@artifact-keeper/sdk 1.1.6 → 1.2.1

package/src/types.gen.ts

@@ -198,6 +198,14 @@ export type ArtifactLabelsListResponse = {
 };
 
 export type ArtifactListResponse = {
+    /**
+     * Maven component grouping.  Only present when `group_by=maven_component`.
+     */
+    components?: Array<MavenComponentResponse> | null;
+    /**
+     * Docker tag grouping.  Only present when `group_by=docker_tag`.
+     */
+    docker_tags?: Array<DockerTagResponse> | null;
     items: Array<ArtifactResponse>;
     pagination: Pagination;
 };
@@ -210,6 +218,21 @@ export type ArtifactMetadataResponse = {
 };
 
 export type ArtifactResponse = {
+    /**
+     * When the proxy cache entry for this artifact was last written.
+     * Only populated for Remote (proxy) repositories whose proxy service is
+     * configured AND that have a cache-metadata blob for this path. None
+     * for Local / Virtual / Staging repos and for Remote repos whose cache
+     * hasn't been populated yet (e.g. an artifact that exists as a DB row
+     * from a direct upload but has never been fetched through the proxy).
+     * (#1541)
+     */
+    cache_cached_at?: string | null;
+    /**
+     * When the proxy cache entry for this artifact will expire and be
+     * re-validated against upstream. Same gating as `cache_cached_at`. (#1541)
+     */
+    cache_expires_at?: string | null;
     checksum_sha256: string;
     content_type: string;
     created_at: string;
@@ -247,6 +270,14 @@ export type AssessmentResult = {
 };
 
 export type AssignRepoRequest = {
+    /**
+     * Optional JSONB filter constraining which artifacts in the repository
+     * get replicated. Shape: `{"include_patterns": ["^v\\d+\\."], "exclude_patterns": [".*-SNAPSHOT$"]}`.
+     * Null/absent means replicate everything.
+     */
+    replication_filter: {
+        [key: string]: unknown;
+    };
     replication_mode?: string | null;
     replication_schedule?: string | null;
     repository_id: string;
@@ -257,6 +288,25 @@ export type AssignRoleRequest = {
     role_id: string;
 };
 
+/**
+ * Authentication provider availability.
+ */
+export type AuthConfig = {
+    /**
+     * Whether an LDAP directory is configured.
+     */
+    ldap_enabled: boolean;
+    /**
+     * Whether an OIDC provider is configured.
+     */
+    oidc_enabled: boolean;
+    /**
+     * Whether SAML SSO is configured (derived from the SSO admin settings in the DB,
+     * but for this endpoint we report whether the OIDC issuer is set as a proxy).
+     */
+    sso_enabled: boolean;
+};
+
 export type BackupListResponse = {
     items: Array<BackupResponse>;
     total: number;
@@ -384,7 +434,11 @@ export type BulkPromoteRequest = {
     artifact_ids: Array<string>;
     notes?: string | null;
     skip_policy_check?: boolean;
-    target_repository: string;
+    /**
+     * Target release repository key. When omitted, the staging repository's
+     * linked release target (from `repository_config`) is used instead.
+     */
+    target_repository?: string | null;
 };
 
 export type BulkPromotionResponse = {
@@ -646,6 +700,19 @@ export type CreateConnectionRequest = {
     url: string;
 };
 
+export type CreateEmailSubscriptionRequest = {
+    enabled?: boolean;
+    /**
+     * Event-type tokens to listen for. Must be drawn from `VALID_EVENT_TYPES`.
+     */
+    event_types: Array<string>;
+    /**
+     * Email addresses to deliver matching events to. Bounded length;
+     * see `MAX_RECIPIENTS_PER_SUBSCRIPTION` for the operator-facing limit.
+     */
+    recipients: Array<string>;
+};
+
 export type CreateGateRequest = {
     action?: string;
     description?: string | null;
@@ -719,7 +786,17 @@ export type CreateOidcConfigRequest = {
     client_secret: string;
     is_enabled?: boolean | null;
     issuer_url: string;
+    /**
+     * When `true`, OIDC group claim values are reflected as Artifact Keeper
+     * group memberships (auto-creating groups on first sight). Defaults to
+     * `false` to preserve legacy role-mapping behavior.
+     */
+    map_groups_to_groups?: boolean | null;
     name: string;
+    /**
+     * Enable PKCE (S256) on the authorization request. Defaults to `true`.
+     */
+    pkce_enabled?: boolean | null;
     scopes?: Array<string> | null;
 };
 
@@ -733,7 +810,7 @@ export type CreatePermissionRequest = {
 
 export type CreatePolicyRequest = {
     block_on_fail: boolean;
-    block_unscanned: boolean;
+    block_unscanned?: boolean;
     max_artifact_age_days?: number | null;
     max_severity: string;
     min_staging_hours?: number | null;
@@ -742,7 +819,51 @@ export type CreatePolicyRequest = {
     require_signature?: boolean;
 };
 
+/**
+ * Request to create an access token scoped to a repository.
+ */
+export type CreateRepoTokenRequest = {
+    /**
+     * Optional human-readable description.
+     */
+    description?: string | null;
+    /**
+     * Number of days until the token expires (1-365). Omit for no expiration.
+     */
+    expires_in_days?: number | null;
+    /**
+     * Display name for the token.
+     */
+    name: string;
+    /**
+     * Permission scopes for the token.
+     */
+    scopes: Array<string>;
+};
+
+/**
+ * Response returned when a repository token is created. The `token` field
+ * contains the plaintext value and is only shown once.
+ */
+export type CreateRepoTokenResponse = {
+    id: string;
+    name: string;
+    repository_key: string;
+    /**
+     * The full token value (only returned at creation time).
+     */
+    token: string;
+};
+
 export type CreateRepositoryRequest = {
+    /**
+     * Alias for `is_public`. When set to true, anonymous users can download
+     * artifacts from this repository without authentication. Useful for remote
+     * (pull-through cache) repositories that proxy public upstream registries.
+     * If both `is_public` and `allow_anonymous_access` are provided,
+     * `allow_anonymous_access` takes precedence.
+     */
+    allow_anonymous_access?: boolean | null;
     description?: string | null;
     format: string;
     /**
@@ -764,6 +885,12 @@ export type CreateRepositoryRequest = {
      */
     member_repos?: Array<CreateVirtualMemberInput> | null;
     name: string;
+    /**
+     * When true, direct user uploads to this repository are rejected:
+     * artifacts must arrive via the promotion path. Admin-only to set.
+     * Defaults to false (no behavior change for existing repositories).
+     */
+    promotion_only?: boolean | null;
     quota_bytes?: number | null;
     repo_type: string;
     /**
@@ -830,10 +957,36 @@ export type CreateServiceAccountRequest = {
 };
 
 export type CreateSessionRequest = {
+    /**
+     * Source artifact metadata for peer replication.
+     */
+    artifact_metadata?: unknown;
+    /**
+     * Source artifact metadata format for peer replication.
+     */
+    artifact_metadata_format?: string | null;
+    /**
+     * Source artifact metadata properties for peer replication.
+     */
+    artifact_metadata_properties?: unknown;
+    /**
+     * Artifact name to persist when the upload completes.
+     *
+     * Optional for regular client uploads. Peer replication sets this from
+     * the source artifact row so chunked replication preserves metadata.
+     */
+    artifact_name?: string | null;
     /**
      * Path within the repository (e.g. "images/vm.ova")
      */
     artifact_path: string;
+    /**
+     * Artifact version to persist when the upload completes.
+     *
+     * Optional for regular client uploads. Peer replication sets this from
+     * the source artifact row so chunked replication preserves metadata.
+     */
+    artifact_version?: string | null;
     /**
      * Expected SHA256 checksum of the complete file
      */
@@ -846,6 +999,14 @@ export type CreateSessionRequest = {
      * MIME content type (default "application/octet-stream")
      */
     content_type?: string | null;
+    /**
+     * Source package description for peer replication.
+     */
+    package_description?: string | null;
+    /**
+     * Source package catalog metadata for peer replication.
+     */
+    package_metadata?: unknown;
     /**
      * Repository key (e.g. "my-repo")
      */
@@ -869,6 +1030,13 @@ export type CreateSyncPolicyPayload = {
     };
     description?: string;
     enabled?: boolean;
+    /**
+     * Convenience glob filter (e.g. `"*.tar.gz"`). When set, it is folded
+     * into `artifact_filter.include_paths` so only matching artifact paths
+     * are eligible for sync. Ignored if `artifact_filter.include_paths` is
+     * already provided.
+     */
+    filter?: string | null;
     name: string;
     peer_selector?: {
         [key: string]: unknown;
@@ -931,12 +1099,27 @@ export type CreateVirtualMemberInput = {
 };
 
 export type CreateWebhookRequest = {
+    /**
+     * Pinned event payload version. Defaults to "2026-04-01" when omitted.
+     * Must match a value in `SUPPORTED_EVENT_VERSIONS` or the request is
+     * rejected with HTTP 422.
+     */
+    event_schema_version?: string | null;
     events: Array<string>;
     headers?: {
         [key: string]: unknown;
     } | null;
     name: string;
+    /**
+     * Payload layout for the target platform (default: generic).
+     */
+    payload_template?: PayloadTemplate;
     repository_id?: string | null;
+    /**
+     * Optional caller-supplied secret. When omitted the server generates a
+     * fresh `whsec_*` secret. Either way the raw value is returned in the
+     * 201 response body exactly once and is unrecoverable thereafter.
+     */
     secret?: string | null;
     url: string;
 };
@@ -1006,17 +1189,47 @@ export type CveTimelineEntry = {
 
 /**
  * CVE trends summary.
+ *
+ * #1446: the security-tests `cve-history` suite probes the trends body for
+ * any of `total`, `count`, `critical`, or `high` to confirm the response
+ * carries aggregate counts (PR #1385 fixed `cve-history` but the trends
+ * shape was not aligned). The original field set (`total_cves`,
+ * `critical_count`, ...) is retained for openapi consumers; the bare
+ * `total`/`critical`/`high`/`medium`/`low` aliases are added alongside so
+ * both shape contracts are satisfied without breaking existing clients.
+ * `#[serde(default)]` keeps deserialization working when the alias fields
+ * are absent (older payloads, tests that build the struct via field init).
  */
 export type CveTrends = {
     acknowledged_cves: number;
     avg_days_to_fix?: number | null;
+    /**
+     * Alias of `critical_count` (#1446).
+     */
+    critical?: number;
     critical_count: number;
     fixed_cves: number;
+    /**
+     * Alias of `high_count` (#1446).
+     */
+    high?: number;
     high_count: number;
+    /**
+     * Alias of `low_count` (#1446).
+     */
+    low?: number;
     low_count: number;
+    /**
+     * Alias of `medium_count` (#1446).
+     */
+    medium?: number;
     medium_count: number;
     open_cves: number;
     timeline: Array<CveTimelineEntry>;
+    /**
+     * Alias of `total_cves` (#1446).
+     */
+    total?: number;
     total_cves: number;
 };
 
@@ -1074,6 +1287,79 @@ export type DiscoverablePeerResponse = {
     status: string;
 };
 
+/**
+ * A Docker/OCI tag grouped by (image, tag).
+ *
+ * `total_size_bytes` is the server-side aggregation of the manifest body
+ * plus every referenced layer blob.  This is what the UI should display
+ * as the on-disk image size; the previous client-side aggregation that
+ * only summed the manifest body itself reported a few kilobytes for
+ * images that are hundreds of megabytes on disk (artifact-keeper#1193).
+ *
+ * For multi-arch image indexes the size is the sum across all per-arch
+ * child manifests recorded in `oci_manifest_refs`, so an `amd64+arm64`
+ * index reports the combined storage cost.
+ */
+export type DockerTagResponse = {
+    /**
+     * Representative manifest artifact ID.
+     */
+    id: string;
+    /**
+     * Image name (no registry host, no tag).  Maps to the OCI v2 `<name>`
+     * path segment, which may include slashes (e.g. `library/postgres`).
+     */
+    image: string;
+    /**
+     * Whether this manifest is a multi-arch image index.
+     */
+    is_index: boolean;
+    /**
+     * Last push (or update) timestamp from the underlying `oci_tags` row.
+     */
+    last_pushed_at: string;
+    /**
+     * Number of layer blobs referenced by the manifest.  For image indexes
+     * this is the sum of layer counts across child manifests.  `0` when
+     * the manifest could not be parsed.
+     */
+    layer_count: number;
+    /**
+     * Manifest content digest (e.g. `sha256:abcdef...`).
+     */
+    manifest_digest: string;
+    /**
+     * Repository key this tag belongs to.
+     */
+    repository_key: string;
+    /**
+     * Rolled-up scan status across all scanners configured for this
+     * artifact. `None` when the artifact has never been scanned.
+     *
+     * Values surface the aggregate state, not a single scanner's row
+     * (see #1497). One of:
+     *
+     * * `pending` / `running` -- at least one scanner is still in flight
+     * * `completed` -- every per-scan-type latest row is `completed`
+     * * `failed` -- every per-scan-type latest row is `failed`
+     * * `partial` -- mixed: at least one `completed` AND at least one
+     * `failed`. A green generic scanner (e.g. grype) no longer hides
+     * a failed format-native scanner (e.g. incus) behind a
+     * `completed` label.
+     */
+    scan_status?: string | null;
+    /**
+     * Tag string (e.g. `16-alpine`).  Never a `sha256:...` digest;
+     * digest-only references are filtered out of the grouping.
+     */
+    tag: string;
+    /**
+     * Total size in bytes of the manifest plus all referenced layer blobs.
+     * For image indexes, this sums across child manifests.
+     */
+    total_size_bytes: number;
+};
+
 /**
  * Download trend data point.
  */
@@ -1275,8 +1561,31 @@ export type DtProjectMetrics = {
     vulnerabilities?: number | null;
 };
 
+/**
+ * Dependency-Track integration status surfaced to the frontend.
+ *
+ * `healthy` is the boolean the existing UI already binds to. The new
+ * `error_status` and `error_message` fields let the UI distinguish a
+ * genuine "DT replied OK with no findings" state from "DT is down or
+ * misconfigured" (issue #963). When `healthy = true` both error fields
+ * are None; when `healthy = false`:
+ * - `error_status = Some(401)`: auth failure (check API key)
+ * - `error_status = Some(5xx)`: upstream is broken
+ * - `error_status = None`:     transport failure (DT pod unreachable)
+ * - `error_message`:           operator-facing failure description
+ */
 export type DtStatusResponse = {
     enabled: boolean;
+    /**
+     * Human-readable explanation when `healthy = false`. Safe to surface
+     * in the UI; does not leak credentials.
+     */
+    error_message?: string | null;
+    /**
+     * Upstream HTTP status if the health probe got a response, else None.
+     * Only populated when `healthy = false`.
+     */
+    error_status?: number | null;
     healthy: boolean;
     url?: string | null;
 };
@@ -1295,6 +1604,20 @@ export type DtVulnerability = {
     vulnId: string;
 };
 
+export type EmailSubscriptionListResponse = {
+    subscriptions: Array<EmailSubscriptionResponse>;
+};
+
+export type EmailSubscriptionResponse = {
+    created_at: string;
+    enabled: boolean;
+    event_types: Array<string>;
+    id: string;
+    recipients: Array<string>;
+    repository_id?: string | null;
+    updated_at: string;
+};
+
 /**
  * Standard error response body returned by all endpoints on failure.
  */
@@ -1371,6 +1694,13 @@ export type FindingResponse = {
     title: string;
 };
 
+/**
+ * Response for force password change
+ */
+export type ForcePasswordChangeResponse = {
+    message: string;
+};
+
 /**
  * Format handler response with additional computed fields.
  */
@@ -1456,11 +1786,30 @@ export type GetCveTrendsQuery = {
     repository_id?: string | null;
 };
 
+export type GroupDetailResponse = GroupResponse & {
+    /**
+     * Paginated list of group members.
+     */
+    members: Array<GroupMemberResponse>;
+    /**
+     * Total number of members in the group. Clients can compare this against
+     * the length of `members` to determine whether additional pages exist.
+     */
+    members_total: number;
+};
+
 export type GroupListResponse = {
     items: Array<GroupResponse>;
     pagination: Pagination;
 };
 
+export type GroupMemberResponse = {
+    display_name?: string | null;
+    joined_at: string;
+    user_id: string;
+    username: string;
+};
+
 export type GroupResponse = {
     created_at: string;
     description?: string | null;
@@ -1498,7 +1847,7 @@ export type GrowthSummary = {
 export type HealthChecks = {
     database: CheckStatus;
     ldap?: null | CheckStatus;
-    meilisearch?: null | CheckStatus;
+    opensearch?: null | CheckStatus;
     security_scanner?: null | CheckStatus;
     storage: CheckStatus;
 };
@@ -1565,6 +1914,23 @@ export type InstallFromLocalRequest = {
     path: string;
 };
 
+export type InvalidateCacheQuery = {
+    /**
+     * Artifact path to evict from the proxy cache. Same shape as the path
+     * segment of `GET /api/v1/repositories/{key}/artifacts/{path}`.
+     * Path-traversal segments such as `..` are rejected by
+     * `ProxyService::cache_storage_key` (covered by
+     * `test_invalidate_cache_by_key_rejects_invalid_path`).
+     */
+    path: string;
+};
+
+export type InvalidateCacheResponse = {
+    invalidated: boolean;
+    path: string;
+    repository_key: string;
+};
+
 export type IssueResponse = {
     artifact_id: string;
     category: string;
@@ -1682,6 +2048,19 @@ export type LifecyclePolicy = {
 };
 
 export type ListArtifactsQuery = {
+    /**
+     * Server-side artifact grouping.
+     *
+     * Supported values:
+     * - `maven_component`: Maven/Gradle artifacts are grouped by
+     * groupId, artifactId, and version.  Individual files (jar, pom,
+     * checksums) appear in the `artifact_files` array of each component.
+     * - `docker_tag`: Docker/OCI artifacts are grouped by (image, tag),
+     * with `total_size_bytes` summed across the manifest config and
+     * referenced layer blobs.  The grouped rows are returned in the
+     * `docker_tags` array.
+     */
+    group_by?: string | null;
     page?: number | null;
     path_prefix?: string | null;
     per_page?: number | null;
@@ -1783,6 +2162,55 @@ export type MatchedRepoSchema = {
     key: string;
 };
 
+/**
+ * A Maven component grouped by GAV (groupId, artifactId, version).
+ *
+ * Each component collects the individual files (jar, pom, checksums, etc.)
+ * that share the same Maven coordinates.
+ */
+export type MavenComponentResponse = {
+    /**
+     * Individual filenames belonging to this component.
+     */
+    artifact_files: Array<string>;
+    /**
+     * Maven artifactId (e.g. `junit-jupiter-api`).
+     */
+    artifact_id: string;
+    /**
+     * Earliest creation timestamp among the component files.
+     */
+    created_at: string;
+    /**
+     * Total download count across all files in this component.
+     */
+    download_count: number;
+    /**
+     * Repository format (always `maven` or `gradle`).
+     */
+    format: string;
+    /**
+     * Maven groupId with dots (e.g. `org.junit.jupiter`).
+     */
+    group_id: string;
+    /**
+     * Representative artifact ID (the first file in the group).
+     */
+    id: string;
+    /**
+     * Repository key this component belongs to.
+     */
+    repository_key: string;
+    /**
+     * Total size in bytes across all files in this component.
+     */
+    size_bytes: number;
+    /**
+     * Maven version string (e.g. `5.11.0`).
+     */
+    version: string;
+};
+
 export type MembersRequest = {
     user_ids: Array<string>;
 };
@@ -1909,6 +2337,83 @@ export type NetworkProfileBody = {
     sync_window_timezone?: string | null;
 };
 
+/**
+ * Read-only OCI blob storage footprint report (issue #1408).
+ *
+ * This is a **reporting-only** view. It performs no deletion and takes no
+ * locks. It surfaces how much storage the tracked `oci_blobs` rows
+ * account for so operators can see the magnitude of un-reclaimed blob
+ * layers before any garbage-collection mechanism is enabled.
+ *
+ * It deliberately does NOT attempt to classify which blobs are
+ * "reclaimable orphans": that requires a manifest -> blob reference table
+ * that does not yet exist in the schema, and any per-`(repository_id,
+ * digest)` orphan heuristic would mis-handle the cross-repo dedup case
+ * (multiple `oci_blobs` rows, one physical object) and report in-use
+ * blobs as reclaimable. The numbers here are exact aggregates only.
+ */
+export type OciBlobFootprintReport = {
+    /**
+     * Distinct digests older than `grace_hours` (eligible to be *considered*
+     * by a future GC sweep once a reference table exists). Reporting only.
+     */
+    aged_distinct_digests: number;
+    /**
+     * Physical bytes (distinct-digest) older than `grace_hours`.
+     */
+    aged_physical_bytes: number;
+    /**
+     * Number of distinct blob digests (content-addressed identities). When
+     * this is smaller than `total_blob_rows`, the difference is cross-repo
+     * deduplication: rows that share one physical storage object.
+     */
+    distinct_digests: number;
+    /**
+     * Grace window (hours) applied to the `aged_*` figures below.
+     */
+    grace_hours: number;
+    /**
+     * Sum of `size_bytes` over every `oci_blobs` row. Double-counts
+     * deduplicated blobs once per referencing repository.
+     */
+    logical_bytes: number;
+    /**
+     * Per-repository logical footprint, largest `logical_bytes` first.
+     */
+    per_repository: Array<OciBlobRepoFootprint>;
+    /**
+     * Sum of `size_bytes` counting each distinct digest exactly once. This
+     * approximates the physical bytes occupied in the storage backend.
+     */
+    physical_bytes: number;
+    /**
+     * Total number of `oci_blobs` rows across all repositories.
+     */
+    total_blob_rows: number;
+};
+
+/**
+ * Per-repository row in the OCI blob footprint report.
+ */
+export type OciBlobRepoFootprint = {
+    /**
+     * Number of `oci_blobs` rows attributed to this repository.
+     */
+    blob_rows: number;
+    /**
+     * Sum of `oci_blobs.size_bytes` for this repository's rows. Because OCI
+     * blob storage is content-addressed and deduplicated across repos, the
+     * same physical bytes can be counted under more than one repository
+     * here; see [`OciBlobFootprintReport::physical_bytes`] for the
+     * dedup-aware total.
+     */
+    logical_bytes: number;
+    /**
+     * Repository id owning these `oci_blobs` rows.
+     */
+    repository_id: string;
+};
+
 export type OidcConfigResponse = {
     attribute_mapping: {
         [key: string]: unknown;
@@ -1920,7 +2425,9 @@ export type OidcConfigResponse = {
     id: string;
     is_enabled: boolean;
     issuer_url: string;
+    map_groups_to_groups: boolean;
     name: string;
+    pkce_enabled: boolean;
     scopes: Array<string>;
     updated_at: string;
 };
@@ -2021,6 +2528,15 @@ export type PaginationInfo = {
     total_pages: number;
 };
 
+/**
+ * Supported webhook payload templates.
+ *
+ * Controls how the outgoing JSON body is structured when delivering a
+ * webhook. The `Generic` variant preserves backward compatibility with the
+ * original flat JSON format.
+ */
+export type PayloadTemplate = 'generic' | 'slack' | 'microsoft_teams' | 'discord' | 'mattermost';
+
 export type PeerInstanceListResponse = {
     items: Array<PeerInstanceResponse>;
     total: number;
@@ -2120,6 +2636,23 @@ export type PermissionRow = {
     updated_at: string;
 };
 
+/**
+ * Fine-grained permissions enforcement status.
+ */
+export type PermissionsConfig = {
+    /**
+     * Whether those rules are actively enforced on API requests.
+     * The permission-check middleware and handler guards are wired in,
+     * so this is `true` when the server is running.
+     */
+    enforcement_enabled: boolean;
+    /**
+     * Whether the permissions table (from migration 018) has any rows.
+     * When true, an administrator has configured permission rules.
+     */
+    rules_exist: boolean;
+};
+
 export type PluginConfigResponse = {
     config: {
         [key: string]: unknown;
@@ -2163,7 +2696,27 @@ export type PluginResponse = {
 };
 
 /**
- * Plugin status
+ * Plugin signature-verification (supply-chain) policy status.
+ *
+ * Exposes only booleans — never the trusted key material itself — so frontends
+ * and operators can see whether unsigned plugin installs are rejected and
+ * whether a trusted publisher key has been provisioned.
+ */
+export type PluginSigningConfig = {
+    /**
+     * Whether a valid signature is required to install a WASM plugin.
+     */
+    required: boolean;
+    /**
+     * Whether an operator trusted public key has been configured. When
+     * `required` is true but this is false, every install is rejected
+     * (fail-closed).
+     */
+    trusted_key_configured: boolean;
+};
+
+/**
+ * Plugin status
  */
 export type PluginStatus = 'active' | 'disabled' | 'error';
 
@@ -2259,7 +2812,11 @@ export type ProbeBody = {
 export type PromoteArtifactRequest = {
     notes?: string | null;
     skip_policy_check?: boolean;
-    target_repository: string;
+    /**
+     * Target release repository key. When omitted, the staging repository's
+     * linked release target (from `repository_config`) is used instead.
+     */
+    target_repository?: string | null;
 };
 
 export type PromotionHistoryEntry = {
@@ -2322,6 +2879,50 @@ export type PromotionRuleResponse = {
     updated_at: string;
 };
 
+/**
+ * Body for declaring that a locally-owned PyPI project tracks an upstream one.
+ */
+export type PypiTrackRequest = {
+    /**
+     * Upstream Simple index project URL this local project tracks, e.g.
+     * `https://pypi.org/simple/acme-sdk/`. Recorded and emitted as the PEP 708
+     * `tracks` value.
+     */
+    tracks_url: string;
+};
+
+/**
+ * A single PEP 708 `tracks` declaration.
+ */
+export type PypiTrackResponse = {
+    /**
+     * PEP 503 normalized project name.
+     */
+    normalized_name: string;
+    repository_key: string;
+    tracks_url: string;
+};
+
+/**
+ * All `tracks` declarations on a repository.
+ */
+export type PypiTracksListResponse = {
+    items: Array<PypiTrackResponse>;
+};
+
+export type QuarantineActionResponse = {
+    artifact_id: string;
+    message: string;
+    new_status: string;
+};
+
+export type QuarantineStatusResponse = {
+    artifact_id: string;
+    is_blocked: boolean;
+    quarantine_status?: string | null;
+    quarantine_until?: string | null;
+};
+
 export type QuickSearchResponse = {
     results: Array<SearchResultItem>;
 };
@@ -2373,6 +2974,13 @@ export type RejectArtifactRequest = {
     reason: string;
 };
 
+export type RejectRequest = {
+    /**
+     * Optional reason for rejection.
+     */
+    reason?: string | null;
+};
+
 export type RejectionResponse = {
     artifact_id: string;
     reason: string;
@@ -2381,6 +2989,21 @@ export type RejectionResponse = {
     source: string;
 };
 
+export type ReleaseTargetResponse = {
+    /**
+     * Whether this staging repository has a linked release target.
+     */
+    linked: boolean;
+    /**
+     * The release repository ID, if linked.
+     */
+    release_repository_id?: string | null;
+    /**
+     * The release repository key, if linked.
+     */
+    release_repository_key?: string | null;
+};
+
 export type RemoteInstanceResponse = {
     created_at: string;
     id: string;
@@ -2417,6 +3040,30 @@ export type RepoSelectorSchema = {
     match_repos?: Array<string>;
 };
 
+/**
+ * List of tokens configured on a repository.
+ */
+export type RepoTokenListResponse = {
+    items: Array<RepoTokenResponse>;
+};
+
+/**
+ * Summary of a repository-scoped token.
+ */
+export type RepoTokenResponse = {
+    created_at: string;
+    created_by?: string | null;
+    description?: string | null;
+    expires_at?: string | null;
+    id: string;
+    is_expired: boolean;
+    is_revoked: boolean;
+    last_used_at?: string | null;
+    name: string;
+    scopes: Array<string>;
+    token_prefix: string;
+};
+
 export type RepositoryAssessment = {
     artifact_count: number;
     compatibility: string;
@@ -2433,6 +3080,12 @@ export type RepositoryListResponse = {
 };
 
 export type RepositoryResponse = {
+    /**
+     * Whether anonymous (unauthenticated) downloads are allowed. This is
+     * always equal to `is_public` and provided as a convenience alias so
+     * the semantics are clear for remote (pull-through cache) repositories.
+     */
+    allow_anonymous_access: boolean;
     created_at: string;
     description?: string | null;
     format: string;
@@ -2440,6 +3093,21 @@ export type RepositoryResponse = {
     is_public: boolean;
     key: string;
     name: string;
+    /**
+     * When true, direct user uploads are rejected; artifacts must be promoted.
+     */
+    promotion_only: boolean;
+    /**
+     * Configured quarantine hold duration in minutes, read back from
+     * `repository_config` (#1770 B). `None` when unset.
+     */
+    quarantine_duration_minutes?: number | null;
+    /**
+     * Whether the Package Age / quarantine policy is enabled for this
+     * repository, read back from `repository_config` (#1770 B). `None` when
+     * the repository has no explicit setting (the global default applies).
+     */
+    quarantine_enabled?: boolean | null;
     quota_bytes?: number | null;
     repo_type: string;
     storage_used_bytes: number;
@@ -2490,6 +3158,30 @@ export type RepositoryStorageBreakdown = {
     storage_bytes: number;
 };
 
+export type RescanForInventoryRequest = {
+    /**
+     * Maximum number of artifacts to enqueue in this call. Operators
+     * run the endpoint repeatedly to drain large backfills without
+     * stalling a single HTTP worker; the handler returns the actual
+     * number enqueued so the caller can detect when work is done.
+     * Defaults to 100. Hard-capped at 1000 to avoid pathological inputs.
+     */
+    limit?: number | null;
+};
+
+export type RescanForInventoryResponse = {
+    /**
+     * Number of artifacts whose latest scan had no inventory rows and
+     * for which a rescan was enqueued in this call.
+     */
+    artifacts_enqueued: number;
+    /**
+     * Echo of the requested (or defaulted) limit, useful for clients
+     * driving the loop programmatically.
+     */
+    limit: number;
+};
+
 /**
  * Response for password reset
  */
@@ -2527,6 +3219,43 @@ export type RoleResponse = {
     permissions: Array<string>;
 };
 
+/**
+ * Response returned by the rotate-secret endpoint.
+ */
+export type RotateWebhookSecretResponse = {
+    id: string;
+    /**
+     * When the previously active secret stops being accepted.
+     */
+    previous_secret_expires_at: string;
+    /**
+     * Raw signing secret produced by this rotation. Shown exactly once.
+     */
+    secret: string;
+    secret_digest: string;
+};
+
+/**
+ * A single routing rule that maps an incoming path to a rewritten path.
+ */
+export type RoutingRule = {
+    /**
+     * Regex pattern matched against the full request path.
+     * Use capture groups to extract portions for the rewrite template.
+     */
+    path_pattern: string;
+    /**
+     * Rewrite template. Use `$1`, `$2`, etc. to reference captured groups
+     * from `path_pattern`.
+     */
+    rewrite_to: string;
+};
+
+export type RoutingRulesResponse = {
+    repository_key: string;
+    rules: Array<RoutingRule>;
+};
+
 export type RuleEvaluationResponse = {
     passed: boolean;
     rule_id: string;
@@ -2549,6 +3278,14 @@ export type RuleResponse = {
     version_constraint: string;
 };
 
+/**
+ * Result of `POST /:id/repositories/:repo_id/sync` (run-now trigger).
+ */
+export type RunNowResponse = {
+    status: string;
+    tasks_queued: number;
+};
+
 export type SamlAcsForm = {
     RelayState?: string | null;
     SAMLResponse: string;
@@ -2627,15 +3364,47 @@ export type ScanResponse = {
     high_count: number;
     id: string;
     info_count: number;
+    /**
+     * True when the row was synthesized by the dedup path (`copy_scan_results`)
+     * because a prior scan with the same `(checksum_sha256, scan_type)` pair
+     * already existed within the dedup TTL. No scanner was actually invoked
+     * for this row; counts and findings were copied from `source_scan_id`.
+     */
+    is_reused: boolean;
     low_count: number;
     medium_count: number;
     repository_id: string;
     scan_type: string;
     scanner_version?: string | null;
+    /**
+     * When `is_reused` is true, the `id` of the source scan whose results
+     * were copied. Useful for distinguishing "fresh scan" from "deduped
+     * satisfaction" in release-gate provenance checks. None for original
+     * (non-reused) scans.
+     */
+    source_scan_id?: string | null;
     started_at?: string | null;
     status: string;
 };
 
+/**
+ * Scanner availability flags.
+ */
+export type ScannersConfig = {
+    /**
+     * Whether the Dependency-Track integration is configured.
+     */
+    dependency_track_enabled: boolean;
+    /**
+     * Whether the OpenSCAP compliance scanner is configured.
+     */
+    openscap_enabled: boolean;
+    /**
+     * Whether the Trivy vulnerability scanner is configured.
+     */
+    trivy_enabled: boolean;
+};
+
 export type ScoreResponse = {
     acknowledged_count: number;
     calculated_at: string;
@@ -2740,6 +3509,22 @@ export type SetPeerLabelsRequest = {
     labels: Array<PeerLabelEntrySchema>;
 };
 
+export type SetReleaseTargetRequest = {
+    /**
+     * Repository key of the release (local) repository to link.
+     * Pass `null` or omit to remove the link.
+     */
+    release_repository_key?: string | null;
+};
+
+export type SetRoutingRulesRequest = {
+    /**
+     * Ordered list of routing rules. Each rule specifies a regex pattern and
+     * a rewrite template. Rules are evaluated in order during proxy requests.
+     */
+    rules: Array<RoutingRule>;
+};
+
 /**
  * Response body for the setup status endpoint.
  */
@@ -2779,6 +3564,33 @@ export type SigningKeyPublic = {
     uid_name?: string | null;
 };
 
+/**
+ * Request body for the SMTP test endpoint.
+ */
+export type SmtpTestRequest = {
+    /**
+     * Recipient email address for the test message.
+     *
+     * Accepts `recipient` as an alias for backward compatibility with Web UI
+     * versions <= 1.1.3, which send `{"recipient": "..."}`.
+     */
+    to: string;
+};
+
+/**
+ * Response from the SMTP test endpoint.
+ */
+export type SmtpTestResponse = {
+    /**
+     * Human-readable status message.
+     */
+    message: string;
+    /**
+     * Whether the test email was sent successfully.
+     */
+    success: boolean;
+};
+
 export type SourceConnectionRow = {
     auth_type: string;
     created_at: string;
@@ -2881,6 +3693,23 @@ export type SubmitResponse = {
     marked_submitted: number;
 };
 
+/**
+ * Detailed subscription view (mode, schedule, filter) for a single (peer, repo) pair.
+ */
+export type SubscriptionResponse = {
+    created_at: string;
+    id: string;
+    last_replicated_at?: string | null;
+    peer_instance_id: string;
+    replication_filter: {
+        [key: string]: unknown;
+    };
+    replication_mode?: string | null;
+    replication_schedule?: string | null;
+    repository_id: string;
+    sync_enabled: boolean;
+};
+
 export type SuggestResponse = {
     suggestions: Array<string>;
 };
@@ -2906,6 +3735,12 @@ export type SyncPolicyResponse = {
     created_at: string;
     description: string;
     enabled: boolean;
+    /**
+     * Convenience glob filter, mirrored from `artifact_filter.include_paths`.
+     * Round-trips the single-pattern shorthand accepted on create
+     * (e.g. `"*.tar.gz"`). Empty when no include pattern is set.
+     */
+    filter: string;
     id: string;
     name: string;
     peer_selector: {
@@ -2923,11 +3758,82 @@ export type SyncPolicyResponse = {
 export type SyncTaskResponse = {
     artifact_id: string;
     artifact_size: number;
+    /**
+     * When the task was enqueued. Lets clients tell a freshly-scheduled task
+     * apart from a stale queue entry (used by the replication-schedule check).
+     * Serialized as whole-second RFC3339 with a `Z` suffix
+     * (e.g. `2026-05-29T12:34:56Z`) so simple ISO8601 parsers can consume it.
+     */
+    created_at: string;
     id: string;
     priority: number;
+    /**
+     * When the worker began transferring, if it has started. Same format as
+     * `created_at`.
+     */
+    started_at?: string | null;
+    /**
+     * Task status (e.g. "pending"). Listing currently returns pending tasks.
+     */
+    status: string;
     storage_key: string;
 };
 
+/**
+ * Public runtime configuration values.
+ *
+ * This response intentionally omits all secrets, credentials, and internal
+ * connection strings. Only values useful for UI/client behavior are included.
+ */
+export type SystemConfigResponse = {
+    /**
+     * Authentication provider availability.
+     */
+    auth: AuthConfig;
+    /**
+     * Whether the instance is running in demo mode (writes blocked).
+     */
+    demo_mode: boolean;
+    /**
+     * Whether anonymous (unauthenticated) access is permitted at all (issue #850).
+     * When `false`, the server rejects all unauthenticated requests except for
+     * the login, setup, health, and OCI challenge endpoints. Frontends should
+     * hide UI affordances that imply public access (e.g. the "public repo"
+     * toggle) and redirect unauthenticated users to the login page.
+     */
+    guest_access_enabled: boolean;
+    /**
+     * Maximum upload size in bytes (0 means no limit).
+     */
+    max_upload_size_bytes: number;
+    /**
+     * OIDC issuer URL, if configured. This is public information needed by
+     * clients to initiate the OIDC flow.
+     */
+    oidc_issuer?: string | null;
+    /**
+     * Fine-grained permissions enforcement status. Permission rules can be
+     * managed via /api/v1/permissions and are actively enforced.
+     */
+    permissions: PermissionsConfig;
+    /**
+     * Plugin signature-verification (supply-chain) policy status.
+     */
+    plugin_signing: PluginSigningConfig;
+    /**
+     * Scanner availability.
+     */
+    scanners: ScannersConfig;
+    /**
+     * Search engine type: "opensearch" when configured, "database" otherwise.
+     */
+    search_engine: string;
+    /**
+     * Storage backend type (e.g. "filesystem", "s3", "gcs", "azure").
+     */
+    storage_backend: string;
+};
+
 export type SystemSettings = {
     allow_anonymous_download: boolean;
     audit_retention_days: number;
@@ -3115,12 +4021,45 @@ export type TriggerChecksResponse = {
 
 export type TriggerScanRequest = {
     artifact_id?: string | null;
+    /**
+     * Skip the hash-based scan dedup short-circuit when running this scan.
+     *
+     * Defaults to `false`. Normal trigger calls dedup against prior
+     * completed scans for the same checksum + scan_type so a freshly
+     * uploaded byte-identical artifact reuses the existing result instead
+     * of re-running the scanner. When `true`, that dedup is skipped: the
+     * scanner runs against the bytes again and writes a fresh
+     * `scan_results` row. Use this to recover from a silently-broken
+     * prior scan (e.g. an extraction bug producing a completed,
+     * zero-finding row that masks the real findings until the dedup TTL
+     * expires; see #1469). Costs an extra scan run, so leave it unset
+     * for routine trigger calls.
+     *
+     * **Admin only.** Setting this to `true` bypasses the dedup short-
+     * circuit and fans out unbounded scanner work per artifact. The
+     * `trigger_scan` handler rejects this field with 403 for non-admin
+     * callers, since a non-admin force-rescan path would be a DoS
+     * amplifier (the pre-existing `force=true` was naturally rate-limited
+     * by dedup; `bypass_dedup` removes that safety).
+     */
+    bypass_dedup?: boolean | null;
     repository_id?: string | null;
 };
 
 export type TriggerScanResponse = {
     artifacts_queued: number;
     message: string;
+    /**
+     * Scan result IDs created (one per active scanner) when triggering an
+     * artifact-level scan. Empty for repository-level scans (where the
+     * per-artifact rows are created inside the spawned worker) and for
+     * artifact-level triggers when no scanners are configured.
+     *
+     * Clients (and the release-gate test in artifact-keeper-test#58) should
+     * poll `GET /api/v1/security/scans/{id}` against these IDs rather than
+     * guessing the most-recent scan from `GET /artifacts/{id}/scans`.
+     */
+    scan_result_ids?: Array<string>;
 };
 
 /**
@@ -3192,15 +4131,29 @@ export type UpdateLdapConfigRequest = {
 };
 
 export type UpdateOidcConfigRequest = {
+    /**
+     * Partial update for `attribute_mapping`. Keys present in this object
+     * overwrite the matching keys in the stored mapping. Keys not present
+     * are preserved. To remove a key, set it to `null`. To replace the
+     * whole mapping atomically, set `attribute_mapping_replace = true`.
+     * (See issue #1191.)
+     */
     attribute_mapping?: {
         [key: string]: unknown;
     } | null;
+    /**
+     * When `true`, treat `attribute_mapping` as a wholesale replacement
+     * (legacy behavior). Defaults to `false` — partial merge.
+     */
+    attribute_mapping_replace?: boolean | null;
     auto_create_users?: boolean | null;
     client_id?: string | null;
     client_secret?: string | null;
     is_enabled?: boolean | null;
     issuer_url?: string | null;
+    map_groups_to_groups?: boolean | null;
     name?: string | null;
+    pkce_enabled?: boolean | null;
     scopes?: Array<string> | null;
 };
 
@@ -3210,18 +4163,45 @@ export type UpdatePluginConfigRequest = {
     };
 };
 
+/**
+ * Partial-update payload for `PUT /security/policies/{id}`.
+ *
+ * Every field is `Option<T>` so clients can send any subset of mutable
+ * columns; omitted fields leave the existing row value untouched. The
+ * previous shape required all of `name`, `max_severity`, `block_unscanned`,
+ * `block_on_fail`, `is_enabled` on every call. That was incompatible with
+ * the release-gate `scan-policy-crud` test (and external callers) which
+ * PATCH a subset like `{max_severity, is_enabled}`; under the strict shape
+ * the request was rejected as a 422 and the boolean toggle silently never
+ * took effect on a follow-up GET. See #1374.
+ *
+ * For `min_staging_hours` / `max_artifact_age_days` the field is the inner
+ * nullable `i32`; "not provided" leaves the column untouched. Explicit
+ * `null` to clear those columns is not currently supported; the release
+ * gate only mutates the bool/enum fields, so the narrower semantics are
+ * sufficient and we avoid an ambiguous JSON contract.
+ */
 export type UpdatePolicyRequest = {
-    block_on_fail: boolean;
-    block_unscanned: boolean;
-    is_enabled: boolean;
+    block_on_fail?: boolean | null;
+    block_unscanned?: boolean | null;
+    is_enabled?: boolean | null;
     max_artifact_age_days?: number | null;
-    max_severity: string;
+    max_severity?: string | null;
     min_staging_hours?: number | null;
-    name: string;
-    require_signature?: boolean;
+    name?: string | null;
+    require_signature?: boolean | null;
 };
 
 export type UpdateRepositoryRequest = {
+    /**
+     * Alias for `is_public`. When set to true, anonymous users can download
+     * artifacts without authentication. Useful for remote (pull-through cache)
+     * repositories that proxy public upstream registries. Write operations
+     * (upload, delete) still require authentication regardless of this setting.
+     * If both `is_public` and `allow_anonymous_access` are provided,
+     * `allow_anonymous_access` takes precedence.
+     */
+    allow_anonymous_access?: boolean | null;
     description?: string | null;
     /**
      * Update the Cargo index upstream URL (stored in `repository_config`).
@@ -3231,7 +4211,31 @@ export type UpdateRepositoryRequest = {
     is_public?: boolean | null;
     key?: string | null;
     name?: string | null;
+    /**
+     * When provided, enables/disables the `promotion_only` policy for this
+     * repository (admin-only). When omitted, the flag is left unchanged.
+     */
+    promotion_only?: boolean | null;
+    /**
+     * Quarantine hold duration in minutes for this repository.
+     * Stored in `repository_config` under `quarantine_duration_minutes`.
+     */
+    quarantine_duration_minutes?: number | null;
+    /**
+     * Enable or disable quarantine period for this repository.
+     * When enabled, newly uploaded artifacts are held until scanned.
+     * Stored in `repository_config` under `quarantine_enabled`.
+     */
+    quarantine_enabled?: boolean | null;
     quota_bytes?: number | null;
+    /**
+     * Link this staging repository to a release (local) repository.
+     * Promotions from this staging repo will default to the linked release repo,
+     * and promotions to any other repo will be rejected.
+     * Pass an empty string to remove the link.
+     * Stored in `repository_config` under `release_repository_id`.
+     */
+    release_repository_key?: string | null;
 };
 
 export type UpdateRuleRequest = {
@@ -3317,13 +4321,25 @@ export type UpsertLicensePolicyRequest = {
 
 /**
  * Request to create or update a scan configuration.
+ *
+ * Every field is optional so a `PUT /repositories/{key}/security` can carry
+ * any subset of mutable columns; fields the client omits keep their existing
+ * value (or fall back to the documented default when the row does not exist
+ * yet). The previous shape required all of `scan_enabled`, `scan_on_upload`,
+ * `scan_on_proxy`, `block_on_policy_violation`, `severity_threshold` on every
+ * call. That was the #1374 bug class on a second entity: a partial PUT (for
+ * example just `{scan_enabled: true}`) either bounced as a 422 or, worse,
+ * silently reset every other column to its default so a follow-up GET showed
+ * the untouched fields stale. The upsert is now a read-modify-write that
+ * merges the patch over the existing row, so multiple fields persist together
+ * and an omitted field is never clobbered. See #1374 / B11.
  */
 export type UpsertScanConfigRequest = {
-    block_on_policy_violation: boolean;
-    scan_enabled: boolean;
-    scan_on_proxy: boolean;
-    scan_on_upload: boolean;
-    severity_threshold: string;
+    block_on_policy_violation?: boolean | null;
+    scan_enabled?: boolean | null;
+    scan_on_proxy?: boolean | null;
+    scan_on_upload?: boolean | null;
+    severity_threshold?: string | null;
 };
 
 export type UpstreamAuthRequest = {
@@ -3414,6 +4430,12 @@ export type WebhookListResponse = {
 
 export type WebhookResponse = {
     created_at: string;
+    /**
+     * Pinned event payload version (e.g. "2026-04-01"). Determines the
+     * shape of the rendered payload and the value sent in the
+     * `X-ArtifactKeeper-Event-Version` header.
+     */
+    event_schema_version: string;
     events: Array<string>;
     headers?: {
         [key: string]: unknown;
@@ -3422,10 +4444,42 @@ export type WebhookResponse = {
     is_enabled: boolean;
     last_triggered_at?: string | null;
     name: string;
+    payload_template: PayloadTemplate;
     repository_id?: string | null;
+    /**
+     * Short non-reversible identifier for the current signing secret
+     * (`whsec_...abcd`), suitable for display in operator UIs. The raw
+     * secret is never returned by GET or LIST.
+     */
+    secret_digest?: string | null;
+    /**
+     * True while a previous secret is still accepted by the retry path
+     * during a rotation overlap window.
+     */
+    secret_rotation_active?: boolean;
     url: string;
 };
 
+/**
+ * Response returned exactly once when a webhook is created or its secret
+ * is rotated. The raw `secret` value is not retrievable afterwards.
+ */
+export type WebhookSecretCreatedResponse = WebhookResponse & {
+    /**
+     * Raw signing secret. Display this to the operator immediately and
+     * instruct them to record it; the server retains only the encrypted
+     * form and a short digest.
+     *
+     * Absent when the webhook was created without a signing secret. This
+     * happens when no secret was supplied and the deployment has no
+     * `AK_WEBHOOK_SECRET_KEY` configured: rather than fail the create with
+     * a 500, the webhook is stored unsigned and deliveries omit the
+     * signature header. Configure the key and rotate the secret later to
+     * enable signing.
+     */
+    secret?: string | null;
+};
+
 export type GetStaleArtifactsData = {
     body?: never;
     path?: never;
@@ -3688,6 +4742,10 @@ export type CancelBackupErrors = {
      * Backup not found
      */
     404: unknown;
+    /**
+     * Backup is not in a cancellable state
+     */
+    409: unknown;
     /**
      * Internal server error
      */
@@ -4047,16 +5105,46 @@ export type TriggerReindexResponses = {
 
 export type TriggerReindexResponse = TriggerReindexResponses[keyof TriggerReindexResponses];
 
-export type TriggerSearchReindexData = {
-    body?: never;
-    path?: never;
+export type RescanForInventoryData = {
+    /**
+     * Optional; empty body uses defaults
+     */
+    body: RescanForInventoryRequest;
+    path?: never;
+    query?: never;
+    url: '/api/v1/admin/rescan-for-inventory';
+};
+
+export type RescanForInventoryErrors = {
+    /**
+     * Admin privileges required
+     */
+    403: unknown;
+    /**
+     * Scanner service not configured
+     */
+    503: unknown;
+};
+
+export type RescanForInventoryResponses = {
+    /**
+     * Rescans enqueued
+     */
+    200: RescanForInventoryResponse;
+};
+
+export type RescanForInventoryResponse2 = RescanForInventoryResponses[keyof RescanForInventoryResponses];
+
+export type TriggerSearchReindexData = {
+    body?: never;
+    path?: never;
     query?: never;
     url: '/api/v1/admin/search/reindex';
 };
 
 export type TriggerSearchReindexErrors = {
     /**
-     * Meilisearch is not configured
+     * Search engine is not configured
      */
     500: unknown;
 };
@@ -4116,6 +5204,37 @@ export type UpdateSettingsResponses = {
 
 export type UpdateSettingsResponse = UpdateSettingsResponses[keyof UpdateSettingsResponses];
 
+export type SendTestEmailData = {
+    body: SmtpTestRequest;
+    path?: never;
+    query?: never;
+    url: '/api/v1/admin/smtp/test';
+};
+
+export type SendTestEmailErrors = {
+    /**
+     * Invalid request (e.g. bad email address)
+     */
+    400: unknown;
+    /**
+     * Admin privileges required
+     */
+    403: unknown;
+    /**
+     * SMTP not configured
+     */
+    503: unknown;
+};
+
+export type SendTestEmailResponses = {
+    /**
+     * Test email sent successfully
+     */
+    200: SmtpTestResponse;
+};
+
+export type SendTestEmailResponse = SendTestEmailResponses[keyof SendTestEmailResponses];
+
 export type ListLdapData = {
     body?: never;
     path?: never;
@@ -4783,6 +5902,28 @@ export type RunStorageGcResponses = {
 
 export type RunStorageGcResponse = RunStorageGcResponses[keyof RunStorageGcResponses];
 
+export type OciBlobReportData = {
+    body?: never;
+    path?: never;
+    query?: {
+        /**
+         * Grace window in hours used to compute the `aged_*` figures. Defaults
+         * to 24h; non-positive or out-of-range values are clamped server-side.
+         */
+        grace_hours?: number | null;
+    };
+    url: '/api/v1/admin/storage-gc/oci-blob-report';
+};
+
+export type OciBlobReportResponses = {
+    /**
+     * OCI blob footprint report
+     */
+    200: OciBlobFootprintReport;
+};
+
+export type OciBlobReportResponse = OciBlobReportResponses[keyof OciBlobReportResponses];
+
 export type ListCrashesData = {
     body?: never;
     path?: never;
@@ -5343,7 +6484,7 @@ export type LoginResponses = {
 export type LoginResponse2 = LoginResponses[keyof LoginResponses];
 
 export type LogoutData = {
-    body?: never;
+    body?: RefreshTokenRequest;
     path?: never;
     query?: never;
     url: '/api/v1/auth/logout';
@@ -5475,9 +6616,12 @@ export type OidcCallbackData = {
          */
         id: string;
     };
-    query: {
-        code: string;
-        state: string;
+    query?: {
+        code?: string | null;
+        state?: string | null;
+        error?: string | null;
+        error_description?: string | null;
+        error_uri?: string | null;
     };
     url: '/api/v1/auth/sso/oidc/{id}/callback';
 };
@@ -5487,6 +6631,10 @@ export type OidcCallbackErrors = {
      * Invalid callback parameters
      */
     400: ErrorResponse;
+    /**
+     * IdP error or invalid/expired SSO state
+     */
+    401: ErrorResponse;
 };
 
 export type OidcCallbackError = OidcCallbackErrors[keyof OidcCallbackErrors];
@@ -5578,6 +6726,10 @@ export type CreateDownloadTicketData = {
 };
 
 export type CreateDownloadTicketErrors = {
+    /**
+     * Invalid resource_path
+     */
+    400: ErrorResponse;
     /**
      * Not authenticated
      */
@@ -6430,6 +7582,10 @@ export type ListGroupsData = {
 };
 
 export type ListGroupsErrors = {
+    /**
+     * Authentication required
+     */
+    401: unknown;
     /**
      * Internal server error
      */
@@ -6453,6 +7609,14 @@ export type CreateGroupData = {
 };
 
 export type CreateGroupErrors = {
+    /**
+     * Authentication required
+     */
+    401: unknown;
+    /**
+     * Insufficient permissions
+     */
+    403: unknown;
     /**
      * Group name already exists
      */
@@ -6485,6 +7649,14 @@ export type DeleteGroupData = {
 };
 
 export type DeleteGroupErrors = {
+    /**
+     * Authentication required
+     */
+    401: unknown;
+    /**
+     * Insufficient permissions
+     */
+    403: unknown;
     /**
      * Group not found
      */
@@ -6510,11 +7682,24 @@ export type GetGroupData = {
          */
         id: string;
     };
-    query?: never;
+    query?: {
+        /**
+         * Maximum number of members to return (default: 50, max: 200)
+         */
+        member_limit?: number | null;
+        /**
+         * Number of members to skip for pagination (default: 0)
+         */
+        member_offset?: number | null;
+    };
     url: '/api/v1/groups/{id}';
 };
 
 export type GetGroupErrors = {
+    /**
+     * Authentication required
+     */
+    401: unknown;
     /**
      * Group not found
      */
@@ -6527,9 +7712,9 @@ export type GetGroupErrors = {
 
 export type GetGroupResponses = {
     /**
-     * Group details
+     * Group details with paginated members
      */
-    200: GroupResponse;
+    200: GroupDetailResponse;
 };
 
 export type GetGroupResponse = GetGroupResponses[keyof GetGroupResponses];
@@ -6547,6 +7732,14 @@ export type UpdateGroupData = {
 };
 
 export type UpdateGroupErrors = {
+    /**
+     * Authentication required
+     */
+    401: unknown;
+    /**
+     * Insufficient permissions
+     */
+    403: unknown;
     /**
      * Group not found
      */
@@ -6579,6 +7772,14 @@ export type RemoveMembersData = {
 };
 
 export type RemoveMembersErrors = {
+    /**
+     * Authentication required
+     */
+    401: unknown;
+    /**
+     * Insufficient permissions
+     */
+    403: unknown;
     /**
      * Group not found
      */
@@ -6609,6 +7810,14 @@ export type AddMembersData = {
 };
 
 export type AddMembersErrors = {
+    /**
+     * Authentication required
+     */
+    401: unknown;
+    /**
+     * Insufficient permissions
+     */
+    403: unknown;
     /**
      * Group not found
      */
@@ -8076,6 +9285,78 @@ export type UnassignRepoResponses = {
     200: unknown;
 };
 
+export type GetSubscriptionData = {
+    body?: never;
+    path: {
+        /**
+         * Peer instance ID
+         */
+        id: string;
+        /**
+         * Repository ID
+         */
+        repo_id: string;
+    };
+    query?: never;
+    url: '/api/v1/peers/{id}/repositories/{repo_id}';
+};
+
+export type GetSubscriptionErrors = {
+    /**
+     * Subscription not found
+     */
+    404: unknown;
+    /**
+     * Internal server error
+     */
+    500: unknown;
+};
+
+export type GetSubscriptionResponses = {
+    /**
+     * Subscription details
+     */
+    200: SubscriptionResponse;
+};
+
+export type GetSubscriptionResponse = GetSubscriptionResponses[keyof GetSubscriptionResponses];
+
+export type RunSubscriptionNowData = {
+    body?: never;
+    path: {
+        /**
+         * Peer instance ID
+         */
+        id: string;
+        /**
+         * Repository ID
+         */
+        repo_id: string;
+    };
+    query?: never;
+    url: '/api/v1/peers/{id}/repositories/{repo_id}/sync';
+};
+
+export type RunSubscriptionNowErrors = {
+    /**
+     * Subscription not found
+     */
+    404: unknown;
+    /**
+     * Internal server error
+     */
+    500: unknown;
+};
+
+export type RunSubscriptionNowResponses = {
+    /**
+     * Sync tasks queued
+     */
+    202: RunNowResponse;
+};
+
+export type RunSubscriptionNowResponse = RunSubscriptionNowResponses[keyof RunSubscriptionNowResponses];
+
 export type TriggerSyncData = {
     body?: never;
     path: {
@@ -9145,6 +10426,74 @@ export type PromotionHistoryResponses = {
 
 export type PromotionHistoryResponse2 = PromotionHistoryResponses[keyof PromotionHistoryResponses];
 
+export type GetReleaseTargetData = {
+    body?: never;
+    path: {
+        /**
+         * Staging repository key
+         */
+        key: string;
+    };
+    query?: never;
+    url: '/api/v1/promotion/repositories/{key}/release-target';
+};
+
+export type GetReleaseTargetErrors = {
+    /**
+     * Repository not found
+     */
+    404: ErrorResponse;
+    /**
+     * Repository is not a staging repository
+     */
+    422: ErrorResponse;
+};
+
+export type GetReleaseTargetError = GetReleaseTargetErrors[keyof GetReleaseTargetErrors];
+
+export type GetReleaseTargetResponses = {
+    /**
+     * Release target information
+     */
+    200: ReleaseTargetResponse;
+};
+
+export type GetReleaseTargetResponse = GetReleaseTargetResponses[keyof GetReleaseTargetResponses];
+
+export type SetReleaseTargetData = {
+    body: SetReleaseTargetRequest;
+    path: {
+        /**
+         * Staging repository key
+         */
+        key: string;
+    };
+    query?: never;
+    url: '/api/v1/promotion/repositories/{key}/release-target';
+};
+
+export type SetReleaseTargetErrors = {
+    /**
+     * Repository not found
+     */
+    404: ErrorResponse;
+    /**
+     * Validation error
+     */
+    422: ErrorResponse;
+};
+
+export type SetReleaseTargetError = SetReleaseTargetErrors[keyof SetReleaseTargetErrors];
+
+export type SetReleaseTargetResponses = {
+    /**
+     * Release target updated
+     */
+    200: ReleaseTargetResponse;
+};
+
+export type SetReleaseTargetResponse = SetReleaseTargetResponses[keyof SetReleaseTargetResponses];
+
 export type ListChecksData = {
     body?: never;
     path?: never;
@@ -9550,47 +10899,163 @@ export type SuppressIssueResponses = {
 
 export type SuppressIssueResponse = SuppressIssueResponses[keyof SuppressIssueResponses];
 
-export type ListRepositoriesData = {
+export type GetQuarantineStatusData = {
     body?: never;
-    path?: never;
-    query?: {
-        page?: number | null;
-        per_page?: number | null;
-        format?: string | null;
-        type?: string | null;
-        q?: string | null;
+    path: {
+        /**
+         * Artifact ID
+         */
+        artifact_id: string;
     };
-    url: '/api/v1/repositories';
-};
-
-export type ListRepositoriesResponses = {
-    /**
-     * List of repositories
-     */
-    200: RepositoryListResponse;
-};
-
-export type ListRepositoriesResponse = ListRepositoriesResponses[keyof ListRepositoriesResponses];
-
-export type CreateRepositoryData = {
-    body: CreateRepositoryRequest;
-    path?: never;
     query?: never;
-    url: '/api/v1/repositories';
+    url: '/api/v1/quarantine/{artifact_id}';
 };
 
-export type CreateRepositoryErrors = {
+export type GetQuarantineStatusErrors = {
     /**
      * Authentication required
      */
     401: unknown;
     /**
-     * Repository key already exists
+     * Artifact not found
      */
-    409: unknown;
+    404: unknown;
 };
 
-export type CreateRepositoryResponses = {
+export type GetQuarantineStatusResponses = {
+    /**
+     * Quarantine status
+     */
+    200: QuarantineStatusResponse;
+};
+
+export type GetQuarantineStatusResponse = GetQuarantineStatusResponses[keyof GetQuarantineStatusResponses];
+
+export type RejectQuarantinedArtifactData = {
+    body: RejectRequest;
+    path: {
+        /**
+         * Artifact ID
+         */
+        artifact_id: string;
+    };
+    query?: never;
+    url: '/api/v1/quarantine/{artifact_id}/reject';
+};
+
+export type RejectQuarantinedArtifactErrors = {
+    /**
+     * Authentication required
+     */
+    401: unknown;
+    /**
+     * Admin access required
+     */
+    403: unknown;
+    /**
+     * Artifact not found
+     */
+    404: unknown;
+    /**
+     * Artifact is not in quarantined state
+     */
+    409: unknown;
+};
+
+export type RejectQuarantinedArtifactResponses = {
+    /**
+     * Artifact rejected
+     */
+    200: QuarantineActionResponse;
+};
+
+export type RejectQuarantinedArtifactResponse = RejectQuarantinedArtifactResponses[keyof RejectQuarantinedArtifactResponses];
+
+export type ReleaseArtifactData = {
+    body?: never;
+    path: {
+        /**
+         * Artifact ID
+         */
+        artifact_id: string;
+    };
+    query?: never;
+    url: '/api/v1/quarantine/{artifact_id}/release';
+};
+
+export type ReleaseArtifactErrors = {
+    /**
+     * Authentication required
+     */
+    401: unknown;
+    /**
+     * Admin access required
+     */
+    403: unknown;
+    /**
+     * Artifact not found
+     */
+    404: unknown;
+    /**
+     * Artifact is not in quarantined state
+     */
+    409: unknown;
+};
+
+export type ReleaseArtifactResponses = {
+    /**
+     * Artifact released
+     */
+    200: QuarantineActionResponse;
+};
+
+export type ReleaseArtifactResponse = ReleaseArtifactResponses[keyof ReleaseArtifactResponses];
+
+export type ListRepositoriesData = {
+    body?: never;
+    path?: never;
+    query?: {
+        page?: number | null;
+        per_page?: number | null;
+        format?: string | null;
+        type?: string | null;
+        q?: string | null;
+    };
+    url: '/api/v1/repositories';
+};
+
+export type ListRepositoriesResponses = {
+    /**
+     * List of repositories
+     */
+    200: RepositoryListResponse;
+};
+
+export type ListRepositoriesResponse = ListRepositoriesResponses[keyof ListRepositoriesResponses];
+
+export type CreateRepositoryData = {
+    body: CreateRepositoryRequest;
+    path?: never;
+    query?: never;
+    url: '/api/v1/repositories';
+};
+
+export type CreateRepositoryErrors = {
+    /**
+     * Authentication required
+     */
+    401: unknown;
+    /**
+     * Insufficient permissions
+     */
+    403: unknown;
+    /**
+     * Repository key already exists
+     */
+    409: unknown;
+};
+
+export type CreateRepositoryResponses = {
     /**
      * Repository created
      */
@@ -9616,6 +11081,10 @@ export type DeleteRepositoryErrors = {
      * Authentication required
      */
     401: unknown;
+    /**
+     * Insufficient permissions
+     */
+    403: unknown;
     /**
      * Repository not found
      */
@@ -9674,6 +11143,10 @@ export type UpdateRepositoryErrors = {
      * Authentication required
      */
     401: unknown;
+    /**
+     * Insufficient permissions
+     */
+    403: unknown;
     /**
      * Repository not found
      */
@@ -9706,6 +11179,19 @@ export type ListArtifactsData = {
         per_page?: number | null;
         q?: string | null;
         path_prefix?: string | null;
+        /**
+         * Server-side artifact grouping.
+         *
+         * Supported values:
+         * - `maven_component`: Maven/Gradle artifacts are grouped by
+         * groupId, artifactId, and version.  Individual files (jar, pom,
+         * checksums) appear in the `artifact_files` array of each component.
+         * - `docker_tag`: Docker/OCI artifacts are grouped by (image, tag),
+         * with `total_size_bytes` summed across the manifest config and
+         * referenced layer blobs.  The grouped rows are returned in the
+         * `docker_tags` array.
+         */
+        group_by?: string | null;
     };
     url: '/api/v1/repositories/{key}/artifacts';
 };
@@ -9751,6 +11237,10 @@ export type DeleteArtifactErrors = {
      * Artifact not found
      */
     404: unknown;
+    /**
+     * Artifact is immutable (released) and cannot be deleted
+     */
+    409: unknown;
 };
 
 export type DeleteArtifactResponses = {
@@ -9892,6 +11382,55 @@ export type SetCacheTtlResponses = {
 
 export type SetCacheTtlResponse = SetCacheTtlResponses[keyof SetCacheTtlResponses];
 
+export type InvalidateCacheData = {
+    body?: never;
+    path: {
+        /**
+         * Repository key
+         */
+        key: string;
+    };
+    query: {
+        /**
+         * Artifact path to evict from the proxy cache. Same shape as the path
+         * segment of `GET /api/v1/repositories/{key}/artifacts/{path}`.
+         * Path-traversal segments such as `..` are rejected by
+         * `ProxyService::cache_storage_key` (covered by
+         * `test_invalidate_cache_by_key_rejects_invalid_path`).
+         */
+        path: string;
+    };
+    url: '/api/v1/repositories/{key}/cache/invalidate';
+};
+
+export type InvalidateCacheErrors = {
+    /**
+     * Validation error (e.g. non-remote repo or invalid path)
+     */
+    400: unknown;
+    /**
+     * Authentication required
+     */
+    401: unknown;
+    /**
+     * Repository not found
+     */
+    404: unknown;
+    /**
+     * Proxy service not configured on this deployment
+     */
+    503: unknown;
+};
+
+export type InvalidateCacheResponses = {
+    /**
+     * Cache entry invalidated (or was already absent)
+     */
+    200: InvalidateCacheResponse;
+};
+
+export type InvalidateCacheResponse2 = InvalidateCacheResponses[keyof InvalidateCacheResponses];
+
 export type DownloadArtifactData = {
     body?: never;
     path: {
@@ -9924,6 +11463,122 @@ export type DownloadArtifactResponses = {
 
 export type DownloadArtifactResponse = DownloadArtifactResponses[keyof DownloadArtifactResponses];
 
+export type ListSubscriptionsData = {
+    body?: never;
+    path: {
+        /**
+         * Repository key
+         */
+        key: string;
+    };
+    query?: never;
+    url: '/api/v1/repositories/{key}/email-subscriptions';
+};
+
+export type ListSubscriptionsErrors = {
+    /**
+     * Not authenticated
+     */
+    401: unknown;
+    /**
+     * Insufficient permissions
+     */
+    403: unknown;
+    /**
+     * Repository not found
+     */
+    404: unknown;
+};
+
+export type ListSubscriptionsResponses = {
+    /**
+     * List of email subscriptions
+     */
+    200: EmailSubscriptionListResponse;
+};
+
+export type ListSubscriptionsResponse = ListSubscriptionsResponses[keyof ListSubscriptionsResponses];
+
+export type CreateSubscriptionData = {
+    body: CreateEmailSubscriptionRequest;
+    path: {
+        /**
+         * Repository key
+         */
+        key: string;
+    };
+    query?: never;
+    url: '/api/v1/repositories/{key}/email-subscriptions';
+};
+
+export type CreateSubscriptionErrors = {
+    /**
+     * Validation error
+     */
+    400: unknown;
+    /**
+     * Not authenticated
+     */
+    401: unknown;
+    /**
+     * Insufficient permissions
+     */
+    403: unknown;
+    /**
+     * Repository not found
+     */
+    404: unknown;
+};
+
+export type CreateSubscriptionResponses = {
+    /**
+     * Subscription created
+     */
+    201: EmailSubscriptionResponse;
+};
+
+export type CreateSubscriptionResponse = CreateSubscriptionResponses[keyof CreateSubscriptionResponses];
+
+export type DeleteSubscriptionData = {
+    body?: never;
+    path: {
+        /**
+         * Repository key
+         */
+        key: string;
+        /**
+         * Subscription ID
+         */
+        subscription_id: string;
+    };
+    query?: never;
+    url: '/api/v1/repositories/{key}/email-subscriptions/{subscription_id}';
+};
+
+export type DeleteSubscriptionErrors = {
+    /**
+     * Not authenticated
+     */
+    401: unknown;
+    /**
+     * Insufficient permissions
+     */
+    403: unknown;
+    /**
+     * Subscription or repository not found
+     */
+    404: unknown;
+};
+
+export type DeleteSubscriptionResponses = {
+    /**
+     * Subscription deleted
+     */
+    204: void;
+};
+
+export type DeleteSubscriptionResponse = DeleteSubscriptionResponses[keyof DeleteSubscriptionResponses];
+
 export type ListRepoLabelsData = {
     body?: never;
     path: {
@@ -10061,6 +11716,10 @@ export type ListVirtualMembersErrors = {
      * Repository is not virtual
      */
     400: unknown;
+    /**
+     * Authentication required
+     */
+    401: unknown;
     /**
      * Repository not found
      */
@@ -10069,7 +11728,7 @@ export type ListVirtualMembersErrors = {
 
 export type ListVirtualMembersResponses = {
     /**
-     * List of virtual repository members
+     * List of virtual repository members (filtered to caller-visible members)
      */
     200: VirtualMembersListResponse;
 };
@@ -10097,6 +11756,10 @@ export type AddVirtualMemberErrors = {
      * Repository or member not found
      */
     404: unknown;
+    /**
+     * Member already exists in virtual repository
+     */
+    409: unknown;
 };
 
 export type AddVirtualMemberResponses = {
@@ -10182,7 +11845,7 @@ export type RemoveVirtualMemberResponses = {
     200: unknown;
 };
 
-export type GetRepoSecurityData = {
+export type ListPypiTracksData = {
     body?: never;
     path: {
         /**
@@ -10191,10 +11854,208 @@ export type GetRepoSecurityData = {
         key: string;
     };
     query?: never;
-    url: '/api/v1/repositories/{key}/security';
+    url: '/api/v1/repositories/{key}/pypi-tracks';
 };
 
-export type GetRepoSecurityErrors = {
+export type ListPypiTracksErrors = {
+    /**
+     * Repository not found
+     */
+    404: unknown;
+};
+
+export type ListPypiTracksResponses = {
+    /**
+     * tracks declarations
+     */
+    200: PypiTracksListResponse;
+};
+
+export type ListPypiTracksResponse = ListPypiTracksResponses[keyof ListPypiTracksResponses];
+
+export type DeletePypiTrackData = {
+    body?: never;
+    path: {
+        /**
+         * Repository key
+         */
+        key: string;
+        /**
+         * Project name (PEP 503 normalized server-side)
+         */
+        project: string;
+    };
+    query?: never;
+    url: '/api/v1/repositories/{key}/pypi-tracks/{project}';
+};
+
+export type DeletePypiTrackErrors = {
+    /**
+     * Authentication required
+     */
+    401: unknown;
+    /**
+     * Repository not found
+     */
+    404: unknown;
+};
+
+export type DeletePypiTrackResponses = {
+    /**
+     * tracks declaration removed (idempotent)
+     */
+    204: void;
+};
+
+export type DeletePypiTrackResponse = DeletePypiTrackResponses[keyof DeletePypiTrackResponses];
+
+export type PutPypiTrackData = {
+    body: PypiTrackRequest;
+    path: {
+        /**
+         * Repository key
+         */
+        key: string;
+        /**
+         * Project name (PEP 503 normalized server-side)
+         */
+        project: string;
+    };
+    query?: never;
+    url: '/api/v1/repositories/{key}/pypi-tracks/{project}';
+};
+
+export type PutPypiTrackErrors = {
+    /**
+     * Invalid request or repository type
+     */
+    400: unknown;
+    /**
+     * Authentication required
+     */
+    401: unknown;
+    /**
+     * Repository not found
+     */
+    404: unknown;
+};
+
+export type PutPypiTrackResponses = {
+    /**
+     * tracks declaration stored
+     */
+    200: PypiTrackResponse;
+};
+
+export type PutPypiTrackResponse = PutPypiTrackResponses[keyof PutPypiTrackResponses];
+
+export type DeleteRoutingRulesData = {
+    body?: never;
+    path: {
+        /**
+         * Repository key
+         */
+        key: string;
+    };
+    query?: never;
+    url: '/api/v1/repositories/{key}/routing-rules';
+};
+
+export type DeleteRoutingRulesErrors = {
+    /**
+     * Authentication required
+     */
+    401: unknown;
+    /**
+     * Repository not found
+     */
+    404: unknown;
+};
+
+export type DeleteRoutingRulesResponses = {
+    /**
+     * Routing rules deleted
+     */
+    200: unknown;
+};
+
+export type GetRoutingRulesData = {
+    body?: never;
+    path: {
+        /**
+         * Repository key
+         */
+        key: string;
+    };
+    query?: never;
+    url: '/api/v1/repositories/{key}/routing-rules';
+};
+
+export type GetRoutingRulesErrors = {
+    /**
+     * Repository not found
+     */
+    404: unknown;
+};
+
+export type GetRoutingRulesResponses = {
+    /**
+     * Current routing rules
+     */
+    200: RoutingRulesResponse;
+};
+
+export type GetRoutingRulesResponse = GetRoutingRulesResponses[keyof GetRoutingRulesResponses];
+
+export type SetRoutingRulesData = {
+    body: SetRoutingRulesRequest;
+    path: {
+        /**
+         * Repository key
+         */
+        key: string;
+    };
+    query?: never;
+    url: '/api/v1/repositories/{key}/routing-rules';
+};
+
+export type SetRoutingRulesErrors = {
+    /**
+     * Invalid rule (bad regex or capture reference)
+     */
+    400: unknown;
+    /**
+     * Authentication required
+     */
+    401: unknown;
+    /**
+     * Repository not found
+     */
+    404: unknown;
+};
+
+export type SetRoutingRulesResponses = {
+    /**
+     * Routing rules saved
+     */
+    200: RoutingRulesResponse;
+};
+
+export type SetRoutingRulesResponse = SetRoutingRulesResponses[keyof SetRoutingRulesResponses];
+
+export type GetRepoSecurityData = {
+    body?: never;
+    path: {
+        /**
+         * Repository key
+         */
+        key: string;
+    };
+    query?: never;
+    url: '/api/v1/repositories/{key}/security';
+};
+
+export type GetRepoSecurityErrors = {
     /**
      * Repository not found
      */
@@ -10224,98 +12085,254 @@ export type UpdateRepoSecurityData = {
     url: '/api/v1/repositories/{key}/security';
 };
 
-export type UpdateRepoSecurityErrors = {
+export type UpdateRepoSecurityErrors = {
+    /**
+     * Repository not found
+     */
+    404: ErrorResponse;
+};
+
+export type UpdateRepoSecurityError = UpdateRepoSecurityErrors[keyof UpdateRepoSecurityErrors];
+
+export type UpdateRepoSecurityResponses = {
+    /**
+     * Repository security config updated
+     */
+    200: ScanConfigResponse;
+};
+
+export type UpdateRepoSecurityResponse = UpdateRepoSecurityResponses[keyof UpdateRepoSecurityResponses];
+
+export type ListRepoScansData = {
+    body?: never;
+    path: {
+        /**
+         * Repository key
+         */
+        key: string;
+    };
+    query?: {
+        repository_id?: string | null;
+        artifact_id?: string | null;
+        status?: string | null;
+        page?: number | null;
+        per_page?: number | null;
+    };
+    url: '/api/v1/repositories/{key}/security/scans';
+};
+
+export type ListRepoScansErrors = {
+    /**
+     * Repository not found
+     */
+    404: ErrorResponse;
+};
+
+export type ListRepoScansError = ListRepoScansErrors[keyof ListRepoScansErrors];
+
+export type ListRepoScansResponses = {
+    /**
+     * Paginated list of scans for a repository
+     */
+    200: ScanListResponse;
+};
+
+export type ListRepoScansResponse = ListRepoScansResponses[keyof ListRepoScansResponses];
+
+export type TestUpstreamData = {
+    body?: never;
+    path: {
+        /**
+         * Repository key
+         */
+        key: string;
+    };
+    query?: never;
+    url: '/api/v1/repositories/{key}/test-upstream';
+};
+
+export type TestUpstreamErrors = {
+    /**
+     * Repository is not remote or has no upstream URL
+     */
+    400: unknown;
+    /**
+     * Authentication required
+     */
+    401: unknown;
+    /**
+     * Repository not found
+     */
+    404: unknown;
+    /**
+     * Upstream unreachable
+     */
+    502: unknown;
+};
+
+export type TestUpstreamResponses = {
+    /**
+     * Upstream reachable
+     */
+    200: unknown;
+};
+
+export type ListRepoTokensData = {
+    body?: never;
+    path: {
+        /**
+         * Repository key
+         */
+        key: string;
+    };
+    query?: never;
+    url: '/api/v1/repositories/{key}/tokens';
+};
+
+export type ListRepoTokensErrors = {
+    /**
+     * Not authenticated
+     */
+    401: unknown;
+    /**
+     * Insufficient permissions
+     */
+    403: unknown;
+    /**
+     * Repository not found
+     */
+    404: unknown;
+};
+
+export type ListRepoTokensResponses = {
+    /**
+     * List of tokens on this repository
+     */
+    200: RepoTokenListResponse;
+};
+
+export type ListRepoTokensResponse = ListRepoTokensResponses[keyof ListRepoTokensResponses];
+
+export type CreateRepoTokenData = {
+    body: CreateRepoTokenRequest;
+    path: {
+        /**
+         * Repository key
+         */
+        key: string;
+    };
+    query?: never;
+    url: '/api/v1/repositories/{key}/tokens';
+};
+
+export type CreateRepoTokenErrors = {
+    /**
+     * Validation error
+     */
+    400: unknown;
+    /**
+     * Not authenticated
+     */
+    401: unknown;
+    /**
+     * Insufficient permissions
+     */
+    403: unknown;
     /**
      * Repository not found
      */
-    404: ErrorResponse;
+    404: unknown;
 };
 
-export type UpdateRepoSecurityError = UpdateRepoSecurityErrors[keyof UpdateRepoSecurityErrors];
-
-export type UpdateRepoSecurityResponses = {
+export type CreateRepoTokenResponses = {
     /**
-     * Repository security config updated
+     * Token created (value shown once)
      */
-    200: ScanConfigResponse;
+    200: CreateRepoTokenResponse;
 };
 
-export type UpdateRepoSecurityResponse = UpdateRepoSecurityResponses[keyof UpdateRepoSecurityResponses];
+export type CreateRepoTokenResponse2 = CreateRepoTokenResponses[keyof CreateRepoTokenResponses];
 
-export type ListRepoScansData = {
+export type RevokeRepoTokenData = {
     body?: never;
     path: {
         /**
          * Repository key
          */
         key: string;
+        /**
+         * Token ID
+         */
+        token_id: string;
     };
-    query?: {
-        repository_id?: string | null;
-        artifact_id?: string | null;
-        status?: string | null;
-        page?: number | null;
-        per_page?: number | null;
-    };
-    url: '/api/v1/repositories/{key}/security/scans';
+    query?: never;
+    url: '/api/v1/repositories/{key}/tokens/{token_id}';
 };
 
-export type ListRepoScansErrors = {
+export type RevokeRepoTokenErrors = {
     /**
-     * Repository not found
+     * Not authenticated
      */
-    404: ErrorResponse;
+    401: unknown;
+    /**
+     * Insufficient permissions
+     */
+    403: unknown;
+    /**
+     * Repository or token not found
+     */
+    404: unknown;
 };
 
-export type ListRepoScansError = ListRepoScansErrors[keyof ListRepoScansErrors];
-
-export type ListRepoScansResponses = {
+export type RevokeRepoTokenResponses = {
     /**
-     * Paginated list of scans for a repository
+     * Token revoked
      */
-    200: ScanListResponse;
+    204: void;
 };
 
-export type ListRepoScansResponse = ListRepoScansResponses[keyof ListRepoScansResponses];
+export type RevokeRepoTokenResponse = RevokeRepoTokenResponses[keyof RevokeRepoTokenResponses];
 
-export type TestUpstreamData = {
+export type GetRepoTokenData = {
     body?: never;
     path: {
         /**
          * Repository key
          */
         key: string;
+        /**
+         * Token ID
+         */
+        token_id: string;
     };
     query?: never;
-    url: '/api/v1/repositories/{key}/test-upstream';
+    url: '/api/v1/repositories/{key}/tokens/{token_id}';
 };
 
-export type TestUpstreamErrors = {
-    /**
-     * Repository is not remote or has no upstream URL
-     */
-    400: unknown;
+export type GetRepoTokenErrors = {
     /**
-     * Authentication required
+     * Not authenticated
      */
     401: unknown;
     /**
-     * Repository not found
+     * Insufficient permissions
      */
-    404: unknown;
+    403: unknown;
     /**
-     * Upstream unreachable
+     * Repository or token not found
      */
-    502: unknown;
+    404: unknown;
 };
 
-export type TestUpstreamResponses = {
+export type GetRepoTokenResponses = {
     /**
-     * Upstream reachable
+     * Token details
      */
-    200: unknown;
+    200: RepoTokenResponse;
 };
 
+export type GetRepoTokenResponse = GetRepoTokenResponses[keyof GetRepoTokenResponses];
+
 export type SetUpstreamAuthData = {
     body: UpstreamAuthRequest;
     path: {
@@ -10454,16 +12471,83 @@ export type CheckLicenseComplianceResponses = {
 
 export type CheckLicenseComplianceResponse = CheckLicenseComplianceResponses[keyof CheckLicenseComplianceResponses];
 
-export type GetCveHistoryData = {
+export type GetCveHistoryByArtifactData = {
     body?: never;
     path: {
         /**
-         * Artifact ID
+         * Artifact UUID
          */
         artifact_id: string;
     };
     query?: never;
-    url: '/api/v1/sbom/cve/history/{artifact_id}';
+    url: '/api/v1/sbom/cve/history/by-artifact/{artifact_id}';
+};
+
+export type GetCveHistoryByArtifactErrors = {
+    /**
+     * Caller does not have access to this artifact's repository
+     */
+    403: unknown;
+    /**
+     * Artifact not found
+     */
+    404: unknown;
+};
+
+export type GetCveHistoryByArtifactResponses = {
+    /**
+     * CVE history entries
+     */
+    200: Array<CveHistoryEntry>;
+};
+
+export type GetCveHistoryByArtifactResponse = GetCveHistoryByArtifactResponses[keyof GetCveHistoryByArtifactResponses];
+
+export type GetCveHistoryByCveData = {
+    body?: never;
+    path: {
+        /**
+         * CVE identifier (e.g. CVE-2019-10744)
+         */
+        cve_id: string;
+    };
+    query?: never;
+    url: '/api/v1/sbom/cve/history/by-cve/{cve_id}';
+};
+
+export type GetCveHistoryByCveErrors = {
+    /**
+     * Path id is not a valid CVE identifier
+     */
+    400: unknown;
+};
+
+export type GetCveHistoryByCveResponses = {
+    /**
+     * CVE history entries
+     */
+    200: Array<CveHistoryEntry>;
+};
+
+export type GetCveHistoryByCveResponse = GetCveHistoryByCveResponses[keyof GetCveHistoryByCveResponses];
+
+export type GetCveHistoryData = {
+    body?: never;
+    path: {
+        /**
+         * Artifact UUID or CVE identifier (e.g. CVE-2019-10744). Prefer the typed routes /cve/history/by-artifact/{uuid} or /cve/history/by-cve/{cve_id}.
+         */
+        id: string;
+    };
+    query?: never;
+    url: '/api/v1/sbom/cve/history/{id}';
+};
+
+export type GetCveHistoryErrors = {
+    /**
+     * Path id is neither a valid UUID nor a valid CVE identifier
+     */
+    400: unknown;
 };
 
 export type GetCveHistoryResponses = {
@@ -10475,6 +12559,48 @@ export type GetCveHistoryResponses = {
 
 export type GetCveHistoryResponse = GetCveHistoryResponses[keyof GetCveHistoryResponses];
 
+export type UpdateCveStatusByArtifactCveData = {
+    body: UpdateCveStatusRequest;
+    path: {
+        /**
+         * Artifact UUID
+         */
+        artifact_id: string;
+        /**
+         * CVE identifier (e.g. CVE-2019-10744)
+         */
+        cve_id: string;
+    };
+    query?: never;
+    url: '/api/v1/sbom/cve/status/by-artifact/{artifact_id}/by-cve/{cve_id}';
+};
+
+export type UpdateCveStatusByArtifactCveErrors = {
+    /**
+     * Validation error (e.g. invalid CVE id or unsupported status)
+     */
+    400: ErrorResponse;
+    /**
+     * Caller does not have access to this artifact's repository
+     */
+    403: unknown;
+    /**
+     * No scan_findings rows match (artifact_id, cve_id)
+     */
+    404: unknown;
+};
+
+export type UpdateCveStatusByArtifactCveError = UpdateCveStatusByArtifactCveErrors[keyof UpdateCveStatusByArtifactCveErrors];
+
+export type UpdateCveStatusByArtifactCveResponses = {
+    /**
+     * Updated synth CVE entry
+     */
+    200: CveHistoryEntry;
+};
+
+export type UpdateCveStatusByArtifactCveResponse = UpdateCveStatusByArtifactCveResponses[keyof UpdateCveStatusByArtifactCveResponses];
+
 export type UpdateCveStatusData = {
     body: UpdateCveStatusRequest;
     path: {
@@ -10746,9 +12872,9 @@ export type ConvertSbomError = ConvertSbomErrors[keyof ConvertSbomErrors];
 
 export type ConvertSbomResponses = {
     /**
-     * Converted SBOM
+     * Converted SBOM with content
      */
-    200: SbomResponse;
+    200: SbomContentResponse;
 };
 
 export type ConvertSbomResponse = ConvertSbomResponses[keyof ConvertSbomResponses];
@@ -10943,6 +13069,15 @@ export type GetDashboardData = {
     url: '/api/v1/security/dashboard';
 };
 
+export type GetDashboardErrors = {
+    /**
+     * Admin privileges required
+     */
+    403: ErrorResponse;
+};
+
+export type GetDashboardError = GetDashboardErrors[keyof GetDashboardErrors];
+
 export type GetDashboardResponses = {
     /**
      * Security dashboard summary
@@ -10965,6 +13100,10 @@ export type RevokeAcknowledgmentData = {
 };
 
 export type RevokeAcknowledgmentErrors = {
+    /**
+     * Admin privileges required
+     */
+    403: ErrorResponse;
     /**
      * Finding not found
      */
@@ -10995,6 +13134,10 @@ export type AcknowledgeFindingData = {
 };
 
 export type AcknowledgeFindingErrors = {
+    /**
+     * Admin privileges required
+     */
+    403: ErrorResponse;
     /**
      * Finding not found
      */
@@ -11157,10 +13300,14 @@ export type TriggerScanErrors = {
      * Validation error
      */
     400: ErrorResponse;
+    /**
+     * bypass_dedup requested by non-admin caller
+     */
+    403: ErrorResponse;
     /**
      * Scanner service not configured
      */
-    500: ErrorResponse;
+    503: ErrorResponse;
 };
 
 export type TriggerScanError = TriggerScanErrors[keyof TriggerScanErrors];
@@ -11266,6 +13413,15 @@ export type GetAllScoresData = {
     url: '/api/v1/security/scores';
 };
 
+export type GetAllScoresErrors = {
+    /**
+     * Admin privileges required
+     */
+    403: ErrorResponse;
+};
+
+export type GetAllScoresError = GetAllScoresErrors[keyof GetAllScoresErrors];
+
 export type GetAllScoresResponses = {
     /**
      * All repository security scores
@@ -12095,6 +14251,22 @@ export type TogglePolicyResponses = {
 
 export type TogglePolicyResponse = TogglePolicyResponses[keyof TogglePolicyResponses];
 
+export type GetSystemConfigData = {
+    body?: never;
+    path?: never;
+    query?: never;
+    url: '/api/v1/system/config';
+};
+
+export type GetSystemConfigResponses = {
+    /**
+     * Public runtime configuration
+     */
+    200: SystemConfigResponse;
+};
+
+export type GetSystemConfigResponse = GetSystemConfigResponses[keyof GetSystemConfigResponses];
+
 export type GetTreeData = {
     body?: never;
     path?: never;
@@ -12195,6 +14367,10 @@ export type CreateSessionErrors = {
      * Unauthorized
      */
     401: unknown;
+    /**
+     * Forbidden
+     */
+    403: ErrorResponse;
     /**
      * Repository not found
      */
@@ -12495,6 +14671,42 @@ export type UpdateUserResponses = {
 
 export type UpdateUserResponse = UpdateUserResponses[keyof UpdateUserResponses];
 
+export type ForcePasswordChangeData = {
+    body?: never;
+    path: {
+        /**
+         * User ID
+         */
+        id: string;
+    };
+    query?: never;
+    url: '/api/v1/users/{id}/force-password-change';
+};
+
+export type ForcePasswordChangeErrors = {
+    /**
+     * Only administrators can force password changes
+     */
+    403: unknown;
+    /**
+     * User not found
+     */
+    404: unknown;
+    /**
+     * Cannot force password change for SSO users
+     */
+    422: unknown;
+};
+
+export type ForcePasswordChangeResponses = {
+    /**
+     * Flag set successfully
+     */
+    200: ForcePasswordChangeResponse;
+};
+
+export type ForcePasswordChangeResponse2 = ForcePasswordChangeResponses[keyof ForcePasswordChangeResponses];
+
 export type ChangePasswordData = {
     body: ChangePasswordRequest;
     path: {
@@ -12769,13 +14981,17 @@ export type CreateWebhookErrors = {
      * Internal server error
      */
     500: unknown;
+    /**
+     * A secret was supplied but AK_WEBHOOK_SECRET_KEY is not configured, so the secret cannot be encrypted at rest
+     */
+    503: unknown;
 };
 
 export type CreateWebhookResponses = {
     /**
-     * Webhook created successfully
+     * Webhook created. Body includes the raw secret exactly once (omitted when created unsigned).
      */
-    200: WebhookResponse;
+    200: WebhookSecretCreatedResponse;
 };
 
 export type CreateWebhookResponse = CreateWebhookResponses[keyof CreateWebhookResponses];
@@ -12950,6 +15166,42 @@ export type EnableWebhookResponses = {
     200: unknown;
 };
 
+export type RotateWebhookSecretData = {
+    body?: never;
+    path: {
+        /**
+         * Webhook ID
+         */
+        id: string;
+    };
+    query?: never;
+    url: '/api/v1/webhooks/{id}/rotate-secret';
+};
+
+export type RotateWebhookSecretErrors = {
+    /**
+     * Webhook not found
+     */
+    404: unknown;
+    /**
+     * A previous rotation overlap window is still active
+     */
+    409: unknown;
+    /**
+     * Encryption key not configured
+     */
+    500: unknown;
+};
+
+export type RotateWebhookSecretResponses = {
+    /**
+     * Secret rotated. Body includes the new raw secret exactly once.
+     */
+    200: RotateWebhookSecretResponse;
+};
+
+export type RotateWebhookSecretResponse2 = RotateWebhookSecretResponses[keyof RotateWebhookSecretResponses];
+
 export type TestWebhookData = {
     body?: never;
     path: {