executionContext) field_Query__email_templates_argsParams(
 	ctx context.Context,
 	rawArgs map[string]any,
 ) (*model.PaginatedRequest, error) {
@@ -5201,73 +4520,73 @@ func (ec *executionContext) field_Query__authz_permissions_argsParams(
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field_Query__authz_policies_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Query__fga_read_tuples_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field_Query__authz_policies_argsParams(ctx, rawArgs)
+	arg0, err := ec.field_Query__fga_read_tuples_argsParams(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
 	args["params"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field_Query__authz_policies_argsParams(
+func (ec *executionContext) field_Query__fga_read_tuples_argsParams(
 	ctx context.Context,
 	rawArgs map[string]any,
-) (*model.PaginatedRequest, error) {
+) (model.FgaReadTuplesInput, error) {
 	if _, ok := rawArgs["params"]; !ok {
-		var zeroVal *model.PaginatedRequest
+		var zeroVal model.FgaReadTuplesInput
 		return zeroVal, nil
 	}
 
 	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
 	if tmp, ok := rawArgs["params"]; ok {
-		return ec.unmarshalOPaginatedRequest2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPaginatedRequest(ctx, tmp)
+		return ec.unmarshalNFgaReadTuplesInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaReadTuplesInput(ctx, tmp)
 	}
 
-	var zeroVal *model.PaginatedRequest
+	var zeroVal model.FgaReadTuplesInput
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field_Query__authz_resources_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Query__user_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field_Query__authz_resources_argsParams(ctx, rawArgs)
+	arg0, err := ec.field_Query__user_argsParams(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
 	args["params"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field_Query__authz_resources_argsParams(
+func (ec *executionContext) field_Query__user_argsParams(
 	ctx context.Context,
 	rawArgs map[string]any,
-) (*model.PaginatedRequest, error) {
+) (model.GetUserRequest, error) {
 	if _, ok := rawArgs["params"]; !ok {
-		var zeroVal *model.PaginatedRequest
+		var zeroVal model.GetUserRequest
 		return zeroVal, nil
 	}
 
 	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
 	if tmp, ok := rawArgs["params"]; ok {
-		return ec.unmarshalOPaginatedRequest2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPaginatedRequest(ctx, tmp)
+		return ec.unmarshalNGetUserRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐGetUserRequest(ctx, tmp)
 	}
 
-	var zeroVal *model.PaginatedRequest
+	var zeroVal model.GetUserRequest
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field_Query__authz_scopes_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Query__users_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field_Query__authz_scopes_argsParams(ctx, rawArgs)
+	arg0, err := ec.field_Query__users_argsParams(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
 	args["params"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field_Query__authz_scopes_argsParams(
+func (ec *executionContext) field_Query__users_argsParams(
 	ctx context.Context,
 	rawArgs map[string]any,
 ) (*model.PaginatedRequest, error) {
@@ -5285,17 +4604,17 @@ func (ec *executionContext) field_Query__authz_scopes_argsParams(
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field_Query__email_templates_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Query__verification_requests_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field_Query__email_templates_argsParams(ctx, rawArgs)
+	arg0, err := ec.field_Query__verification_requests_argsParams(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
 	args["params"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field_Query__email_templates_argsParams(
+func (ec *executionContext) field_Query__verification_requests_argsParams(
 	ctx context.Context,
 	rawArgs map[string]any,
 ) (*model.PaginatedRequest, error) {
@@ -5313,73 +4632,73 @@ func (ec *executionContext) field_Query__email_templates_argsParams(
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field_Query__user_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Query__webhook_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field_Query__user_argsParams(ctx, rawArgs)
+	arg0, err := ec.field_Query__webhook_argsParams(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
 	args["params"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field_Query__user_argsParams(
+func (ec *executionContext) field_Query__webhook_argsParams(
 	ctx context.Context,
 	rawArgs map[string]any,
-) (model.GetUserRequest, error) {
+) (model.WebhookRequest, error) {
 	if _, ok := rawArgs["params"]; !ok {
-		var zeroVal model.GetUserRequest
+		var zeroVal model.WebhookRequest
 		return zeroVal, nil
 	}
 
 	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
 	if tmp, ok := rawArgs["params"]; ok {
-		return ec.unmarshalNGetUserRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐGetUserRequest(ctx, tmp)
+		return ec.unmarshalNWebhookRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐWebhookRequest(ctx, tmp)
 	}
 
-	var zeroVal model.GetUserRequest
+	var zeroVal model.WebhookRequest
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field_Query__users_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Query__webhook_logs_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field_Query__users_argsParams(ctx, rawArgs)
+	arg0, err := ec.field_Query__webhook_logs_argsParams(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
 	args["params"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field_Query__users_argsParams(
+func (ec *executionContext) field_Query__webhook_logs_argsParams(
 	ctx context.Context,
 	rawArgs map[string]any,
-) (*model.PaginatedRequest, error) {
+) (*model.ListWebhookLogRequest, error) {
 	if _, ok := rawArgs["params"]; !ok {
-		var zeroVal *model.PaginatedRequest
+		var zeroVal *model.ListWebhookLogRequest
 		return zeroVal, nil
 	}
 
 	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
 	if tmp, ok := rawArgs["params"]; ok {
-		return ec.unmarshalOPaginatedRequest2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPaginatedRequest(ctx, tmp)
+		return ec.unmarshalOListWebhookLogRequest2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐListWebhookLogRequest(ctx, tmp)
 	}
 
-	var zeroVal *model.PaginatedRequest
+	var zeroVal *model.ListWebhookLogRequest
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field_Query__verification_requests_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Query__webhooks_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field_Query__verification_requests_argsParams(ctx, rawArgs)
+	arg0, err := ec.field_Query__webhooks_argsParams(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
 	args["params"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field_Query__verification_requests_argsParams(
+func (ec *executionContext) field_Query__webhooks_argsParams(
 	ctx context.Context,
 	rawArgs map[string]any,
 ) (*model.PaginatedRequest, error) {
@@ -5397,87 +4716,87 @@ func (ec *executionContext) field_Query__verification_requests_argsParams(
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field_Query__webhook_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Query_fga_batch_check_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field_Query__webhook_argsParams(ctx, rawArgs)
+	arg0, err := ec.field_Query_fga_batch_check_argsParams(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
 	args["params"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field_Query__webhook_argsParams(
+func (ec *executionContext) field_Query_fga_batch_check_argsParams(
 	ctx context.Context,
 	rawArgs map[string]any,
-) (model.WebhookRequest, error) {
+) (model.FgaBatchCheckInput, error) {
 	if _, ok := rawArgs["params"]; !ok {
-		var zeroVal model.WebhookRequest
+		var zeroVal model.FgaBatchCheckInput
 		return zeroVal, nil
 	}
 
 	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
 	if tmp, ok := rawArgs["params"]; ok {
-		return ec.unmarshalNWebhookRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐWebhookRequest(ctx, tmp)
+		return ec.unmarshalNFgaBatchCheckInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaBatchCheckInput(ctx, tmp)
 	}
 
-	var zeroVal model.WebhookRequest
+	var zeroVal model.FgaBatchCheckInput
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field_Query__webhook_logs_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Query_fga_check_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field_Query__webhook_logs_argsParams(ctx, rawArgs)
+	arg0, err := ec.field_Query_fga_check_argsParams(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
 	args["params"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field_Query__webhook_logs_argsParams(
+func (ec *executionContext) field_Query_fga_check_argsParams(
 	ctx context.Context,
 	rawArgs map[string]any,
-) (*model.ListWebhookLogRequest, error) {
+) (model.FgaCheckInput, error) {
 	if _, ok := rawArgs["params"]; !ok {
-		var zeroVal *model.ListWebhookLogRequest
+		var zeroVal model.FgaCheckInput
 		return zeroVal, nil
 	}
 
 	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
 	if tmp, ok := rawArgs["params"]; ok {
-		return ec.unmarshalOListWebhookLogRequest2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐListWebhookLogRequest(ctx, tmp)
+		return ec.unmarshalNFgaCheckInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaCheckInput(ctx, tmp)
 	}
 
-	var zeroVal *model.ListWebhookLogRequest
+	var zeroVal model.FgaCheckInput
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field_Query__webhooks_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Query_fga_list_objects_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field_Query__webhooks_argsParams(ctx, rawArgs)
+	arg0, err := ec.field_Query_fga_list_objects_argsParams(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
 	args["params"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field_Query__webhooks_argsParams(
+func (ec *executionContext) field_Query_fga_list_objects_argsParams(
 	ctx context.Context,
 	rawArgs map[string]any,
-) (*model.PaginatedRequest, error) {
+) (model.FgaListObjectsInput, error) {
 	if _, ok := rawArgs["params"]; !ok {
-		var zeroVal *model.PaginatedRequest
+		var zeroVal model.FgaListObjectsInput
 		return zeroVal, nil
 	}
 
 	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
 	if tmp, ok := rawArgs["params"]; ok {
-		return ec.unmarshalOPaginatedRequest2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPaginatedRequest(ctx, tmp)
+		return ec.unmarshalNFgaListObjectsInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaListObjectsInput(ctx, tmp)
 	}
 
-	var zeroVal *model.PaginatedRequest
+	var zeroVal model.FgaListObjectsInput
 	return zeroVal, nil
 }
 
@@ -6798,8 +6117,8 @@ func (ec *executionContext) fieldContext_AuthResponse_authenticator_recovery_cod
 	return fc, nil
 }
 
-func (ec *executionContext) _AuthzPermission_id(ctx context.Context, field graphql.CollectedField, obj *model.AuthzPermission) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuthzPermission_id(ctx, field)
+func (ec *executionContext) _EmailTemplate_id(ctx context.Context, field graphql.CollectedField, obj *model.EmailTemplate) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_EmailTemplate_id(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -6829,9 +6148,9 @@ func (ec *executionContext) _AuthzPermission_id(ctx context.Context, field graph
 	return ec.marshalNID2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_AuthzPermission_id(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_EmailTemplate_id(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "AuthzPermission",
+		Object:     "EmailTemplate",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -6842,8 +6161,8 @@ func (ec *executionContext) fieldContext_AuthzPermission_id(_ context.Context, f
 	return fc, nil
 }
 
-func (ec *executionContext) _AuthzPermission_name(ctx context.Context, field graphql.CollectedField, obj *model.AuthzPermission) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuthzPermission_name(ctx, field)
+func (ec *executionContext) _EmailTemplate_event_name(ctx context.Context, field graphql.CollectedField, obj *model.EmailTemplate) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_EmailTemplate_event_name(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -6856,7 +6175,7 @@ func (ec *executionContext) _AuthzPermission_name(ctx context.Context, field gra
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Name, nil
+		return obj.EventName, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -6873,9 +6192,9 @@ func (ec *executionContext) _AuthzPermission_name(ctx context.Context, field gra
 	return ec.marshalNString2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_AuthzPermission_name(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_EmailTemplate_event_name(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "AuthzPermission",
+		Object:     "EmailTemplate",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -6886,8 +6205,8 @@ func (ec *executionContext) fieldContext_AuthzPermission_name(_ context.Context,
 	return fc, nil
 }
 
-func (ec *executionContext) _AuthzPermission_description(ctx context.Context, field graphql.CollectedField, obj *model.AuthzPermission) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuthzPermission_description(ctx, field)
+func (ec *executionContext) _EmailTemplate_template(ctx context.Context, field graphql.CollectedField, obj *model.EmailTemplate) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_EmailTemplate_template(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -6900,23 +6219,26 @@ func (ec *executionContext) _AuthzPermission_description(ctx context.Context, fi
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Description, nil
+		return obj.Template, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNString2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_AuthzPermission_description(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_EmailTemplate_template(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "AuthzPermission",
+		Object:     "EmailTemplate",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -6927,8 +6249,8 @@ func (ec *executionContext) fieldContext_AuthzPermission_description(_ context.C
 	return fc, nil
 }
 
-func (ec *executionContext) _AuthzPermission_resource(ctx context.Context, field graphql.CollectedField, obj *model.AuthzPermission) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuthzPermission_resource(ctx, field)
+func (ec *executionContext) _EmailTemplate_design(ctx context.Context, field graphql.CollectedField, obj *model.EmailTemplate) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_EmailTemplate_design(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -6941,7 +6263,7 @@ func (ec *executionContext) _AuthzPermission_resource(ctx context.Context, field
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Resource, nil
+		return obj.Design, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -6953,38 +6275,26 @@ func (ec *executionContext) _AuthzPermission_resource(ctx context.Context, field
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.AuthzResource)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalNAuthzResource2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzResource(ctx, field.Selections, res)
+	return ec.marshalNString2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_AuthzPermission_resource(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_EmailTemplate_design(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "AuthzPermission",
+		Object:     "EmailTemplate",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "id":
-				return ec.fieldContext_AuthzResource_id(ctx, field)
-			case "name":
-				return ec.fieldContext_AuthzResource_name(ctx, field)
-			case "description":
-				return ec.fieldContext_AuthzResource_description(ctx, field)
-			case "created_at":
-				return ec.fieldContext_AuthzResource_created_at(ctx, field)
-			case "updated_at":
-				return ec.fieldContext_AuthzResource_updated_at(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type AuthzResource", field.Name)
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _AuthzPermission_scopes(ctx context.Context, field graphql.CollectedField, obj *model.AuthzPermission) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuthzPermission_scopes(ctx, field)
+func (ec *executionContext) _EmailTemplate_subject(ctx context.Context, field graphql.CollectedField, obj *model.EmailTemplate) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_EmailTemplate_subject(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -6997,7 +6307,7 @@ func (ec *executionContext) _AuthzPermission_scopes(ctx context.Context, field g
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Scopes, nil
+		return obj.Subject, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -7009,38 +6319,26 @@ func (ec *executionContext) _AuthzPermission_scopes(ctx context.Context, field g
 		}
 		return graphql.Null
 	}
-	res := resTmp.([]*model.AuthzScope)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalNAuthzScope2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzScopeᚄ(ctx, field.Selections, res)
+	return ec.marshalNString2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_AuthzPermission_scopes(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_EmailTemplate_subject(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "AuthzPermission",
+		Object:     "EmailTemplate",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "id":
-				return ec.fieldContext_AuthzScope_id(ctx, field)
-			case "name":
-				return ec.fieldContext_AuthzScope_name(ctx, field)
-			case "description":
-				return ec.fieldContext_AuthzScope_description(ctx, field)
-			case "created_at":
-				return ec.fieldContext_AuthzScope_created_at(ctx, field)
-			case "updated_at":
-				return ec.fieldContext_AuthzScope_updated_at(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type AuthzScope", field.Name)
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _AuthzPermission_policies(ctx context.Context, field graphql.CollectedField, obj *model.AuthzPermission) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuthzPermission_policies(ctx, field)
+func (ec *executionContext) _EmailTemplate_created_at(ctx context.Context, field graphql.CollectedField, obj *model.EmailTemplate) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_EmailTemplate_created_at(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -7053,58 +6351,35 @@ func (ec *executionContext) _AuthzPermission_policies(ctx context.Context, field
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Policies, nil
+		return obj.CreatedAt, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.([]*model.AuthzPolicy)
+	res := resTmp.(*int64)
 	fc.Result = res
-	return ec.marshalNAuthzPolicy2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzPolicyᚄ(ctx, field.Selections, res)
+	return ec.marshalOInt642ᚖint64(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_AuthzPermission_policies(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_EmailTemplate_created_at(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "AuthzPermission",
+		Object:     "EmailTemplate",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "id":
-				return ec.fieldContext_AuthzPolicy_id(ctx, field)
-			case "name":
-				return ec.fieldContext_AuthzPolicy_name(ctx, field)
-			case "description":
-				return ec.fieldContext_AuthzPolicy_description(ctx, field)
-			case "type":
-				return ec.fieldContext_AuthzPolicy_type(ctx, field)
-			case "logic":
-				return ec.fieldContext_AuthzPolicy_logic(ctx, field)
-			case "decision_strategy":
-				return ec.fieldContext_AuthzPolicy_decision_strategy(ctx, field)
-			case "targets":
-				return ec.fieldContext_AuthzPolicy_targets(ctx, field)
-			case "created_at":
-				return ec.fieldContext_AuthzPolicy_created_at(ctx, field)
-			case "updated_at":
-				return ec.fieldContext_AuthzPolicy_updated_at(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type AuthzPolicy", field.Name)
+			return nil, errors.New("field of type Int64 does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _AuthzPermission_decision_strategy(ctx context.Context, field graphql.CollectedField, obj *model.AuthzPermission) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuthzPermission_decision_strategy(ctx, field)
+func (ec *executionContext) _EmailTemplate_updated_at(ctx context.Context, field graphql.CollectedField, obj *model.EmailTemplate) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_EmailTemplate_updated_at(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -7117,38 +6392,35 @@ func (ec *executionContext) _AuthzPermission_decision_strategy(ctx context.Conte
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.DecisionStrategy, nil
+		return obj.UpdatedAt, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(string)
+	res := resTmp.(*int64)
 	fc.Result = res
-	return ec.marshalNString2string(ctx, field.Selections, res)
+	return ec.marshalOInt642ᚖint64(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_AuthzPermission_decision_strategy(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_EmailTemplate_updated_at(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "AuthzPermission",
+		Object:     "EmailTemplate",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			return nil, errors.New("field of type Int64 does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _AuthzPermission_created_at(ctx context.Context, field graphql.CollectedField, obj *model.AuthzPermission) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuthzPermission_created_at(ctx, field)
+func (ec *executionContext) _EmailTemplates_pagination(ctx context.Context, field graphql.CollectedField, obj *model.EmailTemplates) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_EmailTemplates_pagination(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -7161,7 +6433,7 @@ func (ec *executionContext) _AuthzPermission_created_at(ctx context.Context, fie
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.CreatedAt, nil
+		return obj.Pagination, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -7173,26 +6445,36 @@ func (ec *executionContext) _AuthzPermission_created_at(ctx context.Context, fie
 		}
 		return graphql.Null
 	}
-	res := resTmp.(int64)
+	res := resTmp.(*model.Pagination)
 	fc.Result = res
-	return ec.marshalNInt642int64(ctx, field.Selections, res)
+	return ec.marshalNPagination2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPagination(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_AuthzPermission_created_at(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_EmailTemplates_pagination(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "AuthzPermission",
+		Object:     "EmailTemplates",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Int64 does not have child fields")
+			switch field.Name {
+			case "limit":
+				return ec.fieldContext_Pagination_limit(ctx, field)
+			case "page":
+				return ec.fieldContext_Pagination_page(ctx, field)
+			case "offset":
+				return ec.fieldContext_Pagination_offset(ctx, field)
+			case "total":
+				return ec.fieldContext_Pagination_total(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type Pagination", field.Name)
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _AuthzPermission_updated_at(ctx context.Context, field graphql.CollectedField, obj *model.AuthzPermission) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuthzPermission_updated_at(ctx, field)
+func (ec *executionContext) _EmailTemplates_email_templates(ctx context.Context, field graphql.CollectedField, obj *model.EmailTemplates) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_EmailTemplates_email_templates(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -7205,7 +6487,7 @@ func (ec *executionContext) _AuthzPermission_updated_at(ctx context.Context, fie
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.UpdatedAt, nil
+		return obj.EmailTemplates, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -7217,26 +6499,42 @@ func (ec *executionContext) _AuthzPermission_updated_at(ctx context.Context, fie
 		}
 		return graphql.Null
 	}
-	res := resTmp.(int64)
+	res := resTmp.([]*model.EmailTemplate)
 	fc.Result = res
-	return ec.marshalNInt642int64(ctx, field.Selections, res)
+	return ec.marshalNEmailTemplate2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐEmailTemplateᚄ(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_AuthzPermission_updated_at(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_EmailTemplates_email_templates(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "AuthzPermission",
+		Object:     "EmailTemplates",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Int64 does not have child fields")
+			switch field.Name {
+			case "id":
+				return ec.fieldContext_EmailTemplate_id(ctx, field)
+			case "event_name":
+				return ec.fieldContext_EmailTemplate_event_name(ctx, field)
+			case "template":
+				return ec.fieldContext_EmailTemplate_template(ctx, field)
+			case "design":
+				return ec.fieldContext_EmailTemplate_design(ctx, field)
+			case "subject":
+				return ec.fieldContext_EmailTemplate_subject(ctx, field)
+			case "created_at":
+				return ec.fieldContext_EmailTemplate_created_at(ctx, field)
+			case "updated_at":
+				return ec.fieldContext_EmailTemplate_updated_at(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type EmailTemplate", field.Name)
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _AuthzPermissions_pagination(ctx context.Context, field graphql.CollectedField, obj *model.AuthzPermissions) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuthzPermissions_pagination(ctx, field)
+func (ec *executionContext) _Env_ACCESS_TOKEN_EXPIRY_TIME(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_ACCESS_TOKEN_EXPIRY_TIME(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -7249,48 +6547,35 @@ func (ec *executionContext) _AuthzPermissions_pagination(ctx context.Context, fi
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Pagination, nil
+		return obj.AccessTokenExpiryTime, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Pagination)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNPagination2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPagination(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_AuthzPermissions_pagination(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_ACCESS_TOKEN_EXPIRY_TIME(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "AuthzPermissions",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "limit":
-				return ec.fieldContext_Pagination_limit(ctx, field)
-			case "page":
-				return ec.fieldContext_Pagination_page(ctx, field)
-			case "offset":
-				return ec.fieldContext_Pagination_offset(ctx, field)
-			case "total":
-				return ec.fieldContext_Pagination_total(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type Pagination", field.Name)
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _AuthzPermissions_permissions(ctx context.Context, field graphql.CollectedField, obj *model.AuthzPermissions) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuthzPermissions_permissions(ctx, field)
+func (ec *executionContext) _Env_ADMIN_SECRET(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_ADMIN_SECRET(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -7303,58 +6588,35 @@ func (ec *executionContext) _AuthzPermissions_permissions(ctx context.Context, f
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Permissions, nil
+		return obj.AdminSecret, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.([]*model.AuthzPermission)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNAuthzPermission2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzPermissionᚄ(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_AuthzPermissions_permissions(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_ADMIN_SECRET(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "AuthzPermissions",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "id":
-				return ec.fieldContext_AuthzPermission_id(ctx, field)
-			case "name":
-				return ec.fieldContext_AuthzPermission_name(ctx, field)
-			case "description":
-				return ec.fieldContext_AuthzPermission_description(ctx, field)
-			case "resource":
-				return ec.fieldContext_AuthzPermission_resource(ctx, field)
-			case "scopes":
-				return ec.fieldContext_AuthzPermission_scopes(ctx, field)
-			case "policies":
-				return ec.fieldContext_AuthzPermission_policies(ctx, field)
-			case "decision_strategy":
-				return ec.fieldContext_AuthzPermission_decision_strategy(ctx, field)
-			case "created_at":
-				return ec.fieldContext_AuthzPermission_created_at(ctx, field)
-			case "updated_at":
-				return ec.fieldContext_AuthzPermission_updated_at(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type AuthzPermission", field.Name)
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _AuthzPolicies_pagination(ctx context.Context, field graphql.CollectedField, obj *model.AuthzPolicies) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuthzPolicies_pagination(ctx, field)
+func (ec *executionContext) _Env_DATABASE_NAME(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_DATABASE_NAME(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -7367,48 +6629,35 @@ func (ec *executionContext) _AuthzPolicies_pagination(ctx context.Context, field
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Pagination, nil
+		return obj.DatabaseName, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Pagination)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNPagination2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPagination(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_AuthzPolicies_pagination(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_DATABASE_NAME(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "AuthzPolicies",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "limit":
-				return ec.fieldContext_Pagination_limit(ctx, field)
-			case "page":
-				return ec.fieldContext_Pagination_page(ctx, field)
-			case "offset":
-				return ec.fieldContext_Pagination_offset(ctx, field)
-			case "total":
-				return ec.fieldContext_Pagination_total(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type Pagination", field.Name)
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _AuthzPolicies_policies(ctx context.Context, field graphql.CollectedField, obj *model.AuthzPolicies) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuthzPolicies_policies(ctx, field)
+func (ec *executionContext) _Env_DATABASE_URL(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_DATABASE_URL(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -7421,58 +6670,35 @@ func (ec *executionContext) _AuthzPolicies_policies(ctx context.Context, field g
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Policies, nil
+		return obj.DatabaseURL, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.([]*model.AuthzPolicy)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNAuthzPolicy2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzPolicyᚄ(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_AuthzPolicies_policies(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_DATABASE_URL(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "AuthzPolicies",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "id":
-				return ec.fieldContext_AuthzPolicy_id(ctx, field)
-			case "name":
-				return ec.fieldContext_AuthzPolicy_name(ctx, field)
-			case "description":
-				return ec.fieldContext_AuthzPolicy_description(ctx, field)
-			case "type":
-				return ec.fieldContext_AuthzPolicy_type(ctx, field)
-			case "logic":
-				return ec.fieldContext_AuthzPolicy_logic(ctx, field)
-			case "decision_strategy":
-				return ec.fieldContext_AuthzPolicy_decision_strategy(ctx, field)
-			case "targets":
-				return ec.fieldContext_AuthzPolicy_targets(ctx, field)
-			case "created_at":
-				return ec.fieldContext_AuthzPolicy_created_at(ctx, field)
-			case "updated_at":
-				return ec.fieldContext_AuthzPolicy_updated_at(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type AuthzPolicy", field.Name)
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _AuthzPolicy_id(ctx context.Context, field graphql.CollectedField, obj *model.AuthzPolicy) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuthzPolicy_id(ctx, field)
+func (ec *executionContext) _Env_DATABASE_TYPE(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_DATABASE_TYPE(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -7485,38 +6711,35 @@ func (ec *executionContext) _AuthzPolicy_id(ctx context.Context, field graphql.C
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.ID, nil
+		return obj.DatabaseType, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(string)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNID2string(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_AuthzPolicy_id(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_DATABASE_TYPE(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "AuthzPolicy",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type ID does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _AuthzPolicy_name(ctx context.Context, field graphql.CollectedField, obj *model.AuthzPolicy) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuthzPolicy_name(ctx, field)
+func (ec *executionContext) _Env_DATABASE_USERNAME(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_DATABASE_USERNAME(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -7529,26 +6752,23 @@ func (ec *executionContext) _AuthzPolicy_name(ctx context.Context, field graphql
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Name, nil
+		return obj.DatabaseUsername, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(string)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNString2string(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_AuthzPolicy_name(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_DATABASE_USERNAME(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "AuthzPolicy",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -7559,8 +6779,8 @@ func (ec *executionContext) fieldContext_AuthzPolicy_name(_ context.Context, fie
 	return fc, nil
 }
 
-func (ec *executionContext) _AuthzPolicy_description(ctx context.Context, field graphql.CollectedField, obj *model.AuthzPolicy) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuthzPolicy_description(ctx, field)
+func (ec *executionContext) _Env_DATABASE_PASSWORD(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_DATABASE_PASSWORD(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -7573,7 +6793,7 @@ func (ec *executionContext) _AuthzPolicy_description(ctx context.Context, field
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Description, nil
+		return obj.DatabasePassword, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -7587,9 +6807,9 @@ func (ec *executionContext) _AuthzPolicy_description(ctx context.Context, field
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_AuthzPolicy_description(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_DATABASE_PASSWORD(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "AuthzPolicy",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -7600,8 +6820,8 @@ func (ec *executionContext) fieldContext_AuthzPolicy_description(_ context.Conte
 	return fc, nil
 }
 
-func (ec *executionContext) _AuthzPolicy_type(ctx context.Context, field graphql.CollectedField, obj *model.AuthzPolicy) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuthzPolicy_type(ctx, field)
+func (ec *executionContext) _Env_DATABASE_HOST(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_DATABASE_HOST(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -7614,26 +6834,23 @@ func (ec *executionContext) _AuthzPolicy_type(ctx context.Context, field graphql
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Type, nil
+		return obj.DatabaseHost, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(string)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNString2string(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_AuthzPolicy_type(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_DATABASE_HOST(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "AuthzPolicy",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -7644,8 +6861,8 @@ func (ec *executionContext) fieldContext_AuthzPolicy_type(_ context.Context, fie
 	return fc, nil
 }
 
-func (ec *executionContext) _AuthzPolicy_logic(ctx context.Context, field graphql.CollectedField, obj *model.AuthzPolicy) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuthzPolicy_logic(ctx, field)
+func (ec *executionContext) _Env_DATABASE_PORT(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_DATABASE_PORT(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -7658,26 +6875,23 @@ func (ec *executionContext) _AuthzPolicy_logic(ctx context.Context, field graphq
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Logic, nil
+		return obj.DatabasePort, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(string)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNString2string(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_AuthzPolicy_logic(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_DATABASE_PORT(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "AuthzPolicy",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -7688,8 +6902,8 @@ func (ec *executionContext) fieldContext_AuthzPolicy_logic(_ context.Context, fi
 	return fc, nil
 }
 
-func (ec *executionContext) _AuthzPolicy_decision_strategy(ctx context.Context, field graphql.CollectedField, obj *model.AuthzPolicy) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuthzPolicy_decision_strategy(ctx, field)
+func (ec *executionContext) _Env_CLIENT_ID(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_CLIENT_ID(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -7702,7 +6916,7 @@ func (ec *executionContext) _AuthzPolicy_decision_strategy(ctx context.Context,
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.DecisionStrategy, nil
+		return obj.ClientID, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -7719,9 +6933,9 @@ func (ec *executionContext) _AuthzPolicy_decision_strategy(ctx context.Context,
 	return ec.marshalNString2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_AuthzPolicy_decision_strategy(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_CLIENT_ID(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "AuthzPolicy",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -7732,8 +6946,8 @@ func (ec *executionContext) fieldContext_AuthzPolicy_decision_strategy(_ context
 	return fc, nil
 }
 
-func (ec *executionContext) _AuthzPolicy_targets(ctx context.Context, field graphql.CollectedField, obj *model.AuthzPolicy) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuthzPolicy_targets(ctx, field)
+func (ec *executionContext) _Env_CLIENT_SECRET(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_CLIENT_SECRET(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -7746,7 +6960,7 @@ func (ec *executionContext) _AuthzPolicy_targets(ctx context.Context, field grap
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Targets, nil
+		return obj.ClientSecret, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -7758,34 +6972,26 @@ func (ec *executionContext) _AuthzPolicy_targets(ctx context.Context, field grap
 		}
 		return graphql.Null
 	}
-	res := resTmp.([]*model.AuthzPolicyTarget)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalNAuthzPolicyTarget2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzPolicyTargetᚄ(ctx, field.Selections, res)
+	return ec.marshalNString2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_AuthzPolicy_targets(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_CLIENT_SECRET(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "AuthzPolicy",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "id":
-				return ec.fieldContext_AuthzPolicyTarget_id(ctx, field)
-			case "target_type":
-				return ec.fieldContext_AuthzPolicyTarget_target_type(ctx, field)
-			case "target_value":
-				return ec.fieldContext_AuthzPolicyTarget_target_value(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type AuthzPolicyTarget", field.Name)
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _AuthzPolicy_created_at(ctx context.Context, field graphql.CollectedField, obj *model.AuthzPolicy) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuthzPolicy_created_at(ctx, field)
+func (ec *executionContext) _Env_CUSTOM_ACCESS_TOKEN_SCRIPT(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_CUSTOM_ACCESS_TOKEN_SCRIPT(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -7798,38 +7004,35 @@ func (ec *executionContext) _AuthzPolicy_created_at(ctx context.Context, field g
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.CreatedAt, nil
+		return obj.CustomAccessTokenScript, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(int64)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNInt642int64(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_AuthzPolicy_created_at(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_CUSTOM_ACCESS_TOKEN_SCRIPT(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "AuthzPolicy",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Int64 does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _AuthzPolicy_updated_at(ctx context.Context, field graphql.CollectedField, obj *model.AuthzPolicy) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuthzPolicy_updated_at(ctx, field)
+func (ec *executionContext) _Env_SMTP_HOST(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_SMTP_HOST(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -7842,38 +7045,35 @@ func (ec *executionContext) _AuthzPolicy_updated_at(ctx context.Context, field g
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.UpdatedAt, nil
+		return obj.SMTPHost, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(int64)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNInt642int64(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_AuthzPolicy_updated_at(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_SMTP_HOST(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "AuthzPolicy",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Int64 does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _AuthzPolicyTarget_id(ctx context.Context, field graphql.CollectedField, obj *model.AuthzPolicyTarget) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuthzPolicyTarget_id(ctx, field)
+func (ec *executionContext) _Env_SMTP_PORT(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_SMTP_PORT(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -7886,38 +7086,35 @@ func (ec *executionContext) _AuthzPolicyTarget_id(ctx context.Context, field gra
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.ID, nil
+		return obj.SMTPPort, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(string)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNID2string(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_AuthzPolicyTarget_id(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_SMTP_PORT(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "AuthzPolicyTarget",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type ID does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _AuthzPolicyTarget_target_type(ctx context.Context, field graphql.CollectedField, obj *model.AuthzPolicyTarget) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuthzPolicyTarget_target_type(ctx, field)
+func (ec *executionContext) _Env_SMTP_USERNAME(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_SMTP_USERNAME(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -7930,26 +7127,23 @@ func (ec *executionContext) _AuthzPolicyTarget_target_type(ctx context.Context,
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.TargetType, nil
+		return obj.SMTPUsername, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(string)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNString2string(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_AuthzPolicyTarget_target_type(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_SMTP_USERNAME(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "AuthzPolicyTarget",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -7960,8 +7154,8 @@ func (ec *executionContext) fieldContext_AuthzPolicyTarget_target_type(_ context
 	return fc, nil
 }
 
-func (ec *executionContext) _AuthzPolicyTarget_target_value(ctx context.Context, field graphql.CollectedField, obj *model.AuthzPolicyTarget) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuthzPolicyTarget_target_value(ctx, field)
+func (ec *executionContext) _Env_SMTP_PASSWORD(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_SMTP_PASSWORD(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -7974,26 +7168,23 @@ func (ec *executionContext) _AuthzPolicyTarget_target_value(ctx context.Context,
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.TargetValue, nil
+		return obj.SMTPPassword, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(string)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNString2string(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_AuthzPolicyTarget_target_value(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_SMTP_PASSWORD(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "AuthzPolicyTarget",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -8004,8 +7195,8 @@ func (ec *executionContext) fieldContext_AuthzPolicyTarget_target_value(_ contex
 	return fc, nil
 }
 
-func (ec *executionContext) _AuthzResource_id(ctx context.Context, field graphql.CollectedField, obj *model.AuthzResource) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuthzResource_id(ctx, field)
+func (ec *executionContext) _Env_SMTP_LOCAL_NAME(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_SMTP_LOCAL_NAME(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -8018,38 +7209,35 @@ func (ec *executionContext) _AuthzResource_id(ctx context.Context, field graphql
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.ID, nil
+		return obj.SMTPLocalName, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(string)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNID2string(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_AuthzResource_id(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_SMTP_LOCAL_NAME(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "AuthzResource",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type ID does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _AuthzResource_name(ctx context.Context, field graphql.CollectedField, obj *model.AuthzResource) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuthzResource_name(ctx, field)
+func (ec *executionContext) _Env_SENDER_EMAIL(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_SENDER_EMAIL(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -8062,26 +7250,23 @@ func (ec *executionContext) _AuthzResource_name(ctx context.Context, field graph
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Name, nil
+		return obj.SenderEmail, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(string)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNString2string(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_AuthzResource_name(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_SENDER_EMAIL(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "AuthzResource",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -8092,8 +7277,8 @@ func (ec *executionContext) fieldContext_AuthzResource_name(_ context.Context, f
 	return fc, nil
 }
 
-func (ec *executionContext) _AuthzResource_description(ctx context.Context, field graphql.CollectedField, obj *model.AuthzResource) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuthzResource_description(ctx, field)
+func (ec *executionContext) _Env_SENDER_NAME(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_SENDER_NAME(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -8106,7 +7291,7 @@ func (ec *executionContext) _AuthzResource_description(ctx context.Context, fiel
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Description, nil
+		return obj.SenderName, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -8120,9 +7305,9 @@ func (ec *executionContext) _AuthzResource_description(ctx context.Context, fiel
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_AuthzResource_description(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_SENDER_NAME(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "AuthzResource",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -8133,8 +7318,8 @@ func (ec *executionContext) fieldContext_AuthzResource_description(_ context.Con
 	return fc, nil
 }
 
-func (ec *executionContext) _AuthzResource_created_at(ctx context.Context, field graphql.CollectedField, obj *model.AuthzResource) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuthzResource_created_at(ctx, field)
+func (ec *executionContext) _Env_JWT_TYPE(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_JWT_TYPE(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -8147,38 +7332,35 @@ func (ec *executionContext) _AuthzResource_created_at(ctx context.Context, field
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.CreatedAt, nil
+		return obj.JwtType, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(int64)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNInt642int64(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_AuthzResource_created_at(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_JWT_TYPE(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "AuthzResource",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Int64 does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _AuthzResource_updated_at(ctx context.Context, field graphql.CollectedField, obj *model.AuthzResource) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuthzResource_updated_at(ctx, field)
+func (ec *executionContext) _Env_JWT_SECRET(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_JWT_SECRET(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -8191,38 +7373,35 @@ func (ec *executionContext) _AuthzResource_updated_at(ctx context.Context, field
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.UpdatedAt, nil
+		return obj.JwtSecret, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(int64)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNInt642int64(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_AuthzResource_updated_at(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_JWT_SECRET(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "AuthzResource",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Int64 does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _AuthzResources_pagination(ctx context.Context, field graphql.CollectedField, obj *model.AuthzResources) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuthzResources_pagination(ctx, field)
+func (ec *executionContext) _Env_JWT_PRIVATE_KEY(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_JWT_PRIVATE_KEY(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -8235,48 +7414,35 @@ func (ec *executionContext) _AuthzResources_pagination(ctx context.Context, fiel
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Pagination, nil
+		return obj.JwtPrivateKey, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Pagination)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNPagination2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPagination(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_AuthzResources_pagination(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_JWT_PRIVATE_KEY(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "AuthzResources",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "limit":
-				return ec.fieldContext_Pagination_limit(ctx, field)
-			case "page":
-				return ec.fieldContext_Pagination_page(ctx, field)
-			case "offset":
-				return ec.fieldContext_Pagination_offset(ctx, field)
-			case "total":
-				return ec.fieldContext_Pagination_total(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type Pagination", field.Name)
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _AuthzResources_resources(ctx context.Context, field graphql.CollectedField, obj *model.AuthzResources) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuthzResources_resources(ctx, field)
+func (ec *executionContext) _Env_JWT_PUBLIC_KEY(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_JWT_PUBLIC_KEY(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -8289,50 +7455,35 @@ func (ec *executionContext) _AuthzResources_resources(ctx context.Context, field
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Resources, nil
+		return obj.JwtPublicKey, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.([]*model.AuthzResource)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNAuthzResource2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzResourceᚄ(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_AuthzResources_resources(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_JWT_PUBLIC_KEY(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "AuthzResources",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "id":
-				return ec.fieldContext_AuthzResource_id(ctx, field)
-			case "name":
-				return ec.fieldContext_AuthzResource_name(ctx, field)
-			case "description":
-				return ec.fieldContext_AuthzResource_description(ctx, field)
-			case "created_at":
-				return ec.fieldContext_AuthzResource_created_at(ctx, field)
-			case "updated_at":
-				return ec.fieldContext_AuthzResource_updated_at(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type AuthzResource", field.Name)
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _AuthzScope_id(ctx context.Context, field graphql.CollectedField, obj *model.AuthzScope) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuthzScope_id(ctx, field)
+func (ec *executionContext) _Env_ALLOWED_ORIGINS(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_ALLOWED_ORIGINS(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -8345,38 +7496,35 @@ func (ec *executionContext) _AuthzScope_id(ctx context.Context, field graphql.Co
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.ID, nil
+		return obj.AllowedOrigins, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(string)
+	res := resTmp.([]string)
 	fc.Result = res
-	return ec.marshalNID2string(ctx, field.Selections, res)
+	return ec.marshalOString2ᚕstringᚄ(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_AuthzScope_id(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_ALLOWED_ORIGINS(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "AuthzScope",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type ID does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _AuthzScope_name(ctx context.Context, field graphql.CollectedField, obj *model.AuthzScope) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuthzScope_name(ctx, field)
+func (ec *executionContext) _Env_APP_URL(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_APP_URL(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -8389,26 +7537,23 @@ func (ec *executionContext) _AuthzScope_name(ctx context.Context, field graphql.
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Name, nil
+		return obj.AppURL, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(string)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNString2string(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_AuthzScope_name(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_APP_URL(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "AuthzScope",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -8419,8 +7564,8 @@ func (ec *executionContext) fieldContext_AuthzScope_name(_ context.Context, fiel
 	return fc, nil
 }
 
-func (ec *executionContext) _AuthzScope_description(ctx context.Context, field graphql.CollectedField, obj *model.AuthzScope) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuthzScope_description(ctx, field)
+func (ec *executionContext) _Env_REDIS_URL(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_REDIS_URL(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -8433,7 +7578,7 @@ func (ec *executionContext) _AuthzScope_description(ctx context.Context, field g
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Description, nil
+		return obj.RedisURL, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -8447,9 +7592,9 @@ func (ec *executionContext) _AuthzScope_description(ctx context.Context, field g
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_AuthzScope_description(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_REDIS_URL(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "AuthzScope",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -8460,8 +7605,8 @@ func (ec *executionContext) fieldContext_AuthzScope_description(_ context.Contex
 	return fc, nil
 }
 
-func (ec *executionContext) _AuthzScope_created_at(ctx context.Context, field graphql.CollectedField, obj *model.AuthzScope) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuthzScope_created_at(ctx, field)
+func (ec *executionContext) _Env_RESET_PASSWORD_URL(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_RESET_PASSWORD_URL(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -8474,38 +7619,35 @@ func (ec *executionContext) _AuthzScope_created_at(ctx context.Context, field gr
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.CreatedAt, nil
+		return obj.ResetPasswordURL, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(int64)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNInt642int64(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_AuthzScope_created_at(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_RESET_PASSWORD_URL(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "AuthzScope",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Int64 does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _AuthzScope_updated_at(ctx context.Context, field graphql.CollectedField, obj *model.AuthzScope) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuthzScope_updated_at(ctx, field)
+func (ec *executionContext) _Env_DISABLE_EMAIL_VERIFICATION(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_DISABLE_EMAIL_VERIFICATION(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -8518,7 +7660,7 @@ func (ec *executionContext) _AuthzScope_updated_at(ctx context.Context, field gr
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.UpdatedAt, nil
+		return obj.DisableEmailVerification, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -8530,26 +7672,26 @@ func (ec *executionContext) _AuthzScope_updated_at(ctx context.Context, field gr
 		}
 		return graphql.Null
 	}
-	res := resTmp.(int64)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalNInt642int64(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_AuthzScope_updated_at(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_DISABLE_EMAIL_VERIFICATION(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "AuthzScope",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Int64 does not have child fields")
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _AuthzScopes_pagination(ctx context.Context, field graphql.CollectedField, obj *model.AuthzScopes) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuthzScopes_pagination(ctx, field)
+func (ec *executionContext) _Env_DISABLE_BASIC_AUTHENTICATION(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_DISABLE_BASIC_AUTHENTICATION(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -8562,7 +7704,7 @@ func (ec *executionContext) _AuthzScopes_pagination(ctx context.Context, field g
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Pagination, nil
+		return obj.DisableBasicAuthentication, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -8574,36 +7716,26 @@ func (ec *executionContext) _AuthzScopes_pagination(ctx context.Context, field g
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Pagination)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalNPagination2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPagination(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_AuthzScopes_pagination(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_DISABLE_BASIC_AUTHENTICATION(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "AuthzScopes",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "limit":
-				return ec.fieldContext_Pagination_limit(ctx, field)
-			case "page":
-				return ec.fieldContext_Pagination_page(ctx, field)
-			case "offset":
-				return ec.fieldContext_Pagination_offset(ctx, field)
-			case "total":
-				return ec.fieldContext_Pagination_total(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type Pagination", field.Name)
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _AuthzScopes_scopes(ctx context.Context, field graphql.CollectedField, obj *model.AuthzScopes) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_AuthzScopes_scopes(ctx, field)
+func (ec *executionContext) _Env_DISABLE_MOBILE_BASIC_AUTHENTICATION(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_DISABLE_MOBILE_BASIC_AUTHENTICATION(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -8616,7 +7748,7 @@ func (ec *executionContext) _AuthzScopes_scopes(ctx context.Context, field graph
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Scopes, nil
+		return obj.DisableMobileBasicAuthentication, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -8628,38 +7760,26 @@ func (ec *executionContext) _AuthzScopes_scopes(ctx context.Context, field graph
 		}
 		return graphql.Null
 	}
-	res := resTmp.([]*model.AuthzScope)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalNAuthzScope2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzScopeᚄ(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_AuthzScopes_scopes(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_DISABLE_MOBILE_BASIC_AUTHENTICATION(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "AuthzScopes",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "id":
-				return ec.fieldContext_AuthzScope_id(ctx, field)
-			case "name":
-				return ec.fieldContext_AuthzScope_name(ctx, field)
-			case "description":
-				return ec.fieldContext_AuthzScope_description(ctx, field)
-			case "created_at":
-				return ec.fieldContext_AuthzScope_created_at(ctx, field)
-			case "updated_at":
-				return ec.fieldContext_AuthzScope_updated_at(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type AuthzScope", field.Name)
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _EmailTemplate_id(ctx context.Context, field graphql.CollectedField, obj *model.EmailTemplate) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_EmailTemplate_id(ctx, field)
+func (ec *executionContext) _Env_DISABLE_MAGIC_LINK_LOGIN(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_DISABLE_MAGIC_LINK_LOGIN(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -8672,7 +7792,7 @@ func (ec *executionContext) _EmailTemplate_id(ctx context.Context, field graphql
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.ID, nil
+		return obj.DisableMagicLinkLogin, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -8684,26 +7804,26 @@ func (ec *executionContext) _EmailTemplate_id(ctx context.Context, field graphql
 		}
 		return graphql.Null
 	}
-	res := resTmp.(string)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalNID2string(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_EmailTemplate_id(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_DISABLE_MAGIC_LINK_LOGIN(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "EmailTemplate",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type ID does not have child fields")
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _EmailTemplate_event_name(ctx context.Context, field graphql.CollectedField, obj *model.EmailTemplate) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_EmailTemplate_event_name(ctx, field)
+func (ec *executionContext) _Env_DISABLE_LOGIN_PAGE(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_DISABLE_LOGIN_PAGE(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -8716,7 +7836,7 @@ func (ec *executionContext) _EmailTemplate_event_name(ctx context.Context, field
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.EventName, nil
+		return obj.DisableLoginPage, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -8728,26 +7848,26 @@ func (ec *executionContext) _EmailTemplate_event_name(ctx context.Context, field
 		}
 		return graphql.Null
 	}
-	res := resTmp.(string)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalNString2string(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_EmailTemplate_event_name(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_DISABLE_LOGIN_PAGE(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "EmailTemplate",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _EmailTemplate_template(ctx context.Context, field graphql.CollectedField, obj *model.EmailTemplate) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_EmailTemplate_template(ctx, field)
+func (ec *executionContext) _Env_DISABLE_SIGN_UP(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_DISABLE_SIGN_UP(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -8760,7 +7880,7 @@ func (ec *executionContext) _EmailTemplate_template(ctx context.Context, field g
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Template, nil
+		return obj.DisableSignUp, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -8772,26 +7892,26 @@ func (ec *executionContext) _EmailTemplate_template(ctx context.Context, field g
 		}
 		return graphql.Null
 	}
-	res := resTmp.(string)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalNString2string(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_EmailTemplate_template(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_DISABLE_SIGN_UP(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "EmailTemplate",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _EmailTemplate_design(ctx context.Context, field graphql.CollectedField, obj *model.EmailTemplate) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_EmailTemplate_design(ctx, field)
+func (ec *executionContext) _Env_DISABLE_REDIS_FOR_ENV(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_DISABLE_REDIS_FOR_ENV(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -8804,7 +7924,7 @@ func (ec *executionContext) _EmailTemplate_design(ctx context.Context, field gra
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Design, nil
+		return obj.DisableRedisForEnv, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -8816,26 +7936,26 @@ func (ec *executionContext) _EmailTemplate_design(ctx context.Context, field gra
 		}
 		return graphql.Null
 	}
-	res := resTmp.(string)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalNString2string(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_EmailTemplate_design(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_DISABLE_REDIS_FOR_ENV(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "EmailTemplate",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _EmailTemplate_subject(ctx context.Context, field graphql.CollectedField, obj *model.EmailTemplate) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_EmailTemplate_subject(ctx, field)
+func (ec *executionContext) _Env_DISABLE_STRONG_PASSWORD(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_DISABLE_STRONG_PASSWORD(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -8848,7 +7968,7 @@ func (ec *executionContext) _EmailTemplate_subject(ctx context.Context, field gr
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Subject, nil
+		return obj.DisableStrongPassword, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -8860,26 +7980,26 @@ func (ec *executionContext) _EmailTemplate_subject(ctx context.Context, field gr
 		}
 		return graphql.Null
 	}
-	res := resTmp.(string)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalNString2string(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_EmailTemplate_subject(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_DISABLE_STRONG_PASSWORD(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "EmailTemplate",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _EmailTemplate_created_at(ctx context.Context, field graphql.CollectedField, obj *model.EmailTemplate) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_EmailTemplate_created_at(ctx, field)
+func (ec *executionContext) _Env_DISABLE_MULTI_FACTOR_AUTHENTICATION(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_DISABLE_MULTI_FACTOR_AUTHENTICATION(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -8892,35 +8012,38 @@ func (ec *executionContext) _EmailTemplate_created_at(ctx context.Context, field
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.CreatedAt, nil
+		return obj.DisableMultiFactorAuthentication, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*int64)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalOInt642ᚖint64(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_EmailTemplate_created_at(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_DISABLE_MULTI_FACTOR_AUTHENTICATION(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "EmailTemplate",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Int64 does not have child fields")
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _EmailTemplate_updated_at(ctx context.Context, field graphql.CollectedField, obj *model.EmailTemplate) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_EmailTemplate_updated_at(ctx, field)
+func (ec *executionContext) _Env_ENFORCE_MULTI_FACTOR_AUTHENTICATION(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_ENFORCE_MULTI_FACTOR_AUTHENTICATION(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -8933,35 +8056,38 @@ func (ec *executionContext) _EmailTemplate_updated_at(ctx context.Context, field
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.UpdatedAt, nil
+		return obj.EnforceMultiFactorAuthentication, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*int64)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalOInt642ᚖint64(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_EmailTemplate_updated_at(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_ENFORCE_MULTI_FACTOR_AUTHENTICATION(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "EmailTemplate",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Int64 does not have child fields")
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _EmailTemplates_pagination(ctx context.Context, field graphql.CollectedField, obj *model.EmailTemplates) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_EmailTemplates_pagination(ctx, field)
+func (ec *executionContext) _Env_ROLES(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_ROLES(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -8974,48 +8100,35 @@ func (ec *executionContext) _EmailTemplates_pagination(ctx context.Context, fiel
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Pagination, nil
+		return obj.Roles, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Pagination)
+	res := resTmp.([]string)
 	fc.Result = res
-	return ec.marshalNPagination2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPagination(ctx, field.Selections, res)
+	return ec.marshalOString2ᚕstringᚄ(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_EmailTemplates_pagination(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_ROLES(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "EmailTemplates",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "limit":
-				return ec.fieldContext_Pagination_limit(ctx, field)
-			case "page":
-				return ec.fieldContext_Pagination_page(ctx, field)
-			case "offset":
-				return ec.fieldContext_Pagination_offset(ctx, field)
-			case "total":
-				return ec.fieldContext_Pagination_total(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type Pagination", field.Name)
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _EmailTemplates_email_templates(ctx context.Context, field graphql.CollectedField, obj *model.EmailTemplates) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_EmailTemplates_email_templates(ctx, field)
+func (ec *executionContext) _Env_PROTECTED_ROLES(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_PROTECTED_ROLES(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -9028,54 +8141,35 @@ func (ec *executionContext) _EmailTemplates_email_templates(ctx context.Context,
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.EmailTemplates, nil
+		return obj.ProtectedRoles, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.([]*model.EmailTemplate)
+	res := resTmp.([]string)
 	fc.Result = res
-	return ec.marshalNEmailTemplate2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐEmailTemplateᚄ(ctx, field.Selections, res)
+	return ec.marshalOString2ᚕstringᚄ(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_EmailTemplates_email_templates(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_PROTECTED_ROLES(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "EmailTemplates",
+		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "id":
-				return ec.fieldContext_EmailTemplate_id(ctx, field)
-			case "event_name":
-				return ec.fieldContext_EmailTemplate_event_name(ctx, field)
-			case "template":
-				return ec.fieldContext_EmailTemplate_template(ctx, field)
-			case "design":
-				return ec.fieldContext_EmailTemplate_design(ctx, field)
-			case "subject":
-				return ec.fieldContext_EmailTemplate_subject(ctx, field)
-			case "created_at":
-				return ec.fieldContext_EmailTemplate_created_at(ctx, field)
-			case "updated_at":
-				return ec.fieldContext_EmailTemplate_updated_at(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type EmailTemplate", field.Name)
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_ACCESS_TOKEN_EXPIRY_TIME(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_ACCESS_TOKEN_EXPIRY_TIME(ctx, field)
+func (ec *executionContext) _Env_DEFAULT_ROLES(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_DEFAULT_ROLES(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -9088,7 +8182,7 @@ func (ec *executionContext) _Env_ACCESS_TOKEN_EXPIRY_TIME(ctx context.Context, f
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.AccessTokenExpiryTime, nil
+		return obj.DefaultRoles, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -9097,12 +8191,12 @@ func (ec *executionContext) _Env_ACCESS_TOKEN_EXPIRY_TIME(ctx context.Context, f
 	if resTmp == nil {
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.([]string)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalOString2ᚕstringᚄ(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_ACCESS_TOKEN_EXPIRY_TIME(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_DEFAULT_ROLES(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Env",
 		Field:      field,
@@ -9115,8 +8209,8 @@ func (ec *executionContext) fieldContext_Env_ACCESS_TOKEN_EXPIRY_TIME(_ context.
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_ADMIN_SECRET(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_ADMIN_SECRET(ctx, field)
+func (ec *executionContext) _Env_JWT_ROLE_CLAIM(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_JWT_ROLE_CLAIM(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -9129,7 +8223,7 @@ func (ec *executionContext) _Env_ADMIN_SECRET(ctx context.Context, field graphql
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.AdminSecret, nil
+		return obj.JwtRoleClaim, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -9143,7 +8237,7 @@ func (ec *executionContext) _Env_ADMIN_SECRET(ctx context.Context, field graphql
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_ADMIN_SECRET(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_JWT_ROLE_CLAIM(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Env",
 		Field:      field,
@@ -9156,8 +8250,8 @@ func (ec *executionContext) fieldContext_Env_ADMIN_SECRET(_ context.Context, fie
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_DATABASE_NAME(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_DATABASE_NAME(ctx, field)
+func (ec *executionContext) _Env_GOOGLE_CLIENT_ID(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_GOOGLE_CLIENT_ID(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -9170,7 +8264,7 @@ func (ec *executionContext) _Env_DATABASE_NAME(ctx context.Context, field graphq
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.DatabaseName, nil
+		return obj.GoogleClientID, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -9184,7 +8278,7 @@ func (ec *executionContext) _Env_DATABASE_NAME(ctx context.Context, field graphq
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_DATABASE_NAME(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_GOOGLE_CLIENT_ID(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Env",
 		Field:      field,
@@ -9197,8 +8291,8 @@ func (ec *executionContext) fieldContext_Env_DATABASE_NAME(_ context.Context, fi
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_DATABASE_URL(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_DATABASE_URL(ctx, field)
+func (ec *executionContext) _Env_GOOGLE_CLIENT_SECRET(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_GOOGLE_CLIENT_SECRET(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -9211,7 +8305,7 @@ func (ec *executionContext) _Env_DATABASE_URL(ctx context.Context, field graphql
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.DatabaseURL, nil
+		return obj.GoogleClientSecret, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -9225,7 +8319,7 @@ func (ec *executionContext) _Env_DATABASE_URL(ctx context.Context, field graphql
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_DATABASE_URL(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_GOOGLE_CLIENT_SECRET(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Env",
 		Field:      field,
@@ -9238,8 +8332,8 @@ func (ec *executionContext) fieldContext_Env_DATABASE_URL(_ context.Context, fie
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_DATABASE_TYPE(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_DATABASE_TYPE(ctx, field)
+func (ec *executionContext) _Env_GITHUB_CLIENT_ID(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_GITHUB_CLIENT_ID(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -9252,7 +8346,7 @@ func (ec *executionContext) _Env_DATABASE_TYPE(ctx context.Context, field graphq
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.DatabaseType, nil
+		return obj.GithubClientID, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -9266,7 +8360,7 @@ func (ec *executionContext) _Env_DATABASE_TYPE(ctx context.Context, field graphq
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_DATABASE_TYPE(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_GITHUB_CLIENT_ID(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Env",
 		Field:      field,
@@ -9279,8 +8373,8 @@ func (ec *executionContext) fieldContext_Env_DATABASE_TYPE(_ context.Context, fi
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_DATABASE_USERNAME(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_DATABASE_USERNAME(ctx, field)
+func (ec *executionContext) _Env_GITHUB_CLIENT_SECRET(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_GITHUB_CLIENT_SECRET(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -9293,7 +8387,7 @@ func (ec *executionContext) _Env_DATABASE_USERNAME(ctx context.Context, field gr
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.DatabaseUsername, nil
+		return obj.GithubClientSecret, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -9307,7 +8401,7 @@ func (ec *executionContext) _Env_DATABASE_USERNAME(ctx context.Context, field gr
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_DATABASE_USERNAME(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_GITHUB_CLIENT_SECRET(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Env",
 		Field:      field,
@@ -9320,8 +8414,8 @@ func (ec *executionContext) fieldContext_Env_DATABASE_USERNAME(_ context.Context
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_DATABASE_PASSWORD(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_DATABASE_PASSWORD(ctx, field)
+func (ec *executionContext) _Env_FACEBOOK_CLIENT_ID(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_FACEBOOK_CLIENT_ID(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -9334,7 +8428,7 @@ func (ec *executionContext) _Env_DATABASE_PASSWORD(ctx context.Context, field gr
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.DatabasePassword, nil
+		return obj.FacebookClientID, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -9348,7 +8442,7 @@ func (ec *executionContext) _Env_DATABASE_PASSWORD(ctx context.Context, field gr
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_DATABASE_PASSWORD(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_FACEBOOK_CLIENT_ID(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Env",
 		Field:      field,
@@ -9361,8 +8455,8 @@ func (ec *executionContext) fieldContext_Env_DATABASE_PASSWORD(_ context.Context
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_DATABASE_HOST(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_DATABASE_HOST(ctx, field)
+func (ec *executionContext) _Env_FACEBOOK_CLIENT_SECRET(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_FACEBOOK_CLIENT_SECRET(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -9375,7 +8469,7 @@ func (ec *executionContext) _Env_DATABASE_HOST(ctx context.Context, field graphq
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.DatabaseHost, nil
+		return obj.FacebookClientSecret, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -9389,7 +8483,7 @@ func (ec *executionContext) _Env_DATABASE_HOST(ctx context.Context, field graphq
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_DATABASE_HOST(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_FACEBOOK_CLIENT_SECRET(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Env",
 		Field:      field,
@@ -9402,8 +8496,8 @@ func (ec *executionContext) fieldContext_Env_DATABASE_HOST(_ context.Context, fi
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_DATABASE_PORT(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_DATABASE_PORT(ctx, field)
+func (ec *executionContext) _Env_LINKEDIN_CLIENT_ID(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_LINKEDIN_CLIENT_ID(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -9416,7 +8510,7 @@ func (ec *executionContext) _Env_DATABASE_PORT(ctx context.Context, field graphq
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.DatabasePort, nil
+		return obj.LinkedinClientID, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -9430,7 +8524,7 @@ func (ec *executionContext) _Env_DATABASE_PORT(ctx context.Context, field graphq
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_DATABASE_PORT(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_LINKEDIN_CLIENT_ID(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Env",
 		Field:      field,
@@ -9443,8 +8537,8 @@ func (ec *executionContext) fieldContext_Env_DATABASE_PORT(_ context.Context, fi
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_CLIENT_ID(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_CLIENT_ID(ctx, field)
+func (ec *executionContext) _Env_LINKEDIN_CLIENT_SECRET(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_LINKEDIN_CLIENT_SECRET(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -9457,24 +8551,21 @@ func (ec *executionContext) _Env_CLIENT_ID(ctx context.Context, field graphql.Co
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.ClientID, nil
+		return obj.LinkedinClientSecret, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(string)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNString2string(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_CLIENT_ID(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_LINKEDIN_CLIENT_SECRET(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Env",
 		Field:      field,
@@ -9487,8 +8578,8 @@ func (ec *executionContext) fieldContext_Env_CLIENT_ID(_ context.Context, field
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_CLIENT_SECRET(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_CLIENT_SECRET(ctx, field)
+func (ec *executionContext) _Env_APPLE_CLIENT_ID(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_APPLE_CLIENT_ID(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -9501,24 +8592,21 @@ func (ec *executionContext) _Env_CLIENT_SECRET(ctx context.Context, field graphq
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.ClientSecret, nil
+		return obj.AppleClientID, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(string)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNString2string(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_CLIENT_SECRET(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_APPLE_CLIENT_ID(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Env",
 		Field:      field,
@@ -9531,8 +8619,8 @@ func (ec *executionContext) fieldContext_Env_CLIENT_SECRET(_ context.Context, fi
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_CUSTOM_ACCESS_TOKEN_SCRIPT(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_CUSTOM_ACCESS_TOKEN_SCRIPT(ctx, field)
+func (ec *executionContext) _Env_APPLE_CLIENT_SECRET(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_APPLE_CLIENT_SECRET(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -9545,7 +8633,7 @@ func (ec *executionContext) _Env_CUSTOM_ACCESS_TOKEN_SCRIPT(ctx context.Context,
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.CustomAccessTokenScript, nil
+		return obj.AppleClientSecret, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -9559,7 +8647,7 @@ func (ec *executionContext) _Env_CUSTOM_ACCESS_TOKEN_SCRIPT(ctx context.Context,
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_CUSTOM_ACCESS_TOKEN_SCRIPT(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_APPLE_CLIENT_SECRET(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Env",
 		Field:      field,
@@ -9572,8 +8660,8 @@ func (ec *executionContext) fieldContext_Env_CUSTOM_ACCESS_TOKEN_SCRIPT(_ contex
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_SMTP_HOST(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_SMTP_HOST(ctx, field)
+func (ec *executionContext) _Env_DISCORD_CLIENT_ID(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_DISCORD_CLIENT_ID(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -9586,7 +8674,7 @@ func (ec *executionContext) _Env_SMTP_HOST(ctx context.Context, field graphql.Co
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.SMTPHost, nil
+		return obj.DiscordClientID, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -9600,7 +8688,7 @@ func (ec *executionContext) _Env_SMTP_HOST(ctx context.Context, field graphql.Co
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_SMTP_HOST(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_DISCORD_CLIENT_ID(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Env",
 		Field:      field,
@@ -9613,8 +8701,8 @@ func (ec *executionContext) fieldContext_Env_SMTP_HOST(_ context.Context, field
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_SMTP_PORT(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_SMTP_PORT(ctx, field)
+func (ec *executionContext) _Env_DISCORD_CLIENT_SECRET(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_DISCORD_CLIENT_SECRET(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -9627,7 +8715,7 @@ func (ec *executionContext) _Env_SMTP_PORT(ctx context.Context, field graphql.Co
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.SMTPPort, nil
+		return obj.DiscordClientSecret, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -9641,7 +8729,7 @@ func (ec *executionContext) _Env_SMTP_PORT(ctx context.Context, field graphql.Co
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_SMTP_PORT(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_DISCORD_CLIENT_SECRET(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Env",
 		Field:      field,
@@ -9654,8 +8742,8 @@ func (ec *executionContext) fieldContext_Env_SMTP_PORT(_ context.Context, field
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_SMTP_USERNAME(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_SMTP_USERNAME(ctx, field)
+func (ec *executionContext) _Env_TWITTER_CLIENT_ID(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_TWITTER_CLIENT_ID(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -9668,7 +8756,7 @@ func (ec *executionContext) _Env_SMTP_USERNAME(ctx context.Context, field graphq
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.SMTPUsername, nil
+		return obj.TwitterClientID, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -9682,7 +8770,7 @@ func (ec *executionContext) _Env_SMTP_USERNAME(ctx context.Context, field graphq
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_SMTP_USERNAME(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_TWITTER_CLIENT_ID(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Env",
 		Field:      field,
@@ -9695,8 +8783,8 @@ func (ec *executionContext) fieldContext_Env_SMTP_USERNAME(_ context.Context, fi
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_SMTP_PASSWORD(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_SMTP_PASSWORD(ctx, field)
+func (ec *executionContext) _Env_TWITTER_CLIENT_SECRET(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_TWITTER_CLIENT_SECRET(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -9709,7 +8797,7 @@ func (ec *executionContext) _Env_SMTP_PASSWORD(ctx context.Context, field graphq
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.SMTPPassword, nil
+		return obj.TwitterClientSecret, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -9723,7 +8811,7 @@ func (ec *executionContext) _Env_SMTP_PASSWORD(ctx context.Context, field graphq
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_SMTP_PASSWORD(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_TWITTER_CLIENT_SECRET(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Env",
 		Field:      field,
@@ -9736,8 +8824,8 @@ func (ec *executionContext) fieldContext_Env_SMTP_PASSWORD(_ context.Context, fi
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_SMTP_LOCAL_NAME(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_SMTP_LOCAL_NAME(ctx, field)
+func (ec *executionContext) _Env_MICROSOFT_CLIENT_ID(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_MICROSOFT_CLIENT_ID(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -9750,7 +8838,7 @@ func (ec *executionContext) _Env_SMTP_LOCAL_NAME(ctx context.Context, field grap
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.SMTPLocalName, nil
+		return obj.MicrosoftClientID, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -9764,7 +8852,7 @@ func (ec *executionContext) _Env_SMTP_LOCAL_NAME(ctx context.Context, field grap
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_SMTP_LOCAL_NAME(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_MICROSOFT_CLIENT_ID(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Env",
 		Field:      field,
@@ -9777,8 +8865,8 @@ func (ec *executionContext) fieldContext_Env_SMTP_LOCAL_NAME(_ context.Context,
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_SENDER_EMAIL(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_SENDER_EMAIL(ctx, field)
+func (ec *executionContext) _Env_MICROSOFT_CLIENT_SECRET(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_MICROSOFT_CLIENT_SECRET(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -9791,7 +8879,7 @@ func (ec *executionContext) _Env_SENDER_EMAIL(ctx context.Context, field graphql
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.SenderEmail, nil
+		return obj.MicrosoftClientSecret, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -9805,7 +8893,7 @@ func (ec *executionContext) _Env_SENDER_EMAIL(ctx context.Context, field graphql
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_SENDER_EMAIL(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_MICROSOFT_CLIENT_SECRET(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Env",
 		Field:      field,
@@ -9818,8 +8906,8 @@ func (ec *executionContext) fieldContext_Env_SENDER_EMAIL(_ context.Context, fie
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_SENDER_NAME(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_SENDER_NAME(ctx, field)
+func (ec *executionContext) _Env_MICROSOFT_ACTIVE_DIRECTORY_TENANT_ID(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_MICROSOFT_ACTIVE_DIRECTORY_TENANT_ID(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -9832,7 +8920,7 @@ func (ec *executionContext) _Env_SENDER_NAME(ctx context.Context, field graphql.
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.SenderName, nil
+		return obj.MicrosoftActiveDirectoryTenantID, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -9846,7 +8934,7 @@ func (ec *executionContext) _Env_SENDER_NAME(ctx context.Context, field graphql.
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_SENDER_NAME(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_MICROSOFT_ACTIVE_DIRECTORY_TENANT_ID(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Env",
 		Field:      field,
@@ -9859,8 +8947,8 @@ func (ec *executionContext) fieldContext_Env_SENDER_NAME(_ context.Context, fiel
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_JWT_TYPE(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_JWT_TYPE(ctx, field)
+func (ec *executionContext) _Env_TWITCH_CLIENT_ID(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_TWITCH_CLIENT_ID(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -9873,7 +8961,7 @@ func (ec *executionContext) _Env_JWT_TYPE(ctx context.Context, field graphql.Col
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.JwtType, nil
+		return obj.TwitchClientID, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -9887,7 +8975,7 @@ func (ec *executionContext) _Env_JWT_TYPE(ctx context.Context, field graphql.Col
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_JWT_TYPE(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_TWITCH_CLIENT_ID(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Env",
 		Field:      field,
@@ -9900,8 +8988,8 @@ func (ec *executionContext) fieldContext_Env_JWT_TYPE(_ context.Context, field g
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_JWT_SECRET(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_JWT_SECRET(ctx, field)
+func (ec *executionContext) _Env_TWITCH_CLIENT_SECRET(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_TWITCH_CLIENT_SECRET(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -9914,7 +9002,7 @@ func (ec *executionContext) _Env_JWT_SECRET(ctx context.Context, field graphql.C
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.JwtSecret, nil
+		return obj.TwitchClientSecret, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -9928,7 +9016,7 @@ func (ec *executionContext) _Env_JWT_SECRET(ctx context.Context, field graphql.C
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_JWT_SECRET(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_TWITCH_CLIENT_SECRET(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Env",
 		Field:      field,
@@ -9941,8 +9029,8 @@ func (ec *executionContext) fieldContext_Env_JWT_SECRET(_ context.Context, field
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_JWT_PRIVATE_KEY(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_JWT_PRIVATE_KEY(ctx, field)
+func (ec *executionContext) _Env_ROBLOX_CLIENT_ID(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_ROBLOX_CLIENT_ID(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -9955,7 +9043,7 @@ func (ec *executionContext) _Env_JWT_PRIVATE_KEY(ctx context.Context, field grap
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.JwtPrivateKey, nil
+		return obj.RobloxClientID, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -9969,7 +9057,7 @@ func (ec *executionContext) _Env_JWT_PRIVATE_KEY(ctx context.Context, field grap
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_JWT_PRIVATE_KEY(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_ROBLOX_CLIENT_ID(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Env",
 		Field:      field,
@@ -9982,8 +9070,8 @@ func (ec *executionContext) fieldContext_Env_JWT_PRIVATE_KEY(_ context.Context,
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_JWT_PUBLIC_KEY(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_JWT_PUBLIC_KEY(ctx, field)
+func (ec *executionContext) _Env_ROBLOX_CLIENT_SECRET(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_ROBLOX_CLIENT_SECRET(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -9996,7 +9084,7 @@ func (ec *executionContext) _Env_JWT_PUBLIC_KEY(ctx context.Context, field graph
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.JwtPublicKey, nil
+		return obj.RobloxClientSecret, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -10010,7 +9098,7 @@ func (ec *executionContext) _Env_JWT_PUBLIC_KEY(ctx context.Context, field graph
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_JWT_PUBLIC_KEY(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_ROBLOX_CLIENT_SECRET(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Env",
 		Field:      field,
@@ -10023,8 +9111,8 @@ func (ec *executionContext) fieldContext_Env_JWT_PUBLIC_KEY(_ context.Context, f
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_ALLOWED_ORIGINS(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_ALLOWED_ORIGINS(ctx, field)
+func (ec *executionContext) _Env_ORGANIZATION_NAME(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_ORGANIZATION_NAME(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -10037,7 +9125,7 @@ func (ec *executionContext) _Env_ALLOWED_ORIGINS(ctx context.Context, field grap
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.AllowedOrigins, nil
+		return obj.OrganizationName, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -10046,12 +9134,12 @@ func (ec *executionContext) _Env_ALLOWED_ORIGINS(ctx context.Context, field grap
 	if resTmp == nil {
 		return graphql.Null
 	}
-	res := resTmp.([]string)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalOString2ᚕstringᚄ(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_ALLOWED_ORIGINS(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_ORGANIZATION_NAME(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Env",
 		Field:      field,
@@ -10064,8 +9152,8 @@ func (ec *executionContext) fieldContext_Env_ALLOWED_ORIGINS(_ context.Context,
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_APP_URL(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_APP_URL(ctx, field)
+func (ec *executionContext) _Env_ORGANIZATION_LOGO(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_ORGANIZATION_LOGO(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -10078,7 +9166,7 @@ func (ec *executionContext) _Env_APP_URL(ctx context.Context, field graphql.Coll
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.AppURL, nil
+		return obj.OrganizationLogo, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -10092,7 +9180,7 @@ func (ec *executionContext) _Env_APP_URL(ctx context.Context, field graphql.Coll
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_APP_URL(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_ORGANIZATION_LOGO(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Env",
 		Field:      field,
@@ -10105,9 +9193,9 @@ func (ec *executionContext) fieldContext_Env_APP_URL(_ context.Context, field gr
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_REDIS_URL(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_REDIS_URL(ctx, field)
-	if err != nil {
+func (ec *executionContext) _Env_APP_COOKIE_SECURE(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_APP_COOKIE_SECURE(ctx, field)
+	if err != nil {
 		return graphql.Null
 	}
 	ctx = graphql.WithFieldContext(ctx, fc)
@@ -10119,35 +9207,38 @@ func (ec *executionContext) _Env_REDIS_URL(ctx context.Context, field graphql.Co
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.RedisURL, nil
+		return obj.AppCookieSecure, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_REDIS_URL(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_APP_COOKIE_SECURE(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_RESET_PASSWORD_URL(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_RESET_PASSWORD_URL(ctx, field)
+func (ec *executionContext) _Env_ADMIN_COOKIE_SECURE(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_ADMIN_COOKIE_SECURE(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -10160,35 +9251,38 @@ func (ec *executionContext) _Env_RESET_PASSWORD_URL(ctx context.Context, field g
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.ResetPasswordURL, nil
+		return obj.AdminCookieSecure, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_RESET_PASSWORD_URL(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_ADMIN_COOKIE_SECURE(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_DISABLE_EMAIL_VERIFICATION(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_DISABLE_EMAIL_VERIFICATION(ctx, field)
+func (ec *executionContext) _Env_DEFAULT_AUTHORIZE_RESPONSE_TYPE(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_DEFAULT_AUTHORIZE_RESPONSE_TYPE(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -10201,38 +9295,35 @@ func (ec *executionContext) _Env_DISABLE_EMAIL_VERIFICATION(ctx context.Context,
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.DisableEmailVerification, nil
+		return obj.DefaultAuthorizeResponseType, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_DISABLE_EMAIL_VERIFICATION(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_DEFAULT_AUTHORIZE_RESPONSE_TYPE(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_DISABLE_BASIC_AUTHENTICATION(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_DISABLE_BASIC_AUTHENTICATION(ctx, field)
+func (ec *executionContext) _Env_DEFAULT_AUTHORIZE_RESPONSE_MODE(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_DEFAULT_AUTHORIZE_RESPONSE_MODE(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -10245,38 +9336,35 @@ func (ec *executionContext) _Env_DISABLE_BASIC_AUTHENTICATION(ctx context.Contex
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.DisableBasicAuthentication, nil
+		return obj.DefaultAuthorizeResponseMode, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_DISABLE_BASIC_AUTHENTICATION(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_DEFAULT_AUTHORIZE_RESPONSE_MODE(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Env",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_DISABLE_MOBILE_BASIC_AUTHENTICATION(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_DISABLE_MOBILE_BASIC_AUTHENTICATION(ctx, field)
+func (ec *executionContext) _Env_DISABLE_PLAYGROUND(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_DISABLE_PLAYGROUND(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -10289,7 +9377,7 @@ func (ec *executionContext) _Env_DISABLE_MOBILE_BASIC_AUTHENTICATION(ctx context
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.DisableMobileBasicAuthentication, nil
+		return obj.DisablePlayground, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -10306,7 +9394,7 @@ func (ec *executionContext) _Env_DISABLE_MOBILE_BASIC_AUTHENTICATION(ctx context
 	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_DISABLE_MOBILE_BASIC_AUTHENTICATION(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_DISABLE_PLAYGROUND(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Env",
 		Field:      field,
@@ -10319,8 +9407,8 @@ func (ec *executionContext) fieldContext_Env_DISABLE_MOBILE_BASIC_AUTHENTICATION
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_DISABLE_MAGIC_LINK_LOGIN(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_DISABLE_MAGIC_LINK_LOGIN(ctx, field)
+func (ec *executionContext) _Env_DISABLE_MAIL_OTP_LOGIN(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_DISABLE_MAIL_OTP_LOGIN(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -10333,7 +9421,7 @@ func (ec *executionContext) _Env_DISABLE_MAGIC_LINK_LOGIN(ctx context.Context, f
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.DisableMagicLinkLogin, nil
+		return obj.DisableMailOtpLogin, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -10350,7 +9438,7 @@ func (ec *executionContext) _Env_DISABLE_MAGIC_LINK_LOGIN(ctx context.Context, f
 	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_DISABLE_MAGIC_LINK_LOGIN(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_DISABLE_MAIL_OTP_LOGIN(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Env",
 		Field:      field,
@@ -10363,8 +9451,8 @@ func (ec *executionContext) fieldContext_Env_DISABLE_MAGIC_LINK_LOGIN(_ context.
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_DISABLE_LOGIN_PAGE(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_DISABLE_LOGIN_PAGE(ctx, field)
+func (ec *executionContext) _Env_DISABLE_TOTP_LOGIN(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Env_DISABLE_TOTP_LOGIN(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -10377,7 +9465,7 @@ func (ec *executionContext) _Env_DISABLE_LOGIN_PAGE(ctx context.Context, field g
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.DisableLoginPage, nil
+		return obj.DisableTotpLogin, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -10394,7 +9482,7 @@ func (ec *executionContext) _Env_DISABLE_LOGIN_PAGE(ctx context.Context, field g
 	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_DISABLE_LOGIN_PAGE(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Env_DISABLE_TOTP_LOGIN(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Env",
 		Field:      field,
@@ -10407,8 +9495,8 @@ func (ec *executionContext) fieldContext_Env_DISABLE_LOGIN_PAGE(_ context.Contex
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_DISABLE_SIGN_UP(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_DISABLE_SIGN_UP(ctx, field)
+func (ec *executionContext) _Error_message(ctx context.Context, field graphql.CollectedField, obj *model.Error) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Error_message(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -10421,7 +9509,7 @@ func (ec *executionContext) _Env_DISABLE_SIGN_UP(ctx context.Context, field grap
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.DisableSignUp, nil
+		return obj.Message, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -10433,26 +9521,26 @@ func (ec *executionContext) _Env_DISABLE_SIGN_UP(ctx context.Context, field grap
 		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalNString2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_DISABLE_SIGN_UP(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Error_message(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "Error",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_DISABLE_REDIS_FOR_ENV(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_DISABLE_REDIS_FOR_ENV(ctx, field)
+func (ec *executionContext) _Error_reason(ctx context.Context, field graphql.CollectedField, obj *model.Error) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Error_reason(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -10465,7 +9553,7 @@ func (ec *executionContext) _Env_DISABLE_REDIS_FOR_ENV(ctx context.Context, fiel
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.DisableRedisForEnv, nil
+		return obj.Reason, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -10477,26 +9565,26 @@ func (ec *executionContext) _Env_DISABLE_REDIS_FOR_ENV(ctx context.Context, fiel
 		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalNString2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_DISABLE_REDIS_FOR_ENV(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Error_reason(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "Error",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_DISABLE_STRONG_PASSWORD(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_DISABLE_STRONG_PASSWORD(ctx, field)
+func (ec *executionContext) _FgaBatchCheckResponse_results(ctx context.Context, field graphql.CollectedField, obj *model.FgaBatchCheckResponse) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_FgaBatchCheckResponse_results(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -10509,7 +9597,7 @@ func (ec *executionContext) _Env_DISABLE_STRONG_PASSWORD(ctx context.Context, fi
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.DisableStrongPassword, nil
+		return obj.Results, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -10521,26 +9609,30 @@ func (ec *executionContext) _Env_DISABLE_STRONG_PASSWORD(ctx context.Context, fi
 		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.([]*model.FgaCheckResponse)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalNFgaCheckResponse2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaCheckResponseᚄ(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_DISABLE_STRONG_PASSWORD(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_FgaBatchCheckResponse_results(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "FgaBatchCheckResponse",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			switch field.Name {
+			case "allowed":
+				return ec.fieldContext_FgaCheckResponse_allowed(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type FgaCheckResponse", field.Name)
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_DISABLE_MULTI_FACTOR_AUTHENTICATION(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_DISABLE_MULTI_FACTOR_AUTHENTICATION(ctx, field)
+func (ec *executionContext) _FgaCheckResponse_allowed(ctx context.Context, field graphql.CollectedField, obj *model.FgaCheckResponse) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_FgaCheckResponse_allowed(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -10553,7 +9645,7 @@ func (ec *executionContext) _Env_DISABLE_MULTI_FACTOR_AUTHENTICATION(ctx context
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.DisableMultiFactorAuthentication, nil
+		return obj.Allowed, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -10570,9 +9662,9 @@ func (ec *executionContext) _Env_DISABLE_MULTI_FACTOR_AUTHENTICATION(ctx context
 	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_DISABLE_MULTI_FACTOR_AUTHENTICATION(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_FgaCheckResponse_allowed(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "FgaCheckResponse",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -10583,8 +9675,8 @@ func (ec *executionContext) fieldContext_Env_DISABLE_MULTI_FACTOR_AUTHENTICATION
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_ENFORCE_MULTI_FACTOR_AUTHENTICATION(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_ENFORCE_MULTI_FACTOR_AUTHENTICATION(ctx, field)
+func (ec *executionContext) _FgaListObjectsResponse_objects(ctx context.Context, field graphql.CollectedField, obj *model.FgaListObjectsResponse) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_FgaListObjectsResponse_objects(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -10597,7 +9689,7 @@ func (ec *executionContext) _Env_ENFORCE_MULTI_FACTOR_AUTHENTICATION(ctx context
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.EnforceMultiFactorAuthentication, nil
+		return obj.Objects, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -10609,26 +9701,26 @@ func (ec *executionContext) _Env_ENFORCE_MULTI_FACTOR_AUTHENTICATION(ctx context
 		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.([]string)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalNString2ᚕstringᚄ(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_ENFORCE_MULTI_FACTOR_AUTHENTICATION(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_FgaListObjectsResponse_objects(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "FgaListObjectsResponse",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_ROLES(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_ROLES(ctx, field)
+func (ec *executionContext) _FgaModel_id(ctx context.Context, field graphql.CollectedField, obj *model.FgaModel) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_FgaModel_id(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -10641,23 +9733,26 @@ func (ec *executionContext) _Env_ROLES(ctx context.Context, field graphql.Collec
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Roles, nil
+		return obj.ID, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.([]string)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalOString2ᚕstringᚄ(ctx, field.Selections, res)
+	return ec.marshalNString2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_ROLES(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_FgaModel_id(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "FgaModel",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -10668,8 +9763,8 @@ func (ec *executionContext) fieldContext_Env_ROLES(_ context.Context, field grap
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_PROTECTED_ROLES(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_PROTECTED_ROLES(ctx, field)
+func (ec *executionContext) _FgaModel_dsl(ctx context.Context, field graphql.CollectedField, obj *model.FgaModel) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_FgaModel_dsl(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -10682,23 +9777,26 @@ func (ec *executionContext) _Env_PROTECTED_ROLES(ctx context.Context, field grap
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.ProtectedRoles, nil
+		return obj.Dsl, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.([]string)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalOString2ᚕstringᚄ(ctx, field.Selections, res)
+	return ec.marshalNString2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_PROTECTED_ROLES(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_FgaModel_dsl(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "FgaModel",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -10709,8 +9807,8 @@ func (ec *executionContext) fieldContext_Env_PROTECTED_ROLES(_ context.Context,
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_DEFAULT_ROLES(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_DEFAULT_ROLES(ctx, field)
+func (ec *executionContext) _FgaTuple_user(ctx context.Context, field graphql.CollectedField, obj *model.FgaTuple) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_FgaTuple_user(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -10723,23 +9821,26 @@ func (ec *executionContext) _Env_DEFAULT_ROLES(ctx context.Context, field graphq
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.DefaultRoles, nil
+		return obj.User, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.([]string)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalOString2ᚕstringᚄ(ctx, field.Selections, res)
+	return ec.marshalNString2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_DEFAULT_ROLES(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_FgaTuple_user(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "FgaTuple",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -10750,8 +9851,8 @@ func (ec *executionContext) fieldContext_Env_DEFAULT_ROLES(_ context.Context, fi
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_JWT_ROLE_CLAIM(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_JWT_ROLE_CLAIM(ctx, field)
+func (ec *executionContext) _FgaTuple_relation(ctx context.Context, field graphql.CollectedField, obj *model.FgaTuple) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_FgaTuple_relation(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -10764,23 +9865,26 @@ func (ec *executionContext) _Env_JWT_ROLE_CLAIM(ctx context.Context, field graph
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.JwtRoleClaim, nil
+		return obj.Relation, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNString2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_JWT_ROLE_CLAIM(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_FgaTuple_relation(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "FgaTuple",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -10791,8 +9895,8 @@ func (ec *executionContext) fieldContext_Env_JWT_ROLE_CLAIM(_ context.Context, f
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_GOOGLE_CLIENT_ID(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_GOOGLE_CLIENT_ID(ctx, field)
+func (ec *executionContext) _FgaTuple_object(ctx context.Context, field graphql.CollectedField, obj *model.FgaTuple) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_FgaTuple_object(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -10805,23 +9909,26 @@ func (ec *executionContext) _Env_GOOGLE_CLIENT_ID(ctx context.Context, field gra
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.GoogleClientID, nil
+		return obj.Object, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNString2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_GOOGLE_CLIENT_ID(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_FgaTuple_object(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "FgaTuple",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -10832,8 +9939,8 @@ func (ec *executionContext) fieldContext_Env_GOOGLE_CLIENT_ID(_ context.Context,
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_GOOGLE_CLIENT_SECRET(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_GOOGLE_CLIENT_SECRET(ctx, field)
+func (ec *executionContext) _FgaTuples_tuples(ctx context.Context, field graphql.CollectedField, obj *model.FgaTuples) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_FgaTuples_tuples(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -10846,35 +9953,46 @@ func (ec *executionContext) _Env_GOOGLE_CLIENT_SECRET(ctx context.Context, field
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.GoogleClientSecret, nil
+		return obj.Tuples, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.([]*model.FgaTuple)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNFgaTuple2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaTupleᚄ(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_GOOGLE_CLIENT_SECRET(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_FgaTuples_tuples(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "FgaTuples",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			switch field.Name {
+			case "user":
+				return ec.fieldContext_FgaTuple_user(ctx, field)
+			case "relation":
+				return ec.fieldContext_FgaTuple_relation(ctx, field)
+			case "object":
+				return ec.fieldContext_FgaTuple_object(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type FgaTuple", field.Name)
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_GITHUB_CLIENT_ID(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_GITHUB_CLIENT_ID(ctx, field)
+func (ec *executionContext) _FgaTuples_continuation_token(ctx context.Context, field graphql.CollectedField, obj *model.FgaTuples) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_FgaTuples_continuation_token(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -10887,7 +10005,7 @@ func (ec *executionContext) _Env_GITHUB_CLIENT_ID(ctx context.Context, field gra
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.GithubClientID, nil
+		return obj.ContinuationToken, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -10901,9 +10019,9 @@ func (ec *executionContext) _Env_GITHUB_CLIENT_ID(ctx context.Context, field gra
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_GITHUB_CLIENT_ID(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_FgaTuples_continuation_token(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "FgaTuples",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -10914,8 +10032,8 @@ func (ec *executionContext) fieldContext_Env_GITHUB_CLIENT_ID(_ context.Context,
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_GITHUB_CLIENT_SECRET(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_GITHUB_CLIENT_SECRET(ctx, field)
+func (ec *executionContext) _ForgotPasswordResponse_message(ctx context.Context, field graphql.CollectedField, obj *model.ForgotPasswordResponse) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_ForgotPasswordResponse_message(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -10928,23 +10046,26 @@ func (ec *executionContext) _Env_GITHUB_CLIENT_SECRET(ctx context.Context, field
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.GithubClientSecret, nil
+		return obj.Message, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNString2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_GITHUB_CLIENT_SECRET(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_ForgotPasswordResponse_message(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "ForgotPasswordResponse",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -10955,8 +10076,8 @@ func (ec *executionContext) fieldContext_Env_GITHUB_CLIENT_SECRET(_ context.Cont
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_FACEBOOK_CLIENT_ID(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_FACEBOOK_CLIENT_ID(ctx, field)
+func (ec *executionContext) _ForgotPasswordResponse_should_show_mobile_otp_screen(ctx context.Context, field graphql.CollectedField, obj *model.ForgotPasswordResponse) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_ForgotPasswordResponse_should_show_mobile_otp_screen(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -10969,7 +10090,7 @@ func (ec *executionContext) _Env_FACEBOOK_CLIENT_ID(ctx context.Context, field g
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.FacebookClientID, nil
+		return obj.ShouldShowMobileOtpScreen, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -10978,26 +10099,26 @@ func (ec *executionContext) _Env_FACEBOOK_CLIENT_ID(ctx context.Context, field g
 	if resTmp == nil {
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(*bool)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalOBoolean2ᚖbool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_FACEBOOK_CLIENT_ID(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_ForgotPasswordResponse_should_show_mobile_otp_screen(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "ForgotPasswordResponse",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_FACEBOOK_CLIENT_SECRET(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_FACEBOOK_CLIENT_SECRET(ctx, field)
+func (ec *executionContext) _GenerateJWTKeysResponse_secret(ctx context.Context, field graphql.CollectedField, obj *model.GenerateJWTKeysResponse) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_GenerateJWTKeysResponse_secret(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -11010,7 +10131,7 @@ func (ec *executionContext) _Env_FACEBOOK_CLIENT_SECRET(ctx context.Context, fie
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.FacebookClientSecret, nil
+		return obj.Secret, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -11024,9 +10145,9 @@ func (ec *executionContext) _Env_FACEBOOK_CLIENT_SECRET(ctx context.Context, fie
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_FACEBOOK_CLIENT_SECRET(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_GenerateJWTKeysResponse_secret(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "GenerateJWTKeysResponse",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -11037,8 +10158,8 @@ func (ec *executionContext) fieldContext_Env_FACEBOOK_CLIENT_SECRET(_ context.Co
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_LINKEDIN_CLIENT_ID(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_LINKEDIN_CLIENT_ID(ctx, field)
+func (ec *executionContext) _GenerateJWTKeysResponse_public_key(ctx context.Context, field graphql.CollectedField, obj *model.GenerateJWTKeysResponse) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_GenerateJWTKeysResponse_public_key(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -11051,7 +10172,7 @@ func (ec *executionContext) _Env_LINKEDIN_CLIENT_ID(ctx context.Context, field g
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.LinkedinClientID, nil
+		return obj.PublicKey, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -11065,9 +10186,9 @@ func (ec *executionContext) _Env_LINKEDIN_CLIENT_ID(ctx context.Context, field g
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_LINKEDIN_CLIENT_ID(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_GenerateJWTKeysResponse_public_key(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "GenerateJWTKeysResponse",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -11078,8 +10199,8 @@ func (ec *executionContext) fieldContext_Env_LINKEDIN_CLIENT_ID(_ context.Contex
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_LINKEDIN_CLIENT_SECRET(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_LINKEDIN_CLIENT_SECRET(ctx, field)
+func (ec *executionContext) _GenerateJWTKeysResponse_private_key(ctx context.Context, field graphql.CollectedField, obj *model.GenerateJWTKeysResponse) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_GenerateJWTKeysResponse_private_key(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -11092,7 +10213,7 @@ func (ec *executionContext) _Env_LINKEDIN_CLIENT_SECRET(ctx context.Context, fie
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.LinkedinClientSecret, nil
+		return obj.PrivateKey, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -11106,9 +10227,9 @@ func (ec *executionContext) _Env_LINKEDIN_CLIENT_SECRET(ctx context.Context, fie
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_LINKEDIN_CLIENT_SECRET(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_GenerateJWTKeysResponse_private_key(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "GenerateJWTKeysResponse",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -11119,8 +10240,8 @@ func (ec *executionContext) fieldContext_Env_LINKEDIN_CLIENT_SECRET(_ context.Co
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_APPLE_CLIENT_ID(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_APPLE_CLIENT_ID(ctx, field)
+func (ec *executionContext) _InviteMembersResponse_message(ctx context.Context, field graphql.CollectedField, obj *model.InviteMembersResponse) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_InviteMembersResponse_message(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -11133,23 +10254,26 @@ func (ec *executionContext) _Env_APPLE_CLIENT_ID(ctx context.Context, field grap
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.AppleClientID, nil
+		return obj.Message, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNString2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_APPLE_CLIENT_ID(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_InviteMembersResponse_message(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "InviteMembersResponse",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -11160,8 +10284,8 @@ func (ec *executionContext) fieldContext_Env_APPLE_CLIENT_ID(_ context.Context,
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_APPLE_CLIENT_SECRET(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_APPLE_CLIENT_SECRET(ctx, field)
+func (ec *executionContext) _InviteMembersResponse_Users(ctx context.Context, field graphql.CollectedField, obj *model.InviteMembersResponse) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_InviteMembersResponse_Users(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -11174,35 +10298,80 @@ func (ec *executionContext) _Env_APPLE_CLIENT_SECRET(ctx context.Context, field
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.AppleClientSecret, nil
+		return obj.Users, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.([]*model.User)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNUser2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUserᚄ(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_APPLE_CLIENT_SECRET(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_InviteMembersResponse_Users(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "InviteMembersResponse",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			switch field.Name {
+			case "id":
+				return ec.fieldContext_User_id(ctx, field)
+			case "email":
+				return ec.fieldContext_User_email(ctx, field)
+			case "email_verified":
+				return ec.fieldContext_User_email_verified(ctx, field)
+			case "signup_methods":
+				return ec.fieldContext_User_signup_methods(ctx, field)
+			case "given_name":
+				return ec.fieldContext_User_given_name(ctx, field)
+			case "family_name":
+				return ec.fieldContext_User_family_name(ctx, field)
+			case "middle_name":
+				return ec.fieldContext_User_middle_name(ctx, field)
+			case "nickname":
+				return ec.fieldContext_User_nickname(ctx, field)
+			case "preferred_username":
+				return ec.fieldContext_User_preferred_username(ctx, field)
+			case "gender":
+				return ec.fieldContext_User_gender(ctx, field)
+			case "birthdate":
+				return ec.fieldContext_User_birthdate(ctx, field)
+			case "phone_number":
+				return ec.fieldContext_User_phone_number(ctx, field)
+			case "phone_number_verified":
+				return ec.fieldContext_User_phone_number_verified(ctx, field)
+			case "picture":
+				return ec.fieldContext_User_picture(ctx, field)
+			case "roles":
+				return ec.fieldContext_User_roles(ctx, field)
+			case "created_at":
+				return ec.fieldContext_User_created_at(ctx, field)
+			case "updated_at":
+				return ec.fieldContext_User_updated_at(ctx, field)
+			case "revoked_timestamp":
+				return ec.fieldContext_User_revoked_timestamp(ctx, field)
+			case "is_multi_factor_auth_enabled":
+				return ec.fieldContext_User_is_multi_factor_auth_enabled(ctx, field)
+			case "app_data":
+				return ec.fieldContext_User_app_data(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type User", field.Name)
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_DISCORD_CLIENT_ID(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_DISCORD_CLIENT_ID(ctx, field)
+func (ec *executionContext) _Meta_version(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Meta_version(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -11215,23 +10384,26 @@ func (ec *executionContext) _Env_DISCORD_CLIENT_ID(ctx context.Context, field gr
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.DiscordClientID, nil
+		return obj.Version, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNString2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_DISCORD_CLIENT_ID(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Meta_version(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "Meta",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -11242,8 +10414,8 @@ func (ec *executionContext) fieldContext_Env_DISCORD_CLIENT_ID(_ context.Context
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_DISCORD_CLIENT_SECRET(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_DISCORD_CLIENT_SECRET(ctx, field)
+func (ec *executionContext) _Meta_client_id(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Meta_client_id(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -11256,23 +10428,26 @@ func (ec *executionContext) _Env_DISCORD_CLIENT_SECRET(ctx context.Context, fiel
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.DiscordClientSecret, nil
+		return obj.ClientID, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNString2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_DISCORD_CLIENT_SECRET(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Meta_client_id(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "Meta",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -11283,8 +10458,8 @@ func (ec *executionContext) fieldContext_Env_DISCORD_CLIENT_SECRET(_ context.Con
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_TWITTER_CLIENT_ID(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_TWITTER_CLIENT_ID(ctx, field)
+func (ec *executionContext) _Meta_is_google_login_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Meta_is_google_login_enabled(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -11297,35 +10472,38 @@ func (ec *executionContext) _Env_TWITTER_CLIENT_ID(ctx context.Context, field gr
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.TwitterClientID, nil
+		return obj.IsGoogleLoginEnabled, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_TWITTER_CLIENT_ID(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Meta_is_google_login_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "Meta",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_TWITTER_CLIENT_SECRET(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_TWITTER_CLIENT_SECRET(ctx, field)
+func (ec *executionContext) _Meta_is_facebook_login_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Meta_is_facebook_login_enabled(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -11338,35 +10516,38 @@ func (ec *executionContext) _Env_TWITTER_CLIENT_SECRET(ctx context.Context, fiel
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.TwitterClientSecret, nil
+		return obj.IsFacebookLoginEnabled, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_TWITTER_CLIENT_SECRET(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Meta_is_facebook_login_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "Meta",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_MICROSOFT_CLIENT_ID(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_MICROSOFT_CLIENT_ID(ctx, field)
+func (ec *executionContext) _Meta_is_github_login_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Meta_is_github_login_enabled(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -11379,35 +10560,38 @@ func (ec *executionContext) _Env_MICROSOFT_CLIENT_ID(ctx context.Context, field
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.MicrosoftClientID, nil
+		return obj.IsGithubLoginEnabled, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_MICROSOFT_CLIENT_ID(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Meta_is_github_login_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "Meta",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_MICROSOFT_CLIENT_SECRET(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_MICROSOFT_CLIENT_SECRET(ctx, field)
+func (ec *executionContext) _Meta_is_linkedin_login_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Meta_is_linkedin_login_enabled(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -11420,35 +10604,38 @@ func (ec *executionContext) _Env_MICROSOFT_CLIENT_SECRET(ctx context.Context, fi
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.MicrosoftClientSecret, nil
+		return obj.IsLinkedinLoginEnabled, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_MICROSOFT_CLIENT_SECRET(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Meta_is_linkedin_login_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "Meta",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_MICROSOFT_ACTIVE_DIRECTORY_TENANT_ID(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_MICROSOFT_ACTIVE_DIRECTORY_TENANT_ID(ctx, field)
+func (ec *executionContext) _Meta_is_apple_login_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Meta_is_apple_login_enabled(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -11461,35 +10648,38 @@ func (ec *executionContext) _Env_MICROSOFT_ACTIVE_DIRECTORY_TENANT_ID(ctx contex
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.MicrosoftActiveDirectoryTenantID, nil
+		return obj.IsAppleLoginEnabled, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_MICROSOFT_ACTIVE_DIRECTORY_TENANT_ID(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Meta_is_apple_login_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "Meta",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_TWITCH_CLIENT_ID(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_TWITCH_CLIENT_ID(ctx, field)
+func (ec *executionContext) _Meta_is_discord_login_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Meta_is_discord_login_enabled(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -11502,35 +10692,38 @@ func (ec *executionContext) _Env_TWITCH_CLIENT_ID(ctx context.Context, field gra
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.TwitchClientID, nil
+		return obj.IsDiscordLoginEnabled, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_TWITCH_CLIENT_ID(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Meta_is_discord_login_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "Meta",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_TWITCH_CLIENT_SECRET(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_TWITCH_CLIENT_SECRET(ctx, field)
+func (ec *executionContext) _Meta_is_twitter_login_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Meta_is_twitter_login_enabled(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -11543,35 +10736,38 @@ func (ec *executionContext) _Env_TWITCH_CLIENT_SECRET(ctx context.Context, field
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.TwitchClientSecret, nil
+		return obj.IsTwitterLoginEnabled, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_TWITCH_CLIENT_SECRET(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Meta_is_twitter_login_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "Meta",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_ROBLOX_CLIENT_ID(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_ROBLOX_CLIENT_ID(ctx, field)
+func (ec *executionContext) _Meta_is_microsoft_login_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Meta_is_microsoft_login_enabled(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -11584,35 +10780,38 @@ func (ec *executionContext) _Env_ROBLOX_CLIENT_ID(ctx context.Context, field gra
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.RobloxClientID, nil
+		return obj.IsMicrosoftLoginEnabled, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_ROBLOX_CLIENT_ID(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Meta_is_microsoft_login_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "Meta",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_ROBLOX_CLIENT_SECRET(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_ROBLOX_CLIENT_SECRET(ctx, field)
+func (ec *executionContext) _Meta_is_twitch_login_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Meta_is_twitch_login_enabled(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -11625,35 +10824,38 @@ func (ec *executionContext) _Env_ROBLOX_CLIENT_SECRET(ctx context.Context, field
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.RobloxClientSecret, nil
+		return obj.IsTwitchLoginEnabled, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_ROBLOX_CLIENT_SECRET(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Meta_is_twitch_login_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "Meta",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_ORGANIZATION_NAME(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_ORGANIZATION_NAME(ctx, field)
+func (ec *executionContext) _Meta_is_roblox_login_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Meta_is_roblox_login_enabled(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -11666,35 +10868,38 @@ func (ec *executionContext) _Env_ORGANIZATION_NAME(ctx context.Context, field gr
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.OrganizationName, nil
+		return obj.IsRobloxLoginEnabled, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_ORGANIZATION_NAME(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Meta_is_roblox_login_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "Meta",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_ORGANIZATION_LOGO(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_ORGANIZATION_LOGO(ctx, field)
+func (ec *executionContext) _Meta_is_email_verification_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Meta_is_email_verification_enabled(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -11707,35 +10912,38 @@ func (ec *executionContext) _Env_ORGANIZATION_LOGO(ctx context.Context, field gr
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.OrganizationLogo, nil
+		return obj.IsEmailVerificationEnabled, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_ORGANIZATION_LOGO(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Meta_is_email_verification_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "Meta",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_APP_COOKIE_SECURE(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_APP_COOKIE_SECURE(ctx, field)
+func (ec *executionContext) _Meta_is_basic_authentication_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Meta_is_basic_authentication_enabled(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -11748,7 +10956,7 @@ func (ec *executionContext) _Env_APP_COOKIE_SECURE(ctx context.Context, field gr
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.AppCookieSecure, nil
+		return obj.IsBasicAuthenticationEnabled, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -11765,9 +10973,9 @@ func (ec *executionContext) _Env_APP_COOKIE_SECURE(ctx context.Context, field gr
 	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_APP_COOKIE_SECURE(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Meta_is_basic_authentication_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "Meta",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -11778,8 +10986,8 @@ func (ec *executionContext) fieldContext_Env_APP_COOKIE_SECURE(_ context.Context
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_ADMIN_COOKIE_SECURE(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_ADMIN_COOKIE_SECURE(ctx, field)
+func (ec *executionContext) _Meta_is_magic_link_login_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Meta_is_magic_link_login_enabled(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -11792,7 +11000,7 @@ func (ec *executionContext) _Env_ADMIN_COOKIE_SECURE(ctx context.Context, field
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.AdminCookieSecure, nil
+		return obj.IsMagicLinkLoginEnabled, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -11809,9 +11017,9 @@ func (ec *executionContext) _Env_ADMIN_COOKIE_SECURE(ctx context.Context, field
 	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_ADMIN_COOKIE_SECURE(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Meta_is_magic_link_login_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "Meta",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -11822,8 +11030,8 @@ func (ec *executionContext) fieldContext_Env_ADMIN_COOKIE_SECURE(_ context.Conte
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_DEFAULT_AUTHORIZE_RESPONSE_TYPE(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_DEFAULT_AUTHORIZE_RESPONSE_TYPE(ctx, field)
+func (ec *executionContext) _Meta_is_sign_up_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Meta_is_sign_up_enabled(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -11836,35 +11044,38 @@ func (ec *executionContext) _Env_DEFAULT_AUTHORIZE_RESPONSE_TYPE(ctx context.Con
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.DefaultAuthorizeResponseType, nil
+		return obj.IsSignUpEnabled, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_DEFAULT_AUTHORIZE_RESPONSE_TYPE(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Meta_is_sign_up_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "Meta",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_DEFAULT_AUTHORIZE_RESPONSE_MODE(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_DEFAULT_AUTHORIZE_RESPONSE_MODE(ctx, field)
+func (ec *executionContext) _Meta_is_strong_password_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Meta_is_strong_password_enabled(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -11877,35 +11088,38 @@ func (ec *executionContext) _Env_DEFAULT_AUTHORIZE_RESPONSE_MODE(ctx context.Con
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.DefaultAuthorizeResponseMode, nil
+		return obj.IsStrongPasswordEnabled, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_DEFAULT_AUTHORIZE_RESPONSE_MODE(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Meta_is_strong_password_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "Meta",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_DISABLE_PLAYGROUND(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_DISABLE_PLAYGROUND(ctx, field)
+func (ec *executionContext) _Meta_is_multi_factor_auth_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Meta_is_multi_factor_auth_enabled(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -11918,7 +11132,7 @@ func (ec *executionContext) _Env_DISABLE_PLAYGROUND(ctx context.Context, field g
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.DisablePlayground, nil
+		return obj.IsMultiFactorAuthEnabled, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -11935,9 +11149,9 @@ func (ec *executionContext) _Env_DISABLE_PLAYGROUND(ctx context.Context, field g
 	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_DISABLE_PLAYGROUND(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Meta_is_multi_factor_auth_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "Meta",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -11948,8 +11162,8 @@ func (ec *executionContext) fieldContext_Env_DISABLE_PLAYGROUND(_ context.Contex
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_DISABLE_MAIL_OTP_LOGIN(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_DISABLE_MAIL_OTP_LOGIN(ctx, field)
+func (ec *executionContext) _Meta_is_mobile_basic_authentication_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Meta_is_mobile_basic_authentication_enabled(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -11962,7 +11176,7 @@ func (ec *executionContext) _Env_DISABLE_MAIL_OTP_LOGIN(ctx context.Context, fie
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.DisableMailOtpLogin, nil
+		return obj.IsMobileBasicAuthenticationEnabled, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -11979,9 +11193,9 @@ func (ec *executionContext) _Env_DISABLE_MAIL_OTP_LOGIN(ctx context.Context, fie
 	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_DISABLE_MAIL_OTP_LOGIN(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Meta_is_mobile_basic_authentication_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "Meta",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -11992,8 +11206,8 @@ func (ec *executionContext) fieldContext_Env_DISABLE_MAIL_OTP_LOGIN(_ context.Co
 	return fc, nil
 }
 
-func (ec *executionContext) _Env_DISABLE_TOTP_LOGIN(ctx context.Context, field graphql.CollectedField, obj *model.Env) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Env_DISABLE_TOTP_LOGIN(ctx, field)
+func (ec *executionContext) _Meta_is_phone_verification_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Meta_is_phone_verification_enabled(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -12006,7 +11220,7 @@ func (ec *executionContext) _Env_DISABLE_TOTP_LOGIN(ctx context.Context, field g
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.DisableTotpLogin, nil
+		return obj.IsPhoneVerificationEnabled, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -12023,9 +11237,9 @@ func (ec *executionContext) _Env_DISABLE_TOTP_LOGIN(ctx context.Context, field g
 	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Env_DISABLE_TOTP_LOGIN(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Meta_is_phone_verification_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Env",
+		Object:     "Meta",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -12036,8 +11250,8 @@ func (ec *executionContext) fieldContext_Env_DISABLE_TOTP_LOGIN(_ context.Contex
 	return fc, nil
 }
 
-func (ec *executionContext) _Error_message(ctx context.Context, field graphql.CollectedField, obj *model.Error) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Error_message(ctx, field)
+func (ec *executionContext) _Mutation_signup(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation_signup(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -12050,7 +11264,7 @@ func (ec *executionContext) _Error_message(ctx context.Context, field graphql.Co
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Message, nil
+		return ec.resolvers.Mutation().Signup(rctx, fc.Args["params"].(model.SignUpRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -12062,26 +11276,63 @@ func (ec *executionContext) _Error_message(ctx context.Context, field graphql.Co
 		}
 		return graphql.Null
 	}
-	res := resTmp.(string)
+	res := resTmp.(*model.AuthResponse)
 	fc.Result = res
-	return ec.marshalNString2string(ctx, field.Selections, res)
+	return ec.marshalNAuthResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Error_message(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation_signup(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Error",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			switch field.Name {
+			case "message":
+				return ec.fieldContext_AuthResponse_message(ctx, field)
+			case "should_show_email_otp_screen":
+				return ec.fieldContext_AuthResponse_should_show_email_otp_screen(ctx, field)
+			case "should_show_mobile_otp_screen":
+				return ec.fieldContext_AuthResponse_should_show_mobile_otp_screen(ctx, field)
+			case "should_show_totp_screen":
+				return ec.fieldContext_AuthResponse_should_show_totp_screen(ctx, field)
+			case "access_token":
+				return ec.fieldContext_AuthResponse_access_token(ctx, field)
+			case "id_token":
+				return ec.fieldContext_AuthResponse_id_token(ctx, field)
+			case "refresh_token":
+				return ec.fieldContext_AuthResponse_refresh_token(ctx, field)
+			case "expires_in":
+				return ec.fieldContext_AuthResponse_expires_in(ctx, field)
+			case "user":
+				return ec.fieldContext_AuthResponse_user(ctx, field)
+			case "authenticator_scanner_image":
+				return ec.fieldContext_AuthResponse_authenticator_scanner_image(ctx, field)
+			case "authenticator_secret":
+				return ec.fieldContext_AuthResponse_authenticator_secret(ctx, field)
+			case "authenticator_recovery_codes":
+				return ec.fieldContext_AuthResponse_authenticator_recovery_codes(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type AuthResponse", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Mutation_signup_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Error_reason(ctx context.Context, field graphql.CollectedField, obj *model.Error) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Error_reason(ctx, field)
+func (ec *executionContext) _Mutation_mobile_signup(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation_mobile_signup(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -12094,7 +11345,7 @@ func (ec *executionContext) _Error_reason(ctx context.Context, field graphql.Col
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Reason, nil
+		return ec.resolvers.Mutation().MobileSignup(rctx, fc.Args["params"].(*model.MobileSignUpRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -12106,26 +11357,63 @@ func (ec *executionContext) _Error_reason(ctx context.Context, field graphql.Col
 		}
 		return graphql.Null
 	}
-	res := resTmp.(string)
+	res := resTmp.(*model.AuthResponse)
 	fc.Result = res
-	return ec.marshalNString2string(ctx, field.Selections, res)
+	return ec.marshalNAuthResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Error_reason(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation_mobile_signup(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Error",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			switch field.Name {
+			case "message":
+				return ec.fieldContext_AuthResponse_message(ctx, field)
+			case "should_show_email_otp_screen":
+				return ec.fieldContext_AuthResponse_should_show_email_otp_screen(ctx, field)
+			case "should_show_mobile_otp_screen":
+				return ec.fieldContext_AuthResponse_should_show_mobile_otp_screen(ctx, field)
+			case "should_show_totp_screen":
+				return ec.fieldContext_AuthResponse_should_show_totp_screen(ctx, field)
+			case "access_token":
+				return ec.fieldContext_AuthResponse_access_token(ctx, field)
+			case "id_token":
+				return ec.fieldContext_AuthResponse_id_token(ctx, field)
+			case "refresh_token":
+				return ec.fieldContext_AuthResponse_refresh_token(ctx, field)
+			case "expires_in":
+				return ec.fieldContext_AuthResponse_expires_in(ctx, field)
+			case "user":
+				return ec.fieldContext_AuthResponse_user(ctx, field)
+			case "authenticator_scanner_image":
+				return ec.fieldContext_AuthResponse_authenticator_scanner_image(ctx, field)
+			case "authenticator_secret":
+				return ec.fieldContext_AuthResponse_authenticator_secret(ctx, field)
+			case "authenticator_recovery_codes":
+				return ec.fieldContext_AuthResponse_authenticator_recovery_codes(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type AuthResponse", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Mutation_mobile_signup_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _ForgotPasswordResponse_message(ctx context.Context, field graphql.CollectedField, obj *model.ForgotPasswordResponse) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_ForgotPasswordResponse_message(ctx, field)
+func (ec *executionContext) _Mutation_login(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation_login(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -12138,7 +11426,7 @@ func (ec *executionContext) _ForgotPasswordResponse_message(ctx context.Context,
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Message, nil
+		return ec.resolvers.Mutation().Login(rctx, fc.Args["params"].(model.LoginRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -12150,26 +11438,63 @@ func (ec *executionContext) _ForgotPasswordResponse_message(ctx context.Context,
 		}
 		return graphql.Null
 	}
-	res := resTmp.(string)
+	res := resTmp.(*model.AuthResponse)
 	fc.Result = res
-	return ec.marshalNString2string(ctx, field.Selections, res)
+	return ec.marshalNAuthResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_ForgotPasswordResponse_message(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation_login(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "ForgotPasswordResponse",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			switch field.Name {
+			case "message":
+				return ec.fieldContext_AuthResponse_message(ctx, field)
+			case "should_show_email_otp_screen":
+				return ec.fieldContext_AuthResponse_should_show_email_otp_screen(ctx, field)
+			case "should_show_mobile_otp_screen":
+				return ec.fieldContext_AuthResponse_should_show_mobile_otp_screen(ctx, field)
+			case "should_show_totp_screen":
+				return ec.fieldContext_AuthResponse_should_show_totp_screen(ctx, field)
+			case "access_token":
+				return ec.fieldContext_AuthResponse_access_token(ctx, field)
+			case "id_token":
+				return ec.fieldContext_AuthResponse_id_token(ctx, field)
+			case "refresh_token":
+				return ec.fieldContext_AuthResponse_refresh_token(ctx, field)
+			case "expires_in":
+				return ec.fieldContext_AuthResponse_expires_in(ctx, field)
+			case "user":
+				return ec.fieldContext_AuthResponse_user(ctx, field)
+			case "authenticator_scanner_image":
+				return ec.fieldContext_AuthResponse_authenticator_scanner_image(ctx, field)
+			case "authenticator_secret":
+				return ec.fieldContext_AuthResponse_authenticator_secret(ctx, field)
+			case "authenticator_recovery_codes":
+				return ec.fieldContext_AuthResponse_authenticator_recovery_codes(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type AuthResponse", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Mutation_login_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _ForgotPasswordResponse_should_show_mobile_otp_screen(ctx context.Context, field graphql.CollectedField, obj *model.ForgotPasswordResponse) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_ForgotPasswordResponse_should_show_mobile_otp_screen(ctx, field)
+func (ec *executionContext) _Mutation_mobile_login(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation_mobile_login(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -12182,35 +11507,75 @@ func (ec *executionContext) _ForgotPasswordResponse_should_show_mobile_otp_scree
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.ShouldShowMobileOtpScreen, nil
+		return ec.resolvers.Mutation().MobileLogin(rctx, fc.Args["params"].(model.MobileLoginRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*bool)
+	res := resTmp.(*model.AuthResponse)
 	fc.Result = res
-	return ec.marshalOBoolean2ᚖbool(ctx, field.Selections, res)
+	return ec.marshalNAuthResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_ForgotPasswordResponse_should_show_mobile_otp_screen(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation_mobile_login(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "ForgotPasswordResponse",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			switch field.Name {
+			case "message":
+				return ec.fieldContext_AuthResponse_message(ctx, field)
+			case "should_show_email_otp_screen":
+				return ec.fieldContext_AuthResponse_should_show_email_otp_screen(ctx, field)
+			case "should_show_mobile_otp_screen":
+				return ec.fieldContext_AuthResponse_should_show_mobile_otp_screen(ctx, field)
+			case "should_show_totp_screen":
+				return ec.fieldContext_AuthResponse_should_show_totp_screen(ctx, field)
+			case "access_token":
+				return ec.fieldContext_AuthResponse_access_token(ctx, field)
+			case "id_token":
+				return ec.fieldContext_AuthResponse_id_token(ctx, field)
+			case "refresh_token":
+				return ec.fieldContext_AuthResponse_refresh_token(ctx, field)
+			case "expires_in":
+				return ec.fieldContext_AuthResponse_expires_in(ctx, field)
+			case "user":
+				return ec.fieldContext_AuthResponse_user(ctx, field)
+			case "authenticator_scanner_image":
+				return ec.fieldContext_AuthResponse_authenticator_scanner_image(ctx, field)
+			case "authenticator_secret":
+				return ec.fieldContext_AuthResponse_authenticator_secret(ctx, field)
+			case "authenticator_recovery_codes":
+				return ec.fieldContext_AuthResponse_authenticator_recovery_codes(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type AuthResponse", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Mutation_mobile_login_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _GenerateJWTKeysResponse_secret(ctx context.Context, field graphql.CollectedField, obj *model.GenerateJWTKeysResponse) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_GenerateJWTKeysResponse_secret(ctx, field)
+func (ec *executionContext) _Mutation_magic_link_login(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation_magic_link_login(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -12223,35 +11588,53 @@ func (ec *executionContext) _GenerateJWTKeysResponse_secret(ctx context.Context,
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Secret, nil
+		return ec.resolvers.Mutation().MagicLinkLogin(rctx, fc.Args["params"].(model.MagicLinkLoginRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(*model.Response)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_GenerateJWTKeysResponse_secret(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation_magic_link_login(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "GenerateJWTKeysResponse",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			switch field.Name {
+			case "message":
+				return ec.fieldContext_Response_message(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Mutation_magic_link_login_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _GenerateJWTKeysResponse_public_key(ctx context.Context, field graphql.CollectedField, obj *model.GenerateJWTKeysResponse) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_GenerateJWTKeysResponse_public_key(ctx, field)
+func (ec *executionContext) _Mutation_logout(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation_logout(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -12264,35 +11647,42 @@ func (ec *executionContext) _GenerateJWTKeysResponse_public_key(ctx context.Cont
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.PublicKey, nil
+		return ec.resolvers.Mutation().Logout(rctx)
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(*model.Response)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_GenerateJWTKeysResponse_public_key(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation_logout(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "GenerateJWTKeysResponse",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			switch field.Name {
+			case "message":
+				return ec.fieldContext_Response_message(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _GenerateJWTKeysResponse_private_key(ctx context.Context, field graphql.CollectedField, obj *model.GenerateJWTKeysResponse) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_GenerateJWTKeysResponse_private_key(ctx, field)
+func (ec *executionContext) _Mutation_update_profile(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation_update_profile(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -12305,79 +11695,53 @@ func (ec *executionContext) _GenerateJWTKeysResponse_private_key(ctx context.Con
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.PrivateKey, nil
+		return ec.resolvers.Mutation().UpdateProfile(rctx, fc.Args["params"].(model.UpdateProfileRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(*model.Response)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_GenerateJWTKeysResponse_private_key(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation_update_profile(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "GenerateJWTKeysResponse",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
-		},
-	}
-	return fc, nil
-}
-
-func (ec *executionContext) _InviteMembersResponse_message(ctx context.Context, field graphql.CollectedField, obj *model.InviteMembersResponse) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_InviteMembersResponse_message(ctx, field)
-	if err != nil {
-		return graphql.Null
+			switch field.Name {
+			case "message":
+				return ec.fieldContext_Response_message(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
+		},
 	}
-	ctx = graphql.WithFieldContext(ctx, fc)
 	defer func() {
 		if r := recover(); r != nil {
-			ec.Error(ctx, ec.Recover(ctx, r))
-			ret = graphql.Null
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
 		}
 	}()
-	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
-		ctx = rctx // use context from middleware stack in children
-		return obj.Message, nil
-	})
-	if err != nil {
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Mutation_update_profile_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
 		ec.Error(ctx, err)
-		return graphql.Null
-	}
-	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
-		return graphql.Null
-	}
-	res := resTmp.(string)
-	fc.Result = res
-	return ec.marshalNString2string(ctx, field.Selections, res)
-}
-
-func (ec *executionContext) fieldContext_InviteMembersResponse_message(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
-	fc = &graphql.FieldContext{
-		Object:     "InviteMembersResponse",
-		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
-		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
-		},
+		return fc, err
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _InviteMembersResponse_Users(ctx context.Context, field graphql.CollectedField, obj *model.InviteMembersResponse) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_InviteMembersResponse_Users(ctx, field)
+func (ec *executionContext) _Mutation_verify_email(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation_verify_email(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -12390,7 +11754,7 @@ func (ec *executionContext) _InviteMembersResponse_Users(ctx context.Context, fi
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Users, nil
+		return ec.resolvers.Mutation().VerifyEmail(rctx, fc.Args["params"].(model.VerifyEmailRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -12402,68 +11766,63 @@ func (ec *executionContext) _InviteMembersResponse_Users(ctx context.Context, fi
 		}
 		return graphql.Null
 	}
-	res := resTmp.([]*model.User)
+	res := resTmp.(*model.AuthResponse)
 	fc.Result = res
-	return ec.marshalNUser2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUserᚄ(ctx, field.Selections, res)
+	return ec.marshalNAuthResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_InviteMembersResponse_Users(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation_verify_email(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "InviteMembersResponse",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			switch field.Name {
-			case "id":
-				return ec.fieldContext_User_id(ctx, field)
-			case "email":
-				return ec.fieldContext_User_email(ctx, field)
-			case "email_verified":
-				return ec.fieldContext_User_email_verified(ctx, field)
-			case "signup_methods":
-				return ec.fieldContext_User_signup_methods(ctx, field)
-			case "given_name":
-				return ec.fieldContext_User_given_name(ctx, field)
-			case "family_name":
-				return ec.fieldContext_User_family_name(ctx, field)
-			case "middle_name":
-				return ec.fieldContext_User_middle_name(ctx, field)
-			case "nickname":
-				return ec.fieldContext_User_nickname(ctx, field)
-			case "preferred_username":
-				return ec.fieldContext_User_preferred_username(ctx, field)
-			case "gender":
-				return ec.fieldContext_User_gender(ctx, field)
-			case "birthdate":
-				return ec.fieldContext_User_birthdate(ctx, field)
-			case "phone_number":
-				return ec.fieldContext_User_phone_number(ctx, field)
-			case "phone_number_verified":
-				return ec.fieldContext_User_phone_number_verified(ctx, field)
-			case "picture":
-				return ec.fieldContext_User_picture(ctx, field)
-			case "roles":
-				return ec.fieldContext_User_roles(ctx, field)
-			case "created_at":
-				return ec.fieldContext_User_created_at(ctx, field)
-			case "updated_at":
-				return ec.fieldContext_User_updated_at(ctx, field)
-			case "revoked_timestamp":
-				return ec.fieldContext_User_revoked_timestamp(ctx, field)
-			case "is_multi_factor_auth_enabled":
-				return ec.fieldContext_User_is_multi_factor_auth_enabled(ctx, field)
-			case "app_data":
-				return ec.fieldContext_User_app_data(ctx, field)
+			case "message":
+				return ec.fieldContext_AuthResponse_message(ctx, field)
+			case "should_show_email_otp_screen":
+				return ec.fieldContext_AuthResponse_should_show_email_otp_screen(ctx, field)
+			case "should_show_mobile_otp_screen":
+				return ec.fieldContext_AuthResponse_should_show_mobile_otp_screen(ctx, field)
+			case "should_show_totp_screen":
+				return ec.fieldContext_AuthResponse_should_show_totp_screen(ctx, field)
+			case "access_token":
+				return ec.fieldContext_AuthResponse_access_token(ctx, field)
+			case "id_token":
+				return ec.fieldContext_AuthResponse_id_token(ctx, field)
+			case "refresh_token":
+				return ec.fieldContext_AuthResponse_refresh_token(ctx, field)
+			case "expires_in":
+				return ec.fieldContext_AuthResponse_expires_in(ctx, field)
+			case "user":
+				return ec.fieldContext_AuthResponse_user(ctx, field)
+			case "authenticator_scanner_image":
+				return ec.fieldContext_AuthResponse_authenticator_scanner_image(ctx, field)
+			case "authenticator_secret":
+				return ec.fieldContext_AuthResponse_authenticator_secret(ctx, field)
+			case "authenticator_recovery_codes":
+				return ec.fieldContext_AuthResponse_authenticator_recovery_codes(ctx, field)
 			}
-			return nil, fmt.Errorf("no field named %q was found under type User", field.Name)
+			return nil, fmt.Errorf("no field named %q was found under type AuthResponse", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Mutation_verify_email_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Meta_version(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Meta_version(ctx, field)
+func (ec *executionContext) _Mutation_resend_verify_email(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation_resend_verify_email(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -12476,7 +11835,7 @@ func (ec *executionContext) _Meta_version(ctx context.Context, field graphql.Col
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Version, nil
+		return ec.resolvers.Mutation().ResendVerifyEmail(rctx, fc.Args["params"].(model.ResendVerifyEmailRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -12488,26 +11847,41 @@ func (ec *executionContext) _Meta_version(ctx context.Context, field graphql.Col
 		}
 		return graphql.Null
 	}
-	res := resTmp.(string)
+	res := resTmp.(*model.Response)
 	fc.Result = res
-	return ec.marshalNString2string(ctx, field.Selections, res)
+	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Meta_version(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation_resend_verify_email(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Meta",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			switch field.Name {
+			case "message":
+				return ec.fieldContext_Response_message(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Mutation_resend_verify_email_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Meta_client_id(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Meta_client_id(ctx, field)
+func (ec *executionContext) _Mutation_forgot_password(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation_forgot_password(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -12520,7 +11894,7 @@ func (ec *executionContext) _Meta_client_id(ctx context.Context, field graphql.C
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.ClientID, nil
+		return ec.resolvers.Mutation().ForgotPassword(rctx, fc.Args["params"].(model.ForgotPasswordRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -12532,26 +11906,43 @@ func (ec *executionContext) _Meta_client_id(ctx context.Context, field graphql.C
 		}
 		return graphql.Null
 	}
-	res := resTmp.(string)
+	res := resTmp.(*model.ForgotPasswordResponse)
 	fc.Result = res
-	return ec.marshalNString2string(ctx, field.Selections, res)
+	return ec.marshalNForgotPasswordResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐForgotPasswordResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Meta_client_id(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation_forgot_password(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Meta",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			switch field.Name {
+			case "message":
+				return ec.fieldContext_ForgotPasswordResponse_message(ctx, field)
+			case "should_show_mobile_otp_screen":
+				return ec.fieldContext_ForgotPasswordResponse_should_show_mobile_otp_screen(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type ForgotPasswordResponse", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Mutation_forgot_password_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Meta_is_google_login_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Meta_is_google_login_enabled(ctx, field)
+func (ec *executionContext) _Mutation_reset_password(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation_reset_password(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -12564,7 +11955,7 @@ func (ec *executionContext) _Meta_is_google_login_enabled(ctx context.Context, f
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.IsGoogleLoginEnabled, nil
+		return ec.resolvers.Mutation().ResetPassword(rctx, fc.Args["params"].(model.ResetPasswordRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -12576,26 +11967,41 @@ func (ec *executionContext) _Meta_is_google_login_enabled(ctx context.Context, f
 		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.(*model.Response)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Meta_is_google_login_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation_reset_password(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Meta",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			switch field.Name {
+			case "message":
+				return ec.fieldContext_Response_message(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Mutation_reset_password_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Meta_is_facebook_login_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Meta_is_facebook_login_enabled(ctx, field)
+func (ec *executionContext) _Mutation_revoke(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation_revoke(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -12608,7 +12014,7 @@ func (ec *executionContext) _Meta_is_facebook_login_enabled(ctx context.Context,
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.IsFacebookLoginEnabled, nil
+		return ec.resolvers.Mutation().Revoke(rctx, fc.Args["params"].(model.OAuthRevokeRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -12620,26 +12026,41 @@ func (ec *executionContext) _Meta_is_facebook_login_enabled(ctx context.Context,
 		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.(*model.Response)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Meta_is_facebook_login_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation_revoke(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Meta",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			switch field.Name {
+			case "message":
+				return ec.fieldContext_Response_message(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Mutation_revoke_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Meta_is_github_login_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Meta_is_github_login_enabled(ctx, field)
+func (ec *executionContext) _Mutation_verify_otp(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation_verify_otp(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -12652,7 +12073,7 @@ func (ec *executionContext) _Meta_is_github_login_enabled(ctx context.Context, f
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.IsGithubLoginEnabled, nil
+		return ec.resolvers.Mutation().VerifyOtp(rctx, fc.Args["params"].(model.VerifyOTPRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -12664,26 +12085,63 @@ func (ec *executionContext) _Meta_is_github_login_enabled(ctx context.Context, f
 		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.(*model.AuthResponse)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalNAuthResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Meta_is_github_login_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation_verify_otp(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Meta",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			switch field.Name {
+			case "message":
+				return ec.fieldContext_AuthResponse_message(ctx, field)
+			case "should_show_email_otp_screen":
+				return ec.fieldContext_AuthResponse_should_show_email_otp_screen(ctx, field)
+			case "should_show_mobile_otp_screen":
+				return ec.fieldContext_AuthResponse_should_show_mobile_otp_screen(ctx, field)
+			case "should_show_totp_screen":
+				return ec.fieldContext_AuthResponse_should_show_totp_screen(ctx, field)
+			case "access_token":
+				return ec.fieldContext_AuthResponse_access_token(ctx, field)
+			case "id_token":
+				return ec.fieldContext_AuthResponse_id_token(ctx, field)
+			case "refresh_token":
+				return ec.fieldContext_AuthResponse_refresh_token(ctx, field)
+			case "expires_in":
+				return ec.fieldContext_AuthResponse_expires_in(ctx, field)
+			case "user":
+				return ec.fieldContext_AuthResponse_user(ctx, field)
+			case "authenticator_scanner_image":
+				return ec.fieldContext_AuthResponse_authenticator_scanner_image(ctx, field)
+			case "authenticator_secret":
+				return ec.fieldContext_AuthResponse_authenticator_secret(ctx, field)
+			case "authenticator_recovery_codes":
+				return ec.fieldContext_AuthResponse_authenticator_recovery_codes(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type AuthResponse", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Mutation_verify_otp_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Meta_is_linkedin_login_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Meta_is_linkedin_login_enabled(ctx, field)
+func (ec *executionContext) _Mutation_resend_otp(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation_resend_otp(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -12696,7 +12154,7 @@ func (ec *executionContext) _Meta_is_linkedin_login_enabled(ctx context.Context,
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.IsLinkedinLoginEnabled, nil
+		return ec.resolvers.Mutation().ResendOtp(rctx, fc.Args["params"].(model.ResendOTPRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -12708,26 +12166,41 @@ func (ec *executionContext) _Meta_is_linkedin_login_enabled(ctx context.Context,
 		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.(*model.Response)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Meta_is_linkedin_login_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation_resend_otp(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Meta",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			switch field.Name {
+			case "message":
+				return ec.fieldContext_Response_message(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Mutation_resend_otp_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Meta_is_apple_login_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Meta_is_apple_login_enabled(ctx, field)
+func (ec *executionContext) _Mutation_deactivate_account(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation_deactivate_account(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -12740,7 +12213,7 @@ func (ec *executionContext) _Meta_is_apple_login_enabled(ctx context.Context, fi
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.IsAppleLoginEnabled, nil
+		return ec.resolvers.Mutation().DeactivateAccount(rctx)
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -12752,26 +12225,30 @@ func (ec *executionContext) _Meta_is_apple_login_enabled(ctx context.Context, fi
 		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.(*model.Response)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Meta_is_apple_login_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation_deactivate_account(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Meta",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			switch field.Name {
+			case "message":
+				return ec.fieldContext_Response_message(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Meta_is_discord_login_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Meta_is_discord_login_enabled(ctx, field)
+func (ec *executionContext) _Mutation__delete_user(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation__delete_user(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -12784,7 +12261,7 @@ func (ec *executionContext) _Meta_is_discord_login_enabled(ctx context.Context,
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.IsDiscordLoginEnabled, nil
+		return ec.resolvers.Mutation().DeleteUser(rctx, fc.Args["params"].(model.DeleteUserRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -12796,26 +12273,41 @@ func (ec *executionContext) _Meta_is_discord_login_enabled(ctx context.Context,
 		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.(*model.Response)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Meta_is_discord_login_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation__delete_user(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Meta",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			switch field.Name {
+			case "message":
+				return ec.fieldContext_Response_message(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Mutation__delete_user_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Meta_is_twitter_login_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Meta_is_twitter_login_enabled(ctx, field)
+func (ec *executionContext) _Mutation__update_user(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation__update_user(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -12828,7 +12320,7 @@ func (ec *executionContext) _Meta_is_twitter_login_enabled(ctx context.Context,
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.IsTwitterLoginEnabled, nil
+		return ec.resolvers.Mutation().UpdateUser(rctx, fc.Args["params"].(model.UpdateUserRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -12840,26 +12332,79 @@ func (ec *executionContext) _Meta_is_twitter_login_enabled(ctx context.Context,
 		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.(*model.User)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalNUser2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUser(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Meta_is_twitter_login_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation__update_user(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Meta",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			switch field.Name {
+			case "id":
+				return ec.fieldContext_User_id(ctx, field)
+			case "email":
+				return ec.fieldContext_User_email(ctx, field)
+			case "email_verified":
+				return ec.fieldContext_User_email_verified(ctx, field)
+			case "signup_methods":
+				return ec.fieldContext_User_signup_methods(ctx, field)
+			case "given_name":
+				return ec.fieldContext_User_given_name(ctx, field)
+			case "family_name":
+				return ec.fieldContext_User_family_name(ctx, field)
+			case "middle_name":
+				return ec.fieldContext_User_middle_name(ctx, field)
+			case "nickname":
+				return ec.fieldContext_User_nickname(ctx, field)
+			case "preferred_username":
+				return ec.fieldContext_User_preferred_username(ctx, field)
+			case "gender":
+				return ec.fieldContext_User_gender(ctx, field)
+			case "birthdate":
+				return ec.fieldContext_User_birthdate(ctx, field)
+			case "phone_number":
+				return ec.fieldContext_User_phone_number(ctx, field)
+			case "phone_number_verified":
+				return ec.fieldContext_User_phone_number_verified(ctx, field)
+			case "picture":
+				return ec.fieldContext_User_picture(ctx, field)
+			case "roles":
+				return ec.fieldContext_User_roles(ctx, field)
+			case "created_at":
+				return ec.fieldContext_User_created_at(ctx, field)
+			case "updated_at":
+				return ec.fieldContext_User_updated_at(ctx, field)
+			case "revoked_timestamp":
+				return ec.fieldContext_User_revoked_timestamp(ctx, field)
+			case "is_multi_factor_auth_enabled":
+				return ec.fieldContext_User_is_multi_factor_auth_enabled(ctx, field)
+			case "app_data":
+				return ec.fieldContext_User_app_data(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type User", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Mutation__update_user_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Meta_is_microsoft_login_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Meta_is_microsoft_login_enabled(ctx, field)
+func (ec *executionContext) _Mutation__admin_signup(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation__admin_signup(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -12872,7 +12417,7 @@ func (ec *executionContext) _Meta_is_microsoft_login_enabled(ctx context.Context
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.IsMicrosoftLoginEnabled, nil
+		return ec.resolvers.Mutation().AdminSignup(rctx, fc.Args["params"].(model.AdminSignupRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -12884,26 +12429,41 @@ func (ec *executionContext) _Meta_is_microsoft_login_enabled(ctx context.Context
 		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.(*model.Response)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Meta_is_microsoft_login_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation__admin_signup(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Meta",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			switch field.Name {
+			case "message":
+				return ec.fieldContext_Response_message(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Mutation__admin_signup_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Meta_is_twitch_login_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Meta_is_twitch_login_enabled(ctx, field)
+func (ec *executionContext) _Mutation__admin_login(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation__admin_login(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -12916,7 +12476,7 @@ func (ec *executionContext) _Meta_is_twitch_login_enabled(ctx context.Context, f
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.IsTwitchLoginEnabled, nil
+		return ec.resolvers.Mutation().AdminLogin(rctx, fc.Args["params"].(model.AdminLoginRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -12928,26 +12488,41 @@ func (ec *executionContext) _Meta_is_twitch_login_enabled(ctx context.Context, f
 		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.(*model.Response)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Meta_is_twitch_login_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation__admin_login(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Meta",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			switch field.Name {
+			case "message":
+				return ec.fieldContext_Response_message(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Mutation__admin_login_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Meta_is_roblox_login_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Meta_is_roblox_login_enabled(ctx, field)
+func (ec *executionContext) _Mutation__admin_logout(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation__admin_logout(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -12960,7 +12535,7 @@ func (ec *executionContext) _Meta_is_roblox_login_enabled(ctx context.Context, f
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.IsRobloxLoginEnabled, nil
+		return ec.resolvers.Mutation().AdminLogout(rctx)
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -12972,26 +12547,30 @@ func (ec *executionContext) _Meta_is_roblox_login_enabled(ctx context.Context, f
 		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.(*model.Response)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Meta_is_roblox_login_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation__admin_logout(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Meta",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			switch field.Name {
+			case "message":
+				return ec.fieldContext_Response_message(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Meta_is_email_verification_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Meta_is_email_verification_enabled(ctx, field)
+func (ec *executionContext) _Mutation__update_env(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation__update_env(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -13004,7 +12583,7 @@ func (ec *executionContext) _Meta_is_email_verification_enabled(ctx context.Cont
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.IsEmailVerificationEnabled, nil
+		return ec.resolvers.Mutation().UpdateEnv(rctx, fc.Args["params"].(model.UpdateEnvRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -13016,26 +12595,41 @@ func (ec *executionContext) _Meta_is_email_verification_enabled(ctx context.Cont
 		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.(*model.Response)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Meta_is_email_verification_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation__update_env(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Meta",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			switch field.Name {
+			case "message":
+				return ec.fieldContext_Response_message(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Mutation__update_env_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Meta_is_basic_authentication_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Meta_is_basic_authentication_enabled(ctx, field)
+func (ec *executionContext) _Mutation__invite_members(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation__invite_members(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -13048,7 +12642,7 @@ func (ec *executionContext) _Meta_is_basic_authentication_enabled(ctx context.Co
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.IsBasicAuthenticationEnabled, nil
+		return ec.resolvers.Mutation().InviteMembers(rctx, fc.Args["params"].(model.InviteMemberRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -13060,26 +12654,43 @@ func (ec *executionContext) _Meta_is_basic_authentication_enabled(ctx context.Co
 		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.(*model.InviteMembersResponse)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalNInviteMembersResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐInviteMembersResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Meta_is_basic_authentication_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation__invite_members(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Meta",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			switch field.Name {
+			case "message":
+				return ec.fieldContext_InviteMembersResponse_message(ctx, field)
+			case "Users":
+				return ec.fieldContext_InviteMembersResponse_Users(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type InviteMembersResponse", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Mutation__invite_members_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Meta_is_magic_link_login_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Meta_is_magic_link_login_enabled(ctx, field)
+func (ec *executionContext) _Mutation__revoke_access(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation__revoke_access(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -13092,7 +12703,7 @@ func (ec *executionContext) _Meta_is_magic_link_login_enabled(ctx context.Contex
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.IsMagicLinkLoginEnabled, nil
+		return ec.resolvers.Mutation().RevokeAccess(rctx, fc.Args["param"].(model.UpdateAccessRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -13104,26 +12715,41 @@ func (ec *executionContext) _Meta_is_magic_link_login_enabled(ctx context.Contex
 		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.(*model.Response)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Meta_is_magic_link_login_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation__revoke_access(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Meta",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			switch field.Name {
+			case "message":
+				return ec.fieldContext_Response_message(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Mutation__revoke_access_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Meta_is_sign_up_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Meta_is_sign_up_enabled(ctx, field)
+func (ec *executionContext) _Mutation__enable_access(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation__enable_access(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -13136,7 +12762,7 @@ func (ec *executionContext) _Meta_is_sign_up_enabled(ctx context.Context, field
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.IsSignUpEnabled, nil
+		return ec.resolvers.Mutation().EnableAccess(rctx, fc.Args["param"].(model.UpdateAccessRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -13148,26 +12774,41 @@ func (ec *executionContext) _Meta_is_sign_up_enabled(ctx context.Context, field
 		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.(*model.Response)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Meta_is_sign_up_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation__enable_access(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Meta",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			switch field.Name {
+			case "message":
+				return ec.fieldContext_Response_message(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Mutation__enable_access_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Meta_is_strong_password_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Meta_is_strong_password_enabled(ctx, field)
+func (ec *executionContext) _Mutation__generate_jwt_keys(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation__generate_jwt_keys(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -13180,7 +12821,7 @@ func (ec *executionContext) _Meta_is_strong_password_enabled(ctx context.Context
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.IsStrongPasswordEnabled, nil
+		return ec.resolvers.Mutation().GenerateJwtKeys(rctx, fc.Args["params"].(model.GenerateJWTKeysRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -13192,70 +12833,45 @@ func (ec *executionContext) _Meta_is_strong_password_enabled(ctx context.Context
 		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.(*model.GenerateJWTKeysResponse)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalNGenerateJWTKeysResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐGenerateJWTKeysResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Meta_is_strong_password_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation__generate_jwt_keys(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Meta",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
-		},
-	}
-	return fc, nil
-}
-
-func (ec *executionContext) _Meta_is_multi_factor_auth_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Meta_is_multi_factor_auth_enabled(ctx, field)
-	if err != nil {
-		return graphql.Null
+			switch field.Name {
+			case "secret":
+				return ec.fieldContext_GenerateJWTKeysResponse_secret(ctx, field)
+			case "public_key":
+				return ec.fieldContext_GenerateJWTKeysResponse_public_key(ctx, field)
+			case "private_key":
+				return ec.fieldContext_GenerateJWTKeysResponse_private_key(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type GenerateJWTKeysResponse", field.Name)
+		},
 	}
-	ctx = graphql.WithFieldContext(ctx, fc)
 	defer func() {
 		if r := recover(); r != nil {
-			ec.Error(ctx, ec.Recover(ctx, r))
-			ret = graphql.Null
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
 		}
 	}()
-	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
-		ctx = rctx // use context from middleware stack in children
-		return obj.IsMultiFactorAuthEnabled, nil
-	})
-	if err != nil {
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Mutation__generate_jwt_keys_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
 		ec.Error(ctx, err)
-		return graphql.Null
-	}
-	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
-		return graphql.Null
-	}
-	res := resTmp.(bool)
-	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
-}
-
-func (ec *executionContext) fieldContext_Meta_is_multi_factor_auth_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
-	fc = &graphql.FieldContext{
-		Object:     "Meta",
-		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
-		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
-		},
+		return fc, err
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Meta_is_mobile_basic_authentication_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Meta_is_mobile_basic_authentication_enabled(ctx, field)
+func (ec *executionContext) _Mutation__add_webhook(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation__add_webhook(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -13268,7 +12884,7 @@ func (ec *executionContext) _Meta_is_mobile_basic_authentication_enabled(ctx con
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.IsMobileBasicAuthenticationEnabled, nil
+		return ec.resolvers.Mutation().AddWebhook(rctx, fc.Args["params"].(model.AddWebhookRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -13280,26 +12896,41 @@ func (ec *executionContext) _Meta_is_mobile_basic_authentication_enabled(ctx con
 		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.(*model.Response)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Meta_is_mobile_basic_authentication_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation__add_webhook(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Meta",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			switch field.Name {
+			case "message":
+				return ec.fieldContext_Response_message(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Mutation__add_webhook_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Meta_is_phone_verification_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Meta_is_phone_verification_enabled(ctx, field)
+func (ec *executionContext) _Mutation__update_webhook(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation__update_webhook(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -13312,7 +12943,7 @@ func (ec *executionContext) _Meta_is_phone_verification_enabled(ctx context.Cont
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.IsPhoneVerificationEnabled, nil
+		return ec.resolvers.Mutation().UpdateWebhook(rctx, fc.Args["params"].(model.UpdateWebhookRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -13324,26 +12955,41 @@ func (ec *executionContext) _Meta_is_phone_verification_enabled(ctx context.Cont
 		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.(*model.Response)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Meta_is_phone_verification_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation__update_webhook(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Meta",
+		Object:     "Mutation",
 		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
+		IsMethod:   true,
+		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			switch field.Name {
+			case "message":
+				return ec.fieldContext_Response_message(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Mutation__update_webhook_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation_signup(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation_signup(ctx, field)
+func (ec *executionContext) _Mutation__delete_webhook(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation__delete_webhook(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -13356,7 +13002,7 @@ func (ec *executionContext) _Mutation_signup(ctx context.Context, field graphql.
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().Signup(rctx, fc.Args["params"].(model.SignUpRequest))
+		return ec.resolvers.Mutation().DeleteWebhook(rctx, fc.Args["params"].(model.WebhookRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -13368,12 +13014,12 @@ func (ec *executionContext) _Mutation_signup(ctx context.Context, field graphql.
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.AuthResponse)
+	res := resTmp.(*model.Response)
 	fc.Result = res
-	return ec.marshalNAuthResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthResponse(ctx, field.Selections, res)
+	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation_signup(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation__delete_webhook(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Mutation",
 		Field:      field,
@@ -13382,31 +13028,9 @@ func (ec *executionContext) fieldContext_Mutation_signup(ctx context.Context, fi
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			switch field.Name {
 			case "message":
-				return ec.fieldContext_AuthResponse_message(ctx, field)
-			case "should_show_email_otp_screen":
-				return ec.fieldContext_AuthResponse_should_show_email_otp_screen(ctx, field)
-			case "should_show_mobile_otp_screen":
-				return ec.fieldContext_AuthResponse_should_show_mobile_otp_screen(ctx, field)
-			case "should_show_totp_screen":
-				return ec.fieldContext_AuthResponse_should_show_totp_screen(ctx, field)
-			case "access_token":
-				return ec.fieldContext_AuthResponse_access_token(ctx, field)
-			case "id_token":
-				return ec.fieldContext_AuthResponse_id_token(ctx, field)
-			case "refresh_token":
-				return ec.fieldContext_AuthResponse_refresh_token(ctx, field)
-			case "expires_in":
-				return ec.fieldContext_AuthResponse_expires_in(ctx, field)
-			case "user":
-				return ec.fieldContext_AuthResponse_user(ctx, field)
-			case "authenticator_scanner_image":
-				return ec.fieldContext_AuthResponse_authenticator_scanner_image(ctx, field)
-			case "authenticator_secret":
-				return ec.fieldContext_AuthResponse_authenticator_secret(ctx, field)
-			case "authenticator_recovery_codes":
-				return ec.fieldContext_AuthResponse_authenticator_recovery_codes(ctx, field)
+				return ec.fieldContext_Response_message(ctx, field)
 			}
-			return nil, fmt.Errorf("no field named %q was found under type AuthResponse", field.Name)
+			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
 		},
 	}
 	defer func() {
@@ -13416,15 +13040,15 @@ func (ec *executionContext) fieldContext_Mutation_signup(ctx context.Context, fi
 		}
 	}()
 	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation_signup_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+	if fc.Args, err = ec.field_Mutation__delete_webhook_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
 		ec.Error(ctx, err)
 		return fc, err
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation_mobile_signup(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation_mobile_signup(ctx, field)
+func (ec *executionContext) _Mutation__test_endpoint(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation__test_endpoint(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -13437,7 +13061,7 @@ func (ec *executionContext) _Mutation_mobile_signup(ctx context.Context, field g
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().MobileSignup(rctx, fc.Args["params"].(*model.MobileSignUpRequest))
+		return ec.resolvers.Mutation().TestEndpoint(rctx, fc.Args["params"].(model.TestEndpointRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -13449,12 +13073,12 @@ func (ec *executionContext) _Mutation_mobile_signup(ctx context.Context, field g
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.AuthResponse)
+	res := resTmp.(*model.TestEndpointResponse)
 	fc.Result = res
-	return ec.marshalNAuthResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthResponse(ctx, field.Selections, res)
+	return ec.marshalNTestEndpointResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐTestEndpointResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation_mobile_signup(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation__test_endpoint(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Mutation",
 		Field:      field,
@@ -13462,32 +13086,12 @@ func (ec *executionContext) fieldContext_Mutation_mobile_signup(ctx context.Cont
 		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			switch field.Name {
-			case "message":
-				return ec.fieldContext_AuthResponse_message(ctx, field)
-			case "should_show_email_otp_screen":
-				return ec.fieldContext_AuthResponse_should_show_email_otp_screen(ctx, field)
-			case "should_show_mobile_otp_screen":
-				return ec.fieldContext_AuthResponse_should_show_mobile_otp_screen(ctx, field)
-			case "should_show_totp_screen":
-				return ec.fieldContext_AuthResponse_should_show_totp_screen(ctx, field)
-			case "access_token":
-				return ec.fieldContext_AuthResponse_access_token(ctx, field)
-			case "id_token":
-				return ec.fieldContext_AuthResponse_id_token(ctx, field)
-			case "refresh_token":
-				return ec.fieldContext_AuthResponse_refresh_token(ctx, field)
-			case "expires_in":
-				return ec.fieldContext_AuthResponse_expires_in(ctx, field)
-			case "user":
-				return ec.fieldContext_AuthResponse_user(ctx, field)
-			case "authenticator_scanner_image":
-				return ec.fieldContext_AuthResponse_authenticator_scanner_image(ctx, field)
-			case "authenticator_secret":
-				return ec.fieldContext_AuthResponse_authenticator_secret(ctx, field)
-			case "authenticator_recovery_codes":
-				return ec.fieldContext_AuthResponse_authenticator_recovery_codes(ctx, field)
+			case "http_status":
+				return ec.fieldContext_TestEndpointResponse_http_status(ctx, field)
+			case "response":
+				return ec.fieldContext_TestEndpointResponse_response(ctx, field)
 			}
-			return nil, fmt.Errorf("no field named %q was found under type AuthResponse", field.Name)
+			return nil, fmt.Errorf("no field named %q was found under type TestEndpointResponse", field.Name)
 		},
 	}
 	defer func() {
@@ -13497,15 +13101,15 @@ func (ec *executionContext) fieldContext_Mutation_mobile_signup(ctx context.Cont
 		}
 	}()
 	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation_mobile_signup_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+	if fc.Args, err = ec.field_Mutation__test_endpoint_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
 		ec.Error(ctx, err)
 		return fc, err
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation_login(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation_login(ctx, field)
+func (ec *executionContext) _Mutation__add_email_template(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation__add_email_template(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -13518,7 +13122,7 @@ func (ec *executionContext) _Mutation_login(ctx context.Context, field graphql.C
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().Login(rctx, fc.Args["params"].(model.LoginRequest))
+		return ec.resolvers.Mutation().AddEmailTemplate(rctx, fc.Args["params"].(model.AddEmailTemplateRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -13530,12 +13134,12 @@ func (ec *executionContext) _Mutation_login(ctx context.Context, field graphql.C
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.AuthResponse)
+	res := resTmp.(*model.Response)
 	fc.Result = res
-	return ec.marshalNAuthResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthResponse(ctx, field.Selections, res)
+	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation_login(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation__add_email_template(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Mutation",
 		Field:      field,
@@ -13544,31 +13148,9 @@ func (ec *executionContext) fieldContext_Mutation_login(ctx context.Context, fie
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			switch field.Name {
 			case "message":
-				return ec.fieldContext_AuthResponse_message(ctx, field)
-			case "should_show_email_otp_screen":
-				return ec.fieldContext_AuthResponse_should_show_email_otp_screen(ctx, field)
-			case "should_show_mobile_otp_screen":
-				return ec.fieldContext_AuthResponse_should_show_mobile_otp_screen(ctx, field)
-			case "should_show_totp_screen":
-				return ec.fieldContext_AuthResponse_should_show_totp_screen(ctx, field)
-			case "access_token":
-				return ec.fieldContext_AuthResponse_access_token(ctx, field)
-			case "id_token":
-				return ec.fieldContext_AuthResponse_id_token(ctx, field)
-			case "refresh_token":
-				return ec.fieldContext_AuthResponse_refresh_token(ctx, field)
-			case "expires_in":
-				return ec.fieldContext_AuthResponse_expires_in(ctx, field)
-			case "user":
-				return ec.fieldContext_AuthResponse_user(ctx, field)
-			case "authenticator_scanner_image":
-				return ec.fieldContext_AuthResponse_authenticator_scanner_image(ctx, field)
-			case "authenticator_secret":
-				return ec.fieldContext_AuthResponse_authenticator_secret(ctx, field)
-			case "authenticator_recovery_codes":
-				return ec.fieldContext_AuthResponse_authenticator_recovery_codes(ctx, field)
+				return ec.fieldContext_Response_message(ctx, field)
 			}
-			return nil, fmt.Errorf("no field named %q was found under type AuthResponse", field.Name)
+			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
 		},
 	}
 	defer func() {
@@ -13578,15 +13160,15 @@ func (ec *executionContext) fieldContext_Mutation_login(ctx context.Context, fie
 		}
 	}()
 	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation_login_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+	if fc.Args, err = ec.field_Mutation__add_email_template_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
 		ec.Error(ctx, err)
 		return fc, err
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation_mobile_login(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation_mobile_login(ctx, field)
+func (ec *executionContext) _Mutation__update_email_template(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation__update_email_template(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -13599,7 +13181,7 @@ func (ec *executionContext) _Mutation_mobile_login(ctx context.Context, field gr
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().MobileLogin(rctx, fc.Args["params"].(model.MobileLoginRequest))
+		return ec.resolvers.Mutation().UpdateEmailTemplate(rctx, fc.Args["params"].(model.UpdateEmailTemplateRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -13611,12 +13193,12 @@ func (ec *executionContext) _Mutation_mobile_login(ctx context.Context, field gr
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.AuthResponse)
+	res := resTmp.(*model.Response)
 	fc.Result = res
-	return ec.marshalNAuthResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthResponse(ctx, field.Selections, res)
+	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation_mobile_login(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation__update_email_template(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Mutation",
 		Field:      field,
@@ -13625,31 +13207,9 @@ func (ec *executionContext) fieldContext_Mutation_mobile_login(ctx context.Conte
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			switch field.Name {
 			case "message":
-				return ec.fieldContext_AuthResponse_message(ctx, field)
-			case "should_show_email_otp_screen":
-				return ec.fieldContext_AuthResponse_should_show_email_otp_screen(ctx, field)
-			case "should_show_mobile_otp_screen":
-				return ec.fieldContext_AuthResponse_should_show_mobile_otp_screen(ctx, field)
-			case "should_show_totp_screen":
-				return ec.fieldContext_AuthResponse_should_show_totp_screen(ctx, field)
-			case "access_token":
-				return ec.fieldContext_AuthResponse_access_token(ctx, field)
-			case "id_token":
-				return ec.fieldContext_AuthResponse_id_token(ctx, field)
-			case "refresh_token":
-				return ec.fieldContext_AuthResponse_refresh_token(ctx, field)
-			case "expires_in":
-				return ec.fieldContext_AuthResponse_expires_in(ctx, field)
-			case "user":
-				return ec.fieldContext_AuthResponse_user(ctx, field)
-			case "authenticator_scanner_image":
-				return ec.fieldContext_AuthResponse_authenticator_scanner_image(ctx, field)
-			case "authenticator_secret":
-				return ec.fieldContext_AuthResponse_authenticator_secret(ctx, field)
-			case "authenticator_recovery_codes":
-				return ec.fieldContext_AuthResponse_authenticator_recovery_codes(ctx, field)
+				return ec.fieldContext_Response_message(ctx, field)
 			}
-			return nil, fmt.Errorf("no field named %q was found under type AuthResponse", field.Name)
+			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
 		},
 	}
 	defer func() {
@@ -13659,15 +13219,15 @@ func (ec *executionContext) fieldContext_Mutation_mobile_login(ctx context.Conte
 		}
 	}()
 	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation_mobile_login_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+	if fc.Args, err = ec.field_Mutation__update_email_template_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
 		ec.Error(ctx, err)
 		return fc, err
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation_magic_link_login(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation_magic_link_login(ctx, field)
+func (ec *executionContext) _Mutation__delete_email_template(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation__delete_email_template(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -13680,7 +13240,7 @@ func (ec *executionContext) _Mutation_magic_link_login(ctx context.Context, fiel
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().MagicLinkLogin(rctx, fc.Args["params"].(model.MagicLinkLoginRequest))
+		return ec.resolvers.Mutation().DeleteEmailTemplate(rctx, fc.Args["params"].(model.DeleteEmailTemplateRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -13697,7 +13257,7 @@ func (ec *executionContext) _Mutation_magic_link_login(ctx context.Context, fiel
 	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation_magic_link_login(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation__delete_email_template(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Mutation",
 		Field:      field,
@@ -13718,15 +13278,15 @@ func (ec *executionContext) fieldContext_Mutation_magic_link_login(ctx context.C
 		}
 	}()
 	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation_magic_link_login_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+	if fc.Args, err = ec.field_Mutation__delete_email_template_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
 		ec.Error(ctx, err)
 		return fc, err
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation_logout(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation_logout(ctx, field)
+func (ec *executionContext) _Mutation__fga_write_model(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation__fga_write_model(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -13739,7 +13299,7 @@ func (ec *executionContext) _Mutation_logout(ctx context.Context, field graphql.
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().Logout(rctx)
+		return ec.resolvers.Mutation().FgaWriteModel(rctx, fc.Args["params"].(model.FgaWriteModelInput))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -13751,12 +13311,12 @@ func (ec *executionContext) _Mutation_logout(ctx context.Context, field graphql.
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Response)
+	res := resTmp.(*model.FgaModel)
 	fc.Result = res
-	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
+	return ec.marshalNFgaModel2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaModel(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation_logout(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation__fga_write_model(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Mutation",
 		Field:      field,
@@ -13764,17 +13324,30 @@ func (ec *executionContext) fieldContext_Mutation_logout(_ context.Context, fiel
 		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			switch field.Name {
-			case "message":
-				return ec.fieldContext_Response_message(ctx, field)
+			case "id":
+				return ec.fieldContext_FgaModel_id(ctx, field)
+			case "dsl":
+				return ec.fieldContext_FgaModel_dsl(ctx, field)
 			}
-			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
+			return nil, fmt.Errorf("no field named %q was found under type FgaModel", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Mutation__fga_write_model_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation_update_profile(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation_update_profile(ctx, field)
+func (ec *executionContext) _Mutation__fga_write_tuples(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation__fga_write_tuples(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -13787,7 +13360,7 @@ func (ec *executionContext) _Mutation_update_profile(ctx context.Context, field
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().UpdateProfile(rctx, fc.Args["params"].(model.UpdateProfileRequest))
+		return ec.resolvers.Mutation().FgaWriteTuples(rctx, fc.Args["params"].(model.FgaWriteTuplesInput))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -13804,7 +13377,7 @@ func (ec *executionContext) _Mutation_update_profile(ctx context.Context, field
 	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation_update_profile(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation__fga_write_tuples(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Mutation",
 		Field:      field,
@@ -13825,15 +13398,15 @@ func (ec *executionContext) fieldContext_Mutation_update_profile(ctx context.Con
 		}
 	}()
 	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation_update_profile_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+	if fc.Args, err = ec.field_Mutation__fga_write_tuples_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
 		ec.Error(ctx, err)
 		return fc, err
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation_verify_email(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation_verify_email(ctx, field)
+func (ec *executionContext) _Mutation__fga_delete_tuples(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation__fga_delete_tuples(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -13846,7 +13419,7 @@ func (ec *executionContext) _Mutation_verify_email(ctx context.Context, field gr
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().VerifyEmail(rctx, fc.Args["params"].(model.VerifyEmailRequest))
+		return ec.resolvers.Mutation().FgaDeleteTuples(rctx, fc.Args["params"].(model.FgaWriteTuplesInput))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -13858,12 +13431,12 @@ func (ec *executionContext) _Mutation_verify_email(ctx context.Context, field gr
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.AuthResponse)
+	res := resTmp.(*model.Response)
 	fc.Result = res
-	return ec.marshalNAuthResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthResponse(ctx, field.Selections, res)
+	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation_verify_email(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Mutation__fga_delete_tuples(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Mutation",
 		Field:      field,
@@ -13872,31 +13445,9 @@ func (ec *executionContext) fieldContext_Mutation_verify_email(ctx context.Conte
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			switch field.Name {
 			case "message":
-				return ec.fieldContext_AuthResponse_message(ctx, field)
-			case "should_show_email_otp_screen":
-				return ec.fieldContext_AuthResponse_should_show_email_otp_screen(ctx, field)
-			case "should_show_mobile_otp_screen":
-				return ec.fieldContext_AuthResponse_should_show_mobile_otp_screen(ctx, field)
-			case "should_show_totp_screen":
-				return ec.fieldContext_AuthResponse_should_show_totp_screen(ctx, field)
-			case "access_token":
-				return ec.fieldContext_AuthResponse_access_token(ctx, field)
-			case "id_token":
-				return ec.fieldContext_AuthResponse_id_token(ctx, field)
-			case "refresh_token":
-				return ec.fieldContext_AuthResponse_refresh_token(ctx, field)
-			case "expires_in":
-				return ec.fieldContext_AuthResponse_expires_in(ctx, field)
-			case "user":
-				return ec.fieldContext_AuthResponse_user(ctx, field)
-			case "authenticator_scanner_image":
-				return ec.fieldContext_AuthResponse_authenticator_scanner_image(ctx, field)
-			case "authenticator_secret":
-				return ec.fieldContext_AuthResponse_authenticator_secret(ctx, field)
-			case "authenticator_recovery_codes":
-				return ec.fieldContext_AuthResponse_authenticator_recovery_codes(ctx, field)
+				return ec.fieldContext_Response_message(ctx, field)
 			}
-			return nil, fmt.Errorf("no field named %q was found under type AuthResponse", field.Name)
+			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
 		},
 	}
 	defer func() {
@@ -13906,15 +13457,15 @@ func (ec *executionContext) fieldContext_Mutation_verify_email(ctx context.Conte
 		}
 	}()
 	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation_verify_email_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+	if fc.Args, err = ec.field_Mutation__fga_delete_tuples_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
 		ec.Error(ctx, err)
 		return fc, err
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation_resend_verify_email(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation_resend_verify_email(ctx, field)
+func (ec *executionContext) _Pagination_limit(ctx context.Context, field graphql.CollectedField, obj *model.Pagination) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Pagination_limit(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -13927,7 +13478,7 @@ func (ec *executionContext) _Mutation_resend_verify_email(ctx context.Context, f
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().ResendVerifyEmail(rctx, fc.Args["params"].(model.ResendVerifyEmailRequest))
+		return obj.Limit, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -13939,41 +13490,26 @@ func (ec *executionContext) _Mutation_resend_verify_email(ctx context.Context, f
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Response)
+	res := resTmp.(int64)
 	fc.Result = res
-	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
+	return ec.marshalNInt642int64(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation_resend_verify_email(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Pagination_limit(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "Pagination",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "message":
-				return ec.fieldContext_Response_message(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
+			return nil, errors.New("field of type Int64 does not have child fields")
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation_resend_verify_email_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation_forgot_password(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation_forgot_password(ctx, field)
+func (ec *executionContext) _Pagination_page(ctx context.Context, field graphql.CollectedField, obj *model.Pagination) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Pagination_page(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -13986,7 +13522,7 @@ func (ec *executionContext) _Mutation_forgot_password(ctx context.Context, field
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().ForgotPassword(rctx, fc.Args["params"].(model.ForgotPasswordRequest))
+		return obj.Page, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -13998,43 +13534,26 @@ func (ec *executionContext) _Mutation_forgot_password(ctx context.Context, field
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.ForgotPasswordResponse)
+	res := resTmp.(int64)
 	fc.Result = res
-	return ec.marshalNForgotPasswordResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐForgotPasswordResponse(ctx, field.Selections, res)
+	return ec.marshalNInt642int64(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation_forgot_password(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Pagination_page(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "Pagination",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "message":
-				return ec.fieldContext_ForgotPasswordResponse_message(ctx, field)
-			case "should_show_mobile_otp_screen":
-				return ec.fieldContext_ForgotPasswordResponse_should_show_mobile_otp_screen(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type ForgotPasswordResponse", field.Name)
+			return nil, errors.New("field of type Int64 does not have child fields")
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation_forgot_password_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation_reset_password(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation_reset_password(ctx, field)
+func (ec *executionContext) _Pagination_offset(ctx context.Context, field graphql.CollectedField, obj *model.Pagination) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Pagination_offset(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -14047,7 +13566,7 @@ func (ec *executionContext) _Mutation_reset_password(ctx context.Context, field
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().ResetPassword(rctx, fc.Args["params"].(model.ResetPasswordRequest))
+		return obj.Offset, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -14059,41 +13578,26 @@ func (ec *executionContext) _Mutation_reset_password(ctx context.Context, field
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Response)
+	res := resTmp.(int64)
 	fc.Result = res
-	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
+	return ec.marshalNInt642int64(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation_reset_password(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Pagination_offset(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "Pagination",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "message":
-				return ec.fieldContext_Response_message(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
+			return nil, errors.New("field of type Int64 does not have child fields")
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation_reset_password_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation_revoke(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation_revoke(ctx, field)
+func (ec *executionContext) _Pagination_total(ctx context.Context, field graphql.CollectedField, obj *model.Pagination) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Pagination_total(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -14106,7 +13610,7 @@ func (ec *executionContext) _Mutation_revoke(ctx context.Context, field graphql.
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().Revoke(rctx, fc.Args["params"].(model.OAuthRevokeRequest))
+		return obj.Total, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -14118,41 +13622,26 @@ func (ec *executionContext) _Mutation_revoke(ctx context.Context, field graphql.
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Response)
+	res := resTmp.(int64)
 	fc.Result = res
-	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
+	return ec.marshalNInt642int64(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation_revoke(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Pagination_total(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "Pagination",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "message":
-				return ec.fieldContext_Response_message(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
+			return nil, errors.New("field of type Int64 does not have child fields")
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation_revoke_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation_verify_otp(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation_verify_otp(ctx, field)
+func (ec *executionContext) _Query_meta(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Query_meta(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -14165,7 +13654,7 @@ func (ec *executionContext) _Mutation_verify_otp(ctx context.Context, field grap
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().VerifyOtp(rctx, fc.Args["params"].(model.VerifyOTPRequest))
+		return ec.resolvers.Query().Meta(rctx)
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -14177,23 +13666,109 @@ func (ec *executionContext) _Mutation_verify_otp(ctx context.Context, field grap
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.AuthResponse)
+	res := resTmp.(*model.Meta)
 	fc.Result = res
-	return ec.marshalNAuthResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthResponse(ctx, field.Selections, res)
+	return ec.marshalNMeta2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐMeta(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation_verify_otp(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Query_meta(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "Query",
 		Field:      field,
 		IsMethod:   true,
 		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			switch field.Name {
-			case "message":
-				return ec.fieldContext_AuthResponse_message(ctx, field)
-			case "should_show_email_otp_screen":
-				return ec.fieldContext_AuthResponse_should_show_email_otp_screen(ctx, field)
+			case "version":
+				return ec.fieldContext_Meta_version(ctx, field)
+			case "client_id":
+				return ec.fieldContext_Meta_client_id(ctx, field)
+			case "is_google_login_enabled":
+				return ec.fieldContext_Meta_is_google_login_enabled(ctx, field)
+			case "is_facebook_login_enabled":
+				return ec.fieldContext_Meta_is_facebook_login_enabled(ctx, field)
+			case "is_github_login_enabled":
+				return ec.fieldContext_Meta_is_github_login_enabled(ctx, field)
+			case "is_linkedin_login_enabled":
+				return ec.fieldContext_Meta_is_linkedin_login_enabled(ctx, field)
+			case "is_apple_login_enabled":
+				return ec.fieldContext_Meta_is_apple_login_enabled(ctx, field)
+			case "is_discord_login_enabled":
+				return ec.fieldContext_Meta_is_discord_login_enabled(ctx, field)
+			case "is_twitter_login_enabled":
+				return ec.fieldContext_Meta_is_twitter_login_enabled(ctx, field)
+			case "is_microsoft_login_enabled":
+				return ec.fieldContext_Meta_is_microsoft_login_enabled(ctx, field)
+			case "is_twitch_login_enabled":
+				return ec.fieldContext_Meta_is_twitch_login_enabled(ctx, field)
+			case "is_roblox_login_enabled":
+				return ec.fieldContext_Meta_is_roblox_login_enabled(ctx, field)
+			case "is_email_verification_enabled":
+				return ec.fieldContext_Meta_is_email_verification_enabled(ctx, field)
+			case "is_basic_authentication_enabled":
+				return ec.fieldContext_Meta_is_basic_authentication_enabled(ctx, field)
+			case "is_magic_link_login_enabled":
+				return ec.fieldContext_Meta_is_magic_link_login_enabled(ctx, field)
+			case "is_sign_up_enabled":
+				return ec.fieldContext_Meta_is_sign_up_enabled(ctx, field)
+			case "is_strong_password_enabled":
+				return ec.fieldContext_Meta_is_strong_password_enabled(ctx, field)
+			case "is_multi_factor_auth_enabled":
+				return ec.fieldContext_Meta_is_multi_factor_auth_enabled(ctx, field)
+			case "is_mobile_basic_authentication_enabled":
+				return ec.fieldContext_Meta_is_mobile_basic_authentication_enabled(ctx, field)
+			case "is_phone_verification_enabled":
+				return ec.fieldContext_Meta_is_phone_verification_enabled(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type Meta", field.Name)
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) _Query_session(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Query_session(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return ec.resolvers.Query().Session(rctx, fc.Args["params"].(*model.SessionQueryRequest))
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
+		return graphql.Null
+	}
+	res := resTmp.(*model.AuthResponse)
+	fc.Result = res
+	return ec.marshalNAuthResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthResponse(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext_Query_session(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "Query",
+		Field:      field,
+		IsMethod:   true,
+		IsResolver: true,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			switch field.Name {
+			case "message":
+				return ec.fieldContext_AuthResponse_message(ctx, field)
+			case "should_show_email_otp_screen":
+				return ec.fieldContext_AuthResponse_should_show_email_otp_screen(ctx, field)
 			case "should_show_mobile_otp_screen":
 				return ec.fieldContext_AuthResponse_should_show_mobile_otp_screen(ctx, field)
 			case "should_show_totp_screen":
@@ -14225,15 +13800,15 @@ func (ec *executionContext) fieldContext_Mutation_verify_otp(ctx context.Context
 		}
 	}()
 	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation_verify_otp_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+	if fc.Args, err = ec.field_Query_session_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
 		ec.Error(ctx, err)
 		return fc, err
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation_resend_otp(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation_resend_otp(ctx, field)
+func (ec *executionContext) _Query_profile(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Query_profile(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -14246,7 +13821,7 @@ func (ec *executionContext) _Mutation_resend_otp(ctx context.Context, field grap
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().ResendOtp(rctx, fc.Args["params"].(model.ResendOTPRequest))
+		return ec.resolvers.Query().Profile(rctx)
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -14258,41 +13833,68 @@ func (ec *executionContext) _Mutation_resend_otp(ctx context.Context, field grap
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Response)
+	res := resTmp.(*model.User)
 	fc.Result = res
-	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
+	return ec.marshalNUser2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUser(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation_resend_otp(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Query_profile(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "Query",
 		Field:      field,
 		IsMethod:   true,
 		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			switch field.Name {
-			case "message":
-				return ec.fieldContext_Response_message(ctx, field)
+			case "id":
+				return ec.fieldContext_User_id(ctx, field)
+			case "email":
+				return ec.fieldContext_User_email(ctx, field)
+			case "email_verified":
+				return ec.fieldContext_User_email_verified(ctx, field)
+			case "signup_methods":
+				return ec.fieldContext_User_signup_methods(ctx, field)
+			case "given_name":
+				return ec.fieldContext_User_given_name(ctx, field)
+			case "family_name":
+				return ec.fieldContext_User_family_name(ctx, field)
+			case "middle_name":
+				return ec.fieldContext_User_middle_name(ctx, field)
+			case "nickname":
+				return ec.fieldContext_User_nickname(ctx, field)
+			case "preferred_username":
+				return ec.fieldContext_User_preferred_username(ctx, field)
+			case "gender":
+				return ec.fieldContext_User_gender(ctx, field)
+			case "birthdate":
+				return ec.fieldContext_User_birthdate(ctx, field)
+			case "phone_number":
+				return ec.fieldContext_User_phone_number(ctx, field)
+			case "phone_number_verified":
+				return ec.fieldContext_User_phone_number_verified(ctx, field)
+			case "picture":
+				return ec.fieldContext_User_picture(ctx, field)
+			case "roles":
+				return ec.fieldContext_User_roles(ctx, field)
+			case "created_at":
+				return ec.fieldContext_User_created_at(ctx, field)
+			case "updated_at":
+				return ec.fieldContext_User_updated_at(ctx, field)
+			case "revoked_timestamp":
+				return ec.fieldContext_User_revoked_timestamp(ctx, field)
+			case "is_multi_factor_auth_enabled":
+				return ec.fieldContext_User_is_multi_factor_auth_enabled(ctx, field)
+			case "app_data":
+				return ec.fieldContext_User_app_data(ctx, field)
 			}
-			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
+			return nil, fmt.Errorf("no field named %q was found under type User", field.Name)
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation_resend_otp_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation_deactivate_account(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation_deactivate_account(ctx, field)
+func (ec *executionContext) _Query_validate_jwt_token(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Query_validate_jwt_token(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -14305,7 +13907,7 @@ func (ec *executionContext) _Mutation_deactivate_account(ctx context.Context, fi
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().DeactivateAccount(rctx)
+		return ec.resolvers.Query().ValidateJwtToken(rctx, fc.Args["params"].(model.ValidateJWTTokenRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -14317,30 +13919,43 @@ func (ec *executionContext) _Mutation_deactivate_account(ctx context.Context, fi
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Response)
+	res := resTmp.(*model.ValidateJWTTokenResponse)
 	fc.Result = res
-	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
+	return ec.marshalNValidateJWTTokenResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐValidateJWTTokenResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation_deactivate_account(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Query_validate_jwt_token(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "Query",
 		Field:      field,
 		IsMethod:   true,
 		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			switch field.Name {
-			case "message":
-				return ec.fieldContext_Response_message(ctx, field)
+			case "is_valid":
+				return ec.fieldContext_ValidateJWTTokenResponse_is_valid(ctx, field)
+			case "claims":
+				return ec.fieldContext_ValidateJWTTokenResponse_claims(ctx, field)
 			}
-			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
+			return nil, fmt.Errorf("no field named %q was found under type ValidateJWTTokenResponse", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Query_validate_jwt_token_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation__delete_user(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation__delete_user(ctx, field)
+func (ec *executionContext) _Query_validate_session(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Query_validate_session(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -14353,7 +13968,7 @@ func (ec *executionContext) _Mutation__delete_user(ctx context.Context, field gr
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().DeleteUser(rctx, fc.Args["params"].(model.DeleteUserRequest))
+		return ec.resolvers.Query().ValidateSession(rctx, fc.Args["params"].(*model.ValidateSessionRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -14365,23 +13980,25 @@ func (ec *executionContext) _Mutation__delete_user(ctx context.Context, field gr
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Response)
+	res := resTmp.(*model.ValidateSessionResponse)
 	fc.Result = res
-	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
+	return ec.marshalNValidateSessionResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐValidateSessionResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation__delete_user(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Query_validate_session(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "Query",
 		Field:      field,
 		IsMethod:   true,
 		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			switch field.Name {
-			case "message":
-				return ec.fieldContext_Response_message(ctx, field)
+			case "is_valid":
+				return ec.fieldContext_ValidateSessionResponse_is_valid(ctx, field)
+			case "user":
+				return ec.fieldContext_ValidateSessionResponse_user(ctx, field)
 			}
-			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
+			return nil, fmt.Errorf("no field named %q was found under type ValidateSessionResponse", field.Name)
 		},
 	}
 	defer func() {
@@ -14391,15 +14008,15 @@ func (ec *executionContext) fieldContext_Mutation__delete_user(ctx context.Conte
 		}
 	}()
 	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation__delete_user_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+	if fc.Args, err = ec.field_Query_validate_session_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
 		ec.Error(ctx, err)
 		return fc, err
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation__update_user(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation__update_user(ctx, field)
+func (ec *executionContext) _Query__users(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Query__users(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -14412,7 +14029,7 @@ func (ec *executionContext) _Mutation__update_user(ctx context.Context, field gr
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().UpdateUser(rctx, fc.Args["params"].(model.UpdateUserRequest))
+		return ec.resolvers.Query().Users(rctx, fc.Args["params"].(*model.PaginatedRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -14424,61 +14041,25 @@ func (ec *executionContext) _Mutation__update_user(ctx context.Context, field gr
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.User)
+	res := resTmp.(*model.Users)
 	fc.Result = res
-	return ec.marshalNUser2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUser(ctx, field.Selections, res)
+	return ec.marshalNUsers2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUsers(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation__update_user(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Query__users(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "Query",
 		Field:      field,
 		IsMethod:   true,
 		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			switch field.Name {
-			case "id":
-				return ec.fieldContext_User_id(ctx, field)
-			case "email":
-				return ec.fieldContext_User_email(ctx, field)
-			case "email_verified":
-				return ec.fieldContext_User_email_verified(ctx, field)
-			case "signup_methods":
-				return ec.fieldContext_User_signup_methods(ctx, field)
-			case "given_name":
-				return ec.fieldContext_User_given_name(ctx, field)
-			case "family_name":
-				return ec.fieldContext_User_family_name(ctx, field)
-			case "middle_name":
-				return ec.fieldContext_User_middle_name(ctx, field)
-			case "nickname":
-				return ec.fieldContext_User_nickname(ctx, field)
-			case "preferred_username":
-				return ec.fieldContext_User_preferred_username(ctx, field)
-			case "gender":
-				return ec.fieldContext_User_gender(ctx, field)
-			case "birthdate":
-				return ec.fieldContext_User_birthdate(ctx, field)
-			case "phone_number":
-				return ec.fieldContext_User_phone_number(ctx, field)
-			case "phone_number_verified":
-				return ec.fieldContext_User_phone_number_verified(ctx, field)
-			case "picture":
-				return ec.fieldContext_User_picture(ctx, field)
-			case "roles":
-				return ec.fieldContext_User_roles(ctx, field)
-			case "created_at":
-				return ec.fieldContext_User_created_at(ctx, field)
-			case "updated_at":
-				return ec.fieldContext_User_updated_at(ctx, field)
-			case "revoked_timestamp":
-				return ec.fieldContext_User_revoked_timestamp(ctx, field)
-			case "is_multi_factor_auth_enabled":
-				return ec.fieldContext_User_is_multi_factor_auth_enabled(ctx, field)
-			case "app_data":
-				return ec.fieldContext_User_app_data(ctx, field)
+			case "pagination":
+				return ec.fieldContext_Users_pagination(ctx, field)
+			case "users":
+				return ec.fieldContext_Users_users(ctx, field)
 			}
-			return nil, fmt.Errorf("no field named %q was found under type User", field.Name)
+			return nil, fmt.Errorf("no field named %q was found under type Users", field.Name)
 		},
 	}
 	defer func() {
@@ -14488,15 +14069,15 @@ func (ec *executionContext) fieldContext_Mutation__update_user(ctx context.Conte
 		}
 	}()
 	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation__update_user_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+	if fc.Args, err = ec.field_Query__users_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
 		ec.Error(ctx, err)
 		return fc, err
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation__admin_signup(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation__admin_signup(ctx, field)
+func (ec *executionContext) _Query__user(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Query__user(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -14509,7 +14090,7 @@ func (ec *executionContext) _Mutation__admin_signup(ctx context.Context, field g
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().AdminSignup(rctx, fc.Args["params"].(model.AdminSignupRequest))
+		return ec.resolvers.Query().User(rctx, fc.Args["params"].(model.GetUserRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -14521,23 +14102,61 @@ func (ec *executionContext) _Mutation__admin_signup(ctx context.Context, field g
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Response)
+	res := resTmp.(*model.User)
 	fc.Result = res
-	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
+	return ec.marshalNUser2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUser(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation__admin_signup(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Query__user(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "Query",
 		Field:      field,
 		IsMethod:   true,
 		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			switch field.Name {
-			case "message":
-				return ec.fieldContext_Response_message(ctx, field)
+			case "id":
+				return ec.fieldContext_User_id(ctx, field)
+			case "email":
+				return ec.fieldContext_User_email(ctx, field)
+			case "email_verified":
+				return ec.fieldContext_User_email_verified(ctx, field)
+			case "signup_methods":
+				return ec.fieldContext_User_signup_methods(ctx, field)
+			case "given_name":
+				return ec.fieldContext_User_given_name(ctx, field)
+			case "family_name":
+				return ec.fieldContext_User_family_name(ctx, field)
+			case "middle_name":
+				return ec.fieldContext_User_middle_name(ctx, field)
+			case "nickname":
+				return ec.fieldContext_User_nickname(ctx, field)
+			case "preferred_username":
+				return ec.fieldContext_User_preferred_username(ctx, field)
+			case "gender":
+				return ec.fieldContext_User_gender(ctx, field)
+			case "birthdate":
+				return ec.fieldContext_User_birthdate(ctx, field)
+			case "phone_number":
+				return ec.fieldContext_User_phone_number(ctx, field)
+			case "phone_number_verified":
+				return ec.fieldContext_User_phone_number_verified(ctx, field)
+			case "picture":
+				return ec.fieldContext_User_picture(ctx, field)
+			case "roles":
+				return ec.fieldContext_User_roles(ctx, field)
+			case "created_at":
+				return ec.fieldContext_User_created_at(ctx, field)
+			case "updated_at":
+				return ec.fieldContext_User_updated_at(ctx, field)
+			case "revoked_timestamp":
+				return ec.fieldContext_User_revoked_timestamp(ctx, field)
+			case "is_multi_factor_auth_enabled":
+				return ec.fieldContext_User_is_multi_factor_auth_enabled(ctx, field)
+			case "app_data":
+				return ec.fieldContext_User_app_data(ctx, field)
 			}
-			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
+			return nil, fmt.Errorf("no field named %q was found under type User", field.Name)
 		},
 	}
 	defer func() {
@@ -14547,15 +14166,15 @@ func (ec *executionContext) fieldContext_Mutation__admin_signup(ctx context.Cont
 		}
 	}()
 	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation__admin_signup_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+	if fc.Args, err = ec.field_Query__user_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
 		ec.Error(ctx, err)
 		return fc, err
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation__admin_login(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation__admin_login(ctx, field)
+func (ec *executionContext) _Query__verification_requests(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Query__verification_requests(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -14568,7 +14187,7 @@ func (ec *executionContext) _Mutation__admin_login(ctx context.Context, field gr
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().AdminLogin(rctx, fc.Args["params"].(model.AdminLoginRequest))
+		return ec.resolvers.Query().VerificationRequests(rctx, fc.Args["params"].(*model.PaginatedRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -14580,23 +14199,25 @@ func (ec *executionContext) _Mutation__admin_login(ctx context.Context, field gr
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Response)
+	res := resTmp.(*model.VerificationRequests)
 	fc.Result = res
-	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
+	return ec.marshalNVerificationRequests2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐVerificationRequests(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation__admin_login(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Query__verification_requests(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "Query",
 		Field:      field,
 		IsMethod:   true,
 		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			switch field.Name {
-			case "message":
-				return ec.fieldContext_Response_message(ctx, field)
+			case "pagination":
+				return ec.fieldContext_VerificationRequests_pagination(ctx, field)
+			case "verification_requests":
+				return ec.fieldContext_VerificationRequests_verification_requests(ctx, field)
 			}
-			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
+			return nil, fmt.Errorf("no field named %q was found under type VerificationRequests", field.Name)
 		},
 	}
 	defer func() {
@@ -14606,63 +14227,15 @@ func (ec *executionContext) fieldContext_Mutation__admin_login(ctx context.Conte
 		}
 	}()
 	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation__admin_login_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+	if fc.Args, err = ec.field_Query__verification_requests_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
 		ec.Error(ctx, err)
 		return fc, err
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation__admin_logout(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation__admin_logout(ctx, field)
-	if err != nil {
-		return graphql.Null
-	}
-	ctx = graphql.WithFieldContext(ctx, fc)
-	defer func() {
-		if r := recover(); r != nil {
-			ec.Error(ctx, ec.Recover(ctx, r))
-			ret = graphql.Null
-		}
-	}()
-	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
-		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().AdminLogout(rctx)
-	})
-	if err != nil {
-		ec.Error(ctx, err)
-		return graphql.Null
-	}
-	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
-		return graphql.Null
-	}
-	res := resTmp.(*model.Response)
-	fc.Result = res
-	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
-}
-
-func (ec *executionContext) fieldContext_Mutation__admin_logout(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
-	fc = &graphql.FieldContext{
-		Object:     "Mutation",
-		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
-		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "message":
-				return ec.fieldContext_Response_message(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
-		},
-	}
-	return fc, nil
-}
-
-func (ec *executionContext) _Mutation__update_env(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation__update_env(ctx, field)
+func (ec *executionContext) _Query__admin_session(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Query__admin_session(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -14675,7 +14248,7 @@ func (ec *executionContext) _Mutation__update_env(ctx context.Context, field gra
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().UpdateEnv(rctx, fc.Args["params"].(model.UpdateEnvRequest))
+		return ec.resolvers.Query().AdminSession(rctx)
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -14692,9 +14265,9 @@ func (ec *executionContext) _Mutation__update_env(ctx context.Context, field gra
 	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation__update_env(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Query__admin_session(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "Query",
 		Field:      field,
 		IsMethod:   true,
 		IsResolver: true,
@@ -14706,83 +14279,11 @@ func (ec *executionContext) fieldContext_Mutation__update_env(ctx context.Contex
 			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation__update_env_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
-	return fc, nil
-}
-
-func (ec *executionContext) _Mutation__invite_members(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation__invite_members(ctx, field)
-	if err != nil {
-		return graphql.Null
-	}
-	ctx = graphql.WithFieldContext(ctx, fc)
-	defer func() {
-		if r := recover(); r != nil {
-			ec.Error(ctx, ec.Recover(ctx, r))
-			ret = graphql.Null
-		}
-	}()
-	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
-		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().InviteMembers(rctx, fc.Args["params"].(model.InviteMemberRequest))
-	})
-	if err != nil {
-		ec.Error(ctx, err)
-		return graphql.Null
-	}
-	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
-		return graphql.Null
-	}
-	res := resTmp.(*model.InviteMembersResponse)
-	fc.Result = res
-	return ec.marshalNInviteMembersResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐInviteMembersResponse(ctx, field.Selections, res)
-}
-
-func (ec *executionContext) fieldContext_Mutation__invite_members(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
-	fc = &graphql.FieldContext{
-		Object:     "Mutation",
-		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
-		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "message":
-				return ec.fieldContext_InviteMembersResponse_message(ctx, field)
-			case "Users":
-				return ec.fieldContext_InviteMembersResponse_Users(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type InviteMembersResponse", field.Name)
-		},
-	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation__invite_members_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation__revoke_access(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation__revoke_access(ctx, field)
+func (ec *executionContext) _Query__env(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Query__env(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -14795,7 +14296,7 @@ func (ec *executionContext) _Mutation__revoke_access(ctx context.Context, field
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().RevokeAccess(rctx, fc.Args["param"].(model.UpdateAccessRequest))
+		return ec.resolvers.Query().Env(rctx)
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -14807,41 +14308,170 @@ func (ec *executionContext) _Mutation__revoke_access(ctx context.Context, field
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Response)
+	res := resTmp.(*model.Env)
 	fc.Result = res
-	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
+	return ec.marshalNEnv2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐEnv(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation__revoke_access(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Query__env(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "Query",
 		Field:      field,
 		IsMethod:   true,
 		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			switch field.Name {
-			case "message":
-				return ec.fieldContext_Response_message(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
+			case "ACCESS_TOKEN_EXPIRY_TIME":
+				return ec.fieldContext_Env_ACCESS_TOKEN_EXPIRY_TIME(ctx, field)
+			case "ADMIN_SECRET":
+				return ec.fieldContext_Env_ADMIN_SECRET(ctx, field)
+			case "DATABASE_NAME":
+				return ec.fieldContext_Env_DATABASE_NAME(ctx, field)
+			case "DATABASE_URL":
+				return ec.fieldContext_Env_DATABASE_URL(ctx, field)
+			case "DATABASE_TYPE":
+				return ec.fieldContext_Env_DATABASE_TYPE(ctx, field)
+			case "DATABASE_USERNAME":
+				return ec.fieldContext_Env_DATABASE_USERNAME(ctx, field)
+			case "DATABASE_PASSWORD":
+				return ec.fieldContext_Env_DATABASE_PASSWORD(ctx, field)
+			case "DATABASE_HOST":
+				return ec.fieldContext_Env_DATABASE_HOST(ctx, field)
+			case "DATABASE_PORT":
+				return ec.fieldContext_Env_DATABASE_PORT(ctx, field)
+			case "CLIENT_ID":
+				return ec.fieldContext_Env_CLIENT_ID(ctx, field)
+			case "CLIENT_SECRET":
+				return ec.fieldContext_Env_CLIENT_SECRET(ctx, field)
+			case "CUSTOM_ACCESS_TOKEN_SCRIPT":
+				return ec.fieldContext_Env_CUSTOM_ACCESS_TOKEN_SCRIPT(ctx, field)
+			case "SMTP_HOST":
+				return ec.fieldContext_Env_SMTP_HOST(ctx, field)
+			case "SMTP_PORT":
+				return ec.fieldContext_Env_SMTP_PORT(ctx, field)
+			case "SMTP_USERNAME":
+				return ec.fieldContext_Env_SMTP_USERNAME(ctx, field)
+			case "SMTP_PASSWORD":
+				return ec.fieldContext_Env_SMTP_PASSWORD(ctx, field)
+			case "SMTP_LOCAL_NAME":
+				return ec.fieldContext_Env_SMTP_LOCAL_NAME(ctx, field)
+			case "SENDER_EMAIL":
+				return ec.fieldContext_Env_SENDER_EMAIL(ctx, field)
+			case "SENDER_NAME":
+				return ec.fieldContext_Env_SENDER_NAME(ctx, field)
+			case "JWT_TYPE":
+				return ec.fieldContext_Env_JWT_TYPE(ctx, field)
+			case "JWT_SECRET":
+				return ec.fieldContext_Env_JWT_SECRET(ctx, field)
+			case "JWT_PRIVATE_KEY":
+				return ec.fieldContext_Env_JWT_PRIVATE_KEY(ctx, field)
+			case "JWT_PUBLIC_KEY":
+				return ec.fieldContext_Env_JWT_PUBLIC_KEY(ctx, field)
+			case "ALLOWED_ORIGINS":
+				return ec.fieldContext_Env_ALLOWED_ORIGINS(ctx, field)
+			case "APP_URL":
+				return ec.fieldContext_Env_APP_URL(ctx, field)
+			case "REDIS_URL":
+				return ec.fieldContext_Env_REDIS_URL(ctx, field)
+			case "RESET_PASSWORD_URL":
+				return ec.fieldContext_Env_RESET_PASSWORD_URL(ctx, field)
+			case "DISABLE_EMAIL_VERIFICATION":
+				return ec.fieldContext_Env_DISABLE_EMAIL_VERIFICATION(ctx, field)
+			case "DISABLE_BASIC_AUTHENTICATION":
+				return ec.fieldContext_Env_DISABLE_BASIC_AUTHENTICATION(ctx, field)
+			case "DISABLE_MOBILE_BASIC_AUTHENTICATION":
+				return ec.fieldContext_Env_DISABLE_MOBILE_BASIC_AUTHENTICATION(ctx, field)
+			case "DISABLE_MAGIC_LINK_LOGIN":
+				return ec.fieldContext_Env_DISABLE_MAGIC_LINK_LOGIN(ctx, field)
+			case "DISABLE_LOGIN_PAGE":
+				return ec.fieldContext_Env_DISABLE_LOGIN_PAGE(ctx, field)
+			case "DISABLE_SIGN_UP":
+				return ec.fieldContext_Env_DISABLE_SIGN_UP(ctx, field)
+			case "DISABLE_REDIS_FOR_ENV":
+				return ec.fieldContext_Env_DISABLE_REDIS_FOR_ENV(ctx, field)
+			case "DISABLE_STRONG_PASSWORD":
+				return ec.fieldContext_Env_DISABLE_STRONG_PASSWORD(ctx, field)
+			case "DISABLE_MULTI_FACTOR_AUTHENTICATION":
+				return ec.fieldContext_Env_DISABLE_MULTI_FACTOR_AUTHENTICATION(ctx, field)
+			case "ENFORCE_MULTI_FACTOR_AUTHENTICATION":
+				return ec.fieldContext_Env_ENFORCE_MULTI_FACTOR_AUTHENTICATION(ctx, field)
+			case "ROLES":
+				return ec.fieldContext_Env_ROLES(ctx, field)
+			case "PROTECTED_ROLES":
+				return ec.fieldContext_Env_PROTECTED_ROLES(ctx, field)
+			case "DEFAULT_ROLES":
+				return ec.fieldContext_Env_DEFAULT_ROLES(ctx, field)
+			case "JWT_ROLE_CLAIM":
+				return ec.fieldContext_Env_JWT_ROLE_CLAIM(ctx, field)
+			case "GOOGLE_CLIENT_ID":
+				return ec.fieldContext_Env_GOOGLE_CLIENT_ID(ctx, field)
+			case "GOOGLE_CLIENT_SECRET":
+				return ec.fieldContext_Env_GOOGLE_CLIENT_SECRET(ctx, field)
+			case "GITHUB_CLIENT_ID":
+				return ec.fieldContext_Env_GITHUB_CLIENT_ID(ctx, field)
+			case "GITHUB_CLIENT_SECRET":
+				return ec.fieldContext_Env_GITHUB_CLIENT_SECRET(ctx, field)
+			case "FACEBOOK_CLIENT_ID":
+				return ec.fieldContext_Env_FACEBOOK_CLIENT_ID(ctx, field)
+			case "FACEBOOK_CLIENT_SECRET":
+				return ec.fieldContext_Env_FACEBOOK_CLIENT_SECRET(ctx, field)
+			case "LINKEDIN_CLIENT_ID":
+				return ec.fieldContext_Env_LINKEDIN_CLIENT_ID(ctx, field)
+			case "LINKEDIN_CLIENT_SECRET":
+				return ec.fieldContext_Env_LINKEDIN_CLIENT_SECRET(ctx, field)
+			case "APPLE_CLIENT_ID":
+				return ec.fieldContext_Env_APPLE_CLIENT_ID(ctx, field)
+			case "APPLE_CLIENT_SECRET":
+				return ec.fieldContext_Env_APPLE_CLIENT_SECRET(ctx, field)
+			case "DISCORD_CLIENT_ID":
+				return ec.fieldContext_Env_DISCORD_CLIENT_ID(ctx, field)
+			case "DISCORD_CLIENT_SECRET":
+				return ec.fieldContext_Env_DISCORD_CLIENT_SECRET(ctx, field)
+			case "TWITTER_CLIENT_ID":
+				return ec.fieldContext_Env_TWITTER_CLIENT_ID(ctx, field)
+			case "TWITTER_CLIENT_SECRET":
+				return ec.fieldContext_Env_TWITTER_CLIENT_SECRET(ctx, field)
+			case "MICROSOFT_CLIENT_ID":
+				return ec.fieldContext_Env_MICROSOFT_CLIENT_ID(ctx, field)
+			case "MICROSOFT_CLIENT_SECRET":
+				return ec.fieldContext_Env_MICROSOFT_CLIENT_SECRET(ctx, field)
+			case "MICROSOFT_ACTIVE_DIRECTORY_TENANT_ID":
+				return ec.fieldContext_Env_MICROSOFT_ACTIVE_DIRECTORY_TENANT_ID(ctx, field)
+			case "TWITCH_CLIENT_ID":
+				return ec.fieldContext_Env_TWITCH_CLIENT_ID(ctx, field)
+			case "TWITCH_CLIENT_SECRET":
+				return ec.fieldContext_Env_TWITCH_CLIENT_SECRET(ctx, field)
+			case "ROBLOX_CLIENT_ID":
+				return ec.fieldContext_Env_ROBLOX_CLIENT_ID(ctx, field)
+			case "ROBLOX_CLIENT_SECRET":
+				return ec.fieldContext_Env_ROBLOX_CLIENT_SECRET(ctx, field)
+			case "ORGANIZATION_NAME":
+				return ec.fieldContext_Env_ORGANIZATION_NAME(ctx, field)
+			case "ORGANIZATION_LOGO":
+				return ec.fieldContext_Env_ORGANIZATION_LOGO(ctx, field)
+			case "APP_COOKIE_SECURE":
+				return ec.fieldContext_Env_APP_COOKIE_SECURE(ctx, field)
+			case "ADMIN_COOKIE_SECURE":
+				return ec.fieldContext_Env_ADMIN_COOKIE_SECURE(ctx, field)
+			case "DEFAULT_AUTHORIZE_RESPONSE_TYPE":
+				return ec.fieldContext_Env_DEFAULT_AUTHORIZE_RESPONSE_TYPE(ctx, field)
+			case "DEFAULT_AUTHORIZE_RESPONSE_MODE":
+				return ec.fieldContext_Env_DEFAULT_AUTHORIZE_RESPONSE_MODE(ctx, field)
+			case "DISABLE_PLAYGROUND":
+				return ec.fieldContext_Env_DISABLE_PLAYGROUND(ctx, field)
+			case "DISABLE_MAIL_OTP_LOGIN":
+				return ec.fieldContext_Env_DISABLE_MAIL_OTP_LOGIN(ctx, field)
+			case "DISABLE_TOTP_LOGIN":
+				return ec.fieldContext_Env_DISABLE_TOTP_LOGIN(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type Env", field.Name)
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation__revoke_access_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation__enable_access(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation__enable_access(ctx, field)
+func (ec *executionContext) _Query__webhook(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Query__webhook(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -14854,7 +14484,7 @@ func (ec *executionContext) _Mutation__enable_access(ctx context.Context, field
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().EnableAccess(rctx, fc.Args["param"].(model.UpdateAccessRequest))
+		return ec.resolvers.Query().Webhook(rctx, fc.Args["params"].(model.WebhookRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -14866,23 +14496,37 @@ func (ec *executionContext) _Mutation__enable_access(ctx context.Context, field
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Response)
+	res := resTmp.(*model.Webhook)
 	fc.Result = res
-	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
+	return ec.marshalNWebhook2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐWebhook(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation__enable_access(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Query__webhook(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "Query",
 		Field:      field,
 		IsMethod:   true,
 		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			switch field.Name {
-			case "message":
-				return ec.fieldContext_Response_message(ctx, field)
+			case "id":
+				return ec.fieldContext_Webhook_id(ctx, field)
+			case "event_name":
+				return ec.fieldContext_Webhook_event_name(ctx, field)
+			case "event_description":
+				return ec.fieldContext_Webhook_event_description(ctx, field)
+			case "endpoint":
+				return ec.fieldContext_Webhook_endpoint(ctx, field)
+			case "enabled":
+				return ec.fieldContext_Webhook_enabled(ctx, field)
+			case "headers":
+				return ec.fieldContext_Webhook_headers(ctx, field)
+			case "created_at":
+				return ec.fieldContext_Webhook_created_at(ctx, field)
+			case "updated_at":
+				return ec.fieldContext_Webhook_updated_at(ctx, field)
 			}
-			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
+			return nil, fmt.Errorf("no field named %q was found under type Webhook", field.Name)
 		},
 	}
 	defer func() {
@@ -14892,15 +14536,15 @@ func (ec *executionContext) fieldContext_Mutation__enable_access(ctx context.Con
 		}
 	}()
 	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation__enable_access_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+	if fc.Args, err = ec.field_Query__webhook_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
 		ec.Error(ctx, err)
 		return fc, err
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation__generate_jwt_keys(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation__generate_jwt_keys(ctx, field)
+func (ec *executionContext) _Query__webhooks(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Query__webhooks(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -14913,7 +14557,7 @@ func (ec *executionContext) _Mutation__generate_jwt_keys(ctx context.Context, fi
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().GenerateJwtKeys(rctx, fc.Args["params"].(model.GenerateJWTKeysRequest))
+		return ec.resolvers.Query().Webhooks(rctx, fc.Args["params"].(*model.PaginatedRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -14925,27 +14569,25 @@ func (ec *executionContext) _Mutation__generate_jwt_keys(ctx context.Context, fi
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.GenerateJWTKeysResponse)
+	res := resTmp.(*model.Webhooks)
 	fc.Result = res
-	return ec.marshalNGenerateJWTKeysResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐGenerateJWTKeysResponse(ctx, field.Selections, res)
+	return ec.marshalNWebhooks2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐWebhooks(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation__generate_jwt_keys(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Query__webhooks(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "Query",
 		Field:      field,
 		IsMethod:   true,
 		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			switch field.Name {
-			case "secret":
-				return ec.fieldContext_GenerateJWTKeysResponse_secret(ctx, field)
-			case "public_key":
-				return ec.fieldContext_GenerateJWTKeysResponse_public_key(ctx, field)
-			case "private_key":
-				return ec.fieldContext_GenerateJWTKeysResponse_private_key(ctx, field)
+			case "pagination":
+				return ec.fieldContext_Webhooks_pagination(ctx, field)
+			case "webhooks":
+				return ec.fieldContext_Webhooks_webhooks(ctx, field)
 			}
-			return nil, fmt.Errorf("no field named %q was found under type GenerateJWTKeysResponse", field.Name)
+			return nil, fmt.Errorf("no field named %q was found under type Webhooks", field.Name)
 		},
 	}
 	defer func() {
@@ -14955,15 +14597,15 @@ func (ec *executionContext) fieldContext_Mutation__generate_jwt_keys(ctx context
 		}
 	}()
 	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation__generate_jwt_keys_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+	if fc.Args, err = ec.field_Query__webhooks_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
 		ec.Error(ctx, err)
 		return fc, err
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation__add_webhook(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation__add_webhook(ctx, field)
+func (ec *executionContext) _Query__webhook_logs(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Query__webhook_logs(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -14976,7 +14618,7 @@ func (ec *executionContext) _Mutation__add_webhook(ctx context.Context, field gr
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().AddWebhook(rctx, fc.Args["params"].(model.AddWebhookRequest))
+		return ec.resolvers.Query().WebhookLogs(rctx, fc.Args["params"].(*model.ListWebhookLogRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -14988,23 +14630,25 @@ func (ec *executionContext) _Mutation__add_webhook(ctx context.Context, field gr
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Response)
+	res := resTmp.(*model.WebhookLogs)
 	fc.Result = res
-	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
+	return ec.marshalNWebhookLogs2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐWebhookLogs(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation__add_webhook(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Query__webhook_logs(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "Query",
 		Field:      field,
 		IsMethod:   true,
 		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			switch field.Name {
-			case "message":
-				return ec.fieldContext_Response_message(ctx, field)
+			case "pagination":
+				return ec.fieldContext_WebhookLogs_pagination(ctx, field)
+			case "webhook_logs":
+				return ec.fieldContext_WebhookLogs_webhook_logs(ctx, field)
 			}
-			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
+			return nil, fmt.Errorf("no field named %q was found under type WebhookLogs", field.Name)
 		},
 	}
 	defer func() {
@@ -15014,15 +14658,15 @@ func (ec *executionContext) fieldContext_Mutation__add_webhook(ctx context.Conte
 		}
 	}()
 	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation__add_webhook_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+	if fc.Args, err = ec.field_Query__webhook_logs_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
 		ec.Error(ctx, err)
 		return fc, err
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation__update_webhook(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation__update_webhook(ctx, field)
+func (ec *executionContext) _Query__email_templates(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Query__email_templates(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -15035,7 +14679,7 @@ func (ec *executionContext) _Mutation__update_webhook(ctx context.Context, field
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().UpdateWebhook(rctx, fc.Args["params"].(model.UpdateWebhookRequest))
+		return ec.resolvers.Query().EmailTemplates(rctx, fc.Args["params"].(*model.PaginatedRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -15047,23 +14691,25 @@ func (ec *executionContext) _Mutation__update_webhook(ctx context.Context, field
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Response)
+	res := resTmp.(*model.EmailTemplates)
 	fc.Result = res
-	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
+	return ec.marshalNEmailTemplates2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐEmailTemplates(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation__update_webhook(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Query__email_templates(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "Query",
 		Field:      field,
 		IsMethod:   true,
 		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			switch field.Name {
-			case "message":
-				return ec.fieldContext_Response_message(ctx, field)
+			case "pagination":
+				return ec.fieldContext_EmailTemplates_pagination(ctx, field)
+			case "email_templates":
+				return ec.fieldContext_EmailTemplates_email_templates(ctx, field)
 			}
-			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
+			return nil, fmt.Errorf("no field named %q was found under type EmailTemplates", field.Name)
 		},
 	}
 	defer func() {
@@ -15073,15 +14719,15 @@ func (ec *executionContext) fieldContext_Mutation__update_webhook(ctx context.Co
 		}
 	}()
 	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation__update_webhook_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+	if fc.Args, err = ec.field_Query__email_templates_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
 		ec.Error(ctx, err)
 		return fc, err
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation__delete_webhook(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation__delete_webhook(ctx, field)
+func (ec *executionContext) _Query__audit_logs(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Query__audit_logs(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -15094,7 +14740,7 @@ func (ec *executionContext) _Mutation__delete_webhook(ctx context.Context, field
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().DeleteWebhook(rctx, fc.Args["params"].(model.WebhookRequest))
+		return ec.resolvers.Query().AuditLogs(rctx, fc.Args["params"].(*model.ListAuditLogRequest))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -15106,23 +14752,25 @@ func (ec *executionContext) _Mutation__delete_webhook(ctx context.Context, field
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Response)
+	res := resTmp.(*model.AuditLogs)
 	fc.Result = res
-	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
+	return ec.marshalNAuditLogs2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuditLogs(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation__delete_webhook(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Query__audit_logs(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "Query",
 		Field:      field,
 		IsMethod:   true,
 		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			switch field.Name {
-			case "message":
-				return ec.fieldContext_Response_message(ctx, field)
+			case "pagination":
+				return ec.fieldContext_AuditLogs_pagination(ctx, field)
+			case "audit_logs":
+				return ec.fieldContext_AuditLogs_audit_logs(ctx, field)
 			}
-			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
+			return nil, fmt.Errorf("no field named %q was found under type AuditLogs", field.Name)
 		},
 	}
 	defer func() {
@@ -15132,15 +14780,15 @@ func (ec *executionContext) fieldContext_Mutation__delete_webhook(ctx context.Co
 		}
 	}()
 	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation__delete_webhook_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+	if fc.Args, err = ec.field_Query__audit_logs_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
 		ec.Error(ctx, err)
 		return fc, err
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation__test_endpoint(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation__test_endpoint(ctx, field)
+func (ec *executionContext) _Query__fga_get_model(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Query__fga_get_model(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -15153,7 +14801,7 @@ func (ec *executionContext) _Mutation__test_endpoint(ctx context.Context, field
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().TestEndpoint(rctx, fc.Args["params"].(model.TestEndpointRequest))
+		return ec.resolvers.Query().FgaGetModel(rctx)
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -15165,43 +14813,32 @@ func (ec *executionContext) _Mutation__test_endpoint(ctx context.Context, field
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.TestEndpointResponse)
+	res := resTmp.(*model.FgaModel)
 	fc.Result = res
-	return ec.marshalNTestEndpointResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐTestEndpointResponse(ctx, field.Selections, res)
+	return ec.marshalNFgaModel2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaModel(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation__test_endpoint(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Query__fga_get_model(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "Query",
 		Field:      field,
 		IsMethod:   true,
 		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			switch field.Name {
-			case "http_status":
-				return ec.fieldContext_TestEndpointResponse_http_status(ctx, field)
-			case "response":
-				return ec.fieldContext_TestEndpointResponse_response(ctx, field)
+			case "id":
+				return ec.fieldContext_FgaModel_id(ctx, field)
+			case "dsl":
+				return ec.fieldContext_FgaModel_dsl(ctx, field)
 			}
-			return nil, fmt.Errorf("no field named %q was found under type TestEndpointResponse", field.Name)
+			return nil, fmt.Errorf("no field named %q was found under type FgaModel", field.Name)
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation__test_endpoint_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation__add_email_template(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation__add_email_template(ctx, field)
+func (ec *executionContext) _Query__fga_read_tuples(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Query__fga_read_tuples(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -15214,7 +14851,7 @@ func (ec *executionContext) _Mutation__add_email_template(ctx context.Context, f
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().AddEmailTemplate(rctx, fc.Args["params"].(model.AddEmailTemplateRequest))
+		return ec.resolvers.Query().FgaReadTuples(rctx, fc.Args["params"].(model.FgaReadTuplesInput))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -15226,23 +14863,25 @@ func (ec *executionContext) _Mutation__add_email_template(ctx context.Context, f
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Response)
+	res := resTmp.(*model.FgaTuples)
 	fc.Result = res
-	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
+	return ec.marshalNFgaTuples2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaTuples(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation__add_email_template(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Query__fga_read_tuples(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "Query",
 		Field:      field,
 		IsMethod:   true,
 		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			switch field.Name {
-			case "message":
-				return ec.fieldContext_Response_message(ctx, field)
+			case "tuples":
+				return ec.fieldContext_FgaTuples_tuples(ctx, field)
+			case "continuation_token":
+				return ec.fieldContext_FgaTuples_continuation_token(ctx, field)
 			}
-			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
+			return nil, fmt.Errorf("no field named %q was found under type FgaTuples", field.Name)
 		},
 	}
 	defer func() {
@@ -15252,15 +14891,15 @@ func (ec *executionContext) fieldContext_Mutation__add_email_template(ctx contex
 		}
 	}()
 	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation__add_email_template_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+	if fc.Args, err = ec.field_Query__fga_read_tuples_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
 		ec.Error(ctx, err)
 		return fc, err
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation__update_email_template(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation__update_email_template(ctx, field)
+func (ec *executionContext) _Query_fga_check(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Query_fga_check(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -15273,7 +14912,7 @@ func (ec *executionContext) _Mutation__update_email_template(ctx context.Context
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().UpdateEmailTemplate(rctx, fc.Args["params"].(model.UpdateEmailTemplateRequest))
+		return ec.resolvers.Query().FgaCheck(rctx, fc.Args["params"].(model.FgaCheckInput))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -15285,23 +14924,23 @@ func (ec *executionContext) _Mutation__update_email_template(ctx context.Context
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Response)
+	res := resTmp.(*model.FgaCheckResponse)
 	fc.Result = res
-	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
+	return ec.marshalNFgaCheckResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaCheckResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation__update_email_template(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Query_fga_check(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "Query",
 		Field:      field,
 		IsMethod:   true,
 		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			switch field.Name {
-			case "message":
-				return ec.fieldContext_Response_message(ctx, field)
+			case "allowed":
+				return ec.fieldContext_FgaCheckResponse_allowed(ctx, field)
 			}
-			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
+			return nil, fmt.Errorf("no field named %q was found under type FgaCheckResponse", field.Name)
 		},
 	}
 	defer func() {
@@ -15311,15 +14950,15 @@ func (ec *executionContext) fieldContext_Mutation__update_email_template(ctx con
 		}
 	}()
 	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation__update_email_template_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+	if fc.Args, err = ec.field_Query_fga_check_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
 		ec.Error(ctx, err)
 		return fc, err
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation__delete_email_template(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation__delete_email_template(ctx, field)
+func (ec *executionContext) _Query_fga_batch_check(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Query_fga_batch_check(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -15332,7 +14971,7 @@ func (ec *executionContext) _Mutation__delete_email_template(ctx context.Context
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().DeleteEmailTemplate(rctx, fc.Args["params"].(model.DeleteEmailTemplateRequest))
+		return ec.resolvers.Query().FgaBatchCheck(rctx, fc.Args["params"].(model.FgaBatchCheckInput))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -15344,23 +14983,23 @@ func (ec *executionContext) _Mutation__delete_email_template(ctx context.Context
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Response)
+	res := resTmp.(*model.FgaBatchCheckResponse)
 	fc.Result = res
-	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
+	return ec.marshalNFgaBatchCheckResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaBatchCheckResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation__delete_email_template(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Query_fga_batch_check(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "Query",
 		Field:      field,
 		IsMethod:   true,
 		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			switch field.Name {
-			case "message":
-				return ec.fieldContext_Response_message(ctx, field)
+			case "results":
+				return ec.fieldContext_FgaBatchCheckResponse_results(ctx, field)
 			}
-			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
+			return nil, fmt.Errorf("no field named %q was found under type FgaBatchCheckResponse", field.Name)
 		},
 	}
 	defer func() {
@@ -15370,15 +15009,15 @@ func (ec *executionContext) fieldContext_Mutation__delete_email_template(ctx con
 		}
 	}()
 	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation__delete_email_template_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+	if fc.Args, err = ec.field_Query_fga_batch_check_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
 		ec.Error(ctx, err)
 		return fc, err
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation__authz_add_resource(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation__authz_add_resource(ctx, field)
+func (ec *executionContext) _Query_fga_list_objects(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Query_fga_list_objects(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -15391,7 +15030,7 @@ func (ec *executionContext) _Mutation__authz_add_resource(ctx context.Context, f
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().AuthzAddResource(rctx, fc.Args["params"].(model.AddResourceInput))
+		return ec.resolvers.Query().FgaListObjects(rctx, fc.Args["params"].(model.FgaListObjectsInput))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -15403,31 +15042,23 @@ func (ec *executionContext) _Mutation__authz_add_resource(ctx context.Context, f
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.AuthzResource)
+	res := resTmp.(*model.FgaListObjectsResponse)
 	fc.Result = res
-	return ec.marshalNAuthzResource2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzResource(ctx, field.Selections, res)
+	return ec.marshalNFgaListObjectsResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaListObjectsResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation__authz_add_resource(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Query_fga_list_objects(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "Query",
 		Field:      field,
 		IsMethod:   true,
 		IsResolver: true,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			switch field.Name {
-			case "id":
-				return ec.fieldContext_AuthzResource_id(ctx, field)
-			case "name":
-				return ec.fieldContext_AuthzResource_name(ctx, field)
-			case "description":
-				return ec.fieldContext_AuthzResource_description(ctx, field)
-			case "created_at":
-				return ec.fieldContext_AuthzResource_created_at(ctx, field)
-			case "updated_at":
-				return ec.fieldContext_AuthzResource_updated_at(ctx, field)
+			case "objects":
+				return ec.fieldContext_FgaListObjectsResponse_objects(ctx, field)
 			}
-			return nil, fmt.Errorf("no field named %q was found under type AuthzResource", field.Name)
+			return nil, fmt.Errorf("no field named %q was found under type FgaListObjectsResponse", field.Name)
 		},
 	}
 	defer func() {
@@ -15437,15 +15068,15 @@ func (ec *executionContext) fieldContext_Mutation__authz_add_resource(ctx contex
 		}
 	}()
 	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation__authz_add_resource_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+	if fc.Args, err = ec.field_Query_fga_list_objects_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
 		ec.Error(ctx, err)
 		return fc, err
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation__authz_update_resource(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation__authz_update_resource(ctx, field)
+func (ec *executionContext) _Query___type(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Query___type(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -15458,43 +15089,52 @@ func (ec *executionContext) _Mutation__authz_update_resource(ctx context.Context
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().AuthzUpdateResource(rctx, fc.Args["params"].(model.UpdateResourceInput))
+		return ec.introspectType(fc.Args["name"].(string))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.AuthzResource)
+	res := resTmp.(*introspection.Type)
 	fc.Result = res
-	return ec.marshalNAuthzResource2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzResource(ctx, field.Selections, res)
+	return ec.marshalO__Type2ᚖgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐType(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation__authz_update_resource(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Query___type(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "Query",
 		Field:      field,
 		IsMethod:   true,
-		IsResolver: true,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			switch field.Name {
-			case "id":
-				return ec.fieldContext_AuthzResource_id(ctx, field)
+			case "kind":
+				return ec.fieldContext___Type_kind(ctx, field)
 			case "name":
-				return ec.fieldContext_AuthzResource_name(ctx, field)
+				return ec.fieldContext___Type_name(ctx, field)
 			case "description":
-				return ec.fieldContext_AuthzResource_description(ctx, field)
-			case "created_at":
-				return ec.fieldContext_AuthzResource_created_at(ctx, field)
-			case "updated_at":
-				return ec.fieldContext_AuthzResource_updated_at(ctx, field)
+				return ec.fieldContext___Type_description(ctx, field)
+			case "specifiedByURL":
+				return ec.fieldContext___Type_specifiedByURL(ctx, field)
+			case "fields":
+				return ec.fieldContext___Type_fields(ctx, field)
+			case "interfaces":
+				return ec.fieldContext___Type_interfaces(ctx, field)
+			case "possibleTypes":
+				return ec.fieldContext___Type_possibleTypes(ctx, field)
+			case "enumValues":
+				return ec.fieldContext___Type_enumValues(ctx, field)
+			case "inputFields":
+				return ec.fieldContext___Type_inputFields(ctx, field)
+			case "ofType":
+				return ec.fieldContext___Type_ofType(ctx, field)
+			case "isOneOf":
+				return ec.fieldContext___Type_isOneOf(ctx, field)
 			}
-			return nil, fmt.Errorf("no field named %q was found under type AuthzResource", field.Name)
+			return nil, fmt.Errorf("no field named %q was found under type __Type", field.Name)
 		},
 	}
 	defer func() {
@@ -15504,15 +15144,15 @@ func (ec *executionContext) fieldContext_Mutation__authz_update_resource(ctx con
 		}
 	}()
 	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation__authz_update_resource_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+	if fc.Args, err = ec.field_Query___type_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
 		ec.Error(ctx, err)
 		return fc, err
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation__authz_delete_resource(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation__authz_delete_resource(ctx, field)
+func (ec *executionContext) _Query___schema(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Query___schema(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -15525,53 +15165,49 @@ func (ec *executionContext) _Mutation__authz_delete_resource(ctx context.Context
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().AuthzDeleteResource(rctx, fc.Args["id"].(string))
+		return ec.introspectSchema()
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Response)
+	res := resTmp.(*introspection.Schema)
 	fc.Result = res
-	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
+	return ec.marshalO__Schema2ᚖgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐSchema(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation__authz_delete_resource(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Query___schema(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "Query",
 		Field:      field,
 		IsMethod:   true,
-		IsResolver: true,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			switch field.Name {
-			case "message":
-				return ec.fieldContext_Response_message(ctx, field)
+			case "description":
+				return ec.fieldContext___Schema_description(ctx, field)
+			case "types":
+				return ec.fieldContext___Schema_types(ctx, field)
+			case "queryType":
+				return ec.fieldContext___Schema_queryType(ctx, field)
+			case "mutationType":
+				return ec.fieldContext___Schema_mutationType(ctx, field)
+			case "subscriptionType":
+				return ec.fieldContext___Schema_subscriptionType(ctx, field)
+			case "directives":
+				return ec.fieldContext___Schema_directives(ctx, field)
 			}
-			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
+			return nil, fmt.Errorf("no field named %q was found under type __Schema", field.Name)
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation__authz_delete_resource_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation__authz_add_scope(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation__authz_add_scope(ctx, field)
+func (ec *executionContext) _Response_message(ctx context.Context, field graphql.CollectedField, obj *model.Response) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Response_message(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -15584,7 +15220,7 @@ func (ec *executionContext) _Mutation__authz_add_scope(ctx context.Context, fiel
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().AuthzAddScope(rctx, fc.Args["params"].(model.AddScopeInput))
+		return obj.Message, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -15596,49 +15232,26 @@ func (ec *executionContext) _Mutation__authz_add_scope(ctx context.Context, fiel
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.AuthzScope)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalNAuthzScope2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzScope(ctx, field.Selections, res)
+	return ec.marshalNString2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation__authz_add_scope(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Response_message(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "Response",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "id":
-				return ec.fieldContext_AuthzScope_id(ctx, field)
-			case "name":
-				return ec.fieldContext_AuthzScope_name(ctx, field)
-			case "description":
-				return ec.fieldContext_AuthzScope_description(ctx, field)
-			case "created_at":
-				return ec.fieldContext_AuthzScope_created_at(ctx, field)
-			case "updated_at":
-				return ec.fieldContext_AuthzScope_updated_at(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type AuthzScope", field.Name)
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation__authz_add_scope_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation__authz_update_scope(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation__authz_update_scope(ctx, field)
+func (ec *executionContext) _TestEndpointResponse_http_status(ctx context.Context, field graphql.CollectedField, obj *model.TestEndpointResponse) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_TestEndpointResponse_http_status(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -15651,61 +15264,35 @@ func (ec *executionContext) _Mutation__authz_update_scope(ctx context.Context, f
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().AuthzUpdateScope(rctx, fc.Args["params"].(model.UpdateScopeInput))
+		return obj.HTTPStatus, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.AuthzScope)
+	res := resTmp.(*int64)
 	fc.Result = res
-	return ec.marshalNAuthzScope2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzScope(ctx, field.Selections, res)
+	return ec.marshalOInt642ᚖint64(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation__authz_update_scope(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_TestEndpointResponse_http_status(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "TestEndpointResponse",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "id":
-				return ec.fieldContext_AuthzScope_id(ctx, field)
-			case "name":
-				return ec.fieldContext_AuthzScope_name(ctx, field)
-			case "description":
-				return ec.fieldContext_AuthzScope_description(ctx, field)
-			case "created_at":
-				return ec.fieldContext_AuthzScope_created_at(ctx, field)
-			case "updated_at":
-				return ec.fieldContext_AuthzScope_updated_at(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type AuthzScope", field.Name)
+			return nil, errors.New("field of type Int64 does not have child fields")
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation__authz_update_scope_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation__authz_delete_scope(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation__authz_delete_scope(ctx, field)
+func (ec *executionContext) _TestEndpointResponse_response(ctx context.Context, field graphql.CollectedField, obj *model.TestEndpointResponse) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_TestEndpointResponse_response(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -15718,53 +15305,35 @@ func (ec *executionContext) _Mutation__authz_delete_scope(ctx context.Context, f
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().AuthzDeleteScope(rctx, fc.Args["id"].(string))
+		return obj.Response, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Response)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation__authz_delete_scope(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_TestEndpointResponse_response(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "TestEndpointResponse",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "message":
-				return ec.fieldContext_Response_message(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation__authz_delete_scope_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation__authz_add_policy(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation__authz_add_policy(ctx, field)
+func (ec *executionContext) _User_id(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_User_id(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -15777,7 +15346,7 @@ func (ec *executionContext) _Mutation__authz_add_policy(ctx context.Context, fie
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().AuthzAddPolicy(rctx, fc.Args["params"].(model.AddPolicyInput))
+		return obj.ID, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -15789,57 +15358,26 @@ func (ec *executionContext) _Mutation__authz_add_policy(ctx context.Context, fie
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.AuthzPolicy)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalNAuthzPolicy2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzPolicy(ctx, field.Selections, res)
+	return ec.marshalNID2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation__authz_add_policy(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_User_id(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "User",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "id":
-				return ec.fieldContext_AuthzPolicy_id(ctx, field)
-			case "name":
-				return ec.fieldContext_AuthzPolicy_name(ctx, field)
-			case "description":
-				return ec.fieldContext_AuthzPolicy_description(ctx, field)
-			case "type":
-				return ec.fieldContext_AuthzPolicy_type(ctx, field)
-			case "logic":
-				return ec.fieldContext_AuthzPolicy_logic(ctx, field)
-			case "decision_strategy":
-				return ec.fieldContext_AuthzPolicy_decision_strategy(ctx, field)
-			case "targets":
-				return ec.fieldContext_AuthzPolicy_targets(ctx, field)
-			case "created_at":
-				return ec.fieldContext_AuthzPolicy_created_at(ctx, field)
-			case "updated_at":
-				return ec.fieldContext_AuthzPolicy_updated_at(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type AuthzPolicy", field.Name)
+			return nil, errors.New("field of type ID does not have child fields")
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation__authz_add_policy_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation__authz_update_policy(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation__authz_update_policy(ctx, field)
+func (ec *executionContext) _User_email(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_User_email(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -15852,69 +15390,35 @@ func (ec *executionContext) _Mutation__authz_update_policy(ctx context.Context,
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().AuthzUpdatePolicy(rctx, fc.Args["params"].(model.UpdatePolicyInput))
+		return obj.Email, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.AuthzPolicy)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNAuthzPolicy2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzPolicy(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation__authz_update_policy(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_User_email(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "User",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "id":
-				return ec.fieldContext_AuthzPolicy_id(ctx, field)
-			case "name":
-				return ec.fieldContext_AuthzPolicy_name(ctx, field)
-			case "description":
-				return ec.fieldContext_AuthzPolicy_description(ctx, field)
-			case "type":
-				return ec.fieldContext_AuthzPolicy_type(ctx, field)
-			case "logic":
-				return ec.fieldContext_AuthzPolicy_logic(ctx, field)
-			case "decision_strategy":
-				return ec.fieldContext_AuthzPolicy_decision_strategy(ctx, field)
-			case "targets":
-				return ec.fieldContext_AuthzPolicy_targets(ctx, field)
-			case "created_at":
-				return ec.fieldContext_AuthzPolicy_created_at(ctx, field)
-			case "updated_at":
-				return ec.fieldContext_AuthzPolicy_updated_at(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type AuthzPolicy", field.Name)
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation__authz_update_policy_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation__authz_delete_policy(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation__authz_delete_policy(ctx, field)
+func (ec *executionContext) _User_email_verified(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_User_email_verified(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -15927,7 +15431,7 @@ func (ec *executionContext) _Mutation__authz_delete_policy(ctx context.Context,
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().AuthzDeletePolicy(rctx, fc.Args["id"].(string))
+		return obj.EmailVerified, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -15939,41 +15443,26 @@ func (ec *executionContext) _Mutation__authz_delete_policy(ctx context.Context,
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Response)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation__authz_delete_policy(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_User_email_verified(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "User",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "message":
-				return ec.fieldContext_Response_message(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation__authz_delete_policy_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation__authz_add_permission(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation__authz_add_permission(ctx, field)
+func (ec *executionContext) _User_signup_methods(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_User_signup_methods(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -15986,7 +15475,7 @@ func (ec *executionContext) _Mutation__authz_add_permission(ctx context.Context,
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().AuthzAddPermission(rctx, fc.Args["params"].(model.AddPermissionInput))
+		return obj.SignupMethods, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -15998,57 +15487,26 @@ func (ec *executionContext) _Mutation__authz_add_permission(ctx context.Context,
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.AuthzPermission)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalNAuthzPermission2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzPermission(ctx, field.Selections, res)
+	return ec.marshalNString2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation__authz_add_permission(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_User_signup_methods(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "User",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "id":
-				return ec.fieldContext_AuthzPermission_id(ctx, field)
-			case "name":
-				return ec.fieldContext_AuthzPermission_name(ctx, field)
-			case "description":
-				return ec.fieldContext_AuthzPermission_description(ctx, field)
-			case "resource":
-				return ec.fieldContext_AuthzPermission_resource(ctx, field)
-			case "scopes":
-				return ec.fieldContext_AuthzPermission_scopes(ctx, field)
-			case "policies":
-				return ec.fieldContext_AuthzPermission_policies(ctx, field)
-			case "decision_strategy":
-				return ec.fieldContext_AuthzPermission_decision_strategy(ctx, field)
-			case "created_at":
-				return ec.fieldContext_AuthzPermission_created_at(ctx, field)
-			case "updated_at":
-				return ec.fieldContext_AuthzPermission_updated_at(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type AuthzPermission", field.Name)
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation__authz_add_permission_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation__authz_update_permission(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation__authz_update_permission(ctx, field)
+func (ec *executionContext) _User_given_name(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_User_given_name(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -16061,69 +15519,35 @@ func (ec *executionContext) _Mutation__authz_update_permission(ctx context.Conte
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().AuthzUpdatePermission(rctx, fc.Args["params"].(model.UpdatePermissionInput))
+		return obj.GivenName, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.AuthzPermission)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNAuthzPermission2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzPermission(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation__authz_update_permission(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_User_given_name(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "User",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "id":
-				return ec.fieldContext_AuthzPermission_id(ctx, field)
-			case "name":
-				return ec.fieldContext_AuthzPermission_name(ctx, field)
-			case "description":
-				return ec.fieldContext_AuthzPermission_description(ctx, field)
-			case "resource":
-				return ec.fieldContext_AuthzPermission_resource(ctx, field)
-			case "scopes":
-				return ec.fieldContext_AuthzPermission_scopes(ctx, field)
-			case "policies":
-				return ec.fieldContext_AuthzPermission_policies(ctx, field)
-			case "decision_strategy":
-				return ec.fieldContext_AuthzPermission_decision_strategy(ctx, field)
-			case "created_at":
-				return ec.fieldContext_AuthzPermission_created_at(ctx, field)
-			case "updated_at":
-				return ec.fieldContext_AuthzPermission_updated_at(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type AuthzPermission", field.Name)
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation__authz_update_permission_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Mutation__authz_delete_permission(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Mutation__authz_delete_permission(ctx, field)
+func (ec *executionContext) _User_family_name(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_User_family_name(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -16136,53 +15560,35 @@ func (ec *executionContext) _Mutation__authz_delete_permission(ctx context.Conte
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Mutation().AuthzDeletePermission(rctx, fc.Args["id"].(string))
+		return obj.FamilyName, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Response)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Mutation__authz_delete_permission(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_User_family_name(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Mutation",
+		Object:     "User",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "message":
-				return ec.fieldContext_Response_message(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Mutation__authz_delete_permission_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Pagination_limit(ctx context.Context, field graphql.CollectedField, obj *model.Pagination) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Pagination_limit(ctx, field)
+func (ec *executionContext) _User_middle_name(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_User_middle_name(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -16195,38 +15601,35 @@ func (ec *executionContext) _Pagination_limit(ctx context.Context, field graphql
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Limit, nil
+		return obj.MiddleName, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(int64)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNInt642int64(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Pagination_limit(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_User_middle_name(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Pagination",
+		Object:     "User",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Int64 does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Pagination_page(ctx context.Context, field graphql.CollectedField, obj *model.Pagination) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Pagination_page(ctx, field)
+func (ec *executionContext) _User_nickname(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_User_nickname(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -16239,38 +15642,35 @@ func (ec *executionContext) _Pagination_page(ctx context.Context, field graphql.
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Page, nil
+		return obj.Nickname, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(int64)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNInt642int64(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Pagination_page(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_User_nickname(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Pagination",
+		Object:     "User",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Int64 does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Pagination_offset(ctx context.Context, field graphql.CollectedField, obj *model.Pagination) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Pagination_offset(ctx, field)
+func (ec *executionContext) _User_preferred_username(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_User_preferred_username(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -16283,38 +15683,35 @@ func (ec *executionContext) _Pagination_offset(ctx context.Context, field graphq
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Offset, nil
+		return obj.PreferredUsername, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(int64)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNInt642int64(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Pagination_offset(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_User_preferred_username(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Pagination",
+		Object:     "User",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Int64 does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Pagination_total(ctx context.Context, field graphql.CollectedField, obj *model.Pagination) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Pagination_total(ctx, field)
+func (ec *executionContext) _User_gender(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_User_gender(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -16327,38 +15724,35 @@ func (ec *executionContext) _Pagination_total(ctx context.Context, field graphql
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Total, nil
+		return obj.Gender, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(int64)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNInt642int64(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Pagination_total(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_User_gender(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Pagination",
+		Object:     "User",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Int64 does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Permission_resource(ctx context.Context, field graphql.CollectedField, obj *model.Permission) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Permission_resource(ctx, field)
+func (ec *executionContext) _User_birthdate(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_User_birthdate(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -16371,26 +15765,23 @@ func (ec *executionContext) _Permission_resource(ctx context.Context, field grap
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Resource, nil
+		return obj.Birthdate, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(string)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNString2string(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Permission_resource(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_User_birthdate(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Permission",
+		Object:     "User",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -16401,8 +15792,8 @@ func (ec *executionContext) fieldContext_Permission_resource(_ context.Context,
 	return fc, nil
 }
 
-func (ec *executionContext) _Permission_scope(ctx context.Context, field graphql.CollectedField, obj *model.Permission) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Permission_scope(ctx, field)
+func (ec *executionContext) _User_phone_number(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_User_phone_number(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -16415,26 +15806,23 @@ func (ec *executionContext) _Permission_scope(ctx context.Context, field graphql
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Scope, nil
+		return obj.PhoneNumber, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(string)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNString2string(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Permission_scope(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_User_phone_number(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Permission",
+		Object:     "User",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -16445,8 +15833,8 @@ func (ec *executionContext) fieldContext_Permission_scope(_ context.Context, fie
 	return fc, nil
 }
 
-func (ec *executionContext) _Query_meta(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Query_meta(ctx, field)
+func (ec *executionContext) _User_phone_number_verified(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_User_phone_number_verified(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -16459,7 +15847,7 @@ func (ec *executionContext) _Query_meta(ctx context.Context, field graphql.Colle
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Query().Meta(rctx)
+		return obj.PhoneNumberVerified, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -16471,68 +15859,26 @@ func (ec *executionContext) _Query_meta(ctx context.Context, field graphql.Colle
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Meta)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalNMeta2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐMeta(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Query_meta(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_User_phone_number_verified(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Query",
+		Object:     "User",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "version":
-				return ec.fieldContext_Meta_version(ctx, field)
-			case "client_id":
-				return ec.fieldContext_Meta_client_id(ctx, field)
-			case "is_google_login_enabled":
-				return ec.fieldContext_Meta_is_google_login_enabled(ctx, field)
-			case "is_facebook_login_enabled":
-				return ec.fieldContext_Meta_is_facebook_login_enabled(ctx, field)
-			case "is_github_login_enabled":
-				return ec.fieldContext_Meta_is_github_login_enabled(ctx, field)
-			case "is_linkedin_login_enabled":
-				return ec.fieldContext_Meta_is_linkedin_login_enabled(ctx, field)
-			case "is_apple_login_enabled":
-				return ec.fieldContext_Meta_is_apple_login_enabled(ctx, field)
-			case "is_discord_login_enabled":
-				return ec.fieldContext_Meta_is_discord_login_enabled(ctx, field)
-			case "is_twitter_login_enabled":
-				return ec.fieldContext_Meta_is_twitter_login_enabled(ctx, field)
-			case "is_microsoft_login_enabled":
-				return ec.fieldContext_Meta_is_microsoft_login_enabled(ctx, field)
-			case "is_twitch_login_enabled":
-				return ec.fieldContext_Meta_is_twitch_login_enabled(ctx, field)
-			case "is_roblox_login_enabled":
-				return ec.fieldContext_Meta_is_roblox_login_enabled(ctx, field)
-			case "is_email_verification_enabled":
-				return ec.fieldContext_Meta_is_email_verification_enabled(ctx, field)
-			case "is_basic_authentication_enabled":
-				return ec.fieldContext_Meta_is_basic_authentication_enabled(ctx, field)
-			case "is_magic_link_login_enabled":
-				return ec.fieldContext_Meta_is_magic_link_login_enabled(ctx, field)
-			case "is_sign_up_enabled":
-				return ec.fieldContext_Meta_is_sign_up_enabled(ctx, field)
-			case "is_strong_password_enabled":
-				return ec.fieldContext_Meta_is_strong_password_enabled(ctx, field)
-			case "is_multi_factor_auth_enabled":
-				return ec.fieldContext_Meta_is_multi_factor_auth_enabled(ctx, field)
-			case "is_mobile_basic_authentication_enabled":
-				return ec.fieldContext_Meta_is_mobile_basic_authentication_enabled(ctx, field)
-			case "is_phone_verification_enabled":
-				return ec.fieldContext_Meta_is_phone_verification_enabled(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type Meta", field.Name)
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Query_session(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Query_session(ctx, field)
+func (ec *executionContext) _User_picture(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_User_picture(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -16545,75 +15891,35 @@ func (ec *executionContext) _Query_session(ctx context.Context, field graphql.Co
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Query().Session(rctx, fc.Args["params"].(*model.SessionQueryRequest))
+		return obj.Picture, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.AuthResponse)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNAuthResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthResponse(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Query_session(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_User_picture(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Query",
+		Object:     "User",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "message":
-				return ec.fieldContext_AuthResponse_message(ctx, field)
-			case "should_show_email_otp_screen":
-				return ec.fieldContext_AuthResponse_should_show_email_otp_screen(ctx, field)
-			case "should_show_mobile_otp_screen":
-				return ec.fieldContext_AuthResponse_should_show_mobile_otp_screen(ctx, field)
-			case "should_show_totp_screen":
-				return ec.fieldContext_AuthResponse_should_show_totp_screen(ctx, field)
-			case "access_token":
-				return ec.fieldContext_AuthResponse_access_token(ctx, field)
-			case "id_token":
-				return ec.fieldContext_AuthResponse_id_token(ctx, field)
-			case "refresh_token":
-				return ec.fieldContext_AuthResponse_refresh_token(ctx, field)
-			case "expires_in":
-				return ec.fieldContext_AuthResponse_expires_in(ctx, field)
-			case "user":
-				return ec.fieldContext_AuthResponse_user(ctx, field)
-			case "authenticator_scanner_image":
-				return ec.fieldContext_AuthResponse_authenticator_scanner_image(ctx, field)
-			case "authenticator_secret":
-				return ec.fieldContext_AuthResponse_authenticator_secret(ctx, field)
-			case "authenticator_recovery_codes":
-				return ec.fieldContext_AuthResponse_authenticator_recovery_codes(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type AuthResponse", field.Name)
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Query_session_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Query_profile(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Query_profile(ctx, field)
+func (ec *executionContext) _User_roles(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_User_roles(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -16626,7 +15932,7 @@ func (ec *executionContext) _Query_profile(ctx context.Context, field graphql.Co
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Query().Profile(rctx)
+		return obj.Roles, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -16638,68 +15944,26 @@ func (ec *executionContext) _Query_profile(ctx context.Context, field graphql.Co
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.User)
+	res := resTmp.([]string)
 	fc.Result = res
-	return ec.marshalNUser2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUser(ctx, field.Selections, res)
+	return ec.marshalNString2ᚕstringᚄ(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Query_profile(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_User_roles(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Query",
+		Object:     "User",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "id":
-				return ec.fieldContext_User_id(ctx, field)
-			case "email":
-				return ec.fieldContext_User_email(ctx, field)
-			case "email_verified":
-				return ec.fieldContext_User_email_verified(ctx, field)
-			case "signup_methods":
-				return ec.fieldContext_User_signup_methods(ctx, field)
-			case "given_name":
-				return ec.fieldContext_User_given_name(ctx, field)
-			case "family_name":
-				return ec.fieldContext_User_family_name(ctx, field)
-			case "middle_name":
-				return ec.fieldContext_User_middle_name(ctx, field)
-			case "nickname":
-				return ec.fieldContext_User_nickname(ctx, field)
-			case "preferred_username":
-				return ec.fieldContext_User_preferred_username(ctx, field)
-			case "gender":
-				return ec.fieldContext_User_gender(ctx, field)
-			case "birthdate":
-				return ec.fieldContext_User_birthdate(ctx, field)
-			case "phone_number":
-				return ec.fieldContext_User_phone_number(ctx, field)
-			case "phone_number_verified":
-				return ec.fieldContext_User_phone_number_verified(ctx, field)
-			case "picture":
-				return ec.fieldContext_User_picture(ctx, field)
-			case "roles":
-				return ec.fieldContext_User_roles(ctx, field)
-			case "created_at":
-				return ec.fieldContext_User_created_at(ctx, field)
-			case "updated_at":
-				return ec.fieldContext_User_updated_at(ctx, field)
-			case "revoked_timestamp":
-				return ec.fieldContext_User_revoked_timestamp(ctx, field)
-			case "is_multi_factor_auth_enabled":
-				return ec.fieldContext_User_is_multi_factor_auth_enabled(ctx, field)
-			case "app_data":
-				return ec.fieldContext_User_app_data(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type User", field.Name)
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Query_validate_jwt_token(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Query_validate_jwt_token(ctx, field)
+func (ec *executionContext) _User_created_at(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_User_created_at(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -16712,55 +15976,76 @@ func (ec *executionContext) _Query_validate_jwt_token(ctx context.Context, field
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Query().ValidateJwtToken(rctx, fc.Args["params"].(model.ValidateJWTTokenRequest))
+		return obj.CreatedAt, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.ValidateJWTTokenResponse)
+	res := resTmp.(*int64)
 	fc.Result = res
-	return ec.marshalNValidateJWTTokenResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐValidateJWTTokenResponse(ctx, field.Selections, res)
+	return ec.marshalOInt642ᚖint64(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Query_validate_jwt_token(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_User_created_at(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Query",
+		Object:     "User",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "is_valid":
-				return ec.fieldContext_ValidateJWTTokenResponse_is_valid(ctx, field)
-			case "claims":
-				return ec.fieldContext_ValidateJWTTokenResponse_claims(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type ValidateJWTTokenResponse", field.Name)
+			return nil, errors.New("field of type Int64 does not have child fields")
 		},
 	}
+	return fc, nil
+}
+
+func (ec *executionContext) _User_updated_at(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_User_updated_at(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
 	defer func() {
 		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
 		}
 	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Query_validate_jwt_token_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.UpdatedAt, nil
+	})
+	if err != nil {
 		ec.Error(ctx, err)
-		return fc, err
+		return graphql.Null
+	}
+	if resTmp == nil {
+		return graphql.Null
+	}
+	res := resTmp.(*int64)
+	fc.Result = res
+	return ec.marshalOInt642ᚖint64(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext_User_updated_at(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "User",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type Int64 does not have child fields")
+		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Query_validate_session(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Query_validate_session(ctx, field)
+func (ec *executionContext) _User_revoked_timestamp(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_User_revoked_timestamp(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -16773,55 +16058,76 @@ func (ec *executionContext) _Query_validate_session(ctx context.Context, field g
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Query().ValidateSession(rctx, fc.Args["params"].(*model.ValidateSessionRequest))
+		return obj.RevokedTimestamp, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.ValidateSessionResponse)
+	res := resTmp.(*int64)
 	fc.Result = res
-	return ec.marshalNValidateSessionResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐValidateSessionResponse(ctx, field.Selections, res)
+	return ec.marshalOInt642ᚖint64(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Query_validate_session(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_User_revoked_timestamp(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Query",
+		Object:     "User",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "is_valid":
-				return ec.fieldContext_ValidateSessionResponse_is_valid(ctx, field)
-			case "user":
-				return ec.fieldContext_ValidateSessionResponse_user(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type ValidateSessionResponse", field.Name)
+			return nil, errors.New("field of type Int64 does not have child fields")
 		},
 	}
+	return fc, nil
+}
+
+func (ec *executionContext) _User_is_multi_factor_auth_enabled(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_User_is_multi_factor_auth_enabled(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
 	defer func() {
 		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
 		}
 	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Query_validate_session_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.IsMultiFactorAuthEnabled, nil
+	})
+	if err != nil {
 		ec.Error(ctx, err)
-		return fc, err
+		return graphql.Null
+	}
+	if resTmp == nil {
+		return graphql.Null
+	}
+	res := resTmp.(*bool)
+	fc.Result = res
+	return ec.marshalOBoolean2ᚖbool(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext_User_is_multi_factor_auth_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "User",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type Boolean does not have child fields")
+		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Query__users(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Query__users(ctx, field)
+func (ec *executionContext) _User_app_data(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_User_app_data(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -16834,55 +16140,89 @@ func (ec *executionContext) _Query__users(ctx context.Context, field graphql.Col
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Query().Users(rctx, fc.Args["params"].(*model.PaginatedRequest))
+		return obj.AppData, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Users)
+	res := resTmp.(map[string]any)
 	fc.Result = res
-	return ec.marshalNUsers2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUsers(ctx, field.Selections, res)
+	return ec.marshalOMap2map(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Query__users(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_User_app_data(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Query",
+		Object:     "User",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "pagination":
-				return ec.fieldContext_Users_pagination(ctx, field)
-			case "users":
-				return ec.fieldContext_Users_users(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type Users", field.Name)
+			return nil, errors.New("field of type Map does not have child fields")
 		},
 	}
+	return fc, nil
+}
+
+func (ec *executionContext) _Users_pagination(ctx context.Context, field graphql.CollectedField, obj *model.Users) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Users_pagination(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
 	defer func() {
 		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
 		}
 	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Query__users_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.Pagination, nil
+	})
+	if err != nil {
 		ec.Error(ctx, err)
-		return fc, err
+		return graphql.Null
+	}
+	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
+		return graphql.Null
+	}
+	res := resTmp.(*model.Pagination)
+	fc.Result = res
+	return ec.marshalNPagination2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPagination(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext_Users_pagination(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "Users",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			switch field.Name {
+			case "limit":
+				return ec.fieldContext_Pagination_limit(ctx, field)
+			case "page":
+				return ec.fieldContext_Pagination_page(ctx, field)
+			case "offset":
+				return ec.fieldContext_Pagination_offset(ctx, field)
+			case "total":
+				return ec.fieldContext_Pagination_total(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type Pagination", field.Name)
+		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Query__user(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Query__user(ctx, field)
+func (ec *executionContext) _Users_users(ctx context.Context, field graphql.CollectedField, obj *model.Users) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Users_users(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -16895,7 +16235,7 @@ func (ec *executionContext) _Query__user(ctx context.Context, field graphql.Coll
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Query().User(rctx, fc.Args["params"].(model.GetUserRequest))
+		return obj.Users, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -16907,17 +16247,17 @@ func (ec *executionContext) _Query__user(ctx context.Context, field graphql.Coll
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.User)
+	res := resTmp.([]*model.User)
 	fc.Result = res
-	return ec.marshalNUser2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUser(ctx, field.Selections, res)
+	return ec.marshalNUser2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUserᚄ(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Query__user(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Users_users(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Query",
+		Object:     "Users",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			switch field.Name {
 			case "id":
@@ -16964,22 +16304,11 @@ func (ec *executionContext) fieldContext_Query__user(ctx context.Context, field
 			return nil, fmt.Errorf("no field named %q was found under type User", field.Name)
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Query__user_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Query__verification_requests(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Query__verification_requests(ctx, field)
+func (ec *executionContext) _ValidateJWTTokenResponse_is_valid(ctx context.Context, field graphql.CollectedField, obj *model.ValidateJWTTokenResponse) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_ValidateJWTTokenResponse_is_valid(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -16992,7 +16321,7 @@ func (ec *executionContext) _Query__verification_requests(ctx context.Context, f
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Query().VerificationRequests(rctx, fc.Args["params"].(*model.PaginatedRequest))
+		return obj.IsValid, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -17004,43 +16333,26 @@ func (ec *executionContext) _Query__verification_requests(ctx context.Context, f
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.VerificationRequests)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalNVerificationRequests2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐVerificationRequests(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Query__verification_requests(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_ValidateJWTTokenResponse_is_valid(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Query",
+		Object:     "ValidateJWTTokenResponse",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "pagination":
-				return ec.fieldContext_VerificationRequests_pagination(ctx, field)
-			case "verification_requests":
-				return ec.fieldContext_VerificationRequests_verification_requests(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type VerificationRequests", field.Name)
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Query__verification_requests_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Query__admin_session(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Query__admin_session(ctx, field)
+func (ec *executionContext) _ValidateJWTTokenResponse_claims(ctx context.Context, field graphql.CollectedField, obj *model.ValidateJWTTokenResponse) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_ValidateJWTTokenResponse_claims(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -17053,42 +16365,35 @@ func (ec *executionContext) _Query__admin_session(ctx context.Context, field gra
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Query().AdminSession(rctx)
+		return obj.Claims, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Response)
+	res := resTmp.(map[string]any)
 	fc.Result = res
-	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
+	return ec.marshalOMap2map(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Query__admin_session(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_ValidateJWTTokenResponse_claims(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Query",
+		Object:     "ValidateJWTTokenResponse",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "message":
-				return ec.fieldContext_Response_message(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
+			return nil, errors.New("field of type Map does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Query__env(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Query__env(ctx, field)
+func (ec *executionContext) _ValidateSessionResponse_is_valid(ctx context.Context, field graphql.CollectedField, obj *model.ValidateSessionResponse) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_ValidateSessionResponse_is_valid(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -17101,7 +16406,7 @@ func (ec *executionContext) _Query__env(ctx context.Context, field graphql.Colle
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Query().Env(rctx)
+		return obj.IsValid, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -17113,170 +16418,26 @@ func (ec *executionContext) _Query__env(ctx context.Context, field graphql.Colle
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Env)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalNEnv2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐEnv(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Query__env(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_ValidateSessionResponse_is_valid(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Query",
+		Object:     "ValidateSessionResponse",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "ACCESS_TOKEN_EXPIRY_TIME":
-				return ec.fieldContext_Env_ACCESS_TOKEN_EXPIRY_TIME(ctx, field)
-			case "ADMIN_SECRET":
-				return ec.fieldContext_Env_ADMIN_SECRET(ctx, field)
-			case "DATABASE_NAME":
-				return ec.fieldContext_Env_DATABASE_NAME(ctx, field)
-			case "DATABASE_URL":
-				return ec.fieldContext_Env_DATABASE_URL(ctx, field)
-			case "DATABASE_TYPE":
-				return ec.fieldContext_Env_DATABASE_TYPE(ctx, field)
-			case "DATABASE_USERNAME":
-				return ec.fieldContext_Env_DATABASE_USERNAME(ctx, field)
-			case "DATABASE_PASSWORD":
-				return ec.fieldContext_Env_DATABASE_PASSWORD(ctx, field)
-			case "DATABASE_HOST":
-				return ec.fieldContext_Env_DATABASE_HOST(ctx, field)
-			case "DATABASE_PORT":
-				return ec.fieldContext_Env_DATABASE_PORT(ctx, field)
-			case "CLIENT_ID":
-				return ec.fieldContext_Env_CLIENT_ID(ctx, field)
-			case "CLIENT_SECRET":
-				return ec.fieldContext_Env_CLIENT_SECRET(ctx, field)
-			case "CUSTOM_ACCESS_TOKEN_SCRIPT":
-				return ec.fieldContext_Env_CUSTOM_ACCESS_TOKEN_SCRIPT(ctx, field)
-			case "SMTP_HOST":
-				return ec.fieldContext_Env_SMTP_HOST(ctx, field)
-			case "SMTP_PORT":
-				return ec.fieldContext_Env_SMTP_PORT(ctx, field)
-			case "SMTP_USERNAME":
-				return ec.fieldContext_Env_SMTP_USERNAME(ctx, field)
-			case "SMTP_PASSWORD":
-				return ec.fieldContext_Env_SMTP_PASSWORD(ctx, field)
-			case "SMTP_LOCAL_NAME":
-				return ec.fieldContext_Env_SMTP_LOCAL_NAME(ctx, field)
-			case "SENDER_EMAIL":
-				return ec.fieldContext_Env_SENDER_EMAIL(ctx, field)
-			case "SENDER_NAME":
-				return ec.fieldContext_Env_SENDER_NAME(ctx, field)
-			case "JWT_TYPE":
-				return ec.fieldContext_Env_JWT_TYPE(ctx, field)
-			case "JWT_SECRET":
-				return ec.fieldContext_Env_JWT_SECRET(ctx, field)
-			case "JWT_PRIVATE_KEY":
-				return ec.fieldContext_Env_JWT_PRIVATE_KEY(ctx, field)
-			case "JWT_PUBLIC_KEY":
-				return ec.fieldContext_Env_JWT_PUBLIC_KEY(ctx, field)
-			case "ALLOWED_ORIGINS":
-				return ec.fieldContext_Env_ALLOWED_ORIGINS(ctx, field)
-			case "APP_URL":
-				return ec.fieldContext_Env_APP_URL(ctx, field)
-			case "REDIS_URL":
-				return ec.fieldContext_Env_REDIS_URL(ctx, field)
-			case "RESET_PASSWORD_URL":
-				return ec.fieldContext_Env_RESET_PASSWORD_URL(ctx, field)
-			case "DISABLE_EMAIL_VERIFICATION":
-				return ec.fieldContext_Env_DISABLE_EMAIL_VERIFICATION(ctx, field)
-			case "DISABLE_BASIC_AUTHENTICATION":
-				return ec.fieldContext_Env_DISABLE_BASIC_AUTHENTICATION(ctx, field)
-			case "DISABLE_MOBILE_BASIC_AUTHENTICATION":
-				return ec.fieldContext_Env_DISABLE_MOBILE_BASIC_AUTHENTICATION(ctx, field)
-			case "DISABLE_MAGIC_LINK_LOGIN":
-				return ec.fieldContext_Env_DISABLE_MAGIC_LINK_LOGIN(ctx, field)
-			case "DISABLE_LOGIN_PAGE":
-				return ec.fieldContext_Env_DISABLE_LOGIN_PAGE(ctx, field)
-			case "DISABLE_SIGN_UP":
-				return ec.fieldContext_Env_DISABLE_SIGN_UP(ctx, field)
-			case "DISABLE_REDIS_FOR_ENV":
-				return ec.fieldContext_Env_DISABLE_REDIS_FOR_ENV(ctx, field)
-			case "DISABLE_STRONG_PASSWORD":
-				return ec.fieldContext_Env_DISABLE_STRONG_PASSWORD(ctx, field)
-			case "DISABLE_MULTI_FACTOR_AUTHENTICATION":
-				return ec.fieldContext_Env_DISABLE_MULTI_FACTOR_AUTHENTICATION(ctx, field)
-			case "ENFORCE_MULTI_FACTOR_AUTHENTICATION":
-				return ec.fieldContext_Env_ENFORCE_MULTI_FACTOR_AUTHENTICATION(ctx, field)
-			case "ROLES":
-				return ec.fieldContext_Env_ROLES(ctx, field)
-			case "PROTECTED_ROLES":
-				return ec.fieldContext_Env_PROTECTED_ROLES(ctx, field)
-			case "DEFAULT_ROLES":
-				return ec.fieldContext_Env_DEFAULT_ROLES(ctx, field)
-			case "JWT_ROLE_CLAIM":
-				return ec.fieldContext_Env_JWT_ROLE_CLAIM(ctx, field)
-			case "GOOGLE_CLIENT_ID":
-				return ec.fieldContext_Env_GOOGLE_CLIENT_ID(ctx, field)
-			case "GOOGLE_CLIENT_SECRET":
-				return ec.fieldContext_Env_GOOGLE_CLIENT_SECRET(ctx, field)
-			case "GITHUB_CLIENT_ID":
-				return ec.fieldContext_Env_GITHUB_CLIENT_ID(ctx, field)
-			case "GITHUB_CLIENT_SECRET":
-				return ec.fieldContext_Env_GITHUB_CLIENT_SECRET(ctx, field)
-			case "FACEBOOK_CLIENT_ID":
-				return ec.fieldContext_Env_FACEBOOK_CLIENT_ID(ctx, field)
-			case "FACEBOOK_CLIENT_SECRET":
-				return ec.fieldContext_Env_FACEBOOK_CLIENT_SECRET(ctx, field)
-			case "LINKEDIN_CLIENT_ID":
-				return ec.fieldContext_Env_LINKEDIN_CLIENT_ID(ctx, field)
-			case "LINKEDIN_CLIENT_SECRET":
-				return ec.fieldContext_Env_LINKEDIN_CLIENT_SECRET(ctx, field)
-			case "APPLE_CLIENT_ID":
-				return ec.fieldContext_Env_APPLE_CLIENT_ID(ctx, field)
-			case "APPLE_CLIENT_SECRET":
-				return ec.fieldContext_Env_APPLE_CLIENT_SECRET(ctx, field)
-			case "DISCORD_CLIENT_ID":
-				return ec.fieldContext_Env_DISCORD_CLIENT_ID(ctx, field)
-			case "DISCORD_CLIENT_SECRET":
-				return ec.fieldContext_Env_DISCORD_CLIENT_SECRET(ctx, field)
-			case "TWITTER_CLIENT_ID":
-				return ec.fieldContext_Env_TWITTER_CLIENT_ID(ctx, field)
-			case "TWITTER_CLIENT_SECRET":
-				return ec.fieldContext_Env_TWITTER_CLIENT_SECRET(ctx, field)
-			case "MICROSOFT_CLIENT_ID":
-				return ec.fieldContext_Env_MICROSOFT_CLIENT_ID(ctx, field)
-			case "MICROSOFT_CLIENT_SECRET":
-				return ec.fieldContext_Env_MICROSOFT_CLIENT_SECRET(ctx, field)
-			case "MICROSOFT_ACTIVE_DIRECTORY_TENANT_ID":
-				return ec.fieldContext_Env_MICROSOFT_ACTIVE_DIRECTORY_TENANT_ID(ctx, field)
-			case "TWITCH_CLIENT_ID":
-				return ec.fieldContext_Env_TWITCH_CLIENT_ID(ctx, field)
-			case "TWITCH_CLIENT_SECRET":
-				return ec.fieldContext_Env_TWITCH_CLIENT_SECRET(ctx, field)
-			case "ROBLOX_CLIENT_ID":
-				return ec.fieldContext_Env_ROBLOX_CLIENT_ID(ctx, field)
-			case "ROBLOX_CLIENT_SECRET":
-				return ec.fieldContext_Env_ROBLOX_CLIENT_SECRET(ctx, field)
-			case "ORGANIZATION_NAME":
-				return ec.fieldContext_Env_ORGANIZATION_NAME(ctx, field)
-			case "ORGANIZATION_LOGO":
-				return ec.fieldContext_Env_ORGANIZATION_LOGO(ctx, field)
-			case "APP_COOKIE_SECURE":
-				return ec.fieldContext_Env_APP_COOKIE_SECURE(ctx, field)
-			case "ADMIN_COOKIE_SECURE":
-				return ec.fieldContext_Env_ADMIN_COOKIE_SECURE(ctx, field)
-			case "DEFAULT_AUTHORIZE_RESPONSE_TYPE":
-				return ec.fieldContext_Env_DEFAULT_AUTHORIZE_RESPONSE_TYPE(ctx, field)
-			case "DEFAULT_AUTHORIZE_RESPONSE_MODE":
-				return ec.fieldContext_Env_DEFAULT_AUTHORIZE_RESPONSE_MODE(ctx, field)
-			case "DISABLE_PLAYGROUND":
-				return ec.fieldContext_Env_DISABLE_PLAYGROUND(ctx, field)
-			case "DISABLE_MAIL_OTP_LOGIN":
-				return ec.fieldContext_Env_DISABLE_MAIL_OTP_LOGIN(ctx, field)
-			case "DISABLE_TOTP_LOGIN":
-				return ec.fieldContext_Env_DISABLE_TOTP_LOGIN(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type Env", field.Name)
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Query__webhook(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Query__webhook(ctx, field)
+func (ec *executionContext) _ValidateSessionResponse_user(ctx context.Context, field graphql.CollectedField, obj *model.ValidateSessionResponse) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_ValidateSessionResponse_user(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -17289,7 +16450,7 @@ func (ec *executionContext) _Query__webhook(ctx context.Context, field graphql.C
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Query().Webhook(rctx, fc.Args["params"].(model.WebhookRequest))
+		return obj.User, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -17301,55 +16462,68 @@ func (ec *executionContext) _Query__webhook(ctx context.Context, field graphql.C
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Webhook)
+	res := resTmp.(*model.User)
 	fc.Result = res
-	return ec.marshalNWebhook2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐWebhook(ctx, field.Selections, res)
+	return ec.marshalNUser2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUser(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Query__webhook(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_ValidateSessionResponse_user(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Query",
+		Object:     "ValidateSessionResponse",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			switch field.Name {
 			case "id":
-				return ec.fieldContext_Webhook_id(ctx, field)
-			case "event_name":
-				return ec.fieldContext_Webhook_event_name(ctx, field)
-			case "event_description":
-				return ec.fieldContext_Webhook_event_description(ctx, field)
-			case "endpoint":
-				return ec.fieldContext_Webhook_endpoint(ctx, field)
-			case "enabled":
-				return ec.fieldContext_Webhook_enabled(ctx, field)
-			case "headers":
-				return ec.fieldContext_Webhook_headers(ctx, field)
-			case "created_at":
-				return ec.fieldContext_Webhook_created_at(ctx, field)
-			case "updated_at":
-				return ec.fieldContext_Webhook_updated_at(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type Webhook", field.Name)
-		},
-	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Query__webhook_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
-	return fc, nil
-}
+				return ec.fieldContext_User_id(ctx, field)
+			case "email":
+				return ec.fieldContext_User_email(ctx, field)
+			case "email_verified":
+				return ec.fieldContext_User_email_verified(ctx, field)
+			case "signup_methods":
+				return ec.fieldContext_User_signup_methods(ctx, field)
+			case "given_name":
+				return ec.fieldContext_User_given_name(ctx, field)
+			case "family_name":
+				return ec.fieldContext_User_family_name(ctx, field)
+			case "middle_name":
+				return ec.fieldContext_User_middle_name(ctx, field)
+			case "nickname":
+				return ec.fieldContext_User_nickname(ctx, field)
+			case "preferred_username":
+				return ec.fieldContext_User_preferred_username(ctx, field)
+			case "gender":
+				return ec.fieldContext_User_gender(ctx, field)
+			case "birthdate":
+				return ec.fieldContext_User_birthdate(ctx, field)
+			case "phone_number":
+				return ec.fieldContext_User_phone_number(ctx, field)
+			case "phone_number_verified":
+				return ec.fieldContext_User_phone_number_verified(ctx, field)
+			case "picture":
+				return ec.fieldContext_User_picture(ctx, field)
+			case "roles":
+				return ec.fieldContext_User_roles(ctx, field)
+			case "created_at":
+				return ec.fieldContext_User_created_at(ctx, field)
+			case "updated_at":
+				return ec.fieldContext_User_updated_at(ctx, field)
+			case "revoked_timestamp":
+				return ec.fieldContext_User_revoked_timestamp(ctx, field)
+			case "is_multi_factor_auth_enabled":
+				return ec.fieldContext_User_is_multi_factor_auth_enabled(ctx, field)
+			case "app_data":
+				return ec.fieldContext_User_app_data(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type User", field.Name)
+		},
+	}
+	return fc, nil
+}
 
-func (ec *executionContext) _Query__webhooks(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Query__webhooks(ctx, field)
+func (ec *executionContext) _VerificationRequest_id(ctx context.Context, field graphql.CollectedField, obj *model.VerificationRequest) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_VerificationRequest_id(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -17362,7 +16536,7 @@ func (ec *executionContext) _Query__webhooks(ctx context.Context, field graphql.
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Query().Webhooks(rctx, fc.Args["params"].(*model.PaginatedRequest))
+		return obj.ID, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -17374,43 +16548,26 @@ func (ec *executionContext) _Query__webhooks(ctx context.Context, field graphql.
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Webhooks)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalNWebhooks2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐWebhooks(ctx, field.Selections, res)
+	return ec.marshalNID2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Query__webhooks(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_VerificationRequest_id(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Query",
+		Object:     "VerificationRequest",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "pagination":
-				return ec.fieldContext_Webhooks_pagination(ctx, field)
-			case "webhooks":
-				return ec.fieldContext_Webhooks_webhooks(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type Webhooks", field.Name)
+			return nil, errors.New("field of type ID does not have child fields")
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Query__webhooks_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Query__webhook_logs(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Query__webhook_logs(ctx, field)
+func (ec *executionContext) _VerificationRequest_identifier(ctx context.Context, field graphql.CollectedField, obj *model.VerificationRequest) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_VerificationRequest_identifier(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -17423,55 +16580,35 @@ func (ec *executionContext) _Query__webhook_logs(ctx context.Context, field grap
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Query().WebhookLogs(rctx, fc.Args["params"].(*model.ListWebhookLogRequest))
+		return obj.Identifier, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.WebhookLogs)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNWebhookLogs2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐWebhookLogs(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Query__webhook_logs(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_VerificationRequest_identifier(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Query",
+		Object:     "VerificationRequest",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "pagination":
-				return ec.fieldContext_WebhookLogs_pagination(ctx, field)
-			case "webhook_logs":
-				return ec.fieldContext_WebhookLogs_webhook_logs(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type WebhookLogs", field.Name)
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Query__webhook_logs_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Query__email_templates(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Query__email_templates(ctx, field)
+func (ec *executionContext) _VerificationRequest_token(ctx context.Context, field graphql.CollectedField, obj *model.VerificationRequest) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_VerificationRequest_token(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -17484,55 +16621,35 @@ func (ec *executionContext) _Query__email_templates(ctx context.Context, field g
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Query().EmailTemplates(rctx, fc.Args["params"].(*model.PaginatedRequest))
+		return obj.Token, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.EmailTemplates)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNEmailTemplates2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐEmailTemplates(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Query__email_templates(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_VerificationRequest_token(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Query",
+		Object:     "VerificationRequest",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "pagination":
-				return ec.fieldContext_EmailTemplates_pagination(ctx, field)
-			case "email_templates":
-				return ec.fieldContext_EmailTemplates_email_templates(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type EmailTemplates", field.Name)
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Query__email_templates_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Query__audit_logs(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Query__audit_logs(ctx, field)
+func (ec *executionContext) _VerificationRequest_email(ctx context.Context, field graphql.CollectedField, obj *model.VerificationRequest) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_VerificationRequest_email(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -17545,55 +16662,35 @@ func (ec *executionContext) _Query__audit_logs(ctx context.Context, field graphq
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Query().AuditLogs(rctx, fc.Args["params"].(*model.ListAuditLogRequest))
+		return obj.Email, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.AuditLogs)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNAuditLogs2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuditLogs(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Query__audit_logs(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_VerificationRequest_email(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Query",
+		Object:     "VerificationRequest",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "pagination":
-				return ec.fieldContext_AuditLogs_pagination(ctx, field)
-			case "audit_logs":
-				return ec.fieldContext_AuditLogs_audit_logs(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type AuditLogs", field.Name)
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Query__audit_logs_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Query__authz_resources(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Query__authz_resources(ctx, field)
+func (ec *executionContext) _VerificationRequest_expires(ctx context.Context, field graphql.CollectedField, obj *model.VerificationRequest) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_VerificationRequest_expires(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -17606,55 +16703,35 @@ func (ec *executionContext) _Query__authz_resources(ctx context.Context, field g
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Query().AuthzResources(rctx, fc.Args["params"].(*model.PaginatedRequest))
+		return obj.Expires, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.AuthzResources)
+	res := resTmp.(*int64)
 	fc.Result = res
-	return ec.marshalNAuthzResources2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzResources(ctx, field.Selections, res)
+	return ec.marshalOInt642ᚖint64(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Query__authz_resources(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_VerificationRequest_expires(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Query",
+		Object:     "VerificationRequest",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "pagination":
-				return ec.fieldContext_AuthzResources_pagination(ctx, field)
-			case "resources":
-				return ec.fieldContext_AuthzResources_resources(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type AuthzResources", field.Name)
+			return nil, errors.New("field of type Int64 does not have child fields")
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Query__authz_resources_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Query__authz_scopes(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Query__authz_scopes(ctx, field)
+func (ec *executionContext) _VerificationRequest_created_at(ctx context.Context, field graphql.CollectedField, obj *model.VerificationRequest) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_VerificationRequest_created_at(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -17667,55 +16744,35 @@ func (ec *executionContext) _Query__authz_scopes(ctx context.Context, field grap
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Query().AuthzScopes(rctx, fc.Args["params"].(*model.PaginatedRequest))
+		return obj.CreatedAt, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.AuthzScopes)
+	res := resTmp.(*int64)
 	fc.Result = res
-	return ec.marshalNAuthzScopes2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzScopes(ctx, field.Selections, res)
+	return ec.marshalOInt642ᚖint64(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Query__authz_scopes(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_VerificationRequest_created_at(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Query",
+		Object:     "VerificationRequest",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "pagination":
-				return ec.fieldContext_AuthzScopes_pagination(ctx, field)
-			case "scopes":
-				return ec.fieldContext_AuthzScopes_scopes(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type AuthzScopes", field.Name)
+			return nil, errors.New("field of type Int64 does not have child fields")
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Query__authz_scopes_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Query__authz_policies(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Query__authz_policies(ctx, field)
+func (ec *executionContext) _VerificationRequest_updated_at(ctx context.Context, field graphql.CollectedField, obj *model.VerificationRequest) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_VerificationRequest_updated_at(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -17728,55 +16785,35 @@ func (ec *executionContext) _Query__authz_policies(ctx context.Context, field gr
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Query().AuthzPolicies(rctx, fc.Args["params"].(*model.PaginatedRequest))
+		return obj.UpdatedAt, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.AuthzPolicies)
+	res := resTmp.(*int64)
 	fc.Result = res
-	return ec.marshalNAuthzPolicies2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzPolicies(ctx, field.Selections, res)
+	return ec.marshalOInt642ᚖint64(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Query__authz_policies(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_VerificationRequest_updated_at(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Query",
+		Object:     "VerificationRequest",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "pagination":
-				return ec.fieldContext_AuthzPolicies_pagination(ctx, field)
-			case "policies":
-				return ec.fieldContext_AuthzPolicies_policies(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type AuthzPolicies", field.Name)
+			return nil, errors.New("field of type Int64 does not have child fields")
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Query__authz_policies_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Query__authz_permissions(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Query__authz_permissions(ctx, field)
+func (ec *executionContext) _VerificationRequest_nonce(ctx context.Context, field graphql.CollectedField, obj *model.VerificationRequest) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_VerificationRequest_nonce(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -17789,55 +16826,35 @@ func (ec *executionContext) _Query__authz_permissions(ctx context.Context, field
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Query().AuthzPermissions(rctx, fc.Args["params"].(*model.PaginatedRequest))
+		return obj.Nonce, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.AuthzPermissions)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNAuthzPermissions2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzPermissions(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Query__authz_permissions(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_VerificationRequest_nonce(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Query",
+		Object:     "VerificationRequest",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "pagination":
-				return ec.fieldContext_AuthzPermissions_pagination(ctx, field)
-			case "permissions":
-				return ec.fieldContext_AuthzPermissions_permissions(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type AuthzPermissions", field.Name)
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Query__authz_permissions_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Query_permissions(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Query_permissions(ctx, field)
+func (ec *executionContext) _VerificationRequest_redirect_uri(ctx context.Context, field graphql.CollectedField, obj *model.VerificationRequest) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_VerificationRequest_redirect_uri(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -17850,44 +16867,35 @@ func (ec *executionContext) _Query_permissions(ctx context.Context, field graphq
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Query().Permissions(rctx)
+		return obj.RedirectURI, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.([]*model.Permission)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNPermission2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPermissionᚄ(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Query_permissions(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_VerificationRequest_redirect_uri(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Query",
+		Object:     "VerificationRequest",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "resource":
-				return ec.fieldContext_Permission_resource(ctx, field)
-			case "scope":
-				return ec.fieldContext_Permission_scope(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type Permission", field.Name)
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Query___type(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Query___type(ctx, field)
+func (ec *executionContext) _VerificationRequests_pagination(ctx context.Context, field graphql.CollectedField, obj *model.VerificationRequests) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_VerificationRequests_pagination(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -17900,70 +16908,48 @@ func (ec *executionContext) _Query___type(ctx context.Context, field graphql.Col
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.introspectType(fc.Args["name"].(string))
+		return obj.Pagination, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*introspection.Type)
+	res := resTmp.(*model.Pagination)
 	fc.Result = res
-	return ec.marshalO__Type2ᚖgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐType(ctx, field.Selections, res)
+	return ec.marshalNPagination2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPagination(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Query___type(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_VerificationRequests_pagination(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Query",
+		Object:     "VerificationRequests",
 		Field:      field,
-		IsMethod:   true,
+		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			switch field.Name {
-			case "kind":
-				return ec.fieldContext___Type_kind(ctx, field)
-			case "name":
-				return ec.fieldContext___Type_name(ctx, field)
-			case "description":
-				return ec.fieldContext___Type_description(ctx, field)
-			case "specifiedByURL":
-				return ec.fieldContext___Type_specifiedByURL(ctx, field)
-			case "fields":
-				return ec.fieldContext___Type_fields(ctx, field)
-			case "interfaces":
-				return ec.fieldContext___Type_interfaces(ctx, field)
-			case "possibleTypes":
-				return ec.fieldContext___Type_possibleTypes(ctx, field)
-			case "enumValues":
-				return ec.fieldContext___Type_enumValues(ctx, field)
-			case "inputFields":
-				return ec.fieldContext___Type_inputFields(ctx, field)
-			case "ofType":
-				return ec.fieldContext___Type_ofType(ctx, field)
-			case "isOneOf":
-				return ec.fieldContext___Type_isOneOf(ctx, field)
+			case "limit":
+				return ec.fieldContext_Pagination_limit(ctx, field)
+			case "page":
+				return ec.fieldContext_Pagination_page(ctx, field)
+			case "offset":
+				return ec.fieldContext_Pagination_offset(ctx, field)
+			case "total":
+				return ec.fieldContext_Pagination_total(ctx, field)
 			}
-			return nil, fmt.Errorf("no field named %q was found under type __Type", field.Name)
+			return nil, fmt.Errorf("no field named %q was found under type Pagination", field.Name)
 		},
 	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Query___type_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Query___schema(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Query___schema(ctx, field)
+func (ec *executionContext) _VerificationRequests_verification_requests(ctx context.Context, field graphql.CollectedField, obj *model.VerificationRequests) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_VerificationRequests_verification_requests(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -17976,49 +16962,58 @@ func (ec *executionContext) _Query___schema(ctx context.Context, field graphql.C
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.introspectSchema()
+		return obj.VerificationRequests, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*introspection.Schema)
+	res := resTmp.([]*model.VerificationRequest)
 	fc.Result = res
-	return ec.marshalO__Schema2ᚖgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐSchema(ctx, field.Selections, res)
+	return ec.marshalNVerificationRequest2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐVerificationRequestᚄ(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Query___schema(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_VerificationRequests_verification_requests(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Query",
+		Object:     "VerificationRequests",
 		Field:      field,
-		IsMethod:   true,
+		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			switch field.Name {
-			case "description":
-				return ec.fieldContext___Schema_description(ctx, field)
-			case "types":
-				return ec.fieldContext___Schema_types(ctx, field)
-			case "queryType":
-				return ec.fieldContext___Schema_queryType(ctx, field)
-			case "mutationType":
-				return ec.fieldContext___Schema_mutationType(ctx, field)
-			case "subscriptionType":
-				return ec.fieldContext___Schema_subscriptionType(ctx, field)
-			case "directives":
-				return ec.fieldContext___Schema_directives(ctx, field)
+			case "id":
+				return ec.fieldContext_VerificationRequest_id(ctx, field)
+			case "identifier":
+				return ec.fieldContext_VerificationRequest_identifier(ctx, field)
+			case "token":
+				return ec.fieldContext_VerificationRequest_token(ctx, field)
+			case "email":
+				return ec.fieldContext_VerificationRequest_email(ctx, field)
+			case "expires":
+				return ec.fieldContext_VerificationRequest_expires(ctx, field)
+			case "created_at":
+				return ec.fieldContext_VerificationRequest_created_at(ctx, field)
+			case "updated_at":
+				return ec.fieldContext_VerificationRequest_updated_at(ctx, field)
+			case "nonce":
+				return ec.fieldContext_VerificationRequest_nonce(ctx, field)
+			case "redirect_uri":
+				return ec.fieldContext_VerificationRequest_redirect_uri(ctx, field)
 			}
-			return nil, fmt.Errorf("no field named %q was found under type __Schema", field.Name)
+			return nil, fmt.Errorf("no field named %q was found under type VerificationRequest", field.Name)
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Response_message(ctx context.Context, field graphql.CollectedField, obj *model.Response) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Response_message(ctx, field)
+func (ec *executionContext) _Webhook_id(ctx context.Context, field graphql.CollectedField, obj *model.Webhook) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Webhook_id(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -18031,7 +17026,7 @@ func (ec *executionContext) _Response_message(ctx context.Context, field graphql
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Message, nil
+		return obj.ID, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -18045,24 +17040,24 @@ func (ec *executionContext) _Response_message(ctx context.Context, field graphql
 	}
 	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalNString2string(ctx, field.Selections, res)
+	return ec.marshalNID2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Response_message(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Webhook_id(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Response",
+		Object:     "Webhook",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			return nil, errors.New("field of type ID does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _TestEndpointResponse_http_status(ctx context.Context, field graphql.CollectedField, obj *model.TestEndpointResponse) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_TestEndpointResponse_http_status(ctx, field)
+func (ec *executionContext) _Webhook_event_name(ctx context.Context, field graphql.CollectedField, obj *model.Webhook) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Webhook_event_name(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -18075,7 +17070,7 @@ func (ec *executionContext) _TestEndpointResponse_http_status(ctx context.Contex
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.HTTPStatus, nil
+		return obj.EventName, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -18084,26 +17079,26 @@ func (ec *executionContext) _TestEndpointResponse_http_status(ctx context.Contex
 	if resTmp == nil {
 		return graphql.Null
 	}
-	res := resTmp.(*int64)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalOInt642ᚖint64(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_TestEndpointResponse_http_status(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Webhook_event_name(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "TestEndpointResponse",
+		Object:     "Webhook",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Int64 does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _TestEndpointResponse_response(ctx context.Context, field graphql.CollectedField, obj *model.TestEndpointResponse) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_TestEndpointResponse_response(ctx, field)
+func (ec *executionContext) _Webhook_event_description(ctx context.Context, field graphql.CollectedField, obj *model.Webhook) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Webhook_event_description(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -18116,7 +17111,7 @@ func (ec *executionContext) _TestEndpointResponse_response(ctx context.Context,
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Response, nil
+		return obj.EventDescription, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -18130,9 +17125,9 @@ func (ec *executionContext) _TestEndpointResponse_response(ctx context.Context,
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_TestEndpointResponse_response(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Webhook_event_description(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "TestEndpointResponse",
+		Object:     "Webhook",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -18143,8 +17138,8 @@ func (ec *executionContext) fieldContext_TestEndpointResponse_response(_ context
 	return fc, nil
 }
 
-func (ec *executionContext) _User_id(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_User_id(ctx, field)
+func (ec *executionContext) _Webhook_endpoint(ctx context.Context, field graphql.CollectedField, obj *model.Webhook) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Webhook_endpoint(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -18157,38 +17152,35 @@ func (ec *executionContext) _User_id(ctx context.Context, field graphql.Collecte
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.ID, nil
+		return obj.Endpoint, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(string)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNID2string(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_User_id(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Webhook_endpoint(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "User",
+		Object:     "Webhook",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type ID does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _User_email(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_User_email(ctx, field)
+func (ec *executionContext) _Webhook_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Webhook) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Webhook_enabled(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -18201,7 +17193,7 @@ func (ec *executionContext) _User_email(ctx context.Context, field graphql.Colle
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Email, nil
+		return obj.Enabled, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -18210,26 +17202,26 @@ func (ec *executionContext) _User_email(ctx context.Context, field graphql.Colle
 	if resTmp == nil {
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(*bool)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalOBoolean2ᚖbool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_User_email(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Webhook_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "User",
+		Object:     "Webhook",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _User_email_verified(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_User_email_verified(ctx, field)
+func (ec *executionContext) _Webhook_headers(ctx context.Context, field graphql.CollectedField, obj *model.Webhook) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Webhook_headers(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -18242,38 +17234,35 @@ func (ec *executionContext) _User_email_verified(ctx context.Context, field grap
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.EmailVerified, nil
+		return obj.Headers, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.(map[string]any)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalOMap2map(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_User_email_verified(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Webhook_headers(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "User",
+		Object:     "Webhook",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			return nil, errors.New("field of type Map does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _User_signup_methods(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_User_signup_methods(ctx, field)
+func (ec *executionContext) _Webhook_created_at(ctx context.Context, field graphql.CollectedField, obj *model.Webhook) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Webhook_created_at(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -18286,38 +17275,35 @@ func (ec *executionContext) _User_signup_methods(ctx context.Context, field grap
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.SignupMethods, nil
+		return obj.CreatedAt, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(string)
+	res := resTmp.(*int64)
 	fc.Result = res
-	return ec.marshalNString2string(ctx, field.Selections, res)
+	return ec.marshalOInt642ᚖint64(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_User_signup_methods(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Webhook_created_at(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "User",
+		Object:     "Webhook",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			return nil, errors.New("field of type Int64 does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _User_given_name(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_User_given_name(ctx, field)
+func (ec *executionContext) _Webhook_updated_at(ctx context.Context, field graphql.CollectedField, obj *model.Webhook) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Webhook_updated_at(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -18330,7 +17316,7 @@ func (ec *executionContext) _User_given_name(ctx context.Context, field graphql.
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.GivenName, nil
+		return obj.UpdatedAt, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -18339,26 +17325,26 @@ func (ec *executionContext) _User_given_name(ctx context.Context, field graphql.
 	if resTmp == nil {
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(*int64)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalOInt642ᚖint64(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_User_given_name(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Webhook_updated_at(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "User",
+		Object:     "Webhook",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			return nil, errors.New("field of type Int64 does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _User_family_name(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_User_family_name(ctx, field)
+func (ec *executionContext) _WebhookLog_id(ctx context.Context, field graphql.CollectedField, obj *model.WebhookLog) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_WebhookLog_id(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -18371,35 +17357,38 @@ func (ec *executionContext) _User_family_name(ctx context.Context, field graphql
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.FamilyName, nil
+		return obj.ID, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNID2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_User_family_name(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_WebhookLog_id(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "User",
+		Object:     "WebhookLog",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			return nil, errors.New("field of type ID does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _User_middle_name(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_User_middle_name(ctx, field)
+func (ec *executionContext) _WebhookLog_http_status(ctx context.Context, field graphql.CollectedField, obj *model.WebhookLog) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_WebhookLog_http_status(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -18412,7 +17401,7 @@ func (ec *executionContext) _User_middle_name(ctx context.Context, field graphql
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.MiddleName, nil
+		return obj.HTTPStatus, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -18421,26 +17410,26 @@ func (ec *executionContext) _User_middle_name(ctx context.Context, field graphql
 	if resTmp == nil {
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(*int64)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalOInt642ᚖint64(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_User_middle_name(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_WebhookLog_http_status(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "User",
+		Object:     "WebhookLog",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			return nil, errors.New("field of type Int64 does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _User_nickname(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_User_nickname(ctx, field)
+func (ec *executionContext) _WebhookLog_response(ctx context.Context, field graphql.CollectedField, obj *model.WebhookLog) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_WebhookLog_response(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -18453,7 +17442,7 @@ func (ec *executionContext) _User_nickname(ctx context.Context, field graphql.Co
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Nickname, nil
+		return obj.Response, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -18467,9 +17456,9 @@ func (ec *executionContext) _User_nickname(ctx context.Context, field graphql.Co
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_User_nickname(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_WebhookLog_response(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "User",
+		Object:     "WebhookLog",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -18480,8 +17469,8 @@ func (ec *executionContext) fieldContext_User_nickname(_ context.Context, field
 	return fc, nil
 }
 
-func (ec *executionContext) _User_preferred_username(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_User_preferred_username(ctx, field)
+func (ec *executionContext) _WebhookLog_request(ctx context.Context, field graphql.CollectedField, obj *model.WebhookLog) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_WebhookLog_request(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -18494,7 +17483,7 @@ func (ec *executionContext) _User_preferred_username(ctx context.Context, field
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.PreferredUsername, nil
+		return obj.Request, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -18508,9 +17497,9 @@ func (ec *executionContext) _User_preferred_username(ctx context.Context, field
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_User_preferred_username(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_WebhookLog_request(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "User",
+		Object:     "WebhookLog",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -18521,8 +17510,8 @@ func (ec *executionContext) fieldContext_User_preferred_username(_ context.Conte
 	return fc, nil
 }
 
-func (ec *executionContext) _User_gender(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_User_gender(ctx, field)
+func (ec *executionContext) _WebhookLog_webhook_id(ctx context.Context, field graphql.CollectedField, obj *model.WebhookLog) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_WebhookLog_webhook_id(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -18535,7 +17524,7 @@ func (ec *executionContext) _User_gender(ctx context.Context, field graphql.Coll
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Gender, nil
+		return obj.WebhookID, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -18546,24 +17535,24 @@ func (ec *executionContext) _User_gender(ctx context.Context, field graphql.Coll
 	}
 	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalOID2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_User_gender(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_WebhookLog_webhook_id(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "User",
+		Object:     "WebhookLog",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			return nil, errors.New("field of type ID does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _User_birthdate(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_User_birthdate(ctx, field)
+func (ec *executionContext) _WebhookLog_created_at(ctx context.Context, field graphql.CollectedField, obj *model.WebhookLog) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_WebhookLog_created_at(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -18576,7 +17565,7 @@ func (ec *executionContext) _User_birthdate(ctx context.Context, field graphql.C
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Birthdate, nil
+		return obj.CreatedAt, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -18585,26 +17574,26 @@ func (ec *executionContext) _User_birthdate(ctx context.Context, field graphql.C
 	if resTmp == nil {
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(*int64)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalOInt642ᚖint64(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_User_birthdate(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_WebhookLog_created_at(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "User",
+		Object:     "WebhookLog",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			return nil, errors.New("field of type Int64 does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _User_phone_number(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_User_phone_number(ctx, field)
+func (ec *executionContext) _WebhookLog_updated_at(ctx context.Context, field graphql.CollectedField, obj *model.WebhookLog) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_WebhookLog_updated_at(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -18617,7 +17606,7 @@ func (ec *executionContext) _User_phone_number(ctx context.Context, field graphq
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.PhoneNumber, nil
+		return obj.UpdatedAt, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -18626,26 +17615,26 @@ func (ec *executionContext) _User_phone_number(ctx context.Context, field graphq
 	if resTmp == nil {
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(*int64)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalOInt642ᚖint64(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_User_phone_number(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_WebhookLog_updated_at(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "User",
+		Object:     "WebhookLog",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			return nil, errors.New("field of type Int64 does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _User_phone_number_verified(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_User_phone_number_verified(ctx, field)
+func (ec *executionContext) _WebhookLogs_pagination(ctx context.Context, field graphql.CollectedField, obj *model.WebhookLogs) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_WebhookLogs_pagination(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -18658,7 +17647,7 @@ func (ec *executionContext) _User_phone_number_verified(ctx context.Context, fie
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.PhoneNumberVerified, nil
+		return obj.Pagination, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -18670,26 +17659,36 @@ func (ec *executionContext) _User_phone_number_verified(ctx context.Context, fie
 		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.(*model.Pagination)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalNPagination2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPagination(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_User_phone_number_verified(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_WebhookLogs_pagination(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "User",
+		Object:     "WebhookLogs",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			switch field.Name {
+			case "limit":
+				return ec.fieldContext_Pagination_limit(ctx, field)
+			case "page":
+				return ec.fieldContext_Pagination_page(ctx, field)
+			case "offset":
+				return ec.fieldContext_Pagination_offset(ctx, field)
+			case "total":
+				return ec.fieldContext_Pagination_total(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type Pagination", field.Name)
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _User_picture(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_User_picture(ctx, field)
+func (ec *executionContext) _WebhookLogs_webhook_logs(ctx context.Context, field graphql.CollectedField, obj *model.WebhookLogs) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_WebhookLogs_webhook_logs(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -18702,35 +17701,54 @@ func (ec *executionContext) _User_picture(ctx context.Context, field graphql.Col
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Picture, nil
+		return obj.WebhookLogs, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.([]*model.WebhookLog)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNWebhookLog2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐWebhookLogᚄ(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_User_picture(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_WebhookLogs_webhook_logs(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "User",
+		Object:     "WebhookLogs",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			switch field.Name {
+			case "id":
+				return ec.fieldContext_WebhookLog_id(ctx, field)
+			case "http_status":
+				return ec.fieldContext_WebhookLog_http_status(ctx, field)
+			case "response":
+				return ec.fieldContext_WebhookLog_response(ctx, field)
+			case "request":
+				return ec.fieldContext_WebhookLog_request(ctx, field)
+			case "webhook_id":
+				return ec.fieldContext_WebhookLog_webhook_id(ctx, field)
+			case "created_at":
+				return ec.fieldContext_WebhookLog_created_at(ctx, field)
+			case "updated_at":
+				return ec.fieldContext_WebhookLog_updated_at(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type WebhookLog", field.Name)
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _User_roles(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_User_roles(ctx, field)
+func (ec *executionContext) _Webhooks_pagination(ctx context.Context, field graphql.CollectedField, obj *model.Webhooks) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Webhooks_pagination(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -18743,7 +17761,7 @@ func (ec *executionContext) _User_roles(ctx context.Context, field graphql.Colle
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Roles, nil
+		return obj.Pagination, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -18755,26 +17773,36 @@ func (ec *executionContext) _User_roles(ctx context.Context, field graphql.Colle
 		}
 		return graphql.Null
 	}
-	res := resTmp.([]string)
+	res := resTmp.(*model.Pagination)
 	fc.Result = res
-	return ec.marshalNString2ᚕstringᚄ(ctx, field.Selections, res)
+	return ec.marshalNPagination2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPagination(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_User_roles(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Webhooks_pagination(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "User",
+		Object:     "Webhooks",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			switch field.Name {
+			case "limit":
+				return ec.fieldContext_Pagination_limit(ctx, field)
+			case "page":
+				return ec.fieldContext_Pagination_page(ctx, field)
+			case "offset":
+				return ec.fieldContext_Pagination_offset(ctx, field)
+			case "total":
+				return ec.fieldContext_Pagination_total(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type Pagination", field.Name)
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _User_created_at(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_User_created_at(ctx, field)
+func (ec *executionContext) _Webhooks_webhooks(ctx context.Context, field graphql.CollectedField, obj *model.Webhooks) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Webhooks_webhooks(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -18787,35 +17815,56 @@ func (ec *executionContext) _User_created_at(ctx context.Context, field graphql.
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.CreatedAt, nil
+		return obj.Webhooks, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*int64)
+	res := resTmp.([]*model.Webhook)
 	fc.Result = res
-	return ec.marshalOInt642ᚖint64(ctx, field.Selections, res)
+	return ec.marshalNWebhook2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐWebhookᚄ(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_User_created_at(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Webhooks_webhooks(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "User",
+		Object:     "Webhooks",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Int64 does not have child fields")
+			switch field.Name {
+			case "id":
+				return ec.fieldContext_Webhook_id(ctx, field)
+			case "event_name":
+				return ec.fieldContext_Webhook_event_name(ctx, field)
+			case "event_description":
+				return ec.fieldContext_Webhook_event_description(ctx, field)
+			case "endpoint":
+				return ec.fieldContext_Webhook_endpoint(ctx, field)
+			case "enabled":
+				return ec.fieldContext_Webhook_enabled(ctx, field)
+			case "headers":
+				return ec.fieldContext_Webhook_headers(ctx, field)
+			case "created_at":
+				return ec.fieldContext_Webhook_created_at(ctx, field)
+			case "updated_at":
+				return ec.fieldContext_Webhook_updated_at(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type Webhook", field.Name)
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _User_updated_at(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_User_updated_at(ctx, field)
+func (ec *executionContext) ___Directive_name(ctx context.Context, field graphql.CollectedField, obj *introspection.Directive) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___Directive_name(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -18828,35 +17877,38 @@ func (ec *executionContext) _User_updated_at(ctx context.Context, field graphql.
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.UpdatedAt, nil
+		return obj.Name, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*int64)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalOInt642ᚖint64(ctx, field.Selections, res)
+	return ec.marshalNString2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_User_updated_at(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext___Directive_name(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "User",
+		Object:     "__Directive",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Int64 does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _User_revoked_timestamp(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_User_revoked_timestamp(ctx, field)
+func (ec *executionContext) ___Directive_description(ctx context.Context, field graphql.CollectedField, obj *introspection.Directive) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___Directive_description(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -18869,7 +17921,7 @@ func (ec *executionContext) _User_revoked_timestamp(ctx context.Context, field g
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.RevokedTimestamp, nil
+		return obj.Description(), nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -18878,26 +17930,26 @@ func (ec *executionContext) _User_revoked_timestamp(ctx context.Context, field g
 	if resTmp == nil {
 		return graphql.Null
 	}
-	res := resTmp.(*int64)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalOInt642ᚖint64(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_User_revoked_timestamp(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext___Directive_description(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "User",
+		Object:     "__Directive",
 		Field:      field,
-		IsMethod:   false,
+		IsMethod:   true,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Int64 does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _User_is_multi_factor_auth_enabled(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_User_is_multi_factor_auth_enabled(ctx, field)
+func (ec *executionContext) ___Directive_isRepeatable(ctx context.Context, field graphql.CollectedField, obj *introspection.Directive) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___Directive_isRepeatable(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -18910,23 +17962,26 @@ func (ec *executionContext) _User_is_multi_factor_auth_enabled(ctx context.Conte
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.IsMultiFactorAuthEnabled, nil
+		return obj.IsRepeatable, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*bool)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalOBoolean2ᚖbool(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_User_is_multi_factor_auth_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext___Directive_isRepeatable(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "User",
+		Object:     "__Directive",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -18937,8 +17992,8 @@ func (ec *executionContext) fieldContext_User_is_multi_factor_auth_enabled(_ con
 	return fc, nil
 }
 
-func (ec *executionContext) _User_app_data(ctx context.Context, field graphql.CollectedField, obj *model.User) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_User_app_data(ctx, field)
+func (ec *executionContext) ___Directive_locations(ctx context.Context, field graphql.CollectedField, obj *introspection.Directive) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___Directive_locations(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -18951,35 +18006,38 @@ func (ec *executionContext) _User_app_data(ctx context.Context, field graphql.Co
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.AppData, nil
+		return obj.Locations, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(map[string]any)
+	res := resTmp.([]string)
 	fc.Result = res
-	return ec.marshalOMap2map(ctx, field.Selections, res)
+	return ec.marshalN__DirectiveLocation2ᚕstringᚄ(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_User_app_data(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext___Directive_locations(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "User",
+		Object:     "__Directive",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Map does not have child fields")
+			return nil, errors.New("field of type __DirectiveLocation does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Users_pagination(ctx context.Context, field graphql.CollectedField, obj *model.Users) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Users_pagination(ctx, field)
+func (ec *executionContext) ___Directive_args(ctx context.Context, field graphql.CollectedField, obj *introspection.Directive) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___Directive_args(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -18992,7 +18050,7 @@ func (ec *executionContext) _Users_pagination(ctx context.Context, field graphql
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Pagination, nil
+		return obj.Args, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -19004,36 +18062,51 @@ func (ec *executionContext) _Users_pagination(ctx context.Context, field graphql
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Pagination)
+	res := resTmp.([]introspection.InputValue)
 	fc.Result = res
-	return ec.marshalNPagination2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPagination(ctx, field.Selections, res)
+	return ec.marshalN__InputValue2ᚕgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐInputValueᚄ(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Users_pagination(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext___Directive_args(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Users",
+		Object:     "__Directive",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			switch field.Name {
-			case "limit":
-				return ec.fieldContext_Pagination_limit(ctx, field)
-			case "page":
-				return ec.fieldContext_Pagination_page(ctx, field)
-			case "offset":
-				return ec.fieldContext_Pagination_offset(ctx, field)
-			case "total":
-				return ec.fieldContext_Pagination_total(ctx, field)
+			case "name":
+				return ec.fieldContext___InputValue_name(ctx, field)
+			case "description":
+				return ec.fieldContext___InputValue_description(ctx, field)
+			case "type":
+				return ec.fieldContext___InputValue_type(ctx, field)
+			case "defaultValue":
+				return ec.fieldContext___InputValue_defaultValue(ctx, field)
+			case "isDeprecated":
+				return ec.fieldContext___InputValue_isDeprecated(ctx, field)
+			case "deprecationReason":
+				return ec.fieldContext___InputValue_deprecationReason(ctx, field)
 			}
-			return nil, fmt.Errorf("no field named %q was found under type Pagination", field.Name)
+			return nil, fmt.Errorf("no field named %q was found under type __InputValue", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field___Directive_args_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Users_users(ctx context.Context, field graphql.CollectedField, obj *model.Users) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Users_users(ctx, field)
+func (ec *executionContext) ___EnumValue_name(ctx context.Context, field graphql.CollectedField, obj *introspection.EnumValue) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___EnumValue_name(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -19046,7 +18119,7 @@ func (ec *executionContext) _Users_users(ctx context.Context, field graphql.Coll
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Users, nil
+		return obj.Name, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -19058,68 +18131,26 @@ func (ec *executionContext) _Users_users(ctx context.Context, field graphql.Coll
 		}
 		return graphql.Null
 	}
-	res := resTmp.([]*model.User)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalNUser2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUserᚄ(ctx, field.Selections, res)
+	return ec.marshalNString2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Users_users(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext___EnumValue_name(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Users",
+		Object:     "__EnumValue",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "id":
-				return ec.fieldContext_User_id(ctx, field)
-			case "email":
-				return ec.fieldContext_User_email(ctx, field)
-			case "email_verified":
-				return ec.fieldContext_User_email_verified(ctx, field)
-			case "signup_methods":
-				return ec.fieldContext_User_signup_methods(ctx, field)
-			case "given_name":
-				return ec.fieldContext_User_given_name(ctx, field)
-			case "family_name":
-				return ec.fieldContext_User_family_name(ctx, field)
-			case "middle_name":
-				return ec.fieldContext_User_middle_name(ctx, field)
-			case "nickname":
-				return ec.fieldContext_User_nickname(ctx, field)
-			case "preferred_username":
-				return ec.fieldContext_User_preferred_username(ctx, field)
-			case "gender":
-				return ec.fieldContext_User_gender(ctx, field)
-			case "birthdate":
-				return ec.fieldContext_User_birthdate(ctx, field)
-			case "phone_number":
-				return ec.fieldContext_User_phone_number(ctx, field)
-			case "phone_number_verified":
-				return ec.fieldContext_User_phone_number_verified(ctx, field)
-			case "picture":
-				return ec.fieldContext_User_picture(ctx, field)
-			case "roles":
-				return ec.fieldContext_User_roles(ctx, field)
-			case "created_at":
-				return ec.fieldContext_User_created_at(ctx, field)
-			case "updated_at":
-				return ec.fieldContext_User_updated_at(ctx, field)
-			case "revoked_timestamp":
-				return ec.fieldContext_User_revoked_timestamp(ctx, field)
-			case "is_multi_factor_auth_enabled":
-				return ec.fieldContext_User_is_multi_factor_auth_enabled(ctx, field)
-			case "app_data":
-				return ec.fieldContext_User_app_data(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type User", field.Name)
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _ValidateJWTTokenResponse_is_valid(ctx context.Context, field graphql.CollectedField, obj *model.ValidateJWTTokenResponse) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_ValidateJWTTokenResponse_is_valid(ctx, field)
+func (ec *executionContext) ___EnumValue_description(ctx context.Context, field graphql.CollectedField, obj *introspection.EnumValue) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___EnumValue_description(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -19132,38 +18163,35 @@ func (ec *executionContext) _ValidateJWTTokenResponse_is_valid(ctx context.Conte
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.IsValid, nil
+		return obj.Description(), nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_ValidateJWTTokenResponse_is_valid(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext___EnumValue_description(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "ValidateJWTTokenResponse",
+		Object:     "__EnumValue",
 		Field:      field,
-		IsMethod:   false,
+		IsMethod:   true,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _ValidateJWTTokenResponse_claims(ctx context.Context, field graphql.CollectedField, obj *model.ValidateJWTTokenResponse) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_ValidateJWTTokenResponse_claims(ctx, field)
+func (ec *executionContext) ___EnumValue_isDeprecated(ctx context.Context, field graphql.CollectedField, obj *introspection.EnumValue) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___EnumValue_isDeprecated(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -19176,35 +18204,38 @@ func (ec *executionContext) _ValidateJWTTokenResponse_claims(ctx context.Context
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Claims, nil
+		return obj.IsDeprecated(), nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(map[string]any)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalOMap2map(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_ValidateJWTTokenResponse_claims(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext___EnumValue_isDeprecated(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "ValidateJWTTokenResponse",
+		Object:     "__EnumValue",
 		Field:      field,
-		IsMethod:   false,
+		IsMethod:   true,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Map does not have child fields")
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _ValidateSessionResponse_is_valid(ctx context.Context, field graphql.CollectedField, obj *model.ValidateSessionResponse) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_ValidateSessionResponse_is_valid(ctx, field)
+func (ec *executionContext) ___EnumValue_deprecationReason(ctx context.Context, field graphql.CollectedField, obj *introspection.EnumValue) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___EnumValue_deprecationReason(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -19217,38 +18248,35 @@ func (ec *executionContext) _ValidateSessionResponse_is_valid(ctx context.Contex
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.IsValid, nil
+		return obj.DeprecationReason(), nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_ValidateSessionResponse_is_valid(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext___EnumValue_deprecationReason(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "ValidateSessionResponse",
+		Object:     "__EnumValue",
 		Field:      field,
-		IsMethod:   false,
+		IsMethod:   true,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _ValidateSessionResponse_user(ctx context.Context, field graphql.CollectedField, obj *model.ValidateSessionResponse) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_ValidateSessionResponse_user(ctx, field)
+func (ec *executionContext) ___Field_name(ctx context.Context, field graphql.CollectedField, obj *introspection.Field) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___Field_name(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -19261,7 +18289,7 @@ func (ec *executionContext) _ValidateSessionResponse_user(ctx context.Context, f
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.User, nil
+		return obj.Name, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -19273,68 +18301,26 @@ func (ec *executionContext) _ValidateSessionResponse_user(ctx context.Context, f
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.User)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalNUser2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUser(ctx, field.Selections, res)
+	return ec.marshalNString2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_ValidateSessionResponse_user(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext___Field_name(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "ValidateSessionResponse",
+		Object:     "__Field",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "id":
-				return ec.fieldContext_User_id(ctx, field)
-			case "email":
-				return ec.fieldContext_User_email(ctx, field)
-			case "email_verified":
-				return ec.fieldContext_User_email_verified(ctx, field)
-			case "signup_methods":
-				return ec.fieldContext_User_signup_methods(ctx, field)
-			case "given_name":
-				return ec.fieldContext_User_given_name(ctx, field)
-			case "family_name":
-				return ec.fieldContext_User_family_name(ctx, field)
-			case "middle_name":
-				return ec.fieldContext_User_middle_name(ctx, field)
-			case "nickname":
-				return ec.fieldContext_User_nickname(ctx, field)
-			case "preferred_username":
-				return ec.fieldContext_User_preferred_username(ctx, field)
-			case "gender":
-				return ec.fieldContext_User_gender(ctx, field)
-			case "birthdate":
-				return ec.fieldContext_User_birthdate(ctx, field)
-			case "phone_number":
-				return ec.fieldContext_User_phone_number(ctx, field)
-			case "phone_number_verified":
-				return ec.fieldContext_User_phone_number_verified(ctx, field)
-			case "picture":
-				return ec.fieldContext_User_picture(ctx, field)
-			case "roles":
-				return ec.fieldContext_User_roles(ctx, field)
-			case "created_at":
-				return ec.fieldContext_User_created_at(ctx, field)
-			case "updated_at":
-				return ec.fieldContext_User_updated_at(ctx, field)
-			case "revoked_timestamp":
-				return ec.fieldContext_User_revoked_timestamp(ctx, field)
-			case "is_multi_factor_auth_enabled":
-				return ec.fieldContext_User_is_multi_factor_auth_enabled(ctx, field)
-			case "app_data":
-				return ec.fieldContext_User_app_data(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type User", field.Name)
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _VerificationRequest_id(ctx context.Context, field graphql.CollectedField, obj *model.VerificationRequest) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_VerificationRequest_id(ctx, field)
+func (ec *executionContext) ___Field_description(ctx context.Context, field graphql.CollectedField, obj *introspection.Field) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___Field_description(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -19347,38 +18333,35 @@ func (ec *executionContext) _VerificationRequest_id(ctx context.Context, field g
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.ID, nil
+		return obj.Description(), nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(string)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNID2string(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_VerificationRequest_id(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext___Field_description(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "VerificationRequest",
+		Object:     "__Field",
 		Field:      field,
-		IsMethod:   false,
+		IsMethod:   true,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type ID does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _VerificationRequest_identifier(ctx context.Context, field graphql.CollectedField, obj *model.VerificationRequest) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_VerificationRequest_identifier(ctx, field)
+func (ec *executionContext) ___Field_args(ctx context.Context, field graphql.CollectedField, obj *introspection.Field) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___Field_args(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -19391,35 +18374,63 @@ func (ec *executionContext) _VerificationRequest_identifier(ctx context.Context,
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Identifier, nil
+		return obj.Args, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.([]introspection.InputValue)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalN__InputValue2ᚕgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐInputValueᚄ(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_VerificationRequest_identifier(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext___Field_args(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "VerificationRequest",
+		Object:     "__Field",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			switch field.Name {
+			case "name":
+				return ec.fieldContext___InputValue_name(ctx, field)
+			case "description":
+				return ec.fieldContext___InputValue_description(ctx, field)
+			case "type":
+				return ec.fieldContext___InputValue_type(ctx, field)
+			case "defaultValue":
+				return ec.fieldContext___InputValue_defaultValue(ctx, field)
+			case "isDeprecated":
+				return ec.fieldContext___InputValue_isDeprecated(ctx, field)
+			case "deprecationReason":
+				return ec.fieldContext___InputValue_deprecationReason(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type __InputValue", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field___Field_args_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _VerificationRequest_token(ctx context.Context, field graphql.CollectedField, obj *model.VerificationRequest) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_VerificationRequest_token(ctx, field)
+func (ec *executionContext) ___Field_type(ctx context.Context, field graphql.CollectedField, obj *introspection.Field) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___Field_type(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -19432,35 +18443,62 @@ func (ec *executionContext) _VerificationRequest_token(ctx context.Context, fiel
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Token, nil
+		return obj.Type, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(*introspection.Type)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalN__Type2ᚖgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐType(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_VerificationRequest_token(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext___Field_type(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "VerificationRequest",
+		Object:     "__Field",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			switch field.Name {
+			case "kind":
+				return ec.fieldContext___Type_kind(ctx, field)
+			case "name":
+				return ec.fieldContext___Type_name(ctx, field)
+			case "description":
+				return ec.fieldContext___Type_description(ctx, field)
+			case "specifiedByURL":
+				return ec.fieldContext___Type_specifiedByURL(ctx, field)
+			case "fields":
+				return ec.fieldContext___Type_fields(ctx, field)
+			case "interfaces":
+				return ec.fieldContext___Type_interfaces(ctx, field)
+			case "possibleTypes":
+				return ec.fieldContext___Type_possibleTypes(ctx, field)
+			case "enumValues":
+				return ec.fieldContext___Type_enumValues(ctx, field)
+			case "inputFields":
+				return ec.fieldContext___Type_inputFields(ctx, field)
+			case "ofType":
+				return ec.fieldContext___Type_ofType(ctx, field)
+			case "isOneOf":
+				return ec.fieldContext___Type_isOneOf(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type __Type", field.Name)
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _VerificationRequest_email(ctx context.Context, field graphql.CollectedField, obj *model.VerificationRequest) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_VerificationRequest_email(ctx, field)
+func (ec *executionContext) ___Field_isDeprecated(ctx context.Context, field graphql.CollectedField, obj *introspection.Field) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___Field_isDeprecated(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -19473,35 +18511,38 @@ func (ec *executionContext) _VerificationRequest_email(ctx context.Context, fiel
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Email, nil
+		return obj.IsDeprecated(), nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_VerificationRequest_email(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext___Field_isDeprecated(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "VerificationRequest",
+		Object:     "__Field",
 		Field:      field,
-		IsMethod:   false,
+		IsMethod:   true,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _VerificationRequest_expires(ctx context.Context, field graphql.CollectedField, obj *model.VerificationRequest) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_VerificationRequest_expires(ctx, field)
+func (ec *executionContext) ___Field_deprecationReason(ctx context.Context, field graphql.CollectedField, obj *introspection.Field) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___Field_deprecationReason(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -19514,7 +18555,7 @@ func (ec *executionContext) _VerificationRequest_expires(ctx context.Context, fi
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Expires, nil
+		return obj.DeprecationReason(), nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -19523,26 +18564,26 @@ func (ec *executionContext) _VerificationRequest_expires(ctx context.Context, fi
 	if resTmp == nil {
 		return graphql.Null
 	}
-	res := resTmp.(*int64)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalOInt642ᚖint64(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_VerificationRequest_expires(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext___Field_deprecationReason(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "VerificationRequest",
+		Object:     "__Field",
 		Field:      field,
-		IsMethod:   false,
+		IsMethod:   true,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Int64 does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _VerificationRequest_created_at(ctx context.Context, field graphql.CollectedField, obj *model.VerificationRequest) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_VerificationRequest_created_at(ctx, field)
+func (ec *executionContext) ___InputValue_name(ctx context.Context, field graphql.CollectedField, obj *introspection.InputValue) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___InputValue_name(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -19555,35 +18596,38 @@ func (ec *executionContext) _VerificationRequest_created_at(ctx context.Context,
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.CreatedAt, nil
+		return obj.Name, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*int64)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalOInt642ᚖint64(ctx, field.Selections, res)
+	return ec.marshalNString2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_VerificationRequest_created_at(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext___InputValue_name(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "VerificationRequest",
+		Object:     "__InputValue",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Int64 does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _VerificationRequest_updated_at(ctx context.Context, field graphql.CollectedField, obj *model.VerificationRequest) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_VerificationRequest_updated_at(ctx, field)
+func (ec *executionContext) ___InputValue_description(ctx context.Context, field graphql.CollectedField, obj *introspection.InputValue) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___InputValue_description(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -19596,7 +18640,7 @@ func (ec *executionContext) _VerificationRequest_updated_at(ctx context.Context,
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.UpdatedAt, nil
+		return obj.Description(), nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -19605,26 +18649,26 @@ func (ec *executionContext) _VerificationRequest_updated_at(ctx context.Context,
 	if resTmp == nil {
 		return graphql.Null
 	}
-	res := resTmp.(*int64)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalOInt642ᚖint64(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_VerificationRequest_updated_at(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext___InputValue_description(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "VerificationRequest",
+		Object:     "__InputValue",
 		Field:      field,
-		IsMethod:   false,
+		IsMethod:   true,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Int64 does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _VerificationRequest_nonce(ctx context.Context, field graphql.CollectedField, obj *model.VerificationRequest) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_VerificationRequest_nonce(ctx, field)
+func (ec *executionContext) ___InputValue_type(ctx context.Context, field graphql.CollectedField, obj *introspection.InputValue) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___InputValue_type(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -19637,35 +18681,62 @@ func (ec *executionContext) _VerificationRequest_nonce(ctx context.Context, fiel
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Nonce, nil
+		return obj.Type, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(*introspection.Type)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalN__Type2ᚖgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐType(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_VerificationRequest_nonce(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext___InputValue_type(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "VerificationRequest",
+		Object:     "__InputValue",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			switch field.Name {
+			case "kind":
+				return ec.fieldContext___Type_kind(ctx, field)
+			case "name":
+				return ec.fieldContext___Type_name(ctx, field)
+			case "description":
+				return ec.fieldContext___Type_description(ctx, field)
+			case "specifiedByURL":
+				return ec.fieldContext___Type_specifiedByURL(ctx, field)
+			case "fields":
+				return ec.fieldContext___Type_fields(ctx, field)
+			case "interfaces":
+				return ec.fieldContext___Type_interfaces(ctx, field)
+			case "possibleTypes":
+				return ec.fieldContext___Type_possibleTypes(ctx, field)
+			case "enumValues":
+				return ec.fieldContext___Type_enumValues(ctx, field)
+			case "inputFields":
+				return ec.fieldContext___Type_inputFields(ctx, field)
+			case "ofType":
+				return ec.fieldContext___Type_ofType(ctx, field)
+			case "isOneOf":
+				return ec.fieldContext___Type_isOneOf(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type __Type", field.Name)
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _VerificationRequest_redirect_uri(ctx context.Context, field graphql.CollectedField, obj *model.VerificationRequest) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_VerificationRequest_redirect_uri(ctx, field)
+func (ec *executionContext) ___InputValue_defaultValue(ctx context.Context, field graphql.CollectedField, obj *introspection.InputValue) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___InputValue_defaultValue(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -19678,7 +18749,7 @@ func (ec *executionContext) _VerificationRequest_redirect_uri(ctx context.Contex
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.RedirectURI, nil
+		return obj.DefaultValue, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -19692,9 +18763,9 @@ func (ec *executionContext) _VerificationRequest_redirect_uri(ctx context.Contex
 	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_VerificationRequest_redirect_uri(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext___InputValue_defaultValue(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "VerificationRequest",
+		Object:     "__InputValue",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -19705,8 +18776,8 @@ func (ec *executionContext) fieldContext_VerificationRequest_redirect_uri(_ cont
 	return fc, nil
 }
 
-func (ec *executionContext) _VerificationRequests_pagination(ctx context.Context, field graphql.CollectedField, obj *model.VerificationRequests) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_VerificationRequests_pagination(ctx, field)
+func (ec *executionContext) ___InputValue_isDeprecated(ctx context.Context, field graphql.CollectedField, obj *introspection.InputValue) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___InputValue_isDeprecated(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -19719,7 +18790,7 @@ func (ec *executionContext) _VerificationRequests_pagination(ctx context.Context
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Pagination, nil
+		return obj.IsDeprecated(), nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -19731,36 +18802,26 @@ func (ec *executionContext) _VerificationRequests_pagination(ctx context.Context
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Pagination)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalNPagination2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPagination(ctx, field.Selections, res)
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_VerificationRequests_pagination(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext___InputValue_isDeprecated(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "VerificationRequests",
+		Object:     "__InputValue",
 		Field:      field,
-		IsMethod:   false,
+		IsMethod:   true,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "limit":
-				return ec.fieldContext_Pagination_limit(ctx, field)
-			case "page":
-				return ec.fieldContext_Pagination_page(ctx, field)
-			case "offset":
-				return ec.fieldContext_Pagination_offset(ctx, field)
-			case "total":
-				return ec.fieldContext_Pagination_total(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type Pagination", field.Name)
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _VerificationRequests_verification_requests(ctx context.Context, field graphql.CollectedField, obj *model.VerificationRequests) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_VerificationRequests_verification_requests(ctx, field)
+func (ec *executionContext) ___InputValue_deprecationReason(ctx context.Context, field graphql.CollectedField, obj *introspection.InputValue) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___InputValue_deprecationReason(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -19773,58 +18834,35 @@ func (ec *executionContext) _VerificationRequests_verification_requests(ctx cont
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.VerificationRequests, nil
+		return obj.DeprecationReason(), nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.([]*model.VerificationRequest)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNVerificationRequest2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐVerificationRequestᚄ(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_VerificationRequests_verification_requests(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext___InputValue_deprecationReason(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "VerificationRequests",
+		Object:     "__InputValue",
 		Field:      field,
-		IsMethod:   false,
+		IsMethod:   true,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "id":
-				return ec.fieldContext_VerificationRequest_id(ctx, field)
-			case "identifier":
-				return ec.fieldContext_VerificationRequest_identifier(ctx, field)
-			case "token":
-				return ec.fieldContext_VerificationRequest_token(ctx, field)
-			case "email":
-				return ec.fieldContext_VerificationRequest_email(ctx, field)
-			case "expires":
-				return ec.fieldContext_VerificationRequest_expires(ctx, field)
-			case "created_at":
-				return ec.fieldContext_VerificationRequest_created_at(ctx, field)
-			case "updated_at":
-				return ec.fieldContext_VerificationRequest_updated_at(ctx, field)
-			case "nonce":
-				return ec.fieldContext_VerificationRequest_nonce(ctx, field)
-			case "redirect_uri":
-				return ec.fieldContext_VerificationRequest_redirect_uri(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type VerificationRequest", field.Name)
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Webhook_id(ctx context.Context, field graphql.CollectedField, obj *model.Webhook) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Webhook_id(ctx, field)
+func (ec *executionContext) ___Schema_description(ctx context.Context, field graphql.CollectedField, obj *introspection.Schema) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___Schema_description(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -19837,38 +18875,35 @@ func (ec *executionContext) _Webhook_id(ctx context.Context, field graphql.Colle
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.ID, nil
+		return obj.Description(), nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(string)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNID2string(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Webhook_id(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext___Schema_description(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Webhook",
+		Object:     "__Schema",
 		Field:      field,
-		IsMethod:   false,
+		IsMethod:   true,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type ID does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Webhook_event_name(ctx context.Context, field graphql.CollectedField, obj *model.Webhook) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Webhook_event_name(ctx, field)
+func (ec *executionContext) ___Schema_types(ctx context.Context, field graphql.CollectedField, obj *introspection.Schema) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___Schema_types(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -19881,35 +18916,62 @@ func (ec *executionContext) _Webhook_event_name(ctx context.Context, field graph
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.EventName, nil
+		return obj.Types(), nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.([]introspection.Type)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalN__Type2ᚕgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐTypeᚄ(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Webhook_event_name(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext___Schema_types(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Webhook",
+		Object:     "__Schema",
 		Field:      field,
-		IsMethod:   false,
+		IsMethod:   true,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			switch field.Name {
+			case "kind":
+				return ec.fieldContext___Type_kind(ctx, field)
+			case "name":
+				return ec.fieldContext___Type_name(ctx, field)
+			case "description":
+				return ec.fieldContext___Type_description(ctx, field)
+			case "specifiedByURL":
+				return ec.fieldContext___Type_specifiedByURL(ctx, field)
+			case "fields":
+				return ec.fieldContext___Type_fields(ctx, field)
+			case "interfaces":
+				return ec.fieldContext___Type_interfaces(ctx, field)
+			case "possibleTypes":
+				return ec.fieldContext___Type_possibleTypes(ctx, field)
+			case "enumValues":
+				return ec.fieldContext___Type_enumValues(ctx, field)
+			case "inputFields":
+				return ec.fieldContext___Type_inputFields(ctx, field)
+			case "ofType":
+				return ec.fieldContext___Type_ofType(ctx, field)
+			case "isOneOf":
+				return ec.fieldContext___Type_isOneOf(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type __Type", field.Name)
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Webhook_event_description(ctx context.Context, field graphql.CollectedField, obj *model.Webhook) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Webhook_event_description(ctx, field)
+func (ec *executionContext) ___Schema_queryType(ctx context.Context, field graphql.CollectedField, obj *introspection.Schema) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___Schema_queryType(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -19922,35 +18984,62 @@ func (ec *executionContext) _Webhook_event_description(ctx context.Context, fiel
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.EventDescription, nil
+		return obj.QueryType(), nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(*introspection.Type)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalN__Type2ᚖgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐType(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Webhook_event_description(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext___Schema_queryType(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Webhook",
+		Object:     "__Schema",
 		Field:      field,
-		IsMethod:   false,
+		IsMethod:   true,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			switch field.Name {
+			case "kind":
+				return ec.fieldContext___Type_kind(ctx, field)
+			case "name":
+				return ec.fieldContext___Type_name(ctx, field)
+			case "description":
+				return ec.fieldContext___Type_description(ctx, field)
+			case "specifiedByURL":
+				return ec.fieldContext___Type_specifiedByURL(ctx, field)
+			case "fields":
+				return ec.fieldContext___Type_fields(ctx, field)
+			case "interfaces":
+				return ec.fieldContext___Type_interfaces(ctx, field)
+			case "possibleTypes":
+				return ec.fieldContext___Type_possibleTypes(ctx, field)
+			case "enumValues":
+				return ec.fieldContext___Type_enumValues(ctx, field)
+			case "inputFields":
+				return ec.fieldContext___Type_inputFields(ctx, field)
+			case "ofType":
+				return ec.fieldContext___Type_ofType(ctx, field)
+			case "isOneOf":
+				return ec.fieldContext___Type_isOneOf(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type __Type", field.Name)
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Webhook_endpoint(ctx context.Context, field graphql.CollectedField, obj *model.Webhook) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Webhook_endpoint(ctx, field)
+func (ec *executionContext) ___Schema_mutationType(ctx context.Context, field graphql.CollectedField, obj *introspection.Schema) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___Schema_mutationType(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -19963,7 +19052,7 @@ func (ec *executionContext) _Webhook_endpoint(ctx context.Context, field graphql
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Endpoint, nil
+		return obj.MutationType(), nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -19972,26 +19061,50 @@ func (ec *executionContext) _Webhook_endpoint(ctx context.Context, field graphql
 	if resTmp == nil {
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.(*introspection.Type)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalO__Type2ᚖgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐType(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Webhook_endpoint(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext___Schema_mutationType(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Webhook",
+		Object:     "__Schema",
 		Field:      field,
-		IsMethod:   false,
+		IsMethod:   true,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			switch field.Name {
+			case "kind":
+				return ec.fieldContext___Type_kind(ctx, field)
+			case "name":
+				return ec.fieldContext___Type_name(ctx, field)
+			case "description":
+				return ec.fieldContext___Type_description(ctx, field)
+			case "specifiedByURL":
+				return ec.fieldContext___Type_specifiedByURL(ctx, field)
+			case "fields":
+				return ec.fieldContext___Type_fields(ctx, field)
+			case "interfaces":
+				return ec.fieldContext___Type_interfaces(ctx, field)
+			case "possibleTypes":
+				return ec.fieldContext___Type_possibleTypes(ctx, field)
+			case "enumValues":
+				return ec.fieldContext___Type_enumValues(ctx, field)
+			case "inputFields":
+				return ec.fieldContext___Type_inputFields(ctx, field)
+			case "ofType":
+				return ec.fieldContext___Type_ofType(ctx, field)
+			case "isOneOf":
+				return ec.fieldContext___Type_isOneOf(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type __Type", field.Name)
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Webhook_enabled(ctx context.Context, field graphql.CollectedField, obj *model.Webhook) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Webhook_enabled(ctx, field)
+func (ec *executionContext) ___Schema_subscriptionType(ctx context.Context, field graphql.CollectedField, obj *introspection.Schema) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___Schema_subscriptionType(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -20004,7 +19117,7 @@ func (ec *executionContext) _Webhook_enabled(ctx context.Context, field graphql.
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Enabled, nil
+		return obj.SubscriptionType(), nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -20013,26 +19126,50 @@ func (ec *executionContext) _Webhook_enabled(ctx context.Context, field graphql.
 	if resTmp == nil {
 		return graphql.Null
 	}
-	res := resTmp.(*bool)
+	res := resTmp.(*introspection.Type)
 	fc.Result = res
-	return ec.marshalOBoolean2ᚖbool(ctx, field.Selections, res)
+	return ec.marshalO__Type2ᚖgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐType(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Webhook_enabled(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext___Schema_subscriptionType(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Webhook",
+		Object:     "__Schema",
 		Field:      field,
-		IsMethod:   false,
+		IsMethod:   true,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			switch field.Name {
+			case "kind":
+				return ec.fieldContext___Type_kind(ctx, field)
+			case "name":
+				return ec.fieldContext___Type_name(ctx, field)
+			case "description":
+				return ec.fieldContext___Type_description(ctx, field)
+			case "specifiedByURL":
+				return ec.fieldContext___Type_specifiedByURL(ctx, field)
+			case "fields":
+				return ec.fieldContext___Type_fields(ctx, field)
+			case "interfaces":
+				return ec.fieldContext___Type_interfaces(ctx, field)
+			case "possibleTypes":
+				return ec.fieldContext___Type_possibleTypes(ctx, field)
+			case "enumValues":
+				return ec.fieldContext___Type_enumValues(ctx, field)
+			case "inputFields":
+				return ec.fieldContext___Type_inputFields(ctx, field)
+			case "ofType":
+				return ec.fieldContext___Type_ofType(ctx, field)
+			case "isOneOf":
+				return ec.fieldContext___Type_isOneOf(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type __Type", field.Name)
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Webhook_headers(ctx context.Context, field graphql.CollectedField, obj *model.Webhook) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Webhook_headers(ctx, field)
+func (ec *executionContext) ___Schema_directives(ctx context.Context, field graphql.CollectedField, obj *introspection.Schema) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___Schema_directives(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -20045,35 +19182,50 @@ func (ec *executionContext) _Webhook_headers(ctx context.Context, field graphql.
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Headers, nil
+		return obj.Directives(), nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(map[string]any)
+	res := resTmp.([]introspection.Directive)
 	fc.Result = res
-	return ec.marshalOMap2map(ctx, field.Selections, res)
+	return ec.marshalN__Directive2ᚕgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐDirectiveᚄ(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Webhook_headers(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext___Schema_directives(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Webhook",
+		Object:     "__Schema",
 		Field:      field,
-		IsMethod:   false,
+		IsMethod:   true,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Map does not have child fields")
+			switch field.Name {
+			case "name":
+				return ec.fieldContext___Directive_name(ctx, field)
+			case "description":
+				return ec.fieldContext___Directive_description(ctx, field)
+			case "isRepeatable":
+				return ec.fieldContext___Directive_isRepeatable(ctx, field)
+			case "locations":
+				return ec.fieldContext___Directive_locations(ctx, field)
+			case "args":
+				return ec.fieldContext___Directive_args(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type __Directive", field.Name)
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Webhook_created_at(ctx context.Context, field graphql.CollectedField, obj *model.Webhook) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Webhook_created_at(ctx, field)
+func (ec *executionContext) ___Type_kind(ctx context.Context, field graphql.CollectedField, obj *introspection.Type) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___Type_kind(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -20086,35 +19238,38 @@ func (ec *executionContext) _Webhook_created_at(ctx context.Context, field graph
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.CreatedAt, nil
+		return obj.Kind(), nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
 		return graphql.Null
 	}
-	res := resTmp.(*int64)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalOInt642ᚖint64(ctx, field.Selections, res)
+	return ec.marshalN__TypeKind2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Webhook_created_at(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext___Type_kind(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Webhook",
+		Object:     "__Type",
 		Field:      field,
-		IsMethod:   false,
+		IsMethod:   true,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Int64 does not have child fields")
+			return nil, errors.New("field of type __TypeKind does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Webhook_updated_at(ctx context.Context, field graphql.CollectedField, obj *model.Webhook) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Webhook_updated_at(ctx, field)
+func (ec *executionContext) ___Type_name(ctx context.Context, field graphql.CollectedField, obj *introspection.Type) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___Type_name(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -20127,7 +19282,7 @@ func (ec *executionContext) _Webhook_updated_at(ctx context.Context, field graph
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.UpdatedAt, nil
+		return obj.Name(), nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -20136,26 +19291,26 @@ func (ec *executionContext) _Webhook_updated_at(ctx context.Context, field graph
 	if resTmp == nil {
 		return graphql.Null
 	}
-	res := resTmp.(*int64)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalOInt642ᚖint64(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Webhook_updated_at(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext___Type_name(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Webhook",
+		Object:     "__Type",
 		Field:      field,
-		IsMethod:   false,
+		IsMethod:   true,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Int64 does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _WebhookLog_id(ctx context.Context, field graphql.CollectedField, obj *model.WebhookLog) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_WebhookLog_id(ctx, field)
+func (ec *executionContext) ___Type_description(ctx context.Context, field graphql.CollectedField, obj *introspection.Type) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___Type_description(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -20168,38 +19323,35 @@ func (ec *executionContext) _WebhookLog_id(ctx context.Context, field graphql.Co
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.ID, nil
+		return obj.Description(), nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(string)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalNID2string(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_WebhookLog_id(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext___Type_description(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "WebhookLog",
+		Object:     "__Type",
 		Field:      field,
-		IsMethod:   false,
+		IsMethod:   true,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type ID does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _WebhookLog_http_status(ctx context.Context, field graphql.CollectedField, obj *model.WebhookLog) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_WebhookLog_http_status(ctx, field)
+func (ec *executionContext) ___Type_specifiedByURL(ctx context.Context, field graphql.CollectedField, obj *introspection.Type) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___Type_specifiedByURL(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -20212,7 +19364,7 @@ func (ec *executionContext) _WebhookLog_http_status(ctx context.Context, field g
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.HTTPStatus, nil
+		return obj.SpecifiedByURL(), nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -20221,26 +19373,26 @@ func (ec *executionContext) _WebhookLog_http_status(ctx context.Context, field g
 	if resTmp == nil {
 		return graphql.Null
 	}
-	res := resTmp.(*int64)
+	res := resTmp.(*string)
 	fc.Result = res
-	return ec.marshalOInt642ᚖint64(ctx, field.Selections, res)
+	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_WebhookLog_http_status(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext___Type_specifiedByURL(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "WebhookLog",
+		Object:     "__Type",
 		Field:      field,
-		IsMethod:   false,
+		IsMethod:   true,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Int64 does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _WebhookLog_response(ctx context.Context, field graphql.CollectedField, obj *model.WebhookLog) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_WebhookLog_response(ctx, field)
+func (ec *executionContext) ___Type_fields(ctx context.Context, field graphql.CollectedField, obj *introspection.Type) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___Type_fields(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -20253,7 +19405,7 @@ func (ec *executionContext) _WebhookLog_response(ctx context.Context, field grap
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Response, nil
+		return obj.Fields(fc.Args["includeDeprecated"].(bool)), nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -20262,26 +19414,51 @@ func (ec *executionContext) _WebhookLog_response(ctx context.Context, field grap
 	if resTmp == nil {
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.([]introspection.Field)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalO__Field2ᚕgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐFieldᚄ(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_WebhookLog_response(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext___Type_fields(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "WebhookLog",
+		Object:     "__Type",
 		Field:      field,
-		IsMethod:   false,
+		IsMethod:   true,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
+			switch field.Name {
+			case "name":
+				return ec.fieldContext___Field_name(ctx, field)
+			case "description":
+				return ec.fieldContext___Field_description(ctx, field)
+			case "args":
+				return ec.fieldContext___Field_args(ctx, field)
+			case "type":
+				return ec.fieldContext___Field_type(ctx, field)
+			case "isDeprecated":
+				return ec.fieldContext___Field_isDeprecated(ctx, field)
+			case "deprecationReason":
+				return ec.fieldContext___Field_deprecationReason(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type __Field", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field___Type_fields_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _WebhookLog_request(ctx context.Context, field graphql.CollectedField, obj *model.WebhookLog) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_WebhookLog_request(ctx, field)
+func (ec *executionContext) ___Type_interfaces(ctx context.Context, field graphql.CollectedField, obj *introspection.Type) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___Type_interfaces(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -20294,7 +19471,7 @@ func (ec *executionContext) _WebhookLog_request(ctx context.Context, field graph
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Request, nil
+		return obj.Interfaces(), nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -20303,67 +19480,50 @@ func (ec *executionContext) _WebhookLog_request(ctx context.Context, field graph
 	if resTmp == nil {
 		return graphql.Null
 	}
-	res := resTmp.(*string)
+	res := resTmp.([]introspection.Type)
 	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+	return ec.marshalO__Type2ᚕgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐTypeᚄ(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_WebhookLog_request(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext___Type_interfaces(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "WebhookLog",
+		Object:     "__Type",
 		Field:      field,
-		IsMethod:   false,
+		IsMethod:   true,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
-		},
-	}
-	return fc, nil
-}
-
-func (ec *executionContext) _WebhookLog_webhook_id(ctx context.Context, field graphql.CollectedField, obj *model.WebhookLog) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_WebhookLog_webhook_id(ctx, field)
-	if err != nil {
-		return graphql.Null
-	}
-	ctx = graphql.WithFieldContext(ctx, fc)
-	defer func() {
-		if r := recover(); r != nil {
-			ec.Error(ctx, ec.Recover(ctx, r))
-			ret = graphql.Null
-		}
-	}()
-	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
-		ctx = rctx // use context from middleware stack in children
-		return obj.WebhookID, nil
-	})
-	if err != nil {
-		ec.Error(ctx, err)
-		return graphql.Null
-	}
-	if resTmp == nil {
-		return graphql.Null
-	}
-	res := resTmp.(*string)
-	fc.Result = res
-	return ec.marshalOID2ᚖstring(ctx, field.Selections, res)
-}
-
-func (ec *executionContext) fieldContext_WebhookLog_webhook_id(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
-	fc = &graphql.FieldContext{
-		Object:     "WebhookLog",
-		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
-		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type ID does not have child fields")
+			switch field.Name {
+			case "kind":
+				return ec.fieldContext___Type_kind(ctx, field)
+			case "name":
+				return ec.fieldContext___Type_name(ctx, field)
+			case "description":
+				return ec.fieldContext___Type_description(ctx, field)
+			case "specifiedByURL":
+				return ec.fieldContext___Type_specifiedByURL(ctx, field)
+			case "fields":
+				return ec.fieldContext___Type_fields(ctx, field)
+			case "interfaces":
+				return ec.fieldContext___Type_interfaces(ctx, field)
+			case "possibleTypes":
+				return ec.fieldContext___Type_possibleTypes(ctx, field)
+			case "enumValues":
+				return ec.fieldContext___Type_enumValues(ctx, field)
+			case "inputFields":
+				return ec.fieldContext___Type_inputFields(ctx, field)
+			case "ofType":
+				return ec.fieldContext___Type_ofType(ctx, field)
+			case "isOneOf":
+				return ec.fieldContext___Type_isOneOf(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type __Type", field.Name)
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _WebhookLog_created_at(ctx context.Context, field graphql.CollectedField, obj *model.WebhookLog) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_WebhookLog_created_at(ctx, field)
+func (ec *executionContext) ___Type_possibleTypes(ctx context.Context, field graphql.CollectedField, obj *introspection.Type) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___Type_possibleTypes(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -20376,7 +19536,7 @@ func (ec *executionContext) _WebhookLog_created_at(ctx context.Context, field gr
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.CreatedAt, nil
+		return obj.PossibleTypes(), nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -20385,26 +19545,50 @@ func (ec *executionContext) _WebhookLog_created_at(ctx context.Context, field gr
 	if resTmp == nil {
 		return graphql.Null
 	}
-	res := resTmp.(*int64)
+	res := resTmp.([]introspection.Type)
 	fc.Result = res
-	return ec.marshalOInt642ᚖint64(ctx, field.Selections, res)
+	return ec.marshalO__Type2ᚕgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐTypeᚄ(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_WebhookLog_created_at(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext___Type_possibleTypes(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "WebhookLog",
+		Object:     "__Type",
 		Field:      field,
-		IsMethod:   false,
+		IsMethod:   true,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Int64 does not have child fields")
+			switch field.Name {
+			case "kind":
+				return ec.fieldContext___Type_kind(ctx, field)
+			case "name":
+				return ec.fieldContext___Type_name(ctx, field)
+			case "description":
+				return ec.fieldContext___Type_description(ctx, field)
+			case "specifiedByURL":
+				return ec.fieldContext___Type_specifiedByURL(ctx, field)
+			case "fields":
+				return ec.fieldContext___Type_fields(ctx, field)
+			case "interfaces":
+				return ec.fieldContext___Type_interfaces(ctx, field)
+			case "possibleTypes":
+				return ec.fieldContext___Type_possibleTypes(ctx, field)
+			case "enumValues":
+				return ec.fieldContext___Type_enumValues(ctx, field)
+			case "inputFields":
+				return ec.fieldContext___Type_inputFields(ctx, field)
+			case "ofType":
+				return ec.fieldContext___Type_ofType(ctx, field)
+			case "isOneOf":
+				return ec.fieldContext___Type_isOneOf(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type __Type", field.Name)
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _WebhookLog_updated_at(ctx context.Context, field graphql.CollectedField, obj *model.WebhookLog) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_WebhookLog_updated_at(ctx, field)
+func (ec *executionContext) ___Type_enumValues(ctx context.Context, field graphql.CollectedField, obj *introspection.Type) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___Type_enumValues(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -20417,7 +19601,7 @@ func (ec *executionContext) _WebhookLog_updated_at(ctx context.Context, field gr
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.UpdatedAt, nil
+		return obj.EnumValues(fc.Args["includeDeprecated"].(bool)), nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -20426,26 +19610,47 @@ func (ec *executionContext) _WebhookLog_updated_at(ctx context.Context, field gr
 	if resTmp == nil {
 		return graphql.Null
 	}
-	res := resTmp.(*int64)
+	res := resTmp.([]introspection.EnumValue)
 	fc.Result = res
-	return ec.marshalOInt642ᚖint64(ctx, field.Selections, res)
+	return ec.marshalO__EnumValue2ᚕgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐEnumValueᚄ(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_WebhookLog_updated_at(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext___Type_enumValues(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "WebhookLog",
+		Object:     "__Type",
 		Field:      field,
-		IsMethod:   false,
+		IsMethod:   true,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Int64 does not have child fields")
+			switch field.Name {
+			case "name":
+				return ec.fieldContext___EnumValue_name(ctx, field)
+			case "description":
+				return ec.fieldContext___EnumValue_description(ctx, field)
+			case "isDeprecated":
+				return ec.fieldContext___EnumValue_isDeprecated(ctx, field)
+			case "deprecationReason":
+				return ec.fieldContext___EnumValue_deprecationReason(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type __EnumValue", field.Name)
 		},
 	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field___Type_enumValues_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
 	return fc, nil
 }
 
-func (ec *executionContext) _WebhookLogs_pagination(ctx context.Context, field graphql.CollectedField, obj *model.WebhookLogs) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_WebhookLogs_pagination(ctx, field)
+func (ec *executionContext) ___Type_inputFields(ctx context.Context, field graphql.CollectedField, obj *introspection.Type) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___Type_inputFields(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -20458,48 +19663,49 @@ func (ec *executionContext) _WebhookLogs_pagination(ctx context.Context, field g
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Pagination, nil
+		return obj.InputFields(), nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Pagination)
+	res := resTmp.([]introspection.InputValue)
 	fc.Result = res
-	return ec.marshalNPagination2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPagination(ctx, field.Selections, res)
+	return ec.marshalO__InputValue2ᚕgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐInputValueᚄ(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_WebhookLogs_pagination(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext___Type_inputFields(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "WebhookLogs",
+		Object:     "__Type",
 		Field:      field,
-		IsMethod:   false,
+		IsMethod:   true,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			switch field.Name {
-			case "limit":
-				return ec.fieldContext_Pagination_limit(ctx, field)
-			case "page":
-				return ec.fieldContext_Pagination_page(ctx, field)
-			case "offset":
-				return ec.fieldContext_Pagination_offset(ctx, field)
-			case "total":
-				return ec.fieldContext_Pagination_total(ctx, field)
+			case "name":
+				return ec.fieldContext___InputValue_name(ctx, field)
+			case "description":
+				return ec.fieldContext___InputValue_description(ctx, field)
+			case "type":
+				return ec.fieldContext___InputValue_type(ctx, field)
+			case "defaultValue":
+				return ec.fieldContext___InputValue_defaultValue(ctx, field)
+			case "isDeprecated":
+				return ec.fieldContext___InputValue_isDeprecated(ctx, field)
+			case "deprecationReason":
+				return ec.fieldContext___InputValue_deprecationReason(ctx, field)
 			}
-			return nil, fmt.Errorf("no field named %q was found under type Pagination", field.Name)
+			return nil, fmt.Errorf("no field named %q was found under type __InputValue", field.Name)
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _WebhookLogs_webhook_logs(ctx context.Context, field graphql.CollectedField, obj *model.WebhookLogs) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_WebhookLogs_webhook_logs(ctx, field)
+func (ec *executionContext) ___Type_ofType(ctx context.Context, field graphql.CollectedField, obj *introspection.Type) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___Type_ofType(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -20512,54 +19718,59 @@ func (ec *executionContext) _WebhookLogs_webhook_logs(ctx context.Context, field
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.WebhookLogs, nil
+		return obj.OfType(), nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.([]*model.WebhookLog)
+	res := resTmp.(*introspection.Type)
 	fc.Result = res
-	return ec.marshalNWebhookLog2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐWebhookLogᚄ(ctx, field.Selections, res)
+	return ec.marshalO__Type2ᚖgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐType(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_WebhookLogs_webhook_logs(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext___Type_ofType(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "WebhookLogs",
+		Object:     "__Type",
 		Field:      field,
-		IsMethod:   false,
+		IsMethod:   true,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			switch field.Name {
-			case "id":
-				return ec.fieldContext_WebhookLog_id(ctx, field)
-			case "http_status":
-				return ec.fieldContext_WebhookLog_http_status(ctx, field)
-			case "response":
-				return ec.fieldContext_WebhookLog_response(ctx, field)
-			case "request":
-				return ec.fieldContext_WebhookLog_request(ctx, field)
-			case "webhook_id":
-				return ec.fieldContext_WebhookLog_webhook_id(ctx, field)
-			case "created_at":
-				return ec.fieldContext_WebhookLog_created_at(ctx, field)
-			case "updated_at":
-				return ec.fieldContext_WebhookLog_updated_at(ctx, field)
+			case "kind":
+				return ec.fieldContext___Type_kind(ctx, field)
+			case "name":
+				return ec.fieldContext___Type_name(ctx, field)
+			case "description":
+				return ec.fieldContext___Type_description(ctx, field)
+			case "specifiedByURL":
+				return ec.fieldContext___Type_specifiedByURL(ctx, field)
+			case "fields":
+				return ec.fieldContext___Type_fields(ctx, field)
+			case "interfaces":
+				return ec.fieldContext___Type_interfaces(ctx, field)
+			case "possibleTypes":
+				return ec.fieldContext___Type_possibleTypes(ctx, field)
+			case "enumValues":
+				return ec.fieldContext___Type_enumValues(ctx, field)
+			case "inputFields":
+				return ec.fieldContext___Type_inputFields(ctx, field)
+			case "ofType":
+				return ec.fieldContext___Type_ofType(ctx, field)
+			case "isOneOf":
+				return ec.fieldContext___Type_isOneOf(ctx, field)
 			}
-			return nil, fmt.Errorf("no field named %q was found under type WebhookLog", field.Name)
+			return nil, fmt.Errorf("no field named %q was found under type __Type", field.Name)
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Webhooks_pagination(ctx context.Context, field graphql.CollectedField, obj *model.Webhooks) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Webhooks_pagination(ctx, field)
+func (ec *executionContext) ___Type_isOneOf(ctx context.Context, field graphql.CollectedField, obj *introspection.Type) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext___Type_isOneOf(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -20572,3368 +19783,829 @@ func (ec *executionContext) _Webhooks_pagination(ctx context.Context, field grap
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Pagination, nil
+		return obj.IsOneOf(), nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
 		return graphql.Null
 	}
 	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Pagination)
+	res := resTmp.(bool)
 	fc.Result = res
-	return ec.marshalNPagination2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPagination(ctx, field.Selections, res)
+	return ec.marshalOBoolean2bool(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Webhooks_pagination(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext___Type_isOneOf(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Webhooks",
+		Object:     "__Type",
 		Field:      field,
-		IsMethod:   false,
+		IsMethod:   true,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "limit":
-				return ec.fieldContext_Pagination_limit(ctx, field)
-			case "page":
-				return ec.fieldContext_Pagination_page(ctx, field)
-			case "offset":
-				return ec.fieldContext_Pagination_offset(ctx, field)
-			case "total":
-				return ec.fieldContext_Pagination_total(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type Pagination", field.Name)
+			return nil, errors.New("field of type Boolean does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Webhooks_webhooks(ctx context.Context, field graphql.CollectedField, obj *model.Webhooks) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Webhooks_webhooks(ctx, field)
-	if err != nil {
-		return graphql.Null
+// endregion **************************** field.gotpl *****************************
+
+// region    **************************** input.gotpl *****************************
+
+func (ec *executionContext) unmarshalInputAddEmailTemplateRequest(ctx context.Context, obj any) (model.AddEmailTemplateRequest, error) {
+	var it model.AddEmailTemplateRequest
+	asMap := map[string]any{}
+	for k, v := range obj.(map[string]any) {
+		asMap[k] = v
 	}
-	ctx = graphql.WithFieldContext(ctx, fc)
-	defer func() {
-		if r := recover(); r != nil {
-			ec.Error(ctx, ec.Recover(ctx, r))
-			ret = graphql.Null
+
+	fieldsInOrder := [...]string{"event_name", "subject", "template", "design"}
+	for _, k := range fieldsInOrder {
+		v, ok := asMap[k]
+		if !ok {
+			continue
 		}
-	}()
-	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
-		ctx = rctx // use context from middleware stack in children
-		return obj.Webhooks, nil
-	})
-	if err != nil {
-		ec.Error(ctx, err)
-		return graphql.Null
-	}
-	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
+		switch k {
+		case "event_name":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("event_name"))
+			data, err := ec.unmarshalNString2string(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.EventName = data
+		case "subject":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("subject"))
+			data, err := ec.unmarshalNString2string(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Subject = data
+		case "template":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("template"))
+			data, err := ec.unmarshalNString2string(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Template = data
+		case "design":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("design"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Design = data
 		}
-		return graphql.Null
 	}
-	res := resTmp.([]*model.Webhook)
-	fc.Result = res
-	return ec.marshalNWebhook2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐWebhookᚄ(ctx, field.Selections, res)
+
+	return it, nil
 }
 
-func (ec *executionContext) fieldContext_Webhooks_webhooks(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
-	fc = &graphql.FieldContext{
-		Object:     "Webhooks",
-		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
-		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "id":
-				return ec.fieldContext_Webhook_id(ctx, field)
-			case "event_name":
-				return ec.fieldContext_Webhook_event_name(ctx, field)
-			case "event_description":
-				return ec.fieldContext_Webhook_event_description(ctx, field)
-			case "endpoint":
-				return ec.fieldContext_Webhook_endpoint(ctx, field)
-			case "enabled":
-				return ec.fieldContext_Webhook_enabled(ctx, field)
-			case "headers":
-				return ec.fieldContext_Webhook_headers(ctx, field)
-			case "created_at":
-				return ec.fieldContext_Webhook_created_at(ctx, field)
-			case "updated_at":
-				return ec.fieldContext_Webhook_updated_at(ctx, field)
+func (ec *executionContext) unmarshalInputAddWebhookRequest(ctx context.Context, obj any) (model.AddWebhookRequest, error) {
+	var it model.AddWebhookRequest
+	asMap := map[string]any{}
+	for k, v := range obj.(map[string]any) {
+		asMap[k] = v
+	}
+
+	fieldsInOrder := [...]string{"event_name", "event_description", "endpoint", "enabled", "headers"}
+	for _, k := range fieldsInOrder {
+		v, ok := asMap[k]
+		if !ok {
+			continue
+		}
+		switch k {
+		case "event_name":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("event_name"))
+			data, err := ec.unmarshalNString2string(ctx, v)
+			if err != nil {
+				return it, err
 			}
-			return nil, fmt.Errorf("no field named %q was found under type Webhook", field.Name)
-		},
+			it.EventName = data
+		case "event_description":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("event_description"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.EventDescription = data
+		case "endpoint":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("endpoint"))
+			data, err := ec.unmarshalNString2string(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Endpoint = data
+		case "enabled":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("enabled"))
+			data, err := ec.unmarshalNBoolean2bool(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Enabled = data
+		case "headers":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("headers"))
+			data, err := ec.unmarshalOMap2map(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Headers = data
+		}
 	}
-	return fc, nil
+
+	return it, nil
 }
 
-func (ec *executionContext) ___Directive_name(ctx context.Context, field graphql.CollectedField, obj *introspection.Directive) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___Directive_name(ctx, field)
-	if err != nil {
-		return graphql.Null
+func (ec *executionContext) unmarshalInputAdminLoginRequest(ctx context.Context, obj any) (model.AdminLoginRequest, error) {
+	var it model.AdminLoginRequest
+	asMap := map[string]any{}
+	for k, v := range obj.(map[string]any) {
+		asMap[k] = v
 	}
-	ctx = graphql.WithFieldContext(ctx, fc)
-	defer func() {
-		if r := recover(); r != nil {
-			ec.Error(ctx, ec.Recover(ctx, r))
-			ret = graphql.Null
+
+	fieldsInOrder := [...]string{"admin_secret"}
+	for _, k := range fieldsInOrder {
+		v, ok := asMap[k]
+		if !ok {
+			continue
 		}
-	}()
-	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
-		ctx = rctx // use context from middleware stack in children
-		return obj.Name, nil
-	})
-	if err != nil {
-		ec.Error(ctx, err)
-		return graphql.Null
-	}
-	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
+		switch k {
+		case "admin_secret":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("admin_secret"))
+			data, err := ec.unmarshalNString2string(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.AdminSecret = data
 		}
-		return graphql.Null
 	}
-	res := resTmp.(string)
-	fc.Result = res
-	return ec.marshalNString2string(ctx, field.Selections, res)
-}
 
-func (ec *executionContext) fieldContext___Directive_name(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
-	fc = &graphql.FieldContext{
-		Object:     "__Directive",
-		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
-		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
-		},
-	}
-	return fc, nil
+	return it, nil
 }
 
-func (ec *executionContext) ___Directive_description(ctx context.Context, field graphql.CollectedField, obj *introspection.Directive) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___Directive_description(ctx, field)
-	if err != nil {
-		return graphql.Null
+func (ec *executionContext) unmarshalInputAdminSignupRequest(ctx context.Context, obj any) (model.AdminSignupRequest, error) {
+	var it model.AdminSignupRequest
+	asMap := map[string]any{}
+	for k, v := range obj.(map[string]any) {
+		asMap[k] = v
 	}
-	ctx = graphql.WithFieldContext(ctx, fc)
-	defer func() {
-		if r := recover(); r != nil {
-			ec.Error(ctx, ec.Recover(ctx, r))
-			ret = graphql.Null
+
+	fieldsInOrder := [...]string{"admin_secret"}
+	for _, k := range fieldsInOrder {
+		v, ok := asMap[k]
+		if !ok {
+			continue
+		}
+		switch k {
+		case "admin_secret":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("admin_secret"))
+			data, err := ec.unmarshalNString2string(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.AdminSecret = data
 		}
-	}()
-	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
-		ctx = rctx // use context from middleware stack in children
-		return obj.Description(), nil
-	})
-	if err != nil {
-		ec.Error(ctx, err)
-		return graphql.Null
-	}
-	if resTmp == nil {
-		return graphql.Null
 	}
-	res := resTmp.(*string)
-	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
+
+	return it, nil
 }
 
-func (ec *executionContext) fieldContext___Directive_description(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
-	fc = &graphql.FieldContext{
-		Object:     "__Directive",
-		Field:      field,
-		IsMethod:   true,
-		IsResolver: false,
-		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
-		},
+func (ec *executionContext) unmarshalInputDeleteEmailTemplateRequest(ctx context.Context, obj any) (model.DeleteEmailTemplateRequest, error) {
+	var it model.DeleteEmailTemplateRequest
+	asMap := map[string]any{}
+	for k, v := range obj.(map[string]any) {
+		asMap[k] = v
 	}
-	return fc, nil
-}
 
-func (ec *executionContext) ___Directive_isRepeatable(ctx context.Context, field graphql.CollectedField, obj *introspection.Directive) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___Directive_isRepeatable(ctx, field)
-	if err != nil {
-		return graphql.Null
-	}
-	ctx = graphql.WithFieldContext(ctx, fc)
-	defer func() {
-		if r := recover(); r != nil {
-			ec.Error(ctx, ec.Recover(ctx, r))
-			ret = graphql.Null
+	fieldsInOrder := [...]string{"id"}
+	for _, k := range fieldsInOrder {
+		v, ok := asMap[k]
+		if !ok {
+			continue
 		}
-	}()
-	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
-		ctx = rctx // use context from middleware stack in children
-		return obj.IsRepeatable, nil
-	})
-	if err != nil {
-		ec.Error(ctx, err)
-		return graphql.Null
-	}
-	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
+		switch k {
+		case "id":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("id"))
+			data, err := ec.unmarshalNID2string(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.ID = data
 		}
-		return graphql.Null
 	}
-	res := resTmp.(bool)
-	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
-}
 
-func (ec *executionContext) fieldContext___Directive_isRepeatable(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
-	fc = &graphql.FieldContext{
-		Object:     "__Directive",
-		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
-		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
-		},
-	}
-	return fc, nil
+	return it, nil
 }
 
-func (ec *executionContext) ___Directive_locations(ctx context.Context, field graphql.CollectedField, obj *introspection.Directive) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___Directive_locations(ctx, field)
-	if err != nil {
-		return graphql.Null
+func (ec *executionContext) unmarshalInputDeleteUserRequest(ctx context.Context, obj any) (model.DeleteUserRequest, error) {
+	var it model.DeleteUserRequest
+	asMap := map[string]any{}
+	for k, v := range obj.(map[string]any) {
+		asMap[k] = v
 	}
-	ctx = graphql.WithFieldContext(ctx, fc)
-	defer func() {
-		if r := recover(); r != nil {
-			ec.Error(ctx, ec.Recover(ctx, r))
-			ret = graphql.Null
+
+	fieldsInOrder := [...]string{"email"}
+	for _, k := range fieldsInOrder {
+		v, ok := asMap[k]
+		if !ok {
+			continue
 		}
-	}()
-	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
-		ctx = rctx // use context from middleware stack in children
-		return obj.Locations, nil
-	})
-	if err != nil {
-		ec.Error(ctx, err)
-		return graphql.Null
-	}
-	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
+		switch k {
+		case "email":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("email"))
+			data, err := ec.unmarshalNString2string(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Email = data
 		}
-		return graphql.Null
 	}
-	res := resTmp.([]string)
-	fc.Result = res
-	return ec.marshalN__DirectiveLocation2ᚕstringᚄ(ctx, field.Selections, res)
-}
 
-func (ec *executionContext) fieldContext___Directive_locations(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
-	fc = &graphql.FieldContext{
-		Object:     "__Directive",
-		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
-		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type __DirectiveLocation does not have child fields")
-		},
-	}
-	return fc, nil
+	return it, nil
 }
 
-func (ec *executionContext) ___Directive_args(ctx context.Context, field graphql.CollectedField, obj *introspection.Directive) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___Directive_args(ctx, field)
-	if err != nil {
-		return graphql.Null
-	}
-	ctx = graphql.WithFieldContext(ctx, fc)
-	defer func() {
-		if r := recover(); r != nil {
-			ec.Error(ctx, ec.Recover(ctx, r))
-			ret = graphql.Null
-		}
-	}()
-	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
-		ctx = rctx // use context from middleware stack in children
-		return obj.Args, nil
-	})
-	if err != nil {
-		ec.Error(ctx, err)
-		return graphql.Null
-	}
-	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
-		return graphql.Null
+func (ec *executionContext) unmarshalInputFgaBatchCheckInput(ctx context.Context, obj any) (model.FgaBatchCheckInput, error) {
+	var it model.FgaBatchCheckInput
+	asMap := map[string]any{}
+	for k, v := range obj.(map[string]any) {
+		asMap[k] = v
 	}
-	res := resTmp.([]introspection.InputValue)
-	fc.Result = res
-	return ec.marshalN__InputValue2ᚕgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐInputValueᚄ(ctx, field.Selections, res)
-}
 
-func (ec *executionContext) fieldContext___Directive_args(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
-	fc = &graphql.FieldContext{
-		Object:     "__Directive",
-		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
-		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "name":
-				return ec.fieldContext___InputValue_name(ctx, field)
-			case "description":
-				return ec.fieldContext___InputValue_description(ctx, field)
-			case "type":
-				return ec.fieldContext___InputValue_type(ctx, field)
-			case "defaultValue":
-				return ec.fieldContext___InputValue_defaultValue(ctx, field)
-			case "isDeprecated":
-				return ec.fieldContext___InputValue_isDeprecated(ctx, field)
-			case "deprecationReason":
-				return ec.fieldContext___InputValue_deprecationReason(ctx, field)
+	fieldsInOrder := [...]string{"checks"}
+	for _, k := range fieldsInOrder {
+		v, ok := asMap[k]
+		if !ok {
+			continue
+		}
+		switch k {
+		case "checks":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("checks"))
+			data, err := ec.unmarshalNFgaCheckPairInput2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaCheckPairInputᚄ(ctx, v)
+			if err != nil {
+				return it, err
 			}
-			return nil, fmt.Errorf("no field named %q was found under type __InputValue", field.Name)
-		},
-	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
+			it.Checks = data
 		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field___Directive_args_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
 	}
-	return fc, nil
+
+	return it, nil
 }
 
-func (ec *executionContext) ___EnumValue_name(ctx context.Context, field graphql.CollectedField, obj *introspection.EnumValue) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___EnumValue_name(ctx, field)
-	if err != nil {
-		return graphql.Null
+func (ec *executionContext) unmarshalInputFgaCheckInput(ctx context.Context, obj any) (model.FgaCheckInput, error) {
+	var it model.FgaCheckInput
+	asMap := map[string]any{}
+	for k, v := range obj.(map[string]any) {
+		asMap[k] = v
 	}
-	ctx = graphql.WithFieldContext(ctx, fc)
-	defer func() {
-		if r := recover(); r != nil {
-			ec.Error(ctx, ec.Recover(ctx, r))
-			ret = graphql.Null
+
+	fieldsInOrder := [...]string{"relation", "object", "contextual_tuples"}
+	for _, k := range fieldsInOrder {
+		v, ok := asMap[k]
+		if !ok {
+			continue
 		}
-	}()
-	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
-		ctx = rctx // use context from middleware stack in children
-		return obj.Name, nil
-	})
-	if err != nil {
-		ec.Error(ctx, err)
-		return graphql.Null
-	}
-	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
+		switch k {
+		case "relation":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("relation"))
+			data, err := ec.unmarshalNString2string(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Relation = data
+		case "object":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("object"))
+			data, err := ec.unmarshalNString2string(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Object = data
+		case "contextual_tuples":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("contextual_tuples"))
+			data, err := ec.unmarshalOFgaTupleInput2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaTupleInputᚄ(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.ContextualTuples = data
 		}
-		return graphql.Null
 	}
-	res := resTmp.(string)
-	fc.Result = res
-	return ec.marshalNString2string(ctx, field.Selections, res)
-}
 
-func (ec *executionContext) fieldContext___EnumValue_name(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
-	fc = &graphql.FieldContext{
-		Object:     "__EnumValue",
-		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
-		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
-		},
-	}
-	return fc, nil
+	return it, nil
 }
 
-func (ec *executionContext) ___EnumValue_description(ctx context.Context, field graphql.CollectedField, obj *introspection.EnumValue) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___EnumValue_description(ctx, field)
-	if err != nil {
-		return graphql.Null
+func (ec *executionContext) unmarshalInputFgaCheckPairInput(ctx context.Context, obj any) (model.FgaCheckPairInput, error) {
+	var it model.FgaCheckPairInput
+	asMap := map[string]any{}
+	for k, v := range obj.(map[string]any) {
+		asMap[k] = v
 	}
-	ctx = graphql.WithFieldContext(ctx, fc)
-	defer func() {
-		if r := recover(); r != nil {
-			ec.Error(ctx, ec.Recover(ctx, r))
-			ret = graphql.Null
+
+	fieldsInOrder := [...]string{"relation", "object", "contextual_tuples"}
+	for _, k := range fieldsInOrder {
+		v, ok := asMap[k]
+		if !ok {
+			continue
+		}
+		switch k {
+		case "relation":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("relation"))
+			data, err := ec.unmarshalNString2string(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Relation = data
+		case "object":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("object"))
+			data, err := ec.unmarshalNString2string(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Object = data
+		case "contextual_tuples":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("contextual_tuples"))
+			data, err := ec.unmarshalOFgaTupleInput2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaTupleInputᚄ(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.ContextualTuples = data
 		}
-	}()
-	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
-		ctx = rctx // use context from middleware stack in children
-		return obj.Description(), nil
-	})
-	if err != nil {
-		ec.Error(ctx, err)
-		return graphql.Null
-	}
-	if resTmp == nil {
-		return graphql.Null
 	}
-	res := resTmp.(*string)
-	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
-}
 
-func (ec *executionContext) fieldContext___EnumValue_description(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
-	fc = &graphql.FieldContext{
-		Object:     "__EnumValue",
-		Field:      field,
-		IsMethod:   true,
-		IsResolver: false,
-		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
-		},
-	}
-	return fc, nil
+	return it, nil
 }
 
-func (ec *executionContext) ___EnumValue_isDeprecated(ctx context.Context, field graphql.CollectedField, obj *introspection.EnumValue) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___EnumValue_isDeprecated(ctx, field)
-	if err != nil {
-		return graphql.Null
+func (ec *executionContext) unmarshalInputFgaListObjectsInput(ctx context.Context, obj any) (model.FgaListObjectsInput, error) {
+	var it model.FgaListObjectsInput
+	asMap := map[string]any{}
+	for k, v := range obj.(map[string]any) {
+		asMap[k] = v
 	}
-	ctx = graphql.WithFieldContext(ctx, fc)
-	defer func() {
-		if r := recover(); r != nil {
-			ec.Error(ctx, ec.Recover(ctx, r))
-			ret = graphql.Null
+
+	fieldsInOrder := [...]string{"relation", "object_type"}
+	for _, k := range fieldsInOrder {
+		v, ok := asMap[k]
+		if !ok {
+			continue
 		}
-	}()
-	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
-		ctx = rctx // use context from middleware stack in children
-		return obj.IsDeprecated(), nil
-	})
-	if err != nil {
-		ec.Error(ctx, err)
-		return graphql.Null
-	}
-	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
+		switch k {
+		case "relation":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("relation"))
+			data, err := ec.unmarshalNString2string(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Relation = data
+		case "object_type":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("object_type"))
+			data, err := ec.unmarshalNString2string(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.ObjectType = data
 		}
-		return graphql.Null
 	}
-	res := resTmp.(bool)
-	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
-}
 
-func (ec *executionContext) fieldContext___EnumValue_isDeprecated(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
-	fc = &graphql.FieldContext{
-		Object:     "__EnumValue",
-		Field:      field,
-		IsMethod:   true,
-		IsResolver: false,
-		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
-		},
-	}
-	return fc, nil
+	return it, nil
 }
 
-func (ec *executionContext) ___EnumValue_deprecationReason(ctx context.Context, field graphql.CollectedField, obj *introspection.EnumValue) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___EnumValue_deprecationReason(ctx, field)
-	if err != nil {
-		return graphql.Null
+func (ec *executionContext) unmarshalInputFgaReadTuplesInput(ctx context.Context, obj any) (model.FgaReadTuplesInput, error) {
+	var it model.FgaReadTuplesInput
+	asMap := map[string]any{}
+	for k, v := range obj.(map[string]any) {
+		asMap[k] = v
 	}
-	ctx = graphql.WithFieldContext(ctx, fc)
-	defer func() {
-		if r := recover(); r != nil {
-			ec.Error(ctx, ec.Recover(ctx, r))
-			ret = graphql.Null
+
+	fieldsInOrder := [...]string{"user", "relation", "object", "page_size", "continuation_token"}
+	for _, k := range fieldsInOrder {
+		v, ok := asMap[k]
+		if !ok {
+			continue
+		}
+		switch k {
+		case "user":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("user"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.User = data
+		case "relation":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("relation"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Relation = data
+		case "object":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("object"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Object = data
+		case "page_size":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("page_size"))
+			data, err := ec.unmarshalOInt642ᚖint64(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.PageSize = data
+		case "continuation_token":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("continuation_token"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.ContinuationToken = data
 		}
-	}()
-	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
-		ctx = rctx // use context from middleware stack in children
-		return obj.DeprecationReason(), nil
-	})
-	if err != nil {
-		ec.Error(ctx, err)
-		return graphql.Null
-	}
-	if resTmp == nil {
-		return graphql.Null
 	}
-	res := resTmp.(*string)
-	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
-}
 
-func (ec *executionContext) fieldContext___EnumValue_deprecationReason(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
-	fc = &graphql.FieldContext{
-		Object:     "__EnumValue",
-		Field:      field,
-		IsMethod:   true,
-		IsResolver: false,
-		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
-		},
-	}
-	return fc, nil
+	return it, nil
 }
 
-func (ec *executionContext) ___Field_name(ctx context.Context, field graphql.CollectedField, obj *introspection.Field) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___Field_name(ctx, field)
-	if err != nil {
-		return graphql.Null
+func (ec *executionContext) unmarshalInputFgaRelationInput(ctx context.Context, obj any) (model.FgaRelationInput, error) {
+	var it model.FgaRelationInput
+	asMap := map[string]any{}
+	for k, v := range obj.(map[string]any) {
+		asMap[k] = v
 	}
-	ctx = graphql.WithFieldContext(ctx, fc)
-	defer func() {
-		if r := recover(); r != nil {
-			ec.Error(ctx, ec.Recover(ctx, r))
-			ret = graphql.Null
+
+	fieldsInOrder := [...]string{"relation", "object"}
+	for _, k := range fieldsInOrder {
+		v, ok := asMap[k]
+		if !ok {
+			continue
 		}
-	}()
-	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
-		ctx = rctx // use context from middleware stack in children
-		return obj.Name, nil
-	})
-	if err != nil {
-		ec.Error(ctx, err)
-		return graphql.Null
-	}
-	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
+		switch k {
+		case "relation":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("relation"))
+			data, err := ec.unmarshalNString2string(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Relation = data
+		case "object":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("object"))
+			data, err := ec.unmarshalNString2string(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Object = data
 		}
-		return graphql.Null
 	}
-	res := resTmp.(string)
-	fc.Result = res
-	return ec.marshalNString2string(ctx, field.Selections, res)
-}
 
-func (ec *executionContext) fieldContext___Field_name(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
-	fc = &graphql.FieldContext{
-		Object:     "__Field",
-		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
-		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
-		},
-	}
-	return fc, nil
+	return it, nil
 }
 
-func (ec *executionContext) ___Field_description(ctx context.Context, field graphql.CollectedField, obj *introspection.Field) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___Field_description(ctx, field)
-	if err != nil {
-		return graphql.Null
+func (ec *executionContext) unmarshalInputFgaTupleInput(ctx context.Context, obj any) (model.FgaTupleInput, error) {
+	var it model.FgaTupleInput
+	asMap := map[string]any{}
+	for k, v := range obj.(map[string]any) {
+		asMap[k] = v
 	}
-	ctx = graphql.WithFieldContext(ctx, fc)
-	defer func() {
-		if r := recover(); r != nil {
-			ec.Error(ctx, ec.Recover(ctx, r))
-			ret = graphql.Null
-		}
-	}()
-	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
-		ctx = rctx // use context from middleware stack in children
-		return obj.Description(), nil
-	})
-	if err != nil {
-		ec.Error(ctx, err)
-		return graphql.Null
-	}
-	if resTmp == nil {
-		return graphql.Null
-	}
-	res := resTmp.(*string)
-	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
-}
-
-func (ec *executionContext) fieldContext___Field_description(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
-	fc = &graphql.FieldContext{
-		Object:     "__Field",
-		Field:      field,
-		IsMethod:   true,
-		IsResolver: false,
-		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
-		},
-	}
-	return fc, nil
-}
-
-func (ec *executionContext) ___Field_args(ctx context.Context, field graphql.CollectedField, obj *introspection.Field) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___Field_args(ctx, field)
-	if err != nil {
-		return graphql.Null
-	}
-	ctx = graphql.WithFieldContext(ctx, fc)
-	defer func() {
-		if r := recover(); r != nil {
-			ec.Error(ctx, ec.Recover(ctx, r))
-			ret = graphql.Null
-		}
-	}()
-	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
-		ctx = rctx // use context from middleware stack in children
-		return obj.Args, nil
-	})
-	if err != nil {
-		ec.Error(ctx, err)
-		return graphql.Null
-	}
-	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
-		return graphql.Null
-	}
-	res := resTmp.([]introspection.InputValue)
-	fc.Result = res
-	return ec.marshalN__InputValue2ᚕgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐInputValueᚄ(ctx, field.Selections, res)
-}
-
-func (ec *executionContext) fieldContext___Field_args(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
-	fc = &graphql.FieldContext{
-		Object:     "__Field",
-		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
-		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "name":
-				return ec.fieldContext___InputValue_name(ctx, field)
-			case "description":
-				return ec.fieldContext___InputValue_description(ctx, field)
-			case "type":
-				return ec.fieldContext___InputValue_type(ctx, field)
-			case "defaultValue":
-				return ec.fieldContext___InputValue_defaultValue(ctx, field)
-			case "isDeprecated":
-				return ec.fieldContext___InputValue_isDeprecated(ctx, field)
-			case "deprecationReason":
-				return ec.fieldContext___InputValue_deprecationReason(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type __InputValue", field.Name)
-		},
-	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field___Field_args_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
-	return fc, nil
-}
-
-func (ec *executionContext) ___Field_type(ctx context.Context, field graphql.CollectedField, obj *introspection.Field) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___Field_type(ctx, field)
-	if err != nil {
-		return graphql.Null
-	}
-	ctx = graphql.WithFieldContext(ctx, fc)
-	defer func() {
-		if r := recover(); r != nil {
-			ec.Error(ctx, ec.Recover(ctx, r))
-			ret = graphql.Null
-		}
-	}()
-	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
-		ctx = rctx // use context from middleware stack in children
-		return obj.Type, nil
-	})
-	if err != nil {
-		ec.Error(ctx, err)
-		return graphql.Null
-	}
-	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
-		return graphql.Null
-	}
-	res := resTmp.(*introspection.Type)
-	fc.Result = res
-	return ec.marshalN__Type2ᚖgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐType(ctx, field.Selections, res)
-}
-
-func (ec *executionContext) fieldContext___Field_type(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
-	fc = &graphql.FieldContext{
-		Object:     "__Field",
-		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
-		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "kind":
-				return ec.fieldContext___Type_kind(ctx, field)
-			case "name":
-				return ec.fieldContext___Type_name(ctx, field)
-			case "description":
-				return ec.fieldContext___Type_description(ctx, field)
-			case "specifiedByURL":
-				return ec.fieldContext___Type_specifiedByURL(ctx, field)
-			case "fields":
-				return ec.fieldContext___Type_fields(ctx, field)
-			case "interfaces":
-				return ec.fieldContext___Type_interfaces(ctx, field)
-			case "possibleTypes":
-				return ec.fieldContext___Type_possibleTypes(ctx, field)
-			case "enumValues":
-				return ec.fieldContext___Type_enumValues(ctx, field)
-			case "inputFields":
-				return ec.fieldContext___Type_inputFields(ctx, field)
-			case "ofType":
-				return ec.fieldContext___Type_ofType(ctx, field)
-			case "isOneOf":
-				return ec.fieldContext___Type_isOneOf(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type __Type", field.Name)
-		},
-	}
-	return fc, nil
-}
-
-func (ec *executionContext) ___Field_isDeprecated(ctx context.Context, field graphql.CollectedField, obj *introspection.Field) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___Field_isDeprecated(ctx, field)
-	if err != nil {
-		return graphql.Null
-	}
-	ctx = graphql.WithFieldContext(ctx, fc)
-	defer func() {
-		if r := recover(); r != nil {
-			ec.Error(ctx, ec.Recover(ctx, r))
-			ret = graphql.Null
-		}
-	}()
-	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
-		ctx = rctx // use context from middleware stack in children
-		return obj.IsDeprecated(), nil
-	})
-	if err != nil {
-		ec.Error(ctx, err)
-		return graphql.Null
-	}
-	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
-		return graphql.Null
-	}
-	res := resTmp.(bool)
-	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
-}
-
-func (ec *executionContext) fieldContext___Field_isDeprecated(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
-	fc = &graphql.FieldContext{
-		Object:     "__Field",
-		Field:      field,
-		IsMethod:   true,
-		IsResolver: false,
-		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
-		},
-	}
-	return fc, nil
-}
-
-func (ec *executionContext) ___Field_deprecationReason(ctx context.Context, field graphql.CollectedField, obj *introspection.Field) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___Field_deprecationReason(ctx, field)
-	if err != nil {
-		return graphql.Null
-	}
-	ctx = graphql.WithFieldContext(ctx, fc)
-	defer func() {
-		if r := recover(); r != nil {
-			ec.Error(ctx, ec.Recover(ctx, r))
-			ret = graphql.Null
-		}
-	}()
-	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
-		ctx = rctx // use context from middleware stack in children
-		return obj.DeprecationReason(), nil
-	})
-	if err != nil {
-		ec.Error(ctx, err)
-		return graphql.Null
-	}
-	if resTmp == nil {
-		return graphql.Null
-	}
-	res := resTmp.(*string)
-	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
-}
-
-func (ec *executionContext) fieldContext___Field_deprecationReason(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
-	fc = &graphql.FieldContext{
-		Object:     "__Field",
-		Field:      field,
-		IsMethod:   true,
-		IsResolver: false,
-		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
-		},
-	}
-	return fc, nil
-}
-
-func (ec *executionContext) ___InputValue_name(ctx context.Context, field graphql.CollectedField, obj *introspection.InputValue) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___InputValue_name(ctx, field)
-	if err != nil {
-		return graphql.Null
-	}
-	ctx = graphql.WithFieldContext(ctx, fc)
-	defer func() {
-		if r := recover(); r != nil {
-			ec.Error(ctx, ec.Recover(ctx, r))
-			ret = graphql.Null
-		}
-	}()
-	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
-		ctx = rctx // use context from middleware stack in children
-		return obj.Name, nil
-	})
-	if err != nil {
-		ec.Error(ctx, err)
-		return graphql.Null
-	}
-	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
-		return graphql.Null
-	}
-	res := resTmp.(string)
-	fc.Result = res
-	return ec.marshalNString2string(ctx, field.Selections, res)
-}
-
-func (ec *executionContext) fieldContext___InputValue_name(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
-	fc = &graphql.FieldContext{
-		Object:     "__InputValue",
-		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
-		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
-		},
-	}
-	return fc, nil
-}
-
-func (ec *executionContext) ___InputValue_description(ctx context.Context, field graphql.CollectedField, obj *introspection.InputValue) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___InputValue_description(ctx, field)
-	if err != nil {
-		return graphql.Null
-	}
-	ctx = graphql.WithFieldContext(ctx, fc)
-	defer func() {
-		if r := recover(); r != nil {
-			ec.Error(ctx, ec.Recover(ctx, r))
-			ret = graphql.Null
-		}
-	}()
-	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
-		ctx = rctx // use context from middleware stack in children
-		return obj.Description(), nil
-	})
-	if err != nil {
-		ec.Error(ctx, err)
-		return graphql.Null
-	}
-	if resTmp == nil {
-		return graphql.Null
-	}
-	res := resTmp.(*string)
-	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
-}
-
-func (ec *executionContext) fieldContext___InputValue_description(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
-	fc = &graphql.FieldContext{
-		Object:     "__InputValue",
-		Field:      field,
-		IsMethod:   true,
-		IsResolver: false,
-		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
-		},
-	}
-	return fc, nil
-}
-
-func (ec *executionContext) ___InputValue_type(ctx context.Context, field graphql.CollectedField, obj *introspection.InputValue) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___InputValue_type(ctx, field)
-	if err != nil {
-		return graphql.Null
-	}
-	ctx = graphql.WithFieldContext(ctx, fc)
-	defer func() {
-		if r := recover(); r != nil {
-			ec.Error(ctx, ec.Recover(ctx, r))
-			ret = graphql.Null
-		}
-	}()
-	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
-		ctx = rctx // use context from middleware stack in children
-		return obj.Type, nil
-	})
-	if err != nil {
-		ec.Error(ctx, err)
-		return graphql.Null
-	}
-	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
-		return graphql.Null
-	}
-	res := resTmp.(*introspection.Type)
-	fc.Result = res
-	return ec.marshalN__Type2ᚖgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐType(ctx, field.Selections, res)
-}
-
-func (ec *executionContext) fieldContext___InputValue_type(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
-	fc = &graphql.FieldContext{
-		Object:     "__InputValue",
-		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
-		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "kind":
-				return ec.fieldContext___Type_kind(ctx, field)
-			case "name":
-				return ec.fieldContext___Type_name(ctx, field)
-			case "description":
-				return ec.fieldContext___Type_description(ctx, field)
-			case "specifiedByURL":
-				return ec.fieldContext___Type_specifiedByURL(ctx, field)
-			case "fields":
-				return ec.fieldContext___Type_fields(ctx, field)
-			case "interfaces":
-				return ec.fieldContext___Type_interfaces(ctx, field)
-			case "possibleTypes":
-				return ec.fieldContext___Type_possibleTypes(ctx, field)
-			case "enumValues":
-				return ec.fieldContext___Type_enumValues(ctx, field)
-			case "inputFields":
-				return ec.fieldContext___Type_inputFields(ctx, field)
-			case "ofType":
-				return ec.fieldContext___Type_ofType(ctx, field)
-			case "isOneOf":
-				return ec.fieldContext___Type_isOneOf(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type __Type", field.Name)
-		},
-	}
-	return fc, nil
-}
-
-func (ec *executionContext) ___InputValue_defaultValue(ctx context.Context, field graphql.CollectedField, obj *introspection.InputValue) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___InputValue_defaultValue(ctx, field)
-	if err != nil {
-		return graphql.Null
-	}
-	ctx = graphql.WithFieldContext(ctx, fc)
-	defer func() {
-		if r := recover(); r != nil {
-			ec.Error(ctx, ec.Recover(ctx, r))
-			ret = graphql.Null
-		}
-	}()
-	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
-		ctx = rctx // use context from middleware stack in children
-		return obj.DefaultValue, nil
-	})
-	if err != nil {
-		ec.Error(ctx, err)
-		return graphql.Null
-	}
-	if resTmp == nil {
-		return graphql.Null
-	}
-	res := resTmp.(*string)
-	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
-}
-
-func (ec *executionContext) fieldContext___InputValue_defaultValue(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
-	fc = &graphql.FieldContext{
-		Object:     "__InputValue",
-		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
-		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
-		},
-	}
-	return fc, nil
-}
-
-func (ec *executionContext) ___InputValue_isDeprecated(ctx context.Context, field graphql.CollectedField, obj *introspection.InputValue) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___InputValue_isDeprecated(ctx, field)
-	if err != nil {
-		return graphql.Null
-	}
-	ctx = graphql.WithFieldContext(ctx, fc)
-	defer func() {
-		if r := recover(); r != nil {
-			ec.Error(ctx, ec.Recover(ctx, r))
-			ret = graphql.Null
-		}
-	}()
-	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
-		ctx = rctx // use context from middleware stack in children
-		return obj.IsDeprecated(), nil
-	})
-	if err != nil {
-		ec.Error(ctx, err)
-		return graphql.Null
-	}
-	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
-		return graphql.Null
-	}
-	res := resTmp.(bool)
-	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
-}
-
-func (ec *executionContext) fieldContext___InputValue_isDeprecated(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
-	fc = &graphql.FieldContext{
-		Object:     "__InputValue",
-		Field:      field,
-		IsMethod:   true,
-		IsResolver: false,
-		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
-		},
-	}
-	return fc, nil
-}
-
-func (ec *executionContext) ___InputValue_deprecationReason(ctx context.Context, field graphql.CollectedField, obj *introspection.InputValue) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___InputValue_deprecationReason(ctx, field)
-	if err != nil {
-		return graphql.Null
-	}
-	ctx = graphql.WithFieldContext(ctx, fc)
-	defer func() {
-		if r := recover(); r != nil {
-			ec.Error(ctx, ec.Recover(ctx, r))
-			ret = graphql.Null
-		}
-	}()
-	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
-		ctx = rctx // use context from middleware stack in children
-		return obj.DeprecationReason(), nil
-	})
-	if err != nil {
-		ec.Error(ctx, err)
-		return graphql.Null
-	}
-	if resTmp == nil {
-		return graphql.Null
-	}
-	res := resTmp.(*string)
-	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
-}
-
-func (ec *executionContext) fieldContext___InputValue_deprecationReason(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
-	fc = &graphql.FieldContext{
-		Object:     "__InputValue",
-		Field:      field,
-		IsMethod:   true,
-		IsResolver: false,
-		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
-		},
-	}
-	return fc, nil
-}
-
-func (ec *executionContext) ___Schema_description(ctx context.Context, field graphql.CollectedField, obj *introspection.Schema) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___Schema_description(ctx, field)
-	if err != nil {
-		return graphql.Null
-	}
-	ctx = graphql.WithFieldContext(ctx, fc)
-	defer func() {
-		if r := recover(); r != nil {
-			ec.Error(ctx, ec.Recover(ctx, r))
-			ret = graphql.Null
-		}
-	}()
-	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
-		ctx = rctx // use context from middleware stack in children
-		return obj.Description(), nil
-	})
-	if err != nil {
-		ec.Error(ctx, err)
-		return graphql.Null
-	}
-	if resTmp == nil {
-		return graphql.Null
-	}
-	res := resTmp.(*string)
-	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
-}
-
-func (ec *executionContext) fieldContext___Schema_description(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
-	fc = &graphql.FieldContext{
-		Object:     "__Schema",
-		Field:      field,
-		IsMethod:   true,
-		IsResolver: false,
-		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
-		},
-	}
-	return fc, nil
-}
-
-func (ec *executionContext) ___Schema_types(ctx context.Context, field graphql.CollectedField, obj *introspection.Schema) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___Schema_types(ctx, field)
-	if err != nil {
-		return graphql.Null
-	}
-	ctx = graphql.WithFieldContext(ctx, fc)
-	defer func() {
-		if r := recover(); r != nil {
-			ec.Error(ctx, ec.Recover(ctx, r))
-			ret = graphql.Null
-		}
-	}()
-	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
-		ctx = rctx // use context from middleware stack in children
-		return obj.Types(), nil
-	})
-	if err != nil {
-		ec.Error(ctx, err)
-		return graphql.Null
-	}
-	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
-		return graphql.Null
-	}
-	res := resTmp.([]introspection.Type)
-	fc.Result = res
-	return ec.marshalN__Type2ᚕgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐTypeᚄ(ctx, field.Selections, res)
-}
-
-func (ec *executionContext) fieldContext___Schema_types(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
-	fc = &graphql.FieldContext{
-		Object:     "__Schema",
-		Field:      field,
-		IsMethod:   true,
-		IsResolver: false,
-		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "kind":
-				return ec.fieldContext___Type_kind(ctx, field)
-			case "name":
-				return ec.fieldContext___Type_name(ctx, field)
-			case "description":
-				return ec.fieldContext___Type_description(ctx, field)
-			case "specifiedByURL":
-				return ec.fieldContext___Type_specifiedByURL(ctx, field)
-			case "fields":
-				return ec.fieldContext___Type_fields(ctx, field)
-			case "interfaces":
-				return ec.fieldContext___Type_interfaces(ctx, field)
-			case "possibleTypes":
-				return ec.fieldContext___Type_possibleTypes(ctx, field)
-			case "enumValues":
-				return ec.fieldContext___Type_enumValues(ctx, field)
-			case "inputFields":
-				return ec.fieldContext___Type_inputFields(ctx, field)
-			case "ofType":
-				return ec.fieldContext___Type_ofType(ctx, field)
-			case "isOneOf":
-				return ec.fieldContext___Type_isOneOf(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type __Type", field.Name)
-		},
-	}
-	return fc, nil
-}
-
-func (ec *executionContext) ___Schema_queryType(ctx context.Context, field graphql.CollectedField, obj *introspection.Schema) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___Schema_queryType(ctx, field)
-	if err != nil {
-		return graphql.Null
-	}
-	ctx = graphql.WithFieldContext(ctx, fc)
-	defer func() {
-		if r := recover(); r != nil {
-			ec.Error(ctx, ec.Recover(ctx, r))
-			ret = graphql.Null
-		}
-	}()
-	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
-		ctx = rctx // use context from middleware stack in children
-		return obj.QueryType(), nil
-	})
-	if err != nil {
-		ec.Error(ctx, err)
-		return graphql.Null
-	}
-	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
-		return graphql.Null
-	}
-	res := resTmp.(*introspection.Type)
-	fc.Result = res
-	return ec.marshalN__Type2ᚖgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐType(ctx, field.Selections, res)
-}
-
-func (ec *executionContext) fieldContext___Schema_queryType(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
-	fc = &graphql.FieldContext{
-		Object:     "__Schema",
-		Field:      field,
-		IsMethod:   true,
-		IsResolver: false,
-		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "kind":
-				return ec.fieldContext___Type_kind(ctx, field)
-			case "name":
-				return ec.fieldContext___Type_name(ctx, field)
-			case "description":
-				return ec.fieldContext___Type_description(ctx, field)
-			case "specifiedByURL":
-				return ec.fieldContext___Type_specifiedByURL(ctx, field)
-			case "fields":
-				return ec.fieldContext___Type_fields(ctx, field)
-			case "interfaces":
-				return ec.fieldContext___Type_interfaces(ctx, field)
-			case "possibleTypes":
-				return ec.fieldContext___Type_possibleTypes(ctx, field)
-			case "enumValues":
-				return ec.fieldContext___Type_enumValues(ctx, field)
-			case "inputFields":
-				return ec.fieldContext___Type_inputFields(ctx, field)
-			case "ofType":
-				return ec.fieldContext___Type_ofType(ctx, field)
-			case "isOneOf":
-				return ec.fieldContext___Type_isOneOf(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type __Type", field.Name)
-		},
-	}
-	return fc, nil
-}
-
-func (ec *executionContext) ___Schema_mutationType(ctx context.Context, field graphql.CollectedField, obj *introspection.Schema) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___Schema_mutationType(ctx, field)
-	if err != nil {
-		return graphql.Null
-	}
-	ctx = graphql.WithFieldContext(ctx, fc)
-	defer func() {
-		if r := recover(); r != nil {
-			ec.Error(ctx, ec.Recover(ctx, r))
-			ret = graphql.Null
-		}
-	}()
-	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
-		ctx = rctx // use context from middleware stack in children
-		return obj.MutationType(), nil
-	})
-	if err != nil {
-		ec.Error(ctx, err)
-		return graphql.Null
-	}
-	if resTmp == nil {
-		return graphql.Null
-	}
-	res := resTmp.(*introspection.Type)
-	fc.Result = res
-	return ec.marshalO__Type2ᚖgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐType(ctx, field.Selections, res)
-}
-
-func (ec *executionContext) fieldContext___Schema_mutationType(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
-	fc = &graphql.FieldContext{
-		Object:     "__Schema",
-		Field:      field,
-		IsMethod:   true,
-		IsResolver: false,
-		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "kind":
-				return ec.fieldContext___Type_kind(ctx, field)
-			case "name":
-				return ec.fieldContext___Type_name(ctx, field)
-			case "description":
-				return ec.fieldContext___Type_description(ctx, field)
-			case "specifiedByURL":
-				return ec.fieldContext___Type_specifiedByURL(ctx, field)
-			case "fields":
-				return ec.fieldContext___Type_fields(ctx, field)
-			case "interfaces":
-				return ec.fieldContext___Type_interfaces(ctx, field)
-			case "possibleTypes":
-				return ec.fieldContext___Type_possibleTypes(ctx, field)
-			case "enumValues":
-				return ec.fieldContext___Type_enumValues(ctx, field)
-			case "inputFields":
-				return ec.fieldContext___Type_inputFields(ctx, field)
-			case "ofType":
-				return ec.fieldContext___Type_ofType(ctx, field)
-			case "isOneOf":
-				return ec.fieldContext___Type_isOneOf(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type __Type", field.Name)
-		},
-	}
-	return fc, nil
-}
-
-func (ec *executionContext) ___Schema_subscriptionType(ctx context.Context, field graphql.CollectedField, obj *introspection.Schema) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___Schema_subscriptionType(ctx, field)
-	if err != nil {
-		return graphql.Null
-	}
-	ctx = graphql.WithFieldContext(ctx, fc)
-	defer func() {
-		if r := recover(); r != nil {
-			ec.Error(ctx, ec.Recover(ctx, r))
-			ret = graphql.Null
-		}
-	}()
-	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
-		ctx = rctx // use context from middleware stack in children
-		return obj.SubscriptionType(), nil
-	})
-	if err != nil {
-		ec.Error(ctx, err)
-		return graphql.Null
-	}
-	if resTmp == nil {
-		return graphql.Null
-	}
-	res := resTmp.(*introspection.Type)
-	fc.Result = res
-	return ec.marshalO__Type2ᚖgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐType(ctx, field.Selections, res)
-}
-
-func (ec *executionContext) fieldContext___Schema_subscriptionType(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
-	fc = &graphql.FieldContext{
-		Object:     "__Schema",
-		Field:      field,
-		IsMethod:   true,
-		IsResolver: false,
-		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "kind":
-				return ec.fieldContext___Type_kind(ctx, field)
-			case "name":
-				return ec.fieldContext___Type_name(ctx, field)
-			case "description":
-				return ec.fieldContext___Type_description(ctx, field)
-			case "specifiedByURL":
-				return ec.fieldContext___Type_specifiedByURL(ctx, field)
-			case "fields":
-				return ec.fieldContext___Type_fields(ctx, field)
-			case "interfaces":
-				return ec.fieldContext___Type_interfaces(ctx, field)
-			case "possibleTypes":
-				return ec.fieldContext___Type_possibleTypes(ctx, field)
-			case "enumValues":
-				return ec.fieldContext___Type_enumValues(ctx, field)
-			case "inputFields":
-				return ec.fieldContext___Type_inputFields(ctx, field)
-			case "ofType":
-				return ec.fieldContext___Type_ofType(ctx, field)
-			case "isOneOf":
-				return ec.fieldContext___Type_isOneOf(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type __Type", field.Name)
-		},
-	}
-	return fc, nil
-}
-
-func (ec *executionContext) ___Schema_directives(ctx context.Context, field graphql.CollectedField, obj *introspection.Schema) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___Schema_directives(ctx, field)
-	if err != nil {
-		return graphql.Null
-	}
-	ctx = graphql.WithFieldContext(ctx, fc)
-	defer func() {
-		if r := recover(); r != nil {
-			ec.Error(ctx, ec.Recover(ctx, r))
-			ret = graphql.Null
-		}
-	}()
-	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
-		ctx = rctx // use context from middleware stack in children
-		return obj.Directives(), nil
-	})
-	if err != nil {
-		ec.Error(ctx, err)
-		return graphql.Null
-	}
-	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
-		return graphql.Null
-	}
-	res := resTmp.([]introspection.Directive)
-	fc.Result = res
-	return ec.marshalN__Directive2ᚕgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐDirectiveᚄ(ctx, field.Selections, res)
-}
-
-func (ec *executionContext) fieldContext___Schema_directives(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
-	fc = &graphql.FieldContext{
-		Object:     "__Schema",
-		Field:      field,
-		IsMethod:   true,
-		IsResolver: false,
-		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "name":
-				return ec.fieldContext___Directive_name(ctx, field)
-			case "description":
-				return ec.fieldContext___Directive_description(ctx, field)
-			case "isRepeatable":
-				return ec.fieldContext___Directive_isRepeatable(ctx, field)
-			case "locations":
-				return ec.fieldContext___Directive_locations(ctx, field)
-			case "args":
-				return ec.fieldContext___Directive_args(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type __Directive", field.Name)
-		},
-	}
-	return fc, nil
-}
-
-func (ec *executionContext) ___Type_kind(ctx context.Context, field graphql.CollectedField, obj *introspection.Type) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___Type_kind(ctx, field)
-	if err != nil {
-		return graphql.Null
-	}
-	ctx = graphql.WithFieldContext(ctx, fc)
-	defer func() {
-		if r := recover(); r != nil {
-			ec.Error(ctx, ec.Recover(ctx, r))
-			ret = graphql.Null
-		}
-	}()
-	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
-		ctx = rctx // use context from middleware stack in children
-		return obj.Kind(), nil
-	})
-	if err != nil {
-		ec.Error(ctx, err)
-		return graphql.Null
-	}
-	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
-		return graphql.Null
-	}
-	res := resTmp.(string)
-	fc.Result = res
-	return ec.marshalN__TypeKind2string(ctx, field.Selections, res)
-}
-
-func (ec *executionContext) fieldContext___Type_kind(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
-	fc = &graphql.FieldContext{
-		Object:     "__Type",
-		Field:      field,
-		IsMethod:   true,
-		IsResolver: false,
-		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type __TypeKind does not have child fields")
-		},
-	}
-	return fc, nil
-}
-
-func (ec *executionContext) ___Type_name(ctx context.Context, field graphql.CollectedField, obj *introspection.Type) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___Type_name(ctx, field)
-	if err != nil {
-		return graphql.Null
-	}
-	ctx = graphql.WithFieldContext(ctx, fc)
-	defer func() {
-		if r := recover(); r != nil {
-			ec.Error(ctx, ec.Recover(ctx, r))
-			ret = graphql.Null
-		}
-	}()
-	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
-		ctx = rctx // use context from middleware stack in children
-		return obj.Name(), nil
-	})
-	if err != nil {
-		ec.Error(ctx, err)
-		return graphql.Null
-	}
-	if resTmp == nil {
-		return graphql.Null
-	}
-	res := resTmp.(*string)
-	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
-}
-
-func (ec *executionContext) fieldContext___Type_name(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
-	fc = &graphql.FieldContext{
-		Object:     "__Type",
-		Field:      field,
-		IsMethod:   true,
-		IsResolver: false,
-		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
-		},
-	}
-	return fc, nil
-}
-
-func (ec *executionContext) ___Type_description(ctx context.Context, field graphql.CollectedField, obj *introspection.Type) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___Type_description(ctx, field)
-	if err != nil {
-		return graphql.Null
-	}
-	ctx = graphql.WithFieldContext(ctx, fc)
-	defer func() {
-		if r := recover(); r != nil {
-			ec.Error(ctx, ec.Recover(ctx, r))
-			ret = graphql.Null
-		}
-	}()
-	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
-		ctx = rctx // use context from middleware stack in children
-		return obj.Description(), nil
-	})
-	if err != nil {
-		ec.Error(ctx, err)
-		return graphql.Null
-	}
-	if resTmp == nil {
-		return graphql.Null
-	}
-	res := resTmp.(*string)
-	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
-}
-
-func (ec *executionContext) fieldContext___Type_description(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
-	fc = &graphql.FieldContext{
-		Object:     "__Type",
-		Field:      field,
-		IsMethod:   true,
-		IsResolver: false,
-		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
-		},
-	}
-	return fc, nil
-}
-
-func (ec *executionContext) ___Type_specifiedByURL(ctx context.Context, field graphql.CollectedField, obj *introspection.Type) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___Type_specifiedByURL(ctx, field)
-	if err != nil {
-		return graphql.Null
-	}
-	ctx = graphql.WithFieldContext(ctx, fc)
-	defer func() {
-		if r := recover(); r != nil {
-			ec.Error(ctx, ec.Recover(ctx, r))
-			ret = graphql.Null
-		}
-	}()
-	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
-		ctx = rctx // use context from middleware stack in children
-		return obj.SpecifiedByURL(), nil
-	})
-	if err != nil {
-		ec.Error(ctx, err)
-		return graphql.Null
-	}
-	if resTmp == nil {
-		return graphql.Null
-	}
-	res := resTmp.(*string)
-	fc.Result = res
-	return ec.marshalOString2ᚖstring(ctx, field.Selections, res)
-}
-
-func (ec *executionContext) fieldContext___Type_specifiedByURL(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
-	fc = &graphql.FieldContext{
-		Object:     "__Type",
-		Field:      field,
-		IsMethod:   true,
-		IsResolver: false,
-		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
-		},
-	}
-	return fc, nil
-}
-
-func (ec *executionContext) ___Type_fields(ctx context.Context, field graphql.CollectedField, obj *introspection.Type) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___Type_fields(ctx, field)
-	if err != nil {
-		return graphql.Null
-	}
-	ctx = graphql.WithFieldContext(ctx, fc)
-	defer func() {
-		if r := recover(); r != nil {
-			ec.Error(ctx, ec.Recover(ctx, r))
-			ret = graphql.Null
-		}
-	}()
-	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
-		ctx = rctx // use context from middleware stack in children
-		return obj.Fields(fc.Args["includeDeprecated"].(bool)), nil
-	})
-	if err != nil {
-		ec.Error(ctx, err)
-		return graphql.Null
-	}
-	if resTmp == nil {
-		return graphql.Null
-	}
-	res := resTmp.([]introspection.Field)
-	fc.Result = res
-	return ec.marshalO__Field2ᚕgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐFieldᚄ(ctx, field.Selections, res)
-}
-
-func (ec *executionContext) fieldContext___Type_fields(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
-	fc = &graphql.FieldContext{
-		Object:     "__Type",
-		Field:      field,
-		IsMethod:   true,
-		IsResolver: false,
-		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "name":
-				return ec.fieldContext___Field_name(ctx, field)
-			case "description":
-				return ec.fieldContext___Field_description(ctx, field)
-			case "args":
-				return ec.fieldContext___Field_args(ctx, field)
-			case "type":
-				return ec.fieldContext___Field_type(ctx, field)
-			case "isDeprecated":
-				return ec.fieldContext___Field_isDeprecated(ctx, field)
-			case "deprecationReason":
-				return ec.fieldContext___Field_deprecationReason(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type __Field", field.Name)
-		},
-	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field___Type_fields_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
-	return fc, nil
-}
-
-func (ec *executionContext) ___Type_interfaces(ctx context.Context, field graphql.CollectedField, obj *introspection.Type) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___Type_interfaces(ctx, field)
-	if err != nil {
-		return graphql.Null
-	}
-	ctx = graphql.WithFieldContext(ctx, fc)
-	defer func() {
-		if r := recover(); r != nil {
-			ec.Error(ctx, ec.Recover(ctx, r))
-			ret = graphql.Null
-		}
-	}()
-	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
-		ctx = rctx // use context from middleware stack in children
-		return obj.Interfaces(), nil
-	})
-	if err != nil {
-		ec.Error(ctx, err)
-		return graphql.Null
-	}
-	if resTmp == nil {
-		return graphql.Null
-	}
-	res := resTmp.([]introspection.Type)
-	fc.Result = res
-	return ec.marshalO__Type2ᚕgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐTypeᚄ(ctx, field.Selections, res)
-}
-
-func (ec *executionContext) fieldContext___Type_interfaces(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
-	fc = &graphql.FieldContext{
-		Object:     "__Type",
-		Field:      field,
-		IsMethod:   true,
-		IsResolver: false,
-		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "kind":
-				return ec.fieldContext___Type_kind(ctx, field)
-			case "name":
-				return ec.fieldContext___Type_name(ctx, field)
-			case "description":
-				return ec.fieldContext___Type_description(ctx, field)
-			case "specifiedByURL":
-				return ec.fieldContext___Type_specifiedByURL(ctx, field)
-			case "fields":
-				return ec.fieldContext___Type_fields(ctx, field)
-			case "interfaces":
-				return ec.fieldContext___Type_interfaces(ctx, field)
-			case "possibleTypes":
-				return ec.fieldContext___Type_possibleTypes(ctx, field)
-			case "enumValues":
-				return ec.fieldContext___Type_enumValues(ctx, field)
-			case "inputFields":
-				return ec.fieldContext___Type_inputFields(ctx, field)
-			case "ofType":
-				return ec.fieldContext___Type_ofType(ctx, field)
-			case "isOneOf":
-				return ec.fieldContext___Type_isOneOf(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type __Type", field.Name)
-		},
-	}
-	return fc, nil
-}
-
-func (ec *executionContext) ___Type_possibleTypes(ctx context.Context, field graphql.CollectedField, obj *introspection.Type) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___Type_possibleTypes(ctx, field)
-	if err != nil {
-		return graphql.Null
-	}
-	ctx = graphql.WithFieldContext(ctx, fc)
-	defer func() {
-		if r := recover(); r != nil {
-			ec.Error(ctx, ec.Recover(ctx, r))
-			ret = graphql.Null
-		}
-	}()
-	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
-		ctx = rctx // use context from middleware stack in children
-		return obj.PossibleTypes(), nil
-	})
-	if err != nil {
-		ec.Error(ctx, err)
-		return graphql.Null
-	}
-	if resTmp == nil {
-		return graphql.Null
-	}
-	res := resTmp.([]introspection.Type)
-	fc.Result = res
-	return ec.marshalO__Type2ᚕgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐTypeᚄ(ctx, field.Selections, res)
-}
-
-func (ec *executionContext) fieldContext___Type_possibleTypes(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
-	fc = &graphql.FieldContext{
-		Object:     "__Type",
-		Field:      field,
-		IsMethod:   true,
-		IsResolver: false,
-		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "kind":
-				return ec.fieldContext___Type_kind(ctx, field)
-			case "name":
-				return ec.fieldContext___Type_name(ctx, field)
-			case "description":
-				return ec.fieldContext___Type_description(ctx, field)
-			case "specifiedByURL":
-				return ec.fieldContext___Type_specifiedByURL(ctx, field)
-			case "fields":
-				return ec.fieldContext___Type_fields(ctx, field)
-			case "interfaces":
-				return ec.fieldContext___Type_interfaces(ctx, field)
-			case "possibleTypes":
-				return ec.fieldContext___Type_possibleTypes(ctx, field)
-			case "enumValues":
-				return ec.fieldContext___Type_enumValues(ctx, field)
-			case "inputFields":
-				return ec.fieldContext___Type_inputFields(ctx, field)
-			case "ofType":
-				return ec.fieldContext___Type_ofType(ctx, field)
-			case "isOneOf":
-				return ec.fieldContext___Type_isOneOf(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type __Type", field.Name)
-		},
-	}
-	return fc, nil
-}
-
-func (ec *executionContext) ___Type_enumValues(ctx context.Context, field graphql.CollectedField, obj *introspection.Type) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___Type_enumValues(ctx, field)
-	if err != nil {
-		return graphql.Null
-	}
-	ctx = graphql.WithFieldContext(ctx, fc)
-	defer func() {
-		if r := recover(); r != nil {
-			ec.Error(ctx, ec.Recover(ctx, r))
-			ret = graphql.Null
-		}
-	}()
-	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
-		ctx = rctx // use context from middleware stack in children
-		return obj.EnumValues(fc.Args["includeDeprecated"].(bool)), nil
-	})
-	if err != nil {
-		ec.Error(ctx, err)
-		return graphql.Null
-	}
-	if resTmp == nil {
-		return graphql.Null
-	}
-	res := resTmp.([]introspection.EnumValue)
-	fc.Result = res
-	return ec.marshalO__EnumValue2ᚕgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐEnumValueᚄ(ctx, field.Selections, res)
-}
-
-func (ec *executionContext) fieldContext___Type_enumValues(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
-	fc = &graphql.FieldContext{
-		Object:     "__Type",
-		Field:      field,
-		IsMethod:   true,
-		IsResolver: false,
-		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "name":
-				return ec.fieldContext___EnumValue_name(ctx, field)
-			case "description":
-				return ec.fieldContext___EnumValue_description(ctx, field)
-			case "isDeprecated":
-				return ec.fieldContext___EnumValue_isDeprecated(ctx, field)
-			case "deprecationReason":
-				return ec.fieldContext___EnumValue_deprecationReason(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type __EnumValue", field.Name)
-		},
-	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field___Type_enumValues_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
-	return fc, nil
-}
-
-func (ec *executionContext) ___Type_inputFields(ctx context.Context, field graphql.CollectedField, obj *introspection.Type) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___Type_inputFields(ctx, field)
-	if err != nil {
-		return graphql.Null
-	}
-	ctx = graphql.WithFieldContext(ctx, fc)
-	defer func() {
-		if r := recover(); r != nil {
-			ec.Error(ctx, ec.Recover(ctx, r))
-			ret = graphql.Null
-		}
-	}()
-	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
-		ctx = rctx // use context from middleware stack in children
-		return obj.InputFields(), nil
-	})
-	if err != nil {
-		ec.Error(ctx, err)
-		return graphql.Null
-	}
-	if resTmp == nil {
-		return graphql.Null
-	}
-	res := resTmp.([]introspection.InputValue)
-	fc.Result = res
-	return ec.marshalO__InputValue2ᚕgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐInputValueᚄ(ctx, field.Selections, res)
-}
-
-func (ec *executionContext) fieldContext___Type_inputFields(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
-	fc = &graphql.FieldContext{
-		Object:     "__Type",
-		Field:      field,
-		IsMethod:   true,
-		IsResolver: false,
-		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "name":
-				return ec.fieldContext___InputValue_name(ctx, field)
-			case "description":
-				return ec.fieldContext___InputValue_description(ctx, field)
-			case "type":
-				return ec.fieldContext___InputValue_type(ctx, field)
-			case "defaultValue":
-				return ec.fieldContext___InputValue_defaultValue(ctx, field)
-			case "isDeprecated":
-				return ec.fieldContext___InputValue_isDeprecated(ctx, field)
-			case "deprecationReason":
-				return ec.fieldContext___InputValue_deprecationReason(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type __InputValue", field.Name)
-		},
-	}
-	return fc, nil
-}
-
-func (ec *executionContext) ___Type_ofType(ctx context.Context, field graphql.CollectedField, obj *introspection.Type) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___Type_ofType(ctx, field)
-	if err != nil {
-		return graphql.Null
-	}
-	ctx = graphql.WithFieldContext(ctx, fc)
-	defer func() {
-		if r := recover(); r != nil {
-			ec.Error(ctx, ec.Recover(ctx, r))
-			ret = graphql.Null
-		}
-	}()
-	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
-		ctx = rctx // use context from middleware stack in children
-		return obj.OfType(), nil
-	})
-	if err != nil {
-		ec.Error(ctx, err)
-		return graphql.Null
-	}
-	if resTmp == nil {
-		return graphql.Null
-	}
-	res := resTmp.(*introspection.Type)
-	fc.Result = res
-	return ec.marshalO__Type2ᚖgithubᚗcomᚋ99designsᚋgqlgenᚋgraphqlᚋintrospectionᚐType(ctx, field.Selections, res)
-}
-
-func (ec *executionContext) fieldContext___Type_ofType(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
-	fc = &graphql.FieldContext{
-		Object:     "__Type",
-		Field:      field,
-		IsMethod:   true,
-		IsResolver: false,
-		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "kind":
-				return ec.fieldContext___Type_kind(ctx, field)
-			case "name":
-				return ec.fieldContext___Type_name(ctx, field)
-			case "description":
-				return ec.fieldContext___Type_description(ctx, field)
-			case "specifiedByURL":
-				return ec.fieldContext___Type_specifiedByURL(ctx, field)
-			case "fields":
-				return ec.fieldContext___Type_fields(ctx, field)
-			case "interfaces":
-				return ec.fieldContext___Type_interfaces(ctx, field)
-			case "possibleTypes":
-				return ec.fieldContext___Type_possibleTypes(ctx, field)
-			case "enumValues":
-				return ec.fieldContext___Type_enumValues(ctx, field)
-			case "inputFields":
-				return ec.fieldContext___Type_inputFields(ctx, field)
-			case "ofType":
-				return ec.fieldContext___Type_ofType(ctx, field)
-			case "isOneOf":
-				return ec.fieldContext___Type_isOneOf(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type __Type", field.Name)
-		},
-	}
-	return fc, nil
-}
-
-func (ec *executionContext) ___Type_isOneOf(ctx context.Context, field graphql.CollectedField, obj *introspection.Type) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext___Type_isOneOf(ctx, field)
-	if err != nil {
-		return graphql.Null
-	}
-	ctx = graphql.WithFieldContext(ctx, fc)
-	defer func() {
-		if r := recover(); r != nil {
-			ec.Error(ctx, ec.Recover(ctx, r))
-			ret = graphql.Null
-		}
-	}()
-	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
-		ctx = rctx // use context from middleware stack in children
-		return obj.IsOneOf(), nil
-	})
-	if err != nil {
-		ec.Error(ctx, err)
-		return graphql.Null
-	}
-	if resTmp == nil {
-		return graphql.Null
-	}
-	res := resTmp.(bool)
-	fc.Result = res
-	return ec.marshalOBoolean2bool(ctx, field.Selections, res)
-}
-
-func (ec *executionContext) fieldContext___Type_isOneOf(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
-	fc = &graphql.FieldContext{
-		Object:     "__Type",
-		Field:      field,
-		IsMethod:   true,
-		IsResolver: false,
-		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
-		},
-	}
-	return fc, nil
-}
-
-// endregion **************************** field.gotpl *****************************
-
-// region    **************************** input.gotpl *****************************
-
-func (ec *executionContext) unmarshalInputAddEmailTemplateRequest(ctx context.Context, obj any) (model.AddEmailTemplateRequest, error) {
-	var it model.AddEmailTemplateRequest
-	asMap := map[string]any{}
-	for k, v := range obj.(map[string]any) {
-		asMap[k] = v
-	}
-
-	fieldsInOrder := [...]string{"event_name", "subject", "template", "design"}
-	for _, k := range fieldsInOrder {
-		v, ok := asMap[k]
-		if !ok {
-			continue
-		}
-		switch k {
-		case "event_name":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("event_name"))
-			data, err := ec.unmarshalNString2string(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.EventName = data
-		case "subject":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("subject"))
-			data, err := ec.unmarshalNString2string(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.Subject = data
-		case "template":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("template"))
-			data, err := ec.unmarshalNString2string(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.Template = data
-		case "design":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("design"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.Design = data
-		}
-	}
-
-	return it, nil
-}
-
-func (ec *executionContext) unmarshalInputAddPermissionInput(ctx context.Context, obj any) (model.AddPermissionInput, error) {
-	var it model.AddPermissionInput
-	asMap := map[string]any{}
-	for k, v := range obj.(map[string]any) {
-		asMap[k] = v
-	}
-
-	fieldsInOrder := [...]string{"name", "description", "resource_id", "scope_ids", "policy_ids", "decision_strategy"}
-	for _, k := range fieldsInOrder {
-		v, ok := asMap[k]
-		if !ok {
-			continue
-		}
-		switch k {
-		case "name":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("name"))
-			data, err := ec.unmarshalNString2string(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.Name = data
-		case "description":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("description"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.Description = data
-		case "resource_id":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("resource_id"))
-			data, err := ec.unmarshalNID2string(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.ResourceID = data
-		case "scope_ids":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("scope_ids"))
-			data, err := ec.unmarshalNID2ᚕstringᚄ(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.ScopeIds = data
-		case "policy_ids":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("policy_ids"))
-			data, err := ec.unmarshalNID2ᚕstringᚄ(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.PolicyIds = data
-		case "decision_strategy":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("decision_strategy"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.DecisionStrategy = data
-		}
-	}
-
-	return it, nil
-}
-
-func (ec *executionContext) unmarshalInputAddPolicyInput(ctx context.Context, obj any) (model.AddPolicyInput, error) {
-	var it model.AddPolicyInput
-	asMap := map[string]any{}
-	for k, v := range obj.(map[string]any) {
-		asMap[k] = v
-	}
-
-	fieldsInOrder := [...]string{"name", "description", "type", "logic", "decision_strategy", "targets"}
-	for _, k := range fieldsInOrder {
-		v, ok := asMap[k]
-		if !ok {
-			continue
-		}
-		switch k {
-		case "name":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("name"))
-			data, err := ec.unmarshalNString2string(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.Name = data
-		case "description":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("description"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.Description = data
-		case "type":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("type"))
-			data, err := ec.unmarshalNString2string(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.Type = data
-		case "logic":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("logic"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.Logic = data
-		case "decision_strategy":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("decision_strategy"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.DecisionStrategy = data
-		case "targets":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("targets"))
-			data, err := ec.unmarshalNPolicyTargetInput2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPolicyTargetInputᚄ(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.Targets = data
-		}
-	}
-
-	return it, nil
-}
-
-func (ec *executionContext) unmarshalInputAddResourceInput(ctx context.Context, obj any) (model.AddResourceInput, error) {
-	var it model.AddResourceInput
-	asMap := map[string]any{}
-	for k, v := range obj.(map[string]any) {
-		asMap[k] = v
-	}
-
-	fieldsInOrder := [...]string{"name", "description"}
-	for _, k := range fieldsInOrder {
-		v, ok := asMap[k]
-		if !ok {
-			continue
-		}
-		switch k {
-		case "name":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("name"))
-			data, err := ec.unmarshalNString2string(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.Name = data
-		case "description":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("description"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.Description = data
-		}
-	}
-
-	return it, nil
-}
-
-func (ec *executionContext) unmarshalInputAddScopeInput(ctx context.Context, obj any) (model.AddScopeInput, error) {
-	var it model.AddScopeInput
-	asMap := map[string]any{}
-	for k, v := range obj.(map[string]any) {
-		asMap[k] = v
-	}
-
-	fieldsInOrder := [...]string{"name", "description"}
-	for _, k := range fieldsInOrder {
-		v, ok := asMap[k]
-		if !ok {
-			continue
-		}
-		switch k {
-		case "name":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("name"))
-			data, err := ec.unmarshalNString2string(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.Name = data
-		case "description":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("description"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.Description = data
-		}
-	}
-
-	return it, nil
-}
-
-func (ec *executionContext) unmarshalInputAddWebhookRequest(ctx context.Context, obj any) (model.AddWebhookRequest, error) {
-	var it model.AddWebhookRequest
-	asMap := map[string]any{}
-	for k, v := range obj.(map[string]any) {
-		asMap[k] = v
-	}
-
-	fieldsInOrder := [...]string{"event_name", "event_description", "endpoint", "enabled", "headers"}
-	for _, k := range fieldsInOrder {
-		v, ok := asMap[k]
-		if !ok {
-			continue
-		}
-		switch k {
-		case "event_name":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("event_name"))
-			data, err := ec.unmarshalNString2string(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.EventName = data
-		case "event_description":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("event_description"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.EventDescription = data
-		case "endpoint":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("endpoint"))
-			data, err := ec.unmarshalNString2string(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.Endpoint = data
-		case "enabled":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("enabled"))
-			data, err := ec.unmarshalNBoolean2bool(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.Enabled = data
-		case "headers":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("headers"))
-			data, err := ec.unmarshalOMap2map(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.Headers = data
-		}
-	}
-
-	return it, nil
-}
-
-func (ec *executionContext) unmarshalInputAdminLoginRequest(ctx context.Context, obj any) (model.AdminLoginRequest, error) {
-	var it model.AdminLoginRequest
-	asMap := map[string]any{}
-	for k, v := range obj.(map[string]any) {
-		asMap[k] = v
-	}
-
-	fieldsInOrder := [...]string{"admin_secret"}
-	for _, k := range fieldsInOrder {
-		v, ok := asMap[k]
-		if !ok {
-			continue
-		}
-		switch k {
-		case "admin_secret":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("admin_secret"))
-			data, err := ec.unmarshalNString2string(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.AdminSecret = data
-		}
-	}
-
-	return it, nil
-}
-
-func (ec *executionContext) unmarshalInputAdminSignupRequest(ctx context.Context, obj any) (model.AdminSignupRequest, error) {
-	var it model.AdminSignupRequest
-	asMap := map[string]any{}
-	for k, v := range obj.(map[string]any) {
-		asMap[k] = v
-	}
-
-	fieldsInOrder := [...]string{"admin_secret"}
-	for _, k := range fieldsInOrder {
-		v, ok := asMap[k]
-		if !ok {
-			continue
-		}
-		switch k {
-		case "admin_secret":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("admin_secret"))
-			data, err := ec.unmarshalNString2string(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.AdminSecret = data
-		}
-	}
-
-	return it, nil
-}
-
-func (ec *executionContext) unmarshalInputDeleteEmailTemplateRequest(ctx context.Context, obj any) (model.DeleteEmailTemplateRequest, error) {
-	var it model.DeleteEmailTemplateRequest
-	asMap := map[string]any{}
-	for k, v := range obj.(map[string]any) {
-		asMap[k] = v
-	}
-
-	fieldsInOrder := [...]string{"id"}
-	for _, k := range fieldsInOrder {
-		v, ok := asMap[k]
-		if !ok {
-			continue
-		}
-		switch k {
-		case "id":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("id"))
-			data, err := ec.unmarshalNID2string(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.ID = data
-		}
-	}
-
-	return it, nil
-}
-
-func (ec *executionContext) unmarshalInputDeleteUserRequest(ctx context.Context, obj any) (model.DeleteUserRequest, error) {
-	var it model.DeleteUserRequest
-	asMap := map[string]any{}
-	for k, v := range obj.(map[string]any) {
-		asMap[k] = v
-	}
-
-	fieldsInOrder := [...]string{"email"}
-	for _, k := range fieldsInOrder {
-		v, ok := asMap[k]
-		if !ok {
-			continue
-		}
-		switch k {
-		case "email":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("email"))
-			data, err := ec.unmarshalNString2string(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.Email = data
-		}
-	}
-
-	return it, nil
-}
-
-func (ec *executionContext) unmarshalInputForgotPasswordRequest(ctx context.Context, obj any) (model.ForgotPasswordRequest, error) {
-	var it model.ForgotPasswordRequest
-	asMap := map[string]any{}
-	for k, v := range obj.(map[string]any) {
-		asMap[k] = v
-	}
-
-	fieldsInOrder := [...]string{"email", "phone_number", "state", "redirect_uri"}
-	for _, k := range fieldsInOrder {
-		v, ok := asMap[k]
-		if !ok {
-			continue
-		}
-		switch k {
-		case "email":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("email"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.Email = data
-		case "phone_number":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("phone_number"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.PhoneNumber = data
-		case "state":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("state"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.State = data
-		case "redirect_uri":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("redirect_uri"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.RedirectURI = data
-		}
-	}
-
-	return it, nil
-}
-
-func (ec *executionContext) unmarshalInputGenerateJWTKeysRequest(ctx context.Context, obj any) (model.GenerateJWTKeysRequest, error) {
-	var it model.GenerateJWTKeysRequest
-	asMap := map[string]any{}
-	for k, v := range obj.(map[string]any) {
-		asMap[k] = v
-	}
-
-	fieldsInOrder := [...]string{"type"}
-	for _, k := range fieldsInOrder {
-		v, ok := asMap[k]
-		if !ok {
-			continue
-		}
-		switch k {
-		case "type":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("type"))
-			data, err := ec.unmarshalNString2string(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.Type = data
-		}
-	}
-
-	return it, nil
-}
-
-func (ec *executionContext) unmarshalInputGetUserRequest(ctx context.Context, obj any) (model.GetUserRequest, error) {
-	var it model.GetUserRequest
-	asMap := map[string]any{}
-	for k, v := range obj.(map[string]any) {
-		asMap[k] = v
-	}
-
-	fieldsInOrder := [...]string{"id", "email"}
-	for _, k := range fieldsInOrder {
-		v, ok := asMap[k]
-		if !ok {
-			continue
-		}
-		switch k {
-		case "id":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("id"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.ID = data
-		case "email":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("email"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.Email = data
-		}
-	}
-
-	return it, nil
-}
-
-func (ec *executionContext) unmarshalInputInviteMemberRequest(ctx context.Context, obj any) (model.InviteMemberRequest, error) {
-	var it model.InviteMemberRequest
-	asMap := map[string]any{}
-	for k, v := range obj.(map[string]any) {
-		asMap[k] = v
-	}
-
-	fieldsInOrder := [...]string{"emails", "redirect_uri"}
-	for _, k := range fieldsInOrder {
-		v, ok := asMap[k]
-		if !ok {
-			continue
-		}
-		switch k {
-		case "emails":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("emails"))
-			data, err := ec.unmarshalNString2ᚕstringᚄ(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.Emails = data
-		case "redirect_uri":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("redirect_uri"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.RedirectURI = data
-		}
-	}
-
-	return it, nil
-}
-
-func (ec *executionContext) unmarshalInputListAuditLogRequest(ctx context.Context, obj any) (model.ListAuditLogRequest, error) {
-	var it model.ListAuditLogRequest
-	asMap := map[string]any{}
-	for k, v := range obj.(map[string]any) {
-		asMap[k] = v
-	}
-
-	fieldsInOrder := [...]string{"pagination", "action", "actor_id", "resource_type", "resource_id", "from_timestamp", "to_timestamp"}
-	for _, k := range fieldsInOrder {
-		v, ok := asMap[k]
-		if !ok {
-			continue
-		}
-		switch k {
-		case "pagination":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("pagination"))
-			data, err := ec.unmarshalOPaginationRequest2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPaginationRequest(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.Pagination = data
-		case "action":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("action"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.Action = data
-		case "actor_id":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("actor_id"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.ActorID = data
-		case "resource_type":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("resource_type"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.ResourceType = data
-		case "resource_id":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("resource_id"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.ResourceID = data
-		case "from_timestamp":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("from_timestamp"))
-			data, err := ec.unmarshalOInt642ᚖint64(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.FromTimestamp = data
-		case "to_timestamp":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("to_timestamp"))
-			data, err := ec.unmarshalOInt642ᚖint64(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.ToTimestamp = data
-		}
-	}
-
-	return it, nil
-}
-
-func (ec *executionContext) unmarshalInputListWebhookLogRequest(ctx context.Context, obj any) (model.ListWebhookLogRequest, error) {
-	var it model.ListWebhookLogRequest
-	asMap := map[string]any{}
-	for k, v := range obj.(map[string]any) {
-		asMap[k] = v
-	}
-
-	fieldsInOrder := [...]string{"pagination", "webhook_id"}
-	for _, k := range fieldsInOrder {
-		v, ok := asMap[k]
-		if !ok {
-			continue
-		}
-		switch k {
-		case "pagination":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("pagination"))
-			data, err := ec.unmarshalOPaginationRequest2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPaginationRequest(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.Pagination = data
-		case "webhook_id":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("webhook_id"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.WebhookID = data
-		}
-	}
-
-	return it, nil
-}
-
-func (ec *executionContext) unmarshalInputLoginRequest(ctx context.Context, obj any) (model.LoginRequest, error) {
-	var it model.LoginRequest
-	asMap := map[string]any{}
-	for k, v := range obj.(map[string]any) {
-		asMap[k] = v
-	}
-
-	fieldsInOrder := [...]string{"email", "phone_number", "password", "roles", "scope", "state"}
-	for _, k := range fieldsInOrder {
-		v, ok := asMap[k]
-		if !ok {
-			continue
-		}
-		switch k {
-		case "email":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("email"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.Email = data
-		case "phone_number":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("phone_number"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.PhoneNumber = data
-		case "password":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("password"))
-			data, err := ec.unmarshalNString2string(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.Password = data
-		case "roles":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("roles"))
-			data, err := ec.unmarshalOString2ᚕstringᚄ(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.Roles = data
-		case "scope":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("scope"))
-			data, err := ec.unmarshalOString2ᚕstringᚄ(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.Scope = data
-		case "state":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("state"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.State = data
-		}
-	}
-
-	return it, nil
-}
-
-func (ec *executionContext) unmarshalInputMagicLinkLoginRequest(ctx context.Context, obj any) (model.MagicLinkLoginRequest, error) {
-	var it model.MagicLinkLoginRequest
-	asMap := map[string]any{}
-	for k, v := range obj.(map[string]any) {
-		asMap[k] = v
-	}
-
-	fieldsInOrder := [...]string{"email", "roles", "scope", "state", "redirect_uri"}
-	for _, k := range fieldsInOrder {
-		v, ok := asMap[k]
-		if !ok {
-			continue
-		}
-		switch k {
-		case "email":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("email"))
-			data, err := ec.unmarshalNString2string(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.Email = data
-		case "roles":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("roles"))
-			data, err := ec.unmarshalOString2ᚕstringᚄ(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.Roles = data
-		case "scope":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("scope"))
-			data, err := ec.unmarshalOString2ᚕstringᚄ(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.Scope = data
-		case "state":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("state"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.State = data
-		case "redirect_uri":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("redirect_uri"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.RedirectURI = data
-		}
-	}
-
-	return it, nil
-}
-
-func (ec *executionContext) unmarshalInputMobileLoginRequest(ctx context.Context, obj any) (model.MobileLoginRequest, error) {
-	var it model.MobileLoginRequest
-	asMap := map[string]any{}
-	for k, v := range obj.(map[string]any) {
-		asMap[k] = v
-	}
-
-	fieldsInOrder := [...]string{"phone_number", "password", "roles", "scope", "state"}
-	for _, k := range fieldsInOrder {
-		v, ok := asMap[k]
-		if !ok {
-			continue
-		}
-		switch k {
-		case "phone_number":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("phone_number"))
-			data, err := ec.unmarshalNString2string(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.PhoneNumber = data
-		case "password":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("password"))
-			data, err := ec.unmarshalNString2string(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.Password = data
-		case "roles":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("roles"))
-			data, err := ec.unmarshalOString2ᚕstringᚄ(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.Roles = data
-		case "scope":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("scope"))
-			data, err := ec.unmarshalOString2ᚕstringᚄ(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.Scope = data
-		case "state":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("state"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.State = data
-		}
-	}
-
-	return it, nil
-}
-
-func (ec *executionContext) unmarshalInputMobileSignUpRequest(ctx context.Context, obj any) (model.MobileSignUpRequest, error) {
-	var it model.MobileSignUpRequest
-	asMap := map[string]any{}
-	for k, v := range obj.(map[string]any) {
-		asMap[k] = v
-	}
-
-	fieldsInOrder := [...]string{"email", "given_name", "family_name", "middle_name", "nickname", "gender", "birthdate", "phone_number", "picture", "password", "confirm_password", "roles", "scope", "redirect_uri", "is_multi_factor_auth_enabled", "state", "app_data"}
-	for _, k := range fieldsInOrder {
-		v, ok := asMap[k]
-		if !ok {
-			continue
+
+	fieldsInOrder := [...]string{"user", "relation", "object"}
+	for _, k := range fieldsInOrder {
+		v, ok := asMap[k]
+		if !ok {
+			continue
 		}
 		switch k {
-		case "email":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("email"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.Email = data
-		case "given_name":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("given_name"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.GivenName = data
-		case "family_name":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("family_name"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.FamilyName = data
-		case "middle_name":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("middle_name"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.MiddleName = data
-		case "nickname":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("nickname"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.Nickname = data
-		case "gender":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("gender"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.Gender = data
-		case "birthdate":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("birthdate"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.Birthdate = data
-		case "phone_number":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("phone_number"))
+		case "user":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("user"))
 			data, err := ec.unmarshalNString2string(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.PhoneNumber = data
-		case "picture":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("picture"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.Picture = data
-		case "password":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("password"))
+			it.User = data
+		case "relation":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("relation"))
 			data, err := ec.unmarshalNString2string(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.Password = data
-		case "confirm_password":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("confirm_password"))
+			it.Relation = data
+		case "object":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("object"))
 			data, err := ec.unmarshalNString2string(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.ConfirmPassword = data
-		case "roles":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("roles"))
-			data, err := ec.unmarshalOString2ᚕstringᚄ(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.Roles = data
-		case "scope":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("scope"))
-			data, err := ec.unmarshalOString2ᚕstringᚄ(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.Scope = data
-		case "redirect_uri":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("redirect_uri"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.RedirectURI = data
-		case "is_multi_factor_auth_enabled":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("is_multi_factor_auth_enabled"))
-			data, err := ec.unmarshalOBoolean2ᚖbool(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.IsMultiFactorAuthEnabled = data
-		case "state":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("state"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.State = data
-		case "app_data":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("app_data"))
-			data, err := ec.unmarshalOMap2map(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.AppData = data
+			it.Object = data
 		}
 	}
 
 	return it, nil
 }
 
-func (ec *executionContext) unmarshalInputOAuthRevokeRequest(ctx context.Context, obj any) (model.OAuthRevokeRequest, error) {
-	var it model.OAuthRevokeRequest
+func (ec *executionContext) unmarshalInputFgaWriteModelInput(ctx context.Context, obj any) (model.FgaWriteModelInput, error) {
+	var it model.FgaWriteModelInput
 	asMap := map[string]any{}
 	for k, v := range obj.(map[string]any) {
 		asMap[k] = v
 	}
 
-	fieldsInOrder := [...]string{"refresh_token"}
+	fieldsInOrder := [...]string{"dsl"}
 	for _, k := range fieldsInOrder {
 		v, ok := asMap[k]
 		if !ok {
 			continue
 		}
 		switch k {
-		case "refresh_token":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("refresh_token"))
+		case "dsl":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("dsl"))
 			data, err := ec.unmarshalNString2string(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.RefreshToken = data
+			it.Dsl = data
 		}
 	}
 
 	return it, nil
 }
 
-func (ec *executionContext) unmarshalInputPaginatedRequest(ctx context.Context, obj any) (model.PaginatedRequest, error) {
-	var it model.PaginatedRequest
+func (ec *executionContext) unmarshalInputFgaWriteTuplesInput(ctx context.Context, obj any) (model.FgaWriteTuplesInput, error) {
+	var it model.FgaWriteTuplesInput
 	asMap := map[string]any{}
 	for k, v := range obj.(map[string]any) {
 		asMap[k] = v
 	}
 
-	fieldsInOrder := [...]string{"pagination"}
+	fieldsInOrder := [...]string{"tuples"}
 	for _, k := range fieldsInOrder {
 		v, ok := asMap[k]
 		if !ok {
 			continue
 		}
 		switch k {
-		case "pagination":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("pagination"))
-			data, err := ec.unmarshalOPaginationRequest2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPaginationRequest(ctx, v)
+		case "tuples":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("tuples"))
+			data, err := ec.unmarshalNFgaTupleInput2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaTupleInputᚄ(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.Pagination = data
+			it.Tuples = data
 		}
 	}
 
 	return it, nil
 }
 
-func (ec *executionContext) unmarshalInputPaginationRequest(ctx context.Context, obj any) (model.PaginationRequest, error) {
-	var it model.PaginationRequest
+func (ec *executionContext) unmarshalInputForgotPasswordRequest(ctx context.Context, obj any) (model.ForgotPasswordRequest, error) {
+	var it model.ForgotPasswordRequest
 	asMap := map[string]any{}
 	for k, v := range obj.(map[string]any) {
 		asMap[k] = v
 	}
 
-	fieldsInOrder := [...]string{"limit", "page"}
+	fieldsInOrder := [...]string{"email", "phone_number", "state", "redirect_uri"}
 	for _, k := range fieldsInOrder {
 		v, ok := asMap[k]
 		if !ok {
 			continue
 		}
 		switch k {
-		case "limit":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("limit"))
-			data, err := ec.unmarshalOInt642ᚖint64(ctx, v)
+		case "email":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("email"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.Limit = data
-		case "page":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("page"))
-			data, err := ec.unmarshalOInt642ᚖint64(ctx, v)
+			it.Email = data
+		case "phone_number":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("phone_number"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.Page = data
-		}
-	}
-
-	return it, nil
-}
-
-func (ec *executionContext) unmarshalInputPermissionInput(ctx context.Context, obj any) (model.PermissionInput, error) {
-	var it model.PermissionInput
-	asMap := map[string]any{}
-	for k, v := range obj.(map[string]any) {
-		asMap[k] = v
-	}
-
-	fieldsInOrder := [...]string{"resource", "scope"}
-	for _, k := range fieldsInOrder {
-		v, ok := asMap[k]
-		if !ok {
-			continue
-		}
-		switch k {
-		case "resource":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("resource"))
-			data, err := ec.unmarshalNString2string(ctx, v)
+			it.PhoneNumber = data
+		case "state":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("state"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.Resource = data
-		case "scope":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("scope"))
-			data, err := ec.unmarshalNString2string(ctx, v)
+			it.State = data
+		case "redirect_uri":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("redirect_uri"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.Scope = data
+			it.RedirectURI = data
 		}
 	}
 
 	return it, nil
 }
 
-func (ec *executionContext) unmarshalInputPolicyTargetInput(ctx context.Context, obj any) (model.PolicyTargetInput, error) {
-	var it model.PolicyTargetInput
+func (ec *executionContext) unmarshalInputGenerateJWTKeysRequest(ctx context.Context, obj any) (model.GenerateJWTKeysRequest, error) {
+	var it model.GenerateJWTKeysRequest
 	asMap := map[string]any{}
 	for k, v := range obj.(map[string]any) {
 		asMap[k] = v
 	}
 
-	fieldsInOrder := [...]string{"target_type", "target_value"}
+	fieldsInOrder := [...]string{"type"}
 	for _, k := range fieldsInOrder {
 		v, ok := asMap[k]
 		if !ok {
 			continue
 		}
 		switch k {
-		case "target_type":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("target_type"))
-			data, err := ec.unmarshalNString2string(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.TargetType = data
-		case "target_value":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("target_value"))
+		case "type":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("type"))
 			data, err := ec.unmarshalNString2string(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.TargetValue = data
+			it.Type = data
 		}
 	}
 
 	return it, nil
 }
 
-func (ec *executionContext) unmarshalInputResendOTPRequest(ctx context.Context, obj any) (model.ResendOTPRequest, error) {
-	var it model.ResendOTPRequest
+func (ec *executionContext) unmarshalInputGetUserRequest(ctx context.Context, obj any) (model.GetUserRequest, error) {
+	var it model.GetUserRequest
 	asMap := map[string]any{}
 	for k, v := range obj.(map[string]any) {
 		asMap[k] = v
 	}
 
-	fieldsInOrder := [...]string{"email", "phone_number", "state"}
+	fieldsInOrder := [...]string{"id", "email"}
 	for _, k := range fieldsInOrder {
 		v, ok := asMap[k]
 		if !ok {
 			continue
 		}
 		switch k {
-		case "email":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("email"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.Email = data
-		case "phone_number":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("phone_number"))
+		case "id":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("id"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.PhoneNumber = data
-		case "state":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("state"))
+			it.ID = data
+		case "email":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("email"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.State = data
+			it.Email = data
 		}
 	}
 
 	return it, nil
 }
 
-func (ec *executionContext) unmarshalInputResendVerifyEmailRequest(ctx context.Context, obj any) (model.ResendVerifyEmailRequest, error) {
-	var it model.ResendVerifyEmailRequest
+func (ec *executionContext) unmarshalInputInviteMemberRequest(ctx context.Context, obj any) (model.InviteMemberRequest, error) {
+	var it model.InviteMemberRequest
 	asMap := map[string]any{}
 	for k, v := range obj.(map[string]any) {
 		asMap[k] = v
 	}
 
-	fieldsInOrder := [...]string{"email", "identifier", "state"}
+	fieldsInOrder := [...]string{"emails", "redirect_uri"}
 	for _, k := range fieldsInOrder {
 		v, ok := asMap[k]
 		if !ok {
 			continue
 		}
 		switch k {
-		case "email":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("email"))
-			data, err := ec.unmarshalNString2string(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.Email = data
-		case "identifier":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("identifier"))
-			data, err := ec.unmarshalNString2string(ctx, v)
+		case "emails":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("emails"))
+			data, err := ec.unmarshalNString2ᚕstringᚄ(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.Identifier = data
-		case "state":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("state"))
+			it.Emails = data
+		case "redirect_uri":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("redirect_uri"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.State = data
+			it.RedirectURI = data
 		}
 	}
 
 	return it, nil
 }
 
-func (ec *executionContext) unmarshalInputResetPasswordRequest(ctx context.Context, obj any) (model.ResetPasswordRequest, error) {
-	var it model.ResetPasswordRequest
+func (ec *executionContext) unmarshalInputListAuditLogRequest(ctx context.Context, obj any) (model.ListAuditLogRequest, error) {
+	var it model.ListAuditLogRequest
 	asMap := map[string]any{}
 	for k, v := range obj.(map[string]any) {
 		asMap[k] = v
 	}
 
-	fieldsInOrder := [...]string{"token", "otp", "phone_number", "password", "confirm_password"}
+	fieldsInOrder := [...]string{"pagination", "action", "actor_id", "resource_type", "resource_id", "from_timestamp", "to_timestamp"}
 	for _, k := range fieldsInOrder {
 		v, ok := asMap[k]
 		if !ok {
 			continue
 		}
 		switch k {
-		case "token":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("token"))
+		case "pagination":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("pagination"))
+			data, err := ec.unmarshalOPaginationRequest2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPaginationRequest(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Pagination = data
+		case "action":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("action"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.Token = data
-		case "otp":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("otp"))
+			it.Action = data
+		case "actor_id":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("actor_id"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.Otp = data
-		case "phone_number":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("phone_number"))
+			it.ActorID = data
+		case "resource_type":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("resource_type"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.PhoneNumber = data
-		case "password":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("password"))
-			data, err := ec.unmarshalNString2string(ctx, v)
+			it.ResourceType = data
+		case "resource_id":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("resource_id"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.Password = data
-		case "confirm_password":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("confirm_password"))
-			data, err := ec.unmarshalNString2string(ctx, v)
+			it.ResourceID = data
+		case "from_timestamp":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("from_timestamp"))
+			data, err := ec.unmarshalOInt642ᚖint64(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.ConfirmPassword = data
+			it.FromTimestamp = data
+		case "to_timestamp":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("to_timestamp"))
+			data, err := ec.unmarshalOInt642ᚖint64(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.ToTimestamp = data
 		}
 	}
 
 	return it, nil
 }
 
-func (ec *executionContext) unmarshalInputSessionQueryRequest(ctx context.Context, obj any) (model.SessionQueryRequest, error) {
-	var it model.SessionQueryRequest
+func (ec *executionContext) unmarshalInputListWebhookLogRequest(ctx context.Context, obj any) (model.ListWebhookLogRequest, error) {
+	var it model.ListWebhookLogRequest
 	asMap := map[string]any{}
 	for k, v := range obj.(map[string]any) {
 		asMap[k] = v
 	}
 
-	fieldsInOrder := [...]string{"roles", "scope", "state", "required_permissions"}
+	fieldsInOrder := [...]string{"pagination", "webhook_id"}
 	for _, k := range fieldsInOrder {
 		v, ok := asMap[k]
 		if !ok {
 			continue
 		}
 		switch k {
-		case "roles":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("roles"))
-			data, err := ec.unmarshalOString2ᚕstringᚄ(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.Roles = data
-		case "scope":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("scope"))
-			data, err := ec.unmarshalOString2ᚕstringᚄ(ctx, v)
+		case "pagination":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("pagination"))
+			data, err := ec.unmarshalOPaginationRequest2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPaginationRequest(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.Scope = data
-		case "state":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("state"))
+			it.Pagination = data
+		case "webhook_id":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("webhook_id"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.State = data
-		case "required_permissions":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("required_permissions"))
-			data, err := ec.unmarshalOPermissionInput2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPermissionInputᚄ(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.RequiredPermissions = data
+			it.WebhookID = data
 		}
 	}
 
 	return it, nil
 }
 
-func (ec *executionContext) unmarshalInputSignUpRequest(ctx context.Context, obj any) (model.SignUpRequest, error) {
-	var it model.SignUpRequest
+func (ec *executionContext) unmarshalInputLoginRequest(ctx context.Context, obj any) (model.LoginRequest, error) {
+	var it model.LoginRequest
 	asMap := map[string]any{}
 	for k, v := range obj.(map[string]any) {
 		asMap[k] = v
 	}
 
-	fieldsInOrder := [...]string{"email", "given_name", "family_name", "middle_name", "nickname", "gender", "birthdate", "phone_number", "picture", "password", "confirm_password", "roles", "scope", "redirect_uri", "is_multi_factor_auth_enabled", "state", "app_data"}
+	fieldsInOrder := [...]string{"email", "phone_number", "password", "roles", "scope", "state"}
 	for _, k := range fieldsInOrder {
 		v, ok := asMap[k]
 		if !ok {
@@ -23947,48 +20619,6 @@ func (ec *executionContext) unmarshalInputSignUpRequest(ctx context.Context, obj
 				return it, err
 			}
 			it.Email = data
-		case "given_name":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("given_name"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.GivenName = data
-		case "family_name":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("family_name"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.FamilyName = data
-		case "middle_name":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("middle_name"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.MiddleName = data
-		case "nickname":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("nickname"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.Nickname = data
-		case "gender":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("gender"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.Gender = data
-		case "birthdate":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("birthdate"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.Birthdate = data
 		case "phone_number":
 			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("phone_number"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
@@ -23996,13 +20626,6 @@ func (ec *executionContext) unmarshalInputSignUpRequest(ctx context.Context, obj
 				return it, err
 			}
 			it.PhoneNumber = data
-		case "picture":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("picture"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.Picture = data
 		case "password":
 			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("password"))
 			data, err := ec.unmarshalNString2string(ctx, v)
@@ -24010,13 +20633,6 @@ func (ec *executionContext) unmarshalInputSignUpRequest(ctx context.Context, obj
 				return it, err
 			}
 			it.Password = data
-		case "confirm_password":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("confirm_password"))
-			data, err := ec.unmarshalNString2string(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.ConfirmPassword = data
 		case "roles":
 			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("roles"))
 			data, err := ec.unmarshalOString2ᚕstringᚄ(ctx, v)
@@ -24031,20 +20647,6 @@ func (ec *executionContext) unmarshalInputSignUpRequest(ctx context.Context, obj
 				return it, err
 			}
 			it.Scope = data
-		case "redirect_uri":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("redirect_uri"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.RedirectURI = data
-		case "is_multi_factor_auth_enabled":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("is_multi_factor_auth_enabled"))
-			data, err := ec.unmarshalOBoolean2ᚖbool(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.IsMultiFactorAuthEnabled = data
 		case "state":
 			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("state"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
@@ -24052,611 +20654,756 @@ func (ec *executionContext) unmarshalInputSignUpRequest(ctx context.Context, obj
 				return it, err
 			}
 			it.State = data
-		case "app_data":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("app_data"))
-			data, err := ec.unmarshalOMap2map(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.AppData = data
 		}
 	}
 
 	return it, nil
 }
 
-func (ec *executionContext) unmarshalInputTestEndpointRequest(ctx context.Context, obj any) (model.TestEndpointRequest, error) {
-	var it model.TestEndpointRequest
+func (ec *executionContext) unmarshalInputMagicLinkLoginRequest(ctx context.Context, obj any) (model.MagicLinkLoginRequest, error) {
+	var it model.MagicLinkLoginRequest
 	asMap := map[string]any{}
 	for k, v := range obj.(map[string]any) {
 		asMap[k] = v
 	}
 
-	fieldsInOrder := [...]string{"endpoint", "event_name", "event_description", "headers"}
+	fieldsInOrder := [...]string{"email", "roles", "scope", "state", "redirect_uri"}
 	for _, k := range fieldsInOrder {
 		v, ok := asMap[k]
 		if !ok {
 			continue
 		}
 		switch k {
-		case "endpoint":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("endpoint"))
+		case "email":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("email"))
 			data, err := ec.unmarshalNString2string(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.Endpoint = data
-		case "event_name":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("event_name"))
-			data, err := ec.unmarshalNString2string(ctx, v)
+			it.Email = data
+		case "roles":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("roles"))
+			data, err := ec.unmarshalOString2ᚕstringᚄ(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.EventName = data
-		case "event_description":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("event_description"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			it.Roles = data
+		case "scope":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("scope"))
+			data, err := ec.unmarshalOString2ᚕstringᚄ(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.EventDescription = data
-		case "headers":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("headers"))
-			data, err := ec.unmarshalOMap2map(ctx, v)
+			it.Scope = data
+		case "state":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("state"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.Headers = data
-		}
-	}
-
-	return it, nil
-}
-
-func (ec *executionContext) unmarshalInputUpdateAccessRequest(ctx context.Context, obj any) (model.UpdateAccessRequest, error) {
-	var it model.UpdateAccessRequest
-	asMap := map[string]any{}
-	for k, v := range obj.(map[string]any) {
-		asMap[k] = v
-	}
-
-	fieldsInOrder := [...]string{"user_id"}
-	for _, k := range fieldsInOrder {
-		v, ok := asMap[k]
-		if !ok {
-			continue
-		}
-		switch k {
-		case "user_id":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("user_id"))
-			data, err := ec.unmarshalNString2string(ctx, v)
+			it.State = data
+		case "redirect_uri":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("redirect_uri"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.UserID = data
+			it.RedirectURI = data
 		}
 	}
 
 	return it, nil
 }
 
-func (ec *executionContext) unmarshalInputUpdateEmailTemplateRequest(ctx context.Context, obj any) (model.UpdateEmailTemplateRequest, error) {
-	var it model.UpdateEmailTemplateRequest
+func (ec *executionContext) unmarshalInputMobileLoginRequest(ctx context.Context, obj any) (model.MobileLoginRequest, error) {
+	var it model.MobileLoginRequest
 	asMap := map[string]any{}
 	for k, v := range obj.(map[string]any) {
 		asMap[k] = v
 	}
 
-	fieldsInOrder := [...]string{"id", "event_name", "template", "subject", "design"}
+	fieldsInOrder := [...]string{"phone_number", "password", "roles", "scope", "state"}
 	for _, k := range fieldsInOrder {
 		v, ok := asMap[k]
 		if !ok {
 			continue
 		}
 		switch k {
-		case "id":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("id"))
-			data, err := ec.unmarshalNID2string(ctx, v)
+		case "phone_number":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("phone_number"))
+			data, err := ec.unmarshalNString2string(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.ID = data
-		case "event_name":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("event_name"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			it.PhoneNumber = data
+		case "password":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("password"))
+			data, err := ec.unmarshalNString2string(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.EventName = data
-		case "template":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("template"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			it.Password = data
+		case "roles":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("roles"))
+			data, err := ec.unmarshalOString2ᚕstringᚄ(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.Template = data
-		case "subject":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("subject"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			it.Roles = data
+		case "scope":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("scope"))
+			data, err := ec.unmarshalOString2ᚕstringᚄ(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.Subject = data
-		case "design":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("design"))
+			it.Scope = data
+		case "state":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("state"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.Design = data
+			it.State = data
 		}
 	}
 
 	return it, nil
 }
 
-func (ec *executionContext) unmarshalInputUpdateEnvRequest(ctx context.Context, obj any) (model.UpdateEnvRequest, error) {
-	var it model.UpdateEnvRequest
+func (ec *executionContext) unmarshalInputMobileSignUpRequest(ctx context.Context, obj any) (model.MobileSignUpRequest, error) {
+	var it model.MobileSignUpRequest
 	asMap := map[string]any{}
 	for k, v := range obj.(map[string]any) {
 		asMap[k] = v
 	}
 
-	fieldsInOrder := [...]string{"ACCESS_TOKEN_EXPIRY_TIME", "ADMIN_SECRET", "CUSTOM_ACCESS_TOKEN_SCRIPT", "OLD_ADMIN_SECRET", "SMTP_HOST", "SMTP_PORT", "SMTP_USERNAME", "SMTP_PASSWORD", "SMTP_LOCAL_NAME", "SENDER_EMAIL", "SENDER_NAME", "JWT_TYPE", "JWT_SECRET", "JWT_PRIVATE_KEY", "JWT_PUBLIC_KEY", "ALLOWED_ORIGINS", "APP_URL", "RESET_PASSWORD_URL", "APP_COOKIE_SECURE", "ADMIN_COOKIE_SECURE", "DISABLE_EMAIL_VERIFICATION", "DISABLE_BASIC_AUTHENTICATION", "DISABLE_MOBILE_BASIC_AUTHENTICATION", "DISABLE_MAGIC_LINK_LOGIN", "DISABLE_LOGIN_PAGE", "DISABLE_SIGN_UP", "DISABLE_REDIS_FOR_ENV", "DISABLE_STRONG_PASSWORD", "DISABLE_MULTI_FACTOR_AUTHENTICATION", "ENFORCE_MULTI_FACTOR_AUTHENTICATION", "ROLES", "PROTECTED_ROLES", "DEFAULT_ROLES", "JWT_ROLE_CLAIM", "GOOGLE_CLIENT_ID", "GOOGLE_CLIENT_SECRET", "GITHUB_CLIENT_ID", "GITHUB_CLIENT_SECRET", "FACEBOOK_CLIENT_ID", "FACEBOOK_CLIENT_SECRET", "LINKEDIN_CLIENT_ID", "LINKEDIN_CLIENT_SECRET", "APPLE_CLIENT_ID", "APPLE_CLIENT_SECRET", "DISCORD_CLIENT_ID", "DISCORD_CLIENT_SECRET", "TWITTER_CLIENT_ID", "TWITTER_CLIENT_SECRET", "MICROSOFT_CLIENT_ID", "MICROSOFT_CLIENT_SECRET", "MICROSOFT_ACTIVE_DIRECTORY_TENANT_ID", "TWITCH_CLIENT_ID", "TWITCH_CLIENT_SECRET", "ROBLOX_CLIENT_ID", "ROBLOX_CLIENT_SECRET", "ORGANIZATION_NAME", "ORGANIZATION_LOGO", "DEFAULT_AUTHORIZE_RESPONSE_TYPE", "DEFAULT_AUTHORIZE_RESPONSE_MODE", "DISABLE_PLAYGROUND", "DISABLE_MAIL_OTP_LOGIN", "DISABLE_TOTP_LOGIN"}
+	fieldsInOrder := [...]string{"email", "given_name", "family_name", "middle_name", "nickname", "gender", "birthdate", "phone_number", "picture", "password", "confirm_password", "roles", "scope", "redirect_uri", "is_multi_factor_auth_enabled", "state", "app_data"}
 	for _, k := range fieldsInOrder {
 		v, ok := asMap[k]
 		if !ok {
 			continue
 		}
 		switch k {
-		case "ACCESS_TOKEN_EXPIRY_TIME":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("ACCESS_TOKEN_EXPIRY_TIME"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.AccessTokenExpiryTime = data
-		case "ADMIN_SECRET":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("ADMIN_SECRET"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.AdminSecret = data
-		case "CUSTOM_ACCESS_TOKEN_SCRIPT":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("CUSTOM_ACCESS_TOKEN_SCRIPT"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.CustomAccessTokenScript = data
-		case "OLD_ADMIN_SECRET":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("OLD_ADMIN_SECRET"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.OldAdminSecret = data
-		case "SMTP_HOST":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("SMTP_HOST"))
+		case "email":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("email"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.SMTPHost = data
-		case "SMTP_PORT":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("SMTP_PORT"))
+			it.Email = data
+		case "given_name":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("given_name"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.SMTPPort = data
-		case "SMTP_USERNAME":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("SMTP_USERNAME"))
+			it.GivenName = data
+		case "family_name":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("family_name"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.SMTPUsername = data
-		case "SMTP_PASSWORD":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("SMTP_PASSWORD"))
+			it.FamilyName = data
+		case "middle_name":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("middle_name"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.SMTPPassword = data
-		case "SMTP_LOCAL_NAME":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("SMTP_LOCAL_NAME"))
+			it.MiddleName = data
+		case "nickname":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("nickname"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.SMTPLocalName = data
-		case "SENDER_EMAIL":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("SENDER_EMAIL"))
+			it.Nickname = data
+		case "gender":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("gender"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.SenderEmail = data
-		case "SENDER_NAME":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("SENDER_NAME"))
+			it.Gender = data
+		case "birthdate":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("birthdate"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.SenderName = data
-		case "JWT_TYPE":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("JWT_TYPE"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			it.Birthdate = data
+		case "phone_number":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("phone_number"))
+			data, err := ec.unmarshalNString2string(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.JwtType = data
-		case "JWT_SECRET":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("JWT_SECRET"))
+			it.PhoneNumber = data
+		case "picture":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("picture"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.JwtSecret = data
-		case "JWT_PRIVATE_KEY":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("JWT_PRIVATE_KEY"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			it.Picture = data
+		case "password":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("password"))
+			data, err := ec.unmarshalNString2string(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.JwtPrivateKey = data
-		case "JWT_PUBLIC_KEY":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("JWT_PUBLIC_KEY"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			it.Password = data
+		case "confirm_password":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("confirm_password"))
+			data, err := ec.unmarshalNString2string(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.JwtPublicKey = data
-		case "ALLOWED_ORIGINS":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("ALLOWED_ORIGINS"))
+			it.ConfirmPassword = data
+		case "roles":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("roles"))
 			data, err := ec.unmarshalOString2ᚕstringᚄ(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.AllowedOrigins = data
-		case "APP_URL":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("APP_URL"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			it.Roles = data
+		case "scope":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("scope"))
+			data, err := ec.unmarshalOString2ᚕstringᚄ(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.AppURL = data
-		case "RESET_PASSWORD_URL":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("RESET_PASSWORD_URL"))
+			it.Scope = data
+		case "redirect_uri":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("redirect_uri"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.ResetPasswordURL = data
-		case "APP_COOKIE_SECURE":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("APP_COOKIE_SECURE"))
+			it.RedirectURI = data
+		case "is_multi_factor_auth_enabled":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("is_multi_factor_auth_enabled"))
 			data, err := ec.unmarshalOBoolean2ᚖbool(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.AppCookieSecure = data
-		case "ADMIN_COOKIE_SECURE":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("ADMIN_COOKIE_SECURE"))
-			data, err := ec.unmarshalOBoolean2ᚖbool(ctx, v)
+			it.IsMultiFactorAuthEnabled = data
+		case "state":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("state"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.AdminCookieSecure = data
-		case "DISABLE_EMAIL_VERIFICATION":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("DISABLE_EMAIL_VERIFICATION"))
-			data, err := ec.unmarshalOBoolean2ᚖbool(ctx, v)
+			it.State = data
+		case "app_data":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("app_data"))
+			data, err := ec.unmarshalOMap2map(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.DisableEmailVerification = data
-		case "DISABLE_BASIC_AUTHENTICATION":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("DISABLE_BASIC_AUTHENTICATION"))
-			data, err := ec.unmarshalOBoolean2ᚖbool(ctx, v)
+			it.AppData = data
+		}
+	}
+
+	return it, nil
+}
+
+func (ec *executionContext) unmarshalInputOAuthRevokeRequest(ctx context.Context, obj any) (model.OAuthRevokeRequest, error) {
+	var it model.OAuthRevokeRequest
+	asMap := map[string]any{}
+	for k, v := range obj.(map[string]any) {
+		asMap[k] = v
+	}
+
+	fieldsInOrder := [...]string{"refresh_token"}
+	for _, k := range fieldsInOrder {
+		v, ok := asMap[k]
+		if !ok {
+			continue
+		}
+		switch k {
+		case "refresh_token":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("refresh_token"))
+			data, err := ec.unmarshalNString2string(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.DisableBasicAuthentication = data
-		case "DISABLE_MOBILE_BASIC_AUTHENTICATION":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("DISABLE_MOBILE_BASIC_AUTHENTICATION"))
-			data, err := ec.unmarshalOBoolean2ᚖbool(ctx, v)
+			it.RefreshToken = data
+		}
+	}
+
+	return it, nil
+}
+
+func (ec *executionContext) unmarshalInputPaginatedRequest(ctx context.Context, obj any) (model.PaginatedRequest, error) {
+	var it model.PaginatedRequest
+	asMap := map[string]any{}
+	for k, v := range obj.(map[string]any) {
+		asMap[k] = v
+	}
+
+	fieldsInOrder := [...]string{"pagination"}
+	for _, k := range fieldsInOrder {
+		v, ok := asMap[k]
+		if !ok {
+			continue
+		}
+		switch k {
+		case "pagination":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("pagination"))
+			data, err := ec.unmarshalOPaginationRequest2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPaginationRequest(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.DisableMobileBasicAuthentication = data
-		case "DISABLE_MAGIC_LINK_LOGIN":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("DISABLE_MAGIC_LINK_LOGIN"))
-			data, err := ec.unmarshalOBoolean2ᚖbool(ctx, v)
+			it.Pagination = data
+		}
+	}
+
+	return it, nil
+}
+
+func (ec *executionContext) unmarshalInputPaginationRequest(ctx context.Context, obj any) (model.PaginationRequest, error) {
+	var it model.PaginationRequest
+	asMap := map[string]any{}
+	for k, v := range obj.(map[string]any) {
+		asMap[k] = v
+	}
+
+	fieldsInOrder := [...]string{"limit", "page"}
+	for _, k := range fieldsInOrder {
+		v, ok := asMap[k]
+		if !ok {
+			continue
+		}
+		switch k {
+		case "limit":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("limit"))
+			data, err := ec.unmarshalOInt642ᚖint64(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.DisableMagicLinkLogin = data
-		case "DISABLE_LOGIN_PAGE":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("DISABLE_LOGIN_PAGE"))
-			data, err := ec.unmarshalOBoolean2ᚖbool(ctx, v)
+			it.Limit = data
+		case "page":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("page"))
+			data, err := ec.unmarshalOInt642ᚖint64(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.DisableLoginPage = data
-		case "DISABLE_SIGN_UP":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("DISABLE_SIGN_UP"))
-			data, err := ec.unmarshalOBoolean2ᚖbool(ctx, v)
+			it.Page = data
+		}
+	}
+
+	return it, nil
+}
+
+func (ec *executionContext) unmarshalInputResendOTPRequest(ctx context.Context, obj any) (model.ResendOTPRequest, error) {
+	var it model.ResendOTPRequest
+	asMap := map[string]any{}
+	for k, v := range obj.(map[string]any) {
+		asMap[k] = v
+	}
+
+	fieldsInOrder := [...]string{"email", "phone_number", "state"}
+	for _, k := range fieldsInOrder {
+		v, ok := asMap[k]
+		if !ok {
+			continue
+		}
+		switch k {
+		case "email":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("email"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.DisableSignUp = data
-		case "DISABLE_REDIS_FOR_ENV":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("DISABLE_REDIS_FOR_ENV"))
-			data, err := ec.unmarshalOBoolean2ᚖbool(ctx, v)
+			it.Email = data
+		case "phone_number":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("phone_number"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.DisableRedisForEnv = data
-		case "DISABLE_STRONG_PASSWORD":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("DISABLE_STRONG_PASSWORD"))
-			data, err := ec.unmarshalOBoolean2ᚖbool(ctx, v)
+			it.PhoneNumber = data
+		case "state":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("state"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.DisableStrongPassword = data
-		case "DISABLE_MULTI_FACTOR_AUTHENTICATION":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("DISABLE_MULTI_FACTOR_AUTHENTICATION"))
-			data, err := ec.unmarshalOBoolean2ᚖbool(ctx, v)
+			it.State = data
+		}
+	}
+
+	return it, nil
+}
+
+func (ec *executionContext) unmarshalInputResendVerifyEmailRequest(ctx context.Context, obj any) (model.ResendVerifyEmailRequest, error) {
+	var it model.ResendVerifyEmailRequest
+	asMap := map[string]any{}
+	for k, v := range obj.(map[string]any) {
+		asMap[k] = v
+	}
+
+	fieldsInOrder := [...]string{"email", "identifier", "state"}
+	for _, k := range fieldsInOrder {
+		v, ok := asMap[k]
+		if !ok {
+			continue
+		}
+		switch k {
+		case "email":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("email"))
+			data, err := ec.unmarshalNString2string(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.DisableMultiFactorAuthentication = data
-		case "ENFORCE_MULTI_FACTOR_AUTHENTICATION":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("ENFORCE_MULTI_FACTOR_AUTHENTICATION"))
-			data, err := ec.unmarshalOBoolean2ᚖbool(ctx, v)
+			it.Email = data
+		case "identifier":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("identifier"))
+			data, err := ec.unmarshalNString2string(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.EnforceMultiFactorAuthentication = data
-		case "ROLES":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("ROLES"))
-			data, err := ec.unmarshalOString2ᚕstringᚄ(ctx, v)
+			it.Identifier = data
+		case "state":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("state"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.Roles = data
-		case "PROTECTED_ROLES":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("PROTECTED_ROLES"))
-			data, err := ec.unmarshalOString2ᚕstringᚄ(ctx, v)
+			it.State = data
+		}
+	}
+
+	return it, nil
+}
+
+func (ec *executionContext) unmarshalInputResetPasswordRequest(ctx context.Context, obj any) (model.ResetPasswordRequest, error) {
+	var it model.ResetPasswordRequest
+	asMap := map[string]any{}
+	for k, v := range obj.(map[string]any) {
+		asMap[k] = v
+	}
+
+	fieldsInOrder := [...]string{"token", "otp", "phone_number", "password", "confirm_password"}
+	for _, k := range fieldsInOrder {
+		v, ok := asMap[k]
+		if !ok {
+			continue
+		}
+		switch k {
+		case "token":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("token"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.ProtectedRoles = data
-		case "DEFAULT_ROLES":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("DEFAULT_ROLES"))
-			data, err := ec.unmarshalOString2ᚕstringᚄ(ctx, v)
+			it.Token = data
+		case "otp":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("otp"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.DefaultRoles = data
-		case "JWT_ROLE_CLAIM":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("JWT_ROLE_CLAIM"))
+			it.Otp = data
+		case "phone_number":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("phone_number"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.JwtRoleClaim = data
-		case "GOOGLE_CLIENT_ID":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("GOOGLE_CLIENT_ID"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			it.PhoneNumber = data
+		case "password":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("password"))
+			data, err := ec.unmarshalNString2string(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.GoogleClientID = data
-		case "GOOGLE_CLIENT_SECRET":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("GOOGLE_CLIENT_SECRET"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			it.Password = data
+		case "confirm_password":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("confirm_password"))
+			data, err := ec.unmarshalNString2string(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.GoogleClientSecret = data
-		case "GITHUB_CLIENT_ID":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("GITHUB_CLIENT_ID"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			it.ConfirmPassword = data
+		}
+	}
+
+	return it, nil
+}
+
+func (ec *executionContext) unmarshalInputSessionQueryRequest(ctx context.Context, obj any) (model.SessionQueryRequest, error) {
+	var it model.SessionQueryRequest
+	asMap := map[string]any{}
+	for k, v := range obj.(map[string]any) {
+		asMap[k] = v
+	}
+
+	fieldsInOrder := [...]string{"roles", "scope", "state", "required_relations"}
+	for _, k := range fieldsInOrder {
+		v, ok := asMap[k]
+		if !ok {
+			continue
+		}
+		switch k {
+		case "roles":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("roles"))
+			data, err := ec.unmarshalOString2ᚕstringᚄ(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.GithubClientID = data
-		case "GITHUB_CLIENT_SECRET":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("GITHUB_CLIENT_SECRET"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			it.Roles = data
+		case "scope":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("scope"))
+			data, err := ec.unmarshalOString2ᚕstringᚄ(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.GithubClientSecret = data
-		case "FACEBOOK_CLIENT_ID":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("FACEBOOK_CLIENT_ID"))
+			it.Scope = data
+		case "state":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("state"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.FacebookClientID = data
-		case "FACEBOOK_CLIENT_SECRET":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("FACEBOOK_CLIENT_SECRET"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			it.State = data
+		case "required_relations":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("required_relations"))
+			data, err := ec.unmarshalOFgaRelationInput2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaRelationInputᚄ(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.FacebookClientSecret = data
-		case "LINKEDIN_CLIENT_ID":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("LINKEDIN_CLIENT_ID"))
+			it.RequiredRelations = data
+		}
+	}
+
+	return it, nil
+}
+
+func (ec *executionContext) unmarshalInputSignUpRequest(ctx context.Context, obj any) (model.SignUpRequest, error) {
+	var it model.SignUpRequest
+	asMap := map[string]any{}
+	for k, v := range obj.(map[string]any) {
+		asMap[k] = v
+	}
+
+	fieldsInOrder := [...]string{"email", "given_name", "family_name", "middle_name", "nickname", "gender", "birthdate", "phone_number", "picture", "password", "confirm_password", "roles", "scope", "redirect_uri", "is_multi_factor_auth_enabled", "state", "app_data"}
+	for _, k := range fieldsInOrder {
+		v, ok := asMap[k]
+		if !ok {
+			continue
+		}
+		switch k {
+		case "email":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("email"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.LinkedinClientID = data
-		case "LINKEDIN_CLIENT_SECRET":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("LINKEDIN_CLIENT_SECRET"))
+			it.Email = data
+		case "given_name":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("given_name"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.LinkedinClientSecret = data
-		case "APPLE_CLIENT_ID":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("APPLE_CLIENT_ID"))
+			it.GivenName = data
+		case "family_name":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("family_name"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.AppleClientID = data
-		case "APPLE_CLIENT_SECRET":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("APPLE_CLIENT_SECRET"))
+			it.FamilyName = data
+		case "middle_name":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("middle_name"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.AppleClientSecret = data
-		case "DISCORD_CLIENT_ID":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("DISCORD_CLIENT_ID"))
+			it.MiddleName = data
+		case "nickname":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("nickname"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.DiscordClientID = data
-		case "DISCORD_CLIENT_SECRET":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("DISCORD_CLIENT_SECRET"))
+			it.Nickname = data
+		case "gender":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("gender"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.DiscordClientSecret = data
-		case "TWITTER_CLIENT_ID":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("TWITTER_CLIENT_ID"))
+			it.Gender = data
+		case "birthdate":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("birthdate"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.TwitterClientID = data
-		case "TWITTER_CLIENT_SECRET":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("TWITTER_CLIENT_SECRET"))
+			it.Birthdate = data
+		case "phone_number":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("phone_number"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.TwitterClientSecret = data
-		case "MICROSOFT_CLIENT_ID":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("MICROSOFT_CLIENT_ID"))
+			it.PhoneNumber = data
+		case "picture":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("picture"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.MicrosoftClientID = data
-		case "MICROSOFT_CLIENT_SECRET":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("MICROSOFT_CLIENT_SECRET"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			it.Picture = data
+		case "password":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("password"))
+			data, err := ec.unmarshalNString2string(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.MicrosoftClientSecret = data
-		case "MICROSOFT_ACTIVE_DIRECTORY_TENANT_ID":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("MICROSOFT_ACTIVE_DIRECTORY_TENANT_ID"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			it.Password = data
+		case "confirm_password":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("confirm_password"))
+			data, err := ec.unmarshalNString2string(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.MicrosoftActiveDirectoryTenantID = data
-		case "TWITCH_CLIENT_ID":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("TWITCH_CLIENT_ID"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			it.ConfirmPassword = data
+		case "roles":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("roles"))
+			data, err := ec.unmarshalOString2ᚕstringᚄ(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.TwitchClientID = data
-		case "TWITCH_CLIENT_SECRET":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("TWITCH_CLIENT_SECRET"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			it.Roles = data
+		case "scope":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("scope"))
+			data, err := ec.unmarshalOString2ᚕstringᚄ(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.TwitchClientSecret = data
-		case "ROBLOX_CLIENT_ID":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("ROBLOX_CLIENT_ID"))
+			it.Scope = data
+		case "redirect_uri":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("redirect_uri"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.RobloxClientID = data
-		case "ROBLOX_CLIENT_SECRET":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("ROBLOX_CLIENT_SECRET"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			it.RedirectURI = data
+		case "is_multi_factor_auth_enabled":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("is_multi_factor_auth_enabled"))
+			data, err := ec.unmarshalOBoolean2ᚖbool(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.RobloxClientSecret = data
-		case "ORGANIZATION_NAME":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("ORGANIZATION_NAME"))
+			it.IsMultiFactorAuthEnabled = data
+		case "state":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("state"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.OrganizationName = data
-		case "ORGANIZATION_LOGO":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("ORGANIZATION_LOGO"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			it.State = data
+		case "app_data":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("app_data"))
+			data, err := ec.unmarshalOMap2map(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.OrganizationLogo = data
-		case "DEFAULT_AUTHORIZE_RESPONSE_TYPE":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("DEFAULT_AUTHORIZE_RESPONSE_TYPE"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			it.AppData = data
+		}
+	}
+
+	return it, nil
+}
+
+func (ec *executionContext) unmarshalInputTestEndpointRequest(ctx context.Context, obj any) (model.TestEndpointRequest, error) {
+	var it model.TestEndpointRequest
+	asMap := map[string]any{}
+	for k, v := range obj.(map[string]any) {
+		asMap[k] = v
+	}
+
+	fieldsInOrder := [...]string{"endpoint", "event_name", "event_description", "headers"}
+	for _, k := range fieldsInOrder {
+		v, ok := asMap[k]
+		if !ok {
+			continue
+		}
+		switch k {
+		case "endpoint":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("endpoint"))
+			data, err := ec.unmarshalNString2string(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.DefaultAuthorizeResponseType = data
-		case "DEFAULT_AUTHORIZE_RESPONSE_MODE":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("DEFAULT_AUTHORIZE_RESPONSE_MODE"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			it.Endpoint = data
+		case "event_name":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("event_name"))
+			data, err := ec.unmarshalNString2string(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.DefaultAuthorizeResponseMode = data
-		case "DISABLE_PLAYGROUND":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("DISABLE_PLAYGROUND"))
-			data, err := ec.unmarshalOBoolean2ᚖbool(ctx, v)
+			it.EventName = data
+		case "event_description":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("event_description"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.DisablePlayground = data
-		case "DISABLE_MAIL_OTP_LOGIN":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("DISABLE_MAIL_OTP_LOGIN"))
-			data, err := ec.unmarshalOBoolean2ᚖbool(ctx, v)
+			it.EventDescription = data
+		case "headers":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("headers"))
+			data, err := ec.unmarshalOMap2map(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.DisableMailOtpLogin = data
-		case "DISABLE_TOTP_LOGIN":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("DISABLE_TOTP_LOGIN"))
-			data, err := ec.unmarshalOBoolean2ᚖbool(ctx, v)
+			it.Headers = data
+		}
+	}
+
+	return it, nil
+}
+
+func (ec *executionContext) unmarshalInputUpdateAccessRequest(ctx context.Context, obj any) (model.UpdateAccessRequest, error) {
+	var it model.UpdateAccessRequest
+	asMap := map[string]any{}
+	for k, v := range obj.(map[string]any) {
+		asMap[k] = v
+	}
+
+	fieldsInOrder := [...]string{"user_id"}
+	for _, k := range fieldsInOrder {
+		v, ok := asMap[k]
+		if !ok {
+			continue
+		}
+		switch k {
+		case "user_id":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("user_id"))
+			data, err := ec.unmarshalNString2string(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.DisableTotpLogin = data
+			it.UserID = data
 		}
 	}
 
 	return it, nil
 }
 
-func (ec *executionContext) unmarshalInputUpdatePermissionInput(ctx context.Context, obj any) (model.UpdatePermissionInput, error) {
-	var it model.UpdatePermissionInput
+func (ec *executionContext) unmarshalInputUpdateEmailTemplateRequest(ctx context.Context, obj any) (model.UpdateEmailTemplateRequest, error) {
+	var it model.UpdateEmailTemplateRequest
 	asMap := map[string]any{}
 	for k, v := range obj.(map[string]any) {
 		asMap[k] = v
 	}
 
-	fieldsInOrder := [...]string{"id", "name", "description", "scope_ids", "policy_ids", "decision_strategy"}
+	fieldsInOrder := [...]string{"id", "event_name", "template", "subject", "design"}
 	for _, k := range fieldsInOrder {
 		v, ok := asMap[k]
 		if !ok {
@@ -24670,640 +21417,578 @@ func (ec *executionContext) unmarshalInputUpdatePermissionInput(ctx context.Cont
 				return it, err
 			}
 			it.ID = data
-		case "name":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("name"))
+		case "event_name":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("event_name"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.Name = data
-		case "description":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("description"))
+			it.EventName = data
+		case "template":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("template"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.Description = data
-		case "scope_ids":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("scope_ids"))
-			data, err := ec.unmarshalOID2ᚕstringᚄ(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.ScopeIds = data
-		case "policy_ids":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("policy_ids"))
-			data, err := ec.unmarshalOID2ᚕstringᚄ(ctx, v)
+			it.Template = data
+		case "subject":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("subject"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.PolicyIds = data
-		case "decision_strategy":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("decision_strategy"))
+			it.Subject = data
+		case "design":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("design"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.DecisionStrategy = data
+			it.Design = data
 		}
 	}
 
 	return it, nil
 }
 
-func (ec *executionContext) unmarshalInputUpdatePolicyInput(ctx context.Context, obj any) (model.UpdatePolicyInput, error) {
-	var it model.UpdatePolicyInput
+func (ec *executionContext) unmarshalInputUpdateEnvRequest(ctx context.Context, obj any) (model.UpdateEnvRequest, error) {
+	var it model.UpdateEnvRequest
 	asMap := map[string]any{}
 	for k, v := range obj.(map[string]any) {
 		asMap[k] = v
 	}
 
-	fieldsInOrder := [...]string{"id", "name", "description", "logic", "decision_strategy", "targets"}
+	fieldsInOrder := [...]string{"ACCESS_TOKEN_EXPIRY_TIME", "ADMIN_SECRET", "CUSTOM_ACCESS_TOKEN_SCRIPT", "OLD_ADMIN_SECRET", "SMTP_HOST", "SMTP_PORT", "SMTP_USERNAME", "SMTP_PASSWORD", "SMTP_LOCAL_NAME", "SENDER_EMAIL", "SENDER_NAME", "JWT_TYPE", "JWT_SECRET", "JWT_PRIVATE_KEY", "JWT_PUBLIC_KEY", "ALLOWED_ORIGINS", "APP_URL", "RESET_PASSWORD_URL", "APP_COOKIE_SECURE", "ADMIN_COOKIE_SECURE", "DISABLE_EMAIL_VERIFICATION", "DISABLE_BASIC_AUTHENTICATION", "DISABLE_MOBILE_BASIC_AUTHENTICATION", "DISABLE_MAGIC_LINK_LOGIN", "DISABLE_LOGIN_PAGE", "DISABLE_SIGN_UP", "DISABLE_REDIS_FOR_ENV", "DISABLE_STRONG_PASSWORD", "DISABLE_MULTI_FACTOR_AUTHENTICATION", "ENFORCE_MULTI_FACTOR_AUTHENTICATION", "ROLES", "PROTECTED_ROLES", "DEFAULT_ROLES", "JWT_ROLE_CLAIM", "GOOGLE_CLIENT_ID", "GOOGLE_CLIENT_SECRET", "GITHUB_CLIENT_ID", "GITHUB_CLIENT_SECRET", "FACEBOOK_CLIENT_ID", "FACEBOOK_CLIENT_SECRET", "LINKEDIN_CLIENT_ID", "LINKEDIN_CLIENT_SECRET", "APPLE_CLIENT_ID", "APPLE_CLIENT_SECRET", "DISCORD_CLIENT_ID", "DISCORD_CLIENT_SECRET", "TWITTER_CLIENT_ID", "TWITTER_CLIENT_SECRET", "MICROSOFT_CLIENT_ID", "MICROSOFT_CLIENT_SECRET", "MICROSOFT_ACTIVE_DIRECTORY_TENANT_ID", "TWITCH_CLIENT_ID", "TWITCH_CLIENT_SECRET", "ROBLOX_CLIENT_ID", "ROBLOX_CLIENT_SECRET", "ORGANIZATION_NAME", "ORGANIZATION_LOGO", "DEFAULT_AUTHORIZE_RESPONSE_TYPE", "DEFAULT_AUTHORIZE_RESPONSE_MODE", "DISABLE_PLAYGROUND", "DISABLE_MAIL_OTP_LOGIN", "DISABLE_TOTP_LOGIN"}
 	for _, k := range fieldsInOrder {
 		v, ok := asMap[k]
 		if !ok {
 			continue
 		}
 		switch k {
-		case "id":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("id"))
-			data, err := ec.unmarshalNID2string(ctx, v)
+		case "ACCESS_TOKEN_EXPIRY_TIME":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("ACCESS_TOKEN_EXPIRY_TIME"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.AccessTokenExpiryTime = data
+		case "ADMIN_SECRET":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("ADMIN_SECRET"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.AdminSecret = data
+		case "CUSTOM_ACCESS_TOKEN_SCRIPT":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("CUSTOM_ACCESS_TOKEN_SCRIPT"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.CustomAccessTokenScript = data
+		case "OLD_ADMIN_SECRET":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("OLD_ADMIN_SECRET"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.OldAdminSecret = data
+		case "SMTP_HOST":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("SMTP_HOST"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.SMTPHost = data
+		case "SMTP_PORT":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("SMTP_PORT"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.SMTPPort = data
+		case "SMTP_USERNAME":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("SMTP_USERNAME"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.SMTPUsername = data
+		case "SMTP_PASSWORD":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("SMTP_PASSWORD"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.SMTPPassword = data
+		case "SMTP_LOCAL_NAME":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("SMTP_LOCAL_NAME"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.SMTPLocalName = data
+		case "SENDER_EMAIL":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("SENDER_EMAIL"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.SenderEmail = data
+		case "SENDER_NAME":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("SENDER_NAME"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.SenderName = data
+		case "JWT_TYPE":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("JWT_TYPE"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.JwtType = data
+		case "JWT_SECRET":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("JWT_SECRET"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.JwtSecret = data
+		case "JWT_PRIVATE_KEY":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("JWT_PRIVATE_KEY"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.ID = data
-		case "name":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("name"))
+			it.JwtPrivateKey = data
+		case "JWT_PUBLIC_KEY":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("JWT_PUBLIC_KEY"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.Name = data
-		case "description":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("description"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			it.JwtPublicKey = data
+		case "ALLOWED_ORIGINS":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("ALLOWED_ORIGINS"))
+			data, err := ec.unmarshalOString2ᚕstringᚄ(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.Description = data
-		case "logic":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("logic"))
+			it.AllowedOrigins = data
+		case "APP_URL":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("APP_URL"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.Logic = data
-		case "decision_strategy":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("decision_strategy"))
+			it.AppURL = data
+		case "RESET_PASSWORD_URL":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("RESET_PASSWORD_URL"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.DecisionStrategy = data
-		case "targets":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("targets"))
-			data, err := ec.unmarshalOPolicyTargetInput2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPolicyTargetInputᚄ(ctx, v)
+			it.ResetPasswordURL = data
+		case "APP_COOKIE_SECURE":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("APP_COOKIE_SECURE"))
+			data, err := ec.unmarshalOBoolean2ᚖbool(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.Targets = data
-		}
-	}
-
-	return it, nil
-}
-
-func (ec *executionContext) unmarshalInputUpdateProfileRequest(ctx context.Context, obj any) (model.UpdateProfileRequest, error) {
-	var it model.UpdateProfileRequest
-	asMap := map[string]any{}
-	for k, v := range obj.(map[string]any) {
-		asMap[k] = v
-	}
-
-	fieldsInOrder := [...]string{"old_password", "new_password", "confirm_new_password", "email", "given_name", "family_name", "middle_name", "nickname", "gender", "birthdate", "phone_number", "picture", "is_multi_factor_auth_enabled", "app_data"}
-	for _, k := range fieldsInOrder {
-		v, ok := asMap[k]
-		if !ok {
-			continue
-		}
-		switch k {
-		case "old_password":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("old_password"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			it.AppCookieSecure = data
+		case "ADMIN_COOKIE_SECURE":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("ADMIN_COOKIE_SECURE"))
+			data, err := ec.unmarshalOBoolean2ᚖbool(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.OldPassword = data
-		case "new_password":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("new_password"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			it.AdminCookieSecure = data
+		case "DISABLE_EMAIL_VERIFICATION":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("DISABLE_EMAIL_VERIFICATION"))
+			data, err := ec.unmarshalOBoolean2ᚖbool(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.NewPassword = data
-		case "confirm_new_password":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("confirm_new_password"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			it.DisableEmailVerification = data
+		case "DISABLE_BASIC_AUTHENTICATION":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("DISABLE_BASIC_AUTHENTICATION"))
+			data, err := ec.unmarshalOBoolean2ᚖbool(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.ConfirmNewPassword = data
-		case "email":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("email"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			it.DisableBasicAuthentication = data
+		case "DISABLE_MOBILE_BASIC_AUTHENTICATION":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("DISABLE_MOBILE_BASIC_AUTHENTICATION"))
+			data, err := ec.unmarshalOBoolean2ᚖbool(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.Email = data
-		case "given_name":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("given_name"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			it.DisableMobileBasicAuthentication = data
+		case "DISABLE_MAGIC_LINK_LOGIN":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("DISABLE_MAGIC_LINK_LOGIN"))
+			data, err := ec.unmarshalOBoolean2ᚖbool(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.GivenName = data
-		case "family_name":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("family_name"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			it.DisableMagicLinkLogin = data
+		case "DISABLE_LOGIN_PAGE":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("DISABLE_LOGIN_PAGE"))
+			data, err := ec.unmarshalOBoolean2ᚖbool(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.FamilyName = data
-		case "middle_name":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("middle_name"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			it.DisableLoginPage = data
+		case "DISABLE_SIGN_UP":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("DISABLE_SIGN_UP"))
+			data, err := ec.unmarshalOBoolean2ᚖbool(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.MiddleName = data
-		case "nickname":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("nickname"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			it.DisableSignUp = data
+		case "DISABLE_REDIS_FOR_ENV":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("DISABLE_REDIS_FOR_ENV"))
+			data, err := ec.unmarshalOBoolean2ᚖbool(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.Nickname = data
-		case "gender":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("gender"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			it.DisableRedisForEnv = data
+		case "DISABLE_STRONG_PASSWORD":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("DISABLE_STRONG_PASSWORD"))
+			data, err := ec.unmarshalOBoolean2ᚖbool(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.Gender = data
-		case "birthdate":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("birthdate"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			it.DisableStrongPassword = data
+		case "DISABLE_MULTI_FACTOR_AUTHENTICATION":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("DISABLE_MULTI_FACTOR_AUTHENTICATION"))
+			data, err := ec.unmarshalOBoolean2ᚖbool(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.Birthdate = data
-		case "phone_number":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("phone_number"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			it.DisableMultiFactorAuthentication = data
+		case "ENFORCE_MULTI_FACTOR_AUTHENTICATION":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("ENFORCE_MULTI_FACTOR_AUTHENTICATION"))
+			data, err := ec.unmarshalOBoolean2ᚖbool(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.PhoneNumber = data
-		case "picture":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("picture"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			it.EnforceMultiFactorAuthentication = data
+		case "ROLES":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("ROLES"))
+			data, err := ec.unmarshalOString2ᚕstringᚄ(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.Picture = data
-		case "is_multi_factor_auth_enabled":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("is_multi_factor_auth_enabled"))
-			data, err := ec.unmarshalOBoolean2ᚖbool(ctx, v)
+			it.Roles = data
+		case "PROTECTED_ROLES":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("PROTECTED_ROLES"))
+			data, err := ec.unmarshalOString2ᚕstringᚄ(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.IsMultiFactorAuthEnabled = data
-		case "app_data":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("app_data"))
-			data, err := ec.unmarshalOMap2map(ctx, v)
+			it.ProtectedRoles = data
+		case "DEFAULT_ROLES":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("DEFAULT_ROLES"))
+			data, err := ec.unmarshalOString2ᚕstringᚄ(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.AppData = data
-		}
-	}
-
-	return it, nil
-}
-
-func (ec *executionContext) unmarshalInputUpdateResourceInput(ctx context.Context, obj any) (model.UpdateResourceInput, error) {
-	var it model.UpdateResourceInput
-	asMap := map[string]any{}
-	for k, v := range obj.(map[string]any) {
-		asMap[k] = v
-	}
-
-	fieldsInOrder := [...]string{"id", "name", "description"}
-	for _, k := range fieldsInOrder {
-		v, ok := asMap[k]
-		if !ok {
-			continue
-		}
-		switch k {
-		case "id":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("id"))
-			data, err := ec.unmarshalNID2string(ctx, v)
+			it.DefaultRoles = data
+		case "JWT_ROLE_CLAIM":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("JWT_ROLE_CLAIM"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.ID = data
-		case "name":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("name"))
+			it.JwtRoleClaim = data
+		case "GOOGLE_CLIENT_ID":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("GOOGLE_CLIENT_ID"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.Name = data
-		case "description":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("description"))
+			it.GoogleClientID = data
+		case "GOOGLE_CLIENT_SECRET":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("GOOGLE_CLIENT_SECRET"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.Description = data
-		}
-	}
-
-	return it, nil
-}
-
-func (ec *executionContext) unmarshalInputUpdateScopeInput(ctx context.Context, obj any) (model.UpdateScopeInput, error) {
-	var it model.UpdateScopeInput
-	asMap := map[string]any{}
-	for k, v := range obj.(map[string]any) {
-		asMap[k] = v
-	}
-
-	fieldsInOrder := [...]string{"id", "name", "description"}
-	for _, k := range fieldsInOrder {
-		v, ok := asMap[k]
-		if !ok {
-			continue
-		}
-		switch k {
-		case "id":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("id"))
-			data, err := ec.unmarshalNID2string(ctx, v)
+			it.GoogleClientSecret = data
+		case "GITHUB_CLIENT_ID":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("GITHUB_CLIENT_ID"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.ID = data
-		case "name":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("name"))
+			it.GithubClientID = data
+		case "GITHUB_CLIENT_SECRET":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("GITHUB_CLIENT_SECRET"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.Name = data
-		case "description":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("description"))
+			it.GithubClientSecret = data
+		case "FACEBOOK_CLIENT_ID":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("FACEBOOK_CLIENT_ID"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.Description = data
-		}
-	}
-
-	return it, nil
-}
-
-func (ec *executionContext) unmarshalInputUpdateUserRequest(ctx context.Context, obj any) (model.UpdateUserRequest, error) {
-	var it model.UpdateUserRequest
-	asMap := map[string]any{}
-	for k, v := range obj.(map[string]any) {
-		asMap[k] = v
-	}
-
-	fieldsInOrder := [...]string{"id", "email", "email_verified", "given_name", "family_name", "middle_name", "nickname", "gender", "birthdate", "phone_number", "phone_number_verified", "picture", "roles", "is_multi_factor_auth_enabled", "app_data"}
-	for _, k := range fieldsInOrder {
-		v, ok := asMap[k]
-		if !ok {
-			continue
-		}
-		switch k {
-		case "id":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("id"))
-			data, err := ec.unmarshalNID2string(ctx, v)
+			it.FacebookClientID = data
+		case "FACEBOOK_CLIENT_SECRET":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("FACEBOOK_CLIENT_SECRET"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.FacebookClientSecret = data
+		case "LINKEDIN_CLIENT_ID":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("LINKEDIN_CLIENT_ID"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.LinkedinClientID = data
+		case "LINKEDIN_CLIENT_SECRET":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("LINKEDIN_CLIENT_SECRET"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.ID = data
-		case "email":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("email"))
+			it.LinkedinClientSecret = data
+		case "APPLE_CLIENT_ID":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("APPLE_CLIENT_ID"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.Email = data
-		case "email_verified":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("email_verified"))
-			data, err := ec.unmarshalOBoolean2ᚖbool(ctx, v)
+			it.AppleClientID = data
+		case "APPLE_CLIENT_SECRET":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("APPLE_CLIENT_SECRET"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.EmailVerified = data
-		case "given_name":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("given_name"))
+			it.AppleClientSecret = data
+		case "DISCORD_CLIENT_ID":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("DISCORD_CLIENT_ID"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.GivenName = data
-		case "family_name":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("family_name"))
+			it.DiscordClientID = data
+		case "DISCORD_CLIENT_SECRET":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("DISCORD_CLIENT_SECRET"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.FamilyName = data
-		case "middle_name":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("middle_name"))
+			it.DiscordClientSecret = data
+		case "TWITTER_CLIENT_ID":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("TWITTER_CLIENT_ID"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.MiddleName = data
-		case "nickname":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("nickname"))
+			it.TwitterClientID = data
+		case "TWITTER_CLIENT_SECRET":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("TWITTER_CLIENT_SECRET"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.Nickname = data
-		case "gender":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("gender"))
+			it.TwitterClientSecret = data
+		case "MICROSOFT_CLIENT_ID":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("MICROSOFT_CLIENT_ID"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.Gender = data
-		case "birthdate":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("birthdate"))
+			it.MicrosoftClientID = data
+		case "MICROSOFT_CLIENT_SECRET":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("MICROSOFT_CLIENT_SECRET"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.Birthdate = data
-		case "phone_number":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("phone_number"))
+			it.MicrosoftClientSecret = data
+		case "MICROSOFT_ACTIVE_DIRECTORY_TENANT_ID":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("MICROSOFT_ACTIVE_DIRECTORY_TENANT_ID"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.PhoneNumber = data
-		case "phone_number_verified":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("phone_number_verified"))
-			data, err := ec.unmarshalOBoolean2ᚖbool(ctx, v)
+			it.MicrosoftActiveDirectoryTenantID = data
+		case "TWITCH_CLIENT_ID":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("TWITCH_CLIENT_ID"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.PhoneNumberVerified = data
-		case "picture":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("picture"))
+			it.TwitchClientID = data
+		case "TWITCH_CLIENT_SECRET":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("TWITCH_CLIENT_SECRET"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.Picture = data
-		case "roles":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("roles"))
-			data, err := ec.unmarshalOString2ᚕᚖstring(ctx, v)
+			it.TwitchClientSecret = data
+		case "ROBLOX_CLIENT_ID":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("ROBLOX_CLIENT_ID"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.Roles = data
-		case "is_multi_factor_auth_enabled":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("is_multi_factor_auth_enabled"))
-			data, err := ec.unmarshalOBoolean2ᚖbool(ctx, v)
+			it.RobloxClientID = data
+		case "ROBLOX_CLIENT_SECRET":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("ROBLOX_CLIENT_SECRET"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.IsMultiFactorAuthEnabled = data
-		case "app_data":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("app_data"))
-			data, err := ec.unmarshalOMap2map(ctx, v)
+			it.RobloxClientSecret = data
+		case "ORGANIZATION_NAME":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("ORGANIZATION_NAME"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.AppData = data
-		}
-	}
-
-	return it, nil
-}
-
-func (ec *executionContext) unmarshalInputUpdateWebhookRequest(ctx context.Context, obj any) (model.UpdateWebhookRequest, error) {
-	var it model.UpdateWebhookRequest
-	asMap := map[string]any{}
-	for k, v := range obj.(map[string]any) {
-		asMap[k] = v
-	}
-
-	fieldsInOrder := [...]string{"id", "event_name", "event_description", "endpoint", "enabled", "headers"}
-	for _, k := range fieldsInOrder {
-		v, ok := asMap[k]
-		if !ok {
-			continue
-		}
-		switch k {
-		case "id":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("id"))
-			data, err := ec.unmarshalNID2string(ctx, v)
+			it.OrganizationName = data
+		case "ORGANIZATION_LOGO":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("ORGANIZATION_LOGO"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.ID = data
-		case "event_name":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("event_name"))
+			it.OrganizationLogo = data
+		case "DEFAULT_AUTHORIZE_RESPONSE_TYPE":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("DEFAULT_AUTHORIZE_RESPONSE_TYPE"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.EventName = data
-		case "event_description":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("event_description"))
+			it.DefaultAuthorizeResponseType = data
+		case "DEFAULT_AUTHORIZE_RESPONSE_MODE":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("DEFAULT_AUTHORIZE_RESPONSE_MODE"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.EventDescription = data
-		case "endpoint":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("endpoint"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			it.DefaultAuthorizeResponseMode = data
+		case "DISABLE_PLAYGROUND":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("DISABLE_PLAYGROUND"))
+			data, err := ec.unmarshalOBoolean2ᚖbool(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.Endpoint = data
-		case "enabled":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("enabled"))
+			it.DisablePlayground = data
+		case "DISABLE_MAIL_OTP_LOGIN":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("DISABLE_MAIL_OTP_LOGIN"))
 			data, err := ec.unmarshalOBoolean2ᚖbool(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.Enabled = data
-		case "headers":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("headers"))
-			data, err := ec.unmarshalOMap2map(ctx, v)
+			it.DisableMailOtpLogin = data
+		case "DISABLE_TOTP_LOGIN":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("DISABLE_TOTP_LOGIN"))
+			data, err := ec.unmarshalOBoolean2ᚖbool(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.Headers = data
+			it.DisableTotpLogin = data
 		}
 	}
 
 	return it, nil
 }
 
-func (ec *executionContext) unmarshalInputValidateJWTTokenRequest(ctx context.Context, obj any) (model.ValidateJWTTokenRequest, error) {
-	var it model.ValidateJWTTokenRequest
+func (ec *executionContext) unmarshalInputUpdateProfileRequest(ctx context.Context, obj any) (model.UpdateProfileRequest, error) {
+	var it model.UpdateProfileRequest
 	asMap := map[string]any{}
 	for k, v := range obj.(map[string]any) {
 		asMap[k] = v
 	}
 
-	fieldsInOrder := [...]string{"token_type", "token", "roles", "required_permissions"}
+	fieldsInOrder := [...]string{"old_password", "new_password", "confirm_new_password", "email", "given_name", "family_name", "middle_name", "nickname", "gender", "birthdate", "phone_number", "picture", "is_multi_factor_auth_enabled", "app_data"}
 	for _, k := range fieldsInOrder {
 		v, ok := asMap[k]
 		if !ok {
 			continue
 		}
 		switch k {
-		case "token_type":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("token_type"))
-			data, err := ec.unmarshalNString2string(ctx, v)
+		case "old_password":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("old_password"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.TokenType = data
-		case "token":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("token"))
-			data, err := ec.unmarshalNString2string(ctx, v)
+			it.OldPassword = data
+		case "new_password":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("new_password"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.Token = data
-		case "roles":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("roles"))
-			data, err := ec.unmarshalOString2ᚕstringᚄ(ctx, v)
+			it.NewPassword = data
+		case "confirm_new_password":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("confirm_new_password"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.Roles = data
-		case "required_permissions":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("required_permissions"))
-			data, err := ec.unmarshalOPermissionInput2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPermissionInputᚄ(ctx, v)
+			it.ConfirmNewPassword = data
+		case "email":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("email"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.RequiredPermissions = data
-		}
-	}
-
-	return it, nil
-}
-
-func (ec *executionContext) unmarshalInputValidateSessionRequest(ctx context.Context, obj any) (model.ValidateSessionRequest, error) {
-	var it model.ValidateSessionRequest
-	asMap := map[string]any{}
-	for k, v := range obj.(map[string]any) {
-		asMap[k] = v
-	}
-
-	fieldsInOrder := [...]string{"cookie", "roles", "required_permissions"}
-	for _, k := range fieldsInOrder {
-		v, ok := asMap[k]
-		if !ok {
-			continue
-		}
-		switch k {
-		case "cookie":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("cookie"))
-			data, err := ec.unmarshalNString2string(ctx, v)
+			it.Email = data
+		case "given_name":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("given_name"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.Cookie = data
-		case "roles":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("roles"))
-			data, err := ec.unmarshalOString2ᚕstringᚄ(ctx, v)
+			it.GivenName = data
+		case "family_name":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("family_name"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.Roles = data
-		case "required_permissions":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("required_permissions"))
-			data, err := ec.unmarshalOPermissionInput2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPermissionInputᚄ(ctx, v)
+			it.FamilyName = data
+		case "middle_name":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("middle_name"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.RequiredPermissions = data
-		}
-	}
-
-	return it, nil
-}
-
-func (ec *executionContext) unmarshalInputVerifyEmailRequest(ctx context.Context, obj any) (model.VerifyEmailRequest, error) {
-	var it model.VerifyEmailRequest
-	asMap := map[string]any{}
-	for k, v := range obj.(map[string]any) {
-		asMap[k] = v
-	}
-
-	fieldsInOrder := [...]string{"token", "state"}
-	for _, k := range fieldsInOrder {
-		v, ok := asMap[k]
-		if !ok {
-			continue
-		}
-		switch k {
-		case "token":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("token"))
-			data, err := ec.unmarshalNString2string(ctx, v)
+			it.MiddleName = data
+		case "nickname":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("nickname"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.Token = data
-		case "state":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("state"))
+			it.Nickname = data
+		case "gender":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("gender"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.State = data
-		}
-	}
-
-	return it, nil
-}
-
-func (ec *executionContext) unmarshalInputVerifyOTPRequest(ctx context.Context, obj any) (model.VerifyOTPRequest, error) {
-	var it model.VerifyOTPRequest
-	asMap := map[string]any{}
-	for k, v := range obj.(map[string]any) {
-		asMap[k] = v
-	}
-
-	fieldsInOrder := [...]string{"email", "phone_number", "otp", "is_totp", "state"}
-	for _, k := range fieldsInOrder {
-		v, ok := asMap[k]
-		if !ok {
-			continue
-		}
-		switch k {
-		case "email":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("email"))
+			it.Gender = data
+		case "birthdate":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("birthdate"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.Email = data
+			it.Birthdate = data
 		case "phone_number":
 			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("phone_number"))
 			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
@@ -25311,41 +21996,41 @@ func (ec *executionContext) unmarshalInputVerifyOTPRequest(ctx context.Context,
 				return it, err
 			}
 			it.PhoneNumber = data
-		case "otp":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("otp"))
-			data, err := ec.unmarshalNString2string(ctx, v)
+		case "picture":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("picture"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.Otp = data
-		case "is_totp":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("is_totp"))
+			it.Picture = data
+		case "is_multi_factor_auth_enabled":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("is_multi_factor_auth_enabled"))
 			data, err := ec.unmarshalOBoolean2ᚖbool(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.IsTotp = data
-		case "state":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("state"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			it.IsMultiFactorAuthEnabled = data
+		case "app_data":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("app_data"))
+			data, err := ec.unmarshalOMap2map(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.State = data
+			it.AppData = data
 		}
 	}
 
 	return it, nil
 }
 
-func (ec *executionContext) unmarshalInputWebhookRequest(ctx context.Context, obj any) (model.WebhookRequest, error) {
-	var it model.WebhookRequest
+func (ec *executionContext) unmarshalInputUpdateUserRequest(ctx context.Context, obj any) (model.UpdateUserRequest, error) {
+	var it model.UpdateUserRequest
 	asMap := map[string]any{}
 	for k, v := range obj.(map[string]any) {
 		asMap[k] = v
 	}
 
-	fieldsInOrder := [...]string{"id"}
+	fieldsInOrder := [...]string{"id", "email", "email_verified", "given_name", "family_name", "middle_name", "nickname", "gender", "birthdate", "phone_number", "phone_number_verified", "picture", "roles", "is_multi_factor_auth_enabled", "app_data"}
 	for _, k := range fieldsInOrder {
 		v, ok := asMap[k]
 		if !ok {
@@ -25359,550 +22044,421 @@ func (ec *executionContext) unmarshalInputWebhookRequest(ctx context.Context, ob
 				return it, err
 			}
 			it.ID = data
-		}
-	}
-
-	return it, nil
-}
-
-// endregion **************************** input.gotpl *****************************
-
-// region    ************************** interface.gotpl ***************************
-
-// endregion ************************** interface.gotpl ***************************
-
-// region    **************************** object.gotpl ****************************
-
-var auditLogImplementors = []string{"AuditLog"}
-
-func (ec *executionContext) _AuditLog(ctx context.Context, sel ast.SelectionSet, obj *model.AuditLog) graphql.Marshaler {
-	fields := graphql.CollectFields(ec.OperationContext, sel, auditLogImplementors)
-
-	out := graphql.NewFieldSet(fields)
-	deferred := make(map[string]*graphql.FieldSet)
-	for i, field := range fields {
-		switch field.Name {
-		case "__typename":
-			out.Values[i] = graphql.MarshalString("AuditLog")
-		case "id":
-			out.Values[i] = ec._AuditLog_id(ctx, field, obj)
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
+		case "email":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("email"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
 			}
-		case "actor_id":
-			out.Values[i] = ec._AuditLog_actor_id(ctx, field, obj)
-		case "actor_type":
-			out.Values[i] = ec._AuditLog_actor_type(ctx, field, obj)
-		case "actor_email":
-			out.Values[i] = ec._AuditLog_actor_email(ctx, field, obj)
-		case "action":
-			out.Values[i] = ec._AuditLog_action(ctx, field, obj)
-		case "resource_type":
-			out.Values[i] = ec._AuditLog_resource_type(ctx, field, obj)
-		case "resource_id":
-			out.Values[i] = ec._AuditLog_resource_id(ctx, field, obj)
-		case "ip_address":
-			out.Values[i] = ec._AuditLog_ip_address(ctx, field, obj)
-		case "user_agent":
-			out.Values[i] = ec._AuditLog_user_agent(ctx, field, obj)
-		case "metadata":
-			out.Values[i] = ec._AuditLog_metadata(ctx, field, obj)
-		case "created_at":
-			out.Values[i] = ec._AuditLog_created_at(ctx, field, obj)
-		default:
-			panic("unknown field " + strconv.Quote(field.Name))
-		}
-	}
-	out.Dispatch(ctx)
-	if out.Invalids > 0 {
-		return graphql.Null
-	}
-
-	atomic.AddInt32(&ec.deferred, int32(len(deferred)))
-
-	for label, dfs := range deferred {
-		ec.processDeferredGroup(graphql.DeferredGroup{
-			Label:    label,
-			Path:     graphql.GetPath(ctx),
-			FieldSet: dfs,
-			Context:  ctx,
-		})
-	}
-
-	return out
-}
-
-var auditLogsImplementors = []string{"AuditLogs"}
-
-func (ec *executionContext) _AuditLogs(ctx context.Context, sel ast.SelectionSet, obj *model.AuditLogs) graphql.Marshaler {
-	fields := graphql.CollectFields(ec.OperationContext, sel, auditLogsImplementors)
-
-	out := graphql.NewFieldSet(fields)
-	deferred := make(map[string]*graphql.FieldSet)
-	for i, field := range fields {
-		switch field.Name {
-		case "__typename":
-			out.Values[i] = graphql.MarshalString("AuditLogs")
-		case "pagination":
-			out.Values[i] = ec._AuditLogs_pagination(ctx, field, obj)
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
+			it.Email = data
+		case "email_verified":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("email_verified"))
+			data, err := ec.unmarshalOBoolean2ᚖbool(ctx, v)
+			if err != nil {
+				return it, err
 			}
-		case "audit_logs":
-			out.Values[i] = ec._AuditLogs_audit_logs(ctx, field, obj)
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
+			it.EmailVerified = data
+		case "given_name":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("given_name"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
 			}
-		default:
-			panic("unknown field " + strconv.Quote(field.Name))
-		}
-	}
-	out.Dispatch(ctx)
-	if out.Invalids > 0 {
-		return graphql.Null
-	}
-
-	atomic.AddInt32(&ec.deferred, int32(len(deferred)))
-
-	for label, dfs := range deferred {
-		ec.processDeferredGroup(graphql.DeferredGroup{
-			Label:    label,
-			Path:     graphql.GetPath(ctx),
-			FieldSet: dfs,
-			Context:  ctx,
-		})
-	}
-
-	return out
-}
-
-var authResponseImplementors = []string{"AuthResponse"}
-
-func (ec *executionContext) _AuthResponse(ctx context.Context, sel ast.SelectionSet, obj *model.AuthResponse) graphql.Marshaler {
-	fields := graphql.CollectFields(ec.OperationContext, sel, authResponseImplementors)
-
-	out := graphql.NewFieldSet(fields)
-	deferred := make(map[string]*graphql.FieldSet)
-	for i, field := range fields {
-		switch field.Name {
-		case "__typename":
-			out.Values[i] = graphql.MarshalString("AuthResponse")
-		case "message":
-			out.Values[i] = ec._AuthResponse_message(ctx, field, obj)
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
+			it.GivenName = data
+		case "family_name":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("family_name"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.FamilyName = data
+		case "middle_name":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("middle_name"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.MiddleName = data
+		case "nickname":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("nickname"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Nickname = data
+		case "gender":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("gender"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Gender = data
+		case "birthdate":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("birthdate"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Birthdate = data
+		case "phone_number":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("phone_number"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.PhoneNumber = data
+		case "phone_number_verified":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("phone_number_verified"))
+			data, err := ec.unmarshalOBoolean2ᚖbool(ctx, v)
+			if err != nil {
+				return it, err
 			}
-		case "should_show_email_otp_screen":
-			out.Values[i] = ec._AuthResponse_should_show_email_otp_screen(ctx, field, obj)
-		case "should_show_mobile_otp_screen":
-			out.Values[i] = ec._AuthResponse_should_show_mobile_otp_screen(ctx, field, obj)
-		case "should_show_totp_screen":
-			out.Values[i] = ec._AuthResponse_should_show_totp_screen(ctx, field, obj)
-		case "access_token":
-			out.Values[i] = ec._AuthResponse_access_token(ctx, field, obj)
-		case "id_token":
-			out.Values[i] = ec._AuthResponse_id_token(ctx, field, obj)
-		case "refresh_token":
-			out.Values[i] = ec._AuthResponse_refresh_token(ctx, field, obj)
-		case "expires_in":
-			out.Values[i] = ec._AuthResponse_expires_in(ctx, field, obj)
-		case "user":
-			out.Values[i] = ec._AuthResponse_user(ctx, field, obj)
-		case "authenticator_scanner_image":
-			out.Values[i] = ec._AuthResponse_authenticator_scanner_image(ctx, field, obj)
-		case "authenticator_secret":
-			out.Values[i] = ec._AuthResponse_authenticator_secret(ctx, field, obj)
-		case "authenticator_recovery_codes":
-			out.Values[i] = ec._AuthResponse_authenticator_recovery_codes(ctx, field, obj)
-		default:
-			panic("unknown field " + strconv.Quote(field.Name))
+			it.PhoneNumberVerified = data
+		case "picture":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("picture"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Picture = data
+		case "roles":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("roles"))
+			data, err := ec.unmarshalOString2ᚕᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Roles = data
+		case "is_multi_factor_auth_enabled":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("is_multi_factor_auth_enabled"))
+			data, err := ec.unmarshalOBoolean2ᚖbool(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.IsMultiFactorAuthEnabled = data
+		case "app_data":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("app_data"))
+			data, err := ec.unmarshalOMap2map(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.AppData = data
 		}
 	}
-	out.Dispatch(ctx)
-	if out.Invalids > 0 {
-		return graphql.Null
-	}
-
-	atomic.AddInt32(&ec.deferred, int32(len(deferred)))
-
-	for label, dfs := range deferred {
-		ec.processDeferredGroup(graphql.DeferredGroup{
-			Label:    label,
-			Path:     graphql.GetPath(ctx),
-			FieldSet: dfs,
-			Context:  ctx,
-		})
-	}
 
-	return out
+	return it, nil
 }
 
-var authzPermissionImplementors = []string{"AuthzPermission"}
-
-func (ec *executionContext) _AuthzPermission(ctx context.Context, sel ast.SelectionSet, obj *model.AuthzPermission) graphql.Marshaler {
-	fields := graphql.CollectFields(ec.OperationContext, sel, authzPermissionImplementors)
+func (ec *executionContext) unmarshalInputUpdateWebhookRequest(ctx context.Context, obj any) (model.UpdateWebhookRequest, error) {
+	var it model.UpdateWebhookRequest
+	asMap := map[string]any{}
+	for k, v := range obj.(map[string]any) {
+		asMap[k] = v
+	}
 
-	out := graphql.NewFieldSet(fields)
-	deferred := make(map[string]*graphql.FieldSet)
-	for i, field := range fields {
-		switch field.Name {
-		case "__typename":
-			out.Values[i] = graphql.MarshalString("AuthzPermission")
+	fieldsInOrder := [...]string{"id", "event_name", "event_description", "endpoint", "enabled", "headers"}
+	for _, k := range fieldsInOrder {
+		v, ok := asMap[k]
+		if !ok {
+			continue
+		}
+		switch k {
 		case "id":
-			out.Values[i] = ec._AuthzPermission_id(ctx, field, obj)
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
-			}
-		case "name":
-			out.Values[i] = ec._AuthzPermission_name(ctx, field, obj)
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
-			}
-		case "description":
-			out.Values[i] = ec._AuthzPermission_description(ctx, field, obj)
-		case "resource":
-			out.Values[i] = ec._AuthzPermission_resource(ctx, field, obj)
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("id"))
+			data, err := ec.unmarshalNID2string(ctx, v)
+			if err != nil {
+				return it, err
 			}
-		case "scopes":
-			out.Values[i] = ec._AuthzPermission_scopes(ctx, field, obj)
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
+			it.ID = data
+		case "event_name":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("event_name"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
 			}
-		case "policies":
-			out.Values[i] = ec._AuthzPermission_policies(ctx, field, obj)
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
+			it.EventName = data
+		case "event_description":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("event_description"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
 			}
-		case "decision_strategy":
-			out.Values[i] = ec._AuthzPermission_decision_strategy(ctx, field, obj)
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
+			it.EventDescription = data
+		case "endpoint":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("endpoint"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
 			}
-		case "created_at":
-			out.Values[i] = ec._AuthzPermission_created_at(ctx, field, obj)
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
+			it.Endpoint = data
+		case "enabled":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("enabled"))
+			data, err := ec.unmarshalOBoolean2ᚖbool(ctx, v)
+			if err != nil {
+				return it, err
 			}
-		case "updated_at":
-			out.Values[i] = ec._AuthzPermission_updated_at(ctx, field, obj)
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
+			it.Enabled = data
+		case "headers":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("headers"))
+			data, err := ec.unmarshalOMap2map(ctx, v)
+			if err != nil {
+				return it, err
 			}
-		default:
-			panic("unknown field " + strconv.Quote(field.Name))
+			it.Headers = data
 		}
 	}
-	out.Dispatch(ctx)
-	if out.Invalids > 0 {
-		return graphql.Null
-	}
-
-	atomic.AddInt32(&ec.deferred, int32(len(deferred)))
-
-	for label, dfs := range deferred {
-		ec.processDeferredGroup(graphql.DeferredGroup{
-			Label:    label,
-			Path:     graphql.GetPath(ctx),
-			FieldSet: dfs,
-			Context:  ctx,
-		})
-	}
 
-	return out
+	return it, nil
 }
 
-var authzPermissionsImplementors = []string{"AuthzPermissions"}
-
-func (ec *executionContext) _AuthzPermissions(ctx context.Context, sel ast.SelectionSet, obj *model.AuthzPermissions) graphql.Marshaler {
-	fields := graphql.CollectFields(ec.OperationContext, sel, authzPermissionsImplementors)
+func (ec *executionContext) unmarshalInputValidateJWTTokenRequest(ctx context.Context, obj any) (model.ValidateJWTTokenRequest, error) {
+	var it model.ValidateJWTTokenRequest
+	asMap := map[string]any{}
+	for k, v := range obj.(map[string]any) {
+		asMap[k] = v
+	}
 
-	out := graphql.NewFieldSet(fields)
-	deferred := make(map[string]*graphql.FieldSet)
-	for i, field := range fields {
-		switch field.Name {
-		case "__typename":
-			out.Values[i] = graphql.MarshalString("AuthzPermissions")
-		case "pagination":
-			out.Values[i] = ec._AuthzPermissions_pagination(ctx, field, obj)
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
+	fieldsInOrder := [...]string{"token_type", "token", "roles", "required_relations"}
+	for _, k := range fieldsInOrder {
+		v, ok := asMap[k]
+		if !ok {
+			continue
+		}
+		switch k {
+		case "token_type":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("token_type"))
+			data, err := ec.unmarshalNString2string(ctx, v)
+			if err != nil {
+				return it, err
 			}
-		case "permissions":
-			out.Values[i] = ec._AuthzPermissions_permissions(ctx, field, obj)
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
+			it.TokenType = data
+		case "token":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("token"))
+			data, err := ec.unmarshalNString2string(ctx, v)
+			if err != nil {
+				return it, err
 			}
-		default:
-			panic("unknown field " + strconv.Quote(field.Name))
+			it.Token = data
+		case "roles":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("roles"))
+			data, err := ec.unmarshalOString2ᚕstringᚄ(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Roles = data
+		case "required_relations":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("required_relations"))
+			data, err := ec.unmarshalOFgaRelationInput2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaRelationInputᚄ(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.RequiredRelations = data
 		}
 	}
-	out.Dispatch(ctx)
-	if out.Invalids > 0 {
-		return graphql.Null
-	}
 
-	atomic.AddInt32(&ec.deferred, int32(len(deferred)))
+	return it, nil
+}
 
-	for label, dfs := range deferred {
-		ec.processDeferredGroup(graphql.DeferredGroup{
-			Label:    label,
-			Path:     graphql.GetPath(ctx),
-			FieldSet: dfs,
-			Context:  ctx,
-		})
+func (ec *executionContext) unmarshalInputValidateSessionRequest(ctx context.Context, obj any) (model.ValidateSessionRequest, error) {
+	var it model.ValidateSessionRequest
+	asMap := map[string]any{}
+	for k, v := range obj.(map[string]any) {
+		asMap[k] = v
+	}
+
+	fieldsInOrder := [...]string{"cookie", "roles", "required_relations"}
+	for _, k := range fieldsInOrder {
+		v, ok := asMap[k]
+		if !ok {
+			continue
+		}
+		switch k {
+		case "cookie":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("cookie"))
+			data, err := ec.unmarshalNString2string(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Cookie = data
+		case "roles":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("roles"))
+			data, err := ec.unmarshalOString2ᚕstringᚄ(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Roles = data
+		case "required_relations":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("required_relations"))
+			data, err := ec.unmarshalOFgaRelationInput2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaRelationInputᚄ(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.RequiredRelations = data
+		}
 	}
 
-	return out
+	return it, nil
 }
 
-var authzPoliciesImplementors = []string{"AuthzPolicies"}
-
-func (ec *executionContext) _AuthzPolicies(ctx context.Context, sel ast.SelectionSet, obj *model.AuthzPolicies) graphql.Marshaler {
-	fields := graphql.CollectFields(ec.OperationContext, sel, authzPoliciesImplementors)
+func (ec *executionContext) unmarshalInputVerifyEmailRequest(ctx context.Context, obj any) (model.VerifyEmailRequest, error) {
+	var it model.VerifyEmailRequest
+	asMap := map[string]any{}
+	for k, v := range obj.(map[string]any) {
+		asMap[k] = v
+	}
 
-	out := graphql.NewFieldSet(fields)
-	deferred := make(map[string]*graphql.FieldSet)
-	for i, field := range fields {
-		switch field.Name {
-		case "__typename":
-			out.Values[i] = graphql.MarshalString("AuthzPolicies")
-		case "pagination":
-			out.Values[i] = ec._AuthzPolicies_pagination(ctx, field, obj)
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
+	fieldsInOrder := [...]string{"token", "state"}
+	for _, k := range fieldsInOrder {
+		v, ok := asMap[k]
+		if !ok {
+			continue
+		}
+		switch k {
+		case "token":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("token"))
+			data, err := ec.unmarshalNString2string(ctx, v)
+			if err != nil {
+				return it, err
 			}
-		case "policies":
-			out.Values[i] = ec._AuthzPolicies_policies(ctx, field, obj)
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
+			it.Token = data
+		case "state":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("state"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
 			}
-		default:
-			panic("unknown field " + strconv.Quote(field.Name))
+			it.State = data
 		}
 	}
-	out.Dispatch(ctx)
-	if out.Invalids > 0 {
-		return graphql.Null
-	}
-
-	atomic.AddInt32(&ec.deferred, int32(len(deferred)))
-
-	for label, dfs := range deferred {
-		ec.processDeferredGroup(graphql.DeferredGroup{
-			Label:    label,
-			Path:     graphql.GetPath(ctx),
-			FieldSet: dfs,
-			Context:  ctx,
-		})
-	}
 
-	return out
+	return it, nil
 }
 
-var authzPolicyImplementors = []string{"AuthzPolicy"}
-
-func (ec *executionContext) _AuthzPolicy(ctx context.Context, sel ast.SelectionSet, obj *model.AuthzPolicy) graphql.Marshaler {
-	fields := graphql.CollectFields(ec.OperationContext, sel, authzPolicyImplementors)
+func (ec *executionContext) unmarshalInputVerifyOTPRequest(ctx context.Context, obj any) (model.VerifyOTPRequest, error) {
+	var it model.VerifyOTPRequest
+	asMap := map[string]any{}
+	for k, v := range obj.(map[string]any) {
+		asMap[k] = v
+	}
 
-	out := graphql.NewFieldSet(fields)
-	deferred := make(map[string]*graphql.FieldSet)
-	for i, field := range fields {
-		switch field.Name {
-		case "__typename":
-			out.Values[i] = graphql.MarshalString("AuthzPolicy")
-		case "id":
-			out.Values[i] = ec._AuthzPolicy_id(ctx, field, obj)
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
-			}
-		case "name":
-			out.Values[i] = ec._AuthzPolicy_name(ctx, field, obj)
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
-			}
-		case "description":
-			out.Values[i] = ec._AuthzPolicy_description(ctx, field, obj)
-		case "type":
-			out.Values[i] = ec._AuthzPolicy_type(ctx, field, obj)
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
-			}
-		case "logic":
-			out.Values[i] = ec._AuthzPolicy_logic(ctx, field, obj)
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
+	fieldsInOrder := [...]string{"email", "phone_number", "otp", "is_totp", "state"}
+	for _, k := range fieldsInOrder {
+		v, ok := asMap[k]
+		if !ok {
+			continue
+		}
+		switch k {
+		case "email":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("email"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
 			}
-		case "decision_strategy":
-			out.Values[i] = ec._AuthzPolicy_decision_strategy(ctx, field, obj)
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
+			it.Email = data
+		case "phone_number":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("phone_number"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
 			}
-		case "targets":
-			out.Values[i] = ec._AuthzPolicy_targets(ctx, field, obj)
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
+			it.PhoneNumber = data
+		case "otp":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("otp"))
+			data, err := ec.unmarshalNString2string(ctx, v)
+			if err != nil {
+				return it, err
 			}
-		case "created_at":
-			out.Values[i] = ec._AuthzPolicy_created_at(ctx, field, obj)
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
+			it.Otp = data
+		case "is_totp":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("is_totp"))
+			data, err := ec.unmarshalOBoolean2ᚖbool(ctx, v)
+			if err != nil {
+				return it, err
 			}
-		case "updated_at":
-			out.Values[i] = ec._AuthzPolicy_updated_at(ctx, field, obj)
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
+			it.IsTotp = data
+		case "state":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("state"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
 			}
-		default:
-			panic("unknown field " + strconv.Quote(field.Name))
+			it.State = data
 		}
 	}
-	out.Dispatch(ctx)
-	if out.Invalids > 0 {
-		return graphql.Null
-	}
-
-	atomic.AddInt32(&ec.deferred, int32(len(deferred)))
-
-	for label, dfs := range deferred {
-		ec.processDeferredGroup(graphql.DeferredGroup{
-			Label:    label,
-			Path:     graphql.GetPath(ctx),
-			FieldSet: dfs,
-			Context:  ctx,
-		})
-	}
 
-	return out
+	return it, nil
 }
 
-var authzPolicyTargetImplementors = []string{"AuthzPolicyTarget"}
-
-func (ec *executionContext) _AuthzPolicyTarget(ctx context.Context, sel ast.SelectionSet, obj *model.AuthzPolicyTarget) graphql.Marshaler {
-	fields := graphql.CollectFields(ec.OperationContext, sel, authzPolicyTargetImplementors)
+func (ec *executionContext) unmarshalInputWebhookRequest(ctx context.Context, obj any) (model.WebhookRequest, error) {
+	var it model.WebhookRequest
+	asMap := map[string]any{}
+	for k, v := range obj.(map[string]any) {
+		asMap[k] = v
+	}
 
-	out := graphql.NewFieldSet(fields)
-	deferred := make(map[string]*graphql.FieldSet)
-	for i, field := range fields {
-		switch field.Name {
-		case "__typename":
-			out.Values[i] = graphql.MarshalString("AuthzPolicyTarget")
+	fieldsInOrder := [...]string{"id"}
+	for _, k := range fieldsInOrder {
+		v, ok := asMap[k]
+		if !ok {
+			continue
+		}
+		switch k {
 		case "id":
-			out.Values[i] = ec._AuthzPolicyTarget_id(ctx, field, obj)
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
-			}
-		case "target_type":
-			out.Values[i] = ec._AuthzPolicyTarget_target_type(ctx, field, obj)
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
-			}
-		case "target_value":
-			out.Values[i] = ec._AuthzPolicyTarget_target_value(ctx, field, obj)
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("id"))
+			data, err := ec.unmarshalNID2string(ctx, v)
+			if err != nil {
+				return it, err
 			}
-		default:
-			panic("unknown field " + strconv.Quote(field.Name))
+			it.ID = data
 		}
 	}
-	out.Dispatch(ctx)
-	if out.Invalids > 0 {
-		return graphql.Null
-	}
-
-	atomic.AddInt32(&ec.deferred, int32(len(deferred)))
-
-	for label, dfs := range deferred {
-		ec.processDeferredGroup(graphql.DeferredGroup{
-			Label:    label,
-			Path:     graphql.GetPath(ctx),
-			FieldSet: dfs,
-			Context:  ctx,
-		})
-	}
 
-	return out
+	return it, nil
 }
 
-var authzResourceImplementors = []string{"AuthzResource"}
-
-func (ec *executionContext) _AuthzResource(ctx context.Context, sel ast.SelectionSet, obj *model.AuthzResource) graphql.Marshaler {
-	fields := graphql.CollectFields(ec.OperationContext, sel, authzResourceImplementors)
-
-	out := graphql.NewFieldSet(fields)
-	deferred := make(map[string]*graphql.FieldSet)
-	for i, field := range fields {
-		switch field.Name {
-		case "__typename":
-			out.Values[i] = graphql.MarshalString("AuthzResource")
-		case "id":
-			out.Values[i] = ec._AuthzResource_id(ctx, field, obj)
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
-			}
-		case "name":
-			out.Values[i] = ec._AuthzResource_name(ctx, field, obj)
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
-			}
-		case "description":
-			out.Values[i] = ec._AuthzResource_description(ctx, field, obj)
-		case "created_at":
-			out.Values[i] = ec._AuthzResource_created_at(ctx, field, obj)
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
-			}
-		case "updated_at":
-			out.Values[i] = ec._AuthzResource_updated_at(ctx, field, obj)
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
-			}
-		default:
-			panic("unknown field " + strconv.Quote(field.Name))
-		}
-	}
-	out.Dispatch(ctx)
-	if out.Invalids > 0 {
-		return graphql.Null
-	}
+// endregion **************************** input.gotpl *****************************
 
-	atomic.AddInt32(&ec.deferred, int32(len(deferred)))
+// region    ************************** interface.gotpl ***************************
 
-	for label, dfs := range deferred {
-		ec.processDeferredGroup(graphql.DeferredGroup{
-			Label:    label,
-			Path:     graphql.GetPath(ctx),
-			FieldSet: dfs,
-			Context:  ctx,
-		})
-	}
+// endregion ************************** interface.gotpl ***************************
 
-	return out
-}
+// region    **************************** object.gotpl ****************************
 
-var authzResourcesImplementors = []string{"AuthzResources"}
+var auditLogImplementors = []string{"AuditLog"}
 
-func (ec *executionContext) _AuthzResources(ctx context.Context, sel ast.SelectionSet, obj *model.AuthzResources) graphql.Marshaler {
-	fields := graphql.CollectFields(ec.OperationContext, sel, authzResourcesImplementors)
+func (ec *executionContext) _AuditLog(ctx context.Context, sel ast.SelectionSet, obj *model.AuditLog) graphql.Marshaler {
+	fields := graphql.CollectFields(ec.OperationContext, sel, auditLogImplementors)
 
 	out := graphql.NewFieldSet(fields)
 	deferred := make(map[string]*graphql.FieldSet)
 	for i, field := range fields {
 		switch field.Name {
 		case "__typename":
-			out.Values[i] = graphql.MarshalString("AuthzResources")
-		case "pagination":
-			out.Values[i] = ec._AuthzResources_pagination(ctx, field, obj)
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
-			}
-		case "resources":
-			out.Values[i] = ec._AuthzResources_resources(ctx, field, obj)
+			out.Values[i] = graphql.MarshalString("AuditLog")
+		case "id":
+			out.Values[i] = ec._AuditLog_id(ctx, field, obj)
 			if out.Values[i] == graphql.Null {
 				out.Invalids++
 			}
+		case "actor_id":
+			out.Values[i] = ec._AuditLog_actor_id(ctx, field, obj)
+		case "actor_type":
+			out.Values[i] = ec._AuditLog_actor_type(ctx, field, obj)
+		case "actor_email":
+			out.Values[i] = ec._AuditLog_actor_email(ctx, field, obj)
+		case "action":
+			out.Values[i] = ec._AuditLog_action(ctx, field, obj)
+		case "resource_type":
+			out.Values[i] = ec._AuditLog_resource_type(ctx, field, obj)
+		case "resource_id":
+			out.Values[i] = ec._AuditLog_resource_id(ctx, field, obj)
+		case "ip_address":
+			out.Values[i] = ec._AuditLog_ip_address(ctx, field, obj)
+		case "user_agent":
+			out.Values[i] = ec._AuditLog_user_agent(ctx, field, obj)
+		case "metadata":
+			out.Values[i] = ec._AuditLog_metadata(ctx, field, obj)
+		case "created_at":
+			out.Values[i] = ec._AuditLog_created_at(ctx, field, obj)
 		default:
 			panic("unknown field " + strconv.Quote(field.Name))
 		}
@@ -25926,36 +22482,24 @@ func (ec *executionContext) _AuthzResources(ctx context.Context, sel ast.Selecti
 	return out
 }
 
-var authzScopeImplementors = []string{"AuthzScope"}
+var auditLogsImplementors = []string{"AuditLogs"}
 
-func (ec *executionContext) _AuthzScope(ctx context.Context, sel ast.SelectionSet, obj *model.AuthzScope) graphql.Marshaler {
-	fields := graphql.CollectFields(ec.OperationContext, sel, authzScopeImplementors)
+func (ec *executionContext) _AuditLogs(ctx context.Context, sel ast.SelectionSet, obj *model.AuditLogs) graphql.Marshaler {
+	fields := graphql.CollectFields(ec.OperationContext, sel, auditLogsImplementors)
 
 	out := graphql.NewFieldSet(fields)
 	deferred := make(map[string]*graphql.FieldSet)
 	for i, field := range fields {
 		switch field.Name {
 		case "__typename":
-			out.Values[i] = graphql.MarshalString("AuthzScope")
-		case "id":
-			out.Values[i] = ec._AuthzScope_id(ctx, field, obj)
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
-			}
-		case "name":
-			out.Values[i] = ec._AuthzScope_name(ctx, field, obj)
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
-			}
-		case "description":
-			out.Values[i] = ec._AuthzScope_description(ctx, field, obj)
-		case "created_at":
-			out.Values[i] = ec._AuthzScope_created_at(ctx, field, obj)
+			out.Values[i] = graphql.MarshalString("AuditLogs")
+		case "pagination":
+			out.Values[i] = ec._AuditLogs_pagination(ctx, field, obj)
 			if out.Values[i] == graphql.Null {
 				out.Invalids++
 			}
-		case "updated_at":
-			out.Values[i] = ec._AuthzScope_updated_at(ctx, field, obj)
+		case "audit_logs":
+			out.Values[i] = ec._AuditLogs_audit_logs(ctx, field, obj)
 			if out.Values[i] == graphql.Null {
 				out.Invalids++
 			}
@@ -25982,27 +22526,44 @@ func (ec *executionContext) _AuthzScope(ctx context.Context, sel ast.SelectionSe
 	return out
 }
 
-var authzScopesImplementors = []string{"AuthzScopes"}
+var authResponseImplementors = []string{"AuthResponse"}
 
-func (ec *executionContext) _AuthzScopes(ctx context.Context, sel ast.SelectionSet, obj *model.AuthzScopes) graphql.Marshaler {
-	fields := graphql.CollectFields(ec.OperationContext, sel, authzScopesImplementors)
+func (ec *executionContext) _AuthResponse(ctx context.Context, sel ast.SelectionSet, obj *model.AuthResponse) graphql.Marshaler {
+	fields := graphql.CollectFields(ec.OperationContext, sel, authResponseImplementors)
 
 	out := graphql.NewFieldSet(fields)
 	deferred := make(map[string]*graphql.FieldSet)
 	for i, field := range fields {
 		switch field.Name {
 		case "__typename":
-			out.Values[i] = graphql.MarshalString("AuthzScopes")
-		case "pagination":
-			out.Values[i] = ec._AuthzScopes_pagination(ctx, field, obj)
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
-			}
-		case "scopes":
-			out.Values[i] = ec._AuthzScopes_scopes(ctx, field, obj)
+			out.Values[i] = graphql.MarshalString("AuthResponse")
+		case "message":
+			out.Values[i] = ec._AuthResponse_message(ctx, field, obj)
 			if out.Values[i] == graphql.Null {
 				out.Invalids++
 			}
+		case "should_show_email_otp_screen":
+			out.Values[i] = ec._AuthResponse_should_show_email_otp_screen(ctx, field, obj)
+		case "should_show_mobile_otp_screen":
+			out.Values[i] = ec._AuthResponse_should_show_mobile_otp_screen(ctx, field, obj)
+		case "should_show_totp_screen":
+			out.Values[i] = ec._AuthResponse_should_show_totp_screen(ctx, field, obj)
+		case "access_token":
+			out.Values[i] = ec._AuthResponse_access_token(ctx, field, obj)
+		case "id_token":
+			out.Values[i] = ec._AuthResponse_id_token(ctx, field, obj)
+		case "refresh_token":
+			out.Values[i] = ec._AuthResponse_refresh_token(ctx, field, obj)
+		case "expires_in":
+			out.Values[i] = ec._AuthResponse_expires_in(ctx, field, obj)
+		case "user":
+			out.Values[i] = ec._AuthResponse_user(ctx, field, obj)
+		case "authenticator_scanner_image":
+			out.Values[i] = ec._AuthResponse_authenticator_scanner_image(ctx, field, obj)
+		case "authenticator_secret":
+			out.Values[i] = ec._AuthResponse_authenticator_secret(ctx, field, obj)
+		case "authenticator_recovery_codes":
+			out.Values[i] = ec._AuthResponse_authenticator_recovery_codes(ctx, field, obj)
 		default:
 			panic("unknown field " + strconv.Quote(field.Name))
 		}
@@ -26249,91 +22810,345 @@ func (ec *executionContext) _Env(ctx context.Context, sel ast.SelectionSet, obj
 			if out.Values[i] == graphql.Null {
 				out.Invalids++
 			}
-		case "ENFORCE_MULTI_FACTOR_AUTHENTICATION":
-			out.Values[i] = ec._Env_ENFORCE_MULTI_FACTOR_AUTHENTICATION(ctx, field, obj)
+		case "ENFORCE_MULTI_FACTOR_AUTHENTICATION":
+			out.Values[i] = ec._Env_ENFORCE_MULTI_FACTOR_AUTHENTICATION(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		case "ROLES":
+			out.Values[i] = ec._Env_ROLES(ctx, field, obj)
+		case "PROTECTED_ROLES":
+			out.Values[i] = ec._Env_PROTECTED_ROLES(ctx, field, obj)
+		case "DEFAULT_ROLES":
+			out.Values[i] = ec._Env_DEFAULT_ROLES(ctx, field, obj)
+		case "JWT_ROLE_CLAIM":
+			out.Values[i] = ec._Env_JWT_ROLE_CLAIM(ctx, field, obj)
+		case "GOOGLE_CLIENT_ID":
+			out.Values[i] = ec._Env_GOOGLE_CLIENT_ID(ctx, field, obj)
+		case "GOOGLE_CLIENT_SECRET":
+			out.Values[i] = ec._Env_GOOGLE_CLIENT_SECRET(ctx, field, obj)
+		case "GITHUB_CLIENT_ID":
+			out.Values[i] = ec._Env_GITHUB_CLIENT_ID(ctx, field, obj)
+		case "GITHUB_CLIENT_SECRET":
+			out.Values[i] = ec._Env_GITHUB_CLIENT_SECRET(ctx, field, obj)
+		case "FACEBOOK_CLIENT_ID":
+			out.Values[i] = ec._Env_FACEBOOK_CLIENT_ID(ctx, field, obj)
+		case "FACEBOOK_CLIENT_SECRET":
+			out.Values[i] = ec._Env_FACEBOOK_CLIENT_SECRET(ctx, field, obj)
+		case "LINKEDIN_CLIENT_ID":
+			out.Values[i] = ec._Env_LINKEDIN_CLIENT_ID(ctx, field, obj)
+		case "LINKEDIN_CLIENT_SECRET":
+			out.Values[i] = ec._Env_LINKEDIN_CLIENT_SECRET(ctx, field, obj)
+		case "APPLE_CLIENT_ID":
+			out.Values[i] = ec._Env_APPLE_CLIENT_ID(ctx, field, obj)
+		case "APPLE_CLIENT_SECRET":
+			out.Values[i] = ec._Env_APPLE_CLIENT_SECRET(ctx, field, obj)
+		case "DISCORD_CLIENT_ID":
+			out.Values[i] = ec._Env_DISCORD_CLIENT_ID(ctx, field, obj)
+		case "DISCORD_CLIENT_SECRET":
+			out.Values[i] = ec._Env_DISCORD_CLIENT_SECRET(ctx, field, obj)
+		case "TWITTER_CLIENT_ID":
+			out.Values[i] = ec._Env_TWITTER_CLIENT_ID(ctx, field, obj)
+		case "TWITTER_CLIENT_SECRET":
+			out.Values[i] = ec._Env_TWITTER_CLIENT_SECRET(ctx, field, obj)
+		case "MICROSOFT_CLIENT_ID":
+			out.Values[i] = ec._Env_MICROSOFT_CLIENT_ID(ctx, field, obj)
+		case "MICROSOFT_CLIENT_SECRET":
+			out.Values[i] = ec._Env_MICROSOFT_CLIENT_SECRET(ctx, field, obj)
+		case "MICROSOFT_ACTIVE_DIRECTORY_TENANT_ID":
+			out.Values[i] = ec._Env_MICROSOFT_ACTIVE_DIRECTORY_TENANT_ID(ctx, field, obj)
+		case "TWITCH_CLIENT_ID":
+			out.Values[i] = ec._Env_TWITCH_CLIENT_ID(ctx, field, obj)
+		case "TWITCH_CLIENT_SECRET":
+			out.Values[i] = ec._Env_TWITCH_CLIENT_SECRET(ctx, field, obj)
+		case "ROBLOX_CLIENT_ID":
+			out.Values[i] = ec._Env_ROBLOX_CLIENT_ID(ctx, field, obj)
+		case "ROBLOX_CLIENT_SECRET":
+			out.Values[i] = ec._Env_ROBLOX_CLIENT_SECRET(ctx, field, obj)
+		case "ORGANIZATION_NAME":
+			out.Values[i] = ec._Env_ORGANIZATION_NAME(ctx, field, obj)
+		case "ORGANIZATION_LOGO":
+			out.Values[i] = ec._Env_ORGANIZATION_LOGO(ctx, field, obj)
+		case "APP_COOKIE_SECURE":
+			out.Values[i] = ec._Env_APP_COOKIE_SECURE(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		case "ADMIN_COOKIE_SECURE":
+			out.Values[i] = ec._Env_ADMIN_COOKIE_SECURE(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		case "DEFAULT_AUTHORIZE_RESPONSE_TYPE":
+			out.Values[i] = ec._Env_DEFAULT_AUTHORIZE_RESPONSE_TYPE(ctx, field, obj)
+		case "DEFAULT_AUTHORIZE_RESPONSE_MODE":
+			out.Values[i] = ec._Env_DEFAULT_AUTHORIZE_RESPONSE_MODE(ctx, field, obj)
+		case "DISABLE_PLAYGROUND":
+			out.Values[i] = ec._Env_DISABLE_PLAYGROUND(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		case "DISABLE_MAIL_OTP_LOGIN":
+			out.Values[i] = ec._Env_DISABLE_MAIL_OTP_LOGIN(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		case "DISABLE_TOTP_LOGIN":
+			out.Values[i] = ec._Env_DISABLE_TOTP_LOGIN(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		default:
+			panic("unknown field " + strconv.Quote(field.Name))
+		}
+	}
+	out.Dispatch(ctx)
+	if out.Invalids > 0 {
+		return graphql.Null
+	}
+
+	atomic.AddInt32(&ec.deferred, int32(len(deferred)))
+
+	for label, dfs := range deferred {
+		ec.processDeferredGroup(graphql.DeferredGroup{
+			Label:    label,
+			Path:     graphql.GetPath(ctx),
+			FieldSet: dfs,
+			Context:  ctx,
+		})
+	}
+
+	return out
+}
+
+var errorImplementors = []string{"Error"}
+
+func (ec *executionContext) _Error(ctx context.Context, sel ast.SelectionSet, obj *model.Error) graphql.Marshaler {
+	fields := graphql.CollectFields(ec.OperationContext, sel, errorImplementors)
+
+	out := graphql.NewFieldSet(fields)
+	deferred := make(map[string]*graphql.FieldSet)
+	for i, field := range fields {
+		switch field.Name {
+		case "__typename":
+			out.Values[i] = graphql.MarshalString("Error")
+		case "message":
+			out.Values[i] = ec._Error_message(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		case "reason":
+			out.Values[i] = ec._Error_reason(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		default:
+			panic("unknown field " + strconv.Quote(field.Name))
+		}
+	}
+	out.Dispatch(ctx)
+	if out.Invalids > 0 {
+		return graphql.Null
+	}
+
+	atomic.AddInt32(&ec.deferred, int32(len(deferred)))
+
+	for label, dfs := range deferred {
+		ec.processDeferredGroup(graphql.DeferredGroup{
+			Label:    label,
+			Path:     graphql.GetPath(ctx),
+			FieldSet: dfs,
+			Context:  ctx,
+		})
+	}
+
+	return out
+}
+
+var fgaBatchCheckResponseImplementors = []string{"FgaBatchCheckResponse"}
+
+func (ec *executionContext) _FgaBatchCheckResponse(ctx context.Context, sel ast.SelectionSet, obj *model.FgaBatchCheckResponse) graphql.Marshaler {
+	fields := graphql.CollectFields(ec.OperationContext, sel, fgaBatchCheckResponseImplementors)
+
+	out := graphql.NewFieldSet(fields)
+	deferred := make(map[string]*graphql.FieldSet)
+	for i, field := range fields {
+		switch field.Name {
+		case "__typename":
+			out.Values[i] = graphql.MarshalString("FgaBatchCheckResponse")
+		case "results":
+			out.Values[i] = ec._FgaBatchCheckResponse_results(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		default:
+			panic("unknown field " + strconv.Quote(field.Name))
+		}
+	}
+	out.Dispatch(ctx)
+	if out.Invalids > 0 {
+		return graphql.Null
+	}
+
+	atomic.AddInt32(&ec.deferred, int32(len(deferred)))
+
+	for label, dfs := range deferred {
+		ec.processDeferredGroup(graphql.DeferredGroup{
+			Label:    label,
+			Path:     graphql.GetPath(ctx),
+			FieldSet: dfs,
+			Context:  ctx,
+		})
+	}
+
+	return out
+}
+
+var fgaCheckResponseImplementors = []string{"FgaCheckResponse"}
+
+func (ec *executionContext) _FgaCheckResponse(ctx context.Context, sel ast.SelectionSet, obj *model.FgaCheckResponse) graphql.Marshaler {
+	fields := graphql.CollectFields(ec.OperationContext, sel, fgaCheckResponseImplementors)
+
+	out := graphql.NewFieldSet(fields)
+	deferred := make(map[string]*graphql.FieldSet)
+	for i, field := range fields {
+		switch field.Name {
+		case "__typename":
+			out.Values[i] = graphql.MarshalString("FgaCheckResponse")
+		case "allowed":
+			out.Values[i] = ec._FgaCheckResponse_allowed(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		default:
+			panic("unknown field " + strconv.Quote(field.Name))
+		}
+	}
+	out.Dispatch(ctx)
+	if out.Invalids > 0 {
+		return graphql.Null
+	}
+
+	atomic.AddInt32(&ec.deferred, int32(len(deferred)))
+
+	for label, dfs := range deferred {
+		ec.processDeferredGroup(graphql.DeferredGroup{
+			Label:    label,
+			Path:     graphql.GetPath(ctx),
+			FieldSet: dfs,
+			Context:  ctx,
+		})
+	}
+
+	return out
+}
+
+var fgaListObjectsResponseImplementors = []string{"FgaListObjectsResponse"}
+
+func (ec *executionContext) _FgaListObjectsResponse(ctx context.Context, sel ast.SelectionSet, obj *model.FgaListObjectsResponse) graphql.Marshaler {
+	fields := graphql.CollectFields(ec.OperationContext, sel, fgaListObjectsResponseImplementors)
+
+	out := graphql.NewFieldSet(fields)
+	deferred := make(map[string]*graphql.FieldSet)
+	for i, field := range fields {
+		switch field.Name {
+		case "__typename":
+			out.Values[i] = graphql.MarshalString("FgaListObjectsResponse")
+		case "objects":
+			out.Values[i] = ec._FgaListObjectsResponse_objects(ctx, field, obj)
 			if out.Values[i] == graphql.Null {
 				out.Invalids++
 			}
-		case "ROLES":
-			out.Values[i] = ec._Env_ROLES(ctx, field, obj)
-		case "PROTECTED_ROLES":
-			out.Values[i] = ec._Env_PROTECTED_ROLES(ctx, field, obj)
-		case "DEFAULT_ROLES":
-			out.Values[i] = ec._Env_DEFAULT_ROLES(ctx, field, obj)
-		case "JWT_ROLE_CLAIM":
-			out.Values[i] = ec._Env_JWT_ROLE_CLAIM(ctx, field, obj)
-		case "GOOGLE_CLIENT_ID":
-			out.Values[i] = ec._Env_GOOGLE_CLIENT_ID(ctx, field, obj)
-		case "GOOGLE_CLIENT_SECRET":
-			out.Values[i] = ec._Env_GOOGLE_CLIENT_SECRET(ctx, field, obj)
-		case "GITHUB_CLIENT_ID":
-			out.Values[i] = ec._Env_GITHUB_CLIENT_ID(ctx, field, obj)
-		case "GITHUB_CLIENT_SECRET":
-			out.Values[i] = ec._Env_GITHUB_CLIENT_SECRET(ctx, field, obj)
-		case "FACEBOOK_CLIENT_ID":
-			out.Values[i] = ec._Env_FACEBOOK_CLIENT_ID(ctx, field, obj)
-		case "FACEBOOK_CLIENT_SECRET":
-			out.Values[i] = ec._Env_FACEBOOK_CLIENT_SECRET(ctx, field, obj)
-		case "LINKEDIN_CLIENT_ID":
-			out.Values[i] = ec._Env_LINKEDIN_CLIENT_ID(ctx, field, obj)
-		case "LINKEDIN_CLIENT_SECRET":
-			out.Values[i] = ec._Env_LINKEDIN_CLIENT_SECRET(ctx, field, obj)
-		case "APPLE_CLIENT_ID":
-			out.Values[i] = ec._Env_APPLE_CLIENT_ID(ctx, field, obj)
-		case "APPLE_CLIENT_SECRET":
-			out.Values[i] = ec._Env_APPLE_CLIENT_SECRET(ctx, field, obj)
-		case "DISCORD_CLIENT_ID":
-			out.Values[i] = ec._Env_DISCORD_CLIENT_ID(ctx, field, obj)
-		case "DISCORD_CLIENT_SECRET":
-			out.Values[i] = ec._Env_DISCORD_CLIENT_SECRET(ctx, field, obj)
-		case "TWITTER_CLIENT_ID":
-			out.Values[i] = ec._Env_TWITTER_CLIENT_ID(ctx, field, obj)
-		case "TWITTER_CLIENT_SECRET":
-			out.Values[i] = ec._Env_TWITTER_CLIENT_SECRET(ctx, field, obj)
-		case "MICROSOFT_CLIENT_ID":
-			out.Values[i] = ec._Env_MICROSOFT_CLIENT_ID(ctx, field, obj)
-		case "MICROSOFT_CLIENT_SECRET":
-			out.Values[i] = ec._Env_MICROSOFT_CLIENT_SECRET(ctx, field, obj)
-		case "MICROSOFT_ACTIVE_DIRECTORY_TENANT_ID":
-			out.Values[i] = ec._Env_MICROSOFT_ACTIVE_DIRECTORY_TENANT_ID(ctx, field, obj)
-		case "TWITCH_CLIENT_ID":
-			out.Values[i] = ec._Env_TWITCH_CLIENT_ID(ctx, field, obj)
-		case "TWITCH_CLIENT_SECRET":
-			out.Values[i] = ec._Env_TWITCH_CLIENT_SECRET(ctx, field, obj)
-		case "ROBLOX_CLIENT_ID":
-			out.Values[i] = ec._Env_ROBLOX_CLIENT_ID(ctx, field, obj)
-		case "ROBLOX_CLIENT_SECRET":
-			out.Values[i] = ec._Env_ROBLOX_CLIENT_SECRET(ctx, field, obj)
-		case "ORGANIZATION_NAME":
-			out.Values[i] = ec._Env_ORGANIZATION_NAME(ctx, field, obj)
-		case "ORGANIZATION_LOGO":
-			out.Values[i] = ec._Env_ORGANIZATION_LOGO(ctx, field, obj)
-		case "APP_COOKIE_SECURE":
-			out.Values[i] = ec._Env_APP_COOKIE_SECURE(ctx, field, obj)
+		default:
+			panic("unknown field " + strconv.Quote(field.Name))
+		}
+	}
+	out.Dispatch(ctx)
+	if out.Invalids > 0 {
+		return graphql.Null
+	}
+
+	atomic.AddInt32(&ec.deferred, int32(len(deferred)))
+
+	for label, dfs := range deferred {
+		ec.processDeferredGroup(graphql.DeferredGroup{
+			Label:    label,
+			Path:     graphql.GetPath(ctx),
+			FieldSet: dfs,
+			Context:  ctx,
+		})
+	}
+
+	return out
+}
+
+var fgaModelImplementors = []string{"FgaModel"}
+
+func (ec *executionContext) _FgaModel(ctx context.Context, sel ast.SelectionSet, obj *model.FgaModel) graphql.Marshaler {
+	fields := graphql.CollectFields(ec.OperationContext, sel, fgaModelImplementors)
+
+	out := graphql.NewFieldSet(fields)
+	deferred := make(map[string]*graphql.FieldSet)
+	for i, field := range fields {
+		switch field.Name {
+		case "__typename":
+			out.Values[i] = graphql.MarshalString("FgaModel")
+		case "id":
+			out.Values[i] = ec._FgaModel_id(ctx, field, obj)
 			if out.Values[i] == graphql.Null {
 				out.Invalids++
 			}
-		case "ADMIN_COOKIE_SECURE":
-			out.Values[i] = ec._Env_ADMIN_COOKIE_SECURE(ctx, field, obj)
+		case "dsl":
+			out.Values[i] = ec._FgaModel_dsl(ctx, field, obj)
 			if out.Values[i] == graphql.Null {
 				out.Invalids++
 			}
-		case "DEFAULT_AUTHORIZE_RESPONSE_TYPE":
-			out.Values[i] = ec._Env_DEFAULT_AUTHORIZE_RESPONSE_TYPE(ctx, field, obj)
-		case "DEFAULT_AUTHORIZE_RESPONSE_MODE":
-			out.Values[i] = ec._Env_DEFAULT_AUTHORIZE_RESPONSE_MODE(ctx, field, obj)
-		case "DISABLE_PLAYGROUND":
-			out.Values[i] = ec._Env_DISABLE_PLAYGROUND(ctx, field, obj)
+		default:
+			panic("unknown field " + strconv.Quote(field.Name))
+		}
+	}
+	out.Dispatch(ctx)
+	if out.Invalids > 0 {
+		return graphql.Null
+	}
+
+	atomic.AddInt32(&ec.deferred, int32(len(deferred)))
+
+	for label, dfs := range deferred {
+		ec.processDeferredGroup(graphql.DeferredGroup{
+			Label:    label,
+			Path:     graphql.GetPath(ctx),
+			FieldSet: dfs,
+			Context:  ctx,
+		})
+	}
+
+	return out
+}
+
+var fgaTupleImplementors = []string{"FgaTuple"}
+
+func (ec *executionContext) _FgaTuple(ctx context.Context, sel ast.SelectionSet, obj *model.FgaTuple) graphql.Marshaler {
+	fields := graphql.CollectFields(ec.OperationContext, sel, fgaTupleImplementors)
+
+	out := graphql.NewFieldSet(fields)
+	deferred := make(map[string]*graphql.FieldSet)
+	for i, field := range fields {
+		switch field.Name {
+		case "__typename":
+			out.Values[i] = graphql.MarshalString("FgaTuple")
+		case "user":
+			out.Values[i] = ec._FgaTuple_user(ctx, field, obj)
 			if out.Values[i] == graphql.Null {
 				out.Invalids++
 			}
-		case "DISABLE_MAIL_OTP_LOGIN":
-			out.Values[i] = ec._Env_DISABLE_MAIL_OTP_LOGIN(ctx, field, obj)
+		case "relation":
+			out.Values[i] = ec._FgaTuple_relation(ctx, field, obj)
 			if out.Values[i] == graphql.Null {
 				out.Invalids++
 			}
-		case "DISABLE_TOTP_LOGIN":
-			out.Values[i] = ec._Env_DISABLE_TOTP_LOGIN(ctx, field, obj)
+		case "object":
+			out.Values[i] = ec._FgaTuple_object(ctx, field, obj)
 			if out.Values[i] == graphql.Null {
 				out.Invalids++
 			}
@@ -26360,27 +23175,24 @@ func (ec *executionContext) _Env(ctx context.Context, sel ast.SelectionSet, obj
 	return out
 }
 
-var errorImplementors = []string{"Error"}
+var fgaTuplesImplementors = []string{"FgaTuples"}
 
-func (ec *executionContext) _Error(ctx context.Context, sel ast.SelectionSet, obj *model.Error) graphql.Marshaler {
-	fields := graphql.CollectFields(ec.OperationContext, sel, errorImplementors)
+func (ec *executionContext) _FgaTuples(ctx context.Context, sel ast.SelectionSet, obj *model.FgaTuples) graphql.Marshaler {
+	fields := graphql.CollectFields(ec.OperationContext, sel, fgaTuplesImplementors)
 
 	out := graphql.NewFieldSet(fields)
 	deferred := make(map[string]*graphql.FieldSet)
 	for i, field := range fields {
 		switch field.Name {
 		case "__typename":
-			out.Values[i] = graphql.MarshalString("Error")
-		case "message":
-			out.Values[i] = ec._Error_message(ctx, field, obj)
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
-			}
-		case "reason":
-			out.Values[i] = ec._Error_reason(ctx, field, obj)
+			out.Values[i] = graphql.MarshalString("FgaTuples")
+		case "tuples":
+			out.Values[i] = ec._FgaTuples_tuples(ctx, field, obj)
 			if out.Values[i] == graphql.Null {
 				out.Invalids++
 			}
+		case "continuation_token":
+			out.Values[i] = ec._FgaTuples_continuation_token(ctx, field, obj)
 		default:
 			panic("unknown field " + strconv.Quote(field.Name))
 		}
@@ -26801,191 +23613,128 @@ func (ec *executionContext) _Mutation(ctx context.Context, sel ast.SelectionSet)
 			if out.Values[i] == graphql.Null {
 				out.Invalids++
 			}
-		case "_admin_signup":
-			out.Values[i] = ec.OperationContext.RootResolverMiddleware(innerCtx, func(ctx context.Context) (res graphql.Marshaler) {
-				return ec._Mutation__admin_signup(ctx, field)
-			})
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
-			}
-		case "_admin_login":
-			out.Values[i] = ec.OperationContext.RootResolverMiddleware(innerCtx, func(ctx context.Context) (res graphql.Marshaler) {
-				return ec._Mutation__admin_login(ctx, field)
-			})
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
-			}
-		case "_admin_logout":
-			out.Values[i] = ec.OperationContext.RootResolverMiddleware(innerCtx, func(ctx context.Context) (res graphql.Marshaler) {
-				return ec._Mutation__admin_logout(ctx, field)
-			})
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
-			}
-		case "_update_env":
-			out.Values[i] = ec.OperationContext.RootResolverMiddleware(innerCtx, func(ctx context.Context) (res graphql.Marshaler) {
-				return ec._Mutation__update_env(ctx, field)
-			})
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
-			}
-		case "_invite_members":
-			out.Values[i] = ec.OperationContext.RootResolverMiddleware(innerCtx, func(ctx context.Context) (res graphql.Marshaler) {
-				return ec._Mutation__invite_members(ctx, field)
-			})
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
-			}
-		case "_revoke_access":
-			out.Values[i] = ec.OperationContext.RootResolverMiddleware(innerCtx, func(ctx context.Context) (res graphql.Marshaler) {
-				return ec._Mutation__revoke_access(ctx, field)
-			})
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
-			}
-		case "_enable_access":
-			out.Values[i] = ec.OperationContext.RootResolverMiddleware(innerCtx, func(ctx context.Context) (res graphql.Marshaler) {
-				return ec._Mutation__enable_access(ctx, field)
-			})
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
-			}
-		case "_generate_jwt_keys":
-			out.Values[i] = ec.OperationContext.RootResolverMiddleware(innerCtx, func(ctx context.Context) (res graphql.Marshaler) {
-				return ec._Mutation__generate_jwt_keys(ctx, field)
-			})
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
-			}
-		case "_add_webhook":
-			out.Values[i] = ec.OperationContext.RootResolverMiddleware(innerCtx, func(ctx context.Context) (res graphql.Marshaler) {
-				return ec._Mutation__add_webhook(ctx, field)
-			})
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
-			}
-		case "_update_webhook":
+		case "_admin_signup":
 			out.Values[i] = ec.OperationContext.RootResolverMiddleware(innerCtx, func(ctx context.Context) (res graphql.Marshaler) {
-				return ec._Mutation__update_webhook(ctx, field)
+				return ec._Mutation__admin_signup(ctx, field)
 			})
 			if out.Values[i] == graphql.Null {
 				out.Invalids++
 			}
-		case "_delete_webhook":
+		case "_admin_login":
 			out.Values[i] = ec.OperationContext.RootResolverMiddleware(innerCtx, func(ctx context.Context) (res graphql.Marshaler) {
-				return ec._Mutation__delete_webhook(ctx, field)
+				return ec._Mutation__admin_login(ctx, field)
 			})
 			if out.Values[i] == graphql.Null {
 				out.Invalids++
 			}
-		case "_test_endpoint":
+		case "_admin_logout":
 			out.Values[i] = ec.OperationContext.RootResolverMiddleware(innerCtx, func(ctx context.Context) (res graphql.Marshaler) {
-				return ec._Mutation__test_endpoint(ctx, field)
+				return ec._Mutation__admin_logout(ctx, field)
 			})
 			if out.Values[i] == graphql.Null {
 				out.Invalids++
 			}
-		case "_add_email_template":
+		case "_update_env":
 			out.Values[i] = ec.OperationContext.RootResolverMiddleware(innerCtx, func(ctx context.Context) (res graphql.Marshaler) {
-				return ec._Mutation__add_email_template(ctx, field)
+				return ec._Mutation__update_env(ctx, field)
 			})
 			if out.Values[i] == graphql.Null {
 				out.Invalids++
 			}
-		case "_update_email_template":
+		case "_invite_members":
 			out.Values[i] = ec.OperationContext.RootResolverMiddleware(innerCtx, func(ctx context.Context) (res graphql.Marshaler) {
-				return ec._Mutation__update_email_template(ctx, field)
+				return ec._Mutation__invite_members(ctx, field)
 			})
 			if out.Values[i] == graphql.Null {
 				out.Invalids++
 			}
-		case "_delete_email_template":
+		case "_revoke_access":
 			out.Values[i] = ec.OperationContext.RootResolverMiddleware(innerCtx, func(ctx context.Context) (res graphql.Marshaler) {
-				return ec._Mutation__delete_email_template(ctx, field)
+				return ec._Mutation__revoke_access(ctx, field)
 			})
 			if out.Values[i] == graphql.Null {
 				out.Invalids++
 			}
-		case "_authz_add_resource":
+		case "_enable_access":
 			out.Values[i] = ec.OperationContext.RootResolverMiddleware(innerCtx, func(ctx context.Context) (res graphql.Marshaler) {
-				return ec._Mutation__authz_add_resource(ctx, field)
+				return ec._Mutation__enable_access(ctx, field)
 			})
 			if out.Values[i] == graphql.Null {
 				out.Invalids++
 			}
-		case "_authz_update_resource":
+		case "_generate_jwt_keys":
 			out.Values[i] = ec.OperationContext.RootResolverMiddleware(innerCtx, func(ctx context.Context) (res graphql.Marshaler) {
-				return ec._Mutation__authz_update_resource(ctx, field)
+				return ec._Mutation__generate_jwt_keys(ctx, field)
 			})
 			if out.Values[i] == graphql.Null {
 				out.Invalids++
 			}
-		case "_authz_delete_resource":
+		case "_add_webhook":
 			out.Values[i] = ec.OperationContext.RootResolverMiddleware(innerCtx, func(ctx context.Context) (res graphql.Marshaler) {
-				return ec._Mutation__authz_delete_resource(ctx, field)
+				return ec._Mutation__add_webhook(ctx, field)
 			})
 			if out.Values[i] == graphql.Null {
 				out.Invalids++
 			}
-		case "_authz_add_scope":
+		case "_update_webhook":
 			out.Values[i] = ec.OperationContext.RootResolverMiddleware(innerCtx, func(ctx context.Context) (res graphql.Marshaler) {
-				return ec._Mutation__authz_add_scope(ctx, field)
+				return ec._Mutation__update_webhook(ctx, field)
 			})
 			if out.Values[i] == graphql.Null {
 				out.Invalids++
 			}
-		case "_authz_update_scope":
+		case "_delete_webhook":
 			out.Values[i] = ec.OperationContext.RootResolverMiddleware(innerCtx, func(ctx context.Context) (res graphql.Marshaler) {
-				return ec._Mutation__authz_update_scope(ctx, field)
+				return ec._Mutation__delete_webhook(ctx, field)
 			})
 			if out.Values[i] == graphql.Null {
 				out.Invalids++
 			}
-		case "_authz_delete_scope":
+		case "_test_endpoint":
 			out.Values[i] = ec.OperationContext.RootResolverMiddleware(innerCtx, func(ctx context.Context) (res graphql.Marshaler) {
-				return ec._Mutation__authz_delete_scope(ctx, field)
+				return ec._Mutation__test_endpoint(ctx, field)
 			})
 			if out.Values[i] == graphql.Null {
 				out.Invalids++
 			}
-		case "_authz_add_policy":
+		case "_add_email_template":
 			out.Values[i] = ec.OperationContext.RootResolverMiddleware(innerCtx, func(ctx context.Context) (res graphql.Marshaler) {
-				return ec._Mutation__authz_add_policy(ctx, field)
+				return ec._Mutation__add_email_template(ctx, field)
 			})
 			if out.Values[i] == graphql.Null {
 				out.Invalids++
 			}
-		case "_authz_update_policy":
+		case "_update_email_template":
 			out.Values[i] = ec.OperationContext.RootResolverMiddleware(innerCtx, func(ctx context.Context) (res graphql.Marshaler) {
-				return ec._Mutation__authz_update_policy(ctx, field)
+				return ec._Mutation__update_email_template(ctx, field)
 			})
 			if out.Values[i] == graphql.Null {
 				out.Invalids++
 			}
-		case "_authz_delete_policy":
+		case "_delete_email_template":
 			out.Values[i] = ec.OperationContext.RootResolverMiddleware(innerCtx, func(ctx context.Context) (res graphql.Marshaler) {
-				return ec._Mutation__authz_delete_policy(ctx, field)
+				return ec._Mutation__delete_email_template(ctx, field)
 			})
 			if out.Values[i] == graphql.Null {
 				out.Invalids++
 			}
-		case "_authz_add_permission":
+		case "_fga_write_model":
 			out.Values[i] = ec.OperationContext.RootResolverMiddleware(innerCtx, func(ctx context.Context) (res graphql.Marshaler) {
-				return ec._Mutation__authz_add_permission(ctx, field)
+				return ec._Mutation__fga_write_model(ctx, field)
 			})
 			if out.Values[i] == graphql.Null {
 				out.Invalids++
 			}
-		case "_authz_update_permission":
+		case "_fga_write_tuples":
 			out.Values[i] = ec.OperationContext.RootResolverMiddleware(innerCtx, func(ctx context.Context) (res graphql.Marshaler) {
-				return ec._Mutation__authz_update_permission(ctx, field)
+				return ec._Mutation__fga_write_tuples(ctx, field)
 			})
 			if out.Values[i] == graphql.Null {
 				out.Invalids++
 			}
-		case "_authz_delete_permission":
+		case "_fga_delete_tuples":
 			out.Values[i] = ec.OperationContext.RootResolverMiddleware(innerCtx, func(ctx context.Context) (res graphql.Marshaler) {
-				return ec._Mutation__authz_delete_permission(ctx, field)
+				return ec._Mutation__fga_delete_tuples(ctx, field)
 			})
 			if out.Values[i] == graphql.Null {
 				out.Invalids++
@@ -27067,50 +23816,6 @@ func (ec *executionContext) _Pagination(ctx context.Context, sel ast.SelectionSe
 	return out
 }
 
-var permissionImplementors = []string{"Permission"}
-
-func (ec *executionContext) _Permission(ctx context.Context, sel ast.SelectionSet, obj *model.Permission) graphql.Marshaler {
-	fields := graphql.CollectFields(ec.OperationContext, sel, permissionImplementors)
-
-	out := graphql.NewFieldSet(fields)
-	deferred := make(map[string]*graphql.FieldSet)
-	for i, field := range fields {
-		switch field.Name {
-		case "__typename":
-			out.Values[i] = graphql.MarshalString("Permission")
-		case "resource":
-			out.Values[i] = ec._Permission_resource(ctx, field, obj)
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
-			}
-		case "scope":
-			out.Values[i] = ec._Permission_scope(ctx, field, obj)
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
-			}
-		default:
-			panic("unknown field " + strconv.Quote(field.Name))
-		}
-	}
-	out.Dispatch(ctx)
-	if out.Invalids > 0 {
-		return graphql.Null
-	}
-
-	atomic.AddInt32(&ec.deferred, int32(len(deferred)))
-
-	for label, dfs := range deferred {
-		ec.processDeferredGroup(graphql.DeferredGroup{
-			Label:    label,
-			Path:     graphql.GetPath(ctx),
-			FieldSet: dfs,
-			Context:  ctx,
-		})
-	}
-
-	return out
-}
-
 var queryImplementors = []string{"Query"}
 
 func (ec *executionContext) _Query(ctx context.Context, sel ast.SelectionSet) graphql.Marshaler {
@@ -27460,7 +24165,7 @@ func (ec *executionContext) _Query(ctx context.Context, sel ast.SelectionSet) gr
 			}
 
 			out.Concurrently(i, func(ctx context.Context) graphql.Marshaler { return rrm(innerCtx) })
-		case "_authz_resources":
+		case "_fga_get_model":
 			field := field
 
 			innerFunc := func(ctx context.Context, fs *graphql.FieldSet) (res graphql.Marshaler) {
@@ -27469,7 +24174,7 @@ func (ec *executionContext) _Query(ctx context.Context, sel ast.SelectionSet) gr
 						ec.Error(ctx, ec.Recover(ctx, r))
 					}
 				}()
-				res = ec._Query__authz_resources(ctx, field)
+				res = ec._Query__fga_get_model(ctx, field)
 				if res == graphql.Null {
 					atomic.AddUint32(&fs.Invalids, 1)
 				}
@@ -27482,7 +24187,7 @@ func (ec *executionContext) _Query(ctx context.Context, sel ast.SelectionSet) gr
 			}
 
 			out.Concurrently(i, func(ctx context.Context) graphql.Marshaler { return rrm(innerCtx) })
-		case "_authz_scopes":
+		case "_fga_read_tuples":
 			field := field
 
 			innerFunc := func(ctx context.Context, fs *graphql.FieldSet) (res graphql.Marshaler) {
@@ -27491,7 +24196,7 @@ func (ec *executionContext) _Query(ctx context.Context, sel ast.SelectionSet) gr
 						ec.Error(ctx, ec.Recover(ctx, r))
 					}
 				}()
-				res = ec._Query__authz_scopes(ctx, field)
+				res = ec._Query__fga_read_tuples(ctx, field)
 				if res == graphql.Null {
 					atomic.AddUint32(&fs.Invalids, 1)
 				}
@@ -27504,7 +24209,7 @@ func (ec *executionContext) _Query(ctx context.Context, sel ast.SelectionSet) gr
 			}
 
 			out.Concurrently(i, func(ctx context.Context) graphql.Marshaler { return rrm(innerCtx) })
-		case "_authz_policies":
+		case "fga_check":
 			field := field
 
 			innerFunc := func(ctx context.Context, fs *graphql.FieldSet) (res graphql.Marshaler) {
@@ -27513,7 +24218,7 @@ func (ec *executionContext) _Query(ctx context.Context, sel ast.SelectionSet) gr
 						ec.Error(ctx, ec.Recover(ctx, r))
 					}
 				}()
-				res = ec._Query__authz_policies(ctx, field)
+				res = ec._Query_fga_check(ctx, field)
 				if res == graphql.Null {
 					atomic.AddUint32(&fs.Invalids, 1)
 				}
@@ -27526,7 +24231,7 @@ func (ec *executionContext) _Query(ctx context.Context, sel ast.SelectionSet) gr
 			}
 
 			out.Concurrently(i, func(ctx context.Context) graphql.Marshaler { return rrm(innerCtx) })
-		case "_authz_permissions":
+		case "fga_batch_check":
 			field := field
 
 			innerFunc := func(ctx context.Context, fs *graphql.FieldSet) (res graphql.Marshaler) {
@@ -27535,7 +24240,7 @@ func (ec *executionContext) _Query(ctx context.Context, sel ast.SelectionSet) gr
 						ec.Error(ctx, ec.Recover(ctx, r))
 					}
 				}()
-				res = ec._Query__authz_permissions(ctx, field)
+				res = ec._Query_fga_batch_check(ctx, field)
 				if res == graphql.Null {
 					atomic.AddUint32(&fs.Invalids, 1)
 				}
@@ -27548,7 +24253,7 @@ func (ec *executionContext) _Query(ctx context.Context, sel ast.SelectionSet) gr
 			}
 
 			out.Concurrently(i, func(ctx context.Context) graphql.Marshaler { return rrm(innerCtx) })
-		case "permissions":
+		case "fga_list_objects":
 			field := field
 
 			innerFunc := func(ctx context.Context, fs *graphql.FieldSet) (res graphql.Marshaler) {
@@ -27557,7 +24262,7 @@ func (ec *executionContext) _Query(ctx context.Context, sel ast.SelectionSet) gr
 						ec.Error(ctx, ec.Recover(ctx, r))
 					}
 				}()
-				res = ec._Query_permissions(ctx, field)
+				res = ec._Query_fga_list_objects(ctx, field)
 				if res == graphql.Null {
 					atomic.AddUint32(&fs.Invalids, 1)
 				}
@@ -28527,26 +25232,6 @@ func (ec *executionContext) unmarshalNAddEmailTemplateRequest2githubᚗcomᚋaut
 	return res, graphql.ErrorOnPath(ctx, err)
 }
 
-func (ec *executionContext) unmarshalNAddPermissionInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAddPermissionInput(ctx context.Context, v any) (model.AddPermissionInput, error) {
-	res, err := ec.unmarshalInputAddPermissionInput(ctx, v)
-	return res, graphql.ErrorOnPath(ctx, err)
-}
-
-func (ec *executionContext) unmarshalNAddPolicyInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAddPolicyInput(ctx context.Context, v any) (model.AddPolicyInput, error) {
-	res, err := ec.unmarshalInputAddPolicyInput(ctx, v)
-	return res, graphql.ErrorOnPath(ctx, err)
-}
-
-func (ec *executionContext) unmarshalNAddResourceInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAddResourceInput(ctx context.Context, v any) (model.AddResourceInput, error) {
-	res, err := ec.unmarshalInputAddResourceInput(ctx, v)
-	return res, graphql.ErrorOnPath(ctx, err)
-}
-
-func (ec *executionContext) unmarshalNAddScopeInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAddScopeInput(ctx context.Context, v any) (model.AddScopeInput, error) {
-	res, err := ec.unmarshalInputAddScopeInput(ctx, v)
-	return res, graphql.ErrorOnPath(ctx, err)
-}
-
 func (ec *executionContext) unmarshalNAddWebhookRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAddWebhookRequest(ctx context.Context, v any) (model.AddWebhookRequest, error) {
 	res, err := ec.unmarshalInputAddWebhookRequest(ctx, v)
 	return res, graphql.ErrorOnPath(ctx, err)
@@ -28644,151 +25329,33 @@ func (ec *executionContext) marshalNAuthResponse2ᚖgithubᚗcomᚋauthorizerdev
 	return ec._AuthResponse(ctx, sel, v)
 }
 
-func (ec *executionContext) marshalNAuthzPermission2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzPermission(ctx context.Context, sel ast.SelectionSet, v model.AuthzPermission) graphql.Marshaler {
-	return ec._AuthzPermission(ctx, sel, &v)
-}
-
-func (ec *executionContext) marshalNAuthzPermission2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzPermissionᚄ(ctx context.Context, sel ast.SelectionSet, v []*model.AuthzPermission) graphql.Marshaler {
-	ret := make(graphql.Array, len(v))
-	var wg sync.WaitGroup
-	isLen1 := len(v) == 1
-	if !isLen1 {
-		wg.Add(len(v))
-	}
-	for i := range v {
-		i := i
-		fc := &graphql.FieldContext{
-			Index:  &i,
-			Result: &v[i],
-		}
-		ctx := graphql.WithFieldContext(ctx, fc)
-		f := func(i int) {
-			defer func() {
-				if r := recover(); r != nil {
-					ec.Error(ctx, ec.Recover(ctx, r))
-					ret = nil
-				}
-			}()
-			if !isLen1 {
-				defer wg.Done()
-			}
-			ret[i] = ec.marshalNAuthzPermission2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzPermission(ctx, sel, v[i])
-		}
-		if isLen1 {
-			f(i)
-		} else {
-			go f(i)
-		}
-
-	}
-	wg.Wait()
-
-	for _, e := range ret {
-		if e == graphql.Null {
-			return graphql.Null
-		}
-	}
-
-	return ret
-}
-
-func (ec *executionContext) marshalNAuthzPermission2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzPermission(ctx context.Context, sel ast.SelectionSet, v *model.AuthzPermission) graphql.Marshaler {
-	if v == nil {
-		if !graphql.HasFieldError(ctx, graphql.GetFieldContext(ctx)) {
-			ec.Errorf(ctx, "the requested element is null which the schema does not allow")
-		}
-		return graphql.Null
-	}
-	return ec._AuthzPermission(ctx, sel, v)
-}
-
-func (ec *executionContext) marshalNAuthzPermissions2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzPermissions(ctx context.Context, sel ast.SelectionSet, v model.AuthzPermissions) graphql.Marshaler {
-	return ec._AuthzPermissions(ctx, sel, &v)
-}
-
-func (ec *executionContext) marshalNAuthzPermissions2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzPermissions(ctx context.Context, sel ast.SelectionSet, v *model.AuthzPermissions) graphql.Marshaler {
-	if v == nil {
-		if !graphql.HasFieldError(ctx, graphql.GetFieldContext(ctx)) {
-			ec.Errorf(ctx, "the requested element is null which the schema does not allow")
-		}
-		return graphql.Null
-	}
-	return ec._AuthzPermissions(ctx, sel, v)
-}
-
-func (ec *executionContext) marshalNAuthzPolicies2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzPolicies(ctx context.Context, sel ast.SelectionSet, v model.AuthzPolicies) graphql.Marshaler {
-	return ec._AuthzPolicies(ctx, sel, &v)
+func (ec *executionContext) unmarshalNBoolean2bool(ctx context.Context, v any) (bool, error) {
+	res, err := graphql.UnmarshalBoolean(v)
+	return res, graphql.ErrorOnPath(ctx, err)
 }
 
-func (ec *executionContext) marshalNAuthzPolicies2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzPolicies(ctx context.Context, sel ast.SelectionSet, v *model.AuthzPolicies) graphql.Marshaler {
-	if v == nil {
+func (ec *executionContext) marshalNBoolean2bool(ctx context.Context, sel ast.SelectionSet, v bool) graphql.Marshaler {
+	_ = sel
+	res := graphql.MarshalBoolean(v)
+	if res == graphql.Null {
 		if !graphql.HasFieldError(ctx, graphql.GetFieldContext(ctx)) {
 			ec.Errorf(ctx, "the requested element is null which the schema does not allow")
 		}
-		return graphql.Null
 	}
-	return ec._AuthzPolicies(ctx, sel, v)
-}
-
-func (ec *executionContext) marshalNAuthzPolicy2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzPolicy(ctx context.Context, sel ast.SelectionSet, v model.AuthzPolicy) graphql.Marshaler {
-	return ec._AuthzPolicy(ctx, sel, &v)
+	return res
 }
 
-func (ec *executionContext) marshalNAuthzPolicy2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzPolicyᚄ(ctx context.Context, sel ast.SelectionSet, v []*model.AuthzPolicy) graphql.Marshaler {
-	ret := make(graphql.Array, len(v))
-	var wg sync.WaitGroup
-	isLen1 := len(v) == 1
-	if !isLen1 {
-		wg.Add(len(v))
-	}
-	for i := range v {
-		i := i
-		fc := &graphql.FieldContext{
-			Index:  &i,
-			Result: &v[i],
-		}
-		ctx := graphql.WithFieldContext(ctx, fc)
-		f := func(i int) {
-			defer func() {
-				if r := recover(); r != nil {
-					ec.Error(ctx, ec.Recover(ctx, r))
-					ret = nil
-				}
-			}()
-			if !isLen1 {
-				defer wg.Done()
-			}
-			ret[i] = ec.marshalNAuthzPolicy2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzPolicy(ctx, sel, v[i])
-		}
-		if isLen1 {
-			f(i)
-		} else {
-			go f(i)
-		}
-
-	}
-	wg.Wait()
-
-	for _, e := range ret {
-		if e == graphql.Null {
-			return graphql.Null
-		}
-	}
-
-	return ret
+func (ec *executionContext) unmarshalNDeleteEmailTemplateRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐDeleteEmailTemplateRequest(ctx context.Context, v any) (model.DeleteEmailTemplateRequest, error) {
+	res, err := ec.unmarshalInputDeleteEmailTemplateRequest(ctx, v)
+	return res, graphql.ErrorOnPath(ctx, err)
 }
 
-func (ec *executionContext) marshalNAuthzPolicy2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzPolicy(ctx context.Context, sel ast.SelectionSet, v *model.AuthzPolicy) graphql.Marshaler {
-	if v == nil {
-		if !graphql.HasFieldError(ctx, graphql.GetFieldContext(ctx)) {
-			ec.Errorf(ctx, "the requested element is null which the schema does not allow")
-		}
-		return graphql.Null
-	}
-	return ec._AuthzPolicy(ctx, sel, v)
+func (ec *executionContext) unmarshalNDeleteUserRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐDeleteUserRequest(ctx context.Context, v any) (model.DeleteUserRequest, error) {
+	res, err := ec.unmarshalInputDeleteUserRequest(ctx, v)
+	return res, graphql.ErrorOnPath(ctx, err)
 }
 
-func (ec *executionContext) marshalNAuthzPolicyTarget2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzPolicyTargetᚄ(ctx context.Context, sel ast.SelectionSet, v []*model.AuthzPolicyTarget) graphql.Marshaler {
+func (ec *executionContext) marshalNEmailTemplate2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐEmailTemplateᚄ(ctx context.Context, sel ast.SelectionSet, v []*model.EmailTemplate) graphql.Marshaler {
 	ret := make(graphql.Array, len(v))
 	var wg sync.WaitGroup
 	isLen1 := len(v) == 1
@@ -28812,7 +25379,7 @@ func (ec *executionContext) marshalNAuthzPolicyTarget2ᚕᚖgithubᚗcomᚋautho
 			if !isLen1 {
 				defer wg.Done()
 			}
-			ret[i] = ec.marshalNAuthzPolicyTarget2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzPolicyTarget(ctx, sel, v[i])
+			ret[i] = ec.marshalNEmailTemplate2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐEmailTemplate(ctx, sel, v[i])
 		}
 		if isLen1 {
 			f(i)
@@ -28832,93 +25399,93 @@ func (ec *executionContext) marshalNAuthzPolicyTarget2ᚕᚖgithubᚗcomᚋautho
 	return ret
 }
 
-func (ec *executionContext) marshalNAuthzPolicyTarget2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzPolicyTarget(ctx context.Context, sel ast.SelectionSet, v *model.AuthzPolicyTarget) graphql.Marshaler {
+func (ec *executionContext) marshalNEmailTemplate2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐEmailTemplate(ctx context.Context, sel ast.SelectionSet, v *model.EmailTemplate) graphql.Marshaler {
 	if v == nil {
 		if !graphql.HasFieldError(ctx, graphql.GetFieldContext(ctx)) {
-			ec.Errorf(ctx, "the requested element is null which the schema does not allow")
-		}
-		return graphql.Null
-	}
-	return ec._AuthzPolicyTarget(ctx, sel, v)
-}
-
-func (ec *executionContext) marshalNAuthzResource2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzResource(ctx context.Context, sel ast.SelectionSet, v model.AuthzResource) graphql.Marshaler {
-	return ec._AuthzResource(ctx, sel, &v)
-}
-
-func (ec *executionContext) marshalNAuthzResource2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzResourceᚄ(ctx context.Context, sel ast.SelectionSet, v []*model.AuthzResource) graphql.Marshaler {
-	ret := make(graphql.Array, len(v))
-	var wg sync.WaitGroup
-	isLen1 := len(v) == 1
-	if !isLen1 {
-		wg.Add(len(v))
-	}
-	for i := range v {
-		i := i
-		fc := &graphql.FieldContext{
-			Index:  &i,
-			Result: &v[i],
-		}
-		ctx := graphql.WithFieldContext(ctx, fc)
-		f := func(i int) {
-			defer func() {
-				if r := recover(); r != nil {
-					ec.Error(ctx, ec.Recover(ctx, r))
-					ret = nil
-				}
-			}()
-			if !isLen1 {
-				defer wg.Done()
-			}
-			ret[i] = ec.marshalNAuthzResource2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzResource(ctx, sel, v[i])
-		}
-		if isLen1 {
-			f(i)
-		} else {
-			go f(i)
+			ec.Errorf(ctx, "the requested element is null which the schema does not allow")
 		}
-
+		return graphql.Null
 	}
-	wg.Wait()
+	return ec._EmailTemplate(ctx, sel, v)
+}
 
-	for _, e := range ret {
-		if e == graphql.Null {
-			return graphql.Null
+func (ec *executionContext) marshalNEmailTemplates2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐEmailTemplates(ctx context.Context, sel ast.SelectionSet, v model.EmailTemplates) graphql.Marshaler {
+	return ec._EmailTemplates(ctx, sel, &v)
+}
+
+func (ec *executionContext) marshalNEmailTemplates2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐEmailTemplates(ctx context.Context, sel ast.SelectionSet, v *model.EmailTemplates) graphql.Marshaler {
+	if v == nil {
+		if !graphql.HasFieldError(ctx, graphql.GetFieldContext(ctx)) {
+			ec.Errorf(ctx, "the requested element is null which the schema does not allow")
 		}
+		return graphql.Null
 	}
+	return ec._EmailTemplates(ctx, sel, v)
+}
 
-	return ret
+func (ec *executionContext) marshalNEnv2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐEnv(ctx context.Context, sel ast.SelectionSet, v model.Env) graphql.Marshaler {
+	return ec._Env(ctx, sel, &v)
 }
 
-func (ec *executionContext) marshalNAuthzResource2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzResource(ctx context.Context, sel ast.SelectionSet, v *model.AuthzResource) graphql.Marshaler {
+func (ec *executionContext) marshalNEnv2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐEnv(ctx context.Context, sel ast.SelectionSet, v *model.Env) graphql.Marshaler {
 	if v == nil {
 		if !graphql.HasFieldError(ctx, graphql.GetFieldContext(ctx)) {
 			ec.Errorf(ctx, "the requested element is null which the schema does not allow")
 		}
 		return graphql.Null
 	}
-	return ec._AuthzResource(ctx, sel, v)
+	return ec._Env(ctx, sel, v)
+}
+
+func (ec *executionContext) unmarshalNFgaBatchCheckInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaBatchCheckInput(ctx context.Context, v any) (model.FgaBatchCheckInput, error) {
+	res, err := ec.unmarshalInputFgaBatchCheckInput(ctx, v)
+	return res, graphql.ErrorOnPath(ctx, err)
 }
 
-func (ec *executionContext) marshalNAuthzResources2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzResources(ctx context.Context, sel ast.SelectionSet, v model.AuthzResources) graphql.Marshaler {
-	return ec._AuthzResources(ctx, sel, &v)
+func (ec *executionContext) marshalNFgaBatchCheckResponse2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaBatchCheckResponse(ctx context.Context, sel ast.SelectionSet, v model.FgaBatchCheckResponse) graphql.Marshaler {
+	return ec._FgaBatchCheckResponse(ctx, sel, &v)
 }
 
-func (ec *executionContext) marshalNAuthzResources2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzResources(ctx context.Context, sel ast.SelectionSet, v *model.AuthzResources) graphql.Marshaler {
+func (ec *executionContext) marshalNFgaBatchCheckResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaBatchCheckResponse(ctx context.Context, sel ast.SelectionSet, v *model.FgaBatchCheckResponse) graphql.Marshaler {
 	if v == nil {
 		if !graphql.HasFieldError(ctx, graphql.GetFieldContext(ctx)) {
 			ec.Errorf(ctx, "the requested element is null which the schema does not allow")
 		}
 		return graphql.Null
 	}
-	return ec._AuthzResources(ctx, sel, v)
+	return ec._FgaBatchCheckResponse(ctx, sel, v)
+}
+
+func (ec *executionContext) unmarshalNFgaCheckInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaCheckInput(ctx context.Context, v any) (model.FgaCheckInput, error) {
+	res, err := ec.unmarshalInputFgaCheckInput(ctx, v)
+	return res, graphql.ErrorOnPath(ctx, err)
+}
+
+func (ec *executionContext) unmarshalNFgaCheckPairInput2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaCheckPairInputᚄ(ctx context.Context, v any) ([]*model.FgaCheckPairInput, error) {
+	var vSlice []any
+	vSlice = graphql.CoerceList(v)
+	var err error
+	res := make([]*model.FgaCheckPairInput, len(vSlice))
+	for i := range vSlice {
+		ctx := graphql.WithPathContext(ctx, graphql.NewPathWithIndex(i))
+		res[i], err = ec.unmarshalNFgaCheckPairInput2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaCheckPairInput(ctx, vSlice[i])
+		if err != nil {
+			return nil, err
+		}
+	}
+	return res, nil
+}
+
+func (ec *executionContext) unmarshalNFgaCheckPairInput2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaCheckPairInput(ctx context.Context, v any) (*model.FgaCheckPairInput, error) {
+	res, err := ec.unmarshalInputFgaCheckPairInput(ctx, v)
+	return &res, graphql.ErrorOnPath(ctx, err)
 }
 
-func (ec *executionContext) marshalNAuthzScope2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzScope(ctx context.Context, sel ast.SelectionSet, v model.AuthzScope) graphql.Marshaler {
-	return ec._AuthzScope(ctx, sel, &v)
+func (ec *executionContext) marshalNFgaCheckResponse2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaCheckResponse(ctx context.Context, sel ast.SelectionSet, v model.FgaCheckResponse) graphql.Marshaler {
+	return ec._FgaCheckResponse(ctx, sel, &v)
 }
 
-func (ec *executionContext) marshalNAuthzScope2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzScopeᚄ(ctx context.Context, sel ast.SelectionSet, v []*model.AuthzScope) graphql.Marshaler {
+func (ec *executionContext) marshalNFgaCheckResponse2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaCheckResponseᚄ(ctx context.Context, sel ast.SelectionSet, v []*model.FgaCheckResponse) graphql.Marshaler {
 	ret := make(graphql.Array, len(v))
 	var wg sync.WaitGroup
 	isLen1 := len(v) == 1
@@ -28942,7 +25509,7 @@ func (ec *executionContext) marshalNAuthzScope2ᚕᚖgithubᚗcomᚋauthorizerde
 			if !isLen1 {
 				defer wg.Done()
 			}
-			ret[i] = ec.marshalNAuthzScope2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzScope(ctx, sel, v[i])
+			ret[i] = ec.marshalNFgaCheckResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaCheckResponse(ctx, sel, v[i])
 		}
 		if isLen1 {
 			f(i)
@@ -28962,57 +25529,60 @@ func (ec *executionContext) marshalNAuthzScope2ᚕᚖgithubᚗcomᚋauthorizerde
 	return ret
 }
 
-func (ec *executionContext) marshalNAuthzScope2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzScope(ctx context.Context, sel ast.SelectionSet, v *model.AuthzScope) graphql.Marshaler {
+func (ec *executionContext) marshalNFgaCheckResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaCheckResponse(ctx context.Context, sel ast.SelectionSet, v *model.FgaCheckResponse) graphql.Marshaler {
 	if v == nil {
 		if !graphql.HasFieldError(ctx, graphql.GetFieldContext(ctx)) {
 			ec.Errorf(ctx, "the requested element is null which the schema does not allow")
 		}
 		return graphql.Null
 	}
-	return ec._AuthzScope(ctx, sel, v)
+	return ec._FgaCheckResponse(ctx, sel, v)
+}
+
+func (ec *executionContext) unmarshalNFgaListObjectsInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaListObjectsInput(ctx context.Context, v any) (model.FgaListObjectsInput, error) {
+	res, err := ec.unmarshalInputFgaListObjectsInput(ctx, v)
+	return res, graphql.ErrorOnPath(ctx, err)
 }
 
-func (ec *executionContext) marshalNAuthzScopes2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzScopes(ctx context.Context, sel ast.SelectionSet, v model.AuthzScopes) graphql.Marshaler {
-	return ec._AuthzScopes(ctx, sel, &v)
+func (ec *executionContext) marshalNFgaListObjectsResponse2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaListObjectsResponse(ctx context.Context, sel ast.SelectionSet, v model.FgaListObjectsResponse) graphql.Marshaler {
+	return ec._FgaListObjectsResponse(ctx, sel, &v)
 }
 
-func (ec *executionContext) marshalNAuthzScopes2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthzScopes(ctx context.Context, sel ast.SelectionSet, v *model.AuthzScopes) graphql.Marshaler {
+func (ec *executionContext) marshalNFgaListObjectsResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaListObjectsResponse(ctx context.Context, sel ast.SelectionSet, v *model.FgaListObjectsResponse) graphql.Marshaler {
 	if v == nil {
 		if !graphql.HasFieldError(ctx, graphql.GetFieldContext(ctx)) {
 			ec.Errorf(ctx, "the requested element is null which the schema does not allow")
 		}
 		return graphql.Null
 	}
-	return ec._AuthzScopes(ctx, sel, v)
+	return ec._FgaListObjectsResponse(ctx, sel, v)
 }
 
-func (ec *executionContext) unmarshalNBoolean2bool(ctx context.Context, v any) (bool, error) {
-	res, err := graphql.UnmarshalBoolean(v)
-	return res, graphql.ErrorOnPath(ctx, err)
+func (ec *executionContext) marshalNFgaModel2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaModel(ctx context.Context, sel ast.SelectionSet, v model.FgaModel) graphql.Marshaler {
+	return ec._FgaModel(ctx, sel, &v)
 }
 
-func (ec *executionContext) marshalNBoolean2bool(ctx context.Context, sel ast.SelectionSet, v bool) graphql.Marshaler {
-	_ = sel
-	res := graphql.MarshalBoolean(v)
-	if res == graphql.Null {
+func (ec *executionContext) marshalNFgaModel2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaModel(ctx context.Context, sel ast.SelectionSet, v *model.FgaModel) graphql.Marshaler {
+	if v == nil {
 		if !graphql.HasFieldError(ctx, graphql.GetFieldContext(ctx)) {
 			ec.Errorf(ctx, "the requested element is null which the schema does not allow")
 		}
+		return graphql.Null
 	}
-	return res
+	return ec._FgaModel(ctx, sel, v)
 }
 
-func (ec *executionContext) unmarshalNDeleteEmailTemplateRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐDeleteEmailTemplateRequest(ctx context.Context, v any) (model.DeleteEmailTemplateRequest, error) {
-	res, err := ec.unmarshalInputDeleteEmailTemplateRequest(ctx, v)
+func (ec *executionContext) unmarshalNFgaReadTuplesInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaReadTuplesInput(ctx context.Context, v any) (model.FgaReadTuplesInput, error) {
+	res, err := ec.unmarshalInputFgaReadTuplesInput(ctx, v)
 	return res, graphql.ErrorOnPath(ctx, err)
 }
 
-func (ec *executionContext) unmarshalNDeleteUserRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐDeleteUserRequest(ctx context.Context, v any) (model.DeleteUserRequest, error) {
-	res, err := ec.unmarshalInputDeleteUserRequest(ctx, v)
-	return res, graphql.ErrorOnPath(ctx, err)
+func (ec *executionContext) unmarshalNFgaRelationInput2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaRelationInput(ctx context.Context, v any) (*model.FgaRelationInput, error) {
+	res, err := ec.unmarshalInputFgaRelationInput(ctx, v)
+	return &res, graphql.ErrorOnPath(ctx, err)
 }
 
-func (ec *executionContext) marshalNEmailTemplate2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐEmailTemplateᚄ(ctx context.Context, sel ast.SelectionSet, v []*model.EmailTemplate) graphql.Marshaler {
+func (ec *executionContext) marshalNFgaTuple2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaTupleᚄ(ctx context.Context, sel ast.SelectionSet, v []*model.FgaTuple) graphql.Marshaler {
 	ret := make(graphql.Array, len(v))
 	var wg sync.WaitGroup
 	isLen1 := len(v) == 1
@@ -29036,7 +25606,7 @@ func (ec *executionContext) marshalNEmailTemplate2ᚕᚖgithubᚗcomᚋauthorize
 			if !isLen1 {
 				defer wg.Done()
 			}
-			ret[i] = ec.marshalNEmailTemplate2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐEmailTemplate(ctx, sel, v[i])
+			ret[i] = ec.marshalNFgaTuple2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaTuple(ctx, sel, v[i])
 		}
 		if isLen1 {
 			f(i)
@@ -29056,42 +25626,58 @@ func (ec *executionContext) marshalNEmailTemplate2ᚕᚖgithubᚗcomᚋauthorize
 	return ret
 }
 
-func (ec *executionContext) marshalNEmailTemplate2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐEmailTemplate(ctx context.Context, sel ast.SelectionSet, v *model.EmailTemplate) graphql.Marshaler {
+func (ec *executionContext) marshalNFgaTuple2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaTuple(ctx context.Context, sel ast.SelectionSet, v *model.FgaTuple) graphql.Marshaler {
 	if v == nil {
 		if !graphql.HasFieldError(ctx, graphql.GetFieldContext(ctx)) {
 			ec.Errorf(ctx, "the requested element is null which the schema does not allow")
 		}
 		return graphql.Null
 	}
-	return ec._EmailTemplate(ctx, sel, v)
-}
-
-func (ec *executionContext) marshalNEmailTemplates2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐEmailTemplates(ctx context.Context, sel ast.SelectionSet, v model.EmailTemplates) graphql.Marshaler {
-	return ec._EmailTemplates(ctx, sel, &v)
+	return ec._FgaTuple(ctx, sel, v)
 }
 
-func (ec *executionContext) marshalNEmailTemplates2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐEmailTemplates(ctx context.Context, sel ast.SelectionSet, v *model.EmailTemplates) graphql.Marshaler {
-	if v == nil {
-		if !graphql.HasFieldError(ctx, graphql.GetFieldContext(ctx)) {
-			ec.Errorf(ctx, "the requested element is null which the schema does not allow")
+func (ec *executionContext) unmarshalNFgaTupleInput2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaTupleInputᚄ(ctx context.Context, v any) ([]*model.FgaTupleInput, error) {
+	var vSlice []any
+	vSlice = graphql.CoerceList(v)
+	var err error
+	res := make([]*model.FgaTupleInput, len(vSlice))
+	for i := range vSlice {
+		ctx := graphql.WithPathContext(ctx, graphql.NewPathWithIndex(i))
+		res[i], err = ec.unmarshalNFgaTupleInput2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaTupleInput(ctx, vSlice[i])
+		if err != nil {
+			return nil, err
 		}
-		return graphql.Null
 	}
-	return ec._EmailTemplates(ctx, sel, v)
+	return res, nil
 }
 
-func (ec *executionContext) marshalNEnv2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐEnv(ctx context.Context, sel ast.SelectionSet, v model.Env) graphql.Marshaler {
-	return ec._Env(ctx, sel, &v)
+func (ec *executionContext) unmarshalNFgaTupleInput2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaTupleInput(ctx context.Context, v any) (*model.FgaTupleInput, error) {
+	res, err := ec.unmarshalInputFgaTupleInput(ctx, v)
+	return &res, graphql.ErrorOnPath(ctx, err)
 }
 
-func (ec *executionContext) marshalNEnv2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐEnv(ctx context.Context, sel ast.SelectionSet, v *model.Env) graphql.Marshaler {
+func (ec *executionContext) marshalNFgaTuples2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaTuples(ctx context.Context, sel ast.SelectionSet, v model.FgaTuples) graphql.Marshaler {
+	return ec._FgaTuples(ctx, sel, &v)
+}
+
+func (ec *executionContext) marshalNFgaTuples2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaTuples(ctx context.Context, sel ast.SelectionSet, v *model.FgaTuples) graphql.Marshaler {
 	if v == nil {
 		if !graphql.HasFieldError(ctx, graphql.GetFieldContext(ctx)) {
 			ec.Errorf(ctx, "the requested element is null which the schema does not allow")
 		}
 		return graphql.Null
 	}
-	return ec._Env(ctx, sel, v)
+	return ec._FgaTuples(ctx, sel, v)
+}
+
+func (ec *executionContext) unmarshalNFgaWriteModelInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaWriteModelInput(ctx context.Context, v any) (model.FgaWriteModelInput, error) {
+	res, err := ec.unmarshalInputFgaWriteModelInput(ctx, v)
+	return res, graphql.ErrorOnPath(ctx, err)
+}
+
+func (ec *executionContext) unmarshalNFgaWriteTuplesInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaWriteTuplesInput(ctx context.Context, v any) (model.FgaWriteTuplesInput, error) {
+	res, err := ec.unmarshalInputFgaWriteTuplesInput(ctx, v)
+	return res, graphql.ErrorOnPath(ctx, err)
 }
 
 func (ec *executionContext) unmarshalNForgotPasswordRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐForgotPasswordRequest(ctx context.Context, v any) (model.ForgotPasswordRequest, error) {
@@ -29153,36 +25739,6 @@ func (ec *executionContext) marshalNID2string(ctx context.Context, sel ast.Selec
 	return res
 }
 
-func (ec *executionContext) unmarshalNID2ᚕstringᚄ(ctx context.Context, v any) ([]string, error) {
-	var vSlice []any
-	vSlice = graphql.CoerceList(v)
-	var err error
-	res := make([]string, len(vSlice))
-	for i := range vSlice {
-		ctx := graphql.WithPathContext(ctx, graphql.NewPathWithIndex(i))
-		res[i], err = ec.unmarshalNID2string(ctx, vSlice[i])
-		if err != nil {
-			return nil, err
-		}
-	}
-	return res, nil
-}
-
-func (ec *executionContext) marshalNID2ᚕstringᚄ(ctx context.Context, sel ast.SelectionSet, v []string) graphql.Marshaler {
-	ret := make(graphql.Array, len(v))
-	for i := range v {
-		ret[i] = ec.marshalNID2string(ctx, sel, v[i])
-	}
-
-	for _, e := range ret {
-		if e == graphql.Null {
-			return graphql.Null
-		}
-	}
-
-	return ret
-}
-
 func (ec *executionContext) unmarshalNInt642int64(ctx context.Context, v any) (int64, error) {
 	res, err := graphql.UnmarshalInt64(v)
 	return res, graphql.ErrorOnPath(ctx, err)
@@ -29262,85 +25818,6 @@ func (ec *executionContext) marshalNPagination2ᚖgithubᚗcomᚋauthorizerdev
 	return ec._Pagination(ctx, sel, v)
 }
 
-func (ec *executionContext) marshalNPermission2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPermissionᚄ(ctx context.Context, sel ast.SelectionSet, v []*model.Permission) graphql.Marshaler {
-	ret := make(graphql.Array, len(v))
-	var wg sync.WaitGroup
-	isLen1 := len(v) == 1
-	if !isLen1 {
-		wg.Add(len(v))
-	}
-	for i := range v {
-		i := i
-		fc := &graphql.FieldContext{
-			Index:  &i,
-			Result: &v[i],
-		}
-		ctx := graphql.WithFieldContext(ctx, fc)
-		f := func(i int) {
-			defer func() {
-				if r := recover(); r != nil {
-					ec.Error(ctx, ec.Recover(ctx, r))
-					ret = nil
-				}
-			}()
-			if !isLen1 {
-				defer wg.Done()
-			}
-			ret[i] = ec.marshalNPermission2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPermission(ctx, sel, v[i])
-		}
-		if isLen1 {
-			f(i)
-		} else {
-			go f(i)
-		}
-
-	}
-	wg.Wait()
-
-	for _, e := range ret {
-		if e == graphql.Null {
-			return graphql.Null
-		}
-	}
-
-	return ret
-}
-
-func (ec *executionContext) marshalNPermission2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPermission(ctx context.Context, sel ast.SelectionSet, v *model.Permission) graphql.Marshaler {
-	if v == nil {
-		if !graphql.HasFieldError(ctx, graphql.GetFieldContext(ctx)) {
-			ec.Errorf(ctx, "the requested element is null which the schema does not allow")
-		}
-		return graphql.Null
-	}
-	return ec._Permission(ctx, sel, v)
-}
-
-func (ec *executionContext) unmarshalNPermissionInput2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPermissionInput(ctx context.Context, v any) (*model.PermissionInput, error) {
-	res, err := ec.unmarshalInputPermissionInput(ctx, v)
-	return &res, graphql.ErrorOnPath(ctx, err)
-}
-
-func (ec *executionContext) unmarshalNPolicyTargetInput2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPolicyTargetInputᚄ(ctx context.Context, v any) ([]*model.PolicyTargetInput, error) {
-	var vSlice []any
-	vSlice = graphql.CoerceList(v)
-	var err error
-	res := make([]*model.PolicyTargetInput, len(vSlice))
-	for i := range vSlice {
-		ctx := graphql.WithPathContext(ctx, graphql.NewPathWithIndex(i))
-		res[i], err = ec.unmarshalNPolicyTargetInput2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPolicyTargetInput(ctx, vSlice[i])
-		if err != nil {
-			return nil, err
-		}
-	}
-	return res, nil
-}
-
-func (ec *executionContext) unmarshalNPolicyTargetInput2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPolicyTargetInput(ctx context.Context, v any) (*model.PolicyTargetInput, error) {
-	res, err := ec.unmarshalInputPolicyTargetInput(ctx, v)
-	return &res, graphql.ErrorOnPath(ctx, err)
-}
-
 func (ec *executionContext) unmarshalNResendOTPRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResendOTPRequest(ctx context.Context, v any) (model.ResendOTPRequest, error) {
 	res, err := ec.unmarshalInputResendOTPRequest(ctx, v)
 	return res, graphql.ErrorOnPath(ctx, err)
@@ -29455,31 +25932,11 @@ func (ec *executionContext) unmarshalNUpdateEnvRequest2githubᚗcomᚋauthorizer
 	return res, graphql.ErrorOnPath(ctx, err)
 }
 
-func (ec *executionContext) unmarshalNUpdatePermissionInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUpdatePermissionInput(ctx context.Context, v any) (model.UpdatePermissionInput, error) {
-	res, err := ec.unmarshalInputUpdatePermissionInput(ctx, v)
-	return res, graphql.ErrorOnPath(ctx, err)
-}
-
-func (ec *executionContext) unmarshalNUpdatePolicyInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUpdatePolicyInput(ctx context.Context, v any) (model.UpdatePolicyInput, error) {
-	res, err := ec.unmarshalInputUpdatePolicyInput(ctx, v)
-	return res, graphql.ErrorOnPath(ctx, err)
-}
-
 func (ec *executionContext) unmarshalNUpdateProfileRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUpdateProfileRequest(ctx context.Context, v any) (model.UpdateProfileRequest, error) {
 	res, err := ec.unmarshalInputUpdateProfileRequest(ctx, v)
 	return res, graphql.ErrorOnPath(ctx, err)
 }
 
-func (ec *executionContext) unmarshalNUpdateResourceInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUpdateResourceInput(ctx context.Context, v any) (model.UpdateResourceInput, error) {
-	res, err := ec.unmarshalInputUpdateResourceInput(ctx, v)
-	return res, graphql.ErrorOnPath(ctx, err)
-}
-
-func (ec *executionContext) unmarshalNUpdateScopeInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUpdateScopeInput(ctx context.Context, v any) (model.UpdateScopeInput, error) {
-	res, err := ec.unmarshalInputUpdateScopeInput(ctx, v)
-	return res, graphql.ErrorOnPath(ctx, err)
-}
-
 func (ec *executionContext) unmarshalNUpdateUserRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐUpdateUserRequest(ctx context.Context, v any) (model.UpdateUserRequest, error) {
 	res, err := ec.unmarshalInputUpdateUserRequest(ctx, v)
 	return res, graphql.ErrorOnPath(ctx, err)
@@ -30101,17 +26558,17 @@ func (ec *executionContext) marshalOBoolean2ᚖbool(ctx context.Context, sel ast
 	return res
 }
 
-func (ec *executionContext) unmarshalOID2ᚕstringᚄ(ctx context.Context, v any) ([]string, error) {
+func (ec *executionContext) unmarshalOFgaRelationInput2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaRelationInputᚄ(ctx context.Context, v any) ([]*model.FgaRelationInput, error) {
 	if v == nil {
 		return nil, nil
 	}
 	var vSlice []any
 	vSlice = graphql.CoerceList(v)
 	var err error
-	res := make([]string, len(vSlice))
+	res := make([]*model.FgaRelationInput, len(vSlice))
 	for i := range vSlice {
 		ctx := graphql.WithPathContext(ctx, graphql.NewPathWithIndex(i))
-		res[i], err = ec.unmarshalNID2string(ctx, vSlice[i])
+		res[i], err = ec.unmarshalNFgaRelationInput2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaRelationInput(ctx, vSlice[i])
 		if err != nil {
 			return nil, err
 		}
@@ -30119,22 +26576,22 @@ func (ec *executionContext) unmarshalOID2ᚕstringᚄ(ctx context.Context, v any
 	return res, nil
 }
 
-func (ec *executionContext) marshalOID2ᚕstringᚄ(ctx context.Context, sel ast.SelectionSet, v []string) graphql.Marshaler {
+func (ec *executionContext) unmarshalOFgaTupleInput2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaTupleInputᚄ(ctx context.Context, v any) ([]*model.FgaTupleInput, error) {
 	if v == nil {
-		return graphql.Null
-	}
-	ret := make(graphql.Array, len(v))
-	for i := range v {
-		ret[i] = ec.marshalNID2string(ctx, sel, v[i])
+		return nil, nil
 	}
-
-	for _, e := range ret {
-		if e == graphql.Null {
-			return graphql.Null
+	var vSlice []any
+	vSlice = graphql.CoerceList(v)
+	var err error
+	res := make([]*model.FgaTupleInput, len(vSlice))
+	for i := range vSlice {
+		ctx := graphql.WithPathContext(ctx, graphql.NewPathWithIndex(i))
+		res[i], err = ec.unmarshalNFgaTupleInput2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaTupleInput(ctx, vSlice[i])
+		if err != nil {
+			return nil, err
 		}
 	}
-
-	return ret
+	return res, nil
 }
 
 func (ec *executionContext) unmarshalOID2ᚖstring(ctx context.Context, v any) (*string, error) {
@@ -30231,42 +26688,6 @@ func (ec *executionContext) unmarshalOPaginationRequest2ᚖgithubᚗcomᚋauthor
 	return &res, graphql.ErrorOnPath(ctx, err)
 }
 
-func (ec *executionContext) unmarshalOPermissionInput2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPermissionInputᚄ(ctx context.Context, v any) ([]*model.PermissionInput, error) {
-	if v == nil {
-		return nil, nil
-	}
-	var vSlice []any
-	vSlice = graphql.CoerceList(v)
-	var err error
-	res := make([]*model.PermissionInput, len(vSlice))
-	for i := range vSlice {
-		ctx := graphql.WithPathContext(ctx, graphql.NewPathWithIndex(i))
-		res[i], err = ec.unmarshalNPermissionInput2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPermissionInput(ctx, vSlice[i])
-		if err != nil {
-			return nil, err
-		}
-	}
-	return res, nil
-}
-
-func (ec *executionContext) unmarshalOPolicyTargetInput2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPolicyTargetInputᚄ(ctx context.Context, v any) ([]*model.PolicyTargetInput, error) {
-	if v == nil {
-		return nil, nil
-	}
-	var vSlice []any
-	vSlice = graphql.CoerceList(v)
-	var err error
-	res := make([]*model.PolicyTargetInput, len(vSlice))
-	for i := range vSlice {
-		ctx := graphql.WithPathContext(ctx, graphql.NewPathWithIndex(i))
-		res[i], err = ec.unmarshalNPolicyTargetInput2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPolicyTargetInput(ctx, vSlice[i])
-		if err != nil {
-			return nil, err
-		}
-	}
-	return res, nil
-}
-
 func (ec *executionContext) unmarshalOSessionQueryRequest2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐSessionQueryRequest(ctx context.Context, v any) (*model.SessionQueryRequest, error) {
 	if v == nil {
 		return nil, nil
diff --git a/internal/graph/model/models_gen.go b/internal/graph/model/models_gen.go
index 028a0b1a..ae7f1c4c 100644
--- a/internal/graph/model/models_gen.go
+++ b/internal/graph/model/models_gen.go
@@ -9,34 +9,6 @@ type AddEmailTemplateRequest struct {
 	Design    *string `json:"design,omitempty"`
 }
 
-type AddPermissionInput struct {
-	Name             string   `json:"name"`
-	Description      *string  `json:"description,omitempty"`
-	ResourceID       string   `json:"resource_id"`
-	ScopeIds         []string `json:"scope_ids"`
-	PolicyIds        []string `json:"policy_ids"`
-	DecisionStrategy *string  `json:"decision_strategy,omitempty"`
-}
-
-type AddPolicyInput struct {
-	Name             string               `json:"name"`
-	Description      *string              `json:"description,omitempty"`
-	Type             string               `json:"type"`
-	Logic            *string              `json:"logic,omitempty"`
-	DecisionStrategy *string              `json:"decision_strategy,omitempty"`
-	Targets          []*PolicyTargetInput `json:"targets"`
-}
-
-type AddResourceInput struct {
-	Name        string  `json:"name"`
-	Description *string `json:"description,omitempty"`
-}
-
-type AddScopeInput struct {
-	Name        string  `json:"name"`
-	Description *string `json:"description,omitempty"`
-}
-
 type AddWebhookRequest struct {
 	EventName        string         `json:"event_name"`
 	EventDescription *string        `json:"event_description,omitempty"`
@@ -87,72 +59,6 @@ type AuthResponse struct {
 	AuthenticatorRecoveryCodes []*string `json:"authenticator_recovery_codes,omitempty"`
 }
 
-type AuthzPermission struct {
-	ID               string         `json:"id"`
-	Name             string         `json:"name"`
-	Description      *string        `json:"description,omitempty"`
-	Resource         *AuthzResource `json:"resource"`
-	Scopes           []*AuthzScope  `json:"scopes"`
-	Policies         []*AuthzPolicy `json:"policies"`
-	DecisionStrategy string         `json:"decision_strategy"`
-	CreatedAt        int64          `json:"created_at"`
-	UpdatedAt        int64          `json:"updated_at"`
-}
-
-type AuthzPermissions struct {
-	Pagination  *Pagination        `json:"pagination"`
-	Permissions []*AuthzPermission `json:"permissions"`
-}
-
-type AuthzPolicies struct {
-	Pagination *Pagination    `json:"pagination"`
-	Policies   []*AuthzPolicy `json:"policies"`
-}
-
-type AuthzPolicy struct {
-	ID               string               `json:"id"`
-	Name             string               `json:"name"`
-	Description      *string              `json:"description,omitempty"`
-	Type             string               `json:"type"`
-	Logic            string               `json:"logic"`
-	DecisionStrategy string               `json:"decision_strategy"`
-	Targets          []*AuthzPolicyTarget `json:"targets"`
-	CreatedAt        int64                `json:"created_at"`
-	UpdatedAt        int64                `json:"updated_at"`
-}
-
-type AuthzPolicyTarget struct {
-	ID          string `json:"id"`
-	TargetType  string `json:"target_type"`
-	TargetValue string `json:"target_value"`
-}
-
-type AuthzResource struct {
-	ID          string  `json:"id"`
-	Name        string  `json:"name"`
-	Description *string `json:"description,omitempty"`
-	CreatedAt   int64   `json:"created_at"`
-	UpdatedAt   int64   `json:"updated_at"`
-}
-
-type AuthzResources struct {
-	Pagination *Pagination      `json:"pagination"`
-	Resources  []*AuthzResource `json:"resources"`
-}
-
-type AuthzScope struct {
-	ID          string  `json:"id"`
-	Name        string  `json:"name"`
-	Description *string `json:"description,omitempty"`
-	CreatedAt   int64   `json:"created_at"`
-	UpdatedAt   int64   `json:"updated_at"`
-}
-
-type AuthzScopes struct {
-	Pagination *Pagination   `json:"pagination"`
-	Scopes     []*AuthzScope `json:"scopes"`
-}
-
 type DeleteEmailTemplateRequest struct {
 	ID string `json:"id"`
 }
@@ -255,6 +161,82 @@ type Error struct {
 	Reason  string `json:"reason"`
 }
 
+type FgaBatchCheckInput struct {
+	Checks []*FgaCheckPairInput `json:"checks"`
+}
+
+type FgaBatchCheckResponse struct {
+	Results []*FgaCheckResponse `json:"results"`
+}
+
+type FgaCheckInput struct {
+	Relation         string           `json:"relation"`
+	Object           string           `json:"object"`
+	ContextualTuples []*FgaTupleInput `json:"contextual_tuples,omitempty"`
+}
+
+type FgaCheckPairInput struct {
+	Relation         string           `json:"relation"`
+	Object           string           `json:"object"`
+	ContextualTuples []*FgaTupleInput `json:"contextual_tuples,omitempty"`
+}
+
+type FgaCheckResponse struct {
+	Allowed bool `json:"allowed"`
+}
+
+type FgaListObjectsInput struct {
+	Relation   string `json:"relation"`
+	ObjectType string `json:"object_type"`
+}
+
+type FgaListObjectsResponse struct {
+	Objects []string `json:"objects"`
+}
+
+type FgaModel struct {
+	ID  string `json:"id"`
+	Dsl string `json:"dsl"`
+}
+
+type FgaReadTuplesInput struct {
+	User              *string `json:"user,omitempty"`
+	Relation          *string `json:"relation,omitempty"`
+	Object            *string `json:"object,omitempty"`
+	PageSize          *int64  `json:"page_size,omitempty"`
+	ContinuationToken *string `json:"continuation_token,omitempty"`
+}
+
+type FgaRelationInput struct {
+	Relation string `json:"relation"`
+	Object   string `json:"object"`
+}
+
+type FgaTuple struct {
+	User     string `json:"user"`
+	Relation string `json:"relation"`
+	Object   string `json:"object"`
+}
+
+type FgaTupleInput struct {
+	User     string `json:"user"`
+	Relation string `json:"relation"`
+	Object   string `json:"object"`
+}
+
+type FgaTuples struct {
+	Tuples            []*FgaTuple `json:"tuples"`
+	ContinuationToken *string     `json:"continuation_token,omitempty"`
+}
+
+type FgaWriteModelInput struct {
+	Dsl string `json:"dsl"`
+}
+
+type FgaWriteTuplesInput struct {
+	Tuples []*FgaTupleInput `json:"tuples"`
+}
+
 type ForgotPasswordRequest struct {
 	Email       *string `json:"email,omitempty"`
 	PhoneNumber *string `json:"phone_number,omitempty"`
@@ -398,21 +380,6 @@ type PaginationRequest struct {
 	Page  *int64 `json:"page,omitempty"`
 }
 
-type Permission struct {
-	Resource string `json:"resource"`
-	Scope    string `json:"scope"`
-}
-
-type PermissionInput struct {
-	Resource string `json:"resource"`
-	Scope    string `json:"scope"`
-}
-
-type PolicyTargetInput struct {
-	TargetType  string `json:"target_type"`
-	TargetValue string `json:"target_value"`
-}
-
 type Query struct {
 }
 
@@ -441,10 +408,10 @@ type Response struct {
 }
 
 type SessionQueryRequest struct {
-	Roles               []string           `json:"roles,omitempty"`
-	Scope               []string           `json:"scope,omitempty"`
-	State               *string            `json:"state,omitempty"`
-	RequiredPermissions []*PermissionInput `json:"required_permissions,omitempty"`
+	Roles             []string            `json:"roles,omitempty"`
+	Scope             []string            `json:"scope,omitempty"`
+	State             *string             `json:"state,omitempty"`
+	RequiredRelations []*FgaRelationInput `json:"required_relations,omitempty"`
 }
 
 type SignUpRequest struct {
@@ -556,24 +523,6 @@ type UpdateEnvRequest struct {
 	DisableTotpLogin                 *bool    `json:"DISABLE_TOTP_LOGIN,omitempty"`
 }
 
-type UpdatePermissionInput struct {
-	ID               string   `json:"id"`
-	Name             *string  `json:"name,omitempty"`
-	Description      *string  `json:"description,omitempty"`
-	ScopeIds         []string `json:"scope_ids,omitempty"`
-	PolicyIds        []string `json:"policy_ids,omitempty"`
-	DecisionStrategy *string  `json:"decision_strategy,omitempty"`
-}
-
-type UpdatePolicyInput struct {
-	ID               string               `json:"id"`
-	Name             *string              `json:"name,omitempty"`
-	Description      *string              `json:"description,omitempty"`
-	Logic            *string              `json:"logic,omitempty"`
-	DecisionStrategy *string              `json:"decision_strategy,omitempty"`
-	Targets          []*PolicyTargetInput `json:"targets,omitempty"`
-}
-
 type UpdateProfileRequest struct {
 	OldPassword              *string        `json:"old_password,omitempty"`
 	NewPassword              *string        `json:"new_password,omitempty"`
@@ -591,18 +540,6 @@ type UpdateProfileRequest struct {
 	AppData                  map[string]any `json:"app_data,omitempty"`
 }
 
-type UpdateResourceInput struct {
-	ID          string  `json:"id"`
-	Name        *string `json:"name,omitempty"`
-	Description *string `json:"description,omitempty"`
-}
-
-type UpdateScopeInput struct {
-	ID          string  `json:"id"`
-	Name        *string `json:"name,omitempty"`
-	Description *string `json:"description,omitempty"`
-}
-
 type UpdateUserRequest struct {
 	ID                       string         `json:"id"`
 	Email                    *string        `json:"email,omitempty"`
@@ -659,10 +596,10 @@ type Users struct {
 }
 
 type ValidateJWTTokenRequest struct {
-	TokenType           string             `json:"token_type"`
-	Token               string             `json:"token"`
-	Roles               []string           `json:"roles,omitempty"`
-	RequiredPermissions []*PermissionInput `json:"required_permissions,omitempty"`
+	TokenType         string              `json:"token_type"`
+	Token             string              `json:"token"`
+	Roles             []string            `json:"roles,omitempty"`
+	RequiredRelations []*FgaRelationInput `json:"required_relations,omitempty"`
 }
 
 type ValidateJWTTokenResponse struct {
@@ -671,9 +608,9 @@ type ValidateJWTTokenResponse struct {
 }
 
 type ValidateSessionRequest struct {
-	Cookie              string             `json:"cookie"`
-	Roles               []string           `json:"roles,omitempty"`
-	RequiredPermissions []*PermissionInput `json:"required_permissions,omitempty"`
+	Cookie            string              `json:"cookie"`
+	Roles             []string            `json:"roles,omitempty"`
+	RequiredRelations []*FgaRelationInput `json:"required_relations,omitempty"`
 }
 
 type ValidateSessionResponse struct {
diff --git a/internal/graph/schema.graphqls b/internal/graph/schema.graphqls
index 152f1ab8..af2598a8 100644
--- a/internal/graph/schema.graphqls
+++ b/internal/graph/schema.graphqls
@@ -110,6 +110,44 @@ type Response {
   message: String!
 }
 
+# ---- Fine-grained authorization (FGA) types ----
+
+# FgaTuple is a single relationship: user is related to object via relation.
+# Identifiers follow OpenFGA conventions: user "user:alice" (or userset
+# "role:admin#assignee"), object "document:1".
+type FgaTuple {
+  user: String!
+  relation: String!
+  object: String!
+}
+
+# FgaModel describes an authorization model (id + DSL form).
+type FgaModel {
+  id: String!
+  dsl: String!
+}
+
+# FgaTuples is a page of tuples plus a continuation token (empty when exhausted).
+type FgaTuples {
+  tuples: [FgaTuple!]!
+  continuation_token: String
+}
+
+# FgaCheckResponse is the result of a single relationship check.
+type FgaCheckResponse {
+  allowed: Boolean!
+}
+
+# FgaBatchCheckResponse is the positionally-aligned result of a batch check.
+type FgaBatchCheckResponse {
+  results: [FgaCheckResponse!]!
+}
+
+# FgaListObjectsResponse lists fully-qualified object ids the caller relates to.
+type FgaListObjectsResponse {
+  objects: [String!]!
+}
+
 type ForgotPasswordResponse {
   message: String!
   should_show_mobile_otp_screen: Boolean
@@ -510,10 +548,10 @@ input SessionQueryRequest {
   # when a session already exists and the login UI auto-detects it,
   # passing state ensures the authorization code state is properly stored
   state: String
-  # required_permissions is an optional list of resource:scope pairs that
-  # must all be granted to the principal. If any is denied the query returns
-  # unauthorized (AND semantics, matching the roles filter).
-  required_permissions: [PermissionInput!]
+  # required_relations gates the session on fine-grained authorization.
+  # Each (relation, object) is checked against the authenticated caller with
+  # AND semantics, fail-closed. Requires --authorization-engine=fga.
+  required_relations: [FgaRelationInput!]
 }
 
 input PaginationRequest {
@@ -542,13 +580,17 @@ input ValidateJWTTokenRequest {
   token_type: String!
   token: String!
   roles: [String!]
-  required_permissions: [PermissionInput!]
+  # required_relations gates validation on fine-grained authorization.
+  # AND semantics, fail-closed. Requires --authorization-engine=fga.
+  required_relations: [FgaRelationInput!]
 }
 
 input ValidateSessionRequest {
   cookie: String!
   roles: [String!]
-  required_permissions: [PermissionInput!]
+  # required_relations gates validation on fine-grained authorization.
+  # AND semantics, fail-closed. Requires --authorization-engine=fga.
+  required_relations: [FgaRelationInput!]
 }
 
 input GenerateJWTKeysRequest {
@@ -647,143 +689,71 @@ input GetUserRequest {
   email: String
 }
 
-type AuthzResource {
-  id: ID!
-  name: String!
-  description: String
-  created_at: Int64!
-  updated_at: Int64!
-}
+# ---- Fine-grained authorization (FGA) inputs ----
 
-type AuthzResources {
-  pagination: Pagination!
-  resources: [AuthzResource!]!
+# FgaTupleInput is a single relationship tuple supplied by an admin for write /
+# delete / read operations.
+input FgaTupleInput {
+  user: String!
+  relation: String!
+  object: String!
 }
 
-type AuthzScope {
-  id: ID!
-  name: String!
-  description: String
-  created_at: Int64!
-  updated_at: Int64!
+# FgaWriteModelInput installs a new authorization model from its DSL form.
+input FgaWriteModelInput {
+  dsl: String!
 }
 
-type AuthzScopes {
-  pagination: Pagination!
-  scopes: [AuthzScope!]!
+# FgaWriteTuplesInput is used for both writing and deleting tuples.
+input FgaWriteTuplesInput {
+  tuples: [FgaTupleInput!]!
 }
 
-type AuthzPolicyTarget {
-  id: ID!
-  target_type: String!
-  target_value: String!
+# FgaReadTuplesInput is a paginated, optionally-filtered tuple read. Any empty
+# field acts as a wildcard for that position.
+input FgaReadTuplesInput {
+  user: String
+  relation: String
+  object: String
+  page_size: Int64
+  continuation_token: String
 }
 
-type AuthzPolicy {
-  id: ID!
-  name: String!
-  description: String
-  type: String!
-  logic: String!
-  decision_strategy: String!
-  targets: [AuthzPolicyTarget!]!
-  created_at: Int64!
-  updated_at: Int64!
+# FgaCheckInput asks "is the authenticated caller related to object via
+# relation?". The caller (user) is pinned server-side from the auth token and is
+# NEVER taken from client input. Only relation, object and optional contextual
+# tuples are accepted from the client.
+input FgaCheckInput {
+  relation: String!
+  object: String!
+  contextual_tuples: [FgaTupleInput!]
 }
 
-type AuthzPolicies {
-  pagination: Pagination!
-  policies: [AuthzPolicy!]!
+# FgaBatchCheckInput evaluates multiple relation/object pairs for the
+# authenticated caller (principal pinned server-side).
+input FgaBatchCheckInput {
+  checks: [FgaCheckPairInput!]!
 }
 
-type AuthzPermission {
-  id: ID!
-  name: String!
-  description: String
-  resource: AuthzResource!
-  scopes: [AuthzScope!]!
-  policies: [AuthzPolicy!]!
-  decision_strategy: String!
-  created_at: Int64!
-  updated_at: Int64!
+# FgaCheckPairInput is one relation/object pair within a batch check.
+input FgaCheckPairInput {
+  relation: String!
+  object: String!
+  contextual_tuples: [FgaTupleInput!]
 }
 
-type AuthzPermissions {
-  pagination: Pagination!
-  permissions: [AuthzPermission!]!
-}
-
-type Permission {
-  resource: String!
-  scope: String!
-}
-
-input AddResourceInput {
-  name: String!
-  description: String
-}
-
-input UpdateResourceInput {
-  id: ID!
-  name: String
-  description: String
-}
-
-input AddScopeInput {
-  name: String!
-  description: String
-}
-
-input UpdateScopeInput {
-  id: ID!
-  name: String
-  description: String
-}
-
-input PolicyTargetInput {
-  target_type: String!
-  target_value: String!
-}
-
-input AddPolicyInput {
-  name: String!
-  description: String
-  type: String!
-  logic: String
-  decision_strategy: String
-  targets: [PolicyTargetInput!]!
-}
-
-input UpdatePolicyInput {
-  id: ID!
-  name: String
-  description: String
-  logic: String
-  decision_strategy: String
-  targets: [PolicyTargetInput!]
-}
-
-input AddPermissionInput {
-  name: String!
-  description: String
-  resource_id: ID!
-  scope_ids: [ID!]!
-  policy_ids: [ID!]!
-  decision_strategy: String
-}
-
-input UpdatePermissionInput {
-  id: ID!
-  name: String
-  description: String
-  scope_ids: [ID!]
-  policy_ids: [ID!]
-  decision_strategy: String
+# FgaListObjectsInput enumerates objects of type object_type the authenticated
+# caller relates to via relation (principal pinned server-side).
+input FgaListObjectsInput {
+  relation: String!
+  object_type: String!
 }
 
-input PermissionInput {
-  resource: String!
-  scope: String!
+# FgaRelationInput is a (relation, object) requirement evaluated against the
+# authenticated caller during session/validate. AND semantics, fail-closed.
+input FgaRelationInput {
+  relation: String!
+  object: String!
 }
 
 type Mutation {
@@ -825,22 +795,10 @@ type Mutation {
   _add_email_template(params: AddEmailTemplateRequest!): Response!
   _update_email_template(params: UpdateEmailTemplateRequest!): Response!
   _delete_email_template(params: DeleteEmailTemplateRequest!): Response!
-  # Authorization: Resources
-  _authz_add_resource(params: AddResourceInput!): AuthzResource!
-  _authz_update_resource(params: UpdateResourceInput!): AuthzResource!
-  _authz_delete_resource(id: ID!): Response!
-  # Authorization: Scopes
-  _authz_add_scope(params: AddScopeInput!): AuthzScope!
-  _authz_update_scope(params: UpdateScopeInput!): AuthzScope!
-  _authz_delete_scope(id: ID!): Response!
-  # Authorization: Policies
-  _authz_add_policy(params: AddPolicyInput!): AuthzPolicy!
-  _authz_update_policy(params: UpdatePolicyInput!): AuthzPolicy!
-  _authz_delete_policy(id: ID!): Response!
-  # Authorization: Permissions
-  _authz_add_permission(params: AddPermissionInput!): AuthzPermission!
-  _authz_update_permission(params: UpdatePermissionInput!): AuthzPermission!
-  _authz_delete_permission(id: ID!): Response!
+  # FGA admin mutations (super-admin only)
+  _fga_write_model(params: FgaWriteModelInput!): FgaModel!
+  _fga_write_tuples(params: FgaWriteTuplesInput!): Response!
+  _fga_delete_tuples(params: FgaWriteTuplesInput!): Response!
 }
 
 type Query {
@@ -861,11 +819,11 @@ type Query {
   _webhook_logs(params: ListWebhookLogRequest): WebhookLogs!
   _email_templates(params: PaginatedRequest): EmailTemplates!
   _audit_logs(params: ListAuditLogRequest): AuditLogs!
-  # Authorization: Admin queries
-  _authz_resources(params: PaginatedRequest): AuthzResources!
-  _authz_scopes(params: PaginatedRequest): AuthzScopes!
-  _authz_policies(params: PaginatedRequest): AuthzPolicies!
-  _authz_permissions(params: PaginatedRequest): AuthzPermissions!
-  # Authorization: User-facing queries
-  permissions: [Permission!]!
+  # FGA admin queries (super-admin only)
+  _fga_get_model: FgaModel!
+  _fga_read_tuples(params: FgaReadTuplesInput!): FgaTuples!
+  # FGA runtime queries (authenticated caller; principal pinned server-side)
+  fga_check(params: FgaCheckInput!): FgaCheckResponse!
+  fga_batch_check(params: FgaBatchCheckInput!): FgaBatchCheckResponse!
+  fga_list_objects(params: FgaListObjectsInput!): FgaListObjectsResponse!
 }
diff --git a/internal/graph/schema.resolvers.go b/internal/graph/schema.resolvers.go
index 12c099c2..54795cc1 100644
--- a/internal/graph/schema.resolvers.go
+++ b/internal/graph/schema.resolvers.go
@@ -172,64 +172,19 @@ func (r *mutationResolver) DeleteEmailTemplate(ctx context.Context, params model
 	return r.GraphQLProvider.DeleteEmailTemplate(ctx, &params)
 }
 
-// AuthzAddResource is the resolver for the _authz_add_resource field.
-func (r *mutationResolver) AuthzAddResource(ctx context.Context, params model.AddResourceInput) (*model.AuthzResource, error) {
-	return r.GraphQLProvider.AuthzAddResource(ctx, &params)
+// FgaWriteModel is the resolver for the _fga_write_model field.
+func (r *mutationResolver) FgaWriteModel(ctx context.Context, params model.FgaWriteModelInput) (*model.FgaModel, error) {
+	return r.GraphQLProvider.FgaWriteModel(ctx, &params)
 }
 
-// AuthzUpdateResource is the resolver for the _authz_update_resource field.
-func (r *mutationResolver) AuthzUpdateResource(ctx context.Context, params model.UpdateResourceInput) (*model.AuthzResource, error) {
-	return r.GraphQLProvider.AuthzUpdateResource(ctx, &params)
+// FgaWriteTuples is the resolver for the _fga_write_tuples field.
+func (r *mutationResolver) FgaWriteTuples(ctx context.Context, params model.FgaWriteTuplesInput) (*model.Response, error) {
+	return r.GraphQLProvider.FgaWriteTuples(ctx, &params)
 }
 
-// AuthzDeleteResource is the resolver for the _authz_delete_resource field.
-func (r *mutationResolver) AuthzDeleteResource(ctx context.Context, id string) (*model.Response, error) {
-	return r.GraphQLProvider.AuthzDeleteResource(ctx, id)
-}
-
-// AuthzAddScope is the resolver for the _authz_add_scope field.
-func (r *mutationResolver) AuthzAddScope(ctx context.Context, params model.AddScopeInput) (*model.AuthzScope, error) {
-	return r.GraphQLProvider.AuthzAddScope(ctx, &params)
-}
-
-// AuthzUpdateScope is the resolver for the _authz_update_scope field.
-func (r *mutationResolver) AuthzUpdateScope(ctx context.Context, params model.UpdateScopeInput) (*model.AuthzScope, error) {
-	return r.GraphQLProvider.AuthzUpdateScope(ctx, &params)
-}
-
-// AuthzDeleteScope is the resolver for the _authz_delete_scope field.
-func (r *mutationResolver) AuthzDeleteScope(ctx context.Context, id string) (*model.Response, error) {
-	return r.GraphQLProvider.AuthzDeleteScope(ctx, id)
-}
-
-// AuthzAddPolicy is the resolver for the _authz_add_policy field.
-func (r *mutationResolver) AuthzAddPolicy(ctx context.Context, params model.AddPolicyInput) (*model.AuthzPolicy, error) {
-	return r.GraphQLProvider.AuthzAddPolicy(ctx, &params)
-}
-
-// AuthzUpdatePolicy is the resolver for the _authz_update_policy field.
-func (r *mutationResolver) AuthzUpdatePolicy(ctx context.Context, params model.UpdatePolicyInput) (*model.AuthzPolicy, error) {
-	return r.GraphQLProvider.AuthzUpdatePolicy(ctx, &params)
-}
-
-// AuthzDeletePolicy is the resolver for the _authz_delete_policy field.
-func (r *mutationResolver) AuthzDeletePolicy(ctx context.Context, id string) (*model.Response, error) {
-	return r.GraphQLProvider.AuthzDeletePolicy(ctx, id)
-}
-
-// AuthzAddPermission is the resolver for the _authz_add_permission field.
-func (r *mutationResolver) AuthzAddPermission(ctx context.Context, params model.AddPermissionInput) (*model.AuthzPermission, error) {
-	return r.GraphQLProvider.AuthzAddPermission(ctx, &params)
-}
-
-// AuthzUpdatePermission is the resolver for the _authz_update_permission field.
-func (r *mutationResolver) AuthzUpdatePermission(ctx context.Context, params model.UpdatePermissionInput) (*model.AuthzPermission, error) {
-	return r.GraphQLProvider.AuthzUpdatePermission(ctx, &params)
-}
-
-// AuthzDeletePermission is the resolver for the _authz_delete_permission field.
-func (r *mutationResolver) AuthzDeletePermission(ctx context.Context, id string) (*model.Response, error) {
-	return r.GraphQLProvider.AuthzDeletePermission(ctx, id)
+// FgaDeleteTuples is the resolver for the _fga_delete_tuples field.
+func (r *mutationResolver) FgaDeleteTuples(ctx context.Context, params model.FgaWriteTuplesInput) (*model.Response, error) {
+	return r.GraphQLProvider.FgaDeleteTuples(ctx, &params)
 }
 
 // Meta is the resolver for the meta field.
@@ -307,29 +262,29 @@ func (r *queryResolver) AuditLogs(ctx context.Context, params *model.ListAuditLo
 	return r.GraphQLProvider.AuditLogs(ctx, params)
 }
 
-// AuthzResources is the resolver for the _authz_resources field.
-func (r *queryResolver) AuthzResources(ctx context.Context, params *model.PaginatedRequest) (*model.AuthzResources, error) {
-	return r.GraphQLProvider.AuthzResources(ctx, params)
+// FgaGetModel is the resolver for the _fga_get_model field.
+func (r *queryResolver) FgaGetModel(ctx context.Context) (*model.FgaModel, error) {
+	return r.GraphQLProvider.FgaGetModel(ctx)
 }
 
-// AuthzScopes is the resolver for the _authz_scopes field.
-func (r *queryResolver) AuthzScopes(ctx context.Context, params *model.PaginatedRequest) (*model.AuthzScopes, error) {
-	return r.GraphQLProvider.AuthzScopes(ctx, params)
+// FgaReadTuples is the resolver for the _fga_read_tuples field.
+func (r *queryResolver) FgaReadTuples(ctx context.Context, params model.FgaReadTuplesInput) (*model.FgaTuples, error) {
+	return r.GraphQLProvider.FgaReadTuples(ctx, &params)
 }
 
-// AuthzPolicies is the resolver for the _authz_policies field.
-func (r *queryResolver) AuthzPolicies(ctx context.Context, params *model.PaginatedRequest) (*model.AuthzPolicies, error) {
-	return r.GraphQLProvider.AuthzPolicies(ctx, params)
+// FgaCheck is the resolver for the fga_check field.
+func (r *queryResolver) FgaCheck(ctx context.Context, params model.FgaCheckInput) (*model.FgaCheckResponse, error) {
+	return r.GraphQLProvider.FgaCheck(ctx, &params)
 }
 
-// AuthzPermissions is the resolver for the _authz_permissions field.
-func (r *queryResolver) AuthzPermissions(ctx context.Context, params *model.PaginatedRequest) (*model.AuthzPermissions, error) {
-	return r.GraphQLProvider.AuthzPermissions(ctx, params)
+// FgaBatchCheck is the resolver for the fga_batch_check field.
+func (r *queryResolver) FgaBatchCheck(ctx context.Context, params model.FgaBatchCheckInput) (*model.FgaBatchCheckResponse, error) {
+	return r.GraphQLProvider.FgaBatchCheck(ctx, &params)
 }
 
-// Permissions is the resolver for the permissions field.
-func (r *queryResolver) Permissions(ctx context.Context) ([]*model.Permission, error) {
-	return r.GraphQLProvider.Permissions(ctx)
+// FgaListObjects is the resolver for the fga_list_objects field.
+func (r *queryResolver) FgaListObjects(ctx context.Context, params model.FgaListObjectsInput) (*model.FgaListObjectsResponse, error) {
+	return r.GraphQLProvider.FgaListObjects(ctx, &params)
 }
 
 // Mutation returns generated.MutationResolver implementation.
diff --git a/internal/graphql/authz_add_permission.go b/internal/graphql/authz_add_permission.go
deleted file mode 100644
index 7b9bdd37..00000000
--- a/internal/graphql/authz_add_permission.go
+++ /dev/null
@@ -1,176 +0,0 @@
-package graphql
-
-import (
-	"context"
-	"fmt"
-	"strings"
-	"unicode"
-
-	"github.com/authorizerdev/authorizer/internal/audit"
-	"github.com/authorizerdev/authorizer/internal/constants"
-	"github.com/authorizerdev/authorizer/internal/graph/model"
-	"github.com/authorizerdev/authorizer/internal/storage/schemas"
-	"github.com/authorizerdev/authorizer/internal/utils"
-)
-
-// AuthzAddPermission is the method to create a new authorization permission
-// binding a resource to scopes and policies.
-// Permissions: authorizer:admin
-func (g *graphqlProvider) AuthzAddPermission(ctx context.Context, params *model.AddPermissionInput) (*model.AuthzPermission, error) {
-	log := g.Log.With().Str("func", "AuthzAddPermission").Logger()
-	gc, err := utils.GinContextFromContext(ctx)
-	if err != nil {
-		log.Debug().Err(err).Msg("Failed to get GinContext")
-		return nil, err
-	}
-	if !g.TokenProvider.IsSuperAdmin(gc) {
-		log.Debug().Msg("Not logged in as super admin")
-		return nil, fmt.Errorf("unauthorized")
-	}
-
-	name := strings.TrimSpace(params.Name)
-	if name == "" {
-		return nil, fmt.Errorf("permission name is required")
-	}
-	if len(name) > constants.MaxAuthzIdentifierLength {
-		return nil, fmt.Errorf("invalid name: must be %d characters or fewer", constants.MaxAuthzIdentifierLength)
-	}
-	for _, r := range name {
-		if !unicode.IsLetter(r) && !unicode.IsDigit(r) && r != '-' && r != '_' {
-			return nil, fmt.Errorf("invalid name: must contain only letters, digits, hyphens, and underscores")
-		}
-	}
-
-	if strings.TrimSpace(params.ResourceID) == "" {
-		return nil, fmt.Errorf("resource_id is required")
-	}
-
-	if len(params.ScopeIds) == 0 {
-		return nil, fmt.Errorf("at least one scope_id is required")
-	}
-
-	if len(params.PolicyIds) == 0 {
-		return nil, fmt.Errorf("at least one policy_id is required")
-	}
-
-	description := ""
-	if params.Description != nil {
-		description = *params.Description
-	}
-
-	decisionStrategy := constants.DecisionStrategyAffirmative
-	if params.DecisionStrategy != nil {
-		decisionStrategy = *params.DecisionStrategy
-	}
-	if decisionStrategy != constants.DecisionStrategyAffirmative && decisionStrategy != constants.DecisionStrategyUnanimous {
-		return nil, fmt.Errorf("invalid decision strategy: must be '%s' or '%s'",
-			constants.DecisionStrategyAffirmative, constants.DecisionStrategyUnanimous)
-	}
-
-	// Verify resource exists
-	resource, err := g.StorageProvider.GetResourceByID(ctx, params.ResourceID)
-	if err != nil {
-		log.Debug().Err(err).Msg("Failed to get resource by ID")
-		return nil, fmt.Errorf("resource not found: %s", params.ResourceID)
-	}
-
-	permission, err := g.StorageProvider.AddPermission(ctx, &schemas.Permission{
-		Name:             name,
-		Description:      description,
-		ResourceID:       params.ResourceID,
-		DecisionStrategy: decisionStrategy,
-	})
-	if err != nil {
-		log.Debug().Err(err).Msg("Failed to add permission")
-		return nil, err
-	}
-
-	// Attach scopes + policies. The storage layer does not expose transactions
-	// across these provider-level calls, so a failure mid-attach would leave
-	// the newly created permission row orphaned (present but with partial or
-	// no scope/policy links). To keep the system consistent we compensate by
-	// deleting the permission when any attach step fails. The delete uses
-	// context.Background() so it survives request cancellation (mirrors the
-	// pattern already used for InvalidateCache below). If the compensation
-	// itself fails, log at ERROR level so operators can manually clean up,
-	// but still return the ORIGINAL error — that is the failure operators
-	// need to see first.
-	apiScopes, apiPolicies, err := g.attachPermissionScopesAndPolicies(ctx, permission.ID, params)
-	if err != nil {
-		if delErr := g.StorageProvider.DeletePermission(context.Background(), permission.ID); delErr != nil {
-			log.Error().
-				Err(delErr).
-				Str("permission_id", permission.ID).
-				Msg("failed to roll back orphaned permission after partial AddPermission failure; manual cleanup required")
-		}
-		return nil, err
-	}
-
-	g.AuthorizationProvider.InvalidateCache(context.Background(), "authz:")
-
-	g.AuditProvider.LogEvent(audit.Event{
-		Action:       constants.AuditAdminAuthzPermissionCreatedEvent,
-		ActorType:    constants.AuditActorTypeAdmin,
-		ResourceType: constants.AuditResourceTypeAuthzPermission,
-		ResourceID:   permission.ID,
-		IPAddress:    utils.GetIP(gc.Request),
-		UserAgent:    utils.GetUserAgent(gc.Request),
-	})
-
-	return permission.AsAPIPermission(resource.AsAPIResource(), apiScopes, apiPolicies), nil
-}
-
-// attachPermissionScopesAndPolicies creates PermissionScope and PermissionPolicy
-// link rows for a newly added permission and returns the API-shape scope and
-// policy slices used to build the GraphQL response. It returns the first error
-// encountered so the caller can roll back the permission.
-func (g *graphqlProvider) attachPermissionScopesAndPolicies(
-	ctx context.Context,
-	permissionID string,
-	params *model.AddPermissionInput,
-) ([]*model.AuthzScope, []*model.AuthzPolicy, error) {
-	log := g.Log.With().Str("func", "attachPermissionScopesAndPolicies").Logger()
-
-	apiScopes := make([]*model.AuthzScope, 0, len(params.ScopeIds))
-	for _, scopeID := range params.ScopeIds {
-		_, err := g.StorageProvider.AddPermissionScope(ctx, &schemas.PermissionScope{
-			PermissionID: permissionID,
-			ScopeID:      scopeID,
-		})
-		if err != nil {
-			log.Debug().Err(err).Str("scope_id", scopeID).Msg("Failed to add permission scope")
-			return nil, nil, err
-		}
-		scope, err := g.StorageProvider.GetScopeByID(ctx, scopeID)
-		if err != nil {
-			log.Debug().Err(err).Str("scope_id", scopeID).Msg("Failed to get scope by ID")
-			return nil, nil, err
-		}
-		apiScopes = append(apiScopes, scope.AsAPIScope())
-	}
-
-	apiPolicies := make([]*model.AuthzPolicy, 0, len(params.PolicyIds))
-	for _, policyID := range params.PolicyIds {
-		_, err := g.StorageProvider.AddPermissionPolicy(ctx, &schemas.PermissionPolicy{
-			PermissionID: permissionID,
-			PolicyID:     policyID,
-		})
-		if err != nil {
-			log.Debug().Err(err).Str("policy_id", policyID).Msg("Failed to add permission policy")
-			return nil, nil, err
-		}
-		policy, err := g.StorageProvider.GetPolicyByID(ctx, policyID)
-		if err != nil {
-			log.Debug().Err(err).Str("policy_id", policyID).Msg("Failed to get policy by ID")
-			return nil, nil, err
-		}
-		targets, err := g.StorageProvider.GetPolicyTargets(ctx, policyID)
-		if err != nil {
-			log.Debug().Err(err).Str("policy_id", policyID).Msg("Failed to get policy targets")
-			return nil, nil, err
-		}
-		apiPolicies = append(apiPolicies, policy.AsAPIPolicy(targets))
-	}
-
-	return apiScopes, apiPolicies, nil
-}
diff --git a/internal/graphql/authz_add_policy.go b/internal/graphql/authz_add_policy.go
deleted file mode 100644
index 51296499..00000000
--- a/internal/graphql/authz_add_policy.go
+++ /dev/null
@@ -1,122 +0,0 @@
-package graphql
-
-import (
-	"context"
-	"fmt"
-	"strings"
-	"unicode"
-
-	"github.com/authorizerdev/authorizer/internal/audit"
-	"github.com/authorizerdev/authorizer/internal/constants"
-	"github.com/authorizerdev/authorizer/internal/graph/model"
-	"github.com/authorizerdev/authorizer/internal/storage/schemas"
-	"github.com/authorizerdev/authorizer/internal/utils"
-)
-
-// AuthzAddPolicy is the method to create a new authorization policy with targets.
-// Permissions: authorizer:admin
-func (g *graphqlProvider) AuthzAddPolicy(ctx context.Context, params *model.AddPolicyInput) (*model.AuthzPolicy, error) {
-	log := g.Log.With().Str("func", "AuthzAddPolicy").Logger()
-	gc, err := utils.GinContextFromContext(ctx)
-	if err != nil {
-		log.Debug().Err(err).Msg("Failed to get GinContext")
-		return nil, err
-	}
-	if !g.TokenProvider.IsSuperAdmin(gc) {
-		log.Debug().Msg("Not logged in as super admin")
-		return nil, fmt.Errorf("unauthorized")
-	}
-
-	name := strings.TrimSpace(params.Name)
-	if name == "" {
-		return nil, fmt.Errorf("policy name is required")
-	}
-	if len(name) > constants.MaxAuthzIdentifierLength {
-		return nil, fmt.Errorf("invalid name: must be %d characters or fewer", constants.MaxAuthzIdentifierLength)
-	}
-	for _, r := range name {
-		if !unicode.IsLetter(r) && !unicode.IsDigit(r) && r != '-' && r != '_' {
-			return nil, fmt.Errorf("invalid name: must contain only letters, digits, hyphens, and underscores")
-		}
-	}
-
-	policyType := strings.TrimSpace(params.Type)
-	if policyType == "" {
-		return nil, fmt.Errorf("policy type is required")
-	}
-	validPolicyTypes := map[string]bool{
-		constants.PolicyTypeRole: true,
-		constants.PolicyTypeUser: true,
-	}
-	if !validPolicyTypes[policyType] {
-		return nil, fmt.Errorf("invalid policy type: must be '%s' or '%s'",
-			constants.PolicyTypeRole, constants.PolicyTypeUser)
-	}
-
-	description := ""
-	if params.Description != nil {
-		description = *params.Description
-	}
-
-	logic := constants.PolicyLogicPositive
-	if params.Logic != nil {
-		logic = *params.Logic
-	}
-	if logic != constants.PolicyLogicPositive && logic != constants.PolicyLogicNegative {
-		return nil, fmt.Errorf("invalid policy logic: must be '%s' or '%s'",
-			constants.PolicyLogicPositive, constants.PolicyLogicNegative)
-	}
-
-	decisionStrategy := constants.DecisionStrategyAffirmative
-	if params.DecisionStrategy != nil {
-		decisionStrategy = *params.DecisionStrategy
-	}
-	if decisionStrategy != constants.DecisionStrategyAffirmative && decisionStrategy != constants.DecisionStrategyUnanimous {
-		return nil, fmt.Errorf("invalid decision strategy: must be '%s' or '%s'",
-			constants.DecisionStrategyAffirmative, constants.DecisionStrategyUnanimous)
-	}
-
-	if err := validatePolicyTargets(policyType, params.Targets, g.Config.Roles); err != nil {
-		return nil, err
-	}
-
-	policy, err := g.StorageProvider.AddPolicy(ctx, &schemas.Policy{
-		Name:             name,
-		Description:      description,
-		Type:             policyType,
-		Logic:            logic,
-		DecisionStrategy: decisionStrategy,
-	})
-	if err != nil {
-		log.Debug().Err(err).Msg("Failed to add policy")
-		return nil, err
-	}
-
-	// Create policy targets
-	var targets []*schemas.PolicyTarget
-	for _, t := range params.Targets {
-		target, err := g.StorageProvider.AddPolicyTarget(ctx, &schemas.PolicyTarget{
-			PolicyID:    policy.ID,
-			TargetType:  t.TargetType,
-			TargetValue: t.TargetValue,
-		})
-		if err != nil {
-			log.Debug().Err(err).Msg("Failed to add policy target")
-			return nil, err
-		}
-		targets = append(targets, target)
-	}
-
-	g.AuthorizationProvider.InvalidateCache(context.Background(), "authz:")
-
-	g.AuditProvider.LogEvent(audit.Event{
-		Action:       constants.AuditAdminAuthzPolicyCreatedEvent,
-		ActorType:    constants.AuditActorTypeAdmin,
-		ResourceType: constants.AuditResourceTypeAuthzPolicy,
-		ResourceID:   policy.ID,
-		IPAddress:    utils.GetIP(gc.Request),
-		UserAgent:    utils.GetUserAgent(gc.Request),
-	})
-
-	return policy.AsAPIPolicy(targets), nil
-}
diff --git a/internal/graphql/authz_add_resource.go b/internal/graphql/authz_add_resource.go
deleted file mode 100644
index 23e41cc7..00000000
--- a/internal/graphql/authz_add_resource.go
+++ /dev/null
@@ -1,69 +0,0 @@
-package graphql
-
-import (
-	"context"
-	"fmt"
-	"strings"
-	"unicode"
-
-	"github.com/authorizerdev/authorizer/internal/audit"
-	"github.com/authorizerdev/authorizer/internal/constants"
-	"github.com/authorizerdev/authorizer/internal/graph/model"
-	"github.com/authorizerdev/authorizer/internal/storage/schemas"
-	"github.com/authorizerdev/authorizer/internal/utils"
-)
-
-// AuthzAddResource is the method to create a new authorization resource.
-// Permissions: authorizer:admin
-func (g *graphqlProvider) AuthzAddResource(ctx context.Context, params *model.AddResourceInput) (*model.AuthzResource, error) {
-	log := g.Log.With().Str("func", "AuthzAddResource").Logger()
-	gc, err := utils.GinContextFromContext(ctx)
-	if err != nil {
-		log.Debug().Err(err).Msg("Failed to get GinContext")
-		return nil, err
-	}
-	if !g.TokenProvider.IsSuperAdmin(gc) {
-		log.Debug().Msg("Not logged in as super admin")
-		return nil, fmt.Errorf("unauthorized")
-	}
-
-	name := strings.TrimSpace(params.Name)
-	if name == "" {
-		return nil, fmt.Errorf("resource name is required")
-	}
-	if len(name) > constants.MaxAuthzIdentifierLength {
-		return nil, fmt.Errorf("invalid name: must be %d characters or fewer", constants.MaxAuthzIdentifierLength)
-	}
-	for _, r := range name {
-		if !unicode.IsLetter(r) && !unicode.IsDigit(r) && r != '-' && r != '_' {
-			return nil, fmt.Errorf("invalid name: must contain only letters, digits, hyphens, and underscores")
-		}
-	}
-
-	description := ""
-	if params.Description != nil {
-		description = *params.Description
-	}
-
-	resource, err := g.StorageProvider.AddResource(ctx, &schemas.Resource{
-		Name:        name,
-		Description: description,
-	})
-	if err != nil {
-		log.Debug().Err(err).Msg("Failed to add resource")
-		return nil, err
-	}
-
-	g.AuthorizationProvider.InvalidateCache(context.Background(), "authz:")
-
-	g.AuditProvider.LogEvent(audit.Event{
-		Action:       constants.AuditAdminAuthzResourceCreatedEvent,
-		ActorType:    constants.AuditActorTypeAdmin,
-		ResourceType: constants.AuditResourceTypeAuthzResource,
-		ResourceID:   resource.ID,
-		IPAddress:    utils.GetIP(gc.Request),
-		UserAgent:    utils.GetUserAgent(gc.Request),
-	})
-
-	return resource.AsAPIResource(), nil
-}
diff --git a/internal/graphql/authz_add_scope.go b/internal/graphql/authz_add_scope.go
deleted file mode 100644
index cd47c282..00000000
--- a/internal/graphql/authz_add_scope.go
+++ /dev/null
@@ -1,69 +0,0 @@
-package graphql
-
-import (
-	"context"
-	"fmt"
-	"strings"
-	"unicode"
-
-	"github.com/authorizerdev/authorizer/internal/audit"
-	"github.com/authorizerdev/authorizer/internal/constants"
-	"github.com/authorizerdev/authorizer/internal/graph/model"
-	"github.com/authorizerdev/authorizer/internal/storage/schemas"
-	"github.com/authorizerdev/authorizer/internal/utils"
-)
-
-// AuthzAddScope is the method to create a new authorization scope.
-// Permissions: authorizer:admin
-func (g *graphqlProvider) AuthzAddScope(ctx context.Context, params *model.AddScopeInput) (*model.AuthzScope, error) {
-	log := g.Log.With().Str("func", "AuthzAddScope").Logger()
-	gc, err := utils.GinContextFromContext(ctx)
-	if err != nil {
-		log.Debug().Err(err).Msg("Failed to get GinContext")
-		return nil, err
-	}
-	if !g.TokenProvider.IsSuperAdmin(gc) {
-		log.Debug().Msg("Not logged in as super admin")
-		return nil, fmt.Errorf("unauthorized")
-	}
-
-	name := strings.TrimSpace(params.Name)
-	if name == "" {
-		return nil, fmt.Errorf("scope name is required")
-	}
-	if len(name) > constants.MaxAuthzIdentifierLength {
-		return nil, fmt.Errorf("invalid name: must be %d characters or fewer", constants.MaxAuthzIdentifierLength)
-	}
-	for _, r := range name {
-		if !unicode.IsLetter(r) && !unicode.IsDigit(r) && r != '-' && r != '_' {
-			return nil, fmt.Errorf("invalid name: must contain only letters, digits, hyphens, and underscores")
-		}
-	}
-
-	description := ""
-	if params.Description != nil {
-		description = *params.Description
-	}
-
-	scope, err := g.StorageProvider.AddScope(ctx, &schemas.Scope{
-		Name:        name,
-		Description: description,
-	})
-	if err != nil {
-		log.Debug().Err(err).Msg("Failed to add scope")
-		return nil, err
-	}
-
-	g.AuthorizationProvider.InvalidateCache(context.Background(), "authz:")
-
-	g.AuditProvider.LogEvent(audit.Event{
-		Action:       constants.AuditAdminAuthzScopeCreatedEvent,
-		ActorType:    constants.AuditActorTypeAdmin,
-		ResourceType: constants.AuditResourceTypeAuthzScope,
-		ResourceID:   scope.ID,
-		IPAddress:    utils.GetIP(gc.Request),
-		UserAgent:    utils.GetUserAgent(gc.Request),
-	})
-
-	return scope.AsAPIScope(), nil
-}
diff --git a/internal/graphql/authz_delete_permission.go b/internal/graphql/authz_delete_permission.go
deleted file mode 100644
index 32ff5154..00000000
--- a/internal/graphql/authz_delete_permission.go
+++ /dev/null
@@ -1,65 +0,0 @@
-package graphql
-
-import (
-	"context"
-	"fmt"
-	"strings"
-
-	"github.com/authorizerdev/authorizer/internal/audit"
-	"github.com/authorizerdev/authorizer/internal/constants"
-	"github.com/authorizerdev/authorizer/internal/graph/model"
-	"github.com/authorizerdev/authorizer/internal/utils"
-)
-
-// AuthzDeletePermission is the method to delete an authorization permission.
-// Permissions: authorizer:admin
-func (g *graphqlProvider) AuthzDeletePermission(ctx context.Context, id string) (*model.Response, error) {
-	log := g.Log.With().Str("func", "AuthzDeletePermission").Logger()
-	gc, err := utils.GinContextFromContext(ctx)
-	if err != nil {
-		log.Debug().Err(err).Msg("Failed to get GinContext")
-		return nil, err
-	}
-	if !g.TokenProvider.IsSuperAdmin(gc) {
-		log.Debug().Msg("Not logged in as super admin")
-		return nil, fmt.Errorf("unauthorized")
-	}
-
-	if strings.TrimSpace(id) == "" {
-		return nil, fmt.Errorf("permission ID is required")
-	}
-
-	// Clean up join tables first
-	err = g.StorageProvider.DeletePermissionScopesByPermissionID(ctx, id)
-	if err != nil {
-		log.Debug().Err(err).Msg("Failed to delete permission scopes")
-		return nil, err
-	}
-
-	err = g.StorageProvider.DeletePermissionPoliciesByPermissionID(ctx, id)
-	if err != nil {
-		log.Debug().Err(err).Msg("Failed to delete permission policies")
-		return nil, err
-	}
-
-	err = g.StorageProvider.DeletePermission(ctx, id)
-	if err != nil {
-		log.Debug().Err(err).Msg("Failed to delete permission")
-		return nil, err
-	}
-
-	g.AuthorizationProvider.InvalidateCache(context.Background(), "authz:")
-
-	g.AuditProvider.LogEvent(audit.Event{
-		Action:       constants.AuditAdminAuthzPermissionDeletedEvent,
-		ActorType:    constants.AuditActorTypeAdmin,
-		ResourceType: constants.AuditResourceTypeAuthzPermission,
-		ResourceID:   id,
-		IPAddress:    utils.GetIP(gc.Request),
-		UserAgent:    utils.GetUserAgent(gc.Request),
-	})
-
-	return &model.Response{
-		Message: "Permission deleted successfully",
-	}, nil
-}
diff --git a/internal/graphql/authz_delete_policy.go b/internal/graphql/authz_delete_policy.go
deleted file mode 100644
index 584ea1a6..00000000
--- a/internal/graphql/authz_delete_policy.go
+++ /dev/null
@@ -1,54 +0,0 @@
-package graphql
-
-import (
-	"context"
-	"fmt"
-	"strings"
-
-	"github.com/authorizerdev/authorizer/internal/audit"
-	"github.com/authorizerdev/authorizer/internal/constants"
-	"github.com/authorizerdev/authorizer/internal/graph/model"
-	"github.com/authorizerdev/authorizer/internal/utils"
-)
-
-// AuthzDeletePolicy is the method to delete an authorization policy.
-// Permissions: authorizer:admin
-func (g *graphqlProvider) AuthzDeletePolicy(ctx context.Context, id string) (*model.Response, error) {
-	log := g.Log.With().Str("func", "AuthzDeletePolicy").Logger()
-	gc, err := utils.GinContextFromContext(ctx)
-	if err != nil {
-		log.Debug().Err(err).Msg("Failed to get GinContext")
-		return nil, err
-	}
-	if !g.TokenProvider.IsSuperAdmin(gc) {
-		log.Debug().Msg("Not logged in as super admin")
-		return nil, fmt.Errorf("unauthorized")
-	}
-
-	if strings.TrimSpace(id) == "" {
-		return nil, fmt.Errorf("policy ID is required")
-	}
-
-	// DeletePolicy checks referential integrity (permission_policy refs) and
-	// cascade-deletes policy targets internally.
-	err = g.StorageProvider.DeletePolicy(ctx, id)
-	if err != nil {
-		log.Debug().Err(err).Msg("Failed to delete policy")
-		return nil, err
-	}
-
-	g.AuthorizationProvider.InvalidateCache(context.Background(), "authz:")
-
-	g.AuditProvider.LogEvent(audit.Event{
-		Action:       constants.AuditAdminAuthzPolicyDeletedEvent,
-		ActorType:    constants.AuditActorTypeAdmin,
-		ResourceType: constants.AuditResourceTypeAuthzPolicy,
-		ResourceID:   id,
-		IPAddress:    utils.GetIP(gc.Request),
-		UserAgent:    utils.GetUserAgent(gc.Request),
-	})
-
-	return &model.Response{
-		Message: "Policy deleted successfully",
-	}, nil
-}
diff --git a/internal/graphql/authz_delete_resource.go b/internal/graphql/authz_delete_resource.go
deleted file mode 100644
index b5f7b716..00000000
--- a/internal/graphql/authz_delete_resource.go
+++ /dev/null
@@ -1,52 +0,0 @@
-package graphql
-
-import (
-	"context"
-	"fmt"
-	"strings"
-
-	"github.com/authorizerdev/authorizer/internal/audit"
-	"github.com/authorizerdev/authorizer/internal/constants"
-	"github.com/authorizerdev/authorizer/internal/graph/model"
-	"github.com/authorizerdev/authorizer/internal/utils"
-)
-
-// AuthzDeleteResource is the method to delete an authorization resource.
-// Permissions: authorizer:admin
-func (g *graphqlProvider) AuthzDeleteResource(ctx context.Context, id string) (*model.Response, error) {
-	log := g.Log.With().Str("func", "AuthzDeleteResource").Logger()
-	gc, err := utils.GinContextFromContext(ctx)
-	if err != nil {
-		log.Debug().Err(err).Msg("Failed to get GinContext")
-		return nil, err
-	}
-	if !g.TokenProvider.IsSuperAdmin(gc) {
-		log.Debug().Msg("Not logged in as super admin")
-		return nil, fmt.Errorf("unauthorized")
-	}
-
-	if strings.TrimSpace(id) == "" {
-		return nil, fmt.Errorf("resource ID is required")
-	}
-
-	err = g.StorageProvider.DeleteResource(ctx, id)
-	if err != nil {
-		log.Debug().Err(err).Msg("Failed to delete resource")
-		return nil, err
-	}
-
-	g.AuthorizationProvider.InvalidateCache(context.Background(), "authz:")
-
-	g.AuditProvider.LogEvent(audit.Event{
-		Action:       constants.AuditAdminAuthzResourceDeletedEvent,
-		ActorType:    constants.AuditActorTypeAdmin,
-		ResourceType: constants.AuditResourceTypeAuthzResource,
-		ResourceID:   id,
-		IPAddress:    utils.GetIP(gc.Request),
-		UserAgent:    utils.GetUserAgent(gc.Request),
-	})
-
-	return &model.Response{
-		Message: "Resource deleted successfully",
-	}, nil
-}
diff --git a/internal/graphql/authz_delete_scope.go b/internal/graphql/authz_delete_scope.go
deleted file mode 100644
index 8295dce4..00000000
--- a/internal/graphql/authz_delete_scope.go
+++ /dev/null
@@ -1,52 +0,0 @@
-package graphql
-
-import (
-	"context"
-	"fmt"
-	"strings"
-
-	"github.com/authorizerdev/authorizer/internal/audit"
-	"github.com/authorizerdev/authorizer/internal/constants"
-	"github.com/authorizerdev/authorizer/internal/graph/model"
-	"github.com/authorizerdev/authorizer/internal/utils"
-)
-
-// AuthzDeleteScope is the method to delete an authorization scope.
-// Permissions: authorizer:admin
-func (g *graphqlProvider) AuthzDeleteScope(ctx context.Context, id string) (*model.Response, error) {
-	log := g.Log.With().Str("func", "AuthzDeleteScope").Logger()
-	gc, err := utils.GinContextFromContext(ctx)
-	if err != nil {
-		log.Debug().Err(err).Msg("Failed to get GinContext")
-		return nil, err
-	}
-	if !g.TokenProvider.IsSuperAdmin(gc) {
-		log.Debug().Msg("Not logged in as super admin")
-		return nil, fmt.Errorf("unauthorized")
-	}
-
-	if strings.TrimSpace(id) == "" {
-		return nil, fmt.Errorf("scope ID is required")
-	}
-
-	err = g.StorageProvider.DeleteScope(ctx, id)
-	if err != nil {
-		log.Debug().Err(err).Msg("Failed to delete scope")
-		return nil, err
-	}
-
-	g.AuthorizationProvider.InvalidateCache(context.Background(), "authz:")
-
-	g.AuditProvider.LogEvent(audit.Event{
-		Action:       constants.AuditAdminAuthzScopeDeletedEvent,
-		ActorType:    constants.AuditActorTypeAdmin,
-		ResourceType: constants.AuditResourceTypeAuthzScope,
-		ResourceID:   id,
-		IPAddress:    utils.GetIP(gc.Request),
-		UserAgent:    utils.GetUserAgent(gc.Request),
-	})
-
-	return &model.Response{
-		Message: "Scope deleted successfully",
-	}, nil
-}
diff --git a/internal/graphql/authz_permissions.go b/internal/graphql/authz_permissions.go
deleted file mode 100644
index a00b44ef..00000000
--- a/internal/graphql/authz_permissions.go
+++ /dev/null
@@ -1,97 +0,0 @@
-package graphql
-
-import (
-	"context"
-	"fmt"
-
-	"github.com/authorizerdev/authorizer/internal/graph/model"
-	"github.com/authorizerdev/authorizer/internal/utils"
-)
-
-// AuthzPermissions is the method to list authorization permissions with pagination.
-// Permissions: authorizer:admin
-func (g *graphqlProvider) AuthzPermissions(ctx context.Context, params *model.PaginatedRequest) (*model.AuthzPermissions, error) {
-	log := g.Log.With().Str("func", "AuthzPermissions").Logger()
-	gc, err := utils.GinContextFromContext(ctx)
-	if err != nil {
-		log.Debug().Err(err).Msg("Failed to get GinContext")
-		return nil, err
-	}
-	if !g.TokenProvider.IsSuperAdmin(gc) {
-		log.Debug().Msg("Not logged in as super admin")
-		return nil, fmt.Errorf("unauthorized")
-	}
-
-	pagination := utils.GetPagination(params)
-	permissions, pagination, err := g.StorageProvider.ListPermissions(ctx, pagination)
-	if err != nil {
-		log.Debug().Err(err).Msg("Failed to list permissions")
-		return nil, err
-	}
-
-	res := make([]*model.AuthzPermission, len(permissions))
-	for i, p := range permissions {
-		resource, err := g.StorageProvider.GetResourceByID(ctx, p.ResourceID)
-		if err != nil {
-			log.Debug().Err(err).Str("resource_id", p.ResourceID).Msg("Failed to get resource")
-			return nil, err
-		}
-
-		apiScopes, err := g.resolvePermissionScopes(ctx, p.ID)
-		if err != nil {
-			log.Debug().Err(err).Str("permission_id", p.ID).Msg("Failed to resolve permission scopes")
-			return nil, err
-		}
-
-		apiPolicies, err := g.resolvePermissionPolicies(ctx, p.ID)
-		if err != nil {
-			log.Debug().Err(err).Str("permission_id", p.ID).Msg("Failed to resolve permission policies")
-			return nil, err
-		}
-
-		res[i] = p.AsAPIPermission(resource.AsAPIResource(), apiScopes, apiPolicies)
-	}
-
-	return &model.AuthzPermissions{
-		Pagination:  pagination,
-		Permissions: res,
-	}, nil
-}
-
-// resolvePermissionScopes resolves the scopes for a permission.
-func (g *graphqlProvider) resolvePermissionScopes(ctx context.Context, permissionID string) ([]*model.AuthzScope, error) {
-	permissionScopes, err := g.StorageProvider.GetPermissionScopes(ctx, permissionID)
-	if err != nil {
-		return nil, err
-	}
-	apiScopes := make([]*model.AuthzScope, 0, len(permissionScopes))
-	for _, ps := range permissionScopes {
-		scope, err := g.StorageProvider.GetScopeByID(ctx, ps.ScopeID)
-		if err != nil {
-			return nil, err
-		}
-		apiScopes = append(apiScopes, scope.AsAPIScope())
-	}
-	return apiScopes, nil
-}
-
-// resolvePermissionPolicies resolves the policies with their targets for a permission.
-func (g *graphqlProvider) resolvePermissionPolicies(ctx context.Context, permissionID string) ([]*model.AuthzPolicy, error) {
-	permissionPolicies, err := g.StorageProvider.GetPermissionPolicies(ctx, permissionID)
-	if err != nil {
-		return nil, err
-	}
-	apiPolicies := make([]*model.AuthzPolicy, 0, len(permissionPolicies))
-	for _, pp := range permissionPolicies {
-		policy, err := g.StorageProvider.GetPolicyByID(ctx, pp.PolicyID)
-		if err != nil {
-			return nil, err
-		}
-		targets, err := g.StorageProvider.GetPolicyTargets(ctx, policy.ID)
-		if err != nil {
-			return nil, err
-		}
-		apiPolicies = append(apiPolicies, policy.AsAPIPolicy(targets))
-	}
-	return apiPolicies, nil
-}
diff --git a/internal/graphql/authz_policies.go b/internal/graphql/authz_policies.go
deleted file mode 100644
index 075ea084..00000000
--- a/internal/graphql/authz_policies.go
+++ /dev/null
@@ -1,46 +0,0 @@
-package graphql
-
-import (
-	"context"
-	"fmt"
-
-	"github.com/authorizerdev/authorizer/internal/graph/model"
-	"github.com/authorizerdev/authorizer/internal/utils"
-)
-
-// AuthzPolicies is the method to list authorization policies with pagination.
-// Permissions: authorizer:admin
-func (g *graphqlProvider) AuthzPolicies(ctx context.Context, params *model.PaginatedRequest) (*model.AuthzPolicies, error) {
-	log := g.Log.With().Str("func", "AuthzPolicies").Logger()
-	gc, err := utils.GinContextFromContext(ctx)
-	if err != nil {
-		log.Debug().Err(err).Msg("Failed to get GinContext")
-		return nil, err
-	}
-	if !g.TokenProvider.IsSuperAdmin(gc) {
-		log.Debug().Msg("Not logged in as super admin")
-		return nil, fmt.Errorf("unauthorized")
-	}
-
-	pagination := utils.GetPagination(params)
-	policies, pagination, err := g.StorageProvider.ListPolicies(ctx, pagination)
-	if err != nil {
-		log.Debug().Err(err).Msg("Failed to list policies")
-		return nil, err
-	}
-
-	res := make([]*model.AuthzPolicy, len(policies))
-	for i, p := range policies {
-		targets, err := g.StorageProvider.GetPolicyTargets(ctx, p.ID)
-		if err != nil {
-			log.Debug().Err(err).Str("policy_id", p.ID).Msg("Failed to get policy targets")
-			return nil, err
-		}
-		res[i] = p.AsAPIPolicy(targets)
-	}
-
-	return &model.AuthzPolicies{
-		Pagination: pagination,
-		Policies:   res,
-	}, nil
-}
diff --git a/internal/graphql/authz_resources.go b/internal/graphql/authz_resources.go
deleted file mode 100644
index 9377ed47..00000000
--- a/internal/graphql/authz_resources.go
+++ /dev/null
@@ -1,41 +0,0 @@
-package graphql
-
-import (
-	"context"
-	"fmt"
-
-	"github.com/authorizerdev/authorizer/internal/graph/model"
-	"github.com/authorizerdev/authorizer/internal/utils"
-)
-
-// AuthzResources is the method to list authorization resources with pagination.
-// Permissions: authorizer:admin
-func (g *graphqlProvider) AuthzResources(ctx context.Context, params *model.PaginatedRequest) (*model.AuthzResources, error) {
-	log := g.Log.With().Str("func", "AuthzResources").Logger()
-	gc, err := utils.GinContextFromContext(ctx)
-	if err != nil {
-		log.Debug().Err(err).Msg("Failed to get GinContext")
-		return nil, err
-	}
-	if !g.TokenProvider.IsSuperAdmin(gc) {
-		log.Debug().Msg("Not logged in as super admin")
-		return nil, fmt.Errorf("unauthorized")
-	}
-
-	pagination := utils.GetPagination(params)
-	resources, pagination, err := g.StorageProvider.ListResources(ctx, pagination)
-	if err != nil {
-		log.Debug().Err(err).Msg("Failed to list resources")
-		return nil, err
-	}
-
-	res := make([]*model.AuthzResource, len(resources))
-	for i, r := range resources {
-		res[i] = r.AsAPIResource()
-	}
-
-	return &model.AuthzResources{
-		Pagination: pagination,
-		Resources:  res,
-	}, nil
-}
diff --git a/internal/graphql/authz_scopes.go b/internal/graphql/authz_scopes.go
deleted file mode 100644
index 23751511..00000000
--- a/internal/graphql/authz_scopes.go
+++ /dev/null
@@ -1,41 +0,0 @@
-package graphql
-
-import (
-	"context"
-	"fmt"
-
-	"github.com/authorizerdev/authorizer/internal/graph/model"
-	"github.com/authorizerdev/authorizer/internal/utils"
-)
-
-// AuthzScopes is the method to list authorization scopes with pagination.
-// Permissions: authorizer:admin
-func (g *graphqlProvider) AuthzScopes(ctx context.Context, params *model.PaginatedRequest) (*model.AuthzScopes, error) {
-	log := g.Log.With().Str("func", "AuthzScopes").Logger()
-	gc, err := utils.GinContextFromContext(ctx)
-	if err != nil {
-		log.Debug().Err(err).Msg("Failed to get GinContext")
-		return nil, err
-	}
-	if !g.TokenProvider.IsSuperAdmin(gc) {
-		log.Debug().Msg("Not logged in as super admin")
-		return nil, fmt.Errorf("unauthorized")
-	}
-
-	pagination := utils.GetPagination(params)
-	scopes, pagination, err := g.StorageProvider.ListScopes(ctx, pagination)
-	if err != nil {
-		log.Debug().Err(err).Msg("Failed to list scopes")
-		return nil, err
-	}
-
-	res := make([]*model.AuthzScope, len(scopes))
-	for i, s := range scopes {
-		res[i] = s.AsAPIScope()
-	}
-
-	return &model.AuthzScopes{
-		Pagination: pagination,
-		Scopes:     res,
-	}, nil
-}
diff --git a/internal/graphql/authz_update_permission.go b/internal/graphql/authz_update_permission.go
deleted file mode 100644
index 7b6adbc5..00000000
--- a/internal/graphql/authz_update_permission.go
+++ /dev/null
@@ -1,239 +0,0 @@
-package graphql
-
-import (
-	"context"
-	"fmt"
-	"strings"
-	"unicode"
-
-	"github.com/authorizerdev/authorizer/internal/audit"
-	"github.com/authorizerdev/authorizer/internal/constants"
-	"github.com/authorizerdev/authorizer/internal/graph/model"
-	"github.com/authorizerdev/authorizer/internal/storage/schemas"
-	"github.com/authorizerdev/authorizer/internal/utils"
-)
-
-// AuthzUpdatePermission is the method to update an existing authorization permission.
-// Permissions: authorizer:admin
-func (g *graphqlProvider) AuthzUpdatePermission(ctx context.Context, params *model.UpdatePermissionInput) (*model.AuthzPermission, error) {
-	log := g.Log.With().Str("func", "AuthzUpdatePermission").Logger()
-	gc, err := utils.GinContextFromContext(ctx)
-	if err != nil {
-		log.Debug().Err(err).Msg("Failed to get GinContext")
-		return nil, err
-	}
-	if !g.TokenProvider.IsSuperAdmin(gc) {
-		log.Debug().Msg("Not logged in as super admin")
-		return nil, fmt.Errorf("unauthorized")
-	}
-
-	if strings.TrimSpace(params.ID) == "" {
-		return nil, fmt.Errorf("permission ID is required")
-	}
-
-	permission, err := g.StorageProvider.GetPermissionByID(ctx, params.ID)
-	if err != nil {
-		log.Debug().Err(err).Msg("Failed to get permission by ID")
-		return nil, err
-	}
-
-	// Build a copy of the permission with the requested field changes applied.
-	// Persistence is deferred until AFTER the link-rebuild loops succeed so that
-	// a link-attach failure does not leave the row with new fields but old links.
-	newPermission := *permission
-	if params.Name != nil {
-		name := strings.TrimSpace(*params.Name)
-		if name == "" {
-			return nil, fmt.Errorf("permission name cannot be empty")
-		}
-		if len(name) > constants.MaxAuthzIdentifierLength {
-			return nil, fmt.Errorf("invalid name: must be %d characters or fewer", constants.MaxAuthzIdentifierLength)
-		}
-		for _, r := range name {
-			if !unicode.IsLetter(r) && !unicode.IsDigit(r) && r != '-' && r != '_' {
-				return nil, fmt.Errorf("invalid name: must contain only letters, digits, hyphens, and underscores")
-			}
-		}
-		newPermission.Name = name
-	}
-	if params.Description != nil {
-		newPermission.Description = *params.Description
-	}
-	if params.DecisionStrategy != nil {
-		ds := *params.DecisionStrategy
-		if ds != constants.DecisionStrategyAffirmative && ds != constants.DecisionStrategyUnanimous {
-			return nil, fmt.Errorf("invalid decision strategy: must be '%s' or '%s'",
-				constants.DecisionStrategyAffirmative, constants.DecisionStrategyUnanimous)
-		}
-		newPermission.DecisionStrategy = ds
-	}
-
-	var apiScopes []*model.AuthzScope
-	if params.ScopeIds != nil {
-		if len(params.ScopeIds) == 0 {
-			return nil, fmt.Errorf("at least one scope_id is required")
-		}
-		apiScopes = make([]*model.AuthzScope, 0, len(params.ScopeIds))
-		for _, scopeID := range params.ScopeIds {
-			scope, err := g.StorageProvider.GetScopeByID(ctx, scopeID)
-			if err != nil {
-				log.Debug().Err(err).Str("scope_id", scopeID).Msg("Failed to get scope by ID")
-				return nil, fmt.Errorf("scope not found: %s", scopeID)
-			}
-			apiScopes = append(apiScopes, scope.AsAPIScope())
-		}
-	}
-
-	var apiPolicies []*model.AuthzPolicy
-	if params.PolicyIds != nil {
-		if len(params.PolicyIds) == 0 {
-			return nil, fmt.Errorf("at least one policy_id is required")
-		}
-		apiPolicies = make([]*model.AuthzPolicy, 0, len(params.PolicyIds))
-		for _, policyID := range params.PolicyIds {
-			policy, err := g.StorageProvider.GetPolicyByID(ctx, policyID)
-			if err != nil {
-				log.Debug().Err(err).Str("policy_id", policyID).Msg("Failed to get policy by ID")
-				return nil, fmt.Errorf("policy not found: %s", policyID)
-			}
-			targets, err := g.StorageProvider.GetPolicyTargets(ctx, policyID)
-			if err != nil {
-				log.Debug().Err(err).Str("policy_id", policyID).Msg("Failed to get policy targets")
-				return nil, err
-			}
-			apiPolicies = append(apiPolicies, policy.AsAPIPolicy(targets))
-		}
-	}
-
-	oldScopeLinks, err := g.StorageProvider.GetPermissionScopes(ctx, permission.ID)
-	if err != nil {
-		log.Debug().Err(err).Msg("Failed to get existing permission scopes")
-		return nil, err
-	}
-	oldPolicyLinks, err := g.StorageProvider.GetPermissionPolicies(ctx, permission.ID)
-	if err != nil {
-		log.Debug().Err(err).Msg("Failed to get existing permission policies")
-		return nil, err
-	}
-
-	// Replace scopes if provided. Delete-then-add ordering avoids accumulating
-	// duplicates. On failure, restore the previous link sets and bail out
-	// WITHOUT persisting the field changes (newPermission has not been written
-	// yet), so the on-disk permission row remains untouched.
-	if params.ScopeIds != nil {
-		err = g.StorageProvider.DeletePermissionScopesByPermissionID(ctx, permission.ID)
-		if err != nil {
-			log.Debug().Err(err).Msg("Failed to delete existing permission scopes")
-			return nil, err
-		}
-		for _, scopeID := range params.ScopeIds {
-			_, err := g.StorageProvider.AddPermissionScope(ctx, &schemas.PermissionScope{
-				PermissionID: permission.ID,
-				ScopeID:      scopeID,
-			})
-			if err != nil {
-				log.Debug().Err(err).Str("scope_id", scopeID).Msg("Failed to add permission scope")
-				g.rollbackPermissionLinks(permission.ID, oldScopeLinks, oldPolicyLinks)
-				g.AuthorizationProvider.InvalidateCache(context.Background(), "authz:")
-				return nil, err
-			}
-		}
-	}
-
-	// Replace policies if provided. Same delete-then-add semantics as scopes.
-	if params.PolicyIds != nil {
-		err = g.StorageProvider.DeletePermissionPoliciesByPermissionID(ctx, permission.ID)
-		if err != nil {
-			log.Debug().Err(err).Msg("Failed to delete existing permission policies")
-			g.rollbackPermissionLinks(permission.ID, oldScopeLinks, oldPolicyLinks)
-			g.AuthorizationProvider.InvalidateCache(context.Background(), "authz:")
-			return nil, err
-		}
-		for _, policyID := range params.PolicyIds {
-			_, err := g.StorageProvider.AddPermissionPolicy(ctx, &schemas.PermissionPolicy{
-				PermissionID: permission.ID,
-				PolicyID:     policyID,
-			})
-			if err != nil {
-				log.Debug().Err(err).Str("policy_id", policyID).Msg("Failed to add permission policy")
-				g.rollbackPermissionLinks(permission.ID, oldScopeLinks, oldPolicyLinks)
-				g.AuthorizationProvider.InvalidateCache(context.Background(), "authz:")
-				return nil, err
-			}
-		}
-	}
-
-	// Persist the field changes only AFTER both link-rebuild loops have
-	// succeeded. If this fails, undo the link replacements so the permission
-	// row + its links remain consistent (old fields, old links).
-	updated, err := g.StorageProvider.UpdatePermission(ctx, &newPermission)
-	if err != nil {
-		log.Debug().Err(err).Msg("Failed to update permission")
-		g.rollbackPermissionLinks(permission.ID, oldScopeLinks, oldPolicyLinks)
-		g.AuthorizationProvider.InvalidateCache(context.Background(), "authz:")
-		return nil, err
-	}
-	permission = updated
-
-	// Resolve the full permission for the response
-	resource, err := g.StorageProvider.GetResourceByID(ctx, permission.ResourceID)
-	if err != nil {
-		log.Debug().Err(err).Msg("Failed to get resource")
-		return nil, err
-	}
-
-	if params.ScopeIds == nil {
-		apiScopes, err = g.resolvePermissionScopes(ctx, permission.ID)
-		if err != nil {
-			log.Debug().Err(err).Msg("Failed to resolve permission scopes")
-			return nil, err
-		}
-	}
-
-	if params.PolicyIds == nil {
-		apiPolicies, err = g.resolvePermissionPolicies(ctx, permission.ID)
-		if err != nil {
-			log.Debug().Err(err).Msg("Failed to resolve permission policies")
-			return nil, err
-		}
-	}
-
-	g.AuthorizationProvider.InvalidateCache(context.Background(), "authz:")
-
-	g.AuditProvider.LogEvent(audit.Event{
-		Action:       constants.AuditAdminAuthzPermissionUpdatedEvent,
-		ActorType:    constants.AuditActorTypeAdmin,
-		ResourceType: constants.AuditResourceTypeAuthzPermission,
-		ResourceID:   permission.ID,
-		IPAddress:    utils.GetIP(gc.Request),
-		UserAgent:    utils.GetUserAgent(gc.Request),
-	})
-
-	return permission.AsAPIPermission(resource.AsAPIResource(), apiScopes, apiPolicies), nil
-}
-
-func (g *graphqlProvider) rollbackPermissionLinks(permissionID string, scopes []*schemas.PermissionScope, policies []*schemas.PermissionPolicy) {
-	log := g.Log.With().Str("func", "rollbackPermissionLinks").Logger()
-	if err := g.StorageProvider.DeletePermissionScopesByPermissionID(context.Background(), permissionID); err != nil {
-		log.Error().Err(err).Str("permission_id", permissionID).Msg("failed to delete permission scopes during rollback")
-	}
-	for _, scope := range scopes {
-		if _, err := g.StorageProvider.AddPermissionScope(context.Background(), &schemas.PermissionScope{
-			PermissionID: permissionID,
-			ScopeID:      scope.ScopeID,
-		}); err != nil {
-			log.Error().Err(err).Str("permission_id", permissionID).Str("scope_id", scope.ScopeID).Msg("failed to restore permission scope during rollback")
-		}
-	}
-	if err := g.StorageProvider.DeletePermissionPoliciesByPermissionID(context.Background(), permissionID); err != nil {
-		log.Error().Err(err).Str("permission_id", permissionID).Msg("failed to delete permission policies during rollback")
-	}
-	for _, policy := range policies {
-		if _, err := g.StorageProvider.AddPermissionPolicy(context.Background(), &schemas.PermissionPolicy{
-			PermissionID: permissionID,
-			PolicyID:     policy.PolicyID,
-		}); err != nil {
-			log.Error().Err(err).Str("permission_id", permissionID).Str("policy_id", policy.PolicyID).Msg("failed to restore permission policy during rollback")
-		}
-	}
-}
diff --git a/internal/graphql/authz_update_policy.go b/internal/graphql/authz_update_policy.go
deleted file mode 100644
index 392157eb..00000000
--- a/internal/graphql/authz_update_policy.go
+++ /dev/null
@@ -1,126 +0,0 @@
-package graphql
-
-import (
-	"context"
-	"fmt"
-	"strings"
-	"unicode"
-
-	"github.com/authorizerdev/authorizer/internal/audit"
-	"github.com/authorizerdev/authorizer/internal/constants"
-	"github.com/authorizerdev/authorizer/internal/graph/model"
-	"github.com/authorizerdev/authorizer/internal/storage/schemas"
-	"github.com/authorizerdev/authorizer/internal/utils"
-)
-
-// AuthzUpdatePolicy is the method to update an existing authorization policy.
-// Permissions: authorizer:admin
-func (g *graphqlProvider) AuthzUpdatePolicy(ctx context.Context, params *model.UpdatePolicyInput) (*model.AuthzPolicy, error) {
-	log := g.Log.With().Str("func", "AuthzUpdatePolicy").Logger()
-	gc, err := utils.GinContextFromContext(ctx)
-	if err != nil {
-		log.Debug().Err(err).Msg("Failed to get GinContext")
-		return nil, err
-	}
-	if !g.TokenProvider.IsSuperAdmin(gc) {
-		log.Debug().Msg("Not logged in as super admin")
-		return nil, fmt.Errorf("unauthorized")
-	}
-
-	if strings.TrimSpace(params.ID) == "" {
-		return nil, fmt.Errorf("policy ID is required")
-	}
-
-	policy, err := g.StorageProvider.GetPolicyByID(ctx, params.ID)
-	if err != nil {
-		log.Debug().Err(err).Msg("Failed to get policy by ID")
-		return nil, err
-	}
-
-	if params.Name != nil {
-		name := strings.TrimSpace(*params.Name)
-		if name == "" {
-			return nil, fmt.Errorf("policy name cannot be empty")
-		}
-		if len(name) > constants.MaxAuthzIdentifierLength {
-			return nil, fmt.Errorf("invalid name: must be %d characters or fewer", constants.MaxAuthzIdentifierLength)
-		}
-		for _, r := range name {
-			if !unicode.IsLetter(r) && !unicode.IsDigit(r) && r != '-' && r != '_' {
-				return nil, fmt.Errorf("invalid name: must contain only letters, digits, hyphens, and underscores")
-			}
-		}
-		policy.Name = name
-	}
-	if params.Description != nil {
-		policy.Description = *params.Description
-	}
-	if params.Logic != nil {
-		logic := *params.Logic
-		if logic != constants.PolicyLogicPositive && logic != constants.PolicyLogicNegative {
-			return nil, fmt.Errorf("invalid policy logic: must be '%s' or '%s'",
-				constants.PolicyLogicPositive, constants.PolicyLogicNegative)
-		}
-		policy.Logic = logic
-	}
-	if params.DecisionStrategy != nil {
-		ds := *params.DecisionStrategy
-		if ds != constants.DecisionStrategyAffirmative && ds != constants.DecisionStrategyUnanimous {
-			return nil, fmt.Errorf("invalid decision strategy: must be '%s' or '%s'",
-				constants.DecisionStrategyAffirmative, constants.DecisionStrategyUnanimous)
-		}
-		policy.DecisionStrategy = ds
-	}
-
-	policy, err = g.StorageProvider.UpdatePolicy(ctx, policy)
-	if err != nil {
-		log.Debug().Err(err).Msg("Failed to update policy")
-		return nil, err
-	}
-
-	// Replace targets if provided
-	var targets []*schemas.PolicyTarget
-	if params.Targets != nil {
-		// Validate against the existing policy.Type — Type is immutable on update,
-		// so targets must conform to whatever the policy was created with.
-		if err := validatePolicyTargets(policy.Type, params.Targets, g.Config.Roles); err != nil {
-			return nil, err
-		}
-		err = g.StorageProvider.DeletePolicyTargetsByPolicyID(ctx, policy.ID)
-		if err != nil {
-			log.Debug().Err(err).Msg("Failed to delete existing policy targets")
-			return nil, err
-		}
-		for _, t := range params.Targets {
-			target, err := g.StorageProvider.AddPolicyTarget(ctx, &schemas.PolicyTarget{
-				PolicyID:    policy.ID,
-				TargetType:  t.TargetType,
-				TargetValue: t.TargetValue,
-			})
-			if err != nil {
-				log.Debug().Err(err).Msg("Failed to add policy target")
-				return nil, err
-			}
-			targets = append(targets, target)
-		}
-	} else {
-		targets, err = g.StorageProvider.GetPolicyTargets(ctx, policy.ID)
-		if err != nil {
-			log.Debug().Err(err).Msg("Failed to get policy targets")
-			return nil, err
-		}
-	}
-
-	g.AuthorizationProvider.InvalidateCache(context.Background(), "authz:")
-
-	g.AuditProvider.LogEvent(audit.Event{
-		Action:       constants.AuditAdminAuthzPolicyUpdatedEvent,
-		ActorType:    constants.AuditActorTypeAdmin,
-		ResourceType: constants.AuditResourceTypeAuthzPolicy,
-		ResourceID:   policy.ID,
-		IPAddress:    utils.GetIP(gc.Request),
-		UserAgent:    utils.GetUserAgent(gc.Request),
-	})
-
-	return policy.AsAPIPolicy(targets), nil
-}
diff --git a/internal/graphql/authz_update_resource.go b/internal/graphql/authz_update_resource.go
deleted file mode 100644
index 0c54ae98..00000000
--- a/internal/graphql/authz_update_resource.go
+++ /dev/null
@@ -1,76 +0,0 @@
-package graphql
-
-import (
-	"context"
-	"fmt"
-	"strings"
-	"unicode"
-
-	"github.com/authorizerdev/authorizer/internal/audit"
-	"github.com/authorizerdev/authorizer/internal/constants"
-	"github.com/authorizerdev/authorizer/internal/graph/model"
-	"github.com/authorizerdev/authorizer/internal/utils"
-)
-
-// AuthzUpdateResource is the method to update an existing authorization resource.
-// Permissions: authorizer:admin
-func (g *graphqlProvider) AuthzUpdateResource(ctx context.Context, params *model.UpdateResourceInput) (*model.AuthzResource, error) {
-	log := g.Log.With().Str("func", "AuthzUpdateResource").Logger()
-	gc, err := utils.GinContextFromContext(ctx)
-	if err != nil {
-		log.Debug().Err(err).Msg("Failed to get GinContext")
-		return nil, err
-	}
-	if !g.TokenProvider.IsSuperAdmin(gc) {
-		log.Debug().Msg("Not logged in as super admin")
-		return nil, fmt.Errorf("unauthorized")
-	}
-
-	if strings.TrimSpace(params.ID) == "" {
-		return nil, fmt.Errorf("resource ID is required")
-	}
-
-	resource, err := g.StorageProvider.GetResourceByID(ctx, params.ID)
-	if err != nil {
-		log.Debug().Err(err).Msg("Failed to get resource by ID")
-		return nil, err
-	}
-
-	if params.Name != nil {
-		name := strings.TrimSpace(*params.Name)
-		if name == "" {
-			return nil, fmt.Errorf("resource name cannot be empty")
-		}
-		if len(name) > constants.MaxAuthzIdentifierLength {
-			return nil, fmt.Errorf("invalid name: must be %d characters or fewer", constants.MaxAuthzIdentifierLength)
-		}
-		for _, r := range name {
-			if !unicode.IsLetter(r) && !unicode.IsDigit(r) && r != '-' && r != '_' {
-				return nil, fmt.Errorf("invalid name: must contain only letters, digits, hyphens, and underscores")
-			}
-		}
-		resource.Name = name
-	}
-	if params.Description != nil {
-		resource.Description = *params.Description
-	}
-
-	resource, err = g.StorageProvider.UpdateResource(ctx, resource)
-	if err != nil {
-		log.Debug().Err(err).Msg("Failed to update resource")
-		return nil, err
-	}
-
-	g.AuthorizationProvider.InvalidateCache(context.Background(), "authz:")
-
-	g.AuditProvider.LogEvent(audit.Event{
-		Action:       constants.AuditAdminAuthzResourceUpdatedEvent,
-		ActorType:    constants.AuditActorTypeAdmin,
-		ResourceType: constants.AuditResourceTypeAuthzResource,
-		ResourceID:   resource.ID,
-		IPAddress:    utils.GetIP(gc.Request),
-		UserAgent:    utils.GetUserAgent(gc.Request),
-	})
-
-	return resource.AsAPIResource(), nil
-}
diff --git a/internal/graphql/authz_update_scope.go b/internal/graphql/authz_update_scope.go
deleted file mode 100644
index 83fe172d..00000000
--- a/internal/graphql/authz_update_scope.go
+++ /dev/null
@@ -1,76 +0,0 @@
-package graphql
-
-import (
-	"context"
-	"fmt"
-	"strings"
-	"unicode"
-
-	"github.com/authorizerdev/authorizer/internal/audit"
-	"github.com/authorizerdev/authorizer/internal/constants"
-	"github.com/authorizerdev/authorizer/internal/graph/model"
-	"github.com/authorizerdev/authorizer/internal/utils"
-)
-
-// AuthzUpdateScope is the method to update an existing authorization scope.
-// Permissions: authorizer:admin
-func (g *graphqlProvider) AuthzUpdateScope(ctx context.Context, params *model.UpdateScopeInput) (*model.AuthzScope, error) {
-	log := g.Log.With().Str("func", "AuthzUpdateScope").Logger()
-	gc, err := utils.GinContextFromContext(ctx)
-	if err != nil {
-		log.Debug().Err(err).Msg("Failed to get GinContext")
-		return nil, err
-	}
-	if !g.TokenProvider.IsSuperAdmin(gc) {
-		log.Debug().Msg("Not logged in as super admin")
-		return nil, fmt.Errorf("unauthorized")
-	}
-
-	if strings.TrimSpace(params.ID) == "" {
-		return nil, fmt.Errorf("scope ID is required")
-	}
-
-	scope, err := g.StorageProvider.GetScopeByID(ctx, params.ID)
-	if err != nil {
-		log.Debug().Err(err).Msg("Failed to get scope by ID")
-		return nil, err
-	}
-
-	if params.Name != nil {
-		name := strings.TrimSpace(*params.Name)
-		if name == "" {
-			return nil, fmt.Errorf("scope name cannot be empty")
-		}
-		if len(name) > constants.MaxAuthzIdentifierLength {
-			return nil, fmt.Errorf("invalid name: must be %d characters or fewer", constants.MaxAuthzIdentifierLength)
-		}
-		for _, r := range name {
-			if !unicode.IsLetter(r) && !unicode.IsDigit(r) && r != '-' && r != '_' {
-				return nil, fmt.Errorf("invalid name: must contain only letters, digits, hyphens, and underscores")
-			}
-		}
-		scope.Name = name
-	}
-	if params.Description != nil {
-		scope.Description = *params.Description
-	}
-
-	scope, err = g.StorageProvider.UpdateScope(ctx, scope)
-	if err != nil {
-		log.Debug().Err(err).Msg("Failed to update scope")
-		return nil, err
-	}
-
-	g.AuthorizationProvider.InvalidateCache(context.Background(), "authz:")
-
-	g.AuditProvider.LogEvent(audit.Event{
-		Action:       constants.AuditAdminAuthzScopeUpdatedEvent,
-		ActorType:    constants.AuditActorTypeAdmin,
-		ResourceType: constants.AuditResourceTypeAuthzScope,
-		ResourceID:   scope.ID,
-		IPAddress:    utils.GetIP(gc.Request),
-		UserAgent:    utils.GetUserAgent(gc.Request),
-	})
-
-	return scope.AsAPIScope(), nil
-}
diff --git a/internal/graphql/fga_admin.go b/internal/graphql/fga_admin.go
new file mode 100644
index 00000000..7e71859d
--- /dev/null
+++ b/internal/graphql/fga_admin.go
@@ -0,0 +1,226 @@
+package graphql
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"strings"
+
+	"github.com/authorizerdev/authorizer/internal/audit"
+	"github.com/authorizerdev/authorizer/internal/authorization/engine"
+	"github.com/authorizerdev/authorizer/internal/constants"
+	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/refs"
+	"github.com/authorizerdev/authorizer/internal/utils"
+)
+
+// errFgaNotEnabled is returned by every FGA resolver when no authorization
+// engine is configured (i.e. --authorization-engine != fga). Fail-closed.
+var errFgaNotEnabled = errors.New("fine-grained authorization is not enabled")
+
+// maxFgaTuplesPerWrite caps the number of tuples accepted in a single write or
+// delete to bound the work an admin call performs.
+const maxFgaTuplesPerWrite = 100
+
+// maxFgaReadPageSize caps the page size for tuple reads. OpenFGA's ReadRequest
+// enforces a [1, 100] range, so this is both a safety cap and a hard backend
+// limit.
+const maxFgaReadPageSize = 100
+
+// FgaWriteModel installs a new fine-grained authorization model from its DSL.
+// Permission: authorizer:admin. Audited.
+func (g *graphqlProvider) FgaWriteModel(ctx context.Context, params *model.FgaWriteModelInput) (*model.FgaModel, error) {
+	log := g.Log.With().Str("func", "FgaWriteModel").Logger()
+	gc, err := utils.GinContextFromContext(ctx)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to get GinContext")
+		return nil, err
+	}
+	if !g.TokenProvider.IsSuperAdmin(gc) {
+		log.Debug().Msg("Not logged in as super admin")
+		return nil, fmt.Errorf("unauthorized")
+	}
+	if g.AuthzEngine == nil {
+		return nil, errFgaNotEnabled
+	}
+	if params == nil || strings.TrimSpace(params.Dsl) == "" {
+		return nil, fmt.Errorf("dsl is required")
+	}
+	modelID, err := g.AuthzEngine.WriteModel(ctx, params.Dsl)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to write authorization model")
+		return nil, err
+	}
+	g.AuditProvider.LogEvent(audit.Event{
+		Action:       constants.AuditAdminFgaModelWrittenEvent,
+		ActorType:    constants.AuditActorTypeAdmin,
+		ResourceType: constants.AuditResourceTypeFgaModel,
+		ResourceID:   modelID,
+		IPAddress:    utils.GetIP(gc.Request),
+		UserAgent:    utils.GetUserAgent(gc.Request),
+	})
+	return &model.FgaModel{ID: modelID, Dsl: params.Dsl}, nil
+}
+
+// FgaGetModel returns the active fine-grained authorization model as DSL.
+// Permission: authorizer:admin.
+func (g *graphqlProvider) FgaGetModel(ctx context.Context) (*model.FgaModel, error) {
+	log := g.Log.With().Str("func", "FgaGetModel").Logger()
+	gc, err := utils.GinContextFromContext(ctx)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to get GinContext")
+		return nil, err
+	}
+	if !g.TokenProvider.IsSuperAdmin(gc) {
+		log.Debug().Msg("Not logged in as super admin")
+		return nil, fmt.Errorf("unauthorized")
+	}
+	if g.AuthzEngine == nil {
+		return nil, errFgaNotEnabled
+	}
+	dsl, err := g.AuthzEngine.ReadModel(ctx)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to read authorization model")
+		return nil, err
+	}
+	return &model.FgaModel{Dsl: dsl}, nil
+}
+
+// FgaWriteTuples persists the given relationship tuples.
+// Permission: authorizer:admin. Audited.
+func (g *graphqlProvider) FgaWriteTuples(ctx context.Context, params *model.FgaWriteTuplesInput) (*model.Response, error) {
+	log := g.Log.With().Str("func", "FgaWriteTuples").Logger()
+	gc, err := utils.GinContextFromContext(ctx)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to get GinContext")
+		return nil, err
+	}
+	if !g.TokenProvider.IsSuperAdmin(gc) {
+		log.Debug().Msg("Not logged in as super admin")
+		return nil, fmt.Errorf("unauthorized")
+	}
+	if g.AuthzEngine == nil {
+		return nil, errFgaNotEnabled
+	}
+	tuples, err := toEngineTuples(params)
+	if err != nil {
+		return nil, err
+	}
+	if err := g.AuthzEngine.WriteTuples(ctx, tuples); err != nil {
+		log.Debug().Err(err).Msg("Failed to write tuples")
+		return nil, err
+	}
+	g.AuditProvider.LogEvent(audit.Event{
+		Action:       constants.AuditAdminFgaTuplesWrittenEvent,
+		ActorType:    constants.AuditActorTypeAdmin,
+		ResourceType: constants.AuditResourceTypeFgaTuple,
+		IPAddress:    utils.GetIP(gc.Request),
+		UserAgent:    utils.GetUserAgent(gc.Request),
+		Metadata:     fmt.Sprintf("count=%d", len(tuples)),
+	})
+	return &model.Response{Message: "Tuples written successfully"}, nil
+}
+
+// FgaDeleteTuples removes the given relationship tuples.
+// Permission: authorizer:admin. Audited.
+func (g *graphqlProvider) FgaDeleteTuples(ctx context.Context, params *model.FgaWriteTuplesInput) (*model.Response, error) {
+	log := g.Log.With().Str("func", "FgaDeleteTuples").Logger()
+	gc, err := utils.GinContextFromContext(ctx)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to get GinContext")
+		return nil, err
+	}
+	if !g.TokenProvider.IsSuperAdmin(gc) {
+		log.Debug().Msg("Not logged in as super admin")
+		return nil, fmt.Errorf("unauthorized")
+	}
+	if g.AuthzEngine == nil {
+		return nil, errFgaNotEnabled
+	}
+	tuples, err := toEngineTuples(params)
+	if err != nil {
+		return nil, err
+	}
+	if err := g.AuthzEngine.DeleteTuples(ctx, tuples); err != nil {
+		log.Debug().Err(err).Msg("Failed to delete tuples")
+		return nil, err
+	}
+	g.AuditProvider.LogEvent(audit.Event{
+		Action:       constants.AuditAdminFgaTuplesDeletedEvent,
+		ActorType:    constants.AuditActorTypeAdmin,
+		ResourceType: constants.AuditResourceTypeFgaTuple,
+		IPAddress:    utils.GetIP(gc.Request),
+		UserAgent:    utils.GetUserAgent(gc.Request),
+		Metadata:     fmt.Sprintf("count=%d", len(tuples)),
+	})
+	return &model.Response{Message: "Tuples deleted successfully"}, nil
+}
+
+// FgaReadTuples returns a page of persisted tuples matching the filter.
+// Permission: authorizer:admin.
+func (g *graphqlProvider) FgaReadTuples(ctx context.Context, params *model.FgaReadTuplesInput) (*model.FgaTuples, error) {
+	log := g.Log.With().Str("func", "FgaReadTuples").Logger()
+	gc, err := utils.GinContextFromContext(ctx)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to get GinContext")
+		return nil, err
+	}
+	if !g.TokenProvider.IsSuperAdmin(gc) {
+		log.Debug().Msg("Not logged in as super admin")
+		return nil, fmt.Errorf("unauthorized")
+	}
+	if g.AuthzEngine == nil {
+		return nil, errFgaNotEnabled
+	}
+	filter := engine.ReadTuplesFilter{}
+	if params != nil {
+		filter.User = refs.StringValue(params.User)
+		filter.Relation = refs.StringValue(params.Relation)
+		filter.Object = refs.StringValue(params.Object)
+		filter.ContinuationToken = refs.StringValue(params.ContinuationToken)
+		if params.PageSize != nil {
+			ps := *params.PageSize
+			// Cap page size; it is an enumeration surface and the backend
+			// enforces a [1, 100] range.
+			if ps <= 0 || ps > maxFgaReadPageSize {
+				ps = maxFgaReadPageSize
+			}
+			filter.PageSize = int32(ps)
+		}
+	}
+	if filter.PageSize == 0 {
+		filter.PageSize = maxFgaReadPageSize
+	}
+	res, err := g.AuthzEngine.ReadTuples(ctx, filter)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to read tuples")
+		return nil, err
+	}
+	out := &model.FgaTuples{Tuples: make([]*model.FgaTuple, 0, len(res.Tuples))}
+	for _, t := range res.Tuples {
+		out.Tuples = append(out.Tuples, &model.FgaTuple{User: t.User, Relation: t.Relation, Object: t.Object})
+	}
+	if res.ContinuationToken != "" {
+		out.ContinuationToken = refs.NewStringRef(res.ContinuationToken)
+	}
+	return out, nil
+}
+
+// toEngineTuples validates and converts admin-supplied tuple inputs into engine
+// tuples. It enforces a per-call cap and rejects empty fields.
+func toEngineTuples(params *model.FgaWriteTuplesInput) ([]engine.TupleKey, error) {
+	if params == nil || len(params.Tuples) == 0 {
+		return nil, fmt.Errorf("at least one tuple is required")
+	}
+	if len(params.Tuples) > maxFgaTuplesPerWrite {
+		return nil, fmt.Errorf("too many tuples: max %d per request", maxFgaTuplesPerWrite)
+	}
+	tuples := make([]engine.TupleKey, 0, len(params.Tuples))
+	for _, t := range params.Tuples {
+		if t == nil || strings.TrimSpace(t.User) == "" || strings.TrimSpace(t.Relation) == "" || strings.TrimSpace(t.Object) == "" {
+			return nil, fmt.Errorf("each tuple requires user, relation and object")
+		}
+		tuples = append(tuples, engine.TupleKey{User: t.User, Relation: t.Relation, Object: t.Object})
+	}
+	return tuples, nil
+}
diff --git a/internal/graphql/fga_relation_check.go b/internal/graphql/fga_relation_check.go
new file mode 100644
index 00000000..b7de2224
--- /dev/null
+++ b/internal/graphql/fga_relation_check.go
@@ -0,0 +1,49 @@
+package graphql
+
+import (
+	"context"
+	"errors"
+	"strings"
+
+	"github.com/authorizerdev/authorizer/internal/authorization/engine"
+	"github.com/authorizerdev/authorizer/internal/graph/model"
+)
+
+// enforceRequiredRelations gates a request on fine-grained authorization. For
+// each required (relation, object) it asks the engine whether the caller
+// (subject "user:<userID>") holds that relation. Semantics:
+//
+//   - AND: every relation must be allowed.
+//   - Fail-closed: an engine error OR any deny => "unauthorized".
+//   - Empty list => authorized (preserves the prior common-case behavior where
+//     no fine-grained gating was requested).
+//   - Non-empty list with a nil engine => error (FGA not enabled but required).
+//
+// The subject is always derived server-side from the resolved userID, never
+// from client input.
+func enforceRequiredRelations(ctx context.Context, eng engine.AuthorizationEngine, userID string, required []*model.FgaRelationInput) error {
+	if len(required) == 0 {
+		return nil
+	}
+	if eng == nil {
+		return errFgaNotEnabled
+	}
+	if strings.TrimSpace(userID) == "" {
+		return errors.New("unauthorized")
+	}
+	subject := "user:" + userID
+	for _, r := range required {
+		if r == nil || strings.TrimSpace(r.Relation) == "" || strings.TrimSpace(r.Object) == "" {
+			return errors.New("each required relation needs relation and object")
+		}
+		allowed, err := eng.Check(ctx, subject, r.Relation, r.Object)
+		if err != nil {
+			// Fail closed.
+			return errors.New("unauthorized")
+		}
+		if !allowed {
+			return errors.New("unauthorized")
+		}
+	}
+	return nil
+}
diff --git a/internal/graphql/fga_runtime.go b/internal/graphql/fga_runtime.go
new file mode 100644
index 00000000..661d975e
--- /dev/null
+++ b/internal/graphql/fga_runtime.go
@@ -0,0 +1,164 @@
+package graphql
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/authorizerdev/authorizer/internal/authorization/engine"
+	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/utils"
+)
+
+// maxFgaListResults caps the number of objects returned by fga_list_objects and
+// the page size of admin tuple reads. ListObjects is an expensive enumeration
+// surface, so the result set is bounded.
+const maxFgaListResults = 1000
+
+// maxFgaBatchChecks caps the number of pairs accepted in a single batch check.
+const maxFgaBatchChecks = 100
+
+// principalForRequest resolves the authenticated caller and returns the pinned
+// OpenFGA subject ("user:<sub>"). The principal is ALWAYS derived from the auth
+// token / session — never from client input — so a caller can only ask about
+// their own access.
+func (g *graphqlProvider) principalForRequest(ctx context.Context) (string, error) {
+	gc, err := utils.GinContextFromContext(ctx)
+	if err != nil {
+		return "", err
+	}
+	tokenData, err := g.TokenProvider.GetUserIDFromSessionOrAccessToken(gc)
+	if err != nil {
+		return "", err
+	}
+	if strings.TrimSpace(tokenData.UserID) == "" {
+		return "", fmt.Errorf("unauthorized")
+	}
+	return "user:" + tokenData.UserID, nil
+}
+
+// toContextualTuples converts client-supplied contextual tuples. These are
+// request-scoped only (never persisted) and are safe to accept from the client.
+func toContextualTuples(in []*model.FgaTupleInput) ([]engine.ContextualTuple, error) {
+	if len(in) == 0 {
+		return nil, nil
+	}
+	out := make([]engine.ContextualTuple, 0, len(in))
+	for _, t := range in {
+		if t == nil || strings.TrimSpace(t.User) == "" || strings.TrimSpace(t.Relation) == "" || strings.TrimSpace(t.Object) == "" {
+			return nil, fmt.Errorf("each contextual tuple requires user, relation and object")
+		}
+		out = append(out, engine.ContextualTuple{User: t.User, Relation: t.Relation, Object: t.Object})
+	}
+	return out, nil
+}
+
+// FgaCheck answers "is the authenticated caller related to object via relation?".
+// PRINCIPAL PINNING: the subject is the caller's token sub ("user:<sub>"), never
+// client input. Fail-closed: any engine error denies.
+// Permission: authorized user.
+func (g *graphqlProvider) FgaCheck(ctx context.Context, params *model.FgaCheckInput) (*model.FgaCheckResponse, error) {
+	log := g.Log.With().Str("func", "FgaCheck").Logger()
+	if g.AuthzEngine == nil {
+		return nil, errFgaNotEnabled
+	}
+	if params == nil || strings.TrimSpace(params.Relation) == "" || strings.TrimSpace(params.Object) == "" {
+		return nil, fmt.Errorf("relation and object are required")
+	}
+	// PRINCIPAL PINNING — derive subject from the authenticated caller only.
+	principal, err := g.principalForRequest(ctx)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to resolve principal")
+		return nil, fmt.Errorf("unauthorized")
+	}
+	ctxTuples, err := toContextualTuples(params.ContextualTuples)
+	if err != nil {
+		return nil, err
+	}
+	allowed, err := g.AuthzEngine.Check(ctx, principal, params.Relation, params.Object, ctxTuples...)
+	if err != nil {
+		// Fail closed: treat engine error as deny.
+		log.Debug().Err(err).Msg("Check failed; denying")
+		return nil, fmt.Errorf("authorization check failed")
+	}
+	return &model.FgaCheckResponse{Allowed: allowed}, nil
+}
+
+// FgaBatchCheck evaluates multiple relation/object pairs for the authenticated
+// caller. Principal pinned; fail-closed per the engine contract.
+// Permission: authorized user.
+func (g *graphqlProvider) FgaBatchCheck(ctx context.Context, params *model.FgaBatchCheckInput) (*model.FgaBatchCheckResponse, error) {
+	log := g.Log.With().Str("func", "FgaBatchCheck").Logger()
+	if g.AuthzEngine == nil {
+		return nil, errFgaNotEnabled
+	}
+	if params == nil || len(params.Checks) == 0 {
+		return nil, fmt.Errorf("at least one check is required")
+	}
+	if len(params.Checks) > maxFgaBatchChecks {
+		return nil, fmt.Errorf("too many checks: max %d per request", maxFgaBatchChecks)
+	}
+	// PRINCIPAL PINNING — derive subject from the authenticated caller only.
+	principal, err := g.principalForRequest(ctx)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to resolve principal")
+		return nil, fmt.Errorf("unauthorized")
+	}
+	requests := make([]engine.CheckRequest, 0, len(params.Checks))
+	for _, c := range params.Checks {
+		if c == nil || strings.TrimSpace(c.Relation) == "" || strings.TrimSpace(c.Object) == "" {
+			return nil, fmt.Errorf("each check requires relation and object")
+		}
+		ctxTuples, err := toContextualTuples(c.ContextualTuples)
+		if err != nil {
+			return nil, err
+		}
+		requests = append(requests, engine.CheckRequest{
+			User:             principal,
+			Relation:         c.Relation,
+			Object:           c.Object,
+			ContextualTuples: ctxTuples,
+		})
+	}
+	results, err := g.AuthzEngine.BatchCheck(ctx, requests)
+	if err != nil {
+		// Fail closed for the whole batch.
+		log.Debug().Err(err).Msg("BatchCheck failed; denying")
+		return nil, fmt.Errorf("authorization check failed")
+	}
+	out := &model.FgaBatchCheckResponse{Results: make([]*model.FgaCheckResponse, 0, len(results))}
+	for _, r := range results {
+		out.Results = append(out.Results, &model.FgaCheckResponse{Allowed: r.Allowed})
+	}
+	return out, nil
+}
+
+// FgaListObjects enumerates objects of object_type the authenticated caller
+// relates to via relation. Principal pinned; result set capped (enumeration
+// surface). Fail-closed.
+// Permission: authorized user.
+func (g *graphqlProvider) FgaListObjects(ctx context.Context, params *model.FgaListObjectsInput) (*model.FgaListObjectsResponse, error) {
+	log := g.Log.With().Str("func", "FgaListObjects").Logger()
+	if g.AuthzEngine == nil {
+		return nil, errFgaNotEnabled
+	}
+	if params == nil || strings.TrimSpace(params.Relation) == "" || strings.TrimSpace(params.ObjectType) == "" {
+		return nil, fmt.Errorf("relation and object_type are required")
+	}
+	// PRINCIPAL PINNING — derive subject from the authenticated caller only.
+	principal, err := g.principalForRequest(ctx)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to resolve principal")
+		return nil, fmt.Errorf("unauthorized")
+	}
+	objects, err := g.AuthzEngine.ListObjects(ctx, principal, params.Relation, params.ObjectType)
+	if err != nil {
+		log.Debug().Err(err).Msg("ListObjects failed; denying")
+		return nil, fmt.Errorf("authorization list failed")
+	}
+	// Cap the result set; ListObjects is an expensive enumeration surface.
+	if len(objects) > maxFgaListResults {
+		objects = objects[:maxFgaListResults]
+	}
+	return &model.FgaListObjectsResponse{Objects: objects}, nil
+}
diff --git a/internal/graphql/permission_check.go b/internal/graphql/permission_check.go
deleted file mode 100644
index dcf27240..00000000
--- a/internal/graphql/permission_check.go
+++ /dev/null
@@ -1,67 +0,0 @@
-package graphql
-
-import (
-	"context"
-	"errors"
-
-	"github.com/rs/zerolog"
-
-	"github.com/authorizerdev/authorizer/internal/authorization"
-	"github.com/authorizerdev/authorizer/internal/constants"
-	"github.com/authorizerdev/authorizer/internal/graph/model"
-	"github.com/authorizerdev/authorizer/internal/metrics"
-)
-
-// enforceRequiredPermissions evaluates each required permission against the
-// authorization provider with AND semantics — every entry must be allowed,
-// otherwise the caller is treated as unauthorized.
-//
-// endpoint identifies the GraphQL operation that called this helper and
-// becomes the `endpoint` label on authorizer_required_permissions_checks_total.
-// It must be one of metrics.RequiredPermissionsEndpoint* — passing an
-// unbounded string risks Prometheus cardinality explosion.
-//
-// When required is empty (the common case) callers observe no error,
-// though the metric is still incremented with outcome=not_requested so
-// adoption can be measured per endpoint.
-//
-// Each terminal return below MUST be paired with exactly one
-// RecordRequiredPermissionsCheck call. The loop returns on the first
-// error or deny, so per-iteration emission cannot double-count — preserve
-// that invariant if you refactor.
-func (g *graphqlProvider) enforceRequiredPermissions(
-	ctx context.Context,
-	log zerolog.Logger,
-	endpoint string,
-	userID string,
-	roles []string,
-	required []*model.PermissionInput,
-) error {
-	if len(required) == 0 {
-		metrics.RecordRequiredPermissionsCheck(endpoint, metrics.RequiredPermissionsOutcomeNotRequested)
-		return nil
-	}
-	principal := &authorization.Principal{
-		ID:    userID,
-		Type:  constants.PrincipalTypeUser,
-		Roles: roles,
-	}
-	for _, p := range required {
-		if p == nil {
-			continue
-		}
-		res, err := g.AuthorizationProvider.CheckPermission(ctx, principal, p.Resource, p.Scope)
-		if err != nil {
-			log.Debug().Err(err).Str("resource", p.Resource).Str("scope", p.Scope).Msg("required permission check errored")
-			metrics.RecordRequiredPermissionsCheck(endpoint, metrics.RequiredPermissionsOutcomeError)
-			return errors.New("unauthorized")
-		}
-		if res == nil || !res.Allowed {
-			log.Debug().Str("resource", p.Resource).Str("scope", p.Scope).Msg("required permission denied")
-			metrics.RecordRequiredPermissionsCheck(endpoint, metrics.RequiredPermissionsOutcomeDenied)
-			return errors.New("unauthorized")
-		}
-	}
-	metrics.RecordRequiredPermissionsCheck(endpoint, metrics.RequiredPermissionsOutcomeGranted)
-	return nil
-}
diff --git a/internal/graphql/permissions.go b/internal/graphql/permissions.go
deleted file mode 100644
index 07c66077..00000000
--- a/internal/graphql/permissions.go
+++ /dev/null
@@ -1,62 +0,0 @@
-package graphql
-
-import (
-	"context"
-	"fmt"
-	"strings"
-
-	"github.com/authorizerdev/authorizer/internal/authorization"
-	"github.com/authorizerdev/authorizer/internal/constants"
-	"github.com/authorizerdev/authorizer/internal/graph/model"
-	"github.com/authorizerdev/authorizer/internal/utils"
-)
-
-// Permissions is the method to get all permissions for the authenticated user.
-// Permissions: authorized user
-func (g *graphqlProvider) Permissions(ctx context.Context) ([]*model.Permission, error) {
-	log := g.Log.With().Str("func", "Permissions").Logger()
-	gc, err := utils.GinContextFromContext(ctx)
-	if err != nil {
-		log.Debug().Err(err).Msg("Failed to get GinContext")
-		return nil, err
-	}
-
-	tokenData, err := g.TokenProvider.GetUserIDFromSessionOrAccessToken(gc)
-	if err != nil {
-		log.Debug().Err(err).Msg("Failed to get user from token")
-		return nil, fmt.Errorf("unauthorized")
-	}
-
-	user, err := g.StorageProvider.GetUserByID(ctx, tokenData.UserID)
-	if err != nil {
-		log.Debug().Err(err).Msg("Failed to get user by ID")
-		return nil, err
-	}
-
-	var roles []string
-	if user.Roles != "" {
-		roles = strings.Split(user.Roles, ",")
-	}
-
-	principal := &authorization.Principal{
-		ID:    user.ID,
-		Type:  constants.PrincipalTypeUser,
-		Roles: roles,
-	}
-
-	resourceScopes, err := g.AuthorizationProvider.GetPrincipalPermissions(ctx, principal)
-	if err != nil {
-		log.Debug().Err(err).Msg("Failed to get principal permissions")
-		return nil, err
-	}
-
-	res := make([]*model.Permission, len(resourceScopes))
-	for i, rs := range resourceScopes {
-		res[i] = &model.Permission{
-			Resource: rs.Resource,
-			Scope:    rs.Scope,
-		}
-	}
-
-	return res, nil
-}
diff --git a/internal/graphql/policy_targets.go b/internal/graphql/policy_targets.go
deleted file mode 100644
index 430652da..00000000
--- a/internal/graphql/policy_targets.go
+++ /dev/null
@@ -1,47 +0,0 @@
-package graphql
-
-import (
-	"fmt"
-	"strings"
-
-	"github.com/authorizerdev/authorizer/internal/constants"
-	"github.com/authorizerdev/authorizer/internal/graph/model"
-)
-
-// validatePolicyTargets enforces that every target on a policy is consistent
-// with the policy's type and references a real value:
-//
-//   - target_type must equal policyType (role or user) so that the storage row
-//     and the evaluator agree on how to match it.
-//   - target_value must be non-empty after trimming.
-//   - For role targets, target_value must be one of the configured ROLES so
-//     that policies cannot be silently dead — a typo'd role would evaluate to
-//     "no match" forever.
-//
-// User targets are not checked against the users table here: that lookup is
-// per-target and would race with deletes, so we only enforce non-emptiness
-// and let the evaluator no-op on missing IDs.
-func validatePolicyTargets(policyType string, targets []*model.PolicyTargetInput, configRoles []string) error {
-	if len(targets) == 0 {
-		return fmt.Errorf("at least one policy target is required")
-	}
-
-	allowedRoles := make(map[string]bool, len(configRoles))
-	for _, r := range configRoles {
-		allowedRoles[r] = true
-	}
-
-	for i, t := range targets {
-		if t.TargetType != policyType {
-			return fmt.Errorf("target %d: target_type %q does not match policy type %q", i, t.TargetType, policyType)
-		}
-		value := strings.TrimSpace(t.TargetValue)
-		if value == "" {
-			return fmt.Errorf("target %d: target_value is required", i)
-		}
-		if policyType == constants.PolicyTypeRole && !allowedRoles[value] {
-			return fmt.Errorf("target %d: role %q is not in configured ROLES", i, value)
-		}
-	}
-	return nil
-}
diff --git a/internal/graphql/policy_targets_test.go b/internal/graphql/policy_targets_test.go
deleted file mode 100644
index d1285aa1..00000000
--- a/internal/graphql/policy_targets_test.go
+++ /dev/null
@@ -1,61 +0,0 @@
-package graphql
-
-import (
-	"testing"
-
-	"github.com/authorizerdev/authorizer/internal/constants"
-	"github.com/authorizerdev/authorizer/internal/graph/model"
-	"github.com/stretchr/testify/assert"
-)
-
-func TestValidatePolicyTargets(t *testing.T) {
-	roles := []string{"admin", "editor", "viewer"}
-
-	t.Run("rejects empty targets", func(t *testing.T) {
-		err := validatePolicyTargets(constants.PolicyTypeRole, nil, roles)
-		assert.Error(t, err)
-	})
-
-	t.Run("rejects target_type mismatch", func(t *testing.T) {
-		err := validatePolicyTargets(constants.PolicyTypeRole, []*model.PolicyTargetInput{
-			{TargetType: constants.TargetTypeUser, TargetValue: "admin"},
-		}, roles)
-		assert.ErrorContains(t, err, "does not match policy type")
-	})
-
-	t.Run("rejects empty target_value", func(t *testing.T) {
-		err := validatePolicyTargets(constants.PolicyTypeRole, []*model.PolicyTargetInput{
-			{TargetType: constants.TargetTypeRole, TargetValue: "  "},
-		}, roles)
-		assert.ErrorContains(t, err, "target_value is required")
-	})
-
-	t.Run("rejects role not in configured ROLES", func(t *testing.T) {
-		err := validatePolicyTargets(constants.PolicyTypeRole, []*model.PolicyTargetInput{
-			{TargetType: constants.TargetTypeRole, TargetValue: "ghost"},
-		}, roles)
-		assert.ErrorContains(t, err, "not in configured ROLES")
-	})
-
-	t.Run("accepts role in configured ROLES", func(t *testing.T) {
-		err := validatePolicyTargets(constants.PolicyTypeRole, []*model.PolicyTargetInput{
-			{TargetType: constants.TargetTypeRole, TargetValue: "admin"},
-			{TargetType: constants.TargetTypeRole, TargetValue: "editor"},
-		}, roles)
-		assert.NoError(t, err)
-	})
-
-	t.Run("user targets are not checked against ROLES", func(t *testing.T) {
-		err := validatePolicyTargets(constants.PolicyTypeUser, []*model.PolicyTargetInput{
-			{TargetType: constants.TargetTypeUser, TargetValue: "6f1a2b3c-4d5e-6f70-8a9b-0c1d2e3f4a5b"},
-		}, roles)
-		assert.NoError(t, err)
-	})
-
-	t.Run("user targets still require non-empty value", func(t *testing.T) {
-		err := validatePolicyTargets(constants.PolicyTypeUser, []*model.PolicyTargetInput{
-			{TargetType: constants.TargetTypeUser, TargetValue: ""},
-		}, roles)
-		assert.ErrorContains(t, err, "target_value is required")
-	})
-}
diff --git a/internal/graphql/provider.go b/internal/graphql/provider.go
index 418c3147..98d36154 100644
--- a/internal/graphql/provider.go
+++ b/internal/graphql/provider.go
@@ -7,7 +7,7 @@ import (
 
 	"github.com/authorizerdev/authorizer/internal/audit"
 	"github.com/authorizerdev/authorizer/internal/authenticators"
-	"github.com/authorizerdev/authorizer/internal/authorization"
+	"github.com/authorizerdev/authorizer/internal/authorization/engine"
 	"github.com/authorizerdev/authorizer/internal/config"
 	"github.com/authorizerdev/authorizer/internal/email"
 	"github.com/authorizerdev/authorizer/internal/events"
@@ -39,8 +39,14 @@ type Dependencies struct {
 	StorageProvider storage.Provider
 	// TokenProvider is used to generate tokens
 	TokenProvider token.Provider
-	// AuthorizationProvider is used for fine-grained authorization checks
-	AuthorizationProvider authorization.Provider
+	// AuthzEngine is the fine-grained authorization (FGA) engine.
+	// It is nil unless --authorization-engine=fga; resolvers MUST fail closed
+	// (return an error) when it is nil.
+	//
+	// Named AuthzEngine (not AuthorizationEngine) to avoid an ambiguous-selector
+	// clash with config.Config.AuthorizationEngine, which graphqlProvider also
+	// embeds.
+	AuthzEngine engine.AuthorizationEngine
 }
 
 // New constructs a new graphql provider with given arguments
@@ -187,62 +193,28 @@ type Provider interface {
 	// Webhooks is the method to list webhooks.
 	// Permissions: authorizer:admin
 	Webhooks(ctx context.Context, in *model.PaginatedRequest) (*model.Webhooks, error)
-
-	// === Fine-Grained Authorization ===
-
-	// AuthzAddResource creates a new authorization resource.
-	// Permissions: authorizer:admin
-	AuthzAddResource(ctx context.Context, params *model.AddResourceInput) (*model.AuthzResource, error)
-	// AuthzUpdateResource updates an existing authorization resource.
-	// Permissions: authorizer:admin
-	AuthzUpdateResource(ctx context.Context, params *model.UpdateResourceInput) (*model.AuthzResource, error)
-	// AuthzDeleteResource deletes an authorization resource by ID.
-	// Permissions: authorizer:admin
-	AuthzDeleteResource(ctx context.Context, id string) (*model.Response, error)
-	// AuthzResources lists authorization resources with pagination.
+	// FgaWriteModel installs a new fine-grained authorization model.
 	// Permissions: authorizer:admin
-	AuthzResources(ctx context.Context, params *model.PaginatedRequest) (*model.AuthzResources, error)
-
-	// AuthzAddScope creates a new authorization scope.
-	// Permissions: authorizer:admin
-	AuthzAddScope(ctx context.Context, params *model.AddScopeInput) (*model.AuthzScope, error)
-	// AuthzUpdateScope updates an existing authorization scope.
-	// Permissions: authorizer:admin
-	AuthzUpdateScope(ctx context.Context, params *model.UpdateScopeInput) (*model.AuthzScope, error)
-	// AuthzDeleteScope deletes an authorization scope by ID.
+	FgaWriteModel(ctx context.Context, params *model.FgaWriteModelInput) (*model.FgaModel, error)
+	// FgaGetModel returns the active fine-grained authorization model.
 	// Permissions: authorizer:admin
-	AuthzDeleteScope(ctx context.Context, id string) (*model.Response, error)
-	// AuthzScopes lists authorization scopes with pagination.
-	// Permissions: authorizer:admin
-	AuthzScopes(ctx context.Context, params *model.PaginatedRequest) (*model.AuthzScopes, error)
-
-	// AuthzAddPolicy creates a new authorization policy with targets.
+	FgaGetModel(ctx context.Context) (*model.FgaModel, error)
+	// FgaWriteTuples writes fine-grained authorization tuples.
 	// Permissions: authorizer:admin
-	AuthzAddPolicy(ctx context.Context, params *model.AddPolicyInput) (*model.AuthzPolicy, error)
-	// AuthzUpdatePolicy updates an existing authorization policy.
+	FgaWriteTuples(ctx context.Context, params *model.FgaWriteTuplesInput) (*model.Response, error)
+	// FgaDeleteTuples deletes fine-grained authorization tuples.
 	// Permissions: authorizer:admin
-	AuthzUpdatePolicy(ctx context.Context, params *model.UpdatePolicyInput) (*model.AuthzPolicy, error)
-	// AuthzDeletePolicy deletes an authorization policy by ID.
+	FgaDeleteTuples(ctx context.Context, params *model.FgaWriteTuplesInput) (*model.Response, error)
+	// FgaReadTuples reads a page of fine-grained authorization tuples.
 	// Permissions: authorizer:admin
-	AuthzDeletePolicy(ctx context.Context, id string) (*model.Response, error)
-	// AuthzPolicies lists authorization policies with pagination.
-	// Permissions: authorizer:admin
-	AuthzPolicies(ctx context.Context, params *model.PaginatedRequest) (*model.AuthzPolicies, error)
-
-	// AuthzAddPermission creates a new authorization permission binding a resource to scopes and policies.
-	// Permissions: authorizer:admin
-	AuthzAddPermission(ctx context.Context, params *model.AddPermissionInput) (*model.AuthzPermission, error)
-	// AuthzUpdatePermission updates an existing authorization permission.
-	// Permissions: authorizer:admin
-	AuthzUpdatePermission(ctx context.Context, params *model.UpdatePermissionInput) (*model.AuthzPermission, error)
-	// AuthzDeletePermission deletes an authorization permission by ID.
-	// Permissions: authorizer:admin
-	AuthzDeletePermission(ctx context.Context, id string) (*model.Response, error)
-	// AuthzPermissions lists authorization permissions with pagination.
-	// Permissions: authorizer:admin
-	AuthzPermissions(ctx context.Context, params *model.PaginatedRequest) (*model.AuthzPermissions, error)
-
-	// Permissions returns all resource:scope pairs the authenticated user has access to.
+	FgaReadTuples(ctx context.Context, params *model.FgaReadTuplesInput) (*model.FgaTuples, error)
+	// FgaCheck checks a relation for the authenticated caller (principal pinned).
+	// Permissions: authorized user
+	FgaCheck(ctx context.Context, params *model.FgaCheckInput) (*model.FgaCheckResponse, error)
+	// FgaBatchCheck checks multiple relations for the authenticated caller.
+	// Permissions: authorized user
+	FgaBatchCheck(ctx context.Context, params *model.FgaBatchCheckInput) (*model.FgaBatchCheckResponse, error)
+	// FgaListObjects lists objects the authenticated caller relates to.
 	// Permissions: authorized user
-	Permissions(ctx context.Context) ([]*model.Permission, error)
+	FgaListObjects(ctx context.Context, params *model.FgaListObjectsInput) (*model.FgaListObjectsResponse, error)
 }
diff --git a/internal/graphql/session.go b/internal/graphql/session.go
index 2539f434..bbbdf760 100644
--- a/internal/graphql/session.go
+++ b/internal/graphql/session.go
@@ -12,7 +12,6 @@ import (
 	"github.com/authorizerdev/authorizer/internal/constants"
 	"github.com/authorizerdev/authorizer/internal/cookie"
 	"github.com/authorizerdev/authorizer/internal/graph/model"
-	"github.com/authorizerdev/authorizer/internal/metrics"
 	"github.com/authorizerdev/authorizer/internal/parsers"
 	"github.com/authorizerdev/authorizer/internal/refs"
 	"github.com/authorizerdev/authorizer/internal/token"
@@ -64,8 +63,10 @@ func (g *graphqlProvider) Session(ctx context.Context, params *model.SessionQuer
 		}
 	}
 
-	if params != nil {
-		if err := g.enforceRequiredPermissions(ctx, log, metrics.RequiredPermissionsEndpointSession, user.ID, claimRoles, params.RequiredPermissions); err != nil {
+	// Fine-grained authorization gate (AND semantics, fail-closed).
+	if params != nil && len(params.RequiredRelations) > 0 {
+		if err := enforceRequiredRelations(ctx, g.AuthzEngine, userID, params.RequiredRelations); err != nil {
+			log.Debug().Err(err).Msg("Required relations not satisfied")
 			return nil, err
 		}
 	}
diff --git a/internal/graphql/validate_jwt_token.go b/internal/graphql/validate_jwt_token.go
index 8b17ff50..c2f7d06a 100644
--- a/internal/graphql/validate_jwt_token.go
+++ b/internal/graphql/validate_jwt_token.go
@@ -9,7 +9,6 @@ import (
 
 	"github.com/authorizerdev/authorizer/internal/constants"
 	"github.com/authorizerdev/authorizer/internal/graph/model"
-	"github.com/authorizerdev/authorizer/internal/metrics"
 	"github.com/authorizerdev/authorizer/internal/parsers"
 	"github.com/authorizerdev/authorizer/internal/storage/schemas"
 	"github.com/authorizerdev/authorizer/internal/token"
@@ -126,8 +125,12 @@ func (g *graphqlProvider) ValidateJWTToken(ctx context.Context, params *model.Va
 			}
 		}
 	}
-	if err := g.enforceRequiredPermissions(ctx, log, metrics.RequiredPermissionsEndpointValidateJWTToken, userID, claimRoles, params.RequiredPermissions); err != nil {
-		return nil, err
+	// Fine-grained authorization gate (AND semantics, fail-closed).
+	if len(params.RequiredRelations) > 0 {
+		if err := enforceRequiredRelations(ctx, g.AuthzEngine, userID, params.RequiredRelations); err != nil {
+			log.Debug().Err(err).Msg("Required relations not satisfied")
+			return nil, err
+		}
 	}
 	return &model.ValidateJWTTokenResponse{
 		IsValid: true,
diff --git a/internal/graphql/validate_session.go b/internal/graphql/validate_session.go
index f5686cad..d8c23f86 100644
--- a/internal/graphql/validate_session.go
+++ b/internal/graphql/validate_session.go
@@ -7,7 +7,6 @@ import (
 
 	"github.com/authorizerdev/authorizer/internal/cookie"
 	"github.com/authorizerdev/authorizer/internal/graph/model"
-	"github.com/authorizerdev/authorizer/internal/metrics"
 	"github.com/authorizerdev/authorizer/internal/utils"
 )
 
@@ -61,8 +60,10 @@ func (g *graphqlProvider) ValidateSession(ctx context.Context, params *model.Val
 			}
 		}
 	}
-	if params != nil {
-		if err := g.enforceRequiredPermissions(ctx, log, metrics.RequiredPermissionsEndpointValidateSession, user.ID, claimRoles, params.RequiredPermissions); err != nil {
+	// Fine-grained authorization gate (AND semantics, fail-closed).
+	if params != nil && len(params.RequiredRelations) > 0 {
+		if err := enforceRequiredRelations(ctx, g.AuthzEngine, userID, params.RequiredRelations); err != nil {
+			log.Debug().Err(err).Msg("Required relations not satisfied")
 			return nil, err
 		}
 	}
diff --git a/internal/http_handlers/graphql.go b/internal/http_handlers/graphql.go
index ad6e5e97..ab098cf9 100644
--- a/internal/http_handlers/graphql.go
+++ b/internal/http_handlers/graphql.go
@@ -218,7 +218,7 @@ func (h *httpProvider) GraphqlHandler() gin.HandlerFunc {
 		SMSProvider:           h.SMSProvider,
 		StorageProvider:       h.StorageProvider,
 		TokenProvider:         h.TokenProvider,
-		AuthorizationProvider: h.AuthorizationProvider,
+		AuthzEngine:           h.AuthzEngine,
 	})
 	if err != nil {
 		h.Log.Error().Err(err).Msg("Failed to create graphql provider")
diff --git a/internal/http_handlers/provider.go b/internal/http_handlers/provider.go
index 966c2c3c..1fa2fc62 100644
--- a/internal/http_handlers/provider.go
+++ b/internal/http_handlers/provider.go
@@ -6,7 +6,7 @@ import (
 
 	"github.com/authorizerdev/authorizer/internal/audit"
 	"github.com/authorizerdev/authorizer/internal/authenticators"
-	"github.com/authorizerdev/authorizer/internal/authorization"
+	"github.com/authorizerdev/authorizer/internal/authorization/engine"
 	"github.com/authorizerdev/authorizer/internal/config"
 	"github.com/authorizerdev/authorizer/internal/email"
 	"github.com/authorizerdev/authorizer/internal/events"
@@ -43,8 +43,12 @@ type Dependencies struct {
 	OAuthProvider oauth.Provider
 	// RateLimitProvider is used for per-IP rate limiting
 	RateLimitProvider rate_limit.Provider
-	// AuthorizationProvider is used for fine-grained authorization checks
-	AuthorizationProvider authorization.Provider
+	// AuthzEngine is the fine-grained authorization (FGA) engine.
+	// It is nil unless --authorization-engine=fga.
+	//
+	// Named AuthzEngine (not AuthorizationEngine) to avoid an ambiguous-selector
+	// clash with config.Config.AuthorizationEngine, which httpProvider embeds.
+	AuthzEngine engine.AuthorizationEngine
 }
 
 // New constructs a new http provider with given arguments
diff --git a/internal/integration_tests/authorization_test.go b/internal/integration_tests/authorization_test.go
deleted file mode 100644
index d02c4647..00000000
--- a/internal/integration_tests/authorization_test.go
+++ /dev/null
@@ -1,1114 +0,0 @@
-package integration_tests
-
-import (
-	"context"
-	"fmt"
-	"testing"
-
-	"github.com/authorizerdev/authorizer/internal/authorization"
-	"github.com/authorizerdev/authorizer/internal/constants"
-	"github.com/authorizerdev/authorizer/internal/crypto"
-	"github.com/authorizerdev/authorizer/internal/graph/model"
-	"github.com/authorizerdev/authorizer/internal/metrics"
-	"github.com/authorizerdev/authorizer/internal/refs"
-	"github.com/authorizerdev/authorizer/internal/storage/schemas"
-	"github.com/google/uuid"
-	"github.com/prometheus/client_golang/prometheus/testutil"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-// TestAuthorizationCRUD tests the fine-grained authorization CRUD operations
-// and permission checking.
-func TestAuthorizationCRUD(t *testing.T) {
-	cfg := getTestConfig()
-	ts := initTestSetup(t, cfg)
-	req, ctx := createContext(ts)
-
-	// Set admin auth cookie for admin operations
-	adminHash, err := crypto.EncryptPassword(cfg.AdminSecret)
-	require.NoError(t, err)
-	req.Header.Set("Cookie", fmt.Sprintf("%s=%s", constants.AdminCookieName, adminHash))
-
-	// IDs collected across subtests
-	var resourceID string
-	var scopeID string
-	var policyID string
-	var permissionID string
-
-	t.Run("should add resource", func(t *testing.T) {
-		res, err := ts.GraphQLProvider.AuthzAddResource(ctx, &model.AddResourceInput{
-			Name:        "documents",
-			Description: refs.NewStringRef("Document resource for testing"),
-		})
-		require.NoError(t, err)
-		require.NotNil(t, res)
-		assert.NotEmpty(t, res.ID)
-		assert.Equal(t, "documents", res.Name)
-		assert.NotNil(t, res.Description)
-		assert.Equal(t, "Document resource for testing", *res.Description)
-		resourceID = res.ID
-	})
-
-	t.Run("should add scope", func(t *testing.T) {
-		res, err := ts.GraphQLProvider.AuthzAddScope(ctx, &model.AddScopeInput{
-			Name:        "read",
-			Description: refs.NewStringRef("Read access scope"),
-		})
-		require.NoError(t, err)
-		require.NotNil(t, res)
-		assert.NotEmpty(t, res.ID)
-		assert.Equal(t, "read", res.Name)
-		scopeID = res.ID
-	})
-
-	t.Run("should add policy", func(t *testing.T) {
-		res, err := ts.GraphQLProvider.AuthzAddPolicy(ctx, &model.AddPolicyInput{
-			Name:        "user-role-policy",
-			Description: refs.NewStringRef("Policy for user role"),
-			Type:        "role",
-			Targets: []*model.PolicyTargetInput{
-				{
-					TargetType:  "role",
-					TargetValue: "user",
-				},
-			},
-		})
-		require.NoError(t, err)
-		require.NotNil(t, res)
-		assert.NotEmpty(t, res.ID)
-		assert.Equal(t, "user-role-policy", res.Name)
-		assert.Equal(t, "role", res.Type)
-		assert.Equal(t, "positive", res.Logic)
-		assert.Equal(t, "affirmative", res.DecisionStrategy)
-		require.Len(t, res.Targets, 1)
-		assert.Equal(t, "role", res.Targets[0].TargetType)
-		assert.Equal(t, "user", res.Targets[0].TargetValue)
-		policyID = res.ID
-	})
-
-	t.Run("should add permission", func(t *testing.T) {
-		require.NotEmpty(t, resourceID, "resourceID must be set from prior subtest")
-		require.NotEmpty(t, scopeID, "scopeID must be set from prior subtest")
-		require.NotEmpty(t, policyID, "policyID must be set from prior subtest")
-
-		res, err := ts.GraphQLProvider.AuthzAddPermission(ctx, &model.AddPermissionInput{
-			Name:       "documents-read",
-			ResourceID: resourceID,
-			ScopeIds:   []string{scopeID},
-			PolicyIds:  []string{policyID},
-		})
-		require.NoError(t, err)
-		require.NotNil(t, res)
-		assert.NotEmpty(t, res.ID)
-		assert.Equal(t, "documents-read", res.Name)
-		assert.Equal(t, "affirmative", res.DecisionStrategy)
-		require.NotNil(t, res.Resource)
-		assert.Equal(t, resourceID, res.Resource.ID)
-		require.Len(t, res.Scopes, 1)
-		assert.Equal(t, scopeID, res.Scopes[0].ID)
-		require.Len(t, res.Policies, 1)
-		assert.Equal(t, policyID, res.Policies[0].ID)
-		permissionID = res.ID
-	})
-
-	t.Run("should list resources", func(t *testing.T) {
-		res, err := ts.GraphQLProvider.AuthzResources(ctx, &model.PaginatedRequest{})
-		require.NoError(t, err)
-		require.NotNil(t, res)
-		assert.GreaterOrEqual(t, len(res.Resources), 1)
-		assert.NotNil(t, res.Pagination)
-
-		found := false
-		for _, r := range res.Resources {
-			if r.ID == resourceID {
-				found = true
-				assert.Equal(t, "documents", r.Name)
-				break
-			}
-		}
-		assert.True(t, found, "expected resource not found in list")
-	})
-
-	t.Run("should list scopes", func(t *testing.T) {
-		res, err := ts.GraphQLProvider.AuthzScopes(ctx, &model.PaginatedRequest{})
-		require.NoError(t, err)
-		require.NotNil(t, res)
-		assert.GreaterOrEqual(t, len(res.Scopes), 1)
-	})
-
-	t.Run("should list policies", func(t *testing.T) {
-		res, err := ts.GraphQLProvider.AuthzPolicies(ctx, &model.PaginatedRequest{})
-		require.NoError(t, err)
-		require.NotNil(t, res)
-		assert.GreaterOrEqual(t, len(res.Policies), 1)
-	})
-
-	t.Run("should list permissions", func(t *testing.T) {
-		res, err := ts.GraphQLProvider.AuthzPermissions(ctx, &model.PaginatedRequest{})
-		require.NoError(t, err)
-		require.NotNil(t, res)
-		assert.GreaterOrEqual(t, len(res.Permissions), 1)
-	})
-
-	t.Run("should update resource", func(t *testing.T) {
-		require.NotEmpty(t, resourceID)
-		newName := "documents-updated"
-		res, err := ts.GraphQLProvider.AuthzUpdateResource(ctx, &model.UpdateResourceInput{
-			ID:          resourceID,
-			Name:        &newName,
-			Description: refs.NewStringRef("Updated description"),
-		})
-		require.NoError(t, err)
-		require.NotNil(t, res)
-		assert.Equal(t, resourceID, res.ID)
-		assert.Equal(t, "documents-updated", res.Name)
-		assert.Equal(t, "Updated description", *res.Description)
-
-		// Revert name for subsequent tests that reference "documents" by ID
-		origName := "documents"
-		_, err = ts.GraphQLProvider.AuthzUpdateResource(ctx, &model.UpdateResourceInput{
-			ID:   resourceID,
-			Name: &origName,
-		})
-		require.NoError(t, err)
-	})
-
-	t.Run("should check permission granted by role", func(t *testing.T) {
-		res, err := ts.Authz.CheckPermission(ctx, &authorization.Principal{
-			ID:    uuid.New().String(),
-			Type:  constants.PrincipalTypeUser,
-			Roles: []string{"user"},
-		}, "documents", "read")
-		require.NoError(t, err)
-		require.NotNil(t, res)
-		assert.True(t, res.Allowed, "principal with 'user' role should have read access to documents")
-	})
-
-	t.Run("should check permission denied for wrong role", func(t *testing.T) {
-		// Add an admin-only policy + a "write" scope + a permission requiring
-		// the "admin" role for "write" on documents.
-		adminPolicy, err := ts.GraphQLProvider.AuthzAddPolicy(ctx, &model.AddPolicyInput{
-			Name: "admin-only-policy",
-			Type: "role",
-			Targets: []*model.PolicyTargetInput{
-				{
-					TargetType:  "role",
-					TargetValue: "admin",
-				},
-			},
-		})
-		require.NoError(t, err)
-
-		writeScope, err := ts.GraphQLProvider.AuthzAddScope(ctx, &model.AddScopeInput{
-			Name: "write",
-		})
-		require.NoError(t, err)
-
-		_, err = ts.GraphQLProvider.AuthzAddPermission(ctx, &model.AddPermissionInput{
-			Name:       "documents-write",
-			ResourceID: resourceID,
-			ScopeIds:   []string{writeScope.ID},
-			PolicyIds:  []string{adminPolicy.ID},
-		})
-		require.NoError(t, err)
-
-		res, err := ts.Authz.CheckPermission(ctx, &authorization.Principal{
-			ID:    uuid.New().String(),
-			Type:  constants.PrincipalTypeUser,
-			Roles: []string{"user"},
-		}, "documents", "write")
-		require.NoError(t, err)
-		require.NotNil(t, res)
-		assert.False(t, res.Allowed, "principal with 'user' role should NOT have write access requiring 'admin' role")
-	})
-
-	// Re-set admin cookie for remaining admin operations
-	t.Run("should delete permission", func(t *testing.T) {
-		req.Header.Set("Cookie", fmt.Sprintf("%s=%s", constants.AdminCookieName, adminHash))
-		require.NotEmpty(t, permissionID)
-
-		res, err := ts.GraphQLProvider.AuthzDeletePermission(ctx, permissionID)
-		require.NoError(t, err)
-		require.NotNil(t, res)
-		assert.Contains(t, res.Message, "deleted")
-	})
-
-	t.Run("should delete resource blocked by permission", func(t *testing.T) {
-		// The "documents-write" permission still references this resource,
-		// so delete should fail.
-		_, err := ts.GraphQLProvider.AuthzDeleteResource(ctx, resourceID)
-		assert.Error(t, err)
-		assert.Contains(t, err.Error(), "permission")
-	})
-
-	t.Run("should delete scope blocked by permission", func(t *testing.T) {
-		// The "write" scope is referenced by "documents-write" permission.
-		// Find the write scope ID from the scopes list.
-		scopes, err := ts.GraphQLProvider.AuthzScopes(ctx, &model.PaginatedRequest{})
-		require.NoError(t, err)
-		var writeScopeID string
-		for _, s := range scopes.Scopes {
-			if s.Name == "write" {
-				writeScopeID = s.ID
-				break
-			}
-		}
-		require.NotEmpty(t, writeScopeID, "write scope must exist")
-
-		_, err = ts.GraphQLProvider.AuthzDeleteScope(ctx, writeScopeID)
-		assert.Error(t, err)
-		assert.Contains(t, err.Error(), "permission")
-	})
-
-	t.Run("should delete policy blocked by permission", func(t *testing.T) {
-		// The "admin-only-policy" is referenced by "documents-write" permission.
-		policies, err := ts.GraphQLProvider.AuthzPolicies(ctx, &model.PaginatedRequest{})
-		require.NoError(t, err)
-		var adminPolicyID string
-		for _, p := range policies.Policies {
-			if p.Name == "admin-only-policy" {
-				adminPolicyID = p.ID
-				break
-			}
-		}
-		require.NotEmpty(t, adminPolicyID, "admin-only-policy must exist")
-
-		_, err = ts.GraphQLProvider.AuthzDeletePolicy(ctx, adminPolicyID)
-		assert.Error(t, err)
-		assert.Contains(t, err.Error(), "permission")
-	})
-
-	// Cleanup: delete the remaining permission first, then the rest
-	t.Run("cleanup should delete remaining permission then resources", func(t *testing.T) {
-		// Find and delete the "documents-write" permission
-		perms, err := ts.GraphQLProvider.AuthzPermissions(ctx, &model.PaginatedRequest{})
-		require.NoError(t, err)
-
-		for _, p := range perms.Permissions {
-			if p.Name == "documents-write" {
-				res, err := ts.GraphQLProvider.AuthzDeletePermission(ctx, p.ID)
-				require.NoError(t, err)
-				assert.Contains(t, res.Message, "deleted")
-				break
-			}
-		}
-
-		// Now resource, scope, and policy should be deletable
-		res, err := ts.GraphQLProvider.AuthzDeleteResource(ctx, resourceID)
-		require.NoError(t, err)
-		assert.Contains(t, res.Message, "deleted")
-
-		res, err = ts.GraphQLProvider.AuthzDeleteScope(ctx, scopeID)
-		require.NoError(t, err)
-		assert.Contains(t, res.Message, "deleted")
-
-		res, err = ts.GraphQLProvider.AuthzDeletePolicy(ctx, policyID)
-		require.NoError(t, err)
-		assert.Contains(t, res.Message, "deleted")
-	})
-}
-
-// TestCheckPermission_NoPermissions_Denies verifies that a check for a
-// (resource, scope) pair with no matching permission is denied.
-func TestCheckPermission_NoPermissions_Denies(t *testing.T) {
-	ts := initTestSetup(t, getTestConfig())
-	_, ctx := createContext(ts)
-
-	result, err := ts.Authz.CheckPermission(ctx, &authorization.Principal{
-		ID:   "user-1",
-		Type: constants.PrincipalTypeUser,
-	}, "orders", "read")
-
-	require.NoError(t, err)
-	require.False(t, result.Allowed, "no matching permission must deny")
-}
-
-// TestCheckPermission_ExplicitDenyPolicy_Denies verifies that once a
-// permission exists for the (resource, scope) and attaches a negative-logic
-// policy that matches the principal, the check is denied.
-func TestCheckPermission_ExplicitDenyPolicy_Denies(t *testing.T) {
-	ts := initTestSetup(t, getTestConfig())
-	req, ctx := createContext(ts)
-
-	// Authenticate as admin for seeding operations.
-	adminHash, err := crypto.EncryptPassword(ts.Config.AdminSecret)
-	require.NoError(t, err)
-	req.Header.Set("Cookie", fmt.Sprintf("%s=%s", constants.AdminCookieName, adminHash))
-
-	// Seed resource + scope + permission + negative role policy targeting "blocked-role".
-	seedResourceScopePermissionWithDenyPolicy(t, ts, ctx, "orders", "read", "blocked-role")
-
-	// Clear admin cookie — CheckPermission here is a direct provider call; no auth context needed.
-	req.Header.Del("Cookie")
-
-	result, err := ts.Authz.CheckPermission(ctx, &authorization.Principal{
-		ID:    "user-1",
-		Type:  constants.PrincipalTypeUser,
-		Roles: []string{"blocked-role"},
-	}, "orders", "read")
-
-	require.NoError(t, err)
-	require.False(t, result.Allowed, "explicit deny must apply even in permissive mode")
-}
-
-func TestCheckPermission_ExplicitDenyOverridesAffirmativeGrant(t *testing.T) {
-	ts := initTestSetup(t, getTestConfig())
-	req, ctx := createContext(ts)
-
-	adminHash, err := crypto.EncryptPassword(ts.Config.AdminSecret)
-	require.NoError(t, err)
-	req.Header.Set("Cookie", fmt.Sprintf("%s=%s", constants.AdminCookieName, adminHash))
-
-	res, err := ts.GraphQLProvider.AuthzAddResource(ctx, &model.AddResourceInput{Name: "deny-override-docs"})
-	require.NoError(t, err)
-	sc, err := ts.GraphQLProvider.AuthzAddScope(ctx, &model.AddScopeInput{Name: "read-deny-override"})
-	require.NoError(t, err)
-
-	positive := constants.PolicyLogicPositive
-	grantPolicy, err := ts.GraphQLProvider.AuthzAddPolicy(ctx, &model.AddPolicyInput{
-		Name:  "grant-user-" + uuid.New().String(),
-		Type:  constants.PolicyTypeRole,
-		Logic: &positive,
-		Targets: []*model.PolicyTargetInput{{
-			TargetType:  constants.TargetTypeRole,
-			TargetValue: "user",
-		}},
-	})
-	require.NoError(t, err)
-
-	negative := constants.PolicyLogicNegative
-	denyPolicy, err := ts.GraphQLProvider.AuthzAddPolicy(ctx, &model.AddPolicyInput{
-		Name:  "deny-blocked-" + uuid.New().String(),
-		Type:  constants.PolicyTypeRole,
-		Logic: &negative,
-		Targets: []*model.PolicyTargetInput{{
-			TargetType:  constants.TargetTypeRole,
-			TargetValue: "blocked-role",
-		}},
-	})
-	require.NoError(t, err)
-
-	_, err = ts.GraphQLProvider.AuthzAddPermission(ctx, &model.AddPermissionInput{
-		Name:       "deny-override-permission-" + uuid.New().String(),
-		ResourceID: res.ID,
-		ScopeIds:   []string{sc.ID},
-		PolicyIds:  []string{grantPolicy.ID, denyPolicy.ID},
-	})
-	require.NoError(t, err)
-
-	result, err := ts.Authz.CheckPermission(ctx, &authorization.Principal{
-		ID:    "user-1",
-		Type:  constants.PrincipalTypeUser,
-		Roles: []string{"user", "blocked-role"},
-	}, "deny-override-docs", "read-deny-override")
-	require.NoError(t, err)
-	require.False(t, result.Allowed, "matching negative policy must override an affirmative grant")
-
-	result, err = ts.Authz.CheckPermission(ctx, &authorization.Principal{
-		ID:    "user-2",
-		Type:  constants.PrincipalTypeUser,
-		Roles: []string{"user"},
-	}, "deny-override-docs", "read-deny-override")
-	require.NoError(t, err)
-	require.True(t, result.Allowed, "non-matching negative policy must not block a positive grant")
-
-	result, err = ts.Authz.CheckPermission(ctx, &authorization.Principal{
-		ID:    "user-3",
-		Type:  constants.PrincipalTypeUser,
-		Roles: []string{"other-role"},
-	}, "deny-override-docs", "read-deny-override")
-	require.NoError(t, err)
-	require.False(t, result.Allowed, "non-matching negative policy must not grant access by itself")
-}
-
-func TestCheckPermission_CacheKeyIncludesRoles(t *testing.T) {
-	ts := initTestSetup(t, getTestConfig())
-	req, ctx := createContext(ts)
-
-	adminHash, err := crypto.EncryptPassword(ts.Config.AdminSecret)
-	require.NoError(t, err)
-	req.Header.Set("Cookie", fmt.Sprintf("%s=%s", constants.AdminCookieName, adminHash))
-
-	seedResourceScopePermissionWithPositivePolicy(t, ts, ctx, "cached-docs", "read", "viewer")
-
-	result, err := ts.Authz.CheckPermission(ctx, &authorization.Principal{
-		ID:    "user-1",
-		Type:  constants.PrincipalTypeUser,
-		Roles: []string{"viewer"},
-	}, "cached-docs", "read")
-	require.NoError(t, err)
-	require.True(t, result.Allowed)
-
-	result, err = ts.Authz.CheckPermission(ctx, &authorization.Principal{
-		ID:   "user-1",
-		Type: constants.PrincipalTypeUser,
-	}, "cached-docs", "read")
-	require.NoError(t, err)
-	require.False(t, result.Allowed, "cached allow for viewer role must not apply to the same user without that role")
-}
-
-func TestUpdatePermission_InvalidScopeDoesNotDropExistingLinks(t *testing.T) {
-	ts := initTestSetup(t, getTestConfig())
-	req, ctx := createContext(ts)
-
-	adminHash, err := crypto.EncryptPassword(ts.Config.AdminSecret)
-	require.NoError(t, err)
-	req.Header.Set("Cookie", fmt.Sprintf("%s=%s", constants.AdminCookieName, adminHash))
-
-	res, err := ts.GraphQLProvider.AuthzAddResource(ctx, &model.AddResourceInput{Name: "update-safe-docs"})
-	require.NoError(t, err)
-	sc, err := ts.GraphQLProvider.AuthzAddScope(ctx, &model.AddScopeInput{Name: "update-safe-read"})
-	require.NoError(t, err)
-	policy, err := ts.GraphQLProvider.AuthzAddPolicy(ctx, &model.AddPolicyInput{
-		Name: "update-safe-policy-" + uuid.New().String(),
-		Type: constants.PolicyTypeRole,
-		Targets: []*model.PolicyTargetInput{{
-			TargetType:  constants.TargetTypeRole,
-			TargetValue: "viewer",
-		}},
-	})
-	require.NoError(t, err)
-	perm, err := ts.GraphQLProvider.AuthzAddPermission(ctx, &model.AddPermissionInput{
-		Name:       "update-safe-permission-" + uuid.New().String(),
-		ResourceID: res.ID,
-		ScopeIds:   []string{sc.ID},
-		PolicyIds:  []string{policy.ID},
-	})
-	require.NoError(t, err)
-
-	// Capture pre-failure state. Field-level rollback is part of the contract:
-	// a failed update must leave Name, Description, and DecisionStrategy
-	// untouched on the persisted permission row.
-	origPerm, err := ts.StorageProvider.GetPermissionByID(ctx, perm.ID)
-	require.NoError(t, err)
-	origName := origPerm.Name
-	origDescription := origPerm.Description
-	origDecision := origPerm.DecisionStrategy
-
-	newName := "should-not-be-applied"
-	newDescription := "should-not-be-applied-description"
-	newDecision := constants.DecisionStrategyUnanimous
-	_, err = ts.GraphQLProvider.AuthzUpdatePermission(ctx, &model.UpdatePermissionInput{
-		ID:               perm.ID,
-		Name:             &newName,
-		Description:      &newDescription,
-		DecisionStrategy: &newDecision,
-		ScopeIds:         []string{"missing-scope-id"},
-	})
-	require.Error(t, err)
-
-	scopes, err := ts.StorageProvider.GetPermissionScopes(ctx, perm.ID)
-	require.NoError(t, err)
-	require.Len(t, scopes, 1)
-	require.Equal(t, sc.ID, scopes[0].ScopeID)
-
-	// Verify field changes were rolled back. The persisted row must still hold
-	// the original values; the attempted update must have written nothing.
-	after, err := ts.StorageProvider.GetPermissionByID(ctx, perm.ID)
-	require.NoError(t, err)
-	require.Equal(t, origName, after.Name, "name must not change when update fails")
-	require.Equal(t, origDescription, after.Description, "description must not change when update fails")
-	require.Equal(t, origDecision, after.DecisionStrategy, "decision strategy must not change when update fails")
-
-	result, err := ts.Authz.CheckPermission(ctx, &authorization.Principal{
-		ID:    "user-1",
-		Type:  constants.PrincipalTypeUser,
-		Roles: []string{"viewer"},
-	}, "update-safe-docs", "update-safe-read")
-	require.NoError(t, err)
-	require.True(t, result.Allowed, "failed update must not remove existing permission scope")
-}
-
-func TestAddPermission_DuplicateNameReturnsConflict(t *testing.T) {
-	ts := initTestSetup(t, getTestConfig())
-	req, ctx := createContext(ts)
-
-	adminHash, err := crypto.EncryptPassword(ts.Config.AdminSecret)
-	require.NoError(t, err)
-	req.Header.Set("Cookie", fmt.Sprintf("%s=%s", constants.AdminCookieName, adminHash))
-
-	res, err := ts.GraphQLProvider.AuthzAddResource(ctx, &model.AddResourceInput{Name: "duplicate-docs"})
-	require.NoError(t, err)
-	sc, err := ts.GraphQLProvider.AuthzAddScope(ctx, &model.AddScopeInput{Name: "duplicate-read"})
-	require.NoError(t, err)
-	policy, err := ts.GraphQLProvider.AuthzAddPolicy(ctx, &model.AddPolicyInput{
-		Name: "duplicate-policy-" + uuid.New().String(),
-		Type: constants.PolicyTypeRole,
-		Targets: []*model.PolicyTargetInput{{
-			TargetType:  constants.TargetTypeRole,
-			TargetValue: "viewer",
-		}},
-	})
-	require.NoError(t, err)
-
-	input := &model.AddPermissionInput{
-		Name:       "duplicate-permission",
-		ResourceID: res.ID,
-		ScopeIds:   []string{sc.ID},
-		PolicyIds:  []string{policy.ID},
-	}
-	_, err = ts.GraphQLProvider.AuthzAddPermission(ctx, input)
-	require.NoError(t, err)
-
-	// The exact error wording is provider-specific (SQL emits "already exists",
-	// while NoSQL backends surface their native duplicate-key errors). Only the
-	// presence of an error is contractual.
-	_, err = ts.GraphQLProvider.AuthzAddPermission(ctx, input)
-	require.Error(t, err, "duplicate permission name must surface as an error from any storage backend")
-}
-
-// TestCheckPermission_IncrementsPrometheusCounters verifies that an unmatched
-// check increments metrics.AuthzUnmatchedTotal by exactly one. The
-// (resource, scope) pair MUST be registered first so that the "known but no
-// matching permission" path is exercised — unknown identifiers intentionally
-// do not bump the counter (DoS guard).
-func TestCheckPermission_IncrementsPrometheusCounters(t *testing.T) {
-	ts := initTestSetup(t, getTestConfig())
-	_, ctx := createContext(ts)
-
-	// Seed resource + scope directly via storage (no permission). This makes
-	// validateResourceExists / validateScopeExists return known=true, so the
-	// subsequent CheckPermission lands on the "known, no permission" path
-	// that DOES bump counters.
-	seedKnownResourceScopeNoPermission(t, ts, ctx, "orders", "read")
-
-	before := testutil.ToFloat64(metrics.AuthzUnmatchedTotal)
-
-	_, err := ts.Authz.CheckPermission(ctx, &authorization.Principal{
-		ID:   "user-1",
-		Type: constants.PrincipalTypeUser,
-	}, "orders", "read")
-	require.NoError(t, err)
-
-	after := testutil.ToFloat64(metrics.AuthzUnmatchedTotal)
-	require.Equal(t, before+1, after, "unmatched counter must increment once per unmatched check")
-}
-
-// TestCheckPermission_UnknownResource_DeniesAndDoesNotBumpUnmatchedCounter
-// verifies the DoS guard: unknown (resource, scope) pairs are denied
-// (enforcing is the only mode), and the unmatched counter must NOT grow for
-// attacker-controlled input. Authenticated callers can still reach
-// CheckPermission with arbitrary identifiers via GraphQL (permissions /
-// required_permissions) — without this guard they could flood the in-process
-// sync.Map with arbitrary (resource, scope) pairs.
-func TestCheckPermission_UnknownResource_DeniesAndDoesNotBumpUnmatchedCounter(t *testing.T) {
-	ts := initTestSetup(t, getTestConfig())
-	_, ctx := createContext(ts)
-
-	before := testutil.ToFloat64(metrics.AuthzUnmatchedTotal)
-
-	result, err := ts.Authz.CheckPermission(ctx, &authorization.Principal{
-		ID: "user-1", Type: constants.PrincipalTypeUser,
-	}, "unknown-resource", "unknown-scope")
-
-	require.NoError(t, err)
-	require.False(t, result.Allowed, "unknown resource is always denied (enforcing-only)")
-
-	after := testutil.ToFloat64(metrics.AuthzUnmatchedTotal)
-	require.Equal(t, before, after, "unknown-resource calls must NOT bump the unmatched counter (DoS guard)")
-}
-
-// seedKnownResourceScopeNoPermission inserts a Resource and Scope row via the
-// storage provider without attaching a Permission. This is the minimal seed
-// needed to exercise the "known (resource, scope), no matching permission"
-// path in CheckPermission after Fix B/C.
-func seedKnownResourceScopeNoPermission(t *testing.T, ts *testSetup, _ context.Context, resource, scope string) {
-	t.Helper()
-	_, err := ts.StorageProvider.AddResource(context.Background(), &schemas.Resource{
-		Name:        resource,
-		Description: "seed (no permission) resource",
-	})
-	require.NoError(t, err)
-	_, err = ts.StorageProvider.AddScope(context.Background(), &schemas.Scope{
-		Name:        scope,
-		Description: "seed (no permission) scope",
-	})
-	require.NoError(t, err)
-}
-
-// seedResourceScopePermissionWithDenyPolicy seeds a resource, scope, a
-// negative-logic role policy targeting the given role, and a permission that
-// links them. It uses the GraphQL provider (mirroring TestAuthorizationCRUD),
-// so the caller must have already authenticated as admin on the request
-// attached to ts.GinContext.
-func seedResourceScopePermissionWithDenyPolicy(
-	t *testing.T,
-	ts *testSetup,
-	ctx context.Context,
-	resource, scope, role string,
-) {
-	t.Helper()
-
-	res, err := ts.GraphQLProvider.AuthzAddResource(ctx, &model.AddResourceInput{
-		Name:        resource,
-		Description: refs.NewStringRef("seed resource"),
-	})
-	require.NoError(t, err)
-	require.NotNil(t, res)
-
-	sc, err := ts.GraphQLProvider.AuthzAddScope(ctx, &model.AddScopeInput{
-		Name:        scope,
-		Description: refs.NewStringRef("seed scope"),
-	})
-	require.NoError(t, err)
-	require.NotNil(t, sc)
-
-	negative := constants.PolicyLogicNegative
-	policy, err := ts.GraphQLProvider.AuthzAddPolicy(ctx, &model.AddPolicyInput{
-		Name:        "deny-" + role + "-" + uuid.New().String(),
-		Description: refs.NewStringRef("seed deny policy"),
-		Type:        constants.PolicyTypeRole,
-		Logic:       &negative,
-		Targets: []*model.PolicyTargetInput{
-			{
-				TargetType:  constants.TargetTypeRole,
-				TargetValue: role,
-			},
-		},
-	})
-	require.NoError(t, err)
-	require.NotNil(t, policy)
-	require.Equal(t, constants.PolicyLogicNegative, policy.Logic, "policy must be stored as negative")
-
-	perm, err := ts.GraphQLProvider.AuthzAddPermission(ctx, &model.AddPermissionInput{
-		Name:       resource + "-" + scope,
-		ResourceID: res.ID,
-		ScopeIds:   []string{sc.ID},
-		PolicyIds:  []string{policy.ID},
-	})
-	require.NoError(t, err)
-	require.NotNil(t, perm)
-}
-
-// TestCheckPermission_ResultLabels_IncrementCorrectCounter covers the result
-// labels on authorizer_authz_checks_total: allowed, denied, unmatched, and
-// error. Each subtest builds the exact shape needed to land on one terminal
-// path in CheckPermission and asserts that exactly one increment is recorded
-// on the matching counter series.
-// Co-located with the authz tests because it shares their fixtures.
-func TestCheckPermission_ResultLabels_IncrementCorrectCounter(t *testing.T) {
-	t.Run("allowed", func(t *testing.T) {
-		ts := initTestSetup(t, getTestConfig())
-		req, ctx := createContext(ts)
-		adminHash, err := crypto.EncryptPassword(ts.Config.AdminSecret)
-		require.NoError(t, err)
-		req.Header.Set("Cookie", fmt.Sprintf("%s=%s", constants.AdminCookieName, adminHash))
-
-		// Seed a granting role policy + permission for (orders, read) and a
-		// user principal with the "user" role so the affirmative grant fires.
-		seedResourceScopePermissionAllowingRole(t, ts, ctx, "orders", "read", "user")
-
-		before := testutil.ToFloat64(metrics.AuthzChecksTotal.WithLabelValues(metrics.AuthzResultAllowed))
-
-		res, err := ts.Authz.CheckPermission(ctx, &authorization.Principal{
-			ID: "user-allowed", Type: constants.PrincipalTypeUser, Roles: []string{"user"},
-		}, "orders", "read")
-		require.NoError(t, err)
-		require.True(t, res.Allowed)
-
-		after := testutil.ToFloat64(metrics.AuthzChecksTotal.WithLabelValues(metrics.AuthzResultAllowed))
-		require.Equal(t, before+1, after, "allowed counter must increment once")
-	})
-
-	t.Run("denied", func(t *testing.T) {
-		ts := initTestSetup(t, getTestConfig())
-		req, ctx := createContext(ts)
-		adminHash, err := crypto.EncryptPassword(ts.Config.AdminSecret)
-		require.NoError(t, err)
-		req.Header.Set("Cookie", fmt.Sprintf("%s=%s", constants.AdminCookieName, adminHash))
-
-		// Negative-logic policy targeting "user" — any principal with that
-		// role is explicitly denied on (orders, read).
-		seedResourceScopePermissionWithDenyPolicy(t, ts, ctx, "orders", "read", "user")
-
-		before := testutil.ToFloat64(metrics.AuthzChecksTotal.WithLabelValues(metrics.AuthzResultDenied))
-
-		res, err := ts.Authz.CheckPermission(ctx, &authorization.Principal{
-			ID: "user-denied", Type: constants.PrincipalTypeUser, Roles: []string{"user"},
-		}, "orders", "read")
-		require.NoError(t, err)
-		require.False(t, res.Allowed)
-
-		after := testutil.ToFloat64(metrics.AuthzChecksTotal.WithLabelValues(metrics.AuthzResultDenied))
-		require.Equal(t, before+1, after, "denied counter must increment once")
-	})
-
-	t.Run("unmatched", func(t *testing.T) {
-		ts := initTestSetup(t, getTestConfig())
-		_, ctx := createContext(ts)
-
-		// Known (resource, scope) with no permission row → denied, increments unmatched.
-		seedKnownResourceScopeNoPermission(t, ts, ctx, "orders", "read")
-
-		before := testutil.ToFloat64(metrics.AuthzChecksTotal.WithLabelValues(metrics.AuthzResultUnmatched))
-
-		res, err := ts.Authz.CheckPermission(ctx, &authorization.Principal{
-			ID: "user-unmatched", Type: constants.PrincipalTypeUser,
-		}, "orders", "read")
-		require.NoError(t, err)
-		require.False(t, res.Allowed)
-
-		after := testutil.ToFloat64(metrics.AuthzChecksTotal.WithLabelValues(metrics.AuthzResultUnmatched))
-		require.Equal(t, before+1, after, "unmatched counter must increment once")
-	})
-
-	t.Run("error", func(t *testing.T) {
-		ts := initTestSetup(t, getTestConfig())
-		_, ctx := createContext(ts)
-
-		before := testutil.ToFloat64(metrics.AuthzChecksTotal.WithLabelValues(metrics.AuthzResultError))
-
-		// Invalid identifier — fails the input validation path which records
-		// AuthzResultError before any storage or cache lookup.
-		_, err := ts.Authz.CheckPermission(ctx, &authorization.Principal{
-			ID: "user-error", Type: constants.PrincipalTypeUser,
-		}, "bad resource with spaces", "read")
-		require.Error(t, err)
-
-		after := testutil.ToFloat64(metrics.AuthzChecksTotal.WithLabelValues(metrics.AuthzResultError))
-		require.Equal(t, before+1, after, "error counter must increment once")
-	})
-}
-
-// seedResourceScopePermissionAllowingRole seeds a resource + scope and an
-// affirmative-logic role policy targeting `role`, then attaches a permission
-// linking them. Mirrors seedResourceScopePermissionWithDenyPolicy but for the
-// grant path.
-func seedResourceScopePermissionAllowingRole(
-	t *testing.T,
-	ts *testSetup,
-	ctx context.Context,
-	resource, scope, role string,
-) {
-	t.Helper()
-
-	res, err := ts.GraphQLProvider.AuthzAddResource(ctx, &model.AddResourceInput{
-		Name:        resource,
-		Description: refs.NewStringRef("seed resource"),
-	})
-	require.NoError(t, err)
-
-	sc, err := ts.GraphQLProvider.AuthzAddScope(ctx, &model.AddScopeInput{
-		Name:        scope,
-		Description: refs.NewStringRef("seed scope"),
-	})
-	require.NoError(t, err)
-
-	pol, err := ts.GraphQLProvider.AuthzAddPolicy(ctx, &model.AddPolicyInput{
-		Name:        "allow-" + role + "-" + uuid.New().String()[:8],
-		Description: refs.NewStringRef("seed allow policy"),
-		Type:        constants.PolicyTypeRole,
-		Logic:       refs.NewStringRef(constants.PolicyLogicPositive),
-		Targets: []*model.PolicyTargetInput{
-			{TargetType: constants.TargetTypeRole, TargetValue: role},
-		},
-	})
-	require.NoError(t, err)
-
-	perm, err := ts.GraphQLProvider.AuthzAddPermission(ctx, &model.AddPermissionInput{
-		Name:        "allow-" + resource + "-" + scope + "-" + uuid.New().String()[:8],
-		Description: refs.NewStringRef("seed allow permission"),
-		ResourceID:  res.ID,
-		ScopeIds:    []string{sc.ID},
-		PolicyIds:   []string{pol.ID},
-	})
-	require.NoError(t, err)
-	require.NotNil(t, perm)
-}
-
-// seedResourceScopePermissionWithRolePolicy seeds a resource, scope, a
-// role policy with the given logic targeting the given role, and a permission
-// that links them. Shared implementation used by the positive- and
-// negative-logic helpers.
-func seedResourceScopePermissionWithRolePolicy(
-	t *testing.T,
-	ts *testSetup,
-	ctx context.Context,
-	resource, scope, role, logic string,
-) {
-	t.Helper()
-
-	res, err := ts.GraphQLProvider.AuthzAddResource(ctx, &model.AddResourceInput{
-		Name:        resource,
-		Description: refs.NewStringRef("seed resource"),
-	})
-	require.NoError(t, err)
-	require.NotNil(t, res)
-
-	sc, err := ts.GraphQLProvider.AuthzAddScope(ctx, &model.AddScopeInput{
-		Name:        scope,
-		Description: refs.NewStringRef("seed scope"),
-	})
-	require.NoError(t, err)
-	require.NotNil(t, sc)
-
-	logicRef := logic
-	policy, err := ts.GraphQLProvider.AuthzAddPolicy(ctx, &model.AddPolicyInput{
-		Name:        logic + "-" + role + "-" + uuid.New().String(),
-		Description: refs.NewStringRef("seed role policy"),
-		Type:        constants.PolicyTypeRole,
-		Logic:       &logicRef,
-		Targets: []*model.PolicyTargetInput{
-			{
-				TargetType:  constants.TargetTypeRole,
-				TargetValue: role,
-			},
-		},
-	})
-	require.NoError(t, err)
-	require.NotNil(t, policy)
-	require.Equal(t, logic, policy.Logic, "policy must be stored with requested logic")
-
-	perm, err := ts.GraphQLProvider.AuthzAddPermission(ctx, &model.AddPermissionInput{
-		Name:       resource + "-" + scope + "-" + uuid.New().String(),
-		ResourceID: res.ID,
-		ScopeIds:   []string{sc.ID},
-		PolicyIds:  []string{policy.ID},
-	})
-	require.NoError(t, err)
-	require.NotNil(t, perm)
-}
-
-// seedResourceScopePermissionWithPositivePolicy seeds a resource, scope, a
-// positive-logic role policy targeting the given role, and a permission that
-// links them. Mirrors seedResourceScopePermissionWithDenyPolicy but with grant
-// semantics.
-func seedResourceScopePermissionWithPositivePolicy(
-	t *testing.T,
-	ts *testSetup,
-	ctx context.Context,
-	resource, scope, role string,
-) {
-	t.Helper()
-	seedResourceScopePermissionWithRolePolicy(t, ts, ctx, resource, scope, role, constants.PolicyLogicPositive)
-}
-
-// seedResourceScopeWithUnanimousDualRolePolicy seeds a resource, scope, TWO
-// positive-logic role policies (one per role), and a permission that links
-// them with DecisionStrategy=unanimous. This is the minimal setup to exercise
-// the unanimous evaluation path (all attached policies must agree).
-func seedResourceScopeWithUnanimousDualRolePolicy(
-	t *testing.T,
-	ts *testSetup,
-	ctx context.Context,
-	resource, scope, roleA, roleB string,
-) {
-	t.Helper()
-
-	res, err := ts.GraphQLProvider.AuthzAddResource(ctx, &model.AddResourceInput{
-		Name:        resource,
-		Description: refs.NewStringRef("seed resource"),
-	})
-	require.NoError(t, err)
-	require.NotNil(t, res)
-
-	sc, err := ts.GraphQLProvider.AuthzAddScope(ctx, &model.AddScopeInput{
-		Name:        scope,
-		Description: refs.NewStringRef("seed scope"),
-	})
-	require.NoError(t, err)
-	require.NotNil(t, sc)
-
-	positive := constants.PolicyLogicPositive
-
-	policyA, err := ts.GraphQLProvider.AuthzAddPolicy(ctx, &model.AddPolicyInput{
-		Name:        "grant-" + roleA + "-" + uuid.New().String(),
-		Description: refs.NewStringRef("seed positive role policy A"),
-		Type:        constants.PolicyTypeRole,
-		Logic:       &positive,
-		Targets: []*model.PolicyTargetInput{
-			{
-				TargetType:  constants.TargetTypeRole,
-				TargetValue: roleA,
-			},
-		},
-	})
-	require.NoError(t, err)
-	require.NotNil(t, policyA)
-
-	policyB, err := ts.GraphQLProvider.AuthzAddPolicy(ctx, &model.AddPolicyInput{
-		Name:        "grant-" + roleB + "-" + uuid.New().String(),
-		Description: refs.NewStringRef("seed positive role policy B"),
-		Type:        constants.PolicyTypeRole,
-		Logic:       &positive,
-		Targets: []*model.PolicyTargetInput{
-			{
-				TargetType:  constants.TargetTypeRole,
-				TargetValue: roleB,
-			},
-		},
-	})
-	require.NoError(t, err)
-	require.NotNil(t, policyB)
-
-	unanimous := constants.DecisionStrategyUnanimous
-	perm, err := ts.GraphQLProvider.AuthzAddPermission(ctx, &model.AddPermissionInput{
-		Name:             resource + "-" + scope + "-" + uuid.New().String(),
-		ResourceID:       res.ID,
-		ScopeIds:         []string{sc.ID},
-		PolicyIds:        []string{policyA.ID, policyB.ID},
-		DecisionStrategy: &unanimous,
-	})
-	require.NoError(t, err)
-	require.NotNil(t, perm)
-	require.Equal(t, constants.DecisionStrategyUnanimous, perm.DecisionStrategy,
-		"permission must be persisted with unanimous strategy")
-}
-
-// seedResourceScopeWithUserPolicyPermission seeds a resource, scope, a
-// positive-logic user policy targeting the given userID, and a permission that
-// links them. Exercises the PolicyTypeUser path: the policy matches on
-// principal.ID, not roles.
-func seedResourceScopeWithUserPolicyPermission(
-	t *testing.T,
-	ts *testSetup,
-	ctx context.Context,
-	resource, scope, userID string,
-) {
-	t.Helper()
-
-	res, err := ts.GraphQLProvider.AuthzAddResource(ctx, &model.AddResourceInput{
-		Name:        resource,
-		Description: refs.NewStringRef("seed resource"),
-	})
-	require.NoError(t, err)
-	require.NotNil(t, res)
-
-	sc, err := ts.GraphQLProvider.AuthzAddScope(ctx, &model.AddScopeInput{
-		Name:        scope,
-		Description: refs.NewStringRef("seed scope"),
-	})
-	require.NoError(t, err)
-	require.NotNil(t, sc)
-
-	positive := constants.PolicyLogicPositive
-	policy, err := ts.GraphQLProvider.AuthzAddPolicy(ctx, &model.AddPolicyInput{
-		Name:        "user-grant-" + uuid.New().String(),
-		Description: refs.NewStringRef("seed user policy"),
-		Type:        constants.PolicyTypeUser,
-		Logic:       &positive,
-		Targets: []*model.PolicyTargetInput{
-			{
-				TargetType:  constants.TargetTypeUser,
-				TargetValue: userID,
-			},
-		},
-	})
-	require.NoError(t, err)
-	require.NotNil(t, policy)
-
-	perm, err := ts.GraphQLProvider.AuthzAddPermission(ctx, &model.AddPermissionInput{
-		Name:       resource + "-" + scope + "-" + uuid.New().String(),
-		ResourceID: res.ID,
-		ScopeIds:   []string{sc.ID},
-		PolicyIds:  []string{policy.ID},
-	})
-	require.NoError(t, err)
-	require.NotNil(t, perm)
-}
-
-// TestCheckPermission_MaxScopes_InsideCeiling_UsesPolicy verifies that when a
-// principal's delegation ceiling (MaxScopes) explicitly includes the requested
-// resource:scope, the normal policy evaluation proceeds and a matching
-// positive policy still grants access.
-func TestCheckPermission_MaxScopes_InsideCeiling_UsesPolicy(t *testing.T) {
-	ts := initTestSetup(t, getTestConfig())
-	req, ctx := createContext(ts)
-	adminHash, err := crypto.EncryptPassword(ts.Config.AdminSecret)
-	require.NoError(t, err)
-	req.Header.Set("Cookie", fmt.Sprintf("%s=%s", constants.AdminCookieName, adminHash))
-
-	seedResourceScopePermissionWithPositivePolicy(t, ts, ctx, "docs", "read", "viewer")
-
-	result, err := ts.Authz.CheckPermission(ctx, &authorization.Principal{
-		ID:        "user-1",
-		Type:      constants.PrincipalTypeUser,
-		Roles:     []string{"viewer"},
-		MaxScopes: []string{"docs:read"},
-	}, "docs", "read")
-	require.NoError(t, err)
-	require.True(t, result.Allowed)
-}
-
-// TestCheckPermission_MaxScopes_OutsideCeiling_DeniesBeforePolicy verifies that
-// even when a principal's roles/policies would normally grant access, a
-// MaxScopes ceiling that does not include the requested resource:scope MUST
-// deny the check short-circuit — delegation ceilings are evaluated before
-// policy matching.
-func TestCheckPermission_MaxScopes_OutsideCeiling_DeniesBeforePolicy(t *testing.T) {
-	ts := initTestSetup(t, getTestConfig())
-	req, ctx := createContext(ts)
-	adminHash, err := crypto.EncryptPassword(ts.Config.AdminSecret)
-	require.NoError(t, err)
-	req.Header.Set("Cookie", fmt.Sprintf("%s=%s", constants.AdminCookieName, adminHash))
-
-	seedResourceScopePermissionWithPositivePolicy(t, ts, ctx, "docs", "read", "viewer")
-
-	result, err := ts.Authz.CheckPermission(ctx, &authorization.Principal{
-		ID:        "user-1",
-		Type:      constants.PrincipalTypeUser,
-		Roles:     []string{"viewer"},
-		MaxScopes: []string{"docs:write"},
-	}, "docs", "read")
-	require.NoError(t, err)
-	require.False(t, result.Allowed, "MaxScopes ceiling must deny before policy eval")
-}
-
-// TestCheckPermission_UnanimousDecisionStrategy_AllPoliciesMustAgree verifies
-// that a permission with DecisionStrategy=unanimous only grants when every
-// attached policy's target matches the principal. A principal with only one of
-// the two required roles must be denied; a principal with both is allowed.
-func TestCheckPermission_UnanimousDecisionStrategy_AllPoliciesMustAgree(t *testing.T) {
-	ts := initTestSetup(t, getTestConfig())
-	req, ctx := createContext(ts)
-	adminHash, err := crypto.EncryptPassword(ts.Config.AdminSecret)
-	require.NoError(t, err)
-	req.Header.Set("Cookie", fmt.Sprintf("%s=%s", constants.AdminCookieName, adminHash))
-
-	seedResourceScopeWithUnanimousDualRolePolicy(t, ts, ctx, "ledger", "read", "accountant", "auditor")
-
-	res, err := ts.Authz.CheckPermission(ctx, &authorization.Principal{
-		ID:    "user-1",
-		Type:  constants.PrincipalTypeUser,
-		Roles: []string{"accountant"},
-	}, "ledger", "read")
-	require.NoError(t, err)
-	require.False(t, res.Allowed, "unanimous: missing one role")
-
-	res2, err := ts.Authz.CheckPermission(ctx, &authorization.Principal{
-		ID:    "user-2",
-		Type:  constants.PrincipalTypeUser,
-		Roles: []string{"accountant", "auditor"},
-	}, "ledger", "read")
-	require.NoError(t, err)
-	require.True(t, res2.Allowed, "unanimous: all roles present")
-}
-
-// TestCheckPermission_UserTypePolicy_MatchesOnPrincipalID verifies that a
-// PolicyTypeUser policy matches the principal by its ID (not by role). The
-// seeded policy grants access to a specific user; any other user must be
-// denied.
-func TestCheckPermission_UserTypePolicy_MatchesOnPrincipalID(t *testing.T) {
-	ts := initTestSetup(t, getTestConfig())
-	req, ctx := createContext(ts)
-	adminHash, err := crypto.EncryptPassword(ts.Config.AdminSecret)
-	require.NoError(t, err)
-	req.Header.Set("Cookie", fmt.Sprintf("%s=%s", constants.AdminCookieName, adminHash))
-
-	seedResourceScopeWithUserPolicyPermission(t, ts, ctx, "secret", "read", "user-alice")
-
-	res, err := ts.Authz.CheckPermission(ctx, &authorization.Principal{
-		ID:   "user-alice",
-		Type: constants.PrincipalTypeUser,
-	}, "secret", "read")
-	require.NoError(t, err)
-	require.True(t, res.Allowed)
-
-	res2, err := ts.Authz.CheckPermission(ctx, &authorization.Principal{
-		ID:   "user-bob",
-		Type: constants.PrincipalTypeUser,
-	}, "secret", "read")
-	require.NoError(t, err)
-	require.False(t, res2.Allowed)
-}
diff --git a/internal/integration_tests/authz_cache_invalidation_test.go b/internal/integration_tests/authz_cache_invalidation_test.go
deleted file mode 100644
index 1aaf7625..00000000
--- a/internal/integration_tests/authz_cache_invalidation_test.go
+++ /dev/null
@@ -1,162 +0,0 @@
-package integration_tests
-
-import (
-	"context"
-	"fmt"
-	"testing"
-
-	"github.com/google/uuid"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	"github.com/authorizerdev/authorizer/internal/authorization"
-	"github.com/authorizerdev/authorizer/internal/constants"
-	"github.com/authorizerdev/authorizer/internal/crypto"
-	"github.com/authorizerdev/authorizer/internal/graph/model"
-)
-
-// TestAuthzCacheInvalidation_OnAdminMutations verifies that the memory_store-
-// backed decision cache is actually invalidated when the policy graph changes
-// via admin mutations. The test enables the authz cache (CacheTTL > 0),
-// primes a deny verdict for (resource, scope), then mutates the graph via
-// each admin operation that should invalidate cache, and confirms the next
-// check produces the new verdict instead of the cached one.
-func TestAuthzCacheInvalidation_OnAdminMutations(t *testing.T) {
-	cfg := getTestConfig()
-	cfg.AuthorizationCacheTTL = 300 // turn the cache ON for this test
-	ts := initTestSetup(t, cfg)
-	req, ctx := createContext(ts)
-
-	adminHash, err := crypto.EncryptPassword(cfg.AdminSecret)
-	require.NoError(t, err)
-	req.Header.Set("Cookie", fmt.Sprintf("%s=%s", constants.AdminCookieName, adminHash))
-	t.Cleanup(func() { req.Header.Del("Cookie") })
-
-	resource, err := ts.GraphQLProvider.AuthzAddResource(ctx, &model.AddResourceInput{Name: "inv-docs"})
-	require.NoError(t, err)
-	readScope, err := ts.GraphQLProvider.AuthzAddScope(ctx, &model.AddScopeInput{Name: "inv-read"})
-	require.NoError(t, err)
-	writeScope, err := ts.GraphQLProvider.AuthzAddScope(ctx, &model.AddScopeInput{Name: "inv-write"})
-	require.NoError(t, err)
-	policy, err := ts.GraphQLProvider.AuthzAddPolicy(ctx, &model.AddPolicyInput{
-		Name: "inv-user-role",
-		Type: "role",
-		Targets: []*model.PolicyTargetInput{
-			{TargetType: "role", TargetValue: "user"},
-		},
-	})
-	require.NoError(t, err)
-
-	principal := &authorization.Principal{
-		ID:    uuid.New().String(),
-		Type:  constants.PrincipalTypeUser,
-		Roles: []string{"user"},
-	}
-
-	check := func(t *testing.T, scope string) bool {
-		t.Helper()
-		res, err := ts.Authz.CheckPermission(context.Background(), principal, "inv-docs", scope)
-		require.NoError(t, err)
-		require.NotNil(t, res)
-		return res.Allowed
-	}
-
-	t.Run("add permission flips cached deny to allow", func(t *testing.T) {
-		// Prime: no permission row exists yet, evaluator returns deny and
-		// memory_store now holds "false" for this (principal, resource, scope).
-		assert.False(t, check(t, "inv-read"), "must deny before any permission exists")
-
-		// Mutate: add a permission granting inv-docs:inv-read via the
-		// user-role policy. The graphql layer calls InvalidateCache.
-		perm, err := ts.GraphQLProvider.AuthzAddPermission(ctx, &model.AddPermissionInput{
-			Name:       "inv-docs-read",
-			ResourceID: resource.ID,
-			ScopeIds:   []string{readScope.ID},
-			PolicyIds:  []string{policy.ID},
-		})
-		require.NoError(t, err)
-		t.Cleanup(func() {
-			_, _ = ts.GraphQLProvider.AuthzDeletePermission(ctx, perm.ID)
-		})
-
-		// Verdict must update — if the cache wasn't invalidated, we'd still
-		// see the stale "false".
-		assert.True(t, check(t, "inv-read"), "cached deny must be invalidated; new permission should grant access")
-	})
-
-	t.Run("update permission swap-scopes flips verdicts", func(t *testing.T) {
-		// Seed a permission for inv-read, prime cache (allow for inv-read,
-		// deny for inv-write).
-		perm, err := ts.GraphQLProvider.AuthzAddPermission(ctx, &model.AddPermissionInput{
-			Name:       "inv-update-perm",
-			ResourceID: resource.ID,
-			ScopeIds:   []string{readScope.ID},
-			PolicyIds:  []string{policy.ID},
-		})
-		require.NoError(t, err)
-		t.Cleanup(func() {
-			_, _ = ts.GraphQLProvider.AuthzDeletePermission(ctx, perm.ID)
-		})
-
-		require.True(t, check(t, "inv-read"), "precondition: inv-read allowed via new permission")
-		require.False(t, check(t, "inv-write"), "precondition: inv-write denied (not in any permission row)")
-
-		// Swap the permission's scope set from read → write. Cache for both
-		// pairs must be invalidated.
-		_, err = ts.GraphQLProvider.AuthzUpdatePermission(ctx, &model.UpdatePermissionInput{
-			ID:       perm.ID,
-			ScopeIds: []string{writeScope.ID},
-		})
-		require.NoError(t, err)
-
-		assert.False(t, check(t, "inv-read"), "cached allow must be invalidated after scope removed")
-		assert.True(t, check(t, "inv-write"), "cached deny must be invalidated after scope added")
-	})
-
-	t.Run("delete permission flips cached allow back to deny", func(t *testing.T) {
-		perm, err := ts.GraphQLProvider.AuthzAddPermission(ctx, &model.AddPermissionInput{
-			Name:       "inv-delete-perm",
-			ResourceID: resource.ID,
-			ScopeIds:   []string{readScope.ID},
-			PolicyIds:  []string{policy.ID},
-		})
-		require.NoError(t, err)
-		require.True(t, check(t, "inv-read"), "precondition: inv-read allowed before delete")
-
-		_, err = ts.GraphQLProvider.AuthzDeletePermission(ctx, perm.ID)
-		require.NoError(t, err)
-
-		assert.False(t, check(t, "inv-read"), "cached allow must be invalidated after permission deletion")
-	})
-
-	t.Run("delete resource invalidates downstream cache", func(t *testing.T) {
-		// Fresh resource so the deletion doesn't disturb the outer fixtures.
-		tmpResource, err := ts.GraphQLProvider.AuthzAddResource(ctx, &model.AddResourceInput{Name: "inv-tmp"})
-		require.NoError(t, err)
-		perm, err := ts.GraphQLProvider.AuthzAddPermission(ctx, &model.AddPermissionInput{
-			Name:       "inv-tmp-perm",
-			ResourceID: tmpResource.ID,
-			ScopeIds:   []string{readScope.ID},
-			PolicyIds:  []string{policy.ID},
-		})
-		require.NoError(t, err)
-
-		res, err := ts.Authz.CheckPermission(context.Background(), principal, "inv-tmp", "inv-read")
-		require.NoError(t, err)
-		require.True(t, res.Allowed, "precondition: granted before resource delete")
-
-		// Cascade-delete the permission first (Postgres FK + Mongo lookup
-		// reasons), then drop the resource.
-		_, err = ts.GraphQLProvider.AuthzDeletePermission(ctx, perm.ID)
-		require.NoError(t, err)
-		_, err = ts.GraphQLProvider.AuthzDeleteResource(ctx, tmpResource.ID)
-		require.NoError(t, err)
-
-		// Re-check — the cached allow must be gone (DeletePermission already
-		// invalidates; this assertion guards against a future regression
-		// where DeleteResource forgets to invalidate.)
-		res, err = ts.Authz.CheckPermission(context.Background(), principal, "inv-tmp", "inv-read")
-		require.NoError(t, err)
-		assert.False(t, res.Allowed, "cached allow must be invalidated after resource deletion")
-	})
-}
diff --git a/internal/integration_tests/authz_pagination_test.go b/internal/integration_tests/authz_pagination_test.go
deleted file mode 100644
index dd5c37f3..00000000
--- a/internal/integration_tests/authz_pagination_test.go
+++ /dev/null
@@ -1,220 +0,0 @@
-package integration_tests
-
-import (
-	"fmt"
-	"testing"
-
-	"github.com/google/uuid"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	"github.com/authorizerdev/authorizer/internal/constants"
-	"github.com/authorizerdev/authorizer/internal/crypto"
-	"github.com/authorizerdev/authorizer/internal/graph/model"
-)
-
-// TestAuthzListPagination_AdminQueries seeds N rows of each FGA entity and
-// asserts the four list resolvers (Resources / Scopes / Policies /
-// Permissions) honor limit, page, offset, and total. Each subtest exercises
-// page 1 + page 2 + an over-the-end page to confirm offset math and that
-// total reflects the full row count regardless of the returned slice size.
-func TestAuthzListPagination_AdminQueries(t *testing.T) {
-	cfg := getTestConfig()
-	ts := initTestSetup(t, cfg)
-	req, ctx := createContext(ts)
-
-	adminHash, err := crypto.EncryptPassword(cfg.AdminSecret)
-	require.NoError(t, err)
-	req.Header.Set("Cookie", fmt.Sprintf("%s=%s", constants.AdminCookieName, adminHash))
-	t.Cleanup(func() { req.Header.Del("Cookie") })
-
-	// Unique prefix isolates this test's fixtures from other tests in the
-	// same test binary (which all share an SQLite DB inside t.TempDir()).
-	prefix := "page-" + uuid.New().String()[:8] + "-"
-	const seedCount = 5
-	resourceIDs := make([]string, 0, seedCount)
-	scopeIDs := make([]string, 0, seedCount)
-	policyIDs := make([]string, 0, seedCount)
-	permissionIDs := make([]string, 0, seedCount)
-
-	for i := 0; i < seedCount; i++ {
-		res, err := ts.GraphQLProvider.AuthzAddResource(ctx, &model.AddResourceInput{
-			Name: fmt.Sprintf("%sresource-%d", prefix, i),
-		})
-		require.NoError(t, err)
-		resourceIDs = append(resourceIDs, res.ID)
-
-		scope, err := ts.GraphQLProvider.AuthzAddScope(ctx, &model.AddScopeInput{
-			Name: fmt.Sprintf("%sscope-%d", prefix, i),
-		})
-		require.NoError(t, err)
-		scopeIDs = append(scopeIDs, scope.ID)
-
-		pol, err := ts.GraphQLProvider.AuthzAddPolicy(ctx, &model.AddPolicyInput{
-			Name: fmt.Sprintf("%spolicy-%d", prefix, i),
-			Type: "role",
-			Targets: []*model.PolicyTargetInput{
-				{TargetType: "role", TargetValue: "user"},
-			},
-		})
-		require.NoError(t, err)
-		policyIDs = append(policyIDs, pol.ID)
-
-		perm, err := ts.GraphQLProvider.AuthzAddPermission(ctx, &model.AddPermissionInput{
-			Name:       fmt.Sprintf("%spermission-%d", prefix, i),
-			ResourceID: res.ID,
-			ScopeIds:   []string{scope.ID},
-			PolicyIds:  []string{pol.ID},
-		})
-		require.NoError(t, err)
-		permissionIDs = append(permissionIDs, perm.ID)
-	}
-
-	// page1 + page2 + over-the-end behavior is symmetric across the four
-	// resolvers, so each subtest below makes the same three assertions
-	// against a different list endpoint.
-
-	t.Run("resources pagination", func(t *testing.T) {
-		page1, err := ts.GraphQLProvider.AuthzResources(ctx, &model.PaginatedRequest{
-			Pagination: &model.PaginationRequest{Limit: ptrInt64(2), Page: ptrInt64(1)},
-		})
-		require.NoError(t, err)
-		require.NotNil(t, page1)
-		require.NotNil(t, page1.Pagination)
-		assert.Equal(t, int64(2), page1.Pagination.Limit, "limit echoes input")
-		assert.Equal(t, int64(1), page1.Pagination.Page, "page echoes input")
-		assert.Equal(t, int64(0), page1.Pagination.Offset, "page 1 offset = 0")
-		assert.GreaterOrEqual(t, page1.Pagination.Total, int64(seedCount), "total must include all seeded rows")
-		assert.Len(t, page1.Resources, 2, "page 1 returns Limit items")
-
-		page2, err := ts.GraphQLProvider.AuthzResources(ctx, &model.PaginatedRequest{
-			Pagination: &model.PaginationRequest{Limit: ptrInt64(2), Page: ptrInt64(2)},
-		})
-		require.NoError(t, err)
-		assert.Equal(t, int64(2), page2.Pagination.Offset, "page 2 offset = (page-1)*limit")
-		assert.Len(t, page2.Resources, 2, "page 2 returns Limit items")
-		assertNoOverlap(t, idsOf(page1.Resources), idsOf(page2.Resources))
-
-		// Page far past the end returns zero items but the total is still
-		// the full row count.
-		pageEnd, err := ts.GraphQLProvider.AuthzResources(ctx, &model.PaginatedRequest{
-			Pagination: &model.PaginationRequest{Limit: ptrInt64(2), Page: ptrInt64(100)},
-		})
-		require.NoError(t, err)
-		assert.Empty(t, pageEnd.Resources, "page past the end is empty")
-		assert.Equal(t, page1.Pagination.Total, pageEnd.Pagination.Total, "total is invariant across pages")
-	})
-
-	t.Run("scopes pagination", func(t *testing.T) {
-		page1, err := ts.GraphQLProvider.AuthzScopes(ctx, &model.PaginatedRequest{
-			Pagination: &model.PaginationRequest{Limit: ptrInt64(2), Page: ptrInt64(1)},
-		})
-		require.NoError(t, err)
-		require.NotNil(t, page1)
-		require.NotNil(t, page1.Pagination)
-		assert.Equal(t, int64(2), page1.Pagination.Limit)
-		assert.Equal(t, int64(0), page1.Pagination.Offset)
-		assert.GreaterOrEqual(t, page1.Pagination.Total, int64(seedCount))
-		assert.Len(t, page1.Scopes, 2)
-
-		page2, err := ts.GraphQLProvider.AuthzScopes(ctx, &model.PaginatedRequest{
-			Pagination: &model.PaginationRequest{Limit: ptrInt64(2), Page: ptrInt64(2)},
-		})
-		require.NoError(t, err)
-		assert.Equal(t, int64(2), page2.Pagination.Offset)
-		assert.Len(t, page2.Scopes, 2)
-		assertNoOverlap(t, scopeIdsOf(page1.Scopes), scopeIdsOf(page2.Scopes))
-	})
-
-	t.Run("policies pagination", func(t *testing.T) {
-		page1, err := ts.GraphQLProvider.AuthzPolicies(ctx, &model.PaginatedRequest{
-			Pagination: &model.PaginationRequest{Limit: ptrInt64(2), Page: ptrInt64(1)},
-		})
-		require.NoError(t, err)
-		require.NotNil(t, page1)
-		assert.Equal(t, int64(0), page1.Pagination.Offset)
-		assert.GreaterOrEqual(t, page1.Pagination.Total, int64(seedCount))
-		assert.Len(t, page1.Policies, 2)
-
-		page2, err := ts.GraphQLProvider.AuthzPolicies(ctx, &model.PaginatedRequest{
-			Pagination: &model.PaginationRequest{Limit: ptrInt64(2), Page: ptrInt64(2)},
-		})
-		require.NoError(t, err)
-		assert.Equal(t, int64(2), page2.Pagination.Offset)
-		assert.Len(t, page2.Policies, 2)
-		assertNoOverlap(t, policyIdsOf(page1.Policies), policyIdsOf(page2.Policies))
-	})
-
-	t.Run("permissions pagination", func(t *testing.T) {
-		page1, err := ts.GraphQLProvider.AuthzPermissions(ctx, &model.PaginatedRequest{
-			Pagination: &model.PaginationRequest{Limit: ptrInt64(2), Page: ptrInt64(1)},
-		})
-		require.NoError(t, err)
-		require.NotNil(t, page1)
-		assert.Equal(t, int64(0), page1.Pagination.Offset)
-		assert.GreaterOrEqual(t, page1.Pagination.Total, int64(seedCount))
-		assert.Len(t, page1.Permissions, 2)
-
-		page2, err := ts.GraphQLProvider.AuthzPermissions(ctx, &model.PaginatedRequest{
-			Pagination: &model.PaginationRequest{Limit: ptrInt64(2), Page: ptrInt64(2)},
-		})
-		require.NoError(t, err)
-		assert.Equal(t, int64(2), page2.Pagination.Offset)
-		assert.Len(t, page2.Permissions, 2)
-		assertNoOverlap(t, permissionIdsOf(page1.Permissions), permissionIdsOf(page2.Permissions))
-	})
-
-	// Touch the seeded IDs so the linter sees them as used even if a future
-	// edit drops a subtest. They're meaningful as fixture witnesses.
-	_ = resourceIDs
-	_ = scopeIDs
-	_ = policyIDs
-	_ = permissionIDs
-}
-
-func ptrInt64(v int64) *int64 { return &v }
-
-func idsOf(items []*model.AuthzResource) []string {
-	ids := make([]string, len(items))
-	for i, x := range items {
-		ids[i] = x.ID
-	}
-	return ids
-}
-
-func scopeIdsOf(items []*model.AuthzScope) []string {
-	ids := make([]string, len(items))
-	for i, x := range items {
-		ids[i] = x.ID
-	}
-	return ids
-}
-
-func policyIdsOf(items []*model.AuthzPolicy) []string {
-	ids := make([]string, len(items))
-	for i, x := range items {
-		ids[i] = x.ID
-	}
-	return ids
-}
-
-func permissionIdsOf(items []*model.AuthzPermission) []string {
-	ids := make([]string, len(items))
-	for i, x := range items {
-		ids[i] = x.ID
-	}
-	return ids
-}
-
-func assertNoOverlap(t *testing.T, a, b []string) {
-	t.Helper()
-	set := make(map[string]struct{}, len(a))
-	for _, id := range a {
-		set[id] = struct{}{}
-	}
-	for _, id := range b {
-		if _, ok := set[id]; ok {
-			t.Errorf("page 2 contains ID %q that already appeared on page 1", id)
-		}
-	}
-}
diff --git a/internal/integration_tests/fga_test.go b/internal/integration_tests/fga_test.go
new file mode 100644
index 00000000..f5841e32
--- /dev/null
+++ b/internal/integration_tests/fga_test.go
@@ -0,0 +1,350 @@
+package integration_tests
+
+import (
+	"fmt"
+	"net/http/httptest"
+	"testing"
+
+	"github.com/gin-gonic/gin"
+	"github.com/google/uuid"
+	"github.com/rs/zerolog"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/authorizerdev/authorizer/internal/audit"
+	"github.com/authorizerdev/authorizer/internal/authenticators"
+	"github.com/authorizerdev/authorizer/internal/authorization/engine"
+	fgaengine "github.com/authorizerdev/authorizer/internal/authorization/engine/openfga"
+	"github.com/authorizerdev/authorizer/internal/config"
+	"github.com/authorizerdev/authorizer/internal/constants"
+	"github.com/authorizerdev/authorizer/internal/crypto"
+	"github.com/authorizerdev/authorizer/internal/email"
+	"github.com/authorizerdev/authorizer/internal/events"
+	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/graphql"
+	"github.com/authorizerdev/authorizer/internal/http_handlers"
+	"github.com/authorizerdev/authorizer/internal/memory_store"
+	"github.com/authorizerdev/authorizer/internal/oauth"
+	"github.com/authorizerdev/authorizer/internal/rate_limit"
+	"github.com/authorizerdev/authorizer/internal/sms"
+	"github.com/authorizerdev/authorizer/internal/storage"
+	"github.com/authorizerdev/authorizer/internal/token"
+)
+
+// fgaTestModel is a minimal ReBAC model used to exercise the FGA GraphQL surface.
+const fgaTestModel = `model
+  schema 1.1
+type user
+type document
+  relations
+    define viewer: [user]
+    define can_view: viewer
+`
+
+// initFGATestSetup mirrors initTestSetup but injects an embedded OpenFGA engine
+// (memory store) into both the GraphQL and HTTP providers, so the runtime/admin
+// FGA resolvers are routed.
+func initFGATestSetup(t *testing.T, cfg *config.Config) (*testSetup, engine.AuthorizationEngine) {
+	logger := zerolog.New(zerolog.NewTestWriter(t)).With().Timestamp().Logger()
+
+	cfg.DatabaseURL = t.TempDir() + "/authorizer_fga.db"
+
+	storageProvider, err := storage.New(cfg, &storage.Dependencies{Log: &logger})
+	require.NoError(t, err)
+
+	authProvider, err := authenticators.New(cfg, &authenticators.Dependencies{Log: &logger, StorageProvider: storageProvider})
+	require.NoError(t, err)
+	emailProvider, err := email.New(cfg, &email.Dependencies{Log: &logger, StorageProvider: storageProvider})
+	require.NoError(t, err)
+	eventsProvider, err := events.New(cfg, &events.Dependencies{Log: &logger, StorageProvider: storageProvider})
+	require.NoError(t, err)
+	memoryStoreProvider, err := memory_store.New(cfg, &memory_store.Dependencies{Log: &logger})
+	require.NoError(t, err)
+	smsProvider, err := sms.New(cfg, &sms.Dependencies{Log: &logger})
+	require.NoError(t, err)
+	tokenProvider, err := token.New(cfg, &token.Dependencies{Log: &logger, MemoryStoreProvider: memoryStoreProvider})
+	require.NoError(t, err)
+	rateLimitProvider, err := rate_limit.New(cfg, &rate_limit.Dependencies{Log: &logger})
+	require.NoError(t, err)
+	oauthProvider, err := oauth.New(cfg, &oauth.Dependencies{Log: &logger})
+	require.NoError(t, err)
+	auditProvider := audit.New(&audit.Dependencies{Log: &logger, StorageProvider: storageProvider})
+
+	// Embedded OpenFGA engine with an in-memory store (dev/test only).
+	fgaEngine, err := fgaengine.New(
+		&fgaengine.Config{Store: fgaengine.StoreMemory, StoreName: "authorizer-test"},
+		&fgaengine.Dependencies{Log: &logger},
+	)
+	require.NoError(t, err)
+
+	gqlProvider, err := graphql.New(cfg, &graphql.Dependencies{
+		Log:                   &logger,
+		AuditProvider:         auditProvider,
+		AuthenticatorProvider: authProvider,
+		EmailProvider:         emailProvider,
+		EventsProvider:        eventsProvider,
+		MemoryStoreProvider:   memoryStoreProvider,
+		SMSProvider:           smsProvider,
+		StorageProvider:       storageProvider,
+		TokenProvider:         tokenProvider,
+		AuthzEngine:           fgaEngine,
+	})
+	require.NoError(t, err)
+
+	httpProvider, err := http_handlers.New(cfg, &http_handlers.Dependencies{
+		Log:                   &logger,
+		AuditProvider:         auditProvider,
+		AuthenticatorProvider: authProvider,
+		EmailProvider:         emailProvider,
+		EventsProvider:        eventsProvider,
+		MemoryStoreProvider:   memoryStoreProvider,
+		SMSProvider:           smsProvider,
+		StorageProvider:       storageProvider,
+		TokenProvider:         tokenProvider,
+		RateLimitProvider:     rateLimitProvider,
+		OAuthProvider:         oauthProvider,
+		AuthzEngine:           fgaEngine,
+	})
+	require.NoError(t, err)
+
+	w := httptest.NewRecorder()
+	ctx, r := gin.CreateTestContext(w)
+	r.Use(httpProvider.CORSMiddleware())
+	r.Use(httpProvider.ContextMiddleware())
+	r.Use(httpProvider.LoggerMiddleware())
+	r.POST("/graphql", httpProvider.GraphqlHandler())
+	server := httptest.NewServer(r)
+
+	t.Cleanup(func() {
+		server.Close()
+		if closer, ok := fgaEngine.(interface{ Close() }); ok {
+			closer.Close()
+		}
+		if storageProvider != nil {
+			if err := storageProvider.Close(); err != nil {
+				t.Logf("close storage provider: %v", err)
+			}
+		}
+	})
+
+	return &testSetup{
+		GraphQLProvider:       gqlProvider,
+		HttpProvider:          httpProvider,
+		HttpServer:            server,
+		Config:                cfg,
+		Logger:                &logger,
+		GinContext:            ctx,
+		StorageProvider:       storageProvider,
+		MemoryStoreProvider:   memoryStoreProvider,
+		AuthenticatorProvider: authProvider,
+		TokenProvider:         tokenProvider,
+	}, fgaEngine
+}
+
+// setAdminCookie authenticates the current gin request as super admin.
+func setAdminCookie(t *testing.T, ts *testSetup) {
+	h, err := crypto.EncryptPassword(ts.Config.AdminSecret)
+	require.NoError(t, err)
+	ts.GinContext.Request.Header.Set("Cookie", fmt.Sprintf("%s=%s", constants.AdminCookieName, h))
+}
+
+// clearCookies removes all cookies from the current gin request.
+func clearCookies(ts *testSetup) {
+	ts.GinContext.Request.Header.Del("Cookie")
+}
+
+func TestFGA(t *testing.T) {
+	cfg := getTestConfig()
+	cfg.AuthorizationEngine = "fga"
+	ts, eng := initFGATestSetup(t, cfg)
+	req, ctx := createContext(ts)
+
+	// Create + log in a regular user; their token sub is the principal.
+	email := "fga_test_" + uuid.New().String() + "@authorizer.dev"
+	password := "Password@123"
+	_, err := ts.GraphQLProvider.SignUp(ctx, &model.SignUpRequest{
+		Email: &email, Password: password, ConfirmPassword: password,
+	})
+	require.NoError(t, err)
+	loginRes, err := ts.GraphQLProvider.Login(ctx, &model.LoginRequest{Email: &email, Password: password})
+	require.NoError(t, err)
+	require.NotNil(t, loginRes)
+	userID := loginRes.User.ID
+	sessionToken := latestAppSessionCookie(ts)
+	require.NotEmpty(t, sessionToken)
+
+	// ---- Admin: write the authorization model. ----
+	t.Run("_fga_write_model requires super admin", func(t *testing.T) {
+		clearCookies(ts)
+		res, err := ts.GraphQLProvider.FgaWriteModel(ctx, &model.FgaWriteModelInput{Dsl: fgaTestModel})
+		assert.Error(t, err)
+		assert.Nil(t, res)
+	})
+
+	setAdminCookie(t, ts)
+	modelRes, err := ts.GraphQLProvider.FgaWriteModel(ctx, &model.FgaWriteModelInput{Dsl: fgaTestModel})
+	require.NoError(t, err)
+	require.NotNil(t, modelRes)
+	require.NotEmpty(t, modelRes.ID)
+
+	// ---- Admin: write tuples granting THIS user viewer on document:1 only. ----
+	_, err = ts.GraphQLProvider.FgaWriteTuples(ctx, &model.FgaWriteTuplesInput{
+		Tuples: []*model.FgaTupleInput{
+			{User: "user:" + userID, Relation: "viewer", Object: "document:1"},
+		},
+	})
+	require.NoError(t, err)
+
+	// ---- Admin: read tuples back. ----
+	t.Run("_fga_read_tuples returns written tuple", func(t *testing.T) {
+		tuplesRes, err := ts.GraphQLProvider.FgaReadTuples(ctx, &model.FgaReadTuplesInput{})
+		require.NoError(t, err)
+		require.NotNil(t, tuplesRes)
+		found := false
+		for _, tup := range tuplesRes.Tuples {
+			if tup.User == "user:"+userID && tup.Relation == "viewer" && tup.Object == "document:1" {
+				found = true
+			}
+		}
+		assert.True(t, found, "written tuple should be readable")
+	})
+
+	// Switch back to the user's session for runtime calls.
+	// Drop the admin cookie; runtime resolvers pin the principal from the
+	// session/access token, NOT the admin cookie.
+	clearCookies(ts)
+	ts.GinContext.Request.Header.Set("Cookie", fmt.Sprintf("%s_session=%s", constants.AppCookieName, sessionToken))
+
+	// ---- Runtime: fga_check allow (principal pinned to the caller). ----
+	t.Run("fga_check allows owner on granted object", func(t *testing.T) {
+		res, err := ts.GraphQLProvider.FgaCheck(ctx, &model.FgaCheckInput{
+			Relation: "can_view", Object: "document:1",
+		})
+		require.NoError(t, err)
+		require.NotNil(t, res)
+		assert.True(t, res.Allowed)
+	})
+
+	// ---- Runtime: fga_check deny on a non-granted object. ----
+	t.Run("fga_check denies on ungranted object", func(t *testing.T) {
+		res, err := ts.GraphQLProvider.FgaCheck(ctx, &model.FgaCheckInput{
+			Relation: "can_view", Object: "document:2",
+		})
+		require.NoError(t, err)
+		require.NotNil(t, res)
+		assert.False(t, res.Allowed)
+	})
+
+	// ---- Runtime: PRINCIPAL PINNING — client cannot ask about another user. ----
+	t.Run("fga_check pins principal to caller (no impersonation)", func(t *testing.T) {
+		// Grant a DIFFERENT user viewer on document:3.
+		setAdminCookie(t, ts)
+		_, err := ts.GraphQLProvider.FgaWriteTuples(ctx, &model.FgaWriteTuplesInput{
+			Tuples: []*model.FgaTupleInput{
+				{User: "user:someone-else", Relation: "viewer", Object: "document:3"},
+			},
+		})
+		require.NoError(t, err)
+		clearCookies(ts)
+		ts.GinContext.Request.Header.Set("Cookie", fmt.Sprintf("%s_session=%s", constants.AppCookieName, sessionToken))
+
+		// The caller (who is NOT someone-else) must be denied on document:3.
+		// There is no client-supplied "user" field, so impersonation is impossible.
+		res, err := ts.GraphQLProvider.FgaCheck(ctx, &model.FgaCheckInput{
+			Relation: "can_view", Object: "document:3",
+		})
+		require.NoError(t, err)
+		require.NotNil(t, res)
+		assert.False(t, res.Allowed, "caller must not inherit another user's grant")
+	})
+
+	// ---- Runtime: fga_list_objects returns only the caller's objects. ----
+	t.Run("fga_list_objects returns granted objects for caller", func(t *testing.T) {
+		res, err := ts.GraphQLProvider.FgaListObjects(ctx, &model.FgaListObjectsInput{
+			Relation: "can_view", ObjectType: "document",
+		})
+		require.NoError(t, err)
+		require.NotNil(t, res)
+		assert.Contains(t, res.Objects, "document:1")
+		assert.NotContains(t, res.Objects, "document:3")
+	})
+
+	// ---- Runtime: fga_batch_check. ----
+	t.Run("fga_batch_check positional allow/deny", func(t *testing.T) {
+		res, err := ts.GraphQLProvider.FgaBatchCheck(ctx, &model.FgaBatchCheckInput{
+			Checks: []*model.FgaCheckPairInput{
+				{Relation: "can_view", Object: "document:1"},
+				{Relation: "can_view", Object: "document:2"},
+			},
+		})
+		require.NoError(t, err)
+		require.Len(t, res.Results, 2)
+		assert.True(t, res.Results[0].Allowed)
+		assert.False(t, res.Results[1].Allowed)
+	})
+
+	// ---- Phase 4: validate_session honors required_relations. ----
+	t.Run("validate_session passes when required relation is satisfied", func(t *testing.T) {
+		res, err := ts.GraphQLProvider.ValidateSession(ctx, &model.ValidateSessionRequest{
+			Cookie: sessionToken,
+			RequiredRelations: []*model.FgaRelationInput{
+				{Relation: "can_view", Object: "document:1"},
+			},
+		})
+		require.NoError(t, err)
+		require.NotNil(t, res)
+		assert.True(t, res.IsValid)
+	})
+
+	t.Run("validate_session fails when required relation is not satisfied", func(t *testing.T) {
+		res, err := ts.GraphQLProvider.ValidateSession(ctx, &model.ValidateSessionRequest{
+			Cookie: sessionToken,
+			RequiredRelations: []*model.FgaRelationInput{
+				{Relation: "can_view", Object: "document:2"},
+			},
+		})
+		assert.Error(t, err)
+		assert.Nil(t, res)
+	})
+
+	_ = req
+	_ = eng
+}
+
+// TestFGADisabled asserts fail-closed behavior when no engine is configured.
+func TestFGADisabled(t *testing.T) {
+	cfg := getTestConfig()
+	ts := initTestSetup(t, cfg) // no AuthzEngine wired
+	_, ctx := createContext(ts)
+
+	t.Run("fga_check errors when engine not enabled", func(t *testing.T) {
+		res, err := ts.GraphQLProvider.FgaCheck(ctx, &model.FgaCheckInput{
+			Relation: "can_view", Object: "document:1",
+		})
+		assert.Error(t, err)
+		assert.Nil(t, res)
+		assert.Contains(t, err.Error(), "fine-grained authorization is not enabled")
+	})
+
+	t.Run("validate_session errors when required_relations set but engine disabled", func(t *testing.T) {
+		email := "fga_disabled_" + uuid.New().String() + "@authorizer.dev"
+		password := "Password@123"
+		_, err := ts.GraphQLProvider.SignUp(ctx, &model.SignUpRequest{
+			Email: &email, Password: password, ConfirmPassword: password,
+		})
+		require.NoError(t, err)
+		_, err = ts.GraphQLProvider.Login(ctx, &model.LoginRequest{Email: &email, Password: password})
+		require.NoError(t, err)
+		sessionToken := latestAppSessionCookie(ts)
+		require.NotEmpty(t, sessionToken)
+
+		res, err := ts.GraphQLProvider.ValidateSession(ctx, &model.ValidateSessionRequest{
+			Cookie: sessionToken,
+			RequiredRelations: []*model.FgaRelationInput{
+				{Relation: "can_view", Object: "document:1"},
+			},
+		})
+		assert.Error(t, err)
+		assert.Nil(t, res)
+	})
+}
diff --git a/internal/integration_tests/metrics_test.go b/internal/integration_tests/metrics_test.go
index 50d2e6bd..2f83a8ad 100644
--- a/internal/integration_tests/metrics_test.go
+++ b/internal/integration_tests/metrics_test.go
@@ -300,35 +300,6 @@ func TestRecordAuthEventHelpers(t *testing.T) {
 	})
 }
 
-// TestMetrics_AuthzCollectorsRegistered verifies the FGA authz collectors
-// (checks total, unmatched total, and check duration histogram) are registered
-// with the default Prometheus registry and appear in the scrape output once
-// incremented. It also asserts the low-cardinality label values are exactly
-// the package constants.
-func TestMetrics_AuthzCollectorsRegistered(t *testing.T) {
-	cfg := getTestConfig()
-	ts := initTestSetup(t, cfg)
-
-	router := gin.New()
-	router.GET("/metrics", ts.HttpProvider.MetricsHandler())
-
-	// Bump each collector once so it appears in scrape output.
-	metrics.RecordAuthzCheck(metrics.AuthzResultUnmatched)
-	metrics.RecordAuthzUnmatched()
-	metrics.AuthzCheckDuration.Observe(0.001)
-
-	w := httptest.NewRecorder()
-	req, err := http.NewRequest(http.MethodGet, "/metrics", nil)
-	require.NoError(t, err)
-	router.ServeHTTP(w, req)
-
-	body := w.Body.String()
-	require.Contains(t, body, "authorizer_authz_checks_total")
-	require.Contains(t, body, "authorizer_authz_unmatched_total")
-	require.Contains(t, body, "authorizer_authz_check_duration_seconds")
-	require.Contains(t, body, `result="unmatched"`)
-}
-
 // TestAdminLoginMetrics verifies admin login records metrics.
 func TestAdminLoginMetrics(t *testing.T) {
 	cfg := getTestConfig()
diff --git a/internal/integration_tests/permissions_test.go b/internal/integration_tests/permissions_test.go
deleted file mode 100644
index 6cba1fb1..00000000
--- a/internal/integration_tests/permissions_test.go
+++ /dev/null
@@ -1,119 +0,0 @@
-package integration_tests
-
-import (
-	"fmt"
-	"sort"
-	"testing"
-
-	"github.com/google/uuid"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	"github.com/authorizerdev/authorizer/internal/constants"
-	"github.com/authorizerdev/authorizer/internal/crypto"
-	"github.com/authorizerdev/authorizer/internal/graph/model"
-)
-
-// TestPermissions exercises the permissions query end-to-end. It seeds a
-// policy graph as admin, signs up a regular user, logs them in, and asserts the
-// flat (resource, scope) list returned by permissions matches what the
-// "user" role is granted via the policy targets — and that scopes attached to
-// roles the principal does not hold are excluded.
-func TestPermissions(t *testing.T) {
-	cfg := getTestConfig()
-	ts := initTestSetup(t, cfg)
-	req, ctx := createContext(ts)
-
-	// Authenticate as admin to seed the FGA graph.
-	adminHash, err := crypto.EncryptPassword(cfg.AdminSecret)
-	require.NoError(t, err)
-	req.Header.Set("Cookie", fmt.Sprintf("%s=%s", constants.AdminCookieName, adminHash))
-
-	docs, err := ts.GraphQLProvider.AuthzAddResource(ctx, &model.AddResourceInput{Name: "docs"})
-	require.NoError(t, err)
-	billing, err := ts.GraphQLProvider.AuthzAddResource(ctx, &model.AddResourceInput{Name: "billing"})
-	require.NoError(t, err)
-
-	read, err := ts.GraphQLProvider.AuthzAddScope(ctx, &model.AddScopeInput{Name: "read"})
-	require.NoError(t, err)
-	write, err := ts.GraphQLProvider.AuthzAddScope(ctx, &model.AddScopeInput{Name: "write"})
-	require.NoError(t, err)
-
-	userPolicy, err := ts.GraphQLProvider.AuthzAddPolicy(ctx, &model.AddPolicyInput{
-		Name: "my-perms-user-role",
-		Type: "role",
-		Targets: []*model.PolicyTargetInput{
-			{TargetType: "role", TargetValue: "user"},
-		},
-	})
-	require.NoError(t, err)
-	adminPolicy, err := ts.GraphQLProvider.AuthzAddPolicy(ctx, &model.AddPolicyInput{
-		Name: "my-perms-admin-role",
-		Type: "role",
-		Targets: []*model.PolicyTargetInput{
-			{TargetType: "role", TargetValue: "admin"},
-		},
-	})
-	require.NoError(t, err)
-
-	// user role can read docs and read billing; admin role can write docs.
-	// The signed-up user has role "user" only, so they must see exactly two
-	// (resource, scope) pairs and NOT docs:write.
-	_, err = ts.GraphQLProvider.AuthzAddPermission(ctx, &model.AddPermissionInput{
-		Name:       "my-perms-docs-read",
-		ResourceID: docs.ID,
-		ScopeIds:   []string{read.ID},
-		PolicyIds:  []string{userPolicy.ID},
-	})
-	require.NoError(t, err)
-	_, err = ts.GraphQLProvider.AuthzAddPermission(ctx, &model.AddPermissionInput{
-		Name:       "my-perms-billing-read",
-		ResourceID: billing.ID,
-		ScopeIds:   []string{read.ID},
-		PolicyIds:  []string{userPolicy.ID},
-	})
-	require.NoError(t, err)
-	_, err = ts.GraphQLProvider.AuthzAddPermission(ctx, &model.AddPermissionInput{
-		Name:       "my-perms-docs-write",
-		ResourceID: docs.ID,
-		ScopeIds:   []string{write.ID},
-		PolicyIds:  []string{adminPolicy.ID},
-	})
-	require.NoError(t, err)
-
-	req.Header.Del("Cookie")
-
-	password := "Password@123"
-	signupEmail := "my_perms_" + uuid.New().String() + "@authorizer.dev"
-	_, err = ts.GraphQLProvider.SignUp(ctx, &model.SignUpRequest{
-		Email:           &signupEmail,
-		Password:        password,
-		ConfirmPassword: password,
-	})
-	require.NoError(t, err)
-	_, err = ts.GraphQLProvider.Login(ctx, &model.LoginRequest{
-		Email:    &signupEmail,
-		Password: password,
-	})
-	require.NoError(t, err)
-
-	// Use the freshly minted session cookie so permissions resolves the
-	// caller via the standard session-cookie path.
-	sessionToken, _ := captureTokens(t, ts)
-	req.Header.Set("Cookie", fmt.Sprintf("%s=%s", constants.AppCookieName+"_session", sessionToken))
-	t.Cleanup(func() { req.Header.Del("Cookie") })
-
-	perms, err := ts.GraphQLProvider.Permissions(ctx)
-	require.NoError(t, err)
-	require.NotNil(t, perms)
-
-	got := make([]string, 0, len(perms))
-	for _, p := range perms {
-		require.NotNil(t, p)
-		got = append(got, p.Resource+":"+p.Scope)
-	}
-	sort.Strings(got)
-
-	want := []string{"billing:read", "docs:read"}
-	assert.Equal(t, want, got, "permissions must return the user-role grants and exclude admin-only docs:write")
-}
diff --git a/internal/integration_tests/required_permissions_test.go b/internal/integration_tests/required_permissions_test.go
deleted file mode 100644
index b6866c91..00000000
--- a/internal/integration_tests/required_permissions_test.go
+++ /dev/null
@@ -1,276 +0,0 @@
-package integration_tests
-
-import (
-	"fmt"
-	"strings"
-	"testing"
-
-	"github.com/authorizerdev/authorizer/internal/constants"
-	"github.com/authorizerdev/authorizer/internal/crypto"
-	"github.com/authorizerdev/authorizer/internal/graph/model"
-	"github.com/authorizerdev/authorizer/internal/metrics"
-	"github.com/google/uuid"
-	"github.com/prometheus/client_golang/prometheus/testutil"
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-)
-
-// captureTokens returns the most recent session and access tokens from the
-// in-memory store. Helper for tests that need to read tokens minted by Login.
-func captureTokens(t *testing.T, ts *testSetup) (sessionToken, accessToken string) {
-	t.Helper()
-	allData, err := ts.MemoryStoreProvider.GetAllData()
-	require.NoError(t, err)
-	for k, v := range allData {
-		switch {
-		case strings.Contains(k, constants.TokenTypeSessionToken):
-			sessionToken = v
-		case strings.Contains(k, constants.TokenTypeAccessToken):
-			accessToken = v
-		}
-	}
-	require.NotEmpty(t, sessionToken, "session token must be present")
-	require.NotEmpty(t, accessToken, "access token must be present")
-	return sessionToken, accessToken
-}
-
-// TestRequiredPermissions verifies the new optional required_permissions field
-// on session, validate_jwt_token, and validate_session. It also asserts the
-// backward-compatible path (callers that omit the field see no change).
-func TestRequiredPermissions(t *testing.T) {
-	cfg := getTestConfig()
-	ts := initTestSetup(t, cfg)
-	req, ctx := createContext(ts)
-
-	// Seed an authz permission as admin: docs:read granted to the "user"
-	// role. The default signup assigns "user" role.
-	adminHash, err := crypto.EncryptPassword(cfg.AdminSecret)
-	require.NoError(t, err)
-	req.Header.Set("Cookie", fmt.Sprintf("%s=%s", constants.AdminCookieName, adminHash))
-
-	resource, err := ts.GraphQLProvider.AuthzAddResource(ctx, &model.AddResourceInput{Name: "docs"})
-	require.NoError(t, err)
-
-	scope, err := ts.GraphQLProvider.AuthzAddScope(ctx, &model.AddScopeInput{Name: "read"})
-	require.NoError(t, err)
-
-	policy, err := ts.GraphQLProvider.AuthzAddPolicy(ctx, &model.AddPolicyInput{
-		Name: "user-role-can-read",
-		Type: "role",
-		Targets: []*model.PolicyTargetInput{
-			{TargetType: "role", TargetValue: "user"},
-		},
-	})
-	require.NoError(t, err)
-
-	_, err = ts.GraphQLProvider.AuthzAddPermission(ctx, &model.AddPermissionInput{
-		Name:       "docs-read",
-		ResourceID: resource.ID,
-		ScopeIds:   []string{scope.ID},
-		PolicyIds:  []string{policy.ID},
-	})
-	require.NoError(t, err)
-
-	req.Header.Del("Cookie")
-
-	password := "Password@123"
-	signupEmail := "required_perms_" + uuid.New().String() + "@authorizer.dev"
-	_, err = ts.GraphQLProvider.SignUp(ctx, &model.SignUpRequest{
-		Email:           &signupEmail,
-		Password:        password,
-		ConfirmPassword: password,
-	})
-	require.NoError(t, err)
-
-	login := func(t *testing.T) {
-		t.Helper()
-		_, err := ts.GraphQLProvider.Login(ctx, &model.LoginRequest{
-			Email:    &signupEmail,
-			Password: password,
-		})
-		require.NoError(t, err)
-	}
-
-	// validate_jwt_token and validate_session do NOT rotate, so a single login
-	// suffices for all six of their subtests.
-	login(t)
-	sessionToken, accessToken := captureTokens(t, ts)
-
-	t.Run("validate_jwt_token", func(t *testing.T) {
-		t.Run("backward compat: no required_permissions still works", func(t *testing.T) {
-			res, err := ts.GraphQLProvider.ValidateJWTToken(ctx, &model.ValidateJWTTokenRequest{
-				Token:     accessToken,
-				TokenType: constants.TokenTypeAccessToken,
-			})
-			require.NoError(t, err)
-			require.NotNil(t, res)
-			assert.True(t, res.IsValid)
-		})
-
-		t.Run("granted permission passes", func(t *testing.T) {
-			res, err := ts.GraphQLProvider.ValidateJWTToken(ctx, &model.ValidateJWTTokenRequest{
-				Token:     accessToken,
-				TokenType: constants.TokenTypeAccessToken,
-				RequiredPermissions: []*model.PermissionInput{
-					{Resource: "docs", Scope: "read"},
-				},
-			})
-			require.NoError(t, err)
-			require.NotNil(t, res)
-			assert.True(t, res.IsValid)
-		})
-
-		t.Run("denied permission returns unauthorized", func(t *testing.T) {
-			res, err := ts.GraphQLProvider.ValidateJWTToken(ctx, &model.ValidateJWTTokenRequest{
-				Token:     accessToken,
-				TokenType: constants.TokenTypeAccessToken,
-				RequiredPermissions: []*model.PermissionInput{
-					{Resource: "docs", Scope: "write"},
-				},
-			})
-			require.Error(t, err)
-			require.Nil(t, res)
-			assert.Contains(t, err.Error(), "unauthorized")
-		})
-	})
-
-	t.Run("validate_session", func(t *testing.T) {
-		t.Run("backward compat: no required_permissions still works", func(t *testing.T) {
-			res, err := ts.GraphQLProvider.ValidateSession(ctx, &model.ValidateSessionRequest{
-				Cookie: sessionToken,
-			})
-			require.NoError(t, err)
-			require.NotNil(t, res)
-			assert.True(t, res.IsValid)
-		})
-
-		t.Run("granted permission passes", func(t *testing.T) {
-			res, err := ts.GraphQLProvider.ValidateSession(ctx, &model.ValidateSessionRequest{
-				Cookie: sessionToken,
-				RequiredPermissions: []*model.PermissionInput{
-					{Resource: "docs", Scope: "read"},
-				},
-			})
-			require.NoError(t, err)
-			require.NotNil(t, res)
-			assert.True(t, res.IsValid)
-		})
-
-		t.Run("denied permission returns unauthorized", func(t *testing.T) {
-			res, err := ts.GraphQLProvider.ValidateSession(ctx, &model.ValidateSessionRequest{
-				Cookie: sessionToken,
-				RequiredPermissions: []*model.PermissionInput{
-					{Resource: "docs", Scope: "write"},
-				},
-			})
-			require.Error(t, err)
-			require.Nil(t, res)
-			assert.Contains(t, err.Error(), "unauthorized")
-		})
-	})
-
-	// session() rotates the session on every successful call — re-login per
-	// subtest so each one starts with a fresh, valid session cookie.
-	callSession := func(t *testing.T, params *model.SessionQueryRequest) (*model.AuthResponse, error) {
-		t.Helper()
-		login(t)
-		st, _ := captureTokens(t, ts)
-		req.Header.Set("Cookie", fmt.Sprintf("%s=%s", constants.AppCookieName+"_session", st))
-		defer req.Header.Del("Cookie")
-		return ts.GraphQLProvider.Session(ctx, params)
-	}
-
-	t.Run("session", func(t *testing.T) {
-		t.Run("backward compat: no required_permissions still works", func(t *testing.T) {
-			res, err := callSession(t, &model.SessionQueryRequest{})
-			require.NoError(t, err)
-			require.NotNil(t, res)
-			assert.NotEmpty(t, res.AccessToken)
-		})
-
-		t.Run("granted permission passes", func(t *testing.T) {
-			res, err := callSession(t, &model.SessionQueryRequest{
-				RequiredPermissions: []*model.PermissionInput{
-					{Resource: "docs", Scope: "read"},
-				},
-			})
-			require.NoError(t, err)
-			require.NotNil(t, res)
-			assert.NotEmpty(t, res.AccessToken)
-		})
-
-		t.Run("denied permission returns unauthorized", func(t *testing.T) {
-			res, err := callSession(t, &model.SessionQueryRequest{
-				RequiredPermissions: []*model.PermissionInput{
-					{Resource: "docs", Scope: "write"},
-				},
-			})
-			require.Error(t, err)
-			require.Nil(t, res)
-			assert.Contains(t, err.Error(), "unauthorized")
-		})
-	})
-
-	t.Run("metrics counters increment per outcome", func(t *testing.T) {
-		// Re-login to get a fresh access token — the session subtests above each
-		// call login() internally (session rotates on every call), which replaces
-		// the memory-store entries and makes the top-level accessToken stale.
-		login(t)
-		_, freshAccessToken := captureTokens(t, ts)
-
-		grantedBefore := testutil.ToFloat64(metrics.RequiredPermissionsChecksTotal.WithLabelValues(
-			metrics.RequiredPermissionsEndpointValidateJWTToken,
-			metrics.RequiredPermissionsOutcomeGranted,
-		))
-		deniedBefore := testutil.ToFloat64(metrics.RequiredPermissionsChecksTotal.WithLabelValues(
-			metrics.RequiredPermissionsEndpointValidateJWTToken,
-			metrics.RequiredPermissionsOutcomeDenied,
-		))
-		notReqBefore := testutil.ToFloat64(metrics.RequiredPermissionsChecksTotal.WithLabelValues(
-			metrics.RequiredPermissionsEndpointValidateJWTToken,
-			metrics.RequiredPermissionsOutcomeNotRequested,
-		))
-
-		// not_requested
-		_, err := ts.GraphQLProvider.ValidateJWTToken(ctx, &model.ValidateJWTTokenRequest{
-			Token:     freshAccessToken,
-			TokenType: constants.TokenTypeAccessToken,
-		})
-		require.NoError(t, err)
-
-		// granted
-		_, err = ts.GraphQLProvider.ValidateJWTToken(ctx, &model.ValidateJWTTokenRequest{
-			Token:     freshAccessToken,
-			TokenType: constants.TokenTypeAccessToken,
-			RequiredPermissions: []*model.PermissionInput{
-				{Resource: "docs", Scope: "read"},
-			},
-		})
-		require.NoError(t, err)
-
-		// denied — error is intentional; only the counter increment matters.
-		// outcome=error is not exercised here: simulating a CheckPermission
-		// storage fault from an integration test requires fault injection
-		// the provider doesn't currently expose.
-		_, _ = ts.GraphQLProvider.ValidateJWTToken(ctx, &model.ValidateJWTTokenRequest{
-			Token:     freshAccessToken,
-			TokenType: constants.TokenTypeAccessToken,
-			RequiredPermissions: []*model.PermissionInput{
-				{Resource: "docs", Scope: "write"},
-			},
-		})
-
-		assert.Equal(t, grantedBefore+1, testutil.ToFloat64(metrics.RequiredPermissionsChecksTotal.WithLabelValues(
-			metrics.RequiredPermissionsEndpointValidateJWTToken,
-			metrics.RequiredPermissionsOutcomeGranted,
-		)))
-		assert.Equal(t, deniedBefore+1, testutil.ToFloat64(metrics.RequiredPermissionsChecksTotal.WithLabelValues(
-			metrics.RequiredPermissionsEndpointValidateJWTToken,
-			metrics.RequiredPermissionsOutcomeDenied,
-		)))
-		assert.Equal(t, notReqBefore+1, testutil.ToFloat64(metrics.RequiredPermissionsChecksTotal.WithLabelValues(
-			metrics.RequiredPermissionsEndpointValidateJWTToken,
-			metrics.RequiredPermissionsOutcomeNotRequested,
-		)))
-	})
-}
diff --git a/internal/integration_tests/test_helper.go b/internal/integration_tests/test_helper.go
index f4005c35..d154500b 100644
--- a/internal/integration_tests/test_helper.go
+++ b/internal/integration_tests/test_helper.go
@@ -15,7 +15,6 @@ import (
 
 	"github.com/authorizerdev/authorizer/internal/audit"
 	"github.com/authorizerdev/authorizer/internal/authenticators"
-	"github.com/authorizerdev/authorizer/internal/authorization"
 	"github.com/authorizerdev/authorizer/internal/config"
 	"github.com/authorizerdev/authorizer/internal/constants"
 	"github.com/authorizerdev/authorizer/internal/email"
@@ -44,9 +43,6 @@ type testSetup struct {
 	MemoryStoreProvider   memory_store.Provider
 	AuthenticatorProvider authenticators.Provider
 	TokenProvider         token.Provider
-	// Authz is the authorization provider, exposed for tests that exercise
-	// CheckPermission / GetPrincipalPermissions directly (bypassing GraphQL).
-	Authz authorization.Provider
 }
 
 func createContext(s *testSetup) (*http.Request, context.Context) {
@@ -188,19 +184,6 @@ func initTestSetup(t *testing.T, cfg *config.Config) *testSetup {
 	})
 	require.NoError(t, err)
 
-	// Initialize authorization provider. Tests that need the decision cache
-	// active can set cfg.AuthorizationCacheTTL > 0 in their getTestConfig
-	// equivalent; the default (0) keeps existing tests on the no-cache path
-	// they were written against.
-	authzProvider, err := authorization.New(&authorization.Config{
-		CacheTTL: cfg.AuthorizationCacheTTL,
-	}, &authorization.Dependencies{
-		Log:                 &logger,
-		StorageProvider:     storageProvider,
-		MemoryStoreProvider: memoryStoreProvider,
-	})
-	require.NoError(t, err)
-
 	// Initialize audit provider
 	auditProvider := audit.New(&audit.Dependencies{
 		Log:             &logger,
@@ -212,7 +195,6 @@ func initTestSetup(t *testing.T, cfg *config.Config) *testSetup {
 		Log:                   &logger,
 		AuditProvider:         auditProvider,
 		AuthenticatorProvider: authProvider,
-		AuthorizationProvider: authzProvider,
 		EmailProvider:         emailProvider,
 		EventsProvider:        eventsProvider,
 		MemoryStoreProvider:   memoryStoreProvider,
@@ -279,7 +261,6 @@ func initTestSetup(t *testing.T, cfg *config.Config) *testSetup {
 		MemoryStoreProvider:   memoryStoreProvider,
 		AuthenticatorProvider: authProvider,
 		TokenProvider:         tokenProvider,
-		Authz:                 authzProvider,
 	}
 }
 
diff --git a/internal/metrics/metrics.go b/internal/metrics/metrics.go
index f76d482b..56e6e9c3 100644
--- a/internal/metrics/metrics.go
+++ b/internal/metrics/metrics.go
@@ -35,32 +35,6 @@ const (
 	StatusFailure = "failure"
 )
 
-// Authorization check result labels.
-const (
-	AuthzResultAllowed   = "allowed"   // matched policy, granted
-	AuthzResultDenied    = "denied"    // matched policy, denied
-	AuthzResultUnmatched = "unmatched" // no permission row for (resource, scope)
-	AuthzResultError     = "error"     // validation / storage error
-)
-
-// Outcome constants for the required_permissions counter (per-request bucket,
-// distinct from per-CheckPermission AuthzResult* above). Low cardinality.
-const (
-	RequiredPermissionsOutcomeGranted      = "granted"       // all listed permissions allowed
-	RequiredPermissionsOutcomeDenied       = "denied"        // one or more denied by policy
-	RequiredPermissionsOutcomeNotRequested = "not_requested" // caller omitted required_permissions
-	RequiredPermissionsOutcomeError        = "error"         // CheckPermission errored (DB/validation)
-)
-
-// RequiredPermissionsEndpoint* are the bounded endpoint label values for the
-// required_permissions counter. New endpoints adopting required_permissions
-// must add a constant here rather than passing raw strings.
-const (
-	RequiredPermissionsEndpointSession          = "session"
-	RequiredPermissionsEndpointValidateSession  = "validate_session"
-	RequiredPermissionsEndpointValidateJWTToken = "validate_jwt_token"
-)
-
 var (
 	// HTTPRequestsTotal is the total number of HTTP requests received.
 	HTTPRequestsTotal = prometheus.NewCounterVec(
@@ -155,44 +129,6 @@ var (
 			Help: "Total requests that omitted X-Authorizer-Client-ID (allowed for some routes)",
 		},
 	)
-
-	// AuthzChecksTotal counts every CheckPermission call, labelled by result.
-	AuthzChecksTotal = prometheus.NewCounterVec(
-		prometheus.CounterOpts{
-			Name: "authorizer_authz_checks_total",
-			Help: "Total fine-grained authorization checks. result=allowed|denied|unmatched|error",
-		},
-		[]string{"result"},
-	)
-
-	// AuthzUnmatchedTotal counts checks that found no matching permission.
-	AuthzUnmatchedTotal = prometheus.NewCounter(
-		prometheus.CounterOpts{
-			Name: "authorizer_authz_unmatched_total",
-			Help: "Total CheckPermission calls where no permission matched the (resource, scope) pair.",
-		},
-	)
-
-	// AuthzCheckDuration measures end-to-end CheckPermission latency.
-	AuthzCheckDuration = prometheus.NewHistogram(
-		prometheus.HistogramOpts{
-			Name:    "authorizer_authz_check_duration_seconds",
-			Help:    "CheckPermission latency including validation, cache, and storage queries",
-			Buckets: prometheus.DefBuckets,
-		},
-	)
-
-	// RequiredPermissionsChecksTotal counts each endpoint invocation that the
-	// required_permissions field flows through, labelled by endpoint and the
-	// per-request outcome. This is the FGA adoption + enforcement signal;
-	// the per-CheckPermission AuthzChecksTotal is the evaluator signal.
-	RequiredPermissionsChecksTotal = prometheus.NewCounterVec(
-		prometheus.CounterOpts{
-			Name: "authorizer_required_permissions_checks_total",
-			Help: "Per-endpoint required_permissions outcome. endpoint=session|validate_session|validate_jwt_token. outcome=granted|denied|not_requested|error.",
-		},
-		[]string{"endpoint", "outcome"},
-	)
 )
 
 // staticAssetPathSuffixes are path suffixes (after lowercasing) treated as static files
@@ -275,10 +211,6 @@ func Init() {
 		prometheus.MustRegister(GraphQLRequestDuration)
 		prometheus.MustRegister(DBHealthCheckTotal)
 		prometheus.MustRegister(ClientIDHeaderMissingTotal)
-		prometheus.MustRegister(AuthzChecksTotal)
-		prometheus.MustRegister(AuthzUnmatchedTotal)
-		prometheus.MustRegister(AuthzCheckDuration)
-		prometheus.MustRegister(RequiredPermissionsChecksTotal)
 	})
 }
 
@@ -328,21 +260,3 @@ func RecordGraphQLLimitRejection(limit string) {
 func RecordClientIDHeaderMissing() {
 	ClientIDHeaderMissingTotal.Inc()
 }
-
-// RecordAuthzCheck records a CheckPermission call outcome.
-// result must be one of AuthzResult* constants.
-func RecordAuthzCheck(result string) {
-	AuthzChecksTotal.WithLabelValues(result).Inc()
-}
-
-// RecordAuthzUnmatched records a CheckPermission call that found no matching permission.
-func RecordAuthzUnmatched() {
-	AuthzUnmatchedTotal.Inc()
-}
-
-// RecordRequiredPermissionsCheck records the per-request outcome of
-// enforceRequiredPermissions. endpoint must be one of RequiredPermissionsEndpoint*;
-// outcome must be one of RequiredPermissionsOutcome*.
-func RecordRequiredPermissionsCheck(endpoint, outcome string) {
-	RequiredPermissionsChecksTotal.WithLabelValues(endpoint, outcome).Inc()
-}
diff --git a/internal/storage/db/arangodb/permission.go b/internal/storage/db/arangodb/permission.go
deleted file mode 100644
index 7476c08c..00000000
--- a/internal/storage/db/arangodb/permission.go
+++ /dev/null
@@ -1,363 +0,0 @@
-package arangodb
-
-import (
-	"context"
-	"fmt"
-	"time"
-
-	arangoDriver "github.com/arangodb/go-driver"
-	"github.com/google/uuid"
-
-	"github.com/authorizerdev/authorizer/internal/graph/model"
-	"github.com/authorizerdev/authorizer/internal/storage/schemas"
-)
-
-// AddPermission creates a new authorization permission.
-func (p *provider) AddPermission(ctx context.Context, permission *schemas.Permission) (*schemas.Permission, error) {
-	if permission.ID == "" {
-		permission.ID = uuid.New().String()
-	}
-	permission.Key = permission.ID
-	permission.CreatedAt = time.Now().Unix()
-	permission.UpdatedAt = time.Now().Unix()
-	collection, _ := p.db.Collection(ctx, schemas.Collections.Permission)
-	meta, err := collection.CreateDocument(ctx, permission)
-	if err != nil {
-		return nil, err
-	}
-	permission.Key = meta.Key
-	return permission, nil
-}
-
-// UpdatePermission updates an existing authorization permission.
-func (p *provider) UpdatePermission(ctx context.Context, permission *schemas.Permission) (*schemas.Permission, error) {
-	permission.UpdatedAt = time.Now().Unix()
-	collection, _ := p.db.Collection(ctx, schemas.Collections.Permission)
-	meta, err := collection.UpdateDocument(ctx, permission.Key, permission)
-	if err != nil {
-		return nil, err
-	}
-	permission.Key = meta.Key
-	return permission, nil
-}
-
-// DeletePermission deletes an authorization permission by ID.
-// Cascade-deletes associated permission_scopes and permission_policies.
-func (p *provider) DeletePermission(ctx context.Context, id string) error {
-	// Cascade-delete permission_scopes
-	deleteScopesQuery := fmt.Sprintf("FOR d IN %s FILTER d.permission_id == @permission_id REMOVE d IN %s", schemas.Collections.PermissionScope, schemas.Collections.PermissionScope)
-	scopeCursor, err := p.db.Query(ctx, deleteScopesQuery, map[string]interface{}{
-		"permission_id": id,
-	})
-	if err != nil {
-		return err
-	}
-	defer scopeCursor.Close()
-
-	// Cascade-delete permission_policies
-	deletePoliciesQuery := fmt.Sprintf("FOR d IN %s FILTER d.permission_id == @permission_id REMOVE d IN %s", schemas.Collections.PermissionPolicy, schemas.Collections.PermissionPolicy)
-	policyCursor, err := p.db.Query(ctx, deletePoliciesQuery, map[string]interface{}{
-		"permission_id": id,
-	})
-	if err != nil {
-		return err
-	}
-	defer policyCursor.Close()
-
-	// Find the document key for this permission
-	permission, err := p.GetPermissionByID(ctx, id)
-	if err != nil {
-		return err
-	}
-	collection, _ := p.db.Collection(ctx, schemas.Collections.Permission)
-	_, err = collection.RemoveDocument(ctx, permission.Key)
-	return err
-}
-
-// GetPermissionByID returns an authorization permission by its ID.
-func (p *provider) GetPermissionByID(ctx context.Context, id string) (*schemas.Permission, error) {
-	var permission *schemas.Permission
-	query := fmt.Sprintf("FOR d IN %s FILTER d._key == @id RETURN d", schemas.Collections.Permission)
-	bindVars := map[string]interface{}{
-		"id": id,
-	}
-	cursor, err := p.db.Query(ctx, query, bindVars)
-	if err != nil {
-		return nil, err
-	}
-	defer cursor.Close()
-	for {
-		if !cursor.HasMore() {
-			if permission == nil {
-				return nil, fmt.Errorf("permission not found")
-			}
-			break
-		}
-		_, err := cursor.ReadDocument(ctx, &permission)
-		if err != nil {
-			return nil, err
-		}
-	}
-	return permission, nil
-}
-
-// ListPermissions returns a paginated list of authorization permissions.
-func (p *provider) ListPermissions(ctx context.Context, pagination *model.Pagination) ([]*schemas.Permission, *model.Pagination, error) {
-	permissions := []*schemas.Permission{}
-	query := fmt.Sprintf("FOR d IN %s SORT d.created_at DESC LIMIT %d, %d RETURN d", schemas.Collections.Permission, pagination.Offset, pagination.Limit)
-	sctx := arangoDriver.WithQueryFullCount(ctx)
-	cursor, err := p.db.Query(sctx, query, nil)
-	if err != nil {
-		return nil, nil, err
-	}
-	defer cursor.Close()
-	paginationClone := *pagination
-	paginationClone.Total = cursor.Statistics().FullCount()
-	for {
-		var permission *schemas.Permission
-		meta, err := cursor.ReadDocument(ctx, &permission)
-		if arangoDriver.IsNoMoreDocuments(err) {
-			break
-		} else if err != nil {
-			return nil, nil, err
-		}
-		if meta.Key != "" {
-			permissions = append(permissions, permission)
-		}
-	}
-	return permissions, &paginationClone, nil
-}
-
-// AddPermissionScope links a scope to a permission.
-func (p *provider) AddPermissionScope(ctx context.Context, ps *schemas.PermissionScope) (*schemas.PermissionScope, error) {
-	if ps.ID == "" {
-		ps.ID = uuid.New().String()
-	}
-	ps.Key = ps.ID
-	ps.CreatedAt = time.Now().Unix()
-	collection, _ := p.db.Collection(ctx, schemas.Collections.PermissionScope)
-	meta, err := collection.CreateDocument(ctx, ps)
-	if err != nil {
-		return nil, err
-	}
-	ps.Key = meta.Key
-	return ps, nil
-}
-
-// DeletePermissionScopesByPermissionID removes all scope links for a permission.
-func (p *provider) DeletePermissionScopesByPermissionID(ctx context.Context, permissionID string) error {
-	query := fmt.Sprintf("FOR d IN %s FILTER d.permission_id == @permission_id REMOVE d IN %s", schemas.Collections.PermissionScope, schemas.Collections.PermissionScope)
-	cursor, err := p.db.Query(ctx, query, map[string]interface{}{
-		"permission_id": permissionID,
-	})
-	if err != nil {
-		return err
-	}
-	defer cursor.Close()
-	return nil
-}
-
-// GetPermissionScopes returns all scope links for a permission.
-func (p *provider) GetPermissionScopes(ctx context.Context, permissionID string) ([]*schemas.PermissionScope, error) {
-	scopes := []*schemas.PermissionScope{}
-	query := fmt.Sprintf("FOR d IN %s FILTER d.permission_id == @permission_id RETURN d", schemas.Collections.PermissionScope)
-	cursor, err := p.db.Query(ctx, query, map[string]interface{}{
-		"permission_id": permissionID,
-	})
-	if err != nil {
-		return nil, err
-	}
-	defer cursor.Close()
-	for {
-		var ps *schemas.PermissionScope
-		if _, err := cursor.ReadDocument(ctx, &ps); arangoDriver.IsNoMoreDocuments(err) {
-			break
-		} else if err != nil {
-			return nil, err
-		}
-		scopes = append(scopes, ps)
-	}
-	return scopes, nil
-}
-
-// AddPermissionPolicy links a policy to a permission.
-func (p *provider) AddPermissionPolicy(ctx context.Context, pp *schemas.PermissionPolicy) (*schemas.PermissionPolicy, error) {
-	if pp.ID == "" {
-		pp.ID = uuid.New().String()
-	}
-	pp.Key = pp.ID
-	pp.CreatedAt = time.Now().Unix()
-	collection, _ := p.db.Collection(ctx, schemas.Collections.PermissionPolicy)
-	meta, err := collection.CreateDocument(ctx, pp)
-	if err != nil {
-		return nil, err
-	}
-	pp.Key = meta.Key
-	return pp, nil
-}
-
-// DeletePermissionPoliciesByPermissionID removes all policy links for a permission.
-func (p *provider) DeletePermissionPoliciesByPermissionID(ctx context.Context, permissionID string) error {
-	query := fmt.Sprintf("FOR d IN %s FILTER d.permission_id == @permission_id REMOVE d IN %s", schemas.Collections.PermissionPolicy, schemas.Collections.PermissionPolicy)
-	cursor, err := p.db.Query(ctx, query, map[string]interface{}{
-		"permission_id": permissionID,
-	})
-	if err != nil {
-		return err
-	}
-	defer cursor.Close()
-	return nil
-}
-
-// GetPermissionPolicies returns all policy links for a permission.
-func (p *provider) GetPermissionPolicies(ctx context.Context, permissionID string) ([]*schemas.PermissionPolicy, error) {
-	policies := []*schemas.PermissionPolicy{}
-	query := fmt.Sprintf("FOR d IN %s FILTER d.permission_id == @permission_id RETURN d", schemas.Collections.PermissionPolicy)
-	cursor, err := p.db.Query(ctx, query, map[string]interface{}{
-		"permission_id": permissionID,
-	})
-	if err != nil {
-		return nil, err
-	}
-	defer cursor.Close()
-	for {
-		var pp *schemas.PermissionPolicy
-		if _, err := cursor.ReadDocument(ctx, &pp); arangoDriver.IsNoMoreDocuments(err) {
-			break
-		} else if err != nil {
-			return nil, err
-		}
-		policies = append(policies, pp)
-	}
-	return policies, nil
-}
-
-// GetPermissionsForResourceScope returns all permissions (with their policies and targets)
-// that match a given resource name and scope name. This is the hot-path query used by
-// the evaluation engine. Uses sequential lookups across collections.
-func (p *provider) GetPermissionsForResourceScope(ctx context.Context, resourceName string, scopeName string) ([]*schemas.PermissionWithPolicies, error) {
-	// Step 1: Find the resource by name
-	resource, err := p.GetResourceByName(ctx, resourceName)
-	if err != nil {
-		return nil, nil // Resource not found means no permissions
-	}
-
-	// Step 2: Find the scope by name
-	scope, err := p.GetScopeByName(ctx, scopeName)
-	if err != nil {
-		return nil, nil // Scope not found means no permissions
-	}
-
-	// Step 3: Find permissions for this resource
-	permQuery := fmt.Sprintf("FOR d IN %s FILTER d.resource_id == @resource_id RETURN d", schemas.Collections.Permission)
-	permCursor, err := p.db.Query(ctx, permQuery, map[string]interface{}{
-		"resource_id": resource.ID,
-	})
-	if err != nil {
-		return nil, err
-	}
-	defer permCursor.Close()
-
-	var permissions []*schemas.Permission
-	for {
-		var perm *schemas.Permission
-		if _, err := permCursor.ReadDocument(ctx, &perm); arangoDriver.IsNoMoreDocuments(err) {
-			break
-		} else if err != nil {
-			return nil, err
-		}
-		permissions = append(permissions, perm)
-	}
-
-	if len(permissions) == 0 {
-		return nil, nil
-	}
-
-	// Step 4: Filter permissions that have this scope linked
-	var matchedPermissions []*schemas.Permission
-	for _, perm := range permissions {
-		psQuery := fmt.Sprintf("FOR d IN %s FILTER d.permission_id == @permission_id AND d.scope_id == @scope_id RETURN d", schemas.Collections.PermissionScope)
-		psCursor, err := p.db.Query(ctx, psQuery, map[string]interface{}{
-			"permission_id": perm.ID,
-			"scope_id":      scope.ID,
-		})
-		if err != nil {
-			return nil, err
-		}
-		var ps *schemas.PermissionScope
-		if _, err := psCursor.ReadDocument(ctx, &ps); err == nil && ps != nil {
-			matchedPermissions = append(matchedPermissions, perm)
-		}
-		psCursor.Close()
-	}
-
-	if len(matchedPermissions) == 0 {
-		return nil, nil
-	}
-
-	// Step 5: For each matched permission, resolve policies and targets
-	var result []*schemas.PermissionWithPolicies
-	for _, perm := range matchedPermissions {
-		pwp := &schemas.PermissionWithPolicies{
-			PermissionID:     perm.ID,
-			PermissionName:   perm.Name,
-			DecisionStrategy: perm.DecisionStrategy,
-		}
-
-		// Get permission_policies for this permission
-		ppQuery := fmt.Sprintf("FOR d IN %s FILTER d.permission_id == @permission_id RETURN d", schemas.Collections.PermissionPolicy)
-		ppCursor, err := p.db.Query(ctx, ppQuery, map[string]interface{}{
-			"permission_id": perm.ID,
-		})
-		if err != nil {
-			return nil, err
-		}
-
-		var permPolicies []*schemas.PermissionPolicy
-		for {
-			var pp *schemas.PermissionPolicy
-			if _, err := ppCursor.ReadDocument(ctx, &pp); arangoDriver.IsNoMoreDocuments(err) {
-				break
-			} else if err != nil {
-				ppCursor.Close()
-				return nil, err
-			}
-			permPolicies = append(permPolicies, pp)
-		}
-		ppCursor.Close()
-
-		// For each linked policy, resolve the policy and its targets
-		for _, pp := range permPolicies {
-			policy, err := p.GetPolicyByID(ctx, pp.PolicyID)
-			if err != nil {
-				continue // Skip policies that can't be found
-			}
-
-			pwt := schemas.PolicyWithTargets{
-				PolicyID:         policy.ID,
-				PolicyName:       policy.Name,
-				Type:             policy.Type,
-				Logic:            policy.Logic,
-				DecisionStrategy: policy.DecisionStrategy,
-			}
-
-			// Get targets for this policy
-			targets, err := p.GetPolicyTargets(ctx, policy.ID)
-			if err != nil {
-				return nil, err
-			}
-			for _, t := range targets {
-				pwt.Targets = append(pwt.Targets, schemas.PolicyTargetView{
-					TargetType:  t.TargetType,
-					TargetValue: t.TargetValue,
-				})
-			}
-
-			pwp.Policies = append(pwp.Policies, pwt)
-		}
-
-		result = append(result, pwp)
-	}
-
-	return result, nil
-}
diff --git a/internal/storage/db/arangodb/policy.go b/internal/storage/db/arangodb/policy.go
deleted file mode 100644
index aec4e431..00000000
--- a/internal/storage/db/arangodb/policy.go
+++ /dev/null
@@ -1,191 +0,0 @@
-package arangodb
-
-import (
-	"context"
-	"fmt"
-	"time"
-
-	arangoDriver "github.com/arangodb/go-driver"
-	"github.com/google/uuid"
-
-	"github.com/authorizerdev/authorizer/internal/graph/model"
-	"github.com/authorizerdev/authorizer/internal/storage/schemas"
-)
-
-// AddPolicy creates a new authorization policy.
-func (p *provider) AddPolicy(ctx context.Context, policy *schemas.Policy) (*schemas.Policy, error) {
-	if policy.ID == "" {
-		policy.ID = uuid.New().String()
-	}
-	policy.Key = policy.ID
-	policy.CreatedAt = time.Now().Unix()
-	policy.UpdatedAt = time.Now().Unix()
-	collection, _ := p.db.Collection(ctx, schemas.Collections.Policy)
-	meta, err := collection.CreateDocument(ctx, policy)
-	if err != nil {
-		return nil, err
-	}
-	policy.Key = meta.Key
-	return policy, nil
-}
-
-// UpdatePolicy updates an existing authorization policy.
-func (p *provider) UpdatePolicy(ctx context.Context, policy *schemas.Policy) (*schemas.Policy, error) {
-	policy.UpdatedAt = time.Now().Unix()
-	collection, _ := p.db.Collection(ctx, schemas.Collections.Policy)
-	meta, err := collection.UpdateDocument(ctx, policy.Key, policy)
-	if err != nil {
-		return nil, err
-	}
-	policy.Key = meta.Key
-	return policy, nil
-}
-
-// DeletePolicy deletes an authorization policy by ID.
-// Returns an error if any permission_policy references this policy.
-// Cascade-deletes associated policy targets.
-func (p *provider) DeletePolicy(ctx context.Context, id string) error {
-	// Check for referencing permission_policies
-	countQuery := fmt.Sprintf("FOR d IN %s FILTER d.policy_id == @policy_id COLLECT WITH COUNT INTO length RETURN length", schemas.Collections.PermissionPolicy)
-	cursor, err := p.db.Query(ctx, countQuery, map[string]interface{}{
-		"policy_id": id,
-	})
-	if err != nil {
-		return err
-	}
-	defer cursor.Close()
-	var count int64
-	if cursor.HasMore() {
-		if _, err := cursor.ReadDocument(ctx, &count); err != nil {
-			return err
-		}
-	}
-	if count > 0 {
-		return fmt.Errorf("cannot delete policy: %d permission_policy(s) reference it", count)
-	}
-
-	// Cascade-delete policy targets
-	deleteTargetsQuery := fmt.Sprintf("FOR d IN %s FILTER d.policy_id == @policy_id REMOVE d IN %s", schemas.Collections.PolicyTarget, schemas.Collections.PolicyTarget)
-	targetCursor, err := p.db.Query(ctx, deleteTargetsQuery, map[string]interface{}{
-		"policy_id": id,
-	})
-	if err != nil {
-		return err
-	}
-	defer targetCursor.Close()
-
-	// Find the document key for this policy
-	policy, err := p.GetPolicyByID(ctx, id)
-	if err != nil {
-		return err
-	}
-	collection, _ := p.db.Collection(ctx, schemas.Collections.Policy)
-	_, err = collection.RemoveDocument(ctx, policy.Key)
-	return err
-}
-
-// GetPolicyByID returns an authorization policy by its ID.
-func (p *provider) GetPolicyByID(ctx context.Context, id string) (*schemas.Policy, error) {
-	var policy *schemas.Policy
-	query := fmt.Sprintf("FOR d IN %s FILTER d._key == @id RETURN d", schemas.Collections.Policy)
-	bindVars := map[string]interface{}{
-		"id": id,
-	}
-	cursor, err := p.db.Query(ctx, query, bindVars)
-	if err != nil {
-		return nil, err
-	}
-	defer cursor.Close()
-	for {
-		if !cursor.HasMore() {
-			if policy == nil {
-				return nil, fmt.Errorf("policy not found")
-			}
-			break
-		}
-		_, err := cursor.ReadDocument(ctx, &policy)
-		if err != nil {
-			return nil, err
-		}
-	}
-	return policy, nil
-}
-
-// ListPolicies returns a paginated list of authorization policies.
-func (p *provider) ListPolicies(ctx context.Context, pagination *model.Pagination) ([]*schemas.Policy, *model.Pagination, error) {
-	policies := []*schemas.Policy{}
-	query := fmt.Sprintf("FOR d IN %s SORT d.created_at DESC LIMIT %d, %d RETURN d", schemas.Collections.Policy, pagination.Offset, pagination.Limit)
-	sctx := arangoDriver.WithQueryFullCount(ctx)
-	cursor, err := p.db.Query(sctx, query, nil)
-	if err != nil {
-		return nil, nil, err
-	}
-	defer cursor.Close()
-	paginationClone := *pagination
-	paginationClone.Total = cursor.Statistics().FullCount()
-	for {
-		var policy *schemas.Policy
-		meta, err := cursor.ReadDocument(ctx, &policy)
-		if arangoDriver.IsNoMoreDocuments(err) {
-			break
-		} else if err != nil {
-			return nil, nil, err
-		}
-		if meta.Key != "" {
-			policies = append(policies, policy)
-		}
-	}
-	return policies, &paginationClone, nil
-}
-
-// AddPolicyTarget adds a target (role name or user ID) to a policy.
-func (p *provider) AddPolicyTarget(ctx context.Context, target *schemas.PolicyTarget) (*schemas.PolicyTarget, error) {
-	if target.ID == "" {
-		target.ID = uuid.New().String()
-	}
-	target.Key = target.ID
-	target.CreatedAt = time.Now().Unix()
-	collection, _ := p.db.Collection(ctx, schemas.Collections.PolicyTarget)
-	meta, err := collection.CreateDocument(ctx, target)
-	if err != nil {
-		return nil, err
-	}
-	target.Key = meta.Key
-	return target, nil
-}
-
-// DeletePolicyTargetsByPolicyID removes all targets for a policy.
-func (p *provider) DeletePolicyTargetsByPolicyID(ctx context.Context, policyID string) error {
-	query := fmt.Sprintf("FOR d IN %s FILTER d.policy_id == @policy_id REMOVE d IN %s", schemas.Collections.PolicyTarget, schemas.Collections.PolicyTarget)
-	cursor, err := p.db.Query(ctx, query, map[string]interface{}{
-		"policy_id": policyID,
-	})
-	if err != nil {
-		return err
-	}
-	defer cursor.Close()
-	return nil
-}
-
-// GetPolicyTargets returns all targets for a policy.
-func (p *provider) GetPolicyTargets(ctx context.Context, policyID string) ([]*schemas.PolicyTarget, error) {
-	targets := []*schemas.PolicyTarget{}
-	query := fmt.Sprintf("FOR d IN %s FILTER d.policy_id == @policy_id RETURN d", schemas.Collections.PolicyTarget)
-	cursor, err := p.db.Query(ctx, query, map[string]interface{}{
-		"policy_id": policyID,
-	})
-	if err != nil {
-		return nil, err
-	}
-	defer cursor.Close()
-	for {
-		var target *schemas.PolicyTarget
-		if _, err := cursor.ReadDocument(ctx, &target); arangoDriver.IsNoMoreDocuments(err) {
-			break
-		} else if err != nil {
-			return nil, err
-		}
-		targets = append(targets, target)
-	}
-	return targets, nil
-}
diff --git a/internal/storage/db/arangodb/provider.go b/internal/storage/db/arangodb/provider.go
index 79c3e422..0b840197 100644
--- a/internal/storage/db/arangodb/provider.go
+++ b/internal/storage/db/arangodb/provider.go
@@ -348,161 +348,6 @@ func NewProvider(cfg *config.Config, deps *Dependencies) (*provider, error) {
 		Sparse: true,
 	})
 
-	// Resource collection and indexes
-	resourceCollectionExists, err := arangodb.CollectionExists(ctx, schemas.Collections.Resource)
-	if err != nil {
-		return nil, err
-	}
-	if !resourceCollectionExists {
-		_, err = arangodb.CreateCollection(ctx, schemas.Collections.Resource, nil)
-		if err != nil {
-			return nil, err
-		}
-	}
-	resourceCollection, err := arangodb.Collection(ctx, schemas.Collections.Resource)
-	if err != nil {
-		return nil, err
-	}
-	resourceCollection.EnsureHashIndex(ctx, []string{"name"}, &arangoDriver.EnsureHashIndexOptions{
-		Unique: true,
-		Sparse: true,
-	})
-
-	// Scope collection and indexes
-	scopeCollectionExists, err := arangodb.CollectionExists(ctx, schemas.Collections.Scope)
-	if err != nil {
-		return nil, err
-	}
-	if !scopeCollectionExists {
-		_, err = arangodb.CreateCollection(ctx, schemas.Collections.Scope, nil)
-		if err != nil {
-			return nil, err
-		}
-	}
-	scopeCollection, err := arangodb.Collection(ctx, schemas.Collections.Scope)
-	if err != nil {
-		return nil, err
-	}
-	scopeCollection.EnsureHashIndex(ctx, []string{"name"}, &arangoDriver.EnsureHashIndexOptions{
-		Unique: true,
-		Sparse: true,
-	})
-
-	// Policy collection and indexes
-	policyCollectionExists, err := arangodb.CollectionExists(ctx, schemas.Collections.Policy)
-	if err != nil {
-		return nil, err
-	}
-	if !policyCollectionExists {
-		_, err = arangodb.CreateCollection(ctx, schemas.Collections.Policy, nil)
-		if err != nil {
-			return nil, err
-		}
-	}
-	policyCollection, err := arangodb.Collection(ctx, schemas.Collections.Policy)
-	if err != nil {
-		return nil, err
-	}
-	policyCollection.EnsureHashIndex(ctx, []string{"name"}, &arangoDriver.EnsureHashIndexOptions{
-		Unique: true,
-		Sparse: true,
-	})
-	policyCollection.EnsureHashIndex(ctx, []string{"type"}, &arangoDriver.EnsureHashIndexOptions{
-		Sparse: true,
-	})
-
-	// PolicyTarget collection and indexes
-	policyTargetCollectionExists, err := arangodb.CollectionExists(ctx, schemas.Collections.PolicyTarget)
-	if err != nil {
-		return nil, err
-	}
-	if !policyTargetCollectionExists {
-		_, err = arangodb.CreateCollection(ctx, schemas.Collections.PolicyTarget, nil)
-		if err != nil {
-			return nil, err
-		}
-	}
-	policyTargetCollection, err := arangodb.Collection(ctx, schemas.Collections.PolicyTarget)
-	if err != nil {
-		return nil, err
-	}
-	policyTargetCollection.EnsureHashIndex(ctx, []string{"policy_id"}, &arangoDriver.EnsureHashIndexOptions{
-		Sparse: true,
-	})
-	policyTargetCollection.EnsureHashIndex(ctx, []string{"policy_id", "target_type", "target_value"}, &arangoDriver.EnsureHashIndexOptions{
-		Unique: true,
-		Sparse: true,
-	})
-
-	// Permission collection and indexes
-	permissionCollectionExists, err := arangodb.CollectionExists(ctx, schemas.Collections.Permission)
-	if err != nil {
-		return nil, err
-	}
-	if !permissionCollectionExists {
-		_, err = arangodb.CreateCollection(ctx, schemas.Collections.Permission, nil)
-		if err != nil {
-			return nil, err
-		}
-	}
-	permissionCollection, err := arangodb.Collection(ctx, schemas.Collections.Permission)
-	if err != nil {
-		return nil, err
-	}
-	permissionCollection.EnsureHashIndex(ctx, []string{"name"}, &arangoDriver.EnsureHashIndexOptions{
-		Unique: true,
-		Sparse: true,
-	})
-	permissionCollection.EnsureHashIndex(ctx, []string{"resource_id"}, &arangoDriver.EnsureHashIndexOptions{
-		Sparse: true,
-	})
-
-	// PermissionScope collection and indexes
-	permissionScopeCollectionExists, err := arangodb.CollectionExists(ctx, schemas.Collections.PermissionScope)
-	if err != nil {
-		return nil, err
-	}
-	if !permissionScopeCollectionExists {
-		_, err = arangodb.CreateCollection(ctx, schemas.Collections.PermissionScope, nil)
-		if err != nil {
-			return nil, err
-		}
-	}
-	permissionScopeCollection, err := arangodb.Collection(ctx, schemas.Collections.PermissionScope)
-	if err != nil {
-		return nil, err
-	}
-	permissionScopeCollection.EnsureHashIndex(ctx, []string{"permission_id"}, &arangoDriver.EnsureHashIndexOptions{
-		Sparse: true,
-	})
-	permissionScopeCollection.EnsureHashIndex(ctx, []string{"permission_id", "scope_id"}, &arangoDriver.EnsureHashIndexOptions{
-		Unique: true,
-		Sparse: true,
-	})
-
-	// PermissionPolicy collection and indexes
-	permissionPolicyCollectionExists, err := arangodb.CollectionExists(ctx, schemas.Collections.PermissionPolicy)
-	if err != nil {
-		return nil, err
-	}
-	if !permissionPolicyCollectionExists {
-		_, err = arangodb.CreateCollection(ctx, schemas.Collections.PermissionPolicy, nil)
-		if err != nil {
-			return nil, err
-		}
-	}
-	permissionPolicyCollection, err := arangodb.Collection(ctx, schemas.Collections.PermissionPolicy)
-	if err != nil {
-		return nil, err
-	}
-	permissionPolicyCollection.EnsureHashIndex(ctx, []string{"permission_id"}, &arangoDriver.EnsureHashIndexOptions{
-		Sparse: true,
-	})
-	permissionPolicyCollection.EnsureHashIndex(ctx, []string{"permission_id", "policy_id"}, &arangoDriver.EnsureHashIndexOptions{
-		Unique: true,
-		Sparse: true,
-	})
-
 	return &provider{
 		config:       cfg,
 		dependencies: deps,
diff --git a/internal/storage/db/arangodb/resource.go b/internal/storage/db/arangodb/resource.go
deleted file mode 100644
index af5ae05d..00000000
--- a/internal/storage/db/arangodb/resource.go
+++ /dev/null
@@ -1,155 +0,0 @@
-package arangodb
-
-import (
-	"context"
-	"fmt"
-	"time"
-
-	arangoDriver "github.com/arangodb/go-driver"
-	"github.com/google/uuid"
-
-	"github.com/authorizerdev/authorizer/internal/graph/model"
-	"github.com/authorizerdev/authorizer/internal/storage/schemas"
-)
-
-// AddResource creates a new authorization resource.
-func (p *provider) AddResource(ctx context.Context, resource *schemas.Resource) (*schemas.Resource, error) {
-	if resource.ID == "" {
-		resource.ID = uuid.New().String()
-	}
-	resource.Key = resource.ID
-	resource.CreatedAt = time.Now().Unix()
-	resource.UpdatedAt = time.Now().Unix()
-	collection, _ := p.db.Collection(ctx, schemas.Collections.Resource)
-	meta, err := collection.CreateDocument(ctx, resource)
-	if err != nil {
-		return nil, err
-	}
-	resource.Key = meta.Key
-	return resource, nil
-}
-
-// UpdateResource updates an existing authorization resource.
-func (p *provider) UpdateResource(ctx context.Context, resource *schemas.Resource) (*schemas.Resource, error) {
-	resource.UpdatedAt = time.Now().Unix()
-	collection, _ := p.db.Collection(ctx, schemas.Collections.Resource)
-	meta, err := collection.UpdateDocument(ctx, resource.Key, resource)
-	if err != nil {
-		return nil, err
-	}
-	resource.Key = meta.Key
-	return resource, nil
-}
-
-// DeleteResource deletes an authorization resource by ID.
-// Returns an error if any permission references this resource.
-func (p *provider) DeleteResource(ctx context.Context, id string) error {
-	// Check for referencing permissions
-	countQuery := fmt.Sprintf("FOR d IN %s FILTER d.resource_id == @resource_id COLLECT WITH COUNT INTO length RETURN length", schemas.Collections.Permission)
-	cursor, err := p.db.Query(ctx, countQuery, map[string]interface{}{
-		"resource_id": id,
-	})
-	if err != nil {
-		return err
-	}
-	defer cursor.Close()
-	var count int64
-	if cursor.HasMore() {
-		if _, err := cursor.ReadDocument(ctx, &count); err != nil {
-			return err
-		}
-	}
-	if count > 0 {
-		return fmt.Errorf("cannot delete resource: %d permission(s) reference it", count)
-	}
-
-	// Find the document key for this resource
-	resource, err := p.GetResourceByID(ctx, id)
-	if err != nil {
-		return err
-	}
-	collection, _ := p.db.Collection(ctx, schemas.Collections.Resource)
-	_, err = collection.RemoveDocument(ctx, resource.Key)
-	return err
-}
-
-// GetResourceByID returns an authorization resource by its ID.
-func (p *provider) GetResourceByID(ctx context.Context, id string) (*schemas.Resource, error) {
-	var resource *schemas.Resource
-	query := fmt.Sprintf("FOR d IN %s FILTER d._key == @id RETURN d", schemas.Collections.Resource)
-	bindVars := map[string]interface{}{
-		"id": id,
-	}
-	cursor, err := p.db.Query(ctx, query, bindVars)
-	if err != nil {
-		return nil, err
-	}
-	defer cursor.Close()
-	for {
-		if !cursor.HasMore() {
-			if resource == nil {
-				return nil, fmt.Errorf("resource not found")
-			}
-			break
-		}
-		_, err := cursor.ReadDocument(ctx, &resource)
-		if err != nil {
-			return nil, err
-		}
-	}
-	return resource, nil
-}
-
-// GetResourceByName returns an authorization resource by its unique name.
-func (p *provider) GetResourceByName(ctx context.Context, name string) (*schemas.Resource, error) {
-	var resource *schemas.Resource
-	query := fmt.Sprintf("FOR d IN %s FILTER d.name == @name RETURN d", schemas.Collections.Resource)
-	bindVars := map[string]interface{}{
-		"name": name,
-	}
-	cursor, err := p.db.Query(ctx, query, bindVars)
-	if err != nil {
-		return nil, err
-	}
-	defer cursor.Close()
-	for {
-		if !cursor.HasMore() {
-			if resource == nil {
-				return nil, fmt.Errorf("resource not found")
-			}
-			break
-		}
-		_, err := cursor.ReadDocument(ctx, &resource)
-		if err != nil {
-			return nil, err
-		}
-	}
-	return resource, nil
-}
-
-// ListResources returns a paginated list of authorization resources.
-func (p *provider) ListResources(ctx context.Context, pagination *model.Pagination) ([]*schemas.Resource, *model.Pagination, error) {
-	resources := []*schemas.Resource{}
-	query := fmt.Sprintf("FOR d IN %s SORT d.created_at DESC LIMIT %d, %d RETURN d", schemas.Collections.Resource, pagination.Offset, pagination.Limit)
-	sctx := arangoDriver.WithQueryFullCount(ctx)
-	cursor, err := p.db.Query(sctx, query, nil)
-	if err != nil {
-		return nil, nil, err
-	}
-	defer cursor.Close()
-	paginationClone := *pagination
-	paginationClone.Total = cursor.Statistics().FullCount()
-	for {
-		var resource *schemas.Resource
-		meta, err := cursor.ReadDocument(ctx, &resource)
-		if arangoDriver.IsNoMoreDocuments(err) {
-			break
-		} else if err != nil {
-			return nil, nil, err
-		}
-		if meta.Key != "" {
-			resources = append(resources, resource)
-		}
-	}
-	return resources, &paginationClone, nil
-}
diff --git a/internal/storage/db/arangodb/scope.go b/internal/storage/db/arangodb/scope.go
deleted file mode 100644
index 7455c90d..00000000
--- a/internal/storage/db/arangodb/scope.go
+++ /dev/null
@@ -1,155 +0,0 @@
-package arangodb
-
-import (
-	"context"
-	"fmt"
-	"time"
-
-	arangoDriver "github.com/arangodb/go-driver"
-	"github.com/google/uuid"
-
-	"github.com/authorizerdev/authorizer/internal/graph/model"
-	"github.com/authorizerdev/authorizer/internal/storage/schemas"
-)
-
-// AddScope creates a new authorization scope.
-func (p *provider) AddScope(ctx context.Context, scope *schemas.Scope) (*schemas.Scope, error) {
-	if scope.ID == "" {
-		scope.ID = uuid.New().String()
-	}
-	scope.Key = scope.ID
-	scope.CreatedAt = time.Now().Unix()
-	scope.UpdatedAt = time.Now().Unix()
-	collection, _ := p.db.Collection(ctx, schemas.Collections.Scope)
-	meta, err := collection.CreateDocument(ctx, scope)
-	if err != nil {
-		return nil, err
-	}
-	scope.Key = meta.Key
-	return scope, nil
-}
-
-// UpdateScope updates an existing authorization scope.
-func (p *provider) UpdateScope(ctx context.Context, scope *schemas.Scope) (*schemas.Scope, error) {
-	scope.UpdatedAt = time.Now().Unix()
-	collection, _ := p.db.Collection(ctx, schemas.Collections.Scope)
-	meta, err := collection.UpdateDocument(ctx, scope.Key, scope)
-	if err != nil {
-		return nil, err
-	}
-	scope.Key = meta.Key
-	return scope, nil
-}
-
-// DeleteScope deletes an authorization scope by ID.
-// Returns an error if any permission_scope references this scope.
-func (p *provider) DeleteScope(ctx context.Context, id string) error {
-	// Check for referencing permission_scopes
-	countQuery := fmt.Sprintf("FOR d IN %s FILTER d.scope_id == @scope_id COLLECT WITH COUNT INTO length RETURN length", schemas.Collections.PermissionScope)
-	cursor, err := p.db.Query(ctx, countQuery, map[string]interface{}{
-		"scope_id": id,
-	})
-	if err != nil {
-		return err
-	}
-	defer cursor.Close()
-	var count int64
-	if cursor.HasMore() {
-		if _, err := cursor.ReadDocument(ctx, &count); err != nil {
-			return err
-		}
-	}
-	if count > 0 {
-		return fmt.Errorf("cannot delete scope: %d permission_scope(s) reference it", count)
-	}
-
-	// Find the document key for this scope
-	scope, err := p.GetScopeByID(ctx, id)
-	if err != nil {
-		return err
-	}
-	collection, _ := p.db.Collection(ctx, schemas.Collections.Scope)
-	_, err = collection.RemoveDocument(ctx, scope.Key)
-	return err
-}
-
-// GetScopeByID returns an authorization scope by its ID.
-func (p *provider) GetScopeByID(ctx context.Context, id string) (*schemas.Scope, error) {
-	var scope *schemas.Scope
-	query := fmt.Sprintf("FOR d IN %s FILTER d._key == @id RETURN d", schemas.Collections.Scope)
-	bindVars := map[string]interface{}{
-		"id": id,
-	}
-	cursor, err := p.db.Query(ctx, query, bindVars)
-	if err != nil {
-		return nil, err
-	}
-	defer cursor.Close()
-	for {
-		if !cursor.HasMore() {
-			if scope == nil {
-				return nil, fmt.Errorf("scope not found")
-			}
-			break
-		}
-		_, err := cursor.ReadDocument(ctx, &scope)
-		if err != nil {
-			return nil, err
-		}
-	}
-	return scope, nil
-}
-
-// GetScopeByName returns an authorization scope by its unique name.
-func (p *provider) GetScopeByName(ctx context.Context, name string) (*schemas.Scope, error) {
-	var scope *schemas.Scope
-	query := fmt.Sprintf("FOR d IN %s FILTER d.name == @name RETURN d", schemas.Collections.Scope)
-	bindVars := map[string]interface{}{
-		"name": name,
-	}
-	cursor, err := p.db.Query(ctx, query, bindVars)
-	if err != nil {
-		return nil, err
-	}
-	defer cursor.Close()
-	for {
-		if !cursor.HasMore() {
-			if scope == nil {
-				return nil, fmt.Errorf("scope not found")
-			}
-			break
-		}
-		_, err := cursor.ReadDocument(ctx, &scope)
-		if err != nil {
-			return nil, err
-		}
-	}
-	return scope, nil
-}
-
-// ListScopes returns a paginated list of authorization scopes.
-func (p *provider) ListScopes(ctx context.Context, pagination *model.Pagination) ([]*schemas.Scope, *model.Pagination, error) {
-	scopes := []*schemas.Scope{}
-	query := fmt.Sprintf("FOR d IN %s SORT d.created_at DESC LIMIT %d, %d RETURN d", schemas.Collections.Scope, pagination.Offset, pagination.Limit)
-	sctx := arangoDriver.WithQueryFullCount(ctx)
-	cursor, err := p.db.Query(sctx, query, nil)
-	if err != nil {
-		return nil, nil, err
-	}
-	defer cursor.Close()
-	paginationClone := *pagination
-	paginationClone.Total = cursor.Statistics().FullCount()
-	for {
-		var scope *schemas.Scope
-		meta, err := cursor.ReadDocument(ctx, &scope)
-		if arangoDriver.IsNoMoreDocuments(err) {
-			break
-		} else if err != nil {
-			return nil, nil, err
-		}
-		if meta.Key != "" {
-			scopes = append(scopes, scope)
-		}
-	}
-	return scopes, &paginationClone, nil
-}
diff --git a/internal/storage/db/cassandradb/permission.go b/internal/storage/db/cassandradb/permission.go
deleted file mode 100644
index 5307c9ff..00000000
--- a/internal/storage/db/cassandradb/permission.go
+++ /dev/null
@@ -1,423 +0,0 @@
-package cassandradb
-
-import (
-	"context"
-	"encoding/json"
-	"fmt"
-	"strings"
-	"time"
-
-	"github.com/gocql/gocql"
-	"github.com/google/uuid"
-
-	"github.com/authorizerdev/authorizer/internal/graph/model"
-	"github.com/authorizerdev/authorizer/internal/storage/schemas"
-)
-
-// AddPermission creates a new authorization permission.
-func (p *provider) AddPermission(ctx context.Context, permission *schemas.Permission) (*schemas.Permission, error) {
-	if permission.ID == "" {
-		permission.ID = uuid.New().String()
-	}
-	permission.Key = permission.ID
-	permission.CreatedAt = time.Now().Unix()
-	permission.UpdatedAt = time.Now().Unix()
-	insertQuery := fmt.Sprintf("INSERT INTO %s (id, name, description, resource_id, decision_strategy, created_at, updated_at) VALUES (?, ?, ?, ?, ?, ?, ?)",
-		KeySpace+"."+schemas.Collections.Permission)
-	err := p.db.Query(insertQuery, permission.ID, permission.Name, permission.Description, permission.ResourceID, permission.DecisionStrategy, permission.CreatedAt, permission.UpdatedAt).Exec()
-	if err != nil {
-		return nil, err
-	}
-	return permission, nil
-}
-
-// UpdatePermission updates an existing authorization permission.
-func (p *provider) UpdatePermission(ctx context.Context, permission *schemas.Permission) (*schemas.Permission, error) {
-	permission.UpdatedAt = time.Now().Unix()
-	bytes, err := json.Marshal(permission)
-	if err != nil {
-		return nil, err
-	}
-	decoder := json.NewDecoder(strings.NewReader(string(bytes)))
-	decoder.UseNumber()
-	permissionMap := map[string]interface{}{}
-	err = decoder.Decode(&permissionMap)
-	if err != nil {
-		return nil, err
-	}
-	convertMapValues(permissionMap)
-	updateFields := ""
-	var updateValues []interface{}
-	for key, value := range permissionMap {
-		if key == "_id" || key == "_key" || key == "id" || key == "key" {
-			continue
-		}
-		if value == nil {
-			updateFields += fmt.Sprintf("%s = null,", key)
-			continue
-		}
-		updateFields += fmt.Sprintf("%s = ?, ", key)
-		updateValues = append(updateValues, value)
-	}
-	updateFields = strings.Trim(updateFields, " ")
-	updateFields = strings.TrimSuffix(updateFields, ",")
-	updateValues = append(updateValues, permission.ID)
-	query := fmt.Sprintf("UPDATE %s SET %s WHERE id = ?", KeySpace+"."+schemas.Collections.Permission, updateFields)
-	err = p.db.Query(query, updateValues...).Exec()
-	if err != nil {
-		return nil, err
-	}
-	return permission, nil
-}
-
-// DeletePermission deletes an authorization permission by ID.
-// Cascade-deletes associated permission_scopes and permission_policies.
-func (p *provider) DeletePermission(ctx context.Context, id string) error {
-	// Cascade-delete permission_scopes
-	getScopesQuery := fmt.Sprintf("SELECT id FROM %s WHERE permission_id = ? ALLOW FILTERING", KeySpace+"."+schemas.Collections.PermissionScope)
-	scanner := p.db.Query(getScopesQuery, id).Iter().Scanner()
-	var scopeIDs []string
-	for scanner.Next() {
-		var scopeID string
-		err := scanner.Scan(&scopeID)
-		if err != nil {
-			return err
-		}
-		scopeIDs = append(scopeIDs, scopeID)
-	}
-	if len(scopeIDs) > 0 {
-		placeholders := strings.Repeat("?,", len(scopeIDs))
-		placeholders = strings.TrimSuffix(placeholders, ",")
-		deleteValues := make([]interface{}, len(scopeIDs))
-		for i, sid := range scopeIDs {
-			deleteValues[i] = sid
-		}
-		deleteScopesQuery := fmt.Sprintf("DELETE FROM %s WHERE id IN (%s)", KeySpace+"."+schemas.Collections.PermissionScope, placeholders)
-		err := p.db.Query(deleteScopesQuery, deleteValues...).Exec()
-		if err != nil {
-			return err
-		}
-	}
-	// Cascade-delete permission_policies
-	getPoliciesQuery := fmt.Sprintf("SELECT id FROM %s WHERE permission_id = ? ALLOW FILTERING", KeySpace+"."+schemas.Collections.PermissionPolicy)
-	scanner = p.db.Query(getPoliciesQuery, id).Iter().Scanner()
-	var policyIDs []string
-	for scanner.Next() {
-		var policyID string
-		err := scanner.Scan(&policyID)
-		if err != nil {
-			return err
-		}
-		policyIDs = append(policyIDs, policyID)
-	}
-	if len(policyIDs) > 0 {
-		placeholders := strings.Repeat("?,", len(policyIDs))
-		placeholders = strings.TrimSuffix(placeholders, ",")
-		deleteValues := make([]interface{}, len(policyIDs))
-		for i, pid := range policyIDs {
-			deleteValues[i] = pid
-		}
-		deletePoliciesQuery := fmt.Sprintf("DELETE FROM %s WHERE id IN (%s)", KeySpace+"."+schemas.Collections.PermissionPolicy, placeholders)
-		err := p.db.Query(deletePoliciesQuery, deleteValues...).Exec()
-		if err != nil {
-			return err
-		}
-	}
-	// Delete the permission itself
-	query := fmt.Sprintf("DELETE FROM %s WHERE id = ?", KeySpace+"."+schemas.Collections.Permission)
-	err := p.db.Query(query, id).Exec()
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-// GetPermissionByID returns an authorization permission by its ID.
-func (p *provider) GetPermissionByID(ctx context.Context, id string) (*schemas.Permission, error) {
-	var permission schemas.Permission
-	query := fmt.Sprintf("SELECT id, name, description, resource_id, decision_strategy, created_at, updated_at FROM %s WHERE id = ? LIMIT 1",
-		KeySpace+"."+schemas.Collections.Permission)
-	err := p.db.Query(query, id).Consistency(gocql.One).Scan(
-		&permission.ID, &permission.Name, &permission.Description, &permission.ResourceID, &permission.DecisionStrategy, &permission.CreatedAt, &permission.UpdatedAt)
-	if err != nil {
-		return nil, err
-	}
-	return &permission, nil
-}
-
-// ListPermissions returns a paginated list of authorization permissions.
-func (p *provider) ListPermissions(ctx context.Context, pagination *model.Pagination) ([]*schemas.Permission, *model.Pagination, error) {
-	permissions := []*schemas.Permission{}
-	paginationClone := *pagination
-	totalCountQuery := fmt.Sprintf("SELECT COUNT(*) FROM %s", KeySpace+"."+schemas.Collections.Permission)
-	err := p.db.Query(totalCountQuery).Consistency(gocql.One).Scan(&paginationClone.Total)
-	if err != nil {
-		return nil, nil, err
-	}
-	query := fmt.Sprintf("SELECT id, name, description, resource_id, decision_strategy, created_at, updated_at FROM %s LIMIT %d",
-		KeySpace+"."+schemas.Collections.Permission, pagination.Limit+pagination.Offset)
-	scanner := p.db.Query(query).Iter().Scanner()
-	counter := int64(0)
-	for scanner.Next() {
-		if counter >= pagination.Offset {
-			var permission schemas.Permission
-			err := scanner.Scan(&permission.ID, &permission.Name, &permission.Description, &permission.ResourceID, &permission.DecisionStrategy, &permission.CreatedAt, &permission.UpdatedAt)
-			if err != nil {
-				return nil, nil, err
-			}
-			permissions = append(permissions, &permission)
-		}
-		counter++
-	}
-	return permissions, &paginationClone, nil
-}
-
-// AddPermissionScope links a scope to a permission.
-func (p *provider) AddPermissionScope(ctx context.Context, ps *schemas.PermissionScope) (*schemas.PermissionScope, error) {
-	if ps.ID == "" {
-		ps.ID = uuid.New().String()
-	}
-	ps.Key = ps.ID
-	ps.CreatedAt = time.Now().Unix()
-	insertQuery := fmt.Sprintf("INSERT INTO %s (id, permission_id, scope_id, created_at) VALUES (?, ?, ?, ?)",
-		KeySpace+"."+schemas.Collections.PermissionScope)
-	err := p.db.Query(insertQuery, ps.ID, ps.PermissionID, ps.ScopeID, ps.CreatedAt).Exec()
-	if err != nil {
-		return nil, err
-	}
-	return ps, nil
-}
-
-// DeletePermissionScopesByPermissionID removes all scope links for a permission.
-func (p *provider) DeletePermissionScopesByPermissionID(ctx context.Context, permissionID string) error {
-	getQuery := fmt.Sprintf("SELECT id FROM %s WHERE permission_id = ? ALLOW FILTERING", KeySpace+"."+schemas.Collections.PermissionScope)
-	scanner := p.db.Query(getQuery, permissionID).Iter().Scanner()
-	var ids []string
-	for scanner.Next() {
-		var id string
-		err := scanner.Scan(&id)
-		if err != nil {
-			return err
-		}
-		ids = append(ids, id)
-	}
-	if len(ids) > 0 {
-		placeholders := strings.Repeat("?,", len(ids))
-		placeholders = strings.TrimSuffix(placeholders, ",")
-		deleteValues := make([]interface{}, len(ids))
-		for i, id := range ids {
-			deleteValues[i] = id
-		}
-		query := fmt.Sprintf("DELETE FROM %s WHERE id IN (%s)", KeySpace+"."+schemas.Collections.PermissionScope, placeholders)
-		err := p.db.Query(query, deleteValues...).Exec()
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-// GetPermissionScopes returns all scope links for a permission.
-func (p *provider) GetPermissionScopes(ctx context.Context, permissionID string) ([]*schemas.PermissionScope, error) {
-	scopes := []*schemas.PermissionScope{}
-	query := fmt.Sprintf("SELECT id, permission_id, scope_id, created_at FROM %s WHERE permission_id = ? ALLOW FILTERING",
-		KeySpace+"."+schemas.Collections.PermissionScope)
-	scanner := p.db.Query(query, permissionID).Iter().Scanner()
-	for scanner.Next() {
-		var ps schemas.PermissionScope
-		err := scanner.Scan(&ps.ID, &ps.PermissionID, &ps.ScopeID, &ps.CreatedAt)
-		if err != nil {
-			return nil, err
-		}
-		scopes = append(scopes, &ps)
-	}
-	return scopes, nil
-}
-
-// AddPermissionPolicy links a policy to a permission.
-func (p *provider) AddPermissionPolicy(ctx context.Context, pp *schemas.PermissionPolicy) (*schemas.PermissionPolicy, error) {
-	if pp.ID == "" {
-		pp.ID = uuid.New().String()
-	}
-	pp.Key = pp.ID
-	pp.CreatedAt = time.Now().Unix()
-	insertQuery := fmt.Sprintf("INSERT INTO %s (id, permission_id, policy_id, created_at) VALUES (?, ?, ?, ?)",
-		KeySpace+"."+schemas.Collections.PermissionPolicy)
-	err := p.db.Query(insertQuery, pp.ID, pp.PermissionID, pp.PolicyID, pp.CreatedAt).Exec()
-	if err != nil {
-		return nil, err
-	}
-	return pp, nil
-}
-
-// DeletePermissionPoliciesByPermissionID removes all policy links for a permission.
-func (p *provider) DeletePermissionPoliciesByPermissionID(ctx context.Context, permissionID string) error {
-	getQuery := fmt.Sprintf("SELECT id FROM %s WHERE permission_id = ? ALLOW FILTERING", KeySpace+"."+schemas.Collections.PermissionPolicy)
-	scanner := p.db.Query(getQuery, permissionID).Iter().Scanner()
-	var ids []string
-	for scanner.Next() {
-		var id string
-		err := scanner.Scan(&id)
-		if err != nil {
-			return err
-		}
-		ids = append(ids, id)
-	}
-	if len(ids) > 0 {
-		placeholders := strings.Repeat("?,", len(ids))
-		placeholders = strings.TrimSuffix(placeholders, ",")
-		deleteValues := make([]interface{}, len(ids))
-		for i, id := range ids {
-			deleteValues[i] = id
-		}
-		query := fmt.Sprintf("DELETE FROM %s WHERE id IN (%s)", KeySpace+"."+schemas.Collections.PermissionPolicy, placeholders)
-		err := p.db.Query(query, deleteValues...).Exec()
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-// GetPermissionPolicies returns all policy links for a permission.
-func (p *provider) GetPermissionPolicies(ctx context.Context, permissionID string) ([]*schemas.PermissionPolicy, error) {
-	policies := []*schemas.PermissionPolicy{}
-	query := fmt.Sprintf("SELECT id, permission_id, policy_id, created_at FROM %s WHERE permission_id = ? ALLOW FILTERING",
-		KeySpace+"."+schemas.Collections.PermissionPolicy)
-	scanner := p.db.Query(query, permissionID).Iter().Scanner()
-	for scanner.Next() {
-		var pp schemas.PermissionPolicy
-		err := scanner.Scan(&pp.ID, &pp.PermissionID, &pp.PolicyID, &pp.CreatedAt)
-		if err != nil {
-			return nil, err
-		}
-		policies = append(policies, &pp)
-	}
-	return policies, nil
-}
-
-// GetPermissionsForResourceScope returns all permissions (with their policies and targets)
-// that match a given resource name and scope name. This is the hot-path query used by
-// the evaluation engine. Uses sequential queries since Cassandra does not support JOINs.
-func (p *provider) GetPermissionsForResourceScope(ctx context.Context, resourceName string, scopeName string) ([]*schemas.PermissionWithPolicies, error) {
-	// 1. Find resource by name
-	var resourceID string
-	resourceQuery := fmt.Sprintf("SELECT id FROM %s WHERE name = ? LIMIT 1 ALLOW FILTERING",
-		KeySpace+"."+schemas.Collections.Resource)
-	err := p.db.Query(resourceQuery, resourceName).Consistency(gocql.One).Scan(&resourceID)
-	if err != nil {
-		return nil, err
-	}
-
-	// 2. Find scope by name
-	var scopeID string
-	scopeQuery := fmt.Sprintf("SELECT id FROM %s WHERE name = ? LIMIT 1 ALLOW FILTERING",
-		KeySpace+"."+schemas.Collections.Scope)
-	err = p.db.Query(scopeQuery, scopeName).Consistency(gocql.One).Scan(&scopeID)
-	if err != nil {
-		return nil, err
-	}
-
-	// 3. Find permissions for this resource
-	permQuery := fmt.Sprintf("SELECT id, name, decision_strategy FROM %s WHERE resource_id = ? ALLOW FILTERING",
-		KeySpace+"."+schemas.Collections.Permission)
-	permScanner := p.db.Query(permQuery, resourceID).Iter().Scanner()
-
-	type permInfo struct {
-		ID               string
-		Name             string
-		DecisionStrategy string
-	}
-	var permissions []permInfo
-	for permScanner.Next() {
-		var pi permInfo
-		err := permScanner.Scan(&pi.ID, &pi.Name, &pi.DecisionStrategy)
-		if err != nil {
-			return nil, err
-		}
-		permissions = append(permissions, pi)
-	}
-
-	if len(permissions) == 0 {
-		return nil, nil
-	}
-
-	// 4. For each permission, check if it has the requested scope
-	var result []*schemas.PermissionWithPolicies
-
-	for _, perm := range permissions {
-		var scopeCount int64
-		scopeCountQuery := fmt.Sprintf("SELECT COUNT(*) FROM %s WHERE permission_id = ? AND scope_id = ? ALLOW FILTERING",
-			KeySpace+"."+schemas.Collections.PermissionScope)
-		err := p.db.Query(scopeCountQuery, perm.ID, scopeID).Consistency(gocql.One).Scan(&scopeCount)
-		if err != nil {
-			return nil, err
-		}
-		if scopeCount == 0 {
-			continue
-		}
-
-		// 5. Find permission_policies for this permission
-		ppQuery := fmt.Sprintf("SELECT policy_id FROM %s WHERE permission_id = ? ALLOW FILTERING",
-			KeySpace+"."+schemas.Collections.PermissionPolicy)
-		ppScanner := p.db.Query(ppQuery, perm.ID).Iter().Scanner()
-		var policyIDs []string
-		for ppScanner.Next() {
-			var policyID string
-			err := ppScanner.Scan(&policyID)
-			if err != nil {
-				return nil, err
-			}
-			policyIDs = append(policyIDs, policyID)
-		}
-
-		if len(policyIDs) == 0 {
-			continue
-		}
-
-		// 6. For each policy, resolve the policy and its targets
-		var policiesWithTargets []schemas.PolicyWithTargets
-		for _, policyID := range policyIDs {
-			var policy schemas.Policy
-			policyQuery := fmt.Sprintf("SELECT id, name, type, logic, decision_strategy FROM %s WHERE id = ? LIMIT 1",
-				KeySpace+"."+schemas.Collections.Policy)
-			err := p.db.Query(policyQuery, policyID).Consistency(gocql.One).Scan(
-				&policy.ID, &policy.Name, &policy.Type, &policy.Logic, &policy.DecisionStrategy)
-			if err != nil {
-				return nil, err
-			}
-
-			// Get targets for this policy
-			targetQuery := fmt.Sprintf("SELECT target_type, target_value FROM %s WHERE policy_id = ? ALLOW FILTERING",
-				KeySpace+"."+schemas.Collections.PolicyTarget)
-			targetScanner := p.db.Query(targetQuery, policyID).Iter().Scanner()
-			var targets []schemas.PolicyTargetView
-			for targetScanner.Next() {
-				var tv schemas.PolicyTargetView
-				err := targetScanner.Scan(&tv.TargetType, &tv.TargetValue)
-				if err != nil {
-					return nil, err
-				}
-				targets = append(targets, tv)
-			}
-
-			policiesWithTargets = append(policiesWithTargets, schemas.PolicyWithTargets{
-				PolicyID:         policy.ID,
-				PolicyName:       policy.Name,
-				Type:             policy.Type,
-				Logic:            policy.Logic,
-				DecisionStrategy: policy.DecisionStrategy,
-				Targets:          targets,
-			})
-		}
-
-		result = append(result, &schemas.PermissionWithPolicies{
-			PermissionID:     perm.ID,
-			PermissionName:   perm.Name,
-			DecisionStrategy: perm.DecisionStrategy,
-			Policies:         policiesWithTargets,
-		})
-	}
-
-	return result, nil
-}
diff --git a/internal/storage/db/cassandradb/policy.go b/internal/storage/db/cassandradb/policy.go
deleted file mode 100644
index a7ca6f6a..00000000
--- a/internal/storage/db/cassandradb/policy.go
+++ /dev/null
@@ -1,221 +0,0 @@
-package cassandradb
-
-import (
-	"context"
-	"encoding/json"
-	"fmt"
-	"strings"
-	"time"
-
-	"github.com/gocql/gocql"
-	"github.com/google/uuid"
-
-	"github.com/authorizerdev/authorizer/internal/graph/model"
-	"github.com/authorizerdev/authorizer/internal/storage/schemas"
-)
-
-// AddPolicy creates a new authorization policy.
-func (p *provider) AddPolicy(ctx context.Context, policy *schemas.Policy) (*schemas.Policy, error) {
-	if policy.ID == "" {
-		policy.ID = uuid.New().String()
-	}
-	policy.Key = policy.ID
-	policy.CreatedAt = time.Now().Unix()
-	policy.UpdatedAt = time.Now().Unix()
-	insertQuery := fmt.Sprintf("INSERT INTO %s (id, name, description, type, logic, decision_strategy, created_at, updated_at) VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
-		KeySpace+"."+schemas.Collections.Policy)
-	err := p.db.Query(insertQuery, policy.ID, policy.Name, policy.Description, policy.Type, policy.Logic, policy.DecisionStrategy, policy.CreatedAt, policy.UpdatedAt).Exec()
-	if err != nil {
-		return nil, err
-	}
-	return policy, nil
-}
-
-// UpdatePolicy updates an existing authorization policy.
-func (p *provider) UpdatePolicy(ctx context.Context, policy *schemas.Policy) (*schemas.Policy, error) {
-	policy.UpdatedAt = time.Now().Unix()
-	bytes, err := json.Marshal(policy)
-	if err != nil {
-		return nil, err
-	}
-	decoder := json.NewDecoder(strings.NewReader(string(bytes)))
-	decoder.UseNumber()
-	policyMap := map[string]interface{}{}
-	err = decoder.Decode(&policyMap)
-	if err != nil {
-		return nil, err
-	}
-	convertMapValues(policyMap)
-	updateFields := ""
-	var updateValues []interface{}
-	for key, value := range policyMap {
-		if key == "_id" || key == "_key" || key == "id" || key == "key" {
-			continue
-		}
-		if value == nil {
-			updateFields += fmt.Sprintf("%s = null,", key)
-			continue
-		}
-		updateFields += fmt.Sprintf("%s = ?, ", key)
-		updateValues = append(updateValues, value)
-	}
-	updateFields = strings.Trim(updateFields, " ")
-	updateFields = strings.TrimSuffix(updateFields, ",")
-	updateValues = append(updateValues, policy.ID)
-	query := fmt.Sprintf("UPDATE %s SET %s WHERE id = ?", KeySpace+"."+schemas.Collections.Policy, updateFields)
-	err = p.db.Query(query, updateValues...).Exec()
-	if err != nil {
-		return nil, err
-	}
-	return policy, nil
-}
-
-// DeletePolicy deletes an authorization policy by ID.
-// Returns an error if any permission_policy references this policy.
-// Cascade-deletes associated policy targets.
-func (p *provider) DeletePolicy(ctx context.Context, id string) error {
-	// Check for referencing permission_policies
-	var count int64
-	countQuery := fmt.Sprintf("SELECT COUNT(*) FROM %s WHERE policy_id = ? ALLOW FILTERING", KeySpace+"."+schemas.Collections.PermissionPolicy)
-	err := p.db.Query(countQuery, id).Consistency(gocql.One).Scan(&count)
-	if err != nil {
-		return err
-	}
-	if count > 0 {
-		return fmt.Errorf("cannot delete policy: %d permission_policy(s) reference it", count)
-	}
-	// Cascade-delete policy targets
-	getTargetsQuery := fmt.Sprintf("SELECT id FROM %s WHERE policy_id = ? ALLOW FILTERING", KeySpace+"."+schemas.Collections.PolicyTarget)
-	scanner := p.db.Query(getTargetsQuery, id).Iter().Scanner()
-	var targetIDs []string
-	for scanner.Next() {
-		var targetID string
-		err = scanner.Scan(&targetID)
-		if err != nil {
-			return err
-		}
-		targetIDs = append(targetIDs, targetID)
-	}
-	if len(targetIDs) > 0 {
-		placeholders := strings.Repeat("?,", len(targetIDs))
-		placeholders = strings.TrimSuffix(placeholders, ",")
-		deleteValues := make([]interface{}, len(targetIDs))
-		for i, tid := range targetIDs {
-			deleteValues[i] = tid
-		}
-		deleteTargetsQuery := fmt.Sprintf("DELETE FROM %s WHERE id IN (%s)", KeySpace+"."+schemas.Collections.PolicyTarget, placeholders)
-		err = p.db.Query(deleteTargetsQuery, deleteValues...).Exec()
-		if err != nil {
-			return err
-		}
-	}
-	// Delete the policy itself
-	query := fmt.Sprintf("DELETE FROM %s WHERE id = ?", KeySpace+"."+schemas.Collections.Policy)
-	err = p.db.Query(query, id).Exec()
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-// GetPolicyByID returns an authorization policy by its ID.
-func (p *provider) GetPolicyByID(ctx context.Context, id string) (*schemas.Policy, error) {
-	var policy schemas.Policy
-	query := fmt.Sprintf("SELECT id, name, description, type, logic, decision_strategy, created_at, updated_at FROM %s WHERE id = ? LIMIT 1",
-		KeySpace+"."+schemas.Collections.Policy)
-	err := p.db.Query(query, id).Consistency(gocql.One).Scan(
-		&policy.ID, &policy.Name, &policy.Description, &policy.Type, &policy.Logic, &policy.DecisionStrategy, &policy.CreatedAt, &policy.UpdatedAt)
-	if err != nil {
-		return nil, err
-	}
-	return &policy, nil
-}
-
-// ListPolicies returns a paginated list of authorization policies.
-func (p *provider) ListPolicies(ctx context.Context, pagination *model.Pagination) ([]*schemas.Policy, *model.Pagination, error) {
-	policies := []*schemas.Policy{}
-	paginationClone := *pagination
-	totalCountQuery := fmt.Sprintf("SELECT COUNT(*) FROM %s", KeySpace+"."+schemas.Collections.Policy)
-	err := p.db.Query(totalCountQuery).Consistency(gocql.One).Scan(&paginationClone.Total)
-	if err != nil {
-		return nil, nil, err
-	}
-	query := fmt.Sprintf("SELECT id, name, description, type, logic, decision_strategy, created_at, updated_at FROM %s LIMIT %d",
-		KeySpace+"."+schemas.Collections.Policy, pagination.Limit+pagination.Offset)
-	scanner := p.db.Query(query).Iter().Scanner()
-	counter := int64(0)
-	for scanner.Next() {
-		if counter >= pagination.Offset {
-			var policy schemas.Policy
-			err := scanner.Scan(&policy.ID, &policy.Name, &policy.Description, &policy.Type, &policy.Logic, &policy.DecisionStrategy, &policy.CreatedAt, &policy.UpdatedAt)
-			if err != nil {
-				return nil, nil, err
-			}
-			policies = append(policies, &policy)
-		}
-		counter++
-	}
-	return policies, &paginationClone, nil
-}
-
-// AddPolicyTarget adds a target (role name or user ID) to a policy.
-func (p *provider) AddPolicyTarget(ctx context.Context, target *schemas.PolicyTarget) (*schemas.PolicyTarget, error) {
-	if target.ID == "" {
-		target.ID = uuid.New().String()
-	}
-	target.Key = target.ID
-	target.CreatedAt = time.Now().Unix()
-	insertQuery := fmt.Sprintf("INSERT INTO %s (id, policy_id, target_type, target_value, created_at) VALUES (?, ?, ?, ?, ?)",
-		KeySpace+"."+schemas.Collections.PolicyTarget)
-	err := p.db.Query(insertQuery, target.ID, target.PolicyID, target.TargetType, target.TargetValue, target.CreatedAt).Exec()
-	if err != nil {
-		return nil, err
-	}
-	return target, nil
-}
-
-// DeletePolicyTargetsByPolicyID removes all targets for a policy.
-func (p *provider) DeletePolicyTargetsByPolicyID(ctx context.Context, policyID string) error {
-	getTargetsQuery := fmt.Sprintf("SELECT id FROM %s WHERE policy_id = ? ALLOW FILTERING", KeySpace+"."+schemas.Collections.PolicyTarget)
-	scanner := p.db.Query(getTargetsQuery, policyID).Iter().Scanner()
-	var targetIDs []string
-	for scanner.Next() {
-		var targetID string
-		err := scanner.Scan(&targetID)
-		if err != nil {
-			return err
-		}
-		targetIDs = append(targetIDs, targetID)
-	}
-	if len(targetIDs) > 0 {
-		placeholders := strings.Repeat("?,", len(targetIDs))
-		placeholders = strings.TrimSuffix(placeholders, ",")
-		deleteValues := make([]interface{}, len(targetIDs))
-		for i, tid := range targetIDs {
-			deleteValues[i] = tid
-		}
-		query := fmt.Sprintf("DELETE FROM %s WHERE id IN (%s)", KeySpace+"."+schemas.Collections.PolicyTarget, placeholders)
-		err := p.db.Query(query, deleteValues...).Exec()
-		if err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-// GetPolicyTargets returns all targets for a policy.
-func (p *provider) GetPolicyTargets(ctx context.Context, policyID string) ([]*schemas.PolicyTarget, error) {
-	targets := []*schemas.PolicyTarget{}
-	query := fmt.Sprintf("SELECT id, policy_id, target_type, target_value, created_at FROM %s WHERE policy_id = ? ALLOW FILTERING",
-		KeySpace+"."+schemas.Collections.PolicyTarget)
-	scanner := p.db.Query(query, policyID).Iter().Scanner()
-	for scanner.Next() {
-		var target schemas.PolicyTarget
-		err := scanner.Scan(&target.ID, &target.PolicyID, &target.TargetType, &target.TargetValue, &target.CreatedAt)
-		if err != nil {
-			return nil, err
-		}
-		targets = append(targets, &target)
-	}
-	return targets, nil
-}
diff --git a/internal/storage/db/cassandradb/provider.go b/internal/storage/db/cassandradb/provider.go
index 9e621b32..ff7aa371 100644
--- a/internal/storage/db/cassandradb/provider.go
+++ b/internal/storage/db/cassandradb/provider.go
@@ -366,110 +366,6 @@ func NewProvider(cfg *config.Config, deps *Dependencies) (*provider, error) {
 		return nil, err
 	}
 
-	// Resource table
-	resourceCollectionQuery := fmt.Sprintf("CREATE TABLE IF NOT EXISTS %s.%s (id text, name text, description text, created_at bigint, updated_at bigint, PRIMARY KEY (id))", KeySpace, schemas.Collections.Resource)
-	err = session.Query(resourceCollectionQuery).Exec()
-	if err != nil {
-		return nil, err
-	}
-	resourceNameIndex := fmt.Sprintf("CREATE INDEX IF NOT EXISTS authorizer_resource_name ON %s.%s (name)", KeySpace, schemas.Collections.Resource)
-	err = session.Query(resourceNameIndex).Exec()
-	if err != nil {
-		return nil, err
-	}
-
-	// Scope table
-	scopeCollectionQuery := fmt.Sprintf("CREATE TABLE IF NOT EXISTS %s.%s (id text, name text, description text, created_at bigint, updated_at bigint, PRIMARY KEY (id))", KeySpace, schemas.Collections.Scope)
-	err = session.Query(scopeCollectionQuery).Exec()
-	if err != nil {
-		return nil, err
-	}
-	scopeNameIndex := fmt.Sprintf("CREATE INDEX IF NOT EXISTS authorizer_scope_name ON %s.%s (name)", KeySpace, schemas.Collections.Scope)
-	err = session.Query(scopeNameIndex).Exec()
-	if err != nil {
-		return nil, err
-	}
-
-	// Policy table
-	policyCollectionQuery := fmt.Sprintf("CREATE TABLE IF NOT EXISTS %s.%s (id text, name text, description text, type text, logic text, decision_strategy text, created_at bigint, updated_at bigint, PRIMARY KEY (id))", KeySpace, schemas.Collections.Policy)
-	err = session.Query(policyCollectionQuery).Exec()
-	if err != nil {
-		return nil, err
-	}
-	policyNameIndex := fmt.Sprintf("CREATE INDEX IF NOT EXISTS authorizer_policy_name ON %s.%s (name)", KeySpace, schemas.Collections.Policy)
-	err = session.Query(policyNameIndex).Exec()
-	if err != nil {
-		return nil, err
-	}
-	policyTypeIndex := fmt.Sprintf("CREATE INDEX IF NOT EXISTS authorizer_policy_type ON %s.%s (type)", KeySpace, schemas.Collections.Policy)
-	err = session.Query(policyTypeIndex).Exec()
-	if err != nil {
-		return nil, err
-	}
-
-	// PolicyTarget table
-	policyTargetCollectionQuery := fmt.Sprintf("CREATE TABLE IF NOT EXISTS %s.%s (id text, policy_id text, target_type text, target_value text, created_at bigint, PRIMARY KEY (id))", KeySpace, schemas.Collections.PolicyTarget)
-	err = session.Query(policyTargetCollectionQuery).Exec()
-	if err != nil {
-		return nil, err
-	}
-	policyTargetPolicyIDIndex := fmt.Sprintf("CREATE INDEX IF NOT EXISTS authorizer_policy_target_policy_id ON %s.%s (policy_id)", KeySpace, schemas.Collections.PolicyTarget)
-	err = session.Query(policyTargetPolicyIDIndex).Exec()
-	if err != nil {
-		return nil, err
-	}
-
-	// Permission table
-	permissionCollectionQuery := fmt.Sprintf("CREATE TABLE IF NOT EXISTS %s.%s (id text, name text, description text, resource_id text, decision_strategy text, created_at bigint, updated_at bigint, PRIMARY KEY (id))", KeySpace, schemas.Collections.Permission)
-	err = session.Query(permissionCollectionQuery).Exec()
-	if err != nil {
-		return nil, err
-	}
-	permissionNameIndex := fmt.Sprintf("CREATE INDEX IF NOT EXISTS authorizer_permission_name ON %s.%s (name)", KeySpace, schemas.Collections.Permission)
-	err = session.Query(permissionNameIndex).Exec()
-	if err != nil {
-		return nil, err
-	}
-	permissionResourceIDIndex := fmt.Sprintf("CREATE INDEX IF NOT EXISTS authorizer_permission_resource_id ON %s.%s (resource_id)", KeySpace, schemas.Collections.Permission)
-	err = session.Query(permissionResourceIDIndex).Exec()
-	if err != nil {
-		return nil, err
-	}
-
-	// PermissionScope join table
-	permissionScopeCollectionQuery := fmt.Sprintf("CREATE TABLE IF NOT EXISTS %s.%s (id text, permission_id text, scope_id text, created_at bigint, PRIMARY KEY (id))", KeySpace, schemas.Collections.PermissionScope)
-	err = session.Query(permissionScopeCollectionQuery).Exec()
-	if err != nil {
-		return nil, err
-	}
-	permissionScopePermIDIndex := fmt.Sprintf("CREATE INDEX IF NOT EXISTS authorizer_permission_scope_permission_id ON %s.%s (permission_id)", KeySpace, schemas.Collections.PermissionScope)
-	err = session.Query(permissionScopePermIDIndex).Exec()
-	if err != nil {
-		return nil, err
-	}
-	permissionScopeScopeIDIndex := fmt.Sprintf("CREATE INDEX IF NOT EXISTS authorizer_permission_scope_scope_id ON %s.%s (scope_id)", KeySpace, schemas.Collections.PermissionScope)
-	err = session.Query(permissionScopeScopeIDIndex).Exec()
-	if err != nil {
-		return nil, err
-	}
-
-	// PermissionPolicy join table
-	permissionPolicyCollectionQuery := fmt.Sprintf("CREATE TABLE IF NOT EXISTS %s.%s (id text, permission_id text, policy_id text, created_at bigint, PRIMARY KEY (id))", KeySpace, schemas.Collections.PermissionPolicy)
-	err = session.Query(permissionPolicyCollectionQuery).Exec()
-	if err != nil {
-		return nil, err
-	}
-	permissionPolicyPermIDIndex := fmt.Sprintf("CREATE INDEX IF NOT EXISTS authorizer_permission_policy_permission_id ON %s.%s (permission_id)", KeySpace, schemas.Collections.PermissionPolicy)
-	err = session.Query(permissionPolicyPermIDIndex).Exec()
-	if err != nil {
-		return nil, err
-	}
-	permissionPolicyPolicyIDIndex := fmt.Sprintf("CREATE INDEX IF NOT EXISTS authorizer_permission_policy_policy_id ON %s.%s (policy_id)", KeySpace, schemas.Collections.PermissionPolicy)
-	err = session.Query(permissionPolicyPolicyIDIndex).Exec()
-	if err != nil {
-		return nil, err
-	}
-
 	return &provider{
 		config:       cfg,
 		dependencies: deps,
diff --git a/internal/storage/db/cassandradb/resource.go b/internal/storage/db/cassandradb/resource.go
deleted file mode 100644
index 7407287b..00000000
--- a/internal/storage/db/cassandradb/resource.go
+++ /dev/null
@@ -1,144 +0,0 @@
-package cassandradb
-
-import (
-	"context"
-	"encoding/json"
-	"fmt"
-	"strings"
-	"time"
-
-	"github.com/gocql/gocql"
-	"github.com/google/uuid"
-
-	"github.com/authorizerdev/authorizer/internal/graph/model"
-	"github.com/authorizerdev/authorizer/internal/storage/schemas"
-)
-
-// AddResource creates a new authorization resource.
-func (p *provider) AddResource(ctx context.Context, resource *schemas.Resource) (*schemas.Resource, error) {
-	if resource.ID == "" {
-		resource.ID = uuid.New().String()
-	}
-	resource.Key = resource.ID
-	resource.CreatedAt = time.Now().Unix()
-	resource.UpdatedAt = time.Now().Unix()
-	insertQuery := fmt.Sprintf("INSERT INTO %s (id, name, description, created_at, updated_at) VALUES (?, ?, ?, ?, ?)",
-		KeySpace+"."+schemas.Collections.Resource)
-	err := p.db.Query(insertQuery, resource.ID, resource.Name, resource.Description, resource.CreatedAt, resource.UpdatedAt).Exec()
-	if err != nil {
-		return nil, err
-	}
-	return resource, nil
-}
-
-// UpdateResource updates an existing authorization resource.
-func (p *provider) UpdateResource(ctx context.Context, resource *schemas.Resource) (*schemas.Resource, error) {
-	resource.UpdatedAt = time.Now().Unix()
-	bytes, err := json.Marshal(resource)
-	if err != nil {
-		return nil, err
-	}
-	decoder := json.NewDecoder(strings.NewReader(string(bytes)))
-	decoder.UseNumber()
-	resourceMap := map[string]interface{}{}
-	err = decoder.Decode(&resourceMap)
-	if err != nil {
-		return nil, err
-	}
-	convertMapValues(resourceMap)
-	updateFields := ""
-	var updateValues []interface{}
-	for key, value := range resourceMap {
-		if key == "_id" || key == "_key" || key == "id" || key == "key" {
-			continue
-		}
-		if value == nil {
-			updateFields += fmt.Sprintf("%s = null,", key)
-			continue
-		}
-		updateFields += fmt.Sprintf("%s = ?, ", key)
-		updateValues = append(updateValues, value)
-	}
-	updateFields = strings.Trim(updateFields, " ")
-	updateFields = strings.TrimSuffix(updateFields, ",")
-	updateValues = append(updateValues, resource.ID)
-	query := fmt.Sprintf("UPDATE %s SET %s WHERE id = ?", KeySpace+"."+schemas.Collections.Resource, updateFields)
-	err = p.db.Query(query, updateValues...).Exec()
-	if err != nil {
-		return nil, err
-	}
-	return resource, nil
-}
-
-// DeleteResource deletes an authorization resource by ID.
-// Returns an error if any permission references this resource.
-func (p *provider) DeleteResource(ctx context.Context, id string) error {
-	var count int64
-	countQuery := fmt.Sprintf("SELECT COUNT(*) FROM %s WHERE resource_id = ? ALLOW FILTERING", KeySpace+"."+schemas.Collections.Permission)
-	err := p.db.Query(countQuery, id).Consistency(gocql.One).Scan(&count)
-	if err != nil {
-		return err
-	}
-	if count > 0 {
-		return fmt.Errorf("cannot delete resource: %d permission(s) reference it", count)
-	}
-	query := fmt.Sprintf("DELETE FROM %s WHERE id = ?", KeySpace+"."+schemas.Collections.Resource)
-	err = p.db.Query(query, id).Exec()
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-// GetResourceByID returns an authorization resource by its ID.
-func (p *provider) GetResourceByID(ctx context.Context, id string) (*schemas.Resource, error) {
-	var resource schemas.Resource
-	query := fmt.Sprintf("SELECT id, name, description, created_at, updated_at FROM %s WHERE id = ? LIMIT 1",
-		KeySpace+"."+schemas.Collections.Resource)
-	err := p.db.Query(query, id).Consistency(gocql.One).Scan(
-		&resource.ID, &resource.Name, &resource.Description, &resource.CreatedAt, &resource.UpdatedAt)
-	if err != nil {
-		return nil, err
-	}
-	return &resource, nil
-}
-
-// GetResourceByName returns an authorization resource by its unique name.
-func (p *provider) GetResourceByName(ctx context.Context, name string) (*schemas.Resource, error) {
-	var resource schemas.Resource
-	query := fmt.Sprintf("SELECT id, name, description, created_at, updated_at FROM %s WHERE name = ? LIMIT 1 ALLOW FILTERING",
-		KeySpace+"."+schemas.Collections.Resource)
-	err := p.db.Query(query, name).Consistency(gocql.One).Scan(
-		&resource.ID, &resource.Name, &resource.Description, &resource.CreatedAt, &resource.UpdatedAt)
-	if err != nil {
-		return nil, err
-	}
-	return &resource, nil
-}
-
-// ListResources returns a paginated list of authorization resources.
-func (p *provider) ListResources(ctx context.Context, pagination *model.Pagination) ([]*schemas.Resource, *model.Pagination, error) {
-	resources := []*schemas.Resource{}
-	paginationClone := *pagination
-	totalCountQuery := fmt.Sprintf("SELECT COUNT(*) FROM %s", KeySpace+"."+schemas.Collections.Resource)
-	err := p.db.Query(totalCountQuery).Consistency(gocql.One).Scan(&paginationClone.Total)
-	if err != nil {
-		return nil, nil, err
-	}
-	query := fmt.Sprintf("SELECT id, name, description, created_at, updated_at FROM %s LIMIT %d",
-		KeySpace+"."+schemas.Collections.Resource, pagination.Limit+pagination.Offset)
-	scanner := p.db.Query(query).Iter().Scanner()
-	counter := int64(0)
-	for scanner.Next() {
-		if counter >= pagination.Offset {
-			var resource schemas.Resource
-			err := scanner.Scan(&resource.ID, &resource.Name, &resource.Description, &resource.CreatedAt, &resource.UpdatedAt)
-			if err != nil {
-				return nil, nil, err
-			}
-			resources = append(resources, &resource)
-		}
-		counter++
-	}
-	return resources, &paginationClone, nil
-}
diff --git a/internal/storage/db/cassandradb/scope.go b/internal/storage/db/cassandradb/scope.go
deleted file mode 100644
index f6b56d0a..00000000
--- a/internal/storage/db/cassandradb/scope.go
+++ /dev/null
@@ -1,144 +0,0 @@
-package cassandradb
-
-import (
-	"context"
-	"encoding/json"
-	"fmt"
-	"strings"
-	"time"
-
-	"github.com/gocql/gocql"
-	"github.com/google/uuid"
-
-	"github.com/authorizerdev/authorizer/internal/graph/model"
-	"github.com/authorizerdev/authorizer/internal/storage/schemas"
-)
-
-// AddScope creates a new authorization scope.
-func (p *provider) AddScope(ctx context.Context, scope *schemas.Scope) (*schemas.Scope, error) {
-	if scope.ID == "" {
-		scope.ID = uuid.New().String()
-	}
-	scope.Key = scope.ID
-	scope.CreatedAt = time.Now().Unix()
-	scope.UpdatedAt = time.Now().Unix()
-	insertQuery := fmt.Sprintf("INSERT INTO %s (id, name, description, created_at, updated_at) VALUES (?, ?, ?, ?, ?)",
-		KeySpace+"."+schemas.Collections.Scope)
-	err := p.db.Query(insertQuery, scope.ID, scope.Name, scope.Description, scope.CreatedAt, scope.UpdatedAt).Exec()
-	if err != nil {
-		return nil, err
-	}
-	return scope, nil
-}
-
-// UpdateScope updates an existing authorization scope.
-func (p *provider) UpdateScope(ctx context.Context, scope *schemas.Scope) (*schemas.Scope, error) {
-	scope.UpdatedAt = time.Now().Unix()
-	bytes, err := json.Marshal(scope)
-	if err != nil {
-		return nil, err
-	}
-	decoder := json.NewDecoder(strings.NewReader(string(bytes)))
-	decoder.UseNumber()
-	scopeMap := map[string]interface{}{}
-	err = decoder.Decode(&scopeMap)
-	if err != nil {
-		return nil, err
-	}
-	convertMapValues(scopeMap)
-	updateFields := ""
-	var updateValues []interface{}
-	for key, value := range scopeMap {
-		if key == "_id" || key == "_key" || key == "id" || key == "key" {
-			continue
-		}
-		if value == nil {
-			updateFields += fmt.Sprintf("%s = null,", key)
-			continue
-		}
-		updateFields += fmt.Sprintf("%s = ?, ", key)
-		updateValues = append(updateValues, value)
-	}
-	updateFields = strings.Trim(updateFields, " ")
-	updateFields = strings.TrimSuffix(updateFields, ",")
-	updateValues = append(updateValues, scope.ID)
-	query := fmt.Sprintf("UPDATE %s SET %s WHERE id = ?", KeySpace+"."+schemas.Collections.Scope, updateFields)
-	err = p.db.Query(query, updateValues...).Exec()
-	if err != nil {
-		return nil, err
-	}
-	return scope, nil
-}
-
-// DeleteScope deletes an authorization scope by ID.
-// Returns an error if any permission_scope references this scope.
-func (p *provider) DeleteScope(ctx context.Context, id string) error {
-	var count int64
-	countQuery := fmt.Sprintf("SELECT COUNT(*) FROM %s WHERE scope_id = ? ALLOW FILTERING", KeySpace+"."+schemas.Collections.PermissionScope)
-	err := p.db.Query(countQuery, id).Consistency(gocql.One).Scan(&count)
-	if err != nil {
-		return err
-	}
-	if count > 0 {
-		return fmt.Errorf("cannot delete scope: %d permission_scope(s) reference it", count)
-	}
-	query := fmt.Sprintf("DELETE FROM %s WHERE id = ?", KeySpace+"."+schemas.Collections.Scope)
-	err = p.db.Query(query, id).Exec()
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-// GetScopeByID returns an authorization scope by its ID.
-func (p *provider) GetScopeByID(ctx context.Context, id string) (*schemas.Scope, error) {
-	var scope schemas.Scope
-	query := fmt.Sprintf("SELECT id, name, description, created_at, updated_at FROM %s WHERE id = ? LIMIT 1",
-		KeySpace+"."+schemas.Collections.Scope)
-	err := p.db.Query(query, id).Consistency(gocql.One).Scan(
-		&scope.ID, &scope.Name, &scope.Description, &scope.CreatedAt, &scope.UpdatedAt)
-	if err != nil {
-		return nil, err
-	}
-	return &scope, nil
-}
-
-// GetScopeByName returns an authorization scope by its unique name.
-func (p *provider) GetScopeByName(ctx context.Context, name string) (*schemas.Scope, error) {
-	var scope schemas.Scope
-	query := fmt.Sprintf("SELECT id, name, description, created_at, updated_at FROM %s WHERE name = ? LIMIT 1 ALLOW FILTERING",
-		KeySpace+"."+schemas.Collections.Scope)
-	err := p.db.Query(query, name).Consistency(gocql.One).Scan(
-		&scope.ID, &scope.Name, &scope.Description, &scope.CreatedAt, &scope.UpdatedAt)
-	if err != nil {
-		return nil, err
-	}
-	return &scope, nil
-}
-
-// ListScopes returns a paginated list of authorization scopes.
-func (p *provider) ListScopes(ctx context.Context, pagination *model.Pagination) ([]*schemas.Scope, *model.Pagination, error) {
-	scopes := []*schemas.Scope{}
-	paginationClone := *pagination
-	totalCountQuery := fmt.Sprintf("SELECT COUNT(*) FROM %s", KeySpace+"."+schemas.Collections.Scope)
-	err := p.db.Query(totalCountQuery).Consistency(gocql.One).Scan(&paginationClone.Total)
-	if err != nil {
-		return nil, nil, err
-	}
-	query := fmt.Sprintf("SELECT id, name, description, created_at, updated_at FROM %s LIMIT %d",
-		KeySpace+"."+schemas.Collections.Scope, pagination.Limit+pagination.Offset)
-	scanner := p.db.Query(query).Iter().Scanner()
-	counter := int64(0)
-	for scanner.Next() {
-		if counter >= pagination.Offset {
-			var scope schemas.Scope
-			err := scanner.Scan(&scope.ID, &scope.Name, &scope.Description, &scope.CreatedAt, &scope.UpdatedAt)
-			if err != nil {
-				return nil, nil, err
-			}
-			scopes = append(scopes, &scope)
-		}
-		counter++
-	}
-	return scopes, &paginationClone, nil
-}
diff --git a/internal/storage/db/couchbase/permission.go b/internal/storage/db/couchbase/permission.go
deleted file mode 100644
index 5900a5ee..00000000
--- a/internal/storage/db/couchbase/permission.go
+++ /dev/null
@@ -1,429 +0,0 @@
-package couchbase
-
-import (
-	"context"
-	"encoding/json"
-	"fmt"
-	"log"
-	"strings"
-	"time"
-
-	"github.com/couchbase/gocb/v2"
-	"github.com/google/uuid"
-
-	"github.com/authorizerdev/authorizer/internal/graph/model"
-	"github.com/authorizerdev/authorizer/internal/storage/schemas"
-)
-
-// AddPermission creates a new authorization permission.
-func (p *provider) AddPermission(ctx context.Context, permission *schemas.Permission) (*schemas.Permission, error) {
-	if permission.ID == "" {
-		permission.ID = uuid.New().String()
-	}
-	permission.Key = permission.ID
-	permission.CreatedAt = time.Now().Unix()
-	permission.UpdatedAt = time.Now().Unix()
-	insertOpt := gocb.InsertOptions{
-		Context: ctx,
-	}
-	_, err := p.db.Collection(schemas.Collections.Permission).Insert(permission.ID, permission, &insertOpt)
-	if err != nil {
-		return nil, err
-	}
-	return permission, nil
-}
-
-// UpdatePermission updates an existing authorization permission.
-func (p *provider) UpdatePermission(ctx context.Context, permission *schemas.Permission) (*schemas.Permission, error) {
-	permission.UpdatedAt = time.Now().Unix()
-	bytes, err := json.Marshal(permission)
-	if err != nil {
-		return nil, err
-	}
-	decoder := json.NewDecoder(strings.NewReader(string(bytes)))
-	decoder.UseNumber()
-	permissionMap := map[string]interface{}{}
-	err = decoder.Decode(&permissionMap)
-	if err != nil {
-		return nil, err
-	}
-	updateFields, params := GetSetFields(permissionMap)
-	params["id"] = permission.ID
-	query := fmt.Sprintf(`UPDATE %s.%s SET %s WHERE id=$id`, p.scopeName, schemas.Collections.Permission, updateFields)
-	_, err = p.db.Query(query, &gocb.QueryOptions{
-		Context:         ctx,
-		ScanConsistency: gocb.QueryScanConsistencyRequestPlus,
-		NamedParameters: params,
-	})
-	if err != nil {
-		return nil, err
-	}
-	return permission, nil
-}
-
-// DeletePermission deletes an authorization permission by ID.
-// Cascade-deletes associated permission_scopes and permission_policies.
-func (p *provider) DeletePermission(ctx context.Context, id string) error {
-	params := make(map[string]interface{}, 1)
-	params["permission_id"] = id
-	// Cascade-delete permission_scopes
-	scopeQuery := fmt.Sprintf(`DELETE FROM %s.%s WHERE permission_id=$permission_id`, p.scopeName, schemas.Collections.PermissionScope)
-	_, err := p.db.Query(scopeQuery, &gocb.QueryOptions{
-		Context:         ctx,
-		ScanConsistency: gocb.QueryScanConsistencyRequestPlus,
-		NamedParameters: params,
-	})
-	if err != nil {
-		return err
-	}
-	// Cascade-delete permission_policies
-	policyQuery := fmt.Sprintf(`DELETE FROM %s.%s WHERE permission_id=$permission_id`, p.scopeName, schemas.Collections.PermissionPolicy)
-	_, err = p.db.Query(policyQuery, &gocb.QueryOptions{
-		Context:         ctx,
-		ScanConsistency: gocb.QueryScanConsistencyRequestPlus,
-		NamedParameters: params,
-	})
-	if err != nil {
-		return err
-	}
-	removeOpt := gocb.RemoveOptions{
-		Context: ctx,
-	}
-	_, err = p.db.Collection(schemas.Collections.Permission).Remove(id, &removeOpt)
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-// GetPermissionByID returns an authorization permission by its ID.
-func (p *provider) GetPermissionByID(ctx context.Context, id string) (*schemas.Permission, error) {
-	var permission *schemas.Permission
-	params := make(map[string]interface{}, 1)
-	params["id"] = id
-	query := fmt.Sprintf(`SELECT id, name, description, resource_id, decision_strategy, created_at, updated_at FROM %s.%s WHERE id=$id LIMIT 1`, p.scopeName, schemas.Collections.Permission)
-	q, err := p.db.Query(query, &gocb.QueryOptions{
-		Context:         ctx,
-		ScanConsistency: gocb.QueryScanConsistencyRequestPlus,
-		NamedParameters: params,
-	})
-	if err != nil {
-		return nil, err
-	}
-	err = q.One(&permission)
-	if err != nil {
-		return nil, err
-	}
-	return permission, nil
-}
-
-// ListPermissions returns a paginated list of authorization permissions.
-func (p *provider) ListPermissions(ctx context.Context, pagination *model.Pagination) ([]*schemas.Permission, *model.Pagination, error) {
-	permissions := []*schemas.Permission{}
-	paginationClone := *pagination
-	params := make(map[string]interface{}, 1)
-	params["offset"] = paginationClone.Offset
-	params["limit"] = paginationClone.Limit
-	total, err := p.GetTotalDocs(ctx, schemas.Collections.Permission)
-	if err != nil {
-		return nil, nil, err
-	}
-	paginationClone.Total = total
-	query := fmt.Sprintf("SELECT id, name, description, resource_id, decision_strategy, created_at, updated_at FROM %s.%s ORDER BY created_at DESC OFFSET $offset LIMIT $limit", p.scopeName, schemas.Collections.Permission)
-	queryResult, err := p.db.Query(query, &gocb.QueryOptions{
-		Context:         ctx,
-		ScanConsistency: gocb.QueryScanConsistencyRequestPlus,
-		NamedParameters: params,
-	})
-	if err != nil {
-		return nil, nil, err
-	}
-	for queryResult.Next() {
-		var permission schemas.Permission
-		err := queryResult.Row(&permission)
-		if err != nil {
-			log.Fatal(err)
-		}
-		permissions = append(permissions, &permission)
-	}
-	if err := queryResult.Err(); err != nil {
-		return nil, nil, err
-	}
-	return permissions, &paginationClone, nil
-}
-
-// AddPermissionScope links a scope to a permission.
-func (p *provider) AddPermissionScope(ctx context.Context, ps *schemas.PermissionScope) (*schemas.PermissionScope, error) {
-	if ps.ID == "" {
-		ps.ID = uuid.New().String()
-	}
-	ps.Key = ps.ID
-	ps.CreatedAt = time.Now().Unix()
-	insertOpt := gocb.InsertOptions{
-		Context: ctx,
-	}
-	_, err := p.db.Collection(schemas.Collections.PermissionScope).Insert(ps.ID, ps, &insertOpt)
-	if err != nil {
-		return nil, err
-	}
-	return ps, nil
-}
-
-// DeletePermissionScopesByPermissionID removes all scope links for a permission.
-func (p *provider) DeletePermissionScopesByPermissionID(ctx context.Context, permissionID string) error {
-	params := make(map[string]interface{}, 1)
-	params["permission_id"] = permissionID
-	query := fmt.Sprintf(`DELETE FROM %s.%s WHERE permission_id=$permission_id`, p.scopeName, schemas.Collections.PermissionScope)
-	_, err := p.db.Query(query, &gocb.QueryOptions{
-		Context:         ctx,
-		ScanConsistency: gocb.QueryScanConsistencyRequestPlus,
-		NamedParameters: params,
-	})
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-// GetPermissionScopes returns all scope links for a permission.
-func (p *provider) GetPermissionScopes(ctx context.Context, permissionID string) ([]*schemas.PermissionScope, error) {
-	scopes := []*schemas.PermissionScope{}
-	params := make(map[string]interface{}, 1)
-	params["permission_id"] = permissionID
-	query := fmt.Sprintf(`SELECT id, permission_id, scope_id, created_at FROM %s.%s WHERE permission_id=$permission_id`, p.scopeName, schemas.Collections.PermissionScope)
-	queryResult, err := p.db.Query(query, &gocb.QueryOptions{
-		Context:         ctx,
-		ScanConsistency: gocb.QueryScanConsistencyRequestPlus,
-		NamedParameters: params,
-	})
-	if err != nil {
-		return nil, err
-	}
-	for queryResult.Next() {
-		var ps schemas.PermissionScope
-		err := queryResult.Row(&ps)
-		if err != nil {
-			log.Fatal(err)
-		}
-		scopes = append(scopes, &ps)
-	}
-	if err := queryResult.Err(); err != nil {
-		return nil, err
-	}
-	return scopes, nil
-}
-
-// AddPermissionPolicy links a policy to a permission.
-func (p *provider) AddPermissionPolicy(ctx context.Context, pp *schemas.PermissionPolicy) (*schemas.PermissionPolicy, error) {
-	if pp.ID == "" {
-		pp.ID = uuid.New().String()
-	}
-	pp.Key = pp.ID
-	pp.CreatedAt = time.Now().Unix()
-	insertOpt := gocb.InsertOptions{
-		Context: ctx,
-	}
-	_, err := p.db.Collection(schemas.Collections.PermissionPolicy).Insert(pp.ID, pp, &insertOpt)
-	if err != nil {
-		return nil, err
-	}
-	return pp, nil
-}
-
-// DeletePermissionPoliciesByPermissionID removes all policy links for a permission.
-func (p *provider) DeletePermissionPoliciesByPermissionID(ctx context.Context, permissionID string) error {
-	params := make(map[string]interface{}, 1)
-	params["permission_id"] = permissionID
-	query := fmt.Sprintf(`DELETE FROM %s.%s WHERE permission_id=$permission_id`, p.scopeName, schemas.Collections.PermissionPolicy)
-	_, err := p.db.Query(query, &gocb.QueryOptions{
-		Context:         ctx,
-		ScanConsistency: gocb.QueryScanConsistencyRequestPlus,
-		NamedParameters: params,
-	})
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-// GetPermissionPolicies returns all policy links for a permission.
-func (p *provider) GetPermissionPolicies(ctx context.Context, permissionID string) ([]*schemas.PermissionPolicy, error) {
-	policies := []*schemas.PermissionPolicy{}
-	params := make(map[string]interface{}, 1)
-	params["permission_id"] = permissionID
-	query := fmt.Sprintf(`SELECT id, permission_id, policy_id, created_at FROM %s.%s WHERE permission_id=$permission_id`, p.scopeName, schemas.Collections.PermissionPolicy)
-	queryResult, err := p.db.Query(query, &gocb.QueryOptions{
-		Context:         ctx,
-		ScanConsistency: gocb.QueryScanConsistencyRequestPlus,
-		NamedParameters: params,
-	})
-	if err != nil {
-		return nil, err
-	}
-	for queryResult.Next() {
-		var pp schemas.PermissionPolicy
-		err := queryResult.Row(&pp)
-		if err != nil {
-			log.Fatal(err)
-		}
-		policies = append(policies, &pp)
-	}
-	if err := queryResult.Err(); err != nil {
-		return nil, err
-	}
-	return policies, nil
-}
-
-// GetPermissionsForResourceScope returns all permissions (with their policies and targets)
-// that match a given resource name and scope name. This is the hot-path query used by
-// the evaluation engine. Uses sequential queries for clarity.
-func (p *provider) GetPermissionsForResourceScope(ctx context.Context, resourceName string, scopeName string) ([]*schemas.PermissionWithPolicies, error) {
-	// 1. Find resource by name
-	resource, err := p.GetResourceByName(ctx, resourceName)
-	if err != nil {
-		return nil, err
-	}
-
-	// 2. Find scope by name
-	scope, err := p.GetScopeByName(ctx, scopeName)
-	if err != nil {
-		return nil, err
-	}
-
-	// 3. Find permissions for this resource
-	permParams := make(map[string]interface{}, 1)
-	permParams["resource_id"] = resource.ID
-	permQuery := fmt.Sprintf(`SELECT id, name, description, resource_id, decision_strategy, created_at, updated_at FROM %s.%s WHERE resource_id=$resource_id`, p.scopeName, schemas.Collections.Permission)
-	permResult, err := p.db.Query(permQuery, &gocb.QueryOptions{
-		Context:         ctx,
-		ScanConsistency: gocb.QueryScanConsistencyRequestPlus,
-		NamedParameters: permParams,
-	})
-	if err != nil {
-		return nil, err
-	}
-	var permissions []schemas.Permission
-	for permResult.Next() {
-		var perm schemas.Permission
-		if err := permResult.Row(&perm); err != nil {
-			return nil, err
-		}
-		permissions = append(permissions, perm)
-	}
-	if err := permResult.Err(); err != nil {
-		return nil, err
-	}
-
-	if len(permissions) == 0 {
-		return nil, nil
-	}
-
-	// 4. For each permission, check if it has the requested scope
-	var result []*schemas.PermissionWithPolicies
-
-	for _, perm := range permissions {
-		// Check if this permission has the requested scope
-		scopeCheckParams := make(map[string]interface{}, 2)
-		scopeCheckParams["permission_id"] = perm.ID
-		scopeCheckParams["scope_id"] = scope.ID
-		scopeCountQuery := fmt.Sprintf(`SELECT COUNT(*) as Total FROM %s.%s WHERE permission_id=$permission_id AND scope_id=$scope_id`, p.scopeName, schemas.Collections.PermissionScope)
-		scopeCountResult, err := p.db.Query(scopeCountQuery, &gocb.QueryOptions{
-			Context:         ctx,
-			ScanConsistency: gocb.QueryScanConsistencyRequestPlus,
-			NamedParameters: scopeCheckParams,
-		})
-		if err != nil {
-			return nil, err
-		}
-		var countDocs TotalDocs
-		err = scopeCountResult.One(&countDocs)
-		if err != nil {
-			return nil, err
-		}
-		if countDocs.Total == 0 {
-			continue
-		}
-
-		// 5. Find permission_policies for this permission
-		ppParams := make(map[string]interface{}, 1)
-		ppParams["permission_id"] = perm.ID
-		ppQuery := fmt.Sprintf(`SELECT id, permission_id, policy_id, created_at FROM %s.%s WHERE permission_id=$permission_id`, p.scopeName, schemas.Collections.PermissionPolicy)
-		ppResult, err := p.db.Query(ppQuery, &gocb.QueryOptions{
-			Context:         ctx,
-			ScanConsistency: gocb.QueryScanConsistencyRequestPlus,
-			NamedParameters: ppParams,
-		})
-		if err != nil {
-			return nil, err
-		}
-		var permPolicies []schemas.PermissionPolicy
-		for ppResult.Next() {
-			var pp schemas.PermissionPolicy
-			if err := ppResult.Row(&pp); err != nil {
-				return nil, err
-			}
-			permPolicies = append(permPolicies, pp)
-		}
-		if err := ppResult.Err(); err != nil {
-			return nil, err
-		}
-
-		if len(permPolicies) == 0 {
-			continue
-		}
-
-		// 6. For each permission_policy, resolve the policy and its targets
-		var policiesWithTargets []schemas.PolicyWithTargets
-		for _, pp := range permPolicies {
-			policy, err := p.GetPolicyByID(ctx, pp.PolicyID)
-			if err != nil {
-				return nil, err
-			}
-
-			// Get targets for this policy
-			targetParams := make(map[string]interface{}, 1)
-			targetParams["policy_id"] = policy.ID
-			targetQuery := fmt.Sprintf(`SELECT id, policy_id, target_type, target_value, created_at FROM %s.%s WHERE policy_id=$policy_id`, p.scopeName, schemas.Collections.PolicyTarget)
-			targetResult, err := p.db.Query(targetQuery, &gocb.QueryOptions{
-				Context:         ctx,
-				ScanConsistency: gocb.QueryScanConsistencyRequestPlus,
-				NamedParameters: targetParams,
-			})
-			if err != nil {
-				return nil, err
-			}
-			var targets []schemas.PolicyTargetView
-			for targetResult.Next() {
-				var target schemas.PolicyTarget
-				if err := targetResult.Row(&target); err != nil {
-					return nil, err
-				}
-				targets = append(targets, schemas.PolicyTargetView{
-					TargetType:  target.TargetType,
-					TargetValue: target.TargetValue,
-				})
-			}
-			if err := targetResult.Err(); err != nil {
-				return nil, err
-			}
-
-			policiesWithTargets = append(policiesWithTargets, schemas.PolicyWithTargets{
-				PolicyID:         policy.ID,
-				PolicyName:       policy.Name,
-				Type:             policy.Type,
-				Logic:            policy.Logic,
-				DecisionStrategy: policy.DecisionStrategy,
-				Targets:          targets,
-			})
-		}
-
-		result = append(result, &schemas.PermissionWithPolicies{
-			PermissionID:     perm.ID,
-			PermissionName:   perm.Name,
-			DecisionStrategy: perm.DecisionStrategy,
-			Policies:         policiesWithTargets,
-		})
-	}
-
-	return result, nil
-}
diff --git a/internal/storage/db/couchbase/policy.go b/internal/storage/db/couchbase/policy.go
deleted file mode 100644
index 87fed2d6..00000000
--- a/internal/storage/db/couchbase/policy.go
+++ /dev/null
@@ -1,223 +0,0 @@
-package couchbase
-
-import (
-	"context"
-	"encoding/json"
-	"fmt"
-	"log"
-	"strings"
-	"time"
-
-	"github.com/couchbase/gocb/v2"
-	"github.com/google/uuid"
-
-	"github.com/authorizerdev/authorizer/internal/graph/model"
-	"github.com/authorizerdev/authorizer/internal/storage/schemas"
-)
-
-// AddPolicy creates a new authorization policy.
-func (p *provider) AddPolicy(ctx context.Context, policy *schemas.Policy) (*schemas.Policy, error) {
-	if policy.ID == "" {
-		policy.ID = uuid.New().String()
-	}
-	policy.Key = policy.ID
-	policy.CreatedAt = time.Now().Unix()
-	policy.UpdatedAt = time.Now().Unix()
-	insertOpt := gocb.InsertOptions{
-		Context: ctx,
-	}
-	_, err := p.db.Collection(schemas.Collections.Policy).Insert(policy.ID, policy, &insertOpt)
-	if err != nil {
-		return nil, err
-	}
-	return policy, nil
-}
-
-// UpdatePolicy updates an existing authorization policy.
-func (p *provider) UpdatePolicy(ctx context.Context, policy *schemas.Policy) (*schemas.Policy, error) {
-	policy.UpdatedAt = time.Now().Unix()
-	bytes, err := json.Marshal(policy)
-	if err != nil {
-		return nil, err
-	}
-	decoder := json.NewDecoder(strings.NewReader(string(bytes)))
-	decoder.UseNumber()
-	policyMap := map[string]interface{}{}
-	err = decoder.Decode(&policyMap)
-	if err != nil {
-		return nil, err
-	}
-	updateFields, params := GetSetFields(policyMap)
-	params["id"] = policy.ID
-	query := fmt.Sprintf(`UPDATE %s.%s SET %s WHERE id=$id`, p.scopeName, schemas.Collections.Policy, updateFields)
-	_, err = p.db.Query(query, &gocb.QueryOptions{
-		Context:         ctx,
-		ScanConsistency: gocb.QueryScanConsistencyRequestPlus,
-		NamedParameters: params,
-	})
-	if err != nil {
-		return nil, err
-	}
-	return policy, nil
-}
-
-// DeletePolicy deletes an authorization policy by ID.
-// Returns an error if any permission_policy references this policy.
-// Cascade-deletes associated policy targets.
-func (p *provider) DeletePolicy(ctx context.Context, id string) error {
-	// Check for permission_policy references
-	params := make(map[string]interface{}, 1)
-	params["policy_id"] = id
-	query := fmt.Sprintf(`SELECT COUNT(*) as Total FROM %s.%s WHERE policy_id=$policy_id`, p.scopeName, schemas.Collections.PermissionPolicy)
-	queryResult, err := p.db.Query(query, &gocb.QueryOptions{
-		Context:         ctx,
-		ScanConsistency: gocb.QueryScanConsistencyRequestPlus,
-		NamedParameters: params,
-	})
-	if err != nil {
-		return err
-	}
-	var totalDocs TotalDocs
-	err = queryResult.One(&totalDocs)
-	if err != nil {
-		return err
-	}
-	if totalDocs.Total > 0 {
-		return fmt.Errorf("cannot delete policy: %d permission_policy(s) reference it", totalDocs.Total)
-	}
-	// Cascade-delete policy targets
-	deleteQuery := fmt.Sprintf(`DELETE FROM %s.%s WHERE policy_id=$policy_id`, p.scopeName, schemas.Collections.PolicyTarget)
-	_, err = p.db.Query(deleteQuery, &gocb.QueryOptions{
-		Context:         ctx,
-		ScanConsistency: gocb.QueryScanConsistencyRequestPlus,
-		NamedParameters: params,
-	})
-	if err != nil {
-		return err
-	}
-	removeOpt := gocb.RemoveOptions{
-		Context: ctx,
-	}
-	_, err = p.db.Collection(schemas.Collections.Policy).Remove(id, &removeOpt)
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-// GetPolicyByID returns an authorization policy by its ID.
-func (p *provider) GetPolicyByID(ctx context.Context, id string) (*schemas.Policy, error) {
-	var policy *schemas.Policy
-	params := make(map[string]interface{}, 1)
-	params["id"] = id
-	query := fmt.Sprintf(`SELECT id, name, description, type, logic, decision_strategy, created_at, updated_at FROM %s.%s WHERE id=$id LIMIT 1`, p.scopeName, schemas.Collections.Policy)
-	q, err := p.db.Query(query, &gocb.QueryOptions{
-		Context:         ctx,
-		ScanConsistency: gocb.QueryScanConsistencyRequestPlus,
-		NamedParameters: params,
-	})
-	if err != nil {
-		return nil, err
-	}
-	err = q.One(&policy)
-	if err != nil {
-		return nil, err
-	}
-	return policy, nil
-}
-
-// ListPolicies returns a paginated list of authorization policies.
-func (p *provider) ListPolicies(ctx context.Context, pagination *model.Pagination) ([]*schemas.Policy, *model.Pagination, error) {
-	policies := []*schemas.Policy{}
-	paginationClone := *pagination
-	params := make(map[string]interface{}, 1)
-	params["offset"] = paginationClone.Offset
-	params["limit"] = paginationClone.Limit
-	total, err := p.GetTotalDocs(ctx, schemas.Collections.Policy)
-	if err != nil {
-		return nil, nil, err
-	}
-	paginationClone.Total = total
-	query := fmt.Sprintf("SELECT id, name, description, type, logic, decision_strategy, created_at, updated_at FROM %s.%s ORDER BY created_at DESC OFFSET $offset LIMIT $limit", p.scopeName, schemas.Collections.Policy)
-	queryResult, err := p.db.Query(query, &gocb.QueryOptions{
-		Context:         ctx,
-		ScanConsistency: gocb.QueryScanConsistencyRequestPlus,
-		NamedParameters: params,
-	})
-	if err != nil {
-		return nil, nil, err
-	}
-	for queryResult.Next() {
-		var policy schemas.Policy
-		err := queryResult.Row(&policy)
-		if err != nil {
-			log.Fatal(err)
-		}
-		policies = append(policies, &policy)
-	}
-	if err := queryResult.Err(); err != nil {
-		return nil, nil, err
-	}
-	return policies, &paginationClone, nil
-}
-
-// AddPolicyTarget adds a target (role name or user ID) to a policy.
-func (p *provider) AddPolicyTarget(ctx context.Context, target *schemas.PolicyTarget) (*schemas.PolicyTarget, error) {
-	if target.ID == "" {
-		target.ID = uuid.New().String()
-	}
-	target.Key = target.ID
-	target.CreatedAt = time.Now().Unix()
-	insertOpt := gocb.InsertOptions{
-		Context: ctx,
-	}
-	_, err := p.db.Collection(schemas.Collections.PolicyTarget).Insert(target.ID, target, &insertOpt)
-	if err != nil {
-		return nil, err
-	}
-	return target, nil
-}
-
-// DeletePolicyTargetsByPolicyID removes all targets for a policy.
-func (p *provider) DeletePolicyTargetsByPolicyID(ctx context.Context, policyID string) error {
-	params := make(map[string]interface{}, 1)
-	params["policy_id"] = policyID
-	query := fmt.Sprintf(`DELETE FROM %s.%s WHERE policy_id=$policy_id`, p.scopeName, schemas.Collections.PolicyTarget)
-	_, err := p.db.Query(query, &gocb.QueryOptions{
-		Context:         ctx,
-		ScanConsistency: gocb.QueryScanConsistencyRequestPlus,
-		NamedParameters: params,
-	})
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-// GetPolicyTargets returns all targets for a policy.
-func (p *provider) GetPolicyTargets(ctx context.Context, policyID string) ([]*schemas.PolicyTarget, error) {
-	targets := []*schemas.PolicyTarget{}
-	params := make(map[string]interface{}, 1)
-	params["policy_id"] = policyID
-	query := fmt.Sprintf(`SELECT id, policy_id, target_type, target_value, created_at FROM %s.%s WHERE policy_id=$policy_id`, p.scopeName, schemas.Collections.PolicyTarget)
-	queryResult, err := p.db.Query(query, &gocb.QueryOptions{
-		Context:         ctx,
-		ScanConsistency: gocb.QueryScanConsistencyRequestPlus,
-		NamedParameters: params,
-	})
-	if err != nil {
-		return nil, err
-	}
-	for queryResult.Next() {
-		var target schemas.PolicyTarget
-		err := queryResult.Row(&target)
-		if err != nil {
-			log.Fatal(err)
-		}
-		targets = append(targets, &target)
-	}
-	if err := queryResult.Err(); err != nil {
-		return nil, err
-	}
-	return targets, nil
-}
diff --git a/internal/storage/db/couchbase/provider.go b/internal/storage/db/couchbase/provider.go
index e0163e19..9efccfcc 100644
--- a/internal/storage/db/couchbase/provider.go
+++ b/internal/storage/db/couchbase/provider.go
@@ -243,37 +243,5 @@ func getIndex(scopeName string) map[string][]string {
 	auditLogIndex3 := fmt.Sprintf("CREATE INDEX AuditLogTimestampIndex ON %s.%s(timestamp)", scopeName, schemas.Collections.AuditLog)
 	indices[schemas.Collections.AuditLog] = []string{auditLogIndex1, auditLogIndex2, auditLogIndex3}
 
-	// Resource index
-	resourceIndex1 := fmt.Sprintf("CREATE INDEX ResourceNameIndex ON %s.%s(name)", scopeName, schemas.Collections.Resource)
-	indices[schemas.Collections.Resource] = []string{resourceIndex1}
-
-	// Scope index
-	scopeIndex1 := fmt.Sprintf("CREATE INDEX ScopeNameIndex ON %s.%s(name)", scopeName, schemas.Collections.Scope)
-	indices[schemas.Collections.Scope] = []string{scopeIndex1}
-
-	// Policy index
-	policyIndex1 := fmt.Sprintf("CREATE INDEX PolicyNameIndex ON %s.%s(name)", scopeName, schemas.Collections.Policy)
-	policyIndex2 := fmt.Sprintf("CREATE INDEX PolicyTypeIndex ON %s.%s(type)", scopeName, schemas.Collections.Policy)
-	indices[schemas.Collections.Policy] = []string{policyIndex1, policyIndex2}
-
-	// PolicyTarget index
-	policyTargetIndex1 := fmt.Sprintf("CREATE INDEX PolicyTargetPolicyIdIndex ON %s.%s(policy_id)", scopeName, schemas.Collections.PolicyTarget)
-	indices[schemas.Collections.PolicyTarget] = []string{policyTargetIndex1}
-
-	// Permission index
-	permissionIndex1 := fmt.Sprintf("CREATE INDEX PermissionNameIndex ON %s.%s(name)", scopeName, schemas.Collections.Permission)
-	permissionIndex2 := fmt.Sprintf("CREATE INDEX PermissionResourceIdIndex ON %s.%s(resource_id)", scopeName, schemas.Collections.Permission)
-	indices[schemas.Collections.Permission] = []string{permissionIndex1, permissionIndex2}
-
-	// PermissionScope index
-	permissionScopeIndex1 := fmt.Sprintf("CREATE INDEX PermissionScopePermissionIdIndex ON %s.%s(permission_id)", scopeName, schemas.Collections.PermissionScope)
-	permissionScopeIndex2 := fmt.Sprintf("CREATE INDEX PermissionScopeScopeIdIndex ON %s.%s(scope_id)", scopeName, schemas.Collections.PermissionScope)
-	indices[schemas.Collections.PermissionScope] = []string{permissionScopeIndex1, permissionScopeIndex2}
-
-	// PermissionPolicy index
-	permissionPolicyIndex1 := fmt.Sprintf("CREATE INDEX PermissionPolicyPermissionIdIndex ON %s.%s(permission_id)", scopeName, schemas.Collections.PermissionPolicy)
-	permissionPolicyIndex2 := fmt.Sprintf("CREATE INDEX PermissionPolicyPolicyIdIndex ON %s.%s(policy_id)", scopeName, schemas.Collections.PermissionPolicy)
-	indices[schemas.Collections.PermissionPolicy] = []string{permissionPolicyIndex1, permissionPolicyIndex2}
-
 	return indices
 }
diff --git a/internal/storage/db/couchbase/resource.go b/internal/storage/db/couchbase/resource.go
deleted file mode 100644
index f5ebb181..00000000
--- a/internal/storage/db/couchbase/resource.go
+++ /dev/null
@@ -1,177 +0,0 @@
-package couchbase
-
-import (
-	"context"
-	"encoding/json"
-	"fmt"
-	"log"
-	"strings"
-	"time"
-
-	"github.com/couchbase/gocb/v2"
-	"github.com/google/uuid"
-
-	"github.com/authorizerdev/authorizer/internal/graph/model"
-	"github.com/authorizerdev/authorizer/internal/storage/schemas"
-)
-
-// AddResource creates a new authorization resource.
-// Couchbase has no per-field unique constraints, so we explicitly
-// reject duplicates on Name before inserting.
-func (p *provider) AddResource(ctx context.Context, resource *schemas.Resource) (*schemas.Resource, error) {
-	if existing, err := p.GetResourceByName(ctx, resource.Name); err == nil && existing != nil {
-		return nil, fmt.Errorf("resource with name %q already exists", resource.Name)
-	}
-	if resource.ID == "" {
-		resource.ID = uuid.New().String()
-	}
-	resource.Key = resource.ID
-	resource.CreatedAt = time.Now().Unix()
-	resource.UpdatedAt = time.Now().Unix()
-	insertOpt := gocb.InsertOptions{
-		Context: ctx,
-	}
-	_, err := p.db.Collection(schemas.Collections.Resource).Insert(resource.ID, resource, &insertOpt)
-	if err != nil {
-		return nil, err
-	}
-	return resource, nil
-}
-
-// UpdateResource updates an existing authorization resource.
-func (p *provider) UpdateResource(ctx context.Context, resource *schemas.Resource) (*schemas.Resource, error) {
-	resource.UpdatedAt = time.Now().Unix()
-	bytes, err := json.Marshal(resource)
-	if err != nil {
-		return nil, err
-	}
-	decoder := json.NewDecoder(strings.NewReader(string(bytes)))
-	decoder.UseNumber()
-	resourceMap := map[string]interface{}{}
-	err = decoder.Decode(&resourceMap)
-	if err != nil {
-		return nil, err
-	}
-	updateFields, params := GetSetFields(resourceMap)
-	params["id"] = resource.ID
-	query := fmt.Sprintf(`UPDATE %s.%s SET %s WHERE id=$id`, p.scopeName, schemas.Collections.Resource, updateFields)
-	_, err = p.db.Query(query, &gocb.QueryOptions{
-		Context:         ctx,
-		ScanConsistency: gocb.QueryScanConsistencyRequestPlus,
-		NamedParameters: params,
-	})
-	if err != nil {
-		return nil, err
-	}
-	return resource, nil
-}
-
-// DeleteResource deletes an authorization resource by ID.
-// Returns an error if any permission references this resource.
-func (p *provider) DeleteResource(ctx context.Context, id string) error {
-	// Check for permission references
-	params := make(map[string]interface{}, 1)
-	params["resource_id"] = id
-	query := fmt.Sprintf(`SELECT COUNT(*) as Total FROM %s.%s WHERE resource_id=$resource_id`, p.scopeName, schemas.Collections.Permission)
-	queryResult, err := p.db.Query(query, &gocb.QueryOptions{
-		Context:         ctx,
-		ScanConsistency: gocb.QueryScanConsistencyRequestPlus,
-		NamedParameters: params,
-	})
-	if err != nil {
-		return err
-	}
-	var totalDocs TotalDocs
-	err = queryResult.One(&totalDocs)
-	if err != nil {
-		return err
-	}
-	if totalDocs.Total > 0 {
-		return fmt.Errorf("cannot delete resource: %d permission(s) reference it", totalDocs.Total)
-	}
-	removeOpt := gocb.RemoveOptions{
-		Context: ctx,
-	}
-	_, err = p.db.Collection(schemas.Collections.Resource).Remove(id, &removeOpt)
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-// GetResourceByID returns an authorization resource by its ID.
-func (p *provider) GetResourceByID(ctx context.Context, id string) (*schemas.Resource, error) {
-	var resource *schemas.Resource
-	params := make(map[string]interface{}, 1)
-	params["id"] = id
-	query := fmt.Sprintf(`SELECT id, name, description, created_at, updated_at FROM %s.%s WHERE id=$id LIMIT 1`, p.scopeName, schemas.Collections.Resource)
-	q, err := p.db.Query(query, &gocb.QueryOptions{
-		Context:         ctx,
-		ScanConsistency: gocb.QueryScanConsistencyRequestPlus,
-		NamedParameters: params,
-	})
-	if err != nil {
-		return nil, err
-	}
-	err = q.One(&resource)
-	if err != nil {
-		return nil, err
-	}
-	return resource, nil
-}
-
-// GetResourceByName returns an authorization resource by its unique name.
-func (p *provider) GetResourceByName(ctx context.Context, name string) (*schemas.Resource, error) {
-	var resource *schemas.Resource
-	params := make(map[string]interface{}, 1)
-	params["name"] = name
-	query := fmt.Sprintf(`SELECT id, name, description, created_at, updated_at FROM %s.%s WHERE name=$name LIMIT 1`, p.scopeName, schemas.Collections.Resource)
-	q, err := p.db.Query(query, &gocb.QueryOptions{
-		Context:         ctx,
-		ScanConsistency: gocb.QueryScanConsistencyRequestPlus,
-		NamedParameters: params,
-	})
-	if err != nil {
-		return nil, err
-	}
-	err = q.One(&resource)
-	if err != nil {
-		return nil, err
-	}
-	return resource, nil
-}
-
-// ListResources returns a paginated list of authorization resources.
-func (p *provider) ListResources(ctx context.Context, pagination *model.Pagination) ([]*schemas.Resource, *model.Pagination, error) {
-	resources := []*schemas.Resource{}
-	paginationClone := *pagination
-	params := make(map[string]interface{}, 1)
-	params["offset"] = paginationClone.Offset
-	params["limit"] = paginationClone.Limit
-	total, err := p.GetTotalDocs(ctx, schemas.Collections.Resource)
-	if err != nil {
-		return nil, nil, err
-	}
-	paginationClone.Total = total
-	query := fmt.Sprintf("SELECT id, name, description, created_at, updated_at FROM %s.%s ORDER BY created_at DESC OFFSET $offset LIMIT $limit", p.scopeName, schemas.Collections.Resource)
-	queryResult, err := p.db.Query(query, &gocb.QueryOptions{
-		Context:         ctx,
-		ScanConsistency: gocb.QueryScanConsistencyRequestPlus,
-		NamedParameters: params,
-	})
-	if err != nil {
-		return nil, nil, err
-	}
-	for queryResult.Next() {
-		var resource schemas.Resource
-		err := queryResult.Row(&resource)
-		if err != nil {
-			log.Fatal(err)
-		}
-		resources = append(resources, &resource)
-	}
-	if err := queryResult.Err(); err != nil {
-		return nil, nil, err
-	}
-	return resources, &paginationClone, nil
-}
diff --git a/internal/storage/db/couchbase/scope.go b/internal/storage/db/couchbase/scope.go
deleted file mode 100644
index 5d57f93a..00000000
--- a/internal/storage/db/couchbase/scope.go
+++ /dev/null
@@ -1,177 +0,0 @@
-package couchbase
-
-import (
-	"context"
-	"encoding/json"
-	"fmt"
-	"log"
-	"strings"
-	"time"
-
-	"github.com/couchbase/gocb/v2"
-	"github.com/google/uuid"
-
-	"github.com/authorizerdev/authorizer/internal/graph/model"
-	"github.com/authorizerdev/authorizer/internal/storage/schemas"
-)
-
-// AddScope creates a new authorization scope.
-// Couchbase has no per-field unique constraints, so we explicitly
-// reject duplicates on Name before inserting.
-func (p *provider) AddScope(ctx context.Context, scope *schemas.Scope) (*schemas.Scope, error) {
-	if existing, err := p.GetScopeByName(ctx, scope.Name); err == nil && existing != nil {
-		return nil, fmt.Errorf("scope with name %q already exists", scope.Name)
-	}
-	if scope.ID == "" {
-		scope.ID = uuid.New().String()
-	}
-	scope.Key = scope.ID
-	scope.CreatedAt = time.Now().Unix()
-	scope.UpdatedAt = time.Now().Unix()
-	insertOpt := gocb.InsertOptions{
-		Context: ctx,
-	}
-	_, err := p.db.Collection(schemas.Collections.Scope).Insert(scope.ID, scope, &insertOpt)
-	if err != nil {
-		return nil, err
-	}
-	return scope, nil
-}
-
-// UpdateScope updates an existing authorization scope.
-func (p *provider) UpdateScope(ctx context.Context, scope *schemas.Scope) (*schemas.Scope, error) {
-	scope.UpdatedAt = time.Now().Unix()
-	bytes, err := json.Marshal(scope)
-	if err != nil {
-		return nil, err
-	}
-	decoder := json.NewDecoder(strings.NewReader(string(bytes)))
-	decoder.UseNumber()
-	scopeMap := map[string]interface{}{}
-	err = decoder.Decode(&scopeMap)
-	if err != nil {
-		return nil, err
-	}
-	updateFields, params := GetSetFields(scopeMap)
-	params["id"] = scope.ID
-	query := fmt.Sprintf(`UPDATE %s.%s SET %s WHERE id=$id`, p.scopeName, schemas.Collections.Scope, updateFields)
-	_, err = p.db.Query(query, &gocb.QueryOptions{
-		Context:         ctx,
-		ScanConsistency: gocb.QueryScanConsistencyRequestPlus,
-		NamedParameters: params,
-	})
-	if err != nil {
-		return nil, err
-	}
-	return scope, nil
-}
-
-// DeleteScope deletes an authorization scope by ID.
-// Returns an error if any permission_scope references this scope.
-func (p *provider) DeleteScope(ctx context.Context, id string) error {
-	// Check for permission_scope references
-	params := make(map[string]interface{}, 1)
-	params["scope_id"] = id
-	query := fmt.Sprintf(`SELECT COUNT(*) as Total FROM %s.%s WHERE scope_id=$scope_id`, p.scopeName, schemas.Collections.PermissionScope)
-	queryResult, err := p.db.Query(query, &gocb.QueryOptions{
-		Context:         ctx,
-		ScanConsistency: gocb.QueryScanConsistencyRequestPlus,
-		NamedParameters: params,
-	})
-	if err != nil {
-		return err
-	}
-	var totalDocs TotalDocs
-	err = queryResult.One(&totalDocs)
-	if err != nil {
-		return err
-	}
-	if totalDocs.Total > 0 {
-		return fmt.Errorf("cannot delete scope: %d permission_scope(s) reference it", totalDocs.Total)
-	}
-	removeOpt := gocb.RemoveOptions{
-		Context: ctx,
-	}
-	_, err = p.db.Collection(schemas.Collections.Scope).Remove(id, &removeOpt)
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-// GetScopeByID returns an authorization scope by its ID.
-func (p *provider) GetScopeByID(ctx context.Context, id string) (*schemas.Scope, error) {
-	var scope *schemas.Scope
-	params := make(map[string]interface{}, 1)
-	params["id"] = id
-	query := fmt.Sprintf(`SELECT id, name, description, created_at, updated_at FROM %s.%s WHERE id=$id LIMIT 1`, p.scopeName, schemas.Collections.Scope)
-	q, err := p.db.Query(query, &gocb.QueryOptions{
-		Context:         ctx,
-		ScanConsistency: gocb.QueryScanConsistencyRequestPlus,
-		NamedParameters: params,
-	})
-	if err != nil {
-		return nil, err
-	}
-	err = q.One(&scope)
-	if err != nil {
-		return nil, err
-	}
-	return scope, nil
-}
-
-// GetScopeByName returns an authorization scope by its unique name.
-func (p *provider) GetScopeByName(ctx context.Context, name string) (*schemas.Scope, error) {
-	var scope *schemas.Scope
-	params := make(map[string]interface{}, 1)
-	params["name"] = name
-	query := fmt.Sprintf(`SELECT id, name, description, created_at, updated_at FROM %s.%s WHERE name=$name LIMIT 1`, p.scopeName, schemas.Collections.Scope)
-	q, err := p.db.Query(query, &gocb.QueryOptions{
-		Context:         ctx,
-		ScanConsistency: gocb.QueryScanConsistencyRequestPlus,
-		NamedParameters: params,
-	})
-	if err != nil {
-		return nil, err
-	}
-	err = q.One(&scope)
-	if err != nil {
-		return nil, err
-	}
-	return scope, nil
-}
-
-// ListScopes returns a paginated list of authorization scopes.
-func (p *provider) ListScopes(ctx context.Context, pagination *model.Pagination) ([]*schemas.Scope, *model.Pagination, error) {
-	scopes := []*schemas.Scope{}
-	paginationClone := *pagination
-	params := make(map[string]interface{}, 1)
-	params["offset"] = paginationClone.Offset
-	params["limit"] = paginationClone.Limit
-	total, err := p.GetTotalDocs(ctx, schemas.Collections.Scope)
-	if err != nil {
-		return nil, nil, err
-	}
-	paginationClone.Total = total
-	query := fmt.Sprintf("SELECT id, name, description, created_at, updated_at FROM %s.%s ORDER BY created_at DESC OFFSET $offset LIMIT $limit", p.scopeName, schemas.Collections.Scope)
-	queryResult, err := p.db.Query(query, &gocb.QueryOptions{
-		Context:         ctx,
-		ScanConsistency: gocb.QueryScanConsistencyRequestPlus,
-		NamedParameters: params,
-	})
-	if err != nil {
-		return nil, nil, err
-	}
-	for queryResult.Next() {
-		var scope schemas.Scope
-		err := queryResult.Row(&scope)
-		if err != nil {
-			log.Fatal(err)
-		}
-		scopes = append(scopes, &scope)
-	}
-	if err := queryResult.Err(); err != nil {
-		return nil, nil, err
-	}
-	return scopes, &paginationClone, nil
-}
diff --git a/internal/storage/db/dynamodb/permission.go b/internal/storage/db/dynamodb/permission.go
deleted file mode 100644
index bb421e32..00000000
--- a/internal/storage/db/dynamodb/permission.go
+++ /dev/null
@@ -1,318 +0,0 @@
-package dynamodb
-
-import (
-	"context"
-	"errors"
-	"time"
-
-	"github.com/aws/aws-sdk-go-v2/feature/dynamodb/expression"
-	"github.com/aws/aws-sdk-go-v2/service/dynamodb/types"
-	"github.com/google/uuid"
-
-	"github.com/authorizerdev/authorizer/internal/graph/model"
-	"github.com/authorizerdev/authorizer/internal/storage/schemas"
-)
-
-// AddPermission creates a new authorization permission.
-func (p *provider) AddPermission(ctx context.Context, permission *schemas.Permission) (*schemas.Permission, error) {
-	if permission.ID == "" {
-		permission.ID = uuid.New().String()
-	}
-	permission.Key = permission.ID
-	permission.CreatedAt = time.Now().Unix()
-	permission.UpdatedAt = time.Now().Unix()
-	if err := p.putItem(ctx, schemas.Collections.Permission, permission); err != nil {
-		return nil, err
-	}
-	return permission, nil
-}
-
-// UpdatePermission updates an existing authorization permission.
-func (p *provider) UpdatePermission(ctx context.Context, permission *schemas.Permission) (*schemas.Permission, error) {
-	permission.UpdatedAt = time.Now().Unix()
-	if err := p.updateByHashKey(ctx, schemas.Collections.Permission, "id", permission.ID, permission); err != nil {
-		return nil, err
-	}
-	return permission, nil
-}
-
-// DeletePermission deletes an authorization permission by ID.
-// Cascade-deletes all permission_scopes and permission_policies for this permission.
-func (p *provider) DeletePermission(ctx context.Context, id string) error {
-	if err := p.DeletePermissionScopesByPermissionID(ctx, id); err != nil {
-		return err
-	}
-	if err := p.DeletePermissionPoliciesByPermissionID(ctx, id); err != nil {
-		return err
-	}
-	return p.deleteItemByHash(ctx, schemas.Collections.Permission, "id", id)
-}
-
-// GetPermissionByID returns an authorization permission by its ID.
-func (p *provider) GetPermissionByID(ctx context.Context, id string) (*schemas.Permission, error) {
-	var permission schemas.Permission
-	if err := p.getItemByHash(ctx, schemas.Collections.Permission, "id", id, &permission); err != nil {
-		return nil, err
-	}
-	if permission.ID == "" {
-		return nil, errors.New("no document found")
-	}
-	return &permission, nil
-}
-
-// ListPermissions returns a paginated list of authorization permissions.
-func (p *provider) ListPermissions(ctx context.Context, pagination *model.Pagination) ([]*schemas.Permission, *model.Pagination, error) {
-	var lastKey map[string]types.AttributeValue
-	var iteration int64
-	paginationClone := *pagination
-	var permissions []*schemas.Permission
-
-	count, err := p.scanCount(ctx, schemas.Collections.Permission, nil)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	for (paginationClone.Offset + paginationClone.Limit) > iteration {
-		items, next, err := p.scanPageIter(ctx, schemas.Collections.Permission, nil, int32(paginationClone.Limit), lastKey)
-		if err != nil {
-			return nil, nil, err
-		}
-		for _, it := range items {
-			var perm schemas.Permission
-			if err := unmarshalItem(it, &perm); err != nil {
-				return nil, nil, err
-			}
-			if paginationClone.Offset == iteration {
-				permissions = append(permissions, &perm)
-			}
-		}
-		lastKey = next
-		iteration += paginationClone.Limit
-		if lastKey == nil {
-			break
-		}
-	}
-	paginationClone.Total = count
-	return permissions, &paginationClone, nil
-}
-
-// AddPermissionScope links a scope to a permission.
-func (p *provider) AddPermissionScope(ctx context.Context, ps *schemas.PermissionScope) (*schemas.PermissionScope, error) {
-	if ps.ID == "" {
-		ps.ID = uuid.New().String()
-	}
-	ps.Key = ps.ID
-	ps.CreatedAt = time.Now().Unix()
-	if err := p.putItem(ctx, schemas.Collections.PermissionScope, ps); err != nil {
-		return nil, err
-	}
-	return ps, nil
-}
-
-// DeletePermissionScopesByPermissionID removes all scope links for a permission.
-func (p *provider) DeletePermissionScopesByPermissionID(ctx context.Context, permissionID string) error {
-	f := expression.Name("permission_id").Equal(expression.Value(permissionID))
-	items, err := p.scanFilteredAll(ctx, schemas.Collections.PermissionScope, nil, &f)
-	if err != nil {
-		return err
-	}
-	for _, it := range items {
-		var ps schemas.PermissionScope
-		if err := unmarshalItem(it, &ps); err != nil {
-			return err
-		}
-		if err := p.deleteItemByHash(ctx, schemas.Collections.PermissionScope, "id", ps.ID); err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-// GetPermissionScopes returns all scope links for a permission.
-func (p *provider) GetPermissionScopes(ctx context.Context, permissionID string) ([]*schemas.PermissionScope, error) {
-	f := expression.Name("permission_id").Equal(expression.Value(permissionID))
-	items, err := p.scanFilteredAll(ctx, schemas.Collections.PermissionScope, nil, &f)
-	if err != nil {
-		return nil, err
-	}
-	var scopes []*schemas.PermissionScope
-	for _, it := range items {
-		var ps schemas.PermissionScope
-		if err := unmarshalItem(it, &ps); err != nil {
-			return nil, err
-		}
-		scopes = append(scopes, &ps)
-	}
-	return scopes, nil
-}
-
-// AddPermissionPolicy links a policy to a permission.
-func (p *provider) AddPermissionPolicy(ctx context.Context, pp *schemas.PermissionPolicy) (*schemas.PermissionPolicy, error) {
-	if pp.ID == "" {
-		pp.ID = uuid.New().String()
-	}
-	pp.Key = pp.ID
-	pp.CreatedAt = time.Now().Unix()
-	if err := p.putItem(ctx, schemas.Collections.PermissionPolicy, pp); err != nil {
-		return nil, err
-	}
-	return pp, nil
-}
-
-// DeletePermissionPoliciesByPermissionID removes all policy links for a permission.
-func (p *provider) DeletePermissionPoliciesByPermissionID(ctx context.Context, permissionID string) error {
-	f := expression.Name("permission_id").Equal(expression.Value(permissionID))
-	items, err := p.scanFilteredAll(ctx, schemas.Collections.PermissionPolicy, nil, &f)
-	if err != nil {
-		return err
-	}
-	for _, it := range items {
-		var pp schemas.PermissionPolicy
-		if err := unmarshalItem(it, &pp); err != nil {
-			return err
-		}
-		if err := p.deleteItemByHash(ctx, schemas.Collections.PermissionPolicy, "id", pp.ID); err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-// GetPermissionPolicies returns all policy links for a permission.
-func (p *provider) GetPermissionPolicies(ctx context.Context, permissionID string) ([]*schemas.PermissionPolicy, error) {
-	f := expression.Name("permission_id").Equal(expression.Value(permissionID))
-	items, err := p.scanFilteredAll(ctx, schemas.Collections.PermissionPolicy, nil, &f)
-	if err != nil {
-		return nil, err
-	}
-	var policies []*schemas.PermissionPolicy
-	for _, it := range items {
-		var pp schemas.PermissionPolicy
-		if err := unmarshalItem(it, &pp); err != nil {
-			return nil, err
-		}
-		policies = append(policies, &pp)
-	}
-	return policies, nil
-}
-
-// GetPermissionsForResourceScope returns all permissions (with their policies and targets)
-// that apply to a given resource name and scope name. Used by the evaluation engine.
-func (p *provider) GetPermissionsForResourceScope(ctx context.Context, resourceName string, scopeName string) ([]*schemas.PermissionWithPolicies, error) {
-	// 1. Find resource by name
-	resourceItems, err := p.queryEqLimit(ctx, schemas.Collections.Resource, "name", "name", resourceName, nil, 1)
-	if err != nil {
-		return nil, err
-	}
-	if len(resourceItems) == 0 {
-		return nil, errors.New("no document found")
-	}
-	var resource schemas.Resource
-	if err := unmarshalItem(resourceItems[0], &resource); err != nil {
-		return nil, err
-	}
-
-	// 2. Find scope by name
-	scopeItems, err := p.queryEqLimit(ctx, schemas.Collections.Scope, "name", "name", scopeName, nil, 1)
-	if err != nil {
-		return nil, err
-	}
-	if len(scopeItems) == 0 {
-		return nil, errors.New("no document found")
-	}
-	var scope schemas.Scope
-	if err := unmarshalItem(scopeItems[0], &scope); err != nil {
-		return nil, err
-	}
-
-	// 3. Find permissions for this resource
-	f := expression.Name("resource_id").Equal(expression.Value(resource.ID))
-	permItems, err := p.scanFilteredAll(ctx, schemas.Collections.Permission, nil, &f)
-	if err != nil {
-		return nil, err
-	}
-	if len(permItems) == 0 {
-		return nil, nil
-	}
-
-	var result []*schemas.PermissionWithPolicies
-
-	for _, permItem := range permItems {
-		var perm schemas.Permission
-		if err := unmarshalItem(permItem, &perm); err != nil {
-			return nil, err
-		}
-
-		// 4. Check if this permission has the requested scope
-		psFilter := expression.Name("permission_id").Equal(expression.Value(perm.ID)).
-			And(expression.Name("scope_id").Equal(expression.Value(scope.ID)))
-		psItems, err := p.scanFilteredAll(ctx, schemas.Collections.PermissionScope, nil, &psFilter)
-		if err != nil {
-			return nil, err
-		}
-		if len(psItems) == 0 {
-			continue
-		}
-
-		// 5. Find permission_policies for this permission
-		ppFilter := expression.Name("permission_id").Equal(expression.Value(perm.ID))
-		ppItems, err := p.scanFilteredAll(ctx, schemas.Collections.PermissionPolicy, nil, &ppFilter)
-		if err != nil {
-			return nil, err
-		}
-		if len(ppItems) == 0 {
-			continue
-		}
-
-		// 6. For each permission_policy, resolve the policy and its targets
-		var policiesWithTargets []schemas.PolicyWithTargets
-		for _, ppItem := range ppItems {
-			var pp schemas.PermissionPolicy
-			if err := unmarshalItem(ppItem, &pp); err != nil {
-				return nil, err
-			}
-
-			var policy schemas.Policy
-			if err := p.getItemByHash(ctx, schemas.Collections.Policy, "id", pp.PolicyID, &policy); err != nil {
-				return nil, err
-			}
-
-			// Get targets for this policy
-			tFilter := expression.Name("policy_id").Equal(expression.Value(policy.ID))
-			tItems, err := p.scanFilteredAll(ctx, schemas.Collections.PolicyTarget, nil, &tFilter)
-			if err != nil {
-				return nil, err
-			}
-
-			var targets []schemas.PolicyTargetView
-			for _, tItem := range tItems {
-				var target schemas.PolicyTarget
-				if err := unmarshalItem(tItem, &target); err != nil {
-					return nil, err
-				}
-				targets = append(targets, schemas.PolicyTargetView{
-					TargetType:  target.TargetType,
-					TargetValue: target.TargetValue,
-				})
-			}
-
-			policiesWithTargets = append(policiesWithTargets, schemas.PolicyWithTargets{
-				PolicyID:         policy.ID,
-				PolicyName:       policy.Name,
-				Type:             policy.Type,
-				Logic:            policy.Logic,
-				DecisionStrategy: policy.DecisionStrategy,
-				Targets:          targets,
-			})
-		}
-
-		result = append(result, &schemas.PermissionWithPolicies{
-			PermissionID:     perm.ID,
-			PermissionName:   perm.Name,
-			DecisionStrategy: perm.DecisionStrategy,
-			Policies:         policiesWithTargets,
-		})
-	}
-
-	return result, nil
-}
diff --git a/internal/storage/db/dynamodb/policy.go b/internal/storage/db/dynamodb/policy.go
deleted file mode 100644
index 4584c3f3..00000000
--- a/internal/storage/db/dynamodb/policy.go
+++ /dev/null
@@ -1,156 +0,0 @@
-package dynamodb
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"time"
-
-	"github.com/aws/aws-sdk-go-v2/feature/dynamodb/expression"
-	"github.com/aws/aws-sdk-go-v2/service/dynamodb/types"
-	"github.com/google/uuid"
-
-	"github.com/authorizerdev/authorizer/internal/graph/model"
-	"github.com/authorizerdev/authorizer/internal/storage/schemas"
-)
-
-// AddPolicy creates a new authorization policy.
-func (p *provider) AddPolicy(ctx context.Context, policy *schemas.Policy) (*schemas.Policy, error) {
-	if policy.ID == "" {
-		policy.ID = uuid.New().String()
-	}
-	policy.Key = policy.ID
-	policy.CreatedAt = time.Now().Unix()
-	policy.UpdatedAt = time.Now().Unix()
-	if err := p.putItem(ctx, schemas.Collections.Policy, policy); err != nil {
-		return nil, err
-	}
-	return policy, nil
-}
-
-// UpdatePolicy updates an existing authorization policy.
-func (p *provider) UpdatePolicy(ctx context.Context, policy *schemas.Policy) (*schemas.Policy, error) {
-	policy.UpdatedAt = time.Now().Unix()
-	if err := p.updateByHashKey(ctx, schemas.Collections.Policy, "id", policy.ID, policy); err != nil {
-		return nil, err
-	}
-	return policy, nil
-}
-
-// DeletePolicy deletes an authorization policy by ID.
-// Returns an error if any permission_policy references this policy.
-// Also cascade-deletes all policy_targets for this policy.
-func (p *provider) DeletePolicy(ctx context.Context, id string) error {
-	// Check for referencing permission_policies
-	f := expression.Name("policy_id").Equal(expression.Value(id))
-	items, err := p.scanFilteredAll(ctx, schemas.Collections.PermissionPolicy, nil, &f)
-	if err != nil {
-		return err
-	}
-	if len(items) > 0 {
-		return fmt.Errorf("cannot delete policy: %d permission_policy(ies) reference it", len(items))
-	}
-	// Cascade-delete policy targets
-	if err := p.DeletePolicyTargetsByPolicyID(ctx, id); err != nil {
-		return err
-	}
-	return p.deleteItemByHash(ctx, schemas.Collections.Policy, "id", id)
-}
-
-// GetPolicyByID returns an authorization policy by its ID.
-func (p *provider) GetPolicyByID(ctx context.Context, id string) (*schemas.Policy, error) {
-	var policy schemas.Policy
-	if err := p.getItemByHash(ctx, schemas.Collections.Policy, "id", id, &policy); err != nil {
-		return nil, err
-	}
-	if policy.ID == "" {
-		return nil, errors.New("no document found")
-	}
-	return &policy, nil
-}
-
-// ListPolicies returns a paginated list of authorization policies.
-func (p *provider) ListPolicies(ctx context.Context, pagination *model.Pagination) ([]*schemas.Policy, *model.Pagination, error) {
-	var lastKey map[string]types.AttributeValue
-	var iteration int64
-	paginationClone := *pagination
-	var policies []*schemas.Policy
-
-	count, err := p.scanCount(ctx, schemas.Collections.Policy, nil)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	for (paginationClone.Offset + paginationClone.Limit) > iteration {
-		items, next, err := p.scanPageIter(ctx, schemas.Collections.Policy, nil, int32(paginationClone.Limit), lastKey)
-		if err != nil {
-			return nil, nil, err
-		}
-		for _, it := range items {
-			var pol schemas.Policy
-			if err := unmarshalItem(it, &pol); err != nil {
-				return nil, nil, err
-			}
-			if paginationClone.Offset == iteration {
-				policies = append(policies, &pol)
-			}
-		}
-		lastKey = next
-		iteration += paginationClone.Limit
-		if lastKey == nil {
-			break
-		}
-	}
-	paginationClone.Total = count
-	return policies, &paginationClone, nil
-}
-
-// AddPolicyTarget adds a target (role name or user ID) to a policy.
-func (p *provider) AddPolicyTarget(ctx context.Context, target *schemas.PolicyTarget) (*schemas.PolicyTarget, error) {
-	if target.ID == "" {
-		target.ID = uuid.New().String()
-	}
-	target.Key = target.ID
-	target.CreatedAt = time.Now().Unix()
-	if err := p.putItem(ctx, schemas.Collections.PolicyTarget, target); err != nil {
-		return nil, err
-	}
-	return target, nil
-}
-
-// DeletePolicyTargetsByPolicyID removes all targets for a policy.
-func (p *provider) DeletePolicyTargetsByPolicyID(ctx context.Context, policyID string) error {
-	f := expression.Name("policy_id").Equal(expression.Value(policyID))
-	items, err := p.scanFilteredAll(ctx, schemas.Collections.PolicyTarget, nil, &f)
-	if err != nil {
-		return err
-	}
-	for _, it := range items {
-		var target schemas.PolicyTarget
-		if err := unmarshalItem(it, &target); err != nil {
-			return err
-		}
-		if err := p.deleteItemByHash(ctx, schemas.Collections.PolicyTarget, "id", target.ID); err != nil {
-			return err
-		}
-	}
-	return nil
-}
-
-// GetPolicyTargets returns all targets for a policy.
-func (p *provider) GetPolicyTargets(ctx context.Context, policyID string) ([]*schemas.PolicyTarget, error) {
-	f := expression.Name("policy_id").Equal(expression.Value(policyID))
-	items, err := p.scanFilteredAll(ctx, schemas.Collections.PolicyTarget, nil, &f)
-	if err != nil {
-		return nil, err
-	}
-	var targets []*schemas.PolicyTarget
-	for _, it := range items {
-		var target schemas.PolicyTarget
-		if err := unmarshalItem(it, &target); err != nil {
-			return nil, err
-		}
-		targets = append(targets, &target)
-	}
-	return targets, nil
-}
diff --git a/internal/storage/db/dynamodb/resource.go b/internal/storage/db/dynamodb/resource.go
deleted file mode 100644
index 14cfb366..00000000
--- a/internal/storage/db/dynamodb/resource.go
+++ /dev/null
@@ -1,122 +0,0 @@
-package dynamodb
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"time"
-
-	"github.com/aws/aws-sdk-go-v2/feature/dynamodb/expression"
-	"github.com/aws/aws-sdk-go-v2/service/dynamodb/types"
-	"github.com/google/uuid"
-
-	"github.com/authorizerdev/authorizer/internal/graph/model"
-	"github.com/authorizerdev/authorizer/internal/storage/schemas"
-)
-
-// AddResource creates a new authorization resource.
-// DynamoDB lacks unique secondary-index constraints, so we explicitly
-// check for an existing resource with the same name before inserting.
-func (p *provider) AddResource(ctx context.Context, resource *schemas.Resource) (*schemas.Resource, error) {
-	if existing, err := p.GetResourceByName(ctx, resource.Name); err == nil && existing != nil {
-		return nil, fmt.Errorf("resource with name %q already exists", resource.Name)
-	}
-	if resource.ID == "" {
-		resource.ID = uuid.New().String()
-	}
-	resource.Key = resource.ID
-	resource.CreatedAt = time.Now().Unix()
-	resource.UpdatedAt = time.Now().Unix()
-	if err := p.putItem(ctx, schemas.Collections.Resource, resource); err != nil {
-		return nil, err
-	}
-	return resource, nil
-}
-
-// UpdateResource updates an existing authorization resource.
-func (p *provider) UpdateResource(ctx context.Context, resource *schemas.Resource) (*schemas.Resource, error) {
-	resource.UpdatedAt = time.Now().Unix()
-	if err := p.updateByHashKey(ctx, schemas.Collections.Resource, "id", resource.ID, resource); err != nil {
-		return nil, err
-	}
-	return resource, nil
-}
-
-// DeleteResource deletes an authorization resource by ID.
-// Returns an error if any permission references this resource.
-func (p *provider) DeleteResource(ctx context.Context, id string) error {
-	// Check for referencing permissions via resource_id GSI
-	f := expression.Name("resource_id").Equal(expression.Value(id))
-	items, err := p.scanFilteredAll(ctx, schemas.Collections.Permission, nil, &f)
-	if err != nil {
-		return err
-	}
-	if len(items) > 0 {
-		return fmt.Errorf("cannot delete resource: %d permission(s) reference it", len(items))
-	}
-	return p.deleteItemByHash(ctx, schemas.Collections.Resource, "id", id)
-}
-
-// GetResourceByID returns an authorization resource by its ID.
-func (p *provider) GetResourceByID(ctx context.Context, id string) (*schemas.Resource, error) {
-	var resource schemas.Resource
-	if err := p.getItemByHash(ctx, schemas.Collections.Resource, "id", id, &resource); err != nil {
-		return nil, err
-	}
-	if resource.ID == "" {
-		return nil, errors.New("no document found")
-	}
-	return &resource, nil
-}
-
-// GetResourceByName returns an authorization resource by its unique name.
-func (p *provider) GetResourceByName(ctx context.Context, name string) (*schemas.Resource, error) {
-	items, err := p.queryEqLimit(ctx, schemas.Collections.Resource, "name", "name", name, nil, 1)
-	if err != nil {
-		return nil, err
-	}
-	if len(items) == 0 {
-		return nil, errors.New("no document found")
-	}
-	var resource schemas.Resource
-	if err := unmarshalItem(items[0], &resource); err != nil {
-		return nil, err
-	}
-	return &resource, nil
-}
-
-// ListResources returns a paginated list of authorization resources.
-func (p *provider) ListResources(ctx context.Context, pagination *model.Pagination) ([]*schemas.Resource, *model.Pagination, error) {
-	var lastKey map[string]types.AttributeValue
-	var iteration int64
-	paginationClone := *pagination
-	var resources []*schemas.Resource
-
-	count, err := p.scanCount(ctx, schemas.Collections.Resource, nil)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	for (paginationClone.Offset + paginationClone.Limit) > iteration {
-		items, next, err := p.scanPageIter(ctx, schemas.Collections.Resource, nil, int32(paginationClone.Limit), lastKey)
-		if err != nil {
-			return nil, nil, err
-		}
-		for _, it := range items {
-			var r schemas.Resource
-			if err := unmarshalItem(it, &r); err != nil {
-				return nil, nil, err
-			}
-			if paginationClone.Offset == iteration {
-				resources = append(resources, &r)
-			}
-		}
-		lastKey = next
-		iteration += paginationClone.Limit
-		if lastKey == nil {
-			break
-		}
-	}
-	paginationClone.Total = count
-	return resources, &paginationClone, nil
-}
diff --git a/internal/storage/db/dynamodb/scope.go b/internal/storage/db/dynamodb/scope.go
deleted file mode 100644
index ba9c3098..00000000
--- a/internal/storage/db/dynamodb/scope.go
+++ /dev/null
@@ -1,121 +0,0 @@
-package dynamodb
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"time"
-
-	"github.com/aws/aws-sdk-go-v2/feature/dynamodb/expression"
-	"github.com/aws/aws-sdk-go-v2/service/dynamodb/types"
-	"github.com/google/uuid"
-
-	"github.com/authorizerdev/authorizer/internal/graph/model"
-	"github.com/authorizerdev/authorizer/internal/storage/schemas"
-)
-
-// AddScope creates a new authorization scope.
-// DynamoDB lacks unique secondary-index constraints, so we explicitly
-// check for an existing scope with the same name before inserting.
-func (p *provider) AddScope(ctx context.Context, scope *schemas.Scope) (*schemas.Scope, error) {
-	if existing, err := p.GetScopeByName(ctx, scope.Name); err == nil && existing != nil {
-		return nil, fmt.Errorf("scope with name %q already exists", scope.Name)
-	}
-	if scope.ID == "" {
-		scope.ID = uuid.New().String()
-	}
-	scope.Key = scope.ID
-	scope.CreatedAt = time.Now().Unix()
-	scope.UpdatedAt = time.Now().Unix()
-	if err := p.putItem(ctx, schemas.Collections.Scope, scope); err != nil {
-		return nil, err
-	}
-	return scope, nil
-}
-
-// UpdateScope updates an existing authorization scope.
-func (p *provider) UpdateScope(ctx context.Context, scope *schemas.Scope) (*schemas.Scope, error) {
-	scope.UpdatedAt = time.Now().Unix()
-	if err := p.updateByHashKey(ctx, schemas.Collections.Scope, "id", scope.ID, scope); err != nil {
-		return nil, err
-	}
-	return scope, nil
-}
-
-// DeleteScope deletes an authorization scope by ID.
-// Returns an error if any permission_scope references this scope.
-func (p *provider) DeleteScope(ctx context.Context, id string) error {
-	f := expression.Name("scope_id").Equal(expression.Value(id))
-	items, err := p.scanFilteredAll(ctx, schemas.Collections.PermissionScope, nil, &f)
-	if err != nil {
-		return err
-	}
-	if len(items) > 0 {
-		return fmt.Errorf("cannot delete scope: %d permission_scope(s) reference it", len(items))
-	}
-	return p.deleteItemByHash(ctx, schemas.Collections.Scope, "id", id)
-}
-
-// GetScopeByID returns an authorization scope by its ID.
-func (p *provider) GetScopeByID(ctx context.Context, id string) (*schemas.Scope, error) {
-	var scope schemas.Scope
-	if err := p.getItemByHash(ctx, schemas.Collections.Scope, "id", id, &scope); err != nil {
-		return nil, err
-	}
-	if scope.ID == "" {
-		return nil, errors.New("no document found")
-	}
-	return &scope, nil
-}
-
-// GetScopeByName returns an authorization scope by its unique name.
-func (p *provider) GetScopeByName(ctx context.Context, name string) (*schemas.Scope, error) {
-	items, err := p.queryEqLimit(ctx, schemas.Collections.Scope, "name", "name", name, nil, 1)
-	if err != nil {
-		return nil, err
-	}
-	if len(items) == 0 {
-		return nil, errors.New("no document found")
-	}
-	var scope schemas.Scope
-	if err := unmarshalItem(items[0], &scope); err != nil {
-		return nil, err
-	}
-	return &scope, nil
-}
-
-// ListScopes returns a paginated list of authorization scopes.
-func (p *provider) ListScopes(ctx context.Context, pagination *model.Pagination) ([]*schemas.Scope, *model.Pagination, error) {
-	var lastKey map[string]types.AttributeValue
-	var iteration int64
-	paginationClone := *pagination
-	var scopes []*schemas.Scope
-
-	count, err := p.scanCount(ctx, schemas.Collections.Scope, nil)
-	if err != nil {
-		return nil, nil, err
-	}
-
-	for (paginationClone.Offset + paginationClone.Limit) > iteration {
-		items, next, err := p.scanPageIter(ctx, schemas.Collections.Scope, nil, int32(paginationClone.Limit), lastKey)
-		if err != nil {
-			return nil, nil, err
-		}
-		for _, it := range items {
-			var s schemas.Scope
-			if err := unmarshalItem(it, &s); err != nil {
-				return nil, nil, err
-			}
-			if paginationClone.Offset == iteration {
-				scopes = append(scopes, &s)
-			}
-		}
-		lastKey = next
-		iteration += paginationClone.Limit
-		if lastKey == nil {
-			break
-		}
-	}
-	paginationClone.Total = count
-	return scopes, &paginationClone, nil
-}
diff --git a/internal/storage/db/dynamodb/tables.go b/internal/storage/db/dynamodb/tables.go
index 0109a204..81b8b705 100644
--- a/internal/storage/db/dynamodb/tables.go
+++ b/internal/storage/db/dynamodb/tables.go
@@ -173,74 +173,6 @@ func (p *provider) ensureTables(ctx context.Context) error {
 				gsi("action", "action"),
 			},
 		},
-		// Authorization tables
-		{
-			name: schemas.Collections.Resource,
-			hash: "id",
-			attr: []types.AttributeDefinition{
-				{AttributeName: aws.String("id"), AttributeType: types.ScalarAttributeTypeS},
-				{AttributeName: aws.String("name"), AttributeType: types.ScalarAttributeTypeS},
-			},
-			gsi: []types.GlobalSecondaryIndex{gsi("name", "name")},
-		},
-		{
-			name: schemas.Collections.Scope,
-			hash: "id",
-			attr: []types.AttributeDefinition{
-				{AttributeName: aws.String("id"), AttributeType: types.ScalarAttributeTypeS},
-				{AttributeName: aws.String("name"), AttributeType: types.ScalarAttributeTypeS},
-			},
-			gsi: []types.GlobalSecondaryIndex{gsi("name", "name")},
-		},
-		{
-			name: schemas.Collections.Policy,
-			hash: "id",
-			attr: []types.AttributeDefinition{
-				{AttributeName: aws.String("id"), AttributeType: types.ScalarAttributeTypeS},
-				{AttributeName: aws.String("name"), AttributeType: types.ScalarAttributeTypeS},
-			},
-			gsi: []types.GlobalSecondaryIndex{gsi("name", "name")},
-		},
-		{
-			name: schemas.Collections.PolicyTarget,
-			hash: "id",
-			attr: []types.AttributeDefinition{
-				{AttributeName: aws.String("id"), AttributeType: types.ScalarAttributeTypeS},
-				{AttributeName: aws.String("policy_id"), AttributeType: types.ScalarAttributeTypeS},
-			},
-			gsi: []types.GlobalSecondaryIndex{gsi("policy_id", "policy_id")},
-		},
-		{
-			name: schemas.Collections.Permission,
-			hash: "id",
-			attr: []types.AttributeDefinition{
-				{AttributeName: aws.String("id"), AttributeType: types.ScalarAttributeTypeS},
-				{AttributeName: aws.String("name"), AttributeType: types.ScalarAttributeTypeS},
-				{AttributeName: aws.String("resource_id"), AttributeType: types.ScalarAttributeTypeS},
-			},
-			gsi: []types.GlobalSecondaryIndex{
-				gsi("name", "name"),
-				gsi("resource_id", "resource_id"),
-			},
-		},
-		{
-			name: schemas.Collections.PermissionScope,
-			hash: "id",
-			attr: []types.AttributeDefinition{
-				{AttributeName: aws.String("id"), AttributeType: types.ScalarAttributeTypeS},
-				{AttributeName: aws.String("permission_id"), AttributeType: types.ScalarAttributeTypeS},
-			},
-			gsi: []types.GlobalSecondaryIndex{gsi("permission_id", "permission_id")},
-		},
-		{
-			name: schemas.Collections.PermissionPolicy,
-			hash: "id",
-			attr: []types.AttributeDefinition{
-				{AttributeName: aws.String("id"), AttributeType: types.ScalarAttributeTypeS},
-				{AttributeName: aws.String("permission_id"), AttributeType: types.ScalarAttributeTypeS},
-			},
-			gsi: []types.GlobalSecondaryIndex{gsi("permission_id", "permission_id")},
-		},
 	}
 
 	for _, t := range tables {
diff --git a/internal/storage/db/mongodb/permission.go b/internal/storage/db/mongodb/permission.go
deleted file mode 100644
index 75dd9808..00000000
--- a/internal/storage/db/mongodb/permission.go
+++ /dev/null
@@ -1,325 +0,0 @@
-package mongodb
-
-import (
-	"context"
-	"time"
-
-	"github.com/google/uuid"
-	"go.mongodb.org/mongo-driver/bson"
-	"go.mongodb.org/mongo-driver/mongo/options"
-
-	"github.com/authorizerdev/authorizer/internal/graph/model"
-	"github.com/authorizerdev/authorizer/internal/storage/schemas"
-)
-
-// AddPermission creates a new authorization permission.
-func (p *provider) AddPermission(ctx context.Context, permission *schemas.Permission) (*schemas.Permission, error) {
-	if permission.ID == "" {
-		permission.ID = uuid.New().String()
-	}
-	permission.Key = permission.ID
-	permission.CreatedAt = time.Now().Unix()
-	permission.UpdatedAt = time.Now().Unix()
-	collection := p.db.Collection(schemas.Collections.Permission, options.Collection())
-	_, err := collection.InsertOne(ctx, permission)
-	if err != nil {
-		return nil, err
-	}
-	return permission, nil
-}
-
-// UpdatePermission updates an existing authorization permission.
-func (p *provider) UpdatePermission(ctx context.Context, permission *schemas.Permission) (*schemas.Permission, error) {
-	permission.UpdatedAt = time.Now().Unix()
-	collection := p.db.Collection(schemas.Collections.Permission, options.Collection())
-	_, err := collection.UpdateOne(ctx, bson.M{"_id": bson.M{"$eq": permission.ID}}, bson.M{"$set": permission}, options.MergeUpdateOptions())
-	if err != nil {
-		return nil, err
-	}
-	return permission, nil
-}
-
-// DeletePermission deletes an authorization permission by ID.
-// Cascade-deletes associated permission_scopes and permission_policies.
-func (p *provider) DeletePermission(ctx context.Context, id string) error {
-	permissionScopeCollection := p.db.Collection(schemas.Collections.PermissionScope, options.Collection())
-	_, err := permissionScopeCollection.DeleteMany(ctx, bson.M{"permission_id": id}, options.Delete())
-	if err != nil {
-		return err
-	}
-	permissionPolicyCollection := p.db.Collection(schemas.Collections.PermissionPolicy, options.Collection())
-	_, err = permissionPolicyCollection.DeleteMany(ctx, bson.M{"permission_id": id}, options.Delete())
-	if err != nil {
-		return err
-	}
-	collection := p.db.Collection(schemas.Collections.Permission, options.Collection())
-	_, err = collection.DeleteOne(ctx, bson.M{"_id": id}, options.Delete())
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-// GetPermissionByID returns an authorization permission by its ID.
-func (p *provider) GetPermissionByID(ctx context.Context, id string) (*schemas.Permission, error) {
-	var permission schemas.Permission
-	collection := p.db.Collection(schemas.Collections.Permission, options.Collection())
-	err := collection.FindOne(ctx, bson.M{"_id": id}).Decode(&permission)
-	if err != nil {
-		return nil, err
-	}
-	return &permission, nil
-}
-
-// ListPermissions returns a paginated list of authorization permissions.
-func (p *provider) ListPermissions(ctx context.Context, pagination *model.Pagination) ([]*schemas.Permission, *model.Pagination, error) {
-	permissions := []*schemas.Permission{}
-	opts := options.Find()
-	opts.SetLimit(pagination.Limit)
-	opts.SetSkip(pagination.Offset)
-	opts.SetSort(bson.M{"created_at": -1})
-	paginationClone := *pagination
-	collection := p.db.Collection(schemas.Collections.Permission, options.Collection())
-	count, err := collection.CountDocuments(ctx, bson.M{}, options.Count())
-	if err != nil {
-		return nil, nil, err
-	}
-	paginationClone.Total = count
-	cursor, err := collection.Find(ctx, bson.M{}, opts)
-	if err != nil {
-		return nil, nil, err
-	}
-	defer cursor.Close(ctx)
-	for cursor.Next(ctx) {
-		var permission *schemas.Permission
-		err := cursor.Decode(&permission)
-		if err != nil {
-			return nil, nil, err
-		}
-		permissions = append(permissions, permission)
-	}
-	return permissions, &paginationClone, nil
-}
-
-// AddPermissionScope links a scope to a permission.
-func (p *provider) AddPermissionScope(ctx context.Context, ps *schemas.PermissionScope) (*schemas.PermissionScope, error) {
-	if ps.ID == "" {
-		ps.ID = uuid.New().String()
-	}
-	ps.Key = ps.ID
-	ps.CreatedAt = time.Now().Unix()
-	collection := p.db.Collection(schemas.Collections.PermissionScope, options.Collection())
-	_, err := collection.InsertOne(ctx, ps)
-	if err != nil {
-		return nil, err
-	}
-	return ps, nil
-}
-
-// DeletePermissionScopesByPermissionID removes all scope links for a permission.
-func (p *provider) DeletePermissionScopesByPermissionID(ctx context.Context, permissionID string) error {
-	collection := p.db.Collection(schemas.Collections.PermissionScope, options.Collection())
-	_, err := collection.DeleteMany(ctx, bson.M{"permission_id": permissionID}, options.Delete())
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-// GetPermissionScopes returns all scope links for a permission.
-func (p *provider) GetPermissionScopes(ctx context.Context, permissionID string) ([]*schemas.PermissionScope, error) {
-	scopes := []*schemas.PermissionScope{}
-	collection := p.db.Collection(schemas.Collections.PermissionScope, options.Collection())
-	cursor, err := collection.Find(ctx, bson.M{"permission_id": permissionID})
-	if err != nil {
-		return nil, err
-	}
-	defer cursor.Close(ctx)
-	for cursor.Next(ctx) {
-		var ps *schemas.PermissionScope
-		err := cursor.Decode(&ps)
-		if err != nil {
-			return nil, err
-		}
-		scopes = append(scopes, ps)
-	}
-	return scopes, nil
-}
-
-// AddPermissionPolicy links a policy to a permission.
-func (p *provider) AddPermissionPolicy(ctx context.Context, pp *schemas.PermissionPolicy) (*schemas.PermissionPolicy, error) {
-	if pp.ID == "" {
-		pp.ID = uuid.New().String()
-	}
-	pp.Key = pp.ID
-	pp.CreatedAt = time.Now().Unix()
-	collection := p.db.Collection(schemas.Collections.PermissionPolicy, options.Collection())
-	_, err := collection.InsertOne(ctx, pp)
-	if err != nil {
-		return nil, err
-	}
-	return pp, nil
-}
-
-// DeletePermissionPoliciesByPermissionID removes all policy links for a permission.
-func (p *provider) DeletePermissionPoliciesByPermissionID(ctx context.Context, permissionID string) error {
-	collection := p.db.Collection(schemas.Collections.PermissionPolicy, options.Collection())
-	_, err := collection.DeleteMany(ctx, bson.M{"permission_id": permissionID}, options.Delete())
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-// GetPermissionPolicies returns all policy links for a permission.
-func (p *provider) GetPermissionPolicies(ctx context.Context, permissionID string) ([]*schemas.PermissionPolicy, error) {
-	policies := []*schemas.PermissionPolicy{}
-	collection := p.db.Collection(schemas.Collections.PermissionPolicy, options.Collection())
-	cursor, err := collection.Find(ctx, bson.M{"permission_id": permissionID})
-	if err != nil {
-		return nil, err
-	}
-	defer cursor.Close(ctx)
-	for cursor.Next(ctx) {
-		var pp *schemas.PermissionPolicy
-		err := cursor.Decode(&pp)
-		if err != nil {
-			return nil, err
-		}
-		policies = append(policies, pp)
-	}
-	return policies, nil
-}
-
-// GetPermissionsForResourceScope returns all permissions (with their policies and targets)
-// that match a given resource name and scope name. This is the hot-path query used by
-// the evaluation engine. Uses sequential queries for clarity.
-func (p *provider) GetPermissionsForResourceScope(ctx context.Context, resourceName string, scopeName string) ([]*schemas.PermissionWithPolicies, error) {
-	// 1. Find resource by name
-	var resource schemas.Resource
-	resourceCollection := p.db.Collection(schemas.Collections.Resource, options.Collection())
-	err := resourceCollection.FindOne(ctx, bson.M{"name": resourceName}).Decode(&resource)
-	if err != nil {
-		return nil, err
-	}
-
-	// 2. Find scope by name
-	var scope schemas.Scope
-	scopeCollection := p.db.Collection(schemas.Collections.Scope, options.Collection())
-	err = scopeCollection.FindOne(ctx, bson.M{"name": scopeName}).Decode(&scope)
-	if err != nil {
-		return nil, err
-	}
-
-	// 3. Find permissions for this resource
-	permissionCollection := p.db.Collection(schemas.Collections.Permission, options.Collection())
-	permCursor, err := permissionCollection.Find(ctx, bson.M{"resource_id": resource.ID})
-	if err != nil {
-		return nil, err
-	}
-	defer permCursor.Close(ctx)
-
-	var permissions []schemas.Permission
-	for permCursor.Next(ctx) {
-		var perm schemas.Permission
-		if err := permCursor.Decode(&perm); err != nil {
-			return nil, err
-		}
-		permissions = append(permissions, perm)
-	}
-
-	if len(permissions) == 0 {
-		return nil, nil
-	}
-
-	// 4. For each permission, check if it has the requested scope
-	permissionScopeCollection := p.db.Collection(schemas.Collections.PermissionScope, options.Collection())
-	permissionPolicyCollection := p.db.Collection(schemas.Collections.PermissionPolicy, options.Collection())
-	policyCollection := p.db.Collection(schemas.Collections.Policy, options.Collection())
-	policyTargetCollection := p.db.Collection(schemas.Collections.PolicyTarget, options.Collection())
-
-	var result []*schemas.PermissionWithPolicies
-
-	for _, perm := range permissions {
-		// Check if this permission has the requested scope
-		scopeCount, err := permissionScopeCollection.CountDocuments(ctx, bson.M{
-			"permission_id": perm.ID,
-			"scope_id":      scope.ID,
-		}, options.Count())
-		if err != nil {
-			return nil, err
-		}
-		if scopeCount == 0 {
-			continue
-		}
-
-		// 5. Find permission_policies for this permission
-		ppCursor, err := permissionPolicyCollection.Find(ctx, bson.M{"permission_id": perm.ID})
-		if err != nil {
-			return nil, err
-		}
-
-		var permPolicies []schemas.PermissionPolicy
-		for ppCursor.Next(ctx) {
-			var pp schemas.PermissionPolicy
-			if err := ppCursor.Decode(&pp); err != nil {
-				ppCursor.Close(ctx)
-				return nil, err
-			}
-			permPolicies = append(permPolicies, pp)
-		}
-		ppCursor.Close(ctx)
-
-		if len(permPolicies) == 0 {
-			continue
-		}
-
-		// 6. For each permission_policy, resolve the policy and its targets
-		var policiesWithTargets []schemas.PolicyWithTargets
-		for _, pp := range permPolicies {
-			var policy schemas.Policy
-			err := policyCollection.FindOne(ctx, bson.M{"_id": pp.PolicyID}).Decode(&policy)
-			if err != nil {
-				return nil, err
-			}
-
-			// Get targets for this policy
-			targetCursor, err := policyTargetCollection.Find(ctx, bson.M{"policy_id": policy.ID})
-			if err != nil {
-				return nil, err
-			}
-
-			var targets []schemas.PolicyTargetView
-			for targetCursor.Next(ctx) {
-				var target schemas.PolicyTarget
-				if err := targetCursor.Decode(&target); err != nil {
-					targetCursor.Close(ctx)
-					return nil, err
-				}
-				targets = append(targets, schemas.PolicyTargetView{
-					TargetType:  target.TargetType,
-					TargetValue: target.TargetValue,
-				})
-			}
-			targetCursor.Close(ctx)
-
-			policiesWithTargets = append(policiesWithTargets, schemas.PolicyWithTargets{
-				PolicyID:         policy.ID,
-				PolicyName:       policy.Name,
-				Type:             policy.Type,
-				Logic:            policy.Logic,
-				DecisionStrategy: policy.DecisionStrategy,
-				Targets:          targets,
-			})
-		}
-
-		result = append(result, &schemas.PermissionWithPolicies{
-			PermissionID:     perm.ID,
-			PermissionName:   perm.Name,
-			DecisionStrategy: perm.DecisionStrategy,
-			Policies:         policiesWithTargets,
-		})
-	}
-
-	return result, nil
-}
diff --git a/internal/storage/db/mongodb/policy.go b/internal/storage/db/mongodb/policy.go
deleted file mode 100644
index dd5dadac..00000000
--- a/internal/storage/db/mongodb/policy.go
+++ /dev/null
@@ -1,153 +0,0 @@
-package mongodb
-
-import (
-	"context"
-	"fmt"
-	"time"
-
-	"github.com/google/uuid"
-	"go.mongodb.org/mongo-driver/bson"
-	"go.mongodb.org/mongo-driver/mongo/options"
-
-	"github.com/authorizerdev/authorizer/internal/graph/model"
-	"github.com/authorizerdev/authorizer/internal/storage/schemas"
-)
-
-// AddPolicy creates a new authorization policy.
-func (p *provider) AddPolicy(ctx context.Context, policy *schemas.Policy) (*schemas.Policy, error) {
-	if policy.ID == "" {
-		policy.ID = uuid.New().String()
-	}
-	policy.Key = policy.ID
-	policy.CreatedAt = time.Now().Unix()
-	policy.UpdatedAt = time.Now().Unix()
-	collection := p.db.Collection(schemas.Collections.Policy, options.Collection())
-	_, err := collection.InsertOne(ctx, policy)
-	if err != nil {
-		return nil, err
-	}
-	return policy, nil
-}
-
-// UpdatePolicy updates an existing authorization policy.
-func (p *provider) UpdatePolicy(ctx context.Context, policy *schemas.Policy) (*schemas.Policy, error) {
-	policy.UpdatedAt = time.Now().Unix()
-	collection := p.db.Collection(schemas.Collections.Policy, options.Collection())
-	_, err := collection.UpdateOne(ctx, bson.M{"_id": bson.M{"$eq": policy.ID}}, bson.M{"$set": policy}, options.MergeUpdateOptions())
-	if err != nil {
-		return nil, err
-	}
-	return policy, nil
-}
-
-// DeletePolicy deletes an authorization policy by ID.
-// Returns an error if any permission_policy references this policy.
-// Cascade-deletes associated policy targets.
-func (p *provider) DeletePolicy(ctx context.Context, id string) error {
-	permissionPolicyCollection := p.db.Collection(schemas.Collections.PermissionPolicy, options.Collection())
-	count, err := permissionPolicyCollection.CountDocuments(ctx, bson.M{"policy_id": id}, options.Count())
-	if err != nil {
-		return err
-	}
-	if count > 0 {
-		return fmt.Errorf("cannot delete policy: %d permission_policy(s) reference it", count)
-	}
-	// Cascade-delete policy targets
-	policyTargetCollection := p.db.Collection(schemas.Collections.PolicyTarget, options.Collection())
-	_, err = policyTargetCollection.DeleteMany(ctx, bson.M{"policy_id": id}, options.Delete())
-	if err != nil {
-		return err
-	}
-	collection := p.db.Collection(schemas.Collections.Policy, options.Collection())
-	_, err = collection.DeleteOne(ctx, bson.M{"_id": id}, options.Delete())
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-// GetPolicyByID returns an authorization policy by its ID.
-func (p *provider) GetPolicyByID(ctx context.Context, id string) (*schemas.Policy, error) {
-	var policy schemas.Policy
-	collection := p.db.Collection(schemas.Collections.Policy, options.Collection())
-	err := collection.FindOne(ctx, bson.M{"_id": id}).Decode(&policy)
-	if err != nil {
-		return nil, err
-	}
-	return &policy, nil
-}
-
-// ListPolicies returns a paginated list of authorization policies.
-func (p *provider) ListPolicies(ctx context.Context, pagination *model.Pagination) ([]*schemas.Policy, *model.Pagination, error) {
-	policies := []*schemas.Policy{}
-	opts := options.Find()
-	opts.SetLimit(pagination.Limit)
-	opts.SetSkip(pagination.Offset)
-	opts.SetSort(bson.M{"created_at": -1})
-	paginationClone := *pagination
-	collection := p.db.Collection(schemas.Collections.Policy, options.Collection())
-	count, err := collection.CountDocuments(ctx, bson.M{}, options.Count())
-	if err != nil {
-		return nil, nil, err
-	}
-	paginationClone.Total = count
-	cursor, err := collection.Find(ctx, bson.M{}, opts)
-	if err != nil {
-		return nil, nil, err
-	}
-	defer cursor.Close(ctx)
-	for cursor.Next(ctx) {
-		var policy *schemas.Policy
-		err := cursor.Decode(&policy)
-		if err != nil {
-			return nil, nil, err
-		}
-		policies = append(policies, policy)
-	}
-	return policies, &paginationClone, nil
-}
-
-// AddPolicyTarget adds a target (role name or user ID) to a policy.
-func (p *provider) AddPolicyTarget(ctx context.Context, target *schemas.PolicyTarget) (*schemas.PolicyTarget, error) {
-	if target.ID == "" {
-		target.ID = uuid.New().String()
-	}
-	target.Key = target.ID
-	target.CreatedAt = time.Now().Unix()
-	collection := p.db.Collection(schemas.Collections.PolicyTarget, options.Collection())
-	_, err := collection.InsertOne(ctx, target)
-	if err != nil {
-		return nil, err
-	}
-	return target, nil
-}
-
-// DeletePolicyTargetsByPolicyID removes all targets for a policy.
-func (p *provider) DeletePolicyTargetsByPolicyID(ctx context.Context, policyID string) error {
-	collection := p.db.Collection(schemas.Collections.PolicyTarget, options.Collection())
-	_, err := collection.DeleteMany(ctx, bson.M{"policy_id": policyID}, options.Delete())
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-// GetPolicyTargets returns all targets for a policy.
-func (p *provider) GetPolicyTargets(ctx context.Context, policyID string) ([]*schemas.PolicyTarget, error) {
-	targets := []*schemas.PolicyTarget{}
-	collection := p.db.Collection(schemas.Collections.PolicyTarget, options.Collection())
-	cursor, err := collection.Find(ctx, bson.M{"policy_id": policyID})
-	if err != nil {
-		return nil, err
-	}
-	defer cursor.Close(ctx)
-	for cursor.Next(ctx) {
-		var target *schemas.PolicyTarget
-		err := cursor.Decode(&target)
-		if err != nil {
-			return nil, err
-		}
-		targets = append(targets, target)
-	}
-	return targets, nil
-}
diff --git a/internal/storage/db/mongodb/provider.go b/internal/storage/db/mongodb/provider.go
index b89f4e5f..273107fc 100644
--- a/internal/storage/db/mongodb/provider.go
+++ b/internal/storage/db/mongodb/provider.go
@@ -196,96 +196,6 @@ func NewProvider(config *config.Config, deps *Dependencies) (*provider, error) {
 		},
 	}, options.CreateIndexes())
 
-	// Resource collection and indexes
-	mongodb.CreateCollection(ctx, schemas.Collections.Resource, options.CreateCollection())
-	resourceCollection := mongodb.Collection(schemas.Collections.Resource, options.Collection())
-	resourceCollection.Indexes().CreateMany(ctx, []mongo.IndexModel{
-		{
-			Keys:    bson.M{"name": 1},
-			Options: options.Index().SetUnique(true).SetSparse(true),
-		},
-	}, options.CreateIndexes())
-
-	// Scope collection and indexes
-	mongodb.CreateCollection(ctx, schemas.Collections.Scope, options.CreateCollection())
-	scopeCollection := mongodb.Collection(schemas.Collections.Scope, options.Collection())
-	scopeCollection.Indexes().CreateMany(ctx, []mongo.IndexModel{
-		{
-			Keys:    bson.M{"name": 1},
-			Options: options.Index().SetUnique(true).SetSparse(true),
-		},
-	}, options.CreateIndexes())
-
-	// Policy collection and indexes
-	mongodb.CreateCollection(ctx, schemas.Collections.Policy, options.CreateCollection())
-	policyCollection := mongodb.Collection(schemas.Collections.Policy, options.Collection())
-	policyCollection.Indexes().CreateMany(ctx, []mongo.IndexModel{
-		{
-			Keys:    bson.M{"name": 1},
-			Options: options.Index().SetUnique(true).SetSparse(true),
-		},
-		{
-			Keys:    bson.M{"type": 1},
-			Options: options.Index().SetSparse(true),
-		},
-	}, options.CreateIndexes())
-
-	// PolicyTarget collection and indexes
-	mongodb.CreateCollection(ctx, schemas.Collections.PolicyTarget, options.CreateCollection())
-	policyTargetCollection := mongodb.Collection(schemas.Collections.PolicyTarget, options.Collection())
-	policyTargetCollection.Indexes().CreateMany(ctx, []mongo.IndexModel{
-		{
-			Keys:    bson.M{"policy_id": 1},
-			Options: options.Index().SetSparse(true),
-		},
-		{
-			Keys:    bson.D{{Key: "policy_id", Value: 1}, {Key: "target_type", Value: 1}, {Key: "target_value", Value: 1}},
-			Options: options.Index().SetUnique(true).SetSparse(true),
-		},
-	}, options.CreateIndexes())
-
-	// Permission collection and indexes
-	mongodb.CreateCollection(ctx, schemas.Collections.Permission, options.CreateCollection())
-	permissionCollection := mongodb.Collection(schemas.Collections.Permission, options.Collection())
-	permissionCollection.Indexes().CreateMany(ctx, []mongo.IndexModel{
-		{
-			Keys:    bson.M{"name": 1},
-			Options: options.Index().SetUnique(true).SetSparse(true),
-		},
-		{
-			Keys:    bson.M{"resource_id": 1},
-			Options: options.Index().SetSparse(true),
-		},
-	}, options.CreateIndexes())
-
-	// PermissionScope collection and indexes
-	mongodb.CreateCollection(ctx, schemas.Collections.PermissionScope, options.CreateCollection())
-	permissionScopeCollection := mongodb.Collection(schemas.Collections.PermissionScope, options.Collection())
-	permissionScopeCollection.Indexes().CreateMany(ctx, []mongo.IndexModel{
-		{
-			Keys:    bson.M{"permission_id": 1},
-			Options: options.Index().SetSparse(true),
-		},
-		{
-			Keys:    bson.D{{Key: "permission_id", Value: 1}, {Key: "scope_id", Value: 1}},
-			Options: options.Index().SetUnique(true).SetSparse(true),
-		},
-	}, options.CreateIndexes())
-
-	// PermissionPolicy collection and indexes
-	mongodb.CreateCollection(ctx, schemas.Collections.PermissionPolicy, options.CreateCollection())
-	permissionPolicyCollection := mongodb.Collection(schemas.Collections.PermissionPolicy, options.Collection())
-	permissionPolicyCollection.Indexes().CreateMany(ctx, []mongo.IndexModel{
-		{
-			Keys:    bson.M{"permission_id": 1},
-			Options: options.Index().SetSparse(true),
-		},
-		{
-			Keys:    bson.D{{Key: "permission_id", Value: 1}, {Key: "policy_id", Value: 1}},
-			Options: options.Index().SetUnique(true).SetSparse(true),
-		},
-	}, options.CreateIndexes())
-
 	return &provider{
 		config:       config,
 		dependencies: deps,
diff --git a/internal/storage/db/mongodb/resource.go b/internal/storage/db/mongodb/resource.go
deleted file mode 100644
index b0cbe4d8..00000000
--- a/internal/storage/db/mongodb/resource.go
+++ /dev/null
@@ -1,112 +0,0 @@
-package mongodb
-
-import (
-	"context"
-	"fmt"
-	"time"
-
-	"github.com/google/uuid"
-	"go.mongodb.org/mongo-driver/bson"
-	"go.mongodb.org/mongo-driver/mongo/options"
-
-	"github.com/authorizerdev/authorizer/internal/graph/model"
-	"github.com/authorizerdev/authorizer/internal/storage/schemas"
-)
-
-// AddResource creates a new authorization resource.
-func (p *provider) AddResource(ctx context.Context, resource *schemas.Resource) (*schemas.Resource, error) {
-	if resource.ID == "" {
-		resource.ID = uuid.New().String()
-	}
-	resource.Key = resource.ID
-	resource.CreatedAt = time.Now().Unix()
-	resource.UpdatedAt = time.Now().Unix()
-	collection := p.db.Collection(schemas.Collections.Resource, options.Collection())
-	_, err := collection.InsertOne(ctx, resource)
-	if err != nil {
-		return nil, err
-	}
-	return resource, nil
-}
-
-// UpdateResource updates an existing authorization resource.
-func (p *provider) UpdateResource(ctx context.Context, resource *schemas.Resource) (*schemas.Resource, error) {
-	resource.UpdatedAt = time.Now().Unix()
-	collection := p.db.Collection(schemas.Collections.Resource, options.Collection())
-	_, err := collection.UpdateOne(ctx, bson.M{"_id": bson.M{"$eq": resource.ID}}, bson.M{"$set": resource}, options.MergeUpdateOptions())
-	if err != nil {
-		return nil, err
-	}
-	return resource, nil
-}
-
-// DeleteResource deletes an authorization resource by ID.
-// Returns an error if any permission references this resource.
-func (p *provider) DeleteResource(ctx context.Context, id string) error {
-	permissionCollection := p.db.Collection(schemas.Collections.Permission, options.Collection())
-	count, err := permissionCollection.CountDocuments(ctx, bson.M{"resource_id": id}, options.Count())
-	if err != nil {
-		return err
-	}
-	if count > 0 {
-		return fmt.Errorf("cannot delete resource: %d permission(s) reference it", count)
-	}
-	collection := p.db.Collection(schemas.Collections.Resource, options.Collection())
-	_, err = collection.DeleteOne(ctx, bson.M{"_id": id}, options.Delete())
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-// GetResourceByID returns an authorization resource by its ID.
-func (p *provider) GetResourceByID(ctx context.Context, id string) (*schemas.Resource, error) {
-	var resource schemas.Resource
-	collection := p.db.Collection(schemas.Collections.Resource, options.Collection())
-	err := collection.FindOne(ctx, bson.M{"_id": id}).Decode(&resource)
-	if err != nil {
-		return nil, err
-	}
-	return &resource, nil
-}
-
-// GetResourceByName returns an authorization resource by its unique name.
-func (p *provider) GetResourceByName(ctx context.Context, name string) (*schemas.Resource, error) {
-	var resource schemas.Resource
-	collection := p.db.Collection(schemas.Collections.Resource, options.Collection())
-	err := collection.FindOne(ctx, bson.M{"name": name}).Decode(&resource)
-	if err != nil {
-		return nil, err
-	}
-	return &resource, nil
-}
-
-// ListResources returns a paginated list of authorization resources.
-func (p *provider) ListResources(ctx context.Context, pagination *model.Pagination) ([]*schemas.Resource, *model.Pagination, error) {
-	resources := []*schemas.Resource{}
-	opts := options.Find()
-	opts.SetLimit(pagination.Limit)
-	opts.SetSkip(pagination.Offset)
-	opts.SetSort(bson.M{"created_at": -1})
-	paginationClone := *pagination
-	collection := p.db.Collection(schemas.Collections.Resource, options.Collection())
-	count, err := collection.CountDocuments(ctx, bson.M{}, options.Count())
-	if err != nil {
-		return nil, nil, err
-	}
-	paginationClone.Total = count
-	cursor, err := collection.Find(ctx, bson.M{}, opts)
-	if err != nil {
-		return nil, nil, err
-	}
-	defer cursor.Close(ctx)
-	for cursor.Next(ctx) {
-		var resource *schemas.Resource
-		err := cursor.Decode(&resource)
-		if err != nil {
-			return nil, nil, err
-		}
-		resources = append(resources, resource)
-	}
-	return resources, &paginationClone, nil
-}
diff --git a/internal/storage/db/mongodb/scope.go b/internal/storage/db/mongodb/scope.go
deleted file mode 100644
index 9d4b2edb..00000000
--- a/internal/storage/db/mongodb/scope.go
+++ /dev/null
@@ -1,112 +0,0 @@
-package mongodb
-
-import (
-	"context"
-	"fmt"
-	"time"
-
-	"github.com/google/uuid"
-	"go.mongodb.org/mongo-driver/bson"
-	"go.mongodb.org/mongo-driver/mongo/options"
-
-	"github.com/authorizerdev/authorizer/internal/graph/model"
-	"github.com/authorizerdev/authorizer/internal/storage/schemas"
-)
-
-// AddScope creates a new authorization scope.
-func (p *provider) AddScope(ctx context.Context, scope *schemas.Scope) (*schemas.Scope, error) {
-	if scope.ID == "" {
-		scope.ID = uuid.New().String()
-	}
-	scope.Key = scope.ID
-	scope.CreatedAt = time.Now().Unix()
-	scope.UpdatedAt = time.Now().Unix()
-	collection := p.db.Collection(schemas.Collections.Scope, options.Collection())
-	_, err := collection.InsertOne(ctx, scope)
-	if err != nil {
-		return nil, err
-	}
-	return scope, nil
-}
-
-// UpdateScope updates an existing authorization scope.
-func (p *provider) UpdateScope(ctx context.Context, scope *schemas.Scope) (*schemas.Scope, error) {
-	scope.UpdatedAt = time.Now().Unix()
-	collection := p.db.Collection(schemas.Collections.Scope, options.Collection())
-	_, err := collection.UpdateOne(ctx, bson.M{"_id": bson.M{"$eq": scope.ID}}, bson.M{"$set": scope}, options.MergeUpdateOptions())
-	if err != nil {
-		return nil, err
-	}
-	return scope, nil
-}
-
-// DeleteScope deletes an authorization scope by ID.
-// Returns an error if any permission_scope references this scope.
-func (p *provider) DeleteScope(ctx context.Context, id string) error {
-	permissionScopeCollection := p.db.Collection(schemas.Collections.PermissionScope, options.Collection())
-	count, err := permissionScopeCollection.CountDocuments(ctx, bson.M{"scope_id": id}, options.Count())
-	if err != nil {
-		return err
-	}
-	if count > 0 {
-		return fmt.Errorf("cannot delete scope: %d permission_scope(s) reference it", count)
-	}
-	collection := p.db.Collection(schemas.Collections.Scope, options.Collection())
-	_, err = collection.DeleteOne(ctx, bson.M{"_id": id}, options.Delete())
-	if err != nil {
-		return err
-	}
-	return nil
-}
-
-// GetScopeByID returns an authorization scope by its ID.
-func (p *provider) GetScopeByID(ctx context.Context, id string) (*schemas.Scope, error) {
-	var scope schemas.Scope
-	collection := p.db.Collection(schemas.Collections.Scope, options.Collection())
-	err := collection.FindOne(ctx, bson.M{"_id": id}).Decode(&scope)
-	if err != nil {
-		return nil, err
-	}
-	return &scope, nil
-}
-
-// GetScopeByName returns an authorization scope by its unique name.
-func (p *provider) GetScopeByName(ctx context.Context, name string) (*schemas.Scope, error) {
-	var scope schemas.Scope
-	collection := p.db.Collection(schemas.Collections.Scope, options.Collection())
-	err := collection.FindOne(ctx, bson.M{"name": name}).Decode(&scope)
-	if err != nil {
-		return nil, err
-	}
-	return &scope, nil
-}
-
-// ListScopes returns a paginated list of authorization scopes.
-func (p *provider) ListScopes(ctx context.Context, pagination *model.Pagination) ([]*schemas.Scope, *model.Pagination, error) {
-	scopes := []*schemas.Scope{}
-	opts := options.Find()
-	opts.SetLimit(pagination.Limit)
-	opts.SetSkip(pagination.Offset)
-	opts.SetSort(bson.M{"created_at": -1})
-	paginationClone := *pagination
-	collection := p.db.Collection(schemas.Collections.Scope, options.Collection())
-	count, err := collection.CountDocuments(ctx, bson.M{}, options.Count())
-	if err != nil {
-		return nil, nil, err
-	}
-	paginationClone.Total = count
-	cursor, err := collection.Find(ctx, bson.M{}, opts)
-	if err != nil {
-		return nil, nil, err
-	}
-	defer cursor.Close(ctx)
-	for cursor.Next(ctx) {
-		var scope *schemas.Scope
-		err := cursor.Decode(&scope)
-		if err != nil {
-			return nil, nil, err
-		}
-		scopes = append(scopes, scope)
-	}
-	return scopes, &paginationClone, nil
-}
diff --git a/internal/storage/db/sql/permission.go b/internal/storage/db/sql/permission.go
deleted file mode 100644
index c7c7d89a..00000000
--- a/internal/storage/db/sql/permission.go
+++ /dev/null
@@ -1,250 +0,0 @@
-package sql
-
-import (
-	"context"
-	"fmt"
-	"time"
-
-	"github.com/google/uuid"
-	"gorm.io/gorm/clause"
-
-	"github.com/authorizerdev/authorizer/internal/graph/model"
-	"github.com/authorizerdev/authorizer/internal/storage/schemas"
-)
-
-// AddPermission creates a new authorization permission.
-func (p *provider) AddPermission(ctx context.Context, permission *schemas.Permission) (*schemas.Permission, error) {
-	if permission.ID == "" {
-		permission.ID = uuid.New().String()
-	}
-	permission.Key = permission.ID
-	permission.CreatedAt = time.Now().Unix()
-	permission.UpdatedAt = time.Now().Unix()
-	res := p.db.Clauses(clause.OnConflict{DoNothing: true}).Create(&permission)
-	if res.Error != nil {
-		return nil, res.Error
-	}
-	if res.RowsAffected == 0 {
-		return nil, fmt.Errorf("permission already exists: %s", permission.Name)
-	}
-	return permission, nil
-}
-
-// UpdatePermission updates an existing authorization permission.
-func (p *provider) UpdatePermission(ctx context.Context, permission *schemas.Permission) (*schemas.Permission, error) {
-	permission.UpdatedAt = time.Now().Unix()
-	result := p.db.Save(&permission)
-	if result.Error != nil {
-		return nil, result.Error
-	}
-	return permission, nil
-}
-
-// DeletePermission deletes an authorization permission by ID.
-// Cascade-deletes associated permission_scopes and permission_policies.
-func (p *provider) DeletePermission(ctx context.Context, id string) error {
-	result := p.db.Where("permission_id = ?", id).Delete(&schemas.PermissionScope{})
-	if result.Error != nil {
-		return result.Error
-	}
-	result = p.db.Where("permission_id = ?", id).Delete(&schemas.PermissionPolicy{})
-	if result.Error != nil {
-		return result.Error
-	}
-	result = p.db.Where("id = ?", id).Delete(&schemas.Permission{})
-	if result.Error != nil {
-		return result.Error
-	}
-	return nil
-}
-
-// GetPermissionByID returns an authorization permission by its ID.
-func (p *provider) GetPermissionByID(ctx context.Context, id string) (*schemas.Permission, error) {
-	var permission schemas.Permission
-	result := p.db.Where("id = ?", id).First(&permission)
-	if result.Error != nil {
-		return nil, result.Error
-	}
-	return &permission, nil
-}
-
-// ListPermissions returns a paginated list of authorization permissions.
-func (p *provider) ListPermissions(ctx context.Context, pagination *model.Pagination) ([]*schemas.Permission, *model.Pagination, error) {
-	var permissions []*schemas.Permission
-	result := p.db.Limit(int(pagination.Limit)).Offset(int(pagination.Offset)).Order("created_at DESC").Find(&permissions)
-	if result.Error != nil {
-		return nil, nil, result.Error
-	}
-	var total int64
-	totalRes := p.db.Model(&schemas.Permission{}).Count(&total)
-	if totalRes.Error != nil {
-		return nil, nil, totalRes.Error
-	}
-	paginationClone := *pagination
-	paginationClone.Total = total
-	return permissions, &paginationClone, nil
-}
-
-// AddPermissionScope links a scope to a permission.
-func (p *provider) AddPermissionScope(ctx context.Context, ps *schemas.PermissionScope) (*schemas.PermissionScope, error) {
-	if ps.ID == "" {
-		ps.ID = uuid.New().String()
-	}
-	ps.Key = ps.ID
-	ps.CreatedAt = time.Now().Unix()
-	res := p.db.Clauses(clause.OnConflict{DoNothing: true}).Create(&ps)
-	if res.Error != nil {
-		return nil, res.Error
-	}
-	return ps, nil
-}
-
-// DeletePermissionScopesByPermissionID removes all scope links for a permission.
-func (p *provider) DeletePermissionScopesByPermissionID(ctx context.Context, permissionID string) error {
-	result := p.db.Where("permission_id = ?", permissionID).Delete(&schemas.PermissionScope{})
-	if result.Error != nil {
-		return result.Error
-	}
-	return nil
-}
-
-// GetPermissionScopes returns all scope links for a permission.
-func (p *provider) GetPermissionScopes(ctx context.Context, permissionID string) ([]*schemas.PermissionScope, error) {
-	var scopes []*schemas.PermissionScope
-	result := p.db.Where("permission_id = ?", permissionID).Find(&scopes)
-	if result.Error != nil {
-		return nil, result.Error
-	}
-	return scopes, nil
-}
-
-// AddPermissionPolicy links a policy to a permission.
-func (p *provider) AddPermissionPolicy(ctx context.Context, pp *schemas.PermissionPolicy) (*schemas.PermissionPolicy, error) {
-	if pp.ID == "" {
-		pp.ID = uuid.New().String()
-	}
-	pp.Key = pp.ID
-	pp.CreatedAt = time.Now().Unix()
-	res := p.db.Clauses(clause.OnConflict{DoNothing: true}).Create(&pp)
-	if res.Error != nil {
-		return nil, res.Error
-	}
-	return pp, nil
-}
-
-// DeletePermissionPoliciesByPermissionID removes all policy links for a permission.
-func (p *provider) DeletePermissionPoliciesByPermissionID(ctx context.Context, permissionID string) error {
-	result := p.db.Where("permission_id = ?", permissionID).Delete(&schemas.PermissionPolicy{})
-	if result.Error != nil {
-		return result.Error
-	}
-	return nil
-}
-
-// GetPermissionPolicies returns all policy links for a permission.
-func (p *provider) GetPermissionPolicies(ctx context.Context, permissionID string) ([]*schemas.PermissionPolicy, error) {
-	var policies []*schemas.PermissionPolicy
-	result := p.db.Where("permission_id = ?", permissionID).Find(&policies)
-	if result.Error != nil {
-		return nil, result.Error
-	}
-	return policies, nil
-}
-
-// permissionRow is an intermediate struct for scanning the multi-JOIN query result
-// in GetPermissionsForResourceScope.
-type permissionRow struct {
-	PermissionID           string `gorm:"column:permission_id"`
-	PermissionName         string `gorm:"column:permission_name"`
-	DecisionStrategy       string `gorm:"column:decision_strategy"`
-	PolicyID               string `gorm:"column:policy_id"`
-	PolicyName             string `gorm:"column:policy_name"`
-	PolicyType             string `gorm:"column:policy_type"`
-	PolicyLogic            string `gorm:"column:policy_logic"`
-	PolicyDecisionStrategy string `gorm:"column:policy_decision_strategy"`
-	TargetType             string `gorm:"column:target_type"`
-	TargetValue            string `gorm:"column:target_value"`
-}
-
-// GetPermissionsForResourceScope returns all permissions (with their policies and targets)
-// that match a given resource name and scope name. This is the hot-path query used by
-// the evaluation engine.
-func (p *provider) GetPermissionsForResourceScope(ctx context.Context, resourceName string, scopeName string) ([]*schemas.PermissionWithPolicies, error) {
-	query := `SELECT p.id AS permission_id, p.name AS permission_name, p.decision_strategy,
-       pol.id AS policy_id, pol.name AS policy_name, pol.type AS policy_type, pol.logic AS policy_logic, pol.decision_strategy AS policy_decision_strategy,
-       pt.target_type, pt.target_value
-FROM ` + schemas.Prefix + `permissions p
-JOIN ` + schemas.Prefix + `resources r ON r.id = p.resource_id
-JOIN ` + schemas.Prefix + `permission_scopes ps ON ps.permission_id = p.id
-JOIN ` + schemas.Prefix + `scopes s ON s.id = ps.scope_id
-JOIN ` + schemas.Prefix + `permission_policies pp ON pp.permission_id = p.id
-JOIN ` + schemas.Prefix + `policies pol ON pol.id = pp.policy_id
-JOIN ` + schemas.Prefix + `policy_targets pt ON pt.policy_id = pol.id
-WHERE r.name = ? AND s.name = ?`
-
-	var rows []permissionRow
-	result := p.db.Raw(query, resourceName, scopeName).Scan(&rows)
-	if result.Error != nil {
-		return nil, result.Error
-	}
-
-	return groupPermissionRows(rows), nil
-}
-
-// groupPermissionRows groups flat permissionRow results into nested PermissionWithPolicies structs.
-func groupPermissionRows(rows []permissionRow) []*schemas.PermissionWithPolicies {
-	// Track insertion order for permissions and policies
-	permOrder := make([]string, 0)
-	permMap := make(map[string]*schemas.PermissionWithPolicies)
-	policyOrderMap := make(map[string][]string)              // permissionID -> ordered policy IDs
-	policyMap := make(map[string]*schemas.PolicyWithTargets) // "permID:polID" -> policy
-
-	for _, row := range rows {
-		// Ensure permission exists
-		perm, ok := permMap[row.PermissionID]
-		if !ok {
-			perm = &schemas.PermissionWithPolicies{
-				PermissionID:     row.PermissionID,
-				PermissionName:   row.PermissionName,
-				DecisionStrategy: row.DecisionStrategy,
-				Policies:         nil,
-			}
-			permMap[row.PermissionID] = perm
-			permOrder = append(permOrder, row.PermissionID)
-		}
-
-		// Ensure policy exists within this permission
-		policyKey := row.PermissionID + ":" + row.PolicyID
-		pol, ok := policyMap[policyKey]
-		if !ok {
-			pol = &schemas.PolicyWithTargets{
-				PolicyID:         row.PolicyID,
-				PolicyName:       row.PolicyName,
-				Type:             row.PolicyType,
-				Logic:            row.PolicyLogic,
-				DecisionStrategy: row.PolicyDecisionStrategy,
-				Targets:          nil,
-			}
-			policyMap[policyKey] = pol
-			policyOrderMap[row.PermissionID] = append(policyOrderMap[row.PermissionID], policyKey)
-		}
-
-		// Add target
-		pol.Targets = append(pol.Targets, schemas.PolicyTargetView{
-			TargetType:  row.TargetType,
-			TargetValue: row.TargetValue,
-		})
-	}
-
-	// Assemble in order
-	result := make([]*schemas.PermissionWithPolicies, 0, len(permOrder))
-	for _, permID := range permOrder {
-		perm := permMap[permID]
-		for _, policyKey := range policyOrderMap[permID] {
-			pol := policyMap[policyKey]
-			perm.Policies = append(perm.Policies, *pol)
-		}
-		result = append(result, perm)
-	}
-	return result
-}
diff --git a/internal/storage/db/sql/policy.go b/internal/storage/db/sql/policy.go
deleted file mode 100644
index 6d42d32f..00000000
--- a/internal/storage/db/sql/policy.go
+++ /dev/null
@@ -1,122 +0,0 @@
-package sql
-
-import (
-	"context"
-	"fmt"
-	"time"
-
-	"github.com/google/uuid"
-	"gorm.io/gorm/clause"
-
-	"github.com/authorizerdev/authorizer/internal/graph/model"
-	"github.com/authorizerdev/authorizer/internal/storage/schemas"
-)
-
-// AddPolicy creates a new authorization policy.
-func (p *provider) AddPolicy(ctx context.Context, policy *schemas.Policy) (*schemas.Policy, error) {
-	if policy.ID == "" {
-		policy.ID = uuid.New().String()
-	}
-	policy.Key = policy.ID
-	policy.CreatedAt = time.Now().Unix()
-	policy.UpdatedAt = time.Now().Unix()
-	res := p.db.Clauses(clause.OnConflict{DoNothing: true}).Create(&policy)
-	if res.Error != nil {
-		return nil, res.Error
-	}
-	if res.RowsAffected == 0 {
-		return nil, fmt.Errorf("policy already exists: %s", policy.Name)
-	}
-	return policy, nil
-}
-
-// UpdatePolicy updates an existing authorization policy.
-func (p *provider) UpdatePolicy(ctx context.Context, policy *schemas.Policy) (*schemas.Policy, error) {
-	policy.UpdatedAt = time.Now().Unix()
-	result := p.db.Save(&policy)
-	if result.Error != nil {
-		return nil, result.Error
-	}
-	return policy, nil
-}
-
-// DeletePolicy deletes an authorization policy by ID.
-// Returns an error if any permission_policy references this policy.
-// Cascade-deletes associated policy targets.
-func (p *provider) DeletePolicy(ctx context.Context, id string) error {
-	var count int64
-	p.db.Model(&schemas.PermissionPolicy{}).Where("policy_id = ?", id).Count(&count)
-	if count > 0 {
-		return fmt.Errorf("cannot delete policy: %d permission_policy(s) reference it", count)
-	}
-	// Cascade-delete policy targets
-	result := p.db.Where("policy_id = ?", id).Delete(&schemas.PolicyTarget{})
-	if result.Error != nil {
-		return result.Error
-	}
-	result = p.db.Where("id = ?", id).Delete(&schemas.Policy{})
-	if result.Error != nil {
-		return result.Error
-	}
-	return nil
-}
-
-// GetPolicyByID returns an authorization policy by its ID.
-func (p *provider) GetPolicyByID(ctx context.Context, id string) (*schemas.Policy, error) {
-	var policy schemas.Policy
-	result := p.db.Where("id = ?", id).First(&policy)
-	if result.Error != nil {
-		return nil, result.Error
-	}
-	return &policy, nil
-}
-
-// ListPolicies returns a paginated list of authorization policies.
-func (p *provider) ListPolicies(ctx context.Context, pagination *model.Pagination) ([]*schemas.Policy, *model.Pagination, error) {
-	var policies []*schemas.Policy
-	result := p.db.Limit(int(pagination.Limit)).Offset(int(pagination.Offset)).Order("created_at DESC").Find(&policies)
-	if result.Error != nil {
-		return nil, nil, result.Error
-	}
-	var total int64
-	totalRes := p.db.Model(&schemas.Policy{}).Count(&total)
-	if totalRes.Error != nil {
-		return nil, nil, totalRes.Error
-	}
-	paginationClone := *pagination
-	paginationClone.Total = total
-	return policies, &paginationClone, nil
-}
-
-// AddPolicyTarget adds a target (role name or user ID) to a policy.
-func (p *provider) AddPolicyTarget(ctx context.Context, target *schemas.PolicyTarget) (*schemas.PolicyTarget, error) {
-	if target.ID == "" {
-		target.ID = uuid.New().String()
-	}
-	target.Key = target.ID
-	target.CreatedAt = time.Now().Unix()
-	res := p.db.Clauses(clause.OnConflict{DoNothing: true}).Create(&target)
-	if res.Error != nil {
-		return nil, res.Error
-	}
-	return target, nil
-}
-
-// DeletePolicyTargetsByPolicyID removes all targets for a policy.
-func (p *provider) DeletePolicyTargetsByPolicyID(ctx context.Context, policyID string) error {
-	result := p.db.Where("policy_id = ?", policyID).Delete(&schemas.PolicyTarget{})
-	if result.Error != nil {
-		return result.Error
-	}
-	return nil
-}
-
-// GetPolicyTargets returns all targets for a policy.
-func (p *provider) GetPolicyTargets(ctx context.Context, policyID string) ([]*schemas.PolicyTarget, error) {
-	var targets []*schemas.PolicyTarget
-	result := p.db.Where("policy_id = ?", policyID).Find(&targets)
-	if result.Error != nil {
-		return nil, result.Error
-	}
-	return targets, nil
-}
diff --git a/internal/storage/db/sql/provider.go b/internal/storage/db/sql/provider.go
index 495c1551..52643355 100644
--- a/internal/storage/db/sql/provider.go
+++ b/internal/storage/db/sql/provider.go
@@ -2,7 +2,6 @@ package sql
 
 import (
 	libsql "github.com/ekristen/gorm-libsql"
-	"github.com/glebarez/sqlite"
 	"github.com/rs/zerolog"
 	"gorm.io/driver/mysql"
 	"gorm.io/driver/postgres"
@@ -12,6 +11,7 @@ import (
 
 	"github.com/authorizerdev/authorizer/internal/config"
 	"github.com/authorizerdev/authorizer/internal/constants"
+	sqlite "github.com/authorizerdev/authorizer/internal/storage/db/sql/sqlitedialect"
 	"github.com/authorizerdev/authorizer/internal/storage/schemas"
 )
 
@@ -83,7 +83,7 @@ func NewProvider(
 		}
 	}
 
-	err = sqlDB.AutoMigrate(&schemas.User{}, &schemas.VerificationRequest{}, &schemas.Session{}, &schemas.Env{}, &schemas.Webhook{}, &schemas.WebhookLog{}, &schemas.EmailTemplate{}, &schemas.OTP{}, &schemas.Authenticator{}, &schemas.SessionToken{}, &schemas.MFASession{}, &schemas.OAuthState{}, &schemas.AuditLog{}, &schemas.Resource{}, &schemas.Scope{}, &schemas.Policy{}, &schemas.PolicyTarget{}, &schemas.Permission{}, &schemas.PermissionScope{}, &schemas.PermissionPolicy{})
+	err = sqlDB.AutoMigrate(&schemas.User{}, &schemas.VerificationRequest{}, &schemas.Session{}, &schemas.Env{}, &schemas.Webhook{}, &schemas.WebhookLog{}, &schemas.EmailTemplate{}, &schemas.OTP{}, &schemas.Authenticator{}, &schemas.SessionToken{}, &schemas.MFASession{}, &schemas.OAuthState{}, &schemas.AuditLog{})
 	if err != nil {
 		return nil, err
 	}
diff --git a/internal/storage/db/sql/resource.go b/internal/storage/db/sql/resource.go
deleted file mode 100644
index b8319343..00000000
--- a/internal/storage/db/sql/resource.go
+++ /dev/null
@@ -1,93 +0,0 @@
-package sql
-
-import (
-	"context"
-	"fmt"
-	"time"
-
-	"github.com/google/uuid"
-	"gorm.io/gorm/clause"
-
-	"github.com/authorizerdev/authorizer/internal/graph/model"
-	"github.com/authorizerdev/authorizer/internal/storage/schemas"
-)
-
-// AddResource creates a new authorization resource.
-func (p *provider) AddResource(ctx context.Context, resource *schemas.Resource) (*schemas.Resource, error) {
-	if resource.ID == "" {
-		resource.ID = uuid.New().String()
-	}
-	resource.Key = resource.ID
-	resource.CreatedAt = time.Now().Unix()
-	resource.UpdatedAt = time.Now().Unix()
-	res := p.db.Clauses(clause.OnConflict{DoNothing: true}).Create(&resource)
-	if res.Error != nil {
-		return nil, res.Error
-	}
-	if res.RowsAffected == 0 {
-		return nil, fmt.Errorf("resource already exists: %s", resource.Name)
-	}
-	return resource, nil
-}
-
-// UpdateResource updates an existing authorization resource.
-func (p *provider) UpdateResource(ctx context.Context, resource *schemas.Resource) (*schemas.Resource, error) {
-	resource.UpdatedAt = time.Now().Unix()
-	result := p.db.Save(&resource)
-	if result.Error != nil {
-		return nil, result.Error
-	}
-	return resource, nil
-}
-
-// DeleteResource deletes an authorization resource by ID.
-// Returns an error if any permission references this resource.
-func (p *provider) DeleteResource(ctx context.Context, id string) error {
-	var count int64
-	p.db.Model(&schemas.Permission{}).Where("resource_id = ?", id).Count(&count)
-	if count > 0 {
-		return fmt.Errorf("cannot delete resource: %d permission(s) reference it", count)
-	}
-	result := p.db.Where("id = ?", id).Delete(&schemas.Resource{})
-	if result.Error != nil {
-		return result.Error
-	}
-	return nil
-}
-
-// GetResourceByID returns an authorization resource by its ID.
-func (p *provider) GetResourceByID(ctx context.Context, id string) (*schemas.Resource, error) {
-	var resource schemas.Resource
-	result := p.db.Where("id = ?", id).First(&resource)
-	if result.Error != nil {
-		return nil, result.Error
-	}
-	return &resource, nil
-}
-
-// GetResourceByName returns an authorization resource by its unique name.
-func (p *provider) GetResourceByName(ctx context.Context, name string) (*schemas.Resource, error) {
-	var resource schemas.Resource
-	result := p.db.Where("name = ?", name).First(&resource)
-	if result.Error != nil {
-		return nil, result.Error
-	}
-	return &resource, nil
-}
-
-// ListResources returns a paginated list of authorization resources.
-func (p *provider) ListResources(ctx context.Context, pagination *model.Pagination) ([]*schemas.Resource, *model.Pagination, error) {
-	var resources []*schemas.Resource
-	result := p.db.Limit(int(pagination.Limit)).Offset(int(pagination.Offset)).Order("created_at DESC").Find(&resources)
-	if result.Error != nil {
-		return nil, nil, result.Error
-	}
-	var total int64
-	totalRes := p.db.Model(&schemas.Resource{}).Count(&total)
-	if totalRes.Error != nil {
-		return nil, nil, totalRes.Error
-	}
-	paginationClone := *pagination
-	paginationClone.Total = total
-	return resources, &paginationClone, nil
-}
diff --git a/internal/storage/db/sql/scope.go b/internal/storage/db/sql/scope.go
deleted file mode 100644
index 39b1fac3..00000000
--- a/internal/storage/db/sql/scope.go
+++ /dev/null
@@ -1,93 +0,0 @@
-package sql
-
-import (
-	"context"
-	"fmt"
-	"time"
-
-	"github.com/google/uuid"
-	"gorm.io/gorm/clause"
-
-	"github.com/authorizerdev/authorizer/internal/graph/model"
-	"github.com/authorizerdev/authorizer/internal/storage/schemas"
-)
-
-// AddScope creates a new authorization scope.
-func (p *provider) AddScope(ctx context.Context, scope *schemas.Scope) (*schemas.Scope, error) {
-	if scope.ID == "" {
-		scope.ID = uuid.New().String()
-	}
-	scope.Key = scope.ID
-	scope.CreatedAt = time.Now().Unix()
-	scope.UpdatedAt = time.Now().Unix()
-	res := p.db.Clauses(clause.OnConflict{DoNothing: true}).Create(&scope)
-	if res.Error != nil {
-		return nil, res.Error
-	}
-	if res.RowsAffected == 0 {
-		return nil, fmt.Errorf("scope already exists: %s", scope.Name)
-	}
-	return scope, nil
-}
-
-// UpdateScope updates an existing authorization scope.
-func (p *provider) UpdateScope(ctx context.Context, scope *schemas.Scope) (*schemas.Scope, error) {
-	scope.UpdatedAt = time.Now().Unix()
-	result := p.db.Save(&scope)
-	if result.Error != nil {
-		return nil, result.Error
-	}
-	return scope, nil
-}
-
-// DeleteScope deletes an authorization scope by ID.
-// Returns an error if any permission_scope references this scope.
-func (p *provider) DeleteScope(ctx context.Context, id string) error {
-	var count int64
-	p.db.Model(&schemas.PermissionScope{}).Where("scope_id = ?", id).Count(&count)
-	if count > 0 {
-		return fmt.Errorf("cannot delete scope: %d permission_scope(s) reference it", count)
-	}
-	result := p.db.Where("id = ?", id).Delete(&schemas.Scope{})
-	if result.Error != nil {
-		return result.Error
-	}
-	return nil
-}
-
-// GetScopeByID returns an authorization scope by its ID.
-func (p *provider) GetScopeByID(ctx context.Context, id string) (*schemas.Scope, error) {
-	var scope schemas.Scope
-	result := p.db.Where("id = ?", id).First(&scope)
-	if result.Error != nil {
-		return nil, result.Error
-	}
-	return &scope, nil
-}
-
-// GetScopeByName returns an authorization scope by its unique name.
-func (p *provider) GetScopeByName(ctx context.Context, name string) (*schemas.Scope, error) {
-	var scope schemas.Scope
-	result := p.db.Where("name = ?", name).First(&scope)
-	if result.Error != nil {
-		return nil, result.Error
-	}
-	return &scope, nil
-}
-
-// ListScopes returns a paginated list of authorization scopes.
-func (p *provider) ListScopes(ctx context.Context, pagination *model.Pagination) ([]*schemas.Scope, *model.Pagination, error) {
-	var scopes []*schemas.Scope
-	result := p.db.Limit(int(pagination.Limit)).Offset(int(pagination.Offset)).Order("created_at DESC").Find(&scopes)
-	if result.Error != nil {
-		return nil, nil, result.Error
-	}
-	var total int64
-	totalRes := p.db.Model(&schemas.Scope{}).Count(&total)
-	if totalRes.Error != nil {
-		return nil, nil, totalRes.Error
-	}
-	paginationClone := *pagination
-	paginationClone.Total = total
-	return scopes, &paginationClone, nil
-}
diff --git a/internal/storage/db/sql/sqlitedialect/ddlmod.go b/internal/storage/db/sql/sqlitedialect/ddlmod.go
new file mode 100644
index 00000000..dcc22d81
--- /dev/null
+++ b/internal/storage/db/sql/sqlitedialect/ddlmod.go
@@ -0,0 +1,296 @@
+package sqlitedialect
+
+import (
+	"database/sql"
+	"errors"
+	"fmt"
+	"regexp"
+	"strconv"
+	"strings"
+
+	"gorm.io/gorm/migrator"
+)
+
+var (
+	sqliteSeparator    = "`|\"|'|\t"
+	indexRegexp        = regexp.MustCompile(fmt.Sprintf(`(?is)CREATE(?: UNIQUE)? INDEX [%v]?[\w\d-]+[%v]? ON (.*)$`, sqliteSeparator, sqliteSeparator))
+	tableRegexp        = regexp.MustCompile(fmt.Sprintf(`(?is)(CREATE TABLE [%v]?[\w\d-]+[%v]?)(?:\s*\((.*)\))?`, sqliteSeparator, sqliteSeparator))
+	separatorRegexp    = regexp.MustCompile(fmt.Sprintf("[%v]", sqliteSeparator))
+	columnsRegexp      = regexp.MustCompile(fmt.Sprintf(`[(,][%v]?(\w+)[%v]?`, sqliteSeparator, sqliteSeparator))
+	columnRegexp       = regexp.MustCompile(fmt.Sprintf(`^[%v]?([\w\d]+)[%v]?\s+([\w\(\)\d]+)(.*)$`, sqliteSeparator, sqliteSeparator))
+	defaultValueRegexp = regexp.MustCompile(`(?i) DEFAULT \(?(.+)?\)?( |COLLATE|GENERATED|$)`)
+	regRealDataType    = regexp.MustCompile(`[^\d](\d+)[^\d]?`)
+)
+
+func getAllColumns(s string) []string {
+	allMatches := columnsRegexp.FindAllStringSubmatch(s, -1)
+	columns := make([]string, 0, len(allMatches))
+	for _, matches := range allMatches {
+		if len(matches) > 1 {
+			columns = append(columns, matches[1])
+		}
+	}
+	return columns
+}
+
+type ddl struct {
+	head    string
+	fields  []string
+	columns []migrator.ColumnType
+}
+
+func parseDDL(strs ...string) (*ddl, error) {
+	var result ddl
+	for _, str := range strs {
+		if sections := tableRegexp.FindStringSubmatch(str); len(sections) > 0 {
+			var (
+				ddlBody      = sections[2]
+				ddlBodyRunes = []rune(ddlBody)
+				bracketLevel int
+				quote        rune
+				buf          string
+			)
+			ddlBodyRunesLen := len(ddlBodyRunes)
+
+			result.head = sections[1]
+
+			for idx := 0; idx < ddlBodyRunesLen; idx++ {
+				var (
+					next rune = 0
+					c         = ddlBodyRunes[idx]
+				)
+				if idx+1 < ddlBodyRunesLen {
+					next = ddlBodyRunes[idx+1]
+				}
+
+				if sc := string(c); separatorRegexp.MatchString(sc) {
+					if c == next {
+						buf += sc // Skip escaped quote
+						idx++
+					} else if quote > 0 {
+						quote = 0
+					} else {
+						quote = c
+					}
+				} else if quote == 0 {
+					if c == '(' {
+						bracketLevel++
+					} else if c == ')' {
+						bracketLevel--
+					} else if bracketLevel == 0 {
+						if c == ',' {
+							result.fields = append(result.fields, strings.TrimSpace(buf))
+							buf = ""
+							continue
+						}
+					}
+				}
+
+				if bracketLevel < 0 {
+					return nil, errors.New("invalid DDL, unbalanced brackets")
+				}
+
+				buf += string(c)
+			}
+
+			if bracketLevel != 0 {
+				return nil, errors.New("invalid DDL, unbalanced brackets")
+			}
+
+			if buf != "" {
+				result.fields = append(result.fields, strings.TrimSpace(buf))
+			}
+
+			for _, f := range result.fields {
+				fUpper := strings.ToUpper(f)
+				if strings.HasPrefix(fUpper, "CHECK") ||
+					strings.HasPrefix(fUpper, "CONSTRAINT") {
+					continue
+				}
+
+				if strings.HasPrefix(fUpper, "PRIMARY KEY") {
+					for _, name := range getAllColumns(f) {
+						for idx, column := range result.columns {
+							if column.NameValue.String == name {
+								column.PrimaryKeyValue = sql.NullBool{Bool: true, Valid: true}
+								result.columns[idx] = column
+								break
+							}
+						}
+					}
+				} else if matches := columnRegexp.FindStringSubmatch(f); len(matches) > 0 {
+					columnType := migrator.ColumnType{
+						NameValue:         sql.NullString{String: matches[1], Valid: true},
+						DataTypeValue:     sql.NullString{String: matches[2], Valid: true},
+						ColumnTypeValue:   sql.NullString{String: matches[2], Valid: true},
+						PrimaryKeyValue:   sql.NullBool{Valid: true},
+						UniqueValue:       sql.NullBool{Valid: true},
+						NullableValue:     sql.NullBool{Bool: true, Valid: true},
+						DefaultValueValue: sql.NullString{Valid: false},
+					}
+
+					matchUpper := strings.ToUpper(matches[3])
+					if strings.Contains(matchUpper, " NOT NULL") {
+						columnType.NullableValue = sql.NullBool{Bool: false, Valid: true}
+					} else if strings.Contains(matchUpper, " NULL") {
+						columnType.NullableValue = sql.NullBool{Bool: true, Valid: true}
+					}
+					if strings.Contains(matchUpper, " UNIQUE") {
+						columnType.UniqueValue = sql.NullBool{Bool: true, Valid: true}
+					}
+					if strings.Contains(matchUpper, " PRIMARY") {
+						columnType.PrimaryKeyValue = sql.NullBool{Bool: true, Valid: true}
+					}
+					if defaultMatches := defaultValueRegexp.FindStringSubmatch(matches[3]); len(defaultMatches) > 1 {
+						if strings.ToLower(defaultMatches[1]) != "null" {
+							columnType.DefaultValueValue = sql.NullString{String: strings.Trim(defaultMatches[1], `"`), Valid: true}
+						}
+					}
+
+					// data type length
+					matches := regRealDataType.FindAllStringSubmatch(columnType.DataTypeValue.String, -1)
+					if len(matches) == 1 && len(matches[0]) == 2 {
+						size, _ := strconv.Atoi(matches[0][1])
+						columnType.LengthValue = sql.NullInt64{Valid: true, Int64: int64(size)}
+						columnType.DataTypeValue.String = strings.TrimSuffix(columnType.DataTypeValue.String, matches[0][0])
+					}
+
+					result.columns = append(result.columns, columnType)
+				}
+			}
+		} else if matches := indexRegexp.FindStringSubmatch(str); len(matches) > 0 {
+			for _, column := range getAllColumns(matches[1]) {
+				for idx, c := range result.columns {
+					if c.NameValue.String == column {
+						c.UniqueValue = sql.NullBool{Bool: strings.ToUpper(strings.Fields(str)[1]) == "UNIQUE", Valid: true}
+						result.columns[idx] = c
+					}
+				}
+			}
+		} else {
+			return nil, errors.New("invalid DDL")
+		}
+	}
+
+	return &result, nil
+}
+
+func (d *ddl) clone() *ddl {
+	copied := new(ddl)
+	*copied = *d
+
+	copied.fields = make([]string, len(d.fields))
+	copy(copied.fields, d.fields)
+	copied.columns = make([]migrator.ColumnType, len(d.columns))
+	copy(copied.columns, d.columns)
+
+	return copied
+}
+
+func (d *ddl) compile() string {
+	if len(d.fields) == 0 {
+		return d.head
+	}
+
+	return fmt.Sprintf("%s (%s)", d.head, strings.Join(d.fields, ","))
+}
+
+func (d *ddl) renameTable(dst, src string) error {
+	tableReg, err := regexp.Compile("\\s*('|`|\")?\\b" + regexp.QuoteMeta(src) + "\\b('|`|\")?\\s*")
+	if err != nil {
+		return err
+	}
+
+	replaced := tableReg.ReplaceAllString(d.head, fmt.Sprintf(" `%s` ", dst))
+	if replaced == d.head {
+		return fmt.Errorf("failed to look up tablename `%s` from DDL head '%s'", src, d.head)
+	}
+
+	d.head = replaced
+	return nil
+}
+
+func (d *ddl) addConstraint(name string, sql string) {
+	reg := regexp.MustCompile("^CONSTRAINT [\"`]?" + regexp.QuoteMeta(name) + "[\"` ]")
+
+	for i := 0; i < len(d.fields); i++ {
+		if reg.MatchString(d.fields[i]) {
+			d.fields[i] = sql
+			return
+		}
+	}
+
+	d.fields = append(d.fields, sql)
+}
+
+func (d *ddl) removeConstraint(name string) bool {
+	reg := regexp.MustCompile("^CONSTRAINT [\"`]?" + regexp.QuoteMeta(name) + "[\"` ]")
+
+	for i := 0; i < len(d.fields); i++ {
+		if reg.MatchString(d.fields[i]) {
+			d.fields = append(d.fields[:i], d.fields[i+1:]...)
+			return true
+		}
+	}
+	return false
+}
+
+func (d *ddl) hasConstraint(name string) bool {
+	reg := regexp.MustCompile("^CONSTRAINT [\"`]?" + regexp.QuoteMeta(name) + "[\"` ]")
+
+	for _, f := range d.fields {
+		if reg.MatchString(f) {
+			return true
+		}
+	}
+	return false
+}
+
+func (d *ddl) getColumns() []string {
+	res := []string{}
+
+	for _, f := range d.fields {
+		fUpper := strings.ToUpper(f)
+		if strings.HasPrefix(fUpper, "PRIMARY KEY") ||
+			strings.HasPrefix(fUpper, "CHECK") ||
+			strings.HasPrefix(fUpper, "CONSTRAINT") ||
+			strings.Contains(fUpper, "GENERATED ALWAYS AS") {
+			continue
+		}
+
+		reg := regexp.MustCompile("^[\"`']?([\\w\\d]+)[\"`']?")
+		match := reg.FindStringSubmatch(f)
+
+		if match != nil {
+			res = append(res, "`"+match[1]+"`")
+		}
+	}
+	return res
+}
+
+func (d *ddl) alterColumn(name, sql string) bool {
+	reg := regexp.MustCompile("^(`|'|\"| )" + regexp.QuoteMeta(name) + "(`|'|\"| ) .*?$")
+
+	for i := 0; i < len(d.fields); i++ {
+		if reg.MatchString(d.fields[i]) {
+			d.fields[i] = sql
+			return false
+		}
+	}
+
+	d.fields = append(d.fields, sql)
+	return true
+}
+
+func (d *ddl) removeColumn(name string) bool {
+	reg := regexp.MustCompile("^(`|'|\"| )" + regexp.QuoteMeta(name) + "(`|'|\"| ) .*?$")
+
+	for i := 0; i < len(d.fields); i++ {
+		if reg.MatchString(d.fields[i]) {
+			d.fields = append(d.fields[:i], d.fields[i+1:]...)
+			return true
+		}
+	}
+
+	return false
+}
diff --git a/internal/storage/db/sql/sqlitedialect/errors.go b/internal/storage/db/sql/sqlitedialect/errors.go
new file mode 100644
index 00000000..b7f401df
--- /dev/null
+++ b/internal/storage/db/sql/sqlitedialect/errors.go
@@ -0,0 +1,7 @@
+package sqlitedialect
+
+import "errors"
+
+var (
+	ErrConstraintsNotImplemented = errors.New("constraints not implemented on sqlite, consider using DisableForeignKeyConstraintWhenMigrating, more details https://github.com/go-gorm/gorm/wiki/GORM-V2-Release-Note-Draft#all-new-migrator")
+)
diff --git a/internal/storage/db/sql/sqlitedialect/migrator.go b/internal/storage/db/sql/sqlitedialect/migrator.go
new file mode 100644
index 00000000..7bfcf564
--- /dev/null
+++ b/internal/storage/db/sql/sqlitedialect/migrator.go
@@ -0,0 +1,406 @@
+package sqlitedialect
+
+import (
+	"database/sql"
+	"fmt"
+	"strings"
+
+	"gorm.io/gorm"
+	"gorm.io/gorm/clause"
+	"gorm.io/gorm/migrator"
+	"gorm.io/gorm/schema"
+)
+
+type Migrator struct {
+	migrator.Migrator
+}
+
+func (m *Migrator) RunWithoutForeignKey(fc func() error) error {
+	var enabled int
+	m.DB.Raw("PRAGMA foreign_keys").Scan(&enabled)
+	if enabled == 1 {
+		m.DB.Exec("PRAGMA foreign_keys = OFF")
+		defer m.DB.Exec("PRAGMA foreign_keys = ON")
+	}
+
+	return fc()
+}
+
+func (m Migrator) HasTable(value interface{}) bool {
+	var count int
+	m.Migrator.RunWithValue(value, func(stmt *gorm.Statement) error {
+		return m.DB.Raw("SELECT count(*) FROM sqlite_master WHERE type='table' AND name=?", stmt.Table).Row().Scan(&count)
+	})
+	return count > 0
+}
+
+func (m Migrator) DropTable(values ...interface{}) error {
+	return m.RunWithoutForeignKey(func() error {
+		values = m.ReorderModels(values, false)
+		tx := m.DB.Session(&gorm.Session{})
+
+		for i := len(values) - 1; i >= 0; i-- {
+			if err := m.RunWithValue(values[i], func(stmt *gorm.Statement) error {
+				return tx.Exec("DROP TABLE IF EXISTS ?", clause.Table{Name: stmt.Table}).Error
+			}); err != nil {
+				return err
+			}
+		}
+
+		return nil
+	})
+}
+
+func (m Migrator) GetTables() (tableList []string, err error) {
+	return tableList, m.DB.Raw("SELECT name FROM sqlite_master where type=?", "table").Scan(&tableList).Error
+}
+
+func (m Migrator) HasColumn(value interface{}, name string) bool {
+	var count int
+	m.Migrator.RunWithValue(value, func(stmt *gorm.Statement) error {
+		if stmt.Schema != nil {
+			if field := stmt.Schema.LookUpField(name); field != nil {
+				name = field.DBName
+			}
+		}
+
+		if name != "" {
+			m.DB.Raw(
+				"SELECT count(*) FROM sqlite_master WHERE type = ? AND tbl_name = ? AND (sql LIKE ? OR sql LIKE ? OR sql LIKE ? OR sql LIKE ? OR sql LIKE ?)",
+				"table", stmt.Table, `%"`+name+`" %`, `%`+name+` %`, "%`"+name+"`%", "%["+name+"]%", "%\t"+name+"\t%",
+			).Row().Scan(&count)
+		}
+		return nil
+	})
+	return count > 0
+}
+
+func (m Migrator) AlterColumn(value interface{}, name string) error {
+	return m.RunWithoutForeignKey(func() error {
+		return m.recreateTable(value, nil, func(ddl *ddl, stmt *gorm.Statement) (*ddl, []interface{}, error) {
+			if field := stmt.Schema.LookUpField(name); field != nil {
+				if ddl.alterColumn(field.DBName, fmt.Sprintf("`%s` ?", field.DBName)) {
+					return nil, nil, fmt.Errorf("field `%s` not found in origin ddl, ddl= '%s'", name, ddl.compile())
+				}
+
+				return ddl, []interface{}{m.FullDataTypeOf(field)}, nil
+			}
+
+			return nil, nil, fmt.Errorf("failed to alter field with name `%s`", name)
+		})
+	})
+}
+
+// ColumnTypes return columnTypes []gorm.ColumnType and execErr error
+func (m Migrator) ColumnTypes(value interface{}) ([]gorm.ColumnType, error) {
+	columnTypes := make([]gorm.ColumnType, 0)
+	execErr := m.RunWithValue(value, func(stmt *gorm.Statement) (err error) {
+		var (
+			sqls   []string
+			sqlDDL *ddl
+		)
+
+		if err := m.DB.Raw("SELECT sql FROM sqlite_master WHERE type IN ? AND tbl_name = ? AND sql IS NOT NULL order by type = ? desc", []string{"table", "index"}, stmt.Table, "table").Scan(&sqls).Error; err != nil {
+			return err
+		}
+
+		if sqlDDL, err = parseDDL(sqls...); err != nil {
+			return err
+		}
+
+		rows, err := m.DB.Session(&gorm.Session{}).Table(stmt.Table).Limit(1).Rows()
+		if err != nil {
+			return err
+		}
+		defer func() {
+			err = rows.Close()
+		}()
+
+		var rawColumnTypes []*sql.ColumnType
+		rawColumnTypes, err = rows.ColumnTypes()
+		if err != nil {
+			return err
+		}
+
+		for _, c := range rawColumnTypes {
+			columnType := migrator.ColumnType{SQLColumnType: c}
+			for _, column := range sqlDDL.columns {
+				if column.NameValue.String == c.Name() {
+					column.SQLColumnType = c
+					columnType = column
+					break
+				}
+			}
+			columnTypes = append(columnTypes, columnType)
+		}
+
+		return err
+	})
+
+	return columnTypes, execErr
+}
+
+func (m Migrator) DropColumn(value interface{}, name string) error {
+	return m.recreateTable(value, nil, func(ddl *ddl, stmt *gorm.Statement) (*ddl, []interface{}, error) {
+		if field := stmt.Schema.LookUpField(name); field != nil {
+			name = field.DBName
+		}
+
+		ddl.removeColumn(name)
+		return ddl, nil, nil
+	})
+}
+
+func (m Migrator) CreateConstraint(value interface{}, name string) error {
+	return m.RunWithValue(value, func(stmt *gorm.Statement) error {
+		constraint, chk, table := m.GuessConstraintAndTable(stmt, name)
+
+		return m.recreateTable(value, &table,
+			func(ddl *ddl, stmt *gorm.Statement) (*ddl, []interface{}, error) {
+				var (
+					constraintName   string
+					constraintSql    string
+					constraintValues []interface{}
+				)
+
+				if constraint != nil {
+					constraintName = constraint.Name
+					constraintSql, constraintValues = buildConstraint(constraint)
+				} else if chk != nil {
+					constraintName = chk.Name
+					constraintSql = "CONSTRAINT ? CHECK (?)"
+					constraintValues = []interface{}{clause.Column{Name: chk.Name}, clause.Expr{SQL: chk.Constraint}}
+				} else {
+					return nil, nil, nil
+				}
+
+				ddl.addConstraint(constraintName, constraintSql)
+				return ddl, constraintValues, nil
+			})
+	})
+}
+
+func (m Migrator) DropConstraint(value interface{}, name string) error {
+	return m.RunWithValue(value, func(stmt *gorm.Statement) error {
+		constraint, chk, table := m.GuessConstraintAndTable(stmt, name)
+		if constraint != nil {
+			name = constraint.Name
+		} else if chk != nil {
+			name = chk.Name
+		}
+
+		return m.recreateTable(value, &table,
+			func(ddl *ddl, stmt *gorm.Statement) (*ddl, []interface{}, error) {
+				ddl.removeConstraint(name)
+				return ddl, nil, nil
+			})
+	})
+}
+
+func (m Migrator) HasConstraint(value interface{}, name string) bool {
+	var count int64
+	m.RunWithValue(value, func(stmt *gorm.Statement) error {
+		constraint, chk, table := m.GuessConstraintAndTable(stmt, name)
+		if constraint != nil {
+			name = constraint.Name
+		} else if chk != nil {
+			name = chk.Name
+		}
+
+		m.DB.Raw(
+			"SELECT count(*) FROM sqlite_master WHERE type = ? AND tbl_name = ? AND (sql LIKE ? OR sql LIKE ? OR sql LIKE ? OR sql LIKE ? OR sql LIKE ?)",
+			"table", table, `%CONSTRAINT "`+name+`" %`, `%CONSTRAINT `+name+` %`, "%CONSTRAINT `"+name+"`%", "%CONSTRAINT ["+name+"]%", "%CONSTRAINT \t"+name+"\t%",
+		).Row().Scan(&count)
+
+		return nil
+	})
+
+	return count > 0
+}
+
+func (m Migrator) CurrentDatabase() (name string) {
+	var null interface{}
+	m.DB.Raw("PRAGMA database_list").Row().Scan(&null, &name, &null)
+	return
+}
+
+func (m Migrator) BuildIndexOptions(opts []schema.IndexOption, stmt *gorm.Statement) (results []interface{}) {
+	for _, opt := range opts {
+		str := stmt.Quote(opt.DBName)
+		if opt.Expression != "" {
+			str = opt.Expression
+		}
+
+		if opt.Collate != "" {
+			str += " COLLATE " + opt.Collate
+		}
+
+		if opt.Sort != "" {
+			str += " " + opt.Sort
+		}
+		results = append(results, clause.Expr{SQL: str})
+	}
+	return
+}
+
+func (m Migrator) CreateIndex(value interface{}, name string) error {
+	return m.RunWithValue(value, func(stmt *gorm.Statement) error {
+		if stmt.Schema != nil {
+			if idx := stmt.Schema.LookIndex(name); idx != nil {
+				opts := m.BuildIndexOptions(idx.Fields, stmt)
+				values := []interface{}{clause.Column{Name: idx.Name}, clause.Table{Name: stmt.Table}, opts}
+
+				createIndexSQL := "CREATE "
+				if idx.Class != "" {
+					createIndexSQL += idx.Class + " "
+				}
+				createIndexSQL += "INDEX ?"
+
+				if idx.Type != "" {
+					createIndexSQL += " USING " + idx.Type
+				}
+				createIndexSQL += " ON ??"
+
+				if idx.Where != "" {
+					createIndexSQL += " WHERE " + idx.Where
+				}
+
+				return m.DB.Exec(createIndexSQL, values...).Error
+			}
+		}
+		return fmt.Errorf("failed to create index with name %v", name)
+	})
+}
+
+func (m Migrator) HasIndex(value interface{}, name string) bool {
+	var count int
+	m.RunWithValue(value, func(stmt *gorm.Statement) error {
+		if stmt.Schema != nil {
+			if idx := stmt.Schema.LookIndex(name); idx != nil {
+				name = idx.Name
+			}
+		}
+
+		if name != "" {
+			m.DB.Raw(
+				"SELECT count(*) FROM sqlite_master WHERE type = ? AND tbl_name = ? AND name = ?", "index", stmt.Table, name,
+			).Row().Scan(&count)
+		}
+		return nil
+	})
+	return count > 0
+}
+
+func (m Migrator) RenameIndex(value interface{}, oldName, newName string) error {
+	return m.RunWithValue(value, func(stmt *gorm.Statement) error {
+		var sql string
+		m.DB.Raw("SELECT sql FROM sqlite_master WHERE type = ? AND tbl_name = ? AND name = ?", "index", stmt.Table, oldName).Row().Scan(&sql)
+		if sql != "" {
+			if err := m.DropIndex(value, oldName); err != nil {
+				return err
+			}
+			return m.DB.Exec(strings.Replace(sql, oldName, newName, 1)).Error
+		}
+		return fmt.Errorf("failed to find index with name %v", oldName)
+	})
+}
+
+func (m Migrator) DropIndex(value interface{}, name string) error {
+	return m.RunWithValue(value, func(stmt *gorm.Statement) error {
+		if stmt.Schema != nil {
+			if idx := stmt.Schema.LookIndex(name); idx != nil {
+				name = idx.Name
+			}
+		}
+
+		return m.DB.Exec("DROP INDEX ?", clause.Column{Name: name}).Error
+	})
+}
+
+func buildConstraint(constraint *schema.Constraint) (sql string, results []interface{}) {
+	sql = "CONSTRAINT ? FOREIGN KEY ? REFERENCES ??"
+	if constraint.OnDelete != "" {
+		sql += " ON DELETE " + constraint.OnDelete
+	}
+
+	if constraint.OnUpdate != "" {
+		sql += " ON UPDATE " + constraint.OnUpdate
+	}
+
+	var foreignKeys, references []interface{}
+	for _, field := range constraint.ForeignKeys {
+		foreignKeys = append(foreignKeys, clause.Column{Name: field.DBName})
+	}
+
+	for _, field := range constraint.References {
+		references = append(references, clause.Column{Name: field.DBName})
+	}
+	results = append(results, clause.Table{Name: constraint.Name}, foreignKeys, clause.Table{Name: constraint.ReferenceSchema.Table}, references)
+	return
+}
+
+func (m Migrator) getRawDDL(table string) (string, error) {
+	var createSQL string
+	m.DB.Raw("SELECT sql FROM sqlite_master WHERE type = ? AND tbl_name = ? AND name = ?", "table", table, table).Row().Scan(&createSQL)
+
+	if m.DB.Error != nil {
+		return "", m.DB.Error
+	}
+	return createSQL, nil
+}
+
+func (m Migrator) recreateTable(
+	value interface{}, tablePtr *string,
+	getCreateSQL func(ddl *ddl, stmt *gorm.Statement) (sql *ddl, sqlArgs []interface{}, err error),
+) error {
+	return m.RunWithValue(value, func(stmt *gorm.Statement) error {
+		table := stmt.Table
+		if tablePtr != nil {
+			table = *tablePtr
+		}
+
+		rawDDL, err := m.getRawDDL(table)
+		if err != nil {
+			return err
+		}
+
+		originDDL, err := parseDDL(rawDDL)
+		if err != nil {
+			return err
+		}
+
+		createDDL, sqlArgs, err := getCreateSQL(originDDL.clone(), stmt)
+		if err != nil {
+			return err
+		}
+		if createDDL == nil {
+			return nil
+		}
+
+		newTableName := table + "__temp"
+		if err := createDDL.renameTable(newTableName, table); err != nil {
+			return err
+		}
+
+		columns := createDDL.getColumns()
+		createSQL := createDDL.compile()
+
+		return m.DB.Transaction(func(tx *gorm.DB) error {
+			if err := tx.Exec(createSQL, sqlArgs...).Error; err != nil {
+				return err
+			}
+
+			queries := []string{
+				fmt.Sprintf("INSERT INTO `%v`(%v) SELECT %v FROM `%v`", newTableName, strings.Join(columns, ","), strings.Join(columns, ","), table),
+				fmt.Sprintf("DROP TABLE `%v`", table),
+				fmt.Sprintf("ALTER TABLE `%v` RENAME TO `%v`", newTableName, table),
+			}
+			for _, query := range queries {
+				if err := tx.Exec(query).Error; err != nil {
+					return err
+				}
+			}
+			return nil
+		})
+	})
+}
diff --git a/internal/storage/db/sql/sqlitedialect/sqlite.go b/internal/storage/db/sql/sqlitedialect/sqlite.go
new file mode 100644
index 00000000..ba4f6f18
--- /dev/null
+++ b/internal/storage/db/sql/sqlitedialect/sqlite.go
@@ -0,0 +1,298 @@
+// Package sqlitedialect is a pure-Go GORM SQLite dialector.
+//
+// It is a vendored copy of github.com/glebarez/sqlite v1.10.0 with one surgical
+// change: the underlying SQLite driver/error type is sourced from
+// modernc.org/sqlite directly instead of github.com/glebarez/go-sqlite (which is
+// itself a thin wrapper over modernc.org/sqlite).
+//
+// Why this exists: glebarez/go-sqlite and modernc.org/sqlite BOTH call
+// sql.Register("sqlite", ...) in their init(). OpenFGA's SQL datastores pull in
+// modernc.org/sqlite, so linking glebarez/go-sqlite as well panics at startup
+// with "sql: Register called twice for driver sqlite". By dropping
+// glebarez/sqlite (and thus glebarez/go-sqlite) and using modernc.org/sqlite as
+// the SINGLE registrant, Authorizer's GORM SQLite path and OpenFGA's embedded
+// SQL datastores coexist in one default binary with no registration conflict.
+//
+// The dialect logic (DDL, type mapping, clause builders, migrator) is unchanged
+// from glebarez/sqlite and is plain SQLite SQL — not driver-specific.
+package sqlitedialect
+
+import (
+	"context"
+	"database/sql"
+	"strconv"
+
+	"gorm.io/gorm/callbacks"
+
+	// modernc.org/sqlite is a pure-Go (no-cgo) SQLite driver that registers the
+	// "sqlite" database/sql driver in its init(). It is the single canonical
+	// registrant of that driver name across the binary (OpenFGA's SQL datastores
+	// also use it), which is exactly why this dialect targets it directly instead
+	// of github.com/glebarez/go-sqlite — the latter would register "sqlite" a
+	// second time and panic at startup ("sql: Register called twice").
+	gosqlite "modernc.org/sqlite"
+	sqlite3 "modernc.org/sqlite/lib"
+
+	"gorm.io/gorm"
+	"gorm.io/gorm/clause"
+	"gorm.io/gorm/logger"
+	"gorm.io/gorm/migrator"
+	"gorm.io/gorm/schema"
+)
+
+// DriverName is the default driver name for SQLite.
+const DriverName = "sqlite"
+
+type Dialector struct {
+	DriverName string
+	DSN        string
+	Conn       gorm.ConnPool
+}
+
+func Open(dsn string) gorm.Dialector {
+	return &Dialector{DSN: dsn}
+}
+
+func (dialector Dialector) Name() string {
+	return "sqlite"
+}
+
+func (dialector Dialector) Initialize(db *gorm.DB) (err error) {
+	if dialector.DriverName == "" {
+		dialector.DriverName = DriverName
+	}
+
+	if dialector.Conn != nil {
+		db.ConnPool = dialector.Conn
+	} else {
+		conn, err := sql.Open(dialector.DriverName, dialector.DSN)
+		if err != nil {
+			return err
+		}
+		db.ConnPool = conn
+	}
+
+	var version string
+	if err := db.ConnPool.QueryRowContext(context.Background(), "select sqlite_version()").Scan(&version); err != nil {
+		return err
+	}
+	// https://www.sqlite.org/releaselog/3_35_0.html
+	if compareVersion(version, "3.35.0") >= 0 {
+		callbacks.RegisterDefaultCallbacks(db, &callbacks.Config{
+			CreateClauses:        []string{"INSERT", "VALUES", "ON CONFLICT", "RETURNING"},
+			UpdateClauses:        []string{"UPDATE", "SET", "FROM", "WHERE", "RETURNING"},
+			DeleteClauses:        []string{"DELETE", "FROM", "WHERE", "RETURNING"},
+			LastInsertIDReversed: true,
+		})
+	} else {
+		callbacks.RegisterDefaultCallbacks(db, &callbacks.Config{
+			LastInsertIDReversed: true,
+		})
+	}
+
+	for k, v := range dialector.ClauseBuilders() {
+		db.ClauseBuilders[k] = v
+	}
+	return
+}
+
+func (dialector Dialector) ClauseBuilders() map[string]clause.ClauseBuilder {
+	return map[string]clause.ClauseBuilder{
+		"INSERT": func(c clause.Clause, builder clause.Builder) {
+			if insert, ok := c.Expression.(clause.Insert); ok {
+				if stmt, ok := builder.(*gorm.Statement); ok {
+					stmt.WriteString("INSERT ")
+					if insert.Modifier != "" {
+						stmt.WriteString(insert.Modifier)
+						stmt.WriteByte(' ')
+					}
+
+					stmt.WriteString("INTO ")
+					if insert.Table.Name == "" {
+						stmt.WriteQuoted(stmt.Table)
+					} else {
+						stmt.WriteQuoted(insert.Table)
+					}
+					return
+				}
+			}
+
+			c.Build(builder)
+		},
+		"LIMIT": func(c clause.Clause, builder clause.Builder) {
+			if limit, ok := c.Expression.(clause.Limit); ok {
+				var lmt = -1
+				if limit.Limit != nil && *limit.Limit >= 0 {
+					lmt = *limit.Limit
+				}
+				if lmt >= 0 || limit.Offset > 0 {
+					builder.WriteString("LIMIT ")
+					builder.WriteString(strconv.Itoa(lmt))
+				}
+				if limit.Offset > 0 {
+					builder.WriteString(" OFFSET ")
+					builder.WriteString(strconv.Itoa(limit.Offset))
+				}
+			}
+		},
+		"FOR": func(c clause.Clause, builder clause.Builder) {
+			if _, ok := c.Expression.(clause.Locking); ok {
+				// SQLite3 does not support row-level locking.
+				return
+			}
+			c.Build(builder)
+		},
+	}
+}
+
+func (dialector Dialector) DefaultValueOf(field *schema.Field) clause.Expression {
+	if field.AutoIncrement {
+		return clause.Expr{SQL: "NULL"}
+	}
+
+	// doesn't work, will raise error
+	return clause.Expr{SQL: "DEFAULT"}
+}
+
+func (dialector Dialector) Migrator(db *gorm.DB) gorm.Migrator {
+	return Migrator{migrator.Migrator{Config: migrator.Config{
+		DB:                          db,
+		Dialector:                   dialector,
+		CreateIndexAfterCreateTable: true,
+	}}}
+}
+
+func (dialector Dialector) BindVarTo(writer clause.Writer, stmt *gorm.Statement, v interface{}) {
+	writer.WriteByte('?')
+}
+
+func (dialector Dialector) QuoteTo(writer clause.Writer, str string) {
+	var (
+		underQuoted, selfQuoted bool
+		continuousBacktick      int8
+		shiftDelimiter          int8
+	)
+
+	for _, v := range []byte(str) {
+		switch v {
+		case '`':
+			continuousBacktick++
+			if continuousBacktick == 2 {
+				writer.WriteString("``")
+				continuousBacktick = 0
+			}
+		case '.':
+			if continuousBacktick > 0 || !selfQuoted {
+				shiftDelimiter = 0
+				underQuoted = false
+				continuousBacktick = 0
+				writer.WriteString("`")
+			}
+			writer.WriteByte(v)
+			continue
+		default:
+			if shiftDelimiter-continuousBacktick <= 0 && !underQuoted {
+				writer.WriteString("`")
+				underQuoted = true
+				if selfQuoted = continuousBacktick > 0; selfQuoted {
+					continuousBacktick -= 1
+				}
+			}
+
+			for ; continuousBacktick > 0; continuousBacktick -= 1 {
+				writer.WriteString("``")
+			}
+
+			writer.WriteByte(v)
+		}
+		shiftDelimiter++
+	}
+
+	if continuousBacktick > 0 && !selfQuoted {
+		writer.WriteString("``")
+	}
+	writer.WriteString("`")
+}
+
+func (dialector Dialector) Explain(sql string, vars ...interface{}) string {
+	return logger.ExplainSQL(sql, nil, `"`, vars...)
+}
+
+func (dialector Dialector) DataTypeOf(field *schema.Field) string {
+	switch field.DataType {
+	case schema.Bool:
+		return "numeric"
+	case schema.Int, schema.Uint:
+		if field.AutoIncrement {
+			// doesn't check `PrimaryKey`, to keep backward compatibility
+			// https://www.sqlite.org/autoinc.html
+			return "integer PRIMARY KEY AUTOINCREMENT"
+		} else {
+			return "integer"
+		}
+	case schema.Float:
+		return "real"
+	case schema.String:
+		return "text"
+	case schema.Time:
+		// Distinguish between schema.Time and tag time
+		if val, ok := field.TagSettings["TYPE"]; ok {
+			return val
+		} else {
+			return "datetime"
+		}
+	case schema.Bytes:
+		return "blob"
+	}
+
+	return string(field.DataType)
+}
+
+func (dialectopr Dialector) SavePoint(tx *gorm.DB, name string) error {
+	tx.Exec("SAVEPOINT " + name)
+	return nil
+}
+
+func (dialectopr Dialector) RollbackTo(tx *gorm.DB, name string) error {
+	tx.Exec("ROLLBACK TO SAVEPOINT " + name)
+	return nil
+}
+
+func (dialector Dialector) Translate(err error) error {
+	switch terr := err.(type) {
+	case *gosqlite.Error:
+		switch terr.Code() {
+		case sqlite3.SQLITE_CONSTRAINT_UNIQUE:
+			return gorm.ErrDuplicatedKey
+		case sqlite3.SQLITE_CONSTRAINT_PRIMARYKEY:
+			return gorm.ErrDuplicatedKey
+		case sqlite3.SQLITE_CONSTRAINT_FOREIGNKEY:
+			return gorm.ErrForeignKeyViolated
+		}
+	}
+	return err
+}
+
+func compareVersion(version1, version2 string) int {
+	n, m := len(version1), len(version2)
+	i, j := 0, 0
+	for i < n || j < m {
+		x := 0
+		for ; i < n && version1[i] != '.'; i++ {
+			x = x*10 + int(version1[i]-'0')
+		}
+		i++
+		y := 0
+		for ; j < m && version2[j] != '.'; j++ {
+			y = y*10 + int(version2[j]-'0')
+		}
+		j++
+		if x > y {
+			return 1
+		}
+		if x < y {
+			return -1
+		}
+	}
+	return 0
+}
diff --git a/internal/storage/provider.go b/internal/storage/provider.go
index 4854dc1f..bbf1b551 100644
--- a/internal/storage/provider.go
+++ b/internal/storage/provider.go
@@ -174,101 +174,6 @@ type Provider interface {
 
 	// Close releases resources held by the provider (e.g. database connection pools).
 	Close() error
-
-	// === Authorization: Resources ===
-
-	// AddResource creates a new authorization resource.
-	AddResource(ctx context.Context, resource *schemas.Resource) (*schemas.Resource, error)
-	// UpdateResource updates an existing authorization resource.
-	UpdateResource(ctx context.Context, resource *schemas.Resource) (*schemas.Resource, error)
-	// DeleteResource deletes an authorization resource by ID.
-	// Returns an error if any permission references this resource.
-	DeleteResource(ctx context.Context, id string) error
-	// GetResourceByID returns an authorization resource by its ID.
-	GetResourceByID(ctx context.Context, id string) (*schemas.Resource, error)
-	// GetResourceByName returns an authorization resource by its unique name.
-	GetResourceByName(ctx context.Context, name string) (*schemas.Resource, error)
-	// ListResources returns a paginated list of authorization resources.
-	ListResources(ctx context.Context, pagination *model.Pagination) ([]*schemas.Resource, *model.Pagination, error)
-
-	// === Authorization: Scopes ===
-
-	// AddScope creates a new authorization scope.
-	AddScope(ctx context.Context, scope *schemas.Scope) (*schemas.Scope, error)
-	// UpdateScope updates an existing authorization scope.
-	UpdateScope(ctx context.Context, scope *schemas.Scope) (*schemas.Scope, error)
-	// DeleteScope deletes an authorization scope by ID.
-	// Returns an error if any permission_scope references this scope.
-	DeleteScope(ctx context.Context, id string) error
-	// GetScopeByID returns an authorization scope by its ID.
-	GetScopeByID(ctx context.Context, id string) (*schemas.Scope, error)
-	// GetScopeByName returns an authorization scope by its unique name.
-	GetScopeByName(ctx context.Context, name string) (*schemas.Scope, error)
-	// ListScopes returns a paginated list of authorization scopes.
-	ListScopes(ctx context.Context, pagination *model.Pagination) ([]*schemas.Scope, *model.Pagination, error)
-
-	// === Authorization: Policies ===
-
-	// AddPolicy creates a new authorization policy.
-	AddPolicy(ctx context.Context, policy *schemas.Policy) (*schemas.Policy, error)
-	// UpdatePolicy updates an existing authorization policy.
-	UpdatePolicy(ctx context.Context, policy *schemas.Policy) (*schemas.Policy, error)
-	// DeletePolicy deletes an authorization policy by ID.
-	// Returns an error if any permission_policy references this policy.
-	DeletePolicy(ctx context.Context, id string) error
-	// GetPolicyByID returns an authorization policy by its ID.
-	GetPolicyByID(ctx context.Context, id string) (*schemas.Policy, error)
-	// ListPolicies returns a paginated list of authorization policies.
-	ListPolicies(ctx context.Context, pagination *model.Pagination) ([]*schemas.Policy, *model.Pagination, error)
-
-	// === Authorization: Policy Targets ===
-
-	// AddPolicyTarget adds a target (role name or user ID) to a policy.
-	AddPolicyTarget(ctx context.Context, target *schemas.PolicyTarget) (*schemas.PolicyTarget, error)
-	// DeletePolicyTargetsByPolicyID removes all targets for a policy.
-	// Used during policy update to replace targets atomically.
-	DeletePolicyTargetsByPolicyID(ctx context.Context, policyID string) error
-	// GetPolicyTargets returns all targets for a policy.
-	GetPolicyTargets(ctx context.Context, policyID string) ([]*schemas.PolicyTarget, error)
-
-	// === Authorization: Permissions ===
-
-	// AddPermission creates a new authorization permission.
-	AddPermission(ctx context.Context, permission *schemas.Permission) (*schemas.Permission, error)
-	// UpdatePermission updates an existing authorization permission.
-	UpdatePermission(ctx context.Context, permission *schemas.Permission) (*schemas.Permission, error)
-	// DeletePermission deletes an authorization permission by ID.
-	DeletePermission(ctx context.Context, id string) error
-	// GetPermissionByID returns an authorization permission by its ID.
-	GetPermissionByID(ctx context.Context, id string) (*schemas.Permission, error)
-	// ListPermissions returns a paginated list of authorization permissions.
-	ListPermissions(ctx context.Context, pagination *model.Pagination) ([]*schemas.Permission, *model.Pagination, error)
-
-	// === Authorization: Permission Scopes (join table) ===
-
-	// AddPermissionScope links a scope to a permission.
-	AddPermissionScope(ctx context.Context, ps *schemas.PermissionScope) (*schemas.PermissionScope, error)
-	// DeletePermissionScopesByPermissionID removes all scope links for a permission.
-	DeletePermissionScopesByPermissionID(ctx context.Context, permissionID string) error
-	// GetPermissionScopes returns all scope links for a permission.
-	GetPermissionScopes(ctx context.Context, permissionID string) ([]*schemas.PermissionScope, error)
-
-	// === Authorization: Permission Policies (join table) ===
-
-	// AddPermissionPolicy links a policy to a permission.
-	AddPermissionPolicy(ctx context.Context, pp *schemas.PermissionPolicy) (*schemas.PermissionPolicy, error)
-	// DeletePermissionPoliciesByPermissionID removes all policy links for a permission.
-	DeletePermissionPoliciesByPermissionID(ctx context.Context, permissionID string) error
-	// GetPermissionPolicies returns all policy links for a permission.
-	GetPermissionPolicies(ctx context.Context, permissionID string) ([]*schemas.PermissionPolicy, error)
-
-	// === Authorization: Optimized Evaluation Query ===
-
-	// GetPermissionsForResourceScope returns all permissions (with their policies and targets)
-	// that match a given resource name and scope name. This is the hot-path query used by
-	// the evaluation engine. SQL providers use a single JOIN query. NoSQL providers use
-	// a denormalized lookup collection.
-	GetPermissionsForResourceScope(ctx context.Context, resourceName string, scopeName string) ([]*schemas.PermissionWithPolicies, error)
 }
 
 // New creates a new database provider based on the configuration
diff --git a/internal/storage/provider_test.go b/internal/storage/provider_test.go
index 962d1714..721618e2 100644
--- a/internal/storage/provider_test.go
+++ b/internal/storage/provider_test.go
@@ -2,7 +2,6 @@ package storage
 
 import (
 	"context"
-	"fmt"
 	"net"
 	"os"
 	"strings"
@@ -163,22 +162,6 @@ func TestStorageProvider(t *testing.T) {
 				testAuditLogOperations(t, ctx, provider)
 			})
 
-			t.Run("Resource Operations", func(t *testing.T) {
-				testResourceOperations(t, ctx, provider)
-			})
-
-			t.Run("Scope Operations", func(t *testing.T) {
-				testScopeOperations(t, ctx, provider)
-			})
-
-			t.Run("Policy Operations", func(t *testing.T) {
-				testPolicyOperations(t, ctx, provider)
-			})
-
-			t.Run("Permission Operations", func(t *testing.T) {
-				testPermissionOperations(t, ctx, provider)
-			})
-
 		})
 	}
 }
@@ -888,827 +871,3 @@ func testOAuthStateOperations(t *testing.T, ctx context.Context, provider Provid
 	}
 	assert.True(t, found, "Should find test_state_key_2 in all states")
 }
-
-// testResourceOperations covers all six Provider methods for authorization resources:
-// AddResource, GetResourceByID, GetResourceByName, UpdateResource, ListResources, DeleteResource.
-func testResourceOperations(t *testing.T, ctx context.Context, provider Provider) {
-	t.Helper()
-
-	t.Run("add and get by id", func(t *testing.T) {
-		id := uuid.New().String()
-		r := &schemas.Resource{
-			ID:          id,
-			Key:         id,
-			Name:        "res-add-get-" + id[:8],
-			Description: "test resource",
-		}
-		created, err := provider.AddResource(ctx, r)
-		require.NoError(t, err)
-		require.NotNil(t, created)
-		assert.Equal(t, r.Name, created.Name)
-
-		fetched, err := provider.GetResourceByID(ctx, id)
-		require.NoError(t, err)
-		assert.Equal(t, r.Name, fetched.Name)
-
-		// cleanup
-		require.NoError(t, provider.DeleteResource(ctx, id))
-	})
-
-	t.Run("add and get by name", func(t *testing.T) {
-		id := uuid.New().String()
-		name := "res-byname-" + id[:8]
-		r := &schemas.Resource{ID: id, Key: id, Name: name, Description: "by-name test"}
-		_, err := provider.AddResource(ctx, r)
-		require.NoError(t, err)
-
-		fetched, err := provider.GetResourceByName(ctx, name)
-		require.NoError(t, err)
-		assert.Equal(t, name, fetched.Name)
-
-		require.NoError(t, provider.DeleteResource(ctx, id))
-	})
-
-	t.Run("update mutates persisted fields", func(t *testing.T) {
-		id := uuid.New().String()
-		r := &schemas.Resource{ID: id, Key: id, Name: "res-update-" + id[:8], Description: "original"}
-		created, err := provider.AddResource(ctx, r)
-		require.NoError(t, err)
-
-		created.Description = "updated description"
-		updated, err := provider.UpdateResource(ctx, created)
-		require.NoError(t, err)
-		assert.Equal(t, "updated description", updated.Description)
-
-		refetched, err := provider.GetResourceByID(ctx, id)
-		require.NoError(t, err)
-		assert.Equal(t, "updated description", refetched.Description)
-
-		require.NoError(t, provider.DeleteResource(ctx, id))
-	})
-
-	t.Run("delete removes the row", func(t *testing.T) {
-		id := uuid.New().String()
-		r := &schemas.Resource{ID: id, Key: id, Name: "res-delete-" + id[:8]}
-		_, err := provider.AddResource(ctx, r)
-		require.NoError(t, err)
-
-		require.NoError(t, provider.DeleteResource(ctx, id))
-
-		_, err = provider.GetResourceByID(ctx, id)
-		assert.Error(t, err, "GetResourceByID should return error after deletion")
-	})
-
-	t.Run("list returns inserted rows with correct pagination", func(t *testing.T) {
-		// Insert 3 uniquely-named resources.
-		suffix := uuid.New().String()[:8]
-		ids := make([]string, 3)
-		for i := range ids {
-			id := uuid.New().String()
-			ids[i] = id
-			name := fmt.Sprintf("res-list-%s-%d", suffix, i)
-			r := &schemas.Resource{ID: id, Key: id, Name: name}
-			_, err := provider.AddResource(ctx, r)
-			require.NoError(t, err)
-		}
-
-		// First page: limit 2, offset 0.
-		pag1 := &model.Pagination{Limit: 2, Offset: 0}
-		items1, retPag1, err := provider.ListResources(ctx, pag1)
-		require.NoError(t, err)
-		require.NotNil(t, retPag1)
-		assert.GreaterOrEqual(t, retPag1.Total, int64(3))
-		assert.LessOrEqual(t, len(items1), 2)
-
-		// Second page: limit 2, offset 2.
-		pag2 := &model.Pagination{Limit: 2, Offset: 2}
-		items2, retPag2, err := provider.ListResources(ctx, pag2)
-		require.NoError(t, err)
-		require.NotNil(t, retPag2)
-		assert.GreaterOrEqual(t, len(items2), 0)
-
-		// cleanup
-		for _, id := range ids {
-			_ = provider.DeleteResource(ctx, id)
-		}
-	})
-
-	t.Run("list does not mutate caller pagination pointer", func(t *testing.T) {
-		pag := &model.Pagination{Limit: 10, Offset: 0}
-		_, retPag, err := provider.ListResources(ctx, pag)
-		require.NoError(t, err)
-		assert.NotSame(t, pag, retPag, "ListResources should return a new pagination object")
-	})
-
-	t.Run("add duplicate name returns error", func(t *testing.T) {
-		if strings.Contains(t.Name(), constants.DbTypeScyllaDB) {
-			t.Skip("Cassandra/ScyllaDB does not enforce uniqueness constraints on non-partition-key columns")
-		}
-		id1 := uuid.New().String()
-		name := "res-dup-" + id1[:8]
-		r1 := &schemas.Resource{ID: id1, Key: id1, Name: name}
-		_, err := provider.AddResource(ctx, r1)
-		require.NoError(t, err)
-
-		id2 := uuid.New().String()
-		r2 := &schemas.Resource{ID: id2, Key: id2, Name: name}
-		_, err = provider.AddResource(ctx, r2)
-		assert.Error(t, err, "adding a resource with a duplicate name should fail")
-
-		require.NoError(t, provider.DeleteResource(ctx, id1))
-	})
-}
-
-// testScopeOperations covers all six Provider methods for authorization scopes:
-// AddScope, GetScopeByID, GetScopeByName, UpdateScope, ListScopes, DeleteScope.
-func testScopeOperations(t *testing.T, ctx context.Context, provider Provider) {
-	t.Helper()
-
-	t.Run("add and get by id", func(t *testing.T) {
-		id := uuid.New().String()
-		s := &schemas.Scope{
-			ID:          id,
-			Key:         id,
-			Name:        "scope-add-" + id[:8],
-			Description: "test scope",
-		}
-		created, err := provider.AddScope(ctx, s)
-		require.NoError(t, err)
-		require.NotNil(t, created)
-		assert.Equal(t, s.Name, created.Name)
-
-		fetched, err := provider.GetScopeByID(ctx, id)
-		require.NoError(t, err)
-		assert.Equal(t, s.Name, fetched.Name)
-
-		require.NoError(t, provider.DeleteScope(ctx, id))
-	})
-
-	t.Run("add and get by name", func(t *testing.T) {
-		id := uuid.New().String()
-		name := "scope-byname-" + id[:8]
-		s := &schemas.Scope{ID: id, Key: id, Name: name, Description: "by-name test"}
-		_, err := provider.AddScope(ctx, s)
-		require.NoError(t, err)
-
-		fetched, err := provider.GetScopeByName(ctx, name)
-		require.NoError(t, err)
-		assert.Equal(t, name, fetched.Name)
-
-		require.NoError(t, provider.DeleteScope(ctx, id))
-	})
-
-	t.Run("update mutates persisted fields", func(t *testing.T) {
-		id := uuid.New().String()
-		s := &schemas.Scope{ID: id, Key: id, Name: "scope-update-" + id[:8], Description: "original"}
-		created, err := provider.AddScope(ctx, s)
-		require.NoError(t, err)
-
-		created.Description = "updated scope description"
-		updated, err := provider.UpdateScope(ctx, created)
-		require.NoError(t, err)
-		assert.Equal(t, "updated scope description", updated.Description)
-
-		refetched, err := provider.GetScopeByID(ctx, id)
-		require.NoError(t, err)
-		assert.Equal(t, "updated scope description", refetched.Description)
-
-		require.NoError(t, provider.DeleteScope(ctx, id))
-	})
-
-	t.Run("delete removes the row", func(t *testing.T) {
-		id := uuid.New().String()
-		s := &schemas.Scope{ID: id, Key: id, Name: "scope-delete-" + id[:8]}
-		_, err := provider.AddScope(ctx, s)
-		require.NoError(t, err)
-
-		require.NoError(t, provider.DeleteScope(ctx, id))
-
-		_, err = provider.GetScopeByID(ctx, id)
-		assert.Error(t, err, "GetScopeByID should return error after deletion")
-	})
-
-	t.Run("list returns inserted rows with correct pagination", func(t *testing.T) {
-		suffix := uuid.New().String()[:8]
-		ids := make([]string, 3)
-		for i := range ids {
-			id := uuid.New().String()
-			ids[i] = id
-			name := fmt.Sprintf("scope-list-%s-%d", suffix, i)
-			s := &schemas.Scope{ID: id, Key: id, Name: name}
-			_, err := provider.AddScope(ctx, s)
-			require.NoError(t, err)
-		}
-
-		pag1 := &model.Pagination{Limit: 2, Offset: 0}
-		items1, retPag1, err := provider.ListScopes(ctx, pag1)
-		require.NoError(t, err)
-		require.NotNil(t, retPag1)
-		assert.GreaterOrEqual(t, retPag1.Total, int64(3))
-		assert.LessOrEqual(t, len(items1), 2)
-
-		pag2 := &model.Pagination{Limit: 2, Offset: 2}
-		items2, retPag2, err := provider.ListScopes(ctx, pag2)
-		require.NoError(t, err)
-		require.NotNil(t, retPag2)
-		assert.GreaterOrEqual(t, len(items2), 0)
-
-		for _, id := range ids {
-			_ = provider.DeleteScope(ctx, id)
-		}
-	})
-
-	t.Run("list does not mutate caller pagination pointer", func(t *testing.T) {
-		pag := &model.Pagination{Limit: 10, Offset: 0}
-		_, retPag, err := provider.ListScopes(ctx, pag)
-		require.NoError(t, err)
-		assert.NotSame(t, pag, retPag, "ListScopes should return a new pagination object")
-	})
-
-	t.Run("add duplicate name returns error", func(t *testing.T) {
-		if strings.Contains(t.Name(), constants.DbTypeScyllaDB) {
-			t.Skip("Cassandra/ScyllaDB does not enforce uniqueness constraints on non-partition-key columns")
-		}
-		id1 := uuid.New().String()
-		name := "scope-dup-" + id1[:8]
-		s1 := &schemas.Scope{ID: id1, Key: id1, Name: name}
-		_, err := provider.AddScope(ctx, s1)
-		require.NoError(t, err)
-
-		id2 := uuid.New().String()
-		s2 := &schemas.Scope{ID: id2, Key: id2, Name: name}
-		_, err = provider.AddScope(ctx, s2)
-		assert.Error(t, err, "adding a scope with a duplicate name should fail")
-
-		require.NoError(t, provider.DeleteScope(ctx, id1))
-	})
-}
-
-// testPolicyOperations covers all eight Provider methods for authorization policies:
-// AddPolicy, GetPolicyByID, UpdatePolicy, ListPolicies, DeletePolicy,
-// AddPolicyTarget, GetPolicyTargets, DeletePolicyTargetsByPolicyID.
-func testPolicyOperations(t *testing.T, ctx context.Context, provider Provider) {
-	t.Helper()
-
-	t.Run("add and get by id", func(t *testing.T) {
-		id := uuid.New().String()
-		p := &schemas.Policy{
-			ID:               id,
-			Key:              id,
-			Name:             "pol-add-" + id[:8],
-			Description:      "test policy",
-			Type:             constants.PolicyTypeRole,
-			Logic:            constants.PolicyLogicPositive,
-			DecisionStrategy: constants.DecisionStrategyAffirmative,
-		}
-		created, err := provider.AddPolicy(ctx, p)
-		require.NoError(t, err)
-		require.NotNil(t, created)
-		assert.Equal(t, p.Name, created.Name)
-		assert.Equal(t, constants.PolicyTypeRole, created.Type)
-
-		fetched, err := provider.GetPolicyByID(ctx, id)
-		require.NoError(t, err)
-		assert.Equal(t, p.Name, fetched.Name)
-		assert.Equal(t, constants.PolicyLogicPositive, fetched.Logic)
-
-		require.NoError(t, provider.DeletePolicy(ctx, id))
-	})
-
-	t.Run("update mutates persisted fields", func(t *testing.T) {
-		id := uuid.New().String()
-		p := &schemas.Policy{
-			ID:               id,
-			Key:              id,
-			Name:             "pol-update-" + id[:8],
-			Type:             constants.PolicyTypeRole,
-			Logic:            constants.PolicyLogicPositive,
-			DecisionStrategy: constants.DecisionStrategyAffirmative,
-		}
-		created, err := provider.AddPolicy(ctx, p)
-		require.NoError(t, err)
-
-		created.Description = "updated policy description"
-		created.Logic = constants.PolicyLogicNegative
-		updated, err := provider.UpdatePolicy(ctx, created)
-		require.NoError(t, err)
-		assert.Equal(t, "updated policy description", updated.Description)
-		assert.Equal(t, constants.PolicyLogicNegative, updated.Logic)
-
-		refetched, err := provider.GetPolicyByID(ctx, id)
-		require.NoError(t, err)
-		assert.Equal(t, constants.PolicyLogicNegative, refetched.Logic)
-
-		require.NoError(t, provider.DeletePolicy(ctx, id))
-	})
-
-	t.Run("delete removes the row", func(t *testing.T) {
-		id := uuid.New().String()
-		p := &schemas.Policy{
-			ID:               id,
-			Key:              id,
-			Name:             "pol-delete-" + id[:8],
-			Type:             constants.PolicyTypeUser,
-			Logic:            constants.PolicyLogicPositive,
-			DecisionStrategy: constants.DecisionStrategyUnanimous,
-		}
-		_, err := provider.AddPolicy(ctx, p)
-		require.NoError(t, err)
-
-		require.NoError(t, provider.DeletePolicy(ctx, id))
-
-		_, err = provider.GetPolicyByID(ctx, id)
-		assert.Error(t, err, "GetPolicyByID should return error after deletion")
-	})
-
-	t.Run("list returns inserted rows with correct pagination", func(t *testing.T) {
-		suffix := uuid.New().String()[:8]
-		ids := make([]string, 3)
-		for i := range ids {
-			id := uuid.New().String()
-			ids[i] = id
-			name := fmt.Sprintf("pol-list-%s-%d", suffix, i)
-			p := &schemas.Policy{
-				ID:               id,
-				Key:              id,
-				Name:             name,
-				Type:             constants.PolicyTypeRole,
-				Logic:            constants.PolicyLogicPositive,
-				DecisionStrategy: constants.DecisionStrategyAffirmative,
-			}
-			_, err := provider.AddPolicy(ctx, p)
-			require.NoError(t, err)
-		}
-
-		pag1 := &model.Pagination{Limit: 2, Offset: 0}
-		items1, retPag1, err := provider.ListPolicies(ctx, pag1)
-		require.NoError(t, err)
-		require.NotNil(t, retPag1)
-		assert.GreaterOrEqual(t, retPag1.Total, int64(3))
-		assert.LessOrEqual(t, len(items1), 2)
-
-		pag2 := &model.Pagination{Limit: 2, Offset: 2}
-		items2, retPag2, err := provider.ListPolicies(ctx, pag2)
-		require.NoError(t, err)
-		require.NotNil(t, retPag2)
-		assert.GreaterOrEqual(t, len(items2), 0)
-
-		for _, id := range ids {
-			_ = provider.DeletePolicy(ctx, id)
-		}
-	})
-
-	t.Run("list does not mutate caller pagination pointer", func(t *testing.T) {
-		pag := &model.Pagination{Limit: 10, Offset: 0}
-		_, retPag, err := provider.ListPolicies(ctx, pag)
-		require.NoError(t, err)
-		assert.NotSame(t, pag, retPag, "ListPolicies should return a new pagination object")
-	})
-
-	t.Run("policy targets add get and delete", func(t *testing.T) {
-		// Create parent policy.
-		polID := uuid.New().String()
-		pol := &schemas.Policy{
-			ID:               polID,
-			Key:              polID,
-			Name:             "pol-targets-" + polID[:8],
-			Type:             constants.PolicyTypeRole,
-			Logic:            constants.PolicyLogicPositive,
-			DecisionStrategy: constants.DecisionStrategyAffirmative,
-		}
-		_, err := provider.AddPolicy(ctx, pol)
-		require.NoError(t, err)
-
-		// Add two targets.
-		t1ID := uuid.New().String()
-		t2ID := uuid.New().String()
-		tgt1 := &schemas.PolicyTarget{
-			ID:          t1ID,
-			Key:         t1ID,
-			PolicyID:    polID,
-			TargetType:  "role",
-			TargetValue: "editor",
-			CreatedAt:   time.Now().Unix(),
-		}
-		tgt2 := &schemas.PolicyTarget{
-			ID:          t2ID,
-			Key:         t2ID,
-			PolicyID:    polID,
-			TargetType:  "role",
-			TargetValue: "admin",
-			CreatedAt:   time.Now().Unix(),
-		}
-		_, err = provider.AddPolicyTarget(ctx, tgt1)
-		require.NoError(t, err)
-		_, err = provider.AddPolicyTarget(ctx, tgt2)
-		require.NoError(t, err)
-
-		// GetPolicyTargets should return both.
-		targets, err := provider.GetPolicyTargets(ctx, polID)
-		require.NoError(t, err)
-		assert.Len(t, targets, 2, "expected 2 policy targets")
-
-		// DeletePolicyTargetsByPolicyID removes all targets.
-		require.NoError(t, provider.DeletePolicyTargetsByPolicyID(ctx, polID))
-
-		targets, err = provider.GetPolicyTargets(ctx, polID)
-		require.NoError(t, err)
-		assert.Empty(t, targets, "targets should be empty after DeletePolicyTargetsByPolicyID")
-
-		// cleanup policy
-		require.NoError(t, provider.DeletePolicy(ctx, polID))
-	})
-}
-
-// testPermissionOperations covers all Provider methods for authorization permissions
-// and their join tables:
-// AddPermission, GetPermissionByID, UpdatePermission, ListPermissions, DeletePermission,
-// AddPermissionScope, GetPermissionScopes, DeletePermissionScopesByPermissionID,
-// AddPermissionPolicy, GetPermissionPolicies, DeletePermissionPoliciesByPermissionID,
-// GetPermissionsForResourceScope.
-func testPermissionOperations(t *testing.T, ctx context.Context, provider Provider) {
-	t.Helper()
-
-	// Helper to create a throwaway resource for permission tests.
-	newResource := func(t *testing.T, nameSuffix string) *schemas.Resource {
-		t.Helper()
-		id := uuid.New().String()
-		r := &schemas.Resource{ID: id, Key: id, Name: "perm-res-" + nameSuffix + "-" + id[:8]}
-		created, err := provider.AddResource(ctx, r)
-		require.NoError(t, err)
-		return created
-	}
-
-	t.Run("add and get by id", func(t *testing.T) {
-		res := newResource(t, "add")
-		id := uuid.New().String()
-		perm := &schemas.Permission{
-			ID:               id,
-			Key:              id,
-			Name:             "perm-add-" + id[:8],
-			Description:      "test permission",
-			ResourceID:       res.ID,
-			DecisionStrategy: constants.DecisionStrategyAffirmative,
-		}
-		created, err := provider.AddPermission(ctx, perm)
-		require.NoError(t, err)
-		require.NotNil(t, created)
-		assert.Equal(t, perm.Name, created.Name)
-		assert.Equal(t, res.ID, created.ResourceID)
-
-		fetched, err := provider.GetPermissionByID(ctx, id)
-		require.NoError(t, err)
-		assert.Equal(t, perm.Name, fetched.Name)
-
-		// cleanup: permission first (no join rows), then resource
-		require.NoError(t, provider.DeletePermission(ctx, id))
-		require.NoError(t, provider.DeleteResource(ctx, res.ID))
-	})
-
-	t.Run("update mutates persisted fields", func(t *testing.T) {
-		res := newResource(t, "upd")
-		id := uuid.New().String()
-		perm := &schemas.Permission{
-			ID:               id,
-			Key:              id,
-			Name:             "perm-upd-" + id[:8],
-			ResourceID:       res.ID,
-			DecisionStrategy: constants.DecisionStrategyAffirmative,
-		}
-		created, err := provider.AddPermission(ctx, perm)
-		require.NoError(t, err)
-
-		created.Description = "updated permission description"
-		created.DecisionStrategy = constants.DecisionStrategyUnanimous
-		updated, err := provider.UpdatePermission(ctx, created)
-		require.NoError(t, err)
-		assert.Equal(t, "updated permission description", updated.Description)
-		assert.Equal(t, constants.DecisionStrategyUnanimous, updated.DecisionStrategy)
-
-		refetched, err := provider.GetPermissionByID(ctx, id)
-		require.NoError(t, err)
-		assert.Equal(t, constants.DecisionStrategyUnanimous, refetched.DecisionStrategy)
-
-		require.NoError(t, provider.DeletePermission(ctx, id))
-		require.NoError(t, provider.DeleteResource(ctx, res.ID))
-	})
-
-	t.Run("delete removes the row", func(t *testing.T) {
-		res := newResource(t, "del")
-		id := uuid.New().String()
-		perm := &schemas.Permission{
-			ID:               id,
-			Key:              id,
-			Name:             "perm-del-" + id[:8],
-			ResourceID:       res.ID,
-			DecisionStrategy: constants.DecisionStrategyAffirmative,
-		}
-		_, err := provider.AddPermission(ctx, perm)
-		require.NoError(t, err)
-
-		require.NoError(t, provider.DeletePermission(ctx, id))
-
-		_, err = provider.GetPermissionByID(ctx, id)
-		assert.Error(t, err, "GetPermissionByID should return error after deletion")
-
-		require.NoError(t, provider.DeleteResource(ctx, res.ID))
-	})
-
-	t.Run("list returns inserted rows with correct pagination", func(t *testing.T) {
-		res := newResource(t, "list")
-		suffix := uuid.New().String()[:8]
-		ids := make([]string, 3)
-		for i := range ids {
-			id := uuid.New().String()
-			ids[i] = id
-			name := fmt.Sprintf("perm-list-%s-%d", suffix, i)
-			perm := &schemas.Permission{
-				ID:               id,
-				Key:              id,
-				Name:             name,
-				ResourceID:       res.ID,
-				DecisionStrategy: constants.DecisionStrategyAffirmative,
-			}
-			_, err := provider.AddPermission(ctx, perm)
-			require.NoError(t, err)
-		}
-
-		pag1 := &model.Pagination{Limit: 2, Offset: 0}
-		items1, retPag1, err := provider.ListPermissions(ctx, pag1)
-		require.NoError(t, err)
-		require.NotNil(t, retPag1)
-		assert.GreaterOrEqual(t, retPag1.Total, int64(3))
-		assert.LessOrEqual(t, len(items1), 2)
-
-		pag2 := &model.Pagination{Limit: 2, Offset: 2}
-		items2, retPag2, err := provider.ListPermissions(ctx, pag2)
-		require.NoError(t, err)
-		require.NotNil(t, retPag2)
-		assert.GreaterOrEqual(t, len(items2), 0)
-
-		// cleanup: permissions first, then resource
-		for _, id := range ids {
-			_ = provider.DeletePermission(ctx, id)
-		}
-		require.NoError(t, provider.DeleteResource(ctx, res.ID))
-	})
-
-	t.Run("list does not mutate caller pagination pointer", func(t *testing.T) {
-		pag := &model.Pagination{Limit: 10, Offset: 0}
-		_, retPag, err := provider.ListPermissions(ctx, pag)
-		require.NoError(t, err)
-		assert.NotSame(t, pag, retPag, "ListPermissions should return a new pagination object")
-	})
-
-	t.Run("permission scopes add get and delete", func(t *testing.T) {
-		res := newResource(t, "ps")
-		permID := uuid.New().String()
-		perm := &schemas.Permission{
-			ID:               permID,
-			Key:              permID,
-			Name:             "perm-ps-" + permID[:8],
-			ResourceID:       res.ID,
-			DecisionStrategy: constants.DecisionStrategyAffirmative,
-		}
-		_, err := provider.AddPermission(ctx, perm)
-		require.NoError(t, err)
-
-		// Create two scopes and link them.
-		scopeID1 := uuid.New().String()
-		scope1 := &schemas.Scope{ID: scopeID1, Key: scopeID1, Name: "scope-ps1-" + scopeID1[:8]}
-		_, err = provider.AddScope(ctx, scope1)
-		require.NoError(t, err)
-
-		scopeID2 := uuid.New().String()
-		scope2 := &schemas.Scope{ID: scopeID2, Key: scopeID2, Name: "scope-ps2-" + scopeID2[:8]}
-		_, err = provider.AddScope(ctx, scope2)
-		require.NoError(t, err)
-
-		ps1ID := uuid.New().String()
-		ps1 := &schemas.PermissionScope{
-			ID:           ps1ID,
-			Key:          ps1ID,
-			PermissionID: permID,
-			ScopeID:      scopeID1,
-			CreatedAt:    time.Now().Unix(),
-		}
-		ps2ID := uuid.New().String()
-		ps2 := &schemas.PermissionScope{
-			ID:           ps2ID,
-			Key:          ps2ID,
-			PermissionID: permID,
-			ScopeID:      scopeID2,
-			CreatedAt:    time.Now().Unix(),
-		}
-		_, err = provider.AddPermissionScope(ctx, ps1)
-		require.NoError(t, err)
-		_, err = provider.AddPermissionScope(ctx, ps2)
-		require.NoError(t, err)
-
-		psLinks, err := provider.GetPermissionScopes(ctx, permID)
-		require.NoError(t, err)
-		assert.Len(t, psLinks, 2, "expected 2 permission-scope links")
-
-		require.NoError(t, provider.DeletePermissionScopesByPermissionID(ctx, permID))
-
-		psLinks, err = provider.GetPermissionScopes(ctx, permID)
-		require.NoError(t, err)
-		assert.Empty(t, psLinks, "permission scopes should be empty after delete")
-
-		// cleanup
-		require.NoError(t, provider.DeletePermission(ctx, permID))
-		require.NoError(t, provider.DeleteScope(ctx, scopeID1))
-		require.NoError(t, provider.DeleteScope(ctx, scopeID2))
-		require.NoError(t, provider.DeleteResource(ctx, res.ID))
-	})
-
-	t.Run("permission policies add get and delete", func(t *testing.T) {
-		res := newResource(t, "pp")
-		permID := uuid.New().String()
-		perm := &schemas.Permission{
-			ID:               permID,
-			Key:              permID,
-			Name:             "perm-pp-" + permID[:8],
-			ResourceID:       res.ID,
-			DecisionStrategy: constants.DecisionStrategyAffirmative,
-		}
-		_, err := provider.AddPermission(ctx, perm)
-		require.NoError(t, err)
-
-		// Create two policies and link them.
-		polID1 := uuid.New().String()
-		pol1 := &schemas.Policy{
-			ID:               polID1,
-			Key:              polID1,
-			Name:             "pol-pp1-" + polID1[:8],
-			Type:             constants.PolicyTypeRole,
-			Logic:            constants.PolicyLogicPositive,
-			DecisionStrategy: constants.DecisionStrategyAffirmative,
-		}
-		_, err = provider.AddPolicy(ctx, pol1)
-		require.NoError(t, err)
-
-		polID2 := uuid.New().String()
-		pol2 := &schemas.Policy{
-			ID:               polID2,
-			Key:              polID2,
-			Name:             "pol-pp2-" + polID2[:8],
-			Type:             constants.PolicyTypeUser,
-			Logic:            constants.PolicyLogicPositive,
-			DecisionStrategy: constants.DecisionStrategyAffirmative,
-		}
-		_, err = provider.AddPolicy(ctx, pol2)
-		require.NoError(t, err)
-
-		pp1ID := uuid.New().String()
-		pp1 := &schemas.PermissionPolicy{
-			ID:           pp1ID,
-			Key:          pp1ID,
-			PermissionID: permID,
-			PolicyID:     polID1,
-			CreatedAt:    time.Now().Unix(),
-		}
-		pp2ID := uuid.New().String()
-		pp2 := &schemas.PermissionPolicy{
-			ID:           pp2ID,
-			Key:          pp2ID,
-			PermissionID: permID,
-			PolicyID:     polID2,
-			CreatedAt:    time.Now().Unix(),
-		}
-		_, err = provider.AddPermissionPolicy(ctx, pp1)
-		require.NoError(t, err)
-		_, err = provider.AddPermissionPolicy(ctx, pp2)
-		require.NoError(t, err)
-
-		ppLinks, err := provider.GetPermissionPolicies(ctx, permID)
-		require.NoError(t, err)
-		assert.Len(t, ppLinks, 2, "expected 2 permission-policy links")
-
-		require.NoError(t, provider.DeletePermissionPoliciesByPermissionID(ctx, permID))
-
-		ppLinks, err = provider.GetPermissionPolicies(ctx, permID)
-		require.NoError(t, err)
-		assert.Empty(t, ppLinks, "permission policies should be empty after delete")
-
-		// cleanup
-		require.NoError(t, provider.DeletePermission(ctx, permID))
-		require.NoError(t, provider.DeletePolicy(ctx, polID1))
-		require.NoError(t, provider.DeletePolicy(ctx, polID2))
-		require.NoError(t, provider.DeleteResource(ctx, res.ID))
-	})
-
-	t.Run("GetPermissionsForResourceScope evaluator hot-path", func(t *testing.T) {
-		// Seed: resource + scope + policy (with one target) + permission linking all three.
-		resID := uuid.New().String()
-		suffix := resID[:8]
-		resource := &schemas.Resource{ID: resID, Key: resID, Name: "evalres-" + suffix}
-		_, err := provider.AddResource(ctx, resource)
-		require.NoError(t, err)
-
-		scopeID := uuid.New().String()
-		scope := &schemas.Scope{ID: scopeID, Key: scopeID, Name: "evalscope-" + suffix}
-		_, err = provider.AddScope(ctx, scope)
-		require.NoError(t, err)
-
-		polID := uuid.New().String()
-		policy := &schemas.Policy{
-			ID:               polID,
-			Key:              polID,
-			Name:             "evalpol-" + suffix,
-			Type:             constants.PolicyTypeRole,
-			Logic:            constants.PolicyLogicPositive,
-			DecisionStrategy: constants.DecisionStrategyAffirmative,
-		}
-		_, err = provider.AddPolicy(ctx, policy)
-		require.NoError(t, err)
-
-		tgtID := uuid.New().String()
-		tgt := &schemas.PolicyTarget{
-			ID:          tgtID,
-			Key:         tgtID,
-			PolicyID:    polID,
-			TargetType:  "role",
-			TargetValue: "editor",
-			CreatedAt:   time.Now().Unix(),
-		}
-		_, err = provider.AddPolicyTarget(ctx, tgt)
-		require.NoError(t, err)
-
-		permID := uuid.New().String()
-		perm := &schemas.Permission{
-			ID:               permID,
-			Key:              permID,
-			Name:             "evalperm-" + suffix,
-			ResourceID:       resID,
-			DecisionStrategy: constants.DecisionStrategyAffirmative,
-		}
-		_, err = provider.AddPermission(ctx, perm)
-		require.NoError(t, err)
-
-		// Link scope to permission.
-		psID := uuid.New().String()
-		ps := &schemas.PermissionScope{
-			ID:           psID,
-			Key:          psID,
-			PermissionID: permID,
-			ScopeID:      scopeID,
-			CreatedAt:    time.Now().Unix(),
-		}
-		_, err = provider.AddPermissionScope(ctx, ps)
-		require.NoError(t, err)
-
-		// Link policy to permission.
-		ppID := uuid.New().String()
-		pp := &schemas.PermissionPolicy{
-			ID:           ppID,
-			Key:          ppID,
-			PermissionID: permID,
-			PolicyID:     polID,
-			CreatedAt:    time.Now().Unix(),
-		}
-		_, err = provider.AddPermissionPolicy(ctx, pp)
-		require.NoError(t, err)
-
-		// Query the evaluator hot-path by resource name and scope name.
-		results, err := provider.GetPermissionsForResourceScope(ctx, resource.Name, scope.Name)
-		require.NoError(t, err)
-		require.NotEmpty(t, results, "expected at least one PermissionWithPolicies")
-
-		// Find our seeded permission in the results (other tests may have left rows).
-		var found *schemas.PermissionWithPolicies
-		for _, r := range results {
-			if r.PermissionID == permID {
-				found = r
-				break
-			}
-		}
-		require.NotNil(t, found, "seeded permission not found in GetPermissionsForResourceScope result")
-		assert.Equal(t, perm.Name, found.PermissionName)
-		assert.Equal(t, constants.DecisionStrategyAffirmative, found.DecisionStrategy)
-		require.NotEmpty(t, found.Policies, "expected at least one policy in the result")
-
-		var foundPol *schemas.PolicyWithTargets
-		for i := range found.Policies {
-			if found.Policies[i].PolicyID == polID {
-				foundPol = &found.Policies[i]
-				break
-			}
-		}
-		require.NotNil(t, foundPol, "seeded policy not found in PermissionWithPolicies.Policies")
-		assert.Equal(t, policy.Name, foundPol.PolicyName)
-		assert.Equal(t, constants.PolicyTypeRole, foundPol.Type)
-		require.NotEmpty(t, foundPol.Targets, "expected policy target in result")
-		assert.Equal(t, "role", foundPol.Targets[0].TargetType)
-		assert.Equal(t, "editor", foundPol.Targets[0].TargetValue)
-
-		// cleanup: join rows first, then leaves, then root resource
-		_ = provider.DeletePermissionScopesByPermissionID(ctx, permID)
-		_ = provider.DeletePermissionPoliciesByPermissionID(ctx, permID)
-		_ = provider.DeletePermission(ctx, permID)
-		_ = provider.DeletePolicyTargetsByPolicyID(ctx, polID)
-		_ = provider.DeletePolicy(ctx, polID)
-		_ = provider.DeleteScope(ctx, scopeID)
-		_ = provider.DeleteResource(ctx, resID)
-	})
-}
diff --git a/internal/storage/schemas/model.go b/internal/storage/schemas/model.go
index 86653692..43f4e464 100644
--- a/internal/storage/schemas/model.go
+++ b/internal/storage/schemas/model.go
@@ -16,14 +16,6 @@ type CollectionList struct {
 	MFASession             string
 	OAuthState             string
 	AuditLog               string
-	// Authorization tables
-	Resource         string
-	Scope            string
-	Policy           string
-	PolicyTarget     string
-	Permission       string
-	PermissionScope  string
-	PermissionPolicy string
 }
 
 var (
@@ -45,13 +37,5 @@ var (
 		MFASession:             Prefix + "mfa_sessions",
 		OAuthState:             Prefix + "oauth_states",
 		AuditLog:               Prefix + "audit_logs",
-		// Authorization collections
-		Resource:         Prefix + "resources",
-		Scope:            Prefix + "scopes",
-		Policy:           Prefix + "policies",
-		PolicyTarget:     Prefix + "policy_targets",
-		Permission:       Prefix + "permissions",
-		PermissionScope:  Prefix + "permission_scopes",
-		PermissionPolicy: Prefix + "permission_policies",
 	}
 )
diff --git a/internal/storage/schemas/permission.go b/internal/storage/schemas/permission.go
deleted file mode 100644
index 5d4fd89f..00000000
--- a/internal/storage/schemas/permission.go
+++ /dev/null
@@ -1,112 +0,0 @@
-package schemas
-
-import "github.com/authorizerdev/authorizer/internal/graph/model"
-
-// Permission is the binding layer of the authorization model.
-// It connects a Resource to Scopes (via PermissionScope) and Policies (via PermissionPolicy).
-// A permission answers: "WHO can do WHAT on WHICH resource?"
-type Permission struct {
-	// ID is the unique identifier (UUID v4).
-	ID string `json:"id" gorm:"primaryKey;type:char(36)" bson:"_id" cql:"id" dynamo:"id,hash"`
-	// Key is an alias for ID used by some NoSQL providers (json tag is "_key" for arangodb document key).
-	Key string `json:"_key,omitempty" gorm:"type:char(36)" bson:"key" cql:"key" dynamo:"key"`
-	// Name is a unique human-readable identifier (e.g., "edit-documents").
-	Name string `json:"name" gorm:"type:varchar(100);uniqueIndex" bson:"name" cql:"name" dynamo:"name"`
-	// Description provides optional context about this permission.
-	Description string `json:"description" gorm:"type:text" bson:"description" cql:"description" dynamo:"description"`
-	// ResourceID is the foreign key to the Resource this permission protects.
-	ResourceID string `json:"resource_id" gorm:"type:char(36);index" bson:"resource_id" cql:"resource_id" dynamo:"resource_id"`
-	// DecisionStrategy controls how multiple policies attached to this permission are evaluated.
-	// "affirmative" = any policy grants access (OR), "unanimous" = all must agree (AND).
-	DecisionStrategy string `json:"decision_strategy" gorm:"type:varchar(20);default:affirmative" bson:"decision_strategy" cql:"decision_strategy" dynamo:"decision_strategy"`
-	// CreatedAt is the unix timestamp of creation.
-	CreatedAt int64 `json:"created_at" gorm:"autoCreateTime" bson:"created_at" cql:"created_at" dynamo:"created_at"`
-	// UpdatedAt is the unix timestamp of last update.
-	UpdatedAt int64 `json:"updated_at" gorm:"autoUpdateTime" bson:"updated_at" cql:"updated_at" dynamo:"updated_at"`
-}
-
-// PermissionScope is the join table linking a Permission to its allowed Scopes.
-// A permission can cover multiple scopes (e.g., "read" and "write").
-type PermissionScope struct {
-	// ID is the unique identifier (UUID v4).
-	ID string `json:"id" gorm:"primaryKey;type:char(36)" bson:"_id" cql:"id" dynamo:"id,hash"`
-	// Key is an alias for ID used by some NoSQL providers (json tag is "_key" for arangodb document key).
-	Key string `json:"_key,omitempty" gorm:"type:char(36)" bson:"key" cql:"key" dynamo:"key"`
-	// PermissionID is the foreign key to the parent Permission.
-	PermissionID string `json:"permission_id" gorm:"type:char(36);index;uniqueIndex:idx_ps_unique" bson:"permission_id" cql:"permission_id" dynamo:"permission_id"`
-	// ScopeID is the foreign key to the Scope.
-	ScopeID string `json:"scope_id" gorm:"type:char(36);index;uniqueIndex:idx_ps_unique" bson:"scope_id" cql:"scope_id" dynamo:"scope_id"`
-	// CreatedAt is the unix timestamp of creation.
-	CreatedAt int64 `json:"created_at" gorm:"autoCreateTime" bson:"created_at" cql:"created_at" dynamo:"created_at"`
-}
-
-// PermissionPolicy is the join table linking a Permission to its governing Policies.
-// A permission can be governed by multiple policies, evaluated using the permission's DecisionStrategy.
-type PermissionPolicy struct {
-	// ID is the unique identifier (UUID v4).
-	ID string `json:"id" gorm:"primaryKey;type:char(36)" bson:"_id" cql:"id" dynamo:"id,hash"`
-	// Key is an alias for ID used by some NoSQL providers (json tag is "_key" for arangodb document key).
-	Key string `json:"_key,omitempty" gorm:"type:char(36)" bson:"key" cql:"key" dynamo:"key"`
-	// PermissionID is the foreign key to the parent Permission.
-	PermissionID string `json:"permission_id" gorm:"type:char(36);index;uniqueIndex:idx_pp_unique" bson:"permission_id" cql:"permission_id" dynamo:"permission_id"`
-	// PolicyID is the foreign key to the Policy.
-	PolicyID string `json:"policy_id" gorm:"type:char(36);index;uniqueIndex:idx_pp_unique" bson:"policy_id" cql:"policy_id" dynamo:"policy_id"`
-	// CreatedAt is the unix timestamp of creation.
-	CreatedAt int64 `json:"created_at" gorm:"autoCreateTime" bson:"created_at" cql:"created_at" dynamo:"created_at"`
-}
-
-// PermissionWithPolicies is a denormalized view used by the evaluation engine.
-// It bundles a permission with its resolved policies and targets for efficient
-// single-query evaluation. Not a database table -- constructed by
-// GetPermissionsForResourceScope().
-type PermissionWithPolicies struct {
-	// PermissionID is the permission being evaluated.
-	PermissionID string
-	// PermissionName is for logging and debugging.
-	PermissionName string
-	// DecisionStrategy is how to combine policy results for this permission.
-	DecisionStrategy string
-	// Policies contains the resolved policies with their targets.
-	Policies []PolicyWithTargets
-}
-
-// PolicyWithTargets bundles a policy with its resolved targets.
-// Used by the evaluation engine to avoid N+1 queries.
-type PolicyWithTargets struct {
-	// PolicyID is the policy identifier.
-	PolicyID string
-	// PolicyName is for logging and debugging.
-	PolicyName string
-	// Type is the policy type discriminator (role, user, client, agent).
-	Type string
-	// Logic is positive or negative.
-	Logic string
-	// DecisionStrategy is how to combine targets within this policy.
-	DecisionStrategy string
-	// Targets are the resolved policy targets.
-	Targets []PolicyTargetView
-}
-
-// PolicyTargetView is a read-only view of a policy target for evaluation.
-type PolicyTargetView struct {
-	// TargetType is "role", "user", "client", or "agent".
-	TargetType string
-	// TargetValue is the role name, user ID, client ID, or agent ID.
-	TargetValue string
-}
-
-// AsAPIPermission converts a storage Permission to the GraphQL API model
-// with its resolved resource, scopes, and policies.
-func (p *Permission) AsAPIPermission(resource *model.AuthzResource, scopes []*model.AuthzScope, policies []*model.AuthzPolicy) *model.AuthzPermission {
-	return &model.AuthzPermission{
-		ID:               p.ID,
-		Name:             p.Name,
-		Description:      &p.Description,
-		Resource:         resource,
-		Scopes:           scopes,
-		Policies:         policies,
-		DecisionStrategy: p.DecisionStrategy,
-		CreatedAt:        p.CreatedAt,
-		UpdatedAt:        p.UpdatedAt,
-	}
-}
diff --git a/internal/storage/schemas/policy.go b/internal/storage/schemas/policy.go
deleted file mode 100644
index d6ac60ec..00000000
--- a/internal/storage/schemas/policy.go
+++ /dev/null
@@ -1,73 +0,0 @@
-package schemas
-
-import "github.com/authorizerdev/authorizer/internal/graph/model"
-
-// Policy defines conditions for granting or denying access.
-// Policies are the brain of the authorization model -- they determine WHO gets access.
-// A policy has a Type (role-based, user-based, etc.) and Logic (positive=grant, negative=deny).
-type Policy struct {
-	// ID is the unique identifier (UUID v4).
-	ID string `json:"id" gorm:"primaryKey;type:char(36)" bson:"_id" cql:"id" dynamo:"id,hash"`
-	// Key is an alias for ID used by some NoSQL providers (json tag is "_key" for arangodb document key).
-	Key string `json:"_key,omitempty" gorm:"type:char(36)" bson:"key" cql:"key" dynamo:"key"`
-	// Name is a unique human-readable identifier (e.g., "editors-policy").
-	Name string `json:"name" gorm:"type:varchar(100);uniqueIndex" bson:"name" cql:"name" dynamo:"name"`
-	// Description provides optional context about this policy.
-	Description string `json:"description" gorm:"type:text" bson:"description" cql:"description" dynamo:"description"`
-	// Type is the policy type discriminator: "role" or "user" (extensible to "client", "agent").
-	// See constants.PolicyTypeRole, constants.PolicyTypeUser.
-	Type string `json:"type" gorm:"type:varchar(50);index" bson:"type" cql:"type" dynamo:"type"`
-	// Logic determines whether matching GRANTS or DENIES access.
-	// "positive" = grant when matched, "negative" = deny when matched.
-	// See constants.PolicyLogicPositive, constants.PolicyLogicNegative.
-	Logic string `json:"logic" gorm:"type:varchar(10);default:positive" bson:"logic" cql:"logic" dynamo:"logic"`
-	// DecisionStrategy controls how multiple targets within this policy are evaluated.
-	// "affirmative" = any target match grants, "unanimous" = all targets must match.
-	// See constants.DecisionStrategyAffirmative, constants.DecisionStrategyUnanimous.
-	DecisionStrategy string `json:"decision_strategy" gorm:"type:varchar(20);default:affirmative" bson:"decision_strategy" cql:"decision_strategy" dynamo:"decision_strategy"`
-	// CreatedAt is the unix timestamp of creation.
-	CreatedAt int64 `json:"created_at" gorm:"autoCreateTime" bson:"created_at" cql:"created_at" dynamo:"created_at"`
-	// UpdatedAt is the unix timestamp of last update.
-	UpdatedAt int64 `json:"updated_at" gorm:"autoUpdateTime" bson:"updated_at" cql:"updated_at" dynamo:"updated_at"`
-}
-
-// PolicyTarget specifies who/what a policy applies to.
-// For a role-based policy, targets are role names. For a user-based policy, targets are user IDs.
-type PolicyTarget struct {
-	// ID is the unique identifier (UUID v4).
-	ID string `json:"id" gorm:"primaryKey;type:char(36)" bson:"_id" cql:"id" dynamo:"id,hash"`
-	// Key is an alias for ID used by some NoSQL providers (json tag is "_key" for arangodb document key).
-	Key string `json:"_key,omitempty" gorm:"type:char(36)" bson:"key" cql:"key" dynamo:"key"`
-	// PolicyID is the foreign key to the parent Policy.
-	PolicyID string `json:"policy_id" gorm:"type:char(36);index;uniqueIndex:idx_pt_unique" bson:"policy_id" cql:"policy_id" dynamo:"policy_id"`
-	// TargetType describes what kind of target this is: "role" or "user"
-	// (extensible to "client", "agent").
-	TargetType string `json:"target_type" gorm:"type:varchar(50);uniqueIndex:idx_pt_unique" bson:"target_type" cql:"target_type" dynamo:"target_type"`
-	// TargetValue is the role name or user/client/agent ID this target matches.
-	TargetValue string `json:"target_value" gorm:"type:varchar(256);uniqueIndex:idx_pt_unique" bson:"target_value" cql:"target_value" dynamo:"target_value"`
-	// CreatedAt is the unix timestamp of creation.
-	CreatedAt int64 `json:"created_at" gorm:"autoCreateTime" bson:"created_at" cql:"created_at" dynamo:"created_at"`
-}
-
-// AsAPIPolicy converts a storage Policy and its targets to the GraphQL API model.
-func (p *Policy) AsAPIPolicy(targets []*PolicyTarget) *model.AuthzPolicy {
-	apiTargets := make([]*model.AuthzPolicyTarget, len(targets))
-	for i, t := range targets {
-		apiTargets[i] = &model.AuthzPolicyTarget{
-			ID:          t.ID,
-			TargetType:  t.TargetType,
-			TargetValue: t.TargetValue,
-		}
-	}
-	return &model.AuthzPolicy{
-		ID:               p.ID,
-		Name:             p.Name,
-		Description:      &p.Description,
-		Type:             p.Type,
-		Logic:            p.Logic,
-		DecisionStrategy: p.DecisionStrategy,
-		Targets:          apiTargets,
-		CreatedAt:        p.CreatedAt,
-		UpdatedAt:        p.UpdatedAt,
-	}
-}
diff --git a/internal/storage/schemas/resource.go b/internal/storage/schemas/resource.go
deleted file mode 100644
index b66d66d2..00000000
--- a/internal/storage/schemas/resource.go
+++ /dev/null
@@ -1,33 +0,0 @@
-package schemas
-
-import "github.com/authorizerdev/authorizer/internal/graph/model"
-
-// Resource represents a protected resource type in the authorization model.
-// Resources are types (e.g., "document", "invoice"), not instances.
-// They define WHAT is being protected.
-type Resource struct {
-	// ID is the unique identifier (UUID v4).
-	ID string `json:"id" gorm:"primaryKey;type:char(36)" bson:"_id" cql:"id" dynamo:"id,hash"`
-	// Key is an alias for ID used by some NoSQL providers (json tag is "_key" for arangodb document key).
-	Key string `json:"_key,omitempty" gorm:"type:char(36)" bson:"key" cql:"key" dynamo:"key"`
-	// Name is a unique human-readable identifier (e.g., "document", "invoice").
-	// Must be alphanumeric with hyphens and underscores, max 100 chars.
-	Name string `json:"name" gorm:"type:varchar(100);uniqueIndex" bson:"name" cql:"name" dynamo:"name"`
-	// Description provides optional context about what this resource represents.
-	Description string `json:"description" gorm:"type:text" bson:"description" cql:"description" dynamo:"description"`
-	// CreatedAt is the unix timestamp of creation.
-	CreatedAt int64 `json:"created_at" gorm:"autoCreateTime" bson:"created_at" cql:"created_at" dynamo:"created_at"`
-	// UpdatedAt is the unix timestamp of last update.
-	UpdatedAt int64 `json:"updated_at" gorm:"autoUpdateTime" bson:"updated_at" cql:"updated_at" dynamo:"updated_at"`
-}
-
-// AsAPIResource converts a storage Resource to the GraphQL API model.
-func (r *Resource) AsAPIResource() *model.AuthzResource {
-	return &model.AuthzResource{
-		ID:          r.ID,
-		Name:        r.Name,
-		Description: &r.Description,
-		CreatedAt:   r.CreatedAt,
-		UpdatedAt:   r.UpdatedAt,
-	}
-}
diff --git a/internal/storage/schemas/scope.go b/internal/storage/schemas/scope.go
deleted file mode 100644
index c8597c07..00000000
--- a/internal/storage/schemas/scope.go
+++ /dev/null
@@ -1,33 +0,0 @@
-package schemas
-
-import "github.com/authorizerdev/authorizer/internal/graph/model"
-
-// Scope represents an action that can be performed on a resource.
-// Scopes are global verbs (e.g., "read", "write", "delete", "approve").
-// They define WHAT ACTIONS are allowed.
-type Scope struct {
-	// ID is the unique identifier (UUID v4).
-	ID string `json:"id" gorm:"primaryKey;type:char(36)" bson:"_id" cql:"id" dynamo:"id,hash"`
-	// Key is an alias for ID used by some NoSQL providers (json tag is "_key" for arangodb document key).
-	Key string `json:"_key,omitempty" gorm:"type:char(36)" bson:"key" cql:"key" dynamo:"key"`
-	// Name is a unique human-readable identifier (e.g., "read", "write").
-	// Must be alphanumeric with hyphens and underscores, max 100 chars.
-	Name string `json:"name" gorm:"type:varchar(100);uniqueIndex" bson:"name" cql:"name" dynamo:"name"`
-	// Description provides optional context about what this scope represents.
-	Description string `json:"description" gorm:"type:text" bson:"description" cql:"description" dynamo:"description"`
-	// CreatedAt is the unix timestamp of creation.
-	CreatedAt int64 `json:"created_at" gorm:"autoCreateTime" bson:"created_at" cql:"created_at" dynamo:"created_at"`
-	// UpdatedAt is the unix timestamp of last update.
-	UpdatedAt int64 `json:"updated_at" gorm:"autoUpdateTime" bson:"updated_at" cql:"updated_at" dynamo:"updated_at"`
-}
-
-// AsAPIScope converts a storage Scope to the GraphQL API model.
-func (s *Scope) AsAPIScope() *model.AuthzScope {
-	return &model.AuthzScope{
-		ID:          s.ID,
-		Name:        s.Name,
-		Description: &s.Description,
-		CreatedAt:   s.CreatedAt,
-		UpdatedAt:   s.UpdatedAt,
-	}
-}
diff --git a/web/dashboard/src/components/FgaNotEnabled.tsx b/web/dashboard/src/components/FgaNotEnabled.tsx
new file mode 100644
index 00000000..2ca1016c
--- /dev/null
+++ b/web/dashboard/src/components/FgaNotEnabled.tsx
@@ -0,0 +1,26 @@
+import React from 'react';
+import { ShieldOff } from 'lucide-react';
+
+// FgaNotEnabled renders an informative empty state shown when the backend
+// reports that fine-grained authorization is not enabled (the server is not
+// running with --authorization-engine=fga).
+const FgaNotEnabled = () => {
+	return (
+		<div className="flex min-h-[40vh] flex-col items-center justify-center text-center text-gray-400">
+			<ShieldOff className="mb-4 h-16 w-16" />
+			<p className="text-2xl font-bold text-gray-600">
+				Fine-Grained Authorization is not enabled
+			</p>
+			<p className="mt-2 max-w-md text-sm text-gray-500">
+				Start the Authorizer server with{' '}
+				<code className="rounded bg-gray-100 px-1.5 py-0.5 text-gray-700">
+					--authorization-engine=fga
+				</code>{' '}
+				to manage authorization models, relationship tuples and run access
+				checks from this dashboard.
+			</p>
+		</div>
+	);
+};
+
+export default FgaNotEnabled;
diff --git a/web/dashboard/src/components/Sidebar.tsx b/web/dashboard/src/components/Sidebar.tsx
index bc4d7dbd..91b3b696 100644
--- a/web/dashboard/src/components/Sidebar.tsx
+++ b/web/dashboard/src/components/Sidebar.tsx
@@ -11,7 +11,10 @@ import {
 	LogOut,
 	Menu,
 	ExternalLink,
-	Shield,
+	ShieldCheck,
+	FileCode,
+	Network,
+	SearchCheck,
 } from 'lucide-react';
 import type { LucideIcon } from 'lucide-react';
 import { cn } from '../lib/utils';
@@ -32,8 +35,42 @@ const navItems: NavItemConfig[] = [
 	{ name: 'Users', icon: Users, route: '/users' },
 	{ name: 'Webhooks', icon: Webhook, route: '/webhooks' },
 	{ name: 'Email Templates', icon: Mail, route: '/email-templates' },
-	{ name: 'Authorization', icon: Shield, route: '/authorization' },
 	{ name: 'Audit Logs', icon: ScrollText, route: '/audit-logs' },
+];
+
+interface NavGroupConfig {
+	name: string;
+	icon: LucideIcon;
+	basePath: string;
+	items: NavItemConfig[];
+}
+
+const navGroups: NavGroupConfig[] = [
+	{
+		name: 'Authorization',
+		icon: ShieldCheck,
+		basePath: '/authorization',
+		items: [
+			{
+				name: 'Authorization Model',
+				icon: FileCode,
+				route: '/authorization/model',
+			},
+			{
+				name: 'Relationship Tuples',
+				icon: Network,
+				route: '/authorization/tuples',
+			},
+			{
+				name: 'Access Tester',
+				icon: SearchCheck,
+				route: '/authorization/tester',
+			},
+		],
+	},
+];
+
+const externalNavItems: NavItemConfig[] = [
 	{
 		name: 'API Playground',
 		icon: SquareTerminal,
@@ -76,24 +113,8 @@ export const Sidebar = ({ onClose }: SidebarProps) => {
 			</div>
 
 			{/* Navigation */}
-			<nav className="flex-1 space-y-1 px-3 py-4">
+			<nav className="flex-1 space-y-1 overflow-y-auto px-3 py-4">
 				{navItems.map((item) => {
-					if (item.external) {
-						return (
-							<a
-								key={item.name}
-								href={item.route}
-								target="_blank"
-								rel="noopener noreferrer"
-								className="flex items-center gap-3 rounded-md px-3 py-2 text-sm font-medium text-gray-700 hover:bg-gray-100 hover:text-gray-900 transition-colors"
-							>
-								<item.icon className="h-4 w-4" />
-								{item.name}
-								<ExternalLink className="ml-auto h-3 w-3 text-gray-400" />
-							</a>
-						);
-					}
-
 					const isActive =
 						item.route === '/'
 							? pathname === '/'
@@ -116,6 +137,62 @@ export const Sidebar = ({ onClose }: SidebarProps) => {
 						</NavLink>
 					);
 				})}
+
+				{/* Grouped navigation */}
+				{navGroups.map((group) => {
+					const isGroupActive = pathname.startsWith(group.basePath);
+					return (
+						<div key={group.name} className="pt-2">
+							<div
+								className={cn(
+									'flex items-center gap-3 px-3 py-2 text-xs font-semibold uppercase tracking-wider',
+									isGroupActive ? 'text-blue-600' : 'text-gray-400',
+								)}
+							>
+								<group.icon className="h-4 w-4" />
+								{group.name}
+							</div>
+							<div className="space-y-1">
+								{group.items.map((item) => {
+									const isActive = pathname.startsWith(item.route);
+									return (
+										<NavLink
+											key={item.name}
+											to={item.route}
+											onClick={onClose}
+											className={cn(
+												'flex items-center gap-3 rounded-md py-2 pl-9 pr-3 text-sm font-medium transition-colors',
+												isActive
+													? 'bg-blue-50 text-blue-600'
+													: 'text-gray-700 hover:bg-gray-100 hover:text-gray-900',
+											)}
+										>
+											<item.icon className="h-4 w-4" />
+											{item.name}
+										</NavLink>
+									);
+								})}
+							</div>
+						</div>
+					);
+				})}
+
+				{/* External links */}
+				<div className="pt-2">
+					{externalNavItems.map((item) => (
+						<a
+							key={item.name}
+							href={item.route}
+							target="_blank"
+							rel="noopener noreferrer"
+							className="flex items-center gap-3 rounded-md px-3 py-2 text-sm font-medium text-gray-700 hover:bg-gray-100 hover:text-gray-900 transition-colors"
+						>
+							<item.icon className="h-4 w-4" />
+							{item.name}
+							<ExternalLink className="ml-auto h-3 w-3 text-gray-400" />
+						</a>
+					))}
+				</div>
 			</nav>
 
 			{/* Footer */}
diff --git a/web/dashboard/src/graphql/mutation/index.ts b/web/dashboard/src/graphql/mutation/index.ts
index ac5efae2..685a061e 100644
--- a/web/dashboard/src/graphql/mutation/index.ts
+++ b/web/dashboard/src/graphql/mutation/index.ts
@@ -121,151 +121,34 @@ export const EditEmailTemplate = `
   }
 `;
 
-// Authorization mutations
-export const AddResource = `
-  mutation addResource($params: AddResourceInput!) {
-    _authz_add_resource(params: $params) {
-      id
-      name
-      description
-    }
-  }
-`;
-
-export const UpdateResource = `
-  mutation updateResource($params: UpdateResourceInput!) {
-    _authz_update_resource(params: $params) {
-      id
-      name
-      description
-    }
-  }
-`;
-
-export const DeleteResource = `
-  mutation deleteResource($id: ID!) {
-    _authz_delete_resource(id: $id) {
-      message
-    }
-  }
-`;
-
-export const AddScope = `
-  mutation addScope($params: AddScopeInput!) {
-    _authz_add_scope(params: $params) {
-      id
-      name
-      description
-    }
-  }
-`;
-
-export const UpdateScope = `
-  mutation updateScope($params: UpdateScopeInput!) {
-    _authz_update_scope(params: $params) {
-      id
-      name
-      description
-    }
-  }
-`;
-
-export const DeleteScope = `
-  mutation deleteScope($id: ID!) {
-    _authz_delete_scope(id: $id) {
-      message
-    }
-  }
-`;
-
-export const AddPolicy = `
-  mutation addPolicy($params: AddPolicyInput!) {
-    _authz_add_policy(params: $params) {
-      id
-      name
-      description
-      type
-      logic
-      decision_strategy
-      targets {
-        id
-        target_type
-        target_value
-      }
-    }
-  }
-`;
-
-export const UpdatePolicy = `
-  mutation updatePolicy($params: UpdatePolicyInput!) {
-    _authz_update_policy(params: $params) {
-      id
-      name
-      description
-      logic
-      decision_strategy
-      targets {
-        id
-        target_type
-        target_value
-      }
-    }
-  }
-`;
-
-export const DeletePolicy = `
-  mutation deletePolicy($id: ID!) {
-    _authz_delete_policy(id: $id) {
+export const DeleteEmailTemplate = `
+  mutation deleteEmailTemplate($params: DeleteEmailTemplateRequest!) {
+    _delete_email_template(params: $params) {
       message
     }
   }
 `;
 
-export const AddPermission = `
-  mutation addPermission($params: AddPermissionInput!) {
-    _authz_add_permission(params: $params) {
-      id
-      name
-      description
-      resource {
-        id
-        name
-      }
-      scopes {
-        id
-        name
-      }
-      policies {
-        id
-        name
-      }
-      decision_strategy
-    }
-  }
-`;
-
-export const UpdatePermission = `
-  mutation updatePermission($params: UpdatePermissionInput!) {
-    _authz_update_permission(params: $params) {
+export const FgaWriteModel = `
+  mutation fgaWriteModel($params: FgaWriteModelInput!) {
+    _fga_write_model(params: $params) {
       id
-      name
-      description
-      decision_strategy
+      dsl
     }
   }
 `;
 
-export const DeletePermission = `
-  mutation deletePermission($id: ID!) {
-    _authz_delete_permission(id: $id) {
+export const FgaWriteTuples = `
+  mutation fgaWriteTuples($params: FgaWriteTuplesInput!) {
+    _fga_write_tuples(params: $params) {
       message
     }
   }
 `;
 
-export const DeleteEmailTemplate = `
-  mutation deleteEmailTemplate($params: DeleteEmailTemplateRequest!) {
-    _delete_email_template(params: $params) {
+export const FgaDeleteTuples = `
+  mutation fgaDeleteTuples($params: FgaWriteTuplesInput!) {
+    _fga_delete_tuples(params: $params) {
       message
     }
   }
diff --git a/web/dashboard/src/graphql/queries/index.ts b/web/dashboard/src/graphql/queries/index.ts
index ae7a2b5b..3f43411b 100644
--- a/web/dashboard/src/graphql/queries/index.ts
+++ b/web/dashboard/src/graphql/queries/index.ts
@@ -109,118 +109,6 @@ export const WebhookLogsQuery = `
   }
 `;
 
-// Authorization queries
-export const ResourcesQuery = `
-  query getResources($params: PaginatedRequest) {
-    _authz_resources(params: $params) {
-      resources {
-        id
-        name
-        description
-        created_at
-        updated_at
-      }
-      pagination {
-        limit
-        page
-        offset
-        total
-      }
-    }
-  }
-`;
-
-export const ScopesQuery = `
-  query getScopes($params: PaginatedRequest) {
-    _authz_scopes(params: $params) {
-      scopes {
-        id
-        name
-        description
-        created_at
-        updated_at
-      }
-      pagination {
-        limit
-        page
-        offset
-        total
-      }
-    }
-  }
-`;
-
-export const PoliciesQuery = `
-  query getPolicies($params: PaginatedRequest) {
-    _authz_policies(params: $params) {
-      policies {
-        id
-        name
-        description
-        type
-        logic
-        decision_strategy
-        targets {
-          id
-          target_type
-          target_value
-        }
-        created_at
-        updated_at
-      }
-      pagination {
-        limit
-        page
-        offset
-        total
-      }
-    }
-  }
-`;
-
-export const PermissionsQuery = `
-  query getPermissions($params: PaginatedRequest) {
-    _authz_permissions(params: $params) {
-      permissions {
-        id
-        name
-        description
-        resource {
-          id
-          name
-          description
-        }
-        scopes {
-          id
-          name
-          description
-        }
-        policies {
-          id
-          name
-          type
-          logic
-          decision_strategy
-          targets {
-            id
-            target_type
-            target_value
-          }
-        }
-        decision_strategy
-        created_at
-        updated_at
-      }
-      pagination {
-        limit
-        page
-        offset
-        total
-      }
-    }
-  }
-`;
-
 export const AuditLogsQuery = `
   query getAuditLogs($params: ListAuditLogRequest!) {
     _audit_logs(params: $params) {
@@ -246,3 +134,33 @@ export const AuditLogsQuery = `
     }
   }
 `;
+
+export const FgaGetModelQuery = `
+  query fgaGetModel {
+    _fga_get_model {
+      id
+      dsl
+    }
+  }
+`;
+
+export const FgaReadTuplesQuery = `
+  query fgaReadTuples($params: FgaReadTuplesInput!) {
+    _fga_read_tuples(params: $params) {
+      tuples {
+        user
+        relation
+        object
+      }
+      continuation_token
+    }
+  }
+`;
+
+export const FgaCheckQuery = `
+  query fgaCheck($params: FgaCheckInput!) {
+    fga_check(params: $params) {
+      allowed
+    }
+  }
+`;
diff --git a/web/dashboard/src/lib/utils.ts b/web/dashboard/src/lib/utils.ts
index 7637fb9e..2515add1 100644
--- a/web/dashboard/src/lib/utils.ts
+++ b/web/dashboard/src/lib/utils.ts
@@ -4,3 +4,15 @@ import { twMerge } from 'tailwind-merge';
 export function cn(...inputs: ClassValue[]) {
 	return twMerge(clsx(inputs));
 }
+
+// isFgaNotEnabledError detects the backend error returned by every FGA
+// resolver when the server is not running with --authorization-engine=fga.
+// The backend message is "fine-grained authorization is not enabled".
+export function isFgaNotEnabledError(error?: { message?: string } | null) {
+	if (!error?.message) {
+		return false;
+	}
+	return error.message
+		.toLowerCase()
+		.includes('fine-grained authorization is not enabled');
+}
diff --git a/web/dashboard/src/pages/Authorization.tsx b/web/dashboard/src/pages/Authorization.tsx
deleted file mode 100644
index cee60df2..00000000
--- a/web/dashboard/src/pages/Authorization.tsx
+++ /dev/null
@@ -1,68 +0,0 @@
-import React, { lazy, Suspense } from 'react';
-import { NavLink, Routes, Route, Navigate } from 'react-router-dom';
-import { cn } from '../lib/utils';
-
-const Resources = lazy(() => import('./authorization/Resources'));
-const Scopes = lazy(() => import('./authorization/Scopes'));
-const Policies = lazy(() => import('./authorization/Policies'));
-const Permissions = lazy(() => import('./authorization/Permissions'));
-
-// Tab paths are absolute (relative to the BrowserRouter basename "/dashboard").
-// Using relative paths here would resolve against the current URL — clicking
-// "Scopes" while on "/dashboard/authorization/resources" would yield
-// "/dashboard/authorization/resources/scopes" and break the inner <Routes>.
-const tabs = [
-	{ name: 'Resources', path: '/authorization/resources' },
-	{ name: 'Scopes', path: '/authorization/scopes' },
-	{ name: 'Policies', path: '/authorization/policies' },
-	{ name: 'Permissions', path: '/authorization/permissions' },
-];
-
-export default function Authorization() {
-	return (
-		<div className="m-5 rounded-md bg-white py-5 px-10">
-			<div className="my-4">
-				<h1 className="text-2xl font-semibold text-gray-900">
-					Authorization
-				</h1>
-				<p className="mt-1 text-sm text-gray-500">
-					Fine-grained authorization management: resources, scopes, policies,
-					and permissions.
-				</p>
-			</div>
-
-			{/* Tab navigation */}
-			<div className="border-b border-gray-200 mb-6">
-				<nav className="-mb-px flex gap-4">
-					{tabs.map((tab) => (
-						<NavLink
-							key={tab.path}
-							to={tab.path}
-							className={({ isActive }) =>
-								cn(
-									'whitespace-nowrap border-b-2 pb-3 pt-2 px-1 text-sm font-medium transition-colors',
-									isActive
-										? 'border-blue-500 text-blue-600'
-										: 'border-transparent text-gray-500 hover:border-gray-300 hover:text-gray-700',
-								)
-							}
-						>
-							{tab.name}
-						</NavLink>
-					))}
-				</nav>
-			</div>
-
-			{/* Tab content */}
-			<Suspense fallback={<div className="py-8 text-center text-gray-400">Loading...</div>}>
-				<Routes>
-					<Route path="resources" element={<Resources />} />
-					<Route path="scopes" element={<Scopes />} />
-					<Route path="policies" element={<Policies />} />
-					<Route path="permissions" element={<Permissions />} />
-					<Route path="*" element={<Navigate to="/authorization/resources" replace />} />
-				</Routes>
-			</Suspense>
-		</div>
-	);
-}
diff --git a/web/dashboard/src/pages/authorization/Model.tsx b/web/dashboard/src/pages/authorization/Model.tsx
new file mode 100644
index 00000000..2343fd6d
--- /dev/null
+++ b/web/dashboard/src/pages/authorization/Model.tsx
@@ -0,0 +1,157 @@
+import React, { useCallback, useEffect, useState } from 'react';
+import { useClient } from 'urql';
+import { toast } from 'sonner';
+import { AlertCircle, Save } from 'lucide-react';
+import { FgaGetModelQuery } from '../../graphql/queries';
+import { FgaWriteModel } from '../../graphql/mutation';
+import { Button } from '../../components/ui/button';
+import { Textarea } from '../../components/ui/textarea';
+import { Skeleton } from '../../components/ui/skeleton';
+import { Badge } from '../../components/ui/badge';
+import FgaNotEnabled from '../../components/FgaNotEnabled';
+import { isFgaNotEnabledError } from '../../lib/utils';
+import type {
+	FgaGetModelResponse,
+	FgaWriteModelResponse,
+} from '../../types';
+
+const Model = () => {
+	const client = useClient();
+	const [loading, setLoading] = useState<boolean>(true);
+	const [saving, setSaving] = useState<boolean>(false);
+	const [fgaDisabled, setFgaDisabled] = useState<boolean>(false);
+	const [dsl, setDsl] = useState<string>('');
+	const [modelId, setModelId] = useState<string>('');
+	const [validationError, setValidationError] = useState<string>('');
+
+	const fetchModel = useCallback(async () => {
+		setLoading(true);
+		try {
+			const res = await client
+				.query<FgaGetModelResponse>(
+					FgaGetModelQuery,
+					{},
+					{ requestPolicy: 'network-only' },
+				)
+				.toPromise();
+
+			if (res.error) {
+				if (isFgaNotEnabledError(res.error)) {
+					setFgaDisabled(true);
+				} else {
+					toast.error('Failed to load authorization model');
+				}
+				return;
+			}
+
+			if (res.data?._fga_get_model) {
+				setDsl(res.data._fga_get_model.dsl || '');
+				setModelId(res.data._fga_get_model.id || '');
+			}
+		} catch {
+			toast.error('Failed to load authorization model');
+		} finally {
+			setLoading(false);
+		}
+	}, [client]);
+
+	useEffect(() => {
+		fetchModel();
+	}, [fetchModel]);
+
+	const handleSave = async () => {
+		if (!dsl.trim()) {
+			setValidationError('Model DSL cannot be empty.');
+			return;
+		}
+		setValidationError('');
+		setSaving(true);
+		try {
+			const res = await client
+				.mutation<FgaWriteModelResponse>(FgaWriteModel, {
+					params: { dsl },
+				})
+				.toPromise();
+
+			if (res.error) {
+				if (isFgaNotEnabledError(res.error)) {
+					setFgaDisabled(true);
+				} else {
+					setValidationError(res.error.message.replace('[GraphQL] ', ''));
+					toast.error('Failed to save authorization model');
+				}
+				return;
+			}
+
+			if (res.data?._fga_write_model) {
+				setModelId(res.data._fga_write_model.id);
+				setDsl(res.data._fga_write_model.dsl || dsl);
+				toast.success('Authorization model saved');
+			}
+		} catch {
+			toast.error('Failed to save authorization model');
+		} finally {
+			setSaving(false);
+		}
+	};
+
+	return (
+		<div className="m-5 rounded-md bg-white py-5 px-10">
+			<div className="my-4 flex items-center justify-between">
+				<div>
+					<h1 className="text-2xl font-semibold text-gray-900">
+						Authorization Model
+					</h1>
+					<p className="mt-1 text-sm text-gray-500">
+						Define the OpenFGA authorization model in DSL form.
+					</p>
+				</div>
+				{!fgaDisabled && (
+					<Button onClick={handleSave} disabled={saving || loading}>
+						<Save className="mr-2 h-4 w-4" />
+						{saving ? 'Saving...' : 'Save Model'}
+					</Button>
+				)}
+			</div>
+
+			{loading ? (
+				<div className="space-y-3">
+					<Skeleton className="h-10 w-1/3" />
+					<Skeleton className="h-64 w-full" />
+				</div>
+			) : fgaDisabled ? (
+				<FgaNotEnabled />
+			) : (
+				<div className="space-y-4">
+					{modelId && (
+						<div className="flex items-center gap-2 text-sm text-gray-600">
+							<span>Current model id:</span>
+							<Badge variant="secondary">{modelId}</Badge>
+						</div>
+					)}
+
+					<Textarea
+						value={dsl}
+						onChange={(e) => setDsl(e.target.value)}
+						spellCheck={false}
+						className="min-h-[420px] font-mono text-xs leading-relaxed"
+						placeholder={
+							'model\n  schema 1.1\n\ntype user\n\ntype document\n  relations\n    define viewer: [user]\n    define editor: [user]'
+						}
+					/>
+
+					{validationError && (
+						<div className="flex items-start gap-2 rounded-md border border-red-200 bg-red-50 p-3 text-sm text-red-700">
+							<AlertCircle className="mt-0.5 h-4 w-4 shrink-0" />
+							<span className="whitespace-pre-wrap break-words">
+								{validationError}
+							</span>
+						</div>
+					)}
+				</div>
+			)}
+		</div>
+	);
+};
+
+export default Model;
diff --git a/web/dashboard/src/pages/authorization/Permissions.tsx b/web/dashboard/src/pages/authorization/Permissions.tsx
deleted file mode 100644
index 52e6d566..00000000
--- a/web/dashboard/src/pages/authorization/Permissions.tsx
+++ /dev/null
@@ -1,580 +0,0 @@
-import React from 'react';
-import { useClient } from 'urql';
-import { toast } from 'sonner';
-import dayjs from 'dayjs';
-import { Plus, Pencil, Trash2, AlertCircle } from 'lucide-react';
-import {
-	PermissionsQuery,
-	ResourcesQuery,
-	ScopesQuery,
-	PoliciesQuery,
-} from '../../graphql/queries';
-import {
-	AddPermission,
-	UpdatePermission,
-	DeletePermission,
-} from '../../graphql/mutation';
-import { getGraphQLErrorMessage } from '../../utils';
-import { Button } from '../../components/ui/button';
-import { Input } from '../../components/ui/input';
-import { Textarea } from '../../components/ui/textarea';
-import { Label } from '../../components/ui/label';
-import { Badge } from '../../components/ui/badge';
-import { Skeleton } from '../../components/ui/skeleton';
-import { Select } from '../../components/ui/select';
-import {
-	Dialog,
-	DialogContent,
-	DialogHeader,
-	DialogTitle,
-	DialogFooter,
-	DialogDescription,
-} from '../../components/ui/dialog';
-import {
-	Table,
-	TableHeader,
-	TableBody,
-	TableRow,
-	TableHead,
-	TableCell,
-} from '../../components/ui/table';
-import type {
-	AuthzPermission,
-	AuthzPermissionsResponse,
-	AuthzResource,
-	AuthzResourcesResponse,
-	AuthzScope,
-	AuthzScopesResponse,
-	AuthzPolicy,
-	AuthzPoliciesResponse,
-} from '../../types';
-
-export default function Permissions() {
-	const client = useClient();
-	const [permissions, setPermissions] = React.useState<AuthzPermission[]>([]);
-	const [allResources, setAllResources] = React.useState<AuthzResource[]>([]);
-	const [allScopes, setAllScopes] = React.useState<AuthzScope[]>([]);
-	const [allPolicies, setAllPolicies] = React.useState<AuthzPolicy[]>([]);
-	const [loading, setLoading] = React.useState(false);
-	const [dialogOpen, setDialogOpen] = React.useState(false);
-	const [deleteDialogOpen, setDeleteDialogOpen] = React.useState(false);
-	const [editingPermission, setEditingPermission] =
-		React.useState<AuthzPermission | null>(null);
-	const [deletingPermission, setDeletingPermission] =
-		React.useState<AuthzPermission | null>(null);
-	const [formName, setFormName] = React.useState('');
-	const [formDescription, setFormDescription] = React.useState('');
-	const [formResourceId, setFormResourceId] = React.useState('');
-	const [formScopeIds, setFormScopeIds] = React.useState<string[]>([]);
-	const [formPolicyIds, setFormPolicyIds] = React.useState<string[]>([]);
-	const [formDecisionStrategy, setFormDecisionStrategy] =
-		React.useState('affirmative');
-	const [saving, setSaving] = React.useState(false);
-
-	const fetchPermissions = async () => {
-		setLoading(true);
-		const { data, error } = await client
-			.query<AuthzPermissionsResponse>(PermissionsQuery, {
-				params: { pagination: { limit: 100, page: 1 } },
-			})
-			.toPromise();
-		if (data?._authz_permissions) {
-			setPermissions(data._authz_permissions.permissions);
-		}
-		if (error) {
-			toast.error(
-				getGraphQLErrorMessage(error, 'Failed to load permissions'),
-			);
-		}
-		setLoading(false);
-	};
-
-	const fetchRelatedData = async () => {
-		const [resourcesRes, scopesRes, policiesRes] = await Promise.all([
-			client
-				.query<AuthzResourcesResponse>(ResourcesQuery, {
-					params: { pagination: { limit: 100, page: 1 } },
-				})
-				.toPromise(),
-			client
-				.query<AuthzScopesResponse>(ScopesQuery, {
-					params: { pagination: { limit: 100, page: 1 } },
-				})
-				.toPromise(),
-			client
-				.query<AuthzPoliciesResponse>(PoliciesQuery, {
-					params: { pagination: { limit: 100, page: 1 } },
-				})
-				.toPromise(),
-		]);
-		if (resourcesRes.data?._authz_resources) {
-			setAllResources(resourcesRes.data._authz_resources.resources);
-		}
-		if (scopesRes.data?._authz_scopes) {
-			setAllScopes(scopesRes.data._authz_scopes.scopes);
-		}
-		if (policiesRes.data?._authz_policies) {
-			setAllPolicies(policiesRes.data._authz_policies.policies);
-		}
-	};
-
-	React.useEffect(() => {
-		fetchPermissions();
-		fetchRelatedData();
-	}, []);
-
-	const openAddDialog = () => {
-		setEditingPermission(null);
-		setFormName('');
-		setFormDescription('');
-		setFormResourceId('');
-		setFormScopeIds([]);
-		setFormPolicyIds([]);
-		setFormDecisionStrategy('affirmative');
-		setDialogOpen(true);
-	};
-
-	const openEditDialog = (permission: AuthzPermission) => {
-		setEditingPermission(permission);
-		setFormName(permission.name);
-		setFormDescription(permission.description || '');
-		setFormResourceId(permission.resource.id);
-		setFormScopeIds(permission.scopes.map((s) => s.id));
-		setFormPolicyIds(permission.policies.map((p) => p.id));
-		setFormDecisionStrategy(permission.decision_strategy);
-		setDialogOpen(true);
-	};
-
-	const openDeleteDialog = (permission: AuthzPermission) => {
-		setDeletingPermission(permission);
-		setDeleteDialogOpen(true);
-	};
-
-	const toggleScopeId = (id: string) => {
-		setFormScopeIds((prev) =>
-			prev.includes(id) ? prev.filter((s) => s !== id) : [...prev, id],
-		);
-	};
-
-	const togglePolicyId = (id: string) => {
-		setFormPolicyIds((prev) =>
-			prev.includes(id) ? prev.filter((p) => p !== id) : [...prev, id],
-		);
-	};
-
-	const handleSave = async () => {
-		if (!formName.trim()) {
-			toast.error('Name is required');
-			return;
-		}
-		if (!formResourceId) {
-			toast.error('Resource is required');
-			return;
-		}
-		if (formScopeIds.length === 0) {
-			toast.error('At least one scope is required');
-			return;
-		}
-		if (formPolicyIds.length === 0) {
-			toast.error('At least one policy is required');
-			return;
-		}
-		setSaving(true);
-		if (editingPermission) {
-			const { error } = await client
-				.mutation(UpdatePermission, {
-					params: {
-						id: editingPermission.id,
-						name: formName,
-						description: formDescription || undefined,
-						scope_ids: formScopeIds,
-						policy_ids: formPolicyIds,
-						decision_strategy: formDecisionStrategy,
-					},
-				})
-				.toPromise();
-			if (error) {
-				toast.error(
-					getGraphQLErrorMessage(error, 'Failed to update permission'),
-				);
-			} else {
-				toast.success('Permission updated');
-				setDialogOpen(false);
-				fetchPermissions();
-			}
-		} else {
-			const { error } = await client
-				.mutation(AddPermission, {
-					params: {
-						name: formName,
-						description: formDescription || undefined,
-						resource_id: formResourceId,
-						scope_ids: formScopeIds,
-						policy_ids: formPolicyIds,
-						decision_strategy: formDecisionStrategy,
-					},
-				})
-				.toPromise();
-			if (error) {
-				toast.error(
-					getGraphQLErrorMessage(error, 'Failed to add permission'),
-				);
-			} else {
-				toast.success('Permission added');
-				setDialogOpen(false);
-				fetchPermissions();
-			}
-		}
-		setSaving(false);
-	};
-
-	const handleDelete = async () => {
-		if (!deletingPermission) return;
-		setSaving(true);
-		const { error } = await client
-			.mutation(DeletePermission, { id: deletingPermission.id })
-			.toPromise();
-		if (error) {
-			toast.error(
-				getGraphQLErrorMessage(error, 'Failed to delete permission'),
-			);
-		} else {
-			toast.success('Permission deleted');
-			setDeleteDialogOpen(false);
-			setDeletingPermission(null);
-			fetchPermissions();
-		}
-		setSaving(false);
-	};
-
-	// Build natural language summary
-	const buildSummary = (): string => {
-		const resource = allResources.find((r) => r.id === formResourceId);
-		const scopes = allScopes.filter((s) => formScopeIds.includes(s.id));
-		const policies = allPolicies.filter((p) => formPolicyIds.includes(p.id));
-		if (!resource || scopes.length === 0 || policies.length === 0) {
-			return 'Select a resource, scopes, and policies to see a summary.';
-		}
-		const scopeNames = scopes.map((s) => s.name).join(', ');
-		const policyNames = policies.map((p) => `${p.name} (${p.type})`).join(', ');
-		const strategy =
-			formDecisionStrategy === 'affirmative'
-				? 'any matching policy grants access'
-				: 'all policies must match';
-		return `Allow ${scopeNames} on "${resource.name}" when ${policyNames} — ${strategy}.`;
-	};
-
-	return (
-		<div>
-			<div className="flex items-center justify-between mb-4">
-				<div>
-					<h2 className="text-lg font-semibold text-gray-900">Permissions</h2>
-					<p className="text-sm text-gray-500">
-						Combine resources, scopes, and policies into permission rules.
-					</p>
-				</div>
-				<Button onClick={openAddDialog}>
-					<Plus className="h-4 w-4 mr-2" />
-					Add Permission
-				</Button>
-			</div>
-
-			{loading ? (
-				<div className="space-y-3">
-					{[1, 2, 3].map((i) => (
-						<Skeleton key={i} className="h-10 w-full" />
-					))}
-				</div>
-			) : permissions.length > 0 ? (
-				<Table>
-					<TableHeader>
-						<TableRow>
-							<TableHead>Name</TableHead>
-							<TableHead>Resource</TableHead>
-							<TableHead>Scopes</TableHead>
-							<TableHead>Policies</TableHead>
-							<TableHead>Strategy</TableHead>
-							<TableHead>Created</TableHead>
-							<TableHead className="w-[100px]">Actions</TableHead>
-						</TableRow>
-					</TableHeader>
-					<TableBody>
-						{permissions.map((perm) => (
-							<TableRow key={perm.id}>
-								<TableCell className="font-medium">{perm.name}</TableCell>
-								<TableCell>
-									<Badge>{perm.resource.name}</Badge>
-								</TableCell>
-								<TableCell>
-									<div className="flex flex-wrap gap-1">
-										{perm.scopes.map((s) => (
-											<Badge key={s.id} variant="secondary">
-												{s.name}
-											</Badge>
-										))}
-									</div>
-								</TableCell>
-								<TableCell>
-									<div className="flex flex-wrap gap-1">
-										{perm.policies.map((p) => (
-											<Badge
-												key={p.id}
-												variant={
-													p.type === 'role' ? 'default' : 'outline'
-												}
-											>
-												{p.name}
-											</Badge>
-										))}
-									</div>
-								</TableCell>
-								<TableCell className="text-sm">
-									{perm.decision_strategy === 'affirmative'
-										? 'Any match'
-										: 'All must match'}
-								</TableCell>
-								<TableCell className="text-sm">
-									{dayjs(perm.created_at * 1000).format('MMM DD, YYYY')}
-								</TableCell>
-								<TableCell>
-									<div className="flex gap-1">
-										<Button
-											variant="ghost"
-											size="icon"
-											onClick={() => openEditDialog(perm)}
-										>
-											<Pencil className="h-4 w-4" />
-										</Button>
-										<Button
-											variant="ghost"
-											size="icon"
-											onClick={() => openDeleteDialog(perm)}
-										>
-											<Trash2 className="h-4 w-4 text-red-500" />
-										</Button>
-									</div>
-								</TableCell>
-							</TableRow>
-						))}
-					</TableBody>
-				</Table>
-			) : (
-				<div className="flex min-h-[25vh] flex-col items-center justify-center text-gray-300">
-					<AlertCircle className="h-16 w-16 mb-2" />
-					<p className="text-2xl font-bold">No Permissions</p>
-					<p className="text-sm mt-1">
-						Create resources, scopes, and policies first, then combine them
-						into permissions.
-					</p>
-				</div>
-			)}
-
-			{/* Add/Edit Dialog */}
-			<Dialog open={dialogOpen} onOpenChange={setDialogOpen}>
-				<DialogContent className="max-w-lg max-h-[90vh] overflow-y-auto">
-					<DialogHeader>
-						<DialogTitle>
-							{editingPermission ? 'Edit Permission' : 'Add Permission'}
-						</DialogTitle>
-						<DialogDescription>
-							{editingPermission
-								? 'Update the permission configuration.'
-								: 'Build a permission by combining resource, scopes, and policies.'}
-						</DialogDescription>
-					</DialogHeader>
-					<div className="space-y-4">
-						<div>
-							<Label htmlFor="perm-name">Name</Label>
-							<Input
-								id="perm-name"
-								placeholder="e.g. view-documents or documents_read"
-								value={formName}
-								onChange={(e) => setFormName(e.target.value)}
-								className="mt-1"
-							/>
-							<p className="text-xs text-gray-500 mt-1">
-								Letters, digits, hyphens, and underscores only. Max 100
-								characters. No spaces.
-							</p>
-						</div>
-						<div>
-							<Label htmlFor="perm-desc">Description</Label>
-							<Textarea
-								id="perm-desc"
-								placeholder="Optional human-readable description"
-								value={formDescription}
-								onChange={(e) => setFormDescription(e.target.value)}
-								className="mt-1"
-							/>
-							<p className="text-xs text-gray-500 mt-1">
-								Free-form text shown in the dashboard. Not used for matching.
-							</p>
-						</div>
-
-						{/* Resource */}
-						<div>
-							<Label htmlFor="perm-resource">Resource</Label>
-							<Select
-								id="perm-resource"
-								value={formResourceId}
-								onChange={(e) => setFormResourceId(e.target.value)}
-								className="mt-1"
-								disabled={!!editingPermission}
-							>
-								<option value="">Select a resource...</option>
-								{allResources.map((r) => (
-									<option key={r.id} value={r.id}>
-										{r.name}
-									</option>
-								))}
-							</Select>
-						</div>
-
-						{/* Scopes - multi-select checkboxes */}
-						<div>
-							<Label>Scopes</Label>
-							<div className="mt-1 space-y-2 max-h-32 overflow-y-auto border rounded-md p-2">
-								{allScopes.length === 0 ? (
-									<p className="text-sm text-gray-400">
-										No scopes defined yet.
-									</p>
-								) : (
-									allScopes.map((scope) => (
-										<label
-											key={scope.id}
-											className="flex items-center gap-2 text-sm cursor-pointer"
-										>
-											<input
-												type="checkbox"
-												checked={formScopeIds.includes(scope.id)}
-												onChange={() => toggleScopeId(scope.id)}
-												className="rounded border-gray-300"
-											/>
-											<span>{scope.name}</span>
-											{scope.description && (
-												<span className="text-gray-400">
-													- {scope.description}
-												</span>
-											)}
-										</label>
-									))
-								)}
-							</div>
-						</div>
-
-						{/* Policies - multi-select checkboxes with type preview */}
-						<div>
-							<Label>Policies</Label>
-							<div className="mt-1 space-y-2 max-h-40 overflow-y-auto border rounded-md p-2">
-								{allPolicies.length === 0 ? (
-									<p className="text-sm text-gray-400">
-										No policies defined yet.
-									</p>
-								) : (
-									allPolicies.map((policy) => (
-										<label
-											key={policy.id}
-											className="flex items-center gap-2 text-sm cursor-pointer"
-										>
-											<input
-												type="checkbox"
-												checked={formPolicyIds.includes(policy.id)}
-												onChange={() => togglePolicyId(policy.id)}
-												className="rounded border-gray-300"
-											/>
-											<span>{policy.name}</span>
-											<Badge
-												variant={
-													policy.type === 'role' ? 'default' : 'secondary'
-												}
-												className="text-xs"
-											>
-												{policy.type}
-											</Badge>
-											<span className="text-gray-400 text-xs">
-												{policy.targets
-													.map((t) => t.target_value)
-													.join(', ')}
-											</span>
-										</label>
-									))
-								)}
-							</div>
-						</div>
-
-						{/* Decision strategy */}
-						<div>
-							<Label htmlFor="perm-strategy">Decision Strategy</Label>
-							<Select
-								id="perm-strategy"
-								value={formDecisionStrategy}
-								onChange={(e) => setFormDecisionStrategy(e.target.value)}
-								className="mt-1"
-							>
-								<option value="affirmative">Any match grants</option>
-								<option value="unanimous">All must match</option>
-							</Select>
-							<p className="text-xs text-gray-500 mt-1">
-								Affirmative: any allowed policy grants access (OR). Unanimous:
-								every selected policy must allow (AND). Explicit deny always
-								wins.
-							</p>
-						</div>
-
-						{/* Natural language summary */}
-						<div className="rounded-md bg-blue-50 p-3 text-sm text-blue-800">
-							<strong>Summary: </strong>
-							{buildSummary()}
-						</div>
-					</div>
-					<DialogFooter>
-						<Button
-							variant="outline"
-							onClick={() => setDialogOpen(false)}
-							disabled={saving}
-						>
-							Cancel
-						</Button>
-						<Button onClick={handleSave} disabled={saving}>
-							{saving
-								? 'Saving...'
-								: editingPermission
-									? 'Update'
-									: 'Add'}
-						</Button>
-					</DialogFooter>
-				</DialogContent>
-			</Dialog>
-
-			{/* Delete Confirmation Dialog */}
-			<Dialog open={deleteDialogOpen} onOpenChange={setDeleteDialogOpen}>
-				<DialogContent>
-					<DialogHeader>
-						<DialogTitle>Delete Permission</DialogTitle>
-						<DialogDescription>
-							Are you sure you want to delete{' '}
-							<strong>{deletingPermission?.name}</strong>? This action cannot be
-							undone.
-						</DialogDescription>
-					</DialogHeader>
-					<DialogFooter>
-						<Button
-							variant="outline"
-							onClick={() => setDeleteDialogOpen(false)}
-							disabled={saving}
-						>
-							Cancel
-						</Button>
-						<Button
-							variant="destructive"
-							onClick={handleDelete}
-							disabled={saving}
-						>
-							{saving ? 'Deleting...' : 'Delete'}
-						</Button>
-					</DialogFooter>
-				</DialogContent>
-			</Dialog>
-		</div>
-	);
-}
diff --git a/web/dashboard/src/pages/authorization/Policies.tsx b/web/dashboard/src/pages/authorization/Policies.tsx
deleted file mode 100644
index 4bfeae9d..00000000
--- a/web/dashboard/src/pages/authorization/Policies.tsx
+++ /dev/null
@@ -1,506 +0,0 @@
-import React from 'react';
-import { useClient } from 'urql';
-import { toast } from 'sonner';
-import dayjs from 'dayjs';
-import { Plus, Pencil, Trash2, AlertCircle } from 'lucide-react';
-import { PoliciesQuery } from '../../graphql/queries';
-import { AddPolicy, UpdatePolicy, DeletePolicy } from '../../graphql/mutation';
-import { getGraphQLErrorMessage } from '../../utils';
-import { Button } from '../../components/ui/button';
-import { Input } from '../../components/ui/input';
-import { Textarea } from '../../components/ui/textarea';
-import { Label } from '../../components/ui/label';
-import { Badge } from '../../components/ui/badge';
-import { Skeleton } from '../../components/ui/skeleton';
-import { Select } from '../../components/ui/select';
-import { Switch } from '../../components/ui/switch';
-import {
-	Dialog,
-	DialogContent,
-	DialogHeader,
-	DialogTitle,
-	DialogFooter,
-	DialogDescription,
-} from '../../components/ui/dialog';
-import {
-	Table,
-	TableHeader,
-	TableBody,
-	TableRow,
-	TableHead,
-	TableCell,
-} from '../../components/ui/table';
-import type { AuthzPolicy, AuthzPoliciesResponse } from '../../types';
-
-interface PolicyTarget {
-	target_type: string;
-	target_value: string;
-}
-
-export default function Policies() {
-	const client = useClient();
-	const [policies, setPolicies] = React.useState<AuthzPolicy[]>([]);
-	const [loading, setLoading] = React.useState(false);
-	const [dialogOpen, setDialogOpen] = React.useState(false);
-	const [deleteDialogOpen, setDeleteDialogOpen] = React.useState(false);
-	const [editingPolicy, setEditingPolicy] = React.useState<AuthzPolicy | null>(
-		null,
-	);
-	const [deletingPolicy, setDeletingPolicy] =
-		React.useState<AuthzPolicy | null>(null);
-	const [formName, setFormName] = React.useState('');
-	const [formDescription, setFormDescription] = React.useState('');
-	const [formType, setFormType] = React.useState('role');
-	const [formLogic, setFormLogic] = React.useState('positive');
-	const [formDecisionStrategy, setFormDecisionStrategy] =
-		React.useState('affirmative');
-	const [formTargets, setFormTargets] = React.useState<PolicyTarget[]>([
-		{ target_type: 'role', target_value: '' },
-	]);
-	const [saving, setSaving] = React.useState(false);
-
-	const fetchPolicies = async () => {
-		setLoading(true);
-		const { data, error } = await client
-			.query<AuthzPoliciesResponse>(PoliciesQuery, {
-				params: { pagination: { limit: 100, page: 1 } },
-			})
-			.toPromise();
-		if (data?._authz_policies) {
-			setPolicies(data._authz_policies.policies);
-		}
-		if (error) {
-			toast.error(getGraphQLErrorMessage(error, 'Failed to load policies'));
-		}
-		setLoading(false);
-	};
-
-	React.useEffect(() => {
-		fetchPolicies();
-	}, []);
-
-	const openAddDialog = () => {
-		setEditingPolicy(null);
-		setFormName('');
-		setFormDescription('');
-		setFormType('role');
-		setFormLogic('positive');
-		setFormDecisionStrategy('affirmative');
-		setFormTargets([{ target_type: 'role', target_value: '' }]);
-		setDialogOpen(true);
-	};
-
-	const openEditDialog = (policy: AuthzPolicy) => {
-		setEditingPolicy(policy);
-		setFormName(policy.name);
-		setFormDescription(policy.description || '');
-		setFormType(policy.type);
-		setFormLogic(policy.logic);
-		setFormDecisionStrategy(policy.decision_strategy);
-		setFormTargets(
-			policy.targets.map((t) => ({
-				target_type: t.target_type,
-				target_value: t.target_value,
-			})),
-		);
-		setDialogOpen(true);
-	};
-
-	const openDeleteDialog = (policy: AuthzPolicy) => {
-		setDeletingPolicy(policy);
-		setDeleteDialogOpen(true);
-	};
-
-	const handleTypeChange = (newType: string) => {
-		setFormType(newType);
-		setFormTargets([{ target_type: newType, target_value: '' }]);
-	};
-
-	const addTarget = () => {
-		setFormTargets([
-			...formTargets,
-			{ target_type: formType, target_value: '' },
-		]);
-	};
-
-	const removeTarget = (index: number) => {
-		setFormTargets(formTargets.filter((_, i) => i !== index));
-	};
-
-	const updateTarget = (index: number, value: string) => {
-		const updated = [...formTargets];
-		updated[index] = { ...updated[index], target_value: value };
-		setFormTargets(updated);
-	};
-
-	const handleSave = async () => {
-		if (!formName.trim()) {
-			toast.error('Name is required');
-			return;
-		}
-		const validTargets = formTargets.filter(
-			(t) => t.target_value.trim() !== '',
-		);
-		if (validTargets.length === 0) {
-			toast.error('At least one target is required');
-			return;
-		}
-		setSaving(true);
-		if (editingPolicy) {
-			const { error } = await client
-				.mutation(UpdatePolicy, {
-					params: {
-						id: editingPolicy.id,
-						name: formName,
-						description: formDescription || undefined,
-						logic: formLogic,
-						decision_strategy: formDecisionStrategy,
-						targets: validTargets,
-					},
-				})
-				.toPromise();
-			if (error) {
-				toast.error(getGraphQLErrorMessage(error, 'Failed to update policy'));
-			} else {
-				toast.success('Policy updated');
-				setDialogOpen(false);
-				fetchPolicies();
-			}
-		} else {
-			const { error } = await client
-				.mutation(AddPolicy, {
-					params: {
-						name: formName,
-						description: formDescription || undefined,
-						type: formType,
-						logic: formLogic,
-						decision_strategy: formDecisionStrategy,
-						targets: validTargets,
-					},
-				})
-				.toPromise();
-			if (error) {
-				toast.error(getGraphQLErrorMessage(error, 'Failed to add policy'));
-			} else {
-				toast.success('Policy added');
-				setDialogOpen(false);
-				fetchPolicies();
-			}
-		}
-		setSaving(false);
-	};
-
-	const handleDelete = async () => {
-		if (!deletingPolicy) return;
-		setSaving(true);
-		const { error } = await client
-			.mutation(DeletePolicy, { id: deletingPolicy.id })
-			.toPromise();
-		if (error) {
-			toast.error(getGraphQLErrorMessage(error, 'Failed to delete policy'));
-		} else {
-			toast.success('Policy deleted');
-			setDeleteDialogOpen(false);
-			setDeletingPolicy(null);
-			fetchPolicies();
-		}
-		setSaving(false);
-	};
-
-	return (
-		<div>
-			<div className="flex items-center justify-between mb-4">
-				<div>
-					<h2 className="text-lg font-semibold text-gray-900">Policies</h2>
-					<p className="text-sm text-gray-500">
-						Define who gets access based on roles or specific users.
-					</p>
-				</div>
-				<Button onClick={openAddDialog}>
-					<Plus className="h-4 w-4 mr-2" />
-					Add Policy
-				</Button>
-			</div>
-
-			{loading ? (
-				<div className="space-y-3">
-					{[1, 2, 3].map((i) => (
-						<Skeleton key={i} className="h-10 w-full" />
-					))}
-				</div>
-			) : policies.length > 0 ? (
-				<Table>
-					<TableHeader>
-						<TableRow>
-							<TableHead>Name</TableHead>
-							<TableHead>Type</TableHead>
-							<TableHead>Targets</TableHead>
-							<TableHead>Logic</TableHead>
-							<TableHead>Strategy</TableHead>
-							<TableHead>Created</TableHead>
-							<TableHead className="w-[100px]">Actions</TableHead>
-						</TableRow>
-					</TableHeader>
-					<TableBody>
-						{policies.map((policy) => (
-							<TableRow key={policy.id}>
-								<TableCell className="font-medium">{policy.name}</TableCell>
-								<TableCell>
-									<Badge variant={policy.type === 'role' ? 'default' : 'secondary'}>
-										{policy.type}
-									</Badge>
-								</TableCell>
-								<TableCell className="text-sm text-gray-500 max-w-[200px] truncate">
-									{policy.targets
-										.map((t) => t.target_value)
-										.join(', ')}
-								</TableCell>
-								<TableCell>
-									<Badge
-										variant={
-											policy.logic === 'positive' ? 'success' : 'destructive'
-										}
-									>
-										{policy.logic === 'positive' ? 'Grant' : 'Deny'}
-									</Badge>
-								</TableCell>
-								<TableCell className="text-sm">
-									{policy.decision_strategy === 'affirmative'
-										? 'Any match'
-										: 'All must match'}
-								</TableCell>
-								<TableCell className="text-sm">
-									{dayjs(policy.created_at * 1000).format('MMM DD, YYYY')}
-								</TableCell>
-								<TableCell>
-									<div className="flex gap-1">
-										<Button
-											variant="ghost"
-											size="icon"
-											onClick={() => openEditDialog(policy)}
-										>
-											<Pencil className="h-4 w-4" />
-										</Button>
-										<Button
-											variant="ghost"
-											size="icon"
-											onClick={() => openDeleteDialog(policy)}
-										>
-											<Trash2 className="h-4 w-4 text-red-500" />
-										</Button>
-									</div>
-								</TableCell>
-							</TableRow>
-						))}
-					</TableBody>
-				</Table>
-			) : (
-				<div className="flex min-h-[25vh] flex-col items-center justify-center text-gray-300">
-					<AlertCircle className="h-16 w-16 mb-2" />
-					<p className="text-2xl font-bold">No Policies</p>
-					<p className="text-sm mt-1">
-						Add a policy to define access rules.
-					</p>
-				</div>
-			)}
-
-			{/* Add/Edit Dialog */}
-			<Dialog open={dialogOpen} onOpenChange={setDialogOpen}>
-				<DialogContent className="max-w-lg max-h-[90vh] overflow-y-auto">
-					<DialogHeader>
-						<DialogTitle>
-							{editingPolicy ? 'Edit Policy' : 'Add Policy'}
-						</DialogTitle>
-						<DialogDescription>
-							{editingPolicy
-								? 'Update the policy configuration.'
-								: 'Create a new access policy.'}
-						</DialogDescription>
-					</DialogHeader>
-					<div className="space-y-4">
-						<div>
-							<Label htmlFor="policy-name">Name</Label>
-							<Input
-								id="policy-name"
-								placeholder="e.g. admin-access or editor_role"
-								value={formName}
-								onChange={(e) => setFormName(e.target.value)}
-								className="mt-1"
-							/>
-							<p className="text-xs text-gray-500 mt-1">
-								Letters, digits, hyphens, and underscores only. Max 100
-								characters. No spaces.
-							</p>
-						</div>
-						<div>
-							<Label htmlFor="policy-desc">Description</Label>
-							<Textarea
-								id="policy-desc"
-								placeholder="Optional human-readable description"
-								value={formDescription}
-								onChange={(e) => setFormDescription(e.target.value)}
-								className="mt-1"
-							/>
-							<p className="text-xs text-gray-500 mt-1">
-								Free-form text shown in the dashboard. Not used for matching.
-							</p>
-						</div>
-
-						{/* Type toggle */}
-						{!editingPolicy && (
-							<div>
-								<Label>Type</Label>
-								<div className="flex items-center gap-3 mt-1">
-									<span
-										className={`text-sm ${formType === 'role' ? 'font-semibold text-gray-900' : 'text-gray-500'}`}
-									>
-										Roles
-									</span>
-									<Switch
-										checked={formType === 'user'}
-										onCheckedChange={(checked) =>
-											handleTypeChange(checked ? 'user' : 'role')
-										}
-									/>
-									<span
-										className={`text-sm ${formType === 'user' ? 'font-semibold text-gray-900' : 'text-gray-500'}`}
-									>
-										Specific Users
-									</span>
-								</div>
-								<p className="text-xs text-gray-500 mt-1">
-									Roles: targets match by role name. Specific Users: targets
-									match by user ID. Cannot be changed after creation.
-								</p>
-							</div>
-						)}
-
-						{/* Logic */}
-						<div>
-							<Label htmlFor="policy-logic">Logic</Label>
-							<Select
-								id="policy-logic"
-								value={formLogic}
-								onChange={(e) => setFormLogic(e.target.value)}
-								className="mt-1"
-							>
-								<option value="positive">Grant when matched</option>
-								<option value="negative">Deny when matched</option>
-							</Select>
-							<p className="text-xs text-gray-500 mt-1">
-								Positive policies grant access on match. Negative policies
-								explicitly deny on match (deny always wins over grant).
-							</p>
-						</div>
-
-						{/* Decision strategy */}
-						<div>
-							<Label htmlFor="policy-strategy">Decision Strategy</Label>
-							<Select
-								id="policy-strategy"
-								value={formDecisionStrategy}
-								onChange={(e) => setFormDecisionStrategy(e.target.value)}
-								className="mt-1"
-							>
-								<option value="affirmative">Any match grants</option>
-								<option value="unanimous">All must match</option>
-							</Select>
-							<p className="text-xs text-gray-500 mt-1">
-								Affirmative: any matching target satisfies the policy (OR).
-								Unanimous: every target must match (AND).
-							</p>
-						</div>
-
-						{/* Targets */}
-						<div>
-							<Label>
-								{formType === 'role' ? 'Role Names' : 'User IDs'}
-							</Label>
-							<p className="text-xs text-gray-500 mt-1 mb-2">
-								{formType === 'role'
-									? 'One role name per row (e.g. admin, editor). Must match a configured role exactly — letters, digits, hyphens, and underscores only.'
-									: 'One user ID (UUID) per row. This is the user\'s internal ID, not their email — copy it from the Users page.'}
-							</p>
-							<div className="space-y-2 mt-1">
-								{formTargets.map((target, index) => (
-									<div key={index} className="flex gap-2">
-										<Input
-											placeholder={
-												formType === 'role'
-													? 'e.g. admin'
-													: 'e.g. 6f1a2b3c-4d5e-6f70-8a9b-0c1d2e3f4a5b'
-											}
-											value={target.target_value}
-											onChange={(e) => updateTarget(index, e.target.value)}
-											className="flex-1"
-										/>
-										{formTargets.length > 1 && (
-											<Button
-												variant="ghost"
-												size="icon"
-												onClick={() => removeTarget(index)}
-											>
-												<Trash2 className="h-4 w-4 text-red-500" />
-											</Button>
-										)}
-									</div>
-								))}
-								<Button
-									variant="outline"
-									size="sm"
-									onClick={addTarget}
-									className="mt-1"
-								>
-									<Plus className="h-3 w-3 mr-1" />
-									Add {formType === 'role' ? 'Role' : 'User'}
-								</Button>
-							</div>
-						</div>
-					</div>
-					<DialogFooter>
-						<Button
-							variant="outline"
-							onClick={() => setDialogOpen(false)}
-							disabled={saving}
-						>
-							Cancel
-						</Button>
-						<Button onClick={handleSave} disabled={saving}>
-							{saving ? 'Saving...' : editingPolicy ? 'Update' : 'Add'}
-						</Button>
-					</DialogFooter>
-				</DialogContent>
-			</Dialog>
-
-			{/* Delete Confirmation Dialog */}
-			<Dialog open={deleteDialogOpen} onOpenChange={setDeleteDialogOpen}>
-				<DialogContent>
-					<DialogHeader>
-						<DialogTitle>Delete Policy</DialogTitle>
-						<DialogDescription>
-							Are you sure you want to delete{' '}
-							<strong>{deletingPolicy?.name}</strong>? This action cannot be
-							undone.
-						</DialogDescription>
-					</DialogHeader>
-					<DialogFooter>
-						<Button
-							variant="outline"
-							onClick={() => setDeleteDialogOpen(false)}
-							disabled={saving}
-						>
-							Cancel
-						</Button>
-						<Button
-							variant="destructive"
-							onClick={handleDelete}
-							disabled={saving}
-						>
-							{saving ? 'Deleting...' : 'Delete'}
-						</Button>
-					</DialogFooter>
-				</DialogContent>
-			</Dialog>
-		</div>
-	);
-}
diff --git a/web/dashboard/src/pages/authorization/Resources.tsx b/web/dashboard/src/pages/authorization/Resources.tsx
deleted file mode 100644
index 0568cd3c..00000000
--- a/web/dashboard/src/pages/authorization/Resources.tsx
+++ /dev/null
@@ -1,314 +0,0 @@
-import React from 'react';
-import { useClient } from 'urql';
-import { toast } from 'sonner';
-import dayjs from 'dayjs';
-import { Plus, Pencil, Trash2, AlertCircle } from 'lucide-react';
-import { ResourcesQuery } from '../../graphql/queries';
-import {
-	AddResource,
-	UpdateResource,
-	DeleteResource,
-} from '../../graphql/mutation';
-import { getGraphQLErrorMessage } from '../../utils';
-import { Button } from '../../components/ui/button';
-import { Input } from '../../components/ui/input';
-import { Textarea } from '../../components/ui/textarea';
-import { Label } from '../../components/ui/label';
-import { Skeleton } from '../../components/ui/skeleton';
-import {
-	Dialog,
-	DialogContent,
-	DialogHeader,
-	DialogTitle,
-	DialogFooter,
-	DialogDescription,
-} from '../../components/ui/dialog';
-import {
-	Table,
-	TableHeader,
-	TableBody,
-	TableRow,
-	TableHead,
-	TableCell,
-} from '../../components/ui/table';
-import type { AuthzResource, AuthzResourcesResponse } from '../../types';
-
-export default function Resources() {
-	const client = useClient();
-	const [resources, setResources] = React.useState<AuthzResource[]>([]);
-	const [loading, setLoading] = React.useState(false);
-	const [dialogOpen, setDialogOpen] = React.useState(false);
-	const [deleteDialogOpen, setDeleteDialogOpen] = React.useState(false);
-	const [editingResource, setEditingResource] =
-		React.useState<AuthzResource | null>(null);
-	const [deletingResource, setDeletingResource] =
-		React.useState<AuthzResource | null>(null);
-	const [formName, setFormName] = React.useState('');
-	const [formDescription, setFormDescription] = React.useState('');
-	const [saving, setSaving] = React.useState(false);
-
-	const fetchResources = async () => {
-		setLoading(true);
-		const { data, error } = await client
-			.query<AuthzResourcesResponse>(ResourcesQuery, {
-				params: { pagination: { limit: 100, page: 1 } },
-			})
-			.toPromise();
-		if (data?._authz_resources) {
-			setResources(data._authz_resources.resources);
-		}
-		if (error) {
-			toast.error(getGraphQLErrorMessage(error, 'Failed to load resources'));
-		}
-		setLoading(false);
-	};
-
-	React.useEffect(() => {
-		fetchResources();
-	}, []);
-
-	const openAddDialog = () => {
-		setEditingResource(null);
-		setFormName('');
-		setFormDescription('');
-		setDialogOpen(true);
-	};
-
-	const openEditDialog = (resource: AuthzResource) => {
-		setEditingResource(resource);
-		setFormName(resource.name);
-		setFormDescription(resource.description || '');
-		setDialogOpen(true);
-	};
-
-	const openDeleteDialog = (resource: AuthzResource) => {
-		setDeletingResource(resource);
-		setDeleteDialogOpen(true);
-	};
-
-	const handleSave = async () => {
-		if (!formName.trim()) {
-			toast.error('Name is required');
-			return;
-		}
-		setSaving(true);
-		if (editingResource) {
-			const { error } = await client
-				.mutation(UpdateResource, {
-					params: {
-						id: editingResource.id,
-						name: formName,
-						description: formDescription || undefined,
-					},
-				})
-				.toPromise();
-			if (error) {
-				toast.error(
-					getGraphQLErrorMessage(error, 'Failed to update resource'),
-				);
-			} else {
-				toast.success('Resource updated');
-				setDialogOpen(false);
-				fetchResources();
-			}
-		} else {
-			const { error } = await client
-				.mutation(AddResource, {
-					params: {
-						name: formName,
-						description: formDescription || undefined,
-					},
-				})
-				.toPromise();
-			if (error) {
-				toast.error(getGraphQLErrorMessage(error, 'Failed to add resource'));
-			} else {
-				toast.success('Resource added');
-				setDialogOpen(false);
-				fetchResources();
-			}
-		}
-		setSaving(false);
-	};
-
-	const handleDelete = async () => {
-		if (!deletingResource) return;
-		setSaving(true);
-		const { error } = await client
-			.mutation(DeleteResource, { id: deletingResource.id })
-			.toPromise();
-		if (error) {
-			toast.error(getGraphQLErrorMessage(error, 'Failed to delete resource'));
-		} else {
-			toast.success('Resource deleted');
-			setDeleteDialogOpen(false);
-			setDeletingResource(null);
-			fetchResources();
-		}
-		setSaving(false);
-	};
-
-	return (
-		<div>
-			<div className="flex items-center justify-between mb-4">
-				<div>
-					<h2 className="text-lg font-semibold text-gray-900">Resources</h2>
-					<p className="text-sm text-gray-500">
-						Define the resources to protect with fine-grained authorization.
-					</p>
-				</div>
-				<Button onClick={openAddDialog}>
-					<Plus className="h-4 w-4 mr-2" />
-					Add Resource
-				</Button>
-			</div>
-
-			{loading ? (
-				<div className="space-y-3">
-					{[1, 2, 3].map((i) => (
-						<Skeleton key={i} className="h-10 w-full" />
-					))}
-				</div>
-			) : resources.length > 0 ? (
-				<Table>
-					<TableHeader>
-						<TableRow>
-							<TableHead>Name</TableHead>
-							<TableHead>Description</TableHead>
-							<TableHead>Created</TableHead>
-							<TableHead className="w-[100px]">Actions</TableHead>
-						</TableRow>
-					</TableHeader>
-					<TableBody>
-						{resources.map((resource) => (
-							<TableRow key={resource.id}>
-								<TableCell className="font-medium">
-									{resource.name}
-								</TableCell>
-								<TableCell className="text-sm text-gray-500">
-									{resource.description || '-'}
-								</TableCell>
-								<TableCell className="text-sm">
-									{dayjs(resource.created_at * 1000).format('MMM DD, YYYY')}
-								</TableCell>
-								<TableCell>
-									<div className="flex gap-1">
-										<Button
-											variant="ghost"
-											size="icon"
-											onClick={() => openEditDialog(resource)}
-										>
-											<Pencil className="h-4 w-4" />
-										</Button>
-										<Button
-											variant="ghost"
-											size="icon"
-											onClick={() => openDeleteDialog(resource)}
-										>
-											<Trash2 className="h-4 w-4 text-red-500" />
-										</Button>
-									</div>
-								</TableCell>
-							</TableRow>
-						))}
-					</TableBody>
-				</Table>
-			) : (
-				<div className="flex min-h-[25vh] flex-col items-center justify-center text-gray-300">
-					<AlertCircle className="h-16 w-16 mb-2" />
-					<p className="text-2xl font-bold">No Resources</p>
-					<p className="text-sm mt-1">
-						Add a resource to get started with authorization.
-					</p>
-				</div>
-			)}
-
-			{/* Add/Edit Dialog */}
-			<Dialog open={dialogOpen} onOpenChange={setDialogOpen}>
-				<DialogContent>
-					<DialogHeader>
-						<DialogTitle>
-							{editingResource ? 'Edit Resource' : 'Add Resource'}
-						</DialogTitle>
-						<DialogDescription>
-							{editingResource
-								? 'Update the resource details.'
-								: 'Define a new resource to protect.'}
-						</DialogDescription>
-					</DialogHeader>
-					<div className="space-y-4">
-						<div>
-							<Label htmlFor="resource-name">Name</Label>
-							<Input
-								id="resource-name"
-								placeholder="e.g. documents or user-profile"
-								value={formName}
-								onChange={(e) => setFormName(e.target.value)}
-								className="mt-1"
-							/>
-							<p className="text-xs text-gray-500 mt-1">
-								Letters, digits, hyphens, and underscores only. Max 100
-								characters. No spaces.
-							</p>
-						</div>
-						<div>
-							<Label htmlFor="resource-desc">Description</Label>
-							<Textarea
-								id="resource-desc"
-								placeholder="Optional human-readable description"
-								value={formDescription}
-								onChange={(e) => setFormDescription(e.target.value)}
-								className="mt-1"
-							/>
-							<p className="text-xs text-gray-500 mt-1">
-								Free-form text shown in the dashboard. Not used for matching.
-							</p>
-						</div>
-					</div>
-					<DialogFooter>
-						<Button
-							variant="outline"
-							onClick={() => setDialogOpen(false)}
-							disabled={saving}
-						>
-							Cancel
-						</Button>
-						<Button onClick={handleSave} disabled={saving}>
-							{saving ? 'Saving...' : editingResource ? 'Update' : 'Add'}
-						</Button>
-					</DialogFooter>
-				</DialogContent>
-			</Dialog>
-
-			{/* Delete Confirmation Dialog */}
-			<Dialog open={deleteDialogOpen} onOpenChange={setDeleteDialogOpen}>
-				<DialogContent>
-					<DialogHeader>
-						<DialogTitle>Delete Resource</DialogTitle>
-						<DialogDescription>
-							Are you sure you want to delete{' '}
-							<strong>{deletingResource?.name}</strong>? This action cannot be
-							undone.
-						</DialogDescription>
-					</DialogHeader>
-					<DialogFooter>
-						<Button
-							variant="outline"
-							onClick={() => setDeleteDialogOpen(false)}
-							disabled={saving}
-						>
-							Cancel
-						</Button>
-						<Button
-							variant="destructive"
-							onClick={handleDelete}
-							disabled={saving}
-						>
-							{saving ? 'Deleting...' : 'Delete'}
-						</Button>
-					</DialogFooter>
-				</DialogContent>
-			</Dialog>
-		</div>
-	);
-}
diff --git a/web/dashboard/src/pages/authorization/Scopes.tsx b/web/dashboard/src/pages/authorization/Scopes.tsx
deleted file mode 100644
index 829ba414..00000000
--- a/web/dashboard/src/pages/authorization/Scopes.tsx
+++ /dev/null
@@ -1,308 +0,0 @@
-import React from 'react';
-import { useClient } from 'urql';
-import { toast } from 'sonner';
-import dayjs from 'dayjs';
-import { Plus, Pencil, Trash2, AlertCircle } from 'lucide-react';
-import { ScopesQuery } from '../../graphql/queries';
-import { AddScope, UpdateScope, DeleteScope } from '../../graphql/mutation';
-import { getGraphQLErrorMessage } from '../../utils';
-import { Button } from '../../components/ui/button';
-import { Input } from '../../components/ui/input';
-import { Textarea } from '../../components/ui/textarea';
-import { Label } from '../../components/ui/label';
-import { Skeleton } from '../../components/ui/skeleton';
-import {
-	Dialog,
-	DialogContent,
-	DialogHeader,
-	DialogTitle,
-	DialogFooter,
-	DialogDescription,
-} from '../../components/ui/dialog';
-import {
-	Table,
-	TableHeader,
-	TableBody,
-	TableRow,
-	TableHead,
-	TableCell,
-} from '../../components/ui/table';
-import type { AuthzScope, AuthzScopesResponse } from '../../types';
-
-export default function Scopes() {
-	const client = useClient();
-	const [scopes, setScopes] = React.useState<AuthzScope[]>([]);
-	const [loading, setLoading] = React.useState(false);
-	const [dialogOpen, setDialogOpen] = React.useState(false);
-	const [deleteDialogOpen, setDeleteDialogOpen] = React.useState(false);
-	const [editingScope, setEditingScope] = React.useState<AuthzScope | null>(
-		null,
-	);
-	const [deletingScope, setDeletingScope] = React.useState<AuthzScope | null>(
-		null,
-	);
-	const [formName, setFormName] = React.useState('');
-	const [formDescription, setFormDescription] = React.useState('');
-	const [saving, setSaving] = React.useState(false);
-
-	const fetchScopes = async () => {
-		setLoading(true);
-		const { data, error } = await client
-			.query<AuthzScopesResponse>(ScopesQuery, {
-				params: { pagination: { limit: 100, page: 1 } },
-			})
-			.toPromise();
-		if (data?._authz_scopes) {
-			setScopes(data._authz_scopes.scopes);
-		}
-		if (error) {
-			toast.error(getGraphQLErrorMessage(error, 'Failed to load scopes'));
-		}
-		setLoading(false);
-	};
-
-	React.useEffect(() => {
-		fetchScopes();
-	}, []);
-
-	const openAddDialog = () => {
-		setEditingScope(null);
-		setFormName('');
-		setFormDescription('');
-		setDialogOpen(true);
-	};
-
-	const openEditDialog = (scope: AuthzScope) => {
-		setEditingScope(scope);
-		setFormName(scope.name);
-		setFormDescription(scope.description || '');
-		setDialogOpen(true);
-	};
-
-	const openDeleteDialog = (scope: AuthzScope) => {
-		setDeletingScope(scope);
-		setDeleteDialogOpen(true);
-	};
-
-	const handleSave = async () => {
-		if (!formName.trim()) {
-			toast.error('Name is required');
-			return;
-		}
-		setSaving(true);
-		if (editingScope) {
-			const { error } = await client
-				.mutation(UpdateScope, {
-					params: {
-						id: editingScope.id,
-						name: formName,
-						description: formDescription || undefined,
-					},
-				})
-				.toPromise();
-			if (error) {
-				toast.error(getGraphQLErrorMessage(error, 'Failed to update scope'));
-			} else {
-				toast.success('Scope updated');
-				setDialogOpen(false);
-				fetchScopes();
-			}
-		} else {
-			const { error } = await client
-				.mutation(AddScope, {
-					params: {
-						name: formName,
-						description: formDescription || undefined,
-					},
-				})
-				.toPromise();
-			if (error) {
-				toast.error(getGraphQLErrorMessage(error, 'Failed to add scope'));
-			} else {
-				toast.success('Scope added');
-				setDialogOpen(false);
-				fetchScopes();
-			}
-		}
-		setSaving(false);
-	};
-
-	const handleDelete = async () => {
-		if (!deletingScope) return;
-		setSaving(true);
-		const { error } = await client
-			.mutation(DeleteScope, { id: deletingScope.id })
-			.toPromise();
-		if (error) {
-			toast.error(getGraphQLErrorMessage(error, 'Failed to delete scope'));
-		} else {
-			toast.success('Scope deleted');
-			setDeleteDialogOpen(false);
-			setDeletingScope(null);
-			fetchScopes();
-		}
-		setSaving(false);
-	};
-
-	return (
-		<div>
-			<div className="flex items-center justify-between mb-4">
-				<div>
-					<h2 className="text-lg font-semibold text-gray-900">Scopes</h2>
-					<p className="text-sm text-gray-500">
-						Define the actions or operations that can be performed on resources.
-					</p>
-				</div>
-				<Button onClick={openAddDialog}>
-					<Plus className="h-4 w-4 mr-2" />
-					Add Scope
-				</Button>
-			</div>
-
-			{loading ? (
-				<div className="space-y-3">
-					{[1, 2, 3].map((i) => (
-						<Skeleton key={i} className="h-10 w-full" />
-					))}
-				</div>
-			) : scopes.length > 0 ? (
-				<Table>
-					<TableHeader>
-						<TableRow>
-							<TableHead>Name</TableHead>
-							<TableHead>Description</TableHead>
-							<TableHead>Created</TableHead>
-							<TableHead className="w-[100px]">Actions</TableHead>
-						</TableRow>
-					</TableHeader>
-					<TableBody>
-						{scopes.map((scope) => (
-							<TableRow key={scope.id}>
-								<TableCell className="font-medium">{scope.name}</TableCell>
-								<TableCell className="text-sm text-gray-500">
-									{scope.description || '-'}
-								</TableCell>
-								<TableCell className="text-sm">
-									{dayjs(scope.created_at * 1000).format('MMM DD, YYYY')}
-								</TableCell>
-								<TableCell>
-									<div className="flex gap-1">
-										<Button
-											variant="ghost"
-											size="icon"
-											onClick={() => openEditDialog(scope)}
-										>
-											<Pencil className="h-4 w-4" />
-										</Button>
-										<Button
-											variant="ghost"
-											size="icon"
-											onClick={() => openDeleteDialog(scope)}
-										>
-											<Trash2 className="h-4 w-4 text-red-500" />
-										</Button>
-									</div>
-								</TableCell>
-							</TableRow>
-						))}
-					</TableBody>
-				</Table>
-			) : (
-				<div className="flex min-h-[25vh] flex-col items-center justify-center text-gray-300">
-					<AlertCircle className="h-16 w-16 mb-2" />
-					<p className="text-2xl font-bold">No Scopes</p>
-					<p className="text-sm mt-1">
-						Add a scope to define actions on your resources.
-					</p>
-				</div>
-			)}
-
-			{/* Add/Edit Dialog */}
-			<Dialog open={dialogOpen} onOpenChange={setDialogOpen}>
-				<DialogContent>
-					<DialogHeader>
-						<DialogTitle>
-							{editingScope ? 'Edit Scope' : 'Add Scope'}
-						</DialogTitle>
-						<DialogDescription>
-							{editingScope
-								? 'Update the scope details.'
-								: 'Define a new scope (action) for authorization.'}
-						</DialogDescription>
-					</DialogHeader>
-					<div className="space-y-4">
-						<div>
-							<Label htmlFor="scope-name">Name</Label>
-							<Input
-								id="scope-name"
-								placeholder="e.g. read or write_metadata"
-								value={formName}
-								onChange={(e) => setFormName(e.target.value)}
-								className="mt-1"
-							/>
-							<p className="text-xs text-gray-500 mt-1">
-								Letters, digits, hyphens, and underscores only. Max 100
-								characters. No spaces.
-							</p>
-						</div>
-						<div>
-							<Label htmlFor="scope-desc">Description</Label>
-							<Textarea
-								id="scope-desc"
-								placeholder="Optional human-readable description"
-								value={formDescription}
-								onChange={(e) => setFormDescription(e.target.value)}
-								className="mt-1"
-							/>
-							<p className="text-xs text-gray-500 mt-1">
-								Free-form text shown in the dashboard. Not used for matching.
-							</p>
-						</div>
-					</div>
-					<DialogFooter>
-						<Button
-							variant="outline"
-							onClick={() => setDialogOpen(false)}
-							disabled={saving}
-						>
-							Cancel
-						</Button>
-						<Button onClick={handleSave} disabled={saving}>
-							{saving ? 'Saving...' : editingScope ? 'Update' : 'Add'}
-						</Button>
-					</DialogFooter>
-				</DialogContent>
-			</Dialog>
-
-			{/* Delete Confirmation Dialog */}
-			<Dialog open={deleteDialogOpen} onOpenChange={setDeleteDialogOpen}>
-				<DialogContent>
-					<DialogHeader>
-						<DialogTitle>Delete Scope</DialogTitle>
-						<DialogDescription>
-							Are you sure you want to delete{' '}
-							<strong>{deletingScope?.name}</strong>? This action cannot be
-							undone.
-						</DialogDescription>
-					</DialogHeader>
-					<DialogFooter>
-						<Button
-							variant="outline"
-							onClick={() => setDeleteDialogOpen(false)}
-							disabled={saving}
-						>
-							Cancel
-						</Button>
-						<Button
-							variant="destructive"
-							onClick={handleDelete}
-							disabled={saving}
-						>
-							{saving ? 'Deleting...' : 'Delete'}
-						</Button>
-					</DialogFooter>
-				</DialogContent>
-			</Dialog>
-		</div>
-	);
-}
diff --git a/web/dashboard/src/pages/authorization/Tester.tsx b/web/dashboard/src/pages/authorization/Tester.tsx
new file mode 100644
index 00000000..835d78c7
--- /dev/null
+++ b/web/dashboard/src/pages/authorization/Tester.tsx
@@ -0,0 +1,243 @@
+import React, { useState } from 'react';
+import { useClient } from 'urql';
+import { toast } from 'sonner';
+import { Plus, Trash2, ShieldCheck, ShieldX, Play } from 'lucide-react';
+import { FgaCheckQuery } from '../../graphql/queries';
+import { Button } from '../../components/ui/button';
+import { Input } from '../../components/ui/input';
+import { Label } from '../../components/ui/label';
+import { Badge } from '../../components/ui/badge';
+import FgaNotEnabled from '../../components/FgaNotEnabled';
+import { isFgaNotEnabledError } from '../../lib/utils';
+import type { FgaTuple, FgaCheckResponse } from '../../types';
+
+const emptyTuple: FgaTuple = { user: '', relation: '', object: '' };
+
+const Tester = () => {
+	const client = useClient();
+	const [fgaDisabled, setFgaDisabled] = useState<boolean>(false);
+	const [relation, setRelation] = useState<string>('');
+	const [object, setObject] = useState<string>('');
+	const [contextualTuples, setContextualTuples] = useState<FgaTuple[]>([]);
+	const [running, setRunning] = useState<boolean>(false);
+	const [result, setResult] = useState<boolean | null>(null);
+
+	const addContextualTuple = () => {
+		setContextualTuples((prev) => [...prev, { ...emptyTuple }]);
+	};
+
+	const updateContextualTuple = (
+		index: number,
+		field: keyof FgaTuple,
+		value: string,
+	) => {
+		setContextualTuples((prev) =>
+			prev.map((t, i) => (i === index ? { ...t, [field]: value } : t)),
+		);
+	};
+
+	const removeContextualTuple = (index: number) => {
+		setContextualTuples((prev) => prev.filter((_, i) => i !== index));
+	};
+
+	const handleCheck = async (e: React.FormEvent) => {
+		e.preventDefault();
+		if (!relation.trim() || !object.trim()) {
+			toast.error('relation and object are required');
+			return;
+		}
+		setRunning(true);
+		setResult(null);
+		try {
+			const validContextual = contextualTuples
+				.filter(
+					(t) => t.user.trim() && t.relation.trim() && t.object.trim(),
+				)
+				.map((t) => ({
+					user: t.user.trim(),
+					relation: t.relation.trim(),
+					object: t.object.trim(),
+				}));
+
+			const params: {
+				relation: string;
+				object: string;
+				contextual_tuples?: FgaTuple[];
+			} = {
+				relation: relation.trim(),
+				object: object.trim(),
+			};
+			if (validContextual.length) {
+				params.contextual_tuples = validContextual;
+			}
+
+			const res = await client
+				.query<FgaCheckResponse>(
+					FgaCheckQuery,
+					{ params },
+					{ requestPolicy: 'network-only' },
+				)
+				.toPromise();
+
+			if (res.error) {
+				if (isFgaNotEnabledError(res.error)) {
+					setFgaDisabled(true);
+				} else {
+					toast.error(res.error.message.replace('[GraphQL] ', ''));
+				}
+				return;
+			}
+
+			if (res.data?.fga_check) {
+				setResult(res.data.fga_check.allowed);
+			}
+		} catch {
+			toast.error('Failed to run access check');
+		} finally {
+			setRunning(false);
+		}
+	};
+
+	if (fgaDisabled) {
+		return (
+			<div className="m-5 rounded-md bg-white py-5 px-10">
+				<div className="my-4">
+					<h1 className="text-2xl font-semibold text-gray-900">
+						Access Tester
+					</h1>
+				</div>
+				<FgaNotEnabled />
+			</div>
+		);
+	}
+
+	return (
+		<div className="m-5 rounded-md bg-white py-5 px-10">
+			<div className="my-4">
+				<h1 className="text-2xl font-semibold text-gray-900">Access Tester</h1>
+				<p className="mt-1 text-sm text-gray-500">
+					Run a relationship check. The check is evaluated for{' '}
+					<strong>the currently logged-in admin</strong> &mdash; the principal
+					is pinned to your token by the server and cannot be changed here.
+				</p>
+			</div>
+
+			<form onSubmit={handleCheck} className="max-w-2xl space-y-5">
+				<div className="grid grid-cols-1 gap-3 md:grid-cols-2">
+					<div className="space-y-1">
+						<Label htmlFor="check-relation">Relation</Label>
+						<Input
+							id="check-relation"
+							placeholder="viewer"
+							value={relation}
+							onChange={(e) => setRelation(e.target.value)}
+						/>
+					</div>
+					<div className="space-y-1">
+						<Label htmlFor="check-object">Object</Label>
+						<Input
+							id="check-object"
+							placeholder="document:1"
+							value={object}
+							onChange={(e) => setObject(e.target.value)}
+						/>
+					</div>
+				</div>
+
+				{/* Contextual tuples */}
+				<div className="space-y-2">
+					<div className="flex items-center justify-between">
+						<Label>Contextual tuples (optional)</Label>
+						<Button
+							type="button"
+							variant="outline"
+							size="sm"
+							onClick={addContextualTuple}
+						>
+							<Plus className="mr-2 h-4 w-4" />
+							Add
+						</Button>
+					</div>
+					{contextualTuples.length === 0 ? (
+						<p className="text-xs text-gray-400">
+							Contextual tuples are evaluated only for this check and are not
+							persisted.
+						</p>
+					) : (
+						contextualTuples.map((tuple, index) => (
+							<div
+								key={index}
+								className="grid grid-cols-1 gap-2 md:grid-cols-[1fr_1fr_1fr_auto] md:items-center"
+							>
+								<Input
+									placeholder="user:alice"
+									value={tuple.user}
+									onChange={(e) =>
+										updateContextualTuple(index, 'user', e.target.value)
+									}
+								/>
+								<Input
+									placeholder="viewer"
+									value={tuple.relation}
+									onChange={(e) =>
+										updateContextualTuple(index, 'relation', e.target.value)
+									}
+								/>
+								<Input
+									placeholder="document:1"
+									value={tuple.object}
+									onChange={(e) =>
+										updateContextualTuple(index, 'object', e.target.value)
+									}
+								/>
+								<Button
+									type="button"
+									variant="ghost"
+									size="sm"
+									onClick={() => removeContextualTuple(index)}
+								>
+									<Trash2 className="h-4 w-4 text-red-500" />
+								</Button>
+							</div>
+						))
+					)}
+				</div>
+
+				<Button type="submit" disabled={running}>
+					<Play className="mr-2 h-4 w-4" />
+					{running ? 'Checking...' : 'Run Check'}
+				</Button>
+			</form>
+
+			{result !== null && (
+				<div className="mt-6 max-w-2xl">
+					{result ? (
+						<div className="flex items-center gap-3 rounded-md border border-green-200 bg-green-50 p-4">
+							<ShieldCheck className="h-6 w-6 text-green-600" />
+							<div>
+								<Badge variant="success">Allowed</Badge>
+								<p className="mt-1 text-sm text-gray-600">
+									You have <strong>{relation}</strong> access to{' '}
+									<strong>{object}</strong>.
+								</p>
+							</div>
+						</div>
+					) : (
+						<div className="flex items-center gap-3 rounded-md border border-red-200 bg-red-50 p-4">
+							<ShieldX className="h-6 w-6 text-red-600" />
+							<div>
+								<Badge variant="destructive">Denied</Badge>
+								<p className="mt-1 text-sm text-gray-600">
+									You do not have <strong>{relation}</strong> access to{' '}
+									<strong>{object}</strong>.
+								</p>
+							</div>
+						</div>
+					)}
+				</div>
+			)}
+		</div>
+	);
+};
+
+export default Tester;
diff --git a/web/dashboard/src/pages/authorization/Tuples.tsx b/web/dashboard/src/pages/authorization/Tuples.tsx
new file mode 100644
index 00000000..f129fe18
--- /dev/null
+++ b/web/dashboard/src/pages/authorization/Tuples.tsx
@@ -0,0 +1,317 @@
+import React, { useCallback, useEffect, useState } from 'react';
+import { useClient } from 'urql';
+import { toast } from 'sonner';
+import { AlertCircle, Plus, Trash2, ChevronRight, RotateCcw } from 'lucide-react';
+import { FgaReadTuplesQuery } from '../../graphql/queries';
+import { FgaWriteTuples, FgaDeleteTuples } from '../../graphql/mutation';
+import { Button } from '../../components/ui/button';
+import { Input } from '../../components/ui/input';
+import { Label } from '../../components/ui/label';
+import { Skeleton } from '../../components/ui/skeleton';
+import {
+	Table,
+	TableHeader,
+	TableBody,
+	TableRow,
+	TableHead,
+	TableCell,
+} from '../../components/ui/table';
+import FgaNotEnabled from '../../components/FgaNotEnabled';
+import { isFgaNotEnabledError } from '../../lib/utils';
+import type {
+	FgaTuple,
+	FgaReadTuplesResponse,
+	FgaWriteTuplesResponse,
+	FgaDeleteTuplesResponse,
+} from '../../types';
+
+const PAGE_SIZE = 25;
+
+const emptyForm = { user: '', relation: '', object: '' };
+
+const Tuples = () => {
+	const client = useClient();
+	const [loading, setLoading] = useState<boolean>(true);
+	const [fgaDisabled, setFgaDisabled] = useState<boolean>(false);
+	const [tuples, setTuples] = useState<FgaTuple[]>([]);
+	// continuation token of the page currently displayed.
+	const [currentToken, setCurrentToken] = useState<string>('');
+	// continuation token to load the next page (empty when exhausted).
+	const [nextToken, setNextToken] = useState<string>('');
+	// stack of tokens for previous pages so we can page backwards.
+	const [tokenStack, setTokenStack] = useState<string[]>([]);
+	const [form, setForm] = useState<typeof emptyForm>(emptyForm);
+	const [submitting, setSubmitting] = useState<boolean>(false);
+
+	const fetchTuples = useCallback(
+		async (continuationToken: string) => {
+			setLoading(true);
+			try {
+				const res = await client
+					.query<FgaReadTuplesResponse>(
+						FgaReadTuplesQuery,
+						{
+							params: {
+								page_size: PAGE_SIZE,
+								continuation_token: continuationToken || undefined,
+							},
+						},
+						{ requestPolicy: 'network-only' },
+					)
+					.toPromise();
+
+				if (res.error) {
+					if (isFgaNotEnabledError(res.error)) {
+						setFgaDisabled(true);
+					} else {
+						toast.error('Failed to load relationship tuples');
+					}
+					return;
+				}
+
+				if (res.data?._fga_read_tuples) {
+					setTuples(res.data._fga_read_tuples.tuples || []);
+					setNextToken(res.data._fga_read_tuples.continuation_token || '');
+				}
+			} catch {
+				toast.error('Failed to load relationship tuples');
+			} finally {
+				setLoading(false);
+			}
+		},
+		[client],
+	);
+
+	useEffect(() => {
+		fetchTuples('');
+	}, [fetchTuples]);
+
+	const goNext = () => {
+		if (!nextToken) {
+			return;
+		}
+		setTokenStack((prev) => [...prev, currentToken]);
+		setCurrentToken(nextToken);
+		fetchTuples(nextToken);
+	};
+
+	const goReset = () => {
+		setTokenStack([]);
+		setCurrentToken('');
+		fetchTuples('');
+	};
+
+	const handleAdd = async (e: React.FormEvent) => {
+		e.preventDefault();
+		if (!form.user.trim() || !form.relation.trim() || !form.object.trim()) {
+			toast.error('user, relation and object are all required');
+			return;
+		}
+		setSubmitting(true);
+		try {
+			const res = await client
+				.mutation<FgaWriteTuplesResponse>(FgaWriteTuples, {
+					params: {
+						tuples: [
+							{
+								user: form.user.trim(),
+								relation: form.relation.trim(),
+								object: form.object.trim(),
+							},
+						],
+					},
+				})
+				.toPromise();
+
+			if (res.error) {
+				if (isFgaNotEnabledError(res.error)) {
+					setFgaDisabled(true);
+				} else {
+					toast.error(res.error.message.replace('[GraphQL] ', ''));
+				}
+				return;
+			}
+
+			toast.success('Tuple added');
+			setForm(emptyForm);
+			goReset();
+		} catch {
+			toast.error('Failed to add tuple');
+		} finally {
+			setSubmitting(false);
+		}
+	};
+
+	const handleDelete = async (tuple: FgaTuple) => {
+		try {
+			const res = await client
+				.mutation<FgaDeleteTuplesResponse>(FgaDeleteTuples, {
+					params: {
+						tuples: [
+							{
+								user: tuple.user,
+								relation: tuple.relation,
+								object: tuple.object,
+							},
+						],
+					},
+				})
+				.toPromise();
+
+			if (res.error) {
+				if (isFgaNotEnabledError(res.error)) {
+					setFgaDisabled(true);
+				} else {
+					toast.error(res.error.message.replace('[GraphQL] ', ''));
+				}
+				return;
+			}
+
+			toast.success('Tuple deleted');
+			fetchTuples(currentToken);
+		} catch {
+			toast.error('Failed to delete tuple');
+		}
+	};
+
+	if (fgaDisabled) {
+		return (
+			<div className="m-5 rounded-md bg-white py-5 px-10">
+				<div className="my-4">
+					<h1 className="text-2xl font-semibold text-gray-900">
+						Relationship Tuples
+					</h1>
+				</div>
+				<FgaNotEnabled />
+			</div>
+		);
+	}
+
+	return (
+		<div className="m-5 rounded-md bg-white py-5 px-10">
+			<div className="my-4">
+				<h1 className="text-2xl font-semibold text-gray-900">
+					Relationship Tuples
+				</h1>
+				<p className="mt-1 text-sm text-gray-500">
+					Manage relationship tuples (user, relation, object) stored in the FGA
+					store.
+				</p>
+			</div>
+
+			{/* Add tuple form */}
+			<form
+				onSubmit={handleAdd}
+				className="mb-6 grid grid-cols-1 gap-3 rounded-md border border-gray-100 bg-gray-50 p-4 md:grid-cols-[1fr_1fr_1fr_auto] md:items-end"
+			>
+				<div className="space-y-1">
+					<Label htmlFor="tuple-user">User</Label>
+					<Input
+						id="tuple-user"
+						placeholder="user:alice"
+						value={form.user}
+						onChange={(e) => setForm({ ...form, user: e.target.value })}
+					/>
+				</div>
+				<div className="space-y-1">
+					<Label htmlFor="tuple-relation">Relation</Label>
+					<Input
+						id="tuple-relation"
+						placeholder="viewer"
+						value={form.relation}
+						onChange={(e) => setForm({ ...form, relation: e.target.value })}
+					/>
+				</div>
+				<div className="space-y-1">
+					<Label htmlFor="tuple-object">Object</Label>
+					<Input
+						id="tuple-object"
+						placeholder="document:1"
+						value={form.object}
+						onChange={(e) => setForm({ ...form, object: e.target.value })}
+					/>
+				</div>
+				<Button type="submit" disabled={submitting}>
+					<Plus className="mr-2 h-4 w-4" />
+					{submitting ? 'Adding...' : 'Add'}
+				</Button>
+			</form>
+
+			{loading ? (
+				<div className="space-y-3">
+					{[1, 2, 3].map((i) => (
+						<Skeleton key={i} className="h-10 w-full" />
+					))}
+				</div>
+			) : tuples.length ? (
+				<>
+					<Table>
+						<TableHeader>
+							<TableRow>
+								<TableHead>User</TableHead>
+								<TableHead>Relation</TableHead>
+								<TableHead>Object</TableHead>
+								<TableHead className="text-right">Actions</TableHead>
+							</TableRow>
+						</TableHeader>
+						<TableBody>
+							{tuples.map((tuple) => (
+								<TableRow
+									key={`${tuple.user}|${tuple.relation}|${tuple.object}`}
+								>
+									<TableCell className="font-mono text-sm">
+										{tuple.user}
+									</TableCell>
+									<TableCell className="font-mono text-sm">
+										{tuple.relation}
+									</TableCell>
+									<TableCell className="font-mono text-sm">
+										{tuple.object}
+									</TableCell>
+									<TableCell className="text-right">
+										<Button
+											variant="ghost"
+											size="sm"
+											onClick={() => handleDelete(tuple)}
+										>
+											<Trash2 className="h-4 w-4 text-red-500" />
+										</Button>
+									</TableCell>
+								</TableRow>
+							))}
+						</TableBody>
+					</Table>
+
+					{/* Continuation-token pagination */}
+					<div className="mt-4 flex items-center justify-between">
+						<Button
+							variant="outline"
+							size="sm"
+							onClick={goReset}
+							disabled={tokenStack.length === 0 && !currentToken}
+						>
+							<RotateCcw className="mr-2 h-4 w-4" />
+							First page
+						</Button>
+						<Button
+							variant="outline"
+							size="sm"
+							onClick={goNext}
+							disabled={!nextToken}
+						>
+							Next page
+							<ChevronRight className="ml-2 h-4 w-4" />
+						</Button>
+					</div>
+				</>
+			) : (
+				<div className="flex min-h-[25vh] flex-col items-center justify-center text-gray-300">
+					<AlertCircle className="mb-2 h-16 w-16" />
+					<p className="text-2xl font-bold">No Tuples</p>
+				</div>
+			)}
+		</div>
+	);
+};
+
+export default Tuples;
diff --git a/web/dashboard/src/routes/index.tsx b/web/dashboard/src/routes/index.tsx
index 6b1da1e4..4d6e41e1 100644
--- a/web/dashboard/src/routes/index.tsx
+++ b/web/dashboard/src/routes/index.tsx
@@ -10,7 +10,9 @@ const Users = lazy(() => import('../pages/Users'));
 const Webhooks = lazy(() => import('../pages/Webhooks'));
 const EmailTemplates = lazy(() => import('../pages/EmailTemplates'));
 const AuditLogs = lazy(() => import('../pages/AuditLogs'));
-const Authorization = lazy(() => import('../pages/Authorization'));
+const AuthorizationModel = lazy(() => import('../pages/authorization/Model'));
+const AuthorizationTuples = lazy(() => import('../pages/authorization/Tuples'));
+const AuthorizationTester = lazy(() => import('../pages/authorization/Tester'));
 
 export const AppRoutes = () => {
 	const { isLoggedIn } = useAuthContext();
@@ -32,7 +34,18 @@ export const AppRoutes = () => {
 							<Route path="webhooks" element={<Webhooks />} />
 							<Route path="email-templates" element={<EmailTemplates />} />
 							<Route path="audit-logs" element={<AuditLogs />} />
-							<Route path="authorization/*" element={<Authorization />} />
+							<Route
+								path="authorization/model"
+								element={<AuthorizationModel />}
+							/>
+							<Route
+								path="authorization/tuples"
+								element={<AuthorizationTuples />}
+							/>
+							<Route
+								path="authorization/tester"
+								element={<AuthorizationTester />}
+							/>
 							<Route path="*" element={<Overview />} />
 						</Route>
 					</Routes>
diff --git a/web/dashboard/src/types.ts b/web/dashboard/src/types.ts
index 07a9037b..3448dd1b 100644
--- a/web/dashboard/src/types.ts
+++ b/web/dashboard/src/types.ts
@@ -121,79 +121,47 @@ export interface AdminSessionResponse {
 	};
 }
 
-// Authorization types
-
-export interface AuthzResource {
+export interface FgaModel {
 	id: string;
-	name: string;
-	description?: string;
-	created_at: number;
-	updated_at: number;
+	dsl: string;
 }
 
-export interface AuthzScope {
-	id: string;
-	name: string;
-	description?: string;
-	created_at: number;
-	updated_at: number;
+export interface FgaTuple {
+	user: string;
+	relation: string;
+	object: string;
 }
 
-export interface AuthzPolicyTarget {
-	id: string;
-	target_type: string;
-	target_value: string;
+export interface FgaGetModelResponse {
+	_fga_get_model: FgaModel;
 }
 
-export interface AuthzPolicy {
-	id: string;
-	name: string;
-	description?: string;
-	type: string;
-	logic: string;
-	decision_strategy: string;
-	targets: AuthzPolicyTarget[];
-	created_at: number;
-	updated_at: number;
+export interface FgaWriteModelResponse {
+	_fga_write_model: FgaModel;
 }
 
-export interface AuthzPermission {
-	id: string;
-	name: string;
-	description?: string;
-	resource: AuthzResource;
-	scopes: AuthzScope[];
-	policies: AuthzPolicy[];
-	decision_strategy: string;
-	created_at: number;
-	updated_at: number;
-}
-
-export interface AuthzResourcesResponse {
-	_authz_resources: {
-		pagination: PaginationInfo;
-		resources: AuthzResource[];
+export interface FgaReadTuplesResponse {
+	_fga_read_tuples: {
+		tuples: FgaTuple[];
+		continuation_token?: string | null;
 	};
 }
 
-export interface AuthzScopesResponse {
-	_authz_scopes: {
-		pagination: PaginationInfo;
-		scopes: AuthzScope[];
+export interface FgaWriteTuplesResponse {
+	_fga_write_tuples: {
+		message: string;
 	};
 }
 
-export interface AuthzPoliciesResponse {
-	_authz_policies: {
-		pagination: PaginationInfo;
-		policies: AuthzPolicy[];
+export interface FgaDeleteTuplesResponse {
+	_fga_delete_tuples: {
+		message: string;
 	};
 }
 
-export interface AuthzPermissionsResponse {
-	_authz_permissions: {
-		pagination: PaginationInfo;
-		permissions: AuthzPermission[];
+export interface FgaCheckResponse {
+	fga_check: {
+		allowed: boolean;
 	};
 }
 

From c64757b89ff37fbb2b783eac94472979d83f6c31 Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Mon, 8 Jun 2026 11:10:37 +0530
Subject: [PATCH 02/39] docs(authz): OpenFGA migration plan, agentic-auth
 design, enterprise model

Add design docs for the OpenFGA migration and the agentic-authorization
program, and update the v2 roadmap.

- FGA_OPENFGA_MIGRATION_PLAN.md: phased plan, locked decisions, deployment
  modes (single-node / HA / serverless), implementation status.
- ENTERPRISE_AUTHZ_MODEL.md: OpenFGA model patterns (role grants,
  user-specific overrides, exclusions, hierarchy) with a worked example.
- AGENTIC_DELEGATION_DESIGN.md: RFC 8693 token exchange, act claim,
  attenuation, audit delegation chain, revocation.
- FGA_IMPLEMENTATION_AGENTS.md: program execution plan.
- ROADMAP_V2.md: agentic authorization track; corrected FGA/audit status.
---
 AGENTIC_DELEGATION_DESIGN.md  | 152 +++++++++++++++++++++++++
 CLAUDE.md                     |   5 +
 ENTERPRISE_AUTHZ_MODEL.md     | 173 ++++++++++++++++++++++++++++
 FGA_IMPLEMENTATION_AGENTS.md  |  80 +++++++++++++
 FGA_OPENFGA_MIGRATION_PLAN.md | 204 ++++++++++++++++++++++++++++++++++
 ROADMAP_V2.md                 |  38 ++++++-
 6 files changed, 650 insertions(+), 2 deletions(-)
 create mode 100644 AGENTIC_DELEGATION_DESIGN.md
 create mode 100644 ENTERPRISE_AUTHZ_MODEL.md
 create mode 100644 FGA_IMPLEMENTATION_AGENTS.md
 create mode 100644 FGA_OPENFGA_MIGRATION_PLAN.md

diff --git a/AGENTIC_DELEGATION_DESIGN.md b/AGENTIC_DELEGATION_DESIGN.md
new file mode 100644
index 00000000..42f2fb30
--- /dev/null
+++ b/AGENTIC_DELEGATION_DESIGN.md
@@ -0,0 +1,152 @@
+# Design: Agentic Delegation Chain (Token Exchange · Attenuation · Audit)
+
+**Scope:** Capabilities #13 (RFC 8693 token exchange), #14 (attenuation / least-privilege), #21 (audit delegation chain) from the agentic-auth capability matrix. This is the **highest-leverage layer after ReBAC** — it answers *"who is asking, with whose borrowed authority, and constrained to what?"*
+
+**Current state (verified in code):** greenfield. No token-exchange grant, no `act` claim, audit has a single actor. `authorization.Principal.MaxScopes` exists as a "delegation ceiling" to build on.
+
+---
+
+## 1. The problem
+
+An agent acts **as itself** **on behalf of a user**, possibly delegated through one or more apps. Three things must be true on every downstream call:
+
+1. **Both identities travel together** — the resource server and audit must see *agent X acting for user Y*.
+2. **The agent gets least privilege** — a token downscoped to the task, never the user's full power.
+3. **The full chain is recorded** — `app → agent → user` is queryable in audit.
+
+RFC 8693 (OAuth 2.0 Token Exchange) is the standard mechanism. The `act` claim carries the chain.
+
+---
+
+## 2. The `act` claim — the heart of the design
+
+A task-scoped token minted for the agent:
+
+```jsonc
+{
+  "sub": "user:alice",                  // whose authority is exercised
+  "aud": "https://calendar.example",    // bound target (RFC 8707)
+  "scope": "calendar:read",             // attenuated, not alice's full scope
+  "exp": "<now+5m>",                    // short-lived
+  "act": {                              // who is acting
+    "sub": "agent:booking-bot",
+    "act": {                            // nested: who delegated to the agent
+      "sub": "app:concierge"
+    }
+  }
+}
+```
+
+- `sub` stays the **user** (authority source); `act.sub` is the **immediate actor**; nested `act` encodes multi-hop delegation.
+- **`act` becomes a reserved claim** (alongside `roles`, `scope`, …) in `internal/token/auth_token.go` so `CustomAccessTokenScript` cannot forge it.
+
+---
+
+## 3. Token exchange endpoint (#13)
+
+Extend `POST /oauth/token` with `grant_type=urn:ietf:params:oauth:grant-type:token-exchange`.
+
+| Param | Meaning |
+|---|---|
+| `subject_token` (+ `_type`) | the user's token (authority being exercised) |
+| `actor_token` (+ `_type`) | the agent's token (the actor) — present ⇒ **delegation** |
+| `requested_token_type` | usually `urn:ietf:params:oauth:token-type:access_token` |
+| `resource` / `audience` | RFC 8707 target binding (**required** for MCP) |
+| `scope` | requested (down)scope |
+
+**Two semantics:**
+- **Delegation** (`actor_token` present): mint composite token with `sub=user`, `act` chain. Default agent path.
+- **Impersonation** (no `actor_token`): actor fully becomes the subject. **Admin-gated, always audited.** Used sparingly (support tooling), not the agent path.
+
+**Flow:**
+```
+1. validate subject_token + actor_token (sig, exp, aud, not revoked)
+2. resolve actor's delegation ceiling (agent service-account MaxScopes)
+3. attenuated_scope = intersection(subject_effective, requested_scope, actor_ceiling)   ← §4
+4. mint access_token: sub=subject, act=chain, aud=resource, scope=attenuated, short exp
+5. audit: actor=agent, on_behalf_of=user, chain                                          ← §5
+```
+
+---
+
+## 4. Attenuation — least privilege per task (#14)
+
+The exchanged token's authority is the **intersection** of three ceilings:
+
+```
+effective = subject_permissions  ∩  requested_scope  ∩  agent_delegation_ceiling
+```
+
+- **`subject_permissions`** — what the user actually has (scopes + FGA-derived).
+- **`requested_scope`** — what the agent asked for (RAR can carry structured detail).
+- **`agent_delegation_ceiling`** — `Principal.MaxScopes` on the agent's service account (the existing primitive). An agent can never exceed its registered ceiling even if the user is an admin.
+
+Further constraints stamped on the token:
+- **Audience binding** (`aud` = `resource`, RFC 8707) — token works only at the named MCP server / API.
+- **Short TTL** — 5 min default for agent tokens (matches roadmap 4.2).
+- **(Later)** sender-constraint via DPoP (Phase 5.2).
+
+**FGA interplay:** object-level checks still run at the resource server as `Check(user:alice, relation, object, context={actor: agent, purpose})`. OpenFGA **Conditions** can additionally require the actor be a delegated agent / within a context window. Token attenuation is the *coarse* least-privilege gate; FGA is the *fine* one. Both apply.
+
+---
+
+## 5. Audit delegation chain (#21)
+
+**Schema change (storage tax across all DBs).** Extend `schemas.AuditLog` and `audit.Event`:
+
+```go
+// audit.Event — add:
+OnBehalfOfID    string  // the subject (user) the actor acted for
+OnBehalfOfType  string  // "user" | "agent"
+DelegationChain string  // serialized act chain, e.g. "app:concierge>agent:booking-bot>user:alice"
+```
+
+- Every action performed with an exchanged token logs **actor + on-behalf-of + chain**.
+- Makes "what did `booking-bot` do for Alice last week?" and "every action delegated through `app:concierge`" queryable.
+- Schema must be added to all 6 DB implementations + AutoMigrate / collection setup (same multi-DB pattern as any new field).
+
+---
+
+## 6. End-to-end runtime flow
+
+```
+User ──OIDC──► Authorizer ──► user token (sub=alice)
+App/agent ──token-exchange(subject=user, actor=agent, scope=calendar:read, resource=calendar)──► Authorizer
+Authorizer ──► attenuated token (sub=alice, act=[app>agent], aud=calendar, scope=calendar:read, exp=5m)
+Agent ──► MCP tool / Calendar API  (presents attenuated token)
+Resource server ──► validate aud+scope ──► FGA Check(alice, read, calendar:..., ctx{actor:agent})
+Authorizer audit ──► {actor: agent, on_behalf_of: alice, chain: app>agent>alice, action, resource}
+User ──► dashboard: view / revoke active agent delegations   (roadmap 4.3)
+```
+
+---
+
+## 7. Decisions (LOCKED — principal-engineer calls)
+
+| # | Decision | Locked choice |
+|---|---|---|
+| DC1 | Delegation vs impersonation | **Both**; impersonation admin-gated + always audited |
+| DC2 | Where the agent ceiling lives | Agent **service-account `MaxScopes`** + optional FGA tuples |
+| DC3 | `act` claim format | **RFC 8693 nested `act`** (multi-hop chains) |
+| DC4 | Token binding | **RFC 8707 `resource`/`aud` required** for exchanged/MCP tokens; DPoP later (Phase 5.2) |
+| DC5 | Revocation | **Short TTL (5m) baseline + revocation-list-via-introspection for sensitive scopes** (see §7.1) |
+
+### 7.1 Revocation — the real design (not a footnote)
+A two-tier model, reusing the **existing `/oauth/introspect` endpoint**:
+- **Default (non-sensitive scopes):** rely on the **5-minute TTL**. Revoking a delegation stops *refresh*; in-flight access tokens expire within the window. Acceptable for the common case.
+- **Sensitive scopes (operator-flagged, e.g. `payments:*`):** the exchanged token is marked `sensitive`, and **resource servers MUST call `/oauth/introspect`** before honoring it. Introspection checks a **revocation list** updated the instant a user revokes the delegation (dashboard / `revoke` mutation) → immediate effect, no TTL wait.
+- **Distributed propagation:** the revocation list lives in `memory_store` (Redis/DB) so all nodes and the introspect endpoint see revocations consistently. Document the (sub-second) propagation window.
+
+This keeps the hot path cheap (short TTL, no introspection) while giving immediate revocation where it actually matters.
+
+**Prereq dependency (review fix #10):** this design sits on **agent identity + M2M/client-credentials** (roadmap Phase 2 / 4.2) and the **OpenFGA decision core** (FGA_OPENFGA_MIGRATION_PLAN.md). Do not start Wave 2 before those land.
+
+## 8. Phasing (verify-gated)
+
+1. **`act` claim + reserved-claim guard** → verify: minted token carries `act`; custom script cannot overwrite it.
+2. **Token-exchange grant (delegation only)** → verify: subject+actor tokens produce composite token with correct `act` + intersected scope + bound `aud`.
+3. **Attenuation via agent `MaxScopes`** → verify: agent cannot exceed its ceiling even with an admin subject token.
+4. **Audit chain fields (all DBs)** → verify: exchanged-token action logs actor + on_behalf_of + chain; `make test-all-db` green.
+5. **Impersonation (admin-gated) + dashboard revocation** → verify: impersonation requires admin + audits; user can revoke an active delegation.
+
+**Dependency:** sits on top of the OpenFGA decision core (FGA_OPENFGA_MIGRATION_PLAN.md) and the M2M/service-account + agent-identity work (roadmap 2.2 / 4.2).
diff --git a/CLAUDE.md b/CLAUDE.md
index 00a5e3db..ec536527 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -58,6 +58,9 @@ Detailed rules load via skills (see below) — don't restate them here.
 | `principal-engineer` | opus | Full SDLC: Plan → Execute → Test → Review across Go, storage, GraphQL, HTTP. Use for any change touching >1 subsystem. |
 | `security-engineer` | opus | OAuth2/OIDC, JWT, MFA, vulnerability audit. Second-pass on auth-sensitive PRs. |
 | `doc-writer` | haiku | API docs, guides, migration docs. |
+| `authz-researcher` | opus | Deep, adversarially-verified research on authz standards (OpenFGA, RFC 8693/8707/9728, MCP, CIBA, AuthZEN). Run before designing/building any authz capability. |
+| `fga-engineer` | opus | Implements the OpenFGA migration (Wave 1) per FGA_OPENFGA_MIGRATION_PLAN.md. |
+| `delegation-engineer` | opus | Implements the agentic delegation chain (Wave 2) per AGENTIC_DELEGATION_DESIGN.md. Security-critical. |
 
 ## Project Skills (auto-load on matching files)
 
@@ -70,6 +73,8 @@ Detailed rules load via skills (see below) — don't restate them here.
 | `authorizer-security` | auth-sensitive code or `security/` branches |
 | `authorizer-testing` | any `*_test.go` |
 | `authorizer-frontend` | `web/app/`, `web/dashboard/` |
+| `openfga-modeling` | FGA engine (`internal/authorization/`), authz models/tuples, `_fga_*`/`fga_*` GraphQL |
+| `agentic-auth-standards` | token exchange, delegation, MCP, agent-identity (`internal/token/`, `internal/http_handlers/`) |
 
 ## Token Optimization Notes
 
diff --git a/ENTERPRISE_AUTHZ_MODEL.md b/ENTERPRISE_AUTHZ_MODEL.md
new file mode 100644
index 00000000..36faa64d
--- /dev/null
+++ b/ENTERPRISE_AUTHZ_MODEL.md
@@ -0,0 +1,173 @@
+# Enterprise Authorization Model (OpenFGA ReBAC)
+
+How an enterprise expresses **fine-grained permissions on resources by role**, plus **one-off user-specific grants**, plus **user-specific exceptions/denials** — and how all of them mix in a single check.
+
+---
+
+## The mental model: every check is `UNION of grants − exclusions`
+
+Four ways a user gets (or loses) access, all evaluated together:
+
+| Layer | Mechanism | Example |
+|---|---|---|
+| **1. Role-based** (broad) | Assign a *role* to a relation → everyone with the role inherits | "all `editor`s can edit project docs" |
+| **2. Structural** (hierarchy) | Membership + inheritance org→team→project→doc | "engineering team members can view phoenix docs" |
+| **3. User-specific grant** (additive) | Direct tuple to one user | "Frank gets view on this one budget" |
+| **4. User-specific exception** (subtractive) | `blocked` relation + `but not` | "Erin is blocked from this sensitive doc despite team membership" |
+
+A `Check` resolves to: **(role grants ∪ structural grants ∪ direct grants) − blocked**. That intersection/union/exclusion *is* "all the mix-matches."
+
+---
+
+## The authorization model (DSL — authored once)
+
+```dsl
+model
+  schema 1.1
+
+type user
+
+# Roles are first-class objects so they can be assigned to any relation (RBAC-in-ReBAC)
+type role
+  relations
+    define assignee: [user]
+
+type organization
+  relations
+    define admin:  [user, role#assignee]
+    define member: [user, role#assignee] or admin
+
+type team
+  relations
+    define org:    [organization]
+    define member: [user, team#member] or admin from org   # org admins are implicitly team members
+
+type project
+  relations
+    define team:   [team]
+    define lead:   [user, role#assignee]
+    define editor: [user, role#assignee] or lead or member from team
+    define viewer: [user, role#assignee] or editor
+
+type document
+  relations
+    define project: [project]
+    define owner:   [user]
+    define blocked: [user]                                  # user-specific exception
+    define editor:  [user, role#assignee] or owner or editor from project
+    define viewer:  [user, role#assignee] or editor or viewer from project
+    define can_edit: editor but not blocked                 # effective permission
+    define can_view: viewer but not blocked
+```
+
+Key constructs that deliver each layer:
+- `[role#assignee]` → **role-based** grants (assign a whole role to a relation).
+- `[user]` → **user-specific** one-off grants.
+- `X from Y` → **hierarchical inheritance** (e.g., `editor from project`).
+- `but not blocked` → **user-specific exception/deny** override.
+
+---
+
+## Worked scenario: Acme Corp
+
+**Structure:** `org:acme` → `team:engineering`, `team:finance` → `project:phoenix` (eng), `project:ledger` (finance) → `doc:design-spec` (phoenix), `doc:q4-budget` (ledger).
+**Roles:** `role:org-admin`, `role:editor`, `role:auditor`.
+
+### Relationship tuples (the data — written at runtime)
+
+```text
+# --- roles & org ---
+role:org-admin#assignee        @ user:alice
+organization:acme#admin        @ role:org-admin#assignee     # role grants org admin
+team:engineering#org           @ organization:acme
+team:finance#org               @ organization:acme
+
+# --- structural membership ---
+team:engineering#member        @ user:bob
+team:engineering#member        @ user:erin
+team:finance#member            @ user:carol
+
+# --- project wiring + role-based grant ---
+project:phoenix#team           @ team:engineering
+project:ledger#team            @ team:finance
+project:phoenix#editor         @ role:editor#assignee        # role:editor → edit phoenix
+role:editor#assignee           @ user:bob
+project:ledger#viewer          @ role:auditor#assignee       # role:auditor → view ledger
+role:auditor#assignee          @ user:dave
+
+# --- documents ---
+document:design-spec#project   @ project:phoenix
+document:q4-budget#project     @ project:ledger
+
+# --- user-specific overrides ---
+document:design-spec#blocked   @ user:erin                   # exception: deny (layer 4)
+document:q4-budget#viewer      @ user:frank                  # odd one-off grant (layer 3)
+```
+
+### Resulting access (Check results)
+
+| User | Why | `can_view design-spec` | `can_edit design-spec` | `can_view q4-budget` |
+|---|---|---|---|---|
+| **alice** | org-admin role → admin → (member→editor→) inherits everywhere | ✅ | ✅ | ✅ |
+| **bob** | `role:editor` → project editor → doc editor | ✅ | ✅ | ❌ |
+| **erin** | eng member → would inherit viewer **but blocked** | ❌ *(exception)* | ❌ *(exception)* | ❌ |
+| **frank** | not a member; **direct one-off** viewer on budget only | ❌ | ❌ | ✅ *(one-off)* |
+| **dave** | `role:auditor` → view ledger only (read) | ❌ | ❌ | ✅ *(role, read-only)* |
+| **carol** | finance member; no path to eng docs | ❌ | ❌ | ✅ |
+
+### The mix-match, on one resource
+
+`doc:design-spec` effective **can_edit** set =
+
+```
+  { alice }            # role-based (org-admin) + structural inheritance
+∪ { bob }              # role-based (role:editor on project)
+∪ { <project leads> }  # role/structural
+∪ { <direct owners> }  # user-specific grant
+−  { erin }            # user-specific exception (but not blocked)
+```
+
+One check, four layers, resolved by the engine. Adding a contractor for a day = one tuple; revoking = delete it. No role explosion, no policy rewrite.
+
+---
+
+## ABAC / conditional twist (optional)
+
+Need "editors may edit **only during business hours**" or "**only from corp network**"? Attach an OpenFGA **Condition**:
+
+```dsl
+condition in_business_hours(now: timestamp) {
+  now.Hours >= 9 && now.Hours < 18
+}
+type document
+  relations
+    define editor: [user, role#assignee with in_business_hours] or ...
+```
+
+Context (`now`, IP, purpose) is passed at check time — no separate ABAC engine.
+
+---
+
+## How the enterprise drives this (Dashboard + API)
+
+| Task | Dashboard | API |
+|---|---|---|
+| Define the model | **Authorization Model** page (DSL editor) | `_fga_write_model` |
+| Assign a role to a user | "Assign role" (writes `role:X#assignee@user:Y`) | `_fga_write_tuples` |
+| Grant role broad access on a resource type | Model relation `[role#assignee]` + tuple | `_fga_write_tuples` |
+| One-off share to a user | "Share resource" | `_fga_write_tuples` |
+| Block/except a user | "Block user" (writes `#blocked`) | `_fga_write_tuples` |
+| Ask "can X do Y on Z?" | **Access Tester** | `fga_check` |
+| "What can X see?" (UI / RAG) | — | `fga_list_objects` |
+| "Who can see Z?" | resource access panel | `expand` |
+
+---
+
+## Why this is the enterprise sweet spot
+
+- **Roles still feel like roles** (assign a role, broad access follows) — admins keep the mental model they know.
+- **One-off exceptions don't break the model** — additive grants and `but not` exclusions are just tuples.
+- **Hierarchy is automatic** — grant at org/team/project, resources inherit.
+- **Reverse queries** (`list_objects`) power both AI retrieval and "show me everything I can access" UIs.
+- **Auditable & revocable** — every grant is a tuple with a clear provenance; revoke = delete.
+```
diff --git a/FGA_IMPLEMENTATION_AGENTS.md b/FGA_IMPLEMENTATION_AGENTS.md
new file mode 100644
index 00000000..bb57db9f
--- /dev/null
+++ b/FGA_IMPLEMENTATION_AGENTS.md
@@ -0,0 +1,80 @@
+# FGA → OpenFGA + Agentic Auth: Agent Fleet & Execution Plan
+
+How a small fleet of specialized agents carries the OpenFGA migration and agentic-auth program forward **to standard, with verification at every gate**. This is the orchestration layer over the design docs.
+
+**Source-of-truth docs (agents MUST read before acting):**
+- `FGA_OPENFGA_MIGRATION_PLAN.md` — phased plan + LOCKED decisions (D1–D4, store, why-logs)
+- `AGENTIC_DELEGATION_DESIGN.md` — Wave 2 delegation (DC1–DC5)
+- `ENTERPRISE_AUTHZ_MODEL.md` — the OpenFGA model + Acme worked example
+- `ROADMAP_V2.md` — Agentic Authorization Track (4 waves)
+
+---
+
+## The fleet
+
+| Agent | Model | Owns | Reads | Produces |
+|---|---|---|---|---|
+| **authz-researcher** | opus | Deep, adversarially-verified research on OpenFGA, Zanzibar, Auth0 parity, and standards (RFC 8693/8707/9728, MCP, CIBA, AuthZEN) | the web + design docs | cited research briefs that gate design choices |
+| **fga-engineer** | opus | Wave 1 — engine SPI, embedded/external OpenFGA, model/tuple/check APIs, GraphQL `_fga_*`/`fga_*`, session/validate changes, dashboard wiring, SDK FGA surface | migration plan, openfga-modeling skill | working code + tests, one verified phase at a time |
+| **delegation-engineer** | opus | Wave 2 — RFC 8693 token exchange, `act` claim, attenuation, audit delegation chain | delegation design, agentic-auth-standards skill | working code + tests, security-first |
+
+**Existing agents reused (do not duplicate):**
+- `principal-engineer` — owns any change touching >1 subsystem; the default driver if a program agent isn't a better fit.
+- `security-engineer` — **mandatory second pass** on every FGA/delegation PR (auth-sensitive).
+- `doc-writer` — migration guide, API docs, Auth0-import guide.
+
+**Domain skills (auto-load on matching work):**
+- `openfga-modeling` — DSL/tuple patterns, enterprise model, the **verified embed API**, check/list_objects, conditions.
+- `agentic-auth-standards` — the standards + the LOCKED decisions, so no agent re-litigates them.
+
+---
+
+## Execution waves (each gated by `Verify`)
+
+### Wave 0 — Research & validate *(authz-researcher)*
+- Confirm current OpenFGA embed API + SQLite/Postgres datastore bootstrap (the one remaining spike step).
+- Track standards deltas (MCP spec, ID-JAG draft status, AuthZEN).
+- → **Verify:** every claim feeding a design decision is cited and adversarially checked. Spike code compiles & runs.
+
+### Wave 1 — Decision core *(fga-engineer → security-engineer)*
+Follows `FGA_OPENFGA_MIGRATION_PLAN.md` Phases 1→7, **two-release rollout** (both engines behind `--authorization-engine`, remove old in N+1).
+- → **Verify per phase:** the phase's own Verify gate + `go build ./...` + `make test-all-db` (proves no DB-impl dangling refs) + security-engineer review.
+
+### Wave 2 — Delegation core *(delegation-engineer → security-engineer)*
+Follows `AGENTIC_DELEGATION_DESIGN.md`. **Prereq:** agent identity + M2M (roadmap Phase 2). Do not start before it lands.
+- → **Verify:** `act` chain correct, attenuation can't exceed ceiling, revocation works for sensitive scopes, audit chain queryable, security review.
+
+### Waves 3–4 — Async/custody + Enterprise hardening
+CIBA+RAR, Token Vault, MCP/ID-JAG, JIT/guardrails. New research brief per capability before build.
+
+---
+
+## Handoff protocol (research → implement → review)
+
+1. **Research first.** No engineer agent starts a capability without a current `authz-researcher` brief (or a cited section in the design docs). "Don't assume" is enforced here.
+2. **Implement to the plan.** Engineer agents follow the phased plan + locked decisions verbatim. Deviation requires an explicit, written rationale appended to the relevant design doc — not a silent change.
+3. **Verify before claiming done.** Build + tests + the phase's Verify gate. No "should work."
+4. **Security review is mandatory**, not optional, for every FGA/token/delegation PR (`security-engineer`).
+5. **Docs follow** (`doc-writer`) once an API is frozen.
+
+---
+
+## Definition of Done (program standard — non-negotiable)
+
+A change is done only when ALL hold:
+- [ ] Matches the LOCKED decisions (or amends the design doc with rationale).
+- [ ] `go build ./...` green; `make generate-graphql` run if schema changed.
+- [ ] Tests written and passing; `make test-all-db` green for storage-touching changes.
+- [ ] Auth-sensitive code reviewed by `security-engineer`.
+- [ ] Principal pinned to token `sub` on every `fga_*` runtime check; admin-gating on `_fga_*` and model edits; fail-closed on engine error.
+- [ ] No secrets in logs; no stale-allow cache path (cache only in embedded mode).
+- [ ] Verified against the phase's `Verify` gate with real output, not assertion.
+
+---
+
+## Guardrails the agents must respect (lessons already paid for)
+- **FGA store is SQL-only** (SQLite single-node / external Postgres for HA). Do not attempt Mongo/Dynamo adapters.
+- **Don't double-cache** decisions in external mode.
+- **`required_relations` is the new fine path; `roles` filter stays for coarse** — never force capabilities into ReBAC except via the singleton-object pattern.
+- **Two-release removal** of the old engine, not big-bang.
+- **`go.mod` probe passed** (openfga v1.17.1, sqlite→v1.51.0 compiles clean) — but re-run `make test-sqlite` on the integration branch.
diff --git a/FGA_OPENFGA_MIGRATION_PLAN.md b/FGA_OPENFGA_MIGRATION_PLAN.md
new file mode 100644
index 00000000..a5f94edd
--- /dev/null
+++ b/FGA_OPENFGA_MIGRATION_PLAN.md
@@ -0,0 +1,204 @@
+# Migration Plan: Replace Bespoke FGA with OpenFGA
+
+**Status:** Decisions locked · Phase 0 PASSED · Phases 1–4 DONE on branch `feat/fga-engine-spi` (uncommitted) · **Precondition:** FGA is pre-stable (no GA compat guarantee) · **Type:** Breaking, full replacement
+
+> **Implementation status:** Old FGA (Resource/Scope/Policy/Permission, #607/#610/#611) **fully removed** (never rolled out). New OpenFGA engine seam (Phase 1), GraphQL `_fga_*`/`fga_*` API + engine routed into request paths (Phase 3), and `required_relations` on session/validate (Phase 4) all **DONE** — `go build ./...` green, FGA + integration tests pass, proof-grep clean, principal-pinning + nil-engine handling tested. **Remaining:** the SQLite driver decision below, dashboard FGA pages (Phase 5), SDK cleanup in the separate `authorizer-go`/`authorizer-js` repos (Phase 6), Auth0 import tool + docs (Phase 7).
+
+> ⚠️ **KNOWN ISSUE — SQLite driver double-registration (needs a decision).** Linking OpenFGA's SQL datastores (`modernc.org/sqlite`) into the same binary as Authorizer's GORM SQLite driver (`glebarez/go-sqlite`) panics at startup: `sql: Register called twice for driver sqlite` (both register the name `sqlite`; glebarez is itself a modernc wrapper). Contained for now: OpenFGA's SQL datastores are behind the `fga_sql` build tag, so the **default build works** with embedded **`memory`** mode + **`external`** mode (external links no datastore → no conflict). **Embedded SQL-backed FGA in one binary is currently unusable.** Options: (A) **revise D1 → embedded = memory only; SQL persistence requires external OpenFGA** *(recommended — simplest, aligns with "external first-class for HA"; drops the embedded-SQLite single-node convenience)*; (B) dedupe the driver — point GORM at `modernc.org/sqlite` directly so only one `sqlite` registration exists *(keeps embedded-SQLite but is a storage-layer change with SQLite-test-suite impact)*; (C) accept external-only for persistence. **Pending your call.**
+
+> **Phase 0 spike result (FULLY validated, not assumed):** `openfga v1.17.1` embeds in-process; DSL→model→tuples→`Check`→`ListObjects` work incl. `but not` exclusion. **Persistent SQLite datastore verified** — data written by one process is read back by a separate fresh process (persistence across restart proven); bootstrap = `migrate.RunMigrations(...)` then `sqlite.New(uri, sqlcommon.NewConfig())` (pure-Go, no CGO). `go.mod` integration probe **passed** (whole authorizer tree builds with openfga added, `modernc.org/sqlite`→v1.51.0). Binary +~36–38M. See `openfga-modeling` skill for the verified bootstrap recipe + gotchas. **No open Phase 0 risks.**
+
+---
+
+## 0. Decisions (LOCKED — principal-engineer calls)
+
+| # | Decision | Locked choice | Note |
+|---|---|---|---|
+| **D1** | Multi-DB / FGA store | **Decouple from main DB.** Embedded **SQLite = single-node/dev only**; **external Postgres/MySQL required for HA/multi-replica.** No custom datastore adapters for Mongo/Dynamo/etc. | ⚠️ SQLite cannot back multi-writer. **Honest cost: any HA install runs a second datastore** — the real price of the multi-DB moat for FGA. |
+| **D2** | Deployment | **Both, configurable.** Embedded default (single-binary for dev/single-node) + **external OpenFGA first-class** (HA/distributed/cloud-native). | — |
+| **D3** | Permissions API | **Replace `required_permissions` → `required_relations`.** Keep existing `roles`/`scope` filters for coarse gating; document **singleton-object pattern** (`feature:x#reader`) for capability checks. | `roles` filter already covers coarse RBAC; no dead fields kept. |
+| **D4** | Roles ↔ graph | **Dual: keep `roles` claim AND mirror role grants as tuples** (`role:x#assignee@user:y`), maintained by Authorizer on role assignment. | Required for `[role#assignee]` grants + `list_objects`. |
+| **Store** | Multi-tenancy | **Single global OpenFGA store; isolate tenants in the graph** (namespaced object IDs + org-membership relations). Per-store only for data-residency isolation. | OpenFGA stores aren't built for thousands of tenants. |
+| **Why** | Explainability | **OpenFGA `Expand` for "why"; log decision traces for denied sensitive checks.** No custom explainer. | Compliance requirement. |
+
+**Model-change governance:** the authorization model (DSL) is extremely powerful (one edit re-grants broadly) → admin-gated, audited, and staged (write new model version, validate, then activate).
+
+**What is NOT removed:** core auth — login, OAuth2/OIDC, token issuance, sessions, **roles** (`roles`/`allowed_roles` claims), **OAuth scopes**, and the **custom-token-script hook**. Only the FGA Resource/Scope/Policy/Permission subsystem is removed.
+
+> ⚠️ **Two different "scope" concepts — do not conflate.** (a) **OAuth `scope`** (the `scope` claim, `SessionQueryRequest.scope`, consent) is core OIDC — **untouched**. (b) The FGA **`Scope` entity** (resource scope) is what we delete. The removal inventory in §1 refers only to (b).
+
+### Auth0 authz layers — what coexists with OpenFGA
+OpenFGA covers only the ReBAC layer. The full Auth0-parity stack is layered; these layers are **retained and integrated**, not replaced:
+
+| Auth0 layer | Covered by | Plan action |
+|---|---|---|
+| OAuth/OIDC scopes (API gate) | OAuth scopes (existing) | Keep; checked **before** FGA (cheap coarse gate) |
+| RBAC roles → token | roles claims (existing) | Keep; bridge to graph per D4 |
+| ReBAC (object access) | **OpenFGA (new)** | This plan |
+| Actions/Rules (token pipeline) | `CustomAccessTokenScript` (existing) | Keep; expose `engine.Check`/`ListObjects` to it |
+| ABAC / conditional | **OpenFGA Conditions + contextual tuples** | Fold in — no separate ABAC engine |
+| Organizations / B2B | tuples (`org:X#member@user:Y`) + `org_id` claim | Model membership as tuples |
+| CIBA / Token Vault / RFC 8693 delegation | — | **Out of scope** (next agent-auth layer; FGA authorizes, doesn't implement) |
+
+**Enforcement order at runtime:** OAuth scope check → FGA `Check`. Both must pass.
+
+---
+
+## 1. Removal inventory (what "completely remove" deletes)
+
+Verifiable by `grep` returning zero hits post-removal (excluding OpenFGA-new code).
+
+**Backend — storage**
+- `internal/storage/schemas/`: `resource.go`, `scope.go`, `policy.go`, `permission.go` (Resource, Scope, Policy, PolicyTarget, Permission, PermissionScope, PermissionPolicy, and the `*WithPolicies`/`*View` denorm types)
+- Provider interface methods in `internal/storage/provider.go`: all `*Resource`, `*Scope`, `*Policy`, `*PolicyTarget`, `*Permission`, `*PermissionScope`, `*PermissionPolicy`, `GetPermissionsForResourceScope`
+- All 6 DB implementations of the above: `db/sql/`, `db/mongodb/`, `db/arangodb/`, `db/cassandradb/`, `db/couchbase/`, `db/dynamodb/` (`resource.go`, `scope.go`, `policy.go`, `permission.go` in each)
+- AutoMigrate / collection-creation entries for those schemas in each `db/*/provider.go`
+- `schemas/model.go` `CollectionList` entries for those collections
+
+**Backend — engine**
+- `internal/authorization/` evaluator logic for resource/scope/policy (`evaluator.go`, parts of `cache.go`) — **repurposed**, not all deleted (the `Provider` interface + cache plumbing is reused by the new engine; see §3)
+
+**Backend — GraphQL**
+- `internal/graph/schema.graphqls`: types `AuthzResource(s)`, `AuthzScope(s)`, `AuthzPolicy/Target/Policies`, `AuthzPermission(s)`, `Permission`, `PermissionInput`; inputs `Add/Update Resource/Scope/Policy/Permission`, `PolicyTargetInput`; mutations `_authz_add/update/delete_{resource,scope,policy,permission}`; queries `_authz_{resources,scopes,policies,permissions}`, `permissions`
+- `internal/graphql/`: `authz_*.go` (16 files), `permission_check.go`, `permissions.go`
+
+**Dashboard**
+- `web/dashboard/src/pages/authorization/`: `Resources.tsx`, `Scopes.tsx`, `Policies.tsx`, `Permissions.tsx`
+- Authz entries in `graphql/mutation/index.ts`, `graphql/queries/index.ts`, `types.ts`
+
+**SDKs**
+- `authorizer-go`: `PermissionInput{Resource,Scope}`, `RequiredPermissions` fields on `get_session.go`, `validate_jwt_token.go`, `validate_session.go`
+- `authorizer-js`: `PermissionInput`, `Permission`, `required_permissions` on session/validate types
+
+---
+
+## 2. Target architecture
+
+```
+Relying app / AI agent / MCP client
+        │  check(user, relation, object) · list_objects · batch_check
+        ▼
+Authorizer GraphQL  ──►  AuthorizationEngine (OpenFGA)
+   _fga_* admin              ├─ embedded openfga lib (default)   ┐
+   fga_check / list          └─ external openfga (gRPC, config)  ┘
+        │                                  │
+   validate_jwt_token / validate_session / session
+   (required_permissions → relation checks)
+                                           ▼
+                              FGA tuple store (SQLite | Postgres | MySQL)
+```
+
+- **Model**: OpenFGA authorization model (DSL) — types, relations, conditions.
+- **Data**: relationship tuples `(object, relation, user)`.
+- **Decision**: `Check`; **retrieval**: `ListObjects` (RAG pre-filter), `BatchCheck`.
+
+### 2.1 Deployment modes (single-node / HA / serverless)
+The FGA store is the deciding factor. Same engine, different backing.
+
+| Mode | Engine | FGA store | Migrations | Notes |
+|---|---|---|---|---|
+| **Single-node / dev** | embedded | **SQLite file** | on boot (idempotent) OK | one process only; WAL sidecar files on local disk |
+| **HA / multi-replica** | embedded *or* external | **external Postgres/MySQL** | **separate init job** | SQLite cannot back multiple writers |
+| **Serverless** (Lambda/Cloud Run-scale/Vercel/Fly) | **external OpenFGA service preferred** (or embedded engine → external SQL) | **external managed Postgres/MySQL behind a connection pooler** | **separate init job; NEVER on cold start** | see rules below |
+
+**Serverless rules (review-derived — embedded-SQLite is NOT serverless-compatible):**
+- ❌ **No embedded SQLite** — ephemeral, non-shared disk; N concurrent instances can't share one file. Serverless ⇒ external SQL store, same constraint as HA but stricter.
+- ❌ **No migrate-on-cold-start** — run `migrate.RunMigrations` as a deploy/init job; concurrent cold starts must not race migrations and must not pay init latency.
+- ⚠️ **Connection pooling required** — per-instance pgx pools × many instances = connection explosion. Front Postgres with pgbouncer / RDS Proxy / provider pooling.
+- ⚠️ **Flush before response on freeze platforms (Lambda)** — OpenFGA workers and Authorizer's fire-and-forget audit goroutine (incl. the delegation audit chain) may be frozen post-response; ensure audit writes complete before returning, or enqueue.
+- ✅ **External `memory_store`** (Redis/DB) already serverless-ready — used for sessions, the FGA decision cache (embedded mode only), and the delegation revocation list.
+- ✅ **Don't cache FGA decisions in external mode** (locked rule) — so no stale-allow across ephemeral instances.
+- **Platform fit:** Cloud Run/Fly (process alive while warm) tolerate the embedded engine + external store; Lambda/Vercel (freeze-based) prefer the **external OpenFGA service** so the function binary stays lean and no in-process engine state depends on the frozen runtime.
+
+---
+
+## 3. Phased plan (goal-driven; each phase has a verify gate)
+
+### Phase 1 — Engine seam + OpenFGA embed
+1. Add `internal/authorization/engine` interface: `Check(ctx, user, relation, object, ctxTuples) (bool, error)`, `ListObjects(ctx, user, relation, type) ([]string, error)`, `BatchCheck`, `WriteTuples`, `DeleteTuples`, `ReadTuples`, `WriteModel`, `ReadModel`.
+2. Vendor `github.com/openfga/openfga` as an in-process library; implement `engine.openfga`.
+3. Wire FGA store config: `--fga-store=sqlite|postgres|mysql`, `--fga-store-url`, `--fga-mode=embedded|external`, `--fga-external-url`.
+4. Init in `cmd/root.go` after Storage/MemoryStore.
+
+→ **Verify:** unit test writes a model + tuples, `Check` returns expected allow/deny against the embedded store; server boots with `--fga-mode=embedded` on a Mongo main DB.
+
+### Phase 2 — Remove bespoke storage + engine *(deferred one release — review fix #4)*
+**Do not big-bang.** Ship Phase 1's SPI with **both** engines for one release: OpenFGA default, old `policy` engine still selectable (`--authorization-engine=fga|policy`). Validate FGA in production, *then* remove the old engine in the following release. The "completely remove" directive still holds — just one release later, behind the seam that exists precisely to de-risk this.
+1. (Release N) Both engines live behind SPI; default `fga`.
+2. (Release N+1) Delete schemas, provider methods, and all 6 DB impls per §1; remove AutoMigrate / collection entries; delete dead `evaluator.go` resource/scope/policy paths (keep cache plumbing reused by the new engine).
+
+→ **Verify:** N: both engines pass integration tests. N+1: `grep -r "Resource\|Scope\|Policy\|Permission" internal/storage` returns only unrelated hits; `go build ./...` green; `make test-all-db` green.
+
+### Phase 3 — GraphQL API replacement (breaking)
+1. Remove all `_authz_*` + `permissions` + `Permission*` schema/resolvers.
+2. Add admin model/tuple management (admin-gated, `_` prefix):
+   - `_fga_write_model(params): FgaModel!` / `_fga_get_model: FgaModel!`
+   - `_fga_write_tuples(params: [FgaTupleInput!]!): Response!`
+   - `_fga_delete_tuples(params: [FgaTupleInput!]!): Response!`
+   - `_fga_read_tuples(params: FgaReadInput!): FgaTuples!`
+3. Add runtime check API (authenticated, principal = `user:<id>`):
+   - `fga_check(params: FgaCheckInput!): FgaCheckResponse!`
+   - `fga_list_objects(params: FgaListObjectsInput!): FgaObjects!`
+   - `fga_batch_check(params: [FgaCheckInput!]!): [FgaCheckResponse!]!`
+   - `FgaCheckInput { object: String!, relation: String!, context: Map }`
+4. `make generate-graphql`.
+
+→ **Verify:** integration test: admin writes model+tuples via GraphQL, authenticated user gets correct `fga_check`/`fga_list_objects` results; old `_authz_*` ops return "unknown field".
+
+### Phase 4 — session / validate_session / validate_jwt (the API the user flagged) *(D3 — review fix #2)*
+**Coarse vs fine are different questions — don't force capabilities into ReBAC.**
+- **Coarse gating stays** on the existing `roles` (and `scope`) filters — pure "user must have role/scope X" needs no graph.
+- **Fine gating is new:** replace `required_permissions` with `required_relations: [{object, relation}]` (AND, OpenFGA `Check` with `user:<principal.ID>`).
+- **Capability-style checks** (e.g., "can read reports at all") use the **singleton-object pattern** — model `feature:reports#reader` and check `{object: "feature:reports", relation: "reader"}`. Documented, not awkward.
+1. Schema: remove `required_permissions: [PermissionInput!]`; add `required_relations: [FgaRelationCheck!]` on `SessionQueryRequest`, `ValidateJWTTokenRequest`, `ValidateSessionRequest`. Keep `roles`/`scope` filters untouched.
+2. Replace `enforceRequiredPermissions` → `enforceRequiredRelations`: loop `engine.Check(user, rel.relation, rel.object)`, AND semantics, fail-closed, keep metrics/labels shape.
+3. Update `session.go`, `validate_jwt_token.go`, `validate_session.go` call sites.
+
+→ **Verify:** `validate_session` with a satisfied relation → authorized; unsatisfied → `unauthorized`; empty list still authorizes; existing `roles` filter still gates coarsely.
+
+### Phase 5 — Dashboard
+Replace `pages/authorization/{Resources,Scopes,Policies,Permissions}.tsx` with:
+1. **Authorization Model** page — DSL editor (textarea + validate-on-save via `_fga_write_model`), shows current model + version.
+2. **Relationship Tuples** page — table + add/delete (`object`, `relation`, `user`), backed by `_fga_read/write/delete_tuples`.
+3. **Access Tester** page — form (`user`, `relation`, `object`) → calls `fga_check`, shows allow/deny + (optionally) `expand`.
+4. Update `graphql/mutation|queries/index.ts`, `types.ts`, route stays `authorization/*`.
+
+→ **Verify:** `make build-dashboard` green; manual: define model, add tuple, tester returns allow; remove tuple, tester returns deny.
+
+### Phase 6 — SDKs (client-facing surface only, per agreed scope — no admin CRUD)
+**authorizer-go** and **authorizer-js**:
+1. Remove `PermissionInput`/`Permission`/`required_permissions`.
+2. Add `required_relations` to `GetSession`/`ValidateJWTToken`/`ValidateSession` params.
+3. Add client methods: `FgaCheck`, `FgaListObjects`, `FgaBatchCheck` (+ a thin `FgaRetriever`-style helper for RAG pre-filtering in each).
+
+→ **Verify:** SDK unit tests against a running server: `FgaCheck` allow/deny correct; `FgaListObjects` returns expected IDs; `ValidateSession` honors `required_relations`.
+
+### Phase 7 — Auth0 import tool + Docs *(review fix #7 — the migration value, actually built)*
+1. **Auth0 FGA → Authorizer import** CLI/endpoint: ingest an Auth0/OpenFGA **model (DSL)** and **tuple export** → write via `_fga_write_model` / `_fga_write_tuples`. This is the headline migration deliverable; without it "ports 1:1" is just a claim.
+2. `MIGRATION.md`: breaking-change notes + Auth0-FGA→Authorizer mapping; singleton-object pattern guide for coarse checks.
+3. Document `--fga-*` flags, **SQL-store requirement (single-node SQLite vs HA external Postgres/MySQL — D1)**, embedded vs external.
+4. Update `ROADMAP_V2.md`: FGA = OpenFGA ReBAC.
+
+→ **Verify:** a real Auth0 FGA export imports and `fga_check` reproduces the same decisions; a follower can stand up FGA from the guide alone.
+
+---
+
+## 4. Cross-cutting
+
+- **Audit/metrics:** mirror existing `RecordAuthzCheck` / required-permissions metric shape for the new check + relation paths (low-cardinality labels).
+- **Cache (review fix #5 — don't double-cache):** **only cache in embedded mode**, where Authorizer intercepts every tuple/model write and can invalidate; key on `(user, relation, object, model_version)`. In **external mode, do NOT layer Authorizer's cache** — tuples can be written directly to OpenFGA, so rely on OpenFGA's own consistency/caching. A second cache there = stale-allow bug.
+- **`list_objects` cost (review fix #9):** expensive + an enumeration surface → mandatory pagination, result cap, latency budget, and rate-limit/DoS guards on `fga_list_objects`.
+- **Security:** `_fga_*` admin-gated (`IsSuperAdmin`); `fga_*` authenticated, principal pinned to token `sub` (never client-supplied user); fail-closed on engine error. **Model edits** admin-gated + audited + staged (write→validate→activate).
+- **Test matrix:** `make test-all-db` must pass to prove removal left no DB-impl dangling refs, even though the FGA store itself is SQL-only.
+
+## 5. Ordering / rollout *(review fix #4 — seam, not big-bang)*
+- **Release N:** Phase 1 (SPI + embed) + Phases 3/4 (new API) ship with **both engines** behind `--authorization-engine`, default `fga`. Old engine still selectable.
+- **Release N+1:** Phase 2 removal once FGA is validated in production.
+- **Then:** 5 (dashboard) + 6 (SDKs) once the API is frozen; 7 (import tool + docs).
+- **Prereqs (review fix #10):** Wave-2 delegation depends on agent identity + M2M/client-credentials (roadmap Phase 2) and OAuth 2.1 AS / DCR (Phase 4.1) — not started here.
+
+## 6. Open risks
+1. **D1 multi-DB** — the central tradeoff (above).
+2. **Embedding maturity** — confirm `openfga` embeds cleanly as a lib (Phase 0 spike) vs. forcing external mode.
+3. **Consistency window** — document OpenFGA consistency options for distributed deployments.
+4. **SDK scope** — admin tuple CRUD intentionally excluded from SDKs (matches agreed client-facing-only scope).
diff --git a/ROADMAP_V2.md b/ROADMAP_V2.md
index 3e365b0d..c6fc6755 100644
--- a/ROADMAP_V2.md
+++ b/ROADMAP_V2.md
@@ -18,10 +18,10 @@
 | 13+ Database backends | Done | Unique differentiator |
 | Rate Limiting / Brute Force | Missing | No protection at all |
 | M2M / Client Credentials | Missing | No service accounts or API keys |
-| Fine-Grained Permissions | Missing | Roles only, no resource-level control |
+| Fine-Grained Permissions | In progress (pre-stable) | RBAC/ABAC Resource/Scope/Policy/Permission engine exists; migrating to OpenFGA ReBAC — see FGA_OPENFGA_MIGRATION_PLAN.md |
 | SAML | Missing | Zero support |
 | SCIM / Directory Sync | Missing | No provisioning |
-| Audit Logs | Missing | Webhooks only, no queryable audit trail |
+| Audit Logs | Partial | Structured AuditLog + audit provider exist (single actor); needs delegation-chain fields for agents — see AGENTIC_DELEGATION_DESIGN.md |
 | Bot Detection | Missing | No CAPTCHA, no fingerprinting |
 | Monitoring / Metrics | Missing | Health check only, no Prometheus |
 | MCP Auth | Missing | No OAuth 2.1 AS capabilities |
@@ -328,6 +328,40 @@ These are table-stakes features that every competitor has. Without them, Authori
 
 ---
 
+## Agentic Authorization Track (cross-phase sequencing)
+
+> A re-sequencing lens over the items above, ordered by dependency for enterprise + agentic auth. Authorization for agents is a **pipeline**, not one feature; each wave builds on the last. ReBAC is necessary but not sufficient. Design detail: `FGA_OPENFGA_MIGRATION_PLAN.md`, `AGENTIC_DELEGATION_DESIGN.md`.
+
+**The pipeline (evaluated per request):** Identity → Authentication → Token/Delegation → Authorization (scope → RBAC → ReBAC → ABAC → list_objects) → Human-in-the-loop → Governance.
+
+### Wave 1 — Decision core *(now; replaces 2.1)*
+Object-level authorization + the RAG primitive.
+- [ ] **OpenFGA ReBAC engine** (replaces Resource/Scope/Policy/Permission) — `Check`, `list_objects`, `batch_check`, Conditions (ABAC). SQL-backed FGA store (embedded default / external optional).
+- [ ] **Keep & integrate** OAuth scopes (coarse gate), RBAC roles (optionally mirrored as tuples), custom-token-script hook (may call FGA).
+- [ ] **FGA-for-RAG** SDK helpers (`list_objects` pre-filter) in authorizer-go / authorizer-js.
+- *Unlocks:* document sharing, hierarchical/B2B authz, secure RAG retrieval.
+
+### Wave 2 — Delegation core *(next; folds in 2.2, 4.2, 4.3, 5.5)*
+Who is asking, with whose borrowed authority, constrained to what.
+- [ ] **Agent identity** — agents as first-class service-account principals (4.2).
+- [ ] **RFC 8693 token exchange** + **`act` delegation claim** (5.5 / 4.2) — see design doc.
+- [ ] **Attenuation / least-privilege** — exchanged-token scope = `subject ∩ requested ∩ agent ceiling` (reuses `Principal.MaxScopes`) (4.3).
+- [ ] **Audit delegation chain** — `on_behalf_of` + `act` chain on AuditLog (all DBs).
+- *Unlocks:* "agent acting for user, least-privilege, fully audited."
+
+### Wave 3 — Async + credential custody
+Human approval and safe third-party access.
+- [ ] **CIBA + Rich Authorization Requests (RAR)** — out-of-band human approval for sensitive agent actions.
+- [ ] **Token Vault** — encrypted per-user third-party token custody; agent never sees raw credentials.
+- *Unlocks:* human-in-the-loop, agents calling Google/Slack/etc. on a user's behalf.
+
+### Wave 4 — Enterprise hardening
+- [ ] **MCP authorization** (OAuth 2.1 + RFC 9728 + RFC 8707) (4.1) and **ID-JAG / Cross-App Access** for enterprise-managed MCP.
+- [ ] **JIT / time-bound grants** (TTL tuples), **per-agent guardrails** (spend/rate limits), **consent management**.
+- *Unlocks:* enterprise-managed agent deployments at scale.
+
+---
+
 ## Phase 5: Advanced Security & Enterprise (Q2-Q3 2027)
 
 ### 5.1 Passkeys / WebAuthn

From ccde4d4b264dcb6455931ce5167aee2be385ebea Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Mon, 8 Jun 2026 11:44:12 +0530
Subject: [PATCH 03/39] feat(authz): add _fga_list_users/_fga_expand and
 trust-gated subject on FGA checks

- Admin introspection ops `_fga_list_users` and `_fga_expand` (super-admin
  gated). These reveal the access graph (who-can-access / why), so they are
  admin-only rather than end-user facing.
- Optional, trust-gated `user` on `fga_check`/`fga_batch_check`/
  `fga_list_objects`: a super-admin may query an explicit subject; an ordinary
  end-user token stays pinned to its own subject and a client-supplied `user`
  is rejected (prevents enumerating another user's access). Centralized in
  resolveFgaSubject; M2M/client-credentials callers to be allowed in Phase 2.
- Engine SPI: ListUsers and Expand methods on AuthorizationEngine.
---
 internal/authorization/engine/engine.go       |  13 +
 .../engine/openfga/operations.go              |  59 ++
 internal/graph/generated/generated.go         | 629 +++++++++++++++++-
 internal/graph/model/models_gen.go            |  26 +-
 internal/graph/schema.graphqls                |  53 +-
 internal/graph/schema.resolvers.go            |  10 +
 internal/graphql/fga_admin.go                 |  64 ++
 internal/graphql/fga_runtime.go               | 100 ++-
 internal/graphql/provider.go                  |   7 +
 internal/integration_tests/fga_test.go        |  87 +++
 10 files changed, 1008 insertions(+), 40 deletions(-)

diff --git a/internal/authorization/engine/engine.go b/internal/authorization/engine/engine.go
index b4bedb74..2848f52f 100644
--- a/internal/authorization/engine/engine.go
+++ b/internal/authorization/engine/engine.go
@@ -119,6 +119,19 @@ type AuthorizationEngine interface {
 	// rate-limit. Returned IDs are fully qualified ("document:1").
 	ListObjects(ctx context.Context, user, relation, objType string) ([]string, error)
 
+	// ListUsers returns the fully qualified user IDs (e.g. "user:alice") of type
+	// userType that have relation on object. It is the inverse of ListObjects:
+	// "who can access this object?". This is a powerful enumeration surface that
+	// reveals the access graph — callers must admin-gate, cap and audit. Returned
+	// users are fully qualified ("user:alice").
+	ListUsers(ctx context.Context, object, relation, userType string) ([]string, error)
+
+	// Expand returns the OpenFGA relationship/userset tree for (relation, object)
+	// rendered as a JSON string. This is the explainability/"why" primitive: it
+	// shows how a relation resolves (direct assignments, usersets, computed
+	// relations). It reveals the access graph and must be admin-gated.
+	Expand(ctx context.Context, relation, object string) (string, error)
+
 	// WriteTuples persists the given relationship tuples. It is additive;
 	// duplicate writes may error depending on the backend.
 	WriteTuples(ctx context.Context, tuples []TupleKey) error
diff --git a/internal/authorization/engine/openfga/operations.go b/internal/authorization/engine/openfga/operations.go
index 5e903690..46e46bc8 100644
--- a/internal/authorization/engine/openfga/operations.go
+++ b/internal/authorization/engine/openfga/operations.go
@@ -3,9 +3,11 @@ package openfga
 import (
 	"context"
 	"fmt"
+	"strings"
 
 	openfgav1 "github.com/openfga/api/proto/openfga/v1"
 	language "github.com/openfga/language/pkg/go/transformer"
+	"github.com/openfga/openfga/pkg/tuple"
 	"google.golang.org/protobuf/encoding/protojson"
 	"google.golang.org/protobuf/types/known/wrapperspb"
 
@@ -107,6 +109,63 @@ func (e *engineImpl) ListObjects(ctx context.Context, user, relation, objType st
 	return res.GetObjects(), nil
 }
 
+// ListUsers returns the fully qualified user IDs (e.g. "user:alice") of type
+// userType that have relation on object. It is the inverse of ListObjects
+// ("who can access this object?") and an expensive enumeration surface that
+// reveals the access graph — callers must admin-gate, cap and audit.
+func (e *engineImpl) ListUsers(ctx context.Context, object, relation, userType string) ([]string, error) {
+	storeID, modelID := e.ids()
+	if modelID == "" {
+		return nil, fmt.Errorf("openfga.ListUsers: no authorization model written yet")
+	}
+	objType, objID, found := strings.Cut(object, ":")
+	if !found || objType == "" || objID == "" {
+		return nil, fmt.Errorf("openfga.ListUsers: object must be in type:id form, got %q", object)
+	}
+	res, err := e.srv.ListUsers(ctx, &openfgav1.ListUsersRequest{
+		StoreId:              storeID,
+		AuthorizationModelId: modelID,
+		Object:               &openfgav1.Object{Type: objType, Id: objID},
+		Relation:             relation,
+		UserFilters:          []*openfgav1.UserTypeFilter{{Type: userType}},
+	})
+	if err != nil {
+		return nil, fmt.Errorf("openfga.ListUsers: %w", err)
+	}
+	users := make([]string, 0, len(res.GetUsers()))
+	for _, u := range res.GetUsers() {
+		users = append(users, string(tuple.UserProtoToString(u)))
+	}
+	return users, nil
+}
+
+// Expand returns the OpenFGA relationship/userset tree for (relation, object)
+// rendered as a JSON string (the explainability/"why" primitive). The tree is
+// marshaled via protojson so it is a stable, machine-readable representation of
+// how the relation resolves.
+func (e *engineImpl) Expand(ctx context.Context, relation, object string) (string, error) {
+	storeID, modelID := e.ids()
+	if modelID == "" {
+		return "", fmt.Errorf("openfga.Expand: no authorization model written yet")
+	}
+	res, err := e.srv.Expand(ctx, &openfgav1.ExpandRequest{
+		StoreId:              storeID,
+		AuthorizationModelId: modelID,
+		TupleKey: &openfgav1.ExpandRequestTupleKey{
+			Relation: relation,
+			Object:   object,
+		},
+	})
+	if err != nil {
+		return "", fmt.Errorf("openfga.Expand: %w", err)
+	}
+	jsonBytes, err := protojson.Marshal(res.GetTree())
+	if err != nil {
+		return "", fmt.Errorf("openfga.Expand: marshal tree: %w", err)
+	}
+	return string(jsonBytes), nil
+}
+
 // WriteTuples persists the given relationship tuples.
 func (e *engineImpl) WriteTuples(ctx context.Context, tuples []engine.TupleKey) error {
 	if len(tuples) == 0 {
diff --git a/internal/graph/generated/generated.go b/internal/graph/generated/generated.go
index cdf463d1..954ecc39 100644
--- a/internal/graph/generated/generated.go
+++ b/internal/graph/generated/generated.go
@@ -182,10 +182,18 @@ type ComplexityRoot struct {
 		Allowed func(childComplexity int) int
 	}
 
+	FgaExpandResponse struct {
+		Tree func(childComplexity int) int
+	}
+
 	FgaListObjectsResponse struct {
 		Objects func(childComplexity int) int
 	}
 
+	FgaListUsersResponse struct {
+		Users func(childComplexity int) int
+	}
+
 	FgaModel struct {
 		Dsl func(childComplexity int) int
 		ID  func(childComplexity int) int
@@ -293,8 +301,10 @@ type ComplexityRoot struct {
 		Env                  func(childComplexity int) int
 		FgaBatchCheck        func(childComplexity int, params model.FgaBatchCheckInput) int
 		FgaCheck             func(childComplexity int, params model.FgaCheckInput) int
+		FgaExpand            func(childComplexity int, params model.FgaExpandInput) int
 		FgaGetModel          func(childComplexity int) int
 		FgaListObjects       func(childComplexity int, params model.FgaListObjectsInput) int
+		FgaListUsers         func(childComplexity int, params model.FgaListUsersInput) int
 		FgaReadTuples        func(childComplexity int, params model.FgaReadTuplesInput) int
 		Meta                 func(childComplexity int) int
 		Profile              func(childComplexity int) int
@@ -460,6 +470,8 @@ type QueryResolver interface {
 	AuditLogs(ctx context.Context, params *model.ListAuditLogRequest) (*model.AuditLogs, error)
 	FgaGetModel(ctx context.Context) (*model.FgaModel, error)
 	FgaReadTuples(ctx context.Context, params model.FgaReadTuplesInput) (*model.FgaTuples, error)
+	FgaListUsers(ctx context.Context, params model.FgaListUsersInput) (*model.FgaListUsersResponse, error)
+	FgaExpand(ctx context.Context, params model.FgaExpandInput) (*model.FgaExpandResponse, error)
 	FgaCheck(ctx context.Context, params model.FgaCheckInput) (*model.FgaCheckResponse, error)
 	FgaBatchCheck(ctx context.Context, params model.FgaBatchCheckInput) (*model.FgaBatchCheckResponse, error)
 	FgaListObjects(ctx context.Context, params model.FgaListObjectsInput) (*model.FgaListObjectsResponse, error)
@@ -1247,6 +1259,13 @@ func (e *executableSchema) Complexity(ctx context.Context, typeName, field strin
 
 		return e.complexity.FgaCheckResponse.Allowed(childComplexity), true
 
+	case "FgaExpandResponse.tree":
+		if e.complexity.FgaExpandResponse.Tree == nil {
+			break
+		}
+
+		return e.complexity.FgaExpandResponse.Tree(childComplexity), true
+
 	case "FgaListObjectsResponse.objects":
 		if e.complexity.FgaListObjectsResponse.Objects == nil {
 			break
@@ -1254,6 +1273,13 @@ func (e *executableSchema) Complexity(ctx context.Context, typeName, field strin
 
 		return e.complexity.FgaListObjectsResponse.Objects(childComplexity), true
 
+	case "FgaListUsersResponse.users":
+		if e.complexity.FgaListUsersResponse.Users == nil {
+			break
+		}
+
+		return e.complexity.FgaListUsersResponse.Users(childComplexity), true
+
 	case "FgaModel.dsl":
 		if e.complexity.FgaModel.Dsl == nil {
 			break
@@ -1987,6 +2013,18 @@ func (e *executableSchema) Complexity(ctx context.Context, typeName, field strin
 
 		return e.complexity.Query.FgaCheck(childComplexity, args["params"].(model.FgaCheckInput)), true
 
+	case "Query._fga_expand":
+		if e.complexity.Query.FgaExpand == nil {
+			break
+		}
+
+		args, err := ec.field_Query__fga_expand_args(ctx, rawArgs)
+		if err != nil {
+			return 0, false
+		}
+
+		return e.complexity.Query.FgaExpand(childComplexity, args["params"].(model.FgaExpandInput)), true
+
 	case "Query._fga_get_model":
 		if e.complexity.Query.FgaGetModel == nil {
 			break
@@ -2006,6 +2044,18 @@ func (e *executableSchema) Complexity(ctx context.Context, typeName, field strin
 
 		return e.complexity.Query.FgaListObjects(childComplexity, args["params"].(model.FgaListObjectsInput)), true
 
+	case "Query._fga_list_users":
+		if e.complexity.Query.FgaListUsers == nil {
+			break
+		}
+
+		args, err := ec.field_Query__fga_list_users_args(ctx, rawArgs)
+		if err != nil {
+			return 0, false
+		}
+
+		return e.complexity.Query.FgaListUsers(childComplexity, args["params"].(model.FgaListUsersInput)), true
+
 	case "Query._fga_read_tuples":
 		if e.complexity.Query.FgaReadTuples == nil {
 			break
@@ -2570,7 +2620,9 @@ func (e *executableSchema) Exec(ctx context.Context) graphql.ResponseHandler {
 		ec.unmarshalInputFgaBatchCheckInput,
 		ec.unmarshalInputFgaCheckInput,
 		ec.unmarshalInputFgaCheckPairInput,
+		ec.unmarshalInputFgaExpandInput,
 		ec.unmarshalInputFgaListObjectsInput,
+		ec.unmarshalInputFgaListUsersInput,
 		ec.unmarshalInputFgaReadTuplesInput,
 		ec.unmarshalInputFgaRelationInput,
 		ec.unmarshalInputFgaTupleInput,
@@ -2853,6 +2905,18 @@ type FgaListObjectsResponse {
   objects: [String!]!
 }
 
+# FgaListUsersResponse lists fully-qualified user ids (e.g. "user:alice") that
+# have the queried relation on an object. Admin-only (reveals the access graph).
+type FgaListUsersResponse {
+  users: [String!]!
+}
+
+# FgaExpandResponse is the OpenFGA relationship/userset tree for a (relation,
+# object), serialized as a JSON string. Admin-only (reveals the access graph).
+type FgaExpandResponse {
+  tree: String!
+}
+
 type ForgotPasswordResponse {
   message: String!
   should_show_mobile_otp_screen: Boolean
@@ -3424,14 +3488,19 @@ input FgaReadTuplesInput {
   continuation_token: String
 }
 
-# FgaCheckInput asks "is the authenticated caller related to object via
-# relation?". The caller (user) is pinned server-side from the auth token and is
-# NEVER taken from client input. Only relation, object and optional contextual
-# tuples are accepted from the client.
+# FgaCheckInput asks "is <user> related to object via relation?". The subject
+# (user) defaults to the authenticated caller and is pinned server-side from the
+# auth token. The optional ` + "`" + `user` + "`" + ` field lets a TRUSTED caller (super-admin) check
+# on behalf of another subject; a non-trusted caller supplying ` + "`" + `user` + "`" + ` is rejected
+# (no silent self-fallback). Only relation, object, optional ` + "`" + `user` + "`" + ` and optional
+# contextual tuples are accepted from the client.
 input FgaCheckInput {
   relation: String!
   object: String!
   contextual_tuples: [FgaTupleInput!]
+  # Optional subject override ("type:id" or bare id → "user:id"). Honored only
+  # for super-admin callers; rejected otherwise.
+  user: String
 }
 
 # FgaBatchCheckInput evaluates multiple relation/object pairs for the
@@ -3445,13 +3514,35 @@ input FgaCheckPairInput {
   relation: String!
   object: String!
   contextual_tuples: [FgaTupleInput!]
+  # Optional subject override ("type:id" or bare id → "user:id"). Honored only
+  # for super-admin callers; rejected otherwise.
+  user: String
 }
 
-# FgaListObjectsInput enumerates objects of type object_type the authenticated
-# caller relates to via relation (principal pinned server-side).
+# FgaListObjectsInput enumerates objects of type object_type that <user> relates
+# to via relation. The subject defaults to the authenticated caller; the optional
+# ` + "`" + `user` + "`" + ` override is honored only for super-admin callers (rejected otherwise).
 input FgaListObjectsInput {
   relation: String!
   object_type: String!
+  # Optional subject override ("type:id" or bare id → "user:id"). Honored only
+  # for super-admin callers; rejected otherwise.
+  user: String
+}
+
+# FgaListUsersInput asks "which users of user_type have relation on object?".
+# Admin-only (reveals the access graph).
+input FgaListUsersInput {
+  object: String!
+  relation: String!
+  user_type: String!
+}
+
+# FgaExpandInput asks for the relationship/userset tree of (relation, object).
+# Admin-only (reveals the access graph).
+input FgaExpandInput {
+  relation: String!
+  object: String!
 }
 
 # FgaRelationInput is a (relation, object) requirement evaluated against the
@@ -3527,6 +3618,8 @@ type Query {
   # FGA admin queries (super-admin only)
   _fga_get_model: FgaModel!
   _fga_read_tuples(params: FgaReadTuplesInput!): FgaTuples!
+  _fga_list_users(params: FgaListUsersInput!): FgaListUsersResponse!
+  _fga_expand(params: FgaExpandInput!): FgaExpandResponse!
   # FGA runtime queries (authenticated caller; principal pinned server-side)
   fga_check(params: FgaCheckInput!): FgaCheckResponse!
   fga_batch_check(params: FgaBatchCheckInput!): FgaBatchCheckResponse!
@@ -4520,6 +4613,62 @@ func (ec *executionContext) field_Query__email_templates_argsParams(
 	return zeroVal, nil
 }
 
+func (ec *executionContext) field_Query__fga_expand_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+	var err error
+	args := map[string]any{}
+	arg0, err := ec.field_Query__fga_expand_argsParams(ctx, rawArgs)
+	if err != nil {
+		return nil, err
+	}
+	args["params"] = arg0
+	return args, nil
+}
+func (ec *executionContext) field_Query__fga_expand_argsParams(
+	ctx context.Context,
+	rawArgs map[string]any,
+) (model.FgaExpandInput, error) {
+	if _, ok := rawArgs["params"]; !ok {
+		var zeroVal model.FgaExpandInput
+		return zeroVal, nil
+	}
+
+	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
+	if tmp, ok := rawArgs["params"]; ok {
+		return ec.unmarshalNFgaExpandInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaExpandInput(ctx, tmp)
+	}
+
+	var zeroVal model.FgaExpandInput
+	return zeroVal, nil
+}
+
+func (ec *executionContext) field_Query__fga_list_users_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+	var err error
+	args := map[string]any{}
+	arg0, err := ec.field_Query__fga_list_users_argsParams(ctx, rawArgs)
+	if err != nil {
+		return nil, err
+	}
+	args["params"] = arg0
+	return args, nil
+}
+func (ec *executionContext) field_Query__fga_list_users_argsParams(
+	ctx context.Context,
+	rawArgs map[string]any,
+) (model.FgaListUsersInput, error) {
+	if _, ok := rawArgs["params"]; !ok {
+		var zeroVal model.FgaListUsersInput
+		return zeroVal, nil
+	}
+
+	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
+	if tmp, ok := rawArgs["params"]; ok {
+		return ec.unmarshalNFgaListUsersInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaListUsersInput(ctx, tmp)
+	}
+
+	var zeroVal model.FgaListUsersInput
+	return zeroVal, nil
+}
+
 func (ec *executionContext) field_Query__fga_read_tuples_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
@@ -9675,6 +9824,50 @@ func (ec *executionContext) fieldContext_FgaCheckResponse_allowed(_ context.Cont
 	return fc, nil
 }
 
+func (ec *executionContext) _FgaExpandResponse_tree(ctx context.Context, field graphql.CollectedField, obj *model.FgaExpandResponse) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_FgaExpandResponse_tree(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.Tree, nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
+		return graphql.Null
+	}
+	res := resTmp.(string)
+	fc.Result = res
+	return ec.marshalNString2string(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext_FgaExpandResponse_tree(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "FgaExpandResponse",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type String does not have child fields")
+		},
+	}
+	return fc, nil
+}
+
 func (ec *executionContext) _FgaListObjectsResponse_objects(ctx context.Context, field graphql.CollectedField, obj *model.FgaListObjectsResponse) (ret graphql.Marshaler) {
 	fc, err := ec.fieldContext_FgaListObjectsResponse_objects(ctx, field)
 	if err != nil {
@@ -9719,6 +9912,50 @@ func (ec *executionContext) fieldContext_FgaListObjectsResponse_objects(_ contex
 	return fc, nil
 }
 
+func (ec *executionContext) _FgaListUsersResponse_users(ctx context.Context, field graphql.CollectedField, obj *model.FgaListUsersResponse) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_FgaListUsersResponse_users(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.Users, nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
+		return graphql.Null
+	}
+	res := resTmp.([]string)
+	fc.Result = res
+	return ec.marshalNString2ᚕstringᚄ(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext_FgaListUsersResponse_users(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "FgaListUsersResponse",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type String does not have child fields")
+		},
+	}
+	return fc, nil
+}
+
 func (ec *executionContext) _FgaModel_id(ctx context.Context, field graphql.CollectedField, obj *model.FgaModel) (ret graphql.Marshaler) {
 	fc, err := ec.fieldContext_FgaModel_id(ctx, field)
 	if err != nil {
@@ -14898,6 +15135,124 @@ func (ec *executionContext) fieldContext_Query__fga_read_tuples(ctx context.Cont
 	return fc, nil
 }
 
+func (ec *executionContext) _Query__fga_list_users(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Query__fga_list_users(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return ec.resolvers.Query().FgaListUsers(rctx, fc.Args["params"].(model.FgaListUsersInput))
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
+		return graphql.Null
+	}
+	res := resTmp.(*model.FgaListUsersResponse)
+	fc.Result = res
+	return ec.marshalNFgaListUsersResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaListUsersResponse(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext_Query__fga_list_users(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "Query",
+		Field:      field,
+		IsMethod:   true,
+		IsResolver: true,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			switch field.Name {
+			case "users":
+				return ec.fieldContext_FgaListUsersResponse_users(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type FgaListUsersResponse", field.Name)
+		},
+	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Query__fga_list_users_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) _Query__fga_expand(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Query__fga_expand(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return ec.resolvers.Query().FgaExpand(rctx, fc.Args["params"].(model.FgaExpandInput))
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
+		return graphql.Null
+	}
+	res := resTmp.(*model.FgaExpandResponse)
+	fc.Result = res
+	return ec.marshalNFgaExpandResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaExpandResponse(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext_Query__fga_expand(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "Query",
+		Field:      field,
+		IsMethod:   true,
+		IsResolver: true,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			switch field.Name {
+			case "tree":
+				return ec.fieldContext_FgaExpandResponse_tree(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type FgaExpandResponse", field.Name)
+		},
+	}
+	defer func() {
+		if r := recover(); r != nil {
+			err = ec.Recover(ctx, r)
+			ec.Error(ctx, err)
+		}
+	}()
+	ctx = graphql.WithFieldContext(ctx, fc)
+	if fc.Args, err = ec.field_Query__fga_expand_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+		ec.Error(ctx, err)
+		return fc, err
+	}
+	return fc, nil
+}
+
 func (ec *executionContext) _Query_fga_check(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
 	fc, err := ec.fieldContext_Query_fga_check(ctx, field)
 	if err != nil {
@@ -20059,7 +20414,7 @@ func (ec *executionContext) unmarshalInputFgaCheckInput(ctx context.Context, obj
 		asMap[k] = v
 	}
 
-	fieldsInOrder := [...]string{"relation", "object", "contextual_tuples"}
+	fieldsInOrder := [...]string{"relation", "object", "contextual_tuples", "user"}
 	for _, k := range fieldsInOrder {
 		v, ok := asMap[k]
 		if !ok {
@@ -20087,6 +20442,13 @@ func (ec *executionContext) unmarshalInputFgaCheckInput(ctx context.Context, obj
 				return it, err
 			}
 			it.ContextualTuples = data
+		case "user":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("user"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.User = data
 		}
 	}
 
@@ -20100,7 +20462,7 @@ func (ec *executionContext) unmarshalInputFgaCheckPairInput(ctx context.Context,
 		asMap[k] = v
 	}
 
-	fieldsInOrder := [...]string{"relation", "object", "contextual_tuples"}
+	fieldsInOrder := [...]string{"relation", "object", "contextual_tuples", "user"}
 	for _, k := range fieldsInOrder {
 		v, ok := asMap[k]
 		if !ok {
@@ -20128,6 +20490,47 @@ func (ec *executionContext) unmarshalInputFgaCheckPairInput(ctx context.Context,
 				return it, err
 			}
 			it.ContextualTuples = data
+		case "user":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("user"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.User = data
+		}
+	}
+
+	return it, nil
+}
+
+func (ec *executionContext) unmarshalInputFgaExpandInput(ctx context.Context, obj any) (model.FgaExpandInput, error) {
+	var it model.FgaExpandInput
+	asMap := map[string]any{}
+	for k, v := range obj.(map[string]any) {
+		asMap[k] = v
+	}
+
+	fieldsInOrder := [...]string{"relation", "object"}
+	for _, k := range fieldsInOrder {
+		v, ok := asMap[k]
+		if !ok {
+			continue
+		}
+		switch k {
+		case "relation":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("relation"))
+			data, err := ec.unmarshalNString2string(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Relation = data
+		case "object":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("object"))
+			data, err := ec.unmarshalNString2string(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Object = data
 		}
 	}
 
@@ -20141,7 +20544,7 @@ func (ec *executionContext) unmarshalInputFgaListObjectsInput(ctx context.Contex
 		asMap[k] = v
 	}
 
-	fieldsInOrder := [...]string{"relation", "object_type"}
+	fieldsInOrder := [...]string{"relation", "object_type", "user"}
 	for _, k := range fieldsInOrder {
 		v, ok := asMap[k]
 		if !ok {
@@ -20162,6 +20565,54 @@ func (ec *executionContext) unmarshalInputFgaListObjectsInput(ctx context.Contex
 				return it, err
 			}
 			it.ObjectType = data
+		case "user":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("user"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.User = data
+		}
+	}
+
+	return it, nil
+}
+
+func (ec *executionContext) unmarshalInputFgaListUsersInput(ctx context.Context, obj any) (model.FgaListUsersInput, error) {
+	var it model.FgaListUsersInput
+	asMap := map[string]any{}
+	for k, v := range obj.(map[string]any) {
+		asMap[k] = v
+	}
+
+	fieldsInOrder := [...]string{"object", "relation", "user_type"}
+	for _, k := range fieldsInOrder {
+		v, ok := asMap[k]
+		if !ok {
+			continue
+		}
+		switch k {
+		case "object":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("object"))
+			data, err := ec.unmarshalNString2string(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Object = data
+		case "relation":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("relation"))
+			data, err := ec.unmarshalNString2string(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Relation = data
+		case "user_type":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("user_type"))
+			data, err := ec.unmarshalNString2string(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.UserType = data
 		}
 	}
 
@@ -23043,6 +23494,45 @@ func (ec *executionContext) _FgaCheckResponse(ctx context.Context, sel ast.Selec
 	return out
 }
 
+var fgaExpandResponseImplementors = []string{"FgaExpandResponse"}
+
+func (ec *executionContext) _FgaExpandResponse(ctx context.Context, sel ast.SelectionSet, obj *model.FgaExpandResponse) graphql.Marshaler {
+	fields := graphql.CollectFields(ec.OperationContext, sel, fgaExpandResponseImplementors)
+
+	out := graphql.NewFieldSet(fields)
+	deferred := make(map[string]*graphql.FieldSet)
+	for i, field := range fields {
+		switch field.Name {
+		case "__typename":
+			out.Values[i] = graphql.MarshalString("FgaExpandResponse")
+		case "tree":
+			out.Values[i] = ec._FgaExpandResponse_tree(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		default:
+			panic("unknown field " + strconv.Quote(field.Name))
+		}
+	}
+	out.Dispatch(ctx)
+	if out.Invalids > 0 {
+		return graphql.Null
+	}
+
+	atomic.AddInt32(&ec.deferred, int32(len(deferred)))
+
+	for label, dfs := range deferred {
+		ec.processDeferredGroup(graphql.DeferredGroup{
+			Label:    label,
+			Path:     graphql.GetPath(ctx),
+			FieldSet: dfs,
+			Context:  ctx,
+		})
+	}
+
+	return out
+}
+
 var fgaListObjectsResponseImplementors = []string{"FgaListObjectsResponse"}
 
 func (ec *executionContext) _FgaListObjectsResponse(ctx context.Context, sel ast.SelectionSet, obj *model.FgaListObjectsResponse) graphql.Marshaler {
@@ -23082,6 +23572,45 @@ func (ec *executionContext) _FgaListObjectsResponse(ctx context.Context, sel ast
 	return out
 }
 
+var fgaListUsersResponseImplementors = []string{"FgaListUsersResponse"}
+
+func (ec *executionContext) _FgaListUsersResponse(ctx context.Context, sel ast.SelectionSet, obj *model.FgaListUsersResponse) graphql.Marshaler {
+	fields := graphql.CollectFields(ec.OperationContext, sel, fgaListUsersResponseImplementors)
+
+	out := graphql.NewFieldSet(fields)
+	deferred := make(map[string]*graphql.FieldSet)
+	for i, field := range fields {
+		switch field.Name {
+		case "__typename":
+			out.Values[i] = graphql.MarshalString("FgaListUsersResponse")
+		case "users":
+			out.Values[i] = ec._FgaListUsersResponse_users(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		default:
+			panic("unknown field " + strconv.Quote(field.Name))
+		}
+	}
+	out.Dispatch(ctx)
+	if out.Invalids > 0 {
+		return graphql.Null
+	}
+
+	atomic.AddInt32(&ec.deferred, int32(len(deferred)))
+
+	for label, dfs := range deferred {
+		ec.processDeferredGroup(graphql.DeferredGroup{
+			Label:    label,
+			Path:     graphql.GetPath(ctx),
+			FieldSet: dfs,
+			Context:  ctx,
+		})
+	}
+
+	return out
+}
+
 var fgaModelImplementors = []string{"FgaModel"}
 
 func (ec *executionContext) _FgaModel(ctx context.Context, sel ast.SelectionSet, obj *model.FgaModel) graphql.Marshaler {
@@ -24208,6 +24737,50 @@ func (ec *executionContext) _Query(ctx context.Context, sel ast.SelectionSet) gr
 					func(ctx context.Context) graphql.Marshaler { return innerFunc(ctx, out) })
 			}
 
+			out.Concurrently(i, func(ctx context.Context) graphql.Marshaler { return rrm(innerCtx) })
+		case "_fga_list_users":
+			field := field
+
+			innerFunc := func(ctx context.Context, fs *graphql.FieldSet) (res graphql.Marshaler) {
+				defer func() {
+					if r := recover(); r != nil {
+						ec.Error(ctx, ec.Recover(ctx, r))
+					}
+				}()
+				res = ec._Query__fga_list_users(ctx, field)
+				if res == graphql.Null {
+					atomic.AddUint32(&fs.Invalids, 1)
+				}
+				return res
+			}
+
+			rrm := func(ctx context.Context) graphql.Marshaler {
+				return ec.OperationContext.RootResolverMiddleware(ctx,
+					func(ctx context.Context) graphql.Marshaler { return innerFunc(ctx, out) })
+			}
+
+			out.Concurrently(i, func(ctx context.Context) graphql.Marshaler { return rrm(innerCtx) })
+		case "_fga_expand":
+			field := field
+
+			innerFunc := func(ctx context.Context, fs *graphql.FieldSet) (res graphql.Marshaler) {
+				defer func() {
+					if r := recover(); r != nil {
+						ec.Error(ctx, ec.Recover(ctx, r))
+					}
+				}()
+				res = ec._Query__fga_expand(ctx, field)
+				if res == graphql.Null {
+					atomic.AddUint32(&fs.Invalids, 1)
+				}
+				return res
+			}
+
+			rrm := func(ctx context.Context) graphql.Marshaler {
+				return ec.OperationContext.RootResolverMiddleware(ctx,
+					func(ctx context.Context) graphql.Marshaler { return innerFunc(ctx, out) })
+			}
+
 			out.Concurrently(i, func(ctx context.Context) graphql.Marshaler { return rrm(innerCtx) })
 		case "fga_check":
 			field := field
@@ -25539,6 +26112,25 @@ func (ec *executionContext) marshalNFgaCheckResponse2ᚖgithubᚗcomᚋauthorize
 	return ec._FgaCheckResponse(ctx, sel, v)
 }
 
+func (ec *executionContext) unmarshalNFgaExpandInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaExpandInput(ctx context.Context, v any) (model.FgaExpandInput, error) {
+	res, err := ec.unmarshalInputFgaExpandInput(ctx, v)
+	return res, graphql.ErrorOnPath(ctx, err)
+}
+
+func (ec *executionContext) marshalNFgaExpandResponse2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaExpandResponse(ctx context.Context, sel ast.SelectionSet, v model.FgaExpandResponse) graphql.Marshaler {
+	return ec._FgaExpandResponse(ctx, sel, &v)
+}
+
+func (ec *executionContext) marshalNFgaExpandResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaExpandResponse(ctx context.Context, sel ast.SelectionSet, v *model.FgaExpandResponse) graphql.Marshaler {
+	if v == nil {
+		if !graphql.HasFieldError(ctx, graphql.GetFieldContext(ctx)) {
+			ec.Errorf(ctx, "the requested element is null which the schema does not allow")
+		}
+		return graphql.Null
+	}
+	return ec._FgaExpandResponse(ctx, sel, v)
+}
+
 func (ec *executionContext) unmarshalNFgaListObjectsInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaListObjectsInput(ctx context.Context, v any) (model.FgaListObjectsInput, error) {
 	res, err := ec.unmarshalInputFgaListObjectsInput(ctx, v)
 	return res, graphql.ErrorOnPath(ctx, err)
@@ -25558,6 +26150,25 @@ func (ec *executionContext) marshalNFgaListObjectsResponse2ᚖgithubᚗcomᚋaut
 	return ec._FgaListObjectsResponse(ctx, sel, v)
 }
 
+func (ec *executionContext) unmarshalNFgaListUsersInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaListUsersInput(ctx context.Context, v any) (model.FgaListUsersInput, error) {
+	res, err := ec.unmarshalInputFgaListUsersInput(ctx, v)
+	return res, graphql.ErrorOnPath(ctx, err)
+}
+
+func (ec *executionContext) marshalNFgaListUsersResponse2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaListUsersResponse(ctx context.Context, sel ast.SelectionSet, v model.FgaListUsersResponse) graphql.Marshaler {
+	return ec._FgaListUsersResponse(ctx, sel, &v)
+}
+
+func (ec *executionContext) marshalNFgaListUsersResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaListUsersResponse(ctx context.Context, sel ast.SelectionSet, v *model.FgaListUsersResponse) graphql.Marshaler {
+	if v == nil {
+		if !graphql.HasFieldError(ctx, graphql.GetFieldContext(ctx)) {
+			ec.Errorf(ctx, "the requested element is null which the schema does not allow")
+		}
+		return graphql.Null
+	}
+	return ec._FgaListUsersResponse(ctx, sel, v)
+}
+
 func (ec *executionContext) marshalNFgaModel2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaModel(ctx context.Context, sel ast.SelectionSet, v model.FgaModel) graphql.Marshaler {
 	return ec._FgaModel(ctx, sel, &v)
 }
diff --git a/internal/graph/model/models_gen.go b/internal/graph/model/models_gen.go
index ae7f1c4c..af50b6ef 100644
--- a/internal/graph/model/models_gen.go
+++ b/internal/graph/model/models_gen.go
@@ -173,27 +173,49 @@ type FgaCheckInput struct {
 	Relation         string           `json:"relation"`
 	Object           string           `json:"object"`
 	ContextualTuples []*FgaTupleInput `json:"contextual_tuples,omitempty"`
+	User             *string          `json:"user,omitempty"`
 }
 
 type FgaCheckPairInput struct {
 	Relation         string           `json:"relation"`
 	Object           string           `json:"object"`
 	ContextualTuples []*FgaTupleInput `json:"contextual_tuples,omitempty"`
+	User             *string          `json:"user,omitempty"`
 }
 
 type FgaCheckResponse struct {
 	Allowed bool `json:"allowed"`
 }
 
+type FgaExpandInput struct {
+	Relation string `json:"relation"`
+	Object   string `json:"object"`
+}
+
+type FgaExpandResponse struct {
+	Tree string `json:"tree"`
+}
+
 type FgaListObjectsInput struct {
-	Relation   string `json:"relation"`
-	ObjectType string `json:"object_type"`
+	Relation   string  `json:"relation"`
+	ObjectType string  `json:"object_type"`
+	User       *string `json:"user,omitempty"`
 }
 
 type FgaListObjectsResponse struct {
 	Objects []string `json:"objects"`
 }
 
+type FgaListUsersInput struct {
+	Object   string `json:"object"`
+	Relation string `json:"relation"`
+	UserType string `json:"user_type"`
+}
+
+type FgaListUsersResponse struct {
+	Users []string `json:"users"`
+}
+
 type FgaModel struct {
 	ID  string `json:"id"`
 	Dsl string `json:"dsl"`
diff --git a/internal/graph/schema.graphqls b/internal/graph/schema.graphqls
index af2598a8..26065b88 100644
--- a/internal/graph/schema.graphqls
+++ b/internal/graph/schema.graphqls
@@ -148,6 +148,18 @@ type FgaListObjectsResponse {
   objects: [String!]!
 }
 
+# FgaListUsersResponse lists fully-qualified user ids (e.g. "user:alice") that
+# have the queried relation on an object. Admin-only (reveals the access graph).
+type FgaListUsersResponse {
+  users: [String!]!
+}
+
+# FgaExpandResponse is the OpenFGA relationship/userset tree for a (relation,
+# object), serialized as a JSON string. Admin-only (reveals the access graph).
+type FgaExpandResponse {
+  tree: String!
+}
+
 type ForgotPasswordResponse {
   message: String!
   should_show_mobile_otp_screen: Boolean
@@ -719,14 +731,19 @@ input FgaReadTuplesInput {
   continuation_token: String
 }
 
-# FgaCheckInput asks "is the authenticated caller related to object via
-# relation?". The caller (user) is pinned server-side from the auth token and is
-# NEVER taken from client input. Only relation, object and optional contextual
-# tuples are accepted from the client.
+# FgaCheckInput asks "is <user> related to object via relation?". The subject
+# (user) defaults to the authenticated caller and is pinned server-side from the
+# auth token. The optional `user` field lets a TRUSTED caller (super-admin) check
+# on behalf of another subject; a non-trusted caller supplying `user` is rejected
+# (no silent self-fallback). Only relation, object, optional `user` and optional
+# contextual tuples are accepted from the client.
 input FgaCheckInput {
   relation: String!
   object: String!
   contextual_tuples: [FgaTupleInput!]
+  # Optional subject override ("type:id" or bare id → "user:id"). Honored only
+  # for super-admin callers; rejected otherwise.
+  user: String
 }
 
 # FgaBatchCheckInput evaluates multiple relation/object pairs for the
@@ -740,13 +757,35 @@ input FgaCheckPairInput {
   relation: String!
   object: String!
   contextual_tuples: [FgaTupleInput!]
+  # Optional subject override ("type:id" or bare id → "user:id"). Honored only
+  # for super-admin callers; rejected otherwise.
+  user: String
 }
 
-# FgaListObjectsInput enumerates objects of type object_type the authenticated
-# caller relates to via relation (principal pinned server-side).
+# FgaListObjectsInput enumerates objects of type object_type that <user> relates
+# to via relation. The subject defaults to the authenticated caller; the optional
+# `user` override is honored only for super-admin callers (rejected otherwise).
 input FgaListObjectsInput {
   relation: String!
   object_type: String!
+  # Optional subject override ("type:id" or bare id → "user:id"). Honored only
+  # for super-admin callers; rejected otherwise.
+  user: String
+}
+
+# FgaListUsersInput asks "which users of user_type have relation on object?".
+# Admin-only (reveals the access graph).
+input FgaListUsersInput {
+  object: String!
+  relation: String!
+  user_type: String!
+}
+
+# FgaExpandInput asks for the relationship/userset tree of (relation, object).
+# Admin-only (reveals the access graph).
+input FgaExpandInput {
+  relation: String!
+  object: String!
 }
 
 # FgaRelationInput is a (relation, object) requirement evaluated against the
@@ -822,6 +861,8 @@ type Query {
   # FGA admin queries (super-admin only)
   _fga_get_model: FgaModel!
   _fga_read_tuples(params: FgaReadTuplesInput!): FgaTuples!
+  _fga_list_users(params: FgaListUsersInput!): FgaListUsersResponse!
+  _fga_expand(params: FgaExpandInput!): FgaExpandResponse!
   # FGA runtime queries (authenticated caller; principal pinned server-side)
   fga_check(params: FgaCheckInput!): FgaCheckResponse!
   fga_batch_check(params: FgaBatchCheckInput!): FgaBatchCheckResponse!
diff --git a/internal/graph/schema.resolvers.go b/internal/graph/schema.resolvers.go
index 54795cc1..a823d898 100644
--- a/internal/graph/schema.resolvers.go
+++ b/internal/graph/schema.resolvers.go
@@ -272,6 +272,16 @@ func (r *queryResolver) FgaReadTuples(ctx context.Context, params model.FgaReadT
 	return r.GraphQLProvider.FgaReadTuples(ctx, &params)
 }
 
+// FgaListUsers is the resolver for the _fga_list_users field.
+func (r *queryResolver) FgaListUsers(ctx context.Context, params model.FgaListUsersInput) (*model.FgaListUsersResponse, error) {
+	return r.GraphQLProvider.FgaListUsers(ctx, &params)
+}
+
+// FgaExpand is the resolver for the _fga_expand field.
+func (r *queryResolver) FgaExpand(ctx context.Context, params model.FgaExpandInput) (*model.FgaExpandResponse, error) {
+	return r.GraphQLProvider.FgaExpand(ctx, &params)
+}
+
 // FgaCheck is the resolver for the fga_check field.
 func (r *queryResolver) FgaCheck(ctx context.Context, params model.FgaCheckInput) (*model.FgaCheckResponse, error) {
 	return r.GraphQLProvider.FgaCheck(ctx, &params)
diff --git a/internal/graphql/fga_admin.go b/internal/graphql/fga_admin.go
index 7e71859d..f50556ef 100644
--- a/internal/graphql/fga_admin.go
+++ b/internal/graphql/fga_admin.go
@@ -206,6 +206,70 @@ func (g *graphqlProvider) FgaReadTuples(ctx context.Context, params *model.FgaRe
 	return out, nil
 }
 
+// FgaListUsers returns the fully-qualified user ids of user_type that have
+// relation on object ("who can access this object?"). This is an introspection
+// surface that reveals the access graph, so it is super-admin gated like the
+// other _fga_* admin ops. Read-only: no audit.
+// Permission: authorizer:admin.
+func (g *graphqlProvider) FgaListUsers(ctx context.Context, params *model.FgaListUsersInput) (*model.FgaListUsersResponse, error) {
+	log := g.Log.With().Str("func", "FgaListUsers").Logger()
+	gc, err := utils.GinContextFromContext(ctx)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to get GinContext")
+		return nil, err
+	}
+	if !g.TokenProvider.IsSuperAdmin(gc) {
+		log.Debug().Msg("Not logged in as super admin")
+		return nil, fmt.Errorf("unauthorized")
+	}
+	if g.AuthzEngine == nil {
+		return nil, errFgaNotEnabled
+	}
+	if params == nil || strings.TrimSpace(params.Object) == "" || strings.TrimSpace(params.Relation) == "" || strings.TrimSpace(params.UserType) == "" {
+		return nil, fmt.Errorf("object, relation and user_type are required")
+	}
+	users, err := g.AuthzEngine.ListUsers(ctx, params.Object, params.Relation, params.UserType)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to list users")
+		return nil, err
+	}
+	// Cap the result set; ListUsers is an expensive enumeration surface.
+	if len(users) > maxFgaListResults {
+		users = users[:maxFgaListResults]
+	}
+	return &model.FgaListUsersResponse{Users: users}, nil
+}
+
+// FgaExpand returns the OpenFGA relationship/userset tree for (relation, object)
+// as a JSON string (the explainability/"why" primitive). It reveals the access
+// graph, so it is super-admin gated like the other _fga_* admin ops. Read-only:
+// no audit.
+// Permission: authorizer:admin.
+func (g *graphqlProvider) FgaExpand(ctx context.Context, params *model.FgaExpandInput) (*model.FgaExpandResponse, error) {
+	log := g.Log.With().Str("func", "FgaExpand").Logger()
+	gc, err := utils.GinContextFromContext(ctx)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to get GinContext")
+		return nil, err
+	}
+	if !g.TokenProvider.IsSuperAdmin(gc) {
+		log.Debug().Msg("Not logged in as super admin")
+		return nil, fmt.Errorf("unauthorized")
+	}
+	if g.AuthzEngine == nil {
+		return nil, errFgaNotEnabled
+	}
+	if params == nil || strings.TrimSpace(params.Relation) == "" || strings.TrimSpace(params.Object) == "" {
+		return nil, fmt.Errorf("relation and object are required")
+	}
+	tree, err := g.AuthzEngine.Expand(ctx, params.Relation, params.Object)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to expand")
+		return nil, err
+	}
+	return &model.FgaExpandResponse{Tree: tree}, nil
+}
+
 // toEngineTuples validates and converts admin-supplied tuple inputs into engine
 // tuples. It enforces a per-call cap and rejects empty fields.
 func toEngineTuples(params *model.FgaWriteTuplesInput) ([]engine.TupleKey, error) {
diff --git a/internal/graphql/fga_runtime.go b/internal/graphql/fga_runtime.go
index 661d975e..43fdacd3 100644
--- a/internal/graphql/fga_runtime.go
+++ b/internal/graphql/fga_runtime.go
@@ -7,6 +7,7 @@ import (
 
 	"github.com/authorizerdev/authorizer/internal/authorization/engine"
 	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/refs"
 	"github.com/authorizerdev/authorizer/internal/utils"
 )
 
@@ -18,25 +19,75 @@ const maxFgaListResults = 1000
 // maxFgaBatchChecks caps the number of pairs accepted in a single batch check.
 const maxFgaBatchChecks = 100
 
-// principalForRequest resolves the authenticated caller and returns the pinned
-// OpenFGA subject ("user:<sub>"). The principal is ALWAYS derived from the auth
-// token / session — never from client input — so a caller can only ask about
-// their own access.
-func (g *graphqlProvider) principalForRequest(ctx context.Context) (string, error) {
+// resolveFgaSubject is the single, centralized trust gate for the FGA decision
+// ops (fga_check, fga_batch_check, fga_list_objects). It decides which OpenFGA
+// subject ("type:id") a decision is evaluated for, given the optional
+// client-supplied explicitUser override.
+//
+// Rules (fail-closed):
+//   - The trust level is ALWAYS derived from the auth token/session/admin cookie
+//     — never from client input.
+//   - super-admin caller: an explicitly supplied explicitUser is honored
+//     (validated to look like "type:id"); if absent it defaults to the
+//     super-admin's own "user:<sub>" when they also carry a user token, else it
+//     is required (a bare admin cookie has no subject of its own).
+//   - non-super-admin caller (ordinary end-user token/cookie):
+//   - explicitUser empty  → pin to the caller's own "user:<sub>".
+//   - explicitUser set    → REJECT. We do not silently honor it (would let an
+//     end user enumerate another subject's access — IDOR / info-disclosure)
+//     and we do not silently ignore it.
+//
+// TODO(phase-2 M2M): machine-to-machine / client-credentials callers should also
+// be allowed to pass an explicit user once that caller type exists; extend the
+// trust check here (the rule must stay centralized in this one helper).
+func (g *graphqlProvider) resolveFgaSubject(ctx context.Context, explicitUser string) (string, error) {
 	gc, err := utils.GinContextFromContext(ctx)
 	if err != nil {
 		return "", err
 	}
-	tokenData, err := g.TokenProvider.GetUserIDFromSessionOrAccessToken(gc)
-	if err != nil {
-		return "", err
+	explicitUser = strings.TrimSpace(explicitUser)
+
+	// Determine the trust level first. Super-admin authenticates via the admin
+	// cookie/secret and need not carry a user token of its own, so this check
+	// must not depend on resolving a user subject.
+	isSuperAdmin := g.TokenProvider.IsSuperAdmin(gc)
+
+	if explicitUser != "" {
+		// A subject override was requested — only super-admin callers may target
+		// another subject. Everyone else is rejected (no silent self-fallback, no
+		// silent ignore).
+		if !isSuperAdmin {
+			return "", fmt.Errorf("not authorized to query authorization for another subject")
+		}
+		if err := validateFgaSubject(explicitUser); err != nil {
+			return "", err
+		}
+		return explicitUser, nil
 	}
-	if strings.TrimSpace(tokenData.UserID) == "" {
+
+	// No override: pin to the caller's own subject (unchanged self-pinning
+	// behavior). This requires a resolvable user subject from the token/session.
+	tokenData, err := g.TokenProvider.GetUserIDFromSessionOrAccessToken(gc)
+	if err != nil || strings.TrimSpace(tokenData.UserID) == "" {
 		return "", fmt.Errorf("unauthorized")
 	}
 	return "user:" + tokenData.UserID, nil
 }
 
+// validateFgaSubject ensures a super-admin-supplied subject override is in
+// OpenFGA "type:id" form (both halves non-empty). It rejects usersets
+// ("type:id#relation") and malformed values.
+func validateFgaSubject(user string) error {
+	objType, objID, found := strings.Cut(user, ":")
+	if !found || strings.TrimSpace(objType) == "" || strings.TrimSpace(objID) == "" {
+		return fmt.Errorf("user must be in type:id form, got %q", user)
+	}
+	if strings.Contains(objID, "#") {
+		return fmt.Errorf("user must be a concrete subject in type:id form, not a userset, got %q", user)
+	}
+	return nil
+}
+
 // toContextualTuples converts client-supplied contextual tuples. These are
 // request-scoped only (never persisted) and are safe to accept from the client.
 func toContextualTuples(in []*model.FgaTupleInput) ([]engine.ContextualTuple, error) {
@@ -65,11 +116,12 @@ func (g *graphqlProvider) FgaCheck(ctx context.Context, params *model.FgaCheckIn
 	if params == nil || strings.TrimSpace(params.Relation) == "" || strings.TrimSpace(params.Object) == "" {
 		return nil, fmt.Errorf("relation and object are required")
 	}
-	// PRINCIPAL PINNING — derive subject from the authenticated caller only.
-	principal, err := g.principalForRequest(ctx)
+	// TRUST GATE — derive subject from the authenticated caller; an explicit
+	// `user` override is honored only for super-admins (see resolveFgaSubject).
+	principal, err := g.resolveFgaSubject(ctx, refs.StringValue(params.User))
 	if err != nil {
-		log.Debug().Err(err).Msg("Failed to resolve principal")
-		return nil, fmt.Errorf("unauthorized")
+		log.Debug().Err(err).Msg("Failed to resolve subject")
+		return nil, err
 	}
 	ctxTuples, err := toContextualTuples(params.ContextualTuples)
 	if err != nil {
@@ -98,17 +150,18 @@ func (g *graphqlProvider) FgaBatchCheck(ctx context.Context, params *model.FgaBa
 	if len(params.Checks) > maxFgaBatchChecks {
 		return nil, fmt.Errorf("too many checks: max %d per request", maxFgaBatchChecks)
 	}
-	// PRINCIPAL PINNING — derive subject from the authenticated caller only.
-	principal, err := g.principalForRequest(ctx)
-	if err != nil {
-		log.Debug().Err(err).Msg("Failed to resolve principal")
-		return nil, fmt.Errorf("unauthorized")
-	}
 	requests := make([]engine.CheckRequest, 0, len(params.Checks))
 	for _, c := range params.Checks {
 		if c == nil || strings.TrimSpace(c.Relation) == "" || strings.TrimSpace(c.Object) == "" {
 			return nil, fmt.Errorf("each check requires relation and object")
 		}
+		// TRUST GATE — derive subject per item from the authenticated caller; an
+		// explicit `user` override is honored only for super-admins.
+		principal, err := g.resolveFgaSubject(ctx, refs.StringValue(c.User))
+		if err != nil {
+			log.Debug().Err(err).Msg("Failed to resolve subject")
+			return nil, err
+		}
 		ctxTuples, err := toContextualTuples(c.ContextualTuples)
 		if err != nil {
 			return nil, err
@@ -145,11 +198,12 @@ func (g *graphqlProvider) FgaListObjects(ctx context.Context, params *model.FgaL
 	if params == nil || strings.TrimSpace(params.Relation) == "" || strings.TrimSpace(params.ObjectType) == "" {
 		return nil, fmt.Errorf("relation and object_type are required")
 	}
-	// PRINCIPAL PINNING — derive subject from the authenticated caller only.
-	principal, err := g.principalForRequest(ctx)
+	// TRUST GATE — derive subject from the authenticated caller; an explicit
+	// `user` override is honored only for super-admins (see resolveFgaSubject).
+	principal, err := g.resolveFgaSubject(ctx, refs.StringValue(params.User))
 	if err != nil {
-		log.Debug().Err(err).Msg("Failed to resolve principal")
-		return nil, fmt.Errorf("unauthorized")
+		log.Debug().Err(err).Msg("Failed to resolve subject")
+		return nil, err
 	}
 	objects, err := g.AuthzEngine.ListObjects(ctx, principal, params.Relation, params.ObjectType)
 	if err != nil {
diff --git a/internal/graphql/provider.go b/internal/graphql/provider.go
index 98d36154..79bc85a9 100644
--- a/internal/graphql/provider.go
+++ b/internal/graphql/provider.go
@@ -208,6 +208,13 @@ type Provider interface {
 	// FgaReadTuples reads a page of fine-grained authorization tuples.
 	// Permissions: authorizer:admin
 	FgaReadTuples(ctx context.Context, params *model.FgaReadTuplesInput) (*model.FgaTuples, error)
+	// FgaListUsers lists the users that have a relation on an object (reveals the
+	// access graph).
+	// Permissions: authorizer:admin
+	FgaListUsers(ctx context.Context, params *model.FgaListUsersInput) (*model.FgaListUsersResponse, error)
+	// FgaExpand returns the relationship/userset tree for a (relation, object).
+	// Permissions: authorizer:admin
+	FgaExpand(ctx context.Context, params *model.FgaExpandInput) (*model.FgaExpandResponse, error)
 	// FgaCheck checks a relation for the authenticated caller (principal pinned).
 	// Permissions: authorized user
 	FgaCheck(ctx context.Context, params *model.FgaCheckInput) (*model.FgaCheckResponse, error)
diff --git a/internal/integration_tests/fga_test.go b/internal/integration_tests/fga_test.go
index f5841e32..7d26d850 100644
--- a/internal/integration_tests/fga_test.go
+++ b/internal/integration_tests/fga_test.go
@@ -283,6 +283,93 @@ func TestFGA(t *testing.T) {
 		assert.False(t, res.Results[1].Allowed)
 	})
 
+	// ---- Admin introspection: _fga_list_users ("who can access this object?"). ----
+	t.Run("_fga_list_users returns expected users; non-admin rejected", func(t *testing.T) {
+		// Non-admin caller (user session, no admin cookie) must be rejected.
+		clearCookies(ts)
+		ts.GinContext.Request.Header.Set("Cookie", fmt.Sprintf("%s_session=%s", constants.AppCookieName, sessionToken))
+		res, err := ts.GraphQLProvider.FgaListUsers(ctx, &model.FgaListUsersInput{
+			Object: "document:1", Relation: "viewer", UserType: "user",
+		})
+		assert.Error(t, err, "non-admin must be rejected")
+		assert.Nil(t, res)
+
+		// Super-admin caller gets the access graph.
+		setAdminCookie(t, ts)
+		res, err = ts.GraphQLProvider.FgaListUsers(ctx, &model.FgaListUsersInput{
+			Object: "document:1", Relation: "viewer", UserType: "user",
+		})
+		require.NoError(t, err)
+		require.NotNil(t, res)
+		assert.Contains(t, res.Users, "user:"+userID)
+	})
+
+	// ---- Admin introspection: _fga_expand (the "why" tree). ----
+	t.Run("_fga_expand returns non-empty tree; non-admin rejected", func(t *testing.T) {
+		// Non-admin caller must be rejected.
+		clearCookies(ts)
+		ts.GinContext.Request.Header.Set("Cookie", fmt.Sprintf("%s_session=%s", constants.AppCookieName, sessionToken))
+		res, err := ts.GraphQLProvider.FgaExpand(ctx, &model.FgaExpandInput{
+			Relation: "viewer", Object: "document:1",
+		})
+		assert.Error(t, err, "non-admin must be rejected")
+		assert.Nil(t, res)
+
+		// Super-admin caller gets a non-empty tree.
+		setAdminCookie(t, ts)
+		res, err = ts.GraphQLProvider.FgaExpand(ctx, &model.FgaExpandInput{
+			Relation: "viewer", Object: "document:1",
+		})
+		require.NoError(t, err)
+		require.NotNil(t, res)
+		assert.NotEmpty(t, res.Tree)
+		assert.Contains(t, res.Tree, "user:"+userID)
+	})
+
+	// ---- Trust gate: explicit `user` override on the decision ops. ----
+	t.Run("fga_check super-admin may check another subject via explicit user", func(t *testing.T) {
+		setAdminCookie(t, ts)
+		otherUser := "user:someone-else" // granted viewer on document:3 above
+		res, err := ts.GraphQLProvider.FgaCheck(ctx, &model.FgaCheckInput{
+			Relation: "can_view", Object: "document:3", User: &otherUser,
+		})
+		require.NoError(t, err)
+		require.NotNil(t, res)
+		assert.True(t, res.Allowed, "super-admin override must evaluate the supplied subject")
+
+		// Same admin, but checking the caller's own (admin) subject on document:3 → deny.
+		adminSelf := "user:does-not-have-access"
+		res, err = ts.GraphQLProvider.FgaCheck(ctx, &model.FgaCheckInput{
+			Relation: "can_view", Object: "document:3", User: &adminSelf,
+		})
+		require.NoError(t, err)
+		require.NotNil(t, res)
+		assert.False(t, res.Allowed)
+	})
+
+	t.Run("fga_check ordinary user supplying another subject is REJECTED", func(t *testing.T) {
+		clearCookies(ts)
+		ts.GinContext.Request.Header.Set("Cookie", fmt.Sprintf("%s_session=%s", constants.AppCookieName, sessionToken))
+		otherUser := "user:someone-else"
+		res, err := ts.GraphQLProvider.FgaCheck(ctx, &model.FgaCheckInput{
+			Relation: "can_view", Object: "document:3", User: &otherUser,
+		})
+		assert.Error(t, err, "end user must not query another subject")
+		assert.Nil(t, res)
+		assert.Contains(t, err.Error(), "not authorized to query authorization for another subject")
+	})
+
+	t.Run("fga_check ordinary user with no user still self-checks", func(t *testing.T) {
+		clearCookies(ts)
+		ts.GinContext.Request.Header.Set("Cookie", fmt.Sprintf("%s_session=%s", constants.AppCookieName, sessionToken))
+		res, err := ts.GraphQLProvider.FgaCheck(ctx, &model.FgaCheckInput{
+			Relation: "can_view", Object: "document:1",
+		})
+		require.NoError(t, err)
+		require.NotNil(t, res)
+		assert.True(t, res.Allowed, "self-check on a granted object must still succeed")
+	})
+
 	// ---- Phase 4: validate_session honors required_relations. ----
 	t.Run("validate_session passes when required relation is satisfied", func(t *testing.T) {
 		res, err := ts.GraphQLProvider.ValidateSession(ctx, &model.ValidateSessionRequest{

From 39cb463c35572d3de97c57ca67da9032730bec8d Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Mon, 8 Jun 2026 11:54:42 +0530
Subject: [PATCH 04/39] test(authz): close FGA coverage gaps

Add tests for previously-uncovered surface:
- _fga_delete_tuples (removes a tuple; non-admin rejected)
- _fga_get_model (returns active model; non-admin rejected)
- trust gate enforced per decision op: fga_list_objects and fga_batch_check
  reject an ordinary user supplying another subject (not only fga_check)
- session query honors required_relations (separate wiring of the same
  helper as validate_session)
---
 internal/integration_tests/fga_test.go | 83 ++++++++++++++++++++++++++
 1 file changed, 83 insertions(+)

diff --git a/internal/integration_tests/fga_test.go b/internal/integration_tests/fga_test.go
index 7d26d850..3d9746d8 100644
--- a/internal/integration_tests/fga_test.go
+++ b/internal/integration_tests/fga_test.go
@@ -394,6 +394,89 @@ func TestFGA(t *testing.T) {
 		assert.Nil(t, res)
 	})
 
+	// ---- Admin: _fga_delete_tuples removes a tuple (and is admin-gated). ----
+	t.Run("_fga_delete_tuples removes a tuple; non-admin rejected", func(t *testing.T) {
+		setAdminCookie(t, ts)
+		writeDel := &model.FgaWriteTuplesInput{Tuples: []*model.FgaTupleInput{
+			{User: "user:" + userID, Relation: "viewer", Object: "document:deletable"},
+		}}
+		_, err := ts.GraphQLProvider.FgaWriteTuples(ctx, writeDel)
+		require.NoError(t, err)
+
+		// Non-admin must NOT be able to delete tuples.
+		clearCookies(ts)
+		ts.GinContext.Request.Header.Set("Cookie", fmt.Sprintf("%s_session=%s", constants.AppCookieName, sessionToken))
+		_, err = ts.GraphQLProvider.FgaDeleteTuples(ctx, writeDel)
+		assert.Error(t, err, "non-admin must not delete tuples")
+
+		// Admin deletes, then the tuple is gone.
+		setAdminCookie(t, ts)
+		_, err = ts.GraphQLProvider.FgaDeleteTuples(ctx, writeDel)
+		require.NoError(t, err)
+		tuplesRes, err := ts.GraphQLProvider.FgaReadTuples(ctx, &model.FgaReadTuplesInput{})
+		require.NoError(t, err)
+		for _, tup := range tuplesRes.Tuples {
+			assert.NotEqual(t, "document:deletable", tup.Object, "deleted tuple must not remain")
+		}
+	})
+
+	// ---- Admin: _fga_get_model returns the active model (admin-gated). ----
+	t.Run("_fga_get_model returns active model; non-admin rejected", func(t *testing.T) {
+		clearCookies(ts)
+		ts.GinContext.Request.Header.Set("Cookie", fmt.Sprintf("%s_session=%s", constants.AppCookieName, sessionToken))
+		res, err := ts.GraphQLProvider.FgaGetModel(ctx)
+		assert.Error(t, err, "non-admin must be rejected")
+		assert.Nil(t, res)
+
+		setAdminCookie(t, ts)
+		res, err = ts.GraphQLProvider.FgaGetModel(ctx)
+		require.NoError(t, err)
+		require.NotNil(t, res)
+		assert.Contains(t, res.Dsl, "document")
+	})
+
+	// ---- Trust gate is enforced per decision op, not only on fga_check. ----
+	t.Run("fga_list_objects rejects ordinary user supplying another subject", func(t *testing.T) {
+		clearCookies(ts)
+		ts.GinContext.Request.Header.Set("Cookie", fmt.Sprintf("%s_session=%s", constants.AppCookieName, sessionToken))
+		other := "user:someone-else"
+		res, err := ts.GraphQLProvider.FgaListObjects(ctx, &model.FgaListObjectsInput{
+			Relation: "can_view", ObjectType: "document", User: &other,
+		})
+		assert.Error(t, err, "end user must not list another subject's objects")
+		assert.Nil(t, res)
+	})
+
+	t.Run("fga_batch_check rejects ordinary user supplying another subject", func(t *testing.T) {
+		clearCookies(ts)
+		ts.GinContext.Request.Header.Set("Cookie", fmt.Sprintf("%s_session=%s", constants.AppCookieName, sessionToken))
+		other := "user:someone-else"
+		res, err := ts.GraphQLProvider.FgaBatchCheck(ctx, &model.FgaBatchCheckInput{
+			Checks: []*model.FgaCheckPairInput{
+				{Relation: "can_view", Object: "document:3", User: &other},
+			},
+		})
+		assert.Error(t, err, "end user must not batch-check another subject")
+		assert.Nil(t, res)
+	})
+
+	// ---- Phase 4: the session query honors required_relations too (separate
+	// wiring of the same enforceRequiredRelations helper as validate_session). ----
+	t.Run("session query honors required_relations", func(t *testing.T) {
+		clearCookies(ts)
+		ts.GinContext.Request.Header.Set("Cookie", fmt.Sprintf("%s_session=%s", constants.AppCookieName, sessionToken))
+		res, err := ts.GraphQLProvider.Session(ctx, &model.SessionQueryRequest{
+			RequiredRelations: []*model.FgaRelationInput{{Relation: "can_view", Object: "document:1"}},
+		})
+		require.NoError(t, err)
+		require.NotNil(t, res)
+
+		_, err = ts.GraphQLProvider.Session(ctx, &model.SessionQueryRequest{
+			RequiredRelations: []*model.FgaRelationInput{{Relation: "can_view", Object: "document:2"}},
+		})
+		assert.Error(t, err, "session must fail when a required relation is unsatisfied")
+	})
+
 	_ = req
 	_ = eng
 }

From 1c1739c419840aaa98f5c3b37b26e95653975eca Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Mon, 8 Jun 2026 12:16:53 +0530
Subject: [PATCH 05/39] fix(authz): _fga_get_model returns model id; cover
 validate_jwt_token relations

- engine.ReadModel now returns (id, dsl): _fga_get_model previously returned an
  empty FgaModel.id while _fga_write_model returned one. Populate it from the
  active OpenFGA model id.
- Add a validate_jwt_token required_relations test (the third entry point of
  the shared enforceRequiredRelations helper); re-logs in for a fresh
  access token since session ops in earlier subtests rotate the original.
---
 internal/authorization/engine/engine.go       |  6 ++--
 .../engine/openfga/openfga_test.go            |  3 +-
 .../engine/openfga/operations.go              | 16 ++++-----
 internal/graphql/fga_admin.go                 |  4 +--
 internal/integration_tests/fga_test.go        | 33 +++++++++++++++++++
 5 files changed, 48 insertions(+), 14 deletions(-)

diff --git a/internal/authorization/engine/engine.go b/internal/authorization/engine/engine.go
index 2848f52f..b503fa6d 100644
--- a/internal/authorization/engine/engine.go
+++ b/internal/authorization/engine/engine.go
@@ -150,7 +150,7 @@ type AuthorizationEngine interface {
 	// staged by callers.
 	WriteModel(ctx context.Context, dsl string) (string, error)
 
-	// ReadModel returns the currently active authorization model rendered as
-	// DSL.
-	ReadModel(ctx context.Context) (string, error)
+	// ReadModel returns the currently active authorization model: its
+	// backend-assigned id and its DSL rendering.
+	ReadModel(ctx context.Context) (id string, dsl string, err error)
 }
diff --git a/internal/authorization/engine/openfga/openfga_test.go b/internal/authorization/engine/openfga/openfga_test.go
index a017a464..dede591d 100644
--- a/internal/authorization/engine/openfga/openfga_test.go
+++ b/internal/authorization/engine/openfga/openfga_test.go
@@ -149,8 +149,9 @@ func TestOpenFGAEngine_ReadModelRoundtrip(t *testing.T) {
 	_, err := eng.WriteModel(ctx, testModel)
 	require.NoError(t, err)
 
-	dsl, err := eng.ReadModel(ctx)
+	id, dsl, err := eng.ReadModel(ctx)
 	require.NoError(t, err)
+	assert.NotEmpty(t, id, "ReadModel must return the active model id")
 	assert.Contains(t, dsl, "type document")
 	assert.Contains(t, dsl, "can_view")
 }
diff --git a/internal/authorization/engine/openfga/operations.go b/internal/authorization/engine/openfga/operations.go
index 46e46bc8..8800c14b 100644
--- a/internal/authorization/engine/openfga/operations.go
+++ b/internal/authorization/engine/openfga/operations.go
@@ -289,18 +289,18 @@ func (e *engineImpl) WriteModel(ctx context.Context, dsl string) (string, error)
 	return modelID, nil
 }
 
-// ReadModel returns the active authorization model rendered as DSL.
-func (e *engineImpl) ReadModel(ctx context.Context) (string, error) {
+// ReadModel returns the active authorization model: its id and DSL rendering.
+func (e *engineImpl) ReadModel(ctx context.Context) (string, string, error) {
 	storeID, modelID := e.ids()
 	if modelID == "" {
-		return "", fmt.Errorf("openfga.ReadModel: no authorization model written yet")
+		return "", "", fmt.Errorf("openfga.ReadModel: no authorization model written yet")
 	}
 	res, err := e.srv.ReadAuthorizationModel(ctx, &openfgav1.ReadAuthorizationModelRequest{
 		StoreId: storeID,
 		Id:      modelID,
 	})
 	if err != nil {
-		return "", fmt.Errorf("openfga.ReadModel: %w", err)
+		return "", "", fmt.Errorf("openfga.ReadModel: %w", err)
 	}
 	// Render via the JSON-string transformer rather than the proto-direct
 	// TransformJSONProtoToDSL: the latter (language v0.2.1) errors on relations
@@ -309,14 +309,14 @@ func (e *engineImpl) ReadModel(ctx context.Context) (string, error) {
 	// same model correctly.
 	jsonBytes, err := protojson.Marshal(res.GetAuthorizationModel())
 	if err != nil {
-		return "", fmt.Errorf("openfga.ReadModel: marshal model: %w", err)
+		return "", "", fmt.Errorf("openfga.ReadModel: marshal model: %w", err)
 	}
 	dsl, err := language.TransformJSONStringToDSL(string(jsonBytes))
 	if err != nil {
-		return "", fmt.Errorf("openfga.ReadModel: render DSL: %w", err)
+		return "", "", fmt.Errorf("openfga.ReadModel: render DSL: %w", err)
 	}
 	if dsl == nil {
-		return "", fmt.Errorf("openfga.ReadModel: render DSL returned nil")
+		return "", "", fmt.Errorf("openfga.ReadModel: render DSL returned nil")
 	}
-	return *dsl, nil
+	return modelID, *dsl, nil
 }
diff --git a/internal/graphql/fga_admin.go b/internal/graphql/fga_admin.go
index f50556ef..a34a227f 100644
--- a/internal/graphql/fga_admin.go
+++ b/internal/graphql/fga_admin.go
@@ -78,12 +78,12 @@ func (g *graphqlProvider) FgaGetModel(ctx context.Context) (*model.FgaModel, err
 	if g.AuthzEngine == nil {
 		return nil, errFgaNotEnabled
 	}
-	dsl, err := g.AuthzEngine.ReadModel(ctx)
+	id, dsl, err := g.AuthzEngine.ReadModel(ctx)
 	if err != nil {
 		log.Debug().Err(err).Msg("Failed to read authorization model")
 		return nil, err
 	}
-	return &model.FgaModel{Dsl: dsl}, nil
+	return &model.FgaModel{ID: id, Dsl: dsl}, nil
 }
 
 // FgaWriteTuples persists the given relationship tuples.
diff --git a/internal/integration_tests/fga_test.go b/internal/integration_tests/fga_test.go
index 3d9746d8..de804a26 100644
--- a/internal/integration_tests/fga_test.go
+++ b/internal/integration_tests/fga_test.go
@@ -432,6 +432,7 @@ func TestFGA(t *testing.T) {
 		res, err = ts.GraphQLProvider.FgaGetModel(ctx)
 		require.NoError(t, err)
 		require.NotNil(t, res)
+		assert.NotEmpty(t, res.ID, "_fga_get_model must return the active model id")
 		assert.Contains(t, res.Dsl, "document")
 	})
 
@@ -477,6 +478,38 @@ func TestFGA(t *testing.T) {
 		assert.Error(t, err, "session must fail when a required relation is unsatisfied")
 	})
 
+	// ---- Phase 4: validate_jwt_token honors required_relations (third entry
+	// point wiring the same enforceRequiredRelations helper). ----
+	t.Run("validate_jwt_token honors required_relations", func(t *testing.T) {
+		// Re-login for a current access token: earlier subtests perform session
+		// operations that rotate/invalidate the original token (access tokens are
+		// bound to the session).
+		fresh, err := ts.GraphQLProvider.Login(ctx, &model.LoginRequest{Email: &email, Password: password})
+		require.NoError(t, err)
+		require.NotNil(t, fresh.AccessToken, "login must return an access token")
+		accessToken := *fresh.AccessToken
+
+		res, err := ts.GraphQLProvider.ValidateJWTToken(ctx, &model.ValidateJWTTokenRequest{
+			TokenType: constants.TokenTypeAccessToken,
+			Token:     accessToken,
+			RequiredRelations: []*model.FgaRelationInput{
+				{Relation: "can_view", Object: "document:1"},
+			},
+		})
+		require.NoError(t, err)
+		require.NotNil(t, res)
+		assert.True(t, res.IsValid)
+
+		_, err = ts.GraphQLProvider.ValidateJWTToken(ctx, &model.ValidateJWTTokenRequest{
+			TokenType: constants.TokenTypeAccessToken,
+			Token:     accessToken,
+			RequiredRelations: []*model.FgaRelationInput{
+				{Relation: "can_view", Object: "document:2"},
+			},
+		})
+		assert.Error(t, err, "validate_jwt_token must fail when a required relation is unsatisfied")
+	})
+
 	_ = req
 	_ = eng
 }

From cceddb5f071dee42a7c0905c88b69f5ff8327f74 Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Mon, 8 Jun 2026 12:32:09 +0530
Subject: [PATCH 06/39] refactor(authz): drop --authorization-engine flag;
 enable FGA via store config
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The two-engine selector (--authorization-engine=policy|fga) was a vestige of
the SPI design — the policy engine was removed entirely, leaving only OpenFGA.
FGA is now enabled by configuring a store: --fga-store (embedded) or
--fga-external-url (external). With neither set the engine is not constructed
and the fga_* resolvers fail closed, identical to the previous default.

- Remove the AuthorizationEngine config field and CLI flag.
- --fga-store defaults to "" (set it to enable embedded FGA).
- Update stale comments/schema descriptions referencing the removed flag.
---
 FGA_IMPLEMENTATION_AGENTS.md                  |  2 +-
 cmd/root.go                                   | 32 ++++++++++---------
 internal/authorization/engine/engine.go       |  6 ++--
 .../authorization/engine/openfga/openfga.go   |  8 ++---
 internal/config/config.go                     | 21 ++++++------
 internal/graph/generated/generated.go         |  6 ++--
 internal/graph/schema.graphqls                |  6 ++--
 internal/graphql/fga_admin.go                 |  2 +-
 internal/graphql/provider.go                  |  8 ++---
 internal/http_handlers/provider.go            |  5 +--
 internal/integration_tests/fga_test.go        |  1 -
 11 files changed, 43 insertions(+), 54 deletions(-)

diff --git a/FGA_IMPLEMENTATION_AGENTS.md b/FGA_IMPLEMENTATION_AGENTS.md
index bb57db9f..f860bacf 100644
--- a/FGA_IMPLEMENTATION_AGENTS.md
+++ b/FGA_IMPLEMENTATION_AGENTS.md
@@ -37,7 +37,7 @@ How a small fleet of specialized agents carries the OpenFGA migration and agenti
 - → **Verify:** every claim feeding a design decision is cited and adversarially checked. Spike code compiles & runs.
 
 ### Wave 1 — Decision core *(fga-engineer → security-engineer)*
-Follows `FGA_OPENFGA_MIGRATION_PLAN.md` Phases 1→7, **two-release rollout** (both engines behind `--authorization-engine`, remove old in N+1).
+Follows `FGA_OPENFGA_MIGRATION_PLAN.md` Phases 1→7. The old engine was removed outright (never rolled out); FGA is enabled by configuring a store (`--fga-store` for embedded, `--fga-external-url` for external) — no separate engine-selector flag.
 - → **Verify per phase:** the phase's own Verify gate + `go build ./...` + `make test-all-db` (proves no DB-impl dangling refs) + security-engineer review.
 
 ### Wave 2 — Delegation core *(delegation-engineer → security-engineer)*
diff --git a/cmd/root.go b/cmd/root.go
index 3a917167..7b15a67c 100644
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -244,9 +244,8 @@ func init() {
 
 	// OpenFGA / FGA engine flags (Phase 1 — additive; the FGA engine is
 	// selectable but not yet the default)
-	f.StringVar(&rootArgs.config.AuthorizationEngine, "authorization-engine", "policy", "Authorization backend: 'policy' (existing resource/scope/policy engine, default) or 'fga' (OpenFGA ReBAC engine)")
 	f.StringVar(&rootArgs.config.FGAMode, "fga-mode", "embedded", "OpenFGA run mode: 'embedded' (in-process, default) or 'external' (standalone OpenFGA service)")
-	f.StringVar(&rootArgs.config.FGAStore, "fga-store", "memory", "OpenFGA datastore: 'memory' (dev/tests, default), 'sqlite' (single-node), 'postgres' or 'mysql' (HA)")
+	f.StringVar(&rootArgs.config.FGAStore, "fga-store", "", "OpenFGA datastore for embedded mode — set to enable fine-grained authorization: 'memory' (dev/tests), 'sqlite' (single-node), 'postgres' or 'mysql' (HA). Empty = FGA disabled")
 	f.StringVar(&rootArgs.config.FGAStoreURL, "fga-store-url", "", "OpenFGA datastore connection URI (file: URI for sqlite, DSN for postgres/mysql)")
 	f.StringVar(&rootArgs.config.FGAExternalURL, "fga-external-url", "", "gRPC URL of an external OpenFGA service (used when --fga-mode=external)")
 
@@ -470,23 +469,24 @@ func runRoot(c *cobra.Command, args []string) {
 	}
 	defer rateLimitProvider.Close()
 
-	// OpenFGA authorization engine (Phase 1 — additive).
+	// OpenFGA authorization engine.
 	//
-	// This is constructed only when --authorization-engine=fga. The FGA engine
-	// is selectable but is not yet routed into the request path — later phases
-	// wire it into GraphQL and session/validate.
+	// Constructed only when an FGA store is configured (--fga-store for embedded,
+	// --fga-external-url for external); otherwise it stays nil and the fga_*
+	// resolvers fail closed. It is routed into GraphQL and session/validate below.
 	//
 	// Embedded mode runs the OpenFGA server in-process. For single-node/dev
 	// (memory or sqlite) migrations may run on boot; HA/serverless must run
 	// migrations as a separate init job (see FGA_OPENFGA_MIGRATION_PLAN.md §2.1)
 	// and must use an external SQL store.
-	// authzEngine is threaded into the HTTP/GraphQL providers below. It stays nil
-	// unless --authorization-engine=fga (and embedded mode initializes cleanly).
-	// Resolvers fail closed when it is nil.
+	// Fine-grained authorization is enabled by configuring a store: --fga-store
+	// for embedded mode, or --fga-external-url for an external OpenFGA service.
+	// With neither set the engine stays nil and the fga_* resolvers fail closed
+	// ("fine-grained authorization is not enabled").
 	var authzEngine engine.AuthorizationEngine
-	if strings.EqualFold(rootArgs.config.AuthorizationEngine, "fga") {
-		switch strings.ToLower(strings.TrimSpace(rootArgs.config.FGAMode)) {
-		case "", "embedded":
+	switch strings.ToLower(strings.TrimSpace(rootArgs.config.FGAMode)) {
+	case "", "embedded":
+		if rootArgs.config.FGAStore != "" {
 			// Run migrations on boot only for single-node embedded SQL stores.
 			// memory needs none; postgres/mysql (HA) must migrate out-of-band.
 			runMigrations := strings.EqualFold(rootArgs.config.FGAStore, fgaengine.StoreSQLite)
@@ -510,15 +510,17 @@ func runRoot(c *cobra.Command, args []string) {
 				Str("fga_mode", "embedded").
 				Str("fga_store", rootArgs.config.FGAStore).
 				Msg("OpenFGA authorization engine initialized (embedded); routed into GraphQL + session/validate")
-		case "external":
+		}
+	case "external":
+		if rootArgs.config.FGAExternalURL != "" {
 			// External-mode wiring (gRPC client to a standalone OpenFGA
 			// service) lands in a later phase; the seam and flags exist now.
 			log.Warn().
 				Str("fga_external_url", rootArgs.config.FGAExternalURL).
 				Msg("OpenFGA external mode selected but the external client is not yet wired (Phase 1 implements the embedded engine); no FGA engine started")
-		default:
-			log.Fatal().Str("fga_mode", rootArgs.config.FGAMode).Msg("invalid --fga-mode (want 'embedded' or 'external')")
 		}
+	default:
+		log.Fatal().Str("fga_mode", rootArgs.config.FGAMode).Msg("invalid --fga-mode (want 'embedded' or 'external')")
 	}
 
 	// SMS provider
diff --git a/internal/authorization/engine/engine.go b/internal/authorization/engine/engine.go
index b503fa6d..edd8cfe8 100644
--- a/internal/authorization/engine/engine.go
+++ b/internal/authorization/engine/engine.go
@@ -8,9 +8,9 @@
 // engine speaks the OpenFGA tuple vocabulary: a tuple relates a user (subject)
 // to an object via a relation, e.g. (user:alice, viewer, document:1).
 //
-// This package is additive (Phase 1 of the OpenFGA migration). It does not
-// replace the existing authorization.Provider (resource/scope/policy engine);
-// both coexist behind the --authorization-engine flag.
+// FGA is enabled by configuring a store (--fga-store for embedded mode, or
+// --fga-external-url for an external OpenFGA service); when neither is set the
+// engine is not constructed and the fga_* resolvers fail closed.
 package engine
 
 import "context"
diff --git a/internal/authorization/engine/openfga/openfga.go b/internal/authorization/engine/openfga/openfga.go
index be3b836c..eaece4c5 100644
--- a/internal/authorization/engine/openfga/openfga.go
+++ b/internal/authorization/engine/openfga/openfga.go
@@ -3,11 +3,9 @@
 // datastore (dev/tests) and persistent SQL datastores (SQLite single-node,
 // Postgres/MySQL for HA) per the migration plan's deployment modes (§2.1).
 //
-// This package is additive (Phase 1). It does not replace the existing
-// resource/scope/policy engine; both are selectable behind
-// --authorization-engine. The principal-pinning, admin-gating, audit, and
-// caching policy described in the plan live in the callers of this engine —
-// this package is the thin, fail-closed adapter over OpenFGA.
+// The principal-pinning, admin-gating, audit, and caching policy described in
+// the plan live in the callers of this engine — this package is the thin,
+// fail-closed adapter over OpenFGA.
 package openfga
 
 import (
diff --git a/internal/config/config.go b/internal/config/config.go
index 4f52ef9f..e3a7fd55 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -328,21 +328,18 @@ type Config struct {
 	// When false (default), only denied checks are logged. When true, all checks are logged.
 	AuthorizationLogAllChecks bool
 
-	// OpenFGA / Fine-Grained Authorization engine (Phase 1 — additive)
-	// These configure the OpenFGA-backed AuthorizationEngine. The engine is
-	// selectable but NOT yet the default; existing policy-based authorization is
-	// unchanged when AuthorizationEngine is empty or "policy".
+	// OpenFGA / Fine-Grained Authorization engine.
+	// FGA is enabled by configuring a store: FGAStore (embedded) or
+	// FGAExternalURL (external). With neither set the engine is not constructed
+	// and the fga_* resolvers fail closed ("fine-grained authorization is not
+	// enabled").
 
-	// AuthorizationEngine selects the authorization backend: "policy" (existing
-	// resource/scope/policy engine, default) or "fga" (OpenFGA ReBAC engine).
-	// Empty is treated as "policy" to preserve existing behavior.
-	AuthorizationEngine string
 	// FGAMode selects how the OpenFGA engine runs: "embedded" (in-process,
-	// default) or "external" (a standalone OpenFGA service). Only relevant when
-	// AuthorizationEngine is "fga".
+	// default) or "external" (a standalone OpenFGA service).
 	FGAMode string
-	// FGAStore selects the OpenFGA datastore kind: "memory" (dev/tests),
-	// "sqlite" (single-node), "postgres" or "mysql" (HA). Default: "memory".
+	// FGAStore selects the OpenFGA datastore kind for embedded mode and, when
+	// non-empty, enables FGA: "memory" (dev/tests), "sqlite" (single-node),
+	// "postgres" or "mysql" (HA). Empty disables embedded FGA.
 	FGAStore string
 	// FGAStoreURL is the OpenFGA datastore connection URI: a file: URI for
 	// sqlite, or a DSN for postgres/mysql. Ignored for the memory store.
diff --git a/internal/graph/generated/generated.go b/internal/graph/generated/generated.go
index 954ecc39..a3cc8236 100644
--- a/internal/graph/generated/generated.go
+++ b/internal/graph/generated/generated.go
@@ -3319,7 +3319,7 @@ input SessionQueryRequest {
   state: String
   # required_relations gates the session on fine-grained authorization.
   # Each (relation, object) is checked against the authenticated caller with
-  # AND semantics, fail-closed. Requires --authorization-engine=fga.
+  # AND semantics, fail-closed. Requires fine-grained authorization enabled (--fga-store / --fga-external-url).
   required_relations: [FgaRelationInput!]
 }
 
@@ -3350,7 +3350,7 @@ input ValidateJWTTokenRequest {
   token: String!
   roles: [String!]
   # required_relations gates validation on fine-grained authorization.
-  # AND semantics, fail-closed. Requires --authorization-engine=fga.
+  # AND semantics, fail-closed. Requires fine-grained authorization enabled (--fga-store / --fga-external-url).
   required_relations: [FgaRelationInput!]
 }
 
@@ -3358,7 +3358,7 @@ input ValidateSessionRequest {
   cookie: String!
   roles: [String!]
   # required_relations gates validation on fine-grained authorization.
-  # AND semantics, fail-closed. Requires --authorization-engine=fga.
+  # AND semantics, fail-closed. Requires fine-grained authorization enabled (--fga-store / --fga-external-url).
   required_relations: [FgaRelationInput!]
 }
 
diff --git a/internal/graph/schema.graphqls b/internal/graph/schema.graphqls
index 26065b88..44de1094 100644
--- a/internal/graph/schema.graphqls
+++ b/internal/graph/schema.graphqls
@@ -562,7 +562,7 @@ input SessionQueryRequest {
   state: String
   # required_relations gates the session on fine-grained authorization.
   # Each (relation, object) is checked against the authenticated caller with
-  # AND semantics, fail-closed. Requires --authorization-engine=fga.
+  # AND semantics, fail-closed. Requires fine-grained authorization enabled (--fga-store / --fga-external-url).
   required_relations: [FgaRelationInput!]
 }
 
@@ -593,7 +593,7 @@ input ValidateJWTTokenRequest {
   token: String!
   roles: [String!]
   # required_relations gates validation on fine-grained authorization.
-  # AND semantics, fail-closed. Requires --authorization-engine=fga.
+  # AND semantics, fail-closed. Requires fine-grained authorization enabled (--fga-store / --fga-external-url).
   required_relations: [FgaRelationInput!]
 }
 
@@ -601,7 +601,7 @@ input ValidateSessionRequest {
   cookie: String!
   roles: [String!]
   # required_relations gates validation on fine-grained authorization.
-  # AND semantics, fail-closed. Requires --authorization-engine=fga.
+  # AND semantics, fail-closed. Requires fine-grained authorization enabled (--fga-store / --fga-external-url).
   required_relations: [FgaRelationInput!]
 }
 
diff --git a/internal/graphql/fga_admin.go b/internal/graphql/fga_admin.go
index a34a227f..f4477b97 100644
--- a/internal/graphql/fga_admin.go
+++ b/internal/graphql/fga_admin.go
@@ -15,7 +15,7 @@ import (
 )
 
 // errFgaNotEnabled is returned by every FGA resolver when no authorization
-// engine is configured (i.e. --authorization-engine != fga). Fail-closed.
+// engine is configured (no --fga-store / --fga-external-url). Fail-closed.
 var errFgaNotEnabled = errors.New("fine-grained authorization is not enabled")
 
 // maxFgaTuplesPerWrite caps the number of tuples accepted in a single write or
diff --git a/internal/graphql/provider.go b/internal/graphql/provider.go
index 79bc85a9..464dad10 100644
--- a/internal/graphql/provider.go
+++ b/internal/graphql/provider.go
@@ -40,12 +40,8 @@ type Dependencies struct {
 	// TokenProvider is used to generate tokens
 	TokenProvider token.Provider
 	// AuthzEngine is the fine-grained authorization (FGA) engine.
-	// It is nil unless --authorization-engine=fga; resolvers MUST fail closed
-	// (return an error) when it is nil.
-	//
-	// Named AuthzEngine (not AuthorizationEngine) to avoid an ambiguous-selector
-	// clash with config.Config.AuthorizationEngine, which graphqlProvider also
-	// embeds.
+	// It is nil unless an FGA store is configured (--fga-store / --fga-external-url);
+	// resolvers MUST fail closed (return an error) when it is nil.
 	AuthzEngine engine.AuthorizationEngine
 }
 
diff --git a/internal/http_handlers/provider.go b/internal/http_handlers/provider.go
index 1fa2fc62..c6428a89 100644
--- a/internal/http_handlers/provider.go
+++ b/internal/http_handlers/provider.go
@@ -44,10 +44,7 @@ type Dependencies struct {
 	// RateLimitProvider is used for per-IP rate limiting
 	RateLimitProvider rate_limit.Provider
 	// AuthzEngine is the fine-grained authorization (FGA) engine.
-	// It is nil unless --authorization-engine=fga.
-	//
-	// Named AuthzEngine (not AuthorizationEngine) to avoid an ambiguous-selector
-	// clash with config.Config.AuthorizationEngine, which httpProvider embeds.
+	// It is nil unless an FGA store is configured (--fga-store / --fga-external-url).
 	AuthzEngine engine.AuthorizationEngine
 }
 
diff --git a/internal/integration_tests/fga_test.go b/internal/integration_tests/fga_test.go
index de804a26..54a52f94 100644
--- a/internal/integration_tests/fga_test.go
+++ b/internal/integration_tests/fga_test.go
@@ -155,7 +155,6 @@ func clearCookies(ts *testSetup) {
 
 func TestFGA(t *testing.T) {
 	cfg := getTestConfig()
-	cfg.AuthorizationEngine = "fga"
 	ts, eng := initFGATestSetup(t, cfg)
 	req, ctx := createContext(ts)
 

From 99ae9419868a8ef0f128ba02212586f82449bb0f Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Mon, 8 Jun 2026 12:46:08 +0530
Subject: [PATCH 07/39] refactor(authz): drop external-mode + dead old-engine
 flags; embed-only FGA
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Authorizer embeds OpenFGA in-process — it IS the engine. Trim the FGA config
surface to what's actually used:

- Remove --fga-mode and --fga-external-url: external-OpenFGA-service mode was a
  non-functional stub (logged a warning, started no engine). HA/serverless use
  the embedded engine + an external SQL store (postgres/mysql), not a separate
  service. The AuthorizationEngine SPI still allows adding an external client
  later if a real need arises.
- Remove three dead flags left from the old policy engine, with zero consumers
  after its removal: --authorization-cache-ttl, --include-permissions-in-token,
  --authorization-log-all-checks.

FGA is now enabled solely by --fga-store (+ --fga-store-url). Build + full
SQLite suite green.
---
 FGA_IMPLEMENTATION_AGENTS.md            |  2 +-
 FGA_OPENFGA_MIGRATION_PLAN.md           |  6 +-
 cmd/root.go                             | 89 +++++++++----------------
 internal/authorization/engine/engine.go | 14 ++--
 internal/config/config.go               | 32 ++-------
 internal/graph/generated/generated.go   |  6 +-
 internal/graph/schema.graphqls          |  6 +-
 internal/graphql/fga_admin.go           |  2 +-
 internal/graphql/provider.go            |  2 +-
 internal/http_handlers/provider.go      |  2 +-
 10 files changed, 60 insertions(+), 101 deletions(-)

diff --git a/FGA_IMPLEMENTATION_AGENTS.md b/FGA_IMPLEMENTATION_AGENTS.md
index f860bacf..68dfdfa9 100644
--- a/FGA_IMPLEMENTATION_AGENTS.md
+++ b/FGA_IMPLEMENTATION_AGENTS.md
@@ -37,7 +37,7 @@ How a small fleet of specialized agents carries the OpenFGA migration and agenti
 - → **Verify:** every claim feeding a design decision is cited and adversarially checked. Spike code compiles & runs.
 
 ### Wave 1 — Decision core *(fga-engineer → security-engineer)*
-Follows `FGA_OPENFGA_MIGRATION_PLAN.md` Phases 1→7. The old engine was removed outright (never rolled out); FGA is enabled by configuring a store (`--fga-store` for embedded, `--fga-external-url` for external) — no separate engine-selector flag.
+Follows `FGA_OPENFGA_MIGRATION_PLAN.md` Phases 1→7. The old engine was removed outright (never rolled out). Authorizer embeds OpenFGA in-process — it IS the engine; FGA is enabled by configuring a store (`--fga-store`). No engine-selector or external-service flags.
 - → **Verify per phase:** the phase's own Verify gate + `go build ./...` + `make test-all-db` (proves no DB-impl dangling refs) + security-engineer review.
 
 ### Wave 2 — Delegation core *(delegation-engineer → security-engineer)*
diff --git a/FGA_OPENFGA_MIGRATION_PLAN.md b/FGA_OPENFGA_MIGRATION_PLAN.md
index a5f94edd..e8c7eca6 100644
--- a/FGA_OPENFGA_MIGRATION_PLAN.md
+++ b/FGA_OPENFGA_MIGRATION_PLAN.md
@@ -2,9 +2,11 @@
 
 **Status:** Decisions locked · Phase 0 PASSED · Phases 1–4 DONE on branch `feat/fga-engine-spi` (uncommitted) · **Precondition:** FGA is pre-stable (no GA compat guarantee) · **Type:** Breaking, full replacement
 
-> **Implementation status:** Old FGA (Resource/Scope/Policy/Permission, #607/#610/#611) **fully removed** (never rolled out). New OpenFGA engine seam (Phase 1), GraphQL `_fga_*`/`fga_*` API + engine routed into request paths (Phase 3), and `required_relations` on session/validate (Phase 4) all **DONE** — `go build ./...` green, FGA + integration tests pass, proof-grep clean, principal-pinning + nil-engine handling tested. **Remaining:** the SQLite driver decision below, dashboard FGA pages (Phase 5), SDK cleanup in the separate `authorizer-go`/`authorizer-js` repos (Phase 6), Auth0 import tool + docs (Phase 7).
+> **Implementation status:** Old FGA (Resource/Scope/Policy/Permission, #607/#610/#611) **fully removed** (never rolled out). New OpenFGA engine seam (Phase 1), GraphQL `_fga_*`/`fga_*` API + engine routed into request paths (Phase 3), and `required_relations` on session/validate (Phase 4) all **DONE** — `go build ./...` green, FGA + integration tests pass, proof-grep clean, principal-pinning + nil-engine handling tested. **Remaining:** dashboard FGA pages (Phase 5, done), SDK cleanup in the separate `authorizer-go`/`authorizer-js` repos (Phase 6), Auth0 import tool + docs (Phase 7).
+>
+> **Config simplification (supersedes D2 + the deployment-mode external-service framing below):** Authorizer **embeds OpenFGA in-process — it IS the engine.** The `--authorization-engine`, `--fga-mode`, and `--fga-external-url` flags were **removed**, along with three dead old-engine flags (`--authorization-cache-ttl`, `--include-permissions-in-token`, `--authorization-log-all-checks`). FGA is enabled solely by `--fga-store` (+ `--fga-store-url`). HA/serverless use the **embedded engine + an external SQL store** (Postgres/MySQL), not a separate OpenFGA service. An external-service client may be added later behind the unchanged `AuthorizationEngine` SPI if a real need arises. The driver-conflict known-issue below is **resolved** (Option B: GORM standardized on `modernc.org/sqlite`).
 
-> ⚠️ **KNOWN ISSUE — SQLite driver double-registration (needs a decision).** Linking OpenFGA's SQL datastores (`modernc.org/sqlite`) into the same binary as Authorizer's GORM SQLite driver (`glebarez/go-sqlite`) panics at startup: `sql: Register called twice for driver sqlite` (both register the name `sqlite`; glebarez is itself a modernc wrapper). Contained for now: OpenFGA's SQL datastores are behind the `fga_sql` build tag, so the **default build works** with embedded **`memory`** mode + **`external`** mode (external links no datastore → no conflict). **Embedded SQL-backed FGA in one binary is currently unusable.** Options: (A) **revise D1 → embedded = memory only; SQL persistence requires external OpenFGA** *(recommended — simplest, aligns with "external first-class for HA"; drops the embedded-SQLite single-node convenience)*; (B) dedupe the driver — point GORM at `modernc.org/sqlite` directly so only one `sqlite` registration exists *(keeps embedded-SQLite but is a storage-layer change with SQLite-test-suite impact)*; (C) accept external-only for persistence. **Pending your call.**
+> ✅ **RESOLVED — SQLite driver double-registration (Option B).** Linking OpenFGA's SQL datastores (`modernc.org/sqlite`) alongside Authorizer's old GORM SQLite driver (`glebarez/go-sqlite`) panicked at startup (`sql: Register called twice for driver sqlite`, since both register the name `sqlite`). Fixed by standardizing GORM on `modernc.org/sqlite` via a local dialect (`internal/storage/db/sql/sqlitedialect/`, a near-verbatim copy of glebarez's MIT dialect with the driver import swapped) and dropping `glebarez/*`. The `fga_sql` build tag was removed — OpenFGA's SQL datastores are now in the **default build**. Verified: default binary starts with no panic; embedded SQLite FGA runs in-process alongside GORM SQLite; full SQLite suite green. Pure-Go, no CGO. *(Maintenance note: the vendored dialect is now Authorizer-maintained — apply modernc/dialect updates manually.)*
 
 > **Phase 0 spike result (FULLY validated, not assumed):** `openfga v1.17.1` embeds in-process; DSL→model→tuples→`Check`→`ListObjects` work incl. `but not` exclusion. **Persistent SQLite datastore verified** — data written by one process is read back by a separate fresh process (persistence across restart proven); bootstrap = `migrate.RunMigrations(...)` then `sqlite.New(uri, sqlcommon.NewConfig())` (pure-Go, no CGO). `go.mod` integration probe **passed** (whole authorizer tree builds with openfga added, `modernc.org/sqlite`→v1.51.0). Binary +~36–38M. See `openfga-modeling` skill for the verified bootstrap recipe + gotchas. **No open Phase 0 risks.**
 
diff --git a/cmd/root.go b/cmd/root.go
index 7b15a67c..b17c6a11 100644
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -237,17 +237,10 @@ func init() {
 	// Back-channel logout (OIDC BCL 1.0)
 	f.StringVar(&rootArgs.config.BackchannelLogoutURI, "backchannel-logout-uri", "", "URL to POST a signed logout_token to when users log out successfully. Leave empty (default) to disable back-channel logout notifications. See OIDC Back-Channel Logout 1.0.")
 
-	// Fine-grained authorization flags
-	f.Int64Var(&rootArgs.config.AuthorizationCacheTTL, "authorization-cache-ttl", 300, "Cache TTL in seconds for permission checks (0 to disable)")
-	f.BoolVar(&rootArgs.config.IncludePermissionsInToken, "include-permissions-in-token", false, "Include permissions in JWT access tokens")
-	f.BoolVar(&rootArgs.config.AuthorizationLogAllChecks, "authorization-log-all-checks", false, "Audit log all permission checks, not just denials")
-
-	// OpenFGA / FGA engine flags (Phase 1 — additive; the FGA engine is
-	// selectable but not yet the default)
-	f.StringVar(&rootArgs.config.FGAMode, "fga-mode", "embedded", "OpenFGA run mode: 'embedded' (in-process, default) or 'external' (standalone OpenFGA service)")
-	f.StringVar(&rootArgs.config.FGAStore, "fga-store", "", "OpenFGA datastore for embedded mode — set to enable fine-grained authorization: 'memory' (dev/tests), 'sqlite' (single-node), 'postgres' or 'mysql' (HA). Empty = FGA disabled")
+	// OpenFGA fine-grained authorization. Authorizer embeds the OpenFGA engine
+	// in-process; set --fga-store to enable it.
+	f.StringVar(&rootArgs.config.FGAStore, "fga-store", "", "OpenFGA datastore — set to enable fine-grained authorization: 'memory' (dev/tests), 'sqlite' (single-node), 'postgres' or 'mysql' (HA). Empty = FGA disabled")
 	f.StringVar(&rootArgs.config.FGAStoreURL, "fga-store-url", "", "OpenFGA datastore connection URI (file: URI for sqlite, DSN for postgres/mysql)")
-	f.StringVar(&rootArgs.config.FGAExternalURL, "fga-external-url", "", "gRPC URL of an external OpenFGA service (used when --fga-mode=external)")
 
 	// Deprecated flags
 	f.MarkDeprecated("database_url", "use --database-url instead")
@@ -469,58 +462,40 @@ func runRoot(c *cobra.Command, args []string) {
 	}
 	defer rateLimitProvider.Close()
 
-	// OpenFGA authorization engine.
+	// OpenFGA fine-grained authorization engine (embedded, in-process).
 	//
-	// Constructed only when an FGA store is configured (--fga-store for embedded,
-	// --fga-external-url for external); otherwise it stays nil and the fga_*
-	// resolvers fail closed. It is routed into GraphQL and session/validate below.
+	// Authorizer embeds OpenFGA — it IS the engine. The engine is constructed
+	// only when an FGA store is configured (--fga-store); otherwise it stays nil
+	// and the fga_* resolvers fail closed ("fine-grained authorization is not
+	// enabled"). Routed into GraphQL and session/validate below.
 	//
-	// Embedded mode runs the OpenFGA server in-process. For single-node/dev
-	// (memory or sqlite) migrations may run on boot; HA/serverless must run
-	// migrations as a separate init job (see FGA_OPENFGA_MIGRATION_PLAN.md §2.1)
-	// and must use an external SQL store.
-	// Fine-grained authorization is enabled by configuring a store: --fga-store
-	// for embedded mode, or --fga-external-url for an external OpenFGA service.
-	// With neither set the engine stays nil and the fga_* resolvers fail closed
-	// ("fine-grained authorization is not enabled").
+	// For single-node/dev (memory or sqlite) migrations may run on boot; HA and
+	// serverless must use an external SQL store (postgres/mysql) and run
+	// migrations as a separate init job (see FGA_OPENFGA_MIGRATION_PLAN.md §2.1).
 	var authzEngine engine.AuthorizationEngine
-	switch strings.ToLower(strings.TrimSpace(rootArgs.config.FGAMode)) {
-	case "", "embedded":
-		if rootArgs.config.FGAStore != "" {
-			// Run migrations on boot only for single-node embedded SQL stores.
-			// memory needs none; postgres/mysql (HA) must migrate out-of-band.
-			runMigrations := strings.EqualFold(rootArgs.config.FGAStore, fgaengine.StoreSQLite)
-			fgaEngine, ferr := fgaengine.New(
-				&fgaengine.Config{
-					Store:         rootArgs.config.FGAStore,
-					StoreURL:      rootArgs.config.FGAStoreURL,
-					StoreName:     rootArgs.config.OrganizationName,
-					RunMigrations: runMigrations,
-				},
-				&fgaengine.Dependencies{Log: &log},
-			)
-			if ferr != nil {
-				log.Fatal().Err(ferr).Msg("failed to create OpenFGA authorization engine")
-			}
-			if closer, ok := fgaEngine.(interface{ Close() }); ok {
-				defer closer.Close()
-			}
-			authzEngine = fgaEngine
-			log.Info().
-				Str("fga_mode", "embedded").
-				Str("fga_store", rootArgs.config.FGAStore).
-				Msg("OpenFGA authorization engine initialized (embedded); routed into GraphQL + session/validate")
+	if rootArgs.config.FGAStore != "" {
+		// Run migrations on boot only for single-node embedded SQLite stores.
+		// memory needs none; postgres/mysql (HA) must migrate out-of-band.
+		runMigrations := strings.EqualFold(rootArgs.config.FGAStore, fgaengine.StoreSQLite)
+		fgaEngine, ferr := fgaengine.New(
+			&fgaengine.Config{
+				Store:         rootArgs.config.FGAStore,
+				StoreURL:      rootArgs.config.FGAStoreURL,
+				StoreName:     rootArgs.config.OrganizationName,
+				RunMigrations: runMigrations,
+			},
+			&fgaengine.Dependencies{Log: &log},
+		)
+		if ferr != nil {
+			log.Fatal().Err(ferr).Msg("failed to create OpenFGA authorization engine")
 		}
-	case "external":
-		if rootArgs.config.FGAExternalURL != "" {
-			// External-mode wiring (gRPC client to a standalone OpenFGA
-			// service) lands in a later phase; the seam and flags exist now.
-			log.Warn().
-				Str("fga_external_url", rootArgs.config.FGAExternalURL).
-				Msg("OpenFGA external mode selected but the external client is not yet wired (Phase 1 implements the embedded engine); no FGA engine started")
+		if closer, ok := fgaEngine.(interface{ Close() }); ok {
+			defer closer.Close()
 		}
-	default:
-		log.Fatal().Str("fga_mode", rootArgs.config.FGAMode).Msg("invalid --fga-mode (want 'embedded' or 'external')")
+		authzEngine = fgaEngine
+		log.Info().
+			Str("fga_store", rootArgs.config.FGAStore).
+			Msg("OpenFGA authorization engine initialized (embedded); routed into GraphQL + session/validate")
 	}
 
 	// SMS provider
diff --git a/internal/authorization/engine/engine.go b/internal/authorization/engine/engine.go
index edd8cfe8..2414bff9 100644
--- a/internal/authorization/engine/engine.go
+++ b/internal/authorization/engine/engine.go
@@ -2,14 +2,14 @@
 // relationship-based access control (ReBAC) backend used by Authorizer's
 // fine-grained authorization (FGA) subsystem.
 //
-// The interface is deliberately backend-agnostic. The Phase 1 implementation
-// (internal/authorization/engine/openfga) embeds OpenFGA in-process, but the
-// same contract is intended to also front an external OpenFGA service. The
-// engine speaks the OpenFGA tuple vocabulary: a tuple relates a user (subject)
-// to an object via a relation, e.g. (user:alice, viewer, document:1).
+// The interface is deliberately backend-agnostic. The current implementation
+// (internal/authorization/engine/openfga) embeds OpenFGA in-process — Authorizer
+// IS the engine — and the same contract could front an external OpenFGA service
+// in future without touching callers. The engine speaks the OpenFGA tuple
+// vocabulary: a tuple relates a user (subject) to an object via a relation,
+// e.g. (user:alice, viewer, document:1).
 //
-// FGA is enabled by configuring a store (--fga-store for embedded mode, or
-// --fga-external-url for an external OpenFGA service); when neither is set the
+// FGA is enabled by configuring a store (--fga-store); when it is empty the
 // engine is not constructed and the fga_* resolvers fail closed.
 package engine
 
diff --git a/internal/config/config.go b/internal/config/config.go
index e3a7fd55..f6ad4e40 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -317,34 +317,16 @@ type Config struct {
 	// See OIDC Back-Channel Logout 1.0 §2.5 for the protocol.
 	BackchannelLogoutURI string
 
-	// Fine-Grained Authorization
-	// AuthorizationCacheTTL is the cache time-to-live in seconds for permission checks.
-	// Set to 0 to disable caching. Default: 300 (5 minutes).
-	AuthorizationCacheTTL int64
-	// IncludePermissionsInToken controls whether permissions are embedded in JWT access tokens.
-	// When true, the permissions claim is added to access tokens. Default: false.
-	IncludePermissionsInToken bool
-	// AuthorizationLogAllChecks controls whether all permission checks are audit logged.
-	// When false (default), only denied checks are logged. When true, all checks are logged.
-	AuthorizationLogAllChecks bool
+	// OpenFGA / Fine-Grained Authorization engine. Authorizer embeds OpenFGA
+	// in-process — it IS the engine. FGA is enabled by configuring a store
+	// (FGAStore); with it empty the engine is not constructed and the fga_*
+	// resolvers fail closed ("fine-grained authorization is not enabled").
 
-	// OpenFGA / Fine-Grained Authorization engine.
-	// FGA is enabled by configuring a store: FGAStore (embedded) or
-	// FGAExternalURL (external). With neither set the engine is not constructed
-	// and the fga_* resolvers fail closed ("fine-grained authorization is not
-	// enabled").
-
-	// FGAMode selects how the OpenFGA engine runs: "embedded" (in-process,
-	// default) or "external" (a standalone OpenFGA service).
-	FGAMode string
-	// FGAStore selects the OpenFGA datastore kind for embedded mode and, when
-	// non-empty, enables FGA: "memory" (dev/tests), "sqlite" (single-node),
-	// "postgres" or "mysql" (HA). Empty disables embedded FGA.
+	// FGAStore selects the OpenFGA datastore kind and, when non-empty, enables
+	// FGA: "memory" (dev/tests), "sqlite" (single-node), "postgres" or "mysql"
+	// (HA). Empty disables FGA.
 	FGAStore string
 	// FGAStoreURL is the OpenFGA datastore connection URI: a file: URI for
 	// sqlite, or a DSN for postgres/mysql. Ignored for the memory store.
 	FGAStoreURL string
-	// FGAExternalURL is the gRPC URL of an external OpenFGA service. Only used
-	// when FGAMode is "external".
-	FGAExternalURL string
 }
diff --git a/internal/graph/generated/generated.go b/internal/graph/generated/generated.go
index a3cc8236..d4376834 100644
--- a/internal/graph/generated/generated.go
+++ b/internal/graph/generated/generated.go
@@ -3319,7 +3319,7 @@ input SessionQueryRequest {
   state: String
   # required_relations gates the session on fine-grained authorization.
   # Each (relation, object) is checked against the authenticated caller with
-  # AND semantics, fail-closed. Requires fine-grained authorization enabled (--fga-store / --fga-external-url).
+  # AND semantics, fail-closed. Requires fine-grained authorization enabled (--fga-store).
   required_relations: [FgaRelationInput!]
 }
 
@@ -3350,7 +3350,7 @@ input ValidateJWTTokenRequest {
   token: String!
   roles: [String!]
   # required_relations gates validation on fine-grained authorization.
-  # AND semantics, fail-closed. Requires fine-grained authorization enabled (--fga-store / --fga-external-url).
+  # AND semantics, fail-closed. Requires fine-grained authorization enabled (--fga-store).
   required_relations: [FgaRelationInput!]
 }
 
@@ -3358,7 +3358,7 @@ input ValidateSessionRequest {
   cookie: String!
   roles: [String!]
   # required_relations gates validation on fine-grained authorization.
-  # AND semantics, fail-closed. Requires fine-grained authorization enabled (--fga-store / --fga-external-url).
+  # AND semantics, fail-closed. Requires fine-grained authorization enabled (--fga-store).
   required_relations: [FgaRelationInput!]
 }
 
diff --git a/internal/graph/schema.graphqls b/internal/graph/schema.graphqls
index 44de1094..168fd3f8 100644
--- a/internal/graph/schema.graphqls
+++ b/internal/graph/schema.graphqls
@@ -562,7 +562,7 @@ input SessionQueryRequest {
   state: String
   # required_relations gates the session on fine-grained authorization.
   # Each (relation, object) is checked against the authenticated caller with
-  # AND semantics, fail-closed. Requires fine-grained authorization enabled (--fga-store / --fga-external-url).
+  # AND semantics, fail-closed. Requires fine-grained authorization enabled (--fga-store).
   required_relations: [FgaRelationInput!]
 }
 
@@ -593,7 +593,7 @@ input ValidateJWTTokenRequest {
   token: String!
   roles: [String!]
   # required_relations gates validation on fine-grained authorization.
-  # AND semantics, fail-closed. Requires fine-grained authorization enabled (--fga-store / --fga-external-url).
+  # AND semantics, fail-closed. Requires fine-grained authorization enabled (--fga-store).
   required_relations: [FgaRelationInput!]
 }
 
@@ -601,7 +601,7 @@ input ValidateSessionRequest {
   cookie: String!
   roles: [String!]
   # required_relations gates validation on fine-grained authorization.
-  # AND semantics, fail-closed. Requires fine-grained authorization enabled (--fga-store / --fga-external-url).
+  # AND semantics, fail-closed. Requires fine-grained authorization enabled (--fga-store).
   required_relations: [FgaRelationInput!]
 }
 
diff --git a/internal/graphql/fga_admin.go b/internal/graphql/fga_admin.go
index f4477b97..9cada128 100644
--- a/internal/graphql/fga_admin.go
+++ b/internal/graphql/fga_admin.go
@@ -15,7 +15,7 @@ import (
 )
 
 // errFgaNotEnabled is returned by every FGA resolver when no authorization
-// engine is configured (no --fga-store / --fga-external-url). Fail-closed.
+// engine is configured (no --fga-store). Fail-closed.
 var errFgaNotEnabled = errors.New("fine-grained authorization is not enabled")
 
 // maxFgaTuplesPerWrite caps the number of tuples accepted in a single write or
diff --git a/internal/graphql/provider.go b/internal/graphql/provider.go
index 464dad10..5a41d143 100644
--- a/internal/graphql/provider.go
+++ b/internal/graphql/provider.go
@@ -40,7 +40,7 @@ type Dependencies struct {
 	// TokenProvider is used to generate tokens
 	TokenProvider token.Provider
 	// AuthzEngine is the fine-grained authorization (FGA) engine.
-	// It is nil unless an FGA store is configured (--fga-store / --fga-external-url);
+	// It is nil unless an FGA store is configured (--fga-store);
 	// resolvers MUST fail closed (return an error) when it is nil.
 	AuthzEngine engine.AuthorizationEngine
 }
diff --git a/internal/http_handlers/provider.go b/internal/http_handlers/provider.go
index c6428a89..a7c4ca71 100644
--- a/internal/http_handlers/provider.go
+++ b/internal/http_handlers/provider.go
@@ -44,7 +44,7 @@ type Dependencies struct {
 	// RateLimitProvider is used for per-IP rate limiting
 	RateLimitProvider rate_limit.Provider
 	// AuthzEngine is the fine-grained authorization (FGA) engine.
-	// It is nil unless an FGA store is configured (--fga-store / --fga-external-url).
+	// It is nil unless an FGA store is configured (--fga-store).
 	AuthzEngine engine.AuthorizationEngine
 }
 

From d3da2ab1a4e5e25a9faddd676d6b0efbd36a21b0 Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Mon, 8 Jun 2026 12:54:07 +0530
Subject: [PATCH 08/39] fix(dashboard): correct FGA "not enabled" message;
 polish empty states

The "not enabled" empty state referenced the removed --authorization-engine=fga
flag. Rewrite it as a helpful empty state: correct enable command (--fga-store)
with copy-to-clipboard, store options (memory/sqlite/postgres/mysql), and a docs
link, styled to the dashboard's blue accent. Also replace the bare "No Tuples"
empty state with guidance on what a tuple is and how to grant the first one.
---
 .../src/components/FgaNotEnabled.tsx          | 104 +++++++++++++++---
 web/dashboard/src/lib/utils.ts                |   2 +-
 .../src/pages/authorization/Tuples.tsx        |  21 +++-
 3 files changed, 104 insertions(+), 23 deletions(-)

diff --git a/web/dashboard/src/components/FgaNotEnabled.tsx b/web/dashboard/src/components/FgaNotEnabled.tsx
index 2ca1016c..5b6770c7 100644
--- a/web/dashboard/src/components/FgaNotEnabled.tsx
+++ b/web/dashboard/src/components/FgaNotEnabled.tsx
@@ -1,24 +1,92 @@
-import React from 'react';
-import { ShieldOff } from 'lucide-react';
+import React, { useState } from 'react';
+import { ShieldCheck, Copy, Check, ExternalLink, Database } from 'lucide-react';
+
+// FgaNotEnabled renders a helpful empty state shown when the backend reports
+// that fine-grained authorization is not enabled. FGA is enabled by starting
+// Authorizer with an OpenFGA datastore configured via --fga-store.
+const ENABLE_CMD = '--fga-store=sqlite --fga-store-url=file:fga.db';
+
+const StoreChip = ({ label }: { label: string }) => (
+	<code className="rounded bg-gray-200/70 px-1 py-0.5 text-[11px] font-medium text-gray-700">
+		{label}
+	</code>
+);
 
-// FgaNotEnabled renders an informative empty state shown when the backend
-// reports that fine-grained authorization is not enabled (the server is not
-// running with --authorization-engine=fga).
 const FgaNotEnabled = () => {
+	const [copied, setCopied] = useState(false);
+
+	const handleCopy = async () => {
+		try {
+			await navigator.clipboard.writeText(ENABLE_CMD);
+			setCopied(true);
+			window.setTimeout(() => setCopied(false), 2000);
+		} catch {
+			/* clipboard unavailable — the command is visible to copy manually */
+		}
+	};
+
 	return (
-		<div className="flex min-h-[40vh] flex-col items-center justify-center text-center text-gray-400">
-			<ShieldOff className="mb-4 h-16 w-16" />
-			<p className="text-2xl font-bold text-gray-600">
-				Fine-Grained Authorization is not enabled
-			</p>
-			<p className="mt-2 max-w-md text-sm text-gray-500">
-				Start the Authorizer server with{' '}
-				<code className="rounded bg-gray-100 px-1.5 py-0.5 text-gray-700">
-					--authorization-engine=fga
-				</code>{' '}
-				to manage authorization models, relationship tuples and run access
-				checks from this dashboard.
-			</p>
+		<div className="flex min-h-[55vh] items-center justify-center px-4">
+			<div className="w-full max-w-xl rounded-2xl border border-gray-100 bg-white p-8 text-center shadow-sm sm:p-10">
+				<div className="mx-auto mb-5 flex h-14 w-14 items-center justify-center rounded-2xl bg-blue-50">
+					<ShieldCheck className="h-7 w-7 text-blue-600" aria-hidden="true" />
+				</div>
+
+				<h2 className="text-xl font-semibold text-gray-900">
+					Fine-Grained Authorization isn&rsquo;t enabled yet
+				</h2>
+				<p className="mx-auto mt-2 max-w-md text-sm leading-relaxed text-gray-500">
+					Turn it on to define an authorization model, grant or revoke access
+					with relationship tuples, and run live access checks &mdash; all from
+					this dashboard.
+				</p>
+
+				<div className="mt-6 rounded-xl border border-gray-100 bg-gray-50 p-4 text-left">
+					<div className="mb-2 flex items-center gap-2 text-xs font-medium uppercase tracking-wide text-gray-500">
+						<Database className="h-3.5 w-3.5" aria-hidden="true" />
+						Enable it &mdash; start Authorizer with a store
+					</div>
+					<div className="flex items-center justify-between gap-3 rounded-lg bg-gray-900 px-3 py-2.5">
+						<code className="overflow-x-auto whitespace-nowrap text-xs text-gray-100">
+							{ENABLE_CMD}
+						</code>
+						<button
+							type="button"
+							onClick={handleCopy}
+							aria-label={copied ? 'Command copied' : 'Copy command'}
+							className="flex shrink-0 items-center gap-1 rounded-md bg-white/10 px-2 py-1 text-xs text-gray-200 transition-colors hover:bg-white/20 focus:outline-none focus-visible:ring-2 focus-visible:ring-blue-400"
+						>
+							{copied ? (
+								<>
+									<Check className="h-3.5 w-3.5 text-green-400" aria-hidden="true" />
+									Copied
+								</>
+							) : (
+								<>
+									<Copy className="h-3.5 w-3.5" aria-hidden="true" />
+									Copy
+								</>
+							)}
+						</button>
+					</div>
+					<p className="mt-2 text-xs leading-relaxed text-gray-500">
+						Use <StoreChip label="memory" /> for local dev,{' '}
+						<StoreChip label="sqlite" /> for a single node, or{' '}
+						<StoreChip label="postgres" /> / <StoreChip label="mysql" /> for HA.
+						Then reload this page.
+					</p>
+				</div>
+
+				<a
+					href="https://docs.authorizer.dev"
+					target="_blank"
+					rel="noopener noreferrer"
+					className="mt-6 inline-flex items-center gap-1.5 rounded-lg bg-blue-500 px-4 py-2 text-sm font-medium text-white transition-colors hover:bg-blue-600 focus:outline-none focus-visible:ring-2 focus-visible:ring-blue-500 focus-visible:ring-offset-2"
+				>
+					Read the documentation
+					<ExternalLink className="h-3.5 w-3.5" aria-hidden="true" />
+				</a>
+			</div>
 		</div>
 	);
 };
diff --git a/web/dashboard/src/lib/utils.ts b/web/dashboard/src/lib/utils.ts
index 2515add1..1c69ea20 100644
--- a/web/dashboard/src/lib/utils.ts
+++ b/web/dashboard/src/lib/utils.ts
@@ -6,7 +6,7 @@ export function cn(...inputs: ClassValue[]) {
 }
 
 // isFgaNotEnabledError detects the backend error returned by every FGA
-// resolver when the server is not running with --authorization-engine=fga.
+// resolver when the server is started without an FGA store (--fga-store).
 // The backend message is "fine-grained authorization is not enabled".
 export function isFgaNotEnabledError(error?: { message?: string } | null) {
 	if (!error?.message) {
diff --git a/web/dashboard/src/pages/authorization/Tuples.tsx b/web/dashboard/src/pages/authorization/Tuples.tsx
index f129fe18..2cc3cb2a 100644
--- a/web/dashboard/src/pages/authorization/Tuples.tsx
+++ b/web/dashboard/src/pages/authorization/Tuples.tsx
@@ -1,7 +1,7 @@
 import React, { useCallback, useEffect, useState } from 'react';
 import { useClient } from 'urql';
 import { toast } from 'sonner';
-import { AlertCircle, Plus, Trash2, ChevronRight, RotateCcw } from 'lucide-react';
+import { Link2, Plus, Trash2, ChevronRight, RotateCcw } from 'lucide-react';
 import { FgaReadTuplesQuery } from '../../graphql/queries';
 import { FgaWriteTuples, FgaDeleteTuples } from '../../graphql/mutation';
 import { Button } from '../../components/ui/button';
@@ -305,9 +305,22 @@ const Tuples = () => {
 					</div>
 				</>
 			) : (
-				<div className="flex min-h-[25vh] flex-col items-center justify-center text-gray-300">
-					<AlertCircle className="mb-2 h-16 w-16" />
-					<p className="text-2xl font-bold">No Tuples</p>
+				<div className="flex min-h-[30vh] flex-col items-center justify-center px-4 text-center">
+					<div className="mb-4 flex h-12 w-12 items-center justify-center rounded-2xl bg-blue-50">
+						<Link2 className="h-6 w-6 text-blue-600" aria-hidden="true" />
+					</div>
+					<p className="text-base font-semibold text-gray-900">
+						No relationship tuples yet
+					</p>
+					<p className="mt-1 max-w-sm text-sm leading-relaxed text-gray-500">
+						Tuples grant access &mdash; e.g.{' '}
+						<code className="rounded bg-gray-100 px-1 py-0.5 text-xs text-gray-700">user:alice</code>{' '}
+						is{' '}
+						<code className="rounded bg-gray-100 px-1 py-0.5 text-xs text-gray-700">viewer</code>{' '}
+						of{' '}
+						<code className="rounded bg-gray-100 px-1 py-0.5 text-xs text-gray-700">document:1</code>.
+						Add one above to grant your first permission.
+					</p>
 				</div>
 			)}
 		</div>

From 07cbf0aadfb4f9addc422a0dd06283db152f6c1d Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Mon, 8 Jun 2026 14:00:56 +0530
Subject: [PATCH 09/39] feat(authz): FGA reuses the main database; --fga-store
 is now an override
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

When the main database is OpenFGA-compatible (sqlite/postgres/mysql/mariadb),
FGA derives its store from --database-url automatically — no extra flags, with
OpenFGA's tables living in the main DB (as the old engine did). --fga-store /
--fga-store-url become overrides, required only when the main DB is unsupported
(mongodb, dynamodb, cassandra, couchbase, arangodb, sqlserver) or to use a
dedicated store.

- config.FGAStoreConfig() resolves the store (explicit override > main-DB
  derivation > disabled); unit-tested across the matrix.
- Migrations run on boot for SQL stores (idempotent, goose-locked → HA-safe).
- Dashboard "not enabled" copy updated to explain auto-reuse + the override.

Verified: a SQLite-configured instance auto-enables FGA (reused_main_db=true)
with no --fga-store and no driver-registration panic.
---
 FGA_OPENFGA_MIGRATION_PLAN.md                 |   4 +-
 cmd/root.go                                   |  31 +++---
 internal/config/config.go                     |  20 ++--
 internal/config/fga.go                        |  55 ++++++++++
 internal/config/fga_test.go                   | 103 ++++++++++++++++++
 .../src/components/FgaNotEnabled.tsx          |  25 +++--
 6 files changed, 204 insertions(+), 34 deletions(-)
 create mode 100644 internal/config/fga.go
 create mode 100644 internal/config/fga_test.go

diff --git a/FGA_OPENFGA_MIGRATION_PLAN.md b/FGA_OPENFGA_MIGRATION_PLAN.md
index e8c7eca6..ced8ff6b 100644
--- a/FGA_OPENFGA_MIGRATION_PLAN.md
+++ b/FGA_OPENFGA_MIGRATION_PLAN.md
@@ -4,7 +4,9 @@
 
 > **Implementation status:** Old FGA (Resource/Scope/Policy/Permission, #607/#610/#611) **fully removed** (never rolled out). New OpenFGA engine seam (Phase 1), GraphQL `_fga_*`/`fga_*` API + engine routed into request paths (Phase 3), and `required_relations` on session/validate (Phase 4) all **DONE** — `go build ./...` green, FGA + integration tests pass, proof-grep clean, principal-pinning + nil-engine handling tested. **Remaining:** dashboard FGA pages (Phase 5, done), SDK cleanup in the separate `authorizer-go`/`authorizer-js` repos (Phase 6), Auth0 import tool + docs (Phase 7).
 >
-> **Config simplification (supersedes D2 + the deployment-mode external-service framing below):** Authorizer **embeds OpenFGA in-process — it IS the engine.** The `--authorization-engine`, `--fga-mode`, and `--fga-external-url` flags were **removed**, along with three dead old-engine flags (`--authorization-cache-ttl`, `--include-permissions-in-token`, `--authorization-log-all-checks`). FGA is enabled solely by `--fga-store` (+ `--fga-store-url`). HA/serverless use the **embedded engine + an external SQL store** (Postgres/MySQL), not a separate OpenFGA service. An external-service client may be added later behind the unchanged `AuthorizationEngine` SPI if a real need arises. The driver-conflict known-issue below is **resolved** (Option B: GORM standardized on `modernc.org/sqlite`).
+> **Config simplification (supersedes D2 + the deployment-mode external-service framing below):** Authorizer **embeds OpenFGA in-process — it IS the engine.** The `--authorization-engine`, `--fga-mode`, and `--fga-external-url` flags were **removed**, along with three dead old-engine flags (`--authorization-cache-ttl`, `--include-permissions-in-token`, `--authorization-log-all-checks`).
+>
+> **FGA reuses the main database by default.** When `--database-type` is `sqlite`/`postgres`/`mysql`/`mariadb`, FGA derives its store from the existing `--database-url` automatically — **no extra flags** (OpenFGA tables live in the main DB, like the old engine; migrations run on boot, goose-locked → HA-safe). `--fga-store` (+ `--fga-store-url`) is an **override**, required only when the main DB is not OpenFGA-compatible (mongodb, dynamodb, cassandra, couchbase, arangodb, sqlserver) or to use a dedicated store. Resolved by `config.FGAStoreConfig()` (unit-tested). The driver-conflict known-issue below is **resolved** (Option B: GORM standardized on `modernc.org/sqlite`), which is what makes same-DB reuse possible.
 
 > ✅ **RESOLVED — SQLite driver double-registration (Option B).** Linking OpenFGA's SQL datastores (`modernc.org/sqlite`) alongside Authorizer's old GORM SQLite driver (`glebarez/go-sqlite`) panicked at startup (`sql: Register called twice for driver sqlite`, since both register the name `sqlite`). Fixed by standardizing GORM on `modernc.org/sqlite` via a local dialect (`internal/storage/db/sql/sqlitedialect/`, a near-verbatim copy of glebarez's MIT dialect with the driver import swapped) and dropping `glebarez/*`. The `fga_sql` build tag was removed — OpenFGA's SQL datastores are now in the **default build**. Verified: default binary starts with no panic; embedded SQLite FGA runs in-process alongside GORM SQLite; full SQLite suite green. Pure-Go, no CGO. *(Maintenance note: the vendored dialect is now Authorizer-maintained — apply modernc/dialect updates manually.)*
 
diff --git a/cmd/root.go b/cmd/root.go
index b17c6a11..1eebbbce 100644
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -237,10 +237,12 @@ func init() {
 	// Back-channel logout (OIDC BCL 1.0)
 	f.StringVar(&rootArgs.config.BackchannelLogoutURI, "backchannel-logout-uri", "", "URL to POST a signed logout_token to when users log out successfully. Leave empty (default) to disable back-channel logout notifications. See OIDC Back-Channel Logout 1.0.")
 
-	// OpenFGA fine-grained authorization. Authorizer embeds the OpenFGA engine
-	// in-process; set --fga-store to enable it.
-	f.StringVar(&rootArgs.config.FGAStore, "fga-store", "", "OpenFGA datastore — set to enable fine-grained authorization: 'memory' (dev/tests), 'sqlite' (single-node), 'postgres' or 'mysql' (HA). Empty = FGA disabled")
-	f.StringVar(&rootArgs.config.FGAStoreURL, "fga-store-url", "", "OpenFGA datastore connection URI (file: URI for sqlite, DSN for postgres/mysql)")
+	// OpenFGA fine-grained authorization. By default FGA reuses the main database
+	// when it is sqlite/postgres/mysql/mariadb (no extra config needed). These
+	// flags override that — required only when the main DB is unsupported
+	// (mongodb, dynamodb, …) or to use a dedicated FGA store.
+	f.StringVar(&rootArgs.config.FGAStore, "fga-store", "", "Override the OpenFGA datastore: 'sqlite', 'postgres', 'mysql', or 'memory' (dev). Default: reuse the main database when it is SQL-compatible; required only for unsupported main DBs (mongodb, dynamodb, …)")
+	f.StringVar(&rootArgs.config.FGAStoreURL, "fga-store-url", "", "Connection URI for an overridden --fga-store (file: URI for sqlite, DSN for postgres/mysql). Ignored when FGA reuses the main database")
 
 	// Deprecated flags
 	f.MarkDeprecated("database_url", "use --database-url instead")
@@ -469,18 +471,18 @@ func runRoot(c *cobra.Command, args []string) {
 	// and the fga_* resolvers fail closed ("fine-grained authorization is not
 	// enabled"). Routed into GraphQL and session/validate below.
 	//
-	// For single-node/dev (memory or sqlite) migrations may run on boot; HA and
-	// serverless must use an external SQL store (postgres/mysql) and run
-	// migrations as a separate init job (see FGA_OPENFGA_MIGRATION_PLAN.md §2.1).
+	// By default FGA reuses the main database (sqlite/postgres/mysql/mariadb);
+	// --fga-store is only needed when the main DB is unsupported (mongodb,
+	// dynamodb, etc.) or to point at a dedicated store. FGAStoreConfig() resolves
+	// this. OpenFGA migrations run on boot for SQL stores (idempotent + goose-
+	// locked, so HA-safe); memory needs none.
 	var authzEngine engine.AuthorizationEngine
-	if rootArgs.config.FGAStore != "" {
-		// Run migrations on boot only for single-node embedded SQLite stores.
-		// memory needs none; postgres/mysql (HA) must migrate out-of-band.
-		runMigrations := strings.EqualFold(rootArgs.config.FGAStore, fgaengine.StoreSQLite)
+	if fgaStore, fgaStoreURL, fgaEnabled := rootArgs.config.FGAStoreConfig(); fgaEnabled {
+		runMigrations := !strings.EqualFold(fgaStore, fgaengine.StoreMemory)
 		fgaEngine, ferr := fgaengine.New(
 			&fgaengine.Config{
-				Store:         rootArgs.config.FGAStore,
-				StoreURL:      rootArgs.config.FGAStoreURL,
+				Store:         fgaStore,
+				StoreURL:      fgaStoreURL,
 				StoreName:     rootArgs.config.OrganizationName,
 				RunMigrations: runMigrations,
 			},
@@ -494,7 +496,8 @@ func runRoot(c *cobra.Command, args []string) {
 		}
 		authzEngine = fgaEngine
 		log.Info().
-			Str("fga_store", rootArgs.config.FGAStore).
+			Str("fga_store", fgaStore).
+			Bool("reused_main_db", strings.TrimSpace(rootArgs.config.FGAStore) == "").
 			Msg("OpenFGA authorization engine initialized (embedded); routed into GraphQL + session/validate")
 	}
 
diff --git a/internal/config/config.go b/internal/config/config.go
index f6ad4e40..5acbfcfd 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -318,15 +318,19 @@ type Config struct {
 	BackchannelLogoutURI string
 
 	// OpenFGA / Fine-Grained Authorization engine. Authorizer embeds OpenFGA
-	// in-process — it IS the engine. FGA is enabled by configuring a store
-	// (FGAStore); with it empty the engine is not constructed and the fga_*
-	// resolvers fail closed ("fine-grained authorization is not enabled").
+	// in-process — it IS the engine. By default FGA reuses the main database
+	// when it is OpenFGA-compatible (sqlite/postgres/mysql/mariadb); see
+	// FGAStoreConfig. Fields below override that. When neither the main DB is
+	// compatible nor FGAStore is set, the engine is not constructed and the
+	// fga_* resolvers fail closed ("fine-grained authorization is not enabled").
 
-	// FGAStore selects the OpenFGA datastore kind and, when non-empty, enables
-	// FGA: "memory" (dev/tests), "sqlite" (single-node), "postgres" or "mysql"
-	// (HA). Empty disables FGA.
+	// FGAStore overrides the OpenFGA datastore kind: "sqlite", "postgres",
+	// "mysql", or "memory" (dev/tests). Empty = reuse the main database when it
+	// is SQL-compatible; required only for unsupported main DBs (mongodb,
+	// dynamodb, …) or to use a dedicated FGA store.
 	FGAStore string
-	// FGAStoreURL is the OpenFGA datastore connection URI: a file: URI for
-	// sqlite, or a DSN for postgres/mysql. Ignored for the memory store.
+	// FGAStoreURL is the connection URI for an overridden FGAStore: a file: URI
+	// for sqlite, or a DSN for postgres/mysql. Ignored when FGA reuses the main
+	// database or for the memory store.
 	FGAStoreURL string
 }
diff --git a/internal/config/fga.go b/internal/config/fga.go
new file mode 100644
index 00000000..b7899b23
--- /dev/null
+++ b/internal/config/fga.go
@@ -0,0 +1,55 @@
+package config
+
+import (
+	"strings"
+
+	"github.com/authorizerdev/authorizer/internal/constants"
+)
+
+// FGAStoreConfig resolves the OpenFGA datastore used by fine-grained
+// authorization (FGA). Authorizer embeds OpenFGA in-process and, in the common
+// case, reuses the main database — when it is one OpenFGA supports (sqlite,
+// postgres, mysql/mariadb) — so no extra flags are needed.
+//
+// When the main database is NOT OpenFGA-compatible (e.g. mongodb, dynamodb,
+// cassandra, couchbase, arangodb, sqlserver), the operator must set FGAStore
+// (and FGAStoreURL) explicitly to point at a SQL store; otherwise FGA is
+// disabled (enabled=false) and the engine is not constructed.
+//
+// An explicit FGAStore always overrides the derived value — e.g. to use a
+// dedicated FGA database even when the main DB is SQL, or 'memory' for tests.
+func (c *Config) FGAStoreConfig() (store string, url string, enabled bool) {
+	// Explicit override wins over the main-DB-derived store.
+	if s := strings.ToLower(strings.TrimSpace(c.FGAStore)); s != "" {
+		if s == "sqlite" {
+			return "sqlite", toSQLiteFileURI(c.FGAStoreURL), true
+		}
+		return s, c.FGAStoreURL, true
+	}
+
+	// Derive from the main database when OpenFGA supports it. Postgres- and
+	// mysql-compatible variants beyond these (cockroachdb, yugabyte, libsql,
+	// planetscale) are intentionally NOT auto-mapped — they require an explicit
+	// --fga-store to avoid silent incompatibilities.
+	switch c.DatabaseType {
+	case constants.DbTypePostgres:
+		return "postgres", c.DatabaseURL, true
+	case constants.DbTypeMysql, constants.DbTypeMariaDB:
+		return "mysql", c.DatabaseURL, true
+	case constants.DbTypeSqlite:
+		return "sqlite", toSQLiteFileURI(c.DatabaseURL), true
+	default:
+		return "", "", false
+	}
+}
+
+// toSQLiteFileURI converts a SQLite path/URL into the file: URI OpenFGA's
+// datastore expects. Authorizer stores a bare path (e.g. "data.db"); OpenFGA
+// wants "file:data.db". Already-prefixed values are returned unchanged.
+func toSQLiteFileURI(dbURL string) string {
+	dbURL = strings.TrimSpace(dbURL)
+	if dbURL == "" || strings.HasPrefix(dbURL, "file:") {
+		return dbURL
+	}
+	return "file:" + dbURL
+}
diff --git a/internal/config/fga_test.go b/internal/config/fga_test.go
new file mode 100644
index 00000000..c1463cd2
--- /dev/null
+++ b/internal/config/fga_test.go
@@ -0,0 +1,103 @@
+package config
+
+import "testing"
+
+func TestFGAStoreConfig(t *testing.T) {
+	cases := []struct {
+		name        string
+		cfg         Config
+		wantStore   string
+		wantURL     string
+		wantEnabled bool
+	}{
+		{
+			name:        "sqlite main db reused, file URI added",
+			cfg:         Config{DatabaseType: "sqlite", DatabaseURL: "data.db"},
+			wantStore:   "sqlite",
+			wantURL:     "file:data.db",
+			wantEnabled: true,
+		},
+		{
+			name:        "sqlite main db already a file URI",
+			cfg:         Config{DatabaseType: "sqlite", DatabaseURL: "file:/var/lib/auth.db"},
+			wantStore:   "sqlite",
+			wantURL:     "file:/var/lib/auth.db",
+			wantEnabled: true,
+		},
+		{
+			name:        "postgres main db reused as-is",
+			cfg:         Config{DatabaseType: "postgres", DatabaseURL: "postgres://u:p@h:5432/db"},
+			wantStore:   "postgres",
+			wantURL:     "postgres://u:p@h:5432/db",
+			wantEnabled: true,
+		},
+		{
+			name:        "mysql main db reused as-is",
+			cfg:         Config{DatabaseType: "mysql", DatabaseURL: "u:p@tcp(h:3306)/db"},
+			wantStore:   "mysql",
+			wantURL:     "u:p@tcp(h:3306)/db",
+			wantEnabled: true,
+		},
+		{
+			name:        "mariadb maps to mysql store",
+			cfg:         Config{DatabaseType: "mariadb", DatabaseURL: "u:p@tcp(h:3306)/db"},
+			wantStore:   "mysql",
+			wantURL:     "u:p@tcp(h:3306)/db",
+			wantEnabled: true,
+		},
+		{
+			name:        "mongodb main db => FGA disabled (no explicit store)",
+			cfg:         Config{DatabaseType: "mongodb", DatabaseURL: "mongodb://h"},
+			wantEnabled: false,
+		},
+		{
+			name:        "dynamodb main db => FGA disabled",
+			cfg:         Config{DatabaseType: "dynamodb", DatabaseURL: "http://h"},
+			wantEnabled: false,
+		},
+		{
+			name:        "explicit fga-store overrides a NoSQL main db",
+			cfg:         Config{DatabaseType: "mongodb", DatabaseURL: "mongodb://h", FGAStore: "postgres", FGAStoreURL: "postgres://x/fga"},
+			wantStore:   "postgres",
+			wantURL:     "postgres://x/fga",
+			wantEnabled: true,
+		},
+		{
+			name:        "explicit sqlite override gets file URI",
+			cfg:         Config{DatabaseType: "mongodb", FGAStore: "sqlite", FGAStoreURL: "fga.db"},
+			wantStore:   "sqlite",
+			wantURL:     "file:fga.db",
+			wantEnabled: true,
+		},
+		{
+			name:        "explicit memory store for tests",
+			cfg:         Config{DatabaseType: "sqlite", DatabaseURL: "data.db", FGAStore: "memory"},
+			wantStore:   "memory",
+			wantURL:     "",
+			wantEnabled: true,
+		},
+		{
+			name:        "cockroachdb is NOT auto-mapped (needs explicit store)",
+			cfg:         Config{DatabaseType: "cockroachdb", DatabaseURL: "postgres://h/db"},
+			wantEnabled: false,
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.name, func(t *testing.T) {
+			store, url, enabled := tc.cfg.FGAStoreConfig()
+			if enabled != tc.wantEnabled {
+				t.Fatalf("enabled = %v, want %v", enabled, tc.wantEnabled)
+			}
+			if !enabled {
+				return
+			}
+			if store != tc.wantStore {
+				t.Errorf("store = %q, want %q", store, tc.wantStore)
+			}
+			if url != tc.wantURL {
+				t.Errorf("url = %q, want %q", url, tc.wantURL)
+			}
+		})
+	}
+}
diff --git a/web/dashboard/src/components/FgaNotEnabled.tsx b/web/dashboard/src/components/FgaNotEnabled.tsx
index 5b6770c7..c670dee9 100644
--- a/web/dashboard/src/components/FgaNotEnabled.tsx
+++ b/web/dashboard/src/components/FgaNotEnabled.tsx
@@ -2,9 +2,11 @@ import React, { useState } from 'react';
 import { ShieldCheck, Copy, Check, ExternalLink, Database } from 'lucide-react';
 
 // FgaNotEnabled renders a helpful empty state shown when the backend reports
-// that fine-grained authorization is not enabled. FGA is enabled by starting
-// Authorizer with an OpenFGA datastore configured via --fga-store.
-const ENABLE_CMD = '--fga-store=sqlite --fga-store-url=file:fga.db';
+// that fine-grained authorization is not enabled. FGA reuses the main database
+// automatically when it is SQLite/Postgres/MySQL; this screen typically means
+// the main database is not OpenFGA-compatible (e.g. MongoDB, DynamoDB), so a
+// SQL store must be pointed to explicitly via --fga-store.
+const ENABLE_CMD = '--fga-store=postgres --fga-store-url=postgres://user:pass@host:5432/db';
 
 const StoreChip = ({ label }: { label: string }) => (
 	<code className="rounded bg-gray-200/70 px-1 py-0.5 text-[11px] font-medium text-gray-700">
@@ -36,15 +38,16 @@ const FgaNotEnabled = () => {
 					Fine-Grained Authorization isn&rsquo;t enabled yet
 				</h2>
 				<p className="mx-auto mt-2 max-w-md text-sm leading-relaxed text-gray-500">
-					Turn it on to define an authorization model, grant or revoke access
-					with relationship tuples, and run live access checks &mdash; all from
-					this dashboard.
+					FGA turns on automatically when Authorizer runs on{' '}
+					<span className="font-medium text-gray-700">SQLite, Postgres or MySQL</span>{' '}
+					&mdash; it reuses your database. Your current database isn&rsquo;t
+					supported by OpenFGA, so point FGA at a SQL store to enable it.
 				</p>
 
 				<div className="mt-6 rounded-xl border border-gray-100 bg-gray-50 p-4 text-left">
 					<div className="mb-2 flex items-center gap-2 text-xs font-medium uppercase tracking-wide text-gray-500">
 						<Database className="h-3.5 w-3.5" aria-hidden="true" />
-						Enable it &mdash; start Authorizer with a store
+						Point FGA at a SQL store
 					</div>
 					<div className="flex items-center justify-between gap-3 rounded-lg bg-gray-900 px-3 py-2.5">
 						<code className="overflow-x-auto whitespace-nowrap text-xs text-gray-100">
@@ -70,10 +73,10 @@ const FgaNotEnabled = () => {
 						</button>
 					</div>
 					<p className="mt-2 text-xs leading-relaxed text-gray-500">
-						Use <StoreChip label="memory" /> for local dev,{' '}
-						<StoreChip label="sqlite" /> for a single node, or{' '}
-						<StoreChip label="postgres" /> / <StoreChip label="mysql" /> for HA.
-						Then reload this page.
+						<StoreChip label="--fga-store" /> accepts{' '}
+						<StoreChip label="sqlite" />, <StoreChip label="postgres" /> or{' '}
+						<StoreChip label="mysql" /> (or <StoreChip label="memory" /> for
+						dev). Then reload this page.
 					</p>
 				</div>
 

From 3a6276426c344773d34e146573fe3ec16c559c45 Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Mon, 8 Jun 2026 14:56:52 +0530
Subject: [PATCH 10/39] test(authz): FGA disabled (and instance works) for
 unsupported DBs without store
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- config: for every database OpenFGA can't use (mongodb, dynamodb, cassandra,
  scylla, couchbase, arangodb, sqlserver, libsql, cockroachdb, yugabyte,
  planetscale), FGAStoreConfig returns disabled when --fga-store/--fga-store-url
  are unset; an explicit --fga-store still enables it.
- integration: validate_session without required_relations succeeds when no FGA
  engine is configured — the instance works normally without FGA.
---
 internal/config/fga_test.go            | 48 +++++++++++++++++++++++++-
 internal/integration_tests/fga_test.go | 24 +++++++++++++
 2 files changed, 71 insertions(+), 1 deletion(-)

diff --git a/internal/config/fga_test.go b/internal/config/fga_test.go
index c1463cd2..0df3c696 100644
--- a/internal/config/fga_test.go
+++ b/internal/config/fga_test.go
@@ -1,6 +1,52 @@
 package config
 
-import "testing"
+import (
+	"testing"
+
+	"github.com/authorizerdev/authorizer/internal/constants"
+)
+
+// TestFGADisabledForUnsupportedDatabasesWithoutOverride verifies that for every
+// database OpenFGA cannot use, FGA is DISABLED when neither --fga-store nor
+// --fga-store-url is set — so the instance runs normally, just without FGA.
+// An explicit --fga-store override still turns it on for those databases.
+func TestFGADisabledForUnsupportedDatabasesWithoutOverride(t *testing.T) {
+	unsupported := []string{
+		constants.DbTypeMongoDB,
+		constants.DbTypeDynamoDB,
+		constants.DbTypeCassandraDB,
+		constants.DbTypeScyllaDB,
+		constants.DbTypeCouchbaseDB,
+		constants.DbTypeArangoDB,
+		constants.DbTypeSqlserver,
+		constants.DbTypeLibSQL,
+		constants.DbTypeCockroachDB,
+		constants.DbTypeYugabyte,
+		constants.DbTypePlanetScaleDB,
+	}
+
+	for _, dbType := range unsupported {
+		t.Run(dbType+" without store => FGA off", func(t *testing.T) {
+			cfg := Config{DatabaseType: dbType, DatabaseURL: "scheme://host/db"}
+			store, url, enabled := cfg.FGAStoreConfig()
+			if enabled {
+				t.Fatalf("FGA must be disabled for %q without --fga-store (got store=%q url=%q)", dbType, store, url)
+			}
+		})
+
+		t.Run(dbType+" with explicit store => FGA on", func(t *testing.T) {
+			cfg := Config{
+				DatabaseType: dbType,
+				DatabaseURL:  "scheme://host/db",
+				FGAStore:     "postgres",
+				FGAStoreURL:  "postgres://u:p@h:5432/fga",
+			}
+			if _, _, enabled := cfg.FGAStoreConfig(); !enabled {
+				t.Fatalf("explicit --fga-store must enable FGA for %q", dbType)
+			}
+		})
+	}
+}
 
 func TestFGAStoreConfig(t *testing.T) {
 	cases := []struct {
diff --git a/internal/integration_tests/fga_test.go b/internal/integration_tests/fga_test.go
index 54a52f94..655d0bf6 100644
--- a/internal/integration_tests/fga_test.go
+++ b/internal/integration_tests/fga_test.go
@@ -549,4 +549,28 @@ func TestFGADisabled(t *testing.T) {
 		assert.Error(t, err)
 		assert.Nil(t, res)
 	})
+
+	// The instance works normally without FGA: a session validated without any
+	// required_relations succeeds even though no FGA engine is configured. This
+	// is the common case for a non-OpenFGA-compatible database (mongodb,
+	// dynamodb, …) started without --fga-store.
+	t.Run("works without FGA: validate_session without required_relations succeeds", func(t *testing.T) {
+		email := "fga_off_ok_" + uuid.New().String() + "@authorizer.dev"
+		password := "Password@123"
+		_, err := ts.GraphQLProvider.SignUp(ctx, &model.SignUpRequest{
+			Email: &email, Password: password, ConfirmPassword: password,
+		})
+		require.NoError(t, err)
+		_, err = ts.GraphQLProvider.Login(ctx, &model.LoginRequest{Email: &email, Password: password})
+		require.NoError(t, err)
+		sessionToken := latestAppSessionCookie(ts)
+		require.NotEmpty(t, sessionToken)
+
+		res, err := ts.GraphQLProvider.ValidateSession(ctx, &model.ValidateSessionRequest{
+			Cookie: sessionToken,
+		})
+		require.NoError(t, err, "session validation must work when FGA is disabled")
+		require.NotNil(t, res)
+		assert.True(t, res.IsValid)
+	})
 }

From e513cc55ed6cfbd82f348913169970689a454d09 Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Mon, 8 Jun 2026 16:43:21 +0530
Subject: [PATCH 11/39] feat(dashboard): visual authorization-model builder (no
 DSL needed)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Replace the raw-DSL-only model editor with a visual builder that generates
OpenFGA DSL under the hood, plus a "DSL (advanced)" escape hatch:

- ModelBuilder: add/edit types, relations and permissions via forms — direct
  assignment (chips), unions, and inheritance ("X from Y"), no DSL knowledge
  needed.
- modelDsl.ts: generateDsl / parseDsl (best-effort) / validateModel /
  plain-English summarize + 3 starter templates (document sharing, folder
  inheritance, org/team/project). Verified round-trip; advanced constructs
  (and / but not / conditions) keep the user in DSL mode.
- Model page: Builder <-> DSL tabs, template chips, live "what this model
  means" summary, clearer intro copy. Loads an existing model into the builder
  when representable, else opens DSL.
---
 .../src/pages/authorization/Model.tsx         | 251 +++++++++++++----
 .../src/pages/authorization/ModelBuilder.tsx  | 225 ++++++++++++++++
 .../src/pages/authorization/modelDsl.ts       | 254 ++++++++++++++++++
 3 files changed, 672 insertions(+), 58 deletions(-)
 create mode 100644 web/dashboard/src/pages/authorization/ModelBuilder.tsx
 create mode 100644 web/dashboard/src/pages/authorization/modelDsl.ts

diff --git a/web/dashboard/src/pages/authorization/Model.tsx b/web/dashboard/src/pages/authorization/Model.tsx
index 2343fd6d..d5653c8d 100644
--- a/web/dashboard/src/pages/authorization/Model.tsx
+++ b/web/dashboard/src/pages/authorization/Model.tsx
@@ -1,7 +1,7 @@
 import React, { useCallback, useEffect, useState } from 'react';
 import { useClient } from 'urql';
 import { toast } from 'sonner';
-import { AlertCircle, Save } from 'lucide-react';
+import { AlertCircle, Save, LayoutGrid, Code2, Info } from 'lucide-react';
 import { FgaGetModelQuery } from '../../graphql/queries';
 import { FgaWriteModel } from '../../graphql/mutation';
 import { Button } from '../../components/ui/button';
@@ -9,44 +9,85 @@ import { Textarea } from '../../components/ui/textarea';
 import { Skeleton } from '../../components/ui/skeleton';
 import { Badge } from '../../components/ui/badge';
 import FgaNotEnabled from '../../components/FgaNotEnabled';
+import ModelBuilder from './ModelBuilder';
+import {
+	generateDsl,
+	parseDsl,
+	validateModel,
+	summarize,
+	TEMPLATES,
+	type ModelDraft,
+} from './modelDsl';
 import { isFgaNotEnabledError } from '../../lib/utils';
-import type {
-	FgaGetModelResponse,
-	FgaWriteModelResponse,
-} from '../../types';
+import type { FgaGetModelResponse, FgaWriteModelResponse } from '../../types';
+
+type Mode = 'builder' | 'dsl';
+
+const STARTER: ModelDraft = { types: [{ name: 'user', relations: [] }] };
+
+const TabButton = ({
+	active,
+	onClick,
+	icon,
+	children,
+}: {
+	active: boolean;
+	onClick: () => void;
+	icon: React.ReactNode;
+	children: React.ReactNode;
+}) => (
+	<button
+		type="button"
+		onClick={onClick}
+		className={`inline-flex items-center gap-1.5 rounded-md px-3 py-1.5 text-sm font-medium transition-colors ${
+			active ? 'bg-blue-50 text-blue-600' : 'text-gray-500 hover:bg-gray-100 hover:text-gray-700'
+		}`}
+	>
+		{icon}
+		{children}
+	</button>
+);
 
 const Model = () => {
 	const client = useClient();
-	const [loading, setLoading] = useState<boolean>(true);
-	const [saving, setSaving] = useState<boolean>(false);
-	const [fgaDisabled, setFgaDisabled] = useState<boolean>(false);
-	const [dsl, setDsl] = useState<string>('');
-	const [modelId, setModelId] = useState<string>('');
-	const [validationError, setValidationError] = useState<string>('');
+	const [loading, setLoading] = useState(true);
+	const [saving, setSaving] = useState(false);
+	const [fgaDisabled, setFgaDisabled] = useState(false);
+	const [mode, setMode] = useState<Mode>('builder');
+	const [builderModel, setBuilderModel] = useState<ModelDraft>(STARTER);
+	const [dsl, setDsl] = useState('');
+	const [modelId, setModelId] = useState('');
+	const [validationError, setValidationError] = useState('');
 
 	const fetchModel = useCallback(async () => {
 		setLoading(true);
 		try {
 			const res = await client
-				.query<FgaGetModelResponse>(
-					FgaGetModelQuery,
-					{},
-					{ requestPolicy: 'network-only' },
-				)
+				.query<FgaGetModelResponse>(FgaGetModelQuery, {}, { requestPolicy: 'network-only' })
 				.toPromise();
 
 			if (res.error) {
-				if (isFgaNotEnabledError(res.error)) {
-					setFgaDisabled(true);
-				} else {
-					toast.error('Failed to load authorization model');
-				}
+				if (isFgaNotEnabledError(res.error)) setFgaDisabled(true);
+				else toast.error('Failed to load authorization model');
 				return;
 			}
 
-			if (res.data?._fga_get_model) {
-				setDsl(res.data._fga_get_model.dsl || '');
-				setModelId(res.data._fga_get_model.id || '');
+			const current = res.data?._fga_get_model;
+			if (current?.dsl) {
+				setDsl(current.dsl);
+				setModelId(current.id || '');
+				const parsed = parseDsl(current.dsl);
+				if (parsed.supported && parsed.model) {
+					setBuilderModel(parsed.model);
+					setMode('builder');
+				} else {
+					// Model uses constructs the builder can't represent — edit in DSL.
+					setMode('dsl');
+				}
+			} else {
+				// No model yet — start in the builder with a base `user` type.
+				setBuilderModel(STARTER);
+				setMode('builder');
 			}
 		} catch {
 			toast.error('Failed to load authorization model');
@@ -59,8 +100,39 @@ const Model = () => {
 		fetchModel();
 	}, [fetchModel]);
 
+	const switchToDsl = () => {
+		setDsl(generateDsl(builderModel));
+		setValidationError('');
+		setMode('dsl');
+	};
+
+	const switchToBuilder = () => {
+		const parsed = parseDsl(dsl);
+		if (parsed.supported && parsed.model) {
+			setBuilderModel(parsed.model);
+			setValidationError('');
+			setMode('builder');
+		} else {
+			toast.error('This model uses advanced constructs — keep editing in DSL');
+		}
+	};
+
+	const applyTemplate = (model: ModelDraft) => {
+		setBuilderModel(model);
+		setMode('builder');
+		setValidationError('');
+	};
+
 	const handleSave = async () => {
-		if (!dsl.trim()) {
+		let dslToSave = dsl;
+		if (mode === 'builder') {
+			const err = validateModel(builderModel);
+			if (err) {
+				setValidationError(err);
+				return;
+			}
+			dslToSave = generateDsl(builderModel);
+		} else if (!dsl.trim()) {
 			setValidationError('Model DSL cannot be empty.');
 			return;
 		}
@@ -68,15 +140,12 @@ const Model = () => {
 		setSaving(true);
 		try {
 			const res = await client
-				.mutation<FgaWriteModelResponse>(FgaWriteModel, {
-					params: { dsl },
-				})
+				.mutation<FgaWriteModelResponse>(FgaWriteModel, { params: { dsl: dslToSave } })
 				.toPromise();
 
 			if (res.error) {
-				if (isFgaNotEnabledError(res.error)) {
-					setFgaDisabled(true);
-				} else {
+				if (isFgaNotEnabledError(res.error)) setFgaDisabled(true);
+				else {
 					setValidationError(res.error.message.replace('[GraphQL] ', ''));
 					toast.error('Failed to save authorization model');
 				}
@@ -85,7 +154,7 @@ const Model = () => {
 
 			if (res.data?._fga_write_model) {
 				setModelId(res.data._fga_write_model.id);
-				setDsl(res.data._fga_write_model.dsl || dsl);
+				setDsl(res.data._fga_write_model.dsl || dslToSave);
 				toast.success('Authorization model saved');
 			}
 		} catch {
@@ -95,57 +164,123 @@ const Model = () => {
 		}
 	};
 
+	const summary = mode === 'builder' ? summarize(builderModel) : [];
+
 	return (
 		<div className="m-5 rounded-md bg-white py-5 px-10">
-			<div className="my-4 flex items-center justify-between">
+			<div className="my-4 flex items-start justify-between gap-4">
 				<div>
-					<h1 className="text-2xl font-semibold text-gray-900">
-						Authorization Model
-					</h1>
-					<p className="mt-1 text-sm text-gray-500">
-						Define the OpenFGA authorization model in DSL form.
+					<h1 className="text-2xl font-semibold text-gray-900">Authorization Model</h1>
+					<p className="mt-1 max-w-2xl text-sm text-gray-500">
+						The model is your permission rulebook: the object <strong>types</strong> you
+						protect, the <strong>relations</strong> on them (owner, editor, viewer…), and how
+						permissions are computed. Define it visually below, or switch to DSL for advanced
+						rules. Then grant access on the <strong>Relationship Tuples</strong> page.
 					</p>
 				</div>
-				{!fgaDisabled && (
-					<Button onClick={handleSave} disabled={saving || loading}>
+				{!fgaDisabled && !loading && (
+					<Button onClick={handleSave} disabled={saving}>
 						<Save className="mr-2 h-4 w-4" />
-						{saving ? 'Saving...' : 'Save Model'}
+						{saving ? 'Saving…' : 'Save model'}
 					</Button>
 				)}
 			</div>
 
 			{loading ? (
 				<div className="space-y-3">
-					<Skeleton className="h-10 w-1/3" />
+					<Skeleton className="h-9 w-64" />
 					<Skeleton className="h-64 w-full" />
 				</div>
 			) : fgaDisabled ? (
 				<FgaNotEnabled />
 			) : (
 				<div className="space-y-4">
-					{modelId && (
-						<div className="flex items-center gap-2 text-sm text-gray-600">
-							<span>Current model id:</span>
-							<Badge variant="secondary">{modelId}</Badge>
+					<div className="flex flex-wrap items-center justify-between gap-3">
+						<div className="inline-flex items-center gap-1 rounded-lg bg-gray-50 p-1">
+							<TabButton
+								active={mode === 'builder'}
+								onClick={() => mode !== 'builder' && switchToBuilder()}
+								icon={<LayoutGrid className="h-4 w-4" />}
+							>
+								Builder
+							</TabButton>
+							<TabButton
+								active={mode === 'dsl'}
+								onClick={() => mode !== 'dsl' && switchToDsl()}
+								icon={<Code2 className="h-4 w-4" />}
+							>
+								DSL (advanced)
+							</TabButton>
+						</div>
+
+						<div className="flex items-center gap-3">
+							{modelId && (
+								<span className="flex items-center gap-1.5 text-xs text-gray-500">
+									active model
+									<Badge variant="secondary">{modelId.slice(0, 12)}…</Badge>
+								</span>
+							)}
+						</div>
+					</div>
+
+					{mode === 'builder' && (
+						<div className="flex flex-wrap items-center gap-2 rounded-lg border border-dashed border-gray-200 p-2">
+							<span className="px-1 text-xs font-medium text-gray-500">Start from a template:</span>
+							{TEMPLATES.map((tpl) => (
+								<button
+									key={tpl.name}
+									type="button"
+									onClick={() => applyTemplate(tpl.model)}
+									title={tpl.description}
+									className="rounded-md border border-gray-200 bg-white px-2.5 py-1 text-xs font-medium text-gray-700 transition-colors hover:border-blue-300 hover:bg-blue-50 hover:text-blue-700"
+								>
+									{tpl.name}
+								</button>
+							))}
 						</div>
 					)}
 
-					<Textarea
-						value={dsl}
-						onChange={(e) => setDsl(e.target.value)}
-						spellCheck={false}
-						className="min-h-[420px] font-mono text-xs leading-relaxed"
-						placeholder={
-							'model\n  schema 1.1\n\ntype user\n\ntype document\n  relations\n    define viewer: [user]\n    define editor: [user]'
-						}
-					/>
+					{mode === 'builder' ? (
+						<div className="grid grid-cols-1 gap-4 lg:grid-cols-3">
+							<div className="lg:col-span-2">
+								<ModelBuilder model={builderModel} onChange={setBuilderModel} />
+							</div>
+							<aside className="lg:col-span-1">
+								<div className="sticky top-4 rounded-xl border border-gray-100 bg-gray-50 p-4">
+									<div className="mb-2 flex items-center gap-1.5 text-xs font-medium uppercase tracking-wide text-gray-500">
+										<Info className="h-3.5 w-3.5" />
+										What this model means
+									</div>
+									{summary.length ? (
+										<ul className="space-y-1.5 text-xs leading-relaxed text-gray-600">
+											{summary.map((s, i) => (
+												<li key={i}>• {s}</li>
+											))}
+										</ul>
+									) : (
+										<p className="text-xs text-gray-400">
+											Add a type with a relation to see a plain-English summary.
+										</p>
+									)}
+								</div>
+							</aside>
+						</div>
+					) : (
+						<Textarea
+							value={dsl}
+							onChange={(e) => setDsl(e.target.value)}
+							spellCheck={false}
+							className="min-h-[420px] font-mono text-xs leading-relaxed"
+							placeholder={
+								'model\n  schema 1.1\n\ntype user\n\ntype document\n  relations\n    define viewer: [user]\n    define editor: [user]\n    define can_view: viewer or editor'
+							}
+						/>
+					)}
 
 					{validationError && (
 						<div className="flex items-start gap-2 rounded-md border border-red-200 bg-red-50 p-3 text-sm text-red-700">
 							<AlertCircle className="mt-0.5 h-4 w-4 shrink-0" />
-							<span className="whitespace-pre-wrap break-words">
-								{validationError}
-							</span>
+							<span className="whitespace-pre-wrap break-words">{validationError}</span>
 						</div>
 					)}
 				</div>
diff --git a/web/dashboard/src/pages/authorization/ModelBuilder.tsx b/web/dashboard/src/pages/authorization/ModelBuilder.tsx
new file mode 100644
index 00000000..bcc277d9
--- /dev/null
+++ b/web/dashboard/src/pages/authorization/ModelBuilder.tsx
@@ -0,0 +1,225 @@
+import React, { useState } from 'react';
+import { Plus, Trash2, X } from 'lucide-react';
+import { Button } from '../../components/ui/button';
+import { Input } from '../../components/ui/input';
+import type { ModelDraft, TypeDef, RelationDef, ComputedTerm } from './modelDsl';
+
+const selectCls =
+	'rounded-md border border-gray-200 bg-white px-2 py-1 text-xs text-gray-600 focus:outline-none focus-visible:ring-2 focus-visible:ring-blue-400';
+
+const Chip = ({ label, onRemove }: { label: string; onRemove: () => void }) => (
+	<span className="inline-flex items-center gap-1 rounded-full bg-blue-50 px-2 py-0.5 text-xs font-medium text-blue-700">
+		<span className="font-mono">{label}</span>
+		<button
+			type="button"
+			onClick={onRemove}
+			aria-label={`Remove ${label}`}
+			className="text-blue-400 transition-colors hover:text-blue-700"
+		>
+			<X className="h-3 w-3" />
+		</button>
+	</span>
+);
+
+// ComputedAdder lets the user add one OR-ed computed term: a relation, optionally
+// inherited "from" another relation on this type.
+const ComputedAdder = ({
+	relNames,
+	onAdd,
+}: {
+	relNames: string[];
+	onAdd: (t: ComputedTerm) => void;
+}) => {
+	const [rel, setRel] = useState('');
+	const [from, setFrom] = useState('');
+	return (
+		<span className="inline-flex items-center gap-1">
+			<select value={rel} onChange={(e) => setRel(e.target.value)} className={selectCls}>
+				<option value="">+ relation…</option>
+				{relNames.map((n) => (
+					<option key={n} value={n}>
+						{n}
+					</option>
+				))}
+			</select>
+			{rel && (
+				<>
+					<select value={from} onChange={(e) => setFrom(e.target.value)} className={selectCls}>
+						<option value="">(direct)</option>
+						{relNames.map((n) => (
+							<option key={n} value={n}>
+								from {n}
+							</option>
+						))}
+					</select>
+					<button
+						type="button"
+						onClick={() => {
+							onAdd(from ? { relation: rel, from } : { relation: rel });
+							setRel('');
+							setFrom('');
+						}}
+						className="rounded-md bg-blue-500 px-2 py-1 text-xs font-medium text-white hover:bg-blue-600"
+					>
+						Add
+					</button>
+				</>
+			)}
+		</span>
+	);
+};
+
+interface Props {
+	model: ModelDraft;
+	onChange: (m: ModelDraft) => void;
+}
+
+const ModelBuilder = ({ model, onChange }: Props) => {
+	const setTypes = (types: TypeDef[]) => onChange({ ...model, types });
+	const updateType = (ti: number, patch: Partial<TypeDef>) =>
+		setTypes(model.types.map((t, i) => (i === ti ? { ...t, ...patch } : t)));
+	const updateRelation = (ti: number, ri: number, patch: Partial<RelationDef>) =>
+		updateType(ti, {
+			relations: model.types[ti].relations.map((r, i) => (i === ri ? { ...r, ...patch } : r)),
+		});
+
+	const typeNames = model.types.map((t) => t.name).filter(Boolean);
+
+	return (
+		<div className="space-y-4">
+			{model.types.map((t, ti) => {
+				const relNames = t.relations.map((r) => r.name).filter(Boolean);
+				return (
+					<div key={ti} className="rounded-xl border border-gray-200 bg-white p-4">
+						<div className="flex items-center gap-3">
+							<span className="text-xs font-medium uppercase tracking-wide text-gray-400">
+								type
+							</span>
+							<Input
+								value={t.name}
+								onChange={(e) => updateType(ti, { name: e.target.value.trim() })}
+								placeholder="document"
+								className="h-8 max-w-[220px] font-mono text-sm"
+							/>
+							<Button
+								variant="ghost"
+								size="sm"
+								className="ml-auto"
+								onClick={() => setTypes(model.types.filter((_, i) => i !== ti))}
+								aria-label="Delete type"
+							>
+								<Trash2 className="h-4 w-4 text-red-500" />
+							</Button>
+						</div>
+
+						{t.relations.length > 0 && (
+							<div className="mt-3 space-y-3 border-t border-gray-100 pt-3">
+								{t.relations.map((r, ri) => (
+									<div key={ri} className="rounded-lg bg-gray-50 p-3">
+										<div className="flex items-center gap-2">
+											<Input
+												value={r.name}
+												onChange={(e) => updateRelation(ti, ri, { name: e.target.value.trim() })}
+												placeholder="viewer"
+												className="h-8 max-w-[200px] font-mono text-sm"
+											/>
+											<Button
+												variant="ghost"
+												size="sm"
+												className="ml-auto"
+												onClick={() =>
+													updateType(ti, {
+														relations: t.relations.filter((_, i) => i !== ri),
+													})
+												}
+												aria-label="Delete relation"
+											>
+												<Trash2 className="h-4 w-4 text-red-400" />
+											</Button>
+										</div>
+
+										<div className="mt-2">
+											<p className="mb-1 text-xs text-gray-500">Directly assignable to</p>
+											<div className="flex flex-wrap items-center gap-1.5">
+												{r.directTypes.map((dt, di) => (
+													<Chip
+														key={di}
+														label={dt}
+														onRemove={() =>
+															updateRelation(ti, ri, {
+																directTypes: r.directTypes.filter((_, i) => i !== di),
+															})
+														}
+													/>
+												))}
+												<select
+													value=""
+													onChange={(e) => {
+														const v = e.target.value;
+														if (v && !r.directTypes.includes(v)) {
+															updateRelation(ti, ri, { directTypes: [...r.directTypes, v] });
+														}
+													}}
+													className={selectCls}
+												>
+													<option value="">+ type…</option>
+													{typeNames.map((n) => (
+														<option key={n} value={n}>
+															{n}
+														</option>
+													))}
+												</select>
+											</div>
+										</div>
+
+										<div className="mt-2">
+											<p className="mb-1 text-xs text-gray-500">Or computed from (union)</p>
+											<div className="flex flex-wrap items-center gap-1.5">
+												{r.computed.map((c, ci) => (
+													<Chip
+														key={ci}
+														label={c.from ? `${c.relation} from ${c.from}` : c.relation}
+														onRemove={() =>
+															updateRelation(ti, ri, {
+																computed: r.computed.filter((_, i) => i !== ci),
+															})
+														}
+													/>
+												))}
+												<ComputedAdder
+													relNames={relNames.filter((n) => n !== r.name)}
+													onAdd={(term) =>
+														updateRelation(ti, ri, { computed: [...r.computed, term] })
+													}
+												/>
+											</div>
+										</div>
+									</div>
+								))}
+							</div>
+						)}
+
+						<Button
+							variant="outline"
+							size="sm"
+							className="mt-3"
+							onClick={() =>
+								updateType(ti, {
+									relations: [...t.relations, { name: '', directTypes: [], computed: [] }],
+								})
+							}
+						>
+							<Plus className="mr-1 h-3.5 w-3.5" /> Add relation / permission
+						</Button>
+					</div>
+				);
+			})}
+
+			<Button variant="outline" onClick={() => setTypes([...model.types, { name: '', relations: [] }])}>
+				<Plus className="mr-2 h-4 w-4" /> Add type
+			</Button>
+		</div>
+	);
+};
+
+export default ModelBuilder;
diff --git a/web/dashboard/src/pages/authorization/modelDsl.ts b/web/dashboard/src/pages/authorization/modelDsl.ts
new file mode 100644
index 00000000..59e4e640
--- /dev/null
+++ b/web/dashboard/src/pages/authorization/modelDsl.ts
@@ -0,0 +1,254 @@
+// modelDsl.ts — pure helpers to convert between a visual ModelDraft and OpenFGA
+// authorization-model DSL. The builder covers the common subset (types, direct
+// assignment, unions via `or`, and inheritance via `X from Y`). Advanced
+// constructs (`and`, `but not`, conditions `with`, grouping) are not represented
+// in the builder — parseDsl reports supported=false for those so the UI can keep
+// the user in raw-DSL mode.
+
+// ComputedTerm is one OR-ed term of a computed relation: either another relation
+// on the same type ({relation}) or an inherited one ({relation, from}).
+export interface ComputedTerm {
+	relation: string;
+	from?: string;
+}
+
+// RelationDef is a single `define <name>: ...`. The effective rule is the union
+// (OR) of directTypes (the `[...]` assignable part) and the computed terms.
+export interface RelationDef {
+	name: string;
+	directTypes: string[]; // e.g. ["user"], ["user", "team#member"], ["folder"]
+	computed: ComputedTerm[]; // OR-ed with directTypes
+}
+
+export interface TypeDef {
+	name: string;
+	relations: RelationDef[];
+}
+
+export interface ModelDraft {
+	types: TypeDef[];
+}
+
+const IDENT = /^[a-zA-Z0-9_]+$/;
+
+// relationExpr renders the right-hand side of a `define`.
+function relationExpr(r: RelationDef): string {
+	const parts: string[] = [];
+	if (r.directTypes.length) {
+		parts.push(`[${r.directTypes.join(', ')}]`);
+	}
+	for (const c of r.computed) {
+		parts.push(c.from ? `${c.relation} from ${c.from}` : c.relation);
+	}
+	return parts.join(' or ');
+}
+
+// generateDsl renders a ModelDraft to OpenFGA DSL.
+export function generateDsl(model: ModelDraft): string {
+	const lines: string[] = ['model', '  schema 1.1', ''];
+	for (const t of model.types) {
+		lines.push(`type ${t.name}`);
+		if (t.relations.length) {
+			lines.push('  relations');
+			for (const r of t.relations) {
+				lines.push(`    define ${r.name}: ${relationExpr(r)}`);
+			}
+		}
+	}
+	return lines.join('\n') + '\n';
+}
+
+// parseDsl best-effort parses DSL into a ModelDraft. supported=false means the
+// model uses constructs the visual builder can't represent — the caller should
+// stay in DSL mode.
+export function parseDsl(dsl: string): { model: ModelDraft | null; supported: boolean } {
+	const types: TypeDef[] = [];
+	let current: TypeDef | null = null;
+
+	for (const raw of dsl.split('\n')) {
+		const trimmed = raw.trim();
+		if (
+			!trimmed ||
+			trimmed === 'model' ||
+			trimmed.startsWith('schema') ||
+			trimmed === 'relations' ||
+			trimmed.startsWith('#')
+		) {
+			continue;
+		}
+
+		if (trimmed.startsWith('type ')) {
+			current = { name: trimmed.slice(5).trim(), relations: [] };
+			types.push(current);
+			continue;
+		}
+
+		if (trimmed.startsWith('define ')) {
+			if (!current) return { model: null, supported: false };
+			const m = trimmed.match(/^define\s+([a-zA-Z0-9_]+)\s*:\s*(.+)$/);
+			if (!m) return { model: null, supported: false };
+			const expr = m[2].trim();
+			// Constructs the builder cannot represent.
+			if (/\bbut\s+not\b|\band\b|[()]|\bwith\b/.test(expr)) {
+				return { model: null, supported: false };
+			}
+			const rel: RelationDef = { name: m[1], directTypes: [], computed: [] };
+			for (const partRaw of expr.split(/\s+or\s+/)) {
+				const part = partRaw.trim();
+				if (!part) continue;
+				if (part.startsWith('[') && part.endsWith(']')) {
+					rel.directTypes.push(
+						...part
+							.slice(1, -1)
+							.split(',')
+							.map((s) => s.trim())
+							.filter(Boolean),
+					);
+				} else if (/\sfrom\s/.test(part)) {
+					const fm = part.match(/^([a-zA-Z0-9_]+)\s+from\s+([a-zA-Z0-9_]+)$/);
+					if (!fm) return { model: null, supported: false };
+					rel.computed.push({ relation: fm[1], from: fm[2] });
+				} else if (IDENT.test(part)) {
+					rel.computed.push({ relation: part });
+				} else {
+					// e.g. a computed userset like team#member — not builder-representable.
+					return { model: null, supported: false };
+				}
+			}
+			current.relations.push(rel);
+			continue;
+		}
+
+		// Unknown non-empty line — be conservative.
+		return { model: null, supported: false };
+	}
+
+	if (!types.length) return { model: null, supported: false };
+	return { model: { types }, supported: true };
+}
+
+// validateModel returns a human-readable error for an unsaveable model, or "".
+export function validateModel(model: ModelDraft): string {
+	if (!model.types.length) return 'Add at least one type.';
+	const names = new Set<string>();
+	for (const t of model.types) {
+		if (!IDENT.test(t.name)) return `Type name "${t.name}" must be alphanumeric/underscore.`;
+		if (names.has(t.name)) return `Duplicate type "${t.name}".`;
+		names.add(t.name);
+		const relNames = new Set<string>();
+		for (const r of t.relations) {
+			if (!IDENT.test(r.name)) return `Relation "${r.name}" on ${t.name} is not a valid name.`;
+			if (relNames.has(r.name)) return `Duplicate relation "${r.name}" on ${t.name}.`;
+			relNames.add(r.name);
+			if (!r.directTypes.length && !r.computed.length) {
+				return `Relation "${r.name}" on ${t.name} needs at least one assignable type or computed relation.`;
+			}
+		}
+	}
+	return '';
+}
+
+// summarize returns plain-English lines describing the model.
+export function summarize(model: ModelDraft): string[] {
+	const out: string[] = [];
+	for (const t of model.types) {
+		for (const r of t.relations) {
+			const bits: string[] = [];
+			if (r.directTypes.length) bits.push(`assigned (${r.directTypes.join(', ')})`);
+			for (const c of r.computed) {
+				bits.push(c.from ? `${c.relation} of its ${c.from}` : `a ${c.relation}`);
+			}
+			out.push(`A user who is ${bits.join(' OR ')} is "${r.name}" of a ${t.name}.`);
+		}
+	}
+	return out;
+}
+
+// TEMPLATES are builder-representable starter models.
+export const TEMPLATES: { name: string; description: string; model: ModelDraft }[] = [
+	{
+		name: 'Document sharing',
+		description: 'Owner / editor / viewer with cascading permissions.',
+		model: {
+			types: [
+				{ name: 'user', relations: [] },
+				{
+					name: 'document',
+					relations: [
+						{ name: 'owner', directTypes: ['user'], computed: [] },
+						{ name: 'editor', directTypes: ['user'], computed: [{ relation: 'owner' }] },
+						{ name: 'viewer', directTypes: ['user'], computed: [{ relation: 'editor' }] },
+						{ name: 'can_view', directTypes: [], computed: [{ relation: 'viewer' }] },
+						{ name: 'can_edit', directTypes: [], computed: [{ relation: 'editor' }] },
+						{ name: 'can_delete', directTypes: [], computed: [{ relation: 'owner' }] },
+					],
+				},
+			],
+		},
+	},
+	{
+		name: 'Folders with inheritance',
+		description: 'Documents inherit viewers from their parent folder.',
+		model: {
+			types: [
+				{ name: 'user', relations: [] },
+				{
+					name: 'folder',
+					relations: [
+						{ name: 'owner', directTypes: ['user'], computed: [] },
+						{ name: 'viewer', directTypes: ['user'], computed: [{ relation: 'owner' }] },
+					],
+				},
+				{
+					name: 'document',
+					relations: [
+						{ name: 'parent', directTypes: ['folder'], computed: [] },
+						{ name: 'owner', directTypes: ['user'], computed: [] },
+						{
+							name: 'viewer',
+							directTypes: ['user'],
+							computed: [{ relation: 'owner' }, { relation: 'viewer', from: 'parent' }],
+						},
+						{ name: 'can_view', directTypes: [], computed: [{ relation: 'viewer' }] },
+					],
+				},
+			],
+		},
+	},
+	{
+		name: 'Org / Team / Project',
+		description: 'Project access flows from team and organization membership.',
+		model: {
+			types: [
+				{ name: 'user', relations: [] },
+				{
+					name: 'organization',
+					relations: [{ name: 'member', directTypes: ['user'], computed: [] }],
+				},
+				{
+					name: 'team',
+					relations: [
+						{ name: 'org', directTypes: ['organization'], computed: [] },
+						{
+							name: 'member',
+							directTypes: ['user'],
+							computed: [{ relation: 'member', from: 'org' }],
+						},
+					],
+				},
+				{
+					name: 'project',
+					relations: [
+						{ name: 'team', directTypes: ['team'], computed: [] },
+						{
+							name: 'viewer',
+							directTypes: ['user'],
+							computed: [{ relation: 'member', from: 'team' }],
+						},
+						{ name: 'can_view', directTypes: [], computed: [{ relation: 'viewer' }] },
+					],
+				},
+			],
+		},
+	},
+];

From 1fb6775e0dd365a67bc89ad37f8af960ab551203 Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Mon, 8 Jun 2026 16:57:00 +0530
Subject: [PATCH 12/39] feat(dashboard): guided 3-step FGA flow, worked
 examples, collapsible nav
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Turn the three Authorization pages into a clear guided workflow:

- AuthSteps: a shared, clickable stepper (1 Define model → 2 Grant access →
  3 Test access) shown on each page, with done/current/upcoming states. Steps
  stay deep-linkable so admins can jump directly.
- Each page now leads with "Step N · <title>", a concrete worked Example
  callout (document-sharing running example), and a "Next →" link to continue.
- "RBAC — your roles" model template generated from the instance's configured
  roles (fetched via admin _env), with role-name sanitization. Round-trip
  verified.
- Sidebar: the Authorization group is now collapsible (chevron, aria-expanded),
  default-open when on an authorization route.
---
 web/dashboard/src/components/Sidebar.tsx      | 69 +++++++++------
 web/dashboard/src/graphql/queries/index.ts    | 10 +++
 .../src/pages/authorization/AuthSteps.tsx     | 83 +++++++++++++++++++
 .../src/pages/authorization/Model.tsx         | 69 +++++++++++++--
 .../src/pages/authorization/Tester.tsx        | 27 ++++--
 .../src/pages/authorization/Tuples.tsx        | 33 ++++++--
 .../src/pages/authorization/modelDsl.ts       | 35 ++++++++
 web/dashboard/src/types.ts                    |  6 ++
 8 files changed, 281 insertions(+), 51 deletions(-)
 create mode 100644 web/dashboard/src/pages/authorization/AuthSteps.tsx

diff --git a/web/dashboard/src/components/Sidebar.tsx b/web/dashboard/src/components/Sidebar.tsx
index 91b3b696..1ffdd6d4 100644
--- a/web/dashboard/src/components/Sidebar.tsx
+++ b/web/dashboard/src/components/Sidebar.tsx
@@ -1,4 +1,4 @@
-import React from 'react';
+import React, { useState } from 'react';
 import { NavLink, useNavigate, useLocation } from 'react-router-dom';
 import { useMutation, useQuery } from 'urql';
 import {
@@ -15,6 +15,7 @@ import {
 	FileCode,
 	Network,
 	SearchCheck,
+	ChevronDown,
 } from 'lucide-react';
 import type { LucideIcon } from 'lucide-react';
 import { cn } from '../lib/utils';
@@ -89,6 +90,7 @@ export const Sidebar = ({ onClose }: SidebarProps) => {
 	const [, logout] = useMutation(AdminLogout);
 	const { setIsLoggedIn } = useAuthContext();
 	const navigate = useNavigate();
+	const [openGroups, setOpenGroups] = useState<Record<string, boolean>>({});
 
 	const handleLogout = async () => {
 		await logout({});
@@ -138,41 +140,56 @@ export const Sidebar = ({ onClose }: SidebarProps) => {
 					);
 				})}
 
-				{/* Grouped navigation */}
+				{/* Grouped navigation (collapsible) */}
 				{navGroups.map((group) => {
 					const isGroupActive = pathname.startsWith(group.basePath);
+					// Default-open when the user is on one of the group's routes.
+					const isOpen = openGroups[group.name] ?? isGroupActive;
 					return (
 						<div key={group.name} className="pt-2">
-							<div
+							<button
+								type="button"
+								onClick={() =>
+									setOpenGroups((prev) => ({ ...prev, [group.name]: !isOpen }))
+								}
+								aria-expanded={isOpen}
 								className={cn(
-									'flex items-center gap-3 px-3 py-2 text-xs font-semibold uppercase tracking-wider',
+									'flex w-full items-center gap-3 rounded-md px-3 py-2 text-xs font-semibold uppercase tracking-wider transition-colors hover:bg-gray-100',
 									isGroupActive ? 'text-blue-600' : 'text-gray-400',
 								)}
 							>
 								<group.icon className="h-4 w-4" />
 								{group.name}
-							</div>
-							<div className="space-y-1">
-								{group.items.map((item) => {
-									const isActive = pathname.startsWith(item.route);
-									return (
-										<NavLink
-											key={item.name}
-											to={item.route}
-											onClick={onClose}
-											className={cn(
-												'flex items-center gap-3 rounded-md py-2 pl-9 pr-3 text-sm font-medium transition-colors',
-												isActive
-													? 'bg-blue-50 text-blue-600'
-													: 'text-gray-700 hover:bg-gray-100 hover:text-gray-900',
-											)}
-										>
-											<item.icon className="h-4 w-4" />
-											{item.name}
-										</NavLink>
-									);
-								})}
-							</div>
+								<ChevronDown
+									className={cn(
+										'ml-auto h-4 w-4 transition-transform duration-200',
+										isOpen ? '' : '-rotate-90',
+									)}
+								/>
+							</button>
+							{isOpen && (
+								<div className="mt-1 space-y-1">
+									{group.items.map((item) => {
+										const isActive = pathname.startsWith(item.route);
+										return (
+											<NavLink
+												key={item.name}
+												to={item.route}
+												onClick={onClose}
+												className={cn(
+													'flex items-center gap-3 rounded-md py-2 pl-9 pr-3 text-sm font-medium transition-colors',
+													isActive
+														? 'bg-blue-50 text-blue-600'
+														: 'text-gray-700 hover:bg-gray-100 hover:text-gray-900',
+												)}
+											>
+												<item.icon className="h-4 w-4" />
+												{item.name}
+											</NavLink>
+										);
+									})}
+								</div>
+							)}
 						</div>
 					);
 				})}
diff --git a/web/dashboard/src/graphql/queries/index.ts b/web/dashboard/src/graphql/queries/index.ts
index 3f43411b..0784c212 100644
--- a/web/dashboard/src/graphql/queries/index.ts
+++ b/web/dashboard/src/graphql/queries/index.ts
@@ -164,3 +164,13 @@ export const FgaCheckQuery = `
     }
   }
 `;
+
+// AdminRolesQuery fetches the instance's configured roles (admin-only _env) so
+// the authorization-model builder can offer a template using the real roles.
+export const AdminRolesQuery = `
+  query adminRoles {
+    _env {
+      ROLES
+    }
+  }
+`;
diff --git a/web/dashboard/src/pages/authorization/AuthSteps.tsx b/web/dashboard/src/pages/authorization/AuthSteps.tsx
new file mode 100644
index 00000000..4cb6dd29
--- /dev/null
+++ b/web/dashboard/src/pages/authorization/AuthSteps.tsx
@@ -0,0 +1,83 @@
+import React from 'react';
+import { Link, useNavigate } from 'react-router-dom';
+import { Check, ArrowRight, Lightbulb } from 'lucide-react';
+
+// The three FGA pages are a sequential workflow: define the model, grant access,
+// then verify. AuthSteps renders that as a clickable stepper shown on each page,
+// so the flow is always visible but any step is reachable directly.
+export const STEPS = [
+	{ n: 1, label: 'Define model', desc: 'Set the rules', route: '/authorization/model' },
+	{ n: 2, label: 'Grant access', desc: 'Who can do what', route: '/authorization/tuples' },
+	{ n: 3, label: 'Test access', desc: 'Verify it works', route: '/authorization/tester' },
+] as const;
+
+const AuthSteps = ({ current }: { current: 1 | 2 | 3 }) => {
+	const navigate = useNavigate();
+	return (
+		<nav aria-label="Fine-grained authorization setup" className="mb-5">
+			<ol className="flex flex-col gap-2 sm:flex-row sm:items-stretch">
+				{STEPS.map((s) => {
+					const state = s.n < current ? 'done' : s.n === current ? 'current' : 'upcoming';
+					return (
+						<li key={s.n} className="flex-1">
+							<button
+								type="button"
+								onClick={() => navigate(s.route)}
+								aria-current={state === 'current' ? 'step' : undefined}
+								className={`flex w-full items-center gap-3 rounded-xl border px-3 py-2.5 text-left transition-colors focus:outline-none focus-visible:ring-2 focus-visible:ring-blue-400 ${
+									state === 'current'
+										? 'border-blue-200 bg-blue-50'
+										: 'border-gray-200 bg-white hover:border-gray-300 hover:bg-gray-50'
+								}`}
+							>
+								<span
+									className={`flex h-7 w-7 shrink-0 items-center justify-center rounded-full text-xs font-semibold ${
+										state === 'done'
+											? 'bg-green-100 text-green-700'
+											: state === 'current'
+												? 'bg-blue-600 text-white'
+												: 'bg-gray-100 text-gray-500'
+									}`}
+								>
+									{state === 'done' ? <Check className="h-4 w-4" aria-hidden="true" /> : s.n}
+								</span>
+								<span className="min-w-0">
+									<span
+										className={`block text-sm font-medium ${
+											state === 'current' ? 'text-blue-700' : 'text-gray-700'
+										}`}
+									>
+										{s.label}
+									</span>
+									<span className="block truncate text-xs text-gray-400">{s.desc}</span>
+								</span>
+							</button>
+						</li>
+					);
+				})}
+			</ol>
+		</nav>
+	);
+};
+
+// Example renders a concrete "for example…" callout, so each step shows what a
+// real entry looks like.
+export const Example = ({ children }: { children: React.ReactNode }) => (
+	<div className="flex items-start gap-2.5 rounded-lg border border-blue-100 bg-blue-50/60 px-3.5 py-2.5 text-sm text-gray-600">
+		<Lightbulb className="mt-0.5 h-4 w-4 shrink-0 text-blue-500" aria-hidden="true" />
+		<div className="leading-relaxed">{children}</div>
+	</div>
+);
+
+// NextStep is the primary "continue the flow" link at the bottom of a step.
+export const NextStep = ({ to, label }: { to: string; label: string }) => (
+	<Link
+		to={to}
+		className="inline-flex items-center gap-1.5 rounded-lg bg-blue-500 px-4 py-2 text-sm font-medium text-white transition-colors hover:bg-blue-600 focus:outline-none focus-visible:ring-2 focus-visible:ring-blue-500 focus-visible:ring-offset-2"
+	>
+		{label}
+		<ArrowRight className="h-4 w-4" aria-hidden="true" />
+	</Link>
+);
+
+export default AuthSteps;
diff --git a/web/dashboard/src/pages/authorization/Model.tsx b/web/dashboard/src/pages/authorization/Model.tsx
index d5653c8d..6775abeb 100644
--- a/web/dashboard/src/pages/authorization/Model.tsx
+++ b/web/dashboard/src/pages/authorization/Model.tsx
@@ -2,7 +2,7 @@ import React, { useCallback, useEffect, useState } from 'react';
 import { useClient } from 'urql';
 import { toast } from 'sonner';
 import { AlertCircle, Save, LayoutGrid, Code2, Info } from 'lucide-react';
-import { FgaGetModelQuery } from '../../graphql/queries';
+import { FgaGetModelQuery, AdminRolesQuery } from '../../graphql/queries';
 import { FgaWriteModel } from '../../graphql/mutation';
 import { Button } from '../../components/ui/button';
 import { Textarea } from '../../components/ui/textarea';
@@ -10,16 +10,22 @@ import { Skeleton } from '../../components/ui/skeleton';
 import { Badge } from '../../components/ui/badge';
 import FgaNotEnabled from '../../components/FgaNotEnabled';
 import ModelBuilder from './ModelBuilder';
+import AuthSteps, { Example, NextStep } from './AuthSteps';
 import {
 	generateDsl,
 	parseDsl,
 	validateModel,
 	summarize,
+	rolesTemplate,
 	TEMPLATES,
 	type ModelDraft,
 } from './modelDsl';
 import { isFgaNotEnabledError } from '../../lib/utils';
-import type { FgaGetModelResponse, FgaWriteModelResponse } from '../../types';
+import type {
+	FgaGetModelResponse,
+	FgaWriteModelResponse,
+	AdminRolesResponse,
+} from '../../types';
 
 type Mode = 'builder' | 'dsl';
 
@@ -58,6 +64,22 @@ const Model = () => {
 	const [dsl, setDsl] = useState('');
 	const [modelId, setModelId] = useState('');
 	const [validationError, setValidationError] = useState('');
+	const [roles, setRoles] = useState<string[]>([]);
+
+	// Fetch the instance's configured roles (admin _env) so the builder can offer
+	// a template built from the real roles. Best-effort: ignore failures.
+	useEffect(() => {
+		client
+			.query<AdminRolesResponse>(AdminRolesQuery, {})
+			.toPromise()
+			.then((res) => {
+				const r = res.data?._env?.ROLES;
+				if (Array.isArray(r)) setRoles(r.filter(Boolean));
+			})
+			.catch(() => {
+				/* roles template just won't be offered */
+			});
+	}, [client]);
 
 	const fetchModel = useCallback(async () => {
 		setLoading(true);
@@ -166,16 +188,31 @@ const Model = () => {
 
 	const summary = mode === 'builder' ? summarize(builderModel) : [];
 
+	// Offer a template built from the instance's configured roles first.
+	const roleModel = rolesTemplate(roles);
+	const templates = [
+		...(roleModel
+			? [
+					{
+						name: 'RBAC — your roles',
+						description: `Your configured roles (${roles.join(', ')}) as relations on a resource.`,
+						model: roleModel,
+					},
+			  ]
+			: []),
+		...TEMPLATES,
+	];
+
 	return (
 		<div className="m-5 rounded-md bg-white py-5 px-10">
+			<AuthSteps current={1} />
 			<div className="my-4 flex items-start justify-between gap-4">
 				<div>
-					<h1 className="text-2xl font-semibold text-gray-900">Authorization Model</h1>
+					<h1 className="text-2xl font-semibold text-gray-900">Step 1 · Define the model</h1>
 					<p className="mt-1 max-w-2xl text-sm text-gray-500">
-						The model is your permission rulebook: the object <strong>types</strong> you
-						protect, the <strong>relations</strong> on them (owner, editor, viewer…), and how
-						permissions are computed. Define it visually below, or switch to DSL for advanced
-						rules. Then grant access on the <strong>Relationship Tuples</strong> page.
+						The model is your permission <strong>rulebook</strong>: the object{' '}
+						<strong>types</strong> you protect, the <strong>relations</strong> on them (owner,
+						editor, viewer…), and how permissions are computed. You write it once.
 					</p>
 				</div>
 				{!fgaDisabled && !loading && (
@@ -185,6 +222,17 @@ const Model = () => {
 					</Button>
 				)}
 			</div>
+			{!fgaDisabled && !loading && (
+				<div className="mb-4">
+					<Example>
+						<strong>Example:</strong> a <code className="rounded bg-white px-1 py-0.5 text-xs">document</code> has{' '}
+						<code className="rounded bg-white px-1 py-0.5 text-xs">viewer</code> and{' '}
+						<code className="rounded bg-white px-1 py-0.5 text-xs">editor</code> relations, and{' '}
+						<code className="rounded bg-white px-1 py-0.5 text-xs">can_view = viewer or editor</code>. Pick a
+						template below to start, then customize.
+					</Example>
+				</div>
+			)}
 
 			{loading ? (
 				<div className="space-y-3">
@@ -226,7 +274,7 @@ const Model = () => {
 					{mode === 'builder' && (
 						<div className="flex flex-wrap items-center gap-2 rounded-lg border border-dashed border-gray-200 p-2">
 							<span className="px-1 text-xs font-medium text-gray-500">Start from a template:</span>
-							{TEMPLATES.map((tpl) => (
+							{templates.map((tpl) => (
 								<button
 									key={tpl.name}
 									type="button"
@@ -283,6 +331,11 @@ const Model = () => {
 							<span className="whitespace-pre-wrap break-words">{validationError}</span>
 						</div>
 					)}
+
+					<div className="flex items-center justify-between border-t border-gray-100 pt-4 text-sm text-gray-500">
+						<span>Save the model, then grant access with relationship tuples.</span>
+						<NextStep to="/authorization/tuples" label="Next: grant access" />
+					</div>
 				</div>
 			)}
 		</div>
diff --git a/web/dashboard/src/pages/authorization/Tester.tsx b/web/dashboard/src/pages/authorization/Tester.tsx
index 835d78c7..5a0de67b 100644
--- a/web/dashboard/src/pages/authorization/Tester.tsx
+++ b/web/dashboard/src/pages/authorization/Tester.tsx
@@ -8,6 +8,7 @@ import { Input } from '../../components/ui/input';
 import { Label } from '../../components/ui/label';
 import { Badge } from '../../components/ui/badge';
 import FgaNotEnabled from '../../components/FgaNotEnabled';
+import AuthSteps, { Example } from './AuthSteps';
 import { isFgaNotEnabledError } from '../../lib/utils';
 import type { FgaTuple, FgaCheckResponse } from '../../types';
 
@@ -101,10 +102,9 @@ const Tester = () => {
 	if (fgaDisabled) {
 		return (
 			<div className="m-5 rounded-md bg-white py-5 px-10">
+				<AuthSteps current={3} />
 				<div className="my-4">
-					<h1 className="text-2xl font-semibold text-gray-900">
-						Access Tester
-					</h1>
+					<h1 className="text-2xl font-semibold text-gray-900">Step 3 · Test access</h1>
 				</div>
 				<FgaNotEnabled />
 			</div>
@@ -113,15 +113,26 @@ const Tester = () => {
 
 	return (
 		<div className="m-5 rounded-md bg-white py-5 px-10">
+			<AuthSteps current={3} />
 			<div className="my-4">
-				<h1 className="text-2xl font-semibold text-gray-900">Access Tester</h1>
-				<p className="mt-1 text-sm text-gray-500">
-					Run a relationship check. The check is evaluated for{' '}
-					<strong>the currently logged-in admin</strong> &mdash; the principal
-					is pinned to your token by the server and cannot be changed here.
+				<h1 className="text-2xl font-semibold text-gray-900">Step 3 · Test access</h1>
+				<p className="mt-1 max-w-2xl text-sm text-gray-500">
+					Verify your rules and grants. The check runs for{' '}
+					<strong>the currently logged-in admin</strong> &mdash; the principal is pinned to your
+					token by the server and cannot be changed here.
 				</p>
 			</div>
 
+			<div className="mb-5">
+				<Example>
+					<strong>Example:</strong> ask &ldquo;can I{' '}
+					<code className="rounded bg-white px-1 py-0.5 text-xs">can_view</code>{' '}
+					<code className="rounded bg-white px-1 py-0.5 text-xs">document:1</code>?&rdquo; &mdash; if
+					you granted yourself <code className="rounded bg-white px-1 py-0.5 text-xs">viewer</code>{' '}
+					on it in step 2, the result is <strong>Allowed</strong>.
+				</Example>
+			</div>
+
 			<form onSubmit={handleCheck} className="max-w-2xl space-y-5">
 				<div className="grid grid-cols-1 gap-3 md:grid-cols-2">
 					<div className="space-y-1">
diff --git a/web/dashboard/src/pages/authorization/Tuples.tsx b/web/dashboard/src/pages/authorization/Tuples.tsx
index 2cc3cb2a..2c70a9fa 100644
--- a/web/dashboard/src/pages/authorization/Tuples.tsx
+++ b/web/dashboard/src/pages/authorization/Tuples.tsx
@@ -17,6 +17,7 @@ import {
 	TableCell,
 } from '../../components/ui/table';
 import FgaNotEnabled from '../../components/FgaNotEnabled';
+import AuthSteps, { Example, NextStep } from './AuthSteps';
 import { isFgaNotEnabledError } from '../../lib/utils';
 import type {
 	FgaTuple,
@@ -177,10 +178,9 @@ const Tuples = () => {
 	if (fgaDisabled) {
 		return (
 			<div className="m-5 rounded-md bg-white py-5 px-10">
+				<AuthSteps current={2} />
 				<div className="my-4">
-					<h1 className="text-2xl font-semibold text-gray-900">
-						Relationship Tuples
-					</h1>
+					<h1 className="text-2xl font-semibold text-gray-900">Step 2 · Grant access</h1>
 				</div>
 				<FgaNotEnabled />
 			</div>
@@ -189,16 +189,26 @@ const Tuples = () => {
 
 	return (
 		<div className="m-5 rounded-md bg-white py-5 px-10">
+			<AuthSteps current={2} />
 			<div className="my-4">
-				<h1 className="text-2xl font-semibold text-gray-900">
-					Relationship Tuples
-				</h1>
-				<p className="mt-1 text-sm text-gray-500">
-					Manage relationship tuples (user, relation, object) stored in the FGA
-					store.
+				<h1 className="text-2xl font-semibold text-gray-900">Step 2 · Grant access</h1>
+				<p className="mt-1 max-w-2xl text-sm text-gray-500">
+					Grant access by adding a <strong>relationship tuple</strong> — it links a{' '}
+					<strong>user</strong> to an <strong>object</strong> via a <strong>relation</strong>{' '}
+					from your model. Add or remove tuples any time to change who has access.
 				</p>
 			</div>
 
+			<div className="mb-4">
+				<Example>
+					<strong>Example:</strong> give{' '}
+					<code className="rounded bg-white px-1 py-0.5 text-xs">user:alice</code> the{' '}
+					<code className="rounded bg-white px-1 py-0.5 text-xs">viewer</code> relation on{' '}
+					<code className="rounded bg-white px-1 py-0.5 text-xs">document:1</code> — now Alice can
+					view that document.
+				</Example>
+			</div>
+
 			{/* Add tuple form */}
 			<form
 				onSubmit={handleAdd}
@@ -323,6 +333,11 @@ const Tuples = () => {
 					</p>
 				</div>
 			)}
+
+			<div className="mt-6 flex items-center justify-between border-t border-gray-100 pt-4 text-sm text-gray-500">
+				<span>Granted some access? Verify it works.</span>
+				<NextStep to="/authorization/tester" label="Next: test access" />
+			</div>
 		</div>
 	);
 };
diff --git a/web/dashboard/src/pages/authorization/modelDsl.ts b/web/dashboard/src/pages/authorization/modelDsl.ts
index 59e4e640..5df5dab2 100644
--- a/web/dashboard/src/pages/authorization/modelDsl.ts
+++ b/web/dashboard/src/pages/authorization/modelDsl.ts
@@ -164,6 +164,41 @@ export function summarize(model: ModelDraft): string[] {
 	return out;
 }
 
+// sanitizeRelationName makes an Authorizer role usable as an OpenFGA relation
+// name (alphanumeric/underscore). e.g. "org-admin" -> "org_admin".
+export function sanitizeRelationName(role: string): string {
+	return role.trim().replace(/[^a-zA-Z0-9_]/g, '_').replace(/^_+|_+$/g, '');
+}
+
+// rolesTemplate builds a starter model from the instance's configured roles:
+// each role becomes a directly-assignable relation on a `resource`, plus a
+// `can_access` permission that any of those roles satisfies. A concrete,
+// builder-friendly starting point the admin can then refine.
+export function rolesTemplate(roles: string[]): ModelDraft | null {
+	const seen = new Set<string>();
+	const roleRelations: RelationDef[] = [];
+	for (const raw of roles) {
+		const name = sanitizeRelationName(raw);
+		if (!name || seen.has(name)) continue;
+		seen.add(name);
+		roleRelations.push({ name, directTypes: ['user'], computed: [] });
+	}
+	if (!roleRelations.length) return null;
+
+	roleRelations.push({
+		name: 'can_access',
+		directTypes: [],
+		computed: roleRelations.map((r) => ({ relation: r.name })),
+	});
+
+	return {
+		types: [
+			{ name: 'user', relations: [] },
+			{ name: 'resource', relations: roleRelations },
+		],
+	};
+}
+
 // TEMPLATES are builder-representable starter models.
 export const TEMPLATES: { name: string; description: string; model: ModelDraft }[] = [
 	{
diff --git a/web/dashboard/src/types.ts b/web/dashboard/src/types.ts
index 3448dd1b..bf011270 100644
--- a/web/dashboard/src/types.ts
+++ b/web/dashboard/src/types.ts
@@ -132,6 +132,12 @@ export interface FgaTuple {
 	object: string;
 }
 
+export interface AdminRolesResponse {
+	_env: {
+		ROLES?: string[] | null;
+	} | null;
+}
+
 export interface FgaGetModelResponse {
 	_fga_get_model: FgaModel;
 }

From 0993846830f36bdc20b0c24ba6049f5b93effc35 Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Mon, 8 Jun 2026 17:28:33 +0530
Subject: [PATCH 13/39] refactor(dashboard): replace fragile model builder with
 react-arborist tree
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The hand-rolled form builder was fragile (delete bug, cluttered layout). Replace
it with a robust master-detail tree editor:

- react-arborist tree shows types -> relations (expand/collapse, keyboard nav,
  per-node add/delete, selection); a detail pane edits the selected node's name,
  assignable types, and computed terms. Builder | DSL stays as two tabs.
- All model edits go through pure, unit-tested mutation helpers in modelDsl.ts
  (add/delete/rename type & relation, add/remove assignable & computed) — this
  eliminates the in-place-mutation delete bug at the source. Verified by a
  standalone mutation test.
- Removed the bespoke ModelBuilder.tsx.
---
 web/dashboard/package-lock.json               | 166 +++++++-
 web/dashboard/package.json                    |   1 +
 .../src/pages/authorization/Model.tsx         |  32 +-
 .../src/pages/authorization/ModelBuilder.tsx  | 225 -----------
 .../src/pages/authorization/ModelTree.tsx     | 373 ++++++++++++++++++
 .../src/pages/authorization/modelDsl.ts       |  59 +++
 6 files changed, 593 insertions(+), 263 deletions(-)
 delete mode 100644 web/dashboard/src/pages/authorization/ModelBuilder.tsx
 create mode 100644 web/dashboard/src/pages/authorization/ModelTree.tsx

diff --git a/web/dashboard/package-lock.json b/web/dashboard/package-lock.json
index d99028a9..503beb4e 100644
--- a/web/dashboard/package-lock.json
+++ b/web/dashboard/package-lock.json
@@ -24,6 +24,7 @@
 				"lodash": "^4.17.21",
 				"lucide-react": "^0.469.0",
 				"react": "^18.3.1",
+				"react-arborist": "^3.10.1",
 				"react-dom": "^18.3.1",
 				"react-dropzone": "^14.3.8",
 				"react-email-editor": "^1.7.11",
@@ -91,7 +92,6 @@
 			"integrity": "sha512-CGOfOJqWjg2qW/Mb6zNsDm+u5vFQ8DxXfbM09z69p5Z6+mE1ikP2jUXw+j42Pf1XTYED2Rni5f95npYeuwMDQA==",
 			"dev": true,
 			"license": "MIT",
-			"peer": true,
 			"dependencies": {
 				"@babel/code-frame": "^7.29.0",
 				"@babel/generator": "^7.29.0",
@@ -295,6 +295,15 @@
 				"@babel/core": "^7.0.0-0"
 			}
 		},
+		"node_modules/@babel/runtime": {
+			"version": "7.29.7",
+			"resolved": "https://registry.npmjs.org/@babel/runtime/-/runtime-7.29.7.tgz",
+			"integrity": "sha512-Nq8OhGWiZIZGV6hLHoyAKLLcJihP/xFeBMGJoUrxTX2psI8dCifzLhZISFb+VWS3wFMRDmCGw5R+dOySCqPLhw==",
+			"license": "MIT",
+			"engines": {
+				"node": ">=6.9.0"
+			}
+		},
 		"node_modules/@babel/template": {
 			"version": "7.28.6",
 			"resolved": "https://registry.npmjs.org/@babel/template/-/template-7.28.6.tgz",
@@ -1717,6 +1726,24 @@
 			"integrity": "sha512-HPwpGIzkl28mWyZqG52jiqDJ12waP11Pa1lGoiyUkIEuMLBP0oeK/C89esbXrxsky5we7dfd8U58nm0SgAWpVw==",
 			"license": "MIT"
 		},
+		"node_modules/@react-dnd/asap": {
+			"version": "4.0.1",
+			"resolved": "https://registry.npmjs.org/@react-dnd/asap/-/asap-4.0.1.tgz",
+			"integrity": "sha512-kLy0PJDDwvwwTXxqTFNAAllPHD73AycE9ypWeln/IguoGBEbvFcPDbCV03G52bEcC5E+YgupBE0VzHGdC8SIXg==",
+			"license": "MIT"
+		},
+		"node_modules/@react-dnd/invariant": {
+			"version": "2.0.0",
+			"resolved": "https://registry.npmjs.org/@react-dnd/invariant/-/invariant-2.0.0.tgz",
+			"integrity": "sha512-xL4RCQBCBDJ+GRwKTFhGUW8GXa4yoDfJrPbLblc3U09ciS+9ZJXJ3Qrcs/x2IODOdIE5kQxvMmE2UKyqUictUw==",
+			"license": "MIT"
+		},
+		"node_modules/@react-dnd/shallowequal": {
+			"version": "2.0.0",
+			"resolved": "https://registry.npmjs.org/@react-dnd/shallowequal/-/shallowequal-2.0.0.tgz",
+			"integrity": "sha512-Pc/AFTdwZwEKJxFJvlxrSmGe/di+aAOBn60sremrpLo6VI/6cmiUYNNwlI5KNYttg7uypzA3ILPMPgxB2GYZEg==",
+			"license": "MIT"
+		},
 		"node_modules/@rolldown/pluginutils": {
 			"version": "1.0.0-beta.27",
 			"resolved": "https://registry.npmjs.org/@rolldown/pluginutils/-/pluginutils-1.0.0-beta.27.tgz",
@@ -2489,7 +2516,6 @@
 			"integrity": "sha512-z9VXpC7MWrhfWipitjNdgCauoMLRdIILQsAEV+ZesIzBq/oUlxk0m3ApZuMFCXdnS4U7KrI+l3WRUEGQ8K1QKw==",
 			"devOptional": true,
 			"license": "MIT",
-			"peer": true,
 			"dependencies": {
 				"@types/prop-types": "*",
 				"csstype": "^3.2.2"
@@ -2501,7 +2527,6 @@
 			"integrity": "sha512-MEe3UeoENYVFXzoXEWsvcpg6ZvlrFNlOQ7EOsvhI3CfAXwzPfO8Qwuxd40nepsYKqyyVQnTdEfv68q91yLcKrQ==",
 			"devOptional": true,
 			"license": "MIT",
-			"peer": true,
 			"peerDependencies": {
 				"@types/react": "^18.0.0"
 			}
@@ -2631,7 +2656,6 @@
 				}
 			],
 			"license": "MIT",
-			"peer": true,
 			"dependencies": {
 				"baseline-browser-mapping": "^2.10.12",
 				"caniuse-lite": "^1.0.30001782",
@@ -2755,6 +2779,26 @@
 			"integrity": "sha512-ypdmJU/TbBby2Dxibuv7ZLW3Bs1QEmM7nHjEANfohJLvE0XVujisn1qPJcZxg+qDucsr+bP6fLD1rPS3AhJ7EQ==",
 			"license": "MIT"
 		},
+		"node_modules/dnd-core": {
+			"version": "14.0.1",
+			"resolved": "https://registry.npmjs.org/dnd-core/-/dnd-core-14.0.1.tgz",
+			"integrity": "sha512-+PVS2VPTgKFPYWo3vAFEA8WPbTf7/xo43TifH9G8S1KqnrQu0o77A3unrF5yOugy4mIz7K5wAVFHUcha7wsz6A==",
+			"license": "MIT",
+			"dependencies": {
+				"@react-dnd/asap": "^4.0.0",
+				"@react-dnd/invariant": "^2.0.0",
+				"redux": "^4.1.1"
+			}
+		},
+		"node_modules/dnd-core/node_modules/redux": {
+			"version": "4.2.1",
+			"resolved": "https://registry.npmjs.org/redux/-/redux-4.2.1.tgz",
+			"integrity": "sha512-LAUYz4lc+Do8/g7aeRa8JkyDErK6ekstQaqWQrNRW//MY1TvCEpMtpTWvlQ+FPbWCx+Xixu/6SHt5N0HR+SB4w==",
+			"license": "MIT",
+			"dependencies": {
+				"@babel/runtime": "^7.9.2"
+			}
+		},
 		"node_modules/electron-to-chromium": {
 			"version": "1.5.335",
 			"resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.335.tgz",
@@ -2828,6 +2872,12 @@
 				"node": ">=6"
 			}
 		},
+		"node_modules/fast-deep-equal": {
+			"version": "3.1.3",
+			"resolved": "https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz",
+			"integrity": "sha512-f3qQ9oQy9j2AhBe/H9VC91wLmKBCCU/gDOnKNAYG5hswO7BLKj09Hc5HYNz9cGI++xlpDCIgDaitVs03ATR84Q==",
+			"license": "MIT"
+		},
 		"node_modules/fdir": {
 			"version": "6.5.0",
 			"resolved": "https://registry.npmjs.org/fdir/-/fdir-6.5.0.tgz",
@@ -2904,11 +2954,19 @@
 			"resolved": "https://registry.npmjs.org/graphql/-/graphql-16.13.2.tgz",
 			"integrity": "sha512-5bJ+nf/UCpAjHM8i06fl7eLyVC9iuNAjm9qzkiu2ZGhM0VscSvS6WDPfAwkdkBuoXGM9FJSbKl6wylMwP9Ktig==",
 			"license": "MIT",
-			"peer": true,
 			"engines": {
 				"node": "^12.22.0 || ^14.16.0 || ^16.0.0 || >=17.0.0"
 			}
 		},
+		"node_modules/hoist-non-react-statics": {
+			"version": "3.3.2",
+			"resolved": "https://registry.npmjs.org/hoist-non-react-statics/-/hoist-non-react-statics-3.3.2.tgz",
+			"integrity": "sha512-/gGivxi8JPKWNm/W0jSmzcMPpfpPLc3dY/6GxhX2hQ9iGj3aDfklV4ET7NjKpSinLpJ5vafa9iiGIEZg10SfBw==",
+			"license": "BSD-3-Clause",
+			"dependencies": {
+				"react-is": "^16.7.0"
+			}
+		},
 		"node_modules/jiti": {
 			"version": "2.6.1",
 			"resolved": "https://registry.npmjs.org/jiti/-/jiti-2.6.1.tgz",
@@ -3259,6 +3317,12 @@
 				"@jridgewell/sourcemap-codec": "^1.5.5"
 			}
 		},
+		"node_modules/memoize-one": {
+			"version": "5.2.1",
+			"resolved": "https://registry.npmjs.org/memoize-one/-/memoize-one-5.2.1.tgz",
+			"integrity": "sha512-zYiwtZUcYyXKo/np96AGZAckk+FWWsUdJ3cHGGmld7+AhvcWmQyGCYUh1hc4Q/pkOhb65dQR/pqCyK0cOaHz4Q==",
+			"license": "MIT"
+		},
 		"node_modules/ms": {
 			"version": "2.1.3",
 			"resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",
@@ -3314,7 +3378,6 @@
 			"integrity": "sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==",
 			"dev": true,
 			"license": "MIT",
-			"peer": true,
 			"engines": {
 				"node": ">=12"
 			},
@@ -3383,7 +3446,6 @@
 			"resolved": "https://registry.npmjs.org/react/-/react-18.3.1.tgz",
 			"integrity": "sha512-wS+hAgJShR0KhEvPJArfuPVN1+Hz1t0Y6n5jLrGQbkb4urgPE/0Rve+1kMB1v/oWgHgm4WIcV+i7F2pTVj+2iQ==",
 			"license": "MIT",
-			"peer": true,
 			"dependencies": {
 				"loose-envify": "^1.1.0"
 			},
@@ -3391,12 +3453,67 @@
 				"node": ">=0.10.0"
 			}
 		},
+		"node_modules/react-arborist": {
+			"version": "3.10.1",
+			"resolved": "https://registry.npmjs.org/react-arborist/-/react-arborist-3.10.1.tgz",
+			"integrity": "sha512-P9WJuj2zvtNGVzaNqTKIIBeS5aDMfvXdYT9KDVOZaALHwcfGJQON+X+gbMscTdAb5frdXDHBWl677HX3XEV1PA==",
+			"license": "MIT",
+			"dependencies": {
+				"react-dnd": "^14.0.3",
+				"react-dnd-html5-backend": "^14.0.3",
+				"react-window": "^1.8.11",
+				"redux": "^5.0.0",
+				"use-sync-external-store": "^1.2.0"
+			},
+			"peerDependencies": {
+				"react": ">= 16.14",
+				"react-dom": ">= 16.14"
+			}
+		},
+		"node_modules/react-dnd": {
+			"version": "14.0.5",
+			"resolved": "https://registry.npmjs.org/react-dnd/-/react-dnd-14.0.5.tgz",
+			"integrity": "sha512-9i1jSgbyVw0ELlEVt/NkCUkxy1hmhJOkePoCH713u75vzHGyXhPDm28oLfc2NMSBjZRM1Y+wRjHXJT3sPrTy+A==",
+			"license": "MIT",
+			"dependencies": {
+				"@react-dnd/invariant": "^2.0.0",
+				"@react-dnd/shallowequal": "^2.0.0",
+				"dnd-core": "14.0.1",
+				"fast-deep-equal": "^3.1.3",
+				"hoist-non-react-statics": "^3.3.2"
+			},
+			"peerDependencies": {
+				"@types/hoist-non-react-statics": ">= 3.3.1",
+				"@types/node": ">= 12",
+				"@types/react": ">= 16",
+				"react": ">= 16.14"
+			},
+			"peerDependenciesMeta": {
+				"@types/hoist-non-react-statics": {
+					"optional": true
+				},
+				"@types/node": {
+					"optional": true
+				},
+				"@types/react": {
+					"optional": true
+				}
+			}
+		},
+		"node_modules/react-dnd-html5-backend": {
+			"version": "14.1.0",
+			"resolved": "https://registry.npmjs.org/react-dnd-html5-backend/-/react-dnd-html5-backend-14.1.0.tgz",
+			"integrity": "sha512-6ONeqEC3XKVf4eVmMTe0oPds+c5B9Foyj8p/ZKLb7kL2qh9COYxiBHv3szd6gztqi/efkmriywLUVlPotqoJyw==",
+			"license": "MIT",
+			"dependencies": {
+				"dnd-core": "14.0.1"
+			}
+		},
 		"node_modules/react-dom": {
 			"version": "18.3.1",
 			"resolved": "https://registry.npmjs.org/react-dom/-/react-dom-18.3.1.tgz",
 			"integrity": "sha512-5m4nQKp+rZRb09LNH59GM4BxTh9251/ylbKIbpe7TpGxfJ+9kv6BLkLBXIjjspbgbnIBNqlI23tRnTWT0snUIw==",
 			"license": "MIT",
-			"peer": true,
 			"dependencies": {
 				"loose-envify": "^1.1.0",
 				"scheduler": "^0.23.2"
@@ -3560,6 +3677,29 @@
 				}
 			}
 		},
+		"node_modules/react-window": {
+			"version": "1.8.11",
+			"resolved": "https://registry.npmjs.org/react-window/-/react-window-1.8.11.tgz",
+			"integrity": "sha512-+SRbUVT2scadgFSWx+R1P754xHPEqvcfSfVX10QYg6POOz+WNgkN48pS+BtZNIMGiL1HYrSEiCkwsMS15QogEQ==",
+			"license": "MIT",
+			"dependencies": {
+				"@babel/runtime": "^7.0.0",
+				"memoize-one": ">=3.1.1 <6"
+			},
+			"engines": {
+				"node": ">8.0.0"
+			},
+			"peerDependencies": {
+				"react": "^15.0.0 || ^16.0.0 || ^17.0.0 || ^18.0.0 || ^19.0.0",
+				"react-dom": "^15.0.0 || ^16.0.0 || ^17.0.0 || ^18.0.0 || ^19.0.0"
+			}
+		},
+		"node_modules/redux": {
+			"version": "5.0.1",
+			"resolved": "https://registry.npmjs.org/redux/-/redux-5.0.1.tgz",
+			"integrity": "sha512-M9/ELqF6fy8FwmkpnF0S3YKOqMyoWJ4+CS5Efg2ct3oY9daQvd/Pc71FpGZsVsbl3Cpb+IIcjBDUnnyBdQbq4w==",
+			"license": "MIT"
+		},
 		"node_modules/rollup": {
 			"version": "4.60.1",
 			"resolved": "https://registry.npmjs.org/rollup/-/rollup-4.60.1.tgz",
@@ -3816,13 +3956,21 @@
 				}
 			}
 		},
+		"node_modules/use-sync-external-store": {
+			"version": "1.6.0",
+			"resolved": "https://registry.npmjs.org/use-sync-external-store/-/use-sync-external-store-1.6.0.tgz",
+			"integrity": "sha512-Pp6GSwGP/NrPIrxVFAIkOQeyw8lFenOHijQWkUTrDvrF4ALqylP2C/KCkeS9dpUM3KvYRQhna5vt7IL95+ZQ9w==",
+			"license": "MIT",
+			"peerDependencies": {
+				"react": "^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0"
+			}
+		},
 		"node_modules/vite": {
 			"version": "7.3.2",
 			"resolved": "https://registry.npmjs.org/vite/-/vite-7.3.2.tgz",
 			"integrity": "sha512-Bby3NOsna2jsjfLVOHKes8sGwgl4TT0E6vvpYgnAYDIF/tie7MRaFthmKuHx1NSXjiTueXH3do80FMQgvEktRg==",
 			"dev": true,
 			"license": "MIT",
-			"peer": true,
 			"dependencies": {
 				"esbuild": "^0.27.0",
 				"fdir": "^6.5.0",
diff --git a/web/dashboard/package.json b/web/dashboard/package.json
index bb493606..06e1c0cd 100644
--- a/web/dashboard/package.json
+++ b/web/dashboard/package.json
@@ -28,6 +28,7 @@
 		"lodash": "^4.17.21",
 		"lucide-react": "^0.469.0",
 		"react": "^18.3.1",
+		"react-arborist": "^3.10.1",
 		"react-dom": "^18.3.1",
 		"react-dropzone": "^14.3.8",
 		"react-email-editor": "^1.7.11",
diff --git a/web/dashboard/src/pages/authorization/Model.tsx b/web/dashboard/src/pages/authorization/Model.tsx
index 6775abeb..3aa8f75c 100644
--- a/web/dashboard/src/pages/authorization/Model.tsx
+++ b/web/dashboard/src/pages/authorization/Model.tsx
@@ -1,7 +1,7 @@
 import React, { useCallback, useEffect, useState } from 'react';
 import { useClient } from 'urql';
 import { toast } from 'sonner';
-import { AlertCircle, Save, LayoutGrid, Code2, Info } from 'lucide-react';
+import { AlertCircle, Save, LayoutGrid, Code2 } from 'lucide-react';
 import { FgaGetModelQuery, AdminRolesQuery } from '../../graphql/queries';
 import { FgaWriteModel } from '../../graphql/mutation';
 import { Button } from '../../components/ui/button';
@@ -9,13 +9,12 @@ import { Textarea } from '../../components/ui/textarea';
 import { Skeleton } from '../../components/ui/skeleton';
 import { Badge } from '../../components/ui/badge';
 import FgaNotEnabled from '../../components/FgaNotEnabled';
-import ModelBuilder from './ModelBuilder';
+import ModelTree from './ModelTree';
 import AuthSteps, { Example, NextStep } from './AuthSteps';
 import {
 	generateDsl,
 	parseDsl,
 	validateModel,
-	summarize,
 	rolesTemplate,
 	TEMPLATES,
 	type ModelDraft,
@@ -186,8 +185,6 @@ const Model = () => {
 		}
 	};
 
-	const summary = mode === 'builder' ? summarize(builderModel) : [];
-
 	// Offer a template built from the instance's configured roles first.
 	const roleModel = rolesTemplate(roles);
 	const templates = [
@@ -289,30 +286,7 @@ const Model = () => {
 					)}
 
 					{mode === 'builder' ? (
-						<div className="grid grid-cols-1 gap-4 lg:grid-cols-3">
-							<div className="lg:col-span-2">
-								<ModelBuilder model={builderModel} onChange={setBuilderModel} />
-							</div>
-							<aside className="lg:col-span-1">
-								<div className="sticky top-4 rounded-xl border border-gray-100 bg-gray-50 p-4">
-									<div className="mb-2 flex items-center gap-1.5 text-xs font-medium uppercase tracking-wide text-gray-500">
-										<Info className="h-3.5 w-3.5" />
-										What this model means
-									</div>
-									{summary.length ? (
-										<ul className="space-y-1.5 text-xs leading-relaxed text-gray-600">
-											{summary.map((s, i) => (
-												<li key={i}>• {s}</li>
-											))}
-										</ul>
-									) : (
-										<p className="text-xs text-gray-400">
-											Add a type with a relation to see a plain-English summary.
-										</p>
-									)}
-								</div>
-							</aside>
-						</div>
+						<ModelTree model={builderModel} onChange={setBuilderModel} />
 					) : (
 						<Textarea
 							value={dsl}
diff --git a/web/dashboard/src/pages/authorization/ModelBuilder.tsx b/web/dashboard/src/pages/authorization/ModelBuilder.tsx
deleted file mode 100644
index bcc277d9..00000000
--- a/web/dashboard/src/pages/authorization/ModelBuilder.tsx
+++ /dev/null
@@ -1,225 +0,0 @@
-import React, { useState } from 'react';
-import { Plus, Trash2, X } from 'lucide-react';
-import { Button } from '../../components/ui/button';
-import { Input } from '../../components/ui/input';
-import type { ModelDraft, TypeDef, RelationDef, ComputedTerm } from './modelDsl';
-
-const selectCls =
-	'rounded-md border border-gray-200 bg-white px-2 py-1 text-xs text-gray-600 focus:outline-none focus-visible:ring-2 focus-visible:ring-blue-400';
-
-const Chip = ({ label, onRemove }: { label: string; onRemove: () => void }) => (
-	<span className="inline-flex items-center gap-1 rounded-full bg-blue-50 px-2 py-0.5 text-xs font-medium text-blue-700">
-		<span className="font-mono">{label}</span>
-		<button
-			type="button"
-			onClick={onRemove}
-			aria-label={`Remove ${label}`}
-			className="text-blue-400 transition-colors hover:text-blue-700"
-		>
-			<X className="h-3 w-3" />
-		</button>
-	</span>
-);
-
-// ComputedAdder lets the user add one OR-ed computed term: a relation, optionally
-// inherited "from" another relation on this type.
-const ComputedAdder = ({
-	relNames,
-	onAdd,
-}: {
-	relNames: string[];
-	onAdd: (t: ComputedTerm) => void;
-}) => {
-	const [rel, setRel] = useState('');
-	const [from, setFrom] = useState('');
-	return (
-		<span className="inline-flex items-center gap-1">
-			<select value={rel} onChange={(e) => setRel(e.target.value)} className={selectCls}>
-				<option value="">+ relation…</option>
-				{relNames.map((n) => (
-					<option key={n} value={n}>
-						{n}
-					</option>
-				))}
-			</select>
-			{rel && (
-				<>
-					<select value={from} onChange={(e) => setFrom(e.target.value)} className={selectCls}>
-						<option value="">(direct)</option>
-						{relNames.map((n) => (
-							<option key={n} value={n}>
-								from {n}
-							</option>
-						))}
-					</select>
-					<button
-						type="button"
-						onClick={() => {
-							onAdd(from ? { relation: rel, from } : { relation: rel });
-							setRel('');
-							setFrom('');
-						}}
-						className="rounded-md bg-blue-500 px-2 py-1 text-xs font-medium text-white hover:bg-blue-600"
-					>
-						Add
-					</button>
-				</>
-			)}
-		</span>
-	);
-};
-
-interface Props {
-	model: ModelDraft;
-	onChange: (m: ModelDraft) => void;
-}
-
-const ModelBuilder = ({ model, onChange }: Props) => {
-	const setTypes = (types: TypeDef[]) => onChange({ ...model, types });
-	const updateType = (ti: number, patch: Partial<TypeDef>) =>
-		setTypes(model.types.map((t, i) => (i === ti ? { ...t, ...patch } : t)));
-	const updateRelation = (ti: number, ri: number, patch: Partial<RelationDef>) =>
-		updateType(ti, {
-			relations: model.types[ti].relations.map((r, i) => (i === ri ? { ...r, ...patch } : r)),
-		});
-
-	const typeNames = model.types.map((t) => t.name).filter(Boolean);
-
-	return (
-		<div className="space-y-4">
-			{model.types.map((t, ti) => {
-				const relNames = t.relations.map((r) => r.name).filter(Boolean);
-				return (
-					<div key={ti} className="rounded-xl border border-gray-200 bg-white p-4">
-						<div className="flex items-center gap-3">
-							<span className="text-xs font-medium uppercase tracking-wide text-gray-400">
-								type
-							</span>
-							<Input
-								value={t.name}
-								onChange={(e) => updateType(ti, { name: e.target.value.trim() })}
-								placeholder="document"
-								className="h-8 max-w-[220px] font-mono text-sm"
-							/>
-							<Button
-								variant="ghost"
-								size="sm"
-								className="ml-auto"
-								onClick={() => setTypes(model.types.filter((_, i) => i !== ti))}
-								aria-label="Delete type"
-							>
-								<Trash2 className="h-4 w-4 text-red-500" />
-							</Button>
-						</div>
-
-						{t.relations.length > 0 && (
-							<div className="mt-3 space-y-3 border-t border-gray-100 pt-3">
-								{t.relations.map((r, ri) => (
-									<div key={ri} className="rounded-lg bg-gray-50 p-3">
-										<div className="flex items-center gap-2">
-											<Input
-												value={r.name}
-												onChange={(e) => updateRelation(ti, ri, { name: e.target.value.trim() })}
-												placeholder="viewer"
-												className="h-8 max-w-[200px] font-mono text-sm"
-											/>
-											<Button
-												variant="ghost"
-												size="sm"
-												className="ml-auto"
-												onClick={() =>
-													updateType(ti, {
-														relations: t.relations.filter((_, i) => i !== ri),
-													})
-												}
-												aria-label="Delete relation"
-											>
-												<Trash2 className="h-4 w-4 text-red-400" />
-											</Button>
-										</div>
-
-										<div className="mt-2">
-											<p className="mb-1 text-xs text-gray-500">Directly assignable to</p>
-											<div className="flex flex-wrap items-center gap-1.5">
-												{r.directTypes.map((dt, di) => (
-													<Chip
-														key={di}
-														label={dt}
-														onRemove={() =>
-															updateRelation(ti, ri, {
-																directTypes: r.directTypes.filter((_, i) => i !== di),
-															})
-														}
-													/>
-												))}
-												<select
-													value=""
-													onChange={(e) => {
-														const v = e.target.value;
-														if (v && !r.directTypes.includes(v)) {
-															updateRelation(ti, ri, { directTypes: [...r.directTypes, v] });
-														}
-													}}
-													className={selectCls}
-												>
-													<option value="">+ type…</option>
-													{typeNames.map((n) => (
-														<option key={n} value={n}>
-															{n}
-														</option>
-													))}
-												</select>
-											</div>
-										</div>
-
-										<div className="mt-2">
-											<p className="mb-1 text-xs text-gray-500">Or computed from (union)</p>
-											<div className="flex flex-wrap items-center gap-1.5">
-												{r.computed.map((c, ci) => (
-													<Chip
-														key={ci}
-														label={c.from ? `${c.relation} from ${c.from}` : c.relation}
-														onRemove={() =>
-															updateRelation(ti, ri, {
-																computed: r.computed.filter((_, i) => i !== ci),
-															})
-														}
-													/>
-												))}
-												<ComputedAdder
-													relNames={relNames.filter((n) => n !== r.name)}
-													onAdd={(term) =>
-														updateRelation(ti, ri, { computed: [...r.computed, term] })
-													}
-												/>
-											</div>
-										</div>
-									</div>
-								))}
-							</div>
-						)}
-
-						<Button
-							variant="outline"
-							size="sm"
-							className="mt-3"
-							onClick={() =>
-								updateType(ti, {
-									relations: [...t.relations, { name: '', directTypes: [], computed: [] }],
-								})
-							}
-						>
-							<Plus className="mr-1 h-3.5 w-3.5" /> Add relation / permission
-						</Button>
-					</div>
-				);
-			})}
-
-			<Button variant="outline" onClick={() => setTypes([...model.types, { name: '', relations: [] }])}>
-				<Plus className="mr-2 h-4 w-4" /> Add type
-			</Button>
-		</div>
-	);
-};
-
-export default ModelBuilder;
diff --git a/web/dashboard/src/pages/authorization/ModelTree.tsx b/web/dashboard/src/pages/authorization/ModelTree.tsx
new file mode 100644
index 00000000..c97755ec
--- /dev/null
+++ b/web/dashboard/src/pages/authorization/ModelTree.tsx
@@ -0,0 +1,373 @@
+import React, { createContext, useContext, useEffect, useRef, useState } from 'react';
+import { Tree } from 'react-arborist';
+import type { NodeRendererProps } from 'react-arborist';
+import { ChevronRight, ChevronDown, Trash2, Plus, X, Boxes, Tag } from 'lucide-react';
+import { Input } from '../../components/ui/input';
+import { Button } from '../../components/ui/button';
+import { Label } from '../../components/ui/label';
+import {
+	type ModelDraft,
+	type ComputedTerm,
+	addType,
+	deleteType,
+	renameType,
+	addRelation,
+	deleteRelation,
+	renameRelation,
+	addAssignable,
+	removeAssignable,
+	addComputed,
+	removeComputed,
+	relationExprText,
+} from './modelDsl';
+
+type Sel = { ti: number; ri: number | null } | null;
+
+interface NodeData {
+	id: string;
+	name: string;
+	kind: 'type' | 'relation';
+	ti: number;
+	ri?: number;
+	expr?: string;
+	children?: NodeData[];
+}
+
+interface TreeActions {
+	onSelect: (sel: Sel) => void;
+	onDelete: (d: NodeData) => void;
+	onAddRelation: (ti: number) => void;
+	selId: string | null;
+}
+const Ctx = createContext<TreeActions>({
+	onSelect: () => {},
+	onDelete: () => {},
+	onAddRelation: () => {},
+	selId: null,
+});
+
+const selToId = (sel: Sel) => (sel ? (sel.ri === null ? `t${sel.ti}` : `t${sel.ti}.r${sel.ri}`) : null);
+
+function buildData(model: ModelDraft): NodeData[] {
+	return model.types.map((t, ti) => ({
+		id: `t${ti}`,
+		kind: 'type',
+		name: t.name || '(unnamed type)',
+		ti,
+		children: t.relations.map((r, ri) => ({
+			id: `t${ti}.r${ri}`,
+			kind: 'relation',
+			name: r.name || '(unnamed)',
+			ti,
+			ri,
+			expr: relationExprText(r),
+		})),
+	}));
+}
+
+// Tree row renderer.
+function Node({ node, style, dragHandle }: NodeRendererProps<NodeData>) {
+	const { onSelect, onDelete, onAddRelation, selId } = useContext(Ctx);
+	const d = node.data;
+	const isType = d.kind === 'type';
+	const selected = node.id === selId;
+	return (
+		<div ref={dragHandle} style={style}>
+			<div
+				className={`group flex h-9 items-center gap-1 rounded-md pr-1 ${
+					selected ? 'bg-blue-50 ring-1 ring-blue-200' : 'hover:bg-gray-50'
+				}`}
+				style={{ paddingLeft: node.level * 18 + 4 }}
+			>
+				{isType ? (
+					<button
+						type="button"
+						onClick={() => node.toggle()}
+						className="rounded p-0.5 text-gray-400 hover:text-gray-600"
+						aria-label={node.isOpen ? 'Collapse' : 'Expand'}
+					>
+						{node.isOpen ? (
+							<ChevronDown className="h-4 w-4" />
+						) : (
+							<ChevronRight className="h-4 w-4" />
+						)}
+					</button>
+				) : (
+					<span className="w-5" />
+				)}
+				{isType ? (
+					<Boxes className="h-4 w-4 shrink-0 text-gray-400" />
+				) : (
+					<Tag className="h-3.5 w-3.5 shrink-0 text-gray-400" />
+				)}
+				<button
+					type="button"
+					onClick={() => onSelect({ ti: d.ti, ri: d.ri ?? null })}
+					className="flex min-w-0 flex-1 items-center gap-2 py-1 text-left"
+				>
+					<span
+						className={`truncate text-sm ${
+							isType ? 'font-medium text-gray-800' : 'text-gray-700'
+						}`}
+					>
+						{d.name}
+					</span>
+					{!isType && (
+						<span className="truncate font-mono text-xs text-gray-400">= {d.expr}</span>
+					)}
+				</button>
+				<div className="flex items-center gap-0.5 opacity-0 transition-opacity group-hover:opacity-100">
+					{isType && (
+						<button
+							type="button"
+							onClick={() => onAddRelation(d.ti)}
+							title="Add relation"
+							aria-label="Add relation"
+							className="rounded p-1 text-gray-400 hover:bg-gray-200 hover:text-gray-700"
+						>
+							<Plus className="h-3.5 w-3.5" />
+						</button>
+					)}
+					<button
+						type="button"
+						onClick={() => onDelete(d)}
+						title="Delete"
+						aria-label={`Delete ${d.name}`}
+						className="rounded p-1 text-gray-400 hover:bg-red-100 hover:text-red-600"
+					>
+						<Trash2 className="h-3.5 w-3.5" />
+					</button>
+				</div>
+			</div>
+		</div>
+	);
+}
+
+const Chip = ({ label, onRemove }: { label: string; onRemove: () => void }) => (
+	<span className="inline-flex items-center gap-1 rounded-full bg-blue-50 px-2 py-0.5 text-xs font-medium text-blue-700">
+		<span className="font-mono">{label}</span>
+		<button type="button" onClick={onRemove} aria-label={`Remove ${label}`} className="text-blue-400 hover:text-blue-700">
+			<X className="h-3 w-3" />
+		</button>
+	</span>
+);
+
+const selectCls =
+	'rounded-md border border-gray-200 bg-white px-2 py-1 text-xs text-gray-600 focus:outline-none focus-visible:ring-2 focus-visible:ring-blue-400';
+
+// Detail pane: edits the selected type or relation.
+const DetailPane = ({
+	model,
+	sel,
+	onChange,
+}: {
+	model: ModelDraft;
+	sel: Sel;
+	onChange: (m: ModelDraft) => void;
+}) => {
+	const [compRel, setCompRel] = useState('');
+	const [compFrom, setCompFrom] = useState('');
+
+	if (!sel || !model.types[sel.ti]) {
+		return (
+			<div className="flex min-h-[200px] items-center justify-center rounded-xl border border-dashed border-gray-200 p-6 text-center text-sm text-gray-400">
+				Select a type or relation on the left to edit it.
+			</div>
+		);
+	}
+
+	const t = model.types[sel.ti];
+
+	if (sel.ri === null) {
+		return (
+			<div className="rounded-xl border border-gray-200 bg-white p-4">
+				<div className="mb-3 text-xs font-medium uppercase tracking-wide text-gray-400">Type</div>
+				<Label htmlFor="type-name">Name</Label>
+				<Input
+					id="type-name"
+					value={t.name}
+					onChange={(e) => onChange(renameType(model, sel.ti, e.target.value.trim()))}
+					placeholder="document"
+					className="mt-1 font-mono text-sm"
+				/>
+				<p className="mt-3 text-xs leading-relaxed text-gray-500">
+					{t.relations.length} relation{t.relations.length === 1 ? '' : 's'}. Use the{' '}
+					<Plus className="inline h-3 w-3" /> on this type in the tree to add one.
+				</p>
+			</div>
+		);
+	}
+
+	const r = t.relations[sel.ri];
+	if (!r) return null;
+	const typeNames = model.types.map((x) => x.name).filter(Boolean);
+	const relNames = t.relations.map((x) => x.name).filter((n) => n && n !== r.name);
+
+	return (
+		<div className="space-y-4 rounded-xl border border-gray-200 bg-white p-4">
+			<div>
+				<div className="mb-3 text-xs font-medium uppercase tracking-wide text-gray-400">
+					Relation on <span className="font-mono lowercase text-gray-500">{t.name}</span>
+				</div>
+				<Label htmlFor="rel-name">Name</Label>
+				<Input
+					id="rel-name"
+					value={r.name}
+					onChange={(e) => onChange(renameRelation(model, sel.ti, sel.ri!, e.target.value.trim()))}
+					placeholder="viewer"
+					className="mt-1 font-mono text-sm"
+				/>
+			</div>
+
+			<div>
+				<p className="mb-1.5 text-xs font-medium text-gray-600">Directly assignable to</p>
+				<div className="flex flex-wrap items-center gap-1.5">
+					{r.directTypes.map((dt, idx) => (
+						<Chip key={idx} label={dt} onRemove={() => onChange(removeAssignable(model, sel.ti, sel.ri!, idx))} />
+					))}
+					<select
+						value=""
+						onChange={(e) => e.target.value && onChange(addAssignable(model, sel.ti, sel.ri!, e.target.value))}
+						className={selectCls}
+					>
+						<option value="">+ type…</option>
+						{typeNames.map((n) => (
+							<option key={n} value={n}>
+								{n}
+							</option>
+						))}
+					</select>
+				</div>
+			</div>
+
+			<div>
+				<p className="mb-1.5 text-xs font-medium text-gray-600">Or computed from (union)</p>
+				<div className="flex flex-wrap items-center gap-1.5">
+					{r.computed.map((c, idx) => (
+						<Chip
+							key={idx}
+							label={c.from ? `${c.relation} from ${c.from}` : c.relation}
+							onRemove={() => onChange(removeComputed(model, sel.ti, sel.ri!, idx))}
+						/>
+					))}
+					<span className="inline-flex items-center gap-1">
+						<select value={compRel} onChange={(e) => setCompRel(e.target.value)} className={selectCls}>
+							<option value="">+ relation…</option>
+							{relNames.map((n) => (
+								<option key={n} value={n}>
+									{n}
+								</option>
+							))}
+						</select>
+						{compRel && (
+							<>
+								<select value={compFrom} onChange={(e) => setCompFrom(e.target.value)} className={selectCls}>
+									<option value="">(direct)</option>
+									{relNames.map((n) => (
+										<option key={n} value={n}>
+											from {n}
+										</option>
+									))}
+								</select>
+								<button
+									type="button"
+									onClick={() => {
+										const term: ComputedTerm = compFrom
+											? { relation: compRel, from: compFrom }
+											: { relation: compRel };
+										onChange(addComputed(model, sel.ti, sel.ri!, term));
+										setCompRel('');
+										setCompFrom('');
+									}}
+									className="rounded-md bg-blue-500 px-2 py-1 text-xs font-medium text-white hover:bg-blue-600"
+								>
+									Add
+								</button>
+							</>
+						)}
+					</span>
+				</div>
+			</div>
+
+			<p className="border-t border-gray-100 pt-3 font-mono text-xs text-gray-500">
+				define {r.name || '…'}: {relationExprText(r)}
+			</p>
+		</div>
+	);
+};
+
+interface Props {
+	model: ModelDraft;
+	onChange: (m: ModelDraft) => void;
+}
+
+const ModelTree = ({ model, onChange }: Props) => {
+	const [sel, setSel] = useState<Sel>(null);
+	const containerRef = useRef<HTMLDivElement>(null);
+	const [width, setWidth] = useState(360);
+
+	useEffect(() => {
+		const el = containerRef.current;
+		if (!el) return;
+		const ro = new ResizeObserver((entries) => {
+			for (const e of entries) setWidth(e.contentRect.width);
+		});
+		ro.observe(el);
+		return () => ro.disconnect();
+	}, []);
+
+	const data = buildData(model);
+	const rowCount = data.reduce((n, t) => n + 1 + (t.children?.length || 0), 0);
+	const height = Math.min(Math.max(rowCount * 36 + 8, 160), 480);
+
+	const actions: TreeActions = {
+		selId: selToId(sel),
+		onSelect: setSel,
+		onDelete: (d) => {
+			onChange(d.kind === 'type' ? deleteType(model, d.ti) : deleteRelation(model, d.ti, d.ri!));
+			setSel(null);
+		},
+		onAddRelation: (ti) => {
+			setSel({ ti, ri: model.types[ti].relations.length });
+			onChange(addRelation(model, ti));
+		},
+	};
+
+	return (
+		<div className="grid grid-cols-1 gap-4 lg:grid-cols-2">
+			<div className="rounded-xl border border-gray-200 bg-white p-2">
+				<div ref={containerRef} className="min-h-[160px]">
+					<Ctx.Provider value={actions}>
+						<Tree<NodeData>
+							data={data}
+							openByDefault
+							width={width}
+							height={height}
+							indent={18}
+							rowHeight={36}
+							disableDrag
+							disableMultiSelection
+						>
+							{Node}
+						</Tree>
+					</Ctx.Provider>
+				</div>
+				<Button
+					variant="outline"
+					size="sm"
+					className="mt-2"
+					onClick={() => {
+						setSel({ ti: model.types.length, ri: null });
+						onChange(addType(model));
+					}}
+				>
+					<Plus className="mr-1 h-3.5 w-3.5" /> Add type
+				</Button>
+			</div>
+
+			<DetailPane key={actions.selId ?? 'none'} model={model} sel={sel} onChange={onChange} />
+		</div>
+	);
+};
+
+export default ModelTree;
diff --git a/web/dashboard/src/pages/authorization/modelDsl.ts b/web/dashboard/src/pages/authorization/modelDsl.ts
index 5df5dab2..70744d73 100644
--- a/web/dashboard/src/pages/authorization/modelDsl.ts
+++ b/web/dashboard/src/pages/authorization/modelDsl.ts
@@ -164,6 +164,65 @@ export function summarize(model: ModelDraft): string[] {
 	return out;
 }
 
+// ── Pure model mutations (kept pure + index-based so they're unit-testable;
+//    the tree editor calls these and never mutates state in place). ───────────
+
+const mapType = (m: ModelDraft, ti: number, fn: (t: TypeDef) => TypeDef): ModelDraft => ({
+	...m,
+	types: m.types.map((t, i) => (i === ti ? fn(t) : t)),
+});
+
+const mapRelation = (
+	m: ModelDraft,
+	ti: number,
+	ri: number,
+	fn: (r: RelationDef) => RelationDef,
+): ModelDraft => mapType(m, ti, (t) => ({ ...t, relations: t.relations.map((r, i) => (i === ri ? fn(r) : r)) }));
+
+export const addType = (m: ModelDraft): ModelDraft => ({
+	...m,
+	types: [...m.types, { name: '', relations: [] }],
+});
+
+export const deleteType = (m: ModelDraft, ti: number): ModelDraft => ({
+	...m,
+	types: m.types.filter((_, i) => i !== ti),
+});
+
+export const renameType = (m: ModelDraft, ti: number, name: string): ModelDraft =>
+	mapType(m, ti, (t) => ({ ...t, name }));
+
+export const addRelation = (m: ModelDraft, ti: number): ModelDraft =>
+	mapType(m, ti, (t) => ({ ...t, relations: [...t.relations, { name: '', directTypes: [], computed: [] }] }));
+
+export const deleteRelation = (m: ModelDraft, ti: number, ri: number): ModelDraft =>
+	mapType(m, ti, (t) => ({ ...t, relations: t.relations.filter((_, i) => i !== ri) }));
+
+export const renameRelation = (m: ModelDraft, ti: number, ri: number, name: string): ModelDraft =>
+	mapRelation(m, ti, ri, (r) => ({ ...r, name }));
+
+export const addAssignable = (m: ModelDraft, ti: number, ri: number, dt: string): ModelDraft =>
+	mapRelation(m, ti, ri, (r) =>
+		r.directTypes.includes(dt) ? r : { ...r, directTypes: [...r.directTypes, dt] },
+	);
+
+export const removeAssignable = (m: ModelDraft, ti: number, ri: number, idx: number): ModelDraft =>
+	mapRelation(m, ti, ri, (r) => ({ ...r, directTypes: r.directTypes.filter((_, i) => i !== idx) }));
+
+export const addComputed = (m: ModelDraft, ti: number, ri: number, term: ComputedTerm): ModelDraft =>
+	mapRelation(m, ti, ri, (r) => ({ ...r, computed: [...r.computed, term] }));
+
+export const removeComputed = (m: ModelDraft, ti: number, ri: number, idx: number): ModelDraft =>
+	mapRelation(m, ti, ri, (r) => ({ ...r, computed: r.computed.filter((_, i) => i !== idx) }));
+
+// relationExprText renders a relation's definition for compact display.
+export function relationExprText(r: RelationDef): string {
+	const parts: string[] = [];
+	if (r.directTypes.length) parts.push(`[${r.directTypes.join(', ')}]`);
+	for (const c of r.computed) parts.push(c.from ? `${c.relation} from ${c.from}` : c.relation);
+	return parts.join(' or ') || '(empty)';
+}
+
 // sanitizeRelationName makes an Authorizer role usable as an OpenFGA relation
 // name (alphanumeric/underscore). e.g. "org-admin" -> "org_admin".
 export function sanitizeRelationName(role: string): string {

From 2492cb88fb3144024a0aed810ef81ac2af9d073b Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Mon, 8 Jun 2026 18:19:52 +0530
Subject: [PATCH 14/39] feat(dashboard): simple example-driven model editor
 with a full example catalog
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Replace the confusing tree/builder + Builder/DSL sub-tabs with one simple,
example-driven editor:

- A catalog of 9 ready-to-use OpenFGA model examples (raw DSL, so they use the
  full language): document sharing, folder hierarchy, organizations & teams,
  RBAC roles, groups, block list (exclusion), multi-tenant SaaS, GitHub-style
  repos, and time-bound access (conditions) — plus a dynamic "Your roles"
  example. Each card shows a description; clicking loads it into the editor.
- One DSL editor + a live plain-English summary + Save. No tree, no builder,
  no model sub-tabs. CRUD is load/edit/save.
- All 9 examples validated against the OpenFGA DSL transformer (the same one
  the backend uses on save). Removed react-arborist and ModelTree.tsx.
---
 web/dashboard/package-lock.json               | 157 -------
 web/dashboard/package.json                    |   1 -
 .../src/pages/authorization/Model.tsx         | 256 ++++-------
 .../src/pages/authorization/ModelTree.tsx     | 373 ---------------
 .../src/pages/authorization/modelDsl.ts       | 431 ++++++++----------
 5 files changed, 290 insertions(+), 928 deletions(-)
 delete mode 100644 web/dashboard/src/pages/authorization/ModelTree.tsx

diff --git a/web/dashboard/package-lock.json b/web/dashboard/package-lock.json
index 503beb4e..98ae6690 100644
--- a/web/dashboard/package-lock.json
+++ b/web/dashboard/package-lock.json
@@ -24,7 +24,6 @@
 				"lodash": "^4.17.21",
 				"lucide-react": "^0.469.0",
 				"react": "^18.3.1",
-				"react-arborist": "^3.10.1",
 				"react-dom": "^18.3.1",
 				"react-dropzone": "^14.3.8",
 				"react-email-editor": "^1.7.11",
@@ -295,15 +294,6 @@
 				"@babel/core": "^7.0.0-0"
 			}
 		},
-		"node_modules/@babel/runtime": {
-			"version": "7.29.7",
-			"resolved": "https://registry.npmjs.org/@babel/runtime/-/runtime-7.29.7.tgz",
-			"integrity": "sha512-Nq8OhGWiZIZGV6hLHoyAKLLcJihP/xFeBMGJoUrxTX2psI8dCifzLhZISFb+VWS3wFMRDmCGw5R+dOySCqPLhw==",
-			"license": "MIT",
-			"engines": {
-				"node": ">=6.9.0"
-			}
-		},
 		"node_modules/@babel/template": {
 			"version": "7.28.6",
 			"resolved": "https://registry.npmjs.org/@babel/template/-/template-7.28.6.tgz",
@@ -1726,24 +1716,6 @@
 			"integrity": "sha512-HPwpGIzkl28mWyZqG52jiqDJ12waP11Pa1lGoiyUkIEuMLBP0oeK/C89esbXrxsky5we7dfd8U58nm0SgAWpVw==",
 			"license": "MIT"
 		},
-		"node_modules/@react-dnd/asap": {
-			"version": "4.0.1",
-			"resolved": "https://registry.npmjs.org/@react-dnd/asap/-/asap-4.0.1.tgz",
-			"integrity": "sha512-kLy0PJDDwvwwTXxqTFNAAllPHD73AycE9ypWeln/IguoGBEbvFcPDbCV03G52bEcC5E+YgupBE0VzHGdC8SIXg==",
-			"license": "MIT"
-		},
-		"node_modules/@react-dnd/invariant": {
-			"version": "2.0.0",
-			"resolved": "https://registry.npmjs.org/@react-dnd/invariant/-/invariant-2.0.0.tgz",
-			"integrity": "sha512-xL4RCQBCBDJ+GRwKTFhGUW8GXa4yoDfJrPbLblc3U09ciS+9ZJXJ3Qrcs/x2IODOdIE5kQxvMmE2UKyqUictUw==",
-			"license": "MIT"
-		},
-		"node_modules/@react-dnd/shallowequal": {
-			"version": "2.0.0",
-			"resolved": "https://registry.npmjs.org/@react-dnd/shallowequal/-/shallowequal-2.0.0.tgz",
-			"integrity": "sha512-Pc/AFTdwZwEKJxFJvlxrSmGe/di+aAOBn60sremrpLo6VI/6cmiUYNNwlI5KNYttg7uypzA3ILPMPgxB2GYZEg==",
-			"license": "MIT"
-		},
 		"node_modules/@rolldown/pluginutils": {
 			"version": "1.0.0-beta.27",
 			"resolved": "https://registry.npmjs.org/@rolldown/pluginutils/-/pluginutils-1.0.0-beta.27.tgz",
@@ -2779,26 +2751,6 @@
 			"integrity": "sha512-ypdmJU/TbBby2Dxibuv7ZLW3Bs1QEmM7nHjEANfohJLvE0XVujisn1qPJcZxg+qDucsr+bP6fLD1rPS3AhJ7EQ==",
 			"license": "MIT"
 		},
-		"node_modules/dnd-core": {
-			"version": "14.0.1",
-			"resolved": "https://registry.npmjs.org/dnd-core/-/dnd-core-14.0.1.tgz",
-			"integrity": "sha512-+PVS2VPTgKFPYWo3vAFEA8WPbTf7/xo43TifH9G8S1KqnrQu0o77A3unrF5yOugy4mIz7K5wAVFHUcha7wsz6A==",
-			"license": "MIT",
-			"dependencies": {
-				"@react-dnd/asap": "^4.0.0",
-				"@react-dnd/invariant": "^2.0.0",
-				"redux": "^4.1.1"
-			}
-		},
-		"node_modules/dnd-core/node_modules/redux": {
-			"version": "4.2.1",
-			"resolved": "https://registry.npmjs.org/redux/-/redux-4.2.1.tgz",
-			"integrity": "sha512-LAUYz4lc+Do8/g7aeRa8JkyDErK6ekstQaqWQrNRW//MY1TvCEpMtpTWvlQ+FPbWCx+Xixu/6SHt5N0HR+SB4w==",
-			"license": "MIT",
-			"dependencies": {
-				"@babel/runtime": "^7.9.2"
-			}
-		},
 		"node_modules/electron-to-chromium": {
 			"version": "1.5.335",
 			"resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.335.tgz",
@@ -2872,12 +2824,6 @@
 				"node": ">=6"
 			}
 		},
-		"node_modules/fast-deep-equal": {
-			"version": "3.1.3",
-			"resolved": "https://registry.npmjs.org/fast-deep-equal/-/fast-deep-equal-3.1.3.tgz",
-			"integrity": "sha512-f3qQ9oQy9j2AhBe/H9VC91wLmKBCCU/gDOnKNAYG5hswO7BLKj09Hc5HYNz9cGI++xlpDCIgDaitVs03ATR84Q==",
-			"license": "MIT"
-		},
 		"node_modules/fdir": {
 			"version": "6.5.0",
 			"resolved": "https://registry.npmjs.org/fdir/-/fdir-6.5.0.tgz",
@@ -2958,15 +2904,6 @@
 				"node": "^12.22.0 || ^14.16.0 || ^16.0.0 || >=17.0.0"
 			}
 		},
-		"node_modules/hoist-non-react-statics": {
-			"version": "3.3.2",
-			"resolved": "https://registry.npmjs.org/hoist-non-react-statics/-/hoist-non-react-statics-3.3.2.tgz",
-			"integrity": "sha512-/gGivxi8JPKWNm/W0jSmzcMPpfpPLc3dY/6GxhX2hQ9iGj3aDfklV4ET7NjKpSinLpJ5vafa9iiGIEZg10SfBw==",
-			"license": "BSD-3-Clause",
-			"dependencies": {
-				"react-is": "^16.7.0"
-			}
-		},
 		"node_modules/jiti": {
 			"version": "2.6.1",
 			"resolved": "https://registry.npmjs.org/jiti/-/jiti-2.6.1.tgz",
@@ -3317,12 +3254,6 @@
 				"@jridgewell/sourcemap-codec": "^1.5.5"
 			}
 		},
-		"node_modules/memoize-one": {
-			"version": "5.2.1",
-			"resolved": "https://registry.npmjs.org/memoize-one/-/memoize-one-5.2.1.tgz",
-			"integrity": "sha512-zYiwtZUcYyXKo/np96AGZAckk+FWWsUdJ3cHGGmld7+AhvcWmQyGCYUh1hc4Q/pkOhb65dQR/pqCyK0cOaHz4Q==",
-			"license": "MIT"
-		},
 		"node_modules/ms": {
 			"version": "2.1.3",
 			"resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",
@@ -3453,62 +3384,6 @@
 				"node": ">=0.10.0"
 			}
 		},
-		"node_modules/react-arborist": {
-			"version": "3.10.1",
-			"resolved": "https://registry.npmjs.org/react-arborist/-/react-arborist-3.10.1.tgz",
-			"integrity": "sha512-P9WJuj2zvtNGVzaNqTKIIBeS5aDMfvXdYT9KDVOZaALHwcfGJQON+X+gbMscTdAb5frdXDHBWl677HX3XEV1PA==",
-			"license": "MIT",
-			"dependencies": {
-				"react-dnd": "^14.0.3",
-				"react-dnd-html5-backend": "^14.0.3",
-				"react-window": "^1.8.11",
-				"redux": "^5.0.0",
-				"use-sync-external-store": "^1.2.0"
-			},
-			"peerDependencies": {
-				"react": ">= 16.14",
-				"react-dom": ">= 16.14"
-			}
-		},
-		"node_modules/react-dnd": {
-			"version": "14.0.5",
-			"resolved": "https://registry.npmjs.org/react-dnd/-/react-dnd-14.0.5.tgz",
-			"integrity": "sha512-9i1jSgbyVw0ELlEVt/NkCUkxy1hmhJOkePoCH713u75vzHGyXhPDm28oLfc2NMSBjZRM1Y+wRjHXJT3sPrTy+A==",
-			"license": "MIT",
-			"dependencies": {
-				"@react-dnd/invariant": "^2.0.0",
-				"@react-dnd/shallowequal": "^2.0.0",
-				"dnd-core": "14.0.1",
-				"fast-deep-equal": "^3.1.3",
-				"hoist-non-react-statics": "^3.3.2"
-			},
-			"peerDependencies": {
-				"@types/hoist-non-react-statics": ">= 3.3.1",
-				"@types/node": ">= 12",
-				"@types/react": ">= 16",
-				"react": ">= 16.14"
-			},
-			"peerDependenciesMeta": {
-				"@types/hoist-non-react-statics": {
-					"optional": true
-				},
-				"@types/node": {
-					"optional": true
-				},
-				"@types/react": {
-					"optional": true
-				}
-			}
-		},
-		"node_modules/react-dnd-html5-backend": {
-			"version": "14.1.0",
-			"resolved": "https://registry.npmjs.org/react-dnd-html5-backend/-/react-dnd-html5-backend-14.1.0.tgz",
-			"integrity": "sha512-6ONeqEC3XKVf4eVmMTe0oPds+c5B9Foyj8p/ZKLb7kL2qh9COYxiBHv3szd6gztqi/efkmriywLUVlPotqoJyw==",
-			"license": "MIT",
-			"dependencies": {
-				"dnd-core": "14.0.1"
-			}
-		},
 		"node_modules/react-dom": {
 			"version": "18.3.1",
 			"resolved": "https://registry.npmjs.org/react-dom/-/react-dom-18.3.1.tgz",
@@ -3677,29 +3552,6 @@
 				}
 			}
 		},
-		"node_modules/react-window": {
-			"version": "1.8.11",
-			"resolved": "https://registry.npmjs.org/react-window/-/react-window-1.8.11.tgz",
-			"integrity": "sha512-+SRbUVT2scadgFSWx+R1P754xHPEqvcfSfVX10QYg6POOz+WNgkN48pS+BtZNIMGiL1HYrSEiCkwsMS15QogEQ==",
-			"license": "MIT",
-			"dependencies": {
-				"@babel/runtime": "^7.0.0",
-				"memoize-one": ">=3.1.1 <6"
-			},
-			"engines": {
-				"node": ">8.0.0"
-			},
-			"peerDependencies": {
-				"react": "^15.0.0 || ^16.0.0 || ^17.0.0 || ^18.0.0 || ^19.0.0",
-				"react-dom": "^15.0.0 || ^16.0.0 || ^17.0.0 || ^18.0.0 || ^19.0.0"
-			}
-		},
-		"node_modules/redux": {
-			"version": "5.0.1",
-			"resolved": "https://registry.npmjs.org/redux/-/redux-5.0.1.tgz",
-			"integrity": "sha512-M9/ELqF6fy8FwmkpnF0S3YKOqMyoWJ4+CS5Efg2ct3oY9daQvd/Pc71FpGZsVsbl3Cpb+IIcjBDUnnyBdQbq4w==",
-			"license": "MIT"
-		},
 		"node_modules/rollup": {
 			"version": "4.60.1",
 			"resolved": "https://registry.npmjs.org/rollup/-/rollup-4.60.1.tgz",
@@ -3956,15 +3808,6 @@
 				}
 			}
 		},
-		"node_modules/use-sync-external-store": {
-			"version": "1.6.0",
-			"resolved": "https://registry.npmjs.org/use-sync-external-store/-/use-sync-external-store-1.6.0.tgz",
-			"integrity": "sha512-Pp6GSwGP/NrPIrxVFAIkOQeyw8lFenOHijQWkUTrDvrF4ALqylP2C/KCkeS9dpUM3KvYRQhna5vt7IL95+ZQ9w==",
-			"license": "MIT",
-			"peerDependencies": {
-				"react": "^16.8.0 || ^17.0.0 || ^18.0.0 || ^19.0.0"
-			}
-		},
 		"node_modules/vite": {
 			"version": "7.3.2",
 			"resolved": "https://registry.npmjs.org/vite/-/vite-7.3.2.tgz",
diff --git a/web/dashboard/package.json b/web/dashboard/package.json
index 06e1c0cd..bb493606 100644
--- a/web/dashboard/package.json
+++ b/web/dashboard/package.json
@@ -28,7 +28,6 @@
 		"lodash": "^4.17.21",
 		"lucide-react": "^0.469.0",
 		"react": "^18.3.1",
-		"react-arborist": "^3.10.1",
 		"react-dom": "^18.3.1",
 		"react-dropzone": "^14.3.8",
 		"react-email-editor": "^1.7.11",
diff --git a/web/dashboard/src/pages/authorization/Model.tsx b/web/dashboard/src/pages/authorization/Model.tsx
index 3aa8f75c..aac94e14 100644
--- a/web/dashboard/src/pages/authorization/Model.tsx
+++ b/web/dashboard/src/pages/authorization/Model.tsx
@@ -1,7 +1,7 @@
 import React, { useCallback, useEffect, useState } from 'react';
 import { useClient } from 'urql';
 import { toast } from 'sonner';
-import { AlertCircle, Save, LayoutGrid, Code2 } from 'lucide-react';
+import { AlertCircle, Save } from 'lucide-react';
 import { FgaGetModelQuery, AdminRolesQuery } from '../../graphql/queries';
 import { FgaWriteModel } from '../../graphql/mutation';
 import { Button } from '../../components/ui/button';
@@ -9,16 +9,8 @@ import { Textarea } from '../../components/ui/textarea';
 import { Skeleton } from '../../components/ui/skeleton';
 import { Badge } from '../../components/ui/badge';
 import FgaNotEnabled from '../../components/FgaNotEnabled';
-import ModelTree from './ModelTree';
 import AuthSteps, { Example, NextStep } from './AuthSteps';
-import {
-	generateDsl,
-	parseDsl,
-	validateModel,
-	rolesTemplate,
-	TEMPLATES,
-	type ModelDraft,
-} from './modelDsl';
+import { generateDsl, parseDsl, summarize, rolesTemplate, MODEL_EXAMPLES } from './modelDsl';
 import { isFgaNotEnabledError } from '../../lib/utils';
 import type {
 	FgaGetModelResponse,
@@ -26,89 +18,42 @@ import type {
 	AdminRolesResponse,
 } from '../../types';
 
-type Mode = 'builder' | 'dsl';
+const PLACEHOLDER = `model
+  schema 1.1
 
-const STARTER: ModelDraft = { types: [{ name: 'user', relations: [] }] };
+type user
 
-const TabButton = ({
-	active,
-	onClick,
-	icon,
-	children,
-}: {
-	active: boolean;
-	onClick: () => void;
-	icon: React.ReactNode;
-	children: React.ReactNode;
-}) => (
-	<button
-		type="button"
-		onClick={onClick}
-		className={`inline-flex items-center gap-1.5 rounded-md px-3 py-1.5 text-sm font-medium transition-colors ${
-			active ? 'bg-blue-50 text-blue-600' : 'text-gray-500 hover:bg-gray-100 hover:text-gray-700'
-		}`}
-	>
-		{icon}
-		{children}
-	</button>
-);
+type document
+  relations
+    define viewer: [user]
+    define editor: [user]
+    define can_view: viewer or editor`;
 
 const Model = () => {
 	const client = useClient();
 	const [loading, setLoading] = useState(true);
 	const [saving, setSaving] = useState(false);
 	const [fgaDisabled, setFgaDisabled] = useState(false);
-	const [mode, setMode] = useState<Mode>('builder');
-	const [builderModel, setBuilderModel] = useState<ModelDraft>(STARTER);
 	const [dsl, setDsl] = useState('');
 	const [modelId, setModelId] = useState('');
 	const [validationError, setValidationError] = useState('');
 	const [roles, setRoles] = useState<string[]>([]);
 
-	// Fetch the instance's configured roles (admin _env) so the builder can offer
-	// a template built from the real roles. Best-effort: ignore failures.
-	useEffect(() => {
-		client
-			.query<AdminRolesResponse>(AdminRolesQuery, {})
-			.toPromise()
-			.then((res) => {
-				const r = res.data?._env?.ROLES;
-				if (Array.isArray(r)) setRoles(r.filter(Boolean));
-			})
-			.catch(() => {
-				/* roles template just won't be offered */
-			});
-	}, [client]);
-
 	const fetchModel = useCallback(async () => {
 		setLoading(true);
 		try {
 			const res = await client
 				.query<FgaGetModelResponse>(FgaGetModelQuery, {}, { requestPolicy: 'network-only' })
 				.toPromise();
-
 			if (res.error) {
 				if (isFgaNotEnabledError(res.error)) setFgaDisabled(true);
 				else toast.error('Failed to load authorization model');
 				return;
 			}
-
 			const current = res.data?._fga_get_model;
 			if (current?.dsl) {
 				setDsl(current.dsl);
 				setModelId(current.id || '');
-				const parsed = parseDsl(current.dsl);
-				if (parsed.supported && parsed.model) {
-					setBuilderModel(parsed.model);
-					setMode('builder');
-				} else {
-					// Model uses constructs the builder can't represent — edit in DSL.
-					setMode('dsl');
-				}
-			} else {
-				// No model yet — start in the builder with a base `user` type.
-				setBuilderModel(STARTER);
-				setMode('builder');
 			}
 		} catch {
 			toast.error('Failed to load authorization model');
@@ -121,61 +66,45 @@ const Model = () => {
 		fetchModel();
 	}, [fetchModel]);
 
-	const switchToDsl = () => {
-		setDsl(generateDsl(builderModel));
-		setValidationError('');
-		setMode('dsl');
-	};
-
-	const switchToBuilder = () => {
-		const parsed = parseDsl(dsl);
-		if (parsed.supported && parsed.model) {
-			setBuilderModel(parsed.model);
-			setValidationError('');
-			setMode('builder');
-		} else {
-			toast.error('This model uses advanced constructs — keep editing in DSL');
-		}
-	};
+	// Configured roles → a "your roles" example.
+	useEffect(() => {
+		client
+			.query<AdminRolesResponse>(AdminRolesQuery, {})
+			.toPromise()
+			.then((res) => {
+				const r = res.data?._env?.ROLES;
+				if (Array.isArray(r)) setRoles(r.filter(Boolean));
+			})
+			.catch(() => {});
+	}, [client]);
 
-	const applyTemplate = (model: ModelDraft) => {
-		setBuilderModel(model);
-		setMode('builder');
+	const applyExample = (exampleDsl: string) => {
+		setDsl(exampleDsl);
 		setValidationError('');
 	};
 
 	const handleSave = async () => {
-		let dslToSave = dsl;
-		if (mode === 'builder') {
-			const err = validateModel(builderModel);
-			if (err) {
-				setValidationError(err);
-				return;
-			}
-			dslToSave = generateDsl(builderModel);
-		} else if (!dsl.trim()) {
-			setValidationError('Model DSL cannot be empty.');
+		if (!dsl.trim()) {
+			setValidationError('The model cannot be empty. Pick an example to start.');
 			return;
 		}
 		setValidationError('');
 		setSaving(true);
 		try {
 			const res = await client
-				.mutation<FgaWriteModelResponse>(FgaWriteModel, { params: { dsl: dslToSave } })
+				.mutation<FgaWriteModelResponse>(FgaWriteModel, { params: { dsl } })
 				.toPromise();
-
 			if (res.error) {
 				if (isFgaNotEnabledError(res.error)) setFgaDisabled(true);
 				else {
 					setValidationError(res.error.message.replace('[GraphQL] ', ''));
-					toast.error('Failed to save authorization model');
+					toast.error('Could not save — check the model syntax');
 				}
 				return;
 			}
-
 			if (res.data?._fga_write_model) {
 				setModelId(res.data._fga_write_model.id);
-				setDsl(res.data._fga_write_model.dsl || dslToSave);
+				setDsl(res.data._fga_write_model.dsl || dsl);
 				toast.success('Authorization model saved');
 			}
 		} catch {
@@ -185,31 +114,35 @@ const Model = () => {
 		}
 	};
 
-	// Offer a template built from the instance's configured roles first.
 	const roleModel = rolesTemplate(roles);
-	const templates = [
+	const examples = [
 		...(roleModel
 			? [
 					{
-						name: 'RBAC — your roles',
-						description: `Your configured roles (${roles.join(', ')}) as relations on a resource.`,
-						model: roleModel,
+						name: 'Your roles',
+						description: `Your configured roles (${roles.join(', ')}) as a starting point.`,
+						dsl: generateDsl(roleModel).trimEnd(),
 					},
 			  ]
 			: []),
-		...TEMPLATES,
+		...MODEL_EXAMPLES,
 	];
 
+	const parsed = parseDsl(dsl);
+	const summary = parsed.supported && parsed.model ? summarize(parsed.model) : [];
+
 	return (
 		<div className="m-5 rounded-md bg-white py-5 px-10">
 			<AuthSteps current={1} />
+
 			<div className="my-4 flex items-start justify-between gap-4">
 				<div>
 					<h1 className="text-2xl font-semibold text-gray-900">Step 1 · Define the model</h1>
 					<p className="mt-1 max-w-2xl text-sm text-gray-500">
 						The model is your permission <strong>rulebook</strong>: the object{' '}
-						<strong>types</strong> you protect, the <strong>relations</strong> on them (owner,
-						editor, viewer…), and how permissions are computed. You write it once.
+						<strong>types</strong> you protect (document, folder…), their{' '}
+						<strong>relations</strong> (owner, editor, viewer…), and how permissions are
+						computed. You write it once.
 					</p>
 				</div>
 				{!fgaDisabled && !loading && (
@@ -219,84 +152,79 @@ const Model = () => {
 					</Button>
 				)}
 			</div>
-			{!fgaDisabled && !loading && (
-				<div className="mb-4">
-					<Example>
-						<strong>Example:</strong> a <code className="rounded bg-white px-1 py-0.5 text-xs">document</code> has{' '}
-						<code className="rounded bg-white px-1 py-0.5 text-xs">viewer</code> and{' '}
-						<code className="rounded bg-white px-1 py-0.5 text-xs">editor</code> relations, and{' '}
-						<code className="rounded bg-white px-1 py-0.5 text-xs">can_view = viewer or editor</code>. Pick a
-						template below to start, then customize.
-					</Example>
-				</div>
-			)}
 
 			{loading ? (
 				<div className="space-y-3">
 					<Skeleton className="h-9 w-64" />
-					<Skeleton className="h-64 w-full" />
+					<Skeleton className="h-72 w-full" />
 				</div>
 			) : fgaDisabled ? (
 				<FgaNotEnabled />
 			) : (
-				<div className="space-y-4">
-					<div className="flex flex-wrap items-center justify-between gap-3">
-						<div className="inline-flex items-center gap-1 rounded-lg bg-gray-50 p-1">
-							<TabButton
-								active={mode === 'builder'}
-								onClick={() => mode !== 'builder' && switchToBuilder()}
-								icon={<LayoutGrid className="h-4 w-4" />}
-							>
-								Builder
-							</TabButton>
-							<TabButton
-								active={mode === 'dsl'}
-								onClick={() => mode !== 'dsl' && switchToDsl()}
-								icon={<Code2 className="h-4 w-4" />}
-							>
-								DSL (advanced)
-							</TabButton>
-						</div>
-
-						<div className="flex items-center gap-3">
-							{modelId && (
-								<span className="flex items-center gap-1.5 text-xs text-gray-500">
-									active model
-									<Badge variant="secondary">{modelId.slice(0, 12)}…</Badge>
-								</span>
-							)}
-						</div>
-					</div>
+				<div className="space-y-5">
+					<Example>
+						<strong>Example:</strong> a{' '}
+						<code className="rounded bg-white px-1 py-0.5 text-xs">document</code> has{' '}
+						<code className="rounded bg-white px-1 py-0.5 text-xs">viewer</code> and{' '}
+						<code className="rounded bg-white px-1 py-0.5 text-xs">editor</code> relations, and{' '}
+						<code className="rounded bg-white px-1 py-0.5 text-xs">can_view = viewer or editor</code>.
+						Start from an example below and edit it.
+					</Example>
 
-					{mode === 'builder' && (
-						<div className="flex flex-wrap items-center gap-2 rounded-lg border border-dashed border-gray-200 p-2">
-							<span className="px-1 text-xs font-medium text-gray-500">Start from a template:</span>
-							{templates.map((tpl) => (
+					{/* Example templates with descriptions */}
+					<div>
+						<p className="mb-2 text-sm font-medium text-gray-700">Start from an example</p>
+						<div className="grid grid-cols-1 gap-2 sm:grid-cols-2 lg:grid-cols-4">
+							{examples.map((ex) => (
 								<button
-									key={tpl.name}
+									key={ex.name}
 									type="button"
-									onClick={() => applyTemplate(tpl.model)}
-									title={tpl.description}
-									className="rounded-md border border-gray-200 bg-white px-2.5 py-1 text-xs font-medium text-gray-700 transition-colors hover:border-blue-300 hover:bg-blue-50 hover:text-blue-700"
+									onClick={() => applyExample(ex.dsl)}
+									className="rounded-xl border border-gray-200 bg-white p-3 text-left transition-colors hover:border-blue-300 hover:bg-blue-50"
 								>
-									{tpl.name}
+									<span className="block text-sm font-medium text-gray-800">{ex.name}</span>
+									<span className="mt-0.5 block text-xs leading-relaxed text-gray-500">
+										{ex.description}
+									</span>
 								</button>
 							))}
 						</div>
-					)}
+					</div>
 
-					{mode === 'builder' ? (
-						<ModelTree model={builderModel} onChange={setBuilderModel} />
-					) : (
+					{/* The model */}
+					<div>
+						<div className="mb-1.5 flex items-center justify-between">
+							<label htmlFor="model-dsl" className="text-sm font-medium text-gray-700">
+								Model
+							</label>
+							{modelId && (
+								<span className="flex items-center gap-1.5 text-xs text-gray-400">
+									saved
+									<Badge variant="secondary">{modelId.slice(0, 12)}…</Badge>
+								</span>
+							)}
+						</div>
 						<Textarea
+							id="model-dsl"
 							value={dsl}
 							onChange={(e) => setDsl(e.target.value)}
 							spellCheck={false}
-							className="min-h-[420px] font-mono text-xs leading-relaxed"
-							placeholder={
-								'model\n  schema 1.1\n\ntype user\n\ntype document\n  relations\n    define viewer: [user]\n    define editor: [user]\n    define can_view: viewer or editor'
-							}
+							className="min-h-[360px] font-mono text-xs leading-relaxed"
+							placeholder={PLACEHOLDER}
 						/>
+					</div>
+
+					{summary.length > 0 && (
+						<div className="rounded-lg border border-gray-100 bg-gray-50 p-3">
+							<p className="mb-1.5 text-xs font-medium uppercase tracking-wide text-gray-500">
+								In plain English
+							</p>
+							<ul className="space-y-1 text-xs leading-relaxed text-gray-600">
+								{summary.map((s, i) => (
+									<li key={i}>• {s}</li>
+								))}
+							</ul>
+						</div>
 					)}
 
 					{validationError && (
diff --git a/web/dashboard/src/pages/authorization/ModelTree.tsx b/web/dashboard/src/pages/authorization/ModelTree.tsx
deleted file mode 100644
index c97755ec..00000000
--- a/web/dashboard/src/pages/authorization/ModelTree.tsx
+++ /dev/null
@@ -1,373 +0,0 @@
-import React, { createContext, useContext, useEffect, useRef, useState } from 'react';
-import { Tree } from 'react-arborist';
-import type { NodeRendererProps } from 'react-arborist';
-import { ChevronRight, ChevronDown, Trash2, Plus, X, Boxes, Tag } from 'lucide-react';
-import { Input } from '../../components/ui/input';
-import { Button } from '../../components/ui/button';
-import { Label } from '../../components/ui/label';
-import {
-	type ModelDraft,
-	type ComputedTerm,
-	addType,
-	deleteType,
-	renameType,
-	addRelation,
-	deleteRelation,
-	renameRelation,
-	addAssignable,
-	removeAssignable,
-	addComputed,
-	removeComputed,
-	relationExprText,
-} from './modelDsl';
-
-type Sel = { ti: number; ri: number | null } | null;
-
-interface NodeData {
-	id: string;
-	name: string;
-	kind: 'type' | 'relation';
-	ti: number;
-	ri?: number;
-	expr?: string;
-	children?: NodeData[];
-}
-
-interface TreeActions {
-	onSelect: (sel: Sel) => void;
-	onDelete: (d: NodeData) => void;
-	onAddRelation: (ti: number) => void;
-	selId: string | null;
-}
-const Ctx = createContext<TreeActions>({
-	onSelect: () => {},
-	onDelete: () => {},
-	onAddRelation: () => {},
-	selId: null,
-});
-
-const selToId = (sel: Sel) => (sel ? (sel.ri === null ? `t${sel.ti}` : `t${sel.ti}.r${sel.ri}`) : null);
-
-function buildData(model: ModelDraft): NodeData[] {
-	return model.types.map((t, ti) => ({
-		id: `t${ti}`,
-		kind: 'type',
-		name: t.name || '(unnamed type)',
-		ti,
-		children: t.relations.map((r, ri) => ({
-			id: `t${ti}.r${ri}`,
-			kind: 'relation',
-			name: r.name || '(unnamed)',
-			ti,
-			ri,
-			expr: relationExprText(r),
-		})),
-	}));
-}
-
-// Tree row renderer.
-function Node({ node, style, dragHandle }: NodeRendererProps<NodeData>) {
-	const { onSelect, onDelete, onAddRelation, selId } = useContext(Ctx);
-	const d = node.data;
-	const isType = d.kind === 'type';
-	const selected = node.id === selId;
-	return (
-		<div ref={dragHandle} style={style}>
-			<div
-				className={`group flex h-9 items-center gap-1 rounded-md pr-1 ${
-					selected ? 'bg-blue-50 ring-1 ring-blue-200' : 'hover:bg-gray-50'
-				}`}
-				style={{ paddingLeft: node.level * 18 + 4 }}
-			>
-				{isType ? (
-					<button
-						type="button"
-						onClick={() => node.toggle()}
-						className="rounded p-0.5 text-gray-400 hover:text-gray-600"
-						aria-label={node.isOpen ? 'Collapse' : 'Expand'}
-					>
-						{node.isOpen ? (
-							<ChevronDown className="h-4 w-4" />
-						) : (
-							<ChevronRight className="h-4 w-4" />
-						)}
-					</button>
-				) : (
-					<span className="w-5" />
-				)}
-				{isType ? (
-					<Boxes className="h-4 w-4 shrink-0 text-gray-400" />
-				) : (
-					<Tag className="h-3.5 w-3.5 shrink-0 text-gray-400" />
-				)}
-				<button
-					type="button"
-					onClick={() => onSelect({ ti: d.ti, ri: d.ri ?? null })}
-					className="flex min-w-0 flex-1 items-center gap-2 py-1 text-left"
-				>
-					<span
-						className={`truncate text-sm ${
-							isType ? 'font-medium text-gray-800' : 'text-gray-700'
-						}`}
-					>
-						{d.name}
-					</span>
-					{!isType && (
-						<span className="truncate font-mono text-xs text-gray-400">= {d.expr}</span>
-					)}
-				</button>
-				<div className="flex items-center gap-0.5 opacity-0 transition-opacity group-hover:opacity-100">
-					{isType && (
-						<button
-							type="button"
-							onClick={() => onAddRelation(d.ti)}
-							title="Add relation"
-							aria-label="Add relation"
-							className="rounded p-1 text-gray-400 hover:bg-gray-200 hover:text-gray-700"
-						>
-							<Plus className="h-3.5 w-3.5" />
-						</button>
-					)}
-					<button
-						type="button"
-						onClick={() => onDelete(d)}
-						title="Delete"
-						aria-label={`Delete ${d.name}`}
-						className="rounded p-1 text-gray-400 hover:bg-red-100 hover:text-red-600"
-					>
-						<Trash2 className="h-3.5 w-3.5" />
-					</button>
-				</div>
-			</div>
-		</div>
-	);
-}
-
-const Chip = ({ label, onRemove }: { label: string; onRemove: () => void }) => (
-	<span className="inline-flex items-center gap-1 rounded-full bg-blue-50 px-2 py-0.5 text-xs font-medium text-blue-700">
-		<span className="font-mono">{label}</span>
-		<button type="button" onClick={onRemove} aria-label={`Remove ${label}`} className="text-blue-400 hover:text-blue-700">
-			<X className="h-3 w-3" />
-		</button>
-	</span>
-);
-
-const selectCls =
-	'rounded-md border border-gray-200 bg-white px-2 py-1 text-xs text-gray-600 focus:outline-none focus-visible:ring-2 focus-visible:ring-blue-400';
-
-// Detail pane: edits the selected type or relation.
-const DetailPane = ({
-	model,
-	sel,
-	onChange,
-}: {
-	model: ModelDraft;
-	sel: Sel;
-	onChange: (m: ModelDraft) => void;
-}) => {
-	const [compRel, setCompRel] = useState('');
-	const [compFrom, setCompFrom] = useState('');
-
-	if (!sel || !model.types[sel.ti]) {
-		return (
-			<div className="flex min-h-[200px] items-center justify-center rounded-xl border border-dashed border-gray-200 p-6 text-center text-sm text-gray-400">
-				Select a type or relation on the left to edit it.
-			</div>
-		);
-	}
-
-	const t = model.types[sel.ti];
-
-	if (sel.ri === null) {
-		return (
-			<div className="rounded-xl border border-gray-200 bg-white p-4">
-				<div className="mb-3 text-xs font-medium uppercase tracking-wide text-gray-400">Type</div>
-				<Label htmlFor="type-name">Name</Label>
-				<Input
-					id="type-name"
-					value={t.name}
-					onChange={(e) => onChange(renameType(model, sel.ti, e.target.value.trim()))}
-					placeholder="document"
-					className="mt-1 font-mono text-sm"
-				/>
-				<p className="mt-3 text-xs leading-relaxed text-gray-500">
-					{t.relations.length} relation{t.relations.length === 1 ? '' : 's'}. Use the{' '}
-					<Plus className="inline h-3 w-3" /> on this type in the tree to add one.
-				</p>
-			</div>
-		);
-	}
-
-	const r = t.relations[sel.ri];
-	if (!r) return null;
-	const typeNames = model.types.map((x) => x.name).filter(Boolean);
-	const relNames = t.relations.map((x) => x.name).filter((n) => n && n !== r.name);
-
-	return (
-		<div className="space-y-4 rounded-xl border border-gray-200 bg-white p-4">
-			<div>
-				<div className="mb-3 text-xs font-medium uppercase tracking-wide text-gray-400">
-					Relation on <span className="font-mono lowercase text-gray-500">{t.name}</span>
-				</div>
-				<Label htmlFor="rel-name">Name</Label>
-				<Input
-					id="rel-name"
-					value={r.name}
-					onChange={(e) => onChange(renameRelation(model, sel.ti, sel.ri!, e.target.value.trim()))}
-					placeholder="viewer"
-					className="mt-1 font-mono text-sm"
-				/>
-			</div>
-
-			<div>
-				<p className="mb-1.5 text-xs font-medium text-gray-600">Directly assignable to</p>
-				<div className="flex flex-wrap items-center gap-1.5">
-					{r.directTypes.map((dt, idx) => (
-						<Chip key={idx} label={dt} onRemove={() => onChange(removeAssignable(model, sel.ti, sel.ri!, idx))} />
-					))}
-					<select
-						value=""
-						onChange={(e) => e.target.value && onChange(addAssignable(model, sel.ti, sel.ri!, e.target.value))}
-						className={selectCls}
-					>
-						<option value="">+ type…</option>
-						{typeNames.map((n) => (
-							<option key={n} value={n}>
-								{n}
-							</option>
-						))}
-					</select>
-				</div>
-			</div>
-
-			<div>
-				<p className="mb-1.5 text-xs font-medium text-gray-600">Or computed from (union)</p>
-				<div className="flex flex-wrap items-center gap-1.5">
-					{r.computed.map((c, idx) => (
-						<Chip
-							key={idx}
-							label={c.from ? `${c.relation} from ${c.from}` : c.relation}
-							onRemove={() => onChange(removeComputed(model, sel.ti, sel.ri!, idx))}
-						/>
-					))}
-					<span className="inline-flex items-center gap-1">
-						<select value={compRel} onChange={(e) => setCompRel(e.target.value)} className={selectCls}>
-							<option value="">+ relation…</option>
-							{relNames.map((n) => (
-								<option key={n} value={n}>
-									{n}
-								</option>
-							))}
-						</select>
-						{compRel && (
-							<>
-								<select value={compFrom} onChange={(e) => setCompFrom(e.target.value)} className={selectCls}>
-									<option value="">(direct)</option>
-									{relNames.map((n) => (
-										<option key={n} value={n}>
-											from {n}
-										</option>
-									))}
-								</select>
-								<button
-									type="button"
-									onClick={() => {
-										const term: ComputedTerm = compFrom
-											? { relation: compRel, from: compFrom }
-											: { relation: compRel };
-										onChange(addComputed(model, sel.ti, sel.ri!, term));
-										setCompRel('');
-										setCompFrom('');
-									}}
-									className="rounded-md bg-blue-500 px-2 py-1 text-xs font-medium text-white hover:bg-blue-600"
-								>
-									Add
-								</button>
-							</>
-						)}
-					</span>
-				</div>
-			</div>
-
-			<p className="border-t border-gray-100 pt-3 font-mono text-xs text-gray-500">
-				define {r.name || '…'}: {relationExprText(r)}
-			</p>
-		</div>
-	);
-};
-
-interface Props {
-	model: ModelDraft;
-	onChange: (m: ModelDraft) => void;
-}
-
-const ModelTree = ({ model, onChange }: Props) => {
-	const [sel, setSel] = useState<Sel>(null);
-	const containerRef = useRef<HTMLDivElement>(null);
-	const [width, setWidth] = useState(360);
-
-	useEffect(() => {
-		const el = containerRef.current;
-		if (!el) return;
-		const ro = new ResizeObserver((entries) => {
-			for (const e of entries) setWidth(e.contentRect.width);
-		});
-		ro.observe(el);
-		return () => ro.disconnect();
-	}, []);
-
-	const data = buildData(model);
-	const rowCount = data.reduce((n, t) => n + 1 + (t.children?.length || 0), 0);
-	const height = Math.min(Math.max(rowCount * 36 + 8, 160), 480);
-
-	const actions: TreeActions = {
-		selId: selToId(sel),
-		onSelect: setSel,
-		onDelete: (d) => {
-			onChange(d.kind === 'type' ? deleteType(model, d.ti) : deleteRelation(model, d.ti, d.ri!));
-			setSel(null);
-		},
-		onAddRelation: (ti) => {
-			setSel({ ti, ri: model.types[ti].relations.length });
-			onChange(addRelation(model, ti));
-		},
-	};
-
-	return (
-		<div className="grid grid-cols-1 gap-4 lg:grid-cols-2">
-			<div className="rounded-xl border border-gray-200 bg-white p-2">
-				<div ref={containerRef} className="min-h-[160px]">
-					<Ctx.Provider value={actions}>
-						<Tree<NodeData>
-							data={data}
-							openByDefault
-							width={width}
-							height={height}
-							indent={18}
-							rowHeight={36}
-							disableDrag
-							disableMultiSelection
-						>
-							{Node}
-						</Tree>
-					</Ctx.Provider>
-				</div>
-				<Button
-					variant="outline"
-					size="sm"
-					className="mt-2"
-					onClick={() => {
-						setSel({ ti: model.types.length, ri: null });
-						onChange(addType(model));
-					}}
-				>
-					<Plus className="mr-1 h-3.5 w-3.5" /> Add type
-				</Button>
-			</div>
-
-			<DetailPane key={actions.selId ?? 'none'} model={model} sel={sel} onChange={onChange} />
-		</div>
-	);
-};
-
-export default ModelTree;
diff --git a/web/dashboard/src/pages/authorization/modelDsl.ts b/web/dashboard/src/pages/authorization/modelDsl.ts
index 70744d73..2664a102 100644
--- a/web/dashboard/src/pages/authorization/modelDsl.ts
+++ b/web/dashboard/src/pages/authorization/modelDsl.ts
@@ -1,70 +1,52 @@
-// modelDsl.ts — pure helpers to convert between a visual ModelDraft and OpenFGA
-// authorization-model DSL. The builder covers the common subset (types, direct
-// assignment, unions via `or`, and inheritance via `X from Y`). Advanced
-// constructs (`and`, `but not`, conditions `with`, grouping) are not represented
-// in the builder — parseDsl reports supported=false for those so the UI can keep
-// the user in raw-DSL mode.
-
-// ComputedTerm is one OR-ed term of a computed relation: either another relation
-// on the same type ({relation}) or an inherited one ({relation, from}).
+// modelDsl.ts — helpers for the authorization-model editor: a plain-English
+// summary of a (simple) model, a roles-derived example, and a catalog of
+// ready-to-use OpenFGA model examples (raw DSL, so they can use the full
+// language — usersets, exclusions, conditions).
+
 export interface ComputedTerm {
 	relation: string;
 	from?: string;
 }
-
-// RelationDef is a single `define <name>: ...`. The effective rule is the union
-// (OR) of directTypes (the `[...]` assignable part) and the computed terms.
 export interface RelationDef {
 	name: string;
-	directTypes: string[]; // e.g. ["user"], ["user", "team#member"], ["folder"]
-	computed: ComputedTerm[]; // OR-ed with directTypes
+	directTypes: string[];
+	computed: ComputedTerm[];
 }
-
 export interface TypeDef {
 	name: string;
 	relations: RelationDef[];
 }
-
 export interface ModelDraft {
 	types: TypeDef[];
 }
 
 const IDENT = /^[a-zA-Z0-9_]+$/;
 
-// relationExpr renders the right-hand side of a `define`.
 function relationExpr(r: RelationDef): string {
 	const parts: string[] = [];
-	if (r.directTypes.length) {
-		parts.push(`[${r.directTypes.join(', ')}]`);
-	}
-	for (const c of r.computed) {
-		parts.push(c.from ? `${c.relation} from ${c.from}` : c.relation);
-	}
+	if (r.directTypes.length) parts.push(`[${r.directTypes.join(', ')}]`);
+	for (const c of r.computed) parts.push(c.from ? `${c.relation} from ${c.from}` : c.relation);
 	return parts.join(' or ');
 }
 
-// generateDsl renders a ModelDraft to OpenFGA DSL.
 export function generateDsl(model: ModelDraft): string {
 	const lines: string[] = ['model', '  schema 1.1', ''];
 	for (const t of model.types) {
 		lines.push(`type ${t.name}`);
 		if (t.relations.length) {
 			lines.push('  relations');
-			for (const r of t.relations) {
-				lines.push(`    define ${r.name}: ${relationExpr(r)}`);
-			}
+			for (const r of t.relations) lines.push(`    define ${r.name}: ${relationExpr(r)}`);
 		}
 	}
 	return lines.join('\n') + '\n';
 }
 
-// parseDsl best-effort parses DSL into a ModelDraft. supported=false means the
-// model uses constructs the visual builder can't represent — the caller should
-// stay in DSL mode.
+// parseDsl best-effort parses the simple subset (direct + union + inheritance)
+// so we can render a plain-English summary. Models with advanced constructs
+// return supported=false (no summary shown).
 export function parseDsl(dsl: string): { model: ModelDraft | null; supported: boolean } {
 	const types: TypeDef[] = [];
 	let current: TypeDef | null = null;
-
 	for (const raw of dsl.split('\n')) {
 		const trimmed = raw.trim();
 		if (
@@ -76,34 +58,23 @@ export function parseDsl(dsl: string): { model: ModelDraft | null; supported: bo
 		) {
 			continue;
 		}
-
 		if (trimmed.startsWith('type ')) {
 			current = { name: trimmed.slice(5).trim(), relations: [] };
 			types.push(current);
 			continue;
 		}
-
 		if (trimmed.startsWith('define ')) {
 			if (!current) return { model: null, supported: false };
 			const m = trimmed.match(/^define\s+([a-zA-Z0-9_]+)\s*:\s*(.+)$/);
 			if (!m) return { model: null, supported: false };
 			const expr = m[2].trim();
-			// Constructs the builder cannot represent.
-			if (/\bbut\s+not\b|\band\b|[()]|\bwith\b/.test(expr)) {
-				return { model: null, supported: false };
-			}
+			if (/\bbut\s+not\b|\band\b|[()]|\bwith\b/.test(expr)) return { model: null, supported: false };
 			const rel: RelationDef = { name: m[1], directTypes: [], computed: [] };
 			for (const partRaw of expr.split(/\s+or\s+/)) {
 				const part = partRaw.trim();
 				if (!part) continue;
 				if (part.startsWith('[') && part.endsWith(']')) {
-					rel.directTypes.push(
-						...part
-							.slice(1, -1)
-							.split(',')
-							.map((s) => s.trim())
-							.filter(Boolean),
-					);
+					rel.directTypes.push(...part.slice(1, -1).split(',').map((s) => s.trim()).filter(Boolean));
 				} else if (/\sfrom\s/.test(part)) {
 					const fm = part.match(/^([a-zA-Z0-9_]+)\s+from\s+([a-zA-Z0-9_]+)$/);
 					if (!fm) return { model: null, supported: false };
@@ -111,238 +82,232 @@ export function parseDsl(dsl: string): { model: ModelDraft | null; supported: bo
 				} else if (IDENT.test(part)) {
 					rel.computed.push({ relation: part });
 				} else {
-					// e.g. a computed userset like team#member — not builder-representable.
 					return { model: null, supported: false };
 				}
 			}
 			current.relations.push(rel);
 			continue;
 		}
-
-		// Unknown non-empty line — be conservative.
 		return { model: null, supported: false };
 	}
-
 	if (!types.length) return { model: null, supported: false };
 	return { model: { types }, supported: true };
 }
 
-// validateModel returns a human-readable error for an unsaveable model, or "".
-export function validateModel(model: ModelDraft): string {
-	if (!model.types.length) return 'Add at least one type.';
-	const names = new Set<string>();
-	for (const t of model.types) {
-		if (!IDENT.test(t.name)) return `Type name "${t.name}" must be alphanumeric/underscore.`;
-		if (names.has(t.name)) return `Duplicate type "${t.name}".`;
-		names.add(t.name);
-		const relNames = new Set<string>();
-		for (const r of t.relations) {
-			if (!IDENT.test(r.name)) return `Relation "${r.name}" on ${t.name} is not a valid name.`;
-			if (relNames.has(r.name)) return `Duplicate relation "${r.name}" on ${t.name}.`;
-			relNames.add(r.name);
-			if (!r.directTypes.length && !r.computed.length) {
-				return `Relation "${r.name}" on ${t.name} needs at least one assignable type or computed relation.`;
-			}
-		}
-	}
-	return '';
-}
-
-// summarize returns plain-English lines describing the model.
 export function summarize(model: ModelDraft): string[] {
 	const out: string[] = [];
 	for (const t of model.types) {
 		for (const r of t.relations) {
 			const bits: string[] = [];
 			if (r.directTypes.length) bits.push(`assigned (${r.directTypes.join(', ')})`);
-			for (const c of r.computed) {
-				bits.push(c.from ? `${c.relation} of its ${c.from}` : `a ${c.relation}`);
-			}
+			for (const c of r.computed) bits.push(c.from ? `${c.relation} of its ${c.from}` : `a ${c.relation}`);
 			out.push(`A user who is ${bits.join(' OR ')} is "${r.name}" of a ${t.name}.`);
 		}
 	}
 	return out;
 }
 
-// ── Pure model mutations (kept pure + index-based so they're unit-testable;
-//    the tree editor calls these and never mutates state in place). ───────────
-
-const mapType = (m: ModelDraft, ti: number, fn: (t: TypeDef) => TypeDef): ModelDraft => ({
-	...m,
-	types: m.types.map((t, i) => (i === ti ? fn(t) : t)),
-});
-
-const mapRelation = (
-	m: ModelDraft,
-	ti: number,
-	ri: number,
-	fn: (r: RelationDef) => RelationDef,
-): ModelDraft => mapType(m, ti, (t) => ({ ...t, relations: t.relations.map((r, i) => (i === ri ? fn(r) : r)) }));
-
-export const addType = (m: ModelDraft): ModelDraft => ({
-	...m,
-	types: [...m.types, { name: '', relations: [] }],
-});
-
-export const deleteType = (m: ModelDraft, ti: number): ModelDraft => ({
-	...m,
-	types: m.types.filter((_, i) => i !== ti),
-});
-
-export const renameType = (m: ModelDraft, ti: number, name: string): ModelDraft =>
-	mapType(m, ti, (t) => ({ ...t, name }));
-
-export const addRelation = (m: ModelDraft, ti: number): ModelDraft =>
-	mapType(m, ti, (t) => ({ ...t, relations: [...t.relations, { name: '', directTypes: [], computed: [] }] }));
-
-export const deleteRelation = (m: ModelDraft, ti: number, ri: number): ModelDraft =>
-	mapType(m, ti, (t) => ({ ...t, relations: t.relations.filter((_, i) => i !== ri) }));
-
-export const renameRelation = (m: ModelDraft, ti: number, ri: number, name: string): ModelDraft =>
-	mapRelation(m, ti, ri, (r) => ({ ...r, name }));
-
-export const addAssignable = (m: ModelDraft, ti: number, ri: number, dt: string): ModelDraft =>
-	mapRelation(m, ti, ri, (r) =>
-		r.directTypes.includes(dt) ? r : { ...r, directTypes: [...r.directTypes, dt] },
-	);
-
-export const removeAssignable = (m: ModelDraft, ti: number, ri: number, idx: number): ModelDraft =>
-	mapRelation(m, ti, ri, (r) => ({ ...r, directTypes: r.directTypes.filter((_, i) => i !== idx) }));
-
-export const addComputed = (m: ModelDraft, ti: number, ri: number, term: ComputedTerm): ModelDraft =>
-	mapRelation(m, ti, ri, (r) => ({ ...r, computed: [...r.computed, term] }));
-
-export const removeComputed = (m: ModelDraft, ti: number, ri: number, idx: number): ModelDraft =>
-	mapRelation(m, ti, ri, (r) => ({ ...r, computed: r.computed.filter((_, i) => i !== idx) }));
-
-// relationExprText renders a relation's definition for compact display.
-export function relationExprText(r: RelationDef): string {
-	const parts: string[] = [];
-	if (r.directTypes.length) parts.push(`[${r.directTypes.join(', ')}]`);
-	for (const c of r.computed) parts.push(c.from ? `${c.relation} from ${c.from}` : c.relation);
-	return parts.join(' or ') || '(empty)';
-}
-
-// sanitizeRelationName makes an Authorizer role usable as an OpenFGA relation
-// name (alphanumeric/underscore). e.g. "org-admin" -> "org_admin".
 export function sanitizeRelationName(role: string): string {
 	return role.trim().replace(/[^a-zA-Z0-9_]/g, '_').replace(/^_+|_+$/g, '');
 }
 
-// rolesTemplate builds a starter model from the instance's configured roles:
-// each role becomes a directly-assignable relation on a `resource`, plus a
-// `can_access` permission that any of those roles satisfies. A concrete,
-// builder-friendly starting point the admin can then refine.
+// rolesTemplate builds a model from the instance's configured roles: each role
+// is a relation on a `resource`, plus a `can_access` permission.
 export function rolesTemplate(roles: string[]): ModelDraft | null {
 	const seen = new Set<string>();
-	const roleRelations: RelationDef[] = [];
+	const rel: RelationDef[] = [];
 	for (const raw of roles) {
 		const name = sanitizeRelationName(raw);
 		if (!name || seen.has(name)) continue;
 		seen.add(name);
-		roleRelations.push({ name, directTypes: ['user'], computed: [] });
+		rel.push({ name, directTypes: ['user'], computed: [] });
 	}
-	if (!roleRelations.length) return null;
-
-	roleRelations.push({
-		name: 'can_access',
-		directTypes: [],
-		computed: roleRelations.map((r) => ({ relation: r.name })),
-	});
-
-	return {
-		types: [
-			{ name: 'user', relations: [] },
-			{ name: 'resource', relations: roleRelations },
-		],
-	};
+	if (!rel.length) return null;
+	rel.push({ name: 'can_access', directTypes: [], computed: rel.map((r) => ({ relation: r.name })) });
+	return { types: [{ name: 'user', relations: [] }, { name: 'resource', relations: rel }] };
+}
+
+// MODEL_EXAMPLES is a catalog of common authorization patterns as raw DSL.
+export interface ModelExample {
+	name: string;
+	description: string;
+	dsl: string;
 }
 
-// TEMPLATES are builder-representable starter models.
-export const TEMPLATES: { name: string; description: string; model: ModelDraft }[] = [
+export const MODEL_EXAMPLES: ModelExample[] = [
 	{
 		name: 'Document sharing',
-		description: 'Owner / editor / viewer with cascading permissions.',
-		model: {
-			types: [
-				{ name: 'user', relations: [] },
-				{
-					name: 'document',
-					relations: [
-						{ name: 'owner', directTypes: ['user'], computed: [] },
-						{ name: 'editor', directTypes: ['user'], computed: [{ relation: 'owner' }] },
-						{ name: 'viewer', directTypes: ['user'], computed: [{ relation: 'editor' }] },
-						{ name: 'can_view', directTypes: [], computed: [{ relation: 'viewer' }] },
-						{ name: 'can_edit', directTypes: [], computed: [{ relation: 'editor' }] },
-						{ name: 'can_delete', directTypes: [], computed: [{ relation: 'owner' }] },
-					],
-				},
-			],
-		},
+		description: 'Owner → editor → viewer, with cascading permissions.',
+		dsl: `model
+  schema 1.1
+
+type user
+
+type document
+  relations
+    define owner: [user]
+    define editor: [user] or owner
+    define viewer: [user] or editor
+    define can_view: viewer
+    define can_edit: editor
+    define can_delete: owner`,
 	},
 	{
-		name: 'Folders with inheritance',
+		name: 'Folder hierarchy',
 		description: 'Documents inherit viewers from their parent folder.',
-		model: {
-			types: [
-				{ name: 'user', relations: [] },
-				{
-					name: 'folder',
-					relations: [
-						{ name: 'owner', directTypes: ['user'], computed: [] },
-						{ name: 'viewer', directTypes: ['user'], computed: [{ relation: 'owner' }] },
-					],
-				},
-				{
-					name: 'document',
-					relations: [
-						{ name: 'parent', directTypes: ['folder'], computed: [] },
-						{ name: 'owner', directTypes: ['user'], computed: [] },
-						{
-							name: 'viewer',
-							directTypes: ['user'],
-							computed: [{ relation: 'owner' }, { relation: 'viewer', from: 'parent' }],
-						},
-						{ name: 'can_view', directTypes: [], computed: [{ relation: 'viewer' }] },
-					],
-				},
-			],
-		},
+		dsl: `model
+  schema 1.1
+
+type user
+
+type folder
+  relations
+    define owner: [user]
+    define viewer: [user] or owner
+
+type document
+  relations
+    define parent: [folder]
+    define owner: [user]
+    define viewer: [user] or owner or viewer from parent
+    define can_view: viewer
+    define can_edit: owner`,
+	},
+	{
+		name: 'Organizations & teams',
+		description: 'Team membership flows from organization membership.',
+		dsl: `model
+  schema 1.1
+
+type user
+
+type organization
+  relations
+    define admin: [user]
+    define member: [user] or admin
+
+type team
+  relations
+    define org: [organization]
+    define member: [user] or member from org`,
 	},
 	{
-		name: 'Org / Team / Project',
-		description: 'Project access flows from team and organization membership.',
-		model: {
-			types: [
-				{ name: 'user', relations: [] },
-				{
-					name: 'organization',
-					relations: [{ name: 'member', directTypes: ['user'], computed: [] }],
-				},
-				{
-					name: 'team',
-					relations: [
-						{ name: 'org', directTypes: ['organization'], computed: [] },
-						{
-							name: 'member',
-							directTypes: ['user'],
-							computed: [{ relation: 'member', from: 'org' }],
-						},
-					],
-				},
-				{
-					name: 'project',
-					relations: [
-						{ name: 'team', directTypes: ['team'], computed: [] },
-						{
-							name: 'viewer',
-							directTypes: ['user'],
-							computed: [{ relation: 'member', from: 'team' }],
-						},
-						{ name: 'can_view', directTypes: [], computed: [{ relation: 'viewer' }] },
-					],
-				},
-			],
-		},
+		name: 'RBAC roles',
+		description: 'Global roles assigned to users, referenced by resources.',
+		dsl: `model
+  schema 1.1
+
+type user
+
+type role
+  relations
+    define assignee: [user]
+
+type resource
+  relations
+    define admin: [role#assignee]
+    define editor: [user, role#assignee] or admin
+    define viewer: [user, role#assignee] or editor
+    define can_view: viewer
+    define can_edit: editor
+    define can_admin: admin`,
+	},
+	{
+		name: 'Groups',
+		description: 'Nestable user groups; grant access to a whole group.',
+		dsl: `model
+  schema 1.1
+
+type user
+
+type group
+  relations
+    define member: [user, group#member]
+
+type document
+  relations
+    define viewer: [user, group#member]
+    define can_view: viewer`,
+	},
+	{
+		name: 'Block list (exclusion)',
+		description: 'Everyone with viewer access, except blocked users.',
+		dsl: `model
+  schema 1.1
+
+type user
+
+type document
+  relations
+    define viewer: [user]
+    define blocked: [user]
+    define can_view: viewer but not blocked`,
+	},
+	{
+		name: 'Multi-tenant SaaS',
+		description: 'Organization → workspace → resource access flow.',
+		dsl: `model
+  schema 1.1
+
+type user
+
+type organization
+  relations
+    define member: [user]
+
+type workspace
+  relations
+    define org: [organization]
+    define admin: [user]
+    define member: [user] or admin or member from org
+
+type resource
+  relations
+    define workspace: [workspace]
+    define editor: [user] or admin from workspace
+    define viewer: [user] or editor or member from workspace
+    define can_view: viewer
+    define can_edit: editor`,
+	},
+	{
+		name: 'GitHub-style repos',
+		description: 'Org → repo with admin / maintainer / writer / reader.',
+		dsl: `model
+  schema 1.1
+
+type user
+
+type organization
+  relations
+    define owner: [user]
+    define member: [user] or owner
+
+type repository
+  relations
+    define org: [organization]
+    define admin: [user] or owner from org
+    define maintainer: [user] or admin
+    define writer: [user] or maintainer
+    define reader: [user] or writer or member from org
+    define can_read: reader
+    define can_push: writer
+    define can_admin: admin`,
+	},
+	{
+		name: 'Time-bound access (conditions)',
+		description: 'ABAC: a grant that is only valid until it expires.',
+		dsl: `model
+  schema 1.1
+
+type user
+
+type document
+  relations
+    define viewer: [user with non_expired_grant]
+    define can_view: viewer
+
+condition non_expired_grant(current_time: timestamp, grant_time: timestamp, grant_duration: duration) {
+  current_time < grant_time + grant_duration
+}`,
 	},
 ];

From 6007c15e17ce23974fe9c4041d6b07e707791f01 Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Mon, 8 Jun 2026 18:33:26 +0530
Subject: [PATCH 15/39] fix(dashboard): Authorization nav no longer looks
 disabled

The collapsible group header was styled as a faded uppercase section label
(text-gray-400, uppercase), which read as a disabled item. Style it like a
normal nav entry (text-sm, gray-700, blue-50 when active).
---
 web/dashboard/src/components/Sidebar.tsx | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/web/dashboard/src/components/Sidebar.tsx b/web/dashboard/src/components/Sidebar.tsx
index 1ffdd6d4..dd5cacd6 100644
--- a/web/dashboard/src/components/Sidebar.tsx
+++ b/web/dashboard/src/components/Sidebar.tsx
@@ -154,8 +154,10 @@ export const Sidebar = ({ onClose }: SidebarProps) => {
 								}
 								aria-expanded={isOpen}
 								className={cn(
-									'flex w-full items-center gap-3 rounded-md px-3 py-2 text-xs font-semibold uppercase tracking-wider transition-colors hover:bg-gray-100',
-									isGroupActive ? 'text-blue-600' : 'text-gray-400',
+									'flex w-full items-center gap-3 rounded-md px-3 py-2 text-sm font-medium transition-colors',
+									isGroupActive
+										? 'bg-blue-50 text-blue-600'
+										: 'text-gray-700 hover:bg-gray-100 hover:text-gray-900',
 								)}
 							>
 								<group.icon className="h-4 w-4" />

From e292ef81ca59c26b0ffd4ef6139a80cdec10f68f Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Mon, 8 Jun 2026 18:47:53 +0530
Subject: [PATCH 16/39] feat(dashboard): FGA docs links, grant-pattern
 examples, accurate stepper
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- DocsLinks: links to OpenFGA / ReBAC concepts, modeling guide, DSL reference,
  and relationship tuples — shown on the Model and Grant-access pages.
- Grant-access page: "Common grant patterns" cards (direct, assign a role,
  grant a whole role via role#assignee, public user:*, and grant-on-a-folder so
  all resources inherit) that prefill the form, plus a tip on avoiding a tuple
  per object id.
- Model page: switching to an example now confirms if there are unsaved changes
  and shows a toast; a note explains there is one active model and saving makes
  a new immutable version active.
- Stepper now marks a step done only when actually complete (model saved /
  tuples exist), so step 1 isn't checked when no model exists.
---
 .../src/pages/authorization/AuthSteps.tsx     | 36 +++++++++-
 .../src/pages/authorization/DocsLinks.tsx     | 35 ++++++++++
 .../src/pages/authorization/Model.tsx         | 23 ++++++-
 .../src/pages/authorization/Tuples.tsx        | 68 +++++++++++++++++++
 4 files changed, 157 insertions(+), 5 deletions(-)
 create mode 100644 web/dashboard/src/pages/authorization/DocsLinks.tsx

diff --git a/web/dashboard/src/pages/authorization/AuthSteps.tsx b/web/dashboard/src/pages/authorization/AuthSteps.tsx
index 4cb6dd29..6d43016c 100644
--- a/web/dashboard/src/pages/authorization/AuthSteps.tsx
+++ b/web/dashboard/src/pages/authorization/AuthSteps.tsx
@@ -1,6 +1,9 @@
-import React from 'react';
+import React, { useEffect, useState } from 'react';
 import { Link, useNavigate } from 'react-router-dom';
+import { useClient } from 'urql';
 import { Check, ArrowRight, Lightbulb } from 'lucide-react';
+import { FgaGetModelQuery, FgaReadTuplesQuery } from '../../graphql/queries';
+import type { FgaGetModelResponse, FgaReadTuplesResponse } from '../../types';
 
 // The three FGA pages are a sequential workflow: define the model, grant access,
 // then verify. AuthSteps renders that as a clickable stepper shown on each page,
@@ -13,11 +16,40 @@ export const STEPS = [
 
 const AuthSteps = ({ current }: { current: 1 | 2 | 3 }) => {
 	const navigate = useNavigate();
+	const client = useClient();
+	// A step shows a check only when it's actually complete: step 1 when a model
+	// is saved, step 2 when at least one tuple exists. Best-effort; ignore errors.
+	const [modelDone, setModelDone] = useState(false);
+	const [tuplesDone, setTuplesDone] = useState(false);
+
+	useEffect(() => {
+		let active = true;
+		client
+			.query<FgaGetModelResponse>(FgaGetModelQuery, {}, { requestPolicy: 'network-only' })
+			.toPromise()
+			.then((r) => active && setModelDone(!!r.data?._fga_get_model?.dsl))
+			.catch(() => {});
+		client
+			.query<FgaReadTuplesResponse>(
+				FgaReadTuplesQuery,
+				{ params: { page_size: 1 } },
+				{ requestPolicy: 'network-only' },
+			)
+			.toPromise()
+			.then((r) => active && setTuplesDone((r.data?._fga_read_tuples?.tuples?.length ?? 0) > 0))
+			.catch(() => {});
+		return () => {
+			active = false;
+		};
+	}, [client]);
+
+	const isDone = (n: number) => (n === 1 ? modelDone : n === 2 ? tuplesDone : false);
+
 	return (
 		<nav aria-label="Fine-grained authorization setup" className="mb-5">
 			<ol className="flex flex-col gap-2 sm:flex-row sm:items-stretch">
 				{STEPS.map((s) => {
-					const state = s.n < current ? 'done' : s.n === current ? 'current' : 'upcoming';
+					const state = s.n === current ? 'current' : isDone(s.n) ? 'done' : 'upcoming';
 					return (
 						<li key={s.n} className="flex-1">
 							<button
diff --git a/web/dashboard/src/pages/authorization/DocsLinks.tsx b/web/dashboard/src/pages/authorization/DocsLinks.tsx
new file mode 100644
index 00000000..35211c21
--- /dev/null
+++ b/web/dashboard/src/pages/authorization/DocsLinks.tsx
@@ -0,0 +1,35 @@
+import React from 'react';
+import { BookOpen, ExternalLink } from 'lucide-react';
+
+// Curated links to the OpenFGA / ReBAC documentation that back Authorizer's
+// fine-grained authorization. Shown on the FGA pages.
+const LINKS = [
+	{ label: 'What is FGA / ReBAC', href: 'https://openfga.dev/docs/fga' },
+	{ label: 'Concepts', href: 'https://openfga.dev/docs/concepts' },
+	{ label: 'Modeling guide', href: 'https://openfga.dev/docs/modeling/getting-started' },
+	{ label: 'Model DSL', href: 'https://openfga.dev/docs/configuration-language' },
+	{ label: 'Relationship tuples', href: 'https://openfga.dev/docs/concepts#what-is-a-relationship-tuple' },
+];
+
+const DocsLinks = () => (
+	<div className="flex flex-wrap items-center gap-x-4 gap-y-1.5 rounded-lg border border-gray-100 bg-gray-50 px-3 py-2 text-xs text-gray-500">
+		<span className="inline-flex items-center gap-1.5 font-medium text-gray-600">
+			<BookOpen className="h-3.5 w-3.5" aria-hidden="true" />
+			Learn more
+		</span>
+		{LINKS.map((l) => (
+			<a
+				key={l.href}
+				href={l.href}
+				target="_blank"
+				rel="noopener noreferrer"
+				className="inline-flex items-center gap-0.5 text-blue-600 hover:underline"
+			>
+				{l.label}
+				<ExternalLink className="h-3 w-3" aria-hidden="true" />
+			</a>
+		))}
+	</div>
+);
+
+export default DocsLinks;
diff --git a/web/dashboard/src/pages/authorization/Model.tsx b/web/dashboard/src/pages/authorization/Model.tsx
index aac94e14..45b287a2 100644
--- a/web/dashboard/src/pages/authorization/Model.tsx
+++ b/web/dashboard/src/pages/authorization/Model.tsx
@@ -10,6 +10,7 @@ import { Skeleton } from '../../components/ui/skeleton';
 import { Badge } from '../../components/ui/badge';
 import FgaNotEnabled from '../../components/FgaNotEnabled';
 import AuthSteps, { Example, NextStep } from './AuthSteps';
+import DocsLinks from './DocsLinks';
 import { generateDsl, parseDsl, summarize, rolesTemplate, MODEL_EXAMPLES } from './modelDsl';
 import { isFgaNotEnabledError } from '../../lib/utils';
 import type {
@@ -78,9 +79,19 @@ const Model = () => {
 			.catch(() => {});
 	}, [client]);
 
-	const applyExample = (exampleDsl: string) => {
+	const applyExample = (name: string, exampleDsl: string) => {
+		if (
+			dsl.trim() &&
+			dsl.trim() !== exampleDsl.trim() &&
+			!window.confirm(
+				`Replace the editor with the "${name}" example? Unsaved changes will be lost.`,
+			)
+		) {
+			return;
+		}
 		setDsl(exampleDsl);
 		setValidationError('');
+		toast.success(`Loaded the "${name}" example`);
 	};
 
 	const handleSave = async () => {
@@ -179,7 +190,7 @@ const Model = () => {
 								<button
 									key={ex.name}
 									type="button"
-									onClick={() => applyExample(ex.dsl)}
+									onClick={() => applyExample(ex.name, ex.dsl)}
 									className="rounded-xl border border-gray-200 bg-white p-3 text-left transition-colors hover:border-blue-300 hover:bg-blue-50"
 								>
 									<span className="block text-sm font-medium text-gray-800">{ex.name}</span>
@@ -199,11 +210,15 @@ const Model = () => {
 							</label>
 							{modelId && (
 								<span className="flex items-center gap-1.5 text-xs text-gray-400">
-									saved
+									active version
 									<Badge variant="secondary">{modelId.slice(0, 12)}…</Badge>
 								</span>
 							)}
 						</div>
+						<p className="mb-1.5 text-xs text-gray-400">
+							There is one active model. Saving creates a new immutable version and makes it the
+							active one (previous versions are kept for in-flight checks).
+						</p>
 						<Textarea
 							id="model-dsl"
 							value={dsl}
@@ -234,6 +249,8 @@ const Model = () => {
 						</div>
 					)}
 
+					<DocsLinks />
+
 					<div className="flex items-center justify-between border-t border-gray-100 pt-4 text-sm text-gray-500">
 						<span>Save the model, then grant access with relationship tuples.</span>
 						<NextStep to="/authorization/tuples" label="Next: grant access" />
diff --git a/web/dashboard/src/pages/authorization/Tuples.tsx b/web/dashboard/src/pages/authorization/Tuples.tsx
index 2c70a9fa..d4228f3d 100644
--- a/web/dashboard/src/pages/authorization/Tuples.tsx
+++ b/web/dashboard/src/pages/authorization/Tuples.tsx
@@ -18,6 +18,7 @@ import {
 } from '../../components/ui/table';
 import FgaNotEnabled from '../../components/FgaNotEnabled';
 import AuthSteps, { Example, NextStep } from './AuthSteps';
+import DocsLinks from './DocsLinks';
 import { isFgaNotEnabledError } from '../../lib/utils';
 import type {
 	FgaTuple,
@@ -30,6 +31,41 @@ const PAGE_SIZE = 25;
 
 const emptyForm = { user: '', relation: '', object: '' };
 
+// Common grant patterns. Clicking one fills the form so you can see the shape.
+// (Each requires the model to support it — e.g. role usersets, user:* wildcard,
+// or a parent relation.)
+const GRANT_PATTERNS: {
+	name: string;
+	desc: string;
+	tuple: typeof emptyForm;
+}[] = [
+	{
+		name: 'Direct grant',
+		desc: 'One user → one object.',
+		tuple: { user: 'user:alice', relation: 'viewer', object: 'document:1' },
+	},
+	{
+		name: 'Assign a role',
+		desc: 'Put a user into a role.',
+		tuple: { user: 'user:alice', relation: 'assignee', object: 'role:editor' },
+	},
+	{
+		name: 'Grant a whole role',
+		desc: 'Everyone in role:editor becomes editor of the object.',
+		tuple: { user: 'role:editor#assignee', relation: 'editor', object: 'document:1' },
+	},
+	{
+		name: 'Public — all users',
+		desc: 'Anyone can access this object (needs user:* in the model).',
+		tuple: { user: 'user:*', relation: 'viewer', object: 'document:1' },
+	},
+	{
+		name: 'All resources in a folder',
+		desc: 'Grant on the folder once; every document under it inherits.',
+		tuple: { user: 'user:alice', relation: 'viewer', object: 'folder:root' },
+	},
+];
+
 const Tuples = () => {
 	const client = useClient();
 	const [loading, setLoading] = useState<boolean>(true);
@@ -209,6 +245,38 @@ const Tuples = () => {
 				</Example>
 			</div>
 
+			{/* Common grant patterns — click to prefill the form */}
+			<div className="mb-4">
+				<p className="mb-2 text-sm font-medium text-gray-700">Common grant patterns</p>
+				<div className="grid grid-cols-1 gap-2 sm:grid-cols-2 lg:grid-cols-3 xl:grid-cols-5">
+					{GRANT_PATTERNS.map((p) => (
+						<button
+							key={p.name}
+							type="button"
+							onClick={() => setForm(p.tuple)}
+							title="Click to fill the form below"
+							className="rounded-xl border border-gray-200 bg-white p-3 text-left transition-colors hover:border-blue-300 hover:bg-blue-50"
+						>
+							<span className="block text-sm font-medium text-gray-800">{p.name}</span>
+							<span className="mt-0.5 block text-xs leading-relaxed text-gray-500">{p.desc}</span>
+							<span className="mt-1.5 block truncate font-mono text-[11px] text-blue-600">
+								{p.tuple.user} · {p.tuple.relation} · {p.tuple.object}
+							</span>
+						</button>
+					))}
+				</div>
+				<p className="mt-2 text-xs text-gray-400">
+					<strong className="text-gray-500">Tip:</strong> to avoid a tuple per object id, grant on a{' '}
+					<code className="rounded bg-gray-100 px-1 py-0.5">folder</code>/
+					<code className="rounded bg-gray-100 px-1 py-0.5">organization</code> and let resources inherit,
+					or use <code className="rounded bg-gray-100 px-1 py-0.5">user:*</code> for public access.
+				</p>
+			</div>
+
+			<div className="mb-4">
+				<DocsLinks />
+			</div>
+
 			{/* Add tuple form */}
 			<form
 				onSubmit={handleAdd}

From 9d469579331c40313acc0bf7c25e01a0fd2e37d0 Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Mon, 8 Jun 2026 18:56:11 +0530
Subject: [PATCH 17/39] docs(dashboard): explain model versioning in the model
 editor

Add an "About model versions" info panel: one active model, saving creates a
new immutable version, earlier versions are retained, OpenFGA models are
append-only (a version can't be deleted individually), and separate models
need separate stores.
---
 .../src/pages/authorization/Model.tsx          | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/web/dashboard/src/pages/authorization/Model.tsx b/web/dashboard/src/pages/authorization/Model.tsx
index 45b287a2..c7ff7e1f 100644
--- a/web/dashboard/src/pages/authorization/Model.tsx
+++ b/web/dashboard/src/pages/authorization/Model.tsx
@@ -1,7 +1,7 @@
 import React, { useCallback, useEffect, useState } from 'react';
 import { useClient } from 'urql';
 import { toast } from 'sonner';
-import { AlertCircle, Save } from 'lucide-react';
+import { AlertCircle, Save, Info } from 'lucide-react';
 import { FgaGetModelQuery, AdminRolesQuery } from '../../graphql/queries';
 import { FgaWriteModel } from '../../graphql/mutation';
 import { Button } from '../../components/ui/button';
@@ -215,10 +215,18 @@ const Model = () => {
 								</span>
 							)}
 						</div>
-						<p className="mb-1.5 text-xs text-gray-400">
-							There is one active model. Saving creates a new immutable version and makes it the
-							active one (previous versions are kept for in-flight checks).
-						</p>
+						<div className="mb-2 flex items-start gap-2 rounded-lg border border-gray-100 bg-gray-50 p-3 text-xs leading-relaxed text-gray-600">
+							<Info className="mt-0.5 h-4 w-4 shrink-0 text-gray-400" aria-hidden="true" />
+							<div>
+								<strong className="text-gray-700">About model versions.</strong> There is always
+								exactly one <em>active</em> model. Saving creates a new <strong>immutable
+								version</strong> and makes it active; earlier versions are retained so requests
+								already in flight stay valid. OpenFGA models are <strong>append-only</strong> — an
+								individual version cannot be deleted. To change the rules, save a new version; to
+								remove everything, reset the store (deletes the model and all tuples). Separate
+								models require separate stores, which aren&rsquo;t exposed here.
+							</div>
+						</div>
 						<Textarea
 							id="model-dsl"
 							value={dsl}

From fafaf72311b809752c55e89f1267232e24d1da57 Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Mon, 8 Jun 2026 20:03:13 +0530
Subject: [PATCH 18/39] feat(fga): add guarded reset for the authorization
 model
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

OpenFGA models are append-only — individual versions cannot be deleted.
Reset is the only way to remove a model and all its past versions and
start fresh.

- engine: add Reset() to the AuthorizationEngine SPI; OpenFGA impl deletes
  the store (model + all versions + tuples) and creates a new empty one
- graphql: add _fga_reset mutation, super-admin gated and audited
  (admin.fga_reset). Refused while any relationship tuples still exist so
  live grants are never dropped silently — callers must delete tuples first
- dashboard: "Danger zone" on the model page. Disabled with a link to the
  Grant access page while tuples exist; otherwise a typed-confirmation
  dialog (type RESET) before wiping
- test: TestOpenFGAEngine_Reset covers store rotation, model clearing,
  tuple removal, and engine reuse
---
 internal/authorization/engine/engine.go       |   6 +
 .../authorization/engine/openfga/openfga.go   |  47 ++++--
 .../engine/openfga/openfga_test.go            |  30 ++++
 internal/constants/audit_event.go             |   3 +
 internal/graph/generated/generated.go         |  65 ++++++++
 internal/graph/schema.graphqls                |   1 +
 internal/graph/schema.resolvers.go            |   5 +
 internal/graphql/fga_admin.go                 |  46 ++++++
 internal/graphql/provider.go                  |   4 +
 web/dashboard/src/graphql/mutation/index.ts   |   8 +
 .../src/pages/authorization/Model.tsx         | 156 +++++++++++++++++-
 web/dashboard/src/types.ts                    |   6 +
 12 files changed, 362 insertions(+), 15 deletions(-)

diff --git a/internal/authorization/engine/engine.go b/internal/authorization/engine/engine.go
index 2414bff9..effb1bb9 100644
--- a/internal/authorization/engine/engine.go
+++ b/internal/authorization/engine/engine.go
@@ -153,4 +153,10 @@ type AuthorizationEngine interface {
 	// ReadModel returns the currently active authorization model: its
 	// backend-assigned id and its DSL rendering.
 	ReadModel(ctx context.Context) (id string, dsl string, err error)
+
+	// Reset deletes the entire authorization store (the model, all its versions,
+	// and all tuples) and starts a fresh, empty store. It is destructive and must
+	// be admin-gated by callers; OpenFGA has no per-version delete, so this is the
+	// only way to remove a model.
+	Reset(ctx context.Context) error
 }
diff --git a/internal/authorization/engine/openfga/openfga.go b/internal/authorization/engine/openfga/openfga.go
index eaece4c5..2f195b83 100644
--- a/internal/authorization/engine/openfga/openfga.go
+++ b/internal/authorization/engine/openfga/openfga.go
@@ -70,12 +70,13 @@ type Dependencies struct {
 // server. storeID and modelID are mutated under mu when a store/model is
 // bootstrapped at runtime (memory store / first boot).
 type engineImpl struct {
-	log     *zerolog.Logger
-	srv     *server.Server
-	ds      storage.OpenFGADatastore
-	mu      sync.RWMutex
-	storeID string
-	modelID string
+	log       *zerolog.Logger
+	srv       *server.Server
+	ds        storage.OpenFGADatastore
+	mu        sync.RWMutex
+	storeID   string
+	modelID   string
+	storeName string
 }
 
 // Compile-time interface verification.
@@ -112,11 +113,12 @@ func New(cfg *Config, deps *Dependencies) (engine.AuthorizationEngine, error) {
 	}
 
 	e := &engineImpl{
-		log:     &log,
-		srv:     srv,
-		ds:      ds,
-		storeID: cfg.StoreID,
-		modelID: cfg.ModelID,
+		log:       &log,
+		srv:       srv,
+		ds:        ds,
+		storeID:   cfg.StoreID,
+		modelID:   cfg.ModelID,
+		storeName: cfg.StoreName,
 	}
 
 	// Bootstrap a store if none was provided. The store ID is exposed via
@@ -137,6 +139,29 @@ func New(cfg *Config, deps *Dependencies) (engine.AuthorizationEngine, error) {
 	return e, nil
 }
 
+// Reset deletes the current store (model + all versions + tuples) and creates a
+// fresh empty store. The new store has no model — callers must WriteModel again
+// before checks. Destructive; admin-gated by callers.
+func (e *engineImpl) Reset(ctx context.Context) error {
+	e.mu.Lock()
+	defer e.mu.Unlock()
+	if e.storeID != "" {
+		if _, err := e.srv.DeleteStore(ctx, &openfgav1.DeleteStoreRequest{StoreId: e.storeID}); err != nil {
+			return fmt.Errorf("openfga.Reset: DeleteStore: %w", err)
+		}
+	}
+	store, err := e.srv.CreateStore(ctx, &openfgav1.CreateStoreRequest{
+		Name: storeNameOrDefault(e.storeName),
+	})
+	if err != nil {
+		return fmt.Errorf("openfga.Reset: CreateStore: %w", err)
+	}
+	e.storeID = store.GetId()
+	e.modelID = ""
+	e.log.Info().Str("store_id", e.storeID).Msg("FGA store reset; new empty store created")
+	return nil
+}
+
 // newDatastore opens the configured datastore.
 //
 // The memory store and all SQL stores (sqlite/postgres/mysql) are compiled into
diff --git a/internal/authorization/engine/openfga/openfga_test.go b/internal/authorization/engine/openfga/openfga_test.go
index dede591d..b41c5230 100644
--- a/internal/authorization/engine/openfga/openfga_test.go
+++ b/internal/authorization/engine/openfga/openfga_test.go
@@ -156,6 +156,36 @@ func TestOpenFGAEngine_ReadModelRoundtrip(t *testing.T) {
 	assert.Contains(t, dsl, "can_view")
 }
 
+func TestOpenFGAEngine_Reset(t *testing.T) {
+	ctx := context.Background()
+	eng, impl := newTestEngine(t)
+
+	_, err := eng.WriteModel(ctx, testModel)
+	require.NoError(t, err)
+	require.NoError(t, eng.WriteTuples(ctx, []engine.TupleKey{
+		{User: "user:alice", Relation: "viewer", Object: "document:1"},
+	}))
+
+	storeBefore := impl.StoreID()
+	require.NotEmpty(t, storeBefore)
+
+	// Reset wipes the store: a fresh store ID, no active model, no tuples.
+	require.NoError(t, eng.Reset(ctx))
+	assert.NotEqual(t, storeBefore, impl.StoreID(), "Reset must create a new store")
+	assert.Empty(t, impl.ModelID(), "Reset must clear the active model")
+
+	// No model after reset → reads fail closed and checks error.
+	_, _, err = eng.ReadModel(ctx)
+	assert.Error(t, err, "ReadModel must error when no model exists after reset")
+
+	// The engine is reusable: a new model and tuples can be written.
+	_, err = eng.WriteModel(ctx, testModel)
+	require.NoError(t, err)
+	res, err := eng.ReadTuples(ctx, engine.ReadTuplesFilter{})
+	require.NoError(t, err)
+	assert.Empty(t, res.Tuples, "tuples from before the reset must be gone")
+}
+
 func TestOpenFGAEngine_CheckBeforeModelFailsClosed(t *testing.T) {
 	ctx := context.Background()
 	eng, _ := newTestEngine(t)
diff --git a/internal/constants/audit_event.go b/internal/constants/audit_event.go
index 8f636bc3..7c825fb5 100644
--- a/internal/constants/audit_event.go
+++ b/internal/constants/audit_event.go
@@ -104,6 +104,9 @@ const (
 	AuditAdminFgaTuplesWrittenEvent = "admin.fga_tuples_written"
 	// AuditAdminFgaTuplesDeletedEvent is logged when an admin deletes fine-grained authorization tuples.
 	AuditAdminFgaTuplesDeletedEvent = "admin.fga_tuples_deleted"
+	// AuditAdminFgaResetEvent is logged when an admin resets the fine-grained authorization store
+	// (deletes the model, all its versions, and all tuples).
+	AuditAdminFgaResetEvent = "admin.fga_reset"
 
 	// AuditOAuthLoginInitiatedEvent is logged when an OAuth login flow is started.
 	AuditOAuthLoginInitiatedEvent = "oauth.login_initiated"
diff --git a/internal/graph/generated/generated.go b/internal/graph/generated/generated.go
index d4376834..869b7c22 100644
--- a/internal/graph/generated/generated.go
+++ b/internal/graph/generated/generated.go
@@ -261,6 +261,7 @@ type ComplexityRoot struct {
 		DeleteWebhook       func(childComplexity int, params model.WebhookRequest) int
 		EnableAccess        func(childComplexity int, param model.UpdateAccessRequest) int
 		FgaDeleteTuples     func(childComplexity int, params model.FgaWriteTuplesInput) int
+		FgaReset            func(childComplexity int) int
 		FgaWriteModel       func(childComplexity int, params model.FgaWriteModelInput) int
 		FgaWriteTuples      func(childComplexity int, params model.FgaWriteTuplesInput) int
 		ForgotPassword      func(childComplexity int, params model.ForgotPasswordRequest) int
@@ -451,6 +452,7 @@ type MutationResolver interface {
 	FgaWriteModel(ctx context.Context, params model.FgaWriteModelInput) (*model.FgaModel, error)
 	FgaWriteTuples(ctx context.Context, params model.FgaWriteTuplesInput) (*model.Response, error)
 	FgaDeleteTuples(ctx context.Context, params model.FgaWriteTuplesInput) (*model.Response, error)
+	FgaReset(ctx context.Context) (*model.Response, error)
 }
 type QueryResolver interface {
 	Meta(ctx context.Context) (*model.Meta, error)
@@ -1640,6 +1642,13 @@ func (e *executableSchema) Complexity(ctx context.Context, typeName, field strin
 
 		return e.complexity.Mutation.FgaDeleteTuples(childComplexity, args["params"].(model.FgaWriteTuplesInput)), true
 
+	case "Mutation._fga_reset":
+		if e.complexity.Mutation.FgaReset == nil {
+			break
+		}
+
+		return e.complexity.Mutation.FgaReset(childComplexity), true
+
 	case "Mutation._fga_write_model":
 		if e.complexity.Mutation.FgaWriteModel == nil {
 			break
@@ -3595,6 +3604,7 @@ type Mutation {
   _fga_write_model(params: FgaWriteModelInput!): FgaModel!
   _fga_write_tuples(params: FgaWriteTuplesInput!): Response!
   _fga_delete_tuples(params: FgaWriteTuplesInput!): Response!
+  _fga_reset: Response!
 }
 
 type Query {
@@ -13701,6 +13711,54 @@ func (ec *executionContext) fieldContext_Mutation__fga_delete_tuples(ctx context
 	return fc, nil
 }
 
+func (ec *executionContext) _Mutation__fga_reset(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Mutation__fga_reset(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return ec.resolvers.Mutation().FgaReset(rctx)
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
+		return graphql.Null
+	}
+	res := resTmp.(*model.Response)
+	fc.Result = res
+	return ec.marshalNResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResponse(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext_Mutation__fga_reset(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "Mutation",
+		Field:      field,
+		IsMethod:   true,
+		IsResolver: true,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			switch field.Name {
+			case "message":
+				return ec.fieldContext_Response_message(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type Response", field.Name)
+		},
+	}
+	return fc, nil
+}
+
 func (ec *executionContext) _Pagination_limit(ctx context.Context, field graphql.CollectedField, obj *model.Pagination) (ret graphql.Marshaler) {
 	fc, err := ec.fieldContext_Pagination_limit(ctx, field)
 	if err != nil {
@@ -24268,6 +24326,13 @@ func (ec *executionContext) _Mutation(ctx context.Context, sel ast.SelectionSet)
 			if out.Values[i] == graphql.Null {
 				out.Invalids++
 			}
+		case "_fga_reset":
+			out.Values[i] = ec.OperationContext.RootResolverMiddleware(innerCtx, func(ctx context.Context) (res graphql.Marshaler) {
+				return ec._Mutation__fga_reset(ctx, field)
+			})
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
 		default:
 			panic("unknown field " + strconv.Quote(field.Name))
 		}
diff --git a/internal/graph/schema.graphqls b/internal/graph/schema.graphqls
index 168fd3f8..0a300949 100644
--- a/internal/graph/schema.graphqls
+++ b/internal/graph/schema.graphqls
@@ -838,6 +838,7 @@ type Mutation {
   _fga_write_model(params: FgaWriteModelInput!): FgaModel!
   _fga_write_tuples(params: FgaWriteTuplesInput!): Response!
   _fga_delete_tuples(params: FgaWriteTuplesInput!): Response!
+  _fga_reset: Response!
 }
 
 type Query {
diff --git a/internal/graph/schema.resolvers.go b/internal/graph/schema.resolvers.go
index a823d898..5308079c 100644
--- a/internal/graph/schema.resolvers.go
+++ b/internal/graph/schema.resolvers.go
@@ -187,6 +187,11 @@ func (r *mutationResolver) FgaDeleteTuples(ctx context.Context, params model.Fga
 	return r.GraphQLProvider.FgaDeleteTuples(ctx, &params)
 }
 
+// FgaReset is the resolver for the _fga_reset field.
+func (r *mutationResolver) FgaReset(ctx context.Context) (*model.Response, error) {
+	return r.GraphQLProvider.FgaReset(ctx)
+}
+
 // Meta is the resolver for the meta field.
 func (r *queryResolver) Meta(ctx context.Context) (*model.Meta, error) {
 	return r.GraphQLProvider.Meta(ctx)
diff --git a/internal/graphql/fga_admin.go b/internal/graphql/fga_admin.go
index 9cada128..59a7237b 100644
--- a/internal/graphql/fga_admin.go
+++ b/internal/graphql/fga_admin.go
@@ -270,6 +270,52 @@ func (g *graphqlProvider) FgaExpand(ctx context.Context, params *model.FgaExpand
 	return &model.FgaExpandResponse{Tree: tree}, nil
 }
 
+// FgaReset deletes the entire fine-grained authorization store — the model, all
+// its versions, and all tuples — and starts a fresh, empty store. OpenFGA has no
+// per-version model delete, so this is the only way to remove a model.
+//
+// It is guarded: the reset is refused while any relationship tuples still exist,
+// so an admin cannot silently drop live grants. Callers must delete all tuples
+// first. Destructive and audited.
+// Permission: authorizer:admin.
+func (g *graphqlProvider) FgaReset(ctx context.Context) (*model.Response, error) {
+	log := g.Log.With().Str("func", "FgaReset").Logger()
+	gc, err := utils.GinContextFromContext(ctx)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to get GinContext")
+		return nil, err
+	}
+	if !g.TokenProvider.IsSuperAdmin(gc) {
+		log.Debug().Msg("Not logged in as super admin")
+		return nil, fmt.Errorf("unauthorized")
+	}
+	if g.AuthzEngine == nil {
+		return nil, errFgaNotEnabled
+	}
+	// Safety gate: refuse to reset while tuples still exist so live grants are
+	// never dropped without an explicit prior cleanup.
+	existing, err := g.AuthzEngine.ReadTuples(ctx, engine.ReadTuplesFilter{PageSize: 1})
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to check for existing tuples before reset")
+		return nil, err
+	}
+	if existing != nil && len(existing.Tuples) > 0 {
+		return nil, fmt.Errorf("remove all relationship tuples before resetting the authorization model")
+	}
+	if err := g.AuthzEngine.Reset(ctx); err != nil {
+		log.Debug().Err(err).Msg("Failed to reset authorization store")
+		return nil, err
+	}
+	g.AuditProvider.LogEvent(audit.Event{
+		Action:       constants.AuditAdminFgaResetEvent,
+		ActorType:    constants.AuditActorTypeAdmin,
+		ResourceType: constants.AuditResourceTypeFgaModel,
+		IPAddress:    utils.GetIP(gc.Request),
+		UserAgent:    utils.GetUserAgent(gc.Request),
+	})
+	return &model.Response{Message: "Authorization model reset successfully"}, nil
+}
+
 // toEngineTuples validates and converts admin-supplied tuple inputs into engine
 // tuples. It enforces a per-call cap and rejects empty fields.
 func toEngineTuples(params *model.FgaWriteTuplesInput) ([]engine.TupleKey, error) {
diff --git a/internal/graphql/provider.go b/internal/graphql/provider.go
index 5a41d143..c7cfe6fb 100644
--- a/internal/graphql/provider.go
+++ b/internal/graphql/provider.go
@@ -201,6 +201,10 @@ type Provider interface {
 	// FgaDeleteTuples deletes fine-grained authorization tuples.
 	// Permissions: authorizer:admin
 	FgaDeleteTuples(ctx context.Context, params *model.FgaWriteTuplesInput) (*model.Response, error)
+	// FgaReset deletes the entire authorization store (model, all versions and
+	// tuples) and starts fresh. Refused while tuples still exist.
+	// Permissions: authorizer:admin
+	FgaReset(ctx context.Context) (*model.Response, error)
 	// FgaReadTuples reads a page of fine-grained authorization tuples.
 	// Permissions: authorizer:admin
 	FgaReadTuples(ctx context.Context, params *model.FgaReadTuplesInput) (*model.FgaTuples, error)
diff --git a/web/dashboard/src/graphql/mutation/index.ts b/web/dashboard/src/graphql/mutation/index.ts
index 685a061e..87ed4284 100644
--- a/web/dashboard/src/graphql/mutation/index.ts
+++ b/web/dashboard/src/graphql/mutation/index.ts
@@ -153,3 +153,11 @@ export const FgaDeleteTuples = `
     }
   }
 `;
+
+export const FgaReset = `
+  mutation fgaReset {
+    _fga_reset {
+      message
+    }
+  }
+`;
diff --git a/web/dashboard/src/pages/authorization/Model.tsx b/web/dashboard/src/pages/authorization/Model.tsx
index c7ff7e1f..24eafc17 100644
--- a/web/dashboard/src/pages/authorization/Model.tsx
+++ b/web/dashboard/src/pages/authorization/Model.tsx
@@ -1,13 +1,24 @@
 import React, { useCallback, useEffect, useState } from 'react';
+import { Link } from 'react-router-dom';
 import { useClient } from 'urql';
 import { toast } from 'sonner';
-import { AlertCircle, Save, Info } from 'lucide-react';
-import { FgaGetModelQuery, AdminRolesQuery } from '../../graphql/queries';
-import { FgaWriteModel } from '../../graphql/mutation';
+import { AlertCircle, Save, Info, RotateCcw, AlertTriangle } from 'lucide-react';
+import { FgaGetModelQuery, AdminRolesQuery, FgaReadTuplesQuery } from '../../graphql/queries';
+import { FgaWriteModel, FgaReset } from '../../graphql/mutation';
 import { Button } from '../../components/ui/button';
 import { Textarea } from '../../components/ui/textarea';
 import { Skeleton } from '../../components/ui/skeleton';
 import { Badge } from '../../components/ui/badge';
+import {
+	Dialog,
+	DialogContent,
+	DialogHeader,
+	DialogTitle,
+	DialogDescription,
+	DialogFooter,
+	DialogClose,
+} from '../../components/ui/dialog';
+import { Input } from '../../components/ui/input';
 import FgaNotEnabled from '../../components/FgaNotEnabled';
 import AuthSteps, { Example, NextStep } from './AuthSteps';
 import DocsLinks from './DocsLinks';
@@ -16,6 +27,8 @@ import { isFgaNotEnabledError } from '../../lib/utils';
 import type {
 	FgaGetModelResponse,
 	FgaWriteModelResponse,
+	FgaReadTuplesResponse,
+	FgaResetResponse,
 	AdminRolesResponse,
 } from '../../types';
 
@@ -39,6 +52,27 @@ const Model = () => {
 	const [modelId, setModelId] = useState('');
 	const [validationError, setValidationError] = useState('');
 	const [roles, setRoles] = useState<string[]>([]);
+	// Reset is destructive and guarded: it is only allowed when no relationship
+	// tuples exist (the backend enforces this too). tuplesExist gates the action.
+	const [tuplesExist, setTuplesExist] = useState(false);
+	const [resetOpen, setResetOpen] = useState(false);
+	const [resetting, setResetting] = useState(false);
+	const [confirmText, setConfirmText] = useState('');
+
+	const checkTuples = useCallback(async () => {
+		try {
+			const res = await client
+				.query<FgaReadTuplesResponse>(
+					FgaReadTuplesQuery,
+					{ params: { page_size: 1 } },
+					{ requestPolicy: 'network-only' },
+				)
+				.toPromise();
+			setTuplesExist((res.data?._fga_read_tuples?.tuples?.length ?? 0) > 0);
+		} catch {
+			// Best-effort; leave the gate closed-safe (assume tuples may exist).
+		}
+	}, [client]);
 
 	const fetchModel = useCallback(async () => {
 		setLoading(true);
@@ -65,7 +99,8 @@ const Model = () => {
 
 	useEffect(() => {
 		fetchModel();
-	}, [fetchModel]);
+		checkTuples();
+	}, [fetchModel, checkTuples]);
 
 	// Configured roles → a "your roles" example.
 	useEffect(() => {
@@ -125,6 +160,29 @@ const Model = () => {
 		}
 	};
 
+	const handleReset = async () => {
+		setResetting(true);
+		try {
+			const res = await client.mutation<FgaResetResponse>(FgaReset, {}).toPromise();
+			if (res.error) {
+				toast.error(res.error.message.replace('[GraphQL] ', ''));
+				return;
+			}
+			// Store wiped: clear the editor and local state, then re-check.
+			setDsl('');
+			setModelId('');
+			setValidationError('');
+			setResetOpen(false);
+			setConfirmText('');
+			await checkTuples();
+			toast.success('Authorization model reset — start fresh from an example');
+		} catch {
+			toast.error('Failed to reset authorization model');
+		} finally {
+			setResetting(false);
+		}
+	};
+
 	const roleModel = rolesTemplate(roles);
 	const examples = [
 		...(roleModel
@@ -259,12 +317,102 @@ const Model = () => {
 
 					<DocsLinks />
 
+					{modelId && (
+						<div className="rounded-lg border border-red-200 bg-red-50/40 p-4">
+							<div className="flex items-start gap-2">
+								<AlertTriangle
+									className="mt-0.5 h-4 w-4 shrink-0 text-red-500"
+									aria-hidden="true"
+								/>
+								<div className="flex-1">
+									<p className="text-sm font-medium text-red-800">Danger zone · Reset model</p>
+									<p className="mt-1 text-xs leading-relaxed text-red-700/80">
+										OpenFGA models are append-only — individual versions can&rsquo;t be deleted.
+										Resetting is the only way to remove the model and <strong>all its past
+										versions</strong> and start over. This cannot be undone.
+									</p>
+									{tuplesExist ? (
+										<p className="mt-2 flex flex-wrap items-center gap-1 text-xs text-red-700/80">
+											<span>
+												Reset is blocked while relationship tuples exist, so live grants are
+												never dropped silently.
+											</span>
+											<Link
+												to="/authorization/tuples"
+												className="font-medium text-red-700 underline underline-offset-2 hover:text-red-800"
+											>
+												Remove all tuples first
+											</Link>
+										</p>
+									) : (
+										<div className="mt-3">
+											<Button
+												variant="destructive"
+												size="sm"
+												onClick={() => {
+													setConfirmText('');
+													setResetOpen(true);
+												}}
+											>
+												<RotateCcw className="mr-2 h-4 w-4" />
+												Reset model
+											</Button>
+										</div>
+									)}
+								</div>
+							</div>
+						</div>
+					)}
+
 					<div className="flex items-center justify-between border-t border-gray-100 pt-4 text-sm text-gray-500">
 						<span>Save the model, then grant access with relationship tuples.</span>
 						<NextStep to="/authorization/tuples" label="Next: grant access" />
 					</div>
 				</div>
 			)}
+
+			<Dialog open={resetOpen} onOpenChange={(open) => !resetting && setResetOpen(open)}>
+				<DialogContent>
+					<DialogHeader>
+						<DialogTitle className="flex items-center gap-2 text-red-700">
+							<AlertTriangle className="h-5 w-5" aria-hidden="true" />
+							Reset authorization model
+						</DialogTitle>
+						<DialogDescription>
+							This permanently deletes the active model and every past version, then starts a
+							fresh, empty store. You&rsquo;ll need to define a new model before access checks
+							work again. This action cannot be undone.
+						</DialogDescription>
+					</DialogHeader>
+					<div className="space-y-2">
+						<label htmlFor="reset-confirm" className="text-sm font-medium text-gray-700">
+							Type <span className="font-mono font-semibold text-red-700">RESET</span> to confirm
+						</label>
+						<Input
+							id="reset-confirm"
+							value={confirmText}
+							onChange={(e) => setConfirmText(e.target.value)}
+							placeholder="RESET"
+							autoComplete="off"
+							spellCheck={false}
+						/>
+					</div>
+					<DialogFooter>
+						<DialogClose asChild>
+							<Button variant="outline" disabled={resetting}>
+								Cancel
+							</Button>
+						</DialogClose>
+						<Button
+							variant="destructive"
+							onClick={handleReset}
+							disabled={resetting || confirmText.trim() !== 'RESET'}
+						>
+							{resetting ? 'Resetting…' : 'Reset model'}
+						</Button>
+					</DialogFooter>
+				</DialogContent>
+			</Dialog>
 		</div>
 	);
 };
diff --git a/web/dashboard/src/types.ts b/web/dashboard/src/types.ts
index bf011270..3cc54bfc 100644
--- a/web/dashboard/src/types.ts
+++ b/web/dashboard/src/types.ts
@@ -165,6 +165,12 @@ export interface FgaDeleteTuplesResponse {
 	};
 }
 
+export interface FgaResetResponse {
+	_fga_reset: {
+		message: string;
+	};
+}
+
 export interface FgaCheckResponse {
 	fga_check: {
 		allowed: boolean;

From 6e16c7773fe47bac0fa4ccaade3fe1b23be23c91 Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Tue, 9 Jun 2026 16:55:52 +0530
Subject: [PATCH 19/39] feat(fga): empty-model state + Prometheus metrics for
 FGA resolvers
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Add engine.ErrNoModel sentinel; ReadModel returns it on a fresh store so
  callers treat "no model yet" as an empty state, not a failure. FgaGetModel
  maps it to an empty model for the dashboard's starting view. Fail-closed is
  unchanged — Check/BatchCheck/ListObjects still deny on a model-less store.
- Add authorizer_fga_checks_total, authorizer_fga_check_duration_seconds and
  authorizer_fga_operations_total, recorded across the FGA resolvers. Only
  low-cardinality constant labels are ever used as label values.
- Tests: ErrNoModel sentinel (engine), empty-model GraphQL state + metric
  recording (integration), metric helpers (unit).
---
 go.mod                                        |  1 +
 internal/authorization/engine/engine.go       | 11 ++-
 .../engine/openfga/openfga_test.go            | 11 ++-
 .../engine/openfga/operations.go              |  2 +-
 internal/graphql/fga_admin.go                 | 24 +++++
 internal/graphql/fga_runtime.go               | 15 +++
 internal/integration_tests/fga_test.go        | 54 +++++++++++
 internal/metrics/metrics.go                   | 94 +++++++++++++++++++
 internal/metrics/metrics_test.go              | 38 ++++++++
 9 files changed, 245 insertions(+), 5 deletions(-)

diff --git a/go.mod b/go.mod
index 91990ce8..d35c2449 100644
--- a/go.mod
+++ b/go.mod
@@ -116,6 +116,7 @@ require (
 	github.com/json-iterator/go v1.1.12 // indirect
 	github.com/klauspost/compress v1.18.5 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.4 // indirect
+	github.com/kylelemons/godebug v1.1.0 // indirect
 	github.com/lann/builder v0.0.0-20180802200727-47ae307949d0 // indirect
 	github.com/lann/ps v0.0.0-20150810152359-62de8c46ede0 // indirect
 	github.com/leodido/go-urn v1.2.4 // indirect
diff --git a/internal/authorization/engine/engine.go b/internal/authorization/engine/engine.go
index effb1bb9..dd5837ab 100644
--- a/internal/authorization/engine/engine.go
+++ b/internal/authorization/engine/engine.go
@@ -13,7 +13,16 @@
 // engine is not constructed and the fga_* resolvers fail closed.
 package engine
 
-import "context"
+import (
+	"context"
+	"errors"
+)
+
+// ErrNoModel is returned (wrapped) by ReadModel when no authorization model has
+// been written to the store yet. Callers can use errors.Is to treat this as an
+// empty state ("no model yet") rather than a failure — e.g. a fresh store the
+// admin has not configured. Distinct from a genuine read failure.
+var ErrNoModel = errors.New("no authorization model written yet")
 
 // TupleKey identifies a single relationship: the subject (User) is related to
 // the Object via the Relation. Identifiers are expected to be fully qualified
diff --git a/internal/authorization/engine/openfga/openfga_test.go b/internal/authorization/engine/openfga/openfga_test.go
index b41c5230..62bf8f94 100644
--- a/internal/authorization/engine/openfga/openfga_test.go
+++ b/internal/authorization/engine/openfga/openfga_test.go
@@ -146,7 +146,12 @@ func TestOpenFGAEngine_ReadModelRoundtrip(t *testing.T) {
 	ctx := context.Background()
 	eng, _ := newTestEngine(t)
 
-	_, err := eng.WriteModel(ctx, testModel)
+	// A fresh store has no model yet: ReadModel must report the typed sentinel
+	// so callers can treat it as an empty state, not a failure.
+	_, _, err := eng.ReadModel(ctx)
+	assert.ErrorIs(t, err, engine.ErrNoModel, "ReadModel on a fresh store must return ErrNoModel")
+
+	_, err = eng.WriteModel(ctx, testModel)
 	require.NoError(t, err)
 
 	id, dsl, err := eng.ReadModel(ctx)
@@ -174,9 +179,9 @@ func TestOpenFGAEngine_Reset(t *testing.T) {
 	assert.NotEqual(t, storeBefore, impl.StoreID(), "Reset must create a new store")
 	assert.Empty(t, impl.ModelID(), "Reset must clear the active model")
 
-	// No model after reset → reads fail closed and checks error.
+	// No model after reset → ReadModel reports the no-model sentinel.
 	_, _, err = eng.ReadModel(ctx)
-	assert.Error(t, err, "ReadModel must error when no model exists after reset")
+	assert.ErrorIs(t, err, engine.ErrNoModel, "ReadModel after reset must return ErrNoModel")
 
 	// The engine is reusable: a new model and tuples can be written.
 	_, err = eng.WriteModel(ctx, testModel)
diff --git a/internal/authorization/engine/openfga/operations.go b/internal/authorization/engine/openfga/operations.go
index 8800c14b..8f959d62 100644
--- a/internal/authorization/engine/openfga/operations.go
+++ b/internal/authorization/engine/openfga/operations.go
@@ -293,7 +293,7 @@ func (e *engineImpl) WriteModel(ctx context.Context, dsl string) (string, error)
 func (e *engineImpl) ReadModel(ctx context.Context) (string, string, error) {
 	storeID, modelID := e.ids()
 	if modelID == "" {
-		return "", "", fmt.Errorf("openfga.ReadModel: no authorization model written yet")
+		return "", "", fmt.Errorf("openfga.ReadModel: %w", engine.ErrNoModel)
 	}
 	res, err := e.srv.ReadAuthorizationModel(ctx, &openfgav1.ReadAuthorizationModelRequest{
 		StoreId: storeID,
diff --git a/internal/graphql/fga_admin.go b/internal/graphql/fga_admin.go
index 59a7237b..29a072ca 100644
--- a/internal/graphql/fga_admin.go
+++ b/internal/graphql/fga_admin.go
@@ -10,6 +10,7 @@ import (
 	"github.com/authorizerdev/authorizer/internal/authorization/engine"
 	"github.com/authorizerdev/authorizer/internal/constants"
 	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/metrics"
 	"github.com/authorizerdev/authorizer/internal/refs"
 	"github.com/authorizerdev/authorizer/internal/utils"
 )
@@ -48,9 +49,11 @@ func (g *graphqlProvider) FgaWriteModel(ctx context.Context, params *model.FgaWr
 	}
 	modelID, err := g.AuthzEngine.WriteModel(ctx, params.Dsl)
 	if err != nil {
+		metrics.RecordFgaOperation(metrics.FgaOpWriteModel, metrics.FgaResultError)
 		log.Debug().Err(err).Msg("Failed to write authorization model")
 		return nil, err
 	}
+	metrics.RecordFgaOperation(metrics.FgaOpWriteModel, metrics.FgaResultSuccess)
 	g.AuditProvider.LogEvent(audit.Event{
 		Action:       constants.AuditAdminFgaModelWrittenEvent,
 		ActorType:    constants.AuditActorTypeAdmin,
@@ -80,9 +83,18 @@ func (g *graphqlProvider) FgaGetModel(ctx context.Context) (*model.FgaModel, err
 	}
 	id, dsl, err := g.AuthzEngine.ReadModel(ctx)
 	if err != nil {
+		// A store with no model yet is a normal empty state, not a failure:
+		// return an empty model so the dashboard shows its "define a model"
+		// starting point instead of an error.
+		if errors.Is(err, engine.ErrNoModel) {
+			metrics.RecordFgaOperation(metrics.FgaOpGetModel, metrics.FgaResultSuccess)
+			return &model.FgaModel{ID: "", Dsl: ""}, nil
+		}
+		metrics.RecordFgaOperation(metrics.FgaOpGetModel, metrics.FgaResultError)
 		log.Debug().Err(err).Msg("Failed to read authorization model")
 		return nil, err
 	}
+	metrics.RecordFgaOperation(metrics.FgaOpGetModel, metrics.FgaResultSuccess)
 	return &model.FgaModel{ID: id, Dsl: dsl}, nil
 }
 
@@ -107,9 +119,11 @@ func (g *graphqlProvider) FgaWriteTuples(ctx context.Context, params *model.FgaW
 		return nil, err
 	}
 	if err := g.AuthzEngine.WriteTuples(ctx, tuples); err != nil {
+		metrics.RecordFgaOperation(metrics.FgaOpWriteTuples, metrics.FgaResultError)
 		log.Debug().Err(err).Msg("Failed to write tuples")
 		return nil, err
 	}
+	metrics.RecordFgaOperation(metrics.FgaOpWriteTuples, metrics.FgaResultSuccess)
 	g.AuditProvider.LogEvent(audit.Event{
 		Action:       constants.AuditAdminFgaTuplesWrittenEvent,
 		ActorType:    constants.AuditActorTypeAdmin,
@@ -142,9 +156,11 @@ func (g *graphqlProvider) FgaDeleteTuples(ctx context.Context, params *model.Fga
 		return nil, err
 	}
 	if err := g.AuthzEngine.DeleteTuples(ctx, tuples); err != nil {
+		metrics.RecordFgaOperation(metrics.FgaOpDeleteTuples, metrics.FgaResultError)
 		log.Debug().Err(err).Msg("Failed to delete tuples")
 		return nil, err
 	}
+	metrics.RecordFgaOperation(metrics.FgaOpDeleteTuples, metrics.FgaResultSuccess)
 	g.AuditProvider.LogEvent(audit.Event{
 		Action:       constants.AuditAdminFgaTuplesDeletedEvent,
 		ActorType:    constants.AuditActorTypeAdmin,
@@ -193,9 +209,11 @@ func (g *graphqlProvider) FgaReadTuples(ctx context.Context, params *model.FgaRe
 	}
 	res, err := g.AuthzEngine.ReadTuples(ctx, filter)
 	if err != nil {
+		metrics.RecordFgaOperation(metrics.FgaOpReadTuples, metrics.FgaResultError)
 		log.Debug().Err(err).Msg("Failed to read tuples")
 		return nil, err
 	}
+	metrics.RecordFgaOperation(metrics.FgaOpReadTuples, metrics.FgaResultSuccess)
 	out := &model.FgaTuples{Tuples: make([]*model.FgaTuple, 0, len(res.Tuples))}
 	for _, t := range res.Tuples {
 		out.Tuples = append(out.Tuples, &model.FgaTuple{User: t.User, Relation: t.Relation, Object: t.Object})
@@ -230,9 +248,11 @@ func (g *graphqlProvider) FgaListUsers(ctx context.Context, params *model.FgaLis
 	}
 	users, err := g.AuthzEngine.ListUsers(ctx, params.Object, params.Relation, params.UserType)
 	if err != nil {
+		metrics.RecordFgaOperation(metrics.FgaOpListUsers, metrics.FgaResultError)
 		log.Debug().Err(err).Msg("Failed to list users")
 		return nil, err
 	}
+	metrics.RecordFgaOperation(metrics.FgaOpListUsers, metrics.FgaResultSuccess)
 	// Cap the result set; ListUsers is an expensive enumeration surface.
 	if len(users) > maxFgaListResults {
 		users = users[:maxFgaListResults]
@@ -264,9 +284,11 @@ func (g *graphqlProvider) FgaExpand(ctx context.Context, params *model.FgaExpand
 	}
 	tree, err := g.AuthzEngine.Expand(ctx, params.Relation, params.Object)
 	if err != nil {
+		metrics.RecordFgaOperation(metrics.FgaOpExpand, metrics.FgaResultError)
 		log.Debug().Err(err).Msg("Failed to expand")
 		return nil, err
 	}
+	metrics.RecordFgaOperation(metrics.FgaOpExpand, metrics.FgaResultSuccess)
 	return &model.FgaExpandResponse{Tree: tree}, nil
 }
 
@@ -303,9 +325,11 @@ func (g *graphqlProvider) FgaReset(ctx context.Context) (*model.Response, error)
 		return nil, fmt.Errorf("remove all relationship tuples before resetting the authorization model")
 	}
 	if err := g.AuthzEngine.Reset(ctx); err != nil {
+		metrics.RecordFgaOperation(metrics.FgaOpReset, metrics.FgaResultError)
 		log.Debug().Err(err).Msg("Failed to reset authorization store")
 		return nil, err
 	}
+	metrics.RecordFgaOperation(metrics.FgaOpReset, metrics.FgaResultSuccess)
 	g.AuditProvider.LogEvent(audit.Event{
 		Action:       constants.AuditAdminFgaResetEvent,
 		ActorType:    constants.AuditActorTypeAdmin,
diff --git a/internal/graphql/fga_runtime.go b/internal/graphql/fga_runtime.go
index 43fdacd3..8235129d 100644
--- a/internal/graphql/fga_runtime.go
+++ b/internal/graphql/fga_runtime.go
@@ -4,9 +4,11 @@ import (
 	"context"
 	"fmt"
 	"strings"
+	"time"
 
 	"github.com/authorizerdev/authorizer/internal/authorization/engine"
 	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/metrics"
 	"github.com/authorizerdev/authorizer/internal/refs"
 	"github.com/authorizerdev/authorizer/internal/utils"
 )
@@ -127,12 +129,16 @@ func (g *graphqlProvider) FgaCheck(ctx context.Context, params *model.FgaCheckIn
 	if err != nil {
 		return nil, err
 	}
+	start := time.Now()
 	allowed, err := g.AuthzEngine.Check(ctx, principal, params.Relation, params.Object, ctxTuples...)
+	metrics.ObserveFgaCheckDuration(metrics.FgaOpCheck, time.Since(start).Seconds())
 	if err != nil {
 		// Fail closed: treat engine error as deny.
+		metrics.RecordFgaCheck(metrics.FgaOpCheck, metrics.FgaResultError)
 		log.Debug().Err(err).Msg("Check failed; denying")
 		return nil, fmt.Errorf("authorization check failed")
 	}
+	metrics.RecordFgaCheckResult(metrics.FgaOpCheck, allowed)
 	return &model.FgaCheckResponse{Allowed: allowed}, nil
 }
 
@@ -173,14 +179,19 @@ func (g *graphqlProvider) FgaBatchCheck(ctx context.Context, params *model.FgaBa
 			ContextualTuples: ctxTuples,
 		})
 	}
+	start := time.Now()
 	results, err := g.AuthzEngine.BatchCheck(ctx, requests)
+	metrics.ObserveFgaCheckDuration(metrics.FgaOpBatchCheck, time.Since(start).Seconds())
 	if err != nil {
 		// Fail closed for the whole batch.
+		metrics.RecordFgaCheck(metrics.FgaOpBatchCheck, metrics.FgaResultError)
 		log.Debug().Err(err).Msg("BatchCheck failed; denying")
 		return nil, fmt.Errorf("authorization check failed")
 	}
 	out := &model.FgaBatchCheckResponse{Results: make([]*model.FgaCheckResponse, 0, len(results))}
 	for _, r := range results {
+		// Record each sub-decision so adoption/denial rates reflect every pair.
+		metrics.RecordFgaCheckResult(metrics.FgaOpBatchCheck, r.Allowed)
 		out.Results = append(out.Results, &model.FgaCheckResponse{Allowed: r.Allowed})
 	}
 	return out, nil
@@ -205,11 +216,15 @@ func (g *graphqlProvider) FgaListObjects(ctx context.Context, params *model.FgaL
 		log.Debug().Err(err).Msg("Failed to resolve subject")
 		return nil, err
 	}
+	start := time.Now()
 	objects, err := g.AuthzEngine.ListObjects(ctx, principal, params.Relation, params.ObjectType)
+	metrics.ObserveFgaCheckDuration(metrics.FgaOpListObjects, time.Since(start).Seconds())
 	if err != nil {
+		metrics.RecordFgaOperation(metrics.FgaOpListObjects, metrics.FgaResultError)
 		log.Debug().Err(err).Msg("ListObjects failed; denying")
 		return nil, fmt.Errorf("authorization list failed")
 	}
+	metrics.RecordFgaOperation(metrics.FgaOpListObjects, metrics.FgaResultSuccess)
 	// Cap the result set; ListObjects is an expensive enumeration surface.
 	if len(objects) > maxFgaListResults {
 		objects = objects[:maxFgaListResults]
diff --git a/internal/integration_tests/fga_test.go b/internal/integration_tests/fga_test.go
index 655d0bf6..121e9811 100644
--- a/internal/integration_tests/fga_test.go
+++ b/internal/integration_tests/fga_test.go
@@ -7,6 +7,7 @@ import (
 
 	"github.com/gin-gonic/gin"
 	"github.com/google/uuid"
+	"github.com/prometheus/client_golang/prometheus/testutil"
 	"github.com/rs/zerolog"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
@@ -24,6 +25,7 @@ import (
 	"github.com/authorizerdev/authorizer/internal/graphql"
 	"github.com/authorizerdev/authorizer/internal/http_handlers"
 	"github.com/authorizerdev/authorizer/internal/memory_store"
+	"github.com/authorizerdev/authorizer/internal/metrics"
 	"github.com/authorizerdev/authorizer/internal/oauth"
 	"github.com/authorizerdev/authorizer/internal/rate_limit"
 	"github.com/authorizerdev/authorizer/internal/sms"
@@ -181,6 +183,16 @@ func TestFGA(t *testing.T) {
 	})
 
 	setAdminCookie(t, ts)
+
+	// ---- Admin: a fresh store (no model yet) is an empty state, NOT an error. ----
+	t.Run("_fga_get_model returns empty model on a fresh store", func(t *testing.T) {
+		res, err := ts.GraphQLProvider.FgaGetModel(ctx)
+		require.NoError(t, err, "no model yet must be an empty state, not an error")
+		require.NotNil(t, res)
+		assert.Empty(t, res.ID)
+		assert.Empty(t, res.Dsl)
+	})
+
 	modelRes, err := ts.GraphQLProvider.FgaWriteModel(ctx, &model.FgaWriteModelInput{Dsl: fgaTestModel})
 	require.NoError(t, err)
 	require.NotNil(t, modelRes)
@@ -509,6 +521,48 @@ func TestFGA(t *testing.T) {
 		assert.Error(t, err, "validate_jwt_token must fail when a required relation is unsatisfied")
 	})
 
+	// ---- Observability: the FGA resolvers feed Prometheus metrics. ----
+	t.Run("fga resolvers record decision, duration and operation metrics", func(t *testing.T) {
+		// Earlier subtests rotate/invalidate the original session, so re-login for
+		// a fresh one and pin to it for the decision checks.
+		clearCookies(ts)
+		fresh, err := ts.GraphQLProvider.Login(ctx, &model.LoginRequest{Email: &email, Password: password})
+		require.NoError(t, err)
+		require.NotNil(t, fresh)
+		freshSession := latestAppSessionCookie(ts)
+		require.NotEmpty(t, freshSession)
+		clearCookies(ts)
+		ts.GinContext.Request.Header.Set("Cookie", fmt.Sprintf("%s_session=%s", constants.AppCookieName, freshSession))
+
+		allowBefore := testutil.ToFloat64(metrics.FgaChecksTotal.WithLabelValues(metrics.FgaOpCheck, metrics.FgaResultAllowed))
+		denyBefore := testutil.ToFloat64(metrics.FgaChecksTotal.WithLabelValues(metrics.FgaOpCheck, metrics.FgaResultDenied))
+
+		// document:1 is granted to the caller (allowed); document:2 is not (denied).
+		_, err = ts.GraphQLProvider.FgaCheck(ctx, &model.FgaCheckInput{Relation: "can_view", Object: "document:1"})
+		require.NoError(t, err)
+		_, err = ts.GraphQLProvider.FgaCheck(ctx, &model.FgaCheckInput{Relation: "can_view", Object: "document:2"})
+		require.NoError(t, err)
+
+		assert.Equal(t, allowBefore+1,
+			testutil.ToFloat64(metrics.FgaChecksTotal.WithLabelValues(metrics.FgaOpCheck, metrics.FgaResultAllowed)),
+			"an allowed check must increment the allowed counter")
+		assert.Equal(t, denyBefore+1,
+			testutil.ToFloat64(metrics.FgaChecksTotal.WithLabelValues(metrics.FgaOpCheck, metrics.FgaResultDenied)),
+			"a denied check must increment the denied counter")
+		// The duration histogram has at least the 'check' series populated.
+		assert.GreaterOrEqual(t, testutil.CollectAndCount(metrics.FgaCheckDuration), 1,
+			"fga check duration histogram must have observations")
+
+		// An admin operation increments the operations counter.
+		setAdminCookie(t, ts)
+		opBefore := testutil.ToFloat64(metrics.FgaOperationsTotal.WithLabelValues(metrics.FgaOpReadTuples, metrics.FgaResultSuccess))
+		_, err = ts.GraphQLProvider.FgaReadTuples(ctx, &model.FgaReadTuplesInput{})
+		require.NoError(t, err)
+		assert.Equal(t, opBefore+1,
+			testutil.ToFloat64(metrics.FgaOperationsTotal.WithLabelValues(metrics.FgaOpReadTuples, metrics.FgaResultSuccess)),
+			"a successful admin op must increment the operations counter")
+	})
+
 	_ = req
 	_ = eng
 }
diff --git a/internal/metrics/metrics.go b/internal/metrics/metrics.go
index 56e6e9c3..4359fb20 100644
--- a/internal/metrics/metrics.go
+++ b/internal/metrics/metrics.go
@@ -129,6 +129,43 @@ var (
 			Help: "Total requests that omitted X-Authorizer-Client-ID (allowed for some routes)",
 		},
 	)
+
+	// FgaChecksTotal is the headline fine-grained-authorization access-decision
+	// counter: every fga_check / fga_batch_check decision by outcome. Use it for
+	// FGA adoption tracking and denial/error alerting.
+	// operation: check | batch_check. result: allowed | denied | error.
+	FgaChecksTotal = prometheus.NewCounterVec(
+		prometheus.CounterOpts{
+			Name: "authorizer_fga_checks_total",
+			Help: "Total fine-grained authorization access decisions. operation=check|batch_check, result=allowed|denied|error",
+		},
+		[]string{"operation", "result"},
+	)
+
+	// FgaCheckDuration tracks the latency of the client-facing FGA read
+	// operations (the OpenFGA engine call), in seconds.
+	// operation: check | batch_check | list_objects.
+	FgaCheckDuration = prometheus.NewHistogramVec(
+		prometheus.HistogramOpts{
+			Name:    "authorizer_fga_check_duration_seconds",
+			Help:    "Fine-grained authorization engine call duration in seconds. operation=check|batch_check|list_objects",
+			Buckets: prometheus.DefBuckets,
+		},
+		[]string{"operation"},
+	)
+
+	// FgaOperationsTotal counts non-decision FGA operations (model/tuple
+	// management, enumeration, reset) by outcome — useful for auditing admin
+	// authorization changes and alerting on failures.
+	// operation: get_model|write_model|read_tuples|write_tuples|delete_tuples|list_users|expand|list_objects|reset.
+	// result: success | error.
+	FgaOperationsTotal = prometheus.NewCounterVec(
+		prometheus.CounterOpts{
+			Name: "authorizer_fga_operations_total",
+			Help: "Total non-decision fine-grained authorization operations by outcome. result=success|error",
+		},
+		[]string{"operation", "result"},
+	)
 )
 
 // staticAssetPathSuffixes are path suffixes (after lowercasing) treated as static files
@@ -211,6 +248,9 @@ func Init() {
 		prometheus.MustRegister(GraphQLRequestDuration)
 		prometheus.MustRegister(DBHealthCheckTotal)
 		prometheus.MustRegister(ClientIDHeaderMissingTotal)
+		prometheus.MustRegister(FgaChecksTotal)
+		prometheus.MustRegister(FgaCheckDuration)
+		prometheus.MustRegister(FgaOperationsTotal)
 	})
 }
 
@@ -260,3 +300,57 @@ func RecordGraphQLLimitRejection(limit string) {
 func RecordClientIDHeaderMissing() {
 	ClientIDHeaderMissingTotal.Inc()
 }
+
+// FGA operation labels (low-cardinality, package constants). Never pass
+// user-controlled strings as label values.
+const (
+	FgaOpCheck        = "check"
+	FgaOpBatchCheck   = "batch_check"
+	FgaOpListObjects  = "list_objects"
+	FgaOpGetModel     = "get_model"
+	FgaOpWriteModel   = "write_model"
+	FgaOpReadTuples   = "read_tuples"
+	FgaOpWriteTuples  = "write_tuples"
+	FgaOpDeleteTuples = "delete_tuples"
+	FgaOpListUsers    = "list_users"
+	FgaOpExpand       = "expand"
+	FgaOpReset        = "reset"
+)
+
+// FGA result labels.
+const (
+	FgaResultAllowed = "allowed"
+	FgaResultDenied  = "denied"
+	FgaResultError   = "error"
+	FgaResultSuccess = "success"
+)
+
+// RecordFgaCheck records a single FGA access decision.
+// operation must be FgaOpCheck or FgaOpBatchCheck; result must be one of
+// FgaResultAllowed / FgaResultDenied / FgaResultError.
+func RecordFgaCheck(operation, result string) {
+	FgaChecksTotal.WithLabelValues(operation, result).Inc()
+}
+
+// RecordFgaCheckResult is a convenience wrapper that maps a boolean decision to
+// the allowed/denied result label.
+func RecordFgaCheckResult(operation string, allowed bool) {
+	if allowed {
+		RecordFgaCheck(operation, FgaResultAllowed)
+		return
+	}
+	RecordFgaCheck(operation, FgaResultDenied)
+}
+
+// ObserveFgaCheckDuration records the latency of an FGA engine call in seconds.
+// operation must be one of the FgaOp* constants for client-facing reads.
+func ObserveFgaCheckDuration(operation string, seconds float64) {
+	FgaCheckDuration.WithLabelValues(operation).Observe(seconds)
+}
+
+// RecordFgaOperation records a non-decision FGA operation outcome.
+// operation must be an FgaOp* constant; result must be FgaResultSuccess or
+// FgaResultError.
+func RecordFgaOperation(operation, result string) {
+	FgaOperationsTotal.WithLabelValues(operation, result).Inc()
+}
diff --git a/internal/metrics/metrics_test.go b/internal/metrics/metrics_test.go
index 22565d6b..f287b13f 100644
--- a/internal/metrics/metrics_test.go
+++ b/internal/metrics/metrics_test.go
@@ -4,6 +4,7 @@ import (
 	"strings"
 	"testing"
 
+	"github.com/prometheus/client_golang/prometheus/testutil"
 	"github.com/stretchr/testify/assert"
 )
 
@@ -63,3 +64,40 @@ func TestSkipHTTPRequestMetrics_chunkSegment(t *testing.T) {
 	assert.False(t, SkipHTTPRequestMetrics("/foo/mychunk-file.js"))
 	assert.True(t, SkipHTTPRequestMetrics("/chunk-xyz"))
 }
+
+func TestRecordFgaCheck(t *testing.T) {
+	// RecordFgaCheckResult maps the boolean decision to the right label.
+	allowBefore := testutil.ToFloat64(FgaChecksTotal.WithLabelValues(FgaOpCheck, FgaResultAllowed))
+	RecordFgaCheckResult(FgaOpCheck, true)
+	assert.Equal(t, allowBefore+1,
+		testutil.ToFloat64(FgaChecksTotal.WithLabelValues(FgaOpCheck, FgaResultAllowed)))
+
+	denyBefore := testutil.ToFloat64(FgaChecksTotal.WithLabelValues(FgaOpBatchCheck, FgaResultDenied))
+	RecordFgaCheckResult(FgaOpBatchCheck, false)
+	assert.Equal(t, denyBefore+1,
+		testutil.ToFloat64(FgaChecksTotal.WithLabelValues(FgaOpBatchCheck, FgaResultDenied)))
+
+	errBefore := testutil.ToFloat64(FgaChecksTotal.WithLabelValues(FgaOpCheck, FgaResultError))
+	RecordFgaCheck(FgaOpCheck, FgaResultError)
+	assert.Equal(t, errBefore+1,
+		testutil.ToFloat64(FgaChecksTotal.WithLabelValues(FgaOpCheck, FgaResultError)))
+}
+
+func TestRecordFgaOperation(t *testing.T) {
+	before := testutil.ToFloat64(FgaOperationsTotal.WithLabelValues(FgaOpWriteModel, FgaResultSuccess))
+	RecordFgaOperation(FgaOpWriteModel, FgaResultSuccess)
+	assert.Equal(t, before+1,
+		testutil.ToFloat64(FgaOperationsTotal.WithLabelValues(FgaOpWriteModel, FgaResultSuccess)))
+
+	errBefore := testutil.ToFloat64(FgaOperationsTotal.WithLabelValues(FgaOpReset, FgaResultError))
+	RecordFgaOperation(FgaOpReset, FgaResultError)
+	assert.Equal(t, errBefore+1,
+		testutil.ToFloat64(FgaOperationsTotal.WithLabelValues(FgaOpReset, FgaResultError)))
+}
+
+func TestObserveFgaCheckDuration(t *testing.T) {
+	ObserveFgaCheckDuration(FgaOpListObjects, 0.01)
+	ObserveFgaCheckDuration(FgaOpCheck, 0.02)
+	// At least the two observed series are present in the histogram vec.
+	assert.GreaterOrEqual(t, testutil.CollectAndCount(FgaCheckDuration), 1)
+}

From fde5a55628116602a8eda5ccbf6764016b0541a7 Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Tue, 9 Jun 2026 16:56:04 +0530
Subject: [PATCH 20/39] feat(dashboard): friendly FGA model builder, example
 modals, tester subject
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Step 1 is now two-mode: a roles × permissions matrix (RbacBuilder, the
  default for non-developers) that generates a standard OpenFGA RBAC model,
  plus the Advanced (DSL) editor. No syntax to learn to define a model.
- Example catalogs (model examples and grant patterns) moved into modal
  popups so the editor and the add-tuple form stay the focus.
- Tester gains a User (subject) field so a super-admin can check any subject;
  result copy reflects the checked subject. Server already gates the override
  to admins.
- Grant page guards against writing tuples before a model exists, and only
  blocks on a genuine no-model error — never on a transient failure.
- Drop the dead _env.ROLES / AdminRolesQuery fetch.
- Add vitest + modelDsl.test.ts unit coverage (rbacModel, parse, summarize,
  example catalog).
---
 web/dashboard/package-lock.json               | 1375 ++++++++++++++++-
 web/dashboard/package.json                    |    5 +-
 web/dashboard/src/graphql/queries/index.ts    |   10 -
 .../src/pages/authorization/Model.tsx         |  394 +++--
 .../src/pages/authorization/RbacBuilder.tsx   |  362 +++++
 .../src/pages/authorization/Tester.tsx        |   74 +-
 .../src/pages/authorization/Tuples.tsx        |  226 ++-
 .../src/pages/authorization/modelDsl.test.ts  |  287 ++++
 .../src/pages/authorization/modelDsl.ts       |  155 +-
 web/dashboard/src/types.ts                    |    7 -
 web/dashboard/vitest.config.ts                |   11 +
 11 files changed, 2689 insertions(+), 217 deletions(-)
 create mode 100644 web/dashboard/src/pages/authorization/RbacBuilder.tsx
 create mode 100644 web/dashboard/src/pages/authorization/modelDsl.test.ts
 create mode 100644 web/dashboard/vitest.config.ts

diff --git a/web/dashboard/package-lock.json b/web/dashboard/package-lock.json
index 98ae6690..2769a00f 100644
--- a/web/dashboard/package-lock.json
+++ b/web/dashboard/package-lock.json
@@ -43,7 +43,8 @@
 				"prettier": "^3.3.3",
 				"tailwindcss": "^4.1.4",
 				"typescript": "^5.6.3",
-				"vite": "^7.3.0"
+				"vite": "^7.3.0",
+				"vitest": "^2.1.9"
 			}
 		},
 		"node_modules/@0no-co/graphql.web": {
@@ -2574,6 +2575,92 @@
 				"vite": "^4.2.0 || ^5.0.0 || ^6.0.0 || ^7.0.0"
 			}
 		},
+		"node_modules/@vitest/expect": {
+			"version": "2.1.9",
+			"resolved": "https://registry.npmjs.org/@vitest/expect/-/expect-2.1.9.tgz",
+			"integrity": "sha512-UJCIkTBenHeKT1TTlKMJWy1laZewsRIzYighyYiJKZreqtdxSos/S1t+ktRMQWu2CKqaarrkeszJx1cgC5tGZw==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"@vitest/spy": "2.1.9",
+				"@vitest/utils": "2.1.9",
+				"chai": "^5.1.2",
+				"tinyrainbow": "^1.2.0"
+			},
+			"funding": {
+				"url": "https://opencollective.com/vitest"
+			}
+		},
+		"node_modules/@vitest/pretty-format": {
+			"version": "2.1.9",
+			"resolved": "https://registry.npmjs.org/@vitest/pretty-format/-/pretty-format-2.1.9.tgz",
+			"integrity": "sha512-KhRIdGV2U9HOUzxfiHmY8IFHTdqtOhIzCpd8WRdJiE7D/HUcZVD0EgQCVjm+Q9gkUXWgBvMmTtZgIG48wq7sOQ==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"tinyrainbow": "^1.2.0"
+			},
+			"funding": {
+				"url": "https://opencollective.com/vitest"
+			}
+		},
+		"node_modules/@vitest/runner": {
+			"version": "2.1.9",
+			"resolved": "https://registry.npmjs.org/@vitest/runner/-/runner-2.1.9.tgz",
+			"integrity": "sha512-ZXSSqTFIrzduD63btIfEyOmNcBmQvgOVsPNPe0jYtESiXkhd8u2erDLnMxmGrDCwHCCHE7hxwRDCT3pt0esT4g==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"@vitest/utils": "2.1.9",
+				"pathe": "^1.1.2"
+			},
+			"funding": {
+				"url": "https://opencollective.com/vitest"
+			}
+		},
+		"node_modules/@vitest/snapshot": {
+			"version": "2.1.9",
+			"resolved": "https://registry.npmjs.org/@vitest/snapshot/-/snapshot-2.1.9.tgz",
+			"integrity": "sha512-oBO82rEjsxLNJincVhLhaxxZdEtV0EFHMK5Kmx5sJ6H9L183dHECjiefOAdnqpIgT5eZwT04PoggUnW88vOBNQ==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"@vitest/pretty-format": "2.1.9",
+				"magic-string": "^0.30.12",
+				"pathe": "^1.1.2"
+			},
+			"funding": {
+				"url": "https://opencollective.com/vitest"
+			}
+		},
+		"node_modules/@vitest/spy": {
+			"version": "2.1.9",
+			"resolved": "https://registry.npmjs.org/@vitest/spy/-/spy-2.1.9.tgz",
+			"integrity": "sha512-E1B35FwzXXTs9FHNK6bDszs7mtydNi5MIfUWpceJ8Xbfb1gBMscAnwLbEu+B44ed6W3XjL9/ehLPHR1fkf1KLQ==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"tinyspy": "^3.0.2"
+			},
+			"funding": {
+				"url": "https://opencollective.com/vitest"
+			}
+		},
+		"node_modules/@vitest/utils": {
+			"version": "2.1.9",
+			"resolved": "https://registry.npmjs.org/@vitest/utils/-/utils-2.1.9.tgz",
+			"integrity": "sha512-v0psaMSkNJ3A2NMrUEHFRzJtDPFn+/VWZ5WxImB21T9fjucJRmS7xCS3ppEnARb9y11OAzaD+P2Ps+b+BGX5iQ==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"@vitest/pretty-format": "2.1.9",
+				"loupe": "^3.1.2",
+				"tinyrainbow": "^1.2.0"
+			},
+			"funding": {
+				"url": "https://opencollective.com/vitest"
+			}
+		},
 		"node_modules/aria-hidden": {
 			"version": "1.2.6",
 			"resolved": "https://registry.npmjs.org/aria-hidden/-/aria-hidden-1.2.6.tgz",
@@ -2586,6 +2673,16 @@
 				"node": ">=10"
 			}
 		},
+		"node_modules/assertion-error": {
+			"version": "2.0.1",
+			"resolved": "https://registry.npmjs.org/assertion-error/-/assertion-error-2.0.1.tgz",
+			"integrity": "sha512-Izi8RQcffqCeNVgFigKli1ssklIbpHnCYc6AknXGYoB6grJqyeby7jv12JUQgmTAnIDnbck1uxksT4dzN3PWBA==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"node": ">=12"
+			}
+		},
 		"node_modules/attr-accept": {
 			"version": "2.2.5",
 			"resolved": "https://registry.npmjs.org/attr-accept/-/attr-accept-2.2.5.tgz",
@@ -2642,6 +2739,16 @@
 				"node": "^6 || ^7 || ^8 || ^9 || ^10 || ^11 || ^12 || >=13.7"
 			}
 		},
+		"node_modules/cac": {
+			"version": "6.7.14",
+			"resolved": "https://registry.npmjs.org/cac/-/cac-6.7.14.tgz",
+			"integrity": "sha512-b6Ilus+c3RrdDk+JhLKUAQfzzgLEPy6wcXqS7f/xe1EETvsDP6GORG7SFuOs6cID5YkqchW/LXZbX5bc8j7ZcQ==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"node": ">=8"
+			}
+		},
 		"node_modules/caniuse-lite": {
 			"version": "1.0.30001787",
 			"resolved": "https://registry.npmjs.org/caniuse-lite/-/caniuse-lite-1.0.30001787.tgz",
@@ -2663,6 +2770,33 @@
 			],
 			"license": "CC-BY-4.0"
 		},
+		"node_modules/chai": {
+			"version": "5.3.3",
+			"resolved": "https://registry.npmjs.org/chai/-/chai-5.3.3.tgz",
+			"integrity": "sha512-4zNhdJD/iOjSH0A05ea+Ke6MU5mmpQcbQsSOkgdaUMJ9zTlDTD/GYlwohmIE2u0gaxHYiVHEn1Fw9mZ/ktJWgw==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"assertion-error": "^2.0.1",
+				"check-error": "^2.1.1",
+				"deep-eql": "^5.0.1",
+				"loupe": "^3.1.0",
+				"pathval": "^2.0.0"
+			},
+			"engines": {
+				"node": ">=18"
+			}
+		},
+		"node_modules/check-error": {
+			"version": "2.1.3",
+			"resolved": "https://registry.npmjs.org/check-error/-/check-error-2.1.3.tgz",
+			"integrity": "sha512-PAJdDJusoxnwm1VwW07VWwUN1sl7smmC3OKggvndJFadxxDRyFJBX/ggnu/KE4kQAB7a3Dp8f/YXC1FlUprWmA==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"node": ">= 16"
+			}
+		},
 		"node_modules/class-variance-authority": {
 			"version": "0.7.1",
 			"resolved": "https://registry.npmjs.org/class-variance-authority/-/class-variance-authority-0.7.1.tgz",
@@ -2735,6 +2869,16 @@
 				}
 			}
 		},
+		"node_modules/deep-eql": {
+			"version": "5.0.2",
+			"resolved": "https://registry.npmjs.org/deep-eql/-/deep-eql-5.0.2.tgz",
+			"integrity": "sha512-h5k/5U50IJJFpzfL6nO9jaaumfjO/f2NjK/oYB2Djzm4p9L+3T9qWpZqZ2hAbLPuuYq9wrU08WQyBTL5GbPk5Q==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"node": ">=6"
+			}
+		},
 		"node_modules/detect-libc": {
 			"version": "2.1.2",
 			"resolved": "https://registry.npmjs.org/detect-libc/-/detect-libc-2.1.2.tgz",
@@ -2772,6 +2916,13 @@
 				"node": ">=10.13.0"
 			}
 		},
+		"node_modules/es-module-lexer": {
+			"version": "1.7.0",
+			"resolved": "https://registry.npmjs.org/es-module-lexer/-/es-module-lexer-1.7.0.tgz",
+			"integrity": "sha512-jEQoCwk8hyb2AZziIOLhDqpm5+2ww5uIE6lkO/6jcOCusfk6LhMHpXXfBLXTZ7Ydyt0j4VoUQv6uGNYbdW+kBA==",
+			"dev": true,
+			"license": "MIT"
+		},
 		"node_modules/esbuild": {
 			"version": "0.27.7",
 			"resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.27.7.tgz",
@@ -2824,6 +2975,26 @@
 				"node": ">=6"
 			}
 		},
+		"node_modules/estree-walker": {
+			"version": "3.0.3",
+			"resolved": "https://registry.npmjs.org/estree-walker/-/estree-walker-3.0.3.tgz",
+			"integrity": "sha512-7RUKfXgSMMkzt6ZuXmqapOurLGPPfgj6l9uRZ7lRGolvk0y2yocc35LdcxKC5PQZdn2DMqioAQ2NoWcrTKmm6g==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"@types/estree": "^1.0.0"
+			}
+		},
+		"node_modules/expect-type": {
+			"version": "1.3.0",
+			"resolved": "https://registry.npmjs.org/expect-type/-/expect-type-1.3.0.tgz",
+			"integrity": "sha512-knvyeauYhqjOYvQ66MznSMs83wmHrCycNEN6Ao+2AeYEfxUIkuiVxdEa1qlGEPK+We3n0THiDciYSsCcgW/DoA==",
+			"dev": true,
+			"license": "Apache-2.0",
+			"engines": {
+				"node": ">=12.0.0"
+			}
+		},
 		"node_modules/fdir": {
 			"version": "6.5.0",
 			"resolved": "https://registry.npmjs.org/fdir/-/fdir-6.5.0.tgz",
@@ -3225,6 +3396,13 @@
 				"loose-envify": "cli.js"
 			}
 		},
+		"node_modules/loupe": {
+			"version": "3.2.1",
+			"resolved": "https://registry.npmjs.org/loupe/-/loupe-3.2.1.tgz",
+			"integrity": "sha512-CdzqowRJCeLU72bHvWqwRBBlLcMEtIvGrlvef74kMnV2AolS9Y8xUv1I0U/MNAWMhBlKIoyuEgoJ0t/bbwHbLQ==",
+			"dev": true,
+			"license": "MIT"
+		},
 		"node_modules/lru-cache": {
 			"version": "5.1.1",
 			"resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-5.1.1.tgz",
@@ -3296,6 +3474,23 @@
 				"node": ">=0.10.0"
 			}
 		},
+		"node_modules/pathe": {
+			"version": "1.1.2",
+			"resolved": "https://registry.npmjs.org/pathe/-/pathe-1.1.2.tgz",
+			"integrity": "sha512-whLdWMYL2TwI08hn8/ZqAbrVemu0LNaNNJZX73O6qaIdCTfXutsLhMkjdENX0qhsQ9uIimo4/aQOmXkoon2nDQ==",
+			"dev": true,
+			"license": "MIT"
+		},
+		"node_modules/pathval": {
+			"version": "2.0.1",
+			"resolved": "https://registry.npmjs.org/pathval/-/pathval-2.0.1.tgz",
+			"integrity": "sha512-//nshmD55c46FuFw26xV/xFAaB5HF9Xdap7HJBBnrKdAd6/GxDBaNA1870O79+9ueg61cZLSVc+OaFlfmObYVQ==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"node": ">= 14.16"
+			}
+		},
 		"node_modules/picocolors": {
 			"version": "1.1.1",
 			"resolved": "https://registry.npmjs.org/picocolors/-/picocolors-1.1.1.tgz",
@@ -3622,6 +3817,13 @@
 			"integrity": "sha512-oeM1lpU/UvhTxw+g3cIfxXHyJRc/uidd3yK1P242gzHds0udQBYzs3y8j4gCCW+ZJ7ad0yctld8RYO+bdurlvw==",
 			"license": "MIT"
 		},
+		"node_modules/siginfo": {
+			"version": "2.0.0",
+			"resolved": "https://registry.npmjs.org/siginfo/-/siginfo-2.0.0.tgz",
+			"integrity": "sha512-ybx0WO1/8bSBLEWXZvEd7gMW3Sn3JFlW3TvX1nREbDLRNQNaeNN8WK0meBwPdAaOI7TtRRRJn/Es1zhrrCHu7g==",
+			"dev": true,
+			"license": "ISC"
+		},
 		"node_modules/sonner": {
 			"version": "1.7.4",
 			"resolved": "https://registry.npmjs.org/sonner/-/sonner-1.7.4.tgz",
@@ -3642,6 +3844,20 @@
 				"node": ">=0.10.0"
 			}
 		},
+		"node_modules/stackback": {
+			"version": "0.0.2",
+			"resolved": "https://registry.npmjs.org/stackback/-/stackback-0.0.2.tgz",
+			"integrity": "sha512-1XMJE5fQo1jGH6Y/7ebnwPOBEkIEnT4QF32d5R1+VXdXveM0IBMJt8zfaxX1P3QhVwrYe+576+jkANtSS2mBbw==",
+			"dev": true,
+			"license": "MIT"
+		},
+		"node_modules/std-env": {
+			"version": "3.10.0",
+			"resolved": "https://registry.npmjs.org/std-env/-/std-env-3.10.0.tgz",
+			"integrity": "sha512-5GS12FdOZNliM5mAOxFRg7Ir0pWz8MdpYm6AY6VPkGpbA7ZzmbzNcBJQ0GPvvyWgcY7QAhCgf9Uy89I03faLkg==",
+			"dev": true,
+			"license": "MIT"
+		},
 		"node_modules/tailwind-merge": {
 			"version": "2.6.1",
 			"resolved": "https://registry.npmjs.org/tailwind-merge/-/tailwind-merge-2.6.1.tgz",
@@ -3673,6 +3889,20 @@
 				"url": "https://opencollective.com/webpack"
 			}
 		},
+		"node_modules/tinybench": {
+			"version": "2.9.0",
+			"resolved": "https://registry.npmjs.org/tinybench/-/tinybench-2.9.0.tgz",
+			"integrity": "sha512-0+DUvqWMValLmha6lr4kD8iAMK1HzV0/aKnCtWb9v9641TnP/MFb7Pc2bxoxQjTXAErryXVgUOfv2YqNllqGeg==",
+			"dev": true,
+			"license": "MIT"
+		},
+		"node_modules/tinyexec": {
+			"version": "0.3.2",
+			"resolved": "https://registry.npmjs.org/tinyexec/-/tinyexec-0.3.2.tgz",
+			"integrity": "sha512-KQQR9yN7R5+OSwaK0XQoj22pwHoTlgYqmUscPYoknOoWCWfj/5/ABTMRi69FrKU5ffPVh5QcFikpWJI/P1ocHA==",
+			"dev": true,
+			"license": "MIT"
+		},
 		"node_modules/tinyglobby": {
 			"version": "0.2.16",
 			"resolved": "https://registry.npmjs.org/tinyglobby/-/tinyglobby-0.2.16.tgz",
@@ -3690,6 +3920,36 @@
 				"url": "https://github.com/sponsors/SuperchupuDev"
 			}
 		},
+		"node_modules/tinypool": {
+			"version": "1.1.1",
+			"resolved": "https://registry.npmjs.org/tinypool/-/tinypool-1.1.1.tgz",
+			"integrity": "sha512-Zba82s87IFq9A9XmjiX5uZA/ARWDrB03OHlq+Vw1fSdt0I+4/Kutwy8BP4Y/y/aORMo61FQ0vIb5j44vSo5Pkg==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"node": "^18.0.0 || >=20.0.0"
+			}
+		},
+		"node_modules/tinyrainbow": {
+			"version": "1.2.0",
+			"resolved": "https://registry.npmjs.org/tinyrainbow/-/tinyrainbow-1.2.0.tgz",
+			"integrity": "sha512-weEDEq7Z5eTHPDh4xjX789+fHfF+P8boiFB+0vbWzpbnbsEr/GRaohi/uMKxg8RZMXnl1ItAi/IUHWMsjDV7kQ==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"node": ">=14.0.0"
+			}
+		},
+		"node_modules/tinyspy": {
+			"version": "3.0.2",
+			"resolved": "https://registry.npmjs.org/tinyspy/-/tinyspy-3.0.2.tgz",
+			"integrity": "sha512-n1cw8k1k0x4pgA2+9XrOkFydTerNcJ1zWCO5Nn9scWHTD+5tp8dghT2x1uduQePZTZgd3Tupf+x9BxJjeJi77Q==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"node": ">=14.0.0"
+			}
+		},
 		"node_modules/tslib": {
 			"version": "2.8.1",
 			"resolved": "https://registry.npmjs.org/tslib/-/tslib-2.8.1.tgz",
@@ -3883,6 +4143,1119 @@
 				}
 			}
 		},
+		"node_modules/vite-node": {
+			"version": "2.1.9",
+			"resolved": "https://registry.npmjs.org/vite-node/-/vite-node-2.1.9.tgz",
+			"integrity": "sha512-AM9aQ/IPrW/6ENLQg3AGY4K1N2TGZdR5e4gu/MmmR2xR3Ll1+dib+nook92g4TV3PXVyeyxdWwtaCAiUL0hMxA==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"cac": "^6.7.14",
+				"debug": "^4.3.7",
+				"es-module-lexer": "^1.5.4",
+				"pathe": "^1.1.2",
+				"vite": "^5.0.0"
+			},
+			"bin": {
+				"vite-node": "vite-node.mjs"
+			},
+			"engines": {
+				"node": "^18.0.0 || >=20.0.0"
+			},
+			"funding": {
+				"url": "https://opencollective.com/vitest"
+			}
+		},
+		"node_modules/vite-node/node_modules/@esbuild/aix-ppc64": {
+			"version": "0.21.5",
+			"resolved": "https://registry.npmjs.org/@esbuild/aix-ppc64/-/aix-ppc64-0.21.5.tgz",
+			"integrity": "sha512-1SDgH6ZSPTlggy1yI6+Dbkiz8xzpHJEVAlF/AM1tHPLsf5STom9rwtjE4hKAF20FfXXNTFqEYXyJNWh1GiZedQ==",
+			"cpu": [
+				"ppc64"
+			],
+			"dev": true,
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"aix"
+			],
+			"engines": {
+				"node": ">=12"
+			}
+		},
+		"node_modules/vite-node/node_modules/@esbuild/android-arm": {
+			"version": "0.21.5",
+			"resolved": "https://registry.npmjs.org/@esbuild/android-arm/-/android-arm-0.21.5.tgz",
+			"integrity": "sha512-vCPvzSjpPHEi1siZdlvAlsPxXl7WbOVUBBAowWug4rJHb68Ox8KualB+1ocNvT5fjv6wpkX6o/iEpbDrf68zcg==",
+			"cpu": [
+				"arm"
+			],
+			"dev": true,
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"android"
+			],
+			"engines": {
+				"node": ">=12"
+			}
+		},
+		"node_modules/vite-node/node_modules/@esbuild/android-arm64": {
+			"version": "0.21.5",
+			"resolved": "https://registry.npmjs.org/@esbuild/android-arm64/-/android-arm64-0.21.5.tgz",
+			"integrity": "sha512-c0uX9VAUBQ7dTDCjq+wdyGLowMdtR/GoC2U5IYk/7D1H1JYC0qseD7+11iMP2mRLN9RcCMRcjC4YMclCzGwS/A==",
+			"cpu": [
+				"arm64"
+			],
+			"dev": true,
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"android"
+			],
+			"engines": {
+				"node": ">=12"
+			}
+		},
+		"node_modules/vite-node/node_modules/@esbuild/android-x64": {
+			"version": "0.21.5",
+			"resolved": "https://registry.npmjs.org/@esbuild/android-x64/-/android-x64-0.21.5.tgz",
+			"integrity": "sha512-D7aPRUUNHRBwHxzxRvp856rjUHRFW1SdQATKXH2hqA0kAZb1hKmi02OpYRacl0TxIGz/ZmXWlbZgjwWYaCakTA==",
+			"cpu": [
+				"x64"
+			],
+			"dev": true,
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"android"
+			],
+			"engines": {
+				"node": ">=12"
+			}
+		},
+		"node_modules/vite-node/node_modules/@esbuild/darwin-arm64": {
+			"version": "0.21.5",
+			"resolved": "https://registry.npmjs.org/@esbuild/darwin-arm64/-/darwin-arm64-0.21.5.tgz",
+			"integrity": "sha512-DwqXqZyuk5AiWWf3UfLiRDJ5EDd49zg6O9wclZ7kUMv2WRFr4HKjXp/5t8JZ11QbQfUS6/cRCKGwYhtNAY88kQ==",
+			"cpu": [
+				"arm64"
+			],
+			"dev": true,
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"darwin"
+			],
+			"engines": {
+				"node": ">=12"
+			}
+		},
+		"node_modules/vite-node/node_modules/@esbuild/darwin-x64": {
+			"version": "0.21.5",
+			"resolved": "https://registry.npmjs.org/@esbuild/darwin-x64/-/darwin-x64-0.21.5.tgz",
+			"integrity": "sha512-se/JjF8NlmKVG4kNIuyWMV/22ZaerB+qaSi5MdrXtd6R08kvs2qCN4C09miupktDitvh8jRFflwGFBQcxZRjbw==",
+			"cpu": [
+				"x64"
+			],
+			"dev": true,
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"darwin"
+			],
+			"engines": {
+				"node": ">=12"
+			}
+		},
+		"node_modules/vite-node/node_modules/@esbuild/freebsd-arm64": {
+			"version": "0.21.5",
+			"resolved": "https://registry.npmjs.org/@esbuild/freebsd-arm64/-/freebsd-arm64-0.21.5.tgz",
+			"integrity": "sha512-5JcRxxRDUJLX8JXp/wcBCy3pENnCgBR9bN6JsY4OmhfUtIHe3ZW0mawA7+RDAcMLrMIZaf03NlQiX9DGyB8h4g==",
+			"cpu": [
+				"arm64"
+			],
+			"dev": true,
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"freebsd"
+			],
+			"engines": {
+				"node": ">=12"
+			}
+		},
+		"node_modules/vite-node/node_modules/@esbuild/freebsd-x64": {
+			"version": "0.21.5",
+			"resolved": "https://registry.npmjs.org/@esbuild/freebsd-x64/-/freebsd-x64-0.21.5.tgz",
+			"integrity": "sha512-J95kNBj1zkbMXtHVH29bBriQygMXqoVQOQYA+ISs0/2l3T9/kj42ow2mpqerRBxDJnmkUDCaQT/dfNXWX/ZZCQ==",
+			"cpu": [
+				"x64"
+			],
+			"dev": true,
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"freebsd"
+			],
+			"engines": {
+				"node": ">=12"
+			}
+		},
+		"node_modules/vite-node/node_modules/@esbuild/linux-arm": {
+			"version": "0.21.5",
+			"resolved": "https://registry.npmjs.org/@esbuild/linux-arm/-/linux-arm-0.21.5.tgz",
+			"integrity": "sha512-bPb5AHZtbeNGjCKVZ9UGqGwo8EUu4cLq68E95A53KlxAPRmUyYv2D6F0uUI65XisGOL1hBP5mTronbgo+0bFcA==",
+			"cpu": [
+				"arm"
+			],
+			"dev": true,
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"linux"
+			],
+			"engines": {
+				"node": ">=12"
+			}
+		},
+		"node_modules/vite-node/node_modules/@esbuild/linux-arm64": {
+			"version": "0.21.5",
+			"resolved": "https://registry.npmjs.org/@esbuild/linux-arm64/-/linux-arm64-0.21.5.tgz",
+			"integrity": "sha512-ibKvmyYzKsBeX8d8I7MH/TMfWDXBF3db4qM6sy+7re0YXya+K1cem3on9XgdT2EQGMu4hQyZhan7TeQ8XkGp4Q==",
+			"cpu": [
+				"arm64"
+			],
+			"dev": true,
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"linux"
+			],
+			"engines": {
+				"node": ">=12"
+			}
+		},
+		"node_modules/vite-node/node_modules/@esbuild/linux-ia32": {
+			"version": "0.21.5",
+			"resolved": "https://registry.npmjs.org/@esbuild/linux-ia32/-/linux-ia32-0.21.5.tgz",
+			"integrity": "sha512-YvjXDqLRqPDl2dvRODYmmhz4rPeVKYvppfGYKSNGdyZkA01046pLWyRKKI3ax8fbJoK5QbxblURkwK/MWY18Tg==",
+			"cpu": [
+				"ia32"
+			],
+			"dev": true,
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"linux"
+			],
+			"engines": {
+				"node": ">=12"
+			}
+		},
+		"node_modules/vite-node/node_modules/@esbuild/linux-loong64": {
+			"version": "0.21.5",
+			"resolved": "https://registry.npmjs.org/@esbuild/linux-loong64/-/linux-loong64-0.21.5.tgz",
+			"integrity": "sha512-uHf1BmMG8qEvzdrzAqg2SIG/02+4/DHB6a9Kbya0XDvwDEKCoC8ZRWI5JJvNdUjtciBGFQ5PuBlpEOXQj+JQSg==",
+			"cpu": [
+				"loong64"
+			],
+			"dev": true,
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"linux"
+			],
+			"engines": {
+				"node": ">=12"
+			}
+		},
+		"node_modules/vite-node/node_modules/@esbuild/linux-mips64el": {
+			"version": "0.21.5",
+			"resolved": "https://registry.npmjs.org/@esbuild/linux-mips64el/-/linux-mips64el-0.21.5.tgz",
+			"integrity": "sha512-IajOmO+KJK23bj52dFSNCMsz1QP1DqM6cwLUv3W1QwyxkyIWecfafnI555fvSGqEKwjMXVLokcV5ygHW5b3Jbg==",
+			"cpu": [
+				"mips64el"
+			],
+			"dev": true,
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"linux"
+			],
+			"engines": {
+				"node": ">=12"
+			}
+		},
+		"node_modules/vite-node/node_modules/@esbuild/linux-ppc64": {
+			"version": "0.21.5",
+			"resolved": "https://registry.npmjs.org/@esbuild/linux-ppc64/-/linux-ppc64-0.21.5.tgz",
+			"integrity": "sha512-1hHV/Z4OEfMwpLO8rp7CvlhBDnjsC3CttJXIhBi+5Aj5r+MBvy4egg7wCbe//hSsT+RvDAG7s81tAvpL2XAE4w==",
+			"cpu": [
+				"ppc64"
+			],
+			"dev": true,
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"linux"
+			],
+			"engines": {
+				"node": ">=12"
+			}
+		},
+		"node_modules/vite-node/node_modules/@esbuild/linux-riscv64": {
+			"version": "0.21.5",
+			"resolved": "https://registry.npmjs.org/@esbuild/linux-riscv64/-/linux-riscv64-0.21.5.tgz",
+			"integrity": "sha512-2HdXDMd9GMgTGrPWnJzP2ALSokE/0O5HhTUvWIbD3YdjME8JwvSCnNGBnTThKGEB91OZhzrJ4qIIxk/SBmyDDA==",
+			"cpu": [
+				"riscv64"
+			],
+			"dev": true,
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"linux"
+			],
+			"engines": {
+				"node": ">=12"
+			}
+		},
+		"node_modules/vite-node/node_modules/@esbuild/linux-s390x": {
+			"version": "0.21.5",
+			"resolved": "https://registry.npmjs.org/@esbuild/linux-s390x/-/linux-s390x-0.21.5.tgz",
+			"integrity": "sha512-zus5sxzqBJD3eXxwvjN1yQkRepANgxE9lgOW2qLnmr8ikMTphkjgXu1HR01K4FJg8h1kEEDAqDcZQtbrRnB41A==",
+			"cpu": [
+				"s390x"
+			],
+			"dev": true,
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"linux"
+			],
+			"engines": {
+				"node": ">=12"
+			}
+		},
+		"node_modules/vite-node/node_modules/@esbuild/linux-x64": {
+			"version": "0.21.5",
+			"resolved": "https://registry.npmjs.org/@esbuild/linux-x64/-/linux-x64-0.21.5.tgz",
+			"integrity": "sha512-1rYdTpyv03iycF1+BhzrzQJCdOuAOtaqHTWJZCWvijKD2N5Xu0TtVC8/+1faWqcP9iBCWOmjmhoH94dH82BxPQ==",
+			"cpu": [
+				"x64"
+			],
+			"dev": true,
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"linux"
+			],
+			"engines": {
+				"node": ">=12"
+			}
+		},
+		"node_modules/vite-node/node_modules/@esbuild/netbsd-x64": {
+			"version": "0.21.5",
+			"resolved": "https://registry.npmjs.org/@esbuild/netbsd-x64/-/netbsd-x64-0.21.5.tgz",
+			"integrity": "sha512-Woi2MXzXjMULccIwMnLciyZH4nCIMpWQAs049KEeMvOcNADVxo0UBIQPfSmxB3CWKedngg7sWZdLvLczpe0tLg==",
+			"cpu": [
+				"x64"
+			],
+			"dev": true,
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"netbsd"
+			],
+			"engines": {
+				"node": ">=12"
+			}
+		},
+		"node_modules/vite-node/node_modules/@esbuild/openbsd-x64": {
+			"version": "0.21.5",
+			"resolved": "https://registry.npmjs.org/@esbuild/openbsd-x64/-/openbsd-x64-0.21.5.tgz",
+			"integrity": "sha512-HLNNw99xsvx12lFBUwoT8EVCsSvRNDVxNpjZ7bPn947b8gJPzeHWyNVhFsaerc0n3TsbOINvRP2byTZ5LKezow==",
+			"cpu": [
+				"x64"
+			],
+			"dev": true,
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"openbsd"
+			],
+			"engines": {
+				"node": ">=12"
+			}
+		},
+		"node_modules/vite-node/node_modules/@esbuild/sunos-x64": {
+			"version": "0.21.5",
+			"resolved": "https://registry.npmjs.org/@esbuild/sunos-x64/-/sunos-x64-0.21.5.tgz",
+			"integrity": "sha512-6+gjmFpfy0BHU5Tpptkuh8+uw3mnrvgs+dSPQXQOv3ekbordwnzTVEb4qnIvQcYXq6gzkyTnoZ9dZG+D4garKg==",
+			"cpu": [
+				"x64"
+			],
+			"dev": true,
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"sunos"
+			],
+			"engines": {
+				"node": ">=12"
+			}
+		},
+		"node_modules/vite-node/node_modules/@esbuild/win32-arm64": {
+			"version": "0.21.5",
+			"resolved": "https://registry.npmjs.org/@esbuild/win32-arm64/-/win32-arm64-0.21.5.tgz",
+			"integrity": "sha512-Z0gOTd75VvXqyq7nsl93zwahcTROgqvuAcYDUr+vOv8uHhNSKROyU961kgtCD1e95IqPKSQKH7tBTslnS3tA8A==",
+			"cpu": [
+				"arm64"
+			],
+			"dev": true,
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"win32"
+			],
+			"engines": {
+				"node": ">=12"
+			}
+		},
+		"node_modules/vite-node/node_modules/@esbuild/win32-ia32": {
+			"version": "0.21.5",
+			"resolved": "https://registry.npmjs.org/@esbuild/win32-ia32/-/win32-ia32-0.21.5.tgz",
+			"integrity": "sha512-SWXFF1CL2RVNMaVs+BBClwtfZSvDgtL//G/smwAc5oVK/UPu2Gu9tIaRgFmYFFKrmg3SyAjSrElf0TiJ1v8fYA==",
+			"cpu": [
+				"ia32"
+			],
+			"dev": true,
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"win32"
+			],
+			"engines": {
+				"node": ">=12"
+			}
+		},
+		"node_modules/vite-node/node_modules/@esbuild/win32-x64": {
+			"version": "0.21.5",
+			"resolved": "https://registry.npmjs.org/@esbuild/win32-x64/-/win32-x64-0.21.5.tgz",
+			"integrity": "sha512-tQd/1efJuzPC6rCFwEvLtci/xNFcTZknmXs98FYDfGE4wP9ClFV98nyKrzJKVPMhdDnjzLhdUyMX4PsQAPjwIw==",
+			"cpu": [
+				"x64"
+			],
+			"dev": true,
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"win32"
+			],
+			"engines": {
+				"node": ">=12"
+			}
+		},
+		"node_modules/vite-node/node_modules/esbuild": {
+			"version": "0.21.5",
+			"resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.21.5.tgz",
+			"integrity": "sha512-mg3OPMV4hXywwpoDxu3Qda5xCKQi+vCTZq8S9J/EpkhB2HzKXq4SNFZE3+NK93JYxc8VMSep+lOUSC/RVKaBqw==",
+			"dev": true,
+			"hasInstallScript": true,
+			"license": "MIT",
+			"bin": {
+				"esbuild": "bin/esbuild"
+			},
+			"engines": {
+				"node": ">=12"
+			},
+			"optionalDependencies": {
+				"@esbuild/aix-ppc64": "0.21.5",
+				"@esbuild/android-arm": "0.21.5",
+				"@esbuild/android-arm64": "0.21.5",
+				"@esbuild/android-x64": "0.21.5",
+				"@esbuild/darwin-arm64": "0.21.5",
+				"@esbuild/darwin-x64": "0.21.5",
+				"@esbuild/freebsd-arm64": "0.21.5",
+				"@esbuild/freebsd-x64": "0.21.5",
+				"@esbuild/linux-arm": "0.21.5",
+				"@esbuild/linux-arm64": "0.21.5",
+				"@esbuild/linux-ia32": "0.21.5",
+				"@esbuild/linux-loong64": "0.21.5",
+				"@esbuild/linux-mips64el": "0.21.5",
+				"@esbuild/linux-ppc64": "0.21.5",
+				"@esbuild/linux-riscv64": "0.21.5",
+				"@esbuild/linux-s390x": "0.21.5",
+				"@esbuild/linux-x64": "0.21.5",
+				"@esbuild/netbsd-x64": "0.21.5",
+				"@esbuild/openbsd-x64": "0.21.5",
+				"@esbuild/sunos-x64": "0.21.5",
+				"@esbuild/win32-arm64": "0.21.5",
+				"@esbuild/win32-ia32": "0.21.5",
+				"@esbuild/win32-x64": "0.21.5"
+			}
+		},
+		"node_modules/vite-node/node_modules/vite": {
+			"version": "5.4.21",
+			"resolved": "https://registry.npmjs.org/vite/-/vite-5.4.21.tgz",
+			"integrity": "sha512-o5a9xKjbtuhY6Bi5S3+HvbRERmouabWbyUcpXXUA1u+GNUKoROi9byOJ8M0nHbHYHkYICiMlqxkg1KkYmm25Sw==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"esbuild": "^0.21.3",
+				"postcss": "^8.4.43",
+				"rollup": "^4.20.0"
+			},
+			"bin": {
+				"vite": "bin/vite.js"
+			},
+			"engines": {
+				"node": "^18.0.0 || >=20.0.0"
+			},
+			"funding": {
+				"url": "https://github.com/vitejs/vite?sponsor=1"
+			},
+			"optionalDependencies": {
+				"fsevents": "~2.3.3"
+			},
+			"peerDependencies": {
+				"@types/node": "^18.0.0 || >=20.0.0",
+				"less": "*",
+				"lightningcss": "^1.21.0",
+				"sass": "*",
+				"sass-embedded": "*",
+				"stylus": "*",
+				"sugarss": "*",
+				"terser": "^5.4.0"
+			},
+			"peerDependenciesMeta": {
+				"@types/node": {
+					"optional": true
+				},
+				"less": {
+					"optional": true
+				},
+				"lightningcss": {
+					"optional": true
+				},
+				"sass": {
+					"optional": true
+				},
+				"sass-embedded": {
+					"optional": true
+				},
+				"stylus": {
+					"optional": true
+				},
+				"sugarss": {
+					"optional": true
+				},
+				"terser": {
+					"optional": true
+				}
+			}
+		},
+		"node_modules/vitest": {
+			"version": "2.1.9",
+			"resolved": "https://registry.npmjs.org/vitest/-/vitest-2.1.9.tgz",
+			"integrity": "sha512-MSmPM9REYqDGBI8439mA4mWhV5sKmDlBKWIYbA3lRb2PTHACE0mgKwA8yQ2xq9vxDTuk4iPrECBAEW2aoFXY0Q==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"@vitest/expect": "2.1.9",
+				"@vitest/mocker": "2.1.9",
+				"@vitest/pretty-format": "^2.1.9",
+				"@vitest/runner": "2.1.9",
+				"@vitest/snapshot": "2.1.9",
+				"@vitest/spy": "2.1.9",
+				"@vitest/utils": "2.1.9",
+				"chai": "^5.1.2",
+				"debug": "^4.3.7",
+				"expect-type": "^1.1.0",
+				"magic-string": "^0.30.12",
+				"pathe": "^1.1.2",
+				"std-env": "^3.8.0",
+				"tinybench": "^2.9.0",
+				"tinyexec": "^0.3.1",
+				"tinypool": "^1.0.1",
+				"tinyrainbow": "^1.2.0",
+				"vite": "^5.0.0",
+				"vite-node": "2.1.9",
+				"why-is-node-running": "^2.3.0"
+			},
+			"bin": {
+				"vitest": "vitest.mjs"
+			},
+			"engines": {
+				"node": "^18.0.0 || >=20.0.0"
+			},
+			"funding": {
+				"url": "https://opencollective.com/vitest"
+			},
+			"peerDependencies": {
+				"@edge-runtime/vm": "*",
+				"@types/node": "^18.0.0 || >=20.0.0",
+				"@vitest/browser": "2.1.9",
+				"@vitest/ui": "2.1.9",
+				"happy-dom": "*",
+				"jsdom": "*"
+			},
+			"peerDependenciesMeta": {
+				"@edge-runtime/vm": {
+					"optional": true
+				},
+				"@types/node": {
+					"optional": true
+				},
+				"@vitest/browser": {
+					"optional": true
+				},
+				"@vitest/ui": {
+					"optional": true
+				},
+				"happy-dom": {
+					"optional": true
+				},
+				"jsdom": {
+					"optional": true
+				}
+			}
+		},
+		"node_modules/vitest/node_modules/@esbuild/aix-ppc64": {
+			"version": "0.21.5",
+			"resolved": "https://registry.npmjs.org/@esbuild/aix-ppc64/-/aix-ppc64-0.21.5.tgz",
+			"integrity": "sha512-1SDgH6ZSPTlggy1yI6+Dbkiz8xzpHJEVAlF/AM1tHPLsf5STom9rwtjE4hKAF20FfXXNTFqEYXyJNWh1GiZedQ==",
+			"cpu": [
+				"ppc64"
+			],
+			"dev": true,
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"aix"
+			],
+			"engines": {
+				"node": ">=12"
+			}
+		},
+		"node_modules/vitest/node_modules/@esbuild/android-arm": {
+			"version": "0.21.5",
+			"resolved": "https://registry.npmjs.org/@esbuild/android-arm/-/android-arm-0.21.5.tgz",
+			"integrity": "sha512-vCPvzSjpPHEi1siZdlvAlsPxXl7WbOVUBBAowWug4rJHb68Ox8KualB+1ocNvT5fjv6wpkX6o/iEpbDrf68zcg==",
+			"cpu": [
+				"arm"
+			],
+			"dev": true,
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"android"
+			],
+			"engines": {
+				"node": ">=12"
+			}
+		},
+		"node_modules/vitest/node_modules/@esbuild/android-arm64": {
+			"version": "0.21.5",
+			"resolved": "https://registry.npmjs.org/@esbuild/android-arm64/-/android-arm64-0.21.5.tgz",
+			"integrity": "sha512-c0uX9VAUBQ7dTDCjq+wdyGLowMdtR/GoC2U5IYk/7D1H1JYC0qseD7+11iMP2mRLN9RcCMRcjC4YMclCzGwS/A==",
+			"cpu": [
+				"arm64"
+			],
+			"dev": true,
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"android"
+			],
+			"engines": {
+				"node": ">=12"
+			}
+		},
+		"node_modules/vitest/node_modules/@esbuild/android-x64": {
+			"version": "0.21.5",
+			"resolved": "https://registry.npmjs.org/@esbuild/android-x64/-/android-x64-0.21.5.tgz",
+			"integrity": "sha512-D7aPRUUNHRBwHxzxRvp856rjUHRFW1SdQATKXH2hqA0kAZb1hKmi02OpYRacl0TxIGz/ZmXWlbZgjwWYaCakTA==",
+			"cpu": [
+				"x64"
+			],
+			"dev": true,
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"android"
+			],
+			"engines": {
+				"node": ">=12"
+			}
+		},
+		"node_modules/vitest/node_modules/@esbuild/darwin-arm64": {
+			"version": "0.21.5",
+			"resolved": "https://registry.npmjs.org/@esbuild/darwin-arm64/-/darwin-arm64-0.21.5.tgz",
+			"integrity": "sha512-DwqXqZyuk5AiWWf3UfLiRDJ5EDd49zg6O9wclZ7kUMv2WRFr4HKjXp/5t8JZ11QbQfUS6/cRCKGwYhtNAY88kQ==",
+			"cpu": [
+				"arm64"
+			],
+			"dev": true,
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"darwin"
+			],
+			"engines": {
+				"node": ">=12"
+			}
+		},
+		"node_modules/vitest/node_modules/@esbuild/darwin-x64": {
+			"version": "0.21.5",
+			"resolved": "https://registry.npmjs.org/@esbuild/darwin-x64/-/darwin-x64-0.21.5.tgz",
+			"integrity": "sha512-se/JjF8NlmKVG4kNIuyWMV/22ZaerB+qaSi5MdrXtd6R08kvs2qCN4C09miupktDitvh8jRFflwGFBQcxZRjbw==",
+			"cpu": [
+				"x64"
+			],
+			"dev": true,
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"darwin"
+			],
+			"engines": {
+				"node": ">=12"
+			}
+		},
+		"node_modules/vitest/node_modules/@esbuild/freebsd-arm64": {
+			"version": "0.21.5",
+			"resolved": "https://registry.npmjs.org/@esbuild/freebsd-arm64/-/freebsd-arm64-0.21.5.tgz",
+			"integrity": "sha512-5JcRxxRDUJLX8JXp/wcBCy3pENnCgBR9bN6JsY4OmhfUtIHe3ZW0mawA7+RDAcMLrMIZaf03NlQiX9DGyB8h4g==",
+			"cpu": [
+				"arm64"
+			],
+			"dev": true,
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"freebsd"
+			],
+			"engines": {
+				"node": ">=12"
+			}
+		},
+		"node_modules/vitest/node_modules/@esbuild/freebsd-x64": {
+			"version": "0.21.5",
+			"resolved": "https://registry.npmjs.org/@esbuild/freebsd-x64/-/freebsd-x64-0.21.5.tgz",
+			"integrity": "sha512-J95kNBj1zkbMXtHVH29bBriQygMXqoVQOQYA+ISs0/2l3T9/kj42ow2mpqerRBxDJnmkUDCaQT/dfNXWX/ZZCQ==",
+			"cpu": [
+				"x64"
+			],
+			"dev": true,
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"freebsd"
+			],
+			"engines": {
+				"node": ">=12"
+			}
+		},
+		"node_modules/vitest/node_modules/@esbuild/linux-arm": {
+			"version": "0.21.5",
+			"resolved": "https://registry.npmjs.org/@esbuild/linux-arm/-/linux-arm-0.21.5.tgz",
+			"integrity": "sha512-bPb5AHZtbeNGjCKVZ9UGqGwo8EUu4cLq68E95A53KlxAPRmUyYv2D6F0uUI65XisGOL1hBP5mTronbgo+0bFcA==",
+			"cpu": [
+				"arm"
+			],
+			"dev": true,
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"linux"
+			],
+			"engines": {
+				"node": ">=12"
+			}
+		},
+		"node_modules/vitest/node_modules/@esbuild/linux-arm64": {
+			"version": "0.21.5",
+			"resolved": "https://registry.npmjs.org/@esbuild/linux-arm64/-/linux-arm64-0.21.5.tgz",
+			"integrity": "sha512-ibKvmyYzKsBeX8d8I7MH/TMfWDXBF3db4qM6sy+7re0YXya+K1cem3on9XgdT2EQGMu4hQyZhan7TeQ8XkGp4Q==",
+			"cpu": [
+				"arm64"
+			],
+			"dev": true,
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"linux"
+			],
+			"engines": {
+				"node": ">=12"
+			}
+		},
+		"node_modules/vitest/node_modules/@esbuild/linux-ia32": {
+			"version": "0.21.5",
+			"resolved": "https://registry.npmjs.org/@esbuild/linux-ia32/-/linux-ia32-0.21.5.tgz",
+			"integrity": "sha512-YvjXDqLRqPDl2dvRODYmmhz4rPeVKYvppfGYKSNGdyZkA01046pLWyRKKI3ax8fbJoK5QbxblURkwK/MWY18Tg==",
+			"cpu": [
+				"ia32"
+			],
+			"dev": true,
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"linux"
+			],
+			"engines": {
+				"node": ">=12"
+			}
+		},
+		"node_modules/vitest/node_modules/@esbuild/linux-loong64": {
+			"version": "0.21.5",
+			"resolved": "https://registry.npmjs.org/@esbuild/linux-loong64/-/linux-loong64-0.21.5.tgz",
+			"integrity": "sha512-uHf1BmMG8qEvzdrzAqg2SIG/02+4/DHB6a9Kbya0XDvwDEKCoC8ZRWI5JJvNdUjtciBGFQ5PuBlpEOXQj+JQSg==",
+			"cpu": [
+				"loong64"
+			],
+			"dev": true,
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"linux"
+			],
+			"engines": {
+				"node": ">=12"
+			}
+		},
+		"node_modules/vitest/node_modules/@esbuild/linux-mips64el": {
+			"version": "0.21.5",
+			"resolved": "https://registry.npmjs.org/@esbuild/linux-mips64el/-/linux-mips64el-0.21.5.tgz",
+			"integrity": "sha512-IajOmO+KJK23bj52dFSNCMsz1QP1DqM6cwLUv3W1QwyxkyIWecfafnI555fvSGqEKwjMXVLokcV5ygHW5b3Jbg==",
+			"cpu": [
+				"mips64el"
+			],
+			"dev": true,
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"linux"
+			],
+			"engines": {
+				"node": ">=12"
+			}
+		},
+		"node_modules/vitest/node_modules/@esbuild/linux-ppc64": {
+			"version": "0.21.5",
+			"resolved": "https://registry.npmjs.org/@esbuild/linux-ppc64/-/linux-ppc64-0.21.5.tgz",
+			"integrity": "sha512-1hHV/Z4OEfMwpLO8rp7CvlhBDnjsC3CttJXIhBi+5Aj5r+MBvy4egg7wCbe//hSsT+RvDAG7s81tAvpL2XAE4w==",
+			"cpu": [
+				"ppc64"
+			],
+			"dev": true,
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"linux"
+			],
+			"engines": {
+				"node": ">=12"
+			}
+		},
+		"node_modules/vitest/node_modules/@esbuild/linux-riscv64": {
+			"version": "0.21.5",
+			"resolved": "https://registry.npmjs.org/@esbuild/linux-riscv64/-/linux-riscv64-0.21.5.tgz",
+			"integrity": "sha512-2HdXDMd9GMgTGrPWnJzP2ALSokE/0O5HhTUvWIbD3YdjME8JwvSCnNGBnTThKGEB91OZhzrJ4qIIxk/SBmyDDA==",
+			"cpu": [
+				"riscv64"
+			],
+			"dev": true,
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"linux"
+			],
+			"engines": {
+				"node": ">=12"
+			}
+		},
+		"node_modules/vitest/node_modules/@esbuild/linux-s390x": {
+			"version": "0.21.5",
+			"resolved": "https://registry.npmjs.org/@esbuild/linux-s390x/-/linux-s390x-0.21.5.tgz",
+			"integrity": "sha512-zus5sxzqBJD3eXxwvjN1yQkRepANgxE9lgOW2qLnmr8ikMTphkjgXu1HR01K4FJg8h1kEEDAqDcZQtbrRnB41A==",
+			"cpu": [
+				"s390x"
+			],
+			"dev": true,
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"linux"
+			],
+			"engines": {
+				"node": ">=12"
+			}
+		},
+		"node_modules/vitest/node_modules/@esbuild/linux-x64": {
+			"version": "0.21.5",
+			"resolved": "https://registry.npmjs.org/@esbuild/linux-x64/-/linux-x64-0.21.5.tgz",
+			"integrity": "sha512-1rYdTpyv03iycF1+BhzrzQJCdOuAOtaqHTWJZCWvijKD2N5Xu0TtVC8/+1faWqcP9iBCWOmjmhoH94dH82BxPQ==",
+			"cpu": [
+				"x64"
+			],
+			"dev": true,
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"linux"
+			],
+			"engines": {
+				"node": ">=12"
+			}
+		},
+		"node_modules/vitest/node_modules/@esbuild/netbsd-x64": {
+			"version": "0.21.5",
+			"resolved": "https://registry.npmjs.org/@esbuild/netbsd-x64/-/netbsd-x64-0.21.5.tgz",
+			"integrity": "sha512-Woi2MXzXjMULccIwMnLciyZH4nCIMpWQAs049KEeMvOcNADVxo0UBIQPfSmxB3CWKedngg7sWZdLvLczpe0tLg==",
+			"cpu": [
+				"x64"
+			],
+			"dev": true,
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"netbsd"
+			],
+			"engines": {
+				"node": ">=12"
+			}
+		},
+		"node_modules/vitest/node_modules/@esbuild/openbsd-x64": {
+			"version": "0.21.5",
+			"resolved": "https://registry.npmjs.org/@esbuild/openbsd-x64/-/openbsd-x64-0.21.5.tgz",
+			"integrity": "sha512-HLNNw99xsvx12lFBUwoT8EVCsSvRNDVxNpjZ7bPn947b8gJPzeHWyNVhFsaerc0n3TsbOINvRP2byTZ5LKezow==",
+			"cpu": [
+				"x64"
+			],
+			"dev": true,
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"openbsd"
+			],
+			"engines": {
+				"node": ">=12"
+			}
+		},
+		"node_modules/vitest/node_modules/@esbuild/sunos-x64": {
+			"version": "0.21.5",
+			"resolved": "https://registry.npmjs.org/@esbuild/sunos-x64/-/sunos-x64-0.21.5.tgz",
+			"integrity": "sha512-6+gjmFpfy0BHU5Tpptkuh8+uw3mnrvgs+dSPQXQOv3ekbordwnzTVEb4qnIvQcYXq6gzkyTnoZ9dZG+D4garKg==",
+			"cpu": [
+				"x64"
+			],
+			"dev": true,
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"sunos"
+			],
+			"engines": {
+				"node": ">=12"
+			}
+		},
+		"node_modules/vitest/node_modules/@esbuild/win32-arm64": {
+			"version": "0.21.5",
+			"resolved": "https://registry.npmjs.org/@esbuild/win32-arm64/-/win32-arm64-0.21.5.tgz",
+			"integrity": "sha512-Z0gOTd75VvXqyq7nsl93zwahcTROgqvuAcYDUr+vOv8uHhNSKROyU961kgtCD1e95IqPKSQKH7tBTslnS3tA8A==",
+			"cpu": [
+				"arm64"
+			],
+			"dev": true,
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"win32"
+			],
+			"engines": {
+				"node": ">=12"
+			}
+		},
+		"node_modules/vitest/node_modules/@esbuild/win32-ia32": {
+			"version": "0.21.5",
+			"resolved": "https://registry.npmjs.org/@esbuild/win32-ia32/-/win32-ia32-0.21.5.tgz",
+			"integrity": "sha512-SWXFF1CL2RVNMaVs+BBClwtfZSvDgtL//G/smwAc5oVK/UPu2Gu9tIaRgFmYFFKrmg3SyAjSrElf0TiJ1v8fYA==",
+			"cpu": [
+				"ia32"
+			],
+			"dev": true,
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"win32"
+			],
+			"engines": {
+				"node": ">=12"
+			}
+		},
+		"node_modules/vitest/node_modules/@esbuild/win32-x64": {
+			"version": "0.21.5",
+			"resolved": "https://registry.npmjs.org/@esbuild/win32-x64/-/win32-x64-0.21.5.tgz",
+			"integrity": "sha512-tQd/1efJuzPC6rCFwEvLtci/xNFcTZknmXs98FYDfGE4wP9ClFV98nyKrzJKVPMhdDnjzLhdUyMX4PsQAPjwIw==",
+			"cpu": [
+				"x64"
+			],
+			"dev": true,
+			"license": "MIT",
+			"optional": true,
+			"os": [
+				"win32"
+			],
+			"engines": {
+				"node": ">=12"
+			}
+		},
+		"node_modules/vitest/node_modules/@vitest/mocker": {
+			"version": "2.1.9",
+			"resolved": "https://registry.npmjs.org/@vitest/mocker/-/mocker-2.1.9.tgz",
+			"integrity": "sha512-tVL6uJgoUdi6icpxmdrn5YNo3g3Dxv+IHJBr0GXHaEdTcw3F+cPKnsXFhli6nO+f/6SDKPHEK1UN+k+TQv0Ehg==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"@vitest/spy": "2.1.9",
+				"estree-walker": "^3.0.3",
+				"magic-string": "^0.30.12"
+			},
+			"funding": {
+				"url": "https://opencollective.com/vitest"
+			},
+			"peerDependencies": {
+				"msw": "^2.4.9",
+				"vite": "^5.0.0"
+			},
+			"peerDependenciesMeta": {
+				"msw": {
+					"optional": true
+				},
+				"vite": {
+					"optional": true
+				}
+			}
+		},
+		"node_modules/vitest/node_modules/esbuild": {
+			"version": "0.21.5",
+			"resolved": "https://registry.npmjs.org/esbuild/-/esbuild-0.21.5.tgz",
+			"integrity": "sha512-mg3OPMV4hXywwpoDxu3Qda5xCKQi+vCTZq8S9J/EpkhB2HzKXq4SNFZE3+NK93JYxc8VMSep+lOUSC/RVKaBqw==",
+			"dev": true,
+			"hasInstallScript": true,
+			"license": "MIT",
+			"bin": {
+				"esbuild": "bin/esbuild"
+			},
+			"engines": {
+				"node": ">=12"
+			},
+			"optionalDependencies": {
+				"@esbuild/aix-ppc64": "0.21.5",
+				"@esbuild/android-arm": "0.21.5",
+				"@esbuild/android-arm64": "0.21.5",
+				"@esbuild/android-x64": "0.21.5",
+				"@esbuild/darwin-arm64": "0.21.5",
+				"@esbuild/darwin-x64": "0.21.5",
+				"@esbuild/freebsd-arm64": "0.21.5",
+				"@esbuild/freebsd-x64": "0.21.5",
+				"@esbuild/linux-arm": "0.21.5",
+				"@esbuild/linux-arm64": "0.21.5",
+				"@esbuild/linux-ia32": "0.21.5",
+				"@esbuild/linux-loong64": "0.21.5",
+				"@esbuild/linux-mips64el": "0.21.5",
+				"@esbuild/linux-ppc64": "0.21.5",
+				"@esbuild/linux-riscv64": "0.21.5",
+				"@esbuild/linux-s390x": "0.21.5",
+				"@esbuild/linux-x64": "0.21.5",
+				"@esbuild/netbsd-x64": "0.21.5",
+				"@esbuild/openbsd-x64": "0.21.5",
+				"@esbuild/sunos-x64": "0.21.5",
+				"@esbuild/win32-arm64": "0.21.5",
+				"@esbuild/win32-ia32": "0.21.5",
+				"@esbuild/win32-x64": "0.21.5"
+			}
+		},
+		"node_modules/vitest/node_modules/vite": {
+			"version": "5.4.21",
+			"resolved": "https://registry.npmjs.org/vite/-/vite-5.4.21.tgz",
+			"integrity": "sha512-o5a9xKjbtuhY6Bi5S3+HvbRERmouabWbyUcpXXUA1u+GNUKoROi9byOJ8M0nHbHYHkYICiMlqxkg1KkYmm25Sw==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"esbuild": "^0.21.3",
+				"postcss": "^8.4.43",
+				"rollup": "^4.20.0"
+			},
+			"bin": {
+				"vite": "bin/vite.js"
+			},
+			"engines": {
+				"node": "^18.0.0 || >=20.0.0"
+			},
+			"funding": {
+				"url": "https://github.com/vitejs/vite?sponsor=1"
+			},
+			"optionalDependencies": {
+				"fsevents": "~2.3.3"
+			},
+			"peerDependencies": {
+				"@types/node": "^18.0.0 || >=20.0.0",
+				"less": "*",
+				"lightningcss": "^1.21.0",
+				"sass": "*",
+				"sass-embedded": "*",
+				"stylus": "*",
+				"sugarss": "*",
+				"terser": "^5.4.0"
+			},
+			"peerDependenciesMeta": {
+				"@types/node": {
+					"optional": true
+				},
+				"less": {
+					"optional": true
+				},
+				"lightningcss": {
+					"optional": true
+				},
+				"sass": {
+					"optional": true
+				},
+				"sass-embedded": {
+					"optional": true
+				},
+				"stylus": {
+					"optional": true
+				},
+				"sugarss": {
+					"optional": true
+				},
+				"terser": {
+					"optional": true
+				}
+			}
+		},
+		"node_modules/why-is-node-running": {
+			"version": "2.3.0",
+			"resolved": "https://registry.npmjs.org/why-is-node-running/-/why-is-node-running-2.3.0.tgz",
+			"integrity": "sha512-hUrmaWBdVDcxvYqnyh09zunKzROWjbZTiNy8dBEjkS7ehEDQibXJ7XvlmtbwuTclUiIyN+CyXQD4Vmko8fNm8w==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"siginfo": "^2.0.0",
+				"stackback": "0.0.2"
+			},
+			"bin": {
+				"why-is-node-running": "cli.js"
+			},
+			"engines": {
+				"node": ">=8"
+			}
+		},
 		"node_modules/wonka": {
 			"version": "6.3.6",
 			"resolved": "https://registry.npmjs.org/wonka/-/wonka-6.3.6.tgz",
diff --git a/web/dashboard/package.json b/web/dashboard/package.json
index bb493606..c7b0972e 100644
--- a/web/dashboard/package.json
+++ b/web/dashboard/package.json
@@ -7,6 +7,8 @@
 		"dev": "vite build --watch",
 		"build": "vite build",
 		"preview": "vite preview",
+		"test": "vitest run",
+		"test:watch": "vitest",
 		"format": "prettier --write --use-tabs 'src/**/*.(ts|tsx|js|jsx)'"
 	},
 	"keywords": [],
@@ -47,7 +49,8 @@
 		"prettier": "^3.3.3",
 		"tailwindcss": "^4.1.4",
 		"typescript": "^5.6.3",
-		"vite": "^7.3.0"
+		"vite": "^7.3.0",
+		"vitest": "^2.1.9"
 	},
 	"overrides": {
 		"postcss": "^8.5.10"
diff --git a/web/dashboard/src/graphql/queries/index.ts b/web/dashboard/src/graphql/queries/index.ts
index 0784c212..3f43411b 100644
--- a/web/dashboard/src/graphql/queries/index.ts
+++ b/web/dashboard/src/graphql/queries/index.ts
@@ -164,13 +164,3 @@ export const FgaCheckQuery = `
     }
   }
 `;
-
-// AdminRolesQuery fetches the instance's configured roles (admin-only _env) so
-// the authorization-model builder can offer a template using the real roles.
-export const AdminRolesQuery = `
-  query adminRoles {
-    _env {
-      ROLES
-    }
-  }
-`;
diff --git a/web/dashboard/src/pages/authorization/Model.tsx b/web/dashboard/src/pages/authorization/Model.tsx
index 24eafc17..85edf6b3 100644
--- a/web/dashboard/src/pages/authorization/Model.tsx
+++ b/web/dashboard/src/pages/authorization/Model.tsx
@@ -2,8 +2,15 @@ import React, { useCallback, useEffect, useState } from 'react';
 import { Link } from 'react-router-dom';
 import { useClient } from 'urql';
 import { toast } from 'sonner';
-import { AlertCircle, Save, Info, RotateCcw, AlertTriangle } from 'lucide-react';
-import { FgaGetModelQuery, AdminRolesQuery, FgaReadTuplesQuery } from '../../graphql/queries';
+import {
+	AlertCircle,
+	Save,
+	Info,
+	RotateCcw,
+	AlertTriangle,
+	LayoutTemplate,
+} from 'lucide-react';
+import { FgaGetModelQuery, FgaReadTuplesQuery } from '../../graphql/queries';
 import { FgaWriteModel, FgaReset } from '../../graphql/mutation';
 import { Button } from '../../components/ui/button';
 import { Textarea } from '../../components/ui/textarea';
@@ -22,14 +29,14 @@ import { Input } from '../../components/ui/input';
 import FgaNotEnabled from '../../components/FgaNotEnabled';
 import AuthSteps, { Example, NextStep } from './AuthSteps';
 import DocsLinks from './DocsLinks';
-import { generateDsl, parseDsl, summarize, rolesTemplate, MODEL_EXAMPLES } from './modelDsl';
+import RbacBuilder from './RbacBuilder';
+import { parseDsl, summarize, MODEL_EXAMPLES } from './modelDsl';
 import { isFgaNotEnabledError } from '../../lib/utils';
 import type {
 	FgaGetModelResponse,
 	FgaWriteModelResponse,
 	FgaReadTuplesResponse,
 	FgaResetResponse,
-	AdminRolesResponse,
 } from '../../types';
 
 const PLACEHOLDER = `model
@@ -51,13 +58,18 @@ const Model = () => {
 	const [dsl, setDsl] = useState('');
 	const [modelId, setModelId] = useState('');
 	const [validationError, setValidationError] = useState('');
-	const [roles, setRoles] = useState<string[]>([]);
+	// Step 1 has two ways in: a friendly roles × permissions matrix ("simple",
+	// the default for newcomers) and the raw OpenFGA DSL ("advanced"). An admin
+	// who already has a saved model lands in advanced so they see their model.
+	const [mode, setMode] = useState<'simple' | 'advanced'>('simple');
 	// Reset is destructive and guarded: it is only allowed when no relationship
 	// tuples exist (the backend enforces this too). tuplesExist gates the action.
 	const [tuplesExist, setTuplesExist] = useState(false);
 	const [resetOpen, setResetOpen] = useState(false);
 	const [resetting, setResetting] = useState(false);
 	const [confirmText, setConfirmText] = useState('');
+	// The example catalog lives in a modal so the editor stays the focus.
+	const [exampleOpen, setExampleOpen] = useState(false);
 
 	const checkTuples = useCallback(async () => {
 		try {
@@ -78,17 +90,27 @@ const Model = () => {
 		setLoading(true);
 		try {
 			const res = await client
-				.query<FgaGetModelResponse>(FgaGetModelQuery, {}, { requestPolicy: 'network-only' })
+				.query<FgaGetModelResponse>(
+					FgaGetModelQuery,
+					{},
+					{ requestPolicy: 'network-only' },
+				)
 				.toPromise();
 			if (res.error) {
 				if (isFgaNotEnabledError(res.error)) setFgaDisabled(true);
-				else toast.error('Failed to load authorization model');
+				else if (/no authorization model/i.test(res.error.message)) {
+					// A store with no model yet is the normal starting state, not an
+					// error — leave the builder visible. (Newer servers already
+					// return an empty model; this guards older ones.)
+				} else toast.error('Failed to load authorization model');
 				return;
 			}
 			const current = res.data?._fga_get_model;
 			if (current?.dsl) {
 				setDsl(current.dsl);
 				setModelId(current.id || '');
+				// Show an existing model in the editor rather than the builder.
+				setMode('advanced');
 			}
 		} catch {
 			toast.error('Failed to load authorization model');
@@ -102,18 +124,6 @@ const Model = () => {
 		checkTuples();
 	}, [fetchModel, checkTuples]);
 
-	// Configured roles → a "your roles" example.
-	useEffect(() => {
-		client
-			.query<AdminRolesResponse>(AdminRolesQuery, {})
-			.toPromise()
-			.then((res) => {
-				const r = res.data?._env?.ROLES;
-				if (Array.isArray(r)) setRoles(r.filter(Boolean));
-			})
-			.catch(() => {});
-	}, [client]);
-
 	const applyExample = (name: string, exampleDsl: string) => {
 		if (
 			dsl.trim() &&
@@ -130,15 +140,20 @@ const Model = () => {
 	};
 
 	const handleSave = async () => {
-		if (!dsl.trim()) {
-			setValidationError('The model cannot be empty. Pick an example to start.');
+		const toSave = dsl.trim();
+		if (!toSave) {
+			setValidationError(
+				'The model cannot be empty. Pick an example to start.',
+			);
 			return;
 		}
 		setValidationError('');
 		setSaving(true);
 		try {
 			const res = await client
-				.mutation<FgaWriteModelResponse>(FgaWriteModel, { params: { dsl } })
+				.mutation<FgaWriteModelResponse>(FgaWriteModel, {
+					params: { dsl: toSave },
+				})
 				.toPromise();
 			if (res.error) {
 				if (isFgaNotEnabledError(res.error)) setFgaDisabled(true);
@@ -163,7 +178,9 @@ const Model = () => {
 	const handleReset = async () => {
 		setResetting(true);
 		try {
-			const res = await client.mutation<FgaResetResponse>(FgaReset, {}).toPromise();
+			const res = await client
+				.mutation<FgaResetResponse>(FgaReset, {})
+				.toPromise();
 			if (res.error) {
 				toast.error(res.error.message.replace('[GraphQL] ', ''));
 				return;
@@ -183,22 +200,11 @@ const Model = () => {
 		}
 	};
 
-	const roleModel = rolesTemplate(roles);
-	const examples = [
-		...(roleModel
-			? [
-					{
-						name: 'Your roles',
-						description: `Your configured roles (${roles.join(', ')}) as a starting point.`,
-						dsl: generateDsl(roleModel).trimEnd(),
-					},
-			  ]
-			: []),
-		...MODEL_EXAMPLES,
-	];
+	const examples = MODEL_EXAMPLES;
 
 	const parsed = parseDsl(dsl);
-	const summary = parsed.supported && parsed.model ? summarize(parsed.model) : [];
+	const summary =
+		parsed.supported && parsed.model ? summarize(parsed.model) : [];
 
 	return (
 		<div className="m-5 rounded-md bg-white py-5 px-10">
@@ -206,15 +212,17 @@ const Model = () => {
 
 			<div className="my-4 flex items-start justify-between gap-4">
 				<div>
-					<h1 className="text-2xl font-semibold text-gray-900">Step 1 · Define the model</h1>
+					<h1 className="text-2xl font-semibold text-gray-900">
+						Step 1 · Define the model
+					</h1>
 					<p className="mt-1 max-w-2xl text-sm text-gray-500">
 						The model is your permission <strong>rulebook</strong>: the object{' '}
 						<strong>types</strong> you protect (document, folder…), their{' '}
-						<strong>relations</strong> (owner, editor, viewer…), and how permissions are
-						computed. You write it once.
+						<strong>relations</strong> (owner, editor, viewer…), and how
+						permissions are computed. You write it once.
 					</p>
 				</div>
-				{!fgaDisabled && !loading && (
+				{!fgaDisabled && !loading && mode === 'advanced' && (
 					<Button onClick={handleSave} disabled={saving}>
 						<Save className="mr-2 h-4 w-4" />
 						{saving ? 'Saving…' : 'Save model'}
@@ -231,88 +239,169 @@ const Model = () => {
 				<FgaNotEnabled />
 			) : (
 				<div className="space-y-5">
-					<Example>
-						<strong>Example:</strong> a{' '}
-						<code className="rounded bg-white px-1 py-0.5 text-xs">document</code> has{' '}
-						<code className="rounded bg-white px-1 py-0.5 text-xs">viewer</code> and{' '}
-						<code className="rounded bg-white px-1 py-0.5 text-xs">editor</code> relations, and{' '}
-						<code className="rounded bg-white px-1 py-0.5 text-xs">can_view = viewer or editor</code>.
-						Start from an example below and edit it.
-					</Example>
+					{/* Two ways into Step 1: a friendly matrix or the raw DSL. A
+					    two-state segmented control — aria-pressed, not tab roles,
+					    since the panels below are plain content, not tabpanels. */}
+					<div
+						role="group"
+						aria-label="Model editor mode"
+						className="inline-flex rounded-lg border border-gray-200 bg-gray-50 p-1"
+					>
+						<button
+							type="button"
+							aria-pressed={mode === 'simple'}
+							onClick={() => setMode('simple')}
+							className={`rounded-md px-3 py-1.5 text-sm font-medium transition-colors ${
+								mode === 'simple'
+									? 'bg-white text-gray-900 shadow-sm'
+									: 'text-gray-500 hover:text-gray-700'
+							}`}
+						>
+							Roles &amp; permissions
+						</button>
+						<button
+							type="button"
+							aria-pressed={mode === 'advanced'}
+							onClick={() => setMode('advanced')}
+							className={`rounded-md px-3 py-1.5 text-sm font-medium transition-colors ${
+								mode === 'advanced'
+									? 'bg-white text-gray-900 shadow-sm'
+									: 'text-gray-500 hover:text-gray-700'
+							}`}
+						>
+							Advanced (DSL)
+						</button>
+					</div>
+
+					{mode === 'simple' ? (
+						<>
+							<Example>
+								<strong>The simplest way to start:</strong> list your roles and
+								the actions they can take, then tick who can do what. We turn it
+								into a working authorization model for you — no syntax to learn.
+								Need hierarchies, groups or conditions? Switch to{' '}
+								<strong>Advanced (DSL)</strong>.
+							</Example>
+							<RbacBuilder
+								initialRoles={[]}
+								onApply={(generatedDsl) => {
+									// Populate the editor and switch to Advanced for review.
+									// Saving (a new immutable model version) stays an explicit
+									// click on "Save model", so the user controls when a
+									// version is created — no churn from repeated clicks.
+									setDsl(generatedDsl);
+									setValidationError('');
+									setMode('advanced');
+									toast.success('Model ready — review it below, then Save');
+								}}
+							/>
+						</>
+					) : (
+						<>
+							<Example>
+								<strong>Example:</strong> a{' '}
+								<code className="rounded bg-white px-1 py-0.5 text-xs">
+									document
+								</code>{' '}
+								has{' '}
+								<code className="rounded bg-white px-1 py-0.5 text-xs">
+									viewer
+								</code>{' '}
+								and{' '}
+								<code className="rounded bg-white px-1 py-0.5 text-xs">
+									editor
+								</code>{' '}
+								relations, and{' '}
+								<code className="rounded bg-white px-1 py-0.5 text-xs">
+									can_view = viewer or editor
+								</code>
+								. Start from an example below and edit it.
+							</Example>
 
-					{/* Example templates with descriptions */}
-					<div>
-						<p className="mb-2 text-sm font-medium text-gray-700">Start from an example</p>
-						<div className="grid grid-cols-1 gap-2 sm:grid-cols-2 lg:grid-cols-4">
-							{examples.map((ex) => (
-								<button
-									key={ex.name}
+							{/* Example catalog opens in a modal — see the dialog below. */}
+							<div className="flex flex-wrap items-center gap-2">
+								<Button
 									type="button"
-									onClick={() => applyExample(ex.name, ex.dsl)}
-									className="rounded-xl border border-gray-200 bg-white p-3 text-left transition-colors hover:border-blue-300 hover:bg-blue-50"
+									variant="outline"
+									size="sm"
+									onClick={() => setExampleOpen(true)}
 								>
-									<span className="block text-sm font-medium text-gray-800">{ex.name}</span>
-									<span className="mt-0.5 block text-xs leading-relaxed text-gray-500">
-										{ex.description}
-									</span>
-								</button>
-							))}
-						</div>
-					</div>
-
-					{/* The model */}
-					<div>
-						<div className="mb-1.5 flex items-center justify-between">
-							<label htmlFor="model-dsl" className="text-sm font-medium text-gray-700">
-								Model
-							</label>
-							{modelId && (
-								<span className="flex items-center gap-1.5 text-xs text-gray-400">
-									active version
-									<Badge variant="secondary">{modelId.slice(0, 12)}…</Badge>
+									<LayoutTemplate className="mr-2 h-4 w-4" aria-hidden="true" />
+									Browse examples
+								</Button>
+								<span className="text-xs text-gray-500">
+									Prebuilt models you can drop in and edit.
 								</span>
-							)}
-						</div>
-						<div className="mb-2 flex items-start gap-2 rounded-lg border border-gray-100 bg-gray-50 p-3 text-xs leading-relaxed text-gray-600">
-							<Info className="mt-0.5 h-4 w-4 shrink-0 text-gray-400" aria-hidden="true" />
+							</div>
+
+							{/* The model */}
 							<div>
-								<strong className="text-gray-700">About model versions.</strong> There is always
-								exactly one <em>active</em> model. Saving creates a new <strong>immutable
-								version</strong> and makes it active; earlier versions are retained so requests
-								already in flight stay valid. OpenFGA models are <strong>append-only</strong> — an
-								individual version cannot be deleted. To change the rules, save a new version; to
-								remove everything, reset the store (deletes the model and all tuples). Separate
-								models require separate stores, which aren&rsquo;t exposed here.
+								<div className="mb-1.5 flex items-center justify-between">
+									<label
+										htmlFor="model-dsl"
+										className="text-sm font-medium text-gray-700"
+									>
+										Model
+									</label>
+									{modelId && (
+										<span className="flex items-center gap-1.5 text-xs text-gray-400">
+											active version
+											<Badge variant="secondary">{modelId.slice(0, 12)}…</Badge>
+										</span>
+									)}
+								</div>
+								<div className="mb-2 flex items-start gap-2 rounded-lg border border-gray-100 bg-gray-50 p-3 text-xs leading-relaxed text-gray-600">
+									<Info
+										className="mt-0.5 h-4 w-4 shrink-0 text-gray-400"
+										aria-hidden="true"
+									/>
+									<div>
+										<strong className="text-gray-700">
+											About model versions.
+										</strong>{' '}
+										There is always exactly one <em>active</em> model. Saving
+										creates a new <strong>immutable version</strong> and makes
+										it active; earlier versions are retained so requests already
+										in flight stay valid. OpenFGA models are{' '}
+										<strong>append-only</strong> — an individual version cannot
+										be deleted. To change the rules, save a new version; to
+										remove everything, reset the store (deletes the model and
+										all tuples). Separate models require separate stores, which
+										aren&rsquo;t exposed here.
+									</div>
+								</div>
+								<Textarea
+									id="model-dsl"
+									value={dsl}
+									onChange={(e) => setDsl(e.target.value)}
+									spellCheck={false}
+									className="min-h-[360px] font-mono text-xs leading-relaxed"
+									placeholder={PLACEHOLDER}
+								/>
 							</div>
-						</div>
-						<Textarea
-							id="model-dsl"
-							value={dsl}
-							onChange={(e) => setDsl(e.target.value)}
-							spellCheck={false}
-							className="min-h-[360px] font-mono text-xs leading-relaxed"
-							placeholder={PLACEHOLDER}
-						/>
-					</div>
 
-					{summary.length > 0 && (
-						<div className="rounded-lg border border-gray-100 bg-gray-50 p-3">
-							<p className="mb-1.5 text-xs font-medium uppercase tracking-wide text-gray-500">
-								In plain English
-							</p>
-							<ul className="space-y-1 text-xs leading-relaxed text-gray-600">
-								{summary.map((s, i) => (
-									<li key={i}>• {s}</li>
-								))}
-							</ul>
-						</div>
-					)}
+							{summary.length > 0 && (
+								<div className="rounded-lg border border-gray-100 bg-gray-50 p-3">
+									<p className="mb-1.5 text-xs font-medium uppercase tracking-wide text-gray-500">
+										In plain English
+									</p>
+									<ul className="space-y-1 text-xs leading-relaxed text-gray-600">
+										{summary.map((s, i) => (
+											<li key={i}>• {s}</li>
+										))}
+									</ul>
+								</div>
+							)}
 
-					{validationError && (
-						<div className="flex items-start gap-2 rounded-md border border-red-200 bg-red-50 p-3 text-sm text-red-700">
-							<AlertCircle className="mt-0.5 h-4 w-4 shrink-0" />
-							<span className="whitespace-pre-wrap break-words">{validationError}</span>
-						</div>
+							{validationError && (
+								<div className="flex items-start gap-2 rounded-md border border-red-200 bg-red-50 p-3 text-sm text-red-700">
+									<AlertCircle className="mt-0.5 h-4 w-4 shrink-0" />
+									<span className="whitespace-pre-wrap break-words">
+										{validationError}
+									</span>
+								</div>
+							)}
+						</>
 					)}
 
 					<DocsLinks />
@@ -325,17 +414,20 @@ const Model = () => {
 									aria-hidden="true"
 								/>
 								<div className="flex-1">
-									<p className="text-sm font-medium text-red-800">Danger zone · Reset model</p>
+									<p className="text-sm font-medium text-red-800">
+										Danger zone · Reset model
+									</p>
 									<p className="mt-1 text-xs leading-relaxed text-red-700/80">
-										OpenFGA models are append-only — individual versions can&rsquo;t be deleted.
-										Resetting is the only way to remove the model and <strong>all its past
-										versions</strong> and start over. This cannot be undone.
+										OpenFGA models are append-only — individual versions
+										can&rsquo;t be deleted. Resetting is the only way to remove
+										the model and <strong>all its past versions</strong> and
+										start over. This cannot be undone.
 									</p>
 									{tuplesExist ? (
 										<p className="mt-2 flex flex-wrap items-center gap-1 text-xs text-red-700/80">
 											<span>
-												Reset is blocked while relationship tuples exist, so live grants are
-												never dropped silently.
+												Reset is blocked while relationship tuples exist, so
+												live grants are never dropped silently.
 											</span>
 											<Link
 												to="/authorization/tuples"
@@ -365,13 +457,51 @@ const Model = () => {
 					)}
 
 					<div className="flex items-center justify-between border-t border-gray-100 pt-4 text-sm text-gray-500">
-						<span>Save the model, then grant access with relationship tuples.</span>
+						<span>
+							Save the model, then grant access with relationship tuples.
+						</span>
 						<NextStep to="/authorization/tuples" label="Next: grant access" />
 					</div>
 				</div>
 			)}
 
-			<Dialog open={resetOpen} onOpenChange={(open) => !resetting && setResetOpen(open)}>
+			<Dialog open={exampleOpen} onOpenChange={setExampleOpen}>
+				<DialogContent className="max-w-2xl">
+					<DialogHeader>
+						<DialogTitle>Start from an example</DialogTitle>
+						<DialogDescription>
+							Pick a prebuilt model to load into the editor. You can edit it
+							before saving — nothing is saved until you click{' '}
+							<strong>Save model</strong>.
+						</DialogDescription>
+					</DialogHeader>
+					<div className="grid max-h-[60vh] grid-cols-1 gap-2 overflow-y-auto sm:grid-cols-2">
+						{examples.map((ex) => (
+							<button
+								key={ex.name}
+								type="button"
+								onClick={() => {
+									applyExample(ex.name, ex.dsl);
+									setExampleOpen(false);
+								}}
+								className="rounded-xl border border-gray-200 bg-white p-3 text-left transition-colors hover:border-blue-300 hover:bg-blue-50"
+							>
+								<span className="block text-sm font-medium text-gray-800">
+									{ex.name}
+								</span>
+								<span className="mt-0.5 block text-xs leading-relaxed text-gray-500">
+									{ex.description}
+								</span>
+							</button>
+						))}
+					</div>
+				</DialogContent>
+			</Dialog>
+
+			<Dialog
+				open={resetOpen}
+				onOpenChange={(open) => !resetting && setResetOpen(open)}
+			>
 				<DialogContent>
 					<DialogHeader>
 						<DialogTitle className="flex items-center gap-2 text-red-700">
@@ -379,14 +509,22 @@ const Model = () => {
 							Reset authorization model
 						</DialogTitle>
 						<DialogDescription>
-							This permanently deletes the active model and every past version, then starts a
-							fresh, empty store. You&rsquo;ll need to define a new model before access checks
-							work again. This action cannot be undone.
+							This permanently deletes the active model and every past version,
+							then starts a fresh, empty store. You&rsquo;ll need to define a
+							new model before access checks work again. This action cannot be
+							undone.
 						</DialogDescription>
 					</DialogHeader>
 					<div className="space-y-2">
-						<label htmlFor="reset-confirm" className="text-sm font-medium text-gray-700">
-							Type <span className="font-mono font-semibold text-red-700">RESET</span> to confirm
+						<label
+							htmlFor="reset-confirm"
+							className="text-sm font-medium text-gray-700"
+						>
+							Type{' '}
+							<span className="font-mono font-semibold text-red-700">
+								RESET
+							</span>{' '}
+							to confirm
 						</label>
 						<Input
 							id="reset-confirm"
diff --git a/web/dashboard/src/pages/authorization/RbacBuilder.tsx b/web/dashboard/src/pages/authorization/RbacBuilder.tsx
new file mode 100644
index 00000000..09632ec6
--- /dev/null
+++ b/web/dashboard/src/pages/authorization/RbacBuilder.tsx
@@ -0,0 +1,362 @@
+import React, { useMemo, useState } from 'react';
+import { Plus, X, Check, AlertCircle } from 'lucide-react';
+import { Button } from '../../components/ui/button';
+import { Input } from '../../components/ui/input';
+import { Label } from '../../components/ui/label';
+import {
+	generateDsl,
+	parseDsl,
+	rbacModel,
+	sanitizeRelationName,
+	summarize,
+	RESERVED_TYPES,
+} from './modelDsl';
+
+// RbacBuilder is the friendly default for Step 1: a roles × permissions matrix
+// that most admins already have a mental model for. It never asks the user to
+// read or write DSL — it generates a standard OpenFGA RBAC model and hands the
+// finished DSL to the parent (which owns saving). The raw DSL stays available
+// behind the "Advanced" mode for anyone who wants the full language.
+const DEFAULT_PERMISSIONS = ['view', 'edit', 'delete'];
+
+// A sensible starting grant so the matrix is never empty on first paint:
+// admins get everything, editors can view + edit, viewers can view.
+const defaultGrant = (
+	roles: string[],
+	perms: string[],
+): Record<string, string[]> => {
+	const grant: Record<string, string[]> = {};
+	for (const role of roles) {
+		if (/admin|owner/i.test(role)) grant[role] = [...perms];
+		else if (/edit|writ|maintain/i.test(role))
+			grant[role] = perms.filter((p) => p !== 'delete');
+		else grant[role] = perms.filter((p) => /view|read/i.test(p));
+	}
+	return grant;
+};
+
+// TokenList renders an editable list of names (roles or permissions) as
+// removable chips plus an "add" input. Names are sanitized to valid relation
+// identifiers on add.
+const TokenList = ({
+	label,
+	help,
+	items,
+	onAdd,
+	onRemove,
+	placeholder,
+}: {
+	label: string;
+	help: string;
+	items: string[];
+	onAdd: (name: string) => void;
+	onRemove: (name: string) => void;
+	placeholder: string;
+}) => {
+	const [draft, setDraft] = useState('');
+	const commit = () => {
+		const name = sanitizeRelationName(draft);
+		if (name) onAdd(name);
+		setDraft('');
+	};
+	return (
+		<div>
+			<Label className="text-sm font-medium text-gray-700">{label}</Label>
+			<p className="mb-2 mt-0.5 text-xs text-gray-500">{help}</p>
+			<div className="flex flex-wrap items-center gap-2">
+				{items.map((item) => (
+					<span
+						key={item}
+						className="inline-flex items-center gap-1 rounded-full border border-gray-200 bg-gray-50 py-1 pl-3 pr-1 text-sm text-gray-800"
+					>
+						<span className="font-mono text-xs">{item}</span>
+						<button
+							type="button"
+							onClick={() => onRemove(item)}
+							aria-label={`Remove ${item}`}
+							className="flex h-5 w-5 items-center justify-center rounded-full text-gray-400 transition-colors hover:bg-gray-200 hover:text-gray-700"
+						>
+							<X className="h-3 w-3" aria-hidden="true" />
+						</button>
+					</span>
+				))}
+				<span className="inline-flex items-center gap-1">
+					<Input
+						value={draft}
+						onChange={(e) => setDraft(e.target.value)}
+						onKeyDown={(e) => {
+							if (e.key === 'Enter') {
+								e.preventDefault();
+								commit();
+							}
+						}}
+						placeholder={placeholder}
+						className="h-8 w-32 text-sm"
+						aria-label={`Add ${label.toLowerCase()}`}
+						spellCheck={false}
+					/>
+					<Button
+						type="button"
+						variant="ghost"
+						size="sm"
+						onClick={commit}
+						disabled={!sanitizeRelationName(draft)}
+					>
+						<Plus className="h-4 w-4" aria-hidden="true" />
+					</Button>
+				</span>
+			</div>
+		</div>
+	);
+};
+
+const RbacBuilder = ({
+	initialRoles,
+	onApply,
+}: {
+	// Roles configured on the instance (used to seed the matrix). Falls back to a
+	// generic admin/editor/viewer set when none are configured.
+	initialRoles: string[];
+	// Called with the generated DSL when the admin is happy with the matrix.
+	onApply: (dsl: string) => void;
+}) => {
+	const seedRoles = initialRoles.length
+		? initialRoles
+		: ['admin', 'editor', 'viewer'];
+	// One or more object types to protect. All share the same roles × permissions
+	// matrix; for resources that need different shapes, use Advanced (DSL).
+	const [resourceTypes, setResourceTypes] = useState<string[]>(['document']);
+	const [roles, setRoles] = useState<string[]>(() =>
+		seedRoles.map(sanitizeRelationName).filter(Boolean),
+	);
+	const [permissions, setPermissions] = useState<string[]>(DEFAULT_PERMISSIONS);
+	const [grant, setGrant] = useState<Record<string, string[]>>(() =>
+		defaultGrant(
+			seedRoles.map(sanitizeRelationName).filter(Boolean),
+			DEFAULT_PERMISSIONS,
+		),
+	);
+	const [showDsl, setShowDsl] = useState(false);
+
+	const toggle = (role: string, perm: string) => {
+		setGrant((prev) => {
+			const current = prev[role] || [];
+			const next = current.includes(perm)
+				? current.filter((p) => p !== perm)
+				: [...current, perm];
+			return { ...prev, [role]: next };
+		});
+	};
+
+	const addResource = (name: string) =>
+		setResourceTypes((prev) => (prev.includes(name) ? prev : [...prev, name]));
+	const removeResource = (name: string) =>
+		setResourceTypes((prev) => prev.filter((r) => r !== name));
+	const addRole = (name: string) =>
+		setRoles((prev) => (prev.includes(name) ? prev : [...prev, name]));
+	const removeRole = (name: string) => {
+		setRoles((prev) => prev.filter((r) => r !== name));
+		setGrant((prev) => {
+			const next = { ...prev };
+			delete next[name];
+			return next;
+		});
+	};
+	const addPermission = (name: string) =>
+		setPermissions((prev) => (prev.includes(name) ? prev : [...prev, name]));
+	const removePermission = (name: string) => {
+		setPermissions((prev) => prev.filter((p) => p !== name));
+		setGrant((prev) => {
+			const next: Record<string, string[]> = {};
+			for (const [role, perms] of Object.entries(prev)) {
+				next[role] = perms.filter((p) => p !== name);
+			}
+			return next;
+		});
+	};
+
+	// Sanitized resource names split into usable vs reserved (user/role).
+	const cleanResources = resourceTypes
+		.map(sanitizeRelationName)
+		.filter(Boolean);
+	const reservedResources = cleanResources.filter((r) =>
+		RESERVED_TYPES.includes(r),
+	);
+	const validResources = cleanResources.filter(
+		(r) => !RESERVED_TYPES.includes(r),
+	);
+	// A label for the matrix caption — the first protected resource, or generic.
+	const resourceLabel = validResources[0] || 'resource';
+
+	const model = useMemo(
+		() => rbacModel({ resourceTypes, roles, permissions, grant }),
+		[resourceTypes, roles, permissions, grant],
+	);
+	const dsl = model ? generateDsl(model).trimEnd() : '';
+	const summary = useMemo(() => {
+		if (!dsl) return [];
+		const parsed = parseDsl(dsl);
+		return parsed.supported && parsed.model ? summarize(parsed.model) : [];
+	}, [dsl]);
+
+	// A precise reason the matrix can't be turned into a model yet, so the
+	// disabled state is never a dead end.
+	const blocker = !validResources.length
+		? reservedResources.length
+			? `"${reservedResources[0]}" is reserved — add a different resource type.`
+			: 'Add a resource type to protect (e.g. document).'
+		: !roles.length
+			? 'Add at least one role.'
+			: !model
+				? 'Grant at least one permission to a role (tick a box below).'
+				: '';
+
+	return (
+		<div className="space-y-6">
+			<div>
+				<TokenList
+					label="What are you protecting?"
+					help="The object types access is granted on — e.g. document, project, report. Add as many as you like; they share the roles & permissions below."
+					items={resourceTypes}
+					onAdd={addResource}
+					onRemove={removeResource}
+					placeholder="resource type"
+				/>
+				{reservedResources.length > 0 && (
+					<p className="mt-1 flex items-center gap-1 text-xs text-red-600">
+						<AlertCircle className="h-3.5 w-3.5" aria-hidden="true" />
+						&ldquo;{reservedResources[0]}&rdquo; is reserved — try{' '}
+						<code className="rounded bg-red-50 px-1">
+							{reservedResources[0]}_item
+						</code>
+						.
+					</p>
+				)}
+			</div>
+
+			<TokenList
+				label="Roles"
+				help="Named sets of access you assign to people — e.g. admin, editor, viewer."
+				items={roles}
+				onAdd={addRole}
+				onRemove={removeRole}
+				placeholder="role name"
+			/>
+
+			<TokenList
+				label="Permissions"
+				help="The actions people can take on the resource — e.g. view, edit, delete."
+				items={permissions}
+				onAdd={addPermission}
+				onRemove={removePermission}
+				placeholder="permission"
+			/>
+
+			{/* Roles × permissions matrix */}
+			<div>
+				<Label className="text-sm font-medium text-gray-700">
+					Which roles can do what?
+				</Label>
+				<p className="mb-2 mt-0.5 text-xs text-gray-500">
+					Tick a box to let a role perform an action on a {resourceLabel}
+					{validResources.length > 1 ? ' (and your other resources)' : ''}.
+				</p>
+				{roles.length && permissions.length ? (
+					<div className="overflow-x-auto rounded-lg border border-gray-200">
+						<table className="w-full border-collapse text-sm">
+							<thead>
+								<tr className="border-b border-gray-200 bg-gray-50">
+									<th className="px-4 py-2.5 text-left font-medium text-gray-600">
+										Role
+									</th>
+									{permissions.map((perm) => (
+										<th
+											key={perm}
+											className="px-4 py-2.5 text-center font-medium text-gray-600"
+										>
+											<span className="font-mono text-xs">can_{perm}</span>
+										</th>
+									))}
+								</tr>
+							</thead>
+							<tbody>
+								{roles.map((role) => (
+									<tr
+										key={role}
+										className="border-b border-gray-100 last:border-0"
+									>
+										<td className="px-4 py-2.5 font-mono text-xs text-gray-800">
+											{role}
+										</td>
+										{permissions.map((perm) => {
+											const checked = (grant[role] || []).includes(perm);
+											return (
+												<td key={perm} className="px-4 py-2.5 text-center">
+													<label className="inline-flex cursor-pointer items-center justify-center">
+														<input
+															type="checkbox"
+															checked={checked}
+															onChange={() => toggle(role, perm)}
+															className="h-4 w-4 cursor-pointer rounded border-gray-300 text-blue-600 focus:ring-2 focus:ring-blue-400"
+															aria-label={`${role} can ${perm} ${resourceLabel}`}
+														/>
+													</label>
+												</td>
+											);
+										})}
+									</tr>
+								))}
+							</tbody>
+						</table>
+					</div>
+				) : (
+					<p className="rounded-lg border border-dashed border-gray-200 p-4 text-sm text-gray-400">
+						Add at least one role and one permission to build the matrix.
+					</p>
+				)}
+			</div>
+
+			{/* Live "in plain English" so the matrix is never a black box */}
+			{summary.length > 0 && (
+				<div className="rounded-lg border border-gray-100 bg-gray-50 p-3">
+					<p className="mb-1.5 text-xs font-medium uppercase tracking-wide text-gray-500">
+						In plain English
+					</p>
+					<ul className="space-y-1 text-xs leading-relaxed text-gray-600">
+						{summary.map((s, i) => (
+							<li key={i}>• {s}</li>
+						))}
+					</ul>
+				</div>
+			)}
+
+			{/* Optional DSL peek for the curious — collapsed by default */}
+			{dsl && (
+				<div>
+					<button
+						type="button"
+						onClick={() => setShowDsl((v) => !v)}
+						className="text-xs font-medium text-blue-600 hover:text-blue-700"
+					>
+						{showDsl ? 'Hide' : 'Show'} the generated model (OpenFGA DSL)
+					</button>
+					{showDsl && (
+						<pre className="mt-2 overflow-x-auto rounded-lg border border-gray-200 bg-gray-900 p-3 font-mono text-xs leading-relaxed text-gray-100">
+							{dsl}
+						</pre>
+					)}
+				</div>
+			)}
+
+			<div className="flex flex-wrap items-center gap-3 border-t border-gray-100 pt-4">
+				<Button type="button" onClick={() => onApply(dsl)} disabled={!model}>
+					<Check className="mr-2 h-4 w-4" aria-hidden="true" />
+					Use this model
+				</Button>
+				{blocker && <span className="text-xs text-gray-500">{blocker}</span>}
+			</div>
+		</div>
+	);
+};
+
+export default RbacBuilder;
diff --git a/web/dashboard/src/pages/authorization/Tester.tsx b/web/dashboard/src/pages/authorization/Tester.tsx
index 5a0de67b..b50a4cea 100644
--- a/web/dashboard/src/pages/authorization/Tester.tsx
+++ b/web/dashboard/src/pages/authorization/Tester.tsx
@@ -17,11 +17,17 @@ const emptyTuple: FgaTuple = { user: '', relation: '', object: '' };
 const Tester = () => {
 	const client = useClient();
 	const [fgaDisabled, setFgaDisabled] = useState<boolean>(false);
+	// The subject to check. As a super-admin (the dashboard caller) you may check
+	// any subject; leaving it blank checks your own token, which only resolves
+	// when you signed in with a user account (not the admin secret).
+	const [user, setUser] = useState<string>('');
 	const [relation, setRelation] = useState<string>('');
 	const [object, setObject] = useState<string>('');
 	const [contextualTuples, setContextualTuples] = useState<FgaTuple[]>([]);
 	const [running, setRunning] = useState<boolean>(false);
 	const [result, setResult] = useState<boolean | null>(null);
+	// The subject the last result is for, captured at submit time for the message.
+	const [checkedUser, setCheckedUser] = useState<string>('');
 
 	const addContextualTuple = () => {
 		setContextualTuples((prev) => [...prev, { ...emptyTuple }]);
@@ -51,9 +57,7 @@ const Tester = () => {
 		setResult(null);
 		try {
 			const validContextual = contextualTuples
-				.filter(
-					(t) => t.user.trim() && t.relation.trim() && t.object.trim(),
-				)
+				.filter((t) => t.user.trim() && t.relation.trim() && t.object.trim())
 				.map((t) => ({
 					user: t.user.trim(),
 					relation: t.relation.trim(),
@@ -63,14 +67,19 @@ const Tester = () => {
 			const params: {
 				relation: string;
 				object: string;
+				user?: string;
 				contextual_tuples?: FgaTuple[];
 			} = {
 				relation: relation.trim(),
 				object: object.trim(),
 			};
+			if (user.trim()) {
+				params.user = user.trim();
+			}
 			if (validContextual.length) {
 				params.contextual_tuples = validContextual;
 			}
+			setCheckedUser(user.trim());
 
 			const res = await client
 				.query<FgaCheckResponse>(
@@ -104,7 +113,9 @@ const Tester = () => {
 			<div className="m-5 rounded-md bg-white py-5 px-10">
 				<AuthSteps current={3} />
 				<div className="my-4">
-					<h1 className="text-2xl font-semibold text-gray-900">Step 3 · Test access</h1>
+					<h1 className="text-2xl font-semibold text-gray-900">
+						Step 3 · Test access
+					</h1>
 				</div>
 				<FgaNotEnabled />
 			</div>
@@ -115,31 +126,59 @@ const Tester = () => {
 		<div className="m-5 rounded-md bg-white py-5 px-10">
 			<AuthSteps current={3} />
 			<div className="my-4">
-				<h1 className="text-2xl font-semibold text-gray-900">Step 3 · Test access</h1>
+				<h1 className="text-2xl font-semibold text-gray-900">
+					Step 3 · Test access
+				</h1>
 				<p className="mt-1 max-w-2xl text-sm text-gray-500">
-					Verify your rules and grants. The check runs for{' '}
-					<strong>the currently logged-in admin</strong> &mdash; the principal is pinned to your
-					token by the server and cannot be changed here.
+					Ask the engine &ldquo;can <strong>this user</strong> do{' '}
+					<strong>this relation</strong> on <strong>this object</strong>
+					?&rdquo;. As a super-admin you can check <strong>any subject</strong>.
+					Leave <strong>User</strong> blank to check yourself &mdash; that only
+					resolves when you signed in with a user account, not the admin secret.
 				</p>
 			</div>
 
 			<div className="mb-5">
 				<Example>
-					<strong>Example:</strong> ask &ldquo;can I{' '}
+					<strong>Example:</strong> ask &ldquo;can{' '}
+					<code className="rounded bg-white px-1 py-0.5 text-xs">
+						user:alice
+					</code>{' '}
 					<code className="rounded bg-white px-1 py-0.5 text-xs">can_view</code>{' '}
-					<code className="rounded bg-white px-1 py-0.5 text-xs">document:1</code>?&rdquo; &mdash; if
-					you granted yourself <code className="rounded bg-white px-1 py-0.5 text-xs">viewer</code>{' '}
-					on it in step 2, the result is <strong>Allowed</strong>.
+					<code className="rounded bg-white px-1 py-0.5 text-xs">
+						document:1
+					</code>
+					?&rdquo; &mdash; if you granted{' '}
+					<code className="rounded bg-white px-1 py-0.5 text-xs">
+						user:alice
+					</code>{' '}
+					the{' '}
+					<code className="rounded bg-white px-1 py-0.5 text-xs">viewer</code>{' '}
+					relation in step 2, the result is <strong>Allowed</strong>.
 				</Example>
 			</div>
 
 			<form onSubmit={handleCheck} className="max-w-2xl space-y-5">
+				<div className="space-y-1">
+					<Label htmlFor="check-user">User (subject)</Label>
+					<Input
+						id="check-user"
+						placeholder="user:alice — blank checks yourself"
+						value={user}
+						onChange={(e) => setUser(e.target.value)}
+						spellCheck={false}
+					/>
+					<p className="text-xs text-gray-400">
+						The subject to check, e.g. <code>user:alice</code>. A bare id is
+						treated as <code>user:&lt;id&gt;</code>.
+					</p>
+				</div>
 				<div className="grid grid-cols-1 gap-3 md:grid-cols-2">
 					<div className="space-y-1">
 						<Label htmlFor="check-relation">Relation</Label>
 						<Input
 							id="check-relation"
-							placeholder="viewer"
+							placeholder="can_view"
 							value={relation}
 							onChange={(e) => setRelation(e.target.value)}
 						/>
@@ -228,8 +267,9 @@ const Tester = () => {
 							<div>
 								<Badge variant="success">Allowed</Badge>
 								<p className="mt-1 text-sm text-gray-600">
-									You have <strong>{relation}</strong> access to{' '}
-									<strong>{object}</strong>.
+									<strong>{checkedUser || 'You'}</strong>{' '}
+									{checkedUser ? 'has' : 'have'} <strong>{relation}</strong>{' '}
+									access to <strong>{object}</strong>.
 								</p>
 							</div>
 						</div>
@@ -239,7 +279,9 @@ const Tester = () => {
 							<div>
 								<Badge variant="destructive">Denied</Badge>
 								<p className="mt-1 text-sm text-gray-600">
-									You do not have <strong>{relation}</strong> access to{' '}
+									<strong>{checkedUser || 'You'}</strong>{' '}
+									{checkedUser ? 'does' : 'do'} not have{' '}
+									<strong>{relation}</strong> access to{' '}
 									<strong>{object}</strong>.
 								</p>
 							</div>
diff --git a/web/dashboard/src/pages/authorization/Tuples.tsx b/web/dashboard/src/pages/authorization/Tuples.tsx
index d4228f3d..1c335938 100644
--- a/web/dashboard/src/pages/authorization/Tuples.tsx
+++ b/web/dashboard/src/pages/authorization/Tuples.tsx
@@ -1,13 +1,30 @@
 import React, { useCallback, useEffect, useState } from 'react';
+import { Link } from 'react-router-dom';
 import { useClient } from 'urql';
 import { toast } from 'sonner';
-import { Link2, Plus, Trash2, ChevronRight, RotateCcw } from 'lucide-react';
-import { FgaReadTuplesQuery } from '../../graphql/queries';
+import {
+	Link2,
+	Plus,
+	Trash2,
+	ChevronRight,
+	RotateCcw,
+	AlertTriangle,
+	ArrowRight,
+	LayoutTemplate,
+} from 'lucide-react';
+import { FgaReadTuplesQuery, FgaGetModelQuery } from '../../graphql/queries';
 import { FgaWriteTuples, FgaDeleteTuples } from '../../graphql/mutation';
 import { Button } from '../../components/ui/button';
 import { Input } from '../../components/ui/input';
 import { Label } from '../../components/ui/label';
 import { Skeleton } from '../../components/ui/skeleton';
+import {
+	Dialog,
+	DialogContent,
+	DialogHeader,
+	DialogTitle,
+	DialogDescription,
+} from '../../components/ui/dialog';
 import {
 	Table,
 	TableHeader,
@@ -23,10 +40,16 @@ import { isFgaNotEnabledError } from '../../lib/utils';
 import type {
 	FgaTuple,
 	FgaReadTuplesResponse,
+	FgaGetModelResponse,
 	FgaWriteTuplesResponse,
 	FgaDeleteTuplesResponse,
 } from '../../types';
 
+// OpenFGA rejects tuple writes until a model exists ("No authorization models
+// found for store"). We translate that into a clear, actionable message.
+const isNoModelError = (message: string): boolean =>
+	/no authorization model/i.test(message);
+
 const PAGE_SIZE = 25;
 
 const emptyForm = { user: '', relation: '', object: '' };
@@ -52,7 +75,11 @@ const GRANT_PATTERNS: {
 	{
 		name: 'Grant a whole role',
 		desc: 'Everyone in role:editor becomes editor of the object.',
-		tuple: { user: 'role:editor#assignee', relation: 'editor', object: 'document:1' },
+		tuple: {
+			user: 'role:editor#assignee',
+			relation: 'editor',
+			object: 'document:1',
+		},
 	},
 	{
 		name: 'Public — all users',
@@ -79,6 +106,36 @@ const Tuples = () => {
 	const [tokenStack, setTokenStack] = useState<string[]>([]);
 	const [form, setForm] = useState<typeof emptyForm>(emptyForm);
 	const [submitting, setSubmitting] = useState<boolean>(false);
+	// Tuples can only be written once a model exists. null = not checked yet.
+	const [modelExists, setModelExists] = useState<boolean | null>(null);
+	// The grant-pattern catalog lives in a modal so the form stays the focus.
+	const [patternsOpen, setPatternsOpen] = useState(false);
+
+	const checkModel = useCallback(async () => {
+		try {
+			const res = await client
+				.query<FgaGetModelResponse>(
+					FgaGetModelQuery,
+					{},
+					{ requestPolicy: 'network-only' },
+				)
+				.toPromise();
+			if (res.error) {
+				if (isFgaNotEnabledError(res.error)) {
+					setFgaDisabled(true);
+				} else if (isNoModelError(res.error.message)) {
+					// Older servers error instead of returning an empty model.
+					setModelExists(false);
+				}
+				// Any other error (network, transient): leave modelExists unknown so
+				// we never wrongly block writes behind a misleading banner.
+				return;
+			}
+			setModelExists(!!res.data?._fga_get_model?.dsl);
+		} catch {
+			// Leave unknown; the write path still guards with a friendly error.
+		}
+	}, [client]);
 
 	const fetchTuples = useCallback(
 		async (continuationToken: string) => {
@@ -121,7 +178,8 @@ const Tuples = () => {
 
 	useEffect(() => {
 		fetchTuples('');
-	}, [fetchTuples]);
+		checkModel();
+	}, [fetchTuples, checkModel]);
 
 	const goNext = () => {
 		if (!nextToken) {
@@ -163,6 +221,9 @@ const Tuples = () => {
 			if (res.error) {
 				if (isFgaNotEnabledError(res.error)) {
 					setFgaDisabled(true);
+				} else if (isNoModelError(res.error.message)) {
+					setModelExists(false);
+					toast.error('Define and save an authorization model in Step 1 first');
 				} else {
 					toast.error(res.error.message.replace('[GraphQL] ', ''));
 				}
@@ -171,6 +232,7 @@ const Tuples = () => {
 
 			toast.success('Tuple added');
 			setForm(emptyForm);
+			setModelExists(true);
 			goReset();
 		} catch {
 			toast.error('Failed to add tuple');
@@ -216,7 +278,9 @@ const Tuples = () => {
 			<div className="m-5 rounded-md bg-white py-5 px-10">
 				<AuthSteps current={2} />
 				<div className="my-4">
-					<h1 className="text-2xl font-semibold text-gray-900">Step 2 · Grant access</h1>
+					<h1 className="text-2xl font-semibold text-gray-900">
+						Step 2 · Grant access
+					</h1>
 				</div>
 				<FgaNotEnabled />
 			</div>
@@ -227,52 +291,122 @@ const Tuples = () => {
 		<div className="m-5 rounded-md bg-white py-5 px-10">
 			<AuthSteps current={2} />
 			<div className="my-4">
-				<h1 className="text-2xl font-semibold text-gray-900">Step 2 · Grant access</h1>
+				<h1 className="text-2xl font-semibold text-gray-900">
+					Step 2 · Grant access
+				</h1>
 				<p className="mt-1 max-w-2xl text-sm text-gray-500">
-					Grant access by adding a <strong>relationship tuple</strong> — it links a{' '}
-					<strong>user</strong> to an <strong>object</strong> via a <strong>relation</strong>{' '}
-					from your model. Add or remove tuples any time to change who has access.
+					Grant access by adding a <strong>relationship tuple</strong> — it
+					links a <strong>user</strong> to an <strong>object</strong> via a{' '}
+					<strong>relation</strong> from your model. Add or remove tuples any
+					time to change who has access.
 				</p>
 			</div>
 
+			{modelExists === false && (
+				<div className="mb-4 flex items-start gap-2 rounded-lg border border-amber-200 bg-amber-50 p-4">
+					<AlertTriangle
+						className="mt-0.5 h-5 w-5 shrink-0 text-amber-500"
+						aria-hidden="true"
+					/>
+					<div className="flex-1">
+						<p className="text-sm font-medium text-amber-800">
+							Define a model before granting access
+						</p>
+						<p className="mt-1 text-xs leading-relaxed text-amber-700/90">
+							Relationship tuples reference the relations in your authorization
+							model, so OpenFGA requires a saved model before any tuple can be
+							written. Head to Step 1, save a model, then come back here.
+						</p>
+						<Link
+							to="/authorization/model"
+							className="mt-2 inline-flex items-center gap-1.5 text-sm font-medium text-amber-800 underline underline-offset-2 hover:text-amber-900"
+						>
+							Go to Step 1 · Define the model
+							<ArrowRight className="h-3.5 w-3.5" aria-hidden="true" />
+						</Link>
+					</div>
+				</div>
+			)}
+
 			<div className="mb-4">
 				<Example>
 					<strong>Example:</strong> give{' '}
-					<code className="rounded bg-white px-1 py-0.5 text-xs">user:alice</code> the{' '}
-					<code className="rounded bg-white px-1 py-0.5 text-xs">viewer</code> relation on{' '}
-					<code className="rounded bg-white px-1 py-0.5 text-xs">document:1</code> — now Alice can
-					view that document.
+					<code className="rounded bg-white px-1 py-0.5 text-xs">
+						user:alice
+					</code>{' '}
+					the{' '}
+					<code className="rounded bg-white px-1 py-0.5 text-xs">viewer</code>{' '}
+					relation on{' '}
+					<code className="rounded bg-white px-1 py-0.5 text-xs">
+						document:1
+					</code>{' '}
+					— now Alice can view that document.
 				</Example>
 			</div>
 
 			{/* Common grant patterns — click to prefill the form */}
-			<div className="mb-4">
-				<p className="mb-2 text-sm font-medium text-gray-700">Common grant patterns</p>
-				<div className="grid grid-cols-1 gap-2 sm:grid-cols-2 lg:grid-cols-3 xl:grid-cols-5">
-					{GRANT_PATTERNS.map((p) => (
-						<button
-							key={p.name}
-							type="button"
-							onClick={() => setForm(p.tuple)}
-							title="Click to fill the form below"
-							className="rounded-xl border border-gray-200 bg-white p-3 text-left transition-colors hover:border-blue-300 hover:bg-blue-50"
-						>
-							<span className="block text-sm font-medium text-gray-800">{p.name}</span>
-							<span className="mt-0.5 block text-xs leading-relaxed text-gray-500">{p.desc}</span>
-							<span className="mt-1.5 block truncate font-mono text-[11px] text-blue-600">
-								{p.tuple.user} · {p.tuple.relation} · {p.tuple.object}
-							</span>
-						</button>
-					))}
-				</div>
-				<p className="mt-2 text-xs text-gray-400">
-					<strong className="text-gray-500">Tip:</strong> to avoid a tuple per object id, grant on a{' '}
-					<code className="rounded bg-gray-100 px-1 py-0.5">folder</code>/
-					<code className="rounded bg-gray-100 px-1 py-0.5">organization</code> and let resources inherit,
-					or use <code className="rounded bg-gray-100 px-1 py-0.5">user:*</code> for public access.
-				</p>
+			{/* Grant-pattern catalog opens in a modal — see the dialog below. */}
+			<div className="mb-4 flex flex-wrap items-center gap-2">
+				<Button
+					type="button"
+					variant="outline"
+					size="sm"
+					onClick={() => setPatternsOpen(true)}
+				>
+					<LayoutTemplate className="mr-2 h-4 w-4" aria-hidden="true" />
+					Browse grant patterns
+				</Button>
+				<span className="text-xs text-gray-500">
+					Common ways to grant access — click one to fill the form.
+				</span>
 			</div>
 
+			<Dialog open={patternsOpen} onOpenChange={setPatternsOpen}>
+				<DialogContent className="max-w-2xl">
+					<DialogHeader>
+						<DialogTitle>Common grant patterns</DialogTitle>
+						<DialogDescription>
+							Pick a pattern to fill the form below. Nothing is granted until
+							you click <strong>Add</strong>.
+						</DialogDescription>
+					</DialogHeader>
+					<div className="grid max-h-[60vh] grid-cols-1 gap-2 overflow-y-auto sm:grid-cols-2">
+						{GRANT_PATTERNS.map((p) => (
+							<button
+								key={p.name}
+								type="button"
+								onClick={() => {
+									setForm(p.tuple);
+									setPatternsOpen(false);
+								}}
+								className="rounded-xl border border-gray-200 bg-white p-3 text-left transition-colors hover:border-blue-300 hover:bg-blue-50"
+							>
+								<span className="block text-sm font-medium text-gray-800">
+									{p.name}
+								</span>
+								<span className="mt-0.5 block text-xs leading-relaxed text-gray-500">
+									{p.desc}
+								</span>
+								<span className="mt-1.5 block truncate font-mono text-[11px] text-blue-600">
+									{p.tuple.user} · {p.tuple.relation} · {p.tuple.object}
+								</span>
+							</button>
+						))}
+					</div>
+					<p className="text-xs text-gray-400">
+						<strong className="text-gray-500">Tip:</strong> to avoid a tuple per
+						object id, grant on a{' '}
+						<code className="rounded bg-gray-100 px-1 py-0.5">folder</code>/
+						<code className="rounded bg-gray-100 px-1 py-0.5">
+							organization
+						</code>{' '}
+						and let resources inherit, or use{' '}
+						<code className="rounded bg-gray-100 px-1 py-0.5">user:*</code> for
+						public access.
+					</p>
+				</DialogContent>
+			</Dialog>
+
 			<div className="mb-4">
 				<DocsLinks />
 			</div>
@@ -309,7 +443,7 @@ const Tuples = () => {
 						onChange={(e) => setForm({ ...form, object: e.target.value })}
 					/>
 				</div>
-				<Button type="submit" disabled={submitting}>
+				<Button type="submit" disabled={submitting || modelExists === false}>
 					<Plus className="mr-2 h-4 w-4" />
 					{submitting ? 'Adding...' : 'Add'}
 				</Button>
@@ -392,12 +526,18 @@ const Tuples = () => {
 					</p>
 					<p className="mt-1 max-w-sm text-sm leading-relaxed text-gray-500">
 						Tuples grant access &mdash; e.g.{' '}
-						<code className="rounded bg-gray-100 px-1 py-0.5 text-xs text-gray-700">user:alice</code>{' '}
+						<code className="rounded bg-gray-100 px-1 py-0.5 text-xs text-gray-700">
+							user:alice
+						</code>{' '}
 						is{' '}
-						<code className="rounded bg-gray-100 px-1 py-0.5 text-xs text-gray-700">viewer</code>{' '}
+						<code className="rounded bg-gray-100 px-1 py-0.5 text-xs text-gray-700">
+							viewer
+						</code>{' '}
 						of{' '}
-						<code className="rounded bg-gray-100 px-1 py-0.5 text-xs text-gray-700">document:1</code>.
-						Add one above to grant your first permission.
+						<code className="rounded bg-gray-100 px-1 py-0.5 text-xs text-gray-700">
+							document:1
+						</code>
+						. Add one above to grant your first permission.
 					</p>
 				</div>
 			)}
diff --git a/web/dashboard/src/pages/authorization/modelDsl.test.ts b/web/dashboard/src/pages/authorization/modelDsl.test.ts
new file mode 100644
index 00000000..9745b838
--- /dev/null
+++ b/web/dashboard/src/pages/authorization/modelDsl.test.ts
@@ -0,0 +1,287 @@
+import { describe, expect, it } from 'vitest';
+import {
+	generateDsl,
+	parseDsl,
+	summarize,
+	rolesTemplate,
+	sanitizeRelationName,
+	rbacModel,
+	MODEL_EXAMPLES,
+	RESERVED_TYPES,
+	type RbacConfig,
+} from './modelDsl';
+
+describe('sanitizeRelationName', () => {
+	it('keeps valid identifiers untouched', () => {
+		expect(sanitizeRelationName('viewer')).toBe('viewer');
+		expect(sanitizeRelationName('can_edit')).toBe('can_edit');
+	});
+
+	it('replaces invalid characters with underscores and trims edges', () => {
+		expect(sanitizeRelationName('  power user ')).toBe('power_user');
+		expect(sanitizeRelationName('read-only')).toBe('read_only');
+		expect(sanitizeRelationName('admin!')).toBe('admin');
+	});
+
+	it('returns empty string for names with no usable characters', () => {
+		expect(sanitizeRelationName('   ')).toBe('');
+		expect(sanitizeRelationName('!!!')).toBe('');
+	});
+});
+
+describe('generateDsl / parseDsl round-trip', () => {
+	it('serializes a model and parses it back to an equivalent shape', () => {
+		const dsl = generateDsl({
+			types: [
+				{ name: 'user', relations: [] },
+				{
+					name: 'document',
+					relations: [
+						{ name: 'viewer', directTypes: ['user'], computed: [] },
+						{ name: 'editor', directTypes: ['user'], computed: [] },
+						{
+							name: 'can_view',
+							directTypes: [],
+							computed: [{ relation: 'viewer' }, { relation: 'editor' }],
+						},
+					],
+				},
+			],
+		});
+		expect(dsl).toContain('type user');
+		expect(dsl).toContain('define viewer: [user]');
+		expect(dsl).toContain('define can_view: viewer or editor');
+
+		const parsed = parseDsl(dsl);
+		expect(parsed.supported).toBe(true);
+		expect(parsed.model?.types.map((t) => t.name)).toEqual([
+			'user',
+			'document',
+		]);
+		const doc = parsed.model?.types.find((t) => t.name === 'document');
+		expect(doc?.relations.find((r) => r.name === 'can_view')?.computed).toEqual(
+			[{ relation: 'viewer' }, { relation: 'editor' }],
+		);
+	});
+
+	it('parses inheritance ("from") relations', () => {
+		const parsed = parseDsl(`model
+  schema 1.1
+
+type folder
+  relations
+    define viewer: [user]
+
+type document
+  relations
+    define parent: [folder]
+    define viewer: [user] or viewer from parent`);
+		expect(parsed.supported).toBe(true);
+		const doc = parsed.model?.types.find((t) => t.name === 'document');
+		const viewer = doc?.relations.find((r) => r.name === 'viewer');
+		expect(viewer?.directTypes).toEqual(['user']);
+		expect(viewer?.computed).toEqual([{ relation: 'viewer', from: 'parent' }]);
+	});
+
+	it('flags advanced constructs as unsupported (no plain-English summary)', () => {
+		expect(
+			parseDsl('type x\n  relations\n    define a: [user] but not b').supported,
+		).toBe(false);
+		expect(
+			parseDsl('type x\n  relations\n    define a: b and c').supported,
+		).toBe(false);
+		expect(
+			parseDsl('type x\n  relations\n    define a: (b or c)').supported,
+		).toBe(false);
+		expect(
+			parseDsl('type x\n  relations\n    define a: [user with cond]').supported,
+		).toBe(false);
+	});
+
+	it('treats an empty or comment-only document as unsupported', () => {
+		expect(parseDsl('').supported).toBe(false);
+		expect(parseDsl('model\n  schema 1.1\n# just a comment').supported).toBe(
+			false,
+		);
+	});
+});
+
+describe('summarize', () => {
+	it('describes direct and computed relations in plain English', () => {
+		const lines = summarize({
+			types: [
+				{
+					name: 'document',
+					relations: [
+						{ name: 'viewer', directTypes: ['user'], computed: [] },
+						{
+							name: 'can_view',
+							directTypes: [],
+							computed: [
+								{ relation: 'viewer' },
+								{ relation: 'editor', from: 'parent' },
+							],
+						},
+					],
+				},
+			],
+		});
+		expect(lines[0]).toContain('assigned (user)');
+		expect(lines[0]).toContain('"viewer" of a document');
+		expect(lines[1]).toContain('editor of its parent');
+	});
+});
+
+describe('rolesTemplate', () => {
+	it('builds a resource model with one relation per role plus can_access', () => {
+		const model = rolesTemplate(['admin', 'user']);
+		expect(model).not.toBeNull();
+		const resource = model?.types.find((t) => t.name === 'resource');
+		expect(resource?.relations.map((r) => r.name)).toEqual([
+			'admin',
+			'user',
+			'can_access',
+		]);
+		const canAccess = resource?.relations.find((r) => r.name === 'can_access');
+		expect(canAccess?.computed).toEqual([
+			{ relation: 'admin' },
+			{ relation: 'user' },
+		]);
+	});
+
+	it('dedupes and sanitizes role names, returns null when nothing usable', () => {
+		// "power user" and "power_user" both sanitize to the same name; the
+		// blank is dropped. Dedup is case-sensitive (OpenFGA relations are).
+		const model = rolesTemplate(['power user', 'power_user', '   ']);
+		const resource = model?.types.find((t) => t.name === 'resource');
+		expect(resource?.relations.map((r) => r.name)).toEqual([
+			'power_user',
+			'can_access',
+		]);
+		expect(rolesTemplate([])).toBeNull();
+		expect(rolesTemplate(['   ', '!!!'])).toBeNull();
+	});
+});
+
+describe('rbacModel', () => {
+	const base: RbacConfig = {
+		resourceTypes: ['document'],
+		roles: ['admin', 'editor', 'viewer'],
+		permissions: ['view', 'edit', 'delete'],
+		grant: {
+			admin: ['view', 'edit', 'delete'],
+			editor: ['view', 'edit'],
+			viewer: ['view'],
+		},
+	};
+
+	it('produces user, role and resource types', () => {
+		const model = rbacModel(base);
+		expect(model?.types.map((t) => t.name)).toEqual([
+			'user',
+			'role',
+			'document',
+		]);
+		const role = model?.types.find((t) => t.name === 'role');
+		expect(role?.relations).toEqual([
+			{ name: 'assignee', directTypes: ['user'], computed: [] },
+		]);
+	});
+
+	it('emits a role relation accepting a direct user or a role userset', () => {
+		const dsl = generateDsl(rbacModel(base)!);
+		expect(dsl).toContain('define admin: [user, role#assignee]');
+		expect(dsl).toContain('define editor: [user, role#assignee]');
+	});
+
+	it('emits can_<perm> as the union of roles granted that permission', () => {
+		const dsl = generateDsl(rbacModel(base)!);
+		expect(dsl).toContain('define can_view: admin or editor or viewer');
+		expect(dsl).toContain('define can_edit: admin or editor');
+		expect(dsl).toContain('define can_delete: admin');
+	});
+
+	it('skips permissions that no role is granted', () => {
+		const model = rbacModel({
+			...base,
+			permissions: ['view', 'archive'],
+			grant: { admin: ['view'], editor: ['view'], viewer: ['view'] },
+		});
+		const resource = model?.types.find((t) => t.name === 'document');
+		expect(
+			resource?.relations.find((r) => r.name === 'can_archive'),
+		).toBeUndefined();
+		expect(
+			resource?.relations.find((r) => r.name === 'can_view'),
+		).toBeDefined();
+	});
+
+	it('emits one type per resource, all sharing the same matrix', () => {
+		const dsl = generateDsl(
+			rbacModel({ ...base, resourceTypes: ['document', 'project'] })!,
+		);
+		expect(dsl).toContain('type document');
+		expect(dsl).toContain('type project');
+		// Both resources get the same permission relations.
+		expect(
+			dsl.match(/define can_view: admin or editor or viewer/g),
+		).toHaveLength(2);
+		expect(dsl.match(/define admin: \[user, role#assignee\]/g)).toHaveLength(2);
+	});
+
+	it('dedupes resources and drops reserved ones while keeping valid ones', () => {
+		const model = rbacModel({
+			...base,
+			resourceTypes: ['document', 'document', 'user', 'role', 'project'],
+		});
+		expect(model?.types.map((t) => t.name)).toEqual([
+			'user',
+			'role',
+			'document',
+			'project',
+		]);
+	});
+
+	it('sanitizes resource, role and permission names', () => {
+		const dsl = generateDsl(
+			rbacModel({
+				resourceTypes: ['Customer Record'],
+				roles: ['Account Owner'],
+				permissions: ['Full Access'],
+				grant: { Account_Owner: ['Full_Access'] },
+			})!,
+		);
+		expect(dsl).toContain('type Customer_Record');
+		expect(dsl).toContain('define Account_Owner: [user, role#assignee]');
+		expect(dsl).toContain('define can_Full_Access: Account_Owner');
+	});
+
+	it('returns null for empty, reserved, or fully-ungranted matrices', () => {
+		expect(rbacModel({ ...base, roles: [] })).toBeNull();
+		expect(rbacModel({ ...base, resourceTypes: [] })).toBeNull();
+		expect(rbacModel({ ...base, resourceTypes: [''] })).toBeNull();
+		// A matrix whose only resources are reserved types yields no model.
+		expect(rbacModel({ ...base, resourceTypes: RESERVED_TYPES })).toBeNull();
+		expect(
+			rbacModel({ ...base, grant: { admin: [], editor: [], viewer: [] } }),
+		).toBeNull();
+	});
+
+	it('always generates a model that parses back to a supported summary', () => {
+		const dsl = generateDsl(rbacModel(base)!);
+		const parsed = parseDsl(dsl);
+		expect(parsed.supported).toBe(true);
+		expect(summarize(parsed.model!).length).toBeGreaterThan(0);
+	});
+});
+
+describe('MODEL_EXAMPLES catalog', () => {
+	it('every example has a name, description and non-empty DSL starting with "model"', () => {
+		expect(MODEL_EXAMPLES.length).toBeGreaterThan(0);
+		for (const ex of MODEL_EXAMPLES) {
+			expect(ex.name).toBeTruthy();
+			expect(ex.description).toBeTruthy();
+			expect(ex.dsl.trim().startsWith('model')).toBe(true);
+		}
+	});
+});
diff --git a/web/dashboard/src/pages/authorization/modelDsl.ts b/web/dashboard/src/pages/authorization/modelDsl.ts
index 2664a102..f5ae1f85 100644
--- a/web/dashboard/src/pages/authorization/modelDsl.ts
+++ b/web/dashboard/src/pages/authorization/modelDsl.ts
@@ -25,7 +25,8 @@ const IDENT = /^[a-zA-Z0-9_]+$/;
 function relationExpr(r: RelationDef): string {
 	const parts: string[] = [];
 	if (r.directTypes.length) parts.push(`[${r.directTypes.join(', ')}]`);
-	for (const c of r.computed) parts.push(c.from ? `${c.relation} from ${c.from}` : c.relation);
+	for (const c of r.computed)
+		parts.push(c.from ? `${c.relation} from ${c.from}` : c.relation);
 	return parts.join(' or ');
 }
 
@@ -35,7 +36,8 @@ export function generateDsl(model: ModelDraft): string {
 		lines.push(`type ${t.name}`);
 		if (t.relations.length) {
 			lines.push('  relations');
-			for (const r of t.relations) lines.push(`    define ${r.name}: ${relationExpr(r)}`);
+			for (const r of t.relations)
+				lines.push(`    define ${r.name}: ${relationExpr(r)}`);
 		}
 	}
 	return lines.join('\n') + '\n';
@@ -44,7 +46,10 @@ export function generateDsl(model: ModelDraft): string {
 // parseDsl best-effort parses the simple subset (direct + union + inheritance)
 // so we can render a plain-English summary. Models with advanced constructs
 // return supported=false (no summary shown).
-export function parseDsl(dsl: string): { model: ModelDraft | null; supported: boolean } {
+export function parseDsl(dsl: string): {
+	model: ModelDraft | null;
+	supported: boolean;
+} {
 	const types: TypeDef[] = [];
 	let current: TypeDef | null = null;
 	for (const raw of dsl.split('\n')) {
@@ -68,13 +73,20 @@ export function parseDsl(dsl: string): { model: ModelDraft | null; supported: bo
 			const m = trimmed.match(/^define\s+([a-zA-Z0-9_]+)\s*:\s*(.+)$/);
 			if (!m) return { model: null, supported: false };
 			const expr = m[2].trim();
-			if (/\bbut\s+not\b|\band\b|[()]|\bwith\b/.test(expr)) return { model: null, supported: false };
+			if (/\bbut\s+not\b|\band\b|[()]|\bwith\b/.test(expr))
+				return { model: null, supported: false };
 			const rel: RelationDef = { name: m[1], directTypes: [], computed: [] };
 			for (const partRaw of expr.split(/\s+or\s+/)) {
 				const part = partRaw.trim();
 				if (!part) continue;
 				if (part.startsWith('[') && part.endsWith(']')) {
-					rel.directTypes.push(...part.slice(1, -1).split(',').map((s) => s.trim()).filter(Boolean));
+					rel.directTypes.push(
+						...part
+							.slice(1, -1)
+							.split(',')
+							.map((s) => s.trim())
+							.filter(Boolean),
+					);
 				} else if (/\sfrom\s/.test(part)) {
 					const fm = part.match(/^([a-zA-Z0-9_]+)\s+from\s+([a-zA-Z0-9_]+)$/);
 					if (!fm) return { model: null, supported: false };
@@ -99,16 +111,25 @@ export function summarize(model: ModelDraft): string[] {
 	for (const t of model.types) {
 		for (const r of t.relations) {
 			const bits: string[] = [];
-			if (r.directTypes.length) bits.push(`assigned (${r.directTypes.join(', ')})`);
-			for (const c of r.computed) bits.push(c.from ? `${c.relation} of its ${c.from}` : `a ${c.relation}`);
-			out.push(`A user who is ${bits.join(' OR ')} is "${r.name}" of a ${t.name}.`);
+			if (r.directTypes.length)
+				bits.push(`assigned (${r.directTypes.join(', ')})`);
+			for (const c of r.computed)
+				bits.push(
+					c.from ? `${c.relation} of its ${c.from}` : `a ${c.relation}`,
+				);
+			out.push(
+				`A user who is ${bits.join(' OR ')} is "${r.name}" of a ${t.name}.`,
+			);
 		}
 	}
 	return out;
 }
 
 export function sanitizeRelationName(role: string): string {
-	return role.trim().replace(/[^a-zA-Z0-9_]/g, '_').replace(/^_+|_+$/g, '');
+	return role
+		.trim()
+		.replace(/[^a-zA-Z0-9_]/g, '_')
+		.replace(/^_+|_+$/g, '');
 }
 
 // rolesTemplate builds a model from the instance's configured roles: each role
@@ -123,8 +144,120 @@ export function rolesTemplate(roles: string[]): ModelDraft | null {
 		rel.push({ name, directTypes: ['user'], computed: [] });
 	}
 	if (!rel.length) return null;
-	rel.push({ name: 'can_access', directTypes: [], computed: rel.map((r) => ({ relation: r.name })) });
-	return { types: [{ name: 'user', relations: [] }, { name: 'resource', relations: rel }] };
+	rel.push({
+		name: 'can_access',
+		directTypes: [],
+		computed: rel.map((r) => ({ relation: r.name })),
+	});
+	return {
+		types: [
+			{ name: 'user', relations: [] },
+			{ name: 'resource', relations: rel },
+		],
+	};
+}
+
+// dedupeNames sanitizes a list of role/permission names and drops blanks and
+// duplicates while preserving order.
+function dedupeNames(names: string[]): string[] {
+	const seen = new Set<string>();
+	const out: string[] = [];
+	for (const raw of names) {
+		const name = sanitizeRelationName(raw);
+		if (!name || seen.has(name)) continue;
+		seen.add(name);
+		out.push(name);
+	}
+	return out;
+}
+
+// RbacConfig describes a roles × permissions matrix applied to one or more
+// resource types: a set of roles, a set of actions, and which roles are granted
+// which actions. Every listed resource type shares the same matrix.
+export interface RbacConfig {
+	// The object types being protected (e.g. ["document", "project"]). Each
+	// becomes its own type with the same role/permission relations.
+	resourceTypes: string[];
+	roles: string[];
+	permissions: string[];
+	// grant[role] = list of permission names that role is allowed.
+	grant: Record<string, string[]>;
+}
+
+// RESERVED_TYPES are the type names the RBAC builder always emits; a resource
+// type may not reuse them.
+export const RESERVED_TYPES = ['user', 'role'];
+
+// rbacModel turns a roles × permissions matrix into a standard OpenFGA RBAC
+// model with one type per protected resource:
+//
+//   type user
+//   type role
+//     relations
+//       define assignee: [user]
+//   type <resource>            (one per resourceTypes entry)
+//     relations
+//       define <role>: [user, role#assignee]   (one per role)
+//       define can_<perm>: <roles-with-perm>    (one per granted action)
+//
+// Each role relation accepts a direct user OR a whole role userset, so admins
+// can grant a single user or an entire role on an object. Returns null when the
+// matrix is empty (no valid resource, no role, or no granted permission).
+export function rbacModel(config: RbacConfig): ModelDraft | null {
+	const resources = dedupeNames(config.resourceTypes).filter(
+		(r) => !RESERVED_TYPES.includes(r),
+	);
+	if (!resources.length) return null;
+
+	const roles = dedupeNames(config.roles);
+	const perms = dedupeNames(config.permissions);
+	if (!roles.length) return null;
+
+	const relations: RelationDef[] = [];
+	for (const role of roles) {
+		relations.push({
+			name: role,
+			directTypes: ['user', 'role#assignee'],
+			computed: [],
+		});
+	}
+
+	let grantedAny = false;
+	for (const perm of perms) {
+		const rolesWithPerm = roles.filter((r) =>
+			(config.grant[r] || []).map(sanitizeRelationName).includes(perm),
+		);
+		if (!rolesWithPerm.length) continue;
+		grantedAny = true;
+		relations.push({
+			name: `can_${perm}`,
+			directTypes: [],
+			computed: rolesWithPerm.map((r) => ({ relation: r })),
+		});
+	}
+	if (!grantedAny) return null;
+
+	// Each resource gets its own copy of the relation set (cloned so the
+	// generated types never share mutable references).
+	const resourceTypes: TypeDef[] = resources.map((name) => ({
+		name,
+		relations: relations.map((r) => ({
+			name: r.name,
+			directTypes: [...r.directTypes],
+			computed: r.computed.map((c) => ({ ...c })),
+		})),
+	}));
+
+	return {
+		types: [
+			{ name: 'user', relations: [] },
+			{
+				name: 'role',
+				relations: [{ name: 'assignee', directTypes: ['user'], computed: [] }],
+			},
+			...resourceTypes,
+		],
+	};
 }
 
 // MODEL_EXAMPLES is a catalog of common authorization patterns as raw DSL.
diff --git a/web/dashboard/src/types.ts b/web/dashboard/src/types.ts
index 3cc54bfc..192a04c1 100644
--- a/web/dashboard/src/types.ts
+++ b/web/dashboard/src/types.ts
@@ -132,12 +132,6 @@ export interface FgaTuple {
 	object: string;
 }
 
-export interface AdminRolesResponse {
-	_env: {
-		ROLES?: string[] | null;
-	} | null;
-}
-
 export interface FgaGetModelResponse {
 	_fga_get_model: FgaModel;
 }
@@ -176,4 +170,3 @@ export interface FgaCheckResponse {
 		allowed: boolean;
 	};
 }
-
diff --git a/web/dashboard/vitest.config.ts b/web/dashboard/vitest.config.ts
new file mode 100644
index 00000000..2dae37a4
--- /dev/null
+++ b/web/dashboard/vitest.config.ts
@@ -0,0 +1,11 @@
+import { defineConfig } from 'vitest/config';
+
+// Unit tests run in a plain Node environment — the suites here cover pure
+// model/DSL logic, no DOM required. Kept separate from vite.config.ts so the
+// production build config stays untouched.
+export default defineConfig({
+	test: {
+		environment: 'node',
+		include: ['src/**/*.test.ts'],
+	},
+});

From a7dd8e54447ffb78a6aab01be7f0e18c9df144fe Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Wed, 10 Jun 2026 12:36:01 +0530
Subject: [PATCH 21/39] feat(fga): _admin_meta query + seed model builder from
 configured roles
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Add admin-only _admin_meta query (AdminMeta type) returning the configured
  roles / default_roles / protected_roles. Super-admin gated; the non-deprecated
  replacement for the role bits of _env (deprecated in v2).
- Dashboard model builder seeds its roles × permissions matrix from the real
  configured roles via _admin_meta, falling back to a generic set. The builder
  mounts only after the roles fetch settles so it never locks in the fallback.
- Test: admin_meta_test.go (super-admin gated, returns configured roles).
---
 internal/graph/generated/generated.go         | 317 ++++++++++++++++++
 internal/graph/model/models_gen.go            |   6 +
 internal/graph/schema.graphqls                |  12 +
 internal/graph/schema.resolvers.go            |   5 +
 internal/graphql/admin_meta.go                |  47 +++
 internal/graphql/provider.go                  |   5 +
 internal/integration_tests/admin_meta_test.go |  48 +++
 web/dashboard/src/graphql/queries/index.ts    |  12 +
 .../src/pages/authorization/Model.tsx         |  62 +++-
 web/dashboard/src/types.ts                    |   6 +
 10 files changed, 506 insertions(+), 14 deletions(-)
 create mode 100644 internal/graphql/admin_meta.go
 create mode 100644 internal/integration_tests/admin_meta_test.go

diff --git a/internal/graph/generated/generated.go b/internal/graph/generated/generated.go
index 869b7c22..86df0c83 100644
--- a/internal/graph/generated/generated.go
+++ b/internal/graph/generated/generated.go
@@ -46,6 +46,12 @@ type DirectiveRoot struct {
 }
 
 type ComplexityRoot struct {
+	AdminMeta struct {
+		DefaultRoles   func(childComplexity int) int
+		ProtectedRoles func(childComplexity int) int
+		Roles          func(childComplexity int) int
+	}
+
 	AuditLog struct {
 		Action       func(childComplexity int) int
 		ActorEmail   func(childComplexity int) int
@@ -296,6 +302,7 @@ type ComplexityRoot struct {
 	}
 
 	Query struct {
+		AdminMeta            func(childComplexity int) int
 		AdminSession         func(childComplexity int) int
 		AuditLogs            func(childComplexity int, params *model.ListAuditLogRequest) int
 		EmailTemplates       func(childComplexity int, params *model.PaginatedRequest) int
@@ -464,6 +471,7 @@ type QueryResolver interface {
 	User(ctx context.Context, params model.GetUserRequest) (*model.User, error)
 	VerificationRequests(ctx context.Context, params *model.PaginatedRequest) (*model.VerificationRequests, error)
 	AdminSession(ctx context.Context) (*model.Response, error)
+	AdminMeta(ctx context.Context) (*model.AdminMeta, error)
 	Env(ctx context.Context) (*model.Env, error)
 	Webhook(ctx context.Context, params model.WebhookRequest) (*model.Webhook, error)
 	Webhooks(ctx context.Context, params *model.PaginatedRequest) (*model.Webhooks, error)
@@ -498,6 +506,27 @@ func (e *executableSchema) Complexity(ctx context.Context, typeName, field strin
 	_ = ec
 	switch typeName + "." + field {
 
+	case "AdminMeta.default_roles":
+		if e.complexity.AdminMeta.DefaultRoles == nil {
+			break
+		}
+
+		return e.complexity.AdminMeta.DefaultRoles(childComplexity), true
+
+	case "AdminMeta.protected_roles":
+		if e.complexity.AdminMeta.ProtectedRoles == nil {
+			break
+		}
+
+		return e.complexity.AdminMeta.ProtectedRoles(childComplexity), true
+
+	case "AdminMeta.roles":
+		if e.complexity.AdminMeta.Roles == nil {
+			break
+		}
+
+		return e.complexity.AdminMeta.Roles(childComplexity), true
+
 	case "AuditLog.action":
 		if e.complexity.AuditLog.Action == nil {
 			break
@@ -1960,6 +1989,13 @@ func (e *executableSchema) Complexity(ctx context.Context, typeName, field strin
 
 		return e.complexity.Pagination.Total(childComplexity), true
 
+	case "Query._admin_meta":
+		if e.complexity.Query.AdminMeta == nil {
+			break
+		}
+
+		return e.complexity.Query.AdminMeta(childComplexity), true
+
 	case "Query._admin_session":
 		if e.complexity.Query.AdminSession == nil {
 			break
@@ -2801,6 +2837,15 @@ type Meta {
   is_phone_verification_enabled: Boolean!
 }
 
+# AdminMeta is admin-only configuration metadata exposed via the _admin_meta
+# query — the non-deprecated way for the dashboard to read configured roles
+# (the deprecated _env used to carry these).
+type AdminMeta {
+  roles: [String!]!
+  default_roles: [String!]!
+  protected_roles: [String!]!
+}
+
 type User {
   id: ID!
   # email or phone_number is always present
@@ -3618,6 +3663,9 @@ type Query {
   _user(params: GetUserRequest!): User!
   _verification_requests(params: PaginatedRequest): VerificationRequests!
   _admin_session: Response!
+  # Admin-only configuration metadata (e.g. configured roles). Non-deprecated
+  # replacement for the bits of _env the dashboard needs.
+  _admin_meta: AdminMeta!
   # Deprecated from v2.0.0
   _env: Env!
   _webhook(params: WebhookRequest!): Webhook!
@@ -5163,6 +5211,138 @@ func (ec *executionContext) field___Type_fields_argsIncludeDeprecated(
 
 // region    **************************** field.gotpl *****************************
 
+func (ec *executionContext) _AdminMeta_roles(ctx context.Context, field graphql.CollectedField, obj *model.AdminMeta) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AdminMeta_roles(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.Roles, nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
+		return graphql.Null
+	}
+	res := resTmp.([]string)
+	fc.Result = res
+	return ec.marshalNString2ᚕstringᚄ(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext_AdminMeta_roles(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "AdminMeta",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type String does not have child fields")
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) _AdminMeta_default_roles(ctx context.Context, field graphql.CollectedField, obj *model.AdminMeta) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AdminMeta_default_roles(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.DefaultRoles, nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
+		return graphql.Null
+	}
+	res := resTmp.([]string)
+	fc.Result = res
+	return ec.marshalNString2ᚕstringᚄ(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext_AdminMeta_default_roles(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "AdminMeta",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type String does not have child fields")
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) _AdminMeta_protected_roles(ctx context.Context, field graphql.CollectedField, obj *model.AdminMeta) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_AdminMeta_protected_roles(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.ProtectedRoles, nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
+		return graphql.Null
+	}
+	res := resTmp.([]string)
+	fc.Result = res
+	return ec.marshalNString2ᚕstringᚄ(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext_AdminMeta_protected_roles(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "AdminMeta",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type String does not have child fields")
+		},
+	}
+	return fc, nil
+}
+
 func (ec *executionContext) _AuditLog_id(ctx context.Context, field graphql.CollectedField, obj *model.AuditLog) (ret graphql.Marshaler) {
 	fc, err := ec.fieldContext_AuditLog_id(ctx, field)
 	if err != nil {
@@ -14577,6 +14757,58 @@ func (ec *executionContext) fieldContext_Query__admin_session(_ context.Context,
 	return fc, nil
 }
 
+func (ec *executionContext) _Query__admin_meta(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Query__admin_meta(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return ec.resolvers.Query().AdminMeta(rctx)
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
+		return graphql.Null
+	}
+	res := resTmp.(*model.AdminMeta)
+	fc.Result = res
+	return ec.marshalNAdminMeta2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAdminMeta(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext_Query__admin_meta(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "Query",
+		Field:      field,
+		IsMethod:   true,
+		IsResolver: true,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			switch field.Name {
+			case "roles":
+				return ec.fieldContext_AdminMeta_roles(ctx, field)
+			case "default_roles":
+				return ec.fieldContext_AdminMeta_default_roles(ctx, field)
+			case "protected_roles":
+				return ec.fieldContext_AdminMeta_protected_roles(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type AdminMeta", field.Name)
+		},
+	}
+	return fc, nil
+}
+
 func (ec *executionContext) _Query__env(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
 	fc, err := ec.fieldContext_Query__env(ctx, field)
 	if err != nil {
@@ -22932,6 +23164,55 @@ func (ec *executionContext) unmarshalInputWebhookRequest(ctx context.Context, ob
 
 // region    **************************** object.gotpl ****************************
 
+var adminMetaImplementors = []string{"AdminMeta"}
+
+func (ec *executionContext) _AdminMeta(ctx context.Context, sel ast.SelectionSet, obj *model.AdminMeta) graphql.Marshaler {
+	fields := graphql.CollectFields(ec.OperationContext, sel, adminMetaImplementors)
+
+	out := graphql.NewFieldSet(fields)
+	deferred := make(map[string]*graphql.FieldSet)
+	for i, field := range fields {
+		switch field.Name {
+		case "__typename":
+			out.Values[i] = graphql.MarshalString("AdminMeta")
+		case "roles":
+			out.Values[i] = ec._AdminMeta_roles(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		case "default_roles":
+			out.Values[i] = ec._AdminMeta_default_roles(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		case "protected_roles":
+			out.Values[i] = ec._AdminMeta_protected_roles(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		default:
+			panic("unknown field " + strconv.Quote(field.Name))
+		}
+	}
+	out.Dispatch(ctx)
+	if out.Invalids > 0 {
+		return graphql.Null
+	}
+
+	atomic.AddInt32(&ec.deferred, int32(len(deferred)))
+
+	for label, dfs := range deferred {
+		ec.processDeferredGroup(graphql.DeferredGroup{
+			Label:    label,
+			Path:     graphql.GetPath(ctx),
+			FieldSet: dfs,
+			Context:  ctx,
+		})
+	}
+
+	return out
+}
+
 var auditLogImplementors = []string{"AuditLog"}
 
 func (ec *executionContext) _AuditLog(ctx context.Context, sel ast.SelectionSet, obj *model.AuditLog) graphql.Marshaler {
@@ -24626,6 +24907,28 @@ func (ec *executionContext) _Query(ctx context.Context, sel ast.SelectionSet) gr
 					func(ctx context.Context) graphql.Marshaler { return innerFunc(ctx, out) })
 			}
 
+			out.Concurrently(i, func(ctx context.Context) graphql.Marshaler { return rrm(innerCtx) })
+		case "_admin_meta":
+			field := field
+
+			innerFunc := func(ctx context.Context, fs *graphql.FieldSet) (res graphql.Marshaler) {
+				defer func() {
+					if r := recover(); r != nil {
+						ec.Error(ctx, ec.Recover(ctx, r))
+					}
+				}()
+				res = ec._Query__admin_meta(ctx, field)
+				if res == graphql.Null {
+					atomic.AddUint32(&fs.Invalids, 1)
+				}
+				return res
+			}
+
+			rrm := func(ctx context.Context) graphql.Marshaler {
+				return ec.OperationContext.RootResolverMiddleware(ctx,
+					func(ctx context.Context) graphql.Marshaler { return innerFunc(ctx, out) })
+			}
+
 			out.Concurrently(i, func(ctx context.Context) graphql.Marshaler { return rrm(innerCtx) })
 		case "_env":
 			field := field
@@ -25880,6 +26183,20 @@ func (ec *executionContext) unmarshalNAdminLoginRequest2githubᚗcomᚋauthorize
 	return res, graphql.ErrorOnPath(ctx, err)
 }
 
+func (ec *executionContext) marshalNAdminMeta2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAdminMeta(ctx context.Context, sel ast.SelectionSet, v model.AdminMeta) graphql.Marshaler {
+	return ec._AdminMeta(ctx, sel, &v)
+}
+
+func (ec *executionContext) marshalNAdminMeta2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAdminMeta(ctx context.Context, sel ast.SelectionSet, v *model.AdminMeta) graphql.Marshaler {
+	if v == nil {
+		if !graphql.HasFieldError(ctx, graphql.GetFieldContext(ctx)) {
+			ec.Errorf(ctx, "the requested element is null which the schema does not allow")
+		}
+		return graphql.Null
+	}
+	return ec._AdminMeta(ctx, sel, v)
+}
+
 func (ec *executionContext) unmarshalNAdminSignupRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAdminSignupRequest(ctx context.Context, v any) (model.AdminSignupRequest, error) {
 	res, err := ec.unmarshalInputAdminSignupRequest(ctx, v)
 	return res, graphql.ErrorOnPath(ctx, err)
diff --git a/internal/graph/model/models_gen.go b/internal/graph/model/models_gen.go
index af50b6ef..29a460c0 100644
--- a/internal/graph/model/models_gen.go
+++ b/internal/graph/model/models_gen.go
@@ -21,6 +21,12 @@ type AdminLoginRequest struct {
 	AdminSecret string `json:"admin_secret"`
 }
 
+type AdminMeta struct {
+	Roles          []string `json:"roles"`
+	DefaultRoles   []string `json:"default_roles"`
+	ProtectedRoles []string `json:"protected_roles"`
+}
+
 type AdminSignupRequest struct {
 	AdminSecret string `json:"admin_secret"`
 }
diff --git a/internal/graph/schema.graphqls b/internal/graph/schema.graphqls
index 0a300949..35f9e79f 100644
--- a/internal/graph/schema.graphqls
+++ b/internal/graph/schema.graphqls
@@ -35,6 +35,15 @@ type Meta {
   is_phone_verification_enabled: Boolean!
 }
 
+# AdminMeta is admin-only configuration metadata exposed via the _admin_meta
+# query — the non-deprecated way for the dashboard to read configured roles
+# (the deprecated _env used to carry these).
+type AdminMeta {
+  roles: [String!]!
+  default_roles: [String!]!
+  protected_roles: [String!]!
+}
+
 type User {
   id: ID!
   # email or phone_number is always present
@@ -852,6 +861,9 @@ type Query {
   _user(params: GetUserRequest!): User!
   _verification_requests(params: PaginatedRequest): VerificationRequests!
   _admin_session: Response!
+  # Admin-only configuration metadata (e.g. configured roles). Non-deprecated
+  # replacement for the bits of _env the dashboard needs.
+  _admin_meta: AdminMeta!
   # Deprecated from v2.0.0
   _env: Env!
   _webhook(params: WebhookRequest!): Webhook!
diff --git a/internal/graph/schema.resolvers.go b/internal/graph/schema.resolvers.go
index 5308079c..c67ec937 100644
--- a/internal/graph/schema.resolvers.go
+++ b/internal/graph/schema.resolvers.go
@@ -237,6 +237,11 @@ func (r *queryResolver) AdminSession(ctx context.Context) (*model.Response, erro
 	return r.GraphQLProvider.AdminSession(ctx)
 }
 
+// AdminMeta is the resolver for the _admin_meta field.
+func (r *queryResolver) AdminMeta(ctx context.Context) (*model.AdminMeta, error) {
+	return r.GraphQLProvider.AdminMeta(ctx)
+}
+
 // Env is the resolver for the _env field.
 func (r *queryResolver) Env(ctx context.Context) (*model.Env, error) {
 	return nil, fmt.Errorf("deprecated. please configure env via cli args")
diff --git a/internal/graphql/admin_meta.go b/internal/graphql/admin_meta.go
new file mode 100644
index 00000000..252f52ad
--- /dev/null
+++ b/internal/graphql/admin_meta.go
@@ -0,0 +1,47 @@
+package graphql
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/utils"
+)
+
+// AdminMeta returns admin-only configuration metadata — the configured roles,
+// default roles and protected roles. It is the non-deprecated replacement for
+// the bits of _env the dashboard needs (e.g. seeding the FGA model builder with
+// the instance's real roles and flagging FGA role references that aren't
+// configured roles).
+// Permissions: authorizer:admin
+func (g *graphqlProvider) AdminMeta(ctx context.Context) (*model.AdminMeta, error) {
+	log := g.Log.With().Str("func", "AdminMeta").Logger()
+	gc, err := utils.GinContextFromContext(ctx)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to get GinContext")
+		return nil, err
+	}
+	if !g.TokenProvider.IsSuperAdmin(gc) {
+		log.Debug().Msg("Not logged in as super admin")
+		return nil, fmt.Errorf("unauthorized")
+	}
+	// Never return nil slices: the schema fields are non-null lists, so default
+	// to empty slices when nothing is configured.
+	roles := g.Config.Roles
+	if roles == nil {
+		roles = []string{}
+	}
+	defaultRoles := g.Config.DefaultRoles
+	if defaultRoles == nil {
+		defaultRoles = []string{}
+	}
+	protectedRoles := g.Config.ProtectedRoles
+	if protectedRoles == nil {
+		protectedRoles = []string{}
+	}
+	return &model.AdminMeta{
+		Roles:          roles,
+		DefaultRoles:   defaultRoles,
+		ProtectedRoles: protectedRoles,
+	}, nil
+}
diff --git a/internal/graphql/provider.go b/internal/graphql/provider.go
index c7cfe6fb..8f55b484 100644
--- a/internal/graphql/provider.go
+++ b/internal/graphql/provider.go
@@ -117,6 +117,11 @@ type Provider interface {
 	// Meta is the method to get meta.
 	// Permissions: none
 	Meta(ctx context.Context) (*model.Meta, error)
+	// AdminMeta returns admin-only configuration metadata (e.g. the configured
+	// roles), the non-deprecated replacement for the bits of _env the dashboard
+	// needs.
+	// Permissions: authorizer:admin
+	AdminMeta(ctx context.Context) (*model.AdminMeta, error)
 	// Profile is the method to get profile.
 	// Permissions: authorized user
 	Profile(ctx context.Context) (*model.User, error)
diff --git a/internal/integration_tests/admin_meta_test.go b/internal/integration_tests/admin_meta_test.go
new file mode 100644
index 00000000..3eb87edd
--- /dev/null
+++ b/internal/integration_tests/admin_meta_test.go
@@ -0,0 +1,48 @@
+package integration_tests
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/authorizerdev/authorizer/internal/constants"
+	"github.com/authorizerdev/authorizer/internal/crypto"
+	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// TestAdminMeta tests the _admin_meta query, the non-deprecated source of the
+// configured roles for the dashboard. It must be super-admin gated and return
+// the configured role lists.
+func TestAdminMeta(t *testing.T) {
+	cfg := getTestConfig()
+	ts := initTestSetup(t, cfg)
+	req, ctx := createContext(ts)
+
+	t.Run("should fail without admin cookie", func(t *testing.T) {
+		res, err := ts.GraphQLProvider.AdminMeta(ctx)
+		assert.Error(t, err)
+		assert.Nil(t, res)
+	})
+
+	t.Run("should return configured roles with a valid admin cookie", func(t *testing.T) {
+		_, err := ts.GraphQLProvider.AdminLogin(ctx, &model.AdminLoginRequest{
+			AdminSecret: cfg.AdminSecret,
+		})
+		require.NoError(t, err)
+
+		h, err := crypto.EncryptPassword(cfg.AdminSecret)
+		require.NoError(t, err)
+		req.Header.Set("Cookie", fmt.Sprintf("%s=%s", constants.AdminCookieName, h))
+
+		res, err := ts.GraphQLProvider.AdminMeta(ctx)
+		require.NoError(t, err)
+		require.NotNil(t, res)
+		// Mirrors the configured roles in getTestConfig.
+		assert.Equal(t, cfg.Roles, res.Roles)
+		assert.Equal(t, cfg.DefaultRoles, res.DefaultRoles)
+		assert.Contains(t, res.Roles, "admin")
+		// Non-null list contract: never nil, even when nothing is configured.
+		assert.NotNil(t, res.ProtectedRoles)
+	})
+}
diff --git a/web/dashboard/src/graphql/queries/index.ts b/web/dashboard/src/graphql/queries/index.ts
index 3f43411b..864a3d9a 100644
--- a/web/dashboard/src/graphql/queries/index.ts
+++ b/web/dashboard/src/graphql/queries/index.ts
@@ -164,3 +164,15 @@ export const FgaCheckQuery = `
     }
   }
 `;
+
+// AdminRolesQuery fetches the instance's configured roles via the admin-only
+// _admin_meta query so the FGA model builder can seed its matrix with the real
+// roles, and the dashboard can flag FGA role references that aren't configured
+// roles. (_env, the old source, is deprecated in v2.)
+export const AdminRolesQuery = `
+  query adminMeta {
+    _admin_meta {
+      roles
+    }
+  }
+`;
diff --git a/web/dashboard/src/pages/authorization/Model.tsx b/web/dashboard/src/pages/authorization/Model.tsx
index 85edf6b3..d1c7c0cc 100644
--- a/web/dashboard/src/pages/authorization/Model.tsx
+++ b/web/dashboard/src/pages/authorization/Model.tsx
@@ -10,7 +10,11 @@ import {
 	AlertTriangle,
 	LayoutTemplate,
 } from 'lucide-react';
-import { FgaGetModelQuery, FgaReadTuplesQuery } from '../../graphql/queries';
+import {
+	FgaGetModelQuery,
+	FgaReadTuplesQuery,
+	AdminRolesQuery,
+} from '../../graphql/queries';
 import { FgaWriteModel, FgaReset } from '../../graphql/mutation';
 import { Button } from '../../components/ui/button';
 import { Textarea } from '../../components/ui/textarea';
@@ -37,6 +41,7 @@ import type {
 	FgaWriteModelResponse,
 	FgaReadTuplesResponse,
 	FgaResetResponse,
+	AdminRolesResponse,
 } from '../../types';
 
 const PLACEHOLDER = `model
@@ -70,6 +75,13 @@ const Model = () => {
 	const [confirmText, setConfirmText] = useState('');
 	// The example catalog lives in a modal so the editor stays the focus.
 	const [exampleOpen, setExampleOpen] = useState(false);
+	// The instance's configured roles. Used to seed the builder's matrix and to
+	// flag FGA role references that aren't configured roles (advisory only).
+	const [roles, setRoles] = useState<string[]>([]);
+	// The builder seeds its matrix from `roles` in a one-time initializer, so we
+	// must not mount it until the roles fetch has settled — otherwise it locks in
+	// the generic fallback before the real roles arrive.
+	const [rolesLoaded, setRolesLoaded] = useState(false);
 
 	const checkTuples = useCallback(async () => {
 		try {
@@ -124,6 +136,21 @@ const Model = () => {
 		checkTuples();
 	}, [fetchModel, checkTuples]);
 
+	// Load the instance's configured roles (best-effort) to seed the builder and
+	// power the advisory "not a configured role" hints. Failure is non-fatal —
+	// with no roles list the hints simply never fire.
+	useEffect(() => {
+		client
+			.query<AdminRolesResponse>(AdminRolesQuery, {})
+			.toPromise()
+			.then((res) => {
+				const r = res.data?._admin_meta?.roles;
+				if (Array.isArray(r)) setRoles(r.filter(Boolean));
+			})
+			.catch(() => {})
+			.finally(() => setRolesLoaded(true));
+	}, [client]);
+
 	const applyExample = (name: string, exampleDsl: string) => {
 		if (
 			dsl.trim() &&
@@ -282,19 +309,26 @@ const Model = () => {
 								Need hierarchies, groups or conditions? Switch to{' '}
 								<strong>Advanced (DSL)</strong>.
 							</Example>
-							<RbacBuilder
-								initialRoles={[]}
-								onApply={(generatedDsl) => {
-									// Populate the editor and switch to Advanced for review.
-									// Saving (a new immutable model version) stays an explicit
-									// click on "Save model", so the user controls when a
-									// version is created — no churn from repeated clicks.
-									setDsl(generatedDsl);
-									setValidationError('');
-									setMode('advanced');
-									toast.success('Model ready — review it below, then Save');
-								}}
-							/>
+							{rolesLoaded ? (
+								<RbacBuilder
+									initialRoles={roles}
+									onApply={(generatedDsl) => {
+										// Populate the editor and switch to Advanced for review.
+										// Saving (a new immutable model version) stays an explicit
+										// click on "Save model", so the user controls when a
+										// version is created — no churn from repeated clicks.
+										setDsl(generatedDsl);
+										setValidationError('');
+										setMode('advanced');
+										toast.success('Model ready — review it below, then Save');
+									}}
+								/>
+							) : (
+								<div className="space-y-3">
+									<Skeleton className="h-8 w-72" />
+									<Skeleton className="h-40 w-full" />
+								</div>
+							)}
 						</>
 					) : (
 						<>
diff --git a/web/dashboard/src/types.ts b/web/dashboard/src/types.ts
index 192a04c1..96e3eba4 100644
--- a/web/dashboard/src/types.ts
+++ b/web/dashboard/src/types.ts
@@ -170,3 +170,9 @@ export interface FgaCheckResponse {
 		allowed: boolean;
 	};
 }
+
+export interface AdminRolesResponse {
+	_admin_meta: {
+		roles?: string[] | null;
+	} | null;
+}

From e6c457cc726677befef8ca5a3290b9e83bcf9b5b Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Wed, 10 Jun 2026 12:36:45 +0530
Subject: [PATCH 22/39] docs(fga): ReBAC hierarchy guide, concentric examples,
 user-id convention
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Add docs/fga-rebac-guide.md: app vs FGA roles, identifying subjects by
  user:<id> (not names), org→project→resource hierarchy (grant once, inherit
  everywhere), and fine-grained grants that coexist with inheritance.
- Add "Org → project → resource" and "Company roles (RBAC)" model examples;
  make both concentric (editor implies viewer; permissions reference the next
  more-powerful one) per OpenFGA's concentric-relationships guidance.
- Add hierarchy_test.go proving inheritance from one org-level grant, scoped
  fine-grained grants, and concentric view, all keyed by user:<id>.
- Grant form nudges admins to use the user's id, not a name.
---
 docs/fga-rebac-guide.md                       | 156 ++++++++++++++++++
 .../engine/openfga/hierarchy_test.go          | 128 ++++++++++++++
 .../src/pages/authorization/Tuples.tsx        |   6 +-
 .../src/pages/authorization/modelDsl.test.ts  |  30 ++++
 .../src/pages/authorization/modelDsl.ts       |  56 +++++++
 5 files changed, 375 insertions(+), 1 deletion(-)
 create mode 100644 docs/fga-rebac-guide.md
 create mode 100644 internal/authorization/engine/openfga/hierarchy_test.go

diff --git a/docs/fga-rebac-guide.md b/docs/fga-rebac-guide.md
new file mode 100644
index 00000000..925f5422
--- /dev/null
+++ b/docs/fga-rebac-guide.md
@@ -0,0 +1,156 @@
+# Authorizer ReBAC guide (OpenFGA)
+
+Authorizer's fine-grained authorization (FGA) embeds OpenFGA in-process and
+models access as **relationships** between objects, not as flat per-user grants.
+This guide covers the patterns that make ReBAC worth using — hierarchy and
+inheritance — plus two things that are easy to get wrong: which kind of "role"
+you are dealing with, and how to identify subjects.
+
+## 1. Two kinds of "role" — they can and should differ
+
+| | Authorizer (app) roles | FGA roles |
+|---|---|---|
+| What | Configured via `--roles`; carried in the JWT `roles` claim. Read in the dashboard via the admin-only `_admin_meta` query. | Relations in the model (`editor`) and `role:` objects (`role:editor`). |
+| Scope | Global, coarse, identity-level — "is this principal an admin at all". | Fine-grained, object-scoped — "editor **of** `resource:doc1`". |
+| Lives in | The token. | The authorization graph (model + tuples). |
+
+They are **decoupled by design**. FGA roles are usually more granular than app
+roles (a `viewer` *of one org*, an `editor` *of one document*), so an FGA role
+name does **not** have to be one of your configured app roles. Forcing parity
+would throw away ReBAC's main advantage. If you want a specific app role to be
+globally assignable in the graph, *mirror it* as a tuple
+(`role:admin#assignee@user:<id>`) — don't equate the two sets.
+
+## 2. Always identify subjects by user **ID**, never by name
+
+A tuple's subject is `user:<id>`. Use the user's **immutable id** (Authorizer's
+user UUID), e.g.:
+
+```
+user:1b9d6bcd-bbfd-4b2d-9b5d-ab8dfbbd4bed   ✅ stable, unique
+user:alice                                  ❌ names aren't unique and change
+```
+
+Display names and emails are not unique and can change; the user id is stable
+for the lifetime of the account. Worked examples in the dashboard use
+`user:alice` for readability only — in real tuples, use the id.
+
+(The engine does not hard-enforce a UUID format, because a subject can also be a
+wildcard `user:*` or a userset like `group:eng#member` / `role:editor#assignee`.
+The id convention is a guideline, not a validation.)
+
+## 3. Hierarchy: grant once, inherit everywhere
+
+The canonical model is `organization → project → resource`, where each level
+inherits viewer/editor from its parent via `X from parent`:
+
+```dsl
+model
+  schema 1.1
+type user
+type organization
+  relations
+    define admin: [user]
+    define editor: [user] or admin
+    define viewer: [user] or editor
+    define can_view: viewer
+    define can_edit: editor
+type project
+  relations
+    define org: [organization]
+    define editor: [user] or editor from org
+    define viewer: [user] or editor or viewer from org
+    define can_view: viewer
+    define can_edit: editor
+type resource
+  relations
+    define project: [project]
+    define editor: [user] or editor from project
+    define viewer: [user] or editor or viewer from project
+    define can_view: viewer
+    define can_edit: editor
+```
+
+The roles are **concentric** — `viewer: [user] or editor` means an editor is
+automatically a viewer, so you never grant both. (This follows OpenFGA's
+concentric-relationships guidance: owner ⊃ editor ⊃ viewer.)
+
+This is the **"Org → project → resource"** example in the dashboard model
+builder (Step 1 → Advanced → Browse examples).
+
+### Wire up the structure once
+
+```
+organization:acme  org      project:webapp     # project belongs to org
+project:webapp     project  resource:doc1      # resource belongs to project
+project:webapp     project  resource:doc2
+```
+
+### Grant once, high in the tree
+
+```
+user:1b9d…  viewer  organization:acme          # one tuple
+```
+
+Now every check below inherits — **no per-resource tuples needed**:
+
+```
+Check(user:1b9d…, can_view, organization:acme) → allowed
+Check(user:1b9d…, can_view, project:webapp)    → allowed   (viewer from org)
+Check(user:1b9d…, can_view, resource:doc1)     → allowed   (viewer from project ← from org)
+Check(user:1b9d…, can_view, resource:doc2)     → allowed
+```
+
+A viewer does **not** inherit edit:
+
+```
+Check(user:1b9d…, can_edit, resource:doc1)     → denied
+```
+
+`ListObjects(user:1b9d…, can_view, "resource")` returns
+`["resource:doc1", "resource:doc2"]` — the whole subtree, from one grant.
+
+## 4. Fine-grained grants coexist with the hierarchy
+
+Inheritance does not stop you from granting a single object directly. A direct
+grant stays **scoped to that object**:
+
+```
+user:2c8e…  editor  resource:doc1              # one resource only
+```
+
+```
+Check(user:2c8e…, can_edit, resource:doc1)     → allowed   (direct grant)
+Check(user:2c8e…, can_view, resource:doc1)     → allowed   (concentric: editor ⊃ viewer)
+Check(user:2c8e…, can_edit, resource:doc2)     → denied    (does NOT leak to siblings)
+Check(user:2c8e…, can_view, resource:doc2)     → denied
+```
+
+So you compose **broad inherited access** (grant on the org/project) with
+**narrow exceptions** (grant on a single resource) in the same model.
+
+## 5. What the save paths validate
+
+- **`_fga_write_model`** parses the DSL and runs OpenFGA's model-consistency
+  check (relations reference defined types, no illegal cycles). It does **not**
+  validate role names against app roles.
+- **`_fga_write_tuples`** validates each tuple **against the active model** — the
+  object type must exist and the relation must be defined on it, with an allowed
+  user type. A tuple referencing an undefined relation/type is rejected. It does
+  **not** validate `role:<x>` ids or `user:<id>` against any external list.
+
+Both surfaces are super-admin gated and audited. The dashboard model builder
+seeds its roles from `_admin_meta` as a convenience, but FGA roles are free to
+diverge from app roles (see §1).
+
+## Where this lives in the code
+
+- Engine: `internal/authorization/engine/openfga/` (`openfga.go` bootstrap +
+  `Config`, `operations.go` model/tuple/check). SPI in
+  `internal/authorization/engine/engine.go`.
+- Hierarchy + fine-grained behaviour is covered by
+  `internal/authorization/engine/openfga/hierarchy_test.go`.
+- Dashboard examples: `web/dashboard/src/pages/authorization/modelDsl.ts`
+  (`MODEL_EXAMPLES`), tested in `modelDsl.test.ts`.
+- `_admin_meta` query: `internal/graphql/admin_meta.go` (super-admin gated),
+  tested in `internal/integration_tests/admin_meta_test.go`.
diff --git a/internal/authorization/engine/openfga/hierarchy_test.go b/internal/authorization/engine/openfga/hierarchy_test.go
new file mode 100644
index 00000000..1e542747
--- /dev/null
+++ b/internal/authorization/engine/openfga/hierarchy_test.go
@@ -0,0 +1,128 @@
+package openfga
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/authorizerdev/authorizer/internal/authorization/engine"
+)
+
+// hierarchyModel is the canonical ReBAC hierarchy: organization → project →
+// resource, where viewer/editor inherit down each edge (`X from parent`). It
+// mirrors the "Org → project → resource" dashboard example. The point of the
+// model is that a grant high in the tree applies to everything below it without
+// a per-object tuple, while a direct grant on one object stays scoped to it.
+const hierarchyModel = `model
+  schema 1.1
+type user
+type organization
+  relations
+    define admin: [user]
+    define editor: [user] or admin
+    define viewer: [user] or editor
+    define can_view: viewer
+    define can_edit: editor
+type project
+  relations
+    define org: [organization]
+    define editor: [user] or editor from org
+    define viewer: [user] or editor or viewer from org
+    define can_view: viewer
+    define can_edit: editor
+type resource
+  relations
+    define project: [project]
+    define editor: [user] or editor from project
+    define viewer: [user] or editor or viewer from project
+    define can_view: viewer
+    define can_edit: editor`
+
+// Subjects are referenced by their immutable user ID (user:<uuid>), never a
+// display name — names are not unique and can change, IDs are stable. The IDs
+// below are fixed UUIDs only so the test is deterministic.
+const (
+	userAlice = "user:1b9d6bcd-bbfd-4b2d-9b5d-ab8dfbbd4bed" // org-wide viewer
+	userBob   = "user:2c8e7cde-ccfe-4c3e-ac6e-bc9efccd5cfe" // single-resource editor
+	userCarol = "user:3d9f8def-ddff-4d4f-bd7f-cd0ffdde6dff" // no grant at all
+)
+
+// TestOpenFGAEngine_HierarchyInheritanceAndFineGrained proves the two headline
+// ReBAC behaviours: (1) a single org-level grant inherits to every project and
+// resource beneath it with no per-resource tuples, and (2) a fine-grained
+// direct grant on one resource stays scoped to that resource.
+func TestOpenFGAEngine_HierarchyInheritanceAndFineGrained(t *testing.T) {
+	ctx := context.Background()
+	eng, _ := newTestEngine(t)
+
+	_, err := eng.WriteModel(ctx, hierarchyModel)
+	require.NoError(t, err)
+
+	// Structure: organization:acme → project:webapp → {resource:doc1, doc2}.
+	// Grants: alice is an org viewer (once); bob is editor of doc1 only.
+	err = eng.WriteTuples(ctx, []engine.TupleKey{
+		// Hierarchy edges.
+		{User: "organization:acme", Relation: "org", Object: "project:webapp"},
+		{User: "project:webapp", Relation: "project", Object: "resource:doc1"},
+		{User: "project:webapp", Relation: "project", Object: "resource:doc2"},
+		// Grant ONCE on the org — no per-resource tuples for alice.
+		{User: userAlice, Relation: "viewer", Object: "organization:acme"},
+		// Fine-grained override — bob is editor of a single resource only.
+		{User: userBob, Relation: "editor", Object: "resource:doc1"},
+	})
+	require.NoError(t, err)
+
+	t.Run("org grant inherits down to every resource without a per-resource tuple", func(t *testing.T) {
+		for _, obj := range []string{
+			"organization:acme", "project:webapp", "resource:doc1", "resource:doc2",
+		} {
+			allowed, err := eng.Check(ctx, userAlice, "can_view", obj)
+			require.NoError(t, err)
+			assert.True(t, allowed, "org viewer must inherit can_view on %s", obj)
+		}
+	})
+
+	t.Run("a viewer does not inherit edit", func(t *testing.T) {
+		allowed, err := eng.Check(ctx, userAlice, "can_edit", "resource:doc1")
+		require.NoError(t, err)
+		assert.False(t, allowed, "viewer must not gain can_edit")
+	})
+
+	t.Run("a fine-grained grant stays scoped to its single resource", func(t *testing.T) {
+		allowed, err := eng.Check(ctx, userBob, "can_edit", "resource:doc1")
+		require.NoError(t, err)
+		assert.True(t, allowed, "direct editor must can_edit its own resource")
+
+		allowed, err = eng.Check(ctx, userBob, "can_edit", "resource:doc2")
+		require.NoError(t, err)
+		assert.False(t, allowed, "direct grant must NOT leak to a sibling resource")
+
+		// Concentric: an editor is also a viewer of the same object.
+		allowed, err = eng.Check(ctx, userBob, "can_view", "resource:doc1")
+		require.NoError(t, err)
+		assert.True(t, allowed, "an editor must also be able to view its resource")
+
+		// ...but bob has no access at all to a sibling resource.
+		allowed, err = eng.Check(ctx, userBob, "can_view", "resource:doc2")
+		require.NoError(t, err)
+		assert.False(t, allowed, "fine-grained editor has no access to doc2")
+	})
+
+	t.Run("an ungranted user is denied at every level", func(t *testing.T) {
+		for _, obj := range []string{
+			"organization:acme", "project:webapp", "resource:doc1",
+		} {
+			allowed, err := eng.Check(ctx, userCarol, "can_view", obj)
+			require.NoError(t, err)
+			assert.False(t, allowed, "ungranted user must be denied on %s", obj)
+		}
+	})
+
+	t.Run("ListObjects enumerates every inherited resource for the org viewer", func(t *testing.T) {
+		objs, err := eng.ListObjects(ctx, userAlice, "can_view", "resource")
+		require.NoError(t, err)
+		assert.ElementsMatch(t, []string{"resource:doc1", "resource:doc2"}, objs)
+	})
+}
diff --git a/web/dashboard/src/pages/authorization/Tuples.tsx b/web/dashboard/src/pages/authorization/Tuples.tsx
index 1c335938..60ac5049 100644
--- a/web/dashboard/src/pages/authorization/Tuples.tsx
+++ b/web/dashboard/src/pages/authorization/Tuples.tsx
@@ -420,10 +420,14 @@ const Tuples = () => {
 					<Label htmlFor="tuple-user">User</Label>
 					<Input
 						id="tuple-user"
-						placeholder="user:alice"
+						placeholder="user:<id>"
 						value={form.user}
 						onChange={(e) => setForm({ ...form, user: e.target.value })}
 					/>
+					<p className="text-xs text-gray-400">
+						Use the user&rsquo;s id (<code>user:&lt;id&gt;</code>), not a name —
+						ids are stable and unique.
+					</p>
 				</div>
 				<div className="space-y-1">
 					<Label htmlFor="tuple-relation">Relation</Label>
diff --git a/web/dashboard/src/pages/authorization/modelDsl.test.ts b/web/dashboard/src/pages/authorization/modelDsl.test.ts
index 9745b838..cda005f4 100644
--- a/web/dashboard/src/pages/authorization/modelDsl.test.ts
+++ b/web/dashboard/src/pages/authorization/modelDsl.test.ts
@@ -282,6 +282,36 @@ describe('MODEL_EXAMPLES catalog', () => {
 			expect(ex.name).toBeTruthy();
 			expect(ex.description).toBeTruthy();
 			expect(ex.dsl.trim().startsWith('model')).toBe(true);
+			// parseDsl must never throw on a shipped example (advanced ones may be
+			// flagged unsupported, but they must still parse cleanly).
+			expect(() => parseDsl(ex.dsl)).not.toThrow();
 		}
 	});
+
+	it('includes a relatable company-roles RBAC example that summarizes', () => {
+		const ex = MODEL_EXAMPLES.find((e) => e.name === 'Company roles (RBAC)');
+		expect(ex).toBeDefined();
+		const parsed = parseDsl(ex!.dsl);
+		expect(parsed.supported).toBe(true);
+		const lines = summarize(parsed.model!);
+		// labour / manager / executive all appear as record relations.
+		expect(lines.join(' ')).toContain('labour');
+		expect(lines.join(' ')).toContain('executive');
+	});
+
+	it('includes an org → project → resource hierarchy example with inheritance', () => {
+		const ex = MODEL_EXAMPLES.find(
+			(e) => e.name === 'Org → project → resource',
+		);
+		expect(ex).toBeDefined();
+		const parsed = parseDsl(ex!.dsl);
+		expect(parsed.supported).toBe(true);
+		// resource.viewer inherits from project (the grant-once-inherit chain).
+		const resource = parsed.model!.types.find((t) => t.name === 'resource');
+		const viewer = resource?.relations.find((r) => r.name === 'viewer');
+		expect(viewer?.computed).toContainEqual({
+			relation: 'viewer',
+			from: 'project',
+		});
+	});
 });
diff --git a/web/dashboard/src/pages/authorization/modelDsl.ts b/web/dashboard/src/pages/authorization/modelDsl.ts
index f5ae1f85..6fd7db08 100644
--- a/web/dashboard/src/pages/authorization/modelDsl.ts
+++ b/web/dashboard/src/pages/authorization/modelDsl.ts
@@ -323,6 +323,39 @@ type team
   relations
     define org: [organization]
     define member: [user] or member from org`,
+	},
+	{
+		name: 'Org → project → resource',
+		description:
+			'Grant once on the org; every project and resource under it inherits. Add a direct grant for a single resource exception.',
+		dsl: `model
+  schema 1.1
+
+type user
+
+type organization
+  relations
+    define admin: [user]
+    define editor: [user] or admin
+    define viewer: [user] or editor
+    define can_view: viewer
+    define can_edit: editor
+
+type project
+  relations
+    define org: [organization]
+    define editor: [user] or editor from org
+    define viewer: [user] or editor or viewer from org
+    define can_view: viewer
+    define can_edit: editor
+
+type resource
+  relations
+    define project: [project]
+    define editor: [user] or editor from project
+    define viewer: [user] or editor or viewer from project
+    define can_view: viewer
+    define can_edit: editor`,
 	},
 	{
 		name: 'RBAC roles',
@@ -344,6 +377,29 @@ type resource
     define can_view: viewer
     define can_edit: editor
     define can_admin: admin`,
+	},
+	{
+		name: 'Company roles (RBAC)',
+		description:
+			'Job roles — labour, manager, executive — with escalating permissions on a record.',
+		dsl: `model
+  schema 1.1
+
+type user
+
+type role
+  relations
+    define assignee: [user]
+
+type record
+  relations
+    define labour: [user, role#assignee]
+    define manager: [user, role#assignee]
+    define executive: [user, role#assignee]
+    define can_delete: executive
+    define can_approve: executive
+    define can_edit: manager or can_delete
+    define can_view: labour or can_edit`,
 	},
 	{
 		name: 'Groups',

From 0451e0a948106eb24023bc435db23ebf96ac8b77 Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Wed, 10 Jun 2026 12:51:56 +0530
Subject: [PATCH 23/39] fix(fga): align all shipped models with OpenFGA best
 practices + validate in CI
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Reviewed every shipped model against openfga/agent-skills (the official
OpenFGA modeling rules):

- Folder hierarchy example: chain owner down (`owner from parent_folder`) so a
  folder owner can edit its documents — was the documented "parent role
  forgotten on child types" anti-pattern; rename parent → parent_folder per
  the naming convention; add folder can_view.
- Organizations & teams example: add can_view so apps check a permission, not
  the member relation directly.
- Model editor placeholder: concentric (editor implies viewer) instead of
  independent viewer/editor unioned in can_view.
- Add examples_validation_test.go: extracts every DSL from the dashboard
  catalog, the editor placeholder, and docs/fga-rebac-guide.md and writes each
  through the real embedded engine — the in-repo equivalent of
  `fga model validate`, so a malformed example can never ship.
---
 docs/fga-rebac-guide.md                       |  4 +
 .../openfga/examples_validation_test.go       | 84 +++++++++++++++++++
 .../src/pages/authorization/Model.tsx         |  5 +-
 .../src/pages/authorization/modelDsl.ts       | 10 ++-
 4 files changed, 97 insertions(+), 6 deletions(-)
 create mode 100644 internal/authorization/engine/openfga/examples_validation_test.go

diff --git a/docs/fga-rebac-guide.md b/docs/fga-rebac-guide.md
index 925f5422..49961dc5 100644
--- a/docs/fga-rebac-guide.md
+++ b/docs/fga-rebac-guide.md
@@ -150,6 +150,10 @@ diverge from app roles (see §1).
   `internal/authorization/engine/engine.go`.
 - Hierarchy + fine-grained behaviour is covered by
   `internal/authorization/engine/openfga/hierarchy_test.go`.
+- Every shipped model (dashboard example catalog, editor placeholder, and the
+  DSL in this guide) is validated against the real embedded engine by
+  `internal/authorization/engine/openfga/examples_validation_test.go` — the
+  in-repo equivalent of `fga model validate`.
 - Dashboard examples: `web/dashboard/src/pages/authorization/modelDsl.ts`
   (`MODEL_EXAMPLES`), tested in `modelDsl.test.ts`.
 - `_admin_meta` query: `internal/graphql/admin_meta.go` (super-admin gated),
diff --git a/internal/authorization/engine/openfga/examples_validation_test.go b/internal/authorization/engine/openfga/examples_validation_test.go
new file mode 100644
index 00000000..8d9099ac
--- /dev/null
+++ b/internal/authorization/engine/openfga/examples_validation_test.go
@@ -0,0 +1,84 @@
+package openfga
+
+import (
+	"context"
+	"os"
+	"regexp"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+// These tests are the in-repo equivalent of `fga model validate` (the
+// openfga/agent-skills "always validate models" workflow step): every DSL we
+// ship — the dashboard example catalog, the model-editor placeholder, and the
+// docs guide — is run through the real embedded engine, so a malformed example
+// can never reach users.
+
+// tsDslRe matches TypeScript template literals holding an OpenFGA model. The
+// DSL never contains a backtick, so a lazy match to the closing backtick is
+// safe.
+var tsDslRe = regexp.MustCompile("(?s)`model\n  schema 1\\.1.*?`")
+
+// mdDslRe matches fenced code blocks in markdown holding an OpenFGA model.
+var mdDslRe = regexp.MustCompile("(?s)```[a-z.]*\n(model\n  schema 1\\.1.*?)```")
+
+// validateAll writes each extracted DSL to a fresh embedded engine and fails
+// with the engine's own error message on the first invalid one.
+func validateAll(t *testing.T, source string, dsls []string) {
+	t.Helper()
+	ctx := context.Background()
+	eng, _ := newTestEngine(t)
+	for i, dsl := range dsls {
+		_, err := eng.WriteModel(ctx, dsl)
+		assert.NoError(t, err, "%s: model #%d is not valid OpenFGA DSL:\n%s", source, i+1, dsl)
+	}
+}
+
+func TestDashboardModelExamplesAreValidOpenFGADSL(t *testing.T) {
+	const path = "../../../../web/dashboard/src/pages/authorization/modelDsl.ts"
+	content, err := os.ReadFile(path)
+	require.NoError(t, err)
+
+	matches := tsDslRe.FindAllString(string(content), -1)
+	// The catalog ships 11 examples; a drop below that means the extraction
+	// regex broke or examples were removed — both worth failing loudly on.
+	require.GreaterOrEqual(t, len(matches), 11, "expected the full example catalog in %s", path)
+
+	dsls := make([]string, 0, len(matches))
+	for _, m := range matches {
+		dsls = append(dsls, m[1:len(m)-1]) // strip the backticks
+	}
+	validateAll(t, "modelDsl.ts", dsls)
+}
+
+func TestModelEditorPlaceholderIsValidOpenFGADSL(t *testing.T) {
+	const path = "../../../../web/dashboard/src/pages/authorization/Model.tsx"
+	content, err := os.ReadFile(path)
+	require.NoError(t, err)
+
+	matches := tsDslRe.FindAllString(string(content), -1)
+	require.NotEmpty(t, matches, "expected the PLACEHOLDER model in %s", path)
+
+	dsls := make([]string, 0, len(matches))
+	for _, m := range matches {
+		dsls = append(dsls, m[1:len(m)-1])
+	}
+	validateAll(t, "Model.tsx", dsls)
+}
+
+func TestRebacGuideModelsAreValidOpenFGADSL(t *testing.T) {
+	const path = "../../../../docs/fga-rebac-guide.md"
+	content, err := os.ReadFile(path)
+	require.NoError(t, err)
+
+	groups := mdDslRe.FindAllStringSubmatch(string(content), -1)
+	require.NotEmpty(t, groups, "expected at least one model block in %s", path)
+
+	dsls := make([]string, 0, len(groups))
+	for _, g := range groups {
+		dsls = append(dsls, g[1])
+	}
+	validateAll(t, "fga-rebac-guide.md", dsls)
+}
diff --git a/web/dashboard/src/pages/authorization/Model.tsx b/web/dashboard/src/pages/authorization/Model.tsx
index d1c7c0cc..5fe151e0 100644
--- a/web/dashboard/src/pages/authorization/Model.tsx
+++ b/web/dashboard/src/pages/authorization/Model.tsx
@@ -51,9 +51,10 @@ type user
 
 type document
   relations
-    define viewer: [user]
     define editor: [user]
-    define can_view: viewer or editor`;
+    define viewer: [user] or editor
+    define can_view: viewer
+    define can_edit: editor`;
 
 const Model = () => {
 	const client = useClient();
diff --git a/web/dashboard/src/pages/authorization/modelDsl.ts b/web/dashboard/src/pages/authorization/modelDsl.ts
index 6fd7db08..bfcae0a3 100644
--- a/web/dashboard/src/pages/authorization/modelDsl.ts
+++ b/web/dashboard/src/pages/authorization/modelDsl.ts
@@ -297,12 +297,13 @@ type folder
   relations
     define owner: [user]
     define viewer: [user] or owner
+    define can_view: viewer
 
 type document
   relations
-    define parent: [folder]
-    define owner: [user]
-    define viewer: [user] or owner or viewer from parent
+    define parent_folder: [folder]
+    define owner: [user] or owner from parent_folder
+    define viewer: [user] or owner or viewer from parent_folder
     define can_view: viewer
     define can_edit: owner`,
 	},
@@ -322,7 +323,8 @@ type organization
 type team
   relations
     define org: [organization]
-    define member: [user] or member from org`,
+    define member: [user] or member from org
+    define can_view: member`,
 	},
 	{
 		name: 'Org → project → resource',

From b473534720983a4bd77e4df2585d9c5600e490ef Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Wed, 10 Jun 2026 13:16:54 +0530
Subject: [PATCH 24/39] =?UTF-8?q?docs(specs):=20v1=E2=86=92v2=20migration?=
 =?UTF-8?q?=20tool=20design=20spec?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 .../specs/2026-06-08-migration-tool-design.md | 282 ++++++++++++++++++
 1 file changed, 282 insertions(+)
 create mode 100644 docs/specs/2026-06-08-migration-tool-design.md

diff --git a/docs/specs/2026-06-08-migration-tool-design.md b/docs/specs/2026-06-08-migration-tool-design.md
new file mode 100644
index 00000000..a05821d8
--- /dev/null
+++ b/docs/specs/2026-06-08-migration-tool-design.md
@@ -0,0 +1,282 @@
+# Authorizer Migration Tool — Design Spec
+
+**Status:** Draft for review
+**Date:** 2026-06-08
+**Author:** Principal Engineering
+**Scope:** A zero-downtime migration tool to move users, credentials, and configuration into Authorizer from Auth0, Clerk, WorkOS, Keycloak, Okta, and SuperTokens — plus the Authorizer core APIs required to support it.
+
+---
+
+## 1. Problem & goals
+
+Authorizer (as a SaaS / self-hosted offering) wants to win customers off incumbent auth providers. The single biggest adoption blocker is migration risk: moving an existing user base without **(a)** forcing password resets, **(b)** a maintenance window, or **(c)** losing roles/MFA/social links.
+
+### Goals
+1. Migrate **users + credentials + social links + roles + MFA + org/tenant + client config** from six sources.
+2. **Zero downtime, zero forced reset** for the common case (coexistence migration with live cutover and rollback-before-cutover).
+3. Data never transits Authorizer SaaS unnecessarily — extraction runs in the customer's network.
+4. Idempotent, resumable, inspectable, dry-runnable.
+
+### Non-goals (v1)
+- Auto-applying org/tenant and OAuth-client/connection config into Authorizer (v1 = **report-only**, see §9).
+- True "no re-login" session continuity via foreign-JWKS bridging (v1 = **one silent re-auth at cutover**, see §7).
+- Reversible-after-cutover write-journaling (v1 = **forward-only after a validated bake**, see §7).
+- WebAuthn/passkey migration (cryptographically bound to original origin — re-enroll required).
+
+---
+
+## 2. Research findings: what each source actually exposes
+
+Verified against current provider docs / source (June 2026). This table drives every connector's behavior.
+
+| Source | User profiles | Password hashes (self-serve?) | Hash algo | MFA/TOTP seeds | Social links | Roles/RBAC | Orgs/Tenants |
+|---|---|---|---|---|---|---|---|
+| **Keycloak** | ✅ realm export / Admin API | ✅ **Yes** — realm-export JSON | PBKDF2-sha256/512 (+iter+salt, 64-byte dk) | ✅ **Yes** — seed in export | ✅ `federatedIdentities` | ✅ realm/client roles, groups | realm = tenant |
+| **SuperTokens** | ✅ Core API (`GET /users`) | ✅ **Yes** — direct DB read (self-hosted) | **bcrypt default**, or argon2id | ✅ **Yes** — DB `totp_user_devices.secret_key` | ✅ `thirdParty` per loginMethod | ✅ roles recipe | ✅ multitenancy API |
+| **Clerk** | ✅ Backend API / Dashboard CSV | ✅ **Yes** — Dashboard CSV incl. hashes | bcrypt | ❌ no | ✅ `external_accounts` | ✅ org roles/perms | ✅ organizations |
+| **Auth0** | ✅ `POST /jobs/users-exports` | ⚠️ **support ticket only** (PGP, paid tier) | bcrypt (`$2a/$2b$`) | ⚠️ same PGP ticket | ✅ `identities[]` | ✅ Authorization Core | ✅ Organizations |
+| **Okta** | ✅ `GET /api/v1/users` | ❌ **Never** | n/a | ❌ no | ✅ IdP links | ✅ groups, roles | single org |
+| **WorkOS** | ✅ User Mgmt API | ❌ **Never** (reset/lazy) | n/a | ❌ no | ✅ AuthKit identities | ✅ roles | ✅ orgs + SSO conns |
+
+**Conclusion:** Hashes are obtainable from three sources directly (Keycloak/SuperTokens/Clerk), one with heavy effort (Auth0), never from two (Okta/WorkOS). Therefore the tool **must** support both a bulk-hash path and a live lazy/JIT path. Confirmed cross-reference: WorkOS's own "migrate from X" docs document the same realities and fall back to password-reset; we improve on that with live lazy verification.
+
+### Key source endpoints (for connectors)
+- **Auth0:** `POST /api/v2/jobs/users-exports` (NDJSON, 24h TTL, 60s download link); `GET /roles`, `/roles/{id}/permissions`, `/users/{id}/roles`; `/organizations/*`; `/clients` (+`read:client_keys` for secrets); `/connections` (+`read:connections_options` for social/SAML keys); `/resource-servers`; `/users/{id}/enrollments` (MFA metadata only). Mgmt token via M2M client-credentials, 24h expiry. **Password hashes + MFA secrets:** PGP support-ticket export only (`export-password-hashes-and-mfa-secrets`), not Free tier.
+- **Clerk:** `GET /v1/users` (Backend API, bcrypt `password_digest`/`password_hasher`); Dashboard CSV export includes hashes (since 2024-10-23); `/v1/organizations` + memberships; trickle-migration documented. Insecure hashers transparently upgraded to bcrypt on first login.
+- **WorkOS:** `GET /user_management/users` (cursor pagination); `/organizations`, `/organization_memberships`; `/connections` (SSO SAML/OIDC); `/directories` (SCIM). No hash export → lazy/reset. Import side accepts bcrypt/scrypt/firebase-scrypt/ssha/pbkdf2/argon2 in PHC.
+- **Keycloak:** realm export via `kc.sh export --users different_files` (credentials included) — `credentials[].secretData{value,salt}` + `credentialData{hashIterations,algorithm}` (PBKDF2, **64-byte derived key**, read per-credential iteration count); OTP creds carry the TOTP seed; `federatedIdentities`; `realmRoles`/`clientRoles`; groups; `/clients` (+secrets), `/identity-provider/instances` (+secrets). Admin token via `admin-cli` client-credentials.
+- **Okta:** `GET /api/v1/users` (limit 200, link-header cursor); `/idps` + `/idps/{id}/users`; `/users/{id}/factors` (no secrets); `/groups`; `/apps` (+`/apps/{id}/users`). SSWS or OAuth2 scopes (`okta.users.read`, …). **No hash export** → Okta Password Import Inline Hook is the lazy pattern (we mirror it in reverse).
+- **SuperTokens:** Core API `GET /users` (`paginationToken` loop), `/recipe/roles`, `/recipe/multitenancy/tenant/list`, `/recipe/user/metadata`; **hashes + TOTP secrets via direct DB read** (`emailpassword_users.password_hash`, `totp_user_devices.secret_key`); bulk-import API shape (`loginMethods[].passwordHash`+`hashingAlgorithm` ∈ {argon2,bcrypt,firebase_scrypt}, `totpDevices[].secretKey`, `userRoles`, `userMetadata`, `externalUserId`) is the reference for our own import API.
+
+---
+
+## 3. Architecture
+
+Three components.
+
+### (a) `authorizer-migrate` CLI (Go single binary)
+Matches Authorizer's stack. Runs in the **customer's network** so source data never transits Authorizer SaaS. Pipeline:
+
+```
+  extract                 transform/normalize          load
+┌──────────┐   source     ┌────────────────────┐      ┌──────────────────┐
+│ connector│──API/DB────▶ │  <source>.amf.json │ ───▶ │ Authorizer       │
+│ (source  │              │  (canonical AMF,    │      │ _import_users    │
+│  creds)  │              │   inspectable)     │      │ (admin creds)    │
+└──────────┘              └────────────────────┘      └──────────────────┘
+```
+
+Commands:
+- `authorizer-migrate extract --from <provider> --config <creds.yaml> --out users.amf.json [--since <ts>]`
+- `authorizer-migrate validate users.amf.json` (schema + referential integrity, offline)
+- `authorizer-migrate load --in users.amf.json --authorizer <url> --admin-secret … [--dry-run] [--resume]`
+- `authorizer-migrate report --in users.amf.json` (org/RBAC/client-config report, §9)
+
+Properties: **idempotent upsert** (`source`+`externalUserId`), **resumable** (checkpoint file), **dry-run**, **delta** (`--since`).
+
+### (b) AMF — Authorizer Migration Format
+One canonical JSON schema all connectors normalize into. Decouples extract (source creds) from load (target creds), gives a human review/edit/diff checkpoint, makes the pipeline idempotent + resumable. Sketch:
+
+```jsonc
+{
+  "amfVersion": "1.0",
+  "source": { "provider": "keycloak", "exportedAt": 1749312000, "realmOrTenant": "acme" },
+  "users": [
+    {
+      "externalUserId": "f8a...",            // stable source id → idempotency key
+      "email": "jane@acme.com",
+      "emailVerified": true,
+      "phoneNumber": null,
+      "givenName": "Jane", "familyName": "Doe",
+      "picture": "https://...",
+      "roles": ["admin", "billing"],
+      "credential": {
+        "type": "password_hash",             // password_hash | none (lazy) | reset
+        "algorithm": "pbkdf2-sha256",        // bcrypt | pbkdf2-sha256 | pbkdf2-sha512 | argon2id | scrypt | firebase-scrypt
+        "hash": "base64...",                  // normalized to PHC string where possible
+        "params": { "iterations": 27500, "salt": "base64...", "keyLen": 64 }
+      },
+      "identities": [
+        { "provider": "google", "providerUserId": "104...", "email": "jane@gmail.com" }
+      ],
+      "mfa": [
+        { "type": "totp", "secret": "BASE32SEED", "algorithm": "SHA1", "digits": 6, "period": 30 }
+      ],
+      "appData": { "sourceOrg": "acme", "legacyId": "..." },
+      "createdAt": 1700000000, "updatedAt": 1749000000
+    }
+  ],
+  "lazyMigration": {                          // present when source can't export hashes
+    "enabled": true,
+    "originProvider": "okta",
+    "verifyVia": "password-grant"             // how Authorizer re-verifies on first login
+  }
+}
+```
+
+`config-report` (orgs, roles tree, OAuth clients, connections) is emitted to a **separate** `*.report.json` consumed by `report`, not by `load` (v1 report-only).
+
+### (c) Authorizer core additions
+The "missing APIs." See §4–§6.
+
+---
+
+## 4. New Authorizer APIs (the missing surface)
+
+Authorizer today has **no bulk import** and **no create-user-with-prehashed-password** path (`signup` hashes plaintext; `invite_members` invites). We add:
+
+### 4.1 `_import_users` — admin GraphQL mutation (async job)
+- Admin-authenticated (admin secret), behind the existing `_`-prefixed admin namespace.
+- Accepts a batch (≤ N per call, e.g. 1000) of canonical AMF user records.
+- Creates users with **pre-hashed passwords + algorithm metadata**, identities, roles, TOTP devices, `app_data`, and `externalUserId`+`source` for idempotency.
+- **Idempotent upsert:** re-running with the same `source`+`externalUserId` updates instead of duplicating (enables delta sync).
+- Returns a `jobID`.
+
+```graphql
+mutation { _import_users(params: ImportUsersInput!): ImportJob! }
+
+input ImportUsersInput {
+  source: String!                 # "auth0" | "keycloak" | ...
+  users: [ImportUserInput!]!
+  upsert: Boolean = true
+}
+input ImportUserInput {
+  external_user_id: String!
+  email: String
+  email_verified: Boolean
+  phone_number: String
+  given_name: String
+  family_name: String
+  picture: String
+  roles: [String!]
+  password_hash: String          # optional; omit for lazy/reset users
+  password_hash_algorithm: String # bcrypt | pbkdf2-sha256 | pbkdf2-sha512 | argon2id | scrypt | firebase-scrypt
+  password_hash_params: String   # JSON: iterations, salt, keyLen, memory, parallelism, etc.
+  identities: [ImportIdentityInput!]
+  mfa: [ImportMFAInput!]
+  app_data: String               # JSON
+  created_at: Int64
+  updated_at: Int64
+}
+```
+
+### 4.2 `_import_status(jobID)` + job resource
+Large tenants import async. Poll job progress and inspect per-row failures (mirrors SuperTokens' `bulk-import/users?status=FAILED`).
+
+```graphql
+query { _import_status(job_id: ID!): ImportJob! }
+type ImportJob { id: ID!  status: ImportStatus!  total: Int!  succeeded: Int!  failed: Int!  errors: [ImportRowError!]! }
+enum ImportStatus { QUEUED PROCESSING COMPLETED COMPLETED_WITH_ERRORS FAILED }
+type ImportRowError { external_user_id: String!  message: String! }
+```
+
+---
+
+## 5. User schema change + multi-algorithm verifier
+
+**Today:** `User.Password *string` (bcrypt, `bcrypt.DefaultCost`), no algorithm column → a Keycloak PBKDF2 or SuperTokens argon2id hash cannot be verified after import.
+
+**Change (decision: add algo-metadata + multi-algo verify with transparent upgrade):**
+
+1. Add columns to `User` (all providers): `password_hash_algorithm *string`, `password_hash_params *string` (JSON). Nullable; null/empty ⇒ legacy bcrypt (back-compat — existing rows untouched).
+2. Add a `crypto` verifier registry: `bcrypt` (native, existing), `pbkdf2-sha256`, `pbkdf2-sha512`, `argon2id`, `scrypt`, `firebase-scrypt`. Each verifies a candidate password against `(hash, params)`.
+3. **Login path change:** on password verify, dispatch by `password_hash_algorithm`. On the **first successful** login against a non-bcrypt hash, **transparently re-hash to bcrypt** (`bcrypt.DefaultCost`), persist, and clear the algorithm/params columns. This is Clerk's upgrade model — within a tail period the whole base converges to native bcrypt and the foreign-algo code is exercised only transiently.
+
+**Verification:** import a hand-written AMF with one bcrypt, one pbkdf2-sha256, and one argon2id user; log in as each with the original password and get a session with **no reset**; confirm the non-bcrypt rows flip to bcrypt + null metadata after first login.
+
+**Security notes:** foreign-algo verifiers are constant-time-compared; params are validated (bounded iteration/memory to prevent a malicious AMF from triggering resource exhaustion); the existing dummy-bcrypt timing-equalization on login (`internal/graphql/login.go`) is extended to cover the dispatch so non-existent-user timing doesn't leak.
+
+---
+
+## 6. Lazy / JIT migration-source (the zero-reset coexistence engine)
+
+For Okta & WorkOS (no hash export) **and** for any user whose password changed after the last delta, Authorizer verifies the password **live against the origin provider** on first login.
+
+**Decision: lives in Authorizer core** as a configurable *migration source* (not an external webhook), mirroring Auth0/Okta's own inline-hook pattern but in reverse.
+
+- New config object (DB-config, like other Authorizer settings): `migration_source { provider, base_url, credentials, verify_method }` where `verify_method` ∈ `{ password-grant, ropc, verify-endpoint }`.
+- A user imported via the lazy path carries `credential.type = none` and a dedicated nullable `User.migration_source *string` column (checked on the hot login path — avoids parsing `app_data`). Non-null ⇒ this user still needs origin verification.
+- **Failed-login hook:** when local verification fails (or there is no local hash) for a user with non-null `migration_source`, Authorizer calls the origin's password-grant/verify API with the submitted credentials. On success → mint an Authorizer session, **store the password as bcrypt**, null out `migration_source`. On failure → normal invalid-credentials.
+- Promoted from "Okta/WorkOS only" to a **general coexistence primitive** usable by all six connectors.
+
+**Verification:** configure an Okta migration source; import an Okta user with `credential.type=none`; log into Authorizer with the user's real Okta password → success, session issued, row now has a bcrypt hash and null `migration_source`; second login verifies locally (no origin call).
+
+---
+
+## 7. Zero-downtime strategy
+
+Principle: **never a moment where neither provider can authenticate; never a forced reset or maintenance window.** Four layers:
+
+1. **Bulk pre-seed** — initial export → AMF → `_import_users`. Authorizer runs as a **shadow**; app still points at the old provider. Most users immediately authenticatable where hashes are exportable.
+2. **Repeatable delta sync** — `extract --since <ts>` + idempotent `load` upsert, scheduled (e.g. hourly), keeps the shadow current as users sign up / edit profiles in the old system.
+3. **Live lazy verify-against-origin (§6)** — the correctness guarantee: whatever the user's *current* origin password is, it validates live on first login. **Delta sync therefore never needs to carry passwords for correctness** — only profile freshness and lazy-load reduction.
+4. **Staged cutover + rollback:**
+
+```
+Coexist:      app → OLD (authoritative).  CLI bulk + delta → Authorizer (shadow, READ-ONLY from source).
+Cutover:      flip app auth → Authorizer (config/DNS). Authorizer authoritative for writes.
+              Lazy hook verifies stragglers live against OLD (read-only). No more writes to OLD.
+Decommission: after tail period + final reconciliation, disable OLD + lazy hook.
+```
+
+Because coexistence is **read-only from the source**, rollback *before* cutover is a no-op and the source is never mutated.
+
+### Decided tradeoffs
+- **Session continuity = one silent re-auth at cutover.** Old-provider JWTs aren't trusted post-cutover; users re-authenticate once (seamless via bulk hash or lazy verify — no reset, no error). No foreign-JWKS bridging in v1.
+- **Rollback = forward-only after a validated bake.** Cutover begins with a canary (e.g. 1–2% traffic or a pilot tenant) that is validated; once full cutover is confirmed healthy, forward-only. No write-journaling / reverse-sync in v1.
+
+### Deliverable: cutover runbook
+A checklist doc (pre-flight credential/scope checks, pre-seed, delta cadence, canary, validation queries, go/no-go, rollback-before-cutover procedure, decommission criteria) shipped alongside the CLI.
+
+---
+
+## 8. Per-provider connector behavior
+
+| Connector | Profiles | Password disposition | MFA | Notes |
+|---|---|---|---|---|
+| **Keycloak** | realm export | **bulk hash** (PBKDF2 → multi-algo verify) | **bulk TOTP seed** | best case; per-credential iterations; realm→instance |
+| **SuperTokens** | Core API + DB | **bulk hash** (bcrypt direct / argon2id via multi-algo) | **bulk TOTP seed** (DB) | DB read for hash+seed; account-linking → identities |
+| **Clerk** | Backend API / CSV | **bulk hash** (bcrypt) | re-enroll | CSV includes hashes |
+| **Auth0** | export job | **bulk hash if PGP export obtained**, else **lazy** | bulk if PGP, else re-enroll | NDJSON→JSON; identities[] |
+| **Okta** | Users API | **lazy** (verify-against-origin) | re-enroll | mirrors Okta Password Import Hook in reverse |
+| **WorkOS** | User Mgmt API | **lazy** | re-enroll | SSO/Directory config → report |
+
+Each connector: paginates fully (no silent caps — log dropped/over-limit), normalizes to AMF, supports `--since`.
+
+---
+
+## 9. Scope mapping for orgs / RBAC / client-config (v1 = report-only)
+
+- **Orgs/tenants:** Authorizer is single-tenant per instance. Map **1 Keycloak realm / 1 Auth0 tenant / 1 WorkOS org-set → 1 Authorizer instance.** Multi-org sources emit a **mapping report**; org membership is preserved as a role and/or `app_data.sourceOrg` namespace (no silent loss).
+- **RBAC:** source roles/permissions → Authorizer roles + the new **FGA permission model**; emitted to the report with a proposed mapping the customer confirms.
+- **App/client & connection config** (OAuth clients, social keys, SAML/OIDC enterprise connections): exported into the report (secrets flagged, never auto-written). Customer applies via Authorizer's DB-config. **Rationale:** these are low-volume, high-blast-radius config objects; auto-writing them into a single-tenant instance is risky and provider-shape-specific. Auto-apply is a post-v1 candidate.
+
+---
+
+## 10. Phasing & milestones (each ships + verifies independently)
+
+| Phase | Deliverable | Verify |
+|---|---|---|
+| **0** | User schema columns + multi-algo verifier + transparent upgrade (§5) | bcrypt+pbkdf2+argon2id users log in from hand-written AMF, no reset; non-bcrypt flips to bcrypt post-login |
+| **1** | `_import_users` + `_import_status` async job (§4) | import 10k-row AMF; idempotent re-run upserts; failures surfaced per-row |
+| **2** | AMF spec + CLI skeleton (`extract`/`validate`/`load`, dry-run, resume, `--since`) | round-trip a sample AMF; resume after kill; dry-run mutates nothing |
+| **3** | Connectors (hash-friendly order): Keycloak → SuperTokens → Clerk → Auth0 | each extracts to valid AMF; bulk-hash users log in post-load with no reset |
+| **4** | Migration-source + failed-login hook (§6); Okta + WorkOS connectors | Okta user logs into Authorizer with old password → silently upgraded |
+| **5** | Zero-downtime cutover runbook + delta-sync scheduling guide (§7) | dry-run a full coexist→delta→cutover on a pilot tenant |
+| **6** | `report` command: orgs/RBAC/client-config (§9) | report lists every org/role/client/connection with proposed mapping |
+
+---
+
+## 11. Risks & open questions
+
+- **Auth0 hash export is gated** (PGP + paid tier + CISO sign-off). For customers who can't/won't, Auth0 falls to the lazy path — document this prominently; it's the main "it depends" in the matrix.
+- **argon2id params** must be carried exactly (memory/iterations/parallelism); a mismatch silently fails verification. Validate on `load`.
+- **Keycloak iteration counts are per-credential** and version-dependent — never hardcode; read each credential. Confirm 64-byte derived-key length against the customer's Keycloak version.
+- **Delta-sync window for profile writes** (not passwords) made in the old system between last delta and cutover are lost unless cutover stops old-system writes — handled by the "old is authoritative until cutover, then writes move to Authorizer" rule; flag in runbook.
+- **Rate limits** (Auth0 Mgmt API, Okta org-wide concurrency) — connectors must backoff; large exports use the async export job where available, not page-scan.
+- **PII handling** — AMF files contain hashes/seeds/PII; CLI writes them `0600`, supports encryption-at-rest for the AMF file, and the runbook mandates secure deletion post-migration.
+
+---
+
+## 12. Out of scope (v1)
+WebAuthn/passkey migration; foreign-JWKS session bridging; reversible-after-cutover write-journaling; auto-applying org/client config; non-listed source providers (Cognito/Firebase/Supabase — future connectors, AMF already accommodates them).

From 0bfde7c3f1697e34e8bb70a9d7130ac32fe7b823 Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Wed, 10 Jun 2026 13:47:51 +0530
Subject: [PATCH 25/39] fix(dashboard): user:<id> examples everywhere +
 grant-form alignment
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Replace every user:alice example, placeholder and grant-pattern prefill with
  the user:<id> / user:<user-id> convention the docs recommend — names aren't
  unique or stable; point admins at the Users page for the id.
- Fix the Grant access form alignment: the id hint under the User column made
  it taller than the other columns in the items-end grid; the hint is now a
  full-width row below the inputs so all fields and the Add button align.
---
 .../src/pages/authorization/Tester.tsx        | 17 +++++------
 .../src/pages/authorization/Tuples.tsx        | 29 ++++++++++++-------
 2 files changed, 26 insertions(+), 20 deletions(-)

diff --git a/web/dashboard/src/pages/authorization/Tester.tsx b/web/dashboard/src/pages/authorization/Tester.tsx
index b50a4cea..d695f9c1 100644
--- a/web/dashboard/src/pages/authorization/Tester.tsx
+++ b/web/dashboard/src/pages/authorization/Tester.tsx
@@ -142,17 +142,13 @@ const Tester = () => {
 				<Example>
 					<strong>Example:</strong> ask &ldquo;can{' '}
 					<code className="rounded bg-white px-1 py-0.5 text-xs">
-						user:alice
+						user:&lt;id&gt;
 					</code>{' '}
 					<code className="rounded bg-white px-1 py-0.5 text-xs">can_view</code>{' '}
 					<code className="rounded bg-white px-1 py-0.5 text-xs">
 						document:1
 					</code>
-					?&rdquo; &mdash; if you granted{' '}
-					<code className="rounded bg-white px-1 py-0.5 text-xs">
-						user:alice
-					</code>{' '}
-					the{' '}
+					?&rdquo; &mdash; if you granted that user the{' '}
 					<code className="rounded bg-white px-1 py-0.5 text-xs">viewer</code>{' '}
 					relation in step 2, the result is <strong>Allowed</strong>.
 				</Example>
@@ -163,14 +159,15 @@ const Tester = () => {
 					<Label htmlFor="check-user">User (subject)</Label>
 					<Input
 						id="check-user"
-						placeholder="user:alice — blank checks yourself"
+						placeholder="user:<id> — blank checks yourself"
 						value={user}
 						onChange={(e) => setUser(e.target.value)}
 						spellCheck={false}
 					/>
 					<p className="text-xs text-gray-400">
-						The subject to check, e.g. <code>user:alice</code>. A bare id is
-						treated as <code>user:&lt;id&gt;</code>.
+						The subject&rsquo;s <strong>user id</strong> (from the Users page),
+						e.g. <code>user:&lt;id&gt;</code> — not a name or email. A bare id
+						is treated as <code>user:&lt;id&gt;</code>.
 					</p>
 				</div>
 				<div className="grid grid-cols-1 gap-3 md:grid-cols-2">
@@ -220,7 +217,7 @@ const Tester = () => {
 								className="grid grid-cols-1 gap-2 md:grid-cols-[1fr_1fr_1fr_auto] md:items-center"
 							>
 								<Input
-									placeholder="user:alice"
+									placeholder="user:<id>"
 									value={tuple.user}
 									onChange={(e) =>
 										updateContextualTuple(index, 'user', e.target.value)
diff --git a/web/dashboard/src/pages/authorization/Tuples.tsx b/web/dashboard/src/pages/authorization/Tuples.tsx
index 60ac5049..368899b7 100644
--- a/web/dashboard/src/pages/authorization/Tuples.tsx
+++ b/web/dashboard/src/pages/authorization/Tuples.tsx
@@ -65,12 +65,16 @@ const GRANT_PATTERNS: {
 	{
 		name: 'Direct grant',
 		desc: 'One user → one object.',
-		tuple: { user: 'user:alice', relation: 'viewer', object: 'document:1' },
+		tuple: { user: 'user:<user-id>', relation: 'viewer', object: 'document:1' },
 	},
 	{
 		name: 'Assign a role',
 		desc: 'Put a user into a role.',
-		tuple: { user: 'user:alice', relation: 'assignee', object: 'role:editor' },
+		tuple: {
+			user: 'user:<user-id>',
+			relation: 'assignee',
+			object: 'role:editor',
+		},
 	},
 	{
 		name: 'Grant a whole role',
@@ -89,7 +93,11 @@ const GRANT_PATTERNS: {
 	{
 		name: 'All resources in a folder',
 		desc: 'Grant on the folder once; every document under it inherits.',
-		tuple: { user: 'user:alice', relation: 'viewer', object: 'folder:root' },
+		tuple: {
+			user: 'user:<user-id>',
+			relation: 'viewer',
+			object: 'folder:root',
+		},
 	},
 ];
 
@@ -332,7 +340,7 @@ const Tuples = () => {
 				<Example>
 					<strong>Example:</strong> give{' '}
 					<code className="rounded bg-white px-1 py-0.5 text-xs">
-						user:alice
+						user:&lt;id&gt;
 					</code>{' '}
 					the{' '}
 					<code className="rounded bg-white px-1 py-0.5 text-xs">viewer</code>{' '}
@@ -340,7 +348,7 @@ const Tuples = () => {
 					<code className="rounded bg-white px-1 py-0.5 text-xs">
 						document:1
 					</code>{' '}
-					— now Alice can view that document.
+					— that user can now view the document.
 				</Example>
 			</div>
 
@@ -424,10 +432,6 @@ const Tuples = () => {
 						value={form.user}
 						onChange={(e) => setForm({ ...form, user: e.target.value })}
 					/>
-					<p className="text-xs text-gray-400">
-						Use the user&rsquo;s id (<code>user:&lt;id&gt;</code>), not a name —
-						ids are stable and unique.
-					</p>
 				</div>
 				<div className="space-y-1">
 					<Label htmlFor="tuple-relation">Relation</Label>
@@ -451,6 +455,11 @@ const Tuples = () => {
 					<Plus className="mr-2 h-4 w-4" />
 					{submitting ? 'Adding...' : 'Add'}
 				</Button>
+				{/* Full-width hint row so the input columns above stay aligned. */}
+				<p className="text-xs text-gray-400 md:col-span-4">
+					Use the user&rsquo;s id (<code>user:&lt;id&gt;</code>, from the{' '}
+					<strong>Users</strong> page), not a name — ids are stable and unique.
+				</p>
 			</form>
 
 			{loading ? (
@@ -531,7 +540,7 @@ const Tuples = () => {
 					<p className="mt-1 max-w-sm text-sm leading-relaxed text-gray-500">
 						Tuples grant access &mdash; e.g.{' '}
 						<code className="rounded bg-gray-100 px-1 py-0.5 text-xs text-gray-700">
-							user:alice
+							user:&lt;id&gt;
 						</code>{' '}
 						is{' '}
 						<code className="rounded bg-gray-100 px-1 py-0.5 text-xs text-gray-700">

From 54f533aa5e59a2f1dd829bb80414183c98c8bae0 Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Wed, 10 Jun 2026 13:55:04 +0530
Subject: [PATCH 26/39] feat(dashboard): generic RBAC seed with instance roles
 as suggestions, id-only examples
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- The model builder now always starts from the standard admin/editor/viewer
  matrix; the instance's configured roles are offered as one-click suggestion
  chips instead of being forced in as the seed (app roles like "user" make
  poor object-scoped FGA roles).
- Grant-pattern prefill uses folder:<folder-id>; ReBAC guide examples now use
  numeric object ids (organization:101, project:201, resource:301) — objects,
  like users, are identified by id, never by name. role:* objects stay keyed
  by role name by design.
---
 docs/fga-rebac-guide.md                       | 50 +++++++++-------
 .../src/pages/authorization/Model.tsx         | 44 +++++---------
 .../src/pages/authorization/RbacBuilder.tsx   | 60 ++++++++++++++-----
 .../src/pages/authorization/Tuples.tsx        |  2 +-
 4 files changed, 89 insertions(+), 67 deletions(-)

diff --git a/docs/fga-rebac-guide.md b/docs/fga-rebac-guide.md
index 49961dc5..45a31d5c 100644
--- a/docs/fga-rebac-guide.md
+++ b/docs/fga-rebac-guide.md
@@ -11,7 +11,7 @@ you are dealing with, and how to identify subjects.
 | | Authorizer (app) roles | FGA roles |
 |---|---|---|
 | What | Configured via `--roles`; carried in the JWT `roles` claim. Read in the dashboard via the admin-only `_admin_meta` query. | Relations in the model (`editor`) and `role:` objects (`role:editor`). |
-| Scope | Global, coarse, identity-level — "is this principal an admin at all". | Fine-grained, object-scoped — "editor **of** `resource:doc1`". |
+| Scope | Global, coarse, identity-level — "is this principal an admin at all". | Fine-grained, object-scoped — "editor **of** `resource:301`". |
 | Lives in | The token. | The authorization graph (model + tuples). |
 
 They are **decoupled by design**. FGA roles are usually more granular than app
@@ -32,11 +32,14 @@ user:alice                                  ❌ names aren't unique and change
 ```
 
 Display names and emails are not unique and can change; the user id is stable
-for the lifetime of the account. Worked examples in the dashboard use
-`user:alice` for readability only — in real tuples, use the id.
-
-(The engine does not hard-enforce a UUID format, because a subject can also be a
-wildcard `user:*` or a userset like `group:eng#member` / `role:editor#assignee`.
+for the lifetime of the account. The dashboard and docs use `user:<id>`
+placeholders (or short ids like `user:1b9d…`); in real tuples, use the full id.
+The same applies to objects: identify orgs, projects and resources by their ids
+(`organization:101`), never by name. The one exception is `role:` objects,
+which are keyed by the role name by design (`role:editor#assignee`).
+
+(The engine does not hard-enforce an id format, because a subject can also be a
+wildcard `user:*` or a userset like `group:9#member` / `role:editor#assignee`.
 The id convention is a guideline, not a validation.)
 
 ## 3. Hierarchy: grant once, inherit everywhere
@@ -81,34 +84,34 @@ builder (Step 1 → Advanced → Browse examples).
 ### Wire up the structure once
 
 ```
-organization:acme  org      project:webapp     # project belongs to org
-project:webapp     project  resource:doc1      # resource belongs to project
-project:webapp     project  resource:doc2
+organization:101  org      project:201     # project belongs to org
+project:201     project  resource:301      # resource belongs to project
+project:201     project  resource:302
 ```
 
 ### Grant once, high in the tree
 
 ```
-user:1b9d…  viewer  organization:acme          # one tuple
+user:1b9d…  viewer  organization:101          # one tuple
 ```
 
 Now every check below inherits — **no per-resource tuples needed**:
 
 ```
-Check(user:1b9d…, can_view, organization:acme) → allowed
-Check(user:1b9d…, can_view, project:webapp)    → allowed   (viewer from org)
-Check(user:1b9d…, can_view, resource:doc1)     → allowed   (viewer from project ← from org)
-Check(user:1b9d…, can_view, resource:doc2)     → allowed
+Check(user:1b9d…, can_view, organization:101) → allowed
+Check(user:1b9d…, can_view, project:201)    → allowed   (viewer from org)
+Check(user:1b9d…, can_view, resource:301)     → allowed   (viewer from project ← from org)
+Check(user:1b9d…, can_view, resource:302)     → allowed
 ```
 
 A viewer does **not** inherit edit:
 
 ```
-Check(user:1b9d…, can_edit, resource:doc1)     → denied
+Check(user:1b9d…, can_edit, resource:301)     → denied
 ```
 
 `ListObjects(user:1b9d…, can_view, "resource")` returns
-`["resource:doc1", "resource:doc2"]` — the whole subtree, from one grant.
+`["resource:301", "resource:302"]` — the whole subtree, from one grant.
 
 ## 4. Fine-grained grants coexist with the hierarchy
 
@@ -116,14 +119,14 @@ Inheritance does not stop you from granting a single object directly. A direct
 grant stays **scoped to that object**:
 
 ```
-user:2c8e…  editor  resource:doc1              # one resource only
+user:2c8e…  editor  resource:301              # one resource only
 ```
 
 ```
-Check(user:2c8e…, can_edit, resource:doc1)     → allowed   (direct grant)
-Check(user:2c8e…, can_view, resource:doc1)     → allowed   (concentric: editor ⊃ viewer)
-Check(user:2c8e…, can_edit, resource:doc2)     → denied    (does NOT leak to siblings)
-Check(user:2c8e…, can_view, resource:doc2)     → denied
+Check(user:2c8e…, can_edit, resource:301)     → allowed   (direct grant)
+Check(user:2c8e…, can_view, resource:301)     → allowed   (concentric: editor ⊃ viewer)
+Check(user:2c8e…, can_edit, resource:302)     → denied    (does NOT leak to siblings)
+Check(user:2c8e…, can_view, resource:302)     → denied
 ```
 
 So you compose **broad inherited access** (grant on the org/project) with
@@ -140,8 +143,9 @@ So you compose **broad inherited access** (grant on the org/project) with
   **not** validate `role:<x>` ids or `user:<id>` against any external list.
 
 Both surfaces are super-admin gated and audited. The dashboard model builder
-seeds its roles from `_admin_meta` as a convenience, but FGA roles are free to
-diverge from app roles (see §1).
+starts from a standard `admin / editor / viewer` set and offers the instance's
+configured roles (read via `_admin_meta`) as optional one-click additions — FGA
+roles are free to diverge from app roles (see §1).
 
 ## Where this lives in the code
 
diff --git a/web/dashboard/src/pages/authorization/Model.tsx b/web/dashboard/src/pages/authorization/Model.tsx
index 5fe151e0..53e933ec 100644
--- a/web/dashboard/src/pages/authorization/Model.tsx
+++ b/web/dashboard/src/pages/authorization/Model.tsx
@@ -76,13 +76,9 @@ const Model = () => {
 	const [confirmText, setConfirmText] = useState('');
 	// The example catalog lives in a modal so the editor stays the focus.
 	const [exampleOpen, setExampleOpen] = useState(false);
-	// The instance's configured roles. Used to seed the builder's matrix and to
-	// flag FGA role references that aren't configured roles (advisory only).
+	// The instance's configured roles, offered to the builder as optional
+	// one-click additions (a fallback source of names — never the default seed).
 	const [roles, setRoles] = useState<string[]>([]);
-	// The builder seeds its matrix from `roles` in a one-time initializer, so we
-	// must not mount it until the roles fetch has settled — otherwise it locks in
-	// the generic fallback before the real roles arrive.
-	const [rolesLoaded, setRolesLoaded] = useState(false);
 
 	const checkTuples = useCallback(async () => {
 		try {
@@ -148,8 +144,7 @@ const Model = () => {
 				const r = res.data?._admin_meta?.roles;
 				if (Array.isArray(r)) setRoles(r.filter(Boolean));
 			})
-			.catch(() => {})
-			.finally(() => setRolesLoaded(true));
+			.catch(() => {});
 	}, [client]);
 
 	const applyExample = (name: string, exampleDsl: string) => {
@@ -310,26 +305,19 @@ const Model = () => {
 								Need hierarchies, groups or conditions? Switch to{' '}
 								<strong>Advanced (DSL)</strong>.
 							</Example>
-							{rolesLoaded ? (
-								<RbacBuilder
-									initialRoles={roles}
-									onApply={(generatedDsl) => {
-										// Populate the editor and switch to Advanced for review.
-										// Saving (a new immutable model version) stays an explicit
-										// click on "Save model", so the user controls when a
-										// version is created — no churn from repeated clicks.
-										setDsl(generatedDsl);
-										setValidationError('');
-										setMode('advanced');
-										toast.success('Model ready — review it below, then Save');
-									}}
-								/>
-							) : (
-								<div className="space-y-3">
-									<Skeleton className="h-8 w-72" />
-									<Skeleton className="h-40 w-full" />
-								</div>
-							)}
+							<RbacBuilder
+								suggestedRoles={roles}
+								onApply={(generatedDsl) => {
+									// Populate the editor and switch to Advanced for review.
+									// Saving (a new immutable model version) stays an explicit
+									// click on "Save model", so the user controls when a
+									// version is created — no churn from repeated clicks.
+									setDsl(generatedDsl);
+									setValidationError('');
+									setMode('advanced');
+									toast.success('Model ready — review it below, then Save');
+								}}
+							/>
 						</>
 					) : (
 						<>
diff --git a/web/dashboard/src/pages/authorization/RbacBuilder.tsx b/web/dashboard/src/pages/authorization/RbacBuilder.tsx
index 09632ec6..b576589e 100644
--- a/web/dashboard/src/pages/authorization/RbacBuilder.tsx
+++ b/web/dashboard/src/pages/authorization/RbacBuilder.tsx
@@ -110,19 +110,22 @@ const TokenList = ({
 	);
 };
 
+// SEED_ROLES is the default matrix: a standard RBAC starting point with
+// sensible grants. Instance roles are offered as suggestions, not forced in —
+// app roles (like "user") often make poor object-scoped FGA roles.
+const SEED_ROLES = ['admin', 'editor', 'viewer'];
+
 const RbacBuilder = ({
-	initialRoles,
+	suggestedRoles = [],
 	onApply,
 }: {
-	// Roles configured on the instance (used to seed the matrix). Falls back to a
-	// generic admin/editor/viewer set when none are configured.
-	initialRoles: string[];
+	// Roles configured on the instance, offered as one-click additions to the
+	// matrix (a fallback source of role names — never the default seed).
+	suggestedRoles?: string[];
 	// Called with the generated DSL when the admin is happy with the matrix.
 	onApply: (dsl: string) => void;
 }) => {
-	const seedRoles = initialRoles.length
-		? initialRoles
-		: ['admin', 'editor', 'viewer'];
+	const seedRoles = SEED_ROLES;
 	// One or more object types to protect. All share the same roles × permissions
 	// matrix; for resources that need different shapes, use Advanced (DSL).
 	const [resourceTypes, setResourceTypes] = useState<string[]>(['document']);
@@ -234,14 +237,41 @@ const RbacBuilder = ({
 				)}
 			</div>
 
-			<TokenList
-				label="Roles"
-				help="Named sets of access you assign to people — e.g. admin, editor, viewer."
-				items={roles}
-				onAdd={addRole}
-				onRemove={removeRole}
-				placeholder="role name"
-			/>
+			<div>
+				<TokenList
+					label="Roles"
+					help="Named sets of access you assign to people — e.g. admin, editor, viewer."
+					items={roles}
+					onAdd={addRole}
+					onRemove={removeRole}
+					placeholder="role name"
+				/>
+				{/* Instance roles as optional one-click additions (never forced). */}
+				{(() => {
+					const suggestions = suggestedRoles
+						.map(sanitizeRelationName)
+						.filter((r) => r && !roles.includes(r));
+					if (!suggestions.length) return null;
+					return (
+						<div className="mt-2 flex flex-wrap items-center gap-1.5">
+							<span className="text-xs text-gray-400">
+								From your instance config:
+							</span>
+							{suggestions.map((r) => (
+								<button
+									key={r}
+									type="button"
+									onClick={() => addRole(r)}
+									className="inline-flex items-center gap-1 rounded-full border border-dashed border-gray-300 px-2.5 py-0.5 font-mono text-xs text-gray-500 transition-colors hover:border-blue-300 hover:text-blue-600"
+								>
+									<Plus className="h-3 w-3" aria-hidden="true" />
+									{r}
+								</button>
+							))}
+						</div>
+					);
+				})()}
+			</div>
 
 			<TokenList
 				label="Permissions"
diff --git a/web/dashboard/src/pages/authorization/Tuples.tsx b/web/dashboard/src/pages/authorization/Tuples.tsx
index 368899b7..fd95a5c7 100644
--- a/web/dashboard/src/pages/authorization/Tuples.tsx
+++ b/web/dashboard/src/pages/authorization/Tuples.tsx
@@ -96,7 +96,7 @@ const GRANT_PATTERNS: {
 		tuple: {
 			user: 'user:<user-id>',
 			relation: 'viewer',
-			object: 'folder:root',
+			object: 'folder:<folder-id>',
 		},
 	},
 ];

From 6d95bab8775b52b485a75be8dbad821807a62baf Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Wed, 10 Jun 2026 18:32:43 +0530
Subject: [PATCH 27/39] feat(fga)!: check_permissions + list_permissions public
 API, one resolver per file
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

BREAKING (branch-only, never released): replaces fga_check, fga_batch_check
and fga_list_objects.

- Public surface is now exactly two operations:
  - check_permissions(checks: [{relation, object, contextual_tuples?}], user?)
    → results echo each pair with allowed (a single check is a batch of one).
  - list_permissions(relation, object_type, user?) → objects.
- Subject trust gate (resolveFgaSubject): defaults to the caller's token
  subject; an explicit `user` (bare id normalized to user:<id>) is honored
  only for super-admins or when it equals the caller's own subject — anything
  else is rejected, never silently ignored.
- Resolvers restructured one-per-file: fga.go (shared helpers + gate),
  check_permissions.go, list_permissions.go, fga_write_model.go,
  fga_get_model.go, fga_write_tuples.go, fga_delete_tuples.go,
  fga_read_tuples.go, fga_list_users.go, fga_expand.go, fga_reset.go.
- Dashboard: Access Tester page removed (the wizard is now 2 steps); per-user
  verification moved to Users table → "View Permissions" modal, which calls
  list_permissions with an explicit subject under the admin session.
- Metrics labels: check_permissions / list_permissions.
- Integration tests rewritten, including a new self-specification case
  (non-admin passing their own subject is honored).
---
 internal/graph/generated/generated.go         | 1831 ++++++++---------
 internal/graph/model/models_gen.go            |   67 +-
 internal/graph/schema.graphqls                |   68 +-
 internal/graph/schema.resolvers.go            |   17 +-
 internal/graphql/check_permissions.go         |   76 +
 internal/graphql/fga.go                       |  151 ++
 internal/graphql/fga_admin.go                 |  360 ----
 internal/graphql/fga_delete_tuples.go         |   49 +
 internal/graphql/fga_expand.go                |   43 +
 internal/graphql/fga_get_model.go             |   45 +
 internal/graphql/fga_list_users.go            |   47 +
 internal/graphql/fga_read_tuples.go           |   64 +
 internal/graphql/fga_reset.go                 |   61 +
 internal/graphql/fga_runtime.go               |  233 ---
 internal/graphql/fga_write_model.go           |   50 +
 internal/graphql/fga_write_tuples.go          |   49 +
 internal/graphql/list_permissions.go          |   49 +
 internal/graphql/provider.go                  |   12 +-
 internal/integration_tests/fga_test.go        |  121 +-
 internal/metrics/metrics.go                   |   37 +-
 internal/metrics/metrics_test.go              |   22 +-
 web/dashboard/src/components/Sidebar.tsx      |    5 -
 .../src/components/UserPermissionsModal.tsx   |  163 ++
 web/dashboard/src/graphql/queries/index.ts    |   10 +-
 web/dashboard/src/pages/Users.tsx             |   21 +-
 .../src/pages/authorization/AuthSteps.tsx     |   56 +-
 .../src/pages/authorization/Tester.tsx        |  293 ---
 .../src/pages/authorization/Tuples.tsx        |    4 +-
 web/dashboard/src/routes/index.tsx            |    5 -
 web/dashboard/src/types.ts                    |    6 +-
 30 files changed, 1964 insertions(+), 2051 deletions(-)
 create mode 100644 internal/graphql/check_permissions.go
 create mode 100644 internal/graphql/fga.go
 delete mode 100644 internal/graphql/fga_admin.go
 create mode 100644 internal/graphql/fga_delete_tuples.go
 create mode 100644 internal/graphql/fga_expand.go
 create mode 100644 internal/graphql/fga_get_model.go
 create mode 100644 internal/graphql/fga_list_users.go
 create mode 100644 internal/graphql/fga_read_tuples.go
 create mode 100644 internal/graphql/fga_reset.go
 delete mode 100644 internal/graphql/fga_runtime.go
 create mode 100644 internal/graphql/fga_write_model.go
 create mode 100644 internal/graphql/fga_write_tuples.go
 create mode 100644 internal/graphql/list_permissions.go
 create mode 100644 web/dashboard/src/components/UserPermissionsModal.tsx
 delete mode 100644 web/dashboard/src/pages/authorization/Tester.tsx

diff --git a/internal/graph/generated/generated.go b/internal/graph/generated/generated.go
index 86df0c83..d45022d3 100644
--- a/internal/graph/generated/generated.go
+++ b/internal/graph/generated/generated.go
@@ -86,6 +86,10 @@ type ComplexityRoot struct {
 		User                       func(childComplexity int) int
 	}
 
+	CheckPermissionsResponse struct {
+		Results func(childComplexity int) int
+	}
+
 	EmailTemplate struct {
 		CreatedAt func(childComplexity int) int
 		Design    func(childComplexity int) int
@@ -180,22 +184,10 @@ type ComplexityRoot struct {
 		Reason  func(childComplexity int) int
 	}
 
-	FgaBatchCheckResponse struct {
-		Results func(childComplexity int) int
-	}
-
-	FgaCheckResponse struct {
-		Allowed func(childComplexity int) int
-	}
-
 	FgaExpandResponse struct {
 		Tree func(childComplexity int) int
 	}
 
-	FgaListObjectsResponse struct {
-		Objects func(childComplexity int) int
-	}
-
 	FgaListUsersResponse struct {
 		Users func(childComplexity int) int
 	}
@@ -232,6 +224,10 @@ type ComplexityRoot struct {
 		Users   func(childComplexity int) int
 	}
 
+	ListPermissionsResponse struct {
+		Objects func(childComplexity int) int
+	}
+
 	Meta struct {
 		ClientID                           func(childComplexity int) int
 		IsAppleLoginEnabled                func(childComplexity int) int
@@ -301,19 +297,24 @@ type ComplexityRoot struct {
 		Total  func(childComplexity int) int
 	}
 
+	PermissionCheckResult struct {
+		Allowed  func(childComplexity int) int
+		Object   func(childComplexity int) int
+		Relation func(childComplexity int) int
+	}
+
 	Query struct {
 		AdminMeta            func(childComplexity int) int
 		AdminSession         func(childComplexity int) int
 		AuditLogs            func(childComplexity int, params *model.ListAuditLogRequest) int
+		CheckPermissions     func(childComplexity int, params model.CheckPermissionsInput) int
 		EmailTemplates       func(childComplexity int, params *model.PaginatedRequest) int
 		Env                  func(childComplexity int) int
-		FgaBatchCheck        func(childComplexity int, params model.FgaBatchCheckInput) int
-		FgaCheck             func(childComplexity int, params model.FgaCheckInput) int
 		FgaExpand            func(childComplexity int, params model.FgaExpandInput) int
 		FgaGetModel          func(childComplexity int) int
-		FgaListObjects       func(childComplexity int, params model.FgaListObjectsInput) int
 		FgaListUsers         func(childComplexity int, params model.FgaListUsersInput) int
 		FgaReadTuples        func(childComplexity int, params model.FgaReadTuplesInput) int
+		ListPermissions      func(childComplexity int, params model.ListPermissionsInput) int
 		Meta                 func(childComplexity int) int
 		Profile              func(childComplexity int) int
 		Session              func(childComplexity int, params *model.SessionQueryRequest) int
@@ -482,9 +483,8 @@ type QueryResolver interface {
 	FgaReadTuples(ctx context.Context, params model.FgaReadTuplesInput) (*model.FgaTuples, error)
 	FgaListUsers(ctx context.Context, params model.FgaListUsersInput) (*model.FgaListUsersResponse, error)
 	FgaExpand(ctx context.Context, params model.FgaExpandInput) (*model.FgaExpandResponse, error)
-	FgaCheck(ctx context.Context, params model.FgaCheckInput) (*model.FgaCheckResponse, error)
-	FgaBatchCheck(ctx context.Context, params model.FgaBatchCheckInput) (*model.FgaBatchCheckResponse, error)
-	FgaListObjects(ctx context.Context, params model.FgaListObjectsInput) (*model.FgaListObjectsResponse, error)
+	CheckPermissions(ctx context.Context, params model.CheckPermissionsInput) (*model.CheckPermissionsResponse, error)
+	ListPermissions(ctx context.Context, params model.ListPermissionsInput) (*model.ListPermissionsResponse, error)
 }
 
 type executableSchema struct {
@@ -702,6 +702,13 @@ func (e *executableSchema) Complexity(ctx context.Context, typeName, field strin
 
 		return e.complexity.AuthResponse.User(childComplexity), true
 
+	case "CheckPermissionsResponse.results":
+		if e.complexity.CheckPermissionsResponse.Results == nil {
+			break
+		}
+
+		return e.complexity.CheckPermissionsResponse.Results(childComplexity), true
+
 	case "EmailTemplate.created_at":
 		if e.complexity.EmailTemplate.CreatedAt == nil {
 			break
@@ -1276,20 +1283,6 @@ func (e *executableSchema) Complexity(ctx context.Context, typeName, field strin
 
 		return e.complexity.Error.Reason(childComplexity), true
 
-	case "FgaBatchCheckResponse.results":
-		if e.complexity.FgaBatchCheckResponse.Results == nil {
-			break
-		}
-
-		return e.complexity.FgaBatchCheckResponse.Results(childComplexity), true
-
-	case "FgaCheckResponse.allowed":
-		if e.complexity.FgaCheckResponse.Allowed == nil {
-			break
-		}
-
-		return e.complexity.FgaCheckResponse.Allowed(childComplexity), true
-
 	case "FgaExpandResponse.tree":
 		if e.complexity.FgaExpandResponse.Tree == nil {
 			break
@@ -1297,13 +1290,6 @@ func (e *executableSchema) Complexity(ctx context.Context, typeName, field strin
 
 		return e.complexity.FgaExpandResponse.Tree(childComplexity), true
 
-	case "FgaListObjectsResponse.objects":
-		if e.complexity.FgaListObjectsResponse.Objects == nil {
-			break
-		}
-
-		return e.complexity.FgaListObjectsResponse.Objects(childComplexity), true
-
 	case "FgaListUsersResponse.users":
 		if e.complexity.FgaListUsersResponse.Users == nil {
 			break
@@ -1409,6 +1395,13 @@ func (e *executableSchema) Complexity(ctx context.Context, typeName, field strin
 
 		return e.complexity.InviteMembersResponse.Users(childComplexity), true
 
+	case "ListPermissionsResponse.objects":
+		if e.complexity.ListPermissionsResponse.Objects == nil {
+			break
+		}
+
+		return e.complexity.ListPermissionsResponse.Objects(childComplexity), true
+
 	case "Meta.client_id":
 		if e.complexity.Meta.ClientID == nil {
 			break
@@ -1989,6 +1982,27 @@ func (e *executableSchema) Complexity(ctx context.Context, typeName, field strin
 
 		return e.complexity.Pagination.Total(childComplexity), true
 
+	case "PermissionCheckResult.allowed":
+		if e.complexity.PermissionCheckResult.Allowed == nil {
+			break
+		}
+
+		return e.complexity.PermissionCheckResult.Allowed(childComplexity), true
+
+	case "PermissionCheckResult.object":
+		if e.complexity.PermissionCheckResult.Object == nil {
+			break
+		}
+
+		return e.complexity.PermissionCheckResult.Object(childComplexity), true
+
+	case "PermissionCheckResult.relation":
+		if e.complexity.PermissionCheckResult.Relation == nil {
+			break
+		}
+
+		return e.complexity.PermissionCheckResult.Relation(childComplexity), true
+
 	case "Query._admin_meta":
 		if e.complexity.Query.AdminMeta == nil {
 			break
@@ -2015,48 +2029,36 @@ func (e *executableSchema) Complexity(ctx context.Context, typeName, field strin
 
 		return e.complexity.Query.AuditLogs(childComplexity, args["params"].(*model.ListAuditLogRequest)), true
 
-	case "Query._email_templates":
-		if e.complexity.Query.EmailTemplates == nil {
+	case "Query.check_permissions":
+		if e.complexity.Query.CheckPermissions == nil {
 			break
 		}
 
-		args, err := ec.field_Query__email_templates_args(ctx, rawArgs)
+		args, err := ec.field_Query_check_permissions_args(ctx, rawArgs)
 		if err != nil {
 			return 0, false
 		}
 
-		return e.complexity.Query.EmailTemplates(childComplexity, args["params"].(*model.PaginatedRequest)), true
-
-	case "Query._env":
-		if e.complexity.Query.Env == nil {
-			break
-		}
-
-		return e.complexity.Query.Env(childComplexity), true
+		return e.complexity.Query.CheckPermissions(childComplexity, args["params"].(model.CheckPermissionsInput)), true
 
-	case "Query.fga_batch_check":
-		if e.complexity.Query.FgaBatchCheck == nil {
+	case "Query._email_templates":
+		if e.complexity.Query.EmailTemplates == nil {
 			break
 		}
 
-		args, err := ec.field_Query_fga_batch_check_args(ctx, rawArgs)
+		args, err := ec.field_Query__email_templates_args(ctx, rawArgs)
 		if err != nil {
 			return 0, false
 		}
 
-		return e.complexity.Query.FgaBatchCheck(childComplexity, args["params"].(model.FgaBatchCheckInput)), true
+		return e.complexity.Query.EmailTemplates(childComplexity, args["params"].(*model.PaginatedRequest)), true
 
-	case "Query.fga_check":
-		if e.complexity.Query.FgaCheck == nil {
+	case "Query._env":
+		if e.complexity.Query.Env == nil {
 			break
 		}
 
-		args, err := ec.field_Query_fga_check_args(ctx, rawArgs)
-		if err != nil {
-			return 0, false
-		}
-
-		return e.complexity.Query.FgaCheck(childComplexity, args["params"].(model.FgaCheckInput)), true
+		return e.complexity.Query.Env(childComplexity), true
 
 	case "Query._fga_expand":
 		if e.complexity.Query.FgaExpand == nil {
@@ -2077,18 +2079,6 @@ func (e *executableSchema) Complexity(ctx context.Context, typeName, field strin
 
 		return e.complexity.Query.FgaGetModel(childComplexity), true
 
-	case "Query.fga_list_objects":
-		if e.complexity.Query.FgaListObjects == nil {
-			break
-		}
-
-		args, err := ec.field_Query_fga_list_objects_args(ctx, rawArgs)
-		if err != nil {
-			return 0, false
-		}
-
-		return e.complexity.Query.FgaListObjects(childComplexity, args["params"].(model.FgaListObjectsInput)), true
-
 	case "Query._fga_list_users":
 		if e.complexity.Query.FgaListUsers == nil {
 			break
@@ -2113,6 +2103,18 @@ func (e *executableSchema) Complexity(ctx context.Context, typeName, field strin
 
 		return e.complexity.Query.FgaReadTuples(childComplexity, args["params"].(model.FgaReadTuplesInput)), true
 
+	case "Query.list_permissions":
+		if e.complexity.Query.ListPermissions == nil {
+			break
+		}
+
+		args, err := ec.field_Query_list_permissions_args(ctx, rawArgs)
+		if err != nil {
+			return 0, false
+		}
+
+		return e.complexity.Query.ListPermissions(childComplexity, args["params"].(model.ListPermissionsInput)), true
+
 	case "Query.meta":
 		if e.complexity.Query.Meta == nil {
 			break
@@ -2660,13 +2662,10 @@ func (e *executableSchema) Exec(ctx context.Context) graphql.ResponseHandler {
 		ec.unmarshalInputAddWebhookRequest,
 		ec.unmarshalInputAdminLoginRequest,
 		ec.unmarshalInputAdminSignupRequest,
+		ec.unmarshalInputCheckPermissionsInput,
 		ec.unmarshalInputDeleteEmailTemplateRequest,
 		ec.unmarshalInputDeleteUserRequest,
-		ec.unmarshalInputFgaBatchCheckInput,
-		ec.unmarshalInputFgaCheckInput,
-		ec.unmarshalInputFgaCheckPairInput,
 		ec.unmarshalInputFgaExpandInput,
-		ec.unmarshalInputFgaListObjectsInput,
 		ec.unmarshalInputFgaListUsersInput,
 		ec.unmarshalInputFgaReadTuplesInput,
 		ec.unmarshalInputFgaRelationInput,
@@ -2678,6 +2677,7 @@ func (e *executableSchema) Exec(ctx context.Context) graphql.ResponseHandler {
 		ec.unmarshalInputGetUserRequest,
 		ec.unmarshalInputInviteMemberRequest,
 		ec.unmarshalInputListAuditLogRequest,
+		ec.unmarshalInputListPermissionsInput,
 		ec.unmarshalInputListWebhookLogRequest,
 		ec.unmarshalInputLoginRequest,
 		ec.unmarshalInputMagicLinkLoginRequest,
@@ -2686,6 +2686,7 @@ func (e *executableSchema) Exec(ctx context.Context) graphql.ResponseHandler {
 		ec.unmarshalInputOAuthRevokeRequest,
 		ec.unmarshalInputPaginatedRequest,
 		ec.unmarshalInputPaginationRequest,
+		ec.unmarshalInputPermissionCheckInput,
 		ec.unmarshalInputResendOTPRequest,
 		ec.unmarshalInputResendVerifyEmailRequest,
 		ec.unmarshalInputResetPasswordRequest,
@@ -2944,18 +2945,22 @@ type FgaTuples {
   continuation_token: String
 }
 
-# FgaCheckResponse is the result of a single relationship check.
-type FgaCheckResponse {
+# PermissionCheckResult is the outcome of one permission check, echoing the
+# checked pair so batch results are self-describing (and positionally aligned).
+type PermissionCheckResult {
+  relation: String!
+  object: String!
   allowed: Boolean!
 }
 
-# FgaBatchCheckResponse is the positionally-aligned result of a batch check.
-type FgaBatchCheckResponse {
-  results: [FgaCheckResponse!]!
+# CheckPermissionsResponse carries one result per supplied check, in order.
+type CheckPermissionsResponse {
+  results: [PermissionCheckResult!]!
 }
 
-# FgaListObjectsResponse lists fully-qualified object ids the caller relates to.
-type FgaListObjectsResponse {
+# ListPermissionsResponse lists the fully-qualified object ids the subject
+# holds the queried permission on.
+type ListPermissionsResponse {
   objects: [String!]!
 }
 
@@ -3542,45 +3547,32 @@ input FgaReadTuplesInput {
   continuation_token: String
 }
 
-# FgaCheckInput asks "is <user> related to object via relation?". The subject
-# (user) defaults to the authenticated caller and is pinned server-side from the
-# auth token. The optional ` + "`" + `user` + "`" + ` field lets a TRUSTED caller (super-admin) check
-# on behalf of another subject; a non-trusted caller supplying ` + "`" + `user` + "`" + ` is rejected
-# (no silent self-fallback). Only relation, object, optional ` + "`" + `user` + "`" + ` and optional
-# contextual tuples are accepted from the client.
-input FgaCheckInput {
+# PermissionCheckInput is one permission to evaluate: "does the subject have
+# <relation> on <object>?". Contextual tuples are evaluated for this check only
+# and never persisted.
+input PermissionCheckInput {
   relation: String!
   object: String!
   contextual_tuples: [FgaTupleInput!]
-  # Optional subject override ("type:id" or bare id → "user:id"). Honored only
-  # for super-admin callers; rejected otherwise.
-  user: String
-}
-
-# FgaBatchCheckInput evaluates multiple relation/object pairs for the
-# authenticated caller (principal pinned server-side).
-input FgaBatchCheckInput {
-  checks: [FgaCheckPairInput!]!
 }
 
-# FgaCheckPairInput is one relation/object pair within a batch check.
-input FgaCheckPairInput {
-  relation: String!
-  object: String!
-  contextual_tuples: [FgaTupleInput!]
-  # Optional subject override ("type:id" or bare id → "user:id"). Honored only
-  # for super-admin callers; rejected otherwise.
+# CheckPermissionsInput evaluates one or more permission checks in a single
+# call. The subject defaults to the authenticated caller (JWT / session
+# cookie). The optional ` + "`" + `user` + "`" + ` ("type:id", or a bare id treated as
+# "user:<id>") is honored only when the caller is a super-admin OR it equals
+# the caller's own token subject; anything else is rejected — never silently
+# ignored.
+input CheckPermissionsInput {
+  checks: [PermissionCheckInput!]!
   user: String
 }
 
-# FgaListObjectsInput enumerates objects of type object_type that <user> relates
-# to via relation. The subject defaults to the authenticated caller; the optional
-# ` + "`" + `user` + "`" + ` override is honored only for super-admin callers (rejected otherwise).
-input FgaListObjectsInput {
+# ListPermissionsInput enumerates the objects of ` + "`" + `object_type` + "`" + ` the subject
+# holds ` + "`" + `relation` + "`" + ` on. Subject resolution follows the same rules as
+# CheckPermissionsInput.user.
+input ListPermissionsInput {
   relation: String!
   object_type: String!
-  # Optional subject override ("type:id" or bare id → "user:id"). Honored only
-  # for super-admin callers; rejected otherwise.
   user: String
 }
 
@@ -3679,9 +3671,8 @@ type Query {
   _fga_list_users(params: FgaListUsersInput!): FgaListUsersResponse!
   _fga_expand(params: FgaExpandInput!): FgaExpandResponse!
   # FGA runtime queries (authenticated caller; principal pinned server-side)
-  fga_check(params: FgaCheckInput!): FgaCheckResponse!
-  fga_batch_check(params: FgaBatchCheckInput!): FgaBatchCheckResponse!
-  fga_list_objects(params: FgaListObjectsInput!): FgaListObjectsResponse!
+  check_permissions(params: CheckPermissionsInput!): CheckPermissionsResponse!
+  list_permissions(params: ListPermissionsInput!): ListPermissionsResponse!
 }
 `, BuiltIn: false},
 }
@@ -4923,87 +4914,59 @@ func (ec *executionContext) field_Query__webhooks_argsParams(
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field_Query_fga_batch_check_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Query_check_permissions_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field_Query_fga_batch_check_argsParams(ctx, rawArgs)
+	arg0, err := ec.field_Query_check_permissions_argsParams(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
 	args["params"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field_Query_fga_batch_check_argsParams(
+func (ec *executionContext) field_Query_check_permissions_argsParams(
 	ctx context.Context,
 	rawArgs map[string]any,
-) (model.FgaBatchCheckInput, error) {
+) (model.CheckPermissionsInput, error) {
 	if _, ok := rawArgs["params"]; !ok {
-		var zeroVal model.FgaBatchCheckInput
+		var zeroVal model.CheckPermissionsInput
 		return zeroVal, nil
 	}
 
 	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
 	if tmp, ok := rawArgs["params"]; ok {
-		return ec.unmarshalNFgaBatchCheckInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaBatchCheckInput(ctx, tmp)
+		return ec.unmarshalNCheckPermissionsInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐCheckPermissionsInput(ctx, tmp)
 	}
 
-	var zeroVal model.FgaBatchCheckInput
+	var zeroVal model.CheckPermissionsInput
 	return zeroVal, nil
 }
 
-func (ec *executionContext) field_Query_fga_check_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
+func (ec *executionContext) field_Query_list_permissions_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
 	var err error
 	args := map[string]any{}
-	arg0, err := ec.field_Query_fga_check_argsParams(ctx, rawArgs)
+	arg0, err := ec.field_Query_list_permissions_argsParams(ctx, rawArgs)
 	if err != nil {
 		return nil, err
 	}
 	args["params"] = arg0
 	return args, nil
 }
-func (ec *executionContext) field_Query_fga_check_argsParams(
+func (ec *executionContext) field_Query_list_permissions_argsParams(
 	ctx context.Context,
 	rawArgs map[string]any,
-) (model.FgaCheckInput, error) {
+) (model.ListPermissionsInput, error) {
 	if _, ok := rawArgs["params"]; !ok {
-		var zeroVal model.FgaCheckInput
+		var zeroVal model.ListPermissionsInput
 		return zeroVal, nil
 	}
 
 	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
 	if tmp, ok := rawArgs["params"]; ok {
-		return ec.unmarshalNFgaCheckInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaCheckInput(ctx, tmp)
+		return ec.unmarshalNListPermissionsInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐListPermissionsInput(ctx, tmp)
 	}
 
-	var zeroVal model.FgaCheckInput
-	return zeroVal, nil
-}
-
-func (ec *executionContext) field_Query_fga_list_objects_args(ctx context.Context, rawArgs map[string]any) (map[string]any, error) {
-	var err error
-	args := map[string]any{}
-	arg0, err := ec.field_Query_fga_list_objects_argsParams(ctx, rawArgs)
-	if err != nil {
-		return nil, err
-	}
-	args["params"] = arg0
-	return args, nil
-}
-func (ec *executionContext) field_Query_fga_list_objects_argsParams(
-	ctx context.Context,
-	rawArgs map[string]any,
-) (model.FgaListObjectsInput, error) {
-	if _, ok := rawArgs["params"]; !ok {
-		var zeroVal model.FgaListObjectsInput
-		return zeroVal, nil
-	}
-
-	ctx = graphql.WithPathContext(ctx, graphql.NewPathWithField("params"))
-	if tmp, ok := rawArgs["params"]; ok {
-		return ec.unmarshalNFgaListObjectsInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaListObjectsInput(ctx, tmp)
-	}
-
-	var zeroVal model.FgaListObjectsInput
+	var zeroVal model.ListPermissionsInput
 	return zeroVal, nil
 }
 
@@ -6456,6 +6419,58 @@ func (ec *executionContext) fieldContext_AuthResponse_authenticator_recovery_cod
 	return fc, nil
 }
 
+func (ec *executionContext) _CheckPermissionsResponse_results(ctx context.Context, field graphql.CollectedField, obj *model.CheckPermissionsResponse) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_CheckPermissionsResponse_results(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.Results, nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
+		return graphql.Null
+	}
+	res := resTmp.([]*model.PermissionCheckResult)
+	fc.Result = res
+	return ec.marshalNPermissionCheckResult2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPermissionCheckResultᚄ(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext_CheckPermissionsResponse_results(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "CheckPermissionsResponse",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			switch field.Name {
+			case "relation":
+				return ec.fieldContext_PermissionCheckResult_relation(ctx, field)
+			case "object":
+				return ec.fieldContext_PermissionCheckResult_object(ctx, field)
+			case "allowed":
+				return ec.fieldContext_PermissionCheckResult_allowed(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type PermissionCheckResult", field.Name)
+		},
+	}
+	return fc, nil
+}
+
 func (ec *executionContext) _EmailTemplate_id(ctx context.Context, field graphql.CollectedField, obj *model.EmailTemplate) (ret graphql.Marshaler) {
 	fc, err := ec.fieldContext_EmailTemplate_id(ctx, field)
 	if err != nil {
@@ -9922,8 +9937,8 @@ func (ec *executionContext) fieldContext_Error_reason(_ context.Context, field g
 	return fc, nil
 }
 
-func (ec *executionContext) _FgaBatchCheckResponse_results(ctx context.Context, field graphql.CollectedField, obj *model.FgaBatchCheckResponse) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_FgaBatchCheckResponse_results(ctx, field)
+func (ec *executionContext) _FgaExpandResponse_tree(ctx context.Context, field graphql.CollectedField, obj *model.FgaExpandResponse) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_FgaExpandResponse_tree(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -9936,7 +9951,7 @@ func (ec *executionContext) _FgaBatchCheckResponse_results(ctx context.Context,
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Results, nil
+		return obj.Tree, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -9948,30 +9963,26 @@ func (ec *executionContext) _FgaBatchCheckResponse_results(ctx context.Context,
 		}
 		return graphql.Null
 	}
-	res := resTmp.([]*model.FgaCheckResponse)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalNFgaCheckResponse2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaCheckResponseᚄ(ctx, field.Selections, res)
+	return ec.marshalNString2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_FgaBatchCheckResponse_results(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_FgaExpandResponse_tree(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "FgaBatchCheckResponse",
+		Object:     "FgaExpandResponse",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "allowed":
-				return ec.fieldContext_FgaCheckResponse_allowed(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type FgaCheckResponse", field.Name)
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _FgaCheckResponse_allowed(ctx context.Context, field graphql.CollectedField, obj *model.FgaCheckResponse) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_FgaCheckResponse_allowed(ctx, field)
+func (ec *executionContext) _FgaListUsersResponse_users(ctx context.Context, field graphql.CollectedField, obj *model.FgaListUsersResponse) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_FgaListUsersResponse_users(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -9984,7 +9995,7 @@ func (ec *executionContext) _FgaCheckResponse_allowed(ctx context.Context, field
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Allowed, nil
+		return obj.Users, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -9996,26 +10007,26 @@ func (ec *executionContext) _FgaCheckResponse_allowed(ctx context.Context, field
 		}
 		return graphql.Null
 	}
-	res := resTmp.(bool)
+	res := resTmp.([]string)
 	fc.Result = res
-	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+	return ec.marshalNString2ᚕstringᚄ(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_FgaCheckResponse_allowed(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_FgaListUsersResponse_users(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "FgaCheckResponse",
+		Object:     "FgaListUsersResponse",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type Boolean does not have child fields")
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _FgaExpandResponse_tree(ctx context.Context, field graphql.CollectedField, obj *model.FgaExpandResponse) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_FgaExpandResponse_tree(ctx, field)
+func (ec *executionContext) _FgaModel_id(ctx context.Context, field graphql.CollectedField, obj *model.FgaModel) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_FgaModel_id(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -10028,7 +10039,7 @@ func (ec *executionContext) _FgaExpandResponse_tree(ctx context.Context, field g
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Tree, nil
+		return obj.ID, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -10045,9 +10056,9 @@ func (ec *executionContext) _FgaExpandResponse_tree(ctx context.Context, field g
 	return ec.marshalNString2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_FgaExpandResponse_tree(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_FgaModel_id(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "FgaExpandResponse",
+		Object:     "FgaModel",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -10058,8 +10069,8 @@ func (ec *executionContext) fieldContext_FgaExpandResponse_tree(_ context.Contex
 	return fc, nil
 }
 
-func (ec *executionContext) _FgaListObjectsResponse_objects(ctx context.Context, field graphql.CollectedField, obj *model.FgaListObjectsResponse) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_FgaListObjectsResponse_objects(ctx, field)
+func (ec *executionContext) _FgaModel_dsl(ctx context.Context, field graphql.CollectedField, obj *model.FgaModel) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_FgaModel_dsl(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -10072,7 +10083,7 @@ func (ec *executionContext) _FgaListObjectsResponse_objects(ctx context.Context,
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Objects, nil
+		return obj.Dsl, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -10084,14 +10095,14 @@ func (ec *executionContext) _FgaListObjectsResponse_objects(ctx context.Context,
 		}
 		return graphql.Null
 	}
-	res := resTmp.([]string)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalNString2ᚕstringᚄ(ctx, field.Selections, res)
+	return ec.marshalNString2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_FgaListObjectsResponse_objects(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_FgaModel_dsl(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "FgaListObjectsResponse",
+		Object:     "FgaModel",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -10102,8 +10113,8 @@ func (ec *executionContext) fieldContext_FgaListObjectsResponse_objects(_ contex
 	return fc, nil
 }
 
-func (ec *executionContext) _FgaListUsersResponse_users(ctx context.Context, field graphql.CollectedField, obj *model.FgaListUsersResponse) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_FgaListUsersResponse_users(ctx, field)
+func (ec *executionContext) _FgaTuple_user(ctx context.Context, field graphql.CollectedField, obj *model.FgaTuple) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_FgaTuple_user(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -10116,7 +10127,7 @@ func (ec *executionContext) _FgaListUsersResponse_users(ctx context.Context, fie
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Users, nil
+		return obj.User, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -10128,14 +10139,14 @@ func (ec *executionContext) _FgaListUsersResponse_users(ctx context.Context, fie
 		}
 		return graphql.Null
 	}
-	res := resTmp.([]string)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalNString2ᚕstringᚄ(ctx, field.Selections, res)
+	return ec.marshalNString2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_FgaListUsersResponse_users(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_FgaTuple_user(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "FgaListUsersResponse",
+		Object:     "FgaTuple",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -10146,8 +10157,8 @@ func (ec *executionContext) fieldContext_FgaListUsersResponse_users(_ context.Co
 	return fc, nil
 }
 
-func (ec *executionContext) _FgaModel_id(ctx context.Context, field graphql.CollectedField, obj *model.FgaModel) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_FgaModel_id(ctx, field)
+func (ec *executionContext) _FgaTuple_relation(ctx context.Context, field graphql.CollectedField, obj *model.FgaTuple) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_FgaTuple_relation(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -10160,7 +10171,7 @@ func (ec *executionContext) _FgaModel_id(ctx context.Context, field graphql.Coll
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.ID, nil
+		return obj.Relation, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -10177,9 +10188,9 @@ func (ec *executionContext) _FgaModel_id(ctx context.Context, field graphql.Coll
 	return ec.marshalNString2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_FgaModel_id(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_FgaTuple_relation(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "FgaModel",
+		Object:     "FgaTuple",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -10190,8 +10201,8 @@ func (ec *executionContext) fieldContext_FgaModel_id(_ context.Context, field gr
 	return fc, nil
 }
 
-func (ec *executionContext) _FgaModel_dsl(ctx context.Context, field graphql.CollectedField, obj *model.FgaModel) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_FgaModel_dsl(ctx, field)
+func (ec *executionContext) _FgaTuple_object(ctx context.Context, field graphql.CollectedField, obj *model.FgaTuple) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_FgaTuple_object(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -10204,7 +10215,7 @@ func (ec *executionContext) _FgaModel_dsl(ctx context.Context, field graphql.Col
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.Dsl, nil
+		return obj.Object, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -10221,9 +10232,9 @@ func (ec *executionContext) _FgaModel_dsl(ctx context.Context, field graphql.Col
 	return ec.marshalNString2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_FgaModel_dsl(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_FgaTuple_object(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "FgaModel",
+		Object:     "FgaTuple",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -10234,8 +10245,8 @@ func (ec *executionContext) fieldContext_FgaModel_dsl(_ context.Context, field g
 	return fc, nil
 }
 
-func (ec *executionContext) _FgaTuple_user(ctx context.Context, field graphql.CollectedField, obj *model.FgaTuple) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_FgaTuple_user(ctx, field)
+func (ec *executionContext) _FgaTuples_tuples(ctx context.Context, field graphql.CollectedField, obj *model.FgaTuples) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_FgaTuples_tuples(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -10248,7 +10259,7 @@ func (ec *executionContext) _FgaTuple_user(ctx context.Context, field graphql.Co
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return obj.User, nil
+		return obj.Tuples, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -10260,146 +10271,14 @@ func (ec *executionContext) _FgaTuple_user(ctx context.Context, field graphql.Co
 		}
 		return graphql.Null
 	}
-	res := resTmp.(string)
+	res := resTmp.([]*model.FgaTuple)
 	fc.Result = res
-	return ec.marshalNString2string(ctx, field.Selections, res)
+	return ec.marshalNFgaTuple2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaTupleᚄ(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_FgaTuple_user(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_FgaTuples_tuples(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "FgaTuple",
-		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
-		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
-		},
-	}
-	return fc, nil
-}
-
-func (ec *executionContext) _FgaTuple_relation(ctx context.Context, field graphql.CollectedField, obj *model.FgaTuple) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_FgaTuple_relation(ctx, field)
-	if err != nil {
-		return graphql.Null
-	}
-	ctx = graphql.WithFieldContext(ctx, fc)
-	defer func() {
-		if r := recover(); r != nil {
-			ec.Error(ctx, ec.Recover(ctx, r))
-			ret = graphql.Null
-		}
-	}()
-	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
-		ctx = rctx // use context from middleware stack in children
-		return obj.Relation, nil
-	})
-	if err != nil {
-		ec.Error(ctx, err)
-		return graphql.Null
-	}
-	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
-		return graphql.Null
-	}
-	res := resTmp.(string)
-	fc.Result = res
-	return ec.marshalNString2string(ctx, field.Selections, res)
-}
-
-func (ec *executionContext) fieldContext_FgaTuple_relation(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
-	fc = &graphql.FieldContext{
-		Object:     "FgaTuple",
-		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
-		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
-		},
-	}
-	return fc, nil
-}
-
-func (ec *executionContext) _FgaTuple_object(ctx context.Context, field graphql.CollectedField, obj *model.FgaTuple) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_FgaTuple_object(ctx, field)
-	if err != nil {
-		return graphql.Null
-	}
-	ctx = graphql.WithFieldContext(ctx, fc)
-	defer func() {
-		if r := recover(); r != nil {
-			ec.Error(ctx, ec.Recover(ctx, r))
-			ret = graphql.Null
-		}
-	}()
-	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
-		ctx = rctx // use context from middleware stack in children
-		return obj.Object, nil
-	})
-	if err != nil {
-		ec.Error(ctx, err)
-		return graphql.Null
-	}
-	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
-		return graphql.Null
-	}
-	res := resTmp.(string)
-	fc.Result = res
-	return ec.marshalNString2string(ctx, field.Selections, res)
-}
-
-func (ec *executionContext) fieldContext_FgaTuple_object(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
-	fc = &graphql.FieldContext{
-		Object:     "FgaTuple",
-		Field:      field,
-		IsMethod:   false,
-		IsResolver: false,
-		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			return nil, errors.New("field of type String does not have child fields")
-		},
-	}
-	return fc, nil
-}
-
-func (ec *executionContext) _FgaTuples_tuples(ctx context.Context, field graphql.CollectedField, obj *model.FgaTuples) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_FgaTuples_tuples(ctx, field)
-	if err != nil {
-		return graphql.Null
-	}
-	ctx = graphql.WithFieldContext(ctx, fc)
-	defer func() {
-		if r := recover(); r != nil {
-			ec.Error(ctx, ec.Recover(ctx, r))
-			ret = graphql.Null
-		}
-	}()
-	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
-		ctx = rctx // use context from middleware stack in children
-		return obj.Tuples, nil
-	})
-	if err != nil {
-		ec.Error(ctx, err)
-		return graphql.Null
-	}
-	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
-		return graphql.Null
-	}
-	res := resTmp.([]*model.FgaTuple)
-	fc.Result = res
-	return ec.marshalNFgaTuple2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaTupleᚄ(ctx, field.Selections, res)
-}
-
-func (ec *executionContext) fieldContext_FgaTuples_tuples(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
-	fc = &graphql.FieldContext{
-		Object:     "FgaTuples",
+		Object:     "FgaTuples",
 		Field:      field,
 		IsMethod:   false,
 		IsResolver: false,
@@ -10797,6 +10676,50 @@ func (ec *executionContext) fieldContext_InviteMembersResponse_Users(_ context.C
 	return fc, nil
 }
 
+func (ec *executionContext) _ListPermissionsResponse_objects(ctx context.Context, field graphql.CollectedField, obj *model.ListPermissionsResponse) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_ListPermissionsResponse_objects(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.Objects, nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
+		return graphql.Null
+	}
+	res := resTmp.([]string)
+	fc.Result = res
+	return ec.marshalNString2ᚕstringᚄ(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext_ListPermissionsResponse_objects(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "ListPermissionsResponse",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type String does not have child fields")
+		},
+	}
+	return fc, nil
+}
+
 func (ec *executionContext) _Meta_version(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
 	fc, err := ec.fieldContext_Meta_version(ctx, field)
 	if err != nil {
@@ -14115,8 +14038,8 @@ func (ec *executionContext) fieldContext_Pagination_total(_ context.Context, fie
 	return fc, nil
 }
 
-func (ec *executionContext) _Query_meta(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Query_meta(ctx, field)
+func (ec *executionContext) _PermissionCheckResult_relation(ctx context.Context, field graphql.CollectedField, obj *model.PermissionCheckResult) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_PermissionCheckResult_relation(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -14129,7 +14052,7 @@ func (ec *executionContext) _Query_meta(ctx context.Context, field graphql.Colle
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Query().Meta(rctx)
+		return obj.Relation, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -14141,68 +14064,26 @@ func (ec *executionContext) _Query_meta(ctx context.Context, field graphql.Colle
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.Meta)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalNMeta2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐMeta(ctx, field.Selections, res)
+	return ec.marshalNString2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Query_meta(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_PermissionCheckResult_relation(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Query",
+		Object:     "PermissionCheckResult",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "version":
-				return ec.fieldContext_Meta_version(ctx, field)
-			case "client_id":
-				return ec.fieldContext_Meta_client_id(ctx, field)
-			case "is_google_login_enabled":
-				return ec.fieldContext_Meta_is_google_login_enabled(ctx, field)
-			case "is_facebook_login_enabled":
-				return ec.fieldContext_Meta_is_facebook_login_enabled(ctx, field)
-			case "is_github_login_enabled":
-				return ec.fieldContext_Meta_is_github_login_enabled(ctx, field)
-			case "is_linkedin_login_enabled":
-				return ec.fieldContext_Meta_is_linkedin_login_enabled(ctx, field)
-			case "is_apple_login_enabled":
-				return ec.fieldContext_Meta_is_apple_login_enabled(ctx, field)
-			case "is_discord_login_enabled":
-				return ec.fieldContext_Meta_is_discord_login_enabled(ctx, field)
-			case "is_twitter_login_enabled":
-				return ec.fieldContext_Meta_is_twitter_login_enabled(ctx, field)
-			case "is_microsoft_login_enabled":
-				return ec.fieldContext_Meta_is_microsoft_login_enabled(ctx, field)
-			case "is_twitch_login_enabled":
-				return ec.fieldContext_Meta_is_twitch_login_enabled(ctx, field)
-			case "is_roblox_login_enabled":
-				return ec.fieldContext_Meta_is_roblox_login_enabled(ctx, field)
-			case "is_email_verification_enabled":
-				return ec.fieldContext_Meta_is_email_verification_enabled(ctx, field)
-			case "is_basic_authentication_enabled":
-				return ec.fieldContext_Meta_is_basic_authentication_enabled(ctx, field)
-			case "is_magic_link_login_enabled":
-				return ec.fieldContext_Meta_is_magic_link_login_enabled(ctx, field)
-			case "is_sign_up_enabled":
-				return ec.fieldContext_Meta_is_sign_up_enabled(ctx, field)
-			case "is_strong_password_enabled":
-				return ec.fieldContext_Meta_is_strong_password_enabled(ctx, field)
-			case "is_multi_factor_auth_enabled":
-				return ec.fieldContext_Meta_is_multi_factor_auth_enabled(ctx, field)
-			case "is_mobile_basic_authentication_enabled":
-				return ec.fieldContext_Meta_is_mobile_basic_authentication_enabled(ctx, field)
-			case "is_phone_verification_enabled":
-				return ec.fieldContext_Meta_is_phone_verification_enabled(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type Meta", field.Name)
+			return nil, errors.New("field of type String does not have child fields")
 		},
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Query_session(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Query_session(ctx, field)
+func (ec *executionContext) _PermissionCheckResult_object(ctx context.Context, field graphql.CollectedField, obj *model.PermissionCheckResult) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_PermissionCheckResult_object(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -14215,7 +14096,7 @@ func (ec *executionContext) _Query_session(ctx context.Context, field graphql.Co
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Query().Session(rctx, fc.Args["params"].(*model.SessionQueryRequest))
+		return obj.Object, nil
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -14227,35 +14108,209 @@ func (ec *executionContext) _Query_session(ctx context.Context, field graphql.Co
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.AuthResponse)
+	res := resTmp.(string)
 	fc.Result = res
-	return ec.marshalNAuthResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthResponse(ctx, field.Selections, res)
+	return ec.marshalNString2string(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Query_session(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_PermissionCheckResult_object(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
-		Object:     "Query",
+		Object:     "PermissionCheckResult",
 		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
+		IsMethod:   false,
+		IsResolver: false,
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "message":
-				return ec.fieldContext_AuthResponse_message(ctx, field)
-			case "should_show_email_otp_screen":
-				return ec.fieldContext_AuthResponse_should_show_email_otp_screen(ctx, field)
-			case "should_show_mobile_otp_screen":
-				return ec.fieldContext_AuthResponse_should_show_mobile_otp_screen(ctx, field)
-			case "should_show_totp_screen":
-				return ec.fieldContext_AuthResponse_should_show_totp_screen(ctx, field)
-			case "access_token":
-				return ec.fieldContext_AuthResponse_access_token(ctx, field)
-			case "id_token":
-				return ec.fieldContext_AuthResponse_id_token(ctx, field)
-			case "refresh_token":
-				return ec.fieldContext_AuthResponse_refresh_token(ctx, field)
-			case "expires_in":
-				return ec.fieldContext_AuthResponse_expires_in(ctx, field)
+			return nil, errors.New("field of type String does not have child fields")
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) _PermissionCheckResult_allowed(ctx context.Context, field graphql.CollectedField, obj *model.PermissionCheckResult) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_PermissionCheckResult_allowed(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.Allowed, nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
+		return graphql.Null
+	}
+	res := resTmp.(bool)
+	fc.Result = res
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext_PermissionCheckResult_allowed(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "PermissionCheckResult",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type Boolean does not have child fields")
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) _Query_meta(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Query_meta(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return ec.resolvers.Query().Meta(rctx)
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
+		return graphql.Null
+	}
+	res := resTmp.(*model.Meta)
+	fc.Result = res
+	return ec.marshalNMeta2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐMeta(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext_Query_meta(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "Query",
+		Field:      field,
+		IsMethod:   true,
+		IsResolver: true,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			switch field.Name {
+			case "version":
+				return ec.fieldContext_Meta_version(ctx, field)
+			case "client_id":
+				return ec.fieldContext_Meta_client_id(ctx, field)
+			case "is_google_login_enabled":
+				return ec.fieldContext_Meta_is_google_login_enabled(ctx, field)
+			case "is_facebook_login_enabled":
+				return ec.fieldContext_Meta_is_facebook_login_enabled(ctx, field)
+			case "is_github_login_enabled":
+				return ec.fieldContext_Meta_is_github_login_enabled(ctx, field)
+			case "is_linkedin_login_enabled":
+				return ec.fieldContext_Meta_is_linkedin_login_enabled(ctx, field)
+			case "is_apple_login_enabled":
+				return ec.fieldContext_Meta_is_apple_login_enabled(ctx, field)
+			case "is_discord_login_enabled":
+				return ec.fieldContext_Meta_is_discord_login_enabled(ctx, field)
+			case "is_twitter_login_enabled":
+				return ec.fieldContext_Meta_is_twitter_login_enabled(ctx, field)
+			case "is_microsoft_login_enabled":
+				return ec.fieldContext_Meta_is_microsoft_login_enabled(ctx, field)
+			case "is_twitch_login_enabled":
+				return ec.fieldContext_Meta_is_twitch_login_enabled(ctx, field)
+			case "is_roblox_login_enabled":
+				return ec.fieldContext_Meta_is_roblox_login_enabled(ctx, field)
+			case "is_email_verification_enabled":
+				return ec.fieldContext_Meta_is_email_verification_enabled(ctx, field)
+			case "is_basic_authentication_enabled":
+				return ec.fieldContext_Meta_is_basic_authentication_enabled(ctx, field)
+			case "is_magic_link_login_enabled":
+				return ec.fieldContext_Meta_is_magic_link_login_enabled(ctx, field)
+			case "is_sign_up_enabled":
+				return ec.fieldContext_Meta_is_sign_up_enabled(ctx, field)
+			case "is_strong_password_enabled":
+				return ec.fieldContext_Meta_is_strong_password_enabled(ctx, field)
+			case "is_multi_factor_auth_enabled":
+				return ec.fieldContext_Meta_is_multi_factor_auth_enabled(ctx, field)
+			case "is_mobile_basic_authentication_enabled":
+				return ec.fieldContext_Meta_is_mobile_basic_authentication_enabled(ctx, field)
+			case "is_phone_verification_enabled":
+				return ec.fieldContext_Meta_is_phone_verification_enabled(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type Meta", field.Name)
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) _Query_session(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Query_session(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return ec.resolvers.Query().Session(rctx, fc.Args["params"].(*model.SessionQueryRequest))
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
+		return graphql.Null
+	}
+	res := resTmp.(*model.AuthResponse)
+	fc.Result = res
+	return ec.marshalNAuthResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐAuthResponse(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext_Query_session(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "Query",
+		Field:      field,
+		IsMethod:   true,
+		IsResolver: true,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			switch field.Name {
+			case "message":
+				return ec.fieldContext_AuthResponse_message(ctx, field)
+			case "should_show_email_otp_screen":
+				return ec.fieldContext_AuthResponse_should_show_email_otp_screen(ctx, field)
+			case "should_show_mobile_otp_screen":
+				return ec.fieldContext_AuthResponse_should_show_mobile_otp_screen(ctx, field)
+			case "should_show_totp_screen":
+				return ec.fieldContext_AuthResponse_should_show_totp_screen(ctx, field)
+			case "access_token":
+				return ec.fieldContext_AuthResponse_access_token(ctx, field)
+			case "id_token":
+				return ec.fieldContext_AuthResponse_id_token(ctx, field)
+			case "refresh_token":
+				return ec.fieldContext_AuthResponse_refresh_token(ctx, field)
+			case "expires_in":
+				return ec.fieldContext_AuthResponse_expires_in(ctx, field)
 			case "user":
 				return ec.fieldContext_AuthResponse_user(ctx, field)
 			case "authenticator_scanner_image":
@@ -15543,67 +15598,8 @@ func (ec *executionContext) fieldContext_Query__fga_expand(ctx context.Context,
 	return fc, nil
 }
 
-func (ec *executionContext) _Query_fga_check(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Query_fga_check(ctx, field)
-	if err != nil {
-		return graphql.Null
-	}
-	ctx = graphql.WithFieldContext(ctx, fc)
-	defer func() {
-		if r := recover(); r != nil {
-			ec.Error(ctx, ec.Recover(ctx, r))
-			ret = graphql.Null
-		}
-	}()
-	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
-		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Query().FgaCheck(rctx, fc.Args["params"].(model.FgaCheckInput))
-	})
-	if err != nil {
-		ec.Error(ctx, err)
-		return graphql.Null
-	}
-	if resTmp == nil {
-		if !graphql.HasFieldError(ctx, fc) {
-			ec.Errorf(ctx, "must not be null")
-		}
-		return graphql.Null
-	}
-	res := resTmp.(*model.FgaCheckResponse)
-	fc.Result = res
-	return ec.marshalNFgaCheckResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaCheckResponse(ctx, field.Selections, res)
-}
-
-func (ec *executionContext) fieldContext_Query_fga_check(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
-	fc = &graphql.FieldContext{
-		Object:     "Query",
-		Field:      field,
-		IsMethod:   true,
-		IsResolver: true,
-		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
-			switch field.Name {
-			case "allowed":
-				return ec.fieldContext_FgaCheckResponse_allowed(ctx, field)
-			}
-			return nil, fmt.Errorf("no field named %q was found under type FgaCheckResponse", field.Name)
-		},
-	}
-	defer func() {
-		if r := recover(); r != nil {
-			err = ec.Recover(ctx, r)
-			ec.Error(ctx, err)
-		}
-	}()
-	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Query_fga_check_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
-		ec.Error(ctx, err)
-		return fc, err
-	}
-	return fc, nil
-}
-
-func (ec *executionContext) _Query_fga_batch_check(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Query_fga_batch_check(ctx, field)
+func (ec *executionContext) _Query_check_permissions(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Query_check_permissions(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -15616,7 +15612,7 @@ func (ec *executionContext) _Query_fga_batch_check(ctx context.Context, field gr
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Query().FgaBatchCheck(rctx, fc.Args["params"].(model.FgaBatchCheckInput))
+		return ec.resolvers.Query().CheckPermissions(rctx, fc.Args["params"].(model.CheckPermissionsInput))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -15628,12 +15624,12 @@ func (ec *executionContext) _Query_fga_batch_check(ctx context.Context, field gr
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.FgaBatchCheckResponse)
+	res := resTmp.(*model.CheckPermissionsResponse)
 	fc.Result = res
-	return ec.marshalNFgaBatchCheckResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaBatchCheckResponse(ctx, field.Selections, res)
+	return ec.marshalNCheckPermissionsResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐCheckPermissionsResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Query_fga_batch_check(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Query_check_permissions(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Query",
 		Field:      field,
@@ -15642,9 +15638,9 @@ func (ec *executionContext) fieldContext_Query_fga_batch_check(ctx context.Conte
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			switch field.Name {
 			case "results":
-				return ec.fieldContext_FgaBatchCheckResponse_results(ctx, field)
+				return ec.fieldContext_CheckPermissionsResponse_results(ctx, field)
 			}
-			return nil, fmt.Errorf("no field named %q was found under type FgaBatchCheckResponse", field.Name)
+			return nil, fmt.Errorf("no field named %q was found under type CheckPermissionsResponse", field.Name)
 		},
 	}
 	defer func() {
@@ -15654,15 +15650,15 @@ func (ec *executionContext) fieldContext_Query_fga_batch_check(ctx context.Conte
 		}
 	}()
 	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Query_fga_batch_check_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+	if fc.Args, err = ec.field_Query_check_permissions_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
 		ec.Error(ctx, err)
 		return fc, err
 	}
 	return fc, nil
 }
 
-func (ec *executionContext) _Query_fga_list_objects(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
-	fc, err := ec.fieldContext_Query_fga_list_objects(ctx, field)
+func (ec *executionContext) _Query_list_permissions(ctx context.Context, field graphql.CollectedField) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Query_list_permissions(ctx, field)
 	if err != nil {
 		return graphql.Null
 	}
@@ -15675,7 +15671,7 @@ func (ec *executionContext) _Query_fga_list_objects(ctx context.Context, field g
 	}()
 	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
 		ctx = rctx // use context from middleware stack in children
-		return ec.resolvers.Query().FgaListObjects(rctx, fc.Args["params"].(model.FgaListObjectsInput))
+		return ec.resolvers.Query().ListPermissions(rctx, fc.Args["params"].(model.ListPermissionsInput))
 	})
 	if err != nil {
 		ec.Error(ctx, err)
@@ -15687,12 +15683,12 @@ func (ec *executionContext) _Query_fga_list_objects(ctx context.Context, field g
 		}
 		return graphql.Null
 	}
-	res := resTmp.(*model.FgaListObjectsResponse)
+	res := resTmp.(*model.ListPermissionsResponse)
 	fc.Result = res
-	return ec.marshalNFgaListObjectsResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaListObjectsResponse(ctx, field.Selections, res)
+	return ec.marshalNListPermissionsResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐListPermissionsResponse(ctx, field.Selections, res)
 }
 
-func (ec *executionContext) fieldContext_Query_fga_list_objects(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+func (ec *executionContext) fieldContext_Query_list_permissions(ctx context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
 	fc = &graphql.FieldContext{
 		Object:     "Query",
 		Field:      field,
@@ -15701,9 +15697,9 @@ func (ec *executionContext) fieldContext_Query_fga_list_objects(ctx context.Cont
 		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
 			switch field.Name {
 			case "objects":
-				return ec.fieldContext_FgaListObjectsResponse_objects(ctx, field)
+				return ec.fieldContext_ListPermissionsResponse_objects(ctx, field)
 			}
-			return nil, fmt.Errorf("no field named %q was found under type FgaListObjectsResponse", field.Name)
+			return nil, fmt.Errorf("no field named %q was found under type ListPermissionsResponse", field.Name)
 		},
 	}
 	defer func() {
@@ -15713,7 +15709,7 @@ func (ec *executionContext) fieldContext_Query_fga_list_objects(ctx context.Cont
 		}
 	}()
 	ctx = graphql.WithFieldContext(ctx, fc)
-	if fc.Args, err = ec.field_Query_fga_list_objects_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
+	if fc.Args, err = ec.field_Query_list_permissions_args(ctx, field.ArgumentMap(ec.Variables)); err != nil {
 		ec.Error(ctx, err)
 		return fc, err
 	}
@@ -20616,177 +20612,88 @@ func (ec *executionContext) unmarshalInputAdminSignupRequest(ctx context.Context
 	return it, nil
 }
 
-func (ec *executionContext) unmarshalInputDeleteEmailTemplateRequest(ctx context.Context, obj any) (model.DeleteEmailTemplateRequest, error) {
-	var it model.DeleteEmailTemplateRequest
+func (ec *executionContext) unmarshalInputCheckPermissionsInput(ctx context.Context, obj any) (model.CheckPermissionsInput, error) {
+	var it model.CheckPermissionsInput
 	asMap := map[string]any{}
 	for k, v := range obj.(map[string]any) {
 		asMap[k] = v
 	}
 
-	fieldsInOrder := [...]string{"id"}
+	fieldsInOrder := [...]string{"checks", "user"}
 	for _, k := range fieldsInOrder {
 		v, ok := asMap[k]
 		if !ok {
 			continue
 		}
 		switch k {
-		case "id":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("id"))
-			data, err := ec.unmarshalNID2string(ctx, v)
+		case "checks":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("checks"))
+			data, err := ec.unmarshalNPermissionCheckInput2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPermissionCheckInputᚄ(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.ID = data
+			it.Checks = data
+		case "user":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("user"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.User = data
 		}
 	}
 
 	return it, nil
 }
 
-func (ec *executionContext) unmarshalInputDeleteUserRequest(ctx context.Context, obj any) (model.DeleteUserRequest, error) {
-	var it model.DeleteUserRequest
-	asMap := map[string]any{}
-	for k, v := range obj.(map[string]any) {
-		asMap[k] = v
-	}
-
-	fieldsInOrder := [...]string{"email"}
-	for _, k := range fieldsInOrder {
-		v, ok := asMap[k]
-		if !ok {
-			continue
-		}
-		switch k {
-		case "email":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("email"))
-			data, err := ec.unmarshalNString2string(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.Email = data
-		}
-	}
-
-	return it, nil
-}
-
-func (ec *executionContext) unmarshalInputFgaBatchCheckInput(ctx context.Context, obj any) (model.FgaBatchCheckInput, error) {
-	var it model.FgaBatchCheckInput
-	asMap := map[string]any{}
-	for k, v := range obj.(map[string]any) {
-		asMap[k] = v
-	}
-
-	fieldsInOrder := [...]string{"checks"}
-	for _, k := range fieldsInOrder {
-		v, ok := asMap[k]
-		if !ok {
-			continue
-		}
-		switch k {
-		case "checks":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("checks"))
-			data, err := ec.unmarshalNFgaCheckPairInput2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaCheckPairInputᚄ(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.Checks = data
-		}
-	}
-
-	return it, nil
-}
-
-func (ec *executionContext) unmarshalInputFgaCheckInput(ctx context.Context, obj any) (model.FgaCheckInput, error) {
-	var it model.FgaCheckInput
+func (ec *executionContext) unmarshalInputDeleteEmailTemplateRequest(ctx context.Context, obj any) (model.DeleteEmailTemplateRequest, error) {
+	var it model.DeleteEmailTemplateRequest
 	asMap := map[string]any{}
 	for k, v := range obj.(map[string]any) {
 		asMap[k] = v
 	}
 
-	fieldsInOrder := [...]string{"relation", "object", "contextual_tuples", "user"}
+	fieldsInOrder := [...]string{"id"}
 	for _, k := range fieldsInOrder {
 		v, ok := asMap[k]
 		if !ok {
 			continue
 		}
 		switch k {
-		case "relation":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("relation"))
-			data, err := ec.unmarshalNString2string(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.Relation = data
-		case "object":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("object"))
-			data, err := ec.unmarshalNString2string(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.Object = data
-		case "contextual_tuples":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("contextual_tuples"))
-			data, err := ec.unmarshalOFgaTupleInput2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaTupleInputᚄ(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.ContextualTuples = data
-		case "user":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("user"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+		case "id":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("id"))
+			data, err := ec.unmarshalNID2string(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.User = data
+			it.ID = data
 		}
 	}
 
 	return it, nil
 }
 
-func (ec *executionContext) unmarshalInputFgaCheckPairInput(ctx context.Context, obj any) (model.FgaCheckPairInput, error) {
-	var it model.FgaCheckPairInput
+func (ec *executionContext) unmarshalInputDeleteUserRequest(ctx context.Context, obj any) (model.DeleteUserRequest, error) {
+	var it model.DeleteUserRequest
 	asMap := map[string]any{}
 	for k, v := range obj.(map[string]any) {
 		asMap[k] = v
 	}
 
-	fieldsInOrder := [...]string{"relation", "object", "contextual_tuples", "user"}
+	fieldsInOrder := [...]string{"email"}
 	for _, k := range fieldsInOrder {
 		v, ok := asMap[k]
 		if !ok {
 			continue
 		}
 		switch k {
-		case "relation":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("relation"))
-			data, err := ec.unmarshalNString2string(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.Relation = data
-		case "object":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("object"))
+		case "email":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("email"))
 			data, err := ec.unmarshalNString2string(ctx, v)
 			if err != nil {
 				return it, err
 			}
-			it.Object = data
-		case "contextual_tuples":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("contextual_tuples"))
-			data, err := ec.unmarshalOFgaTupleInput2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaTupleInputᚄ(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.ContextualTuples = data
-		case "user":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("user"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.User = data
+			it.Email = data
 		}
 	}
 
@@ -20827,47 +20734,6 @@ func (ec *executionContext) unmarshalInputFgaExpandInput(ctx context.Context, ob
 	return it, nil
 }
 
-func (ec *executionContext) unmarshalInputFgaListObjectsInput(ctx context.Context, obj any) (model.FgaListObjectsInput, error) {
-	var it model.FgaListObjectsInput
-	asMap := map[string]any{}
-	for k, v := range obj.(map[string]any) {
-		asMap[k] = v
-	}
-
-	fieldsInOrder := [...]string{"relation", "object_type", "user"}
-	for _, k := range fieldsInOrder {
-		v, ok := asMap[k]
-		if !ok {
-			continue
-		}
-		switch k {
-		case "relation":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("relation"))
-			data, err := ec.unmarshalNString2string(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.Relation = data
-		case "object_type":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("object_type"))
-			data, err := ec.unmarshalNString2string(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.ObjectType = data
-		case "user":
-			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("user"))
-			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
-			if err != nil {
-				return it, err
-			}
-			it.User = data
-		}
-	}
-
-	return it, nil
-}
-
 func (ec *executionContext) unmarshalInputFgaListUsersInput(ctx context.Context, obj any) (model.FgaListUsersInput, error) {
 	var it model.FgaListUsersInput
 	asMap := map[string]any{}
@@ -21305,6 +21171,47 @@ func (ec *executionContext) unmarshalInputListAuditLogRequest(ctx context.Contex
 	return it, nil
 }
 
+func (ec *executionContext) unmarshalInputListPermissionsInput(ctx context.Context, obj any) (model.ListPermissionsInput, error) {
+	var it model.ListPermissionsInput
+	asMap := map[string]any{}
+	for k, v := range obj.(map[string]any) {
+		asMap[k] = v
+	}
+
+	fieldsInOrder := [...]string{"relation", "object_type", "user"}
+	for _, k := range fieldsInOrder {
+		v, ok := asMap[k]
+		if !ok {
+			continue
+		}
+		switch k {
+		case "relation":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("relation"))
+			data, err := ec.unmarshalNString2string(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Relation = data
+		case "object_type":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("object_type"))
+			data, err := ec.unmarshalNString2string(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.ObjectType = data
+		case "user":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("user"))
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.User = data
+		}
+	}
+
+	return it, nil
+}
+
 func (ec *executionContext) unmarshalInputListWebhookLogRequest(ctx context.Context, obj any) (model.ListWebhookLogRequest, error) {
 	var it model.ListWebhookLogRequest
 	asMap := map[string]any{}
@@ -21738,6 +21645,47 @@ func (ec *executionContext) unmarshalInputPaginationRequest(ctx context.Context,
 	return it, nil
 }
 
+func (ec *executionContext) unmarshalInputPermissionCheckInput(ctx context.Context, obj any) (model.PermissionCheckInput, error) {
+	var it model.PermissionCheckInput
+	asMap := map[string]any{}
+	for k, v := range obj.(map[string]any) {
+		asMap[k] = v
+	}
+
+	fieldsInOrder := [...]string{"relation", "object", "contextual_tuples"}
+	for _, k := range fieldsInOrder {
+		v, ok := asMap[k]
+		if !ok {
+			continue
+		}
+		switch k {
+		case "relation":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("relation"))
+			data, err := ec.unmarshalNString2string(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Relation = data
+		case "object":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("object"))
+			data, err := ec.unmarshalNString2string(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.Object = data
+		case "contextual_tuples":
+			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("contextual_tuples"))
+			data, err := ec.unmarshalOFgaTupleInput2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaTupleInputᚄ(ctx, v)
+			if err != nil {
+				return it, err
+			}
+			it.ContextualTuples = data
+		}
+	}
+
+	return it, nil
+}
+
 func (ec *executionContext) unmarshalInputResendOTPRequest(ctx context.Context, obj any) (model.ResendOTPRequest, error) {
 	var it model.ResendOTPRequest
 	asMap := map[string]any{}
@@ -23377,45 +23325,84 @@ func (ec *executionContext) _AuthResponse(ctx context.Context, sel ast.Selection
 	return out
 }
 
-var emailTemplateImplementors = []string{"EmailTemplate"}
+var checkPermissionsResponseImplementors = []string{"CheckPermissionsResponse"}
 
-func (ec *executionContext) _EmailTemplate(ctx context.Context, sel ast.SelectionSet, obj *model.EmailTemplate) graphql.Marshaler {
-	fields := graphql.CollectFields(ec.OperationContext, sel, emailTemplateImplementors)
+func (ec *executionContext) _CheckPermissionsResponse(ctx context.Context, sel ast.SelectionSet, obj *model.CheckPermissionsResponse) graphql.Marshaler {
+	fields := graphql.CollectFields(ec.OperationContext, sel, checkPermissionsResponseImplementors)
 
 	out := graphql.NewFieldSet(fields)
 	deferred := make(map[string]*graphql.FieldSet)
 	for i, field := range fields {
 		switch field.Name {
 		case "__typename":
-			out.Values[i] = graphql.MarshalString("EmailTemplate")
-		case "id":
-			out.Values[i] = ec._EmailTemplate_id(ctx, field, obj)
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
-			}
-		case "event_name":
-			out.Values[i] = ec._EmailTemplate_event_name(ctx, field, obj)
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
-			}
-		case "template":
-			out.Values[i] = ec._EmailTemplate_template(ctx, field, obj)
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
-			}
-		case "design":
-			out.Values[i] = ec._EmailTemplate_design(ctx, field, obj)
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
-			}
-		case "subject":
-			out.Values[i] = ec._EmailTemplate_subject(ctx, field, obj)
+			out.Values[i] = graphql.MarshalString("CheckPermissionsResponse")
+		case "results":
+			out.Values[i] = ec._CheckPermissionsResponse_results(ctx, field, obj)
 			if out.Values[i] == graphql.Null {
 				out.Invalids++
 			}
-		case "created_at":
-			out.Values[i] = ec._EmailTemplate_created_at(ctx, field, obj)
-		case "updated_at":
+		default:
+			panic("unknown field " + strconv.Quote(field.Name))
+		}
+	}
+	out.Dispatch(ctx)
+	if out.Invalids > 0 {
+		return graphql.Null
+	}
+
+	atomic.AddInt32(&ec.deferred, int32(len(deferred)))
+
+	for label, dfs := range deferred {
+		ec.processDeferredGroup(graphql.DeferredGroup{
+			Label:    label,
+			Path:     graphql.GetPath(ctx),
+			FieldSet: dfs,
+			Context:  ctx,
+		})
+	}
+
+	return out
+}
+
+var emailTemplateImplementors = []string{"EmailTemplate"}
+
+func (ec *executionContext) _EmailTemplate(ctx context.Context, sel ast.SelectionSet, obj *model.EmailTemplate) graphql.Marshaler {
+	fields := graphql.CollectFields(ec.OperationContext, sel, emailTemplateImplementors)
+
+	out := graphql.NewFieldSet(fields)
+	deferred := make(map[string]*graphql.FieldSet)
+	for i, field := range fields {
+		switch field.Name {
+		case "__typename":
+			out.Values[i] = graphql.MarshalString("EmailTemplate")
+		case "id":
+			out.Values[i] = ec._EmailTemplate_id(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		case "event_name":
+			out.Values[i] = ec._EmailTemplate_event_name(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		case "template":
+			out.Values[i] = ec._EmailTemplate_template(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		case "design":
+			out.Values[i] = ec._EmailTemplate_design(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		case "subject":
+			out.Values[i] = ec._EmailTemplate_subject(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		case "created_at":
+			out.Values[i] = ec._EmailTemplate_created_at(ctx, field, obj)
+		case "updated_at":
 			out.Values[i] = ec._EmailTemplate_updated_at(ctx, field, obj)
 		default:
 			panic("unknown field " + strconv.Quote(field.Name))
@@ -23755,84 +23742,6 @@ func (ec *executionContext) _Error(ctx context.Context, sel ast.SelectionSet, ob
 	return out
 }
 
-var fgaBatchCheckResponseImplementors = []string{"FgaBatchCheckResponse"}
-
-func (ec *executionContext) _FgaBatchCheckResponse(ctx context.Context, sel ast.SelectionSet, obj *model.FgaBatchCheckResponse) graphql.Marshaler {
-	fields := graphql.CollectFields(ec.OperationContext, sel, fgaBatchCheckResponseImplementors)
-
-	out := graphql.NewFieldSet(fields)
-	deferred := make(map[string]*graphql.FieldSet)
-	for i, field := range fields {
-		switch field.Name {
-		case "__typename":
-			out.Values[i] = graphql.MarshalString("FgaBatchCheckResponse")
-		case "results":
-			out.Values[i] = ec._FgaBatchCheckResponse_results(ctx, field, obj)
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
-			}
-		default:
-			panic("unknown field " + strconv.Quote(field.Name))
-		}
-	}
-	out.Dispatch(ctx)
-	if out.Invalids > 0 {
-		return graphql.Null
-	}
-
-	atomic.AddInt32(&ec.deferred, int32(len(deferred)))
-
-	for label, dfs := range deferred {
-		ec.processDeferredGroup(graphql.DeferredGroup{
-			Label:    label,
-			Path:     graphql.GetPath(ctx),
-			FieldSet: dfs,
-			Context:  ctx,
-		})
-	}
-
-	return out
-}
-
-var fgaCheckResponseImplementors = []string{"FgaCheckResponse"}
-
-func (ec *executionContext) _FgaCheckResponse(ctx context.Context, sel ast.SelectionSet, obj *model.FgaCheckResponse) graphql.Marshaler {
-	fields := graphql.CollectFields(ec.OperationContext, sel, fgaCheckResponseImplementors)
-
-	out := graphql.NewFieldSet(fields)
-	deferred := make(map[string]*graphql.FieldSet)
-	for i, field := range fields {
-		switch field.Name {
-		case "__typename":
-			out.Values[i] = graphql.MarshalString("FgaCheckResponse")
-		case "allowed":
-			out.Values[i] = ec._FgaCheckResponse_allowed(ctx, field, obj)
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
-			}
-		default:
-			panic("unknown field " + strconv.Quote(field.Name))
-		}
-	}
-	out.Dispatch(ctx)
-	if out.Invalids > 0 {
-		return graphql.Null
-	}
-
-	atomic.AddInt32(&ec.deferred, int32(len(deferred)))
-
-	for label, dfs := range deferred {
-		ec.processDeferredGroup(graphql.DeferredGroup{
-			Label:    label,
-			Path:     graphql.GetPath(ctx),
-			FieldSet: dfs,
-			Context:  ctx,
-		})
-	}
-
-	return out
-}
-
 var fgaExpandResponseImplementors = []string{"FgaExpandResponse"}
 
 func (ec *executionContext) _FgaExpandResponse(ctx context.Context, sel ast.SelectionSet, obj *model.FgaExpandResponse) graphql.Marshaler {
@@ -23872,45 +23781,6 @@ func (ec *executionContext) _FgaExpandResponse(ctx context.Context, sel ast.Sele
 	return out
 }
 
-var fgaListObjectsResponseImplementors = []string{"FgaListObjectsResponse"}
-
-func (ec *executionContext) _FgaListObjectsResponse(ctx context.Context, sel ast.SelectionSet, obj *model.FgaListObjectsResponse) graphql.Marshaler {
-	fields := graphql.CollectFields(ec.OperationContext, sel, fgaListObjectsResponseImplementors)
-
-	out := graphql.NewFieldSet(fields)
-	deferred := make(map[string]*graphql.FieldSet)
-	for i, field := range fields {
-		switch field.Name {
-		case "__typename":
-			out.Values[i] = graphql.MarshalString("FgaListObjectsResponse")
-		case "objects":
-			out.Values[i] = ec._FgaListObjectsResponse_objects(ctx, field, obj)
-			if out.Values[i] == graphql.Null {
-				out.Invalids++
-			}
-		default:
-			panic("unknown field " + strconv.Quote(field.Name))
-		}
-	}
-	out.Dispatch(ctx)
-	if out.Invalids > 0 {
-		return graphql.Null
-	}
-
-	atomic.AddInt32(&ec.deferred, int32(len(deferred)))
-
-	for label, dfs := range deferred {
-		ec.processDeferredGroup(graphql.DeferredGroup{
-			Label:    label,
-			Path:     graphql.GetPath(ctx),
-			FieldSet: dfs,
-			Context:  ctx,
-		})
-	}
-
-	return out
-}
-
 var fgaListUsersResponseImplementors = []string{"FgaListUsersResponse"}
 
 func (ec *executionContext) _FgaListUsersResponse(ctx context.Context, sel ast.SelectionSet, obj *model.FgaListUsersResponse) graphql.Marshaler {
@@ -24209,6 +24079,45 @@ func (ec *executionContext) _InviteMembersResponse(ctx context.Context, sel ast.
 	return out
 }
 
+var listPermissionsResponseImplementors = []string{"ListPermissionsResponse"}
+
+func (ec *executionContext) _ListPermissionsResponse(ctx context.Context, sel ast.SelectionSet, obj *model.ListPermissionsResponse) graphql.Marshaler {
+	fields := graphql.CollectFields(ec.OperationContext, sel, listPermissionsResponseImplementors)
+
+	out := graphql.NewFieldSet(fields)
+	deferred := make(map[string]*graphql.FieldSet)
+	for i, field := range fields {
+		switch field.Name {
+		case "__typename":
+			out.Values[i] = graphql.MarshalString("ListPermissionsResponse")
+		case "objects":
+			out.Values[i] = ec._ListPermissionsResponse_objects(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		default:
+			panic("unknown field " + strconv.Quote(field.Name))
+		}
+	}
+	out.Dispatch(ctx)
+	if out.Invalids > 0 {
+		return graphql.Null
+	}
+
+	atomic.AddInt32(&ec.deferred, int32(len(deferred)))
+
+	for label, dfs := range deferred {
+		ec.processDeferredGroup(graphql.DeferredGroup{
+			Label:    label,
+			Path:     graphql.GetPath(ctx),
+			FieldSet: dfs,
+			Context:  ctx,
+		})
+	}
+
+	return out
+}
+
 var metaImplementors = []string{"Meta"}
 
 func (ec *executionContext) _Meta(ctx context.Context, sel ast.SelectionSet, obj *model.Meta) graphql.Marshaler {
@@ -24691,6 +24600,55 @@ func (ec *executionContext) _Pagination(ctx context.Context, sel ast.SelectionSe
 	return out
 }
 
+var permissionCheckResultImplementors = []string{"PermissionCheckResult"}
+
+func (ec *executionContext) _PermissionCheckResult(ctx context.Context, sel ast.SelectionSet, obj *model.PermissionCheckResult) graphql.Marshaler {
+	fields := graphql.CollectFields(ec.OperationContext, sel, permissionCheckResultImplementors)
+
+	out := graphql.NewFieldSet(fields)
+	deferred := make(map[string]*graphql.FieldSet)
+	for i, field := range fields {
+		switch field.Name {
+		case "__typename":
+			out.Values[i] = graphql.MarshalString("PermissionCheckResult")
+		case "relation":
+			out.Values[i] = ec._PermissionCheckResult_relation(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		case "object":
+			out.Values[i] = ec._PermissionCheckResult_object(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		case "allowed":
+			out.Values[i] = ec._PermissionCheckResult_allowed(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		default:
+			panic("unknown field " + strconv.Quote(field.Name))
+		}
+	}
+	out.Dispatch(ctx)
+	if out.Invalids > 0 {
+		return graphql.Null
+	}
+
+	atomic.AddInt32(&ec.deferred, int32(len(deferred)))
+
+	for label, dfs := range deferred {
+		ec.processDeferredGroup(graphql.DeferredGroup{
+			Label:    label,
+			Path:     graphql.GetPath(ctx),
+			FieldSet: dfs,
+			Context:  ctx,
+		})
+	}
+
+	return out
+}
+
 var queryImplementors = []string{"Query"}
 
 func (ec *executionContext) _Query(ctx context.Context, sel ast.SelectionSet) graphql.Marshaler {
@@ -25150,29 +25108,7 @@ func (ec *executionContext) _Query(ctx context.Context, sel ast.SelectionSet) gr
 			}
 
 			out.Concurrently(i, func(ctx context.Context) graphql.Marshaler { return rrm(innerCtx) })
-		case "fga_check":
-			field := field
-
-			innerFunc := func(ctx context.Context, fs *graphql.FieldSet) (res graphql.Marshaler) {
-				defer func() {
-					if r := recover(); r != nil {
-						ec.Error(ctx, ec.Recover(ctx, r))
-					}
-				}()
-				res = ec._Query_fga_check(ctx, field)
-				if res == graphql.Null {
-					atomic.AddUint32(&fs.Invalids, 1)
-				}
-				return res
-			}
-
-			rrm := func(ctx context.Context) graphql.Marshaler {
-				return ec.OperationContext.RootResolverMiddleware(ctx,
-					func(ctx context.Context) graphql.Marshaler { return innerFunc(ctx, out) })
-			}
-
-			out.Concurrently(i, func(ctx context.Context) graphql.Marshaler { return rrm(innerCtx) })
-		case "fga_batch_check":
+		case "check_permissions":
 			field := field
 
 			innerFunc := func(ctx context.Context, fs *graphql.FieldSet) (res graphql.Marshaler) {
@@ -25181,7 +25117,7 @@ func (ec *executionContext) _Query(ctx context.Context, sel ast.SelectionSet) gr
 						ec.Error(ctx, ec.Recover(ctx, r))
 					}
 				}()
-				res = ec._Query_fga_batch_check(ctx, field)
+				res = ec._Query_check_permissions(ctx, field)
 				if res == graphql.Null {
 					atomic.AddUint32(&fs.Invalids, 1)
 				}
@@ -25194,7 +25130,7 @@ func (ec *executionContext) _Query(ctx context.Context, sel ast.SelectionSet) gr
 			}
 
 			out.Concurrently(i, func(ctx context.Context) graphql.Marshaler { return rrm(innerCtx) })
-		case "fga_list_objects":
+		case "list_permissions":
 			field := field
 
 			innerFunc := func(ctx context.Context, fs *graphql.FieldSet) (res graphql.Marshaler) {
@@ -25203,7 +25139,7 @@ func (ec *executionContext) _Query(ctx context.Context, sel ast.SelectionSet) gr
 						ec.Error(ctx, ec.Recover(ctx, r))
 					}
 				}()
-				res = ec._Query_fga_list_objects(ctx, field)
+				res = ec._Query_list_permissions(ctx, field)
 				if res == graphql.Null {
 					atomic.AddUint32(&fs.Invalids, 1)
 				}
@@ -26300,6 +26236,25 @@ func (ec *executionContext) marshalNBoolean2bool(ctx context.Context, sel ast.Se
 	return res
 }
 
+func (ec *executionContext) unmarshalNCheckPermissionsInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐCheckPermissionsInput(ctx context.Context, v any) (model.CheckPermissionsInput, error) {
+	res, err := ec.unmarshalInputCheckPermissionsInput(ctx, v)
+	return res, graphql.ErrorOnPath(ctx, err)
+}
+
+func (ec *executionContext) marshalNCheckPermissionsResponse2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐCheckPermissionsResponse(ctx context.Context, sel ast.SelectionSet, v model.CheckPermissionsResponse) graphql.Marshaler {
+	return ec._CheckPermissionsResponse(ctx, sel, &v)
+}
+
+func (ec *executionContext) marshalNCheckPermissionsResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐCheckPermissionsResponse(ctx context.Context, sel ast.SelectionSet, v *model.CheckPermissionsResponse) graphql.Marshaler {
+	if v == nil {
+		if !graphql.HasFieldError(ctx, graphql.GetFieldContext(ctx)) {
+			ec.Errorf(ctx, "the requested element is null which the schema does not allow")
+		}
+		return graphql.Null
+	}
+	return ec._CheckPermissionsResponse(ctx, sel, v)
+}
+
 func (ec *executionContext) unmarshalNDeleteEmailTemplateRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐDeleteEmailTemplateRequest(ctx context.Context, v any) (model.DeleteEmailTemplateRequest, error) {
 	res, err := ec.unmarshalInputDeleteEmailTemplateRequest(ctx, v)
 	return res, graphql.ErrorOnPath(ctx, err)
@@ -26392,108 +26347,6 @@ func (ec *executionContext) marshalNEnv2ᚖgithubᚗcomᚋauthorizerdevᚋauthor
 	return ec._Env(ctx, sel, v)
 }
 
-func (ec *executionContext) unmarshalNFgaBatchCheckInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaBatchCheckInput(ctx context.Context, v any) (model.FgaBatchCheckInput, error) {
-	res, err := ec.unmarshalInputFgaBatchCheckInput(ctx, v)
-	return res, graphql.ErrorOnPath(ctx, err)
-}
-
-func (ec *executionContext) marshalNFgaBatchCheckResponse2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaBatchCheckResponse(ctx context.Context, sel ast.SelectionSet, v model.FgaBatchCheckResponse) graphql.Marshaler {
-	return ec._FgaBatchCheckResponse(ctx, sel, &v)
-}
-
-func (ec *executionContext) marshalNFgaBatchCheckResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaBatchCheckResponse(ctx context.Context, sel ast.SelectionSet, v *model.FgaBatchCheckResponse) graphql.Marshaler {
-	if v == nil {
-		if !graphql.HasFieldError(ctx, graphql.GetFieldContext(ctx)) {
-			ec.Errorf(ctx, "the requested element is null which the schema does not allow")
-		}
-		return graphql.Null
-	}
-	return ec._FgaBatchCheckResponse(ctx, sel, v)
-}
-
-func (ec *executionContext) unmarshalNFgaCheckInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaCheckInput(ctx context.Context, v any) (model.FgaCheckInput, error) {
-	res, err := ec.unmarshalInputFgaCheckInput(ctx, v)
-	return res, graphql.ErrorOnPath(ctx, err)
-}
-
-func (ec *executionContext) unmarshalNFgaCheckPairInput2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaCheckPairInputᚄ(ctx context.Context, v any) ([]*model.FgaCheckPairInput, error) {
-	var vSlice []any
-	vSlice = graphql.CoerceList(v)
-	var err error
-	res := make([]*model.FgaCheckPairInput, len(vSlice))
-	for i := range vSlice {
-		ctx := graphql.WithPathContext(ctx, graphql.NewPathWithIndex(i))
-		res[i], err = ec.unmarshalNFgaCheckPairInput2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaCheckPairInput(ctx, vSlice[i])
-		if err != nil {
-			return nil, err
-		}
-	}
-	return res, nil
-}
-
-func (ec *executionContext) unmarshalNFgaCheckPairInput2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaCheckPairInput(ctx context.Context, v any) (*model.FgaCheckPairInput, error) {
-	res, err := ec.unmarshalInputFgaCheckPairInput(ctx, v)
-	return &res, graphql.ErrorOnPath(ctx, err)
-}
-
-func (ec *executionContext) marshalNFgaCheckResponse2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaCheckResponse(ctx context.Context, sel ast.SelectionSet, v model.FgaCheckResponse) graphql.Marshaler {
-	return ec._FgaCheckResponse(ctx, sel, &v)
-}
-
-func (ec *executionContext) marshalNFgaCheckResponse2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaCheckResponseᚄ(ctx context.Context, sel ast.SelectionSet, v []*model.FgaCheckResponse) graphql.Marshaler {
-	ret := make(graphql.Array, len(v))
-	var wg sync.WaitGroup
-	isLen1 := len(v) == 1
-	if !isLen1 {
-		wg.Add(len(v))
-	}
-	for i := range v {
-		i := i
-		fc := &graphql.FieldContext{
-			Index:  &i,
-			Result: &v[i],
-		}
-		ctx := graphql.WithFieldContext(ctx, fc)
-		f := func(i int) {
-			defer func() {
-				if r := recover(); r != nil {
-					ec.Error(ctx, ec.Recover(ctx, r))
-					ret = nil
-				}
-			}()
-			if !isLen1 {
-				defer wg.Done()
-			}
-			ret[i] = ec.marshalNFgaCheckResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaCheckResponse(ctx, sel, v[i])
-		}
-		if isLen1 {
-			f(i)
-		} else {
-			go f(i)
-		}
-
-	}
-	wg.Wait()
-
-	for _, e := range ret {
-		if e == graphql.Null {
-			return graphql.Null
-		}
-	}
-
-	return ret
-}
-
-func (ec *executionContext) marshalNFgaCheckResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaCheckResponse(ctx context.Context, sel ast.SelectionSet, v *model.FgaCheckResponse) graphql.Marshaler {
-	if v == nil {
-		if !graphql.HasFieldError(ctx, graphql.GetFieldContext(ctx)) {
-			ec.Errorf(ctx, "the requested element is null which the schema does not allow")
-		}
-		return graphql.Null
-	}
-	return ec._FgaCheckResponse(ctx, sel, v)
-}
-
 func (ec *executionContext) unmarshalNFgaExpandInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaExpandInput(ctx context.Context, v any) (model.FgaExpandInput, error) {
 	res, err := ec.unmarshalInputFgaExpandInput(ctx, v)
 	return res, graphql.ErrorOnPath(ctx, err)
@@ -26513,25 +26366,6 @@ func (ec *executionContext) marshalNFgaExpandResponse2ᚖgithubᚗcomᚋauthoriz
 	return ec._FgaExpandResponse(ctx, sel, v)
 }
 
-func (ec *executionContext) unmarshalNFgaListObjectsInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaListObjectsInput(ctx context.Context, v any) (model.FgaListObjectsInput, error) {
-	res, err := ec.unmarshalInputFgaListObjectsInput(ctx, v)
-	return res, graphql.ErrorOnPath(ctx, err)
-}
-
-func (ec *executionContext) marshalNFgaListObjectsResponse2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaListObjectsResponse(ctx context.Context, sel ast.SelectionSet, v model.FgaListObjectsResponse) graphql.Marshaler {
-	return ec._FgaListObjectsResponse(ctx, sel, &v)
-}
-
-func (ec *executionContext) marshalNFgaListObjectsResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaListObjectsResponse(ctx context.Context, sel ast.SelectionSet, v *model.FgaListObjectsResponse) graphql.Marshaler {
-	if v == nil {
-		if !graphql.HasFieldError(ctx, graphql.GetFieldContext(ctx)) {
-			ec.Errorf(ctx, "the requested element is null which the schema does not allow")
-		}
-		return graphql.Null
-	}
-	return ec._FgaListObjectsResponse(ctx, sel, v)
-}
-
 func (ec *executionContext) unmarshalNFgaListUsersInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐFgaListUsersInput(ctx context.Context, v any) (model.FgaListUsersInput, error) {
 	res, err := ec.unmarshalInputFgaListUsersInput(ctx, v)
 	return res, graphql.ErrorOnPath(ctx, err)
@@ -26767,6 +26601,25 @@ func (ec *executionContext) marshalNInviteMembersResponse2ᚖgithubᚗcomᚋauth
 	return ec._InviteMembersResponse(ctx, sel, v)
 }
 
+func (ec *executionContext) unmarshalNListPermissionsInput2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐListPermissionsInput(ctx context.Context, v any) (model.ListPermissionsInput, error) {
+	res, err := ec.unmarshalInputListPermissionsInput(ctx, v)
+	return res, graphql.ErrorOnPath(ctx, err)
+}
+
+func (ec *executionContext) marshalNListPermissionsResponse2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐListPermissionsResponse(ctx context.Context, sel ast.SelectionSet, v model.ListPermissionsResponse) graphql.Marshaler {
+	return ec._ListPermissionsResponse(ctx, sel, &v)
+}
+
+func (ec *executionContext) marshalNListPermissionsResponse2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐListPermissionsResponse(ctx context.Context, sel ast.SelectionSet, v *model.ListPermissionsResponse) graphql.Marshaler {
+	if v == nil {
+		if !graphql.HasFieldError(ctx, graphql.GetFieldContext(ctx)) {
+			ec.Errorf(ctx, "the requested element is null which the schema does not allow")
+		}
+		return graphql.Null
+	}
+	return ec._ListPermissionsResponse(ctx, sel, v)
+}
+
 func (ec *executionContext) unmarshalNLoginRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐLoginRequest(ctx context.Context, v any) (model.LoginRequest, error) {
 	res, err := ec.unmarshalInputLoginRequest(ctx, v)
 	return res, graphql.ErrorOnPath(ctx, err)
@@ -26811,6 +26664,80 @@ func (ec *executionContext) marshalNPagination2ᚖgithubᚗcomᚋauthorizerdev
 	return ec._Pagination(ctx, sel, v)
 }
 
+func (ec *executionContext) unmarshalNPermissionCheckInput2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPermissionCheckInputᚄ(ctx context.Context, v any) ([]*model.PermissionCheckInput, error) {
+	var vSlice []any
+	vSlice = graphql.CoerceList(v)
+	var err error
+	res := make([]*model.PermissionCheckInput, len(vSlice))
+	for i := range vSlice {
+		ctx := graphql.WithPathContext(ctx, graphql.NewPathWithIndex(i))
+		res[i], err = ec.unmarshalNPermissionCheckInput2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPermissionCheckInput(ctx, vSlice[i])
+		if err != nil {
+			return nil, err
+		}
+	}
+	return res, nil
+}
+
+func (ec *executionContext) unmarshalNPermissionCheckInput2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPermissionCheckInput(ctx context.Context, v any) (*model.PermissionCheckInput, error) {
+	res, err := ec.unmarshalInputPermissionCheckInput(ctx, v)
+	return &res, graphql.ErrorOnPath(ctx, err)
+}
+
+func (ec *executionContext) marshalNPermissionCheckResult2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPermissionCheckResultᚄ(ctx context.Context, sel ast.SelectionSet, v []*model.PermissionCheckResult) graphql.Marshaler {
+	ret := make(graphql.Array, len(v))
+	var wg sync.WaitGroup
+	isLen1 := len(v) == 1
+	if !isLen1 {
+		wg.Add(len(v))
+	}
+	for i := range v {
+		i := i
+		fc := &graphql.FieldContext{
+			Index:  &i,
+			Result: &v[i],
+		}
+		ctx := graphql.WithFieldContext(ctx, fc)
+		f := func(i int) {
+			defer func() {
+				if r := recover(); r != nil {
+					ec.Error(ctx, ec.Recover(ctx, r))
+					ret = nil
+				}
+			}()
+			if !isLen1 {
+				defer wg.Done()
+			}
+			ret[i] = ec.marshalNPermissionCheckResult2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPermissionCheckResult(ctx, sel, v[i])
+		}
+		if isLen1 {
+			f(i)
+		} else {
+			go f(i)
+		}
+
+	}
+	wg.Wait()
+
+	for _, e := range ret {
+		if e == graphql.Null {
+			return graphql.Null
+		}
+	}
+
+	return ret
+}
+
+func (ec *executionContext) marshalNPermissionCheckResult2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPermissionCheckResult(ctx context.Context, sel ast.SelectionSet, v *model.PermissionCheckResult) graphql.Marshaler {
+	if v == nil {
+		if !graphql.HasFieldError(ctx, graphql.GetFieldContext(ctx)) {
+			ec.Errorf(ctx, "the requested element is null which the schema does not allow")
+		}
+		return graphql.Null
+	}
+	return ec._PermissionCheckResult(ctx, sel, v)
+}
+
 func (ec *executionContext) unmarshalNResendOTPRequest2githubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐResendOTPRequest(ctx context.Context, v any) (model.ResendOTPRequest, error) {
 	res, err := ec.unmarshalInputResendOTPRequest(ctx, v)
 	return res, graphql.ErrorOnPath(ctx, err)
diff --git a/internal/graph/model/models_gen.go b/internal/graph/model/models_gen.go
index 29a460c0..e9769d8b 100644
--- a/internal/graph/model/models_gen.go
+++ b/internal/graph/model/models_gen.go
@@ -65,6 +65,15 @@ type AuthResponse struct {
 	AuthenticatorRecoveryCodes []*string `json:"authenticator_recovery_codes,omitempty"`
 }
 
+type CheckPermissionsInput struct {
+	Checks []*PermissionCheckInput `json:"checks"`
+	User   *string                 `json:"user,omitempty"`
+}
+
+type CheckPermissionsResponse struct {
+	Results []*PermissionCheckResult `json:"results"`
+}
+
 type DeleteEmailTemplateRequest struct {
 	ID string `json:"id"`
 }
@@ -167,32 +176,6 @@ type Error struct {
 	Reason  string `json:"reason"`
 }
 
-type FgaBatchCheckInput struct {
-	Checks []*FgaCheckPairInput `json:"checks"`
-}
-
-type FgaBatchCheckResponse struct {
-	Results []*FgaCheckResponse `json:"results"`
-}
-
-type FgaCheckInput struct {
-	Relation         string           `json:"relation"`
-	Object           string           `json:"object"`
-	ContextualTuples []*FgaTupleInput `json:"contextual_tuples,omitempty"`
-	User             *string          `json:"user,omitempty"`
-}
-
-type FgaCheckPairInput struct {
-	Relation         string           `json:"relation"`
-	Object           string           `json:"object"`
-	ContextualTuples []*FgaTupleInput `json:"contextual_tuples,omitempty"`
-	User             *string          `json:"user,omitempty"`
-}
-
-type FgaCheckResponse struct {
-	Allowed bool `json:"allowed"`
-}
-
 type FgaExpandInput struct {
 	Relation string `json:"relation"`
 	Object   string `json:"object"`
@@ -202,16 +185,6 @@ type FgaExpandResponse struct {
 	Tree string `json:"tree"`
 }
 
-type FgaListObjectsInput struct {
-	Relation   string  `json:"relation"`
-	ObjectType string  `json:"object_type"`
-	User       *string `json:"user,omitempty"`
-}
-
-type FgaListObjectsResponse struct {
-	Objects []string `json:"objects"`
-}
-
 type FgaListUsersInput struct {
 	Object   string `json:"object"`
 	Relation string `json:"relation"`
@@ -312,6 +285,16 @@ type ListAuditLogRequest struct {
 	ToTimestamp   *int64             `json:"to_timestamp,omitempty"`
 }
 
+type ListPermissionsInput struct {
+	Relation   string  `json:"relation"`
+	ObjectType string  `json:"object_type"`
+	User       *string `json:"user,omitempty"`
+}
+
+type ListPermissionsResponse struct {
+	Objects []string `json:"objects"`
+}
+
 type ListWebhookLogRequest struct {
 	Pagination *PaginationRequest `json:"pagination,omitempty"`
 	WebhookID  *string            `json:"webhook_id,omitempty"`
@@ -408,6 +391,18 @@ type PaginationRequest struct {
 	Page  *int64 `json:"page,omitempty"`
 }
 
+type PermissionCheckInput struct {
+	Relation         string           `json:"relation"`
+	Object           string           `json:"object"`
+	ContextualTuples []*FgaTupleInput `json:"contextual_tuples,omitempty"`
+}
+
+type PermissionCheckResult struct {
+	Relation string `json:"relation"`
+	Object   string `json:"object"`
+	Allowed  bool   `json:"allowed"`
+}
+
 type Query struct {
 }
 
diff --git a/internal/graph/schema.graphqls b/internal/graph/schema.graphqls
index 35f9e79f..6ca15502 100644
--- a/internal/graph/schema.graphqls
+++ b/internal/graph/schema.graphqls
@@ -142,18 +142,22 @@ type FgaTuples {
   continuation_token: String
 }
 
-# FgaCheckResponse is the result of a single relationship check.
-type FgaCheckResponse {
+# PermissionCheckResult is the outcome of one permission check, echoing the
+# checked pair so batch results are self-describing (and positionally aligned).
+type PermissionCheckResult {
+  relation: String!
+  object: String!
   allowed: Boolean!
 }
 
-# FgaBatchCheckResponse is the positionally-aligned result of a batch check.
-type FgaBatchCheckResponse {
-  results: [FgaCheckResponse!]!
+# CheckPermissionsResponse carries one result per supplied check, in order.
+type CheckPermissionsResponse {
+  results: [PermissionCheckResult!]!
 }
 
-# FgaListObjectsResponse lists fully-qualified object ids the caller relates to.
-type FgaListObjectsResponse {
+# ListPermissionsResponse lists the fully-qualified object ids the subject
+# holds the queried permission on.
+type ListPermissionsResponse {
   objects: [String!]!
 }
 
@@ -740,45 +744,32 @@ input FgaReadTuplesInput {
   continuation_token: String
 }
 
-# FgaCheckInput asks "is <user> related to object via relation?". The subject
-# (user) defaults to the authenticated caller and is pinned server-side from the
-# auth token. The optional `user` field lets a TRUSTED caller (super-admin) check
-# on behalf of another subject; a non-trusted caller supplying `user` is rejected
-# (no silent self-fallback). Only relation, object, optional `user` and optional
-# contextual tuples are accepted from the client.
-input FgaCheckInput {
+# PermissionCheckInput is one permission to evaluate: "does the subject have
+# <relation> on <object>?". Contextual tuples are evaluated for this check only
+# and never persisted.
+input PermissionCheckInput {
   relation: String!
   object: String!
   contextual_tuples: [FgaTupleInput!]
-  # Optional subject override ("type:id" or bare id → "user:id"). Honored only
-  # for super-admin callers; rejected otherwise.
-  user: String
-}
-
-# FgaBatchCheckInput evaluates multiple relation/object pairs for the
-# authenticated caller (principal pinned server-side).
-input FgaBatchCheckInput {
-  checks: [FgaCheckPairInput!]!
 }
 
-# FgaCheckPairInput is one relation/object pair within a batch check.
-input FgaCheckPairInput {
-  relation: String!
-  object: String!
-  contextual_tuples: [FgaTupleInput!]
-  # Optional subject override ("type:id" or bare id → "user:id"). Honored only
-  # for super-admin callers; rejected otherwise.
+# CheckPermissionsInput evaluates one or more permission checks in a single
+# call. The subject defaults to the authenticated caller (JWT / session
+# cookie). The optional `user` ("type:id", or a bare id treated as
+# "user:<id>") is honored only when the caller is a super-admin OR it equals
+# the caller's own token subject; anything else is rejected — never silently
+# ignored.
+input CheckPermissionsInput {
+  checks: [PermissionCheckInput!]!
   user: String
 }
 
-# FgaListObjectsInput enumerates objects of type object_type that <user> relates
-# to via relation. The subject defaults to the authenticated caller; the optional
-# `user` override is honored only for super-admin callers (rejected otherwise).
-input FgaListObjectsInput {
+# ListPermissionsInput enumerates the objects of `object_type` the subject
+# holds `relation` on. Subject resolution follows the same rules as
+# CheckPermissionsInput.user.
+input ListPermissionsInput {
   relation: String!
   object_type: String!
-  # Optional subject override ("type:id" or bare id → "user:id"). Honored only
-  # for super-admin callers; rejected otherwise.
   user: String
 }
 
@@ -877,7 +868,6 @@ type Query {
   _fga_list_users(params: FgaListUsersInput!): FgaListUsersResponse!
   _fga_expand(params: FgaExpandInput!): FgaExpandResponse!
   # FGA runtime queries (authenticated caller; principal pinned server-side)
-  fga_check(params: FgaCheckInput!): FgaCheckResponse!
-  fga_batch_check(params: FgaBatchCheckInput!): FgaBatchCheckResponse!
-  fga_list_objects(params: FgaListObjectsInput!): FgaListObjectsResponse!
+  check_permissions(params: CheckPermissionsInput!): CheckPermissionsResponse!
+  list_permissions(params: ListPermissionsInput!): ListPermissionsResponse!
 }
diff --git a/internal/graph/schema.resolvers.go b/internal/graph/schema.resolvers.go
index c67ec937..4bc623bd 100644
--- a/internal/graph/schema.resolvers.go
+++ b/internal/graph/schema.resolvers.go
@@ -292,19 +292,14 @@ func (r *queryResolver) FgaExpand(ctx context.Context, params model.FgaExpandInp
 	return r.GraphQLProvider.FgaExpand(ctx, &params)
 }
 
-// FgaCheck is the resolver for the fga_check field.
-func (r *queryResolver) FgaCheck(ctx context.Context, params model.FgaCheckInput) (*model.FgaCheckResponse, error) {
-	return r.GraphQLProvider.FgaCheck(ctx, &params)
+// CheckPermissions is the resolver for the check_permissions field.
+func (r *queryResolver) CheckPermissions(ctx context.Context, params model.CheckPermissionsInput) (*model.CheckPermissionsResponse, error) {
+	return r.GraphQLProvider.CheckPermissions(ctx, &params)
 }
 
-// FgaBatchCheck is the resolver for the fga_batch_check field.
-func (r *queryResolver) FgaBatchCheck(ctx context.Context, params model.FgaBatchCheckInput) (*model.FgaBatchCheckResponse, error) {
-	return r.GraphQLProvider.FgaBatchCheck(ctx, &params)
-}
-
-// FgaListObjects is the resolver for the fga_list_objects field.
-func (r *queryResolver) FgaListObjects(ctx context.Context, params model.FgaListObjectsInput) (*model.FgaListObjectsResponse, error) {
-	return r.GraphQLProvider.FgaListObjects(ctx, &params)
+// ListPermissions is the resolver for the list_permissions field.
+func (r *queryResolver) ListPermissions(ctx context.Context, params model.ListPermissionsInput) (*model.ListPermissionsResponse, error) {
+	return r.GraphQLProvider.ListPermissions(ctx, &params)
 }
 
 // Mutation returns generated.MutationResolver implementation.
diff --git a/internal/graphql/check_permissions.go b/internal/graphql/check_permissions.go
new file mode 100644
index 00000000..98f5bd1c
--- /dev/null
+++ b/internal/graphql/check_permissions.go
@@ -0,0 +1,76 @@
+package graphql
+
+import (
+	"context"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/authorizerdev/authorizer/internal/authorization/engine"
+	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/metrics"
+	"github.com/authorizerdev/authorizer/internal/refs"
+)
+
+// CheckPermissions evaluates one or more permission checks ("does the subject
+// have <relation> on <object>?") in a single call and returns one result per
+// check, in order. A single check is simply a list of one.
+//
+// SUBJECT TRUST GATE: the subject defaults to the authenticated caller's token
+// subject; an explicit `user` is honored only for super-admins or when it
+// equals the caller's own subject (see resolveFgaSubject). Fail-closed: any
+// engine error denies.
+// Permission: authorized user.
+func (g *graphqlProvider) CheckPermissions(ctx context.Context, params *model.CheckPermissionsInput) (*model.CheckPermissionsResponse, error) {
+	log := g.Log.With().Str("func", "CheckPermissions").Logger()
+	if g.AuthzEngine == nil {
+		return nil, errFgaNotEnabled
+	}
+	if params == nil || len(params.Checks) == 0 {
+		return nil, fmt.Errorf("at least one check is required")
+	}
+	if len(params.Checks) > maxPermissionChecks {
+		return nil, fmt.Errorf("too many checks: max %d per request", maxPermissionChecks)
+	}
+	subject, err := g.resolveFgaSubject(ctx, refs.StringValue(params.User))
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to resolve subject")
+		return nil, err
+	}
+	requests := make([]engine.CheckRequest, 0, len(params.Checks))
+	for _, c := range params.Checks {
+		if c == nil || strings.TrimSpace(c.Relation) == "" || strings.TrimSpace(c.Object) == "" {
+			return nil, fmt.Errorf("each check requires relation and object")
+		}
+		ctxTuples, err := toContextualTuples(c.ContextualTuples)
+		if err != nil {
+			return nil, err
+		}
+		requests = append(requests, engine.CheckRequest{
+			User:             subject,
+			Relation:         c.Relation,
+			Object:           c.Object,
+			ContextualTuples: ctxTuples,
+		})
+	}
+	start := time.Now()
+	results, err := g.AuthzEngine.BatchCheck(ctx, requests)
+	metrics.ObserveFgaCheckDuration(metrics.FgaOpCheckPermissions, time.Since(start).Seconds())
+	if err != nil {
+		// Fail closed for the whole call.
+		metrics.RecordFgaCheck(metrics.FgaOpCheckPermissions, metrics.FgaResultError)
+		log.Debug().Err(err).Msg("CheckPermissions failed; denying")
+		return nil, fmt.Errorf("authorization check failed")
+	}
+	out := &model.CheckPermissionsResponse{Results: make([]*model.PermissionCheckResult, 0, len(results))}
+	for i, r := range results {
+		// Record each decision so adoption/denial rates reflect every pair.
+		metrics.RecordFgaCheckResult(metrics.FgaOpCheckPermissions, r.Allowed)
+		out.Results = append(out.Results, &model.PermissionCheckResult{
+			Relation: params.Checks[i].Relation,
+			Object:   params.Checks[i].Object,
+			Allowed:  r.Allowed,
+		})
+	}
+	return out, nil
+}
diff --git a/internal/graphql/fga.go b/internal/graphql/fga.go
new file mode 100644
index 00000000..c4a11af8
--- /dev/null
+++ b/internal/graphql/fga.go
@@ -0,0 +1,151 @@
+package graphql
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"strings"
+
+	"github.com/authorizerdev/authorizer/internal/authorization/engine"
+	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/utils"
+)
+
+// errFgaNotEnabled is returned by every FGA resolver when no authorization
+// engine is configured (no --fga-store). Fail-closed.
+var errFgaNotEnabled = errors.New("fine-grained authorization is not enabled")
+
+// maxFgaTuplesPerWrite caps the number of tuples accepted in a single write or
+// delete to bound the work an admin call performs.
+const maxFgaTuplesPerWrite = 100
+
+// maxFgaReadPageSize caps the page size for tuple reads. OpenFGA's ReadRequest
+// enforces a [1, 100] range, so this is both a safety cap and a hard backend
+// limit.
+const maxFgaReadPageSize = 100
+
+// maxFgaListResults caps the number of objects returned by list_permissions
+// and the page size of admin tuple reads. Listing is an expensive enumeration
+// surface, so the result set is bounded.
+const maxFgaListResults = 1000
+
+// maxPermissionChecks caps the number of checks accepted by a single
+// check_permissions call.
+const maxPermissionChecks = 100
+
+// resolveFgaSubject is the single, centralized trust gate for the public
+// permission APIs (check_permissions, list_permissions). It decides which
+// OpenFGA subject ("type:id") a decision is evaluated for, given the optional
+// client-supplied explicitUser.
+//
+// Rules (fail-closed):
+//   - explicitUser empty → the caller's own token subject ("user:<sub>" from
+//     the JWT / session cookie). This is the default and the common case.
+//   - explicitUser set → normalized (a bare id becomes "user:<id>") and
+//     validated, then honored only when the caller is a super-admin OR the
+//     subject equals the caller's own token subject. Anything else is
+//     REJECTED — never silently self-pinned, never silently ignored —
+//     because honoring it would let an end user probe another subject's
+//     access (IDOR / info disclosure).
+//
+// TODO(phase-2 M2M): machine-to-machine / client-credentials callers should
+// also be allowed to pass an explicit user once that caller type exists;
+// extend the trust check here (the rule must stay centralized in this one
+// helper).
+func (g *graphqlProvider) resolveFgaSubject(ctx context.Context, explicitUser string) (string, error) {
+	gc, err := utils.GinContextFromContext(ctx)
+	if err != nil {
+		return "", err
+	}
+	explicitUser = strings.TrimSpace(explicitUser)
+
+	// The caller's own subject, when they carry a user token/session. Resolved
+	// lazily-ish here because both branches may need it.
+	ownSubject := ""
+	if tokenData, terr := g.TokenProvider.GetUserIDFromSessionOrAccessToken(gc); terr == nil && strings.TrimSpace(tokenData.UserID) != "" {
+		ownSubject = "user:" + tokenData.UserID
+	}
+
+	if explicitUser == "" {
+		// Default: pin to the caller's own token subject.
+		if ownSubject == "" {
+			return "", fmt.Errorf("unauthorized")
+		}
+		return ownSubject, nil
+	}
+
+	subject := normalizeFgaSubject(explicitUser)
+	if err := validateFgaSubject(subject); err != nil {
+		return "", err
+	}
+	// Self-specification is always allowed: it is exactly what the token
+	// already proves. This keeps client code symmetric (it may always send
+	// `user`) while the server stays strict.
+	if subject == ownSubject {
+		return subject, nil
+	}
+	// Only a super-admin may evaluate a different subject. The trust level is
+	// derived from the admin cookie/secret — never from client input.
+	if g.TokenProvider.IsSuperAdmin(gc) {
+		return subject, nil
+	}
+	return "", fmt.Errorf("not authorized to query authorization for another subject")
+}
+
+// normalizeFgaSubject turns a bare id into the canonical "user:<id>" form;
+// values that already carry a type ("type:id") pass through unchanged.
+func normalizeFgaSubject(user string) string {
+	if !strings.Contains(user, ":") {
+		return "user:" + user
+	}
+	return user
+}
+
+// validateFgaSubject ensures an explicitly supplied subject is in OpenFGA
+// "type:id" form (both halves non-empty). It rejects usersets
+// ("type:id#relation") and malformed values.
+func validateFgaSubject(user string) error {
+	objType, objID, found := strings.Cut(user, ":")
+	if !found || strings.TrimSpace(objType) == "" || strings.TrimSpace(objID) == "" {
+		return fmt.Errorf("user must be in type:id form, got %q", user)
+	}
+	if strings.Contains(objID, "#") {
+		return fmt.Errorf("user must be a concrete subject in type:id form, not a userset, got %q", user)
+	}
+	return nil
+}
+
+// toContextualTuples converts client-supplied contextual tuples. These are
+// request-scoped only (never persisted) and are safe to accept from the client.
+func toContextualTuples(in []*model.FgaTupleInput) ([]engine.ContextualTuple, error) {
+	if len(in) == 0 {
+		return nil, nil
+	}
+	out := make([]engine.ContextualTuple, 0, len(in))
+	for _, t := range in {
+		if t == nil || strings.TrimSpace(t.User) == "" || strings.TrimSpace(t.Relation) == "" || strings.TrimSpace(t.Object) == "" {
+			return nil, fmt.Errorf("each contextual tuple requires user, relation and object")
+		}
+		out = append(out, engine.ContextualTuple{User: t.User, Relation: t.Relation, Object: t.Object})
+	}
+	return out, nil
+}
+
+// toEngineTuples validates and converts admin-supplied tuple inputs into engine
+// tuples. It enforces a per-call cap and rejects empty fields.
+func toEngineTuples(params *model.FgaWriteTuplesInput) ([]engine.TupleKey, error) {
+	if params == nil || len(params.Tuples) == 0 {
+		return nil, fmt.Errorf("at least one tuple is required")
+	}
+	if len(params.Tuples) > maxFgaTuplesPerWrite {
+		return nil, fmt.Errorf("too many tuples: max %d per request", maxFgaTuplesPerWrite)
+	}
+	tuples := make([]engine.TupleKey, 0, len(params.Tuples))
+	for _, t := range params.Tuples {
+		if t == nil || strings.TrimSpace(t.User) == "" || strings.TrimSpace(t.Relation) == "" || strings.TrimSpace(t.Object) == "" {
+			return nil, fmt.Errorf("each tuple requires user, relation and object")
+		}
+		tuples = append(tuples, engine.TupleKey{User: t.User, Relation: t.Relation, Object: t.Object})
+	}
+	return tuples, nil
+}
diff --git a/internal/graphql/fga_admin.go b/internal/graphql/fga_admin.go
deleted file mode 100644
index 29a072ca..00000000
--- a/internal/graphql/fga_admin.go
+++ /dev/null
@@ -1,360 +0,0 @@
-package graphql
-
-import (
-	"context"
-	"errors"
-	"fmt"
-	"strings"
-
-	"github.com/authorizerdev/authorizer/internal/audit"
-	"github.com/authorizerdev/authorizer/internal/authorization/engine"
-	"github.com/authorizerdev/authorizer/internal/constants"
-	"github.com/authorizerdev/authorizer/internal/graph/model"
-	"github.com/authorizerdev/authorizer/internal/metrics"
-	"github.com/authorizerdev/authorizer/internal/refs"
-	"github.com/authorizerdev/authorizer/internal/utils"
-)
-
-// errFgaNotEnabled is returned by every FGA resolver when no authorization
-// engine is configured (no --fga-store). Fail-closed.
-var errFgaNotEnabled = errors.New("fine-grained authorization is not enabled")
-
-// maxFgaTuplesPerWrite caps the number of tuples accepted in a single write or
-// delete to bound the work an admin call performs.
-const maxFgaTuplesPerWrite = 100
-
-// maxFgaReadPageSize caps the page size for tuple reads. OpenFGA's ReadRequest
-// enforces a [1, 100] range, so this is both a safety cap and a hard backend
-// limit.
-const maxFgaReadPageSize = 100
-
-// FgaWriteModel installs a new fine-grained authorization model from its DSL.
-// Permission: authorizer:admin. Audited.
-func (g *graphqlProvider) FgaWriteModel(ctx context.Context, params *model.FgaWriteModelInput) (*model.FgaModel, error) {
-	log := g.Log.With().Str("func", "FgaWriteModel").Logger()
-	gc, err := utils.GinContextFromContext(ctx)
-	if err != nil {
-		log.Debug().Err(err).Msg("Failed to get GinContext")
-		return nil, err
-	}
-	if !g.TokenProvider.IsSuperAdmin(gc) {
-		log.Debug().Msg("Not logged in as super admin")
-		return nil, fmt.Errorf("unauthorized")
-	}
-	if g.AuthzEngine == nil {
-		return nil, errFgaNotEnabled
-	}
-	if params == nil || strings.TrimSpace(params.Dsl) == "" {
-		return nil, fmt.Errorf("dsl is required")
-	}
-	modelID, err := g.AuthzEngine.WriteModel(ctx, params.Dsl)
-	if err != nil {
-		metrics.RecordFgaOperation(metrics.FgaOpWriteModel, metrics.FgaResultError)
-		log.Debug().Err(err).Msg("Failed to write authorization model")
-		return nil, err
-	}
-	metrics.RecordFgaOperation(metrics.FgaOpWriteModel, metrics.FgaResultSuccess)
-	g.AuditProvider.LogEvent(audit.Event{
-		Action:       constants.AuditAdminFgaModelWrittenEvent,
-		ActorType:    constants.AuditActorTypeAdmin,
-		ResourceType: constants.AuditResourceTypeFgaModel,
-		ResourceID:   modelID,
-		IPAddress:    utils.GetIP(gc.Request),
-		UserAgent:    utils.GetUserAgent(gc.Request),
-	})
-	return &model.FgaModel{ID: modelID, Dsl: params.Dsl}, nil
-}
-
-// FgaGetModel returns the active fine-grained authorization model as DSL.
-// Permission: authorizer:admin.
-func (g *graphqlProvider) FgaGetModel(ctx context.Context) (*model.FgaModel, error) {
-	log := g.Log.With().Str("func", "FgaGetModel").Logger()
-	gc, err := utils.GinContextFromContext(ctx)
-	if err != nil {
-		log.Debug().Err(err).Msg("Failed to get GinContext")
-		return nil, err
-	}
-	if !g.TokenProvider.IsSuperAdmin(gc) {
-		log.Debug().Msg("Not logged in as super admin")
-		return nil, fmt.Errorf("unauthorized")
-	}
-	if g.AuthzEngine == nil {
-		return nil, errFgaNotEnabled
-	}
-	id, dsl, err := g.AuthzEngine.ReadModel(ctx)
-	if err != nil {
-		// A store with no model yet is a normal empty state, not a failure:
-		// return an empty model so the dashboard shows its "define a model"
-		// starting point instead of an error.
-		if errors.Is(err, engine.ErrNoModel) {
-			metrics.RecordFgaOperation(metrics.FgaOpGetModel, metrics.FgaResultSuccess)
-			return &model.FgaModel{ID: "", Dsl: ""}, nil
-		}
-		metrics.RecordFgaOperation(metrics.FgaOpGetModel, metrics.FgaResultError)
-		log.Debug().Err(err).Msg("Failed to read authorization model")
-		return nil, err
-	}
-	metrics.RecordFgaOperation(metrics.FgaOpGetModel, metrics.FgaResultSuccess)
-	return &model.FgaModel{ID: id, Dsl: dsl}, nil
-}
-
-// FgaWriteTuples persists the given relationship tuples.
-// Permission: authorizer:admin. Audited.
-func (g *graphqlProvider) FgaWriteTuples(ctx context.Context, params *model.FgaWriteTuplesInput) (*model.Response, error) {
-	log := g.Log.With().Str("func", "FgaWriteTuples").Logger()
-	gc, err := utils.GinContextFromContext(ctx)
-	if err != nil {
-		log.Debug().Err(err).Msg("Failed to get GinContext")
-		return nil, err
-	}
-	if !g.TokenProvider.IsSuperAdmin(gc) {
-		log.Debug().Msg("Not logged in as super admin")
-		return nil, fmt.Errorf("unauthorized")
-	}
-	if g.AuthzEngine == nil {
-		return nil, errFgaNotEnabled
-	}
-	tuples, err := toEngineTuples(params)
-	if err != nil {
-		return nil, err
-	}
-	if err := g.AuthzEngine.WriteTuples(ctx, tuples); err != nil {
-		metrics.RecordFgaOperation(metrics.FgaOpWriteTuples, metrics.FgaResultError)
-		log.Debug().Err(err).Msg("Failed to write tuples")
-		return nil, err
-	}
-	metrics.RecordFgaOperation(metrics.FgaOpWriteTuples, metrics.FgaResultSuccess)
-	g.AuditProvider.LogEvent(audit.Event{
-		Action:       constants.AuditAdminFgaTuplesWrittenEvent,
-		ActorType:    constants.AuditActorTypeAdmin,
-		ResourceType: constants.AuditResourceTypeFgaTuple,
-		IPAddress:    utils.GetIP(gc.Request),
-		UserAgent:    utils.GetUserAgent(gc.Request),
-		Metadata:     fmt.Sprintf("count=%d", len(tuples)),
-	})
-	return &model.Response{Message: "Tuples written successfully"}, nil
-}
-
-// FgaDeleteTuples removes the given relationship tuples.
-// Permission: authorizer:admin. Audited.
-func (g *graphqlProvider) FgaDeleteTuples(ctx context.Context, params *model.FgaWriteTuplesInput) (*model.Response, error) {
-	log := g.Log.With().Str("func", "FgaDeleteTuples").Logger()
-	gc, err := utils.GinContextFromContext(ctx)
-	if err != nil {
-		log.Debug().Err(err).Msg("Failed to get GinContext")
-		return nil, err
-	}
-	if !g.TokenProvider.IsSuperAdmin(gc) {
-		log.Debug().Msg("Not logged in as super admin")
-		return nil, fmt.Errorf("unauthorized")
-	}
-	if g.AuthzEngine == nil {
-		return nil, errFgaNotEnabled
-	}
-	tuples, err := toEngineTuples(params)
-	if err != nil {
-		return nil, err
-	}
-	if err := g.AuthzEngine.DeleteTuples(ctx, tuples); err != nil {
-		metrics.RecordFgaOperation(metrics.FgaOpDeleteTuples, metrics.FgaResultError)
-		log.Debug().Err(err).Msg("Failed to delete tuples")
-		return nil, err
-	}
-	metrics.RecordFgaOperation(metrics.FgaOpDeleteTuples, metrics.FgaResultSuccess)
-	g.AuditProvider.LogEvent(audit.Event{
-		Action:       constants.AuditAdminFgaTuplesDeletedEvent,
-		ActorType:    constants.AuditActorTypeAdmin,
-		ResourceType: constants.AuditResourceTypeFgaTuple,
-		IPAddress:    utils.GetIP(gc.Request),
-		UserAgent:    utils.GetUserAgent(gc.Request),
-		Metadata:     fmt.Sprintf("count=%d", len(tuples)),
-	})
-	return &model.Response{Message: "Tuples deleted successfully"}, nil
-}
-
-// FgaReadTuples returns a page of persisted tuples matching the filter.
-// Permission: authorizer:admin.
-func (g *graphqlProvider) FgaReadTuples(ctx context.Context, params *model.FgaReadTuplesInput) (*model.FgaTuples, error) {
-	log := g.Log.With().Str("func", "FgaReadTuples").Logger()
-	gc, err := utils.GinContextFromContext(ctx)
-	if err != nil {
-		log.Debug().Err(err).Msg("Failed to get GinContext")
-		return nil, err
-	}
-	if !g.TokenProvider.IsSuperAdmin(gc) {
-		log.Debug().Msg("Not logged in as super admin")
-		return nil, fmt.Errorf("unauthorized")
-	}
-	if g.AuthzEngine == nil {
-		return nil, errFgaNotEnabled
-	}
-	filter := engine.ReadTuplesFilter{}
-	if params != nil {
-		filter.User = refs.StringValue(params.User)
-		filter.Relation = refs.StringValue(params.Relation)
-		filter.Object = refs.StringValue(params.Object)
-		filter.ContinuationToken = refs.StringValue(params.ContinuationToken)
-		if params.PageSize != nil {
-			ps := *params.PageSize
-			// Cap page size; it is an enumeration surface and the backend
-			// enforces a [1, 100] range.
-			if ps <= 0 || ps > maxFgaReadPageSize {
-				ps = maxFgaReadPageSize
-			}
-			filter.PageSize = int32(ps)
-		}
-	}
-	if filter.PageSize == 0 {
-		filter.PageSize = maxFgaReadPageSize
-	}
-	res, err := g.AuthzEngine.ReadTuples(ctx, filter)
-	if err != nil {
-		metrics.RecordFgaOperation(metrics.FgaOpReadTuples, metrics.FgaResultError)
-		log.Debug().Err(err).Msg("Failed to read tuples")
-		return nil, err
-	}
-	metrics.RecordFgaOperation(metrics.FgaOpReadTuples, metrics.FgaResultSuccess)
-	out := &model.FgaTuples{Tuples: make([]*model.FgaTuple, 0, len(res.Tuples))}
-	for _, t := range res.Tuples {
-		out.Tuples = append(out.Tuples, &model.FgaTuple{User: t.User, Relation: t.Relation, Object: t.Object})
-	}
-	if res.ContinuationToken != "" {
-		out.ContinuationToken = refs.NewStringRef(res.ContinuationToken)
-	}
-	return out, nil
-}
-
-// FgaListUsers returns the fully-qualified user ids of user_type that have
-// relation on object ("who can access this object?"). This is an introspection
-// surface that reveals the access graph, so it is super-admin gated like the
-// other _fga_* admin ops. Read-only: no audit.
-// Permission: authorizer:admin.
-func (g *graphqlProvider) FgaListUsers(ctx context.Context, params *model.FgaListUsersInput) (*model.FgaListUsersResponse, error) {
-	log := g.Log.With().Str("func", "FgaListUsers").Logger()
-	gc, err := utils.GinContextFromContext(ctx)
-	if err != nil {
-		log.Debug().Err(err).Msg("Failed to get GinContext")
-		return nil, err
-	}
-	if !g.TokenProvider.IsSuperAdmin(gc) {
-		log.Debug().Msg("Not logged in as super admin")
-		return nil, fmt.Errorf("unauthorized")
-	}
-	if g.AuthzEngine == nil {
-		return nil, errFgaNotEnabled
-	}
-	if params == nil || strings.TrimSpace(params.Object) == "" || strings.TrimSpace(params.Relation) == "" || strings.TrimSpace(params.UserType) == "" {
-		return nil, fmt.Errorf("object, relation and user_type are required")
-	}
-	users, err := g.AuthzEngine.ListUsers(ctx, params.Object, params.Relation, params.UserType)
-	if err != nil {
-		metrics.RecordFgaOperation(metrics.FgaOpListUsers, metrics.FgaResultError)
-		log.Debug().Err(err).Msg("Failed to list users")
-		return nil, err
-	}
-	metrics.RecordFgaOperation(metrics.FgaOpListUsers, metrics.FgaResultSuccess)
-	// Cap the result set; ListUsers is an expensive enumeration surface.
-	if len(users) > maxFgaListResults {
-		users = users[:maxFgaListResults]
-	}
-	return &model.FgaListUsersResponse{Users: users}, nil
-}
-
-// FgaExpand returns the OpenFGA relationship/userset tree for (relation, object)
-// as a JSON string (the explainability/"why" primitive). It reveals the access
-// graph, so it is super-admin gated like the other _fga_* admin ops. Read-only:
-// no audit.
-// Permission: authorizer:admin.
-func (g *graphqlProvider) FgaExpand(ctx context.Context, params *model.FgaExpandInput) (*model.FgaExpandResponse, error) {
-	log := g.Log.With().Str("func", "FgaExpand").Logger()
-	gc, err := utils.GinContextFromContext(ctx)
-	if err != nil {
-		log.Debug().Err(err).Msg("Failed to get GinContext")
-		return nil, err
-	}
-	if !g.TokenProvider.IsSuperAdmin(gc) {
-		log.Debug().Msg("Not logged in as super admin")
-		return nil, fmt.Errorf("unauthorized")
-	}
-	if g.AuthzEngine == nil {
-		return nil, errFgaNotEnabled
-	}
-	if params == nil || strings.TrimSpace(params.Relation) == "" || strings.TrimSpace(params.Object) == "" {
-		return nil, fmt.Errorf("relation and object are required")
-	}
-	tree, err := g.AuthzEngine.Expand(ctx, params.Relation, params.Object)
-	if err != nil {
-		metrics.RecordFgaOperation(metrics.FgaOpExpand, metrics.FgaResultError)
-		log.Debug().Err(err).Msg("Failed to expand")
-		return nil, err
-	}
-	metrics.RecordFgaOperation(metrics.FgaOpExpand, metrics.FgaResultSuccess)
-	return &model.FgaExpandResponse{Tree: tree}, nil
-}
-
-// FgaReset deletes the entire fine-grained authorization store — the model, all
-// its versions, and all tuples — and starts a fresh, empty store. OpenFGA has no
-// per-version model delete, so this is the only way to remove a model.
-//
-// It is guarded: the reset is refused while any relationship tuples still exist,
-// so an admin cannot silently drop live grants. Callers must delete all tuples
-// first. Destructive and audited.
-// Permission: authorizer:admin.
-func (g *graphqlProvider) FgaReset(ctx context.Context) (*model.Response, error) {
-	log := g.Log.With().Str("func", "FgaReset").Logger()
-	gc, err := utils.GinContextFromContext(ctx)
-	if err != nil {
-		log.Debug().Err(err).Msg("Failed to get GinContext")
-		return nil, err
-	}
-	if !g.TokenProvider.IsSuperAdmin(gc) {
-		log.Debug().Msg("Not logged in as super admin")
-		return nil, fmt.Errorf("unauthorized")
-	}
-	if g.AuthzEngine == nil {
-		return nil, errFgaNotEnabled
-	}
-	// Safety gate: refuse to reset while tuples still exist so live grants are
-	// never dropped without an explicit prior cleanup.
-	existing, err := g.AuthzEngine.ReadTuples(ctx, engine.ReadTuplesFilter{PageSize: 1})
-	if err != nil {
-		log.Debug().Err(err).Msg("Failed to check for existing tuples before reset")
-		return nil, err
-	}
-	if existing != nil && len(existing.Tuples) > 0 {
-		return nil, fmt.Errorf("remove all relationship tuples before resetting the authorization model")
-	}
-	if err := g.AuthzEngine.Reset(ctx); err != nil {
-		metrics.RecordFgaOperation(metrics.FgaOpReset, metrics.FgaResultError)
-		log.Debug().Err(err).Msg("Failed to reset authorization store")
-		return nil, err
-	}
-	metrics.RecordFgaOperation(metrics.FgaOpReset, metrics.FgaResultSuccess)
-	g.AuditProvider.LogEvent(audit.Event{
-		Action:       constants.AuditAdminFgaResetEvent,
-		ActorType:    constants.AuditActorTypeAdmin,
-		ResourceType: constants.AuditResourceTypeFgaModel,
-		IPAddress:    utils.GetIP(gc.Request),
-		UserAgent:    utils.GetUserAgent(gc.Request),
-	})
-	return &model.Response{Message: "Authorization model reset successfully"}, nil
-}
-
-// toEngineTuples validates and converts admin-supplied tuple inputs into engine
-// tuples. It enforces a per-call cap and rejects empty fields.
-func toEngineTuples(params *model.FgaWriteTuplesInput) ([]engine.TupleKey, error) {
-	if params == nil || len(params.Tuples) == 0 {
-		return nil, fmt.Errorf("at least one tuple is required")
-	}
-	if len(params.Tuples) > maxFgaTuplesPerWrite {
-		return nil, fmt.Errorf("too many tuples: max %d per request", maxFgaTuplesPerWrite)
-	}
-	tuples := make([]engine.TupleKey, 0, len(params.Tuples))
-	for _, t := range params.Tuples {
-		if t == nil || strings.TrimSpace(t.User) == "" || strings.TrimSpace(t.Relation) == "" || strings.TrimSpace(t.Object) == "" {
-			return nil, fmt.Errorf("each tuple requires user, relation and object")
-		}
-		tuples = append(tuples, engine.TupleKey{User: t.User, Relation: t.Relation, Object: t.Object})
-	}
-	return tuples, nil
-}
diff --git a/internal/graphql/fga_delete_tuples.go b/internal/graphql/fga_delete_tuples.go
new file mode 100644
index 00000000..a73efaed
--- /dev/null
+++ b/internal/graphql/fga_delete_tuples.go
@@ -0,0 +1,49 @@
+package graphql
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/authorizerdev/authorizer/internal/audit"
+	"github.com/authorizerdev/authorizer/internal/constants"
+	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/metrics"
+	"github.com/authorizerdev/authorizer/internal/utils"
+)
+
+// FgaDeleteTuples removes the given relationship tuples.
+// Permission: authorizer:admin. Audited.
+func (g *graphqlProvider) FgaDeleteTuples(ctx context.Context, params *model.FgaWriteTuplesInput) (*model.Response, error) {
+	log := g.Log.With().Str("func", "FgaDeleteTuples").Logger()
+	gc, err := utils.GinContextFromContext(ctx)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to get GinContext")
+		return nil, err
+	}
+	if !g.TokenProvider.IsSuperAdmin(gc) {
+		log.Debug().Msg("Not logged in as super admin")
+		return nil, fmt.Errorf("unauthorized")
+	}
+	if g.AuthzEngine == nil {
+		return nil, errFgaNotEnabled
+	}
+	tuples, err := toEngineTuples(params)
+	if err != nil {
+		return nil, err
+	}
+	if err := g.AuthzEngine.DeleteTuples(ctx, tuples); err != nil {
+		metrics.RecordFgaOperation(metrics.FgaOpDeleteTuples, metrics.FgaResultError)
+		log.Debug().Err(err).Msg("Failed to delete tuples")
+		return nil, err
+	}
+	metrics.RecordFgaOperation(metrics.FgaOpDeleteTuples, metrics.FgaResultSuccess)
+	g.AuditProvider.LogEvent(audit.Event{
+		Action:       constants.AuditAdminFgaTuplesDeletedEvent,
+		ActorType:    constants.AuditActorTypeAdmin,
+		ResourceType: constants.AuditResourceTypeFgaTuple,
+		IPAddress:    utils.GetIP(gc.Request),
+		UserAgent:    utils.GetUserAgent(gc.Request),
+		Metadata:     fmt.Sprintf("count=%d", len(tuples)),
+	})
+	return &model.Response{Message: "Tuples deleted successfully"}, nil
+}
diff --git a/internal/graphql/fga_expand.go b/internal/graphql/fga_expand.go
new file mode 100644
index 00000000..3aa65777
--- /dev/null
+++ b/internal/graphql/fga_expand.go
@@ -0,0 +1,43 @@
+package graphql
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/metrics"
+	"github.com/authorizerdev/authorizer/internal/utils"
+)
+
+// FgaExpand returns the OpenFGA relationship/userset tree for (relation, object)
+// as a JSON string (the explainability/"why" primitive). It reveals the access
+// graph, so it is super-admin gated like the other _fga_* admin ops. Read-only:
+// no audit.
+// Permission: authorizer:admin.
+func (g *graphqlProvider) FgaExpand(ctx context.Context, params *model.FgaExpandInput) (*model.FgaExpandResponse, error) {
+	log := g.Log.With().Str("func", "FgaExpand").Logger()
+	gc, err := utils.GinContextFromContext(ctx)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to get GinContext")
+		return nil, err
+	}
+	if !g.TokenProvider.IsSuperAdmin(gc) {
+		log.Debug().Msg("Not logged in as super admin")
+		return nil, fmt.Errorf("unauthorized")
+	}
+	if g.AuthzEngine == nil {
+		return nil, errFgaNotEnabled
+	}
+	if params == nil || strings.TrimSpace(params.Relation) == "" || strings.TrimSpace(params.Object) == "" {
+		return nil, fmt.Errorf("relation and object are required")
+	}
+	tree, err := g.AuthzEngine.Expand(ctx, params.Relation, params.Object)
+	if err != nil {
+		metrics.RecordFgaOperation(metrics.FgaOpExpand, metrics.FgaResultError)
+		log.Debug().Err(err).Msg("Failed to expand")
+		return nil, err
+	}
+	metrics.RecordFgaOperation(metrics.FgaOpExpand, metrics.FgaResultSuccess)
+	return &model.FgaExpandResponse{Tree: tree}, nil
+}
diff --git a/internal/graphql/fga_get_model.go b/internal/graphql/fga_get_model.go
new file mode 100644
index 00000000..d825e933
--- /dev/null
+++ b/internal/graphql/fga_get_model.go
@@ -0,0 +1,45 @@
+package graphql
+
+import (
+	"context"
+	"errors"
+	"fmt"
+
+	"github.com/authorizerdev/authorizer/internal/authorization/engine"
+	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/metrics"
+	"github.com/authorizerdev/authorizer/internal/utils"
+)
+
+// FgaGetModel returns the active fine-grained authorization model as DSL.
+// Permission: authorizer:admin.
+func (g *graphqlProvider) FgaGetModel(ctx context.Context) (*model.FgaModel, error) {
+	log := g.Log.With().Str("func", "FgaGetModel").Logger()
+	gc, err := utils.GinContextFromContext(ctx)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to get GinContext")
+		return nil, err
+	}
+	if !g.TokenProvider.IsSuperAdmin(gc) {
+		log.Debug().Msg("Not logged in as super admin")
+		return nil, fmt.Errorf("unauthorized")
+	}
+	if g.AuthzEngine == nil {
+		return nil, errFgaNotEnabled
+	}
+	id, dsl, err := g.AuthzEngine.ReadModel(ctx)
+	if err != nil {
+		// A store with no model yet is a normal empty state, not a failure:
+		// return an empty model so the dashboard shows its "define a model"
+		// starting point instead of an error.
+		if errors.Is(err, engine.ErrNoModel) {
+			metrics.RecordFgaOperation(metrics.FgaOpGetModel, metrics.FgaResultSuccess)
+			return &model.FgaModel{ID: "", Dsl: ""}, nil
+		}
+		metrics.RecordFgaOperation(metrics.FgaOpGetModel, metrics.FgaResultError)
+		log.Debug().Err(err).Msg("Failed to read authorization model")
+		return nil, err
+	}
+	metrics.RecordFgaOperation(metrics.FgaOpGetModel, metrics.FgaResultSuccess)
+	return &model.FgaModel{ID: id, Dsl: dsl}, nil
+}
diff --git a/internal/graphql/fga_list_users.go b/internal/graphql/fga_list_users.go
new file mode 100644
index 00000000..9ebfabc7
--- /dev/null
+++ b/internal/graphql/fga_list_users.go
@@ -0,0 +1,47 @@
+package graphql
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/metrics"
+	"github.com/authorizerdev/authorizer/internal/utils"
+)
+
+// FgaListUsers returns the fully-qualified user ids of user_type that have
+// relation on object ("who can access this object?"). This is an introspection
+// surface that reveals the access graph, so it is super-admin gated like the
+// other _fga_* admin ops. Read-only: no audit.
+// Permission: authorizer:admin.
+func (g *graphqlProvider) FgaListUsers(ctx context.Context, params *model.FgaListUsersInput) (*model.FgaListUsersResponse, error) {
+	log := g.Log.With().Str("func", "FgaListUsers").Logger()
+	gc, err := utils.GinContextFromContext(ctx)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to get GinContext")
+		return nil, err
+	}
+	if !g.TokenProvider.IsSuperAdmin(gc) {
+		log.Debug().Msg("Not logged in as super admin")
+		return nil, fmt.Errorf("unauthorized")
+	}
+	if g.AuthzEngine == nil {
+		return nil, errFgaNotEnabled
+	}
+	if params == nil || strings.TrimSpace(params.Object) == "" || strings.TrimSpace(params.Relation) == "" || strings.TrimSpace(params.UserType) == "" {
+		return nil, fmt.Errorf("object, relation and user_type are required")
+	}
+	users, err := g.AuthzEngine.ListUsers(ctx, params.Object, params.Relation, params.UserType)
+	if err != nil {
+		metrics.RecordFgaOperation(metrics.FgaOpListUsers, metrics.FgaResultError)
+		log.Debug().Err(err).Msg("Failed to list users")
+		return nil, err
+	}
+	metrics.RecordFgaOperation(metrics.FgaOpListUsers, metrics.FgaResultSuccess)
+	// Cap the result set; ListUsers is an expensive enumeration surface.
+	if len(users) > maxFgaListResults {
+		users = users[:maxFgaListResults]
+	}
+	return &model.FgaListUsersResponse{Users: users}, nil
+}
diff --git a/internal/graphql/fga_read_tuples.go b/internal/graphql/fga_read_tuples.go
new file mode 100644
index 00000000..d90d8094
--- /dev/null
+++ b/internal/graphql/fga_read_tuples.go
@@ -0,0 +1,64 @@
+package graphql
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/authorizerdev/authorizer/internal/authorization/engine"
+	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/metrics"
+	"github.com/authorizerdev/authorizer/internal/refs"
+	"github.com/authorizerdev/authorizer/internal/utils"
+)
+
+// FgaReadTuples returns a page of persisted tuples matching the filter.
+// Permission: authorizer:admin.
+func (g *graphqlProvider) FgaReadTuples(ctx context.Context, params *model.FgaReadTuplesInput) (*model.FgaTuples, error) {
+	log := g.Log.With().Str("func", "FgaReadTuples").Logger()
+	gc, err := utils.GinContextFromContext(ctx)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to get GinContext")
+		return nil, err
+	}
+	if !g.TokenProvider.IsSuperAdmin(gc) {
+		log.Debug().Msg("Not logged in as super admin")
+		return nil, fmt.Errorf("unauthorized")
+	}
+	if g.AuthzEngine == nil {
+		return nil, errFgaNotEnabled
+	}
+	filter := engine.ReadTuplesFilter{}
+	if params != nil {
+		filter.User = refs.StringValue(params.User)
+		filter.Relation = refs.StringValue(params.Relation)
+		filter.Object = refs.StringValue(params.Object)
+		filter.ContinuationToken = refs.StringValue(params.ContinuationToken)
+		if params.PageSize != nil {
+			ps := *params.PageSize
+			// Cap page size; it is an enumeration surface and the backend
+			// enforces a [1, 100] range.
+			if ps <= 0 || ps > maxFgaReadPageSize {
+				ps = maxFgaReadPageSize
+			}
+			filter.PageSize = int32(ps)
+		}
+	}
+	if filter.PageSize == 0 {
+		filter.PageSize = maxFgaReadPageSize
+	}
+	res, err := g.AuthzEngine.ReadTuples(ctx, filter)
+	if err != nil {
+		metrics.RecordFgaOperation(metrics.FgaOpReadTuples, metrics.FgaResultError)
+		log.Debug().Err(err).Msg("Failed to read tuples")
+		return nil, err
+	}
+	metrics.RecordFgaOperation(metrics.FgaOpReadTuples, metrics.FgaResultSuccess)
+	out := &model.FgaTuples{Tuples: make([]*model.FgaTuple, 0, len(res.Tuples))}
+	for _, t := range res.Tuples {
+		out.Tuples = append(out.Tuples, &model.FgaTuple{User: t.User, Relation: t.Relation, Object: t.Object})
+	}
+	if res.ContinuationToken != "" {
+		out.ContinuationToken = refs.NewStringRef(res.ContinuationToken)
+	}
+	return out, nil
+}
diff --git a/internal/graphql/fga_reset.go b/internal/graphql/fga_reset.go
new file mode 100644
index 00000000..1c28981b
--- /dev/null
+++ b/internal/graphql/fga_reset.go
@@ -0,0 +1,61 @@
+package graphql
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/authorizerdev/authorizer/internal/audit"
+	"github.com/authorizerdev/authorizer/internal/authorization/engine"
+	"github.com/authorizerdev/authorizer/internal/constants"
+	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/metrics"
+	"github.com/authorizerdev/authorizer/internal/utils"
+)
+
+// FgaReset deletes the entire fine-grained authorization store — the model, all
+// its versions, and all tuples — and starts a fresh, empty store. OpenFGA has no
+// per-version model delete, so this is the only way to remove a model.
+//
+// It is guarded: the reset is refused while any relationship tuples still exist,
+// so an admin cannot silently drop live grants. Callers must delete all tuples
+// first. Destructive and audited.
+// Permission: authorizer:admin.
+func (g *graphqlProvider) FgaReset(ctx context.Context) (*model.Response, error) {
+	log := g.Log.With().Str("func", "FgaReset").Logger()
+	gc, err := utils.GinContextFromContext(ctx)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to get GinContext")
+		return nil, err
+	}
+	if !g.TokenProvider.IsSuperAdmin(gc) {
+		log.Debug().Msg("Not logged in as super admin")
+		return nil, fmt.Errorf("unauthorized")
+	}
+	if g.AuthzEngine == nil {
+		return nil, errFgaNotEnabled
+	}
+	// Safety gate: refuse to reset while tuples still exist so live grants are
+	// never dropped without an explicit prior cleanup.
+	existing, err := g.AuthzEngine.ReadTuples(ctx, engine.ReadTuplesFilter{PageSize: 1})
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to check for existing tuples before reset")
+		return nil, err
+	}
+	if existing != nil && len(existing.Tuples) > 0 {
+		return nil, fmt.Errorf("remove all relationship tuples before resetting the authorization model")
+	}
+	if err := g.AuthzEngine.Reset(ctx); err != nil {
+		metrics.RecordFgaOperation(metrics.FgaOpReset, metrics.FgaResultError)
+		log.Debug().Err(err).Msg("Failed to reset authorization store")
+		return nil, err
+	}
+	metrics.RecordFgaOperation(metrics.FgaOpReset, metrics.FgaResultSuccess)
+	g.AuditProvider.LogEvent(audit.Event{
+		Action:       constants.AuditAdminFgaResetEvent,
+		ActorType:    constants.AuditActorTypeAdmin,
+		ResourceType: constants.AuditResourceTypeFgaModel,
+		IPAddress:    utils.GetIP(gc.Request),
+		UserAgent:    utils.GetUserAgent(gc.Request),
+	})
+	return &model.Response{Message: "Authorization model reset successfully"}, nil
+}
diff --git a/internal/graphql/fga_runtime.go b/internal/graphql/fga_runtime.go
deleted file mode 100644
index 8235129d..00000000
--- a/internal/graphql/fga_runtime.go
+++ /dev/null
@@ -1,233 +0,0 @@
-package graphql
-
-import (
-	"context"
-	"fmt"
-	"strings"
-	"time"
-
-	"github.com/authorizerdev/authorizer/internal/authorization/engine"
-	"github.com/authorizerdev/authorizer/internal/graph/model"
-	"github.com/authorizerdev/authorizer/internal/metrics"
-	"github.com/authorizerdev/authorizer/internal/refs"
-	"github.com/authorizerdev/authorizer/internal/utils"
-)
-
-// maxFgaListResults caps the number of objects returned by fga_list_objects and
-// the page size of admin tuple reads. ListObjects is an expensive enumeration
-// surface, so the result set is bounded.
-const maxFgaListResults = 1000
-
-// maxFgaBatchChecks caps the number of pairs accepted in a single batch check.
-const maxFgaBatchChecks = 100
-
-// resolveFgaSubject is the single, centralized trust gate for the FGA decision
-// ops (fga_check, fga_batch_check, fga_list_objects). It decides which OpenFGA
-// subject ("type:id") a decision is evaluated for, given the optional
-// client-supplied explicitUser override.
-//
-// Rules (fail-closed):
-//   - The trust level is ALWAYS derived from the auth token/session/admin cookie
-//     — never from client input.
-//   - super-admin caller: an explicitly supplied explicitUser is honored
-//     (validated to look like "type:id"); if absent it defaults to the
-//     super-admin's own "user:<sub>" when they also carry a user token, else it
-//     is required (a bare admin cookie has no subject of its own).
-//   - non-super-admin caller (ordinary end-user token/cookie):
-//   - explicitUser empty  → pin to the caller's own "user:<sub>".
-//   - explicitUser set    → REJECT. We do not silently honor it (would let an
-//     end user enumerate another subject's access — IDOR / info-disclosure)
-//     and we do not silently ignore it.
-//
-// TODO(phase-2 M2M): machine-to-machine / client-credentials callers should also
-// be allowed to pass an explicit user once that caller type exists; extend the
-// trust check here (the rule must stay centralized in this one helper).
-func (g *graphqlProvider) resolveFgaSubject(ctx context.Context, explicitUser string) (string, error) {
-	gc, err := utils.GinContextFromContext(ctx)
-	if err != nil {
-		return "", err
-	}
-	explicitUser = strings.TrimSpace(explicitUser)
-
-	// Determine the trust level first. Super-admin authenticates via the admin
-	// cookie/secret and need not carry a user token of its own, so this check
-	// must not depend on resolving a user subject.
-	isSuperAdmin := g.TokenProvider.IsSuperAdmin(gc)
-
-	if explicitUser != "" {
-		// A subject override was requested — only super-admin callers may target
-		// another subject. Everyone else is rejected (no silent self-fallback, no
-		// silent ignore).
-		if !isSuperAdmin {
-			return "", fmt.Errorf("not authorized to query authorization for another subject")
-		}
-		if err := validateFgaSubject(explicitUser); err != nil {
-			return "", err
-		}
-		return explicitUser, nil
-	}
-
-	// No override: pin to the caller's own subject (unchanged self-pinning
-	// behavior). This requires a resolvable user subject from the token/session.
-	tokenData, err := g.TokenProvider.GetUserIDFromSessionOrAccessToken(gc)
-	if err != nil || strings.TrimSpace(tokenData.UserID) == "" {
-		return "", fmt.Errorf("unauthorized")
-	}
-	return "user:" + tokenData.UserID, nil
-}
-
-// validateFgaSubject ensures a super-admin-supplied subject override is in
-// OpenFGA "type:id" form (both halves non-empty). It rejects usersets
-// ("type:id#relation") and malformed values.
-func validateFgaSubject(user string) error {
-	objType, objID, found := strings.Cut(user, ":")
-	if !found || strings.TrimSpace(objType) == "" || strings.TrimSpace(objID) == "" {
-		return fmt.Errorf("user must be in type:id form, got %q", user)
-	}
-	if strings.Contains(objID, "#") {
-		return fmt.Errorf("user must be a concrete subject in type:id form, not a userset, got %q", user)
-	}
-	return nil
-}
-
-// toContextualTuples converts client-supplied contextual tuples. These are
-// request-scoped only (never persisted) and are safe to accept from the client.
-func toContextualTuples(in []*model.FgaTupleInput) ([]engine.ContextualTuple, error) {
-	if len(in) == 0 {
-		return nil, nil
-	}
-	out := make([]engine.ContextualTuple, 0, len(in))
-	for _, t := range in {
-		if t == nil || strings.TrimSpace(t.User) == "" || strings.TrimSpace(t.Relation) == "" || strings.TrimSpace(t.Object) == "" {
-			return nil, fmt.Errorf("each contextual tuple requires user, relation and object")
-		}
-		out = append(out, engine.ContextualTuple{User: t.User, Relation: t.Relation, Object: t.Object})
-	}
-	return out, nil
-}
-
-// FgaCheck answers "is the authenticated caller related to object via relation?".
-// PRINCIPAL PINNING: the subject is the caller's token sub ("user:<sub>"), never
-// client input. Fail-closed: any engine error denies.
-// Permission: authorized user.
-func (g *graphqlProvider) FgaCheck(ctx context.Context, params *model.FgaCheckInput) (*model.FgaCheckResponse, error) {
-	log := g.Log.With().Str("func", "FgaCheck").Logger()
-	if g.AuthzEngine == nil {
-		return nil, errFgaNotEnabled
-	}
-	if params == nil || strings.TrimSpace(params.Relation) == "" || strings.TrimSpace(params.Object) == "" {
-		return nil, fmt.Errorf("relation and object are required")
-	}
-	// TRUST GATE — derive subject from the authenticated caller; an explicit
-	// `user` override is honored only for super-admins (see resolveFgaSubject).
-	principal, err := g.resolveFgaSubject(ctx, refs.StringValue(params.User))
-	if err != nil {
-		log.Debug().Err(err).Msg("Failed to resolve subject")
-		return nil, err
-	}
-	ctxTuples, err := toContextualTuples(params.ContextualTuples)
-	if err != nil {
-		return nil, err
-	}
-	start := time.Now()
-	allowed, err := g.AuthzEngine.Check(ctx, principal, params.Relation, params.Object, ctxTuples...)
-	metrics.ObserveFgaCheckDuration(metrics.FgaOpCheck, time.Since(start).Seconds())
-	if err != nil {
-		// Fail closed: treat engine error as deny.
-		metrics.RecordFgaCheck(metrics.FgaOpCheck, metrics.FgaResultError)
-		log.Debug().Err(err).Msg("Check failed; denying")
-		return nil, fmt.Errorf("authorization check failed")
-	}
-	metrics.RecordFgaCheckResult(metrics.FgaOpCheck, allowed)
-	return &model.FgaCheckResponse{Allowed: allowed}, nil
-}
-
-// FgaBatchCheck evaluates multiple relation/object pairs for the authenticated
-// caller. Principal pinned; fail-closed per the engine contract.
-// Permission: authorized user.
-func (g *graphqlProvider) FgaBatchCheck(ctx context.Context, params *model.FgaBatchCheckInput) (*model.FgaBatchCheckResponse, error) {
-	log := g.Log.With().Str("func", "FgaBatchCheck").Logger()
-	if g.AuthzEngine == nil {
-		return nil, errFgaNotEnabled
-	}
-	if params == nil || len(params.Checks) == 0 {
-		return nil, fmt.Errorf("at least one check is required")
-	}
-	if len(params.Checks) > maxFgaBatchChecks {
-		return nil, fmt.Errorf("too many checks: max %d per request", maxFgaBatchChecks)
-	}
-	requests := make([]engine.CheckRequest, 0, len(params.Checks))
-	for _, c := range params.Checks {
-		if c == nil || strings.TrimSpace(c.Relation) == "" || strings.TrimSpace(c.Object) == "" {
-			return nil, fmt.Errorf("each check requires relation and object")
-		}
-		// TRUST GATE — derive subject per item from the authenticated caller; an
-		// explicit `user` override is honored only for super-admins.
-		principal, err := g.resolveFgaSubject(ctx, refs.StringValue(c.User))
-		if err != nil {
-			log.Debug().Err(err).Msg("Failed to resolve subject")
-			return nil, err
-		}
-		ctxTuples, err := toContextualTuples(c.ContextualTuples)
-		if err != nil {
-			return nil, err
-		}
-		requests = append(requests, engine.CheckRequest{
-			User:             principal,
-			Relation:         c.Relation,
-			Object:           c.Object,
-			ContextualTuples: ctxTuples,
-		})
-	}
-	start := time.Now()
-	results, err := g.AuthzEngine.BatchCheck(ctx, requests)
-	metrics.ObserveFgaCheckDuration(metrics.FgaOpBatchCheck, time.Since(start).Seconds())
-	if err != nil {
-		// Fail closed for the whole batch.
-		metrics.RecordFgaCheck(metrics.FgaOpBatchCheck, metrics.FgaResultError)
-		log.Debug().Err(err).Msg("BatchCheck failed; denying")
-		return nil, fmt.Errorf("authorization check failed")
-	}
-	out := &model.FgaBatchCheckResponse{Results: make([]*model.FgaCheckResponse, 0, len(results))}
-	for _, r := range results {
-		// Record each sub-decision so adoption/denial rates reflect every pair.
-		metrics.RecordFgaCheckResult(metrics.FgaOpBatchCheck, r.Allowed)
-		out.Results = append(out.Results, &model.FgaCheckResponse{Allowed: r.Allowed})
-	}
-	return out, nil
-}
-
-// FgaListObjects enumerates objects of object_type the authenticated caller
-// relates to via relation. Principal pinned; result set capped (enumeration
-// surface). Fail-closed.
-// Permission: authorized user.
-func (g *graphqlProvider) FgaListObjects(ctx context.Context, params *model.FgaListObjectsInput) (*model.FgaListObjectsResponse, error) {
-	log := g.Log.With().Str("func", "FgaListObjects").Logger()
-	if g.AuthzEngine == nil {
-		return nil, errFgaNotEnabled
-	}
-	if params == nil || strings.TrimSpace(params.Relation) == "" || strings.TrimSpace(params.ObjectType) == "" {
-		return nil, fmt.Errorf("relation and object_type are required")
-	}
-	// TRUST GATE — derive subject from the authenticated caller; an explicit
-	// `user` override is honored only for super-admins (see resolveFgaSubject).
-	principal, err := g.resolveFgaSubject(ctx, refs.StringValue(params.User))
-	if err != nil {
-		log.Debug().Err(err).Msg("Failed to resolve subject")
-		return nil, err
-	}
-	start := time.Now()
-	objects, err := g.AuthzEngine.ListObjects(ctx, principal, params.Relation, params.ObjectType)
-	metrics.ObserveFgaCheckDuration(metrics.FgaOpListObjects, time.Since(start).Seconds())
-	if err != nil {
-		metrics.RecordFgaOperation(metrics.FgaOpListObjects, metrics.FgaResultError)
-		log.Debug().Err(err).Msg("ListObjects failed; denying")
-		return nil, fmt.Errorf("authorization list failed")
-	}
-	metrics.RecordFgaOperation(metrics.FgaOpListObjects, metrics.FgaResultSuccess)
-	// Cap the result set; ListObjects is an expensive enumeration surface.
-	if len(objects) > maxFgaListResults {
-		objects = objects[:maxFgaListResults]
-	}
-	return &model.FgaListObjectsResponse{Objects: objects}, nil
-}
diff --git a/internal/graphql/fga_write_model.go b/internal/graphql/fga_write_model.go
new file mode 100644
index 00000000..2112c901
--- /dev/null
+++ b/internal/graphql/fga_write_model.go
@@ -0,0 +1,50 @@
+package graphql
+
+import (
+	"context"
+	"fmt"
+	"strings"
+
+	"github.com/authorizerdev/authorizer/internal/audit"
+	"github.com/authorizerdev/authorizer/internal/constants"
+	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/metrics"
+	"github.com/authorizerdev/authorizer/internal/utils"
+)
+
+// FgaWriteModel installs a new fine-grained authorization model from its DSL.
+// Permission: authorizer:admin. Audited.
+func (g *graphqlProvider) FgaWriteModel(ctx context.Context, params *model.FgaWriteModelInput) (*model.FgaModel, error) {
+	log := g.Log.With().Str("func", "FgaWriteModel").Logger()
+	gc, err := utils.GinContextFromContext(ctx)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to get GinContext")
+		return nil, err
+	}
+	if !g.TokenProvider.IsSuperAdmin(gc) {
+		log.Debug().Msg("Not logged in as super admin")
+		return nil, fmt.Errorf("unauthorized")
+	}
+	if g.AuthzEngine == nil {
+		return nil, errFgaNotEnabled
+	}
+	if params == nil || strings.TrimSpace(params.Dsl) == "" {
+		return nil, fmt.Errorf("dsl is required")
+	}
+	modelID, err := g.AuthzEngine.WriteModel(ctx, params.Dsl)
+	if err != nil {
+		metrics.RecordFgaOperation(metrics.FgaOpWriteModel, metrics.FgaResultError)
+		log.Debug().Err(err).Msg("Failed to write authorization model")
+		return nil, err
+	}
+	metrics.RecordFgaOperation(metrics.FgaOpWriteModel, metrics.FgaResultSuccess)
+	g.AuditProvider.LogEvent(audit.Event{
+		Action:       constants.AuditAdminFgaModelWrittenEvent,
+		ActorType:    constants.AuditActorTypeAdmin,
+		ResourceType: constants.AuditResourceTypeFgaModel,
+		ResourceID:   modelID,
+		IPAddress:    utils.GetIP(gc.Request),
+		UserAgent:    utils.GetUserAgent(gc.Request),
+	})
+	return &model.FgaModel{ID: modelID, Dsl: params.Dsl}, nil
+}
diff --git a/internal/graphql/fga_write_tuples.go b/internal/graphql/fga_write_tuples.go
new file mode 100644
index 00000000..16345c95
--- /dev/null
+++ b/internal/graphql/fga_write_tuples.go
@@ -0,0 +1,49 @@
+package graphql
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/authorizerdev/authorizer/internal/audit"
+	"github.com/authorizerdev/authorizer/internal/constants"
+	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/metrics"
+	"github.com/authorizerdev/authorizer/internal/utils"
+)
+
+// FgaWriteTuples persists the given relationship tuples.
+// Permission: authorizer:admin. Audited.
+func (g *graphqlProvider) FgaWriteTuples(ctx context.Context, params *model.FgaWriteTuplesInput) (*model.Response, error) {
+	log := g.Log.With().Str("func", "FgaWriteTuples").Logger()
+	gc, err := utils.GinContextFromContext(ctx)
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to get GinContext")
+		return nil, err
+	}
+	if !g.TokenProvider.IsSuperAdmin(gc) {
+		log.Debug().Msg("Not logged in as super admin")
+		return nil, fmt.Errorf("unauthorized")
+	}
+	if g.AuthzEngine == nil {
+		return nil, errFgaNotEnabled
+	}
+	tuples, err := toEngineTuples(params)
+	if err != nil {
+		return nil, err
+	}
+	if err := g.AuthzEngine.WriteTuples(ctx, tuples); err != nil {
+		metrics.RecordFgaOperation(metrics.FgaOpWriteTuples, metrics.FgaResultError)
+		log.Debug().Err(err).Msg("Failed to write tuples")
+		return nil, err
+	}
+	metrics.RecordFgaOperation(metrics.FgaOpWriteTuples, metrics.FgaResultSuccess)
+	g.AuditProvider.LogEvent(audit.Event{
+		Action:       constants.AuditAdminFgaTuplesWrittenEvent,
+		ActorType:    constants.AuditActorTypeAdmin,
+		ResourceType: constants.AuditResourceTypeFgaTuple,
+		IPAddress:    utils.GetIP(gc.Request),
+		UserAgent:    utils.GetUserAgent(gc.Request),
+		Metadata:     fmt.Sprintf("count=%d", len(tuples)),
+	})
+	return &model.Response{Message: "Tuples written successfully"}, nil
+}
diff --git a/internal/graphql/list_permissions.go b/internal/graphql/list_permissions.go
new file mode 100644
index 00000000..17385138
--- /dev/null
+++ b/internal/graphql/list_permissions.go
@@ -0,0 +1,49 @@
+package graphql
+
+import (
+	"context"
+	"fmt"
+	"strings"
+	"time"
+
+	"github.com/authorizerdev/authorizer/internal/graph/model"
+	"github.com/authorizerdev/authorizer/internal/metrics"
+	"github.com/authorizerdev/authorizer/internal/refs"
+)
+
+// ListPermissions enumerates the fully-qualified object ids of object_type the
+// subject holds relation on — "which documents can I view?". Ideal for
+// filtering list pages down to what the subject may access.
+//
+// SUBJECT TRUST GATE: same rules as CheckPermissions (token subject by
+// default; explicit `user` for super-admins or self). The result set is
+// capped: listing is an expensive enumeration surface.
+// Permission: authorized user.
+func (g *graphqlProvider) ListPermissions(ctx context.Context, params *model.ListPermissionsInput) (*model.ListPermissionsResponse, error) {
+	log := g.Log.With().Str("func", "ListPermissions").Logger()
+	if g.AuthzEngine == nil {
+		return nil, errFgaNotEnabled
+	}
+	if params == nil || strings.TrimSpace(params.Relation) == "" || strings.TrimSpace(params.ObjectType) == "" {
+		return nil, fmt.Errorf("relation and object_type are required")
+	}
+	subject, err := g.resolveFgaSubject(ctx, refs.StringValue(params.User))
+	if err != nil {
+		log.Debug().Err(err).Msg("Failed to resolve subject")
+		return nil, err
+	}
+	start := time.Now()
+	objects, err := g.AuthzEngine.ListObjects(ctx, subject, params.Relation, params.ObjectType)
+	metrics.ObserveFgaCheckDuration(metrics.FgaOpListPermissions, time.Since(start).Seconds())
+	if err != nil {
+		metrics.RecordFgaOperation(metrics.FgaOpListPermissions, metrics.FgaResultError)
+		log.Debug().Err(err).Msg("ListPermissions failed; denying")
+		return nil, fmt.Errorf("authorization list failed")
+	}
+	metrics.RecordFgaOperation(metrics.FgaOpListPermissions, metrics.FgaResultSuccess)
+	// Cap the result set; ListObjects is an expensive enumeration surface.
+	if len(objects) > maxFgaListResults {
+		objects = objects[:maxFgaListResults]
+	}
+	return &model.ListPermissionsResponse{Objects: objects}, nil
+}
diff --git a/internal/graphql/provider.go b/internal/graphql/provider.go
index 8f55b484..afa20cc1 100644
--- a/internal/graphql/provider.go
+++ b/internal/graphql/provider.go
@@ -220,13 +220,11 @@ type Provider interface {
 	// FgaExpand returns the relationship/userset tree for a (relation, object).
 	// Permissions: authorizer:admin
 	FgaExpand(ctx context.Context, params *model.FgaExpandInput) (*model.FgaExpandResponse, error)
-	// FgaCheck checks a relation for the authenticated caller (principal pinned).
+	// CheckPermissions evaluates one or more permission checks for the subject
+	// (token-resolved by default; explicit user for super-admins or self).
 	// Permissions: authorized user
-	FgaCheck(ctx context.Context, params *model.FgaCheckInput) (*model.FgaCheckResponse, error)
-	// FgaBatchCheck checks multiple relations for the authenticated caller.
+	CheckPermissions(ctx context.Context, params *model.CheckPermissionsInput) (*model.CheckPermissionsResponse, error)
+	// ListPermissions enumerates the objects the subject holds a permission on.
 	// Permissions: authorized user
-	FgaBatchCheck(ctx context.Context, params *model.FgaBatchCheckInput) (*model.FgaBatchCheckResponse, error)
-	// FgaListObjects lists objects the authenticated caller relates to.
-	// Permissions: authorized user
-	FgaListObjects(ctx context.Context, params *model.FgaListObjectsInput) (*model.FgaListObjectsResponse, error)
+	ListPermissions(ctx context.Context, params *model.ListPermissionsInput) (*model.ListPermissionsResponse, error)
 }
diff --git a/internal/integration_tests/fga_test.go b/internal/integration_tests/fga_test.go
index 121e9811..da66e1fb 100644
--- a/internal/integration_tests/fga_test.go
+++ b/internal/integration_tests/fga_test.go
@@ -226,28 +226,24 @@ func TestFGA(t *testing.T) {
 	clearCookies(ts)
 	ts.GinContext.Request.Header.Set("Cookie", fmt.Sprintf("%s_session=%s", constants.AppCookieName, sessionToken))
 
-	// ---- Runtime: fga_check allow (principal pinned to the caller). ----
-	t.Run("fga_check allows owner on granted object", func(t *testing.T) {
-		res, err := ts.GraphQLProvider.FgaCheck(ctx, &model.FgaCheckInput{
-			Relation: "can_view", Object: "document:1",
-		})
+	// ---- Runtime: check_permissions allow (principal pinned to the caller). ----
+	t.Run("check_permissions allows owner on granted object", func(t *testing.T) {
+		res, err := ts.GraphQLProvider.CheckPermissions(ctx, &model.CheckPermissionsInput{Checks: []*model.PermissionCheckInput{{Relation: "can_view", Object: "document:1"}}})
 		require.NoError(t, err)
 		require.NotNil(t, res)
-		assert.True(t, res.Allowed)
+		assert.True(t, res.Results[0].Allowed)
 	})
 
-	// ---- Runtime: fga_check deny on a non-granted object. ----
-	t.Run("fga_check denies on ungranted object", func(t *testing.T) {
-		res, err := ts.GraphQLProvider.FgaCheck(ctx, &model.FgaCheckInput{
-			Relation: "can_view", Object: "document:2",
-		})
+	// ---- Runtime: check_permissions deny on a non-granted object. ----
+	t.Run("check_permissions denies on ungranted object", func(t *testing.T) {
+		res, err := ts.GraphQLProvider.CheckPermissions(ctx, &model.CheckPermissionsInput{Checks: []*model.PermissionCheckInput{{Relation: "can_view", Object: "document:2"}}})
 		require.NoError(t, err)
 		require.NotNil(t, res)
-		assert.False(t, res.Allowed)
+		assert.False(t, res.Results[0].Allowed)
 	})
 
 	// ---- Runtime: PRINCIPAL PINNING — client cannot ask about another user. ----
-	t.Run("fga_check pins principal to caller (no impersonation)", func(t *testing.T) {
+	t.Run("check_permissions pins principal to caller (no impersonation)", func(t *testing.T) {
 		// Grant a DIFFERENT user viewer on document:3.
 		setAdminCookie(t, ts)
 		_, err := ts.GraphQLProvider.FgaWriteTuples(ctx, &model.FgaWriteTuplesInput{
@@ -261,17 +257,15 @@ func TestFGA(t *testing.T) {
 
 		// The caller (who is NOT someone-else) must be denied on document:3.
 		// There is no client-supplied "user" field, so impersonation is impossible.
-		res, err := ts.GraphQLProvider.FgaCheck(ctx, &model.FgaCheckInput{
-			Relation: "can_view", Object: "document:3",
-		})
+		res, err := ts.GraphQLProvider.CheckPermissions(ctx, &model.CheckPermissionsInput{Checks: []*model.PermissionCheckInput{{Relation: "can_view", Object: "document:3"}}})
 		require.NoError(t, err)
 		require.NotNil(t, res)
-		assert.False(t, res.Allowed, "caller must not inherit another user's grant")
+		assert.False(t, res.Results[0].Allowed, "caller must not inherit another user's grant")
 	})
 
-	// ---- Runtime: fga_list_objects returns only the caller's objects. ----
-	t.Run("fga_list_objects returns granted objects for caller", func(t *testing.T) {
-		res, err := ts.GraphQLProvider.FgaListObjects(ctx, &model.FgaListObjectsInput{
+	// ---- Runtime: list_permissions returns only the caller's objects. ----
+	t.Run("list_permissions returns granted objects for caller", func(t *testing.T) {
+		res, err := ts.GraphQLProvider.ListPermissions(ctx, &model.ListPermissionsInput{
 			Relation: "can_view", ObjectType: "document",
 		})
 		require.NoError(t, err)
@@ -280,10 +274,10 @@ func TestFGA(t *testing.T) {
 		assert.NotContains(t, res.Objects, "document:3")
 	})
 
-	// ---- Runtime: fga_batch_check. ----
-	t.Run("fga_batch_check positional allow/deny", func(t *testing.T) {
-		res, err := ts.GraphQLProvider.FgaBatchCheck(ctx, &model.FgaBatchCheckInput{
-			Checks: []*model.FgaCheckPairInput{
+	// ---- Runtime: check_permissions (batch). ----
+	t.Run("check_permissions (batch) positional allow/deny", func(t *testing.T) {
+		res, err := ts.GraphQLProvider.CheckPermissions(ctx, &model.CheckPermissionsInput{
+			Checks: []*model.PermissionCheckInput{
 				{Relation: "can_view", Object: "document:1"},
 				{Relation: "can_view", Object: "document:2"},
 			},
@@ -338,47 +332,63 @@ func TestFGA(t *testing.T) {
 	})
 
 	// ---- Trust gate: explicit `user` override on the decision ops. ----
-	t.Run("fga_check super-admin may check another subject via explicit user", func(t *testing.T) {
+	t.Run("check_permissions super-admin may check another subject via explicit user", func(t *testing.T) {
 		setAdminCookie(t, ts)
 		otherUser := "user:someone-else" // granted viewer on document:3 above
-		res, err := ts.GraphQLProvider.FgaCheck(ctx, &model.FgaCheckInput{
-			Relation: "can_view", Object: "document:3", User: &otherUser,
+		res, err := ts.GraphQLProvider.CheckPermissions(ctx, &model.CheckPermissionsInput{
+			Checks: []*model.PermissionCheckInput{{Relation: "can_view", Object: "document:3"}},
+			User:   &otherUser,
 		})
 		require.NoError(t, err)
 		require.NotNil(t, res)
-		assert.True(t, res.Allowed, "super-admin override must evaluate the supplied subject")
+		assert.True(t, res.Results[0].Allowed, "super-admin override must evaluate the supplied subject")
 
 		// Same admin, but checking the caller's own (admin) subject on document:3 → deny.
 		adminSelf := "user:does-not-have-access"
-		res, err = ts.GraphQLProvider.FgaCheck(ctx, &model.FgaCheckInput{
-			Relation: "can_view", Object: "document:3", User: &adminSelf,
+		res, err = ts.GraphQLProvider.CheckPermissions(ctx, &model.CheckPermissionsInput{
+			Checks: []*model.PermissionCheckInput{{Relation: "can_view", Object: "document:3"}},
+			User:   &adminSelf,
 		})
 		require.NoError(t, err)
 		require.NotNil(t, res)
-		assert.False(t, res.Allowed)
+		assert.False(t, res.Results[0].Allowed)
 	})
 
-	t.Run("fga_check ordinary user supplying another subject is REJECTED", func(t *testing.T) {
+	t.Run("check_permissions ordinary user supplying another subject is REJECTED", func(t *testing.T) {
 		clearCookies(ts)
 		ts.GinContext.Request.Header.Set("Cookie", fmt.Sprintf("%s_session=%s", constants.AppCookieName, sessionToken))
 		otherUser := "user:someone-else"
-		res, err := ts.GraphQLProvider.FgaCheck(ctx, &model.FgaCheckInput{
-			Relation: "can_view", Object: "document:3", User: &otherUser,
+		res, err := ts.GraphQLProvider.CheckPermissions(ctx, &model.CheckPermissionsInput{
+			Checks: []*model.PermissionCheckInput{{Relation: "can_view", Object: "document:3"}},
+			User:   &otherUser,
 		})
 		assert.Error(t, err, "end user must not query another subject")
 		assert.Nil(t, res)
 		assert.Contains(t, err.Error(), "not authorized to query authorization for another subject")
 	})
 
-	t.Run("fga_check ordinary user with no user still self-checks", func(t *testing.T) {
+	t.Run("check_permissions ordinary user may pass their OWN subject explicitly", func(t *testing.T) {
 		clearCookies(ts)
 		ts.GinContext.Request.Header.Set("Cookie", fmt.Sprintf("%s_session=%s", constants.AppCookieName, sessionToken))
-		res, err := ts.GraphQLProvider.FgaCheck(ctx, &model.FgaCheckInput{
-			Relation: "can_view", Object: "document:1",
+		// Self-specification equals the token subject, so it is honored even for
+		// non-admin callers — explicit and strict.
+		self := "user:" + userID
+		res, err := ts.GraphQLProvider.CheckPermissions(ctx, &model.CheckPermissionsInput{
+			Checks: []*model.PermissionCheckInput{{Relation: "can_view", Object: "document:1"}},
+			User:   &self,
 		})
+		require.NoError(t, err, "self-specification must be allowed")
+		require.NotNil(t, res)
+		assert.True(t, res.Results[0].Allowed)
+	})
+
+	t.Run("check_permissions ordinary user with no user still self-checks", func(t *testing.T) {
+		clearCookies(ts)
+		ts.GinContext.Request.Header.Set("Cookie", fmt.Sprintf("%s_session=%s", constants.AppCookieName, sessionToken))
+		res, err := ts.GraphQLProvider.CheckPermissions(ctx, &model.CheckPermissionsInput{Checks: []*model.PermissionCheckInput{{Relation: "can_view", Object: "document:1"}}})
 		require.NoError(t, err)
 		require.NotNil(t, res)
-		assert.True(t, res.Allowed, "self-check on a granted object must still succeed")
+		assert.True(t, res.Results[0].Allowed, "self-check on a granted object must still succeed")
 	})
 
 	// ---- Phase 4: validate_session honors required_relations. ----
@@ -447,28 +457,29 @@ func TestFGA(t *testing.T) {
 		assert.Contains(t, res.Dsl, "document")
 	})
 
-	// ---- Trust gate is enforced per decision op, not only on fga_check. ----
-	t.Run("fga_list_objects rejects ordinary user supplying another subject", func(t *testing.T) {
+	// ---- Trust gate is enforced per decision op, not only on check_permissions. ----
+	t.Run("list_permissions rejects ordinary user supplying another subject", func(t *testing.T) {
 		clearCookies(ts)
 		ts.GinContext.Request.Header.Set("Cookie", fmt.Sprintf("%s_session=%s", constants.AppCookieName, sessionToken))
 		other := "user:someone-else"
-		res, err := ts.GraphQLProvider.FgaListObjects(ctx, &model.FgaListObjectsInput{
+		res, err := ts.GraphQLProvider.ListPermissions(ctx, &model.ListPermissionsInput{
 			Relation: "can_view", ObjectType: "document", User: &other,
 		})
 		assert.Error(t, err, "end user must not list another subject's objects")
 		assert.Nil(t, res)
 	})
 
-	t.Run("fga_batch_check rejects ordinary user supplying another subject", func(t *testing.T) {
+	t.Run("check_permissions (batch) rejects ordinary user supplying another subject", func(t *testing.T) {
 		clearCookies(ts)
 		ts.GinContext.Request.Header.Set("Cookie", fmt.Sprintf("%s_session=%s", constants.AppCookieName, sessionToken))
 		other := "user:someone-else"
-		res, err := ts.GraphQLProvider.FgaBatchCheck(ctx, &model.FgaBatchCheckInput{
-			Checks: []*model.FgaCheckPairInput{
-				{Relation: "can_view", Object: "document:3", User: &other},
+		res, err := ts.GraphQLProvider.CheckPermissions(ctx, &model.CheckPermissionsInput{
+			Checks: []*model.PermissionCheckInput{
+				{Relation: "can_view", Object: "document:3"},
 			},
+			User: &other,
 		})
-		assert.Error(t, err, "end user must not batch-check another subject")
+		assert.Error(t, err, "end user must not check another subject")
 		assert.Nil(t, res)
 	})
 
@@ -534,20 +545,20 @@ func TestFGA(t *testing.T) {
 		clearCookies(ts)
 		ts.GinContext.Request.Header.Set("Cookie", fmt.Sprintf("%s_session=%s", constants.AppCookieName, freshSession))
 
-		allowBefore := testutil.ToFloat64(metrics.FgaChecksTotal.WithLabelValues(metrics.FgaOpCheck, metrics.FgaResultAllowed))
-		denyBefore := testutil.ToFloat64(metrics.FgaChecksTotal.WithLabelValues(metrics.FgaOpCheck, metrics.FgaResultDenied))
+		allowBefore := testutil.ToFloat64(metrics.FgaChecksTotal.WithLabelValues(metrics.FgaOpCheckPermissions, metrics.FgaResultAllowed))
+		denyBefore := testutil.ToFloat64(metrics.FgaChecksTotal.WithLabelValues(metrics.FgaOpCheckPermissions, metrics.FgaResultDenied))
 
 		// document:1 is granted to the caller (allowed); document:2 is not (denied).
-		_, err = ts.GraphQLProvider.FgaCheck(ctx, &model.FgaCheckInput{Relation: "can_view", Object: "document:1"})
+		_, err = ts.GraphQLProvider.CheckPermissions(ctx, &model.CheckPermissionsInput{Checks: []*model.PermissionCheckInput{{Relation: "can_view", Object: "document:1"}}})
 		require.NoError(t, err)
-		_, err = ts.GraphQLProvider.FgaCheck(ctx, &model.FgaCheckInput{Relation: "can_view", Object: "document:2"})
+		_, err = ts.GraphQLProvider.CheckPermissions(ctx, &model.CheckPermissionsInput{Checks: []*model.PermissionCheckInput{{Relation: "can_view", Object: "document:2"}}})
 		require.NoError(t, err)
 
 		assert.Equal(t, allowBefore+1,
-			testutil.ToFloat64(metrics.FgaChecksTotal.WithLabelValues(metrics.FgaOpCheck, metrics.FgaResultAllowed)),
+			testutil.ToFloat64(metrics.FgaChecksTotal.WithLabelValues(metrics.FgaOpCheckPermissions, metrics.FgaResultAllowed)),
 			"an allowed check must increment the allowed counter")
 		assert.Equal(t, denyBefore+1,
-			testutil.ToFloat64(metrics.FgaChecksTotal.WithLabelValues(metrics.FgaOpCheck, metrics.FgaResultDenied)),
+			testutil.ToFloat64(metrics.FgaChecksTotal.WithLabelValues(metrics.FgaOpCheckPermissions, metrics.FgaResultDenied)),
 			"a denied check must increment the denied counter")
 		// The duration histogram has at least the 'check' series populated.
 		assert.GreaterOrEqual(t, testutil.CollectAndCount(metrics.FgaCheckDuration), 1,
@@ -573,10 +584,8 @@ func TestFGADisabled(t *testing.T) {
 	ts := initTestSetup(t, cfg) // no AuthzEngine wired
 	_, ctx := createContext(ts)
 
-	t.Run("fga_check errors when engine not enabled", func(t *testing.T) {
-		res, err := ts.GraphQLProvider.FgaCheck(ctx, &model.FgaCheckInput{
-			Relation: "can_view", Object: "document:1",
-		})
+	t.Run("check_permissions errors when engine not enabled", func(t *testing.T) {
+		res, err := ts.GraphQLProvider.CheckPermissions(ctx, &model.CheckPermissionsInput{Checks: []*model.PermissionCheckInput{{Relation: "can_view", Object: "document:1"}}})
 		assert.Error(t, err)
 		assert.Nil(t, res)
 		assert.Contains(t, err.Error(), "fine-grained authorization is not enabled")
diff --git a/internal/metrics/metrics.go b/internal/metrics/metrics.go
index 4359fb20..a9e569ff 100644
--- a/internal/metrics/metrics.go
+++ b/internal/metrics/metrics.go
@@ -131,24 +131,24 @@ var (
 	)
 
 	// FgaChecksTotal is the headline fine-grained-authorization access-decision
-	// counter: every fga_check / fga_batch_check decision by outcome. Use it for
-	// FGA adoption tracking and denial/error alerting.
-	// operation: check | batch_check. result: allowed | denied | error.
+	// counter: every check_permissions decision by outcome. Use it for FGA
+	// adoption tracking and denial/error alerting.
+	// operation: check_permissions. result: allowed | denied | error.
 	FgaChecksTotal = prometheus.NewCounterVec(
 		prometheus.CounterOpts{
 			Name: "authorizer_fga_checks_total",
-			Help: "Total fine-grained authorization access decisions. operation=check|batch_check, result=allowed|denied|error",
+			Help: "Total fine-grained authorization access decisions. operation=check_permissions, result=allowed|denied|error",
 		},
 		[]string{"operation", "result"},
 	)
 
 	// FgaCheckDuration tracks the latency of the client-facing FGA read
 	// operations (the OpenFGA engine call), in seconds.
-	// operation: check | batch_check | list_objects.
+	// operation: check_permissions | list_permissions.
 	FgaCheckDuration = prometheus.NewHistogramVec(
 		prometheus.HistogramOpts{
 			Name:    "authorizer_fga_check_duration_seconds",
-			Help:    "Fine-grained authorization engine call duration in seconds. operation=check|batch_check|list_objects",
+			Help:    "Fine-grained authorization engine call duration in seconds. operation=check_permissions|list_permissions",
 			Buckets: prometheus.DefBuckets,
 		},
 		[]string{"operation"},
@@ -157,7 +157,7 @@ var (
 	// FgaOperationsTotal counts non-decision FGA operations (model/tuple
 	// management, enumeration, reset) by outcome — useful for auditing admin
 	// authorization changes and alerting on failures.
-	// operation: get_model|write_model|read_tuples|write_tuples|delete_tuples|list_users|expand|list_objects|reset.
+	// operation: get_model|write_model|read_tuples|write_tuples|delete_tuples|list_users|expand|list_permissions|reset.
 	// result: success | error.
 	FgaOperationsTotal = prometheus.NewCounterVec(
 		prometheus.CounterOpts{
@@ -304,17 +304,16 @@ func RecordClientIDHeaderMissing() {
 // FGA operation labels (low-cardinality, package constants). Never pass
 // user-controlled strings as label values.
 const (
-	FgaOpCheck        = "check"
-	FgaOpBatchCheck   = "batch_check"
-	FgaOpListObjects  = "list_objects"
-	FgaOpGetModel     = "get_model"
-	FgaOpWriteModel   = "write_model"
-	FgaOpReadTuples   = "read_tuples"
-	FgaOpWriteTuples  = "write_tuples"
-	FgaOpDeleteTuples = "delete_tuples"
-	FgaOpListUsers    = "list_users"
-	FgaOpExpand       = "expand"
-	FgaOpReset        = "reset"
+	FgaOpCheckPermissions = "check_permissions"
+	FgaOpListPermissions  = "list_permissions"
+	FgaOpGetModel         = "get_model"
+	FgaOpWriteModel       = "write_model"
+	FgaOpReadTuples       = "read_tuples"
+	FgaOpWriteTuples      = "write_tuples"
+	FgaOpDeleteTuples     = "delete_tuples"
+	FgaOpListUsers        = "list_users"
+	FgaOpExpand           = "expand"
+	FgaOpReset            = "reset"
 )
 
 // FGA result labels.
@@ -326,7 +325,7 @@ const (
 )
 
 // RecordFgaCheck records a single FGA access decision.
-// operation must be FgaOpCheck or FgaOpBatchCheck; result must be one of
+// operation must be FgaOpCheckPermissions; result must be one of
 // FgaResultAllowed / FgaResultDenied / FgaResultError.
 func RecordFgaCheck(operation, result string) {
 	FgaChecksTotal.WithLabelValues(operation, result).Inc()
diff --git a/internal/metrics/metrics_test.go b/internal/metrics/metrics_test.go
index f287b13f..926e6b2e 100644
--- a/internal/metrics/metrics_test.go
+++ b/internal/metrics/metrics_test.go
@@ -67,20 +67,20 @@ func TestSkipHTTPRequestMetrics_chunkSegment(t *testing.T) {
 
 func TestRecordFgaCheck(t *testing.T) {
 	// RecordFgaCheckResult maps the boolean decision to the right label.
-	allowBefore := testutil.ToFloat64(FgaChecksTotal.WithLabelValues(FgaOpCheck, FgaResultAllowed))
-	RecordFgaCheckResult(FgaOpCheck, true)
+	allowBefore := testutil.ToFloat64(FgaChecksTotal.WithLabelValues(FgaOpCheckPermissions, FgaResultAllowed))
+	RecordFgaCheckResult(FgaOpCheckPermissions, true)
 	assert.Equal(t, allowBefore+1,
-		testutil.ToFloat64(FgaChecksTotal.WithLabelValues(FgaOpCheck, FgaResultAllowed)))
+		testutil.ToFloat64(FgaChecksTotal.WithLabelValues(FgaOpCheckPermissions, FgaResultAllowed)))
 
-	denyBefore := testutil.ToFloat64(FgaChecksTotal.WithLabelValues(FgaOpBatchCheck, FgaResultDenied))
-	RecordFgaCheckResult(FgaOpBatchCheck, false)
+	denyBefore := testutil.ToFloat64(FgaChecksTotal.WithLabelValues(FgaOpCheckPermissions, FgaResultDenied))
+	RecordFgaCheckResult(FgaOpCheckPermissions, false)
 	assert.Equal(t, denyBefore+1,
-		testutil.ToFloat64(FgaChecksTotal.WithLabelValues(FgaOpBatchCheck, FgaResultDenied)))
+		testutil.ToFloat64(FgaChecksTotal.WithLabelValues(FgaOpCheckPermissions, FgaResultDenied)))
 
-	errBefore := testutil.ToFloat64(FgaChecksTotal.WithLabelValues(FgaOpCheck, FgaResultError))
-	RecordFgaCheck(FgaOpCheck, FgaResultError)
+	errBefore := testutil.ToFloat64(FgaChecksTotal.WithLabelValues(FgaOpCheckPermissions, FgaResultError))
+	RecordFgaCheck(FgaOpCheckPermissions, FgaResultError)
 	assert.Equal(t, errBefore+1,
-		testutil.ToFloat64(FgaChecksTotal.WithLabelValues(FgaOpCheck, FgaResultError)))
+		testutil.ToFloat64(FgaChecksTotal.WithLabelValues(FgaOpCheckPermissions, FgaResultError)))
 }
 
 func TestRecordFgaOperation(t *testing.T) {
@@ -96,8 +96,8 @@ func TestRecordFgaOperation(t *testing.T) {
 }
 
 func TestObserveFgaCheckDuration(t *testing.T) {
-	ObserveFgaCheckDuration(FgaOpListObjects, 0.01)
-	ObserveFgaCheckDuration(FgaOpCheck, 0.02)
+	ObserveFgaCheckDuration(FgaOpListPermissions, 0.01)
+	ObserveFgaCheckDuration(FgaOpCheckPermissions, 0.02)
 	// At least the two observed series are present in the histogram vec.
 	assert.GreaterOrEqual(t, testutil.CollectAndCount(FgaCheckDuration), 1)
 }
diff --git a/web/dashboard/src/components/Sidebar.tsx b/web/dashboard/src/components/Sidebar.tsx
index dd5cacd6..7ef31b3b 100644
--- a/web/dashboard/src/components/Sidebar.tsx
+++ b/web/dashboard/src/components/Sidebar.tsx
@@ -62,11 +62,6 @@ const navGroups: NavGroupConfig[] = [
 				icon: Network,
 				route: '/authorization/tuples',
 			},
-			{
-				name: 'Access Tester',
-				icon: SearchCheck,
-				route: '/authorization/tester',
-			},
 		],
 	},
 ];
diff --git a/web/dashboard/src/components/UserPermissionsModal.tsx b/web/dashboard/src/components/UserPermissionsModal.tsx
new file mode 100644
index 00000000..6ccca088
--- /dev/null
+++ b/web/dashboard/src/components/UserPermissionsModal.tsx
@@ -0,0 +1,163 @@
+import React, { useState } from 'react';
+import { useClient } from 'urql';
+import { Search, ShieldCheck } from 'lucide-react';
+import { Button } from './ui/button';
+import { Input } from './ui/input';
+import { Label } from './ui/label';
+import {
+	Dialog,
+	DialogContent,
+	DialogHeader,
+	DialogTitle,
+	DialogDescription,
+} from './ui/dialog';
+import { ListPermissionsQuery } from '../graphql/queries';
+import { isFgaNotEnabledError } from '../lib/utils';
+import type { ListPermissionsResponse, User } from '../types';
+
+interface UserPermissionsModalProps {
+	user: User | null;
+	open: boolean;
+	onClose: () => void;
+}
+
+// UserPermissionsModal lets an admin answer "which objects does this user hold
+// a permission on?" straight from the Users table. It calls the public
+// list_permissions API with an explicit subject — honored because the
+// dashboard session is super-admin.
+const UserPermissionsModal = ({
+	user,
+	open,
+	onClose,
+}: UserPermissionsModalProps) => {
+	const client = useClient();
+	const [relation, setRelation] = useState('');
+	const [objectType, setObjectType] = useState('');
+	const [objects, setObjects] = useState<string[] | null>(null);
+	const [error, setError] = useState('');
+	const [running, setRunning] = useState(false);
+
+	if (!user) return null;
+
+	const handleList = async (e: React.FormEvent) => {
+		e.preventDefault();
+		if (!relation.trim() || !objectType.trim()) {
+			setError('relation and object type are both required');
+			return;
+		}
+		setRunning(true);
+		setError('');
+		setObjects(null);
+		try {
+			const res = await client
+				.query<ListPermissionsResponse>(
+					ListPermissionsQuery,
+					{
+						params: {
+							relation: relation.trim(),
+							object_type: objectType.trim(),
+							user: `user:${user.id}`,
+						},
+					},
+					{ requestPolicy: 'network-only' },
+				)
+				.toPromise();
+			if (res.error) {
+				setError(
+					isFgaNotEnabledError(res.error)
+						? 'Fine-grained authorization is not enabled on this instance.'
+						: res.error.message.replace('[GraphQL] ', ''),
+				);
+				return;
+			}
+			setObjects(res.data?.list_permissions?.objects ?? []);
+		} catch {
+			setError('Failed to list permissions');
+		} finally {
+			setRunning(false);
+		}
+	};
+
+	const close = () => {
+		setObjects(null);
+		setError('');
+		onClose();
+	};
+
+	return (
+		<Dialog open={open} onOpenChange={(o) => !o && close()}>
+			<DialogContent className="max-w-lg">
+				<DialogHeader>
+					<DialogTitle className="flex items-center gap-2">
+						<ShieldCheck className="h-5 w-5 text-blue-600" aria-hidden="true" />
+						Permissions · {user.email || user.phone_number || user.id}
+					</DialogTitle>
+					<DialogDescription>
+						List the objects{' '}
+						<code className="rounded bg-gray-100 px-1 py-0.5 text-xs">
+							user:{user.id}
+						</code>{' '}
+						holds a permission on. Pick the permission (relation) and object
+						type from your authorization model.
+					</DialogDescription>
+				</DialogHeader>
+				<form onSubmit={handleList} className="space-y-3">
+					<div className="grid grid-cols-1 gap-3 md:grid-cols-2">
+						<div className="space-y-1">
+							<Label htmlFor="perm-relation">Permission (relation)</Label>
+							<Input
+								id="perm-relation"
+								placeholder="can_view"
+								value={relation}
+								onChange={(e) => setRelation(e.target.value)}
+								spellCheck={false}
+							/>
+						</div>
+						<div className="space-y-1">
+							<Label htmlFor="perm-object-type">Object type</Label>
+							<Input
+								id="perm-object-type"
+								placeholder="document"
+								value={objectType}
+								onChange={(e) => setObjectType(e.target.value)}
+								spellCheck={false}
+							/>
+						</div>
+					</div>
+					<Button type="submit" disabled={running}>
+						<Search className="mr-2 h-4 w-4" aria-hidden="true" />
+						{running ? 'Listing…' : 'List permissions'}
+					</Button>
+				</form>
+				{error && (
+					<p className="rounded-md border border-red-200 bg-red-50 p-3 text-sm text-red-700">
+						{error}
+					</p>
+				)}
+				{objects !== null &&
+					(objects.length ? (
+						<div className="max-h-64 overflow-y-auto rounded-lg border border-gray-200">
+							<ul className="divide-y divide-gray-100">
+								{objects.map((o) => (
+									<li
+										key={o}
+										className="px-3 py-2 font-mono text-xs text-gray-800"
+									>
+										{o}
+									</li>
+								))}
+							</ul>
+						</div>
+					) : (
+						<p className="rounded-lg border border-dashed border-gray-200 p-3 text-sm text-gray-500">
+							No <code className="font-mono text-xs">{objectType}</code> objects
+							with <code className="font-mono text-xs">{relation}</code> for
+							this user.
+						</p>
+					))}
+			</DialogContent>
+		</Dialog>
+	);
+};
+
+export default UserPermissionsModal;
diff --git a/web/dashboard/src/graphql/queries/index.ts b/web/dashboard/src/graphql/queries/index.ts
index 864a3d9a..99d7ac93 100644
--- a/web/dashboard/src/graphql/queries/index.ts
+++ b/web/dashboard/src/graphql/queries/index.ts
@@ -157,10 +157,12 @@ export const FgaReadTuplesQuery = `
   }
 `;
 
-export const FgaCheckQuery = `
-  query fgaCheck($params: FgaCheckInput!) {
-    fga_check(params: $params) {
-      allowed
+// ListPermissionsQuery enumerates the objects a subject holds a permission on.
+// The optional user param is honored for the super-admin dashboard session.
+export const ListPermissionsQuery = `
+  query listPermissions($params: ListPermissionsInput!) {
+    list_permissions(params: $params) {
+      objects
     }
   }
 `;
diff --git a/web/dashboard/src/pages/Users.tsx b/web/dashboard/src/pages/Users.tsx
index c85bf0a3..8f5ef91c 100644
--- a/web/dashboard/src/pages/Users.tsx
+++ b/web/dashboard/src/pages/Users.tsx
@@ -18,6 +18,7 @@ import EditUserModal from '../components/EditUserModal';
 import DeleteUserModal from '../components/DeleteUserModal';
 import InviteMembersModal from '../components/InviteMembersModal';
 import ViewUserModal from '../components/ViewUserModal';
+import UserPermissionsModal from '../components/UserPermissionsModal';
 import { Button } from '../components/ui/button';
 import { Badge } from '../components/ui/badge';
 import { Input } from '../components/ui/input';
@@ -83,6 +84,10 @@ export default function Users() {
 	const [loading, setLoading] = React.useState<boolean>(false);
 	const [searchQuery, setSearchQuery] = React.useState('');
 	const [selectedUser, setSelectedUser] = React.useState<User | null>(null);
+	// User whose FGA permissions are being inspected (Users table → dropdown).
+	const [permissionsUser, setPermissionsUser] = React.useState<User | null>(
+		null,
+	);
 
 	const updateUserList = async () => {
 		setLoading(true);
@@ -285,7 +290,11 @@ export default function Users() {
 									...rest
 								} = user;
 								return (
-									<TableRow key={user.id} className="cursor-pointer hover:bg-gray-50" onClick={() => setSelectedUser(user)}>
+									<TableRow
+										key={user.id}
+										className="cursor-pointer hover:bg-gray-50"
+										onClick={() => setSelectedUser(user)}
+									>
 										<TableCell className="max-w-[300px] truncate text-sm">
 											{user.email || user.phone_number}
 										</TableCell>
@@ -396,6 +405,11 @@ export default function Users() {
 															Revoke Access
 														</DropdownMenuItem>
 													)}
+													<DropdownMenuItem
+														onClick={() => setPermissionsUser(user)}
+													>
+														View Permissions
+													</DropdownMenuItem>
 													{user.is_multi_factor_auth_enabled ? (
 														<DropdownMenuItem
 															onClick={() => multiFactorAuthUpdateHandler(user)}
@@ -517,6 +531,11 @@ export default function Users() {
 					<p className="text-2xl font-bold">No Data</p>
 				</div>
 			)}
+			<UserPermissionsModal
+				user={permissionsUser}
+				open={!!permissionsUser}
+				onClose={() => setPermissionsUser(null)}
+			/>
 			<ViewUserModal
 				user={selectedUser}
 				open={!!selectedUser}
diff --git a/web/dashboard/src/pages/authorization/AuthSteps.tsx b/web/dashboard/src/pages/authorization/AuthSteps.tsx
index 6d43016c..dcf63ee1 100644
--- a/web/dashboard/src/pages/authorization/AuthSteps.tsx
+++ b/web/dashboard/src/pages/authorization/AuthSteps.tsx
@@ -5,16 +5,25 @@ import { Check, ArrowRight, Lightbulb } from 'lucide-react';
 import { FgaGetModelQuery, FgaReadTuplesQuery } from '../../graphql/queries';
 import type { FgaGetModelResponse, FgaReadTuplesResponse } from '../../types';
 
-// The three FGA pages are a sequential workflow: define the model, grant access,
-// then verify. AuthSteps renders that as a clickable stepper shown on each page,
-// so the flow is always visible but any step is reachable directly.
+// The FGA pages are a sequential workflow: define the model, then grant
+// access. AuthSteps renders that as a clickable stepper shown on each page.
+// (Per-user verification lives in the Users table → "View permissions".)
 export const STEPS = [
-	{ n: 1, label: 'Define model', desc: 'Set the rules', route: '/authorization/model' },
-	{ n: 2, label: 'Grant access', desc: 'Who can do what', route: '/authorization/tuples' },
-	{ n: 3, label: 'Test access', desc: 'Verify it works', route: '/authorization/tester' },
+	{
+		n: 1,
+		label: 'Define model',
+		desc: 'Set the rules',
+		route: '/authorization/model',
+	},
+	{
+		n: 2,
+		label: 'Grant access',
+		desc: 'Who can do what',
+		route: '/authorization/tuples',
+	},
 ] as const;
 
-const AuthSteps = ({ current }: { current: 1 | 2 | 3 }) => {
+const AuthSteps = ({ current }: { current: 1 | 2 }) => {
 	const navigate = useNavigate();
 	const client = useClient();
 	// A step shows a check only when it's actually complete: step 1 when a model
@@ -25,7 +34,11 @@ const AuthSteps = ({ current }: { current: 1 | 2 | 3 }) => {
 	useEffect(() => {
 		let active = true;
 		client
-			.query<FgaGetModelResponse>(FgaGetModelQuery, {}, { requestPolicy: 'network-only' })
+			.query<FgaGetModelResponse>(
+				FgaGetModelQuery,
+				{},
+				{ requestPolicy: 'network-only' },
+			)
 			.toPromise()
 			.then((r) => active && setModelDone(!!r.data?._fga_get_model?.dsl))
 			.catch(() => {});
@@ -36,20 +49,26 @@ const AuthSteps = ({ current }: { current: 1 | 2 | 3 }) => {
 				{ requestPolicy: 'network-only' },
 			)
 			.toPromise()
-			.then((r) => active && setTuplesDone((r.data?._fga_read_tuples?.tuples?.length ?? 0) > 0))
+			.then(
+				(r) =>
+					active &&
+					setTuplesDone((r.data?._fga_read_tuples?.tuples?.length ?? 0) > 0),
+			)
 			.catch(() => {});
 		return () => {
 			active = false;
 		};
 	}, [client]);
 
-	const isDone = (n: number) => (n === 1 ? modelDone : n === 2 ? tuplesDone : false);
+	const isDone = (n: number) =>
+		n === 1 ? modelDone : n === 2 ? tuplesDone : false;
 
 	return (
 		<nav aria-label="Fine-grained authorization setup" className="mb-5">
 			<ol className="flex flex-col gap-2 sm:flex-row sm:items-stretch">
 				{STEPS.map((s) => {
-					const state = s.n === current ? 'current' : isDone(s.n) ? 'done' : 'upcoming';
+					const state =
+						s.n === current ? 'current' : isDone(s.n) ? 'done' : 'upcoming';
 					return (
 						<li key={s.n} className="flex-1">
 							<button
@@ -71,7 +90,11 @@ const AuthSteps = ({ current }: { current: 1 | 2 | 3 }) => {
 												: 'bg-gray-100 text-gray-500'
 									}`}
 								>
-									{state === 'done' ? <Check className="h-4 w-4" aria-hidden="true" /> : s.n}
+									{state === 'done' ? (
+										<Check className="h-4 w-4" aria-hidden="true" />
+									) : (
+										s.n
+									)}
 								</span>
 								<span className="min-w-0">
 									<span
@@ -81,7 +104,9 @@ const AuthSteps = ({ current }: { current: 1 | 2 | 3 }) => {
 									>
 										{s.label}
 									</span>
-									<span className="block truncate text-xs text-gray-400">{s.desc}</span>
+									<span className="block truncate text-xs text-gray-400">
+										{s.desc}
+									</span>
 								</span>
 							</button>
 						</li>
@@ -96,7 +121,10 @@ const AuthSteps = ({ current }: { current: 1 | 2 | 3 }) => {
 // real entry looks like.
 export const Example = ({ children }: { children: React.ReactNode }) => (
 	<div className="flex items-start gap-2.5 rounded-lg border border-blue-100 bg-blue-50/60 px-3.5 py-2.5 text-sm text-gray-600">
-		<Lightbulb className="mt-0.5 h-4 w-4 shrink-0 text-blue-500" aria-hidden="true" />
+		<Lightbulb
+			className="mt-0.5 h-4 w-4 shrink-0 text-blue-500"
+			aria-hidden="true"
+		/>
 		<div className="leading-relaxed">{children}</div>
 	</div>
 );
diff --git a/web/dashboard/src/pages/authorization/Tester.tsx b/web/dashboard/src/pages/authorization/Tester.tsx
deleted file mode 100644
index d695f9c1..00000000
--- a/web/dashboard/src/pages/authorization/Tester.tsx
+++ /dev/null
@@ -1,293 +0,0 @@
-import React, { useState } from 'react';
-import { useClient } from 'urql';
-import { toast } from 'sonner';
-import { Plus, Trash2, ShieldCheck, ShieldX, Play } from 'lucide-react';
-import { FgaCheckQuery } from '../../graphql/queries';
-import { Button } from '../../components/ui/button';
-import { Input } from '../../components/ui/input';
-import { Label } from '../../components/ui/label';
-import { Badge } from '../../components/ui/badge';
-import FgaNotEnabled from '../../components/FgaNotEnabled';
-import AuthSteps, { Example } from './AuthSteps';
-import { isFgaNotEnabledError } from '../../lib/utils';
-import type { FgaTuple, FgaCheckResponse } from '../../types';
-
-const emptyTuple: FgaTuple = { user: '', relation: '', object: '' };
-
-const Tester = () => {
-	const client = useClient();
-	const [fgaDisabled, setFgaDisabled] = useState<boolean>(false);
-	// The subject to check. As a super-admin (the dashboard caller) you may check
-	// any subject; leaving it blank checks your own token, which only resolves
-	// when you signed in with a user account (not the admin secret).
-	const [user, setUser] = useState<string>('');
-	const [relation, setRelation] = useState<string>('');
-	const [object, setObject] = useState<string>('');
-	const [contextualTuples, setContextualTuples] = useState<FgaTuple[]>([]);
-	const [running, setRunning] = useState<boolean>(false);
-	const [result, setResult] = useState<boolean | null>(null);
-	// The subject the last result is for, captured at submit time for the message.
-	const [checkedUser, setCheckedUser] = useState<string>('');
-
-	const addContextualTuple = () => {
-		setContextualTuples((prev) => [...prev, { ...emptyTuple }]);
-	};
-
-	const updateContextualTuple = (
-		index: number,
-		field: keyof FgaTuple,
-		value: string,
-	) => {
-		setContextualTuples((prev) =>
-			prev.map((t, i) => (i === index ? { ...t, [field]: value } : t)),
-		);
-	};
-
-	const removeContextualTuple = (index: number) => {
-		setContextualTuples((prev) => prev.filter((_, i) => i !== index));
-	};
-
-	const handleCheck = async (e: React.FormEvent) => {
-		e.preventDefault();
-		if (!relation.trim() || !object.trim()) {
-			toast.error('relation and object are required');
-			return;
-		}
-		setRunning(true);
-		setResult(null);
-		try {
-			const validContextual = contextualTuples
-				.filter((t) => t.user.trim() && t.relation.trim() && t.object.trim())
-				.map((t) => ({
-					user: t.user.trim(),
-					relation: t.relation.trim(),
-					object: t.object.trim(),
-				}));
-
-			const params: {
-				relation: string;
-				object: string;
-				user?: string;
-				contextual_tuples?: FgaTuple[];
-			} = {
-				relation: relation.trim(),
-				object: object.trim(),
-			};
-			if (user.trim()) {
-				params.user = user.trim();
-			}
-			if (validContextual.length) {
-				params.contextual_tuples = validContextual;
-			}
-			setCheckedUser(user.trim());
-
-			const res = await client
-				.query<FgaCheckResponse>(
-					FgaCheckQuery,
-					{ params },
-					{ requestPolicy: 'network-only' },
-				)
-				.toPromise();
-
-			if (res.error) {
-				if (isFgaNotEnabledError(res.error)) {
-					setFgaDisabled(true);
-				} else {
-					toast.error(res.error.message.replace('[GraphQL] ', ''));
-				}
-				return;
-			}
-
-			if (res.data?.fga_check) {
-				setResult(res.data.fga_check.allowed);
-			}
-		} catch {
-			toast.error('Failed to run access check');
-		} finally {
-			setRunning(false);
-		}
-	};
-
-	if (fgaDisabled) {
-		return (
-			<div className="m-5 rounded-md bg-white py-5 px-10">
-				<AuthSteps current={3} />
-				<div className="my-4">
-					<h1 className="text-2xl font-semibold text-gray-900">
-						Step 3 · Test access
-					</h1>
-				</div>
-				<FgaNotEnabled />
-			</div>
-		);
-	}
-
-	return (
-		<div className="m-5 rounded-md bg-white py-5 px-10">
-			<AuthSteps current={3} />
-			<div className="my-4">
-				<h1 className="text-2xl font-semibold text-gray-900">
-					Step 3 · Test access
-				</h1>
-				<p className="mt-1 max-w-2xl text-sm text-gray-500">
-					Ask the engine &ldquo;can <strong>this user</strong> do{' '}
-					<strong>this relation</strong> on <strong>this object</strong>
-					?&rdquo;. As a super-admin you can check <strong>any subject</strong>.
-					Leave <strong>User</strong> blank to check yourself &mdash; that only
-					resolves when you signed in with a user account, not the admin secret.
-				</p>
-			</div>
-
-			<div className="mb-5">
-				<Example>
-					<strong>Example:</strong> ask &ldquo;can{' '}
-					<code className="rounded bg-white px-1 py-0.5 text-xs">
-						user:&lt;id&gt;
-					</code>{' '}
-					<code className="rounded bg-white px-1 py-0.5 text-xs">can_view</code>{' '}
-					<code className="rounded bg-white px-1 py-0.5 text-xs">
-						document:1
-					</code>
-					?&rdquo; &mdash; if you granted that user the{' '}
-					<code className="rounded bg-white px-1 py-0.5 text-xs">viewer</code>{' '}
-					relation in step 2, the result is <strong>Allowed</strong>.
-				</Example>
-			</div>
-
-			<form onSubmit={handleCheck} className="max-w-2xl space-y-5">
-				<div className="space-y-1">
-					<Label htmlFor="check-user">User (subject)</Label>
-					<Input
-						id="check-user"
-						placeholder="user:<id> — blank checks yourself"
-						value={user}
-						onChange={(e) => setUser(e.target.value)}
-						spellCheck={false}
-					/>
-					<p className="text-xs text-gray-400">
-						The subject&rsquo;s <strong>user id</strong> (from the Users page),
-						e.g. <code>user:&lt;id&gt;</code> — not a name or email. A bare id
-						is treated as <code>user:&lt;id&gt;</code>.
-					</p>
-				</div>
-				<div className="grid grid-cols-1 gap-3 md:grid-cols-2">
-					<div className="space-y-1">
-						<Label htmlFor="check-relation">Relation</Label>
-						<Input
-							id="check-relation"
-							placeholder="can_view"
-							value={relation}
-							onChange={(e) => setRelation(e.target.value)}
-						/>
-					</div>
-					<div className="space-y-1">
-						<Label htmlFor="check-object">Object</Label>
-						<Input
-							id="check-object"
-							placeholder="document:1"
-							value={object}
-							onChange={(e) => setObject(e.target.value)}
-						/>
-					</div>
-				</div>
-
-				{/* Contextual tuples */}
-				<div className="space-y-2">
-					<div className="flex items-center justify-between">
-						<Label>Contextual tuples (optional)</Label>
-						<Button
-							type="button"
-							variant="outline"
-							size="sm"
-							onClick={addContextualTuple}
-						>
-							<Plus className="mr-2 h-4 w-4" />
-							Add
-						</Button>
-					</div>
-					{contextualTuples.length === 0 ? (
-						<p className="text-xs text-gray-400">
-							Contextual tuples are evaluated only for this check and are not
-							persisted.
-						</p>
-					) : (
-						contextualTuples.map((tuple, index) => (
-							<div
-								key={index}
-								className="grid grid-cols-1 gap-2 md:grid-cols-[1fr_1fr_1fr_auto] md:items-center"
-							>
-								<Input
-									placeholder="user:<id>"
-									value={tuple.user}
-									onChange={(e) =>
-										updateContextualTuple(index, 'user', e.target.value)
-									}
-								/>
-								<Input
-									placeholder="viewer"
-									value={tuple.relation}
-									onChange={(e) =>
-										updateContextualTuple(index, 'relation', e.target.value)
-									}
-								/>
-								<Input
-									placeholder="document:1"
-									value={tuple.object}
-									onChange={(e) =>
-										updateContextualTuple(index, 'object', e.target.value)
-									}
-								/>
-								<Button
-									type="button"
-									variant="ghost"
-									size="sm"
-									onClick={() => removeContextualTuple(index)}
-								>
-									<Trash2 className="h-4 w-4 text-red-500" />
-								</Button>
-							</div>
-						))
-					)}
-				</div>
-
-				<Button type="submit" disabled={running}>
-					<Play className="mr-2 h-4 w-4" />
-					{running ? 'Checking...' : 'Run Check'}
-				</Button>
-			</form>
-
-			{result !== null && (
-				<div className="mt-6 max-w-2xl">
-					{result ? (
-						<div className="flex items-center gap-3 rounded-md border border-green-200 bg-green-50 p-4">
-							<ShieldCheck className="h-6 w-6 text-green-600" />
-							<div>
-								<Badge variant="success">Allowed</Badge>
-								<p className="mt-1 text-sm text-gray-600">
-									<strong>{checkedUser || 'You'}</strong>{' '}
-									{checkedUser ? 'has' : 'have'} <strong>{relation}</strong>{' '}
-									access to <strong>{object}</strong>.
-								</p>
-							</div>
-						</div>
-					) : (
-						<div className="flex items-center gap-3 rounded-md border border-red-200 bg-red-50 p-4">
-							<ShieldX className="h-6 w-6 text-red-600" />
-							<div>
-								<Badge variant="destructive">Denied</Badge>
-								<p className="mt-1 text-sm text-gray-600">
-									<strong>{checkedUser || 'You'}</strong>{' '}
-									{checkedUser ? 'does' : 'do'} not have{' '}
-									<strong>{relation}</strong> access to{' '}
-									<strong>{object}</strong>.
-								</p>
-							</div>
-						</div>
-					)}
-				</div>
-			)}
-		</div>
-	);
-};
-
-export default Tester;
diff --git a/web/dashboard/src/pages/authorization/Tuples.tsx b/web/dashboard/src/pages/authorization/Tuples.tsx
index fd95a5c7..b591ca7c 100644
--- a/web/dashboard/src/pages/authorization/Tuples.tsx
+++ b/web/dashboard/src/pages/authorization/Tuples.tsx
@@ -556,8 +556,8 @@ const Tuples = () => {
 			)}
 
 			<div className="mt-6 flex items-center justify-between border-t border-gray-100 pt-4 text-sm text-gray-500">
-				<span>Granted some access? Verify it works.</span>
-				<NextStep to="/authorization/tester" label="Next: test access" />
+				<span>Granted some access? Verify it per user.</span>
+				<NextStep to="/users" label="View permissions in Users" />
 			</div>
 		</div>
 	);
diff --git a/web/dashboard/src/routes/index.tsx b/web/dashboard/src/routes/index.tsx
index 4d6e41e1..aeb5e105 100644
--- a/web/dashboard/src/routes/index.tsx
+++ b/web/dashboard/src/routes/index.tsx
@@ -12,7 +12,6 @@ const EmailTemplates = lazy(() => import('../pages/EmailTemplates'));
 const AuditLogs = lazy(() => import('../pages/AuditLogs'));
 const AuthorizationModel = lazy(() => import('../pages/authorization/Model'));
 const AuthorizationTuples = lazy(() => import('../pages/authorization/Tuples'));
-const AuthorizationTester = lazy(() => import('../pages/authorization/Tester'));
 
 export const AppRoutes = () => {
 	const { isLoggedIn } = useAuthContext();
@@ -42,10 +41,6 @@ export const AppRoutes = () => {
 								path="authorization/tuples"
 								element={<AuthorizationTuples />}
 							/>
-							<Route
-								path="authorization/tester"
-								element={<AuthorizationTester />}
-							/>
 							<Route path="*" element={<Overview />} />
 						</Route>
 					</Routes>
diff --git a/web/dashboard/src/types.ts b/web/dashboard/src/types.ts
index 96e3eba4..dbbfc2a4 100644
--- a/web/dashboard/src/types.ts
+++ b/web/dashboard/src/types.ts
@@ -165,9 +165,9 @@ export interface FgaResetResponse {
 	};
 }
 
-export interface FgaCheckResponse {
-	fga_check: {
-		allowed: boolean;
+export interface ListPermissionsResponse {
+	list_permissions: {
+		objects: string[];
 	};
 }
 

From 094ea8a00e933fd33c8f4312e4f5d320e2612650 Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Wed, 10 Jun 2026 18:40:58 +0530
Subject: [PATCH 28/39] docs: point openfga-modeling skill reference at the new
 permission APIs

---
 CLAUDE.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/CLAUDE.md b/CLAUDE.md
index ec536527..3bb69860 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -73,7 +73,7 @@ Detailed rules load via skills (see below) — don't restate them here.
 | `authorizer-security` | auth-sensitive code or `security/` branches |
 | `authorizer-testing` | any `*_test.go` |
 | `authorizer-frontend` | `web/app/`, `web/dashboard/` |
-| `openfga-modeling` | FGA engine (`internal/authorization/`), authz models/tuples, `_fga_*`/`fga_*` GraphQL |
+| `openfga-modeling` | FGA engine (`internal/authorization/`), authz models/tuples, `check_permissions`/`list_permissions`/`_fga_*` GraphQL |
 | `agentic-auth-standards` | token exchange, delegation, MCP, agent-identity (`internal/token/`, `internal/http_handlers/`) |
 
 ## Token Optimization Notes

From 0e374df52c7503a771f8d47412dcca50e86737e8 Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Wed, 10 Jun 2026 18:45:41 +0530
Subject: [PATCH 29/39] docs(fga): note exact-string self-match semantics in
 the trust gate

---
 internal/graphql/fga.go | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/internal/graphql/fga.go b/internal/graphql/fga.go
index c4a11af8..c389763a 100644
--- a/internal/graphql/fga.go
+++ b/internal/graphql/fga.go
@@ -80,7 +80,9 @@ func (g *graphqlProvider) resolveFgaSubject(ctx context.Context, explicitUser st
 	}
 	// Self-specification is always allowed: it is exactly what the token
 	// already proves. This keeps client code symmetric (it may always send
-	// `user`) while the server stays strict.
+	// `user`) while the server stays strict. The comparison is exact-string
+	// after outer TrimSpace + normalization — no inner-whitespace or case
+	// tolerance; a near-miss falls through and is rejected (fail-closed).
 	if subject == ownSubject {
 		return subject, nil
 	}

From e89291cbef1721140413af0cb5779054cb339a33 Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Wed, 10 Jun 2026 23:22:54 +0530
Subject: [PATCH 30/39] fix(fga): actionable error when a tuple doesn't match
 the model

Adding a tuple whose relation or object type isn't in the active model
surfaced OpenFGA's raw gRPC error ("rpc error: code = Code(2000) desc =
Invalid tuple ..."), which read as "can't add grant access".

- Map tuple-validation errors in _fga_write_tuples/_fga_delete_tuples to a
  friendly message that keeps OpenFGA's reason and points at Step 1; raw
  error stays in the debug log. Covered by an integration test (also asserts
  no gRPC internals leak).
- Grant-pattern modal now states tuples must match YOUR model; the folder
  pattern notes it needs a folder type.
---
 internal/graphql/fga.go                        | 18 ++++++++++++++++++
 internal/graphql/fga_delete_tuples.go          |  2 +-
 internal/graphql/fga_write_tuples.go           |  2 +-
 internal/integration_tests/fga_test.go         | 16 ++++++++++++++++
 .../src/pages/authorization/Tuples.tsx         |  6 ++++--
 5 files changed, 40 insertions(+), 4 deletions(-)

diff --git a/internal/graphql/fga.go b/internal/graphql/fga.go
index c389763a..bcc24b95 100644
--- a/internal/graphql/fga.go
+++ b/internal/graphql/fga.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"errors"
 	"fmt"
+	"regexp"
 	"strings"
 
 	"github.com/authorizerdev/authorizer/internal/authorization/engine"
@@ -151,3 +152,20 @@ func toEngineTuples(params *model.FgaWriteTuplesInput) ([]engine.TupleKey, error
 	}
 	return tuples, nil
 }
+
+// tupleValidationRe extracts the useful part of OpenFGA's tuple-validation
+// error (e.g. `Invalid tuple 'document:9#owner@user:abc'. Reason: relation
+// 'document#owner' not found`) from the raw gRPC error string.
+var tupleValidationRe = regexp.MustCompile(`Invalid tuple '([^']+)'\. Reason: (.+)$`)
+
+// friendlyTupleError turns OpenFGA's raw tuple-validation gRPC error into an
+// actionable message ("relation X not found — define it in the model first").
+// Non-validation errors pass through unchanged; the raw error stays in the
+// debug log at the call site.
+func friendlyTupleError(err error) error {
+	m := tupleValidationRe.FindStringSubmatch(err.Error())
+	if m == nil {
+		return err
+	}
+	return fmt.Errorf("invalid tuple %q: %s — the relation and object type must be defined in the active authorization model (Step 1)", m[1], m[2])
+}
diff --git a/internal/graphql/fga_delete_tuples.go b/internal/graphql/fga_delete_tuples.go
index a73efaed..19e5b527 100644
--- a/internal/graphql/fga_delete_tuples.go
+++ b/internal/graphql/fga_delete_tuples.go
@@ -34,7 +34,7 @@ func (g *graphqlProvider) FgaDeleteTuples(ctx context.Context, params *model.Fga
 	if err := g.AuthzEngine.DeleteTuples(ctx, tuples); err != nil {
 		metrics.RecordFgaOperation(metrics.FgaOpDeleteTuples, metrics.FgaResultError)
 		log.Debug().Err(err).Msg("Failed to delete tuples")
-		return nil, err
+		return nil, friendlyTupleError(err)
 	}
 	metrics.RecordFgaOperation(metrics.FgaOpDeleteTuples, metrics.FgaResultSuccess)
 	g.AuditProvider.LogEvent(audit.Event{
diff --git a/internal/graphql/fga_write_tuples.go b/internal/graphql/fga_write_tuples.go
index 16345c95..954679d9 100644
--- a/internal/graphql/fga_write_tuples.go
+++ b/internal/graphql/fga_write_tuples.go
@@ -34,7 +34,7 @@ func (g *graphqlProvider) FgaWriteTuples(ctx context.Context, params *model.FgaW
 	if err := g.AuthzEngine.WriteTuples(ctx, tuples); err != nil {
 		metrics.RecordFgaOperation(metrics.FgaOpWriteTuples, metrics.FgaResultError)
 		log.Debug().Err(err).Msg("Failed to write tuples")
-		return nil, err
+		return nil, friendlyTupleError(err)
 	}
 	metrics.RecordFgaOperation(metrics.FgaOpWriteTuples, metrics.FgaResultSuccess)
 	g.AuditProvider.LogEvent(audit.Event{
diff --git a/internal/integration_tests/fga_test.go b/internal/integration_tests/fga_test.go
index da66e1fb..fba6c653 100644
--- a/internal/integration_tests/fga_test.go
+++ b/internal/integration_tests/fga_test.go
@@ -206,6 +206,22 @@ func TestFGA(t *testing.T) {
 	})
 	require.NoError(t, err)
 
+	// ---- Admin: a tuple that doesn't match the model gets a friendly error. ----
+	t.Run("_fga_write_tuples maps model-validation errors to an actionable message", func(t *testing.T) {
+		_, err := ts.GraphQLProvider.FgaWriteTuples(ctx, &model.FgaWriteTuplesInput{
+			Tuples: []*model.FgaTupleInput{
+				{User: "user:" + userID, Relation: "owner", Object: "document:1"},
+			},
+		})
+		require.Error(t, err, "a relation not in the model must be rejected")
+		assert.Contains(t, err.Error(), "relation 'document#owner' not found",
+			"the OpenFGA reason must be surfaced")
+		assert.Contains(t, err.Error(), "must be defined in the active authorization model",
+			"the error must tell the admin where to fix it")
+		assert.NotContains(t, err.Error(), "rpc error",
+			"raw gRPC internals must not leak to the client")
+	})
+
 	// ---- Admin: read tuples back. ----
 	t.Run("_fga_read_tuples returns written tuple", func(t *testing.T) {
 		tuplesRes, err := ts.GraphQLProvider.FgaReadTuples(ctx, &model.FgaReadTuplesInput{})
diff --git a/web/dashboard/src/pages/authorization/Tuples.tsx b/web/dashboard/src/pages/authorization/Tuples.tsx
index b591ca7c..3d6f1381 100644
--- a/web/dashboard/src/pages/authorization/Tuples.tsx
+++ b/web/dashboard/src/pages/authorization/Tuples.tsx
@@ -92,7 +92,7 @@ const GRANT_PATTERNS: {
 	},
 	{
 		name: 'All resources in a folder',
-		desc: 'Grant on the folder once; every document under it inherits.',
+		desc: 'Grant on the folder once; every document under it inherits (needs a folder type in the model).',
 		tuple: {
 			user: 'user:<user-id>',
 			relation: 'viewer',
@@ -375,7 +375,9 @@ const Tuples = () => {
 						<DialogTitle>Common grant patterns</DialogTitle>
 						<DialogDescription>
 							Pick a pattern to fill the form below. Nothing is granted until
-							you click <strong>Add</strong>.
+							you click <strong>Add</strong>. A tuple is accepted only when its
+							relation and object type exist in <strong>your</strong> model
+							(Step 1).
 						</DialogDescription>
 					</DialogHeader>
 					<div className="grid max-h-[60vh] grid-cols-1 gap-2 overflow-y-auto sm:grid-cols-2">

From 0bced1948ac16b1f117d57afc577690f33a4c56c Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Thu, 11 Jun 2026 10:03:49 +0530
Subject: [PATCH 31/39] docs!: move design specs and guides to the
 authorizer-docs repo

All program design docs (FGA migration plan, agentic delegation design,
enterprise authz model, implementation agents, migration-tool spec) and the
ReBAC guide now live in the authorizer-docs repo under specs/. References in
CLAUDE.md and ROADMAP_V2.md point there. The docs-guide DSL validation
subtest is removed with the guide; dashboard example validation stays.
---
 AGENTIC_DELEGATION_DESIGN.md                  | 152 ----------
 CLAUDE.md                                     |   4 +-
 ENTERPRISE_AUTHZ_MODEL.md                     | 173 -----------
 FGA_IMPLEMENTATION_AGENTS.md                  |  80 -----
 FGA_OPENFGA_MIGRATION_PLAN.md                 | 208 -------------
 ROADMAP_V2.md                                 |   6 +-
 docs/fga-rebac-guide.md                       | 164 ----------
 .../specs/2026-06-08-migration-tool-design.md | 282 ------------------
 .../openfga/examples_validation_test.go       |  24 +-
 9 files changed, 8 insertions(+), 1085 deletions(-)
 delete mode 100644 AGENTIC_DELEGATION_DESIGN.md
 delete mode 100644 ENTERPRISE_AUTHZ_MODEL.md
 delete mode 100644 FGA_IMPLEMENTATION_AGENTS.md
 delete mode 100644 FGA_OPENFGA_MIGRATION_PLAN.md
 delete mode 100644 docs/fga-rebac-guide.md
 delete mode 100644 docs/specs/2026-06-08-migration-tool-design.md

diff --git a/AGENTIC_DELEGATION_DESIGN.md b/AGENTIC_DELEGATION_DESIGN.md
deleted file mode 100644
index 42f2fb30..00000000
--- a/AGENTIC_DELEGATION_DESIGN.md
+++ /dev/null
@@ -1,152 +0,0 @@
-# Design: Agentic Delegation Chain (Token Exchange · Attenuation · Audit)
-
-**Scope:** Capabilities #13 (RFC 8693 token exchange), #14 (attenuation / least-privilege), #21 (audit delegation chain) from the agentic-auth capability matrix. This is the **highest-leverage layer after ReBAC** — it answers *"who is asking, with whose borrowed authority, and constrained to what?"*
-
-**Current state (verified in code):** greenfield. No token-exchange grant, no `act` claim, audit has a single actor. `authorization.Principal.MaxScopes` exists as a "delegation ceiling" to build on.
-
----
-
-## 1. The problem
-
-An agent acts **as itself** **on behalf of a user**, possibly delegated through one or more apps. Three things must be true on every downstream call:
-
-1. **Both identities travel together** — the resource server and audit must see *agent X acting for user Y*.
-2. **The agent gets least privilege** — a token downscoped to the task, never the user's full power.
-3. **The full chain is recorded** — `app → agent → user` is queryable in audit.
-
-RFC 8693 (OAuth 2.0 Token Exchange) is the standard mechanism. The `act` claim carries the chain.
-
----
-
-## 2. The `act` claim — the heart of the design
-
-A task-scoped token minted for the agent:
-
-```jsonc
-{
-  "sub": "user:alice",                  // whose authority is exercised
-  "aud": "https://calendar.example",    // bound target (RFC 8707)
-  "scope": "calendar:read",             // attenuated, not alice's full scope
-  "exp": "<now+5m>",                    // short-lived
-  "act": {                              // who is acting
-    "sub": "agent:booking-bot",
-    "act": {                            // nested: who delegated to the agent
-      "sub": "app:concierge"
-    }
-  }
-}
-```
-
-- `sub` stays the **user** (authority source); `act.sub` is the **immediate actor**; nested `act` encodes multi-hop delegation.
-- **`act` becomes a reserved claim** (alongside `roles`, `scope`, …) in `internal/token/auth_token.go` so `CustomAccessTokenScript` cannot forge it.
-
----
-
-## 3. Token exchange endpoint (#13)
-
-Extend `POST /oauth/token` with `grant_type=urn:ietf:params:oauth:grant-type:token-exchange`.
-
-| Param | Meaning |
-|---|---|
-| `subject_token` (+ `_type`) | the user's token (authority being exercised) |
-| `actor_token` (+ `_type`) | the agent's token (the actor) — present ⇒ **delegation** |
-| `requested_token_type` | usually `urn:ietf:params:oauth:token-type:access_token` |
-| `resource` / `audience` | RFC 8707 target binding (**required** for MCP) |
-| `scope` | requested (down)scope |
-
-**Two semantics:**
-- **Delegation** (`actor_token` present): mint composite token with `sub=user`, `act` chain. Default agent path.
-- **Impersonation** (no `actor_token`): actor fully becomes the subject. **Admin-gated, always audited.** Used sparingly (support tooling), not the agent path.
-
-**Flow:**
-```
-1. validate subject_token + actor_token (sig, exp, aud, not revoked)
-2. resolve actor's delegation ceiling (agent service-account MaxScopes)
-3. attenuated_scope = intersection(subject_effective, requested_scope, actor_ceiling)   ← §4
-4. mint access_token: sub=subject, act=chain, aud=resource, scope=attenuated, short exp
-5. audit: actor=agent, on_behalf_of=user, chain                                          ← §5
-```
-
----
-
-## 4. Attenuation — least privilege per task (#14)
-
-The exchanged token's authority is the **intersection** of three ceilings:
-
-```
-effective = subject_permissions  ∩  requested_scope  ∩  agent_delegation_ceiling
-```
-
-- **`subject_permissions`** — what the user actually has (scopes + FGA-derived).
-- **`requested_scope`** — what the agent asked for (RAR can carry structured detail).
-- **`agent_delegation_ceiling`** — `Principal.MaxScopes` on the agent's service account (the existing primitive). An agent can never exceed its registered ceiling even if the user is an admin.
-
-Further constraints stamped on the token:
-- **Audience binding** (`aud` = `resource`, RFC 8707) — token works only at the named MCP server / API.
-- **Short TTL** — 5 min default for agent tokens (matches roadmap 4.2).
-- **(Later)** sender-constraint via DPoP (Phase 5.2).
-
-**FGA interplay:** object-level checks still run at the resource server as `Check(user:alice, relation, object, context={actor: agent, purpose})`. OpenFGA **Conditions** can additionally require the actor be a delegated agent / within a context window. Token attenuation is the *coarse* least-privilege gate; FGA is the *fine* one. Both apply.
-
----
-
-## 5. Audit delegation chain (#21)
-
-**Schema change (storage tax across all DBs).** Extend `schemas.AuditLog` and `audit.Event`:
-
-```go
-// audit.Event — add:
-OnBehalfOfID    string  // the subject (user) the actor acted for
-OnBehalfOfType  string  // "user" | "agent"
-DelegationChain string  // serialized act chain, e.g. "app:concierge>agent:booking-bot>user:alice"
-```
-
-- Every action performed with an exchanged token logs **actor + on-behalf-of + chain**.
-- Makes "what did `booking-bot` do for Alice last week?" and "every action delegated through `app:concierge`" queryable.
-- Schema must be added to all 6 DB implementations + AutoMigrate / collection setup (same multi-DB pattern as any new field).
-
----
-
-## 6. End-to-end runtime flow
-
-```
-User ──OIDC──► Authorizer ──► user token (sub=alice)
-App/agent ──token-exchange(subject=user, actor=agent, scope=calendar:read, resource=calendar)──► Authorizer
-Authorizer ──► attenuated token (sub=alice, act=[app>agent], aud=calendar, scope=calendar:read, exp=5m)
-Agent ──► MCP tool / Calendar API  (presents attenuated token)
-Resource server ──► validate aud+scope ──► FGA Check(alice, read, calendar:..., ctx{actor:agent})
-Authorizer audit ──► {actor: agent, on_behalf_of: alice, chain: app>agent>alice, action, resource}
-User ──► dashboard: view / revoke active agent delegations   (roadmap 4.3)
-```
-
----
-
-## 7. Decisions (LOCKED — principal-engineer calls)
-
-| # | Decision | Locked choice |
-|---|---|---|
-| DC1 | Delegation vs impersonation | **Both**; impersonation admin-gated + always audited |
-| DC2 | Where the agent ceiling lives | Agent **service-account `MaxScopes`** + optional FGA tuples |
-| DC3 | `act` claim format | **RFC 8693 nested `act`** (multi-hop chains) |
-| DC4 | Token binding | **RFC 8707 `resource`/`aud` required** for exchanged/MCP tokens; DPoP later (Phase 5.2) |
-| DC5 | Revocation | **Short TTL (5m) baseline + revocation-list-via-introspection for sensitive scopes** (see §7.1) |
-
-### 7.1 Revocation — the real design (not a footnote)
-A two-tier model, reusing the **existing `/oauth/introspect` endpoint**:
-- **Default (non-sensitive scopes):** rely on the **5-minute TTL**. Revoking a delegation stops *refresh*; in-flight access tokens expire within the window. Acceptable for the common case.
-- **Sensitive scopes (operator-flagged, e.g. `payments:*`):** the exchanged token is marked `sensitive`, and **resource servers MUST call `/oauth/introspect`** before honoring it. Introspection checks a **revocation list** updated the instant a user revokes the delegation (dashboard / `revoke` mutation) → immediate effect, no TTL wait.
-- **Distributed propagation:** the revocation list lives in `memory_store` (Redis/DB) so all nodes and the introspect endpoint see revocations consistently. Document the (sub-second) propagation window.
-
-This keeps the hot path cheap (short TTL, no introspection) while giving immediate revocation where it actually matters.
-
-**Prereq dependency (review fix #10):** this design sits on **agent identity + M2M/client-credentials** (roadmap Phase 2 / 4.2) and the **OpenFGA decision core** (FGA_OPENFGA_MIGRATION_PLAN.md). Do not start Wave 2 before those land.
-
-## 8. Phasing (verify-gated)
-
-1. **`act` claim + reserved-claim guard** → verify: minted token carries `act`; custom script cannot overwrite it.
-2. **Token-exchange grant (delegation only)** → verify: subject+actor tokens produce composite token with correct `act` + intersected scope + bound `aud`.
-3. **Attenuation via agent `MaxScopes`** → verify: agent cannot exceed its ceiling even with an admin subject token.
-4. **Audit chain fields (all DBs)** → verify: exchanged-token action logs actor + on_behalf_of + chain; `make test-all-db` green.
-5. **Impersonation (admin-gated) + dashboard revocation** → verify: impersonation requires admin + audits; user can revoke an active delegation.
-
-**Dependency:** sits on top of the OpenFGA decision core (FGA_OPENFGA_MIGRATION_PLAN.md) and the M2M/service-account + agent-identity work (roadmap 2.2 / 4.2).
diff --git a/CLAUDE.md b/CLAUDE.md
index 3bb69860..f8c26408 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -59,8 +59,8 @@ Detailed rules load via skills (see below) — don't restate them here.
 | `security-engineer` | opus | OAuth2/OIDC, JWT, MFA, vulnerability audit. Second-pass on auth-sensitive PRs. |
 | `doc-writer` | haiku | API docs, guides, migration docs. |
 | `authz-researcher` | opus | Deep, adversarially-verified research on authz standards (OpenFGA, RFC 8693/8707/9728, MCP, CIBA, AuthZEN). Run before designing/building any authz capability. |
-| `fga-engineer` | opus | Implements the OpenFGA migration (Wave 1) per FGA_OPENFGA_MIGRATION_PLAN.md. |
-| `delegation-engineer` | opus | Implements the agentic delegation chain (Wave 2) per AGENTIC_DELEGATION_DESIGN.md. Security-critical. |
+| `fga-engineer` | opus | Implements the OpenFGA migration (Wave 1) per specs/FGA_OPENFGA_MIGRATION_PLAN.md (authorizer-docs repo). |
+| `delegation-engineer` | opus | Implements the agentic delegation chain (Wave 2) per specs/AGENTIC_DELEGATION_DESIGN.md (authorizer-docs repo). Security-critical. |
 
 ## Project Skills (auto-load on matching files)
 
diff --git a/ENTERPRISE_AUTHZ_MODEL.md b/ENTERPRISE_AUTHZ_MODEL.md
deleted file mode 100644
index 36faa64d..00000000
--- a/ENTERPRISE_AUTHZ_MODEL.md
+++ /dev/null
@@ -1,173 +0,0 @@
-# Enterprise Authorization Model (OpenFGA ReBAC)
-
-How an enterprise expresses **fine-grained permissions on resources by role**, plus **one-off user-specific grants**, plus **user-specific exceptions/denials** — and how all of them mix in a single check.
-
----
-
-## The mental model: every check is `UNION of grants − exclusions`
-
-Four ways a user gets (or loses) access, all evaluated together:
-
-| Layer | Mechanism | Example |
-|---|---|---|
-| **1. Role-based** (broad) | Assign a *role* to a relation → everyone with the role inherits | "all `editor`s can edit project docs" |
-| **2. Structural** (hierarchy) | Membership + inheritance org→team→project→doc | "engineering team members can view phoenix docs" |
-| **3. User-specific grant** (additive) | Direct tuple to one user | "Frank gets view on this one budget" |
-| **4. User-specific exception** (subtractive) | `blocked` relation + `but not` | "Erin is blocked from this sensitive doc despite team membership" |
-
-A `Check` resolves to: **(role grants ∪ structural grants ∪ direct grants) − blocked**. That intersection/union/exclusion *is* "all the mix-matches."
-
----
-
-## The authorization model (DSL — authored once)
-
-```dsl
-model
-  schema 1.1
-
-type user
-
-# Roles are first-class objects so they can be assigned to any relation (RBAC-in-ReBAC)
-type role
-  relations
-    define assignee: [user]
-
-type organization
-  relations
-    define admin:  [user, role#assignee]
-    define member: [user, role#assignee] or admin
-
-type team
-  relations
-    define org:    [organization]
-    define member: [user, team#member] or admin from org   # org admins are implicitly team members
-
-type project
-  relations
-    define team:   [team]
-    define lead:   [user, role#assignee]
-    define editor: [user, role#assignee] or lead or member from team
-    define viewer: [user, role#assignee] or editor
-
-type document
-  relations
-    define project: [project]
-    define owner:   [user]
-    define blocked: [user]                                  # user-specific exception
-    define editor:  [user, role#assignee] or owner or editor from project
-    define viewer:  [user, role#assignee] or editor or viewer from project
-    define can_edit: editor but not blocked                 # effective permission
-    define can_view: viewer but not blocked
-```
-
-Key constructs that deliver each layer:
-- `[role#assignee]` → **role-based** grants (assign a whole role to a relation).
-- `[user]` → **user-specific** one-off grants.
-- `X from Y` → **hierarchical inheritance** (e.g., `editor from project`).
-- `but not blocked` → **user-specific exception/deny** override.
-
----
-
-## Worked scenario: Acme Corp
-
-**Structure:** `org:acme` → `team:engineering`, `team:finance` → `project:phoenix` (eng), `project:ledger` (finance) → `doc:design-spec` (phoenix), `doc:q4-budget` (ledger).
-**Roles:** `role:org-admin`, `role:editor`, `role:auditor`.
-
-### Relationship tuples (the data — written at runtime)
-
-```text
-# --- roles & org ---
-role:org-admin#assignee        @ user:alice
-organization:acme#admin        @ role:org-admin#assignee     # role grants org admin
-team:engineering#org           @ organization:acme
-team:finance#org               @ organization:acme
-
-# --- structural membership ---
-team:engineering#member        @ user:bob
-team:engineering#member        @ user:erin
-team:finance#member            @ user:carol
-
-# --- project wiring + role-based grant ---
-project:phoenix#team           @ team:engineering
-project:ledger#team            @ team:finance
-project:phoenix#editor         @ role:editor#assignee        # role:editor → edit phoenix
-role:editor#assignee           @ user:bob
-project:ledger#viewer          @ role:auditor#assignee       # role:auditor → view ledger
-role:auditor#assignee          @ user:dave
-
-# --- documents ---
-document:design-spec#project   @ project:phoenix
-document:q4-budget#project     @ project:ledger
-
-# --- user-specific overrides ---
-document:design-spec#blocked   @ user:erin                   # exception: deny (layer 4)
-document:q4-budget#viewer      @ user:frank                  # odd one-off grant (layer 3)
-```
-
-### Resulting access (Check results)
-
-| User | Why | `can_view design-spec` | `can_edit design-spec` | `can_view q4-budget` |
-|---|---|---|---|---|
-| **alice** | org-admin role → admin → (member→editor→) inherits everywhere | ✅ | ✅ | ✅ |
-| **bob** | `role:editor` → project editor → doc editor | ✅ | ✅ | ❌ |
-| **erin** | eng member → would inherit viewer **but blocked** | ❌ *(exception)* | ❌ *(exception)* | ❌ |
-| **frank** | not a member; **direct one-off** viewer on budget only | ❌ | ❌ | ✅ *(one-off)* |
-| **dave** | `role:auditor` → view ledger only (read) | ❌ | ❌ | ✅ *(role, read-only)* |
-| **carol** | finance member; no path to eng docs | ❌ | ❌ | ✅ |
-
-### The mix-match, on one resource
-
-`doc:design-spec` effective **can_edit** set =
-
-```
-  { alice }            # role-based (org-admin) + structural inheritance
-∪ { bob }              # role-based (role:editor on project)
-∪ { <project leads> }  # role/structural
-∪ { <direct owners> }  # user-specific grant
-−  { erin }            # user-specific exception (but not blocked)
-```
-
-One check, four layers, resolved by the engine. Adding a contractor for a day = one tuple; revoking = delete it. No role explosion, no policy rewrite.
-
----
-
-## ABAC / conditional twist (optional)
-
-Need "editors may edit **only during business hours**" or "**only from corp network**"? Attach an OpenFGA **Condition**:
-
-```dsl
-condition in_business_hours(now: timestamp) {
-  now.Hours >= 9 && now.Hours < 18
-}
-type document
-  relations
-    define editor: [user, role#assignee with in_business_hours] or ...
-```
-
-Context (`now`, IP, purpose) is passed at check time — no separate ABAC engine.
-
----
-
-## How the enterprise drives this (Dashboard + API)
-
-| Task | Dashboard | API |
-|---|---|---|
-| Define the model | **Authorization Model** page (DSL editor) | `_fga_write_model` |
-| Assign a role to a user | "Assign role" (writes `role:X#assignee@user:Y`) | `_fga_write_tuples` |
-| Grant role broad access on a resource type | Model relation `[role#assignee]` + tuple | `_fga_write_tuples` |
-| One-off share to a user | "Share resource" | `_fga_write_tuples` |
-| Block/except a user | "Block user" (writes `#blocked`) | `_fga_write_tuples` |
-| Ask "can X do Y on Z?" | **Access Tester** | `fga_check` |
-| "What can X see?" (UI / RAG) | — | `fga_list_objects` |
-| "Who can see Z?" | resource access panel | `expand` |
-
----
-
-## Why this is the enterprise sweet spot
-
-- **Roles still feel like roles** (assign a role, broad access follows) — admins keep the mental model they know.
-- **One-off exceptions don't break the model** — additive grants and `but not` exclusions are just tuples.
-- **Hierarchy is automatic** — grant at org/team/project, resources inherit.
-- **Reverse queries** (`list_objects`) power both AI retrieval and "show me everything I can access" UIs.
-- **Auditable & revocable** — every grant is a tuple with a clear provenance; revoke = delete.
-```
diff --git a/FGA_IMPLEMENTATION_AGENTS.md b/FGA_IMPLEMENTATION_AGENTS.md
deleted file mode 100644
index 68dfdfa9..00000000
--- a/FGA_IMPLEMENTATION_AGENTS.md
+++ /dev/null
@@ -1,80 +0,0 @@
-# FGA → OpenFGA + Agentic Auth: Agent Fleet & Execution Plan
-
-How a small fleet of specialized agents carries the OpenFGA migration and agentic-auth program forward **to standard, with verification at every gate**. This is the orchestration layer over the design docs.
-
-**Source-of-truth docs (agents MUST read before acting):**
-- `FGA_OPENFGA_MIGRATION_PLAN.md` — phased plan + LOCKED decisions (D1–D4, store, why-logs)
-- `AGENTIC_DELEGATION_DESIGN.md` — Wave 2 delegation (DC1–DC5)
-- `ENTERPRISE_AUTHZ_MODEL.md` — the OpenFGA model + Acme worked example
-- `ROADMAP_V2.md` — Agentic Authorization Track (4 waves)
-
----
-
-## The fleet
-
-| Agent | Model | Owns | Reads | Produces |
-|---|---|---|---|---|
-| **authz-researcher** | opus | Deep, adversarially-verified research on OpenFGA, Zanzibar, Auth0 parity, and standards (RFC 8693/8707/9728, MCP, CIBA, AuthZEN) | the web + design docs | cited research briefs that gate design choices |
-| **fga-engineer** | opus | Wave 1 — engine SPI, embedded/external OpenFGA, model/tuple/check APIs, GraphQL `_fga_*`/`fga_*`, session/validate changes, dashboard wiring, SDK FGA surface | migration plan, openfga-modeling skill | working code + tests, one verified phase at a time |
-| **delegation-engineer** | opus | Wave 2 — RFC 8693 token exchange, `act` claim, attenuation, audit delegation chain | delegation design, agentic-auth-standards skill | working code + tests, security-first |
-
-**Existing agents reused (do not duplicate):**
-- `principal-engineer` — owns any change touching >1 subsystem; the default driver if a program agent isn't a better fit.
-- `security-engineer` — **mandatory second pass** on every FGA/delegation PR (auth-sensitive).
-- `doc-writer` — migration guide, API docs, Auth0-import guide.
-
-**Domain skills (auto-load on matching work):**
-- `openfga-modeling` — DSL/tuple patterns, enterprise model, the **verified embed API**, check/list_objects, conditions.
-- `agentic-auth-standards` — the standards + the LOCKED decisions, so no agent re-litigates them.
-
----
-
-## Execution waves (each gated by `Verify`)
-
-### Wave 0 — Research & validate *(authz-researcher)*
-- Confirm current OpenFGA embed API + SQLite/Postgres datastore bootstrap (the one remaining spike step).
-- Track standards deltas (MCP spec, ID-JAG draft status, AuthZEN).
-- → **Verify:** every claim feeding a design decision is cited and adversarially checked. Spike code compiles & runs.
-
-### Wave 1 — Decision core *(fga-engineer → security-engineer)*
-Follows `FGA_OPENFGA_MIGRATION_PLAN.md` Phases 1→7. The old engine was removed outright (never rolled out). Authorizer embeds OpenFGA in-process — it IS the engine; FGA is enabled by configuring a store (`--fga-store`). No engine-selector or external-service flags.
-- → **Verify per phase:** the phase's own Verify gate + `go build ./...` + `make test-all-db` (proves no DB-impl dangling refs) + security-engineer review.
-
-### Wave 2 — Delegation core *(delegation-engineer → security-engineer)*
-Follows `AGENTIC_DELEGATION_DESIGN.md`. **Prereq:** agent identity + M2M (roadmap Phase 2). Do not start before it lands.
-- → **Verify:** `act` chain correct, attenuation can't exceed ceiling, revocation works for sensitive scopes, audit chain queryable, security review.
-
-### Waves 3–4 — Async/custody + Enterprise hardening
-CIBA+RAR, Token Vault, MCP/ID-JAG, JIT/guardrails. New research brief per capability before build.
-
----
-
-## Handoff protocol (research → implement → review)
-
-1. **Research first.** No engineer agent starts a capability without a current `authz-researcher` brief (or a cited section in the design docs). "Don't assume" is enforced here.
-2. **Implement to the plan.** Engineer agents follow the phased plan + locked decisions verbatim. Deviation requires an explicit, written rationale appended to the relevant design doc — not a silent change.
-3. **Verify before claiming done.** Build + tests + the phase's Verify gate. No "should work."
-4. **Security review is mandatory**, not optional, for every FGA/token/delegation PR (`security-engineer`).
-5. **Docs follow** (`doc-writer`) once an API is frozen.
-
----
-
-## Definition of Done (program standard — non-negotiable)
-
-A change is done only when ALL hold:
-- [ ] Matches the LOCKED decisions (or amends the design doc with rationale).
-- [ ] `go build ./...` green; `make generate-graphql` run if schema changed.
-- [ ] Tests written and passing; `make test-all-db` green for storage-touching changes.
-- [ ] Auth-sensitive code reviewed by `security-engineer`.
-- [ ] Principal pinned to token `sub` on every `fga_*` runtime check; admin-gating on `_fga_*` and model edits; fail-closed on engine error.
-- [ ] No secrets in logs; no stale-allow cache path (cache only in embedded mode).
-- [ ] Verified against the phase's `Verify` gate with real output, not assertion.
-
----
-
-## Guardrails the agents must respect (lessons already paid for)
-- **FGA store is SQL-only** (SQLite single-node / external Postgres for HA). Do not attempt Mongo/Dynamo adapters.
-- **Don't double-cache** decisions in external mode.
-- **`required_relations` is the new fine path; `roles` filter stays for coarse** — never force capabilities into ReBAC except via the singleton-object pattern.
-- **Two-release removal** of the old engine, not big-bang.
-- **`go.mod` probe passed** (openfga v1.17.1, sqlite→v1.51.0 compiles clean) — but re-run `make test-sqlite` on the integration branch.
diff --git a/FGA_OPENFGA_MIGRATION_PLAN.md b/FGA_OPENFGA_MIGRATION_PLAN.md
deleted file mode 100644
index ced8ff6b..00000000
--- a/FGA_OPENFGA_MIGRATION_PLAN.md
+++ /dev/null
@@ -1,208 +0,0 @@
-# Migration Plan: Replace Bespoke FGA with OpenFGA
-
-**Status:** Decisions locked · Phase 0 PASSED · Phases 1–4 DONE on branch `feat/fga-engine-spi` (uncommitted) · **Precondition:** FGA is pre-stable (no GA compat guarantee) · **Type:** Breaking, full replacement
-
-> **Implementation status:** Old FGA (Resource/Scope/Policy/Permission, #607/#610/#611) **fully removed** (never rolled out). New OpenFGA engine seam (Phase 1), GraphQL `_fga_*`/`fga_*` API + engine routed into request paths (Phase 3), and `required_relations` on session/validate (Phase 4) all **DONE** — `go build ./...` green, FGA + integration tests pass, proof-grep clean, principal-pinning + nil-engine handling tested. **Remaining:** dashboard FGA pages (Phase 5, done), SDK cleanup in the separate `authorizer-go`/`authorizer-js` repos (Phase 6), Auth0 import tool + docs (Phase 7).
->
-> **Config simplification (supersedes D2 + the deployment-mode external-service framing below):** Authorizer **embeds OpenFGA in-process — it IS the engine.** The `--authorization-engine`, `--fga-mode`, and `--fga-external-url` flags were **removed**, along with three dead old-engine flags (`--authorization-cache-ttl`, `--include-permissions-in-token`, `--authorization-log-all-checks`).
->
-> **FGA reuses the main database by default.** When `--database-type` is `sqlite`/`postgres`/`mysql`/`mariadb`, FGA derives its store from the existing `--database-url` automatically — **no extra flags** (OpenFGA tables live in the main DB, like the old engine; migrations run on boot, goose-locked → HA-safe). `--fga-store` (+ `--fga-store-url`) is an **override**, required only when the main DB is not OpenFGA-compatible (mongodb, dynamodb, cassandra, couchbase, arangodb, sqlserver) or to use a dedicated store. Resolved by `config.FGAStoreConfig()` (unit-tested). The driver-conflict known-issue below is **resolved** (Option B: GORM standardized on `modernc.org/sqlite`), which is what makes same-DB reuse possible.
-
-> ✅ **RESOLVED — SQLite driver double-registration (Option B).** Linking OpenFGA's SQL datastores (`modernc.org/sqlite`) alongside Authorizer's old GORM SQLite driver (`glebarez/go-sqlite`) panicked at startup (`sql: Register called twice for driver sqlite`, since both register the name `sqlite`). Fixed by standardizing GORM on `modernc.org/sqlite` via a local dialect (`internal/storage/db/sql/sqlitedialect/`, a near-verbatim copy of glebarez's MIT dialect with the driver import swapped) and dropping `glebarez/*`. The `fga_sql` build tag was removed — OpenFGA's SQL datastores are now in the **default build**. Verified: default binary starts with no panic; embedded SQLite FGA runs in-process alongside GORM SQLite; full SQLite suite green. Pure-Go, no CGO. *(Maintenance note: the vendored dialect is now Authorizer-maintained — apply modernc/dialect updates manually.)*
-
-> **Phase 0 spike result (FULLY validated, not assumed):** `openfga v1.17.1` embeds in-process; DSL→model→tuples→`Check`→`ListObjects` work incl. `but not` exclusion. **Persistent SQLite datastore verified** — data written by one process is read back by a separate fresh process (persistence across restart proven); bootstrap = `migrate.RunMigrations(...)` then `sqlite.New(uri, sqlcommon.NewConfig())` (pure-Go, no CGO). `go.mod` integration probe **passed** (whole authorizer tree builds with openfga added, `modernc.org/sqlite`→v1.51.0). Binary +~36–38M. See `openfga-modeling` skill for the verified bootstrap recipe + gotchas. **No open Phase 0 risks.**
-
----
-
-## 0. Decisions (LOCKED — principal-engineer calls)
-
-| # | Decision | Locked choice | Note |
-|---|---|---|---|
-| **D1** | Multi-DB / FGA store | **Decouple from main DB.** Embedded **SQLite = single-node/dev only**; **external Postgres/MySQL required for HA/multi-replica.** No custom datastore adapters for Mongo/Dynamo/etc. | ⚠️ SQLite cannot back multi-writer. **Honest cost: any HA install runs a second datastore** — the real price of the multi-DB moat for FGA. |
-| **D2** | Deployment | **Both, configurable.** Embedded default (single-binary for dev/single-node) + **external OpenFGA first-class** (HA/distributed/cloud-native). | — |
-| **D3** | Permissions API | **Replace `required_permissions` → `required_relations`.** Keep existing `roles`/`scope` filters for coarse gating; document **singleton-object pattern** (`feature:x#reader`) for capability checks. | `roles` filter already covers coarse RBAC; no dead fields kept. |
-| **D4** | Roles ↔ graph | **Dual: keep `roles` claim AND mirror role grants as tuples** (`role:x#assignee@user:y`), maintained by Authorizer on role assignment. | Required for `[role#assignee]` grants + `list_objects`. |
-| **Store** | Multi-tenancy | **Single global OpenFGA store; isolate tenants in the graph** (namespaced object IDs + org-membership relations). Per-store only for data-residency isolation. | OpenFGA stores aren't built for thousands of tenants. |
-| **Why** | Explainability | **OpenFGA `Expand` for "why"; log decision traces for denied sensitive checks.** No custom explainer. | Compliance requirement. |
-
-**Model-change governance:** the authorization model (DSL) is extremely powerful (one edit re-grants broadly) → admin-gated, audited, and staged (write new model version, validate, then activate).
-
-**What is NOT removed:** core auth — login, OAuth2/OIDC, token issuance, sessions, **roles** (`roles`/`allowed_roles` claims), **OAuth scopes**, and the **custom-token-script hook**. Only the FGA Resource/Scope/Policy/Permission subsystem is removed.
-
-> ⚠️ **Two different "scope" concepts — do not conflate.** (a) **OAuth `scope`** (the `scope` claim, `SessionQueryRequest.scope`, consent) is core OIDC — **untouched**. (b) The FGA **`Scope` entity** (resource scope) is what we delete. The removal inventory in §1 refers only to (b).
-
-### Auth0 authz layers — what coexists with OpenFGA
-OpenFGA covers only the ReBAC layer. The full Auth0-parity stack is layered; these layers are **retained and integrated**, not replaced:
-
-| Auth0 layer | Covered by | Plan action |
-|---|---|---|
-| OAuth/OIDC scopes (API gate) | OAuth scopes (existing) | Keep; checked **before** FGA (cheap coarse gate) |
-| RBAC roles → token | roles claims (existing) | Keep; bridge to graph per D4 |
-| ReBAC (object access) | **OpenFGA (new)** | This plan |
-| Actions/Rules (token pipeline) | `CustomAccessTokenScript` (existing) | Keep; expose `engine.Check`/`ListObjects` to it |
-| ABAC / conditional | **OpenFGA Conditions + contextual tuples** | Fold in — no separate ABAC engine |
-| Organizations / B2B | tuples (`org:X#member@user:Y`) + `org_id` claim | Model membership as tuples |
-| CIBA / Token Vault / RFC 8693 delegation | — | **Out of scope** (next agent-auth layer; FGA authorizes, doesn't implement) |
-
-**Enforcement order at runtime:** OAuth scope check → FGA `Check`. Both must pass.
-
----
-
-## 1. Removal inventory (what "completely remove" deletes)
-
-Verifiable by `grep` returning zero hits post-removal (excluding OpenFGA-new code).
-
-**Backend — storage**
-- `internal/storage/schemas/`: `resource.go`, `scope.go`, `policy.go`, `permission.go` (Resource, Scope, Policy, PolicyTarget, Permission, PermissionScope, PermissionPolicy, and the `*WithPolicies`/`*View` denorm types)
-- Provider interface methods in `internal/storage/provider.go`: all `*Resource`, `*Scope`, `*Policy`, `*PolicyTarget`, `*Permission`, `*PermissionScope`, `*PermissionPolicy`, `GetPermissionsForResourceScope`
-- All 6 DB implementations of the above: `db/sql/`, `db/mongodb/`, `db/arangodb/`, `db/cassandradb/`, `db/couchbase/`, `db/dynamodb/` (`resource.go`, `scope.go`, `policy.go`, `permission.go` in each)
-- AutoMigrate / collection-creation entries for those schemas in each `db/*/provider.go`
-- `schemas/model.go` `CollectionList` entries for those collections
-
-**Backend — engine**
-- `internal/authorization/` evaluator logic for resource/scope/policy (`evaluator.go`, parts of `cache.go`) — **repurposed**, not all deleted (the `Provider` interface + cache plumbing is reused by the new engine; see §3)
-
-**Backend — GraphQL**
-- `internal/graph/schema.graphqls`: types `AuthzResource(s)`, `AuthzScope(s)`, `AuthzPolicy/Target/Policies`, `AuthzPermission(s)`, `Permission`, `PermissionInput`; inputs `Add/Update Resource/Scope/Policy/Permission`, `PolicyTargetInput`; mutations `_authz_add/update/delete_{resource,scope,policy,permission}`; queries `_authz_{resources,scopes,policies,permissions}`, `permissions`
-- `internal/graphql/`: `authz_*.go` (16 files), `permission_check.go`, `permissions.go`
-
-**Dashboard**
-- `web/dashboard/src/pages/authorization/`: `Resources.tsx`, `Scopes.tsx`, `Policies.tsx`, `Permissions.tsx`
-- Authz entries in `graphql/mutation/index.ts`, `graphql/queries/index.ts`, `types.ts`
-
-**SDKs**
-- `authorizer-go`: `PermissionInput{Resource,Scope}`, `RequiredPermissions` fields on `get_session.go`, `validate_jwt_token.go`, `validate_session.go`
-- `authorizer-js`: `PermissionInput`, `Permission`, `required_permissions` on session/validate types
-
----
-
-## 2. Target architecture
-
-```
-Relying app / AI agent / MCP client
-        │  check(user, relation, object) · list_objects · batch_check
-        ▼
-Authorizer GraphQL  ──►  AuthorizationEngine (OpenFGA)
-   _fga_* admin              ├─ embedded openfga lib (default)   ┐
-   fga_check / list          └─ external openfga (gRPC, config)  ┘
-        │                                  │
-   validate_jwt_token / validate_session / session
-   (required_permissions → relation checks)
-                                           ▼
-                              FGA tuple store (SQLite | Postgres | MySQL)
-```
-
-- **Model**: OpenFGA authorization model (DSL) — types, relations, conditions.
-- **Data**: relationship tuples `(object, relation, user)`.
-- **Decision**: `Check`; **retrieval**: `ListObjects` (RAG pre-filter), `BatchCheck`.
-
-### 2.1 Deployment modes (single-node / HA / serverless)
-The FGA store is the deciding factor. Same engine, different backing.
-
-| Mode | Engine | FGA store | Migrations | Notes |
-|---|---|---|---|---|
-| **Single-node / dev** | embedded | **SQLite file** | on boot (idempotent) OK | one process only; WAL sidecar files on local disk |
-| **HA / multi-replica** | embedded *or* external | **external Postgres/MySQL** | **separate init job** | SQLite cannot back multiple writers |
-| **Serverless** (Lambda/Cloud Run-scale/Vercel/Fly) | **external OpenFGA service preferred** (or embedded engine → external SQL) | **external managed Postgres/MySQL behind a connection pooler** | **separate init job; NEVER on cold start** | see rules below |
-
-**Serverless rules (review-derived — embedded-SQLite is NOT serverless-compatible):**
-- ❌ **No embedded SQLite** — ephemeral, non-shared disk; N concurrent instances can't share one file. Serverless ⇒ external SQL store, same constraint as HA but stricter.
-- ❌ **No migrate-on-cold-start** — run `migrate.RunMigrations` as a deploy/init job; concurrent cold starts must not race migrations and must not pay init latency.
-- ⚠️ **Connection pooling required** — per-instance pgx pools × many instances = connection explosion. Front Postgres with pgbouncer / RDS Proxy / provider pooling.
-- ⚠️ **Flush before response on freeze platforms (Lambda)** — OpenFGA workers and Authorizer's fire-and-forget audit goroutine (incl. the delegation audit chain) may be frozen post-response; ensure audit writes complete before returning, or enqueue.
-- ✅ **External `memory_store`** (Redis/DB) already serverless-ready — used for sessions, the FGA decision cache (embedded mode only), and the delegation revocation list.
-- ✅ **Don't cache FGA decisions in external mode** (locked rule) — so no stale-allow across ephemeral instances.
-- **Platform fit:** Cloud Run/Fly (process alive while warm) tolerate the embedded engine + external store; Lambda/Vercel (freeze-based) prefer the **external OpenFGA service** so the function binary stays lean and no in-process engine state depends on the frozen runtime.
-
----
-
-## 3. Phased plan (goal-driven; each phase has a verify gate)
-
-### Phase 1 — Engine seam + OpenFGA embed
-1. Add `internal/authorization/engine` interface: `Check(ctx, user, relation, object, ctxTuples) (bool, error)`, `ListObjects(ctx, user, relation, type) ([]string, error)`, `BatchCheck`, `WriteTuples`, `DeleteTuples`, `ReadTuples`, `WriteModel`, `ReadModel`.
-2. Vendor `github.com/openfga/openfga` as an in-process library; implement `engine.openfga`.
-3. Wire FGA store config: `--fga-store=sqlite|postgres|mysql`, `--fga-store-url`, `--fga-mode=embedded|external`, `--fga-external-url`.
-4. Init in `cmd/root.go` after Storage/MemoryStore.
-
-→ **Verify:** unit test writes a model + tuples, `Check` returns expected allow/deny against the embedded store; server boots with `--fga-mode=embedded` on a Mongo main DB.
-
-### Phase 2 — Remove bespoke storage + engine *(deferred one release — review fix #4)*
-**Do not big-bang.** Ship Phase 1's SPI with **both** engines for one release: OpenFGA default, old `policy` engine still selectable (`--authorization-engine=fga|policy`). Validate FGA in production, *then* remove the old engine in the following release. The "completely remove" directive still holds — just one release later, behind the seam that exists precisely to de-risk this.
-1. (Release N) Both engines live behind SPI; default `fga`.
-2. (Release N+1) Delete schemas, provider methods, and all 6 DB impls per §1; remove AutoMigrate / collection entries; delete dead `evaluator.go` resource/scope/policy paths (keep cache plumbing reused by the new engine).
-
-→ **Verify:** N: both engines pass integration tests. N+1: `grep -r "Resource\|Scope\|Policy\|Permission" internal/storage` returns only unrelated hits; `go build ./...` green; `make test-all-db` green.
-
-### Phase 3 — GraphQL API replacement (breaking)
-1. Remove all `_authz_*` + `permissions` + `Permission*` schema/resolvers.
-2. Add admin model/tuple management (admin-gated, `_` prefix):
-   - `_fga_write_model(params): FgaModel!` / `_fga_get_model: FgaModel!`
-   - `_fga_write_tuples(params: [FgaTupleInput!]!): Response!`
-   - `_fga_delete_tuples(params: [FgaTupleInput!]!): Response!`
-   - `_fga_read_tuples(params: FgaReadInput!): FgaTuples!`
-3. Add runtime check API (authenticated, principal = `user:<id>`):
-   - `fga_check(params: FgaCheckInput!): FgaCheckResponse!`
-   - `fga_list_objects(params: FgaListObjectsInput!): FgaObjects!`
-   - `fga_batch_check(params: [FgaCheckInput!]!): [FgaCheckResponse!]!`
-   - `FgaCheckInput { object: String!, relation: String!, context: Map }`
-4. `make generate-graphql`.
-
-→ **Verify:** integration test: admin writes model+tuples via GraphQL, authenticated user gets correct `fga_check`/`fga_list_objects` results; old `_authz_*` ops return "unknown field".
-
-### Phase 4 — session / validate_session / validate_jwt (the API the user flagged) *(D3 — review fix #2)*
-**Coarse vs fine are different questions — don't force capabilities into ReBAC.**
-- **Coarse gating stays** on the existing `roles` (and `scope`) filters — pure "user must have role/scope X" needs no graph.
-- **Fine gating is new:** replace `required_permissions` with `required_relations: [{object, relation}]` (AND, OpenFGA `Check` with `user:<principal.ID>`).
-- **Capability-style checks** (e.g., "can read reports at all") use the **singleton-object pattern** — model `feature:reports#reader` and check `{object: "feature:reports", relation: "reader"}`. Documented, not awkward.
-1. Schema: remove `required_permissions: [PermissionInput!]`; add `required_relations: [FgaRelationCheck!]` on `SessionQueryRequest`, `ValidateJWTTokenRequest`, `ValidateSessionRequest`. Keep `roles`/`scope` filters untouched.
-2. Replace `enforceRequiredPermissions` → `enforceRequiredRelations`: loop `engine.Check(user, rel.relation, rel.object)`, AND semantics, fail-closed, keep metrics/labels shape.
-3. Update `session.go`, `validate_jwt_token.go`, `validate_session.go` call sites.
-
-→ **Verify:** `validate_session` with a satisfied relation → authorized; unsatisfied → `unauthorized`; empty list still authorizes; existing `roles` filter still gates coarsely.
-
-### Phase 5 — Dashboard
-Replace `pages/authorization/{Resources,Scopes,Policies,Permissions}.tsx` with:
-1. **Authorization Model** page — DSL editor (textarea + validate-on-save via `_fga_write_model`), shows current model + version.
-2. **Relationship Tuples** page — table + add/delete (`object`, `relation`, `user`), backed by `_fga_read/write/delete_tuples`.
-3. **Access Tester** page — form (`user`, `relation`, `object`) → calls `fga_check`, shows allow/deny + (optionally) `expand`.
-4. Update `graphql/mutation|queries/index.ts`, `types.ts`, route stays `authorization/*`.
-
-→ **Verify:** `make build-dashboard` green; manual: define model, add tuple, tester returns allow; remove tuple, tester returns deny.
-
-### Phase 6 — SDKs (client-facing surface only, per agreed scope — no admin CRUD)
-**authorizer-go** and **authorizer-js**:
-1. Remove `PermissionInput`/`Permission`/`required_permissions`.
-2. Add `required_relations` to `GetSession`/`ValidateJWTToken`/`ValidateSession` params.
-3. Add client methods: `FgaCheck`, `FgaListObjects`, `FgaBatchCheck` (+ a thin `FgaRetriever`-style helper for RAG pre-filtering in each).
-
-→ **Verify:** SDK unit tests against a running server: `FgaCheck` allow/deny correct; `FgaListObjects` returns expected IDs; `ValidateSession` honors `required_relations`.
-
-### Phase 7 — Auth0 import tool + Docs *(review fix #7 — the migration value, actually built)*
-1. **Auth0 FGA → Authorizer import** CLI/endpoint: ingest an Auth0/OpenFGA **model (DSL)** and **tuple export** → write via `_fga_write_model` / `_fga_write_tuples`. This is the headline migration deliverable; without it "ports 1:1" is just a claim.
-2. `MIGRATION.md`: breaking-change notes + Auth0-FGA→Authorizer mapping; singleton-object pattern guide for coarse checks.
-3. Document `--fga-*` flags, **SQL-store requirement (single-node SQLite vs HA external Postgres/MySQL — D1)**, embedded vs external.
-4. Update `ROADMAP_V2.md`: FGA = OpenFGA ReBAC.
-
-→ **Verify:** a real Auth0 FGA export imports and `fga_check` reproduces the same decisions; a follower can stand up FGA from the guide alone.
-
----
-
-## 4. Cross-cutting
-
-- **Audit/metrics:** mirror existing `RecordAuthzCheck` / required-permissions metric shape for the new check + relation paths (low-cardinality labels).
-- **Cache (review fix #5 — don't double-cache):** **only cache in embedded mode**, where Authorizer intercepts every tuple/model write and can invalidate; key on `(user, relation, object, model_version)`. In **external mode, do NOT layer Authorizer's cache** — tuples can be written directly to OpenFGA, so rely on OpenFGA's own consistency/caching. A second cache there = stale-allow bug.
-- **`list_objects` cost (review fix #9):** expensive + an enumeration surface → mandatory pagination, result cap, latency budget, and rate-limit/DoS guards on `fga_list_objects`.
-- **Security:** `_fga_*` admin-gated (`IsSuperAdmin`); `fga_*` authenticated, principal pinned to token `sub` (never client-supplied user); fail-closed on engine error. **Model edits** admin-gated + audited + staged (write→validate→activate).
-- **Test matrix:** `make test-all-db` must pass to prove removal left no DB-impl dangling refs, even though the FGA store itself is SQL-only.
-
-## 5. Ordering / rollout *(review fix #4 — seam, not big-bang)*
-- **Release N:** Phase 1 (SPI + embed) + Phases 3/4 (new API) ship with **both engines** behind `--authorization-engine`, default `fga`. Old engine still selectable.
-- **Release N+1:** Phase 2 removal once FGA is validated in production.
-- **Then:** 5 (dashboard) + 6 (SDKs) once the API is frozen; 7 (import tool + docs).
-- **Prereqs (review fix #10):** Wave-2 delegation depends on agent identity + M2M/client-credentials (roadmap Phase 2) and OAuth 2.1 AS / DCR (Phase 4.1) — not started here.
-
-## 6. Open risks
-1. **D1 multi-DB** — the central tradeoff (above).
-2. **Embedding maturity** — confirm `openfga` embeds cleanly as a lib (Phase 0 spike) vs. forcing external mode.
-3. **Consistency window** — document OpenFGA consistency options for distributed deployments.
-4. **SDK scope** — admin tuple CRUD intentionally excluded from SDKs (matches agreed client-facing-only scope).
diff --git a/ROADMAP_V2.md b/ROADMAP_V2.md
index c6fc6755..beba9319 100644
--- a/ROADMAP_V2.md
+++ b/ROADMAP_V2.md
@@ -18,10 +18,10 @@
 | 13+ Database backends | Done | Unique differentiator |
 | Rate Limiting / Brute Force | Missing | No protection at all |
 | M2M / Client Credentials | Missing | No service accounts or API keys |
-| Fine-Grained Permissions | In progress (pre-stable) | RBAC/ABAC Resource/Scope/Policy/Permission engine exists; migrating to OpenFGA ReBAC — see FGA_OPENFGA_MIGRATION_PLAN.md |
+| Fine-Grained Permissions | In progress (pre-stable) | RBAC/ABAC Resource/Scope/Policy/Permission engine exists; migrating to OpenFGA ReBAC — see specs/FGA_OPENFGA_MIGRATION_PLAN.md (authorizer-docs repo) |
 | SAML | Missing | Zero support |
 | SCIM / Directory Sync | Missing | No provisioning |
-| Audit Logs | Partial | Structured AuditLog + audit provider exist (single actor); needs delegation-chain fields for agents — see AGENTIC_DELEGATION_DESIGN.md |
+| Audit Logs | Partial | Structured AuditLog + audit provider exist (single actor); needs delegation-chain fields for agents — see specs/AGENTIC_DELEGATION_DESIGN.md (authorizer-docs repo) |
 | Bot Detection | Missing | No CAPTCHA, no fingerprinting |
 | Monitoring / Metrics | Missing | Health check only, no Prometheus |
 | MCP Auth | Missing | No OAuth 2.1 AS capabilities |
@@ -330,7 +330,7 @@ These are table-stakes features that every competitor has. Without them, Authori
 
 ## Agentic Authorization Track (cross-phase sequencing)
 
-> A re-sequencing lens over the items above, ordered by dependency for enterprise + agentic auth. Authorization for agents is a **pipeline**, not one feature; each wave builds on the last. ReBAC is necessary but not sufficient. Design detail: `FGA_OPENFGA_MIGRATION_PLAN.md`, `AGENTIC_DELEGATION_DESIGN.md`.
+> A re-sequencing lens over the items above, ordered by dependency for enterprise + agentic auth. Authorization for agents is a **pipeline**, not one feature; each wave builds on the last. ReBAC is necessary but not sufficient. Design detail: `../authorizer-docs/specs/FGA_OPENFGA_MIGRATION_PLAN.md`, `../authorizer-docs/specs/AGENTIC_DELEGATION_DESIGN.md`.
 
 **The pipeline (evaluated per request):** Identity → Authentication → Token/Delegation → Authorization (scope → RBAC → ReBAC → ABAC → list_objects) → Human-in-the-loop → Governance.
 
diff --git a/docs/fga-rebac-guide.md b/docs/fga-rebac-guide.md
deleted file mode 100644
index 45a31d5c..00000000
--- a/docs/fga-rebac-guide.md
+++ /dev/null
@@ -1,164 +0,0 @@
-# Authorizer ReBAC guide (OpenFGA)
-
-Authorizer's fine-grained authorization (FGA) embeds OpenFGA in-process and
-models access as **relationships** between objects, not as flat per-user grants.
-This guide covers the patterns that make ReBAC worth using — hierarchy and
-inheritance — plus two things that are easy to get wrong: which kind of "role"
-you are dealing with, and how to identify subjects.
-
-## 1. Two kinds of "role" — they can and should differ
-
-| | Authorizer (app) roles | FGA roles |
-|---|---|---|
-| What | Configured via `--roles`; carried in the JWT `roles` claim. Read in the dashboard via the admin-only `_admin_meta` query. | Relations in the model (`editor`) and `role:` objects (`role:editor`). |
-| Scope | Global, coarse, identity-level — "is this principal an admin at all". | Fine-grained, object-scoped — "editor **of** `resource:301`". |
-| Lives in | The token. | The authorization graph (model + tuples). |
-
-They are **decoupled by design**. FGA roles are usually more granular than app
-roles (a `viewer` *of one org*, an `editor` *of one document*), so an FGA role
-name does **not** have to be one of your configured app roles. Forcing parity
-would throw away ReBAC's main advantage. If you want a specific app role to be
-globally assignable in the graph, *mirror it* as a tuple
-(`role:admin#assignee@user:<id>`) — don't equate the two sets.
-
-## 2. Always identify subjects by user **ID**, never by name
-
-A tuple's subject is `user:<id>`. Use the user's **immutable id** (Authorizer's
-user UUID), e.g.:
-
-```
-user:1b9d6bcd-bbfd-4b2d-9b5d-ab8dfbbd4bed   ✅ stable, unique
-user:alice                                  ❌ names aren't unique and change
-```
-
-Display names and emails are not unique and can change; the user id is stable
-for the lifetime of the account. The dashboard and docs use `user:<id>`
-placeholders (or short ids like `user:1b9d…`); in real tuples, use the full id.
-The same applies to objects: identify orgs, projects and resources by their ids
-(`organization:101`), never by name. The one exception is `role:` objects,
-which are keyed by the role name by design (`role:editor#assignee`).
-
-(The engine does not hard-enforce an id format, because a subject can also be a
-wildcard `user:*` or a userset like `group:9#member` / `role:editor#assignee`.
-The id convention is a guideline, not a validation.)
-
-## 3. Hierarchy: grant once, inherit everywhere
-
-The canonical model is `organization → project → resource`, where each level
-inherits viewer/editor from its parent via `X from parent`:
-
-```dsl
-model
-  schema 1.1
-type user
-type organization
-  relations
-    define admin: [user]
-    define editor: [user] or admin
-    define viewer: [user] or editor
-    define can_view: viewer
-    define can_edit: editor
-type project
-  relations
-    define org: [organization]
-    define editor: [user] or editor from org
-    define viewer: [user] or editor or viewer from org
-    define can_view: viewer
-    define can_edit: editor
-type resource
-  relations
-    define project: [project]
-    define editor: [user] or editor from project
-    define viewer: [user] or editor or viewer from project
-    define can_view: viewer
-    define can_edit: editor
-```
-
-The roles are **concentric** — `viewer: [user] or editor` means an editor is
-automatically a viewer, so you never grant both. (This follows OpenFGA's
-concentric-relationships guidance: owner ⊃ editor ⊃ viewer.)
-
-This is the **"Org → project → resource"** example in the dashboard model
-builder (Step 1 → Advanced → Browse examples).
-
-### Wire up the structure once
-
-```
-organization:101  org      project:201     # project belongs to org
-project:201     project  resource:301      # resource belongs to project
-project:201     project  resource:302
-```
-
-### Grant once, high in the tree
-
-```
-user:1b9d…  viewer  organization:101          # one tuple
-```
-
-Now every check below inherits — **no per-resource tuples needed**:
-
-```
-Check(user:1b9d…, can_view, organization:101) → allowed
-Check(user:1b9d…, can_view, project:201)    → allowed   (viewer from org)
-Check(user:1b9d…, can_view, resource:301)     → allowed   (viewer from project ← from org)
-Check(user:1b9d…, can_view, resource:302)     → allowed
-```
-
-A viewer does **not** inherit edit:
-
-```
-Check(user:1b9d…, can_edit, resource:301)     → denied
-```
-
-`ListObjects(user:1b9d…, can_view, "resource")` returns
-`["resource:301", "resource:302"]` — the whole subtree, from one grant.
-
-## 4. Fine-grained grants coexist with the hierarchy
-
-Inheritance does not stop you from granting a single object directly. A direct
-grant stays **scoped to that object**:
-
-```
-user:2c8e…  editor  resource:301              # one resource only
-```
-
-```
-Check(user:2c8e…, can_edit, resource:301)     → allowed   (direct grant)
-Check(user:2c8e…, can_view, resource:301)     → allowed   (concentric: editor ⊃ viewer)
-Check(user:2c8e…, can_edit, resource:302)     → denied    (does NOT leak to siblings)
-Check(user:2c8e…, can_view, resource:302)     → denied
-```
-
-So you compose **broad inherited access** (grant on the org/project) with
-**narrow exceptions** (grant on a single resource) in the same model.
-
-## 5. What the save paths validate
-
-- **`_fga_write_model`** parses the DSL and runs OpenFGA's model-consistency
-  check (relations reference defined types, no illegal cycles). It does **not**
-  validate role names against app roles.
-- **`_fga_write_tuples`** validates each tuple **against the active model** — the
-  object type must exist and the relation must be defined on it, with an allowed
-  user type. A tuple referencing an undefined relation/type is rejected. It does
-  **not** validate `role:<x>` ids or `user:<id>` against any external list.
-
-Both surfaces are super-admin gated and audited. The dashboard model builder
-starts from a standard `admin / editor / viewer` set and offers the instance's
-configured roles (read via `_admin_meta`) as optional one-click additions — FGA
-roles are free to diverge from app roles (see §1).
-
-## Where this lives in the code
-
-- Engine: `internal/authorization/engine/openfga/` (`openfga.go` bootstrap +
-  `Config`, `operations.go` model/tuple/check). SPI in
-  `internal/authorization/engine/engine.go`.
-- Hierarchy + fine-grained behaviour is covered by
-  `internal/authorization/engine/openfga/hierarchy_test.go`.
-- Every shipped model (dashboard example catalog, editor placeholder, and the
-  DSL in this guide) is validated against the real embedded engine by
-  `internal/authorization/engine/openfga/examples_validation_test.go` — the
-  in-repo equivalent of `fga model validate`.
-- Dashboard examples: `web/dashboard/src/pages/authorization/modelDsl.ts`
-  (`MODEL_EXAMPLES`), tested in `modelDsl.test.ts`.
-- `_admin_meta` query: `internal/graphql/admin_meta.go` (super-admin gated),
-  tested in `internal/integration_tests/admin_meta_test.go`.
diff --git a/docs/specs/2026-06-08-migration-tool-design.md b/docs/specs/2026-06-08-migration-tool-design.md
deleted file mode 100644
index a05821d8..00000000
--- a/docs/specs/2026-06-08-migration-tool-design.md
+++ /dev/null
@@ -1,282 +0,0 @@
-# Authorizer Migration Tool — Design Spec
-
-**Status:** Draft for review
-**Date:** 2026-06-08
-**Author:** Principal Engineering
-**Scope:** A zero-downtime migration tool to move users, credentials, and configuration into Authorizer from Auth0, Clerk, WorkOS, Keycloak, Okta, and SuperTokens — plus the Authorizer core APIs required to support it.
-
----
-
-## 1. Problem & goals
-
-Authorizer (as a SaaS / self-hosted offering) wants to win customers off incumbent auth providers. The single biggest adoption blocker is migration risk: moving an existing user base without **(a)** forcing password resets, **(b)** a maintenance window, or **(c)** losing roles/MFA/social links.
-
-### Goals
-1. Migrate **users + credentials + social links + roles + MFA + org/tenant + client config** from six sources.
-2. **Zero downtime, zero forced reset** for the common case (coexistence migration with live cutover and rollback-before-cutover).
-3. Data never transits Authorizer SaaS unnecessarily — extraction runs in the customer's network.
-4. Idempotent, resumable, inspectable, dry-runnable.
-
-### Non-goals (v1)
-- Auto-applying org/tenant and OAuth-client/connection config into Authorizer (v1 = **report-only**, see §9).
-- True "no re-login" session continuity via foreign-JWKS bridging (v1 = **one silent re-auth at cutover**, see §7).
-- Reversible-after-cutover write-journaling (v1 = **forward-only after a validated bake**, see §7).
-- WebAuthn/passkey migration (cryptographically bound to original origin — re-enroll required).
-
----
-
-## 2. Research findings: what each source actually exposes
-
-Verified against current provider docs / source (June 2026). This table drives every connector's behavior.
-
-| Source | User profiles | Password hashes (self-serve?) | Hash algo | MFA/TOTP seeds | Social links | Roles/RBAC | Orgs/Tenants |
-|---|---|---|---|---|---|---|---|
-| **Keycloak** | ✅ realm export / Admin API | ✅ **Yes** — realm-export JSON | PBKDF2-sha256/512 (+iter+salt, 64-byte dk) | ✅ **Yes** — seed in export | ✅ `federatedIdentities` | ✅ realm/client roles, groups | realm = tenant |
-| **SuperTokens** | ✅ Core API (`GET /users`) | ✅ **Yes** — direct DB read (self-hosted) | **bcrypt default**, or argon2id | ✅ **Yes** — DB `totp_user_devices.secret_key` | ✅ `thirdParty` per loginMethod | ✅ roles recipe | ✅ multitenancy API |
-| **Clerk** | ✅ Backend API / Dashboard CSV | ✅ **Yes** — Dashboard CSV incl. hashes | bcrypt | ❌ no | ✅ `external_accounts` | ✅ org roles/perms | ✅ organizations |
-| **Auth0** | ✅ `POST /jobs/users-exports` | ⚠️ **support ticket only** (PGP, paid tier) | bcrypt (`$2a/$2b$`) | ⚠️ same PGP ticket | ✅ `identities[]` | ✅ Authorization Core | ✅ Organizations |
-| **Okta** | ✅ `GET /api/v1/users` | ❌ **Never** | n/a | ❌ no | ✅ IdP links | ✅ groups, roles | single org |
-| **WorkOS** | ✅ User Mgmt API | ❌ **Never** (reset/lazy) | n/a | ❌ no | ✅ AuthKit identities | ✅ roles | ✅ orgs + SSO conns |
-
-**Conclusion:** Hashes are obtainable from three sources directly (Keycloak/SuperTokens/Clerk), one with heavy effort (Auth0), never from two (Okta/WorkOS). Therefore the tool **must** support both a bulk-hash path and a live lazy/JIT path. Confirmed cross-reference: WorkOS's own "migrate from X" docs document the same realities and fall back to password-reset; we improve on that with live lazy verification.
-
-### Key source endpoints (for connectors)
-- **Auth0:** `POST /api/v2/jobs/users-exports` (NDJSON, 24h TTL, 60s download link); `GET /roles`, `/roles/{id}/permissions`, `/users/{id}/roles`; `/organizations/*`; `/clients` (+`read:client_keys` for secrets); `/connections` (+`read:connections_options` for social/SAML keys); `/resource-servers`; `/users/{id}/enrollments` (MFA metadata only). Mgmt token via M2M client-credentials, 24h expiry. **Password hashes + MFA secrets:** PGP support-ticket export only (`export-password-hashes-and-mfa-secrets`), not Free tier.
-- **Clerk:** `GET /v1/users` (Backend API, bcrypt `password_digest`/`password_hasher`); Dashboard CSV export includes hashes (since 2024-10-23); `/v1/organizations` + memberships; trickle-migration documented. Insecure hashers transparently upgraded to bcrypt on first login.
-- **WorkOS:** `GET /user_management/users` (cursor pagination); `/organizations`, `/organization_memberships`; `/connections` (SSO SAML/OIDC); `/directories` (SCIM). No hash export → lazy/reset. Import side accepts bcrypt/scrypt/firebase-scrypt/ssha/pbkdf2/argon2 in PHC.
-- **Keycloak:** realm export via `kc.sh export --users different_files` (credentials included) — `credentials[].secretData{value,salt}` + `credentialData{hashIterations,algorithm}` (PBKDF2, **64-byte derived key**, read per-credential iteration count); OTP creds carry the TOTP seed; `federatedIdentities`; `realmRoles`/`clientRoles`; groups; `/clients` (+secrets), `/identity-provider/instances` (+secrets). Admin token via `admin-cli` client-credentials.
-- **Okta:** `GET /api/v1/users` (limit 200, link-header cursor); `/idps` + `/idps/{id}/users`; `/users/{id}/factors` (no secrets); `/groups`; `/apps` (+`/apps/{id}/users`). SSWS or OAuth2 scopes (`okta.users.read`, …). **No hash export** → Okta Password Import Inline Hook is the lazy pattern (we mirror it in reverse).
-- **SuperTokens:** Core API `GET /users` (`paginationToken` loop), `/recipe/roles`, `/recipe/multitenancy/tenant/list`, `/recipe/user/metadata`; **hashes + TOTP secrets via direct DB read** (`emailpassword_users.password_hash`, `totp_user_devices.secret_key`); bulk-import API shape (`loginMethods[].passwordHash`+`hashingAlgorithm` ∈ {argon2,bcrypt,firebase_scrypt}, `totpDevices[].secretKey`, `userRoles`, `userMetadata`, `externalUserId`) is the reference for our own import API.
-
----
-
-## 3. Architecture
-
-Three components.
-
-### (a) `authorizer-migrate` CLI (Go single binary)
-Matches Authorizer's stack. Runs in the **customer's network** so source data never transits Authorizer SaaS. Pipeline:
-
-```
-  extract                 transform/normalize          load
-┌──────────┐   source     ┌────────────────────┐      ┌──────────────────┐
-│ connector│──API/DB────▶ │  <source>.amf.json │ ───▶ │ Authorizer       │
-│ (source  │              │  (canonical AMF,    │      │ _import_users    │
-│  creds)  │              │   inspectable)     │      │ (admin creds)    │
-└──────────┘              └────────────────────┘      └──────────────────┘
-```
-
-Commands:
-- `authorizer-migrate extract --from <provider> --config <creds.yaml> --out users.amf.json [--since <ts>]`
-- `authorizer-migrate validate users.amf.json` (schema + referential integrity, offline)
-- `authorizer-migrate load --in users.amf.json --authorizer <url> --admin-secret … [--dry-run] [--resume]`
-- `authorizer-migrate report --in users.amf.json` (org/RBAC/client-config report, §9)
-
-Properties: **idempotent upsert** (`source`+`externalUserId`), **resumable** (checkpoint file), **dry-run**, **delta** (`--since`).
-
-### (b) AMF — Authorizer Migration Format
-One canonical JSON schema all connectors normalize into. Decouples extract (source creds) from load (target creds), gives a human review/edit/diff checkpoint, makes the pipeline idempotent + resumable. Sketch:
-
-```jsonc
-{
-  "amfVersion": "1.0",
-  "source": { "provider": "keycloak", "exportedAt": 1749312000, "realmOrTenant": "acme" },
-  "users": [
-    {
-      "externalUserId": "f8a...",            // stable source id → idempotency key
-      "email": "jane@acme.com",
-      "emailVerified": true,
-      "phoneNumber": null,
-      "givenName": "Jane", "familyName": "Doe",
-      "picture": "https://...",
-      "roles": ["admin", "billing"],
-      "credential": {
-        "type": "password_hash",             // password_hash | none (lazy) | reset
-        "algorithm": "pbkdf2-sha256",        // bcrypt | pbkdf2-sha256 | pbkdf2-sha512 | argon2id | scrypt | firebase-scrypt
-        "hash": "base64...",                  // normalized to PHC string where possible
-        "params": { "iterations": 27500, "salt": "base64...", "keyLen": 64 }
-      },
-      "identities": [
-        { "provider": "google", "providerUserId": "104...", "email": "jane@gmail.com" }
-      ],
-      "mfa": [
-        { "type": "totp", "secret": "BASE32SEED", "algorithm": "SHA1", "digits": 6, "period": 30 }
-      ],
-      "appData": { "sourceOrg": "acme", "legacyId": "..." },
-      "createdAt": 1700000000, "updatedAt": 1749000000
-    }
-  ],
-  "lazyMigration": {                          // present when source can't export hashes
-    "enabled": true,
-    "originProvider": "okta",
-    "verifyVia": "password-grant"             // how Authorizer re-verifies on first login
-  }
-}
-```
-
-`config-report` (orgs, roles tree, OAuth clients, connections) is emitted to a **separate** `*.report.json` consumed by `report`, not by `load` (v1 report-only).
-
-### (c) Authorizer core additions
-The "missing APIs." See §4–§6.
-
----
-
-## 4. New Authorizer APIs (the missing surface)
-
-Authorizer today has **no bulk import** and **no create-user-with-prehashed-password** path (`signup` hashes plaintext; `invite_members` invites). We add:
-
-### 4.1 `_import_users` — admin GraphQL mutation (async job)
-- Admin-authenticated (admin secret), behind the existing `_`-prefixed admin namespace.
-- Accepts a batch (≤ N per call, e.g. 1000) of canonical AMF user records.
-- Creates users with **pre-hashed passwords + algorithm metadata**, identities, roles, TOTP devices, `app_data`, and `externalUserId`+`source` for idempotency.
-- **Idempotent upsert:** re-running with the same `source`+`externalUserId` updates instead of duplicating (enables delta sync).
-- Returns a `jobID`.
-
-```graphql
-mutation { _import_users(params: ImportUsersInput!): ImportJob! }
-
-input ImportUsersInput {
-  source: String!                 # "auth0" | "keycloak" | ...
-  users: [ImportUserInput!]!
-  upsert: Boolean = true
-}
-input ImportUserInput {
-  external_user_id: String!
-  email: String
-  email_verified: Boolean
-  phone_number: String
-  given_name: String
-  family_name: String
-  picture: String
-  roles: [String!]
-  password_hash: String          # optional; omit for lazy/reset users
-  password_hash_algorithm: String # bcrypt | pbkdf2-sha256 | pbkdf2-sha512 | argon2id | scrypt | firebase-scrypt
-  password_hash_params: String   # JSON: iterations, salt, keyLen, memory, parallelism, etc.
-  identities: [ImportIdentityInput!]
-  mfa: [ImportMFAInput!]
-  app_data: String               # JSON
-  created_at: Int64
-  updated_at: Int64
-}
-```
-
-### 4.2 `_import_status(jobID)` + job resource
-Large tenants import async. Poll job progress and inspect per-row failures (mirrors SuperTokens' `bulk-import/users?status=FAILED`).
-
-```graphql
-query { _import_status(job_id: ID!): ImportJob! }
-type ImportJob { id: ID!  status: ImportStatus!  total: Int!  succeeded: Int!  failed: Int!  errors: [ImportRowError!]! }
-enum ImportStatus { QUEUED PROCESSING COMPLETED COMPLETED_WITH_ERRORS FAILED }
-type ImportRowError { external_user_id: String!  message: String! }
-```
-
----
-
-## 5. User schema change + multi-algorithm verifier
-
-**Today:** `User.Password *string` (bcrypt, `bcrypt.DefaultCost`), no algorithm column → a Keycloak PBKDF2 or SuperTokens argon2id hash cannot be verified after import.
-
-**Change (decision: add algo-metadata + multi-algo verify with transparent upgrade):**
-
-1. Add columns to `User` (all providers): `password_hash_algorithm *string`, `password_hash_params *string` (JSON). Nullable; null/empty ⇒ legacy bcrypt (back-compat — existing rows untouched).
-2. Add a `crypto` verifier registry: `bcrypt` (native, existing), `pbkdf2-sha256`, `pbkdf2-sha512`, `argon2id`, `scrypt`, `firebase-scrypt`. Each verifies a candidate password against `(hash, params)`.
-3. **Login path change:** on password verify, dispatch by `password_hash_algorithm`. On the **first successful** login against a non-bcrypt hash, **transparently re-hash to bcrypt** (`bcrypt.DefaultCost`), persist, and clear the algorithm/params columns. This is Clerk's upgrade model — within a tail period the whole base converges to native bcrypt and the foreign-algo code is exercised only transiently.
-
-**Verification:** import a hand-written AMF with one bcrypt, one pbkdf2-sha256, and one argon2id user; log in as each with the original password and get a session with **no reset**; confirm the non-bcrypt rows flip to bcrypt + null metadata after first login.
-
-**Security notes:** foreign-algo verifiers are constant-time-compared; params are validated (bounded iteration/memory to prevent a malicious AMF from triggering resource exhaustion); the existing dummy-bcrypt timing-equalization on login (`internal/graphql/login.go`) is extended to cover the dispatch so non-existent-user timing doesn't leak.
-
----
-
-## 6. Lazy / JIT migration-source (the zero-reset coexistence engine)
-
-For Okta & WorkOS (no hash export) **and** for any user whose password changed after the last delta, Authorizer verifies the password **live against the origin provider** on first login.
-
-**Decision: lives in Authorizer core** as a configurable *migration source* (not an external webhook), mirroring Auth0/Okta's own inline-hook pattern but in reverse.
-
-- New config object (DB-config, like other Authorizer settings): `migration_source { provider, base_url, credentials, verify_method }` where `verify_method` ∈ `{ password-grant, ropc, verify-endpoint }`.
-- A user imported via the lazy path carries `credential.type = none` and a dedicated nullable `User.migration_source *string` column (checked on the hot login path — avoids parsing `app_data`). Non-null ⇒ this user still needs origin verification.
-- **Failed-login hook:** when local verification fails (or there is no local hash) for a user with non-null `migration_source`, Authorizer calls the origin's password-grant/verify API with the submitted credentials. On success → mint an Authorizer session, **store the password as bcrypt**, null out `migration_source`. On failure → normal invalid-credentials.
-- Promoted from "Okta/WorkOS only" to a **general coexistence primitive** usable by all six connectors.
-
-**Verification:** configure an Okta migration source; import an Okta user with `credential.type=none`; log into Authorizer with the user's real Okta password → success, session issued, row now has a bcrypt hash and null `migration_source`; second login verifies locally (no origin call).
-
----
-
-## 7. Zero-downtime strategy
-
-Principle: **never a moment where neither provider can authenticate; never a forced reset or maintenance window.** Four layers:
-
-1. **Bulk pre-seed** — initial export → AMF → `_import_users`. Authorizer runs as a **shadow**; app still points at the old provider. Most users immediately authenticatable where hashes are exportable.
-2. **Repeatable delta sync** — `extract --since <ts>` + idempotent `load` upsert, scheduled (e.g. hourly), keeps the shadow current as users sign up / edit profiles in the old system.
-3. **Live lazy verify-against-origin (§6)** — the correctness guarantee: whatever the user's *current* origin password is, it validates live on first login. **Delta sync therefore never needs to carry passwords for correctness** — only profile freshness and lazy-load reduction.
-4. **Staged cutover + rollback:**
-
-```
-Coexist:      app → OLD (authoritative).  CLI bulk + delta → Authorizer (shadow, READ-ONLY from source).
-Cutover:      flip app auth → Authorizer (config/DNS). Authorizer authoritative for writes.
-              Lazy hook verifies stragglers live against OLD (read-only). No more writes to OLD.
-Decommission: after tail period + final reconciliation, disable OLD + lazy hook.
-```
-
-Because coexistence is **read-only from the source**, rollback *before* cutover is a no-op and the source is never mutated.
-
-### Decided tradeoffs
-- **Session continuity = one silent re-auth at cutover.** Old-provider JWTs aren't trusted post-cutover; users re-authenticate once (seamless via bulk hash or lazy verify — no reset, no error). No foreign-JWKS bridging in v1.
-- **Rollback = forward-only after a validated bake.** Cutover begins with a canary (e.g. 1–2% traffic or a pilot tenant) that is validated; once full cutover is confirmed healthy, forward-only. No write-journaling / reverse-sync in v1.
-
-### Deliverable: cutover runbook
-A checklist doc (pre-flight credential/scope checks, pre-seed, delta cadence, canary, validation queries, go/no-go, rollback-before-cutover procedure, decommission criteria) shipped alongside the CLI.
-
----
-
-## 8. Per-provider connector behavior
-
-| Connector | Profiles | Password disposition | MFA | Notes |
-|---|---|---|---|---|
-| **Keycloak** | realm export | **bulk hash** (PBKDF2 → multi-algo verify) | **bulk TOTP seed** | best case; per-credential iterations; realm→instance |
-| **SuperTokens** | Core API + DB | **bulk hash** (bcrypt direct / argon2id via multi-algo) | **bulk TOTP seed** (DB) | DB read for hash+seed; account-linking → identities |
-| **Clerk** | Backend API / CSV | **bulk hash** (bcrypt) | re-enroll | CSV includes hashes |
-| **Auth0** | export job | **bulk hash if PGP export obtained**, else **lazy** | bulk if PGP, else re-enroll | NDJSON→JSON; identities[] |
-| **Okta** | Users API | **lazy** (verify-against-origin) | re-enroll | mirrors Okta Password Import Hook in reverse |
-| **WorkOS** | User Mgmt API | **lazy** | re-enroll | SSO/Directory config → report |
-
-Each connector: paginates fully (no silent caps — log dropped/over-limit), normalizes to AMF, supports `--since`.
-
----
-
-## 9. Scope mapping for orgs / RBAC / client-config (v1 = report-only)
-
-- **Orgs/tenants:** Authorizer is single-tenant per instance. Map **1 Keycloak realm / 1 Auth0 tenant / 1 WorkOS org-set → 1 Authorizer instance.** Multi-org sources emit a **mapping report**; org membership is preserved as a role and/or `app_data.sourceOrg` namespace (no silent loss).
-- **RBAC:** source roles/permissions → Authorizer roles + the new **FGA permission model**; emitted to the report with a proposed mapping the customer confirms.
-- **App/client & connection config** (OAuth clients, social keys, SAML/OIDC enterprise connections): exported into the report (secrets flagged, never auto-written). Customer applies via Authorizer's DB-config. **Rationale:** these are low-volume, high-blast-radius config objects; auto-writing them into a single-tenant instance is risky and provider-shape-specific. Auto-apply is a post-v1 candidate.
-
----
-
-## 10. Phasing & milestones (each ships + verifies independently)
-
-| Phase | Deliverable | Verify |
-|---|---|---|
-| **0** | User schema columns + multi-algo verifier + transparent upgrade (§5) | bcrypt+pbkdf2+argon2id users log in from hand-written AMF, no reset; non-bcrypt flips to bcrypt post-login |
-| **1** | `_import_users` + `_import_status` async job (§4) | import 10k-row AMF; idempotent re-run upserts; failures surfaced per-row |
-| **2** | AMF spec + CLI skeleton (`extract`/`validate`/`load`, dry-run, resume, `--since`) | round-trip a sample AMF; resume after kill; dry-run mutates nothing |
-| **3** | Connectors (hash-friendly order): Keycloak → SuperTokens → Clerk → Auth0 | each extracts to valid AMF; bulk-hash users log in post-load with no reset |
-| **4** | Migration-source + failed-login hook (§6); Okta + WorkOS connectors | Okta user logs into Authorizer with old password → silently upgraded |
-| **5** | Zero-downtime cutover runbook + delta-sync scheduling guide (§7) | dry-run a full coexist→delta→cutover on a pilot tenant |
-| **6** | `report` command: orgs/RBAC/client-config (§9) | report lists every org/role/client/connection with proposed mapping |
-
----
-
-## 11. Risks & open questions
-
-- **Auth0 hash export is gated** (PGP + paid tier + CISO sign-off). For customers who can't/won't, Auth0 falls to the lazy path — document this prominently; it's the main "it depends" in the matrix.
-- **argon2id params** must be carried exactly (memory/iterations/parallelism); a mismatch silently fails verification. Validate on `load`.
-- **Keycloak iteration counts are per-credential** and version-dependent — never hardcode; read each credential. Confirm 64-byte derived-key length against the customer's Keycloak version.
-- **Delta-sync window for profile writes** (not passwords) made in the old system between last delta and cutover are lost unless cutover stops old-system writes — handled by the "old is authoritative until cutover, then writes move to Authorizer" rule; flag in runbook.
-- **Rate limits** (Auth0 Mgmt API, Okta org-wide concurrency) — connectors must backoff; large exports use the async export job where available, not page-scan.
-- **PII handling** — AMF files contain hashes/seeds/PII; CLI writes them `0600`, supports encryption-at-rest for the AMF file, and the runbook mandates secure deletion post-migration.
-
----
-
-## 12. Out of scope (v1)
-WebAuthn/passkey migration; foreign-JWKS session bridging; reversible-after-cutover write-journaling; auto-applying org/client config; non-listed source providers (Cognito/Firebase/Supabase — future connectors, AMF already accommodates them).
diff --git a/internal/authorization/engine/openfga/examples_validation_test.go b/internal/authorization/engine/openfga/examples_validation_test.go
index 8d9099ac..6dc23ec4 100644
--- a/internal/authorization/engine/openfga/examples_validation_test.go
+++ b/internal/authorization/engine/openfga/examples_validation_test.go
@@ -12,18 +12,15 @@ import (
 
 // These tests are the in-repo equivalent of `fga model validate` (the
 // openfga/agent-skills "always validate models" workflow step): every DSL we
-// ship — the dashboard example catalog, the model-editor placeholder, and the
-// docs guide — is run through the real embedded engine, so a malformed example
-// can never reach users.
+// ship — the dashboard example catalog and the model-editor placeholder — is
+// run through the real embedded engine, so a malformed example can never
+// reach users.
 
 // tsDslRe matches TypeScript template literals holding an OpenFGA model. The
 // DSL never contains a backtick, so a lazy match to the closing backtick is
 // safe.
 var tsDslRe = regexp.MustCompile("(?s)`model\n  schema 1\\.1.*?`")
 
-// mdDslRe matches fenced code blocks in markdown holding an OpenFGA model.
-var mdDslRe = regexp.MustCompile("(?s)```[a-z.]*\n(model\n  schema 1\\.1.*?)```")
-
 // validateAll writes each extracted DSL to a fresh embedded engine and fails
 // with the engine's own error message on the first invalid one.
 func validateAll(t *testing.T, source string, dsls []string) {
@@ -67,18 +64,3 @@ func TestModelEditorPlaceholderIsValidOpenFGADSL(t *testing.T) {
 	}
 	validateAll(t, "Model.tsx", dsls)
 }
-
-func TestRebacGuideModelsAreValidOpenFGADSL(t *testing.T) {
-	const path = "../../../../docs/fga-rebac-guide.md"
-	content, err := os.ReadFile(path)
-	require.NoError(t, err)
-
-	groups := mdDslRe.FindAllStringSubmatch(string(content), -1)
-	require.NotEmpty(t, groups, "expected at least one model block in %s", path)
-
-	dsls := make([]string, 0, len(groups))
-	for _, g := range groups {
-		dsls = append(dsls, g[1])
-	}
-	validateAll(t, "fga-rebac-guide.md", dsls)
-}

From 94ea4759cc647c308c7bf0296b0f53d975da2153 Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Thu, 11 Jun 2026 10:03:49 +0530
Subject: [PATCH 32/39] security(fga): cap contextual tuples per check at the
 API boundary

check_permissions accepted unbounded contextual-tuple arrays from any
authenticated caller, relying on the embedded OpenFGA default limit as the
only guard. Enforce an explicit cap (100) in toContextualTuples with unit
coverage so the boundary no longer depends on engine configuration.
---
 internal/graphql/fga.go      |  9 ++++++
 internal/graphql/fga_test.go | 60 ++++++++++++++++++++++++++++++++++++
 2 files changed, 69 insertions(+)
 create mode 100644 internal/graphql/fga_test.go

diff --git a/internal/graphql/fga.go b/internal/graphql/fga.go
index bcc24b95..48f718d3 100644
--- a/internal/graphql/fga.go
+++ b/internal/graphql/fga.go
@@ -34,6 +34,12 @@ const maxFgaListResults = 1000
 // check_permissions call.
 const maxPermissionChecks = 100
 
+// maxContextualTuplesPerCheck caps client-supplied contextual tuples on a
+// single check. OpenFGA enforces its own per-request limit (default 100), but
+// the boundary must not depend on the embedded engine's configuration —
+// contextual tuples are accepted from any authenticated caller.
+const maxContextualTuplesPerCheck = 100
+
 // resolveFgaSubject is the single, centralized trust gate for the public
 // permission APIs (check_permissions, list_permissions). It decides which
 // OpenFGA subject ("type:id") a decision is evaluated for, given the optional
@@ -124,6 +130,9 @@ func toContextualTuples(in []*model.FgaTupleInput) ([]engine.ContextualTuple, er
 	if len(in) == 0 {
 		return nil, nil
 	}
+	if len(in) > maxContextualTuplesPerCheck {
+		return nil, fmt.Errorf("too many contextual tuples: max %d per check", maxContextualTuplesPerCheck)
+	}
 	out := make([]engine.ContextualTuple, 0, len(in))
 	for _, t := range in {
 		if t == nil || strings.TrimSpace(t.User) == "" || strings.TrimSpace(t.Relation) == "" || strings.TrimSpace(t.Object) == "" {
diff --git a/internal/graphql/fga_test.go b/internal/graphql/fga_test.go
new file mode 100644
index 00000000..9a7de731
--- /dev/null
+++ b/internal/graphql/fga_test.go
@@ -0,0 +1,60 @@
+package graphql
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+
+	"github.com/authorizerdev/authorizer/internal/graph/model"
+)
+
+// TestToContextualTuples covers the public-boundary validation for
+// client-supplied contextual tuples: empty input, field presence, and the
+// per-check count cap that must hold regardless of the embedded engine's own
+// limits.
+func TestToContextualTuples(t *testing.T) {
+	t.Run("nil input returns nil without error", func(t *testing.T) {
+		out, err := toContextualTuples(nil)
+		require.NoError(t, err)
+		assert.Nil(t, out)
+	})
+
+	t.Run("valid tuples convert one to one", func(t *testing.T) {
+		in := []*model.FgaTupleInput{
+			{User: "user:1", Relation: "viewer", Object: "document:a"},
+			{User: "user:2", Relation: "editor", Object: "document:b"},
+		}
+		out, err := toContextualTuples(in)
+		require.NoError(t, err)
+		require.Len(t, out, 2)
+		assert.Equal(t, "user:1", out[0].User)
+		assert.Equal(t, "editor", out[1].Relation)
+	})
+
+	t.Run("blank field is rejected", func(t *testing.T) {
+		in := []*model.FgaTupleInput{{User: "user:1", Relation: " ", Object: "document:a"}}
+		_, err := toContextualTuples(in)
+		require.Error(t, err)
+	})
+
+	t.Run("count above the cap is rejected", func(t *testing.T) {
+		in := make([]*model.FgaTupleInput, maxContextualTuplesPerCheck+1)
+		for i := range in {
+			in[i] = &model.FgaTupleInput{User: "user:1", Relation: "viewer", Object: "document:a"}
+		}
+		_, err := toContextualTuples(in)
+		require.Error(t, err)
+		assert.Contains(t, err.Error(), "too many contextual tuples")
+	})
+
+	t.Run("count at the cap is accepted", func(t *testing.T) {
+		in := make([]*model.FgaTupleInput, maxContextualTuplesPerCheck)
+		for i := range in {
+			in[i] = &model.FgaTupleInput{User: "user:1", Relation: "viewer", Object: "document:a"}
+		}
+		out, err := toContextualTuples(in)
+		require.NoError(t, err)
+		assert.Len(t, out, maxContextualTuplesPerCheck)
+	})
+}

From e44cd3c7db5b2ef5afbcb6819c0327d555814e69 Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Thu, 11 Jun 2026 10:03:49 +0530
Subject: [PATCH 33/39] fix(fga)!: recover store and model across restarts;
 non-fatal engine init
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The engine created a fresh OpenFGA store on every boot whenever no StoreID
was passed — and no caller ever persisted one — so on SQL-backed deployments
a restart orphaned the model and every tuple, and all checks failed with
'no authorization model written yet' until an admin rebuilt everything.

New() now recovers the existing store by exact name via ListStores and
adopts the store's latest authorization model, so persistent deployments
survive restarts with zero operator action. Covered by a restart-continuity
test that boots a second engine on the same SQLite file and asserts the
original decisions still hold.

Engine-init failure no longer log.Fatal()s the instance: FGA is optional,
so init errors (e.g. missing DDL rights for OpenFGA migrations) now log
and leave the engine nil — permission APIs fail closed, core auth keeps
serving. Also inlines the no-op strconvItoa wrapper.
---
 cmd/root.go                                   |  32 +++--
 .../engine/openfga/datastore_sqlite_test.go   |  55 ++++++++
 .../authorization/engine/openfga/openfga.go   | 118 ++++++++++++++----
 .../engine/openfga/operations.go              |   5 +-
 4 files changed, 173 insertions(+), 37 deletions(-)

diff --git a/cmd/root.go b/cmd/root.go
index 1eebbbce..950c2ff6 100644
--- a/cmd/root.go
+++ b/cmd/root.go
@@ -474,8 +474,15 @@ func runRoot(c *cobra.Command, args []string) {
 	// By default FGA reuses the main database (sqlite/postgres/mysql/mariadb);
 	// --fga-store is only needed when the main DB is unsupported (mongodb,
 	// dynamodb, etc.) or to point at a dedicated store. FGAStoreConfig() resolves
-	// this. OpenFGA migrations run on boot for SQL stores (idempotent + goose-
-	// locked, so HA-safe); memory needs none.
+	// this. OpenFGA migrations run on boot for SQL stores (idempotent); memory
+	// needs none. NOTE: multi-replica deployments should prefer running
+	// migrations once via an init job — concurrent on-boot migrations rely on
+	// the migration tool's own locking and add cold-start latency.
+	//
+	// Engine-init failure is deliberately NON-fatal: FGA is an optional
+	// subsystem, so a failure here (e.g. the DB user lacks DDL rights for the
+	// OpenFGA tables) logs loudly and leaves authzEngine nil — fga_* and the
+	// permission APIs fail closed while core authentication keeps serving.
 	var authzEngine engine.AuthorizationEngine
 	if fgaStore, fgaStoreURL, fgaEnabled := rootArgs.config.FGAStoreConfig(); fgaEnabled {
 		runMigrations := !strings.EqualFold(fgaStore, fgaengine.StoreMemory)
@@ -489,16 +496,19 @@ func runRoot(c *cobra.Command, args []string) {
 			&fgaengine.Dependencies{Log: &log},
 		)
 		if ferr != nil {
-			log.Fatal().Err(ferr).Msg("failed to create OpenFGA authorization engine")
-		}
-		if closer, ok := fgaEngine.(interface{ Close() }); ok {
-			defer closer.Close()
+			log.Error().Err(ferr).
+				Str("fga_store", fgaStore).
+				Msg("failed to initialize OpenFGA authorization engine; fine-grained authorization is DISABLED (fail-closed) — core auth continues")
+		} else {
+			if closer, ok := fgaEngine.(interface{ Close() }); ok {
+				defer closer.Close()
+			}
+			authzEngine = fgaEngine
+			log.Info().
+				Str("fga_store", fgaStore).
+				Bool("reused_main_db", strings.TrimSpace(rootArgs.config.FGAStore) == "").
+				Msg("OpenFGA authorization engine initialized (embedded); routed into GraphQL + session/validate")
 		}
-		authzEngine = fgaEngine
-		log.Info().
-			Str("fga_store", fgaStore).
-			Bool("reused_main_db", strings.TrimSpace(rootArgs.config.FGAStore) == "").
-			Msg("OpenFGA authorization engine initialized (embedded); routed into GraphQL + session/validate")
 	}
 
 	// SMS provider
diff --git a/internal/authorization/engine/openfga/datastore_sqlite_test.go b/internal/authorization/engine/openfga/datastore_sqlite_test.go
index 6740e411..aaab8048 100644
--- a/internal/authorization/engine/openfga/datastore_sqlite_test.go
+++ b/internal/authorization/engine/openfga/datastore_sqlite_test.go
@@ -93,3 +93,58 @@ func TestOpenFGAEngine_SQLiteStore_EndToEnd(t *testing.T) {
 	require.NoError(t, statErr, "OpenFGA SQLite db file must exist on disk")
 	assert.Positive(t, info.Size(), "OpenFGA SQLite db file must be non-empty")
 }
+
+// TestOpenFGAEngine_SQLiteStore_RestartContinuity proves the application-level
+// restart story, not just datastore durability: a second engine constructed
+// against the same SQLite file (a simulated process restart) must recover the
+// SAME store by name and adopt the latest written model, so checks keep
+// returning the original decisions without the operator re-writing the model
+// or re-creating tuples.
+func TestOpenFGAEngine_SQLiteStore_RestartContinuity(t *testing.T) {
+	ctx := context.Background()
+	log := zerolog.New(os.Stderr)
+
+	dir := t.TempDir()
+	fgaURI := fmt.Sprintf("file:%s", filepath.Join(dir, "openfga.db"))
+	cfg := &Config{
+		Store:         StoreSQLite,
+		StoreURL:      fgaURI,
+		StoreName:     "restart-continuity",
+		RunMigrations: true,
+	}
+
+	// Boot #1: bootstrap store, write model + tuple, then shut down.
+	eng1, err := New(cfg, &Dependencies{Log: &log})
+	require.NoError(t, err)
+	impl1 := eng1.(*engineImpl)
+	storeID1 := impl1.StoreID()
+	require.NotEmpty(t, storeID1)
+
+	modelID1, err := eng1.WriteModel(ctx, testModel)
+	require.NoError(t, err)
+	require.NoError(t, eng1.WriteTuples(ctx, []engine.TupleKey{
+		{User: "user:alice", Relation: "viewer", Object: "document:1"},
+	}))
+	allowed, err := eng1.Check(ctx, "user:alice", "can_view", "document:1")
+	require.NoError(t, err)
+	require.True(t, allowed)
+	impl1.Close()
+
+	// Boot #2: a fresh engine on the same file must bind to the same store and
+	// adopt the latest model — no CreateStore, no WriteModel.
+	eng2, err := New(cfg, &Dependencies{Log: &log})
+	require.NoError(t, err, "second boot against the same datastore must construct")
+	impl2 := eng2.(*engineImpl)
+	t.Cleanup(impl2.Close)
+
+	assert.Equal(t, storeID1, impl2.StoreID(), "restart must reuse the existing store, not orphan it")
+	assert.Equal(t, modelID1, impl2.ModelID(), "restart must adopt the latest written model")
+
+	allowed, err = eng2.Check(ctx, "user:alice", "can_view", "document:1")
+	require.NoError(t, err)
+	assert.True(t, allowed, "grants written before restart must still hold after restart")
+
+	allowed, err = eng2.Check(ctx, "user:bob", "can_view", "document:1")
+	require.NoError(t, err)
+	assert.False(t, allowed, "non-grants must still be denied after restart")
+}
diff --git a/internal/authorization/engine/openfga/openfga.go b/internal/authorization/engine/openfga/openfga.go
index 2f195b83..5626524c 100644
--- a/internal/authorization/engine/openfga/openfga.go
+++ b/internal/authorization/engine/openfga/openfga.go
@@ -11,7 +11,6 @@ package openfga
 import (
 	"context"
 	"fmt"
-	"strconv"
 	"sync"
 
 	openfgav1 "github.com/openfga/api/proto/openfga/v1"
@@ -19,6 +18,7 @@ import (
 	"github.com/openfga/openfga/pkg/storage"
 	"github.com/openfga/openfga/pkg/storage/memory"
 	"github.com/rs/zerolog"
+	"google.golang.org/protobuf/types/known/wrapperspb"
 
 	"github.com/authorizerdev/authorizer/internal/authorization/engine"
 )
@@ -37,11 +37,12 @@ const (
 
 // Config holds the parameters needed to construct the embedded OpenFGA engine.
 //
-// StoreID and ModelID are the OpenFGA-assigned ULIDs that Authorizer MUST
-// persist itself (config or main DB) and pass back on every call — OpenFGA does
-// not look stores/models up by name across restarts. When they are empty (e.g.
-// memory store on first boot), the caller is expected to bootstrap via
-// CreateStore + WriteModel and then persist the returned IDs.
+// StoreID and ModelID are the OpenFGA-assigned ULIDs. They normally stay
+// empty: on boot the engine recovers the existing store by name (StoreName)
+// and adopts the latest written authorization model, so persistent datastores
+// survive restarts without the caller persisting any IDs. Set them only to
+// pin a specific store/model explicitly. Note: the store is found by exact
+// name, so changing StoreName (organization name) starts a fresh store.
 type Config struct {
 	// Store selects the datastore kind: memory|sqlite|postgres|mysql.
 	Store string
@@ -89,9 +90,10 @@ var _ engine.AuthorizationEngine = &engineImpl{}
 // must run migrate.RunMigrations as a separate init job and leave
 // RunMigrations=false so engine boot assumes the schema already exists (§2.1).
 //
-// If cfg.StoreID is empty a new store is created and its ID exposed via
-// StoreID(); callers should persist it. If cfg.ModelID is empty, callers must
-// call WriteModel before issuing checks.
+// If cfg.StoreID is empty the engine binds to the existing store matching
+// cfg.StoreName (restart continuity) or creates one when none exists. If
+// cfg.ModelID is empty the latest written model in the store is adopted;
+// when the store has no model yet, callers must WriteModel before checks.
 func New(cfg *Config, deps *Dependencies) (engine.AuthorizationEngine, error) {
 	if cfg == nil {
 		return nil, fmt.Errorf("openfga.New: config is required")
@@ -121,24 +123,95 @@ func New(cfg *Config, deps *Dependencies) (engine.AuthorizationEngine, error) {
 		storeName: cfg.StoreName,
 	}
 
-	// Bootstrap a store if none was provided. The store ID is exposed via
-	// StoreID() so the caller can persist it for subsequent boots.
+	// Bind to a store. An explicit cfg.StoreID wins; otherwise reuse the
+	// existing store with this name — OpenFGA assigns store ULIDs and has no
+	// name lookup of its own, so without this scan every boot would create a
+	// fresh store and orphan the previous model and tuples on persistent
+	// datastores. Only when no store with the name exists is one created.
 	if e.storeID == "" {
-		store, cErr := srv.CreateStore(context.Background(), &openfgav1.CreateStoreRequest{
-			Name: storeNameOrDefault(cfg.StoreName),
-		})
-		if cErr != nil {
+		name := storeNameOrDefault(cfg.StoreName)
+		existing, fErr := findStoreByName(srv, name)
+		if fErr != nil {
 			srv.Close()
 			ds.Close()
-			return nil, fmt.Errorf("openfga.New: CreateStore: %w", cErr)
+			return nil, fmt.Errorf("openfga.New: ListStores: %w", fErr)
+		}
+		if existing != "" {
+			e.storeID = existing
+			log.Info().Str("store_id", e.storeID).Str("store_name", name).Msg("reusing existing OpenFGA store")
+		} else {
+			store, cErr := srv.CreateStore(context.Background(), &openfgav1.CreateStoreRequest{Name: name})
+			if cErr != nil {
+				srv.Close()
+				ds.Close()
+				return nil, fmt.Errorf("openfga.New: CreateStore: %w", cErr)
+			}
+			e.storeID = store.GetId()
+			log.Info().Str("store_id", e.storeID).Str("store_name", name).Msg("created new OpenFGA store")
+		}
+	}
+
+	// Adopt the latest written model so checks keep working after a restart
+	// without the caller persisting the model ID.
+	if e.modelID == "" {
+		mID, mErr := latestModelID(srv, e.storeID)
+		if mErr != nil {
+			srv.Close()
+			ds.Close()
+			return nil, fmt.Errorf("openfga.New: ReadAuthorizationModels: %w", mErr)
+		}
+		if mID != "" {
+			e.modelID = mID
+			log.Info().Str("model_id", mID).Msg("adopted latest authorization model from store")
 		}
-		e.storeID = store.GetId()
-		log.Info().Str("store_id", e.storeID).Msg("created new OpenFGA store; persist this ID")
 	}
 
 	return e, nil
 }
 
+// findStoreByName pages through ListStores and returns the ID of the store
+// with the exact given name, or empty when none exists. OpenFGA has no
+// lookup-by-name API, so restart continuity depends on this scan.
+func findStoreByName(srv *server.Server, name string) (string, error) {
+	token := ""
+	for {
+		res, err := srv.ListStores(context.Background(), &openfgav1.ListStoresRequest{
+			PageSize:          wrapperspb.Int32(100),
+			ContinuationToken: token,
+		})
+		if err != nil {
+			return "", err
+		}
+		for _, s := range res.GetStores() {
+			if s.GetName() == name {
+				return s.GetId(), nil
+			}
+		}
+		token = res.GetContinuationToken()
+		if token == "" {
+			return "", nil
+		}
+	}
+}
+
+// latestModelID returns the most recent authorization model ID in the store,
+// or empty when no model has been written yet. ReadAuthorizationModels
+// returns models newest-first.
+func latestModelID(srv *server.Server, storeID string) (string, error) {
+	res, err := srv.ReadAuthorizationModels(context.Background(), &openfgav1.ReadAuthorizationModelsRequest{
+		StoreId:  storeID,
+		PageSize: wrapperspb.Int32(1),
+	})
+	if err != nil {
+		return "", err
+	}
+	models := res.GetAuthorizationModels()
+	if len(models) == 0 {
+		return "", nil
+	}
+	return models[0].GetId(), nil
+}
+
 // Reset deletes the current store (model + all versions + tuples) and creates a
 // fresh empty store. The new store has no model — callers must WriteModel again
 // before checks. Destructive; admin-gated by callers.
@@ -192,8 +265,8 @@ func storeNameOrDefault(name string) string {
 	return name
 }
 
-// StoreID returns the OpenFGA store ID this engine is bound to. Callers should
-// persist it (config/main DB) so subsequent boots target the same store.
+// StoreID returns the OpenFGA store ID this engine is bound to. Subsequent
+// boots recover the same store by name, so persisting this is optional.
 func (e *engineImpl) StoreID() string {
 	e.mu.RLock()
 	defer e.mu.RUnlock()
@@ -201,7 +274,7 @@ func (e *engineImpl) StoreID() string {
 }
 
 // ModelID returns the currently active authorization model ID, or empty if no
-// model has been written yet. Callers should persist it alongside the store ID.
+// model has been written yet. Boots adopt the store's latest model automatically.
 func (e *engineImpl) ModelID() string {
 	e.mu.RLock()
 	defer e.mu.RUnlock()
@@ -226,9 +299,6 @@ func (e *engineImpl) ids() (storeID, modelID string) {
 	return e.storeID, e.modelID
 }
 
-// strconvItoa is a tiny helper to build correlation IDs for BatchCheck.
-func strconvItoa(i int) string { return strconv.Itoa(i) }
-
 // toProtoContextual converts engine contextual tuples to the OpenFGA wire type.
 func toProtoContextual(ctxTuples []engine.ContextualTuple) *openfgav1.ContextualTupleKeys {
 	if len(ctxTuples) == 0 {
diff --git a/internal/authorization/engine/openfga/operations.go b/internal/authorization/engine/openfga/operations.go
index 8f959d62..2531fe2b 100644
--- a/internal/authorization/engine/openfga/operations.go
+++ b/internal/authorization/engine/openfga/operations.go
@@ -3,6 +3,7 @@ package openfga
 import (
 	"context"
 	"fmt"
+	"strconv"
 	"strings"
 
 	openfgav1 "github.com/openfga/api/proto/openfga/v1"
@@ -60,7 +61,7 @@ func (e *engineImpl) BatchCheck(ctx context.Context, requests []engine.CheckRequ
 				Object:   r.Object,
 			},
 			ContextualTuples: toProtoContextual(r.ContextualTuples),
-			CorrelationId:    strconvItoa(i),
+			CorrelationId:    strconv.Itoa(i),
 		})
 	}
 
@@ -76,7 +77,7 @@ func (e *engineImpl) BatchCheck(ctx context.Context, requests []engine.CheckRequ
 	results := make([]engine.CheckResult, len(requests))
 	resultMap := res.GetResult()
 	for i := range requests {
-		single, ok := resultMap[strconvItoa(i)]
+		single, ok := resultMap[strconv.Itoa(i)]
 		if !ok {
 			return nil, fmt.Errorf("openfga.BatchCheck: missing result for check %d", i)
 		}

From 99c052bab11b3355851783b8c2fb8780050779f3 Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Thu, 11 Jun 2026 10:35:51 +0530
Subject: [PATCH 34/39] feat(fga): list_permissions returns all subject
 permissions when filters omitted
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

relation and object_type are now optional on list_permissions. When either
is omitted, every matching (type, relation) pair of the active model is
enumerated — an empty input answers "what can this user access?" in one
call. Pairs come from the new TypeRelations engine SPI method and are
expanded via ListObjects with bounded concurrency (5) so a single request
cannot saturate the embedded engine.

The response now carries (object, relation) detail in permissions[] and an
explicit truncated flag when the 1000-entry cap is hit, replacing the
previous silent truncation. The subject trust gate is unchanged: callers
enumerate their own access unless super-admin.
---
 internal/authorization/engine/engine.go       |   7 +
 .../engine/openfga/operations.go              |  32 ++
 internal/graph/generated/generated.go         | 363 +++++++++++++++++-
 internal/graph/model/models_gen.go            |  13 +-
 internal/graph/schema.graphqls                |  28 +-
 internal/graphql/list_permissions.go          | 122 +++++-
 internal/integration_tests/fga_test.go        |  42 +-
 7 files changed, 572 insertions(+), 35 deletions(-)

diff --git a/internal/authorization/engine/engine.go b/internal/authorization/engine/engine.go
index dd5837ab..353ef836 100644
--- a/internal/authorization/engine/engine.go
+++ b/internal/authorization/engine/engine.go
@@ -163,6 +163,13 @@ type AuthorizationEngine interface {
 	// backend-assigned id and its DSL rendering.
 	ReadModel(ctx context.Context) (id string, dsl string, err error)
 
+	// TypeRelations returns, for every object type in the active model, the
+	// relation names defined on it (type -> sorted relation names). Types with
+	// no relations are omitted. It powers "list everything this subject can
+	// access" enumeration. Returns ErrNoModel (wrapped) when no model has been
+	// written yet.
+	TypeRelations(ctx context.Context) (map[string][]string, error)
+
 	// Reset deletes the entire authorization store (the model, all its versions,
 	// and all tuples) and starts a fresh, empty store. It is destructive and must
 	// be admin-gated by callers; OpenFGA has no per-version delete, so this is the
diff --git a/internal/authorization/engine/openfga/operations.go b/internal/authorization/engine/openfga/operations.go
index 2531fe2b..e9f0fbbf 100644
--- a/internal/authorization/engine/openfga/operations.go
+++ b/internal/authorization/engine/openfga/operations.go
@@ -3,6 +3,7 @@ package openfga
 import (
 	"context"
 	"fmt"
+	"sort"
 	"strconv"
 	"strings"
 
@@ -290,6 +291,37 @@ func (e *engineImpl) WriteModel(ctx context.Context, dsl string) (string, error)
 	return modelID, nil
 }
 
+// TypeRelations returns the relation names defined on each object type in the
+// active model, sorted for deterministic output. Types without relations are
+// omitted — they cannot be the object of any permission.
+func (e *engineImpl) TypeRelations(ctx context.Context) (map[string][]string, error) {
+	storeID, modelID := e.ids()
+	if modelID == "" {
+		return nil, fmt.Errorf("openfga.TypeRelations: %w", engine.ErrNoModel)
+	}
+	res, err := e.srv.ReadAuthorizationModel(ctx, &openfgav1.ReadAuthorizationModelRequest{
+		StoreId: storeID,
+		Id:      modelID,
+	})
+	if err != nil {
+		return nil, fmt.Errorf("openfga.TypeRelations: %w", err)
+	}
+	out := make(map[string][]string)
+	for _, td := range res.GetAuthorizationModel().GetTypeDefinitions() {
+		rels := td.GetRelations()
+		if len(rels) == 0 {
+			continue
+		}
+		names := make([]string, 0, len(rels))
+		for name := range rels {
+			names = append(names, name)
+		}
+		sort.Strings(names)
+		out[td.GetType()] = names
+	}
+	return out, nil
+}
+
 // ReadModel returns the active authorization model: its id and DSL rendering.
 func (e *engineImpl) ReadModel(ctx context.Context) (string, string, error) {
 	storeID, modelID := e.ids()
diff --git a/internal/graph/generated/generated.go b/internal/graph/generated/generated.go
index d45022d3..037dc39f 100644
--- a/internal/graph/generated/generated.go
+++ b/internal/graph/generated/generated.go
@@ -225,7 +225,9 @@ type ComplexityRoot struct {
 	}
 
 	ListPermissionsResponse struct {
-		Objects func(childComplexity int) int
+		Objects     func(childComplexity int) int
+		Permissions func(childComplexity int) int
+		Truncated   func(childComplexity int) int
 	}
 
 	Meta struct {
@@ -297,6 +299,11 @@ type ComplexityRoot struct {
 		Total  func(childComplexity int) int
 	}
 
+	Permission struct {
+		Object   func(childComplexity int) int
+		Relation func(childComplexity int) int
+	}
+
 	PermissionCheckResult struct {
 		Allowed  func(childComplexity int) int
 		Object   func(childComplexity int) int
@@ -1402,6 +1409,20 @@ func (e *executableSchema) Complexity(ctx context.Context, typeName, field strin
 
 		return e.complexity.ListPermissionsResponse.Objects(childComplexity), true
 
+	case "ListPermissionsResponse.permissions":
+		if e.complexity.ListPermissionsResponse.Permissions == nil {
+			break
+		}
+
+		return e.complexity.ListPermissionsResponse.Permissions(childComplexity), true
+
+	case "ListPermissionsResponse.truncated":
+		if e.complexity.ListPermissionsResponse.Truncated == nil {
+			break
+		}
+
+		return e.complexity.ListPermissionsResponse.Truncated(childComplexity), true
+
 	case "Meta.client_id":
 		if e.complexity.Meta.ClientID == nil {
 			break
@@ -1982,6 +2003,20 @@ func (e *executableSchema) Complexity(ctx context.Context, typeName, field strin
 
 		return e.complexity.Pagination.Total(childComplexity), true
 
+	case "Permission.object":
+		if e.complexity.Permission.Object == nil {
+			break
+		}
+
+		return e.complexity.Permission.Object(childComplexity), true
+
+	case "Permission.relation":
+		if e.complexity.Permission.Relation == nil {
+			break
+		}
+
+		return e.complexity.Permission.Relation(childComplexity), true
+
 	case "PermissionCheckResult.allowed":
 		if e.complexity.PermissionCheckResult.Allowed == nil {
 			break
@@ -2958,10 +2993,21 @@ type CheckPermissionsResponse {
   results: [PermissionCheckResult!]!
 }
 
-# ListPermissionsResponse lists the fully-qualified object ids the subject
-# holds the queried permission on.
+# Permission is one (object, relation) pair the subject holds: "subject has
+# ` + "`" + `relation` + "`" + ` on ` + "`" + `object` + "`" + `".
+type Permission {
+  object: String!
+  relation: String!
+}
+
+# ListPermissionsResponse lists what the subject can access. ` + "`" + `objects` + "`" + ` is the
+# distinct fully-qualified object ids; ` + "`" + `permissions` + "`" + ` carries the (object,
+# relation) detail — relevant when no relation filter was supplied. ` + "`" + `truncated` + "`" + `
+# is true when the result was capped (1000 entries) and more permissions exist.
 type ListPermissionsResponse {
   objects: [String!]!
+  permissions: [Permission!]!
+  truncated: Boolean!
 }
 
 # FgaListUsersResponse lists fully-qualified user ids (e.g. "user:alice") that
@@ -3567,12 +3613,15 @@ input CheckPermissionsInput {
   user: String
 }
 
-# ListPermissionsInput enumerates the objects of ` + "`" + `object_type` + "`" + ` the subject
-# holds ` + "`" + `relation` + "`" + ` on. Subject resolution follows the same rules as
-# CheckPermissionsInput.user.
+# ListPermissionsInput enumerates what the subject can access. With both
+# ` + "`" + `relation` + "`" + ` and ` + "`" + `object_type` + "`" + ` set it answers "which <object_type>s can I
+# <relation>?". Either or both filters may be omitted: every matching
+# (type, relation) pair of the active model is then enumerated, so an empty
+# input returns ALL permissions the subject holds. Subject resolution follows
+# the same rules as CheckPermissionsInput.user.
 input ListPermissionsInput {
-  relation: String!
-  object_type: String!
+  relation: String
+  object_type: String
   user: String
 }
 
@@ -10720,6 +10769,100 @@ func (ec *executionContext) fieldContext_ListPermissionsResponse_objects(_ conte
 	return fc, nil
 }
 
+func (ec *executionContext) _ListPermissionsResponse_permissions(ctx context.Context, field graphql.CollectedField, obj *model.ListPermissionsResponse) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_ListPermissionsResponse_permissions(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.Permissions, nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
+		return graphql.Null
+	}
+	res := resTmp.([]*model.Permission)
+	fc.Result = res
+	return ec.marshalNPermission2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPermissionᚄ(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext_ListPermissionsResponse_permissions(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "ListPermissionsResponse",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			switch field.Name {
+			case "object":
+				return ec.fieldContext_Permission_object(ctx, field)
+			case "relation":
+				return ec.fieldContext_Permission_relation(ctx, field)
+			}
+			return nil, fmt.Errorf("no field named %q was found under type Permission", field.Name)
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) _ListPermissionsResponse_truncated(ctx context.Context, field graphql.CollectedField, obj *model.ListPermissionsResponse) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_ListPermissionsResponse_truncated(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.Truncated, nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
+		return graphql.Null
+	}
+	res := resTmp.(bool)
+	fc.Result = res
+	return ec.marshalNBoolean2bool(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext_ListPermissionsResponse_truncated(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "ListPermissionsResponse",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type Boolean does not have child fields")
+		},
+	}
+	return fc, nil
+}
+
 func (ec *executionContext) _Meta_version(ctx context.Context, field graphql.CollectedField, obj *model.Meta) (ret graphql.Marshaler) {
 	fc, err := ec.fieldContext_Meta_version(ctx, field)
 	if err != nil {
@@ -14038,6 +14181,94 @@ func (ec *executionContext) fieldContext_Pagination_total(_ context.Context, fie
 	return fc, nil
 }
 
+func (ec *executionContext) _Permission_object(ctx context.Context, field graphql.CollectedField, obj *model.Permission) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Permission_object(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.Object, nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
+		return graphql.Null
+	}
+	res := resTmp.(string)
+	fc.Result = res
+	return ec.marshalNString2string(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext_Permission_object(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "Permission",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type String does not have child fields")
+		},
+	}
+	return fc, nil
+}
+
+func (ec *executionContext) _Permission_relation(ctx context.Context, field graphql.CollectedField, obj *model.Permission) (ret graphql.Marshaler) {
+	fc, err := ec.fieldContext_Permission_relation(ctx, field)
+	if err != nil {
+		return graphql.Null
+	}
+	ctx = graphql.WithFieldContext(ctx, fc)
+	defer func() {
+		if r := recover(); r != nil {
+			ec.Error(ctx, ec.Recover(ctx, r))
+			ret = graphql.Null
+		}
+	}()
+	resTmp, err := ec.ResolverMiddleware(ctx, func(rctx context.Context) (any, error) {
+		ctx = rctx // use context from middleware stack in children
+		return obj.Relation, nil
+	})
+	if err != nil {
+		ec.Error(ctx, err)
+		return graphql.Null
+	}
+	if resTmp == nil {
+		if !graphql.HasFieldError(ctx, fc) {
+			ec.Errorf(ctx, "must not be null")
+		}
+		return graphql.Null
+	}
+	res := resTmp.(string)
+	fc.Result = res
+	return ec.marshalNString2string(ctx, field.Selections, res)
+}
+
+func (ec *executionContext) fieldContext_Permission_relation(_ context.Context, field graphql.CollectedField) (fc *graphql.FieldContext, err error) {
+	fc = &graphql.FieldContext{
+		Object:     "Permission",
+		Field:      field,
+		IsMethod:   false,
+		IsResolver: false,
+		Child: func(ctx context.Context, field graphql.CollectedField) (*graphql.FieldContext, error) {
+			return nil, errors.New("field of type String does not have child fields")
+		},
+	}
+	return fc, nil
+}
+
 func (ec *executionContext) _PermissionCheckResult_relation(ctx context.Context, field graphql.CollectedField, obj *model.PermissionCheckResult) (ret graphql.Marshaler) {
 	fc, err := ec.fieldContext_PermissionCheckResult_relation(ctx, field)
 	if err != nil {
@@ -15698,6 +15929,10 @@ func (ec *executionContext) fieldContext_Query_list_permissions(ctx context.Cont
 			switch field.Name {
 			case "objects":
 				return ec.fieldContext_ListPermissionsResponse_objects(ctx, field)
+			case "permissions":
+				return ec.fieldContext_ListPermissionsResponse_permissions(ctx, field)
+			case "truncated":
+				return ec.fieldContext_ListPermissionsResponse_truncated(ctx, field)
 			}
 			return nil, fmt.Errorf("no field named %q was found under type ListPermissionsResponse", field.Name)
 		},
@@ -21187,14 +21422,14 @@ func (ec *executionContext) unmarshalInputListPermissionsInput(ctx context.Conte
 		switch k {
 		case "relation":
 			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("relation"))
-			data, err := ec.unmarshalNString2string(ctx, v)
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
 			it.Relation = data
 		case "object_type":
 			ctx := graphql.WithPathContext(ctx, graphql.NewPathWithField("object_type"))
-			data, err := ec.unmarshalNString2string(ctx, v)
+			data, err := ec.unmarshalOString2ᚖstring(ctx, v)
 			if err != nil {
 				return it, err
 			}
@@ -24095,6 +24330,16 @@ func (ec *executionContext) _ListPermissionsResponse(ctx context.Context, sel as
 			if out.Values[i] == graphql.Null {
 				out.Invalids++
 			}
+		case "permissions":
+			out.Values[i] = ec._ListPermissionsResponse_permissions(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		case "truncated":
+			out.Values[i] = ec._ListPermissionsResponse_truncated(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
 		default:
 			panic("unknown field " + strconv.Quote(field.Name))
 		}
@@ -24600,6 +24845,50 @@ func (ec *executionContext) _Pagination(ctx context.Context, sel ast.SelectionSe
 	return out
 }
 
+var permissionImplementors = []string{"Permission"}
+
+func (ec *executionContext) _Permission(ctx context.Context, sel ast.SelectionSet, obj *model.Permission) graphql.Marshaler {
+	fields := graphql.CollectFields(ec.OperationContext, sel, permissionImplementors)
+
+	out := graphql.NewFieldSet(fields)
+	deferred := make(map[string]*graphql.FieldSet)
+	for i, field := range fields {
+		switch field.Name {
+		case "__typename":
+			out.Values[i] = graphql.MarshalString("Permission")
+		case "object":
+			out.Values[i] = ec._Permission_object(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		case "relation":
+			out.Values[i] = ec._Permission_relation(ctx, field, obj)
+			if out.Values[i] == graphql.Null {
+				out.Invalids++
+			}
+		default:
+			panic("unknown field " + strconv.Quote(field.Name))
+		}
+	}
+	out.Dispatch(ctx)
+	if out.Invalids > 0 {
+		return graphql.Null
+	}
+
+	atomic.AddInt32(&ec.deferred, int32(len(deferred)))
+
+	for label, dfs := range deferred {
+		ec.processDeferredGroup(graphql.DeferredGroup{
+			Label:    label,
+			Path:     graphql.GetPath(ctx),
+			FieldSet: dfs,
+			Context:  ctx,
+		})
+	}
+
+	return out
+}
+
 var permissionCheckResultImplementors = []string{"PermissionCheckResult"}
 
 func (ec *executionContext) _PermissionCheckResult(ctx context.Context, sel ast.SelectionSet, obj *model.PermissionCheckResult) graphql.Marshaler {
@@ -26664,6 +26953,60 @@ func (ec *executionContext) marshalNPagination2ᚖgithubᚗcomᚋauthorizerdev
 	return ec._Pagination(ctx, sel, v)
 }
 
+func (ec *executionContext) marshalNPermission2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPermissionᚄ(ctx context.Context, sel ast.SelectionSet, v []*model.Permission) graphql.Marshaler {
+	ret := make(graphql.Array, len(v))
+	var wg sync.WaitGroup
+	isLen1 := len(v) == 1
+	if !isLen1 {
+		wg.Add(len(v))
+	}
+	for i := range v {
+		i := i
+		fc := &graphql.FieldContext{
+			Index:  &i,
+			Result: &v[i],
+		}
+		ctx := graphql.WithFieldContext(ctx, fc)
+		f := func(i int) {
+			defer func() {
+				if r := recover(); r != nil {
+					ec.Error(ctx, ec.Recover(ctx, r))
+					ret = nil
+				}
+			}()
+			if !isLen1 {
+				defer wg.Done()
+			}
+			ret[i] = ec.marshalNPermission2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPermission(ctx, sel, v[i])
+		}
+		if isLen1 {
+			f(i)
+		} else {
+			go f(i)
+		}
+
+	}
+	wg.Wait()
+
+	for _, e := range ret {
+		if e == graphql.Null {
+			return graphql.Null
+		}
+	}
+
+	return ret
+}
+
+func (ec *executionContext) marshalNPermission2ᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPermission(ctx context.Context, sel ast.SelectionSet, v *model.Permission) graphql.Marshaler {
+	if v == nil {
+		if !graphql.HasFieldError(ctx, graphql.GetFieldContext(ctx)) {
+			ec.Errorf(ctx, "the requested element is null which the schema does not allow")
+		}
+		return graphql.Null
+	}
+	return ec._Permission(ctx, sel, v)
+}
+
 func (ec *executionContext) unmarshalNPermissionCheckInput2ᚕᚖgithubᚗcomᚋauthorizerdevᚋauthorizerᚋinternalᚋgraphᚋmodelᚐPermissionCheckInputᚄ(ctx context.Context, v any) ([]*model.PermissionCheckInput, error) {
 	var vSlice []any
 	vSlice = graphql.CoerceList(v)
diff --git a/internal/graph/model/models_gen.go b/internal/graph/model/models_gen.go
index e9769d8b..6bb43195 100644
--- a/internal/graph/model/models_gen.go
+++ b/internal/graph/model/models_gen.go
@@ -286,13 +286,15 @@ type ListAuditLogRequest struct {
 }
 
 type ListPermissionsInput struct {
-	Relation   string  `json:"relation"`
-	ObjectType string  `json:"object_type"`
+	Relation   *string `json:"relation,omitempty"`
+	ObjectType *string `json:"object_type,omitempty"`
 	User       *string `json:"user,omitempty"`
 }
 
 type ListPermissionsResponse struct {
-	Objects []string `json:"objects"`
+	Objects     []string      `json:"objects"`
+	Permissions []*Permission `json:"permissions"`
+	Truncated   bool          `json:"truncated"`
 }
 
 type ListWebhookLogRequest struct {
@@ -391,6 +393,11 @@ type PaginationRequest struct {
 	Page  *int64 `json:"page,omitempty"`
 }
 
+type Permission struct {
+	Object   string `json:"object"`
+	Relation string `json:"relation"`
+}
+
 type PermissionCheckInput struct {
 	Relation         string           `json:"relation"`
 	Object           string           `json:"object"`
diff --git a/internal/graph/schema.graphqls b/internal/graph/schema.graphqls
index 6ca15502..ac643c19 100644
--- a/internal/graph/schema.graphqls
+++ b/internal/graph/schema.graphqls
@@ -155,10 +155,21 @@ type CheckPermissionsResponse {
   results: [PermissionCheckResult!]!
 }
 
-# ListPermissionsResponse lists the fully-qualified object ids the subject
-# holds the queried permission on.
+# Permission is one (object, relation) pair the subject holds: "subject has
+# `relation` on `object`".
+type Permission {
+  object: String!
+  relation: String!
+}
+
+# ListPermissionsResponse lists what the subject can access. `objects` is the
+# distinct fully-qualified object ids; `permissions` carries the (object,
+# relation) detail — relevant when no relation filter was supplied. `truncated`
+# is true when the result was capped (1000 entries) and more permissions exist.
 type ListPermissionsResponse {
   objects: [String!]!
+  permissions: [Permission!]!
+  truncated: Boolean!
 }
 
 # FgaListUsersResponse lists fully-qualified user ids (e.g. "user:alice") that
@@ -764,12 +775,15 @@ input CheckPermissionsInput {
   user: String
 }
 
-# ListPermissionsInput enumerates the objects of `object_type` the subject
-# holds `relation` on. Subject resolution follows the same rules as
-# CheckPermissionsInput.user.
+# ListPermissionsInput enumerates what the subject can access. With both
+# `relation` and `object_type` set it answers "which <object_type>s can I
+# <relation>?". Either or both filters may be omitted: every matching
+# (type, relation) pair of the active model is then enumerated, so an empty
+# input returns ALL permissions the subject holds. Subject resolution follows
+# the same rules as CheckPermissionsInput.user.
 input ListPermissionsInput {
-  relation: String!
-  object_type: String!
+  relation: String
+  object_type: String
   user: String
 }
 
diff --git a/internal/graphql/list_permissions.go b/internal/graphql/list_permissions.go
index 17385138..1caa535f 100644
--- a/internal/graphql/list_permissions.go
+++ b/internal/graphql/list_permissions.go
@@ -3,47 +3,143 @@ package graphql
 import (
 	"context"
 	"fmt"
+	"sort"
 	"strings"
 	"time"
 
+	"golang.org/x/sync/errgroup"
+
 	"github.com/authorizerdev/authorizer/internal/graph/model"
 	"github.com/authorizerdev/authorizer/internal/metrics"
 	"github.com/authorizerdev/authorizer/internal/refs"
 )
 
-// ListPermissions enumerates the fully-qualified object ids of object_type the
-// subject holds relation on — "which documents can I view?". Ideal for
-// filtering list pages down to what the subject may access.
+// maxConcurrentFgaListCalls bounds the parallel ListObjects expansions issued
+// by an unfiltered list_permissions call so one request cannot saturate the
+// embedded engine.
+const maxConcurrentFgaListCalls = 5
+
+// typeRelation is one (object type, relation) pair to enumerate.
+type typeRelation struct {
+	objType  string
+	relation string
+}
+
+// ListPermissions enumerates what the subject can access. With both filters
+// set it answers "which <object_type>s can I <relation>?" via a single
+// ListObjects call. When either filter is omitted, every matching (type,
+// relation) pair of the active model is enumerated with bounded concurrency —
+// an empty input returns ALL permissions the subject holds.
 //
 // SUBJECT TRUST GATE: same rules as CheckPermissions (token subject by
 // default; explicit `user` for super-admins or self). The result set is
-// capped: listing is an expensive enumeration surface.
+// capped at maxFgaListResults and `truncated` reports when the cap was hit:
+// listing is an expensive enumeration surface.
 // Permission: authorized user.
 func (g *graphqlProvider) ListPermissions(ctx context.Context, params *model.ListPermissionsInput) (*model.ListPermissionsResponse, error) {
 	log := g.Log.With().Str("func", "ListPermissions").Logger()
 	if g.AuthzEngine == nil {
 		return nil, errFgaNotEnabled
 	}
-	if params == nil || strings.TrimSpace(params.Relation) == "" || strings.TrimSpace(params.ObjectType) == "" {
-		return nil, fmt.Errorf("relation and object_type are required")
+	if params == nil {
+		params = &model.ListPermissionsInput{}
 	}
+	relationFilter := strings.TrimSpace(refs.StringValue(params.Relation))
+	typeFilter := strings.TrimSpace(refs.StringValue(params.ObjectType))
 	subject, err := g.resolveFgaSubject(ctx, refs.StringValue(params.User))
 	if err != nil {
 		log.Debug().Err(err).Msg("Failed to resolve subject")
 		return nil, err
 	}
+
 	start := time.Now()
-	objects, err := g.AuthzEngine.ListObjects(ctx, subject, params.Relation, params.ObjectType)
-	metrics.ObserveFgaCheckDuration(metrics.FgaOpListPermissions, time.Since(start).Seconds())
+	pairs, err := g.listPermissionPairs(ctx, relationFilter, typeFilter)
 	if err != nil {
 		metrics.RecordFgaOperation(metrics.FgaOpListPermissions, metrics.FgaResultError)
-		log.Debug().Err(err).Msg("ListPermissions failed; denying")
+		log.Debug().Err(err).Msg("Failed to resolve model type relations; denying")
+		return nil, fmt.Errorf("authorization list failed")
+	}
+
+	// Enumerate each pair with bounded concurrency; results stay positionally
+	// aligned with pairs so aggregation order is deterministic.
+	results := make([][]string, len(pairs))
+	eg, egCtx := errgroup.WithContext(ctx)
+	eg.SetLimit(maxConcurrentFgaListCalls)
+	for i, p := range pairs {
+		eg.Go(func() error {
+			objects, lerr := g.AuthzEngine.ListObjects(egCtx, subject, p.relation, p.objType)
+			if lerr != nil {
+				return lerr
+			}
+			results[i] = objects
+			return nil
+		})
+	}
+	egErr := eg.Wait()
+	metrics.ObserveFgaCheckDuration(metrics.FgaOpListPermissions, time.Since(start).Seconds())
+	if egErr != nil {
+		metrics.RecordFgaOperation(metrics.FgaOpListPermissions, metrics.FgaResultError)
+		log.Debug().Err(egErr).Msg("ListPermissions failed; denying")
 		return nil, fmt.Errorf("authorization list failed")
 	}
 	metrics.RecordFgaOperation(metrics.FgaOpListPermissions, metrics.FgaResultSuccess)
-	// Cap the result set; ListObjects is an expensive enumeration surface.
-	if len(objects) > maxFgaListResults {
-		objects = objects[:maxFgaListResults]
+
+	// Aggregate under the global cap; `truncated` tells callers more exist.
+	permissions := make([]*model.Permission, 0)
+	objects := make([]string, 0)
+	seen := make(map[string]struct{})
+	truncated := false
+	for i, objs := range results {
+		for _, obj := range objs {
+			if len(permissions) >= maxFgaListResults {
+				truncated = true
+				break
+			}
+			permissions = append(permissions, &model.Permission{Object: obj, Relation: pairs[i].relation})
+			if _, ok := seen[obj]; !ok {
+				seen[obj] = struct{}{}
+				objects = append(objects, obj)
+			}
+		}
+		if truncated {
+			break
+		}
+	}
+	return &model.ListPermissionsResponse{
+		Objects:     objects,
+		Permissions: permissions,
+		Truncated:   truncated,
+	}, nil
+}
+
+// listPermissionPairs resolves which (type, relation) pairs to enumerate. With
+// both filters present no model read is needed; otherwise the active model's
+// type/relation map is filtered down, sorted for deterministic output.
+func (g *graphqlProvider) listPermissionPairs(ctx context.Context, relationFilter, typeFilter string) ([]typeRelation, error) {
+	if relationFilter != "" && typeFilter != "" {
+		return []typeRelation{{objType: typeFilter, relation: relationFilter}}, nil
+	}
+	typeRels, err := g.AuthzEngine.TypeRelations(ctx)
+	if err != nil {
+		return nil, err
+	}
+	pairs := make([]typeRelation, 0)
+	for objType, relations := range typeRels {
+		if typeFilter != "" && objType != typeFilter {
+			continue
+		}
+		for _, relation := range relations {
+			if relationFilter != "" && relation != relationFilter {
+				continue
+			}
+			pairs = append(pairs, typeRelation{objType: objType, relation: relation})
+		}
 	}
-	return &model.ListPermissionsResponse{Objects: objects}, nil
+	sort.Slice(pairs, func(i, j int) bool {
+		if pairs[i].objType != pairs[j].objType {
+			return pairs[i].objType < pairs[j].objType
+		}
+		return pairs[i].relation < pairs[j].relation
+	})
+	return pairs, nil
 }
diff --git a/internal/integration_tests/fga_test.go b/internal/integration_tests/fga_test.go
index fba6c653..a975f939 100644
--- a/internal/integration_tests/fga_test.go
+++ b/internal/integration_tests/fga_test.go
@@ -28,6 +28,7 @@ import (
 	"github.com/authorizerdev/authorizer/internal/metrics"
 	"github.com/authorizerdev/authorizer/internal/oauth"
 	"github.com/authorizerdev/authorizer/internal/rate_limit"
+	"github.com/authorizerdev/authorizer/internal/refs"
 	"github.com/authorizerdev/authorizer/internal/sms"
 	"github.com/authorizerdev/authorizer/internal/storage"
 	"github.com/authorizerdev/authorizer/internal/token"
@@ -282,12 +283,49 @@ func TestFGA(t *testing.T) {
 	// ---- Runtime: list_permissions returns only the caller's objects. ----
 	t.Run("list_permissions returns granted objects for caller", func(t *testing.T) {
 		res, err := ts.GraphQLProvider.ListPermissions(ctx, &model.ListPermissionsInput{
-			Relation: "can_view", ObjectType: "document",
+			Relation: refs.NewStringRef("can_view"), ObjectType: refs.NewStringRef("document"),
 		})
 		require.NoError(t, err)
 		require.NotNil(t, res)
 		assert.Contains(t, res.Objects, "document:1")
 		assert.NotContains(t, res.Objects, "document:3")
+		assert.False(t, res.Truncated)
+		require.NotEmpty(t, res.Permissions)
+		assert.Equal(t, "can_view", res.Permissions[0].Relation)
+	})
+
+	// ---- Runtime: list_permissions with NO filters returns every permission
+	// the caller holds across all (type, relation) pairs of the model. ----
+	t.Run("list_permissions without filters returns all caller permissions", func(t *testing.T) {
+		res, err := ts.GraphQLProvider.ListPermissions(ctx, &model.ListPermissionsInput{})
+		require.NoError(t, err)
+		require.NotNil(t, res)
+		assert.Contains(t, res.Objects, "document:1")
+		assert.NotContains(t, res.Objects, "document:3", "another user's grant must not appear")
+		assert.False(t, res.Truncated)
+		// The (object, relation) detail must include both the direct tuple
+		// (viewer) and the computed permission (can_view) on document:1.
+		rels := make([]string, 0)
+		for _, p := range res.Permissions {
+			if p.Object == "document:1" {
+				rels = append(rels, p.Relation)
+			}
+		}
+		assert.Contains(t, rels, "viewer")
+		assert.Contains(t, rels, "can_view")
+	})
+
+	// ---- Runtime: list_permissions with a relation-only filter. ----
+	t.Run("list_permissions with relation-only filter spans object types", func(t *testing.T) {
+		res, err := ts.GraphQLProvider.ListPermissions(ctx, &model.ListPermissionsInput{
+			Relation: refs.NewStringRef("viewer"),
+		})
+		require.NoError(t, err)
+		require.NotNil(t, res)
+		assert.Contains(t, res.Objects, "document:1")
+		for _, p := range res.Permissions {
+			assert.Equal(t, "viewer", p.Relation, "relation filter must apply to every entry")
+		}
 	})
 
 	// ---- Runtime: check_permissions (batch). ----
@@ -479,7 +517,7 @@ func TestFGA(t *testing.T) {
 		ts.GinContext.Request.Header.Set("Cookie", fmt.Sprintf("%s_session=%s", constants.AppCookieName, sessionToken))
 		other := "user:someone-else"
 		res, err := ts.GraphQLProvider.ListPermissions(ctx, &model.ListPermissionsInput{
-			Relation: "can_view", ObjectType: "document", User: &other,
+			Relation: refs.NewStringRef("can_view"), ObjectType: refs.NewStringRef("document"), User: &other,
 		})
 		assert.Error(t, err, "end user must not list another subject's objects")
 		assert.Nil(t, res)

From bdfe3ddeafd326216955b175b3aff1cb173d0a0c Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Thu, 11 Jun 2026 14:30:50 +0530
Subject: [PATCH 35/39] feat(dashboard): user permissions modal lists
 everything by default

The Users-table permissions modal now treats both filters as optional,
matching the new list_permissions API: an empty form lists every permission
the user holds. Results render as (object, permission) rows instead of bare
object ids, and a notice appears when the server truncated at 1000 entries.
---
 .../src/components/UserPermissionsModal.tsx   | 124 ++++++++++++------
 web/dashboard/src/graphql/queries/index.ts    |  11 +-
 web/dashboard/src/types.ts                    |   9 ++
 3 files changed, 100 insertions(+), 44 deletions(-)

diff --git a/web/dashboard/src/components/UserPermissionsModal.tsx b/web/dashboard/src/components/UserPermissionsModal.tsx
index 6ccca088..3c7e8652 100644
--- a/web/dashboard/src/components/UserPermissionsModal.tsx
+++ b/web/dashboard/src/components/UserPermissionsModal.tsx
@@ -1,6 +1,6 @@
 import React, { useState } from 'react';
 import { useClient } from 'urql';
-import { Search, ShieldCheck } from 'lucide-react';
+import { Search, ShieldCheck, TriangleAlert } from 'lucide-react';
 import { Button } from './ui/button';
 import { Input } from './ui/input';
 import { Label } from './ui/label';
@@ -13,7 +13,7 @@ import {
 } from './ui/dialog';
 import { ListPermissionsQuery } from '../graphql/queries';
 import { isFgaNotEnabledError } from '../lib/utils';
-import type { ListPermissionsResponse, User } from '../types';
+import type { ListPermissionsResponse, Permission, User } from '../types';
 
 interface UserPermissionsModalProps {
 	user: User | null;
@@ -21,10 +21,11 @@ interface UserPermissionsModalProps {
 	onClose: () => void;
 }
 
-// UserPermissionsModal lets an admin answer "which objects does this user hold
-// a permission on?" straight from the Users table. It calls the public
-// list_permissions API with an explicit subject — honored because the
-// dashboard session is super-admin.
+// UserPermissionsModal lets an admin answer "what can this user access?"
+// straight from the Users table. It calls the public list_permissions API with
+// an explicit subject — honored because the dashboard session is super-admin.
+// Both filters are optional: leaving them empty lists EVERY permission the
+// user holds across the authorization model.
 const UserPermissionsModal = ({
 	user,
 	open,
@@ -33,7 +34,8 @@ const UserPermissionsModal = ({
 	const client = useClient();
 	const [relation, setRelation] = useState('');
 	const [objectType, setObjectType] = useState('');
-	const [objects, setObjects] = useState<string[] | null>(null);
+	const [permissions, setPermissions] = useState<Permission[] | null>(null);
+	const [truncated, setTruncated] = useState(false);
 	const [error, setError] = useState('');
 	const [running, setRunning] = useState(false);
 
@@ -41,24 +43,20 @@ const UserPermissionsModal = ({
 
 	const handleList = async (e: React.FormEvent) => {
 		e.preventDefault();
-		if (!relation.trim() || !objectType.trim()) {
-			setError('relation and object type are both required');
-			return;
-		}
 		setRunning(true);
 		setError('');
-		setObjects(null);
+		setPermissions(null);
+		setTruncated(false);
 		try {
+			// Omit empty filters so the server enumerates every matching
+			// (type, relation) pair of the model.
+			const params: Record<string, string> = { user: `user:${user.id}` };
+			if (relation.trim()) params.relation = relation.trim();
+			if (objectType.trim()) params.object_type = objectType.trim();
 			const res = await client
 				.query<ListPermissionsResponse>(
 					ListPermissionsQuery,
-					{
-						params: {
-							relation: relation.trim(),
-							object_type: objectType.trim(),
-							user: `user:${user.id}`,
-						},
-					},
+					{ params },
 					{ requestPolicy: 'network-only' },
 				)
 				.toPromise();
@@ -70,7 +68,8 @@ const UserPermissionsModal = ({
 				);
 				return;
 			}
-			setObjects(res.data?.list_permissions?.objects ?? []);
+			setPermissions(res.data?.list_permissions?.permissions ?? []);
+			setTruncated(res.data?.list_permissions?.truncated ?? false);
 		} catch {
 			setError('Failed to list permissions');
 		} finally {
@@ -79,11 +78,14 @@ const UserPermissionsModal = ({
 	};
 
 	const close = () => {
-		setObjects(null);
+		setPermissions(null);
+		setTruncated(false);
 		setError('');
 		onClose();
 	};
 
+	const hasFilters = Boolean(relation.trim() || objectType.trim());
+
 	return (
 		<Dialog open={open} onOpenChange={(o) => !o && close()}>
 			<DialogContent className="max-w-lg">
@@ -93,18 +95,19 @@ const UserPermissionsModal = ({
 						Permissions · {user.email || user.phone_number || user.id}
 					</DialogTitle>
 					<DialogDescription>
-						List the objects{' '}
+						List what{' '}
 						<code className="rounded bg-gray-100 px-1 py-0.5 text-xs">
 							user:{user.id}
 						</code>{' '}
-						holds a permission on. Pick the permission (relation) and object
-						type from your authorization model.
+						can access. Leave both fields empty to list everything, or narrow
+						by permission (relation) and/or object type from your authorization
+						model.
 					</DialogDescription>
 				</DialogHeader>
 				<form onSubmit={handleList} className="space-y-3">
 					<div className="grid grid-cols-1 gap-3 md:grid-cols-2">
 						<div className="space-y-1">
-							<Label htmlFor="perm-relation">Permission (relation)</Label>
+							<Label htmlFor="perm-relation">Permission (optional)</Label>
 							<Input
 								id="perm-relation"
 								placeholder="can_view"
@@ -114,7 +117,7 @@ const UserPermissionsModal = ({
 							/>
 						</div>
 						<div className="space-y-1">
-							<Label htmlFor="perm-object-type">Object type</Label>
+							<Label htmlFor="perm-object-type">Object type (optional)</Label>
 							<Input
 								id="perm-object-type"
 								placeholder="document"
@@ -126,7 +129,11 @@ const UserPermissionsModal = ({
 					</div>
 					<Button type="submit" disabled={running}>
 						<Search className="mr-2 h-4 w-4" aria-hidden="true" />
-						{running ? 'Listing…' : 'List permissions'}
+						{running
+							? 'Listing…'
+							: hasFilters
+								? 'List matching permissions'
+								: 'List all permissions'}
 					</Button>
 				</form>
 				{error && (
@@ -134,25 +141,58 @@ const UserPermissionsModal = ({
 						{error}
 					</p>
 				)}
-				{objects !== null &&
-					(objects.length ? (
+				{truncated && (
+					<p className="flex items-center gap-2 rounded-md border border-amber-200 bg-amber-50 p-3 text-sm text-amber-700">
+						<TriangleAlert className="h-4 w-4 shrink-0" aria-hidden="true" />
+						Showing the first 1000 permissions — more exist. Narrow by
+						permission or object type to see the rest.
+					</p>
+				)}
+				{permissions !== null &&
+					(permissions.length ? (
 						<div className="max-h-64 overflow-y-auto rounded-lg border border-gray-200">
-							<ul className="divide-y divide-gray-100">
-								{objects.map((o) => (
-									<li
-										key={o}
-										className="px-3 py-2 font-mono text-xs text-gray-800"
-									>
-										{o}
-									</li>
-								))}
-							</ul>
+							<table className="w-full text-left">
+								<thead className="sticky top-0 bg-gray-50">
+									<tr className="text-xs font-medium text-gray-500">
+										<th className="px-3 py-2">Object</th>
+										<th className="px-3 py-2">Permission</th>
+									</tr>
+								</thead>
+								<tbody className="divide-y divide-gray-100">
+									{permissions.map((p) => (
+										<tr key={`${p.object}#${p.relation}`}>
+											<td className="px-3 py-2 font-mono text-xs text-gray-800">
+												{p.object}
+											</td>
+											<td className="px-3 py-2">
+												<span className="rounded bg-blue-50 px-1.5 py-0.5 font-mono text-xs text-blue-700">
+													{p.relation}
+												</span>
+											</td>
+										</tr>
+									))}
+								</tbody>
+							</table>
 						</div>
 					) : (
 						<p className="rounded-lg border border-dashed border-gray-200 p-3 text-sm text-gray-500">
-							No <code className="font-mono text-xs">{objectType}</code> objects
-							with <code className="font-mono text-xs">{relation}</code> for
-							this user.
+							{hasFilters ? (
+								<>
+									No permissions matching{' '}
+									{relation.trim() && (
+										<code className="font-mono text-xs">{relation.trim()}</code>
+									)}
+									{relation.trim() && objectType.trim() && ' on '}
+									{objectType.trim() && (
+										<code className="font-mono text-xs">
+											{objectType.trim()}
+										</code>
+									)}{' '}
+									for this user.
+								</>
+							) : (
+								<>This user holds no permissions in the authorization model.</>
+							)}
 						</p>
 					))}
 			</DialogContent>
diff --git a/web/dashboard/src/graphql/queries/index.ts b/web/dashboard/src/graphql/queries/index.ts
index 99d7ac93..06f84873 100644
--- a/web/dashboard/src/graphql/queries/index.ts
+++ b/web/dashboard/src/graphql/queries/index.ts
@@ -157,12 +157,19 @@ export const FgaReadTuplesQuery = `
   }
 `;
 
-// ListPermissionsQuery enumerates the objects a subject holds a permission on.
-// The optional user param is honored for the super-admin dashboard session.
+// ListPermissionsQuery enumerates what a subject can access. relation and
+// object_type are optional — omitting them lists ALL permissions the subject
+// holds across the model. The optional user param is honored for the
+// super-admin dashboard session.
 export const ListPermissionsQuery = `
   query listPermissions($params: ListPermissionsInput!) {
     list_permissions(params: $params) {
       objects
+      permissions {
+        object
+        relation
+      }
+      truncated
     }
   }
 `;
diff --git a/web/dashboard/src/types.ts b/web/dashboard/src/types.ts
index dbbfc2a4..544f7bf7 100644
--- a/web/dashboard/src/types.ts
+++ b/web/dashboard/src/types.ts
@@ -165,9 +165,18 @@ export interface FgaResetResponse {
 	};
 }
 
+// Permission is one (object, relation) pair a subject holds.
+export interface Permission {
+	object: string;
+	relation: string;
+}
+
 export interface ListPermissionsResponse {
 	list_permissions: {
 		objects: string[];
+		permissions: Permission[];
+		// True when the server capped the result set and more permissions exist.
+		truncated: boolean;
 	};
 }
 

From 67ccb246c9d0d20d70ab855f87088ece58610ced Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Thu, 11 Jun 2026 14:30:50 +0530
Subject: [PATCH 36/39] feat(dashboard): copyable user ID under the email in
 the Users table

FGA tuples and permission lookups need the user's UUID; admins previously
had to open the user detail view to get it. The ID now shows muted and
monospaced under the email with a one-click copy button (existing
clipboard + toast pattern); the click does not trigger the row's detail
view.
---
 web/dashboard/src/pages/Users.tsx | 34 ++++++++++++++++++++++++++++---
 1 file changed, 31 insertions(+), 3 deletions(-)

diff --git a/web/dashboard/src/pages/Users.tsx b/web/dashboard/src/pages/Users.tsx
index 8f5ef91c..9cecbd57 100644
--- a/web/dashboard/src/pages/Users.tsx
+++ b/web/dashboard/src/pages/Users.tsx
@@ -9,11 +9,12 @@ import {
 	ChevronRight,
 	ChevronDown,
 	AlertCircle,
+	Copy,
 	Search,
 } from 'lucide-react';
 import { UserDetailsQuery } from '../graphql/queries';
 import { EnableAccess, RevokeAccess, UpdateUser } from '../graphql/mutation';
-import { getGraphQLErrorMessage } from '../utils';
+import { copyTextToClipboard, getGraphQLErrorMessage } from '../utils';
 import EditUserModal from '../components/EditUserModal';
 import DeleteUserModal from '../components/DeleteUserModal';
 import InviteMembersModal from '../components/InviteMembersModal';
@@ -295,8 +296,35 @@ export default function Users() {
 										className="cursor-pointer hover:bg-gray-50"
 										onClick={() => setSelectedUser(user)}
 									>
-										<TableCell className="max-w-[300px] truncate text-sm">
-											{user.email || user.phone_number}
+										<TableCell className="max-w-[300px] text-sm">
+											<div className="truncate">
+												{user.email || user.phone_number}
+											</div>
+											<div className="mt-0.5 flex items-center gap-1 text-xs text-gray-400">
+												<span className="truncate font-mono" title={user.id}>
+													{user.id}
+												</span>
+												<Tooltip>
+													<TooltipTrigger asChild>
+														<Button
+															variant="ghost"
+															size="icon"
+															className="h-5 w-5 shrink-0 text-gray-400 hover:text-gray-700"
+															aria-label="Copy user ID"
+															onClick={(e) => {
+																// The row itself opens the user detail view —
+																// copying must not.
+																e.stopPropagation();
+																copyTextToClipboard(user.id);
+																toast.success('User ID copied');
+															}}
+														>
+															<Copy className="h-3 w-3" aria-hidden="true" />
+														</Button>
+													</TooltipTrigger>
+													<TooltipContent>Copy user ID</TooltipContent>
+												</Tooltip>
+											</div>
 										</TableCell>
 										<TableCell className="text-sm">
 											{dayjs(user.created_at * 1000).format('MMM DD, YYYY')}

From 8119fa7e42e2767450513bfb9955a77217a750ed Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Thu, 11 Jun 2026 14:34:21 +0530
Subject: [PATCH 37/39] feat(dashboard): permissions modal auto-loads the full
 list on open
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The Users-table permissions modal now fetches everything the user can
access the moment it opens — no filter input or button click required.
The form is purely a narrowing filter (Apply filters / Refresh), skeleton
rows show while loading, and all state resets on close so the next open
starts fresh for any user.
---
 .../src/components/UserPermissionsModal.tsx   | 127 +++++++++++-------
 1 file changed, 78 insertions(+), 49 deletions(-)

diff --git a/web/dashboard/src/components/UserPermissionsModal.tsx b/web/dashboard/src/components/UserPermissionsModal.tsx
index 3c7e8652..7a451a62 100644
--- a/web/dashboard/src/components/UserPermissionsModal.tsx
+++ b/web/dashboard/src/components/UserPermissionsModal.tsx
@@ -1,9 +1,10 @@
-import React, { useState } from 'react';
+import React, { useCallback, useEffect, useState } from 'react';
 import { useClient } from 'urql';
-import { Search, ShieldCheck, TriangleAlert } from 'lucide-react';
+import { RefreshCw, Search, ShieldCheck, TriangleAlert } from 'lucide-react';
 import { Button } from './ui/button';
 import { Input } from './ui/input';
 import { Label } from './ui/label';
+import { Skeleton } from './ui/skeleton';
 import {
 	Dialog,
 	DialogContent,
@@ -24,8 +25,9 @@ interface UserPermissionsModalProps {
 // UserPermissionsModal lets an admin answer "what can this user access?"
 // straight from the Users table. It calls the public list_permissions API with
 // an explicit subject — honored because the dashboard session is super-admin.
-// Both filters are optional: leaving them empty lists EVERY permission the
-// user holds across the authorization model.
+// The COMPLETE permission list loads automatically when the modal opens; the
+// form only narrows it (relation and/or object type), and all state resets on
+// close.
 const UserPermissionsModal = ({
 	user,
 	open,
@@ -39,45 +41,66 @@ const UserPermissionsModal = ({
 	const [error, setError] = useState('');
 	const [running, setRunning] = useState(false);
 
-	if (!user) return null;
+	const userId = user?.id ?? '';
 
-	const handleList = async (e: React.FormEvent) => {
-		e.preventDefault();
-		setRunning(true);
-		setError('');
-		setPermissions(null);
-		setTruncated(false);
-		try {
-			// Omit empty filters so the server enumerates every matching
-			// (type, relation) pair of the model.
-			const params: Record<string, string> = { user: `user:${user.id}` };
-			if (relation.trim()) params.relation = relation.trim();
-			if (objectType.trim()) params.object_type = objectType.trim();
-			const res = await client
-				.query<ListPermissionsResponse>(
-					ListPermissionsQuery,
-					{ params },
-					{ requestPolicy: 'network-only' },
-				)
-				.toPromise();
-			if (res.error) {
-				setError(
-					isFgaNotEnabledError(res.error)
-						? 'Fine-grained authorization is not enabled on this instance.'
-						: res.error.message.replace('[GraphQL] ', ''),
-				);
-				return;
+	const fetchPermissions = useCallback(
+		async (relationFilter: string, typeFilter: string) => {
+			if (!userId) return;
+			setRunning(true);
+			setError('');
+			setPermissions(null);
+			setTruncated(false);
+			try {
+				// Omit empty filters so the server enumerates every matching
+				// (type, relation) pair of the model.
+				const params: Record<string, string> = { user: `user:${userId}` };
+				if (relationFilter) params.relation = relationFilter;
+				if (typeFilter) params.object_type = typeFilter;
+				const res = await client
+					.query<ListPermissionsResponse>(
+						ListPermissionsQuery,
+						{ params },
+						{ requestPolicy: 'network-only' },
+					)
+					.toPromise();
+				if (res.error) {
+					setError(
+						isFgaNotEnabledError(res.error)
+							? 'Fine-grained authorization is not enabled on this instance.'
+							: res.error.message.replace('[GraphQL] ', ''),
+					);
+					return;
+				}
+				setPermissions(res.data?.list_permissions?.permissions ?? []);
+				setTruncated(res.data?.list_permissions?.truncated ?? false);
+			} catch {
+				setError('Failed to list permissions');
+			} finally {
+				setRunning(false);
 			}
-			setPermissions(res.data?.list_permissions?.permissions ?? []);
-			setTruncated(res.data?.list_permissions?.truncated ?? false);
-		} catch {
-			setError('Failed to list permissions');
-		} finally {
-			setRunning(false);
+		},
+		[client, userId],
+	);
+
+	// Load the complete list as soon as the modal opens — no filter or click
+	// needed to see what the user can access.
+	useEffect(() => {
+		if (open && userId) {
+			void fetchPermissions('', '');
 		}
+	}, [open, userId, fetchPermissions]);
+
+	if (!user) return null;
+
+	const handleFilter = async (e: React.FormEvent) => {
+		e.preventDefault();
+		await fetchPermissions(relation.trim(), objectType.trim());
 	};
 
 	const close = () => {
+		// Reset everything so the next open starts fresh for any user.
+		setRelation('');
+		setObjectType('');
 		setPermissions(null);
 		setTruncated(false);
 		setError('');
@@ -95,16 +118,15 @@ const UserPermissionsModal = ({
 						Permissions · {user.email || user.phone_number || user.id}
 					</DialogTitle>
 					<DialogDescription>
-						List what{' '}
+						Everything{' '}
 						<code className="rounded bg-gray-100 px-1 py-0.5 text-xs">
 							user:{user.id}
 						</code>{' '}
-						can access. Leave both fields empty to list everything, or narrow
-						by permission (relation) and/or object type from your authorization
-						model.
+						can access. Narrow by permission (relation) and/or object type if
+						the list is long.
 					</DialogDescription>
 				</DialogHeader>
-				<form onSubmit={handleList} className="space-y-3">
+				<form onSubmit={handleFilter} className="space-y-3">
 					<div className="grid grid-cols-1 gap-3 md:grid-cols-2">
 						<div className="space-y-1">
 							<Label htmlFor="perm-relation">Permission (optional)</Label>
@@ -127,13 +149,13 @@ const UserPermissionsModal = ({
 							/>
 						</div>
 					</div>
-					<Button type="submit" disabled={running}>
-						<Search className="mr-2 h-4 w-4" aria-hidden="true" />
-						{running
-							? 'Listing…'
-							: hasFilters
-								? 'List matching permissions'
-								: 'List all permissions'}
+					<Button type="submit" variant="outline" disabled={running}>
+						{hasFilters ? (
+							<Search className="mr-2 h-4 w-4" aria-hidden="true" />
+						) : (
+							<RefreshCw className="mr-2 h-4 w-4" aria-hidden="true" />
+						)}
+						{running ? 'Listing…' : hasFilters ? 'Apply filters' : 'Refresh'}
 					</Button>
 				</form>
 				{error && (
@@ -148,6 +170,13 @@ const UserPermissionsModal = ({
 						permission or object type to see the rest.
 					</p>
 				)}
+				{running && permissions === null && !error && (
+					<div className="space-y-2" aria-label="Loading permissions">
+						<Skeleton className="h-8 w-full" />
+						<Skeleton className="h-8 w-full" />
+						<Skeleton className="h-8 w-2/3" />
+					</div>
+				)}
 				{permissions !== null &&
 					(permissions.length ? (
 						<div className="max-h-64 overflow-y-auto rounded-lg border border-gray-200">

From 5e96925b6391d70f4b6567e30866dad8e2e7b407 Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Thu, 11 Jun 2026 17:31:15 +0530
Subject: [PATCH 38/39] test(fga): fail-closed coverage for every admin op +
 explicit store override
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

TestFGADisabled now asserts that ALL admin FGA ops — including every write
path (_fga_write_model, _fga_write_tuples, _fga_delete_tuples, _fga_reset)
plus _fga_get_model, _fga_read_tuples, _fga_list_users, _fga_expand and the
public list_permissions — return the not-enabled error when no engine is
configured, even for a super admin. This proves no FGA record can be
created via the API on an unsupported database without --fga-store, and is
the exact error that switches the dashboard's Authorization tab into its
FgaNotEnabled state.

TestFGAExplicitStoreOverrideForUnsupportedDB proves the other direction at
the config→engine seam: a mongodb main DB with explicit --fga-store/
--fga-store-url resolves to an enabled FGA config, and an engine built from
it exactly as cmd/root.go wires it serves model writes, tuple writes, and
checks.
---
 internal/integration_tests/fga_test.go | 122 +++++++++++++++++++++++++
 1 file changed, 122 insertions(+)

diff --git a/internal/integration_tests/fga_test.go b/internal/integration_tests/fga_test.go
index a975f939..f68bb384 100644
--- a/internal/integration_tests/fga_test.go
+++ b/internal/integration_tests/fga_test.go
@@ -1,8 +1,10 @@
 package integration_tests
 
 import (
+	"context"
 	"fmt"
 	"net/http/httptest"
+	"strings"
 	"testing"
 
 	"github.com/gin-gonic/gin"
@@ -690,4 +692,124 @@ func TestFGADisabled(t *testing.T) {
 		require.NotNil(t, res)
 		assert.True(t, res.IsValid)
 	})
+
+	// ---- No FGA records can be created or read via the API when no engine is
+	// configured (unsupported main DB without --fga-store). Every admin op —
+	// including all WRITE paths — must return the not-enabled error even for a
+	// super admin, which is also what makes the dashboard's Authorization tab
+	// render its FgaNotEnabled state. ----
+	t.Run("all admin FGA ops fail closed when engine not enabled", func(t *testing.T) {
+		setAdminCookie(t, ts)
+		defer clearCookies(ts)
+
+		const notEnabled = "fine-grained authorization is not enabled"
+		tuples := &model.FgaWriteTuplesInput{Tuples: []*model.FgaTupleInput{
+			{User: "user:alice", Relation: "viewer", Object: "document:1"},
+		}}
+
+		ops := []struct {
+			name string
+			call func() error
+		}{
+			{"_fga_write_model", func() error {
+				_, err := ts.GraphQLProvider.FgaWriteModel(ctx, &model.FgaWriteModelInput{Dsl: fgaTestModel})
+				return err
+			}},
+			{"_fga_write_tuples", func() error {
+				_, err := ts.GraphQLProvider.FgaWriteTuples(ctx, tuples)
+				return err
+			}},
+			{"_fga_delete_tuples", func() error {
+				_, err := ts.GraphQLProvider.FgaDeleteTuples(ctx, tuples)
+				return err
+			}},
+			{"_fga_reset", func() error {
+				_, err := ts.GraphQLProvider.FgaReset(ctx)
+				return err
+			}},
+			{"_fga_get_model", func() error {
+				_, err := ts.GraphQLProvider.FgaGetModel(ctx)
+				return err
+			}},
+			{"_fga_read_tuples", func() error {
+				_, err := ts.GraphQLProvider.FgaReadTuples(ctx, &model.FgaReadTuplesInput{})
+				return err
+			}},
+			{"_fga_list_users", func() error {
+				_, err := ts.GraphQLProvider.FgaListUsers(ctx, &model.FgaListUsersInput{
+					Object: "document:1", Relation: "viewer", UserType: "user",
+				})
+				return err
+			}},
+			{"_fga_expand", func() error {
+				_, err := ts.GraphQLProvider.FgaExpand(ctx, &model.FgaExpandInput{
+					Relation: "viewer", Object: "document:1",
+				})
+				return err
+			}},
+		}
+		for _, op := range ops {
+			t.Run(op.name, func(t *testing.T) {
+				err := op.call()
+				require.Error(t, err, "%s must fail when FGA is not enabled", op.name)
+				assert.Contains(t, err.Error(), notEnabled)
+			})
+		}
+	})
+
+	t.Run("list_permissions errors when engine not enabled", func(t *testing.T) {
+		res, err := ts.GraphQLProvider.ListPermissions(ctx, &model.ListPermissionsInput{})
+		assert.Error(t, err)
+		assert.Nil(t, res)
+		assert.Contains(t, err.Error(), "fine-grained authorization is not enabled")
+	})
+}
+
+// TestFGAExplicitStoreOverrideForUnsupportedDB proves the --fga-store override
+// end-to-end at the config→engine seam: a main database OpenFGA cannot use
+// (mongodb) combined with explicit --fga-store/--fga-store-url flags must
+// resolve to an ENABLED FGA config, and an engine built from that resolved
+// config — wired exactly the way cmd/root.go does it — must serve model
+// writes, tuple writes, and checks. This is what makes the dashboard's
+// Authorization tab fully functional on unsupported databases.
+func TestFGAExplicitStoreOverrideForUnsupportedDB(t *testing.T) {
+	ctx := context.Background()
+	logger := zerolog.New(zerolog.NewTestWriter(t))
+
+	cfg := getTestConfigForDB(constants.DbTypeMongoDB, "mongodb://unused-host/db")
+	cfg.FGAStore = "sqlite"
+	cfg.FGAStoreURL = t.TempDir() + "/fga-override.db"
+
+	store, storeURL, enabled := cfg.FGAStoreConfig()
+	require.True(t, enabled, "--fga-store must enable FGA on an unsupported main DB")
+	require.Equal(t, "sqlite", store)
+	require.Equal(t, "file:"+cfg.FGAStoreURL, storeURL)
+
+	// Mirror cmd/root.go's wiring of the resolved store config.
+	eng, err := fgaengine.New(&fgaengine.Config{
+		Store:         store,
+		StoreURL:      storeURL,
+		StoreName:     "override-test",
+		RunMigrations: !strings.EqualFold(store, fgaengine.StoreMemory),
+	}, &fgaengine.Dependencies{Log: &logger})
+	require.NoError(t, err, "engine must construct from the override store")
+	t.Cleanup(func() {
+		if closer, ok := eng.(interface{ Close() }); ok {
+			closer.Close()
+		}
+	})
+
+	_, err = eng.WriteModel(ctx, fgaTestModel)
+	require.NoError(t, err)
+	require.NoError(t, eng.WriteTuples(ctx, []engine.TupleKey{
+		{User: "user:alice", Relation: "viewer", Object: "document:1"},
+	}))
+
+	allowed, err := eng.Check(ctx, "user:alice", "can_view", "document:1")
+	require.NoError(t, err)
+	assert.True(t, allowed, "FGA must be fully functional via the explicit store override")
+
+	allowed, err = eng.Check(ctx, "user:bob", "can_view", "document:1")
+	require.NoError(t, err)
+	assert.False(t, allowed)
 }

From 099dc47451d12ac0be8b866ac3fb61039cb54db0 Mon Sep 17 00:00:00 2001
From: Lakhan Samani <lakhan.m.samani@gmail.com>
Date: Thu, 11 Jun 2026 17:31:15 +0530
Subject: [PATCH 39/39] test(dashboard): FgaNotEnabled rendering + not-enabled
 error detection
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Adds the first component-level dashboard tests: FgaNotEnabled (what the
Authorization tab shows on databases without OpenFGA support and no
--fga-store) must explain the state and surface the exact flags that fix
it, and isFgaNotEnabledError — the single decision point that switches the
tab into that state — is covered for the backend message, case variants,
unrelated errors, and missing input. Component tests opt into jsdom per
file; pure DSL tests stay on the node environment.

New dev-only deps: jsdom, @testing-library/react, @testing-library/dom.
---
 web/dashboard/package-lock.json               | 682 ++++++++++++++++++
 web/dashboard/package.json                    |   3 +
 .../src/components/FgaNotEnabled.test.tsx     |  28 +
 web/dashboard/src/lib/utils.test.ts           |  37 +
 web/dashboard/vitest.config.ts                |  11 +-
 5 files changed, 757 insertions(+), 4 deletions(-)
 create mode 100644 web/dashboard/src/components/FgaNotEnabled.test.tsx
 create mode 100644 web/dashboard/src/lib/utils.test.ts

diff --git a/web/dashboard/package-lock.json b/web/dashboard/package-lock.json
index 2769a00f..c24eef19 100644
--- a/web/dashboard/package-lock.json
+++ b/web/dashboard/package-lock.json
@@ -34,12 +34,15 @@
 			},
 			"devDependencies": {
 				"@tailwindcss/vite": "^4.1.4",
+				"@testing-library/dom": "^10.4.1",
+				"@testing-library/react": "^16.3.2",
 				"@types/lodash": "^4.17.7",
 				"@types/react": "^18.3.12",
 				"@types/react-dom": "^18.3.1",
 				"@types/react-email-editor": "^1.7.0",
 				"@types/react-router-dom": "^5.3.3",
 				"@vitejs/plugin-react": "^4.3.1",
+				"jsdom": "^29.1.1",
 				"prettier": "^3.3.3",
 				"tailwindcss": "^4.1.4",
 				"typescript": "^5.6.3",
@@ -61,6 +64,57 @@
 				}
 			}
 		},
+		"node_modules/@asamuzakjp/css-color": {
+			"version": "5.1.11",
+			"resolved": "https://registry.npmjs.org/@asamuzakjp/css-color/-/css-color-5.1.11.tgz",
+			"integrity": "sha512-KVw6qIiCTUQhByfTd78h2yD1/00waTmm9uy/R7Ck/ctUyAPj+AEDLkQIdJW0T8+qGgj3j5bpNKK7Q3G+LedJWg==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"@asamuzakjp/generational-cache": "^1.0.1",
+				"@csstools/css-calc": "^3.2.0",
+				"@csstools/css-color-parser": "^4.1.0",
+				"@csstools/css-parser-algorithms": "^4.0.0",
+				"@csstools/css-tokenizer": "^4.0.0"
+			},
+			"engines": {
+				"node": "^20.19.0 || ^22.12.0 || >=24.0.0"
+			}
+		},
+		"node_modules/@asamuzakjp/dom-selector": {
+			"version": "7.1.1",
+			"resolved": "https://registry.npmjs.org/@asamuzakjp/dom-selector/-/dom-selector-7.1.1.tgz",
+			"integrity": "sha512-67RZDnYRc8H/8MLDgQCDE//zoqVFwajkepHZgmXrbwybzXOEwOWGPYGmALYl9J2DOLfFPPs6kKCqmbzV895hTQ==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"@asamuzakjp/generational-cache": "^1.0.1",
+				"@asamuzakjp/nwsapi": "^2.3.9",
+				"bidi-js": "^1.0.3",
+				"css-tree": "^3.2.1",
+				"is-potential-custom-element-name": "^1.0.1"
+			},
+			"engines": {
+				"node": "^20.19.0 || ^22.12.0 || >=24.0.0"
+			}
+		},
+		"node_modules/@asamuzakjp/generational-cache": {
+			"version": "1.0.1",
+			"resolved": "https://registry.npmjs.org/@asamuzakjp/generational-cache/-/generational-cache-1.0.1.tgz",
+			"integrity": "sha512-wajfB8KqzMCN2KGNFdLkReeHncd0AslUSrvHVvvYWuU8ghncRJoA50kT3zP9MVL0+9g4/67H+cdvBskj9THPzg==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"node": "^20.19.0 || ^22.12.0 || >=24.0.0"
+			}
+		},
+		"node_modules/@asamuzakjp/nwsapi": {
+			"version": "2.3.9",
+			"resolved": "https://registry.npmjs.org/@asamuzakjp/nwsapi/-/nwsapi-2.3.9.tgz",
+			"integrity": "sha512-n8GuYSrI9bF7FFZ/SjhwevlHc8xaVlb/7HmHelnc/PZXBD2ZR49NnN9sMMuDdEGPeeRQ5d0hqlSlEpgCX3Wl0Q==",
+			"dev": true,
+			"license": "MIT"
+		},
 		"node_modules/@babel/code-frame": {
 			"version": "7.29.0",
 			"resolved": "https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.29.0.tgz",
@@ -295,6 +349,16 @@
 				"@babel/core": "^7.0.0-0"
 			}
 		},
+		"node_modules/@babel/runtime": {
+			"version": "7.29.7",
+			"resolved": "https://registry.npmjs.org/@babel/runtime/-/runtime-7.29.7.tgz",
+			"integrity": "sha512-Nq8OhGWiZIZGV6hLHoyAKLLcJihP/xFeBMGJoUrxTX2psI8dCifzLhZISFb+VWS3wFMRDmCGw5R+dOySCqPLhw==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"node": ">=6.9.0"
+			}
+		},
 		"node_modules/@babel/template": {
 			"version": "7.28.6",
 			"resolved": "https://registry.npmjs.org/@babel/template/-/template-7.28.6.tgz",
@@ -343,6 +407,159 @@
 				"node": ">=6.9.0"
 			}
 		},
+		"node_modules/@bramus/specificity": {
+			"version": "2.4.2",
+			"resolved": "https://registry.npmjs.org/@bramus/specificity/-/specificity-2.4.2.tgz",
+			"integrity": "sha512-ctxtJ/eA+t+6q2++vj5j7FYX3nRu311q1wfYH3xjlLOsczhlhxAg2FWNUXhpGvAw3BWo1xBcvOV6/YLc2r5FJw==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"css-tree": "^3.0.0"
+			},
+			"bin": {
+				"specificity": "bin/cli.js"
+			}
+		},
+		"node_modules/@csstools/color-helpers": {
+			"version": "6.0.2",
+			"resolved": "https://registry.npmjs.org/@csstools/color-helpers/-/color-helpers-6.0.2.tgz",
+			"integrity": "sha512-LMGQLS9EuADloEFkcTBR3BwV/CGHV7zyDxVRtVDTwdI2Ca4it0CCVTT9wCkxSgokjE5Ho41hEPgb8OEUwoXr6Q==",
+			"dev": true,
+			"funding": [
+				{
+					"type": "github",
+					"url": "https://github.com/sponsors/csstools"
+				},
+				{
+					"type": "opencollective",
+					"url": "https://opencollective.com/csstools"
+				}
+			],
+			"license": "MIT-0",
+			"engines": {
+				"node": ">=20.19.0"
+			}
+		},
+		"node_modules/@csstools/css-calc": {
+			"version": "3.2.1",
+			"resolved": "https://registry.npmjs.org/@csstools/css-calc/-/css-calc-3.2.1.tgz",
+			"integrity": "sha512-DtdHlgXh5ZkA43cwBcAm+huzgJiwx3ZTWVjBs94kwz2xKqSimDA3lBgCjphYgwgVUMWatSM0pDd8TILB1yrVVg==",
+			"dev": true,
+			"funding": [
+				{
+					"type": "github",
+					"url": "https://github.com/sponsors/csstools"
+				},
+				{
+					"type": "opencollective",
+					"url": "https://opencollective.com/csstools"
+				}
+			],
+			"license": "MIT",
+			"engines": {
+				"node": ">=20.19.0"
+			},
+			"peerDependencies": {
+				"@csstools/css-parser-algorithms": "^4.0.0",
+				"@csstools/css-tokenizer": "^4.0.0"
+			}
+		},
+		"node_modules/@csstools/css-color-parser": {
+			"version": "4.1.3",
+			"resolved": "https://registry.npmjs.org/@csstools/css-color-parser/-/css-color-parser-4.1.3.tgz",
+			"integrity": "sha512-DOgvIPkikIOixQRlD4YF31VN6fLLUTdrzhfRbis8vm0kMTgIbEPX0Ip/YX9fOeV9iywAS4sUUbTclpan7yYP8Q==",
+			"dev": true,
+			"funding": [
+				{
+					"type": "github",
+					"url": "https://github.com/sponsors/csstools"
+				},
+				{
+					"type": "opencollective",
+					"url": "https://opencollective.com/csstools"
+				}
+			],
+			"license": "MIT",
+			"dependencies": {
+				"@csstools/color-helpers": "^6.0.2",
+				"@csstools/css-calc": "^3.2.1"
+			},
+			"engines": {
+				"node": ">=20.19.0"
+			},
+			"peerDependencies": {
+				"@csstools/css-parser-algorithms": "^4.0.0",
+				"@csstools/css-tokenizer": "^4.0.0"
+			}
+		},
+		"node_modules/@csstools/css-parser-algorithms": {
+			"version": "4.0.0",
+			"resolved": "https://registry.npmjs.org/@csstools/css-parser-algorithms/-/css-parser-algorithms-4.0.0.tgz",
+			"integrity": "sha512-+B87qS7fIG3L5h3qwJ/IFbjoVoOe/bpOdh9hAjXbvx0o8ImEmUsGXN0inFOnk2ChCFgqkkGFQ+TpM5rbhkKe4w==",
+			"dev": true,
+			"funding": [
+				{
+					"type": "github",
+					"url": "https://github.com/sponsors/csstools"
+				},
+				{
+					"type": "opencollective",
+					"url": "https://opencollective.com/csstools"
+				}
+			],
+			"license": "MIT",
+			"engines": {
+				"node": ">=20.19.0"
+			},
+			"peerDependencies": {
+				"@csstools/css-tokenizer": "^4.0.0"
+			}
+		},
+		"node_modules/@csstools/css-syntax-patches-for-csstree": {
+			"version": "1.1.5",
+			"resolved": "https://registry.npmjs.org/@csstools/css-syntax-patches-for-csstree/-/css-syntax-patches-for-csstree-1.1.5.tgz",
+			"integrity": "sha512-oNjBvzLq2GPZtJphCjLqXow/cHySHSgtxvKZb7OqSZ/xHgw6NWNhfad+6AB9cLeVm6eA9d/qMll3JdEHjy6M+A==",
+			"dev": true,
+			"funding": [
+				{
+					"type": "github",
+					"url": "https://github.com/sponsors/csstools"
+				},
+				{
+					"type": "opencollective",
+					"url": "https://opencollective.com/csstools"
+				}
+			],
+			"license": "MIT-0",
+			"peerDependencies": {
+				"css-tree": "^3.2.1"
+			},
+			"peerDependenciesMeta": {
+				"css-tree": {
+					"optional": true
+				}
+			}
+		},
+		"node_modules/@csstools/css-tokenizer": {
+			"version": "4.0.0",
+			"resolved": "https://registry.npmjs.org/@csstools/css-tokenizer/-/css-tokenizer-4.0.0.tgz",
+			"integrity": "sha512-QxULHAm7cNu72w97JUNCBFODFaXpbDg+dP8b/oWFAZ2MTRppA3U00Y2L1HqaS4J6yBqxwa/Y3nMBaxVKbB/NsA==",
+			"dev": true,
+			"funding": [
+				{
+					"type": "github",
+					"url": "https://github.com/sponsors/csstools"
+				},
+				{
+					"type": "opencollective",
+					"url": "https://opencollective.com/csstools"
+				}
+			],
+			"license": "MIT",
+			"engines": {
+				"node": ">=20.19.0"
+			}
+		},
 		"node_modules/@esbuild/aix-ppc64": {
 			"version": "0.27.7",
 			"resolved": "https://registry.npmjs.org/@esbuild/aix-ppc64/-/aix-ppc64-0.27.7.tgz",
@@ -785,6 +1002,24 @@
 				"node": ">=18"
 			}
 		},
+		"node_modules/@exodus/bytes": {
+			"version": "1.15.1",
+			"resolved": "https://registry.npmjs.org/@exodus/bytes/-/bytes-1.15.1.tgz",
+			"integrity": "sha512-S6mL0yNB/Abt9Ei4tq8gDhcczc4S3+vQ4ra7vxnAf+YHC02srtqxKKZghx2Dq6p0e66THKwR6r8N6P95wEty7Q==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"node": "^20.19.0 || ^22.12.0 || >=24.0.0"
+			},
+			"peerDependencies": {
+				"@noble/hashes": "^1.8.0 || ^2.0.0"
+			},
+			"peerDependenciesMeta": {
+				"@noble/hashes": {
+					"optional": true
+				}
+			}
+		},
 		"node_modules/@floating-ui/core": {
 			"version": "1.7.5",
 			"resolved": "https://registry.npmjs.org/@floating-ui/core/-/core-1.7.5.tgz",
@@ -2410,6 +2645,61 @@
 				"vite": "^5.2.0 || ^6 || ^7 || ^8"
 			}
 		},
+		"node_modules/@testing-library/dom": {
+			"version": "10.4.1",
+			"resolved": "https://registry.npmjs.org/@testing-library/dom/-/dom-10.4.1.tgz",
+			"integrity": "sha512-o4PXJQidqJl82ckFaXUeoAW+XysPLauYI43Abki5hABd853iMhitooc6znOnczgbTYmEP6U6/y1ZyKAIsvMKGg==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"@babel/code-frame": "^7.10.4",
+				"@babel/runtime": "^7.12.5",
+				"@types/aria-query": "^5.0.1",
+				"aria-query": "5.3.0",
+				"dom-accessibility-api": "^0.5.9",
+				"lz-string": "^1.5.0",
+				"picocolors": "1.1.1",
+				"pretty-format": "^27.0.2"
+			},
+			"engines": {
+				"node": ">=18"
+			}
+		},
+		"node_modules/@testing-library/react": {
+			"version": "16.3.2",
+			"resolved": "https://registry.npmjs.org/@testing-library/react/-/react-16.3.2.tgz",
+			"integrity": "sha512-XU5/SytQM+ykqMnAnvB2umaJNIOsLF3PVv//1Ew4CTcpz0/BRyy/af40qqrt7SjKpDdT1saBMc42CUok5gaw+g==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"@babel/runtime": "^7.12.5"
+			},
+			"engines": {
+				"node": ">=18"
+			},
+			"peerDependencies": {
+				"@testing-library/dom": "^10.0.0",
+				"@types/react": "^18.0.0 || ^19.0.0",
+				"@types/react-dom": "^18.0.0 || ^19.0.0",
+				"react": "^18.0.0 || ^19.0.0",
+				"react-dom": "^18.0.0 || ^19.0.0"
+			},
+			"peerDependenciesMeta": {
+				"@types/react": {
+					"optional": true
+				},
+				"@types/react-dom": {
+					"optional": true
+				}
+			}
+		},
+		"node_modules/@types/aria-query": {
+			"version": "5.0.4",
+			"resolved": "https://registry.npmjs.org/@types/aria-query/-/aria-query-5.0.4.tgz",
+			"integrity": "sha512-rfT93uj5s0PRL7EzccGMs3brplhcrghnDoV26NqKhCAS1hVo+WdNsPvE/yb6ilfr5hi2MEk6d5EWJTKdxg8jVw==",
+			"dev": true,
+			"license": "MIT"
+		},
 		"node_modules/@types/babel__core": {
 			"version": "7.20.5",
 			"resolved": "https://registry.npmjs.org/@types/babel__core/-/babel__core-7.20.5.tgz",
@@ -2661,6 +2951,29 @@
 				"url": "https://opencollective.com/vitest"
 			}
 		},
+		"node_modules/ansi-regex": {
+			"version": "5.0.1",
+			"resolved": "https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz",
+			"integrity": "sha512-quJQXlTSUGL2LH9SUXo8VwsY4soanhgo6LNSm84E1LBcE8s3O0wpdiRzyR9z/ZZJMlMWv37qOOb9pdJlMUEKFQ==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"node": ">=8"
+			}
+		},
+		"node_modules/ansi-styles": {
+			"version": "5.2.0",
+			"resolved": "https://registry.npmjs.org/ansi-styles/-/ansi-styles-5.2.0.tgz",
+			"integrity": "sha512-Cxwpt2SfTzTtXcfOlzGEee8O+c+MmUgGrNiBcXnuWxuFJHe6a5Hz7qwhwe5OgaSYI0IJvkLqWX1ASG+cJOkEiA==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"node": ">=10"
+			},
+			"funding": {
+				"url": "https://github.com/chalk/ansi-styles?sponsor=1"
+			}
+		},
 		"node_modules/aria-hidden": {
 			"version": "1.2.6",
 			"resolved": "https://registry.npmjs.org/aria-hidden/-/aria-hidden-1.2.6.tgz",
@@ -2673,6 +2986,16 @@
 				"node": ">=10"
 			}
 		},
+		"node_modules/aria-query": {
+			"version": "5.3.0",
+			"resolved": "https://registry.npmjs.org/aria-query/-/aria-query-5.3.0.tgz",
+			"integrity": "sha512-b0P0sZPKtyu8HkeRAfCq0IfURZK+SuwMjY1UXGBU27wpAiTwQAIlq56IbIO+ytk/JjS1fMR14ee5WBBfKi5J6A==",
+			"dev": true,
+			"license": "Apache-2.0",
+			"dependencies": {
+				"dequal": "^2.0.3"
+			}
+		},
 		"node_modules/assertion-error": {
 			"version": "2.0.1",
 			"resolved": "https://registry.npmjs.org/assertion-error/-/assertion-error-2.0.1.tgz",
@@ -2705,6 +3028,16 @@
 				"node": ">=6.0.0"
 			}
 		},
+		"node_modules/bidi-js": {
+			"version": "1.0.3",
+			"resolved": "https://registry.npmjs.org/bidi-js/-/bidi-js-1.0.3.tgz",
+			"integrity": "sha512-RKshQI1R3YQ+n9YJz2QQ147P66ELpa1FQEg20Dk8oW9t2KgLbpDLLp9aGZ7y8WHSshDknG0bknqGw5/tyCs5tw==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"require-from-string": "^2.0.2"
+			}
+		},
 		"node_modules/browserslist": {
 			"version": "4.28.2",
 			"resolved": "https://registry.npmjs.org/browserslist/-/browserslist-4.28.2.tgz",
@@ -2838,6 +3171,20 @@
 				"url": "https://opencollective.com/express"
 			}
 		},
+		"node_modules/css-tree": {
+			"version": "3.2.1",
+			"resolved": "https://registry.npmjs.org/css-tree/-/css-tree-3.2.1.tgz",
+			"integrity": "sha512-X7sjQzceUhu1u7Y/ylrRZFU2FS6LRiFVp6rKLPg23y3x3c3DOKAwuXGDp+PAGjh6CSnCjYeAul8pcT8bAl+lSA==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"mdn-data": "2.27.1",
+				"source-map-js": "^1.2.1"
+			},
+			"engines": {
+				"node": "^10 || ^12.20.0 || ^14.13.0 || >=15.0.0"
+			}
+		},
 		"node_modules/csstype": {
 			"version": "3.2.3",
 			"resolved": "https://registry.npmjs.org/csstype/-/csstype-3.2.3.tgz",
@@ -2845,6 +3192,20 @@
 			"devOptional": true,
 			"license": "MIT"
 		},
+		"node_modules/data-urls": {
+			"version": "7.0.0",
+			"resolved": "https://registry.npmjs.org/data-urls/-/data-urls-7.0.0.tgz",
+			"integrity": "sha512-23XHcCF+coGYevirZceTVD7NdJOqVn+49IHyxgszm+JIiHLoB2TkmPtsYkNWT1pvRSGkc35L6NHs0yHkN2SumA==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"whatwg-mimetype": "^5.0.0",
+				"whatwg-url": "^16.0.0"
+			},
+			"engines": {
+				"node": "^20.19.0 || ^22.12.0 || >=24.0.0"
+			}
+		},
 		"node_modules/dayjs": {
 			"version": "1.11.20",
 			"resolved": "https://registry.npmjs.org/dayjs/-/dayjs-1.11.20.tgz",
@@ -2869,6 +3230,13 @@
 				}
 			}
 		},
+		"node_modules/decimal.js": {
+			"version": "10.6.0",
+			"resolved": "https://registry.npmjs.org/decimal.js/-/decimal.js-10.6.0.tgz",
+			"integrity": "sha512-YpgQiITW3JXGntzdUmyUR1V812Hn8T1YVXhCu+wO3OpS4eU9l4YdD3qjyiKdV6mvV29zapkMeD390UVEf2lkUg==",
+			"dev": true,
+			"license": "MIT"
+		},
 		"node_modules/deep-eql": {
 			"version": "5.0.2",
 			"resolved": "https://registry.npmjs.org/deep-eql/-/deep-eql-5.0.2.tgz",
@@ -2879,6 +3247,16 @@
 				"node": ">=6"
 			}
 		},
+		"node_modules/dequal": {
+			"version": "2.0.3",
+			"resolved": "https://registry.npmjs.org/dequal/-/dequal-2.0.3.tgz",
+			"integrity": "sha512-0je+qPKHEMohvfRTCEo3CrPG6cAzAYgmzKyxRiYSSDkS6eGJdyVJm7WaYA5ECaAD9wLB2T4EEeymA5aFVcYXCA==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"node": ">=6"
+			}
+		},
 		"node_modules/detect-libc": {
 			"version": "2.1.2",
 			"resolved": "https://registry.npmjs.org/detect-libc/-/detect-libc-2.1.2.tgz",
@@ -2895,6 +3273,13 @@
 			"integrity": "sha512-ypdmJU/TbBby2Dxibuv7ZLW3Bs1QEmM7nHjEANfohJLvE0XVujisn1qPJcZxg+qDucsr+bP6fLD1rPS3AhJ7EQ==",
 			"license": "MIT"
 		},
+		"node_modules/dom-accessibility-api": {
+			"version": "0.5.16",
+			"resolved": "https://registry.npmjs.org/dom-accessibility-api/-/dom-accessibility-api-0.5.16.tgz",
+			"integrity": "sha512-X7BJ2yElsnOJ30pZF4uIIDfBEVgF4XEBxL9Bxhy6dnrm5hkzqmsWHGTiHqRiITNhMyFLyAiWndIJP7Z1NTteDg==",
+			"dev": true,
+			"license": "MIT"
+		},
 		"node_modules/electron-to-chromium": {
 			"version": "1.5.335",
 			"resolved": "https://registry.npmjs.org/electron-to-chromium/-/electron-to-chromium-1.5.335.tgz",
@@ -2916,6 +3301,19 @@
 				"node": ">=10.13.0"
 			}
 		},
+		"node_modules/entities": {
+			"version": "8.0.0",
+			"resolved": "https://registry.npmjs.org/entities/-/entities-8.0.0.tgz",
+			"integrity": "sha512-zwfzJecQ/Uej6tusMqwAqU/6KL2XaB2VZ2Jg54Je6ahNBGNH6Ek6g3jjNCF0fG9EWQKGZNddNjU5F1ZQn/sBnA==",
+			"dev": true,
+			"license": "BSD-2-Clause",
+			"engines": {
+				"node": ">=20.19.0"
+			},
+			"funding": {
+				"url": "https://github.com/fb55/entities?sponsor=1"
+			}
+		},
 		"node_modules/es-module-lexer": {
 			"version": "1.7.0",
 			"resolved": "https://registry.npmjs.org/es-module-lexer/-/es-module-lexer-1.7.0.tgz",
@@ -3075,6 +3473,26 @@
 				"node": "^12.22.0 || ^14.16.0 || ^16.0.0 || >=17.0.0"
 			}
 		},
+		"node_modules/html-encoding-sniffer": {
+			"version": "6.0.0",
+			"resolved": "https://registry.npmjs.org/html-encoding-sniffer/-/html-encoding-sniffer-6.0.0.tgz",
+			"integrity": "sha512-CV9TW3Y3f8/wT0BRFc1/KAVQ3TUHiXmaAb6VW9vtiMFf7SLoMd1PdAc4W3KFOFETBJUb90KatHqlsZMWV+R9Gg==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"@exodus/bytes": "^1.6.0"
+			},
+			"engines": {
+				"node": "^20.19.0 || ^22.12.0 || >=24.0.0"
+			}
+		},
+		"node_modules/is-potential-custom-element-name": {
+			"version": "1.0.1",
+			"resolved": "https://registry.npmjs.org/is-potential-custom-element-name/-/is-potential-custom-element-name-1.0.1.tgz",
+			"integrity": "sha512-bCYeRA2rVibKZd+s2625gGnGF/t7DSqDs4dP7CrLA1m7jKWz6pps0LpYLJN8Q64HtmPKJ1hrN3nzPNKFEKOUiQ==",
+			"dev": true,
+			"license": "MIT"
+		},
 		"node_modules/jiti": {
 			"version": "2.6.1",
 			"resolved": "https://registry.npmjs.org/jiti/-/jiti-2.6.1.tgz",
@@ -3091,6 +3509,57 @@
 			"integrity": "sha512-RdJUflcE3cUzKiMqQgsCu06FPu9UdIJO0beYbPhHN4k6apgJtifcoCtT9bcxOpYBtpD2kCM6Sbzg4CausW/PKQ==",
 			"license": "MIT"
 		},
+		"node_modules/jsdom": {
+			"version": "29.1.1",
+			"resolved": "https://registry.npmjs.org/jsdom/-/jsdom-29.1.1.tgz",
+			"integrity": "sha512-ECi4Fi2f7BdJtUKTflYRTiaMxIB0O6zfR1fX0GXpUrf6flp8QIYn1UT20YQqdSOfk2dfkCwS8LAFoJDEppNK5Q==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"@asamuzakjp/css-color": "^5.1.11",
+				"@asamuzakjp/dom-selector": "^7.1.1",
+				"@bramus/specificity": "^2.4.2",
+				"@csstools/css-syntax-patches-for-csstree": "^1.1.3",
+				"@exodus/bytes": "^1.15.0",
+				"css-tree": "^3.2.1",
+				"data-urls": "^7.0.0",
+				"decimal.js": "^10.6.0",
+				"html-encoding-sniffer": "^6.0.0",
+				"is-potential-custom-element-name": "^1.0.1",
+				"lru-cache": "^11.3.5",
+				"parse5": "^8.0.1",
+				"saxes": "^6.0.0",
+				"symbol-tree": "^3.2.4",
+				"tough-cookie": "^6.0.1",
+				"undici": "^7.25.0",
+				"w3c-xmlserializer": "^5.0.0",
+				"webidl-conversions": "^8.0.1",
+				"whatwg-mimetype": "^5.0.0",
+				"whatwg-url": "^16.0.1",
+				"xml-name-validator": "^5.0.0"
+			},
+			"engines": {
+				"node": "^20.19.0 || ^22.13.0 || >=24.0.0"
+			},
+			"peerDependencies": {
+				"canvas": "^3.0.0"
+			},
+			"peerDependenciesMeta": {
+				"canvas": {
+					"optional": true
+				}
+			}
+		},
+		"node_modules/jsdom/node_modules/lru-cache": {
+			"version": "11.5.1",
+			"resolved": "https://registry.npmjs.org/lru-cache/-/lru-cache-11.5.1.tgz",
+			"integrity": "sha512-RPimw/7aMdv2oqRrxKwvZXcPfwBrn/JZ2xYcY9Hus/6LaS3VOAKVWKWgNLCFSiOm1ESXinjsDlidVU7JlnCN2A==",
+			"dev": true,
+			"license": "BlueOak-1.0.0",
+			"engines": {
+				"node": "20 || >=22"
+			}
+		},
 		"node_modules/jsesc": {
 			"version": "3.1.0",
 			"resolved": "https://registry.npmjs.org/jsesc/-/jsesc-3.1.0.tgz",
@@ -3422,6 +3891,16 @@
 				"react": "^16.5.1 || ^17.0.0 || ^18.0.0 || ^19.0.0"
 			}
 		},
+		"node_modules/lz-string": {
+			"version": "1.5.0",
+			"resolved": "https://registry.npmjs.org/lz-string/-/lz-string-1.5.0.tgz",
+			"integrity": "sha512-h5bgJWpxJNswbU7qCrV0tIKQCaS3blPDrqKWx+QxzuzL1zGUzij9XCWLrSLsJPu5t+eWA/ycetzYAO5IOMcWAQ==",
+			"dev": true,
+			"license": "MIT",
+			"bin": {
+				"lz-string": "bin/bin.js"
+			}
+		},
 		"node_modules/magic-string": {
 			"version": "0.30.21",
 			"resolved": "https://registry.npmjs.org/magic-string/-/magic-string-0.30.21.tgz",
@@ -3432,6 +3911,13 @@
 				"@jridgewell/sourcemap-codec": "^1.5.5"
 			}
 		},
+		"node_modules/mdn-data": {
+			"version": "2.27.1",
+			"resolved": "https://registry.npmjs.org/mdn-data/-/mdn-data-2.27.1.tgz",
+			"integrity": "sha512-9Yubnt3e8A0OKwxYSXyhLymGW4sCufcLG6VdiDdUGVkPhpqLxlvP5vl1983gQjJl3tqbrM731mjaZaP68AgosQ==",
+			"dev": true,
+			"license": "CC0-1.0"
+		},
 		"node_modules/ms": {
 			"version": "2.1.3",
 			"resolved": "https://registry.npmjs.org/ms/-/ms-2.1.3.tgz",
@@ -3474,6 +3960,19 @@
 				"node": ">=0.10.0"
 			}
 		},
+		"node_modules/parse5": {
+			"version": "8.0.1",
+			"resolved": "https://registry.npmjs.org/parse5/-/parse5-8.0.1.tgz",
+			"integrity": "sha512-z1e/HMG90obSGeidlli3hj7cbocou0/wa5HacvI3ASx34PecNjNQeaHNo5WIZpWofN9kgkqV1q5YvXe3F0FoPw==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"entities": "^8.0.0"
+			},
+			"funding": {
+				"url": "https://github.com/inikulin/parse5?sponsor=1"
+			}
+		},
 		"node_modules/pathe": {
 			"version": "1.1.2",
 			"resolved": "https://registry.npmjs.org/pathe/-/pathe-1.1.2.tgz",
@@ -3556,6 +4055,28 @@
 				"url": "https://github.com/prettier/prettier?sponsor=1"
 			}
 		},
+		"node_modules/pretty-format": {
+			"version": "27.5.1",
+			"resolved": "https://registry.npmjs.org/pretty-format/-/pretty-format-27.5.1.tgz",
+			"integrity": "sha512-Qb1gy5OrP5+zDf2Bvnzdl3jsTf1qXVMazbvCoKhtKqVs4/YK4ozX4gKQJJVyNe+cajNPn0KoC0MC3FUmaHWEmQ==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"ansi-regex": "^5.0.1",
+				"ansi-styles": "^5.0.0",
+				"react-is": "^17.0.1"
+			},
+			"engines": {
+				"node": "^10.13.0 || ^12.13.0 || ^14.15.0 || >=15.0.0"
+			}
+		},
+		"node_modules/pretty-format/node_modules/react-is": {
+			"version": "17.0.2",
+			"resolved": "https://registry.npmjs.org/react-is/-/react-is-17.0.2.tgz",
+			"integrity": "sha512-w2GsyukL62IJnlaff/nRegPQR94C/XXamvMWmSHRJ4y7Ts/4ocGRmTHvOs8PSE6pB3dWOrD/nueuU5sduBsQ4w==",
+			"dev": true,
+			"license": "MIT"
+		},
 		"node_modules/prop-types": {
 			"version": "15.8.1",
 			"resolved": "https://registry.npmjs.org/prop-types/-/prop-types-15.8.1.tgz",
@@ -3567,6 +4088,16 @@
 				"react-is": "^16.13.1"
 			}
 		},
+		"node_modules/punycode": {
+			"version": "2.3.1",
+			"resolved": "https://registry.npmjs.org/punycode/-/punycode-2.3.1.tgz",
+			"integrity": "sha512-vYt7UD1U9Wg6138shLtLOvdAu+8DsC/ilFtEVHcH+wydcSpNE20AfSOduf6MkRFahL5FY7X1oU7nKVZFtfq8Fg==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"node": ">=6"
+			}
+		},
 		"node_modules/react": {
 			"version": "18.3.1",
 			"resolved": "https://registry.npmjs.org/react/-/react-18.3.1.tgz",
@@ -3747,6 +4278,16 @@
 				}
 			}
 		},
+		"node_modules/require-from-string": {
+			"version": "2.0.2",
+			"resolved": "https://registry.npmjs.org/require-from-string/-/require-from-string-2.0.2.tgz",
+			"integrity": "sha512-Xf0nWe6RseziFMu+Ap9biiUbmplq6S9/p+7w7YXP/JBHhrUDDUhwa+vANyubuqfZWTveU//DYVGsDG7RKL/vEw==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"node": ">=0.10.0"
+			}
+		},
 		"node_modules/rollup": {
 			"version": "4.60.1",
 			"resolved": "https://registry.npmjs.org/rollup/-/rollup-4.60.1.tgz",
@@ -3792,6 +4333,19 @@
 				"fsevents": "~2.3.2"
 			}
 		},
+		"node_modules/saxes": {
+			"version": "6.0.0",
+			"resolved": "https://registry.npmjs.org/saxes/-/saxes-6.0.0.tgz",
+			"integrity": "sha512-xAg7SOnEhrm5zI3puOOKyy1OMcMlIJZYNJY7xLBwSze0UjhPLnWfj2GF2EpT0jmzaJKIWKHLsaSSajf35bcYnA==",
+			"dev": true,
+			"license": "ISC",
+			"dependencies": {
+				"xmlchars": "^2.2.0"
+			},
+			"engines": {
+				"node": ">=v12.22.7"
+			}
+		},
 		"node_modules/scheduler": {
 			"version": "0.23.2",
 			"resolved": "https://registry.npmjs.org/scheduler/-/scheduler-0.23.2.tgz",
@@ -3858,6 +4412,13 @@
 			"dev": true,
 			"license": "MIT"
 		},
+		"node_modules/symbol-tree": {
+			"version": "3.2.4",
+			"resolved": "https://registry.npmjs.org/symbol-tree/-/symbol-tree-3.2.4.tgz",
+			"integrity": "sha512-9QNk5KwDF+Bvz+PyObkmSYjI5ksVUYtjW7AU22r2NKcfLJcXp96hkDWU3+XndOsUb+AQ9QhfzfCT2O+CNWT5Tw==",
+			"dev": true,
+			"license": "MIT"
+		},
 		"node_modules/tailwind-merge": {
 			"version": "2.6.1",
 			"resolved": "https://registry.npmjs.org/tailwind-merge/-/tailwind-merge-2.6.1.tgz",
@@ -3950,6 +4511,52 @@
 				"node": ">=14.0.0"
 			}
 		},
+		"node_modules/tldts": {
+			"version": "7.4.2",
+			"resolved": "https://registry.npmjs.org/tldts/-/tldts-7.4.2.tgz",
+			"integrity": "sha512-kCwffuaH8ntKtygnWe1b4BJKWiCUH30n5KfoTr6IchcXOwR7chAOFJxFrH3vjANafUYrIA4a7SDL+nn7SiR4Sw==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"tldts-core": "^7.4.2"
+			},
+			"bin": {
+				"tldts": "bin/cli.js"
+			}
+		},
+		"node_modules/tldts-core": {
+			"version": "7.4.2",
+			"resolved": "https://registry.npmjs.org/tldts-core/-/tldts-core-7.4.2.tgz",
+			"integrity": "sha512-nwEyF4vl4RSJjwSjBUmOSxc3BFPoIFdlRthJ6e+5v9P3bHNsoD06UjuqMUspqp7vsEZ1beaHi1km+optiE17yA==",
+			"dev": true,
+			"license": "MIT"
+		},
+		"node_modules/tough-cookie": {
+			"version": "6.0.1",
+			"resolved": "https://registry.npmjs.org/tough-cookie/-/tough-cookie-6.0.1.tgz",
+			"integrity": "sha512-LktZQb3IeoUWB9lqR5EWTHgW/VTITCXg4D21M+lvybRVdylLrRMnqaIONLVb5mav8vM19m44HIcGq4qASeu2Qw==",
+			"dev": true,
+			"license": "BSD-3-Clause",
+			"dependencies": {
+				"tldts": "^7.0.5"
+			},
+			"engines": {
+				"node": ">=16"
+			}
+		},
+		"node_modules/tr46": {
+			"version": "6.0.0",
+			"resolved": "https://registry.npmjs.org/tr46/-/tr46-6.0.0.tgz",
+			"integrity": "sha512-bLVMLPtstlZ4iMQHpFHTR7GAGj2jxi8Dg0s2h2MafAE4uSWF98FC/3MomU51iQAMf8/qDUbKWf5GxuvvVcXEhw==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"punycode": "^2.3.1"
+			},
+			"engines": {
+				"node": ">=20"
+			}
+		},
 		"node_modules/tslib": {
 			"version": "2.8.1",
 			"resolved": "https://registry.npmjs.org/tslib/-/tslib-2.8.1.tgz",
@@ -3970,6 +4577,16 @@
 				"node": ">=14.17"
 			}
 		},
+		"node_modules/undici": {
+			"version": "7.27.2",
+			"resolved": "https://registry.npmjs.org/undici/-/undici-7.27.2.tgz",
+			"integrity": "sha512-uZsKNuzQxDMUY6M3pIMvy5tvlGmtq8XJ2oLAkfRKGNu+1VQAIvLy2xIVG5ATZl5wDXl/tddByAWCizRbOme+TA==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"node": ">=20.18.1"
+			}
+		},
 		"node_modules/update-browserslist-db": {
 			"version": "1.2.3",
 			"resolved": "https://registry.npmjs.org/update-browserslist-db/-/update-browserslist-db-1.2.3.tgz",
@@ -5239,6 +5856,54 @@
 				}
 			}
 		},
+		"node_modules/w3c-xmlserializer": {
+			"version": "5.0.0",
+			"resolved": "https://registry.npmjs.org/w3c-xmlserializer/-/w3c-xmlserializer-5.0.0.tgz",
+			"integrity": "sha512-o8qghlI8NZHU1lLPrpi2+Uq7abh4GGPpYANlalzWxyWteJOCsr/P+oPBA49TOLu5FTZO4d3F9MnWJfiMo4BkmA==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"xml-name-validator": "^5.0.0"
+			},
+			"engines": {
+				"node": ">=18"
+			}
+		},
+		"node_modules/webidl-conversions": {
+			"version": "8.0.1",
+			"resolved": "https://registry.npmjs.org/webidl-conversions/-/webidl-conversions-8.0.1.tgz",
+			"integrity": "sha512-BMhLD/Sw+GbJC21C/UgyaZX41nPt8bUTg+jWyDeg7e7YN4xOM05YPSIXceACnXVtqyEw/LMClUQMtMZ+PGGpqQ==",
+			"dev": true,
+			"license": "BSD-2-Clause",
+			"engines": {
+				"node": ">=20"
+			}
+		},
+		"node_modules/whatwg-mimetype": {
+			"version": "5.0.0",
+			"resolved": "https://registry.npmjs.org/whatwg-mimetype/-/whatwg-mimetype-5.0.0.tgz",
+			"integrity": "sha512-sXcNcHOC51uPGF0P/D4NVtrkjSU2fNsm9iog4ZvZJsL3rjoDAzXZhkm2MWt1y+PUdggKAYVoMAIYcs78wJ51Cw==",
+			"dev": true,
+			"license": "MIT",
+			"engines": {
+				"node": ">=20"
+			}
+		},
+		"node_modules/whatwg-url": {
+			"version": "16.0.1",
+			"resolved": "https://registry.npmjs.org/whatwg-url/-/whatwg-url-16.0.1.tgz",
+			"integrity": "sha512-1to4zXBxmXHV3IiSSEInrreIlu02vUOvrhxJJH5vcxYTBDAx51cqZiKdyTxlecdKNSjj8EcxGBxNf6Vg+945gw==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"@exodus/bytes": "^1.11.0",
+				"tr46": "^6.0.0",
+				"webidl-conversions": "^8.0.1"
+			},
+			"engines": {
+				"node": "^20.19.0 || ^22.12.0 || >=24.0.0"
+			}
+		},
 		"node_modules/why-is-node-running": {
 			"version": "2.3.0",
 			"resolved": "https://registry.npmjs.org/why-is-node-running/-/why-is-node-running-2.3.0.tgz",
@@ -5262,6 +5927,23 @@
 			"integrity": "sha512-MXH+6mDHAZ2GuMpgKS055FR6v0xVP3XwquxIMYXgiW+FejHQlMGlvVRZT4qMCxR+bEo/FCtIdKxwej9WV3YQag==",
 			"license": "MIT"
 		},
+		"node_modules/xml-name-validator": {
+			"version": "5.0.0",
+			"resolved": "https://registry.npmjs.org/xml-name-validator/-/xml-name-validator-5.0.0.tgz",
+			"integrity": "sha512-EvGK8EJ3DhaHfbRlETOWAS5pO9MZITeauHKJyb8wyajUfQUenkIg2MvLDTZ4T/TgIcm3HU0TFBgWWboAZ30UHg==",
+			"dev": true,
+			"license": "Apache-2.0",
+			"engines": {
+				"node": ">=18"
+			}
+		},
+		"node_modules/xmlchars": {
+			"version": "2.2.0",
+			"resolved": "https://registry.npmjs.org/xmlchars/-/xmlchars-2.2.0.tgz",
+			"integrity": "sha512-JZnDKK8B0RCDw84FNdDAIpZK+JuJw+s7Lz8nksI7SIuU3UXJJslUthsi+uWBUYOwPFwW7W7PRLRfUKpxjtjFCw==",
+			"dev": true,
+			"license": "MIT"
+		},
 		"node_modules/yallist": {
 			"version": "3.1.1",
 			"resolved": "https://registry.npmjs.org/yallist/-/yallist-3.1.1.tgz",
diff --git a/web/dashboard/package.json b/web/dashboard/package.json
index c7b0972e..0a5ab6b3 100644
--- a/web/dashboard/package.json
+++ b/web/dashboard/package.json
@@ -40,12 +40,15 @@
 	},
 	"devDependencies": {
 		"@tailwindcss/vite": "^4.1.4",
+		"@testing-library/dom": "^10.4.1",
+		"@testing-library/react": "^16.3.2",
 		"@types/lodash": "^4.17.7",
 		"@types/react": "^18.3.12",
 		"@types/react-dom": "^18.3.1",
 		"@types/react-email-editor": "^1.7.0",
 		"@types/react-router-dom": "^5.3.3",
 		"@vitejs/plugin-react": "^4.3.1",
+		"jsdom": "^29.1.1",
 		"prettier": "^3.3.3",
 		"tailwindcss": "^4.1.4",
 		"typescript": "^5.6.3",
diff --git a/web/dashboard/src/components/FgaNotEnabled.test.tsx b/web/dashboard/src/components/FgaNotEnabled.test.tsx
new file mode 100644
index 00000000..29d49cae
--- /dev/null
+++ b/web/dashboard/src/components/FgaNotEnabled.test.tsx
@@ -0,0 +1,28 @@
+// @vitest-environment jsdom
+import React from 'react';
+import { describe, expect, it } from 'vitest';
+import { render, screen } from '@testing-library/react';
+import FgaNotEnabled from './FgaNotEnabled';
+
+// FgaNotEnabled is what the Authorization tab renders when the backend
+// reports "fine-grained authorization is not enabled" — i.e. the main
+// database does not support OpenFGA and no --fga-store override was passed.
+// The screen must explain the state and show the exact flags that fix it.
+describe('FgaNotEnabled', () => {
+	it('explains that FGA is not enabled', () => {
+		render(<FgaNotEnabled />);
+		expect(
+			screen.getByText(/Fine-Grained Authorization isn(’|')t enabled yet/),
+		).toBeTruthy();
+	});
+
+	it('shows the --fga-store flags needed to enable it', () => {
+		render(<FgaNotEnabled />);
+		// The command renders in more than one place (code block + copy
+		// affordance) — all occurrences must carry both flags.
+		expect(
+			screen.getAllByText(/--fga-store=postgres/).length,
+		).toBeGreaterThan(0);
+		expect(screen.getAllByText(/--fga-store-url=/).length).toBeGreaterThan(0);
+	});
+});
diff --git a/web/dashboard/src/lib/utils.test.ts b/web/dashboard/src/lib/utils.test.ts
new file mode 100644
index 00000000..7c466842
--- /dev/null
+++ b/web/dashboard/src/lib/utils.test.ts
@@ -0,0 +1,37 @@
+import { describe, expect, it } from 'vitest';
+import { isFgaNotEnabledError } from './utils';
+
+// isFgaNotEnabledError is the single decision point that switches the
+// Authorization tab (and the user permissions modal) into the FgaNotEnabled
+// state — e.g. when the main database does not support OpenFGA and no
+// --fga-store override is configured.
+describe('isFgaNotEnabledError', () => {
+	it('detects the backend not-enabled error', () => {
+		expect(
+			isFgaNotEnabledError({
+				message: '[GraphQL] fine-grained authorization is not enabled',
+			}),
+		).toBe(true);
+	});
+
+	it('is case-insensitive', () => {
+		expect(
+			isFgaNotEnabledError({
+				message: 'Fine-Grained Authorization Is Not Enabled',
+			}),
+		).toBe(true);
+	});
+
+	it('ignores unrelated errors', () => {
+		expect(isFgaNotEnabledError({ message: 'unauthorized' })).toBe(false);
+		expect(
+			isFgaNotEnabledError({ message: 'authorization check failed' }),
+		).toBe(false);
+	});
+
+	it('handles missing errors safely', () => {
+		expect(isFgaNotEnabledError(undefined)).toBe(false);
+		expect(isFgaNotEnabledError(null)).toBe(false);
+		expect(isFgaNotEnabledError({})).toBe(false);
+	});
+});
diff --git a/web/dashboard/vitest.config.ts b/web/dashboard/vitest.config.ts
index 2dae37a4..78ef10a8 100644
--- a/web/dashboard/vitest.config.ts
+++ b/web/dashboard/vitest.config.ts
@@ -1,11 +1,14 @@
 import { defineConfig } from 'vitest/config';
+import react from '@vitejs/plugin-react';
 
-// Unit tests run in a plain Node environment — the suites here cover pure
-// model/DSL logic, no DOM required. Kept separate from vite.config.ts so the
-// production build config stays untouched.
+// Unit tests default to a plain Node environment (pure model/DSL logic);
+// component tests opt into jsdom per file via `// @vitest-environment jsdom`.
+// Kept separate from vite.config.ts so the production build config stays
+// untouched.
 export default defineConfig({
+	plugins: [react()],
 	test: {
 		environment: 'node',
-		include: ['src/**/*.test.ts'],
+		include: ['src/**/*.test.ts', 'src/**/*.test.tsx'],
 	},
 });