npm - @artifact-keeper/sdk - Versions diffs - 1.1.9-rc.1 → 1.2.1 - Mend

@artifact-keeper/sdk 1.1.9-rc.1 → 1.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/src/types.gen.ts CHANGED Viewed

@@ -198,6 +198,14 @@ export type ArtifactLabelsListResponse = {
 };
 export type ArtifactListResponse = {
+    /**
+     * Maven component grouping.  Only present when `group_by=maven_component`.
+     */
+    components?: Array<MavenComponentResponse> | null;
+    /**
+     * Docker tag grouping.  Only present when `group_by=docker_tag`.
+     */
+    docker_tags?: Array<DockerTagResponse> | null;
     items: Array<ArtifactResponse>;
     pagination: Pagination;
 };
@@ -210,6 +218,21 @@ export type ArtifactMetadataResponse = {
 };
 export type ArtifactResponse = {
+    /**
+     * When the proxy cache entry for this artifact was last written.
+     * Only populated for Remote (proxy) repositories whose proxy service is
+     * configured AND that have a cache-metadata blob for this path. None
+     * for Local / Virtual / Staging repos and for Remote repos whose cache
+     * hasn't been populated yet (e.g. an artifact that exists as a DB row
+     * from a direct upload but has never been fetched through the proxy).
+     * (#1541)
+     */
+    cache_cached_at?: string | null;
+    /**
+     * When the proxy cache entry for this artifact will expire and be
+     * re-validated against upstream. Same gating as `cache_cached_at`. (#1541)
+     */
+    cache_expires_at?: string | null;
     checksum_sha256: string;
     content_type: string;
     created_at: string;
@@ -247,6 +270,14 @@ export type AssessmentResult = {
 };
 export type AssignRepoRequest = {
+    /**
+     * Optional JSONB filter constraining which artifacts in the repository
+     * get replicated. Shape: `{"include_patterns": ["^v\\d+\\."], "exclude_patterns": [".*-SNAPSHOT$"]}`.
+     * Null/absent means replicate everything.
+     */
+    replication_filter: {
+        [key: string]: unknown;
+    };
     replication_mode?: string | null;
     replication_schedule?: string | null;
     repository_id: string;
@@ -257,6 +288,25 @@ export type AssignRoleRequest = {
     role_id: string;
 };
+/**
+ * Authentication provider availability.
+ */
+export type AuthConfig = {
+    /**
+     * Whether an LDAP directory is configured.
+     */
+    ldap_enabled: boolean;
+    /**
+     * Whether an OIDC provider is configured.
+     */
+    oidc_enabled: boolean;
+    /**
+     * Whether SAML SSO is configured (derived from the SSO admin settings in the DB,
+     * but for this endpoint we report whether the OIDC issuer is set as a proxy).
+     */
+    sso_enabled: boolean;
+};
 export type BackupListResponse = {
     items: Array<BackupResponse>;
     total: number;
@@ -384,7 +434,11 @@ export type BulkPromoteRequest = {
     artifact_ids: Array<string>;
     notes?: string | null;
     skip_policy_check?: boolean;
-    target_repository: string;
+    /**
+     * Target release repository key. When omitted, the staging repository's
+     * linked release target (from `repository_config`) is used instead.
+     */
+    target_repository?: string | null;
 };
 export type BulkPromotionResponse = {
@@ -646,6 +700,19 @@ export type CreateConnectionRequest = {
     url: string;
 };
+export type CreateEmailSubscriptionRequest = {
+    enabled?: boolean;
+    /**
+     * Event-type tokens to listen for. Must be drawn from `VALID_EVENT_TYPES`.
+     */
+    event_types: Array<string>;
+    /**
+     * Email addresses to deliver matching events to. Bounded length;
+     * see `MAX_RECIPIENTS_PER_SUBSCRIPTION` for the operator-facing limit.
+     */
+    recipients: Array<string>;
+};
 export type CreateGateRequest = {
     action?: string;
     description?: string | null;
@@ -719,7 +786,17 @@ export type CreateOidcConfigRequest = {
     client_secret: string;
     is_enabled?: boolean | null;
     issuer_url: string;
+    /**
+     * When `true`, OIDC group claim values are reflected as Artifact Keeper
+     * group memberships (auto-creating groups on first sight). Defaults to
+     * `false` to preserve legacy role-mapping behavior.
+     */
+    map_groups_to_groups?: boolean | null;
     name: string;
+    /**
+     * Enable PKCE (S256) on the authorization request. Defaults to `true`.
+     */
+    pkce_enabled?: boolean | null;
     scopes?: Array<string> | null;
 };
@@ -733,7 +810,7 @@ export type CreatePermissionRequest = {
 export type CreatePolicyRequest = {
     block_on_fail: boolean;
-    block_unscanned: boolean;
+    block_unscanned?: boolean;
     max_artifact_age_days?: number | null;
     max_severity: string;
     min_staging_hours?: number | null;
@@ -742,7 +819,51 @@ export type CreatePolicyRequest = {
     require_signature?: boolean;
 };
+/**
+ * Request to create an access token scoped to a repository.
+ */
+export type CreateRepoTokenRequest = {
+    /**
+     * Optional human-readable description.
+     */
+    description?: string | null;
+    /**
+     * Number of days until the token expires (1-365). Omit for no expiration.
+     */
+    expires_in_days?: number | null;
+    /**
+     * Display name for the token.
+     */
+    name: string;
+    /**
+     * Permission scopes for the token.
+     */
+    scopes: Array<string>;
+};
+/**
+ * Response returned when a repository token is created. The `token` field
+ * contains the plaintext value and is only shown once.
+ */
+export type CreateRepoTokenResponse = {
+    id: string;
+    name: string;
+    repository_key: string;
+    /**
+     * The full token value (only returned at creation time).
+     */
+    token: string;
+};
 export type CreateRepositoryRequest = {
+    /**
+     * Alias for `is_public`. When set to true, anonymous users can download
+     * artifacts from this repository without authentication. Useful for remote
+     * (pull-through cache) repositories that proxy public upstream registries.
+     * If both `is_public` and `allow_anonymous_access` are provided,
+     * `allow_anonymous_access` takes precedence.
+     */
+    allow_anonymous_access?: boolean | null;
     description?: string | null;
     format: string;
     /**
@@ -764,6 +885,12 @@ export type CreateRepositoryRequest = {
      */
     member_repos?: Array<CreateVirtualMemberInput> | null;
     name: string;
+    /**
+     * When true, direct user uploads to this repository are rejected:
+     * artifacts must arrive via the promotion path. Admin-only to set.
+     * Defaults to false (no behavior change for existing repositories).
+     */
+    promotion_only?: boolean | null;
     quota_bytes?: number | null;
     repo_type: string;
     /**
@@ -830,10 +957,36 @@ export type CreateServiceAccountRequest = {
 };
 export type CreateSessionRequest = {
+    /**
+     * Source artifact metadata for peer replication.
+     */
+    artifact_metadata?: unknown;
+    /**
+     * Source artifact metadata format for peer replication.
+     */
+    artifact_metadata_format?: string | null;
+    /**
+     * Source artifact metadata properties for peer replication.
+     */
+    artifact_metadata_properties?: unknown;
+    /**
+     * Artifact name to persist when the upload completes.
+     *
+     * Optional for regular client uploads. Peer replication sets this from
+     * the source artifact row so chunked replication preserves metadata.
+     */
+    artifact_name?: string | null;
     /**
      * Path within the repository (e.g. "images/vm.ova")
      */
     artifact_path: string;
+    /**
+     * Artifact version to persist when the upload completes.
+     *
+     * Optional for regular client uploads. Peer replication sets this from
+     * the source artifact row so chunked replication preserves metadata.
+     */
+    artifact_version?: string | null;
     /**
      * Expected SHA256 checksum of the complete file
      */
@@ -846,6 +999,14 @@ export type CreateSessionRequest = {
      * MIME content type (default "application/octet-stream")
      */
     content_type?: string | null;
+    /**
+     * Source package description for peer replication.
+     */
+    package_description?: string | null;
+    /**
+     * Source package catalog metadata for peer replication.
+     */
+    package_metadata?: unknown;
     /**
      * Repository key (e.g. "my-repo")
      */
@@ -869,6 +1030,13 @@ export type CreateSyncPolicyPayload = {
     };
     description?: string;
     enabled?: boolean;
+    /**
+     * Convenience glob filter (e.g. `"*.tar.gz"`). When set, it is folded
+     * into `artifact_filter.include_paths` so only matching artifact paths
+     * are eligible for sync. Ignored if `artifact_filter.include_paths` is
+     * already provided.
+     */
+    filter?: string | null;
     name: string;
     peer_selector?: {
         [key: string]: unknown;
@@ -931,12 +1099,27 @@ export type CreateVirtualMemberInput = {
 };
 export type CreateWebhookRequest = {
+    /**
+     * Pinned event payload version. Defaults to "2026-04-01" when omitted.
+     * Must match a value in `SUPPORTED_EVENT_VERSIONS` or the request is
+     * rejected with HTTP 422.
+     */
+    event_schema_version?: string | null;
     events: Array<string>;
     headers?: {
         [key: string]: unknown;
     } | null;
     name: string;
+    /**
+     * Payload layout for the target platform (default: generic).
+     */
+    payload_template?: PayloadTemplate;
     repository_id?: string | null;
+    /**
+     * Optional caller-supplied secret. When omitted the server generates a
+     * fresh `whsec_*` secret. Either way the raw value is returned in the
+     * 201 response body exactly once and is unrecoverable thereafter.
+     */
     secret?: string | null;
     url: string;
 };
@@ -1006,17 +1189,47 @@ export type CveTimelineEntry = {
 /**
  * CVE trends summary.
+ *
+ * #1446: the security-tests `cve-history` suite probes the trends body for
+ * any of `total`, `count`, `critical`, or `high` to confirm the response
+ * carries aggregate counts (PR #1385 fixed `cve-history` but the trends
+ * shape was not aligned). The original field set (`total_cves`,
+ * `critical_count`, ...) is retained for openapi consumers; the bare
+ * `total`/`critical`/`high`/`medium`/`low` aliases are added alongside so
+ * both shape contracts are satisfied without breaking existing clients.
+ * `#[serde(default)]` keeps deserialization working when the alias fields
+ * are absent (older payloads, tests that build the struct via field init).
  */
 export type CveTrends = {
     acknowledged_cves: number;
     avg_days_to_fix?: number | null;
+    /**
+     * Alias of `critical_count` (#1446).
+     */
+    critical?: number;
     critical_count: number;
     fixed_cves: number;
+    /**
+     * Alias of `high_count` (#1446).
+     */
+    high?: number;
     high_count: number;
+    /**
+     * Alias of `low_count` (#1446).
+     */
+    low?: number;
     low_count: number;
+    /**
+     * Alias of `medium_count` (#1446).
+     */
+    medium?: number;
     medium_count: number;
     open_cves: number;
     timeline: Array<CveTimelineEntry>;
+    /**
+     * Alias of `total_cves` (#1446).
+     */
+    total?: number;
     total_cves: number;
 };
@@ -1074,6 +1287,79 @@ export type DiscoverablePeerResponse = {
     status: string;
 };
+/**
+ * A Docker/OCI tag grouped by (image, tag).
+ *
+ * `total_size_bytes` is the server-side aggregation of the manifest body
+ * plus every referenced layer blob.  This is what the UI should display
+ * as the on-disk image size; the previous client-side aggregation that
+ * only summed the manifest body itself reported a few kilobytes for
+ * images that are hundreds of megabytes on disk (artifact-keeper#1193).
+ *
+ * For multi-arch image indexes the size is the sum across all per-arch
+ * child manifests recorded in `oci_manifest_refs`, so an `amd64+arm64`
+ * index reports the combined storage cost.
+ */
+export type DockerTagResponse = {
+    /**
+     * Representative manifest artifact ID.
+     */
+    id: string;
+    /**
+     * Image name (no registry host, no tag).  Maps to the OCI v2 `<name>`
+     * path segment, which may include slashes (e.g. `library/postgres`).
+     */
+    image: string;
+    /**
+     * Whether this manifest is a multi-arch image index.
+     */
+    is_index: boolean;
+    /**
+     * Last push (or update) timestamp from the underlying `oci_tags` row.
+     */
+    last_pushed_at: string;
+    /**
+     * Number of layer blobs referenced by the manifest.  For image indexes
+     * this is the sum of layer counts across child manifests.  `0` when
+     * the manifest could not be parsed.
+     */
+    layer_count: number;
+    /**
+     * Manifest content digest (e.g. `sha256:abcdef...`).
+     */
+    manifest_digest: string;
+    /**
+     * Repository key this tag belongs to.
+     */
+    repository_key: string;
+    /**
+     * Rolled-up scan status across all scanners configured for this
+     * artifact. `None` when the artifact has never been scanned.
+     *
+     * Values surface the aggregate state, not a single scanner's row
+     * (see #1497). One of:
+     *
+     * * `pending` / `running` -- at least one scanner is still in flight
+     * * `completed` -- every per-scan-type latest row is `completed`
+     * * `failed` -- every per-scan-type latest row is `failed`
+     * * `partial` -- mixed: at least one `completed` AND at least one
+     * `failed`. A green generic scanner (e.g. grype) no longer hides
+     * a failed format-native scanner (e.g. incus) behind a
+     * `completed` label.
+     */
+    scan_status?: string | null;
+    /**
+     * Tag string (e.g. `16-alpine`).  Never a `sha256:...` digest;
+     * digest-only references are filtered out of the grouping.
+     */
+    tag: string;
+    /**
+     * Total size in bytes of the manifest plus all referenced layer blobs.
+     * For image indexes, this sums across child manifests.
+     */
+    total_size_bytes: number;
+};
 /**
  * Download trend data point.
  */
@@ -1275,8 +1561,31 @@ export type DtProjectMetrics = {
     vulnerabilities?: number | null;
 };
+/**
+ * Dependency-Track integration status surfaced to the frontend.
+ *
+ * `healthy` is the boolean the existing UI already binds to. The new
+ * `error_status` and `error_message` fields let the UI distinguish a
+ * genuine "DT replied OK with no findings" state from "DT is down or
+ * misconfigured" (issue #963). When `healthy = true` both error fields
+ * are None; when `healthy = false`:
+ * - `error_status = Some(401)`: auth failure (check API key)
+ * - `error_status = Some(5xx)`: upstream is broken
+ * - `error_status = None`:     transport failure (DT pod unreachable)
+ * - `error_message`:           operator-facing failure description
+ */
 export type DtStatusResponse = {
     enabled: boolean;
+    /**
+     * Human-readable explanation when `healthy = false`. Safe to surface
+     * in the UI; does not leak credentials.
+     */
+    error_message?: string | null;
+    /**
+     * Upstream HTTP status if the health probe got a response, else None.
+     * Only populated when `healthy = false`.
+     */
+    error_status?: number | null;
     healthy: boolean;
     url?: string | null;
 };
@@ -1295,6 +1604,20 @@ export type DtVulnerability = {
     vulnId: string;
 };
+export type EmailSubscriptionListResponse = {
+    subscriptions: Array<EmailSubscriptionResponse>;
+};
+export type EmailSubscriptionResponse = {
+    created_at: string;
+    enabled: boolean;
+    event_types: Array<string>;
+    id: string;
+    recipients: Array<string>;
+    repository_id?: string | null;
+    updated_at: string;
+};
 /**
  * Standard error response body returned by all endpoints on failure.
  */
@@ -1371,6 +1694,13 @@ export type FindingResponse = {
     title: string;
 };
+/**
+ * Response for force password change
+ */
+export type ForcePasswordChangeResponse = {
+    message: string;
+};
 /**
  * Format handler response with additional computed fields.
  */
@@ -1517,7 +1847,7 @@ export type GrowthSummary = {
 export type HealthChecks = {
     database: CheckStatus;
     ldap?: null | CheckStatus;
-    meilisearch?: null | CheckStatus;
+    opensearch?: null | CheckStatus;
     security_scanner?: null | CheckStatus;
     storage: CheckStatus;
 };
@@ -1584,6 +1914,23 @@ export type InstallFromLocalRequest = {
     path: string;
 };
+export type InvalidateCacheQuery = {
+    /**
+     * Artifact path to evict from the proxy cache. Same shape as the path
+     * segment of `GET /api/v1/repositories/{key}/artifacts/{path}`.
+     * Path-traversal segments such as `..` are rejected by
+     * `ProxyService::cache_storage_key` (covered by
+     * `test_invalidate_cache_by_key_rejects_invalid_path`).
+     */
+    path: string;
+};
+export type InvalidateCacheResponse = {
+    invalidated: boolean;
+    path: string;
+    repository_key: string;
+};
 export type IssueResponse = {
     artifact_id: string;
     category: string;
@@ -1701,6 +2048,19 @@ export type LifecyclePolicy = {
 };
 export type ListArtifactsQuery = {
+    /**
+     * Server-side artifact grouping.
+     *
+     * Supported values:
+     * - `maven_component`: Maven/Gradle artifacts are grouped by
+     * groupId, artifactId, and version.  Individual files (jar, pom,
+     * checksums) appear in the `artifact_files` array of each component.
+     * - `docker_tag`: Docker/OCI artifacts are grouped by (image, tag),
+     * with `total_size_bytes` summed across the manifest config and
+     * referenced layer blobs.  The grouped rows are returned in the
+     * `docker_tags` array.
+     */
+    group_by?: string | null;
     page?: number | null;
     path_prefix?: string | null;
     per_page?: number | null;
@@ -1802,6 +2162,55 @@ export type MatchedRepoSchema = {
     key: string;
 };
+/**
+ * A Maven component grouped by GAV (groupId, artifactId, version).
+ *
+ * Each component collects the individual files (jar, pom, checksums, etc.)
+ * that share the same Maven coordinates.
+ */
+export type MavenComponentResponse = {
+    /**
+     * Individual filenames belonging to this component.
+     */
+    artifact_files: Array<string>;
+    /**
+     * Maven artifactId (e.g. `junit-jupiter-api`).
+     */
+    artifact_id: string;
+    /**
+     * Earliest creation timestamp among the component files.
+     */
+    created_at: string;
+    /**
+     * Total download count across all files in this component.
+     */
+    download_count: number;
+    /**
+     * Repository format (always `maven` or `gradle`).
+     */
+    format: string;
+    /**
+     * Maven groupId with dots (e.g. `org.junit.jupiter`).
+     */
+    group_id: string;
+    /**
+     * Representative artifact ID (the first file in the group).
+     */
+    id: string;
+    /**
+     * Repository key this component belongs to.
+     */
+    repository_key: string;
+    /**
+     * Total size in bytes across all files in this component.
+     */
+    size_bytes: number;
+    /**
+     * Maven version string (e.g. `5.11.0`).
+     */
+    version: string;
+};
 export type MembersRequest = {
     user_ids: Array<string>;
 };
@@ -1928,6 +2337,83 @@ export type NetworkProfileBody = {
     sync_window_timezone?: string | null;
 };
+/**
+ * Read-only OCI blob storage footprint report (issue #1408).
+ *
+ * This is a **reporting-only** view. It performs no deletion and takes no
+ * locks. It surfaces how much storage the tracked `oci_blobs` rows
+ * account for so operators can see the magnitude of un-reclaimed blob
+ * layers before any garbage-collection mechanism is enabled.
+ *
+ * It deliberately does NOT attempt to classify which blobs are
+ * "reclaimable orphans": that requires a manifest -> blob reference table
+ * that does not yet exist in the schema, and any per-`(repository_id,
+ * digest)` orphan heuristic would mis-handle the cross-repo dedup case
+ * (multiple `oci_blobs` rows, one physical object) and report in-use
+ * blobs as reclaimable. The numbers here are exact aggregates only.
+ */
+export type OciBlobFootprintReport = {
+    /**
+     * Distinct digests older than `grace_hours` (eligible to be *considered*
+     * by a future GC sweep once a reference table exists). Reporting only.
+     */
+    aged_distinct_digests: number;
+    /**
+     * Physical bytes (distinct-digest) older than `grace_hours`.
+     */
+    aged_physical_bytes: number;
+    /**
+     * Number of distinct blob digests (content-addressed identities). When
+     * this is smaller than `total_blob_rows`, the difference is cross-repo
+     * deduplication: rows that share one physical storage object.
+     */
+    distinct_digests: number;
+    /**
+     * Grace window (hours) applied to the `aged_*` figures below.
+     */
+    grace_hours: number;
+    /**
+     * Sum of `size_bytes` over every `oci_blobs` row. Double-counts
+     * deduplicated blobs once per referencing repository.
+     */
+    logical_bytes: number;
+    /**
+     * Per-repository logical footprint, largest `logical_bytes` first.
+     */
+    per_repository: Array<OciBlobRepoFootprint>;
+    /**
+     * Sum of `size_bytes` counting each distinct digest exactly once. This
+     * approximates the physical bytes occupied in the storage backend.
+     */
+    physical_bytes: number;
+    /**
+     * Total number of `oci_blobs` rows across all repositories.
+     */
+    total_blob_rows: number;
+};
+/**
+ * Per-repository row in the OCI blob footprint report.
+ */
+export type OciBlobRepoFootprint = {
+    /**
+     * Number of `oci_blobs` rows attributed to this repository.
+     */
+    blob_rows: number;
+    /**
+     * Sum of `oci_blobs.size_bytes` for this repository's rows. Because OCI
+     * blob storage is content-addressed and deduplicated across repos, the
+     * same physical bytes can be counted under more than one repository
+     * here; see [`OciBlobFootprintReport::physical_bytes`] for the
+     * dedup-aware total.
+     */
+    logical_bytes: number;
+    /**
+     * Repository id owning these `oci_blobs` rows.
+     */
+    repository_id: string;
+};
 export type OidcConfigResponse = {
     attribute_mapping: {
         [key: string]: unknown;
@@ -1939,7 +2425,9 @@ export type OidcConfigResponse = {
     id: string;
     is_enabled: boolean;
     issuer_url: string;
+    map_groups_to_groups: boolean;
     name: string;
+    pkce_enabled: boolean;
     scopes: Array<string>;
     updated_at: string;
 };
@@ -2040,6 +2528,15 @@ export type PaginationInfo = {
     total_pages: number;
 };
+/**
+ * Supported webhook payload templates.
+ *
+ * Controls how the outgoing JSON body is structured when delivering a
+ * webhook. The `Generic` variant preserves backward compatibility with the
+ * original flat JSON format.
+ */
+export type PayloadTemplate = 'generic' | 'slack' | 'microsoft_teams' | 'discord' | 'mattermost';
 export type PeerInstanceListResponse = {
     items: Array<PeerInstanceResponse>;
     total: number;
@@ -2139,6 +2636,23 @@ export type PermissionRow = {
     updated_at: string;
 };
+/**
+ * Fine-grained permissions enforcement status.
+ */
+export type PermissionsConfig = {
+    /**
+     * Whether those rules are actively enforced on API requests.
+     * The permission-check middleware and handler guards are wired in,
+     * so this is `true` when the server is running.
+     */
+    enforcement_enabled: boolean;
+    /**
+     * Whether the permissions table (from migration 018) has any rows.
+     * When true, an administrator has configured permission rules.
+     */
+    rules_exist: boolean;
+};
 export type PluginConfigResponse = {
     config: {
         [key: string]: unknown;
@@ -2181,6 +2695,26 @@ export type PluginResponse = {
     version: string;
 };
+/**
+ * Plugin signature-verification (supply-chain) policy status.
+ *
+ * Exposes only booleans — never the trusted key material itself — so frontends
+ * and operators can see whether unsigned plugin installs are rejected and
+ * whether a trusted publisher key has been provisioned.
+ */
+export type PluginSigningConfig = {
+    /**
+     * Whether a valid signature is required to install a WASM plugin.
+     */
+    required: boolean;
+    /**
+     * Whether an operator trusted public key has been configured. When
+     * `required` is true but this is false, every install is rejected
+     * (fail-closed).
+     */
+    trusted_key_configured: boolean;
+};
 /**
  * Plugin status
  */
@@ -2278,8 +2812,12 @@ export type ProbeBody = {
 export type PromoteArtifactRequest = {
     notes?: string | null;
     skip_policy_check?: boolean;
-    target_repository: string;
-};
+    /**
+     * Target release repository key. When omitted, the staging repository's
+     * linked release target (from `repository_config`) is used instead.
+     */
+    target_repository?: string | null;
+};
 export type PromotionHistoryEntry = {
     artifact_id: string;
@@ -2341,6 +2879,50 @@ export type PromotionRuleResponse = {
     updated_at: string;
 };
+/**
+ * Body for declaring that a locally-owned PyPI project tracks an upstream one.
+ */
+export type PypiTrackRequest = {
+    /**
+     * Upstream Simple index project URL this local project tracks, e.g.
+     * `https://pypi.org/simple/acme-sdk/`. Recorded and emitted as the PEP 708
+     * `tracks` value.
+     */
+    tracks_url: string;
+};
+/**
+ * A single PEP 708 `tracks` declaration.
+ */
+export type PypiTrackResponse = {
+    /**
+     * PEP 503 normalized project name.
+     */
+    normalized_name: string;
+    repository_key: string;
+    tracks_url: string;
+};
+/**
+ * All `tracks` declarations on a repository.
+ */
+export type PypiTracksListResponse = {
+    items: Array<PypiTrackResponse>;
+};
+export type QuarantineActionResponse = {
+    artifact_id: string;
+    message: string;
+    new_status: string;
+};
+export type QuarantineStatusResponse = {
+    artifact_id: string;
+    is_blocked: boolean;
+    quarantine_status?: string | null;
+    quarantine_until?: string | null;
+};
 export type QuickSearchResponse = {
     results: Array<SearchResultItem>;
 };
@@ -2392,6 +2974,13 @@ export type RejectArtifactRequest = {
     reason: string;
 };
+export type RejectRequest = {
+    /**
+     * Optional reason for rejection.
+     */
+    reason?: string | null;
+};
 export type RejectionResponse = {
     artifact_id: string;
     reason: string;
@@ -2400,6 +2989,21 @@ export type RejectionResponse = {
     source: string;
 };
+export type ReleaseTargetResponse = {
+    /**
+     * Whether this staging repository has a linked release target.
+     */
+    linked: boolean;
+    /**
+     * The release repository ID, if linked.
+     */
+    release_repository_id?: string | null;
+    /**
+     * The release repository key, if linked.
+     */
+    release_repository_key?: string | null;
+};
 export type RemoteInstanceResponse = {
     created_at: string;
     id: string;
@@ -2436,6 +3040,30 @@ export type RepoSelectorSchema = {
     match_repos?: Array<string>;
 };
+/**
+ * List of tokens configured on a repository.
+ */
+export type RepoTokenListResponse = {
+    items: Array<RepoTokenResponse>;
+};
+/**
+ * Summary of a repository-scoped token.
+ */
+export type RepoTokenResponse = {
+    created_at: string;
+    created_by?: string | null;
+    description?: string | null;
+    expires_at?: string | null;
+    id: string;
+    is_expired: boolean;
+    is_revoked: boolean;
+    last_used_at?: string | null;
+    name: string;
+    scopes: Array<string>;
+    token_prefix: string;
+};
 export type RepositoryAssessment = {
     artifact_count: number;
     compatibility: string;
@@ -2452,6 +3080,12 @@ export type RepositoryListResponse = {
 };
 export type RepositoryResponse = {
+    /**
+     * Whether anonymous (unauthenticated) downloads are allowed. This is
+     * always equal to `is_public` and provided as a convenience alias so
+     * the semantics are clear for remote (pull-through cache) repositories.
+     */
+    allow_anonymous_access: boolean;
     created_at: string;
     description?: string | null;
     format: string;
@@ -2459,6 +3093,21 @@ export type RepositoryResponse = {
     is_public: boolean;
     key: string;
     name: string;
+    /**
+     * When true, direct user uploads are rejected; artifacts must be promoted.
+     */
+    promotion_only: boolean;
+    /**
+     * Configured quarantine hold duration in minutes, read back from
+     * `repository_config` (#1770 B). `None` when unset.
+     */
+    quarantine_duration_minutes?: number | null;
+    /**
+     * Whether the Package Age / quarantine policy is enabled for this
+     * repository, read back from `repository_config` (#1770 B). `None` when
+     * the repository has no explicit setting (the global default applies).
+     */
+    quarantine_enabled?: boolean | null;
     quota_bytes?: number | null;
     repo_type: string;
     storage_used_bytes: number;
@@ -2509,6 +3158,30 @@ export type RepositoryStorageBreakdown = {
     storage_bytes: number;
 };
+export type RescanForInventoryRequest = {
+    /**
+     * Maximum number of artifacts to enqueue in this call. Operators
+     * run the endpoint repeatedly to drain large backfills without
+     * stalling a single HTTP worker; the handler returns the actual
+     * number enqueued so the caller can detect when work is done.
+     * Defaults to 100. Hard-capped at 1000 to avoid pathological inputs.
+     */
+    limit?: number | null;
+};
+export type RescanForInventoryResponse = {
+    /**
+     * Number of artifacts whose latest scan had no inventory rows and
+     * for which a rescan was enqueued in this call.
+     */
+    artifacts_enqueued: number;
+    /**
+     * Echo of the requested (or defaulted) limit, useful for clients
+     * driving the loop programmatically.
+     */
+    limit: number;
+};
 /**
  * Response for password reset
  */
@@ -2546,6 +3219,43 @@ export type RoleResponse = {
     permissions: Array<string>;
 };
+/**
+ * Response returned by the rotate-secret endpoint.
+ */
+export type RotateWebhookSecretResponse = {
+    id: string;
+    /**
+     * When the previously active secret stops being accepted.
+     */
+    previous_secret_expires_at: string;
+    /**
+     * Raw signing secret produced by this rotation. Shown exactly once.
+     */
+    secret: string;
+    secret_digest: string;
+};
+/**
+ * A single routing rule that maps an incoming path to a rewritten path.
+ */
+export type RoutingRule = {
+    /**
+     * Regex pattern matched against the full request path.
+     * Use capture groups to extract portions for the rewrite template.
+     */
+    path_pattern: string;
+    /**
+     * Rewrite template. Use `$1`, `$2`, etc. to reference captured groups
+     * from `path_pattern`.
+     */
+    rewrite_to: string;
+};
+export type RoutingRulesResponse = {
+    repository_key: string;
+    rules: Array<RoutingRule>;
+};
 export type RuleEvaluationResponse = {
     passed: boolean;
     rule_id: string;
@@ -2568,6 +3278,14 @@ export type RuleResponse = {
     version_constraint: string;
 };
+/**
+ * Result of `POST /:id/repositories/:repo_id/sync` (run-now trigger).
+ */
+export type RunNowResponse = {
+    status: string;
+    tasks_queued: number;
+};
 export type SamlAcsForm = {
     RelayState?: string | null;
     SAMLResponse: string;
@@ -2646,15 +3364,47 @@ export type ScanResponse = {
     high_count: number;
     id: string;
     info_count: number;
+    /**
+     * True when the row was synthesized by the dedup path (`copy_scan_results`)
+     * because a prior scan with the same `(checksum_sha256, scan_type)` pair
+     * already existed within the dedup TTL. No scanner was actually invoked
+     * for this row; counts and findings were copied from `source_scan_id`.
+     */
+    is_reused: boolean;
     low_count: number;
     medium_count: number;
     repository_id: string;
     scan_type: string;
     scanner_version?: string | null;
+    /**
+     * When `is_reused` is true, the `id` of the source scan whose results
+     * were copied. Useful for distinguishing "fresh scan" from "deduped
+     * satisfaction" in release-gate provenance checks. None for original
+     * (non-reused) scans.
+     */
+    source_scan_id?: string | null;
     started_at?: string | null;
     status: string;
 };
+/**
+ * Scanner availability flags.
+ */
+export type ScannersConfig = {
+    /**
+     * Whether the Dependency-Track integration is configured.
+     */
+    dependency_track_enabled: boolean;
+    /**
+     * Whether the OpenSCAP compliance scanner is configured.
+     */
+    openscap_enabled: boolean;
+    /**
+     * Whether the Trivy vulnerability scanner is configured.
+     */
+    trivy_enabled: boolean;
+};
 export type ScoreResponse = {
     acknowledged_count: number;
     calculated_at: string;
@@ -2759,6 +3509,22 @@ export type SetPeerLabelsRequest = {
     labels: Array<PeerLabelEntrySchema>;
 };
+export type SetReleaseTargetRequest = {
+    /**
+     * Repository key of the release (local) repository to link.
+     * Pass `null` or omit to remove the link.
+     */
+    release_repository_key?: string | null;
+};
+export type SetRoutingRulesRequest = {
+    /**
+     * Ordered list of routing rules. Each rule specifies a regex pattern and
+     * a rewrite template. Rules are evaluated in order during proxy requests.
+     */
+    rules: Array<RoutingRule>;
+};
 /**
  * Response body for the setup status endpoint.
  */
@@ -2798,6 +3564,33 @@ export type SigningKeyPublic = {
     uid_name?: string | null;
 };
+/**
+ * Request body for the SMTP test endpoint.
+ */
+export type SmtpTestRequest = {
+    /**
+     * Recipient email address for the test message.
+     *
+     * Accepts `recipient` as an alias for backward compatibility with Web UI
+     * versions <= 1.1.3, which send `{"recipient": "..."}`.
+     */
+    to: string;
+};
+/**
+ * Response from the SMTP test endpoint.
+ */
+export type SmtpTestResponse = {
+    /**
+     * Human-readable status message.
+     */
+    message: string;
+    /**
+     * Whether the test email was sent successfully.
+     */
+    success: boolean;
+};
 export type SourceConnectionRow = {
     auth_type: string;
     created_at: string;
@@ -2900,6 +3693,23 @@ export type SubmitResponse = {
     marked_submitted: number;
 };
+/**
+ * Detailed subscription view (mode, schedule, filter) for a single (peer, repo) pair.
+ */
+export type SubscriptionResponse = {
+    created_at: string;
+    id: string;
+    last_replicated_at?: string | null;
+    peer_instance_id: string;
+    replication_filter: {
+        [key: string]: unknown;
+    };
+    replication_mode?: string | null;
+    replication_schedule?: string | null;
+    repository_id: string;
+    sync_enabled: boolean;
+};
 export type SuggestResponse = {
     suggestions: Array<string>;
 };
@@ -2925,6 +3735,12 @@ export type SyncPolicyResponse = {
     created_at: string;
     description: string;
     enabled: boolean;
+    /**
+     * Convenience glob filter, mirrored from `artifact_filter.include_paths`.
+     * Round-trips the single-pattern shorthand accepted on create
+     * (e.g. `"*.tar.gz"`). Empty when no include pattern is set.
+     */
+    filter: string;
     id: string;
     name: string;
     peer_selector: {
@@ -2942,11 +3758,82 @@ export type SyncPolicyResponse = {
 export type SyncTaskResponse = {
     artifact_id: string;
     artifact_size: number;
+    /**
+     * When the task was enqueued. Lets clients tell a freshly-scheduled task
+     * apart from a stale queue entry (used by the replication-schedule check).
+     * Serialized as whole-second RFC3339 with a `Z` suffix
+     * (e.g. `2026-05-29T12:34:56Z`) so simple ISO8601 parsers can consume it.
+     */
+    created_at: string;
     id: string;
     priority: number;
+    /**
+     * When the worker began transferring, if it has started. Same format as
+     * `created_at`.
+     */
+    started_at?: string | null;
+    /**
+     * Task status (e.g. "pending"). Listing currently returns pending tasks.
+     */
+    status: string;
     storage_key: string;
 };
+/**
+ * Public runtime configuration values.
+ *
+ * This response intentionally omits all secrets, credentials, and internal
+ * connection strings. Only values useful for UI/client behavior are included.
+ */
+export type SystemConfigResponse = {
+    /**
+     * Authentication provider availability.
+     */
+    auth: AuthConfig;
+    /**
+     * Whether the instance is running in demo mode (writes blocked).
+     */
+    demo_mode: boolean;
+    /**
+     * Whether anonymous (unauthenticated) access is permitted at all (issue #850).
+     * When `false`, the server rejects all unauthenticated requests except for
+     * the login, setup, health, and OCI challenge endpoints. Frontends should
+     * hide UI affordances that imply public access (e.g. the "public repo"
+     * toggle) and redirect unauthenticated users to the login page.
+     */
+    guest_access_enabled: boolean;
+    /**
+     * Maximum upload size in bytes (0 means no limit).
+     */
+    max_upload_size_bytes: number;
+    /**
+     * OIDC issuer URL, if configured. This is public information needed by
+     * clients to initiate the OIDC flow.
+     */
+    oidc_issuer?: string | null;
+    /**
+     * Fine-grained permissions enforcement status. Permission rules can be
+     * managed via /api/v1/permissions and are actively enforced.
+     */
+    permissions: PermissionsConfig;
+    /**
+     * Plugin signature-verification (supply-chain) policy status.
+     */
+    plugin_signing: PluginSigningConfig;
+    /**
+     * Scanner availability.
+     */
+    scanners: ScannersConfig;
+    /**
+     * Search engine type: "opensearch" when configured, "database" otherwise.
+     */
+    search_engine: string;
+    /**
+     * Storage backend type (e.g. "filesystem", "s3", "gcs", "azure").
+     */
+    storage_backend: string;
+};
 export type SystemSettings = {
     allow_anonymous_download: boolean;
     audit_retention_days: number;
@@ -3134,12 +4021,45 @@ export type TriggerChecksResponse = {
 export type TriggerScanRequest = {
     artifact_id?: string | null;
+    /**
+     * Skip the hash-based scan dedup short-circuit when running this scan.
+     *
+     * Defaults to `false`. Normal trigger calls dedup against prior
+     * completed scans for the same checksum + scan_type so a freshly
+     * uploaded byte-identical artifact reuses the existing result instead
+     * of re-running the scanner. When `true`, that dedup is skipped: the
+     * scanner runs against the bytes again and writes a fresh
+     * `scan_results` row. Use this to recover from a silently-broken
+     * prior scan (e.g. an extraction bug producing a completed,
+     * zero-finding row that masks the real findings until the dedup TTL
+     * expires; see #1469). Costs an extra scan run, so leave it unset
+     * for routine trigger calls.
+     *
+     * **Admin only.** Setting this to `true` bypasses the dedup short-
+     * circuit and fans out unbounded scanner work per artifact. The
+     * `trigger_scan` handler rejects this field with 403 for non-admin
+     * callers, since a non-admin force-rescan path would be a DoS
+     * amplifier (the pre-existing `force=true` was naturally rate-limited
+     * by dedup; `bypass_dedup` removes that safety).
+     */
+    bypass_dedup?: boolean | null;
     repository_id?: string | null;
 };
 export type TriggerScanResponse = {
     artifacts_queued: number;
     message: string;
+    /**
+     * Scan result IDs created (one per active scanner) when triggering an
+     * artifact-level scan. Empty for repository-level scans (where the
+     * per-artifact rows are created inside the spawned worker) and for
+     * artifact-level triggers when no scanners are configured.
+     *
+     * Clients (and the release-gate test in artifact-keeper-test#58) should
+     * poll `GET /api/v1/security/scans/{id}` against these IDs rather than
+     * guessing the most-recent scan from `GET /artifacts/{id}/scans`.
+     */
+    scan_result_ids?: Array<string>;
 };
 /**
@@ -3211,15 +4131,29 @@ export type UpdateLdapConfigRequest = {
 };
 export type UpdateOidcConfigRequest = {
+    /**
+     * Partial update for `attribute_mapping`. Keys present in this object
+     * overwrite the matching keys in the stored mapping. Keys not present
+     * are preserved. To remove a key, set it to `null`. To replace the
+     * whole mapping atomically, set `attribute_mapping_replace = true`.
+     * (See issue #1191.)
+     */
     attribute_mapping?: {
         [key: string]: unknown;
     } | null;
+    /**
+     * When `true`, treat `attribute_mapping` as a wholesale replacement
+     * (legacy behavior). Defaults to `false` — partial merge.
+     */
+    attribute_mapping_replace?: boolean | null;
     auto_create_users?: boolean | null;
     client_id?: string | null;
     client_secret?: string | null;
     is_enabled?: boolean | null;
     issuer_url?: string | null;
+    map_groups_to_groups?: boolean | null;
     name?: string | null;
+    pkce_enabled?: boolean | null;
     scopes?: Array<string> | null;
 };
@@ -3229,18 +4163,45 @@ export type UpdatePluginConfigRequest = {
     };
 };
+/**
+ * Partial-update payload for `PUT /security/policies/{id}`.
+ *
+ * Every field is `Option<T>` so clients can send any subset of mutable
+ * columns; omitted fields leave the existing row value untouched. The
+ * previous shape required all of `name`, `max_severity`, `block_unscanned`,
+ * `block_on_fail`, `is_enabled` on every call. That was incompatible with
+ * the release-gate `scan-policy-crud` test (and external callers) which
+ * PATCH a subset like `{max_severity, is_enabled}`; under the strict shape
+ * the request was rejected as a 422 and the boolean toggle silently never
+ * took effect on a follow-up GET. See #1374.
+ *
+ * For `min_staging_hours` / `max_artifact_age_days` the field is the inner
+ * nullable `i32`; "not provided" leaves the column untouched. Explicit
+ * `null` to clear those columns is not currently supported; the release
+ * gate only mutates the bool/enum fields, so the narrower semantics are
+ * sufficient and we avoid an ambiguous JSON contract.
+ */
 export type UpdatePolicyRequest = {
-    block_on_fail: boolean;
-    block_unscanned: boolean;
-    is_enabled: boolean;
+    block_on_fail?: boolean | null;
+    block_unscanned?: boolean | null;
+    is_enabled?: boolean | null;
     max_artifact_age_days?: number | null;
-    max_severity: string;
+    max_severity?: string | null;
     min_staging_hours?: number | null;
-    name: string;
-    require_signature?: boolean;
+    name?: string | null;
+    require_signature?: boolean | null;
 };
 export type UpdateRepositoryRequest = {
+    /**
+     * Alias for `is_public`. When set to true, anonymous users can download
+     * artifacts without authentication. Useful for remote (pull-through cache)
+     * repositories that proxy public upstream registries. Write operations
+     * (upload, delete) still require authentication regardless of this setting.
+     * If both `is_public` and `allow_anonymous_access` are provided,
+     * `allow_anonymous_access` takes precedence.
+     */
+    allow_anonymous_access?: boolean | null;
     description?: string | null;
     /**
      * Update the Cargo index upstream URL (stored in `repository_config`).
@@ -3250,7 +4211,31 @@ export type UpdateRepositoryRequest = {
     is_public?: boolean | null;
     key?: string | null;
     name?: string | null;
+    /**
+     * When provided, enables/disables the `promotion_only` policy for this
+     * repository (admin-only). When omitted, the flag is left unchanged.
+     */
+    promotion_only?: boolean | null;
+    /**
+     * Quarantine hold duration in minutes for this repository.
+     * Stored in `repository_config` under `quarantine_duration_minutes`.
+     */
+    quarantine_duration_minutes?: number | null;
+    /**
+     * Enable or disable quarantine period for this repository.
+     * When enabled, newly uploaded artifacts are held until scanned.
+     * Stored in `repository_config` under `quarantine_enabled`.
+     */
+    quarantine_enabled?: boolean | null;
     quota_bytes?: number | null;
+    /**
+     * Link this staging repository to a release (local) repository.
+     * Promotions from this staging repo will default to the linked release repo,
+     * and promotions to any other repo will be rejected.
+     * Pass an empty string to remove the link.
+     * Stored in `repository_config` under `release_repository_id`.
+     */
+    release_repository_key?: string | null;
 };
 export type UpdateRuleRequest = {
@@ -3336,13 +4321,25 @@ export type UpsertLicensePolicyRequest = {
 /**
  * Request to create or update a scan configuration.
+ *
+ * Every field is optional so a `PUT /repositories/{key}/security` can carry
+ * any subset of mutable columns; fields the client omits keep their existing
+ * value (or fall back to the documented default when the row does not exist
+ * yet). The previous shape required all of `scan_enabled`, `scan_on_upload`,
+ * `scan_on_proxy`, `block_on_policy_violation`, `severity_threshold` on every
+ * call. That was the #1374 bug class on a second entity: a partial PUT (for
+ * example just `{scan_enabled: true}`) either bounced as a 422 or, worse,
+ * silently reset every other column to its default so a follow-up GET showed
+ * the untouched fields stale. The upsert is now a read-modify-write that
+ * merges the patch over the existing row, so multiple fields persist together
+ * and an omitted field is never clobbered. See #1374 / B11.
  */
 export type UpsertScanConfigRequest = {
-    block_on_policy_violation: boolean;
-    scan_enabled: boolean;
-    scan_on_proxy: boolean;
-    scan_on_upload: boolean;
-    severity_threshold: string;
+    block_on_policy_violation?: boolean | null;
+    scan_enabled?: boolean | null;
+    scan_on_proxy?: boolean | null;
+    scan_on_upload?: boolean | null;
+    severity_threshold?: string | null;
 };
 export type UpstreamAuthRequest = {
@@ -3433,6 +4430,12 @@ export type WebhookListResponse = {
 export type WebhookResponse = {
     created_at: string;
+    /**
+     * Pinned event payload version (e.g. "2026-04-01"). Determines the
+     * shape of the rendered payload and the value sent in the
+     * `X-ArtifactKeeper-Event-Version` header.
+     */
+    event_schema_version: string;
     events: Array<string>;
     headers?: {
         [key: string]: unknown;
@@ -3441,10 +4444,42 @@ export type WebhookResponse = {
     is_enabled: boolean;
     last_triggered_at?: string | null;
     name: string;
+    payload_template: PayloadTemplate;
     repository_id?: string | null;
+    /**
+     * Short non-reversible identifier for the current signing secret
+     * (`whsec_...abcd`), suitable for display in operator UIs. The raw
+     * secret is never returned by GET or LIST.
+     */
+    secret_digest?: string | null;
+    /**
+     * True while a previous secret is still accepted by the retry path
+     * during a rotation overlap window.
+     */
+    secret_rotation_active?: boolean;
     url: string;
 };
+/**
+ * Response returned exactly once when a webhook is created or its secret
+ * is rotated. The raw `secret` value is not retrievable afterwards.
+ */
+export type WebhookSecretCreatedResponse = WebhookResponse & {
+    /**
+     * Raw signing secret. Display this to the operator immediately and
+     * instruct them to record it; the server retains only the encrypted
+     * form and a short digest.
+     *
+     * Absent when the webhook was created without a signing secret. This
+     * happens when no secret was supplied and the deployment has no
+     * `AK_WEBHOOK_SECRET_KEY` configured: rather than fail the create with
+     * a 500, the webhook is stored unsigned and deliveries omit the
+     * signature header. Configure the key and rotate the secret later to
+     * enable signing.
+     */
+    secret?: string | null;
+};
 export type GetStaleArtifactsData = {
     body?: never;
     path?: never;
@@ -3707,6 +4742,10 @@ export type CancelBackupErrors = {
      * Backup not found
      */
     404: unknown;
+    /**
+     * Backup is not in a cancellable state
+     */
+    409: unknown;
     /**
      * Internal server error
      */
@@ -4066,21 +5105,51 @@ export type TriggerReindexResponses = {
 export type TriggerReindexResponse = TriggerReindexResponses[keyof TriggerReindexResponses];
-export type TriggerSearchReindexData = {
-    body?: never;
+export type RescanForInventoryData = {
+    /**
+     * Optional; empty body uses defaults
+     */
+    body: RescanForInventoryRequest;
     path?: never;
     query?: never;
-    url: '/api/v1/admin/search/reindex';
+    url: '/api/v1/admin/rescan-for-inventory';
 };
-export type TriggerSearchReindexErrors = {
+export type RescanForInventoryErrors = {
     /**
-     * Meilisearch is not configured
+     * Admin privileges required
      */
-    500: unknown;
+    403: unknown;
+    /**
+     * Scanner service not configured
+     */
+    503: unknown;
 };
-export type TriggerSearchReindexResponses = {
+export type RescanForInventoryResponses = {
+    /**
+     * Rescans enqueued
+     */
+    200: RescanForInventoryResponse;
+};
+export type RescanForInventoryResponse2 = RescanForInventoryResponses[keyof RescanForInventoryResponses];
+export type TriggerSearchReindexData = {
+    body?: never;
+    path?: never;
+    query?: never;
+    url: '/api/v1/admin/search/reindex';
+};
+export type TriggerSearchReindexErrors = {
+    /**
+     * Search engine is not configured
+     */
+    500: unknown;
+};
+export type TriggerSearchReindexResponses = {
     /**
      * Reindex started in background
      */
@@ -4135,6 +5204,37 @@ export type UpdateSettingsResponses = {
 export type UpdateSettingsResponse = UpdateSettingsResponses[keyof UpdateSettingsResponses];
+export type SendTestEmailData = {
+    body: SmtpTestRequest;
+    path?: never;
+    query?: never;
+    url: '/api/v1/admin/smtp/test';
+};
+export type SendTestEmailErrors = {
+    /**
+     * Invalid request (e.g. bad email address)
+     */
+    400: unknown;
+    /**
+     * Admin privileges required
+     */
+    403: unknown;
+    /**
+     * SMTP not configured
+     */
+    503: unknown;
+};
+export type SendTestEmailResponses = {
+    /**
+     * Test email sent successfully
+     */
+    200: SmtpTestResponse;
+};
+export type SendTestEmailResponse = SendTestEmailResponses[keyof SendTestEmailResponses];
 export type ListLdapData = {
     body?: never;
     path?: never;
@@ -4802,6 +5902,28 @@ export type RunStorageGcResponses = {
 export type RunStorageGcResponse = RunStorageGcResponses[keyof RunStorageGcResponses];
+export type OciBlobReportData = {
+    body?: never;
+    path?: never;
+    query?: {
+        /**
+         * Grace window in hours used to compute the `aged_*` figures. Defaults
+         * to 24h; non-positive or out-of-range values are clamped server-side.
+         */
+        grace_hours?: number | null;
+    };
+    url: '/api/v1/admin/storage-gc/oci-blob-report';
+};
+export type OciBlobReportResponses = {
+    /**
+     * OCI blob footprint report
+     */
+    200: OciBlobFootprintReport;
+};
+export type OciBlobReportResponse = OciBlobReportResponses[keyof OciBlobReportResponses];
 export type ListCrashesData = {
     body?: never;
     path?: never;
@@ -5362,7 +6484,7 @@ export type LoginResponses = {
 export type LoginResponse2 = LoginResponses[keyof LoginResponses];
 export type LogoutData = {
-    body?: never;
+    body?: RefreshTokenRequest;
     path?: never;
     query?: never;
     url: '/api/v1/auth/logout';
@@ -5494,9 +6616,12 @@ export type OidcCallbackData = {
          */
         id: string;
     };
-    query: {
-        code: string;
-        state: string;
+    query?: {
+        code?: string | null;
+        state?: string | null;
+        error?: string | null;
+        error_description?: string | null;
+        error_uri?: string | null;
     };
     url: '/api/v1/auth/sso/oidc/{id}/callback';
 };
@@ -5506,6 +6631,10 @@ export type OidcCallbackErrors = {
      * Invalid callback parameters
      */
     400: ErrorResponse;
+    /**
+     * IdP error or invalid/expired SSO state
+     */
+    401: ErrorResponse;
 };
 export type OidcCallbackError = OidcCallbackErrors[keyof OidcCallbackErrors];
@@ -6453,6 +7582,10 @@ export type ListGroupsData = {
 };
 export type ListGroupsErrors = {
+    /**
+     * Authentication required
+     */
+    401: unknown;
     /**
      * Internal server error
      */
@@ -6476,6 +7609,14 @@ export type CreateGroupData = {
 };
 export type CreateGroupErrors = {
+    /**
+     * Authentication required
+     */
+    401: unknown;
+    /**
+     * Insufficient permissions
+     */
+    403: unknown;
     /**
      * Group name already exists
      */
@@ -6508,6 +7649,14 @@ export type DeleteGroupData = {
 };
 export type DeleteGroupErrors = {
+    /**
+     * Authentication required
+     */
+    401: unknown;
+    /**
+     * Insufficient permissions
+     */
+    403: unknown;
     /**
      * Group not found
      */
@@ -6547,6 +7696,10 @@ export type GetGroupData = {
 };
 export type GetGroupErrors = {
+    /**
+     * Authentication required
+     */
+    401: unknown;
     /**
      * Group not found
      */
@@ -6579,6 +7732,14 @@ export type UpdateGroupData = {
 };
 export type UpdateGroupErrors = {
+    /**
+     * Authentication required
+     */
+    401: unknown;
+    /**
+     * Insufficient permissions
+     */
+    403: unknown;
     /**
      * Group not found
      */
@@ -6611,6 +7772,14 @@ export type RemoveMembersData = {
 };
 export type RemoveMembersErrors = {
+    /**
+     * Authentication required
+     */
+    401: unknown;
+    /**
+     * Insufficient permissions
+     */
+    403: unknown;
     /**
      * Group not found
      */
@@ -6641,6 +7810,14 @@ export type AddMembersData = {
 };
 export type AddMembersErrors = {
+    /**
+     * Authentication required
+     */
+    401: unknown;
+    /**
+     * Insufficient permissions
+     */
+    403: unknown;
     /**
      * Group not found
      */
@@ -8108,6 +9285,78 @@ export type UnassignRepoResponses = {
     200: unknown;
 };
+export type GetSubscriptionData = {
+    body?: never;
+    path: {
+        /**
+         * Peer instance ID
+         */
+        id: string;
+        /**
+         * Repository ID
+         */
+        repo_id: string;
+    };
+    query?: never;
+    url: '/api/v1/peers/{id}/repositories/{repo_id}';
+};
+export type GetSubscriptionErrors = {
+    /**
+     * Subscription not found
+     */
+    404: unknown;
+    /**
+     * Internal server error
+     */
+    500: unknown;
+};
+export type GetSubscriptionResponses = {
+    /**
+     * Subscription details
+     */
+    200: SubscriptionResponse;
+};
+export type GetSubscriptionResponse = GetSubscriptionResponses[keyof GetSubscriptionResponses];
+export type RunSubscriptionNowData = {
+    body?: never;
+    path: {
+        /**
+         * Peer instance ID
+         */
+        id: string;
+        /**
+         * Repository ID
+         */
+        repo_id: string;
+    };
+    query?: never;
+    url: '/api/v1/peers/{id}/repositories/{repo_id}/sync';
+};
+export type RunSubscriptionNowErrors = {
+    /**
+     * Subscription not found
+     */
+    404: unknown;
+    /**
+     * Internal server error
+     */
+    500: unknown;
+};
+export type RunSubscriptionNowResponses = {
+    /**
+     * Sync tasks queued
+     */
+    202: RunNowResponse;
+};
+export type RunSubscriptionNowResponse = RunSubscriptionNowResponses[keyof RunSubscriptionNowResponses];
 export type TriggerSyncData = {
     body?: never;
     path: {
@@ -9177,6 +10426,74 @@ export type PromotionHistoryResponses = {
 export type PromotionHistoryResponse2 = PromotionHistoryResponses[keyof PromotionHistoryResponses];
+export type GetReleaseTargetData = {
+    body?: never;
+    path: {
+        /**
+         * Staging repository key
+         */
+        key: string;
+    };
+    query?: never;
+    url: '/api/v1/promotion/repositories/{key}/release-target';
+};
+export type GetReleaseTargetErrors = {
+    /**
+     * Repository not found
+     */
+    404: ErrorResponse;
+    /**
+     * Repository is not a staging repository
+     */
+    422: ErrorResponse;
+};
+export type GetReleaseTargetError = GetReleaseTargetErrors[keyof GetReleaseTargetErrors];
+export type GetReleaseTargetResponses = {
+    /**
+     * Release target information
+     */
+    200: ReleaseTargetResponse;
+};
+export type GetReleaseTargetResponse = GetReleaseTargetResponses[keyof GetReleaseTargetResponses];
+export type SetReleaseTargetData = {
+    body: SetReleaseTargetRequest;
+    path: {
+        /**
+         * Staging repository key
+         */
+        key: string;
+    };
+    query?: never;
+    url: '/api/v1/promotion/repositories/{key}/release-target';
+};
+export type SetReleaseTargetErrors = {
+    /**
+     * Repository not found
+     */
+    404: ErrorResponse;
+    /**
+     * Validation error
+     */
+    422: ErrorResponse;
+};
+export type SetReleaseTargetError = SetReleaseTargetErrors[keyof SetReleaseTargetErrors];
+export type SetReleaseTargetResponses = {
+    /**
+     * Release target updated
+     */
+    200: ReleaseTargetResponse;
+};
+export type SetReleaseTargetResponse = SetReleaseTargetResponses[keyof SetReleaseTargetResponses];
 export type ListChecksData = {
     body?: never;
     path?: never;
@@ -9582,77 +10899,197 @@ export type SuppressIssueResponses = {
 export type SuppressIssueResponse = SuppressIssueResponses[keyof SuppressIssueResponses];
-export type ListRepositoriesData = {
+export type GetQuarantineStatusData = {
     body?: never;
-    path?: never;
-    query?: {
-        page?: number | null;
-        per_page?: number | null;
-        format?: string | null;
-        type?: string | null;
-        q?: string | null;
+    path: {
+        /**
+         * Artifact ID
+         */
+        artifact_id: string;
     };
-    url: '/api/v1/repositories';
-};
-export type ListRepositoriesResponses = {
-    /**
-     * List of repositories
-     */
-    200: RepositoryListResponse;
-};
-export type ListRepositoriesResponse = ListRepositoriesResponses[keyof ListRepositoriesResponses];
-export type CreateRepositoryData = {
-    body: CreateRepositoryRequest;
-    path?: never;
     query?: never;
-    url: '/api/v1/repositories';
+    url: '/api/v1/quarantine/{artifact_id}';
 };
-export type CreateRepositoryErrors = {
+export type GetQuarantineStatusErrors = {
     /**
      * Authentication required
      */
     401: unknown;
     /**
-     * Repository key already exists
+     * Artifact not found
      */
-    409: unknown;
+    404: unknown;
 };
-export type CreateRepositoryResponses = {
+export type GetQuarantineStatusResponses = {
     /**
-     * Repository created
+     * Quarantine status
      */
-    200: RepositoryResponse;
+    200: QuarantineStatusResponse;
 };
-export type CreateRepositoryResponse = CreateRepositoryResponses[keyof CreateRepositoryResponses];
+export type GetQuarantineStatusResponse = GetQuarantineStatusResponses[keyof GetQuarantineStatusResponses];
-export type DeleteRepositoryData = {
-    body?: never;
+export type RejectQuarantinedArtifactData = {
+    body: RejectRequest;
     path: {
         /**
-         * Repository key
+         * Artifact ID
          */
-        key: string;
+        artifact_id: string;
     };
     query?: never;
-    url: '/api/v1/repositories/{key}';
+    url: '/api/v1/quarantine/{artifact_id}/reject';
 };
-export type DeleteRepositoryErrors = {
+export type RejectQuarantinedArtifactErrors = {
     /**
      * Authentication required
      */
     401: unknown;
     /**
-     * Repository not found
+     * Admin access required
      */
-    404: unknown;
-};
+    403: unknown;
+    /**
+     * Artifact not found
+     */
+    404: unknown;
+    /**
+     * Artifact is not in quarantined state
+     */
+    409: unknown;
+};
+export type RejectQuarantinedArtifactResponses = {
+    /**
+     * Artifact rejected
+     */
+    200: QuarantineActionResponse;
+};
+export type RejectQuarantinedArtifactResponse = RejectQuarantinedArtifactResponses[keyof RejectQuarantinedArtifactResponses];
+export type ReleaseArtifactData = {
+    body?: never;
+    path: {
+        /**
+         * Artifact ID
+         */
+        artifact_id: string;
+    };
+    query?: never;
+    url: '/api/v1/quarantine/{artifact_id}/release';
+};
+export type ReleaseArtifactErrors = {
+    /**
+     * Authentication required
+     */
+    401: unknown;
+    /**
+     * Admin access required
+     */
+    403: unknown;
+    /**
+     * Artifact not found
+     */
+    404: unknown;
+    /**
+     * Artifact is not in quarantined state
+     */
+    409: unknown;
+};
+export type ReleaseArtifactResponses = {
+    /**
+     * Artifact released
+     */
+    200: QuarantineActionResponse;
+};
+export type ReleaseArtifactResponse = ReleaseArtifactResponses[keyof ReleaseArtifactResponses];
+export type ListRepositoriesData = {
+    body?: never;
+    path?: never;
+    query?: {
+        page?: number | null;
+        per_page?: number | null;
+        format?: string | null;
+        type?: string | null;
+        q?: string | null;
+    };
+    url: '/api/v1/repositories';
+};
+export type ListRepositoriesResponses = {
+    /**
+     * List of repositories
+     */
+    200: RepositoryListResponse;
+};
+export type ListRepositoriesResponse = ListRepositoriesResponses[keyof ListRepositoriesResponses];
+export type CreateRepositoryData = {
+    body: CreateRepositoryRequest;
+    path?: never;
+    query?: never;
+    url: '/api/v1/repositories';
+};
+export type CreateRepositoryErrors = {
+    /**
+     * Authentication required
+     */
+    401: unknown;
+    /**
+     * Insufficient permissions
+     */
+    403: unknown;
+    /**
+     * Repository key already exists
+     */
+    409: unknown;
+};
+export type CreateRepositoryResponses = {
+    /**
+     * Repository created
+     */
+    200: RepositoryResponse;
+};
+export type CreateRepositoryResponse = CreateRepositoryResponses[keyof CreateRepositoryResponses];
+export type DeleteRepositoryData = {
+    body?: never;
+    path: {
+        /**
+         * Repository key
+         */
+        key: string;
+    };
+    query?: never;
+    url: '/api/v1/repositories/{key}';
+};
+export type DeleteRepositoryErrors = {
+    /**
+     * Authentication required
+     */
+    401: unknown;
+    /**
+     * Insufficient permissions
+     */
+    403: unknown;
+    /**
+     * Repository not found
+     */
+    404: unknown;
+};
 export type DeleteRepositoryResponses = {
     /**
@@ -9706,6 +11143,10 @@ export type UpdateRepositoryErrors = {
      * Authentication required
      */
     401: unknown;
+    /**
+     * Insufficient permissions
+     */
+    403: unknown;
     /**
      * Repository not found
      */
@@ -9738,6 +11179,19 @@ export type ListArtifactsData = {
         per_page?: number | null;
         q?: string | null;
         path_prefix?: string | null;
+        /**
+         * Server-side artifact grouping.
+         *
+         * Supported values:
+         * - `maven_component`: Maven/Gradle artifacts are grouped by
+         * groupId, artifactId, and version.  Individual files (jar, pom,
+         * checksums) appear in the `artifact_files` array of each component.
+         * - `docker_tag`: Docker/OCI artifacts are grouped by (image, tag),
+         * with `total_size_bytes` summed across the manifest config and
+         * referenced layer blobs.  The grouped rows are returned in the
+         * `docker_tags` array.
+         */
+        group_by?: string | null;
     };
     url: '/api/v1/repositories/{key}/artifacts';
 };
@@ -9783,6 +11237,10 @@ export type DeleteArtifactErrors = {
      * Artifact not found
      */
     404: unknown;
+    /**
+     * Artifact is immutable (released) and cannot be deleted
+     */
+    409: unknown;
 };
 export type DeleteArtifactResponses = {
@@ -9924,6 +11382,55 @@ export type SetCacheTtlResponses = {
 export type SetCacheTtlResponse = SetCacheTtlResponses[keyof SetCacheTtlResponses];
+export type InvalidateCacheData = {
+    body?: never;
+    path: {
+        /**
+         * Repository key
+         */
+        key: string;
+    };
+    query: {
+        /**
+         * Artifact path to evict from the proxy cache. Same shape as the path
+         * segment of `GET /api/v1/repositories/{key}/artifacts/{path}`.
+         * Path-traversal segments such as `..` are rejected by
+         * `ProxyService::cache_storage_key` (covered by
+         * `test_invalidate_cache_by_key_rejects_invalid_path`).
+         */
+        path: string;
+    };
+    url: '/api/v1/repositories/{key}/cache/invalidate';
+};
+export type InvalidateCacheErrors = {
+    /**
+     * Validation error (e.g. non-remote repo or invalid path)
+     */
+    400: unknown;
+    /**
+     * Authentication required
+     */
+    401: unknown;
+    /**
+     * Repository not found
+     */
+    404: unknown;
+    /**
+     * Proxy service not configured on this deployment
+     */
+    503: unknown;
+};
+export type InvalidateCacheResponses = {
+    /**
+     * Cache entry invalidated (or was already absent)
+     */
+    200: InvalidateCacheResponse;
+};
+export type InvalidateCacheResponse2 = InvalidateCacheResponses[keyof InvalidateCacheResponses];
 export type DownloadArtifactData = {
     body?: never;
     path: {
@@ -9956,6 +11463,122 @@ export type DownloadArtifactResponses = {
 export type DownloadArtifactResponse = DownloadArtifactResponses[keyof DownloadArtifactResponses];
+export type ListSubscriptionsData = {
+    body?: never;
+    path: {
+        /**
+         * Repository key
+         */
+        key: string;
+    };
+    query?: never;
+    url: '/api/v1/repositories/{key}/email-subscriptions';
+};
+export type ListSubscriptionsErrors = {
+    /**
+     * Not authenticated
+     */
+    401: unknown;
+    /**
+     * Insufficient permissions
+     */
+    403: unknown;
+    /**
+     * Repository not found
+     */
+    404: unknown;
+};
+export type ListSubscriptionsResponses = {
+    /**
+     * List of email subscriptions
+     */
+    200: EmailSubscriptionListResponse;
+};
+export type ListSubscriptionsResponse = ListSubscriptionsResponses[keyof ListSubscriptionsResponses];
+export type CreateSubscriptionData = {
+    body: CreateEmailSubscriptionRequest;
+    path: {
+        /**
+         * Repository key
+         */
+        key: string;
+    };
+    query?: never;
+    url: '/api/v1/repositories/{key}/email-subscriptions';
+};
+export type CreateSubscriptionErrors = {
+    /**
+     * Validation error
+     */
+    400: unknown;
+    /**
+     * Not authenticated
+     */
+    401: unknown;
+    /**
+     * Insufficient permissions
+     */
+    403: unknown;
+    /**
+     * Repository not found
+     */
+    404: unknown;
+};
+export type CreateSubscriptionResponses = {
+    /**
+     * Subscription created
+     */
+    201: EmailSubscriptionResponse;
+};
+export type CreateSubscriptionResponse = CreateSubscriptionResponses[keyof CreateSubscriptionResponses];
+export type DeleteSubscriptionData = {
+    body?: never;
+    path: {
+        /**
+         * Repository key
+         */
+        key: string;
+        /**
+         * Subscription ID
+         */
+        subscription_id: string;
+    };
+    query?: never;
+    url: '/api/v1/repositories/{key}/email-subscriptions/{subscription_id}';
+};
+export type DeleteSubscriptionErrors = {
+    /**
+     * Not authenticated
+     */
+    401: unknown;
+    /**
+     * Insufficient permissions
+     */
+    403: unknown;
+    /**
+     * Subscription or repository not found
+     */
+    404: unknown;
+};
+export type DeleteSubscriptionResponses = {
+    /**
+     * Subscription deleted
+     */
+    204: void;
+};
+export type DeleteSubscriptionResponse = DeleteSubscriptionResponses[keyof DeleteSubscriptionResponses];
 export type ListRepoLabelsData = {
     body?: never;
     path: {
@@ -10094,14 +11717,18 @@ export type ListVirtualMembersErrors = {
      */
     400: unknown;
     /**
-     * Repository not found
+     * Authentication required
+     */
+    401: unknown;
+    /**
+     * Repository not found
      */
     404: unknown;
 };
 export type ListVirtualMembersResponses = {
     /**
-     * List of virtual repository members
+     * List of virtual repository members (filtered to caller-visible members)
      */
     200: VirtualMembersListResponse;
 };
@@ -10129,6 +11756,10 @@ export type AddVirtualMemberErrors = {
      * Repository or member not found
      */
     404: unknown;
+    /**
+     * Member already exists in virtual repository
+     */
+    409: unknown;
 };
 export type AddVirtualMemberResponses = {
@@ -10214,6 +11845,204 @@ export type RemoveVirtualMemberResponses = {
     200: unknown;
 };
+export type ListPypiTracksData = {
+    body?: never;
+    path: {
+        /**
+         * Repository key
+         */
+        key: string;
+    };
+    query?: never;
+    url: '/api/v1/repositories/{key}/pypi-tracks';
+};
+export type ListPypiTracksErrors = {
+    /**
+     * Repository not found
+     */
+    404: unknown;
+};
+export type ListPypiTracksResponses = {
+    /**
+     * tracks declarations
+     */
+    200: PypiTracksListResponse;
+};
+export type ListPypiTracksResponse = ListPypiTracksResponses[keyof ListPypiTracksResponses];
+export type DeletePypiTrackData = {
+    body?: never;
+    path: {
+        /**
+         * Repository key
+         */
+        key: string;
+        /**
+         * Project name (PEP 503 normalized server-side)
+         */
+        project: string;
+    };
+    query?: never;
+    url: '/api/v1/repositories/{key}/pypi-tracks/{project}';
+};
+export type DeletePypiTrackErrors = {
+    /**
+     * Authentication required
+     */
+    401: unknown;
+    /**
+     * Repository not found
+     */
+    404: unknown;
+};
+export type DeletePypiTrackResponses = {
+    /**
+     * tracks declaration removed (idempotent)
+     */
+    204: void;
+};
+export type DeletePypiTrackResponse = DeletePypiTrackResponses[keyof DeletePypiTrackResponses];
+export type PutPypiTrackData = {
+    body: PypiTrackRequest;
+    path: {
+        /**
+         * Repository key
+         */
+        key: string;
+        /**
+         * Project name (PEP 503 normalized server-side)
+         */
+        project: string;
+    };
+    query?: never;
+    url: '/api/v1/repositories/{key}/pypi-tracks/{project}';
+};
+export type PutPypiTrackErrors = {
+    /**
+     * Invalid request or repository type
+     */
+    400: unknown;
+    /**
+     * Authentication required
+     */
+    401: unknown;
+    /**
+     * Repository not found
+     */
+    404: unknown;
+};
+export type PutPypiTrackResponses = {
+    /**
+     * tracks declaration stored
+     */
+    200: PypiTrackResponse;
+};
+export type PutPypiTrackResponse = PutPypiTrackResponses[keyof PutPypiTrackResponses];
+export type DeleteRoutingRulesData = {
+    body?: never;
+    path: {
+        /**
+         * Repository key
+         */
+        key: string;
+    };
+    query?: never;
+    url: '/api/v1/repositories/{key}/routing-rules';
+};
+export type DeleteRoutingRulesErrors = {
+    /**
+     * Authentication required
+     */
+    401: unknown;
+    /**
+     * Repository not found
+     */
+    404: unknown;
+};
+export type DeleteRoutingRulesResponses = {
+    /**
+     * Routing rules deleted
+     */
+    200: unknown;
+};
+export type GetRoutingRulesData = {
+    body?: never;
+    path: {
+        /**
+         * Repository key
+         */
+        key: string;
+    };
+    query?: never;
+    url: '/api/v1/repositories/{key}/routing-rules';
+};
+export type GetRoutingRulesErrors = {
+    /**
+     * Repository not found
+     */
+    404: unknown;
+};
+export type GetRoutingRulesResponses = {
+    /**
+     * Current routing rules
+     */
+    200: RoutingRulesResponse;
+};
+export type GetRoutingRulesResponse = GetRoutingRulesResponses[keyof GetRoutingRulesResponses];
+export type SetRoutingRulesData = {
+    body: SetRoutingRulesRequest;
+    path: {
+        /**
+         * Repository key
+         */
+        key: string;
+    };
+    query?: never;
+    url: '/api/v1/repositories/{key}/routing-rules';
+};
+export type SetRoutingRulesErrors = {
+    /**
+     * Invalid rule (bad regex or capture reference)
+     */
+    400: unknown;
+    /**
+     * Authentication required
+     */
+    401: unknown;
+    /**
+     * Repository not found
+     */
+    404: unknown;
+};
+export type SetRoutingRulesResponses = {
+    /**
+     * Routing rules saved
+     */
+    200: RoutingRulesResponse;
+};
+export type SetRoutingRulesResponse = SetRoutingRulesResponses[keyof SetRoutingRulesResponses];
 export type GetRepoSecurityData = {
     body?: never;
     path: {
@@ -10256,98 +12085,254 @@ export type UpdateRepoSecurityData = {
     url: '/api/v1/repositories/{key}/security';
 };
-export type UpdateRepoSecurityErrors = {
+export type UpdateRepoSecurityErrors = {
+    /**
+     * Repository not found
+     */
+    404: ErrorResponse;
+};
+export type UpdateRepoSecurityError = UpdateRepoSecurityErrors[keyof UpdateRepoSecurityErrors];
+export type UpdateRepoSecurityResponses = {
+    /**
+     * Repository security config updated
+     */
+    200: ScanConfigResponse;
+};
+export type UpdateRepoSecurityResponse = UpdateRepoSecurityResponses[keyof UpdateRepoSecurityResponses];
+export type ListRepoScansData = {
+    body?: never;
+    path: {
+        /**
+         * Repository key
+         */
+        key: string;
+    };
+    query?: {
+        repository_id?: string | null;
+        artifact_id?: string | null;
+        status?: string | null;
+        page?: number | null;
+        per_page?: number | null;
+    };
+    url: '/api/v1/repositories/{key}/security/scans';
+};
+export type ListRepoScansErrors = {
+    /**
+     * Repository not found
+     */
+    404: ErrorResponse;
+};
+export type ListRepoScansError = ListRepoScansErrors[keyof ListRepoScansErrors];
+export type ListRepoScansResponses = {
+    /**
+     * Paginated list of scans for a repository
+     */
+    200: ScanListResponse;
+};
+export type ListRepoScansResponse = ListRepoScansResponses[keyof ListRepoScansResponses];
+export type TestUpstreamData = {
+    body?: never;
+    path: {
+        /**
+         * Repository key
+         */
+        key: string;
+    };
+    query?: never;
+    url: '/api/v1/repositories/{key}/test-upstream';
+};
+export type TestUpstreamErrors = {
+    /**
+     * Repository is not remote or has no upstream URL
+     */
+    400: unknown;
+    /**
+     * Authentication required
+     */
+    401: unknown;
+    /**
+     * Repository not found
+     */
+    404: unknown;
+    /**
+     * Upstream unreachable
+     */
+    502: unknown;
+};
+export type TestUpstreamResponses = {
+    /**
+     * Upstream reachable
+     */
+    200: unknown;
+};
+export type ListRepoTokensData = {
+    body?: never;
+    path: {
+        /**
+         * Repository key
+         */
+        key: string;
+    };
+    query?: never;
+    url: '/api/v1/repositories/{key}/tokens';
+};
+export type ListRepoTokensErrors = {
+    /**
+     * Not authenticated
+     */
+    401: unknown;
+    /**
+     * Insufficient permissions
+     */
+    403: unknown;
+    /**
+     * Repository not found
+     */
+    404: unknown;
+};
+export type ListRepoTokensResponses = {
+    /**
+     * List of tokens on this repository
+     */
+    200: RepoTokenListResponse;
+};
+export type ListRepoTokensResponse = ListRepoTokensResponses[keyof ListRepoTokensResponses];
+export type CreateRepoTokenData = {
+    body: CreateRepoTokenRequest;
+    path: {
+        /**
+         * Repository key
+         */
+        key: string;
+    };
+    query?: never;
+    url: '/api/v1/repositories/{key}/tokens';
+};
+export type CreateRepoTokenErrors = {
+    /**
+     * Validation error
+     */
+    400: unknown;
+    /**
+     * Not authenticated
+     */
+    401: unknown;
+    /**
+     * Insufficient permissions
+     */
+    403: unknown;
     /**
      * Repository not found
      */
-    404: ErrorResponse;
+    404: unknown;
 };
-export type UpdateRepoSecurityError = UpdateRepoSecurityErrors[keyof UpdateRepoSecurityErrors];
-export type UpdateRepoSecurityResponses = {
+export type CreateRepoTokenResponses = {
     /**
-     * Repository security config updated
+     * Token created (value shown once)
      */
-    200: ScanConfigResponse;
+    200: CreateRepoTokenResponse;
 };
-export type UpdateRepoSecurityResponse = UpdateRepoSecurityResponses[keyof UpdateRepoSecurityResponses];
+export type CreateRepoTokenResponse2 = CreateRepoTokenResponses[keyof CreateRepoTokenResponses];
-export type ListRepoScansData = {
+export type RevokeRepoTokenData = {
     body?: never;
     path: {
         /**
          * Repository key
          */
         key: string;
+        /**
+         * Token ID
+         */
+        token_id: string;
     };
-    query?: {
-        repository_id?: string | null;
-        artifact_id?: string | null;
-        status?: string | null;
-        page?: number | null;
-        per_page?: number | null;
-    };
-    url: '/api/v1/repositories/{key}/security/scans';
+    query?: never;
+    url: '/api/v1/repositories/{key}/tokens/{token_id}';
 };
-export type ListRepoScansErrors = {
+export type RevokeRepoTokenErrors = {
     /**
-     * Repository not found
+     * Not authenticated
      */
-    404: ErrorResponse;
+    401: unknown;
+    /**
+     * Insufficient permissions
+     */
+    403: unknown;
+    /**
+     * Repository or token not found
+     */
+    404: unknown;
 };
-export type ListRepoScansError = ListRepoScansErrors[keyof ListRepoScansErrors];
-export type ListRepoScansResponses = {
+export type RevokeRepoTokenResponses = {
     /**
-     * Paginated list of scans for a repository
+     * Token revoked
      */
-    200: ScanListResponse;
+    204: void;
 };
-export type ListRepoScansResponse = ListRepoScansResponses[keyof ListRepoScansResponses];
+export type RevokeRepoTokenResponse = RevokeRepoTokenResponses[keyof RevokeRepoTokenResponses];
-export type TestUpstreamData = {
+export type GetRepoTokenData = {
     body?: never;
     path: {
         /**
          * Repository key
          */
         key: string;
+        /**
+         * Token ID
+         */
+        token_id: string;
     };
     query?: never;
-    url: '/api/v1/repositories/{key}/test-upstream';
+    url: '/api/v1/repositories/{key}/tokens/{token_id}';
 };
-export type TestUpstreamErrors = {
-    /**
-     * Repository is not remote or has no upstream URL
-     */
-    400: unknown;
+export type GetRepoTokenErrors = {
     /**
-     * Authentication required
+     * Not authenticated
      */
     401: unknown;
     /**
-     * Repository not found
+     * Insufficient permissions
      */
-    404: unknown;
+    403: unknown;
     /**
-     * Upstream unreachable
+     * Repository or token not found
      */
-    502: unknown;
+    404: unknown;
 };
-export type TestUpstreamResponses = {
+export type GetRepoTokenResponses = {
     /**
-     * Upstream reachable
+     * Token details
      */
-    200: unknown;
+    200: RepoTokenResponse;
 };
+export type GetRepoTokenResponse = GetRepoTokenResponses[keyof GetRepoTokenResponses];
 export type SetUpstreamAuthData = {
     body: UpstreamAuthRequest;
     path: {
@@ -10486,16 +12471,83 @@ export type CheckLicenseComplianceResponses = {
 export type CheckLicenseComplianceResponse = CheckLicenseComplianceResponses[keyof CheckLicenseComplianceResponses];
-export type GetCveHistoryData = {
+export type GetCveHistoryByArtifactData = {
     body?: never;
     path: {
         /**
-         * Artifact ID
+         * Artifact UUID
          */
         artifact_id: string;
     };
     query?: never;
-    url: '/api/v1/sbom/cve/history/{artifact_id}';
+    url: '/api/v1/sbom/cve/history/by-artifact/{artifact_id}';
+};
+export type GetCveHistoryByArtifactErrors = {
+    /**
+     * Caller does not have access to this artifact's repository
+     */
+    403: unknown;
+    /**
+     * Artifact not found
+     */
+    404: unknown;
+};
+export type GetCveHistoryByArtifactResponses = {
+    /**
+     * CVE history entries
+     */
+    200: Array<CveHistoryEntry>;
+};
+export type GetCveHistoryByArtifactResponse = GetCveHistoryByArtifactResponses[keyof GetCveHistoryByArtifactResponses];
+export type GetCveHistoryByCveData = {
+    body?: never;
+    path: {
+        /**
+         * CVE identifier (e.g. CVE-2019-10744)
+         */
+        cve_id: string;
+    };
+    query?: never;
+    url: '/api/v1/sbom/cve/history/by-cve/{cve_id}';
+};
+export type GetCveHistoryByCveErrors = {
+    /**
+     * Path id is not a valid CVE identifier
+     */
+    400: unknown;
+};
+export type GetCveHistoryByCveResponses = {
+    /**
+     * CVE history entries
+     */
+    200: Array<CveHistoryEntry>;
+};
+export type GetCveHistoryByCveResponse = GetCveHistoryByCveResponses[keyof GetCveHistoryByCveResponses];
+export type GetCveHistoryData = {
+    body?: never;
+    path: {
+        /**
+         * Artifact UUID or CVE identifier (e.g. CVE-2019-10744). Prefer the typed routes /cve/history/by-artifact/{uuid} or /cve/history/by-cve/{cve_id}.
+         */
+        id: string;
+    };
+    query?: never;
+    url: '/api/v1/sbom/cve/history/{id}';
+};
+export type GetCveHistoryErrors = {
+    /**
+     * Path id is neither a valid UUID nor a valid CVE identifier
+     */
+    400: unknown;
 };
 export type GetCveHistoryResponses = {
@@ -10507,6 +12559,48 @@ export type GetCveHistoryResponses = {
 export type GetCveHistoryResponse = GetCveHistoryResponses[keyof GetCveHistoryResponses];
+export type UpdateCveStatusByArtifactCveData = {
+    body: UpdateCveStatusRequest;
+    path: {
+        /**
+         * Artifact UUID
+         */
+        artifact_id: string;
+        /**
+         * CVE identifier (e.g. CVE-2019-10744)
+         */
+        cve_id: string;
+    };
+    query?: never;
+    url: '/api/v1/sbom/cve/status/by-artifact/{artifact_id}/by-cve/{cve_id}';
+};
+export type UpdateCveStatusByArtifactCveErrors = {
+    /**
+     * Validation error (e.g. invalid CVE id or unsupported status)
+     */
+    400: ErrorResponse;
+    /**
+     * Caller does not have access to this artifact's repository
+     */
+    403: unknown;
+    /**
+     * No scan_findings rows match (artifact_id, cve_id)
+     */
+    404: unknown;
+};
+export type UpdateCveStatusByArtifactCveError = UpdateCveStatusByArtifactCveErrors[keyof UpdateCveStatusByArtifactCveErrors];
+export type UpdateCveStatusByArtifactCveResponses = {
+    /**
+     * Updated synth CVE entry
+     */
+    200: CveHistoryEntry;
+};
+export type UpdateCveStatusByArtifactCveResponse = UpdateCveStatusByArtifactCveResponses[keyof UpdateCveStatusByArtifactCveResponses];
 export type UpdateCveStatusData = {
     body: UpdateCveStatusRequest;
     path: {
@@ -10778,9 +12872,9 @@ export type ConvertSbomError = ConvertSbomErrors[keyof ConvertSbomErrors];
 export type ConvertSbomResponses = {
     /**
-     * Converted SBOM
+     * Converted SBOM with content
      */
-    200: SbomResponse;
+    200: SbomContentResponse;
 };
 export type ConvertSbomResponse = ConvertSbomResponses[keyof ConvertSbomResponses];
@@ -10975,6 +13069,15 @@ export type GetDashboardData = {
     url: '/api/v1/security/dashboard';
 };
+export type GetDashboardErrors = {
+    /**
+     * Admin privileges required
+     */
+    403: ErrorResponse;
+};
+export type GetDashboardError = GetDashboardErrors[keyof GetDashboardErrors];
 export type GetDashboardResponses = {
     /**
      * Security dashboard summary
@@ -10997,6 +13100,10 @@ export type RevokeAcknowledgmentData = {
 };
 export type RevokeAcknowledgmentErrors = {
+    /**
+     * Admin privileges required
+     */
+    403: ErrorResponse;
     /**
      * Finding not found
      */
@@ -11027,6 +13134,10 @@ export type AcknowledgeFindingData = {
 };
 export type AcknowledgeFindingErrors = {
+    /**
+     * Admin privileges required
+     */
+    403: ErrorResponse;
     /**
      * Finding not found
      */
@@ -11189,10 +13300,14 @@ export type TriggerScanErrors = {
      * Validation error
      */
     400: ErrorResponse;
+    /**
+     * bypass_dedup requested by non-admin caller
+     */
+    403: ErrorResponse;
     /**
      * Scanner service not configured
      */
-    500: ErrorResponse;
+    503: ErrorResponse;
 };
 export type TriggerScanError = TriggerScanErrors[keyof TriggerScanErrors];
@@ -11298,6 +13413,15 @@ export type GetAllScoresData = {
     url: '/api/v1/security/scores';
 };
+export type GetAllScoresErrors = {
+    /**
+     * Admin privileges required
+     */
+    403: ErrorResponse;
+};
+export type GetAllScoresError = GetAllScoresErrors[keyof GetAllScoresErrors];
 export type GetAllScoresResponses = {
     /**
      * All repository security scores
@@ -12127,6 +14251,22 @@ export type TogglePolicyResponses = {
 export type TogglePolicyResponse = TogglePolicyResponses[keyof TogglePolicyResponses];
+export type GetSystemConfigData = {
+    body?: never;
+    path?: never;
+    query?: never;
+    url: '/api/v1/system/config';
+};
+export type GetSystemConfigResponses = {
+    /**
+     * Public runtime configuration
+     */
+    200: SystemConfigResponse;
+};
+export type GetSystemConfigResponse = GetSystemConfigResponses[keyof GetSystemConfigResponses];
 export type GetTreeData = {
     body?: never;
     path?: never;
@@ -12227,6 +14367,10 @@ export type CreateSessionErrors = {
      * Unauthorized
      */
     401: unknown;
+    /**
+     * Forbidden
+     */
+    403: ErrorResponse;
     /**
      * Repository not found
      */
@@ -12527,6 +14671,42 @@ export type UpdateUserResponses = {
 export type UpdateUserResponse = UpdateUserResponses[keyof UpdateUserResponses];
+export type ForcePasswordChangeData = {
+    body?: never;
+    path: {
+        /**
+         * User ID
+         */
+        id: string;
+    };
+    query?: never;
+    url: '/api/v1/users/{id}/force-password-change';
+};
+export type ForcePasswordChangeErrors = {
+    /**
+     * Only administrators can force password changes
+     */
+    403: unknown;
+    /**
+     * User not found
+     */
+    404: unknown;
+    /**
+     * Cannot force password change for SSO users
+     */
+    422: unknown;
+};
+export type ForcePasswordChangeResponses = {
+    /**
+     * Flag set successfully
+     */
+    200: ForcePasswordChangeResponse;
+};
+export type ForcePasswordChangeResponse2 = ForcePasswordChangeResponses[keyof ForcePasswordChangeResponses];
 export type ChangePasswordData = {
     body: ChangePasswordRequest;
     path: {
@@ -12801,13 +14981,17 @@ export type CreateWebhookErrors = {
      * Internal server error
      */
     500: unknown;
+    /**
+     * A secret was supplied but AK_WEBHOOK_SECRET_KEY is not configured, so the secret cannot be encrypted at rest
+     */
+    503: unknown;
 };
 export type CreateWebhookResponses = {
     /**
-     * Webhook created successfully
+     * Webhook created. Body includes the raw secret exactly once (omitted when created unsigned).
      */
-    200: WebhookResponse;
+    200: WebhookSecretCreatedResponse;
 };
 export type CreateWebhookResponse = CreateWebhookResponses[keyof CreateWebhookResponses];
@@ -12982,6 +15166,42 @@ export type EnableWebhookResponses = {
     200: unknown;
 };
+export type RotateWebhookSecretData = {
+    body?: never;
+    path: {
+        /**
+         * Webhook ID
+         */
+        id: string;
+    };
+    query?: never;
+    url: '/api/v1/webhooks/{id}/rotate-secret';
+};
+export type RotateWebhookSecretErrors = {
+    /**
+     * Webhook not found
+     */
+    404: unknown;
+    /**
+     * A previous rotation overlap window is still active
+     */
+    409: unknown;
+    /**
+     * Encryption key not configured
+     */
+    500: unknown;
+};
+export type RotateWebhookSecretResponses = {
+    /**
+     * Secret rotated. Body includes the new raw secret exactly once.
+     */
+    200: RotateWebhookSecretResponse;
+};
+export type RotateWebhookSecretResponse2 = RotateWebhookSecretResponses[keyof RotateWebhookSecretResponses];
 export type TestWebhookData = {
     body?: never;
     path: {