@apito-io/js-admin-sdk 2.7.0 → 3.0.0

package/README.md

@@ -145,33 +145,51 @@ const relatedUsers = await client.getRelationDocuments('todo-123', {
 });
 ```
 
-### Pro: tenant catalog users (Apito Pro)
+### Project users (system GraphQL)
 
-These calls use the same admin client and system GraphQL endpoint as the rest of the SDK. They mirror the Go SDK and require a **Pro** Apito engine. Pass `projectId`; each returned user includes `tenant_id`.
+These calls use the admin client and system GraphQL endpoint. They mirror the Go SDK. Pass `projectId`; on Pro/SaaS engines each user may include `tenant_id`.
 
 | Method | Description |
 |--------|-------------|
-| `searchTenantUsers(projectId, limit?, offset?)` | List users registered for a project (each row has `email`, `phone`, `tenant_id`). |
+| `searchUsers(projectId, limit?, offset?)` | List project end-users (`email`, `phone`, optional `tenant_id`). |
 | `searchTenantsByDomain(projectId, domain)` | Exact domain lookup in project scope; returns `{ tenant }` (null if no match). |
-| `createTenantUser(projectId, params)` | Create a local-password user; `params`: `{ password, role?, email?, phone? }` (engine validates required identifier per project). |
-| `loginTenantUser(params)` | General: `{ projectId, password, email? or phone? }`. Google OAuth **code** flow: **`tenantGoogleOAuthState(projectId)`** then redirect; on callback **`loginTenantUser({ projectId, authMethod: 'google', code, state })`**. |
-| `tenantGoogleOAuthState(projectId)` | Returns **`{ state }`** for the Google authorize URL (project must have client id, secret, redirect URI configured). |
-| `updateTenantUser(userId, params)` | Mutate `email`, `phone`, `password`, and/or `role` (omit fields you do not want to send). |
-| `deleteTenantUser(userId)` | Remove a tenant catalog user. |
+| `createUser(projectId, params)` | Create a local-password user; `params`: `{ password, role?, email?, phone? }`. |
+| `loginUser(params)` | General: `{ projectId, password, email? or phone? }`. Google: **`googleOAuthState(projectId)`** then **`loginUser({ projectId, authMethod: 'google', code, state })`**. |
+| `googleOAuthState(projectId)` | Returns **`{ state }`** for the Google authorize URL. |
+| `updateUser(userId, params)` | Mutate `email`, `phone`, and/or `role` only. |
+| `resetUserPassword(userId, password)` | Admin password reset. |
+| `deleteUser(userId)` | Remove a project user. |
+
+### Project storage settings (system GraphQL)
+
+| Method | Description |
+|--------|-------------|
+| `getProjectStorageSettings(projectId)` | Read S3/storage settings (secrets not returned). |
+| `updateProjectStorageSettings(input)` | Persist storage settings. |
+
+### System files (REST)
+
+REST base is derived from `baseURL` by stripping `/graphql`, or set `restBaseURL` on the client config.
+
+| Method | Description |
+|--------|-------------|
+| `uploadSystemFile(params)` | POST `/files/upload` (multipart). |
+| `listSystemFiles(fileType?, limit?, offset?)` | GET `/files/list`. |
+| `deleteSystemFiles(ids)` | POST `/files/delete`. |
 
 On the engine system GraphQL API, `createTenant` accepts an optional `domain`; when set, the domain must be unused in the project (otherwise the mutation fails). `updateTenant` enforces the same when setting `domain` to a non-empty value. Call those mutations via `executeGraphQL` if needed.
 
 ```javascript
 const projectId = 'your-project-id';
 
-const { users, count } = await client.searchTenantUsers(projectId, 50, 0);
+const { users, count } = await client.searchUsers(projectId, 50, 0);
 console.log(
   'users:',
   count,
   users.map((u) => u.email || u.phone || u.id),
 );
 
-const login = await client.loginTenantUser({
+const login = await client.loginUser({
   projectId,
   password: 'your-password',
   email: 'user@example.com', // use phone: '+15551234567' when project is phone mode
@@ -181,7 +199,7 @@ if (login.token) {
 }
 ```
 
-Runnable sample: `examples/tenant_users` (set `APITO_BASE_URL`, `APITO_API_KEY`, `APITO_PROJECT_ID`).
+Runnable samples: `examples/users`, `examples/system_files` (set `APITO_BASE_URL`, `APITO_API_KEY`, `APITO_PROJECT_ID`).
 
 ### Typed Operations
 
@@ -374,7 +392,7 @@ npm start
 Pro tenant-user listing (optional `APITO_TENANT_EMAIL` / `APITO_TENANT_PHONE` + `APITO_TENANT_PASSWORD` for login):
 
 ```bash
-cd examples/tenant_users
+cd examples/users
 npm install
 APITO_BASE_URL=http://localhost:5050/system/graphql APITO_API_KEY=... APITO_PROJECT_ID=... npm start
 ```

package/dist/index.d.mts

@@ -69,56 +69,97 @@ interface CreateAndUpdateRequest {
     singlePageData?: boolean;
     forceUpdate?: boolean;
 }
-/** Tenant catalog user from engine system DB (pro_tenant_users). */
-interface TenantUser {
+/** Project end-user from engine system DB (table project_users). */
+interface User {
     id: string;
     email?: string;
     phone?: string;
     role: string;
-    tenant_id: string;
+    tenant_id?: string;
     provider?: string;
     status?: string;
     created_at?: string;
     updated_at?: string;
 }
-/** Login via system GraphQL `loginTenantUser`. Password path: use `email` or `phone` per project settings. Google OAuth code path: `authMethod: 'google'`, `code`, `state` from redirect (get `state` first via `tenantGoogleOAuthState`). */
-interface TenantLoginParams {
+/** Login via system GraphQL `loginUser`. Password path: use `email` or `phone` per project settings. Google OAuth code path: `authMethod: 'google'`, `code`, `state` from redirect (get `state` first via `googleOAuthState`). */
+interface LoginUserParams {
     projectId: string;
-    /** Required for general (password) login. */
     password?: string;
     email?: string;
     phone?: string;
-    /** `general` (default) or `google`. */
     authMethod?: string;
-    /** Google authorization code (with `authMethod: 'google'`). */
     code?: string;
-    /** OAuth state from `tenantGoogleOAuthState` or callback (with `authMethod: 'google'`). */
     state?: string;
 }
-interface TenantGoogleOAuthStateResponse {
+interface GoogleOAuthStateResponse {
     state: string;
 }
-interface CreateTenantUserParams {
+interface CreateUserParams {
     password: string;
     role?: string;
     email?: string;
     phone?: string;
 }
-/** Optional fields for `updateTenantUser`; omitted keys are not sent. */
-interface UpdateTenantUserParams {
+/** Optional fields for `updateUser`; omitted keys are not sent. */
+interface UpdateUserParams {
     email?: string;
     phone?: string;
-    password?: string;
     role?: string;
 }
-interface TenantLoginResponse {
+interface LoginUserResponse {
     token: string;
-    user?: TenantUser;
+    user?: User;
 }
-interface TenantUsersResponse {
-    users: TenantUser[];
+interface UsersResponse {
+    users: User[];
     count: number;
 }
+interface ProjectStorageSettings {
+    use_free_cloud_storage: boolean;
+    endpoint?: string | null;
+    region?: string | null;
+    bucket?: string | null;
+    access_key_id?: string | null;
+    has_secret_access_key: boolean;
+    public_base_url?: string | null;
+    force_path_style?: boolean | null;
+}
+interface UpdateProjectStorageInput {
+    use_free_cloud_storage?: boolean;
+    endpoint?: string;
+    region?: string;
+    bucket?: string;
+    access_key_id?: string;
+    secret_access_key?: string;
+    public_base_url?: string;
+    force_path_style?: boolean;
+}
+interface SystemFile {
+    id: string;
+    file_type: string;
+    file_name: string;
+    file_extension?: string;
+    content_type?: string;
+    size: number;
+    url: string;
+    created_by?: string;
+    created_at?: string;
+}
+interface SystemFilesListResponse {
+    files: SystemFile[];
+    total: number;
+}
+interface SystemFileUploadParams {
+    fileName: string;
+    content: Uint8Array | ArrayBuffer;
+    fileType?: string;
+}
+interface DeleteSystemFilesResponse {
+    success: boolean;
+    deleted_ids: string[];
+    storage_failed?: string[];
+    message?: string;
+}
 /** One SaaS catalog tenant row from searchTenantsByDomain. */
 interface TenantCatalogSearchRow {
     id: string;
@@ -132,6 +173,8 @@ interface TenantByDomainResponse {
 }
 interface ClientConfig {
     baseURL: string;
+    /** REST base (e.g. http://host:5050/system); derived from baseURL when omitted */
+    restBaseURL?: string;
     apiKey: string;
     timeout?: number;
     httpClient?: any;
@@ -159,13 +202,19 @@ interface InjectedDBOperationInterface {
     }): Promise<GraphQLResponse>;
     /** @param token Legacy; ignored. Auth uses client API key. */
     generateTenantToken(tenantId: string, duration?: string, role?: string): Promise<string>;
-    loginTenantUser(params: TenantLoginParams): Promise<TenantLoginResponse>;
-    tenantGoogleOAuthState(projectId: string): Promise<TenantGoogleOAuthStateResponse>;
-    searchTenantUsers(projectId: string, limit?: number, offset?: number): Promise<TenantUsersResponse>;
+    loginUser(params: LoginUserParams): Promise<LoginUserResponse>;
+    googleOAuthState(projectId: string): Promise<GoogleOAuthStateResponse>;
+    searchUsers(projectId: string, limit?: number, offset?: number): Promise<UsersResponse>;
     searchTenantsByDomain(projectId: string, domain: string): Promise<TenantByDomainResponse>;
-    createTenantUser(projectId: string, params: CreateTenantUserParams): Promise<TenantUser>;
-    updateTenantUser(userId: string, params: UpdateTenantUserParams): Promise<TenantUser>;
-    deleteTenantUser(userId: string): Promise<boolean>;
+    createUser(projectId: string, params: CreateUserParams): Promise<User>;
+    updateUser(userId: string, params: UpdateUserParams): Promise<User>;
+    resetUserPassword(userId: string, password: string): Promise<boolean>;
+    deleteUser(userId: string): Promise<boolean>;
+    getProjectStorageSettings(projectId: string): Promise<ProjectStorageSettings>;
+    updateProjectStorageSettings(input: UpdateProjectStorageInput): Promise<ProjectStorageSettings>;
+    uploadSystemFile(params: SystemFileUploadParams): Promise<SystemFile>;
+    listSystemFiles(fileType?: string, limit?: number, offset?: number): Promise<SystemFilesListResponse>;
+    deleteSystemFiles(ids: string[]): Promise<DeleteSystemFilesResponse>;
     getSingleResource(model: string, id: string, singlePageData?: boolean): Promise<DefaultDocumentStructure>;
     searchResources(model: string, filter?: Record<string, any>, aggregate?: boolean): Promise<SearchResult>;
     getRelationDocuments(id: string, connection: Record<string, any>): Promise<SearchResult>;
@@ -203,6 +252,7 @@ declare class ValidationError extends ApitoError {
 declare class ApitoClient implements InjectedDBOperationInterface {
     private httpClient;
     private baseURL;
+    private restBaseURL;
     private apiKey;
     private tenantId?;
     constructor(config: ClientConfig);
@@ -222,36 +272,48 @@ declare class ApitoClient implements InjectedDBOperationInterface {
      * @param role Optional token role; if omitted/empty, the engine defaults to `admin`.
      */
     generateTenantToken(tenantId: string, duration?: string, role?: string): Promise<string>;
+    private authHeaders;
+    private executeREST;
     /**
-     * Tenant catalog login (system GraphQL `loginTenantUser`). Password path: pass `password` and `email` or `phone` per project Authentication settings. Google OAuth path: `authMethod: 'google'` with `code` and `state` from the redirect; call `tenantGoogleOAuthState(projectId)` before opening Google to obtain `state`.
+     * Project user login (system GraphQL `loginUser`). Password path: pass `password` and `email` or `phone` per project Authentication settings. Google OAuth path: `authMethod: 'google'` with `code` and `state` from the redirect; call `googleOAuthState(projectId)` before opening Google to obtain `state`.
      */
-    loginTenantUser(params: TenantLoginParams): Promise<TenantLoginResponse>;
+    loginUser(params: LoginUserParams): Promise<LoginUserResponse>;
     /**
-     * Signed OAuth state for tenant Google login (system query `tenantGoogleOAuthState`). Use in the authorize URL together with project `google_client_id` and the configured redirect URI.
+     * Signed OAuth state for Google login (system query `googleOAuthState`). Use in the authorize URL together with project `google_client_id` and the configured redirect URI.
      */
-    tenantGoogleOAuthState(projectId: string): Promise<{
-        state: string;
-    }>;
+    googleOAuthState(projectId: string): Promise<GoogleOAuthStateResponse>;
     /**
-     * Search tenant users for a project.
+     * Search project end-users.
      */
-    searchTenantUsers(projectId: string, limit?: number, offset?: number): Promise<TenantUsersResponse>;
+    searchUsers(projectId: string, limit?: number, offset?: number): Promise<UsersResponse>;
     /**
      * Resolve the single SaaS catalog tenant for an exact domain match in the project (`tenant` null if none).
      */
     searchTenantsByDomain(projectId: string, domain: string): Promise<TenantByDomainResponse>;
     /**
-     * Create a tenant catalog user (local password). Use `email` and/or `phone` per engine validation for the project identifier mode.
+     * Create a project user (local password). Use `email` and/or `phone` per engine validation for the project identifier mode.
      */
-    createTenantUser(projectId: string, params: CreateTenantUserParams): Promise<TenantUser>;
+    createUser(projectId: string, params: CreateUserParams): Promise<User>;
     /**
-     * Update a tenant catalog user. Project scope is implied by the API key. Only include fields to change.
+     * Update a project user. Project scope is implied by the API key. Only include fields to change.
      */
-    updateTenantUser(userId: string, params: UpdateTenantUserParams): Promise<TenantUser>;
+    updateUser(userId: string, params: UpdateUserParams): Promise<User>;
+    /** Set a new password for a project user (admin mutation resetUserPassword). */
+    resetUserPassword(userId: string, password: string): Promise<boolean>;
     /**
-     * Delete a tenant catalog user by id. Project scope is implied by the API key.
+     * Delete a project user by id. Project scope is implied by the API key.
      */
-    deleteTenantUser(userId: string): Promise<boolean>;
+    deleteUser(userId: string): Promise<boolean>;
+    /** Read project storage settings via getProject. */
+    getProjectStorageSettings(projectId: string): Promise<ProjectStorageSettings>;
+    /** Persist project storage settings. */
+    updateProjectStorageSettings(input: UpdateProjectStorageInput): Promise<ProjectStorageSettings>;
+    /** Upload a file via POST /system/files/upload. */
+    uploadSystemFile(params: SystemFileUploadParams): Promise<SystemFile>;
+    /** List files via GET /system/files/list. */
+    listSystemFiles(fileType?: string, limit?: number, offset?: number): Promise<SystemFilesListResponse>;
+    /** Delete files via POST /system/files/delete. */
+    deleteSystemFiles(ids: string[]): Promise<DeleteSystemFilesResponse>;
     /**
      * Get a single resource by model and ID
      */
@@ -319,10 +381,10 @@ declare class TypedOperations {
 /**
  * Apito JavaScript internal SDK version (kept in sync with package.json for releases)
  */
-declare const Version = "2.7.0";
+declare const Version = "3.0.0";
 /**
  * GetVersion returns the current version of the SDK
  */
 declare function getVersion(): string;
 
-export { ApitoClient, ApitoError, type ClientConfig, type ConnectionOptions, type CreateAndUpdateRequest, type CreateTenantUserParams, type DefaultDocumentStructure, type Filter, GraphQLError, type GraphQLErrorLocation, type GraphQLResponse, type InjectedDBOperationInterface, type MetaField, type RequestOptions, type SearchOptions, type SearchResult, type TenantByDomainResponse, type TenantCatalogSearchRow, type TenantGoogleOAuthStateResponse, type TenantLoginParams, type TenantLoginResponse, type TenantUser, type TenantUsersResponse, type TypedDocumentStructure, TypedOperations, type TypedSearchResult, type UpdateTenantUserParams, ValidationError, Version, createClient, ApitoClient as default, getVersion };
+export { ApitoClient, ApitoError, type ClientConfig, type ConnectionOptions, type CreateAndUpdateRequest, type CreateUserParams, type DefaultDocumentStructure, type DeleteSystemFilesResponse, type Filter, type GoogleOAuthStateResponse, GraphQLError, type GraphQLErrorLocation, type GraphQLResponse, type InjectedDBOperationInterface, type LoginUserParams, type LoginUserResponse, type MetaField, type ProjectStorageSettings, type RequestOptions, type SearchOptions, type SearchResult, type SystemFile, type SystemFileUploadParams, type SystemFilesListResponse, type TenantByDomainResponse, type TenantCatalogSearchRow, type TypedDocumentStructure, TypedOperations, type TypedSearchResult, type UpdateProjectStorageInput, type UpdateUserParams, type User, type UsersResponse, ValidationError, Version, createClient, ApitoClient as default, getVersion };

package/dist/index.d.ts

@@ -69,56 +69,97 @@ interface CreateAndUpdateRequest {
     singlePageData?: boolean;
     forceUpdate?: boolean;
 }
-/** Tenant catalog user from engine system DB (pro_tenant_users). */
-interface TenantUser {
+/** Project end-user from engine system DB (table project_users). */
+interface User {
     id: string;
     email?: string;
     phone?: string;
     role: string;
-    tenant_id: string;
+    tenant_id?: string;
     provider?: string;
     status?: string;
     created_at?: string;
     updated_at?: string;
 }
-/** Login via system GraphQL `loginTenantUser`. Password path: use `email` or `phone` per project settings. Google OAuth code path: `authMethod: 'google'`, `code`, `state` from redirect (get `state` first via `tenantGoogleOAuthState`). */
-interface TenantLoginParams {
+/** Login via system GraphQL `loginUser`. Password path: use `email` or `phone` per project settings. Google OAuth code path: `authMethod: 'google'`, `code`, `state` from redirect (get `state` first via `googleOAuthState`). */
+interface LoginUserParams {
     projectId: string;
-    /** Required for general (password) login. */
     password?: string;
     email?: string;
     phone?: string;
-    /** `general` (default) or `google`. */
     authMethod?: string;
-    /** Google authorization code (with `authMethod: 'google'`). */
     code?: string;
-    /** OAuth state from `tenantGoogleOAuthState` or callback (with `authMethod: 'google'`). */
     state?: string;
 }
-interface TenantGoogleOAuthStateResponse {
+interface GoogleOAuthStateResponse {
     state: string;
 }
-interface CreateTenantUserParams {
+interface CreateUserParams {
     password: string;
     role?: string;
     email?: string;
     phone?: string;
 }
-/** Optional fields for `updateTenantUser`; omitted keys are not sent. */
-interface UpdateTenantUserParams {
+/** Optional fields for `updateUser`; omitted keys are not sent. */
+interface UpdateUserParams {
     email?: string;
     phone?: string;
-    password?: string;
     role?: string;
 }
-interface TenantLoginResponse {
+interface LoginUserResponse {
     token: string;
-    user?: TenantUser;
+    user?: User;
 }
-interface TenantUsersResponse {
-    users: TenantUser[];
+interface UsersResponse {
+    users: User[];
     count: number;
 }
+interface ProjectStorageSettings {
+    use_free_cloud_storage: boolean;
+    endpoint?: string | null;
+    region?: string | null;
+    bucket?: string | null;
+    access_key_id?: string | null;
+    has_secret_access_key: boolean;
+    public_base_url?: string | null;
+    force_path_style?: boolean | null;
+}
+interface UpdateProjectStorageInput {
+    use_free_cloud_storage?: boolean;
+    endpoint?: string;
+    region?: string;
+    bucket?: string;
+    access_key_id?: string;
+    secret_access_key?: string;
+    public_base_url?: string;
+    force_path_style?: boolean;
+}
+interface SystemFile {
+    id: string;
+    file_type: string;
+    file_name: string;
+    file_extension?: string;
+    content_type?: string;
+    size: number;
+    url: string;
+    created_by?: string;
+    created_at?: string;
+}
+interface SystemFilesListResponse {
+    files: SystemFile[];
+    total: number;
+}
+interface SystemFileUploadParams {
+    fileName: string;
+    content: Uint8Array | ArrayBuffer;
+    fileType?: string;
+}
+interface DeleteSystemFilesResponse {
+    success: boolean;
+    deleted_ids: string[];
+    storage_failed?: string[];
+    message?: string;
+}
 /** One SaaS catalog tenant row from searchTenantsByDomain. */
 interface TenantCatalogSearchRow {
     id: string;
@@ -132,6 +173,8 @@ interface TenantByDomainResponse {
 }
 interface ClientConfig {
     baseURL: string;
+    /** REST base (e.g. http://host:5050/system); derived from baseURL when omitted */
+    restBaseURL?: string;
     apiKey: string;
     timeout?: number;
     httpClient?: any;
@@ -159,13 +202,19 @@ interface InjectedDBOperationInterface {
     }): Promise<GraphQLResponse>;
     /** @param token Legacy; ignored. Auth uses client API key. */
     generateTenantToken(tenantId: string, duration?: string, role?: string): Promise<string>;
-    loginTenantUser(params: TenantLoginParams): Promise<TenantLoginResponse>;
-    tenantGoogleOAuthState(projectId: string): Promise<TenantGoogleOAuthStateResponse>;
-    searchTenantUsers(projectId: string, limit?: number, offset?: number): Promise<TenantUsersResponse>;
+    loginUser(params: LoginUserParams): Promise<LoginUserResponse>;
+    googleOAuthState(projectId: string): Promise<GoogleOAuthStateResponse>;
+    searchUsers(projectId: string, limit?: number, offset?: number): Promise<UsersResponse>;
     searchTenantsByDomain(projectId: string, domain: string): Promise<TenantByDomainResponse>;
-    createTenantUser(projectId: string, params: CreateTenantUserParams): Promise<TenantUser>;
-    updateTenantUser(userId: string, params: UpdateTenantUserParams): Promise<TenantUser>;
-    deleteTenantUser(userId: string): Promise<boolean>;
+    createUser(projectId: string, params: CreateUserParams): Promise<User>;
+    updateUser(userId: string, params: UpdateUserParams): Promise<User>;
+    resetUserPassword(userId: string, password: string): Promise<boolean>;
+    deleteUser(userId: string): Promise<boolean>;
+    getProjectStorageSettings(projectId: string): Promise<ProjectStorageSettings>;
+    updateProjectStorageSettings(input: UpdateProjectStorageInput): Promise<ProjectStorageSettings>;
+    uploadSystemFile(params: SystemFileUploadParams): Promise<SystemFile>;
+    listSystemFiles(fileType?: string, limit?: number, offset?: number): Promise<SystemFilesListResponse>;
+    deleteSystemFiles(ids: string[]): Promise<DeleteSystemFilesResponse>;
     getSingleResource(model: string, id: string, singlePageData?: boolean): Promise<DefaultDocumentStructure>;
     searchResources(model: string, filter?: Record<string, any>, aggregate?: boolean): Promise<SearchResult>;
     getRelationDocuments(id: string, connection: Record<string, any>): Promise<SearchResult>;
@@ -203,6 +252,7 @@ declare class ValidationError extends ApitoError {
 declare class ApitoClient implements InjectedDBOperationInterface {
     private httpClient;
     private baseURL;
+    private restBaseURL;
     private apiKey;
     private tenantId?;
     constructor(config: ClientConfig);
@@ -222,36 +272,48 @@ declare class ApitoClient implements InjectedDBOperationInterface {
      * @param role Optional token role; if omitted/empty, the engine defaults to `admin`.
      */
     generateTenantToken(tenantId: string, duration?: string, role?: string): Promise<string>;
+    private authHeaders;
+    private executeREST;
     /**
-     * Tenant catalog login (system GraphQL `loginTenantUser`). Password path: pass `password` and `email` or `phone` per project Authentication settings. Google OAuth path: `authMethod: 'google'` with `code` and `state` from the redirect; call `tenantGoogleOAuthState(projectId)` before opening Google to obtain `state`.
+     * Project user login (system GraphQL `loginUser`). Password path: pass `password` and `email` or `phone` per project Authentication settings. Google OAuth path: `authMethod: 'google'` with `code` and `state` from the redirect; call `googleOAuthState(projectId)` before opening Google to obtain `state`.
      */
-    loginTenantUser(params: TenantLoginParams): Promise<TenantLoginResponse>;
+    loginUser(params: LoginUserParams): Promise<LoginUserResponse>;
     /**
-     * Signed OAuth state for tenant Google login (system query `tenantGoogleOAuthState`). Use in the authorize URL together with project `google_client_id` and the configured redirect URI.
+     * Signed OAuth state for Google login (system query `googleOAuthState`). Use in the authorize URL together with project `google_client_id` and the configured redirect URI.
      */
-    tenantGoogleOAuthState(projectId: string): Promise<{
-        state: string;
-    }>;
+    googleOAuthState(projectId: string): Promise<GoogleOAuthStateResponse>;
     /**
-     * Search tenant users for a project.
+     * Search project end-users.
      */
-    searchTenantUsers(projectId: string, limit?: number, offset?: number): Promise<TenantUsersResponse>;
+    searchUsers(projectId: string, limit?: number, offset?: number): Promise<UsersResponse>;
     /**
      * Resolve the single SaaS catalog tenant for an exact domain match in the project (`tenant` null if none).
      */
     searchTenantsByDomain(projectId: string, domain: string): Promise<TenantByDomainResponse>;
     /**
-     * Create a tenant catalog user (local password). Use `email` and/or `phone` per engine validation for the project identifier mode.
+     * Create a project user (local password). Use `email` and/or `phone` per engine validation for the project identifier mode.
      */
-    createTenantUser(projectId: string, params: CreateTenantUserParams): Promise<TenantUser>;
+    createUser(projectId: string, params: CreateUserParams): Promise<User>;
     /**
-     * Update a tenant catalog user. Project scope is implied by the API key. Only include fields to change.
+     * Update a project user. Project scope is implied by the API key. Only include fields to change.
      */
-    updateTenantUser(userId: string, params: UpdateTenantUserParams): Promise<TenantUser>;
+    updateUser(userId: string, params: UpdateUserParams): Promise<User>;
+    /** Set a new password for a project user (admin mutation resetUserPassword). */
+    resetUserPassword(userId: string, password: string): Promise<boolean>;
     /**
-     * Delete a tenant catalog user by id. Project scope is implied by the API key.
+     * Delete a project user by id. Project scope is implied by the API key.
      */
-    deleteTenantUser(userId: string): Promise<boolean>;
+    deleteUser(userId: string): Promise<boolean>;
+    /** Read project storage settings via getProject. */
+    getProjectStorageSettings(projectId: string): Promise<ProjectStorageSettings>;
+    /** Persist project storage settings. */
+    updateProjectStorageSettings(input: UpdateProjectStorageInput): Promise<ProjectStorageSettings>;
+    /** Upload a file via POST /system/files/upload. */
+    uploadSystemFile(params: SystemFileUploadParams): Promise<SystemFile>;
+    /** List files via GET /system/files/list. */
+    listSystemFiles(fileType?: string, limit?: number, offset?: number): Promise<SystemFilesListResponse>;
+    /** Delete files via POST /system/files/delete. */
+    deleteSystemFiles(ids: string[]): Promise<DeleteSystemFilesResponse>;
     /**
      * Get a single resource by model and ID
      */
@@ -319,10 +381,10 @@ declare class TypedOperations {
 /**
  * Apito JavaScript internal SDK version (kept in sync with package.json for releases)
  */
-declare const Version = "2.7.0";
+declare const Version = "3.0.0";
 /**
  * GetVersion returns the current version of the SDK
  */
 declare function getVersion(): string;
 
-export { ApitoClient, ApitoError, type ClientConfig, type ConnectionOptions, type CreateAndUpdateRequest, type CreateTenantUserParams, type DefaultDocumentStructure, type Filter, GraphQLError, type GraphQLErrorLocation, type GraphQLResponse, type InjectedDBOperationInterface, type MetaField, type RequestOptions, type SearchOptions, type SearchResult, type TenantByDomainResponse, type TenantCatalogSearchRow, type TenantGoogleOAuthStateResponse, type TenantLoginParams, type TenantLoginResponse, type TenantUser, type TenantUsersResponse, type TypedDocumentStructure, TypedOperations, type TypedSearchResult, type UpdateTenantUserParams, ValidationError, Version, createClient, ApitoClient as default, getVersion };
+export { ApitoClient, ApitoError, type ClientConfig, type ConnectionOptions, type CreateAndUpdateRequest, type CreateUserParams, type DefaultDocumentStructure, type DeleteSystemFilesResponse, type Filter, type GoogleOAuthStateResponse, GraphQLError, type GraphQLErrorLocation, type GraphQLResponse, type InjectedDBOperationInterface, type LoginUserParams, type LoginUserResponse, type MetaField, type ProjectStorageSettings, type RequestOptions, type SearchOptions, type SearchResult, type SystemFile, type SystemFileUploadParams, type SystemFilesListResponse, type TenantByDomainResponse, type TenantCatalogSearchRow, type TypedDocumentStructure, TypedOperations, type TypedSearchResult, type UpdateProjectStorageInput, type UpdateUserParams, type User, type UsersResponse, ValidationError, Version, createClient, ApitoClient as default, getVersion };