smplkit 3.0.88 → 3.0.89

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8b4904b7847b08b27d2961a2d2627969f2e50b3e1905fe0fc4867def1d09332e
-  data.tar.gz: 5facbd70792ef873500e8ab13282c9384d4f29beb2f1aff156464f0f4fdc0309
+  metadata.gz: e74796a149f8cbc251ba882ad41437fc2abfb444ec41c1ddc1a016b747b44239
+  data.tar.gz: 40b5cf412aeee85051340f68aac8c6a125e387ee6d7e116c7e8733e3901fdbff
 SHA512:
-  metadata.gz: 8ade3b3e53ad9b226de37b24d31bc392f1d37d8bc1626e3fa9ff74a5eca98b1e67714d0c9197c6430b3c577d3bc38071c5af9eec9d6e3363a2a2a6e7da554753
-  data.tar.gz: a681e7271d381e91949ed83a918db7c7178b8c3d260fef73fe74f243f949dc49f751a9f1fa8f5558cef005d661e2bcf6a7fff31946e13a98d22a4d7a05c1959f
+  metadata.gz: 62168449fd8f785be652fb7ca29d0ba277677600c48005ddae7e1e388e668abaeb319bfbd3749a5ed0fc09650d5422c42dfa1e16c0e1cbdcddd562103f00ba12
+  data.tar.gz: b9d53e62c4b73514a7e5ce03baa56d22e81049979bd7b445f9b572753dc60e667e4291a92960c4fec7723ace99d6b64672dfaf0d536c01f93c1003260e977bae

data/lib/smplkit/_generated/audit/lib/smplkit_audit_client/api/categories_api.rb

@@ -20,7 +20,7 @@ module SmplkitGeneratedClient::Audit
       @api_client = api_client
     end
     # List Categories
-    # List the distinct `category` values recorded for this account.  The resource `id` is the category value itself. Default sort is `key` ascending; pass `sort=-key` for descending. Useful for populating filter dropdowns in a UI.
+    # List the distinct `category` values recorded for this account.  The resource `id` is the category value itself. Default sort is `key` ascending; pass `sort=-key` for descending. Scoped to the resolved environment. Useful for populating filter dropdowns in a UI.
     # @param [Hash] opts the optional parameters
     # @option opts [String] :sort Field to sort by. Prefix with `-` for descending order. Default: `key`. Allowed values: `key`, `-key`. (default to 'key')
     # @option opts [Integer] :page_number 1-based page number to return. Optional; defaults to `1` when omitted. Must be `>= 1` — requests with a smaller value are rejected with a 400 error. (default to 1)
@@ -33,7 +33,7 @@ module SmplkitGeneratedClient::Audit
     end
 
     # List Categories
-    # List the distinct `category` values recorded for this account.  The resource `id` is the category value itself. Default sort is `key` ascending; pass `sort=-key` for descending. Useful for populating filter dropdowns in a UI.
+    # List the distinct `category` values recorded for this account.  The resource `id` is the category value itself. Default sort is `key` ascending; pass `sort=-key` for descending. Scoped to the resolved environment. Useful for populating filter dropdowns in a UI.
     # @param [Hash] opts the optional parameters
     # @option opts [String] :sort Field to sort by. Prefix with `-` for descending order. Default: `key`. Allowed values: `key`, `-key`. (default to 'key')
     # @option opts [Integer] :page_number 1-based page number to return. Optional; defaults to `1` when omitted. Must be `>= 1` — requests with a smaller value are rejected with a 400 error. (default to 1)

data/lib/smplkit/_generated/audit/lib/smplkit_audit_client/api/event_types_api.rb

@@ -20,7 +20,7 @@ module SmplkitGeneratedClient::Audit
       @api_client = api_client
     end
     # List Event Types
-    # List the distinct `event_type` slugs recorded for this account.  Default sort is `key` ascending; pass `sort=-key` for descending. Without `filter[resource_type]`, returns one row per distinct event_type. With `filter[resource_type]`, returns the event_types recorded for that specific resource type.
+    # List the distinct `event_type` slugs recorded for this account.  Default sort is `key` ascending; pass `sort=-key` for descending. Scoped to the resolved environment. Without `filter[resource_type]`, returns one row per distinct event_type. With `filter[resource_type]`, returns the event_types recorded for that specific resource type.
     # @param [Hash] opts the optional parameters
     # @option opts [String] :filter_resource_type 
     # @option opts [String] :sort Field to sort by. Prefix with `-` for descending order. Default: `key`. Allowed values: `key`, `-key`. (default to 'key')
@@ -34,7 +34,7 @@ module SmplkitGeneratedClient::Audit
     end
 
     # List Event Types
-    # List the distinct `event_type` slugs recorded for this account.  Default sort is `key` ascending; pass `sort=-key` for descending. Without `filter[resource_type]`, returns one row per distinct event_type. With `filter[resource_type]`, returns the event_types recorded for that specific resource type.
+    # List the distinct `event_type` slugs recorded for this account.  Default sort is `key` ascending; pass `sort=-key` for descending. Scoped to the resolved environment. Without `filter[resource_type]`, returns one row per distinct event_type. With `filter[resource_type]`, returns the event_types recorded for that specific resource type.
     # @param [Hash] opts the optional parameters
     # @option opts [String] :filter_resource_type 
     # @option opts [String] :sort Field to sort by. Prefix with `-` for descending order. Default: `key`. Allowed values: `key`, `-key`. (default to 'key')

data/lib/smplkit/_generated/audit/lib/smplkit_audit_client/api/events_api.rb

@@ -20,7 +20,7 @@ module SmplkitGeneratedClient::Audit
       @api_client = api_client
     end
     # Get Event
-    # Retrieve a single audit event by id.
+    # Retrieve a single audit event by id.  Authorized against the caller's permitted environment set: the event is returned only if its environment is one the caller may access, otherwise `404` (the same response as a non-existent id, so existence never leaks across environments). The `X-Smplkit-Environment` header is ignored here — a single-object lookup names the object by id, it does not resolve an ambient environment.
     # @param event_id [String] 
     # @param [Hash] opts the optional parameters
     # @return [EventResponse]
@@ -30,7 +30,7 @@ module SmplkitGeneratedClient::Audit
     end
 
     # Get Event
-    # Retrieve a single audit event by id.
+    # Retrieve a single audit event by id.  Authorized against the caller's permitted environment set: the event is returned only if its environment is one the caller may access, otherwise `404` (the same response as a non-existent id, so existence never leaks across environments). The `X-Smplkit-Environment` header is ignored here — a single-object lookup names the object by id, it does not resolve an ambient environment.
     # @param event_id [String] 
     # @param [Hash] opts the optional parameters
     # @return [Array<(EventResponse, Integer, Hash)>] EventResponse data, response status code and response headers
@@ -194,7 +194,7 @@ module SmplkitGeneratedClient::Audit
     end
 
     # Record Event
-    # Record an audit event for this account.  Returns `201 Created` on first write, `200 OK` if the request was a duplicate (matched by `Idempotency-Key` or a key derived from the event's content).  `resource_type` values beginning with `smpl.` are reserved for events that smplkit emits about its own resources and cannot be used here.
+    # Record an audit event for this account.  The event is stamped with the environment it occurred in: a single-environment credential implies it; a multi-environment or unrestricted credential must send the `X-Smplkit-Environment` header. The resolved environment must exist and be managed for the account.  Returns `201 Created` on first write, `200 OK` if the request was a duplicate (matched by `Idempotency-Key` or a key derived from the event's content). The same content recorded in two environments produces two distinct events.  `resource_type` values beginning with `smpl.` are reserved for events that smplkit emits about its own resources and cannot be used here.
     # @param event_request [EventRequest] 
     # @param [Hash] opts the optional parameters
     # @option opts [String] :idempotency_key 
@@ -205,7 +205,7 @@ module SmplkitGeneratedClient::Audit
     end
 
     # Record Event
-    # Record an audit event for this account.  Returns &#x60;201 Created&#x60; on first write, &#x60;200 OK&#x60; if the request was a duplicate (matched by &#x60;Idempotency-Key&#x60; or a key derived from the event&#39;s content).  &#x60;resource_type&#x60; values beginning with &#x60;smpl.&#x60; are reserved for events that smplkit emits about its own resources and cannot be used here.
+    # Record an audit event for this account.  The event is stamped with the environment it occurred in: a single-environment credential implies it; a multi-environment or unrestricted credential must send the &#x60;X-Smplkit-Environment&#x60; header. The resolved environment must exist and be managed for the account.  Returns &#x60;201 Created&#x60; on first write, &#x60;200 OK&#x60; if the request was a duplicate (matched by &#x60;Idempotency-Key&#x60; or a key derived from the event&#39;s content). The same content recorded in two environments produces two distinct events.  &#x60;resource_type&#x60; values beginning with &#x60;smpl.&#x60; are reserved for events that smplkit emits about its own resources and cannot be used here.
     # @param event_request [EventRequest] 
     # @param [Hash] opts the optional parameters
     # @option opts [String] :idempotency_key 
@@ -265,7 +265,7 @@ module SmplkitGeneratedClient::Audit
     end
 
     # Search Events
-    # Search audit events with column filters and an optional JSON Logic expression.  Without a JSON Logic `filter`: behaves like `GET /api/v1/events` with the same column filters.  With a JSON Logic `filter`: the search is silently capped to the last 30 days by `occurred_at` (intersected with any explicit `filter[occurred_at]` the caller supplied), the column filters narrow the candidate set in SQL, and the JSON Logic expression runs in memory against each candidate row using the same `json-logic-qubit` evaluator the forwarder pipeline uses. Up to 50,000 rows are scanned per request; the response's `meta.scan` block reports the scan stats so a selective filter doesn't look like \"0 matches\" when the truth is \"ceiling reached.\"
+    # Search audit events with column filters and an optional JSON Logic expression.  Scoped to the resolved environment (a single-environment credential implies it; otherwise send the `X-Smplkit-Environment` header).  Without a JSON Logic `filter`: behaves like `GET /api/v1/events` with the same column filters.  With a JSON Logic `filter`: the search is silently capped to the last 30 days by `occurred_at` (intersected with any explicit `filter[occurred_at]` the caller supplied), the column filters narrow the candidate set in SQL, and the JSON Logic expression runs in memory against each candidate row using the same `json-logic-qubit` evaluator the forwarder pipeline uses. Up to 50,000 rows are scanned per request; the response's `meta.scan` block reports the scan stats so a selective filter doesn't look like \"0 matches\" when the truth is \"ceiling reached.\"
     # @param event_search_request [EventSearchRequest] 
     # @param [Hash] opts the optional parameters
     # @return [EventSearchResponse]
@@ -275,7 +275,7 @@ module SmplkitGeneratedClient::Audit
     end
 
     # Search Events
-    # Search audit events with column filters and an optional JSON Logic expression.  Without a JSON Logic &#x60;filter&#x60;: behaves like &#x60;GET /api/v1/events&#x60; with the same column filters.  With a JSON Logic &#x60;filter&#x60;: the search is silently capped to the last 30 days by &#x60;occurred_at&#x60; (intersected with any explicit &#x60;filter[occurred_at]&#x60; the caller supplied), the column filters narrow the candidate set in SQL, and the JSON Logic expression runs in memory against each candidate row using the same &#x60;json-logic-qubit&#x60; evaluator the forwarder pipeline uses. Up to 50,000 rows are scanned per request; the response&#39;s &#x60;meta.scan&#x60; block reports the scan stats so a selective filter doesn&#39;t look like \&quot;0 matches\&quot; when the truth is \&quot;ceiling reached.\&quot;
+    # Search audit events with column filters and an optional JSON Logic expression.  Scoped to the resolved environment (a single-environment credential implies it; otherwise send the &#x60;X-Smplkit-Environment&#x60; header).  Without a JSON Logic &#x60;filter&#x60;: behaves like &#x60;GET /api/v1/events&#x60; with the same column filters.  With a JSON Logic &#x60;filter&#x60;: the search is silently capped to the last 30 days by &#x60;occurred_at&#x60; (intersected with any explicit &#x60;filter[occurred_at]&#x60; the caller supplied), the column filters narrow the candidate set in SQL, and the JSON Logic expression runs in memory against each candidate row using the same &#x60;json-logic-qubit&#x60; evaluator the forwarder pipeline uses. Up to 50,000 rows are scanned per request; the response&#39;s &#x60;meta.scan&#x60; block reports the scan stats so a selective filter doesn&#39;t look like \&quot;0 matches\&quot; when the truth is \&quot;ceiling reached.\&quot;
     # @param event_search_request [EventSearchRequest] 
     # @param [Hash] opts the optional parameters
     # @return [Array<(EventSearchResponse, Integer, Hash)>] EventSearchResponse data, response status code and response headers

data/lib/smplkit/_generated/audit/lib/smplkit_audit_client/api/forwarders_api.rb

@@ -20,7 +20,7 @@ module SmplkitGeneratedClient::Audit
       @api_client = api_client
     end
     # Create Forwarder
-    # Create a forwarder for this account.  The caller supplies the forwarder's key as `data.id`. Keys are unique within an account and immutable for the lifetime of the forwarder.
+    # Create a forwarder for this account.  The caller supplies the forwarder's key as `data.id`. Keys are unique within an account and immutable for the lifetime of the forwarder.  Enablement is per-environment: a forwarder is enabled in an environment only via `environments[<env>].enabled`; the base `enabled` is always false. Every environment referenced in `environments` must exist and be managed for the account.
     # @param forwarder_create_request [ForwarderCreateRequest] 
     # @param [Hash] opts the optional parameters
     # @return [ForwarderResponse]
@@ -30,7 +30,7 @@ module SmplkitGeneratedClient::Audit
     end
 
     # Create Forwarder
-    # Create a forwarder for this account.  The caller supplies the forwarder&#39;s key as &#x60;data.id&#x60;. Keys are unique within an account and immutable for the lifetime of the forwarder.
+    # Create a forwarder for this account.  The caller supplies the forwarder&#39;s key as &#x60;data.id&#x60;. Keys are unique within an account and immutable for the lifetime of the forwarder.  Enablement is per-environment: a forwarder is enabled in an environment only via &#x60;environments[&lt;env&gt;].enabled&#x60;; the base &#x60;enabled&#x60; is always false. Every environment referenced in &#x60;environments&#x60; must exist and be managed for the account.
     # @param forwarder_create_request [ForwarderCreateRequest] 
     # @param [Hash] opts the optional parameters
     # @return [Array<(ForwarderResponse, Integer, Hash)>] ForwarderResponse data, response status code and response headers
@@ -217,7 +217,7 @@ module SmplkitGeneratedClient::Audit
     end
 
     # Get Forwarder
-    # Retrieve a single forwarder by id.  Header values are returned in plaintext so the resource can be round-tripped with `GET`, mutate, `PUT` without re-entering secrets.
+    # Retrieve a single forwarder by id.  Header values are returned in plaintext so the resource can be round-tripped with `GET`, mutate, `PUT` without re-entering secrets. The `environments` override map is scoped to the caller's environment groups.
     # @param forwarder_id [String] 
     # @param [Hash] opts the optional parameters
     # @return [ForwarderResponse]
@@ -227,7 +227,7 @@ module SmplkitGeneratedClient::Audit
     end
 
     # Get Forwarder
-    # Retrieve a single forwarder by id.  Header values are returned in plaintext so the resource can be round-tripped with &#x60;GET&#x60;, mutate, &#x60;PUT&#x60; without re-entering secrets.
+    # Retrieve a single forwarder by id.  Header values are returned in plaintext so the resource can be round-tripped with &#x60;GET&#x60;, mutate, &#x60;PUT&#x60; without re-entering secrets. The &#x60;environments&#x60; override map is scoped to the caller&#39;s environment groups.
     # @param forwarder_id [String] 
     # @param [Hash] opts the optional parameters
     # @return [Array<(ForwarderResponse, Integer, Hash)>] ForwarderResponse data, response status code and response headers
@@ -280,7 +280,7 @@ module SmplkitGeneratedClient::Audit
     end
 
     # List Forwarder Deliveries
-    # List delivery log entries for a forwarder.  Default sort is `-created_at` (newest first). Filter by `status` (`SUCCEEDED` or `FAILED`, case-insensitive), by `event`, or by a `created_at` range using interval notation (e.g. `[2026-01-01T00:00:00Z,*)`).
+    # List delivery log entries for a forwarder.  Scoped to the resolved environment — only that environment's deliveries for the forwarder are shown. Default sort is `-created_at` (newest first). Filter by `status` (`SUCCEEDED` or `FAILED`, case-insensitive), by `event`, or by a `created_at` range using interval notation (e.g. `[2026-01-01T00:00:00Z,*)`).
     # @param forwarder_id [String] 
     # @param [Hash] opts the optional parameters
     # @option opts [String] :filter_status 
@@ -296,7 +296,7 @@ module SmplkitGeneratedClient::Audit
     end
 
     # List Forwarder Deliveries
-    # List delivery log entries for a forwarder.  Default sort is &#x60;-created_at&#x60; (newest first). Filter by &#x60;status&#x60; (&#x60;SUCCEEDED&#x60; or &#x60;FAILED&#x60;, case-insensitive), by &#x60;event&#x60;, or by a &#x60;created_at&#x60; range using interval notation (e.g. &#x60;[2026-01-01T00:00:00Z,*)&#x60;).
+    # List delivery log entries for a forwarder.  Scoped to the resolved environment — only that environment&#39;s deliveries for the forwarder are shown. Default sort is &#x60;-created_at&#x60; (newest first). Filter by &#x60;status&#x60; (&#x60;SUCCEEDED&#x60; or &#x60;FAILED&#x60;, case-insensitive), by &#x60;event&#x60;, or by a &#x60;created_at&#x60; range using interval notation (e.g. &#x60;[2026-01-01T00:00:00Z,*)&#x60;).
     # @param forwarder_id [String] 
     # @param [Hash] opts the optional parameters
     # @option opts [String] :filter_status 
@@ -369,10 +369,9 @@ module SmplkitGeneratedClient::Audit
     end
 
     # List Forwarders
-    # List forwarders for this account.  Default sort is `-created_at` (newest first).
+    # List forwarders for this account.  Default sort is `-created_at` (newest first). Each forwarder's `environments` override map is scoped to the caller's environment groups.
     # @param [Hash] opts the optional parameters
     # @option opts [String] :filter_forwarder_type 
-    # @option opts [Boolean] :filter_enabled 
     # @option opts [String] :sort Field to sort by. Prefix with &#x60;-&#x60; for descending order. Default: &#x60;-created_at&#x60;. Allowed values: &#x60;created_at&#x60;, &#x60;-created_at&#x60;, &#x60;updated_at&#x60;, &#x60;-updated_at&#x60;. (default to '-created_at')
     # @option opts [Integer] :page_number 1-based page number to return. Optional; defaults to &#x60;1&#x60; when omitted. Must be &#x60;&gt;&#x3D; 1&#x60; — requests with a smaller value are rejected with a 400 error. (default to 1)
     # @option opts [Integer] :page_size Number of items per page. Optional; defaults to &#x60;1000&#x60; when omitted. Must be between &#x60;1&#x60; and &#x60;1000&#x60; inclusive — requests outside that range are rejected with a 400 error. (default to 1000)
@@ -384,10 +383,9 @@ module SmplkitGeneratedClient::Audit
     end
 
     # List Forwarders
-    # List forwarders for this account.  Default sort is &#x60;-created_at&#x60; (newest first).
+    # List forwarders for this account.  Default sort is &#x60;-created_at&#x60; (newest first). Each forwarder&#39;s &#x60;environments&#x60; override map is scoped to the caller&#39;s environment groups.
     # @param [Hash] opts the optional parameters
     # @option opts [String] :filter_forwarder_type 
-    # @option opts [Boolean] :filter_enabled 
     # @option opts [String] :sort Field to sort by. Prefix with &#x60;-&#x60; for descending order. Default: &#x60;-created_at&#x60;. Allowed values: &#x60;created_at&#x60;, &#x60;-created_at&#x60;, &#x60;updated_at&#x60;, &#x60;-updated_at&#x60;. (default to '-created_at')
     # @option opts [Integer] :page_number 1-based page number to return. Optional; defaults to &#x60;1&#x60; when omitted. Must be &#x60;&gt;&#x3D; 1&#x60; — requests with a smaller value are rejected with a 400 error. (default to 1)
     # @option opts [Integer] :page_size Number of items per page. Optional; defaults to &#x60;1000&#x60; when omitted. Must be between &#x60;1&#x60; and &#x60;1000&#x60; inclusive — requests outside that range are rejected with a 400 error. (default to 1000)
@@ -407,7 +405,6 @@ module SmplkitGeneratedClient::Audit
       # query parameters
       query_params = opts[:query_params] || {}
       query_params[:'filter[forwarder_type]'] = opts[:'filter_forwarder_type'] if !opts[:'filter_forwarder_type'].nil?
-      query_params[:'filter[enabled]'] = opts[:'filter_enabled'] if !opts[:'filter_enabled'].nil?
       query_params[:'sort'] = opts[:'sort'] if !opts[:'sort'].nil?
       query_params[:'page[number]'] = opts[:'page_number'] if !opts[:'page_number'].nil?
       query_params[:'page[size]'] = opts[:'page_size'] if !opts[:'page_size'].nil?
@@ -448,7 +445,7 @@ module SmplkitGeneratedClient::Audit
     end
 
     # Retry Failed Forwarder Deliveries
-    # Retry every failed delivery for this forwarder.  Each failed delivery is re-attempted using the forwarder's current configuration and the original event. Returns the counts.
+    # Retry every failed delivery for this forwarder in the resolved environment.  Scoped to the resolved environment (a single-environment credential implies it; otherwise send the `X-Smplkit-Environment` header): only that environment's failed deliveries are re-attempted, each using the forwarder's effective configuration for that environment and the original event. Returns the counts.
     # @param forwarder_id [String] 
     # @param [Hash] opts the optional parameters
     # @return [RetryFailedDeliveriesSummary]
@@ -458,7 +455,7 @@ module SmplkitGeneratedClient::Audit
     end
 
     # Retry Failed Forwarder Deliveries
-    # Retry every failed delivery for this forwarder.  Each failed delivery is re-attempted using the forwarder&#39;s current configuration and the original event. Returns the counts.
+    # Retry every failed delivery for this forwarder in the resolved environment.  Scoped to the resolved environment (a single-environment credential implies it; otherwise send the &#x60;X-Smplkit-Environment&#x60; header): only that environment&#39;s failed deliveries are re-attempted, each using the forwarder&#39;s effective configuration for that environment and the original event. Returns the counts.
     # @param forwarder_id [String] 
     # @param [Hash] opts the optional parameters
     # @return [Array<(RetryFailedDeliveriesSummary, Integer, Hash)>] RetryFailedDeliveriesSummary data, response status code and response headers
@@ -511,7 +508,7 @@ module SmplkitGeneratedClient::Audit
     end
 
     # Retry Forwarder Delivery
-    # Retry a single failed delivery.  Returns the new delivery log entry. The prior entry is left in place.
+    # Retry a single failed delivery.  The delivery is named by id, so it is authorized against the caller's permitted environment set: a delivery in an environment the caller can't access returns `404` (existence never leaks). Returns the new delivery log entry. The prior entry is left in place.
     # @param forwarder_id [String] 
     # @param delivery_id [String] 
     # @param [Hash] opts the optional parameters
@@ -522,7 +519,7 @@ module SmplkitGeneratedClient::Audit
     end
 
     # Retry Forwarder Delivery
-    # Retry a single failed delivery.  Returns the new delivery log entry. The prior entry is left in place.
+    # Retry a single failed delivery.  The delivery is named by id, so it is authorized against the caller&#39;s permitted environment set: a delivery in an environment the caller can&#39;t access returns &#x60;404&#x60; (existence never leaks). Returns the new delivery log entry. The prior entry is left in place.
     # @param forwarder_id [String] 
     # @param delivery_id [String] 
     # @param [Hash] opts the optional parameters
@@ -580,7 +577,7 @@ module SmplkitGeneratedClient::Audit
     end
 
     # Update Forwarder
-    # Replace an existing forwarder. Every writable field is overwritten.
+    # Replace an existing forwarder. Every writable field is overwritten.  The `environments` override map is a full replace for the environments you can manage; overrides for environments outside your access (which were hidden from your read) are preserved. Every environment referenced in `environments` must exist and be managed.
     # @param forwarder_id [String] 
     # @param forwarder_request [ForwarderRequest] 
     # @param [Hash] opts the optional parameters
@@ -591,7 +588,7 @@ module SmplkitGeneratedClient::Audit
     end
 
     # Update Forwarder
-    # Replace an existing forwarder. Every writable field is overwritten.
+    # Replace an existing forwarder. Every writable field is overwritten.  The &#x60;environments&#x60; override map is a full replace for the environments you can manage; overrides for environments outside your access (which were hidden from your read) are preserved. Every environment referenced in &#x60;environments&#x60; must exist and be managed.
     # @param forwarder_id [String] 
     # @param forwarder_request [ForwarderRequest] 
     # @param [Hash] opts the optional parameters

data/lib/smplkit/_generated/audit/lib/smplkit_audit_client/api/resource_types_api.rb

@@ -20,7 +20,7 @@ module SmplkitGeneratedClient::Audit
       @api_client = api_client
     end
     # List Resource Types
-    # List the distinct `resource_type` slugs recorded for this account.  The resource `id` is the slug itself. Default sort is `key` ascending; pass `sort=-key` for descending. Useful for populating filter dropdowns in a UI. Results are scoped to the resource types visible under the account's current plan.
+    # List the distinct `resource_type` slugs recorded for this account.  The resource `id` is the slug itself. Default sort is `key` ascending; pass `sort=-key` for descending. Useful for populating filter dropdowns in a UI. Results are scoped to the resolved environment and to the resource types visible under the account's current plan.
     # @param [Hash] opts the optional parameters
     # @option opts [String] :sort Field to sort by. Prefix with `-` for descending order. Default: `key`. Allowed values: `key`, `-key`. (default to 'key')
     # @option opts [Integer] :page_number 1-based page number to return. Optional; defaults to `1` when omitted. Must be `>= 1` — requests with a smaller value are rejected with a 400 error. (default to 1)
@@ -33,7 +33,7 @@ module SmplkitGeneratedClient::Audit
     end
 
     # List Resource Types
-    # List the distinct `resource_type` slugs recorded for this account.  The resource `id` is the slug itself. Default sort is `key` ascending; pass `sort=-key` for descending. Useful for populating filter dropdowns in a UI. Results are scoped to the resource types visible under the account's current plan.
+    # List the distinct `resource_type` slugs recorded for this account.  The resource `id` is the slug itself. Default sort is `key` ascending; pass `sort=-key` for descending. Useful for populating filter dropdowns in a UI. Results are scoped to the resolved environment and to the resource types visible under the account's current plan.
     # @param [Hash] opts the optional parameters
     # @option opts [String] :sort Field to sort by. Prefix with `-` for descending order. Default: `key`. Allowed values: `key`, `-key`. (default to 'key')
     # @option opts [Integer] :page_number 1-based page number to return. Optional; defaults to `1` when omitted. Must be `>= 1` — requests with a smaller value are rejected with a 400 error. (default to 1)

data/lib/smplkit/_generated/audit/lib/smplkit_audit_client/models/event.rb

@@ -52,6 +52,9 @@ module SmplkitGeneratedClient::Audit
     # When `true`, the event is recorded but not delivered to any forwarder, and no delivery log entries are created for it.
     attr_accessor :do_not_forward
 
+    # The environment the event occurred in. Always present on read. Resolved when the event is recorded — from a single-environment credential, or the `X-Smplkit-Environment` header for multi-environment credentials — and never set on the request body. The same content recorded in two environments produces two distinct events.
+    attr_accessor :environment
+
     # When the event was received and recorded.
     attr_accessor :created_at
 
@@ -95,6 +98,7 @@ module SmplkitGeneratedClient::Audit
         :'actor_label' => :'actor_label',
         :'data' => :'data',
         :'do_not_forward' => :'do_not_forward',
+        :'environment' => :'environment',
         :'created_at' => :'created_at',
         :'idempotency_key' => :'idempotency_key'
       }
@@ -125,6 +129,7 @@ module SmplkitGeneratedClient::Audit
         :'actor_label' => :'String',
         :'data' => :'Hash<String, Object>',
         :'do_not_forward' => :'Boolean',
+        :'environment' => :'String',
         :'created_at' => :'Time',
         :'idempotency_key' => :'String'
       }
@@ -140,6 +145,7 @@ module SmplkitGeneratedClient::Audit
         :'actor_type',
         :'actor_id',
         :'actor_label',
+        :'environment',
         :'created_at',
         :'idempotency_key'
       ])
@@ -219,6 +225,10 @@ module SmplkitGeneratedClient::Audit
         self.do_not_forward = false
       end
 
+      if attributes.key?(:'environment')
+        self.environment = attributes[:'environment']
+      end
+
       if attributes.key?(:'created_at')
         self.created_at = attributes[:'created_at']
       end
@@ -332,6 +342,7 @@ module SmplkitGeneratedClient::Audit
           actor_label == o.actor_label &&
           data == o.data &&
           do_not_forward == o.do_not_forward &&
+          environment == o.environment &&
           created_at == o.created_at &&
           idempotency_key == o.idempotency_key
     end
@@ -345,7 +356,7 @@ module SmplkitGeneratedClient::Audit
     # Calculates hash code according to all attributes.
     # @return [Integer] Hash code
     def hash
-      [event_type, resource_type, resource_id, description, severity, category, occurred_at, actor_type, actor_id, actor_label, data, do_not_forward, created_at, idempotency_key].hash
+      [event_type, resource_type, resource_id, description, severity, category, occurred_at, actor_type, actor_id, actor_label, data, do_not_forward, environment, created_at, idempotency_key].hash
     end
 
     # Builds the object from hash

data/lib/smplkit/_generated/audit/lib/smplkit_audit_client/models/forwarder.rb

@@ -25,7 +25,7 @@ module SmplkitGeneratedClient::Audit
     # Destination type.
     attr_accessor :forwarder_type
 
-    # Whether the forwarder is currently delivering events. Set to `false` to pause deliveries without deleting the forwarder.
+    # Always false. Enablement is per-environment: a forwarder delivers in an environment only when `environments[<env>].enabled` is true. The base value is pinned false and cannot be set.
     attr_accessor :enabled
 
     # JSON Logic expression evaluated against each event. The event is delivered only if the expression returns truthy. Omit to deliver every event.
@@ -37,9 +37,12 @@ module SmplkitGeneratedClient::Audit
     # Template applied to each event before delivery. The shape depends on ``transform_type``: for `JSONATA`, a string containing a JSONata expression. Omit to deliver the event JSON unchanged.
     attr_accessor :transform
 
-    # Transport-specific delivery configuration. Shape is discriminated by ``forwarder_type``; today all destination types use ``HttpConfiguration``. Branded vendor types (everything except `http`) constrain the configuration against a per-vendor template — see `GET /api/v1/forwarder_types` for the URL pattern, fixed headers, and customer-supplied placeholders for each type.
+    # Base delivery configuration template. Shape is discriminated by ``forwarder_type``; today all destination types use ``HttpConfiguration``. Branded vendor types (everything except `http`) constrain the configuration against a per-vendor template — see `GET /api/v1/forwarder_types` for the URL pattern, fixed headers, and customer-supplied placeholders for each type. A per-environment override in `environments` replaces this template for that environment.
     attr_accessor :configuration
 
+    # Per-environment overrides keyed by environment key (e.g. `production`, `staging`). Each entry sets `enabled` (whether the forwarder delivers in that environment) and an optional `configuration` override (omit to inherit the base `configuration`). A forwarder with no entry for an environment is disabled there. Every referenced environment must exist and be managed for the account.
+    attr_accessor :environments
+
     # When the forwarder was created.
     attr_accessor :created_at
 
@@ -85,6 +88,7 @@ module SmplkitGeneratedClient::Audit
         :'transform_type' => :'transform_type',
         :'transform' => :'transform',
         :'configuration' => :'configuration',
+        :'environments' => :'environments',
         :'created_at' => :'created_at',
         :'updated_at' => :'updated_at',
         :'deleted_at' => :'deleted_at',
@@ -113,6 +117,7 @@ module SmplkitGeneratedClient::Audit
         :'transform_type' => :'String',
         :'transform' => :'Object',
         :'configuration' => :'HttpConfiguration',
+        :'environments' => :'Hash<String, ForwarderEnvironment>',
         :'created_at' => :'Time',
         :'updated_at' => :'Time',
         :'deleted_at' => :'Time',
@@ -169,7 +174,7 @@ module SmplkitGeneratedClient::Audit
       if attributes.key?(:'enabled')
         self.enabled = attributes[:'enabled']
       else
-        self.enabled = true
+        self.enabled = false
       end
 
       if attributes.key?(:'filter')
@@ -192,6 +197,12 @@ module SmplkitGeneratedClient::Audit
         self.configuration = nil
       end
 
+      if attributes.key?(:'environments')
+        if (value = attributes[:'environments']).is_a?(Hash)
+          self.environments = value
+        end
+      end
+
       if attributes.key?(:'created_at')
         self.created_at = attributes[:'created_at']
       end
@@ -327,6 +338,7 @@ module SmplkitGeneratedClient::Audit
           transform_type == o.transform_type &&
           transform == o.transform &&
           configuration == o.configuration &&
+          environments == o.environments &&
           created_at == o.created_at &&
           updated_at == o.updated_at &&
           deleted_at == o.deleted_at &&
@@ -342,7 +354,7 @@ module SmplkitGeneratedClient::Audit
     # Calculates hash code according to all attributes.
     # @return [Integer] Hash code
     def hash
-      [name, description, forwarder_type, enabled, filter, transform_type, transform, configuration, created_at, updated_at, deleted_at, version].hash
+      [name, description, forwarder_type, enabled, filter, transform_type, transform, configuration, environments, created_at, updated_at, deleted_at, version].hash
     end
 
     # Builds the object from hash

data/lib/smplkit/_generated/audit/lib/smplkit_audit_client/models/forwarder_delivery.rb

@@ -16,6 +16,9 @@ require 'time'
 module SmplkitGeneratedClient::Audit
   # A log entry for one attempt to deliver an event to a forwarder.
   class ForwarderDelivery < ApiModelBase
+    # Environment the delivered event occurred in. Deliveries are scoped to one environment.
+    attr_accessor :environment
+
     # Forwarder the delivery belongs to.
     attr_accessor :forwarder
 
@@ -71,6 +74,7 @@ module SmplkitGeneratedClient::Audit
     # Attribute mapping from ruby-style variable name to JSON key.
     def self.attribute_map
       {
+        :'environment' => :'environment',
         :'forwarder' => :'forwarder',
         :'event' => :'event',
         :'attempt_number' => :'attempt_number',
@@ -97,6 +101,7 @@ module SmplkitGeneratedClient::Audit
     # Attribute type mapping.
     def self.openapi_types
       {
+        :'environment' => :'String',
         :'forwarder' => :'String',
         :'event' => :'String',
         :'attempt_number' => :'Integer',
@@ -138,6 +143,12 @@ module SmplkitGeneratedClient::Audit
         h[k.to_sym] = v
       }
 
+      if attributes.key?(:'environment')
+        self.environment = attributes[:'environment']
+      else
+        self.environment = nil
+      end
+
       if attributes.key?(:'forwarder')
         self.forwarder = attributes[:'forwarder']
       else
@@ -194,6 +205,10 @@ module SmplkitGeneratedClient::Audit
     def list_invalid_properties
       warn '[DEPRECATED] the `list_invalid_properties` method is obsolete'
       invalid_properties = Array.new
+      if @environment.nil?
+        invalid_properties.push('invalid value for "environment", environment cannot be nil.')
+      end
+
       if @forwarder.nil?
         invalid_properties.push('invalid value for "forwarder", forwarder cannot be nil.')
       end
@@ -217,6 +232,7 @@ module SmplkitGeneratedClient::Audit
     # @return true if the model is valid
     def valid?
       warn '[DEPRECATED] the `valid?` method is obsolete'
+      return false if @environment.nil?
       return false if @forwarder.nil?
       return false if @event.nil?
       return false if @attempt_number.nil?
@@ -226,6 +242,16 @@ module SmplkitGeneratedClient::Audit
       true
     end
 
+    # Custom attribute writer method with validation
+    # @param [Object] environment Value to be assigned
+    def environment=(environment)
+      if environment.nil?
+        fail ArgumentError, 'environment cannot be nil'
+      end
+
+      @environment = environment
+    end
+
     # Custom attribute writer method with validation
     # @param [Object] forwarder Value to be assigned
     def forwarder=(forwarder)
@@ -271,6 +297,7 @@ module SmplkitGeneratedClient::Audit
     def ==(o)
       return true if self.equal?(o)
       self.class == o.class &&
+          environment == o.environment &&
           forwarder == o.forwarder &&
           event == o.event &&
           attempt_number == o.attempt_number &&
@@ -292,7 +319,7 @@ module SmplkitGeneratedClient::Audit
     # Calculates hash code according to all attributes.
     # @return [Integer] Hash code
     def hash
-      [forwarder, event, attempt_number, status, request, response_status, response_body, latency_ms, error, created_at].hash
+      [environment, forwarder, event, attempt_number, status, request, response_status, response_body, latency_ms, error, created_at].hash
     end
 
     # Builds the object from hash

data/lib/smplkit/_generated/audit/lib/smplkit_audit_client/models/forwarder_environment.rb

@@ -0,0 +1,162 @@
+=begin
+#smplkit Audit API
+
+#Append-only change-history substrate for smpl.* resources and customer-application events. ADR-047.
+
+The version of the OpenAPI document: 0.1.0
+
+Generated by: https://openapi-generator.tech
+Generator version: 7.22.0
+
+=end
+
+require 'date'
+require 'time'
+
+module SmplkitGeneratedClient::Audit
+  # Per-environment override for a forwarder's enablement and configuration.
+  class ForwarderEnvironment < ApiModelBase
+    # Whether the forwarder delivers events in this environment. A forwarder is enabled in an environment only via this field — the base `enabled` is always false.
+    attr_accessor :enabled
+
+    # Per-environment delivery configuration override. Omit to inherit the forwarder's base `configuration`. When present, it fully replaces the base configuration for this environment and is validated against the same per-vendor template.
+    attr_accessor :configuration
+
+    # Attribute mapping from ruby-style variable name to JSON key.
+    def self.attribute_map
+      {
+        :'enabled' => :'enabled',
+        :'configuration' => :'configuration'
+      }
+    end
+
+    # Returns attribute mapping this model knows about
+    def self.acceptable_attribute_map
+      attribute_map
+    end
+
+    # Returns all the JSON keys this model knows about
+    def self.acceptable_attributes
+      acceptable_attribute_map.values
+    end
+
+    # Attribute type mapping.
+    def self.openapi_types
+      {
+        :'enabled' => :'Boolean',
+        :'configuration' => :'HttpConfiguration'
+      }
+    end
+
+    # List of attributes with nullable: true
+    def self.openapi_nullable
+      Set.new([
+        :'configuration'
+      ])
+    end
+
+    # Initializes the object
+    # @param [Hash] attributes Model attributes in the form of hash
+    def initialize(attributes = {})
+      if (!attributes.is_a?(Hash))
+        fail ArgumentError, "The input argument (attributes) must be a hash in `SmplkitGeneratedClient::Audit::ForwarderEnvironment` initialize method"
+      end
+
+      # check to see if the attribute exists and convert string to symbol for hash key
+      acceptable_attribute_map = self.class.acceptable_attribute_map
+      attributes = attributes.each_with_object({}) { |(k, v), h|
+        if (!acceptable_attribute_map.key?(k.to_sym))
+          fail ArgumentError, "`#{k}` is not a valid attribute in `SmplkitGeneratedClient::Audit::ForwarderEnvironment`. Please check the name to make sure it's valid. List of attributes: " + acceptable_attribute_map.keys.inspect
+        end
+        h[k.to_sym] = v
+      }
+
+      if attributes.key?(:'enabled')
+        self.enabled = attributes[:'enabled']
+      else
+        self.enabled = false
+      end
+
+      if attributes.key?(:'configuration')
+        self.configuration = attributes[:'configuration']
+      end
+    end
+
+    # Show invalid properties with the reasons. Usually used together with valid?
+    # @return Array for valid properties with the reasons
+    def list_invalid_properties
+      warn '[DEPRECATED] the `list_invalid_properties` method is obsolete'
+      invalid_properties = Array.new
+      invalid_properties
+    end
+
+    # Check to see if the all the properties in the model are valid
+    # @return true if the model is valid
+    def valid?
+      warn '[DEPRECATED] the `valid?` method is obsolete'
+      true
+    end
+
+    # Checks equality by comparing each attribute.
+    # @param [Object] Object to be compared
+    def ==(o)
+      return true if self.equal?(o)
+      self.class == o.class &&
+          enabled == o.enabled &&
+          configuration == o.configuration
+    end
+
+    # @see the `==` method
+    # @param [Object] Object to be compared
+    def eql?(o)
+      self == o
+    end
+
+    # Calculates hash code according to all attributes.
+    # @return [Integer] Hash code
+    def hash
+      [enabled, configuration].hash
+    end
+
+    # Builds the object from hash
+    # @param [Hash] attributes Model attributes in the form of hash
+    # @return [Object] Returns the model itself
+    def self.build_from_hash(attributes)
+      return nil unless attributes.is_a?(Hash)
+      attributes = attributes.transform_keys(&:to_sym)
+      transformed_hash = {}
+      openapi_types.each_pair do |key, type|
+        if attributes.key?(attribute_map[key]) && attributes[attribute_map[key]].nil?
+          transformed_hash["#{key}"] = nil
+        elsif type =~ /\AArray<(.*)>/i
+          # check to ensure the input is an array given that the attribute
+          # is documented as an array but the input is not
+          if attributes[attribute_map[key]].is_a?(Array)
+            transformed_hash["#{key}"] = attributes[attribute_map[key]].map { |v| _deserialize($1, v) }
+          end
+        elsif !attributes[attribute_map[key]].nil?
+          transformed_hash["#{key}"] = _deserialize(type, attributes[attribute_map[key]])
+        end
+      end
+      new(transformed_hash)
+    end
+
+    # Returns the object in the form of hash
+    # @return [Hash] Returns the object in the form of hash
+    def to_hash
+      hash = {}
+      self.class.attribute_map.each_pair do |attr, param|
+        value = self.send(attr)
+        if value.nil?
+          is_nullable = self.class.openapi_nullable.include?(attr)
+          next if !is_nullable || (is_nullable && !instance_variable_defined?(:"@#{attr}"))
+        end
+
+        hash[param] = _to_hash(value)
+      end
+      hash
+    end
+
+  end
+
+end

data/lib/smplkit/_generated/audit/lib/smplkit_audit_client.rb

@@ -49,6 +49,7 @@ require 'smplkit_audit_client/models/forwarder_delivery_list_meta'
 require 'smplkit_audit_client/models/forwarder_delivery_list_response'
 require 'smplkit_audit_client/models/forwarder_delivery_resource'
 require 'smplkit_audit_client/models/forwarder_delivery_response'
+require 'smplkit_audit_client/models/forwarder_environment'
 require 'smplkit_audit_client/models/forwarder_list_response'
 require 'smplkit_audit_client/models/forwarder_request'
 require 'smplkit_audit_client/models/forwarder_resource'

data/lib/smplkit/_generated/audit/spec/api/categories_api_spec.rb

@@ -34,7 +34,7 @@ describe 'CategoriesApi' do
 
   # unit tests for list_categories
   # List Categories
-  # List the distinct `category` values recorded for this account.  The resource `id` is the category value itself. Default sort is `key` ascending; pass `sort=-key` for descending. Useful for populating filter dropdowns in a UI.
+  # List the distinct `category` values recorded for this account.  The resource `id` is the category value itself. Default sort is `key` ascending; pass `sort=-key` for descending. Scoped to the resolved environment. Useful for populating filter dropdowns in a UI.
   # @param [Hash] opts the optional parameters
   # @option opts [String] :sort Field to sort by. Prefix with `-` for descending order. Default: `key`. Allowed values: `key`, `-key`.
   # @option opts [Integer] :page_number 1-based page number to return. Optional; defaults to `1` when omitted. Must be `>= 1` — requests with a smaller value are rejected with a 400 error.

data/lib/smplkit/_generated/audit/spec/api/event_types_api_spec.rb

@@ -34,7 +34,7 @@ describe 'EventTypesApi' do
 
   # unit tests for list_event_types
   # List Event Types
-  # List the distinct `event_type` slugs recorded for this account.  Default sort is `key` ascending; pass `sort=-key` for descending. Without `filter[resource_type]`, returns one row per distinct event_type. With `filter[resource_type]`, returns the event_types recorded for that specific resource type.
+  # List the distinct `event_type` slugs recorded for this account.  Default sort is `key` ascending; pass `sort=-key` for descending. Scoped to the resolved environment. Without `filter[resource_type]`, returns one row per distinct event_type. With `filter[resource_type]`, returns the event_types recorded for that specific resource type.
   # @param [Hash] opts the optional parameters
   # @option opts [String] :filter_resource_type 
   # @option opts [String] :sort Field to sort by. Prefix with `-` for descending order. Default: `key`. Allowed values: `key`, `-key`.

data/lib/smplkit/_generated/audit/spec/api/events_api_spec.rb

@@ -34,7 +34,7 @@ describe 'EventsApi' do
 
   # unit tests for get_event
   # Get Event
-  # Retrieve a single audit event by id.
+  # Retrieve a single audit event by id.  Authorized against the caller's permitted environment set: the event is returned only if its environment is one the caller may access, otherwise `404` (the same response as a non-existent id, so existence never leaks across environments). The `X-Smplkit-Environment` header is ignored here — a single-object lookup names the object by id, it does not resolve an ambient environment.
   # @param event_id 
   # @param [Hash] opts the optional parameters
   # @return [EventResponse]
@@ -71,7 +71,7 @@ describe 'EventsApi' do
 
   # unit tests for record_event
   # Record Event
-  # Record an audit event for this account.  Returns `201 Created` on first write, `200 OK` if the request was a duplicate (matched by `Idempotency-Key` or a key derived from the event's content).  `resource_type` values beginning with `smpl.` are reserved for events that smplkit emits about its own resources and cannot be used here.
+  # Record an audit event for this account.  The event is stamped with the environment it occurred in: a single-environment credential implies it; a multi-environment or unrestricted credential must send the `X-Smplkit-Environment` header. The resolved environment must exist and be managed for the account.  Returns `201 Created` on first write, `200 OK` if the request was a duplicate (matched by `Idempotency-Key` or a key derived from the event's content). The same content recorded in two environments produces two distinct events.  `resource_type` values beginning with `smpl.` are reserved for events that smplkit emits about its own resources and cannot be used here.
   # @param event_request 
   # @param [Hash] opts the optional parameters
   # @option opts [String] :idempotency_key 
@@ -84,7 +84,7 @@ describe 'EventsApi' do
 
   # unit tests for search_events
   # Search Events
-  # Search audit events with column filters and an optional JSON Logic expression.  Without a JSON Logic `filter`: behaves like `GET /api/v1/events` with the same column filters.  With a JSON Logic `filter`: the search is silently capped to the last 30 days by `occurred_at` (intersected with any explicit `filter[occurred_at]` the caller supplied), the column filters narrow the candidate set in SQL, and the JSON Logic expression runs in memory against each candidate row using the same `json-logic-qubit` evaluator the forwarder pipeline uses. Up to 50,000 rows are scanned per request; the response's `meta.scan` block reports the scan stats so a selective filter doesn't look like \"0 matches\" when the truth is \"ceiling reached.\"
+  # Search audit events with column filters and an optional JSON Logic expression.  Scoped to the resolved environment (a single-environment credential implies it; otherwise send the `X-Smplkit-Environment` header).  Without a JSON Logic `filter`: behaves like `GET /api/v1/events` with the same column filters.  With a JSON Logic `filter`: the search is silently capped to the last 30 days by `occurred_at` (intersected with any explicit `filter[occurred_at]` the caller supplied), the column filters narrow the candidate set in SQL, and the JSON Logic expression runs in memory against each candidate row using the same `json-logic-qubit` evaluator the forwarder pipeline uses. Up to 50,000 rows are scanned per request; the response's `meta.scan` block reports the scan stats so a selective filter doesn't look like \"0 matches\" when the truth is \"ceiling reached.\"
   # @param event_search_request 
   # @param [Hash] opts the optional parameters
   # @return [EventSearchResponse]

data/lib/smplkit/_generated/audit/spec/api/forwarders_api_spec.rb

@@ -34,7 +34,7 @@ describe 'ForwardersApi' do
 
   # unit tests for create_forwarder
   # Create Forwarder
-  # Create a forwarder for this account.  The caller supplies the forwarder's key as `data.id`. Keys are unique within an account and immutable for the lifetime of the forwarder.
+  # Create a forwarder for this account.  The caller supplies the forwarder's key as `data.id`. Keys are unique within an account and immutable for the lifetime of the forwarder.  Enablement is per-environment: a forwarder is enabled in an environment only via `environments[<env>].enabled`; the base `enabled` is always false. Every environment referenced in `environments` must exist and be managed for the account.
   # @param forwarder_create_request 
   # @param [Hash] opts the optional parameters
   # @return [ForwarderResponse]
@@ -70,7 +70,7 @@ describe 'ForwardersApi' do
 
   # unit tests for get_forwarder
   # Get Forwarder
-  # Retrieve a single forwarder by id.  Header values are returned in plaintext so the resource can be round-tripped with `GET`, mutate, `PUT` without re-entering secrets.
+  # Retrieve a single forwarder by id.  Header values are returned in plaintext so the resource can be round-tripped with `GET`, mutate, `PUT` without re-entering secrets. The `environments` override map is scoped to the caller's environment groups.
   # @param forwarder_id 
   # @param [Hash] opts the optional parameters
   # @return [ForwarderResponse]
@@ -82,7 +82,7 @@ describe 'ForwardersApi' do
 
   # unit tests for list_forwarder_deliveries
   # List Forwarder Deliveries
-  # List delivery log entries for a forwarder.  Default sort is `-created_at` (newest first). Filter by `status` (`SUCCEEDED` or `FAILED`, case-insensitive), by `event`, or by a `created_at` range using interval notation (e.g. `[2026-01-01T00:00:00Z,*)`).
+  # List delivery log entries for a forwarder.  Scoped to the resolved environment — only that environment's deliveries for the forwarder are shown. Default sort is `-created_at` (newest first). Filter by `status` (`SUCCEEDED` or `FAILED`, case-insensitive), by `event`, or by a `created_at` range using interval notation (e.g. `[2026-01-01T00:00:00Z,*)`).
   # @param forwarder_id 
   # @param [Hash] opts the optional parameters
   # @option opts [String] :filter_status 
@@ -100,10 +100,9 @@ describe 'ForwardersApi' do
 
   # unit tests for list_forwarders
   # List Forwarders
-  # List forwarders for this account.  Default sort is `-created_at` (newest first).
+  # List forwarders for this account.  Default sort is `-created_at` (newest first). Each forwarder's `environments` override map is scoped to the caller's environment groups.
   # @param [Hash] opts the optional parameters
   # @option opts [String] :filter_forwarder_type 
-  # @option opts [Boolean] :filter_enabled 
   # @option opts [String] :sort Field to sort by. Prefix with `-` for descending order. Default: `-created_at`. Allowed values: `created_at`, `-created_at`, `updated_at`, `-updated_at`.
   # @option opts [Integer] :page_number 1-based page number to return. Optional; defaults to `1` when omitted. Must be `>= 1` — requests with a smaller value are rejected with a 400 error.
   # @option opts [Integer] :page_size Number of items per page. Optional; defaults to `1000` when omitted. Must be between `1` and `1000` inclusive — requests outside that range are rejected with a 400 error.
@@ -117,7 +116,7 @@ describe 'ForwardersApi' do
 
   # unit tests for retry_failed_forwarder_deliveries
   # Retry Failed Forwarder Deliveries
-  # Retry every failed delivery for this forwarder.  Each failed delivery is re-attempted using the forwarder's current configuration and the original event. Returns the counts.
+  # Retry every failed delivery for this forwarder in the resolved environment.  Scoped to the resolved environment (a single-environment credential implies it; otherwise send the `X-Smplkit-Environment` header): only that environment's failed deliveries are re-attempted, each using the forwarder's effective configuration for that environment and the original event. Returns the counts.
   # @param forwarder_id 
   # @param [Hash] opts the optional parameters
   # @return [RetryFailedDeliveriesSummary]
@@ -129,7 +128,7 @@ describe 'ForwardersApi' do
 
   # unit tests for retry_forwarder_delivery
   # Retry Forwarder Delivery
-  # Retry a single failed delivery.  Returns the new delivery log entry. The prior entry is left in place.
+  # Retry a single failed delivery.  The delivery is named by id, so it is authorized against the caller's permitted environment set: a delivery in an environment the caller can't access returns `404` (existence never leaks). Returns the new delivery log entry. The prior entry is left in place.
   # @param forwarder_id 
   # @param delivery_id 
   # @param [Hash] opts the optional parameters
@@ -142,7 +141,7 @@ describe 'ForwardersApi' do
 
   # unit tests for update_forwarder
   # Update Forwarder
-  # Replace an existing forwarder. Every writable field is overwritten.
+  # Replace an existing forwarder. Every writable field is overwritten.  The `environments` override map is a full replace for the environments you can manage; overrides for environments outside your access (which were hidden from your read) are preserved. Every environment referenced in `environments` must exist and be managed.
   # @param forwarder_id 
   # @param forwarder_request 
   # @param [Hash] opts the optional parameters

data/lib/smplkit/_generated/audit/spec/api/resource_types_api_spec.rb

@@ -34,7 +34,7 @@ describe 'ResourceTypesApi' do
 
   # unit tests for list_resource_types
   # List Resource Types
-  # List the distinct `resource_type` slugs recorded for this account.  The resource `id` is the slug itself. Default sort is `key` ascending; pass `sort=-key` for descending. Useful for populating filter dropdowns in a UI. Results are scoped to the resource types visible under the account's current plan.
+  # List the distinct `resource_type` slugs recorded for this account.  The resource `id` is the slug itself. Default sort is `key` ascending; pass `sort=-key` for descending. Useful for populating filter dropdowns in a UI. Results are scoped to the resolved environment and to the resource types visible under the account's current plan.
   # @param [Hash] opts the optional parameters
   # @option opts [String] :sort Field to sort by. Prefix with `-` for descending order. Default: `key`. Allowed values: `key`, `-key`.
   # @option opts [Integer] :page_number 1-based page number to return. Optional; defaults to `1` when omitted. Must be `>= 1` — requests with a smaller value are rejected with a 400 error.

data/lib/smplkit/_generated/audit/spec/models/event_spec.rb

@@ -99,6 +99,12 @@ describe SmplkitGeneratedClient::Audit::Event do
     end
   end
 
+  describe 'test attribute "environment"' do
+    it 'should work' do
+      # assertion here. ref: https://rspec.info/features/3-12/rspec-expectations/built-in-matchers/
+    end
+  end
+
   describe 'test attribute "created_at"' do
     it 'should work' do
       # assertion here. ref: https://rspec.info/features/3-12/rspec-expectations/built-in-matchers/

data/lib/smplkit/_generated/audit/spec/models/forwarder_delivery_spec.rb

@@ -27,6 +27,12 @@ describe SmplkitGeneratedClient::Audit::ForwarderDelivery do
     end
   end
 
+  describe 'test attribute "environment"' do
+    it 'should work' do
+      # assertion here. ref: https://rspec.info/features/3-12/rspec-expectations/built-in-matchers/
+    end
+  end
+
   describe 'test attribute "forwarder"' do
     it 'should work' do
       # assertion here. ref: https://rspec.info/features/3-12/rspec-expectations/built-in-matchers/

data/lib/smplkit/_generated/audit/spec/models/forwarder_environment_spec.rb

@@ -0,0 +1,42 @@
+=begin
+#smplkit Audit API
+
+#Append-only change-history substrate for smpl.* resources and customer-application events. ADR-047.
+
+The version of the OpenAPI document: 0.1.0
+
+Generated by: https://openapi-generator.tech
+Generator version: 7.22.0
+
+=end
+
+require 'spec_helper'
+require 'json'
+require 'date'
+
+# Unit tests for SmplkitGeneratedClient::Audit::ForwarderEnvironment
+# Automatically generated by openapi-generator (https://openapi-generator.tech)
+# Please update as you see appropriate
+describe SmplkitGeneratedClient::Audit::ForwarderEnvironment do
+  #let(:instance) { SmplkitGeneratedClient::Audit::ForwarderEnvironment.new }
+
+  describe 'test an instance of ForwarderEnvironment' do
+    it 'should create an instance of ForwarderEnvironment' do
+      # uncomment below to test the instance creation
+      #expect(instance).to be_instance_of(SmplkitGeneratedClient::Audit::ForwarderEnvironment)
+    end
+  end
+
+  describe 'test attribute "enabled"' do
+    it 'should work' do
+      # assertion here. ref: https://rspec.info/features/3-12/rspec-expectations/built-in-matchers/
+    end
+  end
+
+  describe 'test attribute "configuration"' do
+    it 'should work' do
+      # assertion here. ref: https://rspec.info/features/3-12/rspec-expectations/built-in-matchers/
+    end
+  end
+
+end

data/lib/smplkit/_generated/audit/spec/models/forwarder_spec.rb

@@ -79,6 +79,12 @@ describe SmplkitGeneratedClient::Audit::Forwarder do
     end
   end
 
+  describe 'test attribute "environments"' do
+    it 'should work' do
+      # assertion here. ref: https://rspec.info/features/3-12/rspec-expectations/built-in-matchers/
+    end
+  end
+
   describe 'test attribute "created_at"' do
     it 'should work' do
       # assertion here. ref: https://rspec.info/features/3-12/rspec-expectations/built-in-matchers/

data/lib/smplkit/audit/client.rb

@@ -16,7 +16,7 @@ module Smplkit
 
       SDK_OWNED_HEADERS = %w[authorization content-type user-agent].freeze
 
-      def initialize(api_key:, base_url:, timeout: 10.0, extra_headers: nil)
+      def initialize(api_key:, base_url:, environment: nil, timeout: 10.0, extra_headers: nil)
         cfg = SmplkitGeneratedClient::Audit::Configuration.new
         cfg.host = URI.parse(base_url).host
         cfg.scheme = URI.parse(base_url).scheme
@@ -24,6 +24,14 @@ module Smplkit
         cfg.timeout = timeout
         api_client = SmplkitGeneratedClient::Audit::ApiClient.new(cfg)
         api_client.default_headers["User-Agent"] = "smplkit-ruby-sdk/#{Smplkit::VERSION}"
+        # Runtime audit ops are environment-scoped: record / list / get /
+        # discovery all resolve their environment from the
+        # +X-Smplkit-Environment+ request header (ADR-055). We stamp it once
+        # at the client level from the SDK's configured runtime environment so
+        # every generated call carries it. It is stamped before +extra_headers+
+        # is applied so a caller-supplied entry of the same name wins (explicit
+        # override).
+        api_client.default_headers["X-Smplkit-Environment"] = environment unless environment.nil?
         extra_headers&.each do |k, v|
           api_client.default_headers[k] = v unless SDK_OWNED_HEADERS.include?(k.downcase)
         end

data/lib/smplkit/audit/models.rb

@@ -165,11 +165,17 @@ module Smplkit
     #   @return [String, nil] Customer-supplied dedupe key, +nil+ if not provided.
     # @!attribute [rw] do_not_forward
     #   @return [Boolean] When +true+, skip SIEM forwarder delivery regardless of any matching filter.
+    # @!attribute [rw] environment
+    #   @return [String, nil] The environment the event was recorded in.
+    #     Read-only and always present on reads — the audit service resolves it
+    #     when the event is recorded (from a single-environment credential, or
+    #     from the runtime SDK's configured environment, which the SDK sends on
+    #     every recording call). Never set on the recording request body.
     AuditEvent = Struct.new(
       :id, :event_type, :resource_type, :resource_id,
       :occurred_at, :created_at,
       :actor_type, :actor_id, :actor_label,
-      :data, :idempotency_key, :do_not_forward,
+      :data, :idempotency_key, :do_not_forward, :environment,
       keyword_init: true
     ) do
       def self.from_resource(resource)
@@ -186,7 +192,8 @@ module Smplkit
           actor_label: attrs.actor_label,
           data: Smplkit::Helpers.deep_stringify_keys(attrs.data || {}),
           idempotency_key: attrs.idempotency_key,
-          do_not_forward: attrs.do_not_forward || false
+          do_not_forward: attrs.do_not_forward || false,
+          environment: attrs.environment
         )
       end
     end
@@ -332,6 +339,40 @@ module Smplkit
     end
     # rubocop:enable Lint/StructNewOverride
 
+    # Per-environment enablement and optional configuration override for a
+    # forwarder.
+    #
+    # A forwarder delivers events in a given environment only when that
+    # environment has an entry in {Forwarder#environments} with
+    # +enabled: true+. An environment with no entry (or +enabled: false+)
+    # receives no deliveries.
+    #
+    # @!attribute [rw] enabled
+    #   @return [Boolean] Whether the forwarder delivers events in this
+    #     environment. Defaults to +false+.
+    # @!attribute [rw] configuration
+    #   @return [HttpConfiguration, nil] Optional per-environment destination
+    #     configuration that fully replaces the forwarder's base
+    #     {Forwarder#configuration} for this environment. +nil+ (the default)
+    #     inherits the base configuration. As with the base configuration,
+    #     header values are plaintext on writes and returned redacted on reads —
+    #     re-supply real values before {Forwarder#save}.
+    ForwarderEnvironment = Struct.new(:enabled, :configuration, keyword_init: true) do
+      def initialize(enabled: false, configuration: nil)
+        super
+      end
+
+      def self.from_wire(src)
+        return new if src.nil?
+
+        cfg = src.configuration
+        new(
+          enabled: src.enabled.nil? ? false : src.enabled,
+          configuration: cfg.nil? ? nil : HttpConfiguration.from_wire(cfg)
+        )
+      end
+    end
+
     # A SIEM streaming forwarder configured on the customer's account.
     #
     # Active-record style: instantiate via
@@ -354,10 +395,21 @@ module Smplkit
       # @return [String] One of {ForwarderType::VALUES}.
       attr_accessor :forwarder_type
 
-      # @return [Boolean] When +false+, the audit service skips delivery for
-      #   this forwarder but still records +filtered_out+ deliveries.
+      # @return [Boolean] Read-only. Always +false+ — the base enablement is
+      #   pinned off. Whether a forwarder actually delivers is decided per
+      #   environment via {#environments}; mutating this field has no effect on
+      #   the server.
       attr_accessor :enabled
 
+      # @return [Hash{String => ForwarderEnvironment}] Per-environment overrides
+      #   keyed by environment key (e.g. +"production"+, +"staging"+). A
+      #   forwarder delivers in an environment only when
+      #   +environments[env].enabled+ is +true+. Each entry may carry an optional
+      #   {HttpConfiguration} override; omit it to inherit the base
+      #   {#configuration}. Every referenced environment must exist and be
+      #   managed for the account.
+      attr_accessor :environments
+
       # @return [HttpConfiguration] Destination request configuration.
       attr_accessor :configuration
 
@@ -393,7 +445,7 @@ module Smplkit
       attr_accessor :version
 
       def initialize(client = nil, name:, forwarder_type:, configuration:,
-                     id: nil, enabled: true, description: nil,
+                     id: nil, enabled: false, environments: nil, description: nil,
                      filter: nil, transform: nil, transform_type: nil,
                      created_at: nil, updated_at: nil, deleted_at: nil, version: nil)
         @client = client
@@ -401,7 +453,11 @@ module Smplkit
         @name = name
         @forwarder_type = ForwarderType.coerce(forwarder_type)
         @configuration = configuration
+        # ``enabled`` is server-pinned false; we keep the attribute so reads
+        # round-trip the server value, but enablement is driven by
+        # ``environments`` (see the class docstring).
         @enabled = enabled
+        @environments = environments || {}
         @description = description
         @filter = filter
         @transform = transform
@@ -451,6 +507,7 @@ module Smplkit
         @forwarder_type = other.forwarder_type
         @configuration = other.configuration
         @enabled = other.enabled
+        @environments = other.environments
         @description = other.description
         @filter = other.filter
         @transform = other.transform
@@ -483,13 +540,20 @@ module Smplkit
 
       def self.from_resource(resource, client: nil)
         a = resource.attributes
+        environments = (a.environments || {}).each_with_object({}) do |(env_key, env_raw), out|
+          out[env_key.to_s] = ForwarderEnvironment.from_wire(env_raw)
+        end
         new(
           client,
           id: resource.id,
           name: a.name,
           description: a.description,
           forwarder_type: a.forwarder_type,
-          enabled: a.enabled.nil? || a.enabled,
+          # The base ``enabled`` is server-pinned false; round-trip whatever
+          # the server returned (always false) without assuming a default of
+          # true.
+          enabled: a.enabled.nil? ? false : a.enabled,
+          environments: environments,
           filter: a.filter.nil? ? nil : Smplkit::Helpers.deep_stringify_keys(a.filter),
           transform_type: a.transform_type,
           transform: a.transform,

data/lib/smplkit/client.rb

@@ -90,7 +90,7 @@ module Smplkit
       @logging = Logging::LoggingClient.new(self, manage: @manage, metrics: @metrics,
                                                   logging_base_url: logging_url, app_base_url: app_url)
       @audit = Audit::AuditClient.new(api_key: cfg.api_key, base_url: audit_url,
-                                      extra_headers: extra_headers)
+                                      environment: cfg.environment, extra_headers: extra_headers)
 
       @closed = false
       schedule_periodic_flush

data/lib/smplkit/management/audit.rb

@@ -39,7 +39,14 @@ module Smplkit
       # @param configuration [Smplkit::Audit::HttpConfiguration] Destination
       #   request configuration. Headers carry credentials and are encrypted at
       #   rest server-side; reads return them redacted.
-      # @param enabled [Boolean] Whether the forwarder is active. Defaults +true+.
+      # @param environments [Hash{String => Smplkit::Audit::ForwarderEnvironment, Hash}, nil]
+      #   Per-environment overrides keyed by environment key (e.g.
+      #   +"production"+). A forwarder delivers in an environment only when that
+      #   environment's entry has +enabled: true+. Values may be
+      #   {Smplkit::Audit::ForwarderEnvironment} instances or plain hashes
+      #   (+{ enabled: true }+, optionally with a +:configuration+
+      #   {Smplkit::Audit::HttpConfiguration} override). Omit to create a
+      #   forwarder that delivers nowhere until enabled per environment.
       # @param description [String, nil] Optional free-text description.
       # @param filter [Hash, nil] Optional JSON Logic filter; events that don't
       #   match are recorded as +filtered_out+ deliveries.
@@ -57,7 +64,7 @@ module Smplkit
       #   is not a +String+.
       # @return [Smplkit::Audit::Forwarder]
       def new_forwarder(id, forwarder_type:, configuration:, name: nil,
-                        enabled: true, description: nil,
+                        environments: nil, description: nil,
                         filter: nil, transform: nil, transform_type: nil)
         Smplkit::Audit::Forwarder.send(:validate_transform_pair!, transform, transform_type)
         Smplkit::Audit::Forwarder.new(
@@ -66,7 +73,7 @@ module Smplkit
           name: name || id,
           forwarder_type: forwarder_type,
           configuration: configuration,
-          enabled: enabled,
+          environments: normalize_environments(environments),
           description: description,
           filter: filter,
           transform: transform,
@@ -82,10 +89,9 @@ module Smplkit
       # block (costs an extra COUNT query server-side).
       #
       # @return [ForwarderListPage]
-      def list(forwarder_type: nil, enabled: nil, page_number: nil, page_size: nil, meta_total: nil)
+      def list(forwarder_type: nil, page_number: nil, page_size: nil, meta_total: nil)
         opts = {}
         opts[:filter_forwarder_type] = Smplkit::Audit::ForwarderType.coerce(forwarder_type) if forwarder_type
-        opts[:filter_enabled] = enabled unless enabled.nil?
         opts[:page_number] = page_number if page_number
         opts[:page_size] = page_size if page_size
         opts[:meta_total] = meta_total unless meta_total.nil?
@@ -143,12 +149,49 @@ module Smplkit
 
       private
 
+      # Coerce a caller's +environments+ map to wrapper instances.
+      #
+      # Accepts either {Smplkit::Audit::ForwarderEnvironment} values or plain
+      # hashes (+{ enabled: true, configuration: HttpConfiguration.new(...) }+)
+      # so callers can use the lightweight hash form without importing the
+      # model.
+      def normalize_environments(environments)
+        return {} if environments.nil? || environments.empty?
+
+        environments.each_with_object({}) do |(env_key, value), out|
+          out[env_key.to_s] = if value.is_a?(Smplkit::Audit::ForwarderEnvironment)
+                                value
+                              else
+                                Smplkit::Audit::ForwarderEnvironment.new(
+                                  enabled: value[:enabled] || value["enabled"] || false,
+                                  configuration: value[:configuration] || value["configuration"]
+                                )
+                              end
+        end
+      end
+
+      # Convert the wrapper +environments+ map to the generated model hash.
+      #
+      # Per-environment +configuration+ overrides are sent as full
+      # {Smplkit::Audit::HttpConfiguration} payloads (plaintext headers in),
+      # mirroring the base configuration's round-trip semantics.
+      def environments_to_wire(environments)
+        (environments || {}).each_with_object({}) do |(env_key, env), out|
+          out[env_key.to_s] = SmplkitGeneratedClient::Audit::ForwarderEnvironment.new(
+            enabled: env.enabled,
+            configuration: env.configuration.nil? ? nil : Smplkit::Audit::HttpConfiguration.to_wire(env.configuration)
+          )
+        end
+      end
+
       def build_attrs(forwarder)
+        # The base ``enabled`` is server-pinned false (ADR-055); we don't send
+        # it. Enablement travels entirely through ``environments``.
         SmplkitGeneratedClient::Audit::Forwarder.new(
           name: forwarder.name,
           description: forwarder.description,
           forwarder_type: Smplkit::Audit::ForwarderType.coerce(forwarder.forwarder_type),
-          enabled: forwarder.enabled,
+          environments: environments_to_wire(forwarder.environments),
           filter: forwarder.filter,
           transform_type: Smplkit::Audit::TransformType.coerce(forwarder.transform_type),
           transform: forwarder.transform,

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: smplkit
 version: !ruby/object:Gem::Version
-  version: 3.0.88
+  version: 3.0.89
 platform: ruby
 authors:
 - Smpl Solutions LLC
@@ -526,6 +526,7 @@ files:
 - lib/smplkit/_generated/audit/lib/smplkit_audit_client/models/forwarder_delivery_list_response.rb
 - lib/smplkit/_generated/audit/lib/smplkit_audit_client/models/forwarder_delivery_resource.rb
 - lib/smplkit/_generated/audit/lib/smplkit_audit_client/models/forwarder_delivery_response.rb
+- lib/smplkit/_generated/audit/lib/smplkit_audit_client/models/forwarder_environment.rb
 - lib/smplkit/_generated/audit/lib/smplkit_audit_client/models/forwarder_list_response.rb
 - lib/smplkit/_generated/audit/lib/smplkit_audit_client/models/forwarder_request.rb
 - lib/smplkit/_generated/audit/lib/smplkit_audit_client/models/forwarder_resource.rb
@@ -592,6 +593,7 @@ files:
 - lib/smplkit/_generated/audit/spec/models/forwarder_delivery_resource_spec.rb
 - lib/smplkit/_generated/audit/spec/models/forwarder_delivery_response_spec.rb
 - lib/smplkit/_generated/audit/spec/models/forwarder_delivery_spec.rb
+- lib/smplkit/_generated/audit/spec/models/forwarder_environment_spec.rb
 - lib/smplkit/_generated/audit/spec/models/forwarder_list_response_spec.rb
 - lib/smplkit/_generated/audit/spec/models/forwarder_request_spec.rb
 - lib/smplkit/_generated/audit/spec/models/forwarder_resource_spec.rb